diff --git a/wp-includes/comment.php b/wp-includes/comment.php
index 076f8a025..7f296585e 100644
--- a/wp-includes/comment.php
+++ b/wp-includes/comment.php
@@ -1229,7 +1229,7 @@ function wp_update_comment($commentarr) {
 	$comment = get_comment($commentarr['comment_ID'], ARRAY_A);
 	// Escape data pulled from DB.
-	$comment = $wpdb->escape($comment);
+	$comment = esc_sql($comment);
 	$old_status = $comment['comment_approved'];
diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index a88beb68e..00ba9ddd1 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -1110,7 +1110,7 @@ function addslashes_gpc($gpc) {
 		$gpc = stripslashes($gpc);
 	}
-	return $wpdb->escape($gpc);
+	return esc_sql($gpc);
 }
 /**
@@ -1280,7 +1280,7 @@ function wp_rel_nofollow( $text ) {
 	// This is a pre save filter, so text is already escaped.
 	$text = stripslashes($text);
 	$text = preg_replace_callback('||i', 'wp_rel_nofollow_callback', $text);
-	$text = $wpdb->escape($text);
+	$text = esc_sql($text);
 	return $text;
 }
diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index fb831d0d2..b6cf92f37 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -497,7 +497,7 @@ function update_option( $option_name, $newvalue ) {
 	wp_protect_special_option( $option_name );
-	$safe_option_name = $wpdb->escape( $option_name );
+	$safe_option_name = esc_sql( $option_name );
 	$newvalue = sanitize_option( $option_name, $newvalue );
 	$oldvalue = get_option( $safe_option_name );
@@ -571,7 +571,7 @@ function add_option( $name, $value = '', $deprecated = '', $autoload = 'yes' ) {
 	global $wpdb;
 	wp_protect_special_option( $name );
-	$safe_name = $wpdb->escape( $name );
+	$safe_name = esc_sql( $name );
 	$value = sanitize_option( $name, $value );
 	// Make sure the option doesn't already exist. We can check the 'notoptions' cache before we ask for a db query
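Review bot: Nothing guards against `get_comment()` returning no row before `$comment['comment_approved']` is read on the line after the escape, so an unknown `comment_ID` hands a non-array to `esc_sql()` and the index read that follows fails or yields an empty status. A guard ahead of the escape, `if ( ! $comment ) return 0;`, keeps the slashed-array assumption honest; confirm that 0 is what callers of wp_update_comment treat as failure, since the function's return path lies outside this hunk. The rename to `esc_sql()` is behaviour-neutral as far as this hunk shows; the `// Escape data pulled from DB.` comment could say why the values are slashed at load time, e.g. `// Slash the stored values now so the update path below can treat them like slashed request data.` — the update path itself is not visible here, so verify that wording.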
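Review bot: `addslashes_gpc()` now returns the result of `esc_sql()` rather than the `addslashes()` its name promises, and the function's contract is nowhere stated; a comment above the return would keep the two steps from being "simplified" apart later: `// Normalise GPC input to exactly one layer of SQL escaping: strip whatever the runtime added (the condition preceding this hunk), then escape once.` The condition that triggers the `stripslashes()` branch is outside the hunk, so the comment's reference to it is an inference to confirm. If the function still declares `global $wpdb;` above the hunk, that declaration is now unused and can be dropped.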
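Review bot: `$safe_option_name` is passed to `get_option()` as a lookup key rather than spliced into SQL, so if get_option() prepares its own query (not visible here) the name is escaped twice and any option name containing a quote or backslash misses its row. The same pattern is in the add_option hunk (`$safe_name`) and in the delete_transient, get_transient and set_transient hunks of functions.php, where get_transient additionally uses the escaped name as a key into the array returned by `wp_load_alloptions()`, whose keys are presumably the raw option names. The safer shape is to escape only where the string reaches a query and to hand the raw name to the option helpers: `$oldvalue = get_option( $option_name );`. If the early escaping is deliberate because get_option() does not escape, a comment saying so at this first use would stop the next reader from "fixing" it.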
@@ -654,7 +654,7 @@ function delete_transient($transient) {
 	if ( $_wp_using_ext_object_cache ) {
 		return wp_cache_delete($transient, 'transient');
 	} else {
-		$transient = '_transient_' . $wpdb->escape($transient);
+		$transient = '_transient_' . esc_sql($transient);
 		return delete_option($transient);
 	}
 }
@@ -682,11 +682,11 @@ function get_transient($transient) {
 	if ( $_wp_using_ext_object_cache ) {
 		$value = wp_cache_get($transient, 'transient');
 	} else {
-		$transient_option = '_transient_' . $wpdb->escape($transient);
+		$transient_option = '_transient_' . esc_sql($transient);
 		// If option is not in alloptions, it is not autoloaded and thus has a timeout
 		$alloptions = wp_load_alloptions();
 		if ( !isset( $alloptions[$transient_option] ) ) {
-			$transient_timeout = '_transient_timeout_' . $wpdb->escape($transient);
+			$transient_timeout = '_transient_timeout_' . esc_sql($transient);
 			if ( get_option($transient_timeout) < time() ) {
 				delete_option($transient_option);
 				delete_option($transient_timeout);
@@ -723,7 +723,7 @@ function set_transient($transient, $value, $expiration = 0) {
 	} else {
 		$transient_timeout = '_transient_timeout_' . $transient;
 		$transient = '_transient_' . $transient;
-		$safe_transient = $wpdb->escape($transient);
+		$safe_transient = esc_sql($transient);
 		if ( false === get_option( $safe_transient ) ) {
 			$autoload = 'yes';
 			if ( 0 != $expiration ) {
@@ -1412,7 +1412,7 @@ function add_magic_quotes( $array ) {
 		if ( is_array( $v ) ) {
 			$array[$k] = add_magic_quotes( $v );
 		} else {
-			$array[$k] = esc_sql( $v );
 		}
 	}
 	return $array;
diff --git a/wp-includes/post.php b/wp-includes/post.php
index d28d237a5..9745f9e2e 100644
--- a/wp-includes/post.php
+++ b/wp-includes/post.php
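Review bot: `add_magic_quotes()` escapes values only — `$k` is written back untouched in both branches — and the function's name suggests `addslashes()` semantics while the body now applies `esc_sql()`, so callers that later interpolate keys must not assume they are slashed. A one-line comment above the loop (its header is outside the hunk) would pin that down: `// Recursively SQL-escapes array values; keys are returned as-is.`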
@@ -1752,7 +1752,7 @@ function wp_unique_post_slug($slug, $post_ID, $post_status, $post_type, $post_pa
 	} elseif ( in_array($post_type, $hierarchical_post_types) ) {
 		// Page slugs must be unique within their own trees. Pages are in a
 		// separate namespace than posts so page slugs are allowed to overlap post slugs.
-		$check_sql = "SELECT post_name FROM $wpdb->posts WHERE post_name = %s AND post_type IN ( '" . implode("', '", $wpdb->escape($hierarchical_post_types)) . "' ) AND ID != %d AND post_parent = %d LIMIT 1";
+		$check_sql = "SELECT post_name FROM $wpdb->posts WHERE post_name = %s AND post_type IN ( '" . implode("', '", esc_sql($hierarchical_post_types)) . "' ) AND ID != %d AND post_parent = %d LIMIT 1";
 		$post_name_check = $wpdb->get_var($wpdb->prepare($check_sql, $slug, $post_ID, $post_parent));
 		if ( $post_name_check || in_array($slug, $wp_rewrite->feeds) ) {
diff --git a/wp-includes/query.php b/wp-includes/query.php
index 196551e7a..9c3c660c9 100644
--- a/wp-includes/query.php
+++ b/wp-includes/query.php
@@ -1756,7 +1756,7 @@ class WP_Query {
 				$search .= "{$searchand}(($wpdb->posts.post_title LIKE '{$n}{$term}{$n}') OR ($wpdb->posts.post_content LIKE '{$n}{$term}{$n}'))";
 				$searchand = ' AND ';
 			}
-			$term = $wpdb->escape($q['s']);
+			$term = esc_sql($q['s']);
 			if (empty($q['sentence']) && count($q['search_terms']) > 1 && $q['search_terms'][0] != $q['s'] )
 				$search .= " OR ($wpdb->posts.post_title LIKE '{$n}{$term}{$n}') OR ($wpdb->posts.post_content LIKE '{$n}{$term}{$n}')";
diff --git a/wp-includes/registration.php b/wp-includes/registration.php
index 9a7f6c46d..73af76440 100644
--- a/wp-includes/registration.php
+++ b/wp-includes/registration.php
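Review bot: The escaped `$hierarchical_post_types` list is interpolated into `$check_sql` before that string becomes the format argument of `$wpdb->prepare()` on the next line, so a `%` in any type name would be read as a format directive rather than as data; `esc_sql()` does not neutralise `%`. The list is defined outside the hunk and is presumably internal, so the risk is low, but binding the entries through placeholders removes the dependence: `$placeholders = implode( ', ', array_fill( 0, count( $hierarchical_post_types ), '%s' ) );`, use `post_type IN ( $placeholders )` in `$check_sql`, and call `$wpdb->prepare( $check_sql, array_merge( array( $slug ), $hierarchical_post_types, array( $post_ID, $post_parent ) ) )`. The enclosing function starts and ends outside the hunk.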
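Review bot: `esc_sql()` on `$q['s']` protects the quoted literal but leaves the LIKE metacharacters `%` and `_` untouched, so a search string containing them is treated as a pattern in the `LIKE '{$n}{$term}{$n}'` clauses on the last line, and the same holds for the per-term `$term` values used in the loop above. If literal matching is intended, run the value through `like_escape()` before `esc_sql()` — `$term = esc_sql( like_escape( $q['s'] ) );` — after confirming the helper exists in this tree and that nothing relies on the wildcard behaviour. The surrounding method and the WP_Query class both start and end outside the hunk.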
@@ -293,8 +293,8 @@ function wp_update_user($userdata) {
 function wp_create_user($username, $password, $email = '') {
 	global $wpdb;
-	$user_login = $wpdb->escape($username);
-	$user_email = $wpdb->escape($email);
+	$user_login = esc_sql( $username );
+	$user_email = esc_sql( $email );
 	$user_pass = $password;
 	$userdata = compact('user_login', 'user_email', 'user_pass');
diff --git a/wp-includes/user.php b/wp-includes/user.php
index 00537a85f..7ee0ee9a1 100644
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@@ -153,7 +153,7 @@ function wp_authenticate_cookie($user, $username, $password) {
 function get_profile($field, $user = false) {
 	global $wpdb;
 	if ( !$user )
-		$user = $wpdb->escape($_COOKIE[USER_COOKIE]);
+		$user = esc_sql( $_COOKIE[USER_COOKIE] );
 	return $wpdb->get_var( $wpdb->prepare("SELECT $field FROM $wpdb->users WHERE user_login = %s", $user) );
 }
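Review bot: After the change `$wpdb` is no longer referenced in the visible lines of `wp_create_user()`, so the `global $wpdb;` on the second line is dead unless the rest of the function (outside the hunk) uses it; drop it if not. The new lines use `esc_sql( $username )` with inner spaces while the other files in this commit write `esc_sql($x)`; follow the style of the surrounding file. The escaped values flow into `$userdata` rather than into a query here, so a comment such as `// Pre-slash login and email; the consumer of $userdata (presumably wp_insert_user()) expects slashed input.` would record why they are escaped at all — confirm that expectation against the consumer.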
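Review bot: The cookie value is escaped with `esc_sql()` and then bound through `%s` in `$wpdb->prepare()` on the next line, which escapes again, so a login containing a quote or backslash can never match; the escape should go: `$user = isset( $_COOKIE[USER_COOKIE] ) ? $_COOKIE[USER_COOKIE] : '';` (the `isset()` also avoids a notice when the cookie is absent). Separately, the column name `$field` is interpolated into the query unvalidated, which is safe only while every caller passes a literal; a whitelist check against the user-table columns this function is meant to expose would close that off. Neither point is introduced by this commit, but the hunk is where the query is built.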