This may be overzealous in quoting all input not explicitly dealt with otherwise, but it seems prudent to err on the side of caution. Since the order parameter seems to be looking for a column name to use directly, quoting it won't work, so instead I'm validating it against a list of column names from the neatline_records table. This fixes the SQL injection test, and I haven't seen adverse effects, but there may be some in use cases I haven't yet tested.
This may be overzealous in quoting all input not explicitly dealt with otherwise, but it seems prudent to err on the side of caution. Since the
orderparameter seems to be looking for a column name to use directly, quoting it won't work, so instead I'm validating it against a list of column names from the neatline_records table. This fixes the SQL injection test, and I haven't seen adverse effects, but there may be some in use cases I haven't yet tested.