Escape user input in LIKE queries via escapeLikeValue()

BurntimeX · BurntimeX · commit d3b0ea766e23 · 2026-06-09T17:53:42.000+02:00
Multiple SQL queries used `LIKE ?` with raw user-controlled input concatenated with `%` wildcards. Without escaping, `%` and `_` characters in the input were interpreted as wildcards, allowing broader matches than intended and enabling potential information disclosure via crafted search strings.
diff --git a/wcfsetup/install/files/lib/command/style/CopyStyle.class.php b/wcfsetup/install/files/lib/command/style/CopyStyle.class.php
@@ -145,7 +145,7 @@ private function getUniqueStyleName(Style $style): string
                     AND styleID <> ?";
         $statement = WCF::getDB()->prepare($sql);
         $statement->execute([
-            $style->styleName . '%',
+            WCF::getDB()->escapeLikeValue($style->styleName) . '%',
             $style->styleID,
         ]);
         $numbers = [];
diff --git a/wcfsetup/install/files/lib/data/article/ArticleAction.class.php b/wcfsetup/install/files/lib/data/article/ArticleAction.class.php
@@ -930,7 +930,7 @@ public function search()
                 ORDER BY    title";
         $statement = WCF::getDB()->prepare($sql, 5);
         $statement->execute([
-            '%' . $this->parameters['searchString'] . '%',
+            '%' . WCF::getDB()->escapeLikeValue($this->parameters['searchString']) . '%',
             WCF::getLanguage()->languageID,
         ]);
 
diff --git a/wcfsetup/install/files/lib/data/package/update/PackageUpdateAction.class.php b/wcfsetup/install/files/lib/data/package/update/PackageUpdateAction.class.php
@@ -94,7 +94,7 @@ public function search()
 
         $conditions = new PreparedStatementConditionBuilder();
         $conditions->add("package_update.packageUpdateServerID IN (?)", [\array_keys($availableUpdateServers)]);
-        $searchString = '%' . $this->parameters['searchString'] . '%';
+        $searchString = '%' . WCF::getDB()->escapeLikeValue($this->parameters['searchString']) . '%';
         $conditions->add(
             "(package_update.package LIKE ? OR package_update.packageDescription LIKE ? OR package_update.packageName LIKE ?)",
             [$searchString, $searchString, $searchString]
diff --git a/wcfsetup/install/files/lib/data/page/PageAction.class.php b/wcfsetup/install/files/lib/data/page/PageAction.class.php
@@ -370,7 +370,7 @@ public function search()
                 ORDER BY    name";
         $statement = WCF::getDB()->prepare($sql, 5);
         $statement->execute([
-            '%' . $this->parameters['searchString'] . '%',
+            '%' . WCF::getDB()->escapeLikeValue($this->parameters['searchString']) . '%',
             0,
         ]);
 
diff --git a/wcfsetup/install/files/lib/data/search/keyword/SearchKeywordAction.class.php b/wcfsetup/install/files/lib/data/search/keyword/SearchKeywordAction.class.php
@@ -53,7 +53,7 @@ public function getSearchResultList()
                 WHERE       keyword LIKE ?
                 ORDER BY    searches DESC";
         $statement = WCF::getDB()->prepare($sql, 10);
-        $statement->execute([$this->parameters['data']['searchString'] . '%']);
+        $statement->execute([WCF::getDB()->escapeLikeValue($this->parameters['data']['searchString']) . '%']);
         while ($row = $statement->fetchArray()) {
             $list[] = [
                 'label' => $row['keyword'],
diff --git a/wcfsetup/install/files/lib/data/tag/TagAction.class.php b/wcfsetup/install/files/lib/data/tag/TagAction.class.php
@@ -129,7 +129,7 @@ public function getSearchResultList()
         $list = [];
 
         $conditionBuilder = new PreparedStatementConditionBuilder();
-        $conditionBuilder->add("name LIKE ?", [$this->parameters['data']['searchString'] . '%']);
+        $conditionBuilder->add("name LIKE ?", [WCF::getDB()->escapeLikeValue($this->parameters['data']['searchString']) . '%']);
         if (!empty($excludedSearchValues)) {
             $conditionBuilder->add("name NOT IN (?)", [$excludedSearchValues]);
         }
diff --git a/wcfsetup/install/files/lib/data/user/UserAction.class.php b/wcfsetup/install/files/lib/data/user/UserAction.class.php
@@ -606,7 +606,7 @@ public function getSearchResultList()
         }
 
         // find users
-        $searchString = \addcslashes($searchString, '_%');
+        $searchString = WCF::getDB()->escapeLikeValue($searchString);
         $parameters = [
             'searchString' => $searchString,
         ];
diff --git a/wcfsetup/install/files/lib/form/UserSearchForm.class.php b/wcfsetup/install/files/lib/form/UserSearchForm.class.php
@@ -209,7 +209,7 @@ protected function search()
     protected function buildStaticConditions()
     {
         if (!empty($this->username)) {
-            $this->conditions->add("user_table.username LIKE ?", ['%' . \addcslashes($this->username, '_%') . '%']);
+            $this->conditions->add("user_table.username LIKE ?", ['%' . WCF::getDB()->escapeLikeValue($this->username) . '%']);
         }
     }
 
diff --git a/wcfsetup/install/files/lib/system/endpoint/controller/core/messages/GetMentionSuggestions.class.php b/wcfsetup/install/files/lib/system/endpoint/controller/core/messages/GetMentionSuggestions.class.php
@@ -70,7 +70,7 @@ public function __invoke(ServerRequestInterface $request, array $variables): Res
     private function getUsers(string $query): array
     {
         $userProfileList = new UserProfileList();
-        $userProfileList->getConditionBuilder()->add("username LIKE ?", [$query . '%']);
+        $userProfileList->getConditionBuilder()->add("username LIKE ?", [WCF::getDB()->escapeLikeValue($query) . '%']);
 
         $userProfileList->sqlLimit = 10;
         $userProfileList->readObjects();
diff --git a/wcfsetup/install/files/lib/system/html/input/node/HtmlInputNodeTextParser.class.php b/wcfsetup/install/files/lib/system/html/input/node/HtmlInputNodeTextParser.class.php
@@ -290,7 +290,7 @@ protected function lookupUsernames(array $usernames)
 
         if (!empty($likeValues)) {
             for ($i = 0, $length = \count($likeValues); $i < $length; $i++) {
-                $conditions->add('username LIKE ?', [\str_replace('%', '', $likeValues[$i]) . '%']);
+                $conditions->add('username LIKE ?', [WCF::getDB()->escapeLikeValue($likeValues[$i]) . '%']);
             }
         }
 
diff --git a/wcfsetup/install/files/lib/system/listView/user/MembersListView.class.php b/wcfsetup/install/files/lib/system/listView/user/MembersListView.class.php
@@ -114,7 +114,7 @@ public function applyFilter(DatabaseObjectList $list, string $value): void
                 if ($value == '#') {
                     $list->getConditionBuilder()->add("SUBSTRING(username,1,1) IN ('0', '1', '2', '3', '4', '5', '6', '7', '8', '9')");
                 } else {
-                    $list->getConditionBuilder()->add("username LIKE ?", [$value . '%']);
+                    $list->getConditionBuilder()->add("username LIKE ?", [WCF::getDB()->escapeLikeValue($value) . '%']);
                 }
             }
         };
diff --git a/wcfsetup/install/files/lib/system/page/handler/ArticlePageHandler.class.php b/wcfsetup/install/files/lib/system/page/handler/ArticlePageHandler.class.php
@@ -69,7 +69,7 @@ public function lookup($searchString)
                 FROM    wcf1_article_content
                 WHERE   title LIKE ?
             )',
-            ['%' . $searchString . '%']
+            ['%' . WCF::getDB()->escapeLikeValue($searchString) . '%']
         );
         $articleList->sqlLimit = 10;
         $articleList->sqlOrderBy = 'title';
diff --git a/wcfsetup/install/files/lib/system/page/handler/TDecoratedCategoryLookupPageHandler.class.php b/wcfsetup/install/files/lib/system/page/handler/TDecoratedCategoryLookupPageHandler.class.php
@@ -110,7 +110,7 @@ public function lookup($searchString)
         );
         $conditionBuilder->add(
             '(category.title LIKE ? OR language_item.languageItemValue LIKE ?)',
-            ['%' . $searchString . '%', '%' . $searchString . '%']
+            ['%' . WCF::getDB()->escapeLikeValue($searchString) . '%', '%' . WCF::getDB()->escapeLikeValue($searchString) . '%']
         );
         $sql = "SELECT      DISTINCT categoryID
                 FROM        wcf1_category category
diff --git a/wcfsetup/install/files/lib/system/page/handler/TUserLookupPageHandler.class.php b/wcfsetup/install/files/lib/system/page/handler/TUserLookupPageHandler.class.php
@@ -4,6 +4,7 @@
 
 use wcf\data\user\UserProfileList;
 use wcf\system\cache\runtime\UserRuntimeCache;
+use wcf\system\WCF;
 
 /**
  * Provides the `isValid` and `lookup` methods for looking up users.
@@ -38,7 +39,7 @@ public function isValid($objectID)
     public function lookup($searchString)
     {
         $userList = new UserProfileList();
-        $userList->getConditionBuilder()->add('user_table.username LIKE ?', ['%' . $searchString . '%']);
+        $userList->getConditionBuilder()->add('user_table.username LIKE ?', ['%' . WCF::getDB()->escapeLikeValue($searchString) . '%']);
         $userList->readObjects();
 
         $results = [];
diff --git a/wcfsetup/install/files/lib/system/page/handler/TrophyPageHandler.class.php b/wcfsetup/install/files/lib/system/page/handler/TrophyPageHandler.class.php
@@ -54,7 +54,7 @@ public function lookup($searchString)
             ON          language_item.languageItem = trophy.title";
         $trophyList->getConditionBuilder()->add(
             '(trophy.title LIKE ? OR language_item.languageItemValue LIKE ?)',
-            ['%' . $searchString . '%', '%' . $searchString . '%']
+            ['%' . WCF::getDB()->escapeLikeValue($searchString) . '%', '%' . WCF::getDB()->escapeLikeValue($searchString) . '%']
         );
         $trophyList->sqlLimit = 10;
         $trophyList->sqlOrderBy = 'title';
diff --git a/wcfsetup/install/files/lib/system/search/acp/ArticleACPSearchResultProvider.class.php b/wcfsetup/install/files/lib/system/search/acp/ArticleACPSearchResultProvider.class.php
@@ -27,7 +27,7 @@ public function search($query)
         $results = [];
 
         $contentList = new ArticleContentList();
-        $contentList->getConditionBuilder()->add('article_content.title LIKE ?', ['%' . $query . '%']);
+        $contentList->getConditionBuilder()->add('article_content.title LIKE ?', ['%' . WCF::getDB()->escapeLikeValue($query) . '%']);
         $contentList->sqlLimit = 10;
         $contentList->sqlOrderBy = 'article_content.title';
         $contentList->readObjects();
diff --git a/wcfsetup/install/files/lib/system/search/acp/BoxACPSearchResultProvider.class.php b/wcfsetup/install/files/lib/system/search/acp/BoxACPSearchResultProvider.class.php
@@ -28,7 +28,7 @@ public function search($query)
 
         $boxList = new BoxList();
         $boxList->getConditionBuilder()->add('box.boxType <> ?', ['menu']);
-        $boxList->getConditionBuilder()->add('box.name LIKE ?', ['%' . $query . '%']);
+        $boxList->getConditionBuilder()->add('box.name LIKE ?', ['%' . WCF::getDB()->escapeLikeValue($query) . '%']);
         $boxList->sqlLimit = 10;
         $boxList->sqlOrderBy = 'box.name';
         $boxList->readObjects();
diff --git a/wcfsetup/install/files/lib/system/search/acp/OptionACPSearchResultProvider.class.php b/wcfsetup/install/files/lib/system/search/acp/OptionACPSearchResultProvider.class.php
@@ -39,7 +39,7 @@ public function search($query)
         $conditions = new PreparedStatementConditionBuilder();
         $conditions->add("languageID = ?", [WCF::getLanguage()->languageID]);
         $conditions->add("languageItem LIKE ?", ['wcf.acp.option.%']);
-        $conditions->add("languageItemValue LIKE ?", ['%' . $query . '%']);
+        $conditions->add("languageItemValue LIKE ?", ['%' . WCF::getDB()->escapeLikeValue($query) . '%']);
 
         $sql = "SELECT      languageItem
                 FROM        wcf1_language_item
@@ -71,7 +71,7 @@ public function search($query)
             $conditions->add('optionName IN (?)', [$optionNames]);
         }
         if (ENABLE_DEBUG_MODE && ENABLE_DEVELOPER_TOOLS) {
-            $conditions->add('optionName LIKE ?', ['%' . $query . '%']);
+            $conditions->add('optionName LIKE ?', ['%' . WCF::getDB()->escapeLikeValue($query) . '%']);
         }
 
         $sql = "SELECT  optionName, categoryName, options, permissions, hidden
diff --git a/wcfsetup/install/files/lib/system/search/acp/PackageACPSearchResultProvider.class.php b/wcfsetup/install/files/lib/system/search/acp/PackageACPSearchResultProvider.class.php
@@ -33,7 +33,7 @@ public function search($query)
         $conditions = new PreparedStatementConditionBuilder();
         $conditions->add("languageID = ?", [WCF::getLanguage()->languageID]);
         $conditions->add("languageItem LIKE ?", ['wcf.acp.package.packageName.package%']);
-        $conditions->add("languageItemValue LIKE ?", ['%' . $query . '%']);
+        $conditions->add("languageItemValue LIKE ?", ['%' . WCF::getDB()->escapeLikeValue($query) . '%']);
 
         $sql = "SELECT  languageItem
                 FROM    wcf1_language_item
@@ -58,8 +58,8 @@ public function search($query)
                     " . (\count($conditions->getParameters()) ? "OR " . $conditions : "");
         $statement = WCF::getDB()->prepare($sql);
         $statement->execute(\array_merge([
-            '%' . $query . '%',
-            '%' . $query . '%',
+            '%' . WCF::getDB()->escapeLikeValue($query) . '%',
+            '%' . WCF::getDB()->escapeLikeValue($query) . '%',
         ], $conditions->getParameters()));
 
         while ($package = $statement->fetchObject(Package::class)) {
diff --git a/wcfsetup/install/files/lib/system/search/acp/PageACPSearchResultProvider.class.php b/wcfsetup/install/files/lib/system/search/acp/PageACPSearchResultProvider.class.php
@@ -27,7 +27,7 @@ public function search($query)
         $results = [];
 
         $pageList = new PageList();
-        $pageList->getConditionBuilder()->add('page.name LIKE ?', ['%' . $query . '%']);
+        $pageList->getConditionBuilder()->add('page.name LIKE ?', ['%' . WCF::getDB()->escapeLikeValue($query) . '%']);
         $pageList->sqlLimit = 10;
         $pageList->sqlOrderBy = 'page.name';
         $pageList->readObjects();
diff --git a/wcfsetup/install/files/lib/system/search/acp/TrophyACPSearchResultProvider.class.php b/wcfsetup/install/files/lib/system/search/acp/TrophyACPSearchResultProvider.class.php
@@ -31,7 +31,7 @@ public function search($query)
         $conditions = new PreparedStatementConditionBuilder();
         $conditions->add("languageID = ?", [WCF::getLanguage()->languageID]);
         $conditions->add("languageItem LIKE ?", ['wcf.user.trophy.title%']);
-        $conditions->add("languageItemValue LIKE ?", ['%' . $query . '%']);
+        $conditions->add("languageItemValue LIKE ?", ['%' . WCF::getDB()->escapeLikeValue($query) . '%']);
 
         $sql = "SELECT  languageItem
                 FROM    wcf1_language_item
@@ -55,7 +55,7 @@ public function search($query)
                     " . (!empty($conditions->getParameters()) ? "OR " . $conditions : "");
         $statement = WCF::getDB()->prepare($sql);
         $statement->execute(\array_merge([
-            '%' . $query . '%',
+            '%' . WCF::getDB()->escapeLikeValue($query) . '%',
         ], $conditions->getParameters()));
 
         while ($trophy = $statement->fetchObject(Trophy::class)) {
diff --git a/wcfsetup/install/files/lib/system/search/acp/UserACPSearchResultProvider.class.php b/wcfsetup/install/files/lib/system/search/acp/UserACPSearchResultProvider.class.php
@@ -27,10 +27,10 @@ public function search($query)
         }
 
         $conditionBuilder = new PreparedStatementConditionBuilder(true, 'OR');
-        $conditionBuilder->add("username LIKE ?", [[$query . '%']]);
+        $conditionBuilder->add("username LIKE ?", [[WCF::getDB()->escapeLikeValue($query) . '%']]);
 
         if (WCF::getSession()->getPermission('admin.user.canEditMailAddress')) {
-            $conditionBuilder->add("email LIKE ?", [[$query . '%']]);
+            $conditionBuilder->add("email LIKE ?", [[WCF::getDB()->escapeLikeValue($query) . '%']]);
         }
 
         $sql = "SELECT  *
diff --git a/wcfsetup/install/files/lib/system/search/acp/UserGroupOptionACPSearchResultProvider.class.php b/wcfsetup/install/files/lib/system/search/acp/UserGroupOptionACPSearchResultProvider.class.php
@@ -51,7 +51,7 @@ public function search($query)
         $conditions = new PreparedStatementConditionBuilder();
         $conditions->add("languageID = ?", [WCF::getLanguage()->languageID]);
         $conditions->add("languageItem LIKE ?", ['wcf.acp.group.option.%']);
-        $conditions->add("languageItemValue LIKE ?", ['%' . $query . '%']);
+        $conditions->add("languageItemValue LIKE ?", ['%' . WCF::getDB()->escapeLikeValue($query) . '%']);
 
         $sql = "SELECT      languageItem
                 FROM        wcf1_language_item
@@ -79,7 +79,7 @@ public function search($query)
             $conditions->add("optionName IN (?)", [\array_keys($languageItems)]);
         }
         if (ENABLE_DEBUG_MODE && ENABLE_DEVELOPER_TOOLS) {
-            $conditions->add('optionName LIKE ?', ['%' . $query . '%']);
+            $conditions->add('optionName LIKE ?', ['%' . WCF::getDB()->escapeLikeValue($query) . '%']);
         }
 
         $sql = "SELECT  optionID, optionName, categoryName, permissions, options

Original file line number	Diff line number	Diff line change
`@@ -129,7 +129,7 @@ public function getSearchResultList()`
`129`	`129`	`$list = [];`
`130`	`130`
`131`	`131`	`$conditionBuilder = new PreparedStatementConditionBuilder();`
`132`		`- $conditionBuilder->add("name LIKE ?", [$this->parameters['data']['searchString'] . '%']);`
	`132`	`+ $conditionBuilder->add("name LIKE ?", [WCF::getDB()->escapeLikeValue($this->parameters['data']['searchString']) . '%']);`
`133`	`133`	`if (!empty($excludedSearchValues)) {`
`134`	`134`	`$conditionBuilder->add("name NOT IN (?)", [$excludedSearchValues]);`
`135`	`135`	`}`
Original file line number	Diff line number	Diff line change
`@@ -606,7 +606,7 @@ public function getSearchResultList()`
`606`	`606`	`}`
`607`	`607`
`608`	`608`	`// find users`
`609`		`- $searchString = \addcslashes($searchString, '_%');`
	`609`	`+ $searchString = WCF::getDB()->escapeLikeValue($searchString);`
`610`	`610`	`$parameters = [`
`611`	`611`	`'searchString' => $searchString,`
`612`	`612`	`];`
Original file line number	Diff line number	Diff line change
`@@ -209,7 +209,7 @@ protected function search()`
`209`	`209`	`protected function buildStaticConditions()`
`210`	`210`	`{`
`211`	`211`	`if (!empty($this->username)) {`
`212`		`- $this->conditions->add("user_table.username LIKE ?", ['%' . \addcslashes($this->username, '_%') . '%']);`
	`212`	`+ $this->conditions->add("user_table.username LIKE ?", ['%' . WCF::getDB()->escapeLikeValue($this->username) . '%']);`
`213`	`213`	`}`
`214`	`214`	`}`
`215`	`215`
Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ public function __invoke(ServerRequestInterface $request, array $variables): Res`
`70`	`70`	`private function getUsers(string $query): array`
`71`	`71`	`{`
`72`	`72`	`$userProfileList = new UserProfileList();`
`73`		`- $userProfileList->getConditionBuilder()->add("username LIKE ?", [$query . '%']);`
	`73`	`+ $userProfileList->getConditionBuilder()->add("username LIKE ?", [WCF::getDB()->escapeLikeValue($query) . '%']);`
`74`	`74`
`75`	`75`	`$userProfileList->sqlLimit = 10;`
`76`	`76`	`$userProfileList->readObjects();`
Original file line number	Diff line number	Diff line change
`@@ -290,7 +290,7 @@ protected function lookupUsernames(array $usernames)`
`290`	`290`
`291`	`291`	`if (!empty($likeValues)) {`
`292`	`292`	`for ($i = 0, $length = \count($likeValues); $i < $length; $i++) {`
`293`		`- $conditions->add('username LIKE ?', [\str_replace('%', '', $likeValues[$i]) . '%']);`
	`293`	`+ $conditions->add('username LIKE ?', [WCF::getDB()->escapeLikeValue($likeValues[$i]) . '%']);`
`294`	`294`	`}`
`295`	`295`	`}`
`296`	`296`