Problem
Like::GetSqlValue (src/query_predicates.cc:97) wraps the caller's value as %value% but does not escape any % or _ characters (or the escape character) that appear inside the value itself, and the LIKE clause generated by QueryPredicate::Evaluate carries no ESCAPE clause, so the database has no way to treat those characters as literals.
Impact
If the user-supplied value contains % or _, those characters act as LIKE wildcards rather than literals, so the match semantics differ from what the caller intended: searching for 50% matches every row containing "50" rather than only the literal text "50%", and a _ in the value matches any single character. The value is still bound as a parameter rather than concatenated into the SQL text, so this is a correctness/robustness problem rather than injection.
Suggested direction
Escape %, _ and the escape character itself in the bound value (escaping the escape character first, or in a single pass, so that an existing backslash is not double-handled) and emit a corresponding ESCAPE '\\' clause (the C++ literal for a single backslash in the SQL), so the user's text is matched literally. The ESCAPE clause should be emitted unconditionally rather than relying on an engine default: SQLite has no default escape character for LIKE, while MySQL and PostgreSQL default to backslash, so a pattern escaped without the clause is portable only by accident.
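To make the suggested direction concrete, the following is an added example and not code from the project: the helper names EscapeLikePattern, LikeContainsValue and LikeContainsClause are assumed for illustration, and the small LikeMatch function is a toy ASCII LIKE evaluator included only so the before/after semantics can be checked offline; the real evaluation is done by the database engine.

```cpp
#include <cstddef>
#include <string>

// Added example (not the project's code). Escapes the LIKE metacharacters
// % and _ plus the escape character itself, so the result can be embedded in
// a LIKE pattern and matched literally. A single pass avoids double-escaping
// a backslash that was already in the input.
std::string EscapeLikePattern(const std::string& value, char esc = '\\') {
    std::string out;
    out.reserve(value.size() * 2);
    for (char c : value) {
        if (c == esc || c == '%' || c == '_') out.push_back(esc);
        out.push_back(c);
    }
    return out;
}

// The value that should be bound as the parameter: %<escaped value>%.
// Hypothetical replacement for the value built by Like::GetSqlValue.
std::string LikeContainsValue(const std::string& value) {
    return "%" + EscapeLikePattern(value) + "%";
}

// The SQL fragment to emit. The value itself is still bound as ?, never
// concatenated; the ESCAPE clause tells the engine which character escapes.
// The C++ literal "\\" is a single backslash in the generated SQL.
std::string LikeContainsClause(const std::string& column) {
    return column + " LIKE ? ESCAPE '\\'";
}

// Toy LIKE matcher (ASCII, case-sensitive) that honours an ESCAPE character.
// Used only to demonstrate the difference between the unescaped and escaped
// patterns; it is not how the project evaluates predicates.
static bool LikeMatchImpl(const std::string& p, std::size_t pi,
                          const std::string& t, std::size_t ti, char esc) {
    while (pi < p.size()) {
        char pc = p[pi];
        if (pc == esc && pi + 1 < p.size()) {
            // Escaped character: must match literally.
            if (ti >= t.size() || t[ti] != p[pi + 1]) return false;
            pi += 2;
            ++ti;
            continue;
        }
        if (pc == '%') {
            // Zero or more characters: try every possible split.
            for (std::size_t k = ti; k <= t.size(); ++k) {
                if (LikeMatchImpl(p, pi + 1, t, k, esc)) return true;
            }
            return false;
        }
        if (pc == '_') {
            // Exactly one character.
            if (ti >= t.size()) return false;
            ++pi;
            ++ti;
            continue;
        }
        if (ti >= t.size() || t[ti] != pc) return false;
        ++pi;
        ++ti;
    }
    return ti == t.size();
}

bool LikeMatch(const std::string& pattern, const std::string& text,
               char esc = '\\') {
    return LikeMatchImpl(pattern, 0, text, 0, esc);
}

// Constructed comparison: the unescaped pattern for "50%" (what the current
// code produces) matches "50 apples", while the escaped pattern only matches
// text that really contains "50%".
bool UnescapedPatternOverMatches() {
    return LikeMatch("%50%%", "50 apples");
}

bool EscapedPatternIsLiteral() {
    const std::string pattern = LikeContainsValue("50%");
    return !LikeMatch(pattern, "50 apples") && LikeMatch(pattern, "get 50% off");
}
```

The bound value is what changes; the emitted SQL changes only by the trailing ESCAPE clause, so the parameter binding path stays exactly as it is today.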