author | Roeland Jago Douma <roeland@famdouma.nl> | 2019-10-07 16:56:58 +0300 |
committer | Roeland Jago Douma <roeland@famdouma.nl> | 2019-10-07 16:56:58 +0300 |
commit | ba4b3844d27e7b567aff51d155f984e0686a794b (patch) | |
tree | 31d601d83f5bacb0af9c2bc828bd80e85045a0ac | |
parent | 3542a4c26e594fb8b4464ae1c1c0a5886142ccdc (diff) |
Do not quote parameters
* Make sure to not quote the parameters
* Use parameters for karma and limit as well
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
-rw-r--r-- | server/lib/UserManager.php | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/server/lib/UserManager.php b/server/lib/UserManager.php
index ced8dc7..93497c4 100644
--- a/server/lib/UserManager.php
+++ b/server/lib/UserManager.php
@@ -127,9 +127,8 @@ class UserManager {
 * @return array
 */
 private function performSearch($search, $exactMatch, $parameters, $minKarma) {
- $operator = $exactMatch ? ' = ' : ' LIKE ';
- $limit = $exactMatch ? ' 1 ' : ' 50 ';
+ $limit = $exactMatch ? 1 : 50;
 $constraint = '';
 if (!empty($parameters)) {
@@ -155,12 +154,15 @@ FROM (
 ) GROUP BY userId
 ) AS tmp
-WHERE karma >= ' . $minKarma . '
+WHERE karma >= :karma
 ORDER BY karma
-LIMIT ' . $limit);
+LIMIT :limit');
+
+ $stmt->bindParam(':karma', $minKarma, \PDO::PARAM_INT);
+ $stmt->bindParam(':limit', $limit, \PDO::PARAM_INT);
- $search = $exactMatch ? $search : $this->db->quote('%' . $this->escapeWildcard($search) . '%');
- $stmt->bindParam(':search', $search, \PDO::PARAM_STR);
+ $search = $exactMatch ? $search : '%' . $this->escapeWildcard($search) . '%';
+ $stmt->bindParam('search', $search, \PDO::PARAM_STR);
 // bind parameters
 foreach ($parameters as $parameter) {
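Review bot: The signature `private function performSearch($search, $exactMatch, $parameters, $minKarma)` stays untyped in this hunk even though the commit now passes `$minKarma` and `$limit` into the query as integer parameters, so a caller handing in a string or null for `$minKarma` is not caught at the function boundary. Declaring the types, `private function performSearch(string $search, bool $exactMatch, array $parameters, int $minKarma)`, would reject a non-numeric `$minKarma` with a TypeError before it reaches the statement; whether the file declares `strict_types` is not visible here, so numeric strings would still be coerced rather than rejected. The removed `$operator` line means the `=` versus `LIKE` choice must now live elsewhere, and that code is outside this hunk, as is the rest of the function body.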
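Review bot: `$stmt->bindParam(':karma', $minKarma, \PDO::PARAM_INT)` on the new side does not convert the value to an integer; with pdo_mysql's default emulated prepares, a `$minKarma` that arrives as a string is still inlined as a quoted string despite PARAM_INT, and in MySQL a non-numeric string compares as 0, which would turn the karma floor into a no-op if `$minKarma` can ever be non-integer. Binding a cast copy, `$stmt->bindValue(':karma', (int) $minKarma, \PDO::PARAM_INT);` and likewise `$stmt->bindValue(':limit', (int) $limit, \PDO::PARAM_INT);`, removes both that ambiguity and the by-reference semantics of `bindParam`, which reads the variable only at execute time. The placeholder name `'search'` on the last added line is also inconsistent with `':karma'` and `':limit'`; PDO tolerates the missing colon, but `':search'` is the consistent spelling. performSearch's body begins before this hunk and continues after it, so the `:search` placeholder's position in the query and the behaviour of `escapeWildcard()` relative to the LIKE escape character cannot be checked from here.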