Fix SQL injection vulnerability in orderby parameter across all helper files

Copilot · iftakharul-islam · Copilot · commit 470f26e5fc39 · 2026-03-02T08:46:14.000Z
Co-authored-by: iftakharul-islam &lt;88052038+iftakharul-islam@users.noreply.github.com&gt;
diff --git a/src/Activity/Helper/Activity.php b/src/Activity/Helper/Activity.php
@@ -598,7 +598,9 @@ private function orderby() {
 			$order[] =  $this->tb_activity . '.' . esc_sql($key) . ' ' . esc_sql($value);
         }
         
-        $this->orderby = "ORDER BY " . implode( ', ', $order);
+        if ( !empty( $order ) ) {
+            $this->orderby = "ORDER BY " . implode( ', ', $order );
+        }
 
         return $this;
     }
diff --git a/src/Comment/Helper/Comment.php b/src/Comment/Helper/Comment.php
@@ -395,7 +395,9 @@ private function orderby() {
 			$order[] =  $tb_pj . '.' . esc_sql($key) . ' ' . esc_sql($value);
         }
 
-        $this->orderby = "ORDER BY " . implode( ', ', $order);
+        if ( !empty( $order ) ) {
+            $this->orderby = "ORDER BY " . implode( ', ', $order );
+        }
 
         return $this;
     }
diff --git a/src/Discussion_Board/Helper/Discussion_Board.php b/src/Discussion_Board/Helper/Discussion_Board.php
@@ -690,7 +690,9 @@ private function orderby() {
 			$order[] =  $tb_pj . '.' . esc_sql($key) . ' ' . esc_sql($value);
         }
 
-        $this->orderby = "ORDER BY " . implode( ', ', $order);
+        if ( !empty( $order ) ) {
+            $this->orderby = "ORDER BY " . implode( ', ', $order );
+        }
 
         return $this;
     }
diff --git a/src/File/Helper/File.php b/src/File/Helper/File.php
@@ -328,7 +328,9 @@ private function orderby() {
 			$order[] =  $tb_pj . '.' . esc_sql($key) . ' ' . esc_sql($value);
         }
 
-        $this->orderby = "ORDER BY " . implode( ', ', $order);
+        if ( !empty( $order ) ) {
+            $this->orderby = "ORDER BY " . implode( ', ', $order );
+        }
 
         return $this;
     }
diff --git a/src/Milestone/Helper/Milestone.php b/src/Milestone/Helper/Milestone.php
@@ -597,7 +597,9 @@ private function orderby() {
 			$order[] =  $tb_pj . '.' . esc_sql($key) . ' ' . esc_sql($value);
         }
 
-        $this->orderby = "ORDER BY " . implode( ', ', $order);
+        if ( !empty( $order ) ) {
+            $this->orderby = "ORDER BY " . implode( ', ', $order );
+        }
 
         return $this;
     }
diff --git a/src/Task/Helper/Task.php b/src/Task/Helper/Task.php
@@ -1950,7 +1950,9 @@ private function orderby() {
 			$order[] =  $tb_pj . '.' . esc_sql($key) . ' ' . esc_sql($value);
 	    }
 
-	    $this->orderby = "ORDER BY " . implode( ', ', $order);
+	    if ( !empty( $order ) ) {
+	        $this->orderby = "ORDER BY " . implode( ', ', $order );
+	    }
 	    
 		return $this;
 	}
diff --git a/src/Task_List/Helper/Task_List.php b/src/Task_List/Helper/Task_List.php
@@ -1002,7 +1002,9 @@ private function orderby() {
 			$order[] =  $tb_pj . '.' . esc_sql($key) . ' ' . esc_sql($value);
         }
 
-        $this->orderby = "ORDER BY " . implode( ', ', $order);
+        if ( !empty( $order ) ) {
+            $this->orderby = "ORDER BY " . implode( ', ', $order );
+        }
 
         return $this;
     }
diff --git a/src/User/Helper/User.php b/src/User/Helper/User.php
@@ -221,7 +221,9 @@ private function orderby() {
 			$order[] =  $tb_pj . '.' . esc_sql($key) . ' ' . esc_sql($value);
         }
 
-        $this->orderby = "ORDER BY " . implode( ', ', $order);
+        if ( !empty( $order ) ) {
+            $this->orderby = "ORDER BY " . implode( ', ', $order );
+        }
 
         return $this;
     }

Original file line number	Diff line number	Diff line change
`@@ -598,7 +598,9 @@ private function orderby() {`
`598`	`598`	`$order[] = $this->tb_activity . '.' . esc_sql($key) . ' ' . esc_sql($value);`
`599`	`599`	`}`
`600`	`600`
`601`		`- $this->orderby = "ORDER BY " . implode( ', ', $order);`
	`601`	`+ if ( !empty( $order ) ) {`
	`602`	`+ $this->orderby = "ORDER BY " . implode( ', ', $order );`
	`603`	`+ }`
`602`	`604`
`603`	`605`	`return $this;`
`604`	`606`	`}`
Original file line number	Diff line number	Diff line change
`@@ -395,7 +395,9 @@ private function orderby() {`
`395`	`395`	`$order[] = $tb_pj . '.' . esc_sql($key) . ' ' . esc_sql($value);`
`396`	`396`	`}`
`397`	`397`
`398`		`- $this->orderby = "ORDER BY " . implode( ', ', $order);`
	`398`	`+ if ( !empty( $order ) ) {`
	`399`	`+ $this->orderby = "ORDER BY " . implode( ', ', $order );`
	`400`	`+ }`
`399`	`401`
`400`	`402`	`return $this;`
`401`	`403`	`}`
Original file line number	Diff line number	Diff line change
`@@ -690,7 +690,9 @@ private function orderby() {`
`690`	`690`	`$order[] = $tb_pj . '.' . esc_sql($key) . ' ' . esc_sql($value);`
`691`	`691`	`}`
`692`	`692`
`693`		`- $this->orderby = "ORDER BY " . implode( ', ', $order);`
	`693`	`+ if ( !empty( $order ) ) {`
	`694`	`+ $this->orderby = "ORDER BY " . implode( ', ', $order );`
	`695`	`+ }`
`694`	`696`
`695`	`697`	`return $this;`
`696`	`698`	`}`
Original file line number	Diff line number	Diff line change
`@@ -328,7 +328,9 @@ private function orderby() {`
`328`	`328`	`$order[] = $tb_pj . '.' . esc_sql($key) . ' ' . esc_sql($value);`
`329`	`329`	`}`
`330`	`330`
`331`		`- $this->orderby = "ORDER BY " . implode( ', ', $order);`
	`331`	`+ if ( !empty( $order ) ) {`
	`332`	`+ $this->orderby = "ORDER BY " . implode( ', ', $order );`
	`333`	`+ }`
`332`	`334`
`333`	`335`	`return $this;`
`334`	`336`	`}`
Original file line number	Diff line number	Diff line change
`@@ -597,7 +597,9 @@ private function orderby() {`
`597`	`597`	`$order[] = $tb_pj . '.' . esc_sql($key) . ' ' . esc_sql($value);`
`598`	`598`	`}`
`599`	`599`
`600`		`- $this->orderby = "ORDER BY " . implode( ', ', $order);`
	`600`	`+ if ( !empty( $order ) ) {`
	`601`	`+ $this->orderby = "ORDER BY " . implode( ', ', $order );`
	`602`	`+ }`
`601`	`603`
`602`	`604`	`return $this;`
`603`	`605`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1950,7 +1950,9 @@ private function orderby() {`
`1950`	`1950`	`$order[] = $tb_pj . '.' . esc_sql($key) . ' ' . esc_sql($value);`
`1951`	`1951`	`}`
`1952`	`1952`
`1953`		`- $this->orderby = "ORDER BY " . implode( ', ', $order);`
	`1953`	`+ if ( !empty( $order ) ) {`
	`1954`	`+ $this->orderby = "ORDER BY " . implode( ', ', $order );`
	`1955`	`+ }`
`1954`	`1956`
`1955`	`1957`	`return $this;`
`1956`	`1958`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1002,7 +1002,9 @@ private function orderby() {`
`1002`	`1002`	`$order[] = $tb_pj . '.' . esc_sql($key) . ' ' . esc_sql($value);`
`1003`	`1003`	`}`
`1004`	`1004`
`1005`		`- $this->orderby = "ORDER BY " . implode( ', ', $order);`
	`1005`	`+ if ( !empty( $order ) ) {`
	`1006`	`+ $this->orderby = "ORDER BY " . implode( ', ', $order );`
	`1007`	`+ }`
`1006`	`1008`
`1007`	`1009`	`return $this;`
`1008`	`1010`	`}`
Original file line number	Diff line number	Diff line change
`@@ -221,7 +221,9 @@ private function orderby() {`
`221`	`221`	`$order[] = $tb_pj . '.' . esc_sql($key) . ' ' . esc_sql($value);`
`222`	`222`	`}`
`223`	`223`
`224`		`- $this->orderby = "ORDER BY " . implode( ', ', $order);`
	`224`	`+ if ( !empty( $order ) ) {`
	`225`	`+ $this->orderby = "ORDER BY " . implode( ', ', $order );`
	`226`	`+ }`
`225`	`227`
`226`	`228`	`return $this;`
`227`	`229`	`}`