From 61c420aed791cc9ea3a3c3393f546695d67bba7c Mon Sep 17 00:00:00 2001
From: GuillaumeValadas
Date: Thu, 15 Aug 2024 12:46:52 +0200
Subject: [PATCH] Fix search issue with special characters, and escape them in SQL. #844 (#846)
* Fix search issue with special characters, and escape them in SQL. #844
* Update functions_entries.inc.php
Co-authored-by: Garvin Hicking <38074677+fe-hicking@users.noreply.github.com>
* Update functions_entries.inc.php
Co-authored-by: Garvin Hicking <38074677+fe-hicking@users.noreply.github.com>
* #844 Simplify code removing If statement because we escape term search anyway + change alias to mysqli_real_escape_string
* Issue #844 Bring back if statement to switch over boolean mode or not + change regex to only catch BOOLEAN Operator that prefix a word
* Update regex boolean mode is trigger only on operator followed by words
* Fix typo on regex
* #844 add another regex to avoid boolean operator alone that could lead to error
---------
Co-authored-by: Garvin Hicking
Co-authored-by: Garvin Hicking <38074677+fe-hicking@users.noreply.github.com>
---
 include/db/mysqli.inc.php | 2 +-
 include/functions_entries.inc.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/db/mysqli.inc.php b/include/db/mysqli.inc.php
index 28157c49f..882487040 100644
--- a/include/db/mysqli.inc.php
+++ b/include/db/mysqli.inc.php
@@ -189,7 +189,7 @@ function serendipity_db_matched_rows() {
 */
 function serendipity_db_escape_string($string) {
 global $serendipity;
- return mysqli_escape_string($serendipity['dbConn'], $string);
+ return mysqli_real_escape_string($serendipity['dbConn'], $string);
 }
 /**
diff --git a/include/functions_entries.inc.php b/include/functions_entries.inc.php
index c870244f3..523281e72 100644
--- a/include/functions_entries.inc.php
+++ b/include/functions_entries.inc.php
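Review bot: The new call is behaviourally identical to the old one, because mysqli_escape_string is an alias of mysqli_real_escape_string, so this line changes nothing about what gets escaped and the "escape them in SQL" part of the commit title should not be read as resting on it. What the function does depend on is the character set of `$serendipity['dbConn']`, since mysqli_real_escape_string escapes relative to the connection's current charset; the function's docblock, which closes at the ` */` context line and otherwise lies outside the hunk, could state `Escapes according to the connection's current character set; the connection must be open and its charset configured before this is called.`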
@@ -882,7 +882,7 @@ function &serendipity_searchEntries($term, $limit = '', $searchresults = '') {
 $cond['distinct'] = '';
 $term = str_replace('"', '"', $term);
 $relevance_enabled = true;
- if (preg_match('@["\+\-\*~<>\(\)]+@', $term)) {
+ if (preg_match('@[\+\-\*~<>\(\)"].[\S]*@', $term) && preg_match('@\s*[\+\-\*~<>\(\)]\s*$@', $term) === 0 ) {
 $cond['find_part'] = "MATCH(title,body,extended) AGAINST('$term' IN BOOLEAN MODE)";
 } else {
 $cond['find_part'] = "MATCH(title,body,extended) AGAINST('$term')";
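Review bot: The first regex on the added line does not enforce "operator followed by a word" as the commit message intends, because `.` also matches a space and `[\S]*` may match nothing, so a term such as `+ foo` still selects BOOLEAN MODE; `preg_match('@[\+\-\*~<>\(\)"]\S+@', $term)` is the tighter form. Combined with the trailing-operator check, the new condition also means a term ending in the wildcard operator, e.g. `foo*`, never enters BOOLEAN MODE where the old regex did, which is a behaviour change worth confirming is intended. Neither regex escapes anything: `$term` is still interpolated into the `AGAINST('$term' ...)` literals on the following lines, so the escaping the commit title claims must already happen earlier in serendipity_searchEntries, whose body starts before this hunk; confirming that serendipity_db_escape_string is applied to `$term` before line 882 is the check that matters here. The stray space in `=== 0 )` is a style nit.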