[BUGFIX] Indexed Search: Escape search strings for LIKE queries 06/42806/4
authorMorton Jonuschat <m.jonuschat@mojocode.de>
Fri, 21 Aug 2015 09:49:22 +0000 (11:49 +0200)
committerAlexander Opitz <opitz.alexander@googlemail.com>
Wed, 26 Aug 2015 06:46:14 +0000 (08:46 +0200)
LIKE queries support special placeholders (_ and %). These characters
need proper escaping before being used in database queries. Use the
escapeStrForLike() method to provide properly escaped strings to the
query.

Resolves: #69227
Releases: master
Change-Id: I29c41bfecdbc13e8156ab9257b906696bc7a5e4f
Reviewed-on: http://review.typo3.org/42806
Tested-by: Philipp Gampe <philipp.gampe@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Alexander Opitz <opitz.alexander@googlemail.com>
Tested-by: Alexander Opitz <opitz.alexander@googlemail.com>
typo3/sysext/indexed_search/Classes/Domain/Repository/IndexSearchRepository.php

index d906489..f2a3d78 100644 (file)
@@ -465,10 +465,14 @@ class IndexSearchRepository {
         */
        protected function searchSentence($sWord) {
                $this->wSelClauses[] = '1=1';
+               $sWord = $this->getDatabaseConnection()->quoteStr(
+                       $this->getDatabaseConnection()->escapeStrForLike($sWord, 'index_fulltext'),
+                       'index_fulltext'
+               );
                return $this->getDatabaseConnection()->exec_SELECTquery(
                        'ISEC.phash',
                        'index_section ISEC, index_fulltext IFT',
-                       'IFT.fulltextdata LIKE \'%' . $this->getDatabaseConnection()->quoteStr($sWord, 'index_fulltext')
+                       'IFT.fulltextdata LIKE \'%' . $sWord
                                . '%\' AND ISEC.phash = IFT.phash'
                                . $this->sectionTableWhere(),
                        'ISEC.phash'
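Review bot: The added lines overwrite the `$sWord` parameter with its quoted-and-escaped form, so the same variable name now means "raw user word" on entry and "SQL-ready fragment" a few lines later; anything in searchSentence that touches `$sWord` after this point (the method body continues outside the hunk) gets the escaped form, and a later reader has no signal which one they are holding. A distinct local, `$escapedWord = $this->getDatabaseConnection()->quoteStr(...)` used in the LIKE concatenation, keeps the two apart. The ordering is also worth a comment, since it is the whole point of the fix: `// escapeStrForLike() first so the LIKE wildcards are neutralised, then quoteStr() for the string literal`. Whether escapeStrForLike() also covers the backslash escape character for the driver in use is not visible here and should be confirmed against DatabaseConnection.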