https://bugzilla.wikimedia.org/show_bug.cgi?id=17150

           Summary: escapeLike should double escape \
           Product: MediaWiki
           Version: 1.15-svn
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: Database
        AssignedTo: [email protected]
        ReportedBy: [email protected]


In http://dev.mysql.com/doc/refman/5.0/en/string-comparison-functions.html
there is a note:


Because MySQL uses C escape syntax in strings (for example, “\n” to
represent a newline character), you must double any “\” that you use in
LIKE strings. For example, to search for “\n”, specify it as “\\n”. To
search for “\”, specify it as “\\\\”; this is because the backslashes
are stripped once by the parser and again when the pattern match is made,
leaving a single backslash to be matched against. (Exception: At the end of the
pattern string, backslash can be specified as “\\”. At the end of the
string, backslash stands for itself because there is nothing following to
escape.)


This will break if a literal \ is in user input, failing to provide matches.
PostgreSQL seems to have the same behaviour. The suggested fix is to escape \ one more
time in escapeLike:

-               $s=str_replace(array('%','_'),array('\%','\_'),$s);
+               $s=str_replace(array('%','_','\\'),array('\%','\_','\\\\'),$s);
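
Review bot: in the added str_replace call, '\\' comes last in the search array, and PHP's str_replace with array arguments applies the replacements one after another, so the backslashes just inserted by the '%' and '_' replacements are doubled as well. An input % ends up as \\% (an escaped backslash followed by an unescaped wildcard) rather than \%, and likewise for _. Put the backslash pair first in both arrays, array('\\','%','_') and array('\\\\','\%','\_'), or use strtr with a replacement map, which makes a single pass over the input. A short comment on the line pointing to the MySQL note quoted above would also explain why \ is doubled here.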

