From 2c4e6da36a68f1e6da880585e3dc4ee2535a7d25 Mon Sep 17 00:00:00 2001
From: jpb
Date: Mon, 19 Apr 2021 14:02:46 +0200
Subject: [PATCH] add escape to date
---
 htdocs/multicurrency/multicurrency_rate.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/multicurrency/multicurrency_rate.php b/htdocs/multicurrency/multicurrency_rate.php
index 7445a6ed274..373d2a23304 100644
--- a/htdocs/multicurrency/multicurrency_rate.php
+++ b/htdocs/multicurrency/multicurrency_rate.php
@@ -299,7 +299,7 @@ $sql .= ' FROM '.MAIN_DB_PREFIX.'multicurrency_rate as cr ';
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."multicurrency AS m ON cr.fk_multicurrency = m.rowid";
 if ($sall) $sql .= natural_search(array_keys($fieldstosearchall), $sall);
 if ($search_date_sync && $search_date_sync_end ) {
- $sql .= " AND (cr.date_sync BETWEEN '".$db->idate($search_date_sync)."' AND '".$db->idate($search_date_sync_end)."')";
+ $sql .= " AND (cr.date_sync BETWEEN '".$db->escape($db->idate($search_date_sync))."' AND '".$db->escape($db->idate($search_date_sync_end))."')";
 } elseif ($search_date_sync && !$search_date_sync_end) {
 $sql .= natural_search('cr.date_sync', $db->idate($search_date_sync));
 }
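Review bot: The escaping is applied only in the BETWEEN branch; the `elseif` branch directly below still passes `$db->idate($search_date_sync)` into `natural_search()` unwrapped, so the two date paths now follow different quoting rules. If `natural_search()` escapes its criterion internally (not visible in this hunk), a one-line comment such as `// natural_search() escapes the value itself` would make that explicit; otherwise that branch needs the same treatment. The stronger guarantee is that `$search_date_sync` and `$search_date_sync_end` are integer timestamps before they reach `idate()`; they are assigned outside the hunk, so that is worth confirming where they are read from the request. The surrounding statement run starts and ends outside the hunk.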