lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix SQLi

Browse Source
This commit is contained in:
Laurent Destailleur 2018-03-15 02:12:01 +01:00
parent 4957ea9178
commit c4eea1f0e0
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
htdocs/core/class/translate.class.php
View File

@ -895,7 +895,7 @@ class Translate
$sql = "SELECT ".$fieldlabel." as label";
$sql.= " FROM ".MAIN_DB_PREFIX.$tablename;
$sql.= " WHERE ".$fieldkey." = '".($keyforselect?$keyforselect:$key)."'";
$sql.= " WHERE ".$fieldkey." = '".$db->escape($keyforselect?$keyforselect:$key)."'";
if ($filteronentity) $sql.= " AND entity IN (" . getEntity($tablename). ')';
dol_syslog(get_class($this).'::getLabelFromKey', LOG_DEBUG);
$resql = $db->query($sql);
@ -977,7 +977,7 @@ class Translate
$sql = "SELECT code_iso, label, unicode";
$sql.= " FROM ".MAIN_DB_PREFIX."c_currencies";
$sql.= " WHERE active = 1";
if (! empty($currency_code)) $sql.=" AND code_iso = '".$currency_code."'";
if (! empty($currency_code)) $sql.=" AND code_iso = '".$db->escape($currency_code)."'";
//$sql.= " ORDER BY code_iso ASC"; // Not required, a sort is done later
dol_syslog(get_class($this).'::loadCacheCurrencies', LOG_DEBUG);