author | Lukas Reschke <lukas@owncloud.com> | 2016-07-03 16:54:41 +0200 |
---|---|---|
committer | Lukas Reschke <lukas@owncloud.com> | 2016-07-03 16:54:41 +0200 |
commit | dc5fea504b195cf1e36f9a129d1f77ce7c91de13 (patch) | |
tree | 57e7e988ac66ccdf7223f6d8408edaa06e9b735c | |
parent | 5b4cea4b366e9420a70cad4b817c1594da2ad0fe (diff) | |
[master] Use paramterized parameter for \OC\SystemTag\SystemTagManager
$nameSearchPattern was passed in and directly appended to the SQL query. Luckily the code path isn't reached anywhere in Nextcloud or the included apps.
-rw-r--r-- | lib/private/SystemTag/SystemTagManager.php | 5 |
1 files changed, 1 insertions, 4 deletions
diff --git a/lib/private/SystemTag/SystemTagManager.php b/lib/private/SystemTag/SystemTagManager.php
index 2b0ef03e471..3e32582025f 100644
--- a/lib/private/SystemTag/SystemTagManager.php
+++ b/lib/private/SystemTag/SystemTagManager.php
@@ -140,10 +140,7 @@ class SystemTagManager implements ISystemTagManager {
 if (!empty($nameSearchPattern)) {
 $query->andWhere(
- $query->expr()->like(
- 'name',
- $query->expr()->literal('%' . $this->connection->escapeLikeParameter($nameSearchPattern). '%')
- )
+ $query->expr()->like('name', $query->createNamedParameter('%' . $this->connection->escapeLikeParameter($nameSearchPattern) . '%'))
 );
 } |
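Review bot: The guard `if (!empty($nameSearchPattern))` on the first context line treats the string `'0'` as empty, so a search for a tag named "0" skips the filter and the query is not narrowed by name at all; `if ($nameSearchPattern !== null && $nameSearchPattern !== '')` keeps the skip for an unset or empty pattern without that gap. The bound value is still `'%' . escapeLikeParameter(...) . '%'`, so binding fixes the quoting while wildcard handling stays with `escapeLikeParameter`. That only works if each database backend honours the same escape character in LIKE, which is not visible here and should be confirmed. Because the description says no caller reaches this path and the diffstat shows no test file, a unit test passing a pattern that contains a quote, `%` and `_` would pin both behaviours. The enclosing method starts and ends outside the hunk.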