diff --git a/htdocs/boutique/client/fiche.php b/htdocs/boutique/client/fiche.php index 3e67a6a772f..9e7970c9621 100644 --- a/htdocs/boutique/client/fiche.php +++ b/htdocs/boutique/client/fiche.php @@ -28,6 +28,8 @@ require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/boutique/osc_master.inc.php'; include_once DOL_DOCUMENT_ROOT.'/boutique/client/class/boutiqueclient.class.php'; +$id=GETPOST('id', 'int'); + /* * Actions @@ -43,10 +45,10 @@ include_once DOL_DOCUMENT_ROOT.'/boutique/client/class/boutiqueclient.class.php' llxHeader(); -if ($_GET['id']) +if ($id > 0) { $client = new BoutiqueClient($dbosc); - $result = $client->fetch($_GET['id']); + $result = $client->fetch($id); if ( $result ) { print '
'.$langs->trans("CustomerCard").': '.$client->name.'

'; @@ -62,7 +64,7 @@ if ($_GET['id']) */ $sql = "SELECT o.orders_id, o.customers_id, date_purchased, t.value as total"; $sql .= " FROM ".$conf->global->OSC_DB_NAME.".".$conf->global->OSC_DB_TABLE_PREFIX."orders as o, ".$conf->global->OSC_DB_NAME.".".$conf->global->OSC_DB_TABLE_PREFIX."orders_total as t"; - $sql .= " WHERE o.customers_id = " . $_GET['id']; + $sql .= " WHERE o.customers_id = " . $client->id; $sql .= " AND o.orders_id = t.orders_id AND t.class = 'ot_total'"; //echo $sql; $resql=$dbosc->query($sql); diff --git a/htdocs/boutique/commande/fiche.php b/htdocs/boutique/commande/fiche.php index 5753aba6187..c22bbf548ec 100644 --- a/htdocs/boutique/commande/fiche.php +++ b/htdocs/boutique/commande/fiche.php @@ -30,7 +30,7 @@ include_once DOL_DOCUMENT_ROOT.'/boutique/commande/class/boutiquecommande.class. $langs->load("products"); - +$id=GETPOST('id', 'int'); /* * View @@ -39,11 +39,11 @@ $langs->load("products"); llxHeader(); -if ($_GET['id']) +if ($id > 0) { $commande = new BoutiqueCommande($db); - $result = $commande->fetch($_GET['id']); - if ( $result ) + $result = $commande->fetch($id); + if ($result) { print '
'.$langs->trans("OrderCard").': '.$commande->id.'

'; @@ -69,7 +69,7 @@ if ($_GET['id']) */ $sql = "SELECT orders_id, products_id, products_model, products_name, products_price, final_price, products_quantity"; $sql .= " FROM ".$conf->global->OSC_DB_NAME.".".$conf->global->OSC_DB_TABLE_PREFIX."orders_products"; - $sql .= " WHERE orders_id = " . $_GET['id']; + $sql .= " WHERE orders_id = " . $commande->id; //$commande->id; // echo $sql; $resql=$dbosc->query($sql); diff --git a/htdocs/comm/contact.php b/htdocs/comm/contact.php index d1e29fe5a40..eb46f093ccf 100644 --- a/htdocs/comm/contact.php +++ b/htdocs/comm/contact.php @@ -37,7 +37,11 @@ if ($page < 0) { $page = 0; } $limit = $conf->liste_limit; $offset = $limit * $page ; -$type=$_GET["type"]; +$type=GETPOST('type', 'alpha'); +$search_lastname=GETPOST('search_nom')?GETPOST('search_nom'):GETPOST('search_lastname'); // For backward compatibility +$search_firstname=GETPOST('search_prenom')?GETPOST('search_prenom'):GETPOST('search_firstname'); // For backward compatibility +$search_company=GETPOST('search_societe')?GETPOST('search_societe'):GETPOST('search_company'); // For backward compatibility +$contactname=GETPOST('contactname'); // Security check $socid = GETPOST('socid','int'); @@ -91,29 +95,30 @@ if (dol_strlen($stcomm)) $sql.= " AND s.fk_stcomm=$stcomm"; } +// FIXME $begin not exist if (dol_strlen($begin)) // filtre sur la premiere lettre du nom { $sql.= " AND upper(p.name) LIKE '".$begin."%'"; } -if (trim($_GET["search_nom"])) +if (! empty($search_lastname)) { - $sql.= " AND p.name LIKE '%".trim($_GET["search_nom"])."%'"; + $sql.= " AND p.name LIKE '%".$db->escape($search_lastname)."%'"; } -if (trim($_GET["search_prenom"])) +if (! empty($search_firstname)) { - $sql.= " AND p.firstname LIKE '%".trim($_GET["search_prenom"])."%'"; + $sql.= " AND p.firstname LIKE '%".$db->escape($search_firstname)."%'"; } -if (trim($_GET["search_societe"])) +if (! empty($search_company)) { - $sql.= " AND s.nom LIKE '%".trim($_GET["search_societe"])."%'"; + $sql.= " AND s.nom LIKE '%".$db->escape($search_company)."%'"; } -if ($_GET["contactname"]) // acces a partir du module de recherche +if (! empty($contactname)) // acces a partir du module de recherche { - $sql.= " AND (p.name LIKE '%".strtolower($_GET["contactname"])."%' OR lower(p.firstname) LIKE '%".strtolower($_GET["contactname"])."%') "; + $sql.= " AND (p.name LIKE '%".$db->escape(strtolower($contactname))."%' OR lower(p.firstname) LIKE '%".$db->escape(strtolower($contactname))."%') "; $sortfield = "p.name"; $sortorder = "ASC"; } @@ -125,7 +130,7 @@ $resql = $db->query($sql); if ($resql) { $num = $db->num_rows($resql); - + $title = (! empty($conf->global->SOCIETE_ADDRESSES_MANAGEMENT) ? $langs->trans("ListOfContacts") : $langs->trans("ListOfContactsAddresses")); print_barre_liste($title.($label?" (".$label.")":""),$page, $_SERVER["PHP_SELF"], "&type=$type",$sortfield,$sortorder,"",$num); @@ -140,9 +145,9 @@ if ($resql) print '
'; print ''; - print ''; - print ''; - print ''; + print ''; + print ''; + print ''; print ' '; print ''; print "\n"; diff --git a/htdocs/comm/index.php b/htdocs/comm/index.php index d124b836692..e3df88ec3ce 100644 --- a/htdocs/comm/index.php +++ b/htdocs/comm/index.php @@ -35,6 +35,9 @@ if (! $user->rights->societe->lire) accessforbidden(); $langs->load("commercial"); +$action=GETPOST('action', 'alpha'); +$bid=GETPOST('bid', 'int'); + // Securite acces client $socid=GETPOST('socid','int'); if (isset($user->societe_id) && $user->societe_id > 0) @@ -50,23 +53,23 @@ $now=dol_now(); * Actions */ -if (isset($_GET["action"]) && $_GET["action"] == 'add_bookmark') +if ($action == 'add_bookmark' && ! empty($socid)) { - $sql = "DELETE FROM ".MAIN_DB_PREFIX."bookmark WHERE fk_soc = ".$_GET["socid"]." AND fk_user=".$user->id; + $sql = "DELETE FROM ".MAIN_DB_PREFIX."bookmark WHERE fk_soc = ".$db->escape($socid)." AND fk_user=".$user->id; if (! $db->query($sql) ) { dol_print_error($db); } - $sql = "INSERT INTO ".MAIN_DB_PREFIX."bookmark (fk_soc, dateb, fk_user) VALUES (".$_GET["socid"].", ".$db->idate($now).",".$user->id.");"; + $sql = "INSERT INTO ".MAIN_DB_PREFIX."bookmark (fk_soc, dateb, fk_user) VALUES (".$db->escape($socid).", ".$db->idate($now).",".$user->id.");"; if (! $db->query($sql) ) { dol_print_error($db); } } -if (isset($_GET["action"]) && $_GET["action"] == 'del_bookmark') +if ($action == 'del_bookmark' && ! empty($bid)) { - $sql = "DELETE FROM ".MAIN_DB_PREFIX."bookmark WHERE rowid=".$_GET["bid"]; + $sql = "DELETE FROM ".MAIN_DB_PREFIX."bookmark WHERE rowid=".$db->escape($bid); $result = $db->query($sql); } diff --git a/htdocs/compta/bank/annuel.php b/htdocs/compta/bank/annuel.php index 21a41b848d7..b44bccddd52 100644 --- a/htdocs/compta/bank/annuel.php +++ b/htdocs/compta/bank/annuel.php @@ -1,7 +1,7 @@ * Copyright (C) 2004-2010 Laurent Destailleur - * Copyright (C) 2005-2009 Regis Houssin + * Copyright (C) 2005-2012 Regis Houssin * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -27,16 +27,16 @@ require 'pre.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/bank.lib.php'; require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php'; -// Security check -if (isset($_GET["account"]) || isset($_GET["ref"])) -{ - $id = isset($_GET["account"])?$_GET["account"]:(isset($_GET["ref"])?$_GET["ref"]:''); -} -$fieldid = isset($_GET["ref"])?'ref':'rowid'; -if ($user->societe_id) $socid=$user->societe_id; -$result=restrictedArea($user,'banque',$id,'bank_account','','',$fieldid); +$id=GETPOST('account'); +$ref=GETPOST('ref'); -$year_start=isset($_GET["year_start"])?$_GET["year_start"]:$_POST["year_start"]; +// Security check +$fieldid = (! empty($ref)?$ref:$id); +$fieldname = isset($ref)?'ref':'rowid'; +if ($user->societe_id) $socid=$user->societe_id; +$result=restrictedArea($user,'banque',$fieldid,'bank_account','','',$fieldname); + +$year_start=GETPOST('year_start'); $year_current = strftime("%Y",time()); if (! $year_start) { @@ -55,14 +55,15 @@ $form = new Form($db); // Get account informations $acct = new Account($db); -if ($_GET["account"] && ! preg_match('/,/',$_GET["account"])) // if for a particular account and not a list +if ($id > 0 && ! preg_match('/,/', $id)) // if for a particular account and not a list { - $result=$acct->fetch($_GET["account"]); + $result=$acct->fetch($id); + $id=$acct->id; } -if ($_GET["ref"]) +if (! empty($ref)) { - $result=$acct->fetch(0,$_GET["ref"]); - $_GET["account"]=$acct->id; + $result=$acct->fetch(0, $ref); + $id=$acct->id; } @@ -76,7 +77,8 @@ $sql.= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql.= " WHERE b.fk_account = ba.rowid"; $sql.= " AND ba.entity = ".$conf->entity; $sql.= " AND b.amount >= 0"; -if ($_GET["account"]) $sql .= " AND b.fk_account IN (".$_GET["account"].")"; +if (! empty($id)) + $sql .= " AND b.fk_account IN (".$db->escape($id).")"; $sql.= " GROUP BY dm"; $resql=$db->query($sql); @@ -103,7 +105,8 @@ $sql.= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql.= " WHERE b.fk_account = ba.rowid"; $sql.= " AND ba.entity = ".$conf->entity; $sql.= " AND b.amount <= 0"; -if ($_GET["account"]) $sql.= " AND b.fk_account IN (".$_GET["account"].")"; +if (! empty($id)) + $sql .= " AND b.fk_account IN (".$db->escape($id).")"; $sql.= " GROUP BY dm"; $resql=$db->query($sql); @@ -140,17 +143,17 @@ print ''.$langs->trans("Ref").''; print ''; if ($_GET["account"]) { - if (! preg_match('/,/',$_GET["account"])) + if (! preg_match('/,/', $id)) { print $form->showrefnav($acct, 'ref', $linkback, 1, 'ref'); } else { $bankaccount=new Account($db); - $listid=explode(',',$_GET["account"]); - foreach($listid as $key => $id) + $listid=explode(',', $id); + foreach($listid as $key => $aId) { - $bankaccount->fetch($id); + $bankaccount->fetch($aId); $bankaccount->label=$bankaccount->ref; print $bankaccount->getNomUrl(1); if ($key < (count($listid)-1)) print ', '; @@ -166,7 +169,7 @@ print ''; // Label print ''.$langs->trans("Label").''; print ''; -if ($_GET["account"]) +if (! empty($id)) { print $acct->label; } @@ -254,7 +257,8 @@ $sql.= " FROM ".MAIN_DB_PREFIX."bank as b"; $sql.= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql.= " WHERE b.fk_account = ba.rowid"; $sql.= " AND ba.entity = ".$conf->entity; -if ($_GET["account"]) $sql.= " AND b.fk_account IN (".$_GET["account"].")"; +if (! empty($id)) + $sql.= " AND b.fk_account IN (".$db->escape($id).")"; $resql=$db->query($sql); if ($resql) @@ -273,8 +277,6 @@ print ""; print "\n\n"; -$db->close(); - llxFooter(); - +$db->close(); ?> diff --git a/htdocs/compta/bank/index.php b/htdocs/compta/bank/index.php index 61e73c4a9a3..64ad316dc24 100644 --- a/htdocs/compta/bank/index.php +++ b/htdocs/compta/bank/index.php @@ -1,7 +1,7 @@ * Copyright (C) 2004-2011 Laurent Destailleur - * Copytight (C) 2005-2009 Regis Houssin + * Copytight (C) 2005-2012 Regis Houssin * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -35,7 +35,7 @@ $langs->load("categories"); if ($user->societe_id) $socid=$user->societe_id; $result=restrictedArea($user,'banque'); -$statut=isset($_GET["statut"])?$_GET["statut"]:''; +$statut=GETPOST('statut'); diff --git a/htdocs/compta/bank/rappro.php b/htdocs/compta/bank/rappro.php index f7389344721..b6e655db021 100644 --- a/htdocs/compta/bank/rappro.php +++ b/htdocs/compta/bank/rappro.php @@ -37,14 +37,15 @@ $langs->load("bills"); if (! $user->rights->banque->consolidate) accessforbidden(); - +$action=GETPOST('action', 'alpha'); +$id=GETPOST('account', 'int'); /* * Actions */ // Conciliation -if ($user->rights->banque->consolidate && $_POST["action"] == 'rappro') +if ($action == 'rappro' && $user->rights->banque->consolidate) { // Definition, nettoyage parametres $num_releve=trim($_POST["num_releve"]); @@ -77,7 +78,7 @@ if ($user->rights->banque->consolidate && $_POST["action"] == 'rappro') /* * Action suppression ecriture */ -if ($_GET["action"] == 'del') +if ($action == 'del') { $accline=new AccountLine($db); $accline->fetch($_GET["rowid"]); @@ -127,13 +128,13 @@ $paymentsupplierstatic=new PaiementFourn($db); $paymentvatstatic=new TVA($db); $acct = new Account($db); -$acct->fetch($_GET["account"]); +$acct->fetch($id); $now=dol_now(); $sql = "SELECT b.rowid, b.dateo as do, b.datev as dv, b.amount, b.label, b.rappro, b.num_releve, b.num_chq, b.fk_type as type"; $sql.= " FROM ".MAIN_DB_PREFIX."bank as b"; -$sql.= " WHERE rappro=0 AND fk_account=".$_GET["account"]; +$sql.= " WHERE rappro=0 AND fk_account=".$acct->id; $sql.= " ORDER BY dateo ASC"; $sql.= " LIMIT 1000"; // Limit to avoid page overload @@ -163,7 +164,7 @@ if ($resql) $var=True; $num = $db->num_rows($resql); - print_fiche_titre($langs->trans("Reconciliation").': '.$acct->label.''); + print_fiche_titre($langs->trans("Reconciliation").': '.$acct->label.''); print '
'; dol_htmloutput_mesg($mesg); @@ -172,7 +173,7 @@ if ($resql) $nbmax=5; $liste=""; $sql = "SELECT DISTINCT num_releve FROM ".MAIN_DB_PREFIX."bank"; - $sql.= " WHERE fk_account=".$_GET["account"]." AND num_releve IS NOT NULL"; + $sql.= " WHERE fk_account=".$acct->id." AND num_releve IS NOT NULL"; $sql.= $db->order("num_releve","DESC"); $sql.= $db->plimit($nbmax+1); print $langs->trans("LastAccountStatements").' : '; @@ -186,7 +187,7 @@ if ($resql) $objr = $db->fetch_object($resqlr); $last_releve = $objr->num_releve; $i++; - $liste=''.$objr->num_releve.'   '.$liste; + $liste=''.$objr->num_releve.'   '.$liste; } if ($numr >= $nbmax) $liste="...   ".$liste; print $liste; @@ -199,10 +200,10 @@ if ($resql) } - print ''; + print ''; print ''; print ""; - print ""; + print "id."\">"; print $langs->trans("InputReceiptNumber").': '; print ''; @@ -251,9 +252,9 @@ if ($resql) print ''; print ''.dol_print_date($db->jdate($objp->dv),"day").""; print '   '; - print ''; + print ''; print img_edit_remove() . " "; - print ''; + print ''; print img_edit_add() .""; print ''; } @@ -380,7 +381,7 @@ if ($resql) print ''; print img_edit(); print '  '; - + $now=dol_now(); if ($db->jdate($objp->do) <= $now) { print ''; diff --git a/htdocs/compta/bank/releve.php b/htdocs/compta/bank/releve.php index f69cf6344e5..98a644fbdd0 100644 --- a/htdocs/compta/bank/releve.php +++ b/htdocs/compta/bank/releve.php @@ -1,7 +1,7 @@ * Copyright (C) 2004-2009 Laurent Destailleur - * Copyright (C) 2005-2009 Regis Houssin + * Copyright (C) 2005-2012 Regis Houssin * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -26,37 +26,39 @@ require 'pre.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/bank.lib.php'; -$action=GETPOST('action'); +$action=GETPOST('action', 'alpha'); $langs->load("companies"); $langs->load("banks"); $langs->load("bills"); +$id=GETPOST('account'); +$ref=GETPOST('ref'); +$dvid=GETPOST('dvid'); +$num=GETPOST('num'); + // Security check -if (isset($_GET["account"]) || isset($_GET["ref"])) -{ - $id = isset($_GET["account"])?$_GET["account"]:(isset($_GET["ref"])?$_GET["ref"]:''); -} -$fieldid = isset($_GET["ref"])?'ref':'rowid'; +$fieldid = (! empty($ref)?$ref:$id); +$fieldname = isset($ref)?'ref':'rowid'; if ($user->societe_id) $socid=$user->societe_id; -$result=restrictedArea($user,'banque',$id,'bank_account','','',$fieldid); +$result=restrictedArea($user,'banque',$fieldid,'bank_account','','',$fieldname); -if ($user->rights->banque->consolidate && $action == 'dvnext') +if ($user->rights->banque->consolidate && $action == 'dvnext' && ! empty($dvid)) { $al = new AccountLine($db); - $al->datev_next($_GET["dvid"]); + $al->datev_next($dvid); } -if ($user->rights->banque->consolidate && $action == 'dvprev') +if ($user->rights->banque->consolidate && $action == 'dvprev' && ! empty($dvid)) { $al = new AccountLine($db); - $al->datev_previous($_GET["dvid"]); + $al->datev_previous($dvid); } -$sortfield = isset($_GET["sortfield"])?$_GET["sortfield"]:$_POST["sortfield"]; -$sortorder = isset($_GET["sortorder"])?$_GET["sortorder"]:$_POST["sortorder"]; -$page=isset($_GET["page"])?$_GET["page"]:$_POST["page"]; +$sortfield = GETPOST('sortfield', 'alpha'); +$sortorder = GETPOST('sortorder', 'alpha'); +$page = GETPOST('page', 'int'); if ($page == -1) { $page = 0; } if (! $sortorder) $sortorder="ASC"; if (! $sortfield) $sortfield="s.nom"; @@ -77,24 +79,19 @@ $form = new Form($db); // Load account $acct = new Account($db); -if ($_GET["account"]) +if ($id > 0 || ! empty($ref)) { - $acct->fetch($_GET["account"]); -} -if ($_GET["ref"]) -{ - $acct->fetch(0,$_GET["ref"]); - $_GET["account"]=$acct->id; + $acct->fetch($id, $ref); } -if (! isset($_GET["num"])) +if (! isset($num)) { /* * Vue liste tous releves confondus */ $sql = "SELECT DISTINCT(b.num_releve) as numr"; $sql.= " FROM ".MAIN_DB_PREFIX."bank as b"; - $sql.= " WHERE b.fk_account = ".$_GET["account"]; + $sql.= " WHERE b.fk_account = ".$acct->id; $sql.= " ORDER BY numr DESC"; $sql.= $db->plimit($conf->liste_limit+1,$offset); @@ -130,7 +127,7 @@ if (! isset($_GET["num"])) - print_barre_liste('', $page, $_SERVER["PHP_SELF"], "&account=".$_GET["account"], $sortfield, $sortorder,'',$numrows); + print_barre_liste('', $page, $_SERVER["PHP_SELF"], "&account=".$acct->id, $sortfield, $sortorder,'',$numrows); print ''; print ""; @@ -147,7 +144,7 @@ if (! isset($_GET["num"])) } else { - print "\n"; + print "\n"; } $i++; } @@ -173,8 +170,8 @@ else // Recherche valeur pour num = numero releve precedent $sql = "SELECT DISTINCT(b.num_releve) as num"; $sql.= " FROM ".MAIN_DB_PREFIX."bank as b"; - $sql.= " WHERE b.num_releve < '".$_GET["num"]."'"; - $sql.= " AND b.fk_account = ".$_GET["account"]; + $sql.= " WHERE b.num_releve < '".$db->escape($num)."'"; + $sql.= " AND b.fk_account = ".$acct->id; $sql.= " ORDER BY b.num_releve DESC"; dol_syslog("htdocs/compta/bank/releve.php sql=".$sql); @@ -195,8 +192,8 @@ else // Recherche valeur pour num = numero releve precedent $sql = "SELECT DISTINCT(b.num_releve) as num"; $sql.= " FROM ".MAIN_DB_PREFIX."bank as b"; - $sql.= " WHERE b.num_releve > '".$_GET["num"]."'"; - $sql.= " AND b.fk_account = ".$_GET["account"]; + $sql.= " WHERE b.num_releve > '".$db->escape($num)."'"; + $sql.= " AND b.fk_account = ".$acct->id; $sql.= " ORDER BY b.num_releve ASC"; dol_syslog("htdocs/compta/bank/releve.php sql=".$sql); @@ -214,10 +211,8 @@ else } else { // On veut le releve num - $num=$_GET["num"]; $found=true; } - if (! $found) $num=$_GET["num"]; $mesprevnext ="id\">".img_previous()."  "; $mesprevnext.= $langs->trans("AccountStatement")." $num"; @@ -244,7 +239,7 @@ else // Calcul du solde de depart du releve $sql = "SELECT sum(b.amount) as amount"; $sql.= " FROM ".MAIN_DB_PREFIX."bank as b"; - $sql.= " WHERE b.num_releve < '".$num."'"; + $sql.= " WHERE b.num_releve < '".$db->escape($num)."'"; $sql.= " AND b.fk_account = ".$acct->id; $resql=$db->query($sql); @@ -259,7 +254,7 @@ else $sql = "SELECT b.rowid, b.dateo as do, b.datev as dv"; $sql.= ", b.amount, b.label, b.rappro, b.num_releve, b.num_chq, b.fk_type"; $sql.= " FROM ".MAIN_DB_PREFIX."bank as b"; - $sql.= " WHERE b.num_releve='".$num."'"; + $sql.= " WHERE b.num_releve='".$db->escape($num)."'"; if (!isset($num)) $sql.= " OR b.num_releve is null"; $sql.= " AND b.fk_account = ".$acct->id; $sql.= " ORDER BY b.datev ASC"; @@ -289,10 +284,10 @@ else // Date de valeur print '\n"; diff --git a/htdocs/compta/facture.php b/htdocs/compta/facture.php index e1d50ef3057..280017a35bc 100644 --- a/htdocs/compta/facture.php +++ b/htdocs/compta/facture.php @@ -994,9 +994,9 @@ else if (($action == 'addline' || $action == 'addline_predef') && $user->rights- $date_end=dol_mktime(GETPOST('date_end'.$predef.'hour'), GETPOST('date_end'.$predef.'min'), GETPOST('date_end'.$predef.'sec'), GETPOST('date_end'.$predef.'month'), GETPOST('date_end'.$predef.'day'), GETPOST('date_end'.$predef.'year')); $price_base_type = (GETPOST('price_base_type', 'alpha')?GETPOST('price_base_type', 'alpha'):'HT'); - // Define special_code for special lines - $special_code=0; - //if (empty($_POST['qty'])) $special_code=3; // Options should not exists on invoices + // Define special_code for special lines + $special_code=0; + //if (empty($_POST['qty'])) $special_code=3; // Options should not exists on invoices // Ecrase $pu par celui du produit // Ecrase $desc par celui du produit diff --git a/htdocs/compta/index.php b/htdocs/compta/index.php index 7cbbbb8e5da..40911915c8e 100644 --- a/htdocs/compta/index.php +++ b/htdocs/compta/index.php @@ -1,7 +1,7 @@ * Copyright (C) 2004-2011 Laurent Destailleur - * Copyright (C) 2005-2009 Regis Houssin + * Copyright (C) 2005-2012 Regis Houssin * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -27,9 +27,12 @@ require '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; require_once DOL_DOCUMENT_ROOT.'/compta/facture/class/facture.class.php'; require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.facture.class.php'; -if (! empty($conf->commande->enabled)) require_once DOL_DOCUMENT_ROOT.'/commande/class/commande.class.php'; -if (! empty($conf->commande->enabled)) require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.commande.class.php'; -if (! empty($conf->tax->enabled)) require_once DOL_DOCUMENT_ROOT.'/compta/sociales/class/chargesociales.class.php'; +if (! empty($conf->commande->enabled)) + require_once DOL_DOCUMENT_ROOT.'/commande/class/commande.class.php'; +if (! empty($conf->commande->enabled)) + require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.commande.class.php'; +if (! empty($conf->tax->enabled)) + require_once DOL_DOCUMENT_ROOT.'/compta/sociales/class/chargesociales.class.php'; // L'espace compta/treso doit toujours etre actif car c'est un espace partage // par de nombreux modules (banque, facture, commande a facturer, etc...) independamment @@ -40,7 +43,11 @@ if (! empty($conf->tax->enabled)) require_once DOL_DOCUMENT_ROOT.'/compta/social $langs->load("compta"); $langs->load("bills"); -if (! empty($conf->commande->enabled)) $langs->load("orders"); +if (! empty($conf->commande->enabled)) + $langs->load("orders"); + +$action=GETPOST('action', 'alpha'); +$bid=GETPOST('bid', 'int'); // Security check $socid=''; @@ -55,7 +62,7 @@ if ($user->societe_id > 0) * Actions */ -if (isset($_GET["action"]) && $_GET["action"] == 'add_bookmark') +if ($action == 'add_bookmark') { $now=dol_now(); @@ -71,9 +78,9 @@ if (isset($_GET["action"]) && $_GET["action"] == 'add_bookmark') } } -if (isset($_GET["action"]) && $_GET["action"] == 'del_bookmark') +if ($action == 'del_bookmark' && ! empty($bid)) { - $sql = "DELETE FROM ".MAIN_DB_PREFIX."bookmark WHERE rowid=".$_GET["bid"]; + $sql = "DELETE FROM ".MAIN_DB_PREFIX."bookmark WHERE rowid=".$db->escape($bid); $result = $db->query($sql); } diff --git a/htdocs/contact/list.php b/htdocs/contact/list.php index ace7abcc6b9..73b823a013b 100755 --- a/htdocs/contact/list.php +++ b/htdocs/contact/list.php @@ -51,10 +51,10 @@ $type=GETPOST("type"); $view=GETPOST("view"); $sall=GETPOST("contactname"); -$sortfield = GETPOST("sortfield"); -$sortorder = GETPOST("sortorder"); -$page = GETPOST("page"); -$userid=GETPOST('userid'); +$sortfield = GETPOST('sortfield', 'alpha'); +$sortorder = GETPOST('sortorder', 'alpha'); +$page = GETPOST('page', 'int'); +$userid=GETPOST('userid','int'); $begin=GETPOST('begin'); if (! $sortorder) $sortorder="ASC"; @@ -131,9 +131,9 @@ if (!$user->rights->societe->client->voir && !$socid) //restriction { $sql .= " AND (sc.fk_user = " .$user->id." OR p.fk_soc IS NULL)"; } -if ($userid) // propre au commercial +if (! empty($userid)) // propre au commercial { - $sql .= " AND p.fk_user_creat=".$userid; + $sql .= " AND p.fk_user_creat=".$db->escape($userid); } // Filter to exclude not owned private contacts diff --git a/htdocs/core/db/pgsql.class.php b/htdocs/core/db/pgsql.class.php index 58a07bd1535..7ed1533ee60 100644 --- a/htdocs/core/db/pgsql.class.php +++ b/htdocs/core/db/pgsql.class.php @@ -296,7 +296,7 @@ class DoliDBPgsql // To have postgresql case sensitive $line=str_replace(' LIKE \'',' ILIKE \'',$line); - $line=str_replace(' LIKE BINARY \'',' LIKE \'',$line); + $line=str_replace(' LIKE BINARY \'',' LIKE \'',$line); // Delete using criteria on other table must not declare twice the deleted table // DELETE FROM tabletodelete USING tabletodelete, othertable -> DELETE FROM tabletodelete USING othertable diff --git a/htdocs/societe/ajaxcountries.php b/htdocs/societe/ajaxcountries.php index 3afb95468b7..868e0e1da81 100644 --- a/htdocs/societe/ajaxcountries.php +++ b/htdocs/societe/ajaxcountries.php @@ -30,6 +30,8 @@ if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK','1'); require '../main.inc.php'; +$country=GETPOST('pays', 'alpha'); + /* * View @@ -49,14 +51,14 @@ print '
numr&account=".$_GET["account"]."\">$objp->numr
numr&account=".$acct->id."\">$objp->numr
'; - print ''; + print ''; print img_previous().' '; print dol_print_date($db->jdate($objp->dv),"day") .' '; - print ''; + print ''; print img_next().''; print "