From 49853b53578ea3254543020e553b29a7a33ab0af Mon Sep 17 00:00:00 2001
From: Cash Costello
Date: Wed, 22 Jun 2011 07:44:10 -0400
Subject: Fixes #3598 sanitizing the $name variable

---
 mod/members/pages/members/search.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/mod/members/pages/members/search.php b/mod/members/pages/members/search.php
index 39b54990e..94127768a 100644
--- a/mod/members/pages/members/search.php
+++ b/mod/members/pages/members/search.php
@@ -19,16 +19,16 @@ if ($vars['search_type'] == 'tag') {
 $users = $results['entities'];
 $content = elgg_view_entity_list($users, $count, $offset, $limit, false, false, true);
 } else {
- $name = get_input('name');
+ $name = sanitize_string(get_input('name'));
 $title = elgg_echo('members:title:searchname', array($name));
- global $CONFIG;
+ $db_prefix = elgg_get_config('dbprefix');
 $params = array(
 'type' => 'user',
 'full_view' => false,
- 'joins' => array("join {$CONFIG->dbprefix}users_entity u on e.guid=u.guid"),
- 'wheres' => array("(u.name like \"%{$name}%\" or u.username like \"%{$name}%\")"),
+ 'joins' => array("JOIN {$db_prefix}users_entity u ON e.guid=u.guid"),
+ 'wheres' => array("(u.name LIKE \"%{$name}%\" OR u.username LIKE \"%{$name}%\")"),
 );
 $content .= elgg_list_entities($params);
 }
--
cgit v1.2.3
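Review bot: The SQL-escaped value is now reused in two contexts: `sanitize_string()` escapes `$name` for a MySQL string literal, but the same escaped string is then passed to `elgg_echo('members:title:searchname', ...)`, so a user searching for `O'Brien` presumably gets a title containing `O\'Brien` wherever `$title` is rendered (outside this hunk). The escaping also does not cover the LIKE metacharacters, so a request with `name=%` or `name=_` still matches every user rather than a literal character, which lets an unauthenticated caller enumerate the member list with a single wildcard. I would keep `$name = get_input('name');` as the raw value for the title, build the pattern separately with `$name_like = sanitize_string(addcslashes($name, '\\%_'));`, and use `{$name_like}` in place of `{$name}` in the `wheres` line so wildcards and backslashes reach MySQL as literals. Note also that an empty `name` yields `LIKE "%%"` and lists everyone; that behaviour predates this commit but is worth an explicit check. The enclosing `if`/`else` begins before this hunk, as the `@@` header shows.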