Fix: security sql injection

Laurent Destailleur 2013-10-07 22:49:33 +02:00
parent 47a9837046
commit 3f94af792b
2 changed files with 3 additions and 3 deletions


@ -114,7 +114,7 @@ if ($action == 'add' || $action == 'update')
// Update address
else if ($action == 'update')
{
$result = $object->update($_POST["id"], $socid, $user);
$result = $object->update($id, $socid, $user);
if ($result >= 0)
{
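Review bot: Swapping `$_POST["id"]` for `$id` on the update call only closes the injection if `$id` is sanitised where it is assigned, and that assignment is outside this hunk (presumably a `GETPOST('id', 'int')` earlier in the file — confirm). If it is a plain `GETPOST('id')` or a raw superglobal read, the untrusted value still reaches the string-built query in `Address::update()` unchanged. An explicit cast at the call site, `$result = $object->update((int) $id, $socid, $user);`, would make the contract visible here regardless of how `$id` is populated. `$socid` is passed through unchanged as well and is interpolated into the same `WHERE` clause, so it deserves the same treatment. The enclosing `if ($action == 'add' || $action == 'update')` block begins before this hunk.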


@ -192,12 +192,12 @@ class Address
$sql.= ", address = ".($this->address?"'".$this->db->escape($this->address)."'":"null");
$sql.= ", zip = ".($this->zip?"'".$this->db->escape($this->zip)."'":"null");
$sql.= ", town = ".($this->town?"'".$this->db->escape($this->town)."'":"null");
$sql.= ", fk_pays = '" . ($this->country_id?$this->country_id:'0') ."'";
$sql.= ", fk_pays = '" . ($this->country_id?$this->db->escape($this->country_id):'0') ."'";
$sql.= ", note = ".($this->note?"'".$this->db->escape($this->note)."'":"null");
$sql.= ", phone = ".($this->phone?"'".$this->db->escape($this->phone)."'":"null");
$sql.= ", fax = ".($this->fax?"'".$this->db->escape($this->fax)."'":"null");
if ($user) $sql .= ",fk_user_modif = '".$user->id."'";
$sql .= " WHERE fk_soc = '" . $socid ."' AND rowid = '" . $id ."'";
$sql .= " WHERE fk_soc = '" . $socid ."' AND rowid = '" . $this->db->escape($id) ."'";
dol_syslog(get_class($this)."::Update sql=".$sql, LOG_DEBUG);
$resql=$this->db->query($sql);
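Review bot: The rewritten `WHERE` line still concatenates `$socid` without `$this->db->escape()`, and `$user->id` two lines above is interpolated raw as well, so the same pattern the commit fixes for `$id` survives in the same statement. If `$socid` ever arrives from request input (as `$id` did at the caller) the injection is only half closed; the minimal change is `$sql .= " WHERE fk_soc = '" . $this->db->escape($socid) ."' AND rowid = '" . $this->db->escape($id) ."'";`. Since `fk_pays`, `fk_soc` and `rowid` look by name like integer keys, casting with `(int)` before interpolation would be stricter than `escape()`, which only neutralises quote characters and relies on the surrounding single quotes never being dropped. Note also that `dol_syslog` writes the full SQL at debug level, so any unescaped value ends up in logs verbatim. The `update()` body starts before and continues after this hunk.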