From 3b4f3dea29197d1cd09f1edebe9ad691b7292880 Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Tue, 16 Jul 2013 17:44:42 +0000
Subject: [PATCH] Deprecate wpdb::escape() in favor of wpdb::prepare() and esc_sql(). fixes #24774.

git-svn-id: http://core.svn.wordpress.org/trunk@24718 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/formatting.php | 14 ++++++++------
 wp-includes/wp-db.php | 35 +++++++++++++++++++++++------------
 2 files changed, 31 insertions(+), 18 deletions(-)

diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index 0a480fb1be..aef2b6378c 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -2591,17 +2591,19 @@ function _deep_replace( $search, $subject ) {
 }
 
 /**
- * Escapes data for use in a MySQL query
+ * Escapes data for use in a MySQL query.
  *
- * This is just a handy shortcut for $wpdb->escape(), for completeness' sake
+ * Usually you should prepare queries using wpdb::prepare().
+ * Sometimes, spot-escaping is required or useful. One example
+ * is preparing an array for use in an IN clause.
  *
  * @since 2.8.0
- * @param string $sql Unescaped SQL data
- * @return string The cleaned $sql
+ * @param string $data Unescaped data
+ * @return string Escaped data
  */
-function esc_sql( $sql ) {
+function esc_sql( $data ) {
 global $wpdb;
- return $wpdb->escape( $sql );
+ return $wpdb->_escape( $data );
 }
 
 /**
diff --git a/wp-includes/wp-db.php b/wp-includes/wp-db.php
index 2a86b5b7e7..2c4c28262f 100644
--- a/wp-includes/wp-db.php
+++ b/wp-includes/wp-db.php
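Review bot: The `@param string $data` / `@return string` tags on esc_sql() now understate its contract: wpdb::_escape() is documented as working on arrays and recurses into them, and the new description itself cites preparing an array for an IN clause, so the tags should read `@param string|array $data Unescaped data` and `@return string|array Escaped data`. The description should also state that the escaped value is only safe once it is enclosed in quotes in the query; escaping does not make an unquoted interpolation (a numeric context) safe and does not neutralise LIKE wildcards, which is the reason wpdb::prepare() is recommended first. Since _escape() carries `@access private` in wp-db.php, a short comment in esc_sql() noting that it is the intended public entry point for that helper would spare the next reader a detour.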
@@ -846,16 +846,22 @@ class wpdb {
 }
 
 /**
- * Weak escape, using addslashes()
+ * Do not use, deprecated.
+ *
+ * Use esc_sql() or wpdb::prepare() instead.
  *
- * @see addslashes()
  * @since 2.8.0
+ * @deprecated 3.6.0
+ * @see wpdb::prepare
+ * @see esc_sql()
  * @access private
  *
  * @param string $string
  * @return string
  */
 function _weak_escape( $string ) {
+ if ( func_num_args() === 1 )
+ _deprecated_function( __METHOD__, '3.6', 'wpdb::prepare() or esc_sql()' );
 return addslashes( $string );
 }
 
@@ -876,7 +882,6 @@ class wpdb {
 /**
 * Escape data. Works on arrays.
 *
- * @uses wpdb::_escape()
 * @uses wpdb::_real_escape()
 * @since 2.8.0
 * @access private
@@ -886,7 +891,7 @@ class wpdb {
 */
 function _escape( $data ) {
 if ( is_array( $data ) ) {
- foreach ( (array) $data as $k => $v ) {
+ foreach ( $data as $k => $v ) {
 if ( is_array($v) )
 $data[$k] = $this->_escape( $v );
 else
@@ -900,24 +905,30 @@ class wpdb {
 }
 
 /**
- * Escapes content for insertion into the database using addslashes(), for security.
+ * Do not use, deprecated.
  *
- * Works on arrays.
+ * Use esc_sql() or wpdb::prepare() instead.
  *
  * @since 0.71
- * @param string|array $data to escape
- * @return string|array escaped as query safe string
+ * @deprecated 3.6.0
+ * @see wpdb::prepare()
+ * @see esc_sql()
+ *
+ * @param mixed $data
+ * @return mixed
  */
 function escape( $data ) {
+ if ( func_num_args() === 1 )
+ _deprecated_function( __METHOD__, '3.6', 'wpdb::prepare() or esc_sql()' );
 if ( is_array( $data ) ) {
- foreach ( (array) $data as $k => $v ) {
+ foreach ( $data as $k => $v ) {
 if ( is_array( $v ) )
- $data[$k] = $this->escape( $v );
+ $data[$k] = $this->escape( $v, 'recursive' );
 else
- $data[$k] = $this->_weak_escape( $v );
+ $data[$k] = $this->_weak_escape( $v, 'internal' );
 }
 } else {
- $data = $this->_weak_escape( $data );
+ $data = $this->_weak_escape( $data, 'internal' );
 }
 return $data;
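Review bot: The `if ( func_num_args() === 1 )` gate in _weak_escape() makes an undeclared second argument the only thing separating an internal caller from a deprecated one, yet neither the signature nor the docblock mentions it; add a tag such as `@param mixed $internal Optional. Any second argument suppresses the deprecation notice; passed by wpdb::escape() in the last hunk.` The retitled docblock also drops the one fact a reader of deprecated code needs, namely why it is weak, so keep a line like `* Escapes with addslashes(), which does not take the connection charset into account; wpdb::_real_escape() is the proper escape.` Two small inconsistencies with the escape() hunk further down: `@deprecated 3.6.0` versus the `'3.6'` string passed to _deprecated_function(), and `@see wpdb::prepare` lacking the `()` that `@see wpdb::prepare()` carries there.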
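Review bot: _escape() escapes values only; the `foreach ( $data as $k => $v )` loop writes `$data[$k] = ...` and never touches `$k`, so array keys pass through unescaped, which the docblock in the preceding hunk ("Escape data. Works on arrays.") does not say. A caller that builds column names or an IN list from keys would assume otherwise, so the description should read `* Works on arrays: values are escaped recursively, keys are left untouched.` The body of _escape() continues outside the hunk.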