Possible escape issue in searches

[MrMike]

When searching for a term with a single quote ('), TinyPortal returns this error:

Code Select Expand

Database Error
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's and') AS score
FROM smf_tp_articles AS a
LEFT JOIN smf_me...' at line 1
File: /var/www/XXXXX/XXXXXX/web16/web/forum/Sources/TPSearch.php
Line: 201


[tino]

$what needs to be escaped, I think we can do it with db_quote, I'll look at it when I get the chance.

[@rjen]

That would be nice, was not sure how to tackle this

[tino]

Code Select Expand

$what = $smcFunc['db_quote'](
'{string:what}',
array(
'what' => $what
)
);


Should do it... can't test it as that's from my phone but I think it's right, might need the global also

[@rjen]

We now have this, this this needs to be replaced?

Code Select Expand

        // clean the search
        $what = TPUtil::filter('tpsearch_what', 'post', 'string');

[tino]

We now have this, this this needs to be replaced?

Code Select Expand

        // clean the search
        $what = TPUtil::filter('tpsearch_what', 'post', 'string');

Just after that line, as we need to sanitise it first then escape it.

[@rjen]

Nope..

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\'fjr\''%' OR a.body LIKE '%'\'fjr\''%'
AND ((a.pub_start = 0 AND a....' at line 4
Bestand: /home/deb77453/domains/fjr-club.nl/public_html/test/Sources/TPSearch.php
Regel: 205

else {
        checkSession('post');
        // clean the search
        $what = TPUtil::filter('tpsearch_what', 'post', 'string');
      $what = $smcFunc['db_quote'](
      '{string:what}',
      array('what' => $what)
      );
        if(!empty($_POST['tpsearch_title'])) {
            $usetitle = true;
        }
        if(!empty($_POST['tpsearch_body'])) {
            $usebody = true;
        }
    }

[tino]

Try it after this line

https://github.com/Tinyportal/TinyPortal/blob/448a8fc09001727dcd3c4644d04f662b8756971d/Sources/TPSearch.php#L159

[@rjen]

same issue

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'fjr'%' OR a.body LIKE '%'fjr'%'
AND ((a.pub_start = 0 AND a.pub_end ...' at line 4
Bestand: /home/deb77453/domains/fjr-club.nl/public_html/test/Sources/TPSearch.php
Regel: 205

[tino]

Then it's not being escaped...

 

[tino]

Let's just use built in PHP functions... that'll hopefully point where the issue lies.

Code Select Expand

$mysqli = mysqli_init();
$what = mysqli_real_escape_string($mysqli, $what);


[@rjen]

Put it in the second spot: still no change

Code Select Expand

$what = implode(' ',$words);
$mysqli = mysqli_init();
$what = mysqli_real_escape_string($mysqli, $what);
}
Put it in the first spot: HTTP ERROR 500

[tino]

Can you please test this PR https://github.com/Tinyportal/TinyPortal/pull/977/commits

It should fix the issue

[@rjen]

Just did  aquick test, and it works: searching does no longer results in errors, and the ' symbols are included in the search string.

putting 'test' in an article text and 'test' in another

Search for the string test results in hits on the string test without quotes only
Search for the string 'test' results in hits on the string 'test' with quotes only

I assume this is how we want this to work?

Asking this because it reacts slightly differently when putting it in the article TITLE...

putting 'test' in an article title

Search for the string test results in hits on both the strings: test without quotes and the 'test' with quotes
Search for the string 'test' results in hits on the string 'test' with quotes only

[tino]

It should be a wildcard search so test or 'test' will be returned.

That does depend on your character encoding and database. Not much we can do to change those