Escape special chars on mysql search driver

humhub · May 7, 2024 · 7aed7d6 · 7aed7d6
1 parent ff2705f
commit 7aed7d6
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 4 deletions.
diff --git a/protected/humhub/libs/SearchQuery.php b/protected/humhub/libs/SearchQuery.php
@@ -71,7 +71,7 @@ public function __construct(string $query)
                 if (str_starts_with($term, 'OR ')) {
                     $orTerms[] = preg_replace('/^((?i)OR )?/', '', $term);
                 } elseif (str_starts_with($term, '-') || str_starts_with($term, 'NOT ')) {
-                    $notTerms[] = preg_replace('/^\-?((?i)NOT )?/', '', $term);
+                    $notTerms[] = preg_replace('/^\-*((?i)NOT )?/', '', $term);
                 } else {
                     // Use AND operator by default
 
@@ -84,7 +84,7 @@ public function __construct(string $query)
                         $orTerms = [];
                     }
 
-                    $andTerms[] = preg_replace('/^\+?((?i)AND )?/', '', $term);
+                    $andTerms[] = preg_replace('/^\+*((?i)AND )?/', '', $term);
                 }
             }
         }

diff --git a/protected/humhub/modules/content/search/driver/MysqlDriver.php b/protected/humhub/modules/content/search/driver/MysqlDriver.php
@@ -160,7 +160,7 @@ private function createMysqlFullTextQuery(SearchQuery $query, array $matchFields
 
     protected function prepareKeyword(string $keyword): string
     {
-        return preg_match('/[\s@]/', $keyword) ? '"' . $keyword . '"' : $keyword;
+        return preg_match('/[\s@<>~%\(\)\$]/', $keyword) ? '"' . $keyword . '"' : $keyword;
     }
 
     protected function addQueryFilterVisibility(ActiveQuery $query): ActiveQuery

diff --git a/protected/humhub/tests/codeception/unit/libs/SearchQueryTest.php b/protected/humhub/tests/codeception/unit/libs/SearchQueryTest.php
@@ -34,6 +34,12 @@ public function testTermsWithSigns()
         $query = new SearchQuery('Apple +Banana');
         $this->assertContains('Apple*', $query->andTerms);
         $this->assertContains('Banana*', $query->andTerms);
+
+        $query = new SearchQuery('----Apple +++++Banana "---Orange" "++++Peach"');
+        $this->assertContains('Apple*', $query->notTerms);
+        $this->assertContains('Banana*', $query->andTerms);
+        $this->assertContains('Orange', $query->notTerms);
+        $this->assertContains('Peach', $query->andTerms);
     }
 
     public function testTermsWithWords()
@@ -106,6 +112,5 @@ public function testTermsWithNumbers()
 
         $query = new SearchQuery('"Quote 2024"');
         $this->assertContains('Quote 2024', $query->andTerms);
-
     }
 }