Unlike most common MySQL escaping scenarios in PHP, one needs to take extra precautionary measures when implementing a LIKE query. LIKE queries contain two special qualifiers for term matching, % and _, which the user could maliciously include in their search terms. These qualifiers match zero or more characters and any single character, respectively. MySQL's own escape function, as well as PHP's magic quotes setting, ignores LIKE qualifiers. For this reason, users can abuse insecure systems by complicating LIKE matching, for example by preventing the use of an index by prefixing a search term with % or _. This can effectively lead to a Denial of Service (DoS) by overloading a decently sized database.

An example attack is as easy as a user inputting data with a prefix of % or _. Since % and _ are both common operators, users could also unknowingly compromise your system. To address this LIKE security flaw, we need to implement a custom escaping mechanism for the two special qualifiers. We use addcslashes() because it functions much the same as addslashes() and is a much faster alternative to str_replace() or a regular expression.
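The following is an added example, not code from the original post. It shows the addcslashes() approach described above: the LIKE wildcards % and _ are prefixed with a backslash, and the backslash itself is escaped too, because it is MySQL's default LIKE escape character and an unescaped user-supplied backslash would otherwise swallow the character after it. The escaped term is then bound as a prepared-statement parameter, so the driver still handles SQL string escaping; addcslashes() only neutralises the wildcards. The $pdo connection, the users table and the name column are assumptions for the sake of the example.

```php
<?php
// Added example (not from the original post): neutralise LIKE wildcards before
// binding the search term as a prepared-statement parameter.
function escapeLikeTerm(string $term): string
{
    // addcslashes() prefixes every character in the list with a backslash.
    // '%' and '_' are the LIKE wildcards; '\' is included because it is
    // MySQL's default LIKE escape character. The PHP literal '%_\\' is the
    // three characters % _ \ .
    return addcslashes($term, '%_\\');
}

// Constructed sample inputs to show the transformation.
$inputs = [
    'alice',  // ordinary term, unchanged
    '%',      // alone would match every row
    '_a%',    // leading wildcard defeats a prefix index
    'a\\b',   // literal backslash in the term
];
foreach ($inputs as $in) {
    printf("%-6s -> %s\n", $in, escapeLikeTerm($in));
}
// alice  -> alice
// %      -> \%
// _a%    -> \_a\%
// a\b    -> a\\b

// Prefix search using PDO (assumed connection, table and column names).
// The wildcard that the application intends is appended AFTER escaping,
// so only the application, not the user, decides where matching is open-ended.
function findUsersByNamePrefix(PDO $pdo, string $prefix): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name LIKE :pattern');
    $stmt->execute([':pattern' => escapeLikeTerm($prefix) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Note that escaping the wildcards is a complement to, not a substitute for, parameterised queries: the prepared statement prevents SQL injection, while escapeLikeTerm() prevents a user from turning a cheap prefix match into a full table scan. Also keep in mind that a pattern beginning with a literal (escaped) character can still use an index, whereas one beginning with an unescaped % or _ cannot.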