View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0003030||mantisbt||db mysql||public||2003-03-03 15:22||2019-07-17 12:04|
|Summary||0003030: back slash in search string not escaped|
I have to type in "\" in the search text box to search for "\"
|Steps To Reproduce|
try to search for any string with one "\" in it
|Tags||No tags attached.|
In 0.18.0a3, this seems to be a MySQL problem.. (The query is properly escaped towards MySQL, but there are no results).
according to MYSQL manual.html:
Note: Because MySQL uses the C escape syntax in strings (for example,
If you search for \ you will get the following queries to MySQL. (At least I get them on my server)
5 SELECT .... ((summary LIKE '%\%') OR (mantis_bug_text_table.description LIKE '%\%') OR (mantis_bug_text_table.steps_to_reproduce LIKE '%\%') OR (mantis_bug_text_table.additional_information LIKE '%\%') OR (mantis_bug_table.id LIKE '%\%') OR (mantis_bugnote_text_table.note LIKE '%\%')) AND (mantis_bug_text_table.id = mantis_bug_table.bug_text_id)
The backslash is doubled in the query as it should for security.. But after reviewing the mysql manual this is not enough in the LIKE query..
\, % and _ need an extra \ before.. because \ \% and _ (\\, \\% and \_ after encoding) are escapes for literal \ % and _ in queries..
If it was documented, you might treat it as a feature to allow full LIKE expressions in searching Mantis, but I think it should be fixed for ease of use ;-)
edited on: 03-04-03 10:23
This is still an issue in the latest code - updating product affected versions
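The two escaping layers discussed in this report, as an added example (not MantisBT code): `escape_like` handles the LIKE-pattern layer, and `mysql_literal` shows what the string-literal layer then produces under MySQL's default backslash-escape mode. SQLite with an explicit `ESCAPE '\'` clause stands in for MySQL so the block runs offline; the table, rows and function names are constructed for illustration.

```python
import sqlite3

def escape_like(term, esc="\\"):
    """Layer 1: make `term` match literally inside a LIKE pattern."""
    # Escape the escape character first; doing it last would double the
    # backslashes that were just added in front of % and _.
    out = term.replace(esc, esc + esc)
    return out.replace("%", esc + "%").replace("_", esc + "_")

def mysql_literal(pattern):
    """Layer 2 (illustration only): the pattern as a quoted MySQL string
    literal with backslash escapes enabled. Real code should bind parameters."""
    return "'" + pattern.replace("\\", "\\\\").replace("'", "\\'") + "'"

def demo_db():
    """In-memory table with constructed sample summaries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bug (id INTEGER PRIMARY KEY, summary TEXT)")
    conn.executemany(
        "INSERT INTO bug (summary) VALUES (?)",
        [("path C:\\temp fails",), ("100% cpu usage",),
         ("rename foo_bar column",), ("fooxbar crash",), ("plain summary",)],
    )
    return conn

def search(conn, term, escape=True):
    """Substring search; escape=False reproduces the wildcard leak."""
    body = escape_like(term) if escape else term
    # The value is bound as a parameter, so only the LIKE layer needs escaping.
    # SQLite has no default LIKE escape character, hence the ESCAPE clause.
    rows = conn.execute(
        "SELECT summary FROM bug WHERE summary LIKE ? ESCAPE '\\' ORDER BY id",
        ("%" + body + "%",),
    )
    return [r[0] for r in rows]

if __name__ == "__main__":
    conn = demo_db()
    print(mysql_literal("%" + escape_like("\\") + "%"))  # literal sent to MySQL
    print(search(conn, "\\"))                 # only the row containing a backslash
    print(search(conn, "_", escape=False))    # unescaped _ matches every row
    print(search(conn, "_"))                  # escaped _ matches one row
```

With parameter binding the second layer disappears entirely, which leaves the LIKE-pattern escaping as the only step the application has to perform itself.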