
Fix protect use of sanitize to make sql injection

This commit is contained in:
ldestailleur
2025-03-06 03:29:54 +01:00
parent ca9763afc1
commit caead5de9f
5 changed files with 51 additions and 9 deletions


@@ -162,7 +162,7 @@ class TaskStats extends Stats
$sqlwhere[] = " t.datec BETWEEN '".$this->db->idate(dol_get_first_day($this->year, $this->month))."' AND '".$this->db->idate(dol_get_last_day($this->year, $this->month))."'";
}
if (!empty($this->priority)) {
$sqlwhere[] = " t.priority IN (".$this->db->sanitize((string) $this->priority, 1).")";
$sqlwhere[] = " t.priority = ".((int) $this->priority);
}
if (count($sqlwhere) > 0) {