From 640c3acabe23afc4048cf283b3999586ebfd0fb5 Mon Sep 17 00:00:00 2001
From: Janusz Dobrowolski
Date: Thu, 20 Dec 2018 21:09:08 +0100
Subject: [PATCH] Attach Documents: fixed SQL injection vulnerability.

---
 admin/db/transactions_db.inc | 2 +-
 includes/references.inc | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/admin/db/transactions_db.inc b/admin/db/transactions_db.inc
index d343b7c4..f7d2d295 100644
--- a/admin/db/transactions_db.inc
+++ b/admin/db/transactions_db.inc
@@ -35,7 +35,7 @@ function get_sql_for_view_transactions($filtertype, $from, $to, &$trans_ref)
 	if ($type_name)
 		$sql .= ", t.$type_name as type";
 	$sql .= " FROM $table_name t LEFT JOIN ".TB_PREF."voided v ON"
-		." t.$trans_no_name=v.id AND v.type=$filtertype";
+		." t.$trans_no_name=v.id AND v.type=".db_escape($filtertype);
 	$sql .= " WHERE ISNULL(v.`memo_`)";
 
 	if ($from != null && $to != null)
diff --git a/includes/references.inc b/includes/references.inc
index 7a919f27..526dc155 100644
--- a/includes/references.inc
+++ b/includes/references.inc
@@ -165,6 +165,7 @@ class references
 		$type_fld = $db_info[1];
 		$tno_fld = $db_info[2];
 		$ref_fld = $db_info[3];
+		$type = db_escape($type);
 
 		// retrieve last ref number in the refline from original transaction table
 		$sql = "SELECT MAX(CAST(SUBSTR($ref_fld, ".(strlen($prefix)+1).",LENGTH($ref_fld)-".(strlen($postfix)+strlen($prefix)).") AS UNSIGNED))"
-- 
2.30.2
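Review bot: The `+` line in get_sql_for_view_transactions escapes `$filtertype` where it is compared against the numeric `v.type` column, so if `db_escape` returns a quoted string for string input (as it presumably does), the comparison now depends on MySQL's implicit string-to-number conversion rather than on the value actually being an id; since `$filtertype` is a transaction-type id, `$filtertype = (int)$filtertype;` at the top of the function would pin the type and make the SQL comparison unambiguous. The function continues past the hunk and `$filtertype`, `$from` and `$to` are all parameters of it, so their other uses in the query should get the same treatment. `$table_name`, `$type_name` and `$trans_no_name` are still interpolated as bare identifiers, which is only safe if they come from a fixed per-type lookup and never from the request; a comment such as `// identifiers come from the per-type table map, never from request input` would record that assumption for the next reader.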
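Review bot: `$type = db_escape($type);` in the references method overwrites the parameter with its SQL-escaped form, so any later non-SQL use of `$type` in the same method — as an array key, a comparison, or an argument to another helper — now sees an escaped (and possibly quoted) string instead of the original id; the method starts and ends outside the hunk, so those uses cannot be checked here. The `$db_info` lookup just above already consumed the raw `$type`, which is why the reassignment happens to be placed after the last visible non-SQL use, but that ordering is fragile. Safer to leave the parameter untouched and escape at the query site below the hunk, `".db_escape($type)."`, or, since this is a transaction type id, `$type = (int)$type;`, which closes the injection while keeping the value usable elsewhere.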