[SQLiteProfilerStorage] Escape special chars in URLs and IPs
This commit is contained in:
parent
e975a09003
commit
9770944a1d
@ -40,21 +40,23 @@ class SQLiteProfilerStorage implements ProfilerStorageInterface
*/
public function find($ip, $url, $limit)
{
$db = $this->initDb();
$criteria = array();
$args = array();
if ($ip = preg_replace('/[^\d\.]/', '', $ip)) {
$criteria[] = " ip LIKE '%".$ip."%'";
$criteria[] = 'ip LIKE :ip';
$args[':ip'] = '%'.$ip.'%';
}
if ($url) {
$criteria[] = " url LIKE '%".$db->escapeString($url)."%'";
$criteria[] = 'url LIKE :url ESCAPE "\"';
$args[':url'] = '%'.addcslashes($url, '%_').'%';
}
$criteria = $criteria ? 'WHERE '.implode(' AND ', $criteria) : '';
$tokens = $this->fetch($db, 'SELECT token, ip, url, time FROM data '.$criteria.' ORDER BY time DESC LIMIT '.((integer) $limit));
$db = $this->initDb();
$tokens = $this->fetch($db, 'SELECT token, ip, url, time FROM data '.$criteria.' ORDER BY time DESC LIMIT '.((integer) $limit), $args);
$this->close($db);
return $tokens;
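Review bot: The LIKE escaping on the new `$args[':url']` line does not escape the escape character itself: `addcslashes($url, '%_')` backslash-escapes `%` and `_` but leaves a user-supplied `\` alone, so a URL ending in `\` turns the trailing `%` wildcard into a literal and a `\` immediately before `%` or `_` turns the intended literal back into a wildcard; `$args[':url'] = '%'.addcslashes($url, '\\%_').'%';` closes that. On the line above, `ESCAPE "\"` relies on SQLite's legacy fallback that treats an unresolvable double-quoted identifier as a string literal, which builds compiled with SQLITE_DQS=0 reject — the portable form is `$criteria[] = "url LIKE :url ESCAPE '\\'";`. Separately, now that `:ip` is a bound parameter the `preg_replace('/[^\d\.]/', '', $ip)` whitelist no longer guards against injection but still silently rewrites any IPv6 address into a different digits-only search key; if this profiler can record IPv6 clients, validating with `filter_var($ip, FILTER_VALIDATE_IP)` and binding the value as-is would be safer. find() opens in this hunk but its closing brace lies outside it.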
|