From: Sven Schöling
Date: Sun, 5 Dec 2021 18:16:52 +0000 (+0100)
Subject: Form: get_history sql escaping
X-Git-Tag: kivitendo-mebil_0.1-0~10^2~2^2~275
X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=90ae24e1d905ee20915b65a8d6d82d94d0694edc;p=kivitendo-erp.git
Form: get_history sql escaping
---
diff --git a/SL/Form.pm b/SL/Form.pm
index 2e9458956..a01e9a8c6 100644
--- a/SL/Form.pm
+++ b/SL/Form.pm
@@ -2956,7 +2956,7 @@ sub get_history {
     qq|SELECT h.employee_id, h.itime::timestamp(0) AS itime, h.addition, h.what_done, emp.name, h.snumbers, h.trans_id AS id | .
     qq|FROM history_erp h | .
     qq|LEFT JOIN employee emp ON (emp.id = h.employee_id) | .
-    qq|WHERE (trans_id = | . $trans_id . qq|) $restriction | .
+    qq|WHERE (trans_id = | . $dbh->quote($trans_id) . qq|) $restriction | .
     $order;
   my $sth = $dbh->prepare($query) || $self->dberror($query);
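Review bot: Quoting `$trans_id` closes only one of the interpolation points on the WHERE line — `$restriction` and `$order` are still concatenated into the statement as-is, and whether they are built from caller-supplied input cannot be seen from this hunk, since get_history's parameter unpacking lies above it. Because the statement already goes through `$dbh->prepare`, a bound parameter is the more robust form: `qq|WHERE (trans_id = ?) $restriction | .` with `$trans_id` handed to the `execute` call that presumably follows below the hunk. If `$restriction` or `$order` can hold anything beyond a fixed whitelist of column names and keywords, they need the same treatment; a short comment at the assignment, `# $restriction/$order must be built from constants only — never from request data`, would make that contract visible to the next caller.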