Changeset 13082 for trunk/src/bp-core/classes/class-bp-invitation.php

Timestamp:

08/18/2021 12:28:22 AM (4 years ago)

Author:

imath

Message:

Limit orderby values in BP_Invitation.

Ensure that passed orderby value matches a verified database column name.

Props dcavins

(trunk)

File:

• trunk/src/bp-core/classes/class-bp-invitation.php (modified) (2 diffs)

trunk/src/bp-core/classes/class-bp-invitation.php

@@ -131 +131 @@
      */
     public $accepted;
+
+    /**
+     * Columns in the invitations table.
+     *
+     * @since 9.0.0
+     * @access public
+     * @var array
+     */
+    public static $columns = array(
+        'id',
+        'user_id',
+        'inviter_id',
+        'invitee_email',
+        'class',
+        'item_id',
+        'secondary_item_id',
+        'type',
+        'content',
+        'date_modified',
+        'invite_sent',
+        'accepted'
+    );
 
     /** Public Methods ****************************************************/
@@ -474 +496 @@
         // Order by.
         if ( ! empty( $args['order_by'] ) ) {
-            $order_by               = implode( ', ', (array) $args['order_by'] );
-            $conditions['order_by'] = "{$order_by}";
+            $order_by_clean = array();
+            foreach ( (array) $args['order_by'] as $key => $value ) {
+                if ( in_array( $value, self::$columns, true ) ) {
+                    $order_by_clean[] = $value;
+                }
+            }
+            if ( ! empty( $order_by_clean ) ) {
+                $order_by               = implode( ', ', $order_by_clean );
+                $conditions['order_by'] = "{$order_by}";
+            }
         }