Index: autocreate.module
===================================================================
RCS file: /cvs/drupal-contrib/contributions/modules/autocreate/autocreate.module,v
retrieving revision 1.5.2.7.2.11
diff -u -r1.5.2.7.2.11 autocreate.module
--- autocreate.module	21 Apr 2009 14:37:37 -0000	1.5.2.7.2.11
+++ autocreate.module	3 Sep 2009 21:55:00 -0000
@@ -301,6 +301,13 @@
 }
 
 /**
+ * helper function for mysql special chars
+ */
+function autocreate_mysql_escape($str) {
+    return preg_replace('/[\[\]%_]/', '\\\\'.'\0', $str);
+}
+
+/**
  * get a list of template nodes that might be associated with the field
  */
 function _autocreate_potential_references($field, $return_full_nodes = FALSE, $string = '', $exact_string = FALSE) {
@@ -311,7 +318,7 @@
   switch ($GLOBALS['db_type']) {
     case 'mysql':
     case 'mysqli':
-      $result = db_query("SELECT n.nid, n.title AS node_title FROM {node} n WHERE n.title REGEXP '%s$' ORDER BY n.title", $template_token);
+      $result = db_query("SELECT n.nid, n.title AS node_title FROM {node} n WHERE n.title REGEXP '%s$' ORDER BY n.title", autocreate_mysql_escape($template_token));
     break;
     case 'pgsql':
       $result = db_query("SELECT n.nid, n.title AS node_title FROM {node} n WHERE n.title ~ '%s$' ORDER BY n.title", $template_token);