
New helper function for cleaning SQL ORDER BY clauses


It seems that there are various places where we allow SQL (ORDER BY) fragments to be passed straight from input to the database. See MDL-71241 or MDL-71242.

While particular solutions were applied to fix those issues in the interim, it was agreed that this is not the best way to fix them, because:

1) They are particular to each individual case.
2) They are applied deep within the APIs; the cleaning/validation must happen earlier, in the entry/external layers.
3) We don't have a central way to clean/validate SQL (ORDER BY) fragments.

For a more elaborate analysis, read this and the following comments.

So this issue is about deciding which solutions (param, function or both) we can provide. And, once decided:

1) Implement them, thoroughly covered by tests.
2) Maybe partially undo MDL-71241 or MDL-71242 and replace them with the solution(s) implemented here.
3) Look for more similar cases, specifically within the external functions, and fix them.
4) Of course, document the new param and/or function.


PS: I've added the security level to this issue, to avoid any disclosure of information, but I think that the solutions implemented are more a security benefit, hence I have also added the label. Surely once we know about 3), if there are more cases to fix... we can decide which of the 2 (level or label) wins.
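As an added example (not code from the Moodle tracker or from the patches attached to this issue), this is one shape such a central helper could take: an allow-list validator that runs at the entry/external layer, before any SQL is assembled. The function name `clean_order_by`, its parameters and the sample column list are assumptions.

```php
<?php
// Added example, not Moodle's own code. The helper accepts only
// "<identifier> [ASC|DESC]" items whose identifier is on the caller's
// allow list, so quotes, parentheses, comments and subqueries never
// reach the database layer.

/**
 * Validate a user-supplied ORDER BY fragment such as "lastname DESC, id".
 * Returns the normalised fragment, or null if any part is not allowed.
 *
 * @param string   $fragment        raw input (assumed parameter name)
 * @param string[] $allowedcolumns  lower-case columns the caller permits
 */
function clean_order_by(string $fragment, array $allowedcolumns): ?string {
    $fragment = trim($fragment);
    if ($fragment === '') {
        return null;
    }
    $parts = [];
    foreach (explode(',', $fragment) as $item) {
        // Only a plain identifier and an optional direction keyword match.
        if (!preg_match('/^\s*([a-z_][a-z0-9_]*)(?:\s+(asc|desc))?\s*$/i', $item, $m)) {
            return null;
        }
        $column = strtolower($m[1]);
        // Strict comparison against the allow list: unknown columns fail
        // even when they are syntactically valid identifiers.
        if (!in_array($column, $allowedcolumns, true)) {
            return null;
        }
        $direction = !empty($m[2]) ? strtoupper($m[2]) : 'ASC';
        $parts[] = $column . ' ' . $direction;
    }
    return implode(', ', $parts);
}

// Constructed inputs showing the check at the boundary.
$allowed = ['id', 'lastname', 'timemodified'];
$inputs = [
    'lastname DESC, id',            // well-formed, allow-listed columns
    'lastname DESC, (SELECT 1)',    // contains a subquery
    'email',                        // column not on the allow list
    'timemodified asc, lastname',   // mixed-case direction is normalised
];
foreach ($inputs as $input) {
    var_dump(clean_order_by($input, $allowed));
}
```

The caller then passes the returned string to the DML layer only when it is non-null, and the allow list is derived from the columns the external function actually exposes, not from the request.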
