search_to_sql: quoting fix

author Andrew Dolgov <noreply@fakecake.org>

Sat, 2 Dec 2017 19:58:59 +0000 (22:58 +0300)

committer Andrew Dolgov <noreply@fakecake.org>

Sat, 2 Dec 2017 19:58:59 +0000 (22:58 +0300)
author Andrew Dolgov <noreply@fakecake.org>
Sat, 2 Dec 2017 19:58:59 +0000 (22:58 +0300)
committer Andrew Dolgov <noreply@fakecake.org>
Sat, 2 Dec 2017 19:58:59 +0000 (22:58 +0300)
diff --git a/include/functions.php b/include/functions.php

index 21cf3fef8372c9094e3d7f6edf56b0f2c63b6a39..9e4ed34627262af14f6b35f68c31ab5423dbec93 100644 (file)
--- a/include/functions.php
+++ b/include/functions.php
@@ -1384,8 +1384,8 @@
                         switch ($commandpair[0]) {
                                 case "title":
                                         if ($commandpair[1]) {
-                                               array_push($query_keywords, "($not (LOWER(ttrss_entries.title) LIKE '%".
-                                                       $pdo->quote(mb_strtolower($commandpair[1]))."%'))");
+                                               array_push($query_keywords, "($not (LOWER(ttrss_entries.title) LIKE ".
+                                                       $pdo->quote('%' . mb_strtolower($commandpair[1]) . '%') ."))");
                                         } else {
                                                 array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER('%$k%')
                                                                 OR UPPER(ttrss_entries.content) $not LIKE UPPER('%$k%'))");
@@ -1394,8 +1394,8 @@
                                         break;
                                 case "author":
                                         if ($commandpair[1]) {
-                                               array_push($query_keywords, "($not (LOWER(author) LIKE '%".
-                                                       $pdo->quote(mb_strtolower($commandpair[1]))."%'))");
+                                               array_push($query_keywords, "($not (LOWER(author) LIKE ".
+                                                       $pdo->quote('%' . mb_strtolower($commandpair[1]) . '%')."))");
                                         } else {
                                                 array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER('%$k%')
                                                                 OR UPPER(ttrss_entries.content) $not LIKE UPPER('%$k%'))");
@@ -1409,8 +1409,8 @@
                                                 else if ($commandpair[1] == "false")
                                                         array_push($query_keywords, "($not (note IS NULL OR note = ''))");
                                                 else
-                                                       array_push($query_keywords, "($not (LOWER(note) LIKE '%".
-                                                               $pdo->quote(mb_strtolower($commandpair[1]))."%'))");
+                                                       array_push($query_keywords, "($not (LOWER(note) LIKE ".
+                                                               $pdo->quote('%' . mb_strtolower($commandpair[1]) . '%')."))");
                                         } else {
                                                 array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER('%$k%')
                                                                 OR UPPER(ttrss_entries.content) $not LIKE UPPER('%$k%'))");
author	Andrew Dolgov <noreply@fakecake.org>
	Sat, 2 Dec 2017 19:58:59 +0000 (22:58 +0300)
committer	Andrew Dolgov <noreply@fakecake.org>
	Sat, 2 Dec 2017 19:58:59 +0000 (22:58 +0300)