FIX missing escape()

2022-04-22 08:47:57 +02:00 · 2022-04-22 08:47:57 +02:00 · 2f03a15956
commit 2f03a15956
parent b58c1c37db
1 changed files with 1 additions and 1 deletions
--- a/htdocs/mrp/ajax/interface.php
+++ b/htdocs/mrp/ajax/interface.php
@ -61,7 +61,7 @@ if ($action == 'updateselectbatchbywarehouse' && $permissiontoproduce) {
 	$sql .= " JOIN " . MAIN_DB_PREFIX . "product_stock as ps on ps.rowid = pb.fk_product_stock";
 	$sql .= " JOIN " . MAIN_DB_PREFIX . "entrepot as e on e.rowid = ps.fk_entrepot AND e.entity IN (" . getEntity('stock') . ")";
 	$sql .= " WHERE ps.fk_product = " .((int) $fk_product);
-	if ($batch) $sql.= " AND pb.batch = '" . $batch . "'";
+	if ($batch) $sql.= " AND pb.batch = '" . $db->escape($batch) . "'";
 	$sql .= " ORDER BY e.ref, pb.batch";

 	$resql = $db->query($sql);