author | lpsolit%gmail.com <> | 2008-12-03 07:00:43 +0000 |
---|---|---|
committer | lpsolit%gmail.com <> | 2008-12-03 07:00:43 +0000 |
commit | 33429813a654f7a93a7be40b35e9fb7629d74dab (patch) | |
tree | 90414530e55ab4ea692c7d193f38f0e2c9f6653a /editusers.cgi | |
parent | Bug 467214: confirm-delete.html.tmpl should use 'quips' instead of 'votes' at... (diff) | |
Bug 463688: editusers.cgi no longer lets you search for users using regular expressions - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat r=xiaoou a=LpSolit
Diffstat (limited to 'editusers.cgi')
-rwxr-xr-x | editusers.cgi | 21 |
1 files changed, 13 insertions, 8 deletions
diff --git a/editusers.cgi b/editusers.cgi index 23adb6eb7..6dac96788 100755 --- a/editusers.cgi +++ b/editusers.cgi @@ -136,23 +136,28 @@ if ($action eq 'search') { } else { $expr = "profiles.login_name"; } + + if ($matchstr =~ /^(regexp|notregexp|exact)$/) { + $matchstr ||= '.'; + } + else { + $matchstr = '' unless defined $matchstr; + } + # We can trick_taint because we use the value in a SELECT only, + # using a placeholder. + trick_taint($matchstr); + if ($matchtype eq 'regexp') { - $query .= $dbh->sql_regexp($expr, '?'); - $matchstr = '.' unless $matchstr; + $query .= $dbh->sql_regexp($expr, '?', 0, $dbh->quote($matchstr)); } elsif ($matchtype eq 'notregexp') { - $query .= $dbh->sql_not_regexp($expr, '?'); - $matchstr = '.' unless $matchstr; + $query .= $dbh->sql_not_regexp($expr, '?', 0, $dbh->quote($matchstr)); } elsif ($matchtype eq 'exact') { $query .= $expr . ' = ?'; - $matchstr = '.' unless $matchstr; } else { # substr or unknown $query .= $dbh->sql_istrcmp($expr, '?', 'LIKE'); $matchstr = "%$matchstr%"; } $nextCondition = 'AND'; - # We can trick_taint because we use the value in a SELECT only, - # using a placeholder. - trick_taint($matchstr); push(@bindValues, $matchstr); } |
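Review bot: The added guard `if ($matchstr =~ /^(regexp|notregexp|exact)$/)` tests the search string, while every branch below it dispatches on `$matchtype`, so it looks like `$matchtype` was meant: `if ($matchtype =~ /^(regexp|notregexp|exact)$/) {`. As written, `$matchstr ||= '.'` can only run when the string is already one of those three words, so an empty string with match type `regexp`, `notregexp` or `exact` stays `''` where the removed lines defaulted it to `'.'`. The match also runs before the `defined` check in the `else` branch, so an undefined `$matchstr` reaches `=~` first. Separately, the moved comment justifies `trick_taint` by "a SELECT only, using a placeholder", but the detainted value is now also passed as `$dbh->quote($matchstr)` to `sql_regexp` and `sql_not_regexp`; what those do with the fourth argument is not visible here, so the comment should name that second use and say that it relies on `quote()`. The enclosing `if ($action eq 'search')` block begins and ends outside the hunk.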