From b052bb3400c3f6089752005ae5c61695293e9015 Mon Sep 17 00:00:00 2001
From: Florent Bruneau
Date: Sun, 15 Feb 2009 10:30:45 +0100
Subject: [PATCH] Fix a SQL injection vulnerability on a public page o_O.

Signed-off-by: Florent Bruneau
---
 modules/payment.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/payment.php b/modules/payment.php
index 7545ae9..d1e8a0e 100644
--- a/modules/payment.php
+++ b/modules/payment.php
@@ -208,7 +208,7 @@ class PaymentModule extends PLModule
 $res = XDB::query("SELECT rcb.text,c.id,c.text
 FROM paiement.codeRCB AS rcb
 LEFT JOIN paiement.codeC AS c ON rcb.codeC=c.id
- WHERE rcb.id='$champ906'");
+ WHERE rcb.id={?}", $champ906);
 if (list($rcb_text, $c_id, $c_text) = $res->fetchOneRow()) {
 cb_erreur("erreur lors du paiement : $c_text ($c_id)");
 } else{
-- 
2.1.4
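Review bot: The bound parameter fixes this one query, but nothing in the hunk records that `$champ906` is untrusted input, so the string form can easily be reintroduced by the next edit; a comment above the query such as `// $champ906 arrives with the external payment callback: untrusted, always bind it via {?}` would make the constraint explicit. The enclosing method starts and ends outside the hunk, and it presumably reads sibling `$champNNN` fields from the same request; those should be checked for the same `'$var'` interpolation pattern, since the commit touches only this one. Dropping the quotes around the placeholder changes how the value reaches MySQL: assuming `XDB::query` quotes and escapes string arguments for `{?}`, the comparison against `rcb.id` is unchanged for well-formed codes, but if `rcb.id` is a numeric column and the gateway can send a non-numeric value, the lookup now fails to match rather than matching nothing silently; that difference is worth confirming against the schema. The `cb_erreur("erreur lors du paiement : $c_text ($c_id)")` line interpolates database text into an error message; whether that path escapes for its output context is not visible here.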