diff --git a/wp-includes/post.php b/wp-includes/post.php
index a38eb0960..869dba779 100644
--- a/wp-includes/post.php
+++ b/wp-includes/post.php
@@ -1368,46 +1368,22 @@ function wp_insert_attachment($object, $file = false, $parent = 0) {
 	if ( ! isset($pinged) )
 		$pinged = '';
 
+	// expected_slashed (everything!)
+	$data = array();
+	foreach ( array('post_author', 'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered', 'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status', 'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged', 'post_modified', 'post_modified_gmt', 'post_parent', 'menu_order', 'post_mime_type', 'guid') as $f )
+		$data[$f] = stripslashes($$f);
+	unset($f);
+
 	if ($update) {
-		// expected_slashed (everything!)
-		$wpdb->query(
-			"UPDATE $wpdb->posts SET
-			post_author = '$post_author',
-			post_date = '$post_date',
-			post_date_gmt = '$post_date_gmt',
-			post_content = '$post_content',
-			post_content_filtered = '$post_content_filtered',
-			post_title = '$post_title',
-			post_excerpt = '$post_excerpt',
-			post_status = '$post_status',
-			post_type = '$post_type',
-			comment_status = '$comment_status',
-			ping_status = '$ping_status',
-			post_password = '$post_password',
-			post_name = '$post_name',
-			to_ping = '$to_ping',
-			pinged = '$pinged',
-			post_modified = '".current_time('mysql')."',
-			post_modified_gmt = '".current_time('mysql',1)."',
-			post_parent = '$post_parent',
-			menu_order = '$menu_order',
-			post_mime_type = '$post_mime_type',
-			guid = '$guid'
-			WHERE ID = $post_ID");
+		$wpdb->db_update($wpdb->posts, $data, 'ID', $post_ID);
 	} else {
-		// expected_slashed (everything!)
-		$wpdb->query(
-			"INSERT INTO $wpdb->posts
-			(post_author, post_date, post_date_gmt, post_content, post_content_filtered, post_title, post_excerpt,  post_status, post_type, comment_status, ping_status, post_password, post_name, to_ping, pinged, post_modified, post_modified_gmt, post_parent, menu_order, post_mime_type, guid)
-			VALUES
-			('$post_author', '$post_date', '$post_date_gmt', '$post_content', '$post_content_filtered', '$post_title', '$post_excerpt', '$post_status', '$post_type', '$comment_status', '$ping_status', '$post_password', '$post_name', '$to_ping', '$pinged', '$post_date', '$post_date_gmt', '$post_parent', '$menu_order', '$post_mime_type', '$guid')");
-			$post_ID = (int) $wpdb->insert_id;
+		$wpdb->db_insert($wpdb->posts, $data);
+		$post_ID = (int) $wpdb->insert_id;
 	}
 
 	if ( empty($post_name) ) {
 		$post_name = sanitize_title($post_title, $post_ID);
-		// expected_slashed ($post_name)
-		$wpdb->query( $wpdb->prepare( "UPDATE $wpdb->posts SET post_name = '$post_name' WHERE ID = %d", $post_ID));
+		$wpdb->query( $wpdb->prepare( "UPDATE $wpdb->posts SET post_name = '%s' WHERE ID = %d", $post_name, $post_ID));
 	}
 
 	wp_set_post_categories($post_ID, $post_category);
diff --git a/wp-includes/wp-db.php b/wp-includes/wp-db.php
index e5537bbea..c2de5d1e0 100644
--- a/wp-includes/wp-db.php
+++ b/wp-includes/wp-db.php
@@ -250,6 +250,35 @@ class wpdb {
 		return $return_val;
 	}
 
+	/**
+	 * Insert an array of data into a table
+	 * @param string $table WARNING: not sanitized!
+	 * @param array $data should not already be SQL-escaped
+	 * @return mixed results of $this->query()
+	 */
+	function db_insert($table, $data) {
+		$data = add_magic_quotes($data);
+		$fields = array_keys($data);
+		return $this->query("INSERT INTO $table (`" . implode('`,`',$fields) . "`) VALUES ('".implode("','",$data)."')");
+	}
+
+	/**
+	 * Update a row in the table with an array of data
+	 * @param string $table WARNING: not sanitized!
+	 * @param array $data should not already be SQL-escaped
+	 * @param string $where_col the column of the WHERE statement.  WARNING: not sanitized!
+	 * @param string $where_val the value of the WHERE statement.  Should not already be SQL-escaped.
+	 * @return mixed results of $this->query()
+	 */
+	function db_update($table, $data, $where_col, $where_val){
+		$data = add_magic_quotes($data);
+		$bits = array();
+		foreach ( array_keys($data) as $k )
+			$bits[] = "`$k`='$data[$k]'";
+		$where_val = $wpdb->escape($where_val);
+		return $this->query("UPDATE $table SET ".implode(', ',$bits)." WHERE $where_col = '$where_val' LIMIT 1");
+	}
+
 	/**
 	 * Get one variable from the database
 	 * @param string $query (can be null as well, for caching, see codex)