tonyair/silverstripe-sqlite3
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-sqlite3 synced 2024-10-22 17:05:37 +02:00
Code Issues Projects Releases Wiki Activity

Merge pull request #1 from silverstripe-security/patch/1.4/SS-2017-008

Browse Source 
[SS-2017-008] Fix SQL injection in search engine
This commit is contained in:
Damian Mooyman 2017-12-07 15:59:01 +13:00 committed by GitHub
commit 2bde2640c3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
code/SQLite3Database.php
View File

@ -228,6 +228,8 @@ class SQLite3Database extends SS_Database {
public function searchEngine($classesToSearch, $keywords, $start, $pageLength, $sortBy = "Relevance DESC", public function searchEngine($classesToSearch, $keywords, $start, $pageLength, $sortBy = "Relevance DESC",
$extraFilter = "", $booleanSearch = false, $alternativeFileFilter = "", $invertedMatch = false $extraFilter = "", $booleanSearch = false, $alternativeFileFilter = "", $invertedMatch = false
) { ) {
$start = (int)$start;
$pageLength = (int)$pageLength;
$keywords = $this->escapeString(str_replace(array('*','+','-','"','\''), '', $keywords)); $keywords = $this->escapeString(str_replace(array('*','+','-','"','\''), '', $keywords));
$htmlEntityKeywords = htmlentities(utf8_decode($keywords)); $htmlEntityKeywords = htmlentities(utf8_decode($keywords));
@ -249,7 +251,7 @@ class SQLite3Database extends SS_Database {
$extraFilters['File'] .= " AND ShowInSearch <> 0"; $extraFilters['File'] .= " AND ShowInSearch <> 0";
} }
$limit = $start . ", " . (int) $pageLength; $limit = $start . ", " . $pageLength;
$notMatch = $invertedMatch ? "NOT " : ""; $notMatch = $invertedMatch ? "NOT " : "";
if($keywords) { if($keywords) {