Security update merged from 2.1.

[fa-stable.git] / dimensions / inquiry / search_dimensions.php

diff --git a/dimensions/inquiry/search_dimensions.php b/dimensions/inquiry/search_dimensions.php
index 5498097a71b9e148762a5e202698f5e3cdb09a79..752b5507ab2574ab164425d76aa1efd8583a5d90 100644 (file)
--- a/dimensions/inquiry/search_dimensions.php
+++ b/dimensions/inquiry/search_dimensions.php
@@ -141,7 +141,7 @@ $sql = "SELECT dim.id,
 
 if (isset($_POST['OrderNumber']) && $_POST['OrderNumber'] != "")
 {
-       $sql .= " AND reference LIKE '%". $_POST['OrderNumber'] . "%'";
+       $sql .= " AND reference LIKE ".db_escape("%". $_POST['OrderNumber'] . "%");
 } else {
 
        if ($dim == 1)
@@ -154,14 +154,14 @@ if (isset($_POST['OrderNumber']) && $_POST['OrderNumber'] != "")
 
        if (isset($_POST['type_']) && ($_POST['type_'] > 0))
        {
-               $sql .= " AND type_=" . $_POST['type_'];
+               $sql .= " AND type_=".db_escape($_POST['type_']);
        }
 
        if (isset($_POST['OverdueOnly']))
        {
                $today = date2sql(Today());
 
-               $sql .= " AND due_date < '$today' ";
+               $sql .= " AND due_date < '$today'";
        }
 
        $sql .= " AND date_ >= '" . date2sql($_POST['FromDate']) . "'