SQL-Injection vermeiden. Fix für Revisionen 2936, 2937.

[kivitendo-erp.git] / SL / IS.pm

diff --git a/SL/IS.pm b/SL/IS.pm
index 2cf1482685572d8d7c23fd2c16ec890f876c89a5..8ecddffde5082fbea0bfc486668ddc0d3e12f8d3 100644 (file)
--- a/SL/IS.pm
+++ b/SL/IS.pm
@@ -1513,7 +1513,13 @@ sub get_customer {
   }
 
   my $cid = conv_i($form->{customer_id});
-  my $payment_id = ($form->{payment_id}) ? "($form->{payment_id} = pt.id) OR" : "";
+  my $payment_id;
+
+  if ($form->{payment_id}) {
+    $payment_id = "(pt.id = ?) OR";
+    push @values, conv_i($form->{payment_id});
+  }
+
   # get customer
   $query =
     qq|SELECT