esc_sql for $order attribute

* Security improvement for $order
strangerstudios · Feb 19, 2024 · 7885e15 · 7885e15
1 parent 162ef7a
commit 7885e15
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/templates/directory.php b/templates/directory.php
@@ -114,7 +114,7 @@ function pmpromd_shortcode($atts, $content=null, $code="")
 
 // Clean up order_by to only include text, underscores and periods.
 $order_by = preg_replace( '/[^a-z._]/', '', $order_by );
-$sql_parts['ORDER'] = "ORDER BY ". esc_sql($order_by) . " " . $order . " ";
+$sql_parts['ORDER'] = "ORDER BY ". esc_sql( $order_by ) . " " . esc_sql( $order ) . " ";
 
 $sql_parts['LIMIT'] = "LIMIT $start, $limit";