$sql = "$select $from $where $having";
if (!empty($sort)) {
+ $sort = CRM_Utils_Type::escape($sort, 'MysqlOrderBy');
$sql .= " ORDER BY $sort ";
}
if (!empty($rowCount)) {
$options = array(
'offset' => CRM_Utils_Rule::integer($offset) ? $offset : NULL,
- 'sort' => CRM_Utils_Rule::string($sort) ? $sort : NULL,
'limit' => CRM_Utils_Rule::integer($limit) ? $limit : NULL,
'is_count' => $is_count,
'return' => !empty($returnProperties) ? $returnProperties : array(),
);
+ $finalSort = array();
+ if (is_array($sort)) {
+ foreach ($sort as $s) {
+ if (CRM_Utils_Rule::mysqlOrderBy($s)) {
+ $finalSort[] = $s;
+ }
+ else {
+ throw new API_Exception("Unknown field specified for sort. Cannot order by '$s'");
+ }
+ }
+ }
+ elseif ($sort) {
+ if (CRM_Utils_Rule::mysqlOrderBy($sort)) {
+ $finalSort[] = $sort;
+ }
+ else {
+ throw new API_Exception("Unknown field specified for sort. Cannot order by '$sort'");
+ }
+ }
+
+ $options['sort'] = !empty($finalSort) ? implode(', ', $finalSort) : NULL;
if ($options['sort'] && stristr($options['sort'], 'SELECT')) {
throw new API_Exception('invalid string in sort options');
$dao->limit((int) $options['offset'], (int) $options['limit']);
}
if (!empty($options['sort'])) {
+ $options['sort'] = CRM_Utils_Type::escape($options['sort'], 'MysqlOrderBy');
$dao->orderBy($options['sort']);
}
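Review bot: The two new exception messages (`Cannot order by '$s'` and `Cannot order by '$sort'`) echo the rejected, attacker-controlled sort value verbatim back to the API client and into whatever logs capture API_Exception, and they say "Unknown field" although, judging by its name, `CRM_Utils_Rule::mysqlOrderBy()` validates the *syntax* of the ORDER BY fragment rather than whether the field exists (a well-formed but non-existent column would pass here and only fail in MySQL). I would drop the reflected input and describe the accepted grammar instead, e.g. `throw new API_Exception('Invalid sort option: expected a comma-separated list of field names, each optionally followed by ASC or DESC');` in both branches. The second `CRM_Utils_Type::escape($options['sort'], 'MysqlOrderBy')` before `$dao->orderBy()` re-checks the already-validated, imploded string, which is fine as defence in depth, but it is worth confirming that `escape()` rejects with the same API_Exception rather than a fatal, so the two paths fail consistently. The `stristr($options['sort'], 'SELECT')` denylist that remains above it is now redundant for anything that passes the allow-list; consider a comment saying so rather than leaving a reader to wonder which check is authoritative. The enclosing functions start before and the `$dao` block's function ends after this hunk.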
}
civicrm_api3($Entity, 'Create');
}
+ /**
+ * @dataProvider entities_create
+ *
+ * Check that create doesn't work with an invalid
+ * @param $Entity
+ * @throws \PHPUnit_Framework_IncompleteTestError
+ */
+ public function testInvalidSort_get($Entity) {
+ $invalidEntitys = array('ActivityType', 'Setting', 'System');
+ if (in_array($Entity, $invalidEntitys)) {
+ $this->markTestSkipped('It seems OK for setting to skip here as it silently sips invalid params');
+ }
+ $result = $this->callAPIFailure($Entity, 'get', array('options' => array('sort' => 'sleep(1)')));
+ }
+
/**
* @dataProvider entities_create
*
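Review bot: The docblock on `testInvalidSort_get()` is truncated and says "create" although the test exercises the `get` action; replace the description line with `* Check that 'get' rejects an invalid sort option (a SQL function call) instead of passing it through to the query.` The `$result` assignment on the `callAPIFailure()` line is never read and can be dropped, and `$invalidEntitys` should be `$invalidEntities`. The test pins only a bare function-call payload; since the allow-list is a syntax check, it would be worth a second dataset with a comma-separated payload such as `'id, (select 1)'` and a valid `'id desc'` asserted to succeed, so a future regex change that loosens or over-tightens the grammar is caught rather than inferred.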