Fix missed escaping in node_flat_sql.erl
authorAlexey Shchepin <alexey@process-one.net>
Tue, 5 Jul 2016 14:45:37 +0000 (17:45 +0300)
committerAlexey Shchepin <alexey@process-one.net>
Tue, 5 Jul 2016 14:45:37 +0000 (17:45 +0300)
src/node_flat_sql.erl

index 37615ca1e1aaf7273601fa233109eb1ca3dc6f98..8cd8e4ccd2b08e6fc1c5389239b49cfab3badafb 100644 (file)
@@ -914,12 +914,13 @@ first_in_list(Pred, [H | T]) ->
     end.
 
 itemids(Nidx, {_U, _S, _R} = JID) ->
-    SJID = <<(ejabberd_sql:escape(encode_jid_like(JID)))/binary, "/%">>,
+    SJID = encode_jid(JID),
+    SJIDLike = <<(ejabberd_sql:escape(encode_jid_like(JID)))/binary, "/%">>,
     case catch
        ejabberd_sql:sql_query_t(
           ?SQL("select @(itemid)s from pubsub_item where "
-               "nodeid=%(Nidx)d and (publisher=%(JID)s"
-               " or publisher like %(SJID)s escape '^') "
+               "nodeid=%(Nidx)d and (publisher=%(SJID)s"
+               " or publisher like %(SJIDLike)s escape '^') "
                "order by modification desc"))
     of
        {selected, RItems} ->
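Review bot: `SJIDLike` on the added line is still passed through `ejabberd_sql:escape/1` before being bound as `%(SJIDLike)s`, so if the `?SQL` macro escapes `%(...)s` string parameters itself (its definition is not visible in this hunk, but that appears to be how `SJID` is now protected), the LIKE pattern is escaped twice. For a JID containing a quote or backslash, the doubled escape would probably stop the pattern from matching the stored `publisher`, so the `like` branch would return no rows for those users. If the macro does escape, build the pattern as `SJIDLike = <<(encode_jid_like(JID))/binary, "/%">>,` and leave SQL quoting to the macro; `encode_jid_like/1` then only has to neutralise `%`, `_` and `^` for the `escape '^'` clause, which is worth confirming against its definition. `itemids/2` continues past the end of this hunk, so the handling of the query result is not reviewed here.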