author | brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2009-11-09 21:07:29 +0000 |
---|---|---|
committer | brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2009-11-09 21:07:29 +0000 |
commit | 3e795f3f87a602b8ea77759f89fe0cb791b616ae (patch) | |
tree | b2bde8f319e9676d9cd7dc561525c508b926bd3a /mod/search/start.php | |
parent | 867c8c94a1bed4bc862bc22f05922a5d9492b401 (diff) | |
Sanitising strings to avoid SQL injection.
git-svn-id: http://code.elgg.org/elgg/trunk@3646 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'mod/search/start.php')
-rw-r--r-- | mod/search/start.php | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/mod/search/start.php b/mod/search/start.php
index 02f7da494..aa76c13b2 100644
--- a/mod/search/start.php
+++ b/mod/search/start.php
@@ -334,6 +334,7 @@ function search_get_where_sql($table, $fields, $params) {
 // switch to literal mode
 if (strlen($query) < $CONFIG->search_info['min_chars']) {
 $likes = array();
+ $query = sanitise_string($query);
 foreach ($fields as $field) {
 $likes[] = "$field LIKE '%$query%'";
 }
@@ -352,6 +353,8 @@ function search_get_where_sql($table, $fields, $params) {
 if (strlen($query) < 6) {
 //$options .= ' WITH QUERY EXPANSION';
 }
+ $query = sanitise_string($query);
+ // if query is shorter than the ft_min_word_len switch to literal mode.
 $fields_str = implode(',', $fields);
 //$where = "($table.guid = e.guid AND (MATCH ($fields_str) AGAINST ('$query' $options)))"; |
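Review bot: The `sanitise_string($query)` added before the LIKE loop in the first hunk escapes SQL quoting, but if it wraps mysql_real_escape_string as Elgg's did at the time it leaves `%` and `_` untouched, so those characters in the user's query still act as LIKE wildcards inside `'%$query%'`. That is not an injection, but it means the literal-mode branch does not actually match literally, and a pattern made mostly of wildcards defeats the `min_chars` check the branch is keyed on; escaping the pattern metacharacters first, e.g. `$query = sanitise_string(addcslashes($query, '%_'));`, keeps the pattern literal (MySQL's default LIKE escape is the backslash, which the SQL escaping then preserves). search_get_where_sql starts and ends outside both hunks, so whether `$query` reaches any other SQL string unescaped, or was already escaped by the caller and is now double-escaped, cannot be checked here; the second hunk's call guards only the MATCH ... AGAINST string that follows it, which is cut off at the end of the page. A short comment above each call such as `// escape for use inside a quoted SQL literal; LIKE wildcards handled separately` would record the intended scope of the sanitising.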