From 351c4c465e0922e43a320289ddd6349386bd30fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulrich=20Berkm=C3=BCller?= Date: Sat, 10 Jul 2021 13:00:32 +0200 Subject: [PATCH] Fix admin order sorting functionality Due to a missing query API provided by OXID, SQL strings need to be manipulated directly in admin list controllers. However, this is very error-prone if multiple modules do this. For example one could replace `from oxorder` with `FROM OXORDER` or `from `oxorder``` (using MySQL identifier quoting). All this results in valid SQL and should be considered to make the extension of the sql string more robust. For example, the oxid paypal module replaces the unquoted `from oxorder` with a quoted table name: https://github.com/OXID-eSales/paypal/blob/eb1392f37f34fec5a477d7319cad12aba35722fe/Controller/Admin/OrderList.php#L72 Currently, clicking the admin orders' "sort by payment column" link crashes when the SQL FROM clause is not exactly of the form `from oxorder`. Because in that case, the joins are not applied and the order by statement extensions in `_prepareOrderByQuery()` use columns that can not be found. The provided solution makes the extension more robust against different valid sql strings so that clicking the sorting link does not crash. It works with variants like * `from oxorder` * `FROM OXORDER` * `FROM oxorder` * ``FROM `oxorder``` * ... Further it uses `str_ireplace` as case-insensitive replacement method to be more robust against valid variations. --- controllers/admin/admin_payppaypalplusorder_list.php | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/controllers/admin/admin_payppaypalplusorder_list.php b/controllers/admin/admin_payppaypalplusorder_list.php index ae97c09..9ddedea 100644 --- a/controllers/admin/admin_payppaypalplusorder_list.php +++ b/controllers/admin/admin_payppaypalplusorder_list.php 
@@ -94,7 +94,9 @@ protected function _buildSelectString($oListObject = null) LEFT JOIN payppaypalpluspui ON payppaypalpluspui.OXPAYMENTID = payppaypalpluspayment.OXPAYMENTID "; - $sSql = str_replace('from oxorder', $sQ, $sSql); + $unquoted = 'oxorder'; + $quoted = oxDb::getDb()->quoteIdentifier('oxorder'); + $sSql = preg_replace("/\bfrom\s+(?:\b$unquoted\b|$quoted)/i", $sQ, $sSql); return $sSql; } @@ -114,9 +116,9 @@ protected function _prepareOrderByQuery($sSql = null) $aSorting = parent::getListSorting(); if ($aSorting['oxorder']['oxpaymenttype']) { $sQ = ' ORDER BY payments_oxdesc, IF(ISNULL(payppaypalpluspui_oxid), 0, 1), oxorder.oxbillnr, '; - $sSql = str_replace('order by ', $sQ, $sSql); + $sSql = str_ireplace('order by ', $sQ, $sSql); } return $sSql; } -} \ No newline at end of file +}
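Review bot: When the new pattern still does not match (for example a schema-qualified table name in the FROM clause), `preg_replace` returns the SQL unchanged and the joins are silently missing, so the crash described in the commit message can still be reached through `_prepareOrderByQuery()`. Capturing the match count, `$sSql = preg_replace($pattern, $sQ, $sSql, -1, $iCount);`, would let the controller notice `$iCount === 0` and skip the payment-type ORDER BY extension instead of emitting a query that references unjoined columns. `$quoted` is interpolated into the pattern unescaped; a backtick is harmless in a regex, but `preg_quote($quoted, '/')` keeps the pattern valid if the driver's quoting ever differs. `$sQ` is now a regex replacement string, so a `$` or backslash followed by a digit in it would be read as a backreference; the full string is not visible in this hunk and should be checked. The start of `_buildSelectString()` lies outside the hunk.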
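Review bot: The `str_ireplace('order by ', $sQ, $sSql)` call only relaxes letter case, so it is less tolerant than the FROM-clause pattern in the first hunk: `ORDER  BY`, or a tab or newline after `BY`, still falls through and leaves the payment-type sort unapplied. It also rewrites every occurrence in `$sSql`, which by this point presumably contains the WHERE clause built from the admin list filters, so a filter value containing the text `order by ` would be altered as well; that depends on code outside this hunk and should be confirmed. A form consistent with the first hunk would be `$sSql = preg_replace('/\border\s+by\s+/i', $sQ, $sSql);`, ideally restricted to the statement's final ORDER BY. The beginning of `_prepareOrderByQuery()` is outside the hunk.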