
github.com/nextcloud/lookup-server.git - Unnamed repository; edit this file 'description' to name the repository.
authorRoeland Jago Douma <rullzer@users.noreply.github.com>2019-03-28 11:34:24 +0300
committerGitHub <noreply@github.com>2019-03-28 11:34:24 +0300
commit73386151dc933022f8fa4a818952c736493bfc51 (patch)
treef55e1f318bd28da2f3464990ea974c93cb9404db
parent72259dd87bee1dd6d155d2c2f3594c3c9f2e85db (diff)
parent6dd78f810e5925e1c6149d5671c16204dda887e6 (diff)
Merge pull request #28 from nextcloud/enh/properly_bind_keys_to_searchv0.3.0
Properly bind keys to search
-rw-r--r--server/lib/UserManager.php19
1 files changed, 18 insertions, 1 deletions
diff --git a/server/lib/UserManager.php b/server/lib/UserManager.php
index 3e19a8a..ced8dc7 100644
--- a/server/lib/UserManager.php
+++ b/server/lib/UserManager.php
@@ -130,8 +130,19 @@ class UserManager {
$operator = $exactMatch ? ' = ' : ' LIKE ';
$limit = $exactMatch ? ' 1 ' : ' 50 ';
- $constraint = empty($parameters) ? '' : ' AND k IN (\'' . implode( '\', \'', $parameters ) . '\') ';
+ $constraint = '';
+ if (!empty($parameters)) {
+ $constraint = 'AND (';
+ $c = count($parameters);
+ for ($i = 0; $i < $c; $i++) {
+ if ($i !== 0) {
+ $constraint .= ' OR ';
+ }
+ $constraint .= '(k = :key' . $i . ')';
+ }
+ $constraint .= ')';
+ }
$stmt = $this->db->prepare('SELECT *
FROM (
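Review bot: The new `$constraint = 'AND (';` drops the leading space that the removed line had (`' AND k IN …'`), so the clause now depends on whitespace in the query text it is appended to, which lies outside this hunk; `$constraint = ' AND (';` would keep the old spacing. The placeholder names are built from the loop counter alone, and that is what keeps caller-supplied keys out of the SQL text. A short comment above the loop, such as `// only the index is interpolated; the key values are bound after prepare()`, would make that invariant explicit for the next editor.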
@@ -151,6 +162,12 @@ LIMIT ' . $limit);
$search = $exactMatch ? $search : $this->db->quote('%' . $this->escapeWildcard($search) . '%');
$stmt->bindParam(':search', $search, \PDO::PARAM_STR);
+ // bind parameters
+ foreach ($parameters as $parameter) {
+ $i = 0;
+ $stmt->bindParam(':key'.$i, $this->db->quote($parameter));
+ }
+
$stmt->execute();
/*
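Review bot: Inside the `foreach`, `$i = 0;` is reset on every pass and never incremented, so only `:key0` is ever bound; with two or more keys the `:key1 …` placeholders generated in the first hunk stay unbound and `execute()` is expected to fail. The value is also passed through `$this->db->quote()` before binding, which likely adds literal quote characters to data the statement already treats as a value, so `k` would be compared against the quoted string. In addition, `bindParam()` takes its argument by reference, which a function result is not. Binding the raw value by index addresses all three: `foreach (array_values($parameters) as $i => $parameter) { $stmt->bindValue(':key' . $i, $parameter, \PDO::PARAM_STR); }`. The enclosing method starts and ends outside this hunk.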