rooty/OwncloudContactsOfficial
1
0
Fork 0
mirror of https://github.com/owncloudarchive/contacts.git synced 2025-01-19 08:52:22 +01:00
Code Issues Releases Activity

Contacts: Properly prepare query and quote values. thx @eMerzh :)

Browse Source
This commit is contained in:
Thomas Tanghus 2013-03-25 21:34:18 +01:00
parent 6818a92038
commit 6e3e4d263b
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
lib/addressbookprovider.php
View File

@ -133,15 +133,18 @@ class AddressbookProvider implements \OCP\IAddressBook {
public function search($pattern, $searchProperties, $options) { public function search($pattern, $searchProperties, $options) {
$ids = array(); $ids = array();
$results = array(); $results = array();
$query = 'SELECT DISTINCT `contactid` FROM `' . self::PROPERTY_TABLE . '` WHERE 1 AND ('; $query = 'SELECT DISTINCT `contactid` FROM `' . self::PROPERTY_TABLE . '` WHERE (';
$params = array();
foreach($searchProperties as $property) { foreach($searchProperties as $property) {
$query .= '(`name` = "' . $property . '" AND `value` LIKE "%' . $pattern . '%") OR '; $params[] = $property;
$params[] = '%' . $pattern . '%';
$query .= '(`name` = ? AND `value` LIKE ?) OR ';
} }
$query = substr($query, 0, strlen($query) - 4); $query = substr($query, 0, strlen($query) - 4);
$query .= ')'; $query .= ')';
$stmt = \OCP\DB::prepare($query); $stmt = \OCP\DB::prepare($query);
$result = $stmt->execute(); $result = $stmt->execute($params);
if (\OC_DB::isError($result)) { if (\OC_DB::isError($result)) {
\OC_Log::write('contacts', __METHOD__ . 'DB error: ' . \OC_DB::getErrorMessage($result), \OC_Log::write('contacts', __METHOD__ . 'DB error: ' . \OC_DB::getErrorMessage($result),
\OCP\Util::ERROR); \OCP\Util::ERROR);