Why line returns are not reapply after doing esc_sql?

That’s not what esc_sql is for, or what it should be used for.

Safely Escaping Variables In SQL Queries

To make variables safe for an SQL query, use $wpdb->prepare, e.g.

$table_name = "{$wpdb->prefix}myTable";
$myID = 12;
 
$wpdb->query(
    $wpdb->prepare(
        "UPDATE `$table_name` SET `your_column_1` = 1 WHERE `$table_name`.`your_column_id` = %d",
        $myID
    )
);

Notice that $myID is safely inserted into the SQL query using $wpdb->prepare, and is not directly included in the query string. esc_sql is not used here.

Safely Escaping Query Results

To escape data you have retrieved from the database on output, use the function that matches the context it’s being displayed in

  • esc_html for non-HTML text
  • esc_attr for HTML tag attributes
  • esc_url for URLs
  • wp_kses_post for content with tags allowed in post content

When Should I Use esc_sql?

Very, very, rarely:

Usually you should prepare queries using wpdb::prepare(). Sometimes, spot-escaping is required or useful. One example is preparing an array for use in an IN clause.

and

Be careful in using this function correctly. It will only escape values to be used in strings in the query. That is, it only provides escaping for values that will be within quotes in the SQL (as in field = ‘{$escaped_value}’). If your value is not going to be within quotes, your code will still be vulnerable to SQL injection. For example, this is vulnerable, because the escaped value is not surrounded by quotes in the SQL query: ORDER BY {$escaped_value}. As such, this function does not escape unquoted numeric values, field names, or SQL keywords.

https://developer.wordpress.org/reference/functions/esc_sql/

Most WP developers will never use or encounter esc_sql and that’s a good thing.

Related Posts:

  1. What is the difference between “INNER JOIN” and “OUTER JOIN”?
  2. Unknown column in ‘field list’ error on MySQL Update query
  3. Conversion failed when converting date and/or time from character string while inserting datetime
  4. how to fix oracle ORA-01722 invalid number error
  5. MySQL – Operand should contain 1 column(s)
  6. SQL SELECT WHERE field contains words
  7. MySQL Error: : ‘Access denied for user ‘root’@’localhost’
  8. How to create Temp table with SELECT * INTO tempTable FROM CTE Query
  9. NOT IN vs NOT EXISTS
  10. ORA-00979 not a group by expression
  11. Using group by on multiple columns
  12. Efficiently convert rows to columns in sql server
  13. How can I do a FULL OUTER JOIN in MySQL?
  14. Nested select statement in SQL Server
  15. How do I escape a single quote in SQL Server?
  16. What’s the difference between VARCHAR and CHAR?
  17. T-SQL split string based on delimiter
  18. Finding duplicate values in a SQL table
  19. MySQL Cannot Add Foreign Key Constraint
  20. Oracle error : ORA-00905: Missing keyword
  21. How to split the name string in mysql?
  22. How do I import an SQL file using the command line in MySQL?
  23. Sql Server equivalent of a COUNTIF aggregate function
  24. Column name or number of supplied values does not match table definition
  25. How do I do multiple CASE WHEN conditions using SQL Server 2008?
  26. Difference between JOIN and INNER JOIN
  27. ORA-12560: TNS:protocol adaptor error
  28. What is the difference between JOIN and UNION?
  29. MySQL Multiple Joins in one query?
  30. “CASE” statement within “WHERE” clause in SQL Server 2008
  31. ORA-00972 identifier is too long alias column name
  32. What is the difference between Scope_Identity(), Identity(), @@Identity, and Ident_Current()?
  33. SQL – HAVING vs. WHERE
  34. What’s the difference between RANK() and DENSE_RANK() functions in oracle?
  35. Combining “LIKE” and “IN” for SQL Server
  36. Oracle – ORA-01489: result of string concatenation is too long [duplicate]
  37. SQL Server WITH statement
  38. How to SUM two fields within an SQL query
  39. DateTime2 vs DateTime in SQL Server
  40. Difference between numeric, float and decimal in SQL Server
  41. “ORA-01438: value larger than specified precision allowed for this column” when inserting 3
  42. Algebra Relational sql GROUP BY SORT BY ORDER BY
  43. Oracle “Partition By” Keyword
  44. ERROR: there is no unique constraint matching given keys for referenced table “bar”
  45. What is the equivalent of ‘describe table’ in SQL Server?
  46. How do I query for all dates greater than a certain date in SQL Server?
  47. Add a column with a default value to an existing table in SQL Server
  48. Cast from VARCHAR to INT – MySQL
  49. SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax — PHP — PDO [duplicate]
  50. Using group by on multiple columns
  51. What is the purpose of using WHERE 1=1 in SQL statements?
  52. Conversion failed when converting the varchar value ‘simple, ‘ to data type int
  53. postgresql: error duplicate key value violates unique constraint
  54. Is there a workaround for ORA-01795: maximum number of expressions in a list is 1000 error?
  55. How do you force mysql LIKE to be case sensitive?
  56. ORA-06502: PL/SQL: numeric or value error: character string buffer too small
  57. What is the difference between a stored procedure and a view?
  58. Bulk load data conversion error (truncation)
  59. Insert into a MySQL table or update if exists
  60. Convert timestamp to date in Oracle SQL
  61. How to order by with union in SQL?
  62. Update statement with inner join on Oracle
  63. PostgreSQL create table if not exists
  64. Incorrect syntax near ”
  65. MySQL: Can’t create table (errno: 150)
  66. Join vs. sub-query
  67. Alternative to except in MySQL
  68. DATEDIFF function in Oracle
  69. GROUP BY and COUNT using ActiveRecord
  70. MySQL – Get row number on select
  71. Arithmetic overflow error converting varchar to data type numeric. ’10’ <= 9.00
  72. Difference between EXISTS and IN in SQL?
  73. What does * mean in sql?
  74. How to truncate the text returned for a column in a MySQL query
  75. INSERT VALUES WHERE NOT EXISTS
  76. Using union and order by clause in mysql
  77. Difference between `load data inpath ` and `location` in hive?
  78. How to implement LIMIT with SQL Server? [duplicate]
  79. What’s the best way to dedupe a table?
  80. Moving database with phpMyAdmin
  81. How To Write An Inner Join With WP Query
  82. How do I escape a table name or column name in SQL? esc_sql doesn’t do this
  83. Update user_login, user_nicename, and display_name
  84. Change sticky status of posts from phpMyAdmin
  85. Fetch all Posts where logged in user has commented
  86. Best Way to Merge a Dev and Live Site to Become a Staging Site?
  87. Needing to move content from postmeta to posts in sql [closed]
  88. How to import a Typo3 database to a wordpress site?
  89. WordPress can I manually add columns in users table and display it in the default manage user plugin and registration form? [closed]
  90. What does the $posts_join filter join to?
  91. Help me SELECT thumbnail from SQL and use
  92. How to delete ALL comments from certain category in WordPress database?
  93. Why is my insert row only inserting the final row from the loop into the database rather than just inserting one
  94. What steps do I need to take to install a local copy of a live website?
  95. Duplicate WP Migration affecting site on separate domain?
  96. Analog category_and (WP) in sql query
  97. Creating a “forum” – showing last post or last commented post
  98. SQL query to check whether a meta key is set or not for a post in post_meta table
  99. How to get the sum of each post with the same date
  100. How to dump a Microsoft SQL Server database to a SQL script?