From 42ffb4b3e7578e0211fd2f1055e2b21d45c45286 Mon Sep 17 00:00:00 2001
From: BENKE Charles
Date: Fri, 21 Feb 2014 22:39:45 +0100
Subject: [PATCH] Update project.class.php

escape ref of project if as ' is typed inside as ref (crazy user)
---
 htdocs/projet/class/project.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/projet/class/project.class.php b/htdocs/projet/class/project.class.php
index 9924dddf4f4..18556fdec37 100644
--- a/htdocs/projet/class/project.class.php
+++ b/htdocs/projet/class/project.class.php
@@ -198,7 +198,7 @@ class Project extends CommonObject
 if (dol_strlen(trim($this->ref)) > 0)
 {
 $sql = "UPDATE " . MAIN_DB_PREFIX . "projet SET";
-$sql.= " ref='" . $this->ref . "'";
+$sql.= " ref='" . $this->db->escape($this->ref) . "'";
 $sql.= ", title = '" . $this->db->escape($this->title) . "'";
 $sql.= ", description = '" . $this->db->escape($this->description) . "'";
 $sql.= ", fk_soc = " . ($this->socid > 0 ? $this->socid : "null");
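Review bot: The last context line of the hunk still concatenates `$this->socid` into the statement with no cast, so the fix applied to `ref` leaves a sibling field in the same UPDATE built from an unvalidated value; `$this->socid > 0` is a numeric comparison, not a type check, and a string that merely starts with digits passes it. Changing that line to `$sql.= ", fk_soc = " . ($this->socid > 0 ? (int) $this->socid : "null");` would give fk_soc the same protection the commit gives ref and title. Whether socid can actually reach this method as a string depends on the callers, which are not visible here. The enclosing update method of Project starts and ends outside the hunk.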