3.9.7, 3.10.4, 3.11, 4.0
It seems that there are various places where we allow SQL (ORDER BY) fragments to be passed straight from input to the database. See MDL-71241 or MDL-71242.
While a particular solution was applied to fix those issues in the interim... it was agreed that that's not the best way to fix them, because:
1) They are particular to each individual case.
2) They are applied deep within the APIs; the cleaning/validation must happen earlier, in the entry/external layers.
3) We don't have a central way to clean/validate SQL (ORDER BY) fragments.
For a more elaborate analysis, read this and the following comments.
So this issue is about deciding which solutions (param, function or both) we can provide. And, once decided:
1) Implement them, crazily covered.
2) Maybe partially undo MDL-71241 or MDL-71242 and replace them by the solution(s) implemented here.
3) Look for more similar cases, specifically within the external functions and fix them.
4) Of course, document the new param and/or function.
PS: I've added the security level to this issue, to avoid any disclosure of information, but I think that the solutions implemented are more a security benefit, hence I have also added the label. Surely once we know about 3), if there are more cases to fix... we can decide which of the 2 (level or label) wins.
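
A sketch of the "function" option discussed above: one central validator that entry/external-layer code calls before any ORDER BY fragment reaches the database. This is an added example, not Moodle code and not part of the original issue; the function name `validate_orderby_fragment()`, its parameters and the sample column names are assumptions.

```php
<?php
// Added example: hypothetical helper, not part of Moodle's API.

/**
 * Validate an ORDER BY fragment against an allowlist of sortable columns.
 *
 * @param string $fragment Raw fragment from input, e.g. "lastname DESC, firstname".
 * @param string[] $allowed Column names (optionally alias-qualified) that may be sorted on.
 * @return string Normalised fragment that can be appended after "ORDER BY".
 * @throws InvalidArgumentException If any term is not "<allowed column> [ASC|DESC]".
 */
function validate_orderby_fragment(string $fragment, array $allowed): string {
    $terms = [];
    foreach (explode(',', $fragment) as $rawterm) {
        // Each term is a column name, optionally followed by a direction.
        $parts = preg_split('/\s+/', trim($rawterm), -1, PREG_SPLIT_NO_EMPTY);
        if (count($parts) < 1 || count($parts) > 2) {
            throw new InvalidArgumentException('Malformed ORDER BY term');
        }
        // Exact, strict match against the allowlist: no pattern matching on names.
        if (!in_array($parts[0], $allowed, true)) {
            throw new InvalidArgumentException('Column not sortable');
        }
        $direction = 'ASC';
        if (isset($parts[1])) {
            $direction = strtoupper($parts[1]);
            if ($direction !== 'ASC' && $direction !== 'DESC') {
                throw new InvalidArgumentException('Invalid sort direction');
            }
        }
        // Rebuild the term from validated pieces only; nothing from input is copied through unchecked.
        $terms[] = $parts[0] . ' ' . $direction;
    }
    return implode(', ', $terms);
}

// Constructed inputs, as they might arrive at an external function.
$allowed = ['firstname', 'lastname', 'timecreated'];
$samples = ['lastname desc, firstname', 'timecreated', 'firstname, (SELECT 1)', 'lastname sideways', 'id', ''];
foreach ($samples as $sample) {
    try {
        echo 'OK:       ' . validate_orderby_fragment($sample, $allowed) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'REJECTED: "' . $sample . '" (' . $e->getMessage() . ')' . PHP_EOL;
    }
}
```

Because the returned string is rebuilt from allowlisted names and a fixed direction keyword, the same call works for every caller, which addresses the "particular to each individual case" concern in point 1).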