From 9522b12da1eb21b15844b027560440fb438dd391 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sun, 20 Sep 2020 19:33:18 +0200
Subject: [PATCH] Update api_products.class.php

---
 htdocs/product/class/api_products.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php
index 1a965ba0f8d..e736833514c 100644
--- a/htdocs/product/class/api_products.class.php
+++ b/htdocs/product/class/api_products.class.php
@@ -1360,7 +1360,7 @@ class Products extends DolibarrApi
 
         $sql = 'SELECT ';
         $sql .= 'v.fk_product_attribute, v.rowid, v.ref, v.value FROM '.MAIN_DB_PREFIX.'product_attribute_value as v';
-        $sql .= " WHERE v.fk_product_attribute IN (SELECT rowid FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref LIKE '".trim($ref)."')";
+        $sql .= " WHERE v.fk_product_attribute IN (SELECT rowid FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref LIKE '".$this->db->escape(trim($ref))."')";
 
         $resql = $this->db->query($sql);