From 717a1daf28ad5a9bdcf6c98a6be5d879a34d24af Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 12 Mar 2018 20:26:47 +0100
Subject: [PATCH] Fix sql injection

---
 htdocs/ticketsup/class/ticketsup.class.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/htdocs/ticketsup/class/ticketsup.class.php b/htdocs/ticketsup/class/ticketsup.class.php
index b76cb9a0861..34fc63f8366 100644
--- a/htdocs/ticketsup/class/ticketsup.class.php
+++ b/htdocs/ticketsup/class/ticketsup.class.php
@@ -894,12 +894,12 @@ class Ticketsup extends CommonObject
 if (!$error) {
 $sql = "DELETE FROM " . MAIN_DB_PREFIX . "ticketsup_logs";
- $sql .= " WHERE fk_track_id = '" . $this->track_id . "'";
+ $sql .= " WHERE fk_track_id = '" . $this->db->escape($this->track_id) . "'";
 $resql = $this->db->query($sql);
 }
 if (!$error) {
 $sql = "DELETE FROM " . MAIN_DB_PREFIX . "ticketsup_msg";
- $sql .= " WHERE fk_track_id = '" . $this->track_id . "'";
+ $sql .= " WHERE fk_track_id = '" . $this->db->escape($this->track_id) . "'";
 $resql = $this->db->query($sql);
 }
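Review bot: Both DELETE statements in this hunk discard their result — `$resql = $this->db->query($sql);` is never checked — so a failed cleanup of `ticketsup_logs` leaves `$error` untouched and the second DELETE, and whatever the enclosing method does afterwards, proceed as if the rows were gone. Since the guards are already written as `if (!$error)`, the fix is to set it at each site: `$resql = $this->db->query($sql); if (!$resql) { $error++; $this->error = $this->db->lasterror(); }`. The `escape()` wrapping is the right idiom for a value inside single quotes as here; if `track_id` were ever used in an unquoted numeric context, a cast rather than `escape()` would be needed, which this commit does not have to address. The enclosing method begins and ends outside the hunk, so whether `$error` is acted on (e.g. a rollback) after this point cannot be confirmed from here.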