From e53b91fe52be262d94a45769814c1e87c796988b Mon Sep 17 00:00:00 2001 From: Lukas Fleischer Date: Thu, 20 Oct 2011 08:43:44 +0200 Subject: Escape wildcards in "LIKE" patterns Percent signs ("%") and underscores ("_") are not escaped by mysql_real_escape_string() and are interpreted as wildcards if combined with "LIKE". Write a wrapper function db_escape_like() and use it where appropriate. Note that we already fixed this for the RPC interface in commit da2ebb667b7a332ddd8d905bf9b9a8694765fed6 but missed the other places. This patch should fix all remaining flaws reported in FS#26527. Signed-off-by: Lukas Fleischer Signed-off-by: Dan McGee --- web/lib/acctfuncs.inc.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'web/lib/acctfuncs.inc.php') diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 9171874..9bd6e51 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -372,19 +372,19 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="", $search_vars[] = "S"; } if ($U) { - $q.= "AND Username LIKE '%".db_escape_string($U)."%' "; + $q.= "AND Username LIKE '%".db_escape_like($U)."%' "; $search_vars[] = "U"; } if ($E) { - $q.= "AND Email LIKE '%".db_escape_string($E)."%' "; + $q.= "AND Email LIKE '%".db_escape_like($E)."%' "; $search_vars[] = "E"; } if ($R) { - $q.= "AND RealName LIKE '%".db_escape_string($R)."%' "; + $q.= "AND RealName LIKE '%".db_escape_like($R)."%' "; $search_vars[] = "R"; } if ($I) { - $q.= "AND IRCNick LIKE '%".db_escape_string($I)."%' "; + $q.= "AND IRCNick LIKE '%".db_escape_like($I)."%' "; $search_vars[] = "I"; } switch ($SB) { -- cgit v1.2.3-70-g09d2