chore: validate orderby param for payment query

impress-org · Jul 12, 2019 · 97b9b5f · 97b9b5f
1 parent 6adb2e7
commit 97b9b5f
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/includes/payments/class-payments-query.php b/includes/payments/class-payments-query.php
@@ -815,6 +815,26 @@ public function gateway_filter() {
 	private function get_sql() {
 		global $wpdb;
 
+		$allowed_keys = array(
+			'post_name',
+			'post_author',
+			'post_date',
+			'post_title',
+			'post_status',
+			'post_modified',
+			'post_parent',
+			'post_type',
+			'menu_order',
+			'comment_count',
+		);
+
+		$this->args['orderby'] = 'post_parent__in';
+
+		// Whitelist orderby.
+		if( ! in_array( $this->args['orderby'], $allowed_keys ) ) {
+			$this->args['orderby'] = 'ID';
+		}
+
 		$where = "WHERE {$wpdb->posts}.post_type = 'give_payment'";
 		$where .= " AND {$wpdb->posts}.post_status IN ('" . implode( "','", $this->args['post_status'] ) . "')";