lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[Qual] More robust sorting

Browse Source 
Only allow valid values and discard others.
Do not use user supplied data in SQL query.
This commit is contained in:
Raphaël Doursenaud 2015-12-02 21:12:23 +01:00
parent d6d2a2fadb
commit 0c5c762c1c
1 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
htdocs/core/db/DoliDB.class.php
View File

@ -221,7 +221,7 @@ abstract class DoliDB implements Database
* Define sort criteria of request
*
* @param string $sortfield List of sort fields, separated by comma. Example: 't1.fielda, t2.fieldb'
* @param string $sortorder Sort order
* @param 'ASC'|'DESC' $sortorder Sort order
* @return string String to provide syntax of a sort sql string
*/
function order($sortfield=null,$sortorder=null)
@ -236,9 +236,11 @@ abstract class DoliDB implements Database
else $return.=',';
$return.=preg_replace('/[^0-9a-z_\.]/i','',$val);
if (! empty($sortorder))
{
$return.=' '.preg_replace('/[^0-9a-z]/i','',$sortorder);
// Only ASC and DESC values are valid SQL
if ($sortorder === 'ASC') {
$return .= ' ASC';
} elseif ($sortorder === 'DESC') {
$return .= ' DESC';
}
}
return $return;