From 2cf93c046c790005e66670c5c4bfe5b6b3e72a67 Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Sun, 3 Dec 2017 13:54:03 +0300 Subject: [PATCH] pref-users: fix sorting the table --- classes/pref/users.php | 9 ++++++--- include/functions.php | 7 +++++++ 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/classes/pref/users.php b/classes/pref/users.php index 82893c54..b23950bd 100644 --- a/classes/pref/users.php +++ b/classes/pref/users.php @@ -376,7 +376,10 @@ class Pref_Users extends Handler_Protected { print ""; #pane print "
"; - print "
"; + $sort = validate_field($sort, + ["login", "access_level", "created", "num_feeds", "created", "last_login"], "login"); + + if ($sort != "login") $sort = "$sort DESC"; $sth = $this->pdo->prepare("SELECT tu.id, @@ -388,8 +391,8 @@ class Pref_Users extends Handler_Protected { ttrss_users tu WHERE (:search = '' OR login LIKE :search) AND tu.id > 0 - ORDER BY :sort"); - $sth->execute([":search" => $user_search ? "%$user_search%" : "", ":sort" => $sort]); + ORDER BY $sort"); + $sth->execute([":search" => $user_search ? "%$user_search%" : ""]); print "

"; diff --git a/include/functions.php b/include/functions.php index e781eee5..54fa2bd9 100644 --- a/include/functions.php +++ b/include/functions.php @@ -2548,6 +2548,13 @@ return $bad_tables; } + function validate_field($string, $allowed, $default = "") { + if (in_array($string, $allowed)) + return $string; + else + return $default; + } + function arr_qmarks($arr) { return str_repeat('?,', count($arr) - 1) . '?'; } -- 2.39.5