On Thu, Oct 20, 2011 at 1:52 AM, Lukas Fleischer <[email protected]> wrote: > Percent signs ("%") and underscores ("_") are not escaped by > mysql_real_escape_string() and are interpreted as wildcards if combined > with "LIKE". Write a wrapper function db_escape_like() and use it where > appropriate. > > Note that we already fixed this for the RPC interface in commit > da2ebb667b7a332ddd8d905bf9b9a8694765fed6 but missed the other places. > This patch should fix all remaining flaws reported in FS#26527. > > Signed-off-by: Lukas Fleischer <[email protected]> Looks good to me.
Signed-off-by: Dan McGee <[email protected]> > --- > web/lib/acctfuncs.inc.php | 8 ++++---- > web/lib/aur.inc.php | 5 +++++ > web/lib/aurjson.class.php | 3 +-- > web/lib/pkgfuncs.inc.php | 12 +++++------- > 4 files changed, 15 insertions(+), 13 deletions(-) > > diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php > index 692dd19..96a478b 100644 > --- a/web/lib/acctfuncs.inc.php > +++ b/web/lib/acctfuncs.inc.php > @@ -372,19 +372,19 @@ function > search_results_page($UTYPE,$O=0,$SB="",$U="",$T="", > $search_vars[] = "S"; > } > if ($U) { > - $q.= "AND Username LIKE '%".db_escape_string($U)."%' "; > + $q.= "AND Username LIKE '%".db_escape_like($U)."%' "; > $search_vars[] = "U"; > } > if ($E) { > - $q.= "AND Email LIKE '%".db_escape_string($E)."%' "; > + $q.= "AND Email LIKE '%".db_escape_like($E)."%' "; > $search_vars[] = "E"; > } > if ($R) { > - $q.= "AND RealName LIKE '%".db_escape_string($R)."%' "; > + $q.= "AND RealName LIKE '%".db_escape_like($R)."%' "; > $search_vars[] = "R"; > } > if ($I) { > - $q.= "AND IRCNick LIKE '%".db_escape_string($I)."%' "; > + $q.= "AND IRCNick LIKE '%".db_escape_like($I)."%' "; > $search_vars[] = "I"; > } > switch ($SB) { > diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php > index 51c1eff..6bc36ac 100644 > --- a/web/lib/aur.inc.php > +++ b/web/lib/aur.inc.php > @@ -229,6 +229,11 @@ function db_escape_string($string) { > return mysql_real_escape_string($string); > } > > +# Escape strings for usage in SQL LIKE operators. > +function db_escape_like($string) { > + return addcslashes(mysql_real_escape_string($string), '%_'); > +} > + > # disconnect from the database > # this won't normally be needed as PHP/reference counting will take care of > # closing the connection once it is no longer referenced > diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php > index e6e62f4..234a3c4 100644 > --- a/web/lib/aurjson.class.php > +++ b/web/lib/aurjson.class.php 
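Review bot: The new db_escape_like depends on addcslashes running after mysql_real_escape_string, and that ordering is load-bearing but undocumented: applied in the other order, the escaping call would double the backslash that addcslashes inserted and the LIKE would see a literal backslash followed by an unescaped wildcard. Suggest widening the header comment to `# Escape strings for usage in SQL LIKE operators. Wildcard escaping must run after the string escaping, otherwise the added backslashes get doubled.`. For consistency with the wrapper defined directly above it, the body could also reuse it rather than calling the driver function itself, `return addcslashes(db_escape_string($string), '%_');`, so the two wrappers stay in step if the underlying escaping ever changes.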
> @@ -195,8 +195,7 @@ class AurJSON { > return $this->json_error('Query arg too small'); > } > > - $keyword_string = db_escape_string($keyword_string, $this->dbh); > - $keyword_string = addcslashes($keyword_string, '%_'); > + $keyword_string = db_escape_like($keyword_string, $this->dbh); > > $where_condition = "( Name LIKE '%{$keyword_string}%' OR " . > "Description LIKE '%{$keyword_string}%' )"; > diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php > index b078c48..88b18b8 100644 > --- a/web/lib/pkgfuncs.inc.php > +++ b/web/lib/pkgfuncs.inc.php > @@ -457,11 +457,9 @@ function pkg_search_page($SID="", $dbh=NULL) { > } > > if (isset($_GET['K'])) { > - $_GET['K'] = db_escape_string(trim($_GET['K'])); > - > # Search by maintainer > if (isset($_GET["SeB"]) && $_GET["SeB"] == "m") { > - $q_where .= "AND Users.Username = '".$_GET['K']."' "; > + $q_where .= "AND Users.Username = > '".db_escape_string($_GET['K'])."' "; > } > # Search by submitter > elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "s") { > @@ -469,16 +467,16 @@ function pkg_search_page($SID="", $dbh=NULL) { > } > # Search by name > elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "n") { > - $q_where .= "AND (Name LIKE '%".$_GET['K']."%') "; > + $q_where .= "AND (Name LIKE > '%".db_escape_like($_GET['K'])."%') "; > } > # Search by name (exact match) > elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "x") { > - $q_where .= "AND (Name = '".$_GET['K']."') "; > + $q_where .= "AND (Name = > '".db_escape_string($_GET['K'])."') "; > } > # Search by name and description (Default) > else { > - $q_where .= "AND (Name LIKE '%".$_GET['K']."%' OR "; > - $q_where .= "Description LIKE '%".$_GET['K']."%') "; > + $q_where .= "AND (Name LIKE > '%".db_escape_like($_GET['K'])."%' OR "; > + $q_where .= "Description LIKE > '%".db_escape_like($_GET['K'])."%') "; > } > } > > -- > 1.7.7 > >
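Review bot: The new line passes `$this->dbh` as a second argument to db_escape_like, but the wrapper added in aur.inc.php declares only `$string`, so the handle is silently dropped (PHP ignores surplus arguments) and mysql_real_escape_string falls back to the last opened link; the removed line had the same mismatch, since the visible signature of db_escape_string is also `function db_escape_string($string)`. Either drop the argument here, `$keyword_string = db_escape_like($keyword_string);`, or extend both wrappers to accept and forward an optional `$dbh` so the escaping is done with the connection's actual character set. The enclosing method starts and ends outside the hunk.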
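Review bot: Removing the blanket `$_GET['K'] = db_escape_string(trim($_GET['K']));` at the top of the block means every branch must now escape the keyword itself, but the body of the "Search by submitter" branch falls in the single line between the two hunks, so this patch does not show whether that branch still reaches the query escaped; it should be checked and, if it interpolates the keyword, changed to `db_escape_string($_GET['K'])` like the maintainer branch. The removed line also applied `trim()`, and none of the new lines restore it, so a keyword with surrounding whitespace is now matched differently than before; if that is intended it deserves a comment, otherwise the calls should wrap it, e.g. `db_escape_like(trim($_GET['K']))`. The old code additionally wrote the escaped value back into `$_GET['K']`, so any later reader of that key outside these hunks now receives the raw value. pkg_search_page starts and ends outside the hunk.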
