kopia lustrzana https://github.com/friendica/friendica
possible sql injection in search
rodzic
21d79e787e
commit
514c994e6a
|
@ -995,8 +995,8 @@
|
|||
else
|
||||
$sql_extra .= sprintf(" AND `item`.`parent` IN (SELECT distinct(`parent`) from item where ( `author-link` like '%s' or `tag` like '%s' or tag like '%s' )) ",
|
||||
dbesc(protect_sprintf('%' . $myurl)),
|
||||
dbesc(protect_sprintf('%' . $myurl . '\\]%')),
|
||||
dbesc(protect_sprintf('%' . $diasp_url . '\\]%'))
|
||||
dbesc(protect_sprintf('%' . $myurl . ']%')),
|
||||
dbesc(protect_sprintf('%' . $diasp_url . ']%'))
|
||||
);
|
||||
|
||||
if ($max_id > 0)
|
||||
|
|
|
@ -110,7 +110,7 @@ function search_content(&$a) {
|
|||
|
||||
if (get_config('system','use_fulltext_engine')) {
|
||||
if($tag)
|
||||
$sql_extra = sprintf(" AND MATCH (`item`.`tag`) AGAINST ('".'"%s"'."' in boolean mode) ", '#'.protect_sprintf($search));
|
||||
$sql_extra = sprintf(" AND MATCH (`item`.`tag`) AGAINST ('".'"%s"'."' in boolean mode) ", '#'.dbesc(protect_sprintf($search)));
|
||||
else
|
||||
$sql_extra = sprintf(" AND MATCH (`item`.`body`) AGAINST ('".'"%s"'."' in boolean mode) ", dbesc(protect_sprintf($search)));
|
||||
} else {
|
||||
|
|
Ładowanie…
Reference in New Issue