From 48bd19808c38a8de20cfece1adc1ffe226da3783 Mon Sep 17 00:00:00 2001
From: shadlaws <shad@shadlaws.com>
Date: Fri, 25 Jan 2013 08:47:29 +0100
Subject: #1956 - Escape LIKE queries (for _ and %). In MySQL queries, _ and %
 characters are treated as wildcards (similar to ? and *, respectively). -
 Added escape_for_like function to MY_Database.php - Added unit test to
 Database_Test - Corrected the five unescaped instances in the code using this
 function.

---
 modules/tag/controllers/tags.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'modules/tag/controllers')

diff --git a/modules/tag/controllers/tags.php b/modules/tag/controllers/tags.php
index 77ad7f50..77d45a95 100644
--- a/modules/tag/controllers/tags.php
+++ b/modules/tag/controllers/tags.php
@@ -52,7 +52,7 @@ class Tags_Controller extends Controller {
     $limit = Input::instance()->get("limit");
     $tag_part = ltrim(end($tag_parts));
     $tag_list = ORM::factory("tag")
-      ->where("name", "LIKE", "{$tag_part}%")
+      ->where("name", "LIKE", Database::escape_for_like($tag_part) . "%")
       ->order_by("name", "ASC")
       ->limit($limit)
       ->find_all();
-- 
cgit v1.2.3