FIX SQL Injections reported by mu shcor (ADLab of Venustech)

This commit is contained in:
Laurent Destailleur
2018-06-25 14:06:09 +02:00
parent d9fc1e0b5d
commit 36402c22ee
4 changed files with 35 additions and 28 deletions


@@ -1044,7 +1044,7 @@ class Form
*
* @param string $selected Preselected type
* @param string $htmlname Name of field in form
* @param string $filter optional filters criteras (example: 's.rowid <> x', 's.client in (1,3)')
* @param string $filter Optional filters criteras (example: 's.rowid <> x', 's.client in (1,3)')
* @param string $showempty Add an empty field (Can be '1' or text to use on empty line like 'SelectThirdParty')
* @param int $showtype Show third party type in combolist (customer, prospect or supplier)
* @param int $forcecombo Force to use standard HTML select component without beautification
@@ -1064,6 +1064,9 @@ class Form
$num=0;
$outarray=array();
// Clean $filter that may contains sql conditions so sql code
if (function_exists('test_sql_and_script_inject')) $filter = test_sql_and_script_inject($filter, 3);
// On recherche les societes
$sql = "SELECT s.rowid, s.nom as name, s.name_alias, s.client, s.fournisseur, s.code_client, s.code_fournisseur";
$sql.= " FROM ".MAIN_DB_PREFIX ."societe as s";
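Review bot: The added sanitization line is conditional on `function_exists('test_sql_and_script_inject')`, so whenever that helper is not loaded `$filter` reaches the query untouched — the guard fails open, which is the wrong default for a change whose purpose is to stop SQL injection (the place where `$filter` is appended to `$sql` is outside the hunk, presumably further down the same method). Consider failing closed: `if (function_exists('test_sql_and_script_inject')) $filter = test_sql_and_script_inject($filter, 3); else $filter = '';` — callers that run in a context where the helper is not defined would need checking before making that change. Independently, the docblock in the first hunk still presents `$filter` as a raw SQL fragment without saying who may build it; I would extend the `@param string $filter` line with `Must be built from trusted code only, never from request parameters, because it is concatenated into the query.` so the sanitizer reads as defense in depth rather than as permission to pass user input. The enclosing method starts and ends outside the hunk.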