Clean up some edge cases in `sanitize_sql_orderby()`.

Props vortfu, dd32.


Built from https://develop.svn.wordpress.org/trunk@32164


git-svn-id: http://core.svn.wordpress.org/trunk@32139 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Gary Pendergast 2015-04-20 05:42:25 +00:00
parent 2bbd21f543
commit f32bbeeb95
2 changed files with 13 additions and 11 deletions

View File

@ -1362,21 +1362,23 @@ function sanitize_title_with_dashes( $title, $raw_title = '', $context = 'displa
}
/**
* Ensures a string is a valid SQL order by clause.
* Ensures a string is a valid SQL 'order by' clause.
*
* Accepts one or more columns, with or without ASC/DESC, and also accepts
* RAND().
* Accepts one or more columns, with or without a sort order (ASC / DESC).
* e.g. 'column_1', 'column_1, column_2', 'column_1 ASC, column_2 DESC' etc.
*
* Also accepts 'RAND()'.
*
* @since 2.5.1
*
* @param string $orderby Order by string to be checked.
* @return false|string Returns the order by clause if it is a match, false otherwise.
* @param string $orderby Order by clause to be validated.
* @return string|bool Returns $orderby if valid, false otherwise.
*/
function sanitize_sql_orderby( $orderby ){
preg_match('/^\s*([a-z0-9_]+(\s+(ASC|DESC))?(\s*,\s*|\s*$))+|^\s*RAND\(\s*\)\s*$/i', $orderby, $obmatches);
if ( !$obmatches )
return false;
return $orderby;
function sanitize_sql_orderby( $orderby ) {
if ( preg_match( '/^\s*(([a-z0-9_]+|`[a-z0-9_]+`)(\s+(ASC|DESC))?\s*(,\s*(?=[a-z0-9_`])|$))+$/i', $orderby ) || preg_match( '/^\s*RAND\(\s*\)\s*$/i', $orderby ) ) {
return $orderby;
}
return false;
}
/**

View File

@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
$wp_version = '4.2-RC1-32162';
$wp_version = '4.2-RC1-32164';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.