Fix(Core): escape data when check if already exist (#457)

stonebuzz · web-flow · commit 811bf56c5792 · 2025-02-12T11:36:45.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ### Fixed
 
 - Use `global`  configuration for injection links
+- Escape  data when check if already exist
 
 ## [2.14.1] - 2024-12-27
 
diff --git a/inc/commoninjectionlib.class.php b/inc/commoninjectionlib.class.php
@@ -1932,7 +1932,7 @@ private function dataAlreadyInDB($injectionClass, $itemtype)
                                     $where .= " AND `id` IN (SELECT `users_id` FROM glpi_useremails WHERE `email` = '$email') ";
                                 } else {
                                     $where .= " AND `" . $field . "`='" .
-                                    $this->getValueByItemtypeAndName($itemtype, $field) . "'";
+                                    Sanitizer::dbEscape((string) $this->getValueByItemtypeAndName($itemtype, $field)) . "'";
                                 }
                             }
                         }

Original file line number	Diff line number	Diff line change
`@@ -1932,7 +1932,7 @@ private function dataAlreadyInDB($injectionClass, $itemtype)`
`1932`	`1932`	$where .= " AND `id` IN (SELECT `users_id` FROM glpi_useremails WHERE `email` = '$email') ";
`1933`	`1933`	`} else {`
`1934`	`1934`	$where .= " AND `" . $field . "`='" .
`1935`		`- $this->getValueByItemtypeAndName($itemtype, $field) . "'";`
	`1935`	`+ Sanitizer::dbEscape((string) $this->getValueByItemtypeAndName($itemtype, $field)) . "'";`
`1936`	`1936`	`}`
`1937`	`1937`	`}`
`1938`	`1938`	`}`