diff --git a/absentee.php b/absentee.php
index 9badad8..1fcc288 100644
--- a/absentee.php
+++ b/absentee.php
@@ -101,6 +101,12 @@ $table->setup();
 $sortcolumns = $table->get_sort_columns();
 // Now do sorting if specified.
+// Sanity check $sort var before including in sql. Make sure it matches a known column.
+$allowedsort = array_diff(array_keys($table->columns), $table->column_nosort);
+if (!in_array($sort, $allowedsort)) {
+    $sort = '';
+}
+
 $orderby = ' ORDER BY percent ASC';
 if (!empty($sort)) {
     $direction = ' DESC';
diff --git a/coursesummary.php b/coursesummary.php
index 3d2bf51..45f4488 100644
--- a/coursesummary.php
+++ b/coursesummary.php
@@ -94,8 +94,14 @@ $table->setup();
 // Work out direction of sort required.
 $sortcolumns = $table->get_sort_columns();
-// Now do sorting if specified.
+// Sanity check $sort var before including in sql. Make sure it matches a known column.
+$allowedsort = array_diff(array_keys($table->columns), $table->column_nosort);
+if (!in_array($sort, $allowedsort)) {
+    $sort = '';
+}
+
+// Now do sorting if specified.
 $orderby = ' ORDER BY percentage ASC';
 if (!empty($sort)) {
     $direction = ' DESC';
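Review bot: The allow-list comparison `in_array($sort, $allowedsort)` in the new absentee.php block (and the identical block in coursesummary.php) uses loose equality, so a value that is not a known column can still pass when PHP's `==` coercion makes it compare equal to one, for example an integer 0 on PHP 7 or numeric-looking strings such as `'1e1'` against `'10'`. Since the point of the check is that only an exact column key reaches the ORDER BY string, pass the strict flag: `if (!in_array($sort, $allowedsort, true)) {`. Be aware that `array_keys()` yields integer keys for numeric-string column names, which a strict check would then reject; if any table column is named that way, `$allowedsort = array_map('strval', $allowedsort);` before the check keeps the comparison exact without breaking it. The direction value set under `if (!empty($sort))` continues outside the hunk, so whether it is likewise constrained to a fixed set cannot be confirmed here.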