external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Escape wildcards in "LIKE" patterns

Browse source 
Percent signs ("%") and underscores ("_") are not escaped by
mysql_real_escape_string() and are interpreted as wildcards if combined
with "LIKE". Write a wrapper function db_escape_like() and use it where
appropriate.

Note that we already fixed this for the RPC interface in commit
da2ebb667b but missed the other places.
This patch should fix all remaining flaws reported in FS#26527.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
This commit is contained in:
Lukas Fleischer 2011-10-20 08:43:44 +02:00
parent 10b6a8fff7
commit e53b91fe52
4 changed files with 15 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

8
web/lib/acctfuncs.inc.php
View file

@ -372,19 +372,19 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="",
$search_vars[] = "S";
}
if ($U) {
$q.= "AND Username LIKE '%".db_escape_string($U)."%' ";
$q.= "AND Username LIKE '%".db_escape_like($U)."%' ";
$search_vars[] = "U";
}
if ($E) {
$q.= "AND Email LIKE '%".db_escape_string($E)."%' ";
$q.= "AND Email LIKE '%".db_escape_like($E)."%' ";
$search_vars[] = "E";
}
if ($R) {
$q.= "AND RealName LIKE '%".db_escape_string($R)."%' ";
$q.= "AND RealName LIKE '%".db_escape_like($R)."%' ";
$search_vars[] = "R";
}
if ($I) {
$q.= "AND IRCNick LIKE '%".db_escape_string($I)."%' ";
$q.= "AND IRCNick LIKE '%".db_escape_like($I)."%' ";
$search_vars[] = "I";
}
switch ($SB) {