From d5d4b8d8e09994a3f31e97870d6b61e409211eff Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 26 Sep 2021 14:21:23 +0200 Subject: [PATCH] Fix escape the undescore on search in website module --- htdocs/core/db/Database.interface.php | 8 ++++++++ htdocs/core/db/mysqli.class.php | 11 +++++++++++ htdocs/core/db/pgsql.class.php | 11 +++++++++++ htdocs/core/db/sqlite3.class.php | 11 +++++++++++ htdocs/core/lib/website.lib.php | 7 ++++--- htdocs/debugbar/class/TraceableDB.php | 11 +++++++++++ 6 files changed, 56 insertions(+), 3 deletions(-) diff --git a/htdocs/core/db/Database.interface.php b/htdocs/core/db/Database.interface.php index 898421978db..f3e5d45afef 100644 --- a/htdocs/core/db/Database.interface.php +++ b/htdocs/core/db/Database.interface.php @@ -177,6 +177,14 @@ interface Database */ public function escape($stringtoencode); + /** + * Escape a string to insert data + * + * @param string $stringtoencode String to escape + * @return string String escaped + */ + public function escapeunderscore($stringtoencode); + /** * Sanitize a string for SQL forging * diff --git a/htdocs/core/db/mysqli.class.php b/htdocs/core/db/mysqli.class.php index 343f4c8cc3e..3a8aabd3bf9 100644 --- a/htdocs/core/db/mysqli.class.php +++ b/htdocs/core/db/mysqli.class.php @@ -430,6 +430,17 @@ class DoliDBMysqli extends DoliDB return $this->db->real_escape_string($stringtoencode); } + /** + * Escape a string to insert data + * + * @param string $stringtoencode String to escape + * @return string String escaped + */ + public function escapeunderscore($stringtoencode) + { + return str_replace('_', '\_', $stringtoencode); + } + /** * Return generic error code of last operation. * diff --git a/htdocs/core/db/pgsql.class.php b/htdocs/core/db/pgsql.class.php index 5a9d47dc40c..543e24a1b12 100644 --- a/htdocs/core/db/pgsql.class.php +++ b/htdocs/core/db/pgsql.class.php @@ -700,6 +700,17 @@ class DoliDBPgsql extends DoliDB return pg_escape_string($stringtoencode); } + /** + * Escape a string to insert data + * + * @param string $stringtoencode String to escape + * @return string String escaped + */ + public function escapeunderscore($stringtoencode) + { + return str_replace('_', '\_', $stringtoencode); + } + /** * Format a SQL IF * diff --git a/htdocs/core/db/sqlite3.class.php b/htdocs/core/db/sqlite3.class.php index 563ccb19aac..008c7311ac8 100644 --- a/htdocs/core/db/sqlite3.class.php +++ b/htdocs/core/db/sqlite3.class.php @@ -635,6 +635,17 @@ class DoliDBSqlite3 extends DoliDB return Sqlite3::escapeString($stringtoencode); } + /** + * Escape a string to insert data + * + * @param string $stringtoencode String to escape + * @return string String escaped + */ + public function escapeunderscore($stringtoencode) + { + return str_replace('_', '\_', $stringtoencode); + } + /** * Renvoie le code erreur generique de l'operation precedente. * diff --git a/htdocs/core/lib/website.lib.php b/htdocs/core/lib/website.lib.php index 89fd777cd20..20380e02aab 100644 --- a/htdocs/core/lib/website.lib.php +++ b/htdocs/core/lib/website.lib.php @@ -866,11 +866,11 @@ function getPagesFromSearchCriterias($type, $algo, $searchstring, $max = 25, $so $sql .= " AND ("; $searchalgo = ''; if (preg_match('/meta/', $algo)) { - $searchalgo .= ($searchalgo ? ' OR ' : '')."wp.title LIKE '%".$db->escape($searchstring)."%' OR wp.description LIKE '%".$db->escape($searchstring)."%'"; - $searchalgo .= ($searchalgo ? ' OR ' : '')."wp.keywords LIKE '".$db->escape($searchstring).",%' OR wp.keywords LIKE '% ".$db->escape($searchstring)."%'"; // TODO Use a better way to scan keywords + $searchalgo .= ($searchalgo ? ' OR ' : '')."wp.title LIKE '%".$db->escapeunderscore($db->escape($searchstring))."%' OR wp.description LIKE '%".$db->escapeunderscore($db->escape($searchstring))."%'"; + $searchalgo .= ($searchalgo ? ' OR ' : '')."wp.keywords LIKE '".$db->escapeunderscore($db->escape($searchstring)).",%' OR wp.keywords LIKE '% ".$db->escapeunderscore($db->escape($searchstring))."%'"; // TODO Use a better way to scan keywords } if (preg_match('/content/', $algo)) { - $searchalgo .= ($searchalgo ? ' OR ' : '')."wp.content LIKE '%".$db->escape($searchstring)."%'"; + $searchalgo .= ($searchalgo ? ' OR ' : '')."wp.content LIKE '%".$db->escapeunderscore($db->escape($searchstring))."%'"; } $sql .= $searchalgo; if (is_array($otherfilters) && !empty($otherfilters['category'])) { @@ -879,6 +879,7 @@ function getPagesFromSearchCriterias($type, $algo, $searchstring, $max = 25, $so $sql .= ")"; $sql .= $db->order($sortfield, $sortorder); $sql .= $db->plimit($max); + //print $sql; $resql = $db->query($sql); if ($resql) { diff --git a/htdocs/debugbar/class/TraceableDB.php b/htdocs/debugbar/class/TraceableDB.php index af11f4c1d67..093e9b36280 100644 --- a/htdocs/debugbar/class/TraceableDB.php +++ b/htdocs/debugbar/class/TraceableDB.php @@ -250,6 +250,17 @@ class TraceableDB extends DoliDB return $this->db->escape($stringtoencode); } + /** + * Escape a string to insert data + * + * @param string $stringtoencode String to escape + * @return string String escaped + */ + public function escapeunderscore($stringtoencode) + { + return $this->db->escapeunderscore($stringtoencode); + } + // phpcs:disable PEAR.NamingConventions.ValidFunctionName.ScopeNotCamelCaps /** * Get last ID after an insert INSERT