From 614a6ab861fc991da390cdeca137e96ee4dcde2c Mon Sep 17 00:00:00 2001 From: Sarah Hoffmann Date: Sun, 8 Oct 2017 17:36:38 +0200 Subject: [PATCH] don't trust words from word table to be sanatized --- lib/SearchDescription.php | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/lib/SearchDescription.php b/lib/SearchDescription.php index 533c0ab4..42e5af30 100644 --- a/lib/SearchDescription.php +++ b/lib/SearchDescription.php @@ -201,7 +201,9 @@ class SearchDescription // We need to try the case where the postal code is the primary element // (i.e. no way to tell if it is (postalcode, city) OR (city, postalcode) // so try both. - if (!$this->sPostcode && $bWordInQuery) { + if (!$this->sPostcode && $bWordInQuery + && pg_escape_string($aSearchTerm['word']) == $aSearchTerm['word'] + ) { // If we have structured search or this is the first term, // make the postcode the primary search element. if ($this->iOperator == Operator::NONE @@ -239,6 +241,9 @@ class SearchDescription if (preg_match_all("/[^0-9]/", $oSearch->sHouseNumber, $aMatches) > 2) { $oSearch->iSearchRank++; } + if (!isset($aSearchTerm['word_id'])) { + $oSearch->iSearchRank++; + } // also must not appear in the middle of the address if (sizeof($this->aAddress) || sizeof($this->aAddressNonSearch)) { $oSearch->iSearchRank++; @@ -446,7 +451,7 @@ class SearchDescription $sSQL .= 'WHERE '; } - $sSQL .= "p.postcode = '".pg_escape_string(reset($this->aName))."'"; + $sSQL .= "p.postcode = '".reset($this->aName)."'"; $sCountryTerm = $this->countryCodeSQL('p.country_code', $sCountryList); if ($sCountryTerm) { $sSQL .= ' AND '.$sCountryTerm; -- 2.39.5