[aur-dev] [PATCH 2/2] Escape wildcards in "LIKE" patterns

Dan McGee dpmcgee at gmail.com
Thu Oct 20 10:00:14 EDT 2011


On Thu, Oct 20, 2011 at 1:52 AM, Lukas Fleischer
<archlinux at cryptocrack.de> wrote:
> Percent signs ("%") and underscores ("_") are not escaped by
> mysql_real_escape_string() and are interpreted as wildcards if combined
> with "LIKE". Write a wrapper function db_escape_like() and use it where
> appropriate.
>
> Note that we already fixed this for the RPC interface in commit
> da2ebb667b7a332ddd8d905bf9b9a8694765fed6 but missed the other places.
> This patch should fix all remaining flaws reported in FS#26527.
>
> Signed-off-by: Lukas Fleischer <archlinux at cryptocrack.de>
Looks good to me.

Signed-off-by: Dan McGee <dan at archlinux.org>

> ---
>  web/lib/acctfuncs.inc.php |    8 ++++----
>  web/lib/aur.inc.php       |    5 +++++
>  web/lib/aurjson.class.php |    3 +--
>  web/lib/pkgfuncs.inc.php  |   12 +++++-------
>  4 files changed, 15 insertions(+), 13 deletions(-)
>
> diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
> index 692dd19..96a478b 100644
> --- a/web/lib/acctfuncs.inc.php
> +++ b/web/lib/acctfuncs.inc.php
> @@ -372,19 +372,19 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="",
>                $search_vars[] = "S";
>        }
>        if ($U) {
> -               $q.= "AND Username LIKE '%".db_escape_string($U)."%' ";
> +               $q.= "AND Username LIKE '%".db_escape_like($U)."%' ";
>                $search_vars[] = "U";
>        }
>        if ($E) {
> -               $q.= "AND Email LIKE '%".db_escape_string($E)."%' ";
> +               $q.= "AND Email LIKE '%".db_escape_like($E)."%' ";
>                $search_vars[] = "E";
>        }
>        if ($R) {
> -               $q.= "AND RealName LIKE '%".db_escape_string($R)."%' ";
> +               $q.= "AND RealName LIKE '%".db_escape_like($R)."%' ";
>                $search_vars[] = "R";
>        }
>        if ($I) {
> -               $q.= "AND IRCNick LIKE '%".db_escape_string($I)."%' ";
> +               $q.= "AND IRCNick LIKE '%".db_escape_like($I)."%' ";
>                $search_vars[] = "I";
>        }
>        switch ($SB) {
> diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
> index 51c1eff..6bc36ac 100644
> --- a/web/lib/aur.inc.php
> +++ b/web/lib/aur.inc.php
> @@ -229,6 +229,11 @@ function db_escape_string($string) {
>        return mysql_real_escape_string($string);
>  }
>
> +# Escape strings for usage in SQL LIKE operators.
> +function db_escape_like($string) {
> +       return addcslashes(mysql_real_escape_string($string), '%_');
> +}
> +
>  # disconnect from the database
>  # this won't normally be needed as PHP/reference counting will take care of
>  # closing the connection once it is no longer referenced
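Review bot: The one-line comment on the new db_escape_like() leaves out the property callers depend on: the added backslashes only work because MySQL's LIKE treats `\` as the escape character by default, so the result must not be fed into a `LIKE ... ESCAPE` clause with a different character, and it is still not safe to interpolate anywhere but inside a quoted LIKE pattern. I would extend it to `# Escape a string for use inside a quoted SQL LIKE pattern: db_escape_string() plus a backslash before '%' and '_' so they match literally. Assumes MySQL's default LIKE escape character ('\').` Calling `db_escape_string($string)` instead of `mysql_real_escape_string($string)` on the line below would also keep the connection-handling in one place if db_escape_string() ever grows a link parameter.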
> diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php
> index e6e62f4..234a3c4 100644
> --- a/web/lib/aurjson.class.php
> +++ b/web/lib/aurjson.class.php
> @@ -195,8 +195,7 @@ class AurJSON {
>             return $this->json_error('Query arg too small');
>         }
>
> -        $keyword_string = db_escape_string($keyword_string, $this->dbh);
> -        $keyword_string = addcslashes($keyword_string, '%_');
> +        $keyword_string = db_escape_like($keyword_string, $this->dbh);
>
>         $where_condition = "( Name LIKE '%{$keyword_string}%' OR " .
>             "Description LIKE '%{$keyword_string}%' )";
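Review bot: The new call `db_escape_like($keyword_string, $this->dbh)` passes a second argument that the helper added in aur.inc.php does not declare (it takes only `$string`); PHP silently drops the extra argument, so the escaping is done by mysql_real_escape_string() against the last-opened link rather than against `$this->dbh`. The removed db_escape_string() call had the same shape, so this is not new, but the rewrite is the moment to either drop the argument, `$keyword_string = db_escape_like($keyword_string);`, or give the helper an optional link parameter and forward it. If the link in `$this->dbh` can ever use a different character set than the default link, escaping against the wrong connection is a correctness and safety concern — worth confirming against the connection setup, which is outside this hunk.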
> diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php
> index b078c48..88b18b8 100644
> --- a/web/lib/pkgfuncs.inc.php
> +++ b/web/lib/pkgfuncs.inc.php
> @@ -457,11 +457,9 @@ function pkg_search_page($SID="", $dbh=NULL) {
>        }
>
>        if (isset($_GET['K'])) {
> -               $_GET['K'] = db_escape_string(trim($_GET['K']));
> -
>                # Search by maintainer
>                if (isset($_GET["SeB"]) && $_GET["SeB"] == "m") {
> -                       $q_where .= "AND Users.Username = '".$_GET['K']."' ";
> +                       $q_where .= "AND Users.Username = '".db_escape_string($_GET['K'])."' ";
>                }
>                # Search by submitter
>                elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "s") {
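Review bot: Removing the in-place `$_GET['K'] = db_escape_string(trim($_GET['K']));` also drops the `trim()`, so the new per-branch calls in this hunk and the one at @@ -469,16 +467,16 @@ now search with leading and trailing whitespace kept; if that was not intended, keep `$_GET['K'] = trim($_GET['K']);` at the top of the `isset($_GET['K'])` block. The more serious consequence is that `$_GET['K']` is no longer escaped for the rest of pkg_search_page(): the single old line between the two hunks (the body of the submitter branch at line 468) is not shown, and if it builds `$q_where` from `$_GET['K']` the way the sibling branches do, it is now interpolated unescaped — please confirm it was updated to `db_escape_string($_GET['K'])`. Any later use of `$_GET['K']` in the function body, which ends outside these hunks, needs the same check.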
> @@ -469,16 +467,16 @@ function pkg_search_page($SID="", $dbh=NULL) {
>                }
>                # Search by name
>                elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "n") {
> -                       $q_where .= "AND (Name LIKE '%".$_GET['K']."%') ";
> +                       $q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%') ";
>                }
>                # Search by name (exact match)
>                elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "x") {
> -                       $q_where .= "AND (Name = '".$_GET['K']."') ";
> +                       $q_where .= "AND (Name = '".db_escape_string($_GET['K'])."') ";
>                }
>                # Search by name and description (Default)
>                else {
> -                       $q_where .= "AND (Name LIKE '%".$_GET['K']."%' OR ";
> -                       $q_where .= "Description LIKE '%".$_GET['K']."%') ";
> +                       $q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%' OR ";
> +                       $q_where .= "Description LIKE '%".db_escape_like($_GET['K'])."%') ";
>                }
>        }
>
> --
> 1.7.7
>
>

