diff --git a/wp-includes/post.php b/wp-includes/post.php
index accc3415c..39bde1507 100644
--- a/wp-includes/post.php
+++ b/wp-includes/post.php
@@ -1499,14 +1499,20 @@ function wp_insert_post($postarr = array(), $wp_error = false) {
 	}
 
 	// expected_slashed (everything!)
-	$data = compact( array( 'post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'guid' ) );
+	$fields = array( 'post_author' => '%d', 'post_date' => '%s', 'post_date_gmt' => '%s', 'post_content' => '%s', 'post_content_filtered' => '%s', 'post_title' => '%s',
+		'post_excerpt' => '%s', 'post_status' => '%s', 'post_type' => '%s', 'comment_status' => '%s', 'ping_status' => '%s', 'post_password' => '%s', 'post_name' => '%s',
+		'to_ping' => '%s', 'pinged' => '%s', 'post_modified' => '%s', 'post_modified_gmt' => '%s', 'post_parent' => '%d', 'menu_order' => '%d', 'guid' => '%s' );
+	$data = compact( array_keys( $fields) );
+	$data_formats = array_values( $fields );
 	$data = apply_filters('wp_insert_post_data', $data, $postarr);
 	$data = stripslashes_deep( $data );
+	error_log(var_export($data, true));
 	$where = array( 'ID' => $post_ID );
+	$where_formats = array('%d');
 
-	if ($update) {
+	if ( $update ) {
 		do_action( 'pre_post_update', $post_ID );
-		if ( false === $wpdb->update( $wpdb->posts, $data, $where ) ) {
+		if ( false === $wpdb->update( $wpdb->posts, $data, $where, $data_formats, $where_formats ) ) {
 			if ( $wp_error )
 				return new WP_Error('db_update_error', __('Could not update post in the database'), $wpdb->last_error);
 			else
@@ -1522,7 +1528,7 @@ function wp_insert_post($postarr = array(), $wp_error = false) {
 				$data['ID'] = $import_id;
 			}
 		}
-		if ( false === $wpdb->insert( $wpdb->posts, $data ) ) {
+		if ( false === $wpdb->insert( $wpdb->posts, $data, $data_formats ) ) {
 			if ( $wp_error )
 				return new WP_Error('db_insert_error', __('Could not insert post into the database'), $wpdb->last_error);
 			else
diff --git a/wp-includes/wp-db.php b/wp-includes/wp-db.php
index 1d45d6c3d..61f8f7eae 100644
--- a/wp-includes/wp-db.php
+++ b/wp-includes/wp-db.php
@@ -699,12 +699,19 @@ class wpdb {
 	 *
 	 * @param string $table WARNING: not sanitized!
 	 * @param array $data Should not already be SQL-escaped
+	 * @param array|string $format The format of the field values.
 	 * @return mixed Results of $this->query()
 	 */
-	function insert($table, $data) {
-		$data = $this->_escape($data);
+	function insert($table, $data, $format = '%s') {
+		$format = (array) $format;
 		$fields = array_keys($data);
-		return $this->query("INSERT INTO $table (`" . implode('`,`',$fields) . "`) VALUES ('".implode("','",$data)."')");
+		$formatted_fields = array();
+		foreach ( $data as $field ) {
+			$form = ( $form = array_shift($format) ) ? $form : $formatted_fields[0];
+			$formatted_fields[] = $form;
+		}
+		$sql = "INSERT INTO $table (`" . implode( '`,`', $fields ) . "`) VALUES ('" . implode( "','", $formatted_fields ) . "')";
+		return $this->query( $this->prepare( $sql, $data) );
 	}
 
 	/**
@@ -715,21 +722,29 @@ class wpdb {
 	 * @param string $table WARNING: not sanitized!
 	 * @param array $data Should not already be SQL-escaped
 	 * @param array $where A named array of WHERE column => value relationships.  Multiple member pairs will be joined with ANDs.  WARNING: the column names are not currently sanitized!
+	 * @param array|string $format The format of the field values.
+	 * @param array|string $where_format The format of the where field values.
 	 * @return mixed Results of $this->query()
 	 */
-	function update($table, $data, $where){
-		$data = $this->_escape($data);
-		$bits = $wheres = array();
-		foreach ( (array) array_keys($data) as $k )
-			$bits[] = "`$k` = '$data[$k]'";
-
-		if ( is_array( $where ) )
-			foreach ( $where as $c => $v )
-				$wheres[] = "$c = '" . $this->_escape( $v ) . "'";
-		else
+	function update($table, $data, $where, $format = '%s', $where_format = '%s') {
+		if ( !is_array( $where ) )
 			return false;
 
-		return $this->query( "UPDATE $table SET " . implode( ', ', $bits ) . ' WHERE ' . implode( ' AND ', $wheres ) );
+		$formats = $format = (array) $format;
+		$bits = $wheres = array();
+		foreach ( (array) array_keys($data) as $k ) {
+			$form = ( $form = array_shift($formats) ) ? $form : $format[0];
+			$bits[] = "`$k` = {$form}";
+		}
+
+		$where_formats = $where_format = (array) $where_format;
+		foreach ( $where as $c => $v ) {
+			$form = ( $form = array_shift($where_formats) ) ? $form : $where_format[0];
+			$wheres[] = "$c = {$form}";
+		}
+
+		$sql = "UPDATE $table SET " . implode( ', ', $bits ) . ' WHERE ' . implode( ' AND ', $wheres );
+		return $this->query( $this->prepare( $sql, array_merge(array_values($data), array_values($where))) );
 	}
 
 	/**