From: Pierre Habouzit (MadCoder Date: Sun, 15 May 2005 19:17:57 +0000 (+0000) Subject: backport X-Git-Tag: xorg/old~119 X-Git-Url: http://git.polytechnique.org/?a=commitdiff_plain;h=0b66f0a39d6615afca3ab76776b461cea787e84c;p=platal.git backport Patches applied: * opensource@polytechnique.org--2005/platal--release--0.9.6--patch-13 fix #307 git-archimport-id: opensource@polytechnique.org--2005/platal--mainline--0.9--patch-643
---
diff --git a/ChangeLog b/ChangeLog
index 551f201..4f24ee4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,11 @@ New : * Search : - Nickname are used in fast search. -Car +Fixes (from 0.9.6 branch) : + + * Search : + - #307: fix bad escaping in advanced search. -MC + ================================================================================ VERSION 0.9.6 07 May 2004
diff --git a/include/search/classes.inc.php b/include/search/classes.inc.php
index 72bb82d..1684a7d 100644
--- a/include/search/classes.inc.php
+++ b/include/search/classes.inc.php
@@ -403,7 +403,8 @@ class RefSField extends SField function compare() {
- return $this->exact ? "='{$this->value}'" : " LIKE '%{$this->value}%'";
+ $val = addslashes($this->value);
+ return $this->exact ? "='$val}'" : " LIKE '%$val%'";
} // }}}
@@ -498,7 +499,7 @@ class StringSField extends SField * @param field nom de champ de la bdd concerné par la clause */ function get_single_where_statement($field) {
- $regexp = strtr($this->value, '-*', '_%');
+ $regexp = strtr(addslashes($this->value), '-*', '_%');
return "$field LIKE '$regexp%'"; }
@@ -509,7 +510,7 @@ class StringSField extends SField function get_order_statement() { if ($this->value!='' && $this->fieldResultName!='') {
- return "{$this->fieldResultName}!='{$this->value}'";
+ return "{$this->fieldResultName}!='".addslashes($this->value)."'";
} else { return false; }
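Review bot: The exact-match branch of the new `compare()` keeps a stray `}` from the removed `{$this->value}` syntax: `"='$val}'"` interpolates `$val` and then appends a literal `}`, so an exact search is compared against `value}` and silently never matches; it should read `return $this->exact ? "='$val'" : " LIKE '%$val%'";`. `addslashes()` also escapes bytes without regard to the connection charset, so with a multibyte charset it can still be bypassed; if the DB layer offers a driver escape function or bound parameters, that belongs here instead of a generic `addslashes()`. The `LIKE` branch still passes a user-typed `%` or `_` through as a wildcard, which may be intended but deserves a comment. `compare()` starts and ends inside the hunk; the enclosing class continues outside it.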
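Review bot: In `get_single_where_statement()` the new `addslashes()` call only handles quotes, backslashes and NUL, so a user-typed `%` or `_` still reaches `LIKE` as a wildcard alongside the ones `strtr` deliberately produces from `-` and `*`; a lone `%` turns the clause into a full-table match. If only `-`/`*` are meant to act as wildcards, escape the literal ones in the same pass: `$regexp = strtr(addslashes($this->value), array('%' => '\%', '_' => '\_', '-' => '_', '*' => '%'));` (the array form of `strtr` does not re-translate characters it has already replaced). Whether user-supplied wildcards are intended cannot be told from the hunk, so either the change or a comment stating that they are allowed is warranted. The method starts and ends inside the hunk; the class continues outside it.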
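Review bot: `get_order_statement()` is the third place in this commit that wraps `$this->value` in `addslashes()` at the point of use, which is how a stray character crept into the `compare()` hunk; a single accessor such as `function escaped_value() { return addslashes($this->value); }` used by the `!=` comparison here and by the `LIKE` clauses would give every SQL fragment one escaping path to audit. Storing the escaped form in `value` itself is not advisable, since the raw value is presumably also echoed back to the user elsewhere. As written the changed line is otherwise correct. The method's closing brace lies outside the hunk.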
@@ -529,7 +530,7 @@ class NameSField extends StringSField function get_single_where_statement($field) {
- $regexp = strtr($this->value, '-*', '_%');
+ $regexp = strtr(addslashes($this->value), '-*', '_%');
return "$field LIKE '$regexp%' OR $field LIKE '% $regexp%' OR $field LIKE '%-$regexp%'"; }
@@ -539,7 +540,7 @@ class NameSField extends StringSField function get_order_statement() { if ($this->value!='' && $this->fieldResultName!='') {
- return "{$this->fieldResultName} NOT LIKE '{$this->value}'";
+ return "{$this->fieldResultName} NOT LIKE '".addslashes($this->value)."'";
} else { return false; }
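Review bot: The three `LIKE` alternatives returned by `NameSField::get_single_where_statement()` are joined with bare `OR` and not parenthesised; if the caller, which is outside this hunk, concatenates several field clauses with `AND`, precedence turns `a AND b OR c OR d` into `(a AND b) OR c OR d` and the other search conditions stop restricting the last two alternatives. Wrapping the expression, `return "($field LIKE '$regexp%' OR $field LIKE '% $regexp%' OR $field LIKE '%-$regexp%')";`, is safe however it is combined. This is pre-existing rather than introduced by the escaping change, but the line is being touched anyway. The method starts and ends inside the hunk; the class continues outside it.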