Make WordPress Core


Timestamp:
06/10/2014 12:29:35 AM
Author:
wonderboymusic
Message:

LIKE escape sanity:

  • Deprecate like_escape()
  • Add a method to $wpdb, ->esc_like(), and add unit tests

$wpdb::esc_like() is not used yet. As such, many unit tests will throw Unexpected deprecated notice for like_escape. Subsequent commits will alleviate this.

Props miqrogroove.
See #10041.
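
The docblock added in this changeset warns that esc_like() must run before wpdb::prepare() or esc_sql(), never after. The following is an added example (editor's code, not part of r28711 or of WordPress core) that reimplements both escaping steps with stand-in functions so it runs with no database connection, then reads the resulting literal the way a MySQL server would, to show what each order produces. The names esc_like_demo, esc_sql_demo, parse_literal_demo and like_literal_demo are this example's own; esc_sql_demo escapes only quotes and backslashes, a subset of what mysqli_real_escape_string() does, and the two inputs are constructed for the demonstration.

```php
<?php
// Added example; not code from r28711 or from WordPress core. It reimplements
// both escaping steps locally so it runs with no database connection:
//   esc_like_demo()      has the same body as the new $wpdb->esc_like()
//   esc_sql_demo()       stands in for prepare()/esc_sql(), which escape quotes
//                        and backslashes (real code uses mysqli_real_escape_string)
//   parse_literal_demo() is a toy reader for one single-quoted MySQL literal
// All *_demo names are this example's own assumptions.

declare(strict_types=1);

/** Same body as esc_like() in the changeset: backslash-escape _, % and \ . */
function esc_like_demo( string $text ): string {
	return addcslashes( $text, '_%\\' );
}

/**
 * Stand-in for esc_sql(): escape the characters that delimit or escape a
 * MySQL string literal. Backslash must be handled first, otherwise the
 * backslashes added for the quotes would be doubled as well.
 */
function esc_sql_demo( string $text ): string {
	return str_replace(
		array( '\\',   "'",   '"' ),
		array( '\\\\', "\\'", '\\"' ),
		$text
	);
}

/**
 * Toy parser for one single-quoted literal with backslash escapes, as a
 * MySQL server (without NO_BACKSLASH_ESCAPES) reads it. Returns the decoded
 * value and whatever follows the closing quote; anything in 'rest' is text
 * the server would execute as SQL.
 */
function parse_literal_demo( string $sql ): array {
	$value = '';
	$len   = strlen( $sql );
	for ( $i = 1; $i < $len; $i++ ) {             // $sql[0] is the opening quote
		$c = $sql[ $i ];
		if ( '\\' === $c && $i + 1 < $len ) {      // escape: next char is literal
			$value .= $sql[ ++$i ];
		} elseif ( "'" === $c ) {                   // unescaped quote ends the literal
			return array( 'value' => $value, 'rest' => substr( $sql, $i + 1 ) );
		} else {
			$value .= $c;
		}
	}
	return array( 'value' => $value, 'rest' => '' );
}

/** Build the quoted LIKE pattern in the documented order or the reversed one. */
function like_literal_demo( string $input, bool $documented_order ): string {
	$escaped = $documented_order
		? esc_sql_demo( esc_like_demo( $input ) )   // esc_like first, then SQL escape
		: esc_like_demo( esc_sql_demo( $input ) );  // reversed: the order the docblock forbids
	return "'%" . $escaped . "%'";
}

// Constructed inputs: one with a quote (injection), one with a wildcard (leak).
foreach ( array( "O'Reilly", '50%' ) as $input ) {
	foreach ( array( true, false ) as $documented_order ) {
		$literal = like_literal_demo( $input, $documented_order );
		$parsed  = parse_literal_demo( $literal );
		printf(
			"%-10s %-18s value=[%s] rest=[%s]\n",
			$documented_order ? 'documented' : 'reversed',
			$literal,
			$parsed['value'],
			$parsed['rest']
		);
	}
}
```

Run it with `php example.php`. In the documented order, `O'Reilly` becomes `'%O\'Reilly%'` and `50%` becomes `'%50\\%%'`, both of which parse as one literal whose `\%` the LIKE engine treats as a literal percent. In the reversed order, esc_like_demo() doubles the backslash that esc_sql_demo() had just placed in front of the quote, so `'%O\\'Reilly%'` ends after `%O\` and leaves `Reilly%'` to be executed as SQL; for `50%` the reversed order yields `'%50\%%'`, so the user's percent sign comes back out as a wildcard instead of a literal. That is the concrete meaning of "Reversing the order is very bad for security" in the docblock.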

File:
1 edited

  • trunk/src/wp-includes/wp-db.php

    r28657 r28711  
    11701170
    11711171    /**
     1172     * First half of escaping for LIKE special characters % and _ before preparing for MySQL.
     1173     *
     1174     * Use this only before wpdb::prepare() or esc_sql().  Reversing the order is very bad for security.
     1175     *
     1176     * Example Prepared Statement:
     1177     *  $wild = '%';
     1178     *  $find = 'only 43% of planets';
     1179     *  $like = $wild . $wpdb->esc_like( $find ) . $wild;
     1180     *  $sql  = $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_content LIKE %s", $like );
     1181     *
     1182     * Example Escape Chain:
     1183     *  $sql  = esc_sql( $wpdb->esc_like( $input ) );
     1184     *
     1185     * @since 4.0.0
     1186     *
     1187     * @param string $text The raw text to be escaped. The input typed by the user should have no extra or deleted slashes.
     1188     * @return string Text in the form of a LIKE phrase. The output is not SQL safe. Call prepare or real_escape next.
     1189     */
     1190    function esc_like( $text ) {
     1191        return addcslashes( $text, '_%\\' );
     1192    }
     1193
     1194    /**
    11721195     * Print SQL/DB error.
    11731196     *
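Review bot: the two pieces of ordering advice in the new docblock name different functions: line 1174 says to call esc_like() before `wpdb::prepare()` or `esc_sql()`, but the `@return` line at 1188 says "Call prepare or real_escape next". Since the call order is the security-critical part of this API, make the two statements agree, e.g. `@return string ... Call prepare() or esc_sql() next.` Two smaller points: the `@param` note at 1187 that the input "should have no extra or deleted slashes" is the caveat callers are most likely to get wrong with slashed request data, so it deserves a sentence on what to do (unslash before calling); and `function esc_like( $text )` at 1190 carries no visibility keyword, so consider `public function esc_like( $text )` to match the commit message's description of a public `$wpdb` method. The `$sql` variable in the escape-chain example at 1183 holds an escaped fragment rather than a statement; `$like` would read more accurately.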