Merge pull request #137 from Zimmi48/master

correct order by in sql request
2014-11-17 19:49:08 +01:00 · 2014-11-17 19:49:08 +01:00 · 8918c4a186
commit 8918c4a186
parent b800a8bbe7 97015d4034
1 changed files with 6 additions and 2 deletions
--- a/isso/db/comments.py
+++ b/isso/db/comments.py
@ -114,8 +114,12 @@ class Comments:
                sql.append('AND comments.parent=?')
                sql_args.append(parent)

-        sql.append('ORDER BY ? ASC')
-        sql_args.append(order_by)
+        # custom sanitization
+        if order_by not in ['id', 'created', 'modified', 'likes', 'dislikes']:
+            order_by = 'id'
+        sql.append('ORDER BY ')
+        sql.append(order_by)
+        sql.append(' ASC')

        if limit:
            sql.append('LIMIT ?')