From f2368967649f142e8ac472c71477062ec44ea41b Mon Sep 17 00:00:00 2001
From: Michael Kaufmann
Date: Wed, 9 Mar 2022 14:10:44 +0100
Subject: [PATCH] use prepared statements for global-search
Signed-off-by: Michael Kaufmann
---
 lib/Froxlor/Ajax/Ajax.php | 9 ++++++---
 lib/Froxlor/Api/ApiCommand.php | 9 ++++++++-
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/lib/Froxlor/Ajax/Ajax.php b/lib/Froxlor/Ajax/Ajax.php
index 25c235a1..20204a34 100644
--- a/lib/Froxlor/Ajax/Ajax.php
+++ b/lib/Froxlor/Ajax/Ajax.php
@@ -417,10 +417,13 @@ class Ajax
 private function searchStringSql(array $searchfields, $searchtext)
 {
- $result = "(";
+ $result = ['sql' => [], 'values' => []];
+ $result['sql'] = "(";
 foreach ($searchfields as $sf) {
- $result .= $sf . " LIKE " . \Froxlor\Database\Database::quote('%' . $searchtext . '%') . " OR ";
+ $result['sql'] .= $sf . " LIKE :searchtext OR ";
 }
- return substr($result, 0, -3) . ")";
+ $result['sql'] = substr($result['sql'], 0, -3) . ")";
+ $result['values'] = ['searchtext' => '%' . $searchtext . '%'];
+ return $result;
 }
 }
diff --git a/lib/Froxlor/Api/ApiCommand.php b/lib/Froxlor/Api/ApiCommand.php
index b2b0b994..62f502ee 100644
--- a/lib/Froxlor/Api/ApiCommand.php
+++ b/lib/Froxlor/Api/ApiCommand.php
@@ -2,6 +2,8 @@
 namespace Froxlor\Api;
+use Exception;
+
 /**
 * This file is part of the Froxlor project.
 * Copyright (c) 2010 the Froxlor Team (see authors).
@@ -287,7 +289,12 @@ abstract class ApiCommand extends ApiParameter
 $first = true;
 foreach ($search as $field => $valoper) {
 if ($field == '_plainsql') {
- $condition .= $valoper;
+ if (isset($valoper['sql']) && isset($valoper['values']) && is_array($valoper['values'])) {
+ $condition .= $valoper['sql'];
+ foreach ($valoper['values'] as $var => $value) {
+ $query_fields[':' . $var] = $value;
+ }
+ }
 } else {
 $cleanfield = str_replace(".", "", $field);
 $sortfield = explode('.', $field);
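Review bot: The single named placeholder `:searchtext` is repeated once per entry of `$searchfields` in the generated SQL, and PDO only accepts reusing a named marker when prepared-statement emulation is on; with native prepares (`PDO::ATTR_EMULATE_PREPARES => false`) binding one parameter to several markers fails at execute time, so whether this works depends on how the Froxlor connection is configured, which is not visible here. A shape that works either way is one placeholder per field, e.g. `$result['sql'] .= $sf . " LIKE :searchtext" . $i . " OR ";` together with `$result['values']['searchtext' . $i] = '%' . $searchtext . '%';` inside the loop, with `$i` counting up. Independently, the field names in `$searchfields` are still concatenated into the SQL text, so the prepared statement only protects the value side; a docblock line such as `@param string[] $searchfields column names chosen in code, never taken from the request` would make that contract explicit for callers. The initialiser `$result = ['sql' => [], 'values' => []]` sets `sql` to an array only to overwrite it with a string on the next line; `$result = ['sql' => '(', 'values' => []];` says the same thing, and `@return array{sql: string, values: array<string, string>}` would document the new return shape the ApiCommand side now depends on.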
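Review bot: A `_plainsql` entry that is not an array carrying `sql` and `values` is now silently skipped, so a caller still passing the old plain-string form (or a malformed array) gets a query with that condition missing rather than an error; since the condition presumably narrows a listing, dropping it quietly would widen what the API returns. As this commit already adds `use Exception;` to the file, the guard could reject bad input instead, e.g. `} else { throw new Exception('_plainsql must be an array with sql and values keys'); }` after the `is_array` branch. The added loop writes `$query_fields`, which is declared and consumed outside the hunk, and the enclosing method starts and ends outside the hunk, so I could not check whether the `$first` flag is meant to be updated in the `_plainsql` branch as in the `else` path. The surrounding `$field == '_plainsql'` comparison is loose; `===` is the safer form for a string key.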