From 2c441ad417a029b5b1ec9ee0f72d8b3bf233691b Mon Sep 17 00:00:00 2001
From: Jean-Marc Pigeon
Date: Tue, 16 Dec 2025 11:18:46 -0500
Subject: [PATCH] Adjusting database select .

---
 www/devsql.php | 5 ++++-
 www/lvlmai.php | 14 ++++++++------
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/www/devsql.php b/www/devsql.php
index e28e60d..19aba76 100644
--- a/www/devsql.php
+++ b/www/devsql.php
@@ -64,10 +64,13 @@ class devsql {
 }
 }
+ // Quote a string safely for SQL
+ public function quote(string $str): string {
+ return $this->connection->quote($str);
+ }
 }
-
 //==============================================================
 //
 // To open (according DBTYP) A database acces
diff --git a/www/lvlmai.php b/www/lvlmai.php
index 2c80cfb..363d5cd 100644
--- a/www/lvlmai.php
+++ b/www/lvlmai.php
@@ -148,10 +148,11 @@ if (isset($_POST['offset']))
 $rqst = new probe("actions",$limit,$offset);
-if (isset($_POST['columns'])) { //selected database columns name
- $cols=intval($_POST['columns']);
- $rqst->columns($cols);
- }
+if (isset($_POST['columns']) && is_array($_POST['columns'])) {
+ $cols = $_POST['columns']; // conserver tableau tel quel
+ $rqst->columns($cols);
+}
+
 if (isset($_POST['dsearch'])) {
 $dsearch=trim($_POST['dsearch']);
 if (strlen($dsearch)>0) {
@@ -161,12 +162,13 @@ if (isset($_POST['dsearch'])) {
 $selectedField = 'rcptto';
 // filtrage selon le champ choisi
+ $safeSearch = $this->db->quote('%' . $dsearch . '%');
 if ($selectedField === 'creation') {
 // pour la date, on peut filtrer par LIKE
- $rqst->where("$selectedField::text LIKE '%$dsearch%'");
+ $rqst->where("$selectedField::text LIKE $safeSearch");
 } else {
- $rqst->where("$selectedField LIKE '%$dsearch%'");
+ $rqst->where("$selectedField LIKE $safeSearch");
 }
 }
 }
--
2.47.3
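Review bot: The new `quote()` declares a `string` return, but if `$this->connection` is a PDO handle (its declaration is outside the hunk) `PDO::quote()` returns `false` when the driver cannot quote, which coercive mode silently turns into `''` and leaves a bare `LIKE ` in the caller's SQL; fail loudly instead: `$q = $this->connection->quote($str); if ($q === false) { throw new \RuntimeException('driver cannot quote strings'); } return $q;`. The comment `// Quote a string safely for SQL` also promises more than the method delivers — it yields a quoted string literal but does not escape `LIKE` wildcards (`%`, `_`) and is not a substitute for bound parameters — so `// Return $str as a quoted SQL string literal (driver escaping only; LIKE wildcards are not escaped)` describes it more honestly. The `devsql` class begins outside the hunk.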
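Review bot: `$_POST['columns']` is now passed to `$rqst->columns()` with no per-element validation, whereas the removed code reduced it to a single `intval`, so each element is an arbitrary client-supplied string; if `probe::columns()` interpolates these into the SELECT list (its body is not in this diff), every entry must be checked against the fixed set of selectable column names before use, e.g. `$cols = array_values(array_filter($_POST['columns'], static fn ($c) => is_string($c) && in_array($c, $allowedColumns, true)));` where `$allowedColumns` is that fixed list. If the entries are meant to stay integer indices as before, `$cols = array_map('intval', $_POST['columns']);` keeps the original guarantee instead. The `is_array()` guard alone only prevents a type error, not injection.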
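Review bot: `$this->db->quote(...)` is called from top-level script code — the hunk context `if (isset($_POST['dsearch'])) {` and `$rqst = new probe(...)` sit at column 0 — where `$this` is undefined, so PHP throws `Error: Using $this when not in object context` on every non-empty `dsearch` and the search path fatals. It should call `quote()` on whatever `devsql` instance the script actually holds (not visible in this diff), e.g. `$safeSearch = $db->quote('%' . $dsearch . '%');` with `$db` replaced by that variable, or better a bound parameter if `probe::where()` can accept one. Separately, `quote()` does not neutralise the `LIKE` metacharacters `%` and `_` inside `$dsearch`, so a user can still broaden the match; escaping them first (`addcslashes($dsearch, '\\%_')`, the default LIKE escape on PostgreSQL, which the `::text` cast suggests is the target) restores the intended substring semantics. `$selectedField` is interpolated unquoted as an identifier and its assignment is outside the hunk, so it must only ever take values from a fixed list.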