Another adjustment for the pre-escaped filter values

splitbrain · splitbrain · commit c73abd3ae255 · 2023-07-18T09:12:23.000+02:00
diff --git a/syntax/cloud.php b/syntax/cloud.php
@@ -91,12 +91,13 @@ public function _buildSQL(&$data)
             $cnt = 0;
 
             foreach ($data['filter'] as $filter) {
+                //Note: value is already escaped
                 $col = $filter['key'];
                 $closecompare = ($filter['compare'] == 'IN(' ? ')' : '');
 
                 if (preg_match('/^%(\w+)%$/', $col, $m) && isset($fields[$m[1]])) {
                     $where .= " " . $filter['logic'] . " pages." . $fields[$m[1]] .
-                        " " . $filter['compare'] . " '" . $filter['value'] . "'" . $closecompare;
+                        " " . $filter['compare'] . " " . $filter['value'] . $closecompare;
                     $pagesjoin = ' LEFT JOIN pages ON pages.pid = data.pid';
                 } else {
                     // filter by hidden column?
@@ -107,7 +108,7 @@ public function _buildSQL(&$data)
                     }
 
                     $where .= ' ' . $filter['logic'] . ' ' . $tables[$col] . '.value ' . $filter['compare'] .
-                        " '" . $filter['value'] . "'" . $closecompare; //value is already escaped
+                        " " . $filter['value'] . $closecompare;
                 }
             }
         }
diff --git a/syntax/related.php b/syntax/related.php
@@ -126,13 +126,14 @@ function _buildSQL(&$data, $id = null)
             $where .= ' AND ( 1=1 ';
 
             foreach ($data['filter'] as $filter) {
+                // note: value is already escaped
                 $col = $filter['key'];
                 $closecompare = ($filter['compare'] == 'IN(' ? ')' : '');
 
                 if ($col == '%pageid%') {
-                    $where .= " " . $filter['logic'] . " pages.page " . $filter['compare'] . " '" . $filter['value'] . "'" . $closecompare;
+                    $where .= " " . $filter['logic'] . " pages.page " . $filter['compare'] . " " . $filter['value'] . $closecompare;
                 } elseif ($col == '%title%') {
-                    $where .= " " . $filter['logic'] . " pages.title " . $filter['compare'] . " '" . $filter['value'] . "'" . $closecompare;
+                    $where .= " " . $filter['logic'] . " pages.title " . $filter['compare'] . " " . $filter['value'] . $closecompare;
                 } else {
                     // filter by hidden column?
                     if (!$tables[$col]) {
@@ -142,7 +143,7 @@ function _buildSQL(&$data, $id = null)
                     }
 
                     $where .= ' ' . $filter['logic'] . ' ' . $tables[$col] . '.value ' . $filter['compare'] .
-                        " '" . $filter['value'] . "'" . $closecompare; //value is already escaped
+                        " " . $filter['value'] . $closecompare;
                 }
             }
 

Original file line number	Diff line number	Diff line change
`@@ -91,12 +91,13 @@ public function _buildSQL(&$data)`
`91`	`91`	`$cnt = 0;`
`92`	`92`
`93`	`93`	`foreach ($data['filter'] as $filter) {`
	`94`	`+ //Note: value is already escaped`
`94`	`95`	`$col = $filter['key'];`
`95`	`96`	`$closecompare = ($filter['compare'] == 'IN(' ? ')' : '');`
`96`	`97`
`97`	`98`	`if (preg_match('/^%(\w+)%$/', $col, $m) && isset($fields[$m[1]])) {`
`98`	`99`	`$where .= " " . $filter['logic'] . " pages." . $fields[$m[1]] .`
`99`		`- " " . $filter['compare'] . " '" . $filter['value'] . "'" . $closecompare;`
	`100`	`+ " " . $filter['compare'] . " " . $filter['value'] . $closecompare;`
`100`	`101`	`$pagesjoin = ' LEFT JOIN pages ON pages.pid = data.pid';`
`101`	`102`	`} else {`
`102`	`103`	`// filter by hidden column?`
`@@ -107,7 +108,7 @@ public function _buildSQL(&$data)`
`107`	`108`	`}`
`108`	`109`
`109`	`110`	`$where .= ' ' . $filter['logic'] . ' ' . $tables[$col] . '.value ' . $filter['compare'] .`
`110`		`- " '" . $filter['value'] . "'" . $closecompare; //value is already escaped`
	`111`	`+ " " . $filter['value'] . $closecompare;`
`111`	`112`	`}`
`112`	`113`	`}`
`113`	`114`	`}`