diff options
| author | Aaron Wood <aaronjwood@gmail.com> | 2016-07-20 08:20:45 -0400 |
|---|---|---|
| committer | Lukas Reschke <lukas@statuscode.ch> | 2016-07-20 14:46:47 +0200 |
| commit | 7c0de08cc44e0b04f23d6f3fa2d6030991935c54 (patch) | |
| tree | 8a680779c0e7a661a8f1f3d2f998e8cbe543c3da /lib/private/Group/Database.php | |
| parent | b37e1ed17f54916e3321427d92afa3f74ebea1b3 (diff) | |
| download | nextcloud-server-7c0de08cc44e0b04f23d6f3fa2d6030991935c54.tar.gz nextcloud-server-7c0de08cc44e0b04f23d6f3fa2d6030991935c54.zip | |
Escape special characters (#25429)
* Escape LIKE parameter
* Escape LIKE parameter
* Escape LIKE parameter
* Escape LIKE parameter
* Escape LIKE parameter
* Use correct method in the AbstractMapping class
* Change the getNamesBySearch method so that input can be properly escaped while still supporting matches
* Don't escape hardcoded wildcard
Diffstat (limited to 'lib/private/Group/Database.php')
| -rw-r--r-- | lib/private/Group/Database.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/private/Group/Database.php b/lib/private/Group/Database.php index 36d19f74cc6..64f249d4d25 100644 --- a/lib/private/Group/Database.php +++ b/lib/private/Group/Database.php @@ -285,7 +285,7 @@ class Database extends \OC\Group\Backend { $parameters = [$gid]; $searchLike = ''; if ($search !== '') { - $parameters[] = '%' . $search . '%'; + $parameters[] = '%' . $this->dbConn->escapeLikeParameter($search) . '%'; $searchLike = ' AND `uid` LIKE ?'; } @@ -311,7 +311,7 @@ class Database extends \OC\Group\Backend { $parameters = [$gid]; $searchLike = ''; if ($search !== '') { - $parameters[] = '%' . $search . '%'; + $parameters[] = '%' . $this->dbConn->escapeLikeParameter($search) . '%'; $searchLike = ' AND `uid` LIKE ?'; } |