Fixed: better SQL escaping

Removed: extended inserts on mssql and sqlite, were they really worth it?


git-svn-id: file:///svn/phpbb/trunk@6181 89ea8834-ac86-4346-8a33-228a782c2dd0
Ludovic Arnaud 2006-07-15 14:23:26 +00:00
parent 0bc61ae76c
commit 3b4944a476


@ -989,8 +989,8 @@ class fulltext_native_improved extends search_backend
if (sizeof($unique_add_words)) if (sizeof($unique_add_words))
{ {
$sql = 'SELECT word_id, word_text $sql = 'SELECT word_id, word_text
FROM ' . SEARCH_WORDLIST_TABLE . ' FROM ' . SEARCH_WORDLIST_TABLE . "
WHERE word_text IN (' . implode(', ', preg_replace('#^(.*)$#', '\'$1\'', $unique_add_words)) . ')'; WHERE word_text IN ('" . implode("','", array_map(array(&$db, 'sql_escape'), $unique_add_words)) . "')";
$result = $db->sql_query($sql); $result = $db->sql_query($sql);
$word_ids = array(); $word_ids = array();
@ -1010,19 +1010,7 @@ class fulltext_native_improved extends search_backend
case 'mysql4': case 'mysql4':
case 'mysqli': case 'mysqli':
$sql = 'INSERT INTO ' . SEARCH_WORDLIST_TABLE . " (word_text) $sql = 'INSERT INTO ' . SEARCH_WORDLIST_TABLE . " (word_text)
VALUES ('" . implode("'),('", array_map(array($db, 'sql_escape'), $new_words)) . "')"; VALUES ('" . implode("'),('", array_map(array(&$db, 'sql_escape'), $new_words)) . "')";
$db->sql_query($sql);
break;
case 'mssql':
case 'mssql_odbc':
case 'sqlite':
$new_words = array_map(array($db, 'sql_escape'), $new_words);
// make sure the longest word comes first, so nothing will be truncated
usort($new_words, array(&$this, 'strlencmp'));
$sql = 'INSERT INTO ' . SEARCH_WORDLIST_TABLE . ' (word_text) ' . implode(' UNION ALL ', preg_replace('#^(.*)$#', "SELECT '\$1'", $new_words));
$db->sql_query($sql); $db->sql_query($sql);
break; break;
@ -1068,8 +1056,8 @@ class fulltext_native_improved extends search_backend
{ {
$sql = 'INSERT INTO ' . SEARCH_WORDMATCH_TABLE . " (post_id, word_id, title_match) $sql = 'INSERT INTO ' . SEARCH_WORDMATCH_TABLE . " (post_id, word_id, title_match)
SELECT $post_id, word_id, $title_match SELECT $post_id, word_id, $title_match
FROM " . SEARCH_WORDLIST_TABLE . ' FROM " . SEARCH_WORDLIST_TABLE . "
WHERE word_text IN (' . implode(', ', preg_replace('#^(.*)$#', '\'$1\'', $word_ary)) . ')'; WHERE word_text IN ('" . implode("','", array_map(array(&$db, 'sql_escape'), $word_ary)) . "')";
$db->sql_query($sql); $db->sql_query($sql);
} }
} }
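Review bot: In the third hunk, `SELECT $post_id, word_id, $title_match` still interpolates `$post_id` and `$title_match` straight into the statement without a cast, while the same commit now escapes `$word_ary` on the very next line; unless the caller guarantees both are integers (not visible here), casting them before interpolation, e.g. `$sql = 'INSERT INTO ' . SEARCH_WORDMATCH_TABLE . ' (post_id, word_id, title_match) SELECT ' . (int) $post_id . ', word_id, ' . (int) $title_match . ' FROM ' . SEARCH_WORDLIST_TABLE . " WHERE word_text IN ('" . implode("','", array_map(array(&$db, 'sql_escape'), $word_ary)) . "')";`, would complete the escaping pass this commit starts. The first hunk's `IN ('...')` construction is guarded by `sizeof($unique_add_words)`, but the guard for `$word_ary` in the third hunk lies outside the hunk, so I cannot confirm the array is non-empty; an empty array produces `IN ('')`, which is harmless but deserves a one-line comment at the guard. With the mssql/sqlite `UNION ALL` branch removed in the second hunk, those drivers presumably fall through to a default per-row insert below the hunk — worth a comment on the `switch` so the next reader does not re-add the branch. The enclosing method starts and ends outside the hunks.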