[wp-trac] [WordPress Trac] #56933: Unexpected quotes around search text in custom LIKE queries
WordPress Trac
noreply at wordpress.org
Wed Dec 7 18:05:54 UTC 2022
#56933: Unexpected quotes around search text in custom LIKE queries
-------------------------------------------------+-------------------------
Reporter:  AlanP57                               | Owner:      hellofromTonya
Type:      defect (bug)                          | Status:     closed
Priority:  normal                                | Milestone:  6.1
Component: Database                              | Version:    6.1
Severity:  normal                                | Resolution: fixed
Keywords:  has-testing-info commit has-patch     | Focuses:
           has-unit-tests dev-reviewed           |
-------------------------------------------------+-------------------------
Comment (by craigfrancis):
I've created a new PR to support `%i` -
[https://github.com/WordPress/wordpress-develop/pull/3724 3724].
It supports `'%%%s%%'`, `'%%%s'`, etc., but this undocumented feature will
ideally be removed in the future.
Please note the
[https://developer.wordpress.org/reference/classes/wpdb/prepare/ prepare documentation]
says "percentage wildcards [...] cannot be inserted directly in the query
string". The original example should use `"LIKE %s"` and the value provided
as either:
- `'%' . $search_string . '%'`
- `'%' . $wpdb->esc_like( $search_string ) . '%'`.
Ideally wpdb should quote all user values, as we cannot rely on developers
never making a mistake (as this often introduces an injection
vulnerability).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56933#comment:23>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
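The two ways of building the LIKE pattern discussed in the comment above, as an added example that is not part of the ticket, the PR, or WordPress core. It assumes WordPress is loaded (a global `$wpdb`), a hypothetical `example_` function prefix, and, for the last function only, a `wpdb::prepare()` that understands the `%i` identifier placeholder the linked PR proposes (not available in the 6.1 release the ticket is filed against).

```php
<?php
// Added example (not from the ticket or WordPress core). Assumes WordPress
// is loaded so that the global $wpdb object exists.

/**
 * Recommended form: the wildcards are part of the VALUE, not the query.
 *
 * prepare() escapes and quotes every %s argument, so "LIKE %s" receives
 * one complete, already-quoted pattern. Nothing in the query string itself
 * needs a literal % sign.
 */
function example_search_post_titles( $search_string ) {
    global $wpdb;

    // esc_like() backslash-escapes the LIKE metacharacters %, _ and \ in the
    // user input (core implements it as addcslashes( $text, '_%\\' )). A user
    // searching for "50%_off" therefore matches that literal text instead of
    // "50" followed by anything. The surrounding % added here are the only
    // wildcards that survive into the pattern.
    $pattern = '%' . $wpdb->esc_like( $search_string ) . '%';

    $sql = $wpdb->prepare(
        "SELECT ID, post_title
           FROM {$wpdb->posts}
          WHERE post_type = 'post'
            AND post_status = 'publish'
            AND post_title LIKE %s
          LIMIT %d",
        $pattern,
        20
    );

    return $wpdb->get_results( $sql );
}

/**
 * Fragile form from the original report: wildcards and quotes written into
 * the query string around the placeholder. The result depends on whether
 * prepare() adds its own quotes around %s (the behaviour the ticket title
 * describes as "unexpected quotes"), and the user input is not passed
 * through esc_like(), so a search for "%" matches every row. Kept only to
 * show what the recommended form replaces.
 */
function example_search_post_titles_fragile( $search_string ) {
    global $wpdb;

    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE '%%%s%%'",
        $search_string
    );

    return $wpdb->get_results( $sql );
}

/**
 * Same search with a user-selectable sort column. %i only backtick-quotes
 * the identifier; it does not decide which columns a caller may sort by,
 * so an allow-list check still comes first. Requires a wpdb that supports
 * the %i placeholder (assumption: see lead-in).
 */
function example_search_post_titles_sorted( $search_string, $order_by ) {
    global $wpdb;

    $allowed_columns = array( 'post_title', 'post_date' );
    if ( ! in_array( $order_by, $allowed_columns, true ) ) {
        $order_by = 'post_date';
    }

    $sql = $wpdb->prepare(
        "SELECT ID, post_title
           FROM {$wpdb->posts}
          WHERE post_status = 'publish'
            AND post_title LIKE %s
       ORDER BY %i
          LIMIT %d",
        '%' . $wpdb->esc_like( $search_string ) . '%',
        $order_by,
        20
    );

    return $wpdb->get_results( $sql );
}
```

The distinction worth remembering: `esc_like()` only neutralises LIKE wildcards and is not an SQL escaper, and `prepare()` only escapes and quotes placeholder arguments and does not know about LIKE semantics. Both are needed, in that order, for user-controlled search text.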