[aur-dev] [PATCH 2/2] Escape wildcards in "LIKE" patterns
Dan McGee
dpmcgee at gmail.com
Thu Oct 20 10:00:14 EDT 2011
On Thu, Oct 20, 2011 at 1:52 AM, Lukas Fleischer
<archlinux at cryptocrack.de> wrote:
> Percent signs ("%") and underscores ("_") are not escaped by
> mysql_real_escape_string() and are interpreted as wildcards if combined
> with "LIKE". Write a wrapper function db_escape_like() and use it where
> appropriate.
>
> Note that we already fixed this for the RPC interface in commit
> da2ebb667b7a332ddd8d905bf9b9a8694765fed6 but missed the other places.
> This patch should fix all remaining flaws reported in FS#26527.
>
> Signed-off-by: Lukas Fleischer <archlinux at cryptocrack.de>
Looks good to me.
Signed-off-by: Dan McGee <dan at archlinux.org>
> ---
> web/lib/acctfuncs.inc.php | 8 ++++----
> web/lib/aur.inc.php | 5 +++++
> web/lib/aurjson.class.php | 3 +--
> web/lib/pkgfuncs.inc.php | 12 +++++-------
> 4 files changed, 15 insertions(+), 13 deletions(-)
>
> diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
> index 692dd19..96a478b 100644
> --- a/web/lib/acctfuncs.inc.php
> +++ b/web/lib/acctfuncs.inc.php
> @@ -372,19 +372,19 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="",
> $search_vars[] = "S";
> }
> if ($U) {
> - $q.= "AND Username LIKE '%".db_escape_string($U)."%' ";
> + $q.= "AND Username LIKE '%".db_escape_like($U)."%' ";
> $search_vars[] = "U";
> }
> if ($E) {
> - $q.= "AND Email LIKE '%".db_escape_string($E)."%' ";
> + $q.= "AND Email LIKE '%".db_escape_like($E)."%' ";
> $search_vars[] = "E";
> }
> if ($R) {
> - $q.= "AND RealName LIKE '%".db_escape_string($R)."%' ";
> + $q.= "AND RealName LIKE '%".db_escape_like($R)."%' ";
> $search_vars[] = "R";
> }
> if ($I) {
> - $q.= "AND IRCNick LIKE '%".db_escape_string($I)."%' ";
> + $q.= "AND IRCNick LIKE '%".db_escape_like($I)."%' ";
> $search_vars[] = "I";
> }
> switch ($SB) {
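Review bot: The escaping call is now spelled out four times in branches that differ only by column name and variable (`Username`/`$U`, `Email`/`$E`, `RealName`/`$R`, `IRCNick`/`$I`), which is the same shape of duplication that let the original sites miss the wildcard escaping in the first place. A table-driven loop keeps one place where db_escape_like() is applied and preserves the U, E, R, I ordering of `$search_vars`. The enclosing search_results_page() starts and ends outside this hunk, so the `$q` prefix and the `switch ($SB)` that follows are unchanged.
```php
// … unchanged: the "S" search_vars handling above …
$like_cols = array('U' => array('Username', $U), 'E' => array('Email', $E),
                   'R' => array('RealName', $R), 'I' => array('IRCNick', $I));
foreach ($like_cols as $flag => $col) {
    if ($col[1]) {
        $q.= "AND ".$col[0]." LIKE '%".db_escape_like($col[1])."%' ";
        $search_vars[] = $flag;
    }
}
// … unchanged: switch ($SB) …
```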
> diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
> index 51c1eff..6bc36ac 100644
> --- a/web/lib/aur.inc.php
> +++ b/web/lib/aur.inc.php
> @@ -229,6 +229,11 @@ function db_escape_string($string) {
> return mysql_real_escape_string($string);
> }
>
> +# Escape strings for usage in SQL LIKE operators.
> +function db_escape_like($string) {
> + return addcslashes(mysql_real_escape_string($string), '%_');
> +}
> +
> # disconnect from the database
> # this won't normally be needed as PHP/reference counting will take care of
> # closing the connection once it is no longer referenced
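Review bot: A literal backslash in the search term is still consumed as the LIKE escape character on `return addcslashes(mysql_real_escape_string($string), '%_');` — mysql_real_escape_string() doubles it for the string-literal layer, but MySQL strips a backslash again when it evaluates the LIKE pattern, so a user searching for `a\b` is matched against `ab`. Escaping the pattern layer first and the literal layer second handles all three characters: `return mysql_real_escape_string(addcslashes($string, '%_\\'));`. With that order `%` becomes `\%` and then `\\%` in the SQL text, which LIKE reads as a literal percent sign, and `\` becomes `\\\\`, which it reads as one literal backslash. The two wildcards this commit targets are escaped either way, so this is a correctness follow-up rather than a regression; the comment above the function could also state that the result is only valid inside a LIKE pattern, not for plain `=` comparisons.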
> diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php
> index e6e62f4..234a3c4 100644
> --- a/web/lib/aurjson.class.php
> +++ b/web/lib/aurjson.class.php
> @@ -195,8 +195,7 @@ class AurJSON {
> return $this->json_error('Query arg too small');
> }
>
> - $keyword_string = db_escape_string($keyword_string, $this->dbh);
> - $keyword_string = addcslashes($keyword_string, '%_');
> + $keyword_string = db_escape_like($keyword_string, $this->dbh);
>
> $where_condition = "( Name LIKE '%{$keyword_string}%' OR " .
> "Description LIKE '%{$keyword_string}%' )";
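Review bot: The second argument on `$keyword_string = db_escape_like($keyword_string, $this->dbh);` is silently dropped — the wrapper introduced in this series takes only `$string`, and PHP ignores surplus arguments to user-defined functions. The `db_escape_string($keyword_string, $this->dbh)` call it replaces had the same dead argument, but carrying it forward suggests the helper escapes against this object's connection when it actually uses whatever link mysql_real_escape_string() picks by default. Either drop `$this->dbh` here or give db_escape_like() an optional `$dbh` that it forwards as the link argument. The enclosing method starts and ends outside this hunk.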
> diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php
> index b078c48..88b18b8 100644
> --- a/web/lib/pkgfuncs.inc.php
> +++ b/web/lib/pkgfuncs.inc.php
> @@ -457,11 +457,9 @@ function pkg_search_page($SID="", $dbh=NULL) {
> }
>
> if (isset($_GET['K'])) {
> - $_GET['K'] = db_escape_string(trim($_GET['K']));
> -
> # Search by maintainer
> if (isset($_GET["SeB"]) && $_GET["SeB"] == "m") {
> - $q_where .= "AND Users.Username = '".$_GET['K']."' ";
> + $q_where .= "AND Users.Username = '".db_escape_string($_GET['K'])."' ";
> }
> # Search by submitter
> elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "s") {
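Review bot: Removing `$_GET['K'] = db_escape_string(trim($_GET['K']));` also removes the trim(), so the maintainer branch now compares `Users.Username` against the untrimmed keyword and the LIKE branches further down match leading/trailing whitespace literally; `$K = trim($_GET['K']);` at the top of the block, used by every branch, would keep the old behaviour. More importantly, the submitter branch that begins at `$_GET["SeB"] == "s"` and continues between the two hunks previously received the pre-escaped value and is not touched by this patch (the diffstat's 5 insertions and 7 deletions are all accounted for in the two visible hunks), so confirm it escapes `$_GET['K']` itself before it reaches the query — otherwise this change reopens an injection path there. The enclosing pkg_search_page() starts and ends outside this hunk.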
> @@ -469,16 +467,16 @@ function pkg_search_page($SID="", $dbh=NULL) {
> }
> # Search by name
> elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "n") {
> - $q_where .= "AND (Name LIKE '%".$_GET['K']."%') ";
> + $q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%') ";
> }
> # Search by name (exact match)
> elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "x") {
> - $q_where .= "AND (Name = '".$_GET['K']."') ";
> + $q_where .= "AND (Name = '".db_escape_string($_GET['K'])."') ";
> }
> # Search by name and description (Default)
> else {
> - $q_where .= "AND (Name LIKE '%".$_GET['K']."%' OR ";
> - $q_where .= "Description LIKE '%".$_GET['K']."%') ";
> + $q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%' OR ";
> + $q_where .= "Description LIKE '%".db_escape_like($_GET['K'])."%') ";
> }
> }
>
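Review bot: `db_escape_like($_GET['K'])` is evaluated three times and `db_escape_string($_GET['K'])` once across these branches, each reaching into `$_GET` again; escaping once into locals before the `if`/`elseif` chain (`$K = db_escape_string($_GET['K']); $K_like = db_escape_like($_GET['K']);`) makes it visible at a glance that the exact-match branches use the plain escape and the LIKE branches use the wildcard-safe one, which is the distinction this commit is about. The first branches of the chain and the start of pkg_search_page() are outside this hunk.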
> --
> 1.7.7
>
>