Merge branch 'dev' of https://github.com/strangerstudios/pmpro-member…

…-directory into dev
strangerstudios · Feb 19, 2024 · abcaf1c · abcaf1c
2 parents 4760a2d + bbd72d0
commit abcaf1c
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/templates/directory.php b/templates/directory.php
@@ -83,6 +83,11 @@ function pmpromd_shortcode($atts, $content=null, $code="")
 	else
 		$s = "";
 
+	// Set the default order value to be either ASC or DESC.
+	if ( $order !== 'DESC' ) {
+		$order = 'ASC';
+	}
+
 	if(isset($_REQUEST['pn']))
 		$pn = intval($_REQUEST['pn']);
 	else
@@ -107,7 +112,9 @@ function pmpromd_shortcode($atts, $content=null, $code="")
 
 $sql_parts['GROUP'] = "GROUP BY u.ID ";
 
-$sql_parts['ORDER'] = "ORDER BY ". esc_sql($order_by) . " " . $order . " ";
+// Clean up order_by to only include text, underscores and periods.
+$order_by = preg_replace( '/[^a-z._]/', '', $order_by );
+$sql_parts['ORDER'] = "ORDER BY ". esc_sql( $order_by ) . " " . esc_sql( $order ) . " ";
 
 $sql_parts['LIMIT'] = "LIMIT $start, $limit";
 
@@ -136,6 +143,7 @@ function pmpromd_shortcode($atts, $content=null, $code="")
 
 // If levels are passed in.
 if ( $levels ) {
+	$levels = preg_replace('/[^0-9,]/', '', $levels ); // Only allow commas and numeric values.
 	$sql_parts['WHERE'] .= "AND mu.membership_id IN(" . esc_sql($levels) . ") ";
 }