From 20c874d441a3c9ffbb6e4d201146e7ce7b7fc5d8 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 25 Oct 2021 18:48:44 +0200
Subject: [PATCH] Fix escape sql params.
---
 htdocs/core/class/infobox.class.php | 2 +-
 htdocs/don/card.php | 2 +-
 htdocs/expensereport/card.php | 2 +-
 htdocs/product/ajax/products.php | 2 +-
 test/phpunit/CodingPhpTest.php | 4 ++--
 5 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/htdocs/core/class/infobox.class.php b/htdocs/core/class/infobox.class.php
index bdd0f79a0aa..07962e6e98d 100644
--- a/htdocs/core/class/infobox.class.php
+++ b/htdocs/core/class/infobox.class.php
@@ -215,7 +215,7 @@ class InfoBox
 /**
 * Save order of boxes for area and user
 *
- @param DoliDB $dbs Database handler
+ @param DoliDB $dbs Database handler
 * @param int $zone Name of area (0 for Homepage, ...)
 * @param string $boxorder List of boxes with correct order 'A:123,456,...-B:789,321...'
 * @param int $userid Id of user
diff --git a/htdocs/don/card.php b/htdocs/don/card.php
index b4c84c15203..6bfa9130363 100644
--- a/htdocs/don/card.php
+++ b/htdocs/don/card.php
@@ -787,7 +787,7 @@ if (!empty($id) && $action != 'edit') {
 $sql .= " FROM ".MAIN_DB_PREFIX."payment_donation as p";
 $sql .= ", ".MAIN_DB_PREFIX."c_paiement as c ";
 $sql .= ", ".MAIN_DB_PREFIX."don as d";
- $sql .= " WHERE d.rowid = '".$id."'";
+ $sql .= " WHERE d.rowid = ".((int) $id);
 $sql .= " AND p.fk_donation = d.rowid";
 $sql .= " AND d.entity IN (".getEntity('donation').")";
 $sql .= " AND p.fk_typepayment = c.id";
diff --git a/htdocs/expensereport/card.php b/htdocs/expensereport/card.php
index 92c12f74e6d..b711a65d25a 100644
--- a/htdocs/expensereport/card.php
+++ b/htdocs/expensereport/card.php
@@ -1924,7 +1924,7 @@ if ($action == 'create') {
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_paiement as c ON p.fk_typepayment = c.id";
 $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'bank as b ON p.fk_bank = b.rowid';
 $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'bank_account as ba ON b.fk_account = ba.rowid';
- $sql .= " WHERE e.rowid = '".$id."'";
+ $sql .= " WHERE e.rowid = ".((int) $id);
 $sql .= " AND p.fk_expensereport = e.rowid";
 $sql .= ' AND e.entity IN ('.getEntity('expensereport').')';
 $sql .= " ORDER BY dp";
diff --git a/htdocs/product/ajax/products.php b/htdocs/product/ajax/products.php
index 9ba8d9cec09..84562bf95a4 100644
--- a/htdocs/product/ajax/products.php
+++ b/htdocs/product/ajax/products.php
@@ -144,7 +144,7 @@ if (!empty($action) && $action == 'fetch' && !empty($id)) {
 if (!$found && isset($price_level) && $price_level >= 1 && (!empty($conf->global->PRODUIT_MULTIPRICES) || !empty($conf->global->PRODUIT_CUSTOMER_PRICES_BY_QTY_MULTIPRICES))) { // If we need a particular price level (from 1 to 6)
 $sql = "SELECT price, price_ttc, price_base_type, tva_tx";
 $sql .= " FROM ".MAIN_DB_PREFIX."product_price ";
- $sql .= " WHERE fk_product = '".$id."'";
+ $sql .= " WHERE fk_product = ".((int) $id);
 $sql .= " AND entity IN (".getEntity('productprice').")";
 $sql .= " AND price_level = ".((int) $price_level);
 $sql .= " ORDER BY date_price";
diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php
index c0bf927e382..2681164c857 100644
--- a/test/phpunit/CodingPhpTest.php
+++ b/test/phpunit/CodingPhpTest.php
@@ -363,9 +363,9 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
 // Check string sql|set|WHERE|...'".$yyy->xxx with xxx that is not 'escape', 'idate', .... It means we forget a db->escape when forging sql request.
 $ok=true;
 $matches=array();
- preg_match_all('/(sql|SET|WHERE|INSERT|VALUES).+\s*\'"\s*\.\s*\$(........)/', $filecontent, $matches, PREG_SET_ORDER);
+ preg_match_all('/(sql|SET|WHERE|INSERT|VALUES).+\s*\'"\s*\.\s*\$(.......)/', $filecontent, $matches, PREG_SET_ORDER);
 foreach ($matches as $key => $val) {
- if (! in_array($val[2], array('this->db', 'this->es', 'db->esca', 'dbs->esc', 'mydb->es', 'dbsessio', 'db->idat', 'escapedl', 'excludeG', 'includeG'))) {
+ if (! in_array($val[2], array('this->d', 'this->e', 'db->esc', 'dbs->es', 'mydb->e', 'dbsessi', 'db->ida', 'escaped', 'exclude', 'include'))) {
 $ok=false; // This will generate error
 break;
 }
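Review bot: Shortening the captured span to seven characters in the new preg_match_all line widens every allow-list entry on the new in_array line: `'this->d'` now exempts any `$this->d…` member and `'this->e'` any `$this->e…` member, where the old eight-character entries at least pinned `$this->db` and `$this->es…`, so an unescaped property concatenated after `'".` can slip past the very check this commit is tightening the code to satisfy. A fixed-width prefix is fragile in both directions; capturing the whole accessor chain and comparing full names is more robust, e.g. `preg_match_all('/(sql|SET|WHERE|INSERT|VALUES).+\s*\'"\s*\.\s*\$([\w>-]+)/', $filecontent, $matches, PREG_SET_ORDER);` with entries such as `'this->db->escape'`, `'db->escape'` and `'db->idate'`; the remaining entries (`dbsessi`, `escaped`, `exclude`, `include`) would need their full names taken from the call sites that currently match them. While there, `in_array($val[2], [...], true)` avoids loose comparison. The enclosing test method starts and ends outside the hunk.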