Fix SQLi reported by op7ica

2025-12-16 22:41:30 +01:00 · 2018-03-15 01:21:44 +01:00
parent 821a75cef0
commit c62d68f4be
2 changed files with 4 additions and 4 deletions
--- a/htdocs/core/lib/functions2.lib.php
+++ b/htdocs/core/lib/functions2.lib.php
@@ -1451,7 +1451,7 @@ function dol_set_user_param($db, $conf, &$user, $tab)
    foreach ($tab as $key => $value)
    {
        if ($i > 0) $sql.=',';
-        $sql.="'".$key."'";
+        $sql.="'".$this->db->escape($key)."'";
        $i++;
    }
    $sql.= ")";
@@ -1472,7 +1472,7 @@ function dol_set_user_param($db, $conf, &$user, $tab)
        {
            $sql = "INSERT INTO ".MAIN_DB_PREFIX."user_param(fk_user,entity,param,value)";
            $sql.= " VALUES (".$user->id.",".$conf->entity.",";
-            $sql.= " '".$key."','".$db->escape($value)."')";
+            $sql.= " '".$this->db->escape($key)."','".$db->escape($value)."')";

            dol_syslog("functions2.lib::dol_set_user_param", LOG_DEBUG);
            $result=$db->query($sql);
--- a/htdocs/societe/card.php
+++ b/htdocs/societe/card.php
@@ -1682,12 +1682,12 @@ else
            }
            else if ($object->codeclient_modifiable())
            {
-                print '<input type="text" name="code_client" id="customer_code" size="16" value="'.$object->code_client.'" maxlength="15">';
+            	print '<input type="text" name="code_client" id="customer_code" size="16" value="'.dol_escape_htmltag($object->code_client).'" maxlength="15">';
            }
            else
            {
                print $object->code_client;
-                print '<input type="hidden" name="code_client" value="'.$object->code_client.'">';
+                print '<input type="hidden" name="code_client" value="'.dol_escape_htmltag($object->code_client).'">';
            }
            print '</td><td>';
            $s=$modCodeClient->getToolTip($langs,$object,0);