wpdb::esc_like()publicWP 4.0.0

First half of escaping for LIKE special characters % and _ before preparing for MySQL.

Use this only before wpdb::prepare() or esc_sql(). Reversing the order is very bad for security.

Example Prepared Statement:

$wild = '%';
$find = 'only 43% of planets';
$like = $wild . $wpdb->esc_like( $find ) . $wild;
$sql  = $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_content LIKE %s", $like );

Example Escape Chain:

$sql  = esc_sql( $wpdb->esc_like( $input ) );

Method of the class: wpdb{}

1 time — 0.00001 sec (speed of light) | 50000 times — 0.01 sec (speed of light) | PHP 7.4.8, WP 5.6.2

No Hooks.

Return

String. Text in the form of a LIKE phrase. The output is not SQL safe. Call wpdb::prepare() or wpdb::_real_escape() next.

Usage

global $wpdb;
$wpdb->esc_like( $text );
$text(string) (required)
The raw text to be escaped. The input typed by the user should have no extra or deleted slashes.

Examples

0

#1 Example of preparing a string for a LIKE query

$wild = '%';
$find = 'only 43% of planets';
$like = $wild . $wpdb->esc_like( $find ) . $wild;
$sql  = $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_content LIKE %s", $like );

echo $sql; // SELECT * FROM wp_posts WHERE post_content LIKE '{d710cab}only 43\{d710cab} of planets{d710cab}'
0

#2 Example with esc_sql()

$esc_like = $wpdb->esc_like( 'only 43% of planets' );
echo $esc_like;                                        // only 43\% of planets
echo esc_sql( $esc_like );                             // only 43\{f5fa52} of planets
0

#3 Another example of preparing a string for a LIKE query

global $wpdb;
$link = $wpdb->esc_like( $link ); // prepare a string for the LIKE argument
$link = esc_sql( $link ); // clear the variable
$link = '%' . $link . '%'; // create a full LIKE search variable

// find comments in the text or link of the author, there is a specified link
$spammy = $wpdb->query("SELECT comment_approved FROM $wpdb->comments
	WHERE (comment_content LIKE '$link' OR comment_author_url LIKE '$link')
		AND comment_approved = 'spam'
	LIMIT 1;"
);
0

#4 A short recording with prepare()

global $wpdb;

$link = '%' . $wpdb->esc_like( $link ) . '%';

$comment = $wpdb->get_row( $wpdb->prepare(
	"SELECT * FROM $wpdb->comments WHERE comment_author_url LIKE %s LIMIT 1", $link
) );

Changelog

Since 4.0.0 Introduced.

wpdb::esc_like() code WP 6.1.1

public function esc_like( $text ) {
	return addcslashes( $text, '_%\\' );
}