--- loncom/lonsql	2015/08/09 21:43:11	1.95
+++ loncom/lonsql	2017/10/13 20:37:46	1.96
@@ -3,7 +3,7 @@
 # The LearningOnline Network
 # lonsql - LON TCP-MySQL-Server Daemon for handling database requests.
 #
-# $Id: lonsql,v 1.95 2015/08/09 21:43:11 raeburn Exp $
+# $Id: lonsql,v 1.96 2017/10/13 20:37:46 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -490,6 +490,7 @@ sub make_new_child {
                 $userdata{'domain'} = $udom;
                 $result = &allusers_table_update($query,$uname,$udom,\%userdata);
             } else {
+                # Sanity checking of $query needed.
                 # Do an sql query
                 $result = &do_sql_query($query,$arg1,$arg2,$arg3,$searchdomain);
             }
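Review bot: The comment added above the `do_sql_query` call records that `$query` reaches the database unvalidated, but it carries no `TODO:` marker and does not say what the check should enforce, so it is easy to lose among the other comments; a marker and a concrete statement of the gap would make it findable, e.g. `# TODO: validate $query here; it is currently passed to do_sql_query unchecked.` The enclosing `make_new_child` starts and ends outside this hunk, so whether `$query` is constrained earlier cannot be confirmed from here.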
@@ -541,13 +542,20 @@ sub do_user_search {
         my %srchfield = (
                           uname    => 'username',
                           lastname => 'lastname',
+                          email    => 'permanentemail',
                         );
-        if ($srchtype eq 'exact') {
-            $query .= $srchfield{$srchby}.' = '.$dbh->quote($srchterm);
-        } elsif ($srchtype eq 'begins') {
-             $query .= $srchfield{$srchby}.' LIKE '.$dbh->quote($srchterm.'%');
+        if (exists($srchfield{$srchby})) {
+            if ($srchtype eq 'exact') {
+                $query .= $srchfield{$srchby}.' = '.$dbh->quote($srchterm);
+            } elsif ($srchtype eq 'begins') {
+                $query .= $srchfield{$srchby}.' LIKE '.$dbh->quote($srchterm.'%');
+            } else {
+                $query .= $srchfield{$srchby}.' LIKE '.$dbh->quote('%'.$srchterm.'%');
+            }
         } else {
-             $query .= $srchfield{$srchby}.' LIKE '.$dbh->quote('%'.$srchterm.'%');
+            &logthis('<font color="blue">'.
+                     'WARNING: Invalid srchby: '.$srchby.'</font>');  
+            return $result;
         }
     }
     $query .= ") ORDER BY username ";
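Review bot: The new rejection branch interpolates the caller-supplied `$srchby` verbatim into a log line that already contains HTML markup (`<font color="blue">`), so if `logthis` output is ever rendered as HTML an unexpected `$srchby` value could inject markup into the log view; either pass it through the project's HTML-escaping helper before concatenation or log only that the value was unrecognised. The `return $result;` relies on whatever `$result` holds at that point, which is set outside the hunk, so the note here assumes it is still the initial value and the caller treats that as "no results" rather than success. The `'WARNING: Invalid srchby: '.$srchby.'</font>');` line also carries trailing whitespace. `do_user_search` begins before and continues after this hunk.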