author | Roeland Jago Douma <rullzer@users.noreply.github.com> | 2019-03-28 10:57:18 +0300 |
committer | GitHub <noreply@github.com> | 2019-03-28 10:57:18 +0300 |
commit | 72259dd87bee1dd6d155d2c2f3594c3c9f2e85db (patch) | |
tree | 4dfed01590693c8860ddb06c93999b2d2fd31a05 | |
parent | 3bd22fa209eda800f8af37f490bb5b920f8cf91e (diff) | |
parent | 28ac757467e0665cb6c9de68c6c964aad908b342 (diff) |
Merge pull request #27 from nextcloud/more_escaping
Do more escaping
-rw-r--r-- | server/lib/UserManager.php | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/server/lib/UserManager.php b/server/lib/UserManager.php
index 3d1759e..3e19a8a 100644
--- a/server/lib/UserManager.php
+++ b/server/lib/UserManager.php
@@ -61,6 +61,13 @@ class UserManager {
 $this->authKey = $authKey;
 }
+ private function escapeWildcard(string $input): string {
+ //Escape %
+ $output = str_replace('%', '\%', $input);
+ $output = str_replace('_', '\_', $output);
+ return $output;
+ }
+
 public function search(Request $request, Response $response) {
 $params = $request->getQueryParams();
@@ -141,7 +148,7 @@ WHERE karma >= ' . $minKarma . '
 ORDER BY karma
 LIMIT ' . $limit);
- $search = $exactMatch ? $search : '%' . $search . '%';
+ $search = $exactMatch ? $search : $this->db->quote('%' . $this->escapeWildcard($search) . '%');
 $stmt->bindParam(':search', $search, \PDO::PARAM_STR);
 $stmt->execute();
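Review bot: escapeWildcard() does not escape the escape character itself, so a backslash in the input still defeats the escaping: the input `\%` becomes `\\%`, which LIKE reads as a literal backslash followed by an unescaped `%` wildcard. Escaping the backslash first closes that gap: `return str_replace(['\\', '%', '_'], ['\\\\', '\%', '\_'], $input);` (order matters, the backslash replacement must run before the other two). Whether `\` is the LIKE escape character at all depends on the database engine unless the query carries an explicit `ESCAPE '\'` clause; the prepared SQL is outside this hunk, so that cannot be confirmed here. The comment `//Escape %` describes only half of the method; a docblock such as `/** Escapes LIKE metacharacters (backslash, %, _) so the value matches literally inside a LIKE pattern. */` would be more accurate.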
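Review bot: Passing the pattern through `$this->db->quote()` on the changed line and then binding it with `bindParam(':search', ...)` two lines later wraps the bound value in literal quote characters, so the pattern the database sees is `'%foo%'` including the apostrophes and will not match as intended; a bound parameter needs no quoting, that is what the prepared statement is for. On drivers whose quote() also backslash-escapes, it would additionally double the `\` that escapeWildcard() just inserted, undoing the escaping. The line should read `$search = $exactMatch ? $search : '%' . $this->escapeWildcard($search) . '%';`. The exact-match branch still binds the raw value, which is only correct if that branch compares with `=` rather than LIKE; the SQL and the rest of search() lie outside the hunk, so that should be checked against the prepared query.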