Fix #ygosha5698
This commit is contained in:
parent
1c6585f06b
commit
15440917b1
@ -743,7 +743,7 @@ class AccountancyCategory // extends CommonObject
|
||||
}
|
||||
$listofaccount .= "'".$cptcursor."'";
|
||||
}
|
||||
$sql .= " AND t.numero_compte IN (".$listofaccount.")";
|
||||
$sql .= " AND t.numero_compte IN (".$this->db->sanitize($listofaccount).")";
|
||||
} else {
|
||||
$sql .= " AND t.numero_compte = '".$this->db->escape($cpt)."'";
|
||||
}
|
||||
|
||||
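Review bot: `$listofaccount` is assembled as a single-quoted list (`"'".$cptcursor."'"`) and then passed through `$this->db->sanitize()`; if sanitize() filters to the id-list alphabet its other uses in this commit suggest, the quotes are dropped, the account numbers are emitted bare, and any non-numeric `numero_compte` value breaks the query. The same applies to the `','`-joined lists in the two AdvanceTargetingMailing hunks (fk_prospectlevel and default_lang) and, if `$country_code_in_EEC` is a quoted list as the `co.code` comparison suggests, to the three `special_eec`/`special_eecnotme`/`special_noteec` hunks. Escape each element before quoting instead, e.g. `$listofaccount .= "'".$this->db->escape($cptcursor)."'";` here, and keep the joined result out of sanitize(), or pass sanitize()'s allow-single-quote option if this DoliDB version provides it. The enclosing method starts and ends outside the hunk.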
@ -126,7 +126,7 @@ class Lettering extends BookKeeping
|
||||
if (count($ids_fact)) {
|
||||
$sql = 'SELECT bk.rowid, facf.ref, facf.ref_supplier ';
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn facf ";
|
||||
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON( bk.fk_doc = facf.rowid AND facf.rowid IN (".implode(',', $ids_fact)."))";
|
||||
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON( bk.fk_doc = facf.rowid AND facf.rowid IN (".$this->db->sanitize(implode(',', $ids_fact))."))";
|
||||
$sql .= " WHERE bk.code_journal IN (SELECT code FROM ".MAIN_DB_PREFIX."accounting_journal WHERE nature=3 AND entity=".$conf->entity.") ";
|
||||
$sql .= " AND facf.entity = ".$conf->entity;
|
||||
$sql .= " AND ( ";
|
||||
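Review bot: `nature=3 AND entity=".$conf->entity` and `facf.entity = ".$conf->entity` still concatenate `$conf->entity` without a cast, while the commit casts its other unquoted numeric operands with `(int)`; `entity=".((int) $conf->entity)` keeps the style uniform and makes the intent checkable at a glance. The second Lettering hunk (`nature=2 AND entity=`) has the same line. The enclosing method continues outside the hunk.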
@ -185,7 +185,7 @@ class Lettering extends BookKeeping
|
||||
if (count($ids_fact)) {
|
||||
$sql = 'SELECT bk.rowid, fac.ref, fac.ref_supplier ';
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."facture fac ";
|
||||
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON( bk.fk_doc = fac.rowid AND fac.rowid IN (".implode(',', $ids_fact)."))";
|
||||
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON( bk.fk_doc = fac.rowid AND fac.rowid IN (".$this->db->sanitize(implode(',', $ids_fact))."))";
|
||||
$sql .= " WHERE code_journal IN (SELECT code FROM ".MAIN_DB_PREFIX."accounting_journal WHERE nature=2 AND entity=".$conf->entity.") ";
|
||||
$sql .= " AND fac.entity IN (".getEntity('invoice', 0).")"; // We don't share object for accountancy
|
||||
$sql .= " AND ( ";
|
||||
@ -255,7 +255,7 @@ class Lettering extends BookKeeping
|
||||
}
|
||||
|
||||
$sql = "SELECT SUM(ABS(debit)) as deb, SUM(ABS(credit)) as cred FROM ".MAIN_DB_PREFIX."accounting_bookkeeping WHERE ";
|
||||
$sql .= " rowid IN (".implode(',', $ids).") AND date_validated IS NULL";
|
||||
$sql .= " rowid IN (".$this->db->sanitize(implode(',', $ids)).") AND date_validated IS NULL";
|
||||
$result = $this->db->query($sql);
|
||||
if ($result) {
|
||||
$obj = $this->db->fetch_object($result);
|
||||
@ -276,7 +276,7 @@ class Lettering extends BookKeeping
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."accounting_bookkeeping SET";
|
||||
$sql .= " lettering_code='".$this->db->escape($lettre)."'";
|
||||
$sql .= " , date_lettering = '".$this->db->idate($now)."'"; // todo correct date it's false
|
||||
$sql .= " WHERE rowid IN (".implode(',', $ids).") AND date_validated IS NULL ";
|
||||
$sql .= " WHERE rowid IN (".$this->db->sanitize(implode(',', $ids)).") AND date_validated IS NULL ";
|
||||
$this->db->begin();
|
||||
|
||||
dol_syslog(get_class($this)."::update sql=".$sql, LOG_DEBUG);
|
||||
|
||||
@ -246,11 +246,11 @@ if (strlen(trim($search_country))) {
|
||||
if ($search_country == 'special_allnotme') {
|
||||
$sql .= " AND co.code <> '".$db->escape($mysoc->country_code)."'";
|
||||
} elseif ($search_country == 'special_eec') {
|
||||
$sql .= " AND co.code IN (".$country_code_in_EEC.")";
|
||||
$sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC).")";
|
||||
} elseif ($search_country == 'special_eecnotme') {
|
||||
$sql .= " AND co.code IN (".$country_code_in_EEC_without_me.")";
|
||||
$sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC_without_me).")";
|
||||
} elseif ($search_country == 'special_noteec') {
|
||||
$sql .= " AND co.code NOT IN (".$country_code_in_EEC.")";
|
||||
$sql .= " AND co.code NOT IN (".$db->sanitize($country_code_in_EEC).")";
|
||||
} else {
|
||||
$sql .= natural_search("co.code", $search_country);
|
||||
}
|
||||
|
||||
@ -238,11 +238,11 @@ if (strlen(trim($search_country))) {
|
||||
if ($search_country == 'special_allnotme') {
|
||||
$sql .= " AND co.code <> '".$db->escape($mysoc->country_code)."'";
|
||||
} elseif ($search_country == 'special_eec') {
|
||||
$sql .= " AND co.code IN (".$country_code_in_EEC.")";
|
||||
$sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC).")";
|
||||
} elseif ($search_country == 'special_eecnotme') {
|
||||
$sql .= " AND co.code IN (".$country_code_in_EEC_without_me.")";
|
||||
$sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC_without_me).")";
|
||||
} elseif ($search_country == 'special_noteec') {
|
||||
$sql .= " AND co.code NOT IN (".$country_code_in_EEC.")";
|
||||
$sql .= " AND co.code NOT IN (".$db->sanitize($country_code_in_EEC).")";
|
||||
} else {
|
||||
$sql .= natural_search("co.code", $search_country);
|
||||
}
|
||||
|
||||
@ -288,11 +288,11 @@ if (strlen(trim($search_country))) {
|
||||
if ($search_country == 'special_allnotme') {
|
||||
$sql .= " AND co.code <> '".$db->escape($mysoc->country_code)."'";
|
||||
} elseif ($search_country == 'special_eec') {
|
||||
$sql .= " AND co.code IN (".$country_code_in_EEC.")";
|
||||
$sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC).")";
|
||||
} elseif ($search_country == 'special_eecnotme') {
|
||||
$sql .= " AND co.code IN (".$country_code_in_EEC_without_me.")";
|
||||
$sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC_without_me).")";
|
||||
} elseif ($search_country == 'special_noteec') {
|
||||
$sql .= " AND co.code NOT IN (".$country_code_in_EEC.")";
|
||||
$sql .= " AND co.code NOT IN (".$db->sanitize($country_code_in_EEC).")";
|
||||
} else {
|
||||
$sql .= natural_search("co.code", $search_country);
|
||||
}
|
||||
|
||||
@ -379,7 +379,7 @@ if ($search_phone_mobile) {
|
||||
$sql .= natural_search("d.phone_mobile", $search_phone_mobile);
|
||||
}
|
||||
if ($search_country) {
|
||||
$sql .= " AND d.country IN (".$search_country.')';
|
||||
$sql .= " AND d.country IN (".$db->sanitize($search_country).')';
|
||||
}
|
||||
|
||||
// Add where from extra fields
|
||||
|
||||
@ -237,7 +237,7 @@ $sql .= ", note";
|
||||
$sql .= ", tms";
|
||||
$sql .= ", entity";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."const";
|
||||
$sql .= " WHERE entity IN (".$user->entity.",".$conf->entity.")";
|
||||
$sql .= " WHERE entity IN (".$db->sanitize($user->entity.",".$conf->entity).")";
|
||||
if ((empty($user->entity) || $user->admin) && $debug) {
|
||||
} elseif (!GETPOST('visible') || GETPOST('visible') != 'all') {
|
||||
// to force for superadmin to debug
|
||||
|
||||
@ -223,7 +223,7 @@ if (empty($conf->multicompany->enabled)) {
|
||||
} else {
|
||||
// If multicompany mode, superadmin (user->entity=0) can see everything, admin are limited to their entities.
|
||||
if ($user->entity) {
|
||||
$sql .= " WHERE entity IN (".$user->entity.",".$conf->entity.")";
|
||||
$sql .= " WHERE entity IN (".$db->sanitize($user->entity.",".$conf->entity).")";
|
||||
}
|
||||
}
|
||||
$sql .= " ORDER BY entity, name ASC";
|
||||
|
||||
@ -484,7 +484,7 @@ if (empty($conf->multicompany->enabled)) {
|
||||
} else {
|
||||
// If multicompany mode, superadmin (user->entity=0) can see everything, admin are limited to their entities.
|
||||
if ($user->entity) {
|
||||
$sql .= " WHERE entity IN (".$user->entity.",".$conf->entity.")";
|
||||
$sql .= " WHERE entity IN (".$db->sanitize($user->entity.",".$conf->entity).")";
|
||||
}
|
||||
}
|
||||
$sql .= " ORDER BY entity, name ASC";
|
||||
|
||||
@ -147,14 +147,14 @@ class AgendaEvents extends DolibarrApi
|
||||
}
|
||||
}
|
||||
if ($user_ids) {
|
||||
$sql .= " AND t.fk_user_action IN (".$user_ids.")";
|
||||
$sql .= " AND t.fk_user_action IN (".$this->db->sanitize($user_ids).")";
|
||||
}
|
||||
if ($socid > 0) {
|
||||
$sql .= " AND t.fk_soc = ".$socid;
|
||||
$sql .= " AND t.fk_soc = ".((int) $socid);
|
||||
}
|
||||
// Insert sale filter
|
||||
if ($search_sale > 0) {
|
||||
$sql .= " AND sc.fk_user = ".$search_sale;
|
||||
$sql .= " AND sc.fk_user = ".((int) $search_sale);
|
||||
}
|
||||
// Add sql filters
|
||||
if ($sqlfilters) {
|
||||
|
||||
@ -559,34 +559,34 @@ class AdvanceTargetingMailing extends CommonObject
|
||||
$sqlwhere[] = " (t.parent IN (SELECT rowid FROM ".MAIN_DB_PREFIX."societe WHERE (".$str.")))";
|
||||
}
|
||||
if (!empty($arrayquery['cust_status']) && count($arrayquery['cust_status']) > 0) {
|
||||
$sqlwhere[] = " (t.status IN (".implode(',', $arrayquery['cust_status'])."))";
|
||||
$sqlwhere[] = " (t.status IN (".$this->db->sanitize(implode(',', $arrayquery['cust_status']))."))";
|
||||
}
|
||||
if (!empty($arrayquery['cust_typecust']) && count($arrayquery['cust_typecust']) > 0) {
|
||||
$sqlwhere[] = " (t.client IN (".implode(',', $arrayquery['cust_typecust'])."))";
|
||||
$sqlwhere[] = " (t.client IN (".$this->db->sanitize(implode(',', $arrayquery['cust_typecust']))."))";
|
||||
}
|
||||
if (!empty($arrayquery['cust_comm_status']) && count($arrayquery['cust_comm_status'] > 0)) {
|
||||
$sqlwhere[] = " (t.fk_stcomm IN (".implode(',', $arrayquery['cust_comm_status'])."))";
|
||||
$sqlwhere[] = " (t.fk_stcomm IN (".$this->db->sanitize(implode(',', $arrayquery['cust_comm_status']))."))";
|
||||
}
|
||||
if (!empty($arrayquery['cust_prospect_status']) && count($arrayquery['cust_prospect_status']) > 0) {
|
||||
$sqlwhere[] = " (t.fk_prospectlevel IN ('".implode("','", $arrayquery['cust_prospect_status'])."'))";
|
||||
$sqlwhere[] = " (t.fk_prospectlevel IN ('".$this->db->sanitize(implode("','", $arrayquery['cust_prospect_status']))."'))";
|
||||
}
|
||||
if (!empty($arrayquery['cust_typeent']) && count($arrayquery['cust_typeent']) > 0) {
|
||||
$sqlwhere[] = " (t.fk_typent IN (".implode(',', $arrayquery['cust_typeent'])."))";
|
||||
$sqlwhere[] = " (t.fk_typent IN (".$this->db->sanitize(implode(',', $arrayquery['cust_typeent']))."))";
|
||||
}
|
||||
if (!empty($arrayquery['cust_saleman']) && count($arrayquery['cust_saleman']) > 0) {
|
||||
$sqlwhere[] = " (saleman.fk_user IN (".implode(',', $arrayquery['cust_saleman'])."))";
|
||||
$sqlwhere[] = " (saleman.fk_user IN (".$this->db->sanitize(implode(',', $arrayquery['cust_saleman']))."))";
|
||||
}
|
||||
if (!empty($arrayquery['cust_country']) && count($arrayquery['cust_country']) > 0) {
|
||||
$sqlwhere[] = " (t.fk_pays IN (".implode(',', $arrayquery['cust_country'])."))";
|
||||
$sqlwhere[] = " (t.fk_pays IN (".$this->db->sanitize(implode(',', $arrayquery['cust_country']))."))";
|
||||
}
|
||||
if (!empty($arrayquery['cust_effectif_id']) && count($arrayquery['cust_effectif_id']) > 0) {
|
||||
$sqlwhere[] = " (t.fk_effectif IN (".implode(',', $arrayquery['cust_effectif_id'])."))";
|
||||
$sqlwhere[] = " (t.fk_effectif IN (".$this->db->sanitize(implode(',', $arrayquery['cust_effectif_id']))."))";
|
||||
}
|
||||
if (!empty($arrayquery['cust_categ']) && count($arrayquery['cust_categ']) > 0) {
|
||||
$sqlwhere[] = " (custcateg.fk_categorie IN (".implode(',', $arrayquery['cust_categ'])."))";
|
||||
$sqlwhere[] = " (custcateg.fk_categorie IN (".$this->db->sanitize(implode(',', $arrayquery['cust_categ']))."))";
|
||||
}
|
||||
if (!empty($arrayquery['cust_language']) && count($arrayquery['cust_language']) > 0) {
|
||||
$sqlwhere[] = " (t.default_lang IN ('".implode("','", $arrayquery['cust_language'])."'))";
|
||||
$sqlwhere[] = " (t.default_lang IN ('".$this->db->sanitize(implode("','", $arrayquery['cust_language']))."'))";
|
||||
}
|
||||
|
||||
//Standard Extrafield feature
|
||||
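Review bot: `count($arrayquery['cust_comm_status'] > 0)` on the cust_comm_status condition puts the `> 0` inside the count() call, so count() receives a boolean rather than the array — a warning and a constant 1 on PHP 7, a TypeError on PHP 8 — and the guard never tests the list length; it should read `if (!empty($arrayquery['cust_comm_status']) && count($arrayquery['cust_comm_status']) > 0) {` like its siblings. The same misplaced parenthesis is in the second AdvanceTargetingMailing hunk (the `ts.` variant). The enclosing method starts and ends outside the hunk.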
@ -797,34 +797,34 @@ class AdvanceTargetingMailing extends CommonObject
|
||||
$sqlwhere[] = " (ts.parent IN (SELECT rowid FROM ".MAIN_DB_PREFIX."societe WHERE (".$str.")))";
|
||||
}
|
||||
if (!empty($arrayquery['cust_status']) && count($arrayquery['cust_status']) > 0) {
|
||||
$sqlwhere[] = " (ts.status IN (".implode(',', $arrayquery['cust_status'])."))";
|
||||
$sqlwhere[] = " (ts.status IN (".$this->db->sanitize(implode(',', $arrayquery['cust_status']))."))";
|
||||
}
|
||||
if (!empty($arrayquery['cust_typecust']) && count($arrayquery['cust_typecust']) > 0) {
|
||||
$sqlwhere[] = " (ts.client IN (".implode(',', $arrayquery['cust_typecust'])."))";
|
||||
$sqlwhere[] = " (ts.client IN (".$this->db->sanitize(implode(',', $arrayquery['cust_typecust']))."))";
|
||||
}
|
||||
if (!empty($arrayquery['cust_comm_status']) && count($arrayquery['cust_comm_status'] > 0)) {
|
||||
$sqlwhere[] = " (ts.fk_stcomm IN (".implode(',', $arrayquery['cust_comm_status'])."))";
|
||||
$sqlwhere[] = " (ts.fk_stcomm IN (".$this->db->sanitize(implode(',', $arrayquery['cust_comm_status']))."))";
|
||||
}
|
||||
if (!empty($arrayquery['cust_prospect_status']) && count($arrayquery['cust_prospect_status']) > 0) {
|
||||
$sqlwhere[] = " (ts.fk_prospectlevel IN ('".implode("','", $arrayquery['cust_prospect_status'])."'))";
|
||||
$sqlwhere[] = " (ts.fk_prospectlevel IN ('".$this->db->sanitize(implode("','", $arrayquery['cust_prospect_status']))."'))";
|
||||
}
|
||||
if (!empty($arrayquery['cust_typeent']) && count($arrayquery['cust_typeent']) > 0) {
|
||||
$sqlwhere[] = " (ts.fk_typent IN (".implode(',', $arrayquery['cust_typeent'])."))";
|
||||
$sqlwhere[] = " (ts.fk_typent IN (".$this->db->sanitize(implode(',', $arrayquery['cust_typeent']))."))";
|
||||
}
|
||||
if (!empty($arrayquery['cust_saleman']) && count($arrayquery['cust_saleman']) > 0) {
|
||||
$sqlwhere[] = " (saleman.fk_user IN (".implode(',', $arrayquery['cust_saleman'])."))";
|
||||
$sqlwhere[] = " (saleman.fk_user IN (".$this->db->sanitize(implode(',', $arrayquery['cust_saleman']))."))";
|
||||
}
|
||||
if (!empty($arrayquery['cust_country']) && count($arrayquery['cust_country']) > 0) {
|
||||
$sqlwhere[] = " (ts.fk_pays IN (".implode(',', $arrayquery['cust_country'])."))";
|
||||
$sqlwhere[] = " (ts.fk_pays IN (".$this->db->sanitize(implode(',', $arrayquery['cust_country']))."))";
|
||||
}
|
||||
if (!empty($arrayquery['cust_effectif_id']) && count($arrayquery['cust_effectif_id']) > 0) {
|
||||
$sqlwhere[] = " (ts.fk_effectif IN (".implode(',', $arrayquery['cust_effectif_id'])."))";
|
||||
$sqlwhere[] = " (ts.fk_effectif IN (".$this->db->sanitize(implode(',', $arrayquery['cust_effectif_id']))."))";
|
||||
}
|
||||
if (!empty($arrayquery['cust_categ']) && count($arrayquery['cust_categ']) > 0) {
|
||||
$sqlwhere[] = " (custcateg.fk_categorie IN (".implode(',', $arrayquery['cust_categ'])."))";
|
||||
$sqlwhere[] = " (custcateg.fk_categorie IN (".$this->db->sanitize(implode(',', $arrayquery['cust_categ']))."))";
|
||||
}
|
||||
if (!empty($arrayquery['cust_language']) && count($arrayquery['cust_language']) > 0) {
|
||||
$sqlwhere[] = " (ts.default_lang IN ('".implode("','", $arrayquery['cust_language'])."'))";
|
||||
$sqlwhere[] = " (ts.default_lang IN ('".$this->db->sanitize(implode("','", $arrayquery['cust_language']))."'))";
|
||||
}
|
||||
|
||||
//Standard Extrafield feature
|
||||
|
||||
@ -181,14 +181,14 @@ class Proposals extends DolibarrApi
|
||||
$sql .= " AND t.fk_soc = sc.fk_soc";
|
||||
}
|
||||
if ($socids) {
|
||||
$sql .= " AND t.fk_soc IN (".$socids.")";
|
||||
$sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")";
|
||||
}
|
||||
if ($search_sale > 0) {
|
||||
$sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
|
||||
}
|
||||
// Insert sale filter
|
||||
if ($search_sale > 0) {
|
||||
$sql .= " AND sc.fk_user = ".$search_sale;
|
||||
$sql .= " AND sc.fk_user = ".((int) $search_sale);
|
||||
}
|
||||
// Add sql filters
|
||||
if ($sqlfilters) {
|
||||
|
||||
@ -2821,7 +2821,7 @@ class Propal extends CommonObject
|
||||
if (count($linkedInvoices) > 0) {
|
||||
$sql = "SELECT rowid as facid, ref, total, datef as df, fk_user_author, fk_statut, paye";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."facture";
|
||||
$sql .= " WHERE rowid IN (".implode(',', $linkedInvoices).")";
|
||||
$sql .= " WHERE rowid IN (".$this->db->sanitize(implode(',', $linkedInvoices)).")";
|
||||
|
||||
dol_syslog(get_class($this)."::InvoiceArrayList", LOG_DEBUG);
|
||||
$resql = $this->db->query($sql);
|
||||
|
||||
@ -184,7 +184,7 @@ class Orders extends DolibarrApi
|
||||
$sql .= " AND t.fk_soc = sc.fk_soc";
|
||||
}
|
||||
if ($socids) {
|
||||
$sql .= " AND t.fk_soc IN (".$socids.")";
|
||||
$sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")";
|
||||
}
|
||||
if ($search_sale > 0) {
|
||||
$sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
|
||||
|
||||
@ -2300,8 +2300,8 @@ class Commande extends CommonOrder
|
||||
if (count($array_of_product)) {
|
||||
$sql = "SELECT fk_product, sum(ps.reel) as total";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."product_stock as ps";
|
||||
$sql .= " WHERE ps.fk_product IN (".join(',', $array_of_product).")";
|
||||
$sql .= ' GROUP BY fk_product ';
|
||||
$sql .= " WHERE ps.fk_product IN (".$this->db->sanitize(join(',', $array_of_product)).")";
|
||||
$sql .= ' GROUP BY fk_product';
|
||||
$resql = $this->db->query($sql);
|
||||
if ($resql) {
|
||||
$num = $this->db->num_rows($resql);
|
||||
|
||||
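Review bot: `join(',', $array_of_product)` on the sanitized WHERE line uses the `join` alias while every other hunk in this commit uses `implode`; `$sql .= " WHERE ps.fk_product IN (".$this->db->sanitize(implode(',', $array_of_product)).")";` keeps the call uniform and easier to grep for. The enclosing method continues outside the hunk.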
@ -267,7 +267,7 @@ if ($result < 0) {
|
||||
$sql .= " WHERE b.fk_account = ba.rowid";
|
||||
$sql .= " AND ba.entity IN (".getEntity('bank_account').")";
|
||||
if ($id && $_GET["option"] != 'all') {
|
||||
$sql .= " AND b.fk_account IN (".$id.")";
|
||||
$sql .= " AND b.fk_account IN (".$db->sanitize($id).")";
|
||||
}
|
||||
|
||||
$resql = $db->query($sql);
|
||||
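Review bot: `$_GET["option"] != 'all'` on the account-filter condition still reads the superglobal directly, whereas the commit replaces `$_GET` with `GETPOST()` in the security-check hunk below; `if ($id && GETPOST('option') != 'all') {` would be consistent and route the value through the same input handling. The same condition recurs in the two following hunks of this file and in every later `$account && $_GET["option"] != 'all'` hunk. The value only feeds a string comparison here, so this is about uniform input handling rather than an injection path.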
@ -299,7 +299,7 @@ if ($result < 0) {
|
||||
$sql .= " AND b.datev <= '".($year - $annee)."-12-31 23:59:59'";
|
||||
$sql .= " AND b.amount > 0";
|
||||
if ($id && $_GET["option"] != 'all') {
|
||||
$sql .= " AND b.fk_account IN (".$id.")";
|
||||
$sql .= " AND b.fk_account IN (".$db->sanitize($id).")";
|
||||
}
|
||||
$sql .= " GROUP BY date_format(b.datev,'%m');";
|
||||
|
||||
@ -381,7 +381,7 @@ if ($result < 0) {
|
||||
$sql .= " AND b.datev <= '".($year - $annee)."-12-31 23:59:59'";
|
||||
$sql .= " AND b.amount < 0";
|
||||
if ($id && $_GET["option"] != 'all') {
|
||||
$sql .= " AND b.fk_account IN (".$id.")";
|
||||
$sql .= " AND b.fk_account IN (".$db->sanitize($id).")";
|
||||
}
|
||||
$sql .= " GROUP BY date_format(b.datev,'%m');";
|
||||
|
||||
|
||||
@ -943,7 +943,7 @@ class Account extends CommonObject
|
||||
$sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'accounting_journal as aj ON aj.rowid=ba.fk_accountancy_journal';
|
||||
$sql .= " WHERE ba.entity IN (".getEntity($this->element).")";
|
||||
if ($id) {
|
||||
$sql .= " AND ba.rowid = ".$id;
|
||||
$sql .= " AND ba.rowid = ".((int) $id);
|
||||
}
|
||||
if ($ref) {
|
||||
$sql .= " AND ba.ref = '".$this->db->escape($ref)."'";
|
||||
|
||||
@ -35,10 +35,10 @@ $WIDTH = DolGraph::getDefaultGraphSizeForStats('width', 768);
|
||||
$HEIGHT = DolGraph::getDefaultGraphSizeForStats('height', 200);
|
||||
|
||||
// Security check
|
||||
if (isset($_GET["account"]) || isset($_GET["ref"])) {
|
||||
$id = isset($_GET["account"]) ? $_GET["account"] : (isset($_GET["ref"]) ? $_GET["ref"] : '');
|
||||
if (GETPOST('account') || GETPOST('ref')) {
|
||||
$id = GETPOST('account') ? GETPOST('account') : GETPOST('ref');
|
||||
}
|
||||
$fieldid = isset($_GET["ref"]) ? 'ref' : 'rowid';
|
||||
$fieldid = GETPOST('ref') ? 'ref' : 'rowid';
|
||||
if ($user->socid) {
|
||||
$socid = $user->socid;
|
||||
}
|
||||
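Review bot: `$id` and `$fieldid` are derived from different tests: when both `account` and `ref` are supplied, `$id` takes the account value but `$fieldid` becomes `'ref'`, so the pair that presumably feeds an access check below the hunk (not visible here) names the wrong column. Derive both from one condition, e.g. `$fieldid = GETPOST('account') ? 'rowid' : 'ref';`, so `$id` and `$fieldid` always agree. The mismatch predates the commit; the GETPOST() conversion preserves it unchanged.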
@ -66,19 +66,19 @@ $datetime = dol_now();
|
||||
$year = dol_print_date($datetime, "%Y");
|
||||
$month = dol_print_date($datetime, "%m");
|
||||
$day = dol_print_date($datetime, "%d");
|
||||
if (GETPOST("year")) {
|
||||
$year = sprintf("%04d", GETPOST("year"));
|
||||
if (GETPOST("year", 'int')) {
|
||||
$year = sprintf("%04d", GETPOST("year", 'int'));
|
||||
}
|
||||
if (GETPOST("month")) {
|
||||
$month = sprintf("%02d", GETPOST("month"));
|
||||
if (GETPOST("month", 'int')) {
|
||||
$month = sprintf("%02d", GETPOST("month", 'int'));
|
||||
}
|
||||
|
||||
|
||||
$object = new Account($db);
|
||||
if ($_GET["account"] && !preg_match('/,/', $_GET["account"])) { // if for a particular account and not a list
|
||||
$result = $object->fetch(GETPOST("account", "int"));
|
||||
if (GETPOST('account') && !preg_match('/,/', GETPOST('account'))) { // if for a particular account and not a list
|
||||
$result = $object->fetch(GETPOST('account', 'int'));
|
||||
}
|
||||
if ($_GET["ref"]) {
|
||||
if (GETPOST("ref")) {
|
||||
$result = $object->fetch(0, GETPOST("ref"));
|
||||
$account = $object->id;
|
||||
}
|
||||
@ -96,7 +96,7 @@ if ($result < 0) {
|
||||
$sql .= " WHERE b.fk_account = ba.rowid";
|
||||
$sql .= " AND ba.entity IN (".getEntity('bank_account').")";
|
||||
if ($account && $_GET["option"] != 'all') {
|
||||
$sql .= " AND b.fk_account IN (".$account.")";
|
||||
$sql .= " AND b.fk_account IN (".$db->sanitize($account).")";
|
||||
}
|
||||
|
||||
$resql = $db->query($sql);
|
||||
@ -138,7 +138,7 @@ if ($result < 0) {
|
||||
$sql .= " AND b.datev >= '".$db->escape($year)."-".$db->escape($month)."-01 00:00:00'";
|
||||
$sql .= " AND b.datev < '".$db->escape($yearnext)."-".$db->escape($monthnext)."-01 00:00:00'";
|
||||
if ($account && $_GET["option"] != 'all') {
|
||||
$sql .= " AND b.fk_account IN (".$account.")";
|
||||
$sql .= " AND b.fk_account IN (".$db->sanitize($account).")";
|
||||
}
|
||||
$sql .= " GROUP BY date_format(b.datev,'%Y%m%d')";
|
||||
|
||||
@ -280,7 +280,7 @@ if ($result < 0) {
|
||||
$sql .= " AND b.datev >= '".$db->escape($year)."-01-01 00:00:00'";
|
||||
$sql .= " AND b.datev <= '".$db->escape($year)."-12-31 23:59:59'";
|
||||
if ($account && $_GET["option"] != 'all') {
|
||||
$sql .= " AND b.fk_account IN (".$account.")";
|
||||
$sql .= " AND b.fk_account IN (".$db->sanitize($account).")";
|
||||
}
|
||||
$sql .= " GROUP BY date_format(b.datev,'%Y%m%d')";
|
||||
|
||||
@ -308,7 +308,7 @@ if ($result < 0) {
|
||||
$sql .= " AND ba.entity IN (".getEntity('bank_account').")";
|
||||
$sql .= " AND b.datev < '".$db->escape($year)."-01-01'";
|
||||
if ($account && $_GET["option"] != 'all') {
|
||||
$sql .= " AND b.fk_account IN (".$account.")";
|
||||
$sql .= " AND b.fk_account IN (".$db->sanitize($account).")";
|
||||
}
|
||||
|
||||
$resql = $db->query($sql);
|
||||
@ -416,7 +416,7 @@ if ($result < 0) {
|
||||
$sql .= " WHERE b.fk_account = ba.rowid";
|
||||
$sql .= " AND ba.entity IN (".getEntity('bank_account').")";
|
||||
if ($account && $_GET["option"] != 'all') {
|
||||
$sql .= " AND b.fk_account IN (".$account.")";
|
||||
$sql .= " AND b.fk_account IN (".$db->sanitize($account).")";
|
||||
}
|
||||
$sql .= " GROUP BY date_format(b.datev,'%Y%m%d')";
|
||||
|
||||
@ -541,7 +541,7 @@ if ($result < 0) {
|
||||
$sql .= " AND b.datev < '".$db->escape($yearnext)."-".$db->escape($monthnext)."-01 00:00:00'";
|
||||
$sql .= " AND b.amount > 0";
|
||||
if ($account && $_GET["option"] != 'all') {
|
||||
$sql .= " AND b.fk_account IN (".$account.")";
|
||||
$sql .= " AND b.fk_account IN (".$db->sanitize($account).")";
|
||||
}
|
||||
$sql .= " GROUP BY date_format(b.datev,'%d')";
|
||||
|
||||
@ -576,7 +576,7 @@ if ($result < 0) {
|
||||
$sql .= " AND b.datev < '".$db->escape($yearnext)."-".$db->escape($monthnext)."-01 00:00:00'";
|
||||
$sql .= " AND b.amount < 0";
|
||||
if ($account && $_GET["option"] != 'all') {
|
||||
$sql .= " AND b.fk_account IN (".$account.")";
|
||||
$sql .= " AND b.fk_account IN (".$db->sanitize($account).")";
|
||||
}
|
||||
$sql .= " GROUP BY date_format(b.datev,'%d')";
|
||||
|
||||
@ -650,7 +650,7 @@ if ($result < 0) {
|
||||
$sql .= " AND b.datev <= '".$db->escape($year)."-12-31 23:59:59'";
|
||||
$sql .= " AND b.amount > 0";
|
||||
if ($account && $_GET["option"] != 'all') {
|
||||
$sql .= " AND b.fk_account IN (".$account.")";
|
||||
$sql .= " AND b.fk_account IN (".$db->sanitize($account).")";
|
||||
}
|
||||
$sql .= " GROUP BY date_format(b.datev,'%m');";
|
||||
|
||||
@ -677,7 +677,7 @@ if ($result < 0) {
|
||||
$sql .= " AND b.datev <= '".$db->escape($year)."-12-31 23:59:59'";
|
||||
$sql .= " AND b.amount < 0";
|
||||
if ($account && $_GET["option"] != 'all') {
|
||||
$sql .= " AND b.fk_account IN (".$account.")";
|
||||
$sql .= " AND b.fk_account IN (".$db->sanitize($account).")";
|
||||
}
|
||||
$sql .= " GROUP BY date_format(b.datev,'%m')";
|
||||
|
||||
|
||||
@ -191,7 +191,7 @@ class Invoices extends DolibarrApi
|
||||
$sql .= " AND t.fk_soc = sc.fk_soc";
|
||||
}
|
||||
if ($socids) {
|
||||
$sql .= " AND t.fk_soc IN (".$socids.")";
|
||||
$sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")";
|
||||
}
|
||||
|
||||
if ($search_sale > 0) {
|
||||
|
||||
@ -4158,13 +4158,13 @@ class Facture extends CommonInvoice
|
||||
$sqlSit .= " AND fs.fk_statut in (".self::STATUS_VALIDATED.",".self::STATUS_CLOSED.")";
|
||||
$sqlSit .= " GROUP BY fs.situation_cycle_ref";
|
||||
$sqlSit .= " ORDER BY fs.situation_counter";
|
||||
$sql .= " AND ( f.type != ".self::TYPE_SITUATION." OR f.rowid IN (".$sqlSit.") )"; // Type non 5 si facture non avoir
|
||||
$sql .= " AND ( f.type != ".self::TYPE_SITUATION." OR f.rowid IN (".$this->db->sanitize($sqlSit).") )"; // Type non 5 si facture non avoir
|
||||
} else {
|
||||
$sql .= " AND f.type != ".self::TYPE_SITUATION; // Type non 5 si facture non avoir
|
||||
}
|
||||
|
||||
if ($socid > 0) {
|
||||
$sql .= " AND f.fk_soc = ".$socid;
|
||||
$sql .= " AND f.fk_soc = ".((int) $socid);
|
||||
}
|
||||
$sql .= " ORDER BY f.ref";
|
||||
|
||||
|
||||
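Review bot: `$this->db->sanitize($sqlSit)` is applied to a complete SELECT subquery (`$sqlSit` is extended with `GROUP BY fs.situation_cycle_ref` and `ORDER BY fs.situation_counter` just above), and if sanitize() strips characters outside the id-list alphabet as its other uses in this commit imply, the spaces, dots and keywords the subquery needs are removed and the `f.rowid IN (...)` clause becomes invalid SQL. The visible parts of `$sqlSit` are built from class constants and fixed text, so it should not be sanitized as a list; keep `f.rowid IN (".$sqlSit.")` and cast any dynamic value at the point where it is appended to `$sqlSit`. The start of `$sqlSit` and the enclosing method lie outside the hunk.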
@ -323,9 +323,9 @@ if ($modecompta == 'CREANCES-DETTES') {
|
||||
$sql .= " AND (p.rowid IN ";
|
||||
$sql .= " (SELECT fk_product FROM ".MAIN_DB_PREFIX."categorie_product cp WHERE ";
|
||||
if ($subcat) {
|
||||
$sql .= "cp.fk_categorie IN (".$listofcatsql.")";
|
||||
$sql .= "cp.fk_categorie IN (".$db->sanitize($listofcatsql).")";
|
||||
} else {
|
||||
$sql .= "cp.fk_categorie = ".$selected_cat;
|
||||
$sql .= "cp.fk_categorie = ".((int) $selected_cat);
|
||||
}
|
||||
$sql .= "))";
|
||||
}
|
||||
|
||||
@ -458,7 +458,7 @@ if ($search_societe) {
|
||||
$sql .= natural_search(empty($conf->global->SOCIETE_DISABLE_CONTACTS) ? 's.nom' : 'p.fk_soc', $search_societe);
|
||||
}
|
||||
if ($search_country) {
|
||||
$sql .= " AND p.fk_pays IN (".$search_country.')';
|
||||
$sql .= " AND p.fk_pays IN (".$db->sanitize($search_country).')';
|
||||
}
|
||||
if (strlen($search_poste)) {
|
||||
$sql .= natural_search('p.poste', $search_poste);
|
||||
@ -492,9 +492,8 @@ if (strlen($search_town)) {
|
||||
$sql .= natural_search("p.town", $search_town);
|
||||
}
|
||||
if (count($search_roles) > 0) {
|
||||
$sql .= " AND p.rowid IN (SELECT sc.fk_socpeople FROM ".MAIN_DB_PREFIX."societe_contacts as sc WHERE sc.fk_c_type_contact IN (".implode(',', $search_roles)."))";
|
||||
$sql .= " AND p.rowid IN (SELECT sc.fk_socpeople FROM ".MAIN_DB_PREFIX."societe_contacts as sc WHERE sc.fk_c_type_contact IN (".$db->sanitize(implode(',', $search_roles))."))";
|
||||
}
|
||||
|
||||
if ($search_no_email != '' && $search_no_email >= 0) {
|
||||
$sql .= " AND p.no_email = ".$db->escape($search_no_email);
|
||||
}
|
||||
|
||||
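Review bot: `p.no_email = ".$db->escape($search_no_email)` on the no_email condition passes an unquoted numeric operand through escape(), which only neutralises quote characters and gives no protection in an unquoted context; the commit's own pattern for this case is an integer cast, `$sql .= " AND p.no_email = ".((int) $search_no_email);`. The preceding `$search_no_email >= 0` test coerces the string for the comparison but does not restrict what is interpolated.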
@ -132,14 +132,14 @@ class Contracts extends DolibarrApi
|
||||
$sql .= " AND t.fk_soc = sc.fk_soc";
|
||||
}
|
||||
if ($socids) {
|
||||
$sql .= " AND t.fk_soc IN (".$socids.")";
|
||||
$sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")";
|
||||
}
|
||||
if ($search_sale > 0) {
|
||||
$sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
|
||||
}
|
||||
// Insert sale filter
|
||||
if ($search_sale > 0) {
|
||||
$sql .= " AND sc.fk_user = ".$search_sale;
|
||||
$sql .= " AND sc.fk_user = ".((int) $search_sale);
|
||||
}
|
||||
// Add sql filters
|
||||
if ($sqlfilters) {
|
||||
|
||||
@ -1172,7 +1172,7 @@ class Contrat extends CommonObject
|
||||
$this->db->free($resql);
|
||||
|
||||
$sql = "DELETE FROM ".MAIN_DB_PREFIX."contratdet_log ";
|
||||
$sql .= " WHERE ".MAIN_DB_PREFIX."contratdet_log.rowid IN (".implode(",", $tab_resql).")";
|
||||
$sql .= " WHERE ".MAIN_DB_PREFIX."contratdet_log.rowid IN (".$this->db->sanitize(implode(",", $tab_resql)).")";
|
||||
|
||||
dol_syslog(get_class($this)."::delete contratdet_log", LOG_DEBUG);
|
||||
$resql = $this->db->query($sql);
|
||||
|
||||
@ -103,7 +103,7 @@ class box_project extends ModeleBoxes
|
||||
$sql .= " WHERE p.entity IN (".getEntity('project').")"; // Only current entity or severals if permission ok
|
||||
$sql .= " AND p.fk_statut = 1"; // Only open projects
|
||||
if (!$user->rights->projet->all->lire) {
|
||||
$sql .= " AND p.rowid IN (".$projectsListId.")"; // public and assigned to, or restricted to company for external users
|
||||
$sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")"; // public and assigned to, or restricted to company for external users
|
||||
}
|
||||
|
||||
$sql .= " ORDER BY p.datec DESC";
|
||||
|
||||
@ -169,7 +169,7 @@ class box_task extends ModeleBoxes
|
||||
$sql .= " AND (pt.progress < 100 OR pt.progress IS NULL ) "; // 100% is done and not displayed
|
||||
$sql .= " AND p.usage_task = 1 ";
|
||||
if (!$user->rights->projet->all->lire) {
|
||||
$sql .= " AND p.rowid IN (".$projectsListId.")"; // public and assigned to, or restricted to company for external users
|
||||
$sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")"; // public and assigned to, or restricted to company for external users
|
||||
}
|
||||
|
||||
$sql .= " ORDER BY pt.datee ASC, pt.dateo ASC";
|
||||
|
||||
@ -1218,7 +1218,7 @@ abstract class CommonObject
|
||||
$sql = "DELETE FROM ".MAIN_DB_PREFIX."element_contact";
|
||||
$sql .= " WHERE element_id = ".$this->id;
|
||||
if ($listId) {
|
||||
$sql .= " AND fk_c_type_contact IN (".$listId.")";
|
||||
$sql .= " AND fk_c_type_contact IN (".$this->db->sanitize($listId).")";
|
||||
}
|
||||
|
||||
dol_syslog(get_class($this)."::delete_linked_contact", LOG_DEBUG);
|
||||
|
||||
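Review bot: `WHERE element_id = ".$this->id` on the DELETE statement still concatenates `$this->id` without the `(int)` cast the commit applies to the other unquoted numeric operands; `$sql .= " WHERE element_id = ".((int) $this->id);` closes that gap. The Form hunk that follows has the same pattern in `u.fk_soc = ".$user->socid`. The enclosing method continues outside the hunk.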
@ -1904,10 +1904,10 @@ class Form
|
||||
$sql .= " AND u.fk_soc = ".$user->socid;
|
||||
}
|
||||
if (is_array($exclude) && $excludeUsers) {
|
||||
$sql .= " AND u.rowid NOT IN (".$excludeUsers.")";
|
||||
$sql .= " AND u.rowid NOT IN (".$this->db->sanitize($excludeUsers).")";
|
||||
}
|
||||
if ($includeUsers) {
|
||||
$sql .= " AND u.rowid IN (".$includeUsers.")";
|
||||
$sql .= " AND u.rowid IN (".$this->db->sanitize($includeUsers).")";
|
||||
}
|
||||
if (!empty($conf->global->USER_HIDE_INACTIVE_IN_COMBOBOX) || $noactive) {
|
||||
$sql .= " AND u.statut <> 0";
|
||||
@ -5661,7 +5661,7 @@ class Form
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
|
||||
$sql .= " WHERE t.fk_pays = c.rowid";
|
||||
$sql .= " AND t.active > 0";
|
||||
$sql .= " AND c.code IN (".$country_code.")";
|
||||
$sql .= " AND c.code IN (".$this->db->sanitize($country_code).")";
|
||||
$sql .= " ORDER BY t.code ASC, t.taux ASC, t.recuperableonly ASC";
|
||||
|
||||
$resql = $this->db->query($sql);
|
||||
@ -7642,17 +7642,17 @@ class Form
}
$possiblelinks = array(
'propal'=>array('enabled'=>$conf->propal->enabled, 'perms'=>1, 'label'=>'LinkToProposal', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_client, t.total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."propal as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$listofidcompanytoscan.') AND t.entity IN ('.getEntity('propal').')'),
'order'=>array('enabled'=>$conf->commande->enabled, 'perms'=>1, 'label'=>'LinkToOrder', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_client, t.total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."commande as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$listofidcompanytoscan.') AND t.entity IN ('.getEntity('commande').')'),
'invoice'=>array('enabled'=>$conf->facture->enabled, 'perms'=>1, 'label'=>'LinkToInvoice', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_client, t.total as total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."facture as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$listofidcompanytoscan.') AND t.entity IN ('.getEntity('invoice').')'),
'invoice_template'=>array('enabled'=>$conf->facture->enabled, 'perms'=>1, 'label'=>'LinkToTemplateInvoice', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.titre as ref, t.total as total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."facture_rec as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$listofidcompanytoscan.') AND t.entity IN ('.getEntity('invoice').')'),
'propal'=>array('enabled'=>$conf->propal->enabled, 'perms'=>1, 'label'=>'LinkToProposal', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_client, t.total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."propal as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$this->db->sanitize($listofidcompanytoscan).') AND t.entity IN ('.getEntity('propal').')'),
'order'=>array('enabled'=>$conf->commande->enabled, 'perms'=>1, 'label'=>'LinkToOrder', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_client, t.total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."commande as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$this->db->sanitize($listofidcompanytoscan).') AND t.entity IN ('.getEntity('commande').')'),
'invoice'=>array('enabled'=>$conf->facture->enabled, 'perms'=>1, 'label'=>'LinkToInvoice', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_client, t.total as total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."facture as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$this->db->sanitize($listofidcompanytoscan).') AND t.entity IN ('.getEntity('invoice').')'),
'invoice_template'=>array('enabled'=>$conf->facture->enabled, 'perms'=>1, 'label'=>'LinkToTemplateInvoice', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.titre as ref, t.total as total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."facture_rec as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$this->db->sanitize($listofidcompanytoscan).') AND t.entity IN ('.getEntity('invoice').')'),
'contrat'=>array('enabled'=>$conf->contrat->enabled, 'perms'=>1, 'label'=>'LinkToContract',
'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_customer as ref_client, t.ref_supplier, SUM(td.total_ht) as total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."contrat as t, ".MAIN_DB_PREFIX."contratdet as td WHERE t.fk_soc = s.rowid AND td.fk_contrat = t.rowid AND t.fk_soc IN (".$listofidcompanytoscan.') AND t.entity IN ('.getEntity('contract').')'),
'fichinter'=>array('enabled'=>$conf->ficheinter->enabled, 'perms'=>1, 'label'=>'LinkToIntervention', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."fichinter as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$listofidcompanytoscan.') AND t.entity IN ('.getEntity('intervention').')'),
'supplier_proposal'=>array('enabled'=>$conf->supplier_proposal->enabled, 'perms'=>1, 'label'=>'LinkToSupplierProposal', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, '' as ref_supplier, t.total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."supplier_proposal as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$listofidcompanytoscan.') AND t.entity IN ('.getEntity('supplier_proposal').')'),
'order_supplier'=>array('enabled'=>$conf->supplier_order->enabled, 'perms'=>1, 'label'=>'LinkToSupplierOrder', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_supplier, t.total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."commande_fournisseur as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$listofidcompanytoscan.') AND t.entity IN ('.getEntity('commande_fournisseur').')'),
'invoice_supplier'=>array('enabled'=>$conf->supplier_invoice->enabled, 'perms'=>1, 'label'=>'LinkToSupplierInvoice', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_supplier, t.total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."facture_fourn as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$listofidcompanytoscan.') AND t.entity IN ('.getEntity('facture_fourn').')'),
'ticket'=>array('enabled'=>$conf->ticket->enabled, 'perms'=>1, 'label'=>'LinkToTicket', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.track_id, '0' as total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."ticket as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$listofidcompanytoscan.') AND t.entity IN ('.getEntity('ticket').')')
'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_customer as ref_client, t.ref_supplier, SUM(td.total_ht) as total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."contrat as t, ".MAIN_DB_PREFIX."contratdet as td WHERE t.fk_soc = s.rowid AND td.fk_contrat = t.rowid AND t.fk_soc IN (".$this->db->sanitize($listofidcompanytoscan).') AND t.entity IN ('.getEntity('contract').')'),
'fichinter'=>array('enabled'=>$conf->ficheinter->enabled, 'perms'=>1, 'label'=>'LinkToIntervention', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."fichinter as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$this->db->sanitize($listofidcompanytoscan).') AND t.entity IN ('.getEntity('intervention').')'),
'supplier_proposal'=>array('enabled'=>$conf->supplier_proposal->enabled, 'perms'=>1, 'label'=>'LinkToSupplierProposal', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, '' as ref_supplier, t.total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."supplier_proposal as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$this->db->sanitize($listofidcompanytoscan).') AND t.entity IN ('.getEntity('supplier_proposal').')'),
'order_supplier'=>array('enabled'=>$conf->supplier_order->enabled, 'perms'=>1, 'label'=>'LinkToSupplierOrder', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_supplier, t.total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."commande_fournisseur as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$this->db->sanitize($listofidcompanytoscan).') AND t.entity IN ('.getEntity('commande_fournisseur').')'),
'invoice_supplier'=>array('enabled'=>$conf->supplier_invoice->enabled, 'perms'=>1, 'label'=>'LinkToSupplierInvoice', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_supplier, t.total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."facture_fourn as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$this->db->sanitize($listofidcompanytoscan).') AND t.entity IN ('.getEntity('facture_fourn').')'),
'ticket'=>array('enabled'=>$conf->ticket->enabled, 'perms'=>1, 'label'=>'LinkToTicket', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.track_id, '0' as total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."ticket as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$this->db->sanitize($listofidcompanytoscan).') AND t.entity IN ('.getEntity('ticket').')')
);
}
@ -705,7 +705,7 @@ class FormCompany extends Form
$sql .= " WHERE s.entity IN (".getEntity('societe').")";
// For ajax search we limit here. For combo list, we limit later
if (is_array($limitto) && count($limitto)) {
$sql .= " AND s.rowid IN (".join(',', $limitto).")";
$sql .= " AND s.rowid IN (".$this->db->sanitize(join(',', $limitto)).")";
}
$sql .= " ORDER BY s.nom ASC";
@ -82,7 +82,7 @@ class FormContract
if (empty($conf->global->CONTRACT_ALLOW_TO_LINK_FROM_OTHER_COMPANY)) {
$sql .= " AND (c.fk_soc=".$socid." OR c.fk_soc IS NULL)";
} elseif ($conf->global->CONTRACT_ALLOW_TO_LINK_FROM_OTHER_COMPANY != 'all') {
$sql .= " AND (c.fk_soc IN (".$socid.", ".$conf->global->CONTRACT_ALLOW_TO_LINK_FROM_OTHER_COMPANY.") ";
$sql .= " AND (c.fk_soc IN (".$this->db->sanitize($socid.", ".$conf->global->CONTRACT_ALLOW_TO_LINK_FROM_OTHER_COMPANY).") ";
$sql .= " OR c.fk_soc IS NULL)";
}
}
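Review bot: L1858 still interpolates `$socid` bare into `c.fk_soc=`, while the parallel FormProjets hunk in this commit casts it with `((int) $socid)`; `$sql .= " AND (c.fk_soc = ".((int) $socid)." OR c.fk_soc IS NULL)";` would bring the two branches in line. The new line at L1867 also folds the literal `", "` separator into the string handed to `sanitize()`, which only works if that filter strips spaces; `((int) $socid).", ".$this->db->sanitize($conf->global->CONTRACT_ALLOW_TO_LINK_FROM_OTHER_COMPANY)` makes the intent explicit and does not depend on that behaviour.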
@ -166,16 +166,16 @@ class FormProjets
$sql .= ' FROM '.MAIN_DB_PREFIX.'projet as p LEFT JOIN '.MAIN_DB_PREFIX.'societe as s ON s.rowid = p.fk_soc';
$sql .= " WHERE p.entity IN (".getEntity('project').")";
if ($projectsListId !== false) {
$sql .= " AND p.rowid IN (".$projectsListId.")";
$sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")";
}
if ($socid == 0) {
$sql .= " AND (p.fk_soc=0 OR p.fk_soc IS NULL)";
}
if ($socid > 0) {
if (empty($conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY)) {
$sql .= " AND (p.fk_soc=".$socid." OR p.fk_soc IS NULL)";
$sql .= " AND (p.fk_soc=".((int) $socid)." OR p.fk_soc IS NULL)";
} elseif ($conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY != 'all') { // PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY is 'all' or a list of ids separated by coma.
$sql .= " AND (p.fk_soc IN (".$socid.", ".((int) $conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY).") OR p.fk_soc IS NULL)";
$sql .= " AND (p.fk_soc IN (".((int) $socid).", ".((int) $conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY).") OR p.fk_soc IS NULL)";
}
}
if (!empty($filterkey)) {
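Review bot: At L1929 `(int)` is applied to `PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY`, yet the comment on L1923 says the setting may be a list of ids separated by commas; the cast keeps only the first id and silently narrows the filter. The FormContract hunk of this commit handles the equivalent contract setting with `sanitize()`, so the consistent line is `$sql .= " AND (p.fk_soc IN (".((int) $socid).", ".$this->db->sanitize($conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY).") OR p.fk_soc IS NULL)";`. The cast predates this commit, but the line is touched here and is the natural place to fix it.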
@ -344,7 +344,7 @@ class FormProjets
$sql .= " WHERE p.entity IN (".getEntity('project').")";
$sql .= " AND t.fk_projet = p.rowid";
if ($projectsListId) {
$sql .= " AND p.rowid IN (".$projectsListId.")";
$sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")";
}
if ($socid == 0) {
$sql .= " AND (p.fk_soc=0 OR p.fk_soc IS NULL)";
@ -570,9 +570,9 @@ class FormProjets
$sql .= " WHERE ".$projectkey." is null";
if (!empty($socid) && $linkedtothirdparty) {
if (is_numeric($socid)) {
$sql .= " AND t.fk_soc=".$socid;
$sql .= " AND t.fk_soc = ".((int) $socid);
} else {
$sql .= " AND t.fk_soc IN (".$socid.")";
$sql .= " AND t.fk_soc IN (".$this->db->sanitize($socid).")";
}
}
if (!in_array($table_element, array('expensereport_det', 'stock_mouvement'))) {
@ -1087,7 +1087,7 @@ function show_contacts($conf, $langs, $db, $object, $backtopage = '')
$sql .= natural_search($searchAddressPhoneDBFields, $search_address);
}
if (count($search_roles) > 0) {
$sql .= " AND t.rowid IN (SELECT sc.fk_socpeople FROM ".MAIN_DB_PREFIX."societe_contacts as sc WHERE sc.fk_c_type_contact IN (".implode(',', $search_roles)."))";
$sql .= " AND t.rowid IN (SELECT sc.fk_socpeople FROM ".MAIN_DB_PREFIX."societe_contacts as sc WHERE sc.fk_c_type_contact IN (".$db->sanitize(implode(',', $search_roles))."))";
}
// Add where from extra fields
$extrafieldsobjectkey = $contactstatic->table_element;
@ -1230,7 +1230,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
if ($bentityon) { // only if entity enable
$sql .= " AND entity IN (".getEntity($sharetable).")";
} elseif (!empty($forceentity)) {
$sql .= " AND entity IN (".$forceentity.")";
$sql .= " AND entity IN (".$db->sanitize($forceentity).")";
}
if ($where) {
$sql .= $where;
@ -1290,7 +1290,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
if ($bentityon) { // only if entity enable
$sql .= " AND entity IN (".getEntity($sharetable).")";
} elseif (!empty($forceentity)) {
$sql .= " AND entity IN (".$forceentity.")";
$sql .= " AND entity IN (".$db->sanitize($forceentity).")";
}
if ($where) {
$sql .= $where;
@ -1351,7 +1351,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
if ($bentityon) { // only if entity enable
$maskrefclient_sql .= " AND entity IN (".getEntity($sharetable).")";
} elseif (!empty($forceentity)) {
$sql .= " AND entity IN (".$forceentity.")";
$sql .= " AND entity IN (".$db->sanitize($forceentity).")";
}
if ($where) {
$maskrefclient_sql .= $where; //use the same optional where as general mask
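Review bot: At L2104 the sanitized entity filter is appended to `$sql`, but the surrounding branch builds `$maskrefclient_sql` (L2095 and L2113 in this hunk), so the forced-entity restriction appears to land on the wrong statement and the maskrefclient query runs without it. The commit only changes the sanitizing; the line should presumably read `$maskrefclient_sql .= " AND entity IN (".$db->sanitize($forceentity).")";`. The function continues outside the hunk, so check what `$sql` holds at this point before changing it.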
@ -2254,7 +2254,7 @@ function cleanCorruptedTree($db, $tabletocleantree, $fieldfkparent)
$sql = "UPDATE ".MAIN_DB_PREFIX.$tabletocleantree;
$sql .= " SET ".$fieldfkparent." = 0";
$sql .= " WHERE rowid IN (".join(',', $listofidtoclean).")"; // So we update only records detected wrong
$sql .= " WHERE rowid IN (".$db->sanitize(join(',', $listofidtoclean)).")"; // So we update only records detected wrong
$resql = $db->query($sql);
if ($resql) {
$nb = $db->affected_rows($sql);
@ -2271,7 +2271,7 @@ function cleanCorruptedTree($db, $tabletocleantree, $fieldfkparent)
// Check and clean orphelins
$sql = "UPDATE ".MAIN_DB_PREFIX.$tabletocleantree;
$sql .= " SET ".$fieldfkparent." = 0";
$sql .= " WHERE ".$fieldfkparent." NOT IN (".join(',', $listofid).")"; // So we update only records linked to a non existing parent
$sql .= " WHERE ".$fieldfkparent." NOT IN (".$db->sanitize(join(',', $listofid), 1).")"; // So we update only records linked to a non existing parent
$resql = $db->query($sql);
if ($resql) {
$nb = $db->affected_rows($sql);
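Review bot: L2157 passes `1` as the second argument to `sanitize()` for `join(',', $listofid)`, whereas the first hunk of this function (L2130) sanitizes the same kind of id list with no second argument. If that flag admits single quotes, as its use with the quoted `$typestring` list elsewhere in this commit suggests, it loosens the filter for no benefit on integer ids; `$db->sanitize(join(',', $listofid))` matches the other call and keeps the filter as tight as the data allows.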
@ -2378,9 +2378,9 @@ function print_projecttasks_array($db, $form, $socid, $projectsListId, $mytasks
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."projet_task as t ON p.rowid = t.fk_projet";
}
$sql .= " WHERE p.entity IN (".getEntity('project').")";
$sql .= " AND p.rowid IN (".$projectsListId.")";
$sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")";
if ($socid) {
$sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
$sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".((int) $socid).")";
}
if ($mytasks) {
$sql .= " AND p.rowid = t.fk_projet";
@ -2436,7 +2436,7 @@ function print_projecttasks_array($db, $form, $socid, $projectsListId, $mytasks
$sql2 .= " FROM ".MAIN_DB_PREFIX."projet as p";
$sql2 .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = p.fk_soc";
$sql2 .= " LEFT JOIN ".MAIN_DB_PREFIX."projet_task as t ON p.rowid = t.fk_projet";
$sql2 .= " WHERE p.rowid IN (".join(',', $arrayidofprojects).")";
$sql2 .= " WHERE p.rowid IN (".$db->sanitize(join(',', $arrayidofprojects)).")";
$sql2 .= " GROUP BY p.rowid, p.ref, p.title, p.fk_soc, s.rowid, s.nom, s.name_alias, s.code_client, s.code_compta, s.client, s.code_fournisseur, s.code_compta_fournisseur, s.fournisseur,";
$sql2 .= " s.logo, s.email, s.entity, p.fk_user_creat, p.public, p.fk_statut, p.fk_opp_status, p.opp_percent, p.opp_amount, p.dateo, p.datee";
$sql2 .= " ORDER BY p.title, p.ref";
@ -595,27 +595,27 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
if (($feature == 'user' || $feature == 'usergroup') && !empty($conf->multicompany->enabled)) { // Special for multicompany
if (!empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) {
if ($conf->entity == 1 && $user->admin && !$user->entity) {
$sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
$sql .= " AND dbt.entity IS NOT NULL";
} else {
$sql .= ",".MAIN_DB_PREFIX."usergroup_user as ug";
$sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
$sql .= " AND ((ug.fk_user = dbt.rowid";
$sql .= " AND ug.entity IN (".getEntity('usergroup')."))";
$sql .= " OR dbt.entity = 0)"; // Show always superadmin
}
} else {
$sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
}
} else {
$reg = array();
if ($parenttableforentity && preg_match('/(.*)@(.*)/', $parenttableforentity, $reg)) {
$sql .= ", ".MAIN_DB_PREFIX.$reg[2]." as dbtp";
$sql .= " WHERE dbt.".$reg[1]." = dbtp.rowid AND dbt.".$dbt_select." IN (".$objectid.")";
$sql .= " WHERE dbt.".$reg[1]." = dbtp.rowid AND dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
$sql .= " AND dbtp.entity IN (".getEntity($sharedelement, 1).")";
} else {
$sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
}
}
@ -630,7 +630,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
$sql = "SELECT COUNT(sc.fk_soc) as nb";
$sql .= " FROM (".MAIN_DB_PREFIX."societe_commerciaux as sc";
$sql .= ", ".MAIN_DB_PREFIX."societe as s)";
$sql .= " WHERE sc.fk_soc IN (".$objectid.")";
$sql .= " WHERE sc.fk_soc IN (".$db->sanitize($objectid, 1).")";
$sql .= " AND sc.fk_user = ".$user->id;
$sql .= " AND sc.fk_soc = s.rowid";
$sql .= " AND s.entity IN (".getEntity($sharedelement, 1).")";
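Review bot: L2353 interpolates `$user->id` directly, while the LEFT JOIN at L2422 in a later hunk of this function casts it with `((int) $user->id)`; the same bare interpolation remains at L2407 and L2536 (`$user->socid`) and at L2569, L2581 and L2593 (`$user->id`). These values come from the session rather than the request, so the risk is low, but casting them uniformly, e.g. `$sql .= " AND sc.fk_user = ".((int) $user->id);`, keeps this function's queries consistent with the rest of the commit and removes the exceptions a future reader has to reason about.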
@ -638,7 +638,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
// If multicompany and internal users with all permissions, check user is in correct entity
$sql = "SELECT COUNT(s.rowid) as nb";
$sql .= " FROM ".MAIN_DB_PREFIX."societe as s";
$sql .= " WHERE s.rowid IN (".$objectid.")";
$sql .= " WHERE s.rowid IN (".$db->sanitize($objectid, 1).")";
$sql .= " AND s.entity IN (".getEntity($sharedelement, 1).")";
}
} elseif (in_array($feature, $checkother)) { // Test on entity + link to thirdparty. Allowed if link is empty (Ex: contacts...).
@ -646,21 +646,21 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
if ($user->socid > 0) {
$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
$sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
$sql .= " AND dbt.fk_soc = ".$user->socid;
} elseif (!empty($conf->societe->enabled) && ($user->rights->societe->lire && !$user->rights->societe->client->voir)) {
// If internal user: Check permission for internal users that are restricted on their objects
$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
$sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
$sql .= " AND (dbt.fk_soc IS NULL OR sc.fk_soc IS NOT NULL)"; // Contact not linked to a company or to a company of user
$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
} elseif (!empty($conf->multicompany->enabled)) {
// If multicompany and internal users with all permissions, check user is in correct entity
$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
$sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
}
if ($feature == 'agenda') {
@ -686,7 +686,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
} else {
$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
$sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
}
} elseif (in_array($feature, $checktask)) {
@ -704,7 +704,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
} else {
$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
$sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
}
} elseif (!in_array($feature, $nocheck)) { // By default (case of $checkdefault), we check on object entity + link to third party on field $dbt_keyfield
@ -715,7 +715,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
}
$sql = "SELECT COUNT(dbt.".$dbt_keyfield.") as nb";
$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
$sql .= " WHERE dbt.rowid IN (".$objectid.")";
$sql .= " WHERE dbt.rowid IN (".$db->sanitize($objectid, 1).")";
$sql .= " AND dbt.".$dbt_keyfield." = ".$user->socid;
} elseif (!empty($conf->societe->enabled) && !$user->rights->societe->client->voir) {
// If internal user: Check permission for internal users that are restricted on their objects
@ -726,7 +726,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
$sql = "SELECT COUNT(sc.fk_soc) as nb";
$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
$sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
$sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
$sql .= " AND sc.fk_soc = dbt.".$dbt_keyfield;
$sql .= " AND sc.fk_user = ".$user->id;
@ -735,7 +735,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON sc.fk_soc = dbt.".$dbt_keyfield." AND sc.fk_user = ".$user->id;
$sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
$sql .= " AND (sc.fk_user = ".$user->id." OR sc.fk_user IS NULL)";
}
@ -743,7 +743,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
// If multicompany and internal users with all permissions, check user is in correct entity
$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
$sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
$sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
}
}
@ -859,7 +859,7 @@ function getPagesFromSearchCriterias($type, $algo, $searchstring, $max = 25, $so
foreach ($tmparrayoftype as $tmptype) {
$typestring .= ($typestring ? ", " : "")."'".$db->escape(trim($tmptype))."'";
}
$sql .= " AND wp.type_container IN (".$typestring.")";
$sql .= " AND wp.type_container IN (".$db->sanitize($typestring, 1).")";
}
$sql .= " AND (";
$searchalgo = '';
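Review bot: L2643 applies `sanitize(..., 1)` on top of the `$db->escape()` done per `$tmptype` at L2634; if the sanitizer keeps only an alphanumeric class plus the single quote, the backslash that `escape()` inserts is removed again, so a type value containing a quote ends up unescaped inside the quoted list and the query fails. Container types are a fixed vocabulary, so validating each `$tmptype` against the known types (or restricting it to `[a-z0-9_-]`) before quoting is a more robust guard than layering the two filters — confirm against the character class `sanitize()` actually allows.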
@ -125,10 +125,10 @@ class mailing_advthirdparties extends MailingTargets
$sql .= " FROM ".MAIN_DB_PREFIX."socpeople as socp";
$sql .= " WHERE socp.entity IN (".getEntity('socpeople').")";
if (count($contactid) > 0) {
$sql .= " AND socp.rowid IN (".implode(',', $contactid).")";
$sql .= " AND socp.rowid IN (".$this->db->sanitize(implode(',', $contactid)).")";
}
if (count($socid) > 0) {
$sql .= " AND socp.fk_soc IN (".implode(',', $socid).")";
$sql .= " AND socp.fk_soc IN (".$this->db->sanitize(implode(',', $socid)).")";
}
$sql .= " ORDER BY email";
@ -106,7 +106,7 @@ $sql .= " p.rowid as pid, p.ref, p.title, p.public";
$sql .= " FROM ".MAIN_DB_PREFIX."don as d LEFT JOIN ".MAIN_DB_PREFIX."projet AS p";
$sql .= " ON p.rowid = d.fk_projet WHERE d.entity IN (".getEntity('donation').")";
if ($search_status != '' && $search_status != '-4') {
$sql .= " AND d.fk_statut IN (".$db->sanitize($db->escape($search_status)).")";
$sql .= " AND d.fk_statut IN (".$db->sanitize($search_status).")";
}
if (trim($search_ref) != '') {
$sql .= natural_search('d.ref', $search_ref);
@ -129,7 +129,7 @@ class Shipments extends DolibarrApi
$sql .= " AND t.fk_soc = sc.fk_soc";
}
if ($socids) {
$sql .= " AND t.fk_soc IN (".$socids.")";
$sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")";
}
if ($search_sale > 0) {
$sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
@ -313,13 +313,13 @@ if ($search_state) {
$sql .= natural_search("state.nom", $search_state);
}
if ($search_country) {
$sql .= " AND s.fk_pays IN (".$search_country.')';
$sql .= " AND s.fk_pays IN (".$db->sanitize($search_country).')';
}
if ($search_tracking) {
$sql .= natural_search("e.tracking_number", $search_tracking);
}
if ($search_type_thirdparty != '' && $search_type_thirdparty > 0) {
$sql .= " AND s.fk_typent IN (".$search_type_thirdparty.')';
$sql .= " AND s.fk_typent IN (".$db->sanitize($search_type_thirdparty).')';
}
if ($search_sale > 0) {
$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$search_sale;
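Review bot: L2800 still interpolates `$search_sale` bare, while the Interventions hunk of this commit casts the same filter with `((int) $search_sale)`; the guard on L2797 only checks `> 0`, which does not guarantee an integer. `$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $search_sale);` mirrors the other file.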
@ -108,7 +108,7 @@ class ExpenseReports extends DolibarrApi
$sql .= " FROM ".MAIN_DB_PREFIX."expensereport as t";
$sql .= ' WHERE t.entity IN ('.getEntity('expensereport').')';
if ($user_ids) {
$sql .= " AND t.fk_user_author IN (".$user_ids.")";
$sql .= " AND t.fk_user_author IN (".$this->db->sanitize($user_ids).")";
}
// Add sql filters
@ -2367,8 +2367,8 @@ class ExpenseReport extends CommonObject
$sql .= " AND ex.entity IN (".getEntity('expensereport').")";
if (empty($user->rights->expensereport->readall)) {
$userchildids = $user->getAllChildIds(1);
$sql .= " AND (ex.fk_user_author IN (".join(',', $userchildids).")";
$sql .= " OR ex.fk_user_validator IN (".join(',', $userchildids)."))";
$sql .= " AND (ex.fk_user_author IN (".$this->db->sanitize(join(',', $userchildids)).")";
$sql .= " OR ex.fk_user_validator IN (".$this->db->sanitize(join(',', $userchildids))."))";
}
$resql = $this->db->query($sql);
@ -2414,8 +2414,8 @@ class ExpenseReport extends CommonObject
$sql .= " AND ex.entity IN (".getEntity('expensereport').")";
if (empty($user->rights->expensereport->readall)) {
$userchildids = $user->getAllChildIds(1);
$sql .= " AND (ex.fk_user_author IN (".join(',', $userchildids).")";
$sql .= " OR ex.fk_user_validator IN (".join(',', $userchildids)."))";
$sql .= " AND (ex.fk_user_author IN (".$this->db->sanitize(join(',', $userchildids)).")";
$sql .= " OR ex.fk_user_validator IN (".$this->db->sanitize(join(',', $userchildids))."))";
}
$resql = $this->db->query($sql);
@ -78,11 +78,11 @@ class ExpenseReportStats extends Stats
if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous)) {
$childids = $user->getAllChildIds();
$childids[] = $user->id;
$this->where .= " AND e.fk_user_author IN (".(join(',', $childids)).")";
$this->where .= " AND e.fk_user_author IN (".$this->db->sanitize(join(',', $childids)).")";
}
if ($this->userid > 0) {
$this->where .= ' AND e.fk_user_author = '.$this->userid;
$this->where .= ' AND e.fk_user_author = '.((int) $this->userid);
}
}
@ -91,7 +91,7 @@ if (empty($user->rights->expensereport->readall) && empty($user->rights->expense
&& (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || empty($user->rights->expensereport->writeall_advance))) {
$childids = $user->getAllChildIds();
$childids[] = $user->id;
$sql .= " AND d.fk_user_author IN (".join(',', $childids).")\n";
$sql .= " AND d.fk_user_author IN (".$db->sanitize(join(',', $childids)).")\n";
}
$sql .= " GROUP BY tf.code, tf.label";
@ -180,11 +180,11 @@ if (empty($user->rights->expensereport->readall) && empty($user->rights->expense
&& (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || empty($user->rights->expensereport->writeall_advance))) {
$childids = $user->getAllChildIds();
$childids[] = $user->id;
$sql .= " AND d.fk_user_author IN (".join(',', $childids).")\n";
$sql .= " AND d.fk_user_author IN (".$db->sanitize(join(',', $childids)).")\n";
}
$sql .= ' AND d.entity IN ('.getEntity('expensereport').')';
if (!$user->rights->societe->client->voir && !$user->socid) {
$sql .= " AND d.fk_user_author = s.rowid AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
$sql .= " AND d.fk_user_author = s.rowid AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
}
if ($socid) {
$sql .= " AND d.fk_user_author = ".$socid;
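Review bot: L3006 interpolates `$socid` bare, while L2997 in the same hunk now casts `$user->id` with `(int)`; `$sql .= " AND d.fk_user_author = ".((int) $socid);` applies the same treatment to the request-derived value, which is the one that most needs it. The enclosing script continues outside the hunk.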
@ -290,12 +290,12 @@ if ($search_user != '' && $search_user >= 0) {
}
// Status
if ($search_status != '' && $search_status >= 0) {
$sql .= " AND d.fk_statut IN (".$db->sanitize($db->escape($search_status)).")";
$sql .= " AND d.fk_statut IN (".$db->sanitize($search_status).")";
}
// RESTRICT RIGHTS
if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous)
&& (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || empty($user->rights->expensereport->writeall_advance))) {
$sql .= " AND d.fk_user_author IN (".join(',', $childids).")\n";
$sql .= " AND d.fk_user_author IN (".$db->sanitize(join(',', $childids)).")\n";
}
// Add where from extra fields
include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_search_sql.tpl.php';
@ -136,14 +136,14 @@ class Interventions extends DolibarrApi
$sql .= " AND t.fk_soc = sc.fk_soc";
}
if ($socids) {
$sql .= " AND t.fk_soc IN (".$socids.")";
$sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")";
}
if ($search_sale > 0) {
$sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
}
// Insert sale filter
if ($search_sale > 0) {
$sql .= " AND sc.fk_user = ".$search_sale;
$sql .= " AND sc.fk_user = ".((int) $search_sale);
}
// Add sql filters
if ($sqlfilters) {
@ -654,7 +654,7 @@ if ($object->id > 0) {
$sql2 .= " AND c.fk_statut IN (".$db->sanitize(CommandeFournisseur::STATUS_RECEIVED_COMPLETELY).")"; // Must match filter in htdocs/fourn/commande/list.php
} else {
// CommandeFournisseur::STATUS_ORDERSENT.", ".CommandeFournisseur::STATUS_RECEIVED_PARTIALLY.", ".CommandeFournisseur::STATUS_RECEIVED_COMPLETELY
$sql2 .= " AND c.fk_statut IN (".$db->sanitize($db->escape($conf->global->SUPPLIER_ORDER_TO_INVOICE_STATUS)).")";
$sql2 .= " AND c.fk_statut IN (".$db->sanitize($conf->global->SUPPLIER_ORDER_TO_INVOICE_STATUS).")";
}
$sql2 .= " AND c.billed = 0";
// Find order that are not already invoiced
@ -130,7 +130,7 @@ class SupplierInvoices extends DolibarrApi
$sql .= " AND t.fk_soc = sc.fk_soc";
}
if ($socids) {
$sql .= " AND t.fk_soc IN (".$socids.")";
$sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")";
}
if ($search_sale > 0) {
$sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
@ -131,10 +131,10 @@ class SupplierOrders extends DolibarrApi
$sql .= " AND t.fk_soc = sc.fk_soc";
}
if (!empty($product_ids)) {
$sql .= " AND cd.fk_commande = t.rowid AND cd.fk_product IN (".$product_ids.")";
$sql .= " AND cd.fk_commande = t.rowid AND cd.fk_product IN (".$this->db->sanitize($product_ids).")";
}
if ($socids) {
$sql .= " AND t.fk_soc IN (".$socids.")";
$sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")";
}
if ($search_sale > 0) {
$sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
@ -116,17 +116,8 @@ if ($user->rights->fournisseur->facture->lire) {
$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
}
if ($socid) {
$sql .= " AND s.rowid = ".$socid;
$sql .= " AND s.rowid = ".((int) $socid);
}
if (GETPOST('filtre')) {
$filtrearr = explode(",", GETPOST('filtre'));
foreach ($filtrearr as $fil) {
$filt = explode(":", $fil);
$sql .= " AND ".$filt[0]." = ".$filt[1];
}
}
if ($search_ref) {
$sql .= " AND f.ref LIKE '%".$db->escape($search_ref)."%'";
}
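Review bot: `sc.fk_user = ".$user->id` on the first line of this hunk is left as a bare interpolation while `$socid` three lines below it gets `((int) $socid)`; the value is internal, but the convention this commit establishes is the cast, so `$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);` keeps the file uniform with L2997. The same uncast `$user->id` remains in the hunks ending at L3594 (`sc.fk_user`), L3896 (`ect.fk_socpeople`) and L4130 (`ec.fk_socpeople`, twice). The enclosing `if` on this first line starts before the hunk.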
@ -475,14 +475,14 @@ $sql .= " state.code_departement as state_code, state.nom as state_name,";
$sql .= " country.code as country_code,";
$sql .= " p.rowid as project_id, p.ref as project_ref, p.title as project_label,";
$sql .= " u.login";
if ($search_categ_sup && $search_categ_sup != '-1') {
$sql .= ", cs.fk_categorie, cs.fk_soc";
}
// We need dynamount_payed to be able to sort on status (value is surely wrong because we can count several lines several times due to other left join or link with contacts. But what we need is just 0 or > 0)
// TODO Better solution to be able to sort on already payed or remain to pay is to store amount_payed in a denormalized field.
if (!$search_all) {
$sql .= ', SUM(pf.amount) as dynamount_payed';
}
if ($search_categ_sup) {
$sql .= ", cs.fk_categorie, cs.fk_soc";
}
// Add fields from extrafields
if (!empty($extrafields->attributes[$object->table_element]['label'])) {
foreach ($extrafields->attributes[$object->table_element]['label'] as $key => $val) {
@ -580,10 +580,10 @@ if ($search_state) {
$sql .= natural_search("state.nom", $search_state);
}
if ($search_country) {
$sql .= " AND s.fk_pays IN (".$search_country.')';
$sql .= " AND s.fk_pays IN (".$db->sanitize($search_country).')';
}
if ($search_type_thirdparty != '' && $search_type_thirdparty >= 0) {
$sql .= " AND s.fk_typent IN (".$search_type_thirdparty.')';
$sql .= " AND s.fk_typent IN (".$db->sanitize($search_type_thirdparty).')';
}
if ($search_montant_ht != '') {
$sql .= natural_search('f.total_ht', $search_montant_ht, 1);
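Review bot: `$db->sanitize($search_country)` on L3336 and `$db->sanitize($search_type_thirdparty)` on L3348 have no fallback for the case where sanitize() rejects the whole value; if it is a character whitelist, as the optional second argument at L4300 suggests, a search term made only of rejected characters yields `IN ()`, which is a SQL syntax error rather than an empty result set. The commit already guards this shape at L4487 with `$db->sanitize($projectsListId ? $projectsListId : '0')`; here the fallback has to apply to the sanitized output, e.g. `$countries = $db->sanitize($search_country); $sql .= " AND s.fk_pays IN (".($countries ? $countries : '0').')';`. The identical pair of lines appears in the hunk ending at L4644. What sanitize() actually strips is not visible on this page, so confirm against its implementation before relying on this.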
@ -677,6 +677,9 @@ if (!$search_all) {
$sql .= ' country.code,';
$sql .= " p.rowid, p.ref, p.title,";
$sql .= " u.login";
if ($search_categ_sup && $search_categ_sup != '-1') {
$sql .= ", cs.fk_categorie, cs.fk_soc";
}
if (!empty($extrafields->attributes[$object->table_element]['label'])) {
foreach ($extrafields->attributes[$object->table_element]['label'] as $key => $val) {
//prevent error with sql_mode=only_full_group_by
@ -1122,7 +1122,7 @@ class Holiday extends CommonObject
$sql .= " AND cp.fk_user = ".(int) $fk_user;
$sql .= " AND cp.date_debut <= '".$this->db->idate($timestamp)."' AND cp.date_fin >= '".$this->db->idate($timestamp)."'";
if ($status != '-1') {
$sql .= " AND cp.statut IN (".$this->db->sanitize($this->db->escape($status)).")";
$sql .= " AND cp.statut IN (".$this->db->sanitize($status).")";
}
$resql = $this->db->query($sql);
@ -2209,8 +2209,8 @@ class Holiday extends CommonObject
$sql .= " AND h.entity IN (".getEntity('holiday').")";
if (empty($user->rights->expensereport->readall)) {
$userchildids = $user->getAllChildIds(1);
$sql .= " AND (h.fk_user IN (".join(',', $userchildids).")";
$sql .= " OR h.fk_validator IN (".join(',', $userchildids)."))";
$sql .= " AND (h.fk_user IN (".$this->db->sanitize(join(',', $userchildids)).")";
$sql .= " OR h.fk_validator IN (".$this->db->sanitize(join(',', $userchildids))."))";
}
$resql = $this->db->query($sql);
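Review bot: The visibility restriction in this hunk is keyed on `$user->rights->expensereport->readall` (L3424), while the near-identical block in the hunk ending at L3479 tests `$user->rights->expensereport->read_all` (L3456), and both sit in class Holiday, where the list page at L3484 gates on `$user->rights->holiday->readall`. Whichever of the two spellings is not a real permission key makes `empty()` always true, so one method always applies the child-user filter while the other lets an expensereport right decide who sees holiday records; which is intended cannot be read from these hunks. Worth settling with one spelling and a why-comment on the condition such as `// NOTE(review): holiday visibility is gated by the expensereport read-all right — confirm this is intended, not holiday->readall`. The two SQL blocks are otherwise duplicated line for line and could share a private helper. Both enclosing methods begin outside their hunks.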
@ -2251,8 +2251,8 @@ class Holiday extends CommonObject
$sql .= " AND h.entity IN (".getEntity('holiday').")";
if (empty($user->rights->expensereport->read_all)) {
$userchildids = $user->getAllChildIds(1);
$sql .= " AND (h.fk_user IN (".join(',', $userchildids).")";
$sql .= " OR h.fk_validator IN (".join(',', $userchildids)."))";
$sql .= " AND (h.fk_user IN (".$this->db->sanitize(join(',', $userchildids)).")";
$sql .= " OR h.fk_validator IN (".$this->db->sanitize(join(',', $userchildids))."))";
}
$resql = $this->db->query($sql);
@ -344,7 +344,7 @@ if (empty($user->rights->holiday->readall)) {
$sql .= ' AND cp.fk_user IN ('.join(',', $childids).')';
}
if ($id > 0) {
$sql .= " AND cp.fk_user IN (".$id.")";
$sql .= " AND cp.fk_user IN (".$db->sanitize($id).")";
}
// Add where from extra fields
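Review bot: The first line of this hunk, `$sql .= ' AND cp.fk_user IN ('.join(',', $childids).')';`, is the only `join(',', $childids)` in this part of the commit not wrapped in `$db->sanitize()`, whereas L3499 just below wraps the scalar `$id`. `$childids` is built from `getAllChildIds()` elsewhere in the commit and so is internal, but treating every IN-list the same way keeps the rule trivial to audit: `$sql .= ' AND cp.fk_user IN ('.$db->sanitize(join(',', $childids)).')';`. The enclosing `if` starts before the hunk.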
@ -166,7 +166,7 @@ if (!empty($conf->global->AGENT_CONTACT_TYPE)) {
} else {
$sql .= " AND sc.fk_user = u.rowid";
}
$sql .= " AND f.fk_statut NOT IN (".implode(', ', $invoice_status_except_list).")";
$sql .= " AND f.fk_statut NOT IN (".$db->sanitize(implode(', ', $invoice_status_except_list)).")";
$sql .= ' AND s.entity IN ('.getEntity('societe').')';
$sql .= " AND d.fk_facture = f.rowid";
if ($agentid > 0) {
@ -214,7 +214,7 @@ $sql .= " ,d.fk_product";
$sql .= " FROM ".MAIN_DB_PREFIX."facture as f ";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."facturedet as d ON d.fk_facture = f.rowid";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON d.fk_product = p.rowid";
$sql .= " WHERE f.fk_statut NOT IN (".implode(', ', $invoice_status_except_list).")";
$sql .= " WHERE f.fk_statut NOT IN (".$db->sanitize(implode(', ', $invoice_status_except_list)).")";
$sql .= " AND f.entity IN (".getEntity('invoice').") ";
if (!empty($startdate)) {
$sql .= " AND f.datef >= '".$db->idate($startdate)."'";
@ -239,7 +239,7 @@ if ($socid > 0) {
if (!$user->rights->societe->client->voir && !$socid) {
$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
}
$sql .= " AND f.fk_statut NOT IN (".implode(', ', $invoice_status_except_list).")";
$sql .= " AND f.fk_statut NOT IN (".$db->sanitize(implode(', ', $invoice_status_except_list)).")";
$sql .= ' AND s.entity IN ('.getEntity('societe').')';
$sql .= ' AND f.entity IN ('.getEntity('invoice').')';
$sql .= " AND d.fk_facture = f.rowid";
@ -195,13 +195,13 @@ if (!empty($TSelectedCats)) {
}
$sql .= " WHERE f.fk_soc = s.rowid";
$sql .= ' AND f.entity IN ('.getEntity('invoice').')';
$sql .= " AND f.fk_statut NOT IN (".implode(', ', $invoice_status_except_list).")";
$sql .= " AND f.fk_statut NOT IN (".$db->sanitize(implode(', ', $invoice_status_except_list)).")";
$sql .= " AND d.fk_facture = f.rowid";
if ($id > 0) {
$sql .= " AND d.fk_product =".$id;
}
if (!empty($TSelectedCats)) {
$sql .= ' AND cp.fk_categorie IN ('.implode(',', $TSelectedCats).')';
$sql .= ' AND cp.fk_categorie IN ('.$db->sanitize(implode(',', $TSelectedCats)).')';
}
if (!empty($startdate)) {
$sql .= " AND f.datef >= '".$db->idate($startdate)."'";
@ -116,13 +116,13 @@ class FormProduct
}
$sql .= " WHERE e.entity IN (".getEntity('stock').")";
if (count($warehouseStatus)) {
$sql .= " AND e.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")";
$sql .= " AND e.statut IN (".$this->db->sanitize(implode(',', $warehouseStatus)).")";
} else {
$sql .= " AND e.statut = 1";
}
if (!empty($exclude)) {
$sql .= ' AND e.rowid NOT IN('.$this->db->escape(implode(',', $exclude)).')';
$sql .= ' AND e.rowid NOT IN('.$this->db->sanitize(implode(',', $exclude)).')';
}
// minimum stock
@ -646,7 +646,7 @@ class FormProduct
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps on ps.rowid = pb.fk_product_stock";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."entrepot as e on e.rowid = ps.fk_entrepot AND e.entity IN (".getEntity('stock').")";
if (!empty($productIdList)) {
$sql .= " WHERE ps.fk_product IN (".$productIdList.")";
$sql .= " WHERE ps.fk_product IN (".$this->db->sanitize($productIdList).")";
}
$sql .= " ORDER BY e.ref, pb.batch";
@ -2750,7 +2750,7 @@ class Product extends CommonObject
$sql .= " JOIN ".MAIN_DB_PREFIX."facture f ON fd.fk_facture = f.rowid ";
$sql .= " JOIN ".MAIN_DB_PREFIX."element_element el ON el.fk_target = f.rowid and el.targettype = 'facture' and sourcetype = 'commande'";
$sql .= " JOIN ".MAIN_DB_PREFIX."commande c ON el.fk_source = c.rowid ";
$sql .= " WHERE c.fk_statut IN (".$filtrestatut.") AND c.facture = 0 AND fd.fk_product = ".$this->id;
$sql .= " WHERE c.fk_statut IN (".$this->db->sanitize($filtrestatut).") AND c.facture = 0 AND fd.fk_product = ".((int) $this->id);
dol_syslog(__METHOD__.":: sql $sql", LOG_NOTICE);
$resql = $this->db->query($sql);
@ -4980,7 +4980,7 @@ class Product extends CommonObject
$sql .= " AND w.rowid = ps.fk_entrepot";
$sql .= " AND ps.fk_product = ".$this->id;
if (!empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) {
$sql .= " AND w.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")";
$sql .= " AND w.statut IN (".$this->db->sanitize(implode(',', $warehouseStatus)).")";
}
dol_syslog(get_class($this)."::load_stock", LOG_DEBUG);
@ -133,7 +133,7 @@ if ($date && $dateIsValid) { // Avoid heavy sql if mandatory date is not defined
$sql .= " WHERE w.entity IN (".getEntity('stock').")";
$sql .= " AND w.rowid = ps.fk_entrepot";
if (!empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) {
$sql .= " AND w.statut IN (".$db->sanitize($db->escape(implode(',', $warehouseStatus))).")";
$sql .= " AND w.statut IN (".$db->sanitize(implode(',', $warehouseStatus)).")";
}
if ($productid > 0) {
$sql .= " AND ps.fk_product = ".$productid;
@ -183,7 +183,7 @@ if ($date && $dateIsValid) {
$sql .= " WHERE w.entity IN (".getEntity('stock').")";
$sql .= " AND w.rowid = sm.fk_entrepot";
if (!empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) {
$sql .= " AND w.statut IN (".$db->sanitize($db->escape(implode(',', $warehouseStatus))).")";
$sql .= " AND w.statut IN (".$db->sanitize(implode(',', $warehouseStatus)).")";
}
if ($mode == 'future') {
$sql .= " AND sm.datem <= '".$db->idate($dateendofday)."'";
@ -191,10 +191,10 @@ if ($date && $dateIsValid) {
$sql .= " AND sm.datem >= '".$db->idate($date)."'";
}
if ($productid > 0) {
$sql .= " AND sm.fk_product = ".$productid;
$sql .= " AND sm.fk_product = ".((int) $productid);
}
if ($fk_warehouse > 0) {
$sql .= " AND sm.fk_entrepot = ".$fk_warehouse;
$sql .= " AND sm.fk_entrepot = ".((int) $fk_warehouse);
}
$sql .= " GROUP BY sm.fk_product, sm.fk_entrepot";
$resql = $db->query($sql);
@ -454,7 +454,7 @@ if (empty($conf->global->PROJECT_HIDE_TASKS) && !empty($conf->global->PROJECT_SH
$sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")"; // project i have permission on
}
if ($mine) { // this may duplicate record if we are contact twice
$sql .= " AND ect.fk_c_type_contact IN (".join(',', array_keys($listoftaskcontacttype)).") AND ect.element_id = t.rowid AND ect.fk_socpeople = ".$user->id;
$sql .= " AND ect.fk_c_type_contact IN (".$db->sanitize(join(',', array_keys($listoftaskcontacttype))).") AND ect.element_id = t.rowid AND ect.fk_socpeople = ".$user->id;
}
if ($socid) {
$sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
@ -131,14 +131,14 @@ class Projects extends DolibarrApi
$sql .= " AND t.fk_soc = sc.fk_soc";
}
if ($socids) {
$sql .= " AND t.fk_soc IN (".$socids.")";
$sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")";
}
if ($search_sale > 0) {
$sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
}
// Insert sale filter
if ($search_sale > 0) {
$sql .= " AND sc.fk_user = ".$search_sale;
$sql .= " AND sc.fk_user = ".((int) $search_sale);
}
// Select projects of given category
if ($category > 0) {
@ -135,14 +135,14 @@ class Tasks extends DolibarrApi
$sql .= " AND t.fk_soc = sc.fk_soc";
}
if ($socids) {
$sql .= " AND t.fk_soc IN (".$socids.")";
$sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")";
}
if ($search_sale > 0) {
$sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
}
// Insert sale filter
if ($search_sale > 0) {
$sql .= " AND sc.fk_user = ".$search_sale;
$sql .= " AND sc.fk_user = ".((int) $search_sale);
}
// Add sql filters
if ($sqlfilters) {
@ -653,19 +653,19 @@ class Project extends CommonObject
$ids = $this->id;
if ($type == 'agenda') {
$sql = "SELECT id as rowid FROM ".MAIN_DB_PREFIX."actioncomm WHERE fk_project IN (".$ids.") AND entity IN (".getEntity('agenda').")";
$sql = "SELECT id as rowid FROM ".MAIN_DB_PREFIX."actioncomm WHERE fk_project IN (".$this->db->sanitize($ids).") AND entity IN (".getEntity('agenda').")";
} elseif ($type == 'expensereport') {
$sql = "SELECT ed.rowid FROM ".MAIN_DB_PREFIX."expensereport as e, ".MAIN_DB_PREFIX."expensereport_det as ed WHERE e.rowid = ed.fk_expensereport AND e.entity IN (".getEntity('expensereport').") AND ed.fk_projet IN (".$ids.")";
$sql = "SELECT ed.rowid FROM ".MAIN_DB_PREFIX."expensereport as e, ".MAIN_DB_PREFIX."expensereport_det as ed WHERE e.rowid = ed.fk_expensereport AND e.entity IN (".getEntity('expensereport').") AND ed.fk_projet IN (".$this->db->sanitize($ids).")";
} elseif ($type == 'project_task') {
$sql = "SELECT DISTINCT pt.rowid FROM ".MAIN_DB_PREFIX."projet_task as pt WHERE pt.fk_projet IN (".$ids.")";
$sql = "SELECT DISTINCT pt.rowid FROM ".MAIN_DB_PREFIX."projet_task as pt WHERE pt.fk_projet IN (".$this->db->sanitize($ids).")";
} elseif ($type == 'project_task_time') { // Case we want to duplicate line foreach user
$sql = "SELECT DISTINCT pt.rowid, ptt.fk_user FROM ".MAIN_DB_PREFIX."projet_task as pt, ".MAIN_DB_PREFIX."projet_task_time as ptt WHERE pt.rowid = ptt.fk_task AND pt.fk_projet IN (".$ids.")";
$sql = "SELECT DISTINCT pt.rowid, ptt.fk_user FROM ".MAIN_DB_PREFIX."projet_task as pt, ".MAIN_DB_PREFIX."projet_task_time as ptt WHERE pt.rowid = ptt.fk_task AND pt.fk_projet IN (".$this->db->sanitize($ids).")";
} elseif ($type == 'stock_mouvement') {
$sql = 'SELECT ms.rowid, ms.fk_user_author as fk_user FROM '.MAIN_DB_PREFIX."stock_mouvement as ms, ".MAIN_DB_PREFIX."entrepot as e WHERE e.rowid = ms.fk_entrepot AND e.entity IN (".getEntity('stock').") AND ms.origintype = 'project' AND ms.fk_origin IN (".$ids.") AND ms.type_mouvement = 1";
$sql = 'SELECT ms.rowid, ms.fk_user_author as fk_user FROM '.MAIN_DB_PREFIX."stock_mouvement as ms, ".MAIN_DB_PREFIX."entrepot as e WHERE e.rowid = ms.fk_entrepot AND e.entity IN (".getEntity('stock').") AND ms.origintype = 'project' AND ms.fk_origin IN (".$this->db->sanitize($ids).") AND ms.type_mouvement = 1";
} elseif ($type == 'loan') {
$sql = 'SELECT l.rowid, l.fk_user_author as fk_user FROM '.MAIN_DB_PREFIX."loan as l WHERE l.entity IN (".getEntity('loan').") AND l.fk_projet IN (".$ids.")";
$sql = 'SELECT l.rowid, l.fk_user_author as fk_user FROM '.MAIN_DB_PREFIX."loan as l WHERE l.entity IN (".getEntity('loan').") AND l.fk_projet IN (".$this->db->sanitize($ids).")";
} else {
$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX.$tablename." WHERE ".$projectkey." IN (".$ids.") AND entity IN (".getEntity($type).")";
$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX.$tablename." WHERE ".$projectkey." IN (".$this->db->sanitize($ids).") AND entity IN (".getEntity($type).")";
}
if ($dates > 0 && $type == 'loan') {
@ -1386,13 +1386,13 @@ class Project extends CommonObject
if ($mode == 0) {
$sql .= " AND ( p.public = 1";
$sql .= " OR ( ec.fk_c_type_contact IN (".join(',', array_keys($listofprojectcontacttype)).")";
$sql .= " OR ( ec.fk_c_type_contact IN (".$this->db->sanitize(join(',', array_keys($listofprojectcontacttype))).")";
$sql .= " AND ec.fk_socpeople = ".$user->id.")";
$sql .= " )";
} elseif ($mode == 1) {
$sql .= " AND ec.element_id = p.rowid";
$sql .= " AND (";
$sql .= " ( ec.fk_c_type_contact IN (".join(',', array_keys($listofprojectcontacttype)).")";
$sql .= " ( ec.fk_c_type_contact IN (".$this->db->sanitize(join(',', array_keys($listofprojectcontacttype))).")";
$sql .= " AND ec.fk_socpeople = ".$user->id.")";
$sql .= " )";
} elseif ($mode == 2) {
@ -1974,7 +1974,7 @@ class Project extends CommonObject
$sql .= " WHERE p.fk_statut = 1";
$sql .= " AND p.entity IN (".getEntity('project').')';
if (!empty($projectsListId)) {
$sql .= " AND p.rowid IN (".$projectsListId.")";
$sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")";
}
// No need to check company, as filtering of projects must be done by getProjectsAuthorizedForUser
//if ($socid || ! $user->rights->societe->client->voir) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
@ -180,11 +180,11 @@ class ProjectStats extends Stats
}
if (!empty($this->status)) {
$sqlwhere[] = " t.fk_opp_status IN (".$this->status.")";
$sqlwhere[] = " t.fk_opp_status IN (".$this->db->sanitize($this->status).")";
}
if (!$user->rights->projet->all->lire) {
$sqlwhere[] = " t.rowid IN (".$projectsListId.")"; // public and assigned to, or restricted to company for external users
$sqlwhere[] = " t.rowid IN (".$this->db->sanitize($projectsListId).")"; // public and assigned to, or restricted to company for external users
}
if (count($sqlwhere) > 0) {
@ -2002,12 +2002,12 @@ class Task extends CommonObject
$sql .= " AND t.fk_projet = p.rowid";
$sql .= " AND (t.progress IS NULL OR t.progress < 100)"; // tasks to do
if (!$user->rights->projet->all->lire) {
$sql .= " AND p.rowid IN (".$projectsListId.")";
$sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")";
}
// No need to check company, as filtering of projects must be done by getProjectsAuthorizedForUser
//if ($socid || ! $user->rights->societe->client->voir) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
if ($socid) {
$sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
$sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".((int) $socid).")";
}
// No need to check company, as filtering of projects must be done by getProjectsAuthorizedForUser
// if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND ((s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id.") OR (s.rowid IS NULL))";
@ -2076,7 +2076,7 @@ class Task extends CommonObject
$sql .= " WHERE p.entity IN (".getEntity('project', 0).')';
$sql .= " AND t.fk_projet = p.rowid"; // tasks to do
if ($mine || !$user->rights->projet->all->lire) {
$sql .= " AND p.rowid IN (".$projectsListId.")";
$sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")";
}
// No need to check company, as filtering of projects must be done by getProjectsAuthorizedForUser
//if ($socid || ! $user->rights->societe->client->voir) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
@ -154,9 +154,8 @@ class TaskStats extends Stats
if (!empty($this->yearmonth)) {
$sqlwhere[] = " t.datec BETWEEN '".$this->db->idate(dol_get_first_day($this->yearmonth))."' AND '".$this->db->idate(dol_get_last_day($this->yearmonth))."'";
}
if (!empty($this->status)) {
$sqlwhere[] = " t.priority IN (".$this->priority.")";
if (!empty($this->priority)) {
$sqlwhere[] = " t.priority IN (".$this->db->sanitize($this->priority, 1).")";
}
if (count($sqlwhere) > 0) {
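Review bot: The rewritten guard now tests `$this->priority` instead of `$this->status` before using `$this->priority`, fixing the mismatch between condition and value, but the `1` passed as second argument to `$this->db->sanitize()` on L4300 is the only such call in the commit and nothing at the call site says what the flag changes or why priority needs it. A one-line why-comment keeps the next reader from "normalising" it away, e.g. `// second arg presumably relaxes the character filter for priority values — TODO confirm against sanitize()`. The `$sqlwhere` array is assembled partly outside this hunk.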
@ -23,10 +23,10 @@ if (!empty($conf->global->PROJECT_USE_OPPORTUNITIES)) {
$sql .= " WHERE p.entity IN (".getEntity('project').")";
$sql .= " AND p.fk_statut = 1"; // Opend projects only
if ($mine || empty($user->rights->projet->all->lire)) {
$sql .= " AND p.rowid IN (".$projectsListId.")";
$sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")";
}
if ($socid) {
$sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
if ($socid > 0) {
$sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".((int) $socid).")";
}
$sql .= " GROUP BY p.fk_opp_status, cls.code";
$resql = $db->query($sql);
@ -238,7 +238,7 @@ $sql .= " FROM ".MAIN_DB_PREFIX."projet as p";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s on p.fk_soc = s.rowid";
$sql .= " WHERE p.entity IN (".getEntity('project').")";
if ($mine || empty($user->rights->projet->all->lire)) {
$sql .= " AND p.rowid IN (".$projectsListId.")"; // If we have this test true, it also means projectset is not 2
$sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")"; // If we have this test true, it also means projectset is not 2
}
if ($socid) {
$sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
@ -338,10 +338,10 @@ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s on p.fk_soc = s.rowid";
$sql .= " WHERE p.entity IN (".getEntity('project').")";
$sql .= " AND p.fk_statut = 1";
if ($mine || empty($user->rights->projet->all->lire)) {
$sql .= " AND p.rowid IN (".$projectsListId.")"; // If we have this test true, it also means projectset is not 2
$sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")"; // If we have this test true, it also means projectset is not 2
}
if ($socid) {
$sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
if ($socid > 0) {
$sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".((int) $socid).")";
}
$sql .= " GROUP BY s.rowid, s.nom, s.name_alias, s.code_client, s.code_compta, s.client, s.code_fournisseur, s.code_compta_fournisseur, s.fournisseur, s.logo, s.email, s.entity, s.canvas, s.status";
$sql .= $db->order($sortfield, $sortorder);
@ -370,11 +370,11 @@ if (!empty($conf->categorie->enabled)) {
$sql .= Categorie::getFilterSelectQuery(Categorie::TYPE_PROJECT, "p.rowid", $search_category_array);
}
if (!$user->rights->projet->all->lire) {
$sql .= " AND p.rowid IN (".$projectsListId.")"; // public and assigned to, or restricted to company for external users
$sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")"; // public and assigned to, or restricted to company for external users
}
// No need to check if company is external user, as filtering of projects must be done by getProjectsAuthorizedForUser
if ($socid > 0) {
$sql .= " AND (p.fk_soc = ".$socid.")"; // This filter if when we use a hard coded filter on company on url (not related to filter for external users)
$sql .= " AND (p.fk_soc = ".((int) $socid).")"; // This filter if when we use a hard coded filter on company on url (not related to filter for external users)
}
if ($search_ref) {
$sql .= natural_search('p.ref', $search_ref);
@ -334,17 +334,17 @@ if ($search_task_user > 0) {
$sql .= " WHERE t.fk_projet = p.rowid";
$sql .= " AND p.entity IN (".getEntity('project').')';
if (!$user->rights->projet->all->lire) {
$sql .= " AND p.rowid IN (".($projectsListId ? $projectsListId : '0').")"; // public and assigned to projects, or restricted to company for external users
$sql .= " AND p.rowid IN (".$db->sanitize($projectsListId ? $projectsListId : '0').")"; // public and assigned to projects, or restricted to company for external users
}
if (is_object($projectstatic) && $projectstatic->id > 0) {
$sql .= " AND p.rowid = ".$projectstatic->id;
$sql .= " AND p.rowid = ".((int) $projectstatic->id);
}
// No need to check company, as filtering of projects must be done by getProjectsAuthorizedForUser
if ($socid) {
$sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
$sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".((int) $socid).")";
}
if ($search_categ > 0) {
$sql .= " AND cs.fk_categorie = ".$db->escape($search_categ);
$sql .= " AND cs.fk_categorie = ".((int) $search_categ);
}
if ($search_categ == -2) {
$sql .= " AND cs.fk_categorie IS NULL";
@ -389,10 +389,10 @@ if ($search_public != '') {
$sql .= " AND p.public = ".$db->escape($search_public);
}
if ($search_project_user > 0) {
$sql .= " AND ecp.fk_c_type_contact IN (".join(',', array_keys($listofprojectcontacttype)).") AND ecp.element_id = p.rowid AND ecp.fk_socpeople = ".$search_project_user;
$sql .= " AND ecp.fk_c_type_contact IN (".$db->sanitize(join(',', array_keys($listofprojectcontacttype))).") AND ecp.element_id = p.rowid AND ecp.fk_socpeople = ".$search_project_user;
}
if ($search_task_user > 0) {
$sql .= " AND ect.fk_c_type_contact IN (".join(',', array_keys($listoftaskcontacttype)).") AND ect.element_id = t.rowid AND ect.fk_socpeople = ".$search_task_user;
$sql .= " AND ect.fk_c_type_contact IN (".$db->sanitize(join(',', array_keys($listoftaskcontacttype))).") AND ect.element_id = t.rowid AND ect.fk_socpeople = ".$search_task_user;
}
// Add where from extra fields
include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_search_sql.tpl.php';
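Review bot: `$sql .= " AND p.public = ".$db->escape($search_public);` on L4541 relies on `escape()` for an unquoted numeric comparison, which is the exact pattern this hunk replaces at L4523/L4526 for `$search_categ`; escaping only addresses quote and backslash characters, so an unquoted context needs a type cast instead: `$sql .= " AND p.public = ".((int) $search_public);`. In the same hunk `$search_project_user` (L4553) and `$search_task_user` (L4565) are spliced in bare after only a `> 0` check, which passes strings that merely start with a digit, so `((int) ...)` on both closes that. L4541 is printed once and so appears to be a context line, i.e. unchanged on the new side.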
@ -1036,7 +1036,7 @@ if (($id > 0 || !empty($ref)) || $projectidforalltimes > 0) {
if (empty($projectidforalltimes)) {
$sql .= " AND t.fk_task =".$object->id;
} else {
$sql .= " AND pt.fk_projet IN (".$projectidforalltimes.")";
$sql .= " AND pt.fk_projet IN (".$db->sanitize($projectidforalltimes).")";
}
if ($search_note) {
$sql .= natural_search('t.note', $search_note);
@ -472,10 +472,10 @@ if ($search_state) {
$sql .= natural_search("state.nom", $search_state);
}
if ($search_country) {
$sql .= " AND s.fk_pays IN (".$search_country.')';
$sql .= " AND s.fk_pays IN (".$db->sanitize($search_country).')';
}
if ($search_type_thirdparty != '' && $search_type_thirdparty > 0) {
$sql .= " AND s.fk_typent IN (".$search_type_thirdparty.')';
$sql .= " AND s.fk_typent IN (".$db->sanitize($search_type_thirdparty).')';
}
if ($search_ref_rcp) {
$sql .= natural_search('e.ref', $search_ref_rcp);
@ -247,7 +247,7 @@ $sql .= " ".MAIN_DB_PREFIX."user as u";
$sql .= " WHERE u.rowid = s.fk_user";
$sql .= " AND s.entity IN (".getEntity('payment_salaries').")";
if (empty($user->rights->salaries->readall)) {
$sql .= " AND s.fk_user IN (".join(',', $childids).")";
$sql .= " AND s.fk_user IN (".$db->sanitize(join(',', $childids)).")";
}
// Search criteria
@ -190,22 +190,18 @@ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."bank_account as ba ON b.fk_account = ba.ro
$sql .= " ".MAIN_DB_PREFIX."user as u";
$sql .= " WHERE u.rowid = sal.fk_user";
$sql .= " AND s.entity IN (".getEntity('payment_salaries').")";
if (empty($user->rights->salaries->readall)) $sql .= " AND s.fk_user IN (".join(',', $childids).")";
if (empty($user->rights->salaries->readall)) $sql .= " AND s.fk_user IN (".$db->sanitize(join(',', $childids)).")";
// Search criteria
|
||||
if ($search_ref) $sql .= " AND s.rowid=".((int) $search_ref);
|
||||
if ($search_ref_salary) $sql .= " AND sal.rowid=".((int) $search_ref_salary);
|
||||
if ($search_ref_salary) $sql .= " AND sal.rowid=".((int) $search_ref_salary);
|
||||
if ($search_user) $sql .= natural_search(array('u.login', 'u.lastname', 'u.firstname', 'u.email'), $search_user);
|
||||
if ($search_label) $sql .= natural_search(array('sal.label'), $search_label);
|
||||
if ($search_date_start) $sql .= " AND s.datep >= '".$db->idate($search_date_start)."'";
|
||||
if ($search_date_end) $sql .= " AND s.datep <= '".$db->idate($search_date_end)."'";
|
||||
if ($search_amount) $sql .= natural_search("s.amount", $search_amount, 1);
|
||||
if ($search_account > 0) $sql .= " AND b.fk_account=".((int) $search_account);
|
||||
if ($filtre) {
|
||||
$filtre = str_replace(":", "=", $filtre);
|
||||
$sql .= " AND ".$filtre;
|
||||
}
|
||||
if ($search_type_id) {
|
||||
if ($search_type_id > 0) {
|
||||
$sql .= " AND s.fk_typepayment=".$search_type_id;
|
||||
}
|
||||
$sql .= $db->order($sortfield, $sortorder);
|
||||
|
||||
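Review bot: `$filtre` is rewritten with `str_replace(":", "=", $filtre)` and then appended verbatim as `" AND ".$filtre`, the one fragment of this query with no escaping, sanitising or casting at all; if `$filtre` can originate from the request (the hunk does not show where it is set), that is a larger exposure than the `IN (...)` list the commit hardens. Restricting it to a fixed `column=int` shape, e.g. `if (preg_match('/^[a-z_.]+=[0-9]+$/i', $filtre)) { $sql .= " AND ".$filtre; }`, would close it without changing the intended use. Separately, `$search_type_id` is concatenated uncast on the `s.fk_typepayment=` line even though the neighbouring lines use `((int) ...)`; `((int) $search_type_id)` makes it consistent. The statement run continues beyond the hunk on both sides.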
@ -192,7 +192,7 @@ class Contacts extends DolibarrApi
|
||||
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON t.fk_soc = s.rowid";
|
||||
$sql .= ' WHERE t.entity IN ('.getEntity('socpeople').')';
|
||||
if ($socids) {
|
||||
$sql .= " AND t.fk_soc IN (".$socids.")";
|
||||
$sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")";
|
||||
}
|
||||
|
||||
if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) || $search_sale > 0) {
|
||||
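Review bot: `$socids` appears to be a comma-separated list of thirdparty row ids, so after `$this->db->sanitize()` it can still carry non-numeric tokens or become the empty string, and `t.fk_soc IN ()` is a SQL error rather than an empty result. Normalising the elements to integers is the tighter check and fails safe (an all-invalid input yields `IN (0)`): `$sql .= " AND t.fk_soc IN (".implode(',', array_map('intval', explode(',', $socids))).")";`. The same pattern is in the Thirdparties hunk (`t.rowid IN`), the Supplierproposals hunk (`t.fk_soc IN`) and both Users hunks (`$user_ids`, `$group_ids`). The method body continues outside the hunk.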
@ -203,7 +203,7 @@ class Contacts extends DolibarrApi
|
||||
}
|
||||
// Insert sale filter
|
||||
if ($search_sale > 0) {
|
||||
$sql .= " AND sc.fk_user = ".$search_sale;
|
||||
$sql .= " AND sc.fk_user = ".((int) $search_sale);
|
||||
}
|
||||
|
||||
// Select contacts of given category
|
||||
|
||||
@ -187,14 +187,14 @@ class Thirdparties extends DolibarrApi
|
||||
}
|
||||
//if ($email != NULL) $sql.= " AND s.email = \"".$email."\"";
|
||||
if ($socids) {
|
||||
$sql .= " AND t.rowid IN (".$socids.")";
|
||||
$sql .= " AND t.rowid IN (".$this->db->sanitize($socids).")";
|
||||
}
|
||||
if ($search_sale > 0) {
|
||||
$sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
|
||||
}
|
||||
// Insert sale filter
|
||||
if ($search_sale > 0) {
|
||||
$sql .= " AND sc.fk_user = ".$search_sale;
|
||||
$sql .= " AND sc.fk_user = ".((int) $search_sale);
|
||||
}
|
||||
// Add sql filters
|
||||
if ($sqlfilters) {
|
||||
|
||||
@ -584,7 +584,7 @@ if ($search_region) {
|
||||
$sql .= natural_search("region.nom", $search_region);
|
||||
}
|
||||
if ($search_country && $search_country != '-1') {
|
||||
$sql .= " AND s.fk_pays IN (".$db->sanitize($db->escape($search_country)).')';
|
||||
$sql .= " AND s.fk_pays IN (".$db->sanitize($search_country).')';
|
||||
}
|
||||
if ($search_email) {
|
||||
$sql .= natural_search("s.email", $search_email);
|
||||
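Review bot: dropping the inner `$db->escape()` is fine, but the guard `$search_country != '-1'` is evaluated on the raw value while the emitted list is the sanitised one, so an input that sanitises to the empty string passes the guard and produces `s.fk_pays IN ()`, a SQL error. Sanitise once into a local and test that instead: `$tmp = $db->sanitize($search_country); if ($tmp !== '' && $tmp != '-1') { $sql .= " AND s.fk_pays IN (".$tmp.')'; }`. The `u.fk_user IN` and `u.statut IN` hunks in the user list have the same guard-on-raw, emit-sanitised shape, though their numeric pre-checks narrow the gap.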
@ -621,7 +621,7 @@ if (strlen($search_vat)) {
|
||||
}
|
||||
// Filter on type of thirdparty
|
||||
if ($search_type > 0 && in_array($search_type, array('1,3', '1,2,3', '2,3'))) {
|
||||
$sql .= " AND s.client IN (".$db->sanitize($db->escape($search_type)).")";
|
||||
$sql .= " AND s.client IN (".$db->sanitize($search_type).")";
|
||||
}
|
||||
if ($search_type > 0 && in_array($search_type, array('4'))) {
|
||||
$sql .= " AND s.fournisseur = 1";
|
||||
|
||||
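Review bot: `in_array($search_type, array('1,3', '1,2,3', '2,3'))` whitelists the value before use, which makes the added `$db->sanitize()` redundant but harmless; what the whitelist lacks is the strict flag, so it relies on loose comparison between `$search_type` and the allowed strings. `in_array($search_type, array('1,3', '1,2,3', '2,3'), true)` pins it to an exact string match; the preceding `$search_type > 0` is itself a loose numeric test on a string like `'1,3'` and adds little once the membership check is strict.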
@ -124,14 +124,14 @@ class Supplierproposals extends DolibarrApi
|
||||
$sql .= " AND t.fk_soc = sc.fk_soc";
|
||||
}
|
||||
if ($socids) {
|
||||
$sql .= " AND t.fk_soc IN (".$socids.")";
|
||||
$sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")";
|
||||
}
|
||||
if ($search_sale > 0) {
|
||||
$sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
|
||||
}
|
||||
// Insert sale filter
|
||||
if ($search_sale > 0) {
|
||||
$sql .= " AND sc.fk_user = ".$search_sale;
|
||||
$sql .= " AND sc.fk_user = ".((int) $search_sale);
|
||||
}
|
||||
// Add sql filters
|
||||
if ($sqlfilters) {
|
||||
|
||||
@ -329,10 +329,10 @@ if ($search_state) {
|
||||
$sql .= natural_search("state.nom", $search_state);
|
||||
}
|
||||
if ($search_country) {
|
||||
$sql .= " AND s.fk_pays IN (".$search_country.')';
|
||||
$sql .= " AND s.fk_pays IN (".$db->sanitize($search_country).')';
|
||||
}
|
||||
if ($search_type_thirdparty != '' && $search_type_thirdparty > 0) {
|
||||
$sql .= " AND s.fk_typent IN (".$search_type_thirdparty.')';
|
||||
$sql .= " AND s.fk_typent IN (".$db->sanitize($search_type_thirdparty).')';
|
||||
}
|
||||
if ($search_ref) {
|
||||
$sql .= natural_search('sp.ref', $search_ref);
|
||||
|
||||
@ -87,7 +87,7 @@ class Users extends DolibarrApi
|
||||
}
|
||||
$sql .= ' WHERE t.entity IN ('.getEntity('user').')';
|
||||
if ($user_ids) {
|
||||
$sql .= " AND t.rowid IN (".$user_ids.")";
|
||||
$sql .= " AND t.rowid IN (".$this->db->sanitize($user_ids).")";
|
||||
}
|
||||
|
||||
// Select products of given category
|
||||
@ -473,7 +473,7 @@ class Users extends DolibarrApi
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."usergroup as t";
|
||||
$sql .= ' WHERE t.entity IN ('.getEntity('user').')';
|
||||
if ($group_ids) {
|
||||
$sql .= " AND t.rowid IN (".$group_ids.")";
|
||||
$sql .= " AND t.rowid IN (".$this->db->sanitize($group_ids).")";
|
||||
}
|
||||
// Add sql filters
|
||||
if ($sqlfilters) {
|
||||
|
||||
@ -357,7 +357,7 @@ if ($socid > 0) {
|
||||
}
|
||||
//if ($search_user != '') $sql.=natural_search(array('u.login', 'u.lastname', 'u.firstname'), $search_user);
|
||||
if ($search_supervisor > 0) {
|
||||
$sql .= " AND u.fk_user IN (".$db->sanitize($db->escape($search_supervisor)).")";
|
||||
$sql .= " AND u.fk_user IN (".$db->sanitize($search_supervisor).")";
|
||||
}
|
||||
if ($search_thirdparty != '') {
|
||||
$sql .= natural_search(array('s.nom'), $search_thirdparty);
|
||||
@ -393,7 +393,7 @@ if ($search_api_key != '') {
|
||||
$sql .= natural_search("u.api_key", $search_api_key);
|
||||
}
|
||||
if ($search_statut != '' && $search_statut >= 0) {
|
||||
$sql .= " AND u.statut IN (".$db->sanitize($db->escape($search_statut)).")";
|
||||
$sql .= " AND u.statut IN (".$db->sanitize($search_statut).")";
|
||||
}
|
||||
if ($sall) {
|
||||
$sql .= natural_search(array_keys($fieldstosearchall), $sall);
|
||||
|
||||
@ -85,7 +85,7 @@ class ProductAttribute extends CommonObject
|
||||
return -1;
|
||||
}
|
||||
|
||||
$sql = "SELECT rowid, ref, ref_ext, label, rang FROM ".MAIN_DB_PREFIX."product_attribute WHERE rowid = ".(int) $id." AND entity IN (".getEntity('product').")";
|
||||
$sql = "SELECT rowid, ref, ref_ext, label, rang FROM ".MAIN_DB_PREFIX."product_attribute WHERE rowid = ".((int) $id)." AND entity IN (".getEntity('product').")";
|
||||
|
||||
$query = $this->db->query($sql);
|
||||
|
||||
@ -249,7 +249,7 @@ class ProductAttribute extends CommonObject
|
||||
public function countChildProducts()
|
||||
{
|
||||
$sql = "SELECT COUNT(*) count FROM ".MAIN_DB_PREFIX."product_attribute_combination2val pac2v
|
||||
LEFT JOIN ".MAIN_DB_PREFIX."product_attribute_combination pac ON pac2v.fk_prod_combination = pac.rowid WHERE pac2v.fk_prod_attr = ".(int) $this->id." AND pac.entity IN (".getEntity('product').")";
|
||||
LEFT JOIN ".MAIN_DB_PREFIX."product_attribute_combination pac ON pac2v.fk_prod_combination = pac.rowid WHERE pac2v.fk_prod_attr = ".((int) $this->id)." AND pac.entity IN (".getEntity('product').")";
|
||||
|
||||
$query = $this->db->query($sql);
|
||||
|
||||
|
||||
@ -106,7 +106,7 @@ class ProductCombination
|
||||
{
|
||||
global $conf;
|
||||
|
||||
$sql = "SELECT rowid, fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight, variation_ref_ext FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE rowid = ".(int) $rowid." AND entity IN (".getEntity('product').")";
|
||||
$sql = "SELECT rowid, fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight, variation_ref_ext FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE rowid = ".((int) $rowid)." AND entity IN (".getEntity('product').")";
|
||||
|
||||
$query = $this->db->query($sql);
|
||||
|
||||
@ -281,7 +281,7 @@ class ProductCombination
|
||||
{
|
||||
global $conf;
|
||||
|
||||
$sql = "SELECT rowid, fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE fk_product_parent = ".(int) $fk_product_parent." AND entity IN (".getEntity('product').")";
|
||||
$sql = "SELECT rowid, fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE fk_product_parent = ".((int) $fk_product_parent)." AND entity IN (".getEntity('product').")";
|
||||
|
||||
$query = $this->db->query($sql);
|
||||
|
||||
@ -320,7 +320,7 @@ class ProductCombination
|
||||
public function countNbOfCombinationForFkProductParent($fk_product_parent)
|
||||
{
|
||||
$nb = 0;
|
||||
$sql = "SELECT count(rowid) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE fk_product_parent = ".(int) $fk_product_parent." AND entity IN (".getEntity('product').")";
|
||||
$sql = "SELECT count(rowid) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE fk_product_parent = ".((int) $fk_product_parent)." AND entity IN (".getEntity('product').")";
|
||||
|
||||
$resql = $this->db->query($sql);
|
||||
if ($resql) {
|
||||
|
||||
@ -426,7 +426,7 @@ class WebsitePage extends CommonObject
|
||||
}
|
||||
$listoflang[] = "'".$this->db->escape(substr(str_replace("'", '', $tmpvalue), 0, 2))."'";
|
||||
}
|
||||
$stringtouse = $key." IN (".join(',', $listoflang).")";
|
||||
$stringtouse = $key." IN (".$this->db->sanitize(join(',', $listoflang)).")";
|
||||
if ($foundnull) {
|
||||
$stringtouse = '('.$stringtouse.' OR '.$key.' IS NULL)';
|
||||
}
|
||||
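Review bot: each entry of `$listoflang` is built as a quoted literal (`"'".$this->db->escape(...)."'"`), and `$this->db->sanitize()` with its default arguments is, as far as I can tell from Dolibarr's DoliDB, a character filter that does not admit single quotes; if so the wrapper strips them and the clause becomes `lang IN (en,fr)`, which the database parses as column names and rejects. Either pass the `$allowsimplequote` argument if the `sanitize()` in this tree has it, or keep `join(',', $listoflang)` as it was, since each element is already escaped and capped at two characters by the line above. The identical change in the `@ -528,7 +528,7` hunk has the same problem, and the two language-list builders are duplicates that could share one private helper. The enclosing method starts outside the hunk.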
@ -528,7 +528,7 @@ class WebsitePage extends CommonObject
|
||||
}
|
||||
$listoflang[] = "'".$this->db->escape(substr(str_replace("'", '', $tmpvalue), 0, 2))."'";
|
||||
}
|
||||
$stringtouse = $key." IN (".join(',', $listoflang).")";
|
||||
$stringtouse = $key." IN (".$this->db->sanitize(join(',', $listoflang)).")";
|
||||
if ($foundnull) {
|
||||
$stringtouse = '('.$stringtouse.' OR '.$key.' IS NULL)';
|
||||
}
|
||||
|
||||