Escape sql wildcards % and _ in admin > user_list > advanced search - ref #6735

12 years ago · f678906347
parent 8c771a564d
commit f678906347
2 changed files with 16 additions and 5 deletions
--- a/main/admin/user_list.php
+++ b/main/admin/user_list.php
@ -400,11 +400,11 @@ function get_user_data($from, $number_of_items, $column, $direction) {
 		$keyword = Database::escape_string(trim($_GET['keyword']));
 		$sql .= " WHERE (u.firstname LIKE '%".$keyword."%' OR u.lastname LIKE '%".$keyword."%' OR concat(u.firstname,' ',u.lastname) LIKE '%".$keyword."%' OR concat(u.lastname,' ',u.firstname) LIKE '%".$keyword."%' OR u.username LIKE '%".$keyword."%'  OR u.official_code LIKE '%".$keyword."%' OR u.email LIKE '%".$keyword."%' )";
 	} elseif (isset ($_GET['keyword_firstname'])) {
-		$keyword_firstname = Database::escape_string($_GET['keyword_firstname']);
-		$keyword_lastname = Database::escape_string($_GET['keyword_lastname']);
-		$keyword_email = Database::escape_string($_GET['keyword_email']);
-		$keyword_officialcode = Database::escape_string($_GET['keyword_officialcode']);
-		$keyword_username = Database::escape_string($_GET['keyword_username']);
+		$keyword_firstname = Database::escape_sql_wildcards(Database::escape_string($_GET['keyword_firstname']));
+		$keyword_lastname = Database::escape_sql_wildcards(Database::escape_string($_GET['keyword_lastname']));
+		$keyword_email = Database::escape_sql_wildcards(Database::escape_string($_GET['keyword_email']));
+		$keyword_officialcode = Database::escape_sql_wildcards(Database::escape_string($_GET['keyword_officialcode']));
+		$keyword_username = Database::escape_sql_wildcards(Database::escape_string($_GET['keyword_username']));
 		$keyword_status = Database::escape_string($_GET['keyword_status']);

 		$query_admin_table = '';
--- a/main/inc/lib/database.lib.php
+++ b/main/inc/lib/database.lib.php
@ -432,6 +432,17 @@ class Database {
        return self::use_default_connection($connection) ? mysql_error() : mysql_error($connection);
    }

+    /**
+     * Escape MySQL wildchars _ and % in LIKE search
+     * @param string            The string to escape
+     * @return string           The escaped string
+     */
+    public static function escape_sql_wildcards($in_txt) {
+        $out_txt = api_preg_replace("/_/", "\_", $in_txt);
+        $out_txt = api_preg_replace("/%/", "\%", $out_txt);
+        return $out_txt;
+    }
+
    /**
     * Escapes a string to insert into the database as text
     * @param string							The string to escape