From da2ebb667b7a332ddd8d905bf9b9a8694765fed6 Mon Sep 17 00:00:00 2001
From: Lukas Fleischer
Date: Fri, 28 Jan 2011 16:33:02 +0100
Subject: aurjson: Escape wildcards in "LIKE" patterns (fixes FS#18626).

Percent signs ("%") and underscores ("_") are not escaped by mysql_real_escape_string() and are interpreted as wildcards if combined with "LIKE", so we need to deal with them separately.

Signed-off-by: Lukas Fleischer
---
web/lib/aurjson.class.php | 1 +
1 file changed, 1 insertion(+)

diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php
index 0868cb2..d545ee0 100644
--- a/web/lib/aurjson.class.php
+++ b/web/lib/aurjson.class.php
@@ -107,6 +107,7 @@ class AurJSON {
 }
 $keyword_string = mysql_real_escape_string($keyword_string, $this->dbh);
+ $keyword_string = addcslashes($keyword_string, '%_');
 $query = "SELECT " . implode(',', $this->fields) .
 " FROM Packages WHERE DummyPkg=0 AND " .
-- 
cgit v1.2.3-70-g09d2
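Review bot: The added `addcslashes($keyword_string, '%_')` line silently depends on backslash being the LIKE escape character, which is only MySQL's default and, as far as I recall, is not honoured when the connection runs with `NO_BACKSLASH_ESCAPES` in `sql_mode`; the `$query` built on the following lines should state that assumption explicitly with an `ESCAPE '\\'` clause on each `LIKE` so the wildcard neutralisation does not depend on server configuration. The line also deserves a why-comment, since the order relative to `mysql_real_escape_string()` is not obvious: `// mysql_real_escape_string() leaves "%" and "_" untouched; backslash-escape them so LIKE matches them literally instead of as wildcards.` The enclosing method starts and ends outside the hunk, so I cannot see whether the same keyword also reaches a non-LIKE comparison, where the added backslashes would then change the value being compared.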