Enhance SQL query handling in duplicate merging logic

kodinkat · kodinkat · commit 42d2e85b2634 · 2026-02-25T17:19:39.000Z
- Improved the construction of SQL queries by ensuring consistent escaping of values, particularly for LIKE operations, to enhance security and prevent SQL injection vulnerabilities.
                - Updated the handling of dynamic post types in SQL queries for better clarity and maintainability.
diff --git a/dt-contacts/duplicates-merging.php b/dt-contacts/duplicates-merging.php
@@ -896,17 +896,18 @@ private static function query_for_duplicate_searches_v2( $post_type, $post_id, b
                 foreach ( $search_values as $search_val ){
                     $val = ( strpos( $search_val, '^' ) === 0 ) ? substr( $search_val, 1 ) : $search_val;
                     $op = ( strpos( $search_val, '^' ) === 0 ) ? '=' : 'LIKE';
-                    $esc_val = esc_sql( $val );
                     if ( $op === 'LIKE' ){
-                        $esc_val = '%' . $esc_val . '%';
+                        $esc_val = '%' . esc_sql( $wpdb->esc_like( $val ) ) . '%';
+                    } else {
+                        $esc_val = esc_sql( $val );
                     }
                     if ( !empty( $all_sql ) ){
                         $all_sql .= ' UNION ';
                     }
                     $all_sql .= 'SELECT p.ID, p.post_title, \'post_title\' as field, p.post_title as value
                         FROM ' . $wpdb->posts . ' p
                         JOIN ' . $wpdb->postmeta . ' pm ON ( p.ID = pm.post_id AND pm.meta_key = \'type\' AND pm.meta_value = \'access\' )
-                        WHERE p.post_type = \'contacts\' AND p.post_title ' . $op . ' \'' . $esc_val . '\'
+                        WHERE p.post_type = \'' . esc_sql( $post_type ) . '\' AND p.post_title ' . $op . ' \'' . $esc_val . '\'
                         AND p.ID != ' . (int) $post_id;
                 }
             } else if ( $field_type === 'communication_channel' ){
@@ -931,9 +932,10 @@ private static function query_for_duplicate_searches_v2( $post_type, $post_id, b
                 foreach ( $search_values as $search_val ){
                     $val = ( strpos( $search_val, '^' ) === 0 ) ? substr( $search_val, 1 ) : $search_val;
                     $op = ( strpos( $search_val, '^' ) === 0 ) ? '=' : 'LIKE';
-                    $esc_val = esc_sql( $val );
                     if ( $op === 'LIKE' ){
-                        $esc_val = '%' . $esc_val . '%';
+                        $esc_val = '%' . esc_sql( $wpdb->esc_like( $val ) ) . '%';
+                    } else {
+                        $esc_val = esc_sql( $val );
                     }
                     if ( !empty( $all_sql ) ){
                         $all_sql .= ' UNION ';
