增加 SQL like 转义处理

2 years ago · 71fe63bf4a
parent 5194a9152c
commit 71fe63bf4a
3 changed files with 5 additions and 5 deletions
--- a/application/third_party/recommend/controllers/index.php
+++ b/application/third_party/recommend/controllers/index.php
@ -35,7 +35,7 @@ class Index extends CI_Controller
      $data = array();
      $data['groupList'] = $this->Information_model->group_list();
      $data['tipsList'] = $this->infoTips_model->search($keywords, $byWhat);
-      $data['keywords'] = $keywords;
+      $data['lastKeyword'] = $keywords;
      $this->load->view('bootstrap3/header', $data);
      $this->load->view('welcome');
      $this->load->view('bootstrap3/footer');
--- a/application/third_party/recommend/models/infoTips_model.php
+++ b/application/third_party/recommend/models/infoTips_model.php
@ -60,11 +60,11 @@ class infoTips_model extends CI_Model
      $whereCodition = '';

      if ($byWhat == 'byTitle') {
-        $whereCodition .= " and it.it_title like '%" . addslashes($keywords) . "%'";
+        $whereCodition .= " and it.it_title like '%" . $this->HT->escape_str($keywords) . "%'";
      } else if ($byWhat == 'byLabel') {
-        $whereCodition .= " and it.it_code like '%" . addslashes($keywords) . "%'";
+        $whereCodition .= " and it.it_code like '%" . $this->HT->escape_str($keywords) . "%'";
      } else if ($byWhat == 'byContent') {
-        $whereCodition .= " and it.it_content like '%" . addslashes($keywords) . "%'";
+        $whereCodition .= " and it.it_content like '%" . $this->HT->escape_str($keywords) . "%'";
      }
      $searchText = 
        "select it.it_id ,it.it_title,it.it_expires,it.it_code,it.it_content,it.it_sitecode,it.it_datetime 
--- a/application/third_party/recommend/views/welcome.php
+++ b/application/third_party/recommend/views/welcome.php
@ -8,7 +8,7 @@
            <form id="searchForm" method="post" action="<?php echo site_url('thirdparty/recommend/index/search'); ?>" class="navbar-form navbar-left">
          <div class="input-group">
            <input type="text" class="form-control input-sm" name="keywords" id="keywords" value="" style="min-width:450px;">
-            <input type="hidden" name="byWhat" value="<?php echo $keywords; ?>" id="byWhatInput" >
+            <input type="hidden" name="byWhat" value="<?php if (!empty($lastKeyword)) {echo $lastKeyword;} ?>" id="byWhatInput" >
            <span class="input-group-btn">
              <button class="btn btn-default btn-sm" id="searchByTitleBtn" type="button">搜索标题</button>
              <button class="btn btn-default btn-sm" id="searchByLabelBtn" type="button">搜索标签</button>