Gossamer Forum: Products: Gossamer Links: Development, Plugins and Globals: [ Feature request ] Search logging

Jan 8, 2012, 5:22 AM

Andy

Veteran / Moderator (17366 posts)

Jan 8, 2012, 5:22 AM

Post #1 of 6

Shortcut

[ Feature request ] Search logging - only allow certain charachters

Hi,

One thing thats really annoyed me recently, is people trying to do SQL injection and other JS codes into the search queries. This is fine for the search itself, but when you have "search logging" enabled, it stores stuff like:

Code:
<script>alert("TEST")</script>

Can we not have some regex in place to ONLY log valid queries? Something like:

Code:
^[a-z0-9 _\-\.,@]+$

I've added this into a job I'm currently doing, but would be nice it it was part of the standard script :)

Cheers

Andy (mod)
andy@ultranerds.co.uk

IMPORTANT: I've now moved to ultranerds.co.uk, and the .com will no longer work!
Want to give me something back for my help? Please see my Amazon Wish List
GLinks ULTRA Package (plugins total "value" $3,325 & rising, for just $350)| GLinks ULTRA Package PRO (plugins total "value" $5,625 & rising, for just $500)
Support Forum | Links SQL Plugins | DMOZ Dumps | UltraNerds | ULTRAGLobals Plugin | Pre-Made Template Sets | FREE GLinks Plugins!
Compare our different Plugin packages *new* Free CSS Templates

Jan 8, 2012, 5:24 AM

Andy

Veteran / Moderator (17366 posts)

Jan 8, 2012, 5:24 AM

Post #2 of 6

Shortcut

Re: [Andy] [ Feature request ] Search logging - only allow certain charachters In reply to

...in admin/Links/User/Search.pm, here is how I've done it (in case anyone else wants to manually make this hack);

Code:
if (length $query and $CFG->{search_logging} and $args->{nh} == 1) {

I changed to:

Code:
if (length $query and $CFG->{search_logging} and $args->{nh} == 1 and $query =~ /^[a-z0-9 _\-\.,@]+$/i) {

Cheers

Andy (mod)
andy@ultranerds.co.uk

Jan 30, 2012, 10:14 AM

DeadMan

User (474 posts)

Jan 30, 2012, 10:14 AM

Post #3 of 6

Shortcut

Re: [Andy] [ Feature request ] Search logging - only allow certain charachters In reply to

There are two lines with that code but I belive you need to replace second one, after "# Log the search if it's a new query" right?

Regards.

UnReal Network

Jan 30, 2012, 10:16 AM

Andy

Veteran / Moderator (17366 posts)

Jan 30, 2012, 10:16 AM

Post #4 of 6

Shortcut

Re: [DeadMan] [ Feature request ] Search logging - only allow certain charachters In reply to

There are 2 instances of:

Code:
if (length $query and $CFG->{search_logging} and $args->{nh} == 1) {

?

If so, change it to my code in both places

Cheers

Andy (mod)
andy@ultranerds.co.uk

Jan 30, 2012, 11:17 AM

DeadMan

User (474 posts)

Jan 30, 2012, 11:17 AM

Post #5 of 6

Shortcut

Re: [Andy] [ Feature request ] Search logging - only allow certain charachters In reply to

Yes. The first is here

Code:
    my $started; 
    if (length $query and $CFG->{search_logging} and $args->{nh} == 1) { 
        if (!defined $time_hires) { 
            $time_hires = eval { require Time::HiRes } || 0; 
        } 
        $started = $time_hires ? Time::HiRes::time() : time; 
    }

And the second

Code:
# Log the search if it's a new query 
    if (length $query and $CFG->{search_logging} and $args->{nh} == 1) { 
        my $elapsed = ($time_hires ? Time::HiRes::time() : time) - $started; 
        my $results = $link_count || 0; 
        my $sl = $DB->table('SearchLogs'); 
        my $q = lc $query; 
        substr($q, 255) = '' if length $q > 255;

I've changed it both

Regards.

UnReal Network

Jan 30, 2012, 11:20 AM

Andy

Veteran / Moderator (17366 posts)

Jan 30, 2012, 11:20 AM

Post #6 of 6

Shortcut

Re: [DeadMan] [ Feature request ] Search logging - only allow certain charachters In reply to

Ok yeah that looks right

Cheers

Andy (mod)
andy@ultranerds.co.uk