mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-08-13 12:14:06 +02:00
Code Issues Releases Wiki Activity

Hopefully this addresses the \' and '' problems with MSSQL, etc. ... I'd like opinions on the security of doing this.

Browse Source 
git-svn-id: file:///svn/phpbb/trunk@1661 89ea8834-ac86-4346-8a33-228a782c2dd0
This commit is contained in:
Paul S. Owen
2001-12-21 15:51:31 +00:00
parent f5afff4c55
commit 6c2e3922b1
4 changed files with 16 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
phpBB/search.php
View File

@@ -294,7 +294,7 @@ else if( $query_keywords != "" || $query_author != "" || $search_id )
$sql = "SELECT user_id
FROM ".USERS_TABLE."
WHERE username LIKE '$query_author'";
WHERE username LIKE '" . str_replace("\'", "''", $query_author) . "'";
$result = $db->sql_query($sql);
if( !$result )
{
@@ -507,7 +507,7 @@ else if( $query_keywords != "" || $query_author != "" || $search_id )
//
if( $query_author != "" )
{
$query_author = str_replace("*", "%", trim($query_author));
$query_author = str_replace("*", "%", trim(str_replace("\'", "''", $query_author)));
}
//
@@ -734,7 +734,7 @@ else if( $query_keywords != "" || $query_author != "" || $search_id )
if( !$result || !$db->sql_affectedrows() )
{
$sql = "INSERT INTO " . SEARCH_TABLE . " (search_id, session_id, search_array)
VALUES($search_id, '" . $userdata['session_id'] . "', '$result_array')";
VALUES($search_id, '" . $userdata['session_id'] . "', '" . str_replace("\'", "''", $result_array) . "')";
if( !$result = $db->sql_query($sql) )
{
message_die(GENERAL_ERROR, "Couldn't insert search results", "", __LINE__, __FILE__, $sql);