pax/booru-viewer
1
0
Fork 0
Code Issues Releases 18 Activity

db: escape LIKE wildcards in search_library_meta

Browse Source 
Same fix as audit #5 applied to get_bookmarks (lines 490-499) but
missed here. Without ESCAPE, searching 'cat_ear' also matches
'catxear' because _ is a SQL LIKE wildcard that matches any single
character.
This commit is contained in:
pax 2026-04-11 19:28:59 -05:00
parent 37f89c0bf8
commit b28cc0d104
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
booru_viewer/core/db.py
View File

@ -767,9 +767,14 @@ class Database:
def search_library_meta(self, query: str) -> set[int]: def search_library_meta(self, query: str) -> set[int]:
"""Search library metadata by tags. Returns matching post IDs.""" """Search library metadata by tags. Returns matching post IDs."""
escaped = (
query.replace("\\", "\\\\")
.replace("%", "\\%")
.replace("_", "\\_")
)
rows = self.conn.execute( rows = self.conn.execute(
"SELECT post_id FROM library_meta WHERE tags LIKE ?", "SELECT post_id FROM library_meta WHERE tags LIKE ? ESCAPE '\\'",
(f"%{query}%",), (f"%{escaped}%",),
).fetchall() ).fetchall()
return {r["post_id"] for r in rows} return {r["post_id"] for r in rows}