Update SQL escaping

author: Alexey Shchepin <alexey@process-one.net> 2016-05-12 18:32:13 +0300
committer: Alexey Shchepin <alexey@process-one.net> 2016-05-13 17:56:48 +0300
commit: 792f47b4bd3c4f423fd25c31b5f8ae82ac59b28b (patch)
tree: aed1938b1868878cc3463ada565c8ad05b9c05e6 /src/nodetree_tree_sql.erl
parent: Fix C2S session data leak (#1078) (diff)
1 files changed, 4 insertions, 4 deletions
diff --git a/src/nodetree_tree_sql.erl b/src/nodetree_tree_sql.erl
index b56543395..17ae91b52 100644
--- a/src/nodetree_tree_sql.erl
+++ b/src/nodetree_tree_sql.erl
@@ -196,11 +196,11 @@ get_subnodes_tree(Host, Node, _From) ->
 
 get_subnodes_tree(Host, Node) ->
     H = node_flat_sql:encode_host(Host),
-    N = ejabberd_sql:escape(Node),
+    N = ejabberd_sql:escape(ejabberd_sql:escape_like_arg_circumflex(Node)),
     case catch
 	ejabberd_sql:sql_query_t([<<"select node, parent, type, nodeid from "
 		    "pubsub_node where host='">>,
-		H, <<"' and node like '">>, N, <<"%';">>])
+		H, <<"' and node like '">>, N, <<"%' escape '^';">>])
     of
 	{selected,
 		    [<<"node">>, <<"parent">>, <<"type">>, <<"nodeid">>], RItems} ->
@@ -256,10 +256,10 @@ create_node(Host, Node, Type, Owner, Options, Parents) ->
 
 delete_node(Host, Node) ->
     H = node_flat_sql:encode_host(Host),
-    N = ejabberd_sql:escape(Node),
+    N = ejabberd_sql:escape(ejabberd_sql:escape_like_arg_circumflex(Node)),
     Removed = get_subnodes_tree(Host, Node),
     catch ejabberd_sql:sql_query_t([<<"delete from pubsub_node where host='">>,
-	    H, <<"' and node like '">>, N, <<"%';">>]),
+	    H, <<"' and node like '">>, N, <<"%' escape '^';">>]),
     Removed.
 
 %% helpers
author	Alexey Shchepin <alexey@process-one.net>	2016-05-12 18:32:13 +0300
committer	Alexey Shchepin <alexey@process-one.net>	2016-05-13 17:56:48 +0300
commit	792f47b4bd3c4f423fd25c31b5f8ae82ac59b28b (patch)
tree	aed1938b1868878cc3463ada565c8ad05b9c05e6 /src/nodetree_tree_sql.erl
parent	Fix C2S session data leak (#1078) (diff)