View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000334 | XMB1 | Bugs | public | 2010-01-23 18:37 | 2010-02-24 17:57 |
Reporter | miqrogroove | Assigned To | miqrogroove | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.9.10 | ||||
Target Version | 1.9.11.08 | Fixed in Version | 1.9.11.08 | ||
Summary | 0000334: like_escape() Doesn't Slash Values Correctly | ||||
Description | like_escape() misses some wildcard injections due to double-slash treatment of LIKE values inside of SQL string literals. Discussion and patch posted at http://forums.xmbforum.com/viewthread.php?tid=775351 | ||||
Tags | No tags attached. | ||||
MySQL Version | |||||
PHP Version | |||||
Web Server | |||||
Browser | |||||
Flags | |||||
Original Reporter | |||||
SVN Revision | 2219 | ||||
While discussing like_escape() with the WordPress guys, I discovered the like-special set of characters is not limited to \ % _ as described by the MySQL manual. This is going to need more testing and more patching.

Okay, it looks like the first patch will hold. For some reason, MySQL decided quote slashing would be optional in LIKE values, so ' and \' always (?) have the same meaning. This means LIKE '\'' and LIKE '\\\'' are identical (?) until proven otherwise.
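The two-layer decoding the notes above describe, as an added example that is not part of this issue or of XMB's code: a Python model of how MySQL first decodes a single-quoted string literal and then applies LIKE escaping, used to check that the SQL text '\'' and '\\\'' yield the same pattern and to show why a like_escape() that does not escape the backslash itself can let a wildcard through. Assumptions: decode_sql_literal models only the escapes relevant here (including MySQL's rule that \% and \_ survive literal decoding), sql_escape stands in for addslashes()/mysql_real_escape_string(), and like_escape_naive illustrates the bug class rather than reproducing XMB's actual function.

```python
import re

# Layer 1: how MySQL decodes the body of a single-quoted string literal.
# Only the escapes relevant to LIKE are modelled (assumption: \\ -> \, \' -> ',
# '' -> ', and MySQL's rule that \% and \_ are kept verbatim for LIKE to see).
def decode_sql_literal(body: str) -> str:
    out, i = [], 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            nxt = body[i + 1]
            out.append("\\" + nxt if nxt in "%_" else nxt)
            i += 2
        elif c == "'" and body[i + 1:i + 2] == "'":
            out.append("'")
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)

# Layer 2: LIKE pattern semantics with the default escape character '\'.
def like_match(pattern: str, subject: str) -> bool:
    rx, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            rx.append(re.escape(pattern[i + 1]))  # escaped character is literal
            i += 2
        else:
            rx.append({"%": ".*", "_": "."}.get(c, re.escape(c)))
            i += 1
    return re.fullmatch("".join(rx), subject, re.DOTALL) is not None

def sql_escape(value: str) -> str:
    """Literal-level escaping, standing in for addslashes()/mysql_real_escape_string()."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def like_escape_naive(value: str) -> str:
    """Illustrative broken version: escapes the wildcards but not the escape character."""
    return value.replace("%", "\\%").replace("_", "\\_")

def like_escape(value: str) -> str:
    """Escape the backslash first, then the wildcards; sql_escape() is applied afterwards."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def like_query_matches(like_fn, user_value: str, subject: str) -> bool:
    """Build the body of LIKE '...' as PHP code would, then evaluate it as MySQL does."""
    return like_match(decode_sql_literal(sql_escape(like_fn(user_value))), subject)
```

With the naive variant, a value containing a backslash followed by % reaches MySQL as an escaped backslash plus a live wildcard, which is the class of miss the description refers to; the corrected order turns it into a literal backslash and a literal percent sign.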
Date Modified | Username | Field | Change |
---|---|---|---|
2010-01-23 18:37 | miqrogroove | New Issue | |
2010-01-23 18:37 | miqrogroove | Status | new => assigned |
2010-01-23 18:37 | miqrogroove | Assigned To | => miqrogroove |
2010-01-23 18:38 | miqrogroove | SVN Revision | => 2219 |
2010-01-23 18:38 | miqrogroove | Status | assigned => resolved |
2010-01-23 18:38 | miqrogroove | Fixed in Version | => 1.9.11.08 |
2010-01-23 18:38 | miqrogroove | Resolution | open => fixed |
2010-02-04 16:33 | miqrogroove | Note Added: 0000226 | |
2010-02-04 16:33 | miqrogroove | Status | resolved => feedback |
2010-02-04 16:33 | miqrogroove | Resolution | fixed => reopened |
2010-02-04 19:40 | miqrogroove | Note Added: 0000227 | |
2010-02-04 19:40 | miqrogroove | Status | feedback => resolved |
2010-02-04 19:40 | miqrogroove | Resolution | reopened => fixed |
2010-02-24 17:57 | miqrogroove | Status | resolved => closed |