From d6cd54fda7544c0cb35a4d6d28ab4af74eccfc27 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Tue, 10 Apr 2012 01:31:21 +0200
Subject: [PATCH] Revert code because it does not fix security hole completely.
 Also it does work on origin but at a transition level. Sanitizing for command
 line data must not appears inside a function used for http data. I prefer
 fixing this at the source and also using a rule that clean all attacks
 completely instead of a rule that clean "most problem but not all".

---
 htdocs/admin/tools/export.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/admin/tools/export.php b/htdocs/admin/tools/export.php
index f71e821496d..e9e0e66063b 100644
--- a/htdocs/admin/tools/export.php
+++ b/htdocs/admin/tools/export.php
@@ -111,7 +111,7 @@ if ($what == 'mysql')
 	if (! empty($dolibarr_main_db_port)) $param.=" -P ".$dolibarr_main_db_port;
 	if (! $_POST["use_transaction"]) $param.=" -l --single-transaction";
 	if ($_POST["disable_fk"])        $param.=" -K";
-	if ($_POST["sql_compat"] && $_POST["sql_compat"] != 'NONE') $param.=" --compatible=".GETPOST("sql_compat","alpha");
+	if ($_POST["sql_compat"] && $_POST["sql_compat"] != 'NONE') $param.=" --compatible=".preg_replace('/[^a-zA-Z0-9]/','',GETPOST("sql_compat","alpha"));
 	if ($_POST["drop_database"])     $param.=" --add-drop-database";
 	if ($_POST["sql_structure"])
 	{