diff --git a/app/models/account/entry.rb b/app/models/account/entry.rb
index cdc6410c..eeada207 100644
--- a/app/models/account/entry.rb
+++ b/app/models/account/entry.rb
@@ -137,7 +137,7 @@ class Account::Entry < ApplicationRecord
 def search(params)
 query = all
- query = query.where("account_entries.name ILIKE ?", "%#{params[:search]}%") if params[:search].present?
+ query = query.where("account_entries.name ILIKE ?", "%#{sanitize_sql_like(params[:search])}%") if params[:search].present?
 query = query.where("account_entries.date >= ?", params[:start_date]) if params[:start_date].present?
 query = query.where("account_entries.date <= ?", params[:end_date]) if params[:end_date].present?
diff --git a/test/models/account/entry_test.rb b/test/models/account/entry_test.rb
index edea8464..3e160524 100644
--- a/test/models/account/entry_test.rb
+++ b/test/models/account/entry_test.rb
@@ -62,6 +62,9 @@ class Account::EntryTest < ActiveSupport::TestCase
 params = params.merge(categories: [ category.name ], merchants: [ merchant.name ]) # transaction specific search param
 assert_equal 1, family.entries.search(params).size
+
+ params = { search: "%" }
+ assert_equal 0, family.entries.search(params).size
 end
 test "can calculate total spending for a group of transactions" do
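Review bot: The new `sanitize_sql_like(params[:search])` call on the `+` line assumes the search value is a String, but `params` is request-controlled and `present?` is also true for an Array or Hash (e.g. `?search[]=x`), on which `sanitize_sql_like` will raise rather than escape, turning a bad query string into a 500. Coercing first keeps the wildcard escaping and avoids the crash: `"%#{sanitize_sql_like(params[:search].to_s)}%"`. The value is still passed as a bind parameter, so this change only closes the `%`/`_` wildcard-injection gap, not an SQL-injection one; it would be worth a one-line comment such as `# escape LIKE wildcards so user input matches literally; value itself stays a bind param`. Note that `sanitize_sql_like` escapes with `\` by default, which matches PostgreSQL's default `ILIKE` escape character visible here — if an explicit `ESCAPE` clause is ever added to this query, the same character must be passed as the second argument. The body of `search` continues past the end of the hunk.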
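Review bot: The added assertion only exercises `%`; `sanitize_sql_like` also escapes `_` (the single-character wildcard) and the escape character itself, and neither is covered, so a regression that escapes only `%` would still pass. A second negative case is cheap: `params = { search: "_" }` followed by `assert_equal 0, family.entries.search(params).size`. A positive case would also help — an entry whose name literally contains `%` should still be found by `search: "%"` — otherwise the test passes equally against a filter that simply drops or rejects wildcard characters. The `0` expectation presumably relies on no fixture entry name containing `%` or `_`; that is worth stating in a comment. The enclosing `test` block begins before this hunk.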