author | plegall <plg@piwigo.org> | 2014-03-25 12:53:10 +0000 |
---|---|---|
committer | plegall <plg@piwigo.org> | 2014-03-25 12:53:10 +0000 |
commit | 9ce59f1af3895ea827e90ceb3f6a9a27ec4357fb (patch) | |
tree | 70aaf45b8fbafcd6ce8a5172151f3d6e11d874b8 | |
parent | 3e09f3ea83f4203cbb7f76fd1b9fb086073a353e (diff) |
merge r26825 from trunk to branch 2.5
bug 3020 and bug 3021 fixed: additional checks in search inputs
git-svn-id: http://piwigo.org/svn/branches/2.5@27933 68402e56-0260-453c-a942-63ccdbb3a9ee
-rw-r--r-- | include/functions_search.inc.php | 12 | ||||
-rw-r--r-- | search.php | 5 | ||||
-rw-r--r-- | search_rules.php | 4 |
3 files changed, 14 insertions, 7 deletions
diff --git a/include/functions_search.inc.php b/include/functions_search.inc.php
index 66be23bb4..8e474019a 100644
--- a/include/functions_search.inc.php
+++ b/include/functions_search.inc.php
@@ -117,9 +117,13 @@ function get_sql_search_clause($search)
 create_function('&$s','$s="(".$s.")";')
 );
 
- array_push(
- $clauses,
- "\n ".
+ // make sure the "mode" is either OR or AND
+ if ($search['fields']['allwords']['mode'] != 'AND' and $search['fields']['allwords']['mode'] != 'OR')
+ {
+ $search['fields']['allwords']['mode'] = 'AND';
+ }
+
+ $clauses[] = "\n ".
 implode(
 "\n ".
 $search['fields']['allwords']['mode'].
@@ -797,4 +801,4 @@ function get_search_results($search_id, $super_order_by, $images_where='')
 return get_quick_search_results($search['q'], $super_order_by, $images_where);
 }
 }
-?>
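Review bot: The new guard reads `$search['fields']['allwords']['mode']` without first checking that the key is set, so a stored search rule that lacks it raises a notice before the value is concatenated into the SQL clause on the following lines; since this whitelist is the only thing keeping `mode` from reaching the query as arbitrary text, make it strict and null-safe: `if (!isset($search['fields']['allwords']['mode']) or !in_array($search['fields']['allwords']['mode'], array('AND', 'OR'), true))`. A short comment such as `// mode is interpolated into SQL: only the two literal keywords are allowed` would record why the fallback to AND exists. The loose `!=` works here only because both literals are non-numeric strings, which is worth not relying on. get_sql_search_clause starts and ends outside this hunk.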
\ No newline at end of file
+?>
diff --git a/search.php b/search.php
index 3e4c0ab3a..84bf8a126 100644
--- a/search.php
+++ b/search.php
@@ -47,6 +47,8 @@ if (isset($_POST['submit']))
 if (isset($_POST['search_allwords'])
 and !preg_match('/^\s*$/', $_POST['search_allwords']))
 {
+ check_input_parameter('mode', $_POST, false, '/^(OR|AND)$/');
+
 $drop_char_match = array(
 '-','^','$',';','#','&','(',')','<','>','`','\'','"','|',',','@','_',
 '?','%','~','.','[',']','{','}',':','\\','/','=','\'','!','*');
@@ -73,6 +75,7 @@ if (isset($_POST['submit']))
 if (isset($_POST['tags']))
 {
 check_input_parameter('tags', $_POST, true, PATTERN_ID);
+ check_input_parameter('tag_mode', $_POST, false, '/^(OR|AND)$/');
 
 $search['fields']['tags'] = array(
 'words' => $_POST['tags'],
@@ -85,7 +88,7 @@ if (isset($_POST['submit']))
 $search['fields']['author'] = array(
 'words' => preg_split(
 '/\s+/',
- $_POST['search_author']
+ strip_tags($_POST['search_author'])
 ),
 'mode' => 'OR',
 );
diff --git a/search_rules.php b/search_rules.php
index 1fe8a628d..c2db933c8 100644
--- a/search_rules.php
+++ b/search_rules.php
@@ -106,7 +106,7 @@ if (isset($search['fields']['author']))
 'search_words',
 sprintf(
 l10n('author(s) : %s'),
- join(', ', $search['fields']['author']['words'])
+ join(', ', array_map('strip_tags', $search['fields']['author']['words']))
 )
 );
 }
@@ -240,4 +240,4 @@ foreach (array('date_available', 'date_creation') as $datefield)
 $template->pparse('search_rules');
 
 include(PHPWG_ROOT_PATH.'include/page_tail.php');
-?>
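Review bot: The `$` anchor in `'/^(OR|AND)$/'` also matches before a final newline, so a `mode` value of `"AND\n"` passes `check_input_parameter` here, and the identical pattern is repeated for `tag_mode` in the next hunk; end the pattern with `\z` or add the `D` modifier, `'/^(OR|AND)$/D'`, and define it once alongside `PATTERN_ID` (a constructed name such as `PATTERN_MODE`) so both call sites stay in step. For `allwords` the normalisation this commit adds in include/functions_search.inc.php masks the looseness, but for `tag_mode` nothing in these hunks shows a downstream re-check, so the input pattern is the only guard I can see. The enclosing `if (isset($_POST['submit']))` block starts and ends outside the hunk.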
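Review bot: `strip_tags($_POST['search_author'])` changes what is searched — an author name containing `<` or `>` can no longer match — while not fully covering the display side, because the words are later assigned to `search_words` and rendered via `$template->pparse('search_rules')`, and `strip_tags` leaves quotes and attribute-style text untouched; the same applies to `array_map('strip_tags', ...)` in search_rules.php in this commit. Prefer storing the words as typed and escaping at the output point, e.g. `join(', ', array_map('htmlspecialchars', $search['fields']['author']['words']))` in search_rules.php (or the template's own escaping), keeping `strip_tags` on input only if rejecting markup in search terms is the intent. Whether the template already escapes `search_words` is not visible from these hunks.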
\ No newline at end of file
+?> |