From 0a8402fe648c51822a7a5c2d6b9859bacc44ddd4 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Wed, 18 Feb 2009 20:48:49 +0000 Subject: [PATCH] Protection against bad parameters --- htdocs/commande/commande.class.php | 5 ++++- htdocs/contrat/contrat.class.php | 3 +++ htdocs/public/paybox/newpayment.php | 5 +++++ 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/htdocs/commande/commande.class.php b/htdocs/commande/commande.class.php index a0fb4ef1536..660194a69cc 100644 --- a/htdocs/commande/commande.class.php +++ b/htdocs/commande/commande.class.php @@ -813,6 +813,9 @@ class Commande extends CommonObject */ function fetch($id,$ref='') { + // Check parameters + if (empty($id) && empty($ref)) return -1; + $sql = 'SELECT c.rowid, c.date_creation, c.ref, c.fk_soc, c.fk_user_author, c.fk_statut'; $sql.= ', c.amount_ht, c.total_ht, c.total_ttc, c.tva as total_tva, c.fk_cond_reglement, c.fk_mode_reglement'; $sql.= ', '.$this->db->pdate('c.date_commande').' as date_commande'; @@ -829,7 +832,7 @@ class Commande extends CommonObject if ($ref) $sql.= " WHERE c.ref='".$ref."'"; else $sql.= " WHERE c.rowid=".$id; - dolibarr_syslog("Commande::fetch sql=$sql"); + dolibarr_syslog("Commande::fetch sql=".$sql, LOG_DEBUG); $result = $this->db->query($sql) ; if ($result) { diff --git a/htdocs/contrat/contrat.class.php b/htdocs/contrat/contrat.class.php index acf526969c6..3dd021117e6 100644 --- a/htdocs/contrat/contrat.class.php +++ b/htdocs/contrat/contrat.class.php @@ -1490,6 +1490,9 @@ class ContratLigne { global $langs,$user; + // Check parameters + if (empty($id) && empty($ref)) return -1; + $sql = "SELECT"; $sql.= " t.rowid,"; diff --git a/htdocs/public/paybox/newpayment.php b/htdocs/public/paybox/newpayment.php index e8642b8d192..fdf79f17bd0 100644 --- a/htdocs/public/paybox/newpayment.php +++ b/htdocs/public/paybox/newpayment.php 
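Review bot: The new guard at the top of Commande::fetch() only rejects the case where both parameters are missing; whatever passes it is still concatenated into the WHERE clause as-is in the second hunk (`" WHERE c.ref='".$ref."'"` and `" WHERE c.rowid=".$id`), so a non-numeric `$id` or a `$ref` containing a quote still reaches the query unchecked. Cast and escape at the point of use instead, e.g. `else $sql.= " WHERE c.rowid=".(int) $id;` and pass `$ref` through the database layer's escaping helper (if `$this->db` offers one) rather than the raw string. The guard also relies on `empty()`, which treats the string `'0'` as missing; that is consistent with the later `if ($ref)` test but should be stated in the docblock above the hunk, e.g. `@return int  -1 when neither $id nor $ref is supplied`. The same check is added to ContratLigne in this commit, and the WHERE clause it protects (outside that hunk) deserves the same cast/escape treatment. fetch's body continues past the hunk.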
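Review bot: The early `return -1` added to the ContratLigne method in this hunk is not reflected in the method's docblock, which sits above the hunk together with the signature, so callers cannot tell from the documentation that an empty id/ref pair is now rejected before any query runs. Add a line such as `@return int  -1 if both $id and $ref are empty, otherwise the fetch result` (the "otherwise" part should be confirmed against the rest of the method, which is outside the hunk). The comment `// Check parameters` says what rather than why; `// Reject a call with neither id nor ref: the WHERE clause below needs one of them` is more useful, assuming the clause is built the same way as in Commande::fetch. Note that `empty()` also treats the string `'0'` as absent, which is worth a mention if such refs can exist.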
@@ -60,6 +60,11 @@ if (is_numeric($amount) && empty($_REQUEST["tag"]))
 dolibarr_print_error('','ErrorBadParameters');
 exit;
 }
+if (! is_numeric($amount) && empty($_REQUEST["ref"]))
+{
+ dolibarr_print_error('','ErrorBadParameters');
+ exit;
+}