From a11b5b43998501dec9f1da1332bdba6f209590a5 Mon Sep 17 00:00:00 2001
From: Christophe Battarel
Date: Fri, 29 Apr 2022 10:12:53 +0200
Subject: [PATCH] escape sql string for my Travais friend
---
 htdocs/takepos/ajax/ajax.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/takepos/ajax/ajax.php b/htdocs/takepos/ajax/ajax.php
index 5e0b329676a..e15963efb9a 100644
--- a/htdocs/takepos/ajax/ajax.php
+++ b/htdocs/takepos/ajax/ajax.php
@@ -235,7 +235,7 @@ if ($action == 'getProducts') {
  $sql .= $hookmanager->resPrint;
  // load only one page of products
- $sql.= ' LIMIT '. $search_start . ',' . $search_limit;
+ $sql.= ' LIMIT '. $db->escape($search_start) . ',' . $db->escape($search_limit);
  $resql = $db->query($sql);
  if ($resql) {
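Review bot: The two values on the new `LIMIT` line are still concatenated into the query unquoted, so string escaping does not constrain them to numbers. `$db->escape()` presumably neutralises quote characters inside a string literal, which does nothing for a value that sits outside quotes. An integer cast enforces the type the clause needs: `$sql.= ' LIMIT '. ((int) $search_start) . ',' . ((int) $search_limit);`. The assignments of `$search_start` and `$search_limit` are outside the hunk, so it is not visible whether they are already validated as integers when read from the request. The enclosing `if ($action == 'getProducts')` block starts and ends outside the hunk as well.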