Actions
Bug #2376
closedImproper LIKE escaping
Description
tab.groupjive.php line 32 AND line 95 (and all other LIKE statements):
$where[] = '( ' . $_CB_database->NameQuote( 'name' ) . ' LIKE ' . $_CB_database->Quote( '%' . $search . '%' ) . ' )';
is not escaped properly for e.g. %
This should be as of CB 1.4 API:
$where[] = '( ' . $_CB_database->NameQuote( 'name' ) . ' LIKE ' . $_CB_database->Quote( '%' . $_CB_database->getEscaped( $search, true ) . '%', false ) . ' )';
Actions