authorAaron Wood <aaronjwood@gmail.com>2016-07-20 08:20:45 -0400
committerLukas Reschke <lukas@statuscode.ch>2016-07-20 14:46:47 +0200
commit7c0de08cc44e0b04f23d6f3fa2d6030991935c54 (patch)
tree8a680779c0e7a661a8f1f3d2f998e8cbe543c3da /lib/private
parentb37e1ed17f54916e3321427d92afa3f74ebea1b3 (diff)
Escape special characters (#25429)
* Escape LIKE parameter * Escape LIKE parameter * Escape LIKE parameter * Escape LIKE parameter * Escape LIKE parameter * Use correct method in the AbstractMapping class * Change the getNamesBySearch method so that input can be properly escaped while still supporting matches * Don't escape hardcoded wildcard
Diffstat (limited to 'lib/private')
-rw-r--r--lib/private/Group/Database.php4
-rw-r--r--lib/private/Repair/RepairLegacyStorages.php2
2 files changed, 3 insertions, 3 deletions
diff --git a/lib/private/Group/Database.php b/lib/private/Group/Database.php
index 36d19f74cc6..64f249d4d25 100644
--- a/lib/private/Group/Database.php
+++ b/lib/private/Group/Database.php
@@ -285,7 +285,7 @@ class Database extends \OC\Group\Backend {
$parameters = [$gid];
$searchLike = '';
if ($search !== '') {
- $parameters[] = '%' . $search . '%';
+ $parameters[] = '%' . $this->dbConn->escapeLikeParameter($search) . '%';
$searchLike = ' AND `uid` LIKE ?';
}
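Review bot: The `LIKE ?` fragment assigned right after the escaped parameter carries no `ESCAPE` clause, so the escaping added here only works where the backend's default LIKE escape character matches what `escapeLikeParameter()` emits (its implementation is outside this diff; presumably a backslash). MySQL and PostgreSQL default to a backslash, but SQLite and Oracle define no default escape character, so unless the connection layer rewrites the statement, a `%` or `_` in `$search` may still not be matched literally on those backends. The same applies to the second hunk at line 311 and to the `WHERE` clause in RepairLegacyStorages.php. I would add a backend test that searches for a uid containing `_` and `%`, and record the assumption next to the query with `// relies on '\' being the LIKE escape character on every supported backend`. Both enclosing methods start and end outside the hunks.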
@@ -311,7 +311,7 @@ class Database extends \OC\Group\Backend {
$parameters = [$gid];
$searchLike = '';
if ($search !== '') {
- $parameters[] = '%' . $search . '%';
+ $parameters[] = '%' . $this->dbConn->escapeLikeParameter($search) . '%';
$searchLike = ' AND `uid` LIKE ?';
}
diff --git a/lib/private/Repair/RepairLegacyStorages.php b/lib/private/Repair/RepairLegacyStorages.php
index 8ef20cdf3c2..096300f51c2 100644
--- a/lib/private/Repair/RepairLegacyStorages.php
+++ b/lib/private/Repair/RepairLegacyStorages.php
@@ -172,7 +172,7 @@ class RepairLegacyStorages implements IRepairStep{
$sql = 'SELECT `id`, `numeric_id` FROM `*PREFIX*storages`'
. ' WHERE `id` LIKE ?'
. ' ORDER BY `id`';
- $result = $this->connection->executeQuery($sql, array($dataDirId . '%'));
+ $result = $this->connection->executeQuery($sql, array($this->connection->escapeLikeParameter($dataDirId) . '%'));
while ($row = $result->fetch()) {
$currentId = $row['id'];
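Review bot: The changed `executeQuery()` call does not say why a configured path needs escaping, and a one-line comment above it would help the next reader, e.g. `// '_' and '%' in the data directory id must match literally, not as LIKE wildcards`. The call is also long enough that building the pattern in a local first, `$pattern = $this->connection->escapeLikeParameter($dataDirId) . '%';`, would make the hardcoded trailing wildcard easier to tell apart from the escaped part. The loop that consumes `$result` continues outside the hunk.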