Clean up some edge cases in `sanitize_sql_orderby()`. Merge of [32164] to the 3.7 branch.

Props vortfu, dd32.


Built from https://develop.svn.wordpress.org/branches/3.7@32192


git-svn-id: http://core.svn.wordpress.org/branches/3.7@32165 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-includes/formatting.php

@@ -1053,22 +1053,24 @@ function sanitize_title_with_dashes( $title, $raw_title = '', $context = 'displa
 }
 
 /**
- * Ensures a string is a valid SQL order by clause.
+ * Ensures a string is a valid SQL 'order by' clause.
  *
- * Accepts one or more columns, with or without ASC/DESC, and also accepts
+ * Accepts one or more columns, with or without a sort order (ASC / DESC).
- * RAND().
+ * e.g. 'column_1', 'column_1, column_2', 'column_1 ASC, column_2 DESC' etc.
+ *
+ * Also accepts 'RAND()'.
  *
  * @since 2.5.1
  *
- * @param string $orderby Order by string to be checked.
+ * @param string $orderby Order by clause to be validated.
- * @return string|bool Returns the order by clause if it is a match, false otherwise.
+ * @return string|bool Returns $orderby if valid, false otherwise.
  */
 function sanitize_sql_orderby( $orderby ) {
-	preg_match('/^\s*([a-z0-9_]+(\s+(ASC|DESC))?(\s*,\s*|\s*$))+|^\s*RAND\(\s*\)\s*$/i', $orderby, $obmatches);
+	if ( preg_match( '/^\s*(([a-z0-9_]+|`[a-z0-9_]+`)(\s+(ASC|DESC))?\s*(,\s*(?=[a-z0-9_`])|$))+$/i', $orderby ) || preg_match( '/^\s*RAND\(\s*\)\s*$/i', $orderby ) ) {
-	if ( !$obmatches )
-		return false;
 		return $orderby;
 	}
+	return false;
+}
 
 /**
  * Sanitizes an HTML classname to ensure it only contains valid characters.