Home » Functions » esc_sql

Function Name: esc_sql

Explanation: The esc_sql function in WordPress is a crucial tool for securing database queries by escaping user input. It ensures that any potentially harmful characters are properly handled, preventing SQL injection attacks.

When building database queries in WordPress, it is important to sanitize user input to avoid any malicious code being executed. The esc_sql function provides a reliable way to escape special characters, such as quotes or semicolons, before they are passed to the database.


Let’s say you have a user input field where the user enters their name and you want to store it in the database securely. You can utilize the esc_sql function to sanitize the input before inserting it into the database.

$user_name = $_POST[‘user_name’]; // Assuming ‘user_name’ is the name attribute of the input field

$escaped_user_name = esc_sql($user_name); // Sanitizing the user input

// Now you can safely use the escaped value in your database query $query = "INSERT INTO users (name) VALUES (‘$escaped_user_name’)"; $result = $wpdb->query($query);

In the example above, the user input stored in $user_name is passed through the esc_sql function before being used in the database query. This ensures that the value is properly escaped and protects against any potential SQL injection attacks.

Remember to always use the esc_sql function when dealing with user input that will be used in database queries to maintain the security and integrity of your WordPress website.

Learn More on

WordPress snippets using the esc_sql function

Register an account to save your snippets or go Pro to get more features.