authorSimon Rettberg2016-09-09 12:35:42 +0200
committerSimon Rettberg2016-09-09 12:35:42 +0200
commitb86ca9fa9b4c8ea61d85a80569e9c4eb1a8b41b4 (patch)
tree0a977609c0f9e9a011f2053db27f35b8c9e685bb
parent[statistics] Fix currentuser filter (diff)
[statistics] Escape % and _ in LIKE queries, translate user input * and ? to % and _
-rw-r--r--modules-available/statistics/inc/filter.inc.php7
1 files changed, 6 insertions, 1 deletions
diff --git a/modules-available/statistics/inc/filter.inc.php b/modules-available/statistics/inc/filter.inc.php
index ecf222e9..19d38140 100644
--- a/modules-available/statistics/inc/filter.inc.php
+++ b/modules-available/statistics/inc/filter.inc.php
@@ -26,12 +26,17 @@ class Filter
{
global $unique_key;
$key = $this->column . '_arg' . ($unique_key++);
+ $addendum = '';
/* check if we have to do some parsing*/
if (Page_Statistics::$columns[$this->column]['type'] == 'date') {
$args[$key] = strtotime($this->argument);
} else {
$args[$key] = $this->argument;
+ if ($this->operator === '~' || $this->operator === '!~') {
+ $args[$key] = str_replace(array('=', '_', '%', '*', '?'), array('==', '=_', '=%', '%', '_'), $args[$key]);
+ $addendum = " ESCAPE '='";
+ }
}
$op = $this->operator;
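Review bot: The single `str_replace` on the added line is correct only because of the order of its search array — `=` is doubled first, then `_` and `%` are prefixed with the escape character, and only then are the user wildcards `*`/`?` turned into `%`/`_` (which are therefore not re-escaped); nothing in the hunk says this, and reordering any entry silently breaks either the escaping or the wildcard translation. I would put `// Order matters: escape '=' first, then '_'/'%', then map user wildcards '*'/'?' to '%'/'_' so they are not escaped themselves` above that line, and note that after this change a user can no longer search for a literal `*` or `?`. The `ESCAPE '='` addendum only takes effect for the `~`/`!~` operators on non-date columns, so a `~` against a date column still binds the raw `strtotime()` result with no escaping — probably intended, but worth a comment. The enclosing method starts before this hunk (its signature is not visible) and continues into the next one, where `$this->column` is concatenated into the SQL unparameterised; that is fine only if the column name has been checked against `Page_Statistics::$columns` before this point, which this hunk does not show.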
@@ -41,7 +46,7 @@ class Filter
$op = 'NOT LIKE';
}
- return $this->column . ' ' . $op . ' :' . $key;
+ return $this->column . ' ' . $op . ' :' . $key . $addendum;
}
/* parse a query into an array of filters */