Protection against bad parameters

2009-02-18 20:48:49 +00:00 · 2009-02-18 20:48:49 +00:00 · 0a8402fe64
commit 0a8402fe64
parent 4940d95e9d
3 changed files with 12 additions and 1 deletions
--- a/htdocs/commande/commande.class.php
+++ b/htdocs/commande/commande.class.php
@ -813,6 +813,9 @@ class Commande extends CommonObject
 	 */
 	function fetch($id,$ref='')
 	{
+		// Check parameters
+		if (empty($id) && empty($ref)) return -1;
+
 		$sql = 'SELECT c.rowid, c.date_creation, c.ref, c.fk_soc, c.fk_user_author, c.fk_statut';
 		$sql.= ', c.amount_ht, c.total_ht, c.total_ttc, c.tva as total_tva, c.fk_cond_reglement, c.fk_mode_reglement';
 		$sql.= ', '.$this->db->pdate('c.date_commande').' as date_commande';
@ -829,7 +832,7 @@ class Commande extends CommonObject
 		if ($ref) $sql.= " WHERE c.ref='".$ref."'";
 		else $sql.= " WHERE c.rowid=".$id;

-		dolibarr_syslog("Commande::fetch sql=$sql");
+		dolibarr_syslog("Commande::fetch sql=".$sql, LOG_DEBUG);
 		$result = $this->db->query($sql) ;
 		if ($result)
 		{
--- a/htdocs/contrat/contrat.class.php
+++ b/htdocs/contrat/contrat.class.php
@ -1490,6 +1490,9 @@ class ContratLigne
 	{
 		global $langs,$user;

+		// Check parameters
+		if (empty($id) && empty($ref)) return -1;
+
 		$sql = "SELECT";
 		$sql.= " t.rowid,";

--- a/htdocs/public/paybox/newpayment.php
+++ b/htdocs/public/paybox/newpayment.php
@ -60,6 +60,11 @@ if (is_numeric($amount) && empty($_REQUEST["tag"]))
 	dolibarr_print_error('','ErrorBadParameters');
 	exit;
 }
+if (! is_numeric($amount) && empty($_REQUEST["ref"]))
+{
+	dolibarr_print_error('','ErrorBadParameters');
+	exit;
+}