From: Andrew Dolgov Date: Sat, 2 Dec 2017 19:58:59 +0000 (+0300) Subject: search_to_sql: quoting fix X-Git-Tag: 17.12~37 X-Git-Url: https://git.wh0rd.org/?p=tt-rss.git;a=commitdiff_plain;h=a2d77092fe46c857f35bcc6cb0ab4f32c5a3547a search_to_sql: quoting fix
---
diff --git a/include/functions.php b/include/functions.php
index 21cf3fef..9e4ed346 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -1384,8 +1384,8 @@
 switch ($commandpair[0]) {
 case "title":
 if ($commandpair[1]) {
- array_push($query_keywords, "($not (LOWER(ttrss_entries.title) LIKE '%".
- $pdo->quote(mb_strtolower($commandpair[1]))."%'))");
+ array_push($query_keywords, "($not (LOWER(ttrss_entries.title) LIKE ".
+ $pdo->quote('%' . mb_strtolower($commandpair[1]) . '%') ."))");
 } else {
 array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER('%$k%')
 OR UPPER(ttrss_entries.content) $not LIKE UPPER('%$k%'))");
@@ -1394,8 +1394,8 @@
 break;
 case "author":
 if ($commandpair[1]) {
- array_push($query_keywords, "($not (LOWER(author) LIKE '%".
- $pdo->quote(mb_strtolower($commandpair[1]))."%'))");
+ array_push($query_keywords, "($not (LOWER(author) LIKE ".
+ $pdo->quote('%' . mb_strtolower($commandpair[1]) . '%')."))");
 } else {
 array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER('%$k%')
 OR UPPER(ttrss_entries.content) $not LIKE UPPER('%$k%'))");
@@ -1409,8 +1409,8 @@
 else if ($commandpair[1] == "false")
 array_push($query_keywords, "($not (note IS NULL OR note = ''))");
 else
- array_push($query_keywords, "($not (LOWER(note) LIKE '%".
- $pdo->quote(mb_strtolower($commandpair[1]))."%'))");
+ array_push($query_keywords, "($not (LOWER(note) LIKE ".
+ $pdo->quote('%' . mb_strtolower($commandpair[1]) . '%')."))");
 } else {
 array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER('%$k%')
 OR UPPER(ttrss_entries.content) $not LIKE UPPER('%$k%'))");
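Review bot: The new `$pdo->quote('%' . mb_strtolower($commandpair[1]) . '%')` on the title, author and note branches produces a correctly quoted literal, but `PDO::quote()` escapes quotes only, so a user-supplied `%` or `_` still acts as a LIKE wildcard: `title:%` matches every row and `_` matches any single character, which turns a bounded search into a full scan. If those characters are meant literally, escape them before quoting, e.g. `$pdo->quote('%' . addcslashes(mb_strtolower($commandpair[1]), '%_\\') . '%')`, keeping in mind that the LIKE escape character differs between backends so an explicit `ESCAPE` clause may be needed. The unchanged `else` branches in all three hunks still interpolate `$k` directly into `UPPER('%$k%')`; whether `$k` was already quoted earlier in the function is outside the hunk, and if it was not, that path remains string-built SQL from user input and deserves the same `$pdo->quote()` treatment. search_to_sql starts and ends outside these hunks.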