Revision: 1120
          http://mrbs.svn.sourceforge.net/mrbs/?rev=1120&view=rev
Author:   jberanek
Date:     2009-06-19 20:50:59 +0000 (Fri, 19 Jun 2009)

Log Message:
-----------
* Added missing SQL escaping to search functionality.

Modified Paths:
--------------
    mrbs/trunk/web/search.php

Modified: mrbs/trunk/web/search.php
===================================================================
--- mrbs/trunk/web/search.php   2009-06-19 20:45:24 UTC (rev 1119)
+++ mrbs/trunk/web/search.php   2009-06-19 20:50:59 UTC (rev 1120)
@@ -35,12 +35,10 @@
 }
 
 // Need all these different versions with different escaping.
-// search_str must be left as the html-escaped version because this is
-// used as the default value for the search box in the header.
 if (!empty($search_str)) 
 {
   $search_url = urlencode($search_str);
-  $search_str = htmlspecialchars($search_str);
+  $search_html = htmlspecialchars($search_str);
 }
 
 print_header($day, $month, $year, $area, isset($room) ? $room : "");
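Review bot: The removed comment said `$search_str` was kept html-escaped because it is the default value of the search box in the header, yet the call on the last line of the hunk still passes the now-raw `$search_str` context through to `print_header()` (via the globals it reads, presumably). If `print_header()` interpolates `$search_str` into the input's `value` attribute without its own `htmlspecialchars()`, this hunk reintroduces reflected HTML injection in the search box; either confirm the header escapes it itself, or pass `$search_html` there and note it in a comment such as `// $search_str is now raw: only $search_html / $search_url / addslashes() forms may reach output or SQL`. The `if` on line 24 also treats a search for the literal string "0" as empty because of `!empty()`; `$search_str !== ''` would be the precise test.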
@@ -87,14 +85,14 @@
 }
 
 // now is used so that we only display entries newer than the current time
-echo "<h3>" . get_vocab("search_results") . ": \"<span 
id=\"search_str\">$search_str</span>\"</h3>\n";
+echo "<h3>" . get_vocab("search_results") . ": \"<span 
id=\"search_str\">$search_html</span>\"</h3>\n";
 
 $now = mktime(0, 0, 0, $month, $day, $year);
 
 // This is the main part of the query predicate, used in both queries:
-$sql_pred = "( " . sql_syntax_caseless_contains("E.create_by", $search_str)
-  . " OR " . sql_syntax_caseless_contains("E.name", $search_str)
-  . " OR " . sql_syntax_caseless_contains("E.description", $search_str)
+$sql_pred = "( " . sql_syntax_caseless_contains("E.create_by", 
addslashes($search_str))
+  . " OR " . sql_syntax_caseless_contains("E.name", addslashes($search_str))
+  . " OR " . sql_syntax_caseless_contains("E.description", 
addslashes($search_str))
   . ") AND E.end_time > $now";
 
 # Unless we overriding privacy settings as "public" or user
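Review bot: `addslashes()` on the three `sql_syntax_caseless_contains()` arguments is not a database-aware escape: it only backslashes quotes, backslashes and NUL, which is wrong for backends where backslash is not an escape character (PostgreSQL with standard-conforming strings) and is known to be bypassable under some multibyte MySQL connection charsets. The value should go through whatever quoting function the project's `sql_*` abstraction provides for the configured backend (or a parameterized query), not a generic PHP string helper. Separately, if `sql_syntax_caseless_contains()` builds a `LIKE` pattern, `%` and `_` inside `$search_str` still act as wildcards; that is a functional rather than injection issue, but worth a comment: `// NOTE: LIKE metacharacters (%, _) in $search_str are not escaped and act as wildcards`. `$now` is the integer result of `mktime()` on line 41, so its interpolation into the predicate is safe.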

