fix dangerous sql injection #3327

This commit is contained in:
All-3kcis
2015-09-25 16:31:55 +02:00
parent ea7384cf68
commit 2a84afeee4
2 changed files with 3 additions and 3 deletions


@@ -384,12 +384,12 @@ if ($action == 'update' && ! $_POST["cancel"])
}
else
{
$object->entity = (empty($_POST["entity"]) ? 0 : $_POST["entity"]);
$object->entity = (GETPOST('entity', 'int') ? 0 : GETPOST('entity', 'int'));
}
}
else
{
$object->entity = (empty($_POST["entity"]) ? 0 : $_POST["entity"]);
$object->entity = (GETPOST('entity', 'int') ? 0 : GETPOST('entity', 'int'));
}
if (GETPOST('deletephoto')) $object->photo='';
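Review bot: The rewritten ternary on the two `GETPOST('entity', 'int')` lines is inverted: when the request carries a non-zero entity the expression evaluates to 0, and only a falsy value is ever passed through, so `$object->entity` is never set to the submitted entity. The replaced line tested `empty($_POST["entity"]) ? 0 : ...`, i.e. absence selected 0; the replacement drops that negation. Keep the original sense, e.g. `$object->entity = (GETPOST('entity', 'int') ? GETPOST('entity', 'int') : 0);`, and apply the same fix to both occurrences in this hunk (the second one in the outer `else` branch). The enclosing `if ($action == 'update' && ! $_POST["cancel"])` block starts before the hunk, so the surrounding control flow is only partly visible here.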


@@ -1217,7 +1217,7 @@ class User extends CommonObject
if (isset($this->salary) || $this->salary != '') $sql.= ", salary= ".($this->salary != ''?"'".$this->db->escape($this->salary)."'":"null");
if (isset($this->salaryextra) || $this->salaryextra != '') $sql.= ", salaryextra= ".($this->salaryextra != ''?"'".$this->db->escape($this->salaryextra)."'":"null");
$sql.= ", weeklyhours= ".($this->weeklyhours != ''?"'".$this->db->escape($this->weeklyhours)."'":"null");
$sql.= ", entity = '".$this->entity."'";
$sql.= ", entity = '".$this->db->escape($this->entity)."'";
$sql.= " WHERE rowid = ".$this->id;
dol_syslog(get_class($this)."::update", LOG_DEBUG);