[5.x] Harden OrderBys (#14474)

duncanmcclean · jasonvarga · web-flow · commit ee88420080d4 · 2026-04-10T11:21:34.000-04:00
Co-authored-by: Jason Varga &lt;jason@pixelfear.com&gt;
diff --git a/src/GraphQL/Queries/AssetsQuery.php b/src/GraphQL/Queries/AssetsQuery.php
@@ -13,6 +13,7 @@
 use Statamic\GraphQL\Queries\Concerns\FiltersQuery;
 use Statamic\GraphQL\Types\AssetInterface;
 use Statamic\GraphQL\Types\JsonArgument;
+use Statamic\Query\OrderBy;
 use Statamic\Support\Str;
 
 class AssetsQuery extends Query
@@ -69,7 +70,9 @@ private function sortQuery($query, $sorts)
                 [$sort, $order] = explode(' ', $sort);
             }
 
-            $query->orderBy($sort, $order);
+            if ($sort = OrderBy::column($sort)) {
+                $query->orderBy($sort, $order);
+            }
         }
     }
 
diff --git a/src/GraphQL/Queries/EntriesQuery.php b/src/GraphQL/Queries/EntriesQuery.php
@@ -16,6 +16,7 @@
 use Statamic\GraphQL\Queries\Concerns\ScopesQuery;
 use Statamic\GraphQL\Types\EntryInterface;
 use Statamic\GraphQL\Types\JsonArgument;
+use Statamic\Query\OrderBy;
 use Statamic\Support\Str;
 
 class EntriesQuery extends Query
@@ -96,7 +97,9 @@ private function sortQuery($query, $sorts)
                 [$sort, $order] = explode(' ', $sort);
             }
 
-            $query->orderBy($sort, $order);
+            if ($sort = OrderBy::column($sort)) {
+                $query->orderBy($sort, $order);
+            }
         }
     }
 
diff --git a/src/GraphQL/Queries/TermsQuery.php b/src/GraphQL/Queries/TermsQuery.php
@@ -13,6 +13,7 @@
 use Statamic\GraphQL\Queries\Concerns\FiltersQuery;
 use Statamic\GraphQL\Types\JsonArgument;
 use Statamic\GraphQL\Types\TermInterface;
+use Statamic\Query\OrderBy;
 use Statamic\Support\Str;
 
 class TermsQuery extends Query
@@ -76,7 +77,9 @@ private function sortQuery($query, $sorts)
                 [$sort, $order] = explode(' ', $sort);
             }
 
-            $query->orderBy($sort, $order);
+            if ($sort = OrderBy::column($sort)) {
+                $query->orderBy($sort, $order);
+            }
         }
     }
 
diff --git a/src/GraphQL/Queries/UsersQuery.php b/src/GraphQL/Queries/UsersQuery.php
@@ -11,6 +11,7 @@
 use Statamic\GraphQL\Queries\Concerns\FiltersQuery;
 use Statamic\GraphQL\Types\JsonArgument;
 use Statamic\GraphQL\Types\UserType;
+use Statamic\Query\OrderBy;
 use Statamic\Support\Str;
 
 class UsersQuery extends Query
@@ -65,7 +66,9 @@ private function sortQuery($query, $sorts)
                 [$sort, $order] = explode(' ', $sort);
             }
 
-            $query->orderBy($sort, $order);
+            if ($sort = OrderBy::column($sort)) {
+                $query->orderBy($sort, $order);
+            }
         }
     }
 
diff --git a/src/Http/Controllers/CP/Assets/BrowserController.php b/src/Http/Controllers/CP/Assets/BrowserController.php
@@ -14,6 +14,7 @@
 use Statamic\Http\Resources\CP\Assets\Folder;
 use Statamic\Http\Resources\CP\Assets\FolderAsset;
 use Statamic\Http\Resources\CP\Assets\SearchedAssetsCollection;
+use Statamic\Query\OrderBy;
 use Statamic\Support\Arr;
 
 class BrowserController extends CpController
@@ -87,8 +88,7 @@ public function folder(Request $request, $container, $path = '/')
         $totalAssets = $folder->queryAssets()->count();
         $totalItems = $totalAssets + $totalFolders;
 
-        if ($request->sort) {
-            $sort = $request->sort;
+        if ($sort = OrderBy::column($request->sort)) {
             $order = $request->order ?? 'asc';
         } else {
             $sort = $container->sortField();
@@ -153,8 +153,8 @@ public function search(Request $request, $container, $path = null)
             $query->where('folder', $path);
         }
 
-        if ($request->sort) {
-            $query->orderBy($request->sort, $request->order ?? 'asc');
+        if ($sort = OrderBy::column($request->sort)) {
+            $query->orderBy($sort, $request->order ?? 'asc');
         }
 
         $this->applyQueryScopes($query, $request->all());

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@`
`13`	`13`	`use Statamic\GraphQL\Queries\Concerns\FiltersQuery;`
`14`	`14`	`use Statamic\GraphQL\Types\AssetInterface;`
`15`	`15`	`use Statamic\GraphQL\Types\JsonArgument;`
	`16`	`+use Statamic\Query\OrderBy;`
`16`	`17`	`use Statamic\Support\Str;`
`17`	`18`
`18`	`19`	`class AssetsQuery extends Query`
`@@ -69,7 +70,9 @@ private function sortQuery($query, $sorts)`
`69`	`70`	`[$sort, $order] = explode(' ', $sort);`
`70`	`71`	`}`
`71`	`72`
`72`		`- $query->orderBy($sort, $order);`
	`73`	`+ if ($sort = OrderBy::column($sort)) {`
	`74`	`+ $query->orderBy($sort, $order);`
	`75`	`+ }`
`73`	`76`	`}`
`74`	`77`	`}`
`75`	`78`
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@`
`16`	`16`	`use Statamic\GraphQL\Queries\Concerns\ScopesQuery;`
`17`	`17`	`use Statamic\GraphQL\Types\EntryInterface;`
`18`	`18`	`use Statamic\GraphQL\Types\JsonArgument;`
	`19`	`+use Statamic\Query\OrderBy;`
`19`	`20`	`use Statamic\Support\Str;`
`20`	`21`
`21`	`22`	`class EntriesQuery extends Query`
`@@ -96,7 +97,9 @@ private function sortQuery($query, $sorts)`
`96`	`97`	`[$sort, $order] = explode(' ', $sort);`
`97`	`98`	`}`
`98`	`99`
`99`		`- $query->orderBy($sort, $order);`
	`100`	`+ if ($sort = OrderBy::column($sort)) {`
	`101`	`+ $query->orderBy($sort, $order);`
	`102`	`+ }`
`100`	`103`	`}`
`101`	`104`	`}`
`102`	`105`
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@`
`11`	`11`	`use Statamic\GraphQL\Queries\Concerns\FiltersQuery;`
`12`	`12`	`use Statamic\GraphQL\Types\JsonArgument;`
`13`	`13`	`use Statamic\GraphQL\Types\UserType;`
	`14`	`+use Statamic\Query\OrderBy;`
`14`	`15`	`use Statamic\Support\Str;`
`15`	`16`
`16`	`17`	`class UsersQuery extends Query`
`@@ -65,7 +66,9 @@ private function sortQuery($query, $sorts)`
`65`	`66`	`[$sort, $order] = explode(' ', $sort);`
`66`	`67`	`}`
`67`	`68`
`68`		`- $query->orderBy($sort, $order);`
	`69`	`+ if ($sort = OrderBy::column($sort)) {`
	`70`	`+ $query->orderBy($sort, $order);`
	`71`	`+ }`
`69`	`72`	`}`
`70`	`73`	`}`
`71`	`74`