use prepared statements for global-search

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>

lib/Froxlor/Ajax/Ajax.php

@@ -417,10 +417,13 @@ class Ajax
 
 	private function searchStringSql(array $searchfields, $searchtext)
 	{
-		$result = "(";
+		$result = ['sql' => [], 'values' => []];
+		$result['sql'] = "(";
 		foreach ($searchfields as $sf) {
-			$result .= $sf . " LIKE " . \Froxlor\Database\Database::quote('%' . $searchtext . '%') . " OR ";
+			$result['sql'] .= $sf . " LIKE :searchtext OR ";
 		}
-		return substr($result, 0, -3) . ")";
+		$result['sql'] = substr($result['sql'], 0, -3) . ")";
+		$result['values'] = ['searchtext' => '%' . $searchtext . '%'];
+		return $result;
 	}
 }

lib/Froxlor/Api/ApiCommand.php

@@ -2,6 +2,8 @@
 
 namespace Froxlor\Api;
 
+use Exception;
+
 /**
  * This file is part of the Froxlor project.
  * Copyright (c) 2010 the Froxlor Team (see authors).
@@ -287,7 +289,12 @@ abstract class ApiCommand extends ApiParameter
 			$first = true;
 			foreach ($search as $field => $valoper) {
 				if ($field == '_plainsql') {
-					$condition .= $valoper;
+					if (isset($valoper['sql']) && isset($valoper['values']) && is_array($valoper['values'])) {
+						$condition .= $valoper['sql'];
+						foreach ($valoper['values'] as $var => $value) {
+							$query_fields[':' . $var] = $value;
+						}
+					}
 				} else {
 					$cleanfield = str_replace(".", "", $field);
 					$sortfield = explode('.', $field);