\mod_oublog_external::get_blog_allposts_parameters accepts a $sort parameter of type PARAM_TEXT.
This is then passed to:
oublog_import_getallposts($params['blogid'], $params['sort'],
Where it's used as:
$sql = "SELECT p.id, p.timeposted, p.title
FROM {oublog_posts} p
INNER JOIN {oublog_instances} bi on bi.id = p.oubloginstancesid
$tagjoin
WHERE bi.userid = ?
AND bi.oublogid = ?
AND p.deletedby IS NULL
$tagwhere
ORDER BY p." . $sort;
It would be a good idea to sanitize / validate the value of $sort before concatenation.
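One way to do the validation suggested above, as an added example that is not mod_oublog's own code. The helper name `oublog_validate_sort()` is hypothetical, and it assumes `$sort` has the form `<column> [ASC|DESC]` and that only the three columns selected in the query above are sortable.

```php
<?php
// Added example, not mod_oublog code. Assumption: $sort has the form
// "<column> [ASC|DESC]" and only the columns selected in the query on
// this page (id, timeposted, title) may be used for sorting.

/**
 * Hypothetical helper: return a safe ORDER BY fragment or throw.
 * Bound placeholders (?) carry values only, so an identifier such as a
 * sort column has to be checked against a fixed allowlist instead.
 */
function oublog_validate_sort(string $sort): string {
    $columns = ['id', 'timeposted', 'title'];
    $parts = preg_split('/\s+/', trim($sort));
    if ($parts === false || count($parts) > 2) {
        throw new InvalidArgumentException('Invalid sort value');
    }
    $column = strtolower($parts[0]);
    $direction = strtoupper($parts[1] ?? 'ASC');
    if (!in_array($column, $columns, true) ||
            !in_array($direction, ['ASC', 'DESC'], true)) {
        throw new InvalidArgumentException('Invalid sort value');
    }
    // Rebuild the fragment from allowlisted literals, never from the input.
    return 'p.' . $column . ' ' . $direction;
}

// Constructed sample inputs: three well-formed values, three that must fail.
$samples = ['timeposted DESC', 'title', 'id asc',
            'timeposted DESC, 1', 'title;', ''];
foreach ($samples as $sample) {
    try {
        $result = 'ORDER BY ' . oublog_validate_sort($sample);
    } catch (InvalidArgumentException $e) {
        $result = 'rejected';
    }
    echo str_pad("'" . $sample . "'", 24), ' => ', $result, "\n";
}
```

The returned fragment already includes the `p.` alias, so the query would end with `ORDER BY " . oublog_validate_sort($sort)` rather than `ORDER BY p." . $sort`.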