Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#24774 closed task (blessed) (fixed)

Deprecate wpdb::escape()

Reported by: nacin Owned by: nacin
Milestone: 3.6 Priority: normal
Severity: normal Version:
Component: Database Keywords:
Focuses: Cc:


wpdb::escape() has been used by core and plugins as a generic addslashes() alias. That isn't ideal. In #21767 we've removed all improper usage of wpdb::escape(), at which point everything now uses either wpdb::prepare() or esc_sql() (for database escaping) or wp_slash() (for the unfortunate need to generically slash).

We should deprecate wpdb::escape(). In the process, esc_sql() should become a wrapper for real escape, because it would be crazy and wrong to be using esc_sql() in a non-SQL context.

This came out of work by the WP security team.

Change History (4)

#1 @nacin
5 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 24718:

Deprecate wpdb::escape() in favor of wpdb::prepare() and esc_sql(). fixes #24774.

#2 @DrewAPicture
5 years ago

  • Keywords needs-codex added

#3 @nacin
5 years ago

In 24724:

Ensure _deprecated_function() exists before calling it. wpdb currently does not have a full functions.php dependency, and this can break external inclusions. see #24774.

#4 @bcworkz
4 years ago

  • Keywords needs-codex removed

ChrisWiegman and jdgrimes fixed the primary Codex entries last August. I found a few more stray entries in Function Reference. Any remaining mentions are about it being deprecated.

Note: See TracTickets for help on using tickets.