Escape all status
This commit is contained in:
Laurent Destailleur
parent
835cd43565
commit
03fe9d4e97
@ -390,13 +390,13 @@ if ($rowid > 0)
|
||||
}
|
||||
if ($status != '')
|
||||
{
|
||||
$sql.= " AND d.statut IN (".$status.")"; // Peut valoir un nombre ou liste de nombre separes par virgules
|
||||
$sql.= " AND d.statut IN (".$db->escape($status).")"; // Peut valoir un nombre ou liste de nombre separes par virgules
|
||||
}
|
||||
if ($action == 'search')
|
||||
{
|
||||
if (GETPOST('search'))
|
||||
{
|
||||
$sql.= natural_search(array("d.firstname","d.lastname"), GETPOST('search'));
|
||||
$sql.= natural_search(array("d.firstname","d.lastname"), GETPOST('search','alpha'));
|
||||
}
|
||||
}
|
||||
if (! empty($search_lastname))
|
||||
|
||||
@ -640,16 +640,16 @@ class AdvanceTargetingMailing extends CommonObject
|
||||
$sqlwhere[]=$this->transformToSQL('t.firstname',$arrayquery['contact_firstname']);
|
||||
}
|
||||
if (!empty($arrayquery['contact_country']) && count($arrayquery['contact_country'])) {
|
||||
$sqlwhere[]= " (t.fk_pays IN (".implode(',',$arrayquery['contact_country'])."))";
|
||||
$sqlwhere[]= " (t.fk_pays IN (".$db->escape(implode(',',$arrayquery['contact_country']))."))";
|
||||
}
|
||||
if (!empty($arrayquery['contact_status']) && count($arrayquery['contact_status'])>0) {
|
||||
$sqlwhere[]= " (t.statut IN (".implode(',',$arrayquery['contact_status'])."))";
|
||||
$sqlwhere[]= " (t.statut IN (".$db->escape(implode(',',$arrayquery['contact_status']))."))";
|
||||
}
|
||||
if (!empty($arrayquery['contact_civility']) && count($arrayquery['contact_civility'])>0) {
|
||||
$sqlwhere[]= " (t.civility IN ('".implode("','",$arrayquery['contact_civility'])."'))";
|
||||
$sqlwhere[]= " (t.civility IN ('".$db->escape(implode("','",$arrayquery['contact_civility']))."'))";
|
||||
}
|
||||
if ($arrayquery['contact_no_email']!='') {
|
||||
$sqlwhere[]= " (t.no_email='".$arrayquery['contact_no_email']."')";
|
||||
$sqlwhere[]= " (t.no_email='".$db->escape($arrayquery['contact_no_email'])."')";
|
||||
}
|
||||
if ($arrayquery['contact_update_st_dt']!='') {
|
||||
$sqlwhere[]= " (t.tms >= '".$this->db->idate($arrayquery['contact_update_st_dt'])."' AND t.tms <= '".$this->db->idate($arrayquery['contact_update_end_dt'])."')";
|
||||
@ -658,7 +658,7 @@ class AdvanceTargetingMailing extends CommonObject
|
||||
$sqlwhere[]= " (t.datec >= '".$this->db->idate($arrayquery['contact_create_st_dt'])."' AND t.datec <= '".$this->db->idate($arrayquery['contact_create_end_dt'])."')";
|
||||
}
|
||||
if (!empty($arrayquery['contact_categ']) && count($arrayquery['contact_categ'])>0) {
|
||||
$sqlwhere[]= " (contactcateg.fk_categorie IN (".implode(",",$arrayquery['contact_categ'])."))";
|
||||
$sqlwhere[]= " (contactcateg.fk_categorie IN (".$db->escape(implode(",",$arrayquery['contact_categ']))."))";
|
||||
}
|
||||
|
||||
//Standard Extrafield feature
|
||||
|
||||
@ -92,7 +92,7 @@ dol_mkdir($dir);
|
||||
|
||||
|
||||
$stats = new PropaleStats($db, $socid, ($userid>0?$userid:0), $mode);
|
||||
if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND p.fk_statut IN ('.$object_status.')';
|
||||
if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND p.fk_statut IN ('.$db->escape($object_status).')';
|
||||
|
||||
// Build graphic number of object
|
||||
$data = $stats->getNbByMonthWithPrevYear($endyear,$startyear);
|
||||
@ -299,7 +299,7 @@ foreach ($data as $val)
|
||||
while (! empty($year) && $oldyear > $year+1)
|
||||
{ // If we have empty year
|
||||
$oldyear--;
|
||||
|
||||
|
||||
print '<tr class="oddeven" height="24">';
|
||||
print '<td align="center"><a href="'.$_SERVER["PHP_SELF"].'?year='.$oldyear.'&mode='.$mode.($socid>0?'&socid='.$socid:'').($userid>0?'&userid='.$userid:'').'">'.$oldyear.'</a></td>';
|
||||
print '<td align="right">0</td>';
|
||||
|
||||
@ -88,11 +88,11 @@ dol_mkdir($dir);
|
||||
$stats = new CommandeStats($db, $socid, $mode, ($userid>0?$userid:0));
|
||||
if ($mode == 'customer')
|
||||
{
|
||||
if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND c.fk_statut IN ('.$object_status.')';
|
||||
if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND c.fk_statut IN ('.$db->escape($object_status).')';
|
||||
}
|
||||
if ($mode == 'supplier')
|
||||
{
|
||||
if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND c.fk_statut IN ('.$object_status.')';
|
||||
if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND c.fk_statut IN ('.$db->escape($object_status).')';
|
||||
}
|
||||
|
||||
|
||||
|
||||
@ -84,11 +84,11 @@ dol_mkdir($dir);
|
||||
$stats = new FactureStats($db, $socid, $mode, ($userid>0?$userid:0));
|
||||
if ($mode == 'customer')
|
||||
{
|
||||
if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND f.fk_statut IN ('.$object_status.')';
|
||||
if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND f.fk_statut IN ('.$db->escape($object_status).')';
|
||||
}
|
||||
if ($mode == 'supplier')
|
||||
{
|
||||
if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$object_status.')';
|
||||
if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$db->escape($object_status).')';
|
||||
}
|
||||
|
||||
// Build graphic number of object
|
||||
@ -299,7 +299,7 @@ foreach ($data as $val)
|
||||
while ($year && $oldyear > $year+1)
|
||||
{ // If we have empty year
|
||||
$oldyear--;
|
||||
|
||||
|
||||
print '<tr class="oddeven" height="24">';
|
||||
print '<td align="center"><a href="'.$_SERVER["PHP_SELF"].'?year='.$oldyear.'&mode='.$mode.($socid>0?'&socid='.$socid:'').($userid>0?'&userid='.$userid:'').'">'.$oldyear.'</a></td>';
|
||||
print '<td align="right">0</td>';
|
||||
@ -310,7 +310,7 @@ foreach ($data as $val)
|
||||
print '<td align="right"></td>';
|
||||
print '</tr>';
|
||||
}
|
||||
|
||||
|
||||
print '<tr class="oddeven" height="24">';
|
||||
print '<td align="center"><a href="'.$_SERVER["PHP_SELF"].'?year='.$year.'&mode='.$mode.($socid>0?'&socid='.$socid:'').($userid>0?'&userid='.$userid:'').'">'.$year.'</a></td>';
|
||||
print '<td align="right">'.$val['nb'].'</td>';
|
||||
|
||||
@ -1918,7 +1918,7 @@ class Form
|
||||
$sql.= ' WHERE p.entity IN ('.getEntity('product').')';
|
||||
if (count($warehouseStatusArray))
|
||||
{
|
||||
$sql.= ' AND (p.fk_product_type = 1 OR e.statut IN ('.implode(',',$warehouseStatusArray).'))';
|
||||
$sql.= ' AND (p.fk_product_type = 1 OR e.statut IN ('.$db->escape(implode(',',$warehouseStatusArray)).'))';
|
||||
}
|
||||
|
||||
if (!empty($conf->global->PRODUIT_ATTRIBUTES_HIDECHILD)) {
|
||||
|
||||
@ -92,11 +92,11 @@ $sql.= " FROM ".MAIN_DB_PREFIX."don as d LEFT JOIN ".MAIN_DB_PREFIX."projet AS p
|
||||
$sql.= " ON p.rowid = d.fk_projet WHERE 1 = 1";
|
||||
if ($statut != '' && $statut != '-1')
|
||||
{
|
||||
$sql .= " AND d.fk_statut IN (".$statut.")";
|
||||
$sql .= " AND d.fk_statut IN (".$db->escape($statut).")";
|
||||
}
|
||||
if (trim($search_ref) != '')
|
||||
{
|
||||
$sql.= natural_search('d.ref',$search_ref);
|
||||
$sql.= natural_search('d.ref', $search_ref);
|
||||
}
|
||||
if (trim($search_all) != '')
|
||||
{
|
||||
|
||||
@ -74,7 +74,7 @@ print load_fiche_titre($title, $mesg);
|
||||
dol_mkdir($dir);
|
||||
|
||||
$stats = new ExpenseReportStats($db, $socid, $userid);
|
||||
if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND e.fk_statut IN ('.$object_status.')';
|
||||
if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND e.fk_statut IN ('.$db->escape($object_status).')';
|
||||
|
||||
// Build graphic number of object
|
||||
// $data = array(array('Lib',val1,val2,val3),...)
|
||||
@ -262,7 +262,7 @@ foreach ($data as $val)
|
||||
while ($year && $oldyear > $year+1)
|
||||
{ // If we have empty year
|
||||
$oldyear--;
|
||||
|
||||
|
||||
print '<tr '.$bc[$var].' height="24">';
|
||||
print '<td align="center"><a href="'.$_SERVER["PHP_SELF"].'?year='.$oldyear.'&mode='.$mode.'">'.$oldyear.'</a></td>';
|
||||
print '<td align="right">0</td>';
|
||||
@ -271,7 +271,7 @@ foreach ($data as $val)
|
||||
print '</tr>';
|
||||
}
|
||||
|
||||
|
||||
|
||||
print '<tr '.$bc[$var].' height="24">';
|
||||
print '<td align="center"><a href="'.$_SERVER["PHP_SELF"].'?year='.$year.'&mode='.$mode.'">'.$year.'</a></td>';
|
||||
print '<td align="right">'.$val['nb'].'</td>';
|
||||
|
||||
@ -75,7 +75,7 @@ print load_fiche_titre($title,'','title_commercial.png');
|
||||
dol_mkdir($dir);
|
||||
|
||||
$stats = new FichinterStats($db, $socid, $mode, ($userid>0?$userid:0));
|
||||
if ($object_status != '' && $object_status > -1) $stats->where .= ' AND c.fk_statut IN ('.$object_status.')';
|
||||
if ($object_status != '' && $object_status > -1) $stats->where .= ' AND c.fk_statut IN ('.$db->escape($object_status).')';
|
||||
|
||||
// Build graphic number of object
|
||||
$data = $stats->getNbByMonthWithPrevYear($endyear,$startyear);
|
||||
@ -291,7 +291,7 @@ foreach ($data as $val)
|
||||
while (! empty($year) && $oldyear > $year+1)
|
||||
{ // If we have empty year
|
||||
$oldyear--;
|
||||
|
||||
|
||||
print '<tr '.$bc[$var].' height="24">';
|
||||
print '<td align="center"><a href="'.$_SERVER["PHP_SELF"].'?year='.$oldyear.'&mode='.$mode.($socid>0?'&socid='.$socid:'').($userid>0?'&userid='.$userid:'').'">'.$oldyear.'</a></td>';
|
||||
|
||||
@ -304,7 +304,7 @@ foreach ($data as $val)
|
||||
print '</tr>';
|
||||
}
|
||||
|
||||
|
||||
|
||||
print '<tr '.$bc[$var].' height="24">';
|
||||
print '<td align="center"><a href="'.$_SERVER["PHP_SELF"].'?year='.$year.'&mode='.$mode.($socid>0?'&socid='.$socid:'').($userid>0?'&userid='.$userid:'').'">'.$year.'</a></td>';
|
||||
print '<td align="right">'.$val['nb'].'</td>';
|
||||
|
||||
@ -535,9 +535,9 @@ if ($search_request_author) $sql.=natural_search(array('u.lastname','u.firstname
|
||||
if ($billed != '' && $billed >= 0) $sql .= " AND cf.billed = ".$billed;
|
||||
|
||||
//Required triple check because statut=0 means draft filter
|
||||
if (GETPOST('statut', 'alpha') !== '')
|
||||
if (GETPOST('statut', 'intcomma') !== '')
|
||||
{
|
||||
$sql .= " AND cf.fk_statut IN (".$db->escape(GETPOST('statut', 'alpha')).")";
|
||||
$sql .= " AND cf.fk_statut IN (".$db->escape($db->escape(GETPOST('statut', 'intcomma'))).")";
|
||||
}
|
||||
if ($search_status != '' && $search_status >= 0)
|
||||
{
|
||||
|
||||
@ -57,7 +57,7 @@ class FormProduct
|
||||
* @param string $batch Add quantity of batch stock in label for product with batch name batch, batch name precedes batch_id. Nothing if ''.
|
||||
* @param string $status warehouse status filter, following comma separated filter options can be used
|
||||
* 'warehouseopen' = select products from open warehouses,
|
||||
* 'warehouseclosed' = select products from closed warehouses,
|
||||
* 'warehouseclosed' = select products from closed warehouses,
|
||||
* 'warehouseinternal' = select products from warehouses for internal correct/transfer only
|
||||
* @param boolean $sumStock sum total stock of a warehouse, default true
|
||||
* @param array $exclude warehouses ids to exclude
|
||||
@ -68,28 +68,28 @@ class FormProduct
|
||||
global $conf, $langs;
|
||||
|
||||
if (empty($fk_product) && count($this->cache_warehouses)) return 0; // Cache already loaded and we do not want a list with information specific to a product
|
||||
|
||||
|
||||
if (is_array($exclude)) $excludeGroups = implode("','",$exclude);
|
||||
|
||||
$warehouseStatus = array();
|
||||
|
||||
if (preg_match('/warehouseclosed/', $status))
|
||||
if (preg_match('/warehouseclosed/', $status))
|
||||
{
|
||||
$warehouseStatus[] = Entrepot::STATUS_CLOSED;
|
||||
}
|
||||
if (preg_match('/warehouseopen/', $status))
|
||||
if (preg_match('/warehouseopen/', $status))
|
||||
{
|
||||
$warehouseStatus[] = Entrepot::STATUS_OPEN_ALL;
|
||||
}
|
||||
if (preg_match('/warehouseinternal/', $status))
|
||||
if (preg_match('/warehouseinternal/', $status))
|
||||
{
|
||||
$warehouseStatus[] = Entrepot::STATUS_OPEN_INTERNAL;
|
||||
}
|
||||
|
||||
|
||||
$sql = "SELECT e.rowid, e.label, e.description, e.fk_parent";
|
||||
if (!empty($fk_product))
|
||||
if (!empty($fk_product))
|
||||
{
|
||||
if (!empty($batch))
|
||||
if (!empty($batch))
|
||||
{
|
||||
$sql.= ", pb.qty as stock";
|
||||
}
|
||||
@ -107,7 +107,7 @@ class FormProduct
|
||||
if (!empty($fk_product))
|
||||
{
|
||||
$sql.= " AND ps.fk_product = '".$fk_product."'";
|
||||
if (!empty($batch))
|
||||
if (!empty($batch))
|
||||
{
|
||||
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."product_batch as pb on pb.fk_product_stock = ps.rowid AND pb.batch = '".$batch."'";
|
||||
}
|
||||
@ -115,15 +115,15 @@ class FormProduct
|
||||
$sql.= " WHERE e.entity IN (".getEntity('stock').")";
|
||||
if (count($warehouseStatus))
|
||||
{
|
||||
$sql.= " AND e.statut IN (".implode(',',$warehouseStatus).")";
|
||||
$sql.= " AND e.statut IN (".$db->escape(implode(',',$warehouseStatus)).")";
|
||||
}
|
||||
else
|
||||
{
|
||||
$sql.= " AND e.statut = 1";
|
||||
}
|
||||
|
||||
if(!empty($exclude)) $sql.= ' AND e.rowid NOT IN('.implode(',', $exclude).')';
|
||||
|
||||
|
||||
if(!empty($exclude)) $sql.= ' AND e.rowid NOT IN('.$db->escape(implode(',', $exclude)).')';
|
||||
|
||||
if ($sumStock && empty($fk_product)) $sql.= " GROUP BY e.rowid, e.label, e.description, e.fk_parent";
|
||||
$sql.= " ORDER BY e.label";
|
||||
|
||||
@ -144,7 +144,7 @@ class FormProduct
|
||||
$this->cache_warehouses[$obj->rowid]['stock'] = $obj->stock;
|
||||
$i++;
|
||||
}
|
||||
|
||||
|
||||
// Full label init
|
||||
foreach($this->cache_warehouses as $obj_rowid=>$tab) {
|
||||
$this->cache_warehouses[$obj_rowid]['full_label'] = $this->get_parent_path($tab);
|
||||
@ -158,18 +158,18 @@ class FormProduct
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Return full path to current warehouse in $tab (recursive function)
|
||||
*
|
||||
*
|
||||
* @param array $tab warehouse data in $this->cache_warehouses line
|
||||
* @param String $final_label full label with all parents, separated by ' >> ' (completed on each call)
|
||||
* @return String full label with all parents, separated by ' >> '
|
||||
*/
|
||||
private function get_parent_path($tab, $final_label='') {
|
||||
|
||||
|
||||
if(empty($final_label)) $final_label = $tab['label'];
|
||||
|
||||
|
||||
if(empty($tab['parent_id'])) return $final_label;
|
||||
else {
|
||||
if(!empty($this->cache_warehouses[$tab['parent_id']])) {
|
||||
@ -177,9 +177,9 @@ class FormProduct
|
||||
return $this->get_parent_path($this->cache_warehouses[$tab['parent_id']], $final_label);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
return $final_label;
|
||||
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
@ -189,7 +189,7 @@ class FormProduct
|
||||
* @param string $htmlname Name of html select html
|
||||
* @param string $filterstatus warehouse status filter, following comma separated filter options can be used
|
||||
* 'warehouseopen' = select products from open warehouses,
|
||||
* 'warehouseclosed' = select products from closed warehouses,
|
||||
* 'warehouseclosed' = select products from closed warehouses,
|
||||
* 'warehouseinternal' = select products from warehouses for internal correct/transfer only
|
||||
* @param int $empty 1=Can be empty, 0 if not
|
||||
* @param int $disabled 1=Select is disabled
|
||||
@ -208,7 +208,7 @@ class FormProduct
|
||||
global $conf,$langs,$user;
|
||||
|
||||
dol_syslog(get_class($this)."::selectWarehouses $selected, $htmlname, $filterstatus, $empty, $disabled, $fk_product, $empty_label, $showstock, $forcecombo, $morecss",LOG_DEBUG);
|
||||
|
||||
|
||||
$out='';
|
||||
if (empty($conf->global->ENTREPOT_EXTRA_STATUS)) $filterstatus = '';
|
||||
$this->loadWarehouses($fk_product, '', $filterstatus, true, $exclude);
|
||||
@ -221,7 +221,7 @@ class FormProduct
|
||||
$out.= $comboenhancement;
|
||||
$nodatarole=($comboenhancement?' data-role="none"':'');
|
||||
}
|
||||
|
||||
|
||||
$out.='<select class="flat'.($morecss?' '.$morecss:'').'"'.($disabled?' disabled':'').' id="'.$htmlname.'" name="'.($htmlname.($disabled?'_disabled':'')).'"'.$nodatarole.'>';
|
||||
if ($empty) $out.='<option value="-1">'.($empty_label?$empty_label:' ').'</option>';
|
||||
foreach($this->cache_warehouses as $id => $arraytypes)
|
||||
|
||||
@ -3750,7 +3750,7 @@ class Product extends CommonObject
|
||||
$sql.= " WHERE w.entity IN (".getEntity('stock').")";
|
||||
$sql.= " AND w.rowid = ps.fk_entrepot";
|
||||
$sql.= " AND ps.fk_product = ".$this->id;
|
||||
if ($conf->global->ENTREPOT_EXTRA_STATUS && count($warehouseStatus)) $sql.= " AND w.statut IN (".implode(',',$warehouseStatus).")";
|
||||
if ($conf->global->ENTREPOT_EXTRA_STATUS && count($warehouseStatus)) $sql.= " AND w.statut IN (".$db->escape(implode(',',$warehouseStatus)).")";
|
||||
|
||||
dol_syslog(get_class($this)."::load_stock", LOG_DEBUG);
|
||||
$result = $this->db->query($sql);
|
||||
|
||||
@ -284,7 +284,7 @@ if ($search_montant_vat != '') $sql.= natural_search("sp.tva", $search_montant_v
|
||||
if ($search_montant_ttc != '') $sql.= natural_search("sp.total", $search_montant_ttc, 1);
|
||||
if ($sall) $sql .= natural_search(array_keys($fieldstosearchall), $sall);
|
||||
if ($socid) $sql.= ' AND s.rowid = '.$socid;
|
||||
if ($search_status >= 0 && $search_status != '') $sql.= ' AND sp.fk_statut IN ('.$search_status.')';
|
||||
if ($search_status >= 0 && $search_status != '') $sql.= ' AND sp.fk_statut IN ('.$db->escape($search_status).')';
|
||||
if ($month > 0)
|
||||
{
|
||||
if ($year > 0 && empty($day))
|
||||
|
||||
Loading…
Reference in New Issue
Block a user