wbrawner/server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Escape like parameters in database user backend

Browse source 
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
This commit is contained in:
Lukas Reschke 2017-03-15 22:46:40 +01:00
parent 93c9a06761
commit 085891a15d
No known key found for this signature in database
GPG key ID: B9F6980CF6E759B1
1 changed files with 7 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
lib/private/User/Database.php
View file

@ -68,6 +68,9 @@ class Database extends Backend implements IUserBackend {
/** @var EventDispatcher */ /** @var EventDispatcher */
private $eventDispatcher; private $eventDispatcher;
/** @var \OCP\IDBConnection */
private $connection;
/** /**
* \OC\User\Database constructor. * \OC\User\Database constructor.
* *
@ -76,6 +79,7 @@ class Database extends Backend implements IUserBackend {
public function __construct($eventDispatcher = null) { public function __construct($eventDispatcher = null) {
$this->cache = new CappedMemoryCache(); $this->cache = new CappedMemoryCache();
$this->eventDispatcher = $eventDispatcher ? $eventDispatcher : \OC::$server->getEventDispatcher(); $this->eventDispatcher = $eventDispatcher ? $eventDispatcher : \OC::$server->getEventDispatcher();
$this->connection = \OC::$server->getDatabaseConnection();
} }
/** /**
@ -185,8 +189,8 @@ class Database extends Backend implements IUserBackend {
$parameters = []; $parameters = [];
$searchLike = ''; $searchLike = '';
if ($search !== '') { if ($search !== '') {
$parameters[] = '%' . $search . '%'; $parameters[] = '%' . $this->connection->escapeLikeParameter($search) . '%';
$parameters[] = '%' . $search . '%'; $parameters[] = '%' . $this->connection->escapeLikeParameter($search) . '%';
$searchLike = ' WHERE LOWER(`displayname`) LIKE LOWER(?) OR ' $searchLike = ' WHERE LOWER(`displayname`) LIKE LOWER(?) OR '
. 'LOWER(`uid`) LIKE LOWER(?)'; . 'LOWER(`uid`) LIKE LOWER(?)';
} }
@ -275,7 +279,7 @@ class Database extends Backend implements IUserBackend {
$parameters = []; $parameters = [];
$searchLike = ''; $searchLike = '';
if ($search !== '') { if ($search !== '') {
$parameters[] = '%' . $search . '%'; $parameters[] = '%' . $this->connection->escapeLikeParameter($search) . '%';
$searchLike = ' WHERE LOWER(`uid`) LIKE LOWER(?)'; $searchLike = ' WHERE LOWER(`uid`) LIKE LOWER(?)';
} }