| Field | Value | Date |
|---|---|---|
| author | Lukas Fleischer <archlinux@cryptocrack.de> | 2011-01-28 16:33:02 +0100 |
| committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2011-01-28 16:54:58 +0100 |
| commit | da2ebb667b7a332ddd8d905bf9b9a8694765fed6 (patch) | |
| tree | c352299ccdcc230e1a9f0e9d2efd633623027267 /web/lib/aurjson.class.php | |
| parent | 888aad477c7b92104d6df651dffb9d51f57cfdb4 (diff) | |
| download | aur-da2ebb667b7a332ddd8d905bf9b9a8694765fed6.tar.gz aur-da2ebb667b7a332ddd8d905bf9b9a8694765fed6.tar.xz | |
aurjson: Escape wildcards in "LIKE" patterns (fixes FS#18626).
Percent signs ("%") and underscores ("_") are not escaped by
mysql_real_escape_string() and are interpreted as wildcards if combined
with "LIKE", so we need to deal with them separately.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web/lib/aurjson.class.php')
-rw-r--r-- | web/lib/aurjson.class.php | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php index 0868cb2d..d545ee0a 100644 --- a/web/lib/aurjson.class.php +++ b/web/lib/aurjson.class.php @@ -107,6 +107,7 @@ class AurJSON { } $keyword_string = mysql_real_escape_string($keyword_string, $this->dbh); + $keyword_string = addcslashes($keyword_string, '%_'); $query = "SELECT " . implode(',', $this->fields) . " FROM Packages WHERE DummyPkg=0 AND " . |
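Review bot: the added `addcslashes($keyword_string, '%_')` is only correct if every use of `$keyword_string` in the query below sits inside a `LIKE` pattern; if the same value is also compared with `=` or `IN`, the inserted backslashes will break exact matches, so the hunk should either state that assumption or escape a separate copy used only for the `LIKE` clause. The call order is right (wildcard escaping after `mysql_real_escape_string()`, so the added backslashes reach MySQL as `\%` and `\_`), but nothing in the hunk says why, and the two calls look redundant at a glance; a one-line comment such as `// mysql_real_escape_string() leaves LIKE wildcards alone, escape them here` would prevent a later cleanup from dropping it. Since this relies on backslash being the `LIKE` escape character, consider adding an explicit `ESCAPE '\\'` to the `LIKE` expression so the behaviour does not depend on the server's `sql_mode` (for example `NO_BACKSLASH_ESCAPES`).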