Add VIP: comment for orderby sanitization on users Indexable
rebeccahum committed Nov 2, 2021
1 parent ad6cf22 commit bc65863
Showing 1 changed file with 1 addition and 6 deletions.
7 changes: 1 addition & 6 deletions includes/classes/Indexable/User/User.php
Expand Up @@ -728,18 +728,13 @@ public function query_db( $args ) {
$args['order'] = 'desc';
}

/**
* Sanitize the ORDER BY clause
*/
// VIP: Sanitize orderby in advance to avoid quotes to work with mariadb since $wpdb->prepare quotes placeholders
$orderby_args = sanitize_sql_orderby( "{$args['orderby']} {$args['order']}" );
$orderby = $orderby_args ? sprintf( 'ORDER BY %s', $orderby_args ) : '';

/**
* WP_User_Query doesn't let us get users across all blogs easily. This is the best
* way to do that.
*
* The $wpdb->prepare will quote placeholders.
* We are sanitizing orderby in advance and putting it as a variable to avoid quotes.
*/
// @codingStandardsIgnoreStart
$objects = $wpdb->get_results( $wpdb->prepare( "SELECT SQL_CALC_FOUND_ROWS ID FROM {$wpdb->users} {$orderby} LIMIT %d, %d", (int) $args['offset'], (int) $args['number'] ) );
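Review bot: the replacement VIP comment states why `{$orderby}` is interpolated instead of being passed as a `%s` placeholder, but it is worth spelling out what `sanitize_sql_orderby()` does and does not guarantee at this point in the hunk. It accepts only strings of the form `column [ASC|DESC]` (optionally comma-separated, or `RAND()`) and returns false for anything else, so the ternary on the following line correctly emits no ORDER BY clause on rejection; it does not verify that the column exists in `{$wpdb->users}`, so an unknown column name would reach the query as a SQL error rather than being filtered. Please confirm that `$args['orderby']` is constrained to a known set of user-table columns above this hunk (the defaulting of `$args['order']` suggests that validation lives there, but it is not visible here), and consider noting that in the VIP comment. The `// @codingStandardsIgnoreStart` marker remains necessary, since WPCS flags the interpolated variable inside `$wpdb->prepare()`.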

0 comments on commit bc65863