#4432 closed Defect (fixed)
elgg_get_entities: order_by and group_by options run through sanitise_string()
| Reported by: | mrclay | Owned by: | |
|---|---|---|---|
| Priority: | low | Milestone: | Elgg 1.8.7 |
| Component: | Core | Version: | 1.8.3 |
| Severity: | trivial | Keywords: | |
| Cc: | brett@… | Difficulty: | easy |
Description
To order by last name, one must join in the user entity table and order by REVERSE(SUBSTRING_INDEX(REVERSE(name), ' ', 1)). The problem is that single or double quote chars get escaped (prepending them with \).
Is this escaping necessary?
BTW, I got around it by using CHAR(32) instead of the string.
Change History (7)
comment:1 Changed 14 months ago by brettp
- Difficulty set to easy
- Milestone changed from Needs Review to Elgg 1.8.x
- Priority changed from normal to low
- Severity changed from minor to trivial
- Summary changed from elgg_get_entities: order_by clauses have quotes escaped to elgg_get_entities: order_by and group_by options run through sanitise_string()
comment:2 Changed 13 months ago by mrclay
comment:3 Changed 11 months ago by cash
- Milestone changed from Elgg 1.8.x to Elgg 1.8.7
comment:4 Changed 11 months ago by Steve Clay
- Resolution set to fixed
- Status changed from new to closed
Fixes #4432: Do not escape ORDER BY/GROUP BY clauses in elgg_get_entities
Changeset: 76978dd5620b5664e68a3a4068d5bd07771fe7ea
comment:5 Changed 11 months ago by Cash Costello
Merge pull request #189 from mrclay/t4432
Fix ticket 4432
Changeset: d71309056037adc869319566f9ec53313eb192d8
comment:6 Changed 11 months ago by Steve Clay
Fixes #4432: Do not escape ORDER BY/GROUP BY clauses in elgg_get_entities
Changeset: 76978dd5620b5664e68a3a4068d5bd07771fe7ea
comment:7 Changed 11 months ago by Cash Costello
Merge pull request #189 from mrclay/t4432
Fix ticket 4432
Changeset: d71309056037adc869319566f9ec53313eb192d8
order_by and group_by both run through sanitise_string(). This is a low level attempt to prevent SQL injection attacks for poorly written plugins that pass an order_by or group_by clause directly from input. We don't do that with any other clause, so I think it can be removed for order_by and group_by.