From 01b81da43c774699f4dd121c3a5e6164f2f57236 Mon Sep 17 00:00:00 2001
From: Thierry Bugier
Date: Fri, 3 Nov 2023 16:10:40 +0100
Subject: [PATCH] fix(issue): SQL scaping problem when updating a ticket

---
 hook.php | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/hook.php b/hook.php
index fa9bf51fd..6837610bd 100644
--- a/hook.php
+++ b/hook.php
@@ -453,7 +453,9 @@ function plugin_formcreator_hook_update_ticket(CommonDBTM $item) {
 $validationStatus = PluginFormcreatorCommon::getTicketStatusForIssue($item);
- $issueName = $item->fields['name'] != '' ? addslashes($item->fields['name']) : '(' . $item->getID() . ')';
+ $issueName = $item->fields['name'] != ''
+ ? $item->fields['name']
+ : '(' . $item->getID() . ')';
 $issue = new PluginFormcreatorIssue();
 $issue->getFromDBByCrit([
 'AND' => [
@@ -480,14 +482,14 @@ function plugin_formcreator_hook_update_ticket(CommonDBTM $item) {
 'items_id' => $id,
 'display_id' => "t_$id",
 'itemtype' => Ticket::class,
- 'name' => $issueName,
+ 'name' => $DB->escape($issueName),
 'status' => $validationStatus,
 'date_creation' => $item->fields['date'],
 'date_mod' => $item->fields['date_mod'],
 'entities_id' => $item->fields['entities_id'],
 'is_recursive' => '0',
 'requester_id' => $requester,
- 'comment' => addslashes($item->fields['content']),
+ 'comment' => $DB->escape($item->fields['content']),
 ]);
 }
@@ -611,7 +613,10 @@ function plugin_formcreator_hook_update_ticketvalidation(CommonDBTM $item) {
 if ($issue->isNewItem()) {
 return;
 }
- $issue->update(['status' => $status] + $issue->fields);
+ $issue->update([
+ 'id' => $issue->getID(),
+ 'status' => $status
+ ]);
 }

 function plugin_formcreator_hook_update_itilFollowup($followup) {
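Review bot: `$issueName` was escaped once at its definition before this change and is now escaped only where it is placed in the argument array of the second hunk, so any other use of the variable inside `plugin_formcreator_hook_update_ticket` now receives the raw ticket name; the lines between the two hunks (old 460–479) and the start of the function before line 453 are not visible here, so I cannot confirm there is none. Please check that every path where `$issueName` reaches the database (for instance an `$issue->update([...])` call on the existing-issue branch, if one exists) applies `$DB->escape()` the same way the `add()` array in the second hunk does. While touching the definition, the comparison can be strict, `$item->fields['name'] !== ''`, since the field is a string.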
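Review bot: The new `$DB->escape(...)` calls on the `name` and `comment` lines rely on `$DB` being in scope, but no `global $DB;` is visible in this hunk and the function's opening is outside it; if the function does not already declare it, `$DB` is undefined and the first `->escape()` fails with an Error on null, whereas the previous `addslashes()` had no such dependency. Please confirm the declaration exists at the top of `plugin_formcreator_hook_update_ticket`, or add `global $DB;` as its first statement. A one-line comment on the array, e.g. `// $item->fields holds unescaped values; escape before handing them to add()`, would record why the escaping happens here rather than at the source.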
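Review bot: The reason for replacing `['status' => $status] + $issue->fields` with an array carrying only `id` and `status` is not recorded in the hunk, and the commit message ("SQL escaping problem") only hints at it; a why-comment would spare the next maintainer the archaeology, e.g. `// Send only the changed column: re-submitting $issue->fields would push the unescaped values loaded from the DB through update() again` (hedged as "presumably" if that is not the actual cause). Per PER-CS the multi-line array should end with a trailing comma, `'status' => $status,`. `plugin_formcreator_hook_update_ticketvalidation` begins before this hunk, so where `$issue` and `$status` are built is not visible here.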