From 163f14e7916fb85b1f8813c334caac0f41728f24 Mon Sep 17 00:00:00 2001
From: johnnyq
Date: Tue, 9 May 2023 15:12:39 -0400
Subject: [PATCH] Fixed Escaping issue with sortby unfortuantly with order_by mysql_escape is not enough and must also be filtered with a preg_replace Thanks @tdragon6
---
 pagination_head.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/pagination_head.php b/pagination_head.php
index f38cc4c1..68766148 100644
--- a/pagination_head.php
+++ b/pagination_head.php
@@ -50,9 +50,12 @@ if (isset($_GET['q'])) {
 // Sortby
 if (!empty($_GET['sb'])) {
- $sb = sanitizeInput($_GET['sb']);
+ $sb = sanitizeInput(preg_replace('/[^a-z_]/', '', $_GET['sb']));
+ }
+//$sb = $_GET['sb'];
+
 // Date Handling
 if (empty($_GET['canned_date'])) { //Prevents lots of undefined variable errors.
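Review bot: The character filter on the new `$sb` line only narrows the alphabet of a value that is presumably spliced into an ORDER BY clause; the robust check for an identifier is an allowlist of the page's sortable column names, e.g. `if (!in_array($sb, $ALLOWED_SORT_COLUMNS /* placeholder: this page's sortable columns */, true)) { $sb = $DEFAULT_SORT /* placeholder */; }`, which rejects bad input instead of silently rewriting it (a column such as `address2` would be reduced to `address` by the regex and the query would then sort by a different column or fail). The commented-out `//$sb = $_GET['sb'];` should be deleted rather than left beside the sanitised assignment, since dead code that bypasses the filter is an easy thing to "restore" later. The added `}` is indented like the block body and the original closing brace of `if (!empty($_GET['sb']))` is not visible on the old side of the hunk, so it is worth confirming that the block's scope has not changed and that the date-handling code that follows still runs unconditionally; the enclosing structure continues outside the hunk. Whether `sanitizeInput()` still contributes anything after the regex cannot be judged here, as its definition is elsewhere in the file set.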