Make WordPress Core

Changes between Initial Version and Version 1 of Ticket #10041, comment 10


Ignore:
Timestamp:
02/05/2013 05:33:08 AM (9 years ago)
Author:
miqrogroove
  • Ticket #10041, comment 10

Unchanged:
1. Super-global variables should be addslashes() instead of wpdb->escape().  That was changed in [12961].

Removed (initial):
2. I discovered the list of like-special chars is not limited to \ % _.  Apparently single and double quotes are also special at the LIKE layer, so searching literally for hello\\'world becomes an interesting test case.  This contradicts the MySQL manual, but appears to be accurate.  I also confirmed \x, \0, \r, and \n are not special at the LIKE layer.

Added (v1):
2. I discovered the list of like-special chars is not limited to \ % _.  Apparently single and double quotes are also special at the LIKE layer, so searching literally for {{{hello\\'world}}} becomes an interesting test case.  This contradicts the MySQL manual, but appears to be accurate.  I also confirmed \x, \0, \r, and \n are not special at the LIKE layer.

Unchanged:
3. We did not yet decide on a new pattern for calling like_escape().  Any time a super-global variable is passed in, it must be stripslashes() first.  We could make that a requirement, or we could create a second function like_escape_global() that includes the call to stripslashes().  In any case, escape() or prepare() must still be used after like_escape(), unless there are more changes.
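The ordering argued for in point 3 (stripslashes() first, then like_escape(), then escaping for the SQL string literal) and the double-stripping behind point 2 can be checked on sample input with the following model. This is an added example, not code from the ticket or from WordPress: it re-implements in Python the behaviour of PHP's addslashes()/stripslashes(), a like_escape() that escapes only the three characters the MySQL manual documents as special in LIKE patterns (\ % _), and a deliberately simplified model of the MySQL parser and LIKE matcher (sql_unescape() and like_match()). The rule that a backslash followed by any character matches that character literally is an assumption of the model, as is the column name post_title; the titles and search terms are constructed.

```python
"""Added example (not ticket or WordPress code): model of the three escaping
layers behind a LIKE search built from a super-global value.
Assumptions: addslashes()/stripslashes() mirror PHP; like_escape() covers
only \\ % _; sql_unescape()/like_match() approximate MySQL, not replace it."""


def addslashes(s: str) -> str:
    """Model of PHP addslashes(): backslash-escape ' " \\ and NUL."""
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def stripslashes(s: str) -> str:
    """Model of PHP stripslashes(): remove one level of backslashes."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append("\0" if s[i + 1] == "0" else s[i + 1])
            i += 2
        elif s[i] == "\\":
            i += 1  # a trailing lone backslash is dropped, as in PHP
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def like_escape(s: str) -> str:
    """Escape the LIKE metacharacters \\ % _ so they match literally.
    Backslash goes first so the backslashes added for % and _ stay single."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def like_clause_from_global(raw_value: str, strip_first: bool = True) -> str:
    """Build a LIKE clause from a super-global value that arrived with slashes
    added.  Order from the comment: stripslashes -> like_escape -> escape for
    the SQL string literal.  strip_first=False skips the first step to show
    why it is required.  post_title is an assumed column name."""
    term = stripslashes(raw_value) if strip_first else raw_value
    pattern = "%" + like_escape(term) + "%"
    return "post_title LIKE '" + addslashes(pattern) + "'"


def sql_unescape(literal: str) -> str:
    """Simplified model of the MySQL parser on a backslash-escaped literal:
    \\0 \\n \\r become control characters, any other \\x becomes x."""
    control = {"0": "\0", "n": "\n", "r": "\r"}
    out, i = [], 0
    while i < len(literal):
        if literal[i] == "\\" and i + 1 < len(literal):
            out.append(control.get(literal[i + 1], literal[i + 1]))
            i += 2
        else:
            out.append(literal[i])
            i += 1
    return "".join(out)


def like_match(pattern: str, subject: str) -> bool:
    """Simplified model of LIKE with backslash as escape: % matches any run,
    _ one character, \\x the character x literally (modelling assumption)."""
    def rec(p: str, s: str) -> bool:
        if not p:
            return not s
        c = p[0]
        if c == "\\" and len(p) > 1:
            return bool(s) and s[0] == p[1] and rec(p[2:], s[1:])
        if c == "%":
            return any(rec(p[1:], s[k:]) for k in range(len(s) + 1))
        if c == "_":
            return bool(s) and rec(p[1:], s[1:])
        return bool(s) and s[0] == c and rec(p[1:], s[1:])
    return rec(pattern, subject)


def search_matches(raw_value: str, titles, strip_first: bool = True) -> list:
    """End to end: build the clause, then apply the two stripping layers
    (string literal, then LIKE) over a constructed list of titles."""
    clause = like_clause_from_global(raw_value, strip_first)
    literal = clause[len("post_title LIKE '"):-1]
    pattern = sql_unescape(literal)
    return [t for t in titles if like_match(pattern, t)]


if __name__ == "__main__":
    # Constructed input: the user typed hello\'world, so the super-global
    # carries hello\\\'world (slashes added to the quote and the backslash).
    raw = addslashes("hello\\'world")
    titles = ["hello\\'world", "hello'world", "helloXworld", "hello\\world"]
    print(like_clause_from_global(raw))   # post_title LIKE '%hello\\\\\'world%'
    print(search_matches(raw, titles))    # only the exact title
    print(search_matches(raw, titles, strip_first=False))  # nothing: too many slashes
```

The four backslashes in the generated clause are the point of the comment's test case: the parser strips one level, LIKE strips another, and only then does the pattern contain the single backslash the user typed. Leaving out stripslashes() adds a third level, so the same search matches nothing.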