}
}
+ // Quote a string safely for SQL
+ public function quote(string $str): string {
+ return $this->connection->quote($str);
+ }
}
-
//==============================================================
//
// To open (according DBTYP) A database acces
$rqst = new probe("actions",$limit,$offset);
-if (isset($_POST['columns'])) { //selected database columns name
- $cols=intval($_POST['columns']);
- $rqst->columns($cols);
- }
+if (isset($_POST['columns']) && is_array($_POST['columns'])) {
+ $cols = $_POST['columns']; // conserver tableau tel quel
+ $rqst->columns($cols);
+}
+
if (isset($_POST['dsearch'])) {
$dsearch=trim($_POST['dsearch']);
if (strlen($dsearch)>0) {
$selectedField = 'rcptto';
// filtrage selon le champ choisi
+ $safeSearch = $this->db->quote('%' . $dsearch . '%');
if ($selectedField === 'creation') {
// pour la date, on peut filtrer par LIKE
- $rqst->where("$selectedField::text LIKE '%$dsearch%'");
+ $rqst->where("$selectedField::text LIKE $safeSearch");
}
else {
- $rqst->where("$selectedField LIKE '%$dsearch%'");
+ $rqst->where("$selectedField LIKE $safeSearch");
}
}
}
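Review bot: The new `columns` branch passes the request array to `$rqst->columns($cols)` unchanged, where the removed lines forced the value through `intval()`. `probe::columns()` is not visible in this hunk, so if it places these values in the SELECT list, the change reopens through identifiers the injection it closes for `dsearch`; an element could also be a nested array rather than a string. Filter against a fixed list before the call, e.g. `$cols = array_values(array_intersect(array_filter($_POST['columns'], 'is_string'), $allowedColumns));`, where `$allowedColumns` is a placeholder for the table's known column names. Separately, `$this->db->quote(...)` sits in what looks like script-level code beside `$rqst = new probe(...)`, and the enclosing scope starts outside the hunk. If there is no surrounding method, `$this` is not available there and the search branch will fail; also, `%` and `_` typed by the user still act as LIKE wildcards after quoting.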