Security update merged from 2.1.
diff --git
a/dimensions/inquiry/search_dimensions.php
b/dimensions/inquiry/search_dimensions.php
index 5498097a71b9e148762a5e202698f5e3cdb09a79..752b5507ab2574ab164425d76aa1efd8583a5d90 100644
--- a/
dimensions/inquiry/search_dimensions.php
+++ b/
dimensions/inquiry/search_dimensions.php
@@
-141,7
+141,7
@@
$sql = "SELECT dim.id,
if (isset($_POST['OrderNumber']) && $_POST['OrderNumber'] != "")
{
if (isset($_POST['OrderNumber']) && $_POST['OrderNumber'] != "")
{
- $sql .= " AND reference LIKE
'%". $_POST['OrderNumber'] . "%'"
;
+ $sql .= " AND reference LIKE
".db_escape("%". $_POST['OrderNumber'] . "%")
;
} else {
if ($dim == 1)
} else {
if ($dim == 1)
@@
-154,14
+154,14
@@
if (isset($_POST['OrderNumber']) && $_POST['OrderNumber'] != "")
if (isset($_POST['type_']) && ($_POST['type_'] > 0))
{
if (isset($_POST['type_']) && ($_POST['type_'] > 0))
{
- $sql .= " AND type_="
. $_POST['type_']
;
+ $sql .= " AND type_="
.db_escape($_POST['type_'])
;
}
if (isset($_POST['OverdueOnly']))
{
$today = date2sql(Today());
}
if (isset($_POST['OverdueOnly']))
{
$today = date2sql(Today());
- $sql .= " AND due_date < '$today'
";
+ $sql .= " AND due_date < '$today'";
}
$sql .= " AND date_ >= '" . date2sql($_POST['FromDate']) . "'
}
$sql .= " AND date_ >= '" . date2sql($_POST['FromDate']) . "'