Rewrite a function parameter to avoid having to pass SQL

This is not a security fix but rather a cleanup to harden this code and make it harder to accidentally introduce a SQL injection in the future. Signed-off-by: Francois Marier <francois@catalyst.net.nz>

Rewrite a function parameter to avoid having to pass SQL
This is not a security fix but rather a cleanup to harden this code and make it harder to accidentally introduce a SQL injection in the future. Signed-off-by: Francois Marier <francois@catalyst.net.nz>
dc04329d · Francois Marier · a62cb836 · dc04329d · dc04329d
Commit dc04329d authored May 25, 2010 by Francois Marier
--- a/htdocs/blocktype/newviews/lib.php
+++ b/htdocs/blocktype/newviews/lib.php
@@ -51,7 +51,8 @@ class PluginBlocktypeNewViews extends SystemBlocktype {
        $configdata = $instance->get('configdata');
        $nviews = isset($configdata['limit']) ? intval($configdata['limit']) : 5;
-        $views = View::view_search(null, null, null, null, $nviews, 0, true, 'mtime DESC');
+        $sort = array(array('column' => 'mtime', 'desc' => true));
+        $views = View::view_search(null, null, null, null, $nviews, 0, true, $sort);
        $smarty = smarty_core();
        $smarty->assign('loggedin', $USER->is_logged_in());
        $smarty->assign('views', $views->data);

--- a/htdocs/lib/view.php
+++ b/htdocs/lib/view.php
@@ -2214,7 +2214,7 @@ class View {
     * @param integer  $limit
     * @param integer  $offset
     * @param bool     $extra       Return full set of properties on each view including an artefact list
-     * @param string   $sort        Order by
+     * @param array    $sort        Order by, each element of the array is an array containing "column" (string) and "desc" (boolean)
     *
     */
    public static function view_search($query=null, $ownerquery=null, $ownedby=null, $copyableby=null, $limit=null, $offset=0, $extra=true, $sort=null) {
@@ -2333,7 +2333,26 @@ class View {
        }
        $count = count_records_sql('SELECT COUNT (DISTINCT v.id) ' . $from . $where, $ph);
-        $orderby = is_null($sort) ? 'title ASC' : $sort;
+        $orderby = 'title ASC';
+        if (!empty($sort)) {
+            $orderby = '';
+            foreach ($sort as $item) {
+                if (!preg_match('/^[a-zA-Z_0-9"]+$/', $item['column'])) {
+                    continue; // skip this item (it fails validation)
+                }
+                if (!empty($orderby)) {
+                    $orderby .= ', ';
+                }
+                $orderby .= $item['column'];
+                if ($item['desc']) {
+                    $orderby .= ' DESC';
+                }
+                else {
+                    $orderby .= ' ASC';
+                }
+            }
+        }
        $viewdata = get_records_sql_array('
            SELECT * FROM (
                SELECT