From da2ebb667b7a332ddd8d905bf9b9a8694765fed6 Mon Sep 17 00:00:00 2001
From: Lukas Fleischer <archlinux@cryptocrack.de>
Date: Fri, 28 Jan 2011 16:33:02 +0100
Subject: aurjson: Escape wildcards in "LIKE" patterns (fixes FS#18626).

Percent signs ("%") and underscores ("_") are not escaped by
mysql_real_escape_string() and are interpreted as wildcards if combined
with "LIKE", so we need to deal with them separately.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
---
 web/lib/aurjson.class.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php
index 0868cb2d..d545ee0a 100644
--- a/web/lib/aurjson.class.php
+++ b/web/lib/aurjson.class.php
@@ -107,6 +107,7 @@ class AurJSON {
         }
 
         $keyword_string = mysql_real_escape_string($keyword_string, $this->dbh);
+        $keyword_string = addcslashes($keyword_string, '%_');
 
         $query = "SELECT " . implode(',', $this->fields) .
             " FROM Packages WHERE DummyPkg=0 AND " .
-- 
cgit v1.2.3-24-g4f1b