avoid sql injection in visual_map_get_user_layouts function

2018-11-08 14:01:18 +01:00 · 2018-11-08 14:01:18 +01:00 · 9c2e67f364
parent 19fc5863d0
commit 9c2e67f364
1 changed files with 3 additions and 1 deletions
--- a/pandora_console/include/functions_visual_map.php
+++ b/pandora_console/include/functions_visual_map.php
@ -3531,7 +3531,9 @@ function visual_map_get_user_layouts ($id_user = 0, $only_names = false, $filter
 		$filter = array ();
 	} else {
 		if(!empty($filter['name'])){
-			$where .= "name LIKE '%".io_safe_output($filter['name'])."%'";
+			$where .= sprintf("name LIKE '%%%s%%'",
+            	db_escape_string_sql(io_safe_output($filter['name'])));
+
 			unset($filter['name']);
 		}
 	}