diff --git a/wp-admin/includes/template.php b/wp-admin/includes/template.php
index 34e9b8992c..4936bd293e 100644
--- a/wp-admin/includes/template.php
+++ b/wp-admin/includes/template.php
@@ -268,8 +268,9 @@ function tag_rows( $page = 0, $pagesize = 20, $searchterms = '' ) {
 $args = array('offset' => $start, 'number' => $pagesize, 'hide_empty' => 0);
- if ( !empty( $searchterms ) )
- $args['name__like'] = '%' . $searchterms;
+ if ( !empty( $searchterms ) ) {
+ $args['name__like'] = '%' . like_escape( $searchterms );
+ }
 $tags = get_terms( 'post_tag', $args );
diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index 63de5ce8a9..039255b151 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -1164,6 +1164,15 @@ function attribute_escape($text) {
 $safe_text = wp_specialchars($text, true);
 return apply_filters('attribute_escape', $safe_text, $text);
 }
+/**
+ * Escapes text for SQL LIKE special characters % and _
+ *
+ * @param string text the text to be escaped
+ * @return string text, safe for inclusion in LIKE query
+ */
+function like_escape($text) {
+ return str_replace(array("%", "_"), array("\\%", "\\_"), $text);
+}
 function wp_make_link_relative( $link ) {
 return preg_replace('|https?://[^/]+(/.*)|i', '$1', $link );
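Review bot: The new `like_escape` leaves a backslash already present in `$text` untouched, so the `\` it prepends to `%` and `_` can be neutralised by the input itself: a search term of `\%` becomes `\\%`, which MySQL's LIKE reads as a literal backslash followed by a live `%` wildcard, defeating the escape that tag_rows now relies on. Escaping the backslash first closes this: `return str_replace(array("\\", "%", "_"), array("\\\\", "\\%", "\\_"), $text);`. The `@return` line also overstates what the function does — quotes are not touched, so the result still has to pass through the normal SQL string escaping before it is interpolated into a query, and that escaping must come after `like_escape` so the added backslashes are doubled rather than consumed; `@return string text with LIKE wildcards escaped; still requires SQL string escaping before use in a query` would say so. Whether get_terms applies that SQL escaping to `name__like` is not visible in this diff and should be confirmed.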