Changeset:
cc0038ba740b
https://sourceforge.net/p/mrbs/hg-code/ci/cc0038ba740b8f877c13c6ee580185250db8c81d
Author:
John Beranek <[email protected]>
Date:
Sat Sep 17 16:29:09 2016 +0100
Log message:
Fixed incorrect use of sql_syntax_caseless_contains
diffstat:
web/search.php | 24 +++++++++++++-----------
1 files changed, 13 insertions(+), 11 deletions(-)
diffs (69 lines):
diff -r aeb55a1aa62f -r cc0038ba740b web/search.php
--- a/web/search.php Sat Sep 17 13:34:45 2016 +0100
+++ b/web/search.php Sat Sep 17 16:29:09 2016 +0100
@@ -197,10 +197,9 @@
// NOTE: sql_syntax_caseless_contains() does the SQL escaping
$sql_params = array();
-$sql_pred = "( " . sql_syntax_caseless_contains("E.create_by", '?')
- . " OR " . sql_syntax_caseless_contains("E.name", '?')
- . " OR " . sql_syntax_caseless_contains("E.description", '?');
-array_push($sql_params, $search_str, $search_str, $search_str);
+$sql_pred = "( " . sql_syntax_caseless_contains("E.create_by", $search_str)
+ . " OR " . sql_syntax_caseless_contains("E.name", $search_str)
+ . " OR " . sql_syntax_caseless_contains("E.description", $search_str);
// Also need to search custom fields (but only those with character data,
// which can include fields that have an associative array of options)
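Review bot: The user-supplied `$search_str` is now spliced into `$sql_pred` by string concatenation instead of being bound as a parameter, so injection safety for the whole predicate rests on `sql_syntax_caseless_contains()` escaping its argument correctly for every database backend MRBS supports; the NOTE at the top of the hunk asserts this, but nothing here checks it. If that helper builds a `LIKE` pattern (it presumably does, given the name), a `%` or `_` in the search text also remains a live wildcard after SQL escaping, which is probably acceptable for a search box but should be stated in the comment. A shape that keeps the value bound would be to have the helper emit `LIKE ?` (or the backend's caseless equivalent) and push `'%' . $search_str . '%'` onto `$sql_params` once per column, preserving the positional-parameter contract the rest of the commit relies on. The origin of `$search_str` and the later growth of `$sql_pred` are outside this hunk.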
@@ -221,7 +220,7 @@
if (($key !== '') && (strpos(utf8_strtolower($value),
utf8_strtolower($search_str)) !== FALSE))
{
$sql_pred .= " OR E." . sql_quote($field['name']) . "=?";
- array_push($sql_params, $key);
+ $sql_params[] = $key;
}
}
}
@@ -232,7 +231,8 @@
}
}
-$sql_pred .= ") AND E.end_time > $now";
+$sql_pred .= ") AND E.end_time > ?";
+$sql_params[] = $now;
$sql_pred .= " AND E.room_id = R.id AND R.area_id = A.id";
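Review bot: Binding `$now` here makes `$sql_params` a purely positional list filled at several separate append sites (custom-field keys in the hunk above, then `$now`, then `$user` twice further down), and nothing documents that the append order must track the `?` order in `$sql_pred` — the exact invariant this commit is repairing. A one-line comment at the first append would protect the next edit: `// $sql_params must be appended in the same order as the '?' placeholders in $sql_pred`. Whether `$now` is an integer timestamp or a string is not visible in this hunk.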
@@ -251,7 +251,8 @@
$sql_pred .= " AND ((A.private_override='public') OR
(A.private_override='none' AND ((E.status&" .
STATUS_PRIVATE . "=0) OR E.create_by = ? OR
(A.private_override='private' AND E.create_by = ?))";
- array_push($sql_params, $user, $user);
+ $sql_params[] = $user;
+ $sql_params[] = $user;
}
else
{
@@ -268,9 +269,10 @@
// searches so that we don't have to run it for each page.
if (!isset($total))
{
- $total = sql_query1("SELECT count(*)
- FROM $tbl_entry E, $tbl_room R, $tbl_area A
- WHERE $sql_pred", $sql_params);
+ $sql = "SELECT count(*)
+ FROM $tbl_entry E, $tbl_room R, $tbl_area A
+ WHERE $sql_pred";
+ $total = sql_query1($sql, $sql_params);
}
if ($total < 0)
{
@@ -315,7 +317,7 @@
$result = sql_query($sql, $sql_params);
if (! $result)
{
- trigger_error(sql_error(), E_USER_WARNING);
+ trigger_error("sql ".$sql." err ".sql_error(), E_USER_WARNING);
fatal_error(FALSE, get_vocab("fatal_db_error"));
}
$num_records = sql_count($result);
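Review bot: The changed `trigger_error` line writes the full statement text to the PHP error stream, and since this commit `$sql_pred` carries the escaped user search string inline, so user input together with table and column names now lands in the error log — or on the page, if `display_errors` is enabled — before `fatal_error()` shows the generic `fatal_db_error` message. It reads like a debugging aid left in; if the query text is wanted for diagnosis, route it to the log only and keep the warning channel as it was, e.g. `error_log('search.php query failed: ' . $sql);` followed by `trigger_error(sql_error(), E_USER_WARNING);`. `$sql` is assigned above this hunk.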