Configuration Persistence Service / CPS-1756

Escape special characters in SQL queries using LIKE operator


      In some SQL queries, we are using user-supplied strings as patterns for the LIKE operator. These user strings need to have special characters escaped, or the query risks returning incorrect results.

      The special characters for LIKE are % and _.

      As an example, the contains query implementation uses:

      AND attributes ->> :containsLeafName LIKE CONCAT('%',:containsValue,'%')

      If the user supplies a Cps Path containing %, it will return incorrect results:

      //books[contains(@title,"%")]

      This would return all books instead of no books, as the pattern would expand to %%%.
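      As an added example (not CPS code), a small Python/sqlite3 model of the contains() query above: the jsonb lookup attributes ->> :leafName is stood in for by a plain title column, the book rows are constructed, and the assumed fix is to escape %, _ and the escape character itself before binding the pattern, with an explicit ESCAPE clause on the LIKE. The same approach applies to PostgreSQL, whose default escape character is also backslash.

```python
import sqlite3

# Escape character declared in the ESCAPE clause (assumption: backslash).
LIKE_ESCAPE = "\\"


def escape_like_pattern(value: str) -> str:
    """Escape % and _ (and the escape character itself) so that a
    user-supplied string is matched literally inside a LIKE pattern."""
    return (value.replace(LIKE_ESCAPE, LIKE_ESCAPE * 2)
                 .replace("%", LIKE_ESCAPE + "%")
                 .replace("_", LIKE_ESCAPE + "_"))


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample rows standing in for the books' title leaf."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (title TEXT)")
    conn.executemany("INSERT INTO books VALUES (?)",
                     [("Matilda",), ("100% Wool",),
                      ("The_Hobbit",), ("A\\B",)])
    return conn


def contains_query(conn: sqlite3.Connection, value: str,
                   escape_wildcards: bool) -> list:
    """Model of contains(@title, value): LIKE '%' || value || '%'.
    escape_wildcards=False reproduces the reported bug."""
    if escape_wildcards:
        pattern = "%" + escape_like_pattern(value) + "%"
        sql = ("SELECT title FROM books "
               "WHERE title LIKE ? ESCAPE '\\' ORDER BY title")
    else:
        pattern = "%" + value + "%"
        sql = "SELECT title FROM books WHERE title LIKE ? ORDER BY title"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = build_demo_db()
    # contains(@title,"%"): unescaped the pattern becomes %%% and matches
    # every row; escaped it matches only the title with a literal %.
    print(contains_query(db, "%", escape_wildcards=False))  # all 4 titles
    print(contains_query(db, "%", escape_wildcards=True))   # ['100% Wool']
```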

            danielhanrahan Daniel Hanrahan