Added query escaping in method for getting zone

retailcrm · Jul 10, 2023 · a375804 · a375804
2 parents 22a9c2d + a56ce78
commit a375804
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## v4.1.12
+* Added escaping for db query in method for getting zone
+
 ## v4.1.11
 * Fixed the transfer of the weight offers
 

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-4.1.11
+4.1.12
diff --git a/src/upload/system/library/retailcrm/lib/repository/DataRepository.php b/src/upload/system/library/retailcrm/lib/repository/DataRepository.php
@@ -124,6 +124,7 @@ public function getCountryByIsoCode($isoCode) {
      * @return array
      */
     public function getZoneByName($name) {
+        $name = $this->db->escape($name);
         $query = $this->db->query("SELECT * FROM `" . DB_PREFIX . "zone` WHERE name = '" . $name . "'");
 
         return $query->row;

diff --git a/tests/system/lib/repository/DataRepositoryAdminTest.php b/tests/system/lib/repository/DataRepositoryAdminTest.php
@@ -19,6 +19,8 @@ public function testGetZoneByName() {
 
         $this->assertNotEmpty($zone);
         $this->assertNotEmpty($zone['zone_id']);
+
+        $repository->getZoneByName('Rostov-na-Do\'nu');
     }
 
     public function testGetCurrencyByCode() {