Bug #2376
Improper LIKE escaping
| Status: | Closed | Start date: | 03/08/2011 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | beat | % Done: | 100% |
| Category: | - | Target version: | 2.0 |
Description
tab.groupjive.php line 32 AND line 95 (and all other LIKE statements):

```php
$where[] = '( ' . $_CB_database->NameQuote( 'name' ) . ' LIKE ' . $_CB_database->Quote( '%' . $search . '%' ) . ' )';
```

is not escaped properly for e.g. `%`.

This should be as of CB 1.4 API:

```php
$where[] = '( ' . $_CB_database->NameQuote( 'name' ) . ' LIKE ' . $_CB_database->Quote( '%' . $_CB_database->getEscaped( $search, true ) . '%', false ) . ' )';
```
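The effect of the missing escaping, as an added example that is not part of the bug report or of the Community Builder code: likeEscape(), likeToRegex(), likeMatches() and searchHits() are hypothetical helpers, the sample names are constructed, and the MySQL LIKE pattern is evaluated in PHP with a backslash as escape character, which is MySQL's default.

```php
<?php
// Added example, not Community Builder code. Hypothetical helpers:
// likeEscape(), likeToRegex(), likeMatches(), searchHits().

// Escape the LIKE wildcards % and _ and the escape character itself, so
// characters typed by the user match literally. MySQL's default LIKE
// escape character is a backslash. String-literal quoting (what
// Quote()/real_escape_string does) is a separate step applied afterwards.
function likeEscape(string $term): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
}

// Translate a MySQL LIKE pattern into a PCRE regex so the effect of
// (not) escaping can be observed without a database.
function likeToRegex(string $pattern): string
{
    $re  = '';
    $len = strlen($pattern);
    for ($i = 0; $i < $len; $i++) {
        $c = $pattern[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $re .= preg_quote($pattern[++$i], '/'); // escaped: literal char
        } elseif ($c === '%') {
            $re .= '.*';                            // any run of characters
        } elseif ($c === '_') {
            $re .= '.';                             // any single character
        } else {
            $re .= preg_quote($c, '/');
        }
    }
    return '/\A' . $re . '\z/s';
}

function likeMatches(string $pattern, string $value): bool
{
    return preg_match(likeToRegex($pattern), $value) === 1;
}

// Names from the sample list that the pattern would match.
function searchHits(string $pattern, array $names): array
{
    return array_values(array_filter($names, fn($n) => likeMatches($pattern, $n)));
}

// Constructed sample data: the user searches for "50%" (a literal percent sign).
$names  = ['50% off club', '500 riders', 'sports club'];
$search = '50%';

$unsafe = '%' . $search . '%';              // pattern the buggy line produces
$safe   = '%' . likeEscape($search) . '%';  // pattern after the suggested fix

echo "$unsafe => ", implode(', ', searchHits($unsafe, $names)), PHP_EOL;
echo "$safe => ", implode(', ', searchHits($safe, $names)), PHP_EOL;
```

The unescaped pattern also returns "500 riders", because the user's `%` became a wildcard; the escaped pattern returns only the row that actually contains "50%".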
History
#1 Updated by beat about 2 years ago
line 157 and 227 and others too
#2 Updated by krileon about 2 years ago
- Status changed from New to Resolved
- Assignee changed from krileon to beat
- % Done changed from 0 to 100
Fixed with r1603
#3 Updated by krileon about 2 years ago
- Status changed from Resolved to Closed