From 33429813a654f7a93a7be40b35e9fb7629d74dab Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Wed, 3 Dec 2008 07:00:43 +0000
Subject: Bug 463688: editusers.cgi no longer lets you search for users using regular expressions - Patch by Frédéric Buclin r=mkanat r=xiaoou a=LpSolit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 editusers.cgi | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)
(limited to 'editusers.cgi')

diff --git a/editusers.cgi b/editusers.cgi
index 23adb6eb7..6dac96788 100755
--- a/editusers.cgi
+++ b/editusers.cgi
@@ -136,23 +136,28 @@ if ($action eq 'search') {
     } else {
         $expr = "profiles.login_name";
     }
+
+    if ($matchstr =~ /^(regexp|notregexp|exact)$/) {
+        $matchstr ||= '.';
+    }
+    else {
+        $matchstr = '' unless defined $matchstr;
+    }
+    # We can trick_taint because we use the value in a SELECT only,
+    # using a placeholder.
+    trick_taint($matchstr);
+
     if ($matchtype eq 'regexp') {
-        $query .= $dbh->sql_regexp($expr, '?');
-        $matchstr = '.' unless $matchstr;
+        $query .= $dbh->sql_regexp($expr, '?', 0, $dbh->quote($matchstr));
     } elsif ($matchtype eq 'notregexp') {
-        $query .= $dbh->sql_not_regexp($expr, '?');
-        $matchstr = '.' unless $matchstr;
+        $query .= $dbh->sql_not_regexp($expr, '?', 0, $dbh->quote($matchstr));
     } elsif ($matchtype eq 'exact') {
         $query .= $expr . ' = ?';
-        $matchstr = '.' unless $matchstr;
     } else { # substr or unknown
         $query .= $dbh->sql_istrcmp($expr, '?', 'LIKE');
         $matchstr = "%$matchstr%";
     }
     $nextCondition = 'AND';
-    # We can trick_taint because we use the value in a SELECT only,
-    # using a placeholder.
-    trick_taint($matchstr);
     push(@bindValues, $matchstr);
 }
 
-- 
cgit v1.2.3-24-g4f1b
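Review bot: The new guard `if ($matchstr =~ /^(regexp|notregexp|exact)$/)` tests the search string rather than the match type, so `$matchstr ||= '.'` can only run when `$matchstr` is already one of those three non-empty words and therefore never changes anything. Combined with the removal of the three `$matchstr = '.' unless $matchstr;` lines, an empty regexp, notregexp or exact search now binds `''` instead of the intended `'.'` default, and is also passed through `$dbh->quote('')` as the pattern to validate. The condition should read `if ($matchtype =~ /^(regexp|notregexp|exact)$/) {`. Moving `trick_taint($matchstr)` ahead of the branches is otherwise sound, since the later `"%$matchstr%"` interpolation of an untainted value stays untainted. The enclosing `if ($action eq 'search')` block begins outside the hunk.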