Improve usage visibility of criteriaSearchString variable

author: Atul Pratap Singh <atulpratapsingh05@gmail.com> 2012-06-30 09:58:46 +0400
committer: Atul Pratap Singh <atulpratapsingh05@gmail.com> 2012-06-30 09:58:46 +0400
commit: 82ff5dc5e065e142b501ec5c91c4b8b5b6ce08ab (patch)
tree: 122cb5316ed0af3acec8b675c349757c346eec2a
parent: 0fc4d56effbd927e106125446d91e2eee78e7c93 (diff)
2 files changed, 39 insertions, 43 deletions
diff --git a/db_search.php b/db_search.php
index 440e713dbd..588b17203f 100644
--- a/db_search.php
+++ b/db_search.php
@@ -64,19 +64,10 @@ if (empty($_REQUEST['criteriaSearchType'])
 if (empty($_REQUEST['criteriaSearchString'])
     || ! is_string($_REQUEST['criteriaSearchString'])
 ) {
+    $criteriaSearchString = '';
     unset($_REQUEST['submit_search']);
-    $searched = '';
 } else {
-    $searched = htmlspecialchars($_REQUEST['criteriaSearchString']);
-    // For "as regular expression" (search option 4), we should not treat
-    // this as an expression that contains a LIKE (second parameter of
-    // PMA_sqlAddSlashes()).
-    //
-    // Usage example: If user is seaching for a literal $ in a regexp search,
-    // he should enter \$ as the value.
-    $criteriaSearchString = PMA_sqlAddSlashes(
-        $_REQUEST['criteriaSearchString'], ($criteriaSearchType == 4 ? false : true)
-    );
+    $criteriaSearchString = $_REQUEST['criteriaSearchString'];
 }
 
 $criteriaTables = array();
@@ -118,8 +109,8 @@ if ( $GLOBALS['is_ajax_request'] != true) {
 if (isset($_REQUEST['submit_search'])) {
     $response->addHTML(
         PMA_dbSearchGetSearchResults(
-            $criteriaTables, $searched, $searchTypeDescription,
-            $criteriaSearchString, $criteriaSearchType,
+            $criteriaTables, $searchTypeDescription,
+            $criteriaSearchString, $criteriaSearchType, 
             (! empty($criteriaColumnName) ? $criteriaColumnName : '')
         )
     );
@@ -136,8 +127,9 @@ if ($GLOBALS['is_ajax_request'] == true) {
 // Add search form
 $response->addHTML(
     PMA_dbSearchGetSelectionForm(
-        $searched, $criteriaSearchType, $tables_names_only, $criteriaTables,
-        $url_params, (! empty($criteriaColumnName) ? $criteriaColumnName : '')
+        $criteriaSearchString, $criteriaSearchType, $tables_names_only,
+        $criteriaTables, $url_params,
+        (! empty($criteriaColumnName) ? $criteriaColumnName : '')
     )
 );
 ?>
diff --git a/libraries/db_search.lib.php b/libraries/db_search.lib.php
index 0eaf37d933..3638270630 100644
--- a/libraries/db_search.lib.php
+++ b/libraries/db_search.lib.php
@@ -14,7 +14,7 @@ if (! defined('PHPMYADMIN')) {
  *
  * @param string  $table                The table name
  * @param string  $criteriaColumnName   Restrict the search to this column
- * @param string  $criteriaSearchString The string to search
+ * @param string  $criteriaSearchString The search word/phrase/regexp to be searched
  * @param integer $criteriaSearchType   Type of search
  *                                      (1 -> 1 word at least, 2 -> all words,
  *                                      3 -> exact string, 4 -> regexp)
@@ -39,12 +39,9 @@ function PMA_getSearchSqls($table, $criteriaColumnName, $criteriaSearchString,
     // Table to use
     $sqlstr_from = ' FROM '
         . PMA_backquote($GLOBALS['db']) . '.' . PMA_backquote($table);
-    // Search words or pattern
-    $search_words    = (($criteriaSearchType > 2)
-        ? array($criteriaSearchString) : explode(' ', $criteriaSearchString));
     // Gets where clause for the query
     $where_clause = PMA_dbSearchGetWhereClause(
-        $table, $search_words, $criteriaSearchType, $criteriaColumnName
+        $table, $criteriaSearchString, $criteriaSearchType, $criteriaColumnName
     );
     // Builds complete queries
     $sql['select_columns'] = $sqlstr_select . ' * ' . $sqlstr_from . $where_clause;
@@ -60,24 +57,33 @@ function PMA_getSearchSqls($table, $criteriaColumnName, $criteriaSearchString,
 /**
  * Provides where clause for bulding SQL query
  *
- * @param string  $table              the table name
- * @param integer $search_words       Search words or pattern
- * @param integer $criteriaSearchType Type of search
- *                                    (1 -> 1 word at least, 2 -> all words,
- *                                    3 -> exact string, 4 -> regexp)
- * @param string  $criteriaColumnName Restrict the search to this column
+ * @param string  $table                The table name
+ * @param integer $criteriaSearchString The search word/phrase/regexp to be searched
+ * @param integer $criteriaSearchType   Type of search
+ *                                      (1 -> 1 word at least, 2 -> all words,
+ *                                      3 -> exact string, 4 -> regexp)
+ * @param string  $criteriaColumnName   Restrict the search to this column
  *
  * @return string The generated where clause
  */
-function PMA_dbSearchGetWhereClause($table, $search_words, $criteriaSearchType,
-    $criteriaColumnName
+function PMA_dbSearchGetWhereClause($table, $criteriaSearchString,
+    $criteriaSearchType, $criteriaColumnName
 ) {
     $where_clause = '';
     // Columns to select
     $allColumns = PMA_DBI_get_columns($GLOBALS['db'], $table);
+    $likeClauses = array();
     $like_or_regex   = (($criteriaSearchType == 4) ? 'REGEXP' : 'LIKE');
     $automatic_wildcard   = (($criteriaSearchType < 3) ? '%' : '');
-    $likeClauses = array();
+    // For "as regular expression" (search option 4), LIKE won't be used
+    // Usage example: If user is seaching for a literal $ in a regexp search,
+    // he should enter \$ as the value.
+    $criteriaSearchString = PMA_sqlAddSlashes(
+        $_REQUEST['criteriaSearchString'], ($criteriaSearchType == 4 ? false : true)
+    );
+    // Search words or pattern
+    $search_words    = (($criteriaSearchType > 2)
+        ? array($criteriaSearchString) : explode(' ', $criteriaSearchString));
 
     foreach ($search_words as $search_word) {
         // Eliminates empty values
@@ -121,9 +127,8 @@ function PMA_dbSearchGetWhereClause($table, $search_words, $criteriaSearchType,
  * Displays database search results
  *
  * @param array   $criteriaTables        Tables on which search is to be performed
- * @param string  $searched              The search word/phrase/regexp
  * @param string  $searchTypeDescription Type of search
- * @param string  $criteriaSearchString  The string to search
+ * @param string  $criteriaSearchString  The search word/phrase/regexp to be searched
  * @param integer $criteriaSearchType    Type of search
  *                                       (1 -> 1 word at least, 2 -> all words,
  *                                       3 -> exact string, 4 -> regexp)
@@ -131,9 +136,8 @@ function PMA_dbSearchGetWhereClause($table, $search_words, $criteriaSearchType,
  *
  * @return string HTML for search results
  */
-function PMA_dbSearchGetSearchResults($criteriaTables, $searched,
-    $searchTypeDescription, $criteriaSearchString, $criteriaSearchType,
-    $criteriaColumnName = null
+function PMA_dbSearchGetSearchResults($criteriaTables, $searchTypeDescription,
+    $criteriaSearchString, $criteriaSearchType, $criteriaColumnName = null
 ) {
     $html_output = '';
     // Displays search string
@@ -142,7 +146,7 @@ function PMA_dbSearchGetSearchResults($criteriaTables, $searched,
         . '<caption class="tblHeaders">'
         . sprintf(
             __('Search results for "<i>%s</i>" %s:'),
-            $searched, $searchTypeDescription
+            htmlspecialchars($criteriaSearchString), $searchTypeDescription
         )
         . '</caption>';
 
@@ -242,16 +246,16 @@ function PMA_dbSearchGetResultsRow($each_table, $newsearchsqls, $odd_row)
 /**
  * Provides the main search form's html
  *
- * @param string  $searched           Keyword/Regular expression to be searched
- * @param integer $criteriaSearchType Type of search (one word, phrase etc.)
- * @param array   $tables_names_only  Names of all tables
- * @param array   $criteriaTables     Tables on which search is to be performed
- * @param array   $url_params         URL parameters
- * @param string  $criteriaColumnName Restrict the search to this column
+ * @param string  $criteriaSearchString Keyword/Regular expression earlier entered
+ * @param integer $criteriaSearchType   Type of search (one word, phrase etc.)
+ * @param array   $tables_names_only    Names of all tables
+ * @param array   $criteriaTables       Tables on which search is to be performed
+ * @param array   $url_params           URL parameters
+ * @param string  $criteriaColumnName   Restrict the search to this column
  *
  * @return string HTML for selection form
  */
-function PMA_dbSearchGetSelectionForm($searched, $criteriaSearchType,
+function PMA_dbSearchGetSelectionForm($criteriaSearchString, $criteriaSearchType,
     $tables_names_only, $criteriaTables, $url_params, $criteriaColumnName = null
 ) {
     $html_output = '<a id="db_search"></a>';
@@ -268,7 +272,7 @@ function PMA_dbSearchGetSelectionForm($searched, $criteriaSearchType,
     $html_output .= '<td>' . __('Words or values to search for (wildcard: "%"):')
         . '</td>';
     $html_output .= '<td><input type="text" name="criteriaSearchString" size="60"'
-        . ' value="' . $searched . '" /></td>';
+        . ' value="' . htmlspecialchars($criteriaSearchString) . '" /></td>';
     $html_output .= '</tr>';
     // choices for types of search
     $html_output .= '<tr>';
author	Atul Pratap Singh <atulpratapsingh05@gmail.com>	2012-06-30 09:58:46 +0400
committer	Atul Pratap Singh <atulpratapsingh05@gmail.com>	2012-06-30 09:58:46 +0400
commit	82ff5dc5e065e142b501ec5c91c4b8b5b6ce08ab (patch)
tree	122cb5316ed0af3acec8b675c349757c346eec2a
parent	0fc4d56effbd927e106125446d91e2eee78e7c93 (diff)