From 6dd78f810e5925e1c6149d5671c16204dda887e6 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Thu, 28 Mar 2019 09:31:20 +0100
Subject: Properly bind keys to search

Signed-off-by: Roeland Jago Douma
---
 server/lib/UserManager.php | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/server/lib/UserManager.php b/server/lib/UserManager.php
index 3e19a8a..ced8dc7 100644
--- a/server/lib/UserManager.php
+++ b/server/lib/UserManager.php
@@ -130,8 +130,19 @@ class UserManager {
 $operator = $exactMatch ? ' = ' : ' LIKE ';
 $limit = $exactMatch ? ' 1 ' : ' 50 ';
 
- $constraint = empty($parameters) ? '' : ' AND k IN (\'' . implode( '\', \'', $parameters ) . '\') ';
+ $constraint = '';
+ if (!empty($parameters)) {
+ $constraint = 'AND (';
+ $c = count($parameters);
+ for ($i = 0; $i < $c; $i++) {
+ if ($i !== 0) {
+ $constraint .= ' OR ';
+ }
+ $constraint .= '(k = :key' . $i . ')';
+ }
+ $constraint .= ')';
+ }
 
 $stmt = $this->db->prepare('SELECT * FROM (
@@ -151,6 +162,12 @@ LIMIT ' . $limit);
 $search = $exactMatch ? $search : $this->db->quote('%' . $this->escapeWildcard($search) . '%');
 $stmt->bindParam(':search', $search, \PDO::PARAM_STR);
 
+ // bind parameters
+ foreach ($parameters as $parameter) {
+ $i = 0;
+ $stmt->bindParam(':key'.$i, $this->db->quote($parameter));
+ }
+
 $stmt->execute();
 
 /*
-- 
cgit v1.2.3
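Review bot: The rebuilt constraint begins with `'AND ('` whereas the string it replaces began with a leading space (`' AND k IN ...'`), so unless the SELECT text inside prepare() — which runs past the end of this hunk — already ends in whitespace where `$constraint` is spliced in, the generated SQL will have `AND` glued to the preceding token. Keeping the original spacing is the simplest fix: `$constraint = ' AND (';` and `$constraint .= ') ';`. Moving from an interpolated IN-list to `:key0 … :keyN-1` placeholders is the right direction, but it makes the binding side responsible for producing exactly that index sequence from the same array; a short comment such as `// one :keyN placeholder per entry, N = 0..count-1; bound below in the same order` would make that contract explicit. The enclosing search method starts before this hunk.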
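Review bot: `$i = 0;` sits inside the foreach, so every parameter is bound to `:key0` and `:key1` onward are never bound; with two or more parameters execute() fails on the unbound placeholders, and with exactly one it only works by accident. The bound value is also wrong for a prepared statement: `$this->db->quote()` returns the string wrapped in quote characters, so `k = :keyN` would compare against the value including literal quotes, and bindParam() binds by reference, which a function result cannot provide. Bind the raw value with bindValue and index it the way the placeholder loop does: `foreach (array_values($parameters) as $i => $parameter) {` / `    $stmt->bindValue(':key' . $i, $parameter, \PDO::PARAM_STR);` / `}`. The enclosing method starts before this hunk; the quote()-then-bind pattern on the existing `:search` context line looks like a pre-existing instance of the same double-quoting issue and is worth a follow-up.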