From b86ca9fa9b4c8ea61d85a80569e9c4eb1a8b41b4 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Fri, 9 Sep 2016 12:35:42 +0200
Subject: [statistics] Escape % and _ in LIKE queries, translate user input * and ? to % and _
---
 modules-available/statistics/inc/filter.inc.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'modules-available/statistics/inc/filter.inc.php')
diff --git a/modules-available/statistics/inc/filter.inc.php b/modules-available/statistics/inc/filter.inc.php
index ecf222e9..19d38140 100644
--- a/modules-available/statistics/inc/filter.inc.php
+++ b/modules-available/statistics/inc/filter.inc.php
@@ -26,12 +26,17 @@ class Filter
 {
 global $unique_key;
 $key = $this->column . '_arg' . ($unique_key++);
+ $addendum = '';
 /* check if we have to do some parsing*/
 if (Page_Statistics::$columns[$this->column]['type'] == 'date') {
 $args[$key] = strtotime($this->argument);
 } else {
 $args[$key] = $this->argument;
+ if ($this->operator === '~' || $this->operator === '!~') {
+ $args[$key] = str_replace(array('=', '_', '%', '*', '?'), array('==', '=_', '=%', '%', '_'), $args[$key]);
+ $addendum = " ESCAPE '='";
+ }
 }
 $op = $this->operator;
@@ -41,7 +46,7 @@ class Filter
 $op = 'NOT LIKE';
 }
- return $this->column . ' ' . $op . ' :' . $key;
+ return $this->column . ' ' . $op . ' :' . $key . $addendum;
 }
 /* parse a query into an array of filters */
-- 
cgit v1.2.3-55-g7522
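Review bot: The added str_replace in the first hunk is only correct because its search array is applied in order — `=` is doubled first, then `_` and `%` are prefixed with the escape character, and only afterwards `*`/`?` are turned into the SQL wildcards, so the `%`/`_` it introduces are never re-escaped; nothing in the hunk says so, and reordering either array would silently break the escaping. A comment directly above that line would protect it, e.g. `// order matters: escape '=' first, then '_'/'%', and only then map '*'/'?' to wildcards so those are not re-escaped`. The `" ESCAPE '='"` addendum is paired with that escaping on the non-date branch only; a `~`/`!~` filter on a date column still builds a plain LIKE against the strtotime() result, which this commit does not change and which would be worth a one-line comment at the `if` so the asymmetry reads as intended rather than as an omission. The enclosing method begins before the hunk, and the unparameterised `$this->column` concatenation in the second hunk is pre-existing and presumably relies on the column name being validated against `Page_Statistics::$columns` elsewhere — worth confirming outside this diff.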