Improve escaping clarity and docs

Author: JanJakes

wp-includes/mysql/class-wp-mysql-token.php

@@ -62,18 +62,19 @@ public function get_value(): string {
 			 *
 			 * See: https://dev.mysql.com/doc/refman/8.4/en/string-literals.html
 			 */
+			$backslash    = chr( 92 );
 			$replacements = array(
 				/*
 				 * MySQL special character escape sequences.
 				 */
-				'\0'   => chr( 0 ),  // An ASCII NULL (X'00') character.
-				"\'"   => "'",       // A single quote (') character.
-				'\"'   => '"',       // A double quote (") character.
-				'\b'   => chr( 8 ),  // A backspace character.
-				'\n'   => "\n",      // A newline (linefeed) character.
-				'\r'   => "\r",      // A carriage return character.
-				'\t'   => "\t",      // A tab character.
-				'\Z'   => chr( 26 ), // An ASCII 26 (Control+Z) character.
+				( $backslash . '0' ) => chr( 0 ),  // An ASCII NULL character (\0).
+				( $backslash . "'" ) => chr( 39 ), // A single quote character (').
+				( $backslash . '"' ) => chr( 34 ), // A double quote character (").
+				( $backslash . 'b' ) => chr( 8 ),  // A backspace character.
+				( $backslash . 'n' ) => chr( 10 ), // A newline (linefeed) character (\n).
+				( $backslash . 'r' ) => chr( 13 ), // A carriage return character (\r).
+				( $backslash . 't' ) => chr( 9 ),  // A tab character (\t).
+				( $backslash . 'Z' ) => chr( 26 ), // An ASCII 26 (Control+Z) character.
 
 				/*
 				 * Normalize escaping of "%" and "_" characters.
@@ -92,8 +93,8 @@ public function get_value(): string {
 				 *   > of pattern-matching contexts, they evaluate to the strings \% and
 				 *   > \_, not to % and _.
 				 */
-				'\%'   => '\\\\%',
-				'\_'   => '\\\\_',
+				( $backslash . '%' ) => $backslash . $backslash . '%',
+				( $backslash . '_' ) => $backslash . $backslash . '_',
 
 				/*
 				 * Preserve a double backslash as-is, so that the trailing backslash
@@ -102,13 +103,13 @@ public function get_value(): string {
 				 * Resolving "\\" to "\" will be handled in the next step, where all
 				 * other backslash-prefixed characters resolve to their literal values.
 				 */
-				'\\\\' => '\\\\',
+				( $backslash . $backslash )
+					=> $backslash . $backslash,
 
 				/*
 				 * The bounding quotes can also be escaped by being doubled.
 				 */
-				$quote . $quote
-					=> $quote,
+				( $quote . $quote )  => $quote,
 			);
 
 			/*
@@ -127,7 +128,8 @@ public function get_value(): string {
 			 * A backslash with any other character represents the character itself.
 			 * That is, \x evaluates to x, \\ evaluates to \, and \🙂 evaluates to 🙂.
 			 */
-			$value = preg_replace( '/\\\\(.)/u', '$1', $value );
+			$preg_quoted_backslash = preg_quote( $backslash );
+			$value                 = preg_replace( "/$preg_quoted_backslash(.)/u", '$1', $value );
 		}
 		return $value;
 	}

wp-includes/sqlite-ast/class-wp-sqlite-driver.php

@@ -3560,7 +3560,7 @@ private function quote_mysql_identifier( string $unquoted_identifier ): string {
 	}
 
 	/**
-	 * Format a MySQL string literal for output in a CREATE TABLE statement.
+	 * Format a MySQL UTF-8 string literal for output in a CREATE TABLE statement.
 	 *
 	 * We expect UTF-8 strings coming from SQLite. The only characters that must
 	 * be escaped in a single-quoted string for a UTF-8 MySQL dump are ' and \.
@@ -3580,10 +3580,10 @@ private function quote_mysql_identifier( string $unquoted_identifier ): string {
 	 * TODO: We may consider stripping invalid UTF-8 characters, but that's likely
 	 *       to be a bigger project, as these can appear also in other contexts.
 	 *
-	 * @param  string $literal The string literal to escape.
-	 * @return string          The escaped string literal.
+	 * @param  string $utf8_literal The UTF-8 string literal to escape.
+	 * @return string               The escaped string literal.
 	 */
-	private function quote_mysql_utf8_string_literal( string $literal ): string {
+	private function quote_mysql_utf8_string_literal( string $utf8_literal ): string {
 		/*
 		 * We can't use "addcslashes()" here, because it has an unusual handling
 		 * of the ASCII NULL character, escaping it to "\000" instead of "\0".
@@ -3595,14 +3595,15 @@ private function quote_mysql_utf8_string_literal( string $literal ): string {
 		 *   - str_replace( [ 'a', 'b' ], [ 'b', 'c' ], 'ab' ); // 'cc' (bad)
 		 *   - strtr( 'ab', [ 'a' => 'b', 'b' => 'c' ] );       // 'bc' (good)
 		 */
+		$backslash    = chr( 92 );
 		$replacements = array(
-			"'"  => "''",
-			'\\' => '\\\\',
-			"\0" => '\0',
-			"\n" => '\n',
-			"\r" => '\r',
+			"'"        => "''",                    // A single quote character (').
+			$backslash => $backslash . $backslash, // A backslash character (\).
+			chr( 0 )   => $backslash . '0',        // An ASCII NULL character (\0).
+			chr( 10 )  => $backslash . 'n',        // A newline (linefeed) character (\n).
+			chr( 13 )  => $backslash . 'r',        // A carriage return character (\r).
 		);
-		return "'" . strtr( $literal, $replacements ) . "'";
+		return "'" . strtr( $utf8_literal, $replacements ) . "'";
 	}
 
 	/**

wp-includes/sqlite-ast/class-wp-sqlite-information-schema-reconstructor.php

@@ -664,25 +664,26 @@ private function get_mysql_column_type( string $column_type ): string {
 	}
 
 	/**
-	 * Format a MySQL string literal for output in a CREATE TABLE statement.
+	 * Format a MySQL UTF-8 string literal for output in a CREATE TABLE statement.
 	 *
 	 * See WP_SQLite_Driver::quote_mysql_utf8_string_literal().
 	 *
 	 * TODO: This is a copy of WP_SQLite_Driver::quote_mysql_utf8_string_literal().
 	 *       We may consider extracing it to reusable MySQL helpers.
 	 *
-	 * @param  string $literal The string literal to escape.
-	 * @return string          The escaped string literal.
+	 * @param  string $utf8_literal The UTF-8 string literal to escape.
+	 * @return string               The escaped string literal.
 	 */
-	private function quote_mysql_utf8_string_literal( string $literal ): string {
+	private function quote_mysql_utf8_string_literal( string $utf8_literal ): string {
+		$backslash    = chr( 92 );
 		$replacements = array(
-			"'"  => "''",
-			'\\' => '\\\\',
-			"\0" => '\0',
-			"\n" => '\n',
-			"\r" => '\r',
+			"'"        => "''",                    // A single quote character (').
+			$backslash => $backslash . $backslash, // A backslash character (\).
+			chr( 0 )   => $backslash . '0',        // An ASCII NULL character (\0).
+			chr( 10 )  => $backslash . 'n',        // A newline (linefeed) character (\n).
+			chr( 13 )  => $backslash . 'r',        // A carriage return character (\r).
 		);
-		return "'" . strtr( $literal, $replacements ) . "'";
+		return "'" . strtr( $utf8_literal, $replacements ) . "'";
 	}
 
 	/**