WordPress v3.6 was recently released, and as such, not all themes and plugins have been updated to support the new version. If you have PHP error_reporting turned on with E_NOTICE enabled, you are likely to see errors like “Notice: wpdb::escape is deprecated since version 3.6! Use wpdb::prepare() or esc_sql() instead.”
These errors are common with third-party themes and plugins – especially ones that haven’t been updated in a while.
The Cause:
The error occurs because a function used to “escape” strings before they are stored in the database has been deprecated. Escaping is the process of neutralizing characters that can lead to SQL injection and XSS. The existing escape() function was deprecated in WordPress v3.6 RC2 and missed the previous releases, so it may have gone unnoticed.
The reason for this deprecation was security related, so it could not be avoided. The wpdb::escape() function (found in wp-includes/wp-db.php) has been replaced with the newer esc_sql() function.
The Fix:
In the short-term, you can fix the problem yourself. There are two possible solutions:
1. Update PHP Settings (Quick)
Update your PHP ini settings to stop reporting E_NOTICE errors. This option is not recommended, as it’s just masking the errors and not really fixing them. Since the error is just a notice, it’s not going to break anything and it’s the quickest way to fix your WordPress site.
However, this won’t be possible for everyone to do, as you need the ability to change your PHP settings – something that is not possible on shared hosting providers. If you are on a VPS or dedicated hosting provider, this is a very quick fix for you.
2. Fix the Theme or Plugins Manually (Recommended)
This is the longest but also the recommended option. You basically have to manually go through all your plugins or themes to look for references to $wpdb->escape or $this->wpdb->escape and replace all instances with esc_sql. It’s a straightforward find-and-replace, but it just means going through a lot of files.
If you’re on Linux or Mac, you can use the following command line in your WordPress directory to quickly see which files need to be updated:
Running the command in terminal will give you a list of files that are affected:
In my example above, you can see that only one plugin needs to be updated, and that’s the Akismet plugin. Opening these files and doing a find-and-replace is enough to fix the issue. If we look at the first line in the search, we need to turn $type = $wpdb->escape( $type ); into $type = esc_sql( $type );
Or simply replace $wpdb->escape with esc_sql.
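One way to produce such a list of affected files, as an added example (not the command from the original post). The function names and the sample plugin tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: find PHP files that still call the deprecated wpdb::escape().

# Print "file:line:code" for every $wpdb->escape( or $this->wpdb->escape( call.
# Requiring "(" right after the name keeps escape_by_ref() out of the results.
scan_deprecated_escape() {
    grep -rnE --include='*.php' '\$(this->)?wpdb->escape[[:space:]]*\(' "$1"
}

# Number of hits per file, most affected file first.
count_hits_per_file() {
    scan_deprecated_escape "$1" | cut -d: -f1 | sort | uniq -c | sort -rn
}

# Constructed sample tree (hypothetical plugin names) so the scan runs offline.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/plugins/legacy-plugin" "$root/plugins/updated-plugin"
    cat > "$root/plugins/legacy-plugin/admin.php" <<'PHP'
<?php
$type = $wpdb->escape( $type );
$page = $this->wpdb->escape($page);
PHP
    cat > "$root/plugins/updated-plugin/admin.php" <<'PHP'
<?php
$type = esc_sql( $type );
$wpdb->escape_by_ref( $name );
PHP
    echo "$root"
}

sample=$(make_sample_tree)
scan_deprecated_escape "$sample"   # two hits, both in legacy-plugin/admin.php
count_hits_per_file "$sample"
rm -rf "$sample"
```

On a real install, call scan_deprecated_escape with the path to wp-content from the WordPress directory; the per-file count shows which plugin or theme needs the most edits.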
Thanks, this helpful tip worked 4 me!
Life saver, thank you!
Worked like a charm for me. Thank you!
It’s amazing to me that major plugins (looking at you Backup Buddy) still haven’t resolved this a year later.
Hi guys, thanks for the tip. I looked around for hours, but the problem is that it worked perfectly in one file but not in another. I now have a fatal error: Call to undefined function esc_sql() in… Tried many things in vain; I’m a zero in PHP and not so good in English. Could you help me please? All my sites have been crashed for hours.
Thanks a lot
Unfortunately, you either need to update all the plugins / themes to the latest version and hope that it fixes the issue, or you’ll need to manually go and edit each of the affected files. Make sure you back-up any plugins / files before you edit, so you can revert if something goes wrong.