esc_sql( string|array $data )
Escapes data for use in a MySQL query.
Description
Usually you should prepare queries using wpdb::prepare(). Sometimes, spot-escaping is required or useful. One example is preparing an array for use in an IN clause.
NOTE: Since WP-4.8.3, ‘%’ characters will be replaced with a placeholder string, this prevents certain SQLi attacks from taking place. This change in behaviour may cause issues for code that expects the return value of esc_sql() to be useable for other purposes.
Parameters
- $data
-
(string|array) (Required) Unescaped data
Return
(string|array) Escaped data
Source
File: wp-includes/formatting.php
function esc_sql( $data ) {
global $wpdb;
return $wpdb->_escape( $data );
}
Changelog
Version | Description |
---|---|
WP-2.8.0 | Introduced. |