fixed: UserList asset has SQL injection bug

This commit is contained in:
Graham Knop 2010-05-10 13:06:14 -05:00
parent 007391d5f1
commit 06d61ec19d
2 changed files with 6 additions and 1 deletions


@ -506,12 +506,16 @@ sub view {
$sql .= " and ".$constraint if ($constraint);
my $sortBy = $form->process('sortBy') || $self->get('sortBy') || 'users.username';
my $sortOrder = $form->process('sortOrder') || $self->get('sortOrder') || 'asc';
my $sortOrder = $form->process('sortOrder') || $self->get('sortOrder');
if (lc $sortOrder ne 'desc') {
$sortOrder = 'asc';
}
my @sortByUserProperties = ('dateCreated', 'lastUpdated', 'karma', 'userId');
if(isIn($sortBy,@sortByUserProperties)){
$sortBy = 'users.'.$sortBy;
}
$sortBy = join '.', map { $self->session->db->quoteIdentifier } split /\./, $sortBy;
$sql .= " order by ".$sortBy." ".$sortOrder;
($defaultPublicProfile) = $self->session->db->quickArray("SELECT dataDefault FROM userProfileField WHERE fieldName='publicProfile'");