Use PDO::quote() for string escaping

Author: JanJakes

wp-includes/sqlite-ast/class-wp-sqlite-driver.php

@@ -489,6 +489,20 @@ public function get_insert_id() {
 		return $last_insert_id;
 	}
 
+	/**
+	 * Quotes a string for use in a query.
+	 *
+	 * Places quotes around the input string (if required) and escapes special
+	 * characters within the input string. See "PDO::quote()".
+	 *
+	 * @param  string $value The string value to quote.
+	 * @param  int    $type  The type of the parameter. Default is PDO::PARAM_STR.
+	 * @return string        The quoted string.
+	 */
+	public function quote( string $value, int $type = PDO::PARAM_STR ): string {
+		return $this->pdo->quote( $value, $type );
+	}
+
 	/**
 	 * Translate and execute a MySQL query in SQLite.
 	 *

wp-includes/sqlite/class-wp-sqlite-db.php

@@ -119,7 +119,13 @@ public function _real_escape( $data ) {
 		if ( ! is_scalar( $data ) ) {
 			return '';
 		}
-		$escaped = addslashes( $data );
+		if ( $this->dbh instanceof WP_SQLite_Driver ) {
+			// WP_SQLite_Driver::quote() wraps the escaped string with quotes,
+			// while WPDB expects the string to be escaped without them.
+			$escaped = substr( $this->dbh->quote( $data ), 1, -1 );
+		} else {
+			$escaped = addslashes( $data );
+		}
 		return $this->add_placeholder_escape( $escaped );
 	}