Actually, the development version of WordPress has been implementing a new “prepare” method of the WordPress DB class. The “prepare” method uses vsprintf to makes sure sure, for example, that integers are truly integers, which should accomplish the same thing as Kierznowski’s proposed escape_int and escape_str methods.

And WordPress once actually did use mysql_real_escape_string(), over two and a half years ago. The problem is that WordPress’s minimum requirements specify only that one use PHP version 4.2 or newer. However, mysql_real_escape_string() was not introduced until PHP version 4.3.0, so WordPress had to rely on an alternate way of escaping queries, one that apparently has caused some trouble, so the whole thing was bypassed. However, PHP 4.3.0 functions have crept into development WordPress already, so it’s likely by the time of the next release (version 2.5) in the spring, that the minimum version will have increased and WordPress will be free to use mysql_real_escape_string.