mirror of
https://github.com/WordPress/WordPress.git
synced 2024-12-22 17:18:32 +01:00
LIKE
escape sanity:
* Deprecate `like_escape()` * Add a method to `$wpdb`, `->esc_like()`, and add unit tests `$wpdb::esc_like()` is not used yet. As such, many unit tests will throw `Unexpected deprecated notice for like_escape`. Subsequent commits will alleviate this. Props miqrogroove. See #10041. Built from https://develop.svn.wordpress.org/trunk@28711 git-svn-id: http://core.svn.wordpress.org/trunk@28527 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
df7be9cd80
commit
82bdc78500
@ -3458,6 +3458,21 @@ function format_to_post( $content ) {
|
||||
return $content;
|
||||
}
|
||||
|
||||
/**
|
||||
* Formerly used to escape strings before searching the DB. It was poorly documented and never worked as described.
|
||||
*
|
||||
* @since 2.5.0
|
||||
* @deprecated 4.0.0
|
||||
* @deprecated Use wpdb::esc_like()
|
||||
*
|
||||
* @param string $text The text to be escaped.
|
||||
* @return string text, safe for inclusion in LIKE query.
|
||||
*/
|
||||
function like_escape($text) {
|
||||
_deprecated_function( __FUNCTION__, '4.0', 'wpdb::esc_like()' );
|
||||
return str_replace( array( "%", "_" ), array( "\\%", "\\_" ), $text );
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines if the URL can be accessed over SSL.
|
||||
*
|
||||
|
@ -3099,18 +3099,6 @@ function tag_escape($tag_name) {
|
||||
return apply_filters( 'tag_escape', $safe_tag, $tag_name );
|
||||
}
|
||||
|
||||
/**
|
||||
* Escapes text for SQL LIKE special characters % and _.
|
||||
*
|
||||
* @since 2.5.0
|
||||
*
|
||||
* @param string $text The text to be escaped.
|
||||
* @return string text, safe for inclusion in LIKE query.
|
||||
*/
|
||||
function like_escape($text) {
|
||||
return str_replace(array("%", "_"), array("\\%", "\\_"), $text);
|
||||
}
|
||||
|
||||
/**
|
||||
* Convert full URL paths to absolute paths.
|
||||
*
|
||||
|
@ -4,7 +4,7 @@
|
||||
*
|
||||
* @global string $wp_version
|
||||
*/
|
||||
$wp_version = '4.0-alpha-20140609';
|
||||
$wp_version = '4.0-alpha-20140610';
|
||||
|
||||
/**
|
||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||
|
@ -1168,6 +1168,29 @@ class wpdb {
|
||||
return @vsprintf( $query, $args );
|
||||
}
|
||||
|
||||
/**
|
||||
* First half of escaping for LIKE special characters % and _ before preparing for MySQL.
|
||||
*
|
||||
* Use this only before wpdb::prepare() or esc_sql(). Reversing the order is very bad for security.
|
||||
*
|
||||
* Example Prepared Statement:
|
||||
* $wild = '%';
|
||||
* $find = 'only 43% of planets';
|
||||
* $like = $wild . $wpdb->esc_like( $find ) . $wild;
|
||||
* $sql = $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_content LIKE %s", $like );
|
||||
*
|
||||
* Example Escape Chain:
|
||||
* $sql = esc_sql( $wpdb->esc_like( $input ) );
|
||||
*
|
||||
* @since 4.0.0
|
||||
*
|
||||
* @param string $text The raw text to be escaped. The input typed by the user should have no extra or deleted slashes.
|
||||
* @return string Text in the form of a LIKE phrase. The output is not SQL safe. Call prepare or real_escape next.
|
||||
*/
|
||||
function esc_like( $text ) {
|
||||
return addcslashes( $text, '_%\\' );
|
||||
}
|
||||
|
||||
/**
|
||||
* Print SQL/DB error.
|
||||
*
|
||||
|
Loading…
Reference in New Issue
Block a user