else {
$orderBy = trim($sort->orderBy());
}
+ // Deliberately remove the backticks again, as they mess up the evil
+ // string munging below. This balanced by re-escaping before use.
+ $orderBy = str_replace('`', '', $orderBy);
+
if (!empty($orderBy)) {
// this is special case while searching for
// change log CRM-1718
- if (preg_match('/`sort_name`/i', $orderBy)) {
- $orderBy = str_replace('`sort_name`', '`contact_a`.`sort_name`', $orderBy);
+ if (preg_match('/sort_name/i', $orderBy)) {
+ $orderBy = str_replace('sort_name', 'contact_a.sort_name', $orderBy);
}
- $orderBy = CRM_Utils_Type::escape($orderBy, 'String');
$order = " ORDER BY $orderBy";
if ($sortOrder) {
- $sortOrder = CRM_Utils_Type::escape($sortOrder, 'String');
$order .= " $sortOrder";
}
}
}
+ // The above code relies on crazy brittle string manipulation of a peculiarly-encoded ORDER BY
+ // clause. But this magic helper which forgivingly reescapes ORDER BY.
+ // Note: $sortByChar implies that $order was hard-coded/trusted, so it can do funky things.
+ if ($order && !$sortByChar) {
+ $order = ' ORDER BY ' . CRM_Utils_Type::escape(preg_replace('/^\s*ORDER BY\s*/', '', $order), 'MysqlOrderBy');
+ }
+
if ($rowCount > 0 && $offset >= 0) {
$offset = CRM_Utils_Type::escape($offset, 'Int');
$rowCount = CRM_Utils_Type::escape($rowCount, 'Int');
projects / civicrm-core.git / commitdiff