From 6e331fd45fd3216640c9072068db0469e897519b Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 29 Mar 2021 22:51:36 +0200
Subject: [PATCH] Fix CSRF for GET
---
 htdocs/main.inc.php | 2 +-
 htdocs/societe/class/societe.class.php | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index f9b8aa637d2..a6b7a024af3 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -438,7 +438,7 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->gl
 'confirm_create_user', 'confirm_create_thirdparty', 'confirm_purge', 'confirm_reject_check',
 'delete', 'deletefilter', 'deleteoperation', 'deleteprof', 'deletepayment', 'disable', 'doprev', 'donext', 'dvprev', 'dvnext',
- 'enable'
+ 'enable', 'setpricelevel'
 );
 $sensitiveget = false;
 if (in_array(GETPOST('action', 'aZ09'), $arrayofactiontoforcetokencheck)) {
diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php
index 15454f47e2c..b2387314b94 100644
--- a/htdocs/societe/class/societe.class.php
+++ b/htdocs/societe/class/societe.class.php
@@ -2285,8 +2285,8 @@ class Societe extends CommonObject
 $now = dol_now();
 $sql = "UPDATE ".MAIN_DB_PREFIX."societe";
- $sql .= " SET price_level = '".$this->db->escape($price_level)."'";
- $sql .= " WHERE rowid = ".$this->id;
+ $sql .= " SET price_level = ".((int) $price_level);
+ $sql .= " WHERE rowid = ".((int) $this->id);
 if (!$this->db->query($sql)) {
 dol_print_error($this->db);
@@ -2295,7 +2295,7 @@ class Societe extends CommonObject
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_prices";
 $sql .= " (datec, fk_soc, price_level, fk_user_author)";
- $sql .= " VALUES ('".$this->db->idate($now)."', ".$this->id.", '".$this->db->escape($price_level)."', ".$user->id.")";
+ $sql .= " VALUES ('".$this->db->idate($now)."', ".$this->id.", ".((int) $price_level).", ".$user->id.")";
 if (!$this->db->query($sql)) {
 dol_print_error($this->db);
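Review bot: The added `'setpricelevel'` entry extends a hand-maintained allowlist of action names whose GET requests must carry a valid token, and nothing in the hunk records why entries belong there, so the next state-changing action reachable via GET will be left out unless its author already knows this list exists. A comment above the array would make the contract explicit: `// State-changing actions that must present a valid CSRF token even when triggered by GET; add every new mutating GET action here.` Because the check in the last context line is an exact string match, renaming an action silently drops it out of protection. The enclosing `if` starts above the hunk.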
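Review bot: `(int) $price_level` in the new SET clause silently maps a non-numeric or empty value to 0 instead of rejecting it, so the UPDATE proceeds with a price level the caller never asked for; a guard before the query such as `if (!is_numeric($price_level)) { return -1; }` (using whatever error value the method's other paths return) — or a native `int` type on the parameter — would make invalid input fail loudly. The method's signature and any docblock sit above the hunk, so the declared parameter type could not be confirmed here. The UPDATE here and the history INSERT in the next hunk are issued as two separate statements with no transaction visible in either hunk; if none exists outside view either, a failed INSERT leaves `societe` updated while `societe_prices` has no matching row.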
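Review bot: The new VALUES line still interpolates `$this->id` and `$user->id` without the `(int)` cast that the previous hunk applied to `$this->id` in the UPDATE, so two statements of the same method treat the same identifiers inconsistently. Casting all three integer columns keeps the statement uniformly typed: `$sql .= " VALUES ('".$this->db->idate($now)."', ".((int) $this->id).", ".((int) $price_level).", ".((int) $user->id).")";`. The method body continues below the hunk.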