2021-03-10, 05:01 AM
As reported by Cloud on Discord.
The problem is line #225 of memberlist.php, which uses the variable $username_like_query, which has been escaped for a LIKE condition, whereas we need it to be escaped as an ordinary string.
A fix is to change that line from:
$search_query .= " AND u.username='{$username_like_query}'";
to:
$username_esc = $db->escape_string($search_username);
$search_query .= " AND u.username='{$username_esc}'";
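The difference between the two escapings, as an added example that is not part of the original post or of MyBB's code: it models what value the database ends up comparing with `=` when a LIKE-escaped string is placed in a string literal. The three helper functions and the sample usernames are assumptions made for illustration; the helpers are simplified stand-ins for ordinary string escaping, LIKE escaping, and MySQL's decoding of a string literal.

```php
<?php
// Added illustration; the helpers below are simplified stand-ins, not MyBB code.

// Stand-in for ordinary string escaping (assumption: backslash-escapes \ and ').
function escape_string_model(string $s): string {
    return str_replace(['\\', "'"], ['\\\\', "\\'"], $s);
}

// Stand-in for LIKE escaping (assumption): neutralise \, % and _ first,
// then apply ordinary string escaping.
function escape_like_model(string $s): string {
    return escape_string_model(
        str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $s)
    );
}

// Decode the body of a MySQL string literal as the server does outside
// pattern matching: \\ -> \ and \' -> ', while \% and \_ stay as two
// characters. Control escapes such as \n are omitted from this model.
function mysql_literal_value(string $body): string {
    $out = '';
    for ($i = 0, $n = strlen($body); $i < $n; $i++) {
        if ($body[$i] === '\\' && $i + 1 < $n) {
            $next = $body[++$i];
            $out .= ($next === '%' || $next === '_') ? '\\' . $next : $next;
        } else {
            $out .= $body[$i];
        }
    }
    return $out;
}

// Constructed sample usernames.
foreach (['alice', 'john_doe', '100%real'] as $stored) {
    $like  = mysql_literal_value(escape_like_model($stored));
    $plain = mysql_literal_value(escape_string_model($stored));
    printf(
        "%-9s | LIKE-escaped compares as %-11s equal=%-5s | string-escaped compares as %-9s equal=%s\n",
        $stored,
        $like, var_export($like === $stored, true),
        $plain, var_export($plain === $stored, true)
    );
}
```

In this model the backslash added for LIKE survives into the compared value, so an `=` comparison only matches usernames that contain none of `\`, `%` or `_`.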