Should wildcards be allowed? Doesn't it pose a security risk?
However, I find it a very useful module, but when a user searches for example for '%u%', it is a very heavy query. Perhaps the length of the string should be the length with the wildcards excluded.
A feature request could also be a checkbox in the admin section for whether you allow wildcards or not.

Attachments
#2: finduser_wildcard.patch (851 bytes) by domidc

Comments

Comment by domidc

In order to prevent injection of SQL wildcards, a simple line needs to be added to the validate function:

function finduser_form_validate($form_id, $form_values, $form) {
  if ($form_values['search_by'] != 'email') {
    // Remove wildcards before measuring the length, so that '%u%' counts as
    // one character. $form_values is a copy here, so the stripped text is
    // only used by this length check.
    $form_values['search_text'] = str_replace('%', '', $form_values['search_text']);
    if (strlen($form_values['search_text']) < variable_get('finduser_minimum_characters', 3)) {
      form_set_error('search_text', t('Your search text needs to be @d characters or longer.', array('@d' => variable_get('finduser_minimum_characters', 3))));
    }
  }
}
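As an added example that is not part of the finduser module, the attached patch, or any comment in this thread: a small stand-alone PHP script showing the two ways to deal with LIKE wildcards in a search string, counting them out of the minimum length (as the patch does) or escaping them so they match literally. It goes slightly beyond the thread by also treating `_`, the single-character LIKE wildcard, the same way as `%`. All function names are made up for the example.

```php
<?php
// Added example, not the module's code. Function names are hypothetical.

// MySQL LIKE metacharacters: '%' matches any run of characters, '_' any one.
function finduser_like_wildcards() {
  return array('%', '_');
}

/**
 * Number of characters the user actually typed once LIKE wildcards are
 * removed. Compare this against the minimum-length setting, so that '%u%'
 * counts as one character rather than three and cannot bypass the limit.
 */
function finduser_effective_length($search_text) {
  return strlen(str_replace(finduser_like_wildcards(), '', $search_text));
}

/**
 * Escape wildcards (and the backslash escape character itself) so the text
 * is matched literally inside a LIKE '%...%' pattern. This only neutralises
 * pattern metacharacters; the value must still go through the database
 * layer's normal string escaping / placeholders.
 */
function finduser_like_escape($search_text) {
  return addcslashes($search_text, '\\%_');
}

/**
 * Validate a search string the way the patched module does, but counting
 * only non-wildcard characters. Returns NULL when valid, else the message.
 */
function finduser_check_search_text($search_text, $minimum = 3) {
  if (finduser_effective_length($search_text) < $minimum) {
    return sprintf('Your search text needs to be %d characters or longer.', $minimum);
  }
  return NULL;
}

// Demonstration on constructed inputs: a wildcard-only probe, a short string
// padded with '_', a normal name, and a string containing a literal '%'.
foreach (array('%u%', 'ab_', 'bob', '50%_off') as $input) {
  printf("%-10s effective=%d escaped=%-12s %s\n",
    var_export($input, true),
    finduser_effective_length($input),
    finduser_like_escape($input),
    finduser_check_search_text($input) ?: 'ok');
}
```

Run it with `php` on the command line. Stripping is the right choice when wildcards are simply not wanted; escaping is the right choice when a literal `%` or `_` in the search text (an e-mail address, for instance) must still be searchable. In either case the resulting string is still passed to the query through the database layer's placeholder rather than concatenated in.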
Comment by domidc

Title: search with wildcard% » prevent injection of % wildcard in the search string
Priority: Normal » Critical
Status: new, file size: 851 bytes

A patch fixing the wildcard problem posted earlier is attached to this post.

Comment by domidc

Version: 5.x-1.0-beta2 » 5.x-1.x-dev

Changing to the right version

Comment by toemaz

Status: Active » Fixed

Committed to the HEAD.

Comment by Anonymous

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.