Index: wp-includes/post.php
===================================================================
--- wp-includes/post.php	(revision 7585)
+++ wp-includes/post.php	(working copy)
@@ -460,6 +460,10 @@
 	if (!empty($exclusions))
 		$exclusions .= ')';
 
+	// orderby
+	if ( preg_match( '/.+ (ASC|DESC)/i', $orderby ) )
+		$order = ''; // orderby has its own order, so we'll use that
+
 	$query  = "SELECT DISTINCT * FROM $wpdb->posts ";
 	$query .= empty( $category ) ? '' : ", $wpdb->term_relationships, $wpdb->term_taxonomy  ";
 	$query .= empty( $meta_key ) ? '' : ", $wpdb->postmeta ";
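Review bot: The pattern `/.+ (ASC|DESC)/i` on the added line is unanchored, so any orderby value that merely contains " asc" or " desc" somewhere in the middle (for example `menu_order ASC, ID`) also clears `$order`, and the trailing column is then emitted with no direction at all. Anchoring the test to the end of the value, `if ( preg_match( '/\s(ASC|DESC)\s*$/i', $orderby ) )`, limits the short-circuit to strings that really carry their own direction. The hunk does not show where `$orderby` comes from or whether it has already been restricted to known column names before it is spliced into `$query`, so the comment on the new line should say what the caller is expected to guarantee, e.g. `// orderby is assumed to be an already-validated column list; if it ends in ASC/DESC, skip the separate $order`. The enclosing function starts and ends outside the hunk.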
Index: wp-includes/media.php
===================================================================
--- wp-includes/media.php	(revision 7585)
+++ wp-includes/media.php	(working copy)
@@ -339,9 +339,9 @@
 	$output = apply_filters('post_gallery', '', $attr);
 	if ( $output != '' )
 		return $output;
-		
+
 	extract(shortcode_atts(array(
-		'orderby'    => 'menu_order ASC, ID ASC',
+		'orderby'    => '',
 		'id'         => $post->ID,
 		'itemtag'    => 'dl',
 		'icontag'    => 'dt',
@@ -351,8 +351,21 @@
 	), $attr));
 
 	$id = intval($id);
-	$orderby = addslashes($orderby);
-	$attachments = get_children("post_parent=$id&post_type=attachment&post_mime_type=image&orderby=\"{$orderby}\"");
+	
+	$order_cols = array(
+		'id' => 'ID',
+		'menu_order' => 'menu_order',
+		'name' => 'post_name',
+		'date' => 'post_date',
+		'title' => 'post_title',
+		'caption' => 'post_excerpt',
+		'random' => 'rand()',
+	);
+	$orderby = sanitize_orderby($orderby, $order_cols);
+	if ( !$orderby )
+		$orderby = 'menu_order ASC, ID ASC';
+		
+	$attachments = get_children("post_parent=$id&post_type=attachment&post_mime_type=image&orderby={$orderby}");
 
 	if ( empty($attachments) )
 		return '';
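Review bot: The `$order_cols` array is the allow-list that decides what can reach the SQL ORDER BY, but nothing in the hunk says so, and a later maintainer could add an entry whose value is built from the attribute rather than a literal column. Add a comment above it such as `// Allow-list for the shortcode's orderby attribute: keys are what the user may type, values are the literal SQL that replaces them — never map a key to anything derived from input.` The fallback on `if ( !$orderby )` relies on `sanitize_orderby()` returning an empty string when no item matched; that contract is only visible in formatting.php, so it is worth one sentence here too (`// sanitize_orderby() returns '' when nothing matched, so fall back to the old default`). Two of the added blank lines carry trailing tabs. The enclosing function starts and ends outside the hunk.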
@@ -426,7 +439,7 @@
 function adjacent_image_link($prev = true) {
 	global $post;
 	$post = get_post($post);
-	$attachments = array_values(get_children("post_parent=$post->post_parent&post_type=attachment&post_mime_type=image&orderby=\"menu_order ASC, ID ASC\""));
+	$attachments = array_values(get_children("post_parent=$post->post_parent&post_type=attachment&post_mime_type=image&orderby=menu_order ASC, ID ASC"));
 
 	foreach ( $attachments as $k => $attachment )
 		if ( $attachment->ID == $post->ID )
Index: wp-includes/formatting.php
===================================================================
--- wp-includes/formatting.php	(revision 7585)
+++ wp-includes/formatting.php	(working copy)
@@ -366,6 +366,23 @@
 	return $title;
 }
 
+// take a user-provided orderby string like 'foo, -bar' and turn it into a valid SQL ORDER BY clause
+function sanitize_orderby($orderby, $column_names) {
+	$out = array();
+	$items = explode(',', $orderby);
+	foreach ($items as $item) {
+		// items might look like 'foo', '+foo' or '-foo'
+		if ( preg_match('/^([-+]?)\s*(\w+)$/', trim($item), $m) ) {
+			$direction = ( $m[1] == '-' ? 'DESC' : 'ASC' );
+			$column = strtolower($m[2]);
+			if ( isset( $column_names[$column] ) )
+				$out[] = "{$column_names[$column]} {$direction}";
+		}
+	}
+
+	return join(', ', $out);
+}
+
 function convert_chars($content, $deprecated = '') {
 	// Translation of invalid Unicode references range to valid range
 	$wp_htmltranswinuni = array(
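Review bot: `sanitize_orderby()` has the important property that its return value is assembled only from `$column_names` values plus the literals `ASC`/`DESC` (the `isset` check before `$out[] = ...` drops anything not in the map), but the one-line header does not state it, and it is exactly the guarantee callers need before interpolating the result into a query. Replace the header with a docblock that says the output contains only allow-listed column expressions, that unknown or malformed items are silently discarded, that `$column_names` keys must be lowercase because the lookup is on `strtolower($m[2])`, and that an empty string means "nothing valid was given" so callers must apply their own default. Two small points of style inside the loop: `$m[1] == '-'` should be the strict `$m[1] === '-'`, and `join` is an alias for `implode`, which is the conventional name.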
