Properly escape the LIKE comparison in search_orders()

stevegrunwell · stevegrunwell · commit f178687631ce · 2018-01-03T19:09:41.000Z
diff --git a/includes/class-wc-order-data-store-custom-table.php b/includes/class-wc-order-data-store-custom-table.php
@@ -582,9 +582,9 @@ public function search_orders( $term ) {
 				$wpdb->prepare( "
 						SELECT order_id
 						FROM {$wpdb->prefix}woocommerce_order_items as order_items
-						WHERE order_item_name LIKE '%%%s%%'
+						WHERE order_item_name LIKE %s
 						",
-					$term
+					'%' . $wpdb->esc_like( $term ) . '%'
 				)
 			)
 		) );
diff --git a/tests/test-data-store.php b/tests/test-data-store.php
@@ -141,6 +141,21 @@ public function test_search_orders_checks_table_for_product_item_matches() {
 		);
 	}
 
+	public function test_search_orders_checks_table_for_product_item_matches_with_like_comparison() {
+		$product = $this->factory()->product->create_and_get( array(
+			'post_title' => 'foo bar baz',
+		) );
+		$order = $this->factory()->order->create_and_get();
+		$order->add_product( $product );
+		$order->save();
+
+		$this->assertEquals(
+			array( $order->get_id() ),
+			( new WC_Order_Data_Store_Custom_Table() )->search_orders( 'bar' ),
+			'Product items should be searched using a LIKE comparison and wildcards.'
+		);
+	}
+
 	/**
 	 * @dataProvider order_type_provider()
 	 */

Original file line number	Diff line number	Diff line change
`@@ -582,9 +582,9 @@ public function search_orders( $term ) {`
`582`	`582`	`$wpdb->prepare( "`
`583`	`583`	`SELECT order_id`
`584`	`584`	`FROM {$wpdb->prefix}woocommerce_order_items as order_items`
`585`		`- WHERE order_item_name LIKE '%%%s%%'`
	`585`	`+ WHERE order_item_name LIKE %s`
`586`	`586`	`",`
`587`		`- $term`
	`587`	`+ '%' . $wpdb->esc_like( $term ) . '%'`
`588`	`588`	`)`
`589`	`589`	`)`
`590`	`590`	`) );`