From f1c82682b831ac7b0340746efac93495cf618c07 Mon Sep 17 00:00:00 2001
From: brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>
Date: Wed, 23 Sep 2009 16:18:23 +0000
Subject: Updated the user picker to avoid possible mysql injection attacks and
 to search only by leading chars.

git-svn-id: http://code.elgg.org/elgg/trunk@3494 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 engine/lib/input.php | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/engine/lib/input.php b/engine/lib/input.php
index fd33cb3d7..49eb63f13 100644
--- a/engine/lib/input.php
+++ b/engine/lib/input.php
@@ -177,6 +177,11 @@
 		if (!$q = get_input('q')) {
 			exit;
 		}
+
+		$q = mysql_real_escape_string($q);
+
+		// replace mysql vars with escaped strings
+		$q = str_replace(array('_', '%'), array('\_', '\%'), $q);
 		
 		$match_on = get_input('match_on', 'all');
 		if ($match_on == 'all' || $match_on[0] == 'all') {
@@ -214,7 +219,7 @@
 						WHERE e.guid = ue.guid
 							AND e.enabled = 'yes'
 							AND ue.banned = 'no'
-							AND (ue.name LIKE '%$q%' OR ue.username LIKE '$q%')
+							AND (ue.name LIKE '$q%' OR ue.username LIKE '$q%')
 						LIMIT $limit
 					";
 					
@@ -241,7 +246,7 @@
 						WHERE e.guid = ge.guid
 							AND e.enabled = 'yes'
 							$owner_where
-							AND (ge.name LIKE '%$q%' OR ge.description LIKE '%$q%')
+							AND (ge.name LIKE '$q%' OR ge.description LIKE '%$q%')
 						LIMIT $limit
 					";
 					if ($entities = get_data($query)) {
@@ -268,7 +273,7 @@
 							AND e.guid = ue.guid
 							AND e.enabled = 'yes'
 							AND ue.banned = 'no'
-							AND (ue.name LIKE '%$q%' OR ue.username LIKE '$q%')
+							AND (ue.name LIKE '$q%' OR ue.username LIKE '$q%')
 						LIMIT $limit
 					";
 					
@@ -368,4 +373,4 @@
 	register_elgg_event_handler('init','system','input_init');
         
 	
-?>
\ No newline at end of file
+?>
-- 
cgit v1.2.3