authorCash Costello <cash.costello@gmail.com>2011-06-22 07:44:10 -0400
committerCash Costello <cash.costello@gmail.com>2011-06-22 07:44:10 -0400
commit49853b53578ea3254543020e553b29a7a33ab0af (patch)
tree3800354f06769f4ace60b185c869fa5d25adb31b /mod/members
parent02d0d33657421e9ce6a03168fe1c96ce143e374c (diff)
Fixes #3598 sanitizing the $name variable
Diffstat (limited to 'mod/members')
-rw-r--r--mod/members/pages/members/search.php8
1 files changed, 4 insertions, 4 deletions
diff --git a/mod/members/pages/members/search.php b/mod/members/pages/members/search.php
index 39b54990e..94127768a 100644
--- a/mod/members/pages/members/search.php
+++ b/mod/members/pages/members/search.php
@@ -19,16 +19,16 @@ if ($vars['search_type'] == 'tag') {
$users = $results['entities'];
$content = elgg_view_entity_list($users, $count, $offset, $limit, false, false, true);
} else {
- $name = get_input('name');
+ $name = sanitize_string(get_input('name'));
$title = elgg_echo('members:title:searchname', array($name));
- global $CONFIG;
+ $db_prefix = elgg_get_config('dbprefix');
$params = array(
'type' => 'user',
'full_view' => false,
- 'joins' => array("join {$CONFIG->dbprefix}users_entity u on e.guid=u.guid"),
- 'wheres' => array("(u.name like \"%{$name}%\" or u.username like \"%{$name}%\")"),
+ 'joins' => array("JOIN {$db_prefix}users_entity u ON e.guid=u.guid"),
+ 'wheres' => array("(u.name LIKE \"%{$name}%\" OR u.username LIKE \"%{$name}%\")"),
);
$content .= elgg_list_entities($params);
}
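Review bot: The value escaped on the `$name = sanitize_string(get_input('name'));` line is also the value passed to elgg_echo() on the next line, so a search term containing a quote or backslash is rendered in the page title in its SQL-escaped form (backslashes visible) rather than as the user typed it. Keep the raw input for the title and escape only the copy that reaches the query: `$name = get_input('name');` for the title, then `$db_name = sanitize_string($name);` and use `{$db_name}` in both LIKE clauses on the `'wheres' =>` line. A second, separate point: sanitize_string() escapes quotes for the string literal but does not escape the LIKE metacharacters `%` and `_`, so those characters in user input still act as wildcards; if literal matching is intended, add `addcslashes($db_name, '%_')` before interpolation, and either way a short comment on the `'wheres'` line stating that the value is SQL-escaped only (not HTML-escaped) would help the next reader. The enclosing `if ($vars['search_type'] == 'tag')` block begins before this hunk.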