From bfb19e3a178ba9b2dab2f90f90a398b54a73d34e Mon Sep 17 00:00:00 2001
From: Simon Willison
Date: Sun, 8 Apr 2018 19:25:14 -0700
Subject: [PATCH] Correctly escape sort-by columns in SQL (refs #189)
---
datasette/app.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/datasette/app.py b/datasette/app.py
index 17a82109a5..576a82fd94 100644
--- a/datasette/app.py
+++ b/datasette/app.py
@@ -616,10 +616,10 @@ async def data(self, request, name, hash, table):
# Allow for custom sort order
sort = special_args.get('_sort')
if sort:
- order_by = sort
+ order_by = escape_sqlite(sort)
sort_desc = special_args.get('_sort_desc')
if sort_desc:
- order_by = '{} desc'.format(sort_desc)
+ order_by = '{} desc'.format(escape_sqlite(sort_desc))
count_sql = 'select count(*) from {table_name} {where}'.format(
table_name=escape_sqlite(table),