From ee633626248e5a2728e072b5ae05a74e25582bd4 Mon Sep 17 00:00:00 2001
From: Peter Westwood <westi@git.wordpress.org>
Date: Thu, 7 Jan 2010 08:02:52 +0000
Subject: [PATCH] Use like_escape to make safe search string for like queries.

git-svn-id: https://develop.svn.wordpress.org/trunk@12640 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-admin/ms-sites.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/wp-admin/ms-sites.php b/wp-admin/ms-sites.php
index b41ea14e53..3cc45b5405 100644
--- a/wp-admin/ms-sites.php
+++ b/wp-admin/ms-sites.php
@@ -311,11 +311,12 @@ switch( $_GET['action'] ) {
 		$apage = ( isset($_GET['apage'] ) && intval( $_GET['apage'] ) ) ? absint( $_GET['apage'] ) : 1; 
 		$num = ( isset($_GET['num'] ) && intval( $_GET['num'] ) ) ? absint( $_GET['num'] ) : 15; 
 		$s = wp_specialchars( trim( $_GET[ 's' ] ) );
-
+		$like_s = like_escape($s);
+		
 		$query = "SELECT * FROM {$wpdb->blogs} WHERE site_id = '{$wpdb->siteid}' ";
 
 		if( isset($_GET['blog_name']) ) {
-			$query .= " AND ( {$wpdb->blogs}.domain LIKE '%{$s}%' OR {$wpdb->blogs}.path LIKE '%{$s}%' ) ";
+			$query .= " AND ( {$wpdb->blogs}.domain LIKE '%{$like_s}%' OR {$wpdb->blogs}.path LIKE '%{$like_s}%' ) ";
 		} elseif( isset($_GET['blog_id']) ) {
 			$query .= " AND   blog_id = '". absint( $_GET['blog_id'] )."' ";
 		} elseif( isset($_GET['blog_ip']) ) {
@@ -323,7 +324,7 @@ switch( $_GET['action'] ) {
 				FROM {$wpdb->blogs}, {$wpdb->registration_log}
 				WHERE site_id = '{$wpdb->siteid}'
 				AND {$wpdb->blogs}.blog_id = {$wpdb->registration_log}.blog_id
-				AND {$wpdb->registration_log}.IP LIKE ('%{$s}%')";
+				AND {$wpdb->registration_log}.IP LIKE ('%{$like_s}%')";
 		}
 
 		if( isset( $_GET['sortby'] ) == false ) {