Correctly escape sort-by columns in SQL (refs #189)

Simon Willison 2018-04-08 19:25:14 -07:00 committed by Simon Willison
commit bfb19e3a17


@ -616,10 +616,10 @@ class TableView(RowTableShared):
# Allow for custom sort order # Allow for custom sort order
sort = special_args.get('_sort') sort = special_args.get('_sort')
if sort: if sort:
order_by = sort order_by = escape_sqlite(sort)
sort_desc = special_args.get('_sort_desc') sort_desc = special_args.get('_sort_desc')
if sort_desc: if sort_desc:
order_by = '{} desc'.format(sort_desc) order_by = '{} desc'.format(escape_sqlite(sort_desc))
count_sql = 'select count(*) from {table_name} {where}'.format( count_sql = 'select count(*) from {table_name} {where}'.format(
table_name=escape_sqlite(table), table_name=escape_sqlite(table),