authorLudovic Arnaud <ludovic_arnaud@users.sourceforge.net>2006-07-12 23:41:34 +0000
committerLudovic Arnaud <ludovic_arnaud@users.sourceforge.net>2006-07-12 23:41:34 +0000
commit4cd73bf7e53213241c5e545b51ca9dbd2a98e3af (patch)
tree0924f1df46e73d8f6c02b0f59122810fbb2a0085 /phpBB
parent- it's \r\n not \n\r [Bug #3121] (diff)
Fixed: unescaped SQL strings make Bertie cry
git-svn-id: file:///svn/phpbb/trunk@6176 89ea8834-ac86-4346-8a33-228a782c2dd0
Diffstat (limited to 'phpBB')
-rw-r--r--phpBB/includes/search/fulltext_native_improved.php13
1 files changed, 8 insertions, 5 deletions
diff --git a/phpBB/includes/search/fulltext_native_improved.php b/phpBB/includes/search/fulltext_native_improved.php
index a5c2b5aed8..4d8fd3aaa1 100644
--- a/phpBB/includes/search/fulltext_native_improved.php
+++ b/phpBB/includes/search/fulltext_native_improved.php
@@ -27,6 +27,7 @@ include_once($phpbb_root_path . 'includes/search/search.' . $phpEx);
*/
class fulltext_native_improved extends search_backend
{
+ var $stats;
var $word_length = array();
var $common_words = array();
var $must_contain_ids = array();
@@ -1006,16 +1007,18 @@ class fulltext_native_improved extends search_backend
switch (SQL_LAYER)
{
case 'mysql':
- $sql = 'INSERT INTO ' . SEARCH_WORDLIST_TABLE . ' (word_text)
- VALUES ' . implode(', ', preg_replace('#^(.*)$#', '(\'$1\')', $new_words));
+ case 'mysql4':
+ case 'mysqli':
+ $sql = 'INSERT INTO ' . SEARCH_WORDLIST_TABLE . " (word_text)
+ VALUES ('" . implode("'),('", array_map(array($db, 'sql_escape'), $new_words)) . "')";
$db->sql_query($sql);
break;
- case 'mysql4':
- case 'mysqli':
case 'mssql':
case 'mssql_odbc':
case 'sqlite':
+ $new_words = array_map(array($db, 'sql_escape'), $new_words);
+
// make sure the longest word comes first, so nothing will be truncated
usort($new_words, array(&$this, 'strlencmp'));
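Review bot: The words escaped by the new line `$new_words = array_map(array($db, 'sql_escape'), $new_words);` are escaped a second time in the third hunk, where the per-word loop builds `VALUES ('" . $db->sql_escape($word) . "')"` from the same array, so for the mssql, mssql_odbc and sqlite layers a word containing a quote character ends up stored with doubled escaping. Escape in exactly one place: either drop the array_map line here or revert the third hunk to `VALUES ('$word')"`. Escaping before `usort($new_words, array(&$this, 'strlencmp'))` also sorts by escaped length rather than stored length, so the "longest word comes first" property the comment relies on may not hold for words whose escaping adds characters; sorting first and escaping inside the loop avoids both problems. The enclosing method starts before this hunk and continues past it, so whether `$new_words` (now holding escaped values) is used again after the switch cannot be confirmed from here.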
@@ -1027,7 +1030,7 @@ class fulltext_native_improved extends search_backend
foreach ($new_words as $word)
{
$sql = 'INSERT INTO ' . SEARCH_WORDLIST_TABLE . " (word_text)
- VALUES ('$word')";
+ VALUES ('" . $db->sql_escape($word) . "')";
$db->sql_query($sql);
}
}