author | Atul Pratap Singh <atulpratapsingh05@gmail.com> | 2012-06-30 09:58:46 +0400 |
committer | Atul Pratap Singh <atulpratapsingh05@gmail.com> | 2012-06-30 09:58:46 +0400 |
commit | 82ff5dc5e065e142b501ec5c91c4b8b5b6ce08ab (patch) | |
tree | 122cb5316ed0af3acec8b675c349757c346eec2a | |
parent | 0fc4d56effbd927e106125446d91e2eee78e7c93 (diff) |
Improve usage visibility of criteriaSearchString variable
-rw-r--r-- | db_search.php | 22 | ||||
-rw-r--r-- | libraries/db_search.lib.php | 60 |
2 files changed, 39 insertions, 43 deletions
diff --git a/db_search.php b/db_search.php
index 440e713dbd..588b17203f 100644
--- a/db_search.php
+++ b/db_search.php
@@ -64,19 +64,10 @@ if (empty($_REQUEST['criteriaSearchType'])
 if (empty($_REQUEST['criteriaSearchString']) || ! is_string($_REQUEST['criteriaSearchString']) ) {
+ $criteriaSearchString = '';
 unset($_REQUEST['submit_search']);
- $searched = '';
 } else {
- $searched = htmlspecialchars($_REQUEST['criteriaSearchString']);
- // For "as regular expression" (search option 4), we should not treat
- // this as an expression that contains a LIKE (second parameter of
- // PMA_sqlAddSlashes()).
- //
- // Usage example: If user is seaching for a literal $ in a regexp search,
- // he should enter \$ as the value.
- $criteriaSearchString = PMA_sqlAddSlashes(
- $_REQUEST['criteriaSearchString'], ($criteriaSearchType == 4 ? false : true)
- );
+ $criteriaSearchString = $_REQUEST['criteriaSearchString'];
 }
 $criteriaTables = array();
@@ -118,8 +109,8 @@ if ( $GLOBALS['is_ajax_request'] != true) {
 if (isset($_REQUEST['submit_search'])) {
 $response->addHTML(
 PMA_dbSearchGetSearchResults(
- $criteriaTables, $searched, $searchTypeDescription,
- $criteriaSearchString, $criteriaSearchType,
+ $criteriaTables, $searchTypeDescription,
+ $criteriaSearchString, $criteriaSearchType,
 (! empty($criteriaColumnName) ? $criteriaColumnName : '')
 )
 );
@@ -136,8 +127,9 @@ if ($GLOBALS['is_ajax_request'] == true) {
 // Add search form
 $response->addHTML(
 PMA_dbSearchGetSelectionForm(
- $searched, $criteriaSearchType, $tables_names_only, $criteriaTables,
- $url_params, (! empty($criteriaColumnName) ? $criteriaColumnName : '')
+ $criteriaSearchString, $criteriaSearchType, $tables_names_only,
+ $criteriaTables, $url_params,
+ (! empty($criteriaColumnName) ? $criteriaColumnName : '')
 )
 );
 ?>
diff --git a/libraries/db_search.lib.php b/libraries/db_search.lib.php
index 0eaf37d933..3638270630 100644
--- a/libraries/db_search.lib.php
+++ b/libraries/db_search.lib.php
@@ -14,7 +14,7 @@ if (! defined('PHPMYADMIN')) {
 *
 * @param string $table The table name
 * @param string $criteriaColumnName Restrict the search to this column
- * @param string $criteriaSearchString The string to search
+ * @param string $criteriaSearchString The search word/phrase/regexp to be searched
 * @param integer $criteriaSearchType Type of search
 * (1 -> 1 word at least, 2 -> all words,
 * 3 -> exact string, 4 -> regexp)
@@ -39,12 +39,9 @@ function PMA_getSearchSqls($table, $criteriaColumnName, $criteriaSearchString,
 // Table to use
 $sqlstr_from = ' FROM ' . PMA_backquote($GLOBALS['db']) . '.' . PMA_backquote($table);
- // Search words or pattern
- $search_words = (($criteriaSearchType > 2)
- ? array($criteriaSearchString) : explode(' ', $criteriaSearchString));
 // Gets where clause for the query
 $where_clause = PMA_dbSearchGetWhereClause(
- $table, $search_words, $criteriaSearchType, $criteriaColumnName
+ $table, $criteriaSearchString, $criteriaSearchType, $criteriaColumnName
 );
 // Builds complete queries
 $sql['select_columns'] = $sqlstr_select . ' * ' . $sqlstr_from . $where_clause;
@@ -60,24 +57,33 @@ function PMA_getSearchSqls($table, $criteriaColumnName, $criteriaSearchString,
 /**
 * Provides where clause for bulding SQL query
 *
- * @param string $table the table name
- * @param integer $search_words Search words or pattern
- * @param integer $criteriaSearchType Type of search
- * (1 -> 1 word at least, 2 -> all words,
- * 3 -> exact string, 4 -> regexp)
- * @param string $criteriaColumnName Restrict the search to this column
+ * @param string $table The table name
+ * @param integer $criteriaSearchString The search word/phrase/regexp to be searched
+ * @param integer $criteriaSearchType Type of search
+ * (1 -> 1 word at least, 2 -> all words,
+ * 3 -> exact string, 4 -> regexp)
+ * @param string $criteriaColumnName Restrict the search to this column
 *
 * @return string The generated where clause
 */
-function PMA_dbSearchGetWhereClause($table, $search_words, $criteriaSearchType,
- $criteriaColumnName
+function PMA_dbSearchGetWhereClause($table, $criteriaSearchString,
+ $criteriaSearchType, $criteriaColumnName
 ) {
 $where_clause = '';
 // Columns to select
 $allColumns = PMA_DBI_get_columns($GLOBALS['db'], $table);
+ $likeClauses = array();
 $like_or_regex = (($criteriaSearchType == 4) ? 'REGEXP' : 'LIKE');
 $automatic_wildcard = (($criteriaSearchType < 3) ? '%' : '');
- $likeClauses = array();
+ // For "as regular expression" (search option 4), LIKE won't be used
+ // Usage example: If user is seaching for a literal $ in a regexp search,
+ // he should enter \$ as the value.
+ $criteriaSearchString = PMA_sqlAddSlashes(
+ $_REQUEST['criteriaSearchString'], ($criteriaSearchType == 4 ? false : true)
+ );
+ // Search words or pattern
+ $search_words = (($criteriaSearchType > 2)
+ ? array($criteriaSearchString) : explode(' ', $criteriaSearchString));
 foreach ($search_words as $search_word) {
 // Eliminates empty values
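Review bot: The new PMA_sqlAddSlashes() call in PMA_dbSearchGetWhereClause escapes `$_REQUEST['criteriaSearchString']` instead of the `$criteriaSearchString` parameter that was just added to the signature, so the parameter is never used and the WHERE clause is built from whatever is in the request rather than from what the caller passed. This also couples a library function to request state, and when db_search.php took the "empty or not a string" branch (which sets `$criteriaSearchString = ''` without setting the request key) the superglobal read can hit an undefined index. Escaping the parameter keeps the SQL-escaping contract intact for every caller: `$criteriaSearchString = PMA_sqlAddSlashes(` / `$criteriaSearchString, ($criteriaSearchType == 4 ? false : true)`. The new docblock line `@param integer $criteriaSearchString` should read `@param string`, matching the other docblocks in this commit. The function body continues past the end of this hunk.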
@@ -121,9 +127,8 @@ function PMA_dbSearchGetWhereClause($table, $search_words, $criteriaSearchType,
 * Displays database search results
 *
 * @param array $criteriaTables Tables on which search is to be performed
- * @param string $searched The search word/phrase/regexp
 * @param string $searchTypeDescription Type of search
- * @param string $criteriaSearchString The string to search
+ * @param string $criteriaSearchString The search word/phrase/regexp to be searched
 * @param integer $criteriaSearchType Type of search
 * (1 -> 1 word at least, 2 -> all words,
 * 3 -> exact string, 4 -> regexp)
@@ -131,9 +136,8 @@ function PMA_dbSearchGetWhereClause($table, $search_words, $criteriaSearchType,
 *
 * @return string HTML for search results
 */
-function PMA_dbSearchGetSearchResults($criteriaTables, $searched,
- $searchTypeDescription, $criteriaSearchString, $criteriaSearchType,
- $criteriaColumnName = null
+function PMA_dbSearchGetSearchResults($criteriaTables, $searchTypeDescription,
+ $criteriaSearchString, $criteriaSearchType, $criteriaColumnName = null
 ) {
 $html_output = '';
 // Displays search string
@@ -142,7 +146,7 @@ function PMA_dbSearchGetSearchResults($criteriaTables, $searched,
 . '<caption class="tblHeaders">' . sprintf( __('Search results for "<i>%s</i>" %s:'),
- $searched, $searchTypeDescription
+ htmlspecialchars($criteriaSearchString), $searchTypeDescription
 ) . '</caption>';
@@ -242,16 +246,16 @@ function PMA_dbSearchGetResultsRow($each_table, $newsearchsqls, $odd_row)
 /**
 * Provides the main search form's html
 *
- * @param string $searched Keyword/Regular expression to be searched
- * @param integer $criteriaSearchType Type of search (one word, phrase etc.)
- * @param array $tables_names_only Names of all tables
- * @param array $criteriaTables Tables on which search is to be performed
- * @param array $url_params URL parameters
- * @param string $criteriaColumnName Restrict the search to this column
+ * @param string $criteriaSearchString Keyword/Regular expression earlier entered
+ * @param integer $criteriaSearchType Type of search (one word, phrase etc.)
+ * @param array $tables_names_only Names of all tables
+ * @param array $criteriaTables Tables on which search is to be performed
+ * @param array $url_params URL parameters
+ * @param string $criteriaColumnName Restrict the search to this column
 *
 * @return string HTML for selection form
 */
-function PMA_dbSearchGetSelectionForm($searched, $criteriaSearchType,
+function PMA_dbSearchGetSelectionForm($criteriaSearchString, $criteriaSearchType,
 $tables_names_only, $criteriaTables, $url_params, $criteriaColumnName = null
 ) {
 $html_output = '<a id="db_search"></a>';
@@ -268,7 +272,7 @@ function PMA_dbSearchGetSelectionForm($searched, $criteriaSearchType,
 $html_output .= '<td>' . __('Words or values to search for (wildcard: "%"):') . '</td>';
 $html_output .= '<td><input type="text" name="criteriaSearchString" size="60"'
- . ' value="' . $searched . '" /></td>';
+ . ' value="' . htmlspecialchars($criteriaSearchString) . '" /></td>';
 $html_output .= '</tr>';
 // choices for types of search
 $html_output .= '<tr>'; |