From 222e9ca396d0fb46a72efde03b8527beefda0834 Mon Sep 17 00:00:00 2001
From: Ryan Boren
Date: Tue, 29 Jan 2008 17:20:27 +0000
Subject: [PATCH] like_escape() from nbachiyski. see #5684

git-svn-id: https://develop.svn.wordpress.org/trunk@6680 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-admin/includes/template.php | 5 +++--
 wp-includes/formatting.php     | 9 +++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/wp-admin/includes/template.php b/wp-admin/includes/template.php
index 34e9b8992c..4936bd293e 100644
--- a/wp-admin/includes/template.php
+++ b/wp-admin/includes/template.php
@@ -268,8 +268,9 @@ function tag_rows( $page = 0, $pagesize = 20, $searchterms = '' ) {
 
 	$args = array('offset' => $start, 'number' => $pagesize, 'hide_empty' => 0);
 
-	if ( !empty( $searchterms ) )
-		$args['name__like'] = '%' . $searchterms;
+	if ( !empty( $searchterms ) ) {
+		$args['name__like'] = '%' . like_escape( $searchterms );
+	}
 
 	$tags = get_terms( 'post_tag', $args );
 
diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index 63de5ce8a9..039255b151 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -1164,6 +1164,15 @@ function attribute_escape($text) {
 	$safe_text = wp_specialchars($text, true);
 	return apply_filters('attribute_escape', $safe_text, $text);
 }
+/**
+ * Escapes text for SQL LIKE special characters % and _
+ *
+ * @param string text the text to be escaped
+ * @return string text, safe for inclusion in LIKE query
+ */
+function like_escape($text) {
+	return str_replace(array("%", "_"), array("\\%", "\\_"), $text);
+}
 
 function wp_make_link_relative( $link ) {
 	return preg_replace('|https?://[^/]+(/.*)|i', '$1', $link );
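Review bot: like_escape() on the `$args['name__like']` line only neutralizes the LIKE wildcards `%` and `_`; it is not SQL string escaping, so the value is still only safe if get_terms() quotes `name__like` before building its query, which this hunk does not show. A one-line comment at the call site would keep the next reader from treating it as a complete sanitization step: `// like_escape() protects LIKE wildcards only; get_terms() must still SQL-escape the value`. The body of tag_rows starts before and continues past this hunk.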
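Review bot: like_escape() escapes `%` and `_` but leaves the backslash itself untouched, so an input that already contains `\` directly before a wildcard ends up as `\\%`, which a LIKE pattern reads as a literal backslash followed by an active wildcard; the backslash has to be escaped first, e.g. `return str_replace(array("\\", "%", "_"), array("\\\\", "\\%", "\\_"), $text);` (or `addcslashes($text, '_%\\')`). The docblock should also name the parameter as `@param string $text` and state that the result still needs ordinary SQL string escaping before being interpolated into a query, since it only addresses pattern metacharacters. A blank line between the closing `}` of attribute_escape() and the new docblock would match the spacing of the surrounding functions.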