From 2ac06a875c9231bfcb7844dda17442862f1f9d6b Mon Sep 17 00:00:00 2001
From: Regis Houssin <regis@dolibarr.fr>
Date: Wed, 10 Nov 2010 19:18:06 +0000
Subject: [PATCH] Fix: sql injection

---
 htdocs/main.inc.php | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 0378d6a1b45..20c89718321 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -73,6 +73,7 @@ function test_sql_and_script_inject($val)
 	$sql_inj += preg_match('/update.+set.+=/i', $val);
 	$sql_inj += preg_match('/insert[\s]+into/i', $val);
 	$sql_inj += preg_match('/select.+from/i', $val);
+	$sql_inj += preg_match('/union.+select/i', $val);
 	$sql_inj += preg_match('/<script/i', $val);
 	return $sql_inj;
 }
@@ -857,7 +858,7 @@ function top_htmlhead($head, $title='', $disablejs=0, $disablehead=0, $arrayofjs
 			$mini='';$ext='.js';
 			if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x01)) { $mini='_mini'; $ext='.jgz'; }	// mini='_mini', ext='.gz'
 
-			// JQuery. Must be before other includes (prototype/scriptaculous)
+			// JQuery. Must be before other includes (prototype/scriptaculous/...)
 			print '<!-- Includes for JQuery -->'."\n";
             print '<script type="text/javascript" src="'.DOL_URL_ROOT.'/includes/jquery/js/jquery-1.4.3.min'.$ext.'"></script>'."\n";
 			print '<script type="text/javascript" src="'.DOL_URL_ROOT.'/includes/jquery/js/jquery-ui-1.8.5.custom.min'.$ext.'"></script>'."\n";
@@ -868,13 +869,6 @@ function top_htmlhead($head, $title='', $disablejs=0, $disablehead=0, $arrayofjs
 			{
 				print '<script type="text/javascript" src="'.DOL_URL_ROOT.'/includes/jquery/plugins/layout/jquery.layout-latest'.$ext.'"></script>'."\n";
 			}
-
-            // This one is required for some Ajax features
-			if (! empty($conf->global->MAIN_USE_PROTOTYPE))
-			{
-                print '<!-- Includes for Prototype -->'."\n";
-                print '<script type="text/javascript" src="'.DOL_URL_ROOT.'/includes/scriptaculous/lib/prototype'.$mini.$ext.'"></script>'."\n";
-			}
 		}
 
 		// Output module javascript