+ function _escape($data) {
+ if ( is_array($data) ) {
+ foreach ( (array) $data as $k => $v ) {
+ if ( is_array($v) )
+ $data[$k] = $this->_escape( $v );
+ else
+ $data[$k] = $this->_real_escape( $v );
+ }
+ } else {
+ $data = $this->_real_escape( $data );
+ }
+
+ return $data;
+ }
+
+ /**
+ * Escapes content for insertion into the database using addslashes(), for security
+ *
+ * @since 0.71
+ *
+ * @param string|array $data
+ * @return string query safe string
+ */
+ function escape($data) {
+ if ( is_array($data) ) {
+ foreach ( (array) $data as $k => $v ) {
+ if ( is_array($v) )
+ $data[$k] = $this->escape( $v );
+ else
+ $data[$k] = $this->_weak_escape( $v );
+ }
+ } else {
+ $data = $this->_weak_escape( $data );
+ }
+
+ return $data;
+ }
+
+ /**
+ * Escapes content by reference for insertion into the database, for security
+ *
+ * @since 2.3.0
+ *
+ * @param string $s
+ */
+ function escape_by_ref(&$string) {
+ $string = $this->_real_escape( $string );
+ }
+
+ /**
+ * Prepares a SQL query for safe execution. Uses sprintf()-like syntax.
+ *
+ * This function only supports a small subset of the sprintf syntax; it only supports %d (decimal number), %s (string).
+ * Does not support sign, padding, alignment, width or precision specifiers.
+ * Does not support argument numbering/swapping.
+ *
+ * May be called like {@link http://php.net/sprintf sprintf()} or like {@link http://php.net/vsprintf vsprintf()}.
+ *
+ * Both %d and %s should be left unquoted in the query string.
+ *
+ * <code>
+ * wpdb::prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d", "foo", 1337 )
+ * </code>
+ *
+ * @link http://php.net/sprintf Description of syntax.
+ * @since 2.3.0
+ *
+ * @param string $query Query statement with sprintf()-like placeholders
+ * @param array|mixed $args The array of variables to substitute into the query's placeholders if being called like {@link http://php.net/vsprintf vsprintf()}, or the first variable to substitute into the query's placeholders if being called like {@link http://php.net/sprintf sprintf()}.
+ * @param mixed $args,... further variables to substitute into the query's placeholders if being called like {@link http://php.net/sprintf sprintf()}.
+ * @return null|string Sanitized query string
+ */
+ function prepare($query = null) { // ( $query, *$args )
+ if ( is_null( $query ) )
+ return;
+ $args = func_get_args();
+ array_shift($args);
+ // If args were passed as an array (as in vsprintf), move them up
+ if ( isset($args[0]) && is_array($args[0]) )
+ $args = $args[0];
+ $query = str_replace("'%s'", '%s', $query); // in case someone mistakenly already singlequoted it
+ $query = str_replace('"%s"', '%s', $query); // doublequote unquoting
+ $query = str_replace('%s', "'%s'", $query); // quote the strings
+ array_walk($args, array(&$this, 'escape_by_ref'));
+ return @vsprintf($query, $args);
+ }