From 9770944a1d6176b91fc08e062a9ba37e7d39cc9e Mon Sep 17 00:00:00 2001
From: Victor Berchet
Date: Thu, 6 Jan 2011 18:50:52 +0100
Subject: [PATCH] [SQLiteProfilerStorage] Escape special chars in URLs and IPs
---
 .../HttpKernel/Profiler/SQLiteProfilerStorage.php | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/Symfony/Component/HttpKernel/Profiler/SQLiteProfilerStorage.php b/src/Symfony/Component/HttpKernel/Profiler/SQLiteProfilerStorage.php
index f495c13a19..1b219fea19 100644
--- a/src/Symfony/Component/HttpKernel/Profiler/SQLiteProfilerStorage.php
+++ b/src/Symfony/Component/HttpKernel/Profiler/SQLiteProfilerStorage.php
@@ -40,21 +40,23 @@ class SQLiteProfilerStorage implements ProfilerStorageInterface
 */
 public function find($ip, $url, $limit)
 {
- $db = $this->initDb();
 $criteria = array();
+ $args = array();
 if ($ip = preg_replace('/[^\d\.]/', '', $ip)) {
- $criteria[] = " ip LIKE '%".$ip."%'";
+ $criteria[] = 'ip LIKE :ip';
+ $args[':ip'] = '%'.$ip.'%';
 }
 if ($url) {
- $criteria[] = " url LIKE '%".$db->escapeString($url)."%'";
+ $criteria[] = 'url LIKE :url ESCAPE "\"';
+ $args[':url'] = '%'.addcslashes($url, '%_').'%';
 }
 $criteria = $criteria ? 'WHERE '.implode(' AND ', $criteria) : '';
- $tokens = $this->fetch($db, 'SELECT token, ip, url, time FROM data '.$criteria.' ORDER BY time DESC LIMIT '.((integer) $limit));
+ $db = $this->initDb();
+ $tokens = $this->fetch($db, 'SELECT token, ip, url, time FROM data '.$criteria.' ORDER BY time DESC LIMIT '.((integer) $limit), $args);
 $this->close($db);
 return $tokens;