authorAlexey Shchepin <alexey@process-one.net>2016-05-12 18:32:13 +0300
committerAlexey Shchepin <alexey@process-one.net>2016-05-13 17:56:48 +0300
commit792f47b4bd3c4f423fd25c31b5f8ae82ac59b28b (patch)
treeaed1938b1868878cc3463ada565c8ad05b9c05e6 /src/sql_queries.erl
parentFix C2S session data leak (#1078) (diff)
Update SQL escaping
Diffstat (limited to 'src/sql_queries.erl')
-rw-r--r--src/sql_queries.erl8
1 files changed, 4 insertions, 4 deletions
diff --git a/src/sql_queries.erl b/src/sql_queries.erl
index e1374a817..121117574 100644
--- a/src/sql_queries.erl
+++ b/src/sql_queries.erl
@@ -231,12 +231,12 @@ list_users(LServer,
[{prefix, Prefix}, {limit, Limit}, {offset, Offset}])
when is_binary(Prefix) and is_integer(Limit) and
is_integer(Offset) ->
- SPrefix = ejabberd_sql:escape_like_arg(Prefix),
+ SPrefix = ejabberd_sql:escape_like_arg_circumflex(Prefix),
SPrefix2 = <<SPrefix/binary, $%>>,
ejabberd_sql:sql_query(
LServer,
?SQL("select @(username)s from users "
- "where username like %(SPrefix2)s "
+ "where username like %(SPrefix2)s escape '^' "
"order by username "
"limit %(Limit)d offset %(Offset)d")).
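Review bot: The escape character is now stated in two places that must agree, `escape_like_arg_circumflex` on the Erlang side and the literal `escape '^'` in the query text, and nothing in list_users records that link; the same pairing recurs in the users_number hunk below. If either half is later changed alone, `%` and `_` in a caller-supplied Prefix would presumably be matched as wildcards again rather than literally, so a short comment above the binding would help, e.g. `%% '^' must match the ESCAPE clause in the LIKE below`. The helper's definition is not in this diff (the page is limited to src/sql_queries.erl), so it is worth confirming that it also escapes a literal `^` in Prefix, not only `%` and `_`. The start of list_users lies outside the hunk.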
@@ -264,12 +264,12 @@ users_number(LServer) ->
users_number(LServer, [{prefix, Prefix}])
when is_binary(Prefix) ->
- SPrefix = ejabberd_sql:escape_like_arg(Prefix),
+ SPrefix = ejabberd_sql:escape_like_arg_circumflex(Prefix),
SPrefix2 = <<SPrefix/binary, $%>>,
ejabberd_sql:sql_query(
LServer,
?SQL("select @(count(*))d from users "
- "where username like %(SPrefix2)s"));
+ "where username like %(SPrefix2)s escape '^'"));
users_number(LServer, []) ->
users_number(LServer).