missing protect_sprintf which is the source of issue #642 - if a mention search contains % it will result in an SQL vsprintf error

2017-01-12 13:05:36 -08:00 · 2017-01-12 13:05:36 -08:00 · 9fb8661eef
commit 9fb8661eef
parent 91b81d6a2c
1 changed files with 2 additions and 2 deletions
--- a/Zotlabs/Module/Acl.php
+++ b/Zotlabs/Module/Acl.php
@ -87,8 +87,8 @@ class Acl extends \Zotlabs\Web\Controller {

 			$order_extra2 = "CASE WHEN xchan_name LIKE " 
 					. protect_sprintf( "'%" . dbesc($search) . "%'" ) 
-					. " then POSITION('" . dbesc($search) 
-					. "' IN xchan_name) else position('" . dbesc($search) . "' IN xchan_addr) end, ";
+					. " then POSITION('" . protect_sprintf(dbesc($search)) 
+					. "' IN xchan_name) else position('" . protect_sprintf(dbesc($search)) . "' IN xchan_addr) end, ";

 			$col = ((strpos($search,'@') !== false) ? 'xchan_addr' : 'xchan_name' );
 			$sql_extra3 = "AND $col like " . protect_sprintf( "'%" . dbesc($search) . "%'" ) . " ";