From cc982ec91526c90afa3eb78568eca065aa4c99a5 Mon Sep 17 00:00:00 2001
From: Andrew O'Neil
Date: Tue, 25 Nov 2008 01:55:27 +0000
Subject: [PATCH] Make sure only fields that exist can be autocompleted on MemberTableFields, and never autocomplete on password.
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/cms/branches/2.3@66544 467b73ca-7a2a-4603-9d3b-597d59a354a9
---
 code/SecurityAdmin.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/code/SecurityAdmin.php b/code/SecurityAdmin.php
index 28ed5a50..55619339 100644
--- a/code/SecurityAdmin.php
+++ b/code/SecurityAdmin.php
@@ -81,8 +81,11 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 $fieldName = $this->urlParams['ID'];
 $fieldVal = $_REQUEST[$fieldName];
 $result = '';
+
+ // Make sure we only autocomplete on keys that actually exist, and that we don't autocomplete on password
+ if(!array_key_exists($fieldName, singleton($this->stat('subitem_class'))->stat('db')) && $fieldName != 'Password') return;
- $matches = DataObject::get($this->stat('subitem_class'),"$fieldName LIKE '" . addslashes($fieldVal) . "%'");
+ $matches = DataObject::get($this->stat('subitem_class'),"$fieldName LIKE '" . Convert::raw2sql($fieldVal) . "%'");
 if($matches) {
 $result .= "";
@@ -227,4 +229,4 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
 }
 }
-?>
\ No newline at end of file
+?>
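Review bot: The added guard does not block `Password`, because with `&&` the early return fires only when the field is absent from `db` and is also not `Password`; a request naming `Password` (presumably a key in the member class's `db`) makes the second operand false and falls through to the `LIKE` query, the opposite of what the comment states. The condition needs `||` with the comparison flipped: `if(!array_key_exists($fieldName, singleton($this->stat('subitem_class'))->stat('db')) || $fieldName == 'Password') return;`. A single-name deny-list would still leave any other sensitive column declared in `db` open to prefix matching, so an explicit list of autocompletable fields would be a sturdier check; which columns the class declares is not visible here. The enclosing method starts and ends outside the hunk, and `$_REQUEST[$fieldName]` is still read before the guard runs.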