From 3f66d92903f1b3461b50fff36a0b13b4d56bcbac Mon Sep 17 00:00:00 2001
From: OpenXE <>
Date: Thu, 11 Apr 2024 16:57:00 +0200
Subject: [PATCH] erpapi files createdatei added escaping

---
 www/lib/class.erpapi.php | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

diff --git a/www/lib/class.erpapi.php b/www/lib/class.erpapi.php
index 7a62a6b2..9c7c2bfd 100644
--- a/www/lib/class.erpapi.php
+++ b/www/lib/class.erpapi.php
@@ -37013,11 +37013,35 @@ function Firmendaten($field,$projekt="")
 if(!$without_log)
 {
- $this->app->DB->Insert("INSERT INTO datei (id,titel,beschreibung,nummer,firma) VALUES
- ('','$titel','$beschreibung','$nummer','".$this->app->User->GetFirma()."')");
+ $this->app->DB->Insert("INSERT INTO datei (
+ id,
+ titel,
+ beschreibung,
+ nummer,
+ firma
+ ) VALUES (
+ '',
+ '".$this->app->DB->real_escape_string($titel)."',
+ '".$this->app->DB->real_escape_string($beschreibung)."',
+ '".$this->app->DB->real_escape_string($nummer)."',
+ '".$this->app->User->GetFirma()."'
+ )"
+ );
 }
 else
 {
- $this->app->DB->InsertWithoutLog("INSERT INTO datei (id,titel,beschreibung,nummer,firma) VALUES
- ('','$titel','$beschreibung','$nummer',1)");
+ $this->app->DB->InsertWithoutLog("INSERT INTO datei (
+ id,
+ titel,
+ beschreibung,
+ nummer,
+ firma
+ ) VALUES (
+ '',
+ '".$this->app->DB->real_escape_string($titel)."',
+ '".$this->app->DB->real_escape_string($beschreibung)."',
+ '".$this->app->DB->real_escape_string($nummer)."',
+ 1
+ )
+ ");
 }
 $fileid = $this->app->DB->GetInsertID();
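Review bot: `$this->app->User->GetFirma()` in the first INSERT is still spliced into the SQL string raw while the three neighbouring values now go through `real_escape_string`; it presumably comes from the session rather than the request, so the exposure is low, but it is the one remaining unescaped interpolation in the statement and should be wrapped the same way, `'".$this->app->DB->real_escape_string($this->app->User->GetFirma())."'`. Escaping inside quoted literals holds only while the connection charset matches what `real_escape_string` assumes; if the DB wrapper offers parameterised statements, switching to them would close that question entirely. The two branches now carry identical 14-line statements that differ only in the firma literal (`'".GetFirma()."'` versus `1`), so building the string once and choosing `Insert`/`InsertWithoutLog` afterwards keeps the escaping in a single place, as sketched below. The enclosing function starts and ends outside the hunk.
```php
$firma = $without_log ? 1 : $this->app->User->GetFirma();
$sql = "INSERT INTO datei (id, titel, beschreibung, nummer, firma) VALUES (
    '',
    '".$this->app->DB->real_escape_string($titel)."',
    '".$this->app->DB->real_escape_string($beschreibung)."',
    '".$this->app->DB->real_escape_string($nummer)."',
    '".$this->app->DB->real_escape_string((string)$firma)."'
)";
if(!$without_log)
{
  $this->app->DB->Insert($sql);
}
else
{
  $this->app->DB->InsertWithoutLog($sql);
}
// … unchanged: $fileid = $this->app->DB->GetInsertID(); …
```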