fix: Time-Based Blind SQL Injection via options[stato] Parameter

Pek5892 · Pek5892 · commit 3581edc3a195 · 2026-03-05T11:12:44.000+01:00
diff --git a/modules/contratti/ajax/select.php b/modules/contratti/ajax/select.php
@@ -57,7 +57,7 @@
             $stato = !empty($superselect['stato']) && in_array($superselect['stato'], $allowed_stati)
                 ? $superselect['stato']
                 : 'is_pianificabile';
-            $where[] = '`idstato` IN (SELECT `id` FROM `co_staticontratti` WHERE '.$stato.' = 1)';
+            $where[] = '`idstato` IN (SELECT `id` FROM `co_staticontratti` WHERE `'.str_replace('`', '', $stato).'` = 1)';
         }
 
         if (!empty($search)) {
diff --git a/modules/ordini/ajax/select.php b/modules/ordini/ajax/select.php
@@ -53,6 +53,7 @@
                     ? $superselect['stato']
                     : 'is_fatturabile';
                 $where[] = '`or_statiordine`.'.$stato.' = 1';
+                $where[] = '`or_statiordine`.`'.str_replace('`', '', $stato).'` = 1';
             }
         }
 
diff --git a/modules/preventivi/ajax/select.php b/modules/preventivi/ajax/select.php
@@ -60,7 +60,7 @@
                 $stato = !empty($superselect['stato']) && in_array($superselect['stato'], $allowed_stati)
                     ? $superselect['stato']
                     : 'is_pianificabile';
-                $where[] = '('.$stato.' = 1)';
+                $where[] = '(`'.str_replace('`', '', $stato).'` = 1)';
             }
 
             if (!empty($search)) {

Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@`
`57`	`57`	`$stato = !empty($superselect['stato']) && in_array($superselect['stato'], $allowed_stati)`
`58`	`58`	`? $superselect['stato']`
`59`	`59`	`: 'is_pianificabile';`
`60`		- $where[] = '`idstato` IN (SELECT `id` FROM `co_staticontratti` WHERE '.$stato.' = 1)';
	`60`	+ $where[] = '`idstato` IN (SELECT `id` FROM `co_staticontratti` WHERE `'.str_replace('`', '', $stato).'` = 1)';
`61`	`61`	`}`
`62`	`62`
`63`	`63`	`if (!empty($search)) {`
Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,7 @@`
`53`	`53`	`? $superselect['stato']`
`54`	`54`	`: 'is_fatturabile';`
`55`	`55`	$where[] = '`or_statiordine`.'.$stato.' = 1';
	`56`	+ $where[] = '`or_statiordine`.`'.str_replace('`', '', $stato).'` = 1';
`56`	`57`	`}`
`57`	`58`	`}`
`58`	`59`
Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@`
`60`	`60`	`$stato = !empty($superselect['stato']) && in_array($superselect['stato'], $allowed_stati)`
`61`	`61`	`? $superselect['stato']`
`62`	`62`	`: 'is_pianificabile';`
`63`		`- $where[] = '('.$stato.' = 1)';`
	`63`	+ $where[] = '(`'.str_replace('`', '', $stato).'` = 1)';
`64`	`64`	`}`
`65`	`65`
`66`	`66`	`if (!empty($search)) {`