#1956 - Escape LIKE queries (for _ and %).

In MySQL queries, _ and % characters are treated as wildcards (similar to ? and *, respectively).
- Added escape_for_like function to MY_Database.php
- Added unit test to Database_Test
- Corrected the five unescaped instances in the code using this function.

1 files changed, 1 insertions, 1 deletions

diff --git a/modules/g2_import/controllers/g2.php b/modules/g2_import/controllers/g2.php
index 5a76940e..0645266b 100644
--- a/modules/g2_import/controllers/g2.php
+++ b/modules/g2_import/controllers/g2.php
@@ -49,7 +49,7 @@ class G2_Controller extends Controller {
         if ($view == "core.DownloadItem") {
           $where[] = array("resource_type", "IN", array("file", "resize", "thumbnail", "full"));
         } else if ($view) {
-          $where[] = array("g2_url", "like", "%g2_view=$view%");
+          $where[] = array("g2_url", "LIKE", "%" . Database::escape_for_like("g2_view=$view") . "%");
         } // else: Assuming that the first search hit is sufficiently good.
       } else if ($path) {
         $where = array(array("g2_url", "IN", array($path, str_replace(" ", "+", $path))));