From 2719c4eb43d9c8aa87aabe05c43c51b3ecd4f0cc Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 16 Aug 2018 01:01:38 +0200
Subject: [PATCH] Fix escape
---
 htdocs/comm/propal/class/propal.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php
index 4da98896b54..12fe76a522a 100644
--- a/htdocs/comm/propal/class/propal.class.php
+++ b/htdocs/comm/propal/class/propal.class.php
@@ -1338,7 +1338,7 @@ class Propal extends CommonObject
 if ($ref)
 {
 $sql.= " AND p.entity IN (".getEntity('propal').")"; // Dont't use entity if you use rowid
- $sql.= " AND p.ref='".$ref."'";
+ $sql.= " AND p.ref='".$this->db->escape($ref)."'";
 }
 else $sql.= " AND p.rowid=".$rowid;
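Review bot: The `else` branch on the last line of this hunk still concatenates `$rowid` into the query unquoted and unescaped, so the path the commit leaves untouched keeps the injection exposure that the `p.ref` line just lost, if any caller can pass a non-integer value. `$this->db->escape()` would not help there, because the value sits in a numeric context with no surrounding quotes; an integer cast is the appropriate guard: `else $sql.= " AND p.rowid=".((int) $rowid);`. Whether `$rowid` is validated earlier cannot be seen from here, since the enclosing method starts and ends outside the hunk. A short comment on the `p.ref` line noting that the escape is only sufficient because the value is wrapped in single quotes would also help the next reader.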