authorHarald Eilertsen <haraldei@anduin.net>2023-01-29 13:57:03 +0100
committerHarald Eilertsen <haraldei@anduin.net>2023-01-29 13:57:03 +0100
commit8b6999b5bf0e8889bf81681ba9f8067ff4decfce (patch)
treed2fa0987d9a0e1141cdcf43052c5969bab2a45de
parentddc7d33dcff69a1a552e93c966a156ffd5bc3817 (diff)
Fix concert limit/offset queries.
- offset and limit were sensitive to the order in which they were added, and would be reversed if added in the wrong order. That was a bit confusing.
- offset and limit were not sanitized, so they were a vector for SQL injection. Fixed that now.
-rw-r--r--includes/class-giglogadmin-concert.php9
1 files changed, 5 insertions, 4 deletions
diff --git a/includes/class-giglogadmin-concert.php b/includes/class-giglogadmin-concert.php
index 94b1902..c277648 100644
--- a/includes/class-giglogadmin-concert.php
+++ b/includes/class-giglogadmin-concert.php
@@ -209,7 +209,8 @@ if ( ! class_exists( 'GiglogAdmin_Concert' ) ) {
);
$where = array();
- $lmt = array();
+ $offset = 0;
+ $limit = 15;
foreach ( $filter as $key => $value ) {
switch ( $key ) {
case 'name':
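Review bot: Dropping `$lmt = array();` here leaves the guard in the third hunk, `if ( ! empty( $lmt ) )`, testing a variable that is no longer assigned anywhere visible; `empty()` on an unset variable is true without a notice, so the new `LIMIT {$offset},{$limit}` line would never be appended and every query would return the full result set. Unless `$lmt` is still set somewhere outside these hunks, the guard should be keyed to the new variables, e.g. `if ( $limit > 0 ) {`, or dropped altogether since `$limit` now always holds a value. The enclosing method starts before this hunk.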
@@ -230,11 +231,11 @@ if ( ! class_exists( 'GiglogAdmin_Concert' ) ) {
break;
case 'offset':
- array_push( $lmt, $value );
+ $offset = intval( $value );
break;
case 'limit':
- array_push( $lmt, $value );
+ $limit = intval( $value );
break;
}
}
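Review bot: `intval( $value )` forces an integer, which is what closes the injection path, but it does not reject negative numbers, so an `offset` or `limit` of `-1` still reaches the query as `LIMIT -1,15`, which MySQL does not accept and which turns a bad filter value into a failed query. Clamping at the same spot keeps the fix and removes the error: `$offset = max( 0, intval( $value ) );` and `$limit = max( 0, intval( $value ) );`. Whether a `limit` of `0` should mean "no rows" or fall back to the default of 15 is worth stating in a comment next to the defaults. The switch and its enclosing method begin before this hunk.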
@@ -246,7 +247,7 @@ if ( ! class_exists( 'GiglogAdmin_Concert' ) ) {
$query .= ' ORDER BY wpgconcert_date';
if ( ! empty( $lmt ) ) {
- $query .= ' LIMIT ' . implode( ', ', $lmt );
+ $query .= " LIMIT {$offset},{$limit}";
}
return $query;