
Changeset 32164


Timestamp:
04/20/2015 05:41:37 AM (10 years ago)
Author:
pento
Message:

Clean up some edge cases in sanitize_sql_orderby().

Props vortfu, dd32.

Location:
trunk
Files:
2 edited

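--- a/trunk/src/wp-includes/formatting.php
+++ b/trunk/src/wp-includes/formatting.php
@@ -1363,19 +1363,21 @@
 
 /**
- * Ensures a string is a valid SQL order by clause.
- *
- * Accepts one or more columns, with or without ASC/DESC, and also accepts
- * RAND().
+ * Ensures a string is a valid SQL 'order by' clause.
+ *
+ * Accepts one or more columns, with or without a sort order (ASC / DESC).
+ * e.g. 'column_1', 'column_1, column_2', 'column_1 ASC, column_2 DESC' etc.
+ *
+ * Also accepts 'RAND()'.
  *
  * @since 2.5.1
  *
- * @param string $orderby Order by string to be checked.
- * @return false|string Returns the order by clause if it is a match, false otherwise.
- */
-function sanitize_sql_orderby( $orderby ){
-    preg_match('/^\s*([a-z0-9_]+(\s+(ASC|DESC))?(\s*,\s*|\s*$))+|^\s*RAND\(\s*\)\s*$/i', $orderby, $obmatches);
-    if ( !$obmatches )
-        return false;
-    return $orderby;
+ * @param string $orderby Order by clause to be validated.
+ * @return string|bool Returns $orderby if valid, false otherwise.
+ */
+function sanitize_sql_orderby( $orderby ) {
+    if ( preg_match( '/^\s*(([a-z0-9_]+|`[a-z0-9_]+`)(\s+(ASC|DESC))?\s*(,\s*(?=[a-z0-9_`])|$))+$/i', $orderby ) || preg_match( '/^\s*RAND\(\s*\)\s*$/i', $orderby ) ) {
+        return $orderby;
+    }
+    return false;
 }
 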
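Review bot: The trailing `$` in both new patterns on the `if ( preg_match( ... ) || preg_match( ... ) )` line matches before a final newline, so an input such as `"field DESC\n"` is accepted and, because the function returns `$orderby` itself rather than a trimmed or rebuilt clause, the newline is passed through to the caller. Replacing each `$` with `\z` (including the inner one in `(,\s*(?=[a-z0-9_`])|$)`) or appending the `D` modifier to both patterns, e.g. `'/^\s*RAND\(\s*\)\s*$/iD'`, makes the end anchor strict. The new `@return string|bool` tag could be narrowed to `string|false`, since `true` is never returned and the two-way form is what callers compare against.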
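--- a/trunk/tests/phpunit/tests/formatting/SanitizeOrderby.php
+++ b/trunk/tests/phpunit/tests/formatting/SanitizeOrderby.php
@@ -1,38 +1,57 @@
 <?php
 
-/* // @todo These tests need to be rewritten for sanitize_sql_orderby
+/**
+ * @group sanitize_sql_orderby
+ */
 class Tests_Formatting_SanitizeOrderby extends WP_UnitTestCase {
-    function test_empty() {
-        $cols = array('a' => 'a');
-        $this->assertEquals( '', sanitize_sql_orderby('', $cols) );
-        $this->assertEquals( '', sanitize_sql_orderby('  ', $cols) );
-        $this->assertEquals( '', sanitize_sql_orderby("\t", $cols) );
-        $this->assertEquals( '', sanitize_sql_orderby(null, $cols) );
-        $this->assertEquals( '', sanitize_sql_orderby(0, $cols) );
-        $this->assertEquals( '', sanitize_sql_orderby('+', $cols) );
-        $this->assertEquals( '', sanitize_sql_orderby('-', $cols) );
+
+    /**
+     * @covers ::sanitize_sql_orderby
+     * @dataProvider valid_orderbys
+     */
+    function test_valid( $orderby ) {
+        $this->assertEquals( $orderby, sanitize_sql_orderby( $orderby ) );
+    }
+    function valid_orderbys() {
+        return array(
+            array( '1' ),
+            array( '1 ASC' ),
+            array( '1 ASC, 2' ),
+            array( '1 ASC, 2 DESC' ),
+            array( '1 ASC, 2 DESC, 3' ),
+            array( '       1      DESC' ),
+            array( 'field ASC' ),
+            array( 'field1 ASC, field2' ),
+            array( 'field_1 ASC, field_2 DESC' ),
+            array( 'field1, field2 ASC' ),
+            array( '`field1`' ),
+            array( '`field1` ASC' ),
+            array( '`field` ASC, `field2`' ),
+            array( 'RAND()' ),
+            array( '   RAND(  )   ' ),
+        );
     }
 
-    function test_unknown_column() {
-        $cols = array('name' => 'post_name', 'date' => 'post_date');
-        $this->assertEquals( '', sanitize_sql_orderby('unknown_column', $cols) );
-        $this->assertEquals( '', sanitize_sql_orderby('+unknown_column', $cols) );
-        $this->assertEquals( '', sanitize_sql_orderby('-unknown_column', $cols) );
-        $this->assertEquals( '', sanitize_sql_orderby('-unknown1,+unknown2,unknown3', $cols) );
-        $this->assertEquals( 'post_name ASC', sanitize_sql_orderby('name,unknown_column', $cols) );
-        $this->assertEquals( '', sanitize_sql_orderby('!@#$%^&*()_=~`\'",./', $cols) );
+    /**
+     * @covers ::sanitize_sql_orderby
+     * @dataProvider invalid_orderbys
+     */
+    function test_invalid( $orderby ) {
+        $this->assertFalse( sanitize_sql_orderby( $orderby ) );
     }
-
-    function test_valid() {
-        $cols = array('name' => 'post_name', 'date' => 'post_date', 'random' => 'rand()');
-        $this->assertEquals( 'post_name ASC', sanitize_sql_orderby('name', $cols) );
-        $this->assertEquals( 'post_name ASC', sanitize_sql_orderby('+name', $cols) );
-        $this->assertEquals( 'post_name DESC', sanitize_sql_orderby('-name', $cols) );
-        $this->assertEquals( 'post_date ASC, post_name ASC', sanitize_sql_orderby('date,name', $cols) );
-        $this->assertEquals( 'post_date ASC, post_name ASC', sanitize_sql_orderby(' date , name ', $cols) );
-        $this->assertEquals( 'post_name DESC, post_date ASC', sanitize_sql_orderby('-name,date', $cols) );
-        $this->assertEquals( 'post_name ASC, post_date ASC', sanitize_sql_orderby('name ,+ date', $cols) );
-        $this->assertEquals( 'rand() ASC', sanitize_sql_orderby('random', $cols) );
+    function invalid_orderbys() {
+        return array(
+            array( '' ),
+            array( '1 2' ),
+            array( '1, 2 3' ),
+            array( '1 DESC, ' ),
+            array( 'field-1' ),
+            array( 'field DESC,' ),
+            array( 'field1 field2' ),
+            array( 'field RAND()' ),
+            array( 'RAND() ASC' ),
+            array( '`field1` ASC, `field2' ),
+            array( 'field, !@#$%^' ),
+        );
     }
 }
-*/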
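Review bot: The new `invalid_orderbys` provider has no case for `RAND()` combined with a column or for a trailing newline, and `valid_orderbys` exercises only upper-case keywords even though both patterns carry the `i` modifier. Adding `array( 'field asc' ),` to `valid_orderbys` and `array( 'RAND(), field' ),` plus `array( "field DESC\n" ),` to `invalid_orderbys` would pin the intended behaviour at those edges. The newline case will only pass once the `$` anchors in formatting.php are made strict (`\z` or the `D` modifier), since PCRE's `$` otherwise matches before a final newline; the old commented-out tests also covered non-string input such as `null` and `0`, which the rewritten providers drop and may be worth keeping as invalid cases.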