CRM-13554
authorDonald A. Lobo <lobo@civicrm.org>
Tue, 8 Oct 2013 12:23:55 +0000 (13:23 +0100)
committerDonald A. Lobo <lobo@civicrm.org>
Tue, 8 Oct 2013 12:23:55 +0000 (13:23 +0100)
----------------------------------------
* CRM-13554: Improve string validation in the query engine
  http://issues.civicrm.org/jira/browse/CRM-13554

CRM/Contact/BAO/Query.php

index ea7e41a501244083141420ac283b44f6d5b14ac4..d7d0271e25c08d1b60c5e7d0fd729cd44fbaaa5d 100644 (file)
@@ -3996,6 +3996,7 @@ civicrm_relationship.start_date > {$today}
       $sql .= ' GROUP BY contact_a.id';
     }
     if (!empty($sort)) {
+      $sort = CRM_Utils_Type::escape($sort, 'String');
       $sql .= " ORDER BY $sort ";
     }
     if ($row_count > 0 && $offset >= 0) {
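Review bot: The `CRM_Utils_Type::escape($sort, 'String')` added before `$sql .= " ORDER BY $sort ";` does not make the ORDER BY safe, because a String escape only neutralises quote and backslash characters for a quoted-literal context, while `$sort` is interpolated unquoted as an identifier/expression, where those characters are not needed to alter the query. The same applies to the `$orderBy` and `$sortOrder` escapes in the next hunk. What this position needs is an allowlist check, not escaping: either compare each comma-separated part against the known sortable columns and aliases plus an optional `ASC`/`DESC`, or at minimum reject anything outside that shape, e.g. `if (!preg_match('/^[A-Za-z0-9_.]+(\s+(ASC|DESC))?(\s*,\s*[A-Za-z0-9_.]+(\s+(ASC|DESC))?)*$/i', $sort)) { CRM_Core_Error::fatal(ts('Invalid sort clause')); }` (constructed pattern; widen it only for column expressions the callers actually pass). A short comment on the guarded line, `// $sort is an unquoted identifier: escaping cannot protect it, validate instead`, would stop the next reader from treating escape() as sufficient here. The enclosing method starts and ends outside this hunk.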
@@ -4121,9 +4122,11 @@ civicrm_relationship.start_date > {$today}
               $orderBy = str_replace('sort_name', 'contact_a.sort_name', $orderBy);
             }
 
+            $orderBy = CRM_Utils_Type::escape($orderBy, 'String');
             $order = " ORDER BY $orderBy";
 
             if ($sortOrder) {
+              $sortOrder = CRM_Utils_Type::escape($sortOrder, 'String');
               $order .= " $sortOrder";
             }