Really sanitize orderBy and groupBy values

avbdr · avbdr · commit 58938e24e99e · 2014-05-07T10:01:25.000+03:00
diff --git a/MysqliDb.php b/MysqliDb.php
@@ -339,7 +339,7 @@ public function orderBy($orderByField, $orderbyDirection = "DESC")
     {
         $allowedDirection = Array ("ASC", "DESC");
         $orderbyDirection = strtoupper (trim ($orderbyDirection));
-        $orderByField = filter_var($orderByField, FILTER_SANITIZE_STRING);
+        $orderByField = preg_replace ("/[^-a-z0-9\.\(\),]+/i",'', $orderByField);
 
         if (empty($orderbyDirection) || !in_array ($orderbyDirection, $allowedDirection))
             die ('Wrong order direction: '.$orderbyDirection);
@@ -359,7 +359,7 @@ public function orderBy($orderByField, $orderbyDirection = "DESC")
      */
     public function groupBy($groupByField)
     {
-        $groupByField = filter_var($groupByField, FILTER_SANITIZE_STRING);
+        $groupByField = preg_replace ("/[^-a-z0-9\.\(\),]+/i",'', $groupByField);
 
         $this->_groupBy[] = $groupByField;
         return $this;
diff --git a/tests.php b/tests.php
@@ -181,6 +181,7 @@ function createTable ($name, $data) {
 
 $db->join("users u", "p.userId=u.id", "LEFT");
 $db->where("u.login",'user2');
+$db->orderBy("CONCAT(u.login, u.firstName)");
 $products = $db->get ("products p", null, "u.login, p.productName");
 if ($db->count != 2) {
     echo "Invalid products count on join ()";
