From: Alexey Shchepin <alexey@process-one.net>
Date: Tue, 5 Jul 2016 14:45:37 +0000 (+0300)
Subject: Fix missed escaping in node_flat_sql.erl
X-Git-Tag: 16.08~61
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=be3a4acb5547be957f910bd03c5683eccf797390;p=ejabberd

Fix missed escaping in node_flat_sql.erl
---

diff --git a/src/node_flat_sql.erl b/src/node_flat_sql.erl
index 37615ca1e..8cd8e4ccd 100644
--- a/src/node_flat_sql.erl
+++ b/src/node_flat_sql.erl
@@ -914,12 +914,13 @@ first_in_list(Pred, [H | T]) ->
     end.
 
 itemids(Nidx, {_U, _S, _R} = JID) ->
-    SJID = <<(ejabberd_sql:escape(encode_jid_like(JID)))/binary, "/%">>,
+    SJID = encode_jid(JID),
+    SJIDLike = <<(ejabberd_sql:escape(encode_jid_like(JID)))/binary, "/%">>,
     case catch
 	ejabberd_sql:sql_query_t(
           ?SQL("select @(itemid)s from pubsub_item where "
-               "nodeid=%(Nidx)d and (publisher=%(JID)s"
-               " or publisher like %(SJID)s escape '^') "
+               "nodeid=%(Nidx)d and (publisher=%(SJID)s"
+               " or publisher like %(SJIDLike)s escape '^') "
                "order by modification desc"))
     of
 	{selected, RItems} ->