Updated the user picker to avoid possible mysql injection attacks and to search only...

author brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>

Wed, 23 Sep 2009 16:18:23 +0000 (16:18 +0000)

committer brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>

Wed, 23 Sep 2009 16:18:23 +0000 (16:18 +0000)
author brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>
Wed, 23 Sep 2009 16:18:23 +0000 (16:18 +0000)
committer brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>
Wed, 23 Sep 2009 16:18:23 +0000 (16:18 +0000)
diff --git a/engine/lib/input.php b/engine/lib/input.php

index fd33cb3d75fa2ad6687557fcce12e34725a97142..49eb63f13c0c5cb479e3c647dca3666a1db287b5 100644 (file)
--- a/engine/lib/input.php
+++ b/engine/lib/input.php
@@ -177,6 +177,11 @@
                 if (!$q = get_input('q')) {
                         exit;
                 }
+
+               $q = mysql_real_escape_string($q);
+
+               // replace mysql vars with escaped strings
+               $q = str_replace(array('_', '%'), array('\_', '\%'), $q);
                 
                 $match_on = get_input('match_on', 'all');
                 if ($match_on == 'all' || $match_on[0] == 'all') {
@@ -214,7 +219,7 @@
                                                 WHERE e.guid = ue.guid
                                                         AND e.enabled = 'yes'
                                                         AND ue.banned = 'no'
-                                                       AND (ue.name LIKE '%$q%' OR ue.username LIKE '$q%')
+                                                       AND (ue.name LIKE '$q%' OR ue.username LIKE '$q%')
                                                 LIMIT $limit
                                         ";
                                         
@@ -241,7 +246,7 @@
                                                 WHERE e.guid = ge.guid
                                                         AND e.enabled = 'yes'
                                                         $owner_where
-                                                       AND (ge.name LIKE '%$q%' OR ge.description LIKE '%$q%')
+                                                       AND (ge.name LIKE '$q%' OR ge.description LIKE '%$q%')
                                                 LIMIT $limit
                                         ";
                                         if ($entities = get_data($query)) {
@@ -268,7 +273,7 @@
                                                         AND e.guid = ue.guid
                                                         AND e.enabled = 'yes'
                                                         AND ue.banned = 'no'
-                                                       AND (ue.name LIKE '%$q%' OR ue.username LIKE '$q%')
+                                                       AND (ue.name LIKE '$q%' OR ue.username LIKE '$q%')
                                                 LIMIT $limit
                                         ";
                                         
@@ -368,4 +373,4 @@
         register_elgg_event_handler('init','system','input_init');
          
         
-?>
-\ No newline at end of file
+?>
author	brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>
	Wed, 23 Sep 2009 16:18:23 +0000 (16:18 +0000)
committer	brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>
	Wed, 23 Sep 2009 16:18:23 +0000 (16:18 +0000)