Changeset:
        cc0038ba740b
        
https://sourceforge.net/p/mrbs/hg-code/ci/cc0038ba740b8f877c13c6ee580185250db8c81d
Author:
        John Beranek <jbera...@users.sourceforge.net>
Date:
        Sat Sep 17 16:29:09 2016 +0100
Log message:

Fixed incorrect use of sql_syntax_caseless_contains

diffstat:

 web/search.php |  24 +++++++++++++-----------
 1 files changed, 13 insertions(+), 11 deletions(-)

diffs (69 lines):

diff -r aeb55a1aa62f -r cc0038ba740b web/search.php
--- a/web/search.php    Sat Sep 17 13:34:45 2016 +0100
+++ b/web/search.php    Sat Sep 17 16:29:09 2016 +0100
@@ -197,10 +197,9 @@
 // NOTE: sql_syntax_caseless_contains() does the SQL escaping
 
 $sql_params = array();
-$sql_pred = "( " . sql_syntax_caseless_contains("E.create_by", '?')
-  . " OR " . sql_syntax_caseless_contains("E.name", '?')
-  . " OR " . sql_syntax_caseless_contains("E.description", '?');
-array_push($sql_params, $search_str, $search_str, $search_str);
+$sql_pred = "( " . sql_syntax_caseless_contains("E.create_by", $search_str)
+  . " OR " . sql_syntax_caseless_contains("E.name", $search_str)
+  . " OR " . sql_syntax_caseless_contains("E.description", $search_str);
 
 // Also need to search custom fields (but only those with character data,
 // which can include fields that have an associative array of options)
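Review bot: With the `?` placeholders removed, `$search_str` — raw user input from the search form — is now the only value in this predicate that is interpolated into the SQL text rather than bound, so the escaping inside `sql_syntax_caseless_contains()` is the entire defence on these three lines; its body is not in this diff, so confirm for every supported driver that it both quotes the value and escapes quote characters and, ideally, the LIKE metacharacters `%` and `_` (a search for `%` otherwise matches every row, a wildcard-widening bug rather than an injection, but still surprising). The existing comment only says the helper "does the SQL escaping"; I would tighten it to `// NOTE: $search_str is raw user input. sql_syntax_caseless_contains() quotes and escapes it for the active DB driver; do not wrap it in sql_quote() or bind it with '?' as well.` so the double handling this commit removes is not reintroduced. `$sql_params` is still initialised above and filled by the later hunks, which is fine.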
@@ -221,7 +220,7 @@
         if (($key !== '') && (strpos(utf8_strtolower($value), 
utf8_strtolower($search_str)) !== FALSE))
         {
           $sql_pred .= " OR E." . sql_quote($field['name']) . "=?";
-          array_push($sql_params, $key);
+          $sql_params[] = $key;
         }
       }
     }
@@ -232,7 +231,8 @@
   }
 }
 
-$sql_pred .= ") AND E.end_time > $now";
+$sql_pred .= ") AND E.end_time > ?";
+$sql_params[] = $now;
 $sql_pred .= " AND E.room_id = R.id AND R.area_id = A.id";
 
 
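Review bot: Correctness of this query now rests on `$sql_params` being appended in exactly the order the `?` placeholders are appended to `$sql_pred` — the custom-field `?`s pushed in the loop above, then `$now` here, then the `$user` values in the next hunk — and nothing in the code states that invariant. A one-line comment at the new push, `// parameter order must mirror the order of the '?' placeholders appended to $sql_pred`, would make it explicit for the next edit. Binding `$now` instead of interpolating it is the right direction; if `$now` is an integer timestamp, it is worth checking that the DB layer passes it through with a numeric type on drivers that distinguish string from integer parameters, which this diff does not show.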
@@ -251,7 +251,8 @@
     $sql_pred .= " AND ((A.private_override='public') OR
                         (A.private_override='none' AND ((E.status&" . 
STATUS_PRIVATE . "=0) OR E.create_by = ? OR
                         (A.private_override='private' AND E.create_by = ?))";
-    array_push($sql_params, $user, $user);                
+    $sql_params[] = $user;
+    $sql_params[] = $user;
   }
   else
   {
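Review bot: As rendered in this mail the predicate on the context lines of this hunk opens six parentheses and closes four (`((A.private_override='public') OR (A.private_override='none' AND ((E.status&…=0) OR E.create_by = ? OR (A.private_override='private' AND E.create_by = ?))`), so either the mail wrapping dropped a `)) OR` or the real file carries an unbalanced predicate that would fail at query time; since this hunk only touched the parameter pushes, please check the actual source around line 251. The two `$user` pushes do match the two `?` in that string, in order. Interpolating `STATUS_PRIVATE` directly is acceptable only as long as it remains an application-defined numeric constant and never something derived from the request.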
@@ -268,9 +269,10 @@
 // searches so that we don't have to run it for each page.
 if (!isset($total))
 {
-  $total = sql_query1("SELECT count(*)
-                       FROM $tbl_entry E, $tbl_room R, $tbl_area A
-                       WHERE $sql_pred", $sql_params);
+  $sql = "SELECT count(*)
+          FROM $tbl_entry E, $tbl_room R, $tbl_area A
+          WHERE $sql_pred";
+  $total = sql_query1($sql, $sql_params);
 }
 if ($total < 0)
 {
@@ -315,7 +317,7 @@
   $result = sql_query($sql, $sql_params);
   if (! $result)
   {
-    trigger_error(sql_error(), E_USER_WARNING);
+    trigger_error("sql ".$sql." err ".sql_error(), E_USER_WARNING);
     fatal_error(FALSE, get_vocab("fatal_db_error"));
   }
   $num_records = sql_count($result);
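Review bot: The new warning text embeds the full query in an `E_USER_WARNING`, which on a deployment with `display_errors` enabled is written straight into the HTTP response and otherwise into the web-server log; because `$search_str` is interpolated into `$sql_pred` by `sql_syntax_caseless_contains()` (first hunk), every failed query now leaks the user's raw search term together with table and column names. The `"sql ".$sql." err ".sql_error()` form reads like debugging output left in, so either restore the previous `trigger_error(sql_error(), E_USER_WARNING);` or, if the codebase has a debug switch (none is visible in this diff), emit the query only under it, e.g. `trigger_error(($debug ? "sql $sql err " : '') . sql_error(), E_USER_WARNING);`. The `fatal_error()` call on the following line already shows the user only the generic `fatal_db_error` text, so nothing is lost by keeping the warning terse.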
