summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLukas Fleischer <archlinux@cryptocrack.de>2011-10-20 08:43:44 +0200
committerLukas Fleischer <archlinux@cryptocrack.de>2011-10-25 09:25:43 +0200
commite53b91fe52be262d94a45769814c1e87c796988b (patch)
tree7500e0c1aef89939d642e703f71d4c1c585fd832
parent10b6a8fff7e6d407421c74889455b969be7f867f (diff)
Escape wildcards in "LIKE" patterns
Percent signs ("%") and underscores ("_") are not escaped by mysql_real_escape_string() and are interpreted as wildcards if combined with "LIKE". Write a wrapper function db_escape_like() and use it where appropriate. Note that we already fixed this for the RPC interface in commit da2ebb667b7a332ddd8d905bf9b9a8694765fed6 but missed the other places. This patch should fix all remaining flaws reported in FS#26527. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: Dan McGee <dan@archlinux.org>
-rw-r--r--web/lib/acctfuncs.inc.php8
-rw-r--r--web/lib/aur.inc.php5
-rw-r--r--web/lib/aurjson.class.php3
-rw-r--r--web/lib/pkgfuncs.inc.php12
4 files changed, 15 insertions, 13 deletions
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 9171874..9bd6e51 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -372,19 +372,19 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="",
$search_vars[] = "S";
}
if ($U) {
- $q.= "AND Username LIKE '%".db_escape_string($U)."%' ";
+ $q.= "AND Username LIKE '%".db_escape_like($U)."%' ";
$search_vars[] = "U";
}
if ($E) {
- $q.= "AND Email LIKE '%".db_escape_string($E)."%' ";
+ $q.= "AND Email LIKE '%".db_escape_like($E)."%' ";
$search_vars[] = "E";
}
if ($R) {
- $q.= "AND RealName LIKE '%".db_escape_string($R)."%' ";
+ $q.= "AND RealName LIKE '%".db_escape_like($R)."%' ";
$search_vars[] = "R";
}
if ($I) {
- $q.= "AND IRCNick LIKE '%".db_escape_string($I)."%' ";
+ $q.= "AND IRCNick LIKE '%".db_escape_like($I)."%' ";
$search_vars[] = "I";
}
switch ($SB) {
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index 51c1eff..6bc36ac 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -229,6 +229,11 @@ function db_escape_string($string) {
return mysql_real_escape_string($string);
}
+# Escape strings for usage in SQL LIKE operators.
+function db_escape_like($string) {
+ return addcslashes(mysql_real_escape_string($string), '%_');
+}
+
# disconnect from the database
# this won't normally be needed as PHP/reference counting will take care of
# closing the connection once it is no longer referenced
diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php
index edd6872..6c7725c 100644
--- a/web/lib/aurjson.class.php
+++ b/web/lib/aurjson.class.php
@@ -184,8 +184,7 @@ class AurJSON {
return $this->json_error('Query arg too small');
}
- $keyword_string = db_escape_string($keyword_string, $this->dbh);
- $keyword_string = addcslashes($keyword_string, '%_');
+ $keyword_string = db_escape_like($keyword_string, $this->dbh);
$where_condition = "( Name LIKE '%{$keyword_string}%' OR " .
"Description LIKE '%{$keyword_string}%' )";
diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php
index b078c48..88b18b8 100644
--- a/web/lib/pkgfuncs.inc.php
+++ b/web/lib/pkgfuncs.inc.php
@@ -457,11 +457,9 @@ function pkg_search_page($SID="", $dbh=NULL) {
}
if (isset($_GET['K'])) {
- $_GET['K'] = db_escape_string(trim($_GET['K']));
-
# Search by maintainer
if (isset($_GET["SeB"]) && $_GET["SeB"] == "m") {
- $q_where .= "AND Users.Username = '".$_GET['K']."' ";
+ $q_where .= "AND Users.Username = '".db_escape_string($_GET['K'])."' ";
}
# Search by submitter
elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "s") {
@@ -469,16 +467,16 @@ function pkg_search_page($SID="", $dbh=NULL) {
}
# Search by name
elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "n") {
- $q_where .= "AND (Name LIKE '%".$_GET['K']."%') ";
+ $q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%') ";
}
# Search by name (exact match)
elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "x") {
- $q_where .= "AND (Name = '".$_GET['K']."') ";
+ $q_where .= "AND (Name = '".db_escape_string($_GET['K'])."') ";
}
# Search by name and description (Default)
else {
- $q_where .= "AND (Name LIKE '%".$_GET['K']."%' OR ";
- $q_where .= "Description LIKE '%".$_GET['K']."%') ";
+ $q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%' OR ";
+ $q_where .= "Description LIKE '%".db_escape_like($_GET['K'])."%') ";
}
}