
fix sql injection reported by Mehdi Oudad

Laurent Destailleur 3 years ago
parent
commit
85fe1d6d1e
1 changed files with 5 additions and 5 deletions
  1. 5 5
      htdocs/exports/class/export.class.php

+ 5 - 5
htdocs/exports/class/export.class.php

@@ -379,13 +379,13 @@ class Export
 	 */
 	public function conditionDate($Field, $Value, $Sens)
 	{
-		// TODO date_format is forbidden, not performant and not portable. Use instead BETWEEN
+		// TODO date_format is forbidden, not performant and not portable. Use instead $Value to forge the range date.
 		if (strlen($Value) == 4) {
-			$Condition = " date_format(".$Field.",'%Y') ".$Sens." '".$Value."'";
+			$Condition = " date_format(".$Field.",'%Y') ".$Sens." '".$this->db->escape($Value)."'";
 		} elseif (strlen($Value) == 6) {
-			$Condition = " date_format(".$Field.",'%Y%m') ".$Sens." '".$Value."'";
+			$Condition = " date_format(".$Field.",'%Y%m') ".$Sens." '".$this->db->escape($Value)."'";
 		} else {
-			$Condition = " date_format(".$Field.",'%Y%m%d') ".$Sens." ".$Value;
+			$Condition = " date_format(".$Field.",'%Y%m%d') ".$Sens." '".$this->db->escape($Value)."'";
 		}
 		return $Condition;
 	}
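Review bot: The escaping added on the three `$Condition` lines covers only `$Value`; `$Field` and `$Sens` are still concatenated raw into the SQL, and `$this->db->escape()` cannot protect an identifier or an operator position, so if either of those can be influenced by the submitted filter (the caller is outside this hunk) the injection is only moved, not closed. Because `$Value` is by the method's own branching a 4-, 6- or 8-digit date key and `$Sens` a comparison operator, validating the shape is a stronger fix than escaping: a guard such as `if (!ctype_digit($Value) || !in_array($Sens, array('<', '<=', '=', '>=', '>', '<>'), true)) { return ''; }` before the `strlen` chain rejects anything that is not a plain digit string or a known operator (returning whatever the caller already treats as "no condition"). `$Field` should likewise be checked against an identifier pattern, e.g. `preg_match('/^[a-zA-Z0-9_.]+$/', $Field)`, unless it is guaranteed to come from the export definition rather than the request. The TODO on line 21 still stands; replacing `date_format` with a `BETWEEN` on the real date column would remove the string comparison entirely.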
@@ -416,7 +416,7 @@ class Export
 			case 'Duree':
 			case 'Numeric':
 			case 'Number':
-				// Must be a string text to allow to use comparison strings like "<= 999"
+				// Must be a string text to allow to use comparison strings like "<= 99.9"
 				$szFilterField = '<input type="text" size="6" name="'.$NameField.'" value="'.$ValueField.'">';
 				break;
 			case 'Status':