Index: lams_common/src/java/org/lamsfoundation/lams/lesson/dao/hibernate/LessonDAO.java
===================================================================
RCS file: /usr/local/cvsroot/lams_common/src/java/org/lamsfoundation/lams/lesson/dao/hibernate/LessonDAO.java,v
diff -u -r1.39.2.14 -r1.39.2.15
--- lams_common/src/java/org/lamsfoundation/lams/lesson/dao/hibernate/LessonDAO.java 22 Sep 2016 10:17:02 -0000 1.39.2.14
+++ lams_common/src/java/org/lamsfoundation/lams/lesson/dao/hibernate/LessonDAO.java 11 Nov 2016 08:48:13 -0000 1.39.2.15
@@ -28,6 +28,7 @@
 import java.util.List;
 import java.util.Map;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang.StringUtils;
 import org.hibernate.FetchMode;
 import org.hibernate.Query;
@@ -153,6 +154,7 @@
 if (!StringUtils.isBlank(searchPhrase)) {
 String[] tokens = searchPhrase.trim().split("\\s+");
 for (String token : tokens) {
+token = StringEscapeUtils.escapeSql(token).replace("\\", "\\\\");
 queryTextBuilder.append(" AND (users.firstName LIKE '%").append(token)
 .append("%' OR users.lastName LIKE '%").append(token).append("%' OR users.login LIKE '%")
 .append(token).append("%')");
@@ -178,6 +180,7 @@
 if (!StringUtils.isBlank(searchPhrase)) {
 String[] tokens = searchPhrase.trim().split("\\s+");
 for (String token : tokens) {
+token = StringEscapeUtils.escapeSql(token).replace("\\", "\\\\");
 queryTextBuilder.append(" AND (users.firstName LIKE '%").append(token)
 .append("%' OR users.lastName LIKE '%").append(token).append("%' OR users.login LIKE '%")
 .append(token).append("%')");
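Review bot: The added escaping line still leaves the search token inside a string-concatenated LIKE literal; `StringEscapeUtils.escapeSql` only doubles single quotes and the extra `replace("\\", "\\\\")` covers the backslash, but the LIKE wildcards `%` and `_` in a user-supplied token pass through untouched, so a token consisting of `%` effectively matches every row instead of a literal character. Since `org.hibernate.Query` is already imported, binding each token as a named parameter (`LIKE :token0` in the text, then `setParameter("token0", "%" + token + "%")` where the Query is created, outside this hunk) would remove the need for hand escaping altogether. The same line is duplicated in the hunks at -178 and -334 and, as `escToken`, in UserDAO.addNameSearch; if the concatenation stays, one shared helper such as `private static String escapeLikeToken(String token) { return StringEscapeUtils.escapeSql(token).replace("\\", "\\\\"); }` with a comment on why the backslash is doubled would keep the four copies from drifting. The enclosing methods start before and end after these hunks.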
@@ -334,6 +337,7 @@
 queryTextBuilder.append(" WHERE");
 String[] tokens = searchPhrase.trim().split("\\s+");
 for (String token : tokens) {
+token = StringEscapeUtils.escapeSql(token).replace("\\", "\\\\");
 queryTextBuilder.append(" (users.first_name LIKE '%").append(token)
 .append("%' OR users.last_name LIKE '%").append(token).append("%' OR users.login LIKE '%")
 .append(token).append("%') AND");
Index: lams_common/src/java/org/lamsfoundation/lams/usermanagement/dao/hibernate/UserDAO.java
===================================================================
RCS file: /usr/local/cvsroot/lams_common/src/java/org/lamsfoundation/lams/usermanagement/dao/hibernate/UserDAO.java,v
diff -u -r1.8.2.6 -r1.8.2.7
--- lams_common/src/java/org/lamsfoundation/lams/usermanagement/dao/hibernate/UserDAO.java 27 Oct 2016 16:00:52 -0000 1.8.2.6
+++ lams_common/src/java/org/lamsfoundation/lams/usermanagement/dao/hibernate/UserDAO.java 11 Nov 2016 08:48:13 -0000 1.8.2.7
@@ -19,25 +19,25 @@
 @SuppressWarnings("unchecked")
 @Override
 public List getAllUsersPaged(int page, int size, String sortBy, String sortOrder, String searchPhrase) {
-
+
 switch (sortBy) {
-case "userId":
-sortBy = "user.userId + 0 ";
-break;
-case "login":
-sortBy = "user.login ";
-break;
-case "firstName":
-sortBy = "user.firstName ";
-break;
-case "lastName":
-sortBy = "user.lastName ";
-break;
-case "email":
-sortBy = "user.email ";
-break;
+case "userId":
+sortBy = "user.userId + 0 ";
+break;
+case "login":
+sortBy = "user.login ";
+break;
+case "firstName":
+sortBy = "user.firstName ";
+break;
+case "lastName":
+sortBy = "user.lastName ";
+break;
+case "email":
+sortBy = "user.email ";
+break;
 }
-
+
 StringBuilder queryBuilder = new StringBuilder(
 "SELECT user.userId, user.login, user.firstName, user.lastName, user.email FROM User user WHERE user.disabledFlag=0 ");
 // support for custom search from a toolbar
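Review bot: The doubled backslash on the added line encodes an undocumented database-dialect assumption: this query uses native column names (`users.first_name`), so the literal reaches the database unchanged, and `\\` only reads back as a single backslash on a backend that treats `\` as the string-escape character (MySQL in its default mode, presumably what this targets); on a backend with standard-SQL literal handling it would search for two backslashes instead. A comment on the line would stop the next maintainer from "simplifying" it away, e.g. `// escapeSql only doubles quotes; the backslash is doubled because the backend treats \ as an escape character in string literals`. The enclosing method starts before and ends after this hunk.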
@@ -155,9 +155,9 @@
 private static void addNameSearch(StringBuilder queryBuilder, String entityName, String searchPhrase) {
 if (!StringUtils.isBlank(searchPhrase)) {
-String[] tokens = StringEscapeUtils.escapeSql(searchPhrase).trim().split("\\s+");
+String[] tokens = searchPhrase.trim().split("\\s+");
 for (String token : tokens) {
-String escToken = StringEscapeUtils.escapeSql(token);
+String escToken = StringEscapeUtils.escapeSql(token).replace("\\", "\\\\");
 queryBuilder.append(" AND (").append(entityName).append(".firstName LIKE '%").append(escToken)
 .append("%' OR ").append(entityName).append(".lastName LIKE '%").append(escToken)
 .append("%' OR ").append(entityName).append(".login LIKE '%").append(escToken).append("%' OR ")