Security: ActivityLog query vulnerable to SQL wildcard injection #20

@Snider

Description

The ActivityLog component uses user input in LIKE queries without sanitizing SQL wildcards.

Location

  • File: src/View/Modal/Admin/ActivityLog.php
  • Lines: 58-62

Issue

The search term is used directly in a LIKE clause:

->where('description', 'like', '%'.$this->searchTerm.'%')
->orWhere('subject_type', 'like', '%'.$this->searchTerm.'%')

If a user enters % or _ characters, they are interpreted as SQL wildcards:

  • % matches any sequence of characters
  • _ matches any single character

This allows:

  1. Broader searches than intended
  2. Potential performance issues with leading wildcards
  3. Information disclosure through wildcard enumeration

Recommendation

  1. Escape SQL wildcards in user input: str_replace(['%', '_'], ['\%', '\_'], $searchTerm)
  2. Consider using full-text search for better performance and security
  3. Add input validation/sanitization for search terms
  4. Limit search result count to prevent enumeration
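Added example (not code from the project or from this issue) of the escaping in recommendation 1, wired into the query shape shown above. It assumes the database uses backslash as the default LIKE escape character (MySQL/MariaDB and PostgreSQL do; SQLite needs an explicit ESCAPE clause), and it also escapes the backslash itself, which the one-liner above does not, so that an input such as "\%" cannot cancel the escaping of the "%" that follows it.

```php
<?php
// Added example: escape LIKE metacharacters before interpolating a search
// term into a pattern. Assumes the backslash is the LIKE escape character.
declare(strict_types=1);

/**
 * Escape the characters that carry meaning inside a LIKE pattern.
 * The escape character is replaced first, so a user-supplied "\" can never
 * pair up with the "\" that the later replacements insert.
 */
function escapeLike(string $term, string $escape = '\\'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $term
    );
}

/** Build the "contains" pattern the ActivityLog search needs. */
function containsPattern(string $term): string
{
    return '%' . escapeLike($term) . '%';
}

// Constructed inputs: a plain word, and three that contain metacharacters.
foreach (['login', '100%', 'user_1', '\\%'] as $term) {
    printf("%-8s unsafe: %-10s safe: %s\n",
        $term, '%' . $term . '%', containsPattern($term));
}

// Hypothetical wiring inside the component (mirrors the two calls quoted in
// the issue; $query and $this->searchTerm are assumed names):
//   $pattern = containsPattern($this->searchTerm);
//   $query->where(function ($q) use ($pattern) {
//       $q->where('description', 'like', $pattern)
//         ->orWhere('subject_type', 'like', $pattern);
//   })->limit(100);   // recommendation 4: cap the result count
// The pattern is still passed as a prepared-statement binding; escaping fixes
// the wildcard semantics only, it is not what prevents SQL injection.
```

Running the script prints each term next to the unescaped and escaped patterns, e.g. `100%` becomes `%100\%%`, which now matches only descriptions containing the literal text "100%".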

Severity

Low - Information disclosure limited to data the user already has access to
