
fix sql escaping in 'logbot-util delete'

Byron Jones 6 years ago
parent
commit
aed5b75594
3 changed files with 16 additions and 10 deletions
  1. 6 3
      lib/LogBot/Database.pm
  2. 6 4
      lib/LogBot/Web/Search.pm
  3. 4 3
      logbot-util

+ 6 - 3
lib/LogBot/Database.pm

@@ -191,9 +191,12 @@ sub replace_sql_placeholders {
 }
 
 sub like_value {
-    my ($value) = @_;
-    $value =~ s/(?=[\\%_])/\\/g;
-    return '%' . $value . '%';
+    my ($field, $value) = @_;
+    my $condition = $field . ' LIKE ?';
+    if ($value =~ s/(?=[\\%_])/\\/g) {
+        $condition .= ' ESCAPE \'\\\'';
+    }
+    return ($condition, '%' . $value . '%');
 }
 
 1;
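Review bot: The new `$field` parameter on line 28 is concatenated into the SQL text verbatim (`$field . ' LIKE ?'`), so like_value now builds part of the query from an argument rather than only binding a value. Every caller in this commit passes the literal `text`, so nothing is exposed today, but the signature invites a future `like_value($column => $value)` with a column name that came from outside, and nothing in the sub would reject it. A one-line guard makes the contract explicit, e.g. `die "like_value: invalid field name '$field'\n" unless $field =~ /\A[A-Za-z_]\w*\z/;` placed before the concatenation, together with a comment such as `# $field is interpolated into SQL, so it must be a trusted column identifier; only $value is bound`. The conditional ESCAPE clause on lines 29–31 is sound: a backslash is only introduced by the substitution, so the clause is needed exactly when it fires.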

+ 6 - 4
lib/LogBot/Web/Search.pm

@@ -122,8 +122,9 @@ sub render {
             # arbitrary amount of hits, switch to a substring search, which
             # will execute much faster.
             if ($count == -1 || $count > $SEARCH_FTS_LIMIT) {
-                push @where,  'text LIKE ? ESCAPE \'\\\'';
-                push @values, like_value($q);
+                my ($condition, $value) = like_value(text => $q);
+                push @where,  $condition;
+                push @values, $value;
 
             } else {
                 #<<<
@@ -137,8 +138,9 @@ sub render {
             }
 
         } else {
-            push @where,  'text LIKE ? ESCAPE \'\\\'';
-            push @values, like_value($q);
+            my ($condition, $value) = like_value(text => $q);
+            push @where,  $condition;
+            push @values, $value;
         }
     }
 

+ 4 - 3
logbot-util

@@ -81,8 +81,9 @@ if ($command eq 'backup') {
         if ($query) {
             my @parts;
             foreach my $word (quotewords('\s+', 0, $query)) {
-                push @parts,  '(text LIKE ?)';
-                push @values, like_value($word);
+                my ($condition, $value) = like_value(text => $word);
+                push @parts,  $condition;
+                push @values, $value;
             }
             push @where, join(' AND ', @parts);
         }
@@ -92,7 +93,7 @@ if ($command eq 'backup') {
         }
         die "query not provided\n" unless @where;
 
-        my $sql_filter = 'FROM logs WHERE (' . join(') AND (', @where) . ') ESCAPE \'\\\' ORDER BY channel,time';
+        my $sql_filter = 'FROM logs WHERE (' . join(') AND (', @where) . ') ORDER BY channel,time';
         my $sql_select = "SELECT * $sql_filter";
         my $sql_count  = "SELECT COUNT(*) $sql_filter";
         say replace_sql_placeholders($dbh, $sql_select, \@values);
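Review bot: An empty `$word` from quotewords on line 71 becomes `text LIKE '%%'`, which matches every row: quotewords('\s+', 0, ...) returns an empty leading element for a query with leading whitespace or a quoted empty string (`""`), and `if ($query)` on line 69 does not catch a whitespace-only query. If this filter drives a delete, as the commit title suggests, such a query would select the whole table; even for the backup/select path it produces a surprising match-all. Add `next unless length $word;` as the first line of the foreach body and tighten the existing check to `die "query not provided\n" unless @parts;` before the join on line 78, so an empty part list cannot become the `WHERE ()` fragment either. The enclosing command dispatch begins before the first hunk and ends after the second, so the later use of `$sql_filter` is outside my view.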