[Aminet-commit] r140 - trunk/phpinclude/include
aminet-discuss at aminet.net
aminet-discuss at aminet.net
Sun Nov 9 22:49:33 CET 2008
Author: mendoza
Date: 2008-11-09 13:49:33 -0800 (Sun, 09 Nov 2008)
New Revision: 140
Modified:
trunk/phpinclude/include/search.php
Log:
avoid sql injections
Modified: trunk/phpinclude/include/search.php
===================================================================
--- trunk/phpinclude/include/search.php 2008-11-09 21:48:47 UTC (rev 139)
+++ trunk/phpinclude/include/search.php 2008-11-09 21:49:33 UTC (rev 140)
@@ -116,9 +116,9 @@
foreach(querytoarray($_SEARCH['name']) as $elem) {
$elem = preg_replace("/_/",'\_',$elem);
if (preg_match("/\*|%|#?\?/",$elem)) {
- array_push($name_array," (pkg_name LIKE '$elem') ");
+ array_push($name_array, sprintf(" (pkg_name LIKE '%s') ", mysql_real_escape_string($elem)));
} else if ($elem != "") {
- array_push($name_array," (pkg_name LIKE '%$elem%') ");
+ array_push($name_array, sprintf(" (pkg_name LIKE '%%%s%%') ", mysql_real_escape_string($elem)));
}
}
$where_name = implode("AND",$name_array);
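Review bot: mysql_real_escape_string() on the two added lines only escapes correctly when a MySQL link is already open and its charset has been set (mysql_set_charset()); with no link it emits a warning and returns false, so sprintf() silently emits `(pkg_name LIKE '')` and the search runs against an empty pattern instead of failing. It is worth confirming that the connection is established before this foreach, which starts inside an enclosing function whose head is outside the hunk, or adding a guard such as `$safe = mysql_real_escape_string($elem); if ($safe === false) { trigger_error('no db link', E_USER_ERROR); }`. The same `sprintf(" (col LIKE '…') ", mysql_real_escape_string($elem))` fragment is now repeated nine times across this hunk and the ones for pkg_desc, pkg_path, arch_name and readme_index.keyword; a single helper like `function like_clause($column, $pattern) { return sprintf(" (%s LIKE '%s') ", $column, mysql_real_escape_string($pattern)); }` would keep the escaping in one place so a later fix is not missed in one copy.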
@@ -133,9 +133,9 @@
foreach(querytoarray($_SEARCH['desc']) as $elem) {
$elem = preg_replace("/_/",'\_',$elem);
if (preg_match("/\*|#?\?|%/",$elem)) {
- array_push($desc_array," (pkg_desc LIKE '$elem') ");
+ array_push($desc_array, sprintf(" (pkg_desc LIKE '%s') ", mysql_real_escape_string($elem)));
} else if ($elem != "") {
- array_push($desc_array," (pkg_desc LIKE '%$elem%') ");
+ array_push($desc_array, sprintf(" (pkg_desc LIKE '%%%s%%') ", mysql_real_escape_string($elem)));
}
}
$where_desc = $_SEARCH['q_desc']." (".implode("AND",$desc_array).")";
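Review bot: The last line of the hunk still concatenates `$_SEARCH['q_desc']` straight into the WHERE clause, so if $_SEARCH is populated from the request (its origin is outside the hunk) the commit escapes the LIKE operands but leaves a raw SQL fragment in front of them. The same pattern remains for `$_SEARCH['q_path']`, `$_SEARCH['q_arch']`, `$_SEARCH['q_readme']` and `$_SEARCH['q_content']` in the following hunks. Since these presumably carry a connective such as AND/OR/AND NOT, restricting them to a whitelist before use, e.g. `$q_desc = in_array($_SEARCH['q_desc'], array('AND', 'OR', 'AND NOT'), true) ? $_SEARCH['q_desc'] : 'AND';`, would close that path without changing the query shape. A short comment at the top of the function stating which $_SEARCH keys are trusted and which are escaped would also help the next reader audit this.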
@@ -161,9 +161,9 @@
break;
}
if (preg_match("/\//",$elem)) {
- array_push($path_array," (pkg_path LIKE '$elem') ");
+ array_push($path_array, sprintf(" (pkg_path LIKE '%s') ", mysql_real_escape_string($elem)));
} else {
- array_push($path_array," (pkg_path LIKE '$elem%') ");
+ array_push($path_array, sprintf(" (pkg_path LIKE '%s%%') ", mysql_real_escape_string($elem)));
}
}
$where_path = $_SEARCH['q_path']." (".implode("OR",$path_array).")";
@@ -189,9 +189,9 @@
break;
}
if (preg_match("/-/",$elem)) {
- array_push($arch_array," (arch_name LIKE '$elem') ");
+ array_push($arch_array, sprintf(" (arch_name LIKE '%s') ", mysql_real_escape_string($elem)));
} else {
- array_push($arch_array," (arch_name LIKE '$elem%') ");
+ array_push($arch_array, sprintf(" (arch_name LIKE '%s%%') ", mysql_real_escape_string($elem)));
}
}
$where_arch = "AND pkg_id = pa_pkg_id AND arch_id = pa_arch_id ".$_SEARCH['q_arch']." (".implode("OR",$arch_array).")";
@@ -211,7 +211,7 @@
if ($_SEARCH['m_readme'] == "INDEX") {
$_SEARCH['m_readme'] = "INDEX";
foreach(querytoarray($readme) as $elem) {
- array_push($readme_array," (readme_index.keyword LIKE '%$elem%') ");
+ array_push($readme_array, sprintf(" (readme_index.keyword LIKE '%%%s%%') ", mysql_real_escape_string($elem)));
}
$where_readme = $_SEARCH['q_readme']." (".implode("AND",$readme_array).") ";
$from .= " JOIN readme_index on readme_index.package = pkg_id";
@@ -223,7 +223,8 @@
# }
# $where_readme = " $_SEARCH['q_readme'] (".implode("AND",$readme_array).")";
if (!preg_match("/[\s\"]/",$_SEARCH['readme'])) { $_SEARCH['readme'] = "\"".$_SEARCH['readme']."\""; }
- $where_readme = $_SEARCH['q_readme']." MATCH readme_content AGAINST ('".$_SEARCH['readme']."' IN BOOLEAN MODE) ";
+ $where_readme = $_SEARCH['q_readme']." MATCH readme_content AGAINST
+('".mysql_real_escape_string($_SEARCH['readme'])."' IN BOOLEAN MODE) ";
$from .= " JOIN readme on pkg_id=readme_id";
}
$nowhere=0;
@@ -240,7 +241,8 @@
# }
# $where_content = " $q_content (".implode("AND",$content_array).")";
if (!preg_match("/[\s\"]/",$_SEARCH['content'])) { $_SEARCH['content'] = "\"".$_SEARCH['content']."\""; }
- $where_content = $_SEARCH['q_content']." MATCH listing_content AGAINST ('".$_SEARCH['content']."' IN BOOLEAN MODE) ";
+ $where_content = $_SEARCH['q_content']." MATCH listing_content AGAINST
+('".mysql_real_escape_string($_SEARCH['content'])."' IN BOOLEAN MODE) ";
$from .= " JOIN listing on pkg_id=listing_id";
$nowhere=0;
}