author | Tim Almdal <tnalmdal@shaw.ca> | 2009-03-03 03:52:21 +0000 |
---|---|---|
committer | Tim Almdal <tnalmdal@shaw.ca> | 2009-03-03 03:52:21 +0000 |
commit | 7bcab31f5d982f8197045ee8499fe6e23635e8e4 (patch) | |
tree | 64790ab9102658aa8eda3a9f1b5a9ce100a1407c | |
parent | 14c1f455788a305102c9e2b1cb742c1fd38f4d41 (diff) |
Fix issue identified by security review... some table names were not
being translated.
-rw-r--r-- | modules/search/helpers/search.php | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/modules/search/helpers/search.php b/modules/search/helpers/search.php
index 6e5da473..3e425289 100644
--- a/modules/search/helpers/search.php
+++ b/modules/search/helpers/search.php
@@ -35,14 +35,14 @@ class search_Core {
 // limit statement. It's possible that if we get rid of the limit (but keep the offset) on
 // the 2nd query and combine the two, it might be faster than making 2 separate queries.
 $count_query = "SELECT COUNT(*) AS C " .
- "FROM `items` JOIN `search_records` ON (`items`.`id` = `search_records`.`item_id`) " .
- "WHERE MATCH(`search_records`.`data`) AGAINST ('$q' IN BOOLEAN MODE) " .
+ "FROM {items} JOIN {search_records} ON ({items}.`id` = {search_records}.`item_id`) " .
+ "WHERE MATCH({search_records}.`data`) AGAINST ('$q' IN BOOLEAN MODE) " .
 $access_sql;
 $count = $db->query($count_query)->current()->C;
- $query = "SELECT `items`.*, MATCH(`search_records`.`data`) AGAINST ('$q') AS `score` " .
- "FROM `items` JOIN `search_records` ON (`items`.`id` = `search_records`.`item_id`) " .
- "WHERE MATCH(`search_records`.`data`) AGAINST ('$q' IN BOOLEAN MODE) " .
+ $query = "SELECT {items}.*, MATCH({search_records}.`data`) AGAINST ('$q') AS `score` " .
+ "FROM {items} JOIN {search_records} ON ({items}.`id` = {search_records}.`item_id`) " .
+ "WHERE MATCH({search_records}.`data`) AGAINST ('$q' IN BOOLEAN MODE) " .
 $access_sql .
 "ORDER BY `score` DESC " .
 "LIMIT $offset, $limit"; |
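Review bot: The new `+` lines still interpolate `$q` directly into both `AGAINST ('$q' ...)` clauses, and the trailing context line does the same for `$offset` and `$limit` in `"LIMIT $offset, $limit"`; the table-prefix translation does nothing for those values, so whether they are safe depends on escaping done before line 35, which is outside this hunk. If `$q` is not already passed through the driver's escape routine (e.g. `$db->escape_str($q)`) and the two pagination values are not coerced to integers, this remains a SQL injection point despite the "security review" in the commit message. I would cast at the point of use so the query cannot depend on upstream sanitisation: `"LIMIT " . (int) $offset . ", " . (int) $limit;`, and add `// $q must be escaped before interpolation; see caller` above `$count_query` until the escaping is visible here. The enclosing method of `search_Core` begins before this hunk, so the escaping may well be there, but it should be confirmed rather than assumed.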