diff --git a/htdocs/admin/external_rss.php b/htdocs/admin/external_rss.php
index 2b94e599a2c..991a0553406 100644
--- a/htdocs/admin/external_rss.php
+++ b/htdocs/admin/external_rss.php
@@ -92,7 +92,7 @@ if ($action == 'add' || GETPOST("modify")) {
 // Supprime boite box_external_rss de definition des boites
 /*
 $sql = "UPDATE ".MAIN_DB_PREFIX."boxes_def";
 $sql.= " SET name = '".$db->escape($boxlabel)."'";
- $sql.= " WHERE file ='box_external_rss.php' AND note like '".$db->escape(GETPOST("norss"))." %'";
+ $sql.= " WHERE file ='box_external_rss.php' AND note LIKE '".$db->escape(GETPOST("norss"))." %'";
 $resql=$db->query($sql);
 if (! $resql)
diff --git a/htdocs/comm/contact.php b/htdocs/comm/contact.php
index 28d10fd9644..6b05f59a921 100644
--- a/htdocs/comm/contact.php
+++ b/htdocs/comm/contact.php
@@ -120,7 +120,7 @@ if (!empty($search_company)) {
 $sql .= " AND s.nom LIKE '%".$db->escape($search_company)."%'";
 }
 if (!empty($contactname)) { // access a partir du module de recherche
- $sql .= " AND (p.lastname LIKE '%".$db->escape($contactname)."%' OR lower(p.firstname) LIKE '%".$db->escape($contactname)."%') ";
+ $sql .= " AND (p.lastname LIKE '%".$db->escape($contactname)."%' OR p.firstname LIKE '%".$db->escape($contactname)."%') ";
 $sortfield = "p.lastname";
 $sortorder = "ASC";
 }
diff --git a/htdocs/commande/customer.php b/htdocs/commande/customer.php
index f06ac75dcc9..843a55e0112 100644
--- a/htdocs/commande/customer.php
+++ b/htdocs/commande/customer.php
@@ -101,7 +101,7 @@ if (GETPOST("search_code_client")) {
 $sql .= natural_search("s.code_client", GETPOST("search_code_client"));
 }
 if (dol_strlen($begin)) {
- $sql .= " AND s.nom like '".$db->escape($begin)."'";
+ $sql .= " AND s.nom LIKE '".$db->escape($begin)."'";
 }
 // If the internal user must only see his customers, force searching by him
 $search_sale = 0;
diff --git a/htdocs/core/boxes/box_fediverse.php b/htdocs/core/boxes/box_fediverse.php
index b4cd84fc642..5682e7119d7 100644
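Review bot: In the new `+` line of the comm/contact.php hunk, `$contactname` goes through `$db->escape()` only, so a user-supplied `%` or `_` still acts as a LIKE wildcard, while other hunks of this same commit (emailcollector, moline, productfournisseurprice) wrap the value in `$db->escape($db->escapeforlike(...))`; suggest `'%".$db->escape($db->escapeforlike($contactname))."%'` for both operands. Dropping `lower(p.firstname)` also changes matching on databases with case-sensitive collations (PostgreSQL, for instance): the old code lower-cased the column but not the criterion, so neither version is fully case-insensitive, and if case-insensitive search is intended both sides should be normalised the same way. Where `$contactname` is read is outside the hunk, so treating it as request-derived follows only from the comment on the `if` line.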
--- a/htdocs/core/boxes/box_fediverse.php
+++ b/htdocs/core/boxes/box_fediverse.php
@@ -73,7 +73,7 @@ class box_fediverse extends ModeleBoxes
 $sql = '';
 if (!empty($this->paramdef)) {
 $sql = "SELECT value FROM ".MAIN_DB_PREFIX."const";
- $sql .= " WHERE name like '%SOCIAL_NETWORKS_DATA_".$this->db->escape($this->paramdef)."%'";
+ $sql .= " WHERE name LIKE '%SOCIAL_NETWORKS_DATA_".$this->db->escape($this->paramdef)."%'";
 }
 $resql = $this->db->query($sql);
 $num = $this->db->num_rows($resql);
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index f6d1e48eccc..b4540e15941 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -11722,7 +11722,7 @@ function natural_search($fields, $value, $mode = 0, $nofirstand = 0)
 if ($newcrit != '') {
 $numnewcrit = price2num($newcrit);
 if (is_numeric($numnewcrit)) {
- $newres .= $field.' '.$operator.' '.((float) $numnewcrit); // should be a numeric
+ $newres .= $db->sanitize($field).' '.$operator.' '.((float) $numnewcrit); // should be a numeric
 } else {
 $newres .= '1 = 2'; // force false, we received a corrupted data
 }
@@ -11732,10 +11732,10 @@ function natural_search($fields, $value, $mode = 0, $nofirstand = 0)
 $i2++; // a criteria for 1 more field was added to string
 } elseif ($mode == 2 || $mode == -2) {
 $crit = preg_replace('/[^0-9,]/', '', $crit); // ID are always integer
- $newres .= ($i2 > 0 ? ' OR ' : '').$field." ".($mode == -2 ? 'NOT ' : '');
+ $newres .= ($i2 > 0 ? ' OR ' : '').$db->sanitize($field)." ".($mode == -2 ? 'NOT ' : '');
 $newres .= $crit ? "IN (".$db->sanitize($db->escape($crit)).")" : "IN (0)";
 if ($mode == -2) {
- $newres .= ' OR '.$field.' IS NULL';
+ $newres .= ' OR '.$db->sanitize($field).' IS NULL';
 }
 $i2++; // a criteria for 1 more field was added to string
 } elseif ($mode == 3 || $mode == -3) {
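Review bot: `$db->sanitize($field)` in the new line of the `@@ -11722` hunk is only safe if every caller's field expression survives sanitisation unchanged; field keys in this codebase can be SQL expressions such as `YEAR(s.dated)` (see the comment in the productcustomerprice hunk of this same commit), and if `sanitize()` strips parentheses — its allow-list is not visible here — the query is silently rewritten rather than rejected. Consider detecting the alteration instead of using it quietly, e.g. `if ($db->sanitize($field) !== $field) { dol_syslog('natural_search: unexpected field expression '.$field, LOG_WARNING); }` before the concatenation. `$operator` is still concatenated raw on the same line; it is derived earlier in the function, outside this hunk, so confirm it is restricted to a fixed set of comparison operators. `natural_search()` starts before this hunk and continues after it.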
@@ -11749,11 +11749,11 @@ function natural_search($fields, $value, $mode = 0, $nofirstand = 0)
 $listofcodes .= "'".$db->escape($val)."'";
 }
 }
- $newres .= ($i2 > 0 ? ' OR ' : '').$field." ".($mode == -3 ? 'NOT ' : '')."IN (".$db->sanitize($listofcodes, 1).")";
+ $newres .= ($i2 > 0 ? ' OR ' : '').$db->sanitize($field)." ".($mode == -3 ? 'NOT ' : '')."IN (".$db->sanitize($listofcodes, 1).")";
 $i2++; // a criteria for 1 more field was added to string
 }
 if ($mode == -3) {
- $newres .= ' OR '.$field.' IS NULL';
+ $newres .= ' OR '.$db->sanitize($field).' IS NULL';
 }
 } elseif ($mode == 4) {
 $tmparray = explode(',', $crit);
@@ -11762,10 +11762,10 @@ function natural_search($fields, $value, $mode = 0, $nofirstand = 0)
 foreach ($tmparray as $val) {
 $val = trim($val);
 if ($val) {
- $newres .= ($i2 > 0 ? " OR (" : "(").$field." LIKE '".$db->escape($val).",%'";
- $newres .= ' OR '.$field." = '".$db->escape($val)."'";
- $newres .= ' OR '.$field." LIKE '%,".$db->escape($val)."'";
- $newres .= ' OR '.$field." LIKE '%,".$db->escape($val).",%'";
+ $newres .= ($i2 > 0 ? " OR (" : "(").$db->sanitize($field)." LIKE '".$db->escape($val).",%'";
+ $newres .= ' OR '.$db->sanitize($field)." = '".$db->escape($val)."'";
+ $newres .= ' OR '.$db->sanitize($field)." LIKE '%,".$db->escape($val)."'";
+ $newres .= ' OR '.$db->sanitize($field)." LIKE '%,".$db->escape($val).",%'";
 $newres .= ')';
 $i2++; // a criteria for 1 more field was added to string (we can add several criteria for the same field as it is a multiselect search criteria)
 }
@@ -11787,7 +11787,7 @@ function natural_search($fields, $value, $mode = 0, $nofirstand = 0)
 }
 if (preg_match('/\.(id|rowid)$/', $field)) {
 // Special case for rowid that is sometimes a ref so used as a search field
- $newres .= $field." = ".(is_numeric($tmpcrit) ? ((float) $tmpcrit) : '0');
+ $newres .= $db->sanitize($field)." = ".(is_numeric($tmpcrit) ? ((float) $tmpcrit) : '0');
 } else {
 $tmpcrit2 = $tmpcrit;
 $tmpbefore = '%';
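Review bot: In the four rewritten lines of the mode 4 branch (the `@@ -11762` hunk), `$val` — a piece of the user-supplied search criterion `$crit` split on commas — is passed through `$db->escape()` only, so `%` and `_` inside a multiselect value keep their LIKE wildcard meaning in three of the four terms; other hunks of this commit use `$db->escape($db->escapeforlike($value))` for exactly this pattern. Suggest computing `$escval = $db->escape($db->escapeforlike($val));` once before the concatenations and using it in the three `LIKE` terms, keeping plain `$db->escape($val)` for the `=` term. `natural_search()` begins before these hunks and its return is after them.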
@@ -11795,10 +11795,10 @@ function natural_search($fields, $value, $mode = 0, $nofirstand = 0)
 $tmps = '';
 if (preg_match('/^!/', $tmpcrit)) {
- $tmps .= $field." NOT LIKE "; // ! as exclude character
+ $tmps .= $db->sanitize($field)." NOT LIKE "; // ! as exclude character
 $tmpcrit2 = preg_replace('/^!/', '', $tmpcrit2);
 } else {
- $tmps .= $field." LIKE ";
+ $tmps .= $db->sanitize($field)." LIKE ";
 }
 $tmps .= "'";
diff --git a/htdocs/core/lib/functions2.lib.php b/htdocs/core/lib/functions2.lib.php
index 53eb88ee5e3..2720a51cc67 100644
--- a/htdocs/core/lib/functions2.lib.php
+++ b/htdocs/core/lib/functions2.lib.php
@@ -1231,9 +1231,9 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 // Get counter in database
 $counter = 0;
 $sql = "SELECT MAX(".$sqlstring.") as val";
- $sql .= " FROM ".MAIN_DB_PREFIX.$table;
- $sql .= " WHERE ".$field." LIKE '".$db->escape($maskLike) . (getDolGlobalString('SEARCH_FOR_NEXT_VAL_ON_START_ONLY') ? "%" : "") . "'";
- $sql .= " AND ".$field." NOT LIKE '(PROV%)'";
+ $sql .= " FROM ".MAIN_DB_PREFIX.$db->sanitize($table);
+ $sql .= " WHERE ".$db->sanitize($field)." LIKE '".$db->escape($maskLike) . (getDolGlobalString('SEARCH_FOR_NEXT_VAL_ON_START_ONLY') ? "%" : "") . "'";
+ $sql .= " AND ".$db->sanitize($field)." NOT LIKE '(PROV%)'";
 // To ensure that all variables within the MAX() brackets are integers
 // This avoid bad detection of max when data are noised with non numeric values at the position of the numero
@@ -1299,10 +1299,10 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 }
 $ref = '';
- $sql = "SELECT ".$field." as ref";
- $sql .= " FROM ".MAIN_DB_PREFIX.$table;
- $sql .= " WHERE ".$field." LIKE '".$db->escape($maskLike) . (getDolGlobalString('SEARCH_FOR_NEXT_VAL_ON_START_ONLY') ? "%" : "") . "'";
- $sql .= " AND ".$field." NOT LIKE '%PROV%'";
+ $sql = "SELECT ".$db->sanitize($field)." as ref";
+ $sql .= " FROM ".MAIN_DB_PREFIX.$db->sanitize($table);
+ $sql .= " WHERE ".$db->sanitize($field)." LIKE '".$db->escape($maskLike) . (getDolGlobalString('SEARCH_FOR_NEXT_VAL_ON_START_ONLY') ? "%" : "") . "'";
+ $sql .= " AND ".$db->sanitize($field)." NOT LIKE '%PROV%'";
 if ($bentityon) { // only if entity enable
 $sql .= " AND entity IN (".getEntity($sharetable).")";
 } elseif (!empty($forceentity)) {
@@ -1364,8 +1364,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 // Get counter in database
 $maskrefclient_sql = "SELECT MAX(".$maskrefclient_sqlstring.") as val";
 $maskrefclient_sql .= " FROM ".MAIN_DB_PREFIX.$table;
- //$sql.= " WHERE ".$field." not like '(%'";
- $maskrefclient_sql .= " WHERE ".$field." LIKE '".$db->escape($maskrefclient_maskLike) . (getDolGlobalString('SEARCH_FOR_NEXT_VAL_ON_START_ONLY') ? "%" : "") . "'";
+ $maskrefclient_sql .= " WHERE ".$db->sanitize($field)." LIKE '".$db->escape($maskrefclient_maskLike) . (getDolGlobalString('SEARCH_FOR_NEXT_VAL_ON_START_ONLY') ? "%" : "") . "'";
 if ($bentityon) { // only if entity enable
 $maskrefclient_sql .= " AND entity IN (".getEntity($sharetable).")";
 } elseif (!empty($forceentity)) {
diff --git a/htdocs/core/modules/DolibarrModules.class.php b/htdocs/core/modules/DolibarrModules.class.php
index 0f401ef70a8..6e5c0fddea4 100644
--- a/htdocs/core/modules/DolibarrModules.class.php
+++ b/htdocs/core/modules/DolibarrModules.class.php
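Review bot: In the `@@ -1364` hunk of `get_next_value()`, the context line `$maskrefclient_sql .= " FROM ".MAIN_DB_PREFIX.$table;` is left untouched while the two earlier hunks of the same function now build the FROM clause with `MAIN_DB_PREFIX.$db->sanitize($table)`; the third query should be made consistent, `$maskrefclient_sql .= " FROM ".MAIN_DB_PREFIX.$db->sanitize($table);`. `$maskrefclient_sqlstring`, interpolated inside `MAX(...)` on the preceding line, is assembled earlier in the function outside this hunk, so I cannot tell whether it is derived from the now-sanitised `$field` or from the raw one. `get_next_value()` starts before and ends after these hunks.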
@@ -1762,8 +1762,8 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
 $err = 0;
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."const";
- $sql .= " WHERE ".$this->db->decrypt('name')." like '".$this->db->escape($this->const_name)."_TABS_%'";
- $sql .= " AND entity = ".$conf->entity;
+ $sql .= " WHERE ".$this->db->decrypt('name')." LIKE '".$this->db->escape($this->const_name)."_TABS_%'";
+ $sql .= " AND entity = ".((int) $conf->entity);
 dol_syslog(get_class($this)."::delete_tabs", LOG_DEBUG);
 if (!$this->db->query($sql)) {
diff --git a/htdocs/core/modules/societe/mod_codeclient_monkey.php b/htdocs/core/modules/societe/mod_codeclient_monkey.php
index 5eb500d61c9..fa62b16021e 100644
--- a/htdocs/core/modules/societe/mod_codeclient_monkey.php
+++ b/htdocs/core/modules/societe/mod_codeclient_monkey.php
@@ -112,9 +112,9 @@ class mod_codeclient_monkey extends ModeleThirdPartyCode
 // First, we get the max value (response immediate car champ indexe)
 $posindice = strlen($prefix) + 6;
- $sql = "SELECT MAX(CAST(SUBSTRING(".$field." FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
+ $sql = "SELECT MAX(CAST(SUBSTRING(".$db->sanitize($field)." FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
 $sql .= " FROM ".MAIN_DB_PREFIX."societe";
- $sql .= " WHERE ".$field." LIKE '".$db->escape($prefix)."____-%'";
+ $sql .= " WHERE ".$db->sanitize($field)." LIKE '".$db->escape($prefix)."____-%'";
 $sql .= " AND entity IN (".getEntity('societe').")";
 dol_syslog(get_class($this)."::getNextValue", LOG_DEBUG);
diff --git a/htdocs/cron/list.php b/htdocs/cron/list.php
index c65e63af98b..36769c6ec44 100644
--- a/htdocs/cron/list.php
+++ b/htdocs/cron/list.php
@@ -312,7 +312,7 @@ if (GETPOSTISSET('search_processing')) {
 // Manage filter
 if (is_array($filter) && count($filter) > 0) {
 foreach ($filter as $key => $value) {
- $sql .= " AND ".$key." LIKE '%".$db->escape($value)."%'";
+ $sql .= " AND ".$db->sanitize($key)." LIKE '%".$db->escape($value)."%'";
 }
 }
 if (!empty($search_module_name)) {
diff --git a/htdocs/emailcollector/class/emailcollector.class.php b/htdocs/emailcollector/class/emailcollector.class.php
index 344c25a7baf..344ac3e1ac4 100644
--- a/htdocs/emailcollector/class/emailcollector.class.php
+++ b/htdocs/emailcollector/class/emailcollector.class.php
@@ -2242,7 +2242,7 @@ class EmailCollector extends CommonObject
 // This is an external reference, we check if we have it in our database
 if (is_null($objectemail) && isModEnabled('ticket')) {
 $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."ticket";
- $sql .= " WHERE email_msgid = '".$this->db->escape($reg[1])."' OR origin_references like '%".$this->db->escape($this->db->escapeforlike($reg[1]))."%'";
+ $sql .= " WHERE email_msgid = '".$this->db->escape($reg[1])."' OR origin_references LIKE '%".$this->db->escape($this->db->escapeforlike($reg[1]))."%'";
 $resql = $this->db->query($sql);
 if ($resql) {
 $obj = $this->db->fetch_object($resql);
diff --git a/htdocs/eventorganization/class/conferenceorbooth.class.php b/htdocs/eventorganization/class/conferenceorbooth.class.php
index 12245ab9643..6d435671c79 100644
--- a/htdocs/eventorganization/class/conferenceorbooth.class.php
+++ b/htdocs/eventorganization/class/conferenceorbooth.class.php
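Review bot: The new line in cron/list.php sanitises the filter key but still places `$db->escape($value)` between `%` wildcards, so a `%` or `_` inside a filter value keeps its LIKE meaning; the moline and productfournisseurprice hunks of this same commit use `$db->escape($db->escapeforlike($value))` for the identical pattern. Suggest `$sql .= " AND ".$db->sanitize($key)." LIKE '%".$db->escape($db->escapeforlike($value))."%'";`. Where `$filter` is populated is outside the hunk, so whether its values are request-derived is an assumption to confirm.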
@@ -336,15 +336,15 @@ class ConferenceOrBooth extends ActionComm
 if (count($filter) > 0) {
 foreach ($filter as $key => $value) {
 if ($key == 't.id' || $key == 't.fk_project' || $key == 't.fk_soc' || $key == 't.fk_action') {
- $sqlwhere[] = $key." = ".((int) $value);
+ $sqlwhere[] = $this->db->sanitize($key)." = ".((int) $value);
 } elseif (array_key_exists($key, $this->fields) && in_array($this->fields[$key]['type'], array('date', 'datetime', 'timestamp'))) {
- $sqlwhere[] = $key." = '".$this->db->idate($value)."'";
+ $sqlwhere[] = $this->db->sanitize($key)." = '".$this->db->idate($value)."'";
 } elseif ($key == 'customsql') {
- $sqlwhere[] = $value;
+ $sqlwhere[] = $value; // deprecated
 } elseif (strpos($value, '%') === false) {
- $sqlwhere[] = $key.' IN ('.$this->db->sanitize($this->db->escape($value)).')';
+ $sqlwhere[] = $this->db->sanitize($key).' IN ('.$this->db->sanitize($this->db->escape($value)).')';
 } else {
- $sqlwhere[] = $key." LIKE '%".$this->db->escape($value)."%'";
+ $sqlwhere[] = $this->db->sanitize($key)." LIKE '%".$this->db->escape($value)."%'";
 }
 }
 }
diff --git a/htdocs/exports/class/export.class.php b/htdocs/exports/class/export.class.php
index c53b2d2b506..7da403be52e 100644
--- a/htdocs/exports/class/export.class.php
+++ b/htdocs/exports/class/export.class.php
@@ -406,9 +406,9 @@ class Export
 switch ($InfoFieldList[0]) {
 case 'Text':
 if (!(strpos($ValueField, '%') === false)) {
- $szFilterQuery = " ".$NameField." LIKE '".$this->db->escape($ValueField)."'";
+ $szFilterQuery = " ".$this->db->sanitize($NameField)." LIKE '".$this->db->escape($ValueField)."'";
 } else {
- $szFilterQuery = " ".$NameField." = '".$this->db->escape($ValueField)."'";
+ $szFilterQuery = " ".$this->db->sanitize($NameField)." = '".$this->db->escape($ValueField)."'";
 }
 break;
 case 'Date':
diff --git a/htdocs/fourn/contact.php b/htdocs/fourn/contact.php
index db229d8de5b..302379acf8e 100644
--- a/htdocs/fourn/contact.php
+++ b/htdocs/fourn/contact.php
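Review bot: The `customsql` branch of the filter loop in conferenceorbooth.class.php still appends `$value` to the WHERE clause verbatim; the commit only tags it `// deprecated`, so any caller able to influence `$filter['customsql']` keeps a raw SQL injection path, and the `$this->db->sanitize($key)` added to the other branches offers no protection there. If the branch must remain for compatibility, at least make its use visible, e.g. `dol_syslog(get_class($this)."::fetchAll use of deprecated customsql filter", LOG_WARNING);` before the assignment, and state in the method's PHPDoc (outside this hunk) that `customsql` must never be built from request data. The productfournisseurprice hunk of this same commit has the same loop without a `customsql` branch, so the two could be aligned by removing it here. The method begins before this hunk and executes the query after it.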
@@ -89,25 +89,24 @@ if (!$user->hasRight("societe", "client", "voir") && !$socid) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 }
+/*
 if (dol_strlen($stcomm)) {
- $sql .= " AND s.fk_stcomm=$stcomm";
+ $sql .= " AND s.fk_stcomm = ".((int) $stcomm);
 }
-
 if (dol_strlen($begin)) {
- $sql .= " AND p.lastname LIKE '$begin%'";
+ $sql .= " AND p.lastname LIKE '".$db->escape($begin)."%'";
 }
-
 if ($contactname) {
- $sql .= " AND p.lastname LIKE '%".strtolower($contactname)."%'";
+ $sql .= " AND p.lastname LIKE '%".$db->escape($contactname)."%'";
 $sortfield = "p.lastname";
 $sortorder = "ASC";
 }
-
+*/
 if ($socid) {
 $sql .= " AND s.rowid = ".((int) $socid);
 }
-$sql .= " ORDER BY $sortfield $sortorder ";
+$sql .= " ORDER BY $sortfield $sortorder";
 $sql .= $db->plimit($limit, $offset);
 $result = $db->query($sql);
diff --git a/htdocs/install/repair.php b/htdocs/install/repair.php
index d3d8364b810..fc8a3f36c2a 100644
--- a/htdocs/install/repair.php
+++ b/htdocs/install/repair.php
@@ -1148,7 +1148,7 @@ if ($ok && GETPOST('force_disable_of_modules_not_found', 'alpha')) {
 foreach ($arraylistofkey as $key) {
 $sql = "SELECT DISTINCT name, value";
 $sql .= " FROM ".MAIN_DB_PREFIX."const as c";
- $sql .= " WHERE name LIKE 'MAIN_MODULE_%_".strtoupper($key)."'";
+ $sql .= " WHERE name LIKE 'MAIN_MODULE_%_".strtoupper($db->escape($key))."'";
 $sql .= " ORDER BY name";
 $resql = $db->query($sql);
diff --git a/htdocs/mrp/class/moline.class.php b/htdocs/mrp/class/moline.class.php
index 49339ff7055..fc157e805a3 100644
--- a/htdocs/mrp/class/moline.class.php
+++ b/htdocs/mrp/class/moline.class.php
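Review bot: Wrapping the `$stcomm`/`$begin`/`$contactname` block of fourn/contact.php in `/* ... */` silently disables those three filters while the same hunk also rewrites the injectable lines inside the now-dead code; if the corresponding request parameters are still read earlier in the file (outside this hunk), users get an unfiltered list with no error. Either keep the fixed lines active or delete the block outright — a security fix inside commented-out code is misleading to the next reader. The retained line `$sql .= " ORDER BY $sortfield $sortorder";` still interpolates both variables raw; where they are assigned is outside the hunk, so if they can come from GETPOST they should be passed through `$db->sanitize()` (or checked against an allow-list of columns) before being concatenated — confirm.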
@@ -299,11 +299,11 @@ class MoLine extends CommonObjectLine
 if (count($filter) > 0) {
 foreach ($filter as $key => $value) {
 if ($key == 't.rowid') {
- $sqlwhere[] = $key." = ".((int) $value);
+ $sqlwhere[] = $this->db->sanitize($key)." = ".((int) $value);
 } elseif (strpos($key, 'date') !== false) {
- $sqlwhere[] = $key." = '".$this->db->idate($value)."'";
+ $sqlwhere[] = $this->db->sanitize($key)." = '".$this->db->idate($value)."'";
 } else {
- $sqlwhere[] = $key." LIKE '%".$this->db->escape($this->db->escapeforlike($value))."%'";
+ $sqlwhere[] = $this->db->sanitize($key)." LIKE '%".$this->db->escape($this->db->escapeforlike($value))."%'";
 }
 }
 }
diff --git a/htdocs/product/class/productcustomerprice.class.php b/htdocs/product/class/productcustomerprice.class.php
index ec755c8d94c..4e3a7bcc92f 100644
--- a/htdocs/product/class/productcustomerprice.class.php
+++ b/htdocs/product/class/productcustomerprice.class.php
@@ -605,11 +605,11 @@ class ProductCustomerPrice extends CommonObject
 if (count($filter) > 0) {
 foreach ($filter as $key => $value) {
 if (strpos($key, 'date')) { // To allow $filter['YEAR(s.dated)']=>$year
- $sql .= " AND ".$key." = '".$this->db->escape($value)."'";
+ $sql .= " AND ".$this->db->sanitize($key)." = '".$this->db->escape($value)."'";
 } elseif ($key == 'soc.nom') {
- $sql .= " AND ".$key." LIKE '%".$this->db->escape($value)."%'";
+ $sql .= " AND ".$this->db->sanitize($key)." LIKE '%".$this->db->escape($value)."%'";
 } else {
- $sql .= " AND ".$key." = ".((int) $value);
+ $sql .= " AND ".$this->db->sanitize($key)." = ".((int) $value);
 }
 }
 }
diff --git a/htdocs/product/class/productfournisseurprice.class.php b/htdocs/product/class/productfournisseurprice.class.php
index 3cdb939670f..d6421263010 100644
--- a/htdocs/product/class/productfournisseurprice.class.php
+++ b/htdocs/product/class/productfournisseurprice.class.php
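Review bot: In the productcustomerprice hunk the context comment `// To allow $filter['YEAR(s.dated)']=>$year` documents a key containing parentheses, and the new line now routes that key through `$this->db->sanitize($key)`; unless `sanitize()` preserves parentheses (its allow-list is not visible here), the documented usage will yield a broken or silently different expression. Either verify that `YEAR(s.dated)` survives sanitisation, or replace the heuristic with an explicit allow-list of accepted date expressions and reject anything else. Note also that `strpos($key, 'date')` on the same line is a truthiness test, so a key beginning with `date` would fall through to the `(int) $value` branch; that is pre-existing, but `!== false` is worth adding while this loop is being touched. The method begins before the hunk and continues after it.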
@@ -440,13 +440,13 @@ class ProductFournisseurPrice extends CommonObject
 if (count($filter) > 0) {
 foreach ($filter as $key => $value) {
 if ($key == 't.rowid') {
- $sqlwhere[] = $key." = ".((int) $value);
+ $sqlwhere[] = $this->db->sanitize($key)." = ".((int) $value);
 } elseif (array_key_exists($key, $this->fields) && in_array($this->fields[$key]['type'], array('date', 'datetime', 'timestamp'))) {
- $sqlwhere[] = $key." = '".$this->db->idate($value)."'";
+ $sqlwhere[] = $this->db->sanitize($key)." = '".$this->db->idate($value)."'";
 } elseif (strpos($value, '%') === false) {
- $sqlwhere[] = $key.' IN ('.$this->db->sanitize($this->db->escape($value)).')';
+ $sqlwhere[] = $this->db->sanitize($key).' IN ('.$this->db->sanitize($this->db->escape($value)).')';
 } else {
- $sqlwhere[] = $key." LIKE '%".$this->db->escape($this->db->escapeforlike($value))."%'";
+ $sqlwhere[] = $this->db->sanitize($key)." LIKE '%".$this->db->escape($this->db->escapeforlike($value))."%'";
 }
 }
 }
diff --git a/htdocs/societe/consumption.php b/htdocs/societe/consumption.php
index 128761b3b8e..2a6d965b012 100644
--- a/htdocs/societe/consumption.php
+++ b/htdocs/societe/consumption.php
@@ -416,7 +416,7 @@ if (!empty($sql_select)) {
 $sql .= $where;
 $sql .= dolSqlDateFilter($dateprint, 0, $month, $year);
 if ($sref) {
- $sql .= " AND ".$doc_number." LIKE '%".$db->escape($sref)."%'";
+ $sql .= " AND ".$db->sanitize($doc_number)." LIKE '%".$db->escape($sref)."%'";
 }
 if ($sprod_fulldescr) {
 // We test both case description is correctly saved of was save after dol_escape_htmltag().
diff --git a/htdocs/ticket/class/ticket.class.php b/htdocs/ticket/class/ticket.class.php
index 643ebf548f4..cd1e659e1f5 100644
--- a/htdocs/ticket/class/ticket.class.php
+++ b/htdocs/ticket/class/ticket.class.php
@@ -2104,7 +2104,7 @@ class Ticket extends CommonObject
 }
 if (is_array($filters) && !empty($filters)) {
 foreach ($filters as $field => $value) {
- $sql .= " ".$clause." ".$field." LIKE '".$this->db->escape($value)."'";
+ $sql .= " ".$clause." ".$this->db->sanitize($field)." LIKE '".$this->db->escape($value)."'";
 }
 if (!empty($email)) {
 $sql .= ")";
diff --git a/htdocs/website/class/website.class.php b/htdocs/website/class/website.class.php
index 98fe79aa763..43dc5599601 100644
--- a/htdocs/website/class/website.class.php
+++ b/htdocs/website/class/website.class.php
@@ -416,7 +416,7 @@ class Website extends CommonObject
 $sqlwhere = array();
 if (count($filter) > 0) {
 foreach ($filter as $key => $value) {
- $sqlwhere[] = $key." LIKE '%".$this->db->escape($value)."%'";
+ $sqlwhere[] = $this->db->sanitize($key)." LIKE '%".$this->db->escape($value)."%'";
 }
 }
 if (count($sqlwhere) > 0) {