From 42e28941d03f8436f314c6f1d261eeaa35bfb1a0 Mon Sep 17 00:00:00 2001
From: Gauthier PC portable 024
Date: Mon, 25 Jan 2021 10:22:31 +0100
Subject: [PATCH] FIX : sql db escape missing

---
 htdocs/compta/tva/class/tva.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/compta/tva/class/tva.class.php b/htdocs/compta/tva/class/tva.class.php
index 76a4001d1b4..2db413cbf9d 100644
--- a/htdocs/compta/tva/class/tva.class.php
+++ b/htdocs/compta/tva/class/tva.class.php
@@ -470,7 +470,7 @@ class Tva extends CommonObject
 $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn as f";
 if ($year) {
- $sql .= " WHERE f.datef >= '".$year."-01-01' AND f.datef <= '".$year."-12-31' ";
+ $sql .= " WHERE f.datef >= '".$this->db->escape($year)."-01-01' AND f.datef <= '".$this->db->escape($year)."-12-31' ";
 }
 $result = $this->db->query($sql);
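Review bot: Wrapping `$year` in `$this->db->escape()` on the added line only neutralises quote characters, but the value is spliced into a date literal where anything other than a four-digit year is already invalid, so a numeric cast is the tighter and more readable guard: `$sql .= " WHERE f.datef >= '".((int) $year)."-01-01' AND f.datef <= '".((int) $year)."-12-31' ";`. A cast also makes the `if ($year)` truthiness test above it unambiguous, since a non-numeric string would otherwise pass the test and still reach the query as an escaped but meaningless date. The caller may already coerce `$year` to an integer before this point, which cannot be seen from the hunk; if so, a short comment such as `// $year is expected to be an int year (YYYY); cast defensively before building the date literal` would record that assumption next to the query. The enclosing method begins before this hunk and its result handling continues after the `$this->db->query($sql)` line.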