From 514c994e6a323cd8075da1442c32e65f036539ff Mon Sep 17 00:00:00 2001
From: friendica
Date: Tue, 29 May 2012 17:14:35 -0700
Subject: possible sql injection in search

---
 mod/search.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'mod')

diff --git a/mod/search.php b/mod/search.php
index 20007ada7..466ffc4c3 100644
--- a/mod/search.php
+++ b/mod/search.php
@@ -110,7 +110,7 @@ function search_content(&$a) {
 if (get_config('system','use_fulltext_engine')) {
 if($tag)
-$sql_extra = sprintf(" AND MATCH (`item`.`tag`) AGAINST ('".'"%s"'."' in boolean mode) ", '#'.protect_sprintf($search));
+$sql_extra = sprintf(" AND MATCH (`item`.`tag`) AGAINST ('".'"%s"'."' in boolean mode) ", '#'.dbesc(protect_sprintf($search)));
 else
 $sql_extra = sprintf(" AND MATCH (`item`.`body`) AGAINST ('".'"%s"'."' in boolean mode) ", dbesc(protect_sprintf($search)));
 } else {
-- 
cgit v1.2.3
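Review bot: The added dbesc() closes the SQL string-literal hole in the `$tag` branch and brings it in line with the body branch, but the escaped term is still placed inside the `"%s"` phrase of a boolean-mode MATCH ... AGAINST, so a `"` in `$search` (escaped as `\"` for the SQL literal, but a plain `"` once MySQL has parsed the string) ends the phrase and any following fulltext operators in the term are interpreted by the fulltext parser; that is no longer SQL injection, but an unbalanced quote or parenthesis may make the query fail rather than return no rows. A defensive normalisation ahead of the `if($tag)`, applied to both branches, would avoid that, e.g. `$search = str_replace(array('"','(',')'), ' ', $search);`. The two wrappers also serve different purposes that the line does not explain; a comment such as `// protect_sprintf() keeps '%' out of the sprintf format, dbesc() escapes the value for the SQL string literal` would save the next reader from wondering whether one of them is redundant. search_content() begins and ends outside this hunk, so whether `$search` is already normalised or validated earlier in the function cannot be checked here.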