fix(issue): SQL scaping problem when updating a ticket

btry · btry · commit 56ddff2614d3 · 2023-11-07T12:10:45.000+01:00
diff --git a/hook.php b/hook.php
@@ -453,7 +453,9 @@ function plugin_formcreator_hook_update_ticket(CommonDBTM $item) {
 
    $validationStatus = PluginFormcreatorCommon::getTicketStatusForIssue($item);
 
-   $issueName = $item->fields['name'] != '' ? addslashes($item->fields['name']) : '(' . $item->getID() . ')';
+   $issueName = $item->fields['name'] != ''
+      ? $item->fields['name']
+      : '(' . $item->getID() . ')';
    $issue = new PluginFormcreatorIssue();
    $issue->getFromDBByCrit([
       'AND' => [
@@ -480,14 +482,14 @@ function plugin_formcreator_hook_update_ticket(CommonDBTM $item) {
          'items_id'           => $id,
          'display_id'         => "t_$id",
          'itemtype'           => Ticket::class,
-         'name'               => $issueName,
+         'name'               => $DB->escape($issueName),
          'status'             => $validationStatus,
          'date_creation'      => $item->fields['date'],
          'date_mod'           => $item->fields['date_mod'],
          'entities_id'        => $item->fields['entities_id'],
          'is_recursive'       => '0',
          'requester_id'       => $requester,
-         'comment'            => addslashes($item->fields['content']),
+         'comment'            => $DB->escape($item->fields['content']),
       ]);
    }
 
@@ -611,7 +613,10 @@ function plugin_formcreator_hook_update_ticketvalidation(CommonDBTM $item) {
    if ($issue->isNewItem()) {
       return;
    }
-   $issue->update(['status' => $status] + $issue->fields);
+   $issue->update([
+      'id'     => $issue->getID(),
+      'status' => $status
+   ]);
 }
 
 function plugin_formcreator_hook_update_itilFollowup($followup) {
