
Add more robust php unit to detect not escaped sql. Fix not escaped sql

This commit is contained in:
Laurent Destailleur
2017-09-15 15:41:07 +02:00
parent 77056d9adb
commit 5e34b121dd
63 changed files with 420 additions and 438 deletions


@@ -45,7 +45,7 @@ class Import
var $error;
var $errors;
/**
* Constructor
@@ -242,7 +242,7 @@ class Import
$sql = 'INSERT INTO '.MAIN_DB_PREFIX.'import_model (';
$sql.= 'fk_user, label, type, field';
$sql.= ')';
$sql.= " VALUES (".($user->id > 0 ? $user->id : 0).", '".$this->db->escape($this->model_name)."', '".$this->datatoimport."', '".$this->hexa."')";
$sql.= " VALUES (".($user->id > 0 ? $user->id : 0).", '".$this->db->escape($this->model_name)."', '".$this->db->escape($this->datatoimport)."', '".$this->db->escape($this->hexa)."')";
dol_syslog(get_class($this)."::create", LOG_DEBUG);
$resql=$this->db->query($sql);