fix: corrected query, closes #4310

Author: thorsten

CHANGELOG.md

@@ -8,6 +8,7 @@ This is a log of major user-visible changes in each phpMyFAQ release.
 
 ### phpMyFAQ v4.1.4 - unreleased
 
+- updated third party dependencies (Thorsten)
 - fixed bugs (Thorsten)
 
 ### phpMyFAQ v4.1.3 – 2026-05-14

phpmyfaq/src/phpMyFAQ/Search/Database/PdoPgsql.php

@@ -71,7 +71,7 @@ public function search(string $searchTerm): mixed
                 FROM
                     %s %s %s %s
                 WHERE
-                    (%s) ILIKE ('%%%s%%') ESCAPE '\\'
+                    (%s) ILIKE ('%%%s%%') ESCAPE '='
                     %s
                     %s",
                 $columns,

phpmyfaq/src/phpMyFAQ/Search/Database/Pgsql.php

@@ -72,7 +72,7 @@ public function search(string $searchTerm): mixed
                 FROM
                     %s %s %s %s
                 WHERE
-                    (%s) ILIKE ('%%%s%%') ESCAPE '\\'
+                    (%s) ILIKE ('%%%s%%') ESCAPE '='
                     %s
                     %s",
                 $columns,

phpmyfaq/src/phpMyFAQ/Search/SearchDatabase.php

@@ -274,7 +274,7 @@ public function getMatchClause(string $searchTerm = ''): string
                 }
 
                 $where = sprintf(
-                    "%s%s LIKE '%%%s%%' ESCAPE '\\'",
+                    "%s%s LIKE '%%%s%%' ESCAPE '='",
                     $where,
                     $this->matchingColumns[$j],
                     self::escapeLikeWildcards($this->configuration->getDb()->escape($keys[$i])),
@@ -299,9 +299,16 @@ public function disableRelevance(): void
     /**
      * Escapes LIKE wildcard metacharacters (%, _) in a search term
      * to prevent LIKE wildcard injection.
+     *
+     * Uses '=' as the LIKE escape character (see the ESCAPE clauses in the
+     * driver queries). A backslash cannot be used here: in MySQL/MariaDB
+     * string literals a trailing backslash escapes the closing quote, which
+     * breaks the query, while SQLite rejects a doubled backslash as a
+     * multi-character ESCAPE. '=' is literal in every supported database and
+     * is not a LIKE metacharacter.
      */
     protected static function escapeLikeWildcards(string $term): string
     {
-        return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
+        return str_replace(['=', '%', '_'], ['==', '=%', '=_'], $term);
     }
 }

tests/phpMyFAQ/Search/SearchDatabaseTest.php

@@ -149,7 +149,7 @@ public function testGetMatchClause()
     {
         $this->searchDatabase->setMatchingColumns(['faqdata.author']);
         $this->assertEquals(
-            " (faqdata.author LIKE '%Thorsten%' ESCAPE '\\')",
+            " (faqdata.author LIKE '%Thorsten%' ESCAPE '=')",
             $this->searchDatabase->getMatchClause('Thorsten'),
         );
         $this->assertIsString($this->searchDatabase->getMatchClause('Thorsten'));
@@ -159,7 +159,7 @@ public function testGetMatchClauseWithTwoSearchTerms()
     {
         $this->searchDatabase->setMatchingColumns(['faqdata.author']);
         $this->assertEquals(
-            " (faqdata.author LIKE '%Thorsten%' ESCAPE '\\') OR (faqdata.author LIKE '%Rinne%' ESCAPE '\\')",
+            " (faqdata.author LIKE '%Thorsten%' ESCAPE '=') OR (faqdata.author LIKE '%Rinne%' ESCAPE '=')",
             $this->searchDatabase->getMatchClause('Thorsten Rinne'),
         );
         $this->assertIsString($this->searchDatabase->getMatchClause('Thorsten'));
@@ -169,7 +169,7 @@ public function testGetMatchClauseWithTwoColumns()
     {
         $this->searchDatabase->setMatchingColumns(['faqdata.author', 'faqdata.thema']);
         $this->assertEquals(
-            " (faqdata.author LIKE '%Thorsten%' ESCAPE '\\' OR faqdata.thema LIKE '%Thorsten%' ESCAPE '\\')",
+            " (faqdata.author LIKE '%Thorsten%' ESCAPE '=' OR faqdata.thema LIKE '%Thorsten%' ESCAPE '=')",
             $this->searchDatabase->getMatchClause('Thorsten'),
         );
         $this->assertIsString($this->searchDatabase->getMatchClause('Thorsten'));