From c5272b330ccea32e977b611a9e4b343b17924968 Mon Sep 17 00:00:00 2001
From: SychO9
Date: Sun, 29 Aug 2021 11:57:00 +0100
Subject: [PATCH] fix: Escape like strings
---
 src/User/Search/Gambit/FulltextGambit.php | 2 ++
 src/User/UserRepository.php | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/User/Search/Gambit/FulltextGambit.php b/src/User/Search/Gambit/FulltextGambit.php
index 0522e76d2..d39f36e60 100644
--- a/src/User/Search/Gambit/FulltextGambit.php
+++ b/src/User/Search/Gambit/FulltextGambit.php
@@ -34,6 +34,8 @@ class FulltextGambit implements GambitInterface
 */
 private function getUserSearchSubQuery($searchValue)
 {
+ $searchValue = $this->users->escapeLikeString($searchValue);
+
 return $this->users
 ->query()
 ->select('id')
diff --git a/src/User/UserRepository.php b/src/User/UserRepository.php
index eb828e37a..09d4a4c8b 100644
--- a/src/User/UserRepository.php
+++ b/src/User/UserRepository.php
@@ -102,6 +102,8 @@ class UserRepository
 * @param string $string
 * @param User|null $actor
 * @return array
+ *
+ * @deprecated remove in 2.0 (no longer used since https://github.com/flarum/core/pull/1878)
 */
 public function getIdsForUsername($string, User $actor = null)
 {
@@ -135,8 +137,10 @@ class UserRepository
 *
 * @param string $string
 * @return string
+ *
+ * @internal
 */
- private function escapeLikeString($string)
+ public function escapeLikeString($string)
 {
 return str_replace(['\\', '%', '_'], ['\\\\', '\%', '\_'], $string);
 }
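Review bot: The escaping added at the top of `getUserSearchSubQuery` only neutralises `%` and `_` when the database treats backslash as the LIKE escape character, and nothing in the hunk pins that assumption. MySQL drops the default escape character under the `NO_BACKSLASH_ESCAPES` SQL mode and SQLite has none unless an `ESCAPE` clause is given, so on such a setup the search term would act as a wildcard pattern again. The `like` condition that consumes `$searchValue` lies below the hunk, so whether it names an escape character is not visible here. At minimum, record the dependency next to the call, e.g. `// Relies on "\" being the LIKE escape character (MySQL default; not under NO_BACKSLASH_ESCAPES).`, and add a regression test that a search for `%` does not match every user.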
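Review bot: The docblock on `escapeLikeString` gains `@internal` but still does not state what the method guarantees, which matters now that it is public and called from outside the repository. It escapes only LIKE metacharacters, so its output is a literal-matching pattern and not a substitute for parameter binding. A line such as `Escapes \, % and _ so the value matches literally in a LIKE pattern; the result must still be passed as a bound parameter.` would make that contract explicit. Since the method was private until this commit, it could also take native types without affecting any override: `public function escapeLikeString(string $string): string`.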