Escape the order_by parameters so that we avoid invalid SQL being executed

alextselegidis · alextselegidis · commit 0f0d71cfe069 · 2025-04-28T09:37:35.000+03:00
diff --git a/application/models/Admins_model.php b/application/models/Admins_model.php
@@ -205,7 +205,7 @@ public function get(
         }
 
         if ($order_by !== null) {
-            $this->db->order_by($order_by);
+            $this->db->order_by($this->db->escape($order_by));
         }
 
         $admins = $this->db->get_where('users', ['id_roles' => $role_id], $limit, $offset)->result_array();
@@ -512,7 +512,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,
             ->group_end()
             ->limit($limit)
             ->offset($offset)
-            ->order_by($order_by)
+            ->order_by($this->db->escape($order_by))
             ->get()
             ->result_array();
 
diff --git a/application/models/Appointments_model.php b/application/models/Appointments_model.php
@@ -185,7 +185,7 @@ public function get(
         }
 
         if ($order_by) {
-            $this->db->order_by($order_by);
+            $this->db->order_by($this->db->escape($order_by));
         }
 
         $appointments = $this->db
@@ -492,7 +492,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,
             ->group_end()
             ->limit($limit)
             ->offset($offset)
-            ->order_by($order_by)
+            ->order_by($this->db->escape($order_by))
             ->get()
             ->result_array();
 
diff --git a/application/models/Blocked_periods_model.php b/application/models/Blocked_periods_model.php
@@ -241,7 +241,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,
             ->group_end()
             ->limit($limit)
             ->offset($offset)
-            ->order_by($order_by)
+            ->order_by($this->db->escape($order_by))
             ->get()
             ->result_array();
 
@@ -273,7 +273,7 @@ public function get(
         }
 
         if ($order_by !== null) {
-            $this->db->order_by($order_by);
+            $this->db->order_by($this->db->escape($order_by));
         }
 
         $blocked_periods = $this->db->get('blocked_periods', $limit, $offset)->result_array();
diff --git a/application/models/Consents_model.php b/application/models/Consents_model.php
@@ -206,7 +206,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,
             ->group_end()
             ->limit($limit)
             ->offset($offset)
-            ->order_by($order_by)
+            ->order_by($this->db->escape($order_by))
             ->get()
             ->result_array();
 
@@ -238,7 +238,7 @@ public function get(
         }
 
         if ($order_by !== null) {
-            $this->db->order_by($order_by);
+            $this->db->order_by($this->db->escape($order_by));
         }
 
         $consents = $this->db->get('consents', $limit, $offset)->result_array();
diff --git a/application/models/Customers_model.php b/application/models/Customers_model.php
@@ -167,7 +167,7 @@ public function get(
         }
 
         if ($order_by !== null) {
-            $this->db->order_by($order_by);
+            $this->db->order_by($this->db->escape($order_by));
         }
 
         $customers = $this->db->get_where('users', ['id_roles' => $role_id], $limit, $offset)->result_array();
@@ -415,7 +415,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,
             ->group_end()
             ->limit($limit)
             ->offset($offset)
-            ->order_by($order_by)
+            ->order_by($this->db->escape($order_by))
             ->get()
             ->result_array();
 
diff --git a/application/models/Providers_model.php b/application/models/Providers_model.php
@@ -219,7 +219,7 @@ public function get(
         }
 
         if ($order_by !== null) {
-            $this->db->order_by($order_by);
+            $this->db->order_by($this->db->escape($order_by));
         }
 
         $providers = $this->db->get_where('users', ['id_roles' => $role_id], $limit, $offset)->result_array();
@@ -701,7 +701,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,
             ->group_end()
             ->limit($limit)
             ->offset($offset)
-            ->order_by($order_by)
+            ->order_by($this->db->escape($order_by))
             ->get()
             ->result_array();
 
diff --git a/application/models/Roles_model.php b/application/models/Roles_model.php
@@ -283,7 +283,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,
             ->group_end()
             ->limit($limit)
             ->offset($offset)
-            ->order_by($order_by)
+            ->order_by($this->db->escape($order_by))
             ->get()
             ->result_array();
 
@@ -315,7 +315,7 @@ public function get(
         }
 
         if ($order_by !== null) {
-            $this->db->order_by($order_by);
+            $this->db->order_by($this->db->escape($order_by));
         }
 
         $roles = $this->db->get('roles', $limit, $offset)->result_array();
diff --git a/application/models/Secretaries_model.php b/application/models/Secretaries_model.php
@@ -217,7 +217,7 @@ public function get(
         }
 
         if ($order_by !== null) {
-            $this->db->order_by($order_by);
+            $this->db->order_by($this->db->escape($order_by));
         }
 
         $secretaries = $this->db->get_where('users', ['id_roles' => $role_id], $limit, $offset)->result_array();
@@ -538,7 +538,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,
             ->group_end()
             ->limit($limit)
             ->offset($offset)
-            ->order_by($order_by)
+            ->order_by($this->db->escape($order_by))
             ->get()
             ->result_array();
 
diff --git a/application/models/Service_categories_model.php b/application/models/Service_categories_model.php
@@ -235,7 +235,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,
             ->group_end()
             ->limit($limit)
             ->offset($offset)
-            ->order_by($order_by)
+            ->order_by($this->db->escape($order_by))
             ->get()
             ->result_array();
 
@@ -267,7 +267,7 @@ public function get(
         }
 
         if ($order_by !== null) {
-            $this->db->order_by($order_by);
+            $this->db->order_by($this->db->escape($order_by));
         }
 
         $service_categories = $this->db->get('service_categories', $limit, $offset)->result_array();
diff --git a/application/models/Services_model.php b/application/models/Services_model.php
@@ -318,7 +318,7 @@ public function get(
         }
 
         if ($order_by !== null) {
-            $this->db->order_by($order_by);
+            $this->db->order_by($this->db->escape($order_by));
         }
 
         $services = $this->db->get('services', $limit, $offset)->result_array();
@@ -361,7 +361,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,
             ->group_end()
             ->limit($limit)
             ->offset($offset)
-            ->order_by($order_by)
+            ->order_by($this->db->escape($order_by))
             ->get()
             ->result_array();
 
diff --git a/application/models/Settings_model.php b/application/models/Settings_model.php
@@ -226,7 +226,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,
             ->group_end()
             ->limit($limit)
             ->offset($offset)
-            ->order_by($order_by)
+            ->order_by($this->db->escape($order_by))
             ->get()
             ->result_array();
 
@@ -258,7 +258,7 @@ public function get(
         }
 
         if ($order_by !== null) {
-            $this->db->order_by($order_by);
+            $this->db->order_by($this->db->escape($order_by));
         }
 
         $settings = $this->db->get('settings', $limit, $offset)->result_array();
diff --git a/application/models/Unavailabilities_model.php b/application/models/Unavailabilities_model.php
@@ -153,7 +153,7 @@ public function get(
         }
 
         if ($order_by) {
-            $this->db->order_by($order_by);
+            $this->db->order_by($this->db->escape($order_by));
         }
 
         $unavailabilities = $this->db
@@ -330,7 +330,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,
             ->group_end()
             ->limit($limit)
             ->offset($offset)
-            ->order_by($order_by)
+            ->order_by($this->db->escape($order_by))
             ->get()
             ->result_array();
 
diff --git a/application/models/Users_model.php b/application/models/Users_model.php
@@ -355,7 +355,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,
             ->group_end()
             ->limit($limit)
             ->offset($offset)
-            ->order_by($order_by)
+            ->order_by($this->db->escape($order_by))
             ->get()
             ->result_array();
 
@@ -388,7 +388,7 @@ public function get(
         }
 
         if ($order_by !== null) {
-            $this->db->order_by($order_by);
+            $this->db->order_by($this->db->escape($order_by));
         }
 
         $users = $this->db->get('users', $limit, $offset)->result_array();
diff --git a/application/models/Webhooks_model.php b/application/models/Webhooks_model.php
@@ -221,7 +221,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,
             ->group_end()
             ->limit($limit)
             ->offset($offset)
-            ->order_by($order_by)
+            ->order_by($this->db->escape($order_by))
             ->get()
             ->result_array();
 
@@ -253,7 +253,7 @@ public function get(
         }
 
         if ($order_by !== null) {
-            $this->db->order_by($order_by);
+            $this->db->order_by($this->db->escape($order_by));
         }
 
         $webhooks = $this->db->get('webhooks', $limit, $offset)->result_array();

Original file line number	Diff line number	Diff line change
`@@ -205,7 +205,7 @@ public function get(`
`205`	`205`	`}`
`206`	`206`
`207`	`207`	`if ($order_by !== null) {`
`208`		`- $this->db->order_by($order_by);`
	`208`	`+ $this->db->order_by($this->db->escape($order_by));`
`209`	`209`	`}`
`210`	`210`
`211`	`211`	`$admins = $this->db->get_where('users', ['id_roles' => $role_id], $limit, $offset)->result_array();`
`@@ -512,7 +512,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,`
`512`	`512`	`->group_end()`
`513`	`513`	`->limit($limit)`
`514`	`514`	`->offset($offset)`
`515`		`- ->order_by($order_by)`
	`515`	`+ ->order_by($this->db->escape($order_by))`
`516`	`516`	`->get()`
`517`	`517`	`->result_array();`
`518`	`518`
Original file line number	Diff line number	Diff line change
`@@ -185,7 +185,7 @@ public function get(`
`185`	`185`	`}`
`186`	`186`
`187`	`187`	`if ($order_by) {`
`188`		`- $this->db->order_by($order_by);`
	`188`	`+ $this->db->order_by($this->db->escape($order_by));`
`189`	`189`	`}`
`190`	`190`
`191`	`191`	`$appointments = $this->db`
`@@ -492,7 +492,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,`
`492`	`492`	`->group_end()`
`493`	`493`	`->limit($limit)`
`494`	`494`	`->offset($offset)`
`495`		`- ->order_by($order_by)`
	`495`	`+ ->order_by($this->db->escape($order_by))`
`496`	`496`	`->get()`
`497`	`497`	`->result_array();`
`498`	`498`
Original file line number	Diff line number	Diff line change
`@@ -241,7 +241,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,`
`241`	`241`	`->group_end()`
`242`	`242`	`->limit($limit)`
`243`	`243`	`->offset($offset)`
`244`		`- ->order_by($order_by)`
	`244`	`+ ->order_by($this->db->escape($order_by))`
`245`	`245`	`->get()`
`246`	`246`	`->result_array();`
`247`	`247`
`@@ -273,7 +273,7 @@ public function get(`
`273`	`273`	`}`
`274`	`274`
`275`	`275`	`if ($order_by !== null) {`
`276`		`- $this->db->order_by($order_by);`
	`276`	`+ $this->db->order_by($this->db->escape($order_by));`
`277`	`277`	`}`
`278`	`278`
`279`	`279`	`$blocked_periods = $this->db->get('blocked_periods', $limit, $offset)->result_array();`
Original file line number	Diff line number	Diff line change
`@@ -206,7 +206,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,`
`206`	`206`	`->group_end()`
`207`	`207`	`->limit($limit)`
`208`	`208`	`->offset($offset)`
`209`		`- ->order_by($order_by)`
	`209`	`+ ->order_by($this->db->escape($order_by))`
`210`	`210`	`->get()`
`211`	`211`	`->result_array();`
`212`	`212`
`@@ -238,7 +238,7 @@ public function get(`
`238`	`238`	`}`
`239`	`239`
`240`	`240`	`if ($order_by !== null) {`
`241`		`- $this->db->order_by($order_by);`
	`241`	`+ $this->db->order_by($this->db->escape($order_by));`
`242`	`242`	`}`
`243`	`243`
`244`	`244`	`$consents = $this->db->get('consents', $limit, $offset)->result_array();`
Original file line number	Diff line number	Diff line change
`@@ -167,7 +167,7 @@ public function get(`
`167`	`167`	`}`
`168`	`168`
`169`	`169`	`if ($order_by !== null) {`
`170`		`- $this->db->order_by($order_by);`
	`170`	`+ $this->db->order_by($this->db->escape($order_by));`
`171`	`171`	`}`
`172`	`172`
`173`	`173`	`$customers = $this->db->get_where('users', ['id_roles' => $role_id], $limit, $offset)->result_array();`
`@@ -415,7 +415,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,`
`415`	`415`	`->group_end()`
`416`	`416`	`->limit($limit)`
`417`	`417`	`->offset($offset)`
`418`		`- ->order_by($order_by)`
	`418`	`+ ->order_by($this->db->escape($order_by))`
`419`	`419`	`->get()`
`420`	`420`	`->result_array();`
`421`	`421`
Original file line number	Diff line number	Diff line change
`@@ -219,7 +219,7 @@ public function get(`
`219`	`219`	`}`
`220`	`220`
`221`	`221`	`if ($order_by !== null) {`
`222`		`- $this->db->order_by($order_by);`
	`222`	`+ $this->db->order_by($this->db->escape($order_by));`
`223`	`223`	`}`
`224`	`224`
`225`	`225`	`$providers = $this->db->get_where('users', ['id_roles' => $role_id], $limit, $offset)->result_array();`
`@@ -701,7 +701,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,`
`701`	`701`	`->group_end()`
`702`	`702`	`->limit($limit)`
`703`	`703`	`->offset($offset)`
`704`		`- ->order_by($order_by)`
	`704`	`+ ->order_by($this->db->escape($order_by))`
`705`	`705`	`->get()`
`706`	`706`	`->result_array();`
`707`	`707`
Original file line number	Diff line number	Diff line change
`@@ -283,7 +283,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,`
`283`	`283`	`->group_end()`
`284`	`284`	`->limit($limit)`
`285`	`285`	`->offset($offset)`
`286`		`- ->order_by($order_by)`
	`286`	`+ ->order_by($this->db->escape($order_by))`
`287`	`287`	`->get()`
`288`	`288`	`->result_array();`
`289`	`289`
`@@ -315,7 +315,7 @@ public function get(`
`315`	`315`	`}`
`316`	`316`
`317`	`317`	`if ($order_by !== null) {`
`318`		`- $this->db->order_by($order_by);`
	`318`	`+ $this->db->order_by($this->db->escape($order_by));`
`319`	`319`	`}`
`320`	`320`
`321`	`321`	`$roles = $this->db->get('roles', $limit, $offset)->result_array();`
Original file line number	Diff line number	Diff line change
`@@ -217,7 +217,7 @@ public function get(`
`217`	`217`	`}`
`218`	`218`
`219`	`219`	`if ($order_by !== null) {`
`220`		`- $this->db->order_by($order_by);`
	`220`	`+ $this->db->order_by($this->db->escape($order_by));`
`221`	`221`	`}`
`222`	`222`
`223`	`223`	`$secretaries = $this->db->get_where('users', ['id_roles' => $role_id], $limit, $offset)->result_array();`
`@@ -538,7 +538,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,`
`538`	`538`	`->group_end()`
`539`	`539`	`->limit($limit)`
`540`	`540`	`->offset($offset)`
`541`		`- ->order_by($order_by)`
	`541`	`+ ->order_by($this->db->escape($order_by))`
`542`	`542`	`->get()`
`543`	`543`	`->result_array();`
`544`	`544`
Original file line number	Diff line number	Diff line change
`@@ -235,7 +235,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,`
`235`	`235`	`->group_end()`
`236`	`236`	`->limit($limit)`
`237`	`237`	`->offset($offset)`
`238`		`- ->order_by($order_by)`
	`238`	`+ ->order_by($this->db->escape($order_by))`
`239`	`239`	`->get()`
`240`	`240`	`->result_array();`
`241`	`241`
`@@ -267,7 +267,7 @@ public function get(`
`267`	`267`	`}`
`268`	`268`
`269`	`269`	`if ($order_by !== null) {`
`270`		`- $this->db->order_by($order_by);`
	`270`	`+ $this->db->order_by($this->db->escape($order_by));`
`271`	`271`	`}`
`272`	`272`
`273`	`273`	`$service_categories = $this->db->get('service_categories', $limit, $offset)->result_array();`
Original file line number	Diff line number	Diff line change
`@@ -318,7 +318,7 @@ public function get(`
`318`	`318`	`}`
`319`	`319`
`320`	`320`	`if ($order_by !== null) {`
`321`		`- $this->db->order_by($order_by);`
	`321`	`+ $this->db->order_by($this->db->escape($order_by));`
`322`	`322`	`}`
`323`	`323`
`324`	`324`	`$services = $this->db->get('services', $limit, $offset)->result_array();`
`@@ -361,7 +361,7 @@ public function search(string $keyword, ?int $limit = null, ?int $offset = null,`
`361`	`361`	`->group_end()`
`362`	`362`	`->limit($limit)`
`363`	`363`	`->offset($offset)`
`364`		`- ->order_by($order_by)`
	`364`	`+ ->order_by($this->db->escape($order_by))`
`365`	`365`	`->get()`
`366`	`366`	`->result_array();`
`367`	`367`