From 4094c59f58595d14342bab62035fe7267ba9b3e3 Mon Sep 17 00:00:00 2001
From: Terence Simpson
Date: Wed, 10 Dec 2008 06:48:18 +0000
Subject: [PATCH] Fix a small SQL injection issue and update copyright of factoids.cgi
---
 Encyclopedia/factoids.cgi | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/Encyclopedia/factoids.cgi b/Encyclopedia/factoids.cgi
index 000beaa..f1aa3c4 100755
--- a/Encyclopedia/factoids.cgi
+++ b/Encyclopedia/factoids.cgi
@@ -1,6 +1,7 @@
 #!/usr/bin/python
 ###
 # Copyright (c) 2006,2007 Dennis Kaarsemaker
+# Copyright (C) 2008 Terence Simpson (stdin on irc.freenode.net)
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of version 2 of the GNU General Public License as
@@ -63,12 +64,12 @@ if search:
 query2 = "SELECT COUNT(name) FROM facts WHERE "
 bogus = False
 for k in keys:
- k = k.replace("'","\'")
+ k = repr('%' + k + '%')
 if bogus:
 query1 += ' OR '
 query2 += ' OR '
- query1 += "name LIKE '%%%s%%' OR VAlUE LIKE '%%%s%%'" % (k, k)
- query2 += "name LIKE '%%%s%%' OR VAlUE LIKE '%%%s%%'" % (k, k)
+ query1 += "name LIKE %s OR VAlUE LIKE %s" % (k, k)
+ query2 += "name LIKE %s OR VAlUE LIKE %s" % (k, k)
 bogus=True
 query1 += ') ORDER BY %s LIMIT %d, %d' % (order_by, NUM_PER_PAGE*page, NUM_PER_PAGE)
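Review bot: The new `k = repr('%' + k + '%')` in the second hunk still splices user text into the SQL string by hand, and Python's repr() is not an SQL literal encoder: a key that contains a single quote is emitted as a double-quoted string, which some engines parse as an identifier rather than a string, and non-ASCII or control characters become Python `\x`-style escapes that the database does not decode the same way. The durable fix is to leave the placeholders unformatted, `query1 += "name LIKE %s OR VAlUE LIKE %s"` (same for query2), append `'%' + k + '%'` twice to a parameter list, and hand that list to the driver's execute() call so the library does the quoting; the placeholder token (`%s` or `?`) depends on the DB-API driver, which is not visible in this hunk. The context line `query1 += ') ORDER BY %s LIMIT %d, %d' % (order_by, ...)` interpolates `order_by` directly and parameters cannot cover identifiers, so if that value can originate from the request it should be checked against a fixed set of allowed column names before use. The enclosing `if search:` block and the execute() call lie outside the hunk, so the driver and the origin of `order_by` could not be confirmed here.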