diff options
| author | zotlabs <mike@macgirvin.com> | 2017-01-12 13:05:36 -0800 |
|---|---|---|
| committer | zotlabs <mike@macgirvin.com> | 2017-01-12 13:05:36 -0800 |
| commit | 9fb8661eef778c89661396810567655c252b57e9 (patch) | |
| tree | 6d0a2c5c86d96cf7ee366fcdb563133aae17cf33 /Zotlabs/Module/Acl.php | |
| parent | 91b81d6a2c25bc6c2c3cc84db78d6e5fc9d6022a (diff) | |
| download | volse-hubzilla-9fb8661eef778c89661396810567655c252b57e9.tar.gz volse-hubzilla-9fb8661eef778c89661396810567655c252b57e9.tar.bz2 volse-hubzilla-9fb8661eef778c89661396810567655c252b57e9.zip | |
missing protect_sprintf which is the source of issue #642 - if a mention search contains % it will result in an SQL vsprintf error
Diffstat (limited to 'Zotlabs/Module/Acl.php')
| -rw-r--r-- | Zotlabs/Module/Acl.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/Zotlabs/Module/Acl.php b/Zotlabs/Module/Acl.php index 29c1e5280..2b364d9ac 100644 --- a/Zotlabs/Module/Acl.php +++ b/Zotlabs/Module/Acl.php @@ -87,8 +87,8 @@ class Acl extends \Zotlabs\Web\Controller { $order_extra2 = "CASE WHEN xchan_name LIKE " . protect_sprintf( "'%" . dbesc($search) . "%'" ) - . " then POSITION('" . dbesc($search) - . "' IN xchan_name) else position('" . dbesc($search) . "' IN xchan_addr) end, "; + . " then POSITION('" . protect_sprintf(dbesc($search)) + . "' IN xchan_name) else position('" . protect_sprintf(dbesc($search)) . "' IN xchan_addr) end, "; $col = ((strpos($search,'@') !== false) ? 'xchan_addr' : 'xchan_name' ); $sql_extra3 = "AND $col like " . protect_sprintf( "'%" . dbesc($search) . "%'" ) . " "; |