From 48bd19808c38a8de20cfece1adc1ffe226da3783 Mon Sep 17 00:00:00 2001
From: shadlaws <shad@shadlaws.com>
Date: Fri, 25 Jan 2013 08:47:29 +0100
Subject: #1956 - Escape LIKE queries (for _ and %). In MySQL queries, _ and %
 characters are treated as wildcards (similar to ? and *, respectively). -
 Added escape_for_like function to MY_Database.php - Added unit test to
 Database_Test - Corrected the five unescaped instances in the code using this
 function.

---
 modules/gallery/libraries/drivers/Cache/Database.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'modules/gallery/libraries/drivers/Cache/Database.php')

diff --git a/modules/gallery/libraries/drivers/Cache/Database.php b/modules/gallery/libraries/drivers/Cache/Database.php
index a7aae92c..8790d0e1 100644
--- a/modules/gallery/libraries/drivers/Cache/Database.php
+++ b/modules/gallery/libraries/drivers/Cache/Database.php
@@ -69,7 +69,7 @@ class Cache_Database_Driver extends Cache_Driver {
       ->select()
       ->from("caches");
     foreach ($tags as $tag) {
-      $db->where("tags", "LIKE", "%<$tag>%");
+      $db->where("tags", "LIKE", "%" . Database::escape_for_like("<$tag>") . "%");
     }
     $db_result = $db->execute();
 
@@ -139,7 +139,7 @@ class Cache_Database_Driver extends Cache_Driver {
       // Delete all caches
     } else if ($is_tag === true) {
       foreach ($keys as $tag) {
-        $db->where("tags", "LIKE", "%<$tag>%");
+        $db->where("tags", "LIKE", "%" . Database::escape_for_like("<$tag>") . "%");
       }
     } else {
       $db->where("key", "IN", $keys);
-- 
cgit v1.2.3