MyBB Community Forums
[Pushed] Find Users should use `escape_string_like()` - Printable Version

Thread: [Pushed] Find Users should use `escape_string_like()` (/thread-173688.html)



Find Users should use `escape_string_like()` - Nathan Malcolm - 2015-07-29

./admin/modules/user/users.php:3360

$userfield_sql .= ' AND '.$db->escape_string($column)." LIKE '%".$db->escape_string($input)."%'";

should be


$userfield_sql .= ' AND '.$db->escape_string($column)." LIKE '%".$db->escape_string_like($input)."%'";


Reference:

	/**
	 * Escape a string used within a like command.
	 *
	 * @param string The string to be escaped.
	 * @return string The escaped string.
	 */
	function escape_string_like($string)
	{
		return $this->escape_string(str_replace(array('%', '_') , array('\\%' , '\\_') , $string));
	}
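The two `$userfield_sql` lines above differ only in which escape function wraps the search term, and the difference is easy to see once the query is actually run. The following Python script is an added illustration, not MyBB's code: `escape_string` and `escape_string_like` are stand-ins for the DB-layer methods named in the report, the `users` table and its rows are constructed for this example, and SQLite is used in place of MySQL. Because SQLite gives backslash no special meaning in string literals or in LIKE, the stand-in adds an explicit `ESCAPE '\'` clause (MySQL treats backslash as the LIKE escape character by default, which is why the original function needs none). The column name is checked against an allow-list rather than passed through `escape_string`, since string escaping does not protect an identifier.

```python
import sqlite3

# Constructed sample data: a "users" table as searched by the admin "Find Users" form.
SAMPLE_USERS = ["alice", "a_b", "axb", "bob", "50%off", "500off", "ed_"]


def escape_string(value: str) -> str:
    """Stand-in for MyBB's escape_string: make the value safe inside a
    single-quoted SQL literal. SQLite doubles single quotes and gives
    backslash no meaning inside a string literal."""
    return value.replace("'", "''")


def escape_string_like(value: str) -> str:
    """Stand-in for MyBB's escape_string_like: neutralise the LIKE wildcards
    '%' and '_' (and the escape character itself) so they match literally,
    then apply the normal literal quoting. MySQL uses backslash as the LIKE
    escape by default; SQLite needs the ESCAPE clause added in build_userfield_sql."""
    value = value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return escape_string(value)


def build_userfield_sql(column: str, user_input: str, like_aware: bool) -> str:
    """Build the WHERE fragment from the report with either escaping function.
    The column is validated against an allow-list (assumed here) instead of
    being escaped, because identifiers are not protected by string escaping."""
    if column not in {"username", "email"}:
        raise ValueError(f"unexpected column: {column!r}")
    esc = escape_string_like if like_aware else escape_string
    clause = f"{column} LIKE '%{esc(user_input)}%'"
    if like_aware:
        # SQLite has no default LIKE escape character, so declare one.
        clause += " ESCAPE '\\'"
    return clause


def find_users(user_input: str, like_aware: bool) -> list[str]:
    """Run the search against an in-memory table and return matching usernames."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(u,) for u in SAMPLE_USERS])
    sql = "SELECT username FROM users WHERE " + build_userfield_sql(
        "username", user_input, like_aware
    )
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    for term in ("a_b", "50%off"):
        print(f"{term!r} with escape_string:      {find_users(term, False)}")
        print(f"{term!r} with escape_string_like: {find_users(term, True)}")
```

With `escape_string` alone, a search for `a_b` also returns `axb` and a search for `50%off` also returns `500off`, because `_` and `%` survive as wildcards inside the pattern; with `escape_string_like` each search returns only the exact substring the administrator typed. The quoting is correct in both cases, so this is a matching-correctness defect rather than an injection into the query structure, which is why the fix is a one-token change.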



RE: Find Users should use `escape_string_like()` - Euan T - 2015-07-29

Hi,

Thank you for your report. We have pushed this issue to our Github repository for further analysis where you can track our commits and progress with fixing this bug. Discussions regarding this bug may also take place there too.

Follow this link to visit the issue on Github: https://github.com/mybb/mybb/issues/2171

Thanks for contributing to MyBB!

Regards,
The MyBB Group