From 97015d40348ce8fc7d1f055bdba1d2848309ebfe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Zimmermann?=
Date: Thu, 13 Nov 2014 13:56:40 +0100
Subject: [PATCH] correct order by in sql request
---
 isso/db/comments.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/isso/db/comments.py b/isso/db/comments.py
index 84ed27e..496a4e5 100644
--- a/isso/db/comments.py
+++ b/isso/db/comments.py
@@ -114,8 +114,12 @@ class Comments:
 sql.append('AND comments.parent=?')
 sql_args.append(parent)
 
- sql.append('ORDER BY ? ASC')
- sql_args.append(order_by)
+ # custom sanitization
+ if order_by not in ['id', 'created', 'modified', 'likes', 'dislikes']:
+ order_by = 'id'
+ sql.append('ORDER BY ')
+ sql.append(order_by)
+ sql.append(' ASC')
 
 if limit:
 sql.append('LIMIT ?')
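Review bot: The membership check on the `if order_by not in [...]` line is the only thing keeping `order_by` out of string-interpolated SQL, but the comment `# custom sanitization` does not say so; replace it with `# column names cannot be bound with '?', so the value is interpolated and must be restricted to known columns` and hoist the list into a module-level tuple (e.g. `ORDER_BY_COLUMNS = ('id', 'created', 'modified', 'likes', 'dislikes')`) so the allowlist is not buried inline and future columns are added in one place. The three appends that follow can be a single `sql.append('ORDER BY %s ASC' % order_by)`, which also stops the result depending on how `sql` is joined later. Silently falling back to `'id'` hides a caller passing a misspelled column name; raising `ValueError` would be stricter, though that is a behaviour choice for the author. Whether `likes` and `dislikes` are real columns of `comments` cannot be checked from this hunk, and the enclosing method starts and ends outside it.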