rails · rafaelfranca · Mar 25, 2022 · Mar 25, 2022
diff --git a/activerecord/lib/active_record/sanitization.rb b/activerecord/lib/active_record/sanitization.rb
@@ -107,8 +107,11 @@ def sanitize_sql_hash_for_assignment(attrs, table)
       #   sanitize_sql_like("snake_cased_string", "!")
       #   # => "snake!_cased!_string"
       def sanitize_sql_like(string, escape_character = "\\")
-        pattern = Regexp.union(escape_character, "%", "_")
-        string.gsub(pattern) { |x| [escape_character, x].join }
+        if string.include?(escape_character) && escape_character != "%" && escape_character != "_"
+          string = string.gsub(escape_character, '\0\0')
+        end
+
+        string.gsub(/(?=[%_])/, escape_character)
       end
 
       # Accepts an array of conditions. The array has each value

diff --git a/activerecord/test/cases/sanitize_test.rb b/activerecord/test/cases/sanitize_test.rb
@@ -75,6 +75,11 @@ def test_sanitize_sql_like_with_custom_escape_character
     assert_equal "normal string 42", Binary.sanitize_sql_like("normal string 42", "!")
   end
 
+  def test_sanitize_sql_like_with_wildcard_as_escape_character
+    assert_equal "1__000_%", Binary.sanitize_sql_like("1_000%", "_")
+    assert_equal "1%_000%%", Binary.sanitize_sql_like("1_000%", "%")
+  end
+
   def test_sanitize_sql_like_example_use_case
     searchable_post = Class.new(Post) do
       def self.search_as_method(term)