diff --git a/functions.inc.php b/functions.inc.php
index 6b71b43a..a323f8cd 100644
--- a/functions.inc.php
+++ b/functions.inc.php
@@ -500,7 +500,7 @@ function get_domain_properties($domain) {
 * @param string $querypart - core part of the query (starting at "FROM")
 * @return array
 */
-function create_page_browser($idxfield, $querypart) {
+function create_page_browser($idxfield, $querypart, $sql_params = []) {
 global $CONF;
 $page_size = (int) $CONF['page_size'];
 $label_len = 2;
@@ -514,7 +514,7 @@ function create_page_browser($idxfield, $querypart) {
 # get number of rows
 $query = "SELECT count(*) as counter FROM (SELECT $idxfield $querypart) AS tmp";
-$result = db_query_one($query);
+$result = db_query_one($query, $sql_params);
 if ($result && isset($result['counter'])) {
 $count_results = $result['counter'] -1; # we start counting at 0, not 1
 }
@@ -563,7 +563,7 @@ function create_page_browser($idxfield, $querypart) {
 # CREATE TEMPORARY SEQUENCE foo MINVALUE 0 MAXVALUE $page_size_zerobase CYCLE
 # afterwards: DROP SEQUENCE foo
-$result = db_query_all($query);
+$result = db_query_all($query, $sql_params);
 foreach ($result as $k => $row) {
 if (isset($result[$k + 1])) {
 $row2 = $result[$k + 1];
diff --git a/public/list-virtual.php b/public/list-virtual.php
index 45770f0a..32a164da 100644
--- a/public/list-virtual.php
+++ b/public/list-virtual.php
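Review bot: The new `$sql_params` parameter added to create_page_browser() in the hunk at line 500 is not described in the docblock directly above it, which still documents only `$querypart` and `@return array`; add `@param array $sql_params - values for the named placeholders used in $querypart, passed unchanged to db_query_one()/db_query_all() (default [])`. The same docblock should state that `$idxfield` and `$querypart` are still interpolated straight into the COUNT and paging queries, so only the placeholder values — never the SQL fragments themselves — may come from request input. The body of create_page_browser() continues past these hunks, and the opening lines of its docblock are above the first one.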
@@ -177,17 +177,21 @@ $sql_join = "";
 $sql_where = " WHERE ";
 $sql_order = " ORDER BY $table_mailbox.username ";
 $sql_limit = " LIMIT $page_size OFFSET $fDisplay";
+$sql_params = [];
 if (count($search) == 0 || !isset($search['_'])) {
-$sql_where .= " $table_mailbox.domain='$fDomain' ";
+$sql_where .= " $table_mailbox.domain= :domain ";
+$sql_params['domain'] = $fDomain;
 } else {
 $searchterm = escape_string($search['_']);
 $sql_where .= db_in_clause("$table_mailbox.domain", $list_domains) . " ";
-$sql_where .= " AND ( $table_mailbox.username LIKE '%$searchterm%' OR $table_mailbox.name LIKE '%$searchterm%' ";
+$sql_where .= " AND ( $table_mailbox.username LIKE :searchterm OR $table_mailbox.name LIKE :searchterm ";
+$sql_params['searchterm'] = "%$searchterm%";
+
 if ($display_mailbox_aliases) {
-$sql_where .= " OR $table_alias.goto LIKE '%$searchterm%' ";
+$sql_where .= " OR $table_alias.goto LIKE :searchterm ";
 }
-$sql_where .= " ) "; # $search is already escaped
+$sql_where .= " ) ";
 }
 if ($display_mailbox_aliases) {
 $sql_select .= ", $table_alias.goto ";
@@ -218,9 +222,10 @@ if (Config::bool('used_quotas') && (! Config::bool('new_quota_table'))) {
 }
 $mailbox_pagebrowser_query = "$sql_from\n$sql_join\n$sql_where\n$sql_order" ;
+
 $query = "$sql_select\n$mailbox_pagebrowser_query\n$sql_limit";
-$result = db_query_all($query);
+$result = db_query_all($query, $sql_params);
 $tMailbox = array();
@@ -249,7 +254,6 @@ foreach ($result as $row) {
 }
 }
 if (db_pgsql()) {
-// XXX
 $row['modified'] = date('Y-m-d H:i', strtotime($row['modified']));
 $row['created'] = date('Y-m-d H:i', strtotime($row['created']));
 $row['active']=('t'==$row['active']) ? 1 : 0;
@@ -275,6 +279,7 @@ $tDisplay_next = "";
 $tDisplay_next_show = "";
 $limit = get_domain_properties($fDomain);
+
 if (isset($limit)) {
 if ($fDisplay >= $page_size) {
 $tDisplay_back_show = 1;
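Review bot: In the hunk at line 177 the search value is still passed through `escape_string()` before it is bound as `:searchterm`, so if that helper adds SQL-quoting backslashes (as its name suggests — not visible here), a search for `O'Brien` is bound as `O\'Brien` and silently stops matching; once the value travels as a bound parameter the escaping call should go. The same named placeholder `:searchterm` is also used two or three times in one statement, and PDO only permits reusing a named marker when prepared-statement emulation is on, so unless db_query_all() rewrites placeholders itself this fails on native prepares (pgsql, or MySQL with emulation off) — one name per occurrence is the portable form. A user-supplied `%` or `_` is still interpreted as a LIKE wildcard, which is unchanged from before this commit and may be intended, but deserves a comment either way.
```php
} else {
    // bound as a parameter below: no escape_string(), it would leave literal backslashes in the match value
    $searchterm = '%' . $search['_'] . '%';
    $sql_where .= db_in_clause("$table_mailbox.domain", $list_domains) . " ";
    $sql_where .= " AND ( $table_mailbox.username LIKE :search_username OR $table_mailbox.name LIKE :search_name ";
    $sql_params['search_username'] = $searchterm;
    $sql_params['search_name'] = $searchterm;
    if ($display_mailbox_aliases) {
        $sql_where .= " OR $table_alias.goto LIKE :search_goto ";
        $sql_params['search_goto'] = $searchterm;
    }
    $sql_where .= " ) ";
}
// … unchanged: remainder of the hunk …
```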
@@ -447,7 +452,7 @@ class cNav_bar {
 $nav_bar_alias = new cNav_bar($PALANG['pOverview_alias_title'], $fDisplay, $CONF['page_size'], $pagebrowser_alias, $search);
 $nav_bar_alias->append_to_url = '&domain='.$fDomain;
-$pagebrowser_mailbox = create_page_browser("$table_mailbox.username", $mailbox_pagebrowser_query);
+$pagebrowser_mailbox = create_page_browser("$table_mailbox.username", $mailbox_pagebrowser_query, $sql_params);
 $nav_bar_mailbox = new cNav_bar($PALANG['pOverview_mailbox_title'], $fDisplay, $CONF['page_size'], $pagebrowser_mailbox, $search);
 $nav_bar_mailbox->append_to_url = '&domain='.$fDomain;