From 615ed115343b4f49345a30589e45759d1ee3721d Mon Sep 17 00:00:00 2001 From: florian HENRY Date: Fri, 3 Aug 2018 17:09:58 +0200 Subject: [PATCH] fix bad use of test_sql_and_script_inject return int not value tested --- htdocs/core/class/html.form.class.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index 776c04bfc41..5c7091ba6e3 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -1070,7 +1070,11 @@ class Form $outarray=array(); // Clean $filter that may contains sql conditions so sql code - if (function_exists('test_sql_and_script_inject')) $filter = test_sql_and_script_inject($filter, 3); + if (function_exists('test_sql_and_script_inject')) { + if (test_sql_and_script_inject($filter, 3)>0) { + $filter =''; + } + } // On recherche les societes $sql = "SELECT s.rowid, s.nom as name, s.name_alias, s.client, s.fournisseur, s.code_client, s.code_fournisseur";