esc_sql( string|array $data )

Escapes data for use in a MySQL query.

Contents

Description Description

Usually you should prepare queries using wpdb::prepare(). Sometimes, spot-escaping is required or useful. One example is preparing an array for use in an IN clause.

NOTE: Since 4.8.3, ‘%’ characters will be replaced with a placeholder string, this prevents certain SQLi attacks from taking place. This change in behaviour may cause issues for code that expects the return value of esc_sql() to be useable for other purposes.

Parameters Parameters

$data

(string|array) (Required) Unescaped data

Top ↑

Return Return

(string|array) Escaped data

Top ↑

Source Source

File: wp-includes/formatting.php 

function esc_sql( $data ) {
	global $wpdb;
	return $wpdb->_escape( $data );
}

Expand full source code Collapse full source code View on Trac

Top ↑

Changelog Changelog

Changelog
Version Description
2.8.0 Introduced.

Top ↑

Top ↑

Used By Used By

Used By
Used By Description
wp-includes/class-wp-user-query.php: WP_User_Query::parse_orderby()

Parse and sanitize ‘orderby’ keys passed to the user query.
wp-includes/class-wp-comment-query.php: WP_Comment_Query::parse_orderby()

Parse and sanitize ‘orderby’ keys passed to the comment query.
wp-includes/date.php: WP_Date_Query::get_sql_for_clause()

Turns a first-order date query into SQL for a WHERE clause.
wp-includes/class-wp-query.php: WP_Query::get_posts()

Retrieves an array of posts based on query variables.
wp-includes/taxonomy.php: _pad_term_counts()

Add count of children to parent count.
wp-includes/taxonomy.php: _update_post_term_count()

Will update term count based on object types of the current taxonomy.
wp-includes/date.php: WP_Date_Query::__construct()

Constructor.
wp-includes/post.php: get_page_by_path()

Retrieves a page given its path.
wp-includes/post.php: get_page_by_title()

Retrieve a page given its title.
Show 4 more used by Hide more used by

Top ↑

User Contributed Notes User Contributed Notes

  1. Skip to note 1 content
    You must log in to vote on the helpfulness of this noteVote results for this note: 4You must log in to vote on the helpfulness of this note
    Contributed by J.D. Grimes

    It should be noted that this function will only escape values to be used in strings in the query. That is, it only provides escaping for values that will be within quotes in the SQL (as in field = '{$escaped_value}'). If your value is not going to be within quotes, your code will still be vulnerable to SQL injection. For example, this is vulnerable, because the escaped value is not surrounded by quotes in the SQL query: ORDER BY {$escaped_value}. As such, this function does not escape unquoted numeric values, field names, or SQL keywords..

You must log in before being able to contribute a note or feedback.