From d83906508d158feb59afb0fdcaadf6ce372894ec Mon Sep 17 00:00:00 2001
From: Marcus Hill <bcf8c9f2@opayq.com>
Date: Mon, 28 Mar 2022 20:39:35 +0100
Subject: [PATCH] Fix potential sql injection in add_company - post.php

---
 post.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/post.php b/post.php
index 2ca8b0e9..54ce0ba2 100644
--- a/post.php
+++ b/post.php
@@ -509,7 +509,7 @@ if(isset($_POST['add_company'])){
     mysqli_query($mysqli,"INSERT INTO companies SET company_name = '$name', company_address = '$address', company_city = '$city', company_state = '$state', company_zip = '$zip', company_country = '$country', company_phone = '$phone', company_email = '$email', company_website = '$website', company_locale = '$locale', company_currency = '$currency_code',company_created_at = NOW()");
 
     $company_id = mysqli_insert_id($mysqli);
-    $config_base_url = $_SERVER['HTTP_HOST'] . dirname($_SERVER['REQUEST_URI']);
+    $config_base_url = mysqli_real_escape_string($mysqli,$_SERVER['HTTP_HOST'] . dirname($_SERVER['REQUEST_URI']));
     $config_api_key = keygen();
     
     mkdir("uploads/clients/$company_id");