diff options
| author | shadlaws <shad@shadlaws.com> | 2013-01-25 08:47:29 +0100 |
|---|---|---|
| committer | shadlaws <shad@shadlaws.com> | 2013-01-25 08:47:29 +0100 |
| commit | 48bd19808c38a8de20cfece1adc1ffe226da3783 (patch) | |
| tree | d8cdea6ffe7e3862ee38f90082a43e30a7ced0bb /modules/gallery/libraries | |
| parent | 4c1dc8457e82bd8960e10416981b5dadfc3aebe4 (diff) | |
#1956 - Escape LIKE queries (for _ and %).
In MySQL queries, _ and % characters are treated as wildcards (similar to ? and *, respectively).
- Added escape_for_like function to MY_Database.php
- Added unit test to Database_Test
- Corrected the five unescaped instances in the code using this function.
Diffstat (limited to 'modules/gallery/libraries')
| -rw-r--r-- | modules/gallery/libraries/MY_Database.php | 10 | ||||
| -rw-r--r-- | modules/gallery/libraries/drivers/Cache/Database.php | 4 |
2 files changed, 12 insertions, 2 deletions
diff --git a/modules/gallery/libraries/MY_Database.php b/modules/gallery/libraries/MY_Database.php index aae0bb79..33759b67 100644 --- a/modules/gallery/libraries/MY_Database.php +++ b/modules/gallery/libraries/MY_Database.php @@ -88,4 +88,14 @@ abstract class Database extends Database_Core { static function set_default_instance($db) { self::$instances["default"] = $db; } + + /** + * Escape LIKE queries, add wildcards. In MySQL queries using LIKE, _ and % characters are + * treated as wildcards similar to ? and *, respectively. Therefore, we need to escape _, %, + * and \ (the escape character itself). + */ + static function escape_for_like($value) { + // backslash must go first to avoid double-escaping + return addcslashes($value, '\_%'); + } }
\ No newline at end of file diff --git a/modules/gallery/libraries/drivers/Cache/Database.php b/modules/gallery/libraries/drivers/Cache/Database.php index a7aae92c..8790d0e1 100644 --- a/modules/gallery/libraries/drivers/Cache/Database.php +++ b/modules/gallery/libraries/drivers/Cache/Database.php @@ -69,7 +69,7 @@ class Cache_Database_Driver extends Cache_Driver { ->select() ->from("caches"); foreach ($tags as $tag) { - $db->where("tags", "LIKE", "%<$tag>%"); + $db->where("tags", "LIKE", "%" . Database::escape_for_like("<$tag>") . "%"); } $db_result = $db->execute(); @@ -139,7 +139,7 @@ class Cache_Database_Driver extends Cache_Driver { // Delete all caches } else if ($is_tag === true) { foreach ($keys as $tag) { - $db->where("tags", "LIKE", "%<$tag>%"); + $db->where("tags", "LIKE", "%" . Database::escape_for_like("<$tag>") . "%"); } } else { $db->where("key", "IN", $keys); |