From 0c5c762c1c4833688f9b6c1c15462f13aca2a3e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Doursenaud?=
Date: Wed, 2 Dec 2015 21:12:23 +0100
Subject: [PATCH] [Qual] More robust sorting

Only allow valid values and discard others. Do not use user supplied data in SQL query.
---
 htdocs/core/db/DoliDB.class.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/htdocs/core/db/DoliDB.class.php b/htdocs/core/db/DoliDB.class.php
index f1909a91ea0..4103b095330 100644
--- a/htdocs/core/db/DoliDB.class.php
+++ b/htdocs/core/db/DoliDB.class.php
@@ -221,7 +221,7 @@ abstract class DoliDB implements Database
 	 * Define sort criteria of request
 	 *
 	 * @param string $sortfield List of sort fields, separated by comma. Example: 't1.fielda, t2.fieldb'
-	 * @param string $sortorder Sort order
+	 * @param 'ASC'|'DESC' $sortorder Sort order
 	 * @return string String to provide syntax of a sort sql string
 	 */
 	function order($sortfield=null,$sortorder=null)
@@ -236,9 +236,11 @@ abstract class DoliDB implements Database
 			else $return.=',';
 			$return.=preg_replace('/[^0-9a-z_\.]/i','',$val);
 
-			if (! empty($sortorder))
-			{
-				$return.=' '.preg_replace('/[^0-9a-z]/i','',$sortorder);
+			// Only ASC and DESC values are valid SQL
+			if ($sortorder === 'ASC') {
+				$return .= ' ASC';
+			} elseif ($sortorder === 'DESC') {
+				$return .= ' DESC';
 			}
 		}
 		return $return;
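Review bot: The strict comparison at `if ($sortorder === 'ASC')` in the second hunk silently drops lower- or mixed-case values such as `desc`, which the removed `preg_replace` filter let through and which the database would have applied case-insensitively; a caller passing `desc` now gets the default ascending order with no error, so a descending list quietly flips. Normalising the value before the whitelist keeps the injection fix intact while preserving that behaviour: `$sortorder = strtoupper((string) $sortorder);` placed just before the `if`. Discarding an unrecognised value without any trace also hides caller bugs; if a logging facility is available in this class, a debug-level message naming the rejected value would make such cases visible during development. The `order()` function's signature is in the first hunk and its closing brace lies after the second hunk, outside this view.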