authorRoeland Jago Douma <roeland@famdouma.nl>2019-10-07 16:56:58 +0300
committerRoeland Jago Douma <roeland@famdouma.nl>2019-10-07 16:56:58 +0300
commitba4b3844d27e7b567aff51d155f984e0686a794b (patch)
tree31d601d83f5bacb0af9c2bc828bd80e85045a0ac
parent3542a4c26e594fb8b4464ae1c1c0a5886142ccdc (diff)
Do not quote parameters
* Make sure not to quote the parameters * Use parameters for karma and limit as well Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
-rw-r--r--server/lib/UserManager.php14
1 files changed, 8 insertions, 6 deletions
diff --git a/server/lib/UserManager.php b/server/lib/UserManager.php
index ced8dc7..93497c4 100644
--- a/server/lib/UserManager.php
+++ b/server/lib/UserManager.php
@@ -127,9 +127,8 @@ class UserManager {
* @return array
*/
private function performSearch($search, $exactMatch, $parameters, $minKarma) {
-
$operator = $exactMatch ? ' = ' : ' LIKE ';
- $limit = $exactMatch ? ' 1 ' : ' 50 ';
+ $limit = $exactMatch ? 1 : 50;
$constraint = '';
if (!empty($parameters)) {
@@ -155,12 +154,15 @@ FROM (
)
GROUP BY userId
) AS tmp
-WHERE karma >= ' . $minKarma . '
+WHERE karma >= :karma
ORDER BY karma
-LIMIT ' . $limit);
+LIMIT :limit');
+
+ $stmt->bindParam(':karma', $minKarma, \PDO::PARAM_INT);
+ $stmt->bindParam(':limit', $limit, \PDO::PARAM_INT);
- $search = $exactMatch ? $search : $this->db->quote('%' . $this->escapeWildcard($search) . '%');
- $stmt->bindParam(':search', $search, \PDO::PARAM_STR);
+ $search = $exactMatch ? $search : '%' . $this->escapeWildcard($search) . '%';
+ $stmt->bindParam('search', $search, \PDO::PARAM_STR);
// bind parameters
foreach ($parameters as $parameter) {
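Review bot: The new `bindParam(':karma', $minKarma, \PDO::PARAM_INT)` on the line binding `:karma` does not validate or normalise the value; `PDO::PARAM_INT` is a hint, and whether a non-integer `$minKarma` is coerced to a number or sent as a quoted string depends on the driver and on whether prepares are emulated, so if `$minKarma` can arrive from request input as a string it should be cast first: `$minKarma = (int) $minKarma;` before the bind (or use `bindValue(':karma', (int) $minKarma, \PDO::PARAM_INT)`, since `bindParam` takes a reference and cannot receive a cast expression). `$limit` is safe as written because it is always the literal `1` or `50`. A smaller point of style: the search binding uses `'search'` while the other two use `':karma'` and `':limit'`; PDO appears to tolerate the missing colon, but `$stmt->bindParam(':search', $search, \PDO::PARAM_STR);` keeps the three bindings uniform and avoids relying on that leniency. performSearch begins and ends outside this hunk, so the `prepare()` call and the `execute()` that consumes these references are not visible here.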