FIX SQL injection on user/index.php parameter search_statut.

Laurent Destailleur
2017-05-29 09:57:05 +02:00
parent d03d179fa3
commit 70636cc59f
2 changed files with 11 additions and 8 deletions


@@ -286,6 +286,9 @@ function GETPOST($paramname,$check='',$method=0,$filter=NULL,$options=NULL)
case 'int':
if (! is_numeric($out)) { $out=''; }
break;
case 'intcomma':
if (preg_match('/[^0-9,]+/i',$out)) $out='';
break;
case 'alpha':
$out=trim($out);
// '"' is dangerous because param in url can close the href= or src= and add javascript functions.
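Review bot: The new `intcomma` case only rejects characters outside `0-9,`, so malformed lists such as `,`, `1,,2` or `,1` still pass; if the caller concatenates the result into an SQL `IN (...)` clause (the commit title suggests so, but user/index.php is not visible here), the query becomes syntactically invalid instead of falling back to an empty filter. An anchored allowlist states the accepted shape directly and fails closed: `if (! preg_match('/^[0-9]+(,[0-9]+)*$/', $out)) $out='';`. The `i` modifier does nothing on a pattern without letters and can be dropped. The current form also assumes `$out` is a string: with an array value `preg_match` fails rather than matches (a TypeError on PHP 8), so on older PHP the value would pass through unchanged, whereas the negated form above clears it; whether an array can reach this switch is decided outside the hunk and should be confirmed. GETPOST's body starts and ends outside the hunk.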