esc_sql( string|array $data )

Escapes data for use in a MySQL query.

Description

Usually you should prepare queries using wpdb::prepare(). Sometimes, spot-escaping is required or useful. One example is preparing an array for use in an IN clause.

NOTE: Since 4.8.3, ‘%’ characters will be replaced with a placeholder string; this prevents certain SQLi attacks from taking place. This change in behaviour may cause issues for code that expects the return value of esc_sql() to be usable for other purposes.

Parameters

$data

(string|array) (Required) Unescaped data

Return

(string|array) Escaped data

Source

File: wp-includes/formatting.php

function esc_sql( $data ) {
	global $wpdb;
	return $wpdb->_escape( $data );
}

Changelog

Version Description
2.8.0 Introduced.
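
The IN clause case from the description, next to the wpdb::prepare() form of the same query, as an added example that is not part of the WordPress source or its documentation. It assumes the code runs inside WordPress (for instance from a plugin) so that $wpdb is available; the function names, the post_name lookup and the sample values are illustrative.

```php
<?php
// Added example. Assumes WordPress is loaded (e.g. inside a plugin), so that
// $wpdb and esc_sql() exist. Function names and sample values are hypothetical.
global $wpdb;

// Spot-escaping an array for an IN clause with esc_sql().
function example_ids_by_slug_escaped( array $slugs ) {
	global $wpdb;

	$slugs = array_values( array_filter( $slugs, 'is_string' ) );
	if ( empty( $slugs ) ) {
		return array(); // "IN ()" is a syntax error, so bail out early.
	}

	// esc_sql() escapes each element but adds no quotes. Each value must sit
	// inside quotes in the query, otherwise the escaping protects nothing.
	$in = "'" . implode( "','", esc_sql( $slugs ) ) . "'";

	return $wpdb->get_col( "SELECT ID FROM {$wpdb->posts} WHERE post_name IN ({$in})" );
}

// The same lookup with wpdb::prepare(): one %s placeholder per value.
function example_ids_by_slug_prepared( array $slugs ) {
	global $wpdb;

	$slugs = array_values( array_filter( $slugs, 'is_string' ) );
	if ( empty( $slugs ) ) {
		return array();
	}

	$placeholders = implode( ',', array_fill( 0, count( $slugs ), '%s' ) );
	$sql          = $wpdb->prepare(
		"SELECT ID FROM {$wpdb->posts} WHERE post_name IN ({$placeholders})",
		$slugs
	);

	return $wpdb->get_col( $sql );
}

// Constructed input: a quote and a '%' that must not reach the query raw.
$sample = array( 'hello-world', "o'brien", '50%-off' );
$ids_a  = example_ids_by_slug_escaped( $sample );
$ids_b  = example_ids_by_slug_prepared( $sample );

// Since 4.8.3 the escaped string carries a placeholder instead of '%', so it
// is only fit for SQL. Convert it back before using it for anything else.
$escaped  = esc_sql( '50%-off' );
$readable = $wpdb->remove_placeholder_escape( $escaped );
```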

© 2003–2019 WordPress Foundation
Licensed under the GNU GPLv2+ License.
https://developer.wordpress.org/reference/functions/esc_sql