Changeset 13069 for trunk/src/bp-notifications/classes/class-bp-notifications-notification.php

Timestamp:

08/17/2021 06:37:57 PM (4 years ago)

Author:

imath

Message:

Notifications: limit orderby values in BP_Notifications_Notification

Ensure that passed orderby value matches a verified database column name.

Props dcavins

(trunk)

File:

• trunk/src/bp-notifications/classes/class-bp-notifications-notification.php (modified) (2 diffs)

trunk/src/bp-notifications/classes/class-bp-notifications-notification.php

@@ -85 +85 @@
      */
     public $is_new;
+
+    /**
+     * Columns in the notifications table.
+     *
+     * @since 9.1.0
+     * @access public
+     * @var array
+     */
+    public static $columns = array(
+        'id',
+        'user_id',
+        'item_id',
+        'secondary_item_id',
+        'component_name',
+        'component_action',
+        'date_notified',
+        'is_new'
+    );
 
     /** Public Methods ********************************************************/
@@ -407 +425 @@
         // Order by.
         if ( ! empty( $args['order_by'] ) ) {
-            $order_by               = implode( ', ', (array) $args['order_by'] );
-            $conditions['order_by'] = "{$order_by}";
+            $order_by_clean = array();
+            foreach ( (array) $args['order_by'] as $key => $value ) {
+                if ( in_array( $value, self::$columns, true ) ) {
+                    $order_by_clean[] = $value;
+                }
+            }
+            if ( ! empty( $order_by_clean ) ) {
+                $order_by               = implode( ', ', $order_by_clean );
+                $conditions['order_by'] = "{$order_by}";
+            }
         }