Escape special characters in filter value for improved SQL query safety

Cyperghost · Cyperghost · commit 6271cb2325f4 · 2025-06-10T10:34:04.000+02:00
diff --git a/wcfsetup/install/files/lib/system/condition/type/user/AbstractUserStringConditionType.class.php b/wcfsetup/install/files/lib/system/condition/type/user/AbstractUserStringConditionType.class.php
@@ -62,6 +62,8 @@ public function getLabel(): string
     public function applyFilter(DatabaseObjectList $objectList): void
     {
         ["condition" => $condition, "value" => $value] = $this->filter;
+        $value = \addcslashes($value, '_%');
+
         $filter = match ($condition) {
             "_%" => $value . '%',
             "%_%" => '%' . $value . '%',

Original file line number	Diff line number	Diff line change
`@@ -62,6 +62,8 @@ public function getLabel(): string`
`62`	`62`	`public function applyFilter(DatabaseObjectList $objectList): void`
`63`	`63`	`{`
`64`	`64`	`["condition" => $condition, "value" => $value] = $this->filter;`
	`65`	`+ $value = \addcslashes($value, '_%');`
	`66`	`+`
`65`	`67`	`$filter = match ($condition) {`
`66`	`68`	`"_%" => $value . '%',`
`67`	`69`	`"%_%" => '%' . $value . '%',`