[mapguide-commits] r9042 - in trunk/MgDev/Web/src: mapviewerjava mapviewernet mapviewerphp

svn_mapguide at osgeo.org svn_mapguide at osgeo.org
Mon Sep 19 06:54:37 PDT 2016 

Author: jng
Date: 2016-09-19 06:54:37 -0700 (Mon, 19 Sep 2016)
New Revision: 9042

Modified:
   trunk/MgDev/Web/src/mapviewerjava/search.jsp
   trunk/MgDev/Web/src/mapviewernet/search.aspx
   trunk/MgDev/Web/src/mapviewerphp/search.php
Log:
#2556: Escape single quotes in search command input.

Patch by tuceda. PHP/.net versions provided by me.

Modified: trunk/MgDev/Web/src/mapviewerjava/search.jsp
===================================================================
--- trunk/MgDev/Web/src/mapviewerjava/search.jsp	2016-09-19 13:27:57 UTC (rev 9041)
+++ trunk/MgDev/Web/src/mapviewerjava/search.jsp	2016-09-19 13:54:37 UTC (rev 9042)
@@ -105,6 +105,8 @@
         if(layer == null)
             throw new SearchError(MessageFormat.format(MgLocalizer.GetString("SEARCHLAYERNOTFOUND", locale), new Object[] { layerName }), searchError);
 
+        userInput = userInput.replace("'", "''");
+
         //substitute the input tag with the actual user input to make up the filter
         int varIndex = filter.indexOf("$USER_VARIABLE");
         if(varIndex != -1)

Modified: trunk/MgDev/Web/src/mapviewernet/search.aspx
===================================================================
--- trunk/MgDev/Web/src/mapviewernet/search.aspx	2016-09-19 13:27:57 UTC (rev 9041)
+++ trunk/MgDev/Web/src/mapviewernet/search.aspx	2016-09-19 13:54:37 UTC (rev 9042)
@@ -93,6 +93,9 @@
             {
                 throw new SearchError(String.Format(MgLocalizer.GetString("SEARCHLAYERNOTFOUND", locale), new Object[] { layerName }), searchError);
             }
+            
+            //escape single quote in userInput
+            userInput = userInput.Replace("'", "''");
 
             //substitute the input tag with the actual user input to make up the filter
             filter = filter.Replace("$USER_VARIABLE", userInput);

Modified: trunk/MgDev/Web/src/mapviewerphp/search.php
===================================================================
--- trunk/MgDev/Web/src/mapviewerphp/search.php	2016-09-19 13:27:57 UTC (rev 9041)
+++ trunk/MgDev/Web/src/mapviewerphp/search.php	2016-09-19 13:54:37 UTC (rev 9042)
@@ -43,6 +43,7 @@
     $resNames = array();
     $resProps = array();
     $matchLimit = 0;
+    $features = NULL;
 
     GetRequestParameters();
     SetLocalizedFilesPath(GetLocalizationPath());
@@ -77,6 +78,8 @@
         {
             trigger_error(FormatMessage("SEARCHLAYERNOTFOUND", $locale, array($layerName)));
         }
+        
+        $userInput = str_replace("'", "''", $userInput);
 
         //unescape strings
         //

More information about the mapguide-commits mailing list