Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Add more robust php unit to detect not escaped sql. Fix not escaped sql

Browse Source
This commit is contained in:
Laurent Destailleur
2017-09-15 15:41:07 +02:00
parent 77056d9adb
commit 5e34b121dd
63 changed files with 420 additions and 438 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
htdocs/core/modules/fichinter/mod_pacific.php
View File

@@ -74,7 +74,7 @@ class mod_pacific extends ModeleNumRefFicheinter
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."fichinter";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " WHERE entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -110,7 +110,7 @@ class mod_pacific extends ModeleNumRefFicheinter
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."fichinter";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);