From 3e795f3f87a602b8ea77759f89fe0cb791b616ae Mon Sep 17 00:00:00 2001
From: brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>
Date: Mon, 9 Nov 2009 21:07:29 +0000
Subject: Sanitising strings to avoid sql insertion hacks.

git-svn-id: http://code.elgg.org/elgg/trunk@3646 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 mod/search/start.php | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'mod/search/start.php')

diff --git a/mod/search/start.php b/mod/search/start.php
index 02f7da494..aa76c13b2 100644
--- a/mod/search/start.php
+++ b/mod/search/start.php
@@ -334,6 +334,7 @@ function search_get_where_sql($table, $fields, $params) {
 	// switch to literal mode
 	if (strlen($query) < $CONFIG->search_info['min_chars']) {
 		$likes = array();
+		$query = sanitise_string($query);
 		foreach ($fields as $field) {
 			$likes[] = "$field LIKE '%$query%'";
 		}
@@ -352,6 +353,8 @@ function search_get_where_sql($table, $fields, $params) {
 		if (strlen($query) < 6) {
 			//$options .= ' WITH QUERY EXPANSION';
 		}
+		$query = sanitise_string($query);
+
 		// if query is shorter than the ft_min_word_len switch to literal mode.
 		$fields_str = implode(',', $fields);
 		//$where = "($table.guid = e.guid AND (MATCH ($fields_str) AGAINST ('$query' $options)))";
-- 
cgit v1.2.3