From db2a1565541c295faf4d98e1de156315e7f3a07a Mon Sep 17 00:00:00 2001
From: plegall
Date: Tue, 24 Feb 2026 16:19:22 +0100
Subject: [PATCH] fixes GHSA-5jwg-cr5q-vjq2 protect filter parameter in pwg.user.getList
---
 include/ws_functions/pwg.users.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/ws_functions/pwg.users.php b/include/ws_functions/pwg.users.php
index c18add751..af5ec1ee7 100644
--- a/include/ws_functions/pwg.users.php
+++ b/include/ws_functions/pwg.users.php
@@ -58,7 +58,7 @@ function ws_users_getList($params, &$service)
 $filtered_groups = array();
 if (!empty($params['filter']))
 {
- $filter_query = 'SELECT id FROM `'. GROUPS_TABLE .'` WHERE name LIKE \'%'. $params['filter'] . '%\';';
+ $filter_query = 'SELECT id FROM `'. GROUPS_TABLE .'` WHERE name LIKE \'%'. pwg_db_real_escape_string($params['filter']) . '%\';';
 $filtered_groups_res = pwg_query($filter_query);
 while ($row = pwg_db_fetch_assoc($filtered_groups_res))
 {
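Review bot: On the new `$filter_query` line, `pwg_db_real_escape_string()` closes the quote-breaking path but (assuming it wraps the driver's string escaping) leaves the LIKE metacharacters `%` and `_` active, so the caller-supplied filter is still evaluated as a pattern rather than a literal substring. If a literal match is intended, escape those first, e.g. `pwg_db_real_escape_string(addcslashes($params['filter'], '\\%_'))`, which relies on MySQL's default backslash LIKE escape. `ws_users_getList` continues outside this hunk, so any other place where `$params['filter']` reaches SQL, and the case of a non-string value for it, should be checked against the same rule. A regression test covering the advisory case would keep the unescaped concatenation from coming back.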