
Track progress on native prepared statements

Open iandunn opened this issue 4 years ago • 2 comments

A lot of the complexity around escaping queries would be simplified if Core supported native MySQL prepared statements.

It'll be worth following that ticket in the future, and maybe even coordinating w/ the Core team to push it forward.

iandunn avatar Apr 14 '21 22:04 iandunn

What problems would native prepared statements solve? Would it reduce complexity for plugin developers and other users of the wpdb API?

The most complex queries at the moment are ones that involve lists (WHERE foo IN( ... )) and complex WHERE clauses pieced together from multiple conditional pieces. What would they look like using native prepares?

tellyworth avatar Apr 19 '21 22:04 tellyworth

> complex WHERE clauses pieced together from multiple conditional pieces

That's mostly what I was thinking about, but also the difficulty of escaping table/column names. In general, the problem is the ambiguity between what's a table/column name, what's syntax, and what's a value.

Prepared statements should make the values explicit, and WPDB could wrap table/column names in backticks for additional guardrails.

It could make the recommendations much easier if we could just say, "use this new API that fixes the problems and complexity of the old one".

I could be misreading it, though, and the implementation could impact the details. What are your thoughts?

iandunn avatar Apr 19 '21 23:04 iandunn
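The separation the thread is after, shown as an added example that is not wporg-code-analysis or WordPress Core code: a query assembled from conditional pieces where every value is a bound parameter of a native MySQL prepared statement, and every table/column name is validated and backtick-quoted because identifiers are syntax and cannot be bound. It assumes an existing PDO connection in `$pdo`; the table and column names are sample values.

```php
<?php
// Added example (not project code). Assumes $pdo is a PDO connection to MySQL.

function quote_identifier(string $name): string {
    // Identifiers are syntax, not values, so they cannot be bound as parameters.
    // Allow only a simple name shape, then wrap it in backticks; the allowlist
    // already rejects backticks and whitespace, so no further escaping is needed.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $name)) {
        throw new InvalidArgumentException("Invalid identifier: $name");
    }
    return '`' . $name . '`';
}

/**
 * Build "SELECT * FROM <table> WHERE <col> IN (?, ?, ...) [AND post_status = ?]".
 * Returns [$sql, $params]: the IN list and the optional status are bound values,
 * the names are validated identifiers, and everything else is fixed syntax.
 */
function build_lookup(string $table, string $column, array $ids, ?string $status): array {
    if ($ids === []) {
        // "IN ()" is a syntax error in MySQL; refuse rather than emit it.
        throw new InvalidArgumentException('IN list must not be empty');
    }
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $sql = sprintf(
        'SELECT * FROM %s WHERE %s IN (%s)',
        quote_identifier($table), quote_identifier($column), $placeholders
    );
    $params = array_values($ids);
    if ($status !== null) {
        $sql .= ' AND `post_status` = ?';
        $params[] = $status;
    }
    return [$sql, $params];
}

// PDO emulates prepares client-side for MySQL by default; turn that off so the
// server itself parses the statement before any values are sent.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

[$sql, $params] = build_lookup('wp_posts', 'ID', [1, 2, 3], 'publish');
// $sql: SELECT * FROM `wp_posts` WHERE `ID` IN (?, ?, ?) AND `post_status` = ?
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

The placeholder count is derived from the array length, so the same builder serves any IN list size without string-escaping the values.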