From 019325011b2a321d1aef4153b2b3f418d330aec2 Mon Sep 17 00:00:00 2001
From: FusionPBX
Date: Tue, 18 Jun 2019 17:13:11 -0600
Subject: [PATCH] Update users.php

---
 core/users/users.php | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/core/users/users.php b/core/users/users.php
index ea2e020c32..df1f31b09b 100644
--- a/core/users/users.php
+++ b/core/users/users.php
@@ -51,6 +51,11 @@
 $order_by = $_GET["order_by"];
 $order = $_GET["order"];
+//validate order by
+ if (strlen($order_by) > 0) {
+ $order_by = preg_replace('#[^a-zA-Z0-9_\-]#', '', $order_by);
+ }
+
 //validate the order
 switch ($order) {
 case 'asc':
@@ -71,7 +76,7 @@
 $superadmins = superadmin_list($db);
 //get the user count from the database
- $sql = "select count(*) as num_rows from view_users where 1 = 1 ";
+ $sql = "select count(*) from view_users as u where 1 = 1 ";
 if (!(permission_exists('user_all') && $_GET['show'] == 'all')) {
 $sql .= "and u.domain_uuid = :domain_uuid \n";
 $parameters['domain_uuid'] = $_SESSION['domain_uuid'];
@@ -86,15 +91,6 @@
 $sql .= ")\n";
 $parameters['search'] = '%'.$search.'%';
 }
- if (strlen($order_by)> 0) {
- $sql .= "order by ".$order_by." ".$order." \n";
- }
- else {
- $sql .= "order by u.username asc \n";
- }
- $sql .= "limit :rows_per_page offset :offset ";
- $parameters['rows_per_page'] = $rows_per_page;
- $parameters['offset'] = $offset;
 $database = new database;
 $num_rows = $database->select($sql, $parameters, 'column');
 unset ($parameters, $sql);
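Review bot: The new `$order_by` check in the first hunk only strips characters; it does not restrict the value to a known column, so any bare identifier a caller chooses still reaches an `"order by ".$order_by` concatenation (removed from the count query in the third hunk, but the listing query that consumes `$order_by` is outside this diff and is presumably still built the same way), and because `-` is kept a `--` sequence survives the filter. Since the sortable columns are a fixed set, an allow-list is the stronger check: `$sortable = ['username', 'domain_uuid']; // TODO confirm against view_users` followed by `$order_by = in_array($order_by, $sortable, true) ? $order_by : '';`, which lets the existing `order by u.username asc` fallback handle anything else. Note the filter also drops `.`, so a value such as `u.username` would be mangled to `uusername` before reaching SQL — verify what the sort links actually send. The `switch ($order)` that validates the direction continues past the end of the hunk.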