From 2bbf738cb8214186a8a7f10829939bac7f4b3a8a Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 16 Mar 2018 18:20:28 +0100 Subject: [PATCH] FIX Sql escape --- htdocs/core/class/html.formmail.class.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/core/class/html.formmail.class.php b/htdocs/core/class/html.formmail.class.php index 55345d68cc7..f562d36e2a1 100644 --- a/htdocs/core/class/html.formmail.class.php +++ b/htdocs/core/class/html.formmail.class.php @@ -1011,8 +1011,8 @@ class FormMail extends Form $sql.= " AND entity IN (".getEntity('c_email_templates').")"; $sql.= " AND (private = 0 OR fk_user = ".$user->id.")"; // Get all public or private owned if ($active >= 0) $sql.=" AND active = ".$active; - if ($label) $sql.=" AND label ='".$this->db->escape($label)."'"; - if (is_object($outputlangs)) $sql.= " AND (lang = '".$outputlangs->defaultlang."' OR lang IS NULL OR lang = '')"; + if ($label) $sql.=" AND label ='".$db->escape($label)."'"; + if (is_object($outputlangs)) $sql.= " AND (lang = '".$db->escape($outputlangs->defaultlang)."' OR lang IS NULL OR lang = '')"; if ($id > 0) $sql.= " AND rowid=".$id; if ($id == -1) $sql.= " AND position=0"; if (is_object($outputlangs)) $sql.= $db->order("position,lang,label","ASC,DESC,ASC"); // We want line with lang set first, then with lang null or ''