diff --git a/htdocs/bom/class/bom.class.php b/htdocs/bom/class/bom.class.php index dd861d5dc47..7ad86b59ae8 100644 --- a/htdocs/bom/class/bom.class.php +++ b/htdocs/bom/class/bom.class.php @@ -584,8 +584,8 @@ class BOM extends CommonObject if (preg_match('/^[\(]?PROV/i', $this->ref)) { // Now we rename also files into index - $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'bom/".$this->newref."'"; - $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'bom/".$this->ref."' and entity = ".$conf->entity; + $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'bom/".$this->db->escape($this->newref)."'"; + $sql.= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'bom/".$this->db->escape($this->ref)."' and entity = ".$conf->entity; $resql = $this->db->query($sql); if (! $resql) { $error++; $this->error = $this->db->lasterror(); } diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php index 50bcc1082b0..c1dde5e2aa4 100644 --- a/htdocs/comm/propal/class/propal.class.php +++ b/htdocs/comm/propal/class/propal.class.php @@ -1819,8 +1819,8 @@ class Propal extends CommonObject if (preg_match('/^[\(]?PROV/i', $this->ref)) { // Now we rename also files into index - $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'propale/".$this->newref."'"; - $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'propale/".$this->ref."' and entity = ".$conf->entity; + $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'propale/".$this->db->escape($this->newref)."'"; + $sql.= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'propale/".$this->db->escape($this->ref)."' and entity = ".$conf->entity; $resql = $this->db->query($sql); if (! $resql) { $error++; $this->error = $this->db->lasterror(); } diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php index 97919554cdd..b1e2262f109 100644 --- a/htdocs/commande/class/commande.class.php +++ b/htdocs/commande/class/commande.class.php @@ -425,8 +425,8 @@ class Commande extends CommonOrder if (preg_match('/^[\(]?PROV/i', $this->ref)) { // Now we rename also files into index - $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'commande/".$this->newref."'"; - $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'commande/".$this->ref."' and entity = ".$conf->entity; + $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'commande/".$this->db->escape($this->newref)."'"; + $sql.= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'commande/".$this->db->escape($this->ref)."' and entity = ".$conf->entity; $resql = $this->db->query($sql); if (! $resql) { $error++; $this->error = $this->db->lasterror(); } diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php index ae99dc0bd13..e5b8c0795ed 100644 --- a/htdocs/compta/facture/class/facture.class.php +++ b/htdocs/compta/facture/class/facture.class.php @@ -2430,8 +2430,8 @@ class Facture extends CommonInvoice if (preg_match('/^[\(]?PROV/i', $this->ref)) { // Now we rename also files into index - $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'facture/".$this->newref."'"; - $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'facture/".$this->ref."' and entity = ".$conf->entity; + $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'facture/".$this->db->escape($this->newref)."'"; + $sql.= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'facture/".$this->db->escape($this->ref)."' and entity = ".$conf->entity; $resql = $this->db->query($sql); if (! $resql) { $error++; $this->error = $this->db->lasterror(); } diff --git a/htdocs/contrat/class/contrat.class.php b/htdocs/contrat/class/contrat.class.php index ddc5b4247e4..0fb460466ef 100644 --- a/htdocs/contrat/class/contrat.class.php +++ b/htdocs/contrat/class/contrat.class.php @@ -487,8 +487,8 @@ class Contrat extends CommonObject if (preg_match('/^[\(]?PROV/i', $this->ref)) { // Now we rename also files into index - $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'contract/".$this->newref."'"; - $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'contract/".$this->ref."' and entity = ".$conf->entity; + $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'contract/".$this->db->escape($this->newref)."'"; + $sql.= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'contract/".$this->db->escape($this->ref)."' and entity = ".$conf->entity; $resql = $this->db->query($sql); if (! $resql) { $error++; $this->error = $this->db->lasterror(); } diff --git a/htdocs/core/modules/societe/modules_societe.class.php b/htdocs/core/modules/societe/modules_societe.class.php index d185b4cfcf7..4a873847d8a 100644 --- a/htdocs/core/modules/societe/modules_societe.class.php +++ b/htdocs/core/modules/societe/modules_societe.class.php @@ -393,7 +393,7 @@ abstract class ModeleAccountancyCode * @param int $hidedesc Hide description * @param int $hideref Hide ref * @return int <0 if KO, >0 if OK - * @deprecated Use the new function generateDocument of Facture class + * @deprecated Use the new function generateDocument of Objects class * @see Societe::generateDocument() */ function thirdparty_doc_create(DoliDB $db, Societe $object, $message, $modele, $outputlangs, $hidedetails = 0, $hidedesc = 0, $hideref = 0) diff --git a/htdocs/expedition/class/expedition.class.php b/htdocs/expedition/class/expedition.class.php index 5dc003f9de3..97c67fd7701 100644 --- a/htdocs/expedition/class/expedition.class.php +++ b/htdocs/expedition/class/expedition.class.php @@ -814,8 +814,8 @@ class Expedition extends CommonObject if (preg_match('/^[\(]?PROV/i', $this->ref)) { // Now we rename also files into index - $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'expedition/sending/".$this->newref."'"; - $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'expedition/sending/".$this->ref."' and entity = ".$conf->entity; + $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'expedition/sending/".$this->db->escape($this->newref)."'"; + $sql.= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'expedition/sending/".$this->db->escape($this->ref)."' and entity = ".$conf->entity; $resql = $this->db->query($sql); if (! $resql) { $error++; $this->error = $this->db->lasterror(); } diff --git a/htdocs/expensereport/class/expensereport.class.php b/htdocs/expensereport/class/expensereport.class.php index b52729e4777..34f60120925 100644 --- a/htdocs/expensereport/class/expensereport.class.php +++ b/htdocs/expensereport/class/expensereport.class.php @@ -1152,8 +1152,8 @@ class ExpenseReport extends CommonObject require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; // Now we rename also files into index - $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'expensereport/".$this->newref."'"; - $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'expensereport/".$this->ref."' and entity = ".$conf->entity; + $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'expensereport/".$this->db->escape($this->newref)."'"; + $sql.= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'expensereport/".$this->db->escape($this->ref)."' and entity = ".$conf->entity; $resql = $this->db->query($sql); if (! $resql) { $error++; $this->error = $this->db->lasterror(); } diff --git a/htdocs/fichinter/class/fichinter.class.php b/htdocs/fichinter/class/fichinter.class.php index f8fc4bcff5f..6ff7fac5d08 100644 --- a/htdocs/fichinter/class/fichinter.class.php +++ b/htdocs/fichinter/class/fichinter.class.php @@ -577,8 +577,8 @@ class Fichinter extends CommonObject require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; // Now we rename also files into index - $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'ficheinter/".$this->newref."'"; - $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'ficheinter/".$this->ref."' and entity = ".$conf->entity; + $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'ficheinter/".$this->db->escape($this->newref)."'"; + $sql.= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'ficheinter/".$this->db->escape($this->ref)."' and entity = ".$conf->entity; $resql = $this->db->query($sql); if (! $resql) { $error++; $this->error = $this->db->lasterror(); } diff --git a/htdocs/fourn/class/fournisseur.commande.class.php b/htdocs/fourn/class/fournisseur.commande.class.php index fd266d17664..9d5bfce0189 100644 --- a/htdocs/fourn/class/fournisseur.commande.class.php +++ b/htdocs/fourn/class/fournisseur.commande.class.php @@ -552,8 +552,8 @@ class CommandeFournisseur extends CommonOrder if (preg_match('/^[\(]?PROV/i', $this->ref)) { // Now we rename also files into index - $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'fournisseur/commande/".$this->newref."'"; - $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'fournisseur/commande/".$this->ref."' and entity = ".$conf->entity; + $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'fournisseur/commande/".$this->db->escape($this->newref)."'"; + $sql.= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'fournisseur/commande/".$this->db->escape($this->ref)."' and entity = ".$conf->entity; $resql = $this->db->query($sql); if (! $resql) { $error++; $this->error = $this->db->lasterror(); } diff --git a/htdocs/fourn/class/fournisseur.facture.class.php b/htdocs/fourn/class/fournisseur.facture.class.php index 06e7e57f840..41ac2f126a7 100644 --- a/htdocs/fourn/class/fournisseur.facture.class.php +++ b/htdocs/fourn/class/fournisseur.facture.class.php @@ -1418,8 +1418,8 @@ class FactureFournisseur extends CommonInvoice if (preg_match('/^[\(]?PROV/i', $this->ref)) { // Now we rename also files into index - $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'fournisseur/facture/".get_exdir($this->id, 2, 0, 0, $this, 'invoice_supplier').$this->newref."'"; - $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'fournisseur/facture/".get_exdir($this->id, 2, 0, 0, $this, 'invoice_supplier').$this->ref."' and entity = ".$conf->entity; + $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'fournisseur/facture/".get_exdir($this->id, 2, 0, 0, $this, 'invoice_supplier').$this->db->escape($this->newref)."'"; + $sql.= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'fournisseur/facture/".get_exdir($this->id, 2, 0, 0, $this, 'invoice_supplier').$this->db->escape($this->ref)."' and entity = ".$conf->entity; $resql = $this->db->query($sql); if (! $resql) { $error++; $this->error = $this->db->lasterror(); } diff --git a/htdocs/livraison/class/livraison.class.php b/htdocs/livraison/class/livraison.class.php index 27ef77f2d1f..093a1c3ab1e 100644 --- a/htdocs/livraison/class/livraison.class.php +++ b/htdocs/livraison/class/livraison.class.php @@ -440,8 +440,8 @@ class Livraison extends CommonObject if (preg_match('/^[\(]?PROV/i', $this->ref)) { // Now we rename also files into index - $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'expedition/receipt/".$this->newref."'"; - $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'expedition/receipt/".$this->ref."' and entity = ".$conf->entity; + $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'expedition/receipt/".$this->db->escape($this->newref)."'"; + $sql.= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'expedition/receipt/".$this->db->escape($this->ref)."' and entity = ".$conf->entity; $resql = $this->db->query($sql); if (! $resql) { $error++; $this->error = $this->db->lasterror(); } diff --git a/htdocs/reception/class/reception.class.php b/htdocs/reception/class/reception.class.php index cd2b37adbb9..c939ea44abf 100644 --- a/htdocs/reception/class/reception.class.php +++ b/htdocs/reception/class/reception.class.php @@ -644,8 +644,8 @@ class Reception extends CommonObject if (preg_match('/^[\(]?PROV/i', $this->ref)) { // Now we rename also files into index - $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'reception/".$this->newref."'"; - $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'reception/".$this->ref."' and entity = ".$conf->entity; + $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'reception/".$this->db->escape($this->newref)."'"; + $sql.= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'reception/".$this->db->escape($this->ref)."' and entity = ".$conf->entity; $resql = $this->db->query($sql); if (! $resql) { $error++; $this->error = $this->db->lasterror(); } diff --git a/htdocs/supplier_proposal/class/supplier_proposal.class.php b/htdocs/supplier_proposal/class/supplier_proposal.class.php index d458ff0f06b..f3e0315c75f 100644 --- a/htdocs/supplier_proposal/class/supplier_proposal.class.php +++ b/htdocs/supplier_proposal/class/supplier_proposal.class.php @@ -1495,8 +1495,8 @@ class SupplierProposal extends CommonObject if (preg_match('/^[\(]?PROV/i', $this->ref)) { // Now we rename also files into index - $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'supplier_proposal/".$this->newref."'"; - $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'supplier_proposal/".$this->ref."' and entity = ".$conf->entity; + $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'supplier_proposal/".$this->db->escape($this->newref)."'"; + $sql.= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'supplier_proposal/".$this->db->escape($this->ref)."' and entity = ".$conf->entity; $resql = $this->db->query($sql); if (! $resql) { $error++; $this->error = $this->db->lasterror(); }