Ticket #3722 (closed defect (bug): fixed)

Opened 5 years ago

Last modified 5 years ago

DB error when sanitized search string results in empty query

Reported by: zippity Owned by: charleshooper
Priority: normal Milestone: 2.1.2
Component: General Version: 2.1
Severity: normal Keywords: has-patch needs-testing 2nd-opinion
Cc:

Description

When entering a comma "," into the search function, you get the following error displayed at top of page:

WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') AND ((post_status = 'publish' OR post_status = 'private')) ORDER BY post_dat' at line 1] SELECT SQL_CALC_FOUND_ROWS wp_posts.* FROM wp_posts WHERE 1=1 AND () AND ((post_status = 'publish' OR post_status = 'private')) ORDER BY post_date DESC LIMIT 0, 10


Multiple commas produce the same result.
If you enter anything in addition to the comma, it works fine.

Attachments

wp_search.diff (790 bytes) - added by charleshooper 5 years ago.
Single comma search "hack"

Change History

Confirmed.

Single comma search "hack"

  • Owner changed from anonymous to charleshooper

This is kind of a hack actually. This basically just gets rid of the extra SQL formatting if $search is empty, thus getting rid of the database error when a user submits a single comma as a search term.

The result?

When a user submits a single comma search all _published_ posts are returned.

Everything else seems OK though.

  • Keywords has-patch needs-testing 2nd-opinion added
  • Status changed from new to assigned
  • Component changed from Security to General
  • Summary changed from Search string does not sanitize commas to DB error when sanitized search string results in empty query

I guess it's also worth mentioning that commas _are_ being sanitized. The reason for the error is that once the commas are gone WordPress attempts to wrap the search query with "AND ( $search )"

Since $search is null MySQL throws up an error.
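To make the mechanism described in the comments above concrete, here is an added, simplified model of a search WHERE-clause builder, not WordPress's own wp-includes/query.php and not the attached patch. The function names (sanitize_search_string, search_terms_sql, build_search_where_buggy, build_search_where_fixed) and the exact clause layout are assumptions for this example; the buggy variant always emits the "AND ( $search )" wrapper, the fixed variant omits it when nothing is left to search for.

```php
<?php
// Hypothetical model of the search-clause assembly this ticket describes.
// Not WordPress's actual code; function names are assumptions for the example.

/**
 * Sanitize the raw search string the way the ticket describes: commas are
 * stripped, runs of whitespace collapse to one space, and the result is trimmed.
 * A lone comma therefore sanitizes to the empty string.
 */
function sanitize_search_string(string $raw): string {
    $clean = str_replace(',', '', $raw);
    $clean = preg_replace('/[\r\n\t ]+/', ' ', $clean);
    return trim($clean);
}

/**
 * Turn the sanitized string into LIKE fragments joined by OR.
 * Returns '' when there are no terms, which is the case the bug is about.
 */
function search_terms_sql(string $clean): string {
    if ($clean === '') {
        return '';
    }
    $fragments = array();
    foreach (explode(' ', $clean) as $term) {
        // Escape quotes and backslashes so a term cannot break out of the literal;
        // the emptiness bug below is a syntax error, not an escaping failure.
        $t = addslashes($term);
        $fragments[] = "(post_title LIKE '%{$t}%') OR (post_content LIKE '%{$t}%')";
    }
    return implode(' OR ', $fragments);
}

/** Pre-patch behaviour: the wrapper is emitted even around an empty body. */
function build_search_where_buggy(string $raw): string {
    $search = search_terms_sql(sanitize_search_string($raw));
    return 'WHERE 1=1 AND (' . $search . ') AND (post_status = \'publish\')';
}

/** Post-patch behaviour: skip the "AND ( ... )" wrapper when $search is empty. */
function build_search_where_fixed(string $raw): string {
    $search = search_terms_sql(sanitize_search_string($raw));
    $where = 'WHERE 1=1';
    if ($search !== '') {
        $where .= ' AND (' . $search . ')';
    }
    return $where . ' AND (post_status = \'publish\')';
}

// Constructed inputs: the ticket's lone comma, and a normal two-word search.
foreach (array(',', 'hello, world') as $input) {
    echo "input: " . var_export($input, true) . "\n";
    echo "  buggy: " . build_search_where_buggy($input) . "\n";
    echo "  fixed: " . build_search_where_fixed($input) . "\n";
}
```

Run with `php` on the command line. For the lone comma, the buggy builder produces `WHERE 1=1 AND () AND (post_status = 'publish')`, the same empty parentheses MySQL rejects in the error quoted in the description, while the fixed builder drops the search clause entirely and so, as the comment above notes, matches every published post. For "hello, world" both builders produce the same valid clause, which is why anything typed in addition to the comma worked. The LIKE terms are escaped in both variants, so the failure mode is a malformed query rather than an injectable one.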

  • Milestone changed from 2.1.1 to 2.1.2

The patch also fixes #3722.

I meant #3759.

comment:8 ryan 5 years ago

  • Status changed from assigned to closed
  • Resolution set to fixed

(In [4911]) Handle empty search query. Props charleshooper. fixes #3722 #3759

comment:9 ryan 5 years ago

(In [4912]) Handle empty search query. Props charleshooper. fixes #3722 #3759

Is labeled a WordPress Search Function SQL-Injection on seclists today.

That's pretty annoying. Even without the fix there is no SQL injection vulnerability there whatsoever. The error is caused by an empty set of parenthesis. The keyword here is EMPTY.

I had spent a good deal of time making sure nothing could be passed to the query string (before and after this fix), but I guess all it takes to post to a security mailing list is an email address.
