Create a new function da_sql_limit() and use that to pass LIMIT arguments to the...

[freeradius.git] / dialup_admin / lib / sql / find.php3

diff --git a/dialup_admin/lib/sql/find.php3 b/dialup_admin/lib/sql/find.php3
index f3b0c94..04bb354 100644 (file)
--- a/dialup_admin/lib/sql/find.php3
+++ b/dialup_admin/lib/sql/find.php3
@@ -6,13 +6,21 @@ else{
        exit();
 }
 
+unset($found_users);
+
 $link = @da_sql_pconnect($config);
 if ($link){
-       if (($search_IN == 'name' || $search_IN == 'ou') && $config[sql_use_user_info_table] == 'true'){
-               $attr = ($search_IN == 'name') ? 'name' : 'department';
+       $search = da_sql_escape_string($search);
+       if (!is_numeric($max_results))
+               $max_results = 10;
+       if ($max_results > 500)
+               $max_results = 10;
+       if (($search_IN == 'name' || $search_IN == 'department' || $search_IN == 'username') && 
+                       $config[sql_use_user_info_table] == 'true'){
                $res = @da_sql_query($link,$config,
-               "SELECT username FROM $config[sql_user_info_table] WHERE
-               lower($attr) LIKE '%$search%' LIMIT $max_results;");
+               "SELECT da_sql_limit($max_results,0,$config) username FROM $config[sql_user_info_table] WHERE
+               lower($search_IN) LIKE '%$search%'
+               da_sql_limit($max_results,1,$config) da_sql_limit($max_results,2,$config);");
                if ($res){
                        while(($row = @da_sql_fetch_array($res,$config)))
                                $found_users[] = $row[username];
@@ -28,8 +36,10 @@ if ($link){
                }
                $table = ($attr_type[$radius_attr] == 'checkItem') ? $config[sql_check_table] : $config[sql_reply_table];
                $attr = $attrmap[$radius_attr];
+               $attr = da_sql_escape_string($attr);
                $res = @da_sql_query($link,$config,
-               "SELECT username FROM $table WHERE attribute = '$attr' AND value LIKE '%$search%' LIMIT $max_results;");
+               "SELECT da_sql_limit($max_results,0,$config) username FROM $table WHERE attribute = '$attr'
+               AND value LIKE '%$search%' da_sql_limit($max_results,1,$config) da_sql_limit($max_results,2,$config);");
                if ($res){
                        while(($row = @da_sql_fetch_array($res,$config)))
                                $found_users[] = $row[username];