diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index b87c4f6964f..6464738629f 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -294,7 +294,8 @@ class UsersController < ApplicationController
     results = UserSearch.search term, topic_id
-    render :json => results
+    render json: { users: results.as_json( only: [ :username, :name ],
+                                           methods: :avatar_template ) }
   end
   private
diff --git a/app/models/user_search.rb b/app/models/user_search.rb
index 597c38786e5..3795bee6c8c 100644
--- a/app/models/user_search.rb
+++ b/app/models/user_search.rb
@@ -1,15 +1,11 @@
 class UserSearch
   def self.search term, topic_id
-    sql = sql term, topic_id
-    results = User.exec_sql(sql, topic_id: topic_id, term_like: "#{term}%", term: term)
-    results = results.map do |r|
-      r["avatar_template"] = User.avatar_template(r["email"])
-      r.delete("email")
-      r
-    end
+    User.find_by_sql sql(term, topic_id)
   end
+  private
+
   def self.sql term, topic_id
     sql = "select username, name, email from users u "
     if topic_id
@@ -36,7 +32,12 @@ class UserSearch
     end
     sql << " case when last_seen_at is null then 0 else 1 end desc, last_seen_at desc, username asc limit(20)"
-    sql
+
+    sanitize_sql_array(sql, topic_id: topic_id, term_like: "#{term}%", term: term)
+  end
+
+  def self.sanitize_sql_array *args
+    ActiveRecord::Base.send(:sanitize_sql_array, args)
   end
 end
\ No newline at end of file
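Review bot: The `only:` whitelist in the new `render json:` call is now the only thing keeping `email` out of the response — `UserSearch.search` returns User records selected with `email` (needed by `avatar_template`), whereas the old code deleted that key by hand before rendering. That intent deserves a comment next to the attribute list, e.g. `# email is loaded for avatar_template only; keep it out of the only: list`, so a later edit does not widen the list without noticing. The top-level shape also changes from a bare array to `{ users: [...] }`, which every existing consumer of this endpoint must follow. The enclosing action starts outside the hunk, so where `term` and `topic_id` come from is not visible here.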
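Review bot: The added `private` line does not change the visibility of `def self.sql` below it — bare `private` only affects instance methods, so `UserSearch.sql` (and `UserSearch.sanitize_sql_array` added in the next hunk) remain public class methods and the SQL builder stays callable from anywhere. Either add `private_class_method :sql, :sanitize_sql_array` after the definitions, or move both methods into a `class << self` block with `private` inside it. The body of `self.sql` continues past the end of this hunk.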
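Review bot: `ActiveRecord::Base.send(:sanitize_sql_array, args)` reaches into a protected ActiveRecord method through `send`, and it is unnecessary here because `find_by_sql` already runs its argument through `sanitize_sql`, which accepts the array-with-named-binds form; `self.sql` can simply end with `[sql, { topic_id: topic_id, term_like: "#{term}%", term: term }]`, the helper can be dropped, and `search` keeps calling `User.find_by_sql sql(term, topic_id)`. Separately, `term` is placed into the LIKE pattern as `"#{term}%"` with `%` and `_` left unescaped, so a caller-supplied wildcard changes what the query matches; if the Rails version in use provides `sanitize_sql_like`, apply it to `term` before appending `%`. The `:topic_id`, `:term_like` and `:term` placeholders that the sanitizer fills are built earlier in `self.sql`, outside this hunk.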