Open sf23103 opened 4 years ago
Passing the search string through the function mysqli_real_escape_string() is in order.
Line 70 in global/code/Database.class.php:
$query = str_replace('{PREFIX}', $this->table_prefix, $query);
can be changed to:
$query = str_replace('{PREFIX}', $this->table_prefix, $this->dbh->quote($query));
I found an ugly fatal error message: when on the page with the clients list, and then using the search field to search the clients name, and adding an apostrophe at the end of the name. No, I don't have any client names with an apostrophe at the end, it was a total typo, but yikes it didn't like that typo!!!
Fatal error: Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' OR first_name LIKE '%coolnamehere'%' OR email LIKE '%coolnamehere'%' OR account_id LIKE '' at line 3 in /ft_path/global/code/Database.class.php:71 Stack trace: #0 /ft_path/global/code/Database.class.php(71): PDO->prepare('\n SE...') #1 /ft_path/global/code/Clients.class.php(315): FormTools\Database->query('\n SE...') #2 /ft_path/admin/clients/index.php(42): FormTools\Clients::searchClients(Array) #3 {main} thrown in /ft_path/global/code/Database.class.php on line 71
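The error message shows the search term being spliced straight into three `LIKE '%...%'` clauses, so a single apostrophe changes the statement's structure. A syntax error is the visible symptom; the same splicing is an SQL injection vector, and the fix that removes both is to keep the SQL text fixed and bind the search term as a PDO parameter. The script below is an added example, not Form Tools code: it reproduces the failure against an in-memory SQLite database and shows the parameter-bound version of the same search. The table and column names (`clients`, `first_name`, `last_name`, `email`, `account_id`) are assumptions loosely modelled on the query fragment in the error message, and the sample rows are constructed.

```php
<?php
// Added example, not Form Tools code. Reproduces the apostrophe failure from the
// report and shows the parameter-bound version of the same search. Table and
// column names are assumptions modelled on the fragment in the error message;
// an in-memory SQLite database stands in for MySQL so the script runs stand-alone.

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE clients (
    account_id INTEGER PRIMARY KEY,
    first_name TEXT, last_name TEXT, email TEXT)');
// Constructed sample rows; the second surname contains an apostrophe on purpose.
$dbh->exec("INSERT INTO clients (first_name, last_name, email) VALUES
    ('Cool', 'Name', 'cool@example.test'),
    ('Dana', 'O''Brien', 'dana@example.test')");

// Vulnerable form: the keyword is spliced into the SQL text, so a quote in the
// input alters the statement (syntax error at best, injection at worst).
function searchClientsConcat(PDO $dbh, string $keyword): array
{
    $query = "SELECT account_id, first_name, last_name, email FROM clients
              WHERE last_name LIKE '%$keyword%'
                 OR first_name LIKE '%$keyword%'
                 OR email LIKE '%$keyword%'";
    return $dbh->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed and the keyword travels as bound values.
// LIKE's own metacharacters (% and _) are escaped too, so the user's input is
// matched literally rather than interpreted as a pattern.
function searchClientsBound(PDO $dbh, string $keyword): array
{
    // Escape the escape character first, then the two LIKE wildcards.
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $keyword);
    $pattern = '%' . $escaped . '%';
    $stmt = $dbh->prepare(
        "SELECT account_id, first_name, last_name, email FROM clients
         WHERE last_name LIKE :kw1 ESCAPE '!'
            OR first_name LIKE :kw2 ESCAPE '!'
            OR email LIKE :kw3 ESCAPE '!'"
    );
    // Three placeholders instead of one reused name: reusing a named
    // placeholder is only portable when PDO emulates prepares.
    $stmt->execute([':kw1' => $pattern, ':kw2' => $pattern, ':kw3' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$typo = "coolnamehere'";   // the input from the report: a trailing apostrophe

try {
    searchClientsConcat($dbh, $typo);
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . "\n";
}

// The same input is harmless once bound; it simply matches no rows.
echo "bound search for typo returned " . count(searchClientsBound($dbh, $typo)) . " rows\n";
// A legitimate apostrophe in the search term now works as expected.
print_r(searchClientsBound($dbh, "O'Brien"));
// A percent sign in the input is matched literally instead of acting as a wildcard.
echo "bound search for '%' returned " . count(searchClientsBound($dbh, '%')) . " rows\n";
```

Run with `php example.php` (needs the pdo_sqlite extension). The first call fails with the same kind of syntax error as the report; the bound calls return zero rows for the typo, one row for `O'Brien`, and zero rows for a bare `%`. In Form Tools the same change belongs where the search SQL is built (the `Clients::searchClients` frame in the stack trace), not in `Database::query`, because the table-prefix substitution there operates on trusted SQL text while the keyword is the untrusted value.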