Update advanced search results to remove a possible SQL injection vector

commit 9861f31be78bf3881e7898230356cdf639a0891e 1 parent 191c3e4
Mark Evans markkevans authored haraldpdl committed
Showing with 10 additions and 10 deletions.
  1. +10 −10 catalog/advanced_search_result.php
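--- a/catalog/advanced_search_result.php
+++ b/catalog/advanced_search_result.php
@@ -271,39 +271,39 @@
 $where_str .= " group by p.products_id, tr.tax_priority";
 }
- if ( (!isset($HTTP_GET_VARS['sort'])) || (!preg_match('/[1-8][ad]/i', $HTTP_GET_VARS['sort'])) || (substr($HTTP_GET_VARS['sort'], 0, 1) > sizeof($column_list)) ) {
+ if ( (!isset($HTTP_GET_VARS['sort'])) || (!preg_match('/^[1-8][ad]$/', $HTTP_GET_VARS['sort'])) || (substr($HTTP_GET_VARS['sort'], 0, 1) > sizeof($column_list)) ) {
 for ($i=0, $n=sizeof($column_list); $i<$n; $i++) {
 if ($column_list[$i] == 'PRODUCT_LIST_NAME') {
 $HTTP_GET_VARS['sort'] = $i+1 . 'a';
- $order_str = ' order by pd.products_name';
+ $order_str = " order by pd.products_name";
 break;
 }
 }
 } else {
 $sort_col = substr($HTTP_GET_VARS['sort'], 0 , 1);
 $sort_order = substr($HTTP_GET_VARS['sort'], 1);
- $order_str = ' order by ';
+
 switch ($column_list[$sort_col-1]) {
 case 'PRODUCT_LIST_MODEL':
- $order_str .= "p.products_model " . ($sort_order == 'd' ? "desc" : "") . ", pd.products_name";
+ $order_str = " order by p.products_model " . ($sort_order == 'd' ? 'desc' : '') . ", pd.products_name";
 break;
 case 'PRODUCT_LIST_NAME':
- $order_str .= "pd.products_name " . ($sort_order == 'd' ? "desc" : "");
+ $order_str = " order by pd.products_name " . ($sort_order == 'd' ? 'desc' : '');
 break;
 case 'PRODUCT_LIST_MANUFACTURER':
- $order_str .= "m.manufacturers_name " . ($sort_order == 'd' ? "desc" : "") . ", pd.products_name";
+ $order_str = " order by m.manufacturers_name " . ($sort_order == 'd' ? 'desc' : '') . ", pd.products_name";
 break;
 case 'PRODUCT_LIST_QUANTITY':
- $order_str .= "p.products_quantity " . ($sort_order == 'd' ? "desc" : "") . ", pd.products_name";
+ $order_str = " order by p.products_quantity " . ($sort_order == 'd' ? 'desc' : '') . ", pd.products_name";
 break;
 case 'PRODUCT_LIST_IMAGE':
- $order_str .= "pd.products_name";
+ $order_str = " order by pd.products_name";
 break;
 case 'PRODUCT_LIST_WEIGHT':
- $order_str .= "p.products_weight " . ($sort_order == 'd' ? "desc" : "") . ", pd.products_name";
+ $order_str = " order by p.products_weight " . ($sort_order == 'd' ? 'desc' : '') . ", pd.products_name";
 break;
 case 'PRODUCT_LIST_PRICE':
- $order_str .= "final_price " . ($sort_order == 'd' ? "desc" : "") . ", pd.products_name";
+ $order_str = " order by final_price " . ($sort_order == 'd' ? 'desc' : '') . ", pd.products_name";
 break;
 }
 }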
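Review bot: Dropping the `$order_str = ' order by ';` initializer at the top of the else branch leaves `$order_str` unassigned whenever `$column_list[$sort_col-1]` resolves to a column that none of the seven `case` labels handle, so the query is built either from an undefined variable or from whatever value `$order_str` held before this hunk, which is outside my view. A `default:` arm that mirrors the PRODUCT_LIST_IMAGE branch closes that gap: `default:` / `$order_str = " order by pd.products_name";` / `break;`. Separately, in `/^[1-8][ad]$/` the `$` anchor still accepts one trailing newline; `\z` (or the `D` modifier) makes the match exact, though with `$sort_order` only ever compared against `'d'` this is hardening rather than an open injection path. The `if`/`else` starts and ends inside the hunk, but the surrounding script continues on both sides.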