Fix escape

2019-08-27 14:10:23 +02:00
parent 1dccd27b8f
commit 3eb32360ce
1 changed files with 1 additions and 1 deletions
--- a/htdocs/commande/class/commande.class.php
+++ b/htdocs/commande/class/commande.class.php
@@ -365,7 +365,7 @@ class Commande extends CommonOrder

 		// Validate
 		$sql = "UPDATE ".MAIN_DB_PREFIX."commande";
-		$sql.= " SET ref = '".$num."',";
+		$sql.= " SET ref = '".$this->db->escape($num)."',";
 		$sql.= " fk_statut = ".self::STATUS_VALIDATED.",";
 		$sql.= " date_valid='".$this->db->idate($now)."',";
 		$sql.= " fk_user_valid = ".$user->id;