[wp-trac] [WordPress Trac] #57149: get_table_from_query() doesn't properly handle a prepared escape_like() table name
WordPress Trac
noreply at wordpress.org
Tue Jan 3 18:15:43 UTC 2023
#57149: get_table_from_query() doesn't properly handle a prepared escape_like() table name
--------------------------+------------------------------
Reporter: prettyboymp | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Database | Version:
Severity: normal | Resolution:
Keywords: | Focuses: multisite
--------------------------+------------------------------
Comment (by prettyboymp):
Replying to [comment:1 johnjamesjacoby]:
>
> Conclusions:
> 1. Table names & Columns in `SHOW ... LIKE %s` queries...
> * ''most likely'' should not use `$wpdb->esc_like()`
> * ''most likely'' should not use `$wpdb->prepare()`
> * ...because it is not absolutely certain that "`_`" is intended to be wild or literal
Based on the documentation for `$wpdb->esc_like()`, we should be able to
assume that "`_`" is intended to be literal. Any wildcards should be added
to the like string after `$wpdb->esc_like()` is applied to it.
{{{#!php
/**
...
* Example Prepared Statement:
*
* $wild = '%';
* $find = 'only 43% of planets';
* $like = $wild . $wpdb->esc_like( $find ) . $wild;
 * $sql = $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_content LIKE '%s'", $like );
...
*/
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57149#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
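The LIKE escaping prettyboymp points to in the docblock, as an added example that is not part of the ticket or of WordPress core: `esc_like_demo()` reimplements what `$wpdb->esc_like()` does with `addcslashes()`, and `like_to_regex()` / `like_matches()` are assumed helpers that evaluate a MySQL LIKE pattern offline, so the effect of an escaped `_` in a table name can be seen without a database.

```php
<?php
// Added example, not code from the ticket or from WordPress core. esc_like_demo()
// reimplements what $wpdb->esc_like() does: escape the LIKE metacharacters
// '_' and '%' (and the backslash itself) so they match literally.
function esc_like_demo(string $text): string
{
    return addcslashes($text, '_%\\');
}

// Translate a MySQL LIKE pattern (backslash escape character) into a PCRE
// regex so matching can be checked offline, without a database.
function like_to_regex(string $pattern): string
{
    $re  = '';
    $len = strlen($pattern);
    for ($i = 0; $i < $len; $i++) {
        $c = $pattern[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $re .= preg_quote($pattern[++$i], '/');   // escaped: literal char
        } elseif ($c === '%') {
            $re .= '.*';                                // any run of chars
        } elseif ($c === '_') {
            $re .= '.';                                 // exactly one char
        } else {
            $re .= preg_quote($c, '/');
        }
    }
    return '/^' . $re . '$/s';
}

function like_matches(string $pattern, string $subject): bool
{
    return preg_match(like_to_regex($pattern), $subject) === 1;
}

// Constructed table names: the intended one and a look-alike that differs
// only at the position of the underscore.
$table     = 'wp_posts';
$lookalike = 'wpXposts';

// Unescaped, '_' is a one-character wildcard, so the look-alike is compared as a match candidate.
printf("raw      %-10s vs %s: %s\n", $table, $lookalike, var_export(like_matches($table, $lookalike), true));

// Escaped per the docblock, '_' is literal; any wildcard is appended after escaping.
$literal = esc_like_demo($table);
printf("escaped  %-10s vs %s: %s\n", $literal, $lookalike, var_export(like_matches($literal, $lookalike), true));
printf("escaped  %-10s vs %s: %s\n", $literal, $table, var_export(like_matches($literal, $table), true));
printf("prefix   %-10s vs %s: %s\n", $literal . '%', $table . 'meta', var_export(like_matches($literal . '%', $table . 'meta'), true));
```

The escaped name is what get_table_from_query() receives once a prepared `SHOW ... LIKE %s` query has been built, so any table-name parsing has to account for the backslash that esc_like() inserts before `_`.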