Dolibarr API sqlfilters leads to script injection protection

Bastian · April 11, 2022, 11:19am

Hi all,

I want to use the API to fetch the stock of a specific product using the stockmovements API GET endpoint.
When calling without sqlfilters I get the list of all products which is fine - but as soon as I add e.g. the t.product_id item as described in the Swagger docs for the sqlfilters :

"(t.product_id:=:95)"

I always get back this error response:

Access refused to 172.21.0.36 by SQL or Script injection protection in main.inc.php - GETPOST type=1 paramkey=0 paramvalue=sqlfilters=&quot;(t.product_id:=:95)&quot; page=/dolibarr/api/index.php/stockmovements?sqlfilters=%22(t.product_id%3A%3D%3A95)%22

Any help is appreciated

Best regards
Bastian

karozans · May 26, 2022, 4:50pm

In the Swagger UI do not use the double quotes. Use the double quotes only if you are doing this call directly from PHP code.