Attach Documents: fixed SQL injection vulnerability.
[fa-stable.git] / admin / db / transactions_db.inc
index d343b7c4ba8522119d1e93688bd73101ff4d4244..f7d2d295ec6ff7177c44799ac7c63f56c3dd4c31 100644 (file)
@@ -35,7 +35,7 @@ function get_sql_for_view_transactions($filtertype, $from, $to, &$trans_ref)
        if ($type_name)
                $sql .= ", t.$type_name as type";
        $sql .= " FROM $table_name t LEFT JOIN ".TB_PREF."voided v ON"
-               ." t.$trans_no_name=v.id AND v.type=$filtertype";
+               ." t.$trans_no_name=v.id AND v.type=".db_escape($filtertype);
 
        $sql .= " WHERE ISNULL(v.`memo_`)";
        if ($from != null && $to != null)
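Review bot: `v.type` is compared against a transaction-type number, so validating `$filtertype` as an integer once at the top of `get_sql_for_view_transactions` (e.g. `$filtertype = (int)$filtertype;`, or rejecting values not in the known type list) would be a tighter fix than `db_escape()` at this single interpolation, which — if `db_escape()` quotes string input as it appears to elsewhere in this codebase — may also turn a numeric compare into a quoted-string compare. An integer cast would additionally cover every other use of `$filtertype` in this function, whereas the new `db_escape()` call protects only the `v.type=` operand on this line. Note that `$table_name`, `$trans_no_name` and `$type_name` are still interpolated unquoted as SQL identifiers on the preceding lines; `db_escape()` cannot protect identifiers, so their derivation (outside this hunk, presumably from `$filtertype`) should be confirmed to come from a fixed whitelist rather than from request input. The function begins before the hunk and continues after it, so the `$from`/`$to` interpolation that follows was not reviewable here.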