
Don't embed ito SQL strings with question marks

Fixes #175
This commit is contained in:
J. King 2019-09-12 09:53:43 -04:00
parent be5ad50f54
commit 3da884dfbc
2 changed files with 5 additions and 2 deletions


@ -165,7 +165,7 @@ class Database {
// nulls are pointless to have // nulls are pointless to have
continue; continue;
} elseif (is_string($v)) { } elseif (is_string($v)) {
if (strlen($v) > self::LIMIT_SET_STRING_LENGTH) { if (strlen($v) > self::LIMIT_SET_STRING_LENGTH || strpos($v, "?") !== false) {
$clause[] = "?"; $clause[] = "?";
$params[] = $v; $params[] = $v;
} else { } else {
@ -205,7 +205,7 @@ class Database {
assert(sizeof($cols) > 0, new Exception("arrayEmpty", "cols")); assert(sizeof($cols) > 0, new Exception("arrayEmpty", "cols"));
$embedSet = sizeof($terms) > ((int) (self::LIMIT_SET_SIZE / sizeof($cols))); $embedSet = sizeof($terms) > ((int) (self::LIMIT_SET_SIZE / sizeof($cols)));
foreach ($terms as $term) { foreach ($terms as $term) {
$embedTerm = ($embedSet && strlen($term) <= self::LIMIT_SET_STRING_LENGTH); $embedTerm = ($embedSet && strlen($term) <= self::LIMIT_SET_STRING_LENGTH && strpos($term, "?") === false);
$term = str_replace(["%", "_", "^"], ["^%", "^_", "^^"], $term); $term = str_replace(["%", "_", "^"], ["^%", "^_", "^^"], $term);
$term = "%$term%"; $term = "%$term%";
$term = $embedTerm ? $this->db->literalString($term) : $term; $term = $embedTerm ? $this->db->literalString($term) : $term;
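Review bot: The LIKE escaping on the line after the changed one, `str_replace(["%", "_", "^"], ["^%", "^_", "^^"], $term)`, applies its replacements left to right, so the `^` inserted in front of `%` and `_` is itself rewritten by the final `^` → `^^` pass and a term such as `100%` becomes `100^^%`, a literal caret followed by an unescaped wildcard. Escaping the escape character first avoids that: `$term = str_replace(["^", "%", "_"], ["^^", "^%", "^_"], $term);`. This is a context line rather than part of the commit, but it is on the same search-term path the commit hardens, and the new `?` guard is evaluated on the raw term before this replacement, so the two interact. The added `strpos($term, "?") === false` also suggests the placeholder scanner does not skip quoted literals; a comment such as `// a "?" inside an embedded literal would be misread as a placeholder, so bind it instead` would keep a later reader from removing the check. The enclosing method starts and ends outside the hunk.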


@ -52,6 +52,7 @@ class TestDatabase extends \JKingWeb\Arsse\Test\AbstractTest {
["$stringList", [], array_merge($strings, [null]), "str"], ["$stringList", [], array_merge($strings, [null]), "str"],
["$stringList,?", [$longString], array_merge($strings, [$longString]), "str"], ["$stringList,?", [$longString], array_merge($strings, [$longString]), "str"],
["$stringList,'A''s'", [], array_merge($strings, ["A's"]), "str"], ["$stringList,'A''s'", [], array_merge($strings, ["A's"]), "str"],
["$stringList,?", ["???"], array_merge($strings, ["???"]), "str"],
["$params", $ints, $ints, "bool"], ["$params", $ints, $ints, "bool"],
]; ];
} }
@ -74,6 +75,8 @@ class TestDatabase extends \JKingWeb\Arsse\Test\AbstractTest {
["(".implode(" or ", $clause).")", [], $terms, ["test"], true], ["(".implode(" or ", $clause).")", [], $terms, ["test"], true],
["(".implode(" and ", $clause).")", [], $terms, ["test"], false], ["(".implode(" and ", $clause).")", [], $terms, ["test"], false],
["(".implode(" or ", $clause)." or test like ? escape '^')", ["%$longString%"], array_merge($terms, [$longString]), ["test"], true], ["(".implode(" or ", $clause)." or test like ? escape '^')", ["%$longString%"], array_merge($terms, [$longString]), ["test"], true],
["(".implode(" or ", $clause)." or test like ? escape '^')", ["%Eh?%"], array_merge($terms, ["Eh?"]), ["test"], true],
["(".implode(" or ", $clause)." or test like ? escape '^')", ["%?%"], array_merge($terms, ["?"]), ["test"], true],
]; ];
} }
} }
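Review bot: None of the new search cases combines a `?` with a LIKE wildcard, so the escaping applied before the term is bound is never checked on the parameter path that this commit introduces. A case such as `["(".implode(" or ", $clause)." or test like ? escape '^')", ["%100^%?%"], array_merge($terms, ["100%?"]), ["test"], true]` would pin that `%` is escaped to `^%` and the result passed as a bound parameter rather than embedded; I would expect it to surface any ordering problem in the escape replacement, which the existing cases cannot. The data provider continues outside the hunk, so the `$clause` and `$terms` fixtures it relies on are not visible here.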