gesellix titlelink plugin_content_title.php sql injection

An attacker can supply a crafted `$phrase` argument containing SQL metacharacters, which is then concatenated directly into SQL queries in `plugin_content_title.php` [patch_id=2243722]. The original code used string interpolation like `" LIKE '%$phrase%'"` and `"= '$phrase'"`, allowing the attacker to break out of the string context and inject arbitrary SQL commands [patch_id=2243722]. The vulnerability is reachable through the Joomla TitleLink plugin's content-linking functionality, where user-controlled input is passed as the `$phrase` parameter.

The vulnerability resides in `j_1_5_x/plugin/titlelink_plugins/plugin_content_title.php` within the `plugin_contentTitle` function. The `$phrase` parameter was directly interpolated into SQL queries without sanitization, both in the `a.alias` and `a.title` WHERE clauses [patch_id=2243722]. The calling function `getByPlugins` in `j_1_5_x/plugin/titlelink.php` also passed the raw `$phrase` to plugins without escaping [patch_id=2243722].

The patch replaces direct string interpolation with calls to `$database->quote()` in `plugin_content_title.php`, which properly escapes the `$phrase` value before embedding it in SQL queries [patch_id=2243722]. Additionally, in `titlelink.php`, the `getByPlugins` function now escapes `$phrase` via `$database->getEscaped()` before passing it to plugin functions, providing defense-in-depth [patch_id=2243722]. The changelog entry confirms the fix addresses "[#20653] SQL Injection: $phrase is escaped now" [ref_id=1].