From 1aba4d9aca40b4ea7e1bd72599bdb17f36dfd2cc Mon Sep 17 00:00:00 2001
From: Coleman Watts <coleman@civicrm.org>
Date: Tue, 4 Jun 2013 11:13:43 -0700
Subject: [PATCH] Escape sql in contact.getquick api CRM-12765

---
 api/v3/Contact.php | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/api/v3/Contact.php b/api/v3/Contact.php
index b42f968bde..93050462b5 100644
--- a/api/v3/Contact.php
+++ b/api/v3/Contact.php
@@ -540,7 +540,7 @@ function civicrm_api3_contact_quicksearch($params) {
 
 function civicrm_api3_contact_getquick($params) {
   civicrm_api3_verify_mandatory($params, NULL, array('name'));
-  $name = CRM_Utils_Array::value('name', $params);
+  $name = CRM_Utils_Type::escape($params['name'], 'String');
 
   // get the autocomplete options from settings
   $acpref = explode(CRM_Core_DAO::VALUE_SEPARATOR,
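Review bot: Escaping `$name` at assignment on the new `CRM_Utils_Type::escape` line binds the variable to SQL context for the rest of the function, so any later non-SQL use of `$name` (a display string, a value handed to another API call) would carry the escaping; escaping at the point of interpolation keeps the raw value available to other consumers. Reading `$params['name']` directly instead of via `CRM_Utils_Array::value` is fine only because `civicrm_api3_verify_mandatory` on the line above guarantees the key is present, which is worth stating in a comment such as `// 'name' is mandatory (verified above); escaped here because it is interpolated into WHERE clauses below`. civicrm_api3_contact_getquick continues past this hunk.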
@@ -560,12 +560,13 @@ function civicrm_api3_contact_getquick($params) {
   }
   // If we are doing quicksearch by a field other than name, make sure that field is added to results
   if (!empty($params['field_name'])) {
+    $field_name = CRM_Utils_String::munge($params['field_name']);
     // Unique name contact_id = id
-    if ($params['field_name'] == 'contact_id') {
-      $params['field_name'] = 'id';
+    if ($field_name == 'contact_id') {
+      $field_name = 'id';
     }
     // phone_numeric should be phone
-    $searchField = str_replace('_numeric', '', $params['field_name']);
+    $searchField = str_replace('_numeric', '', $field_name);
     if(!in_array($searchField, $list)) {
       $list[] = $searchField;
     }
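Review bot: `CRM_Utils_String::munge` on the new `$field_name` line normalises the input into identifier-safe characters but does not confirm it names a real column, so an arbitrary munged value still reaches the interpolated `$table_name.$field_name` clause in the final hunk and surfaces as a database error rather than being rejected at the API boundary. Checking `$field_name` against the permitted search fields (the `$list` array built from the autocomplete settings) and throwing an API exception on a miss would fail fast with a clear message. The `$field_name` assigned here is also what the hunk at `@@ -696` now relies on, since that hunk drops its own assignment; both sites are guarded by the same `!empty($params['field_name'])` test, and a comment like `// $field_name is reused by the CRM-10687 clause below` would keep that coupling visible. The function body runs beyond this hunk.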
@@ -667,11 +668,11 @@ function civicrm_api3_contact_getquick($params) {
 
   //set default for current_employer or return contact with particular id
   if (CRM_Utils_Array::value('id', $params)) {
-    $where .= " AND cc.id = " .$params['id'];
+    $where .= " AND cc.id = " . (int) $params['id'];
   }
 
   if (CRM_Utils_Array::value('cid', $params)) {
-    $where .= " AND cc.id <> {$params['cid']}";
+    $where .= " AND cc.id <> " . (int) $params['cid'];
   }
 
   //contact's based of relationhip type
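Review bot: The `(int)` casts on the `cc.id =` and `cc.id <>` lines close the interpolation, but a non-numeric `id` or `cid` silently becomes `0` instead of being rejected, so a malformed request matches nothing (or excludes nothing) with no signal to the caller. `CRM_Utils_Type::escape($params['id'], 'Integer')`, the same helper the first hunk already uses with `'String'`, validates and throws on bad input; the same applies to `cid`. The surrounding `CRM_Utils_Array::value(...)` truthiness guards are unchanged and still skip a literal `0`. civicrm_api3_contact_getquick continues outside this hunk.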
@@ -696,8 +697,7 @@ function civicrm_api3_contact_getquick($params) {
 
   //CRM-10687
   if (!empty($params['field_name']) && !empty($params['table_name'])) {
-    $field_name = $params['field_name'];
-    $table_name = $params['table_name'];
+    $table_name = CRM_Utils_String::munge($params['table_name']);
     $whereClause = " WHERE ( $table_name.$field_name LIKE '$strSearch')";
     $exactWhereClause = " WHERE ( $table_name.$field_name = '$name')";
     // Search by id should be exact
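Review bot: `$table_name` is munged on the new line but, like `$field_name`, it is only character-normalised rather than checked against the tables this search is meant to touch, so the `$whereClause` and `$exactWhereClause` lines interpolate whatever identifier-shaped pair the caller supplies. An explicit allowlist of the contact-search tables compared with `in_array($table_name, $allowedTables, TRUE)` would make the boundary deliberate instead of incidental. `$field_name` here now comes from the assignment in the `@@ -560` hunk, guarded by the same `!empty($params['field_name'])` condition; a one-line comment, `// $field_name was munged when the search field list was built above`, would make that dependency visible to the next editor. `$strSearch` in the LIKE clause is built outside this hunk, so whether it is escaped and whether `%`/`_` wildcards in it are intended cannot be judged from here; the function continues past the hunk.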
-- 
GitLab