From 348ab4765cf16fdceb7533c0fb22be6c87626c37 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 6 Sep 2019 15:20:04 +0200
Subject: [PATCH] Fix sql injection

---
 htdocs/categories/viewcat.php | 2 +-
 htdocs/product/class/product.class.php | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/htdocs/categories/viewcat.php b/htdocs/categories/viewcat.php
index a7170b799a2..a7a0767c6b5 100644
--- a/htdocs/categories/viewcat.php
+++ b/htdocs/categories/viewcat.php
@@ -40,7 +40,7 @@ $type = GETPOST('type', 'az09');
 $action=GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
 $removeelem = GETPOST('removeelem', 'int');
-$elemid = GETPOST('elemid', 'alpha');
+$elemid = GETPOST('elemid', 'int');
 
 if ($id == "" && $label == "")
 {
diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index 9c515d619c6..dd5544a9a06 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
@@ -284,14 +284,14 @@ class Product extends CommonObject
 * @var int
 */
 public $barcode_type;
-
+
 /**
 * Main Barcode type code
 *
 * @var string
 */
 public $barcode_type_code;
-
+
 /**
 * Additional barcodes (Some products have different barcodes according to the country of origin of manufacture)
 *
@@ -2052,7 +2052,7 @@ class Product extends CommonObject
 $sql.= " fk_price_expression, price_autogen";
 $sql.= " FROM ".MAIN_DB_PREFIX."product";
 if ($id) {
-$sql.= " WHERE rowid = ".$this->db->escape($id);
+$sql.= " WHERE rowid = ".(int) $id;
 } else {
 $sql.= " WHERE entity IN (".getEntity($this->element).")";
 if ($ref) {
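Review bot: Switching `elemid` to the `'int'` filter closes the injection at the input edge, but the protection now rests entirely on the GETPOST filter, and the places that splice `$elemid` into SQL are outside this hunk. Those use sites should cast as well, `(int) $elemid`, so that a later change to the filter mode on this line cannot silently reopen the hole. If the `'int'` mode returns the value already cast (it appears to in this codebase, worth confirming), a non-numeric request value arrives here as `0` rather than being rejected, so the handlers must treat `0` as "no element selected" and not as a valid row id.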
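Review bot: The new `(int) $id` cast and the `if ($id)` guard two lines above evaluate different values: a malformed id such as `"12abc"` or `"abc"` is truthy, passes the guard, and then becomes `12` or `0` in the WHERE clause, so the query silently targets another row or nothing instead of the caller's intent. Normalising once at the top of the method, `$id = (int) $id;`, keeps guard and query in agreement, but the else branch's behaviour when `$ref` is also empty is outside the hunk and should be checked before relying on the fallthrough. The enclosing fetch method starts and ends outside the hunk; if its docblock does not already declare `@param int $id`, it should, and the string-keyed branches below (`$ref` and any others) presumably still need `escape()` together with quoting, since the cast only covers the integer path.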