
Author Topic: search for nothing and get everything  (Read 7000 times)


diverdan

  • Coppermine newbie
  • Offline Offline
  • Posts: 4
search for nothing and get everything
« on: October 03, 2006, 04:27:33 am »

In my gallery I have most of my pictures set so that you have to be a registered user to see them.  I felt all secure until I discovered that I could perform a search and return ALL the pictures in my gallery.  Without logging in I went to the search page and I used the OR option and searched for space (" ").  All the pictures in my gallery were returned.  I was then free to click around and view any of them.  Even the admin only restricted group.  I'd post a link but, well, I don't want the world viewing my gallery.
« Last Edit: October 03, 2006, 02:20:46 pm by Nibbler »
Logged

diverdan

  • Coppermine newbie
  • Offline Offline
  • Posts: 4
Re: search for nothing and get everything
« Reply #1 on: October 03, 2006, 04:29:10 am »

Oh yeah, forgot to include version info:

URL: https://svn.sourceforge.net/svnroot/coppermine/trunk/stable

Revision: 3301
Node Kind: directory
Schedule: normal
Last Changed Author: gaugau
Last Changed Rev: 3292
Last Changed Date: 2006-09-17 11:57:04 -0700 (Sun, 17 Sep 2006)
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: search for nothing and get everything
« Reply #2 on: October 03, 2006, 04:31:50 am »

Please PM me the link
Logged

diverdan

  • Coppermine newbie
  • Offline Offline
  • Posts: 4
Re: search for nothing and get everything
« Reply #3 on: October 03, 2006, 08:15:50 am »

Looks like this code just needs some extra parentheses.

This is the sql from my " " search:

mysql> use photogallery;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> SELECT COUNT(*) FROM coppermine_pictures WHERE (title LIKE '%%' OR caption LIKE '%%' OR keywords LIKE '%%') OR (title LIKE '%%' OR caption LIKE '%%' OR keywords LIKE '%%') AND aid NOT IN (8,9,10,11,12,13,16,17,20,21,22,24,25,26,27,28,29,32,33,34,35,37,38);
+----------+
| COUNT(*) |
+----------+
|      985 |
+----------+
1 row in set (0.01 sec)

Too many results!
Here is the result when the OR's are wrapped in parentheses and then compared to AND.

mysql> SELECT COUNT(*) FROM coppermine_pictures WHERE ((title LIKE '%%' OR caption LIKE '%%' OR keywords LIKE '%%') OR (title LIKE '%%' OR caption LIKE '%%' OR keywords LIKE '%%')) AND (aid NOT IN (8,9,10,11,12,13,16,17,20,21,22,24,25,26,27,28,29,32,33,34,35,37,38));
+----------+
| COUNT(*) |
+----------+
|       87 |
+----------+
1 row in set (0.01 sec)

mysql>

Ah, the correct number.
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47843
  • aka "GauGau"
    • gaugau.de
Re: search for nothing and get everything
« Reply #4 on: October 03, 2006, 11:12:36 am »

I tried accessing the site (using the link you PMed me as requested), but your gallery is currently offline. I will try to replicate the issue on my testbed.
Logged

Nibbler

  • Guest
Re: search for nothing and get everything
« Reply #5 on: October 03, 2006, 02:14:27 pm »

include/search.inc.php

Code: [Select]
$sql .= implode($type, $sections);
That should be

Code: [Select]
$sql .= '(' . implode($type, $sections) . ')';
 :-[
Logged
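
The precedence problem behind this fix, reproduced as an added example (not code from the thread or from Coppermine): AND binds tighter than OR, so without the outer parentheses the album restriction only constrains the last search section. Assumptions: an in-memory SQLite database stands in for MySQL (both use the same AND/OR precedence), and the `pictures` table, its rows and the helper names are constructed for illustration.

```python
import sqlite3

FIELDS = ("title", "caption", "keywords")

def build_query(terms, joiner, forbidden_albums, parenthesize):
    """Hypothetical stand-in for the WHERE clause assembled in the thread."""
    if joiner not in ("AND", "OR"):          # joiner is interpolated, so whitelist it
        raise ValueError("joiner must be AND or OR")
    # One "(title LIKE ? OR caption LIKE ? OR keywords LIKE ?)" section per term.
    section = "(" + " OR ".join(f"{f} LIKE ?" for f in FIELDS) + ")"
    joined = f" {joiner} ".join([section] * len(terms))
    if parenthesize:                         # the fix: wrap the joined sections
        joined = "(" + joined + ")"
    params = [f"%{t}%" for t in terms for _ in FIELDS]
    sql = "SELECT COUNT(*) FROM pictures WHERE " + joined
    if forbidden_albums:
        marks = ",".join("?" * len(forbidden_albums))
        sql += f" AND aid NOT IN ({marks})"
        params += list(forbidden_albums)
    return sql, params

def count_visible(conn, terms, joiner, forbidden_albums, parenthesize):
    sql, params = build_query(terms, joiner, forbidden_albums, parenthesize)
    return conn.execute(sql, params).fetchone()[0]

def demo_db():
    """Constructed data: album 1 is public, albums 8 and 9 are restricted."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pictures (pid INTEGER PRIMARY KEY, aid INTEGER,"
                 " title TEXT, caption TEXT, keywords TEXT)")
    rows = [(1, "beach", "", "sea"), (1, "reef", "", "sea"),
            (8, "private dive", "", "sea"), (9, "admin only", "", "")]
    conn.executemany("INSERT INTO pictures (aid, title, caption, keywords)"
                     " VALUES (?, ?, ?, ?)", rows)
    return conn

if __name__ == "__main__":
    conn = demo_db()
    blank = ["", ""]                         # a " " search splits into two empty terms
    for fixed in (False, True):
        sql, _ = build_query(blank, "OR", [8, 9], fixed)
        print(count_visible(conn, blank, "OR", [8, 9], fixed), sql)
```

The same check makes a useful regression test for any query builder that appends an access filter: run one search that matches everything as an unprivileged user and assert that the count never exceeds the number of rows that user is allowed to see.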

diverdan

  • Coppermine newbie
  • Offline Offline
  • Posts: 4
Re: search for nothing and get everything
« Reply #6 on: October 03, 2006, 04:27:45 pm »

Indeed, I took the gallery offline once I found the SQL but I just didn't have time to find the adjustment in the PHP.  Picked up the fix with an svn up.  Thanks to you both!
Logged