Escaping variable passed to SQL WHERE clause
tbelliard committed Mar 16, 2017
1 parent ffaffb0 commit 21119f0
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion models/LceService.php
Expand Up @@ -71,7 +71,7 @@ public static function findByCarrierId($id_carrier)
public static function findByCode($service_code)
{
$sql = 'SELECT * FROM '._DB_PREFIX_.'lce_services as s
WHERE s.`code` = "'.$service_code.'"';
WHERE s.`code` = "'.pSQL($service_code).'"';
$row = Db::getInstance(_PS_USE_SQL_SLAVE_)->getRow($sql);
if ($row) {
$service = new self((int) $row['id_service']);
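Review bot: pSQL() is the correct escaping for this spot, because $service_code is interpolated inside a double-quoted SQL string literal on the WHERE line, so the change closes the injection point named in the commit message; two follow-ups are worth raising. First, the hunk header names the neighbouring findByCarrierId($id_carrier): if that method interpolates its argument the same way, it needs the same treatment, either an (int) cast (as already done for $row['id_service'] on the last context line) or pSQL(). Second, escaping only protects this string context; if service codes follow a known format, validating $service_code against it before building the query, plus a unit test that passes a code containing a quote character, would document and lock in the fix.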

0 comments on commit 21119f0