From fca0452802fb12fcb8df2e51f4cfc7cbc668a16c Mon Sep 17 00:00:00 2001
From: "Wiktor S. Ovalle Correa"
Date: Thu, 17 Jun 2021 10:18:28 +0200
Subject: [PATCH] [EGD-6947] Fix SQL vulnerabilities

These were potential security holes allowing SQL injections.
---
 module-db/Tables/ContactsNameTable.cpp | 6 +++---
 module-db/Tables/NotesTable.cpp        | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/module-db/Tables/ContactsNameTable.cpp b/module-db/Tables/ContactsNameTable.cpp
index a771a8b9f18100b2f45c56b5d6095bf6bc2b2943..97da664fe9909956daace68d6dadced1e72a8033 100644
--- a/module-db/Tables/ContactsNameTable.cpp
+++ b/module-db/Tables/ContactsNameTable.cpp
@@ -184,8 +184,8 @@ std::size_t ContactsNameTable::GetCountByName(const std::string &name)
         if (!namePart1.empty() && !namePart2.empty()) {
             queryRet = db->query(
-                "SELECT COUNT(*) FROM contact_name WHERE (name_primary like '%s%%' AND name_alternative like '%s%%') OR "
-                "(name_primary like '%s%%' AND name_alternative like '%s%%');",
+                "SELECT COUNT(*) FROM contact_name WHERE (name_primary like '%q%%' AND name_alternative like '%q%%') OR "
+                "(name_primary like '%q%%' AND name_alternative like '%q%%');",
                 namePart1.c_str(),
                 namePart2.c_str(),
                 namePart2.c_str(),
@@ -193,7 +193,7 @@ std::size_t ContactsNameTable::GetCountByName(const std::string &name)
         }
         else {
             queryRet = db->query(
-                "SELECT COUNT(*) FROM contact_name WHERE name_primary like '%s%%' OR name_alternative like '%s%%';",
+                "SELECT COUNT(*) FROM contact_name WHERE name_primary like '%q%%' OR name_alternative like '%q%%';",
                 namePart1.c_str(),
                 namePart1.c_str());
         }
diff --git a/module-db/Tables/NotesTable.cpp b/module-db/Tables/NotesTable.cpp
index da963d701b264979394223497247f1797c74e64b..966fc9391302854cc0c598634b2008610749b2fe 100644
--- a/module-db/Tables/NotesTable.cpp
+++ b/module-db/Tables/NotesTable.cpp
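Review bot: The switch to `%q` in the `like '%q%%'` literals closes the quote-escape, but the SQL LIKE metacharacters `%` and `_` inside the name part are still passed through unescaped, so a user-typed `%` or `_` keeps acting as a wildcard and a bare `%` matches every contact (the same applies to the four patterns in the hunk at line 184). If a literal prefix match is intended, escape `\`, `%` and `_` in the value before formatting and add an escape clause to each LIKE, e.g. `"SELECT COUNT(*) FROM contact_name WHERE name_primary like '%q%%' ESCAPE '\\' OR name_alternative like '%q%%' ESCAPE '\\';"`. The fix also relies on `db->query` forwarding its format string through `sqlite3_vmprintf`, where `%q` doubles single quotes; under a plain printf-style formatter `%q` is undefined and the injection would remain, so that assumption deserves a comment on the call such as `// %q: sqlite3_mprintf quote-escaping, NOT printf %s`. Binding the values with `sqlite3_bind_text` on a prepared statement would remove the escaping burden altogether. GetCountByName's body begins and ends outside the hunk.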
@@ -125,7 +125,7 @@ std::pair, int> NotesTable::getByText(const std::stri
 {
     unsigned int count = 0;
-    auto queryRet = db->query("SELECT COUNT(*), INSTR(snippet,'%s') pos FROM notes WHERE pos > 0;", text.c_str());
+    auto queryRet = db->query("SELECT COUNT(*), INSTR(snippet,'%q') pos FROM notes WHERE pos > 0;", text.c_str());
     if (queryRet && queryRet->getRowCount() != 0) {
         count = (*queryRet)[0].getUInt32();
     }
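Review bot: `%q` is the right escape for the `INSTR(snippet,'%q')` literal, since INSTR compares bytes rather than a LIKE pattern, but the count is still unguarded for an empty search string: SQLite's `instr(X, '')` returns 1, so `pos > 0` holds for every row and the query counts all notes. If callers do not guarantee a non-empty `text`, an early return ahead of the query such as `if (text.empty()) { return {{}, 0}; }` would make that explicit (the pair's first type is not visible in the hunk, so adapt the return value). As in the other file, this depends on `db->query` being backed by `sqlite3_vmprintf`, where `%q` is defined; a one-line comment on the query saying so would stop a future move onto printf or std::format from silently reopening the injection. getByText's signature and the rest of its body are outside the hunk.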