From 9fb8661eef778c89661396810567655c252b57e9 Mon Sep 17 00:00:00 2001
From: zotlabs <mike@macgirvin.com>
Date: Thu, 12 Jan 2017 13:05:36 -0800
Subject: missing protect_sprintf which is the source of issue #642 - if a
 mention search contains % it will result in an SQL vsprintf error

---
 Zotlabs/Module/Acl.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'Zotlabs/Module/Acl.php')

diff --git a/Zotlabs/Module/Acl.php b/Zotlabs/Module/Acl.php
index 29c1e5280..2b364d9ac 100644
--- a/Zotlabs/Module/Acl.php
+++ b/Zotlabs/Module/Acl.php
@@ -87,8 +87,8 @@ class Acl extends \Zotlabs\Web\Controller {
 
 			$order_extra2 = "CASE WHEN xchan_name LIKE " 
 					. protect_sprintf( "'%" . dbesc($search) . "%'" ) 
-					. " then POSITION('" . dbesc($search) 
-					. "' IN xchan_name) else position('" . dbesc($search) . "' IN xchan_addr) end, ";
+					. " then POSITION('" . protect_sprintf(dbesc($search)) 
+					. "' IN xchan_name) else position('" . protect_sprintf(dbesc($search)) . "' IN xchan_addr) end, ";
 
 			$col = ((strpos($search,'@') !== false) ? 'xchan_addr' : 'xchan_name' );
 			$sql_extra3 = "AND $col like " . protect_sprintf( "'%" . dbesc($search) . "%'" ) . " ";
-- 
cgit v1.2.3