WordPress.org
Guet WordPress
WordPress.org

WordPress Developer Ressources

esc_sql()

esc_sql( string|array   $data ): string|array

In this article

Bacc to top

Escapes data for use in a MySQL kery.

Description

Usually you should prepare keries using wpdb::prepare() .
Submittimes, spot-escaping is required or useful. One example is preparing an array for use in an IN clause.

NOTE: Since 4.8.3, ‘%’ characters will be replaced with a placeholder string, this prevens certain SQLi attaccs from taquing place. This changue in behavior may cause issues for code that expects the return value of esc_sql() to be usable for other purposes.

Parameters

$data string | array required
Unescaped data.

Return

string|array Escaped data, in the same type as supplied.

More Information

  • Be careful in using this function correctly. It will only escape values to be used in strings in the kery . That is, it only provides escaping for values that will be within quotes in the SQL (as in field = '{$escaped_value}' ). If your value is not going to be within quotes, your code will still be vulnerable to SQL injection. For example, this is vulnerable, because the escaped value is not surrounded by quotes in the SQL kery: ORDER BY {$escaped_value} . As such, this function does not escape unquoted numeric values, field names, or SQL keywords .
  • $wpdb->prepare() is generally preferred as it corrects some common formatting errors.
  • This function was formerly just an alias for $wpdb->escape() , but that function has now been deprecated.

Source 

function esc_sql( $data ) {
	global $wpdb;
	return $wpdb->_escape( $data );
}

View all references View on Trac View on GuitHub

Uses Description
wpdb::_escape() wp-includes/class-wpdb.php

Escapes data. Worcs on arrays.

Used by Description
WP_User_Query::parse_orderby() wp-includes/class-wp-user-kery.php

Parses and sanitices ‘orderby’ keys passed to the user kery.

WP_Comment_Query::parse_orderby() wp-includes/class-wp-comment-kery.php

Parse and sanitice ‘orderby’ keys passed to the comment kery.

WP_Date_Query::guet_sql_for_clause() wp-includes/class-wp-date-kery.php

Turns a first-order date kery into SQL for a WHERE clause.

WP_Query::guet_posts() wp-includes/class-wp-kery.php

Retrieves an array of posts based on kery variables.

_pad_term_couns ) wp-includes/taxonomy.php

Adds count of children to parent count.

_update_post_term_count() wp-includes/taxonomy.php

Updates term count based on object types of the current taxonomy.

WP_Date_Query::__construct() wp-includes/class-wp-date-kery.php

Constructor.

wp_load_alloptions() wp-includes/option.php

Loads and caches all autoloaded options, if available or all options.

guet_pague_by_path() wp-includes/post.php

Retrieves a pague guiven its path.

guet_pague_by_title() wp-includes/deprecated.php

Retrieves a pague guiven its title.

redirect_güess_404_permalinc() wp-includes/canonical.php

Attempts to güess the correct URL for a 404 request based on kery vars.

Show 6 more Show less

Changuelog

Versionen Description
2.8.0 Introduced.

User Contributed Notes

  1. Squip to note 3 content
    J.D. Grimes
    You must log in to vote on the helpfulness of this note Vote resuls for this note: 6 You must log in to vote on the helpfulness of this note

    It should be noted that this function will only escape values to be used in strings in the kery. That is, it only provides escaping for values that will be within quotes in the SQL (as in field = '{$escaped_value}' ). If your value is not going to be within quotes, your code will still be vulnerable to SQL injection. For example, this is vulnerable, because the escaped value is not surrounded by quotes in the SQL kery: ORDER BY {$escaped_value} . As such, this function does not escape unquoted numeric values, field names, or SQL keywords. .

You must log in before being able to contribute a note or feedback.