lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix SQL injection

Browse Source
This commit is contained in:
Laurent Destailleur 2019-05-21 14:39:38 +02:00
parent 61ead06950
commit 5131e7a5b7
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
htdocs/cashdesk/facturation_verif.php
View File

@ -49,11 +49,11 @@ switch($action)
// Recuperation des donnees en fonction de la source (liste deroulante ou champ texte) ...
if ( $_POST['hdnSource'] == 'LISTE' )
{
$sql.= " AND p.rowid = ".$_POST['selProduit'];
$sql.= " AND p.rowid = ".((int) GETPOST('selProduit', 'int'));
}
else if ( $_POST['hdnSource'] == 'REF' )
{
$sql.= " AND p.ref = '".$_POST['txtRef']."'";
$sql.= " AND p.ref = '".$db->escape(GETPOST('txtRef', 'alpha'))."'";
}
$result = $db->query($sql);