FIX SQL injection on user/index.php parameter search_statut.

Conflicts: htdocs/user/index.php
2017-05-29 09:57:05 +02:00
parent cc37a7d848
commit d037515e37
2 changed files with 32 additions and 29 deletions
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -250,6 +250,9 @@ function GETPOST($paramname,$check='',$method=0,$filter=NULL,$options=NULL)
 	        case 'int':
 	            if (! is_numeric($out)) { $out=''; }
 	            break;
+	        case 'intcomma':
+	            if (preg_match('/[^0-9,]+/i',$out)) $out='';
+	            break;
 	        case 'alpha':
 	            $out=trim($out);
 	            // '"' is dangerous because param in url can close the href= or src= and add javascript functions.