From 48bd19808c38a8de20cfece1adc1ffe226da3783 Mon Sep 17 00:00:00 2001
From: shadlaws <shad@shadlaws.com>
Date: Fri, 25 Jan 2013 08:47:29 +0100
Subject: #1956 - Escape LIKE queries (for _ and %). In MySQL queries, _ and %
 characters are treated as wildcards (similar to ? and *, respectively). -
 Added escape_for_like function to MY_Database.php - Added unit test to
 Database_Test - Corrected the five unescaped instances in the code using this
 function.

---
 modules/gallery/helpers/item_rest.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'modules/gallery/helpers')

diff --git a/modules/gallery/helpers/item_rest.php b/modules/gallery/helpers/item_rest.php
index 10799567..efeba2ef 100644
--- a/modules/gallery/helpers/item_rest.php
+++ b/modules/gallery/helpers/item_rest.php
@@ -64,7 +64,7 @@ class item_rest_Core {
     }
 
     if (isset($p->name)) {
-      $orm->where("name", "LIKE", "%{$p->name}%");
+      $orm->where("name", "LIKE", "%" . Database::escape_for_like($p->name) . "%");
     }
 
     if (isset($p->type)) {
-- 
cgit v1.2.3