lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

FIX Sql escape

Browse Source
This commit is contained in:
Laurent Destailleur 2018-03-16 18:20:28 +01:00
parent 1a70e7a7c4
commit 2bbf738cb8
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
htdocs/core/class/html.formmail.class.php
View File

@ -1011,8 +1011,8 @@ class FormMail extends Form
$sql.= " AND entity IN (".getEntity('c_email_templates').")";
$sql.= " AND (private = 0 OR fk_user = ".$user->id.")"; // Get all public or private owned
if ($active >= 0) $sql.=" AND active = ".$active;
if ($label) $sql.=" AND label ='".$this->db->escape($label)."'";
if (is_object($outputlangs)) $sql.= " AND (lang = '".$outputlangs->defaultlang."' OR lang IS NULL OR lang = '')";
if ($label) $sql.=" AND label ='".$db->escape($label)."'";
if (is_object($outputlangs)) $sql.= " AND (lang = '".$db->escape($outputlangs->defaultlang)."' OR lang IS NULL OR lang = '')";
if ($id > 0) $sql.= " AND rowid=".$id;
if ($id == -1) $sql.= " AND position=0";
if (is_object($outputlangs)) $sql.= $db->order("position,lang,label","ASC,DESC,ASC"); // We want line with lang set first, then with lang null or ''