[wp-trac] [WordPress Trac] #10041: like_escape() should escape backslashes too
WordPress Trac
noreply at wordpress.org
Mon May 19 14:20:31 UTC 2014
#10041: like_escape() should escape backslashes too
---------------------------------+-----------------------------
Reporter: miau_jp | Owner:
Type: defect (bug) | Status: reopened
Priority: high | Milestone: Future Release
Component: Formatting | Version: 2.8
Severity: normal | Resolution:
Keywords: 4.0-early has-patch | Focuses:
---------------------------------+-----------------------------
Comment (by Denis-de-Bernardy):
+1 to suggested alternative implementation in the latest patch. Quick and
dirty tests:
{{{
// Current implementation: escapes only the LIKE wildcards, not the backslash
function esc_like_orig($str) {
    return str_replace(array("%", "_"), array("\\%", "\\_"), $str);
}
// Suggested in the original report: equivalent to the above, so still misses the backslash
function esc_like_bad($str) {
    return addcslashes($str, '_%');
}
// Suggested in the latest patch: escape the escape character itself as well
function esc_like1($str) {
    return addcslashes($str, '_%\\');
}
// Suggested earlier: addslashes() for the backslash and quotes, then the LIKE wildcards
function esc_like2($str) {
    return addcslashes(addslashes($str), '%_');
}

global $wpdb; // WordPress database handle
foreach (array(
    'foo%bar',
    'foo_bar',
    'foo\\bar',
    'foo\'bar',
    'foo"bar',
    'foo\'"\\b\\%_a_%\\\'"r',
) as $val) {
    echo "<h1>$val</h1>";
    // For each escaper dump the escaped string, then the LIKE result obtained via
    // $wpdb->prepare() and via esc_sql(); a correct escaper yields string(1) "1" for both
    foreach (array('esc_like_orig', 'esc_like_bad', 'esc_like1', 'esc_like2') as $fn) {
        var_dump(
            $fn($val),
            $wpdb->get_var($wpdb->prepare("SELECT %s LIKE %s", $val, $fn($val))),
            $wpdb->get_var("SELECT '" . esc_sql($val) . "' LIKE '" . esc_sql($fn($val)) . "'")
        );
    }
}
}}}
In the above, `esc_like1()` (suggested in the patch) and `esc_like2()`
(suggested earlier) cover the bases as needed, in contrast to the current
implementation (`esc_like_orig()`) and `esc_like_bad()` which was
incorrectly suggested in the original report.
I'd add the keyword "commit", but I don't seem to be able to.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/10041#comment:42>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
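The following is an added example, not code from the ticket or from WordPress, that reproduces the comparison above in Python against SQLite. It assumes two things stated here rather than on the page: MySQL treats a backslash as the default LIKE escape character, while SQLite has no default and needs an explicit `ESCAPE '\'` clause to behave the same way; and parameter binding stands in for `$wpdb->prepare()`, so the quote characters in the samples are handled by the driver and only the LIKE-level escaping is under test. The function names (`esc_like_orig`, `esc_like_fixed`, `like_matches`, `exact_match_report`) and the sample list are this example's own.

```python
import sqlite3

# Sample values constructed for this example; they mirror the list in the ticket comment.
SAMPLE_VALUES = [
    "foo%bar",
    "foo_bar",
    "foo\\bar",
    "foo'bar",
    'foo"bar',
    "foo'\"\\b\\%_a_%\\'\"r",
]


def esc_like_orig(s: str) -> str:
    """Behaviour the ticket calls the current implementation: only % and _ get a backslash."""
    return s.replace("%", "\\%").replace("_", "\\_")


def esc_like_fixed(s: str) -> str:
    """Behaviour of the patch's addcslashes($str, '_%\\'): the backslash is escaped too.

    The backslash must be doubled first, otherwise the backslashes added for
    % and _ would themselves be doubled on a later pass.
    """
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def like_matches(value: str, pattern: str) -> bool:
    """Evaluate `value LIKE pattern` with backslash as the escape character.

    Both operands are bound as parameters, which is the role $wpdb->prepare()
    plays in the ticket; ESCAPE '\\' is declared explicitly because SQLite,
    unlike MySQL, has no default LIKE escape character (assumption of this example).
    """
    con = sqlite3.connect(":memory:")
    try:
        row = con.execute("SELECT ? LIKE ? ESCAPE '\\'", (value, pattern)).fetchone()
    finally:
        con.close()
    return bool(row[0])


def exact_match_report(escaper) -> dict:
    """For each sample value, does `value LIKE escaper(value)` match the value itself?

    A correct escaper returns True for every entry: the escaped pattern must match
    the literal string it was built from, wildcards and backslashes included.
    """
    return {v: like_matches(v, escaper(v)) for v in SAMPLE_VALUES}


if __name__ == "__main__":
    for name, fn in (("orig", esc_like_orig), ("fixed", esc_like_fixed)):
        for value, ok in exact_match_report(fn).items():
            print(f"{name:5} {value!r:32} pattern={fn(value)!r:40} literal match: {ok}")
    # An unescaped % still acts as a wildcard; the fixed escaper neutralises it.
    print("fooXbar LIKE foo%bar          ->", like_matches("fooXbar", "foo%bar"))
    print("fooXbar LIKE esc(foo%bar)     ->", like_matches("fooXbar", esc_like_fixed("foo%bar")))
```

Running it shows the defect the ticket is about: with `esc_like_orig`, the pattern for `foo\bar` is `foo\bar`, which the LIKE engine reads as the escape sequence `\b` followed by `ar`, so it no longer matches the literal value; `esc_like_fixed` produces `foo\\bar` and matches. The last two lines show that escaping is still doing its job on `%` and `_`, so the fix adds backslash handling without loosening anything.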