Ajax calls: escape fields
jmontoyaa committed May 28, 2021
1 parent 93be016 commit f7f9357
Showing 3 changed files with 15 additions and 4 deletions.
2 changes: 2 additions & 0 deletions main/inc/ajax/model.ajax.php
Expand Up @@ -109,6 +109,8 @@ function getWhereClause($col, $oper, $val)
'nc' => 'NOT LIKE', //doesn't contain
];

$col = Database::escapeField($col);

if (empty($col)) {
return '';
}
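Review bot: The `if (empty($col))` guard two lines below the new `Database::escapeField($col)` call turns a rejected column name into a silent `return ''`, which presumably leaves the caller running the query without that condition rather than reporting a bad parameter; a log line or an explicit failure at that point would make a stripped-out filter visible instead of widening results quietly. Because escapeField() strips characters rather than rejecting the value, a qualified name such as `t.col` arrives here as `tcol` with no indication that it was rewritten, so a comment at the call site is warranted: `// Allow-list the column name: characters outside [A-Za-z0-9_] are stripped, so a qualified "table.col" cannot be used here`. getWhereClause()'s signature appears in the hunk header but its body continues outside the hunk. The same guard pattern is added to get_where_clause() in main/inc/lib/extra_field.lib.php, where this note applies as well.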
5 changes: 5 additions & 0 deletions main/inc/lib/database.lib.php
Expand Up @@ -833,4 +833,9 @@ public static function listTableColumns($table)
{
return self::getManager()->getConnection()->getSchemaManager()->listTableColumns($table);
}

public static function escapeField($field)
{
return self::escape_string(preg_replace("/[^a-zA-Z0-9_]/", '', $field));
}
}
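Review bot: escapeField() declares no parameter or return type and has no docblock, and `preg_replace()` returns null on a PCRE error, which the new code then hands to escape_string(); declare it as `public static function escapeField(string $field): string` and coalesce the result, `return self::escape_string(preg_replace('/[^a-zA-Z0-9_]/', '', $field) ?? '');`. The docblock should state that this is an identifier allow-list rather than a value escaper: every character outside [A-Za-z0-9_] is removed (so `user.id` becomes `userid` instead of being refused), and once that stripping has happened escape_string() presumably has nothing left to escape, so callers must not read the result as quoting. Refusing the input instead of rewriting it — `preg_match('/^[A-Za-z0-9_]+$/', $field)` and returning '' or throwing on mismatch — would be less surprising for callers that compare the result with the original name. The class header and the rest of the class are outside the hunk.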
12 changes: 8 additions & 4 deletions main/inc/lib/extra_field.lib.php
Expand Up @@ -2620,6 +2620,7 @@ public function getExtraFieldRules($filters, $stringToSearch = 'extra_', $condit
}
} else {
// Extra fields
$ruleField = Database::escapeField($rule->field);
if (false === strpos($rule->field, '_second')) {
// No _second
$original_field = str_replace($stringToSearch, '', $rule->field);
Expand All @@ -2642,7 +2643,7 @@ public function getExtraFieldRules($filters, $stringToSearch = 'extra_', $condit
$conditionArray[] = ' ('
.$this->get_where_clause($rule->field, $rule->op, $rule->data)
.') ';
$extraFields[] = ['field' => $rule->field, 'id' => $field_option['id']];
$extraFields[] = ['field' => $ruleField, 'id' => $field_option['id']];
}
break;
case self::FIELD_TYPE_TAG:
Expand All @@ -2654,7 +2655,7 @@ public function getExtraFieldRules($filters, $stringToSearch = 'extra_', $condit
//$where = $this->get_where_clause($rule->field, $rule->op, $rule->data, 'OR');
//$conditionArray[] = " ( $where ) ";
$extraFields[] = [
'field' => $rule->field,
'field' => $ruleField,
'id' => $field_option['id'],
'data' => $rule->data,
];
Expand All @@ -2668,7 +2669,7 @@ public function getExtraFieldRules($filters, $stringToSearch = 'extra_', $condit
$where = $this->get_where_clause($rule->field, $rule->op, $rule->data, 'OR');
$conditionArray[] = " ( $where ) ";
$extraFields[] = [
'field' => $rule->field,
'field' => $ruleField,
'id' => $field_option['id'],
'data' => $rule->data,
];
Expand All @@ -2680,7 +2681,7 @@ public function getExtraFieldRules($filters, $stringToSearch = 'extra_', $condit
$original_field = str_replace($stringToSearch, '', $my_field);
$field_option = $this->get_handler_field_info_by_field_variable($original_field);
$extraFields[] = [
'field' => $rule->field,
'field' => $ruleField,
'id' => $field_option['id'],
];
}
Expand All @@ -2701,9 +2702,12 @@ public function getExtraFieldRules($filters, $stringToSearch = 'extra_', $condit
*/
public function get_where_clause($col, $oper, $val, $conditionBetweenOptions = 'OR')
{
$col = Database::escapeField($col);

if (empty($col)) {
return '';
}

$conditionBetweenOptions = in_array($conditionBetweenOptions, ['OR', 'AND']) ? $conditionBetweenOptions : 'OR';
if ('bw' === $oper || 'bn' === $oper) {
$val .= '%';
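Review bot: `$ruleField` is computed at the top of the `else` branch in the first hunk but the later hunks only store it in `$extraFields`, while `get_where_clause()` and `str_replace($stringToSearch, '', $rule->field)` still receive the raw `$rule->field`; get_where_clause() now allow-lists internally (last hunk), but `$original_field` passed to get_handler_field_info_by_field_variable() is unfiltered, so if that helper builds SQL from its argument the check added here does not reach it — worth confirming. Since escapeField() strips rather than rejects, the stored `'field' => $ruleField` can differ from the `$rule->field` used for the lookup in the same iteration, and any consumer of `$extraFields` that keys on the original name will then disagree with it. A comment above the new assignment would record that, e.g. `// Allow-listed column name for SQL; may differ from $rule->field if it contained other characters`. getExtraFieldRules() starts and ends outside the hunks, and get_where_clause()'s body in the last hunk also continues past it.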
