From a3e49fff6eb6454c26111eeaf207c84e9c4ae79f Mon Sep 17 00:00:00 2001
From: westi
Date: Thu, 7 Jan 2010 08:02:52 +0000
Subject: [PATCH] Use like_escape to make safe search string for like queries.

git-svn-id: http://svn.automattic.com/wordpress/trunk@12640 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/ms-sites.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/wp-admin/ms-sites.php b/wp-admin/ms-sites.php
index b41ea14e53..3cc45b5405 100644
--- a/wp-admin/ms-sites.php
+++ b/wp-admin/ms-sites.php
@@ -311,11 +311,12 @@ switch( $_GET['action'] ) {
 $apage = ( isset($_GET['apage'] ) && intval( $_GET['apage'] ) ) ? absint( $_GET['apage'] ) : 1;
 $num = ( isset($_GET['num'] ) && intval( $_GET['num'] ) ) ? absint( $_GET['num'] ) : 15;
 $s = wp_specialchars( trim( $_GET[ 's' ] ) );
-
+ $like_s = like_escape($s);
+
 $query = "SELECT * FROM {$wpdb->blogs} WHERE site_id = '{$wpdb->siteid}' ";
 if( isset($_GET['blog_name']) ) {
- $query .= " AND ( {$wpdb->blogs}.domain LIKE '%{$s}%' OR {$wpdb->blogs}.path LIKE '%{$s}%' ) ";
+ $query .= " AND ( {$wpdb->blogs}.domain LIKE '%{$like_s}%' OR {$wpdb->blogs}.path LIKE '%{$like_s}%' ) ";
 } elseif( isset($_GET['blog_id']) ) {
 $query .= " AND blog_id = '". absint( $_GET['blog_id'] )."' ";
 } elseif( isset($_GET['blog_ip']) ) {
@@ -323,7 +324,7 @@ switch( $_GET['action'] ) {
 FROM {$wpdb->blogs}, {$wpdb->registration_log}
 WHERE site_id = '{$wpdb->siteid}'
 AND {$wpdb->blogs}.blog_id = {$wpdb->registration_log}.blog_id
- AND {$wpdb->registration_log}.IP LIKE ('%{$s}%')";
+ AND {$wpdb->registration_log}.IP LIKE ('%{$like_s}%')";
 }
 if( isset( $_GET['sortby'] ) == false ) {
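Review bot: `like_escape()` only neutralizes the LIKE wildcards (`%`/`_`); it is not an SQL string escape, so on the new `$query .= " AND ( ... LIKE '%{$like_s}%' ..."` line the search term is still interpolated into a single-quoted SQL literal with no SQL-level escaping, and the only thing between a `'` in `s` and the query is `wp_specialchars()` (an HTML encoder) plus whatever slash-escaping may have been applied to `$_GET` upstream, which is not visible in this hunk. The commit message's "make safe" therefore overstates what this change does: it fixes wildcard injection, not SQL injection. If `$wpdb->prepare()` is available in this tree, bind the term instead and keep `like_escape()` only for the wildcards: `$query .= $wpdb->prepare( " AND ( {$wpdb->blogs}.domain LIKE %s OR {$wpdb->blogs}.path LIKE %s ) ", '%' . $like_s . '%', '%' . $like_s . '%' );`. Separately, `$s` is HTML-entity-encoded before it becomes a DB search term, so a term containing `&`, `<` or `>` is matched in its encoded form; escaping for output belongs where `$s` is echoed, not here. The enclosing `switch( $_GET['action'] )` block starts and ends outside this hunk.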
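Review bot: The new `AND {$wpdb->registration_log}.IP LIKE ('%{$like_s}%')` line still interpolates the search term into a quoted SQL literal with only wildcard escaping applied, and because the target column is an IP address the cheaper and stronger fix is an allow-list rather than escaping: strip anything that cannot occur in an IP before building the clause, e.g. `$ip_s = preg_replace( '/[^0-9a-fA-F.:]/', '', $s );` and use `'%{$ip_s}%'` here (or bind it through `$wpdb->prepare()` if that helper is available). Note also that the substring match means a search for `1.2.3.4` also returns `11.2.3.45`, which may be surprising for an IP lookup; if exact matches are intended for a complete address, the leading/trailing `%` should go. `$s` and `$like_s` are assigned in the previous hunk, and the enclosing `switch` block starts and ends outside this hunk.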