From f678906347ac9abdc6473d24c72486d460ffe040 Mon Sep 17 00:00:00 2001
From: Hubert Borderiou
Date: Wed, 2 Oct 2013 10:37:25 +0200
Subject: [PATCH] Escape sql wildcards % and _ in admin > user_list > advanced search - ref #6735
---
 main/admin/user_list.php | 10 +++++-----
 main/inc/lib/database.lib.php | 11 +++++++++++
 2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/main/admin/user_list.php b/main/admin/user_list.php
index 9da1cf55d9..3bdd396c6a 100644
--- a/main/admin/user_list.php
+++ b/main/admin/user_list.php
@@ -400,11 +400,11 @@ function get_user_data($from, $number_of_items, $column, $direction) {
 $keyword = Database::escape_string(trim($_GET['keyword']));
 $sql .= " WHERE (u.firstname LIKE '%".$keyword."%' OR u.lastname LIKE '%".$keyword."%' OR concat(u.firstname,' ',u.lastname) LIKE '%".$keyword."%' OR concat(u.lastname,' ',u.firstname) LIKE '%".$keyword."%' OR u.username LIKE '%".$keyword."%' OR u.official_code LIKE '%".$keyword."%' OR u.email LIKE '%".$keyword."%' )";
 } elseif (isset ($_GET['keyword_firstname'])) {
- $keyword_firstname = Database::escape_string($_GET['keyword_firstname']);
- $keyword_lastname = Database::escape_string($_GET['keyword_lastname']);
- $keyword_email = Database::escape_string($_GET['keyword_email']);
- $keyword_officialcode = Database::escape_string($_GET['keyword_officialcode']);
- $keyword_username = Database::escape_string($_GET['keyword_username']);
+ $keyword_firstname = Database::escape_sql_wildcards(Database::escape_string($_GET['keyword_firstname']));
+ $keyword_lastname = Database::escape_sql_wildcards(Database::escape_string($_GET['keyword_lastname']));
+ $keyword_email = Database::escape_sql_wildcards(Database::escape_string($_GET['keyword_email']));
+ $keyword_officialcode = Database::escape_sql_wildcards(Database::escape_string($_GET['keyword_officialcode']));
+ $keyword_username = Database::escape_sql_wildcards(Database::escape_string($_GET['keyword_username']));
 $keyword_status = Database::escape_string($_GET['keyword_status']);
 $query_admin_table = '';
diff --git a/main/inc/lib/database.lib.php b/main/inc/lib/database.lib.php
index 521565eccc..f1595d1e8c 100644
--- a/main/inc/lib/database.lib.php
+++ b/main/inc/lib/database.lib.php
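Review bot: The simple-keyword branch at the top of the hunk still builds its LIKE patterns from `$keyword = Database::escape_string(trim($_GET['keyword']));` alone, so a `%` or `_` typed into the quick search keeps acting as a wildcard while the advanced-search fields no longer do; if that asymmetry is not intended, the same wrapping applies there: `$keyword = Database::escape_sql_wildcards(Database::escape_string(trim($_GET['keyword'])));`. The nesting order on the five changed lines is load-bearing — escape_string first, then escape_sql_wildcards — because escape_string doubles backslashes and, run second, would turn the added `\%` into a literal backslash followed by a live `%`; a one-line comment above the block, `// wildcard escaping must run after escape_string, which doubles backslashes`, would keep a later edit from swapping them. get_user_data starts before the hunk and the LIKE clauses that consume these variables come after it, so whether every field is in fact used in a LIKE rather than an equality test cannot be confirmed from here.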
@@ -432,6 +432,17 @@ class Database {
 return self::use_default_connection($connection) ? mysql_error() : mysql_error($connection);
 }
+ /**
+ * Escape MySQL wildchars _ and % in LIKE search
+ * @param string The string to escape
+ * @return string The escaped string
+ */
+ public static function escape_sql_wildcards($in_txt) {
+ $out_txt = api_preg_replace("/_/", "\_", $in_txt);
+ $out_txt = api_preg_replace("/%/", "\%", $out_txt);
+ return $out_txt;
+ }
+
 /**
 * Escapes a string to insert into the database as text
 * @param string The string to escape
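Review bot: escape_sql_wildcards is only correct when it is applied to the output of escape_string, as the user_list.php hunk does; called first, its backslashes would be doubled by escape_string and the `%`/`_` would be live wildcards again, and the function also does not escape a backslash itself, relying on MySQL's default LIKE escape character. The docblock should state that contract, e.g. `* Must be applied after escape_string(); does not escape the backslash and assumes the default LIKE escape character (\)`, fix `wildchars` to `wildcards`, and name the parameter: `@param string $in_txt The string to escape`. The two regex calls each replace a single literal character, so `return str_replace(['_', '%'], ['\_', '\%'], $in_txt);` does the same work without PCRE and without depending on how api_preg_replace treats a backslash in the replacement string. A null or non-string argument is passed straight through to api_preg_replace with no check; if callers can hand in an unset form field, casting with `(string)` at the top would make the result predictable.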