-rw-r--r--web/lib/acctfuncs.inc.php8
-rw-r--r--web/lib/aur.inc.php5
-rw-r--r--web/lib/aurjson.class.php3
-rw-r--r--web/lib/pkgfuncs.inc.php12
4 files changed, 15 insertions, 13 deletions
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 8b562592..512e66ce 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -373,19 +373,19 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="",
$search_vars[] = "S";
}
if ($U) {
- $q.= "AND Username LIKE '%".db_escape_string($U)."%' ";
+ $q.= "AND Username LIKE '%".db_escape_like($U)."%' ";
$search_vars[] = "U";
}
if ($E) {
- $q.= "AND Email LIKE '%".db_escape_string($E)."%' ";
+ $q.= "AND Email LIKE '%".db_escape_like($E)."%' ";
$search_vars[] = "E";
}
if ($R) {
- $q.= "AND RealName LIKE '%".db_escape_string($R)."%' ";
+ $q.= "AND RealName LIKE '%".db_escape_like($R)."%' ";
$search_vars[] = "R";
}
if ($I) {
- $q.= "AND IRCNick LIKE '%".db_escape_string($I)."%' ";
+ $q.= "AND IRCNick LIKE '%".db_escape_like($I)."%' ";
$search_vars[] = "I";
}
switch ($SB) {
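Review bot: The `if ($U)`, `if ($E)`, `if ($R)` and `if ($I)` guards around the new `db_escape_like` calls test PHP truthiness, so a search term of `"0"` is silently dropped from the query and from `$search_vars` even though it is a valid username, e-mail fragment or nick. Since the defaults in the signature are `""`, an explicit emptiness check avoids that: `if ($U !== "") {` (and likewise for the other three). This assumes callers always pass strings; if `NULL` can arrive, use `if ((string)$U !== "")` instead. The body of `search_results_page` continues past this hunk.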
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index e4e1cb57..ed0920f9 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -229,6 +229,11 @@ function db_escape_string($string) {
return mysql_real_escape_string($string);
}
+# Escape strings for usage in SQL LIKE operators.
+function db_escape_like($string) {
+ return addcslashes(mysql_real_escape_string($string), '%_');
+}
+
# disconnect from the database
# this won't normally be needed as PHP/reference counting will take care of
# closing the connection once it is no longer referenced
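Review bot: `db_escape_like` escapes `%` and `_` but not the backslash, so a user-supplied backslash can undo the wildcard escaping it adds. For the input `\%`, `mysql_real_escape_string` produces `\\%` and `addcslashes` then `\\\%`; after MySQL's string-literal parsing (default mode, `NO_BACKSLASH_ESCAPES` off) the LIKE pattern is `\\%`, i.e. a literal backslash followed by a live `%` wildcard, because `\%` survives the literal and LIKE sees the two backslashes as one escaped backslash. Escape the LIKE metacharacters including the backslash first, and only then escape for the string literal: `return mysql_real_escape_string(addcslashes($string, '\\%_'));`. With that order `\%` becomes the pattern `\\\%`, a literal backslash and a literal percent, while plain `a%` still yields `a\%` as before.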
diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php
index e6e62f4b..234a3c43 100644
--- a/web/lib/aurjson.class.php
+++ b/web/lib/aurjson.class.php
@@ -195,8 +195,7 @@ class AurJSON {
return $this->json_error('Query arg too small');
}
- $keyword_string = db_escape_string($keyword_string, $this->dbh);
- $keyword_string = addcslashes($keyword_string, '%_');
+ $keyword_string = db_escape_like($keyword_string, $this->dbh);
$where_condition = "( Name LIKE '%{$keyword_string}%' OR " .
"Description LIKE '%{$keyword_string}%' )";
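Review bot: `db_escape_like($keyword_string, $this->dbh)` passes a connection handle that the new helper cannot use: `db_escape_like` is declared with a single `$string` parameter, and PHP silently discards extra arguments to user-defined functions, so `mysql_real_escape_string` runs against the implicit last-opened link rather than `$this->dbh`. The removed `db_escape_string(..., $this->dbh)` call had the same mismatch, so this is not a regression, but the argument gives a false impression that the escaping uses this connection's character set. Either drop the second argument here, or extend the helper to `function db_escape_like($string, $dbh = NULL)` and forward `$dbh` to `mysql_real_escape_string($string, $dbh)` when it is set. The surrounding method continues outside this hunk.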
diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php
index 8d2799cc..558cf3fd 100644
--- a/web/lib/pkgfuncs.inc.php
+++ b/web/lib/pkgfuncs.inc.php
@@ -457,11 +457,9 @@ function pkg_search_page($SID="", $dbh=NULL) {
}
if (isset($_GET['K'])) {
- $_GET['K'] = db_escape_string(trim($_GET['K']));
-
# Search by maintainer
if (isset($_GET["SeB"]) && $_GET["SeB"] == "m") {
- $q_where .= "AND Users.Username = '".$_GET['K']."' ";
+ $q_where .= "AND Users.Username = '".db_escape_string($_GET['K'])."' ";
}
# Search by submitter
elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "s") {
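Review bot: Removing the `$_GET['K'] = db_escape_string(trim($_GET['K']))` assignment means every later reader of `$_GET['K']` now sees the raw request value, and this hunk only re-escapes the maintainer branch. The submitter branch opened on the last line of this hunk has its body in the one unchanged line between this hunk and the next, so that line is not touched by the commit; if it interpolates `$_GET['K']` the way the maintainer branch did before (`"... = '".$_GET['K']."' "`), it now builds SQL from unescaped input — please confirm it escapes on its own, or add `db_escape_string($_GET['K'])` there too. Any other use of `$_GET['K']` further down in `pkg_search_page`, whose body continues past this hunk, needs the same check.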
@@ -469,16 +467,16 @@ function pkg_search_page($SID="", $dbh=NULL) {
}
# Search by name
elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "n") {
- $q_where .= "AND (Name LIKE '%".$_GET['K']."%') ";
+ $q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%') ";
}
# Search by name (exact match)
elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "x") {
- $q_where .= "AND (Name = '".$_GET['K']."') ";
+ $q_where .= "AND (Name = '".db_escape_string($_GET['K'])."') ";
}
# Search by name and description (Default)
else {
- $q_where .= "AND (Name LIKE '%".$_GET['K']."%' OR ";
- $q_where .= "Description LIKE '%".$_GET['K']."%') ";
+ $q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%' OR ";
+ $q_where .= "Description LIKE '%".db_escape_like($_GET['K'])."%') ";
}
}
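Review bot: The removed assignment also applied `trim()`, and none of the new `db_escape_string`/`db_escape_like` calls restore it, so a keyword with leading or trailing whitespace now reaches the query verbatim; the exact-match branch `Name = '...'` in particular will no longer match ` foo`. Rather than repeating the escaping call per branch, compute the trimmed value once at the top of the `isset($_GET['K'])` block (outside this hunk), `$K = trim($_GET['K']);`, and use `db_escape_like($K)` / `db_escape_string($K)` in each branch; as a minimal fix, wrap each call as `db_escape_like(trim($_GET['K']))`. `pkg_search_page` continues past the end of this hunk.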