From 48bd19808c38a8de20cfece1adc1ffe226da3783 Mon Sep 17 00:00:00 2001
From: shadlaws <shad@shadlaws.com>
Date: Fri, 25 Jan 2013 08:47:29 +0100
Subject: #1956 - Escape LIKE queries (for _ and %). In MySQL queries, _ and %
 characters are treated as wildcards (similar to ? and *, respectively). -
 Added escape_for_like function to MY_Database.php - Added unit test to
 Database_Test - Corrected the five unescaped instances in the code using this
 function.

---
 modules/g2_import/controllers/g2.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'modules/g2_import')

diff --git a/modules/g2_import/controllers/g2.php b/modules/g2_import/controllers/g2.php
index 5a76940e..0645266b 100644
--- a/modules/g2_import/controllers/g2.php
+++ b/modules/g2_import/controllers/g2.php
@@ -49,7 +49,7 @@ class G2_Controller extends Controller {
         if ($view == "core.DownloadItem") {
           $where[] = array("resource_type", "IN", array("file", "resize", "thumbnail", "full"));
         } else if ($view) {
-          $where[] = array("g2_url", "like", "%g2_view=$view%");
+          $where[] = array("g2_url", "LIKE", "%" . Database::escape_for_like("g2_view=$view") . "%");
         } // else: Assuming that the first search hit is sufficiently good.
       } else if ($path) {
         $where = array(array("g2_url", "IN", array($path, str_replace(" ", "+", $path))));
-- 
cgit v1.2.3