From 6bc9b1f60b82eaf6267f6c708d4cf1408de13662 Mon Sep 17 00:00:00 2001
From: Francis Whittle
Date: Fri, 12 Oct 2018 16:36:14 +1100
Subject: [PATCH] CIVICRM-990: Quote fee levels for regular expression in Participant search.
---
 CRM/Event/BAO/Query.php | 4 +++-
 CRM/Event/Form/Search.php | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/CRM/Event/BAO/Query.php b/CRM/Event/BAO/Query.php
index 1f96e40b19..7d90935bc6 100644
--- a/CRM/Event/BAO/Query.php
+++ b/CRM/Event/BAO/Query.php
@@ -340,11 +340,13 @@ class CRM_Event_BAO_Query extends CRM_Core_BAO_Query {
 return;
 case 'participant_fee_id':
+ $val_regexp = [];
 foreach ($value as $k => &$val) {
 $val = CRM_Core_DAO::getFieldValue('CRM_Price_DAO_PriceFieldValue', $val, 'label');
+ $val_regexp[$k] = CRM_Core_DAO::escapeString(preg_quote(trim($val)));
 $val = CRM_Core_DAO::escapeString(trim($val));
 }
- $feeLabel = implode('|', $value);
+ $feeLabel = implode('|', $val_regexp);
 $query->_where[$grouping][] = "civicrm_participant.fee_level REGEXP '{$feeLabel}'";
 $query->_qill[$grouping][] = ts("Fee level") . " IN " . implode(', ', $value);
 $query->_tables['civicrm_participant'] = $query->_whereTables['civicrm_participant'] = 1;
diff --git a/CRM/Event/Form/Search.php b/CRM/Event/Form/Search.php
index c5b73d8140..a1421cbe3a 100644
--- a/CRM/Event/Form/Search.php
+++ b/CRM/Event/Form/Search.php
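Review bot: An id whose label lookup yields an empty string still adds an empty alternative to `implode('|', $val_regexp)`, and depending on the regex engine an empty branch either matches every non-null `fee_level` or is rejected as a syntax error, so one bad id can silently widen the search or break it. Whether `getFieldValue()` can return nothing for a submitted id is not visible in the hunk, so this is worth confirming; if it can, add `if (trim((string) $val) === '') { continue; }` before the new `$val_regexp[$k]` line and skip the `REGEXP` clause when `$val_regexp` ends up empty. Note also that `preg_quote()` escapes PCRE's metacharacter set while the pattern is evaluated by the database's `REGEXP` operator, so a short comment naming the server regex engines this was checked against would help. The same loop is added in CRM/Event/Form/Search.php, and the `case` body here continues outside the hunk.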
@@ -209,11 +209,13 @@ class CRM_Event_Form_Search extends CRM_Core_Form_Search {
 // CRM-15379
 if (!empty($this->_formValues['participant_fee_id'])) {
 $participant_fee_id = $this->_formValues['participant_fee_id'];
+ $val_regexp = [];
 foreach ($participant_fee_id as $k => &$val) {
 $val = CRM_Core_DAO::getFieldValue('CRM_Price_DAO_PriceFieldValue', $val, 'label');
+ $val_regexp[$k] = CRM_Core_DAO::escapeString(preg_quote(trim($val)));
 $val = CRM_Core_DAO::escapeString(trim($val));
 }
- $feeLabel = implode('|', $participant_fee_id);
+ $feeLabel = implode('|', $val_regexp);
 $seatClause[] = "( participant.fee_level REGEXP '{$feeLabel}' )";
 }
-- 2.25.1
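Review bot: After this change nothing visible in the hunk reads `$participant_fee_id` again, so the by-reference loop variable and the line `$val = CRM_Core_DAO::escapeString(trim($val));` look like leftovers here; if no later code in the method uses the array, iterate by value and drop that line, otherwise add `unset($val);` after the loop so the dangling reference cannot overwrite the last element. The order of calls on the new line is what keeps the SQL literal safe and deserves a comment, e.g. `// regex-quote first, SQL-escape last: the backslashes added by preg_quote() must survive the string literal`. The enclosing `if` closes inside the hunk, but the method begins and continues outside it.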