Escape sql in contact.getquick api CRM-12765

1aba4d9a · colemanw · 40252892 · 1aba4d9a
Commit 1aba4d9a authored 11 years ago by colemanw
--- a/api/v3/Contact.php
+++ b/api/v3/Contact.php
@@ -540,7 +540,7 @@ function civicrm_api3_contact_quicksearch($params) {

 function civicrm_api3_contact_getquick($params) {
  civicrm_api3_verify_mandatory($params, NULL, array('name'));
-  $name = CRM_Utils_Array::value('name', $params);
+  $name = CRM_Utils_Type::escape($params['name'], 'String');

  // get the autocomplete options from settings
  $acpref = explode(CRM_Core_DAO::VALUE_SEPARATOR,
@@ -560,12 +560,13 @@ function civicrm_api3_contact_getquick($params) {
  }
  // If we are doing quicksearch by a field other than name, make sure that field is added to results
  if (!empty($params['field_name'])) {
+    $field_name = CRM_Utils_String::munge($params['field_name']);
    // Unique name contact_id = id
-    if ($params['field_name'] == 'contact_id') {
-      $params['field_name'] = 'id';
+    if ($field_name == 'contact_id') {
+      $field_name = 'id';
    }
    // phone_numeric should be phone
-    $searchField = str_replace('_numeric', '', $params['field_name']);
+    $searchField = str_replace('_numeric', '', $field_name);
    if(!in_array($searchField, $list)) {
      $list[] = $searchField;
    }
@@ -667,11 +668,11 @@ function civicrm_api3_contact_getquick($params) {

  //set default for current_employer or return contact with particular id
  if (CRM_Utils_Array::value('id', $params)) {
-    $where .= " AND cc.id = " .$params['id'];
+    $where .= " AND cc.id = " . (int) $params['id'];
  }

  if (CRM_Utils_Array::value('cid', $params)) {
-    $where .= " AND cc.id <> {$params['cid']}";
+    $where .= " AND cc.id <> " . (int) $params['cid'];
  }

  //contact's based of relationhip type
@@ -696,8 +697,7 @@ function civicrm_api3_contact_getquick($params) {

  //CRM-10687
  if (!empty($params['field_name']) && !empty($params['table_name'])) {
-    $field_name = $params['field_name'];
-    $table_name = $params['table_name'];
+    $table_name = CRM_Utils_String::munge($params['table_name']);
    $whereClause = " WHERE ( $table_name.$field_name LIKE '$strSearch')";
    $exactWhereClause = " WHERE ( $table_name.$field_name = '$name')";
    // Search by id should be exact