Title: WordPress esc_sql()
Last modified: August 30, 2016

---

# WordPress esc_sql()

 *  [designdrumm](https://wordpress.org/support/users/designdrumm/)
 * (@designdrumm)
 * [10 years, 6 months ago](https://wordpress.org/support/topic/wordpress-esc_sql/)
 * I have looked around and could not find anything similar to my question. If anyone
   can share a link, it would be much appreciated.
 * With WordPress esc_sql() it says…
 * >  Note: Be careful to use this function correctly. It will only escape values
   > to be used in strings in the query. That is, it only provides escaping for 
   > values that will be within quotes in the SQL (as in field = '{$escaped_value}').
   > If your value is not going to be within quotes, your code will still be vulnerable
   > to SQL injection. For example, this is vulnerable, because the escaped value
   > is not surrounded by quotes in the SQL query: ORDER BY {$escaped_value}. As
   > such, this function does not escape unquoted numeric values, field names, or
   > SQL keywords.
 * If I do a query like so:
 *     ```
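       // TABLE_NAME is a constant set elsewhere: define('TABLE_NAME', 'MyTableName');
       $tablename = TABLE_NAME;
       // The table name is interpolated unquoted; only $Var sits inside single quotes.
       $wpdb->query("DELETE FROM ".esc_sql($tablename)." WHERE Var='".esc_sql($Var)."'");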
       ```
   
 * Will I be protected if I use back-ticks when inserting the table name the same
   as I would with the single quotes for the Var value?
 * TIA,
    designdrumm
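
On the question of back-ticks: `esc_sql()` escapes for single- or double-quoted string values and leaves the back-tick character untouched, so wrapping its output in back-ticks does not make an identifier safe. The sketch below is an added example, not part of the original post and not WordPress core code; the helper names `example_quote_table()` and `example_delete_by_var()` and the allowlist contents are assumptions. It checks the table name against an allowlist and passes the value through a `$wpdb->prepare()` placeholder.

```php
<?php
// Added example, not from the original post. Helper names are hypothetical.

/**
 * Return a back-tick quoted identifier only if $name is on the allowlist.
 * esc_sql() is not used for the identifier: it escapes string values and
 * does not touch the back-tick character.
 */
function example_quote_table( string $name, array $allowed ): string {
    if ( ! in_array( $name, $allowed, true ) ) {
        throw new InvalidArgumentException( 'Table name not on allowlist' );
    }
    // Double any back-tick, which is MySQL's escape inside a quoted identifier.
    return '`' . str_replace( '`', '``', $name ) . '`';
}

/**
 * Delete rows whose Var column matches $var.
 * $wpdb is the WordPress database object (global $wpdb in a plugin).
 */
function example_delete_by_var( $wpdb, string $table, string $var ) {
    $allowed = array( 'MyTableName' ); // assumed: the only table this code may touch
    $quoted  = example_quote_table( $table, $allowed );
    // The value goes through a %s placeholder; prepare() quotes and escapes it.
    $sql = $wpdb->prepare( "DELETE FROM {$quoted} WHERE Var = %s", $var );
    return $wpdb->query( $sql );
}

// Constructed inputs; this part runs without WordPress loaded.
$allowed = array( 'MyTableName' );
echo example_quote_table( 'MyTableName', $allowed ), PHP_EOL;
try {
    // Constructed bad input containing a back-tick: rejected, never quoted.
    example_quote_table( 'MyTableName` extra', $allowed );
} catch ( InvalidArgumentException $e ) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

In the post's own query the table name comes from a `define()` constant rather than from user input, so the allowlist matters most once the name can vary at run time.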

The topic ‘WordPress esc_sql()’ is closed to new replies.

## Tags

 * [$wpdb->query](https://wordpress.org/support/topic-tag/wpdb-query/)
 * [wpdb](https://wordpress.org/support/topic-tag/wpdb/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 0 replies
 * 1 participant
 * Last reply from: [designdrumm](https://wordpress.org/support/users/designdrumm/)
 * Last activity: [10 years, 6 months ago](https://wordpress.org/support/topic/wordpress-esc_sql/)
 * Status: not resolved

