forum.coppermine-gallery.net

Dev Board => cpg1.4 Testing/Bugs => cpg1.4 Testing/Bugs: FIXED/CLOSED => Topic started by: diverdan on October 03, 2006, 04:27:33 am

Title: search for nothing and get everything
Post by: diverdan on October 03, 2006, 04:27:33 am

in my gallery I have most of my pictures set so that you have to be a registered user to see them.  I felt all secure until I discovered that I could perform a search and return ALL the pictures in my gallery.  Without logging in I went to the search page and I used the OR option and searched for space (" ").  All the pictures in my gallery were returned.  I was then free to click around and view any of them.  Even the admin only restricted group.  I'd post a link but, well, I don't want the world viewing my gallery.

Title: Re: search for nothing and get everything
Post by: diverdan on October 03, 2006, 04:29:10 am

oh yeah, forgot to include version info:

URL: https://svn.sourceforge.net/svnroot/coppermine/trunk/stable

Revision: 3301
Node Kind: directory
Schedule: normal
Last Changed Author: gaugau
Last Changed Rev: 3292
Last Changed Date: 2006-09-17 11:57:04 -0700 (Sun, 17 Sep 2006)

Title: Re: search for nothing and get everything
Post by: Joachim Müller on October 03, 2006, 04:31:50 am

Please PM me the link

Title: Re: search for nothing and get everything
Post by: diverdan on October 03, 2006, 08:15:50 am

looks like this this code just needs some extra parentheses.

This is the sql from my " " search:

mysql> use photogallery;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> SELECT COUNT(*) FROM coppermine_pictures WHERE (title LIKE '%%' OR caption LIKE '%%' OR keywords LIKE '%%') OR (title LIKE '%%' OR caption LIKE '%%' OR keywords LIKE '%%') AND aid NOT IN (8,9,10,11,12,13,16,17,20,21,22,24,25,26,27,28,29,32,33,34,35,37,38);
+----------+
| COUNT(*) |
+----------+
|      985 |
+----------+
1 row in set (0.01 sec)

Too many results!
Here is the result when the OR's are wrapped in parentheses and then compared to AND.

mysql> SELECT COUNT(*) FROM coppermine_pictures WHERE ((title LIKE '%%' OR caption LIKE '%%' OR keywords LIKE '%%') OR (title LIKE '%%' OR caption LIKE '%%' OR keywords LIKE '%%')) AND (aid NOT IN (8,9,10,11,12,13,16,17,20,21,22,24,25,26,27,28,29,32,33,34,35,37,38));
+----------+
| COUNT(*) |
+----------+
|       87 |
+----------+
1 row in set (0.01 sec)

mysql>

Ah, the correct number.

Title: Re: search for nothing and get everything
Post by: Joachim Müller on October 03, 2006, 11:12:36 am

I tried accessing the site (using the link you PMed me as requested), but your gallery is currently offline. I will try to replicate the issue on my testbed.

Title: Re: search for nothing and get everything
Post by: Nibbler on October 03, 2006, 02:14:27 pm

include/search.inc.php

Code: [Select]

$sql .= implode($type, $sections);
That should be

Code: [Select]

$sql .= '(' . implode($type, $sections) . ')';
 :-[

Title: Re: search for nothing and get everything
Post by: diverdan on October 03, 2006, 04:27:45 pm

Indeed, I took the gallery offline once I found the SQL but I just didn't have time to find the adjustment in the PHP.  Picked up the fix with an svn up.  Thanks to you both!