From 6e3e4d263b92f898d714596ab531dbe0381623d8 Mon Sep 17 00:00:00 2001
From: Thomas Tanghus
Date: Mon, 25 Mar 2013 21:34:18 +0100
Subject: [PATCH] Contacts: Properly prepare query and quote values. thx @eMerzh :)
---
lib/addressbookprovider.php | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/lib/addressbookprovider.php b/lib/addressbookprovider.php
index b6af6f9d..dd872e9d 100644
--- a/lib/addressbookprovider.php
+++ b/lib/addressbookprovider.php
@@ -133,15 +133,18 @@ class AddressbookProvider implements \OCP\IAddressBook {
 public function search($pattern, $searchProperties, $options) {
 $ids = array();
 $results = array();
- $query = 'SELECT DISTINCT `contactid` FROM `' . self::PROPERTY_TABLE . '` WHERE 1 AND (';
+ $query = 'SELECT DISTINCT `contactid` FROM `' . self::PROPERTY_TABLE . '` WHERE (';
+ $params = array();
 foreach($searchProperties as $property) {
- $query .= '(`name` = "' . $property . '" AND `value` LIKE "%' . $pattern . '%") OR ';
+ $params[] = $property;
+ $params[] = '%' . $pattern . '%';
+ $query .= '(`name` = ? AND `value` LIKE ?) OR ';
 }
 $query = substr($query, 0, strlen($query) - 4);
 $query .= ')';
 $stmt = \OCP\DB::prepare($query);
- $result = $stmt->execute();
+ $result = $stmt->execute($params);
 if (\OC_DB::isError($result)) {
 \OC_Log::write('contacts', __METHOD__ . 'DB error: ' . \OC_DB::getErrorMessage($result), \OCP\Util::ERROR);