Escape wildcards in "LIKE" patterns

Percent signs ("%") and underscores ("_") are not escaped by
mysql_real_escape_string() and are interpreted as wildcards if combined
with "LIKE". Write a wrapper function db_escape_like() and use it where
appropriate.

Note that we already fixed this for the RPC interface in commit
da2ebb667b but missed the other places.
This patch should fix all remaining flaws reported in FS#26527.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>

web/lib/pkgfuncs.inc.php

@@ -457,11 +457,9 @@ function pkg_search_page($SID="", $dbh=NULL) {
 	}
 
 	if (isset($_GET['K'])) {
-		$_GET['K'] = db_escape_string(trim($_GET['K']));
-
 		# Search by maintainer
 		if (isset($_GET["SeB"]) && $_GET["SeB"] == "m") {
-			$q_where .= "AND Users.Username = '".$_GET['K']."' ";
+			$q_where .= "AND Users.Username = '".db_escape_string($_GET['K'])."' ";
 		}
 		# Search by submitter
 		elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "s") {
@@ -469,16 +467,16 @@ function pkg_search_page($SID="", $dbh=NULL) {
 		}
 		# Search by name
 		elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "n") {
-			$q_where .= "AND (Name LIKE '%".$_GET['K']."%') ";
+			$q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%') ";
 		}
 		# Search by name (exact match)
 		elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "x") {
-			$q_where .= "AND (Name = '".$_GET['K']."') ";
+			$q_where .= "AND (Name = '".db_escape_string($_GET['K'])."') ";
 		}
 		# Search by name and description (Default)
 		else {
-			$q_where .= "AND (Name LIKE '%".$_GET['K']."%' OR ";
-			$q_where .= "Description LIKE '%".$_GET['K']."%') ";
+			$q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%' OR ";
+			$q_where .= "Description LIKE '%".db_escape_like($_GET['K'])."%') ";
 		}
 	}