From e1b9428ef56f70a600f2d414f204f69951420eac Mon Sep 17 00:00:00 2001
From: Andreas Palm
Date: Mon, 12 Aug 2024 13:12:02 +0200
Subject: [PATCH] Shopimport: Fix sql escaping

---
 www/lib/class.erpapi.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/www/lib/class.erpapi.php b/www/lib/class.erpapi.php
index 381e6114..30b1f402 100644
--- a/www/lib/class.erpapi.php
+++ b/www/lib/class.erpapi.php
@@ -16624,9 +16624,10 @@ function Gegenkonto($ust_befreit,$ustid='', $doctype = '', $doctypeId = 0)
 $check = $this->app->DB->Select("SELECT $key FROM adresse WHERE id='$adresse' LIMIT 1");
 if($check!=${$key})
 {
-$this->app->DB->Update("UPDATE adresse SET $key='".${$key}."' WHERE id='$adresse' LIMIT 1");
+$val = $this->app->DB->real_escape_string(${$key});
+$this->app->DB->Update("UPDATE adresse SET $key='$val' WHERE id='$adresse' LIMIT 1");
 $logfile = $this->app->DB->Select("SELECT `logfile` FROM adresse WHERE id='$adresse' LIMIT 1");
-$this->app->DB->Update("UPDATE adresse SET `logfile`='".$logfile." Update Feld $key alt:$check neu:".${$key}.";' WHERE id='$adresse' LIMIT 1");
+$this->app->DB->Update("UPDATE adresse SET `logfile`='".$logfile." Update Feld $key alt:$check neu:".$val.";' WHERE id='$adresse' LIMIT 1");
 }
 }
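Review bot: The second UPDATE on the new side still concatenates `$logfile` and `$check` — both read straight back from the `adresse` table — into the SQL string unescaped, so a stored value containing a single quote (an address field such as `O'Brien`, or an earlier log entry that embedded one) breaks the statement or allows second-order injection; this commit only escapes `${$key}`. Escape those values the same way before building the log line: `$oldEsc = $this->app->DB->real_escape_string($check);`, `$logEsc = $this->app->DB->real_escape_string($logfile);`, then `"UPDATE adresse SET logfile='$logEsc Update Feld $key alt:$oldEsc neu:$val;' WHERE id='$adresse' LIMIT 1"`. `$adresse` and the column name `$key` are also interpolated directly into all three statements; their origin is not visible in the hunk, so if they are not already guaranteed to be an integer and a fixed field-name whitelist, that should be enforced here as well. The enclosing function starts and ends outside the hunk, and the `Gegenkonto` signature in the hunk header is only git's nearest preceding context, not necessarily this function.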