MDL-64003 core_message: Use sql_like_escape() in message_search_users
Amaia Anabitarte committed Dec 11, 2018
1 parent 44890bd commit f8b46da
Showing 1 changed file with 1 addition and 1 deletion.
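--- a/message/classes/api.php
+++ b/message/classes/api.php
@@ -309,7 +309,7 @@ public static function message_search_users(int $userid, string $search, int $li
 $excludeusers = array($userid, $CFG->siteguest);
 list($exclude, $excludeparams) = $DB->get_in_or_equal($excludeusers, SQL_PARAMS_NAMED, 'param', false);
 
-$params = array('search' => '%' . $search . '%', 'userid1' => $userid, 'userid2' => $userid);
+$params = array('search' => '%' . $DB->sql_like_escape($search) . '%', 'userid1' => $userid, 'userid2' => $userid);
 
 // Ok, let's search for contacts first.
 $sql = "SELECT u.id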
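Review bot: The escaping added on the `$params` line only takes effect if the LIKE clause that consumes `:search` declares the same escape character, and that clause lies below the visible end of the hunk (the body of message_search_users starts and ends outside it). If the query is built with `$DB->sql_like()`, its default escape character matches the one `sql_like_escape()` uses; a hand-written `LIKE :search` with no ESCAPE clause may treat the backslash differently across databases, so this is worth confirming. A short comment above the assignment, such as `// Escape % and _ so wildcards in the user's search string match literally.`, would record why the call is there. A unit test that searches for `%` and for `_` and asserts that only users whose names contain those characters are returned would guard against regression.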
