[wp-trac] [WordPress Trac] #10041: like_escape() should escape backslashes too
WordPress Trac
wp-trac at lists.automattic.com
Thu Feb 4 23:37:16 UTC 2010
#10041: like_escape() should escape backslashes too
--------------------------------------------+-------------------------------
Reporter: miau_jp | Owner:
Type: defect (bug) | Status: reopened
Priority: low | Milestone: 3.0
Component: Formatting | Version: 2.8
Severity: minor | Resolution:
Keywords: has-patch early has-unit-tests |
--------------------------------------------+-------------------------------
Comment(by miqrogroove):
#12123 closed as dupe. See also [12961].
In the course of discussing the input paths in IRC, we came to some
conclusions:
1. Super-global variables should be addslashes() instead of
wpdb->escape(). That was changed in [12961].
2. I discovered the list of like-special chars is not limited to \ % _
Apparently single and double quotes are also special at the LIKE layer, so
searching literally for hello\\'world becomes an interesting test case.
This contradicts the MySQL manual, but appears to be accurate. I also
confirmed \x, \0, \r, and \n are not special at the LIKE layer.
3. We did not yet decide on a new pattern for calling like_escape(). Any
time a super-global variable is passed in, it must be stripslashes()
first. We could make that a requirement, or we could create a second
function like_escape_global() that includes the call to stripslashes().
In any case, escape() or prepare() must still be used after like_escape(),
unless there are more changes.
4. Most instances of LIKE do not currently use like_escape(). A partial
list was included in #12060.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/10041#comment:10>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
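Added example, not part of the Trac comment above and not WordPress core code: a stand-alone PHP sketch of the call pattern discussed in point 3, where a slashed super-global value is stripslashes()'d, then LIKE-escaped for \ % _ (the backslash handling this ticket asks for), then SQL-escaped before being wrapped in a LIKE pattern. The helper names demo_like_escape(), demo_sql_escape(), build_like_pattern() and build_like_pattern_no_strip() are hypothetical; addslashes() stands in for $wpdb->escape()/prepare() so the script runs without a database, and the wp_posts query is illustrative only.

```php
<?php
// Added example (hypothetical helpers, not WordPress core code).
// Shows the escaping order from the Trac comment: super-global value
// (already slashed) -> stripslashes() -> LIKE-escape -> SQL-escape.

// Stand-in for a like_escape() that also escapes backslashes.
// The backslash is handled first so the backslashes inserted for
// % and _ are not themselves doubled by a later replacement.
function demo_like_escape($text) {
    return str_replace(array('\\', '%', '_'), array('\\\\', '\\%', '\\_'), $text);
}

// Stand-in for the SQL string-escaping step ($wpdb->escape() or a %s in
// $wpdb->prepare()). addslashes() is used only so this runs offline.
function demo_sql_escape($text) {
    return addslashes($text);
}

// Correct order: undo the super-global slashes, neutralise LIKE wildcards,
// then escape for the SQL string literal and wrap in % for a substring search.
function build_like_pattern($raw_superglobal_value) {
    $literal = stripslashes($raw_superglobal_value);
    $like    = demo_like_escape($literal);
    return '%' . demo_sql_escape($like) . '%';
}

// The mistake point 3 warns about: LIKE-escaping the slashed value directly.
// The extra slashes survive both decoding layers, so MySQL looks for three
// literal backslashes where the user typed one.
function build_like_pattern_no_strip($raw_superglobal_value) {
    $like = demo_like_escape($raw_superglobal_value);
    return '%' . demo_sql_escape($like) . '%';
}

// Constructed input: the user typed   50%_off\'s   into a search box.
$typed       = "50%_off\\'s";       // literal value: 50%_off\'s
$as_received = addslashes($typed);  // what core code sees in $_GET/$_POST

echo "typed:    $typed\n";
echo "received: $as_received\n";
echo "good:     SELECT ID FROM wp_posts WHERE post_title LIKE '"
   . build_like_pattern($as_received) . "'\n";
echo "bad:      SELECT ID FROM wp_posts WHERE post_title LIKE '"
   . build_like_pattern_no_strip($as_received) . "'\n";
```

With the correct order the SQL parser decodes the literal to %50\%\_off\\'s%, and the LIKE layer then treats \%, \_ and \\ as the literal characters %, _ and \, so the query matches exactly the title fragment the user typed; skipping stripslashes() leaves the pattern matching a different string.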