diff options
| author | shadlaws <shad@shadlaws.com> | 2013-01-25 08:47:29 +0100 |
|---|---|---|
| committer | shadlaws <shad@shadlaws.com> | 2013-01-25 08:47:29 +0100 |
| commit | 48bd19808c38a8de20cfece1adc1ffe226da3783 (patch) | |
| tree | d8cdea6ffe7e3862ee38f90082a43e30a7ced0bb /modules/gallery/libraries/MY_Database.php | |
| parent | 4c1dc8457e82bd8960e10416981b5dadfc3aebe4 (diff) | |
#1956 - Escape LIKE queries (for _ and %).
In MySQL queries, _ and % characters are treated as wildcards (similar to ? and *, respectively).
- Added escape_for_like function to MY_Database.php
- Added unit test to Database_Test
- Corrected the five unescaped instances in the code using this function.
Diffstat (limited to 'modules/gallery/libraries/MY_Database.php')
| -rw-r--r-- | modules/gallery/libraries/MY_Database.php | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/modules/gallery/libraries/MY_Database.php b/modules/gallery/libraries/MY_Database.php index aae0bb79..33759b67 100644 --- a/modules/gallery/libraries/MY_Database.php +++ b/modules/gallery/libraries/MY_Database.php @@ -88,4 +88,14 @@ abstract class Database extends Database_Core { static function set_default_instance($db) { self::$instances["default"] = $db; } + + /** + * Escape LIKE queries, add wildcards. In MySQL queries using LIKE, _ and % characters are + * treated as wildcards similar to ? and *, respectively. Therefore, we need to escape _, %, + * and \ (the escape character itself). + */ + static function escape_for_like($value) { + // backslash must go first to avoid double-escaping + return addcslashes($value, '\_%'); + } }
\ No newline at end of file |