Uses
| Uses | Description |
|---|---|
| wp-includes/wp-db.php: wpdb::_escape() | Escapes data. Works on arrays. |
Escapes data for use in a MySQL query.
Usually you should prepare queries using wpdb::prepare(). Sometimes, spot-escaping is required or useful. One example is preparing an array for use in an IN clause.
NOTE: Since 4.8.3, ‘%’ characters will be replaced with a placeholder string, this prevents certain SQLi attacks from taking place. This change in behaviour may cause issues for code that expects the return value of esc_sql() to be useable for other purposes.
(string|array) (Required) Unescaped data
(string|array) Escaped data
field = '{$escaped_value}'). If your value is not going to be within quotes, your code will still be vulnerable to SQL injection. For example, this is vulnerable, because the escaped value is not surrounded by quotes in the SQL query: ORDER BY {$escaped_value}. As such, this function does not escape unquoted numeric values, field names, or SQL keywords.$wpdb->prepare() is generally preferred as it corrects some common formatting errors.$wpdb->escape(), but that function has now been deprecated.File: wp-includes/formatting.php
function esc_sql( $data ) {
global $wpdb;
return $wpdb->_escape( $data );
} | Version | Description |
|---|---|
| 2.8.0 | Introduced. |
© 2003–2019 WordPress Foundation
Licensed under the GNU GPLv2+ License.
https://developer.wordpress.org/reference/functions/esc_sql