Fix against SQL injection. Add phpunit test to detect missing escaping.

This commit is contained in:
Laurent Destailleur
2017-05-12 16:55:11 +02:00
parent 0d11fce834
commit fa290c34fa
57 changed files with 202 additions and 198 deletions


@@ -256,8 +256,8 @@ class modCommande extends DolibarrModules
}
$sql = array(
"DELETE FROM ".MAIN_DB_PREFIX."document_model WHERE nom = '".$this->const[0][2]."' AND type = 'order' AND entity = ".$conf->entity,
"INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity) VALUES('".$this->const[0][2]."','order',".$conf->entity.")"
"DELETE FROM ".MAIN_DB_PREFIX."document_model WHERE nom = '".$this->db->escape($this->const[0][2])."' AND type = 'order' AND entity = ".$conf->entity,
"INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity) VALUES('".$this->db->escape($this->const[0][2])."','order',".$conf->entity.")"
);
return $this->_init($sql,$options);