diff --git a/framework/core/src/User/UserRepository.php b/framework/core/src/User/UserRepository.php
index 8619446b9..f294a63ac 100644
--- a/framework/core/src/User/UserRepository.php
+++ b/framework/core/src/User/UserRepository.php
@@ -90,6 +90,8 @@ class UserRepository
      */
     public function getIdsForUsername($string, User $actor = null)
     {
+        $string = $this->escapeLikeString($string);
+
         $query = User::where('username', 'like', '%'.$string.'%')
             ->orderByRaw('username = ? desc', [$string])
             ->orderByRaw('username like ? desc', [$string.'%']);
@@ -112,4 +114,15 @@ class UserRepository
         return $query;
     }
+
+    /**
+     * Escape special characters that can be used as wildcards in a LIKE query.
+     *
+     * @param string $string
+     * @return string
+     */
+    private function escapeLikeString($string)
+    {
+        return str_replace(['\\', '%', '_'], ['\\\\', '\%', '\_'], $string);
+    }
 }
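Review bot: Reassigning `$string` to its LIKE-escaped form also feeds the escaped value into `orderByRaw('username = ? desc', [$string])`, so a search for a username containing `_`, `%` or `\` (underscores are common in usernames) is compared as `john\_doe` and the exact-match row no longer sorts first. The escaping is only needed for the two LIKE patterns; keep the raw value for the equality test by writing `$escaped = $this->escapeLikeString($string);`, `User::where('username', 'like', '%'.$escaped.'%')` and `->orderByRaw('username like ? desc', [$escaped.'%'])` while leaving the `=` clause bound to `$string`. The rest of getIdsForUsername, including whatever is done with `$actor`, lies outside this hunk.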
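Review bot: escapeLikeString assumes the database treats backslash as the LIKE escape character, which `where('username', 'like', ...)` never declares with an explicit `ESCAPE` clause; if I read the engine semantics right, MySQL does this by default but not under `NO_BACKSLASH_ESCAPES`, and SQLite has no default escape character at all, so `%` and `_` would still act as wildcards there. Since the helper's sole purpose is to neutralise user-controlled wildcards, the docblock should state the assumption, e.g. `* Relies on the connection using backslash as the default LIKE escape character (MySQL default); add an ESCAPE clause for other drivers.` Native types would also tighten the new method: `private function escapeLikeString(string $string): string`.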