esc_sql( string|array $data )

Escapes data for use in a MySQL query.

Description

Usually you should prepare queries using wpdb::prepare(). Sometimes, spot-escaping is required or useful. One example is preparing an array for use in an IN clause.

NOTE: Since 4.8.3, ‘%’ characters will be replaced with a placeholder string, this prevents certain SQLi attacks from taking place. This change in behaviour may cause issues for code that expects the return value of esc_sql() to be useable for other purposes.

Parameters

$data

(string|array) (Required) Unescaped data

Top ↑

Return

(string|array) Escaped data

Top ↑

Source

File: wp-includes/formatting.php 

function esc_sql( $data ) {
	global $wpdb;
	return $wpdb->_escape( $data );
}

View on Trac

Top ↑

Changelog

Version Description
2.8.0 Introduced.

Top ↑

Top ↑

Used By

Used By Description
wp-includes/class-wp-user-query.php: WP_User_Query::parse_orderby()

Parse and sanitize ‘orderby’ keys passed to the user query.
wp-includes/class-wp-comment-query.php: WP_Comment_Query::parse_orderby()

Parse and sanitize ‘orderby’ keys passed to the comment query.
wp-includes/class-wp-date-query.php: WP_Date_Query::get_sql_for_clause()

Turns a first-order date query into SQL for a WHERE clause.
wp-includes/class-wp-query.php: WP_Query::get_posts()

Retrieves an array of posts based on query variables.
wp-includes/taxonomy.php: _pad_term_counts()

Add count of children to parent count.
wp-includes/taxonomy.php: _update_post_term_count()

Will update term count based on object types of the current taxonomy.
wp-includes/class-wp-date-query.php: WP_Date_Query::__construct()

Constructor.
wp-includes/post.php: get_page_by_path()

Retrieves a page given its path.
wp-includes/post.php: get_page_by_title()

Retrieve a page given its title.