authorVincent Petry <pvince81@owncloud.com>2016-10-19 16:47:08 +0300
committerGitHub <noreply@github.com>2016-10-19 16:47:08 +0300
commited468d5c1ef91ccc91f30cb569dee2c668e43b7c (patch)
treeb8cd92d0b6b051f968b73f83c9270849c686bcd2 /lib
parenta9e8b7dd08b2cc39b5a914ec40dd65af02279f66 (diff)
parentab92c20d65b385e6df3aba90fade7a90028a3d22 (diff)
Merge pull request #26409 from owncloud/stable9-36d6f3ba8b7b7db8f4d8b2a70504fd184a30cc50
[stable9] Escape special characters (#25429)
Diffstat (limited to 'lib')
-rw-r--r--lib/private/group/database.php4
-rw-r--r--lib/private/repair/repairlegacystorages.php2
2 files changed, 3 insertions, 3 deletions
diff --git a/lib/private/group/database.php b/lib/private/group/database.php
index 9ea0bbb8242..503c29b99c0 100644
--- a/lib/private/group/database.php
+++ b/lib/private/group/database.php
@@ -294,7 +294,7 @@ class OC_Group_Database extends OC_Group_Backend {
$parameters = [$gid];
$searchLike = '';
if ($search !== '') {
- $parameters[] = '%' . $search . '%';
+ $parameters[] = '%' . $this->dbConn->escapeLikeParameter($search) . '%';
$searchLike = ' AND `uid` LIKE ?';
}
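Review bot: The escaping added here only takes effect if the backend treats the character emitted by `escapeLikeParameter()` (presumably a backslash) as the LIKE escape, and the LIKE ? clause on the following line carries no explicit ESCAPE clause. Backslash is the default LIKE escape on MySQL and PostgreSQL, but SQLite and Oracle define none by default, so unless the database layer rewrites the statement (not visible in this diff) a search for a uid containing `%` or `_` could stop matching there. I would add a comment such as `// relies on the DB layer applying the matching ESCAPE character for LIKE` and a test that searches for a uid containing `_` on each supported backend. The same point applies to the second hunk in this file and to the LIKE query in repairlegacystorages.php; the enclosing methods start and end outside the hunks.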
@@ -320,7 +320,7 @@ class OC_Group_Database extends OC_Group_Backend {
$parameters = [$gid];
$searchLike = '';
if ($search !== '') {
- $parameters[] = '%' . $search . '%';
+ $parameters[] = '%' . $this->dbConn->escapeLikeParameter($search) . '%';
$searchLike = ' AND `uid` LIKE ?';
}
diff --git a/lib/private/repair/repairlegacystorages.php b/lib/private/repair/repairlegacystorages.php
index ee189110a87..1442a3d1a7a 100644
--- a/lib/private/repair/repairlegacystorages.php
+++ b/lib/private/repair/repairlegacystorages.php
@@ -170,7 +170,7 @@ class RepairLegacyStorages extends BasicEmitter {
$sql = 'SELECT `id`, `numeric_id` FROM `*PREFIX*storages`'
. ' WHERE `id` LIKE ?'
. ' ORDER BY `id`';
- $result = $this->connection->executeQuery($sql, array($dataDirId . '%'));
+ $result = $this->connection->executeQuery($sql, array($this->connection->escapeLikeParameter($dataDirId) . '%'));
while ($row = $result->fetch()) {
$currentId = $row['id'];
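Review bot: The new executeQuery() call builds the LIKE pattern inside the argument list, which makes the line long and hides the fact that `$dataDirId` is now matched as a literal prefix. Naming the pattern first reads better: `$likePattern = $this->connection->escapeLikeParameter($dataDirId) . '%';` followed by `$result = $this->connection->executeQuery($sql, array($likePattern));`. A one-line comment saying that `_` and `%` in the data directory path must not act as wildcards would record why the escape is there. The while loop continues past the end of the hunk.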