Open-AudIT
https://www.open-audit.org/phpBB3/

search.php bug
https://www.open-audit.org/phpBB3/viewtopic.php?f=8&t=1615
Page 1 of 1

Author:  francisg [ Wed Oct 25, 2006 9:10 pm ]
Post subject:  search.php bug

if the search query returns an empty value, search.php will display an error on line 168
due to
[code]
sort($result_set);
[/code]

before

[code]
$count = count ($result_set);
for ($i=0; $i<$count; $i++){
[/code]

this is obviously easy to fix BUT the bug i do want to ask about is regarding IP address search.php queries.

i have a machine that has the ip address 172.16.10.1 and if I search for that address it returns no results. after reading the code and checking openaudit.system for net_ip_address field, i see this:

[code]
mysql> select net_ip_address from system;
+-----------------+
| net_ip_address |
+-----------------+
| 172.016.010.001 |
+-----------------+
1 rows in set (0.00 sec)

mysql>
[/code]

so i went and read search.php and i see that since searching correctly for an IP address would require some transformation (using the function in include_functions.php called ip_trans_to() ), and as we see the 'search' sql query, it uses $search... so we cannot transform the input because we don't know first hand the nature of the query...

[code]
$sql .= "net_ip_address LIKE '%$search%' OR ";
[/code]

is search.php going to be redesign ? any design ideas or requirements? i need this functionality now so I'm going to implement my own search.php version... (search.php with an 'advanced' search option)

Page 1 of 1 All times are UTC + 10 hours
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/