From 15440917b1a1c1e06e987663474b6b4d1b4bb46e Mon Sep 17 00:00:00 2001 
From: Laurent Destailleur Date: Mon, 22 Mar 2021 11:30:18 +0100 Subject: [PATCH 01/47] Fix #ygosha5698 --- .../class/accountancycategory.class.php | 2 +- htdocs/accountancy/class/lettering.class.php | 8 ++-- htdocs/accountancy/customer/lines.php | 6 +-- htdocs/accountancy/supplier/lines.php | 6 +-- htdocs/accountancy/supplier/list.php | 6 +-- htdocs/adherents/list.php | 2 +- htdocs/admin/const.php | 2 +- htdocs/admin/system/constall.php | 2 +- htdocs/admin/system/dolibarr.php | 2 +- .../action/class/api_agendaevents.class.php | 6 +-- .../mailing/class/advtargetemailing.class.php | 40 +++++++++---------- .../comm/propal/class/api_proposals.class.php | 4 +- htdocs/comm/propal/class/propal.class.php | 2 +- htdocs/commande/class/api_orders.class.php | 2 +- htdocs/commande/class/commande.class.php | 4 +- htdocs/compta/bank/annuel.php | 6 +-- htdocs/compta/bank/class/account.class.php | 2 +- htdocs/compta/bank/graph.php | 38 +++++++++--------- .../facture/class/api_invoices.class.php | 2 +- htdocs/compta/facture/class/facture.class.php | 4 +- htdocs/compta/stats/cabyprodserv.php | 4 +- htdocs/contact/list.php | 5 +-- htdocs/contrat/class/api_contracts.class.php | 4 +- htdocs/contrat/class/contrat.class.php | 2 +- htdocs/core/boxes/box_project.php | 2 +- htdocs/core/boxes/box_task.php | 2 +- htdocs/core/class/commonobject.class.php | 2 +- htdocs/core/class/html.form.class.php | 26 ++++++------ htdocs/core/class/html.formcompany.class.php | 2 +- htdocs/core/class/html.formcontract.class.php | 2 +- htdocs/core/class/html.formprojet.class.php | 12 +++--- htdocs/core/lib/company.lib.php | 2 +- htdocs/core/lib/functions2.lib.php | 10 ++--- htdocs/core/lib/project.lib.php | 6 +-- htdocs/core/lib/security.lib.php | 32 +++++++-------- htdocs/core/lib/website.lib.php | 2 +- .../mailings/advthirdparties.modules.php | 4 +- htdocs/don/list.php | 2 +- .../expedition/class/api_shipments.class.php | 2 +- htdocs/expedition/list.php | 4 +- .../class/api_expensereports.class.php | 2 +- 
.../class/expensereport.class.php | 8 ++-- .../class/expensereportstats.class.php | 4 +- htdocs/expensereport/index.php | 6 +-- htdocs/expensereport/list.php | 4 +- .../class/api_interventions.class.php | 4 +- htdocs/fourn/card.php | 2 +- .../class/api_supplier_invoices.class.php | 2 +- .../fourn/class/api_supplier_orders.class.php | 4 +- htdocs/fourn/facture/impayees.php | 11 +---- htdocs/fourn/facture/list.php | 13 +++--- htdocs/holiday/class/holiday.class.php | 10 ++--- htdocs/holiday/list.php | 2 +- htdocs/margin/agentMargins.php | 2 +- htdocs/margin/checkMargins.php | 2 +- htdocs/margin/customerMargins.php | 2 +- htdocs/margin/productMargins.php | 4 +- .../product/class/html.formproduct.class.php | 6 +-- htdocs/product/class/product.class.php | 4 +- htdocs/product/stock/stockatdate.php | 8 ++-- htdocs/projet/activity/index.php | 2 +- htdocs/projet/class/api_projects.class.php | 4 +- htdocs/projet/class/api_tasks.class.php | 4 +- htdocs/projet/class/project.class.php | 20 +++++----- htdocs/projet/class/projectstats.class.php | 4 +- htdocs/projet/class/task.class.php | 6 +-- htdocs/projet/class/taskstats.class.php | 5 +-- htdocs/projet/graph_opportunities.inc.php | 6 +-- htdocs/projet/index.php | 8 ++-- htdocs/projet/list.php | 4 +- htdocs/projet/tasks/list.php | 12 +++--- htdocs/projet/tasks/time.php | 2 +- htdocs/reception/list.php | 4 +- htdocs/salaries/list.php | 2 +- htdocs/salaries/payments.php | 10 ++--- htdocs/societe/class/api_contacts.class.php | 4 +- .../societe/class/api_thirdparties.class.php | 4 +- htdocs/societe/list.php | 4 +- .../class/api_supplier_proposals.class.php | 4 +- htdocs/supplier_proposal/list.php | 4 +- htdocs/user/class/api_users.class.php | 4 +- htdocs/user/list.php | 4 +- .../variants/class/ProductAttribute.class.php | 4 +- .../class/ProductCombination.class.php | 6 +-- htdocs/website/class/websitepage.class.php | 4 +- 85 files changed, 248 insertions(+), 260 deletions(-) 
diff --git a/htdocs/accountancy/class/accountancycategory.class.php b/htdocs/accountancy/class/accountancycategory.class.php
index 292fb55a29f..1bdc0f438bf 100644
--- a/htdocs/accountancy/class/accountancycategory.class.php
+++ b/htdocs/accountancy/class/accountancycategory.class.php
@@ -743,7 +743,7 @@ class AccountancyCategory // extends CommonObject
 }
 $listofaccount .= "'".$cptcursor."'";
 }
- $sql .= " AND t.numero_compte IN (".$listofaccount.")";
+ $sql .= " AND t.numero_compte IN (".$this->db->sanitize($listofaccount).")";
 } else {
 $sql .= " AND t.numero_compte = '".$this->db->escape($cpt)."'";
 }
diff --git a/htdocs/accountancy/class/lettering.class.php b/htdocs/accountancy/class/lettering.class.php
index ad6f186d68f..b2abf01948e 100644
--- a/htdocs/accountancy/class/lettering.class.php
+++ b/htdocs/accountancy/class/lettering.class.php
@@ -126,7 +126,7 @@ class Lettering extends BookKeeping
 if (count($ids_fact)) {
 $sql = 'SELECT bk.rowid, facf.ref, facf.ref_supplier ';
 $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn facf ";
- $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON( bk.fk_doc = facf.rowid AND facf.rowid IN (".implode(',', $ids_fact)."))";
+ $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON( bk.fk_doc = facf.rowid AND facf.rowid IN (".$this->db->sanitize(implode(',', $ids_fact))."))";
 $sql .= " WHERE bk.code_journal IN (SELECT code FROM ".MAIN_DB_PREFIX."accounting_journal WHERE nature=3 AND entity=".$conf->entity.") ";
 $sql .= " AND facf.entity = ".$conf->entity;
 $sql .= " AND ( ";
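Review bot: The list handed to sanitize() on the `+` line already contains its single quotes (`$listofaccount .= "'".$cptcursor."'";` two lines above), whereas every other quoted IN list in this patch (the advtargetemailing hunks) keeps the quotes outside the sanitize() call. sanitize() itself is not visible here; if, as that placement suggests, it strips quote characters by default, this IN list degrades to bare numbers while the `else` branch of the same hunk compares `numero_compte` as a quoted string, so accounts with leading zeros or letters would stop matching. Safer to escape each element where the list is built, `$listofaccount .= "'".$this->db->escape($cptcursor)."'";`, and concatenate `$listofaccount` without the extra pass, or use a sanitize mode that preserves quotes if one exists. The enclosing method starts and ends outside the hunk.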
@@ -185,7 +185,7 @@ class Lettering extends BookKeeping if (count($ids_fact)) { $sql = 'SELECT bk.rowid, fac.ref, fac.ref_supplier '; $sql .= " FROM ".MAIN_DB_PREFIX."facture fac "; - $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON( bk.fk_doc = fac.rowid AND fac.rowid IN (".implode(',', $ids_fact)."))"; + $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON( bk.fk_doc = fac.rowid AND fac.rowid IN (".$this->db->sanitize(implode(',', $ids_fact))."))"; $sql .= " WHERE code_journal IN (SELECT code FROM ".MAIN_DB_PREFIX."accounting_journal WHERE nature=2 AND entity=".$conf->entity.") "; $sql .= " AND fac.entity IN (".getEntity('invoice', 0).")"; // We don't share object for accountancy $sql .= " AND ( "; @@ -255,7 +255,7 @@ class Lettering extends BookKeeping } $sql = "SELECT SUM(ABS(debit)) as deb, SUM(ABS(credit)) as cred FROM ".MAIN_DB_PREFIX."accounting_bookkeeping WHERE "; - $sql .= " rowid IN (".implode(',', $ids).") AND date_validated IS NULL"; + $sql .= " rowid IN (".$this->db->sanitize(implode(',', $ids)).") AND date_validated IS NULL"; $result = $this->db->query($sql); if ($result) { $obj = $this->db->fetch_object($result); @@ -276,7 +276,7 @@ class Lettering extends BookKeeping $sql = "UPDATE ".MAIN_DB_PREFIX."accounting_bookkeeping SET"; $sql .= " lettering_code='".$this->db->escape($lettre)."'"; $sql .= " , date_lettering = '".$this->db->idate($now)."'"; // todo correct date it's false - $sql .= " WHERE rowid IN (".implode(',', $ids).") AND date_validated IS NULL "; + $sql .= " WHERE rowid IN (".$this->db->sanitize(implode(',', $ids)).") AND date_validated IS NULL "; $this->db->begin(); dol_syslog(get_class($this)."::update sql=".$sql, LOG_DEBUG); diff --git a/htdocs/accountancy/customer/lines.php b/htdocs/accountancy/customer/lines.php index 3b14450fab1..0cd01315d9f 100644 --- a/htdocs/accountancy/customer/lines.php +++ b/htdocs/accountancy/customer/lines.php 
@@ -246,11 +246,11 @@ if (strlen(trim($search_country))) { if ($search_country == 'special_allnotme') { $sql .= " AND co.code <> '".$db->escape($mysoc->country_code)."'"; } elseif ($search_country == 'special_eec') { - $sql .= " AND co.code IN (".$country_code_in_EEC.")"; + $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC).")"; } elseif ($search_country == 'special_eecnotme') { - $sql .= " AND co.code IN (".$country_code_in_EEC_without_me.")"; + $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC_without_me).")"; } elseif ($search_country == 'special_noteec') { - $sql .= " AND co.code NOT IN (".$country_code_in_EEC.")"; + $sql .= " AND co.code NOT IN (".$db->sanitize($country_code_in_EEC).")"; } else { $sql .= natural_search("co.code", $search_country); } diff --git a/htdocs/accountancy/supplier/lines.php b/htdocs/accountancy/supplier/lines.php index f661ba42ce9..343d42bab84 100644 --- a/htdocs/accountancy/supplier/lines.php +++ b/htdocs/accountancy/supplier/lines.php @@ -238,11 +238,11 @@ if (strlen(trim($search_country))) { if ($search_country == 'special_allnotme') { $sql .= " AND co.code <> '".$db->escape($mysoc->country_code)."'"; } elseif ($search_country == 'special_eec') { - $sql .= " AND co.code IN (".$country_code_in_EEC.")"; + $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC).")"; } elseif ($search_country == 'special_eecnotme') { - $sql .= " AND co.code IN (".$country_code_in_EEC_without_me.")"; + $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC_without_me).")"; } elseif ($search_country == 'special_noteec') { - $sql .= " AND co.code NOT IN (".$country_code_in_EEC.")"; + $sql .= " AND co.code NOT IN (".$db->sanitize($country_code_in_EEC).")"; } else { $sql .= natural_search("co.code", $search_country); } diff --git a/htdocs/accountancy/supplier/list.php b/htdocs/accountancy/supplier/list.php index ea61a686883..d74f0facfd7 100644 --- a/htdocs/accountancy/supplier/list.php 
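Review bot: The three `+` lines now pass `$country_code_in_EEC` / `$country_code_in_EEC_without_me` whole through sanitize(), but those strings are built outside the hunk and the sibling branch `co.code <> '".$db->escape($mysoc->country_code)."'` shows `co.code` is a quoted text column, so they are presumably comma-separated lists of quoted ISO codes. sanitize() is not shown; elsewhere in this patch (advtargetemailing) the author keeps the surrounding quotes outside the sanitize() call, which suggests it strips `'`, and if so `special_eec`, `special_eecnotme` and `special_noteec` would emit `IN (AT,BE,...)` — bare identifiers, i.e. a SQL error or silently wrong rows. Either confirm that sanitize() preserves single quotes, or `$db->escape()` each code where the list is assembled and append the quoted list here without a second pass; a request with `search_country=special_eec` would settle it quickly.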
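Review bot: In the supplier/lines.php hunk the same quoted lists `$country_code_in_EEC` and `$country_code_in_EEC_without_me` (for the text column `co.code`, see the `<> '".$db->escape(...)."'` branch on the context lines) are now passed whole to sanitize(), whose treatment of single quotes is not visible here. If it removes them, the three EEC filters produce an unquoted identifier list and the query breaks; verify the quote handling, or escape each code where the list is built and keep the quoting outside the sanitize() call.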
+++ b/htdocs/accountancy/supplier/list.php @@ -288,11 +288,11 @@ if (strlen(trim($search_country))) { if ($search_country == 'special_allnotme') { $sql .= " AND co.code <> '".$db->escape($mysoc->country_code)."'"; } elseif ($search_country == 'special_eec') { - $sql .= " AND co.code IN (".$country_code_in_EEC.")"; + $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC).")"; } elseif ($search_country == 'special_eecnotme') { - $sql .= " AND co.code IN (".$country_code_in_EEC_without_me.")"; + $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC_without_me).")"; } elseif ($search_country == 'special_noteec') { - $sql .= " AND co.code NOT IN (".$country_code_in_EEC.")"; + $sql .= " AND co.code NOT IN (".$db->sanitize($country_code_in_EEC).")"; } else { $sql .= natural_search("co.code", $search_country); } diff --git a/htdocs/adherents/list.php b/htdocs/adherents/list.php index a52d551d83e..f2bcf690a48 100644 --- a/htdocs/adherents/list.php +++ b/htdocs/adherents/list.php @@ -379,7 +379,7 @@ if ($search_phone_mobile) { $sql .= natural_search("d.phone_mobile", $search_phone_mobile); } if ($search_country) { - $sql .= " AND d.country IN (".$search_country.')'; + $sql .= " AND d.country IN (".$db->sanitize($search_country).')'; } // Add where from extra fields diff --git a/htdocs/admin/const.php b/htdocs/admin/const.php index 177a38e382b..93550ea3254 100644 --- a/htdocs/admin/const.php +++ b/htdocs/admin/const.php @@ -237,7 +237,7 @@ $sql .= ", note"; $sql .= ", tms"; $sql .= ", entity"; $sql .= " FROM ".MAIN_DB_PREFIX."const"; -$sql .= " WHERE entity IN (".$user->entity.",".$conf->entity.")"; +$sql .= " WHERE entity IN (".$db->sanitize($user->entity.",".$conf->entity).")"; if ((empty($user->entity) || $user->admin) && $debug) { } elseif (!GETPOST('visible') || GETPOST('visible') != 'all') { // to force for superadmin to debug diff --git a/htdocs/admin/system/constall.php b/htdocs/admin/system/constall.php index 14756541d55..96cb98809ef 100644 
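Review bot: In the supplier/list.php hunk `$country_code_in_EEC` and `$country_code_in_EEC_without_me` are quoted lists for the text column `co.code` (the `<> '".$db->escape($mysoc->country_code)."'` branch above shows the column is compared as a string) and are now run whole through sanitize(). Whether sanitize() preserves `'` is not visible in this patch; if it strips quotes, the `special_eec` / `special_eecnotme` / `special_noteec` filters emit `IN (AT,BE,...)` and fail. Confirm the quote handling or build the list from individually escaped codes with the quotes added outside the call.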
--- a/htdocs/admin/system/constall.php +++ b/htdocs/admin/system/constall.php @@ -223,7 +223,7 @@ if (empty($conf->multicompany->enabled)) { } else { // If multicompany mode, superadmin (user->entity=0) can see everything, admin are limited to their entities. if ($user->entity) { - $sql .= " WHERE entity IN (".$user->entity.",".$conf->entity.")"; + $sql .= " WHERE entity IN (".$db->sanitize($user->entity.",".$conf->entity).")"; } } $sql .= " ORDER BY entity, name ASC"; diff --git a/htdocs/admin/system/dolibarr.php b/htdocs/admin/system/dolibarr.php index cfdc196d79d..b4131a4bdde 100644 --- a/htdocs/admin/system/dolibarr.php +++ b/htdocs/admin/system/dolibarr.php @@ -484,7 +484,7 @@ if (empty($conf->multicompany->enabled)) { } else { // If multicompany mode, superadmin (user->entity=0) can see everything, admin are limited to their entities. if ($user->entity) { - $sql .= " WHERE entity IN (".$user->entity.",".$conf->entity.")"; + $sql .= " WHERE entity IN (".$db->sanitize($user->entity.",".$conf->entity).")"; } } $sql .= " ORDER BY entity, name ASC"; diff --git a/htdocs/comm/action/class/api_agendaevents.class.php b/htdocs/comm/action/class/api_agendaevents.class.php index 9ad3dd8ce51..5d57b9624e3 100644 --- a/htdocs/comm/action/class/api_agendaevents.class.php +++ b/htdocs/comm/action/class/api_agendaevents.class.php @@ -147,14 +147,14 @@ class AgendaEvents extends DolibarrApi } } if ($user_ids) { - $sql .= " AND t.fk_user_action IN (".$user_ids.")"; + $sql .= " AND t.fk_user_action IN (".$this->db->sanitize($user_ids).")"; } if ($socid > 0) { - $sql .= " AND t.fk_soc = ".$socid; + $sql .= " AND t.fk_soc = ".((int) $socid); } // Insert sale filter if ($search_sale > 0) { - $sql .= " AND sc.fk_user = ".$search_sale; + $sql .= " AND sc.fk_user = ".((int) $search_sale); } // Add sql filters if ($sqlfilters) { diff --git a/htdocs/comm/mailing/class/advtargetemailing.class.php b/htdocs/comm/mailing/class/advtargetemailing.class.php index c811b673197..8de98f67ebe 100644 
--- a/htdocs/comm/mailing/class/advtargetemailing.class.php +++ b/htdocs/comm/mailing/class/advtargetemailing.class.php 
@@ -559,34 +559,34 @@ class AdvanceTargetingMailing extends CommonObject $sqlwhere[] = " (t.parent IN (SELECT rowid FROM ".MAIN_DB_PREFIX."societe WHERE (".$str.")))"; } if (!empty($arrayquery['cust_status']) && count($arrayquery['cust_status']) > 0) { - $sqlwhere[] = " (t.status IN (".implode(',', $arrayquery['cust_status'])."))"; + $sqlwhere[] = " (t.status IN (".$this->db->sanitize(implode(',', $arrayquery['cust_status']))."))"; } if (!empty($arrayquery['cust_typecust']) && count($arrayquery['cust_typecust']) > 0) { - $sqlwhere[] = " (t.client IN (".implode(',', $arrayquery['cust_typecust'])."))"; + $sqlwhere[] = " (t.client IN (".$this->db->sanitize(implode(',', $arrayquery['cust_typecust']))."))"; } if (!empty($arrayquery['cust_comm_status']) && count($arrayquery['cust_comm_status'] > 0)) { - $sqlwhere[] = " (t.fk_stcomm IN (".implode(',', $arrayquery['cust_comm_status'])."))"; + $sqlwhere[] = " (t.fk_stcomm IN (".$this->db->sanitize(implode(',', $arrayquery['cust_comm_status']))."))"; } if (!empty($arrayquery['cust_prospect_status']) && count($arrayquery['cust_prospect_status']) > 0) { - $sqlwhere[] = " (t.fk_prospectlevel IN ('".implode("','", $arrayquery['cust_prospect_status'])."'))"; + $sqlwhere[] = " (t.fk_prospectlevel IN ('".$this->db->sanitize(implode("','", $arrayquery['cust_prospect_status']))."'))"; } if (!empty($arrayquery['cust_typeent']) && count($arrayquery['cust_typeent']) > 0) { - $sqlwhere[] = " (t.fk_typent IN (".implode(',', $arrayquery['cust_typeent'])."))"; + $sqlwhere[] = " (t.fk_typent IN (".$this->db->sanitize(implode(',', $arrayquery['cust_typeent']))."))"; } if (!empty($arrayquery['cust_saleman']) && count($arrayquery['cust_saleman']) > 0) { - $sqlwhere[] = " (saleman.fk_user IN (".implode(',', $arrayquery['cust_saleman'])."))"; + $sqlwhere[] = " (saleman.fk_user IN (".$this->db->sanitize(implode(',', $arrayquery['cust_saleman']))."))"; } if (!empty($arrayquery['cust_country']) && count($arrayquery['cust_country']) > 0) { - 
$sqlwhere[] = " (t.fk_pays IN (".implode(',', $arrayquery['cust_country'])."))"; + $sqlwhere[] = " (t.fk_pays IN (".$this->db->sanitize(implode(',', $arrayquery['cust_country']))."))"; } if (!empty($arrayquery['cust_effectif_id']) && count($arrayquery['cust_effectif_id']) > 0) { - $sqlwhere[] = " (t.fk_effectif IN (".implode(',', $arrayquery['cust_effectif_id'])."))"; + $sqlwhere[] = " (t.fk_effectif IN (".$this->db->sanitize(implode(',', $arrayquery['cust_effectif_id']))."))"; } if (!empty($arrayquery['cust_categ']) && count($arrayquery['cust_categ']) > 0) { - $sqlwhere[] = " (custcateg.fk_categorie IN (".implode(',', $arrayquery['cust_categ'])."))"; + $sqlwhere[] = " (custcateg.fk_categorie IN (".$this->db->sanitize(implode(',', $arrayquery['cust_categ']))."))"; } if (!empty($arrayquery['cust_language']) && count($arrayquery['cust_language']) > 0) { - $sqlwhere[] = " (t.default_lang IN ('".implode("','", $arrayquery['cust_language'])."'))"; + $sqlwhere[] = " (t.default_lang IN ('".$this->db->sanitize(implode("','", $arrayquery['cust_language']))."'))"; } //Standard Extrafield feature 
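Review bot: In the `cust_prospect_status` and `cust_language` `+` lines the quotes that separate values (`implode("','", ...)`) sit inside the sanitize() call while the outer quotes sit outside it, so with two or more selected values the result depends on whether sanitize() keeps `'` (not visible here); if it does not, two languages become `IN ('fr,en')` and the filter silently matches nothing. Escape each element and keep all quoting outside the call, e.g. `"'".implode("','", array_map(array($this->db, 'escape'), $arrayquery['cust_language']))."'"`. Separately, the context line `count($arrayquery['cust_comm_status'] > 0)` has the `> 0` inside count(), so count() is called on a bool, which is a TypeError on PHP 8; it should read `count($arrayquery['cust_comm_status']) > 0` like the neighbouring conditions. The enclosing method begins and ends outside the hunk.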
@@ -797,34 +797,34 @@ class AdvanceTargetingMailing extends CommonObject $sqlwhere[] = " (ts.parent IN (SELECT rowid FROM ".MAIN_DB_PREFIX."societe WHERE (".$str.")))"; } if (!empty($arrayquery['cust_status']) && count($arrayquery['cust_status']) > 0) { - $sqlwhere[] = " (ts.status IN (".implode(',', $arrayquery['cust_status'])."))"; + $sqlwhere[] = " (ts.status IN (".$this->db->sanitize(implode(',', $arrayquery['cust_status']))."))"; } if (!empty($arrayquery['cust_typecust']) && count($arrayquery['cust_typecust']) > 0) { - $sqlwhere[] = " (ts.client IN (".implode(',', $arrayquery['cust_typecust'])."))"; + $sqlwhere[] = " (ts.client IN (".$this->db->sanitize(implode(',', $arrayquery['cust_typecust']))."))"; } if (!empty($arrayquery['cust_comm_status']) && count($arrayquery['cust_comm_status'] > 0)) { - $sqlwhere[] = " (ts.fk_stcomm IN (".implode(',', $arrayquery['cust_comm_status'])."))"; + $sqlwhere[] = " (ts.fk_stcomm IN (".$this->db->sanitize(implode(',', $arrayquery['cust_comm_status']))."))"; } if (!empty($arrayquery['cust_prospect_status']) && count($arrayquery['cust_prospect_status']) > 0) { - $sqlwhere[] = " (ts.fk_prospectlevel IN ('".implode("','", $arrayquery['cust_prospect_status'])."'))"; + $sqlwhere[] = " (ts.fk_prospectlevel IN ('".$this->db->sanitize(implode("','", $arrayquery['cust_prospect_status']))."'))"; } if (!empty($arrayquery['cust_typeent']) && count($arrayquery['cust_typeent']) > 0) { - $sqlwhere[] = " (ts.fk_typent IN (".implode(',', $arrayquery['cust_typeent'])."))"; + $sqlwhere[] = " (ts.fk_typent IN (".$this->db->sanitize(implode(',', $arrayquery['cust_typeent']))."))"; } if (!empty($arrayquery['cust_saleman']) && count($arrayquery['cust_saleman']) > 0) { - $sqlwhere[] = " (saleman.fk_user IN (".implode(',', $arrayquery['cust_saleman'])."))"; + $sqlwhere[] = " (saleman.fk_user IN (".$this->db->sanitize(implode(',', $arrayquery['cust_saleman']))."))"; } if (!empty($arrayquery['cust_country']) && count($arrayquery['cust_country']) > 0) { 
- $sqlwhere[] = " (ts.fk_pays IN (".implode(',', $arrayquery['cust_country'])."))"; + $sqlwhere[] = " (ts.fk_pays IN (".$this->db->sanitize(implode(',', $arrayquery['cust_country']))."))"; } if (!empty($arrayquery['cust_effectif_id']) && count($arrayquery['cust_effectif_id']) > 0) { - $sqlwhere[] = " (ts.fk_effectif IN (".implode(',', $arrayquery['cust_effectif_id'])."))"; + $sqlwhere[] = " (ts.fk_effectif IN (".$this->db->sanitize(implode(',', $arrayquery['cust_effectif_id']))."))"; } if (!empty($arrayquery['cust_categ']) && count($arrayquery['cust_categ']) > 0) { - $sqlwhere[] = " (custcateg.fk_categorie IN (".implode(',', $arrayquery['cust_categ'])."))"; + $sqlwhere[] = " (custcateg.fk_categorie IN (".$this->db->sanitize(implode(',', $arrayquery['cust_categ']))."))"; } if (!empty($arrayquery['cust_language']) && count($arrayquery['cust_language']) > 0) { - $sqlwhere[] = " (ts.default_lang IN ('".implode("','", $arrayquery['cust_language'])."'))"; + $sqlwhere[] = " (ts.default_lang IN ('".$this->db->sanitize(implode("','", $arrayquery['cust_language']))."'))"; } //Standard Extrafield feature diff --git a/htdocs/comm/propal/class/api_proposals.class.php b/htdocs/comm/propal/class/api_proposals.class.php index 84d7cf23385..9f5cdea8000 100644 --- a/htdocs/comm/propal/class/api_proposals.class.php +++ b/htdocs/comm/propal/class/api_proposals.class.php @@ -181,14 +181,14 @@ class Proposals extends DolibarrApi $sql .= " AND t.fk_soc = sc.fk_soc"; } if ($socids) { - $sql .= " AND t.fk_soc IN (".$socids.")"; + $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")"; } if ($search_sale > 0) { $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale } // Insert sale filter if ($search_sale > 0) { - $sql .= " AND sc.fk_user = ".$search_sale; + $sql .= " AND sc.fk_user = ".((int) $search_sale); } // Add sql filters if ($sqlfilters) { 
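Review bot: In the `ts.fk_prospectlevel` and `ts.default_lang` `+` lines the separating quotes from `implode("','", ...)` are inside the sanitize() call while the outer quotes are outside it, so for two or more selected values the clause is only correct if sanitize() preserves `'`, which this patch does not show; otherwise it collapses to `IN ('a,b')` and matches nothing. Escape per element and keep the quoting outside the call: `"'".implode("','", array_map(array($this->db, 'escape'), $arrayquery['cust_prospect_status']))."'"`. The context line `count($arrayquery['cust_comm_status'] > 0)` also puts `> 0` inside count(), a TypeError on PHP 8; it should be `count($arrayquery['cust_comm_status']) > 0`. The enclosing method begins and ends outside the hunk.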
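Review bot: In the api_proposals hunk the context line `$sql .= " AND t.rowid = sc.fk_soc";` under `if ($search_sale > 0)` compares the proposal's primary key with a thirdparty id; given the `t.fk_soc = sc.fk_soc` join a few lines above, `t.fk_soc = sc.fk_soc` looks intended, otherwise the sales-rep filter returns proposals whose id happens to equal a company id. Not introduced by this commit, but worth fixing while the filter block is being touched; the same line appears in the orders and contracts API hunks of this patch. The enclosing method starts and ends outside the hunk.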
diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php index 197c9c7074f..3a03254099d 100644 --- a/htdocs/comm/propal/class/propal.class.php +++ b/htdocs/comm/propal/class/propal.class.php @@ -2821,7 +2821,7 @@ class Propal extends CommonObject if (count($linkedInvoices) > 0) { $sql = "SELECT rowid as facid, ref, total, datef as df, fk_user_author, fk_statut, paye"; $sql .= " FROM ".MAIN_DB_PREFIX."facture"; - $sql .= " WHERE rowid IN (".implode(',', $linkedInvoices).")"; + $sql .= " WHERE rowid IN (".$this->db->sanitize(implode(',', $linkedInvoices)).")"; dol_syslog(get_class($this)."::InvoiceArrayList", LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/commande/class/api_orders.class.php b/htdocs/commande/class/api_orders.class.php index 768e6a78c70..d839cf38924 100644 --- a/htdocs/commande/class/api_orders.class.php +++ b/htdocs/commande/class/api_orders.class.php @@ -184,7 +184,7 @@ class Orders extends DolibarrApi $sql .= " AND t.fk_soc = sc.fk_soc"; } if ($socids) { - $sql .= " AND t.fk_soc IN (".$socids.")"; + $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")"; } if ($search_sale > 0) { $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php index b29b594f8f2..14fc65cf18d 100644 --- a/htdocs/commande/class/commande.class.php +++ b/htdocs/commande/class/commande.class.php 
@@ -2300,8 +2300,8 @@ class Commande extends CommonOrder if (count($array_of_product)) { $sql = "SELECT fk_product, sum(ps.reel) as total"; $sql .= " FROM ".MAIN_DB_PREFIX."product_stock as ps"; - $sql .= " WHERE ps.fk_product IN (".join(',', $array_of_product).")"; - $sql .= ' GROUP BY fk_product '; + $sql .= " WHERE ps.fk_product IN (".$this->db->sanitize(join(',', $array_of_product)).")"; + $sql .= ' GROUP BY fk_product'; $resql = $this->db->query($sql); if ($resql) { $num = $this->db->num_rows($resql); diff --git a/htdocs/compta/bank/annuel.php b/htdocs/compta/bank/annuel.php index 45ae92480a0..686b14362cc 100644 --- a/htdocs/compta/bank/annuel.php +++ b/htdocs/compta/bank/annuel.php @@ -267,7 +267,7 @@ if ($result < 0) { $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; if ($id && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$id.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($id).")"; } $resql = $db->query($sql); @@ -299,7 +299,7 @@ if ($result < 0) { $sql .= " AND b.datev <= '".($year - $annee)."-12-31 23:59:59'"; $sql .= " AND b.amount > 0"; if ($id && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$id.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($id).")"; } $sql .= " GROUP BY date_format(b.datev,'%m');"; @@ -381,7 +381,7 @@ if ($result < 0) { $sql .= " AND b.datev <= '".($year - $annee)."-12-31 23:59:59'"; $sql .= " AND b.amount < 0"; if ($id && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$id.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($id).")"; } $sql .= " GROUP BY date_format(b.datev,'%m');"; diff --git a/htdocs/compta/bank/class/account.class.php b/htdocs/compta/bank/class/account.class.php index be38f1311d7..451f855a5fe 100644 --- a/htdocs/compta/bank/class/account.class.php +++ b/htdocs/compta/bank/class/account.class.php 
@@ -943,7 +943,7 @@ class Account extends CommonObject $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'accounting_journal as aj ON aj.rowid=ba.fk_accountancy_journal'; $sql .= " WHERE ba.entity IN (".getEntity($this->element).")"; if ($id) { - $sql .= " AND ba.rowid = ".$id; + $sql .= " AND ba.rowid = ".((int) $id); } if ($ref) { $sql .= " AND ba.ref = '".$this->db->escape($ref)."'"; diff --git a/htdocs/compta/bank/graph.php b/htdocs/compta/bank/graph.php index 6dd588f51e1..e2be937aace 100644 --- a/htdocs/compta/bank/graph.php +++ b/htdocs/compta/bank/graph.php @@ -35,10 +35,10 @@ $WIDTH = DolGraph::getDefaultGraphSizeForStats('width', 768); $HEIGHT = DolGraph::getDefaultGraphSizeForStats('height', 200); // Security check -if (isset($_GET["account"]) || isset($_GET["ref"])) { - $id = isset($_GET["account"]) ? $_GET["account"] : (isset($_GET["ref"]) ? $_GET["ref"] : ''); +if (GETPOST('account') || GETPOST('ref')) { + $id = GETPOST('account') ? GETPOST('account') : GETPOST('ref'); } -$fieldid = isset($_GET["ref"]) ? 'ref' : 'rowid'; +$fieldid = GETPOST('ref') ? 'ref' : 'rowid'; if ($user->socid) { $socid = $user->socid; } 
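Review bot: In the graph.php hunk `$id` is still left undefined when neither `account` nor `ref` is supplied, and the new `GETPOST('account')` / `GETPOST('ref')` calls pass no check type although the block is commented `// Security check` and the value later reaches `IN (...)` clauses with only sanitize() in between. `account` may be a comma-separated list here (the next hunk of this file tests for `,` before fetching with `GETPOST('account', 'int')`), so validate it as such, e.g. reject it unless it matches `^[0-9]+(,[0-9]+)*$`, and add `$id = 0;` before the `if`. Note also that replacing `isset($_GET[...])` with a truthy GETPOST() means `account=0` or `ref=0` now falls through to the no-parameter path, and GETPOST presumably reads POST as well as GET; both are acceptable if intended but are behaviour changes the commit message does not mention.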
@@ -66,19 +66,19 @@ $datetime = dol_now(); $year = dol_print_date($datetime, "%Y"); $month = dol_print_date($datetime, "%m"); $day = dol_print_date($datetime, "%d"); -if (GETPOST("year")) { - $year = sprintf("%04d", GETPOST("year")); +if (GETPOST("year", 'int')) { + $year = sprintf("%04d", GETPOST("year", 'int')); } -if (GETPOST("month")) { - $month = sprintf("%02d", GETPOST("month")); +if (GETPOST("month", 'int')) { + $month = sprintf("%02d", GETPOST("month", 'int')); } $object = new Account($db); -if ($_GET["account"] && !preg_match('/,/', $_GET["account"])) { // if for a particular account and not a list - $result = $object->fetch(GETPOST("account", "int")); +if (GETPOST('account') && !preg_match('/,/', GETPOST('account'))) { // if for a particular account and not a list + $result = $object->fetch(GETPOST('account', 'int')); } -if ($_GET["ref"]) { +if (GETPOST("ref")) { $result = $object->fetch(0, GETPOST("ref")); $account = $object->id; } @@ -96,7 +96,7 @@ if ($result < 0) { $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; if ($account && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$account.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($account).")"; } $resql = $db->query($sql); @@ -138,7 +138,7 @@ if ($result < 0) { $sql .= " AND b.datev >= '".$db->escape($year)."-".$db->escape($month)."-01 00:00:00'"; $sql .= " AND b.datev < '".$db->escape($yearnext)."-".$db->escape($monthnext)."-01 00:00:00'"; if ($account && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$account.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($account).")"; } $sql .= " GROUP BY date_format(b.datev,'%Y%m%d')"; 
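Review bot: The condition `$_GET["option"] != 'all'` on the context lines of the `@@ -96` hunk still reads the superglobal directly, while the first hunk of this file converted the other `$_GET` reads to GETPOST(); `GETPOST('option') != 'all'` would keep the file consistent and avoids the undefined-index notice when `option` is absent. The same `$_GET["option"]` test recurs in every later hunk of this file. Also, wrapping `$account` in sanitize() is only as strong as the validation of `account` at the top of the file, since a comma-separated list is accepted there without a check type.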
@@ -280,7 +280,7 @@ if ($result < 0) { $sql .= " AND b.datev >= '".$db->escape($year)."-01-01 00:00:00'"; $sql .= " AND b.datev <= '".$db->escape($year)."-12-31 23:59:59'"; if ($account && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$account.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($account).")"; } $sql .= " GROUP BY date_format(b.datev,'%Y%m%d')"; @@ -308,7 +308,7 @@ if ($result < 0) { $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; $sql .= " AND b.datev < '".$db->escape($year)."-01-01'"; if ($account && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$account.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($account).")"; } $resql = $db->query($sql); @@ -416,7 +416,7 @@ if ($result < 0) { $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; if ($account && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$account.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($account).")"; } $sql .= " GROUP BY date_format(b.datev,'%Y%m%d')"; @@ -541,7 +541,7 @@ if ($result < 0) { $sql .= " AND b.datev < '".$db->escape($yearnext)."-".$db->escape($monthnext)."-01 00:00:00'"; $sql .= " AND b.amount > 0"; if ($account && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$account.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($account).")"; } $sql .= " GROUP BY date_format(b.datev,'%d')"; @@ -576,7 +576,7 @@ if ($result < 0) { $sql .= " AND b.datev < '".$db->escape($yearnext)."-".$db->escape($monthnext)."-01 00:00:00'"; $sql .= " AND b.amount < 0"; if ($account && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$account.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($account).")"; } $sql .= " GROUP BY date_format(b.datev,'%d')"; 
@@ -650,7 +650,7 @@ if ($result < 0) { $sql .= " AND b.datev <= '".$db->escape($year)."-12-31 23:59:59'"; $sql .= " AND b.amount > 0"; if ($account && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$account.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($account).")"; } $sql .= " GROUP BY date_format(b.datev,'%m');"; @@ -677,7 +677,7 @@ if ($result < 0) { $sql .= " AND b.datev <= '".$db->escape($year)."-12-31 23:59:59'"; $sql .= " AND b.amount < 0"; if ($account && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$account.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($account).")"; } $sql .= " GROUP BY date_format(b.datev,'%m')"; diff --git a/htdocs/compta/facture/class/api_invoices.class.php b/htdocs/compta/facture/class/api_invoices.class.php index ad44dbe6637..9c224b057ab 100644 --- a/htdocs/compta/facture/class/api_invoices.class.php +++ b/htdocs/compta/facture/class/api_invoices.class.php @@ -191,7 +191,7 @@ class Invoices extends DolibarrApi $sql .= " AND t.fk_soc = sc.fk_soc"; } if ($socids) { - $sql .= " AND t.fk_soc IN (".$socids.")"; + $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")"; } if ($search_sale > 0) { diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php index b0690675b53..da3620165dd 100644 --- a/htdocs/compta/facture/class/facture.class.php +++ b/htdocs/compta/facture/class/facture.class.php 
@@ -4158,13 +4158,13 @@ class Facture extends CommonInvoice
 $sqlSit .= " AND fs.fk_statut in (".self::STATUS_VALIDATED.",".self::STATUS_CLOSED.")";
 $sqlSit .= " GROUP BY fs.situation_cycle_ref";
 $sqlSit .= " ORDER BY fs.situation_counter";
- $sql .= " AND ( f.type != ".self::TYPE_SITUATION." OR f.rowid IN (".$sqlSit.") )"; // Type non 5 si facture non avoir
+ $sql .= " AND ( f.type != ".self::TYPE_SITUATION." OR f.rowid IN (".$this->db->sanitize($sqlSit).") )"; // Type non 5 si facture non avoir
 } else {
 $sql .= " AND f.type != ".self::TYPE_SITUATION; // Type non 5 si facture non avoir
 }
 if ($socid > 0) {
- $sql .= " AND f.fk_soc = ".$socid;
+ $sql .= " AND f.fk_soc = ".((int) $socid);
 }
 $sql .= " ORDER BY f.ref";
diff --git a/htdocs/compta/stats/cabyprodserv.php b/htdocs/compta/stats/cabyprodserv.php
index 25d9d4b9460..4ecbe6d56d0 100644
--- a/htdocs/compta/stats/cabyprodserv.php
+++ b/htdocs/compta/stats/cabyprodserv.php
@@ -323,9 +323,9 @@ if ($modecompta == 'CREANCES-DETTES') {
 $sql .= " AND (p.rowid IN ";
 $sql .= " (SELECT fk_product FROM ".MAIN_DB_PREFIX."categorie_product cp WHERE ";
 if ($subcat) {
- $sql .= "cp.fk_categorie IN (".$listofcatsql.")";
+ $sql .= "cp.fk_categorie IN (".$db->sanitize($listofcatsql).")";
 } else {
- $sql .= "cp.fk_categorie = ".$selected_cat;
+ $sql .= "cp.fk_categorie = ".((int) $selected_cat);
 }
 $sql .= "))";
 }
diff --git a/htdocs/contact/list.php b/htdocs/contact/list.php
index 53ebbdfddd9..3890155f116 100644
--- a/htdocs/contact/list.php
+++ b/htdocs/contact/list.php
@@ -458,7 +458,7 @@ if ($search_societe) {
 $sql .= natural_search(empty($conf->global->SOCIETE_DISABLE_CONTACTS) ? 's.nom' : 'p.fk_soc', $search_societe);
 }
 if ($search_country) {
- $sql .= " AND p.fk_pays IN (".$search_country.')';
+ $sql .= " AND p.fk_pays IN (".$db->sanitize($search_country).')';
 }
 if (strlen($search_poste)) {
 $sql .= natural_search('p.poste', $search_poste);
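Review bot: `$sqlSit` on the `+` line of the facture.class.php hunk is a complete `SELECT ... GROUP BY ... ORDER BY` subquery (assembled on the context lines above), not a value list, yet it is now passed through sanitize(). sanitize() is not shown here, but every other use in this patch is on lists of ids or codes, which suggests a character whitelist; if so, the spaces, parentheses and operators of the subquery are stripped and the situation-invoice branch of this query fails with a syntax error. The subquery is built from class constants and internal SQL, so keep `f.rowid IN (".$sqlSit.")` and instead escape or cast any dynamic value at the point where it is concatenated into `$sqlSit`, above this hunk. The enclosing method starts and ends outside the hunk.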
@@ -492,9 +492,8 @@ if (strlen($search_town)) {
 $sql .= natural_search("p.town", $search_town);
 }
 if (count($search_roles) > 0) {
- $sql .= " AND p.rowid IN (SELECT sc.fk_socpeople FROM ".MAIN_DB_PREFIX."societe_contacts as sc WHERE sc.fk_c_type_contact IN (".implode(',', $search_roles)."))";
+ $sql .= " AND p.rowid IN (SELECT sc.fk_socpeople FROM ".MAIN_DB_PREFIX."societe_contacts as sc WHERE sc.fk_c_type_contact IN (".$db->sanitize(implode(',', $search_roles))."))";
 }
-
 if ($search_no_email != '' && $search_no_email >= 0) {
 $sql .= " AND p.no_email = ".$db->escape($search_no_email);
 }
diff --git a/htdocs/contrat/class/api_contracts.class.php b/htdocs/contrat/class/api_contracts.class.php
index c6a834331c9..cf821ccb2c6 100644
--- a/htdocs/contrat/class/api_contracts.class.php
+++ b/htdocs/contrat/class/api_contracts.class.php
@@ -132,14 +132,14 @@ class Contracts extends DolibarrApi
 $sql .= " AND t.fk_soc = sc.fk_soc";
 }
 if ($socids) {
- $sql .= " AND t.fk_soc IN (".$socids.")";
+ $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")";
 }
 if ($search_sale > 0) {
 $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
 }
 // Insert sale filter
 if ($search_sale > 0) {
- $sql .= " AND sc.fk_user = ".$search_sale;
+ $sql .= " AND sc.fk_user = ".((int) $search_sale);
 }
 // Add sql filters
 if ($sqlfilters) {
diff --git a/htdocs/contrat/class/contrat.class.php b/htdocs/contrat/class/contrat.class.php
index 02929f281a8..64d2b5e2c0a 100644
--- a/htdocs/contrat/class/contrat.class.php
+++ b/htdocs/contrat/class/contrat.class.php
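Review bot: The context line `$sql .= " AND p.no_email = ".$db->escape($search_no_email);` at the end of the contact/list.php hunk interpolates a request value unquoted in a numeric comparison; escape() only neutralises quote characters, and the guard `$search_no_email >= 0` does not reject a non-numeric string. Cast it like the other numeric filters in this commit: `$sql .= " AND p.no_email = ".((int) $search_no_email);`.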
@@ -1172,7 +1172,7 @@ class Contrat extends CommonObject
 $this->db->free($resql);
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."contratdet_log ";
- $sql .= " WHERE ".MAIN_DB_PREFIX."contratdet_log.rowid IN (".implode(",", $tab_resql).")";
+ $sql .= " WHERE ".MAIN_DB_PREFIX."contratdet_log.rowid IN (".$this->db->sanitize(implode(",", $tab_resql)).")";
 dol_syslog(get_class($this)."::delete contratdet_log", LOG_DEBUG);
 $resql = $this->db->query($sql);
diff --git a/htdocs/core/boxes/box_project.php b/htdocs/core/boxes/box_project.php
index 04aa812ea34..9f1204c4dc4 100644
--- a/htdocs/core/boxes/box_project.php
+++ b/htdocs/core/boxes/box_project.php
@@ -103,7 +103,7 @@ class box_project extends ModeleBoxes
 $sql .= " WHERE p.entity IN (".getEntity('project').")"; // Only current entity or severals if permission ok
 $sql .= " AND p.fk_statut = 1"; // Only open projects
 if (!$user->rights->projet->all->lire) {
- $sql .= " AND p.rowid IN (".$projectsListId.")"; // public and assigned to, or restricted to company for external users
+ $sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")"; // public and assigned to, or restricted to company for external users
 }
 $sql .= " ORDER BY p.datec DESC";
diff --git a/htdocs/core/boxes/box_task.php b/htdocs/core/boxes/box_task.php
index 0650b10a872..16cd41ce564 100644
--- a/htdocs/core/boxes/box_task.php
+++ b/htdocs/core/boxes/box_task.php
@@ -169,7 +169,7 @@ class box_task extends ModeleBoxes
 $sql .= " AND (pt.progress < 100 OR pt.progress IS NULL ) "; // 100% is done and not displayed
 $sql .= " AND p.usage_task = 1 ";
 if (!$user->rights->projet->all->lire) {
- $sql .= " AND p.rowid IN (".$projectsListId.")"; // public and assigned to, or restricted to company for external users
+ $sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")"; // public and assigned to, or restricted to company for external users
 }
 $sql .= " ORDER BY pt.datee ASC, pt.dateo ASC";
diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php
index 253ed9a1d02..f743deaa894 100644
--- a/htdocs/core/class/commonobject.class.php
+++ b/htdocs/core/class/commonobject.class.php
@@ -1218,7 +1218,7 @@ abstract class CommonObject
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."element_contact";
 $sql .= " WHERE element_id = ".$this->id;
 if ($listId) {
- $sql .= " AND fk_c_type_contact IN (".$listId.")";
+ $sql .= " AND fk_c_type_contact IN (".$this->db->sanitize($listId).")";
 }
 dol_syslog(get_class($this)."::delete_linked_contact", LOG_DEBUG);
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index d75ec44798f..d03462d17e8 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -1904,10 +1904,10 @@ class Form
 $sql .= " AND u.fk_soc = ".$user->socid;
 }
 if (is_array($exclude) && $excludeUsers) {
- $sql .= " AND u.rowid NOT IN (".$excludeUsers.")";
+ $sql .= " AND u.rowid NOT IN (".$this->db->sanitize($excludeUsers).")";
 }
 if ($includeUsers) {
- $sql .= " AND u.rowid IN (".$includeUsers.")";
+ $sql .= " AND u.rowid IN (".$this->db->sanitize($includeUsers).")";
 }
 if (!empty($conf->global->USER_HIDE_INACTIVE_IN_COMBOBOX) || $noactive) {
 $sql .= " AND u.statut <> 0";
@@ -5661,7 +5661,7 @@ class Form
 $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
 $sql .= " WHERE t.fk_pays = c.rowid";
 $sql .= " AND t.active > 0";
- $sql .= " AND c.code IN (".$country_code.")";
+ $sql .= " AND c.code IN (".$this->db->sanitize($country_code).")";
 $sql .= " ORDER BY t.code ASC, t.taux ASC, t.recuperableonly ASC";
 $resql = $this->db->query($sql);
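Review bot: `$this->db->sanitize($country_code)` in the html.form.class.php @@ -5661 hunk is called without the second argument, while `c.code IN (...)` compares country codes, i.e. a list of quoted strings rather than integer ids; the one other quoted-string list in this patch (`$typestring` in website.lib.php) passes `1` as the second argument. Unless the default mode keeps letters and quotes, this VAT-rate filter now matches nothing. Suggest `$sql .= " AND c.code IN (".$this->db->sanitize($country_code, 1).")";`, plus a docblock line on the method stating the expected format of `$country_code` (quoted, comma-separated codes). The enclosing method lies outside the hunk.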
@@ -7642,17 +7642,17 @@ class Form
 }
 $possiblelinks = array(
- 'propal'=>array('enabled'=>$conf->propal->enabled, 'perms'=>1, 'label'=>'LinkToProposal', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_client, t.total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."propal as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$listofidcompanytoscan.') AND t.entity IN ('.getEntity('propal').')'),
- 'order'=>array('enabled'=>$conf->commande->enabled, 'perms'=>1, 'label'=>'LinkToOrder', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_client, t.total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."commande as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$listofidcompanytoscan.') AND t.entity IN ('.getEntity('commande').')'),
- 'invoice'=>array('enabled'=>$conf->facture->enabled, 'perms'=>1, 'label'=>'LinkToInvoice', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_client, t.total as total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."facture as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$listofidcompanytoscan.') AND t.entity IN ('.getEntity('invoice').')'),
- 'invoice_template'=>array('enabled'=>$conf->facture->enabled, 'perms'=>1, 'label'=>'LinkToTemplateInvoice', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.titre as ref, t.total as total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."facture_rec as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$listofidcompanytoscan.') AND t.entity IN ('.getEntity('invoice').')'),
+ 'propal'=>array('enabled'=>$conf->propal->enabled, 'perms'=>1, 'label'=>'LinkToProposal', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_client, t.total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."propal as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$this->db->sanitize($listofidcompanytoscan).') AND t.entity IN ('.getEntity('propal').')'),
+ 'order'=>array('enabled'=>$conf->commande->enabled, 'perms'=>1, 'label'=>'LinkToOrder', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_client, t.total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."commande as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$this->db->sanitize($listofidcompanytoscan).') AND t.entity IN ('.getEntity('commande').')'),
+ 'invoice'=>array('enabled'=>$conf->facture->enabled, 'perms'=>1, 'label'=>'LinkToInvoice', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_client, t.total as total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."facture as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$this->db->sanitize($listofidcompanytoscan).') AND t.entity IN ('.getEntity('invoice').')'),
+ 'invoice_template'=>array('enabled'=>$conf->facture->enabled, 'perms'=>1, 'label'=>'LinkToTemplateInvoice', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.titre as ref, t.total as total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."facture_rec as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$this->db->sanitize($listofidcompanytoscan).') AND t.entity IN ('.getEntity('invoice').')'),
 'contrat'=>array('enabled'=>$conf->contrat->enabled, 'perms'=>1, 'label'=>'LinkToContract',
- 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_customer as ref_client, t.ref_supplier, SUM(td.total_ht) as total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."contrat as t, ".MAIN_DB_PREFIX."contratdet as td WHERE t.fk_soc = s.rowid AND td.fk_contrat = t.rowid AND t.fk_soc IN (".$listofidcompanytoscan.') AND t.entity IN ('.getEntity('contract').')'),
- 'fichinter'=>array('enabled'=>$conf->ficheinter->enabled, 'perms'=>1, 'label'=>'LinkToIntervention', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."fichinter as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$listofidcompanytoscan.') AND t.entity IN ('.getEntity('intervention').')'),
- 'supplier_proposal'=>array('enabled'=>$conf->supplier_proposal->enabled, 'perms'=>1, 'label'=>'LinkToSupplierProposal', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, '' as ref_supplier, t.total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."supplier_proposal as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$listofidcompanytoscan.') AND t.entity IN ('.getEntity('supplier_proposal').')'),
- 'order_supplier'=>array('enabled'=>$conf->supplier_order->enabled, 'perms'=>1, 'label'=>'LinkToSupplierOrder', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_supplier, t.total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."commande_fournisseur as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$listofidcompanytoscan.') AND t.entity IN ('.getEntity('commande_fournisseur').')'),
- 'invoice_supplier'=>array('enabled'=>$conf->supplier_invoice->enabled, 'perms'=>1, 'label'=>'LinkToSupplierInvoice', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_supplier, t.total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."facture_fourn as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$listofidcompanytoscan.') AND t.entity IN ('.getEntity('facture_fourn').')'),
- 'ticket'=>array('enabled'=>$conf->ticket->enabled, 'perms'=>1, 'label'=>'LinkToTicket', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.track_id, '0' as total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."ticket as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$listofidcompanytoscan.') AND t.entity IN ('.getEntity('ticket').')')
+ 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_customer as ref_client, t.ref_supplier, SUM(td.total_ht) as total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."contrat as t, ".MAIN_DB_PREFIX."contratdet as td WHERE t.fk_soc = s.rowid AND td.fk_contrat = t.rowid AND t.fk_soc IN (".$this->db->sanitize($listofidcompanytoscan).') AND t.entity IN ('.getEntity('contract').')'),
+ 'fichinter'=>array('enabled'=>$conf->ficheinter->enabled, 'perms'=>1, 'label'=>'LinkToIntervention', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."fichinter as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$this->db->sanitize($listofidcompanytoscan).') AND t.entity IN ('.getEntity('intervention').')'),
+ 'supplier_proposal'=>array('enabled'=>$conf->supplier_proposal->enabled, 'perms'=>1, 'label'=>'LinkToSupplierProposal', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, '' as ref_supplier, t.total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."supplier_proposal as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$this->db->sanitize($listofidcompanytoscan).') AND t.entity IN ('.getEntity('supplier_proposal').')'),
+ 'order_supplier'=>array('enabled'=>$conf->supplier_order->enabled, 'perms'=>1, 'label'=>'LinkToSupplierOrder', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_supplier, t.total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."commande_fournisseur as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$this->db->sanitize($listofidcompanytoscan).') AND t.entity IN ('.getEntity('commande_fournisseur').')'),
+ 'invoice_supplier'=>array('enabled'=>$conf->supplier_invoice->enabled, 'perms'=>1, 'label'=>'LinkToSupplierInvoice', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.ref_supplier, t.total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."facture_fourn as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$this->db->sanitize($listofidcompanytoscan).') AND t.entity IN ('.getEntity('facture_fourn').')'),
+ 'ticket'=>array('enabled'=>$conf->ticket->enabled, 'perms'=>1, 'label'=>'LinkToTicket', 'sql'=>"SELECT s.rowid as socid, s.nom as name, s.client, t.rowid, t.ref, t.track_id, '0' as total_ht FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."ticket as t WHERE t.fk_soc = s.rowid AND t.fk_soc IN (".$this->db->sanitize($listofidcompanytoscan).') AND t.entity IN ('.getEntity('ticket').')')
 );
 }
diff --git a/htdocs/core/class/html.formcompany.class.php b/htdocs/core/class/html.formcompany.class.php
index 45a5995df28..2af5cae96f6 100644
--- a/htdocs/core/class/html.formcompany.class.php
+++ b/htdocs/core/class/html.formcompany.class.php
@@ -705,7 +705,7 @@ class FormCompany extends Form
 $sql .= " WHERE s.entity IN (".getEntity('societe').")";
 // For ajax search we limit here. For combo list, we limit later
 if (is_array($limitto) && count($limitto)) {
- $sql .= " AND s.rowid IN (".join(',', $limitto).")";
+ $sql .= " AND s.rowid IN (".$this->db->sanitize(join(',', $limitto)).")";
 }
 $sql .= " ORDER BY s.nom ASC";
diff --git a/htdocs/core/class/html.formcontract.class.php b/htdocs/core/class/html.formcontract.class.php
index c764b7fc17e..46a1e240cf6 100644
--- a/htdocs/core/class/html.formcontract.class.php
+++ b/htdocs/core/class/html.formcontract.class.php
@@ -82,7 +82,7 @@ class FormContract
 if (empty($conf->global->CONTRACT_ALLOW_TO_LINK_FROM_OTHER_COMPANY)) {
 $sql .= " AND (c.fk_soc=".$socid." OR c.fk_soc IS NULL)";
 } elseif ($conf->global->CONTRACT_ALLOW_TO_LINK_FROM_OTHER_COMPANY != 'all') {
- $sql .= " AND (c.fk_soc IN (".$socid.", ".$conf->global->CONTRACT_ALLOW_TO_LINK_FROM_OTHER_COMPANY.") ";
+ $sql .= " AND (c.fk_soc IN (".$this->db->sanitize($socid.", ".$conf->global->CONTRACT_ALLOW_TO_LINK_FROM_OTHER_COMPANY).") ";
 $sql .= " OR c.fk_soc IS NULL)";
 }
 }
diff --git a/htdocs/core/class/html.formprojet.class.php b/htdocs/core/class/html.formprojet.class.php
index 422a193030a..af611605095 100644
--- a/htdocs/core/class/html.formprojet.class.php
+++ b/htdocs/core/class/html.formprojet.class.php
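Review bot: In the html.formcontract.class.php hunk the `empty(...)` branch still interpolates `$socid` raw on its context line (`c.fk_soc=".$socid."`) while the sibling branch now goes through sanitize(); the equivalent line in html.formprojet.class.php is cast in this same commit. Change it to `$sql .= " AND (c.fk_soc=".((int) $socid)." OR c.fk_soc IS NULL)";`. The value handed to sanitize() on the changed line, `$socid.", ".$conf->global->...`, carries a space after the comma, which is harmless only if sanitize() strips whitespace; otherwise build it without the space. The enclosing method continues outside the hunk.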
@@ -166,16 +166,16 @@ class FormProjets
 $sql .= ' FROM '.MAIN_DB_PREFIX.'projet as p LEFT JOIN '.MAIN_DB_PREFIX.'societe as s ON s.rowid = p.fk_soc';
 $sql .= " WHERE p.entity IN (".getEntity('project').")";
 if ($projectsListId !== false) {
- $sql .= " AND p.rowid IN (".$projectsListId.")";
+ $sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")";
 }
 if ($socid == 0) {
 $sql .= " AND (p.fk_soc=0 OR p.fk_soc IS NULL)";
 }
 if ($socid > 0) {
 if (empty($conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY)) {
- $sql .= " AND (p.fk_soc=".$socid." OR p.fk_soc IS NULL)";
+ $sql .= " AND (p.fk_soc=".((int) $socid)." OR p.fk_soc IS NULL)";
 } elseif ($conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY != 'all') { // PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY is 'all' or a list of ids separated by coma.
- $sql .= " AND (p.fk_soc IN (".$socid.", ".((int) $conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY).") OR p.fk_soc IS NULL)";
+ $sql .= " AND (p.fk_soc IN (".((int) $socid).", ".((int) $conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY).") OR p.fk_soc IS NULL)";
 }
 }
 if (!empty($filterkey)) {
@@ -344,7 +344,7 @@ class FormProjets
 $sql .= " WHERE p.entity IN (".getEntity('project').")";
 $sql .= " AND t.fk_projet = p.rowid";
 if ($projectsListId) {
- $sql .= " AND p.rowid IN (".$projectsListId.")";
+ $sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")";
 }
 if ($socid == 0) {
 $sql .= " AND (p.fk_soc=0 OR p.fk_soc IS NULL)";
@@ -570,9 +570,9 @@ class FormProjets
 $sql .= " WHERE ".$projectkey." is null";
 if (!empty($socid) && $linkedtothirdparty) {
 if (is_numeric($socid)) {
- $sql .= " AND t.fk_soc=".$socid;
+ $sql .= " AND t.fk_soc = ".((int) $socid);
 } else {
- $sql .= " AND t.fk_soc IN (".$socid.")";
+ $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socid).")";
 }
 }
 if (!in_array($table_element, array('expensereport_det', 'stock_mouvement'))) {
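Review bot: The rewritten line in the `elseif` branch of the @@ -166 hunk keeps `(int)` on `$conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY` although the comment on the preceding line says the value is `'all'` or a comma-separated list of ids; `(int)` on a string such as `"12,34"` yields `12` and silently drops the rest of the list. The html.formcontract.class.php hunk of this same commit handles the analogous constant by passing the whole list through sanitize(), and the same form fits here: `$sql .= " AND (p.fk_soc IN (".$this->db->sanitize($socid.", ".$conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY).") OR p.fk_soc IS NULL)";`. The `(int)` on the constant predates the commit, but the line was rewritten here. The enclosing method continues outside the hunk.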
diff --git a/htdocs/core/lib/company.lib.php b/htdocs/core/lib/company.lib.php
index 05b3a717a49..3c2884e4b5b 100644
--- a/htdocs/core/lib/company.lib.php
+++ b/htdocs/core/lib/company.lib.php
@@ -1087,7 +1087,7 @@ function show_contacts($conf, $langs, $db, $object, $backtopage = '')
 $sql .= natural_search($searchAddressPhoneDBFields, $search_address);
 }
 if (count($search_roles) > 0) {
- $sql .= " AND t.rowid IN (SELECT sc.fk_socpeople FROM ".MAIN_DB_PREFIX."societe_contacts as sc WHERE sc.fk_c_type_contact IN (".implode(',', $search_roles)."))";
+ $sql .= " AND t.rowid IN (SELECT sc.fk_socpeople FROM ".MAIN_DB_PREFIX."societe_contacts as sc WHERE sc.fk_c_type_contact IN (".$db->sanitize(implode(',', $search_roles))."))";
 }
 // Add where from extra fields
 $extrafieldsobjectkey = $contactstatic->table_element;
diff --git a/htdocs/core/lib/functions2.lib.php b/htdocs/core/lib/functions2.lib.php
index 9fd7f5e7e8a..0703df95255 100644
--- a/htdocs/core/lib/functions2.lib.php
+++ b/htdocs/core/lib/functions2.lib.php
@@ -1230,7 +1230,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 if ($bentityon) { // only if entity enable
 $sql .= " AND entity IN (".getEntity($sharetable).")";
 } elseif (!empty($forceentity)) {
- $sql .= " AND entity IN (".$forceentity.")";
+ $sql .= " AND entity IN (".$db->sanitize($forceentity).")";
 }
 if ($where) {
 $sql .= $where;
@@ -1290,7 +1290,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 if ($bentityon) { // only if entity enable
 $sql .= " AND entity IN (".getEntity($sharetable).")";
 } elseif (!empty($forceentity)) {
- $sql .= " AND entity IN (".$forceentity.")";
+ $sql .= " AND entity IN (".$db->sanitize($forceentity).")";
 }
 if ($where) {
 $sql .= $where;
@@ -1351,7 +1351,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 if ($bentityon) { // only if entity enable
 $maskrefclient_sql .= " AND entity IN (".getEntity($sharetable).")";
 } elseif (!empty($forceentity)) {
- $sql .= " AND entity IN (".$forceentity.")";
+ $sql .= " AND entity IN (".$db->sanitize($forceentity).")";
 }
 if ($where) {
 $maskrefclient_sql .= $where; //use the same optional where as general mask
@@ -2254,7 +2254,7 @@ function cleanCorruptedTree($db, $tabletocleantree, $fieldfkparent)
 $sql = "UPDATE ".MAIN_DB_PREFIX.$tabletocleantree;
 $sql .= " SET ".$fieldfkparent." = 0";
- $sql .= " WHERE rowid IN (".join(',', $listofidtoclean).")"; // So we update only records detected wrong
+ $sql .= " WHERE rowid IN (".$db->sanitize(join(',', $listofidtoclean)).")"; // So we update only records detected wrong
 $resql = $db->query($sql);
 if ($resql) {
 $nb = $db->affected_rows($sql);
@@ -2271,7 +2271,7 @@ function cleanCorruptedTree($db, $tabletocleantree, $fieldfkparent)
 // Check and clean orphelins
 $sql = "UPDATE ".MAIN_DB_PREFIX.$tabletocleantree;
 $sql .= " SET ".$fieldfkparent." = 0";
- $sql .= " WHERE ".$fieldfkparent." NOT IN (".join(',', $listofid).")"; // So we update only records linked to a non existing parent
+ $sql .= " WHERE ".$fieldfkparent." NOT IN (".$db->sanitize(join(',', $listofid), 1).")"; // So we update only records linked to a non existing parent
 $resql = $db->query($sql);
 if ($resql) {
 $nb = $db->affected_rows($sql);
diff --git a/htdocs/core/lib/project.lib.php b/htdocs/core/lib/project.lib.php
index f2dbacc3ab4..8fef0916ff8 100644
--- a/htdocs/core/lib/project.lib.php
+++ b/htdocs/core/lib/project.lib.php
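Review bot: In the @@ -1351 hunk the rewritten line appends the entity filter to `$sql`, while both neighbouring lines of the same branch append to `$maskrefclient_sql` (`$maskrefclient_sql .= " AND entity IN (".getEntity($sharetable).")";` and `$maskrefclient_sql .= $where;`); this looks like a pre-existing wrong-variable bug that the commit touched without fixing, so the `$forceentity` filter would land in `$sql` rather than in the mask query. Suggest `$maskrefclient_sql .= " AND entity IN (".$db->sanitize($forceentity).")";`. In the two cleanCorruptedTree hunks the id lists built with join() are sanitized in different modes (`sanitize(..., 1)` on the `NOT IN` line only); if that is not deliberate, align them and say in a comment what the second argument changes. Both enclosing functions continue outside the hunks.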
@@ -2378,9 +2378,9 @@ function print_projecttasks_array($db, $form, $socid, $projectsListId, $mytasks
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."projet_task as t ON p.rowid = t.fk_projet";
 }
 $sql .= " WHERE p.entity IN (".getEntity('project').")";
- $sql .= " AND p.rowid IN (".$projectsListId.")";
+ $sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")";
 if ($socid) {
- $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
+ $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".((int) $socid).")";
 }
 if ($mytasks) {
 $sql .= " AND p.rowid = t.fk_projet";
@@ -2436,7 +2436,7 @@ function print_projecttasks_array($db, $form, $socid, $projectsListId, $mytasks
 $sql2 .= " FROM ".MAIN_DB_PREFIX."projet as p";
 $sql2 .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = p.fk_soc";
 $sql2 .= " LEFT JOIN ".MAIN_DB_PREFIX."projet_task as t ON p.rowid = t.fk_projet";
- $sql2 .= " WHERE p.rowid IN (".join(',', $arrayidofprojects).")";
+ $sql2 .= " WHERE p.rowid IN (".$db->sanitize(join(',', $arrayidofprojects)).")";
 $sql2 .= " GROUP BY p.rowid, p.ref, p.title, p.fk_soc, s.rowid, s.nom, s.name_alias, s.code_client, s.code_compta, s.client, s.code_fournisseur, s.code_compta_fournisseur, s.fournisseur,";
 $sql2 .= " s.logo, s.email, s.entity, p.fk_user_creat, p.public, p.fk_statut, p.fk_opp_status, p.opp_percent, p.opp_amount, p.dateo, p.datee";
 $sql2 .= " ORDER BY p.title, p.ref";
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 5bcad053795..0b22748a528 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -595,27 +595,27 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 if (($feature == 'user' || $feature == 'usergroup') && !empty($conf->multicompany->enabled)) { // Special for multicompany
 if (!empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)) {
 if ($conf->entity == 1 && $user->admin && !$user->entity) {
- $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
+ $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
 $sql .= " AND dbt.entity IS NOT NULL";
 } else {
 $sql .= ",".MAIN_DB_PREFIX."usergroup_user as ug";
- $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
+ $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
 $sql .= " AND ((ug.fk_user = dbt.rowid";
 $sql .= " AND ug.entity IN (".getEntity('usergroup')."))";
 $sql .= " OR dbt.entity = 0)"; // Show always superadmin
 }
 } else {
- $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
+ $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
 $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
 }
 } else {
 $reg = array();
 if ($parenttableforentity && preg_match('/(.*)@(.*)/', $parenttableforentity, $reg)) {
 $sql .= ", ".MAIN_DB_PREFIX.$reg[2]." as dbtp";
- $sql .= " WHERE dbt.".$reg[1]." = dbtp.rowid AND dbt.".$dbt_select." IN (".$objectid.")";
+ $sql .= " WHERE dbt.".$reg[1]." = dbtp.rowid AND dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
 $sql .= " AND dbtp.entity IN (".getEntity($sharedelement, 1).")";
 } else {
- $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
+ $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
 $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
 }
 }
@@ -630,7 +630,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 $sql = "SELECT COUNT(sc.fk_soc) as nb";
 $sql .= " FROM (".MAIN_DB_PREFIX."societe_commerciaux as sc";
 $sql .= ", ".MAIN_DB_PREFIX."societe as s)";
- $sql .= " WHERE sc.fk_soc IN (".$objectid.")";
+ $sql .= " WHERE sc.fk_soc IN (".$db->sanitize($objectid, 1).")";
 $sql .= " AND sc.fk_user = ".$user->id;
 $sql .= " AND sc.fk_soc = s.rowid";
 $sql .= " AND s.entity IN (".getEntity($sharedelement, 1).")";
@@ -638,7 +638,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 // If multicompany and internal users with all permissions, check user is in correct entity
 $sql = "SELECT COUNT(s.rowid) as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX."societe as s";
- $sql .= " WHERE s.rowid IN (".$objectid.")";
+ $sql .= " WHERE s.rowid IN (".$db->sanitize($objectid, 1).")";
 $sql .= " AND s.entity IN (".getEntity($sharedelement, 1).")";
 }
 } elseif (in_array($feature, $checkother)) { // Test on entity + link to thirdparty. Allowed if link is empty (Ex: contacts...).
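Review bot: `$sql .= " AND sc.fk_user = ".$user->id;` on the context line right after the change in the @@ -630 hunk still interpolates the user id raw, while the @@ -646 hunk of the same function writes it as `((int) $user->id)` in its LEFT JOIN; the same pattern recurs with `$user->socid` at @@ -646 and @@ -715 and with `$user->id` at @@ -726 and @@ -735. Casting consistently (`((int) $user->id)`, `((int) $user->socid)`) keeps every literal in this access-check function typed and leaves the sanitize() calls as the only string interpolations to audit. checkUserAccessToObject continues outside each of these hunks.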
@@ -646,21 +646,21 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 if ($user->socid > 0) {
 $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
- $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
+ $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
 $sql .= " AND dbt.fk_soc = ".$user->socid;
 } elseif (!empty($conf->societe->enabled) && ($user->rights->societe->lire && !$user->rights->societe->client->voir)) {
 // If internal user: Check permission for internal users that are restricted on their objects
 $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
- $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
+ $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
 $sql .= " AND (dbt.fk_soc IS NULL OR sc.fk_soc IS NOT NULL)"; // Contact not linked to a company or to a company of user
 $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
 } elseif (!empty($conf->multicompany->enabled)) {
 // If multicompany and internal users with all permissions, check user is in correct entity
 $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
- $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
+ $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
 $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
 }
 if ($feature == 'agenda') {
@@ -686,7 +686,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 } else {
 $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
- $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
+ $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
 $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
 }
 } elseif (in_array($feature, $checktask)) {
@@ -704,7 +704,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 } else {
 $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
- $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
+ $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
 $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
 }
 } elseif (!in_array($feature, $nocheck)) { // By default (case of $checkdefault), we check on object entity + link to third party on field $dbt_keyfield
@@ -715,7 +715,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 }
 $sql = "SELECT COUNT(dbt.".$dbt_keyfield.") as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
- $sql .= " WHERE dbt.rowid IN (".$objectid.")";
+ $sql .= " WHERE dbt.rowid IN (".$db->sanitize($objectid, 1).")";
 $sql .= " AND dbt.".$dbt_keyfield." = ".$user->socid;
 } elseif (!empty($conf->societe->enabled) && !$user->rights->societe->client->voir) {
 // If internal user: Check permission for internal users that are restricted on their objects
@@ -726,7 +726,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 $sql = "SELECT COUNT(sc.fk_soc) as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
 $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
- $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
+ $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
 $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
 $sql .= " AND sc.fk_soc = dbt.".$dbt_keyfield;
 $sql .= " AND sc.fk_user = ".$user->id;
@@ -735,7 +735,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON sc.fk_soc = dbt.".$dbt_keyfield." AND sc.fk_user = ".$user->id;
- $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
+ $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
 $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
 $sql .= " AND (sc.fk_user = ".$user->id." OR sc.fk_user IS NULL)";
 }
@@ -743,7 +743,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 // If multicompany and internal users with all permissions, check user is in correct entity
 $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
- $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
+ $sql .= " WHERE dbt.".$dbt_select." IN (".$db->sanitize($objectid, 1).")";
 $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
 }
 }
diff --git a/htdocs/core/lib/website.lib.php b/htdocs/core/lib/website.lib.php
index 2eb44c517f7..170202717c8 100644
--- a/htdocs/core/lib/website.lib.php
+++ b/htdocs/core/lib/website.lib.php
@@ -859,7 +859,7 @@ function getPagesFromSearchCriterias($type, $algo, $searchstring, $max = 25, $so
 foreach ($tmparrayoftype as $tmptype) {
 $typestring .= ($typestring ? ", " : "")."'".$db->escape(trim($tmptype))."'";
 }
- $sql .= " AND wp.type_container IN (".$typestring.")";
+ $sql .= " AND wp.type_container IN (".$db->sanitize($typestring, 1).")";
 }
 $sql .= " AND (";
 $searchalgo = '';
diff --git a/htdocs/core/modules/mailings/advthirdparties.modules.php b/htdocs/core/modules/mailings/advthirdparties.modules.php
index 9f434be9498..d067f43c273 100644
--- a/htdocs/core/modules/mailings/advthirdparties.modules.php
+++ b/htdocs/core/modules/mailings/advthirdparties.modules.php
@@ -125,10 +125,10 @@ class mailing_advthirdparties extends MailingTargets
 $sql .= " FROM ".MAIN_DB_PREFIX."socpeople as socp";
 $sql .= " WHERE socp.entity IN (".getEntity('socpeople').")";
 if (count($contactid) > 0) {
- $sql .= " AND socp.rowid IN (".implode(',', $contactid).")";
+ $sql .= " AND socp.rowid IN (".$this->db->sanitize(implode(',', $contactid)).")";
 }
 if (count($socid) > 0) {
- $sql .= " AND socp.fk_soc IN (".implode(',', $socid).")";
+ $sql .= " AND socp.fk_soc IN (".$this->db->sanitize(implode(',', $socid)).")";
 }
 $sql .= " ORDER BY email";
diff --git a/htdocs/don/list.php b/htdocs/don/list.php
index 9798cd02eea..9a2d1402e17 100644
--- a/htdocs/don/list.php
+++ b/htdocs/don/list.php
@@ -106,7 +106,7 @@ $sql .= " p.rowid as pid, p.ref, p.title, p.public";
 $sql .= " FROM ".MAIN_DB_PREFIX."don as d LEFT JOIN ".MAIN_DB_PREFIX."projet AS p";
 $sql .= " ON p.rowid = d.fk_projet WHERE d.entity IN (".getEntity('donation').")";
 if ($search_status != '' && $search_status != '-4') {
- $sql .= " AND d.fk_statut IN (".$db->sanitize($db->escape($search_status)).")";
+ $sql .= " AND d.fk_statut IN (".$db->sanitize($search_status).")";
 }
 if (trim($search_ref) != '') {
 $sql .= natural_search('d.ref', $search_ref);
diff --git a/htdocs/expedition/class/api_shipments.class.php b/htdocs/expedition/class/api_shipments.class.php
index 42564f7dd72..cc5267cdd47 100644
--- a/htdocs/expedition/class/api_shipments.class.php
+++ b/htdocs/expedition/class/api_shipments.class.php
@@ -129,7 +129,7 @@ class Shipments extends DolibarrApi
 $sql .= " AND t.fk_soc = sc.fk_soc";
 }
 if ($socids) {
- $sql .= " AND t.fk_soc IN (".$socids.")";
+ $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")";
 }
 if ($search_sale > 0) {
 $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
diff --git a/htdocs/expedition/list.php b/htdocs/expedition/list.php
index 327e9a030e0..a4a09e06808 100644
--- a/htdocs/expedition/list.php
+++ b/htdocs/expedition/list.php
@@ -313,13 +313,13 @@ if ($search_state) {
 $sql .= natural_search("state.nom", $search_state);
 }
 if ($search_country) {
- $sql .= " AND s.fk_pays IN (".$search_country.')';
+ $sql .= " AND s.fk_pays IN (".$db->sanitize($search_country).')';
 }
 if ($search_tracking) {
 $sql .= natural_search("e.tracking_number", $search_tracking);
 }
 if ($search_type_thirdparty != '' && $search_type_thirdparty > 0) {
- $sql .= " AND s.fk_typent IN (".$search_type_thirdparty.')';
+ $sql .= " AND s.fk_typent IN (".$db->sanitize($search_type_thirdparty).')';
 }
 if ($search_sale > 0) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$search_sale;
diff --git a/htdocs/expensereport/class/api_expensereports.class.php b/htdocs/expensereport/class/api_expensereports.class.php
index 98da4534e0c..13148e4247a 100644
--- a/htdocs/expensereport/class/api_expensereports.class.php
+++ b/htdocs/expensereport/class/api_expensereports.class.php
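Review bot: The last context line of the expedition/list.php hunk, `$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$search_sale;`, keeps a request-derived `$search_sale` interpolated raw, whereas the api_contracts.class.php hunk of this same commit casts the identical filter with `((int) $search_sale)`; the `> 0` guard does not reject a string that merely starts with a digit. Change it to `$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $search_sale);`.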
@@ -108,7 +108,7 @@ class ExpenseReports extends DolibarrApi
 $sql .= " FROM ".MAIN_DB_PREFIX."expensereport as t";
 $sql .= ' WHERE t.entity IN ('.getEntity('expensereport').')';
 if ($user_ids) {
- $sql .= " AND t.fk_user_author IN (".$user_ids.")";
+ $sql .= " AND t.fk_user_author IN (".$this->db->sanitize($user_ids).")";
 }
 // Add sql filters
diff --git a/htdocs/expensereport/class/expensereport.class.php b/htdocs/expensereport/class/expensereport.class.php
index 89178693a43..496f57812a6 100644
--- a/htdocs/expensereport/class/expensereport.class.php
+++ b/htdocs/expensereport/class/expensereport.class.php
@@ -2367,8 +2367,8 @@ class ExpenseReport extends CommonObject
 $sql .= " AND ex.entity IN (".getEntity('expensereport').")";
 if (empty($user->rights->expensereport->readall)) {
 $userchildids = $user->getAllChildIds(1);
- $sql .= " AND (ex.fk_user_author IN (".join(',', $userchildids).")";
- $sql .= " OR ex.fk_user_validator IN (".join(',', $userchildids)."))";
+ $sql .= " AND (ex.fk_user_author IN (".$this->db->sanitize(join(',', $userchildids)).")";
+ $sql .= " OR ex.fk_user_validator IN (".$this->db->sanitize(join(',', $userchildids))."))";
 }
 $resql = $this->db->query($sql);
@@ -2414,8 +2414,8 @@ class ExpenseReport extends CommonObject
 $sql .= " AND ex.entity IN (".getEntity('expensereport').")";
 if (empty($user->rights->expensereport->readall)) {
 $userchildids = $user->getAllChildIds(1);
- $sql .= " AND (ex.fk_user_author IN (".join(',', $userchildids).")";
- $sql .= " OR ex.fk_user_validator IN (".join(',', $userchildids)."))";
+ $sql .= " AND (ex.fk_user_author IN (".$this->db->sanitize(join(',', $userchildids)).")";
+ $sql .= " OR ex.fk_user_validator IN (".$this->db->sanitize(join(',', $userchildids))."))";
 }
 $resql = $this->db->query($sql);
diff --git a/htdocs/expensereport/class/expensereportstats.class.php b/htdocs/expensereport/class/expensereportstats.class.php
index 3d627cbce8d..ec71f530f51 100644
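Review bot: The restriction clause on `ex.fk_user_author` / `ex.fk_user_validator` is now repeated verbatim in the @@ -2367 and @@ -2414 hunks of expensereport.class.php, including the rights check and the `getAllChildIds(1)` call; a small private helper returning that SQL fragment would keep the two copies from drifting the next time the sanitization rule changes. Both enclosing methods start and end outside the hunks.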
--- a/htdocs/expensereport/class/expensereportstats.class.php
+++ b/htdocs/expensereport/class/expensereportstats.class.php
@@ -78,11 +78,11 @@ class ExpenseReportStats extends Stats
 if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous)) {
 $childids = $user->getAllChildIds();
 $childids[] = $user->id;
- $this->where .= " AND e.fk_user_author IN (".(join(',', $childids)).")";
+ $this->where .= " AND e.fk_user_author IN (".$this->db->sanitize(join(',', $childids)).")";
 }
 if ($this->userid > 0) {
- $this->where .= ' AND e.fk_user_author = '.$this->userid;
+ $this->where .= ' AND e.fk_user_author = '.((int) $this->userid);
 }
 }
diff --git a/htdocs/expensereport/index.php b/htdocs/expensereport/index.php
index 541c2c0738e..f9792d5b68c 100644
--- a/htdocs/expensereport/index.php
+++ b/htdocs/expensereport/index.php
@@ -91,7 +91,7 @@ if (empty($user->rights->expensereport->readall) && empty($user->rights->expense
 && (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || empty($user->rights->expensereport->writeall_advance))) {
 $childids = $user->getAllChildIds();
 $childids[] = $user->id;
- $sql .= " AND d.fk_user_author IN (".join(',', $childids).")\n";
+ $sql .= " AND d.fk_user_author IN (".$db->sanitize(join(',', $childids)).")\n";
 }
 $sql .= " GROUP BY tf.code, tf.label";
@@ -180,11 +180,11 @@ if (empty($user->rights->expensereport->readall) && empty($user->rights->expense
 && (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || empty($user->rights->expensereport->writeall_advance))) {
 $childids = $user->getAllChildIds();
 $childids[] = $user->id;
- $sql .= " AND d.fk_user_author IN (".join(',', $childids).")\n";
+ $sql .= " AND d.fk_user_author IN (".$db->sanitize(join(',', $childids)).")\n";
 }
 $sql .= ' AND d.entity IN ('.getEntity('expensereport').')';
 if (!$user->rights->societe->client->voir && !$user->socid) {
- $sql .= " AND d.fk_user_author = s.rowid AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
+ $sql .= " AND d.fk_user_author = s.rowid AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 }
 if ($socid) {
 $sql .= " AND d.fk_user_author = ".$socid;
diff --git a/htdocs/expensereport/list.php b/htdocs/expensereport/list.php
index 35642ead0c4..51022f8c40b 100644
--- a/htdocs/expensereport/list.php
+++ b/htdocs/expensereport/list.php
@@ -290,12 +290,12 @@ if ($search_user != '' && $search_user >= 0) {
 }
 // Status
 if ($search_status != '' && $search_status >= 0) {
- $sql .= " AND d.fk_statut IN (".$db->sanitize($db->escape($search_status)).")";
+ $sql .= " AND d.fk_statut IN (".$db->sanitize($search_status).")";
 }
 // RESTRICT RIGHTS
 if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous)
 && (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || empty($user->rights->expensereport->writeall_advance))) {
- $sql .= " AND d.fk_user_author IN (".join(',', $childids).")\n";
+ $sql .= " AND d.fk_user_author IN (".$db->sanitize(join(',', $childids)).")\n";
 }
 // Add where from extra fields
 include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_search_sql.tpl.php';
diff --git a/htdocs/fichinter/class/api_interventions.class.php b/htdocs/fichinter/class/api_interventions.class.php
index a5ba127a54d..17aa2b3db53 100644
--- a/htdocs/fichinter/class/api_interventions.class.php
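Review bot: The last line of the expensereport/index.php hunk, `$sql .= " AND d.fk_user_author = ".$socid;`, still inlines `$socid` without a cast right after the line above it was changed to `((int) $user->id)`, and its guard `if ($socid)` only checks truthiness. Matching what this patch does in projet/index.php, `if ($socid > 0) { $sql .= " AND d.fk_user_author = ".((int) $socid); }` closes that gap. Comparing a user-author column against a company id also looks odd, but that predates this change.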
+++ b/htdocs/fichinter/class/api_interventions.class.php
@@ -136,14 +136,14 @@ class Interventions extends DolibarrApi
 $sql .= " AND t.fk_soc = sc.fk_soc";
 }
 if ($socids) {
- $sql .= " AND t.fk_soc IN (".$socids.")";
+ $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")";
 }
 if ($search_sale > 0) {
 $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
 }
 // Insert sale filter
 if ($search_sale > 0) {
- $sql .= " AND sc.fk_user = ".$search_sale;
+ $sql .= " AND sc.fk_user = ".((int) $search_sale);
 }
 // Add sql filters
 if ($sqlfilters) {
diff --git a/htdocs/fourn/card.php b/htdocs/fourn/card.php
index 6db5ba5cad3..3d67f025d6a 100644
--- a/htdocs/fourn/card.php
+++ b/htdocs/fourn/card.php
@@ -654,7 +654,7 @@ if ($object->id > 0) {
 $sql2 .= " AND c.fk_statut IN (".$db->sanitize(CommandeFournisseur::STATUS_RECEIVED_COMPLETELY).")"; // Must match filter in htdocs/fourn/commande/list.php
 } else { // CommandeFournisseur::STATUS_ORDERSENT.", ".CommandeFournisseur::STATUS_RECEIVED_PARTIALLY.", ".CommandeFournisseur::STATUS_RECEIVED_COMPLETELY
- $sql2 .= " AND c.fk_statut IN (".$db->sanitize($db->escape($conf->global->SUPPLIER_ORDER_TO_INVOICE_STATUS)).")";
+ $sql2 .= " AND c.fk_statut IN (".$db->sanitize($conf->global->SUPPLIER_ORDER_TO_INVOICE_STATUS).")";
 }
 $sql2 .= " AND c.billed = 0"; // Find order that are not already invoiced
diff --git a/htdocs/fourn/class/api_supplier_invoices.class.php b/htdocs/fourn/class/api_supplier_invoices.class.php
index 953092120e4..5e977473146 100644
--- a/htdocs/fourn/class/api_supplier_invoices.class.php
+++ b/htdocs/fourn/class/api_supplier_invoices.class.php
@@ -130,7 +130,7 @@ class SupplierInvoices extends DolibarrApi
 $sql .= " AND t.fk_soc = sc.fk_soc";
 }
 if ($socids) {
- $sql .= " AND t.fk_soc IN (".$socids.")";
+ $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")";
 }
 if ($search_sale > 0) {
 $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
diff --git a/htdocs/fourn/class/api_supplier_orders.class.php b/htdocs/fourn/class/api_supplier_orders.class.php
index d75abb17e90..8076900b100 100644
--- a/htdocs/fourn/class/api_supplier_orders.class.php
+++ b/htdocs/fourn/class/api_supplier_orders.class.php
@@ -131,10 +131,10 @@ class SupplierOrders extends DolibarrApi
 $sql .= " AND t.fk_soc = sc.fk_soc";
 }
 if (!empty($product_ids)) {
- $sql .= " AND cd.fk_commande = t.rowid AND cd.fk_product IN (".$product_ids.")";
+ $sql .= " AND cd.fk_commande = t.rowid AND cd.fk_product IN (".$this->db->sanitize($product_ids).")";
 }
 if ($socids) {
- $sql .= " AND t.fk_soc IN (".$socids.")";
+ $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")";
 }
 if ($search_sale > 0) {
 $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
diff --git a/htdocs/fourn/facture/impayees.php b/htdocs/fourn/facture/impayees.php
index 7019b90b868..89f8a23d16d 100644
--- a/htdocs/fourn/facture/impayees.php
+++ b/htdocs/fourn/facture/impayees.php
@@ -116,17 +116,8 @@ if ($user->rights->fournisseur->facture->lire) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
-
- if (GETPOST('filtre')) {
- $filtrearr = explode(",", GETPOST('filtre'));
- foreach ($filtrearr as $fil) {
- $filt = explode(":", $fil);
- $sql .= " AND ".$filt[0]." = ".$filt[1];
- }
- }
-
 if ($search_ref) {
 $sql .= " AND f.ref LIKE '%".$db->escape($search_ref)."%'";
 }
diff --git a/htdocs/fourn/facture/list.php b/htdocs/fourn/facture/list.php
index 7c6ed0c5e16..50fdfef6e47 100644
--- a/htdocs/fourn/facture/list.php
+++ b/htdocs/fourn/facture/list.php
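Review bot: In the impayees.php hunk the context line `sc.fk_user = ".$user->id` at the top remains an uncast concatenation while `$socid` two lines below now gets `((int) $socid)`; the patch casts the same `$user->id` expression in expensereport/index.php, so `((int) $user->id)` here would be consistent. The exposure is low since it is the session user's id, but uniform treatment makes the remaining raw interpolations in this file easier to audit.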
@@ -475,14 +475,14 @@ $sql .= " state.code_departement as state_code, state.nom as state_name,";
 $sql .= " country.code as country_code,";
 $sql .= " p.rowid as project_id, p.ref as project_ref, p.title as project_label,";
 $sql .= " u.login";
+if ($search_categ_sup && $search_categ_sup != '-1') {
+ $sql .= ", cs.fk_categorie, cs.fk_soc";
+}
 // We need dynamount_payed to be able to sort on status (value is surely wrong because we can count several lines several times due to other left join or link with contacts. But what we need is just 0 or > 0)
 // TODO Better solution to be able to sort on already payed or remain to pay is to store amount_payed in a denormalized field.
 if (!$search_all) {
 $sql .= ', SUM(pf.amount) as dynamount_payed';
 }
-if ($search_categ_sup) {
- $sql .= ", cs.fk_categorie, cs.fk_soc";
-}
 // Add fields from extrafields
 if (!empty($extrafields->attributes[$object->table_element]['label'])) {
 foreach ($extrafields->attributes[$object->table_element]['label'] as $key => $val) {
@@ -580,10 +580,10 @@ if ($search_state) {
 $sql .= natural_search("state.nom", $search_state);
 }
 if ($search_country) {
- $sql .= " AND s.fk_pays IN (".$search_country.')';
+ $sql .= " AND s.fk_pays IN (".$db->sanitize($search_country).')';
 }
 if ($search_type_thirdparty != '' && $search_type_thirdparty >= 0) {
- $sql .= " AND s.fk_typent IN (".$search_type_thirdparty.')';
+ $sql .= " AND s.fk_typent IN (".$db->sanitize($search_type_thirdparty).')';
 }
 if ($search_montant_ht != '') {
 $sql .= natural_search('f.total_ht', $search_montant_ht, 1);
@@ -677,6 +677,9 @@ if (!$search_all) {
 $sql .= ' country.code,';
 $sql .= " p.rowid, p.ref, p.title,";
 $sql .= " u.login";
+ if ($search_categ_sup && $search_categ_sup != '-1') {
+ $sql .= ", cs.fk_categorie, cs.fk_soc";
+ }
 if (!empty($extrafields->attributes[$object->table_element]['label'])) {
 foreach ($extrafields->attributes[$object->table_element]['label'] as $key => $val) {
 //prevent error with sql_mode=only_full_group_by
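Review bot: The condition `$search_categ_sup && $search_categ_sup != '-1'` now appears twice in fourn/facture/list.php (the SELECT list in @@ -475 and the GROUP BY list in @@ -677) and must also agree with whatever adds the `cs` join, which is outside the hunks; computing it once, e.g. `$filterOnSupplierCateg = ($search_categ_sup && $search_categ_sup != '-1');`, and testing that flag in all three places keeps the column list, the GROUP BY and the join from diverging. A one-line comment saying that `'-1'` is the "no category" sentinel would also help the next reader, since the old test only checked truthiness.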
diff --git a/htdocs/holiday/class/holiday.class.php b/htdocs/holiday/class/holiday.class.php
index 7943df254c1..243d65b5078 100644
--- a/htdocs/holiday/class/holiday.class.php
+++ b/htdocs/holiday/class/holiday.class.php
@@ -1122,7 +1122,7 @@ class Holiday extends CommonObject
 $sql .= " AND cp.fk_user = ".(int) $fk_user;
 $sql .= " AND cp.date_debut <= '".$this->db->idate($timestamp)."' AND cp.date_fin >= '".$this->db->idate($timestamp)."'";
 if ($status != '-1') {
- $sql .= " AND cp.statut IN (".$this->db->sanitize($this->db->escape($status)).")";
+ $sql .= " AND cp.statut IN (".$this->db->sanitize($status).")";
 }
 $resql = $this->db->query($sql);
@@ -2209,8 +2209,8 @@ class Holiday extends CommonObject
 $sql .= " AND h.entity IN (".getEntity('holiday').")";
 if (empty($user->rights->expensereport->readall)) {
 $userchildids = $user->getAllChildIds(1);
- $sql .= " AND (h.fk_user IN (".join(',', $userchildids).")";
- $sql .= " OR h.fk_validator IN (".join(',', $userchildids)."))";
+ $sql .= " AND (h.fk_user IN (".$this->db->sanitize(join(',', $userchildids)).")";
+ $sql .= " OR h.fk_validator IN (".$this->db->sanitize(join(',', $userchildids))."))";
 }
 $resql = $this->db->query($sql);
@@ -2251,8 +2251,8 @@ class Holiday extends CommonObject
 $sql .= " AND h.entity IN (".getEntity('holiday').")";
 if (empty($user->rights->expensereport->read_all)) {
 $userchildids = $user->getAllChildIds(1);
- $sql .= " AND (h.fk_user IN (".join(',', $userchildids).")";
- $sql .= " OR h.fk_validator IN (".join(',', $userchildids)."))";
+ $sql .= " AND (h.fk_user IN (".$this->db->sanitize(join(',', $userchildids)).")";
+ $sql .= " OR h.fk_validator IN (".$this->db->sanitize(join(',', $userchildids))."))";
 }
 $resql = $this->db->query($sql);
diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php
index 4474aecf748..e6f63614fcc 100644
--- a/htdocs/holiday/list.php
+++ b/htdocs/holiday/list.php
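Review bot: The two restriction hunks in holiday.class.php gate holiday rows on different rights keys — `$user->rights->expensereport->readall` in @@ -2209 and `$user->rights->expensereport->read_all` in @@ -2251 — and both read the expense-report module's rights rather than the holiday module's, whose key appears as `$user->rights->holiday->readall` in holiday/list.php in this same patch; if one of the two keys does not exist on the rights object, `empty()` is true and that method always restricts, so the two methods behave differently for the same user. Not introduced by this commit, but since this clause is the access-control boundary the keys should be aligned in a follow-up. Both enclosing methods start and end outside the hunks.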
@@ -344,7 +344,7 @@ if (empty($user->rights->holiday->readall)) {
 $sql .= ' AND cp.fk_user IN ('.join(',', $childids).')';
 }
 if ($id > 0) {
- $sql .= " AND cp.fk_user IN (".$id.")";
+ $sql .= " AND cp.fk_user IN (".$db->sanitize($id).")";
 }
 // Add where from extra fields
diff --git a/htdocs/margin/agentMargins.php b/htdocs/margin/agentMargins.php
index 717e2d02c1b..a8db68d9fec 100644
--- a/htdocs/margin/agentMargins.php
+++ b/htdocs/margin/agentMargins.php
@@ -166,7 +166,7 @@ if (!empty($conf->global->AGENT_CONTACT_TYPE)) {
 } else {
 $sql .= " AND sc.fk_user = u.rowid";
 }
-$sql .= " AND f.fk_statut NOT IN (".implode(', ', $invoice_status_except_list).")";
+$sql .= " AND f.fk_statut NOT IN (".$db->sanitize(implode(', ', $invoice_status_except_list)).")";
 $sql .= ' AND s.entity IN ('.getEntity('societe').')';
 $sql .= " AND d.fk_facture = f.rowid";
 if ($agentid > 0) {
diff --git a/htdocs/margin/checkMargins.php b/htdocs/margin/checkMargins.php
index f61d8d02e55..43ff6ef6b9f 100644
--- a/htdocs/margin/checkMargins.php
+++ b/htdocs/margin/checkMargins.php
@@ -214,7 +214,7 @@ $sql .= " ,d.fk_product";
 $sql .= " FROM ".MAIN_DB_PREFIX."facture as f ";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."facturedet as d ON d.fk_facture = f.rowid";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON d.fk_product = p.rowid";
-$sql .= " WHERE f.fk_statut NOT IN (".implode(', ', $invoice_status_except_list).")";
+$sql .= " WHERE f.fk_statut NOT IN (".$db->sanitize(implode(', ', $invoice_status_except_list)).")";
 $sql .= " AND f.entity IN (".getEntity('invoice').") ";
 if (!empty($startdate)) {
 $sql .= " AND f.datef >= '".$db->idate($startdate)."'";
diff --git a/htdocs/margin/customerMargins.php b/htdocs/margin/customerMargins.php
index 05d5aa1ca5c..ac30d223806 100644
--- a/htdocs/margin/customerMargins.php
+++ b/htdocs/margin/customerMargins.php
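Review bot: In the holiday/list.php hunk the context line two lines above the change, `' AND cp.fk_user IN ('.join(',', $childids).')'`, is the same `join(',', $childids)` pattern that every other hunk in this patch wraps with sanitize(), but it is left untouched here; `$sql .= ' AND cp.fk_user IN ('.$db->sanitize(join(',', $childids)).')';` would make the file consistent with expensereport/index.php and expensereport/list.php.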
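Review bot: In the agentMargins.php hunk, `implode(', ', $invoice_status_except_list)` keeps a space after each comma, so the result only stays a valid IN list if sanitize() strips whitespace, which cannot be confirmed from here; every other list in this patch is imploded with `','`. Using `$db->sanitize(implode(',', $invoice_status_except_list))` removes that dependence, and the same applies to the checkMargins.php, customerMargins.php and productMargins.php hunks.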
@@ -239,7 +239,7 @@ if ($socid > 0) {
 if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
-$sql .= " AND f.fk_statut NOT IN (".implode(', ', $invoice_status_except_list).")";
+$sql .= " AND f.fk_statut NOT IN (".$db->sanitize(implode(', ', $invoice_status_except_list)).")";
 $sql .= ' AND s.entity IN ('.getEntity('societe').')';
 $sql .= ' AND f.entity IN ('.getEntity('invoice').')';
 $sql .= " AND d.fk_facture = f.rowid";
diff --git a/htdocs/margin/productMargins.php b/htdocs/margin/productMargins.php
index 0ac47243723..43afbaa0e92 100644
--- a/htdocs/margin/productMargins.php
+++ b/htdocs/margin/productMargins.php
@@ -195,13 +195,13 @@ if (!empty($TSelectedCats)) {
 }
 $sql .= " WHERE f.fk_soc = s.rowid";
 $sql .= ' AND f.entity IN ('.getEntity('invoice').')';
-$sql .= " AND f.fk_statut NOT IN (".implode(', ', $invoice_status_except_list).")";
+$sql .= " AND f.fk_statut NOT IN (".$db->sanitize(implode(', ', $invoice_status_except_list)).")";
 $sql .= " AND d.fk_facture = f.rowid";
 if ($id > 0) {
 $sql .= " AND d.fk_product =".$id;
 }
 if (!empty($TSelectedCats)) {
- $sql .= ' AND cp.fk_categorie IN ('.implode(',', $TSelectedCats).')';
+ $sql .= ' AND cp.fk_categorie IN ('.$db->sanitize(implode(',', $TSelectedCats)).')';
 }
 if (!empty($startdate)) {
 $sql .= " AND f.datef >= '".$db->idate($startdate)."'";
diff --git a/htdocs/product/class/html.formproduct.class.php b/htdocs/product/class/html.formproduct.class.php
index 56efd8565d1..718acef6970 100644
--- a/htdocs/product/class/html.formproduct.class.php
+++ b/htdocs/product/class/html.formproduct.class.php
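Review bot: In the productMargins.php hunk, `$sql .= " AND d.fk_product =".$id;` in the middle of the hunk still inlines `$id` unchanged behind the loose `$id > 0` comparison, while the category list a few lines below now gets sanitize(); `$sql .= " AND d.fk_product = ".((int) $id);` matches the casts this patch applies elsewhere. The `sc.fk_user = ".$user->id` context line in the customerMargins.php hunk deserves the same `((int) $user->id)` pass.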
@@ -116,13 +116,13 @@ class FormProduct
 }
 $sql .= " WHERE e.entity IN (".getEntity('stock').")";
 if (count($warehouseStatus)) {
- $sql .= " AND e.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")";
+ $sql .= " AND e.statut IN (".$this->db->sanitize(implode(',', $warehouseStatus)).")";
 } else {
 $sql .= " AND e.statut = 1";
 }
 if (!empty($exclude)) {
- $sql .= ' AND e.rowid NOT IN('.$this->db->escape(implode(',', $exclude)).')';
+ $sql .= ' AND e.rowid NOT IN('.$this->db->sanitize(implode(',', $exclude)).')';
 }
 // minimum stock
@@ -646,7 +646,7 @@ class FormProduct
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps on ps.rowid = pb.fk_product_stock";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."entrepot as e on e.rowid = ps.fk_entrepot AND e.entity IN (".getEntity('stock').")";
 if (!empty($productIdList)) {
- $sql .= " WHERE ps.fk_product IN (".$productIdList.")";
+ $sql .= " WHERE ps.fk_product IN (".$this->db->sanitize($productIdList).")";
 }
 $sql .= " ORDER BY e.ref, pb.batch";
diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index f195fa0c5e7..71b74a8a1db 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
@@ -2750,7 +2750,7 @@ class Product extends CommonObject
 $sql .= " JOIN ".MAIN_DB_PREFIX."facture f ON fd.fk_facture = f.rowid ";
 $sql .= " JOIN ".MAIN_DB_PREFIX."element_element el ON el.fk_target = f.rowid and el.targettype = 'facture' and sourcetype = 'commande'";
 $sql .= " JOIN ".MAIN_DB_PREFIX."commande c ON el.fk_source = c.rowid ";
- $sql .= " WHERE c.fk_statut IN (".$filtrestatut.") AND c.facture = 0 AND fd.fk_product = ".$this->id;
+ $sql .= " WHERE c.fk_statut IN (".$this->db->sanitize($filtrestatut).") AND c.facture = 0 AND fd.fk_product = ".((int) $this->id);
 dol_syslog(__METHOD__.":: sql $sql", LOG_NOTICE);
 $resql = $this->db->query($sql);
@@ -4980,7 +4980,7 @@ class Product extends CommonObject
 $sql .= " AND w.rowid = ps.fk_entrepot";
 $sql .= " AND ps.fk_product = ".$this->id;
 if (!empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) {
- $sql .= " AND w.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")";
+ $sql .= " AND w.statut IN (".$this->db->sanitize(implode(',', $warehouseStatus)).")";
 }
 dol_syslog(get_class($this)."::load_stock", LOG_DEBUG);
diff --git a/htdocs/product/stock/stockatdate.php b/htdocs/product/stock/stockatdate.php
index 5a3b0cb0a9c..bdac3a70f54 100644
--- a/htdocs/product/stock/stockatdate.php
+++ b/htdocs/product/stock/stockatdate.php
@@ -133,7 +133,7 @@ if ($date && $dateIsValid) { // Avoid heavy sql if mandatory date is not defined
 $sql .= " WHERE w.entity IN (".getEntity('stock').")";
 $sql .= " AND w.rowid = ps.fk_entrepot";
 if (!empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) {
- $sql .= " AND w.statut IN (".$db->sanitize($db->escape(implode(',', $warehouseStatus))).")";
+ $sql .= " AND w.statut IN (".$db->sanitize(implode(',', $warehouseStatus)).")";
 }
 if ($productid > 0) {
 $sql .= " AND ps.fk_product = ".$productid;
@@ -183,7 +183,7 @@ if ($date && $dateIsValid) {
 $sql .= " WHERE w.entity IN (".getEntity('stock').")";
 $sql .= " AND w.rowid = sm.fk_entrepot";
 if (!empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) {
- $sql .= " AND w.statut IN (".$db->sanitize($db->escape(implode(',', $warehouseStatus))).")";
+ $sql .= " AND w.statut IN (".$db->sanitize(implode(',', $warehouseStatus)).")";
 }
 if ($mode == 'future') {
 $sql .= " AND sm.datem <= '".$db->idate($dateendofday)."'";
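Review bot: `$sql .= " AND ps.fk_product = ".$this->id;` in the product.class.php @@ -4980 hunk is the same expression that @@ -2750 in this file changes to `((int) $this->id)`; applying the cast here too keeps the load_stock query consistent with the earlier hunk. The enclosing method starts and ends outside the hunk.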
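Review bot: The stockatdate.php @@ -133 hunk ends with `$sql .= " AND ps.fk_product = ".$productid;`, which the @@ -191 hunk of the same file rewrites as `((int) $productid)` for `sm.fk_product`; the first query should get `$sql .= " AND ps.fk_product = ".((int) $productid);` so both paths treat the request parameter identically.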
@@ -191,10 +191,10 @@ if ($date && $dateIsValid) {
 $sql .= " AND sm.datem >= '".$db->idate($date)."'";
 }
 if ($productid > 0) {
- $sql .= " AND sm.fk_product = ".$productid;
+ $sql .= " AND sm.fk_product = ".((int) $productid);
 }
 if ($fk_warehouse > 0) {
- $sql .= " AND sm.fk_entrepot = ".$fk_warehouse;
+ $sql .= " AND sm.fk_entrepot = ".((int) $fk_warehouse);
 }
 $sql .= " GROUP BY sm.fk_product, sm.fk_entrepot";
 $resql = $db->query($sql);
diff --git a/htdocs/projet/activity/index.php b/htdocs/projet/activity/index.php
index c49ca736bbb..fe2188de904 100644
--- a/htdocs/projet/activity/index.php
+++ b/htdocs/projet/activity/index.php
@@ -454,7 +454,7 @@ if (empty($conf->global->PROJECT_HIDE_TASKS) && !empty($conf->global->PROJECT_SH
 $sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")"; // project i have permission on
 }
 if ($mine) { // this may duplicate record if we are contact twice
- $sql .= " AND ect.fk_c_type_contact IN (".join(',', array_keys($listoftaskcontacttype)).") AND ect.element_id = t.rowid AND ect.fk_socpeople = ".$user->id;
+ $sql .= " AND ect.fk_c_type_contact IN (".$db->sanitize(join(',', array_keys($listoftaskcontacttype))).") AND ect.element_id = t.rowid AND ect.fk_socpeople = ".$user->id;
 }
 if ($socid) {
 $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
diff --git a/htdocs/projet/class/api_projects.class.php b/htdocs/projet/class/api_projects.class.php
index c650512c5dd..47536986a80 100644
--- a/htdocs/projet/class/api_projects.class.php
+++ b/htdocs/projet/class/api_projects.class.php
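Review bot: In the projet/activity/index.php hunk the rewritten line still ends with `ect.fk_socpeople = ".$user->id` and the hunk's last line inlines `$socid` raw behind an `if ($socid)` truthiness check; the patch casts both in projet/index.php and graph_opportunities.inc.php (`if ($socid > 0)` with `((int) $socid)`). Using `((int) $user->id)` on the new line and `if ($socid > 0) { ... p.fk_soc = ".((int) $socid).")"; }` on the last two lines closes the remaining gaps in this query.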
@@ -131,14 +131,14 @@ class Projects extends DolibarrApi
 $sql .= " AND t.fk_soc = sc.fk_soc";
 }
 if ($socids) {
- $sql .= " AND t.fk_soc IN (".$socids.")";
+ $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")";
 }
 if ($search_sale > 0) {
 $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
 }
 // Insert sale filter
 if ($search_sale > 0) {
- $sql .= " AND sc.fk_user = ".$search_sale;
+ $sql .= " AND sc.fk_user = ".((int) $search_sale);
 }
 // Select projects of given category
 if ($category > 0) {
diff --git a/htdocs/projet/class/api_tasks.class.php b/htdocs/projet/class/api_tasks.class.php
index 518b3576e34..748d9ce2594 100644
--- a/htdocs/projet/class/api_tasks.class.php
+++ b/htdocs/projet/class/api_tasks.class.php
@@ -135,14 +135,14 @@ class Tasks extends DolibarrApi
 $sql .= " AND t.fk_soc = sc.fk_soc";
 }
 if ($socids) {
- $sql .= " AND t.fk_soc IN (".$socids.")";
+ $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")";
 }
 if ($search_sale > 0) {
 $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
 }
 // Insert sale filter
 if ($search_sale > 0) {
- $sql .= " AND sc.fk_user = ".$search_sale;
+ $sql .= " AND sc.fk_user = ".((int) $search_sale);
 }
 // Add sql filters
 if ($sqlfilters) {
diff --git a/htdocs/projet/class/project.class.php b/htdocs/projet/class/project.class.php
index 137757eae1a..5d6c4b4825a 100644
--- a/htdocs/projet/class/project.class.php
+++ b/htdocs/projet/class/project.class.php
@@ -653,19 +653,19 @@ class Project extends CommonObject
 $ids = $this->id;
 if ($type == 'agenda') {
- $sql = "SELECT id as rowid FROM ".MAIN_DB_PREFIX."actioncomm WHERE fk_project IN (".$ids.") AND entity IN (".getEntity('agenda').")";
+ $sql = "SELECT id as rowid FROM ".MAIN_DB_PREFIX."actioncomm WHERE fk_project IN (".$this->db->sanitize($ids).") AND entity IN (".getEntity('agenda').")";
 } elseif ($type == 'expensereport') {
- $sql = "SELECT ed.rowid FROM ".MAIN_DB_PREFIX."expensereport as e, ".MAIN_DB_PREFIX."expensereport_det as ed WHERE e.rowid = ed.fk_expensereport AND e.entity IN (".getEntity('expensereport').") AND ed.fk_projet IN (".$ids.")";
+ $sql = "SELECT ed.rowid FROM ".MAIN_DB_PREFIX."expensereport as e, ".MAIN_DB_PREFIX."expensereport_det as ed WHERE e.rowid = ed.fk_expensereport AND e.entity IN (".getEntity('expensereport').") AND ed.fk_projet IN (".$this->db->sanitize($ids).")";
 } elseif ($type == 'project_task') {
- $sql = "SELECT DISTINCT pt.rowid FROM ".MAIN_DB_PREFIX."projet_task as pt WHERE pt.fk_projet IN (".$ids.")";
+ $sql = "SELECT DISTINCT pt.rowid FROM ".MAIN_DB_PREFIX."projet_task as pt WHERE pt.fk_projet IN (".$this->db->sanitize($ids).")";
 } elseif ($type == 'project_task_time') { // Case we want to duplicate line foreach user
- $sql = "SELECT DISTINCT pt.rowid, ptt.fk_user FROM ".MAIN_DB_PREFIX."projet_task as pt, ".MAIN_DB_PREFIX."projet_task_time as ptt WHERE pt.rowid = ptt.fk_task AND pt.fk_projet IN (".$ids.")";
+ $sql = "SELECT DISTINCT pt.rowid, ptt.fk_user FROM ".MAIN_DB_PREFIX."projet_task as pt, ".MAIN_DB_PREFIX."projet_task_time as ptt WHERE pt.rowid = ptt.fk_task AND pt.fk_projet IN (".$this->db->sanitize($ids).")";
 } elseif ($type == 'stock_mouvement') {
- $sql = 'SELECT ms.rowid, ms.fk_user_author as fk_user FROM '.MAIN_DB_PREFIX."stock_mouvement as ms, ".MAIN_DB_PREFIX."entrepot as e WHERE e.rowid = ms.fk_entrepot AND e.entity IN (".getEntity('stock').") AND ms.origintype = 'project' AND ms.fk_origin IN (".$ids.") AND 
ms.type_mouvement = 1";
+ $sql = 'SELECT ms.rowid, ms.fk_user_author as fk_user FROM '.MAIN_DB_PREFIX."stock_mouvement as ms, ".MAIN_DB_PREFIX."entrepot as e WHERE e.rowid = ms.fk_entrepot AND e.entity IN (".getEntity('stock').") AND ms.origintype = 'project' AND ms.fk_origin IN (".$this->db->sanitize($ids).") AND ms.type_mouvement = 1";
 } elseif ($type == 'loan') {
- $sql = 'SELECT l.rowid, l.fk_user_author as fk_user FROM '.MAIN_DB_PREFIX."loan as l WHERE l.entity IN (".getEntity('loan').") AND l.fk_projet IN (".$ids.")";
+ $sql = 'SELECT l.rowid, l.fk_user_author as fk_user FROM '.MAIN_DB_PREFIX."loan as l WHERE l.entity IN (".getEntity('loan').") AND l.fk_projet IN (".$this->db->sanitize($ids).")";
 } else {
- $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX.$tablename." WHERE ".$projectkey." IN (".$ids.") AND entity IN (".getEntity($type).")";
+ $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX.$tablename." WHERE ".$projectkey." IN (".$this->db->sanitize($ids).") AND entity IN (".getEntity($type).")";
 }
 if ($dates > 0 && $type == 'loan') {
@@ -1386,13 +1386,13 @@ class Project extends CommonObject
 if ($mode == 0) {
 $sql .= " AND ( p.public = 1";
- $sql .= " OR ( ec.fk_c_type_contact IN (".join(',', array_keys($listofprojectcontacttype)).")";
+ $sql .= " OR ( ec.fk_c_type_contact IN (".$this->db->sanitize(join(',', array_keys($listofprojectcontacttype))).")";
 $sql .= " AND ec.fk_socpeople = ".$user->id.")";
 $sql .= " )";
 } elseif ($mode == 1) {
 $sql .= " AND ec.element_id = p.rowid";
 $sql .= " AND (";
- $sql .= " ( ec.fk_c_type_contact IN (".join(',', array_keys($listofprojectcontacttype)).")";
+ $sql .= " ( ec.fk_c_type_contact IN (".$this->db->sanitize(join(',', array_keys($listofprojectcontacttype))).")";
 $sql .= " AND ec.fk_socpeople = ".$user->id.")";
 $sql .= " )";
 } elseif ($mode == 2) {
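Review bot: The `else` branch of the project.class.php @@ -653 hunk interpolates `$tablename` and `$projectkey` directly into the statement; both are set before the hunk, so whether they come from a fixed map keyed by `$type` or can carry caller-supplied text cannot be seen here. If they are not from a closed map, a whitelist check on both (or a `match`-style lookup from `$type`) belongs next to the sanitize() that was added on `$ids`. Since `$ids = $this->id` is a single id, `= ".((int) $this->id)` would also be more precise than an IN list in every branch. The enclosing method starts and ends outside the hunk.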
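Review bot: Both branches of the @@ -1386 hunk keep `ec.fk_socpeople = ".$user->id.")"` uncast right next to the newly sanitized contact-type list; `((int) $user->id)` in those two context lines would match the treatment this patch gives the same expression in expensereport/index.php. The enclosing method starts and ends outside the hunk.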
@@ -1974,7 +1974,7 @@ class Project extends CommonObject
 $sql .= " WHERE p.fk_statut = 1";
 $sql .= " AND p.entity IN (".getEntity('project').')';
 if (!empty($projectsListId)) {
- $sql .= " AND p.rowid IN (".$projectsListId.")";
+ $sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")";
 }
 // No need to check company, as filtering of projects must be done by getProjectsAuthorizedForUser
 //if ($socid || ! $user->rights->societe->client->voir) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
diff --git a/htdocs/projet/class/projectstats.class.php b/htdocs/projet/class/projectstats.class.php
index 3ec82edf366..42c5ae2135f 100644
--- a/htdocs/projet/class/projectstats.class.php
+++ b/htdocs/projet/class/projectstats.class.php
@@ -180,11 +180,11 @@ class ProjectStats extends Stats
 }
 if (!empty($this->status)) {
- $sqlwhere[] = " t.fk_opp_status IN (".$this->status.")";
+ $sqlwhere[] = " t.fk_opp_status IN (".$this->db->sanitize($this->status).")";
 }
 if (!$user->rights->projet->all->lire) {
- $sqlwhere[] = " t.rowid IN (".$projectsListId.")"; // public and assigned to, or restricted to company for external users
+ $sqlwhere[] = " t.rowid IN (".$this->db->sanitize($projectsListId).")"; // public and assigned to, or restricted to company for external users
 }
 if (count($sqlwhere) > 0) {
diff --git a/htdocs/projet/class/task.class.php b/htdocs/projet/class/task.class.php
index 9a72124199c..c9762c0043c 100644
--- a/htdocs/projet/class/task.class.php
+++ b/htdocs/projet/class/task.class.php
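Review bot: The guard `if (!empty($projectsListId))` in the project.class.php @@ -1974 hunk means an empty authorized-project list drops the restriction entirely and the query returns every open project, whereas the projectstats.class.php hunk in this patch produces `IN ()` (a query error) for the same input and projet/tasks/list.php substitutes `'0'`. If `$projectsListId` is the authorization set here, an empty set should yield no rows, e.g. `$sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId ? $projectsListId : '0').")";` without the outer guard; I cannot see how callers populate `$projectsListId`, so the guard may be intentional for the unrestricted case and deserves a comment either way. The enclosing method starts and ends outside the hunk.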
@@ -2002,12 +2002,12 @@ class Task extends CommonObject
 $sql .= " AND t.fk_projet = p.rowid";
 $sql .= " AND (t.progress IS NULL OR t.progress < 100)"; // tasks to do
 if (!$user->rights->projet->all->lire) {
- $sql .= " AND p.rowid IN (".$projectsListId.")";
+ $sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")";
 }
 // No need to check company, as filtering of projects must be done by getProjectsAuthorizedForUser
 //if ($socid || ! $user->rights->societe->client->voir) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
 if ($socid) {
- $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
+ $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".((int) $socid).")";
 }
 // No need to check company, as filtering of projects must be done by getProjectsAuthorizedForUser
 // if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND ((s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id.") OR (s.rowid IS NULL))";
@@ -2076,7 +2076,7 @@ class Task extends CommonObject
 $sql .= " WHERE p.entity IN (".getEntity('project', 0).')';
 $sql .= " AND t.fk_projet = p.rowid"; // tasks to do
 if ($mine || !$user->rights->projet->all->lire) {
- $sql .= " AND p.rowid IN (".$projectsListId.")";
+ $sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")";
 }
 // No need to check company, as filtering of projects must be done by getProjectsAuthorizedForUser
 //if ($socid || ! $user->rights->societe->client->voir) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
diff --git a/htdocs/projet/class/taskstats.class.php b/htdocs/projet/class/taskstats.class.php
index d18950ec482..8a5234b956f 100644
--- a/htdocs/projet/class/taskstats.class.php
+++ b/htdocs/projet/class/taskstats.class.php
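Review bot: `if ($socid)` in the task.class.php @@ -2002 hunk is a truthiness check, while the equivalent lines this patch touches in projet/index.php and graph_opportunities.inc.php were changed to `if ($socid > 0)`; with the new cast a non-numeric value now silently becomes `p.fk_soc = 0`, so `if ($socid > 0) {` here keeps the behaviours aligned. The two commented-out SQL lines kept as context in both hunks restate logic the active code already handles and could be dropped. Both enclosing methods start and end outside the hunks.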
@@ -154,9 +154,8 @@ class TaskStats extends Stats
 if (!empty($this->yearmonth)) {
 $sqlwhere[] = " t.datec BETWEEN '".$this->db->idate(dol_get_first_day($this->yearmonth))."' AND '".$this->db->idate(dol_get_last_day($this->yearmonth))."'";
 }
-
- if (!empty($this->status)) {
- $sqlwhere[] = " t.priority IN (".$this->priority.")";
+ if (!empty($this->priority)) {
+ $sqlwhere[] = " t.priority IN (".$this->db->sanitize($this->priority, 1).")";
 }
 if (count($sqlwhere) > 0) {
diff --git a/htdocs/projet/graph_opportunities.inc.php b/htdocs/projet/graph_opportunities.inc.php
index cf8cc1dd34d..b6b4470dd15 100644
--- a/htdocs/projet/graph_opportunities.inc.php
+++ b/htdocs/projet/graph_opportunities.inc.php
@@ -23,10 +23,10 @@ if (!empty($conf->global->PROJECT_USE_OPPORTUNITIES)) {
 $sql .= " WHERE p.entity IN (".getEntity('project').")";
 $sql .= " AND p.fk_statut = 1"; // Opend projects only
 if ($mine || empty($user->rights->projet->all->lire)) {
- $sql .= " AND p.rowid IN (".$projectsListId.")";
+ $sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")";
 }
- if ($socid) {
- $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
+ if ($socid > 0) {
+ $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".((int) $socid).")";
 }
 $sql .= " GROUP BY p.fk_opp_status, cls.code";
 $resql = $db->query($sql);
diff --git a/htdocs/projet/index.php b/htdocs/projet/index.php
index 600a246cf94..78e9d85aa1a 100644
--- a/htdocs/projet/index.php
+++ b/htdocs/projet/index.php
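Review bot: The new `$this->db->sanitize($this->priority, 1)` in taskstats.class.php passes the second argument, which the website.lib.php hunk uses for a quoted string list, while the numeric `fk_opp_status` list in projectstats.class.php is sanitized without it; if `$this->priority` is a comma-separated list of numbers, `$this->db->sanitize($this->priority)` is the tighter choice. A short comment stating the expected format of `$this->priority` would also help, given that the old code tested the wrong property. The enclosing method starts and ends outside the hunk.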
@@ -238,7 +238,7 @@ $sql .= " FROM ".MAIN_DB_PREFIX."projet as p";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s on p.fk_soc = s.rowid";
 $sql .= " WHERE p.entity IN (".getEntity('project').")";
 if ($mine || empty($user->rights->projet->all->lire)) {
- $sql .= " AND p.rowid IN (".$projectsListId.")"; // If we have this test true, it also means projectset is not 2
+ $sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")"; // If we have this test true, it also means projectset is not 2
 }
 if ($socid) {
 $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
@@ -338,10 +338,10 @@ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s on p.fk_soc = s.rowid";
 $sql .= " WHERE p.entity IN (".getEntity('project').")";
 $sql .= " AND p.fk_statut = 1";
 if ($mine || empty($user->rights->projet->all->lire)) {
- $sql .= " AND p.rowid IN (".$projectsListId.")"; // If we have this test true, it also means projectset is not 2
+ $sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")"; // If we have this test true, it also means projectset is not 2
 }
-if ($socid) {
- $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
+if ($socid > 0) {
+ $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".((int) $socid).")";
 }
 $sql .= " GROUP BY s.rowid, s.nom, s.name_alias, s.code_client, s.code_compta, s.client, s.code_fournisseur, s.code_compta_fournisseur, s.fournisseur, s.logo, s.email, s.entity, s.canvas, s.status";
 $sql .= $db->order($sortfield, $sortorder);
diff --git a/htdocs/projet/list.php b/htdocs/projet/list.php
index e6b381a6650..3e81b529ac8 100644
--- a/htdocs/projet/list.php
+++ b/htdocs/projet/list.php
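Review bot: The projet/index.php @@ -238 hunk leaves `$sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";` as an uncast concatenation behind `if ($socid)`, while @@ -338 in the same file changes the identical pair of lines to `if ($socid > 0) {` and `((int) $socid)`; the first query should receive the same edit so the two listings on this page apply the same filter.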
@@ -370,11 +370,11 @@ if (!empty($conf->categorie->enabled)) { $sql .= Categorie::getFilterSelectQuery(Categorie::TYPE_PROJECT, "p.rowid", $search_category_array); } if (!$user->rights->projet->all->lire) { - $sql .= " AND p.rowid IN (".$projectsListId.")"; // public and assigned to, or restricted to company for external users + $sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")"; // public and assigned to, or restricted to company for external users } // No need to check if company is external user, as filtering of projects must be done by getProjectsAuthorizedForUser if ($socid > 0) { - $sql .= " AND (p.fk_soc = ".$socid.")"; // This filter if when we use a hard coded filter on company on url (not related to filter for external users) + $sql .= " AND (p.fk_soc = ".((int) $socid).")"; // This filter if when we use a hard coded filter on company on url (not related to filter for external users) } if ($search_ref) { $sql .= natural_search('p.ref', $search_ref); diff --git a/htdocs/projet/tasks/list.php b/htdocs/projet/tasks/list.php index 57f9ec2b24f..801c792cf7d 100644 --- a/htdocs/projet/tasks/list.php +++ b/htdocs/projet/tasks/list.php 
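Review bot: `$db->sanitize($projectsListId)` in the projet/list.php hunk does not cover the empty-list case: with no authorised projects the clause becomes `p.rowid IN ()`, which is a syntax error rather than an empty result. The tasks/list.php hunk in this commit handles it with a `'0'` fallback; use the same here: `$sql .= " AND p.rowid IN (".$db->sanitize($projectsListId ? $projectsListId : '0').")";`. Whether the upstream helper can actually return an empty string is not visible from the hunk.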
@@ -334,17 +334,17 @@ if ($search_task_user > 0) { $sql .= " WHERE t.fk_projet = p.rowid"; $sql .= " AND p.entity IN (".getEntity('project').')'; if (!$user->rights->projet->all->lire) { - $sql .= " AND p.rowid IN (".($projectsListId ? $projectsListId : '0').")"; // public and assigned to projects, or restricted to company for external users + $sql .= " AND p.rowid IN (".$db->sanitize($projectsListId ? $projectsListId : '0').")"; // public and assigned to projects, or restricted to company for external users } if (is_object($projectstatic) && $projectstatic->id > 0) { - $sql .= " AND p.rowid = ".$projectstatic->id; + $sql .= " AND p.rowid = ".((int) $projectstatic->id); } // No need to check company, as filtering of projects must be done by getProjectsAuthorizedForUser if ($socid) { - $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")"; + $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".((int) $socid).")"; } if ($search_categ > 0) { - $sql .= " AND cs.fk_categorie = ".$db->escape($search_categ); + $sql .= " AND cs.fk_categorie = ".((int) $search_categ); } if ($search_categ == -2) { $sql .= " AND cs.fk_categorie IS NULL"; 
@@ -389,10 +389,10 @@ if ($search_public != '') { $sql .= " AND p.public = ".$db->escape($search_public); } if ($search_project_user > 0) { - $sql .= " AND ecp.fk_c_type_contact IN (".join(',', array_keys($listofprojectcontacttype)).") AND ecp.element_id = p.rowid AND ecp.fk_socpeople = ".$search_project_user; + $sql .= " AND ecp.fk_c_type_contact IN (".$db->sanitize(join(',', array_keys($listofprojectcontacttype))).") AND ecp.element_id = p.rowid AND ecp.fk_socpeople = ".$search_project_user; } if ($search_task_user > 0) { - $sql .= " AND ect.fk_c_type_contact IN (".join(',', array_keys($listoftaskcontacttype)).") AND ect.element_id = t.rowid AND ect.fk_socpeople = ".$search_task_user; + $sql .= " AND ect.fk_c_type_contact IN (".$db->sanitize(join(',', array_keys($listoftaskcontacttype))).") AND ect.element_id = t.rowid AND ect.fk_socpeople = ".$search_task_user; } // Add where from extra fields include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_search_sql.tpl.php'; diff --git a/htdocs/projet/tasks/time.php b/htdocs/projet/tasks/time.php index eb1c394d8cf..597d885d088 100644 --- a/htdocs/projet/tasks/time.php +++ b/htdocs/projet/tasks/time.php @@ -1036,7 +1036,7 @@ if (($id > 0 || !empty($ref)) || $projectidforalltimes > 0) { if (empty($projectidforalltimes)) { $sql .= " AND t.fk_task =".$object->id; } else { - $sql .= " AND pt.fk_projet IN (".$projectidforalltimes.")"; + $sql .= " AND pt.fk_projet IN (".$db->sanitize($projectidforalltimes).")"; } if ($search_note) { $sql .= natural_search('t.note', $search_note); diff --git a/htdocs/reception/list.php b/htdocs/reception/list.php index 661c14c9d01..b77742dd71d 100644 --- a/htdocs/reception/list.php +++ b/htdocs/reception/list.php 
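Review bot: The two rewritten lines in the tasks/list.php hunk sanitize the contact-type list but still concatenate `$search_project_user` and `$search_task_user` raw into `ecp.fk_socpeople = ".$search_project_user` and `ect.fk_socpeople = ".$search_task_user`. The `> 0` guard does not guarantee an integer-only string in PHP's loose comparison (a leading-numeric string passes), so unless these are read with an `int` filter outside the hunk they remain injectable; cast them as the rest of the commit does: `... AND ecp.fk_socpeople = ".((int) $search_project_user);` and `... AND ect.fk_socpeople = ".((int) $search_task_user);`.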
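Review bot: In the tasks/time.php hunk the untouched branch `$sql .= " AND t.fk_task =".$object->id;` sits next to the newly sanitized `IN (...)` and is the only uncast id in the clause. `$object->id` is normally an integer, but for consistency with the other hunks in this commit it should read `$sql .= " AND t.fk_task = ".((int) $object->id);`. The enclosing `if` starts outside the hunk.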
@@ -472,10 +472,10 @@ if ($search_state) { $sql .= natural_search("state.nom", $search_state); } if ($search_country) { - $sql .= " AND s.fk_pays IN (".$search_country.')'; + $sql .= " AND s.fk_pays IN (".$db->sanitize($search_country).')'; } if ($search_type_thirdparty != '' && $search_type_thirdparty > 0) { - $sql .= " AND s.fk_typent IN (".$search_type_thirdparty.')'; + $sql .= " AND s.fk_typent IN (".$db->sanitize($search_type_thirdparty).')'; } if ($search_ref_rcp) { $sql .= natural_search('e.ref', $search_ref_rcp); diff --git a/htdocs/salaries/list.php b/htdocs/salaries/list.php index 7bc75f52793..907f16f21bc 100644 --- a/htdocs/salaries/list.php +++ b/htdocs/salaries/list.php @@ -247,7 +247,7 @@ $sql .= " ".MAIN_DB_PREFIX."user as u"; $sql .= " WHERE u.rowid = s.fk_user"; $sql .= " AND s.entity IN (".getEntity('payment_salaries').")"; if (empty($user->rights->salaries->readall)) { - $sql .= " AND s.fk_user IN (".join(',', $childids).")"; + $sql .= " AND s.fk_user IN (".$db->sanitize(join(',', $childids)).")"; } // Search criteria diff --git a/htdocs/salaries/payments.php b/htdocs/salaries/payments.php index 5c0b0c73956..3e6630dbaf1 100644 --- a/htdocs/salaries/payments.php +++ b/htdocs/salaries/payments.php 
@@ -190,22 +190,18 @@ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."bank_account as ba ON b.fk_account = ba.ro $sql .= " ".MAIN_DB_PREFIX."user as u"; $sql .= " WHERE u.rowid = sal.fk_user"; $sql .= " AND s.entity IN (".getEntity('payment_salaries').")"; -if (empty($user->rights->salaries->readall)) $sql .= " AND s.fk_user IN (".join(',', $childids).")"; +if (empty($user->rights->salaries->readall)) $sql .= " AND s.fk_user IN (".$db->sanitize(join(',', $childids)).")"; // Search criteria if ($search_ref) $sql .= " AND s.rowid=".((int) $search_ref); -if ($search_ref_salary) $sql .= " AND sal.rowid=".((int) $search_ref_salary); +if ($search_ref_salary) $sql .= " AND sal.rowid=".((int) $search_ref_salary); if ($search_user) $sql .= natural_search(array('u.login', 'u.lastname', 'u.firstname', 'u.email'), $search_user); if ($search_label) $sql .= natural_search(array('sal.label'), $search_label); if ($search_date_start) $sql .= " AND s.datep >= '".$db->idate($search_date_start)."'"; if ($search_date_end) $sql .= " AND s.datep <= '".$db->idate($search_date_end)."'"; if ($search_amount) $sql .= natural_search("s.amount", $search_amount, 1); if ($search_account > 0) $sql .= " AND b.fk_account=".((int) $search_account); -if ($filtre) { - $filtre = str_replace(":", "=", $filtre); - $sql .= " AND ".$filtre; -} -if ($search_type_id) { +if ($search_type_id > 0) { $sql .= " AND s.fk_typepayment=".$search_type_id; } $sql .= $db->order($sortfield, $sortorder); diff --git a/htdocs/societe/class/api_contacts.class.php b/htdocs/societe/class/api_contacts.class.php index 37ad82602fb..3993ad38e5f 100644 --- a/htdocs/societe/class/api_contacts.class.php +++ b/htdocs/societe/class/api_contacts.class.php 
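Review bot: `$search_type_id` is still concatenated uncast in `$sql .= " AND s.fk_typepayment=".$search_type_id;`, the one filter in this hunk that does not get the `((int) ...)` treatment given to `$search_ref`, `$search_ref_salary` and `$search_account`. Changing the guard to `> 0` narrows the input only under PHP's loose comparison; the line should be `$sql .= " AND s.fk_typepayment = ".((int) $search_type_id);`. Dropping the `$filtre` block, which appended caller-controlled text straight into the WHERE clause, is the right call and deserves a one-line comment so nobody reintroduces it.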
@@ -192,7 +192,7 @@ class Contacts extends DolibarrApi $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON t.fk_soc = s.rowid"; $sql .= ' WHERE t.entity IN ('.getEntity('socpeople').')'; if ($socids) { - $sql .= " AND t.fk_soc IN (".$socids.")"; + $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")"; } if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) || $search_sale > 0) { @@ -203,7 +203,7 @@ class Contacts extends DolibarrApi } // Insert sale filter if ($search_sale > 0) { - $sql .= " AND sc.fk_user = ".$search_sale; + $sql .= " AND sc.fk_user = ".((int) $search_sale); } // Select contacts of given category diff --git a/htdocs/societe/class/api_thirdparties.class.php b/htdocs/societe/class/api_thirdparties.class.php index ed62e5a224f..cd356d2e2a2 100644 --- a/htdocs/societe/class/api_thirdparties.class.php +++ b/htdocs/societe/class/api_thirdparties.class.php @@ -187,14 +187,14 @@ class Thirdparties extends DolibarrApi } //if ($email != NULL) $sql.= " AND s.email = \"".$email."\""; if ($socids) { - $sql .= " AND t.rowid IN (".$socids.")"; + $sql .= " AND t.rowid IN (".$this->db->sanitize($socids).")"; } if ($search_sale > 0) { $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale } // Insert sale filter if ($search_sale > 0) { - $sql .= " AND sc.fk_user = ".$search_sale; + $sql .= " AND sc.fk_user = ".((int) $search_sale); } // Add sql filters if ($sqlfilters) { diff --git a/htdocs/societe/list.php b/htdocs/societe/list.php index 74685d37b05..6ac6d35e4eb 100644 --- a/htdocs/societe/list.php +++ b/htdocs/societe/list.php @@ -584,7 +584,7 @@ if ($search_region) { $sql .= natural_search("region.nom", $search_region); } if ($search_country && $search_country != '-1') { - $sql .= " AND s.fk_pays IN (".$db->sanitize($db->escape($search_country)).')'; + $sql .= " AND s.fk_pays IN (".$db->sanitize($search_country).')'; } if ($search_email) { $sql .= natural_search("s.email", $search_email); 
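Review bot: In the api_contacts.class.php hunk `$this->db->sanitize($socids)` is used for a list of thirdparty ids that, by the `$socids` name and the API context, likely comes from a request parameter; if sanitize() is a character allow-list that keeps letters, dots and dashes (the `, 1` variant elsewhere in this commit suggests it is not numeric-only), a value such as `s.rowid` survives and turns `t.fk_soc IN (s.rowid)` into a column comparison rather than a fixed filter. For an id list a per-element cast is both stricter and independent of sanitize()'s rules: `$sql .= " AND t.fk_soc IN (".implode(',', array_map('intval', explode(',', $socids))).")";`. The same applies to the api_thirdparties.class.php and api_supplier_proposals.class.php hunks on this page.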
@@ -621,7 +621,7 @@ if (strlen($search_vat)) { } // Filter on type of thirdparty if ($search_type > 0 && in_array($search_type, array('1,3', '1,2,3', '2,3'))) { - $sql .= " AND s.client IN (".$db->sanitize($db->escape($search_type)).")"; + $sql .= " AND s.client IN (".$db->sanitize($search_type).")"; } if ($search_type > 0 && in_array($search_type, array('4'))) { $sql .= " AND s.fournisseur = 1"; diff --git a/htdocs/supplier_proposal/class/api_supplier_proposals.class.php b/htdocs/supplier_proposal/class/api_supplier_proposals.class.php index 953f1d274fe..1368cce7811 100644 --- a/htdocs/supplier_proposal/class/api_supplier_proposals.class.php +++ b/htdocs/supplier_proposal/class/api_supplier_proposals.class.php @@ -124,14 +124,14 @@ class Supplierproposals extends DolibarrApi $sql .= " AND t.fk_soc = sc.fk_soc"; } if ($socids) { - $sql .= " AND t.fk_soc IN (".$socids.")"; + $sql .= " AND t.fk_soc IN (".$this->db->sanitize($socids).")"; } if ($search_sale > 0) { $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale } // Insert sale filter if ($search_sale > 0) { - $sql .= " AND sc.fk_user = ".$search_sale; + $sql .= " AND sc.fk_user = ".((int) $search_sale); } // Add sql filters if ($sqlfilters) { diff --git a/htdocs/supplier_proposal/list.php b/htdocs/supplier_proposal/list.php index 3ad210b2f77..6851bbb4021 100644 --- a/htdocs/supplier_proposal/list.php +++ b/htdocs/supplier_proposal/list.php @@ -329,10 +329,10 @@ if ($search_state) { $sql .= natural_search("state.nom", $search_state); } if ($search_country) { - $sql .= " AND s.fk_pays IN (".$search_country.')'; + $sql .= " AND s.fk_pays IN (".$db->sanitize($search_country).')'; } if ($search_type_thirdparty != '' && $search_type_thirdparty > 0) { - $sql .= " AND s.fk_typent IN (".$search_type_thirdparty.')'; + $sql .= " AND s.fk_typent IN (".$db->sanitize($search_type_thirdparty).')'; } if ($search_ref) { $sql .= natural_search('sp.ref', $search_ref); 
diff --git a/htdocs/user/class/api_users.class.php b/htdocs/user/class/api_users.class.php index 9415366061d..2f8972ceafe 100644 --- a/htdocs/user/class/api_users.class.php +++ b/htdocs/user/class/api_users.class.php @@ -87,7 +87,7 @@ class Users extends DolibarrApi } $sql .= ' WHERE t.entity IN ('.getEntity('user').')'; if ($user_ids) { - $sql .= " AND t.rowid IN (".$user_ids.")"; + $sql .= " AND t.rowid IN (".$this->db->sanitize($user_ids).")"; } // Select products of given category @@ -473,7 +473,7 @@ class Users extends DolibarrApi $sql .= " FROM ".MAIN_DB_PREFIX."usergroup as t"; $sql .= ' WHERE t.entity IN ('.getEntity('user').')'; if ($group_ids) { - $sql .= " AND t.rowid IN (".$group_ids.")"; + $sql .= " AND t.rowid IN (".$this->db->sanitize($group_ids).")"; } // Add sql filters if ($sqlfilters) { diff --git a/htdocs/user/list.php b/htdocs/user/list.php index aef0d3e31c9..ec7b7335b02 100644 --- a/htdocs/user/list.php +++ b/htdocs/user/list.php @@ -357,7 +357,7 @@ if ($socid > 0) { } //if ($search_user != '') $sql.=natural_search(array('u.login', 'u.lastname', 'u.firstname'), $search_user); if ($search_supervisor > 0) { - $sql .= " AND u.fk_user IN (".$db->sanitize($db->escape($search_supervisor)).")"; + $sql .= " AND u.fk_user IN (".$db->sanitize($search_supervisor).")"; } if ($search_thirdparty != '') { $sql .= natural_search(array('s.nom'), $search_thirdparty); @@ -393,7 +393,7 @@ if ($search_api_key != '') { $sql .= natural_search("u.api_key", $search_api_key); } if ($search_statut != '' && $search_statut >= 0) { - $sql .= " AND u.statut IN (".$db->sanitize($db->escape($search_statut)).")"; + $sql .= " AND u.statut IN (".$db->sanitize($search_statut).")"; } if ($sall) { $sql .= natural_search(array_keys($fieldstosearchall), $sall); diff --git a/htdocs/variants/class/ProductAttribute.class.php b/htdocs/variants/class/ProductAttribute.class.php index b823cbea470..a4e9f92eb10 100644 --- a/htdocs/variants/class/ProductAttribute.class.php 
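Review bot: `$this->db->sanitize($user_ids)` and `$this->db->sanitize($group_ids)` in the api_users.class.php hunks accept whatever characters sanitize() allows, while both values are id lists that by their names come from API parameters; a per-element integer cast would make the intent explicit and not rely on the helper's character set, e.g. `$sql .= " AND t.rowid IN (".implode(',', array_map('intval', explode(',', $user_ids))).")";`. In the user/list.php hunks the guards are `$search_supervisor > 0` and `$search_statut >= 0`, i.e. single integers, so `u.fk_user = ".((int) $search_supervisor)` would be clearer than an `IN (...)` over a sanitized string; I cannot see from the hunk whether those values may also be comma lists.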
+++ b/htdocs/variants/class/ProductAttribute.class.php @@ -85,7 +85,7 @@ class ProductAttribute extends CommonObject return -1; } - $sql = "SELECT rowid, ref, ref_ext, label, rang FROM ".MAIN_DB_PREFIX."product_attribute WHERE rowid = ".(int) $id." AND entity IN (".getEntity('product').")"; + $sql = "SELECT rowid, ref, ref_ext, label, rang FROM ".MAIN_DB_PREFIX."product_attribute WHERE rowid = ".((int) $id)." AND entity IN (".getEntity('product').")"; $query = $this->db->query($sql); @@ -249,7 +249,7 @@ class ProductAttribute extends CommonObject public function countChildProducts() { $sql = "SELECT COUNT(*) count FROM ".MAIN_DB_PREFIX."product_attribute_combination2val pac2v - LEFT JOIN ".MAIN_DB_PREFIX."product_attribute_combination pac ON pac2v.fk_prod_combination = pac.rowid WHERE pac2v.fk_prod_attr = ".(int) $this->id." AND pac.entity IN (".getEntity('product').")"; + LEFT JOIN ".MAIN_DB_PREFIX."product_attribute_combination pac ON pac2v.fk_prod_combination = pac.rowid WHERE pac2v.fk_prod_attr = ".((int) $this->id)." AND pac.entity IN (".getEntity('product').")"; $query = $this->db->query($sql); diff --git a/htdocs/variants/class/ProductCombination.class.php b/htdocs/variants/class/ProductCombination.class.php index 8606b12602d..d16ae4e2134 100644 --- a/htdocs/variants/class/ProductCombination.class.php +++ b/htdocs/variants/class/ProductCombination.class.php 
@@ -106,7 +106,7 @@ class ProductCombination { global $conf; - $sql = "SELECT rowid, fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight, variation_ref_ext FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE rowid = ".(int) $rowid." AND entity IN (".getEntity('product').")"; + $sql = "SELECT rowid, fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight, variation_ref_ext FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE rowid = ".((int) $rowid)." AND entity IN (".getEntity('product').")"; $query = $this->db->query($sql); @@ -281,7 +281,7 @@ class ProductCombination { global $conf; - $sql = "SELECT rowid, fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE fk_product_parent = ".(int) $fk_product_parent." AND entity IN (".getEntity('product').")"; + $sql = "SELECT rowid, fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE fk_product_parent = ".((int) $fk_product_parent)." AND entity IN (".getEntity('product').")"; $query = $this->db->query($sql); @@ -320,7 +320,7 @@ class ProductCombination public function countNbOfCombinationForFkProductParent($fk_product_parent) { $nb = 0; - $sql = "SELECT count(rowid) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE fk_product_parent = ".(int) $fk_product_parent." AND entity IN (".getEntity('product').")"; + $sql = "SELECT count(rowid) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE fk_product_parent = ".((int) $fk_product_parent)." AND entity IN (".getEntity('product').")"; $resql = $this->db->query($sql); if ($resql) { diff --git a/htdocs/website/class/websitepage.class.php b/htdocs/website/class/websitepage.class.php index f59b8bbc5a5..3dbdb353a3e 100644 
--- a/htdocs/website/class/websitepage.class.php
+++ b/htdocs/website/class/websitepage.class.php
@@ -426,7 +426,7 @@ class WebsitePage extends CommonObject
 }
 $listoflang[] = "'".$this->db->escape(substr(str_replace("'", '', $tmpvalue), 0, 2))."'";
 }
- $stringtouse = $key." IN (".join(',', $listoflang).")";
+ $stringtouse = $key." IN (".$this->db->sanitize(join(',', $listoflang)).")";
 if ($foundnull) {
 $stringtouse = '('.$stringtouse.' OR '.$key.' IS NULL)';
 }
@@ -528,7 +528,7 @@ class WebsitePage extends CommonObject
 }
 $listoflang[] = "'".$this->db->escape(substr(str_replace("'", '', $tmpvalue), 0, 2))."'";
 }
- $stringtouse = $key." IN (".join(',', $listoflang).")";
+ $stringtouse = $key." IN (".$this->db->sanitize(join(',', $listoflang)).")";
 if ($foundnull) {
 $stringtouse = '('.$stringtouse.' OR '.$key.' IS NULL)';
 }
From 6a0e0f4c0633ada48bda8640836f6396e88b5b7e Mon Sep 17 00:00:00 2001
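Review bot: Wrapping `join(',', $listoflang)` in `sanitize()` with its default arguments looks like it will strip the single quotes that the preceding line deliberately adds around each escaped language code, turning `IN ('en','fr')` into `IN (en,fr)` — an unknown-column error or, worse, a comparison against real columns. The TaskStats hunk in this same commit passes `1` as the second argument where quotes must survive, which suggests the default does not keep them; both websitepage.class.php hunks need the same: `$stringtouse = $key." IN (".$this->db->sanitize(join(',', $listoflang), 1).")";`. The values are already escaped and truncated to two characters on the line above, so a comment noting that the quote-preserving mode is intentional would help the next reader.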
From: Laurent Destailleur Date: Mon, 22 Mar 2021 12:00:41 +0100 Subject: [PATCH 02/47] Fix #ygosha5698 --- htdocs/accountancy/customer/lines.php | 2 +- htdocs/accountancy/customer/list.php | 6 +++--- htdocs/accountancy/expensereport/lines.php | 2 +- htdocs/accountancy/supplier/lines.php | 2 +- htdocs/comm/propal/index.php | 2 +- htdocs/comm/propal/list.php | 2 +- htdocs/comm/propal/stats/index.php | 2 +- htdocs/commande/list.php | 4 ++-- htdocs/commande/stats/index.php | 4 ++-- htdocs/compta/accounting-files.php | 16 ++++++++-------- htdocs/compta/bank/graph.php | 2 +- .../deplacement/class/deplacementstats.class.php | 8 ++++---- htdocs/compta/deplacement/index.php | 4 ++-- htdocs/compta/deplacement/list.php | 2 +- htdocs/compta/facture/card.php | 2 +- htdocs/compta/facture/class/facture.class.php | 2 +- htdocs/compta/facture/stats/index.php | 6 +++--- htdocs/core/class/defaultvalues.class.php | 2 +- htdocs/core/class/html.form.class.php | 2 +- htdocs/core/lib/invoice2.lib.php | 4 ++-- htdocs/core/lib/website2.lib.php | 2 +- htdocs/core/modules/modDeplacement.class.php | 2 +- htdocs/core/modules/modExpedition.class.php | 2 +- htdocs/core/modules/modReception.class.php | 2 +- htdocs/core/modules/modSociete.class.php | 4 ++-- htdocs/fourn/class/fournisseur.facture.class.php | 2 +- htdocs/holiday/define_holiday.php | 2 +- htdocs/holiday/list.php | 2 +- htdocs/margin/customerMargins.php | 4 ++-- htdocs/product/stats/card.php | 2 +- htdocs/product/stats/commande.php | 4 ++-- htdocs/product/stats/commande_fournisseur.php | 4 ++-- htdocs/product/stats/facture.php | 4 ++-- htdocs/product/stats/facture_fournisseur.php | 4 ++-- htdocs/product/stats/propal.php | 4 ++-- htdocs/product/stats/supplier_proposal.php | 4 ++-- htdocs/public/recruitment/index.php | 2 +- htdocs/public/ticket/list.php | 2 +- htdocs/salaries/class/salariesstats.class.php | 2 +- htdocs/takepos/ajax/ajax.php | 2 +- htdocs/ticket/class/ticket.class.php | 2 +- htdocs/ticket/class/ticketstats.class.php | 2 
+- test/phpunit/CodingPhpTest.php | 12 ++++++++++++ 43 files changed, 80 insertions(+), 68 deletions(-) diff --git a/htdocs/accountancy/customer/lines.php b/htdocs/accountancy/customer/lines.php index 0cd01315d9f..f52bc45f635 100644 --- a/htdocs/accountancy/customer/lines.php +++ b/htdocs/accountancy/customer/lines.php @@ -129,7 +129,7 @@ if (is_array($changeaccount) && count($changeaccount) > 0 && $user->rights->acco $sql1 = "UPDATE ".MAIN_DB_PREFIX."facturedet as l"; $sql1 .= " SET l.fk_code_ventilation=".(GETPOST('account_parent', 'int') > 0 ? GETPOST('account_parent', 'int') : '0'); - $sql1 .= ' WHERE l.rowid IN ('.implode(',', $changeaccount).')'; + $sql1 .= ' WHERE l.rowid IN ('.$db->sanitize(implode(',', $changeaccount)).')'; dol_syslog('accountancy/customer/lines.php::changeaccount sql= '.$sql1); $resql1 = $db->query($sql1); diff --git a/htdocs/accountancy/customer/list.php b/htdocs/accountancy/customer/list.php index 7014474ce4f..177b33f3ded 100644 --- a/htdocs/accountancy/customer/list.php +++ b/htdocs/accountancy/customer/list.php @@ -283,11 +283,11 @@ if (strlen(trim($search_country))) { if ($search_country == 'special_allnotme') { $sql .= " AND co.code <> '".$db->escape($mysoc->country_code)."'"; } elseif ($search_country == 'special_eec') { - $sql .= " AND co.code IN (".$country_code_in_EEC.")"; + $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC).")"; } elseif ($search_country == 'special_eecnotme') { - $sql .= " AND co.code IN (".$country_code_in_EEC_without_me.")"; + $sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC_without_me).")"; } elseif ($search_country == 'special_noteec') { - $sql .= " AND co.code NOT IN (".$country_code_in_EEC.")"; + $sql .= " AND co.code NOT IN (".$db->sanitize($country_code_in_EEC).")"; } else { $sql .= natural_search("co.code", $search_country); } diff --git a/htdocs/accountancy/expensereport/lines.php b/htdocs/accountancy/expensereport/lines.php index d29e39d7f37..df50eaaff87 100644 
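Review bot: In the accountancy/customer/list.php hunk `$country_code_in_EEC` and `$country_code_in_EEC_without_me` are compared against `co.code`, i.e. they are presumably lists of quoted ISO codes (`'AT','BE',...`); `$db->sanitize()` with default arguments appears to drop single quotes (the TaskStats hunk in this commit passes `1` to keep them), which would turn the clause into `co.code IN (AT,BE,...)` and break the EEC filters. If that reading of sanitize() is right, all three lines need the quote-preserving mode, e.g. `$sql .= " AND co.code IN (".$db->sanitize($country_code_in_EEC, 1).")";`. These variables are defined outside the hunk, so please confirm their format before merging.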
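Review bot: In the accountancy/customer/lines.php hunk `$changeaccount` is an array of row ids taken from the form, so `$db->sanitize(implode(',', $changeaccount))` is looser than needed; casting each element keeps the UPDATE's WHERE strictly numeric: `$sql1 .= ' WHERE l.rowid IN ('.implode(',', array_map('intval', $changeaccount)).')';`. The same pattern recurs in the expensereport and supplier `lines.php` hunks on this page. The enclosing `if` that checks the array and the user's accountancy right starts outside the hunk.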
--- a/htdocs/accountancy/expensereport/lines.php +++ b/htdocs/accountancy/expensereport/lines.php @@ -119,7 +119,7 @@ if (is_array($changeaccount) && count($changeaccount) > 0 && $user->rights->acco $sql1 = "UPDATE ".MAIN_DB_PREFIX."expensereport_det as erd"; $sql1 .= " SET erd.fk_code_ventilation=".(GETPOST('account_parent', 'int') > 0 ? GETPOST('account_parent', 'int') : '0'); - $sql1 .= ' WHERE erd.rowid IN ('.implode(',', $changeaccount).')'; + $sql1 .= ' WHERE erd.rowid IN ('.$db->sanitize(implode(',', $changeaccount)).')'; dol_syslog('accountancy/expensereport/lines.php::changeaccount sql= '.$sql1); $resql1 = $db->query($sql1); diff --git a/htdocs/accountancy/supplier/lines.php b/htdocs/accountancy/supplier/lines.php index 343d42bab84..530ed189e19 100644 --- a/htdocs/accountancy/supplier/lines.php +++ b/htdocs/accountancy/supplier/lines.php @@ -130,7 +130,7 @@ if (is_array($changeaccount) && count($changeaccount) > 0) { $sql1 = "UPDATE ".MAIN_DB_PREFIX."facture_fourn_det as l"; $sql1 .= " SET l.fk_code_ventilation=".(GETPOST('account_parent', 'int') > 0 ? GETPOST('account_parent', 'int') : '0'); - $sql1 .= ' WHERE l.rowid IN ('.implode(',', $changeaccount).')'; + $sql1 .= ' WHERE l.rowid IN ('.$db->sanitize(implode(',', $changeaccount)).')'; dol_syslog('accountancy/supplier/lines.php::changeaccount sql= '.$sql1); $resql1 = $db->query($sql1); diff --git a/htdocs/comm/propal/index.php b/htdocs/comm/propal/index.php index 812561a63b1..156dbafbf2a 100644 --- a/htdocs/comm/propal/index.php +++ b/htdocs/comm/propal/index.php @@ -106,7 +106,7 @@ if ($user->socid) { if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } -$sql .= " AND p.fk_statut IN (".implode(" ,", $listofstatus).")"; +$sql .= " AND p.fk_statut IN (".$db->sanitize(implode(" ,", $listofstatus)).")"; $sql .= " GROUP BY p.fk_statut"; $resql = $db->query($sql); if ($resql) { 
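Review bot: The accountancy/supplier/lines.php hunk header shows the UPDATE guarded only by `if (is_array($changeaccount) && count($changeaccount) > 0) {`, whereas the customer and expensereport hunks of the same commit show `... && $user->rights->acco…` in their headers; unless the permission is checked earlier in supplier/lines.php (not visible here), a user without the accountancy right can re-ventilate supplier invoice lines. The guard should mirror the other two files, e.g. `if (is_array($changeaccount) && count($changeaccount) > 0 && $user->rights->accounting->bind->write) {` (use whichever right the sibling files actually test). The `$changeaccount` ids would also be better cast per element than passed through sanitize().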
diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php index 4c8ee0894f5..b4c63365bf8 100644 --- a/htdocs/comm/propal/list.php +++ b/htdocs/comm/propal/list.php @@ -565,7 +565,7 @@ if ($socid > 0) { $sql .= ' AND s.rowid = '.$socid; } if ($search_status != '' && $search_status != '-1') { - $sql .= ' AND p.fk_statut IN ('.$db->sanitize($db->escape($search_status)).')'; + $sql .= ' AND p.fk_statut IN ('.$db->sanitize($search_status).')'; } if ($search_date_start) { $sql .= " AND p.datep >= '".$db->idate($search_date_start)."'"; diff --git a/htdocs/comm/propal/stats/index.php b/htdocs/comm/propal/stats/index.php index 3cb6de90a8d..4ae18df12f8 100644 --- a/htdocs/comm/propal/stats/index.php +++ b/htdocs/comm/propal/stats/index.php @@ -103,7 +103,7 @@ dol_mkdir($dir); $stats = new PropaleStats($db, $socid, ($userid > 0 ? $userid : 0), $mode, ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0)); if ($object_status != '' && $object_status >= 0) { - $stats->where .= ' AND p.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; + $stats->where .= ' AND p.fk_statut IN ('.$db->sanitize($object_status).')'; } // Build graphic number of object diff --git a/htdocs/commande/list.php b/htdocs/commande/list.php index 73ac91c7098..117f7557db3 100644 --- a/htdocs/commande/list.php +++ b/htdocs/commande/list.php @@ -426,10 +426,10 @@ if ($search_state) { $sql .= natural_search("state.nom", $search_state); } if ($search_country) { - $sql .= " AND s.fk_pays IN (".$search_country.')'; + $sql .= " AND s.fk_pays IN (".$db->sanitize($search_country).')'; } if ($search_type_thirdparty) { - $sql .= " AND s.fk_typent IN (".$search_type_thirdparty.')'; + $sql .= " AND s.fk_typent IN (".$db->sanitize($search_type_thirdparty).')'; } if ($search_company) { $sql .= natural_search('s.nom', $search_company); diff --git a/htdocs/commande/stats/index.php b/htdocs/commande/stats/index.php index 0c9b80c3883..090d07baf81 100644 --- a/htdocs/commande/stats/index.php 
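Review bot: The comm/propal/list.php hunk leaves `$sql .= ' AND s.rowid = '.$socid;` uncast two lines above the rewritten status filter, while the projet hunks in this commit convert the same kind of clause to `((int) $socid)`. It should read `$sql .= ' AND s.rowid = '.((int) $socid);` so the file no longer depends on how `$socid` was read. In the commande/list.php hunk `if ($search_type_thirdparty)` is a bare truthiness test where the reception and supplier_proposal list hunks use `!= '' && > 0`; aligning the guards would avoid emitting `IN (0)` for a "0" selection.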
+++ b/htdocs/commande/stats/index.php @@ -96,12 +96,12 @@ dol_mkdir($dir); $stats = new CommandeStats($db, $socid, $mode, ($userid > 0 ? $userid : 0), ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0)); if ($mode == 'customer') { if ($object_status != '' && $object_status >= -1) { - $stats->where .= ' AND c.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; + $stats->where .= ' AND c.fk_statut IN ('.$db->sanitize($object_status).')'; } } if ($mode == 'supplier') { if ($object_status != '' && $object_status >= 0) { - $stats->where .= ' AND c.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; + $stats->where .= ' AND c.fk_statut IN ('.$db->sanitize($object_status).')'; } } diff --git a/htdocs/compta/accounting-files.php b/htdocs/compta/accounting-files.php index fed0e025f4c..d369f36c32f 100644 --- a/htdocs/compta/accounting-files.php +++ b/htdocs/compta/accounting-files.php @@ -173,7 +173,7 @@ if (($action == 'searchfiles' || $action == 'dl')) { $sql .= "SELECT t.rowid as id, t.entity, t.ref, t.paye as paid, t.total as total_ht, t.total_ttc, t.tva as total_vat, t.multicurrency_code as currency, t.fk_soc, t.datef as date, t.date_lim_reglement as date_due, 'Invoice' as item, s.nom as thirdparty_name, s.code_client as thirdparty_code, c.code as country_code, s.tva_intra as vatnum, ".PAY_CREDIT." as sens"; $sql .= " FROM ".MAIN_DB_PREFIX."facture as t LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = t.fk_soc LEFT JOIN ".MAIN_DB_PREFIX."c_country as c ON c.rowid = s.fk_pays"; $sql .= " WHERE datef between ".$wheretail; - $sql .= " AND t.entity IN (".($entity == 1 ? '0,1' : $entity).')'; + $sql .= " AND t.entity IN (".$db->sanitize($entity == 1 ? '0,1' : $entity).')'; $sql .= " AND t.fk_statut <> ".Facture::STATUS_DRAFT; } // Vendor invoices 
@@ -184,7 +184,7 @@ if (($action == 'searchfiles' || $action == 'dl')) { $sql .= " SELECT t.rowid as id, t.entity, t.ref, t.paye as paid, t.total_ht, t.total_ttc, t.total_tva as total_vat, t.multicurrency_code as currency, t.fk_soc, t.datef as date, t.date_lim_reglement as date_due, 'SupplierInvoice' as item, s.nom as thirdparty_name, s.code_fournisseur as thirdparty_code, c.code as country_code, s.tva_intra as vatnum, ".PAY_DEBIT." as sens"; $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn as t LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = t.fk_soc LEFT JOIN ".MAIN_DB_PREFIX."c_country as c ON c.rowid = s.fk_pays"; $sql .= " WHERE datef between ".$wheretail; - $sql .= " AND t.entity IN (".($entity == 1 ? '0,1' : $entity).')'; + $sql .= " AND t.entity IN (".$db->sanitize($entity == 1 ? '0,1' : $entity).')'; $sql .= " AND t.fk_statut <> ".FactureFournisseur::STATUS_DRAFT; } // Expense reports @@ -195,7 +195,7 @@ if (($action == 'searchfiles' || $action == 'dl')) { $sql .= " SELECT t.rowid as id, t.entity, t.ref, t.paid, t.total_ht, t.total_ttc, t.total_tva as total_vat, t.multicurrency_code as currency, t.fk_user_author as fk_soc, t.date_fin as date, t.date_fin as date_due, 'ExpenseReport' as item, CONCAT(CONCAT(u.lastname, ' '), u.firstname) as thirdparty_name, '' as thirdparty_code, c.code as country_code, '' as vatnum, ".PAY_DEBIT." as sens"; $sql .= " FROM ".MAIN_DB_PREFIX."expensereport as t LEFT JOIN ".MAIN_DB_PREFIX."user as u ON u.rowid = t.fk_user_author LEFT JOIN ".MAIN_DB_PREFIX."c_country as c ON c.rowid = u.fk_country"; $sql .= " WHERE date_fin between ".$wheretail; - $sql .= " AND t.entity IN (".($entity == 1 ? '0,1' : $entity).')'; + $sql .= " AND t.entity IN (".$db->sanitize($entity == 1 ? '0,1' : $entity).')'; $sql .= " AND t.fk_statut <> ".ExpenseReport::STATUS_DRAFT; } // Donations 
@@ -206,7 +206,7 @@ if (($action == 'searchfiles' || $action == 'dl')) { $sql .= " SELECT t.rowid as id, t.entity, t.ref, paid, amount as total_ht, amount as total_ttc, 0 as total_vat, '".$db->escape($conf->currency)."' as currency, 0 as fk_soc, t.datedon as date, t.datedon as date_due, 'Donation' as item, t.societe as thirdparty_name, '' as thirdparty_code, c.code as country_code, '' as vatnum, ".PAY_CREDIT." as sens"; $sql .= " FROM ".MAIN_DB_PREFIX."don as t LEFT JOIN ".MAIN_DB_PREFIX."c_country as c ON c.rowid = t.fk_country"; $sql .= " WHERE datedon between ".$wheretail; - $sql .= " AND t.entity IN (".($entity == 1 ? '0,1' : $entity).')'; + $sql .= " AND t.entity IN (".$db->sanitize($entity == 1 ? '0,1' : $entity).')'; $sql .= " AND t.fk_statut <> ".Don::STATUS_DRAFT; } // Payments of salaries @@ -217,7 +217,7 @@ if (($action == 'searchfiles' || $action == 'dl')) { $sql .= " SELECT t.rowid as id, t.entity, t.label as ref, 1 as paid, amount as total_ht, amount as total_ttc, 0 as total_vat, '".$db->escape($conf->currency)."' as currency, t.fk_user as fk_soc, t.datep as date, t.dateep as date_due, 'SalaryPayment' as item, CONCAT(CONCAT(u.lastname, ' '), u.firstname) as thirdparty_name, '' as thirdparty_code, c.code as country_code, '' as vatnum, ".PAY_DEBIT." as sens"; $sql .= " FROM ".MAIN_DB_PREFIX."payment_salary as t LEFT JOIN ".MAIN_DB_PREFIX."user as u ON u.rowid = t.fk_user LEFT JOIN ".MAIN_DB_PREFIX."c_country as c ON c.rowid = u.fk_country"; $sql .= " WHERE datep between ".$wheretail; - $sql .= " AND t.entity IN (".($entity == 1 ? '0,1' : $entity).')'; + $sql .= " AND t.entity IN (".$db->sanitize($entity == 1 ? '0,1' : $entity).')'; //$sql.=" AND fk_statut <> ".PaymentSalary::STATUS_DRAFT; } // Social contributions 
@@ -228,7 +228,7 @@ if (($action == 'searchfiles' || $action == 'dl')) { $sql .= " SELECT t.rowid as id, t.entity, t.libelle as ref, t.paye as paid, t.amount as total_ht, t.amount as total_ttc, 0 as total_vat, '".$db->escape($conf->currency)."' as currency, 0 as fk_soc, t.date_ech as date, t.periode as date_due, 'SocialContributions' as item, '' as thirdparty_name, '' as thirdparty_code, '' as country_code, '' as vatnum, ".PAY_DEBIT." as sens"; $sql .= " FROM ".MAIN_DB_PREFIX."chargesociales as t"; $sql .= " WHERE t.date_ech between ".$wheretail; - $sql .= " AND t.entity IN (".($entity == 1 ? '0,1' : $entity).')'; + $sql .= " AND t.entity IN (".$db->sanitize($entity == 1 ? '0,1' : $entity).')'; //$sql.=" AND fk_statut <> ".ChargeSociales::STATUS_DRAFT; } // Various payments @@ -239,7 +239,7 @@ if (($action == 'searchfiles' || $action == 'dl')) { $sql .= " SELECT t.rowid as id, t.entity, t.ref, 1 as paid, t.amount as total_ht, t.amount as total_ttc, 0 as total_vat, '".$db->escape($conf->currency)."' as currency, 0 as fk_soc, t.datep as date, t.datep as date_due, 'VariousPayment' as item, '' as thirdparty_name, '' as thirdparty_code, '' as country_code, '' as vatnum, sens"; $sql .= " FROM ".MAIN_DB_PREFIX."payment_various as t"; $sql .= " WHERE datep between ".$wheretail; - $sql .= " AND t.entity IN (".($entity == 1 ? '0,1' : $entity).')'; + $sql .= " AND t.entity IN (".$db->sanitize($entity == 1 ? '0,1' : $entity).')'; } // Loan payments if (GETPOST('selectloanspayment') && !empty($listofchoices['selectloanspayment']['perms'])) { 
@@ -249,7 +249,7 @@ if (($action == 'searchfiles' || $action == 'dl')) { $sql .= " SELECT t.rowid as id, l.entity, l.label as ref, 1 as paid, (t.amount_capital+t.amount_insurance+t.amount_interest) as total_ht, (t.amount_capital+t.amount_insurance+t.amount_interest) as total_ttc, 0 as total_vat, '".$db->escape($conf->currency)."' as currency, 0 as fk_soc, t.datep as date, t.datep as date_due, 'LoanPayment' as item, '' as thirdparty_name, '' as thirdparty_code, '' as country_code, '' as vatnum, ".PAY_DEBIT." as sens"; $sql .= " FROM ".MAIN_DB_PREFIX."payment_loan as t LEFT JOIN ".MAIN_DB_PREFIX."loan as l ON l.rowid = t.fk_loan"; $sql .= " WHERE datep between ".$wheretail; - $sql .= " AND l.entity IN (".($entity == 1 ? '0,1' : $entity).')'; + $sql .= " AND l.entity IN (".$db->sanitize($entity == 1 ? '0,1' : $entity).')'; } if ($sql) { diff --git a/htdocs/compta/bank/graph.php b/htdocs/compta/bank/graph.php index e2be937aace..4c0efec57d2 100644 --- a/htdocs/compta/bank/graph.php +++ b/htdocs/compta/bank/graph.php @@ -166,7 +166,7 @@ if ($result < 0) { $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; $sql .= " AND b.datev < '".$db->escape($year)."-".sprintf("%02s", $month)."-01'"; if ($account && $_GET["option"] != 'all') { - $sql .= " AND b.fk_account IN (".$account.")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($account).")"; } $resql = $db->query($sql); diff --git a/htdocs/compta/deplacement/class/deplacementstats.class.php b/htdocs/compta/deplacement/class/deplacementstats.class.php index bb99b477584..64cee98c33b 100644 --- a/htdocs/compta/deplacement/class/deplacementstats.class.php +++ b/htdocs/compta/deplacement/class/deplacementstats.class.php 
@@ -64,13 +64,13 @@ class DeplacementStats extends Stats $this->where = " fk_statut > 0"; $this->where .= " AND entity = ".$conf->entity; - if ($this->socid) { - $this->where .= " AND fk_soc = ".$this->socid; + if ($this->socid > 0) { + $this->where .= " AND fk_soc = ".((int) $this->socid); } if (is_array($this->userid) && count($this->userid) > 0) { - $this->where .= ' AND fk_user IN ('.join(',', $this->userid).')'; + $this->where .= ' AND fk_user IN ('.$this->db->sanitize(join(',', $this->userid)).')'; } elseif ($this->userid > 0) { - $this->where .= ' AND fk_user = '.$this->userid; + $this->where .= ' AND fk_user = '.((int) $this->userid); } } diff --git a/htdocs/compta/deplacement/index.php b/htdocs/compta/deplacement/index.php index 780835b0c5e..659eada708b 100644 --- a/htdocs/compta/deplacement/index.php +++ b/htdocs/compta/deplacement/index.php @@ -76,7 +76,7 @@ $sql = "SELECT count(d.rowid) as nb, sum(d.km) as km, d.type"; $sql .= " FROM ".MAIN_DB_PREFIX."deplacement as d"; $sql .= " WHERE d.entity = ".$conf->entity; if (empty($user->rights->deplacement->readall) && empty($user->rights->deplacement->lire_tous)) { - $sql .= ' AND d.fk_user IN ('.join(',', $childids).')'; + $sql .= ' AND d.fk_user IN ('.$db->sanitize(join(',', $childids)).')'; } $sql .= " GROUP BY d.type"; $sql .= " ORDER BY d.type"; @@ -156,7 +156,7 @@ if (!$user->rights->societe->client->voir && !$user->socid) { $sql .= " WHERE u.rowid = d.fk_user"; $sql .= " AND d.entity = ".$conf->entity; if (empty($user->rights->deplacement->readall) && empty($user->rights->deplacement->lire_tous)) { - $sql .= ' AND d.fk_user IN ('.join(',', $childids).')'; + $sql .= ' AND d.fk_user IN ('.$db->sanitize(join(',', $childids)).')'; } if (!$user->rights->societe->client->voir && !$user->socid) { $sql .= " AND d.fk_soc = s. rowid AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; diff --git a/htdocs/compta/deplacement/list.php b/htdocs/compta/deplacement/list.php index 46d17c30e96..a36d7867716 100644 
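Review bot: In `DeplacementStats` the hunk casts the single-id cases with `(int)` but routes the `fk_user IN (...)` list through `$this->db->sanitize()`, which strips characters rather than validating them; casting each element gives the list the same guarantee, `$this->where .= ' AND fk_user IN ('.$this->db->sanitize(implode(',', array_map('intval', $this->userid))).')';`. The context line `" AND entity = ".$conf->entity` is still concatenated raw, though `$conf->entity` is presumably an integer set by the framework. The method containing this code starts outside the hunk.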
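Review bot: In both `htdocs/compta/deplacement/index.php` hunks the `d.fk_user IN (...)` list is now sanitized, but unlike `DeplacementStats` there is no `count($childids) > 0` guard, so an empty array would produce `IN ()`, which is a SQL syntax error. `$childids` is built outside the hunk; if it always includes `$user->id` (as `modDeplacement.class.php` does with `$childids[] = $user->id;` in this same commit) the guard is only defensive, otherwise it is needed. The same unguarded shape appears in the `htdocs/compta/deplacement/list.php` and `htdocs/holiday/list.php` hunks.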
--- a/htdocs/compta/deplacement/list.php +++ b/htdocs/compta/deplacement/list.php @@ -102,7 +102,7 @@ if (!$user->rights->societe->client->voir && !$socid) { $sql .= " WHERE d.fk_user = u.rowid"; $sql .= " AND d.entity = ".$conf->entity; if (empty($user->rights->deplacement->readall) && empty($user->rights->deplacement->lire_tous)) { - $sql .= ' AND d.fk_user IN ('.join(',', $childids).')'; + $sql .= ' AND d.fk_user IN ('.$db->sanitize(join(',', $childids)).')'; } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND (sc.fk_user = ".$user->id." OR d.fk_soc IS NULL) "; diff --git a/htdocs/compta/facture/card.php b/htdocs/compta/facture/card.php index 925885e4e7a..fd8a9c1045d 100644 --- a/htdocs/compta/facture/card.php +++ b/htdocs/compta/facture/card.php @@ -2571,7 +2571,7 @@ if (empty($reshook)) { $sql .= ' SET situation_cycle_ref='.$newCycle; $sql .= ' , situation_final=0'; $sql .= ' , situation_counter='.$object->situation_counter; - $sql .= ' WHERE rowid IN ('.implode(',', $linkedCreditNotesList).')'; + $sql .= ' WHERE rowid IN ('.$db->sanitize(implode(',', $linkedCreditNotesList)).')'; $resql = $db->query($sql); if (!$resql) { diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php index da3620165dd..84f97d61ef0 100644 --- a/htdocs/compta/facture/class/facture.class.php +++ b/htdocs/compta/facture/class/facture.class.php @@ -2248,7 +2248,7 @@ class Facture extends CommonInvoice if (count($list_rowid_det)) { $sql = 'UPDATE '.MAIN_DB_PREFIX.'societe_remise_except'; $sql .= ' SET fk_facture = NULL, fk_facture_line = NULL'; - $sql .= ' WHERE fk_facture_line IN ('.join(',', $list_rowid_det).')'; + $sql .= ' WHERE fk_facture_line IN ('.$this->db->sanitize(join(',', $list_rowid_det)).')'; dol_syslog(get_class($this)."::delete", LOG_DEBUG); if (!$this->db->query($sql)) { diff --git a/htdocs/compta/facture/stats/index.php b/htdocs/compta/facture/stats/index.php index 2818fa5f3b9..96c414db350 100644 
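Review bot: In `htdocs/compta/facture/card.php` the `WHERE rowid IN (...)` line now sanitizes the credit-note id list, but the two context lines of the same UPDATE, `SET situation_cycle_ref='.$newCycle` and `situation_counter='.$object->situation_counter`, are still concatenated raw; `((int) $newCycle)` and `((int) $object->situation_counter)` would close that, assuming both are integers (their origin is outside the hunk). Whether `$linkedCreditNotesList` is guarded against being empty is also not visible here; an empty list would yield `IN ()`, whereas the `Facture::delete` hunk below does guard with `count($list_rowid_det)`.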
--- a/htdocs/compta/facture/stats/index.php +++ b/htdocs/compta/facture/stats/index.php @@ -103,16 +103,16 @@ dol_mkdir($dir); $stats = new FactureStats($db, $socid, $mode, ($userid > 0 ? $userid : 0), ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0)); if ($mode == 'customer') { if ($object_status != '' && $object_status >= 0) { - $stats->where .= ' AND f.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; + $stats->where .= ' AND f.fk_statut IN ('.$db->sanitize($object_status).')'; } if (is_array($custcats) && !empty($custcats)) { $stats->from .= ' LEFT JOIN '.MAIN_DB_PREFIX.'categorie_societe as cat ON (f.fk_soc = cat.fk_soc)'; - $stats->where .= ' AND cat.fk_categorie IN ('.implode(',', $custcats).')'; + $stats->where .= ' AND cat.fk_categorie IN ('.$db->sanitize(implode(',', $custcats)).')'; } } if ($mode == 'supplier') { if ($object_status != '' && $object_status >= 0) { - $stats->where .= ' AND f.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; + $stats->where .= ' AND f.fk_statut IN ('.$db->sanitize($object_status).')'; } } diff --git a/htdocs/core/class/defaultvalues.class.php b/htdocs/core/class/defaultvalues.class.php index 8c835ed649e..c6be235b89a 100644 --- a/htdocs/core/class/defaultvalues.class.php +++ b/htdocs/core/class/defaultvalues.class.php @@ -272,7 +272,7 @@ class DefaultValues extends CommonObject } elseif ($key == 'customsql') { $sqlwhere[] = $value; } elseif (is_array($value)) { - $sqlwhere[] = $key.' IN ('.implode(',', $value).')'; + $sqlwhere[] = $key.' IN ('.$this->db->sanitize(implode(',', $value)).')'; } else { $sqlwhere[] = $key.' LIKE \'%'.$this->db->escape($value).'%\''; } diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index d03462d17e8..b3bac2a0e1d 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php 
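Review bot: In `DefaultValues` the new `IN (...)` line sanitizes the value list but still concatenates `$key` as a bare column name, and the `customsql` branch two lines above appends `$value` verbatim; sanitizing the list only helps if `$key` and the filter array cannot be influenced by the caller, which this hunk does not show. If the array can come from request input, `$key` should be checked against an allowlist of column names before use, e.g. `if (!preg_match('/^[a-z0-9_.]+$/i', $key)) { continue; }` at the top of what is presumably a `foreach` over the filters. The loop header is outside the hunk.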
@@ -8502,7 +8502,7 @@ class Form $sql = 'SELECT rowid, label FROM '.MAIN_DB_PREFIX.'c_exp_tax_cat WHERE active = 1'; $sql .= ' AND entity IN (0,'.getEntity('exp_tax_cat').')'; if (!empty($excludeid)) { - $sql .= ' AND rowid NOT IN ('.implode(',', $excludeid).')'; + $sql .= ' AND rowid NOT IN ('.$this->db->sanitize(implode(',', $excludeid)).')'; } $sql .= ' ORDER BY label'; diff --git a/htdocs/core/lib/invoice2.lib.php b/htdocs/core/lib/invoice2.lib.php index ca5fc61b60a..e6680293b64 100644 --- a/htdocs/core/lib/invoice2.lib.php +++ b/htdocs/core/lib/invoice2.lib.php @@ -130,7 +130,7 @@ function rebuild_merge_pdf($db, $langs, $conf, $diroutputpdf, $newlangid, $filte } else { $sqlwhere .= " AND"; } - $sqlwhere .= ' f.fk_soc NOT IN ('.join(',', $thirdpartiesid).')'; + $sqlwhere .= ' f.fk_soc NOT IN ('.$db->sanitize(join(',', $thirdpartiesid)).')'; } if (in_array('onlythirdparties', $filter) && is_array($thirdpartiesid)) { if (empty($sqlwhere)) { @@ -138,7 +138,7 @@ function rebuild_merge_pdf($db, $langs, $conf, $diroutputpdf, $newlangid, $filte } else { $sqlwhere .= " AND"; } - $sqlwhere .= ' f.fk_soc IN ('.join(',', $thirdpartiesid).')'; + $sqlwhere .= ' f.fk_soc IN ('.$db->sanitize(join(',', $thirdpartiesid)).')'; } if ($sqlwhere) { $sql .= $sqlwhere; diff --git a/htdocs/core/lib/website2.lib.php b/htdocs/core/lib/website2.lib.php index 2efeec151a3..e9a5aa6309f 100644 --- a/htdocs/core/lib/website2.lib.php +++ b/htdocs/core/lib/website2.lib.php 
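Review bot: In `rebuild_merge_pdf` the `@@ -138` hunk guards the `f.fk_soc IN (...)` clause with `is_array($thirdpartiesid)` only, so an empty array still reaches the query as `IN ()`, which is a syntax error on MySQL; `if (in_array('onlythirdparties', $filter) && is_array($thirdpartiesid) && !empty($thirdpartiesid)) {` avoids that. The `@@ -130` hunk (`NOT IN`) is the mirror case, but its condition is above the hunk and not visible here.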
@@ -214,7 +214,7 @@ function dolSavePageContent($filetpl, Website $object, WebsitePage $objectpage) } } // Add "has translation pages" - $sql = 'SELECT rowid as id, lang, pageurl from '.MAIN_DB_PREFIX.'website_page where fk_page IN ('.$objectpage->id.($translationof ? ", ".$translationof : "").")"; + $sql = 'SELECT rowid as id, lang, pageurl from '.MAIN_DB_PREFIX.'website_page where fk_page IN ('.$db->sanitize($objectpage->id.($translationof ? ', '.$translationof : '')).")"; $resql = $db->query($sql); if ($resql) { $num_rows = $db->num_rows($resql); diff --git a/htdocs/core/modules/modDeplacement.class.php b/htdocs/core/modules/modDeplacement.class.php index 0f92e8a7e6c..f0f06395565 100644 --- a/htdocs/core/modules/modDeplacement.class.php +++ b/htdocs/core/modules/modDeplacement.class.php @@ -143,7 +143,7 @@ class modDeplacement extends DolibarrModules $childids[] = $user->id; if (empty($user->rights->deplacement->readall) && empty($user->rights->deplacement->lire_tous)) { - $this->export_sql_end[$r] .= ' AND d.fk_user IN ('.join(',', $childids).')'; + $this->export_sql_end[$r] .= ' AND d.fk_user IN ('.$this->db->sanitize(join(',', $childids)).')'; } } } diff --git a/htdocs/core/modules/modExpedition.class.php b/htdocs/core/modules/modExpedition.class.php index ba8568ba13e..238eef2d6fe 100644 --- a/htdocs/core/modules/modExpedition.class.php +++ b/htdocs/core/modules/modExpedition.class.php 
@@ -313,7 +313,7 @@ class modExpedition extends DolibarrModules $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product as p on cd.fk_product = p.rowid'; $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product_extrafields as extraprod ON p.rowid = extraprod.fk_object'; if ($idcontacts && !empty($conf->global->SHIPMENT_ADD_CONTACTS_IN_EXPORT)) { - $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'element_contact as ee ON ee.element_id = cd.fk_commande AND ee.fk_c_type_contact IN ('.$idcontacts.')'; + $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'element_contact as ee ON ee.element_id = cd.fk_commande AND ee.fk_c_type_contact IN ('.$this->db->sanitize($idcontacts).')'; $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'socpeople as sp ON sp.rowid = ee.fk_socpeople'; $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'socpeople_extrafields as extra3 ON sp.rowid = extra3.fk_object'; } diff --git a/htdocs/core/modules/modReception.class.php b/htdocs/core/modules/modReception.class.php index 247a4faeddc..02f17cf0fbe 100644 --- a/htdocs/core/modules/modReception.class.php +++ b/htdocs/core/modules/modReception.class.php 
@@ -236,7 +236,7 @@ class modReception extends DolibarrModules $this->export_sql_end[$r] .= ' , '.MAIN_DB_PREFIX.'commande_fournisseurdet as cd'; $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product as p on cd.fk_product = p.rowid'; if ($idcontacts && !empty($conf->global->RECEPTION_ADD_CONTACTS_IN_EXPORT)) { - $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'element_contact as ee ON ee.element_id = cd.fk_commande AND ee.fk_c_type_contact IN ('.$idcontacts.')'; + $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'element_contact as ee ON ee.element_id = cd.fk_commande AND ee.fk_c_type_contact IN ('.$this->db->sanitize($idcontacts).')'; $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'socpeople as sp ON sp.rowid = ee.fk_socpeople'; $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'socpeople_extrafields as extra3 ON sp.rowid = extra3.fk_object'; } diff --git a/htdocs/core/modules/modSociete.class.php b/htdocs/core/modules/modSociete.class.php index 38ca03ffe3b..f30709445b3 100644 --- a/htdocs/core/modules/modSociete.class.php +++ b/htdocs/core/modules/modSociete.class.php @@ -343,7 +343,7 @@ class modSociete extends DolibarrModules $this->export_sql_end[$r] .= ' AND (sc.fk_user = '.$user->id.' '; if (!empty($conf->global->SOCIETE_EXPORT_SUBORDINATES_CHILDS)) { $subordinatesids = $user->getAllChildIds(); - $this->export_sql_end[$r] .= count($subordinatesids) > 0 ? ' OR (sc.fk_user IN ('.implode(',', $subordinatesids).')' : ''; + $this->export_sql_end[$r] .= count($subordinatesids) > 0 ? ' OR (sc.fk_user IN ('.$this->db->sanitize(implode(',', $subordinatesids)).')' : ''; } $this->export_sql_end[$r] .= ')'; } 
@@ -413,7 +413,7 @@ class modSociete extends DolibarrModules $this->export_sql_end[$r] .= ' AND (sc.fk_user = '.$user->id.' '; if (!empty($conf->global->SOCIETE_EXPORT_SUBORDINATES_CHILDS)) { $subordinatesids = $user->getAllChildIds(); - $this->export_sql_end[$r] .= count($subordinatesids) > 0 ? ' OR (sc.fk_user IN ('.implode(',', $subordinatesids).')' : ''; + $this->export_sql_end[$r] .= count($subordinatesids) > 0 ? ' OR (sc.fk_user IN ('.$this->db->sanitize(implode(',', $subordinatesids)).')' : ''; } $this->export_sql_end[$r] .= ')'; } diff --git a/htdocs/fourn/class/fournisseur.facture.class.php b/htdocs/fourn/class/fournisseur.facture.class.php index dccb3901069..e7a7766e3be 100644 --- a/htdocs/fourn/class/fournisseur.facture.class.php +++ b/htdocs/fourn/class/fournisseur.facture.class.php @@ -1196,7 +1196,7 @@ class FactureFournisseur extends CommonInvoice if (count($list_rowid_det)) { $sql = 'UPDATE '.MAIN_DB_PREFIX.'societe_remise_except'; $sql .= ' SET fk_invoice_supplier = NULL, fk_invoice_supplier_line = NULL'; - $sql .= ' WHERE fk_invoice_supplier_line IN ('.join(',', $list_rowid_det).')'; + $sql .= ' WHERE fk_invoice_supplier_line IN ('.$this->db->sanitize(join(',', $list_rowid_det)).')'; dol_syslog(get_class($this)."::delete", LOG_DEBUG); if (!$this->db->query($sql)) { diff --git a/htdocs/holiday/define_holiday.php b/htdocs/holiday/define_holiday.php index e57e12dcaee..b3d2c25adda 100644 --- a/htdocs/holiday/define_holiday.php +++ b/htdocs/holiday/define_holiday.php @@ -230,7 +230,7 @@ $filters = ''; $userchilds = array(); if (empty($user->rights->holiday->readall)) { $userchilds = $user->getAllChildIds(1); - $filters .= ' AND u.rowid IN ('.join(', ', $userchilds).')'; + $filters .= ' AND u.rowid IN ('.$db->sanitize(join(', ', $userchilds)).')'; } if (!empty($search_name)) { $filters .= natural_search(array('u.firstname', 'u.lastname'), $search_name); diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php index e6f63614fcc..f49a3145af9 100644 
--- a/htdocs/holiday/list.php +++ b/htdocs/holiday/list.php @@ -341,7 +341,7 @@ if (!empty($search_status) && $search_status != -1) { } if (empty($user->rights->holiday->readall)) { - $sql .= ' AND cp.fk_user IN ('.join(',', $childids).')'; + $sql .= ' AND cp.fk_user IN ('.$db->sanitize(join(',', $childids)).')'; } if ($id > 0) { $sql .= " AND cp.fk_user IN (".$db->sanitize($id).")"; diff --git a/htdocs/margin/customerMargins.php b/htdocs/margin/customerMargins.php index ac30d223806..1a1e83a2567 100644 --- a/htdocs/margin/customerMargins.php +++ b/htdocs/margin/customerMargins.php @@ -245,10 +245,10 @@ $sql .= ' AND f.entity IN ('.getEntity('invoice').')'; $sql .= " AND d.fk_facture = f.rowid"; $sql .= " AND (d.product_type = 0 OR d.product_type = 1)"; if (!empty($TSelectedProducts)) { - $sql .= ' AND d.fk_product IN ('.implode(',', $TSelectedProducts).')'; + $sql .= ' AND d.fk_product IN ('.$db->sanitize(implode(',', $TSelectedProducts)).')'; } if (!empty($TSelectedCats)) { - $sql .= ' AND cp.fk_categorie IN ('.implode(',', $TSelectedCats).')'; + $sql .= ' AND cp.fk_categorie IN ('.$db->sanitize(implode(',', $TSelectedCats)).')'; } if (!empty($startdate)) { $sql .= " AND f.datef >= '".$db->idate($startdate)."'"; diff --git a/htdocs/product/stats/card.php b/htdocs/product/stats/card.php index a47bc79c84a..5f94b6bf9cc 100644 --- a/htdocs/product/stats/card.php +++ b/htdocs/product/stats/card.php 
@@ -337,7 +337,7 @@ if ($result || empty($id)) { $categ = new Categorie($db); $categ->fetch($search_categ); $listofprodids = $categ->getObjectsInCateg('product', 1); - $morefilters = ' AND d.fk_product IN ('.((is_array($listofprodids) && count($listofprodids)) ? join(',', $listofprodids) : '0').')'; + $morefilters = ' AND d.fk_product IN ('.$db->sanitize((is_array($listofprodids) && count($listofprodids)) ? join(',', $listofprodids) : '0').')'; } if ($search_categ == -2) { $morefilters = ' AND d.fk_product NOT IN (SELECT cp.fk_product from '.MAIN_DB_PREFIX.'categorie_product as cp)'; diff --git a/htdocs/product/stats/commande.php b/htdocs/product/stats/commande.php index cb5087c63f2..4eaa0a3b3b8 100644 --- a/htdocs/product/stats/commande.php +++ b/htdocs/product/stats/commande.php @@ -153,10 +153,10 @@ if ($id > 0 || !empty($ref)) { $sql .= " AND d.fk_commande = c.rowid"; $sql .= " AND d.fk_product =".$product->id; if (!empty($search_month)) { - $sql .= ' AND MONTH(c.date_commande) IN ('.$search_month.')'; + $sql .= ' AND MONTH(c.date_commande) IN ('.$db->sanitize($search_month).')'; } if (!empty($search_year)) { - $sql .= ' AND YEAR(c.date_commande) IN ('.$search_year.')'; + $sql .= ' AND YEAR(c.date_commande) IN ('.$db->sanitize($search_year).')'; } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; diff --git a/htdocs/product/stats/commande_fournisseur.php b/htdocs/product/stats/commande_fournisseur.php index 16dd040887d..dcc2b9c0cee 100644 --- a/htdocs/product/stats/commande_fournisseur.php +++ b/htdocs/product/stats/commande_fournisseur.php 
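Review bot: `$db->sanitize($search_month)` in `htdocs/product/stats/commande.php` filters characters but does not validate that the result is numeric, so a bad value reaches the database as a SQL error rather than being rejected up front; if `$search_month` and `$search_year` are single integers from the request (they are read outside the hunk) a cast is stricter, `$sql .= ' AND MONTH(c.date_commande) IN ('.$db->sanitize((int) $search_month).')';`. The context line `" AND d.fk_product =".$product->id` is still raw in the same query and would take `((int) $product->id)`. The same shape is repeated in `commande_fournisseur.php`, `facture.php`, `facture_fournisseur.php`, `propal.php` and `supplier_proposal.php` under `htdocs/product/stats/`.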
@@ -153,10 +153,10 @@ if ($id > 0 || !empty($ref)) { $sql .= " AND d.fk_commande = c.rowid"; $sql .= " AND d.fk_product =".$product->id; if (!empty($search_month)) { - $sql .= ' AND MONTH(c.date_commande) IN ('.$search_month.')'; + $sql .= ' AND MONTH(c.date_commande) IN ('.$db->sanitize($search_month).')'; } if (!empty($search_year)) { - $sql .= ' AND YEAR(c.date_commande) IN ('.$search_year.')'; + $sql .= ' AND YEAR(c.date_commande) IN ('.$db->sanitize($search_year).')'; } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; diff --git a/htdocs/product/stats/facture.php b/htdocs/product/stats/facture.php index 271a834570b..e0d262ee1fb 100644 --- a/htdocs/product/stats/facture.php +++ b/htdocs/product/stats/facture.php @@ -170,10 +170,10 @@ if ($id > 0 || !empty($ref)) { $sql .= " AND d.fk_facture = f.rowid"; $sql .= " AND d.fk_product =".$product->id; if (!empty($search_month)) { - $sql .= ' AND MONTH(f.datef) IN ('.$search_month.')'; + $sql .= ' AND MONTH(f.datef) IN ('.$db->sanitize($search_month).')'; } if (!empty($search_year)) { - $sql .= ' AND YEAR(f.datef) IN ('.$search_year.')'; + $sql .= ' AND YEAR(f.datef) IN ('.$db->sanitize($search_year).')'; } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; diff --git a/htdocs/product/stats/facture_fournisseur.php b/htdocs/product/stats/facture_fournisseur.php index a42615fdaa9..497aa3574bf 100644 --- a/htdocs/product/stats/facture_fournisseur.php +++ b/htdocs/product/stats/facture_fournisseur.php 
@@ -153,10 +153,10 @@ if ($id > 0 || !empty($ref)) { $sql .= " AND d.fk_facture_fourn = f.rowid"; $sql .= " AND d.fk_product =".$product->id; if (!empty($search_month)) { - $sql .= ' AND MONTH(f.datef) IN ('.$search_month.')'; + $sql .= ' AND MONTH(f.datef) IN ('.$db->sanitize($search_month).')'; } if (!empty($search_year)) { - $sql .= ' AND YEAR(f.datef) IN ('.$search_year.')'; + $sql .= ' AND YEAR(f.datef) IN ('.$db->sanitize($search_year).')'; } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; diff --git a/htdocs/product/stats/propal.php b/htdocs/product/stats/propal.php index 7d08f3ab9c3..95f2884c7b5 100644 --- a/htdocs/product/stats/propal.php +++ b/htdocs/product/stats/propal.php @@ -154,10 +154,10 @@ if ($id > 0 || !empty($ref)) { $sql .= " AND d.fk_propal = p.rowid"; $sql .= " AND d.fk_product =".$product->id; if (!empty($search_month)) { - $sql .= ' AND MONTH(p.datep) IN ('.$search_month.')'; + $sql .= ' AND MONTH(p.datep) IN ('.$db->sanitize($search_month).')'; } if (!empty($search_year)) { - $sql .= ' AND YEAR(p.datep) IN ('.$search_year.')'; + $sql .= ' AND YEAR(p.datep) IN ('.$db->sanitize($search_year).')'; } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; diff --git a/htdocs/product/stats/supplier_proposal.php b/htdocs/product/stats/supplier_proposal.php index e18dc17867f..d918ce7c7d2 100644 --- a/htdocs/product/stats/supplier_proposal.php +++ b/htdocs/product/stats/supplier_proposal.php 
@@ -154,10 +154,10 @@ if ($id > 0 || !empty($ref)) { $sql .= " AND d.fk_supplier_proposal = p.rowid"; $sql .= " AND d.fk_product =".$product->id; if (!empty($search_month)) { - $sql .= ' AND MONTH(p.datep) IN ('.$search_month.')'; + $sql .= ' AND MONTH(p.datep) IN ('.$db->sanitize($search_month).')'; } if (!empty($search_year)) { - $sql .= ' AND YEAR(p.datep) IN ('.$search_year.')'; + $sql .= ' AND YEAR(p.datep) IN ('.$db->sanitize($search_year).')'; } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; diff --git a/htdocs/public/recruitment/index.php b/htdocs/public/recruitment/index.php index c7381059a39..5118f7ebfc0 100644 --- a/htdocs/public/recruitment/index.php +++ b/htdocs/public/recruitment/index.php @@ -261,7 +261,7 @@ if ($display_ticket_list) { $sql .= ' AND '.$key.' = \''.$value.'\''; } elseif ($key == 't.fk_statut') { if (is_array($value) && count($value) > 0) { - $sql .= 'AND '.$key.' IN ('.implode(',', $value).')'; + $sql .= 'AND '.$key.' IN ('.$db->sanitize(implode(',', $value)).')'; } else { $sql .= ' AND '.$key.' = '.$db->escape($value); } diff --git a/htdocs/public/ticket/list.php b/htdocs/public/ticket/list.php index befeee00a7b..945e58630fe 100644 --- a/htdocs/public/ticket/list.php +++ b/htdocs/public/ticket/list.php @@ -364,7 +364,7 @@ if ($action == "view_ticketlist") { $sql .= " AND ".$key." = '".$db->escape($value)."'"; } elseif ($key == 't.fk_statut') { if (is_array($value) && count($value) > 0) { - $sql .= 'AND '.$key.' IN ('.implode(',', $value).')'; + $sql .= 'AND '.$key.' IN ('.$db->sanitize(implode(',', $value)).')'; } else { $sql .= ' AND '.$key.' = '.$db->escape($value); } diff --git a/htdocs/salaries/class/salariesstats.class.php b/htdocs/salaries/class/salariesstats.class.php index 123dc044a4a..0614f174416 100644 --- a/htdocs/salaries/class/salariesstats.class.php +++ b/htdocs/salaries/class/salariesstats.class.php 
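Review bot: In `htdocs/public/recruitment/index.php` the new line keeps `'AND '.$key.' IN ('` without the leading space the sibling branches have (`' AND '.$key.' = '`), so unless the preceding fragment ends with whitespace the clause is glued to it; `$sql .= ' AND '.$key.' IN ('.$db->sanitize(implode(',', $value)).')';`. The context line above, `' AND '.$key.' = \''.$value.'\''`, concatenates `$value` without `$db->escape()`, unlike the equivalent branch in `htdocs/public/ticket/list.php`, and `$key` is used as a bare column name in every branch; whether either can be influenced by a visitor of this public page is decided outside the hunk. The same missing space is in the `htdocs/public/ticket/list.php` hunk here and in `htdocs/ticket/class/ticket.class.php` in the next hunk.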
@@ -67,7 +67,7 @@ class SalariesStats extends Stats $this->where .= " AND fk_soc = ".$this->socid; } if (is_array($this->userid) && count($this->userid) > 0) { - $this->where .= ' AND fk_user IN ('.join(',', $this->userid).')'; + $this->where .= ' AND fk_user IN ('.$db->sanitize(join(',', $this->userid)).')'; } elseif ($this->userid > 0) { $this->where .= ' AND fk_user = '.$this->userid; } diff --git a/htdocs/takepos/ajax/ajax.php b/htdocs/takepos/ajax/ajax.php index c9cdb681267..0ccdeb86b9b 100644 --- a/htdocs/takepos/ajax/ajax.php +++ b/htdocs/takepos/ajax/ajax.php @@ -111,7 +111,7 @@ if ($action == 'getProducts') { $sql = 'SELECT rowid, ref, label, tosell, tobuy, barcode, price FROM '.MAIN_DB_PREFIX.'product as p'; $sql .= ' WHERE entity IN ('.getEntity('product').')'; if ($filteroncategids) { - $sql .= ' AND EXISTS (SELECT cp.fk_product FROM '.MAIN_DB_PREFIX.'categorie_product as cp WHERE cp.fk_product = p.rowid AND cp.fk_categorie IN ('.$filteroncategids.'))'; + $sql .= ' AND EXISTS (SELECT cp.fk_product FROM '.MAIN_DB_PREFIX.'categorie_product as cp WHERE cp.fk_product = p.rowid AND cp.fk_categorie IN ('.$db->sanitize($filteroncategids).'))'; } $sql .= ' AND tosell = 1'; $sql .= natural_search(array('ref', 'label', 'barcode'), $term); diff --git a/htdocs/ticket/class/ticket.class.php b/htdocs/ticket/class/ticket.class.php index 237edd265de..0ba818b8e0b 100644 --- a/htdocs/ticket/class/ticket.class.php +++ b/htdocs/ticket/class/ticket.class.php @@ -717,7 +717,7 @@ class Ticket extends CommonObject $sql .= " AND ".$key." = '".$this->db->escape($value)."'"; } elseif ($key == 't.fk_statut') { if (is_array($value) && count($value) > 0) { - $sql .= 'AND '.$key.' IN ('.implode(',', $value).')'; + $sql .= 'AND '.$key.' IN ('.$this->db->sanitize(implode(',', $value)).')'; } else { $sql .= ' AND '.$key.' = '.$this->db->escape($value); } 
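Review bot: `$db->sanitize(...)` in `SalariesStats` refers to a local `$db`, while the sibling `Stats` subclasses in this commit (`DeplacementStats`, `TicketStats`) use `$this->db->sanitize(...)`; unless `global $db` is declared earlier in this method (outside the hunk), `$db` is undefined and this line fails with a call on null. `$this->where .= ' AND fk_user IN ('.$this->db->sanitize(join(',', $this->userid)).')';` matches the other classes. The context lines `fk_soc = ".$this->socid` and `fk_user = '.$this->userid` are still raw here, where `DeplacementStats` in this same commit added `(int)` casts.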
diff --git a/htdocs/ticket/class/ticketstats.class.php b/htdocs/ticket/class/ticketstats.class.php index 588037a6d2f..51449c6b233 100644 --- a/htdocs/ticket/class/ticketstats.class.php +++ b/htdocs/ticket/class/ticketstats.class.php @@ -67,7 +67,7 @@ class TicketStats extends Stats $this->where .= " AND fk_soc = ".$this->socid; } if (is_array($this->userid) && count($this->userid) > 0) { - $this->where .= ' AND fk_user_create IN ('.join(',', $this->userid).')'; + $this->where .= ' AND fk_user_create IN ('.$this->db->sanitize(join(',', $this->userid)).')'; } elseif ($this->userid > 0) { $this->where .= ' AND fk_user_create = '.$this->userid; } diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php index 06c702a6a58..6fe5f0d8863 100644 --- a/test/phpunit/CodingPhpTest.php +++ b/test/phpunit/CodingPhpTest.php @@ -311,6 +311,18 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase $this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['relativename'].': '.$val[0].' - Bad.'); //exit; + // Check string IN (".xxx with xxx that is not '$this->db->sanitize' and not '$db->sanitize'. It means we forget a db->sanitize when forging sql request. + preg_match_all('/ IN \([\'"]\s*\.\s*(.........)/i', $filecontent, $matches, PREG_SET_ORDER); + foreach ($matches as $key => $val) { + if (!in_array($val[1], array('$db->sani', '$this->db', 'getEntity', 'self::STA', 'Commande:', 'CommandeF', 'Facture::', 'FactureFo', 'ExpenseRe', 'Societe::'))) { + $ok=false; + break; + } + //if ($reg[0] != 'db') $ok=false; + } + //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; + $this->assertTrue($ok, 'Found non sanitized string in building of a IN or NOT IN sql request '.$file['relativename'].' - Bad.'); + //exit; // Test that output of $_SERVER\[\'QUERY_STRING\'\] is escaped. $ok=true; From 6063b02bf4414919c208548febbadc3cb65b28c7 Mon Sep 17 00:00:00 2001 
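Review bot: The allowlist in the new `IN (` check of `CodingPhpTest` compares only the nine captured characters, so `'$this->db'` also accepts `$this->db->escape(`, which does not protect a numeric `IN` list; capturing a longer prefix (or a dedicated `\$this->db->sanitize|\$db->sanitize` alternative in the pattern) would make the test enforce what its comment says. The assertion message also omits the offending match, so a failure does not say which line tripped it; `$this->assertTrue($ok, 'Found non sanitized string in building of a IN or NOT IN sql request '.$file['relativename'].': '.$val[0].' - Bad.');` mirrors the preceding check. `$ok` is reused from that preceding assertion rather than reset to `true`, which only works because a failed `assertTrue` already aborts the method. The test method starts outside the hunk.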
From: Laurent Destailleur Date: Mon, 22 Mar 2021 12:47:23 +0100 Subject: [PATCH 03/47] Fix #ygosha5698 --- htdocs/core/class/discount.class.php | 4 ++-- htdocs/core/class/html.form.class.php | 14 +++++++------- htdocs/core/class/html.formcontract.class.php | 2 +- htdocs/core/class/html.formprojet.class.php | 2 +- .../modules/mailings/advthirdparties.modules.php | 2 +- .../eventorganization/conferenceorbooth_list.php | 2 +- htdocs/holiday/class/holiday.class.php | 2 +- htdocs/holiday/month_report.php | 2 +- htdocs/hrm/index.php | 4 ++-- htdocs/install/repair.php | 2 +- htdocs/projet/card.php | 2 +- htdocs/projet/class/project.class.php | 2 +- htdocs/projet/class/task.class.php | 10 +++++----- htdocs/projet/comment.php | 2 +- htdocs/projet/contact.php | 2 +- htdocs/projet/document.php | 2 +- htdocs/projet/element.php | 2 +- htdocs/projet/ganttview.php | 2 +- htdocs/projet/info.php | 2 +- htdocs/projet/list.php | 4 ++-- htdocs/projet/note.php | 2 +- htdocs/projet/tasks.php | 2 +- htdocs/projet/tasks/comment.php | 4 ++-- htdocs/projet/tasks/contact.php | 4 ++-- htdocs/projet/tasks/document.php | 4 ++-- htdocs/projet/tasks/note.php | 4 ++-- htdocs/projet/tasks/task.php | 4 ++-- htdocs/projet/tasks/time.php | 10 +++++----- htdocs/salaries/class/salariesstats.class.php | 2 +- htdocs/ticket/card.php | 2 +- htdocs/ticket/list.php | 2 +- htdocs/user/list.php | 2 +- test/phpunit/CodingPhpTest.php | 4 ++-- 33 files changed, 56 insertions(+), 56 deletions(-) diff --git a/htdocs/core/class/discount.class.php b/htdocs/core/class/discount.class.php index 310f141fc1c..061332c2e8b 100644 --- a/htdocs/core/class/discount.class.php +++ b/htdocs/core/class/discount.class.php 
@@ -597,12 +597,12 @@ class DiscountAbsolute $sql = 'SELECT sum(rc.amount_ttc) as amount, sum(rc.multicurrency_amount_ttc) as multicurrency_amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc, '.MAIN_DB_PREFIX.'facture as f'; $sql .= ' WHERE rc.fk_facture_source=f.rowid AND rc.fk_facture = '.$invoice->id; - $sql .= ' AND f.type IN ('.$invoice::TYPE_STANDARD.', '.$invoice::TYPE_CREDIT_NOTE.', '.$invoice::TYPE_SITUATION.')'; // Find discount coming from credit note or excess received + $sql .= ' AND f.type IN ('.$this->db->sanitize($invoice::TYPE_STANDARD.', '.$invoice::TYPE_CREDIT_NOTE.', '.$invoice::TYPE_SITUATION).')'; // Find discount coming from credit note or excess received } elseif ($invoice->element == 'invoice_supplier') { $sql = 'SELECT sum(rc.amount_ttc) as amount, sum(rc.multicurrency_amount_ttc) as multicurrency_amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc, '.MAIN_DB_PREFIX.'facture_fourn as f'; $sql .= ' WHERE rc.fk_invoice_supplier_source=f.rowid AND rc.fk_invoice_supplier = '.$invoice->id; - $sql .= ' AND f.type IN ('.$invoice::TYPE_STANDARD.', '.$invoice::TYPE_CREDIT_NOTE.')'; // Find discount coming from credit note or excess paid + $sql .= ' AND f.type IN ('.$this->db->sanitize($invoice::TYPE_STANDARD.', '.$invoice::TYPE_CREDIT_NOTE).')'; // Find discount coming from credit note or excess paid } else { $this->error = get_class($this)."::getSumCreditNotesUsed was called with a bad object as a first parameter"; dol_print_error($this->error); diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index b3bac2a0e1d..021ca10ebb9 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php 
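Review bot: The two changed `f.type IN (...)` lines pass class constants (`$invoice::TYPE_STANDARD`, ...) through `$this->db->sanitize()`, which adds nothing since those values never come from outside; the externally-sourced value in these queries is `$invoice->id` on the preceding context line (`rc.fk_facture = '.$invoice->id`), which is still concatenated raw and would take `((int) $invoice->id)`. The wrapping looks like it was made to satisfy the new `CodingPhpTest` pattern, which is fine, but a short comment such as `// sanitize() kept so CodingPhpTest accepts the IN (...) pattern` would stop a later reader from assuming the constants needed it. The enclosing method starts outside the hunk.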
@@ -1887,7 +1887,7 @@ class Form if (!empty($conf->multicompany->enabled) && $conf->entity == 1 && $user->admin && !$user->entity) { $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."entity as e ON e.rowid=u.entity"; if ($force_entity) { - $sql .= " WHERE u.entity IN (0,".$force_entity.")"; + $sql .= " WHERE u.entity IN (0, ".$force_entity.")"; } else { $sql .= " WHERE u.entity IS NOT NULL"; } @@ -1897,7 +1897,7 @@ class Form $sql .= " ON ug.fk_user = u.rowid"; $sql .= " WHERE ug.entity = ".$conf->entity; } else { - $sql .= " WHERE u.entity IN (0,".$conf->entity.")"; + $sql .= " WHERE u.entity IN (0, ".$conf->entity.")"; } } if (!empty($user->socid)) { @@ -8314,11 +8314,11 @@ class Form // Permettre l'exclusion de groupes if (is_array($exclude)) { - $excludeGroups = implode("','", $exclude); + $excludeGroups = implode(",", $exclude); } // Permettre l'inclusion de groupes if (is_array($include)) { - $includeGroups = implode("','", $include); + $includeGroups = implode(",", $include); } if (!is_array($selected)) { @@ -8344,10 +8344,10 @@ class Form $sql .= " WHERE ug.entity IN (0, ".$conf->entity.")"; } if (is_array($exclude) && $excludeGroups) { - $sql .= " AND ug.rowid NOT IN ('".$excludeGroups."')"; + $sql .= " AND ug.rowid NOT IN (".$this->db->sanitize($excludeGroups).")"; } if (is_array($include) && $includeGroups) { - $sql .= " AND ug.rowid IN ('".$includeGroups."')"; + $sql .= " AND ug.rowid IN (".$this->db->sanitize($includeGroups).")"; } $sql .= " ORDER BY ug.nom ASC"; 
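Review bot: The `@@ -1887` and `@@ -1897` hunks only insert a space after `IN (0,`, leaving `$force_entity` and `$conf->entity` concatenated raw; `$sql .= " WHERE u.entity IN (0, ".((int) $force_entity).")";` and the matching `((int) $conf->entity)` would close that, assuming both are integers (`$force_entity` is presumably a parameter declared above the hunk). In the `@@ -8314`/`@@ -8344` pair the move from quoted `'1','2'` lists to unquoted ids under `sanitize()` is correct for `ug.rowid`, but the surrounding `if (is_array($exclude) && $excludeGroups)` still relies on string truthiness, so a list consisting only of `0` is silently dropped — harmless for rowids, worth a comment.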
@@ -8709,7 +8709,7 @@ class Form $sql .= ' '.MAIN_DB_PREFIX.'facture as f'; $sql .= " WHERE p.entity IN (".getEntity('project').")"; $sql .= " AND f.fk_projet = p.rowid AND f.fk_statut=0"; //Brouillons seulement - //if ($projectsListId) $sql.= " AND p.rowid IN (".$projectsListId.")"; + //if ($projectsListId) $sql.= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")"; //if ($socid == 0) $sql.= " AND (p.fk_soc=0 OR p.fk_soc IS NULL)"; //if ($socid > 0) $sql.= " AND (p.fk_soc=".$socid." OR p.fk_soc IS NULL)"; $sql .= " GROUP BY f.ref ORDER BY p.ref, f.ref ASC"; diff --git a/htdocs/core/class/html.formcontract.class.php b/htdocs/core/class/html.formcontract.class.php index 46a1e240cf6..eb0f1baaef1 100644 --- a/htdocs/core/class/html.formcontract.class.php +++ b/htdocs/core/class/html.formcontract.class.php @@ -76,7 +76,7 @@ class FormContract $sql .= ' c.ref_customer, c.ref_supplier'; $sql .= ' FROM '.MAIN_DB_PREFIX.'contrat as c'; $sql .= " WHERE c.entity = ".$conf->entity; - //if ($contratListId) $sql.= " AND c.rowid IN (".$contratListId.")"; + //if ($contratListId) $sql.= " AND c.rowid IN (".$this->db->sanitize($contratListId).")"; if ($socid > 0) { // CONTRACT_ALLOW_TO_LINK_FROM_OTHER_COMPANY is 'all' or a list of ids separated by coma. if (empty($conf->global->CONTRACT_ALLOW_TO_LINK_FROM_OTHER_COMPANY)) { diff --git a/htdocs/core/class/html.formprojet.class.php b/htdocs/core/class/html.formprojet.class.php index af611605095..aff77ce7285 100644 --- a/htdocs/core/class/html.formprojet.class.php +++ b/htdocs/core/class/html.formprojet.class.php 
@@ -175,7 +175,7 @@ class FormProjets if (empty($conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY)) { $sql .= " AND (p.fk_soc=".((int) $socid)." OR p.fk_soc IS NULL)"; } elseif ($conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY != 'all') { // PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY is 'all' or a list of ids separated by coma. - $sql .= " AND (p.fk_soc IN (".((int) $socid).", ".((int) $conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY).") OR p.fk_soc IS NULL)"; + $sql .= " AND (p.fk_soc IN (".$this->db->sanitize(((int) $socid).", ".$conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY).") OR p.fk_soc IS NULL)"; } } if (!empty($filterkey)) { diff --git a/htdocs/core/modules/mailings/advthirdparties.modules.php b/htdocs/core/modules/mailings/advthirdparties.modules.php index d067f43c273..cbf668b6c67 100644 --- a/htdocs/core/modules/mailings/advthirdparties.modules.php +++ b/htdocs/core/modules/mailings/advthirdparties.modules.php @@ -79,7 +79,7 @@ class mailing_advthirdparties extends MailingTargets $sql = "SELECT s.rowid as id, s.email as email, s.nom as name, null as fk_contact"; $sql .= " FROM ".MAIN_DB_PREFIX."societe as s LEFT OUTER JOIN ".MAIN_DB_PREFIX."societe_extrafields se ON se.fk_object=s.rowid"; $sql .= " WHERE s.entity IN (".getEntity('societe').")"; - $sql .= " AND s.rowid IN (".implode(',', $socid).")"; + $sql .= " AND s.rowid IN (".$this->db->sanitize(implode(',', $socid)).")"; $sql .= " ORDER BY email"; // Stock recipients emails into targets table diff --git a/htdocs/eventorganization/conferenceorbooth_list.php b/htdocs/eventorganization/conferenceorbooth_list.php index f4cda255cdb..ea189d4be9b 100644 --- a/htdocs/eventorganization/conferenceorbooth_list.php +++ b/htdocs/eventorganization/conferenceorbooth_list.php 
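Review bot: The old `(int)` cast silently truncated PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY to its first id, so the new line is a behaviour change as well as a hardening and deserves a mention in the commit message or a comment. The value is an admin-entered list "separated by coma", and a stray space or trailing comma may survive sanitize() (depending on what it strips) and yield `IN (5, 7,)`; normalising first, `implode(',', array_map('intval', explode(',', $conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY)))`, produces a list that is valid regardless of how the setting was typed. The method starts and ends outside the hunk.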
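Review bot: `implode(',', $socid)` in the advthirdparties hunk joins whatever the caller put in the array before sanitize() sees it; casting the elements, `implode(',', array_map('intval', $socid))`, guarantees an integer list independent of what sanitize() removes. Also worth a comment that `$socid` here is an array of thirdparty ids, since the same name is an int in most of the codebase. The method starts and ends outside the hunk.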
@@ -265,7 +265,7 @@ if ($projectid > 0) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->project->all->lire) { $objectsListId = $project->getProjectsAuthorizedForUser($user, 0, 0); - $project->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $project->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ? join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($project, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); diff --git a/htdocs/holiday/class/holiday.class.php b/htdocs/holiday/class/holiday.class.php index 243d65b5078..4b5c742b3f1 100644 --- a/htdocs/holiday/class/holiday.class.php +++ b/htdocs/holiday/class/holiday.class.php @@ -479,7 +479,7 @@ class Holiday extends CommonObject $sql .= " FROM ".MAIN_DB_PREFIX."holiday as cp, ".MAIN_DB_PREFIX."user as uu, ".MAIN_DB_PREFIX."user as ua"; $sql .= " WHERE cp.entity IN (".getEntity('holiday').")"; $sql .= " AND cp.fk_user = uu.rowid AND cp.fk_validator = ua.rowid"; // Hack pour la recherche sur le tableau - $sql .= " AND cp.fk_user IN (".$user_id.")"; + $sql .= " AND cp.fk_user IN (".$this->db->sanitize($user_id).")"; // Selection filter if (!empty($filter)) { diff --git a/htdocs/holiday/month_report.php b/htdocs/holiday/month_report.php index 37497fd1810..62991a6e0ee 100644 --- a/htdocs/holiday/month_report.php +++ b/htdocs/holiday/month_report.php @@ -154,7 +154,7 @@ if (!empty($search_employee)) { $sql .= " AND cp.fk_user = '".$db->escape($search_employee)."'"; } if (!empty($search_type)) { - $sql .= ' AND cp.fk_type IN ('.$db->escape($search_type).')'; + $sql .= ' AND cp.fk_type IN ('.$db->sanitize($search_type).')'; } if (!empty($search_description)) { $sql .= natural_search('cp.description', $search_description); diff --git a/htdocs/hrm/index.php b/htdocs/hrm/index.php index e40ceb3f9ba..f169ce60b37 100644 --- a/htdocs/hrm/index.php +++ b/htdocs/hrm/index.php 
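Review bot: The holiday.class.php hunk sanitises `$user_id`, but the `$filter` branch that opens on its last line presumably appends `$filter` to the query as-is (the append itself is outside the hunk), and that free-form parameter is the larger injection surface in this method. This patch documents the equivalent parameter in asset_type.class.php; the same sentence belongs on this method's docblock, `@param string $filter Filter. This parameter must not be provided by input of users`, or the value should go through whatever whitelist the project applies to other raw SQL filters. The method starts and ends outside the hunk.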
@@ -182,7 +182,7 @@ if (!empty($conf->holiday->enabled) && $user->rights->holiday->read) { $sql .= " WHERE u.rowid = x.fk_user"; $sql .= " AND x.entity = ".$conf->entity; if (empty($user->rights->holiday->readall)) { - $sql .= ' AND x.fk_user IN ('.join(',', $childids).')'; + $sql .= ' AND x.fk_user IN ('.$db->sanitize(join(',', $childids)).')'; } //if (!$user->rights->societe->client->voir && !$user->socid) $sql.= " AND x.fk_soc = s. rowid AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; //if (!empty($socid)) $sql.= " AND x.fk_soc = ".$socid; @@ -263,7 +263,7 @@ if (!empty($conf->expensereport->enabled) && $user->rights->expensereport->lire) $sql .= " WHERE u.rowid = x.fk_user_author"; $sql .= " AND x.entity = ".$conf->entity; if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous)) { - $sql .= ' AND x.fk_user_author IN ('.join(',', $childids).')'; + $sql .= ' AND x.fk_user_author IN ('.$db->sanitize(join(',', $childids)).')'; } //if (!$user->rights->societe->client->voir && !$user->socid) $sql.= " AND x.fk_soc = s. rowid AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; //if (!empty($socid)) $sql.= " AND x.fk_soc = ".$socid; diff --git a/htdocs/install/repair.php b/htdocs/install/repair.php index 80678abe24f..ccb787680b3 100644 --- a/htdocs/install/repair.php +++ b/htdocs/install/repair.php @@ -1175,7 +1175,7 @@ if ($ok && GETPOST('clean_perm_table', 'alpha')) { foreach ($conf->modules as $key => $val) { $listofmods .= ($listofmods ? ',' : '')."'".$val."'"; } - $sql = 'SELECT id, libelle as label, module from '.MAIN_DB_PREFIX.'rights_def WHERE module not in ('.$listofmods.') AND id > 100000'; + $sql = 'SELECT id, libelle as label, module from '.MAIN_DB_PREFIX.'rights_def WHERE module NOT IN ('.$db->sanitize($listofmods).') AND id > 100000'; $resql = $db->query($sql); if ($resql) { $num = $db->num_rows($resql); diff --git a/htdocs/projet/card.php b/htdocs/projet/card.php index 5d0f197568c..3999e448730 100644 
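Review bot: In the repair.php hunk `$listofmods` is built from quoted strings (`"'".$val."'"`) and is then passed through `$db->sanitize()`, which everywhere else in this patch is applied to bare integer lists; if its default mode strips single quotes, the statement becomes `module NOT IN (modA,modB)` and either errors or compares against column names. Safer is to escape while building, `$listofmods .= ($listofmods ? ',' : '')."'".$db->escape($val)."'";`, and leave the IN list unsanitised, or to call sanitize in a mode that preserves quotes only after confirming such a mode exists. The clean_perm_table branch starts and ends outside the hunk.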
--- a/htdocs/projet/card.php +++ b/htdocs/projet/card.php @@ -978,7 +978,7 @@ if ($action == 'create' && $user->rights->projet->creer) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0); - $object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ? join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); diff --git a/htdocs/projet/class/project.class.php b/htdocs/projet/class/project.class.php index 5d6c4b4825a..8bf9c727f4e 100644 --- a/htdocs/projet/class/project.class.php +++ b/htdocs/projet/class/project.class.php @@ -2055,7 +2055,7 @@ class Project extends CommonObject $sql .= " p.entity IN (".getEntity('project').")"; if (!$user->rights->projet->all->lire) { $projectsListId = $this->getProjectsAuthorizedForUser($user, 0, 1); - $sql .= "AND p.rowid IN (".$projectsListId.")"; + $sql .= "AND p.rowid IN (".$this->db->sanitize($projectsListId).")"; } $resql = $this->db->query($sql); diff --git a/htdocs/projet/class/task.class.php b/htdocs/projet/class/task.class.php index c9762c0043c..44638c00f46 100644 --- a/htdocs/projet/class/task.class.php +++ b/htdocs/projet/class/task.class.php @@ -868,13 +868,13 @@ class Task extends CommonObject $sql .= " AND p.fk_soc = ".$socid; } if ($projectid) { - $sql .= " AND p.rowid in (".$projectid.")"; + $sql .= " AND p.rowid IN (".$this->db->sanitize($projectid).")"; } if ($filteronproj) { $sql .= natural_search(array("p.ref", "p.title"), $filteronproj); } if ($filteronprojstatus && $filteronprojstatus != '-1') { - $sql .= " AND p.fk_statut IN (".$filteronprojstatus.")"; + $sql .= " AND p.fk_statut IN (".$this->db->sanitize($filteronprojstatus).")"; } if ($morewherefilter) { $sql .= $morewherefilter; 
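Review bot: In the task.class.php `@@ -868` hunk the first line, `$sql .= " AND p.fk_soc = ".$socid;`, still concatenates `$socid` raw and the last line appends `$morewherefilter` with no check at all, while the two changed lines only sanitise `$projectid` and `$filteronprojstatus`. `((int) $socid)` matches the `((int) $taskid)` cast this patch adds to the next method of the same file, and `$morewherefilter` should at least carry the docblock sentence the patch adds for `$excludefilter` in asset_type, `@param string $morewherefilter ... This parameter must not be provided by input of users`. The method starts and ends outside the hunk.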
@@ -1062,10 +1062,10 @@ class Task extends CommonObject $sql .= " AND ctc.source = 'internal'"; if ($projectid) { if ($userp) { - $sql .= " AND pt.rowid in (".$projectid.")"; + $sql .= " AND pt.rowid IN (".$this->db->sanitize($projectid).")"; } if ($usert) { - $sql .= " AND pt.fk_projet in (".$projectid.")"; + $sql .= " AND pt.fk_projet IN (".$this->db->sanitize($projectid).")"; } } if ($taskid) { @@ -1073,7 +1073,7 @@ class Task extends CommonObject $sql .= " ERROR SHOULD NOT HAPPENS"; } if ($usert) { - $sql .= " AND pt.rowid = ".$taskid; + $sql .= " AND pt.rowid = ".((int) $taskid); } } //print $sql; diff --git a/htdocs/projet/comment.php b/htdocs/projet/comment.php index ac00e0adfad..5ddd2cd163b 100644 --- a/htdocs/projet/comment.php +++ b/htdocs/projet/comment.php @@ -112,7 +112,7 @@ $morehtmlref .= ''; // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0); - $object->next_prev_filter = " rowid in (".(count($objectsListId) ? join(',', array_keys($objectsListId)) : '0').")"; + $object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ? join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($object, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref); diff --git a/htdocs/projet/contact.php b/htdocs/projet/contact.php index 8fc018ab8ab..fe434891fa9 100644 --- a/htdocs/projet/contact.php +++ b/htdocs/projet/contact.php 
@@ -300,7 +300,7 @@ if ($id > 0 || !empty($ref)) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0); - $object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); diff --git a/htdocs/projet/document.php b/htdocs/projet/document.php index 795e10f2739..d7bcd722988 100644 --- a/htdocs/projet/document.php +++ b/htdocs/projet/document.php @@ -141,7 +141,7 @@ if ($object->id > 0) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0); - $object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); diff --git a/htdocs/projet/element.php b/htdocs/projet/element.php index f72b1eba7d2..a71d8c4a602 100644 --- a/htdocs/projet/element.php +++ b/htdocs/projet/element.php @@ -222,7 +222,7 @@ $morehtmlref .= ''; // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0); - $object->next_prev_filter = " te.rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $object->next_prev_filter = " te.rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); 
diff --git a/htdocs/projet/ganttview.php b/htdocs/projet/ganttview.php index b4dbc21e894..c5e5b20fb88 100644 --- a/htdocs/projet/ganttview.php +++ b/htdocs/projet/ganttview.php @@ -123,7 +123,7 @@ if (($id > 0 && is_numeric($id)) || !empty($ref)) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0); - $object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); diff --git a/htdocs/projet/info.php b/htdocs/projet/info.php index d99da02caa6..b8c6ae046cf 100644 --- a/htdocs/projet/info.php +++ b/htdocs/projet/info.php @@ -136,7 +136,7 @@ $morehtmlref .= ''; // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0); - $object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); diff --git a/htdocs/projet/list.php b/htdocs/projet/list.php index 3e81b529ac8..a9849ef9f20 100644 --- a/htdocs/projet/list.php +++ b/htdocs/projet/list.php 
@@ -414,7 +414,7 @@ if ($search_opp_status) {
 $sql .= " AND p.fk_opp_status IS NOT NULL AND p.fk_opp_status <> -1 AND p.fk_opp_status NOT IN (SELECT rowid FROM ".MAIN_DB_PREFIX."c_lead_status WHERE code IN ('WON','LOST'))";
 }
 if ($search_opp_status == 'notopenedopp') {
-$sql .= " AND (p.fk_opp_status IS NULL OR p.fk_opp_status = -1 OR p.fk_opp_status IN (SELECT rowid FROM ".MAIN_DB_PREFIX."c_lead_status WHERE code IN ('WON')))";
+$sql .= " AND (p.fk_opp_status IS NULL OR p.fk_opp_status = -1 OR p.fk_opp_status IN (SELECT rowid FROM ".MAIN_DB_PREFIX."c_lead_status WHERE code = 'WON'))";
 }
 if ($search_opp_status == 'none') {
 $sql .= " AND (p.fk_opp_status IS NULL OR p.fk_opp_status = -1)";
@@ -431,7 +431,7 @@ if ($search_sale > 0) {
 // No check is done on company permission because readability is managed by public status of project and assignement.
 //if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND ((s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id.") OR (s.rowid IS NULL))";
 if ($search_project_user > 0) {
-$sql .= " AND ecp.fk_c_type_contact IN (".join(',', array_keys($listofprojectcontacttype)).") AND ecp.element_id = p.rowid AND ecp.fk_socpeople = ".$search_project_user;
+$sql .= " AND ecp.fk_c_type_contact IN (".$db->sanitize(join(',', array_keys($listofprojectcontacttype))).") AND ecp.element_id = p.rowid AND ecp.fk_socpeople = ".$search_project_user;
 }
 if ($search_opp_amount != '') {
 $sql .= natural_search('p.opp_amount', $search_opp_amount, 1);
diff --git a/htdocs/projet/note.php b/htdocs/projet/note.php
index a1ef737ddc7..8b65156570a 100644
--- a/htdocs/projet/note.php
+++ b/htdocs/projet/note.php
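Review bot: `ecp.fk_socpeople = ".$search_project_user` at the end of the changed line in the `@@ -431` hunk is still a raw concatenation of a search parameter; the `> 0` guard does not reject a string such as `5 OR 1=1`, which still compares greater than zero and is then appended unchanged. Cast it as the rest of the patch does: `... AND ecp.fk_socpeople = ".((int) $search_project_user);`. The `IN ('WON')` to `= 'WON'` change in the `@@ -414` hunk is cosmetic and fine. The list-building script continues outside both hunks.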
@@ -101,7 +101,7 @@ if ($id > 0 || !empty($ref)) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0); - $object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); diff --git a/htdocs/projet/tasks.php b/htdocs/projet/tasks.php index 07724753f2d..cb2f92c34a4 100644 --- a/htdocs/projet/tasks.php +++ b/htdocs/projet/tasks.php @@ -450,7 +450,7 @@ if ($id > 0 || !empty($ref)) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0); - $object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref); diff --git a/htdocs/projet/tasks/comment.php b/htdocs/projet/tasks/comment.php index 8ce97133493..c0ebc6850cc 100644 --- a/htdocs/projet/tasks/comment.php +++ b/htdocs/projet/tasks/comment.php 
@@ -135,7 +135,7 @@ if ($id > 0 || !empty($ref)) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0); - $projectstatic->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $projectstatic->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ? join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref); @@ -289,7 +289,7 @@ if ($id > 0 || !empty($ref)) { if (!GETPOST('withproject') || empty($projectstatic->id)) { $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1); - $object->next_prev_filter = " fk_projet in (".$projectsListId.")"; + $object->next_prev_filter = " fk_projet IN (".$db->sanitize($projectsListId).")"; } else { $object->next_prev_filter = " fk_projet = ".$projectstatic->id; } diff --git a/htdocs/projet/tasks/contact.php b/htdocs/projet/tasks/contact.php index 7916c236fb3..c6a7fcb3b45 100644 --- a/htdocs/projet/tasks/contact.php +++ b/htdocs/projet/tasks/contact.php @@ -197,7 +197,7 @@ if ($id > 0 || !empty($ref)) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0); - $projectstatic->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $projectstatic->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref); 
@@ -320,7 +320,7 @@ if ($id > 0 || !empty($ref)) { if (!GETPOST('withproject') || empty($projectstatic->id)) { $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1); - $object->next_prev_filter = " fk_projet in (".$projectsListId.")"; + $object->next_prev_filter = " fk_projet IN (".$db->sanitize($projectsListId).")"; } else { $object->next_prev_filter = " fk_projet = ".$projectstatic->id; } diff --git a/htdocs/projet/tasks/document.php b/htdocs/projet/tasks/document.php index afa63f7eee4..967cc0438da 100644 --- a/htdocs/projet/tasks/document.php +++ b/htdocs/projet/tasks/document.php @@ -154,7 +154,7 @@ if ($object->id > 0) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0); - $projectstatic->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $projectstatic->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref); @@ -278,7 +278,7 @@ if ($object->id > 0) { if (!GETPOST('withproject') || empty($projectstatic->id)) { $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1); - $object->next_prev_filter = " fk_projet in (".$projectsListId.")"; + $object->next_prev_filter = " fk_projet IN (".$db->sanitize($projectsListId).")"; } else { $object->next_prev_filter = " fk_projet = ".$projectstatic->id; } diff --git a/htdocs/projet/tasks/note.php b/htdocs/projet/tasks/note.php index 2452cc71d86..4d581afc30a 100644 --- a/htdocs/projet/tasks/note.php +++ b/htdocs/projet/tasks/note.php 
@@ -129,7 +129,7 @@ if ($object->id > 0) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0); - $projectstatic->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $projectstatic->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref); @@ -247,7 +247,7 @@ if ($object->id > 0) { if (!GETPOST('withproject') || empty($projectstatic->id)) { $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1); - $object->next_prev_filter = " fk_projet in (".$projectsListId.")"; + $object->next_prev_filter = " fk_projet IN (".$db->sanitize($projectsListId).")"; } else { $object->next_prev_filter = " fk_projet = ".$projectstatic->id; } diff --git a/htdocs/projet/tasks/task.php b/htdocs/projet/tasks/task.php index 828b32c599f..6ec9f7d3126 100644 --- a/htdocs/projet/tasks/task.php +++ b/htdocs/projet/tasks/task.php @@ -240,7 +240,7 @@ if ($id > 0 || !empty($ref)) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0); - $projectstatic->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $projectstatic->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref); 
@@ -479,7 +479,7 @@ if ($id > 0 || !empty($ref)) { if (!GETPOST('withproject') || empty($projectstatic->id)) { $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1); - $object->next_prev_filter = " fk_projet in (".$projectsListId.")"; + $object->next_prev_filter = " fk_projet IN (".$db->sanitize($projectsListId).")"; } else { $object->next_prev_filter = " fk_projet = ".$projectstatic->id; } diff --git a/htdocs/projet/tasks/time.php b/htdocs/projet/tasks/time.php index 597d885d088..883fe737e56 100644 --- a/htdocs/projet/tasks/time.php +++ b/htdocs/projet/tasks/time.php @@ -429,7 +429,7 @@ if ($action == 'confirm_generateinvoice') { // Update lineid into line of timespent $sql = 'UPDATE '.MAIN_DB_PREFIX.'projet_task_time SET invoice_line_id = '.$lineid.', invoice_id = '.$tmpinvoice->id; - $sql .= ' WHERE rowid in ('.join(',', $toselect).') AND fk_user = '.$userid; + $sql .= ' WHERE rowid IN ('.$db->sanitize(join(',', $toselect)).') AND fk_user = '.((int) $userid); $result = $db->query($sql); if (!$result) { $error++; @@ -468,7 +468,7 @@ if ($action == 'confirm_generateinvoice') { // Update lineid into line of timespent $sql = 'UPDATE '.MAIN_DB_PREFIX.'projet_task_time SET invoice_line_id = '.$lineid.', invoice_id = '.$tmpinvoice->id; - $sql .= ' WHERE rowid in ('.join(',', $toselect).') AND fk_user = '.$userid; + $sql .= ' WHERE rowid IN ('.$db->sanitize(join(',', $toselect)).') AND fk_user = '.((int) $userid); $result = $db->query($sql); if (!$result) { $error++; @@ -504,7 +504,7 @@ if ($action == 'confirm_generateinvoice') { // Update lineid into line of timespent $sql = 'UPDATE '.MAIN_DB_PREFIX.'projet_task_time SET invoice_line_id = '.$lineid.', invoice_id = '.$tmpinvoice->id; - $sql .= ' WHERE rowid in ('.join(',', $toselect).')'; + $sql .= ' WHERE rowid IN ('.$db->sanitize(join(',', $toselect)).')'; $result = $db->query($sql); if (!$result) { $error++; 
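Review bot: In each of the three time.php hunks the `UPDATE ... SET invoice_line_id = '.$lineid.', invoice_id = '.$tmpinvoice->id` line concatenates two ids raw while the changed line next to it casts `$userid`; `'.((int) $lineid).', invoice_id = '.((int) $tmpinvoice->id)` keeps the statement consistent and turns an empty `$lineid` from a failed addline() into a clear error instead of `invoice_line_id = ,`. The `@@ -504` hunk also omits the `AND fk_user` restriction that the two previous hunks keep; if that is intentional, a one-line comment saying why would help the next reader. The confirm_generateinvoice branch starts and ends outside the hunks.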
@@ -600,7 +600,7 @@ if (($id > 0 || !empty($ref)) || $projectidforalltimes > 0) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0); - $projectstatic->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $projectstatic->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref); @@ -761,7 +761,7 @@ if (($id > 0 || !empty($ref)) || $projectidforalltimes > 0) { if (!GETPOST('withproject') || empty($projectstatic->id)) { $projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1); - $object->next_prev_filter = " fk_projet in (".$projectsListId.")"; + $object->next_prev_filter = " fk_projet IN (".$db->sanitize($projectsListId).")"; } else { $object->next_prev_filter = " fk_projet = ".$projectstatic->id; } diff --git a/htdocs/salaries/class/salariesstats.class.php b/htdocs/salaries/class/salariesstats.class.php index 0614f174416..f8a7d618fb0 100644 --- a/htdocs/salaries/class/salariesstats.class.php +++ b/htdocs/salaries/class/salariesstats.class.php @@ -67,7 +67,7 @@ class SalariesStats extends Stats $this->where .= " AND fk_soc = ".$this->socid; } if (is_array($this->userid) && count($this->userid) > 0) { - $this->where .= ' AND fk_user IN ('.$db->sanitize(join(',', $this->userid)).')'; + $this->where .= ' AND fk_user IN ('.$this->db->sanitize(join(',', $this->userid)).')'; } elseif ($this->userid > 0) { $this->where .= ' AND fk_user = '.$this->userid; } diff --git a/htdocs/ticket/card.php b/htdocs/ticket/card.php index c5e27979121..da04a37dc93 100644 --- a/htdocs/ticket/card.php +++ b/htdocs/ticket/card.php 
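Review bot: The salariesstats change from `$db` to `$this->db` fixes what looks like an undefined-variable call inside the class, but the neighbouring `fk_soc = ".$this->socid` and `fk_user = ".$this->userid` branches still concatenate raw properties; `((int) $this->socid)` and `((int) $this->userid)` would match the casts the rest of this patch adds and cost nothing. The constructor starts and ends outside the hunk.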
@@ -804,7 +804,7 @@ if ($action == 'create' || $action == 'presend') { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $projectstat->getProjectsAuthorizedForUser($user, $mine, 0); - $projectstat->next_prev_filter = " rowid in (".(count($objectsListId) ? join(',', array_keys($objectsListId)) : '0').")"; + $projectstat->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ? join(',', array_keys($objectsListId)) : '0').")"; } print $form->showrefnav($projectstat, 'ref', $linkback, 1, 'ref', 'ref', ''); print ''; diff --git a/htdocs/ticket/list.php b/htdocs/ticket/list.php index 53bc1281d5b..b774f659d0c 100644 --- a/htdocs/ticket/list.php +++ b/htdocs/ticket/list.php @@ -555,7 +555,7 @@ if ($projectid > 0 || $project_ref) { // Define a complementary filter for search of next/prev ref. if (!$user->rights->projet->all->lire) { $objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0); - $object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")"; + $object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ? join(',', array_keys($objectsListId)) : '0').")"; } dol_banner_tab($object, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref); diff --git a/htdocs/user/list.php b/htdocs/user/list.php index ec7b7335b02..75cea8b604d 100644 --- a/htdocs/user/list.php +++ b/htdocs/user/list.php @@ -411,7 +411,7 @@ if ($search_categ == -2) { $sql .= " AND cu.fk_categorie IS NULL"; } if ($mode == 'employee' && empty($user->rights->salaries->readall)) { - $sql .= " AND u.fk_user IN (".join(',', $childids).")"; + $sql .= " AND u.fk_user IN (".$db->sanitize(join(',', $childids)).")"; } // Add where from extra fields include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_search_sql.tpl.php'; diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php index 6fe5f0d8863..42470a1ddb6 100644 
--- a/test/phpunit/CodingPhpTest.php +++ b/test/phpunit/CodingPhpTest.php @@ -171,7 +171,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase $db=$this->savdb; include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; - $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname'); + $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname', SORT_ASC, 0, 0, '', 1); //$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname'); foreach ($filesarray as $key => $file) { @@ -314,7 +314,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase // Check string IN (".xxx with xxx that is not '$this->db->sanitize' and not '$db->sanitize'. It means we forget a db->sanitize when forging sql request. preg_match_all('/ IN \([\'"]\s*\.\s*(.........)/i', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { - if (!in_array($val[1], array('$db->sani', '$this->db', 'getEntity', 'self::STA', 'Commande:', 'CommandeF', 'Facture::', 'FactureFo', 'ExpenseRe', 'Societe::'))) { + if (!in_array($val[1], array('$db->sani', '$this->db', 'getEntity', 'WON\',\'L', 'self::STA', 'Commande:', 'CommandeF', 'Entrepot:', 'Facture::', 'FactureFo', 'ExpenseRe', 'Societe::', 'Ticket::S'))) { $ok=false; break; } From ca1715df960e344d697cd1b6f7412818a9279ef0 Mon Sep 17 00:00:00 2001 
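Review bot: The check in the `@@ -314` hunk only fires when `IN (` is immediately followed by a quote and a concatenation, so a list with a literal prefix, such as `IN (0, ".$force_entity.")` in html.form.class.php in this very patch, is never inspected, and the nine-character whitelist entries (`'Facture::'`, `'$db->sani'`) accept any identifier sharing that prefix. Allowing leading numeric literals, `preg_match_all('/ IN \((?:[0-9]+\s*,\s*)*[\'"]\s*\.\s*(.........)/i', $filecontent, $matches, PREG_SET_ORDER);`, would have caught that case, and a short comment stating what each whitelist entry exempts would make future additions reviewable. The test method starts and ends outside the hunk.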
From: Laurent Destailleur Date: Mon, 22 Mar 2021 13:31:06 +0100 Subject: [PATCH 04/47] Add some protection for SQL injection --- htdocs/adherents/class/adherent_type.class.php | 6 +++--- htdocs/adherents/list.php | 4 ++-- htdocs/adherents/subscription/list.php | 2 +- htdocs/admin/perms.php | 2 +- htdocs/asset/class/asset_type.class.php | 2 +- htdocs/bom/class/api_boms.class.php | 4 ++-- htdocs/categories/class/categorie.class.php | 4 ++-- htdocs/comm/action/class/actioncomm.class.php | 8 ++++---- htdocs/comm/contact.php | 2 +- htdocs/comm/index.php | 2 +- htdocs/comm/propal/class/propal.class.php | 2 +- htdocs/comm/propal/index.php | 2 +- htdocs/commande/class/api_orders.class.php | 2 +- htdocs/commande/index.php | 2 +- htdocs/compta/bank/account_statement_document.php | 8 ++++---- htdocs/compta/bank/bankentries_list.php | 4 ++-- htdocs/compta/bank/various_payment/list.php | 4 ---- htdocs/compta/deplacement/index.php | 2 +- htdocs/compta/deplacement/list.php | 4 ++-- htdocs/compta/facture/class/facture.class.php | 2 +- htdocs/compta/facture/index.php | 6 +++--- htdocs/compta/facture/list.php | 9 +-------- htdocs/compta/paiement/class/paiement.class.php | 4 ++-- htdocs/compta/paiement/list.php | 6 +++--- htdocs/compta/paymentbybanktransfer/index.php | 2 +- htdocs/compta/prelevement/card.php | 4 ++-- htdocs/compta/prelevement/create.php | 2 +- htdocs/compta/prelevement/demandes.php | 4 ++-- htdocs/compta/prelevement/factures.php | 4 ++-- htdocs/compta/prelevement/fiche-rejet.php | 2 +- htdocs/compta/prelevement/index.php | 2 +- htdocs/compta/prelevement/line.php | 4 ++-- htdocs/compta/resultat/index.php | 2 +- htdocs/compta/resultat/result.php | 2 +- htdocs/compta/sociales/list.php | 4 ---- htdocs/core/class/html.form.class.php | 6 +++--- htdocs/product/class/product.class.php | 2 +- htdocs/product/list.php | 6 +++--- htdocs/product/popuprop.php | 2 +- htdocs/product/reassort.php | 10 +++++----- htdocs/product/reassortlot.php | 10 +++++----- 
htdocs/product/stats/commande.php | 2 +- htdocs/product/stats/commande_fournisseur.php | 2 +- htdocs/product/stats/contrat.php | 2 +- htdocs/product/stats/facture.php | 2 +- htdocs/product/stats/facture_fournisseur.php | 2 +- htdocs/product/stats/mo.php | 2 +- htdocs/product/stats/propal.php | 2 +- htdocs/product/stats/supplier_proposal.php | 2 +- htdocs/product/stock/class/entrepot.class.php | 2 +- htdocs/product/stock/movement_card.php | 4 ++-- htdocs/product/stock/movement_list.php | 4 ++-- htdocs/projet/class/task.class.php | 4 ++-- htdocs/projet/list.php | 2 +- htdocs/salaries/list.php | 4 ---- htdocs/societe/class/api_thirdparties.class.php | 8 ++++---- htdocs/societe/index.php | 4 ++-- htdocs/societe/website.php | 2 +- htdocs/stripe/class/stripe.class.php | 2 +- .../class/supplier_proposal.class.php | 4 ++-- htdocs/takepos/invoice.php | 2 +- htdocs/ticket/list.php | 2 +- htdocs/user/class/api_users.class.php | 2 +- htdocs/user/class/user.class.php | 10 +++++----- htdocs/user/home.php | 2 +- htdocs/user/list.php | 2 +- htdocs/user/perms.php | 2 +- htdocs/website/class/website.class.php | 2 +- htdocs/zapier/class/api_zapier.class.php | 4 ++-- 69 files changed, 113 insertions(+), 132 deletions(-) diff --git a/htdocs/adherents/class/adherent_type.class.php b/htdocs/adherents/class/adherent_type.class.php index c4402a157bd..b4347277b5d 100644 --- a/htdocs/adherents/class/adherent_type.class.php +++ b/htdocs/adherents/class/adherent_type.class.php @@ -176,7 +176,7 @@ class AdherentType extends CommonObject $sql = "SELECT rowid"; $sql .= " FROM ".MAIN_DB_PREFIX."adherent_type_lang"; $sql .= " WHERE fk_type=".$this->id; - $sql .= " AND lang='".$key."'"; + $sql .= " AND lang = '".$this->db->escape($key)."'"; $result = $this->db->query($sql); 
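Review bot: In the adherent_type `@@ -176` hunk the line `WHERE fk_type=".$this->id` two lines above the change still concatenates the id raw, whereas the `@@ -552` hunk of the same file casts it with `((int) $this->id)`; applying the same cast here, `$sql .= " WHERE fk_type = ".((int) $this->id);`, keeps the file consistent. Escaping `$key` is the right fix for the `lang` clause. The enclosing method starts and ends outside the hunk.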
@@ -202,7 +202,7 @@ class AdherentType extends CommonObject
 $sql = "SELECT rowid";
 $sql .= " FROM ".MAIN_DB_PREFIX."adherent_type_lang";
 $sql .= " WHERE fk_type=".$this->id;
- $sql .= " AND lang='".$key."'";
+ $sql .= " AND lang = '".$this->db->escape($key)."'";
 $result = $this->db->query($sql);
@@ -552,7 +552,7 @@ class AdherentType extends CommonObject
 $sql = "SELECT a.rowid";
 $sql .= " FROM ".MAIN_DB_PREFIX."adherent as a";
 $sql .= " WHERE a.entity IN (".getEntity('member').")";
- $sql .= " AND a.fk_adherent_type = ".$this->id;
+ $sql .= " AND a.fk_adherent_type = ".((int) $this->id);
 if (!empty($excludefilter)) {
 $sql .= ' AND ('.$excludefilter.')';
 }
diff --git a/htdocs/adherents/list.php b/htdocs/adherents/list.php
index f2bcf690a48..b06a7538aae 100644
--- a/htdocs/adherents/list.php
+++ b/htdocs/adherents/list.php
@@ -302,13 +302,13 @@ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s on (s.rowid = d.fk_soc)";
 $sql .= ", ".MAIN_DB_PREFIX."adherent_type as t";
 $sql .= " WHERE d.fk_adherent_type = t.rowid ";
 if ($catid > 0) {
- $sql .= " AND cm.fk_categorie = ".$db->escape($catid);
+ $sql .= " AND cm.fk_categorie = ".((int) $catid);
 }
 if ($catid == -2) {
 $sql .= " AND cm.fk_categorie IS NULL";
 }
 if ($search_categ > 0) {
- $sql .= " AND cm.fk_categorie = ".$db->escape($search_categ);
+ $sql .= " AND cm.fk_categorie = ".((int) $search_categ);
 }
 if ($search_categ == -2) {
 $sql .= " AND cm.fk_categorie IS NULL";
diff --git a/htdocs/adherents/subscription/list.php b/htdocs/adherents/subscription/list.php
index a69962e84b6..27c3dd247c7 100644
--- a/htdocs/adherents/subscription/list.php
+++ b/htdocs/adherents/subscription/list.php
@@ -191,7 +191,7 @@ if ($search_note) {
 $sql .= natural_search('c.note', $search_note);
 }
 if ($search_account > 0) {
- $sql .= " AND b.fk_account = ".urldecode($search_account);
+ $sql .= " AND b.fk_account = ".((int) $search_account);
 }
 if ($search_amount) {
 $sql .= natural_search('c.subscription', $search_amount, 1);
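Review bot: In the @@ -552 hunk, `$sql .= ' AND ('.$excludefilter.')';` on the context lines still appends a caller-supplied SQL fragment verbatim right after the newly cast `fk_adherent_type`, yet this commit only documents that restriction for AssetType (`@param string $excludefilter Filter to exclude. This parameter must not be provided by input of users`). The AdherentType docblock is outside the hunk, so I cannot confirm whether it already carries the same caveat; if not, the same sentence belongs on `@param string $excludefilter` here so callers know the value must be trusted. The enclosing method starts and ends outside the hunk.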
diff --git a/htdocs/admin/perms.php b/htdocs/admin/perms.php
index e60f2118f2c..31304c85819 100644
--- a/htdocs/admin/perms.php
+++ b/htdocs/admin/perms.php
@@ -132,7 +132,7 @@ print ''."\n";
 $sql = "SELECT r.id, r.libelle as label, r.module, r.module_position, r.perms, r.subperms, r.bydefault";
 $sql .= " FROM ".MAIN_DB_PREFIX."rights_def as r";
 $sql .= " WHERE r.libelle NOT LIKE 'tou%'"; // On ignore droits "tous"
-$sql .= " AND r.entity = ".$entity;
+$sql .= " AND r.entity = ".((int) $entity);
 if (empty($conf->global->MAIN_USE_ADVANCED_PERMS)) {
 $sql .= " AND r.perms NOT LIKE '%_advance'"; // Hide advanced perms if option is not enabled
 }
diff --git a/htdocs/asset/class/asset_type.class.php b/htdocs/asset/class/asset_type.class.php
index 6b345aaef68..17943f4dfd4 100644
--- a/htdocs/asset/class/asset_type.class.php
+++ b/htdocs/asset/class/asset_type.class.php
@@ -332,7 +332,7 @@ class AssetType extends CommonObject
 /**
 * Return array of Asset objects for asset type this->id (or all if this->id not defined)
 *
- * @param string $excludefilter Filter to exclude
+ * @param string $excludefilter Filter to exclude. This parameter must not be provided by input of users
 * @param int $mode 0=Return array of asset instance
 * 1=Return array of asset instance without extra data
 * 2=Return array of asset id only
diff --git a/htdocs/bom/class/api_boms.class.php b/htdocs/bom/class/api_boms.class.php
index 24ec68d0e2f..b0f536140dd 100644
--- a/htdocs/bom/class/api_boms.class.php
+++ b/htdocs/bom/class/api_boms.class.php
@@ -134,14 +134,14 @@ class Boms extends DolibarrApi
 $sql .= " AND t.fk_soc = sc.fk_soc";
 }
 if ($restrictonsocid && $socid) {
- $sql .= " AND t.fk_soc = ".$socid;
+ $sql .= " AND t.fk_soc = ".((int) $socid);
 }
 if ($restrictonsocid && $search_sale > 0) {
 $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
 }
 // Insert sale filter
 if ($restrictonsocid && $search_sale > 0) {
- $sql .= " AND sc.fk_user = ".$search_sale;
+ $sql .= " AND sc.fk_user = ".((int) $search_sale);
 }
 if ($sqlfilters) {
 if (!DolibarrApi::_checkFilters($sqlfilters)) {
diff --git a/htdocs/categories/class/categorie.class.php b/htdocs/categories/class/categorie.class.php
index ba8ffe0e89f..880b0cc69df 100644
--- a/htdocs/categories/class/categorie.class.php
+++ b/htdocs/categories/class/categorie.class.php
@@ -1300,7 +1300,7 @@ class Categorie extends CommonObject
 $sql = "SELECT c.rowid";
 $sql .= " FROM ".MAIN_DB_PREFIX."categorie as c ";
 $sql .= " WHERE c.entity IN (".getEntity('category').")";
- $sql .= " AND c.type = ".$type;
+ $sql .= " AND c.type = ".((int) $type);
 $sql .= " AND c.fk_parent = ".$this->fk_parent;
 $sql .= " AND c.label = '".$this->db->escape($this->label)."'";
@@ -1792,7 +1792,7 @@ class Categorie extends CommonObject
 $sql = "SELECT rowid";
 $sql .= " FROM ".MAIN_DB_PREFIX."categorie_lang";
 $sql .= " WHERE fk_category=".$this->id;
- $sql .= " AND lang='".$key."'";
+ $sql .= " AND lang = '".$this->db->escape($key)."'";
 $result = $this->db->query($sql);
diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php
index 21c130cafac..4bef5ddcd16 100644
--- a/htdocs/comm/action/class/actioncomm.class.php
+++ b/htdocs/comm/action/class/actioncomm.class.php
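Review bot: In the categorie.class.php @@ -1300 hunk, `$sql .= " AND c.fk_parent = ".$this->fk_parent;` on the context line immediately after the new `((int) $type)` cast is still raw concatenation; `fk_parent` is an object property that callers populate, and the neighbouring `label` predicate already goes through `escape()`, so this one line is the odd one out. `$sql .= " AND c.fk_parent = ".((int) $this->fk_parent);` keeps the whole predicate list consistent. The enclosing method starts and ends outside the hunk.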
@@ -1227,17 +1227,17 @@ class ActionComm extends CommonObject
 $sql .= " FROM ".MAIN_DB_PREFIX."actioncomm as a";
 $sql .= " WHERE a.entity IN (".getEntity('agenda').")";
 if (!empty($socid)) {
- $sql .= " AND a.fk_soc = ".$socid;
+ $sql .= " AND a.fk_soc = ".((int) $socid);
 }
 if (!empty($elementtype)) {
 if ($elementtype == 'project') {
- $sql .= ' AND a.fk_project = '.$fk_element;
+ $sql .= ' AND a.fk_project = '.((int) $fk_element);
 } elseif ($elementtype == 'contact') {
 $sql .= ' AND a.id IN';
 $sql .= " (SELECT fk_actioncomm FROM ".MAIN_DB_PREFIX."actioncomm_resources WHERE";
- $sql .= " element_type = 'socpeople' AND fk_element = ".$fk_element.')';
+ $sql .= " element_type = 'socpeople' AND fk_element = ".((int) $fk_element).')';
 } else {
- $sql .= " AND a.fk_element = ".(int) $fk_element." AND a.elementtype = '".$db->escape($elementtype)."'";
+ $sql .= " AND a.fk_element = ".((int) $fk_element)." AND a.elementtype = '".$db->escape($elementtype)."'";
 }
 }
 if (!empty($filter)) {
diff --git a/htdocs/comm/contact.php b/htdocs/comm/contact.php
index b1e8b3c3768..8a921e1c358 100644
--- a/htdocs/comm/contact.php
+++ b/htdocs/comm/contact.php
@@ -101,7 +101,7 @@ if ($type == "f") {
 $sql .= " AND s.fournisseur = 1";
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 if (dol_strlen($stcomm)) {
diff --git a/htdocs/comm/index.php b/htdocs/comm/index.php
index b720ff638c9..b727a18b76f 100644
--- a/htdocs/comm/index.php
+++ b/htdocs/comm/index.php
@@ -169,7 +169,7 @@ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $resql = $db->query($sql);
diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php
index 3a03254099d..3674356af20 100644
--- a/htdocs/comm/propal/class/propal.class.php
+++ b/htdocs/comm/propal/class/propal.class.php
@@ -2734,7 +2734,7 @@ class Propal extends CommonObject
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 if ($draft) {
 $sql .= " AND p.fk_statut = ".self::STATUS_DRAFT;
diff --git a/htdocs/comm/propal/index.php b/htdocs/comm/propal/index.php
index 156dbafbf2a..2005e51571b 100644
--- a/htdocs/comm/propal/index.php
+++ b/htdocs/comm/propal/index.php
@@ -372,7 +372,7 @@ if (!empty($conf->propal->enabled) && $user->rights->propale->lire) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= " ORDER BY p.rowid DESC";
diff --git a/htdocs/commande/class/api_orders.class.php b/htdocs/commande/class/api_orders.class.php
index d839cf38924..17b7d4285b4 100644
--- a/htdocs/commande/class/api_orders.class.php
+++ b/htdocs/commande/class/api_orders.class.php
@@ -191,7 +191,7 @@ class Orders extends DolibarrApi
 }
 // Insert sale filter
 if ($search_sale > 0) {
- $sql .= " AND sc.fk_user = ".$search_sale;
+ $sql .= " AND sc.fk_user = ".((int) $search_sale);
 }
 // Add sql filters
 if ($sqlfilters) {
diff --git a/htdocs/commande/index.php b/htdocs/commande/index.php
index 4b6fcc7d8aa..66798c94157 100644
--- a/htdocs/commande/index.php
+++ b/htdocs/commande/index.php
@@ -209,7 +209,7 @@ if (!empty($conf->commande->enabled)) {
 $sql .= " AND c.entity IN (".getEntity('commande').")";
 $sql .= " AND c.fk_statut = 0";
 if ($socid) {
- $sql .= " AND c.fk_soc = ".$socid;
+ $sql .= " AND c.fk_soc = ".((int) $socid);
 }
 if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
diff --git a/htdocs/compta/bank/account_statement_document.php b/htdocs/compta/bank/account_statement_document.php
index ea4911e7050..e144f6acbe0 100644
--- a/htdocs/compta/bank/account_statement_document.php
+++ b/htdocs/compta/bank/account_statement_document.php
@@ -79,12 +79,12 @@ $result = restrictedArea($user, 'banque', $object->id, 'bank_account', '', '');
 // Define number of receipt to show (current, previous or next one ?)
 $found = false;
-if ($_GET["rel"] == 'prev') {
+if (GETPOST("rel") == 'prev') {
 // Recherche valeur pour num = numero releve precedent
 $sql = "SELECT DISTINCT(b.num_releve) as num";
 $sql .= " FROM ".MAIN_DB_PREFIX."bank as b";
 $sql .= " WHERE b.num_releve < '".$db->escape($numref)."'";
- $sql .= " AND b.fk_account = ".$id;
+ $sql .= " AND b.fk_account = ".((int) $id);
 $sql .= " ORDER BY b.num_releve DESC";
 dol_syslog("htdocs/compta/bank/releve.php", LOG_DEBUG);
@@ -97,12 +97,12 @@ if ($_GET["rel"] == 'prev') {
 $found = true;
 }
 }
-} elseif ($_GET["rel"] == 'next') {
+} elseif (GETPOST("rel") == 'next') {
 // Recherche valeur pour num = numero releve precedent
 $sql = "SELECT DISTINCT(b.num_releve) as num";
 $sql .= " FROM ".MAIN_DB_PREFIX."bank as b";
 $sql .= " WHERE b.num_releve > '".$db->escape($numref)."'";
- $sql .= " AND b.fk_account = ".$id;
+ $sql .= " AND b.fk_account = ".((int) $id);
 $sql .= " ORDER BY b.num_releve ASC";
 dol_syslog("htdocs/compta/bank/releve.php", LOG_DEBUG);
diff --git a/htdocs/compta/bank/bankentries_list.php b/htdocs/compta/bank/bankentries_list.php
index 37ef8a5da76..f07b38045f2 100644
--- a/htdocs/compta/bank/bankentries_list.php
+++ b/htdocs/compta/bank/bankentries_list.php
@@ -581,7 +581,7 @@ if (is_array($extrafields->attributes[$object->table_element]['label']) && count
 $sql .= " WHERE b.fk_account = ba.rowid";
 $sql .= " AND ba.entity IN (".getEntity('bank_account').")";
 if ($search_account > 0) {
- $sql .= " AND b.fk_account = ".$search_account;
+ $sql .= " AND b.fk_account = ".((int) $search_account);
 }
 // Search period criteria
 if (dol_strlen($search_dt_start) > 0) {
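Review bot: The new `GETPOST("rel")` calls in the account_statement_document.php hunks pass no check type and keep the loose `==`, whereas the other GETPOST call in this patch does declare one (`GETPOST("orphelins", "alpha")`); `if (GETPOST('rel', 'alpha') === 'prev') {` and the matching `} elseif (GETPOST('rel', 'alpha') === 'next') {` make the accepted input explicit and avoid PHP's loose string comparison. Separately, both context lines `dol_syslog("htdocs/compta/bank/releve.php", LOG_DEBUG);` name a file other than the one being patched, which will mislead anyone tracing these queries from the log; `dol_syslog("htdocs/compta/bank/account_statement_document.php", LOG_DEBUG);` matches the path in the file header. The `if`/`elseif` chain continues past the end of the second hunk.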
@@ -607,7 +607,7 @@ if ($search_num_releve) {
 $sql .= natural_search("b.num_releve", $search_num_releve);
 }
 if ($search_conciliated != '' && $search_conciliated != '-1') {
- $sql .= " AND b.rappro = ".urlencode($search_conciliated);
+ $sql .= " AND b.rappro = ".((int) $search_conciliated);
 }
 if ($search_thirdparty_user) {
 $sql.= " AND (b.rowid IN ";
diff --git a/htdocs/compta/bank/various_payment/list.php b/htdocs/compta/bank/various_payment/list.php
index 39cbb91fde1..65542598351 100644
--- a/htdocs/compta/bank/various_payment/list.php
+++ b/htdocs/compta/bank/various_payment/list.php
@@ -264,10 +264,6 @@ if ($search_accountancy_subledger > 0) {
 if ($typeid > 0) {
 $sql .= " AND v.fk_typepayment=".$typeid;
 }
-if ($filtre) {
- $filtre = str_replace(":", "=", $filtre);
- $sql .= " AND ".$filtre;
-}
 if ($search_all) {
 $sql .= natural_search(array_keys($fieldstosearchall), $search_all);
 }
diff --git a/htdocs/compta/deplacement/index.php b/htdocs/compta/deplacement/index.php
index 659eada708b..547f0676b7b 100644
--- a/htdocs/compta/deplacement/index.php
+++ b/htdocs/compta/deplacement/index.php
@@ -162,7 +162,7 @@ if (!$user->rights->societe->client->voir && !$user->socid) {
 $sql .= " AND d.fk_soc = s. rowid AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND d.fk_soc = ".$socid;
+ $sql .= " AND d.fk_soc = ".((int) $socid);
 }
 $sql .= $db->order("d.tms", "DESC");
 $sql .= $db->plimit($max, 0);
diff --git a/htdocs/compta/deplacement/list.php b/htdocs/compta/deplacement/list.php
index a36d7867716..61d30ea1345 100644
--- a/htdocs/compta/deplacement/list.php
+++ b/htdocs/compta/deplacement/list.php
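Review bot: In the various_payment/list.php hunk, `$sql .= " AND v.fk_typepayment=".$typeid;` two context lines above the removed `$filtre` block is left as raw concatenation while the filter below it is deleted for exactly this reason; the `$typeid > 0` guard does not reject a string that merely starts with a digit under PHP's loose comparison. `$sql .= " AND v.fk_typepayment = ".((int) $typeid);` brings it in line with the rest of the patch. Where `$typeid` is read is outside the hunk, so whether it is already an int is inferred, not visible.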
@@ -108,11 +108,11 @@ if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND (sc.fk_user = ".$user->id." OR d.fk_soc IS NULL) ";
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 if ($search_ref) {
- $sql .= " AND d.rowid=".$search_ref;
+ $sql .= " AND d.rowid = ".((int) $search_ref);
 }
 if ($search_name) {
 $sql .= natural_search('u.lastname', $search_name);
diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php
index 84f97d61ef0..1afa9347f67 100644
--- a/htdocs/compta/facture/class/facture.class.php
+++ b/htdocs/compta/facture/class/facture.class.php
@@ -4033,7 +4033,7 @@ class Facture extends CommonInvoice
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 if ($draft) {
 $sql .= " AND f.fk_statut = ".self::STATUS_DRAFT;
diff --git a/htdocs/compta/facture/index.php b/htdocs/compta/facture/index.php
index 4939fbb6a95..a4d6dd6fec7 100644
--- a/htdocs/compta/facture/index.php
+++ b/htdocs/compta/facture/index.php
@@ -232,7 +232,7 @@ function getDraftTable($maxCount = 500, $socid = 0)
 $sql .= " AND f.entity IN (".getEntity('facture').")";
 $sql .= " AND f.fk_statut = ".Facture::STATUS_DRAFT;
 if ($socid) {
- $sql .= " AND f.fk_soc = ".$socid;
+ $sql .= " AND f.fk_soc = ".((int) $socid);
 }
 if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
@@ -329,7 +329,7 @@ function getLatestEditTable($maxCount = 5, $socid = 0)
 $sql .= " WHERE f.fk_soc = s.rowid";
 $sql .= " AND f.entity IN (".getEntity('facture').")";
 if ($socid) {
- $sql .= " AND f.fk_soc = ".$socid;
+ $sql .= " AND f.fk_soc = ".((int) $socid);
 }
 if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
@@ -432,7 +432,7 @@ function getOpenTable($maxCount = 500, $socid = 0)
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= " ORDER BY f.rowid DESC";
 $sql .= $db->plimit($maxCount, 0);
diff --git a/htdocs/compta/facture/list.php b/htdocs/compta/facture/list.php
index 31365b33b58..6cf770cb79c 100644
--- a/htdocs/compta/facture/list.php
+++ b/htdocs/compta/facture/list.php
@@ -513,14 +513,7 @@ if ($userid) {
 if ($userid == -1) {
 $sql .= ' AND f.fk_user_author IS NULL';
 } else {
- $sql .= ' AND f.fk_user_author = '.$userid;
- }
-}
-if ($filtre) {
- $aFilter = explode(',', $filtre);
- foreach ($aFilter as $filter) {
- $filt = explode(':', $filter);
- $sql .= ' AND '.$db->escape(trim($filt[0])).' = '.$db->escape(trim($filt[1]));
+ $sql .= ' AND f.fk_user_author = '.((int) $userid);
 }
 }
 if ($search_ref) {
diff --git a/htdocs/compta/paiement/class/paiement.class.php b/htdocs/compta/paiement/class/paiement.class.php
index 42b05f39263..73962cabaca 100644
--- a/htdocs/compta/paiement/class/paiement.class.php
+++ b/htdocs/compta/paiement/class/paiement.class.php
@@ -171,9 +171,9 @@ class Paiement extends CommonObject
 if ($id > 0) {
 $sql .= ' AND p.rowid = '.((int) $id);
 } elseif ($ref) {
- $sql .= " AND p.ref = '".$ref."'";
+ $sql .= " AND p.ref = '".$this->db->escape($ref)."'";
 } elseif ($fk_bank) {
- $sql .= ' AND p.fk_bank = '.$fk_bank;
+ $sql .= ' AND p.fk_bank = '.((int) $fk_bank);
 }
 $resql = $this->db->query($sql);
diff --git a/htdocs/compta/paiement/list.php b/htdocs/compta/paiement/list.php
index 269acd29600..75c63620b0b 100644
--- a/htdocs/compta/paiement/list.php
+++ b/htdocs/compta/paiement/list.php
@@ -200,13 +200,13 @@ if (GETPOST("orphelins", "alpha")) {
 $sql .= " AND sc.fk_user = ".$user->id;
 }
 if ($socid > 0) {
- $sql .= " AND f.fk_soc = ".$socid;
+ $sql .= " AND f.fk_soc = ".((int) $socid);
 }
 if ($userid) {
 if ($userid == -1) {
 $sql .= " AND f.fk_user_author IS NULL";
 } else {
- $sql .= " AND f.fk_user_author = ".$userid;
+ $sql .= " AND f.fk_user_author = ".((int) $userid);
 }
 }
@@ -216,7 +216,7 @@ if (GETPOST("orphelins", "alpha")) {
 $sql .= natural_search('p.ref', $search_ref);
 }
 if ($search_account > 0) {
- $sql .= " AND b.fk_account=".$search_account;
+ $sql .= " AND b.fk_account=".((int) $search_account);
 }
 if ($search_paymenttype != '') {
 $sql .= " AND c.code='".$db->escape($search_paymenttype)."'";
diff --git a/htdocs/compta/paymentbybanktransfer/index.php b/htdocs/compta/paymentbybanktransfer/index.php
index 92bc7ec6ff8..a705353112c 100644
--- a/htdocs/compta/paymentbybanktransfer/index.php
+++ b/htdocs/compta/paymentbybanktransfer/index.php
@@ -115,7 +115,7 @@ if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND f.fk_soc = ".$socid;
+ $sql .= " AND f.fk_soc = ".((int) $socid);
 }
 $resql = $db->query($sql);
diff --git a/htdocs/compta/prelevement/card.php b/htdocs/compta/prelevement/card.php
index 24ea982f01b..d04e7131edc 100644
--- a/htdocs/compta/prelevement/card.php
+++ b/htdocs/compta/prelevement/card.php
@@ -351,12 +351,12 @@ if ($id > 0 || $ref) {
 $sql .= " FROM ".MAIN_DB_PREFIX."prelevement_lignes as pl";
 $sql .= ", ".MAIN_DB_PREFIX."prelevement_bons as pb";
 $sql .= ", ".MAIN_DB_PREFIX."societe as s";
- $sql .= " WHERE pl.fk_prelevement_bons = ".$id;
+ $sql .= " WHERE pl.fk_prelevement_bons = ".((int) $id);
 $sql .= " AND pl.fk_prelevement_bons = pb.rowid";
 $sql .= " AND pb.entity = ".$conf->entity;
 $sql .= " AND pl.fk_soc = s.rowid";
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= $db->order($sortfield, $sortorder);
diff --git a/htdocs/compta/prelevement/create.php b/htdocs/compta/prelevement/create.php
index deb5fe2fcd5..e12c50b75f5 100644
--- a/htdocs/compta/prelevement/create.php
+++ b/htdocs/compta/prelevement/create.php
@@ -319,7 +319,7 @@ if ($type == 'bank-transfer') {
 $sql .= " AND pfd.fk_facture = f.rowid";
 }
 if ($socid > 0) {
- $sql .= " AND f.fk_soc = ".$socid;
+ $sql .= " AND f.fk_soc = ".((int) $socid);
 }
 $nbtotalofrecords = '';
diff --git a/htdocs/compta/prelevement/demandes.php b/htdocs/compta/prelevement/demandes.php
index 9d0fa17d246..266097f7a2d 100644
--- a/htdocs/compta/prelevement/demandes.php
+++ b/htdocs/compta/prelevement/demandes.php
@@ -141,14 +141,14 @@ if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND f.fk_soc = ".$socid;
+ $sql .= " AND f.fk_soc = ".((int) $socid);
 }
 if (!$status) {
 $sql .= " AND pfd.traite = 0";
 }
 $sql .= " AND pfd.ext_payment_id IS NULL";
 if ($status) {
- $sql .= " AND pfd.traite = ".$status;
+ $sql .= " AND pfd.traite = ".((int) $status);
 }
 $sql .= " AND f.total_ttc > 0";
 if (empty($conf->global->WITHDRAWAL_ALLOW_ANY_INVOICE_STATUS)) {
diff --git a/htdocs/compta/prelevement/factures.php b/htdocs/compta/prelevement/factures.php
index 301a5c7808c..23511a4a00a 100644
--- a/htdocs/compta/prelevement/factures.php
+++ b/htdocs/compta/prelevement/factures.php
@@ -195,10 +195,10 @@ if ($object->type != 'bank-transfer') {
 $sql .= " AND f.entity IN (".getEntity('supplier_invoice').")";
 }
 if ($object->id > 0) {
- $sql .= " AND p.rowid=".$object->id;
+ $sql .= " AND p.rowid = ".((int) $object->id);
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= $db->order($sortfield, $sortorder);
diff --git a/htdocs/compta/prelevement/fiche-rejet.php b/htdocs/compta/prelevement/fiche-rejet.php
index 62c3c4849f8..9a4f209e134 100644
--- a/htdocs/compta/prelevement/fiche-rejet.php
+++ b/htdocs/compta/prelevement/fiche-rejet.php
@@ -177,7 +177,7 @@ $sql .= " AND pl.fk_soc = s.rowid";
 $sql .= " AND pl.statut = 3 ";
 $sql .= " AND pr.fk_prelevement_lignes = pl.rowid";
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= " ORDER BY pl.amount DESC";
diff --git a/htdocs/compta/prelevement/index.php b/htdocs/compta/prelevement/index.php
index 2da8e1f0812..6e537159721 100644
--- a/htdocs/compta/prelevement/index.php
+++ b/htdocs/compta/prelevement/index.php
@@ -115,7 +115,7 @@ if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND f.fk_soc = ".$socid;
+ $sql .= " AND f.fk_soc = ".((int) $socid);
 }
 $resql = $db->query($sql);
diff --git a/htdocs/compta/prelevement/line.php b/htdocs/compta/prelevement/line.php
index 68ca3795fe3..73c985355b1 100644
--- a/htdocs/compta/prelevement/line.php
+++ b/htdocs/compta/prelevement/line.php
@@ -262,9 +262,9 @@ if ($id) {
 $sql .= " AND f.fk_soc = s.rowid";
 $sql .= " AND pf.fk_facture = f.rowid";
 $sql .= " AND f.entity IN (".getEntity('invoice').")";
- $sql .= " AND pl.rowid=".$id;
+ $sql .= " AND pl.rowid = ".((int) $id);
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= " ORDER BY $sortfield $sortorder ";
 $sql .= $db->plimit($conf->liste_limit + 1, $offset);
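Review bot: In the prelevement/line.php hunk, the context line `$sql .= " ORDER BY $sortfield $sortorder ";` interpolates the sort parameters straight into the statement two lines below the newly cast `$id` and `$socid`; unless both values are validated before this hunk (not visible here), they are the same class of request input the commit is hardening, and an ORDER BY clause cannot be protected by a cast or by `escape()`. The sibling hunks in this patch (prelevement/card.php, factures.php, the product/stats files) already use `$sql .= $db->order($sortfield, $sortorder);`, which is the form to use here. The product/stats/facture_fournisseur.php hunk carries the same interpolated line.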
diff --git a/htdocs/compta/resultat/index.php b/htdocs/compta/resultat/index.php
index e5b86ba762e..272d6808b32 100644
--- a/htdocs/compta/resultat/index.php
+++ b/htdocs/compta/resultat/index.php
@@ -347,7 +347,7 @@ if (!empty($conf->facture->enabled) && ($modecompta == 'CREANCES-DETTES' || $mod
 $sql .= " AND f.entity = ".$conf->entity;
 if ($socid) {
- $sql .= " AND f.fk_soc = ".$socid;
+ $sql .= " AND f.fk_soc = ".((int) $socid);
 }
 $sql .= " GROUP BY dm";
diff --git a/htdocs/compta/resultat/result.php b/htdocs/compta/resultat/result.php
index 91932100565..8ef75bf5846 100644
--- a/htdocs/compta/resultat/result.php
+++ b/htdocs/compta/resultat/result.php
@@ -281,7 +281,7 @@ if ($modecompta == 'CREANCES-DETTES') {
 if (! empty($date_start) && ! empty($date_end)) $sql.= " AND t.doc_date >= '".$db->idate($date_start)."' AND t.doc_date <= '".$db->idate($date_end)."'";
 if (! empty($month)) {
- $sql .= " AND MONTH(t.doc_date) = " . $month;
+ $sql .= " AND MONTH(t.doc_date) = " . ((int) $month);
 }
 $resql = $db->query($sql);
 if ($resql)
diff --git a/htdocs/compta/sociales/list.php b/htdocs/compta/sociales/list.php
index dff6a887f0f..48c6936a225 100644
--- a/htdocs/compta/sociales/list.php
+++ b/htdocs/compta/sociales/list.php
@@ -209,10 +209,6 @@ if ($year > 0) {
 $sql .= "OR (cs.periode IS NULL AND date_format(cs.date_ech, '%Y') = '".$db->escape($year)."')";
 $sql .= ")";
 }
-if ($filtre) {
- $filtre = str_replace(":", "=", $filtre);
- $sql .= " AND ".$filtre;
-}
 if ($search_typeid) {
 $sql .= " AND cs.fk_type=".$db->escape($search_typeid);
 }
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index 021ca10ebb9..309ebba3062 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
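Review bot: In the sociales/list.php hunk, the context line `$sql .= " AND cs.fk_type=".$db->escape($search_typeid);` just below the deleted `$filtre` block relies on `escape()` for a value that is concatenated unquoted into a numeric comparison; escaping only neutralises quote characters, so it does not constrain what lands in the statement there. `$sql .= " AND cs.fk_type = ".((int) $search_typeid);` is the form the rest of this commit uses for ids. The salaries/list.php hunk has the same issue twice: `s.paye = ".$db->escape($search_status)` and `s.fk_typepayment=".$search_type_id`, the second with no treatment at all.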
@@ -4129,7 +4129,7 @@ class Form
 *
 * @param string $selected Id shipping mode pre-selected
 * @param string $htmlname Name of select zone
- * @param string $filtre To filter list
+ * @param string $filtre To filter list. This parameter must not come from input of users
 * @param int $useempty 1=Add an empty value in list, 2=Add an empty value in list only if there is more than 2 entries.
 * @param string $moreattrib To add more attribute on select
 * @param int $noinfoadmin 0=Add admin info, 1=Disable admin info
@@ -4324,7 +4324,7 @@ class Form
 * @param string $selected Id account pre-selected
 * @param string $htmlname Name of select zone
 * @param int $status Status of searched accounts (0=open, 1=closed, 2=both)
- * @param string $filtre To filter list
+ * @param string $filtre To filter list. This parameter must not come from input of users
 * @param int $useempty 1=Add an empty value in list, 2=Add an empty value in list only if there is more than 2 entries.
 * @param string $moreattrib To add more attribute on select
 * @param int $showcurrency Show currency in label
@@ -4410,7 +4410,7 @@ class Form
 * @param string $selected Id establishment pre-selected
 * @param string $htmlname Name of select zone
 * @param int $status Status of searched establishment (0=open, 1=closed, 2=both)
- * @param string $filtre To filter list
+ * @param string $filtre To filter list. This parameter must not come from input of users
 * @param int $useempty 1=Add an empty value in list, 2=Add an empty value in list only if there is more than 2 entries.
 * @param string $moreattrib To add more attribute on select
 * @return int <0 if error, Num of establishment found if OK (0, 1, 2, ...)
diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index 71b74a8a1db..76adb4a3485 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
@@ -3543,7 +3543,7 @@ class Product extends CommonObject
 $sql .= " AND p.fk_soc = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid > 0) {
- $sql .= " AND p.fk_soc = ".$socid;
+ $sql .= " AND p.fk_soc = ".((int) $socid);
 }
 $sql .= $morefilter;
 $sql .= " GROUP BY date_format(p.date_valid,'%Y%m')";
diff --git a/htdocs/product/list.php b/htdocs/product/list.php
index 32d36d2d6f6..dfd15249585 100644
--- a/htdocs/product/list.php
+++ b/htdocs/product/list.php
@@ -475,13 +475,13 @@ if ($fourn_id > 0) {
 $sql .= " AND pfp.fk_soc = ".((int) $fourn_id);
 }
 if ($search_country) {
- $sql .= " AND p.fk_country = ".$search_country;
+ $sql .= " AND p.fk_country = ".((int) $search_country);
 }
 if ($search_state) {
- $sql .= " AND p.fk_state = ".$search_state;
+ $sql .= " AND p.fk_state = ".((int) $search_state);
 }
 if ($search_finished >= 0 && $search_finished !== '') {
- $sql .= " AND p.finished = ".$search_finished;
+ $sql .= " AND p.finished = ".((int) $search_finished);
 }
 if ($search_accountancy_code_sell) {
 $sql .= natural_search('p.accountancy_code_sell', $search_accountancy_code_sell);
diff --git a/htdocs/product/popuprop.php b/htdocs/product/popuprop.php
index 001635be24b..2b84f11ac66 100644
--- a/htdocs/product/popuprop.php
+++ b/htdocs/product/popuprop.php
@@ -140,7 +140,7 @@ $sql .= ", ".MAIN_DB_PREFIX."product as p";
 $sql .= ' WHERE p.entity IN ('.getEntity('product').')';
 $sql .= " AND p.rowid = pd.fk_product";
 if ($type !== '') {
- $sql .= " AND fk_product_type = ".$type;
+ $sql .= " AND fk_product_type = ".((int) $type);
 }
 $sql .= " GROUP BY p.rowid, p.label, p.ref, p.fk_product_type";
diff --git a/htdocs/product/reassort.php b/htdocs/product/reassort.php
index e0d1d7447a0..815b49911dd 100644
--- a/htdocs/product/reassort.php
+++ b/htdocs/product/reassort.php
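Review bot: In the product.class.php hunk, `$sql .= $morefilter;` on the context line right after the hardened `fk_soc` predicate appends a caller-supplied SQL fragment unchanged, so the cast only helps if every caller keeps `$morefilter` out of reach of request input. The method signature and docblock are outside the hunk, so I cannot see whether they already say so; if not, the `@param` for `$morefilter` should get the same sentence this commit adds to the `$filtre` parameters in html.form.class.php, `This parameter must not come from input of users`. The task.class.php hunk's `$sql .= $morewherefilter;` is in the same position.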
@@ -177,19 +177,19 @@ if ($snom) {
 $sql .= natural_search('p.label', $snom);
 }
 if (!empty($tosell)) {
- $sql .= " AND p.tosell = ".$tosell;
+ $sql .= " AND p.tosell = ".((int) $tosell);
 }
 if (!empty($tobuy)) {
- $sql .= " AND p.tobuy = ".$tobuy;
+ $sql .= " AND p.tobuy = ".((int) $tobuy);
 }
 if (!empty($canvas)) {
 $sql .= " AND p.canvas = '".$db->escape($canvas)."'";
 }
-if ($catid) {
- $sql .= " AND cp.fk_categorie = ".$catid;
+if ($catid > 0) {
+ $sql .= " AND cp.fk_categorie = ".((int) $catid);
 }
 if ($fourn_id > 0) {
- $sql .= " AND p.rowid = pf.fk_product AND pf.fk_soc = ".$fourn_id;
+ $sql .= " AND p.rowid = pf.fk_product AND pf.fk_soc = ".((int) $fourn_id);
 }
 // Insert categ filter
 if ($search_categ) {
diff --git a/htdocs/product/reassortlot.php b/htdocs/product/reassortlot.php
index 5983d5e6b4e..8a5da81ca5b 100644
--- a/htdocs/product/reassortlot.php
+++ b/htdocs/product/reassortlot.php
@@ -165,19 +165,19 @@ if ($snom) {
 $sql .= natural_search("p.label", $snom);
 }
 if (!empty($tosell)) {
- $sql .= " AND p.tosell = ".$tosell;
+ $sql .= " AND p.tosell = ".((int) $tosell);
 }
 if (!empty($tobuy)) {
- $sql .= " AND p.tobuy = ".$tobuy;
+ $sql .= " AND p.tobuy = ".((int) $tobuy);
 }
 if (!empty($canvas)) {
 $sql .= " AND p.canvas = '".$db->escape($canvas)."'";
 }
-if ($catid) {
- $sql .= " AND cp.fk_categorie = ".$catid;
+if ($catid > 0) {
+ $sql .= " AND cp.fk_categorie = ".((int) $catid);
 }
 if ($fourn_id > 0) {
- $sql .= " AND p.rowid = pf.fk_product AND pf.fk_soc = ".$fourn_id;
+ $sql .= " AND p.rowid = pf.fk_product AND pf.fk_soc = ".((int) $fourn_id);
 }
 // Insert categ filter
 if ($search_categ) {
diff --git a/htdocs/product/stats/commande.php b/htdocs/product/stats/commande.php
index 4eaa0a3b3b8..fe8016f362a 100644
--- a/htdocs/product/stats/commande.php
+++ b/htdocs/product/stats/commande.php
@@ -162,7 +162,7 @@ if ($id > 0 || !empty($ref)) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND c.fk_soc = ".$socid;
+ $sql .= " AND c.fk_soc = ".((int) $socid);
 }
 $sql .= $db->order($sortfield, $sortorder);
diff --git a/htdocs/product/stats/commande_fournisseur.php b/htdocs/product/stats/commande_fournisseur.php
index dcc2b9c0cee..bc8346e39b1 100644
--- a/htdocs/product/stats/commande_fournisseur.php
+++ b/htdocs/product/stats/commande_fournisseur.php
@@ -162,7 +162,7 @@ if ($id > 0 || !empty($ref)) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND c.fk_soc = ".$socid;
+ $sql .= " AND c.fk_soc = ".((int) $socid);
 }
 $sql .= $db->order($sortfield, $sortorder);
diff --git a/htdocs/product/stats/contrat.php b/htdocs/product/stats/contrat.php
index 93778a19047..e419593208c 100644
--- a/htdocs/product/stats/contrat.php
+++ b/htdocs/product/stats/contrat.php
@@ -148,7 +148,7 @@ if ($id > 0 || !empty($ref)) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= " GROUP BY c.rowid, c.ref, c.ref_customer, c.ref_supplier, c.date_contrat, c.statut, s.nom, s.rowid, s.code_client";
 $sql .= $db->order($sortfield, $sortorder);
diff --git a/htdocs/product/stats/facture.php b/htdocs/product/stats/facture.php
index e0d262ee1fb..fa7d4fae24f 100644
--- a/htdocs/product/stats/facture.php
+++ b/htdocs/product/stats/facture.php
@@ -179,7 +179,7 @@ if ($id > 0 || !empty($ref)) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND f.fk_soc = ".$socid;
+ $sql .= " AND f.fk_soc = ".((int) $socid);
 }
 $sql .= $db->order($sortfield, $sortorder);
diff --git a/htdocs/product/stats/facture_fournisseur.php b/htdocs/product/stats/facture_fournisseur.php
index 497aa3574bf..018f1c28f02 100644
--- a/htdocs/product/stats/facture_fournisseur.php
+++ b/htdocs/product/stats/facture_fournisseur.php
@@ -162,7 +162,7 @@ if ($id > 0 || !empty($ref)) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND f.fk_soc = ".$socid;
+ $sql .= " AND f.fk_soc = ".((int) $socid);
 }
 $sql .= " ORDER BY $sortfield $sortorder ";
diff --git a/htdocs/product/stats/mo.php b/htdocs/product/stats/mo.php
index 479dbdd1a17..1cabfd9ef85 100644
--- a/htdocs/product/stats/mo.php
+++ b/htdocs/product/stats/mo.php
@@ -140,7 +140,7 @@ if ($id > 0 || !empty($ref)) {
 $sql .= " AND c.entity IN (".getEntity('mo').")";
 $sql .= " AND cd.fk_product =".$product->id;
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= " GROUP BY c.rowid, c.ref, c.date_valid, c.status";
 //$sql .= ", s.nom, s.rowid, s.code_client";
diff --git a/htdocs/product/stats/propal.php b/htdocs/product/stats/propal.php
index 95f2884c7b5..7dfc8b6d1db 100644
--- a/htdocs/product/stats/propal.php
+++ b/htdocs/product/stats/propal.php
@@ -163,7 +163,7 @@ if ($id > 0 || !empty($ref)) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND p.fk_soc = ".$socid;
+ $sql .= " AND p.fk_soc = ".((int) $socid);
 }
 $sql .= $db->order($sortfield, $sortorder);
diff --git a/htdocs/product/stats/supplier_proposal.php b/htdocs/product/stats/supplier_proposal.php
index d918ce7c7d2..86689786b2d 100644
--- a/htdocs/product/stats/supplier_proposal.php
+++ b/htdocs/product/stats/supplier_proposal.php
@@ -163,7 +163,7 @@ if ($id > 0 || !empty($ref)) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND p.fk_soc = ".$socid;
+ $sql .= " AND p.fk_soc = ".((int) $socid);
 }
 $sql .= $db->order($sortfield, $sortorder);
diff --git a/htdocs/product/stock/class/entrepot.class.php b/htdocs/product/stock/class/entrepot.class.php
index 9d601dc9687..30dba05e417 100644
--- a/htdocs/product/stock/class/entrepot.class.php
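Review bot: In the mo.php hunk, the context line `$sql .= " AND cd.fk_product =".$product->id;` directly above the new cast is left as raw concatenation, so this query is hardened on one id and not the other. `$product->id` is set by a fetch earlier in the file (outside the hunk), so it is probably already an int, but `$sql .= " AND cd.fk_product = ".((int) $product->id);` costs nothing and makes the statement uniform with the rest of the patch.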
+++ b/htdocs/product/stock/class/entrepot.class.php
@@ -547,7 +547,7 @@ class Entrepot extends CommonObject
 $sql = "SELECT rowid, ref as label";
 $sql .= " FROM ".MAIN_DB_PREFIX."entrepot";
 $sql .= " WHERE entity IN (".getEntity('stock').")";
- $sql .= " AND statut = ".$status;
+ $sql .= " AND statut = ".((int) $status);
 $result = $this->db->query($sql);
 $i = 0;
diff --git a/htdocs/product/stock/movement_card.php b/htdocs/product/stock/movement_card.php
index 6dc3c665e15..31c71d9e2bd 100644
--- a/htdocs/product/stock/movement_card.php
+++ b/htdocs/product/stock/movement_card.php
@@ -456,7 +456,7 @@ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."user as u ON m.fk_user_author = u.rowid";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lot as pl ON m.batch = pl.batch AND m.fk_product = pl.fk_product";
 $sql .= " WHERE m.fk_product = p.rowid";
 if ($msid > 0) {
- $sql .= " AND m.rowid = ".$msid;
+ $sql .= " AND m.rowid = ".((int) $msid);
 }
 $sql .= " AND m.fk_entrepot = e.rowid";
 $sql .= " AND e.entity IN (".getEntity('stock').")";
@@ -464,7 +464,7 @@ if (empty($conf->global->STOCK_SUPPORTS_SERVICES)) {
 $sql .= " AND p.fk_product_type = 0";
 }
 if ($id > 0) {
- $sql .= " AND e.rowid ='".$id."'";
+ $sql .= " AND e.rowid = ".((int) $id);
 }
 $sql .= dolSqlDateFilter('m.datem', 0, $month, $year);
 if ($idproduct > 0) {
diff --git a/htdocs/product/stock/movement_list.php b/htdocs/product/stock/movement_list.php
index 62cbe7f8620..65192df842f 100644
--- a/htdocs/product/stock/movement_list.php
+++ b/htdocs/product/stock/movement_list.php
@@ -503,7 +503,7 @@ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."user as u ON m.fk_user_author = u.rowid";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lot as pl ON m.batch = pl.batch AND m.fk_product = pl.fk_product";
 $sql .= " WHERE m.fk_product = p.rowid";
 if ($msid > 0) {
- $sql .= " AND m.rowid = ".$msid;
+ $sql .= " AND m.rowid = ".((int) $msid);
 }
 $sql .= " AND m.fk_entrepot = e.rowid";
 $sql .= " AND e.entity IN (".getEntity('stock').")";
@@ -511,7 +511,7 @@ if (empty($conf->global->STOCK_SUPPORTS_SERVICES)) { $sql .= " AND p.fk_product_type = 0"; } if ($id > 0) { - $sql .= " AND e.rowid ='".$id."'"; + $sql .= " AND e.rowid = ".((int) $id); } if (!empty($search_date_start)) { $sql .= " AND m.datem >= '" . $db->idate($search_date_start) . "'"; diff --git a/htdocs/projet/class/task.class.php b/htdocs/projet/class/task.class.php index 44638c00f46..091409539a8 100644 --- a/htdocs/projet/class/task.class.php +++ b/htdocs/projet/class/task.class.php @@ -1266,10 +1266,10 @@ class Task extends CommonObject $sql .= $morewherefilter; } if ($id > 0) { - $sql .= " AND t.fk_task = ".$id; + $sql .= " AND t.fk_task = ".((int) $id); } if ($userid > 0) { - $sql .= " AND t.fk_user = ".$userid; + $sql .= " AND t.fk_user = ".((int) $userid); } dol_syslog(get_class($this)."::getSummaryOfTimeSpent", LOG_DEBUG); diff --git a/htdocs/projet/list.php b/htdocs/projet/list.php index a9849ef9f20..e907ab3b06e 100644 --- a/htdocs/projet/list.php +++ b/htdocs/projet/list.php @@ -426,7 +426,7 @@ if ($search_public != '') { // For external user, no check is done on company permission because readability is managed by public status of project and assignement. //if ($socid > 0) $sql.= " AND s.rowid = ".$socid; if ($search_sale > 0) { - $sql .= " AND sc.fk_user = ".$search_sale; + $sql .= " AND sc.fk_user = ".((int) $search_sale); } // No check is done on company permission because readability is managed by public status of project and assignement. //if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND ((s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id.") OR (s.rowid IS NULL))"; diff --git a/htdocs/salaries/list.php b/htdocs/salaries/list.php index 907f16f21bc..c007c160a86 100644 --- a/htdocs/salaries/list.php +++ b/htdocs/salaries/list.php 
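Review bot: `$morewherefilter` on the first line of the task.class.php hunk is still appended to the query verbatim, so the new casts on `$id` and `$userid` cover only the numeric filters of `getSummaryOfTimeSpent()`. The user.class.php hunk later in this patch documents the equivalent `$filter` argument of `get_full_tree()` as not to be taken from user input; the same warning belongs on this method's docblock, e.g. `@param string $morewherefilter Additional SQL filter, appended as-is. Must not come from user input.` The method's signature and docblock are outside the hunk, so check what is already there before adding it.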
@@ -275,10 +275,6 @@ if ($search_account > 0) { if ($search_status != '' && $search_status >= 0) { $sql .= " AND s.paye = ".$db->escape($search_status); } -if ($filtre) { - $filtre = str_replace(":", "=", $filtre); - $sql .= " AND ".$filtre; -} if ($search_type_id) { $sql .= " AND s.fk_typepayment=".$search_type_id; } diff --git a/htdocs/societe/class/api_thirdparties.class.php b/htdocs/societe/class/api_thirdparties.class.php index cd356d2e2a2..f0cf3fa595a 100644 --- a/htdocs/societe/class/api_thirdparties.class.php +++ b/htdocs/societe/class/api_thirdparties.class.php @@ -1364,10 +1364,10 @@ class Thirdparties extends DolibarrApi $sql = "SELECT rowid"; $sql .= " FROM ".MAIN_DB_PREFIX."societe_rib"; if ($id) { - $sql .= " WHERE fk_soc = ".$id." "; + $sql .= " WHERE fk_soc = ".((int) $id); } if ($companybankid) { - $sql .= " AND rowid = ".$companybankid.""; + $sql .= " AND rowid = ".((int) $companybankid); } $i = 0; @@ -1433,9 +1433,9 @@ class Thirdparties extends DolibarrApi * We select all the records that match the socid */ $sql = "SELECT rowid, fk_soc, key_account, site, date_creation, tms FROM ".MAIN_DB_PREFIX."societe_account"; - $sql .= " WHERE fk_soc = $id"; + $sql .= " WHERE fk_soc = ".((int) $id); if ($site) { - $sql .= " AND site ='$site'"; + $sql .= " AND site ='".$this->db-escape($site)."'"; } $result = $this->db->query($sql); diff --git a/htdocs/societe/index.php b/htdocs/societe/index.php index b76a80e1148..c87d260f23e 100644 --- a/htdocs/societe/index.php +++ b/htdocs/societe/index.php @@ -101,8 +101,8 @@ $sql .= ' WHERE s.entity IN ('.getEntity('societe').')'; if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } -if ($socid) { - $sql .= " AND s.rowid = ".$socid; +if ($socid > 0) { + $sql .= " AND s.rowid = ".((int) $socid); } if (!$user->rights->fournisseur->lire) { $sql .= " AND (s.fournisseur <> 1 OR s.client <> 0)"; // client=0, fournisseur=0 must be visible 
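Review bot: `$db->escape($search_status)` in the salaries/list.php hunk's context is used in an unquoted numeric comparison, and `escape()` only neutralises quote characters, so any unquoted text in the value reaches the query as SQL; `$search_type_id` three lines below is concatenated with no treatment at all. The `$search_status >= 0` test shows both are meant to be integers, so `((int) $search_status)` and `((int) $search_type_id)` are the right form and match the rest of this patch. The api_users.class.php hunk on this page has the same unquoted `$this->db->escape($category)` pattern for `c.fk_categorie`, which that hunk leaves alone while only trimming whitespace on the following line.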
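Review bot: The new line in the second api_thirdparties.class.php hunk reads `$this->db-escape($site)`, missing the `>` of the method call, so PHP parses it as a subtraction and a call to an undefined global `escape()` — a fatal error whenever `$site` is non-empty (PATCH 06 on this page corrects it to `$this->db->escape($site)`). In the first hunk, the `WHERE fk_soc = …` clause is emitted only when `$id` is truthy while `AND rowid = …` is appended whenever `$companybankid` is set, so an empty `$id` yields `… societe_rib AND rowid = …`, which is invalid SQL; starting with `$sql .= " WHERE 1 = 1";` and making both conditions `AND` keeps the statement well-formed. The enclosing methods start and end outside the hunks.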
diff --git a/htdocs/societe/website.php b/htdocs/societe/website.php index e7a1e086228..e34672bfd1d 100644 --- a/htdocs/societe/website.php +++ b/htdocs/societe/website.php @@ -283,7 +283,7 @@ if ($objectwebsiteaccount->ismultientitymanaged == 1) { } else { $sql .= " WHERE 1 = 1"; } -$sql .= " AND fk_soc = ".$object->id; +$sql .= " AND fk_soc = ".((int) $object->id); foreach ($search as $key => $val) { $mode_search = (($objectwebsiteaccount->isInt($objectwebsiteaccount->fields[$key]) || $objectwebsiteaccount->isFloat($objectwebsiteaccount->fields[$key])) ? 1 : 0); if ($search[$key] != '') { diff --git a/htdocs/stripe/class/stripe.class.php b/htdocs/stripe/class/stripe.class.php index 9caf72c20e1..7f325090b5e 100644 --- a/htdocs/stripe/class/stripe.class.php +++ b/htdocs/stripe/class/stripe.class.php @@ -100,7 +100,7 @@ class Stripe extends CommonObject $sql .= " WHERE service = '".$this->db->escape($mode)."'"; $sql .= " AND entity = ".((int) $entity); if ($fk_soc > 0) { - $sql .= " AND fk_soc = ".$fk_soc; + $sql .= " AND fk_soc = ".((int) $fk_soc); } else { $sql .= " AND fk_soc IS NULL"; } diff --git a/htdocs/supplier_proposal/class/supplier_proposal.class.php b/htdocs/supplier_proposal/class/supplier_proposal.class.php index 78b1df5f6a4..158829ea425 100644 --- a/htdocs/supplier_proposal/class/supplier_proposal.class.php +++ b/htdocs/supplier_proposal/class/supplier_proposal.class.php @@ -1209,9 +1209,9 @@ class SupplierProposal extends CommonObject $sql .= " WHERE p.fk_statut = c.id"; $sql .= " AND p.entity IN (".getEntity('supplier_proposal').")"; if ($ref) { - $sql .= " AND p.ref='".$ref."'"; + $sql .= " AND p.ref = '".$this->db->escape($ref)."'"; } else { - $sql .= " AND p.rowid=".$rowid; + $sql .= " AND p.rowid = ".((int) $rowid); } dol_syslog(get_class($this)."::fetch", LOG_DEBUG); diff --git a/htdocs/takepos/invoice.php b/htdocs/takepos/invoice.php index 7fd162c5fbd..669b37bf806 100644 --- a/htdocs/takepos/invoice.php +++ b/htdocs/takepos/invoice.php 
@@ -1419,7 +1419,7 @@ if ($placeid > 0) { $sql .= " ".MAIN_DB_PREFIX."product_stock as ps"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = ps.fk_product"; $sql .= " WHERE ps.reel != 0"; - $sql .= " AND ps.fk_entrepot = ".$conf->global->$constantforkey; + $sql .= " AND ps.fk_entrepot = ".((int) $conf->global->$constantforkey); $sql .= " AND e.entity IN (".getEntity('stock').")"; $sql .= " AND ps.fk_product = ".$line->fk_product; $resql = $db->query($sql); diff --git a/htdocs/ticket/list.php b/htdocs/ticket/list.php index b774f659d0c..4137680b0f7 100644 --- a/htdocs/ticket/list.php +++ b/htdocs/ticket/list.php @@ -346,7 +346,7 @@ if (is_array($extrafields->attributes[$object->table_element]['label']) && count $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON (t.fk_soc = s.rowid)"; $sql .= " WHERE t.entity IN (".getEntity($object->element).")"; if ($socid > 0) { - $sql .= " AND t.fk_soc = ".$socid; + $sql .= " AND t.fk_soc = ".((int) $socid); } foreach ($search as $key => $val) { diff --git a/htdocs/user/class/api_users.class.php b/htdocs/user/class/api_users.class.php index 2f8972ceafe..803b517a354 100644 --- a/htdocs/user/class/api_users.class.php +++ b/htdocs/user/class/api_users.class.php @@ -93,7 +93,7 @@ class Users extends DolibarrApi // Select products of given category if ($category > 0) { $sql .= " AND c.fk_categorie = ".$this->db->escape($category); - $sql .= " AND c.fk_user = t.rowid "; + $sql .= " AND c.fk_user = t.rowid"; } // Add sql filters diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php index 2ac519b0a26..c1224285c7c 100644 --- a/htdocs/user/class/user.class.php +++ b/htdocs/user/class/user.class.php @@ -2229,7 +2229,7 @@ class User extends CommonObject /** * Add user into a group * - * @param int $group Id of group + * @param int $group Id of group * @param int $entity Entity * @param int $notrigger Disable triggers * @return int <0 if KO, >0 if OK 
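Review bot: Casting `$conf->global->$constantforkey` to int changes the failure mode when that constant is not defined: the old line produced an incomplete `fk_entrepot = ` fragment and a query error, while the new one silently runs `fk_entrepot = 0` and reports no stock for the line. If `$constantforkey` can name an unset constant (its assignment is outside the hunk), guard it before building the query, e.g. `if (empty($conf->global->$constantforkey)) { /* no warehouse configured for this terminal: skip the stock lookup */ }`, so that a misconfiguration is visible rather than indistinguishable from an empty warehouse.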
@@ -2245,7 +2245,7 @@ class User extends CommonObject $sql = "DELETE FROM ".MAIN_DB_PREFIX."usergroup_user"; $sql .= " WHERE fk_user = ".$this->id; - $sql .= " AND fk_usergroup = ".$group; + $sql .= " AND fk_usergroup = ".((int) $group); $sql .= " AND entity = ".$entity; $result = $this->db->query($sql); @@ -2286,7 +2286,7 @@ class User extends CommonObject /** * Remove a user from a group * - * @param int $group Id of group + * @param int $group Id of group * @param int $entity Entity * @param int $notrigger Disable triggers * @return int <0 if KO, >0 if OK @@ -2302,7 +2302,7 @@ class User extends CommonObject $sql = "DELETE FROM ".MAIN_DB_PREFIX."usergroup_user"; $sql .= " WHERE fk_user = ".$this->id; - $sql .= " AND fk_usergroup = ".$group; + $sql .= " AND fk_usergroup = ".((int) $group); $sql .= " AND entity = ".$entity; $result = $this->db->query($sql); @@ -3065,7 +3065,7 @@ class User extends CommonObject * fullpath = chemin complet compose des id: "_grandparentid_parentid_id" * * @param int $deleteafterid Removed all users including the leaf $deleteafterid (and all its child) in user tree. - * @param string $filter SQL filter on users + * @param string $filter SQL filter on users. This parameter must not come from user intput. * @return array Array of users $this->users. Note: $this->parentof is also set. */ public function get_full_tree($deleteafterid = 0, $filter = '') diff --git a/htdocs/user/home.php b/htdocs/user/home.php index dfb201bc441..4a41b3fd899 100644 --- a/htdocs/user/home.php +++ b/htdocs/user/home.php @@ -128,7 +128,7 @@ if ($reshook > 0) { $sql .= " WHERE u.entity IN (".getEntity('user').")"; } if (!empty($socid)) { - $sql .= " AND u.fk_soc = ".$socid; + $sql .= " AND u.fk_soc = ".((int) $socid); } $sql .= $db->order("u.datec", "DESC"); $sql .= $db->plimit($max); diff --git a/htdocs/user/list.php b/htdocs/user/list.php index 75cea8b604d..eeb7118bb2e 100644 --- a/htdocs/user/list.php +++ b/htdocs/user/list.php 
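Review bot: The docblock line added in the `get_full_tree()` hunk misspells "input" as `intput`; suggest `@param string $filter SQL filter on users. This parameter must not come from user input.` Stating why — presumably because the value is concatenated into the query as-is — would stop a reader from taking it for a style remark; the method body is outside the hunk, so the reason could not be confirmed here.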
@@ -353,7 +353,7 @@ if ($reshook > 0) { $sql .= " WHERE u.entity IN (".getEntity('user').")"; } if ($socid > 0) { - $sql .= " AND u.fk_soc = ".$socid; + $sql .= " AND u.fk_soc = ".((int) $socid); } //if ($search_user != '') $sql.=natural_search(array('u.login', 'u.lastname', 'u.firstname'), $search_user); if ($search_supervisor > 0) { diff --git a/htdocs/user/perms.php b/htdocs/user/perms.php index f14fcee2e0f..48b44d2fc57 100644 --- a/htdocs/user/perms.php +++ b/htdocs/user/perms.php @@ -194,7 +194,7 @@ $permsuser = array(); $sql = "SELECT DISTINCT ur.fk_id"; $sql .= " FROM ".MAIN_DB_PREFIX."user_rights as ur"; $sql .= " WHERE ur.entity = ".$entity; -$sql .= " AND ur.fk_user = ".$object->id; +$sql .= " AND ur.fk_user = ".((int) $object->id); dol_syslog("get user perms", LOG_DEBUG); $result = $db->query($sql); diff --git a/htdocs/website/class/website.class.php b/htdocs/website/class/website.class.php index 1d30b71ad0a..27ede3cd0ef 100644 --- a/htdocs/website/class/website.class.php +++ b/htdocs/website/class/website.class.php @@ -1415,7 +1415,7 @@ class Website extends CommonObject $sql = "SELECT wp.rowid, wp.lang, wp.pageurl, wp.fk_page"; $sql .= " FROM ".MAIN_DB_PREFIX."website_page as wp"; $sql .= " WHERE wp.fk_website = ".$website->id; - $sql .= " AND (wp.fk_page = ".$pageid." OR wp.rowid = ".$pageid; + $sql .= " AND (wp.fk_page = ".((int) $pageid)." OR wp.rowid = ".((int) $pageid); if ($tmppage->fk_page > 0) { $sql .= " OR wp.fk_page = ".$tmppage->fk_page." OR wp.rowid = ".$tmppage->fk_page; } diff --git a/htdocs/zapier/class/api_zapier.class.php b/htdocs/zapier/class/api_zapier.class.php index f5447bfa804..ebf62d115ab 100644 --- a/htdocs/zapier/class/api_zapier.class.php +++ b/htdocs/zapier/class/api_zapier.class.php 
@@ -180,7 +180,7 @@ class ZapierApi extends DolibarrApi $sql .= " AND t.fk_soc = sc.fk_soc"; } if ($restrictonsocid && $socid) { - $sql .= " AND t.fk_soc = ".$socid; + $sql .= " AND t.fk_soc = ".((int) $socid); } if ($restrictonsocid && $search_sale > 0) { // Join for the needed table to filter by sale @@ -188,7 +188,7 @@ class ZapierApi extends DolibarrApi } // Insert sale filter if ($restrictonsocid && $search_sale > 0) { - $sql .= " AND sc.fk_user = ".$search_sale; + $sql .= " AND sc.fk_user = ".((int) $search_sale); } if ($sqlfilters) { if (!DolibarrApi::_checkFilters($sqlfilters)) { From 4ff26bd8c5491d0639bc69ea3352ece863bf67e6 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 22 Mar 2021 13:39:34 +0100 Subject: [PATCH 05/47] Removed deprecated code --- htdocs/compta/index.php | 2 - htdocs/fourn/facture/impayees.php | 318 ------------------------------ 2 files changed, 320 deletions(-) delete mode 100644 htdocs/fourn/facture/impayees.php diff --git a/htdocs/compta/index.php b/htdocs/compta/index.php index a4c19f4d039..9c3544b512e 100644 --- a/htdocs/compta/index.php +++ b/htdocs/compta/index.php @@ -1208,8 +1208,6 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU print ''; print $langs->trans("BillsSuppliersUnpaid", $num).' '; print ''; - // TODO: "impayees.php" looks very outdatetd and should be set to deprecated or directly remove in the next version - // print ''.$num.''; print ''; print ''; diff --git a/htdocs/fourn/facture/impayees.php b/htdocs/fourn/facture/impayees.php deleted file mode 100644 index 89f8a23d16d..00000000000 --- a/htdocs/fourn/facture/impayees.php +++ /dev/null 
@@ -1,318 +0,0 @@ - - * Copyright (C) 2004 Eric Seigne - * Copyright (C) 2004-2012 Laurent Destailleur - * Copyright (C) 2005-2012 Regis Houssin - * Copyright (C) 2012 Vinicius Nogueira - * Copyright (C) 2012 Juanjo Menent - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ - -/** - * \file htdocs/fourn/facture/impayees.php - * \ingroup facture - * \brief Page to list all unpaid invoices - */ - -require '../../main.inc.php'; -require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.class.php'; -require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.facture.class.php'; -require_once DOL_DOCUMENT_ROOT.'/compta/paiement/class/paiement.class.php'; - -if (!$user->rights->fournisseur->facture->lire) { - accessforbidden(); -} - -$langs->loadLangs(array("companies", "bills")); - -$socid = GETPOST('socid', 'int'); -$option = GETPOST('option'); - -// Security check -if ($user->socid > 0) { - $action = ''; - $socid = $user->socid; -} - -$sortfield = GETPOST("sortfield", 'alpha'); -$sortorder = GETPOST("sortorder", 'alpha'); - -$search_ref = GETPOST('search_ref', 'alpha'); -$search_ref_supplier = GETPOST('search_ref_supplier', 'alpha'); -$search_company = GETPOST('search_company', 'alpha'); -$search_amount_no_tax = GETPOST('search_amount_no_tax', 'alpha'); -$search_amount_all_tax = GETPOST('search_amount_all_tax', 'alpha'); - -$limit = GETPOST('limit', 'int') ? 
GETPOST('limit', 'int') : $conf->liste_limit; -$page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); -if (empty($page) || $page == -1) { - $page = 0; -} // If $page is not defined, or '' or -1 -$offset = $limit * $page; -$pageprev = $page - 1; -$pagenext = $page + 1; -if (!$sortfield) { - $sortfield = "f.date_lim_reglement"; -} -if (!$sortorder) { - $sortorder = "ASC"; -} - -if (GETPOST('button_removefilter_x', 'alpha') || GETPOST('button_removefilter', 'alpha')) { // Both test are required to be compatible with all browsers - $search_ref = ""; - $search_ref_supplier = ""; - $search_company = ""; - $search_amount_no_tax = ""; - $search_amount_all_tax = ""; -} - -/* - * View - */ - -$now = dol_now(); - -llxHeader('', $langs->trans("BillsSuppliersUnpaid")); - -$title = $langs->trans("BillsSuppliersUnpaid"); - -$facturestatic = new FactureFournisseur($db); -$companystatic = new Societe($db); - -if ($user->rights->fournisseur->facture->lire) { - $sql = "SELECT s.rowid as socid, s.nom as name,"; - $sql .= " f.rowid, f.ref, f.ref_supplier, f.total_ht, f.total_ttc,"; - $sql .= " f.datef as df, f.date_lim_reglement as datelimite, "; - $sql .= " f.paye as paye, f.rowid as facid, f.fk_statut"; - $sql .= " ,sum(pf.amount) as am"; - if (!$user->rights->societe->client->voir && !$socid) { - $sql .= ", sc.fk_soc, sc.fk_user "; - } - $sql .= " FROM ".MAIN_DB_PREFIX."societe as s"; - if (!$user->rights->societe->client->voir && !$socid) { - $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - } - $sql .= ",".MAIN_DB_PREFIX."facture_fourn as f"; - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."paiementfourn_facturefourn as pf ON f.rowid=pf.fk_facturefourn "; - $sql .= " WHERE f.entity = ".$conf->entity; - $sql .= " AND f.fk_soc = s.rowid"; - $sql .= " AND f.paye = 0 AND f.fk_statut = 1"; - if ($option == 'late') { - $sql .= " AND f.date_lim_reglement < '".$db->idate(dol_now() - $conf->facture->fournisseur->warning_delay)."'"; - } - if 
(!$user->rights->societe->client->voir && !$socid) { - $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; - } - if ($socid) { - $sql .= " AND s.rowid = ".((int) $socid); - } - if ($search_ref) { - $sql .= " AND f.ref LIKE '%".$db->escape($search_ref)."%'"; - } - if ($search_ref_supplier) { - $sql .= " AND f.ref_supplier LIKE '%".$db->escape($search_ref_supplier)."%'"; - } - - if ($search_company) { - $sql .= " AND s.nom LIKE '%".$db->escape($search_company)."%'"; - } - - if ($search_amount_no_tax) { - $sql .= " AND f.total_ht = '".$db->escape($search_amount_no_tax)."'"; - } - - if ($search_amount_all_tax) { - $sql .= " AND f.total_ttc = '".$db->escape($search_amount_all_tax)."'"; - } - - if (dol_strlen(GETPOST('sf_re')) > 0) { - $sql .= " AND f.ref_supplier LIKE '%".$db->escape(GETPOST('sf_re'))."%'"; - } - - $sql .= " GROUP BY s.rowid, s.nom, f.rowid, f.ref, f.ref_supplier, f.total_ht, f.total_ttc, f.datef, f.date_lim_reglement, f.paye, f.fk_statut"; - if (!$user->rights->societe->client->voir && !$socid) { - $sql .= ", sc.fk_soc, sc.fk_user "; - } - $sql .= $db->order($sortfield, $sortorder); - if (!in_array("f.ref_supplier", explode(',', $sortfield))) { - $sql .= ", f.ref_supplier DESC"; - } - - $resql = $db->query($sql); - if ($resql) { - $num = $db->num_rows($resql); - - if ($socid) { - $soc = new Societe($db); - $soc->fetch($socid); - } - - $param = ''; - if ($socid) { - $param .= "&socid=".$socid; - } - - if ($search_ref) { - $param .= '&search_ref='.urlencode($search_ref); - } - if ($search_ref_supplier) { - $param .= '&search_ref_supplier='.urlencode($search_ref_supplier); - } - if ($search_company) { - $param .= '&search_company='.urlencode($search_company); - } - if ($search_amount_no_tax) { - $param .= '&search_amount_no_tax='.urlencode($search_amount_no_tax); - } - if ($search_amount_all_tax) { - $param .= '&search_amount_all_tax='.urlencode($search_amount_all_tax); - } - - $param .= ($option ? 
"&option=".$option : ""); - if (!empty($late)) { - $param .= '&late='.urlencode($late); - } - $urlsource = str_replace('&', '&', $param); - - $titre = ($socid ? $langs->trans("BillsSuppliersUnpaidForCompany", $soc->name) : $langs->trans("BillsSuppliersUnpaid")); - - if ($option == 'late') { - $titre .= ' ('.$langs->trans("Late").')'; - } else { - $titre .= ' ('.$langs->trans("All").')'; - } - - $link = ''; - if (empty($option)) { - $link = ''.$langs->trans("ShowUnpaidLateOnly").''; - } elseif ($option == 'late') { - $link = ''.$langs->trans("ShowUnpaidAll").''; - } - print load_fiche_titre($titre, $link); - - print_barre_liste('', '', $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, '', 0); // We don't want pagination on this page - $i = 0; - print '
'; - - print ''; - print ''; - print_liste_field_titre("Ref", $_SERVER["PHP_SELF"], "f.rowid", "", $param, "", $sortfield, $sortorder); - print_liste_field_titre("RefSupplier", $_SERVER["PHP_SELF"], "f.ref_supplier", "", $param, "", $sortfield, $sortorder); - print_liste_field_titre("Date", $_SERVER["PHP_SELF"], "f.datef", "", $param, '', $sortfield, $sortorder, 'center '); - print_liste_field_titre("DateDue", $_SERVER["PHP_SELF"], "f.date_lim_reglement", "", $param, '', $sortfield, $sortorder, 'center '); - print_liste_field_titre("Company", $_SERVER["PHP_SELF"], "s.nom", "", $param, "", $sortfield, $sortorder); - print_liste_field_titre("AmountHT", $_SERVER["PHP_SELF"], "f.total_ht", "", $param, '', $sortfield, $sortorder, 'right '); - print_liste_field_titre("AmountTTC", $_SERVER["PHP_SELF"], "f.total_ttc", "", $param, '', $sortfield, $sortorder, 'right '); - print_liste_field_titre("AlreadyPaid", $_SERVER["PHP_SELF"], "am", "", $param, '', $sortfield, $sortorder, 'right '); - print_liste_field_titre("Status", $_SERVER["PHP_SELF"], "fk_statut,paye,am", "", $param, '', $sortfield, $sortorder, 'right '); - print "\n"; - - // Lines with filter fields - print ''; - print ''; - print ''; - print ''; - print ''; - print ''; - print ''; - print "\n"; - - if ($num > 0) { - $total_ht = 0; - $total_ttc = 0; - $total_paid = 0; - - while ($i < $num) { - $objp = $db->fetch_object($resql); - - $facturestatic->statut = $objp->fk_statut; - $facturestatic->date_echeance = $db->jdate($objp->datelimite); - - - - print ''; - $classname = "impayee"; - - print '\n"; - - print ''; - - print '\n"; - print '\n"; - - print ''; - - print ""; - print ""; - print ""; - - // Show invoice status - print ''; - - print "\n"; - $total_ht += $objp->total_ht; - $total_ttc += $objp->total_ttc; - $total_paid += $objp->am; - - $i++; - } - - print ''; - print ""; - print ""; - print ""; - print ""; - print ''; - print "\n"; - } - - print "
'; - print ''; - print '  '; - print ''; - print ''; - print ''; - print ''; - print ''; - print ''; - $searchpicto = $form->showFilterAndCheckAddButtons(0); - print $searchpicto; - print '
'; - $facturestatic->id = $objp->facid; - $facturestatic->ref = $objp->ref; - print $facturestatic->getNomUrl(1); - print "'.dol_trunc($objp->ref_supplier, 12).''.dol_print_date($db->jdate($objp->df), 'day')."'.dol_print_date($db->jdate($objp->datelimite), 'day'); - if ($facturestatic->hasDelay()) { - print img_warning($langs->trans("Late")); - } - print "'; - $companystatic->id = $objp->socid; - $companystatic->name = $objp->name; - print $companystatic->getNomUrl(1, 'supplier', 32); - print '".price($objp->total_ht)."".price($objp->total_ttc)."".price($objp->am)."'; - print $facturestatic->LibStatut($objp->paye, $objp->fk_statut, 5, $objp->am); - print '
".$langs->trans("Total").": ".price($total_ht)."".price($total_ttc)."".price($total_paid)." 
"; - - print '
'; - - $db->free($resql); - } else { - dol_print_error($db); - } -} - -// End of page -llxFooter(); -$db->close(); From 7b011334937ec33119e411f956d14aa16216efca Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 22 Mar 2021 13:41:43 +0100 Subject: [PATCH 06/47] Fix escape --- htdocs/societe/class/api_thirdparties.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/societe/class/api_thirdparties.class.php b/htdocs/societe/class/api_thirdparties.class.php index f0cf3fa595a..ddc9fa41fdb 100644 --- a/htdocs/societe/class/api_thirdparties.class.php +++ b/htdocs/societe/class/api_thirdparties.class.php @@ -1435,7 +1435,7 @@ class Thirdparties extends DolibarrApi $sql = "SELECT rowid, fk_soc, key_account, site, date_creation, tms FROM ".MAIN_DB_PREFIX."societe_account"; $sql .= " WHERE fk_soc = ".((int) $id); if ($site) { - $sql .= " AND site ='".$this->db-escape($site)."'"; + $sql .= " AND site ='".$this->db->escape($site)."'"; } $result = $this->db->query($sql); From e79284ea2955c80793d593d7322e2127a2d90243 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 22 Mar 2021 13:56:19 +0100 Subject: [PATCH 07/47] FIX Vulnerability: Idor leading to lock admin users. --- htdocs/user/card.php | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/htdocs/user/card.php b/htdocs/user/card.php index d4373812f61..cfc63a01411 100644 --- a/htdocs/user/card.php +++ b/htdocs/user/card.php @@ -89,7 +89,7 @@ if (!empty($conf->global->MAIN_USE_ADVANCED_PERMS)) { // Define value to know what current user can do on properties of edited user if ($id) { - // $user est le user qui edite, $id est l'id de l'utilisateur edite + // $user is the current logged user, $id is the user we want to edit $caneditfield = ((($user->id == $id) && $user->rights->user->self->creer) || (($user->id != $id) && $user->rights->user->user->creer)); $caneditpassword = ((($user->id == $id) && $user->rights->user->self->password) 
@@ -122,6 +122,7 @@ $socialnetworks = getArrayOfSocialNetworks(); // Initialize technical object to manage hooks. Note that conf->hooks_modules contains array $hookmanager->initHooks(array('usercard', 'globalcard')); +$error = 0; /** @@ -136,11 +137,17 @@ if ($reshook < 0) { if (empty($reshook)) { if ($action == 'confirm_disable' && $confirm == "yes" && $candisableuser) { - if ($id <> $user->id) { + if ($id <> $user->id) { // A user can't disable itself $object->fetch($id); - $object->setstatus(0); - header("Location: ".$_SERVER['PHP_SELF'].'?id='.$id); - exit; + if ($object->admin && empty($user->admin)) { + // If user to delete is an admin user and if logged user is not admin, we deny the operation. + $error++; + setEventMessages($langs->trans("OnlyAdminUsersCanDisableAdminUsers"), null, 'errors'); + } else { + $object->setstatus(0); + header("Location: ".$_SERVER['PHP_SELF'].'?id='.$id); + exit; + } } } if ($action == 'confirm_enable' && $confirm == "yes" && $candisableuser) { From 897d6531449eb1ca4a1f5282e49b313ef422bada Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 22 Mar 2021 16:09:18 +0100 Subject: [PATCH 08/47] Debug default date for vat reports --- htdocs/compta/tva/card.php | 8 +- htdocs/compta/tva/clients.php | 66 +-------------- htdocs/compta/tva/index.php | 97 ++-------------------- htdocs/compta/tva/initdatesforvat.inc.php | 98 +++++++++++++++++++++++ htdocs/compta/tva/quadri_detail.php | 97 ++++++---------------- htdocs/core/lib/tax.lib.php | 31 ++++--- htdocs/langs/en_US/compta.lang | 2 +- 7 files changed, 155 insertions(+), 244 deletions(-) create mode 100644 htdocs/compta/tva/initdatesforvat.inc.php diff --git a/htdocs/compta/tva/card.php b/htdocs/compta/tva/card.php index 1aaf8c60748..c4daeb801c6 100755 --- a/htdocs/compta/tva/card.php +++ b/htdocs/compta/tva/card.php 
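Review bot: The new guard relies on the translation key `OnlyAdminUsersCanDisableAdminUsers`, but the commit's diffstat touches only `htdocs/user/card.php`, so unless that key already exists in the language files the user will see the raw key instead of a message. The check also covers only `confirm_disable`; the `confirm_enable` branch on the hunk's last line shares `$candisableuser` and would need the same `$object->admin && empty($user->admin)` test if the intent is to keep non-admins from acting on admin accounts (its body is outside the hunk, as is any delete action). Finally, the return value of `$object->fetch($id)` is not checked before `$object->admin` is read, so a failed fetch leaves `admin` empty and the code falls through to `setstatus(0)`; `if ($object->fetch($id) > 0)` around the new block would close that path.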
@@ -461,16 +461,14 @@ if ($action == 'create') { $reshook = $hookmanager->executeHooks('formObjectOptions', $parameters, $object, $action); // Note that $action and $object may have been modified by hook print $hookmanager->resPrint; - // Bouton Save payment - print ''; - print $langs->trans("ClosePaidVATAutomatically"); - print ''; - print ''; print dol_get_fiche_end(); print '
'; + print ''; + print ' '.$langs->trans("ClosePaidVATAutomatically").''; + print '
'; print ''; print '     '; print ''; diff --git a/htdocs/compta/tva/clients.php b/htdocs/compta/tva/clients.php index 7ec5ad5b4f1..1640daeb1c6 100644 --- a/htdocs/compta/tva/clients.php +++ b/htdocs/compta/tva/clients.php 
@@ -43,71 +43,7 @@ require_once DOL_DOCUMENT_ROOT.'/expensereport/class/paymentexpensereport.class. // Load translation files required by the page $langs->loadLangs(array("other", "compta", "banks", "bills", "companies", "product", "trips", "admin")); - -$now = dol_now(); -$current_date = dol_getdate($now); -if (empty($conf->global->SOCIETE_FISCAL_MONTH_START)) { - $conf->global->SOCIETE_FISCAL_MONTH_START = 1; -} - -// Date range -$year = GETPOST("year", "int"); -if (empty($year)) { - $year_current = $current_date['year']; - $year_start = $year_current; -} else { - $year_current = $year; - $year_start = $year; -} -$date_start = dol_mktime(0, 0, 0, GETPOST("date_startmonth"), GETPOST("date_startday"), GETPOST("date_startyear")); -$date_end = dol_mktime(23, 59, 59, GETPOST("date_endmonth"), GETPOST("date_endday"), GETPOST("date_endyear")); -// Set default period if not defined -if (empty($date_start) || empty($date_end)) { // We define date_start and date_end - $q = GETPOST("q", "int"); - if (empty($q)) { - if (GETPOST("month", 'int')) { - $date_start = dol_get_first_day($year_start, GETPOST("month", 'int'), false); - $date_end = dol_get_last_day($year_start, GETPOST("month", 'int'), false); - } else { - if (empty($conf->global->MAIN_INFO_VAT_RETURN) || $conf->global->MAIN_INFO_VAT_RETURN == 2) { // quaterly vat, we take last past complete quarter - $date_start = dol_time_plus_duree(dol_get_first_day($year_start, $current_date['mon'], false), -3 - (($current_date['mon'] - $conf->global->SOCIETE_FISCAL_MONTH_START) % 3), 'm'); - $date_end = dol_time_plus_duree($date_start, 3, 'm') - 1; - } elseif ($conf->global->MAIN_INFO_VAT_RETURN == 3) { // yearly vat - if ($current_date['mon'] < $conf->global->SOCIETE_FISCAL_MONTH_START) { - if (($conf->global->SOCIETE_FISCAL_MONTH_START - $current_date['mon']) > 6) { // If period started from less than 6 years, we show past year - $year_start--; - } - } else { - if (($current_date['mon'] - 
$conf->global->SOCIETE_FISCAL_MONTH_START) < 6) { // If perdio started from less than 6 years, we show past year - $year_start--; - } - } - $date_start = dol_get_first_day($year_start, $conf->global->SOCIETE_FISCAL_MONTH_START, false); - $date_end = dol_time_plus_duree($date_start, 1, 'y') - 1; - } elseif ($conf->global->MAIN_INFO_VAT_RETURN == 1) { // monthly vat, we take last past complete month - $date_start = dol_time_plus_duree(dol_get_first_day($year_start, $current_date['mon'], false), -1, 'm'); - $date_end = dol_time_plus_duree($date_start, 1, 'm') - 1; - } - } - } else { - if ($q == 1) { - $date_start = dol_get_first_day($year_start, 1, false); - $date_end = dol_get_last_day($year_start, 3, false); - } - if ($q == 2) { - $date_start = dol_get_first_day($year_start, 4, false); - $date_end = dol_get_last_day($year_start, 6, false); - } - if ($q == 3) { - $date_start = dol_get_first_day($year_start, 7, false); - $date_end = dol_get_last_day($year_start, 9, false); - } - if ($q == 4) { - $date_start = dol_get_first_day($year_start, 10, false); - $date_end = dol_get_last_day($year_start, 12, false); - } - } -} +include DOL_DOCUMENT_ROOT.'/compta/tva/initdatesforvat.inc.php'; $min = price2num(GETPOST("min", "alpha")); if (empty($min)) { diff --git a/htdocs/compta/tva/index.php b/htdocs/compta/tva/index.php index ba2669077c9..63b834d7821 100644 --- a/htdocs/compta/tva/index.php +++ b/htdocs/compta/tva/index.php 
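Review bot: The replacement pulls `initdatesforvat.inc.php` in with a plain `include`, so a missing or unreadable file only emits a warning and the page continues with `$date_start`, `$date_end`, `$year_start` and `$q` undefined, all of which the removed block always set. Since the rest of the page cannot work without them, `require DOL_DOCUMENT_ROOT.'/compta/tva/initdatesforvat.inc.php';` is the safer form, and the same applies to the identical line added in index.php further down. The include file is new in this commit and not shown here, so whether it also reproduces the `SOCIETE_FISCAL_MONTH_START` default that the removed block applied could not be verified.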
@@ -37,99 +37,15 @@ require_once DOL_DOCUMENT_ROOT.'/compta/localtax/class/localtax.class.php'; // Load translation files required by the page $langs->loadLangs(array("other", "compta", "banks", "bills", "companies", "product", "trips", "admin")); -$form = new Form($db); -$now = dol_now(); -$current_date = dol_getdate($now); -if (empty($conf->global->SOCIETE_FISCAL_MONTH_START)) { - $conf->global->SOCIETE_FISCAL_MONTH_START = 1; -} - $refresh = GETPOSTISSET('submit') ? true : false; +$year_current = GETPOSTISSET('year') ? GETPOST('year', 'int') : dol_print_date($now, '%Y', 'tzserver'); +$year_start = $year_current; +$month_current = GETPOSTISSET('month') ? GETPOST('month', 'int') : dol_print_date($now, '%m', 'tzserver'); +$month_start = $month_current; -if ($refresh === false) { - $year_current = dol_print_date('%Y', $now); - $month_current = dol_print_date('%m', $now); +$refresh = true; - // 1 : Monthly (by default) - // 2 : Quarterly - // 3 : Annual - if ($conf->global->MAIN_INFO_VAT_RETURN == 2) { - // quarterly - $year = $year_current; - if ($month_current >= 7 && $month_current <= 9) { - $month_start = 4; - $month_end = 6; - } elseif ($month_current >= 10 && $month_current <= 12) { - $month_start = 7; - $month_end = 9; - } elseif ($month_current >= 1 && $month_current <= 3) { - $month_start = 10; - $month_end = 12; - $year--; - } else { - $month_start = 1; - $month_end = 3; - } - $date_start = dol_get_first_day($year, $month_start); - $date_end = dol_get_last_day($year, $month_end); - } elseif ($conf->global->MAIN_INFO_VAT_RETURN == 3) { - // annual - $date_start = dol_get_first_day($year_current, 1); - $date_end = dol_get_last_day($year_current, 12); - } else { - // monthly by default - $year = $year_current; - $month_last = $month_current - 1; - if ($month_last <= 0) { - $month_last = $month_last + 12; - $year--; - } - $date_start = dol_get_first_day($year, $month_last); - $date_end = dol_get_last_day($year, $month_last); - } -} else { - // Date range - 
$year = GETPOST("year", "int"); - if (empty($year)) { - $year_current = dol_print_date(dol_now(), "%Y"); - if ($conf->global->SOCIETE_FISCAL_MONTH_START > dol_print_date(dol_now(), "%m")) $year_current--; - $year_start = $year_current; - } else { - $year_current = $year; - $year_start = $year; - } - $date_start = dol_mktime(0, 0, 0, GETPOST("date_startmonth"), GETPOST("date_startday"), GETPOST("date_startyear")); - $date_end = dol_mktime(23, 59, 59, GETPOST("date_endmonth"), GETPOST("date_endday"), GETPOST("date_endyear")); - if (empty($date_start) || empty($date_end)) {// We define date_start and date_end - $q = GETPOST("q", "int"); - if (empty($q)) { - if (GETPOST("month", "int")) { - $date_start = dol_get_first_day($year_start, GETPOST("month", "int"), false); - $date_end = dol_get_last_day($year_start, GETPOST("month", "int"), false); - } else { - $date_start = dol_get_first_day($year_start, $conf->global->SOCIETE_FISCAL_MONTH_START, false); - $date_end = dol_time_plus_duree($date_start, 1, 'y') - 1; - } - } else { - if ($q == 1) { - $date_start = dol_get_first_day($year_start, 1, false); - $date_end = dol_get_last_day($year_start, 3, false); - } - if ($q == 2) { - $date_start = dol_get_first_day($year_start, 4, false); - $date_end = dol_get_last_day($year_start, 6, false); - } - if ($q == 3) { - $date_start = dol_get_first_day($year_start, 7, false); - $date_end = dol_get_last_day($year_start, 9, false); - } - if ($q == 4) { - $date_start = dol_get_first_day($year_start, 10, false); - $date_end = dol_get_last_day($year_start, 12, false); - } - } - } -} +include DOL_DOCUMENT_ROOT.'/compta/tva/initdatesforvat.inc.php'; // Define modetax (0 or 1) // 0=normal, 1=option vat for services is on debit, 2=option on payments for products @@ -255,6 +171,7 @@ function pt($db, $sql, $date) * View */ +$form = new Form($db); $company_static = new Societe($db); $tva = new Tva($db); 
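Review bot: The new `$year_current`/`$month_current` lines read `$now`, but this same hunk removes `$now = dol_now();` and the include that redefines `$now` is only reached after them, so unless `$now` is set earlier in the file (outside the hunk) `dol_print_date($now, '%Y', 'tzserver')` operates on an undefined variable. Either keep `$now = dol_now();` above these lines or move them below the `include`. The kept `$refresh = GETPOSTISSET('submit') ? true : false;` is also immediately overwritten by the added `$refresh = true;`, so one of the two is dead. Moving `$form = new Form($db);` into the view section (hunk at `@@ -255`) is only safe if no code between the two points uses `$form`, which this chunk cannot confirm.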
diff --git a/htdocs/compta/tva/initdatesforvat.inc.php b/htdocs/compta/tva/initdatesforvat.inc.php new file mode 100644 index 00000000000..8039fce728f --- /dev/null +++ b/htdocs/compta/tva/initdatesforvat.inc.php 
@@ -0,0 +1,98 @@ + + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * or see https://www.gnu.org/ + */ + +/** + * \file htdocs/compta/tva/initdatesforvat.inc.php + * \brief Set value for date_start and date_end + */ + +$now = dol_now(); +$current_date = dol_getdate($now); +if (empty($conf->global->SOCIETE_FISCAL_MONTH_START)) { + $conf->global->SOCIETE_FISCAL_MONTH_START = 1; +} + +// Date range +$year = GETPOST("year", "int"); +if (empty($year)) { + $year_current = $current_date['year']; + $year_start = $year_current; +} else { + $year_current = $year; + $year_start = $year; +} +$date_start = dol_mktime(0, 0, 0, GETPOST("date_startmonth"), GETPOST("date_startday"), GETPOST("date_startyear"), 'tzserver'); +$date_end = dol_mktime(23, 59, 59, GETPOST("date_endmonth"), GETPOST("date_endday"), GETPOST("date_endyear"), 'tzserver'); +// Set default period if not defined +if (empty($date_start) || empty($date_end)) { // We define date_start and date_end + $q = GETPOST("q", "int"); + if (empty($q)) { + if (GETPOST("month", 'int')) { + $date_start = dol_get_first_day($year_start, GETPOST("month", 'int'), 'tzserver'); + $date_end = dol_get_last_day($year_start, GETPOST("month", 'int'), 'tzserver'); + } else { + if (empty($conf->global->MAIN_INFO_VAT_RETURN) || $conf->global->MAIN_INFO_VAT_RETURN == 2) { // quaterly vat, we take last past complete quarter + $date_start = 
dol_time_plus_duree(dol_get_first_day($year_start, $current_date['mon'], false), -3 - (($current_date['mon'] - $conf->global->SOCIETE_FISCAL_MONTH_START) % 3), 'm'); + $date_end = dol_time_plus_duree($date_start, 3, 'm') - 1; + } elseif ($conf->global->MAIN_INFO_VAT_RETURN == 3) { // yearly vat + if ($current_date['mon'] < $conf->global->SOCIETE_FISCAL_MONTH_START) { + if (($conf->global->SOCIETE_FISCAL_MONTH_START - $current_date['mon']) > 6) { // If period started from less than 6 years, we show past year + $year_start--; + } + } else { + if (($current_date['mon'] - $conf->global->SOCIETE_FISCAL_MONTH_START) < 6) { // If perdio started from less than 6 years, we show past year + $year_start--; + } + } + $date_start = dol_get_first_day($year_start, $conf->global->SOCIETE_FISCAL_MONTH_START, 'tzserver'); + $date_end = dol_time_plus_duree($date_start, 1, 'y') - 1; + } elseif ($conf->global->MAIN_INFO_VAT_RETURN == 1) { // monthly vat, we take last past complete month + $date_start = dol_time_plus_duree(dol_get_first_day($year_start, $current_date['mon'], false), -1, 'm'); + $date_end = dol_time_plus_duree($date_start, 1, 'm') - 1; + } + } + } else { + if ($q == 1) { + $date_start = dol_get_first_day($year_start, 1, 'tzserver'); + $date_end = dol_get_last_day($year_start, 3, 'tzserver'); + } + if ($q == 2) { + $date_start = dol_get_first_day($year_start, 4, 'tzserver'); + $date_end = dol_get_last_day($year_start, 6, 'tzserver'); + } + if ($q == 3) { + $date_start = dol_get_first_day($year_start, 7, 'tzserver'); + $date_end = dol_get_last_day($year_start, 9, 'tzserver'); + } + if ($q == 4) { + $date_start = dol_get_first_day($year_start, 10, 'tzserver'); + $date_end = dol_get_last_day($year_start, 12, 'tzserver'); + } + } +} + +//print dol_print_date($date_start, 'day').' 
'.dol_print_date($date_end, 'day'); + +$tmp = dol_getdate($date_start); +$date_start_day = $tmp['mday']; +$date_start_month = $tmp['mon']; +$date_start_year = $tmp['year']; +$tmp = dol_getdate($date_end); +$date_end_day = $tmp['mday']; +$date_end_month = $tmp['mon']; +$date_end_year = $tmp['year']; diff --git a/htdocs/compta/tva/quadri_detail.php b/htdocs/compta/tva/quadri_detail.php index 590999c7b31..07071b250e5 100644 --- a/htdocs/compta/tva/quadri_detail.php +++ b/htdocs/compta/tva/quadri_detail.php 
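Review bot: `$q` is only assigned inside the `if (empty($date_start) || empty($date_end))` branch, so when a caller submits explicit date_start*/date_end* fields `$q` stays undefined, yet quadri_detail.php reads it unconditionally (`$prevquarter = $q;` in its hunk at `@@ -182`); hoist `$q = GETPOST("q", "int");` above the `if`. The quarterly and monthly branches still call `dol_get_first_day($year_start, $current_date['mon'], false)` while every other call in this file now passes `'tzserver'`, so a defaulted period is resolved in a different timezone than an explicit one. The `dol_mktime` calls also pass untyped `GETPOST("date_startmonth")` and siblings; since only integers are meaningful there, `GETPOST("date_startmonth", "int")` validates the request value at the boundary. The two comments "If period started from less than 6 years" / "If perdio started ..." describe months, not years.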
@@ -45,68 +45,11 @@ require_once DOL_DOCUMENT_ROOT.'/expensereport/class/paymentexpensereport.class. // Load translation files required by the page $langs->loadLangs(array("other", "compta", "banks", "bills", "companies", "product", "trips", "admin")); -$now = dol_now(); -$refresh = GETPOSTISSET('submit') ? true : false; +$refresh = (GETPOSTISSET('submit') || GETPOSTISSET('vat_rate_show') || GETPOSTISSET('invoice_type')) ? true : false; $invoice_type = GETPOSTISSET('invoice_type') ? GETPOST('invoice_type', 'alpha') : ''; $vat_rate_show = GETPOSTISSET('vat_rate_show') ? GETPOST('vat_rate_show', 'int') : -1; -$year_current = GETPOSTISSET('year') ? GETPOST('year', 'int') : intval(strftime('%Y', $now)); -$year_start = $year_current; -$month_current = GETPOSTISSET('month') ? GETPOST('month', 'int') : intval(strftime('%m', $now)); -$month_start = $month_current; -if ($refresh === false) { - $date_start = dol_get_first_day($year_start, $month_start); - $date_end = dol_get_last_day($year_start, $month_start); -} else { - // Date range - //$year=GETPOST("year", "int"); - //if (empty($year)) - //{ - // $year_current = strftime("%Y", dol_now()); - // $year_start = $year_current; - //} else { - // $year_current = $year; - // $year_start = $year; - //} - - $date_start=dol_mktime(0, 0, 0, GETPOST("date_startmonth"), GETPOST("date_startday"), GETPOST("date_startyear")); - $date_end=dol_mktime(23, 59, 59, GETPOST("date_endmonth"), GETPOST("date_endday"), GETPOST("date_endyear")); - // Quarter - if (empty($date_start) || empty($date_end)) { // We define date_start and date_end - $q=GETPOST("q", "int"); - if (empty($q)) { - if (GETPOST("month", "int")) { - $date_start=dol_get_first_day($year_start, GETPOST("month", "int"), false); - $date_end=dol_get_last_day($year_start, GETPOST("month", "int"), false); - } else { - $date_start=dol_get_first_day($year_start, empty($conf->global->SOCIETE_FISCAL_MONTH_START)?1:$conf->global->SOCIETE_FISCAL_MONTH_START, false); - if 
(empty($conf->global->MAIN_INFO_VAT_RETURN) || $conf->global->MAIN_INFO_VAT_RETURN == 2) { - $date_end=dol_time_plus_duree($date_start, 3, 'm') - 1; - } elseif ($conf->global->MAIN_INFO_VAT_RETURN == 3) { - $date_end = dol_time_plus_duree($date_start, 1, 'y') - 1; - } elseif ($conf->global->MAIN_INFO_VAT_RETURN == 1) { - $date_end = dol_time_plus_duree($date_start, 1, 'm') - 1; - } - } - } else { - if ($q == 1) { - $date_start=dol_get_first_day($year_start, 1, false); $date_end=dol_get_last_day($year_start, 3, false); - } - if ($q == 2) { - $date_start=dol_get_first_day($year_start, 4, false); $date_end=dol_get_last_day($year_start, 6, false); - } - if ($q == 3) { - $date_start=dol_get_first_day($year_start, 7, false); $date_end=dol_get_last_day($year_start, 9, false); - } - if ($q == 4) { - $date_start=dol_get_first_day($year_start, 10, false); $date_end=dol_get_last_day($year_start, 12, false); - } - } - } -} - -$month_start = strftime('%m', $date_start); -$year_start = strftime('%Y', $date_start); +include DOL_DOCUMENT_ROOT.'/compta/tva/initdatesforvat.inc.php'; $min = price2num(GETPOST("min", "alpha")); if (empty($min)) { @@ -131,7 +74,6 @@ if ($user->socid) { $result = restrictedArea($user, 'tax', '', '', 'charges'); - /* * View */ @@ -154,7 +96,7 @@ foreach ($listofparams as $param) { } } -$title = $langs->trans("VATReport")." ".dol_print_date($date_start)." -> ".dol_print_date($date_end); +$title = $langs->trans("VATReport")." ".dol_print_date($date_start, '', 'tzserver')." -> ".dol_print_date($date_end, '', 'tzserver'); llxHeader('', $title, '', '', 0, 0, '', '', $morequerystring); 
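Review bot: `$refresh` is still computed on the first added line of the `@@ -45` hunk, but its only consumer visible here, the removed `if ($refresh === false)` block, is gone; if nothing later in the file reads it, the assignment and its three `GETPOSTISSET` checks are dead code. The hunk also drops the `$month_start = strftime('%m', $date_start);` / `$year_start = ...` recomputation from the resolved period, so any later use of `$month_start` in this file (outside the hunk) now sees the raw request value; `$date_start_month` / `$date_start_year` from the include are the intended replacements and should be used there instead.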
@@ -182,8 +124,10 @@ if ($modetax == 2) { } $calcmode .= ' ('.$langs->trans("TaxModuleSetupToModifyRules", DOL_URL_ROOT.'/admin/taxes.php').')'; // Set period -$period = $form->selectDate($date_start, 'date_start', 0, 0, 0, '', 1, 0).' - '.$form->selectDate($date_end, 'date_end', 0, 0, 0, '', 1, 0); -$prevyear = $year_start; +$period = $form->selectDate($date_start, 'date_start', 0, 0, 0, '', 1, 0, 0, '', '', '', '', 1, '', '', 'tzserver'); +$period .= ' - '; +$period .= $form->selectDate($date_end, 'date_end', 0, 0, 0, '', 1, 0, 0, '', '', '', '', 1, '', '', 'tzserver'); +$prevyear = $date_start_year; $prevquarter = $q; if ($prevquarter > 1) { $prevquarter--; @@ -191,7 +135,7 @@ if ($prevquarter > 1) { $prevquarter = 4; $prevyear--; } -$nextyear = $year_start; +$nextyear = $date_start_year; $nextquarter = $q; if ($nextquarter < 4) { $nextquarter++; @@ -256,9 +200,13 @@ print '
'; print ''; $y = $year_current; -$total = 0; $i = 0; -$columns = 5; + +$columns = 7; +$span = $columns; +if ($modetax != 1) { + $span += 2; +} // Load arrays of datas $x_coll = tax_by_rate('vat', $db, 0, 0, $date_start, $date_end, $modetax, 'sell'); @@ -383,11 +331,6 @@ if (!is_array($x_coll) || !is_array($x_paye)) { $x_paye_sum = 0; $x_paye_ht = 0; - $span = $columns; - if ($modetax != 1) { - $span += 2; - } - //print ''; // Customers invoices @@ -429,7 +372,11 @@ if (!is_array($x_coll) || !is_array($x_paye)) { print ""; print ''; print ''."\n"; @@ -642,7 +589,11 @@ if (!is_array($x_coll) || !is_array($x_paye)) { print ""; print ''; print ''."\n"; diff --git a/htdocs/core/lib/tax.lib.php b/htdocs/core/lib/tax.lib.php index c66d16b6736..0d8cc2f8d52 100644 --- a/htdocs/core/lib/tax.lib.php +++ b/htdocs/core/lib/tax.lib.php @@ -167,7 +167,8 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di $sql .= " AND f.datef <= '".$db->idate(dol_get_last_day($y, 12, false))."'"; } if ($q) { - $sql .= " AND (date_format(f.datef,'%m') > ".(($q - 1) * 3)." AND date_format(f.datef,'%m') <= ".($q * 3).")"; + $sql .= " AND f.datef > '".$db->idate(dol_get_first_day($y, (($q - 1) * 3) + 1, false))."'"; + $sql .= " AND f.datef <= '".$db->idate(dol_get_last_day($y, ($q * 3), false))."'"; } if ($date_start && $date_end) { $sql .= " AND f.datef >= '".$db->idate($date_start)."' AND f.datef <= '".$db->idate($date_end)."'"; 
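Review bot: The new lower bound `f.datef > '".$db->idate(dol_get_first_day($y, (($q - 1) * 3) + 1, false))."'` is strict, so an invoice dated exactly on the first day of the quarter (a `datef` equal to the midnight value `idate()` emits) is excluded, whereas the removed `date_format(f.datef,'%m') > ...` kept the whole first month; the upper bound and the `$date_start && $date_end` filter on the next line are both inclusive. Change `>` to `>=` on the first added line; the same pattern is repeated in the hunks at `@@ -212`, `@@ -330`, `@@ -375`, `@@ -484`, `@@ -662`, `@@ -703`, `@@ -819`, `@@ -860` and `@@ -969`. Whether the strict compare drops that day depends on the column type of `datef`/`datep` and the exact string `idate()` produces, which are not visible here. The `//print $sql;` line added at `@@ -715` is leftover debugging and should not be committed.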
@@ -212,7 +213,8 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di $sql .= " AND pa.datep <= '".$db->idate(dol_get_last_day($y, 12, false))."'"; } if ($q) { - $sql .= " AND (date_format(pa.datep,'%m') > ".(($q - 1) * 3)." AND date_format(pa.datep,'%m') <= ".($q * 3).")"; + $sql .= " AND pa.datep > '".$db->idate(dol_get_first_day($y, (($q - 1) * 3) + 1, false))."'"; + $sql .= " AND pa.datep <= '".$db->idate(dol_get_last_day($y, ($q * 3), false))."'"; } if ($date_start && $date_end) { $sql .= " AND pa.datep >= '".$db->idate($date_start)."' AND pa.datep <= '".$db->idate($date_end)."'"; @@ -330,7 +332,8 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di $sql .= " AND f.datef <= '".$db->idate(dol_get_last_day($y, 12, false))."'"; } if ($q) { - $sql .= " AND (date_format(f.datef,'%m') > ".(($q - 1) * 3)." AND date_format(f.datef,'%m') <= ".($q * 3).")"; + $sql .= " AND f.datef > '".$db->idate(dol_get_first_day($y, (($q - 1) * 3) + 1, false))."'"; + $sql .= " AND f.datef <= '".$db->idate(dol_get_last_day($y, ($q * 3), false))."'"; } if ($date_start && $date_end) { $sql .= " AND f.datef >= '".$db->idate($date_start)."' AND f.datef <= '".$db->idate($date_end)."'"; @@ -375,7 +378,8 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di $sql .= " AND pa.datep <= '".$db->idate(dol_get_last_day($y, 12, false))."'"; } if ($q) { - $sql .= " AND (date_format(pa.datep,'%m') > ".(($q - 1) * 3)." AND date_format(pa.datep,'%m') <= ".($q * 3).")"; + $sql .= " AND pa.datep > '".$db->idate(dol_get_first_day($y, (($q - 1) * 3) + 1, false))."'"; + $sql .= " AND pa.datep <= '".$db->idate(dol_get_last_day($y, ($q * 3), false))."'"; } if ($date_start && $date_end) { $sql .= " AND pa.datep >= '".$db->idate($date_start)."' AND pa.datep <= '".$db->idate($date_end)."'"; 
@@ -484,7 +488,8 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di $sql .= " AND p.datep <= '".$db->idate(dol_get_last_day($y, 12, false))."'"; } if ($q) { - $sql .= " AND (date_format(p.datep,'%m') > ".(($q - 1) * 3)." AND date_format(p.datep,'%m') <= ".($q * 3).")"; + $sql .= " AND p.datep > '".$db->idate(dol_get_first_day($y, (($q - 1) * 3) + 1, false))."'"; + $sql .= " AND p.datep <= '".$db->idate(dol_get_last_day($y, ($q * 3), false))."'"; } if ($date_start && $date_end) { $sql .= " AND p.datep >= '".$db->idate($date_start)."' AND p.datep <= '".$db->idate($date_end)."'"; @@ -662,7 +667,8 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire $sql .= " AND f.datef <= '".$db->idate(dol_get_last_day($y, 12, false))."'"; } if ($q) { - $sql .= " AND (date_format(f.datef,'%m') > ".(($q - 1) * 3)." AND date_format(f.datef,'%m') <= ".($q * 3).")"; + $sql .= " AND f.datef > '".$db->idate(dol_get_first_day($y, (($q - 1) * 3) + 1, false))."'"; + $sql .= " AND f.datef <= '".$db->idate(dol_get_last_day($y, ($q * 3), false))."'"; } if ($date_start && $date_end) { $sql .= " AND f.datef >= '".$db->idate($date_start)."' AND f.datef <= '".$db->idate($date_end)."'"; @@ -703,7 +709,8 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire $sql .= " AND pa.datep <= '".$db->idate(dol_get_last_day($y, 12, false))."'"; } if ($q) { - $sql .= " AND (date_format(pa.datep,'%m') > ".(($q - 1) * 3)." AND date_format(pa.datep,'%m') <= ".($q * 3).")"; + $sql .= " AND pa.datep > '".$db->idate(dol_get_first_day($y, (($q - 1) * 3) + 1, false))."'"; + $sql .= " AND pa.datep <= '".$db->idate(dol_get_last_day($y, ($q * 3), false))."'"; } if ($date_start && $date_end) { $sql .= " AND pa.datep >= '".$db->idate($date_start)."' AND pa.datep <= '".$db->idate($date_end)."'"; 
@@ -715,6 +722,7 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire } $sql .= " ORDER BY d.rowid, d.".$fk_facture.", pf.rowid"; } + //print $sql; if (!$sql) { return -1; @@ -819,7 +827,8 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire $sql .= " AND f.datef <= '".$db->idate(dol_get_last_day($y, 12, false))."'"; } if ($q) { - $sql .= " AND (date_format(f.datef,'%m') > ".(($q - 1) * 3)." AND date_format(f.datef,'%m') <= ".($q * 3).")"; + $sql .= " AND f.datef > '".$db->idate(dol_get_first_day($y, (($q - 1) * 3) + 1, false))."'"; + $sql .= " AND f.datef <= '".$db->idate(dol_get_last_day($y, ($q * 3), false))."'"; } if ($date_start && $date_end) { $sql .= " AND f.datef >= '".$db->idate($date_start)."' AND f.datef <= '".$db->idate($date_end)."'"; @@ -860,7 +869,8 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire $sql .= " AND pa.datep <= '".$db->idate(dol_get_last_day($y, 12, false))."'"; } if ($q) { - $sql .= " AND (date_format(pa.datep,'%m') > ".(($q - 1) * 3)." AND date_format(pa.datep,'%m') <= ".($q * 3).")"; + $sql .= " AND pa.datep > '".$db->idate(dol_get_first_day($y, (($q - 1) * 3) + 1, false))."'"; + $sql .= " AND pa.datep <= '".$db->idate(dol_get_last_day($y, ($q * 3), false))."'"; } if ($date_start && $date_end) { $sql .= " AND pa.datep >= '".$db->idate($date_start)."' AND pa.datep <= '".$db->idate($date_end)."'"; 
@@ -969,7 +979,8 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire $sql .= " AND p.datep <= '".$db->idate(dol_get_last_day($y, 12, false))."'"; } if ($q) { - $sql .= " AND (date_format(p.datep,'%m') > ".(($q - 1) * 3)." AND date_format(p.datep,'%m') <= ".($q * 3).")"; + $sql .= " AND p.datep > '".$db->idate(dol_get_first_day($y, (($q - 1) * 3) + 1, false))."'"; + $sql .= " AND p.datep <= '".$db->idate(dol_get_last_day($y, ($q * 3), false))."'"; } if ($date_start && $date_end) { $sql .= " AND p.datep >= '".$db->idate($date_start)."' AND p.datep <= '".$db->idate($date_end)."'"; diff --git a/htdocs/langs/en_US/compta.lang b/htdocs/langs/en_US/compta.lang index 3f892e3b29c..d42d8845aeb 100644 --- a/htdocs/langs/en_US/compta.lang +++ b/htdocs/langs/en_US/compta.lang @@ -86,7 +86,7 @@ PaymentCustomerInvoice=Customer invoice payment PaymentSupplierInvoice=vendor invoice payment PaymentSocialContribution=Social/fiscal tax payment PaymentVat=VAT payment -AutomaticCreationPayment=Automatically record the payment of the salary +AutomaticCreationPayment=Automatically record the payment ListPayment=List of payments ListOfCustomerPayments=List of customer payments ListOfSupplierPayments=List of vendor payments From df9546662a07bb4e19d389ae7455b6edaf185dde Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 22 Mar 2021 16:17:18 +0100 Subject: [PATCH 09/47] Fix trans --- htdocs/core/menus/init_menu_auguria.sql | 2 +- htdocs/core/menus/standard/eldy.lib.php | 6 +++--- htdocs/langs/en_US/companies.lang | 7 ++++--- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/htdocs/core/menus/init_menu_auguria.sql b/htdocs/core/menus/init_menu_auguria.sql index efa0c44a4ff..1a5550f3e72 100644 --- a/htdocs/core/menus/init_menu_auguria.sql +++ b/htdocs/core/menus/init_menu_auguria.sql 
@@ -233,7 +233,7 @@ insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, left insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->tax->enabled && empty($conf->global->TAX_DISABLE_VAT_MENUS) && $leftmenu=="tax_vat"', __HANDLER__, 'left', 2301__+MAX_llx_menu__, 'billing', '', 2300__+MAX_llx_menu__, '/compta/tva/card.php?mainmenu=billing&leftmenu=tax_vat&action=create', 'New', 2, 'companies', '$user->rights->tax->charges->creer', '', 0, 0, __ENTITY__); insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->tax->enabled && empty($conf->global->TAX_DISABLE_VAT_MENUS) && $leftmenu=="tax_vat"', __HANDLER__, 'left', 2302__+MAX_llx_menu__, 'billing', '', 2300__+MAX_llx_menu__, '/compta/tva/list.php?mainmenu=billing&leftmenu=tax_vat', 'List', 2, 'companies', '$user->rights->tax->charges->lire', '', 0, 1, __ENTITY__); insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->tax->enabled && empty($conf->global->TAX_DISABLE_VAT_MENUS) && $leftmenu=="tax_vat"', __HANDLER__, 'left', 2303__+MAX_llx_menu__, 'billing', '', 2300__+MAX_llx_menu__, '/compta/tva/index.php?mainmenu=billing&leftmenu=tax_vat', 'ReportByMonth', 2, 'companies', '$user->rights->tax->charges->lire', '', 0, 2, __ENTITY__); -insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->tax->enabled && empty($conf->global->TAX_DISABLE_VAT_MENUS) && $leftmenu=="tax_vat"', __HANDLER__, 'left', 2304__+MAX_llx_menu__, 'billing', '', 2300__+MAX_llx_menu__, 
'/compta/tva/clients.php?mainmenu=billing&leftmenu=tax_vat', 'ReportByCustomers', 2, 'companies', '$user->rights->tax->charges->lire', '', 0, 3, __ENTITY__); +insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->tax->enabled && empty($conf->global->TAX_DISABLE_VAT_MENUS) && $leftmenu=="tax_vat"', __HANDLER__, 'left', 2304__+MAX_llx_menu__, 'billing', '', 2300__+MAX_llx_menu__, '/compta/tva/clients.php?mainmenu=billing&leftmenu=tax_vat', 'ReportByThirdparties', 2, 'companies', '$user->rights->tax->charges->lire', '', 0, 3, __ENTITY__); insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->tax->enabled && empty($conf->global->TAX_DISABLE_VAT_MENUS) && $leftmenu=="tax_vat"', __HANDLER__, 'left', 2305__+MAX_llx_menu__, 'billing', '', 2300__+MAX_llx_menu__, '/compta/tva/quadri_detail.php?mainmenu=billing&leftmenu=tax_vat', 'ReportByQuarter', 2, 'companies', '$user->rights->tax->charges->lire', '', 0, 4, __ENTITY__); -- Salary insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->salaries->enabled', __HANDLER__, 'left', 2210__+MAX_llx_menu__, 'billing', 'tax_sal', 6__+MAX_llx_menu__, '/salaries/list.php?mainmenu=billing&leftmenu=tax_salary', 'Salaries', 0, 'salaries', '$user->rights->salaries->read', '', 0, 10, __ENTITY__); diff --git a/htdocs/core/menus/standard/eldy.lib.php b/htdocs/core/menus/standard/eldy.lib.php index 89e63c16db4..99fcea707e2 100644 --- a/htdocs/core/menus/standard/eldy.lib.php +++ b/htdocs/core/menus/standard/eldy.lib.php 
@@ -1104,7 +1104,7 @@ function print_left_eldy_menu($db, $menu_array_before, $menu_array_after, &$tabM $newmenu->add("/compta/tva/list.php?leftmenu=tax_vat", $langs->trans("List"), 2, $user->rights->tax->charges->lire); $newmenu->add("/compta/tva/payments.php?mode=tvaonly&leftmenu=tax_vat", $langs->trans("Payments"), 2, $user->rights->tax->charges->lire); $newmenu->add("/compta/tva/index.php?leftmenu=tax_vat", $langs->trans("ReportByMonth"), 2, $user->rights->tax->charges->lire); - $newmenu->add("/compta/tva/clients.php?leftmenu=tax_vat", $langs->trans("ReportByCustomers"), 2, $user->rights->tax->charges->lire); + $newmenu->add("/compta/tva/clients.php?leftmenu=tax_vat", $langs->trans("ReportByThirdparties"), 2, $user->rights->tax->charges->lire); $newmenu->add("/compta/tva/quadri_detail.php?leftmenu=tax_vat", $langs->trans("ReportByQuarter"), 2, $user->rights->tax->charges->lire); } @@ -1115,7 +1115,7 @@ function print_left_eldy_menu($db, $menu_array_before, $menu_array_after, &$tabM $newmenu->add("/compta/localtax/card.php?leftmenu=tax_1_vat&action=create&localTaxType=1", $langs->trans("New"), 2, $user->rights->tax->charges->creer); $newmenu->add("/compta/localtax/list.php?leftmenu=tax_1_vat&localTaxType=1", $langs->trans("List"), 2, $user->rights->tax->charges->lire); $newmenu->add("/compta/localtax/index.php?leftmenu=tax_1_vat&localTaxType=1", $langs->trans("ReportByMonth"), 2, $user->rights->tax->charges->lire); - $newmenu->add("/compta/localtax/clients.php?leftmenu=tax_1_vat&localTaxType=1", $langs->trans("ReportByCustomers"), 2, $user->rights->tax->charges->lire); + $newmenu->add("/compta/localtax/clients.php?leftmenu=tax_1_vat&localTaxType=1", $langs->trans("ReportByThirdparties"), 2, $user->rights->tax->charges->lire); $newmenu->add("/compta/localtax/quadri_detail.php?leftmenu=tax_1_vat&localTaxType=1", $langs->trans("ReportByQuarter"), 2, $user->rights->tax->charges->lire); } } 
@@ -1126,7 +1126,7 @@ function print_left_eldy_menu($db, $menu_array_before, $menu_array_after, &$tabM $newmenu->add("/compta/localtax/card.php?leftmenu=tax_2_vat&action=create&localTaxType=2", $langs->trans("New"), 2, $user->rights->tax->charges->creer); $newmenu->add("/compta/localtax/list.php?leftmenu=tax_2_vat&localTaxType=2", $langs->trans("List"), 2, $user->rights->tax->charges->lire); $newmenu->add("/compta/localtax/index.php?leftmenu=tax_2_vat&localTaxType=2", $langs->trans("ReportByMonth"), 2, $user->rights->tax->charges->lire); - $newmenu->add("/compta/localtax/clients.php?leftmenu=tax_2_vat&localTaxType=2", $langs->trans("ReportByCustomers"), 2, $user->rights->tax->charges->lire); + $newmenu->add("/compta/localtax/clients.php?leftmenu=tax_2_vat&localTaxType=2", $langs->trans("ReportByThirdparties"), 2, $user->rights->tax->charges->lire); $newmenu->add("/compta/localtax/quadri_detail.php?leftmenu=tax_2_vat&localTaxType=2", $langs->trans("ReportByQuarter"), 2, $user->rights->tax->charges->lire); } } diff --git a/htdocs/langs/en_US/companies.lang b/htdocs/langs/en_US/companies.lang index 42180dde04f..93e1f560f5e 100644 --- a/htdocs/langs/en_US/companies.lang +++ b/htdocs/langs/en_US/companies.lang @@ -43,9 +43,10 @@ Individual=Private individual ToCreateContactWithSameName=Will automatically create a contact/address with same information as the third party under the third party. In most cases, even if your third party is a physical person, creating a third party alone is enough. ParentCompany=Parent company Subsidiaries=Subsidiaries -ReportByMonth=Report by month -ReportByCustomers=Report by customer -ReportByQuarter=Report by rate +ReportByMonth=Report per month +ReportByCustomers=Report per customer +ReportByThirdparties=Report per thirdparty +ReportByQuarter=Report per rate CivilityCode=Civility code RegisteredOffice=Registered office Lastname=Last name From 5d6fb0cfeaa686c50cb8372beb5c88256736df37 Mon Sep 17 00:00:00 2001 
From: Laurent Destailleur Date: Mon, 22 Mar 2021 18:11:44 +0100 Subject: [PATCH 10/47] Perf: Enhance performance of VAT report --- htdocs/compta/tva/clients.php | 61 +++++++++++---- htdocs/compta/tva/quadri_detail.php | 71 ++++++++++++++++- htdocs/core/lib/tax.lib.php | 117 ++++++++++++++++++++++++---- 3 files changed, 218 insertions(+), 31 deletions(-) diff --git a/htdocs/compta/tva/clients.php b/htdocs/compta/tva/clients.php index 1640daeb1c6..a7c82d32f81 100644 --- a/htdocs/compta/tva/clients.php +++ b/htdocs/compta/tva/clients.php @@ -52,16 +52,16 @@ if (empty($min)) { // Define modetax (0 or 1) // 0=normal, 1=option vat for services is on debit, 2=option on payments for products -$modetax = $conf->global->TAX_MODE; +$modetax = (empty($conf->global->TAX_MODE) ? 0 : $conf->global->TAX_MODE); if (GETPOSTISSET("modetax")) { - $modetax = GETPOST("modetax", 'int'); + $modetax = GETPOSTINT("modetax"); } if (empty($modetax)) { $modetax = 0; } // Security check -$socid = GETPOST('socid', 'int'); +$socid = GETPOSTINT('socid'); if ($user->socid) { $socid = $user->socid; } @@ -120,7 +120,7 @@ if ($modetax == 2) { $calcmode .= ' ('.$langs->trans("TaxModuleSetupToModifyRules", DOL_URL_ROOT.'/admin/taxes.php').')'; // Set period $period = $form->selectDate($date_start, 'date_start', 0, 0, 0, '', 1, 0).' - '.$form->selectDate($date_end, 'date_end', 0, 0, 0, '', 1, 0); -$prevyear = $year_start; +$prevyear = $date_start_year; $prevquarter = $q; if ($prevquarter > 1) { $prevquarter--; @@ -128,7 +128,7 @@ if ($prevquarter > 1) { $prevquarter = 4; $prevyear--; } -$nextyear = $year_start; +$nextyear = $date_start_year; $nextquarter = $q; if ($nextquarter < 4) { $nextquarter++; @@ -198,6 +198,10 @@ $y = $year_current; $total = 0; $i = 0; $columns = 5; +$span = $columns; +if ($modetax != 1) { + $span += 2; +} // Load arrays of datas $x_coll = tax_by_thirdparty('vat', $db, 0, $date_start, $date_end, $modetax, 'sell'); 
@@ -226,7 +230,21 @@ if (!is_array($x_coll) || !is_array($x_paye)) { $invoice_customer->id = $x_coll[$my_coll_thirdpartyid]['facid'][$id]; $invoice_customer->ref = $x_coll[$my_coll_thirdpartyid]['facnum'][$id]; $invoice_customer->type = $x_coll[$my_coll_thirdpartyid]['type'][$id]; - $company_static->fetch($x_coll[$my_coll_thirdpartyid]['company_id'][$id]); + + //$company_static->fetch($x_coll[$my_coll_thirdpartyid]['company_id'][$id]); + $company_static->id = $x_coll[$my_coll_thirdpartyid]['company_id'][$id]; + $company_static->name = $x_coll[$my_coll_thirdpartyid]['company_name'][$id]; + $company_static->name_alias = $x_coll[$my_coll_thirdpartyid]['company_alias'][$id]; + $company_static->email = $x_coll[$my_coll_thirdpartyid]['company_email'][$id]; + $company_static->tva_intra = $x_coll[$my_coll_thirdpartyid]['tva_intra'][$id]; + $company_static->client = $x_coll[$my_coll_thirdpartyid]['company_client'][$id]; + $company_static->fournisseur = $x_coll[$my_coll_thirdpartyid]['company_fournisseur'][$id]; + $company_static->status = $x_coll[$my_coll_thirdpartyid]['company_status'][$id]; + $company_static->code_client = $x_coll[$my_coll_thirdpartyid]['company_customer_code'][$id]; + $company_static->code_compta_client = $x_coll[$my_coll_thirdpartyid]['company_customer_accounting_code'][$id]; + $company_static->code_fournisseur = $x_coll[$my_coll_thirdpartyid]['company_supplier_code'][$id]; + $company_static->code_compta_fournisseur = $x_coll[$my_coll_thirdpartyid]['company_supplier_accounting_code'][$id]; + $x_both[$my_coll_thirdpartyid]['coll']['detail'][] = array( 'id' =>$x_coll[$my_coll_thirdpartyid]['facid'][$id], 'descr' =>$x_coll[$my_coll_thirdpartyid]['descr'][$id], 
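Review bot: Replacing `$company_static->fetch(...)` with field-by-field assignment leaves every property not in that list (address, country, `canvas`, `logo`, ...) at whatever value the previous iteration or the constructor left, because the same `$company_static` instance is reused across rows while `fetch()` reset them; if `getNomUrl()` (called for `'company_link'` in the next hunk) reads any of those, one third party's link can carry another's data, so either assign the full set `getNomUrl()` needs or instantiate a fresh `new Societe($db)` per row. The new code also assumes `tax_by_thirdparty()` now returns the `company_name` ... `company_supplier_accounting_code` keys; that change is listed in the commit's tax.lib.php diffstat but is outside this chunk, and a missing key would only surface as a PHP notice. The same twelve assignments are duplicated for suppliers in the hunk at `@@ -290`, which is a candidate for a small helper populating a Societe from a result row.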
@@ -241,7 +259,9 @@ if (!is_array($x_coll) || !is_array($x_paye)) { 'drate' =>$x_coll[$my_coll_thirdpartyid]['drate'][$id], 'datef' =>$x_coll[$my_coll_thirdpartyid]['datef'][$id], 'datep' =>$x_coll[$my_coll_thirdpartyid]['datep'][$id], + 'company_link'=>$company_static->getNomUrl(1, '', 20), + 'ddate_start'=>$x_coll[$my_coll_thirdpartyid]['ddate_start'][$id], 'ddate_end' =>$x_coll[$my_coll_thirdpartyid]['ddate_end'][$id], 'totalht' =>$x_coll[$my_coll_thirdpartyid]['totalht_list'][$id], 
@@ -290,7 +310,21 @@ if (!is_array($x_coll) || !is_array($x_paye)) { $invoice_supplier->id = $x_paye[$my_paye_thirdpartyid]['facid'][$id]; $invoice_supplier->ref = $x_paye[$my_paye_thirdpartyid]['facnum'][$id]; $invoice_supplier->type = $x_paye[$my_paye_thirdpartyid]['type'][$id]; - $company_static->fetch($x_paye[$my_paye_thirdpartyid]['company_id'][$id]); + + //$company_static->fetch($x_paye[$my_paye_thirdpartyid]['company_id'][$id]); + $company_static->id = $x_paye[$my_paye_thirdpartyid]['company_id'][$id]; + $company_static->name = $x_paye[$my_paye_thirdpartyid]['company_name'][$id]; + $company_static->name_alias = $x_paye[$my_paye_thirdpartyid]['company_alias'][$id]; + $company_static->email = $x_paye[$my_paye_thirdpartyid]['company_email'][$id]; + $company_static->tva_intra = $x_paye[$my_paye_thirdpartyid]['tva_intra'][$id]; + $company_static->client = $x_paye[$my_paye_thirdpartyid]['company_client'][$id]; + $company_static->fournisseur = $x_paye[$my_paye_thirdpartyid]['company_fournisseur'][$id]; + $company_static->status = $x_paye[$my_paye_thirdpartyid]['company_status'][$id]; + $company_static->code_client = $x_paye[$my_paye_thirdpartyid]['company_customer_code'][$id]; + $company_static->code_compta_client = $x_paye[$my_paye_thirdpartyid]['company_customer_accounting_code'][$id]; + $company_static->code_fournisseur = $x_paye[$my_paye_thirdpartyid]['company_supplier_code'][$id]; + $company_static->code_compta_fournisseur = $x_paye[$my_paye_thirdpartyid]['company_supplier_accounting_code'][$id]; + $x_both[$my_paye_thirdpartyid]['paye']['detail'][] = array( 'id' =>$x_paye[$my_paye_thirdpartyid]['facid'][$id], 'descr' =>$x_paye[$my_paye_thirdpartyid]['descr'][$id], 
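Review bot: The supplier loop repeats the customer-loop slip: `$company_static->tva_intra = $x_paye[$my_paye_thirdpartyid]['tva_intra'][$id];` reads `tva_intra` while the tax.lib.php hunks in this patch store the column as `company_tva_intra`, so it is always null; use `['company_tva_intra'][$id]`. The removed `$company_static->fetch()` used to reset the whole object on every row; with manual assignment of 12 fields, every other property carries over from the previous row, so either reinstantiate with `$company_static = new Societe($db);` per row or confirm nothing else is read downstream. Drop the commented-out `//$company_static->fetch(...)` line as well.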
@@ -305,7 +339,9 @@ if (!is_array($x_coll) || !is_array($x_paye)) { 'drate' =>$x_paye[$my_coll_thirdpartyid]['drate'][$id], 'datef' =>$x_paye[$my_paye_thirdpartyid]['datef'][$id], 'datep' =>$x_paye[$my_paye_thirdpartyid]['datep'][$id], + 'company_link'=>$company_static->getNomUrl(1, '', 20), + 'ddate_start'=>$x_paye[$my_paye_thirdpartyid]['ddate_start'][$id], 'ddate_end' =>$x_paye[$my_paye_thirdpartyid]['ddate_end'][$id], 'totalht' =>price2num($x_paye[$my_paye_thirdpartyid]['totalht_list'][$id]), @@ -325,11 +361,6 @@ if (!is_array($x_coll) || !is_array($x_paye)) { $x_paye_sum = 0; $x_paye_ht = 0; - $span = $columns; - if ($modetax != 1) { - $span += 2; - } - //print ''; // Customers invoices @@ -514,7 +545,7 @@ if (!is_array($x_coll) || !is_array($x_paye)) { } } - if (count($x_coll) == 0) { // Show a total ine if nothing shown + if (count($x_coll) == 0) { // Show a total line if nothing shown print ''; print ''; print ''; @@ -598,7 +629,9 @@ if (!is_array($x_coll) || !is_array($x_paye)) { } // Company name - print ''; + print ''; // Description print ''; // Company name - print ''; + print ''; // Description print ''; + print ''; // Description print ''; - // Print table headers for this quadri - expenses now + // Print table headers for this quadri - expenses print ''; print ''; print ''; @@ -779,7 +779,7 @@ if (!is_array($x_coll) || !is_array($x_paye)) { print '
'..')
'; print $langs->trans('Rate') . ' : ' . vatrate($rate) . '%'; - print ' - ' . img_picto('', 'chevron-down', 'class="paddingrightonly"') . $langs->trans('VATReportShowByRateDetails') . ''; + print ' - ' . img_picto('', 'chevron-down', 'class="paddingrightonly"') . $langs->trans('VATReportShowByRateDetails') . ''; print '
'; print $langs->trans('Rate') . ' : ' . vatrate($rate) . '%'; - print ' - ' . img_picto('', 'chevron-down', 'class="paddingrightonly"') . $langs->trans('VATReportShowByRateDetails') . ''; + print ' - ' . img_picto('', 'chevron-down', 'class="paddingrightonly"') . $langs->trans('VATReportShowByRateDetails') . ''; print '
'..')
'.$langs->trans("Total").':'.$fields['company_link'].''; + print $fields['company_link']; + print ''; diff --git a/htdocs/compta/tva/quadri_detail.php b/htdocs/compta/tva/quadri_detail.php index 07071b250e5..4b2396a4fc9 100644 --- a/htdocs/compta/tva/quadri_detail.php +++ b/htdocs/compta/tva/quadri_detail.php @@ -235,7 +235,21 @@ if (!is_array($x_coll) || !is_array($x_paye)) { $invoice_customer->id = $x_coll[$my_coll_rate]['facid'][$id]; $invoice_customer->ref = $x_coll[$my_coll_rate]['facnum'][$id]; $invoice_customer->type = $x_coll[$my_coll_rate]['type'][$id]; - $company_static->fetch($x_coll[$my_coll_rate]['company_id'][$id]); + + //$company_static->fetch($x_coll[$my_coll_rate]['company_id'][$id]); + $company_static->id = $x_coll[$my_coll_rate]['company_id'][$id]; + $company_static->name = $x_coll[$my_coll_rate]['company_name'][$id]; + $company_static->name_alias = $x_coll[$my_coll_rate]['company_alias'][$id]; + $company_static->email = $x_coll[$my_coll_rate]['company_email'][$id]; + $company_static->tva_intra = $x_coll[$my_coll_rate]['tva_intra'][$id]; + $company_static->client = $x_coll[$my_coll_rate]['company_client'][$id]; + $company_static->fournisseur = $x_coll[$my_coll_rate]['company_fournisseur'][$id]; + $company_static->status = $x_coll[$my_coll_rate]['company_status'][$id]; + $company_static->code_client = $x_coll[$my_coll_rate]['company_customer_code'][$id]; + $company_static->code_compta_client = $x_coll[$my_coll_rate]['company_customer_accounting_code'][$id]; + $company_static->code_fournisseur = $x_coll[$my_coll_rate]['company_supplier_code'][$id]; + $company_static->code_compta_fournisseur = $x_coll[$my_coll_rate]['company_supplier_accounting_code'][$id]; + $x_both[$my_coll_rate]['coll']['detail'][] = array( 'id' =>$x_coll[$my_coll_rate]['facid'][$id], 'descr' =>$x_coll[$my_coll_rate]['descr'][$id], 
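Review bot: In the quadri_detail.php `@@ -235` hunk, `$company_static->tva_intra = $x_coll[$my_coll_rate]['tva_intra'][$id];` uses the wrong key: `tax_by_rate` in this patch stores the value as `company_tva_intra`, so the intra-community VAT number is never populated. Change it to `$x_coll[$my_coll_rate]['company_tva_intra'][$id]` and remove the commented-out `//$company_static->fetch(...)` line rather than leaving it as dead code.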
@@ -249,7 +263,9 @@ if (!is_array($x_coll) || !is_array($x_paye)) { 'dtype' =>$x_coll[$my_coll_rate]['dtype'][$id], 'datef' =>$x_coll[$my_coll_rate]['datef'][$id], 'datep' =>$x_coll[$my_coll_rate]['datep'][$id], + 'company_link'=>$company_static->getNomUrl(1, '', 20), + 'ddate_start'=>$x_coll[$my_coll_rate]['ddate_start'][$id], 'ddate_end' =>$x_coll[$my_coll_rate]['ddate_end'][$id], 'totalht' =>$x_coll[$my_coll_rate]['totalht_list'][$id], @@ -297,7 +313,20 @@ if (!is_array($x_coll) || !is_array($x_paye)) { $invoice_supplier->id = $x_paye[$my_paye_rate]['facid'][$id]; $invoice_supplier->ref = $x_paye[$my_paye_rate]['facnum'][$id]; $invoice_supplier->type = $x_paye[$my_paye_rate]['type'][$id]; - $company_static->fetch($x_paye[$my_paye_rate]['company_id'][$id]); + + $company_static->id = $x_paye[$my_paye_rate]['company_id'][$id]; + $company_static->name = $x_paye[$my_paye_rate]['company_name'][$id]; + $company_static->name_alias = $x_paye[$my_paye_rate]['company_alias'][$id]; + $company_static->email = $x_paye[$my_paye_rate]['company_email'][$id]; + $company_static->tva_intra = $x_paye[$my_paye_rate]['tva_intra'][$id]; + $company_static->client = $x_paye[$my_paye_rate]['company_client'][$id]; + $company_static->fournisseur = $x_paye[$my_paye_rate]['company_fournisseur'][$id]; + $company_static->status = $x_paye[$my_paye_rate]['company_status'][$id]; + $company_static->code_client = $x_paye[$my_paye_rate]['company_customer_code'][$id]; + $company_static->code_compta_client = $x_paye[$my_paye_rate]['company_customer_accounting_code'][$id]; + $company_static->code_fournisseur = $x_paye[$my_paye_rate]['company_supplier_code'][$id]; + $company_static->code_compta_fournisseur = $x_paye[$my_paye_rate]['company_supplier_accounting_code'][$id]; + $x_both[$my_paye_rate]['paye']['detail'][] = array( 'id' =>$x_paye[$my_paye_rate]['facid'][$id], 'descr' =>$x_paye[$my_paye_rate]['descr'][$id], 
@@ -311,7 +340,9 @@ if (!is_array($x_coll) || !is_array($x_paye)) { 'dtype' =>$x_paye[$my_paye_rate]['dtype'][$id], 'datef' =>$x_paye[$my_paye_rate]['datef'][$id], 'datep' =>$x_paye[$my_paye_rate]['datep'][$id], + 'company_link'=>$company_static->getNomUrl(1, '', 20), + 'ddate_start'=>$x_paye[$my_paye_rate]['ddate_start'][$id], 'ddate_end' =>$x_paye[$my_paye_rate]['ddate_end'][$id], 'totalht' =>price2num($x_paye[$my_paye_rate]['totalht_list'][$id]), @@ -420,6 +451,19 @@ if (!is_array($x_coll) || !is_array($x_paye)) { if ($invoice_type == 'customer' && $vat_rate_show == $rate) { if (is_array($x_both[$rate]['coll']['detail'])) { foreach ($x_both[$rate]['coll']['detail'] as $index => $fields) { + /*$company_static->id = $fields['company_id']; + $company_static->name = $fields['company_name']; + $company_static->name_alias = $fields['company_alias']; + $company_static->email = $fields['company_email']; + $company_static->tva_intra = $fields['tva_intra']; + $company_static->client = $fields['company_client']; + $company_static->fournisseur = $fields['company_fournisseur']; + $company_static->status = $fields['company_status']; + $company_static->code_client = $fields['company_client']; + $company_static->code_compta_client = $fields['company_customer_code']; + $company_static->code_fournisseur = $fields['company_customer_accounting_code']; + $company_static->code_compta_fournisseur = $fields['company_supplier_accounting_code'];*/ + // Define type // We MUST use dtype (type in line). We can use something else, only if dtype is really unknown. $type = (isset($fields['dtype']) ? $fields['dtype'] : $fields['ptype']); @@ -446,7 +490,10 @@ if (!is_array($x_coll) || !is_array($x_paye)) { else print '' . $fields['company_link'] . ''; + //print $company_static->getNomUrl(1); + print $fields['company_link']; + print ''; 
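Review bot: The `@@ -420` hunk adds a 12-line commented-out block whose mappings are wrong even as documentation — `code_client = $fields['company_client']`, `code_compta_client = $fields['company_customer_code']` and `code_fournisseur = $fields['company_customer_accounting_code']` are each shifted by one field — and the keys it references (`company_id`, `company_name`, ...) are not in the `detail` array built above, which only carries `company_link`. Delete the block instead of leaving misleading dead code for the next person to uncomment. The `@@ -311` hunk has the same `tva_intra` key slip as the other loops; it should be `company_tva_intra` to match tax.lib.php.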
@@ -635,6 +682,19 @@ if (!is_array($x_coll) || !is_array($x_paye)) { if ($invoice_type == 'supplier' && $vat_rate_show == $rate) { foreach ($x_both[$rate]['paye']['detail'] as $index => $fields) { + /*$company_static->id = $fields['company_id']; + $company_static->name = $fields['company_name']; + $company_static->name_alias = $fields['company_alias']; + $company_static->email = $fields['company_email']; + $company_static->tva_intra = $fields['tva_intra']; + $company_static->client = $fields['company_client']; + $company_static->fournisseur = $fields['company_fournisseur']; + $company_static->status = $fields['company_status']; + $company_static->code_client = $fields['company_client']; + $company_static->code_compta_client = $fields['company_customer_code']; + $company_static->code_fournisseur = $fields['company_customer_accounting_code']; + $company_static->code_compta_fournisseur = $fields['company_supplier_accounting_code'];*/ + // Define type // We MUST use dtype (type in line). We can use something else, only if dtype is really unknown. $type = (isset($fields['dtype']) ? $fields['dtype'] : $fields['ptype']); @@ -664,7 +724,10 @@ if (!is_array($x_coll) || !is_array($x_paye)) { } // Company name - print '' . $fields['company_link'] . ''; + //print $company_static->getNomUrl(1); + print $fields['company_link']; + print ''; diff --git a/htdocs/core/lib/tax.lib.php b/htdocs/core/lib/tax.lib.php index 0d8cc2f8d52..fa8219c41c7 100644 --- a/htdocs/core/lib/tax.lib.php +++ b/htdocs/core/lib/tax.lib.php 
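Review bot: The commented-out block added at `@@ -635` duplicates the one in the customer loop, with the same off-by-one field mappings (`code_client` ← `company_client`, `code_fournisseur` ← `company_customer_accounting_code`) and references to keys the `detail` array does not contain. Remove it; `print $fields['company_link'];` already carries everything the row needs. If a reminder of where the link comes from is wanted, a one-line comment such as `// company_link is pre-rendered by Societe::getNomUrl() while building $x_both` is clearer than dead assignments.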
@@ -143,7 +143,11 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
 $sql = "SELECT d.rowid, d.product_type as dtype, d.".$fk_facture." as facid, d.$f_rate as rate, d.total_ht as total_ht, d.total_ttc as total_ttc, d.".$total_tva." as total_vat, d.description as descr,";
 $sql .= " d.".$total_localtax1." as total_localtax1, d.".$total_localtax2." as total_localtax2, ";
 $sql .= " d.date_start as date_start, d.date_end as date_end,";
- $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef, s.nom as company_name, s.rowid as company_id,";
+ $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef,";
+ $sql .= " s.nom as company_name, s.name_alias as company_alias, s.rowid as company_id, s.client as company_client, s.fournisseur as company_fournisseur, s.email as company_email,";
+ $sql .= " s.code_client as company_customer_code, s.code_fournisseur as company_supplier_code,";
+ $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,";
+ $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,";
 $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,";
 $sql .= " 0 as payment_id, 0 as payment_amount";
 $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f,";
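Review bot: The same four `$sql .=` lines for the `s.` columns are pasted into eight SELECTs across `tax_by_thirdparty` and `tax_by_rate` in this patch, and the alias chosen here (`company_tva_intra`) already disagrees with what clients.php and quadri_detail.php read (`tva_intra`). Build the fragment once per function — e.g. `$sqlcompanyfields = " s.nom as company_name, s.name_alias as company_alias, s.rowid as company_id, ... s.tva_intra as company_tva_intra,";` — and append it in every branch so the column list cannot drift. Note also that `s.email`, `s.tva_intra` and the accounting codes are now fetched for every invoice line merely to render a tooltip; acceptable for users holding the tax-report right, but the function itself carries no such scoping, so any other caller of this library now receives them too.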
@@ -184,7 +188,11 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
 $sql = "SELECT d.rowid, d.product_type as dtype, d.".$fk_facture." as facid, d.$f_rate as rate, d.total_ht as total_ht, d.total_ttc as total_ttc, d.".$total_tva." as total_vat, d.description as descr,";
 $sql .= " d.".$total_localtax1." as total_localtax1, d.".$total_localtax2." as total_localtax2, ";
 $sql .= " d.date_start as date_start, d.date_end as date_end,";
- $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef, s.nom as company_name, s.rowid as company_id,";
+ $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef,";
+ $sql .= " s.nom as company_name, s.name_alias as company_alias, s.rowid as company_id, s.client as company_client, s.fournisseur as company_fournisseur, s.email as company_email,";
+ $sql .= " s.code_client as company_customer_code, s.code_fournisseur as company_supplier_code,";
+ $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,";
+ $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,";
 $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,";
 $sql .= " pf.".$fk_payment." as payment_id, pf.amount as payment_amount,";
 $sql .= " pa.datep as datep";
@@ -265,8 +273,20 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di $list[$assoc['company_id']]['dtype'][] = $assoc['dtype']; $list[$assoc['company_id']]['datef'][] = $db->jdate($assoc['datef']); $list[$assoc['company_id']]['datep'][] = $db->jdate($assoc['datep']); + $list[$assoc['company_id']]['company_name'][] = $assoc['company_name']; $list[$assoc['company_id']]['company_id'][] = $assoc['company_id']; + $list[$assoc['company_id']]['company_alias'][] = $assoc['company_alias']; + $list[$assoc['company_id']]['company_email'][] = $assoc['company_email']; + $list[$assoc['company_id']]['company_tva_intra'][] = $assoc['company_tva_intra']; + $list[$assoc['company_id']]['company_client'][] = $assoc['company_client']; + $list[$assoc['company_id']]['company_fournisseur'][] = $assoc['company_fournisseur']; + $list[$assoc['company_id']]['company_customer_code'][] = $assoc['company_customer_code']; + $list[$assoc['company_id']]['company_supplier_code'][] = $assoc['company_supplier_code']; + $list[$assoc['company_id']]['company_customer_accounting_code'][] = $assoc['company_customer_accounting_code']; + $list[$assoc['company_id']]['company_supplier_accounting_code'][] = $assoc['company_supplier_accounting_code']; + $list[$assoc['company_id']]['company_status'][] = $assoc['company_status']; + $list[$assoc['company_id']]['drate'][] = $assoc['rate']; $list[$assoc['company_id']]['ddate_start'][] = $db->jdate($assoc['date_start']); $list[$assoc['company_id']]['ddate_end'][] = $db->jdate($assoc['date_end']); 
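Review bot: Every company attribute is appended once per invoice line (`$list[$assoc['company_id']]['company_alias'][] = ...` and its nine siblings) although `$list` is already keyed by `company_id`, so a third party with hundreds of lines stores identical name/email/codes hundreds of times — the opposite of the stated perf goal. Storing them once per key, e.g. `if (empty($list[$assoc['company_id']]['company'])) { $list[$assoc['company_id']]['company'] = array('name' => $assoc['company_name'], 'alias' => $assoc['company_alias'], ...); }`, would cut memory and let the report pages populate `$company_static` once per third party instead of once per row. If the per-line layout must stay for the existing callers, at least keep the key spelled `company_tva_intra` on both sides; clients.php in this patch reads `tva_intra`.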
@@ -308,7 +328,11 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di $sql = "SELECT d.rowid, d.product_type as dtype, d.".$fk_facture." as facid, d.$f_rate as rate, d.total_ht as total_ht, d.total_ttc as total_ttc, d.".$total_tva." as total_vat, d.description as descr,"; $sql .= " d.".$total_localtax1." as total_localtax1, d.".$total_localtax2." as total_localtax2, "; $sql .= " d.date_start as date_start, d.date_end as date_end,"; - $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef, s.nom as company_name, s.rowid as company_id,"; + $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef,"; + $sql .= " s.nom as company_name, s.name_alias as company_alias, s.rowid as company_id, s.client as company_client, s.fournisseur as company_fournisseur, s.email as company_email,"; + $sql .= " s.code_client as company_customer_code, s.code_fournisseur as company_supplier_code,"; + $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,"; + $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,"; $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,"; $sql .= " 0 as payment_id, 0 as payment_amount"; $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f,"; 
@@ -349,7 +373,11 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di $sql = "SELECT d.rowid, d.product_type as dtype, d.".$fk_facture." as facid, d.$f_rate as rate, d.total_ht as total_ht, d.total_ttc as total_ttc, d.".$total_tva." as total_vat, d.description as descr,"; $sql .= " d.".$total_localtax1." as total_localtax1, d.".$total_localtax2." as total_localtax2, "; $sql .= " d.date_start as date_start, d.date_end as date_end,"; - $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef, s.nom as company_name, s.rowid as company_id,"; + $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef,"; + $sql .= " s.nom as company_name, s.name_alias as company_alias, s.rowid as company_id, s.client as company_client, s.fournisseur as company_fournisseur, s.email as company_email,"; + $sql .= " s.code_client as company_customer_code, s.code_fournisseur as company_supplier_code,"; + $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,"; + $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,"; $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,"; $sql .= " pf.".$fk_payment." as payment_id, pf.amount as payment_amount,"; $sql .= " pa.datep as datep"; 
@@ -430,8 +458,20 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di $list[$assoc['company_id']]['dtype'][] = $assoc['dtype']; $list[$assoc['company_id']]['datef'][] = $db->jdate($assoc['datef']); $list[$assoc['company_id']]['datep'][] = $db->jdate($assoc['datep']); + $list[$assoc['company_id']]['company_name'][] = $assoc['company_name']; $list[$assoc['company_id']]['company_id'][] = $assoc['company_id']; + $list[$assoc['company_id']]['company_alias'][] = $assoc['company_alias']; + $list[$assoc['company_id']]['company_email'][] = $assoc['company_email']; + $list[$assoc['company_id']]['company_tva_intra'][] = $assoc['company_tva_intra']; + $list[$assoc['company_id']]['company_client'][] = $assoc['company_client']; + $list[$assoc['company_id']]['company_fournisseur'][] = $assoc['company_fournisseur']; + $list[$assoc['company_id']]['company_customer_code'][] = $assoc['company_customer_code']; + $list[$assoc['company_id']]['company_supplier_code'][] = $assoc['company_supplier_code']; + $list[$assoc['company_id']]['company_customer_accounting_code'][] = $assoc['company_customer_accounting_code']; + $list[$assoc['company_id']]['company_supplier_accounting_code'][] = $assoc['company_supplier_accounting_code']; + $list[$assoc['company_id']]['company_status'][] = $assoc['company_status']; + $list[$assoc['company_id']]['drate'][] = $assoc['rate']; $list[$assoc['company_id']]['ddate_start'][] = $db->jdate($assoc['date_start']); $list[$assoc['company_id']]['ddate_end'][] = $db->jdate($assoc['date_end']); 
@@ -539,8 +579,20 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di $list[$assoc['company_id']]['dtotal_ttc'][] = $assoc['total_ttc']; $list[$assoc['company_id']]['dtype'][] = 'ExpenseReportPayment'; $list[$assoc['company_id']]['datef'][] = $assoc['datef']; + $list[$assoc['company_id']]['company_name'][] = ''; $list[$assoc['company_id']]['company_id'][] = ''; + $list[$assoc['company_id']]['company_alias'][] = ''; + $list[$assoc['company_id']]['company_email'][] = ''; + $list[$assoc['company_id']]['company_tva_intra'][] = ''; + $list[$assoc['company_id']]['company_client'][] = ''; + $list[$assoc['company_id']]['company_fournisseur'][] = ''; + $list[$assoc['company_id']]['company_customer_code'][] = ''; + $list[$assoc['company_id']]['company_supplier_code'][] = ''; + $list[$assoc['company_id']]['company_customer_accounting_code'][] = ''; + $list[$assoc['company_id']]['company_supplier_accounting_code'][] = ''; + $list[$assoc['company_id']]['company_status'][] = ''; + $list[$assoc['company_id']]['user_id'][] = $assoc['fk_user_author']; $list[$assoc['company_id']]['drate'][] = $assoc['rate']; $list[$assoc['company_id']]['ddate_start'][] = $db->jdate($assoc['date_start']); @@ -635,7 +687,7 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire $total_localtax2 = 'total_localtax2'; - // CAS DES BIENS/PRODUITS + // CASE OF PRODUCTS/GOODS // Define sql request $sql = ''; 
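Review bot: The expense-report branch now pushes `''` for `company_id`, `company_status`, `company_client` and `company_fournisseur`, mixing string placeholders into arrays that hold integers in the other branches, and the report pages then assign `$company_static->id = ''` and call `getNomUrl()`, which produces a link to an empty socid. Push `0` for those four and keep `''` only for the text fields, and have the consumers skip the link when `$company_static->id` is not `> 0`. The enclosing loop starts above the hunk, so I cannot see what `$assoc['company_id']` itself holds for this query.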
@@ -645,7 +697,11 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire $sql = "SELECT d.rowid, d.product_type as dtype, d.".$fk_facture." as facid, d.$f_rate as rate, d.total_ht as total_ht, d.total_ttc as total_ttc, d.".$total_tva." as total_vat, d.description as descr,"; $sql .= " d.".$total_localtax1." as total_localtax1, d.".$total_localtax2." as total_localtax2, "; $sql .= " d.date_start as date_start, d.date_end as date_end,"; - $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef, s.nom as company_name, s.rowid as company_id,"; + $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef,"; + $sql .= " s.nom as company_name, s.name_alias as company_alias, s.rowid as company_id, s.client as company_client, s.fournisseur as company_fournisseur, s.email as company_email,"; + $sql .= " s.code_client as company_customer_code, s.code_fournisseur as company_supplier_code,"; + $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,"; + $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,"; $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,"; $sql .= " 0 as payment_id, 0 as payment_amount"; $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f"; 
@@ -684,7 +740,11 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire $sql = "SELECT d.rowid, d.product_type as dtype, d.".$fk_facture." as facid, d.$f_rate as rate, d.total_ht as total_ht, d.total_ttc as total_ttc, d.".$total_tva." as total_vat, d.description as descr,"; $sql .= " d.".$total_localtax1." as total_localtax1, d.".$total_localtax2." as total_localtax2, "; $sql .= " d.date_start as date_start, d.date_end as date_end,"; - $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef, s.nom as company_name, s.rowid as company_id,"; + $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef,"; + $sql .= " s.nom as company_name, s.name_alias as company_alias, s.rowid as company_id, s.client as company_client, s.fournisseur as company_fournisseur, s.email as company_email,"; + $sql .= " s.code_client as company_customer_code, s.code_fournisseur as company_supplier_code,"; + $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,"; + $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,"; $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,"; $sql .= " pf.".$fk_payment." as payment_id, pf.amount as payment_amount,"; $sql .= " pa.datep as datep"; @@ -722,7 +782,6 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire } $sql .= " ORDER BY d.rowid, d.".$fk_facture.", pf.rowid"; } - //print $sql; if (!$sql) { return -1; 
@@ -763,8 +822,20 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire $list[$assoc['rate']]['dtype'][] = $assoc['dtype']; $list[$assoc['rate']]['datef'][] = $db->jdate($assoc['datef']); $list[$assoc['rate']]['datep'][] = $db->jdate($assoc['datep']); + $list[$assoc['rate']]['company_name'][] = $assoc['company_name']; $list[$assoc['rate']]['company_id'][] = $assoc['company_id']; + $list[$assoc['rate']]['company_alias'][] = $assoc['company_alias']; + $list[$assoc['rate']]['company_email'][] = $assoc['company_email']; + $list[$assoc['rate']]['company_tva_intra'][] = $assoc['company_tva_intra']; + $list[$assoc['rate']]['company_client'][] = $assoc['company_client']; + $list[$assoc['rate']]['company_fournisseur'][] = $assoc['company_fournisseur']; + $list[$assoc['rate']]['company_customer_code'][] = $assoc['company_customer_code']; + $list[$assoc['rate']]['company_supplier_code'][] = $assoc['company_supplier_code']; + $list[$assoc['rate']]['company_customer_accounting_code'][] = $assoc['company_customer_accounting_code']; + $list[$assoc['rate']]['company_supplier_accounting_code'][] = $assoc['company_supplier_accounting_code']; + $list[$assoc['rate']]['company_status'][] = $assoc['company_status']; + $list[$assoc['rate']]['ddate_start'][] = $db->jdate($assoc['date_start']); $list[$assoc['rate']]['ddate_end'][] = $db->jdate($assoc['date_end']); @@ -795,7 +866,7 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire } - // CAS DES SERVICES + // CASE OF SERVICES // Define sql request $sql = ''; 
@@ -805,7 +876,11 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire $sql = "SELECT d.rowid, d.product_type as dtype, d.".$fk_facture." as facid, d.$f_rate as rate, d.total_ht as total_ht, d.total_ttc as total_ttc, d.".$total_tva." as total_vat, d.description as descr,"; $sql .= " d.".$total_localtax1." as total_localtax1, d.".$total_localtax2." as total_localtax2, "; $sql .= " d.date_start as date_start, d.date_end as date_end,"; - $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef, s.nom as company_name, s.rowid as company_id,"; + $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef,"; + $sql .= " s.nom as company_name, s.name_alias as company_alias, s.rowid as company_id, s.client as company_client, s.fournisseur as company_fournisseur, s.email as company_email,"; + $sql .= " s.code_client as company_customer_code, s.code_fournisseur as company_supplier_code,"; + $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,"; + $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,"; $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,"; $sql .= " 0 as payment_id, 0 as payment_amount"; $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f"; 
@@ -844,7 +919,11 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire $sql = "SELECT d.rowid, d.product_type as dtype, d.".$fk_facture." as facid, d.$f_rate as rate, d.total_ht as total_ht, d.total_ttc as total_ttc, d.".$total_tva." as total_vat, d.description as descr,"; $sql .= " d.".$total_localtax1." as total_localtax1, d.".$total_localtax2." as total_localtax2, "; $sql .= " d.date_start as date_start, d.date_end as date_end,"; - $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef, s.nom as company_name, s.rowid as company_id,"; + $sql .= " f.".$invoicefieldref." as facnum, f.type, f.total_ttc as ftotal_ttc, f.datef,"; + $sql .= " s.nom as company_name, s.name_alias as company_alias, s.rowid as company_id, s.client as company_client, s.fournisseur as company_fournisseur, s.email as company_email,"; + $sql .= " s.code_client as company_customer_code, s.code_fournisseur as company_supplier_code,"; + $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,"; + $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,"; $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,"; $sql .= " pf.".$fk_payment." as payment_id, pf.amount as payment_amount,"; $sql .= " pa.datep as datep"; 
@@ -922,11 +1001,23 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire $list[$assoc['rate']]['dtype'][] = $assoc['dtype']; $list[$assoc['rate']]['datef'][] = $db->jdate($assoc['datef']); $list[$assoc['rate']]['datep'][] = $db->jdate($assoc['datep']); - $list[$assoc['rate']]['company_name'][] = $assoc['company_name']; - $list[$assoc['rate']]['company_id'][] = $assoc['company_id']; + $list[$assoc['rate']]['ddate_start'][] = $db->jdate($assoc['date_start']); $list[$assoc['rate']]['ddate_end'][] = $db->jdate($assoc['date_end']); + $list[$assoc['rate']]['company_name'][] = $assoc['company_name']; + $list[$assoc['rate']]['company_id'][] = $assoc['company_id']; + $list[$assoc['rate']]['company_alias'][] = $assoc['company_alias']; + $list[$assoc['rate']]['company_email'][] = $assoc['company_email']; + $list[$assoc['rate']]['company_tva_intra'][] = $assoc['company_tva_intra']; + $list[$assoc['rate']]['company_client'][] = $assoc['company_client']; + $list[$assoc['rate']]['company_fournisseur'][] = $assoc['company_fournisseur']; + $list[$assoc['rate']]['company_customer_code'][] = $assoc['company_customer_code']; + $list[$assoc['rate']]['company_supplier_code'][] = $assoc['company_supplier_code']; + $list[$assoc['rate']]['company_customer_accounting_code'][] = $assoc['company_customer_accounting_code']; + $list[$assoc['rate']]['company_supplier_accounting_code'][] = $assoc['company_supplier_accounting_code']; + $list[$assoc['rate']]['company_status'][] = $assoc['company_status']; + $list[$assoc['rate']]['facid'][] = $assoc['facid']; $list[$assoc['rate']]['facnum'][] = $assoc['facnum']; $list[$assoc['rate']]['type'][] = $assoc['type']; From 5a8d757a307d2c4ab8f4108c059789b1ef5fa47f Mon Sep 17 00:00:00 2001 
From: Laurent Destailleur Date: Mon, 22 Mar 2021 18:23:29 +0100 Subject: [PATCH 11/47] Add missing data --- htdocs/compta/tva/clients.php | 15 +++++++++++++++ htdocs/core/lib/tax.lib.php | 8 ++++---- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/htdocs/compta/tva/clients.php b/htdocs/compta/tva/clients.php index a7c82d32f81..2161702ae1c 100644 --- a/htdocs/compta/tva/clients.php +++ b/htdocs/compta/tva/clients.php @@ -248,9 +248,13 @@ if (!is_array($x_coll) || !is_array($x_paye)) { $x_both[$my_coll_thirdpartyid]['coll']['detail'][] = array( 'id' =>$x_coll[$my_coll_thirdpartyid]['facid'][$id], 'descr' =>$x_coll[$my_coll_thirdpartyid]['descr'][$id], + 'pid' =>$x_coll[$my_coll_thirdpartyid]['pid'][$id], 'pref' =>$x_coll[$my_coll_thirdpartyid]['pref'][$id], 'ptype' =>$x_coll[$my_coll_thirdpartyid]['ptype'][$id], + 'pstatus' =>$x_paye[$my_coll_thirdpartyid]['pstatus'][$id], + 'pstatusbuy'=>$x_paye[$my_coll_thirdpartyid]['pstatusbuy'][$id], + 'payment_id'=>$x_coll[$my_coll_thirdpartyid]['payment_id'][$id], 'payment_amount'=>$x_coll[$my_coll_thirdpartyid]['payment_amount'][$id], 'ftotal_ttc'=>$x_coll[$my_coll_thirdpartyid]['ftotal_ttc'][$id], @@ -291,9 +295,13 @@ if (!is_array($x_coll) || !is_array($x_paye)) { $x_both[$my_paye_thirdpartyid]['paye']['detail'][] = array( 'id' =>$x_paye[$my_paye_thirdpartyid]['facid'][$id], 'descr' =>$x_paye[$my_paye_thirdpartyid]['descr'][$id], + 'pid' =>$x_paye[$my_paye_thirdpartyid]['pid'][$id], 'pref' =>$x_paye[$my_paye_thirdpartyid]['pref'][$id], 'ptype' =>$x_paye[$my_paye_thirdpartyid]['ptype'][$id], + 'pstatus' =>$x_paye[$my_paye_thirdpartyid]['pstatus'][$id], + 'pstatusbuy' =>$x_paye[$my_paye_thirdpartyid]['pstatusbuy'][$id], + 'payment_id' =>$x_paye[$my_paye_thirdpartyid]['payment_id'][$id], 'payment_amount' =>$x_paye[$my_paye_thirdpartyid]['payment_amount'][$id], 'ftotal_ttc' =>price2num($x_paye[$my_paye_thirdpartyid]['ftotal_ttc'][$id]), 
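Review bot: `'pstatus' =>$x_paye[$my_coll_thirdpartyid]['pstatus'][$id],` and `'pstatusbuy'=>$x_paye[$my_coll_thirdpartyid]['pstatusbuy'][$id],` are added inside the customer loop (`$x_both[$my_coll_thirdpartyid]['coll']['detail']`) but read the supplier array `$x_paye` with the customer index — both should be `$x_coll[$my_coll_thirdpartyid][...]`. Separately, the diffstat shows tax.lib.php changed by only four SELECT lines in this patch, so unless the result loop was updated elsewhere, `$list[...]['pstatus']` and `['pstatusbuy']` are never filled and every one of these reads returns null with an undefined-index notice.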
@@ -328,9 +336,13 @@ if (!is_array($x_coll) || !is_array($x_paye)) { $x_both[$my_paye_thirdpartyid]['paye']['detail'][] = array( 'id' =>$x_paye[$my_paye_thirdpartyid]['facid'][$id], 'descr' =>$x_paye[$my_paye_thirdpartyid]['descr'][$id], + 'pid' =>$x_paye[$my_paye_thirdpartyid]['pid'][$id], 'pref' =>$x_paye[$my_paye_thirdpartyid]['pref'][$id], 'ptype' =>$x_paye[$my_paye_thirdpartyid]['ptype'][$id], + 'pstatus' =>$x_paye[$my_paye_thirdpartyid]['pstatus'][$id], + 'pstatusbuy'=>$x_paye[$my_paye_thirdpartyid]['pstatusbuy'][$id], + 'payment_id'=>$x_paye[$my_paye_thirdpartyid]['payment_id'][$id], 'payment_amount'=>$x_paye[$my_paye_thirdpartyid]['payment_amount'][$id], 'ftotal_ttc'=>price2num($x_paye[$my_paye_thirdpartyid]['ftotal_ttc'][$id]), @@ -450,6 +462,9 @@ if (!is_array($x_coll) || !is_array($x_paye)) { $product_static->id = $fields['pid']; $product_static->ref = $fields['pref']; $product_static->type = $fields['dtype']; // We force with the type of line to have type how line is registered + $product_static->status = $fields['pstatus']; + $product_static->status_buy = $fields['pstatusbuy']; + print $product_static->getNomUrl(1); if (dol_string_nohtmltag($fields['descr'])) { print ' - '.dol_trunc(dol_string_nohtmltag($fields['descr']), 24); diff --git a/htdocs/core/lib/tax.lib.php b/htdocs/core/lib/tax.lib.php index fa8219c41c7..062915939ac 100644 --- a/htdocs/core/lib/tax.lib.php +++ b/htdocs/core/lib/tax.lib.php 
@@ -148,7 +148,7 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
 $sql .= " s.code_client as company_customer_code, s.code_fournisseur as company_supplier_code,";
 $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,";
 $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,";
- $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,";
+ $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype, p.tosell as pstatus, p.tobuy as pstatusbuy,";
 $sql .= " 0 as payment_id, 0 as payment_amount";
 $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f,";
 $sql .= " ".MAIN_DB_PREFIX."societe as s,";
@@ -193,7 +193,7 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
 $sql .= " s.code_client as company_customer_code, s.code_fournisseur as company_supplier_code,";
 $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,";
 $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,";
- $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,";
+ $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype, p.tosell as pstatus, p.tobuy as pstatusbuy,";
 $sql .= " pf.".$fk_payment." as payment_id, pf.amount as payment_amount,";
 $sql .= " pa.datep as datep";
 $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f,";
@@ -333,7 +333,7 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
 $sql .= " s.code_client as company_customer_code, s.code_fournisseur as company_supplier_code,";
 $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,";
 $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,";
- $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,";
+ $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype, p.tosell as pstatus, p.tobuy as pstatusbuy,";
 $sql .= " 0 as payment_id, 0 as payment_amount";
 $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f,";
 $sql .= " ".MAIN_DB_PREFIX."societe as s,";
@@ -378,7 +378,7 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
 $sql .= " s.code_client as company_customer_code, s.code_fournisseur as company_supplier_code,";
 $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,";
 $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,";
- $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,";
+ $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype, p.tosell as pstatus, p.tobuy as pstatusbuy,";
 $sql .= " pf.".$fk_payment." as payment_id, pf.amount as payment_amount,";
 $sql .= " pa.datep as datep";
 $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f,";
From 010b08444465b006f6e12879036145a96e4e941f Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 22 Mar 2021 18:32:36 +0100
Subject: [PATCH 12/47] Do not load each invoice of payment for tooltip
---
 htdocs/compta/tva/quadri_detail.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/htdocs/compta/tva/quadri_detail.php b/htdocs/compta/tva/quadri_detail.php
index 4b2396a4fc9..a3bfcbfdbc0 100644
--- a/htdocs/compta/tva/quadri_detail.php
+++ b/htdocs/compta/tva/quadri_detail.php
@@ -546,7 +546,7 @@ if (!is_array($x_coll) || !is_array($x_paye)) {
 //print $fields['totalht']."-".$fields['payment_amount']."-".$fields['ftotal_ttc'];
 if ($fields['payment_amount'] && $fields['ftotal_ttc']) {
 $payment_static->id = $fields['payment_id'];
- print $payment_static->getNomUrl(2);
+ print $payment_static->getNomUrl(2, '', '', 0).' ';
 }
 if (($type == 0 && $conf->global->TAX_MODE_SELL_PRODUCT == 'invoice')
 || ($type == 1 && $conf->global->TAX_MODE_SELL_SERVICE == 'invoice')) {
@@ -612,7 +612,7 @@ if (!is_array($x_coll) || !is_array($x_paye)) {
 // Blank line
 print '
 
'.$elementsup.''.$langs->trans("DateInvoice").'';
 if ($fields['payment_amount'] && $fields['ftotal_ttc']) {
 $paymentfourn_static->id = $fields['payment_id'];
- print $paymentfourn_static->getNomUrl(2);
+ print $paymentfourn_static->getNomUrl(2, '', '', 0).' ';
 }
 if (($type == 0 && $conf->global->TAX_MODE_BUY_PRODUCT == 'invoice')
From f405505e0f450317631e31e4ede7fcb3a5416737 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 22 Mar 2021 18:34:01 +0100
Subject: [PATCH 13/47] Do not load each invoice of payment for tooltip
---
 htdocs/compta/tva/clients.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/compta/tva/clients.php b/htdocs/compta/tva/clients.php
index 2161702ae1c..1a0959575e8 100644
--- a/htdocs/compta/tva/clients.php
+++ b/htdocs/compta/tva/clients.php
@@ -510,7 +510,7 @@ if (!is_array($x_coll) || !is_array($x_paye)) {
 //print $fields['totalht']."-".$fields['payment_amount']."-".$fields['ftotal_ttc'];
 if ($fields['payment_amount'] && $fields['ftotal_ttc']) {
 $payment_static->id = $fields['payment_id'];
- print $payment_static->getNomUrl(2);
+ print $payment_static->getNomUrl(2, '', '', 0).' ';
 }
 if (($type == 0 && $conf->global->TAX_MODE_SELL_PRODUCT == 'invoice')
 || ($type == 1 && $conf->global->TAX_MODE_SELL_SERVICE == 'invoice')) {
@@ -698,7 +698,7 @@ if (!is_array($x_coll) || !is_array($x_paye)) {
 print '';
 if ($fields['payment_amount'] && $fields['ftotal_ttc']) {
 $paymentfourn_static->id = $fields['payment_id'];
- print $paymentfourn_static->getNomUrl(2);
+ print $paymentfourn_static->getNomUrl(2, '', '', 0);
 }
 if (($type == 0 && $conf->global->TAX_MODE_BUY_PRODUCT == 'invoice')
From cce4ebdb8c115ba29a32a3bc595be34ede46dc33 Mon Sep 17 00:00:00 2001
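Review bot: The `@@ -698` hunk of clients.php drops the trailing `.' '` that the other three rewritten call sites in this commit and the previous one append after `getNomUrl(2, '', '', 0)`, so the supplier payment link on this page is the only one rendered without the separating space. For consistency make it `print $paymentfourn_static->getNomUrl(2, '', '', 0).' ';`. The enclosing block starts and ends outside the hunk.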
From: Laurent Destailleur
Date: Mon, 22 Mar 2021 18:50:47 +0100
Subject: [PATCH 14/47] Clean code
---
 .../compta/paiement/class/paiement.class.php | 3 ++-
 htdocs/compta/tva/clients.php | 5 +++++
 htdocs/compta/tva/quadri_detail.php | 2 ++
 htdocs/core/lib/tax.lib.php | 21 ++++++++++++-------
 4 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/htdocs/compta/paiement/class/paiement.class.php b/htdocs/compta/paiement/class/paiement.class.php
index 73962cabaca..91759ad824f 100644
--- a/htdocs/compta/paiement/class/paiement.class.php
+++ b/htdocs/compta/paiement/class/paiement.class.php
@@ -1127,9 +1127,10 @@ class Paiement extends CommonObject
 * @param string $option Sur quoi pointe le lien
 * @param string $mode 'withlistofinvoices'=Include list of invoices into tooltip
 * @param int $notooltip 1=Disable tooltip
+ * @param string $morecss Add more CSS
 * @return string Chaine avec URL
 */
- public function getNomUrl($withpicto = 0, $option = '', $mode = 'withlistofinvoices', $notooltip = 0)
+ public function getNomUrl($withpicto = 0, $option = '', $mode = 'withlistofinvoices', $notooltip = 0, $morecss = '')
 {
 global $conf, $langs;
diff --git a/htdocs/compta/tva/clients.php b/htdocs/compta/tva/clients.php
index 1a0959575e8..5b990258672 100644
--- a/htdocs/compta/tva/clients.php
+++ b/htdocs/compta/tva/clients.php
@@ -256,6 +256,7 @@ if (!is_array($x_coll) || !is_array($x_paye)) {
 'pstatusbuy'=>$x_paye[$my_coll_thirdpartyid]['pstatusbuy'][$id],
 'payment_id'=>$x_coll[$my_coll_thirdpartyid]['payment_id'][$id],
+ 'payment_ref'=>$x_coll[$my_coll_thirdpartyid]['payment_ref'][$id],
 'payment_amount'=>$x_coll[$my_coll_thirdpartyid]['payment_amount'][$id],
 'ftotal_ttc'=>$x_coll[$my_coll_thirdpartyid]['ftotal_ttc'][$id],
 'dtotal_ttc'=>$x_coll[$my_coll_thirdpartyid]['dtotal_ttc'][$id],
@@ -303,6 +304,7 @@ if (!is_array($x_coll) || !is_array($x_paye)) {
 'pstatusbuy' =>$x_paye[$my_paye_thirdpartyid]['pstatusbuy'][$id],
 'payment_id' =>$x_paye[$my_paye_thirdpartyid]['payment_id'][$id],
+ 'payment_ref' =>$x_paye[$my_paye_thirdpartyid]['payment_ref'][$id],
 'payment_amount' =>$x_paye[$my_paye_thirdpartyid]['payment_amount'][$id],
 'ftotal_ttc' =>price2num($x_paye[$my_paye_thirdpartyid]['ftotal_ttc'][$id]),
 'dtotal_ttc' =>price2num($x_paye[$my_paye_thirdpartyid]['dtotal_ttc'][$id]),
@@ -344,6 +346,7 @@ if (!is_array($x_coll) || !is_array($x_paye)) {
 'pstatusbuy'=>$x_paye[$my_paye_thirdpartyid]['pstatusbuy'][$id],
 'payment_id'=>$x_paye[$my_paye_thirdpartyid]['payment_id'][$id],
+ 'payment_ref'=>$x_paye[$my_paye_thirdpartyid]['payment_ref'][$id],
 'payment_amount'=>$x_paye[$my_paye_thirdpartyid]['payment_amount'][$id],
 'ftotal_ttc'=>price2num($x_paye[$my_paye_thirdpartyid]['ftotal_ttc'][$id]),
 'dtotal_ttc'=>price2num($x_paye[$my_paye_thirdpartyid]['dtotal_ttc'][$id]),
@@ -510,6 +513,7 @@ if (!is_array($x_coll) || !is_array($x_paye)) {
 //print $fields['totalht']."-".$fields['payment_amount']."-".$fields['ftotal_ttc'];
 if ($fields['payment_amount'] && $fields['ftotal_ttc']) {
 $payment_static->id = $fields['payment_id'];
+ $payment_static->ref = $fields['payment_ref'];
 print $payment_static->getNomUrl(2, '', '', 0).' ';
 }
 if (($type == 0 && $conf->global->TAX_MODE_SELL_PRODUCT == 'invoice')
@@ -698,6 +702,7 @@ if (!is_array($x_coll) || !is_array($x_paye)) {
 print '';
 if ($fields['payment_amount'] && $fields['ftotal_ttc']) {
 $paymentfourn_static->id = $fields['payment_id'];
+ $paymentfourn_static->ref = $fields['payment_ref'];
 print $paymentfourn_static->getNomUrl(2, '', '', 0);
 }
diff --git a/htdocs/compta/tva/quadri_detail.php b/htdocs/compta/tva/quadri_detail.php
index a3bfcbfdbc0..6ad97562c55 100644
--- a/htdocs/compta/tva/quadri_detail.php
+++ b/htdocs/compta/tva/quadri_detail.php
@@ -546,6 +546,7 @@ if (!is_array($x_coll) || !is_array($x_paye)) {
 //print $fields['totalht']."-".$fields['payment_amount']."-".$fields['ftotal_ttc'];
 if ($fields['payment_amount'] && $fields['ftotal_ttc']) {
 $payment_static->id = $fields['payment_id'];
+ $payment_static->ref = $fields['payment_ref'];
 print $payment_static->getNomUrl(2, '', '', 0).' ';
 }
 if (($type == 0 && $conf->global->TAX_MODE_SELL_PRODUCT == 'invoice')
@@ -779,6 +780,7 @@ if (!is_array($x_coll) || !is_array($x_paye)) {
 print '';
 if ($fields['payment_amount'] && $fields['ftotal_ttc']) {
 $paymentfourn_static->id = $fields['payment_id'];
+ $paymentfourn_static->ref = $fields['payment_ref'];
 print $paymentfourn_static->getNomUrl(2, '', '', 0).' ';
 }
diff --git a/htdocs/core/lib/tax.lib.php b/htdocs/core/lib/tax.lib.php
index 062915939ac..743a847b2f2 100644
--- a/htdocs/core/lib/tax.lib.php
+++ b/htdocs/core/lib/tax.lib.php
@@ -149,7 +149,7 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
 $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,";
 $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,";
 $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype, p.tosell as pstatus, p.tobuy as pstatusbuy,";
- $sql .= " 0 as payment_id, 0 as payment_amount";
+ $sql .= " 0 as payment_id, '' as payment_ref, 0 as payment_amount";
 $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f,";
 $sql .= " ".MAIN_DB_PREFIX."societe as s,";
 $sql .= " ".MAIN_DB_PREFIX.$invoicedettable." as d";
@@ -195,7 +195,7 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
 $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,";
 $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype, p.tosell as pstatus, p.tobuy as pstatusbuy,";
 $sql .= " pf.".$fk_payment." as payment_id, pf.amount as payment_amount,";
- $sql .= " pa.datep as datep";
+ $sql .= " pa.datep as datep, pa.ref as payment_ref";
 $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f,";
 $sql .= " ".MAIN_DB_PREFIX.$paymentfacturetable." as pf,";
 $sql .= " ".MAIN_DB_PREFIX.$paymenttable." as pa,";
@@ -334,7 +334,7 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
 $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,";
 $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,";
 $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype, p.tosell as pstatus, p.tobuy as pstatusbuy,";
- $sql .= " 0 as payment_id, 0 as payment_amount";
+ $sql .= " 0 as payment_id, '' as payment_ref, 0 as payment_amount";
 $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f,";
 $sql .= " ".MAIN_DB_PREFIX."societe as s,";
 $sql .= " ".MAIN_DB_PREFIX.$invoicedettable." as d";
@@ -380,7 +380,7 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
 $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,";
 $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype, p.tosell as pstatus, p.tobuy as pstatusbuy,";
 $sql .= " pf.".$fk_payment." as payment_id, pf.amount as payment_amount,";
- $sql .= " pa.datep as datep";
+ $sql .= " pa.datep as datep, pa.ref as payment_ref";
 $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f,";
 $sql .= " ".MAIN_DB_PREFIX.$paymentfacturetable." as pf,";
 $sql .= " ".MAIN_DB_PREFIX.$paymenttable." as pa,";
@@ -492,6 +492,7 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
 $list[$assoc['company_id']]['ptype'][] = $assoc['ptype'];
 $list[$assoc['company_id']]['payment_id'][] = $assoc['payment_id'];
+ $list[$assoc['company_id']]['payment_ref'][] = $assoc['payment_ref'];
 $list[$assoc['company_id']]['payment_amount'][] = $assoc['payment_amount'];
 $company_id = $assoc['company_id'];
@@ -614,6 +615,7 @@ function tax_by_thirdparty($type, $db, $y, $date_start, $date_end, $modetax, $di
 $list[$assoc['company_id']]['ptype'][] = 'ExpenseReportPayment';
 $list[$assoc['company_id']]['payment_id'][] = $assoc['payment_id'];
+ $list[$assoc['company_id']]['payment_ref'][] = $assoc['payment_ref'];
 $list[$assoc['company_id']]['payment_amount'][] = $assoc['payment_amount'];
 $company_id = $assoc['company_id'];
@@ -703,7 +705,7 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
 $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,";
 $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,";
 $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,";
- $sql .= " 0 as payment_id, 0 as payment_amount";
+ $sql .= " 0 as payment_id, '' as payment_ref, 0 as payment_amount";
 $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX.$invoicedettable." as d ON d.".$fk_facture."=f.rowid";
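Review bot: In the `@@ -614` hunk the new `$list[$assoc['company_id']]['payment_ref'][] = $assoc['payment_ref'];` runs inside the `ExpenseReportPayment` loop, but the only SELECTs this commit extends with `pa.ref as payment_ref` or the `'' as payment_ref` placeholder are the invoice queries; the query that feeds this loop is not in the diff, so unless it already returns a `payment_ref` column the read is an undefined index on every row and the payment link built from it gets an empty ref. The same applies to the `@@ -1144` hunk of tax_by_rate on the next hunk line. Either extend that SELECT as well or guard the read with `isset($assoc['payment_ref']) ? $assoc['payment_ref'] : ''`. tax_by_thirdparty starts and ends outside the hunk.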
@@ -747,7 +749,7 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
 $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,";
 $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,";
 $sql .= " pf.".$fk_payment." as payment_id, pf.amount as payment_amount,";
- $sql .= " pa.datep as datep";
+ $sql .= " pa.datep as datep, pa.ref as payment_ref";
 $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX.$paymentfacturetable." as pf ON pf.".$fk_facture2." = f.rowid";;
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX.$paymenttable." as pa ON pa.rowid = pf.".$fk_payment;
@@ -855,6 +857,7 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
 $list[$assoc['rate']]['ptype'][] = $assoc['ptype'];
 $list[$assoc['rate']]['payment_id'][] = $assoc['payment_id'];
+ $list[$assoc['rate']]['payment_ref'][] = $assoc['payment_ref'];
 $list[$assoc['rate']]['payment_amount'][] = $assoc['payment_amount'];
 $rate = $assoc['rate'];
@@ -882,7 +885,7 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
 $sql .= " s.code_compta as company_customer_accounting_code, s.code_compta_fournisseur as company_supplier_accounting_code,";
 $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,";
 $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,";
- $sql .= " 0 as payment_id, 0 as payment_amount";
+ $sql .= " 0 as payment_id, '' as payment_ref, 0 as payment_amount";
 $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX.$invoicedettable." as d ON d.".$fk_facture." = f.rowid";
@@ -926,7 +929,7 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
 $sql .= " s.status as company_status, s.tva_intra as company_tva_intra,";
 $sql .= " p.rowid as pid, p.ref as pref, p.fk_product_type as ptype,";
 $sql .= " pf.".$fk_payment." as payment_id, pf.amount as payment_amount,";
- $sql .= " pa.datep as datep";
+ $sql .= " pa.datep as datep, pa.ref as payment_ref";
 $sql .= " FROM ".MAIN_DB_PREFIX.$invoicetable." as f";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX.$paymentfacturetable." as pf ON pf.".$fk_facture2." = f.rowid";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX.$paymenttable." as pa ON pa.rowid = pf.".$fk_payment;
@@ -1034,6 +1037,7 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
 $list[$assoc['rate']]['ptype'][] = $assoc['ptype'];
 $list[$assoc['rate']]['payment_id'][] = $assoc['payment_id'];
+ $list[$assoc['rate']]['payment_ref'][] = $assoc['payment_ref'];
 $list[$assoc['rate']]['payment_amount'][] = $assoc['payment_amount'];
 $rate = $assoc['rate'];
@@ -1144,6 +1148,7 @@ function tax_by_rate($type, $db, $y, $q, $date_start, $date_end, $modetax, $dire
 $list[$assoc['rate']]['ptype'][] = 'ExpenseReportPayment';
 $list[$assoc['rate']]['payment_id'][] = $assoc['payment_id'];
+ $list[$assoc['rate']]['payment_ref'][] = $assoc['payment_ref'];
 $list[$assoc['rate']]['payment_amount'][] = $assoc['payment_amount'];
 $rate = $assoc['rate'];
From ca0a04fb61b046bc32c919dc6b1ee09468259bcb Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 22 Mar 2021 18:56:02 +0100
Subject: [PATCH 15/47] Fix missing payment ref
---
 htdocs/compta/tva/quadri_detail.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/htdocs/compta/tva/quadri_detail.php b/htdocs/compta/tva/quadri_detail.php
index 6ad97562c55..d3871968ed5 100644
--- a/htdocs/compta/tva/quadri_detail.php
+++ b/htdocs/compta/tva/quadri_detail.php
@@ -257,6 +257,7 @@ if (!is_array($x_coll) || !is_array($x_paye)) {
 'pref' =>$x_coll[$my_coll_rate]['pref'][$id],
 'ptype' =>$x_coll[$my_coll_rate]['ptype'][$id],
 'payment_id'=>$x_coll[$my_coll_rate]['payment_id'][$id],
+ 'payment_ref'=>$x_coll[$my_coll_rate]['payment_ref'][$id],
 'payment_amount'=>$x_coll[$my_coll_rate]['payment_amount'][$id],
 'ftotal_ttc'=>$x_coll[$my_coll_rate]['ftotal_ttc'][$id],
 'dtotal_ttc'=>$x_coll[$my_coll_rate]['dtotal_ttc'][$id],
@@ -299,6 +300,7 @@ if (!is_array($x_coll) || !is_array($x_paye)) {
 'pref' =>$x_paye[$my_paye_rate]['pref'][$id],
 'ptype' =>$x_paye[$my_paye_rate]['ptype'][$id],
 'payment_id' =>$x_paye[$my_paye_rate]['payment_id'][$id],
+ 'payment_ref' =>$x_paye[$my_paye_rate]['payment_ref'][$id],
 'payment_amount' =>$x_paye[$my_paye_rate]['payment_amount'][$id],
 'ftotal_ttc' =>price2num($x_paye[$my_paye_rate]['ftotal_ttc'][$id]),
 'dtotal_ttc' =>price2num($x_paye[$my_paye_rate]['dtotal_ttc'][$id]),
@@ -334,6 +336,7 @@ if (!is_array($x_coll) || !is_array($x_paye)) {
 'pref' =>$x_paye[$my_paye_rate]['pref'][$id],
 'ptype' =>$x_paye[$my_paye_rate]['ptype'][$id],
 'payment_id'=>$x_paye[$my_paye_rate]['payment_id'][$id],
+ 'payment_ref'=>$x_paye[$my_paye_rate]['payment_ref'][$id],
 'payment_amount'=>$x_paye[$my_paye_rate]['payment_amount'][$id],
 'ftotal_ttc'=>price2num($x_paye[$my_paye_rate]['ftotal_ttc'][$id]),
 'dtotal_ttc'=>price2num($x_paye[$my_paye_rate]['dtotal_ttc'][$id]),
From 146706bafa5ea2001effe53d33d2dccd32f77929 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 22 Mar 2021 19:11:29 +0100
Subject: [PATCH 16/47] Fix label
---
 htdocs/compta/tva/payments.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/compta/tva/payments.php b/htdocs/compta/tva/payments.php
index 73e2dae0e05..4eec7ca85a1 100644
--- a/htdocs/compta/tva/payments.php
+++ b/htdocs/compta/tva/payments.php
@@ -122,7 +122,7 @@ if (!empty($conf->tax->enabled) && $user->rights->tax->charges->lire) {
 print_liste_field_titre("DatePayment", $_SERVER["PHP_SELF"], "ptva.datep", "", $param, 'align="center"', $sortfield, $sortorder);
 print_liste_field_titre("Type", $_SERVER["PHP_SELF"], "pct.code", "", $param, '', $sortfield, $sortorder);
 print_liste_field_titre("BankAccount", $_SERVER["PHP_SELF"], "bank.ref", "", $param, '', $sortfield, $sortorder);
- print_liste_field_titre("LabelContrib", $_SERVER["PHP_SELF"], "tva.label", "", $param, '', $sortfield, $sortorder);
+ print_liste_field_titre("VATDeclaration", $_SERVER["PHP_SELF"], "tva.label", "", $param, '', $sortfield, $sortorder);
 //print_liste_field_titre("TypeContrib", $_SERVER["PHP_SELF"], "tva.fk_type", "", $param, '', $sortfield, $sortorder);
 print_liste_field_titre("PeriodEndDate", $_SERVER["PHP_SELF"], "tva.datev", "", $param, 'width="140px"', $sortfield, $sortorder);
 print_liste_field_titre("ExpectedToPay", $_SERVER["PHP_SELF"], "tva.amount", "", $param, 'class="right"', $sortfield, $sortorder);
From 3f07317f308f7ec39973e18364e91ab9f97251e8 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 22 Mar 2021 19:19:18 +0100
Subject: [PATCH 17/47] FIx #yogosha5695
---
 htdocs/install/fileconf.php | 2 +-
 htdocs/install/inc.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/htdocs/install/fileconf.php b/htdocs/install/fileconf.php
index cfe42adc79f..0ca5805ba24 100644
--- a/htdocs/install/fileconf.php
+++ b/htdocs/install/fileconf.php
@@ -33,7 +33,7 @@ global $langs;
 $err = 0;
-$setuplang = GETPOST("selectlang", '', 3) ?GETPOST("selectlang", '', 3) : (isset($_GET["lang"]) ? $_GET["lang"] : 'auto');
+$setuplang = GETPOST("selectlang", '', 3) ? GETPOST("selectlang", '', 3) : (GETPOST('lang', 'alpha', 1) ? GETPOST('lang', 'alpha', 1) : 'auto');
 $langs->setDefaultLang($setuplang);
 $langs->loadLangs(array("install", "errors"));
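Review bot: In the fileconf.php hunk the `lang` fallback now goes through `GETPOST('lang', 'alpha', 1)` instead of the raw `$_GET["lang"]`, but the first branch on the same line still calls `GETPOST("selectlang", '', 3)` with an empty check type, so whether that value is sanitized at all depends on how GETPOST treats an empty check, which is not visible here. `$setuplang` is then handed to `$langs->setDefaultLang()` and, in the inc.php hunk, appears to be printed back into the page inside `if ($setuplang)`, so both branches should be held to the same rule: `GETPOST('selectlang', 'alpha', 3)`. Both hunks are one-line changes inside blocks that start and end outside the diff.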
diff --git a/htdocs/install/inc.php b/htdocs/install/inc.php index 91ceae9eaaa..27a3fc01abd 100644 --- a/htdocs/install/inc.php +++ b/htdocs/install/inc.php @@ -518,7 +518,7 @@ function pFooter($nonext = 0, $setuplang = '', $jscheckfunction = '', $withpleas } } if ($setuplang) { - print ''; + print ''; } print ''."\n"; From f7ba0ee381961237cdf5d1c4c7d4781afb515731 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 22 Mar 2021 22:50:43 +0100 Subject: [PATCH 18/47] Fix set of parent company with ajax --- htdocs/core/class/html.form.class.php | 25 +++++++++++++++++-------- htdocs/societe/ajax/company.php | 6 ++++++ htdocs/societe/card.php | 4 ++-- 3 files changed, 25 insertions(+), 10 deletions(-) diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index 309ebba3062..848b07bd450 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php 
@@ -1227,9 +1228,10 @@ class Form
 * @param int $hidelabel Hide label (0=no, 1=yes, 2=show search icon (before) and placeholder, 3 search icon after)
 * @param array $ajaxoptions Options for ajax_autocompleter
 * @param bool $multiple add [] in the name of element and add 'multiple' attribut (not working with ajax_autocompleter)
+ * @param array $excludeids Exclude IDs from the select combo
 * @return string HTML string with select box for thirdparty.
 */
- public function select_company($selected = '', $htmlname = 'socid', $filter = '', $showempty = '', $showtype = 0, $forcecombo = 0, $events = array(), $limit = 0, $morecss = 'minwidth100', $moreparam = '', $selected_input_value = '', $hidelabel = 1, $ajaxoptions = array(), $multiple = false)
+ public function select_company($selected = '', $htmlname = 'socid', $filter = '', $showempty = '', $showtype = 0, $forcecombo = 0, $events = array(), $limit = 0, $morecss = 'minwidth100', $moreparam = '', $selected_input_value = '', $hidelabel = 1, $ajaxoptions = array(), $multiple = false, $excludeids = array())
 {
 // phpcs:enable
 global $conf, $user, $langs;
@@ -1237,6 +1238,9 @@ class Form
 $out = '';
 if (!empty($conf->use_javascript_ajax) && !empty($conf->global->COMPANY_USE_SEARCH_TO_SELECT) && !$forcecombo) {
+ if (is_null($ajaxoptions)) {
+ $ajaxoptions = array();
+ }
 // No immediate load of all database
 $placeholder = '';
 if ($selected && empty($selected_input_value)) {
@@ -1247,7 +1251,7 @@ class Form
 unset($societetmp);
 }
 // mode 1
- $urloption = 'htmlname='.urlencode($htmlname).'&outjson=1&filter='.urlencode($filter).($showtype ? '&showtype='.urlencode($showtype) : '');
+ $urloption = 'htmlname='.urlencode($htmlname).'&outjson=1&filter='.urlencode($filter).(empty($excludeids) ? '' : '&excludeids='.join(',', $excludeids)).($showtype ? '&showtype='.urlencode($showtype) : '');
 $out .= ajax_autocompleter($selected, $htmlname, DOL_URL_ROOT.'/societe/ajax/company.php', $urloption, $conf->global->COMPANY_USE_SEARCH_TO_SELECT, 0, $ajaxoptions);
 $out .= '';
 if (empty($hidelabel)) {
@@ -1264,7 +1268,7 @@ class Form
 }
 } else {
 // Immediate load of all database
- $out .= $this->select_thirdparty_list($selected, $htmlname, $filter, $showempty, $showtype, $forcecombo, $events, '', 0, $limit, $morecss, $moreparam, $multiple);
+ $out .= $this->select_thirdparty_list($selected, $htmlname, $filter, $showempty, $showtype, $forcecombo, $events, '', 0, $limit, $morecss, $moreparam, $multiple, $excludeids);
 }
 return $out;
@@ -1277,7 +1281,7 @@ class Form
 *
 * @param string $selected Preselected type
 * @param string $htmlname Name of field in form
- * @param string $filter Optional filters criteras (example: 's.rowid <> x', 's.client in (1,3)')
+ * @param string $filter Optional filters criteras (example: 's.rowid NOT IN (x)', 's.client IN (1,3)'). Do not use a filter coming from input of users.
 * @param string $showempty Add an empty field (Can be '1' or text to use on empty line like 'SelectThirdParty')
 * @param int $showtype Show third party type in combolist (customer, prospect or supplier)
 * @param int $forcecombo Force to use standard HTML select component without beautification
@@ -1288,9 +1292,10 @@ class Form
 * @param string $morecss Add more css styles to the SELECT component
 * @param string $moreparam Add more parameters onto the select tag. For example 'style="width: 95%"' to avoid select2 component to go over parent container
 * @param bool $multiple add [] in the name of element and add 'multiple' attribut
+ * @param array $excludeids Exclude IDs from the select combo
 * @return string HTML string with
 */
- public function select_thirdparty_list($selected = '', $htmlname = 'socid', $filter = '', $showempty = '', $showtype = 0, $forcecombo = 0, $events = array(), $filterkey = '', $outputmode = 0, $limit = 0, $morecss = 'minwidth100', $moreparam = '', $multiple = false)
+ public function select_thirdparty_list($selected = '', $htmlname = 'socid', $filter =''', $showempty = '', $showtype = 0, $forcecombo = 0, $events = array(), $filterkey = '', $outputmode = 0, $limit = 0, $morecss = 'minwidth100', $moreparam = '', $multiple = false, $excludeids = array())
 {
 // phpcs:enable
 global $conf, $user, $langs;
@@ -1338,6 +1343,9 @@ class Form
 if (!empty($conf->global->COMPANY_HIDE_INACTIVE_IN_COMBOBOX)) {
 $sql .= " AND s.status <> 0";
 }
+ if (!empty($excludeids)) {
+ $sql .= " AND rowid NOT IN (".$this->db->sanitize(join(',', $excludeids)).")";
+ }
 // Add criteria
 if ($filterkey && $filterkey != '') {
 $sql .= " AND (";
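Review bot: The new exclusion in the `@@ -1338` hunk filters on a bare `rowid` while the neighbouring conditions qualify their columns (`s.status <> 0`) and the old docblock example itself used `s.rowid`; if the statement joins any other table that also carries a `rowid` column — not visible in the hunk — the query fails with an ambiguous-column error instead of excluding anything. Qualify it: `$sql .= " AND s.rowid NOT IN (".$this->db->sanitize(join(',', $excludeids)).")";`. The values already pass through `$this->db->sanitize()`, so this is only about the column reference. select_thirdparty_list continues outside the hunk.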
@@ -5472,15 +5480,16 @@ class Form * @param string $page Page * @param string $selected Id preselected * @param string $htmlname Name of HTML select - * @param string $filter optional filters criteras + * @param string $filter Optional filters criteras. Do not use a filter coming from input of users. * @param int $showempty Add an empty field * @param int $showtype Show third party type in combolist (customer, prospect or supplier) * @param int $forcecombo Force to use combo box * @param array $events Event options. Example: array(array('method'=>'getContacts', 'url'=>dol_buildpath('/core/ajax/contacts.php',1), 'htmlname'=>'contactid', 'params'=>array('add-customer-contact'=>'disabled'))) * @param int $nooutput No print output. Return it only. + * @param array $excludeids Exclude IDs from the select combo * @return void|string */ - public function form_thirdparty($page, $selected = '', $htmlname = 'socid', $filter = '', $showempty = 0, $showtype = 0, $forcecombo = 0, $events = array(), $nooutput = 0) + public function form_thirdparty($page, $selected = '', $htmlname = 'socid', $filter = '', $showempty = 0, $showtype = 0, $forcecombo = 0, $events = array(), $nooutput = 0, $excludeids = array()) { // phpcs:enable global $langs; @@ -5490,7 +5499,7 @@ class Form $out .= '
'; $out .= ''; $out .= ''; - $out .= $this->select_company($selected, $htmlname, $filter, $showempty, $showtype, $forcecombo, $events); + $out .= $this->select_company($selected, $htmlname, $filter, $showempty, $showtype, $forcecombo, $events, 0, 'minwidth100', '', '', 1, array(), false, $excludeids); $out .= ''; $out .= '
';
 } else {
diff --git a/htdocs/societe/ajax/company.php b/htdocs/societe/ajax/company.php
index ba33386f360..57edbcebc1d 100644
--- a/htdocs/societe/ajax/company.php
+++ b/htdocs/societe/ajax/company.php
@@ -48,6 +48,7 @@ $filter = GETPOST('filter', 'alpha');
 $outjson = (GETPOST('outjson', 'int') ? GETPOST('outjson', 'int') : 0);
 $action = GETPOST('action', 'aZ09');
 $id = GETPOST('id', 'int');
+$excludeids = GETPOST('excludeids', 'intcomma');
 $showtype = GETPOST('showtype', 'int');
@@ -102,6 +103,11 @@ if (!empty($action) && $action == 'fetch' && !empty($id)) {
 if (!is_object($form)) {
 $form = new Form($db);
 }
+
+ if (!empty($excludeids)) {
+ $filter .= 'rowid NOT IN ('.$db->sanitize($excludeids).')';
+ }
+
 $arrayresult = $form->select_thirdparty_list(0, $htmlname, $filter, 1, $showtype, 0, null, $searchkey, $outjson);
 $db->close();
diff --git a/htdocs/societe/card.php b/htdocs/societe/card.php
index e7d40037155..d42ed635e82 100644
--- a/htdocs/societe/card.php
+++ b/htdocs/societe/card.php
@@ -2399,7 +2399,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) {
 'name' => 'soc_origin',
 'label' => $langs->trans('MergeOriginThirdparty'),
 'type' => 'other',
- 'value' => $form->select_company('', 'soc_origin', 's.rowid <> '.$object->id, 'SelectThirdParty', 0, 0, array(), 0, 'minwidth200')
+ 'value' => $form->select_company('', 'soc_origin', '', 'SelectThirdParty', 0, 0, array(), 0, 'minwidth200', '', '', 1, null, false, array($object->id))
 )
 );
@@ -2773,7 +2773,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) {
 print '
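Review bot: In the `@@ -102` hunk of company.php the exclusion is appended with `$filter .= 'rowid NOT IN (...)'` with no ` AND ` in front, and `$filter` is populated from `GETPOST('filter', 'alpha')` a few lines above, so whenever both request parameters arrive the concatenated criteria are syntactically broken and the lookup fails. Guard the join and qualify the column as in select_thirdparty_list: `$filter .= ($filter ? ' AND ' : '').'s.rowid NOT IN ('.$db->sanitize($excludeids).')';`. Separately, the docblocks updated in this commit now state that a filter must not come from user input, yet this endpoint still forwards the `filter` request parameter straight into `select_thirdparty_list`; whether the `'alpha'` check is enough to keep SQL fragments out of it is not visible here, so that parameter deserves the same treatment the commit gives to `excludeids` (a typed value the server turns into SQL itself) rather than a free-form criteria string. The enclosing `if` starts outside the hunk.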
';
 print '';
 $html_name = ($action == 'editparentcompany') ? 'parent_id' : 'none';
- $form->form_thirdparty($_SERVER['PHP_SELF'].'?socid='.$object->id, $object->parent, $html_name, 's.rowid <> '.$object->id, 1);
+ $form->form_thirdparty($_SERVER['PHP_SELF'].'?socid='.$object->id, $object->parent, $html_name, '', 1, 0, 0, null, 0, array($object->id));
 print '';
 }
From 2d5fbfc105ce5d5962632d54c663fe3c40f89e18 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 22 Mar 2021 23:43:28 +0100
Subject: [PATCH 19/47] Fix php8
---
 .../compta/paiement/class/paiement.class.php | 2 +-
 htdocs/fourn/class/paiementfourn.class.php | 22 +++++++++++++++----
 2 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/htdocs/compta/paiement/class/paiement.class.php b/htdocs/compta/paiement/class/paiement.class.php
index 91759ad824f..9dcc57a47f2 100644
--- a/htdocs/compta/paiement/class/paiement.class.php
+++ b/htdocs/compta/paiement/class/paiement.class.php
@@ -1167,7 +1167,7 @@ class Paiement extends CommonObject
 $linkclose = '';
 if (empty($notooltip)) {
 if (!empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER)) {
- $label = $langs->trans("ShowMyObject");
+ $label = $langs->trans("Payment");
 $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"';
 }
 $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"';
diff --git a/htdocs/fourn/class/paiementfourn.class.php b/htdocs/fourn/class/paiementfourn.class.php
index 41c780f70c8..b64cd32e4d6 100644
--- a/htdocs/fourn/class/paiementfourn.class.php
+++ b/htdocs/fourn/class/paiementfourn.class.php
@@ -529,9 +529,10 @@ class PaiementFourn extends Paiement * @param string $option Sur quoi pointe le lien * @param string $mode 'withlistofinvoices'=Include list of invoices into tooltip * @param int $notooltip 1=Disable tooltip + * @param string $morecss Add more CSS * @return string Chaine avec URL */ - public function getNomUrl($withpicto = 0, $option = '', $mode = 'withlistofinvoices', $notooltip = 0) + public function getNomUrl($withpicto = 0, $option = '', $mode = 'withlistofinvoices', $notooltip = 0, $morecss = '') { global $langs; @@ -547,13 +548,26 @@ class PaiementFourn extends Paiement $text = $langs->trans($reg[1]); } - $label = ''.$langs->trans("Payment").'
'; + $label = img_picto('', $this->picto).' '.$langs->trans("Payment").'
'; $label .= ''.$langs->trans("Ref").': '.$text; if ($this->datepaye ? $this->datepaye : $this->date) { - $label .= '
'.$langs->trans("Date").': '.dol_print_date($this->datepaye ? $this->datepaye : $this->date, 'dayhour'); + $label .= '
'.$langs->trans("Date").': '.dol_print_date($this->datepaye ? $this->datepaye : $this->date, 'dayhour', 'tzuser'); } - $linkstart = ''; + $linkclose = ''; + if (empty($notooltip)) { + if (!empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER)) { + $label = $langs->trans("Payment"); + $linkclose .= ' alt="'.dol_escape_htmltag($label, 1).'"'; + } + $linkclose .= ' title="'.dol_escape_htmltag($label, 1).'"'; + $linkclose .= ' class="classfortooltip'.($morecss ? ' '.$morecss : '').'"'; + } else { + $linkclose = ($morecss ? ' class="'.$morecss.'"' : ''); + } + + $linkstart = ''; $linkend = ''; $result .= $linkstart; From bc9b4fa637f6722c418ab3444c86d4e50ce95cce Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 23 Mar 2021 00:35:30 +0100 Subject: [PATCH 20/47] Fix id --- htdocs/install/mysql/data/llx_accounting_account_dz.sql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/install/mysql/data/llx_accounting_account_dz.sql b/htdocs/install/mysql/data/llx_accounting_account_dz.sql index 0a80cf0f4b4..3895c1ff604 100644 --- a/htdocs/install/mysql/data/llx_accounting_account_dz.sql +++ b/htdocs/install/mysql/data/llx_accounting_account_dz.sql 
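Review bot: The new tooltip code reads `$conf->global->MAIN_OPTIMIZEFORTEXTBROWSER`, but the method only declares `global $langs;` (first hunk), so unless the lines between the two hunks import it, `$conf` is undefined inside getNomUrl and the `!empty()` test silently stays false; change it to `global $conf, $langs;`. `$morecss` is written into the class attribute unescaped in both branches while `$label` goes through `dol_escape_htmltag()`; escaping it the same way, `' class="'.dol_escape_htmltag($morecss).'"'`, keeps the two consistent even though the value comes from callers rather than the request. The `@param string $morecss Add more CSS` docblock line could also say it applies to the link, not the picto. The method's body continues past the end of the hunk.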
@@ -24,7 +24,7 @@
 -- ID 15000 - 15811
 -- ADD 1300000 to rowid # Do no remove this comment
 --
-INSERT IGNORE INTO llx_accounting_account (rowid, fk_pcg_version, pcg_type, account_number, account_parent, label, active) VALUES (17000,'NSCF','CAPIT','1',0,'Comptes de capitaux','1');
+INSERT IGNORE INTO llx_accounting_account (rowid, fk_pcg_version, pcg_type, account_number, account_parent, label, active) VALUES (15000,'NSCF','CAPIT','1',0,'Comptes de capitaux','1');
 INSERT IGNORE INTO llx_accounting_account (rowid, fk_pcg_version, pcg_type, account_number, account_parent, label, active) VALUES (15001,'NSCF','CAPIT','10',17000,'Capital, réserves et assimilés','1');
 INSERT IGNORE INTO llx_accounting_account (rowid, fk_pcg_version, pcg_type, account_number, account_parent, label, active) VALUES (15002,'NSCF','CAPIT','101',15001,'Capital émis','1');
 INSERT IGNORE INTO llx_accounting_account (rowid, fk_pcg_version, pcg_type, account_number, account_parent, label, active) VALUES (15003,'NSCF','CAPIT','1011',15002,'Capital souscrit, non appelé','1');
From e3b019f92373bbc2c195a40e1a35f8eabcc62be2 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 23 Mar 2021 01:32:17 +0100
Subject: [PATCH 21/47] Clean code
---
 htdocs/adherents/card.php | 36 +++++++++----------
 htdocs/adherents/class/adherent.class.php | 2 +-
 htdocs/adherents/index.php | 2 +-
 htdocs/admin/eventorganization.php | 4 +--
 htdocs/core/lib/functions.lib.php | 10 +++---
 .../modules/modEventOrganization.class.php | 6 ++--
 .../class/conferenceorbooth.class.php | 2 +-
 .../conferenceorbooth_list.php | 4 +--
 htdocs/langs/en_US/eventorganization.lang | 4 +--
 .../core/modules/modMyModule.class.php | 2 ++
 htdocs/theme/eldy/badges.inc.php | 4 +--
 htdocs/theme/eldy/btn.inc.php | 2 +-
 htdocs/theme/eldy/theme_vars.inc.php | 1 +
 htdocs/theme/md/badges.inc.php | 24 +++++++++++--
 htdocs/theme/md/theme_vars.inc.php | 1 +
 15 files changed, 65 insertions(+), 39 deletions(-)
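Review bot: The root account's rowid is changed from 17000 to 15000, but the next row (rowid 15001, account_number '10') still carries `account_parent` 17000, so after this patch it points at a parent that no longer exists in this file unless another row is inserted with rowid 17000 elsewhere; it should read `VALUES (15001,'NSCF','CAPIT','10',15000,'Capital, réserves et assimilés','1');`. Any other rows outside the hunk that reference 17000 as their parent need the same update, otherwise the account tree built from this data has an orphaned subtree.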
diff --git a/htdocs/adherents/card.php b/htdocs/adherents/card.php index 57e510719bb..b75bce38ca9 100644 --- a/htdocs/adherents/card.php +++ b/htdocs/adherents/card.php @@ -1830,7 +1830,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { // Send if (empty($user->socid)) { if ($object->statut == 1) { - print ''; + print ''."\n"; } } @@ -1856,17 +1856,17 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { // Modify if ($user->rights->adherent->creer) { - print '"; + print ''."\n"; } else { - print '
'.$langs->trans("Modify").'
'; + print '
'.$langs->trans("Modify").'
'."\n"; } // Validate if ($object->statut == -1) { if ($user->rights->adherent->creer) { - print '\n"; + print ''."\n"; } else { - print '
'.$langs->trans("Validate").'
'; + print '
'.$langs->trans("Validate").'
'."\n"; } } @@ -1875,7 +1875,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { if ($user->rights->adherent->creer) { print '\n"; } else { - print '
'.$langs->trans("Reenable")."
"; + print '
'.$langs->trans("Reenable").'
'."\n"; } } @@ -1884,7 +1884,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { if ($user->rights->adherent->supprimer) { print '\n"; } else { - print '
'.$langs->trans("Resiliate")."
"; + print '
'.$langs->trans("Resiliate").'
'."\n"; } } @@ -1893,7 +1893,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { if ($user->rights->adherent->supprimer) { print '\n"; } else { - print '
'.$langs->trans("Exclude")."
"; + print '
'.$langs->trans("Exclude").'
'."\n"; } } @@ -1901,12 +1901,12 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { if (!empty($conf->societe->enabled) && !$object->socid) { if ($user->rights->societe->creer) { if ($object->statut != -1) { - print ''; + print ''."\n";; } else { - print ''; + print ''."\n"; } } else { - print '
'.$langs->trans("CreateDolibarrThirdParty")."
"; + print '
'.$langs->trans("CreateDolibarrThirdParty").'
'."\n"; } } @@ -1914,12 +1914,12 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { if (!$user->socid && !$object->user_id) { if ($user->rights->user->user->creer) { if ($object->statut != -1) { - print ''; + print ''."\n"; } else { - print ''; + print ''."\n"; } } else { - print '
'.$langs->trans("CreateDolibarrLogin")."
"; + print '
'.$langs->trans("CreateDolibarrLogin").'
'."\n"; } } @@ -1928,18 +1928,18 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { $isinspip = $mailmanspip->is_in_spip($object); if ($isinspip == 1) { - print '\n"; + print ''."\n"; } if ($isinspip == 0) { - print '\n"; + print ''."\n"; } } // Delete if ($user->rights->adherent->supprimer) { - print '\n"; + print ''."\n"; } else { - print '
'.$langs->trans("Delete")."
"; + print '
'.$langs->trans("Delete").'
'."\n"; } } } diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php index bb56eaf4947..8803ce032fa 100644 --- a/htdocs/adherents/class/adherent.class.php +++ b/htdocs/adherents/class/adherent.class.php @@ -2279,7 +2279,7 @@ class Adherent extends CommonObject $labelStatus = $langs->trans("MemberStatusResiliated"); $labelStatusShort = $langs->trans("MemberStatusResiliatedShort"); } elseif ($status == -2) { - $statusType = 'status8'; + $statusType = 'status10'; $labelStatus = $langs->trans("MemberStatusExcluded"); $labelStatusShort = $langs->trans("MemberStatusExcludedShort"); } diff --git a/htdocs/adherents/index.php b/htdocs/adherents/index.php index 517649c4b61..803ef89bb22 100644 --- a/htdocs/adherents/index.php +++ b/htdocs/adherents/index.php @@ -233,7 +233,7 @@ if ($conf->use_javascript_ajax) { include_once DOL_DOCUMENT_ROOT.'/core/class/dolgraph.class.php'; $dolgraph = new DolGraph(); $dolgraph->SetData($dataseries); - $dolgraph->SetDataColor(array($badgeStatus1, $badgeStatus4, $badgeStatus8, $badgeStatus6, '-'.$badgeStatus0)); + $dolgraph->SetDataColor(array($badgeStatus1, $badgeStatus4, '-'.$badgeStatus8, $badgeStatus6, '-'.$badgeStatus0)); $dolgraph->setShowLegend(2); $dolgraph->setShowPercent(1); $dolgraph->SetType(array('pie')); diff --git a/htdocs/admin/eventorganization.php b/htdocs/admin/eventorganization.php index 8625f182f47..23fc463f3b5 100644 --- a/htdocs/admin/eventorganization.php +++ b/htdocs/admin/eventorganization.php @@ -201,7 +201,7 @@ if ($action == 'edit') { print ''; print ''; - print ''; + print ''; foreach ($arrayofparameters as $constname => $val) { if ($val['enabled']==1) { @@ -266,7 +266,7 @@ if ($action == 'edit') { } else { if (!empty($arrayofparameters)) { print '
'.$langs->trans("Parameter").''.$langs->trans("Value").'
'.$langs->trans("Parameter").''.$langs->trans("Value").'
'; - print ''; + print ''; foreach ($arrayofparameters as $constname => $val) { if ($val['enabled']==1) { diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index ab9a476c923..948ddc09499 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -3524,7 +3524,7 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $ 'info', 'intervention', 'inventory', 'label', 'language', 'link', 'list', 'listlight', 'loan', 'lot', 'long-arrow-alt-right', 'margin', 'map-marker-alt', 'member', 'meeting', 'money-bill-alt', 'movement', 'mrp', 'note', 'next', 'object_accounting', 'object_account', 'object_accountline', 'object_action', 'object_asset', 'object_barcode', 'object_bill', 'object_billr', 'object_billa', 'object_billd', 'object_bom', - 'object_category', 'object_conversation', 'object_bookmark', 'object_bug', 'object_clock', 'object_dolly', 'object_dollyrevert', + 'object_category', 'conferenceorbooth', 'object_conversation', 'object_bookmark', 'object_bug', 'object_clock', 'object_dolly', 'object_dollyrevert', 'object_folder', 'object_folder-open','object_generic', 'object_list-alt', 'object_calendar', 'object_calendarweek', 'object_calendarmonth', 'object_calendarday', 'object_calendarperuser', 'object_cash-register', 'object_company', 'object_contact', 'object_contract', 'object_cron', 'object_donation', 'object_dynamicprice', @@ -3549,7 +3549,7 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $ 'shapes', 'supplier_proposal', 'supplier_order', 'supplier_invoice', 'timespent', 'title_setup', 'title_accountancy', 'title_bank', 'title_hrm', 'title_agenda', 'user-cog', 'website', - 'eventorganization', 'object_eventorganization' + 'conferenceorbooth', 'eventorganization', 'object_eventorganization' ))) { $pictowithouttext = str_replace('object_', '', $pictowithouttext); 
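Review bot: 'conferenceorbooth' is added to the img_picto whitelist twice, once in the `@@ -3524` hunk among the `object_*` entries and again in the `@@ -3549` hunk before 'eventorganization'; if both hunks belong to the same `in_array()` list, as the surrounding context lines suggest, the second copy is enough and the first should be dropped, or, if an object_ form was intended at the first spot to match its neighbours, it should be `'object_conferenceorbooth'`. img_picto's body continues outside both hunks.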
@@ -3597,7 +3597,7 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $ 'uparrow'=>'mail-forward', 'vcard'=>'address-card', 'jabber'=>'comment-o', 'website'=>'globe-americas', - 'eventorganization'=>'id-badge' + 'conferenceorbooth'=>'chalkboard-teacher', 'eventorganization'=>'project-diagram' ); if ($pictowithouttext == 'off') { $fakey = 'fa-square'; @@ -3630,7 +3630,7 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $ if (in_array($pictowithouttext, array('dollyrevert', 'member', 'members', 'contract', 'group', 'resource', 'shipment'))) { $morecss = 'em092'; } - if (in_array($pictowithouttext, array('collab', 'holiday', 'project'))) { + if (in_array($pictowithouttext, array('conferenceorbooth', 'collab', 'eventorganization', 'holiday', 'project'))) { $morecss = 'em088'; } if (in_array($pictowithouttext, array('intervention', 'info', 'payment', 'loan', 'stock', 'technic'))) { @@ -3652,6 +3652,7 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $ 'action'=>'infobox-action', 'account'=>'infobox-bank_account', 'accountline'=>'infobox-bank_account', 'accountancy'=>'infobox-bank_account', 'asset'=>'infobox-bank_account', 'bank_account'=>'bg-infobox-bank_account', 'bill'=>'infobox-commande', 'billa'=>'infobox-commande', 'billr'=>'infobox-commande', 'billd'=>'infobox-commande', + 'conferenceorbooth'=>'infobox-project', 'cash-register'=>'infobox-bank_account', 'contract'=>'infobox-contrat', 'check'=>'font-status4', 'collab'=>'infobox-action', 'conversation'=>'infobox-contrat', 'donation'=>'infobox-commande', 'dollyrevert'=>'flip', 'ecm'=>'infobox-action', 'hrm'=>'infobox-adherent', 'group'=>'infobox-adherent', 'intervention'=>'infobox-contrat', 
@@ -3661,6 +3662,7 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $ 'user'=>'infobox-adherent', 'users'=>'infobox-adherent', 'error'=>'pictoerror', 'warning'=>'pictowarning', 'switch_on'=>'font-status4', 'holiday'=>'infobox-holiday', 'info'=>'opacityhigh', 'invoice'=>'infobox-commande', 'loan'=>'infobox-bank_account', + 'eventorganization'=>'infobox-project', 'payment'=>'infobox-bank_account', 'poll'=>'infobox-adherent', 'pos'=>'infobox-bank_account', 'project'=>'infobox-project', 'projecttask'=>'infobox-project', 'propal'=>'infobox-propal', 'recruitmentjobposition'=>'infobox-adherent', 'recruitmentcandidature'=>'infobox-adherent', 'resource'=>'infobox-action', diff --git a/htdocs/core/modules/modEventOrganization.class.php b/htdocs/core/modules/modEventOrganization.class.php index 386da21d798..244b4f41cab 100644 --- a/htdocs/core/modules/modEventOrganization.class.php +++ b/htdocs/core/modules/modEventOrganization.class.php @@ -341,6 +341,7 @@ class modEventOrganization extends DolibarrModules 'fk_menu'=>'fk_mainmenu=project', // '' if this is a top menu. For left menu, use 'fk_mainmenu=xxx' or 'fk_mainmenu=xxx,fk_leftmenu=yyy' where xxx is mainmenucode and yyy is a leftmenucode 'type'=>'left', // This is a Left menu entry 'titre'=>'EventOrganizationMenuLeft', + 'prefix' => img_picto('', 'eventorganization', 'class="paddingright pictofixedwidth"'), 'mainmenu'=>'project', 'leftmenu'=>'eventorganization', 'url'=>'', 
@@ -355,7 +356,7 @@ class modEventOrganization extends DolibarrModules 'fk_menu'=>'fk_mainmenu=project,fk_leftmenu=eventorganization', // '' if this is a top menu. For left menu, use 'fk_mainmenu=xxx' or 'fk_mainmenu=xxx,fk_leftmenu=yyy' where xxx is mainmenucode and yyy is a leftmenucode 'type'=>'left', // This is a Left menu entry 'titre'=>'List', - 'url'=>'/projet/list.php?search_usage_event_organization=1&mainmenu=project', + 'url'=>'/projet/list.php?search_usage_event_organization=1&mainmenu=project&contextpage=organizedevents', 'langs'=>'eventorganization@eventorganization', // Lang file to use (without .lang) by module. File must be in langs/code_CODE/ directory. 'position'=>1000+$r, 'enabled'=>'$conf->eventorganization->enabled', // Define condition to show or hide menu entry. Use '$conf->eventorganization->enabled' if entry must be visible if module is enabled. Use '$leftmenu==\'system\'' to show if leftmenu system is selected. @@ -378,7 +379,8 @@ class modEventOrganization extends DolibarrModules $this->menu[$r++]=array( 'fk_menu'=>'fk_mainmenu=project', // '' if this is a top menu. For left menu, use 'fk_mainmenu=xxx' or 'fk_mainmenu=xxx,fk_leftmenu=yyy' where xxx is mainmenucode and yyy is a leftmenucode 'type'=>'left', // This is a Left menu entry - 'titre'=>'EventOrganizationMenuLeft', + 'titre'=>'ConferenceOrBooth', + 'prefix' => img_picto('', 'conferenceorbooth', 'class="paddingright pictofixedwidth"'), 'mainmenu'=>'project', 'leftmenu'=>'eventorganizationconforbooth', 'url'=>'', diff --git a/htdocs/eventorganization/class/conferenceorbooth.class.php b/htdocs/eventorganization/class/conferenceorbooth.class.php index 7f28d40dd29..d91181d0c51 100644 --- a/htdocs/eventorganization/class/conferenceorbooth.class.php +++ b/htdocs/eventorganization/class/conferenceorbooth.class.php 
@@ -61,7 +61,7 @@ class ConferenceOrBooth extends ActionComm /** * @var string String with name of icon for conferenceorbooth. Must be the part after the 'object_' into object_conferenceorbooth.png */ - public $picto = 'conferenceorbooth@eventorganization'; + public $picto = 'conferenceorbooth'; const STATUS_DRAFT = 0; diff --git a/htdocs/eventorganization/conferenceorbooth_list.php b/htdocs/eventorganization/conferenceorbooth_list.php index ea189d4be9b..89e614cc3ba 100644 --- a/htdocs/eventorganization/conferenceorbooth_list.php +++ b/htdocs/eventorganization/conferenceorbooth_list.php @@ -554,9 +554,9 @@ print ''; print ''; print ''; -$newcardbutton = dolGetButtonTitle($langs->trans('New'), '', 'fa fa-plus-circle', dol_buildpath('/eventorganization/conferenceorbooth_card.php', 1).'?action=create'.(!empty($project->id)?'&fk_project='.$project->id:'').(!empty($project->socid)?'&fk_soc='.$project->socid:'').'&backtopage='.urlencode($_SERVER['PHP_SELF']).(!empty($project->id)?'?projectid='.$project->id:''), '', $permissiontoadd); +$newcardbutton = dolGetButtonTitle($langs->trans('New'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/eventorganization/conferenceorbooth_card.php?action=create'.(!empty($project->id)?'&fk_project='.$project->id:'').(!empty($project->socid)?'&fk_soc='.$project->socid:'').'&backtopage='.urlencode($_SERVER['PHP_SELF']).(!empty($project->id)?'?projectid='.$project->id:''), '', $permissiontoadd); -print_barre_liste($title, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, $massactionbutton, $num, $nbtotalofrecords, 'object_'.$object->picto, 0, $newcardbutton, '', $limit, 0, 0, 1); +print_barre_liste($title, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, $massactionbutton, $num, $nbtotalofrecords, $object->picto, 0, $newcardbutton, '', $limit, 0, 0, 1); // Add code for pre mass action (confirmation or email presend form) $topicmail = "SendConferenceOrBoothRef"; 
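Review bot: The `@var` comment above `$picto` still says the value is the part after 'object_' in an object_conferenceorbooth.png file name, but the new value 'conferenceorbooth' (without the '@eventorganization' module suffix) is resolved through the core img_picto() icon map this same patch extends in functions.lib.php, not through a module image file. Update the comment to something like `@var string Icon code for conferenceorbooth, must be a picto name known to img_picto()` so the next maintainer does not look for a PNG that no longer applies.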
diff --git a/htdocs/langs/en_US/eventorganization.lang b/htdocs/langs/en_US/eventorganization.lang index 5444ed59e3d..82f18107a5c 100644 --- a/htdocs/langs/en_US/eventorganization.lang +++ b/htdocs/langs/en_US/eventorganization.lang @@ -32,8 +32,8 @@ EventOrganizationConferenceOrBoothMenuLeft = Conference Or Booth EventOrganizationSetup = Event Organization setup Settings = Settings EventOrganizationSetupPage = Event Organization setup page -EVENTORGANIZATION_TASK_LABEL = Task label created when validate -EVENTORGANIZATION_TASK_LABELTooltip = When validate a Conference or a booth, some tasks will be created in the project

for example:
Send Call for Conference
Send Call for Booth
Receive call for conferences
Receive call for Booth
Open subscriptions to events for attendees
Send remind of event to speakers
Send remind of event to Booth hoster
Send remind of event to attendees +EVENTORGANIZATION_TASK_LABEL = Label of tasks to create automatically when project is validated +EVENTORGANIZATION_TASK_LABELTooltip = When you validate an organized event, some tasks can be automatically created in the project

For example:
Send Call for Conference
Send Call for Booth
Receive call for conferences
Receive call for Booth
Open subscriptions to events for attendees
Send remind of event to speakers
Send remind of event to Booth hoster
Send remind of event to attendees EVENTORGANIZATION_CATEG_THIRDPARTY_CONF = Category to add to third-parties automatically created when someone suggests a conference EVENTORGANIZATION_CATEG_THIRDPARTY_BOOTH = Category to add to third-parties automatically created when they suggests a booth EVENTORGANIZATION_TEMPLATE_EMAIL_ASK_CONF = Template of email to send after receiving a suggestion of a conference. diff --git a/htdocs/modulebuilder/template/core/modules/modMyModule.class.php b/htdocs/modulebuilder/template/core/modules/modMyModule.class.php index e4f662c9e99..322c043a26c 100644 --- a/htdocs/modulebuilder/template/core/modules/modMyModule.class.php +++ b/htdocs/modulebuilder/template/core/modules/modMyModule.class.php @@ -290,6 +290,7 @@ class modMyModule extends DolibarrModules 'fk_menu'=>'', // '' if this is a top menu. For left menu, use 'fk_mainmenu=xxx' or 'fk_mainmenu=xxx,fk_leftmenu=yyy' where xxx is mainmenucode and yyy is a leftmenucode 'type'=>'top', // This is a Top menu entry 'titre'=>'ModuleMyModuleName', + 'prefix' => img_picto('', $this->picto, 'class="paddingright pictofixedwidth"'), 'mainmenu'=>'mymodule', 'leftmenu'=>'', 'url'=>'/mymodule/mymoduleindex.php', @@ -306,6 +307,7 @@ class modMyModule extends DolibarrModules 'fk_menu'=>'fk_mainmenu=mymodule', // '' if this is a top menu. For left menu, use 'fk_mainmenu=xxx' or 'fk_mainmenu=xxx,fk_leftmenu=yyy' where xxx is mainmenucode and yyy is a leftmenucode 'type'=>'left', // This is a Top menu entry 'titre'=>'MyObject', + 'prefix' => img_picto('', $this->picto, 'class="paddingright pictofixedwidth"'), 'mainmenu'=>'mymodule', 'leftmenu'=>'myobject', 'url'=>'/mymodule/mymoduleindex.php', diff --git a/htdocs/theme/eldy/badges.inc.php b/htdocs/theme/eldy/badges.inc.php index f3f311eccca..dcb61499b63 100644 --- a/htdocs/theme/eldy/badges.inc.php +++ b/htdocs/theme/eldy/badges.inc.php 
@@ -205,7 +205,7 @@ a.badge-dark:focus, a.badge-dark:hover { /* STATUS BADGES */ em; + margin: 0em em; padding: 0.6em em; display: inline-block; text-align: center; diff --git a/htdocs/theme/eldy/theme_vars.inc.php b/htdocs/theme/eldy/theme_vars.inc.php index 8bb2fd3bbca..82cbf9cf2a9 100644 --- a/htdocs/theme/eldy/theme_vars.inc.php +++ b/htdocs/theme/eldy/theme_vars.inc.php @@ -114,6 +114,7 @@ $badgeStatus6 = '#cad2d2'; $badgeStatus7 = '#25a580'; $badgeStatus8 = '#993013'; $badgeStatus9 = '#e7f0f0'; +$badgeStatus10 = '#993013'; // status color ajustement for color blind $colorblind_deuteranopes_badgeStatus4 = $colorblind_deuteranopes_badgeStatus7 = $colorblind_deuteranopes_badgeSuccess; //! text color black diff --git a/htdocs/theme/md/badges.inc.php b/htdocs/theme/md/badges.inc.php index 7dd0229ae46..fd1b1122a17 100644 --- a/htdocs/theme/md/badges.inc.php +++ b/htdocs/theme/md/badges.inc.php @@ -1,7 +1,8 @@ +} +?> /*
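Review bot: In eldy/theme_vars.inc.php, `$badgeStatus10` is assigned '#993013', the same value as `$badgeStatus8` two lines above, so the Excluded member status this patch switches to 'status10' in adherent.class.php renders in the same colour as Resiliated (status8), which defeats the point of introducing a separate status. If the two are meant to stay identical, `$badgeStatus10 = $badgeStatus8;` states that intent and prevents drift; otherwise pick a distinguishable value. The md theme's theme_vars.inc.php is listed in the diffstat but its hunk is outside this chunk, so whether it matches cannot be checked here.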
'.$langs->trans("Parameter").''.$langs->trans("Value").'
'.$langs->trans("Parameter").''.$langs->trans("Value").'