From a199bfd5d092e756ca526dc89ae186c0119c05ba Mon Sep 17 00:00:00 2001
From: Doug Bell
Date: Wed, 27 Oct 2010 16:14:46 -0500
Subject: [PATCH] add quoting and validation to search assets

---
 lib/WebGUI/Admin.pm | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/lib/WebGUI/Admin.pm b/lib/WebGUI/Admin.pm
index 7a7822a79..4bc156aaa 100644
--- a/lib/WebGUI/Admin.pm
+++ b/lib/WebGUI/Admin.pm
@@ -360,9 +360,13 @@ as a WHERE clause. Does not return WHERE, as you could also use it for HAVING
 sub getSqlFromQueryString {
 my ( $self, $queryString ) = @_;
+ my $dbh = $self->session->db->dbh;
 my $sqp = Search::QueryParser->new( defField => 'keywords' );
 my $query = $sqp->parse( $queryString );
+ my %isValidOp;
+ @isValidOp{qw( = != < > <= >= : )} = 1;
+ # Recursion is recursive
 my $part = sub {
 my ( $query, $conj ) = @_;
@@ -372,20 +376,26 @@ sub getSqlFromQueryString {
 push @parts, $self->getSqlFromQueryString( $_ );
 }
 elsif ( $part->{field} eq 'keywords' ) {
- push @parts, "MATCH ($part->{field}) AGAINST ('" . $self->getKeywordString( $part->{value} ) . "')";
+ push @parts, "MATCH (" . $dbh->quote_identifier($part->{field}) . ") AGAINST (" . $dbh->quote( $self->getKeywordString( $part->{value} ) ) . ")";
 }
 else {
- # TODO: Add op validation
- # TODO: Add field quoting
- # TODO: Add value quoting
+ next unless $isValidOp{ $part->{op} };
 if ( $part->{op} eq ':' ) {
 my $value = '%' . $part->{value} . '%';
- push @parts, "$part->{field} LIKE '$value'";
+ push @parts, join " ", $dbh->quote_identifier($part->{field}), 'LIKE', $dbh->quote($value), ;
 }
- else {
- push @parts, "$part->{field} $part->{op} '$part->{value}'"
+ elsif {
+ push @parts, join " ", $dbh->quote_identifier($part->{field}), $part->{op}, $dbh->quote($part->{value}), ;
 }
 }
 }
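Review bot: `elsif {` on the new side of the second hunk has no condition, so this file will no longer compile — Perl requires `elsif (EXPR)`; since this branch is the fall-through for every operator that passed the `%isValidOp` check other than `:`, it should simply remain `else {`. The new `next unless $isValidOp{ $part->{op} };` sits inside the `$part` closure; unless that closure has its own loop over the parts (not visible in this hunk), `next` would leave the subroutine with an "Exiting subroutine via next" warning instead of skipping the part, so confirm the loop is there or use `return` / an `if` block. `quote_identifier` removes the SQL-injection risk but still lets a caller name any column in the table (e.g. one they should not be able to filter on), so an allow-list of searchable fields checked before `quote_identifier` would close the remaining hole. In the `:` branch the value is wrapped in `%` without escaping `%`/`_`, so callers can inject their own LIKE wildcards — acceptable only if that is intended. The enclosing `getSqlFromQueryString` opens in the first hunk and ends after this one.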