From f1c82682b831ac7b0340746efac93495cf618c07 Mon Sep 17 00:00:00 2001
From: brettp
Date: Wed, 23 Sep 2009 16:18:23 +0000
Subject: Updated the user picker to avoid possible mysql injection attacks and to search only by leading chars.

git-svn-id: http://code.elgg.org/elgg/trunk@3494 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 engine/lib/input.php | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/engine/lib/input.php b/engine/lib/input.php
index fd33cb3d7..49eb63f13 100644
--- a/engine/lib/input.php
+++ b/engine/lib/input.php
@@ -177,6 +177,11 @@
 if (!$q = get_input('q')) {
 exit;
 }
+
+ $q = mysql_real_escape_string($q);
+
+ // replace mysql vars with escaped strings
+ $q = str_replace(array('_', '%'), array('\_', '\%'), $q);
 
 $match_on = get_input('match_on', 'all');
 if ($match_on == 'all' || $match_on[0] == 'all') {
@@ -214,7 +219,7 @@
 WHERE e.guid = ue.guid
 AND e.enabled = 'yes'
 AND ue.banned = 'no'
- AND (ue.name LIKE '%$q%' OR ue.username LIKE '$q%')
+ AND (ue.name LIKE '$q%' OR ue.username LIKE '$q%')
 LIMIT $limit
 ";
 
@@ -241,7 +246,7 @@
 WHERE e.guid = ge.guid
 AND e.enabled = 'yes'
 $owner_where
- AND (ge.name LIKE '%$q%' OR ge.description LIKE '%$q%')
+ AND (ge.name LIKE '$q%' OR ge.description LIKE '%$q%')
 LIMIT $limit
 ";
 if ($entities = get_data($query)) {
@@ -268,7 +273,7 @@
 AND e.guid = ue.guid
 AND e.enabled = 'yes'
 AND ue.banned = 'no'
- AND (ue.name LIKE '%$q%' OR ue.username LIKE '$q%')
+ AND (ue.name LIKE '$q%' OR ue.username LIKE '$q%')
 LIMIT $limit
 ";
 
@@ -368,4 +373,4 @@
 
 register_elgg_event_handler('init','system','input_init');
 
-?>
\ No newline at end of file
+?>
-- 
cgit v1.2.3
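Review bot: The comment on the new `str_replace` line misdescribes what it does: `_` and `%` are LIKE wildcards, not "mysql vars", and the replacement is what keeps a user-supplied `_` or `%` from matching arbitrary characters; suggest `// escape LIKE wildcards so the search term is matched literally`. The escaping itself (`mysql_real_escape_string` first, then the wildcard replacement) is in the right order, but `mysql_real_escape_string` needs an open mysql link and returns false otherwise, which would silently turn `$q` into an empty prefix — this looks fine if Elgg's connection is already established when this input handler runs, but that is not visible from the hunk. The other interpolated values in the queries of the following three hunks, `$limit` and `$owner_where`, are not touched by this change; if `$limit` comes from request input it should be cast with `(int)` before it reaches `LIMIT $limit` — its origin is outside these hunks. The enclosing function starts before this hunk and continues past it.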
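Review bot: In the group query, `ge.description LIKE '%$q%'` keeps the leading wildcard while `ge.name` and every user/name clause in the neighbouring hunks were changed to prefix-only (`'$q%'`), so this one clause no longer matches the commit's stated intent of "search only by leading chars". If a substring match on description is deliberate, a one-line comment above the `AND (ge.name LIKE ...` line saying so would stop the next reader from "fixing" it; otherwise change it to `ge.description LIKE '$q%'` for consistency. Leading-wildcard LIKE also defeats any index on the column, which matters more for a free-text description than for name. The enclosing function begins and ends outside this hunk.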