CRM-13554 - validate values of order by

----------------------------------------
* CRM-13554: Improve string validation in the query engine
  http://issues.civicrm.org/jira/browse/CRM-13554

diff --git a/CRM/Activity/BAO/Activity.php b/CRM/Activity/BAO/Activity.php
index d28b76373d90a12db2816591c238ad305c27d7a0..99c4abfbd64a71873814d5a2f54716179c2cf976 100644 (file)
--- a/CRM/Activity/BAO/Activity.php
+++ b/CRM/Activity/BAO/Activity.php
@@ -738,7 +738,8 @@ class CRM_Activity_BAO_Activity extends CRM_Activity_DAO_Activity {
         }
       }
       elseif (trim($input['sort'])) {
-        $order = " ORDER BY {$input['sort']}";
+        $sort = CRM_Utils_Type::escape($input['sort'], 'String');
+        $order = " ORDER BY $sort ";
       }
     }
 

diff --git a/CRM/Batch/BAO/Batch.php b/CRM/Batch/BAO/Batch.php
index d203cbd134e74d227ce55ee4ef14f902f7d5a30a..62a86667cb3902c889853391ec9c74225b0d73d7 100644 (file)
--- a/CRM/Batch/BAO/Batch.php
+++ b/CRM/Batch/BAO/Batch.php
@@ -266,7 +266,7 @@ class CRM_Batch_BAO_Batch extends CRM_Batch_DAO_Batch {
 
     $orderBy = ' ORDER BY batch.id desc';
     if (!empty($params['sort'])) {
-      $orderBy = ' ORDER BY ' . $params['sort'];
+      $orderBy = ' ORDER BY ' . CRM_Utils_Type::escape($params['sort'], 'String');
     }
 
     $query = "
@@ -633,8 +633,8 @@ class CRM_Batch_BAO_Batch extends CRM_Batch_DAO_Batch {
     }
 
     $orderBy = " ORDER BY civicrm_financial_trxn.id";
-    if (CRM_Utils_Array::value('sort', $params)) {
-      $orderBy = ' ORDER BY ' . CRM_Utils_Array::value('sort', $params);
+    if (!empty($params['sort'])) {
+      $orderBy = ' ORDER BY ' . CRM_Utils_Type::escape($params['sort'], 'String');
     }
 
     $from = "civicrm_financial_trxn

diff --git a/CRM/Case/BAO/Case.php b/CRM/Case/BAO/Case.php
index 05c534bca64ab72e97e8feb3516f812cd34fa22c..cc1c024110bf211ec9f486d814697d9703280981 100644 (file)
--- a/CRM/Case/BAO/Case.php
+++ b/CRM/Case/BAO/Case.php
@@ -1066,7 +1066,9 @@ SELECT case_status.label AS case_status, status_id, case_type.label AS case_type
       $orderBy = " ORDER BY overdue_date ASC, display_date DESC, weight DESC";
     }
     else {
-      $orderBy = " ORDER BY {$sortname} {$sortorder}";
+      $sort = "{$sortname} {$sortorder}";
+      $sort = CRM_Utils_Type::escape($sort, 'String');
+      $orderBy = " ORDER BY $sort ";
       if ($sortname != 'display_date') {
         $orderBy .= ', display_date DESC';
       }

diff --git a/CRM/Contact/BAO/Group.php b/CRM/Contact/BAO/Group.php
index 5fd504daeda6195a7e9a6918f67950dc656a35b1..1007b8c6cd12ae868b2c73f94987518c784ad62f 100644 (file)
--- a/CRM/Contact/BAO/Group.php
+++ b/CRM/Contact/BAO/Group.php
@@ -728,8 +728,8 @@ class CRM_Contact_BAO_Group extends CRM_Contact_DAO_Group {
     }
 
     $orderBy = ' ORDER BY groups.title asc';
-    if (CRM_Utils_Array::value('sort', $params)) {
-      $orderBy = ' ORDER BY ' . CRM_Utils_Array::value('sort', $params);
+    if (!empty($params['sort'])) {
+      $orderBy = ' ORDER BY ' . CRM_Utils_Type::escape($params['sort'], 'String');
     }
 
     $select = $from = $where = "";

diff --git a/CRM/Contact/Form/Search/Custom/ActivitySearch.php b/CRM/Contact/Form/Search/Custom/ActivitySearch.php
index 5113f49fa40cc6482e898d84a6de1a513270eaaf..088480f3b95e1d8fa40c642fbaddf8b57718dd3e 100644 (file)
--- a/CRM/Contact/Form/Search/Custom/ActivitySearch.php
+++ b/CRM/Contact/Form/Search/Custom/ActivitySearch.php
@@ -201,6 +201,7 @@ class CRM_Contact_Form_Search_Custom_ActivitySearch implements CRM_Contact_Form_
       // Define ORDER BY for query in $sort, with default value
       if (!empty($sort)) {
         if (is_string($sort)) {
+          $sort = CRM_Utils_Type::escape($sort, 'String');
           $sql .= " ORDER BY $sort ";
         }
         else {

diff --git a/CRM/Contact/Form/Search/Custom/Base.php b/CRM/Contact/Form/Search/Custom/Base.php
index 781cfc907115a755ab2d688ffd2f92621298b0f6..a7f5488393157cbb05eabca3cca09a53efd9c66f 100644 (file)
--- a/CRM/Contact/Form/Search/Custom/Base.php
+++ b/CRM/Contact/Form/Search/Custom/Base.php
@@ -124,6 +124,7 @@ class CRM_Contact_Form_Search_Custom_Base {
   function addSortOffset(&$sql, $offset, $rowcount, $sort) {
     if (!empty($sort)) {
       if (is_string($sort)) {
+        $sort = CRM_Utils_Type::escape($sort, 'String');
         $sql .= " ORDER BY $sort ";
       }
       else {

diff --git a/CRM/Contact/Form/Search/Custom/EmployerListing.php b/CRM/Contact/Form/Search/Custom/EmployerListing.php
index 2b304afabb580f483da6b67651ecf367f798a27a..681bc4e7f8d58680b1a80a3474159cb5ac91bb13 100644 (file)
--- a/CRM/Contact/Form/Search/Custom/EmployerListing.php
+++ b/CRM/Contact/Form/Search/Custom/EmployerListing.php
@@ -134,6 +134,7 @@ class CRM_Contact_Form_Search_Custom_EmployerListing implements CRM_Contact_Form
     // Define ORDER BY for query in $sort, with default value
     if (!empty($sort)) {
       if (is_string($sort)) {
+        $sort = CRM_Utils_Type::escape($sort, 'String');
         $sql .= " ORDER BY $sort ";
       }
       else {

diff --git a/CRM/Contact/Form/Search/Custom/Group.php b/CRM/Contact/Form/Search/Custom/Group.php
index bfc95e9ebaba707340327e5fea8bb892ee8a3577..8c3d7dbe35c4920e1f3c7c1cd574c30d8cdd77b6 100644 (file)
--- a/CRM/Contact/Form/Search/Custom/Group.php
+++ b/CRM/Contact/Form/Search/Custom/Group.php
@@ -228,6 +228,7 @@ class CRM_Contact_Form_Search_Custom_Group extends CRM_Contact_Form_Search_Custo
     if (!$justIDs) {
       if (!empty($sort)) {
         if (is_string($sort)) {
+          $sort = CRM_Utils_Type::escape($sort, 'String');
           $sql .= " ORDER BY $sort ";
         }
         else {

diff --git a/CRM/Contact/Form/Search/Custom/TagContributions.php b/CRM/Contact/Form/Search/Custom/TagContributions.php
index eeb89e9a8a1000866568b29328be3237596a26bf..5ba6a07e03c93b6d5dcd6daed1b3e725787164f7 100644 (file)
--- a/CRM/Contact/Form/Search/Custom/TagContributions.php
+++ b/CRM/Contact/Form/Search/Custom/TagContributions.php
@@ -120,6 +120,7 @@ WHERE  $where
       // Define ORDER BY for query in $sort, with default value
       if (!empty($sort)) {
         if (is_string($sort)) {
+          $sort = CRM_Utils_Type::escape($sort, 'String');
           $sql .= " ORDER BY $sort ";
         }
         else {

diff --git a/CRM/Core/BAO/FinancialTrxn.php b/CRM/Core/BAO/FinancialTrxn.php
index 90109b33bd438edb1f05e58f72299b9a37ee2bd1..fe5899fe8d3185484ab5b37b082b59928fc3515f 100644 (file)
--- a/CRM/Core/BAO/FinancialTrxn.php
+++ b/CRM/Core/BAO/FinancialTrxn.php
@@ -128,8 +128,13 @@ class CRM_Core_BAO_FinancialTrxn extends CRM_Financial_DAO_FinancialTrxn {
     if (!$newTrxn) {
       $condition = " AND ((ceft1.entity_table IS NOT NULL) OR (cft.payment_instrument_id IS NOT NULL AND ceft1.entity_table IS NULL)) ";
     }
+
+    if ($orderBy) {
+      $orderBy = CRM_Utils_Type::escape($orderBy, 'String');
+    }
+
     $query = "SELECT ceft.id, ceft.financial_trxn_id FROM `civicrm_financial_trxn` cft
-LEFT JOIN civicrm_entity_financial_trxn ceft 
+LEFT JOIN civicrm_entity_financial_trxn ceft
 ON ceft.financial_trxn_id = cft.id AND ceft.entity_table = 'civicrm_contribution'
 LEFT JOIN civicrm_entity_financial_trxn ceft1
 ON ceft1.financial_trxn_id = cft.id AND ceft1.entity_table = 'civicrm_financial_item'
@@ -137,8 +142,8 @@ LEFT JOIN civicrm_financial_item cfi ON ceft1.entity_table = 'civicrm_financial_
 WHERE ceft.entity_id = %1 AND (cfi.entity_table <> 'civicrm_financial_trxn' or cfi.entity_table is NULL)
 {$condition}
 ORDER BY cft.id {$orderBy}
-LIMIT 1;"; 
- 
+LIMIT 1;";
+
     $params = array(1 => array($entity_id, 'Integer'));
     $dao = CRM_Core_DAO::executeQuery($query, $params);
     if ($dao->fetch()) {
@@ -163,7 +168,7 @@ LIMIT 1;";
   static function getFinancialTrxnTotal($entity_id) {
     $query = "
       SELECT (ft.amount+SUM(ceft.amount)) AS total FROM civicrm_entity_financial_trxn AS ft
-LEFT JOIN civicrm_entity_financial_trxn AS ceft ON ft.financial_trxn_id = ceft.entity_id 
+LEFT JOIN civicrm_entity_financial_trxn AS ceft ON ft.financial_trxn_id = ceft.entity_id
 WHERE ft.entity_table = 'civicrm_contribution' AND ft.entity_id = %1
         ";
 
@@ -236,7 +241,7 @@ WHERE  ef2.financial_trxn_id =%1
   static function getFinancialTrxnLineTotal($entity_id, $entity_table = 'civicrm_contribution') {
     $query = "SELECT lt.price_field_value_id AS id, ft.financial_trxn_id,ft.amount AS amount FROM civicrm_entity_financial_trxn AS ft
 LEFT JOIN civicrm_financial_item AS fi ON fi.id = ft.entity_id AND fi.entity_table = 'civicrm_line_item' AND ft.entity_table = 'civicrm_financial_item'
-LEFT JOIN civicrm_line_item AS lt ON lt.id = fi.entity_id AND lt.entity_table = %2 
+LEFT JOIN civicrm_line_item AS lt ON lt.id = fi.entity_id AND lt.entity_table = %2
 WHERE lt.entity_id = %1 ";
 
     $sqlParams = array(1 => array($entity_id, 'Integer'), 2 => array($entity_table, 'String'));
@@ -261,11 +266,11 @@ WHERE lt.entity_id = %1 ";
    */
   static function deleteFinancialTrxn($entity_id) {
     $query = "DELETE ceft1, cfi, ceft, cft FROM `civicrm_financial_trxn` cft
-LEFT JOIN civicrm_entity_financial_trxn ceft 
+LEFT JOIN civicrm_entity_financial_trxn ceft
   ON ceft.financial_trxn_id = cft.id AND ceft.entity_table = 'civicrm_contribution'
 LEFT JOIN civicrm_entity_financial_trxn ceft1
   ON ceft1.financial_trxn_id = cft.id AND ceft1.entity_table = 'civicrm_financial_item'
-LEFT JOIN civicrm_financial_item cfi 
+LEFT JOIN civicrm_financial_item cfi
   ON ceft1.entity_table = 'civicrm_financial_item' and cfi.id = ceft1.entity_id
 WHERE ceft.entity_id = %1";
     CRM_Core_DAO::executeQuery($query, array(1 => array($entity_id, 'Integer')));
@@ -282,7 +287,7 @@ WHERE ceft.entity_id = %1";
     if ((!CRM_Utils_Array::value('financial_type_id', $params) || !CRM_Utils_Array::value('contributionId', $params)) && !CRM_Utils_Array::value('oldPremium', $params)) {
       return;
     }
-    
+
     if (CRM_Utils_Array::value('cost', $params)) {
       $contributionStatuses = CRM_Contribute_PseudoConstant::contributionStatus(NULL, 'name');
       $financialAccountType = CRM_Contribute_PseudoConstant::financialAccountType($params['financial_type_id']);
@@ -343,7 +348,7 @@ WHERE ceft.entity_id = %1";
     $params['trxnParams']['from_financial_account_id'] = $params['to_financial_account_id'];
     $params['trxnParams']['to_financial_account_id'] = $financialAccount;
     $params['trxnParams']['total_amount'] = $amount;
-    $params['trxnParams']['fee_amount'] = 
+    $params['trxnParams']['fee_amount'] =
       $params['trxnParams']['net_amount'] = 0;
     $params['trxnParams']['status_id'] = CRM_Core_OptionGroup::getValue('contribution_status','Completed','name');
     $params['trxnParams']['contribution_id'] = isset($params['contribution']->id) ? $params['contribution']->id : $params['contribution_id'];
@@ -352,7 +357,7 @@ WHERE ceft.entity_id = %1";
       $financialTrxnID = CRM_Core_BAO_FinancialTrxn::getFinancialTrxnId($params['trxnParams']['contribution_id'], 'DESC');
       $params['entity_id'] = $financialTrxnID['financialTrxnId'];
     }
-    $fItemParams = 
+    $fItemParams =
       array(
         'financial_account_id' => $financialAccount,
         'contact_id' => CRM_Core_DAO::getFieldValue('CRM_Core_DAO_Domain', $domainId, 'contact_id'),

diff --git a/CRM/Mailing/Event/BAO/Bounce.php b/CRM/Mailing/Event/BAO/Bounce.php
index 10d4ae842efaab512e4f2c8dc3411e3348d2f70b..ce6647a197eea4bed4ab2e476c9c97a75d245844 100644 (file)
--- a/CRM/Mailing/Event/BAO/Bounce.php
+++ b/CRM/Mailing/Event/BAO/Bounce.php
@@ -230,6 +230,7 @@ class CRM_Mailing_Event_BAO_Bounce extends CRM_Mailing_Event_DAO_Bounce {
     $orderBy = "sort_name ASC, {$bounce}.time_stamp DESC";
     if ($sort) {
       if (is_string($sort)) {
+        $sort = CRM_Utils_Type::escape($sort, 'String');
         $orderBy = $sort;
       }
       else {

diff --git a/CRM/Mailing/Event/BAO/Delivered.php b/CRM/Mailing/Event/BAO/Delivered.php
index 6c01049559b8cb6fb5e8d25f60aee13ef2fbdc53..35bfd3a88189d413803db4e81c4d4fea0caea524 100644 (file)
--- a/CRM/Mailing/Event/BAO/Delivered.php
+++ b/CRM/Mailing/Event/BAO/Delivered.php
@@ -195,6 +195,7 @@ class CRM_Mailing_Event_BAO_Delivered extends CRM_Mailing_Event_DAO_Delivered {
     $orderBy = "sort_name ASC, {$delivered}.time_stamp DESC";
     if ($sort) {
       if (is_string($sort)) {
+        $sort = CRM_Utils_Type::escape($sort, 'String');
         $orderBy = $sort;
       }
       else {

diff --git a/CRM/Mailing/Event/BAO/Forward.php b/CRM/Mailing/Event/BAO/Forward.php
index 9f479685f52e73729b1b3443d2e10f9bb7c8e39d..f37883cfe16b15d72e7c97085aa9a91868b7be4b 100644 (file)
--- a/CRM/Mailing/Event/BAO/Forward.php
+++ b/CRM/Mailing/Event/BAO/Forward.php
@@ -331,6 +331,7 @@ class CRM_Mailing_Event_BAO_Forward extends CRM_Mailing_Event_DAO_Forward {
     $orderBy = "sort_name ASC, {$forward}.time_stamp DESC";
     if ($sort) {
       if (is_string($sort)) {
+        $sort = CRM_Utils_Type::escape($sort, 'String');
         $orderBy = $sort;
       }
       else {

diff --git a/CRM/Mailing/Event/BAO/Opened.php b/CRM/Mailing/Event/BAO/Opened.php
index 0f434ed5b64de76ce06a8bbf315c06fee1d452b6..39398590436333706fcc2a9e7ea1100100ee6e99 100644 (file)
--- a/CRM/Mailing/Event/BAO/Opened.php
+++ b/CRM/Mailing/Event/BAO/Opened.php
@@ -169,11 +169,11 @@ class CRM_Mailing_Event_BAO_Opened extends CRM_Mailing_Event_DAO_Opened {
     if (!empty($job_id)) {
       $query .= " AND $job.id = " . CRM_Utils_Type::escape($job_id, 'Integer');
     }
-    
+
     if (!empty($contact_id)) {
       $query .= " AND $contact.id = " . CRM_Utils_Type::escape($contact_id, 'Integer');
     }
-    
+
     if ($is_distinct) {
       $query .= " GROUP BY $queue.id ";
     }
@@ -181,6 +181,7 @@ class CRM_Mailing_Event_BAO_Opened extends CRM_Mailing_Event_DAO_Opened {
     $orderBy = "sort_name ASC, {$open}.time_stamp DESC";
     if ($sort) {
       if (is_string($sort)) {
+        $sort = CRM_Utils_Type::escape($sort, 'String');
         $orderBy = $sort;
       }
       else {

diff --git a/CRM/Mailing/Event/BAO/Queue.php b/CRM/Mailing/Event/BAO/Queue.php
index 14f220ce727e4d79df8b8af35c94ebcdacf4bbca..9a9bec5fb485b5b860811e10bf362e078a2805de 100644 (file)
--- a/CRM/Mailing/Event/BAO/Queue.php
+++ b/CRM/Mailing/Event/BAO/Queue.php
@@ -114,10 +114,10 @@ class CRM_Mailing_Event_BAO_Queue extends CRM_Mailing_Event_DAO_Queue {
   public static function getEmailAddress($queue_id) {
     $email = CRM_Core_BAO_Email::getTableName();
     $eq    = self::getTableName();
-    $query = "  SELECT      $email.email as email 
-                    FROM        $email 
-                    INNER JOIN  $eq 
-                    ON          $eq.email_id = $email.id 
+    $query = "  SELECT      $email.email as email
+                    FROM        $email
+                    INNER JOIN  $eq
+                    ON          $eq.email_id = $email.id
                     WHERE       $eq.id = " . CRM_Utils_Type::rule($queue_id, 'Integer');
 
     $q = new CRM_Mailing_Event_BAO_Queue();
@@ -190,6 +190,7 @@ class CRM_Mailing_Event_BAO_Queue extends CRM_Mailing_Event_DAO_Queue {
     $orderBy = "sort_name ASC, {$job}.start_date DESC";
     if ($sort) {
       if (is_string($sort)) {
+        $sort = CRM_Utils_Type::escape($sort, 'String');
         $orderBy = $sort;
       }
       else {

diff --git a/CRM/Mailing/Event/BAO/Reply.php b/CRM/Mailing/Event/BAO/Reply.php
index 59034e1baa166005f469a039cc48419b7d107340..aba6052ddf7f9183aff1b8898d8a1a6eebffe49a 100644 (file)
--- a/CRM/Mailing/Event/BAO/Reply.php
+++ b/CRM/Mailing/Event/BAO/Reply.php
@@ -396,6 +396,7 @@ class CRM_Mailing_Event_BAO_Reply extends CRM_Mailing_Event_DAO_Reply {
     $orderBy = "sort_name ASC, {$reply}.time_stamp DESC";
     if ($sort) {
       if (is_string($sort)) {
+        $sort = CRM_Utils_Type::escape($sort, 'String');
         $orderBy = $sort;
       }
       else {

diff --git a/CRM/Mailing/Event/BAO/TrackableURLOpen.php b/CRM/Mailing/Event/BAO/TrackableURLOpen.php
index ba7e7b247d179fa127af9dfe1a59af806a51dddc..fa17c73dda7e5e29852de30ce6084453297e9120 100644 (file)
--- a/CRM/Mailing/Event/BAO/TrackableURLOpen.php
+++ b/CRM/Mailing/Event/BAO/TrackableURLOpen.php
@@ -223,6 +223,7 @@ class CRM_Mailing_Event_BAO_TrackableURLOpen extends CRM_Mailing_Event_DAO_Track
     $orderBy = "sort_name ASC, {$click}.time_stamp DESC";
     if ($sort) {
       if (is_string($sort)) {
+        $sort = CRM_Utils_Type::escape($sort, 'String');
         $orderBy = $sort;
       }
       else {

diff --git a/CRM/Mailing/Event/BAO/Unsubscribe.php b/CRM/Mailing/Event/BAO/Unsubscribe.php
index 1910ab37a28f194c8997054ef77432bdd17c6c27..4555c12c14e163b97bd335870335171fbf62c923 100644 (file)
--- a/CRM/Mailing/Event/BAO/Unsubscribe.php
+++ b/CRM/Mailing/Event/BAO/Unsubscribe.php
@@ -528,6 +528,7 @@ WHERE  email = %2
     $orderBy = "sort_name ASC, {$unsub}.time_stamp DESC";
     if ($sort) {
       if (is_string($sort)) {
+        $sort = CRM_Utils_Type::escape($sort, 'String');
         $orderBy = $sort;
       }
       else {