Ticket #10041: miqro-10041-part1.patch
File miqro-10041-part1.patch, 6.0 KB (added by , 11 years ago) |
---|
-
src/wp-includes/deprecated.php
3459 3459 } 3460 3460 3461 3461 /** 3462 * Formerly used to escape strings before searching the DB. It was poorly documented and never worked as described. 3463 * 3464 * @since 2.5.0 3465 * @deprecated 4.0.0 3466 * @deprecated Use wpdb::esc_like() 3467 * 3468 * @param string $text The text to be escaped. 3469 * @return string text, safe for inclusion in LIKE query. 3470 */ 3471 function like_escape($text) { 3472 _deprecated_function( __FUNCTION__, '4.0', 'wpdb::esc_like()' ); 3473 return str_replace(array("%", "_"), array("\\%", "\\_"), $text); 3474 } 3475 3476 /** 3462 3477 * Determines if the URL can be accessed over SSL. 3463 3478 * 3464 3479 * Determines if the URL can be accessed over SSL by using the WordPress HTTP API to access -
src/wp-includes/formatting.php
3100 3100 } 3101 3101 3102 3102 /** 3103 * Escapes text for SQL LIKE special characters % and _.3104 *3105 * @since 2.5.03106 *3107 * @param string $text The text to be escaped.3108 * @return string text, safe for inclusion in LIKE query.3109 */3110 function like_escape($text) {3111 return str_replace(array("%", "_"), array("\\%", "\\_"), $text);3112 }3113 3114 /**3115 3103 * Convert full URL paths to absolute paths. 3116 3104 * 3117 3105 * Removes the http or https protocols and the domain. Keeps the path '/' at the -
src/wp-includes/wp-db.php
1169 1169 } 1170 1170 1171 1171 /** 1172 * First half of escaping for LIKE special characters % and _ before preparing for MySQL. 1173 * 1174 * Use this only before wpdb::prepare() or esc_sql(). Reversing the order is very bad for security. 1175 * 1176 * Example Prepared Statement: 1177 * $wild = '%'; 1178 * $find = 'only 43% of planets'; 1179 * $like = $wild . $wpdb->esc_like( $find ) . $wild; 1180 * $sql = $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_content LIKE %s", $like ); 1181 * 1182 * Example Escape Chain: 1183 * $sql = esc_sql( $wpdb->esc_like( $input ) ); 1184 * 1185 * @since 4.0.0 1186 * 1187 * @param string $text The raw text to be escaped. The input typed by the user should have no extra or deleted slashes. 1188 * @return string Text in the form of a LIKE phrase. The output is not SQL safe. Call prepare or real_escape next. 1189 */ 1190 function esc_like($text) { 1191 return addcslashes( $text, '_%\\' ); 1192 } 1193 1194 /** 1172 1195 * Print SQL/DB error. 1173 1196 * 1174 1197 * @since 0.71 -
tests/phpunit/tests/db.php
105 105 } else { 106 106 setlocale( LC_ALL, $locale_setting ); 107 107 } 108 } 109 110 /** 111 * @ticket 10041 112 */ 113 function test_esc_like() { 114 global $wpdb; 115 116 $inputs = array( 117 'howdy%', //Single Percent 118 'howdy_', //Single Underscore 119 'howdy\\', //Single slash 120 'howdy\\howdy%howdy_', //The works 121 'howdy\'"[[]*#[^howdy]!+)(*&$#@!~|}{=--`/.,<>?', //Plain text 122 ); 123 $expected = array( 124 'howdy\\%', 125 'howdy\\_', 126 'howdy\\\\', 127 'howdy\\\\howdy\\%howdy\\_', 128 'howdy\'"[[]*#[^howdy]!+)(*&$#@!~|}{=--`/.,<>?', 129 ); 130 131 foreach ($inputs as $key => $input) { 132 $this->assertEquals($expected[$key], $wpdb->esc_like($input)); 108 133 } 109 134 } 110 135 111 136 /** 137 * Test LIKE Queries 138 * 139 * Make sure $wpdb is fully compatible with esc_like() by testing the identity of various strings. 140 * When escaped properly, a string literal is always LIKE itself (1) 141 * and never LIKE any other string literal (0) no matter how crazy the SQL looks. 142 * 143 * @ticket 10041 144 * @dataProvider data_like_query 145 * @param $data string The haystack, raw. 146 * @param $like string The like phrase, raw. 147 * @param $result string The expected comparison result; '1' = true, '0' = false 148 */ 149 function test_like_query( $data, $like, $result ) { 150 global $wpdb; 151 return $this->assertEquals( $result, $wpdb->get_var( $wpdb->prepare( "SELECT %s LIKE %s", $data, $wpdb->esc_like( $like ) ) ) ); 152 } 153 154 function data_like_query() { 155 return array( 156 array( 157 'aaa', 158 'aaa', 159 '1', 160 ), 161 array( 162 'a\\aa', // SELECT 'a\\aa' # This represents a\aa in both languages. 163 'a\\aa', // LIKE 'a\\\\aa' 164 '1', 165 ), 166 array( 167 'a%aa', 168 'a%aa', 169 '1', 170 ), 171 array( 172 'aaaa', 173 'a%aa', 174 '0', 175 ), 176 array( 177 'a\\%aa', // SELECT 'a\\%aa' 178 'a\\%aa', // LIKE 'a\\\\\\%aa' # The PHP literal would be "LIKE 'a\\\\\\\\\\\\%aa'". This is why we need reliable escape functions! 179 '1', 180 ), 181 array( 182 'a%aa', 183 'a\\%aa', 184 '0', 185 ), 186 array( 187 'a\\%aa', 188 'a%aa', 189 '0', 190 ), 191 array( 192 'a_aa', 193 'a_aa', 194 '1', 195 ), 196 array( 197 'aaaa', 198 'a_aa', 199 '0', 200 ), 201 array( 202 'howdy\'"[[]*#[^howdy]!+)(*&$#@!~|}{=--`/.,<>?', 203 'howdy\'"[[]*#[^howdy]!+)(*&$#@!~|}{=--`/.,<>?', 204 '1', 205 ), 206 ); 207 } 208 } 209 210 /** 112 211 * @ticket 18510 113 212 */ 114 213 function test_wpdb_supposedly_protected_properties() { -
tests/phpunit/tests/formatting/LikeEscape.php
1 <?php2 3 /**4 * @group formatting5 */6 class Tests_Formatting_LikeEscape extends WP_UnitTestCase {7 /**8 * @ticket 100419 */10 function test_like_escape() {11 12 $inputs = array(13 'howdy%', //Single Percent14 'howdy_', //Single Underscore15 'howdy\\', //Single slash16 'howdy\\howdy%howdy_', //The works17 );18 $expected = array(19 "howdy\\%",20 'howdy\\_',21 'howdy\\\\',22 'howdy\\\\howdy\\%howdy\\_'23 );24 25 foreach ($inputs as $key => $input) {26 $this->assertEquals($expected[$key], like_escape($input));27 }28 }29 }