When searching for a term with a single quote ('), TinyPortal returns this error:
Database Error
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's and') AS score
FROM smf_tp_articles AS a
LEFT JOIN smf_me...' at line 1
File: /var/www/XXXXX/XXXXXX/web16/web/forum/Sources/TPSearch.php
Line: 201
$what needs to be escaped, I think we can do it with db_quote, I'll look at it when I get the chance.
That would be nice, was not sure how to tackle this
$what = $smcFunc['db_quote'](
'{string:what}',
array(
'what' => $what
)
);
Should do it... can't test it as that's from my phone but I think it's right, might need the global also
We now have this, does this need to be replaced?
// clean the search
$what = TPUtil::filter('tpsearch_what', 'post', 'string');
Quote from: @rjen on October 22, 2023, 09:47:19 PM
We now have this, does this need to be replaced?
// clean the search
$what = TPUtil::filter('tpsearch_what', 'post', 'string');
Just after that line, as we need to sanitise it first then escape it.
Nope..
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\'fjr\''%' OR a.body LIKE '%'\'fjr\''%'
AND ((a.pub_start = 0 AND a....' at line 4
Bestand: /home/deb77453/domains/fjr-club.nl/public_html/test/Sources/TPSearch.php
Regel: 205
Quote:
else {
checkSession('post');
// clean the search
$what = TPUtil::filter('tpsearch_what', 'post', 'string');
$what = $smcFunc['db_quote'](
'{string:what}',
array('what' => $what)
);
if(!empty($_POST['tpsearch_title'])) {
$usetitle = true;
}
if(!empty($_POST['tpsearch_body'])) {
$usebody = true;
}
}
Try it after this line
https://github.com/Tinyportal/TinyPortal/blob/448a8fc09001727dcd3c4644d04f662b8756971d/Sources/TPSearch.php#L159
same issue
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'fjr'%' OR a.body LIKE '%'fjr'%'
AND ((a.pub_start = 0 AND a.pub_end ...' at line 4
Bestand: /home/deb77453/domains/fjr-club.nl/public_html/test/Sources/TPSearch.php
Regel: 205
Then it's not being escaped...
:hmm:
Let's just use built in PHP functions... that'll hopefully point where the issue lies.
$mysqli = mysqli_init();
$what = mysqli_real_escape_string($mysqli, $what);
Put it in the second spot: still no change
$what = implode(' ',$words);
$mysqli = mysqli_init();
$what = mysqli_real_escape_string($mysqli, $what);
}
Put it in the first spot: HTTP ERROR 500
Can you please test this PR https://github.com/Tinyportal/TinyPortal/pull/977/commits
It should fix the issue
Just did a quick test, and it works: searching no longer results in errors, and the ' symbols are included in the search string.
putting 'test' in an article text and 'test' in another
Search for the string test results in hits on the string test without quotes only
Search for the string 'test' results in hits on the string 'test' with quotes only
I assume this is how we want this to work?
Asking this because it reacts slightly differently when putting it in the article TITLE...
putting 'test' in an article title
Search for the string test results in hits on both the strings: test without quotes and the 'test' with quotes
Search for the string 'test' results in hits on the string 'test' with quotes only
It should be a wildcard search so test or 'test' will be returned.
That does depend on your character encoding and database. Not much we can do to change those
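The two failures in this thread (the raw term breaking the literal, and the db_quote'd term giving LIKE '%'fjr'%') and the expected "'test' matches only the quoted row" behaviour can be reproduced side by side. The script below is an added example, not TinyPortal or SMF code; it assumes PHP 8 with the pdo_sqlite extension, and the articles table and its two rows are constructed for the demonstration.

```php
<?php
// Added example, not TinyPortal or SMF code: reproduces the nested-quote
// failures seen in the thread and shows a parameterised LIKE search that keeps
// quotes in the search term as ordinary characters. Assumes PHP 8 with
// pdo_sqlite; the table and its rows are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, subject TEXT, body TEXT)');
$db->exec("INSERT INTO articles (subject, body) VALUES ('test', 'plain test body')");
$db->exec("INSERT INTO articles (subject, body) VALUES ('''test''', 'quoted ''test'' body')");

// 1. The original shape: the raw term is spliced into the SQL text. A single
//    quote in the term closes the literal early and the statement fails to parse.
//    A term of just "%" is also accepted as a wildcard and returns every row.
function searchConcatenated(PDO $db, string $what): array
{
    $sql = "SELECT id FROM articles WHERE subject LIKE '%$what%' OR body LIKE '%$what%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Quoting the term first (what db_quote('{string:what}') hands back) and then
//    splicing it into '%...%' yields LIKE '%'test'%': the quotes are nested, so
//    the statement is still invalid. This is the "near 'fjr'%' OR a.body LIKE
//    '%'fjr'%'" error reported above.
function searchPreQuoted(PDO $db, string $what): array
{
    $quoted = $db->quote($what);   // returns the term WITH surrounding quotes
    $sql = "SELECT id FROM articles WHERE subject LIKE '%$quoted%' OR body LIKE '%$quoted%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Parameterised query: the wildcards belong to the bound value, never to the
//    SQL text, so quotes in the term are plain data. The LIKE metacharacters a
//    user may type (% and _) are escaped with '!' so they match literally.
//    '!' is used rather than backslash because MySQL/MariaDB and SQLite treat
//    backslashes inside string literals differently.
function searchParameterised(PDO $db, string $what): array
{
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $what); // '!' first
    $pattern = '%' . $escaped . '%';
    $stmt = $db->prepare(
        "SELECT id FROM articles WHERE subject LIKE ? ESCAPE '!' OR body LIKE ? ESCAPE '!'"
    );
    $stmt->execute([$pattern, $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Run the three variants over a plain term, a quoted term and a lone wildcard.
foreach (['test', "'test'", '%'] as $term) {
    foreach (['searchConcatenated', 'searchPreQuoted', 'searchParameterised'] as $fn) {
        try {
            $ids = $fn($db, $term);
            printf("%-20s %-8s -> ids [%s]\n", $fn, $term, implode(',', $ids));
        } catch (PDOException $e) {
            printf("%-20s %-8s -> SQL error: %s\n", $fn, $term, $e->getMessage());
        }
    }
}
```

With the parameterised variant, searching test matches both rows and searching 'test' matches only the row that actually contains the quotes, which is the behaviour rjen describes for the fixed version. In SMF-style code the same shape is, as far as I understand the convention, a `$smcFunc['db_query']` call with `LIKE {string:what}` in the query text and the `%` wildcards placed inside the `'what'` parameter value, rather than calling db_quote on the term and concatenating the result into a pattern.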