diff --git a/htdocs/comm/mailing/list.php b/htdocs/comm/mailing/list.php
index 43441306e34..8ca6b889310 100644
--- a/htdocs/comm/mailing/list.php
+++ b/htdocs/comm/mailing/list.php
@@ -40,10 +40,9 @@ $pagenext = $page + 1;
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="m.date_creat";
-$sall=isset($_GET["sall"])?$_GET["sall"]:$_POST["sall"];
-$sref=isset($_GET["sref"])?$_GET["sref"]:$_POST["sref"];
-
-$filteremail=$_REQUEST["filteremail"]?$_REQUEST["filteremail"]:'';
+$sall=GETPOST("sall","alpha");
+$sref=GETPOST("sref","alpha");
+$filteremail=GETPOST('filteremail','alpha');
@@ -62,8 +61,8 @@ if ($filteremail)
 $sql.= " FROM ".MAIN_DB_PREFIX."mailing as m, ".MAIN_DB_PREFIX."mailing_cibles as mc";
 $sql.= " WHERE m.rowid = mc.fk_mailing AND m.entity = ".$conf->entity;
 $sql.= " AND mc.email = '".$db->escape($filteremail)."'";
- if ($sref) $sql.= " AND m.rowid = '".$sref."'";
- if ($sall) $sql.= " AND (m.titre like '%".$sall."%' OR m.sujet like '%".$sall."%' OR m.body like '%".$sall."%')";
+ if ($sref) $sql.= " AND m.rowid = '".$db->escape($sref)."'";
+ if ($sall) $sql.= " AND (m.titre like '%".$db->escape($sall)."%' OR m.sujet like '%".$db->escape($sall)."%' OR m.body like '%".$db->escape($sall)."%')";
 if (! $sortorder) $sortorder="ASC";
 if (! $sortfield) $sortfield="m.rowid";
 $sql.= $db->order($sortfield,$sortorder);
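Review bot: `$sref` is only ever compared against the integer column `m.rowid` (the hunks at +61 and +73), so the 'alpha' check on the new `$sref=GETPOST("sref","alpha");` line accepts far more than the column can hold; if this GETPOST version offers the 'int' check, `$sref=GETPOST("sref","int");` rejects non-numeric input at the request boundary instead of leaning on `$db->escape()` in the SQL builder. `$sall` is free-text search, so 'alpha' is appropriate there, and `$filteremail` is already escaped before use in the next hunk. The surrounding parameter-setup code starts before this hunk.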
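Review bot: `$db->escape($sall)` on the new `if ($sall)` line neutralises quote characters but not LIKE metacharacters, so a `%` or `_` typed into the search box is still read as a wildcard against `m.titre`, `m.sujet` and `m.body`, and a bare `%` matches every mailing; a literal search needs those two characters escaped as well, e.g. `$sallesc = $db->escape(str_replace(array('%', '_'), array('\%', '\_'), $sall));` computed once and used in all three LIKE clauses (the exact escape character depends on the driver, so confirm against `$db`). The same line is duplicated in the hunk at +73 and needs the same treatment. For the `$sref` line, since `m.rowid` is an integer, `" AND m.rowid = ".((int) $sref)` would be tighter than quoting an escaped string. The enclosing `if ($filteremail)` branch opens before this hunk.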
@@ -74,8 +73,8 @@ else
 $sql = "SELECT m.rowid, m.titre, m.nbemail, m.statut, m.date_creat as datec, m.date_envoi as date_envoi";
 $sql.= " FROM ".MAIN_DB_PREFIX."mailing as m";
 $sql.= " WHERE m.entity = ".$conf->entity;
- if ($sref) $sql.= " AND m.rowid = '".$sref."'";
- if ($sall) $sql.= " AND (m.titre like '%".$sall."%' OR m.sujet like '%".$sall."%' OR m.body like '%".$sall."%')";
+ if ($sref) $sql.= " AND m.rowid = '".$db->escape($sref)."'";
+ if ($sall) $sql.= " AND (m.titre like '%".$db->escape($sall)."%' OR m.sujet like '%".$db->escape($sall)."%' OR m.body like '%".$db->escape($sall)."%')";
 if (! $sortorder) $sortorder="ASC";
 if (! $sortfield) $sortfield="m.rowid";
 $sql.= $db->order($sortfield,$sortorder);
@@ -94,7 +93,7 @@ if ($result)
 $i = 0;
- $param = "&sall=".$sall;
+ $param = "&sall=".urlencode($sall);
 if ($filteremail) $param.='&filteremail='.urlencode($filteremail);
 print '
'; @@ -111,11 +110,11 @@ if ($result) print ''; print ''; - print ''; + print ''; print ''; // Title print ''; - print ''; + print ''; print ''; print ' '; if (! $filteremail) print ' ';