Changeset 24718

Timestamp:

07/16/2013 05:44:42 PM (11 years ago)

Author:

nacin

Message:

Deprecate wpdb::escape() in favor of wpdb::prepare() and esc_sql(). fixes #24774.

Location:

trunk/wp-includes

Files:

• formatting.php (modified) (1 diff)
• wp-db.php (modified) (5 diffs)

trunk/wp-includes/formatting.php

@@ -2592 +2592 @@
 
 /**
- * Escapes data for use in a MySQL query
- *
- * This is just a handy shortcut for $wpdb->escape(), for completeness' sake
+ * Escapes data for use in a MySQL query.
+ *
+ * Usually you should prepare queries using wpdb::prepare().
+ * Sometimes, spot-escaping is required or useful. One example
+ * is preparing an array for use in an IN clause.
  *
  * @since 2.8.0
- * @param string $sql Unescaped SQL data
- * @return string The cleaned $sql
- */
-function esc_sql( $sql ) {
+ * @param string $data Unescaped data
+ * @return string Escaped data
+ */
+function esc_sql( $data ) {
     global $wpdb;
-    return $wpdb->escape( $sql );
+    return $wpdb->_escape( $data );
 }
 

trunk/wp-includes/wp-db.php

@@ -847 +847 @@
 
     /**
-     * Weak escape, using addslashes()
-     *
-     * @see addslashes()
+     * Do not use, deprecated.
+     *
+     * Use esc_sql() or wpdb::prepare() instead.
+     *
      * @since 2.8.0
+     * @deprecated 3.6.0
+     * @see wpdb::prepare
+     * @see esc_sql()
      * @access private
      *
@@ -857 +861 @@
      */
     function _weak_escape( $string ) {
+        if ( func_num_args() === 1 )
+            _deprecated_function( __METHOD__, '3.6', 'wpdb::prepare() or esc_sql()' );
         return addslashes( $string );
     }
@@ -877 +883 @@
      * Escape data. Works on arrays.
      *
-     * @uses wpdb::_escape()
      * @uses wpdb::_real_escape()
      * @since  2.8.0
@@ -887 +892 @@
     function _escape( $data ) {
         if ( is_array( $data ) ) {
-            foreach ( (array) $data as $k => $v ) {
+            foreach ( $data as $k => $v ) {
                 if ( is_array($v) )
                     $data[$k] = $this->_escape( $v );
@@ -901 +906 @@
 
     /**
-     * Escapes content for insertion into the database using addslashes(), for security.
-     *
-     * Works on arrays.
-     *
-     * @since 0.71
-     * @param string|array $data to escape
-     * @return string|array escaped as query safe string
+     * Do not use, deprecated.
+     *
+     * Use esc_sql() or wpdb::prepare() instead.
+     *
+     * @since 0.71
+     * @deprecated 3.6.0
+     * @see wpdb::prepare()
+     * @see esc_sql()
+     *
+     * @param mixed $data
+     * @return mixed
      */
     function escape( $data ) {
+        if ( func_num_args() === 1 )
+            _deprecated_function( __METHOD__, '3.6', 'wpdb::prepare() or esc_sql()' );
         if ( is_array( $data ) ) {
-            foreach ( (array) $data as $k => $v ) {
+            foreach ( $data as $k => $v ) {
                 if ( is_array( $v ) )
-                    $data[$k] = $this->escape( $v );
+                    $data[$k] = $this->escape( $v, 'recursive' );
                 else
-                    $data[$k] = $this->_weak_escape( $v );
+                    $data[$k] = $this->_weak_escape( $v, 'internal' );
             }
         } else {
-            $data = $this->_weak_escape( $data );
+            $data = $this->_weak_escape( $data, 'internal' );
         }