From 8d65dc246963393c22348dbd28901a7611a90e22 Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Tue, 16 Jul 2013 14:19:03 +0000
Subject: [PATCH] Use wp_slash() in places where we improperly used the DB API instead. see #21767.
git-svn-id: http://core.svn.wordpress.org/trunk@24713 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/includes/ajax-actions.php | 6 +++---
 wp-admin/includes/post.php | 2 +-
 wp-comments-post.php | 6 +++---
 wp-includes/comment.php | 2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/wp-admin/includes/ajax-actions.php b/wp-admin/includes/ajax-actions.php
index ede374db2d..e067ab07eb 100644
--- a/wp-admin/includes/ajax-actions.php
+++ b/wp-admin/includes/ajax-actions.php
@@ -739,9 +739,9 @@ function wp_ajax_replyto_comment( $action ) {
 $user = wp_get_current_user();
 if ( $user->exists() ) {
 $user_ID = $user->ID;
- $comment_author = $wpdb->escape($user->display_name);
- $comment_author_email = $wpdb->escape($user->user_email);
- $comment_author_url = $wpdb->escape($user->user_url);
+ $comment_author = wp_slash( $user->display_name );
+ $comment_author_email = wp_slash( $user->user_email );
+ $comment_author_url = wp_slash( $user->user_url );
 $comment_content = trim($_POST['content']);
 if ( current_user_can( 'unfiltered_html' ) ) {
 if ( wp_create_nonce( 'unfiltered-html-comment' ) != $_POST['_wp_unfiltered_html_comment'] ) {
diff --git a/wp-admin/includes/post.php b/wp-admin/includes/post.php
index 6e53d4017c..be3cf55bf3 100644
--- a/wp-admin/includes/post.php
+++ b/wp-admin/includes/post.php
@@ -646,7 +646,7 @@ function add_meta( $post_ID ) {
 if ( is_protected_meta( $metakey, 'post' ) || ! current_user_can( 'add_post_meta', $post_ID, $metakey ) )
 return false;
- $metakey = esc_sql( $metakey );
+ $metakey = wp_slash( $metakey );
 return add_post_meta( $post_ID, $metakey, $metavalue );
 }
diff --git a/wp-comments-post.php b/wp-comments-post.php
index 194e00f544..7b4a5e9dc0 100644
--- a/wp-comments-post.php
+++ b/wp-comments-post.php
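Review bot: The three new `wp_slash()` assignments slash `$user->display_name` without the empty-name fallback that the parallel hunk in wp-comments-post.php applies just before its identical block (`if ( empty( $user->display_name ) ) $user->display_name=$user->user_login;`), so a logged-in user with a blank display name would presumably end up with an empty comment author on the AJAX path unless that is handled elsewhere in wp_ajax_replyto_comment, whose body continues outside the hunk. The new lines also deserve a comment saying why DB-sourced fields are slashed at all, because `wp_slash()` is not SQL escaping and a later reader may well "fix" it back to esc_sql(): `// Slash user fields read from the DB: the comment-insert path expects slashed ($_POST-style) input, not SQL-escaped data.` The same comment belongs on the matching three lines in wp-comments-post.php.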
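Review bot: The new `$metakey = wp_slash( $metakey );` sits directly after the `is_protected_meta()` / `current_user_can()` check that is evaluated on the unslashed key, and nothing records that this ordering is deliberate; a later reordering would hand a slashed key to the capability check. Suggest a comment on the new line: `// The checks above used the raw key; add_post_meta() expects slashed input, so slash only now.` `$metavalue` is passed through on the next line without the same treatment, which is consistent only if it is still in its slashed request form — add_meta's body starts outside the hunk, so that is worth confirming.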
@@ -57,9 +57,9 @@ $user = wp_get_current_user();
 if ( $user->exists() ) {
 if ( empty( $user->display_name ) )
 $user->display_name=$user->user_login;
- $comment_author = $wpdb->escape($user->display_name);
- $comment_author_email = $wpdb->escape($user->user_email);
- $comment_author_url = $wpdb->escape($user->user_url);
+ $comment_author = wp_slash( $user->display_name );
+ $comment_author_email = wp_slash( $user->user_email );
+ $comment_author_url = wp_slash( $user->user_url );
 if ( current_user_can('unfiltered_html') ) {
 if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {
 kses_remove_filters(); // start with a clean slate
diff --git a/wp-includes/comment.php b/wp-includes/comment.php
index b4020181bc..d3d8db6486 100644
--- a/wp-includes/comment.php
+++ b/wp-includes/comment.php
@@ -1492,7 +1492,7 @@ function wp_update_comment($commentarr) {
 $comment = get_comment($commentarr['comment_ID'], ARRAY_A);
 // Escape data pulled from DB.
- $comment = esc_sql($comment);
+ $comment = wp_slash($comment);
 $old_status = $comment['comment_approved'];
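Review bot: `$comment = wp_slash($comment);` assumes `get_comment()` handed back an array, but for an unknown `comment_ID` it presumably returns null, which `wp_slash()` will likely coerce to `''` through addslashes(); the next line then indexes a string with `$comment['comment_approved']` instead of failing cleanly (the replaced esc_sql() call had the same gap, so this is not a regression). A guard ahead of the slash, `if ( empty( $comment ) ) return 0;` — assuming wp_update_comment keeps its integer row-count return, its body continues outside the hunk — would make the failure explicit. The retained comment `// Escape data pulled from DB.` is now misleading, since wp_slash() adds slashes rather than SQL-escaping; suggest `// Slash data pulled from the DB so it is in the same slashed form as the caller-supplied $commentarr it is presumably merged with.`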