From e53b91fe52be262d94a45769814c1e87c796988b Mon Sep 17 00:00:00 2001
From: Lukas Fleischer <archlinux@cryptocrack.de>
Date: Thu, 20 Oct 2011 08:43:44 +0200
Subject: Escape wildcards in "LIKE" patterns

Percent signs ("%") and underscores ("_") are not escaped by
mysql_real_escape_string() and are interpreted as wildcards if combined
with "LIKE". Write a wrapper function db_escape_like() and use it where
appropriate.

Note that we already fixed this for the RPC interface in commit
da2ebb667b7a332ddd8d905bf9b9a8694765fed6 but missed the other places.
This patch should fix all remaining flaws reported in FS#26527.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
---
 web/lib/aurjson.class.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'web/lib/aurjson.class.php')

diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php
index edd6872e..6c7725c0 100644
--- a/web/lib/aurjson.class.php
+++ b/web/lib/aurjson.class.php
@@ -184,8 +184,7 @@ class AurJSON {
             return $this->json_error('Query arg too small');
         }
 
-        $keyword_string = db_escape_string($keyword_string, $this->dbh);
-        $keyword_string = addcslashes($keyword_string, '%_');
+        $keyword_string = db_escape_like($keyword_string, $this->dbh);
 
         $where_condition = "( Name LIKE '%{$keyword_string}%' OR " .
             "Description LIKE '%{$keyword_string}%' )";
-- 
cgit v1.2.3-24-g4f1b