[loggi-8q5] Escape SQL LIKE wildcards in record search #120

Closed
opened 2026-02-21 20:55:32 +01:00 by matthias · 0 comments
Owner

Bead ID: loggi-8q5
Type: bug
Priority: P2
Status: closed
Close reason: Added escape for SQL LIKE wildcards (%, _, \) in record text search query in routes.py. Uses ilike with explicit escape='\' parameter. Added test_records_search_escapes_like_wildcards test.


In routes.py entry_records(), the search query uses ilike(f'%{search_q}%') but doesn't escape % and _ characters in user input. Users can inject LIKE wildcards (e.g. searching for '%' matches everything). Escape these characters before building the LIKE pattern.

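The wildcard problem described in the issue and the escaping fix, as an added example that is not the project's own code: it uses Python's stdlib sqlite3 against a constructed records table so it runs offline, and the helper names escape_like() and demo_db() are assumptions. The escaped pattern it builds is the same one routes.py would pass to ilike(pattern, escape='\\').

```python
import sqlite3

LIKE_ESCAPE = "\\"  # the character named in ESCAPE '\' (escape='\\' for SQLAlchemy ilike)


def escape_like(term: str, escape: str = LIKE_ESCAPE) -> str:
    """Make LIKE metacharacters in user input literal.

    The escape character itself is doubled first; otherwise a user-supplied
    backslash could un-escape the % or _ that follows it.
    """
    return (
        term.replace(escape, escape + escape)
        .replace("%", escape + "%")
        .replace("_", escape + "_")
    )


def demo_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the records table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, text TEXT)")
    conn.executemany(
        "INSERT INTO records (text) VALUES (?)",
        [("100% done",), ("user_name reset",), ("plain note",), ("path C:\\tmp",)],
    )
    return conn


def search_unescaped(conn: sqlite3.Connection, search_q: str) -> list[str]:
    # Before the fix: % and _ inside search_q are interpreted by LIKE,
    # so a search for "%" returns every row.
    pattern = f"%{search_q}%"
    rows = conn.execute("SELECT text FROM records WHERE text LIKE ?", (pattern,))
    return [r[0] for r in rows]


def search_escaped(conn: sqlite3.Connection, search_q: str) -> list[str]:
    # After the fix: wildcards in search_q are escaped and the ESCAPE clause
    # tells the database which character does the escaping.
    pattern = f"%{escape_like(search_q)}%"
    rows = conn.execute(
        "SELECT text FROM records WHERE text LIKE ? ESCAPE '\\'", (pattern,)
    )
    return [r[0] for r in rows]
```

The escape helper has to run before the surrounding % wildcards are added, never on the finished pattern, or the intended wildcards would be neutralised too.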
Reference
matthias/loggi#120