Task
Resolution: Done
Medium
In some SQL queries, we are using user-supplied strings as patterns for the LIKE operator. These user strings need to have their special characters escaped, or the queries risk returning incorrect results.
The special characters for LIKE are % and _.
As an example, the contains query implementation uses:
AND attributes ->> :containsLeafName LIKE CONCAT('%',:containsValue,'%')
If the user supplies a CpsPath containing %, it will return incorrect results:
//books[contains(@title,"%")]
This would return all books instead of no books, as the pattern would expand to %%%.
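To show the effect and the fix, here is an added example (not the project's own code) that runs the contains query against an in-memory SQLite table: once with the user value concatenated into the LIKE pattern as-is, and once with % and _ escaped and an explicit ESCAPE clause. The table, its titles and the backslash escape character are constructed assumptions; CONCAT is replaced by || because SQLite uses that operator.

```python
import sqlite3

LIKE_ESCAPE_CHAR = "\\"  # assumed escape character; must match the ESCAPE clause

def escape_like(value: str, escape: str = LIKE_ESCAPE_CHAR) -> str:
    """Make a user value match literally inside a LIKE pattern.

    The escape character itself is doubled first, then the LIKE wildcards
    % and _ are prefixed with it, so '50%_off' becomes '50\\%\\_off'.
    """
    return (value.replace(escape, escape + escape)
                 .replace("%", escape + "%")
                 .replace("_", escape + "_"))

def make_db() -> sqlite3.Connection:
    """Constructed sample data: a books table with one title column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (title TEXT)")
    conn.executemany(
        "INSERT INTO books (title) VALUES (?)",
        [("Matilda",), ("Good Omens",), ("100% Cotton",), ("snake_case",)],
    )
    return conn

def contains_query(conn: sqlite3.Connection, value: str, escaped: bool) -> list[str]:
    """Equivalent of books[contains(@title, value)] as a LIKE query.

    escaped=False reproduces the ticket's bug: a value of '%' expands the
    pattern to '%%%', which matches every row. escaped=True applies
    escape_like() and declares the escape character with ESCAPE.
    """
    if escaped:
        pattern = "%" + escape_like(value) + "%"
        sql = "SELECT title FROM books WHERE title LIKE ? ESCAPE '\\' ORDER BY title"
    else:
        pattern = "%" + value + "%"
        sql = "SELECT title FROM books WHERE title LIKE ? ORDER BY title"
    return [row[0] for row in conn.execute(sql, (pattern,))]

if __name__ == "__main__":
    db = make_db()
    print("unescaped '%':", contains_query(db, "%", escaped=False))  # every title
    print("escaped   '%':", contains_query(db, "%", escaped=True))   # only '100% Cotton'
    print("escaped   '_':", contains_query(db, "_", escaped=True))   # only 'snake_case'
```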
Relates to: CPS-1760 Handling of special characters in CpsPath queries (Closed)