View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0003030 | mantisbt | db mysql | public | 2003-03-03 15:22 | 2019-07-17 12:04 |
Field | Value
---|---
Reporter |
Assigned To |
Priority | normal
Severity | feature
Reproducibility | always
Status | confirmed
Resolution | open
Platform | x86
OS | Windows 2000
Product Version | 1.3.0-beta.1
Summary | 0003030: back slash in search string not escaped
Description | I have to type in "\" in the search text box to search for "\"
Steps To Reproduce | try to search for any string with one "\" in it
Tags | No tags attached.
In 0.18.0a3, this seems to be a mysql problem. (The query is properly escaped towards mysql, but there are no results.)

According to the MySQL manual.html: Note: Because MySQL uses the C escape syntax in strings (for example,

If you search for \ you will get the following queries to MySQL. (At least I get them on my server)

```sql
SELECT .... ((summary LIKE '%\%') OR (mantis_bug_text_table.description LIKE '%\%') OR (mantis_bug_text_table.steps_to_reproduce LIKE '%\%') OR (mantis_bug_text_table.additional_information LIKE '%\%') OR (mantis_bug_table.id LIKE '%\%') OR (mantis_bugnote_text_table.note LIKE '%\%')) AND (mantis_bug_text_table.id = mantis_bug_table.bug_text_id)
```

The backslash is doubled in the query as it should be for security. But after reviewing the MySQL manual this is not enough in the LIKE query. \, % and _ need an extra \ before, because \, \% and _ (\\, \\% and \_ after encoding) are escapes for literal \, % and _ in queries. If it was documented, you might treat it as a feature to allow full LIKE expressions in searching Mantis, but I think it should be fixed for ease of use ;-)

edited on: 03-04-03 10:23

This is still an issue in the latest code - updating product affected versions
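The extra escaping the note asks for, as an added Python example that is not part of this issue or of MantisBT's code: `escape_like` puts the additional backslash before `\`, `%` and `_`, and a small model of MySQL's LIKE matching (assumed here to follow its default `\` escape character; it is not MySQL itself) shows why the under-escaped pattern matches the wrong rows. The sample summaries are constructed.

```python
import re

# Added example, not MantisBT code: LIKE-level escaping as the note asks for,
# plus a toy model of MySQL LIKE matching (default "\" escape character).

def escape_like(term: str) -> str:
    """Escape a user-supplied term for use inside a LIKE pattern.
    Backslash goes first so the backslashes added for % and _ are not doubled
    again. The result is still a string value: bind it as a parameter (or run
    it through the driver's string escaping) so the SQL literal stays intact.
    """
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def like_to_regex(pattern: str) -> re.Pattern:
    """Model of MySQL LIKE: a character after "\\" is literal, a bare % matches
    any run of characters and a bare _ matches exactly one character."""
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))  # escaped wildcard/backslash
            i += 2
            continue
        parts.append(".*" if ch == "%" else "." if ch == "_" else re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)

def search(rows, term: str, escaped: bool) -> list:
    """Substring search the way the Mantis query builds it: '%' + term + '%'."""
    needle = escape_like(term) if escaped else term
    regex = like_to_regex("%" + needle + "%")
    return [r for r in rows if regex.match(r)]

# Constructed sample bug summaries.
ROWS = [
    "path C:\\temp\\file",
    "100% reproducible",
    "coverage at 100%",
    "snake_case name",
    "lowercase only",
]

if __name__ == "__main__":
    # A lone backslash without LIKE escaping gives the pattern '%\%', which
    # means "ends with a literal %": the row holding a backslash is missed.
    print(search(ROWS, "\\", escaped=False))     # ['coverage at 100%']
    print(search(ROWS, "\\", escaped=True))      # ['path C:\\temp\\file']
    print(search(ROWS, "_case", escaped=False))  # ['snake_case name', 'lowercase only']
    print(search(ROWS, "_case", escaped=True))   # ['snake_case name']
```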