don't trust words from word table to be sanatized
index d84c8bf80c7e8a643fc6ebae066c01b720a1bf6e..42e5af309854b76967cc3079e35f32c0ceedae76 100644 (file)
@@ -1,9 +1,9 @@
 <?php
 
-require_once(CONST_BasePath.'/lib/SpecialSearchOperator.php');
-
 namespace Nominatim;
 
+require_once(CONST_BasePath.'/lib/SpecialSearchOperator.php');
+
 /**
  * Description of a single interpretation of a search query.
  */
@@ -201,7 +201,9 @@ class SearchDescription
             // We need to try the case where the postal code is the primary element
             // (i.e. no way to tell if it is (postalcode, city) OR (city, postalcode)
             // so try both.
-            if (!$this->sPostcode && $bWordInQuery) {
+            if (!$this->sPostcode && $bWordInQuery
+                && pg_escape_string($aSearchTerm['word']) == $aSearchTerm['word']
+            ) {
                 // If we have structured search or this is the first term,
                 // make the postcode the primary search element.
                 if ($this->iOperator == Operator::NONE
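Review bot: The added guard `pg_escape_string($aSearchTerm['word']) == $aSearchTerm['word']` uses loose `==`; it should be `===` so the test is a byte-for-byte identity check rather than PHP's string-comparison rules. This condition is also the only thing standing between a word-table value and its later interpolation into SQL without escaping (the `p.postcode = '".reset($this->aName)."'` change further down in this file), so that invariant deserves a comment here, e.g. `// Only accept words that survive escaping unchanged: the postcode is later interpolated into SQL as-is.` pg_escape_string() is called without a connection handle, so it relies on a default connection being open at this point; worth confirming that holds on every call path. The enclosing method starts and ends outside the hunk.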
@@ -239,6 +241,9 @@ class SearchDescription
                 if (preg_match_all("/[^0-9]/", $oSearch->sHouseNumber, $aMatches) > 2) {
                     $oSearch->iSearchRank++;
                 }
+                if (!isset($aSearchTerm['word_id'])) {
+                    $oSearch->iSearchRank++;
+                }
                 // also must not appear in the middle of the address
                 if (sizeof($this->aAddress) || sizeof($this->aAddressNonSearch)) {
                     $oSearch->iSearchRank++;
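Review bot: The new `if (!isset($aSearchTerm['word_id']))` penalty has no comment saying what it encodes; `!isset` is true both when the key is absent and when it holds null, which is presumably the case for a postcode that has no entry in the word table. A one-line comment would make the intent checkable against the callers that build `$aSearchTerm`, e.g. `// Postcodes unknown to the word table are less likely to be real; rank them down.` The enclosing method starts and ends outside the hunk.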
@@ -446,7 +451,7 @@ class SearchDescription
             $sSQL .= 'WHERE ';
         }
 
-        $sSQL .= "p.postcode = '".pg_escape_string(reset($this->aName))."'";
+        $sSQL .= "p.postcode = '".reset($this->aName)."'";
         $sCountryTerm = $this->countryCodeSQL('p.country_code', $sCountryList);
         if ($sCountryTerm) {
             $sSQL .= ' AND '.$sCountryTerm;
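Review bot: Dropping pg_escape_string() from `$sSQL .= "p.postcode = '".reset($this->aName)."'";` makes this string-built query safe only if every path that populates `$this->aName` has applied the escape-unchanged check added at the postcode-term site; any other writer of `aName` now reaches the SQL unescaped. Keeping the escape at the point of use, `$sSQL .= "p.postcode = '".pg_escape_string(reset($this->aName))."'";`, costs nothing for values that already pass that check (escaping them again returns the same string) and keeps the query self-protecting; binding the value as a query parameter would be better still if the surrounding DB layer supports it. Note also that reset() on an empty `$this->aName` returns false, which concatenates to an empty string and yields `p.postcode = ''`; if aName can be empty here, guard for it. The enclosing function starts and ends outside the hunk.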