Merge branch 'w20_MDL-32907_m23_like' of git://github.com/skodak/moodle
Aparup Banerjee committed May 17, 2012
2 parents 331a8fe + ed63f7f commit 7ded1e2
Showing 2 changed files with 14 additions and 2 deletions.
8 changes: 6 additions & 2 deletions lib/dml/pgsql_native_moodle_database.php
Expand Up @@ -1118,15 +1118,19 @@ public function sql_like($fieldname, $param, $casesensitive = true, $accentsensi
if (strpos($param, '%') !== false) {
debugging('Potential SQL injection detected, sql_like() expects bound parameters (? or :named)');
}
$escapechar = pg_escape_string($this->pgsql, $escapechar); // prevents problems with C-style escapes of enclosing '\'
if ($escapechar === '\\') {
// Prevents problems with C-style escapes of enclosing '\',
// E'... bellow prevents compatibility warnings.
$escapechar = '\\\\';
}

// postgresql does not support accent insensitive text comparisons, sorry
if ($casesensitive) {
$LIKE = $notlike ? 'NOT LIKE' : 'LIKE';
} else {
$LIKE = $notlike ? 'NOT ILIKE' : 'ILIKE';
}
return "$fieldname $LIKE $param ESCAPE '$escapechar'";
return "$fieldname $LIKE $param ESCAPE E'$escapechar'";
}

public function sql_bitxor($int1, $int2) {
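Review bot: The `if ($escapechar === '\\')` branch near the top of the hunk only fires when pg_escape_string() hands back a lone backslash, which as far as I can tell depends on the server's standard_conforming_strings setting (when it is off, libpq already doubles the backslash and the branch is skipped); both paths end up as one backslash inside the `E'...'` literal, but the comment does not say so and a reader may take the branch for dead or redundant code. Suggest replacing the two comment lines with `// pg_escape_string() doubles a backslash only when standard_conforming_strings is off; the E'...' literal below needs exactly two either way, so double it here when it is still single.` The comment also has a typo, `bellow` should be `below`. The opening lines of sql_like() (its parameter handling before the `%` check) lie outside the hunk.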
8 changes: 8 additions & 0 deletions lib/dml/tests/dml_test.php
Expand Up @@ -3512,6 +3512,14 @@ function test_sql_like() {
$records = $DB->get_records_sql($sql, array("%D%"));
$this->assertEquals(count($records), 6);

// verify usual escaping characters work fine
$sql = "SELECT * FROM {{$tablename}} WHERE ".$DB->sql_like('name', '?', true, true, false, '\\');
$records = $DB->get_records_sql($sql, array("ouc\\_"));
$this->assertEquals(count($records), 1);
$sql = "SELECT * FROM {{$tablename}} WHERE ".$DB->sql_like('name', '?', true, true, false, '|');
$records = $DB->get_records_sql($sql, array("ouc|%"));
$this->assertEquals(count($records), 1);

// TODO: we do not require accent insensitivness yet, just make sure it does not throw errors
$sql = "SELECT * FROM {{$tablename}} WHERE ".$DB->sql_like('name', '?', true, false);
$records = $DB->get_records_sql($sql, array('aui'));
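Review bot: The two new `$this->assertEquals(count($records), 1);` lines put the actual value in the expected slot; PHPUnit prints its failure message as expected/actual in argument order, so a regression here would read backwards. `$this->assertCount(1, $records);` (or `$this->assertEquals(1, count($records));`) keeps the message right; the surrounding `assertEquals(count($records), 6)` context line has the same ordering but is not part of this change. The two escape cases also only check the row count, so an escape character that were silently ignored and happened to wildcard-match a single fixture row would still pass; asserting on the returned record's name (that the `\\_` case matched the row containing a literal underscore, and the `|%` case the row containing a literal percent) would pin the behaviour the commit is fixing. test_sql_like() starts and continues outside the hunk.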
