Commit
Merge branch 'develop' into release/3.16.2
Jon Waldstein committed Sep 25, 2024
2 parents cabf5a3 + f343437 commit 48006af
Showing 1 changed file with 7 additions and 2 deletions.
9 changes: 7 additions & 2 deletions includes/donors/class-give-donors-query.php
Expand Up @@ -481,14 +481,19 @@ private function get_order_query() {

// Create query.
foreach ( $ordersby as $orderby => $order ) {
/**
* @unreleased Prevent SQL Injection by not using the user defined order value directly in the query.
*/
$sanitizedOrder = $order === 'ASC' ? 'ASC' : 'DESC';

switch ( $table_columns[ $orderby ] ) {
case '%d':
case '%f':
$query[] = "{$this->table_name}.{$orderby}+0 {$order}";
$query[] = "{$this->table_name}.{$orderby}+0 {$sanitizedOrder}";
break;

default:
$query[] = "{$this->table_name}.{$orderby} {$order}";
$query[] = "{$this->table_name}.{$orderby} {$sanitizedOrder}";
}
}

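Review bot: the sort direction is now whitelisted, but the column name `$orderby` is still interpolated into the query unchecked. In this hunk `$table_columns[ $orderby ]` is only used as the `switch` key, so a key that is absent from `$table_columns` evaluates to null, falls through to the `default:` branch and is emitted verbatim in `"{$this->table_name}.{$orderby} {$sanitizedOrder}"`. Unless the keys of `$ordersby` are validated against `$table_columns` before this loop (not visible in the hunk), add `if ( ! isset( $table_columns[ $orderby ] ) ) { continue; }` ahead of the `switch` so only known columns reach the ORDER BY clause. Separately, `$order === 'ASC'` is case-sensitive, so a lowercase `'asc'` silently becomes `DESC`; `strtoupper( $order ) === 'ASC'` keeps the whitelist while preserving the caller's intent.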
