Fix: bug #15799
This commit is contained in:
Laurent Destailleur
parent
fa94aef0e5
commit
00af1e952e
@ -1,6 +1,6 @@
|
||||
<?php
|
||||
/* Copyright (C) 2001-2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
|
||||
* Copyright (C) 2004-2005 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2004-2006 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -18,7 +18,6 @@
|
||||
*
|
||||
* $Id$
|
||||
* $Source$
|
||||
*
|
||||
*/
|
||||
|
||||
/**
|
||||
@ -60,13 +59,13 @@ $sql .= " WHERE s.fk_stcomm = st.id AND s.client=1";
|
||||
if ($socidp) $sql .= " AND s.idp = $socidp";
|
||||
if ($user->societe_id) $sql .= " AND s.idp = " .$user->societe_id;
|
||||
|
||||
if ($search_nom) $sql .= " AND s.nom like '%".strtolower($search_nom)."%'";
|
||||
if ($search_ville) $sql .= " AND s.ville like '%".strtolower($search_ville)."%'";
|
||||
if ($search_code) $sql .= " AND s.code_client like '%".strtolower($search_code)."%'";
|
||||
if ($search_nom) $sql .= " AND s.nom like '%".addslashes(strtolower($search_nom))."%'";
|
||||
if ($search_ville) $sql .= " AND s.ville like '%".addslashes(strtolower($search_ville))."%'";
|
||||
if ($search_code) $sql .= " AND s.code_client like '%".addslashes(strtolower($search_code))."%'";
|
||||
|
||||
if ($socname)
|
||||
{
|
||||
$sql .= " AND lower(s.nom) like '%".strtolower($socname)."%'";
|
||||
$sql .= " AND lower(s.nom) like '%".addslashes(strtolower($socname))."%'";
|
||||
$sortfield = "lower(s.nom)";
|
||||
$sortorder = "ASC";
|
||||
}
|
||||
|
||||
@ -1210,17 +1210,17 @@ else
|
||||
|
||||
if (!empty($_GET['search_ref']))
|
||||
{
|
||||
$sql .= " AND p.ref LIKE '%".$_GET['search_ref']."%'";
|
||||
$sql .= " AND p.ref LIKE '%".addslashes($_GET['search_ref'])."%'";
|
||||
}
|
||||
if (!empty($_GET['search_societe']))
|
||||
{
|
||||
$sql .= " AND s.nom LIKE '%".$_GET['search_societe']."%'";
|
||||
$sql .= " AND s.nom LIKE '%".addslashes($_GET['search_societe'])."%'";
|
||||
}
|
||||
if (!empty($_GET['search_montant_ht']))
|
||||
{
|
||||
$sql .= " AND p.price='".$_GET['search_montant_ht']."'";
|
||||
$sql .= " AND p.price='".addslashes($_GET['search_montant_ht'])."'";
|
||||
}
|
||||
if ($sall) $sql.= " AND (s.nom like '%".$sall."%' OR p.note like '%".$sall."%' OR pd.description like '%".$sall."%')";
|
||||
if ($sall) $sql.= " AND (s.nom like '%".addslashes($sall)."%' OR p.note like '%".addslashes($sall)."%' OR pd.description like '%".addslashes($sall)."%')";
|
||||
if ($socidp) $sql .= ' AND s.idp = '.$socidp;
|
||||
if ($_GET['viewstatut'] <> '')
|
||||
{
|
||||
@ -1236,7 +1236,7 @@ else
|
||||
}
|
||||
if (strlen($_POST['sf_ref']) > 0)
|
||||
{
|
||||
$sql .= " AND p.ref like '%".$_POST["sf_ref"] . "%'";
|
||||
$sql .= " AND p.ref like '%".addslashes($_POST["sf_ref"]) . "%'";
|
||||
}
|
||||
$sql .= ' ORDER BY '.$sortfield.' '.$sortorder.', p.ref DESC';
|
||||
$sql .= $db->plimit($limit + 1,$offset);
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
<?php
|
||||
/* Copyright (C) 2002-2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
|
||||
* Copyright (C) 2004 Éric Seigne <eric.seigne@ryxeo.com>
|
||||
* Copyright (C) 2004-2005 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2004-2006 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2005 Marc Barilley / Ocebo <marc@ocebo.com>
|
||||
* Copyright (C) 2005-2006 Regis Houssin <regis.houssin@cap-networks.com>
|
||||
* Copyright (C) 2006 Andre Cianfarani <acianfa@free.fr>
|
||||
@ -2030,19 +2030,19 @@ else
|
||||
}
|
||||
if ($_GET['search_ref'])
|
||||
{
|
||||
$sql .= ' AND f.facnumber like \'%'.$_GET['search_ref'].'%\'';
|
||||
$sql .= ' AND f.facnumber like \'%'.addslashes($_GET['search_ref']).'%\'';
|
||||
}
|
||||
if ($_GET['search_societe'])
|
||||
{
|
||||
$sql .= ' AND s.nom like \'%'.$_GET['search_societe'].'%\'';
|
||||
$sql .= ' AND s.nom like \'%'.addslashes($_GET['search_societe']).'%\'';
|
||||
}
|
||||
if ($_GET['search_montant_ht'])
|
||||
{
|
||||
$sql .= ' AND f.total = \''.$_GET['search_montant_ht'].'\'';
|
||||
$sql .= ' AND f.total = \''.addslashes($_GET['search_montant_ht']).'\'';
|
||||
}
|
||||
if ($_GET['search_montant_ttc'])
|
||||
{
|
||||
$sql .= ' AND f.total_ttc = \''.$_GET['search_montant_ttc'].'\'';
|
||||
$sql .= ' AND f.total_ttc = \''.addslashes($_GET['search_montant_ttc']).'\'';
|
||||
}
|
||||
if ($year > 0)
|
||||
{
|
||||
@ -2050,11 +2050,11 @@ else
|
||||
}
|
||||
if ($_POST['sf_ref'])
|
||||
{
|
||||
$sql .= ' AND f.facnumber like \'%'.$_POST['sf_ref'] . '%\'';
|
||||
$sql .= ' AND f.facnumber like \'%'.addslashes($_POST['sf_ref']) . '%\'';
|
||||
}
|
||||
if ($sall)
|
||||
{
|
||||
$sql .= ' AND (s.nom like \'%'.$sall.'%\' OR f.facnumber like \'%'.$sall.'%\' OR f.note like \'%'.$sall.'%\' OR fd.description like \'%'.$sall.'%\')';
|
||||
$sql .= ' AND (s.nom like \'%'.addslashes($sall).'%\' OR f.facnumber like \'%'.addslashes($sall).'%\' OR f.note like \'%'.addslashes($sall).'%\' OR fd.description like \'%'.addslashes($sall).'%\')';
|
||||
}
|
||||
|
||||
$sql .= ' GROUP BY f.facnumber';
|
||||
|
||||
Loading…
Reference in New Issue
Block a user