From b7f94b40d6d7d1a4d0b28e3084ce60d1a47c5401 Mon Sep 17 00:00:00 2001
From: Andris Reinman
Date: Mon, 13 Jul 2020 10:00:25 +0300
Subject: [PATCH] Use proper escaping for variable column names

---
 lib/models/campaigns.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/models/campaigns.js b/lib/models/campaigns.js
index f2410763..9bdc4710 100644
--- a/lib/models/campaigns.js
+++ b/lib/models/campaigns.js
@@ -60,10 +60,10 @@ module.exports.statsClickedSubscribersByColumn = (campaign, linkId, request, col
 return callback(err);
 }
- let query_template = 'SELECT %s AS data, COUNT(*) AS cnt FROM `subscription__%d` JOIN `campaign_tracker__%d` ON `campaign_tracker__%d`.`list`=%d AND `campaign_tracker__%d`.`subscriber`=`subscription__%d`.`id` AND `campaign_tracker__%d`.`link`=%d GROUP BY `%s` ORDER BY COUNT(`%s`) DESC, `%s`';
+ let query_template = 'SELECT ?? AS data, COUNT(*) AS cnt FROM `subscription__%d` JOIN `campaign_tracker__%d` ON `campaign_tracker__%d`.`list`=%d AND `campaign_tracker__%d`.`subscriber`=`subscription__%d`.`id` AND `campaign_tracker__%d`.`link`=%d GROUP BY ?? ORDER BY COUNT(??) DESC, ??';
 let query = util.format(query_template, column, campaign.list, campaign.id, campaign.id, campaign.list, campaign.id, campaign.list, campaign.id, linkId, column, column, column);
- connection.query(query, (err, rows) => {
+ connection.query(query, [column, column, column, column], (err, rows) => {
 connection.release();
 if (err) {
 return callback(err);
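Review bot: The unchanged `util.format` call still passes `column` as its first argument and three more `column`s at the end, but the new template has no `%s` specifiers left for them, so the first `%d` consumes `column` (yielding `subscription__NaN`), every list/campaign id shifts one slot, and the four leftover arguments (`linkId` and three `column`s) are appended by `util.format` to the end of the SQL text unescaped — the raw column name still lands in the query string and the statement is malformed. The column should be bound only through the `??` placeholders: `let query = util.format(query_template, campaign.list, campaign.id, campaign.id, campaign.list, campaign.id, campaign.list, campaign.id, linkId);`. Note that `??` (presumably the mysql driver's identifier placeholder) only backtick-quotes the name; if `column` comes from the request it should additionally be checked against the list's known field columns, since otherwise any existing column of `subscription__<list>` can be grouped on and returned. The enclosing function starts before this hunk and the hunk continues past the end of this view.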