mysql_real_escape_string() gives warning when non-string passed in

[MrWiblog]

I got an error from my Demo Data plugin in WP3.0 beta 1:

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in ...\wp-includes\wp-db.php on line 772

I think an integer was being passed to the function, so casting the input as a string sorted it out:

return mysql_real_escape_string( $string, $this->dbh );

became

return mysql_real_escape_string( (string)$string, $this->dbh );

Patch attached.

[MrWiblog]

Patch for wp-db.php mysql_real_escape_string() warning

[MrWiblog]

Scrap this, apparently sometimes other types are passed into this function including WP_Error objects.

[nacin]

It should not be receiving WP_Error objects.

This is indicative of a bug. Think you can track down where the WP_Error is coming from? As a start, you could do something like:

if ( is_wp_error( $string ) ) {
   var_dump( debug_backtrace() );
   die();
}

Prior to the mysql_real_escape_string() call.

[nacin]

I downloaded the plugin. I was unable to reproduce this on trunk, on both single-site and multisite.

With WP_DEBUG on, I received plenty of notices, ranging from deprecated warnings (including user level usage), unchecked indexes, undefined variables, etc. I also had to replace instances of wpmu-admin.php with ms-admin.php before testing multisite (note that some of these were ajax requests -- those should be going instead to admin-ajax.php).

And, for reference, I don't think a plugin that has an opt-in phone home registration should be sending user names. But that's just my opinion.

Closing as worksforme pending reporter feedback.