
escapeLike should double escape \
Closed, Resolved (Public)

Description

In http://dev.mysql.com/doc/refman/5.0/en/string-comparison-functions.html there is a note:

Because MySQL uses C escape syntax in strings (for example, “\n” to represent a newline character), you must double any “\” that you use in LIKE strings. For example, to search for “\n”, specify it as “\\n”. To search for “\”, specify it as “\\\\”; this is because the backslashes are stripped once by the parser and again when the pattern match is made, leaving a single backslash to be matched against. (Exception: At the end of the pattern string, backslash can be specified as “\\”. At the end of the string, backslash stands for itself because there is nothing following to escape.)

This will break if a literal \ is in user input, failing to provide matches. PostgreSQL seems to have the same behaviour. Suggested fix is to escape \ one more time in escapeLike:

  • $s=str_replace(array('%','_'),array('\%','\_'),$s);

+ $s=str_replace(array('%','_','\\'),array('\%','\_','\\\\'),$s);
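Review bot: the order of the search array in the + line matters: str_replace with arrays applies the replacements one after another over the whole string, so with '\\' placed last the backslashes just inserted by the '%' and '_' replacements are themselves doubled (a user-supplied % becomes \\% instead of \%, and after the parser's pass that is a literal backslash followed by an unescaped wildcard). Suggest escaping the backslash first: `$s=str_replace(array('\\','%','_'),array('\\\\','\%','\_'),$s);`.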


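The following is an added Python model of the two stripping passes the MySQL note describes, written for this ticket and not MediaWiki's own code. It assumes the escapeLike output is afterwards quoted for a string literal with backslash and quote doubled (as a string-literal escaper does), and simplifies the parser pass to the escapes that matter here (real MySQL also maps sequences such as \n to control characters). It compares the original escapeLike, the patch as written on the ticket, and a backslash-first variant, and shows which pattern each one actually matches.

```python
import re


def escape_like_old(s):
    # Original escapeLike: only the LIKE wildcards are escaped, backslash is untouched.
    return s.replace('%', r'\%').replace('_', r'\_')


def escape_like_patch_as_written(s):
    # The patch as written on the ticket: '\\' is replaced last, so the backslashes
    # just inserted for \% and \_ get doubled again.
    for find, rep in (('%', r'\%'), ('_', r'\_'), ('\\', '\\\\')):
        s = s.replace(find, rep)
    return s


def escape_like_fixed(s):
    # Backslash-first variant (assumption: this ordering, not the ticket's): the
    # backslash is doubled before the wildcard escapes are added.
    for find, rep in (('\\', '\\\\'), ('%', r'\%'), ('_', r'\_')):
        s = s.replace(find, rep)
    return s


def quote_literal(s):
    # Models quoting for a MySQL single-quoted string literal: backslash and quote doubled.
    return "'" + s.replace('\\', '\\\\').replace("'", "\\'") + "'"


def parse_literal(lit):
    # First stripping pass (the parser): \x becomes x, except that \% and \_ are kept
    # verbatim for use in pattern-matching contexts.
    body = lit[1:-1]
    out, i = [], 0
    while i < len(body):
        c = body[i]
        if c == '\\' and i + 1 < len(body):
            nxt = body[i + 1]
            out.append('\\' + nxt if nxt in '%_' else nxt)
            i += 2
        else:
            out.append(c)
            i += 1
    return ''.join(out)


def like_match(pattern, value):
    # Second stripping pass (LIKE): \x is the literal x, % matches any run, _ one char.
    regex, i = '', 0
    while i < len(pattern):
        c = pattern[i]
        if c == '\\' and i + 1 < len(pattern):
            regex += re.escape(pattern[i + 1])
            i += 2
            continue
        regex += '.*' if c == '%' else '.' if c == '_' else re.escape(c)
        i += 1
    return re.fullmatch(regex, value, re.DOTALL) is not None


def effective_pattern(escaper, user_input):
    # The pattern LIKE finally sees for a given escaper and raw user input.
    return parse_literal(quote_literal(escaper(user_input)))


def matches(escaper, user_input, value):
    # Does a LIKE built from user_input with this escaper match the stored value?
    return like_match(effective_pattern(escaper, user_input), value)


if __name__ == '__main__':
    # Constructed inputs: a Windows path with a literal backslash and a literal percent.
    for name, esc in (('old', escape_like_old),
                      ('patch as written', escape_like_patch_as_written),
                      ('backslash first', escape_like_fixed)):
        print(name, 'C:\\temp ->', repr(effective_pattern(esc, 'C:\\temp')),
              'matches itself:', matches(esc, 'C:\\temp', 'C:\\temp'))
        print(name, '100% ->', repr(effective_pattern(esc, '100%')),
              'matches itself:', matches(esc, '100%', '100%'))
```

With the original escapeLike the user's backslash is consumed by the parser and LIKE then treats \t as a literal t, so C:\temp matches the stored value C:temp and not C:\temp. With the ticket's replacement order, 100% is escaped to 100\\%, which after the parser is a literal backslash followed by a live % wildcard. Escaping the backslash first gives the intended literal in both cases.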
Version: 1.15.x
Severity: normal

Details

Reference
bz17150

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 10:26 PM
bzimport set Reference to bz17150.
bzimport added a subscriber: Unknown Object (MLST).