| author | Alexey Shchepin <alexey@process-one.net> | 2016-05-12 18:32:13 +0300 |
|---|---|---|
| committer | Alexey Shchepin <alexey@process-one.net> | 2016-05-13 17:56:48 +0300 |
| commit | 792f47b4bd3c4f423fd25c31b5f8ae82ac59b28b (patch) | |
| tree | aed1938b1868878cc3463ada565c8ad05b9c05e6 /src/mod_vcard_sql.erl | |
| parent | Fix C2S session data leak (#1078) (diff) | |
Update SQL escaping
Diffstat (limited to 'src/mod_vcard_sql.erl')
| -rw-r--r-- | src/mod_vcard_sql.erl | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/mod_vcard_sql.erl b/src/mod_vcard_sql.erl
index 6b8e90333..b8234bf9c 100644
--- a/src/mod_vcard_sql.erl
+++ b/src/mod_vcard_sql.erl
@@ -227,9 +227,11 @@ make_val(Match, Field, Val) ->
 Condition = case str:suffix(<<"*">>, Val) of
 true ->
 Val1 = str:substr(Val, 1, byte_size(Val) - 1),
- SVal = <<(ejabberd_sql:escape_like(Val1))/binary,
+ SVal = <<(ejabberd_sql:escape(
+ ejabberd_sql:escape_like_arg_circumflex(
+ Val1)))/binary,
 "%">>,
- [Field, <<" LIKE '">>, SVal, <<"'">>];
+ [Field, <<" LIKE '">>, SVal, <<"' ESCAPE '^'">>];
 _ ->
 SVal = ejabberd_sql:escape(Val),
 [Field, <<" = '">>, SVal, <<"'">>] |
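Review bot: The reason for the `ESCAPE '^'` clause on the new `LIKE` line is not recorded anywhere in the hunk, and the nested escaping on the `SVal` lines (escape_like_arg_circumflex inside ejabberd_sql:escape) is easy to misread as redundant. A comment above the `true ->` branch such as `%% Prefix search: escape LIKE metacharacters in the user-supplied value with '^' first, then apply the normal string escaping; ESCAPE '^' makes the escape character explicit instead of relying on a backend default.` would make the order of the two calls and the clause self-explanatory. Separately, when Val is exactly `<<"*">>` the prefix is empty and the condition becomes `LIKE '%' ESCAPE '^'`, which matches every row; that behaviour predates this commit, so it is only worth a guard if the callers do not already cap the result set. The `_ ->` branch keeps plain `ejabberd_sql:escape/1`, which is correct because `=` has no pattern metacharacters. make_val's body continues past the end of the hunk.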
