[HttpKernel] added escaping to the profiler SQLite storage

symfony · Jan 8, 2011 · 10fee8c · 10fee8c
1 parent 50809d2
commit 10fee8c
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 4 deletions.
diff --git a/src/Symfony/Bundle/WebProfilerBundle/Controller/ProfilerController.php b/src/Symfony/Bundle/WebProfilerBundle/Controller/ProfilerController.php
@@ -233,7 +233,7 @@ public function searchAction()
         $tokens = $profiler->find($ip, $url, $limit);
 
         $response = $this->container->get('response');
-        $response->setRedirect($this->container->get('router')->generate('_profiler_search_results', array('token' => $tokens[0]['token'])));
+        $response->setRedirect($this->container->get('router')->generate('_profiler_search_results', array('token' => $tokens ? $tokens[0]['token'] : '')));
 
         return $response;
     }

diff --git a/src/Symfony/Component/HttpKernel/Profiler/SQLiteProfilerStorage.php b/src/Symfony/Component/HttpKernel/Profiler/SQLiteProfilerStorage.php
@@ -40,19 +40,20 @@ public function __construct($store, $lifetime = 86400)
      */
     public function find($ip, $url, $limit)
     {
+        $db = $this->initDb();
+
         $criteria = array();
 
         if ($ip = preg_replace('/[^\d\.]/', '', $ip)) {
-            $criteria[] = ' ip LIKE "%'.$ip.'%"';
+            $criteria[] = " ip LIKE '%".$ip."%'";
         }
 
         if ($url) {
-            $criteria[] = ' url LIKE "%'.$url.'%"';
+            $criteria[] = " url LIKE '%".$db->escapeString($url)."%'";
         }
 
         $criteria = $criteria ? 'WHERE '.implode(' AND ', $criteria) : '';
 
-        $db = $this->initDb();
         $tokens = $this->fetch($db, 'SELECT token, ip, url, time FROM data '.$criteria.' ORDER BY time DESC LIMIT '.((integer) $limit));
         $this->close($db);