Fix a small SQL injection issue and update copyright of factoids.cgi

Terence Simpson 2008-12-10 06:48:18 +00:00
parent 7fc67de3d6
commit 4094c59f58


@ -1,6 +1,7 @@
#!/usr/bin/python
###
# Copyright (c) 2006,2007 Dennis Kaarsemaker
# Copyright (C) 2008 Terence Simpson <tsimpson@ubuntu.com> (stdin on irc.freenode.net)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of version 2 of the GNU General Public License as
@ -63,12 +64,12 @@ if search:
query2 = "SELECT COUNT(name) FROM facts WHERE "
bogus = False
for k in keys:
k = k.replace("'","\'")
k = repr('%' + k + '%')
if bogus:
query1 += ' OR '
query2 += ' OR '
query1 += "name LIKE '%%%s%%' OR VAlUE LIKE '%%%s%%'" % (k, k)
query2 += "name LIKE '%%%s%%' OR VAlUE LIKE '%%%s%%'" % (k, k)
query1 += "name LIKE %s OR VAlUE LIKE %s" % (k, k)
query2 += "name LIKE %s OR VAlUE LIKE %s" % (k, k)
bogus=True
query1 += ') ORDER BY %s LIMIT %d, %d' % (order_by, NUM_PER_PAGE*page, NUM_PER_PAGE)