Diffstat (limited to 'includes/tablesort.inc')
-rw-r--r-- | includes/tablesort.inc | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/includes/tablesort.inc b/includes/tablesort.inc
index d241a0c2d..9c39c5ce8 100644
--- a/includes/tablesort.inc
+++ b/includes/tablesort.inc
@@ -39,9 +39,14 @@ function tablesort_init($header) {
 function tablesort_sql($header, $before = '') {
 $ts = tablesort_init($header);
 if ($ts['sql']) {
- $sql = db_escape_string($ts['sql']);
- $sort = drupal_strtoupper(db_escape_string($ts['sort']));
- return " ORDER BY $before $sql $sort";
+ // Based on code from db_escape_table(), but this can also contain a dot.
+ $field = preg_replace('/[^A-Za-z0-9_.]+/', '', $ts['sql']);
+
+ // Sort order can only be ASC or DESC.
+ $sort = drupal_strtoupper($ts['sort']);
+ $sort = in_array($sort, array('ASC', 'DESC')) ? $sort : '';
+
+ return " ORDER BY $before $field $sort";
 }
 } |
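Review bot: The `if ($ts['sql'])` guard still tests the unfiltered value, so a field that the new `preg_replace()` whitelist reduces to an empty string produces `ORDER BY $before` followed by nothing but the sort keyword, which fails at query time instead of being rejected here. Re-check after filtering, for example `if ($field === '') { return ''; }` placed right after the `preg_replace()` line, adjusted if callers depend on `$before` being emitted on its own. `$before` is also still interpolated into the clause verbatim; the hunk does not show where it comes from, so a comment such as `// $before is inserted as-is and must only ever be a hard-coded SQL fragment.` would document that assumption. Passing `TRUE` as the third argument of `in_array()` makes the ASC/DESC allow-list a strict comparison.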