Are these {xxx...} placeholders for % in a LIKE statement normal? If so, when do they get converted back to %'s?
SHELL
wp> global $wpdb;
wp> $q = "%s";
=> string(2) "%s"
wp> $pq = $wpdb->prepare($q, '%hi%');
=> string(136) "'{6e039dc0b074a5ff6828a070d0c24708d132341f32dff55a053f1410beabaacd}hi{6e039dc0b074a5ff6828a070d0c24708d132341f32dff55a053f1410beabaacd}'"
Answers:
Method 1
Yes, they’re normal. They were added in 4.8.3 to fix an SQL injection vulnerability.
You can read an article describing the technical reasons for this happening here and the ticket for the change here.
The placeholder characters are replaced by the random characters on the last line of $wpdb->prepare() with the $wpdb->add_placeholder_escape() function, which calls $wpdb->placeholder_escape() internally.
These placeholders are removed in $wpdb->query() by the $wpdb->remove_placeholder_escape() function which is added as a filter to the query hook.
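A stand-alone PHP model of the round trip described in this answer, added here as an example (it is not part of the original answer and is not WordPress's source). The class name `PlaceholderModel`, the simplified `prepare()`/`query()`, the token generation and the `wp_posts` query are assumptions; only the three `*_placeholder_escape` method names come from the page.

```php
<?php
// Simplified model, not WordPress code. PlaceholderModel is a hypothetical name.
final class PlaceholderModel {
    private ?string $token = null;

    // One random token per request, shaped like the page's: '{' + 64 hex chars + '}'.
    public function placeholder_escape(): string {
        if ($this->token === null) {
            $this->token = '{' . hash('sha256', random_bytes(32)) . '}';
        }
        return $this->token;
    }

    public function add_placeholder_escape(string $sql): string {
        return str_replace('%', $this->placeholder_escape(), $sql);
    }

    public function remove_placeholder_escape(string $sql): string {
        return str_replace($this->placeholder_escape(), '%', $sql);
    }

    // Handles only %s; addslashes() stands in for the real database escaping.
    public function prepare(string $query, string ...$args): string {
        $query = str_replace('%s', "'%s'", $query);
        $sql   = vsprintf($query, array_map('addslashes', $args));
        // Last step: every literal % left in the result becomes the token.
        return $this->add_placeholder_escape($sql);
    }

    // Returns the SQL that would reach the database (the model executes nothing).
    public function query(string $sql): string {
        return $this->remove_placeholder_escape($sql);
    }
}

$db = new PlaceholderModel();
// Constructed sample query and value.
$pq = $db->prepare('SELECT * FROM wp_posts WHERE post_title LIKE %s', '%hi%');

// The prepared string carries the token instead of %, so it is not
// meant to be logged or compared as-is.
if (strpos($pq, '%') !== false) { throw new RuntimeException('literal % left'); }
echo "prepared: $pq\n";

// The token is swapped back only at query time; this is the form to log or test.
$sent = $db->query($pq);
if ($sent !== "SELECT * FROM wp_posts WHERE post_title LIKE '%hi%'") {
    throw new RuntimeException('round trip failed');
}
echo "sent:     $sent\n";
```

In WordPress itself, passing a prepared string to `$wpdb->remove_placeholder_escape()` gives the same readable form for logging or test assertions.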
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.