aurjson: Escape wildcards in "LIKE" patterns (fixes FS#18626).

Percent signs ("%") and underscores ("_") are not escaped by
mysql_real_escape_string() and are interpreted as wildcards if combined
with "LIKE", so we need to deal with them separately.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

web/lib/aurjson.class.php

@@ -107,6 +107,7 @@ class AurJSON {
         }
 
         $keyword_string = mysql_real_escape_string($keyword_string, $this->dbh);
+        $keyword_string = addcslashes($keyword_string, '%_');
 
         $query = "SELECT " . implode(',', $this->fields) .
             " FROM Packages WHERE DummyPkg=0 AND " .