I'm doing some display of nodes and I want to sort them as I display them, doing something like this:

$somenodes = taxonomy_select_nodes($terms, 'or', 2, FALSE, 'n.title');

This lets me sort by title which is handy in listings sometimes.

In order to do this, two lines in the taxonomy module need to be modified:

Line 824 From:

function taxonomy_select_nodes($tids = array(), $operator = 'or', $depth = 0, $pager = TRUE) {

To:

function taxonomy_select_nodes($tids = array(), $operator = 'or', $depth = 0, $pager = TRUE, $order = 'n.sticky DESC, n.created DESC') {

(this leaves the default sort order intact)

Secondly, Line 839 From:

$sql = 'SELECT DISTINCT(n.nid), n.sticky, n.title, n.created FROM {node} n INNER JOIN {term_node} tn ON n.nid = tn.nid WHERE tn.tid IN ('. $str_tids .') AND n.status = 1 ORDER BY n.sticky DESC, n.created DESC';

To:

$sql = 'SELECT DISTINCT(n.nid), n.sticky, n.title, n.created FROM {node} n INNER JOIN {term_node} tn ON n.nid = tn.nid WHERE tn.tid IN ('. $str_tids .') AND n.status = 1 ORDER BY ' . $order;

Attached files:
#1: taxonomy_24.patch (2.34 KB, arthurf)
taxonomy.module_1.txt (42.78 KB, arthurf)

Comments

Comment by arthurf:

Title: Adding Sort Order to taxonomy_select_nodes » Adding Sort Order to taxonomy_select_nodes Patch
File status: new, size: 2.34 KB

Here's a patch file

Comment by magico:

Version: 4.6.5 » x.y.z
Status: Needs review » Needs work

Comment by eaton:

This patch opens up a tremendous, shocking, gaping security hole: by simply appending a chunk of passed-in text to the SQL query, it circumvents Drupal's built-in injection protection. If you need more precise control over taxonomy-based node listings, writing a simple query of your own, or using Views.module for complete control, is a much, much better approach.

While something *like* this feature might be a helpful core addition, the current approach is scarily insecure.
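
One way to keep a sort option without passing caller text into the query, as an added example that is not code from the patch, from taxonomy.module or from any commenter: the sort string is parsed and the ORDER BY clause is rebuilt from an allowlist. The function name taxonomy_order_by() and the column allowlist are assumptions made for illustration.

```php
<?php
// Added example, not code from taxonomy.module or the attached patch.
// taxonomy_order_by() and its column allowlist are hypothetical names.

/**
 * Turn a caller-supplied sort string into an ORDER BY clause built only
 * from allowlisted column names and the literals ASC/DESC.
 */
function taxonomy_order_by($order, $default = 'n.sticky DESC, n.created DESC') {
  // Columns selected by the query on this page; nothing else may be sorted on.
  $allowed = array('n.nid', 'n.sticky', 'n.title', 'n.created');
  $parts = array();
  foreach (explode(',', (string) $order) as $term) {
    // Exactly "column" or "column direction"; anything else is rejected.
    if (!preg_match('/^\s*([a-z_.]+)(?:\s+(asc|desc))?\s*$/i', $term, $m)) {
      return $default;
    }
    $column = strtolower($m[1]);
    if (!in_array($column, $allowed, TRUE)) {
      return $default;
    }
    $direction = isset($m[2]) ? strtoupper($m[2]) : 'ASC';
    // Emit our own literals, never the caller's bytes.
    $parts[] = $column . ' ' . $direction;
  }
  return implode(', ', $parts);
}

// Constructed inputs: two legitimate sorts and two that must fall back.
$samples = array(
  'n.title',
  'n.sticky desc, n.title ASC',
  'n.title, (SELECT 1)',
  'u.pass',
);
foreach ($samples as $sample) {
  printf("%-28s => ORDER BY %s\n", $sample, taxonomy_order_by($sample));
}
```

The last two samples fall back to the default sort: one contains characters outside a plain column name, the other names a column that is not in the allowlist.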

Comment by ainigma32:

Version: x.y.z » 5.7
Status: Needs work » Fixed

Despite #3, this code was added in May 2005 (!); see http://cvs.drupal.org/viewvc.py/drupal/drupal/modules/taxonomy/taxonomy....

If the current code has introduced a security issue, it should be addressed in a new bug report.

I'll set this issue to fixed and, if no one objects, to closed in a little while.

Comment by ainigma32:

Status: Fixed » Closed (fixed)

No objections, so setting this issue to closed.