tlhunter
commented
12 years ago Open tlhunter opened 12 years ago
tlhunter
commented
12 years ago tlhunter
commented
12 years ago I'll accept the pull request, however, I think the same issue exists in the other controllers (most of them have a list_items() method).
Column sorting variables should use a switch statement to make sure they're valid.
Just skimming, and e.g. in: controllers/invoice.php $data['invoices'] = $this->invoice_model->select_multiple($this->session->userdata('company_id'), $page, $this->pref_user['per_page'], TRUE, $sort_col); $sort_col appears to be just uri_segment 2 of list_items. select_multiple() then calls: $sql = "SELECT id, name, DATEDIFF(NOW(), duedate) AS past_due FROM invoice WHERE company_id = " . $this->db->escape($company_id) . " ORDER BY $sort_col"; $sort_col is left as-is. It is certainly more difficult, since '()' aren't permitted in the uri, and we're already in the ORDER BY clause, but I think it may still be doable to get some blindsql into there.
--mmmooo