From 668c2561a924a6abefa23b56c89a26fa493e94f6 Mon Sep 17 00:00:00 2001
From: Mattias Michaux
Date: Tue, 24 May 2016 07:29:06 +0200
Subject: [PATCH] Readded escaping to CRM_Utils_Sort and fixed str_replace in CRM_Contact_BAO_Query->searchQuery()
---
 CRM/Contact/BAO/Query.php | 4 ++--
 CRM/Utils/Sort.php | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/CRM/Contact/BAO/Query.php b/CRM/Contact/BAO/Query.php
index d0c25c7517..235b3713ed 100644
--- a/CRM/Contact/BAO/Query.php
+++ b/CRM/Contact/BAO/Query.php
@@ -4573,8 +4573,8 @@ civicrm_relationship.is_permission_a_b = 0
 if (!empty($orderBy)) {
 // this is special case while searching for
 // change log CRM-1718
- if (preg_match('/sort_name/i', $orderBy)) {
- $orderBy = str_replace('sort_name', 'contact_a.sort_name', $orderBy);
+ if (preg_match('/`sort_name`/i', $orderBy)) {
+ $orderBy = str_replace('`sort_name`', '`contact_a`.`sort_name`', $orderBy);
 }
 $orderBy = CRM_Utils_Type::escape($orderBy, 'String');
diff --git a/CRM/Utils/Sort.php b/CRM/Utils/Sort.php
index fec2d400e3..55e2b97704 100644
--- a/CRM/Utils/Sort.php
+++ b/CRM/Utils/Sort.php
@@ -152,11 +152,11 @@ class CRM_Utils_Sort {
 $this->_vars[$this->_currentSortID]['direction'] == self::DONTCARE
 ) {
 $this->_vars[$this->_currentSortID]['name'] = str_replace(' ', '_', $this->_vars[$this->_currentSortID]['name']);
- return $this->_vars[$this->_currentSortID]['name'] . ' asc';
+ return CRM_Utils_Type::escape($this->_vars[$this->_currentSortID]['name'], 'MysqlColumnNameOrAlias') . ' asc';
 }
 else {
 $this->_vars[$this->_currentSortID]['name'] = str_replace(' ', '_', $this->_vars[$this->_currentSortID]['name']);
- return $this->_vars[$this->_currentSortID]['name'] . ' desc';
+ return CRM_Utils_Type::escape($this->_vars[$this->_currentSortID]['name'], 'MysqlColumnNameOrAlias') . ' desc';
 }
 }
-- 
2.25.1
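Review bot: The new preg_match in Query.php is case-insensitive (`/i`) but the str_replace on the next line is case-sensitive, so an order-by containing `` `SORT_NAME` `` passes the check and is left unqualified; and an order-by that already reads `` `contact_a`.`sort_name` `` would be rewritten to `` `contact_a`.`contact_a`.`sort_name` ``, since the needle matches inside the qualified form (whether callers ever pass the qualified form is not visible here). Both are fixed by a single replacement that only rewrites an unqualified, backticked identifier: `$orderBy = preg_replace('/(?<!\.)`sort_name`/i', '`contact_a`.`sort_name`', $orderBy);` in place of the preg_match/str_replace pair. The subsequent `CRM_Utils_Type::escape($orderBy, 'String')` is unchanged by this commit and still treats the whole fragment as a string; it is worth a comment stating that the fragment is expected to have been produced by CRM_Utils_Sort, since a generic string escape does not validate identifier syntax. The enclosing searchQuery() body starts and ends outside this hunk.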
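Review bot: In Sort.php the two branches now repeat the same str_replace-and-escape sequence and differ only in the `' asc'`/`' desc'` suffix, which makes it easy for a later edit to fix the escaping in one branch and not the other (the unescaped form this commit replaces is exactly that kind of drift). Hoisting the name normalisation and the `CRM_Utils_Type::escape(..., 'MysqlColumnNameOrAlias')` call out of the branches keeps a single escape point, which is the property the commit title is restoring. Behaviour is unchanged: both branches already normalise the stored name and escape it before returning. The `if (` that opens this condition starts outside the hunk; only its last operand, `== self::DONTCARE`, is visible here.
```php
      $this->_vars[$this->_currentSortID]['direction'] == self::DONTCARE
    ) {
      $direction = 'asc';
    }
    else {
      $direction = 'desc';
    }
    // Normalise once, escape once: the returned fragment is spliced into ORDER BY.
    $this->_vars[$this->_currentSortID]['name'] = str_replace(' ', '_', $this->_vars[$this->_currentSortID]['name']);
    return CRM_Utils_Type::escape($this->_vars[$this->_currentSortID]['name'], 'MysqlColumnNameOrAlias') . ' ' . $direction;
```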