possible sql injection in search

author: friendica <info@friendica.com> 2012-05-29 17:14:35 -0700
committer: friendica <info@friendica.com> 2012-05-29 17:14:35 -0700
commit: 514c994e6a323cd8075da1442c32e65f036539ff (patch)
tree: bfc585c96c00b7e76ca20eb4334ba6d8d18d23b6 /mod/search.php
parent: 21d79e787ef6a1fd183a4f439c2488110841b530 (diff)
download: volse-hubzilla-514c994e6a323cd8075da1442c32e65f036539ff.tar.gz
volse-hubzilla-514c994e6a323cd8075da1442c32e65f036539ff.tar.bz2
volse-hubzilla-514c994e6a323cd8075da1442c32e65f036539ff.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/mod/search.php b/mod/search.php
index 20007ada7..466ffc4c3 100644
--- a/mod/search.php
+++ b/mod/search.php
@@ -110,7 +110,7 @@ function search_content(&$a) {
 
 	if (get_config('system','use_fulltext_engine')) {
 		if($tag)
-			$sql_extra = sprintf(" AND MATCH (`item`.`tag`) AGAINST ('".'"%s"'."' in boolean mode) ", '#'.protect_sprintf($search));
+			$sql_extra = sprintf(" AND MATCH (`item`.`tag`) AGAINST ('".'"%s"'."' in boolean mode) ", '#'.dbesc(protect_sprintf($search)));
 		else
 			$sql_extra = sprintf(" AND MATCH (`item`.`body`) AGAINST ('".'"%s"'."' in boolean mode) ", dbesc(protect_sprintf($search)));
 	} else {
author	friendica <info@friendica.com>	2012-05-29 17:14:35 -0700
committer	friendica <info@friendica.com>	2012-05-29 17:14:35 -0700
commit	514c994e6a323cd8075da1442c32e65f036539ff (patch)
tree	bfc585c96c00b7e76ca20eb4334ba6d8d18d23b6 /mod/search.php
parent	21d79e787ef6a1fd183a4f439c2488110841b530 (diff)
download	volse-hubzilla-514c994e6a323cd8075da1442c32e65f036539ff.tar.gz volse-hubzilla-514c994e6a323cd8075da1442c32e65f036539ff.tar.bz2 volse-hubzilla-514c994e6a323cd8075da1442c32e65f036539ff.zip