filter_var is important, mmmkay?
Peter Molnar hello@petermolnar.eu
Mon, 06 Jan 2020 13:57:29 +0000
1 files changed,
4 insertions(+),
5 deletions(-)
M
templates/Search.j2.php
→
templates/Search.j2.php
@@ -33,9 +33,8 @@ }
 else {
 $q = '';
 }
-
+$q = filter_var($q, FILTER_SANITIZE_STRING);
 $db = new SQLite3('./search.sqlite', SQLITE3_OPEN_READONLY);
-$q = str_replace('-', '+', $q);
 $sql = $db->prepare("
 SELECT
 url, category, title, snippet(data, '', '', '[...]', 5, 24), mtime
@@ -46,7 +45,7 @@ data MATCH :q
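Review bot: `$q = filter_var($q, FILTER_SANITIZE_STRING);` now runs before `$q` is bound into the FTS `MATCH` query, so every `"` or `'` in the search term is rewritten as an HTML entity (`&#34;`, `&#39;`) before it reaches SQLite, which breaks quoted-phrase searches and silently changes results for any term containing a quote. This filter is an HTML-oriented sanitiser, not a query sanitiser, and it has since been deprecated (PHP 8.1); the parameterised `bindValue` in the next hunk already makes the raw term safe for the database, so the query path gains nothing from it. I would drop this line, keep `$q` verbatim for the `MATCH` binding, and escape where the term is printed instead, e.g. `<?php echo htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>`. The `if`/`else` that assigns `$q` begins before this hunk.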
 ORDER BY category, mtime
 ");
-$sql->bindValue(':q', $q);
+$sql->bindValue(':q', str_replace('-', '+', $q));
 $query = $sql->execute();
 $results = array();
 if($query) {
@@ -118,11 +117,11 @@ ?>
 {% extends "base.j2.html" %}
 {% block lang %}{% endblock %}
-{% block title %}Search results for: <?php echo($_GET['q']); ?>{% endblock %}
+{% block title %}Search results for: <?php echo($q); ?>{% endblock %}
 {% block content %}
 <main id="main" class="h-feed hatom">
- <h1>Search results for: <?php echo($_GET['q']); ?></h1>
+ <h1>Search results for: <?php echo($q); ?></h1>
 <dl>
 <?php foreach($results as $row) {
</gr_insert_placeholder>
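Review bot: `<?php echo($q); ?>` in the `title` block and in the `<h1>` still writes the user-supplied search term into HTML without context-specific escaping; FILTER_SANITIZE_STRING (applied earlier in this commit) strips tags and encodes quotes but leaves `&` and other characters as-is, so this relies on input sanitisation where output escaping belongs, and that filter has since been deprecated (PHP 8.1). Escaping at the output site is the robust fix and keeps `$q` usable unchanged for the database query: `<?php echo htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>` in both places. Switching from `$_GET['q']` to `$q` is the right direction, since `$q` is also the value that defaults to `''` when the parameter is absent; the `foreach` opened on the last line continues past this hunk.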