Question

esc_sql( string|array $data )

Escapes data for use in a MySQL query.

---

description

Usually you should prepare queries using wpdb::prepare(). Sometimes, spot-escaping is required or useful. One example is preparing an array for use in an IN clause.

---

参数

$data

(string|array) (Required) Unescaped data

---

返回值

(string|array) Escaped data

---

源代码

File: wp-includes/formatting.php

function esc_sql( $data ) {
	global $wpdb;
	return $wpdb->_escape( $data );
}

---

更新日志

Version	description
2.8.0	Introduced.

---

相关函数

Uses

• wp-includes/wp-db.php: wpdb::_escape()

---

Used By

• wp-includes/class-wp-user-query.php: WP_User_Query::parse_orderby()
• wp-includes/class-wp-comment-query.php: WP_Comment_Query::parse_orderby()
• wp-includes/date.php: WP_Date_Query::get_sql_for_clause()
• wp-includes/class-wp-query.php: WP_Query::get_posts()
• wp-includes/class-wp-tax-query.php: WP_Tax_Query::transform_query()
• wp-includes/taxonomy.php: _pad_term_counts()
• wp-includes/taxonomy.php: _update_post_term_count()
• wp-includes/date.php: WP_Date_Query::__construct()
• wp-includes/post.php: get_page_by_path()
• wp-includes/post.php: get_page_by_title()
Show 5 more used by Hide more used by

---

User Contributed Notes

1. Skip to note content You must log in to vote on the helpfulness of this noteVote results for this note: 1You must log in to vote on the helpfulness of this note Contributed by J.D. Grimes

   It should be noted that this function will only escape values to be used in strings in the query. That is, it only provides escaping for values that will be within quotes in the SQL (as in field = '{$escaped_value}'). If your value is not going to be within quotes, your code will still be vulnerable to SQL injection. For example, this is vulnerable, because the escaped value is not surrounded by quotes in the SQL query: ORDER BY {$escaped_value}. As such, this function does not escape unquoted numeric values, field names, or SQL keywords..

Basic Example

<?php

$name   = esc_sql( $name );
$status = esc_sql( $status );

$wpdb->get_var( "SELECT something FROM table WHERE foo = '$name' and status = '$status'" );

?>