Fixed escapeLike fails to escape backslashes

PaulB

PaulB

Well-known member
Affected version
2.2.8.0
Replacements it performs:
  • % -> \%
  • _ -> \_
However, it neglects to perform:
  • \ -> \\
This means input such as this:
Code: 
\%
Will become:
Code: 
\\%
Which MySQL/MariaDB will interpret as a literal backslash followed by a LIKE wildcard.

While this could theoretically result in security vulnerabilities in some add-ons, I can't find any instances in which this would result in a security issue in vanilla XenForo; it just breaks certain searches.
 
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.13).

Change log:
Escape backslashes when escaping SQL like clauses
Click to expand...
There may be a delay before changes are rolled out to the XenForo Community.
 

Similar threads

D
How to escape Microsoft blacklisting?
Replies
6
Views
105
D33_UK
D
X
[img align=right] in editor visually appears to escape wrapping bb-code
Replies
0
Views
283
Xon
X
C
As designed Markdown won't escape backticks with backslash
Replies
1
Views
374
Chris D
Chris D
Steffen
Fixed vB4 Import: Use PLAIN BB Code to escape partial BB Code in titles
Replies
1
Views
746
Kier
Kier
Back
Top Bottom