#5100 closed defect (bug) (fixed)
$wpdb->escape() deprecated in WordPress 3.6.
Reported by: | johnjamesjacoby | Owned by: | boonebgorges |
---|---|---|---|
Milestone: | 1.8.1 | Priority: | highest |
Severity: | normal | Version: | 1.5 |
Component: | Core | Keywords: | has-patch |
Cc: |
Description
See: #WP24774 - [WP24718]
We currently use $wpdb->escape() in 25 locations. We'll want to switch to using esc_sql() or properly $wpdb->prepare()'ing instead.
Attachments (2)
Change History (7)
#2
@
11 years ago
Thanks, needle. Some of your $wpdb->prepare() changes in bp-forums won't work because of the syntax necessary for sql statements and the way that prepare() adds quotes. But the rest is good. I'll be committing a bunch of stuff in a few moments.
#3
@
11 years ago
- Keywords has-patch added; needs-patch 2nd-opinion removed
Actually, I've decided not to commit anything until WP 3.6 is officially out, so that they don't change stuff again at the last minute. Patch attached (5100.patch) which implements most of needle's patch. I've also eliminated a couple of pointless calls to esc_sql(), namely where we've already run wp_parse_id_list() and so already have a guaranteed list of ints. Also adds a testcase for a touched method.
I've created a patch for testing purposes, largely replacing $wpdb->escape() with esc_sql() except in 'bp-forums/bp-forums-functions.php' where a $wpdb->prepare() construction seemed more appropriate. Hope it helps - I'm finding having WP_DEBUG = true impossible now that the deprecated function warning is in place.
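The migration discussed in this ticket, as an added example that is not part of the ticket, the attached patches, or BuddyPress's code: it shows the deprecated $wpdb->escape() pattern beside $wpdb->prepare(), and why an integer list for IN() goes through wp_parse_id_list() rather than a %s placeholder. It assumes a loaded WordPress install; the function name, table name and columns are hypothetical.

```php
<?php
// Added example. Assumes WordPress is loaded, so $wpdb, esc_sql() and
// wp_parse_id_list() exist. example_get_item_ids() and the
// "example_items" table are hypothetical names used for illustration.

function example_get_item_ids( $status, $user_id, $item_ids ) {
	global $wpdb;

	$table = $wpdb->prefix . 'example_items'; // hypothetical table

	// Before (deprecated in WP 3.6): manual escaping inside hand-written quotes.
	// $where = "status = '" . $wpdb->escape( $status ) . "'";

	// Drop-in replacement when a fragment must be built by hand: esc_sql()
	// escapes the value, but the surrounding quotes are still the caller's job.
	// $where = "status = '" . esc_sql( $status ) . "'";

	// Preferred: prepare() escapes and quotes each %s value itself and casts
	// each %d value to an integer, so the placeholders carry no quotes.
	$where = $wpdb->prepare( 'status = %s AND user_id = %d', $status, $user_id );

	// A comma-separated list cannot go through one %s placeholder: prepare()
	// would quote the whole string "1,2,3" as a single value. Reduce the
	// input to non-negative integers instead; no escaping is needed after that.
	$ids = wp_parse_id_list( $item_ids );
	if ( empty( $ids ) ) {
		return array(); // "IN ()" would be a SQL syntax error
	}
	$in = implode( ',', $ids );

	return $wpdb->get_col( "SELECT id FROM {$table} WHERE {$where} AND id IN ({$in})" );
}

// Constructed sample call: non-numeric elements collapse to 0 in
// wp_parse_id_list(), so nothing from the raw string reaches the query.
// $ids = example_get_item_ids( 'active', 7, "3, 5, 8 OR 1=1" );
```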