Fix a SQL injection vulnerability on a public page o_O.

author Florent Bruneau <florent.bruneau@polytechnique.org>

Sun, 15 Feb 2009 09:30:45 +0000 (10:30 +0100)

committer Florent Bruneau <florent.bruneau@polytechnique.org>

Sun, 15 Feb 2009 09:30:45 +0000 (10:30 +0100)
author Florent Bruneau <florent.bruneau@polytechnique.org>
Sun, 15 Feb 2009 09:30:45 +0000 (10:30 +0100)
committer Florent Bruneau <florent.bruneau@polytechnique.org>
Sun, 15 Feb 2009 09:30:45 +0000 (10:30 +0100)
diff --git a/modules/payment.php b/modules/payment.php

index 7545ae9..d1e8a0e 100644 (file)
--- a/modules/payment.php
+++ b/modules/payment.php
@@ -208,7 +208,7 @@ class PaymentModule extends PLModule
              $res = XDB::query("SELECT  rcb.text,c.id,c.text
                                   FROM  paiement.codeRCB AS rcb
                              LEFT JOIN  paiement.codeC   AS c ON rcb.codeC=c.id
-                                WHERE  rcb.id='$champ906'");
+                                WHERE  rcb.id={?}", $champ906);
              if (list($rcb_text, $c_id, $c_text) = $res->fetchOneRow()) {
                  cb_erreur("erreur lors du paiement : $c_text ($c_id)");
              } else{
author	Florent Bruneau <florent.bruneau@polytechnique.org>
	Sun, 15 Feb 2009 09:30:45 +0000 (10:30 +0100)
committer	Florent Bruneau <florent.bruneau@polytechnique.org>
	Sun, 15 Feb 2009 09:30:45 +0000 (10:30 +0100)