
WordPress 3.6: Fixing wpdb::escape Deprecation Errors

WordPress v3.6 was recently released, and as such, not all themes and plugins have been updated to support the new version. If you have PHP error_reporting turned on with E_NOTICES enabled, you are likely to see errors like “Notice: wpdb::escape is deprecated since version 3.6! Use wpdb::prepare() or esc_sql() instead.”

These errors are common with third-party themes and plugins – especially ones that haven’t been updated in a while.

The Cause:

The error occurs because a function used to “escape” strings before they are stored in the database has been deprecated. Escaping is the process of neutralising characters that can lead to SQL injection and XSS. The existing escape() function was deprecated in WordPress v3.6 RC2 and missed the previous release, so the change may have gone unnoticed.

The reason for this deprecation was security related, so it could not be avoided. The wpdb::escape() function (found in wp-includes/wp-db.php) has been replaced with the newer esc_sql() function.

The Fix:

In the short-term, you can fix the problem yourself. There are two possible solutions:

1. Update PHP Settings (Quick)

Update your PHP init settings to stop reporting E_NOTICES errors. This option is not recommended, as it’s just masking the errors and not really fixing them. Since the error is just a notice, it’s not going to break anything and it’s the quickest way to fix your WordPress site.

However, this won’t be possible for everyone to do, as you need the ability to change your PHP settings – something that is not possible on shared hosting providers. If you are on a VPS or dedicated hosting provider, this is a very quick fix for you.

2. Fix the Theme or Plugins Manually (Recommended)

This is the longest but also the recommended option. You basically have to manually go through all your plugins or themes to look for references to $wpdb->escape or $this->wpdb->escape and replace all instances with esc_sql. It’s a straightforward find-and-replace, but it just means going through a lot of files.

If you’re on Linux or Mac, you can use the following command line in your WordPress directory to quickly see which files need to be updated:

See the gist on github.

Running the command in terminal will give you a list of files that are affected:

In my example above, you can see that only one plugin needs to be updated, and that’s the Akismet plugin. Opening these files and doing a find-and-replace is enough to fix the issue. If we look at the first line in the search, we need to turn $type  = $wpdb->escape( $type ); into $type  = esc_sql( $type );

Or simply replace $wpdb->escape with esc_sql.
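The find-and-replace described above, written out as an added example (this is not the author’s gist, which is not reproduced here, and not WordPress code). It locates both call forms, rewrites them to esc_sql() while leaving the argument list untouched, and counts what is left so you can confirm the tree is clean; the wp-content path and the sample plugin file are constructed for the demo.

```sh
#!/bin/sh
# Added example: find deprecated wpdb::escape() calls under a WordPress tree
# and rewrite them to esc_sql(). Both $wpdb->escape( and $this->wpdb->escape(
# are matched; the closing paren and the arguments are left alone.
WPDB_ESCAPE_RE='\$(this->)?wpdb->escape\('

# Print file:line for every deprecated call in *.php files under $1.
find_wpdb_escape() {
    grep -rnE --include='*.php' "$WPDB_ESCAPE_RE" "$1"
}

# Count remaining deprecated calls under $1; 0 means the fix is complete.
count_wpdb_escape() {
    grep -rE --include='*.php' "$WPDB_ESCAPE_RE" "$1" | wc -l | tr -d ' '
}

# Rewrite one file in place, keeping a .bak copy so the change can be reverted.
# $type  = $wpdb->escape( $type );  becomes  $type  = esc_sql( $type );
fix_wpdb_escape_file() {
    cp "$1" "$1.bak" && sed -E "s/${WPDB_ESCAPE_RE}/esc_sql(/g" "$1.bak" > "$1"
}

# Demo on a constructed plugin file (sample input, not a real plugin).
demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/plugins/sample"
    cat > "$dir/wp-content/plugins/sample/sample.php" <<'EOF'
<?php
$type  = $wpdb->escape( $type );
$name  = $this->wpdb->escape( $name );
$safe  = esc_sql( $other ); // already correct, must stay as-is
EOF
    echo "before: $(count_wpdb_escape "$dir") deprecated call(s)"
    find_wpdb_escape "$dir"
    for f in $(grep -rlE --include='*.php' "$WPDB_ESCAPE_RE" "$dir"); do
        fix_wpdb_escape_file "$f"
    done
    echo "after: $(count_wpdb_escape "$dir") deprecated call(s)"
    rm -rf "$dir"
}

demo
```

Run count_wpdb_escape against wp-content after the rewrite; any non-zero result points at files the regex did not cover (for example a call split across lines), which should then be edited by hand.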
