[TYPO3-english] Can anyone help me to check this search function?

Jigal van Hemert jigal.van.hemert at typo3.org
Sat May 19 11:39:38 CEST 2012


Hi,

First of all people on these lists are expected to use their real names. 
If you cannot use your name as the email sender, please use it in the 
signature below your message.

On 19-5-2012 5:33, typo3 study wrote:
> $likeClause .= ' OR jc.contents LIKE \'%' .$word. '%\'';

Directly using external data in queries makes your code vulnerable to 
SQL injections. Please use the functions in the TYPO3 core API to 
properly escape (and optionally quote) the data:

Only escape data:
$GLOBALS['TYPO3_DB']->quoteStr($str, $table)
Escape data and add quotes around it:
$GLOBALS['TYPO3_DB']->fullQuoteStr($str, $table)
Escape special characters for use in LIKE (you still need to use 
(full)quoteStr!):
$GLOBALS['TYPO3_DB']->escapeStrForLike($str, $table)

For less dynamic queries it's even better to use prepared statements:
$GLOBALS['TYPO3_DB']->prepare_SELECTquery()
With prepared statements you don't need to escape and quote the data 
anymore, that is done internally.

> So if I want to see this function, how could I change the above code?

This is a general programming problem (not TYPO3 specific).
I would first make sure that white space before and after the '+' signs 
was removed. Then I would split on spaces; each of those parts would be 
OR'ed.
Each part would be split on '+' and each of those subparts AND'ed.

If someone would search on "A B+C D", I'd end up with:
(field LIKE '%A%') OR (field LIKE '%B%' AND field LIKE '%C%') OR (field LIKE '%D%')

The extra () won't hurt the query and make the code simpler.

-- 
Jigal van Hemert
TYPO3 Core Team member

TYPO3 .... inspiring people to share!
Get involved: typo3.org
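The following is an added example (not code from the original poster, from Jigal's reply, or from the TYPO3 project) that puts the two halves of the reply together: the OR/AND splitting of a search string such as "A B+C D", with every user-supplied term run through escapeStrForLike() and fullQuoteStr() from the TYPO3 4.x database API before it reaches the query. It assumes it runs inside TYPO3, where $GLOBALS['TYPO3_DB'] (a t3lib_DB instance) exists; the table name tx_myext_jobs, the alias jc, the column contents and the request parameter sword are placeholders.

```php
<?php
/*
 * Added example, not part of the original thread or the TYPO3 core.
 * Assumes TYPO3 4.x with $GLOBALS['TYPO3_DB'] initialised. Table, alias,
 * column and GET/POST parameter names below are placeholders.
 */

/**
 * Build a WHERE fragment from a search string such as "A B+C D".
 *
 * Space-separated groups are OR'ed; '+'-joined terms inside a group are
 * AND'ed. Each term is first escaped for LIKE, so '%' and '_' typed by the
 * user match literally, and then fully quoted by the DB layer, so the user
 * input can never break out of the string literal.
 *
 * @param t3lib_DB $db     database object, normally $GLOBALS['TYPO3_DB']
 * @param string   $field  column to search, e.g. 'jc.contents'; must come
 *                         from code, never from the request
 * @param string   $table  table name handed to the quoting functions
 * @param string   $search raw user input
 * @return string SQL fragment, or '1=1' when no usable term was given
 */
function buildSearchClause($db, $field, $table, $search) {
	// 1. Remove white space around '+' so "B + C" becomes "B+C".
	$search = preg_replace('/\s*\+\s*/', '+', trim($search));

	$orParts = array();
	// 2. Split on white space; each group is OR'ed with the others.
	foreach (preg_split('/\s+/', $search, -1, PREG_SPLIT_NO_EMPTY) as $group) {
		$andParts = array();
		// 3. Split each group on '+'; its terms are AND'ed.
		foreach (explode('+', $group) as $term) {
			if ($term === '') {
				// "A++B" or a leading/trailing '+'
				continue;
			}
			// escapeStrForLike() protects the LIKE wildcards; fullQuoteStr()
			// escapes the string for SQL and adds the surrounding quotes.
			$pattern = $db->fullQuoteStr(
				'%' . $db->escapeStrForLike($term, $table) . '%',
				$table
			);
			$andParts[] = $field . ' LIKE ' . $pattern;
		}
		if (count($andParts) > 0) {
			$orParts[] = '(' . implode(' AND ', $andParts) . ')';
		}
	}

	if (count($orParts) === 0) {
		return '1=1';
	}
	return '(' . implode(' OR ', $orParts) . ')';
}

// Usage inside an extension (placeholder names):
$where = buildSearchClause(
	$GLOBALS['TYPO3_DB'],
	'jc.contents',
	'tx_myext_jobs',
	t3lib_div::_GP('sword')
);
$res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('*', 'tx_myext_jobs jc', $where);
```

For the input "A B+C D" this yields ((jc.contents LIKE '%A%') OR (jc.contents LIKE '%B%' AND jc.contents LIKE '%C%') OR (jc.contents LIKE '%D%')), the structure given in the reply, with the extra parentheses left in so the building code stays simple. Note the order of the two calls: escapeStrForLike() must run first, because fullQuoteStr() then escapes the backslashes it inserted, which is what makes a user-typed '%' or '_' reach MySQL as a literal character rather than a wildcard. The column and table names are deliberately not parameters taken from the request; the quoting functions protect string values only, not identifiers.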

