diff options
| author | lpsolit%gmail.com <> | 2008-12-03 08:00:43 +0100 |
|---|---|---|
| committer | lpsolit%gmail.com <> | 2008-12-03 08:00:43 +0100 |
| commit | 33429813a654f7a93a7be40b35e9fb7629d74dab (patch) | |
| tree | 90414530e55ab4ea692c7d193f38f0e2c9f6653a /editusers.cgi | |
| parent | f21dafef9ba8f687094aa944e93bc229c0491e50 (diff) | |
| download | bugzilla-33429813a654f7a93a7be40b35e9fb7629d74dab.tar.gz bugzilla-33429813a654f7a93a7be40b35e9fb7629d74dab.tar.xz | |
Bug 463688: editusers.cgi no longer lets you search for users using regular expressions - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat r=xiaoou a=LpSolit
Diffstat (limited to 'editusers.cgi')
| -rwxr-xr-x | editusers.cgi | 21 |
1 files changed, 13 insertions, 8 deletions
diff --git a/editusers.cgi b/editusers.cgi index 23adb6eb7..6dac96788 100755 --- a/editusers.cgi +++ b/editusers.cgi @@ -136,23 +136,28 @@ if ($action eq 'search') { } else { $expr = "profiles.login_name"; } + + if ($matchstr =~ /^(regexp|notregexp|exact)$/) { + $matchstr ||= '.'; + } + else { + $matchstr = '' unless defined $matchstr; + } + # We can trick_taint because we use the value in a SELECT only, + # using a placeholder. + trick_taint($matchstr); + if ($matchtype eq 'regexp') { - $query .= $dbh->sql_regexp($expr, '?'); - $matchstr = '.' unless $matchstr; + $query .= $dbh->sql_regexp($expr, '?', 0, $dbh->quote($matchstr)); } elsif ($matchtype eq 'notregexp') { - $query .= $dbh->sql_not_regexp($expr, '?'); - $matchstr = '.' unless $matchstr; + $query .= $dbh->sql_not_regexp($expr, '?', 0, $dbh->quote($matchstr)); } elsif ($matchtype eq 'exact') { $query .= $expr . ' = ?'; - $matchstr = '.' unless $matchstr; } else { # substr or unknown $query .= $dbh->sql_istrcmp($expr, '?', 'LIKE'); $matchstr = "%$matchstr%"; } $nextCondition = 'AND'; - # We can trick_taint because we use the value in a SELECT only, - # using a placeholder. - trick_taint($matchstr); push(@bindValues, $matchstr); } |