Fix sql error

This commit is contained in:
Laurent Destailleur 2021-03-29 21:17:41 +02:00
parent 0d5c613008
commit d93fbcd00b
2 changed files with 2 additions and 2 deletions


@ -653,7 +653,7 @@ class ProductFournisseur extends Product
$sql .= " WHERE pfp.entity IN (".getEntity('productsupplierprice').")";
$sql .= " AND pfp.fk_soc = s.rowid AND pfp.fk_product = p.rowid";
$sql .= " AND s.status=1"; // only enabled company selected
$sql .= " AND pfp.fk_product = ".$prodid;
$sql .= " AND pfp.fk_product = ".((int) $prodid);
if (empty($sortfield)) {
$sql .= " ORDER BY s.nom, pfp.quantity, pfp.price";
} else {
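Review bot: The `(int)` cast on the new `pfp.fk_product` predicate removes the raw-concatenation path through `$prodid`, but a non-numeric or empty value now silently becomes `0`, so the query returns no rows rather than signalling a bad argument; consider rejecting it before the SQL is built, e.g. `if ((int) $prodid <= 0) { return -1; }` in whatever error convention the method uses (its start is outside the hunk). The `else` branch on the last line continues outside the hunk; if it concatenates `$sortfield` into the ORDER BY clause, that value needs its own allow-list check since an int cast cannot be applied to a column name. The same cast-on-concatenation pattern is what the second hunk's companion change addresses for `testSqlAndScriptInject`, so a short comment such as `// cast to int: $prodid may originate from request parameters` on the new line would document why the cast is there.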


@ -150,7 +150,7 @@ function testSqlAndScriptInject($val, $type)
$inj += preg_match('/"/i', $val); // We refused " in GET parameters value.
}
if ($type == 2) {
$inj += preg_match('/[:;"\'<>\?\(\)]/', $val); // PHP_SELF is a file system (or url path without parameters). It can contains spaces.
$inj += preg_match('/[:;"\'<>\?\(\){}\$%]/', $val); // PHP_SELF is a file system (or url path without parameters). It can contains spaces.
}
return $inj;