Merge pull request #16433 from ATM-Consulting/fix/11.0_contact_updateRoles_sql_injection_of_socid

FIX 11.0 - $this->socid injected in query without checking for empty string
2026-01-20 15:53:16 +01:00 · 2021-02-26 10:22:50 +01:00
parent a779ce36f3 d59ee06438
commit 9db211b1a7
1 changed files with 1 additions and 1 deletions
--- a/htdocs/contact/class/contact.class.php
+++ b/htdocs/contact/class/contact.class.php
@@ -1686,7 +1686,7 @@ class Contact extends CommonObject

 		$this->db->begin();

-		$sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_contacts WHERE fk_soc=".$this->socid." AND fk_socpeople=".$this->id; ;
+		$sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_contacts WHERE fk_soc=".intval($this->socid)." AND fk_socpeople=".$this->id; ;

 		dol_syslog(__METHOD__, LOG_DEBUG);
 		$result = $this->db->query($sql);