Properly escape \, % and _ in query.

Based on fix proposed in original bug report. Fixes #158.
ivaldi · Feb 12, 2015 · fbb1bea · fbb1bea
1 parent a3f8aed
commit fbb1bea
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 7 deletions.
diff --git a/Gemfile b/Gemfile
@@ -15,10 +15,10 @@ gem 'jquery-rails'
 # foundation form errors
 gem 'foundation_rails_helper'
 
-group :development do
-  # to use debugger
-  gem 'byebug'
+# to use debugger
+gem 'byebug', group: [:development, :test]
 
+group :development do
   # sqlite database during development
   gem 'sqlite3'
 

diff --git a/app/models/ticket.rb b/app/models/ticket.rb
@@ -73,9 +73,10 @@ def self.active_labels(status)
 
   scope :search, ->(term) {
     if !term.nil?
-      term = '%' + term.downcase + '%'
-      where('LOWER(subject) LIKE ? OR LOWER(content) LIKE ?',
-          term, term)
+      term.gsub!(/[\\%_]/) { |m| "!#{m}" }
+      term = "%#{term.downcase}%"
+      where('LOWER(subject) LIKE ? ESCAPE ? OR LOWER(content) LIKE ? ESCAPE ?',
+          term, '!', term, '!')
     end
   }
 

diff --git a/test/fixtures/tickets.yml b/test/fixtures/tickets.yml
@@ -16,7 +16,7 @@ multiple:
   message_id: 'test124@test124'
 
 daves_problem:
-  subject: Dave has a problem
+  subject: Dave has a problem %@#_
   content: Dave has a problem with his computer
   user: dave
   message_id: 'test125@test125'
diff --git a/test/models/ticket_test.rb b/test/models/ticket_test.rb
@@ -57,4 +57,9 @@ class TicketTest < ActiveSupport::TestCase
     assert_equal last.created_at, last.updated_at
   end
 
+  test 'should escape special char search' do
+    assert_equal 1, Ticket.search('%').count
+    assert_equal 1, Ticket.search('_').count
+  end
+
 end