There is no escaping of query data used in this behaviour. This means that if you are using user input as your query, you leave yourself open to attack, or at the very least errors when apostrophes are in the query.

This can be fixed by changing the search() function to include some sanitization like so:
    function search(&$model, $q, $findOptions = array()) {
        // add these two lines here ///////////////////////////////////
        // Escape quotes and other special characters in the user-supplied query
        // before it is interpolated into the MATCH ... AGAINST string literal.
        App::import('Sanitize');
        $q = Sanitize::escape($q);

        if (!$this->SearchIndex) {
            App::import('Model', 'SearchIndex');
            $this->SearchIndex = new SearchIndex();
        }
        $this->SearchIndex->searchModels($this->model->name);

        if (!isset($findOptions['conditions'])) {
            $findOptions['conditions'] = array();
        }
        // $q is now escaped, so the apostrophes around it stay balanced.
        $findOptions['conditions'] = array_merge(
            $findOptions['conditions'],
            array("MATCH(SearchIndex.data) AGAINST('$q' IN BOOLEAN MODE)")
        );
        return $this->SearchIndex->find('all', $findOptions);
    }
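The following stand-alone script is an added illustration, not code from the original issue or from the plugin. It builds the same MATCH ... AGAINST condition from a query containing an apostrophe, once with the value interpolated raw and once escaped first, and applies a cheap quote-balance check that a test suite could run over generated SQL. The helper names (escapeForMysql, buildConditionUnescaped, buildConditionEscaped, hasBalancedQuotes) and the sample inputs are constructed for this example; escapeForMysql() is assumed to reproduce the character set MySQL string escaping covers, standing in for Sanitize::escape(), which in CakePHP 1.2 escapes through the database connection and so is not usable without one.

```php
<?php
// Added example, not the plugin's code. escapeForMysql() is an assumption that
// mirrors MySQL's string escaping rules (backslash, NUL, newline, carriage
// return, single quote, double quote, Ctrl-Z) so the script runs without a DB.
function escapeForMysql($value) {
    return str_replace(
        array("\\",   "\0",  "\n",  "\r",  "'",   '"',   "\x1a"),
        array("\\\\", "\\0", "\\n", "\\r", "\\'", '\\"', "\\Z"),
        $value
    );
}

// Vulnerable form: the raw query lands inside the SQL string literal, exactly
// as the unpatched behaviour does.
function buildConditionUnescaped($q) {
    return "MATCH(SearchIndex.data) AGAINST('$q' IN BOOLEAN MODE)";
}

// Hardened form: the value is escaped before interpolation, which is what the
// proposed Sanitize::escape() call achieves.
function buildConditionEscaped($q) {
    $q = escapeForMysql($q);
    return "MATCH(SearchIndex.data) AGAINST('$q' IN BOOLEAN MODE)";
}

// Cheap structural check: count single quotes not preceded by a backslash.
// The AGAINST literal should contribute exactly two, so an odd total means the
// literal has been broken open by the input. Heuristic only; it is a regression
// guard, not a substitute for escaping or parameterised queries.
function hasBalancedQuotes($sql) {
    return preg_match_all("/(?<!\\\\)'/", $sql, $m) % 2 === 0;
}

// Constructed sample inputs: an ordinary query and one with a legitimate apostrophe.
$inputs = array("cakephp search", "o'reilly");

foreach ($inputs as $q) {
    $raw  = buildConditionUnescaped($q);
    $safe = buildConditionEscaped($q);
    printf("%-16s unescaped: %s [%s]\n", $q, $raw,  hasBalancedQuotes($raw)  ? 'ok' : 'BROKEN');
    printf("%-16s escaped:   %s [%s]\n", $q, $safe, hasBalancedQuotes($safe) ? 'ok' : 'BROKEN');
}
```

Run with `php example.php`: the "o'reilly" input produces a condition with three quotes in the unescaped form (flagged BROKEN) and a balanced `'o\'reilly'` literal in the escaped form. Escaping keeps the string literal intact; it does not validate boolean-mode operators inside the query, so inputs that are syntactically odd for full-text search can still produce database errors rather than results.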
Original issue reported on code.google.com by jamierm...@gmail.com on 14 Oct 2008 at 3:04