On 27.03.2018 at 20:34, Romero, Fernando wrote:
> <?php
>
> $empresa = $_POST['empresa'];
> $mes = $_POST['meses'];
> $anio = $_POST['anio'];
>
>
>
> if ( $_POST ) {
> $result=pg_query("SELECT empresa, sum(valor) valor FROM trabajos WHERE empresa='$empresa' and to_char(fecha, 'TMMONTH')::varchar = '$mes' and date_part('year', fecha)= '$anio'
> group by empresa");
This looks like a potentially exploitable SQL injection vulnerability,
see <http://www.php.net/manual/en/security.database.sql-injection.php>.
--
Christoph M. Becker
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
