box_project_opportunities.php : Sanitize a string for SQL forging

This commit is contained in:
NextGestion 2023-05-06 10:19:08 +01:00
parent cb11b6c4a7
commit d40a0ff32a
2 changed files with 2 additions and 2 deletions


@ -106,7 +106,7 @@ class box_project extends ModeleBoxes
$sql .= " FROM ".MAIN_DB_PREFIX."projet as p";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s on p.fk_soc = s.rowid";
$sql .= " WHERE p.entity IN (".getEntity('project').")"; // Only current entity or severals if permission ok
$sql .= " AND p.fk_statut = ".(int) $projectstatic::STATUS_VALIDATED; // Only open projects
$sql .= " AND p.fk_statut = ".((int) $projectstatic::STATUS_VALIDATED); // Only open projects
if (empty($user->rights->projet->all->lire)) {
$sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")"; // public and assigned to, or restricted to company for external users
}


@ -111,7 +111,7 @@ class box_project_opportunities extends ModeleBoxes
$sql .= " WHERE p.entity IN (".getEntity('project').")"; // Only current entity or severals if permission ok
$sql .= " AND p.usage_opportunity = 1";
$sql .= " AND p.fk_opp_status > 0";
$sql .= " AND p.fk_statut IN (".$projectstatic::STATUS_DRAFT.", ".$projectstatic::STATUS_VALIDATED.")"; // draft and open projects
$sql .= " AND p.fk_statut IN (".$this->db->sanitize($projectstatic::STATUS_DRAFT.", ".$projectstatic::STATUS_VALIDATED).")"; // draft and open projects
//$sql .= " AND p.fk_statut = ".((int) $projectstatic::STATUS_VALIDATED); // Only open projects
if (empty($user->rights->projet->all->lire)) {
$sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")"; // public and assigned to, or restricted to company for external users
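Review bot: Wrapping the two `STATUS_*` class constants in `$this->db->sanitize()` on the `p.fk_statut IN (...)` line is the wrong tool for integer constants, because a character-whitelist sanitizer can silently rewrite the list (dropping the comma or the space would turn `0, 1` into `01` without any error), whereas an explicit integer cast per value makes the intent and the result exact. The sibling file in this commit already uses the cast form on its `fk_statut` line, so the same style here would be `$sql .= " AND p.fk_statut IN (".((int) $projectstatic::STATUS_DRAFT).", ".((int) $projectstatic::STATUS_VALIDATED).")"; // draft and open projects`. This assumes the sanitize() line is the new side, as the commit title suggests; the enclosing method starts and ends outside the hunk.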