correct order by in sql request

10 years ago · 97015d4034
parent b800a8bbe7
commit 97015d4034
1 changed files with 6 additions and 2 deletions
--- a/isso/db/comments.py
+++ b/isso/db/comments.py
@ -114,8 +114,12 @@ class Comments:
                sql.append('AND comments.parent=?')
                sql_args.append(parent)

-        sql.append('ORDER BY ? ASC')
-        sql_args.append(order_by)
+        # custom sanitization
+        if order_by not in ['id', 'created', 'modified', 'likes', 'dislikes']:
+            order_by = 'id'
+        sql.append('ORDER BY ')
+        sql.append(order_by)
+        sql.append(' ASC')

        if limit:
            sql.append('LIMIT ?')