From ac674aae6af79d077516390f2e632f7a3fbb50e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20FRANCE?=
Date: Mon, 2 Dec 2019 20:45:28 +0100
Subject: [PATCH] Update product.class.php

---
 htdocs/product/class/product.class.php | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index 68675b3e9dd..e6ffd8888b3 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
@@ -1308,7 +1308,7 @@ class Product extends CommonObject
 $sql = "SELECT rowid";
 $sql .= " FROM ".MAIN_DB_PREFIX."product_lang";
 $sql .= " WHERE fk_product=".$this->id;
- $sql .= " AND lang='".$key."'";
+ $sql .= " AND lang='".$this->db->escape($key)."'";
 
 $result = $this->db->query($sql);
 
@@ -1330,7 +1330,8 @@ class Product extends CommonObject
 $sql2 .= ")";
 $sql2 .= " VALUES(".$this->id.",'".$this->db->escape($key)."','".$this->db->escape($this->label)."',";
 $sql2 .= " '".$this->db->escape($this->description)."'";
- if (!empty($conf->global->PRODUCT_USE_OTHER_FIELD_IN_TRANSLATION)) { $sql2 .= ", '".$this->db->escape($this->other)."'";
+ if (!empty($conf->global->PRODUCT_USE_OTHER_FIELD_IN_TRANSLATION)) {
+ $sql2 .= ", '".$this->db->escape($this->other)."'";
 }
 $sql2 .= ")";
 }
@@ -1344,7 +1345,7 @@ class Product extends CommonObject
 $sql = "SELECT rowid";
 $sql .= " FROM ".MAIN_DB_PREFIX."product_lang";
 $sql .= " WHERE fk_product=".$this->id;
- $sql .= " AND lang='".$key."'";
+ $sql .= " AND lang='".$this->db->escape($key)."'";
 
 $result = $this->db->query($sql);
 
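Review bot: `$this->id` is still concatenated unescaped into the `WHERE fk_product=` clause one line above the newly escaped `lang` comparison, so this hunk closes the string-operand injection but leaves the numeric operand unprotected; cast it, `$sql .= " WHERE fk_product=".((int) $this->id);`. `$this->db->escape()` only makes sense for the quoted string operand, so an integer column needs the cast rather than escaping. The enclosing method starts and ends outside the hunk, so whether `$this->id` is validated earlier cannot be confirmed here.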
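Review bot: The `VALUES(".$this->id.",'` fragment in this hunk interpolates the product id without a cast while every string operand on the same line goes through `$this->db->escape()`; write `$sql2 .= " VALUES(".((int) $this->id).",'".$this->db->escape($key)."','".$this->db->escape($this->label)."',";`. The column list for this INSERT sits above the hunk, so whether it adds a matching column when `PRODUCT_USE_OTHER_FIELD_IN_TRANSLATION` appends the extra value cannot be checked from here. `$conf` is read as a global inside the method; the `global $conf;` declaration, if present, is also outside the hunk.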
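Review bot: This existence query is a verbatim copy of the one at line 1308, and the missing escaping had to be fixed in both places in this same commit, which is a sign the lookup should be a single private helper. A method such as `private function getProductLangRowid($key)` that builds the escaped SELECT once and returns the rowid (or 0 when absent) would give both the insert and update paths one query to maintain. As with the first copy, `$this->id` is still interpolated uncast and should become `" WHERE fk_product=".((int) $this->id)`.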
@@ -1354,7 +1355,8 @@ class Product extends CommonObject
 $sql2 .= " SET ";
 $sql2 .= " label='".$this->db->escape($this->multilangs["$key"]["label"])."',";
 $sql2 .= " description='".$this->db->escape($this->multilangs["$key"]["description"])."'";
- if (!empty($conf->global->PRODUCT_USE_OTHER_FIELD_IN_TRANSLATION)) { $sql2 .= ", note='".$this->db->escape($this->multilangs["$key"]["other"])."'";
+ if (!empty($conf->global->PRODUCT_USE_OTHER_FIELD_IN_TRANSLATION)) {
+ $sql2 .= ", note='".$this->db->escape($this->multilangs["$key"]["other"])."'";
 }
 $sql2 .= " WHERE fk_product=".$this->id." AND lang='".$this->db->escape($key)."'";
 }
@@ -1366,7 +1368,8 @@ class Product extends CommonObject
 $sql2 .= ")";
 $sql2 .= " VALUES(".$this->id.",'".$this->db->escape($key)."','".$this->db->escape($this->multilangs["$key"]["label"])."',";
 $sql2 .= " '".$this->db->escape($this->multilangs["$key"]["description"])."'";
- if (!empty($conf->global->PRODUCT_USE_OTHER_FIELD_IN_TRANSLATION)) { $sql2 .= ", '".$this->db->escape($this->multilangs["$key"]["other"])."'";
+ if (!empty($conf->global->PRODUCT_USE_OTHER_FIELD_IN_TRANSLATION)) {
+ $sql2 .= ", '".$this->db->escape($this->multilangs["$key"]["other"])."'";
 }
 $sql2 .= ")";
 }
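Review bot: `$this->multilangs["$key"]["other"]` in the added `note=` line is read without checking that the index exists, so a translation entry that carries only `label` and `description` raises an undefined-index notice whenever `PRODUCT_USE_OTHER_FIELD_IN_TRANSLATION` is set; guard it, `$other = isset($this->multilangs[$key]['other']) ? $this->multilangs[$key]['other'] : '';` and then `$sql2 .= ", note='".$this->db->escape($other)."'";`. Whether the array is always populated with `other` earlier in the method cannot be seen from the hunk. The quoted-key form `["$key"]` is equivalent to `[$key]` and only obscures that a plain variable is used. The `WHERE fk_product=".$this->id."` on the last changed line also interpolates the id without an `(int)` cast.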
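Review bot: The INSERT in this hunk repeats the one at line 1330 almost line for line, with `$this->label`, `$this->description` and `$this->other` swapped for the `$this->multilangs["$key"]` entries, so the uncast `VALUES(".$this->id."` and the conditional extra column now live in two places that must be kept in step by hand. A private helper taking the key, label, description and other text and building the escaped INSERT once, with `((int) $this->id)` for the id, would keep the two paths from drifting. The `["other"]` index is again read unguarded here; an `isset()` check before the access avoids a notice when the translation has no `other` field.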