From: Jean-Marc Pigeon Date: Tue, 16 Dec 2025 16:18:46 +0000 (-0500) Subject: Adjusting database select . X-Git-Url: https://jmp-git.ovh.safe.ca/?a=commitdiff_plain;h=2c441ad417a029b5b1ec9ee0f72d8b3bf233691b;p=jmp%2Fmailleur Adjusting database select .
---
diff --git a/www/devsql.php b/www/devsql.php
index e28e60d..19aba76 100644
--- a/www/devsql.php
+++ b/www/devsql.php
@@ -64,10 +64,13 @@ class devsql {
 }
 }
+ // Quote a string safely for SQL
+ public function quote(string $str): string {
+ return $this->connection->quote($str);
+ }
 }
-
 //==============================================================
 //
 // To open (according DBTYP) A database acces
diff --git a/www/lvlmai.php b/www/lvlmai.php
index 2c80cfb..363d5cd 100644
--- a/www/lvlmai.php
+++ b/www/lvlmai.php
@@ -148,10 +148,11 @@ if (isset($_POST['offset']))
 $rqst = new probe("actions",$limit,$offset);
-if (isset($_POST['columns'])) { //selected database columns name
- $cols=intval($_POST['columns']);
- $rqst->columns($cols);
- }
+if (isset($_POST['columns']) && is_array($_POST['columns'])) {
+ $cols = $_POST['columns']; // conserver tableau tel quel
+ $rqst->columns($cols);
+}
+
 if (isset($_POST['dsearch'])) {
 $dsearch=trim($_POST['dsearch']);
 if (strlen($dsearch)>0) {
@@ -161,12 +162,13 @@ if (isset($_POST['dsearch'])) {
 $selectedField = 'rcptto'; // filtrage selon le champ choisi
+ $safeSearch = $this->db->quote('%' . $dsearch . '%');
 if ($selectedField === 'creation') { // pour la date, on peut filtrer par LIKE
- $rqst->where("$selectedField::text LIKE '%$dsearch%'");
+ $rqst->where("$selectedField::text LIKE $safeSearch");
 } else {
- $rqst->where("$selectedField LIKE '%$dsearch%'");
+ $rqst->where("$selectedField LIKE $safeSearch");
 }
 }
 }
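Review bot: The new `quote()` declares a `string` return but forwards `$this->connection->quote($str)` unchecked, and PDO::quote() returns `false` on drivers that do not support quoting, which would surface here as a TypeError rather than a clear error; the file opens the connection "according DBTYP", so the driver is not fixed at this point. Check the result and fail explicitly: `$quoted = $this->connection->quote($str); if ($quoted === false) { throw new \RuntimeException('quote() is not supported by this driver'); } return $quoted;`. The word "safely" in the comment is worth qualifying, since quote() only produces an escaped string literal and is not a substitute for bound parameters; a comment such as `// Returns a driver-quoted SQL string literal; prefer bound parameters where the query builder allows them` sets the right expectation. The devsql class starts before this hunk, and whether `$this->connection` is a PDO instance is not visible here.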
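Review bot: Replacing `intval($_POST['columns'])` with the raw POST array hands unvalidated, request-controlled strings to `$rqst->columns($cols)`; if `probe::columns()` (whose definition is not in the hunk) builds the SELECT list from these names, that is a SQL injection path the old integer cast did not have. Validate each element before passing it on, ideally against an allow-list of the table's real column names, or at minimum constrain the shape: `$cols = array_values(array_filter($_POST['columns'], static fn ($c): bool => is_string($c) && preg_match('/^[a-z_][a-z0-9_]*$/', $c) === 1));`. The line `$cols = $_POST['columns']; // conserver tableau tel quel` adds nothing over passing the array directly once it is validated. If `probe::columns()` already allow-lists its input, a comment on this line saying so would save the next reader the lookup.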
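Review bot: `$safeSearch = $this->db->quote('%' . $dsearch . '%')` uses `$this` in what the surrounding context shows as top-level script code (`$rqst = new probe(...)` and the `if (isset($_POST[...]))` blocks sit at column 0), so every search request would abort with "Using $this when not in object context" before either `where()` call runs; it needs a reference to the script's actual devsql instance, which this hunk does not show. Even with that fixed, `quote()` only escapes the string literal: `%` and `_` typed by the user remain LIKE wildcards, so a bare `%` matches every row; escape them before quoting (`addcslashes($dsearch, '%_\\')` with a matching `ESCAPE` clause), or better, pass the term as a bound parameter if `probe::where()` accepts one, which removes the string interpolation entirely. `$selectedField` is still interpolated unquoted on both `where()` lines; the hunk only shows it being set to the literal `'rcptto'`, so if an earlier branch takes it from the request it must be checked against the known column names. The enclosing `if (isset($_POST['dsearch']))` block starts before this hunk.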