DEV: Use safer SQL functions for string queries in CategoryHashTagDataSource (#26836)

Instead of `LIKE`, use either `starts_with` or `position`. This way the
term isn't interpreted as a pattern.
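The difference the commit message describes, as an added example that is not part of the Discourse commit or its code base: a small Ruby simulation of how a PostgreSQL `LIKE` pattern built from user input behaves, compared with the literal prefix and substring tests that `starts_with` and `position` perform. The slug list is constructed sample data, and `like_to_regexp` is a hypothetical helper that models PostgreSQL's `%` and `_` wildcard semantics in Ruby.

```ruby
# Added example (not Discourse code): constructed sample of category slugs.
SLUGS = %w[general general-chat site-feedback staff support].freeze

# Hypothetical helper: translate a SQL LIKE pattern into the regexp the
# database effectively evaluates. '%' matches any run of characters and
# '_' matches exactly one character; everything else is literal.
def like_to_regexp(pattern)
  body = pattern.chars.map do |ch|
    case ch
    when "%" then ".*"
    when "_" then "."
    else Regexp.escape(ch)
    end
  end.join
  /\A#{body}\z/m
end

# Old behaviour: the raw term is interpolated into the pattern, so any
# '%' or '_' the user typed is treated as a wildcard, not as text.
def like_starts_with(slugs, term)
  re = like_to_regexp("#{term.downcase}%")
  slugs.select { |s| s.downcase.match?(re) }
end

# New `starts_with` condition: starts_with(LOWER(slug), LOWER(term)).
# The term is compared as a literal string, wildcard characters included.
def literal_starts_with(slugs, term)
  t = term.downcase
  slugs.select { |s| s.downcase.start_with?(t) }
end

# New `contains` condition: position(LOWER(term) IN LOWER(name)) <> 0.
# Edge case: PostgreSQL's position('' IN x) returns 1, so an empty term
# matches every row. Ruby's include?("") is also true, mirroring that.
def literal_contains(slugs, term)
  t = term.downcase
  slugs.select { |s| s.downcase.include?(t) }
end

# Alternative when LIKE must stay: escape the metacharacters first
# (the same transformation ActiveRecord's sanitize_sql_like applies).
def escape_like(term, escape = "\\")
  term.gsub(/[\\%_]/) { |m| escape + m }
end
```

Running `like_starts_with(SLUGS, "%")` returns every slug because the term becomes the pattern `%%`, while `literal_starts_with(SLUGS, "%")` returns nothing, since no slug begins with a percent sign; that gap is the unintended matching the commit removes.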
Daniel Waterworth 2024-05-01 13:27:46 -05:00 committed by GitHub
parent dc54884c1a
commit 07dc6efdc9
GPG Key ID: B5690EEEBB952194
1 changed file with 5 additions and 2 deletions


@ -60,10 +60,13 @@ class CategoryHashtagDataSource
.includes(:parent_category)
if condition == HashtagAutocompleteService.search_conditions[:starts_with]
base_search = base_search.where("LOWER(slug) LIKE :term", term: "#{term}%")
base_search = base_search.where("starts_with(LOWER(slug), LOWER(:term))", term: term)
elsif condition == HashtagAutocompleteService.search_conditions[:contains]
base_search =
base_search.where("LOWER(name) LIKE :term OR LOWER(slug) LIKE :term", term: "%#{term}%")
base_search.where(
"position(LOWER(:term) IN LOWER(name)) <> 0 OR position(LOWER(:term) IN LOWER(slug)) <> 0",
term: term,
)
else
raise Discourse::InvalidParameters.new("Unknown search condition: #{condition}")
end
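Review bot: no spec accompanies this change (only the data source file is touched), and the behaviour that motivates it, a term containing `%` or `_` now matching literally instead of as a wildcard, is exactly what a later refactor back to `LIKE` would silently undo; a spec that searches for a term such as `a%` under both the `starts_with` and `contains` conditions and asserts that only literal matches are returned would pin it down. Two smaller points on the `contains` branch: `position(LOWER(:term) IN LOWER(name)) <> 0` is equivalent to `> 0`, since `position` never returns a negative value, and `> 0` reads more directly as "found"; and `position('' IN ...)` returns 1 in PostgreSQL, so an empty term still matches every row, which preserves the old `LIKE '%%'` behaviour but deserves a comment so nobody treats it as a bug.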