Updated the user picker to avoid possible mysql injection attacks and to search only by leading chars.

git-svn-id: http://code.elgg.org/elgg/trunk@3494 36083f99-b078-4883-b0ff-0f9b5a30f544

1 files changed, 9 insertions, 4 deletions

diff --git a/engine/lib/input.php b/engine/lib/input.php
index fd33cb3d7..49eb63f13 100644
--- a/engine/lib/input.php
+++ b/engine/lib/input.php
@@ -177,6 +177,11 @@
 		if (!$q = get_input('q')) {
 			exit;
 		}
+
+		$q = mysql_real_escape_string($q);
+
+		// replace mysql vars with escaped strings
+		$q = str_replace(array('_', '%'), array('\_', '\%'), $q);
 		
 		$match_on = get_input('match_on', 'all');
 		if ($match_on == 'all' || $match_on[0] == 'all') {
@@ -214,7 +219,7 @@
 						WHERE e.guid = ue.guid
 							AND e.enabled = 'yes'
 							AND ue.banned = 'no'
-							AND (ue.name LIKE '%$q%' OR ue.username LIKE '$q%')
+							AND (ue.name LIKE '$q%' OR ue.username LIKE '$q%')
 						LIMIT $limit
 					";
 					
@@ -241,7 +246,7 @@
 						WHERE e.guid = ge.guid
 							AND e.enabled = 'yes'
 							$owner_where
-							AND (ge.name LIKE '%$q%' OR ge.description LIKE '%$q%')
+							AND (ge.name LIKE '$q%' OR ge.description LIKE '%$q%')
 						LIMIT $limit
 					";
 					if ($entities = get_data($query)) {
@@ -268,7 +273,7 @@
 							AND e.guid = ue.guid
 							AND e.enabled = 'yes'
 							AND ue.banned = 'no'
-							AND (ue.name LIKE '%$q%' OR ue.username LIKE '$q%')
+							AND (ue.name LIKE '$q%' OR ue.username LIKE '$q%')
 						LIMIT $limit
 					";
 					
@@ -368,4 +373,4 @@
 	register_elgg_event_handler('init','system','input_init');
         
 	
-?>
\ No newline at end of file
+?>