Merge branch '3042-Punto-de-inyeccion-sql' into 'develop'

avoid SQL injection in the visual_map_get_user_layouts function

See merge request artica/pandorafms!1951

Former-commit-id: cd680e3a3df45f6f54c6c2f25d118f97f30b8b81
This commit is contained in:
vgilc 2018-12-21 10:29:31 +01:00
commit dd0165fe89
1 changed files with 3 additions and 1 deletions


@ -3465,7 +3465,9 @@ function visual_map_get_user_layouts ($id_user = 0, $only_names = false, $filter
$filter = array (); $filter = array ();
} else { } else {
if(!empty($filter['name'])){ if(!empty($filter['name'])){
$where .= "name LIKE '%".io_safe_output($filter['name'])."%'"; $where .= sprintf("name LIKE '%%%s%%'",
db_escape_string_sql(io_safe_output($filter['name'])));
unset($filter['name']); unset($filter['name']);
} }
} }
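Review bot: The escaped value on the new side of the hunk still carries raw LIKE metacharacters, so a `$filter['name']` containing `%` or `_` widens the match rather than being searched for literally; if a literal substring search is intended, pre-escape them, e.g. `addcslashes(io_safe_output($filter['name']), '%_')`, before the `db_escape_string_sql()` call. A short comment such as `// escape after io_safe_output() so characters decoded from entities are covered` would record why the two calls are nested in this order. visual_map_get_user_layouts continues outside the hunk; any other `$filter` keys appended to `$where` there would presumably need the same escaping, which this commit does not appear to cover.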