From 038a7fee1ca0810960b8dd099584d16754df69a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Jakes=CC=8C?=
Date: Wed, 4 Mar 2020 16:30:55 +0100
Subject: [PATCH] Escape parameter for LIKE statement [MAILPOET-2645]

---
 lib/Newsletter/Listing/NewsletterListingRepository.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/Newsletter/Listing/NewsletterListingRepository.php b/lib/Newsletter/Listing/NewsletterListingRepository.php
index 4fc3af0cb2..b88d133bc9 100644
--- a/lib/Newsletter/Listing/NewsletterListingRepository.php
+++ b/lib/Newsletter/Listing/NewsletterListingRepository.php
@@ -201,9 +201,10 @@ class NewsletterListingRepository extends ListingRepository {
   }
 
   protected function applySearch(QueryBuilder $queryBuilder, string $search) {
+    $search = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $search); // escape for 'LIKE'
     $queryBuilder
       ->andWhere('n.subject LIKE :search')
-      ->setParameter('search', "%$search%"); // TODO: escape?
+      ->setParameter('search', "%$search%");
   }
 
   protected function applyFilters(QueryBuilder $queryBuilder, array $filters) {
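Review bot: The escaping added on the `+` line in `applySearch` assumes backslash is the LIKE escape character, but nothing in the DQL pins that: if this runs on MySQL (the DBMS is not visible here) the default backslash escape is dropped when `NO_BACKSLASH_ESCAPES` is in `sql_mode`, so `\%` and `\_` would again act as wildcards, while on other engines the default escape differs; consider stating it explicitly, e.g. `->andWhere("n.subject LIKE :search ESCAPE '\\\\'")`, after checking how Doctrine passes that literal through to the driver, or at least document the assumption. Because the value is still a bound parameter, the exposure is limited to widened or slow searches rather than injection. The replacement order in `str_replace` is load-bearing — the backslash must be doubled before `%` and `_` receive their backslash, or those new backslashes would be doubled as well — and the terse `// escape for 'LIKE'` does not convey that; `// escape for LIKE: backslash first so the '\%' and '\_' added below are not re-escaped` would. The enclosing class starts before the hunk and `applyFilters` continues past it.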