From ba93e7ad94552e5f0e3384289dac4f4c19f970ca Mon Sep 17 00:00:00 2001
From: Coleman Watts
Date: Mon, 21 Oct 2013 15:56:34 -0700
Subject: [PATCH] CRM-13550 - API - Port 2nd patch from 4.2

---
 api/v3/utils.php | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/api/v3/utils.php b/api/v3/utils.php
index e8592987c8..d2b84c3782 100644
--- a/api/v3/utils.php
+++ b/api/v3/utils.php
@@ -656,11 +656,15 @@ function _civicrm_api3_get_options_from_params(&$params, $queryObject = FALSE, $
 $options = array(
- 'offset' => CRM_Utils_Rule::integer($offset),
- 'sort' => CRM_Utils_Rule::string($sort),
- 'limit' => CRM_Utils_Rule::integer($limit),
+ 'offset' => CRM_Utils_Rule::integer($offset) ? $offset : NULL,
+ 'sort' => CRM_Utils_Rule::string($sort) ? $sort : NULL,
+ 'limit' => CRM_Utils_Rule::integer($limit) ? $limit : NULL,
 'return' => !empty($returnProperties) ? $returnProperties : NULL,
 );
+
+ if($options['sort'] && stristr($options['sort'], 'SELECT')) {
+ throw new API_Exception('invalid string in sort options');
+ }
 if (!$queryObject) {
 return $options;
 }
@@ -680,7 +684,10 @@ function _civicrm_api3_get_options_from_params(&$params, $queryObject = FALSE, $
 }
 elseif (in_array($n, $otherVars)) {}
 else{
- $inputParams[$n] = CRM_Utils_Rule::string($v);
+ $inputParams[$n] = $v;
+ if($v && !is_array($v) && stristr($v, 'SELECT')) {
+ throw new API_Exception('invalid string');
+ }
 }
 }
 $options['return'] = array_merge($returnProperties, $legacyreturnProperties);
-- 
2.25.1
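Review bot: The added `stristr($options['sort'], 'SELECT')` check in the first hunk is a substring denylist, which is the wrong shape for a value that (per the function name and the `sort` key) is presumably appended to an ORDER BY clause: it rejects any legitimate sort value that merely contains the letters "select" while not constraining what else may reach the query. A positive allow-list matching what a sort clause may legitimately contain is both stricter and avoids the false positives, e.g. `if ($options['sort'] !== NULL && !preg_match('/^[\w.]+( (ASC|DESC))?(, ?[\w.]+( (ASC|DESC))?)*$/i', $options['sort'])) { throw new API_Exception('invalid string in sort options'); }` — the exact permitted grammar should be confirmed against how `sort` is consumed, which is outside this hunk. The same denylist pattern appears in the second hunk on `$v`. `_civicrm_api3_get_options_from_params` begins before and continues after both hunks, so the checks' effect on later use of `$options['sort']` and `$inputParams` is not visible here.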
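Review bot: In the second hunk `$inputParams[$n] = $v;` now stores the raw value before it is validated, and the guard `if($v && !is_array($v) && ...)` never inspects array values or falsy scalars, so the `CRM_Utils_Rule::string($v)` coercion that the removed line applied is replaced by a check that does not cover all inputs. The check should run before the assignment and the message should name the offending parameter so callers can diagnose it, e.g. `throw new API_Exception("invalid string in parameter $n");`. If array-valued parameters are expected here, each element needs the same validation or an explicit comment stating why arrays are trusted; whether arrays are legitimate at this point cannot be determined from the hunk.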