From ddd13d987a5015a610bc4cbda53b9e9261773b93 Mon Sep 17 00:00:00 2001
From: Peter van Dijk
Date: Fri, 14 Feb 2020 17:47:47 +0100
Subject: [PATCH] auth gsqlite3: handle escaping correctly for API search. Fixes #8791
---
 modules/gsqlite3backend/gsqlite3backend.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/gsqlite3backend/gsqlite3backend.cc b/modules/gsqlite3backend/gsqlite3backend.cc
index 92a2ec21e2..7a66238c7f 100644
--- a/modules/gsqlite3backend/gsqlite3backend.cc
+++ b/modules/gsqlite3backend/gsqlite3backend.cc
@@ -153,8 +153,8 @@ public:
 declare(suffix, "insert-comment-query", "", "INSERT INTO comments (domain_id, name, type, modified_at, account, comment) VALUES (:domain_id, :qname, :qtype, :modified_at, :account, :content)");
 declare(suffix, "delete-comment-rrset-query", "", "DELETE FROM comments WHERE domain_id=:domain_id AND name=:qname AND type=:qtype");
 declare(suffix, "delete-comments-query", "", "DELETE FROM comments WHERE domain_id=:domain_id");
- declare(suffix, "search-records-query", "", record_query+" name LIKE :value OR content LIKE :value2 LIMIT :limit");
- declare(suffix, "search-comments-query", "", "SELECT domain_id,name,type,modified_at,account,comment FROM comments WHERE name LIKE :value OR comment LIKE :value2 LIMIT :limit");
+ declare(suffix, "search-records-query", "", record_query+" name LIKE :value ESCAPE '\\' OR content LIKE :value2 ESCAPE '\\' LIMIT :limit");
+ declare(suffix, "search-comments-query", "", "SELECT domain_id,name,type,modified_at,account,comment FROM comments WHERE name LIKE :value ESCAPE '\\' OR comment LIKE :value2 ESCAPE '\\' LIMIT :limit");
 }
 //! Constructs a new gSQLite3Backend object.
--
2.47.2
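Review bot: The new `ESCAPE '\\'` clauses on the `search-records-query` and `search-comments-query` lines change only the built-in default text passed to `declare(...)`, so an installation that has configured its own text for either query would presumably keep a `LIKE` with no escape character and go on mis-matching API search terms that contain a literal `%` or `_`; the upgrade notes should tell operators to add the clause to overridden queries. A comment above the pair would record why it is needed, e.g. `// SQLite LIKE has no default escape character; the search term has literal % and _ backslash-escaped`, where the second half is inferred from the commit subject and should be checked against the code that builds `:value`, which is outside this hunk. The diffstat lists one changed file, so a regression test that searches for a name containing a literal `_` is still missing. The enclosing function begins before the hunk.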