From 5194a9152cb18c5530706fc6566f1588dac3d157 Mon Sep 17 00:00:00 2001 From: Jimmy Liow Date: Thu, 16 Nov 2023 15:10:52 +0800 Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E8=BD=AC=E4=B9=89=E9=98=B2?= =?UTF-8?q?=E6=AD=A2=20SQL=20=E5=87=BA=E9=94=99?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../third_party/recommend/models/infoTips_model.php | 7 ++++--- application/third_party/recommend/views/welcome.php | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/application/third_party/recommend/models/infoTips_model.php b/application/third_party/recommend/models/infoTips_model.php index 7e5c2e68..f441475e 100644 --- a/application/third_party/recommend/models/infoTips_model.php +++ b/application/third_party/recommend/models/infoTips_model.php @@ -58,12 +58,13 @@ class infoTips_model extends CI_Model public function search($keywords, $byWhat) { $whereCodition = ''; + if ($byWhat == 'byTitle') { - $whereCodition .= " and it.it_title like '%" . $keywords . "%'"; + $whereCodition .= " and it.it_title like '%" . addslashes($keywords) . "%'"; } else if ($byWhat == 'byLabel') { - $whereCodition .= " and it.it_code like '%" . $keywords . "%'"; + $whereCodition .= " and it.it_code like '%" . addslashes($keywords) . "%'"; } else if ($byWhat == 'byContent') { - $whereCodition .= " and it.it_content like '%" . $keywords . "%'"; + $whereCodition .= " and it.it_content like '%" . addslashes($keywords) . "%'"; } $searchText = "select it.it_id ,it.it_title,it.it_expires,it.it_code,it.it_content,it.it_sitecode,it.it_datetime diff --git a/application/third_party/recommend/views/welcome.php b/application/third_party/recommend/views/welcome.php index 2bdb8963..b976e3f1 100644 --- a/application/third_party/recommend/views/welcome.php +++ b/application/third_party/recommend/views/welcome.php @@ -8,7 +8,7 @@
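Review bot: `addslashes()` in the three `like` branches of `search()` is not database-aware escaping. It ignores the connection character set and leaves the LIKE wildcards `%` and `_` untouched, so `$keywords` (presumably request input) can still alter the text concatenated into the query. Since the model extends `CI_Model`, the driver's own escaping fits better, e.g. `$whereCodition .= " and it.it_title like '%" . $this->db->escape_like_str($keywords) . "%'";` (on CodeIgniter 3 the clause also needs `ESCAPE '!'` appended), or a `?` placeholder bound through `$this->db->query()`. The rest of `$searchText` and the call that executes it lie below the hunk, so confirm how the statement is run before choosing between the two.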