Notice: The wpdb :: escape function from version 3.6 is deprecated! Use wpdb :: prepare () or esc_sql ().
if ( $user->exists() ) { if ( empty( $user->display_name ) ) $user->display_name=$user->user_login; $comment_author = $wpdb->escape($user->display_name); $comment_author_email = $wpdb->escape($user->user_email); $comment_author_url = $wpdb->escape($user->user_url); $user_ID = get_current_user_id(); if ( current_user_can('unfiltered_html') ) { if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) { kses_remove_filters(); // start with a clean slate kses_init_filters(); // set up the filters } } } else { if ( get_option('comment_registration') || 'private' == $status ) wp_die( 'Вы должны зарегистрироваться или войти, чтобы оставлять комментарии.' ); } just $ wpdb-> prepare instead of $ wpdb-> escape does not work
Notice: The wpdb :: prepare function was called incorrectly. The request argument of the wpdb :: prepare () method must contain a conversion handle.
$wpdb->prepare();Required for parameterized queries . You are trying to apply it to data that you have already received. It is desirable to sanitize the obtained data. For WP found this . Anyway, no one bothers you to use strip_tags and htmlspecialchars for string data, or native filters . - romeo