Deprecate the escapeString() helper (#4506)
author Tim Düsterhus <duesterhus@woltlab.com>
Tue, 21 Sep 2021 15:39:14 +0000 (17:39 +0200)
committer GitHub <noreply@github.com>
Tue, 21 Sep 2021 15:39:14 +0000 (17:39 +0200)
Developers are strongly encouraged to use prepared statements. If this is not
possible for compatibility reasons, they should use the `->escapeString()`
method directly.

Deprecating the helper ultimately allows cleaning up core.functions.php which
has become a dumping ground for all types of stuff over time.

Co-authored-by: Alexander Ebert <ebert@woltlab.com>
wcfsetup/install/files/lib/core.functions.php

index f98bb53f37509607468d5444e152bc908d5ff451..9212eed50e776491edb3d7f8aa1129ead976b041 100644 (file)
@@ -18,11 +18,7 @@ namespace {
        spl_autoload_register([WCF::class, 'autoload']);
        
        /**
-        * Escapes a string for use in sql query.
-        * 
-        * @see \wcf\system\database\Database::escapeString()
-        * @param       string          $string
-        * @return      string
+        * @deprecated 5.5 Use prepared statements if possible. Directly call WCF::getDB()->escapeString() if prepared statements cannot be used.
         */
        function escapeString($string) {
                return WCF::getDB()->escapeString($string);
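Review bot: in the docblock above `function escapeString($string)`, the new `@deprecated` line replaces the entire comment, so the `@param string $string` and `@return string` tags are dropped while the function stays in place with no type declarations in its signature. Keeping those two tags (and the `@see` reference) alongside `@deprecated` would preserve the only type information that callers and static analysis have for this helper. The deprecation is also annotation-only: the body still forwards to `WCF::getDB()->escapeString($string)` with no runtime notice, so existing callers will learn about it only through tooling that reads the docblock.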