Index: wp-includes/wp-db.php
===================================================================
--- wp-includes/wp-db.php	(revision 10612)
+++ wp-includes/wp-db.php	(working copy)
@@ -696,12 +696,19 @@
 	 *
 	 * @param string $table WARNING: not sanitized!
 	 * @param array $data Should not already be SQL-escaped
+	 * @param array|string $format The format of the field values.
 	 * @return mixed Results of $this->query()
 	 */
-	function insert($table, $data) {
-		$data = $this->_escape($data);
+	function insert($table, $data, $format = '%s') {
+		$format = (array) $format;
 		$fields = array_keys($data);
-		return $this->query("INSERT INTO $table (`" . implode('`,`',$fields) . "`) VALUES ('".implode("','",$data)."')");
+		$formatted_fields = array();
+		foreach( $data as $field ) {
+			$form = ( $form = array_shift($format) ) ? $form : $formatted_fields[0];
+			$formatted_fields[] = $form;
+		}
+		$sql = "INSERT INTO $table (`" . implode( '`,`', $fields ) . "`) VALUES ('" . implode( "','", $formatted_fields ) . "')";
+		return $this->query(call_user_func_array(array(&$this, 'prepare'), array_merge(array($sql), $data)));
 	}
 
 	/**
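Review bot: The `$format` entries are concatenated straight into the VALUES clause on the `$sql` line, so any caller-supplied format that is not one of the placeholders prepare() understands ends up in the query verbatim, and passing an empty array as `$format` makes the first loop iteration read `$formatted_fields[0]` before it exists. The docblock should state the contract: `@param array|string $format Placeholder(s) understood by prepare(), e.g. '%s' or '%d'; the last one is reused when there are fewer formats than fields.` The same pattern appears in update() in the next hunk. Separately, `$data` keeps its string keys through array_merge and relies on call_user_func_array ignoring them; `array_merge(array($sql), array_values($data))` would make the positional intent explicit and avoid them being treated as named arguments on newer PHP.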
@@ -712,21 +719,24 @@
 	 * @param string $table WARNING: not sanitized!
 	 * @param array $data Should not already be SQL-escaped
 	 * @param array $where A named array of WHERE column => value relationships.  Multiple member pairs will be joined with ANDs.  WARNING: the column names are not currently sanitized!
+	 * @param array|string $format The format of the field values.
 	 * @return mixed Results of $this->query()
 	 */
-	function update($table, $data, $where){
-		$data = $this->_escape($data);
+	function update($table, $data, $where, $format = '%s'){
+		$formats = $format = (array) $format;
 		$bits = $wheres = array();
-		foreach ( (array) array_keys($data) as $k )
-			$bits[] = "`$k` = '$data[$k]'";
+		foreach ( (array) array_keys($data) as $k ) {
+			$form = ( $form = array_shift($formats) ) ? $form : $format[0];
+			$bits[] = "`$k` = '{$form}'";
+		}
 
 		if ( is_array( $where ) )
 			foreach ( $where as $c => $v )
 				$wheres[] = "$c = '" . $this->_escape( $v ) . "'";
 		else
 			return false;
-
-		return $this->query( "UPDATE $table SET " . implode( ', ', $bits ) . ' WHERE ' . implode( ' AND ', $wheres ) );
+		$sql = "UPDATE $table SET " . implode( ', ', $bits ) . ' WHERE ' . implode( ' AND ', $wheres );
+		return $this->query(call_user_func_array(array(&$this, 'prepare'), array_merge(array($sql), $data)));
 	}
 
 	/**
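Review bot: The `$where` values are still escaped and interpolated into `$sql` before the whole string is handed to prepare(), so a literal `%` in a WHERE value (e.g. a value ending in a percent sign) is seen by the printf-style formatter rather than reaching MySQL as data, while the SET values go through placeholders. The two halves of the statement should take the same path: emit `%s` placeholders for the WHERE clause and append the values to the prepare() argument list, dropping the direct `_escape()` call. The `$format[0]` fallback also assumes `$format` is non-empty, as in insert().
```php
	function update($table, $data, $where, $format = '%s'){
		$formats = $format = (array) $format;
		$bits = $wheres = $where_values = array();
		// … unchanged: SET-clause loop building $bits from $formats …

		if ( is_array( $where ) ) {
			foreach ( $where as $c => $v ) {
				$wheres[] = "$c = %s";
				$where_values[] = $v;
			}
		} else {
			return false;
		}
		$sql = "UPDATE $table SET " . implode( ', ', $bits ) . ' WHERE ' . implode( ' AND ', $wheres );
		$args = array_merge( array( $sql ), array_values( $data ), $where_values );
		return $this->query( call_user_func_array( array( &$this, 'prepare' ), $args ) );
	}
```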
