0002960: custom sorting in oxarticlelist->_getCategorySelect unsafe

ID	Project	Category	View Status	Date Submitted	Last Update

0002960	OXID eShop (all versions)	4.07. Source code, Test	public	2011-06-06 14:11	2012-12-10 13:44

Reporter	tjungcl	Assigned To
Priority	normal	Severity	minor	Reproducibility	always
Status	resolved	Resolution	won't fix
Product Version	4.5.0 revision 34568

Summary	0002960: custom sorting in oxarticlelist->_getCategorySelect unsafe
Description	in _getCategorySelect a sql-statement is created which contains customSorting. This looks for example like: ... ORDER BY oxvarminprice asc, oc.oxpos, oc.oxobjectid This works fine as long as the SQL stays untouched. To make the statement safer for custom sortings defined in the admin, future versions, modules, etc, the customSorting should also define the table/view where the sorting-field comes from: ... ORDER BY $sArticleTable.oxvarminprice asc, oc.oxpos, oc.oxobjectid
Tags	No tags attached.

Theme	Both
Browser	All
PHP Version	any
Database Version	any

birute_meilutyte 2011-06-08 15:25 reporter ~0004714	@developers: check from source code side

arvydas_vapsva 2011-08-24 09:00 reporter ~0005092 Last edited: 2011-08-24 09:02	this is a good idea to keep in mind while refactoring (in major release), thnx! We added this notice to our TODO list. But now you can use oxArticleList::setCustomSorting( $sSorting );