From bc20a5b531dbd4369ac544215bee18e91a699f10 Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Tue, 18 Sep 2007 20:14:25 +0000
Subject: [PATCH] Fix external link queries to escape LIKE metacharacters, avoiding massive table scans
---
 includes/LinkFilter.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/includes/LinkFilter.php b/includes/LinkFilter.php
index ee668f08ee..ced76d7591 100644
--- a/includes/LinkFilter.php
+++ b/includes/LinkFilter.php
@@ -51,6 +51,7 @@ class LinkFilter {
 * @param $prot String: protocol
 */
 public static function makeLike( $filterEntry , $prot = 'http://' ) {
+ $db = wfGetDB( DB_MASTER );
 if ( substr( $filterEntry, 0, 2 ) == '*.' ) {
 $subdomains = true;
 $filterEntry = substr( $filterEntry, 2 );
@@ -83,23 +84,23 @@ class LinkFilter {
 $mailparts = explode( '@', $host );
 $domainpart = strtolower( implode( '.', array_reverse( explode( '.', $mailparts[1] ) ) ) );
 $host = $domainpart . '@' . $mailparts[0];
- $like = "$prot$host%";
+ $like = $db->escapeLike( "$prot$host" ) . "%";
 } elseif ( $prot == 'mailto:' ) {
 // domainpart of email adress only. do not add '.'
 $host = strtolower( implode( '.', array_reverse( explode( '.', $host ) ) ) );
- $like = "$prot$host%";
+ $like = $db->escapeLike( "$prot$host" ) . "%";
 } else {
 $host = strtolower( implode( '.', array_reverse( explode( '.', $host ) ) ) );
 if ( substr( $host, -1, 1 ) !== '.' ) {
 $host .= '.';
 }
- $like = "$prot$host";
+ $like = $db->escapeLike( "$prot$host" );
 if ( $subdomains ) {
 $like .= '%';
 }
 if ( !$subdomains || $path !== '/' ) {
- $like .= $db->escapeLike( $path ) . '%';
 }
 }
 return $like;
--
2.20.1
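Review bot: The added `$db = wfGetDB( DB_MASTER );` at the top of makeLike() takes a master connection only to call an escaping helper, so every caller that builds a link-search pattern now touches the master. The callers are not visible in this diff, but if they run read-only queries, `$db = wfGetDB( DB_SLAVE );` would keep search traffic off the master, which matters for a change whose stated goal is avoiding load from expensive LIKE queries. If the escaping depends on the connection (not shown here), the handle should be the same kind the caller later queries with. makeLike()'s body continues outside this hunk.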
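Review bot: Every `$like` assignment in this hunk now returns a mix of text passed through `$db->escapeLike()` and raw `%` wildcards, but the docblock of makeLike() (its tail is visible in the first hunk) does not document that contract. A caller that escapes the result again would turn the intended wildcards into literals, and one that assumes plain text may append unescaped input to it. I would add a line such as `@return String: LIKE pattern, metacharacters already escaped, trailing % wildcards intentional; do not escape again` to the docblock. What escapeLike() does beyond `%` and `_` is not visible here, so the comment should also state whether the result still needs quote-escaping before it is embedded in SQL. The function starts before this hunk.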