View Issue Details

ID: 0003030
Project: mantisbt
Category: db mysql
View Status: public
Last Update: 2019-07-17 12:04
Reporter: reporter
Assigned To: (unassigned)
Priority: normal
Severity: feature
Reproducibility: always
Status: confirmed
Resolution: open
Platform: x86
OS: Windows 2000
Product Version: 1.3.0-beta.1
Summary: 0003030: back slash in search string not escaped
Description

I have to type in "\\" in the search text box to search for "\"

Steps To Reproduce

Try to search for any string with one "\" in it.
You won't get anything if there is only one "\" in your search string; if you manually escape the "\" (--> "\\"), the search will work.

Tags: No tags attached.

Relationships

child of 0005460 (closed, vboctor): Critical Issues to Fix for Mantis 1.0.0 Release

Activities

BertHuijben

2003-03-03 17:59

reporter   ~0003906

In 0.18.0a3, this seems to be a MySQL problem. (The query is properly escaped towards MySQL, but there are no results.)

reporter

2003-03-03 23:40

reporter   ~0003910

According to the MySQL manual.html:

Note: Because MySQL uses the C escape syntax in strings (for example, `\n`), you must double any `\` that you use in your LIKE strings. For example, to search for `\n`, specify it as `\\n`. To search for `\`, specify it as `\\\\` (the backslashes are stripped once by the parser and another time when the pattern match is done, leaving a single backslash to be matched).

BertHuijben

2003-03-04 09:58

reporter   ~0003914

Last edited: 2003-03-04 10:23

If you search for \ you will get the following queries to MySQL. (At least I get them on my server.)

5 SELECT .... ((summary LIKE '%\\%') OR (mantis_bug_text_table.description LIKE '%\\%') OR (mantis_bug_text_table.steps_to_reproduce LIKE '%\\%') OR (mantis_bug_text_table.additional_information LIKE '%\\%') OR (mantis_bug_table.id LIKE '%\\%') OR (mantis_bugnote_text_table.note LIKE '%\\%')) AND (mantis_bug_text_table.id = mantis_bug_table.bug_text_id)

The backslash is doubled in the query as it should be for security. But after reviewing the MySQL manual this is not enough in the LIKE query.

\, % and _ need an extra \ before, because \\, \% and \_ (\\\\, \\% and \\_ after encoding) are escapes for literal \, % and _ in queries.
(These are parsed after the initial \ parsing of queries.)

If it was documented, you might treat it as a feature to allow full LIKE expressions in searching Mantis, but I think it should be fixed for ease of use ;-)

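The two escaping layers discussed in the comments above, as an added worked example that is not part of this issue or of MantisBT's code. `escape_like` is the pattern layer (backslash, `%` and `_` get a leading backslash so LIKE matches them literally), `mysql_string_literal` is the literal layer the reported query applied on its own, and `mysql_like_literal` composes them in the order MySQL undoes them. `search_summaries` runs the search end to end on a few constructed rows; it uses SQLite as a stand-in for MySQL's LIKE (SQLite has no default escape character, so `ESCAPE '\'` is declared explicitly, and its literals have no C escapes, so the literal layer is left to parameter binding). All function and table names are this example's own.

```python
import sqlite3

# Added example (not MantisBT code): the two escaping layers a backslash in a
# search term has to pass through before MySQL compares it with LIKE.
#
# Layer 1 (pattern): LIKE treats \, % and _ specially, with \ as MySQL's
# default escape character, so each must be preceded by a backslash to match
# literally.
# Layer 2 (string literal): the SQL parser strips C-style escapes from the
# quoted literal, so every backslash produced by layer 1 is doubled again.
# The reported Mantis search only did layer 2, which is why '%\\%' found
# nothing: the parser reduced it to the pattern %\%, a lone escape + %.

LIKE_SPECIAL = {"\\": "\\\\", "%": "\\%", "_": "\\_"}


def escape_like(term: str) -> str:
    """Layer 1: make LIKE match `term` literally (escape character is \\)."""
    return "".join(LIKE_SPECIAL.get(ch, ch) for ch in term)


def mysql_string_literal(value: str) -> str:
    """Layer 2: escape the characters MySQL's parser interprets inside a
    single-quoted literal. This is the only step the reported query applied."""
    table = {"\\": "\\\\", "'": "\\'", "\"": "\\\"", "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def mysql_like_literal(term: str) -> str:
    """Text of a complete '%...%' LIKE literal for MySQL with both layers applied.
    Pattern escaping comes first and literal escaping second, so that the parser
    strips one level and the LIKE matcher strips the other."""
    return "'%" + mysql_string_literal(escape_like(term)) + "%'"


# Constructed sample rows standing in for mantis_bug_table.summary.
SAMPLE_SUMMARIES = [
    "crash when path is C:\\temp\\log.txt",
    "progress bar stops at 100%",
    "field_name is truncated",
    "plain summary without metacharacters",
]


def search_summaries(rows, term, escape_pattern=True):
    """Substring search over `rows` in an in-memory SQLite table.

    SQLite stands in for MySQL: its literals have no C escapes and it has no
    default LIKE escape character, so ESCAPE '\\' is declared explicitly.
    The pattern is bound as a parameter, so nothing is pasted into SQL text.
    escape_pattern=False reproduces the bug: the raw term goes into the
    pattern with layer 1 skipped.
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE bug (id INTEGER PRIMARY KEY, summary TEXT)")
    con.executemany("INSERT INTO bug (summary) VALUES (?)", [(r,) for r in rows])
    body = escape_like(term) if escape_pattern else term
    hits = con.execute(
        "SELECT summary FROM bug WHERE summary LIKE ? ESCAPE '\\' ORDER BY id",
        ("%" + body + "%",),
    ).fetchall()
    con.close()
    return [row[0] for row in hits]


if __name__ == "__main__":
    for term in ["\\", "_", "100%"]:
        print(repr(term), "MySQL literal:", mysql_like_literal(term))
        print("  escaped   ->", search_summaries(SAMPLE_SUMMARIES, term))
        print("  unescaped ->", search_summaries(SAMPLE_SUMMARIES, term,
                                                 escape_pattern=False))
```

Searching for a single backslash with the pattern layer skipped does not just return nothing: with `\` as the escape character, `%\%` means "ends with a literal %", so the query silently matches the wrong rows. Searching for `_` unescaped matches every non-empty row. With parameter binding in place, the literal layer is no longer the application's job at all; the pattern layer still is, because the driver cannot know which characters the application meant as wildcards.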

grangeway

2014-09-22 15:54

reporter   ~0041281

This is still an issue in the latest code - updating product affected versions