From ce70ea3501c23a2ca12cf6480e25cdec7664d02f Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Sun, 3 Jul 2016 16:50:28 +0200
Subject: [PATCH] [stable9] Use paramterized parameter for \OC\SystemTag\SystemTagManager

$nameSearchPattern was passed in and directly appended to the SQL query. Luckily the code path isn't reached anywhere in Nextcloud or the included apps.
---
 lib/private/systemtag/systemtagmanager.php | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/lib/private/systemtag/systemtagmanager.php b/lib/private/systemtag/systemtagmanager.php
index 76a60a9132..51e605cc2f 100644
--- a/lib/private/systemtag/systemtagmanager.php
+++ b/lib/private/systemtag/systemtagmanager.php
@@ -124,10 +124,7 @@ class SystemTagManager implements ISystemTagManager {
 if (!empty($nameSearchPattern)) {
 $query->andWhere(
- $query->expr()->like(
- 'name',
- $query->expr()->literal('%' . $this->connection->escapeLikeParameter($nameSearchPattern). '%')
- )
+ $query->expr()->like('name', $query->createNamedParameter('%' . $this->connection->escapeLikeParameter($nameSearchPattern) . '%'))
 );
 }
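Review bot: The added `like()` line relies on two separate protections and nothing on it says which does what: `escapeLikeParameter()` only neutralises the LIKE wildcards in `$nameSearchPattern`, while `createNamedParameter()` is what keeps the value out of the SQL text. A short comment above the call, e.g. `// escapeLikeParameter() only escapes LIKE wildcards; the bound parameter is what prevents SQL injection`, would stop a later refactor from drifting back to string building. The commit message says this path has no callers and the diffstat touches only this file, so a regression test that passes a pattern containing a quote and a `%` would pin the fix. Separately, the unchanged guard `!empty($nameSearchPattern)` skips the filter for the pattern `'0'`; `$nameSearchPattern !== null && $nameSearchPattern !== ''` would avoid that, assuming the parameter is a string or null, since the method signature lies outside the hunk.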