Really sanitize orderBy and groupBy values

58938e24 · Alexander Butenko · 1548e293 · 58938e24 · 58938e24
Commit 58938e24 authored May 07, 2014 by Alexander Butenko
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

MysqliDb.php MysqliDb.php +2 -2

tests.php tests.php +1 -0

No files found.
--- a/MysqliDb.php
+++ b/MysqliDb.php
@@ -339,7 +339,7 @@ class MysqliDb
    {
        $allowedDirection = Array ("ASC", "DESC");
        $orderbyDirection = strtoupper (trim ($orderbyDirection));
-        $orderByField = filter_var($orderByField, FILTER_SANITIZE_STRING);
+        $orderByField = preg_replace ("/[^-a-z0-9\.\(\),]+/i",'', $orderByField);

        if (empty($orderbyDirection) || !in_array ($orderbyDirection, $allowedDirection))
            die ('Wrong order direction: '.$orderbyDirection);
@@ -359,7 +359,7 @@ class MysqliDb
     */
    public function groupBy($groupByField)
    {
-        $groupByField = filter_var($groupByField, FILTER_SANITIZE_STRING);
+        $groupByField = preg_replace ("/[^-a-z0-9\.\(\),]+/i",'', $groupByField);

        $this->_groupBy[] = $groupByField;
        return $this;

--- a/tests.php
+++ b/tests.php
@@ -181,6 +181,7 @@ if ($db->count != 1) {

 $db->join("users u", "p.userId=u.id", "LEFT");
 $db->where("u.login",'user2');
+$db->orderBy("CONCAT(u.login, u.firstName)");
 $products = $db->get ("products p", null, "u.login, p.productName");
 if ($db->count != 2) {
    echo "Invalid products count on join ()";