esc_sql( string|array $data ): string|array

Escapes data for use in a MySQL query.

Description

Usually you should prepare queries using wpdb::prepare().
Sometimes, spot-escaping is required or useful. One example is preparing an array for use in an IN clause.

NOTE: Since 4.8.3, ‘%’ characters will be replaced with a placeholder string, this prevents certain SQLi attacks from taking place. This change in behavior may cause issues for code that expects the return value of esc_sql() to be usable for other purposes.

Parameters

$datastring|arrayrequired
Unescaped data.

Return

string|array Escaped data, in the same type as supplied.

More Information

  • Be careful in using this function correctly. It will only escape values to be used in strings in the query. That is, it only provides escaping for values that will be within quotes in the SQL (as in field = '{$escaped_value}'). If your value is not going to be within quotes, your code will still be vulnerable to SQL injection. For example, this is vulnerable, because the escaped value is not surrounded by quotes in the SQL query: ORDER BY {$escaped_value}. As such, this function does not escape unquoted numeric values, field names, or SQL keywords.
  • $wpdb->prepare() is generally preferred as it corrects some common formatting errors.
  • This function was formerly just an alias for $wpdb->escape(), but that function has now been deprecated.

Source

function esc_sql( $data ) {
	global $wpdb;
	return $wpdb->_escape( $data );
}

Changelog

VersionDescription
2.8.0Introduced.

User Contributed Notes

  1. Skip to note 3 content

    It should be noted that this function will only escape values to be used in strings in the query. That is, it only provides escaping for values that will be within quotes in the SQL (as in field = '{$escaped_value}'). If your value is not going to be within quotes, your code will still be vulnerable to SQL injection. For example, this is vulnerable, because the escaped value is not surrounded by quotes in the SQL query: ORDER BY {$escaped_value}. As such, this function does not escape unquoted numeric values, field names, or SQL keywords..

You must log in before being able to contribute a note or feedback.