Fix sanitize

2022-05-20 19:01:25 +02:00 · 2022-05-20 19:01:25 +02:00 · 1452e74431
commit 1452e74431
parent d50e0457f3
1 changed files with 2 additions and 2 deletions
--- a/htdocs/core/tpl/extrafields_list_search_sql.tpl.php
+++ b/htdocs/core/tpl/extrafields_list_search_sql.tpl.php
@ -65,8 +65,8 @@ if (!empty($extrafieldsobjectkey) && !empty($search_array_options) && is_array($
 			if (is_array($crit)) {
 				$crit = implode(' ', $crit); // natural_search() expects a string
 			} elseif ($typ === 'select' and is_string($crit) and strpos($crit, ',') === false) {
-				$critSelect = implode("','", array_map(array($db, 'escape'), explode(',', $crit)));
-				$sql .= " AND (".$extrafieldsobjectprefix.$tmpkey." IN ('".$critSelect."') )";
+				$critSelect = "'".implode("','", array_map(array($db, 'escape'), explode(',', $crit)))."'";
+				$sql .= " AND (".$extrafieldsobjectprefix.$tmpkey." IN (".$db->sanitize($critSelect, 1).") )";
 				continue;
 			}
 			$sql .= natural_search($extrafieldsobjectprefix.$tmpkey, $crit, $mode_search);