
Fix #466 - sanity check sort var before using.

MOODLE_36_STABLE
Dan Marsden 5 years ago
parent
commit
61c7f15e15
  1. 6
      absentee.php
  2. 8
      coursesummary.php

6
absentee.php

@ -101,6 +101,12 @@ $table->setup();
$sortcolumns = $table->get_sort_columns(); $sortcolumns = $table->get_sort_columns();
// Now do sorting if specified. // Now do sorting if specified.
// Sanity check $sort var before including in sql. Make sure it matches a known column.
$allowedsort = array_diff(array_keys($table->columns), $table->column_nosort);
if (!in_array($sort, $allowedsort)) {
$sort = '';
}
$orderby = ' ORDER BY percent ASC'; $orderby = ' ORDER BY percent ASC';
if (!empty($sort)) { if (!empty($sort)) {
$direction = ' DESC'; $direction = ' DESC';
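Review bot: The allowlist test `if (!in_array($sort, $allowedsort)) {` relies on PHP's loose `==` comparison; passing the strict flag, `if (!in_array($sort, $allowedsort, true)) {`, makes the match exact for a value that the comment says is about to be included in SQL. This assumes `$sort` arrives as a string and that the keys of `$table->columns` are strings, neither of which is visible in the hunk, so confirm that before switching. The same line is added in coursesummary.php. The `if (!empty($sort))` block that builds the ORDER BY clause continues outside the hunk, so it cannot be confirmed from here whether `$direction` is constrained in the same way.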

8
coursesummary.php

@ -94,8 +94,14 @@ $table->setup();
// Work out direction of sort required. // Work out direction of sort required.
$sortcolumns = $table->get_sort_columns(); $sortcolumns = $table->get_sort_columns();
// Now do sorting if specified.
// Sanity check $sort var before including in sql. Make sure it matches a known column.
$allowedsort = array_diff(array_keys($table->columns), $table->column_nosort);
if (!in_array($sort, $allowedsort)) {
$sort = '';
}
// Now do sorting if specified.
$orderby = ' ORDER BY percentage ASC'; $orderby = ' ORDER BY percentage ASC';
if (!empty($sort)) { if (!empty($sort)) {
$direction = ' DESC'; $direction = ' DESC';
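Review bot: The sanity check added here is a verbatim copy of the one added to absentee.php, so the two reports can drift apart if only one copy is changed later. Moving it into one shared function that takes the table and the requested sort and returns the validated column name (or `''`) would keep the ORDER BY allowlist in a single place. The comment could also record why the allowlist is needed, for example `// $sort ends up in the ORDER BY clause, where it cannot be a bound parameter, so accept only a sortable column of this table.` The script continues outside the hunk, so the point where `$sort` is read from the request is not visible here.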
