[wp-hackers] escape data before db insert?

Bjorn Wijers mailings at bdisfunctional.net
Wed Jan 17 18:13:40 GMT 2007

Hi all,

Some time ago I had a discussion about escaping data in WordPress. If I 
understood it correctly, this person claimed that all GPC data will be 
escaped by WordPress before handing it over. I actually doubt that this 
is the case due to the existence of $wpdb->escape().

Now my question is: do I need to manually call $wpdb->escape() on every 
piece of data I would like to insert into the database, or not?

Actually, when I do use it, I get an extra slash with this example:

$string = "O'Reilly" (comes in via $_GET or $_POST)

after I use


becomes, after retrieving it from the database and echoing it:


So I presume it is already escaped before I use $wpdb->escape(), and the 
extra $wpdb->escape() changes it into O\\'Reilly before inserting it 
into the database.

Could someone from the core team tell a bit more about when to escape and 
when not to? I would like to harden my plugin against XSS and SQL 
injection, and I'd rather not have someone's WordPress install get messed 
up due to my plugin.

Thanks in advance!
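The double-escaping effect described in the post, reproduced as a small stand-alone script. This is an added example, not code from the post or from WordPress: it assumes the request value reaches the plugin already slashed (as WordPress did with add_magic_quotes(), or PHP's magic_quotes_gpc), models $wpdb->escape() with addslashes(), and approximates how MySQL decodes backslash escapes in a quoted literal with stripslashes().

```php
<?php
// Added example (not WordPress code). Assumption: GPC data is already
// slashed when the plugin sees it, so escaping it again adds a second
// layer of backslashes that survives into the database.

function incoming_gpc_value(string $raw): string {
    // WordPress slashed GPC data before plugins saw it; modelled with addslashes().
    return addslashes($raw);
}

function wpdb_escape_model(string $value): string {
    // Stand-in for $wpdb->escape(): escapes quotes and backslashes for a SQL literal.
    return addslashes($value);
}

function mysql_stores(string $literal): string {
    // Approximation of what MySQL keeps after decoding the escapes in '...'.
    return stripslashes($literal);
}

function stored_value_when_escaped_twice(string $raw): string {
    // Wrong: escaping the already-slashed value a second time.
    $gpc = incoming_gpc_value($raw);
    return mysql_stores(wpdb_escape_model($gpc));
}

function stored_value_when_escaped_once(string $raw): string {
    // Right: strip the slashes WordPress added, then escape exactly once
    // immediately before the value goes into the query.
    $gpc = incoming_gpc_value($raw);
    return mysql_stores(wpdb_escape_model(stripslashes($gpc)));
}

$raw = "O'Reilly";
echo "escaped twice: ", stored_value_when_escaped_twice($raw), "\n";
echo "escaped once:  ", stored_value_when_escaped_once($raw), "\n";

// SQL escaping says nothing about HTML: when the value is echoed into a
// page it needs HTML escaping for its own context, otherwise a stored
// value can still carry XSS even though the SQL query was safe.
echo htmlspecialchars(stored_value_when_escaped_once($raw), ENT_QUOTES, 'UTF-8'), "\n";
```

In current WordPress the same rule is expressed as wp_unslash() on input followed by $wpdb->prepare() for the query, which escapes each placeholder value exactly once.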


