Gossamer Forum

[ Feature request ] Search logging - only allow certain characters

Hi,

One thing that's really annoyed me recently is people trying to do SQL injection and other JS code in the search queries. This is fine for the search itself, but when you have "search logging" enabled, it stores stuff like:

Code:
<script>alert("TEST")</script>

Can we not have some regex in place to ONLY log valid queries? Something like:

Code:
^[a-z0-9 _\-\.,@]+$

I've added this into a job I'm currently doing, but it would be nice if it was part of the standard script :)

Cheers

Andy (mod)
andy@ultranerds.co.uk
Want to give me something back for my help? Please see my Amazon Wish List
GLinks ULTRA Package | GLinks ULTRA Package PRO
Links SQL Plugins | Website Design and SEO | UltraNerds | ULTRAGLobals Plugin | Pre-Made Template Sets | FREE GLinks Plugins!
Re: [Andy] [ Feature request ] Search logging - only allow certain characters
...in admin/Links/User/Search.pm, here is how I've done it (in case anyone else wants to manually make this hack):

Code:
if (length $query and $CFG->{search_logging} and $args->{nh} == 1) {

I changed to:

Code:
if (length $query and $CFG->{search_logging} and $args->{nh} == 1 and $query =~ /^[a-z0-9 _\-\.,@]+$/i) {

Cheers

Andy (mod)
Re: [Andy] [ Feature request ] Search logging - only allow certain characters
There are two lines with that code, but I believe you need to replace the second one, after "# Log the search if it's a new query", right?


Regards.

UnReal Network
Re: [DeadMan] [ Feature request ] Search logging - only allow certain characters
There are 2 instances of:

Code:
if (length $query and $CFG->{search_logging} and $args->{nh} == 1) {

?

If so, change it to my code in both places.

Cheers

Andy (mod)
Re: [Andy] [ Feature request ] Search logging - only allow certain characters
Yes. The first is here:

Code:
my $started;
if (length $query and $CFG->{search_logging} and $args->{nh} == 1) {
    if (!defined $time_hires) {
        $time_hires = eval { require Time::HiRes } || 0;
    }
    $started = $time_hires ? Time::HiRes::time() : time;
}

And the second:

Code:
# Log the search if it's a new query
if (length $query and $CFG->{search_logging} and $args->{nh} == 1) {
    my $elapsed = ($time_hires ? Time::HiRes::time() : time) - $started;
    my $results = $link_count || 0;
    my $sl = $DB->table('SearchLogs');
    my $q = lc $query;
    substr($q, 255) = '' if length $q > 255;

I've changed them both.

Regards.

UnReal Network
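As an added example (not code from this thread or from Gossamer Links), Andy's patched logging condition and the lower-case/truncate step from the quoted Search.pm excerpt pulled out into two standalone Perl functions and run over constructed queries; the `should_log_search` and `normalize_for_log` names and the sample inputs are mine.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlist from the thread: letters, digits, space, underscore, hyphen,
# dot, comma and @. The /i flag matches the patched Search.pm; without it
# any query containing an upper-case letter would silently go unlogged.
my $ALLOWED = qr/^[a-z0-9 _\-\.,@]+$/i;

# Mirror of the patched condition: log only when search logging is on,
# this is the first results page (nh == 1), the query is non-empty and
# it matches the allowlist. Anything else is dropped from the log.
sub should_log_search {
    my ($query, $search_logging, $nh) = @_;
    return 0 unless length $query;
    return 0 unless $search_logging;
    return 0 unless defined $nh && $nh == 1;
    return $query =~ $ALLOWED ? 1 : 0;
}

# Same normalisation Search.pm applies before the insert:
# lower-case, then clip to the 255-character column.
sub normalize_for_log {
    my ($query) = @_;
    my $q = lc $query;
    substr($q, 255) = '' if length $q > 255;
    return $q;
}

# Constructed sample queries, not taken from a real search log.
my @samples = (
    'perl modules',
    'Gossamer Links',
    'foo@example.com',
    '<script>alert("TEST")</script>',   # the case from the original post
    'café',                             # non-ASCII letters fall outside the allowlist
    'x' x 300,                          # allowed, but clipped to 255 when stored
);

for my $q (@samples) {
    my $verdict = should_log_search($q, 1, 1) ? 'LOG ' : 'SKIP';
    my $shown   = length $q > 40 ? substr($q, 0, 37) . '...' : $q;
    printf "%s  %-40s", $verdict, $shown;
    print '  -> ', length(normalize_for_log($q)), ' chars stored'
        if $verdict eq 'LOG ';
    print "\n";
}
```

Note that the allowlist rejects accented and other non-ASCII search terms too, so those searches never reach the log either; that is a side effect of the regex rather than something the filter was written for.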
Re: [DeadMan] [ Feature request ] Search logging - only allow certain characters
OK, yeah, that looks right.

Cheers

Andy (mod)