LIKE escape sanity:

* Deprecate `like_escape()`
* Add a method to `$wpdb`, `->esc_like()`, and add unit tests

`$wpdb::esc_like()` is not used yet. As such, many unit tests will throw `Unexpected deprecated notice for like_escape`. Subsequent commits will alleviate this.

Props miqrogroove.
See #10041.


git-svn-id: https://develop.svn.wordpress.org/trunk@28711 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Scott Taylor
2014-06-10 00:29:35 +00:00
parent 12ea157f2c
commit 2a551f57a4
5 changed files with 138 additions and 12 deletions

@@ -1168,6 +1168,29 @@ class wpdb {
return @vsprintf( $query, $args );
}
/**
* First half of escaping for LIKE special characters % and _ before preparing for MySQL.
*
* Use this only before wpdb::prepare() or esc_sql(). Reversing the order is very bad for security.
*
* Example Prepared Statement:
* $wild = '%';
* $find = 'only 43% of planets';
* $like = $wild . $wpdb->esc_like( $find ) . $wild;
* $sql = $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_content LIKE %s", $like );
*
* Example Escape Chain:
* $sql = esc_sql( $wpdb->esc_like( $input ) );
*
* @since 4.0.0
*
* @param string $text The raw text to be escaped. The input typed by the user should have no extra or deleted slashes.
* @return string Text in the form of a LIKE phrase. The output is not SQL safe. Call prepare or real_escape next.
*/
function esc_like( $text ) {
return addcslashes( $text, '_%\\' );
}
/**
* Print SQL/DB error.
*
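Review bot: the docblock for `esc_like()` contradicts itself about what must follow the call: the description line says `Use this only before wpdb::prepare() or esc_sql()`, while the `@return` tag says `Call prepare or real_escape next`, and neither `real_escape` nor `esc_sql` is the same name, so a reader cannot tell which follow-up is the supported one. Name the same two functions in both places, e.g. `@return string Text in the form of a LIKE phrase. The output is not SQL safe. Pass it to wpdb::prepare() or esc_sql() next.` Two smaller points in the same comment: the "Example Escape Chain" assigns the result to `$sql` although it is only an escaped value fragment, not a statement (`$like` or `$escaped` would mislead less), and the `@param` sentence "should have no extra or deleted slashes" would be clearer if it said outright that the caller must pass the unslashed user input, since `addcslashes( $text, '_%\\' )` inserts backslashes that would otherwise be doubled by an earlier slashing step.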