lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix SQL injection on type parameter in list of events

Browse Source
This commit is contained in:
Laurent Destailleur 2019-12-31 17:52:28 +01:00
parent 08d0d63a04
commit d2efe1d427
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/comm/action/list.php
View File

@ -301,7 +301,7 @@ if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND (a.fk_soc I
if ($socid > 0) $sql.= " AND s.rowid = ".$socid;
// We must filter on assignement table
if ($filtert > 0 || $usergroup > 0) $sql.= " AND ar.fk_actioncomm = a.id AND ar.element_type='user'";
if ($type) $sql.= " AND c.id = ".$type;
if ($type) $sql.= " AND c.id = ".(int) $type;
if ($status == '0') { $sql.= " AND a.percent = 0"; }
if ($status == '-1') { $sql.= " AND a.percent = -1"; } // Not applicable
if ($status == '50') { $sql.= " AND (a.percent > 0 AND a.percent < 100)"; } // Running already started