[BUGFIX] Escape search strings for LIKE in DatabaseConnection::searchQuery 99/42899/2
authorMorton Jonuschat <m.jonuschat@mojocode.de>
Fri, 28 Aug 2015 06:43:28 +0000 (08:43 +0200)
committerChristian Kuhn <lolli@schwarzbu.ch>
Wed, 9 Sep 2015 10:28:25 +0000 (12:28 +0200)
LIKE patterns treat the characters _ and % as wildcards. A search string
that contains them must be escaped before it is embedded in a LIKE
pattern, otherwise the characters act as wildcards instead of matching
literally. Use the escapeStrForLike() method to provide properly escaped
strings to the query.

Resolves: #69241
Releases: master
Change-Id: I92316e5a8c6c410307e2a332e73189ef9f9fddd2
Reviewed-on: http://review.typo3.org/42899
Reviewed-by: Alexander Opitz <opitz.alexander@googlemail.com>
Tested-by: Alexander Opitz <opitz.alexander@googlemail.com>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Daniel Goerz <ervaude@gmail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
typo3/sysext/core/Classes/Database/DatabaseConnection.php
typo3/sysext/core/Tests/Unit/Database/DatabaseConnectionTest.php

index cb2db35..5ccb39d 100644 (file)
@@ -722,7 +722,7 @@ class DatabaseConnection {
 
                $queryParts = array();
                foreach ($searchWords as $sw) {
-                       $like = ' LIKE \'%' . $this->quoteStr($sw, $table) . '%\'';
+                       $like = ' LIKE \'%' . $this->quoteStr($this->escapeStrForLike($sw, $table), $table) . '%\'';
                        $queryParts[] = $table . '.' . implode(($like . ' OR ' . $table . '.'), $fields) . $like;
                }
                $query = '(' . implode(') ' . $constraint . ' (', $queryParts) . ')';
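Review bot: The escaping added on line 30 is only complete if escapeStrForLike() also escapes the backslash itself, which this hunk does not show; if it merely prefixes `_` and `%`, a search word such as `a\_b` becomes `a\\_b`, quoteStr() then doubles that to `a\\\\_b`, MySQL's literal parser reduces it back to `a\\_b`, and LIKE reads `\\` as a literal backslash followed by an unescaped `_` wildcard. That is not an injection (quoteStr still neutralises the quote), but it leaves a way to smuggle a wildcard past the fix, so it is worth confirming the helper escapes `\` as well, e.g. `addcslashes($str, '\\_%')`, and correcting it there if not. The call order escapeStrForLike() then quoteStr() is the right one, since the LIKE escape has to be applied before the string-literal escape; a short comment such as `// Escape LIKE wildcards first, then the string literal - order matters` on line 30 would stop a later refactor from swapping them. searchQuery()'s body begins and ends outside this hunk.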
index 3950dd5..ec73cc9 100644 (file)
@@ -131,6 +131,14 @@ class DatabaseConnectionTest extends \TYPO3\CMS\Core\Tests\UnitTestCase {
                                'AND'
                        ),
 
+                       'One search word with special chars (for like)' => array(
+                               '(pages.title LIKE \'%TYPO3\\_100\\%%\')',
+                               array('TYPO3_100%'),
+                               array('title'),
+                               'pages',
+                               'AND'
+                       ),
+
                        'One search word in multiple fields' => array(
                                '(pages.title LIKE \'%TYPO3%\' OR pages.keyword LIKE \'%TYPO3%\' OR pages.description LIKE \'%TYPO3%\')',
                                array('TYPO3'),
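Review bot: The new dataset at lines 39-45 pins only `_` and `%`; a second dataset whose search word contains a backslash, e.g. `array('TYPO3\\_100')`, would pin whether escapeStrForLike() also escapes `\`, which is what decides whether a wildcard can still be smuggled past the fix. Note also that the expected string on line 40 resolves to `%TYPO3\_100\%%` with single backslashes, so it only holds under whatever quoteStr() stub setUp() installs (outside this hunk); against a real MySQL connection quoteStr() would double them, and a one-line comment on the dataset saying so would save the next reader from checking. The data provider this dataset belongs to starts and ends outside the hunk.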
@@ -362,4 +370,4 @@ class DatabaseConnectionTest extends \TYPO3\CMS\Core\Tests\UnitTestCase {
                $this->assertEquals($expectedResult, $sanitizedArray);
        }
 
-}
\ No newline at end of file
+}