From a9ca35b671057aa8efc287a55e70c73132017c1e Mon Sep 17 00:00:00 2001
From: Daniel Waterworth
Thu, 2 May 2024 10:13:45 -0500
Subject: [PATCH] DEV: Use safer SQL functions for string queries when looking for tags (#26838)

---
 lib/discourse_tagging.rb | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/lib/discourse_tagging.rb b/lib/discourse_tagging.rb
index 9a92dcfcd71..c5ca6bad163 100644
--- a/lib/discourse_tagging.rb
+++ b/lib/discourse_tagging.rb
@@ -510,16 +510,14 @@ module DiscourseTagging
 term = opts[:term]
 if term.present?
 builder_params[:cleaned_term] = term
- term = term.gsub("_", "\\_").downcase
 if opts[:term_type] == DiscourseTagging.term_types[:starts_with]
- builder_params[:term] = "#{term}%"
+ builder.where("starts_with(LOWER(name), LOWER(:cleaned_term))")
+ sql.gsub!("/*and_name_like*/", "AND starts_with(LOWER(t.name), LOWER(:cleaned_term))")
 else
- builder_params[:term] = "%#{term}%"
+ builder.where("position(LOWER(:cleaned_term) IN LOWER(t.name)) <> 0")
+ sql.gsub!("/*and_name_like*/", "AND position(LOWER(:cleaned_term) IN LOWER(t.name)) <> 0")
 end
-
- builder.where("LOWER(name) LIKE :term")
- sql.gsub!("/*and_name_like*/", "AND LOWER(t.name) LIKE :term")
 else
 sql.gsub!("/*and_name_like*/", "")
 end
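Review bot: The reason the `term.gsub("_", "\\_")` escaping can be dropped is not recorded in the new branch, and the matching fragment is now spelled out twice per arm (once in `builder.where`, once in the `sql.gsub!` replacement, differing only by the `t.` qualifier), so a later edit that switches one of the four back to `LIKE` would silently reintroduce the unescaped-wildcard behaviour the commit removes. A one-line comment above the `if opts[:term_type]` line would pin that down: `# starts_with()/position() compare the bound :cleaned_term literally, so no LIKE wildcard escaping of the term is needed`. Note also that lower-casing has moved from Ruby's `downcase` to PostgreSQL's `LOWER()`, so case-folding of non-ASCII tag names now follows the database collation rather than Ruby's Unicode tables; if that is intended it deserves a word in the commit message, otherwise it is worth checking against tags containing non-ASCII characters. The enclosing method starts and ends outside the hunk, so whether anything else still reads the no-longer-assigned `builder_params[:term]` cannot be confirmed from here.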