Reported by: nacin | Owned by: nacin
wpdb::escape() has been used by core and plugins as a generic addslashes() alias. That isn't ideal. In #21767 we've removed all improper usage of wpdb::escape(), at which point everything now uses either wpdb::prepare() or esc_sql() (for database escaping) or wp_slash() (for the unfortunate need to generically slash).
We should deprecate wpdb::escape(). In the process, esc_sql() should become a wrapper for real escape, because it would be crazy and wrong to be using esc_sql() in a non-SQL context.
This came out of work by the WP security team.
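To make the three remaining paths concrete, here is an added example (not WordPress core code and not from the ticket): a small, hypothetical `DemoDb` class standing in for `wpdb`, with `prepare()` for placeholder queries, `esc_sql()` as a thin wrapper over the real escape, and `wp_slash()` as plain `addslashes()` for the non-SQL case. The offline escaper inside `_real_escape()` is a constructed stand-in; with a live connection the real work belongs to `mysqli::real_escape_string`, which is connection-charset aware.

```php
<?php
// Added example, not WordPress core code. It sketches the three escaping paths
// that remain once wpdb::escape() is deprecated:
//   - DemoDb::prepare()  for query values (preferred)
//   - esc_sql()          for SQL escaping when prepare() cannot be used
//   - wp_slash()         for the generic, non-SQL slashing case
// Names mirror WordPress but the implementations are simplified and hypothetical
// so the file runs without a database.

final class DemoDb
{
    private $link;

    public function __construct($link = null)
    {
        $this->link = $link; // optional mysqli connection
    }

    /**
     * Real SQL escaping. With a live connection this must be
     * mysqli::real_escape_string (charset aware). The strtr() fallback is a
     * constructed stand-in for offline demonstration only.
     */
    public function _real_escape(string $value): string
    {
        if ($this->link instanceof mysqli) {
            return $this->link->real_escape_string($value);
        }
        return strtr($value, [
            "\0"   => '\\0',
            "\n"   => '\\n',
            "\r"   => '\\r',
            '\\'   => '\\\\',
            "'"    => "\\'",
            '"'    => '\\"',
            "\x1a" => '\\Z',
        ]);
    }

    /** Minimal %s/%d substitution, similar in spirit to wpdb::prepare(). */
    public function prepare(string $query, ...$args): string
    {
        $i = 0;
        return preg_replace_callback('/%([sd])/', function (array $m) use ($args, &$i) {
            $arg = $args[$i++] ?? '';
            return $m[1] === 'd'
                ? (string) (int) $arg                              // integers are cast, not quoted
                : "'" . $this->_real_escape((string) $arg) . "'";  // strings are escaped and quoted
        }, $query);
    }
}

$demo_db = new DemoDb();

/** esc_sql() as a thin wrapper over the real escape, as the ticket proposes. */
function esc_sql(string $data): string
{
    global $demo_db;
    return $demo_db->_real_escape($data);
}

/** wp_slash(): plain addslashes() for generic, non-SQL slashing. */
function wp_slash(string $value): string
{
    return addslashes($value);
}

$input = "O'Reilly\nline2"; // constructed sample input

// 1. Preferred: placeholders; the value is escaped and quoted inside prepare().
echo $demo_db->prepare("SELECT * FROM posts WHERE title = %s AND id = %d", $input, "7x"), "\n";

// 2. esc_sql() only when a value must be interpolated directly, still in SQL context.
echo "SELECT * FROM posts WHERE title = '" . esc_sql($input) . "'", "\n";

// 3. wp_slash() for non-SQL slashing. It leaves the newline untouched, which is
//    one reason addslashes() is not a substitute for SQL escaping.
echo wp_slash($input), "\n";
```

The first two outputs escape the newline as `\n` while the third does not, which illustrates the ticket's point: the SQL escape and the generic slashing are different operations and should not share one function.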