diff --git a/apps/dav/lib/Connector/Sabre/CustomPropertiesBackend.php b/apps/dav/lib/Connector/Sabre/CustomPropertiesBackend.php
index d0d348e170ef820e9ee8dd8f29b3c19f156a4303..b319350c7f09eccb4e47d34c7c1099eec59f5013 100644
--- a/apps/dav/lib/Connector/Sabre/CustomPropertiesBackend.php
+++ b/apps/dav/lib/Connector/Sabre/CustomPropertiesBackend.php
@@ -327,7 +327,7 @@ class CustomPropertiesBackend implements BackendInterface {
 
 		$result = $this->connection->executeQuery(
 			$sql,
-			array($this->user, rtrim($path, '/') . '/%', $requestedProperties),
+			array($this->user, $this->connection->escapeLikeParameter(rtrim($path, '/')) . '/%', $requestedProperties),
 			array(null, null, \Doctrine\DBAL\Connection::PARAM_STR_ARRAY)
 		);
 
diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index 4d0753696ffefea8d70a0ac8f3f30e95178bbe46..cdf123314773929738d324f535a73b1f7f57125a 100644
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -623,7 +623,7 @@ class Access extends LDAPUtility implements IUserTools {
 	 * "Developers"
 	 */
 	private function _createAltInternalOwnCloudNameForGroups($name) {
-		$usedNames = $this->groupMapper->getNamesBySearch($name.'_%');
+		$usedNames = $this->groupMapper->getNamesBySearch($name, "", '_%');
 		if(!($usedNames) || count($usedNames) === 0) {
 			$lastNo = 1; //will become name_2
 		} else {
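Review bot: The `'_%'` postfix passed to `getNamesBySearch()` is still raw LIKE syntax, so its `_` matches any single character rather than a literal underscore; only `$name` is escaped by the mapper. If the separator is meant literally, as the `//will become name_2` comment in this hunk suggests, let the mapper escape it as well: `$usedNames = $this->groupMapper->getNamesBySearch($name . '_', '', '%');`. The `@param` lines added for `$prefixMatch` and `$postfixMatch` in AbstractMapping.php should also state that both are inserted unescaped and must be fixed wildcard strings, never caller-supplied input. The function body continues past the end of this hunk.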
diff --git a/apps/user_ldap/lib/Mapping/AbstractMapping.php b/apps/user_ldap/lib/Mapping/AbstractMapping.php
index 54fe7db366fb67ca40a191b90c50568cb03230e8..67fbd9fe8519f71c85198e2135942fffe0c9ade0 100644
--- a/apps/user_ldap/lib/Mapping/AbstractMapping.php
+++ b/apps/user_ldap/lib/Mapping/AbstractMapping.php
@@ -138,16 +138,18 @@ abstract class AbstractMapping {
 	/**
 	 * Searches mapped names by the giving string in the name column
 	 * @param string $search
+	 * @param string $prefixMatch
+	 * @param string $postfixMatch
 	 * @return string[]
 	 */
-	public function getNamesBySearch($search) {
+	public function getNamesBySearch($search, $prefixMatch = "", $postfixMatch = "") {
 		$query = $this->dbc->prepare('
 			SELECT `owncloud_name`
 			FROM `'. $this->getTableName() .'`
 			WHERE `owncloud_name` LIKE ?
 		');
 
-		$res = $query->execute(array($search));
+		$res = $query->execute(array($prefixMatch.$this->dbc->escapeLikeParameter($search).$postfixMatch));
 		$names = array();
 		if($res !== false) {
 			while($row = $query->fetch()) {
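Review bot: The `LIKE ?` in this query carries no `ESCAPE` clause, so whether the characters added by `escapeLikeParameter()` are honoured depends on each backend's default LIKE escape character, and SQLite and Oracle define none. On such a backend the escape characters would be compared literally, so a name containing `_` or `%` would stop matching instead of being matched exactly. Unless the connection layer rewrites the statement (not visible here), this needs confirming for every supported database and recording next to the query, e.g. `// LIKE escape character must match escapeLikeParameter() on all supported backends`. The same applies to the LIKE clauses in both Group/Database.php hunks and in RepairLegacyStorages.php, and presumably to `$sql` in CustomPropertiesBackend.php, which is built outside its hunk. `getNamesBySearch()` continues past the end of this hunk.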
diff --git a/apps/user_ldap/tests/Mapping/AbstractMappingTest.php b/apps/user_ldap/tests/Mapping/AbstractMappingTest.php
index ddd99d31709bb83b1f8d543e706a7a46dee3b87d..a2e9f850913e049e3c57c11d3c813247c5b187bc 100644
--- a/apps/user_ldap/tests/Mapping/AbstractMappingTest.php
+++ b/apps/user_ldap/tests/Mapping/AbstractMappingTest.php
@@ -164,7 +164,7 @@ abstract class AbstractMappingTest extends \Test\TestCase {
 	public function testSearch() {
 		list($mapper,) = $this->initTest();
 
-		$names = $mapper->getNamesBySearch('%oo%');
+		$names = $mapper->getNamesBySearch('oo', '%', '%');
 		$this->assertTrue(is_array($names));
 		$this->assertSame(2, count($names));
 		$this->assertTrue(in_array('Foobar', $names));
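Review bot: The updated `testSearch()` call never puts a wildcard character inside `$search`, so the escaping this commit introduces is not exercised. A case that fails without the escape would pin it, for example `$this->assertSame(0, count($mapper->getNamesBySearch('%oo%')));`, assuming no fixture name contains a literal `%` (the fixtures are set up outside this hunk). A fixture name containing `_`, searched for exactly, would additionally show on every test database that escaped characters still match themselves. The test method continues past the end of the hunk.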
diff --git a/lib/private/Group/Database.php b/lib/private/Group/Database.php
index 36d19f74cc67b3226c651ce79247dd5e03737c47..64f249d4d25739b1e42b1beb3487f0e5c691cfc8 100644
--- a/lib/private/Group/Database.php
+++ b/lib/private/Group/Database.php
@@ -285,7 +285,7 @@ class Database extends \OC\Group\Backend {
 		$parameters = [$gid];
 		$searchLike = '';
 		if ($search !== '') {
-			$parameters[] = '%' . $search . '%';
+			$parameters[] = '%' . $this->dbConn->escapeLikeParameter($search) . '%';
 			$searchLike = ' AND `uid` LIKE ?';
 		}
 
@@ -311,7 +311,7 @@ class Database extends \OC\Group\Backend {
 		$parameters = [$gid];
 		$searchLike = '';
 		if ($search !== '') {
-			$parameters[] = '%' . $search . '%';
+			$parameters[] = '%' . $this->dbConn->escapeLikeParameter($search) . '%';
 			$searchLike = ' AND `uid` LIKE ?';
 		}
 
diff --git a/lib/private/Repair/RepairLegacyStorages.php b/lib/private/Repair/RepairLegacyStorages.php
index 8ef20cdf3c210a4333921483c5794ede63045236..096300f51c24041b67ceed07b7bb6089f07ebd66 100644
--- a/lib/private/Repair/RepairLegacyStorages.php
+++ b/lib/private/Repair/RepairLegacyStorages.php
@@ -172,7 +172,7 @@ class RepairLegacyStorages implements IRepairStep{
 		$sql = 'SELECT `id`, `numeric_id` FROM `*PREFIX*storages`'
 			. ' WHERE `id` LIKE ?'
 			. ' ORDER BY `id`';
-		$result = $this->connection->executeQuery($sql, array($dataDirId . '%'));
+		$result = $this->connection->executeQuery($sql, array($this->connection->escapeLikeParameter($dataDirId) . '%'));
 
 		while ($row = $result->fetch()) {
 			$currentId = $row['id'];