[wp-trac] [WordPress Trac] #42653: % sign is changed to alphanumeric combination of numbers in curly braces, by core.

WordPress Trac noreply at wordpress.org
Wed Nov 22 09:12:45 UTC 2017


#42653: % sign is changed to alphanumeric combination of numbers in curly braces,
by core.
---------------------------+------------------------------
 Reporter:  hostingreview  |       Owner:
     Type:  defect (bug)   |      Status:  new
 Priority:  normal         |   Milestone:  Awaiting Review
Component:  Query          |     Version:  4.9
 Severity:  normal         |  Resolution:
 Keywords:  2nd-opinion    |     Focuses:  template
---------------------------+------------------------------

Comment (by hostingreview):

 Replying to [comment:2 johnjamesjacoby]:
 > Replying to [comment:1 jeremyescott]:
 > > So you might want to review the whys behind 4.8.3's security patch.
 > >
 > > https://make.wordpress.org/core/2017/10/31/changed-behaviour-of-esc_sql-in-wordpress-4-8-3/
 > >
 > > This isn't a bug, I'm pretty sure.
 >
 > The hashing itself is intentional, but if you're seeing them, either
 > something is wrong or you've hooked in to the `query` filter before
 > they're swapped back.
 >
 > See this comment from @otto42 specifically, which describes exactly the
 > issue you're seeing:
 >
 > https://make.wordpress.org/core/2017/10/31/changed-behaviour-of-esc_sql-in-wordpress-4-8-3/#comment-33156
 >
 > I wasn't a ''huge'' fan of this approach for the reasons outlined above,
 > but I also don't have a better solution yet either.
 >
 > Suggest to close as wontfix, but I've added the 2nd Opinion keyword to
 > get others to chime in. cc @pento.

 I've hooked into this with this:
 {{{#!php
 <?php
 /**
  * Filter for Hosting Companies Listing, for special ranking functionality.
  *
  * @param $where
  *
  * @return mixed|string
  */
 function where_rank_by_category( $where ) {
         global $wpdb;
         if ( strpos( $where, "ranking_" ) !== false ) {
                 $where = str_replace( "meta_key = 'ranking_%", "meta_key LIKE 'ranking_%", $wpdb->remove_placeholder_escape( $where ) );
                 $where .= ' AND LEFT(mt1.meta_key, LOCATE(\'_rank\', mt1.meta_key)) = LEFT(mt2.meta_key, LOCATE(\'_rank\', mt2.meta_key))';
         }

         return $where;
 }
 }}}

 $wpdb->remove_placeholder_escape wasn't there before. I've added it after
 reading this:
 [https://make.wordpress.org/core/2017/10/31/changed-behaviour-of-esc_sql-in-wordpress-4-8-3/#comment-33136]

--
Ticket URL: <https://core.trac.wordpress.org/ticket/42653#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
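
An added example, not code from the ticket or from WordPress core: a stand-alone PHP model of the `%` placeholder swap discussed above, showing why a literal match on `ranking_%` fails inside a WHERE filter and one way to rewrite the clause and hand it back escaped. `PlaceholderModel` and `rank_where_filter` are hypothetical names, the sample clause is constructed, and re-escaping before returning is an assumption of this example rather than something the ticket prescribes.

```php
<?php
// Added illustration: a stand-alone model of the 4.8.3 placeholder escape.
// PlaceholderModel is hypothetical; only the three method names mirror wpdb.
final class PlaceholderModel {
    private $token = null;

    public function placeholder_escape() {
        if ( null === $this->token ) {
            // Constructed token for this model; core generates its own.
            $this->token = '{' . hash( 'sha256', random_bytes( 16 ) ) . '}';
        }
        return $this->token;
    }

    public function add_placeholder_escape( $query ) {
        return str_replace( '%', $this->placeholder_escape(), $query );
    }

    public function remove_placeholder_escape( $query ) {
        return str_replace( $this->placeholder_escape(), '%', $query );
    }
}

// Same rewrite as the ticket's filter, but the clause is re-escaped on return
// (an assumption of this example) so code running later sees no bare %.
function rank_where_filter( PlaceholderModel $db, $where ) {
    $plain = $db->remove_placeholder_escape( $where );
    if ( false === strpos( $plain, "meta_key = 'ranking_%" ) ) {
        return $where; // not our clause: hand it back untouched
    }
    $plain = str_replace( "meta_key = 'ranking_%", "meta_key LIKE 'ranking_%", $plain );
    return $db->add_placeholder_escape( $plain );
}

$db = new PlaceholderModel();
// Constructed sample: what a WHERE filter callback receives after escaping.
$where = $db->add_placeholder_escape( " AND mt1.meta_key = 'ranking_%'" );

// A literal search for "ranking_%" misses while % is replaced by the token.
var_dump( false === strpos( $where, "meta_key = 'ranking_%" ) );

$filtered = rank_where_filter( $db, $where );
var_dump( false === strpos( $filtered, '%' ) );             // no bare % in transit
echo $db->remove_placeholder_escape( $filtered ), PHP_EOL;  // clause as the database sees it
```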

