How to fix ‘Notice: wpdb::escape is deprecated since version 3.6!’

The Cause:

The error occurs because a function used to “escape” strings before they are stored in the database has been deprecated. Escaping is the process of removing characters that can lead to SQL injection and XSS. The existing escape() function was deprecated in WordPress v3.6 RC2 and missed the previous release, and so may have gone unnoticed.

The reason for this deprecation was security related, so it could not be avoided. The wpdb::escape() function (found in wp-includes/wp-db.php) has been replaced with the newer esc_sql() function.

The Fix:

First of all, don’t search for the wrong line of code, wpdb::escape.

The string to look for is $wpdb->escape.

In the short-term, you can fix the problem yourself.

1. Fix the Theme or Plugins Manually (Recommended)

This is the longest but also the recommended option. You basically have to manually go through all your plugins or themes to look for references to $wpdb->escape or $this->wpdb->escape and replace all instances with esc_sql. It’s a straightforward find-and-replace, but it just means going through a lot of files.

If you’re on Linux or Mac, you can use the following command line in your WordPress directory to quickly see which files need to be updated:

# Go to wp-content folder
cd /path/to/wordpress/wp-content
# Find all files that have wpdb->escape
grep -ri 'wpdb->escape' *

Running the command in terminal will give you a list of files that are affected.

Simply replace $wpdb->escape with esc_sql.

If you still have a problem after doing this…

Are you running a domain mapping plugin with the sunrise.php file located in the wp-content directory?

Unfortunately, esc_sql() can’t be used, since apparently sunrise.php is included before the function esc_sql() is even registered.

So, I looked into esc_sql():

function esc_sql( $data ) {
	global $wpdb;
	return $wpdb->_escape( $data );
}

Therefore, in sunrise.php, I commented out the original line that causes the trouble, and duplicated it right below, modifying it as follows:

// $dm_domain = $wpdb->escape( $_SERVER[ 'HTTP_HOST' ] );
$dm_domain = $wpdb->_escape( $_SERVER[ 'HTTP_HOST' ] );

Should be problem solved!
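
The find-and-replace and the sunrise.php exception described above can be scripted together; this is an added example, not code from the original post. It matches only the call form, so the separate wpdb methods escape_by_ref() and _escape() are left untouched, and it skips sunrise.php. The function names and the .bak backup suffix are choices made for this example.

```shell
#!/bin/sh
# Added example: list and rewrite deprecated $wpdb->escape( calls.
# Usage: fix_wpdb_escape /path/to/wordpress/wp-content

# Matches $wpdb->escape( and $this->wpdb->escape( only. Requiring "(" right
# after "escape" (optional spaces allowed) keeps $wpdb->escape_by_ref( and
# $wpdb->_escape( out of the match.
PATTERN='\$(this->)?wpdb->escape[[:space:]]*\('

# Print file:line:text for every deprecated call in PHP files under $1.
list_deprecated() {
    grep -rnE --include='*.php' "$PATTERN" "$1"
}

# Rewrite every deprecated call under $1 to esc_sql(, keeping a .bak copy.
fix_wpdb_escape() {
    dir=$1
    # sunrise.php is skipped: it is included before esc_sql() is registered,
    # so it needs the manual $wpdb->_escape() change instead.
    grep -rlE --include='*.php' "$PATTERN" "$dir" | grep -v '/sunrise\.php$' |
    while IFS= read -r f; do
        cp -p "$f" "$f.bak"
        sed -E "s/$PATTERN/esc_sql(/g" "$f.bak" > "$f"
    done
}
```

Review the changes against the .bak copies before deleting them.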
