esc_sql( string|array $data )

Escapes data for use in a MySQL query.

Description

Usually you should prepare queries using wpdb::prepare(). Sometimes, spot-escaping is required or useful. One example is preparing an array for use in an IN clause.

NOTE: Since WP-4.8.3, ‘%’ characters will be replaced with a placeholder string, this prevents certain SQLi attacks from taking place. This change in behaviour may cause issues for code that expects the return value of esc_sql() to be useable for other purposes.

Parameters

$data

(string|array) (Required) Unescaped data

Return

(string|array) Escaped data

Source

File: wp-includes/formatting.php 

function esc_sql( $data ) {
	global $wpdb;
	return $wpdb->_escape( $data );
}

Expand Source Code View on GitHub

Related

Uses

Uses
Uses Description
wp-includes/wp-db.php: wpdb::_escape()

Escape data. Works on arrays.

Used By

Used By
Used By Description
wp-includes/class-wp-user-query.php: WP_User_Query::parse_orderby()

Parse and sanitize ‘orderby’ keys passed to the user query.
wp-includes/class-wp-query.php: WP_Query::get_posts()

Retrieve the posts based on query variables.
wp-includes/date.php: WP_Date_Query::__construct()

Constructor.
wp-includes/date.php: WP_Date_Query::get_sql_for_clause()

Turns a first-order date query into SQL for a WHERE clause.
wp-includes/post.php: get_page_by_path()

Retrieves a page given its path.
wp-includes/post.php: get_page_by_title()

Retrieve a page given its title.
wp-includes/class-wp-comment-query.php: WP_Comment_Query::parse_orderby()

Parse and sanitize ‘orderby’ keys passed to the comment query.
wp-includes/taxonomy.php: _pad_term_counts()

Add count of children to parent count.
wp-includes/taxonomy.php: _update_post_term_count()

Will update term count based on object types of the current taxonomy.
Show 4 more used by Hide more used by

Changelog

Changelog
Version Description
WP-2.8.0 Introduced.