Index: lams_common/src/java/org/lamsfoundation/lams/lesson/dao/hibernate/LessonDAO.java
===================================================================
diff -u -rfba2480356aa5ddda0c8308eb917d72d16aa32eb -rff448aacbef534e7fb4b5a76fe497eee0e9439da
--- lams_common/src/java/org/lamsfoundation/lams/lesson/dao/hibernate/LessonDAO.java (.../LessonDAO.java) (revision fba2480356aa5ddda0c8308eb917d72d16aa32eb)
+++ lams_common/src/java/org/lamsfoundation/lams/lesson/dao/hibernate/LessonDAO.java (.../LessonDAO.java) (revision ff448aacbef534e7fb4b5a76fe497eee0e9439da)
@@ -28,6 +28,7 @@
 import java.util.List;
 import java.util.Map;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang.StringUtils;
 import org.hibernate.FetchMode;
 import org.hibernate.Query;
@@ -153,6 +154,7 @@
 if (!StringUtils.isBlank(searchPhrase)) {
 String[] tokens = searchPhrase.trim().split("\\s+");
 for (String token : tokens) {
+ token = StringEscapeUtils.escapeSql(token).replace("\\", "\\\\");
 queryTextBuilder.append(" AND (users.firstName LIKE '%").append(token)
 .append("%' OR users.lastName LIKE '%").append(token).append("%' OR users.login LIKE '%")
 .append(token).append("%')");
@@ -178,6 +180,7 @@
 if (!StringUtils.isBlank(searchPhrase)) {
 String[] tokens = searchPhrase.trim().split("\\s+");
 for (String token : tokens) {
+ token = StringEscapeUtils.escapeSql(token).replace("\\", "\\\\");
 queryTextBuilder.append(" AND (users.firstName LIKE '%").append(token)
 .append("%' OR users.lastName LIKE '%").append(token).append("%' OR users.login LIKE '%")
 .append(token).append("%')");
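Review bot: The added `token = StringEscapeUtils.escapeSql(token).replace("\\", "\\\\");` in the -153 hunk still splices user-controlled text straight into the query string, and the escaping it relies on is narrower than it looks: `escapeSql` only doubles single quotes (and has no counterpart in commons-lang3), the backslash doubling is only correct for a dialect that treats backslash as an escape character, and the LIKE wildcards `%` and `_` are left alone, so a token of `%` matches every row. The same line is repeated in the -178 and -334 hunks and in `addNameSearch` in UserDAO.java, so this applies to all four. The durable fix is to keep the value out of the query text altogether by binding each token as a named parameter, with the `%` wrapping applied to the bound value; the loop body below shows the shape. The `Query` that would receive the `setParameter` calls is created outside these hunks, as is the end of the for loop, so the binding itself cannot be shown here.
```java
	    int tokenIndex = 0;
	    for (String token : tokens) {
		String paramName = "token" + tokenIndex++;
		queryTextBuilder.append(" AND (users.firstName LIKE :").append(paramName)
			.append(" OR users.lastName LIKE :").append(paramName)
			.append(" OR users.login LIKE :").append(paramName).append(")");
		// … unchanged: rest of loop; bind where the Query is created (outside this hunk):
		//     query.setParameter(paramName, "%" + token + "%") …
```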
@@ -334,6 +337,7 @@
 queryTextBuilder.append(" WHERE");
 String[] tokens = searchPhrase.trim().split("\\s+");
 for (String token : tokens) {
+ token = StringEscapeUtils.escapeSql(token).replace("\\", "\\\\");
 queryTextBuilder.append(" (users.first_name LIKE '%").append(token)
 .append("%' OR users.last_name LIKE '%").append(token).append("%' OR users.login LIKE '%")
 .append(token).append("%') AND");
Index: lams_common/src/java/org/lamsfoundation/lams/usermanagement/dao/hibernate/UserDAO.java
===================================================================
diff -u -r353fe07604639c2166ed68fbf832810959f3f3cf -rff448aacbef534e7fb4b5a76fe497eee0e9439da
--- lams_common/src/java/org/lamsfoundation/lams/usermanagement/dao/hibernate/UserDAO.java (.../UserDAO.java) (revision 353fe07604639c2166ed68fbf832810959f3f3cf)
+++ lams_common/src/java/org/lamsfoundation/lams/usermanagement/dao/hibernate/UserDAO.java (.../UserDAO.java) (revision ff448aacbef534e7fb4b5a76fe497eee0e9439da)
@@ -19,25 +19,25 @@
 @SuppressWarnings("unchecked")
 @Override
 public List getAllUsersPaged(int page, int size, String sortBy, String sortOrder, String searchPhrase) {
-
+
 switch (sortBy) {
- case "userId":
- sortBy = "user.userId + 0 ";
- break;
- case "login":
- sortBy = "user.login ";
- break;
- case "firstName":
- sortBy = "user.firstName ";
- break;
- case "lastName":
- sortBy = "user.lastName ";
- break;
- case "email":
- sortBy = "user.email ";
- break;
+ case "userId":
+ sortBy = "user.userId + 0 ";
+ break;
+ case "login":
+ sortBy = "user.login ";
+ break;
+ case "firstName":
+ sortBy = "user.firstName ";
+ break;
+ case "lastName":
+ sortBy = "user.lastName ";
+ break;
+ case "email":
+ sortBy = "user.email ";
+ break;
 }
-
+
 StringBuilder queryBuilder = new StringBuilder(
 "SELECT user.userId, user.login, user.firstName, user.lastName, user.email FROM User user WHERE user.disabledFlag=0 ");
 // support for custom search from a toolbar
@@ -155,9 +155,9 @@
 private static void addNameSearch(StringBuilder queryBuilder, String entityName, String searchPhrase) {
 if (!StringUtils.isBlank(searchPhrase)) {
- String[] tokens = StringEscapeUtils.escapeSql(searchPhrase).trim().split("\\s+");
+ String[] tokens = searchPhrase.trim().split("\\s+");
 for (String token : tokens) {
- String escToken = StringEscapeUtils.escapeSql(token);
+ String escToken = StringEscapeUtils.escapeSql(token).replace("\\", "\\\\");
 queryBuilder.append(" AND (").append(entityName).append(".firstName LIKE '%").append(escToken)
 .append("%' OR ").append(entityName).append(".lastName LIKE '%").append(escToken)
 .append("%' OR ").append(entityName).append(".login LIKE '%").append(escToken).append("%' OR ")