Bug 27715: Sanitize order by DT params
author: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Thu, 18 Feb 2021 14:49:40 +0000 (15:49 +0100)
committer: Victor Grousset/tuxayo <victor@tuxayo.net>
Tue, 23 Feb 2021 21:32:52 +0000 (22:32 +0100)
commit: cdb6eb0f848b1d242d810e8857aebf1ebc94ea90
tree: d9de89fce7d2238347aab4c8799824c9867d3b3a
parent: 82180902d840f0055e0c96ab34e58ba4e03b1f6d
Bug 27715: Sanitize order by DT params

We are not on the safe side when we build the ORDER BY clause from the
DataTables parameters.

I've started to limit the columns by using Koha::Objects->columns, but
for instance for the patron search we need (at least) the columns from
the branches, categories and members tables.
It seems easier, and still safe, to use a regex.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Joonas Kylmälä <joonas.kylmala@helsinki.fi>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
C4/Utils/DataTables.pm
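As an added illustration of the sanitization the commit message describes (example code written for this page, not the contents of Koha's C4/Utils/DataTables.pm; the regex, the helper names and the sample parameters are assumptions), the following contrasts the unchecked pattern with a regex allowlist applied to each column name and sort direction before the ORDER BY clause is built:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Unsafe pattern the commit describes replacing: the column name and the
# direction taken from the request are interpolated verbatim into SQL.
sub build_order_by_unchecked {
    my ( $col, $dir ) = @_;
    return "ORDER BY $col $dir";
}

# Hypothetical sanitizer, assumed for this example (not Koha's actual regex):
# accept only "column" or "table.column" identifiers and the two SQL sort
# directions; anything else is dropped from the clause instead of reaching SQL.
sub sanitize_order_by {
    my ( $columns, $dirs ) = @_;
    my @order_by;
    for my $i ( 0 .. $#{$columns} ) {
        my $col = $columns->[$i] // '';
        my $dir = lc( $dirs->[$i] // 'asc' );

        # Identifier allowlist: letters, digits and underscore, optionally
        # qualified by exactly one table name. Spaces, commas, quotes and
        # comment markers cannot match, so they never reach the query.
        next unless $col =~ /\A(?:[A-Za-z_][A-Za-z0-9_]*\.)?[A-Za-z_][A-Za-z0-9_]*\z/;
        next unless $dir =~ /\A(?:asc|desc)\z/;

        push @order_by, "$col $dir";
    }
    return @order_by ? 'ORDER BY ' . join( ', ', @order_by ) : '';
}

# Constructed sort parameters, of the kind DataTables sends for the patron
# search once its column indices have been mapped to names from the
# borrowers, branches and categories tables.
my @cols = ( 'borrowers.surname', 'branches.branchname', 'categories.description' );
my @dirs = ( 'asc', 'DESC', 'asc' );
print sanitize_order_by( \@cols, \@dirs ), "\n";

# A constructed malformed value: it is not an identifier, so it is rejected
# and only the well-formed column survives in the clause.
print sanitize_order_by( [ 'surname, 1 --', 'branches.branchname' ], [ 'asc', 'asc' ] ), "\n";
```

The allowlist is needed because DBI bind parameters only substitute values, never identifiers, so a column name coming from the client cannot be protected with a placeholder. Restricting the names to a fixed server-side list (the Koha::Objects->columns approach the author tried first) is stricter still; the regex is the looser option the commit settles on because the patron search joins several tables.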