Ticket #5656: mythweb-5656-escape_regex_special_characters_in_filenames.patch

File mythweb-5656-escape_regex_special_characters_in_filenames.patch, 2.6 KB (added by sphery <mtdean@…>, 16 years ago)
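--- a/mythweb/classes/Database/mysqlicompat.php
+++ b/mythweb/classes/Database/mysqlicompat.php
@@ -88,6 +88,24 @@
     }
 
 /**
+ * Changes the regexp-special square brackets used for character class/range
+ * operations to the "match any single character" operator, '.'.  This function
+ * does not do database-special character escapes.
+ *
+ * @param string $string    string to escape
+ *
+ * @return string           escaped string
+/**/
+    function escape_regex($string) {
+    // Null?
+        if (is_null($string))
+            return 'NULL';
+    // Just a string
+        $escaped_string = str_replace('[', '.', $string);
+        return str_replace(']', '.', $escaped_string);
+    }
+
+/**
  *  Returns an un-executed Database_Query_mysqlicompat object
  *
  *  @param string $query    The query string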
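Review bot: escape_regex() rewrites only `[` and `]`, so every other regex metacharacter in a filename (`.`, `*`, `+`, `?`, `^`, `$`, `|`, `{`, `\`) still reaches RLIKE as an operator, and the two it does handle are widened to "any single character" instead of being matched literally. The name and the `@return string escaped string` line read like general-purpose escaping, so a later caller may trust it with input it does not neutralise; either backslash-escape the full metacharacter set or state the limit in the docblock, e.g. `* Only '[' and ']' are handled; all other regex metacharacters pass through unchanged.` The null branch returns the string `'NULL'`, which inside a pattern is the literal text NULL and not SQL NULL (it looks carried over from the value-escaping helper), so returning `''` or rejecting null would be less surprising. The identical function is added to mythweb/classes/Database/mysql.php, so the same points apply there, and keeping two copies means a future fix has to be made twice.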
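--- a/mythweb/classes/Database/mysql.php
+++ b/mythweb/classes/Database/mysql.php
@@ -81,6 +81,24 @@
     }
 
 /**
+ * Changes the regexp-special square brackets used for character class/range
+ * operations to the "match any single character" operator, '.'.  This function
+ * does not do database-special character escapes.
+ *
+ * @param string $string    string to escape
+ *
+ * @return string           escaped string
+/**/
+    function escape_regex($string) {
+    // Null?
+        if (is_null($string))
+            return 'NULL';
+    // Just a string
+        $escaped_string = str_replace('[', '.', $string);
+        return str_replace(']', '.', $escaped_string);
+    }
+
+/**
  *  Returns an un-executed Database_Query_mysql object
  *
  *  @param string $query    The query string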
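--- a/mythweb/modules/video/handler.php
+++ b/mythweb/modules/video/handler.php
@@ -226,7 +227,7 @@
     if (isset($_SESSION['video']['path'])) {
         $escaped_path = str_replace('(', '\\(',$_SESSION['video']['path']);
         $escaped_path = str_replace(')', '\\)',$_SESSION['video']['path']);
-        $where .= ' AND videometadata.filename RLIKE '.$db->escape($escaped_path.'[/]*[^/]*$');
+        $where .= ' AND videometadata.filename RLIKE '.$db->escape($db->escape_regex($escaped_path).'[/]*[^/]*$');
     }
 // Deal with the parental locks
     if (isset($_REQUEST['VideoAdminPassword']))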
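Review bot: The second `str_replace` just above the changed line starts again from `$_SESSION['video']['path']`, so the `(` escaping from the first call is discarded and the `$escaped_path` that the new RLIKE line consumes has only `)` escaped; it should read `$escaped_path = str_replace(')', '\\)', $escaped_path);`. As written, a directory name containing `(` still yields an unbalanced pattern and a failing query. More broadly, the pattern is built from the session path with only `(`, `)`, `[` and `]` treated, so `.`, `*`, `+`, `|` or `^` in the path are read as regex syntax and can match rows outside the intended directory; if that path can be influenced by the request (not visible in this hunk), it warrants full metacharacter escaping. Since `$db->escape()` still wraps the finished string, this looks like a pattern-widening problem and not SQL injection.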