X-Git-Url: https://git.wh0rd.org/?a=blobdiff_plain;f=classes%2Fpref%2Fusers.php;h=ad48e7a722a4b5be521a544da2b3fdf353859c25;hb=57932e183745bada9c6183056597cb5276f68d10;hp=82893c5487376384c50e225be2895cb1503ca328;hpb=4ee398a41e2176d4a5c997920db35cb6bed12f2e;p=tt-rss.git
diff --git a/classes/pref/users.php b/classes/pref/users.php
index 82893c54..ad48e7a7 100644
--- a/classes/pref/users.php
+++ b/classes/pref/users.php
@@ -20,12 +20,14 @@ class Pref_Users extends Handler_Protected {
function edit() {
global $access_level_names;
+ print "
";
- $user_search = trim($_REQUEST["search"]);
+ $user_search = trim(clean($_REQUEST["search"]));
if (array_key_exists("search", $_REQUEST)) {
$_SESSION["prefs_user_search"] = $user_search;
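Review bot: `$_REQUEST["search"]` is read on the `+` line before the `array_key_exists("search", $_REQUEST)` guard on the following line, so a request without that parameter raises an undefined-index notice and hands `null` to `clean()`; `$user_search = trim(clean($_REQUEST["search"] ?? ""));` keeps the guard meaningful. The same unguarded read appears in the second hunk, `$sort = clean($_REQUEST["sort"]);`, where `$_REQUEST["sort"] ?? ""` would do. What `clean()` does is not visible here, so it is presumably a project helper; worth confirming it copes with a non-string request value (an array) rather than assuming scalar input. The `edit()` body continues past this hunk.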
@@ -344,7 +344,7 @@ class Pref_Users extends Handler_Protected {
__('Search')."
";
- $sort = $_REQUEST["sort"];
+ $sort = clean($_REQUEST["sort"]);
if (!$sort || $sort == "undefined") {
$sort = "login";
@@ -376,7 +376,10 @@ class Pref_Users extends Handler_Protected {
print ""; #pane
print "";
- print "
";
+ $sort = validate_field($sort,
+ ["login", "access_level", "created", "num_feeds", "created", "last_login"], "login");
+
+ if ($sort != "login") $sort = "$sort DESC";
$sth = $this->pdo->prepare("SELECT
tu.id,
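Review bot: The sort column now reaches the query by interpolation (`ORDER BY $sort` in the next hunk) instead of a bound parameter, so the allowlist passed to `validate_field` on the `+` lines is the only thing standing between `$_REQUEST["sort"]` and the SQL; that is the right fix (a bound `:sort` would have ordered by a string literal), but it deserves a comment saying so, e.g. `// $sort is interpolated into ORDER BY below: it must leave validate_field() as one of these literals or the default`. The list repeats `"created"`, which is harmless but looks like a copy-paste slip — presumably one entry was meant to be a different column, worth checking against the columns the query selects. `if ($sort != "login")` uses a loose comparison; `!==` is the safer habit for a value that is about to be spliced into SQL. The `$sth = $this->pdo->prepare(` statement that begins at the end of this hunk continues into the next one.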
@@ -388,8 +391,8 @@ class Pref_Users extends Handler_Protected {
ttrss_users tu
WHERE
(:search = '' OR login LIKE :search) AND tu.id > 0
- ORDER BY :sort");
- $sth->execute([":search" => $user_search ? "%$user_search%" : "", ":sort" => $sort]);
+ ORDER BY $sort");
+ $sth->execute([":search" => $user_search ? "%$user_search%" : ""]);
print "
";
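Review bot: `$user_search ? "%$user_search%" : ""` on the `+` execute line tests truthiness, so a search for the login `0` is treated as no search at all and matches every user; `$user_search !== "" ? "%$user_search%" : ""` pins the intent. `%` and `_` inside the search string also remain LIKE metacharacters, which is a matching quirk rather than an injection risk since the value stays bound; a short comment would tell the next reader whether that is deliberate. The surrounding `prepare()` statement starts in the previous hunk.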
@@ -453,4 +456,4 @@ class Pref_Users extends Handler_Protected {
print ""; #container
}
- }
\ No newline at end of file
+ }