Escape underscores in generated like conditions

Resolves #11898
craftcms · Sep 8, 2022 · 214255e · 214255e
1 parent f3e77c5
commit 214255e
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@
 
 ### Changed
 - `resave/*` commands now have a `--touch` option. When passed, elements’ `dateUpdated` timestamps will be updated as they’re resaved. ([#11849](https://github.com/craftcms/cms/discussions/11849))
+- Underscores within query param values that begin/end with `*` are now escaped, so they aren’t treated as wildcard characters by the `like` condition. ([#11898](https://github.com/craftcms/cms/issues/11898))
 - `craft\services\Elements::resaveElements()` now has a `$touch` argument.
 
 ### Fixed

diff --git a/src/helpers/Db.php b/src/helpers/Db.php
@@ -553,6 +553,10 @@ public static function parseParam(string $column, $value, string $defaultOperato
                     } else {
                         $operator = $operator === '=' ? 'like' : 'not like';
                     }
+
+                    // Escape underscores as they are treated as wildcards by LIKE in MySQL and PostgreSQL
+                    $val = preg_replace('/(?<!\\\)_/', '\\_', $val);
+
                     $condition[] = [$operator, $column, $val, false];
                     continue;
                 }