From 9fb8661eef778c89661396810567655c252b57e9 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Thu, 12 Jan 2017 13:05:36 -0800 Subject: missing protect_sprintf which is the source of issue #642 - if a mention search contains % it will result in an SQL vsprintf error --- Zotlabs/Module/Acl.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'Zotlabs/Module') diff --git a/Zotlabs/Module/Acl.php b/Zotlabs/Module/Acl.php index 29c1e5280..2b364d9ac 100644 --- a/Zotlabs/Module/Acl.php +++ b/Zotlabs/Module/Acl.php @@ -87,8 +87,8 @@ class Acl extends \Zotlabs\Web\Controller { $order_extra2 = "CASE WHEN xchan_name LIKE " . protect_sprintf( "'%" . dbesc($search) . "%'" ) - . " then POSITION('" . dbesc($search) - . "' IN xchan_name) else position('" . dbesc($search) . "' IN xchan_addr) end, "; + . " then POSITION('" . protect_sprintf(dbesc($search)) + . "' IN xchan_name) else position('" . protect_sprintf(dbesc($search)) . "' IN xchan_addr) end, "; $col = ((strpos($search,'@') !== false) ? 'xchan_addr' : 'xchan_name' ); $sql_extra3 = "AND $col like " . protect_sprintf( "'%" . dbesc($search) . "%'" ) . " "; -- cgit v1.2.3