Commit 52190686 authored by Jared Hancock's avatar Jared Hancock

orm: Properly escape LIKE SQL expressions

parent d5d652e2
...@@ -1463,6 +1463,8 @@ class MySqlCompiler extends SqlCompiler { ...@@ -1463,6 +1463,8 @@ class MySqlCompiler extends SqlCompiler {
static $operators = array( static $operators = array(
'exact' => '%1$s = %2$s', 'exact' => '%1$s = %2$s',
'contains' => array('self', '__contains'), 'contains' => array('self', '__contains'),
'startwith' => array('self', '__startswith'),
'endswith' => array('self', '__endswith'),
'gt' => '%1$s > %2$s', 'gt' => '%1$s > %2$s',
'lt' => '%1$s < %2$s', 'lt' => '%1$s < %2$s',
'gte' => '%1$s >= %2$s', 'gte' => '%1$s >= %2$s',
...@@ -1473,10 +1475,24 @@ class MySqlCompiler extends SqlCompiler { ...@@ -1473,10 +1475,24 @@ class MySqlCompiler extends SqlCompiler {
'in' => array('self', '__in'), 'in' => array('self', '__in'),
); );
// Thanks, http://stackoverflow.com/a/3683868
function like_escape($what, $e='\\') {
return str_replace(array($e, '%', '_'), array($e.$e, $e.'%', $e.'_'), $what);
}
function __contains($a, $b) { function __contains($a, $b) {
# {%a} like %{$b}% # {%a} like %{$b}%
# XXX: Escape $b # Escape $b
return sprintf('%s LIKE %s', $a, $this->input($b = "%$b%")); $b = $this->like_escape($b);
return sprintf('%s LIKE %s', $a, $this->input("%$b%"));
}
function __startswith($a, $b) {
$b = $this->like_escape($b);
return sprintf('%s LIKE %s', $a, $this->input("%$b"));
}
function __endswith($a, $b) {
$b = $this->like_escape($b);
return sprintf('%s LIKE %s', $a, $this->input("$b%"));
} }
function __in($a, $b) { function __in($a, $b) {
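Review bot: The patterns in the new `__startswith` and `__endswith` are swapped: `__startswith` builds `"%$b"`, which matches values that end with `$b`, and `__endswith` builds `"$b%"`, which matches values that begin with it, so the two `input(...)` arguments should be `"$b%"` and `"%$b"` respectively. In the first hunk the starts-with handler is registered under `'startwith'`, while its sibling key is `'endswith'` and the method is `__startswith`; `'startswith' => array('self', '__startswith'),` keeps the lookup names consistent and avoids callers silently missing the operator. `like_escape` appears to rely on the server's default backslash escape character for LIKE, so if that default could differ by server configuration, an explicit `ESCAPE` clause in the three `sprintf` templates would pin the escaping to what `like_escape` produces. A short header comment on `like_escape` would help, e.g. `// Escape LIKE metacharacters (%, _) and the escape char itself so user input is matched literally, not as a wildcard`. The body of `__in` continues outside this hunk.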
......