From 3194cc455151a2986b92f0b011744654b079d485 Mon Sep 17 00:00:00 2001
From: Jefferson Costa
Date: Tue, 26 Nov 2024 10:33:20 -0300
Subject: [PATCH] Fix: Escape MySQL wildcards (%) and (_) in search queries
---
src/Prettus/Repository/Criteria/RequestCriteria.php | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/Prettus/Repository/Criteria/RequestCriteria.php b/src/Prettus/Repository/Criteria/RequestCriteria.php
index 79734add..cc3ba23b 100644
--- a/src/Prettus/Repository/Criteria/RequestCriteria.php
+++ b/src/Prettus/Repository/Criteria/RequestCriteria.php
@@ -72,9 +72,13 @@ public function apply($model, RepositoryInterface $repository)
$condition = trim(strtolower($condition));
if (isset($searchData[$field])) {
+ // Escape MySQL wildcards on search
+ $searchData[$field] = addcslashes($searchData[$field], '%_');
$value = ($condition == "like" || $condition == "ilike") ? "%{$searchData[$field]}%" : $searchData[$field];
} else {
if (!is_null($search) && !in_array($condition,['in','between'])) {
+ // Escape MySQL wildcards on search
+ $search = addcslashes($search, '%_');
$value = ($condition == "like" || $condition == "ilike") ? "%{$search}%" : $search;
}
}
@@ -331,4 +335,4 @@ protected function parserFieldsSearch(array $fields = [], array $searchFields =
return $fields;
}
-}
\ No newline at end of file
+}
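Review bot: Both added `addcslashes(..., '%_')` calls run before the condition is checked, so a non-like condition (`=`, `>`, or in the first branch even `in`/`between`, which only the second branch excludes) now binds the backslash-escaped string — an exact-match search for `foo_bar` would compare against `foo\_bar` and silently match nothing. The charlist also leaves a user-supplied backslash untouched, so input `\%` becomes `\\%`, which MySQL's (and PostgreSQL's) default LIKE escaping reads as a literal backslash followed by a live `%` wildcard; the backslash itself has to be escaped too, `'\\%_'`. Escaping only inside the like/ilike arm also avoids writing the escaped value back into `$searchData[$field]` / `$search`, which the rest of `apply()` (it continues outside this hunk) may still read. Whether backslash is the effective escape character depends on the driver in use — presumably MySQL/PostgreSQL given `ilike`, but that is not visible here; on SQL Server or Oracle an explicit `ESCAPE` clause would be needed.
```php
            if (isset($searchData[$field])) {
                // Escape LIKE wildcards (and the escape char itself) only for pattern matches
                $value = ($condition == "like" || $condition == "ilike")
                    ? "%" . addcslashes($searchData[$field], '\\%_') . "%"
                    : $searchData[$field];
            } else {
                if (!is_null($search) && !in_array($condition,['in','between'])) {
                    $value = ($condition == "like" || $condition == "ilike")
                        ? "%" . addcslashes($search, '\\%_') . "%"
                        : $search;
                }
            }
```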