author | Simon L'nu <simon.lnu@gmail.com> | 2012-05-31 23:22:19 -0400 |
---|---|---|
committer | Simon L'nu <simon.lnu@gmail.com> | 2012-05-31 23:22:19 -0400 |
commit | b1dacd6d838ecf75fe828279e57c2e7a866be22f (patch) | |
tree | 46b41c1f463ab90588f109105c95e85dad8fd432 /mod/search.php | |
parent | 04119d31e51c749cfa81b9a8ac5f52005d71f8c4 (diff) | |
parent | 93bc29a711637c84a4ffc380078277de89af4e6d (diff) | |
Merge branch 'master', remote-tracking branch 'remotes/upstream/master'
* remotes/upstream/master:
turn registration code into a standalone function for re-use
query using both `id` and `parent`
prevent email from leaking in feeds
y didn't i think of this b4?
some zero theming on settings page
missing delimiter
transition to beta for private forums
rev update
Friendicaland - you can't 'live' on a demo server.
Create a "potential default group" called "Friends" on registration.
fix private photos that also have a size specification
private group tests, cont.
hide private group if desired
prvgroup should see intros
private group fix
possible sql injection in search
bugfixes: private photo embeds and search for strings with %
* master:
Diffstat (limited to 'mod/search.php')
-rw-r--r-- | mod/search.php | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/mod/search.php b/mod/search.php index d4cd9d967..466ffc4c3 100644 --- a/mod/search.php +++ b/mod/search.php @@ -110,18 +110,19 @@ function search_content(&$a) { if (get_config('system','use_fulltext_engine')) { if($tag) - $sql_extra = sprintf(" AND MATCH (`item`.`tag`) AGAINST ('".'"%s"'."' in boolean mode) ", '#'.preg_quote($search)); + $sql_extra = sprintf(" AND MATCH (`item`.`tag`) AGAINST ('".'"%s"'."' in boolean mode) ", '#'.dbesc(protect_sprintf($search))); else - $sql_extra = sprintf(" AND MATCH (`item`.`body`) AGAINST ('".'"%s"'."' in boolean mode) ", dbesc(preg_quote($search))); + $sql_extra = sprintf(" AND MATCH (`item`.`body`) AGAINST ('".'"%s"'."' in boolean mode) ", dbesc(protect_sprintf($search))); } else { if($tag) - $sql_extra = sprintf(" AND `item`.`tag` REGEXP '%s' ", dbesc('\\]' . preg_quote($search) . '\\[')); + $sql_extra = sprintf(" AND `item`.`tag` REGEXP '%s' ", dbesc('\\]' . protect_sprintf(preg_quote($search)) . '\\[')); else - $sql_extra = sprintf(" AND `item`.`body` REGEXP '%s' ", dbesc(preg_quote($search))); + $sql_extra = sprintf(" AND `item`.`body` REGEXP '%s' ", dbesc(protect_sprintf(preg_quote($search)))); } + // Here is the way permissions work in the search module... // Only public posts can be shown // OR your own posts if you are a logged in member |
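Review bot: The double-quoted phrase in the two fulltext branches (`AGAINST ('"%s"' in boolean mode)`) is only as tight as dbesc() makes it: if dbesc() is a mysql_real_escape_string-style escape, a `"` in $search comes out as `\"`, which the SQL string layer turns back into `"`, so it terminates the phrase and lets any boolean-mode operator that follows act on the query. That is no longer SQL injection (dbesc() now covers the tag branch too, which the old `'#'.preg_quote($search)` did not), but it can turn a user search into a malformed or unintended fulltext expression; dropping the quote character before wrapping, e.g. `'#'.dbesc(protect_sprintf(str_replace('"', '', $search)))` and the same in the body branch, keeps the phrase closed. The protect_sprintf() wrapping only works if $sql_extra is later passed through exactly one further sprintf-style step (presumably q()), and that step is outside this hunk; a one-line comment above the block, `// protect_sprintf(): $sql_extra is interpolated into a q() format string later, so a literal % must become %%`, would record the dependency for the next maintainer. search_content() begins before this hunk and continues past it.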