
Fixing SQL statements using LIKE... the string value needs to be escaped twice.
1 parent f938af9 commit 682fc237427089745662f5205bfdac733a949639 @a-fung committed Oct 24, 2012
Showing with 12 additions and 6 deletions.
  1. +6 −3 source/aspnetserver/Manga.cs
  2. +6 −3 source/haxe/afung/mangaWeb3/server/Manga.hx
@@ -246,7 +246,8 @@ public static Manga GetByPath(string path)
private static Manga[] GetSameFileName(int cid, string path)
{
string fileName = Database.Quote(path.Substring(path.LastIndexOf("\\")));
- fileName = fileName.Substring(1, fileName.Length - 2).Replace("\\", "\\\\").Replace("%", "\\%");
+ fileName = Database.Quote(fileName.Substring(1, fileName.Length - 2));
+ fileName = fileName.Substring(1, fileName.Length - 2).Replace("%", "\\%");
string where = "`cid`=" + Database.Quote(cid.ToString()) + " AND `path` LIKE '%" + fileName + "'";
return GetMangas(where);
@@ -328,7 +329,8 @@ public static Manga[] GetMangaList(AjaxBase ajax, MangaFilter filter)
if (filter.search.title != null && filter.search.title != "")
{
string title = Database.Quote(filter.search.title);
- title = title.Substring(1, title.Length - 2).Replace("\\", "\\\\").Replace("%", "\\%");
+ title = Database.Quote(title.Substring(1, title.Length - 2));
+ title = title.Substring(1, title.Length - 2).Replace("%", "\\%");
where += " AND `title` LIKE '%" + title + "%'";
}
@@ -383,7 +385,8 @@ public static Manga[] GetMangaList(AjaxBase ajax, MangaFilter filter)
else
{
string actualPath = Database.Quote(index == -1 ? collection.Path.Substring(0, collection.Path.Length - 1) : collection.Path + relativePath);
- actualPath = actualPath.Substring(1, actualPath.Length - 2).Replace("\\", "\\\\").Replace("%", "\\%");
+ actualPath = Database.Quote(actualPath.Substring(1, actualPath.Length - 2));
+ actualPath = actualPath.Substring(1, actualPath.Length - 2).Replace("%", "\\%");
where += " AND `cid`=" + Database.Quote(collection.Id.ToString());
where += " AND `path` LIKE '" + actualPath + "\\\\\\\\%'" + (folderSetting == 2 ? " AND `path` NOT LIKE '" + actualPath + "\\\\\\\\%\\\\\\\\%'" : "");
}
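Review bot: The new escaping in the title-search hunk, `title = title.Substring(1, title.Length - 2).Replace("%", "\\%");`, still leaves `_` untouched, so a user-supplied `filter.search.title` containing `_` acts as a single-character wildcard inside `LIKE '%" + title + "%'`, and the same gap exists in GetSameFileName and the actualPath hunk, where a `_` in a stored path can make a "same file name" or folder match return more rows than intended. Add the second replacement at all three sites: `.Replace("%", "\\%").Replace("_", "\\_")`. The quote-twice approach is also only correct if Database.Quote performs MySQL-style backslash escaping and the server is not running with NO_BACKSLASH_ESCAPES, which cannot be confirmed from this diff; a comment stating that assumption where the sequence first appears, or a single `EscapeLike` helper replacing the three copies of the strip-and-requote sequence, would make the intent clearer. Longer term, binding the pattern as a query parameter (escaping `\`, `%` and `_` exactly once) would remove the dependency on the literal syntax that Database.Quote produces. The enclosing GetMangaList method starts and ends outside the hunks shown.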
@@ -209,7 +209,8 @@ class Manga
private static function GetSameFileName(cid:Int, path:String):Array<Manga>
{
var fileName:String = Database.Quote(path.substr(path.lastIndexOf("/")));
- fileName = StringTools.replace(StringTools.replace(fileName.substr(1, fileName.length - 2), "\\", "\\\\"), "%", "\\%");
+ fileName = Database.Quote(fileName.substr(1, fileName.length - 2));
+ fileName = StringTools.replace(fileName.substr(1, fileName.length - 2), "%", "\\%");
var where:String = "`cid`=" + Database.Quote(Std.string(cid)) + " AND `path` COLLATE utf8_bin LIKE '%" + fileName + "'";
return GetMangas(where);
@@ -291,7 +292,8 @@ class Manga
if (filter.search.title != null && filter.search.title != "")
{
var title:String = Database.Quote(filter.search.title);
- title = StringTools.replace(StringTools.replace(title.substr(1, title.length - 2), "\\", "\\\\"), "%", "\\%");
+ title = Database.Quote(title.substr(1, title.length - 2));
+ title = StringTools.replace(title.substr(1, title.length - 2), "%", "\\%");
where += " AND `title` LIKE '%" + title + "%'";
}
@@ -346,7 +348,8 @@ class Manga
else
{
var actualPath:String = Database.Quote(index == -1 ? collection.Path.substr(0, collection.Path.length - 1) : collection.Path + relativePath);
- actualPath = StringTools.replace(StringTools.replace(actualPath.substr(1, actualPath.length - 2), "\\", "\\\\"), "%", "\\%");
+ actualPath = Database.Quote(actualPath.substr(1, actualPath.length - 2));
+ actualPath = StringTools.replace(actualPath.substr(1, actualPath.length - 2), "%", "\\%");
where += " AND `cid`=" + Database.Quote(Std.string(collection.Id));
where += " AND `path` COLLATE utf8_bin LIKE '" + actualPath + "/%'" + (folderSetting == 2 ? " AND `path` COLLATE utf8_bin NOT LIKE '" + actualPath + "/%/%'" : "");
}
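Review bot: In the title-search hunk, `title = StringTools.replace(title.substr(1, title.length - 2), "%", "\\%");` escapes `%` but not `_`, so a search string containing `_` matches any single character in `LIKE '%" + title + "%'`; `COLLATE utf8_bin` only fixes case sensitivity and does nothing for wildcards, and the GetSameFileName and actualPath hunks have the same gap for `_` in stored paths. Wrap each replacement once more: `StringTools.replace(StringTools.replace(title.substr(1, title.length - 2), "%", "\\%"), "_", "\\_")`. The double Database.Quote only yields a correct LIKE pattern if Quote uses MySQL backslash escaping and the server does not run with NO_BACKSLASH_ESCAPES, which this diff does not show; a short comment recording that assumption, or one shared `escapeLike` helper used by all three sites, would keep the three copies from drifting apart the way the C# and Haxe versions otherwise might. The enclosing methods start and end outside the hunks shown.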
