From ce9c3b6738620eac8c030f5c271a330ea4426889 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 25 Feb 2006 12:13:26 +0000
Subject: [PATCH] Fix: bug #15799

---
 htdocs/contrat/liste.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/htdocs/contrat/liste.php b/htdocs/contrat/liste.php
index c0fab12dc0e..85dcf946f29 100644
--- a/htdocs/contrat/liste.php
+++ b/htdocs/contrat/liste.php
@@ -1,6 +1,6 @@
- * Copyright (C) 2004-2005 Laurent Destailleur
+ * Copyright (C) 2004-2006 Laurent Destailleur
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -71,10 +71,10 @@ $sql.= " c.rowid as cid, c.ref, c.datec, c.statut, s.nom, s.idp as sidp";
 $sql.= " FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."contrat as c";
 $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."contratdet as cd ON c.rowid = cd.fk_contrat";
 $sql.= " WHERE c.fk_soc = s.idp ";
-if ($search_nom) $sql.= " AND s.nom like '%".$search_nom."%'";
-if ($search_contract) $sql.= " AND c.rowid = '".$search_contract."'";
-if ($sall) $sql.= " AND (s.nom like '%".$sall."%' OR cd.label like '%".$sall."%' OR cd.description like '%".$sall."%')";
-if ($socid > 0) $sql.= " AND s.idp = $socid";
+if ($search_nom) $sql.= " AND s.nom like '%".addslashes($search_nom)."%'";
+if ($search_contract) $sql.= " AND c.rowid = '".addslashes($search_contract)."'";
+if ($sall) $sql.= " AND (s.nom like '%".addslashes($sall)."%' OR cd.label like '%".addslashes($sall)."%' OR cd.description like '%".addslashes($sall)."%')";
+if ($socid > 0) $sql.= " AND s.idp = ".$socid;
 $sql.= " GROUP BY c.rowid, c.datec, c.statut, s.nom, s.idp";
 $sql.= " ORDER BY $sortfield $sortorder";
 $sql.= $db->plimit($limit + 1 ,$offset);
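Review bot: The new `s.idp = ".$socid` line is still an injection point, because the `$socid > 0` guard is a numeric comparison that a leading-numeric string such as `1 OR 1=1` passes (it converts to 1 for the comparison) while the raw string is then concatenated into the SQL unquoted; the same applies to `$search_contract`, which compares against the integer column `c.rowid` yet is only passed through `addslashes()`. Both should be coerced rather than escaped: `if ($search_contract) $sql.= " AND c.rowid = ".(int) $search_contract;` and `if ($socid > 0) $sql.= " AND s.idp = ".(int) $socid;`. For the `LIKE` filters on `$search_nom` and `$sall`, `addslashes()` is not a database escaper — it is not connection-charset-aware (known bypasses exist with multibyte charsets) and it leaves the `%` and `_` wildcards unescaped — so the `$db` abstraction's own escaping should be used if it provides one, which I cannot confirm from this hunk. Note also that the `ORDER BY $sortfield $sortorder` context line a few lines below still interpolates unvalidated variables; it is not part of this change, but if those come from the request they should be checked against an allow-list of column names. The statement run that builds `$sql` starts before this hunk, so the origin of these variables is not visible here.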