search for nothing and get everything search for nothing and get everything
 

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Main Menu

search for nothing and get everything

Started by diverdan, October 03, 2006, 04:27:33 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages1
User actions

diverdan

October 03, 2006, 04:27:33 AM Last Edit: October 03, 2006, 02:20:46 PM by Nibbler
in my gallery I have most of my pictures set so that you have to be a registered user to see them.  I felt all secure until I discovered that I could perform a search and return ALL the pictures in my gallery.  Without logging in I went to the search page and I used the OR option and searched for space (" ").  All the pictures in my gallery were returned.  I was then free to click around and view any of them.  Even the admin only restricted group.  I'd post a link but, well, I don't want the world viewing my gallery.

diverdan

#1
October 03, 2006, 04:29:10 AM
oh yeah, forgot to include version info:

URL: https://svn.sourceforge.net/svnroot/coppermine/trunk/stable

Revision: 3301
Node Kind: directory
Schedule: normal
Last Changed Author: gaugau
Last Changed Rev: 3292
Last Changed Date: 2006-09-17 11:57:04 -0700 (Sun, 17 Sep 2006)

Joachim Müller

#2
October 03, 2006, 04:31:50 AM
Please PM me the link

diverdan

#3
October 03, 2006, 08:15:50 AM
looks like this this code just needs some extra parentheses.

This is the sql from my " " search:

mysql> use photogallery;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> SELECT COUNT(*) FROM coppermine_pictures WHERE (title LIKE '%%' OR caption LIKE '%%' OR keywords LIKE '%%') OR (title LIKE '%%' OR caption LIKE '%%' OR keywords LIKE '%%') AND aid NOT IN (8,9,10,11,12,13,16,17,20,21,22,24,25,26,27,28,29,32,33,34,35,37,38);
+----------+
| COUNT(*) |
+----------+
|      985 |
+----------+
1 row in set (0.01 sec)

Too many results!
Here is the result when the OR's are wrapped in parentheses and then compared to AND.

mysql> SELECT COUNT(*) FROM coppermine_pictures WHERE ((title LIKE '%%' OR caption LIKE '%%' OR keywords LIKE '%%') OR (title LIKE '%%' OR caption LIKE '%%' OR keywords LIKE '%%')) AND (aid NOT IN (8,9,10,11,12,13,16,17,20,21,22,24,25,26,27,28,29,32,33,34,35,37,38));
+----------+
| COUNT(*) |
+----------+
|       87 |
+----------+
1 row in set (0.01 sec)

mysql>

Ah, the correct number.

Joachim Müller

#4
October 03, 2006, 11:12:36 AM
I tried accessing the site (using the link you PMed me as requested), but your gallery is currently offline. I will try to replicate the issue on my testbed.

Nibbler

#5
October 03, 2006, 02:14:27 PM
include/search.inc.php

Code Select
$sql .= implode($type, $sections);

That should be

Code Select
$sql .= '(' . implode($type, $sections) . ')';

:-[

diverdan

#6
October 03, 2006, 04:27:45 PM
Indeed, I took the gallery offline once I found the SQL but I just didn't have time to find the adjustment in the PHP.  Picked up the fix with an svn up.  Thanks to you both!
Print
Go Up Pages1
User actions