From bc092c48d46d04ddb53b27d13e0309aa4f10ba9c Mon Sep 17 00:00:00 2001
From: Toby Zerner
Date: Fri, 15 Jun 2018 19:19:43 +0930
Subject: [PATCH] Escape string used in LIKE query

---
 framework/core/src/User/UserRepository.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/framework/core/src/User/UserRepository.php b/framework/core/src/User/UserRepository.php
index 8619446b9..f294a63ac 100644
--- a/framework/core/src/User/UserRepository.php
+++ b/framework/core/src/User/UserRepository.php
@@ -90,6 +90,8 @@ class UserRepository
      */
     public function getIdsForUsername($string, User $actor = null)
     {
+        $string = $this->escapeLikeString($string);
+
         $query = User::where('username', 'like', '%'.$string.'%')
             ->orderByRaw('username = ? desc', [$string])
             ->orderByRaw('username like ? desc', [$string.'%']);
@@ -112,4 +114,15 @@ class UserRepository
 
         return $query;
     }
+
+    /**
+     * Escape special characters that can be used as wildcards in a LIKE query.
+     *
+     * @param string $string
+     * @return string
+     */
+    private function escapeLikeString($string)
+    {
+        return str_replace(['\\', '%', '_'], ['\\\\', '\%', '\_'], $string);
+    }
 }
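Review bot: The escaped value is reassigned to `$string` and then also bound into the exact-match ordering `->orderByRaw('username = ? desc', [$string])`, so a username containing `_`, `%` or `\` no longer sorts first, because the equality term now compares against a literal backslash-escaped string rather than the user's input. Only the two LIKE patterns need the escaped form; keep the raw value for the `=` term, e.g. `$escaped = $this->escapeLikeString($string);`, `$query = User::where('username', 'like', '%'.$escaped.'%')`, and `->orderByRaw('username like ? desc', [$escaped.'%'])` while the middle `orderByRaw` keeps `[$string]`. The body of getIdsForUsername continues past the end of this hunk, so any later use of `$string` there should be checked for the same mix-up.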
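Review bot: escapeLikeString assumes backslash is the database's default LIKE escape character, and nothing in this change appends an `ESCAPE '\'` clause to the query, so the escaping is only effective on backends where that default holds (MySQL does; SQLite, for one, has no default escape character, so `\%` would still be a wildcard there if the app is ever run against it). Worth stating that assumption in the docblock so a future driver change does not silently reopen the wildcard issue, e.g. ` * Relies on backslash being the backend's default LIKE escape character; no ESCAPE clause is emitted.` The replacement order in `str_replace` is correct as written (backslash first, so the later `\%`/`\_` are not re-escaped) and is worth a one-line comment since reordering the arrays would break it: `// Backslash must be escaped first so the escapes added below are not doubled.`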