pref-users: fix sorting the table
authorAndrew Dolgov <noreply@fakecake.org>
Sun, 3 Dec 2017 10:54:03 +0000 (13:54 +0300)
committerAndrew Dolgov <noreply@fakecake.org>
Sun, 3 Dec 2017 10:54:31 +0000 (13:54 +0300)
classes/pref/users.php
include/functions.php

index 82893c5487376384c50e225be2895cb1503ca328..b23950bd3ba96331f8a3723dd223a32918c5aaba 100644 (file)
@@ -376,7 +376,10 @@ class Pref_Users extends Handler_Protected {
                        print "</div>"; #pane
                        print "<div id=\"pref-user-content\" dojoType=\"dijit.layout.ContentPane\" region=\"center\">";
 
-                       print "<div id=\"sticky-status-msg\"></div>";
+                       $sort = validate_field($sort,
+                               ["login", "access_level", "created", "num_feeds", "created", "last_login"], "login");
+
+                       if ($sort != "login") $sort = "$sort DESC";
 
                        $sth = $this->pdo->prepare("SELECT
                                        tu.id,
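Review bot: The allowlist passed to `validate_field()` lists `"created"` twice, so either one entry is redundant or a different sortable column was meant in its place. This should be checked against the columns the SELECT returns, most of which lie outside this hunk. The comparison `if ($sort != "login")` is loose; since `$sort` is now guaranteed to be one of the listed strings, `if ($sort !== "login") $sort = "$sort DESC";` states the intent exactly. The hunk also removes the `sticky-status-msg` div, which looks unrelated to sorting and may still be referenced by client code, so it would be better as a separate change.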
@@ -388,8 +391,8 @@ class Pref_Users extends Handler_Protected {
                                        ttrss_users tu
                                WHERE
                                        (:search = '' OR login LIKE :search) AND tu.id > 0
-                               ORDER BY :sort");
-                       $sth->execute([":search" => $user_search ? "%$user_search%" : "", ":sort" => $sort]);
+                               ORDER BY $sort");
+                       $sth->execute([":search" => $user_search ? "%$user_search%" : ""]);
 
                        print "<p><table width=\"100%\" cellspacing=\"0\"
                                class=\"prefUserList\" id=\"prefUserList\">";
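Review bot: `ORDER BY $sort` puts a variable into the SQL text, and nothing next to the query says why that is safe. It is safe only while `$sort` can hold nothing but an allowlisted column name, optionally followed by the literal ` DESC` appended in the previous hunk. I would add a comment directly above the `prepare()` call, for example `// $sort is interpolated, not bound (identifiers cannot be placeholders); it must come only from the validate_field() allowlist above`. A later edit that moves or loosens the validation would then be caught in review. The statement's remaining columns and the start of the method are outside this hunk.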
index e781eee51fab1c5841696091052662086aad15f5..54fa2bd9d140c1ab0deceb1285437306c16ea2e2 100644 (file)
                return $bad_tables;
        }
 
+       function validate_field($string, $allowed, $default = "") {
+               if (in_array($string, $allowed))
+                       return $string;
+               else
+                       return $default;
+       }
+
     function arr_qmarks($arr) {
         return str_repeat('?,', count($arr) - 1) . '?';
     }
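Review bot: `in_array($string, $allowed)` in `validate_field()` compares loosely, so a non-string input such as `true`, or integer `0` before PHP 8, matches a non-numeric entry in the list and is returned unchanged rather than replaced by `$default`. Because the caller in classes/pref/users.php splices the result into an `ORDER BY` clause, the helper should return only values that are literally in the list: `if (in_array($string, $allowed, true))`. A short docblock would also help, stating that the function gates values interpolated into SQL and that `$allowed` must be a hard-coded list, never derived from request data.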