fix non-sanitize string in SQL request

This commit is contained in:
Thomas Negre 2022-03-01 09:17:56 +01:00
parent fc7f097c25
commit 14d9bf0322


@ -2144,12 +2144,12 @@ class Contrat extends CommonObject
$sql .= " FROM ".MAIN_DB_PREFIX."contrat as c";
if (!empty($product_categories)) {
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."contratdet as cd ON cd.fk_contrat = c.rowid";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."categorie_product as cp ON cp.fk_product = cd.fk_product AND cp.fk_categorie IN (".implode(', ', $product_categories).")";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."categorie_product as cp ON cp.fk_product = cd.fk_product AND cp.fk_categorie IN (".$this->db->sanitize(implode(', ', $product_categories)).")";
}
$sql .= " WHERE c.fk_soc =".((int) $this->socid);
$sql .= ($option == 'others') ? " AND c.rowid <> ".((int) $this->id) : "";
$sql .= (!empty($status)) ? " AND c.statut IN (".implode(', ', $status).")" : "";
$sql .= (!empty($line_status)) ? " AND cd.statut IN (".implode(', ', $line_status).")" : "";
$sql .= (!empty($status)) ? " AND c.statut IN (".$this->db->sanitize(implode(', ', $status)).")" : "";
$sql .= (!empty($line_status)) ? " AND cd.statut IN (".$this->db->sanitize(implode(', ', $line_status)).")" : "";
$sql .= " GROUP BY c.rowid";
dol_syslog(get_class($this)."::getOtherContracts()", LOG_DEBUG);