From 37ce5d9fca25ad67a4988f3fd733bd76b631a431 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 10 Apr 2012 01:25:52 +0200
Subject: [PATCH] Revert code because it does not fix security hole completely. Also it does work on origin but at a transition level. Sanitizing for command line data must not appears inside a function used for http data. I prefer fixing this at the source and also using a rule that clean all attacks completely instead of a rule that clean "most problem but not all".

---
 htdocs/admin/tools/export.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/admin/tools/export.php b/htdocs/admin/tools/export.php
index 644af28bbf6..9aed78a84ef 100644
--- a/htdocs/admin/tools/export.php
+++ b/htdocs/admin/tools/export.php
@@ -127,7 +127,7 @@ if ($what == 'mysql')
 if (! empty($dolibarr_main_db_port)) $param.=" -P ".$dolibarr_main_db_port;
 if (! GETPOST("use_transaction")) $param.=" -l --single-transaction";
 if (GETPOST("disable_fk")) $param.=" -K";
-if (GETPOST("sql_compat") && GETPOST("sql_compat") != 'NONE') $param.=" --compatible=".GETPOST("sql_compat","alpha");
+if (GETPOST("sql_compat") && GETPOST("sql_compat") != 'NONE') $param.=" --compatible=".preg_replace('/[^a-zA-Z0-9]/','',GETPOST("sql_compat","alpha"));
 if (GETPOST("drop_database")) $param.=" --add-drop-database";
 if (GETPOST("sql_structure")) {
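Review bot: The restored whitelist on the `+` line strips disallowed characters instead of rejecting the request, so an unexpected value is silently rewritten and still appended to `$param` as `--compatible=`; validating against the known set of compatibility modes (or refusing when the filtered value differs from the raw one) would fail closed, and wrapping the result in `escapeshellarg()` is the conventional guard for a shell argument whatever the filter does. The `!= 'NONE'` test is made on the unfiltered `GETPOST("sql_compat")` while the appended value is the filtered one; fetching once, e.g. `$sql_compat = preg_replace('/[^a-zA-Z0-9]/', '', GETPOST("sql_compat", "alpha"));` followed by `if ($sql_compat && $sql_compat != 'NONE') $param .= " --compatible=".escapeshellarg($sql_compat);`, keeps the two consistent and reads the request only once. `$dolibarr_main_db_port` on the first context line is concatenated unescaped as well; it appears to come from configuration rather than the request, so the risk is lower, but the same `escapeshellarg()` treatment would cost nothing. The enclosing `if ($what == 'mysql')` block and the point where `$param` is handed to the external command (presumably mysqldump, judging by the flags) are outside the hunk.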