Diffstat (limited to 'search.php')
-rw-r--r-- | search.php | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/search.php b/search.php
index 3e4c0ab3a..6feee2780 100644
--- a/search.php
+++ b/search.php
@@ -2,7 +2,7 @@
 // +-----------------------------------------------------------------------+
 // | Piwigo - a PHP based photo gallery |
 // +-----------------------------------------------------------------------+
-// | Copyright(C) 2008-2013 Piwigo Team http://piwigo.org |
+// | Copyright(C) 2008-2014 Piwigo Team http://piwigo.org |
 // | Copyright(C) 2003-2008 PhpWebGallery Team http://phpwebgallery.net |
 // | Copyright(C) 2002-2003 Pierrick LE GALL http://le-gall.net/pierrick |
 // +-----------------------------------------------------------------------+
@@ -47,6 +47,8 @@ if (isset($_POST['submit']))
 if (isset($_POST['search_allwords'])
 and !preg_match('/^\s*$/', $_POST['search_allwords']))
 {
+ check_input_parameter('mode', $_POST, false, '/^(OR|AND)$/');
+
 $drop_char_match = array(
 '-','^','$',';','#','&','(',')','<','>','`','\'','"','|',',','@','_',
 '?','%','~','.','[',']','{','}',':','\\','/','=','\'','!','*');
@@ -73,6 +75,7 @@ if (isset($_POST['submit']))
 if (isset($_POST['tags']))
 {
 check_input_parameter('tags', $_POST, true, PATTERN_ID);
+ check_input_parameter('tag_mode', $_POST, false, '/^(OR|AND)$/');

 $search['fields']['tags'] = array(
 'words' => $_POST['tags'],
@@ -85,7 +88,7 @@ if (isset($_POST['submit']))
 $search['fields']['author'] = array(
 'words' => preg_split(
 '/\s+/',
- $_POST['search_author']
+ strip_tags($_POST['search_author'])
 ),
 'mode' => 'OR',
 );
@@ -108,10 +111,10 @@ if (isset($_POST['submit']))
 {
 $search['fields'][$type_date.'-after'] = array(
 'date' => sprintf(
- '%d-%02d-%02d',
- $_POST['start_year'],
- $_POST['start_month'] != 0 ? $_POST['start_month'] : '01',
- $_POST['start_day'] != 0 ? $_POST['start_day'] : '01'
+ '%d-%02d-%02d',
+ $_POST['start_year'],
+ $_POST['start_month'] != 0 ? $_POST['start_month'] : '01',
+ $_POST['start_day'] != 0 ? $_POST['start_day'] : '01'
 ),
 'inc' => true,
 );
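Review bot: The pattern `'/^(OR|AND)$/'` given to check_input_parameter for `mode` still lets a value with a trailing newline through, because in PCRE `$` also matches just before a final "\n" unless the `D` modifier is set; `'/^(OR|AND)$/D'` (or `\z` in place of `$`) pins the value to exactly the two words. The same pattern is reused for `tag_mode` in the following hunk and would take the same change. What check_input_parameter does on a mismatch, and what happens when `mode` is absent from the POST, is not visible in this hunk. The enclosing `if (isset($_POST['submit']))` block starts and ends outside the hunk.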
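Review bot: `strip_tags($_POST['search_author'])` is used as input cleaning, but strip_tags() is not an escaping function: it only drops `<...>` sequences and leaves quotes, `%`, `_` and backslashes untouched, so the author words still need the DB layer's escaping wherever they are placed into SQL and htmlspecialchars() wherever they are rendered. It also changes the query silently — an author typed as `a<b` becomes `a`, a miss the user cannot see. Those downstream sites are outside this hunk, so I cannot confirm they already escape; a comment on the new line such as `// strip_tags() only removes markup; words are not SQL/HTML-escaped here` would stop the next reader from treating it as sufficient. The `$search['fields']['author']` assignment sits inside the `if (isset($_POST['submit']))` block, which starts and ends outside the hunk.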
@@ -121,10 +124,10 @@ if (isset($_POST['submit']))
 {
 $search['fields'][$type_date.'-before'] = array(
 'date' => sprintf(
- '%d-%02d-%02d',
- $_POST['end_year'],
- $_POST['end_month'] != 0 ? $_POST['end_month'] : '12',
- $_POST['end_day'] != 0 ? $_POST['end_day'] : '31'
+ '%d-%02d-%02d',
+ $_POST['end_year'],
+ $_POST['end_month'] != 0 ? $_POST['end_month'] : '12',
+ $_POST['end_day'] != 0 ? $_POST['end_day'] : '31'
 ),
 'inc' => true,
 );
@@ -149,7 +152,7 @@ INSERT INTO '.SEARCH_TABLE.'
 }
 else
 {
- array_push($page['errors'], l10n('Empty query. No criteria has been entered.'));
+ $page['errors'][] = l10n('Empty query. No criteria has been entered.');
 }
 }
 //----------------------------------------------------------------- redirection |