Fixes #3598 sanitizing the $name variable
authorCash Costello <cash.costello@gmail.com>
Wed, 22 Jun 2011 11:44:10 +0000 (07:44 -0400)
committerCash Costello <cash.costello@gmail.com>
Wed, 22 Jun 2011 11:44:10 +0000 (07:44 -0400)
mod/members/pages/members/search.php

index 39b54990e4cd908f581fdd2e4891e77a896e63d0..94127768a5bbaeb045a28461d023f71f17cd3d35 100644 (file)
@@ -19,16 +19,16 @@ if ($vars['search_type'] == 'tag') {
        $users = $results['entities'];
        $content = elgg_view_entity_list($users, $count, $offset, $limit, false, false, true);
 } else {
-       $name = get_input('name');
+       $name = sanitize_string(get_input('name'));
 
        $title = elgg_echo('members:title:searchname', array($name));
 
-       global $CONFIG;
+       $db_prefix = elgg_get_config('dbprefix');
        $params = array(
                'type' => 'user',
                'full_view' => false,
-               'joins' => array("join {$CONFIG->dbprefix}users_entity u on e.guid=u.guid"),
-               'wheres' => array("(u.name like \"%{$name}%\" or u.username like \"%{$name}%\")"),
+               'joins' => array("JOIN {$db_prefix}users_entity u ON e.guid=u.guid"),
+               'wheres' => array("(u.name LIKE \"%{$name}%\" OR u.username LIKE \"%{$name}%\")"),
        );
        $content .= elgg_list_entities($params);
 }
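Review bot: The sanitized value is now also what reaches the page title, because the new `$name` on the `sanitize_string(get_input('name'))` line feeds both `elgg_echo('members:title:searchname', array($name))` and the two `LIKE` clauses, so a search term containing a quote or backslash is displayed with the database escaping applied. Keep the raw input for display and derive the escaped copy only for the query, e.g. `$name = get_input('name');` for the title and `$db_name = sanitize_string($name);` interpolated into the `'wheres'` entry. Escaping the quotes also leaves `%` and `_` in the input acting as `LIKE` wildcards, so a bare `%` still matches every member; if that is unintended, `$db_name = sanitize_string(addcslashes($name, '%_'));` makes them literal — worth confirming against how `sanitize_string` treats backslashes. The enclosing `if`/`else` starts before this hunk.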