Diffstat (limited to 'Bugzilla/User.pm')
-rw-r--r-- | Bugzilla/User.pm | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/Bugzilla/User.pm b/Bugzilla/User.pm
index ff3d38721..0c2de0f4c 100644
--- a/Bugzilla/User.pm
+++ b/Bugzilla/User.pm
@@ -84,7 +84,8 @@ sub new {
 # in the id its already had to validate (or the User.pm object, of course)
 sub new_from_login {
     my $invocant = shift;
-    return $invocant->_create("login_name=?", @_);
+    my $dbh = Bugzilla->dbh;
+    return $invocant->_create($dbh->sql_istrcmp('login_name', '?'), @_);
 }
 
 # Internal helper for the above |new| methods
@@ -631,14 +632,15 @@ sub match {
     # Build the query.
     my $sqlstr = &::SqlQuote($wildstr);
-    my $query = "SELECT DISTINCT userid, realname, login_name, " .
+    my $query = "SELECT DISTINCT userid, realname, login_name, " .
                 "LENGTH(login_name) AS namelength " .
                 "FROM profiles ";
     if (&::Param('usevisibilitygroups')) {
         $query .= ", user_group_map ";
     }
-    $query .= "WHERE (login_name LIKE $sqlstr " .
-              "OR realname LIKE $sqlstr) ";
+    $query .= "WHERE ("
+        . $dbh->sql_istrcmp('login_name', $sqlstr, "LIKE") . " OR " .
+        $dbh->sql_istrcmp('realname', $sqlstr, "LIKE") . ") ";
     if (&::Param('usevisibilitygroups')) {
         $query .= "AND user_group_map.user_id = userid " .
                   "AND isbless = 0 " .
@@ -664,7 +666,7 @@ sub match {
     my $sqlstr = &::SqlQuote($str);
     my $query = "SELECT userid, realname, login_name " .
                 "FROM profiles " .
-                "WHERE login_name = $sqlstr ";
+                "WHERE " . $dbh->sql_istrcmp('login_name', $sqlstr);
 
     # Exact matches don't care if a user is disabled.
     &::PushGlobalSQLState();
@@ -1213,8 +1215,9 @@ sub login_to_id ($) {
     my $dbh = Bugzilla->dbh;
     # $login will only be used by the following SELECT statement, so it's safe.
     trick_taint($login);
-    my $user_id = $dbh->selectrow_array(
-        "SELECT userid FROM profiles WHERE login_name = ?", undef, $login);
+    my $user_id = $dbh->selectrow_array("SELECT userid FROM profiles WHERE " .
+                                        $dbh->sql_istrcmp('login_name', '?'),
+                                        undef, $login);
     if ($user_id) {
         return $user_id;
     } else {
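Review bot: The lookup in new_from_login is now case-insensitive through sql_istrcmp, so two existing profiles rows whose login_name differs only in case would both satisfy the predicate, and _create (outside this hunk) would receive whichever row the database returns first; the selectrow_array call in login_to_id in the last hunk has the same property, since it silently takes the first row. Whether that is safe depends on profiles.login_name being unique ignoring case, which nothing in this diff establishes, so either that constraint should be confirmed or the callers should detect multiple matches. At minimum I would record the assumption next to the new line: `# Logins are compared case-insensitively; assumes profiles.login_name is unique ignoring case.`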
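Review bot: The new WHERE clause in match mixes a leading `.` on its first continuation line with trailing `.` operators on the next, which is inconsistent with the rest of the query assembly in this sub and makes the expression hard to scan. I would write it as `$query .= "WHERE (" . $dbh->sql_istrcmp('login_name', $sqlstr, "LIKE") . " OR " .` followed by `$dbh->sql_istrcmp('realname', $sqlstr, "LIKE") . ") ";` so every operator trails. Also, `$dbh` is used here and in the `@@ -664` hunk without a visible declaration; it is presumably declared earlier in match, outside the hunk, but the removed lines did not need it, so it is worth confirming it is in scope for both call sites. The first removed/added `my $query` pair appears to differ only in whitespace.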
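Review bot: The context comment `# Exact matches don't care if a user is disabled.` directly below the changed line in the `@@ -664` hunk now sits under a case-insensitive comparison, so "exact" no longer describes what the query does. I would reword it to `# Exact (case-insensitive) matches don't care if a user is disabled.` so the next reader does not assume a byte-for-byte login comparison. The body of match continues outside the hunk.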