hubhuby
Posted August 1, 2008

In normal search functions one can search for a series of words by putting them in quotes, but there is a little bug preventing that in osc.

Test it on the demo shop by entering "ment ki" as the search string. At least the video "The Replacement Killers" should come up as a result, but it doesn't, although the exact string is included. Try the same search without the quotes: now the video appears in the results, because the demo shop uses AND as the default operator and is actually searching for "ment" AND "ki".

This happens because the search string gets escaped. "ment ki" will result in \"ment ki\"

\"ment ki\" will not be treated as a single keyword but be split up into \"ment and ki\" and of course no result will be found.

Fix: in advanced_search_result.php search for:

    if (tep_not_null($keywords)) {
      if (!tep_parse_search_string($keywords, $search_keywords)) {
        $error = true;

        $messageStack->add_session('search', ERROR_INVALID_KEYWORDS);
      }
    }

Insert this line before the search string gets split up:

    $keywords = str_replace('\"', '"', $keywords); // unescape quote

so the whole thing would look like this:

    if (tep_not_null($keywords)) {
      $keywords = str_replace('\"', '"', $keywords); // unescape quote
      if (!tep_parse_search_string($keywords, $search_keywords)) {
        $error = true;

        $messageStack->add_session('search', ERROR_INVALID_KEYWORDS);
      }
    }

Note:
- "rawurldecode" is not used because only the " char has that special meaning
- there is no possibility to search for strings that include the " char, e.g. the user can't escape it

spooks
Posted August 1, 2008

Good point, however with the advent of hackers there is a good reason the " is escaped, so your line un-does the protection a little.

Personally, instead of:

    $keywords = str_replace('\"', '"', $keywords); // unescape quote

I would use:

    $keywords = str_replace('\"', '', $keywords); // remove quote

That means you would get results, just more than you wanted, but at least, thanks to you, you do get results.

Sam

hubhuby
Posted August 6, 2008

Good point, but actually I did have that in mind.

Keywords get checked by tep_db_prepare_input and tep_db_input before they get sent to SQL (and after we unescape the " char). Basically you can do what you want to the keywords before those functions get applied; SQL injections aren't possible. Anyway, the " chars get removed in tep_parse_search_string.

I had another look at what happens to the keyword strings with the " character:

it gets escaped: \"
then mysql_real_escape_string escapes that: \\"

so the string part in the example in the first post sent to SQL would be

    ... like '%\\"ment%' ...

resulting in a search for \"ment

Unescaping the " char, that part sent to SQL would be

    ... like '%ment ki%' ...

resulting in a search for ment ki

Please correct me if I'm wrong.
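
The order of operations argued over in this thread, as an added example that is not part of any post and is not osCommerce code: the search string is unescaped, split into phrases, and only made safe again at the SQL boundary. Assumptions: `parse_keywords()` and `search_products()` are hypothetical names, bound PDO parameters on an in-memory SQLite table (needs pdo_sqlite) stand in for `tep_db_input`, and `addslashes()` reproduces the incoming quote escaping.

```php
<?php
// Added example, not osCommerce code. parse_keywords() is a hypothetical,
// simplified stand-in for tep_parse_search_string(); bound parameters stand
// in for tep_db_input() as the escaping step at the SQL boundary.
function parse_keywords(string $raw): array
{
    // A double-quoted run is one phrase; everything else splits on whitespace.
    preg_match_all('/"([^"]+)"|(\S+)/', $raw, $hits, PREG_SET_ORDER);
    $terms = [];
    foreach ($hits as $hit) {
        $terms[] = ($hit[1] !== '') ? $hit[1] : $hit[2];
    }
    return $terms;
}

function search_products(PDO $db, string $raw): array
{
    $terms = parse_keywords($raw);
    if ($terms === []) {
        return [];
    }
    // One LIKE per term, joined with AND (the demo shop's default operator).
    $where = implode(' AND ', array_fill(0, count($terms), "name LIKE ? ESCAPE '!'"));
    $stmt = $db->prepare("SELECT name FROM products WHERE $where ORDER BY name");
    $params = [];
    foreach ($terms as $term) {
        // LIKE wildcards typed by the user are matched literally.
        $params[] = '%' . strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
    }
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample catalogue in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (name TEXT)');
$insert = $db->prepare('INSERT INTO products (name) VALUES (?)');
foreach (['The Replacement Killers', "Rock 'n' Roll Kid", 'Lethal Weapon'] as $name) {
    $insert->execute([$name]);
}

$escaped = addslashes('"ment ki"');            // the string as the script receives it
$fixed   = str_replace('\"', '"', $escaped);   // the one-line fix from the first post

echo json_encode(parse_keywords($escaped)), "\n";            // tokens without the fix
echo json_encode(search_products($db, $escaped)), "\n";      // search without the fix
echo json_encode(search_products($db, $fixed)), "\n";        // search with the fix
echo json_encode(search_products($db, "\"rock 'n\"")), "\n"; // phrase containing '
```

Because every term reaches the database as a bound value, a single quote inside a phrase is treated as data regardless of what was done to the string before tokenising.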