authorLukas Fleischer <lfleischer@archlinux.org>2015-05-22 13:29:59 +0200
committerLukas Fleischer <lfleischer@archlinux.org>2015-05-22 17:09:25 +0200
commit0f48341ed67624f8bf113737eac0ba5b989133b3 (patch)
treed9ab7053035503f9b38b5e64ddec00f45a207dbc
parent20b838a90c5874c11cb68d3ca0bf7cc3bf3c0180 (diff)
Do not allow more than 20 terms in search queries
Specifying a huge number of search terms currently results in complex SQL queries. In practice, queries with more than 20 terms are rarely needed. Ignore everything apart from the first 20 keywords to prevent potential abuse. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
-rw-r--r--web/lib/pkgfuncs.inc.php11
1 files changed, 11 insertions, 0 deletions
diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php
index 8fd629f..11ca591 100644
--- a/web/lib/pkgfuncs.inc.php
+++ b/web/lib/pkgfuncs.inc.php
@@ -601,10 +601,21 @@ function pkg_search_page($SID="") {
}
else {
/* Search by name and description (default). */
+ $count = 0;
+
foreach (str_getcsv($_GET['K'], ' ') as $term) {
+ if ($term == "") {
+ continue;
+ }
+
$term = "%" . addcslashes($term, '%_') . "%";
$q_where .= "AND (Packages.Name LIKE " . $dbh->quote($term) . " OR ";
$q_where .= "Description LIKE " . $dbh->quote($term) . ") ";
+
+ $count++;
+ if ($count >= 20) {
+ break;
+ }
}
}
}
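Review bot: The cap in `if ($count >= 20)` is a bare literal that encodes the resource limit this change exists to enforce, and nothing in the code says why it is there or that surplus terms are dropped silently; I would hoist it into a named constant, e.g. `define('PKG_SEARCH_MAX_TERMS', 20);` next to the other configuration and `if ($count >= PKG_SEARCH_MAX_TERMS) {`, and put a comment above the `foreach`: `/* Bound the number of LIKE clauses so a long K parameter cannot build an arbitrarily large query; terms beyond the limit are ignored. */`. The empty-term guard uses a loose `$term == ""`; as far as I know `str_getcsv('')` yields a single `null` element, which the loose comparison happens to skip, so if this is ever tightened to `===` it needs an explicit `$term === null ||` as well. It is also worth noting in a comment that `$count` only counts terms that actually reach the query, since the `continue` runs before the increment. The enclosing function pkg_search_page begins before this hunk.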