feat: add escaping for special db characters in search string criteria

onecx · Jan 11, 2024 · 20ab4b4 · 20ab4b4
1 parent 7d56d64
commit 20ab4b4
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/src/main/java/io/github/onecx/user/profile/domain/daos/UserProfileDAO.java b/src/main/java/io/github/onecx/user/profile/domain/daos/UserProfileDAO.java
@@ -94,6 +94,12 @@ public Predicate createSearchStringPredicate(CriteriaBuilder criteriaBuilder, Ex
     public Predicate createSearchStringPredicate(CriteriaBuilder criteriaBuilder, Expression<String> column,
             String searchString, final boolean caseInsensitive) {
 
+        // escape the extra DB characters
+        searchString = searchString
+                .replace("\\", "\\\\")
+                .replace("%", "\\%")
+                .replace("_", "\\_");
+
         Expression<String> columnDefinition = column;
         if (caseInsensitive) {
             searchString = searchString.toLowerCase();