Fixed escapeLike fails to escape backslashes


Well-known member
Affected version
Replacements it performs:
  • % -> \%
  • _ -> \_
However, it neglects to perform:
  • \ -> \\
This means input such as this:
Will become:
Which MySQL/MariaDB will interpret as a literal backslash followed by a LIKE wildcard.

While this could theoretically result in security vulnerabilities in some add-ons, I can't find any instances in which this would result in a security issue in vanilla XenForo; it just breaks certain searches.
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.13).

Change log:
Escape backslashes when escaping SQL like clauses
There may be a delay before changes are rolled out to the XenForo Community.
Top Bottom