Sanitize query to prevent SQL injection via parameter markers

protich · JediKev · commit 193f5fe00756 · 2025-02-03T13:04:14.000-06:00
The previous implementation used the regex `/:(\d+)/i` to remove a
single colon preceding digits. However, this approach did not handle
cases with multiple colons (e.g., "::1"), which could potentially allow
for injection attempts.

This commit updates the regex to `/:+(\d+)/` to match one or more colons
before the digits and replaces them with just the captured number. This
change ensures that all leading colons are removed, effectively
neutralizing any parameter marker injection while preserving the
intended numeric value.
diff --git a/include/class.search.php b/include/class.search.php
@@ -371,8 +371,11 @@ function find($query, QuerySet $criteria, $addRelevance=true) {
         #elseif (count(explode(' ', $query)) == 1)
         #    $mode = ' WITH QUERY EXPANSION';
 
-        // Strip colon (:num) to avoid possible params injection
-        $query = preg_replace('/:(\d+)/i', '$1', $query);
+        // Sanitize query to avoid possible SQL injection via parameter markers
+        // This regex matches one or more colons followed by one or more digits,
+        // and then replaces the match with only the digits (i.e. stripping the colon(s)).
+        $query = preg_replace('/:+(\d+)/', '$1', $query);
+
         // escape query and using it as search
         $search = 'MATCH (Z1.title, Z1.content) AGAINST ('.db_input($query).$mode.')';
 
