Fix escaping

Laurent Destailleur 2020-09-20 02:57:15 +02:00
parent f57b4fd2fd
commit 0e4d3c19dd
21 changed files with 58 additions and 55 deletions


@ -1147,7 +1147,7 @@ if ($step == 4 && $datatoimport)
// List of existing import profils // List of existing import profils
$sql = "SELECT rowid, label"; $sql = "SELECT rowid, label";
$sql .= " FROM ".MAIN_DB_PREFIX."import_model"; $sql .= " FROM ".MAIN_DB_PREFIX."import_model";
$sql .= " WHERE type = '".$datatoimport."'"; $sql .= " WHERE type = '".$db->escape($datatoimport)."'";
$sql .= " ORDER BY rowid"; $sql .= " ORDER BY rowid";
$resql = $db->query($sql); $resql = $db->query($sql);
if ($resql) if ($resql)


@ -374,7 +374,7 @@ foreach ($myTmpObjects as $myTmpObjectKey => $myTmpObjectArray) {
$def = array(); $def = array();
$sql = "SELECT nom"; $sql = "SELECT nom";
$sql .= " FROM ".MAIN_DB_PREFIX."document_model"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model";
$sql .= " WHERE type = '".$type."'"; $sql .= " WHERE type = '".$db->escape($type)."'";
$sql .= " AND entity = ".$conf->entity; $sql .= " AND entity = ".$conf->entity;
$resql = $db->query($sql); $resql = $db->query($sql);
if ($resql) if ($resql)
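Review bot: `$conf->entity` at the line `$sql .= " AND entity = ".$conf->entity;` is still concatenated without a cast, while the same commit casts other numeric filters elsewhere; `$sql .= " AND entity = ".((int) $conf->entity);` would make this hunk consistent with the rest of the fix. The value comes from configuration rather than the request, so the risk is low, but the cast costs nothing and documents the intent. The identical line appears in the later document_model hunk (`@ -378,7 +378,7 @@ print '</table>';`), which should get the same treatment.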


@ -427,11 +427,11 @@ class MultiCurrency extends CommonObject
{ {
global $db, $user; global $db, $user;
$currency = new MultiCurrency($db); $currency = new MultiCurrency($this->db);
$currency->code = $code; $currency->code = $code;
$currency->name = $code; $currency->name = $code;
$sql = 'SELECT label FROM '.MAIN_DB_PREFIX.'c_currencies WHERE code_iso = \''.$db->escape($code).'\''; $sql = 'SELECT label FROM '.MAIN_DB_PREFIX."c_currencies WHERE code_iso = '".$this->db->escape($code)."'";
dol_syslog(__METHOD__, LOG_DEBUG); dol_syslog(__METHOD__, LOG_DEBUG);
$resql = $db->query($sql); $resql = $db->query($sql);
@ -486,15 +486,15 @@ class MultiCurrency extends CommonObject
* Get id of currency from code * Get id of currency from code
* *
* @param DoliDB $db object db * @param DoliDB $db object db
* @param string $code code value search * @param string $code code value search
* *
* @return int 0 if not found, >0 if OK * @return int 0 if not found, >0 if OK
*/ */
public static function getIdFromCode(&$db, $code) public static function getIdFromCode($db, $code)
{ {
global $conf; global $conf;
$sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.'multicurrency WHERE code = \''.$db->escape($code).'\' AND entity = '.$conf->entity; $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX."multicurrency WHERE code = '".$db->escape($code)."' AND entity = ".$conf->entity;
dol_syslog(__METHOD__, LOG_DEBUG); dol_syslog(__METHOD__, LOG_DEBUG);
$resql = $db->query($sql); $resql = $db->query($sql);
@ -512,7 +512,7 @@ class MultiCurrency extends CommonObject
* @return array [0] => id currency * @return array [0] => id currency
* [1] => rate * [1] => rate
*/ */
public static function getIdAndTxFromCode(&$db, $code, $date_document = '') public static function getIdAndTxFromCode($db, $code, $date_document = '')
{ {
global $conf; global $conf;
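Review bot: The first hunk now builds the object with `new MultiCurrency($this->db)` and escapes through `$this->db`, but the query two lines later still runs on the global handle, `$resql = $db->query($sql);`, so the method mixes two connections; if `$this->db` is the intended one, change it to `$resql = $this->db->query($sql);` and the `global $db` on that method may become unnecessary. The enclosing method starts outside the hunk, so whether `$db` is used elsewhere in it cannot be seen here. In the `getIdFromCode` hunk, `$conf->entity` is also concatenated raw; `((int) $conf->entity)` would match the casting style the commit applies in other files.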


@ -378,7 +378,7 @@ print '</table>';
$def = array(); $def = array();
$sql = "SELECT nom"; $sql = "SELECT nom";
$sql .= " FROM ".MAIN_DB_PREFIX."document_model"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model";
$sql .= " WHERE type = '".$type."'"; $sql .= " WHERE type = '".$db->escape($type)."'";
$sql .= " AND entity = ".$conf->entity; $sql .= " AND entity = ".$conf->entity;
$resql = $db->query($sql); $resql = $db->query($sql);
if ($resql) if ($resql)


@ -184,7 +184,7 @@ if ($action == 'convert')
$sql .= " AND tva_tx = '".$db->escape($oldvatrate)."'"; $sql .= " AND tva_tx = '".$db->escape($oldvatrate)."'";
if ($vat_src_code_old) $sql .= " AND default_vat_code = '".$db->escape($vat_src_code_old)."'"; if ($vat_src_code_old) $sql .= " AND default_vat_code = '".$db->escape($vat_src_code_old)."'";
else " AND default_vat_code = IS NULL"; else " AND default_vat_code = IS NULL";
$sql .= " AND s.fk_pays = '".$country_id."'"; $sql .= " AND s.fk_pays = ".((int) $country_id);
//print $sql; //print $sql;
$resql = $db->query($sql); $resql = $db->query($sql);
if ($resql) if ($resql)
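Review bot: The context line `else " AND default_vat_code = IS NULL";` is a bare string expression, not an assignment, so when `$vat_src_code_old` is empty nothing is appended and the query silently matches rows regardless of `default_vat_code`; the literal is also not valid SQL (`= IS NULL`). The commit touches the line right after it but leaves this in place; it presumably should read `else $sql .= " AND default_vat_code IS NULL";`, assuming the intent was to restrict the update to rows with no VAT code. The surrounding `if ($action == 'convert')` block starts before the hunk.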


@ -234,6 +234,7 @@ if (empty($reshook))
$npr = preg_match('/\*/', $tva_tx_txt) ? 1 : 0; $npr = preg_match('/\*/', $tva_tx_txt) ? 1 : 0;
$localtax1 = 0; $localtax2 = 0; $localtax1_type = '0'; $localtax2_type = '0'; $localtax1 = 0; $localtax2 = 0; $localtax1_type = '0'; $localtax2_type = '0';
// If value contains the unique code of vat line (new recommanded method), we use it to find npr and local taxes // If value contains the unique code of vat line (new recommanded method), we use it to find npr and local taxes
$reg = array();
if (preg_match('/\((.*)\)/', $tva_tx_txt, $reg)) if (preg_match('/\((.*)\)/', $tva_tx_txt, $reg))
{ {
// We look into database using code (we can't use get_localtax() because it depends on buyer that is not known). Same in update price. // We look into database using code (we can't use get_localtax() because it depends on buyer that is not known). Same in update price.
@ -241,9 +242,9 @@ if (empty($reshook))
// Get record from code // Get record from code
$sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
$sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1"; $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
$sql .= " AND t.code ='".$vatratecode."'"; $sql .= " AND t.code = '".$db->escape($vatratecode)."'";
$resql = $db->query($sql); $resql = $db->query($sql);
if ($resql) if ($resql)
{ {


@ -112,10 +112,10 @@ class FormProduct
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps on ps.fk_entrepot = e.rowid"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps on ps.fk_entrepot = e.rowid";
if (!empty($fk_product)) if (!empty($fk_product))
{ {
$sql .= " AND ps.fk_product = '".$fk_product."'"; $sql .= " AND ps.fk_product = ".((int) $fk_product);
if (!empty($batch)) if (!empty($batch))
{ {
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_batch as pb on pb.fk_product_stock = ps.rowid AND pb.batch = '".$batch."'"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_batch as pb on pb.fk_product_stock = ps.rowid AND pb.batch = '".$this->db->escape($batch)."'";
} }
} }
$sql .= " WHERE e.entity IN (".getEntity('stock').")"; $sql .= " WHERE e.entity IN (".getEntity('stock').")";


@ -929,7 +929,7 @@ class Product extends CommonObject
{ {
if ($detail->batch == $valueforundefinedlot || $detail->batch == 'Undefined') { if ($detail->batch == $valueforundefinedlot || $detail->batch == 'Undefined') {
// We discard this line, we will create it later // We discard this line, we will create it later
$sqlclean = "DELETE FROM ".MAIN_DB_PREFIX."product_batch WHERE batch in('Undefined', '".$valueforundefinedlot."') AND fk_product_stock = ".$ObjW->id; $sqlclean = "DELETE FROM ".MAIN_DB_PREFIX."product_batch WHERE batch in('Undefined', '".$this->db->escape($valueforundefinedlot)."') AND fk_product_stock = ".$ObjW->id;
$result = $this->db->query($sqlclean); $result = $this->db->query($sqlclean);
if (!$result) { if (!$result) {
dol_print_error($this->db); dol_print_error($this->db);
@ -1612,7 +1612,7 @@ class Product extends CommonObject
// If price per customer // If price per customer
require_once DOL_DOCUMENT_ROOT.'/product/class/productcustomerprice.class.php'; require_once DOL_DOCUMENT_ROOT.'/product/class/productcustomerprice.class.php';
$prodcustprice = new Productcustomerprice($db); $prodcustprice = new Productcustomerprice($this->db);
$filter = array('t.fk_product' => $this->id, 't.fk_soc' => $thirdparty_buyer->id); $filter = array('t.fk_product' => $this->id, 't.fk_soc' => $thirdparty_buyer->id);
@ -1749,7 +1749,7 @@ class Product extends CommonObject
if (!empty($conf->global->PRODUCT_USE_SUPPLIER_PACKAGING)) $sql .= ", pfp.packaging"; if (!empty($conf->global->PRODUCT_USE_SUPPLIER_PACKAGING)) $sql .= ", pfp.packaging";
$sql .= " FROM ".MAIN_DB_PREFIX."product_fournisseur_price as pfp"; $sql .= " FROM ".MAIN_DB_PREFIX."product_fournisseur_price as pfp";
$sql .= " WHERE pfp.fk_product = ".$product_id; $sql .= " WHERE pfp.fk_product = ".$product_id;
if ($fourn_ref != 'none') { $sql .= " AND pfp.ref_fourn = '".$fourn_ref."'"; if ($fourn_ref != 'none') { $sql .= " AND pfp.ref_fourn = '".$this->db->escape($fourn_ref)."'";
} }
if ($fk_soc > 0) { $sql .= " AND pfp.fk_soc = ".$fk_soc; if ($fk_soc > 0) { $sql .= " AND pfp.fk_soc = ".$fk_soc;
} }
@ -1922,18 +1922,18 @@ class Product extends CommonObject
// Ne pas mettre de quote sur les numeriques decimaux. // Ne pas mettre de quote sur les numeriques decimaux.
// Ceci provoque des stockages avec arrondis en base au lieu des valeurs exactes. // Ceci provoque des stockages avec arrondis en base au lieu des valeurs exactes.
$sql = "UPDATE ".MAIN_DB_PREFIX."product SET"; $sql = "UPDATE ".MAIN_DB_PREFIX."product SET";
$sql .= " price_base_type='".$newpricebase."',"; $sql .= " price_base_type='".$this->db->escape($newpricebase)."',";
$sql .= " price=".$price.","; $sql .= " price=".$price.",";
$sql .= " price_ttc=".$price_ttc.","; $sql .= " price_ttc=".$price_ttc.",";
$sql .= " price_min=".$price_min.","; $sql .= " price_min=".$price_min.",";
$sql .= " price_min_ttc=".$price_min_ttc.","; $sql .= " price_min_ttc=".$price_min_ttc.",";
$sql .= " localtax1_tx=".($localtax1 >= 0 ? $localtax1 : 'NULL').","; $sql .= " localtax1_tx=".($localtax1 >= 0 ? $localtax1 : 'NULL').",";
$sql .= " localtax2_tx=".($localtax2 >= 0 ? $localtax2 : 'NULL').","; $sql .= " localtax2_tx=".($localtax2 >= 0 ? $localtax2 : 'NULL').",";
$sql .= " localtax1_type=".($localtaxtype1 != '' ? "'".$localtaxtype1."'" : "'0'").","; $sql .= " localtax1_type=".($localtaxtype1 != '' ? "'".$this->db->escape($localtaxtype1)."'" : "'0'").",";
$sql .= " localtax2_type=".($localtaxtype2 != '' ? "'".$localtaxtype2."'" : "'0'").","; $sql .= " localtax2_type=".($localtaxtype2 != '' ? "'".$this->db->escape($localtaxtype2)."'" : "'0'").",";
$sql .= " default_vat_code=".($newdefaultvatcode ? "'".$this->db->escape($newdefaultvatcode)."'" : "null").","; $sql .= " default_vat_code=".($newdefaultvatcode ? "'".$this->db->escape($newdefaultvatcode)."'" : "null").",";
$sql .= " tva_tx='".price2num($newvat)."',"; $sql .= " tva_tx='".price2num($newvat)."',";
$sql .= " recuperableonly='".$newnpr."'"; $sql .= " recuperableonly='".$this->db->escape($newnpr)."'";
$sql .= " WHERE rowid = ".$id; $sql .= " WHERE rowid = ".$id;
dol_syslog(get_class($this)."::update_price", LOG_DEBUG); dol_syslog(get_class($this)."::update_price", LOG_DEBUG);
@ -2942,7 +2942,7 @@ class Product extends CommonObject
global $db, $conf, $user, $hookmanager; global $db, $conf, $user, $hookmanager;
$sql = "SELECT COUNT(DISTINCT f.fk_soc) as nb_customers, COUNT(DISTINCT f.rowid) as nb,"; $sql = "SELECT COUNT(DISTINCT f.fk_soc) as nb_customers, COUNT(DISTINCT f.rowid) as nb,";
$sql .= " COUNT(fd.rowid) as nb_rows, SUM(".$db->ifsql('f.type != 2', 'fd.qty', 'fd.qty * -1').") as qty"; $sql .= " COUNT(fd.rowid) as nb_rows, SUM(".$this->db->ifsql('f.type != 2', 'fd.qty', 'fd.qty * -1').") as qty";
$sql .= " FROM ".MAIN_DB_PREFIX."facturedet as fd"; $sql .= " FROM ".MAIN_DB_PREFIX."facturedet as fd";
$sql .= ", ".MAIN_DB_PREFIX."facture as f"; $sql .= ", ".MAIN_DB_PREFIX."facture as f";
$sql .= ", ".MAIN_DB_PREFIX."societe as s"; $sql .= ", ".MAIN_DB_PREFIX."societe as s";
@ -3672,8 +3672,8 @@ class Product extends CommonObject
// phpcs:enable // phpcs:enable
$sql = "SELECT fk_product_pere, qty, incdec"; $sql = "SELECT fk_product_pere, qty, incdec";
$sql .= " FROM ".MAIN_DB_PREFIX."product_association"; $sql .= " FROM ".MAIN_DB_PREFIX."product_association";
$sql .= " WHERE fk_product_pere = '".$fk_parent."'"; $sql .= " WHERE fk_product_pere = ".((int) $fk_parent);
$sql .= " AND fk_product_fils = '".$fk_child."'"; $sql .= " AND fk_product_fils = ".((int) $fk_child);
$result = $this->db->query($sql); $result = $this->db->query($sql);
if ($result) { if ($result) {
@ -5371,17 +5371,17 @@ class Product extends CommonObject
global $conf, $db; global $conf, $db;
$sql = "SELECT rowid, level, fk_level, var_percent, var_min_percent FROM ".MAIN_DB_PREFIX."product_pricerules"; $sql = "SELECT rowid, level, fk_level, var_percent, var_min_percent FROM ".MAIN_DB_PREFIX."product_pricerules";
$query = $db->query($sql); $query = $this->db->query($sql);
$rules = array(); $rules = array();
while ($result = $db->fetch_object($query)) { while ($result = $this->db->fetch_object($query)) {
$rules[$result->level] = $result; $rules[$result->level] = $result;
} }
//Because prices can be based on other level's prices, we temporarily store them //Because prices can be based on other level's prices, we temporarily store them
$prices = array( $prices = array(
1 => $baseprice 1 => $baseprice
); );
for ($i = 1; $i <= $conf->global->PRODUIT_MULTIPRICES_LIMIT; $i++) { for ($i = 1; $i <= $conf->global->PRODUIT_MULTIPRICES_LIMIT; $i++) {
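Review bot: Several numeric identifiers in this file are still concatenated raw even though the `@ -3672` hunk shows the intended form: `$sql .= " WHERE pfp.fk_product = ".$product_id;`, `$sql .= " AND pfp.fk_soc = ".$fk_soc;`, `$sql .= " WHERE rowid = ".$id;` and `AND fk_product_stock = ".$ObjW->id` should all take `((int) ...)` the way `fk_product_pere` and `fk_product_fils` now do. The same pattern is left in the Propalmergepdfproduct hunks (`WHERE t.fk_product = ".$product_id` and `WHERE fk_product=".$product_id`) and in the `@ -203` product_lang hunk (`WHERE fk_product=".$prodid`). In the `@ -5371` hunk, `global $conf, $db;` still imports `$db` although the two call sites in the hunk now go through `$this->db`; the method continues past the hunk, so the global may still be needed further down.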


@ -232,7 +232,7 @@ class Propalmergepdfproduct extends CommonObject
$sql .= " FROM ".MAIN_DB_PREFIX."propal_merge_pdf_product as t"; $sql .= " FROM ".MAIN_DB_PREFIX."propal_merge_pdf_product as t";
$sql .= " WHERE t.fk_product = ".$product_id; $sql .= " WHERE t.fk_product = ".$product_id;
if ($conf->global->MAIN_MULTILANGS && !empty($lang)) { if ($conf->global->MAIN_MULTILANGS && !empty($lang)) {
$sql .= " AND t.lang = '".$lang."'"; $sql .= " AND t.lang = '".$this->db->escape($lang)."'";
} }
dol_syslog(__METHOD__, LOG_DEBUG); dol_syslog(__METHOD__, LOG_DEBUG);
@ -398,7 +398,7 @@ class Propalmergepdfproduct extends CommonObject
$sql .= " WHERE fk_product=".$product_id; $sql .= " WHERE fk_product=".$product_id;
if ($conf->global->MAIN_MULTILANGS && !empty($lang_id)) { if ($conf->global->MAIN_MULTILANGS && !empty($lang_id)) {
$sql .= " AND lang='".$lang_id."'"; $sql .= " AND lang='".$this->db->escape($lang_id)."'";
} }
dol_syslog(__METHOD__, LOG_DEBUG); dol_syslog(__METHOD__, LOG_DEBUG);


@ -327,7 +327,7 @@ if ((!empty($conf->product->enabled) || !empty($conf->service->enabled)) && ($us
$sql = "SELECT label"; $sql = "SELECT label";
$sql .= " FROM ".MAIN_DB_PREFIX."product_lang"; $sql .= " FROM ".MAIN_DB_PREFIX."product_lang";
$sql .= " WHERE fk_product=".$objp->rowid; $sql .= " WHERE fk_product=".$objp->rowid;
$sql .= " AND lang='".$langs->getDefaultLang()."'"; $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'";
$resultd = $db->query($sql); $resultd = $db->query($sql);
if ($resultd) if ($resultd)


@ -353,7 +353,7 @@ if (is_array($extrafields->attributes[$object->table_element]['label']) && count
if (!empty($searchCategoryProductList) || !empty($catid)) $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX."categorie_product as cp ON p.rowid = cp.fk_product"; // We'll need this table joined to the select in order to filter by categ if (!empty($searchCategoryProductList) || !empty($catid)) $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX."categorie_product as cp ON p.rowid = cp.fk_product"; // We'll need this table joined to the select in order to filter by categ
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_fournisseur_price as pfp ON p.rowid = pfp.fk_product"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_fournisseur_price as pfp ON p.rowid = pfp.fk_product";
// multilang // multilang
if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lang as pl ON pl.fk_product = p.rowid AND pl.lang = '".$langs->getDefaultLang()."'"; if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lang as pl ON pl.fk_product = p.rowid AND pl.lang = '".$db->escape($langs->getDefaultLang())."'";
if (!empty($conf->variants->enabled) && (!empty($conf->global->PRODUIT_ATTRIBUTES_HIDECHILD) && !$show_childproducts)) { if (!empty($conf->variants->enabled) && (!empty($conf->global->PRODUIT_ATTRIBUTES_HIDECHILD) && !$show_childproducts)) {
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_attribute_combination pac ON pac.fk_product_child = p.rowid"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_attribute_combination pac ON pac.fk_product_child = p.rowid";


@ -203,7 +203,7 @@ if ($mode && $mode != '-1') {
$sql = "SELECT label"; $sql = "SELECT label";
$sql .= " FROM ".MAIN_DB_PREFIX."product_lang"; $sql .= " FROM ".MAIN_DB_PREFIX."product_lang";
$sql .= " WHERE fk_product=".$prodid; $sql .= " WHERE fk_product=".$prodid;
$sql .= " AND lang='".$langs->getDefaultLang()."'"; $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'";
$sql .= " LIMIT 1"; $sql .= " LIMIT 1";
$resultp = $db->query($sql); $resultp = $db->query($sql);


@ -127,9 +127,9 @@ if (empty($reshook))
// Get record from code // Get record from code
$sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
$sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1"; $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
$sql .= " AND t.code ='".$vatratecode."'"; $sql .= " AND t.code ='".$db->escape($vatratecode)."'";
$resql = $db->query($sql); $resql = $db->query($sql);
if ($resql) if ($resql)
{ {
@ -243,9 +243,9 @@ if (empty($reshook))
// Get record from code // Get record from code
$sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
$sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1"; $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
$sql .= " AND t.code ='".$vatratecode."'"; $sql .= " AND t.code ='".$db->escape($vatratecode)."'";
$resql = $db->query($sql); $resql = $db->query($sql);
if ($resql) if ($resql)
{ {
@ -296,9 +296,9 @@ if (empty($reshook))
// Get record from code // Get record from code
$sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
$sql .= " AND t.taux = ".$tva_tx." AND t.active = 1"; $sql .= " AND t.taux = ".$tva_tx." AND t.active = 1";
$sql .= " AND t.code ='".$vatratecode."'"; $sql .= " AND t.code ='".$db->escape($vatratecode)."'";
$resql = $db->query($sql); $resql = $db->query($sql);
if ($resql) if ($resql)
{ {
@ -436,7 +436,7 @@ if (empty($reshook))
// Ajout / mise à jour // Ajout / mise à jour
if ($rowid > 0) { if ($rowid > 0) {
$sql = "UPDATE ".MAIN_DB_PREFIX."product_price_by_qty SET"; $sql = "UPDATE ".MAIN_DB_PREFIX."product_price_by_qty SET";
$sql .= " price='".$price."',"; $sql .= " price='".$db->escape($price)."',";
$sql .= " unitprice=".$unitPrice.","; $sql .= " unitprice=".$unitPrice.",";
$sql .= " quantity=".$quantity.","; $sql .= " quantity=".$quantity.",";
$sql .= " remise_percent=".$remise_percent.","; $sql .= " remise_percent=".$remise_percent.",";
@ -525,9 +525,9 @@ if (empty($reshook))
// Get record from code // Get record from code
$sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
$sql .= " AND t.taux = ".$tva_tx." AND t.active = 1"; $sql .= " AND t.taux = ".$tva_tx." AND t.active = 1";
$sql .= " AND t.code ='".$vatratecode."'"; $sql .= " AND t.code ='".$db->escape($vatratecode)."'";
$resql = $db->query($sql); $resql = $db->query($sql);
if ($resql) if ($resql)
{ {
@ -625,9 +625,9 @@ if (empty($reshook))
// Get record from code // Get record from code
$sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
$sql .= " AND t.taux = ".$tva_tx." AND t.active = 1"; $sql .= " AND t.taux = ".$tva_tx." AND t.active = 1";
$sql .= " AND t.code ='".$vatratecode."'"; $sql .= " AND t.code ='".$db->escape($vatratecode)."'";
$resql = $db->query($sql); $resql = $db->query($sql);
if ($resql) if ($resql)
{ {
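Review bot: `$tva_tx` is interpolated unquoted and uncast in the `@ -296`, `@ -525` and `@ -625` hunks (`$sql .= " AND t.taux = ".$tva_tx." AND t.active = 1";`) although the first two hunks of this same file already use `((float) $tva_tx)`; the three remaining lines should be brought in line, since an unquoted numeric position is exactly where escaping does not help. In the `@ -436` hunk, `price='".$db->escape($price)."'"` quotes a decimal column while the neighbouring `unitprice`, `quantity` and `remise_percent` are written unquoted; the Product class hunk in this commit carries a comment warning that quoting decimals causes rounded storage, so `price` would more consistently be written as a number too.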


@ -335,7 +335,7 @@ if ($resql)
$sql = "SELECT label"; $sql = "SELECT label";
$sql .= " FROM ".MAIN_DB_PREFIX."product_lang"; $sql .= " FROM ".MAIN_DB_PREFIX."product_lang";
$sql .= " WHERE fk_product=".$objp->rowid; $sql .= " WHERE fk_product=".$objp->rowid;
$sql .= " AND lang='".$langs->getDefaultLang()."'"; $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'";
$sql .= " LIMIT 1"; $sql .= " LIMIT 1";
$result = $db->query($sql); $result = $db->query($sql);


@ -432,7 +432,7 @@ if ($action == 'create')
if (!empty($user->rights->stock->mouvement->lire)) { if (!empty($user->rights->stock->mouvement->lire)) {
$sql = "SELECT max(m.datem) as datem"; $sql = "SELECT max(m.datem) as datem";
$sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m"; $sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m";
$sql .= " WHERE m.fk_entrepot = '".$object->id."'"; $sql .= " WHERE m.fk_entrepot = ".((int) $object->id);
$resqlbis = $db->query($sql); $resqlbis = $db->query($sql);
if ($resqlbis) { if ($resqlbis) {
$obj = $db->fetch_object($resqlbis); $obj = $db->fetch_object($resqlbis);
@ -555,7 +555,7 @@ if ($action == 'create')
$sql = "SELECT label"; $sql = "SELECT label";
$sql .= " FROM ".MAIN_DB_PREFIX."product_lang"; $sql .= " FROM ".MAIN_DB_PREFIX."product_lang";
$sql .= " WHERE fk_product=".$objp->rowid; $sql .= " WHERE fk_product=".$objp->rowid;
$sql .= " AND lang='".$langs->getDefaultLang()."'"; $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'";
$sql .= " LIMIT 1"; $sql .= " LIMIT 1";
$result = $db->query($sql); $result = $db->query($sql);


@ -418,7 +418,7 @@ class MouvementStock extends CommonObject
$sql .= " fk_entrepot, value, type_mouvement, fk_user_author, label, inventorycode, price, fk_origin, origintype, fk_projet"; $sql .= " fk_entrepot, value, type_mouvement, fk_user_author, label, inventorycode, price, fk_origin, origintype, fk_projet";
$sql .= ")"; $sql .= ")";
$sql .= " VALUES ('".$this->db->idate($now)."', ".$this->product_id.", "; $sql .= " VALUES ('".$this->db->idate($now)."', ".$this->product_id.", ";
$sql .= " ".($batch ? "'".$batch."'" : "null").", "; $sql .= " ".($batch ? "'".$this->db->escape($batch)."'" : "null").", ";
$sql .= " ".($eatby ? "'".$this->db->idate($eatby)."'" : "null").", "; $sql .= " ".($eatby ? "'".$this->db->idate($eatby)."'" : "null").", ";
$sql .= " ".($sellby ? "'".$this->db->idate($sellby)."'" : "null").", "; $sql .= " ".($sellby ? "'".$this->db->idate($sellby)."'" : "null").", ";
$sql .= " ".$this->entrepot_id.", ".$this->qty.", ".((int) $this->type).","; $sql .= " ".$this->entrepot_id.", ".$this->qty.", ".((int) $this->type).",";


@ -457,7 +457,7 @@ $sql .= " AND e.entity IN (".getEntity('stock').")";
if (empty($conf->global->STOCK_SUPPORTS_SERVICES)) $sql .= " AND p.fk_product_type = 0"; if (empty($conf->global->STOCK_SUPPORTS_SERVICES)) $sql .= " AND p.fk_product_type = 0";
if ($id > 0) $sql .= " AND e.rowid ='".$id."'"; if ($id > 0) $sql .= " AND e.rowid ='".$id."'";
$sql .= dolSqlDateFilter('m.datem', 0, $month, $year); $sql .= dolSqlDateFilter('m.datem', 0, $month, $year);
if ($idproduct > 0) $sql .= " AND p.rowid = '".$idproduct."'"; if ($idproduct > 0) $sql .= " AND p.rowid = ".((int) $idproduct);
if (!empty($search_ref)) $sql .= natural_search('m.rowid', $search_ref, 1); if (!empty($search_ref)) $sql .= natural_search('m.rowid', $search_ref, 1);
if (!empty($search_movement)) $sql .= natural_search('m.label', $search_movement); if (!empty($search_movement)) $sql .= natural_search('m.label', $search_movement);
if (!empty($search_inventorycode)) $sql .= natural_search('m.inventorycode', $search_inventorycode); if (!empty($search_inventorycode)) $sql .= natural_search('m.inventorycode', $search_inventorycode);
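Review bot: Two lines above the `$idproduct` fix, `if ($id > 0) $sql .= " AND e.rowid ='".$id."'";` still quotes `$id` without escaping or casting; it should follow the same form, `if ($id > 0) $sql .= " AND e.rowid = ".((int) $id);`. The `> 0` guard does not make a non-numeric string safe, because a leading-digit string passes the comparison while keeping its trailing characters. The identical line is present in the next file section (`@ -483,7 +483,7 @@`).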


@ -483,7 +483,7 @@ $sql .= " AND e.entity IN (".getEntity('stock').")";
if (empty($conf->global->STOCK_SUPPORTS_SERVICES)) $sql .= " AND p.fk_product_type = 0"; if (empty($conf->global->STOCK_SUPPORTS_SERVICES)) $sql .= " AND p.fk_product_type = 0";
if ($id > 0) $sql .= " AND e.rowid ='".$id."'"; if ($id > 0) $sql .= " AND e.rowid ='".$id."'";
$sql .= dolSqlDateFilter('m.datem', 0, $month, $year); $sql .= dolSqlDateFilter('m.datem', 0, $month, $year);
if ($idproduct > 0) $sql .= " AND p.rowid = '".$idproduct."'"; if ($idproduct > 0) $sql .= " AND p.rowid = ".((int) $idproduct);
if (!empty($search_ref)) $sql .= natural_search('m.rowid', $search_ref, 1); if (!empty($search_ref)) $sql .= natural_search('m.rowid', $search_ref, 1);
if (!empty($search_movement)) $sql .= natural_search('m.label', $search_movement); if (!empty($search_movement)) $sql .= natural_search('m.label', $search_movement);
if (!empty($search_inventorycode)) $sql .= natural_search('m.inventorycode', $search_inventorycode); if (!empty($search_inventorycode)) $sql .= natural_search('m.inventorycode', $search_inventorycode);
@ -624,7 +624,7 @@ if ($resql)
// Last movement // Last movement
$sql = "SELECT MAX(m.datem) as datem"; $sql = "SELECT MAX(m.datem) as datem";
$sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m"; $sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m";
$sql .= " WHERE m.fk_entrepot = '".$object->id."'"; $sql .= " WHERE m.fk_entrepot = ".((int) $object->id);
$resqlbis = $db->query($sql); $resqlbis = $db->query($sql);
if ($resqlbis) if ($resqlbis)
{ {


@ -710,7 +710,7 @@ if ($id > 0 || $ref)
{ {
$sql = "SELECT max(m.datem) as datem"; $sql = "SELECT max(m.datem) as datem";
$sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m"; $sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m";
$sql .= " WHERE m.fk_product = '".$object->id."'"; $sql .= " WHERE m.fk_product = ".((int) $object->id);
$resqlbis = $db->query($sql); $resqlbis = $db->query($sql);
if ($resqlbis) { if ($resqlbis) {
$obj = $db->fetch_object($resqlbis); $obj = $db->fetch_object($resqlbis);


@ -124,7 +124,7 @@ if ($date && $dateIsValid) { // Avoid heavy sql if mandatory date is not defined
$sql .= " WHERE w.entity IN (".getEntity('stock').")"; $sql .= " WHERE w.entity IN (".getEntity('stock').")";
$sql .= " AND w.rowid = ps.fk_entrepot"; $sql .= " AND w.rowid = ps.fk_entrepot";
if (! empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) { if (! empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) {
$sql .= " AND w.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")"; $sql .= " AND w.statut IN (".$db->sanitize($db->escape(implode(',', $warehouseStatus))).")";
} }
if ($productid > 0) { if ($productid > 0) {
$sql .= " AND ps.fk_product = ".$productid; $sql .= " AND ps.fk_product = ".$productid;
@ -175,7 +175,7 @@ if ($date && $dateIsValid) {
$sql .= " WHERE w.entity IN (".getEntity('stock').")"; $sql .= " WHERE w.entity IN (".getEntity('stock').")";
$sql .= " AND w.rowid = sm.fk_entrepot"; $sql .= " AND w.rowid = sm.fk_entrepot";
if (! empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) { if (! empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) {
$sql .= " AND w.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")"; $sql .= " AND w.statut IN (".$db->sanitize($db->escape(implode(',', $warehouseStatus))).")";
} }
if ($mode == 'future') { if ($mode == 'future') {
$sql .= " AND sm.datem <= '".$db->idate($dateendofday)."'"; $sql .= " AND sm.datem <= '".$db->idate($dateendofday)."'";
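Review bot: Replacing `$this->db` with `$db` here fixes a call on `$this` outside object context, but the context line `$sql .= " AND ps.fk_product = ".$productid;` in the first hunk still concatenates the identifier raw under only a `> 0` guard; `$sql .= " AND ps.fk_product = ".((int) $productid);` matches what the commit does for the other product ids. `$db->sanitize($db->escape(implode(',', $warehouseStatus)))` applies two filters to the same value; if `sanitize()` already restricts the list to digits and commas the inner `escape()` is redundant, but that depends on its implementation, which is not visible here. The `if ($date && $dateIsValid)` block starts before the hunk.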


@ -152,7 +152,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
$db=$this->savdb; $db=$this->savdb;
include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT.'/holiday', 'files', 1, '\.php', null, 'fullname'); $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT.'/product', 'files', 1, '\.php', null, 'fullname');
//$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname'); //$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname');
foreach ($filesarray as $key => $file) foreach ($filesarray as $key => $file)
@ -186,7 +186,9 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
'TraceableDB.php', 'TraceableDB.php',
'expeditionbatch.class.php', 'expeditionbatch.class.php',
'expensereport_ik.class.php', 'expensereport_ik.class.php',
'expensereport_rule.class.php' 'expensereport_rule.class.php',
'multicurrency.class.php',
'productbatch.class.php'
))) { ))) {
// Must must not found $db-> // Must must not found $db->
$ok=true; $ok=true;
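Review bot: Adding `'multicurrency.class.php'` to the exclusion list of files that may still reference `$db->` works around the very thing the MultiCurrency hunk in this commit left unfinished (`$resql = $db->query($sql);` after switching construction to `$this->db`); completing that migration would let the class stay under the check instead of being exempted. The scanned directory also changes from `/holiday` to `/product`, so the holiday module no longer gets this check; if the intent is to cover both, the two lists could be concatenated rather than swapped. The new entries `'multicurrency.class.php',` and `'productbatch.class.php'` end without a trailing comma, so the next addition will need to touch the previous line again.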