FIX Missing database escaping on supplier price insert/update

This commit is contained in:
Laurent Destailleur 2016-03-31 21:47:32 +02:00
parent 00bf8caa8c
commit 2a19326a3f


@ -2506,7 +2506,7 @@ class Product extends CommonObject
$sql = "SELECT rowid, fk_product";
$sql.= " FROM ".MAIN_DB_PREFIX."product_fournisseur_price";
$sql.= " WHERE fk_soc = ".$id_fourn;
$sql.= " AND ref_fourn = '".$ref_fourn."'";
$sql.= " AND ref_fourn = '".$this->db->escape($ref_fourn)."'";
$sql.= " AND fk_product != ".$this->id;
$sql.= " AND entity = ".$conf->entity;
@ -2528,7 +2528,7 @@ class Product extends CommonObject
$sql = "SELECT rowid";
$sql.= " FROM ".MAIN_DB_PREFIX."product_fournisseur_price";
$sql.= " WHERE fk_soc = ".$id_fourn;
if ($ref_fourn) $sql.= " AND ref_fourn = '".$ref_fourn."'";
if ($ref_fourn) $sql.= " AND ref_fourn = '".$this->db->escape($ref_fourn)."'";
else $sql.= " AND (ref_fourn = '' OR ref_fourn IS NULL)";
$sql.= " AND quantity = '".$quantity."'";
$sql.= " AND fk_product = ".$this->id;
@ -2557,7 +2557,7 @@ class Product extends CommonObject
$sql.= ", ".$conf->entity;
$sql.= ", ".$this->id;
$sql.= ", ".$id_fourn;
$sql.= ", '".$ref_fourn."'";
$sql.= ", '".$this->db->escape($ref_fourn)."'";
$sql.= ", ".$quantity;
$sql.= ", ".$user->id;
$sql.= ", 0";
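Review bot: The other interpolated values in the same statements are still concatenated raw: `$id_fourn` (lines 13, 21, 30), `$quantity` (line 25, inside quotes, and line 33, bare), `$this->id`, `$conf->entity` and `$user->id`. Whether the callers have already validated these as numeric is not visible here, so the new escape() on ref_fourn closes only one of the injection points in each query; the same pattern appears in all three hunks. For the numeric columns a cast is the cheapest guard, e.g. `$sql.= " WHERE fk_soc = ".((int) $id_fourn);`, and the quoted quantity on line 25 should go through the same helper as ref_fourn, `$sql.= " AND quantity = '".$this->db->escape($quantity)."'";`. The enclosing methods of class Product start and end outside the hunks, so the WHERE/VALUES lists may carry further raw values beyond what is shown.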