mirror of
https://gitlab.archlinux.org/archlinux/aurweb.git
synced 2025-02-03 10:43:03 +01:00
Escape wildcards in "LIKE" patterns
Percent signs ("%") and underscores ("_") are not escaped by
mysql_real_escape_string() and are interpreted as wildcards if combined
with "LIKE". Write a wrapper function db_escape_like() and use it where
appropriate.
Note that we already fixed this for the RPC interface in commit
da2ebb667b but missed the other places.
This patch should fix all remaining flaws reported in FS#26527.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
This commit is contained in:
Lukas Fleischer
parent
323d418f02
commit
47c5167acb
4 changed files with 15 additions and 13 deletions
|
|
@ -229,6 +229,11 @@ function db_escape_string($string) {
|
|||
return mysql_real_escape_string($string);
|
||||
}
|
||||
|
||||
# Escape strings for usage in SQL LIKE operators.
|
||||
function db_escape_like($string) {
|
||||
return addcslashes(mysql_real_escape_string($string), '%_');
|
||||
}
|
||||
|
||||
# disconnect from the database
|
||||
# this won't normally be needed as PHP/reference counting will take care of
|
||||
# closing the connection once it is no longer referenced
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue