switch ($fieldName) {
case 'contact_sub_type':
if (!empty($props['contact_type'])) {
- $params['condition'] = "parent_id = (SELECT id FROM civicrm_contact_type WHERE name='{$props['contact_type']}')";
+ $params['condition'] = CRM_Core_DAO::composeQuery('parent_id = (SELECT id FROM civicrm_contact_type WHERE name = %1)', [
+ 1 => [$props['contact_type'], 'String'],
+ ]);
}
break;
$query .= $condition;
}
- $query .= " ORDER BY v.{$orderBy}";
+ $query .= " ORDER BY %2";
- $p = [1 => [$name, 'String']];
+ $p = [
+ 1 => [$name, 'String'],
+ 2 => ['v.' . $orderBy, 'MysqlOrderBy'],
+ ];
$dao = CRM_Core_DAO::executeQuery($query, $p);
$var = self::valuesCommon($dao, $flip, $grouping, $localize, $labelColumnName);
unset($original_domain, $domainIDs, $optionValues);
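Review bot: The new `2 => ['v.' . $orderBy, 'MysqlOrderBy']` binding validates the whole concatenated string, so what `$orderBy` may legitimately contain (a bare column name, a name with a direction suffix, a comma-separated list) is now decided by that validator rather than by the caller, and the accepted shape is not stated anywhere in the hunk. The `values()` signature and its docblock start outside this hunk; the `@param string $orderBy` entry there should say which forms are accepted, e.g. `@param string $orderBy Column of civicrm_option_value to sort by (validated as MysqlOrderBy after the 'v.' prefix is applied).`. The `$condition` appended at `$query .= $condition;` is built outside the hunk, so whether it is bound the same way cannot be confirmed from here.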
}
+ public static function orderByCases(): array {
+ return [
+ ['weight', FALSE],
+ ['id`; DELETE FROM contact; SELECT id FROM contact WHERE `id', TRUE],
+ ];
+ }
+
+ /**
+ * Test to ensure that OrderBy in CRM_Core_OptionGroup::values is sanitised
+ * @dataProvider orderByCases
+ */
+ public function testOrderBy($case, $expectException): void {
+ try {
+ CRM_Core_OptionGroup::values('from_email_address', FALSE, FALSE, FALSE, NULL, 'label', TRUE, FALSE, 'value', $case);
+ $this->assertFalse($expectException);
+ }
+ catch (CRM_Core_Exception $e) {
+ $this->assertTrue($expectException);
+ }
+ }
+
}
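Review bot: `testOrderBy($case, $expectException)` declares no parameter types while the provider always yields a string and a bool, so the signature should read `public function testOrderBy(string $case, bool $expectException): void {`. The provider could likewise carry `@return array<int, array{string, bool}>` so static analysis ties the two together. The try/catch form works because PHPUnit's own assertion failure is not a `CRM_Core_Exception`, but the rejection path is more direct as `if ($expectException) { $this->expectException(CRM_Core_Exception::class); }` placed before the `values()` call, followed by the call and `$this->assertFalse($expectException);` only on the non-throwing path.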