Open AlexanderOMara opened 3 years ago
Hmm, interesting! I'm assuming that a prepared statement was used in the latter example because we're using raw methods (as we should be!!!! Not escaping there would be very bad...). Not sure we can (or need to) use prepared statements with non-raw Eloquent methods, so if we were escaping, it'd be manual.
Do we want to allow wildcards in user searches? That could have conceivable use cases, I suppose?
There's a lot of wrong information on the internet about prepared statements when it comes to LIKE expressions. AFAIK, you actually can't use a prepared statement to get around having to escape the wildcard characters in the string, because LIKE operates on the string data itself.
Ah my bad, I missed the $string = $this->escapeLikeString($string); line :facepalm:
Welp since we have a solution, if we want to change this behavior, I suppose we could just copy over the method. I'm not sure that we'd want to create a whole util class just for this.
Is there a precompiled statement, such as select * from table where a = "?", and does it prevent SQL injection??
If you filter or replace the characters entered by the user, it may also be regarded as an SQL search statement error. It is preferable, on encountering special characters, to directly return zero records.
Bug Report

Current Behavior
Currently if I do a search for %%% in the search bar, it matches all the users. This is because % and _ are wildcards in the LIKE queries.

Steps to Reproduce
%%%

Expected Behavior
I wouldn't expect any users to match.

Screenshots

Environment

Possible Solution
See these functions where the string simply has the % appended without escaping the string first.
https://github.com/flarum/core/blob/023871ef86d436cc14631ee63cbbfd3ef9fd4bf1/src/User/Search/Gambit/FulltextGambit.php#L35-L53
These functions on the other hand do escape the value first.
https://github.com/flarum/core/blob/46794483005b03455ceb128acfd057c26fa4639f/src/User/UserRepository.php#L106-L142
appended without escaping the string first. https://github.com/flarum/core/blob/023871ef86d436cc14631ee63cbbfd3ef9fd4bf1/src/User/Search/Gambit/FulltextGambit.php#L35-L53These functions on the other hand do escape the value first. https://github.com/flarum/core/blob/46794483005b03455ceb128acfd057c26fa4639f/src/User/UserRepository.php#L106-L142