Ander Goñi has released a Basque and Spanish translation for this plugin (check here: http://community.elgg.org/mod/plugins/read.php?guid=418391)
I'm reporting a SQL Injection bug for this plugin.
For the raw queries being run on index.php, there are no SQL injection prevention techniques being used.
To resolve this I have changed the raw queries to do:
WHERE a1.string LIKE '%" . sanitise_string($searchstring) . "%' AND a2.value_id=a1.id
sanitise_string() is the Elgg function, which you should reuse instead of doing your own custom addslashes() stuff.
I hope this is patched for the users who are not technically able to patch this themselves.
Regards,
Paul Dragoonis.
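The fix described in the report above, shown as an added example (not the plugin's own index.php): the LIKE clause built unsafely beside the escaped version, plus the LIKE-wildcard caveat that sanitise_string() alone does not cover. It assumes Elgg 1.x's sanitise_string(); the function names are hypothetical and the stand-in definition exists only so the file runs outside Elgg.

```php
<?php
// Added example, not the customsearch plugin's code. Assumes Elgg 1.x, where
// sanitise_string() escapes a value for use inside a raw MySQL string literal.
// Stand-in so this file runs outside Elgg; inside Elgg the real helper is used.
if (!function_exists('sanitise_string')) {
    function sanitise_string($string) {
        return addslashes(trim($string));
    }
}

// BEFORE: the search term is pasted straight into the query text. A quote in
// the term ends the string literal, so the rest of the term is parsed as SQL.
function customsearch_where_unsafe($searchstring) {
    return "WHERE a1.string LIKE '%" . $searchstring . "%' AND a2.value_id=a1.id";
}

// AFTER: the term is escaped with Elgg's own helper before it is embedded.
function customsearch_where_safe($searchstring) {
    // Caveat: sanitise_string() escapes quotes and backslashes, not the LIKE
    // wildcards % and _, so "%" alone would still match every title. Escape
    // them first (assumption: backslash is the LIKE escape character, which is
    // MySQL's default); sanitise_string() then doubles that backslash so the
    // literal reaching LIKE is \% or \_.
    $term = str_replace(array('%', '_'), array('\\%', '\\_'), $searchstring);
    return "WHERE a1.string LIKE '%" . sanitise_string($term) . "%' AND a2.value_id=a1.id";
}

// Constructed sample input: a title containing a quote and a wildcard character.
$sample = "O'Reilly 100%";
echo customsearch_where_unsafe($sample), "\n"; // quote left unescaped: broken query
echo customsearch_where_safe($sample), "\n";   // quote and wildcard escaped
```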
Hello,
I have installed the Market plugin, and I have the possibility to send messages with the title of a book as the message title. So I create a new post in this plugin, called, suppose, "Californication", and when I search for something in the search box the system displays every book named "Californication" and also users' messages with this title. Everyone can view others' messages. That's too bad. How can I delete this option?
This is my screenshot
http://img687.imageshack.us/img687/732/bug3g.jpg
@David Stawowy: Have you tried searching as a non-admin user? Can you still view other people's messages then?
Yes, I tried. But every user who sends a message to somebody has these messages displayed in the search results. When I'm logged in I see my own messages; when I'm not logged in I don't see these messages. How can I hide these messages?
@David Stawowy: you'll have to program a filter in the file /mod/customsearch/index.php from line 125 down.
$entity->getSubtype() != 'message'