diff --git a/htdocs/compta/facture.php b/htdocs/compta/facture.php
index 44926e4ecf2..a945c37fc4c 100644
--- a/htdocs/compta/facture.php
+++ b/htdocs/compta/facture.php
@@ -50,19 +50,22 @@ $langs->load('main');
 if (GETPOST('mesg','int',1) && isset($_SESSION['message'])) $mesg=$_SESSION['message'];
 $sall=trim(GETPOST('sall'));
-$projectid=isset($_GET['projectid'])?$_GET['projectid']:0;
+$projectid=(GETPOST('projectid')?GETPOST('projectid','int'):0);
-$id=(GETPOST('id')?GETPOST("id"):GETPOST("facid")); // For backward compatibility
-$ref=GETPOST('ref');
-$socid=GETPOST('socid');
-$action=GETPOST('action');
-$confirm=GETPOST('confirm');
-$lineid=GETPOST('lineid');
-$userid=GETPOST('userid');
-$search_ref=GETPOST('sf_ref')?GETPOST('sf_ref'):GETPOST('search_ref');
+$id=(GETPOST('id')?GETPOST('id','int'):GETPOST('facid','int')); // For backward compatibility
+$ref=GETPOST('ref','alpha');
+$socid=GETPOST('socid','int');
+$action=GETPOST('action','alpha');
+$confirm=GETPOST('confirm','alpha');
+$lineid=GETPOST('lineid','int');
+$userid=GETPOST('userid','int');
+$search_ref=GETPOST('sf_ref')?GETPOST('sf_ref','alpha'):GETPOST('search_ref','alpha');
+$search_societe=GETPOST('search_societe','alpha');
+$search_montant_ht=GETPOST('search_montant_ht','alpha');
+$search_montant_ttc=GETPOST('search_montant_ht','alpha');
 // Security check
-$fieldid = isset($_GET["ref"])?'facnumber':'rowid';
+$fieldid = (! empty($ref)?'facnumber':'rowid');
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'facture', $id,'','','fk_soc',$fieldid);
@@ -3053,8 +3056,8 @@ else
 $pageprev = $page - 1;
 $pagenext = $page + 1;
- $month =GETPOST('month','int');
- $year =GETPOST('year','int');
+ $month = GETPOST('month','int');
+ $year = GETPOST('year','int');
 $facturestatic=new Facture($db);
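Review bot: `$search_montant_ttc=GETPOST('search_montant_ht','alpha');` reads the HT parameter, so the `f.total_ttc` filter built in the hunk at line 3091 of this file applies whatever was typed into the HT field and a TTC-only search is silently ignored; it should be `$search_montant_ttc=GETPOST('search_montant_ttc','alpha');`. In the same run, `$id=(GETPOST('id')?GETPOST('id','int'):GETPOST('facid','int'))` tests the unfiltered value, so a non-numeric `id` yields `''` instead of falling back to `facid`; `$id=(GETPOST('id','int')?GETPOST('id','int'):GETPOST('facid','int'));` keeps the intended fallback. Note also that GETPOST's 'int' check, visible in the functions.lib.php hunk of this diff, accepts `.` and `,` as well as digits, so `$id`, `$socid`, `$lineid` and `$userid` can still carry a value like `1,2` into restrictedArea and, presumably, later queries. Casting at these assignments, e.g. `$socid=(int) GETPOST('socid','int');`, would make them true integers before any use.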
@@ -3088,21 +3091,21 @@ else
 $sql .= ' AND ' . trim($filt[0]) . ' = ' . trim($filt[1]);
 }
 }
- if ($_GET['search_ref'])
+ if ($search_ref)
 {
- $sql.= ' AND f.facnumber LIKE \'%'.$db->escape(trim($_GET['search_ref'])).'%\'';
+ $sql.= ' AND f.facnumber LIKE \'%'.$db->escape(trim($search_ref)).'%\'';
 }
- if ($_GET['search_societe'])
+ if ($search_societe)
 {
- $sql.= ' AND s.nom LIKE \'%'.$db->escape(trim($_GET['search_societe'])).'%\'';
+ $sql.= ' AND s.nom LIKE \'%'.$db->escape(trim($search_societe)).'%\'';
 }
- if ($_GET['search_montant_ht'])
+ if ($search_montant_ht)
 {
- $sql.= ' AND f.total = \''.$db->escape(trim($_GET['search_montant_ht'])).'\'';
+ $sql.= ' AND f.total = \''.$db->escape(trim($search_montant_ht)).'\'';
 }
- if ($_GET['search_montant_ttc'])
+ if ($search_montant_ttc)
 {
- $sql.= ' AND f.total_ttc = \''.$db->escape(trim($_GET['search_montant_ttc'])).'\'';
+ $sql.= ' AND f.total_ttc = \''.$db->escape(trim($search_montant_ttc)).'\'';
 }
 if ($month > 0)
 {
@@ -3115,10 +3118,6 @@ else
 {
 $sql.= " AND f.datef BETWEEN '".$db->idate(dol_get_first_day($year,1,false))."' AND '".$db->idate(dol_get_last_day($year,12,false))."'";
 }
- if (trim($search_ref) != '')
- {
- $sql.= ' AND f.facnumber LIKE \'%'.$db->escape(trim($search_ref)) . '%\'';
- }
 if (! $sall)
 {
 $sql.= ' GROUP BY f.rowid, f.facnumber, f.type, f.increment, f.total, f.total_ttc,';
@@ -3183,11 +3182,11 @@ else
 print '';
 print ' ';
 print '';
- print '';
+ print '';
 print '';
- print '';
+ print '';
 print '';
- print '';
+ print '';
 print '';
 print '';
 print ' ';
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index eafd2c9cb22..39fc2b599d9 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
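Review bot: The four new guards test truthiness (`if ($search_ref)`, `if ($search_montant_ht)`, …), so a search for the amount `0` or a reference `0` is silently dropped; since GETPOST returns `''` for an absent parameter, `if ($search_montant_ht !== '')` (and likewise for the other three) keeps such searches. The two amount values are read with the 'alpha' check, which per the GETPOST hunk in this diff only rejects a double quote, so the quoted `f.total = '…'` and `f.total_ttc = '…'` literals are protected by `$db->escape` alone. The same function's 'int' check already admits digits, `.` and `,`, so reading `search_montant_ht` and `search_montant_ttc` with it would keep non-numeric input out of the query before escaping — verify first whether negative amounts (credit notes) need to be searchable, since that check has no sign. The enclosing `else` block begins before and ends after this hunk.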
@@ -185,22 +185,22 @@ function dol_shutdown()
 */
 function GETPOST($paramname,$check='',$method=0)
 {
- if (empty($method)) $out = isset($_GET[$paramname])?$_GET[$paramname]:(isset($_POST[$paramname])?$_POST[$paramname]:'');
- elseif ($method==1) $out = isset($_GET[$paramname])?$_GET[$paramname]:'';
- elseif ($method==2) $out = isset($_POST[$paramname])?$_POST[$paramname]:'';
- elseif ($method==3) $out = isset($_POST[$paramname])?$_POST[$paramname]:(isset($_GET[$paramname])?$_GET[$paramname]:'');
-
- if (!empty($check))
- {
- // Check if numeric
- if ($check == 'int' && ! preg_match('/^[\.,0-9]+$/i',trim($out))) $out='';
- // Check if alpha
- //if ($check == 'alpha' && ! preg_match('/^[ =:@#\/\\\(\)\-\._a-z0-9]+$/i',trim($out))) $out='';
- // '"' is dangerous because param in url can close the href= or src= and add javascript functions.
- if ($check == 'alpha' && preg_match('/"/',trim($out))) $out='';
- }
-
- return $out;
+ if (empty($method)) $out = isset($_GET[$paramname])?$_GET[$paramname]:(isset($_POST[$paramname])?$_POST[$paramname]:'');
+ elseif ($method==1) $out = isset($_GET[$paramname])?$_GET[$paramname]:'';
+ elseif ($method==2) $out = isset($_POST[$paramname])?$_POST[$paramname]:'';
+ elseif ($method==3) $out = isset($_POST[$paramname])?$_POST[$paramname]:(isset($_GET[$paramname])?$_GET[$paramname]:'');
+
+ if (! empty($check))
+ {
+ // Check if numeric
+ if ($check == 'int' && ! preg_match('/^[\.,0-9]+$/i',trim($out))) $out='';
+ // Check if alpha
+ //if ($check == 'alpha' && ! preg_match('/^[ =:@#\/\\\(\)\-\._a-z0-9]+$/i',trim($out))) $out='';
+ // '"' is dangerous because param in url can close the href= or src= and add javascript functions.
+ if ($check == 'alpha' && preg_match('/"/',trim($out))) $out='';
+ }
+
+ return $out;
 }