#94 sorting capabilities


It allows sorting records by any column. It is used only in the virtual list just now, but other sections are supported too.

- functions.inc.php: added function get_sort()
- list-virtual.php: it uses session for limit (paging) and calls get_sort()
- templates/list-virtual_mailbox.tpl, templates/list-virtual_alias.tpl: table headers became links


  • Martin Jaros

    Martin Jaros - 2011-01-06

    sorting patch

  • GingerDog

    GingerDog - 2012-04-19

    Hi -

    Thanks for taking the time to submit this patch.

    Some feedback.

    1. It's vulnerable to SQL Injection - although you call safeget & escape_string on the data from $_GET, what you're embedding within the SQL query is not enclosed within quote marks (i.e. you're doing the equivalent of " ...... FROM foo ORDER BY {$_GET['key']} ASC").

    I think the best way to solve this is to change the code so that there is a known 'good' list of fields which you are allowed to sort by - and not accept any input from the end user.

    2. I'm not overly keen on seeing @ within code; I'd rather it was checked with isset or something instead.

    3. I don't like the way the order will flip on each page load if $_GET['sort'] is present. This will be painful if you're on e.g. page 5 of 15, and trying to advance through the records.

    I've pasted in what seems a better get_sort() function below - no doubt SF will screw up my indentation ...


    /**
     * This attempts to persist a sort order on records when viewing in a list.
     * See https://sourceforge.net/tracker/?func=detail&aid=3152352&group_id=191583&atid=937966
     * @param string $default_column - the default column if neither $_GET['sort'] nor $_POST['sort'] is set. Column MUST be one of the ones defined in $allowed_columns
     * @param string $default_dir - ASC or DESC
     * @return string some SQL (e.g. 'foobar ASC')
     */
    function get_sort($default_column, $default_dir = 'ASC') {

        $allowed_columns = array('address', 'goto', 'modified', 'active');
        $allowed_dirs = array('ASC', 'DESC');

        if(!in_array($default_dir, $allowed_dirs, true)) {
            die("Invalid sort direction");
        }

        // Only accept a column name from the request if it is in the allowed list
        // (strict comparison, so non-string input never matches).
        $fSort = false;
        if (isset ($_GET['sort'])) {
            if(in_array($_GET['sort'], $allowed_columns, true)) {
                $fSort = safeget('sort');
            }
        }
        if (isset ($_POST['sort'])) {
            if(in_array($_POST['sort'], $allowed_columns, true)) {
                $fSort = safepost('sort');
            }
        }

        // if nothing in $_GET/$_POST; see if we have anything in $_SESSION.
        if(false == $fSort) {
            if (isset($_SESSION['sort'])) {
                $fSort = $_SESSION['sort'];
                $fSortDir = $_SESSION['sort_dir'];
            } else {
                // No? oh, well, let's default to whatever was passed in
                $fSort = $default_column;
                $fSortDir = $default_dir;
            }
        } else {
            // we had something in $_GET/$_POST; store it in $_SESSION for later on.
            $_SESSION['sort_dir'] = $fSortDir = 'ASC';
            $_SESSION['sort'] = $fSort;
        }
        return $fSort . ' ' . $fSortDir;
    }
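
The contrast behind point 1 of the review above, as an added example that is not part of the ticket or of PostfixAdmin: an escaped but unquoted ORDER BY value next to an allow-list lookup that also takes the direction explicitly (point 3). The function names are hypothetical, addslashes() stands in for the project's escape_string(), and the request values are constructed.

```php
<?php
// Added example, not PostfixAdmin code. Function names are hypothetical;
// addslashes() is a stand-in for the project's escape_string().

// Pattern from point 1: the value is escaped but lands unquoted in the SQL,
// so anything without quote characters passes through as SQL syntax.
function order_by_escaped(string $input): string {
    return 'ORDER BY ' . addslashes($input) . ' ASC';
}

// Allow-list pattern: the request value is only compared against known names;
// the fragment returned is always built from the application's own constants.
function order_by_allowlisted($input, $dir, string $default = 'address'): string {
    $columns = array('address', 'goto', 'modified', 'active');
    $dirs = array('ASC', 'DESC');
    if (!in_array($default, $columns, true)) {
        throw new InvalidArgumentException('default column not in allow-list');
    }
    // Non-string input (?sort[]=x arrives as an array) falls back to the default.
    $column = (is_string($input) && in_array($input, $columns, true)) ? $input : $default;
    $dir = is_string($dir) ? strtoupper($dir) : '';
    // Direction is explicit in the request, so paging never flips it.
    $direction = in_array($dir, $dirs, true) ? $dir : 'ASC';
    return 'ORDER BY ' . $column . ' ' . $direction;
}

// Constructed sample request values.
$samples = array('modified', 'address DESC, modified', "goto'", array('x'));
foreach ($samples as $sample) {
    $label = is_string($sample) ? $sample : '(array)';
    $escaped = is_string($sample) ? order_by_escaped($sample) : '(type error)';
    printf("%-24s escaped:     %s\n", $label, $escaped);
    printf("%-24s allow-list:  %s\n", '', order_by_allowlisted($sample, 'desc'));
}
```

The second sample contains no quote characters, so escaping returns it unchanged and the caller's text becomes part of the clause, while the allow-list version falls back to the default column.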

  • GingerDog

    GingerDog - 2012-04-19
    • status: open --> open-rejected
  • GingerDog

    GingerDog - 2012-04-19


    * patch needs work;
    * I don't think it can/will merge with the current trunk easily.
    * security problems exist within it.

  • Christian Boltz

    Christian Boltz - 2016-05-15
    • status: open-rejected --> closed-rejected
    • Group: --> SVN (please specify revision!)

