Commit e53b91fe authored by Lukas Fleischer's avatar Lukas Fleischer
Browse files

Escape wildcards in "LIKE" patterns

Percent signs ("%") and underscores ("_") are not escaped by
mysql_real_escape_string() and are interpreted as wildcards if combined
with "LIKE". Write a wrapper function db_escape_like() and use it where
appropriate.

Note that we already fixed this for the RPC interface in commit
da2ebb66

 but missed the other places.
This patch should fix all remaining flaws reported in FS#26527.

Signed-off-by: default avatarLukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: default avatarDan McGee <dan@archlinux.org>
parent 10b6a8ff
......@@ -372,19 +372,19 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="",
$search_vars[] = "S";
}
if ($U) {
$q.= "AND Username LIKE '%".db_escape_string($U)."%' ";
$q.= "AND Username LIKE '%".db_escape_like($U)."%' ";
$search_vars[] = "U";
}
if ($E) {
$q.= "AND Email LIKE '%".db_escape_string($E)."%' ";
$q.= "AND Email LIKE '%".db_escape_like($E)."%' ";
$search_vars[] = "E";
}
if ($R) {
$q.= "AND RealName LIKE '%".db_escape_string($R)."%' ";
$q.= "AND RealName LIKE '%".db_escape_like($R)."%' ";
$search_vars[] = "R";
}
if ($I) {
$q.= "AND IRCNick LIKE '%".db_escape_string($I)."%' ";
$q.= "AND IRCNick LIKE '%".db_escape_like($I)."%' ";
$search_vars[] = "I";
}
switch ($SB) {
......
......@@ -229,6 +229,11 @@ function db_escape_string($string) {
return mysql_real_escape_string($string);
}
# Escape strings for usage in SQL LIKE operators.
function db_escape_like($string) {
return addcslashes(mysql_real_escape_string($string), '%_');
}
# disconnect from the database
# this won't normally be needed as PHP/reference counting will take care of
# closing the connection once it is no longer referenced
......
......@@ -184,8 +184,7 @@ class AurJSON {
return $this->json_error('Query arg too small');
}
$keyword_string = db_escape_string($keyword_string, $this->dbh);
$keyword_string = addcslashes($keyword_string, '%_');
$keyword_string = db_escape_like($keyword_string, $this->dbh);
$where_condition = "( Name LIKE '%{$keyword_string}%' OR " .
"Description LIKE '%{$keyword_string}%' )";
......
......@@ -457,11 +457,9 @@ function pkg_search_page($SID="", $dbh=NULL) {
}
if (isset($_GET['K'])) {
$_GET['K'] = db_escape_string(trim($_GET['K']));
# Search by maintainer
if (isset($_GET["SeB"]) && $_GET["SeB"] == "m") {
$q_where .= "AND Users.Username = '".$_GET['K']."' ";
$q_where .= "AND Users.Username = '".db_escape_string($_GET['K'])."' ";
}
# Search by submitter
elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "s") {
......@@ -469,16 +467,16 @@ function pkg_search_page($SID="", $dbh=NULL) {
}
# Search by name
elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "n") {
$q_where .= "AND (Name LIKE '%".$_GET['K']."%') ";
$q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%') ";
}
# Search by name (exact match)
elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "x") {
$q_where .= "AND (Name = '".$_GET['K']."') ";
$q_where .= "AND (Name = '".db_escape_string($_GET['K'])."') ";
}
# Search by name and description (Default)
else {
$q_where .= "AND (Name LIKE '%".$_GET['K']."%' OR ";
$q_where .= "Description LIKE '%".$_GET['K']."%') ";
$q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%' OR ";
$q_where .= "Description LIKE '%".db_escape_like($_GET['K'])."%') ";
}
}
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment