
Ticket #10041: 10041.6.diff

File 10041.6.diff, 1.6 KB (added by wonderboymusic, 12 years ago)
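--- a/wp-includes/bookmark.php
+++ b/wp-includes/bookmark.php
@@ -186,7 +186,7 @@ function get_bookmarks($args = '') {
         }
 
         if ( ! empty($search) ) {
-                $search = like_escape($search);
+                $search = esc_sql( like_escape( stripslashes( $search ) ) );
                 $search = " AND ( (link_url LIKE '%$search%') OR (link_name LIKE '%$search%') OR (link_description LIKE '%$search%') ) ";
         }
 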
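Review bot: The escaped search term is still spliced into the SQL string on the line after the changed one, so correctness depends on the manual esc_sql() call staying in step with like_escape(), whereas the taxonomy.php hunk in this same patch routes the pattern through $wpdb->prepare() and this hunk could do the same. Proposed replacement for the two lines: `$like = '%' . like_escape( stripslashes( $search ) ) . '%';` and `$search = $wpdb->prepare( " AND ( (link_url LIKE %s) OR (link_name LIKE %s) OR (link_description LIKE %s) ) ", $like, $like, $like );` — prepare() performs the single SQL-escaping pass, so the explicit esc_sql() is dropped. This assumes $wpdb is already global inside get_bookmarks(), which the query construction outside the hunk presumably requires. Note also that stripslashes() is lossy if a caller passes an already-unslashed term containing a literal backslash. get_bookmarks() starts and ends outside the hunk.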
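--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -2746,11 +2746,11 @@ function tag_escape($tag_name) {
  *
  * @since 2.5.0
  *
- * @param string $text The text to be escaped.
- * @return string text, safe for inclusion in LIKE query.
+ * @param string $text The text to be escaped (expected unslashed).
+ * @return string text, NOT safe for inclusion in LIKE query (needs an additional esc_sql()).
  */
-function like_escape($text) {
-        return str_replace(array("%", "_"), array("\\%", "\\_"), $text);
+function like_escape( $text ) {
+        return addcslashes( $text, '_%\\' );
 }
 
 /**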
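Review bot: The new @return text says the result needs "an additional esc_sql()", but the actual contract is "exactly one SQL-escaping pass": $wpdb->prepare() already escapes its %s arguments, so a caller that does esc_sql() and then prepare() turns the `\%` produced here into a pattern that matches a literal backslash followed by a wildcard. Suggested docblock wording: `* @return string Text with _, % and \ backslash-escaped for use in a LIKE pattern. Not SQL-safe: pass it through exactly one of esc_sql() or $wpdb->prepare(), never both.` The switch to addcslashes() also starts escaping backslashes, which the old str_replace() did not; a one-line note of that behaviour change next to @since would help callers that previously pre-escaped backslashes themselves.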
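--- a/wp-includes/taxonomy.php
+++ b/wp-includes/taxonomy.php
@@ -1356,7 +1356,7 @@ function get_terms($taxonomies, $args = '') {
         }
 
         if ( !empty($search) ) {
-                $search = like_escape($search);
+                $search = esc_sql( like_escape( stripslashes( $search ) ) );
                 $where .= $wpdb->prepare( " AND (t.name LIKE %s)", '%' . $search . '%');
         }
 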
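Review bot: The added esc_sql() on new line 1359 double-escapes the term, because $wpdb->prepare() on the following line already runs its %s arguments through the SQL escaper; a term containing `%`, `_` or `\` ends up as `\\%` (or `\\_`, `\\\\`) in the final pattern, which LIKE reads as a literal backslash followed by the wildcard, so such searches stop matching. The like_escape() result should go straight into prepare(), i.e. `$search = like_escape( stripslashes( $search ) );`. The bookmark.php hunk, which interpolates the value into raw SQL, is the one where an explicit esc_sql() belongs. get_terms() starts and ends outside the hunk.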