Form: get_history sql escaping

author Sven Schöling <s.schoeling@googlemail.com>

Sun, 5 Dec 2021 18:16:52 +0000 (19:16 +0100)

committer Sven Schöling <s.schoeling@googlemail.com>

Sun, 5 Dec 2021 18:28:04 +0000 (19:28 +0100)
author Sven Schöling <s.schoeling@googlemail.com>
Sun, 5 Dec 2021 18:16:52 +0000 (19:16 +0100)
committer Sven Schöling <s.schoeling@googlemail.com>
Sun, 5 Dec 2021 18:28:04 +0000 (19:28 +0100)
diff --git a/SL/Form.pm b/SL/Form.pm

index 2e94589..a01e9a8 100644 (file)
--- a/SL/Form.pm
+++ b/SL/Form.pm
@@ -2956,7 +2956,7 @@ sub get_history {
        qq|SELECT h.employee_id, h.itime::timestamp(0) AS itime, h.addition, h.what_done, emp.name, h.snumbers, h.trans_id AS id | .
        qq|FROM history_erp h | .
        qq|LEFT JOIN employee emp ON (emp.id = h.employee_id) | .
-      qq|WHERE (trans_id = | . $trans_id . qq|) $restriction | .
+      qq|WHERE (trans_id = | . $dbh->quote($trans_id) . qq|) $restriction | .
        $order;
  
      my $sth = $dbh->prepare($query) || $self->dberror($query);
author	Sven Schöling <s.schoeling@googlemail.com>
	Sun, 5 Dec 2021 18:16:52 +0000 (19:16 +0100)
committer	Sven Schöling <s.schoeling@googlemail.com>
	Sun, 5 Dec 2021 18:28:04 +0000 (19:28 +0100)