Add more robust php unit to detect not escaped sql. Fix not escaped sql

2025-12-07 10:08:27 +01:00 · 2017-09-15 15:41:07 +02:00
parent 77056d9adb
commit 5e34b121dd
63 changed files with 420 additions and 438 deletions
--- a/htdocs/core/modules/cheque/mod_chequereceipt_mint.php
+++ b/htdocs/core/modules/cheque/mod_chequereceipt_mint.php
@@ -73,7 +73,7 @@ class mod_chequereceipt_mint extends ModeleNumRefChequeReceipts
 		$posindice=9;
 		$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
 		$sql.= " FROM ".MAIN_DB_PREFIX."bordereau_cheque";
-		$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
+		$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
 		$sql.= " AND entity = ".$conf->entity;

 		$resql=$db->query($sql);
@@ -107,7 +107,7 @@ class mod_chequereceipt_mint extends ModeleNumRefChequeReceipts
 		$posindice=9;
 		$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
 		$sql.= " FROM ".MAIN_DB_PREFIX."bordereau_cheque";
-		$sql.= " WHERE ref like '".$this->prefix."____-%'";
+		$sql.= " WHERE ref like '".$this->db->escape($this->prefix)."____-%'";
 		$sql.= " AND entity = ".$conf->entity;

 		$resql=$db->query($sql);