Fix: sql error

2013-03-04 00:01:38 +01:00 · 2013-03-04 00:01:38 +01:00 · 931b556b69
commit 931b556b69
parent 924d01249c
1 changed files with 4 additions and 4 deletions
--- a/htdocs/comm/prospect/fiche.php
+++ b/htdocs/comm/prospect/fiche.php
@ -52,19 +52,19 @@ $object = new Prospect($db);

 if ($action == 'cstc')
 {
-	$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_stcomm = ".$_GET["stcomm"];
-	$sql .= " WHERE rowid = ".$socid;
+	$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_stcomm = ".$db->escape(GETPOST('stcomm'));
+	$sql.= " WHERE rowid = ".$socid;
 	$db->query($sql);
 }
 // set prospect level
 if ($action == 'setprospectlevel' && $user->rights->societe->creer)
 {
 	$object->fetch($socid);
-	$object->fk_prospectlevel=$_POST['prospect_level_id'];
-	$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_prospectlevel='".$_POST['prospect_level_id'];
+	$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_prospectlevel='".$db->escape(GETPOST('prospect_level_id'))."'";
 	$sql.= " WHERE rowid = ".$socid;
 	$result = $db->query($sql);
 	if (! $result) dol_print_error($result);
+	else $object->fk_prospectlevel=GETPOST('prospect_level_id');
 }