author | Roeland Jago Douma <rullzer@users.noreply.github.com> | 2019-10-07 21:12:44 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-10-07 21:12:44 +0300 |
commit | 9498af771972c68e20403858ba98cfff7a39ed1e (patch) | |
tree | 31d601d83f5bacb0af9c2bc828bd80e85045a0ac | |
parent | 3542a4c26e594fb8b4464ae1c1c0a5886142ccdc (diff) | |
parent | ba4b3844d27e7b567aff51d155f984e0686a794b (diff) |
Merge pull request #29 from nextcloud/fix/do_not_quote_parameters
Do not quote parameters
-rw-r--r-- | server/lib/UserManager.php | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/server/lib/UserManager.php b/server/lib/UserManager.php
index ced8dc7..93497c4 100644
--- a/server/lib/UserManager.php
+++ b/server/lib/UserManager.php
@@ -127,9 +127,8 @@ class UserManager {
 	 * @return array
 	 */
 	private function performSearch($search, $exactMatch, $parameters, $minKarma) {
-		$operator = $exactMatch ? ' = ' : ' LIKE ';
-		$limit = $exactMatch ? ' 1 ' : ' 50 ';
+		$limit = $exactMatch ? 1 : 50;
 
 		$constraint = '';
 		if (!empty($parameters)) {
@@ -155,12 +154,15 @@ FROM (
 	) GROUP BY userId
 ) AS tmp
-WHERE karma >= ' . $minKarma . '
+WHERE karma >= :karma
 ORDER BY karma
-LIMIT ' . $limit);
+LIMIT :limit');
+
+		$stmt->bindParam(':karma', $minKarma, \PDO::PARAM_INT);
+		$stmt->bindParam(':limit', $limit, \PDO::PARAM_INT);
 
-		$search = $exactMatch ? $search : $this->db->quote('%' . $this->escapeWildcard($search) . '%');
-		$stmt->bindParam(':search', $search, \PDO::PARAM_STR);
+		$search = $exactMatch ? $search : '%' . $this->escapeWildcard($search) . '%';
+		$stmt->bindParam('search', $search, \PDO::PARAM_STR);
 
 		// bind parameters
 		foreach ($parameters as $parameter) {
|
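Review bot: The placeholder name in the new `$stmt->bindParam('search', $search, \PDO::PARAM_STR);` drops the leading colon while the two binds added just above it use `':karma'` and `':limit'`, and the removed line bound it as `':search'`; PDO tolerates both spellings, but the inconsistency is easy to misread, so bind it as `$stmt->bindParam(':search', $search, \PDO::PARAM_STR);`. `$minKarma` is bound as `\PDO::PARAM_INT` although `performSearch` declares no parameter types; if the driver is using emulated prepares, a string-typed value would be quoted as a string rather than sent as an integer, so a `$minKarma = (int) $minKarma;` before the bind would pin the type the placeholder expects. The first hunk also removes `$operator`, but the query text between the two hunks is not visible here, so confirm it no longer interpolates that variable. The body of performSearch continues past the end of the second hunk.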