If you check out the source for the $wpdb->insert( $table, $data, $format ) method you will find this comment:

> Data to insert (in column => value pairs). Both $data columns and $data values should be "raw" (neither should be SQL escaped).

so you shouldn’t need to do the SQL escape yourself on the data.
As far as I understand the process, the data inserted into the $wpdb->insert() method goes through:
- the $wpdb->prepare() method,
- which uses $wpdb->escape_by_ref(),
- which uses $wpdb->_real_escape(), for non-floating values: ! is_float( $string ),
- that uses the PHP wrapper mysql_real_escape_string() or mysqli_real_escape_string() for WP 3.9+ with PHP 5.5+.
From the PHP docs on the mysql_real_escape_string() function:

> Escapes special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used.
>
> mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
>
> This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.

But as stated in the Codex page you refer to, in older versions of PHP the addslashes can be automatically applied to the $_POST, $_GET and $_REQUEST globals. The Magic Quotes feature is deprecated in PHP 5.3 and removed in 5.4.
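
The following is an added example, not part of the original answer and not WordPress or MySQL source code. It is a simplified model (the function names are hypothetical and the connection character set is ignored) of why values that already went through addslashes() must be unslashed before they reach an insert path that escapes them again:

```php
<?php
// Added example: a simplified model, not WordPress or MySQL source code.

// Models the escaping the PHP docs describe for mysql_real_escape_string():
// a backslash goes in front of NUL, \n, \r, \, ', " and Ctrl-Z.
// Assumption: single-byte view of the string; the real function also
// takes the connection character set into account.
function model_real_escape(string $s): string {
    return strtr($s, [
        "\x00" => '\\0', "\n" => '\\n', "\r" => '\\r', '\\' => '\\\\',
        "'" => "\\'", '"' => '\\"', "\x1a" => '\\Z',
    ]);
}

// Models the server reading the string literal back: the value that is stored.
function model_stored_value(string $escaped): string {
    return strtr($escaped, [
        '\\0' => "\x00", '\\n' => "\n", '\\r' => "\r", '\\\\' => '\\',
        "\\'" => "'", '\\"' => '"', '\\Z' => "\x1a",
    ]);
}

// Hypothetical helper: escape once (as the insert path does), then store.
function model_insert(string $value): string {
    return model_stored_value(model_real_escape($value));
}

$raw     = "O'Reilly said \"hi\"";   // constructed sample input
$slashed = addslashes($raw);         // what Magic Quotes would hand you

// Raw data survives the escape/store round trip unchanged.
var_dump(model_insert($raw) === $raw);
// Pre-slashed data does not come back as the original value...
var_dump(model_insert($slashed) === $raw);
// ...because the extra backslashes are stored as literal characters.
var_dump(model_insert($slashed) === $slashed);
// Removing the slashes first restores the "raw" input the method expects.
var_dump(model_insert(stripslashes($slashed)) === $raw);
```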