WordPress-Coding-Standards
Handbook: "Functions that update the database should expect their parameters to lack SQL slash escaping when passed."
Ref: https://make.wordpress.org/core/handbook/best-practices/coding-standards/php/#formatting-sql-statements
We could possibly verify that variables passed to $wpdb->prepare() don't have a slashing function around them?
Could possibly be added to the ~~WordPress.WP.PreparedSQL~~ WordPress.WP.PreparedSQLPlaceholders sniff.
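
One way the check proposed in this issue could work, written as a stand-alone token scan. This is an added example, not part of the issue and not WordPressCS code; the function name `find_slashed_prepare_args()` and the list of slashing functions are assumptions chosen for illustration.

```php
<?php
// Added example, not WordPressCS code. The function list below is an assumption.
const SLASHING_FUNCTIONS = ['addslashes', 'wp_slash', 'esc_sql'];

/** Returns [line, function] pairs for slashing calls found inside $wpdb->prepare( ... ). */
function find_slashed_prepare_args(string $source): array
{
    // Drop whitespace and comments so neighbouring tokens can be compared directly.
    $skip   = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $tokens = array_values(array_filter(
        token_get_all($source),
        static fn($t) => !is_array($t) || !in_array($t[0], $skip, true)
    ));
    $text = static fn($t) => is_array($t) ? $t[1] : $t; // token text, whatever its shape
    $findings = [];
    for ($i = 0, $n = count($tokens); $i + 3 < $n; $i++) {
        // Look for the token sequence: $wpdb -> prepare (
        if ($text($tokens[$i]) !== '$wpdb' || $text($tokens[$i + 1]) !== '->'
            || strtolower($text($tokens[$i + 2])) !== 'prepare' || $tokens[$i + 3] !== '(') {
            continue;
        }
        $depth = 0;
        for ($j = $i + 3; $j < $n; $j++) {
            $tok = $tokens[$j];
            if ($tok === '(') {
                $depth++;
            } elseif ($tok === ')') {
                if (--$depth === 0) {
                    break; // end of this prepare() call
                }
            } elseif (is_array($tok) && $tok[0] === T_STRING
                && in_array(strtolower($tok[1]), SLASHING_FUNCTIONS, true)
                && ($tokens[$j + 1] ?? null) === '(' && $text($tokens[$j - 1]) !== '->') {
                $findings[] = [$tok[2], $tok[1]]; // plain function call, not a method
            }
        }
    }
    return $findings;
}

// Constructed sample input: line 2 slashes the value before prepare(), line 3 does not.
$sample = <<<'SAMPLE'
<?php
$a = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_title = %s", addslashes( $title ) ) );
$b = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_title = %s", $title ) );
SAMPLE;
foreach (find_slashed_prepare_args($sample) as [$line, $function]) {
    echo "line $line: $function() wraps a value passed to \$wpdb->prepare()\n";
}
```

The scan only sees slashing applied directly in the argument list; a value slashed on an earlier line and then passed in as a plain variable would need data-flow tracking to catch.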