From a2d77092fe46c857f35bcc6cb0ab4f32c5a3547a Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Sat, 2 Dec 2017 22:58:59 +0300 Subject: [PATCH] search_to_sql: quoting fix --- include/functions.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/include/functions.php b/include/functions.php index 21cf3fef..9e4ed346 100644 --- a/include/functions.php +++ b/include/functions.php @@ -1384,8 +1384,8 @@ switch ($commandpair[0]) { case "title": if ($commandpair[1]) { - array_push($query_keywords, "($not (LOWER(ttrss_entries.title) LIKE '%". - $pdo->quote(mb_strtolower($commandpair[1]))."%'))"); + array_push($query_keywords, "($not (LOWER(ttrss_entries.title) LIKE ". + $pdo->quote('%' . mb_strtolower($commandpair[1]) . '%') ."))"); } else { array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER('%$k%') OR UPPER(ttrss_entries.content) $not LIKE UPPER('%$k%'))"); @@ -1394,8 +1394,8 @@ break; case "author": if ($commandpair[1]) { - array_push($query_keywords, "($not (LOWER(author) LIKE '%". - $pdo->quote(mb_strtolower($commandpair[1]))."%'))"); + array_push($query_keywords, "($not (LOWER(author) LIKE ". + $pdo->quote('%' . mb_strtolower($commandpair[1]) . '%')."))"); } else { array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER('%$k%') OR UPPER(ttrss_entries.content) $not LIKE UPPER('%$k%'))"); @@ -1409,8 +1409,8 @@ else if ($commandpair[1] == "false") array_push($query_keywords, "($not (note IS NULL OR note = ''))"); else - array_push($query_keywords, "($not (LOWER(note) LIKE '%". - $pdo->quote(mb_strtolower($commandpair[1]))."%'))"); + array_push($query_keywords, "($not (LOWER(note) LIKE ". + $pdo->quote('%' . mb_strtolower($commandpair[1]) . '%')."))"); } else { array_push($query_keywords, "(UPPER(ttrss_entries.title) $not LIKE UPPER('%$k%') OR UPPER(ttrss_entries.content) $not LIKE UPPER('%$k%'))"); -- 2.39.2