From 956eb11172846b28fc773772d826ff70a5285c22 Mon Sep 17 00:00:00 2001 From: simnandez Date: Wed, 28 Mar 2012 16:49:36 +0100 Subject: [PATCH 1/2] Fix: Sanitize data --- htdocs/admin/commande.php | 14 +++++++------- htdocs/admin/confexped.php | 4 ++-- htdocs/admin/contract.php | 10 +++++----- htdocs/admin/expedition.php | 32 ++++++++++++++++---------------- htdocs/admin/fichinter.php | 24 ++++++++++++------------ htdocs/admin/livraison.php | 22 +++++++++++----------- 6 files changed, 53 insertions(+), 53 deletions(-) diff --git a/htdocs/admin/commande.php b/htdocs/admin/commande.php index 7472191a48a..569ac1b8b69 100644 --- a/htdocs/admin/commande.php +++ b/htdocs/admin/commande.php @@ -47,8 +47,8 @@ $value = GETPOST('value','alpha'); if ($action == 'updateMask') { - $maskconstorder=GETPOST("maskconstorder"); - $maskorder=GETPOST("maskorder"); + $maskconstorder=GETPOST('maskconstorder','alpha'); + $maskorder=GETPOST('maskorder','alpha'); if ($maskconstorder) $res = dolibarr_set_const($db,$maskconstorder,$maskorder,'chaine',0,'',$conf->entity); @@ -66,7 +66,7 @@ if ($action == 'updateMask') if ($action == 'specimen') { - $modele=GETPOST("module"); + $modele=GETPOST('module','alpha'); $commande = new Commande($db); $commande->initAsSpecimen(); @@ -111,8 +111,8 @@ if ($action == 'specimen') if ($action == 'set') { - $label = GETPOST("label"); - $scandir = GETPOST("scandir"); + $label = GETPOST('label','alpha'); + $scandir = GETPOST('scandir','alpha'); $type='order'; $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)"; @@ -142,8 +142,8 @@ if ($action == 'del') if ($action == 'setdoc') { - $label = GETPOST("label"); - $scandir = GETPOST("scandir"); + $label = GETPOST('label','alpha'); + $scandir = GETPOST('scandir','alpha'); $db->begin(); diff --git a/htdocs/admin/confexped.php b/htdocs/admin/confexped.php index 24c505a27ef..3e04767c840 100644 --- a/htdocs/admin/confexped.php +++ b/htdocs/admin/confexped.php 
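Review bot: In the `set` handler, `$label` and `$scandir` are read with the 'alpha' filter and then feed the `INSERT INTO ... document_model` statement whose VALUES clause lies beyond the hunk; 'alpha' is an input-shape filter, not SQL escaping, so unless those lines wrap the values in `$db->escape()` a single quote in `label` still reaches the query, and the escaping belongs where the VALUES are built, e.g. `"'".$db->escape($label)."'"`. In the `updateMask` handler the request-supplied `$maskconstorder` is passed as the constant *name* to dolibarr_set_const(), so this admin page can overwrite any constant; comparing it against the mask constant this page is meant to edit before the call would close that. Each if-block continues outside its hunk.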
@@ -2,7 +2,7 @@ /* Copyright (C) 2004-2010 Laurent Destailleur * Copyright (C) 2005-2009 Regis Houssin * Copyright (C) 2006 Andre Cianfarani - * Copyright (C) 2011 Juanjo Menent + * Copyright (C) 2011 Juanjo Menent * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -34,7 +34,7 @@ $langs->load("deliveries"); if (!$user->admin) accessforbidden(); -$action=GETPOST("action"); +$action=GETPOST('action','alpha'); // Shipment note if ($action == 'activate_sending') diff --git a/htdocs/admin/contract.php b/htdocs/admin/contract.php index 3288f574739..ca97e97f2e2 100644 --- a/htdocs/admin/contract.php +++ b/htdocs/admin/contract.php @@ -1,5 +1,5 @@ +/* Copyright (C) 2011-2012 Juanjo Menent * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -30,8 +30,8 @@ $langs->load("errors"); if (!$user->admin) accessforbidden(); -$action = GETPOST("action"); -$value = GETPOST("value"); +$action = GETPOST('action','alpha'); +$value = GETPOST('value','alpha'); if (empty($conf->global->CONTRACT_ADDON)) { @@ -45,8 +45,8 @@ if (empty($conf->global->CONTRACT_ADDON)) if ($action == 'updateMask') { - $maskconst=$_POST['maskconstcontract']; - $maskvalue=$_POST['maskcontract']; + $maskconst = GETPOST('maskconstcontract','alpha'); + $maskvalue = GETPOST('maskcontract','alpha'); if ($maskconst) $res = dolibarr_set_const($db,$maskconst,$maskvalue,'chaine',0,'',$conf->entity); if (! $res > 0) $error++; diff --git a/htdocs/admin/expedition.php b/htdocs/admin/expedition.php index ceb7cc98886..4a593953bee 100644 --- a/htdocs/admin/expedition.php +++ b/htdocs/admin/expedition.php 
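Review bot: Replacing `$_POST['maskconstcontract']` with GETPOST() in contract.php's `updateMask` handler means the values are now also accepted from the query string (GETPOST in Dolibarr of this era falls back to `$_GET`, as far as I recall — verify), so a state-changing admin action becomes reachable through a crafted link, and no CSRF token check is visible in the hunk. Keep these two values POST-only, e.g. `$maskconst = isset($_POST['maskconstcontract']) ? GETPOST('maskconstcontract','alpha') : '';`, or add a token check ahead of dolibarr_set_const(). Independently, `$maskconst` is the constant name being written, so the request chooses which configuration key is overwritten; validating it against the mask constant this page is meant to edit (or a short whitelist) would prevent writing unrelated configuration. The same name-from-request pattern appears in every updateMask handler touched by this patch.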
@@ -5,7 +5,7 @@ * Copyright (C) 2004 Benoit Mortier * Copyright (C) 2004 Eric Seigne * Copyright (C) 2005-2011 Regis Houssin - * Copyright (C) 2011 Juanjo Menent + * Copyright (C) 2011-2012 Juanjo Menent * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -37,8 +37,8 @@ $langs->load("deliveries"); if (!$user->admin) accessforbidden(); -$action=GETPOST("action"); -$value=GETPOST("value"); +$action=GETPOST('action','alpha'); +$value=GETPOST('value','alpha'); if (empty($conf->global->EXPEDITION_ADDON_NUMBER)) { @@ -51,7 +51,7 @@ if (empty($conf->global->EXPEDITION_ADDON_NUMBER)) */ if ($action == 'specimen') { - $modele=GETPOST("module"); + $modele=GETPOST('module','alpha'); $exp = new Expedition($db); $exp->initAsSpecimen(); @@ -89,8 +89,8 @@ if ($action == 'specimen') // Activate a model if ($action == 'set') { - $label = GETPOST("label"); - $scandir = GETPOST("scandir"); + $label = GETPOST('label','alpha'); + $scandir = GETPOST('scandir','alpha'); $type='shipping'; $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)"; @@ -121,8 +121,8 @@ if ($action == 'del') // Set default model if ($action == 'setdoc') { - $label = GETPOST("label"); - $scandir = GETPOST("scandir"); + $label = GETPOST('label','alpha'); + $scandir = GETPOST('scandir','alpha'); $db->begin(); @@ -158,9 +158,9 @@ if ($action == 'setdoc') // TODO A quoi servent les methode d'expedition ? if ($action == 'setmethod' || $action== 'setmod') { - $module=GETPOST("module"); - $moduleid=GETPOST("moduleid"); - $statut=GETPOST("statut"); + $module=GETPOST('module','alpha'); + $moduleid=GETPOST('moduleid','alpha'); + $statut=GETPOST('statut','alpha'); require_once(DOL_DOCUMENT_ROOT."/core/modules/expedition/methode_expedition_$module.modules.php"); 
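Review bot: In the `setmethod`/`setmod` handler, `$module` from `GETPOST('module','alpha')` is interpolated straight into `require_once(DOL_DOCUMENT_ROOT."/core/modules/expedition/methode_expedition_$module.modules.php")`; unless the 'alpha' filter is known to strip `/` and `.`, a value containing `../` still decides which file gets included, which is a local file inclusion primitive even if it is admin-only. Restrict the value to an identifier before the include, e.g. `if (! preg_match('/^[a-z0-9_]+$/i', $module)) accessforbidden();`, or check `file_exists()` on a `basename()`-cleaned path. `$moduleid` and `$statut` look numeric from their names; if the callers confirm that, `GETPOST(..., 'int')` is the tighter filter. The setmethod block continues after the hunk.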
@@ -231,7 +231,7 @@ if ($action == 'setmod') // TODO Verifier si module numerotation choisi peut etre active // par appel methode canBeActivated - $module=GETPOST("module"); + $module=GETPOST('module','alpha'); dolibarr_set_const($db, "EXPEDITION_ADDON",$module,'chaine',0,'',$conf->entity); @@ -239,8 +239,8 @@ if ($action == 'setmod') if ($action == 'updateMask') { - $maskconst=GETPOST("maskconstexpedition"); - $maskvalue=GETPOST("maskexpedition"); + $maskconst=GETPOST('maskconstexpedition','alpha'); + $maskvalue=GETPOST('maskexpedition','alpha'); if ($maskconst) $res = dolibarr_set_const($db,$maskconst,$maskvalue,'chaine',0,'',$conf->entity); if (! $res > 0) $error++; @@ -262,7 +262,7 @@ if ($action == 'setmodel') if ($action == 'set_SHIPPING_DRAFT_WATERMARK') { - $draft=GETPOST("SHIPPING_DRAFT_WATERMARK"); + $draft=GETPOST('SHIPPING_DRAFT_WATERMARK','alpha'); $res = dolibarr_set_const($db, "SHIPPING_DRAFT_WATERMARK",trim($draft),'chaine',0,'',$conf->entity); if (! $res > 0) $error++; @@ -279,7 +279,7 @@ if ($action == 'set_SHIPPING_DRAFT_WATERMARK') if ($action == 'set_SHIPPING_FREE_TEXT') { - $free=GETPOST("SHIPPING_FREE_TEXT"); + $free=GETPOST('SHIPPING_FREE_TEXT','alpha'); $res = dolibarr_set_const($db, "SHIPPING_FREE_TEXT",$free,'chaine',0,'',$conf->entity); if (! $res > 0) $error++; diff --git a/htdocs/admin/fichinter.php b/htdocs/admin/fichinter.php index 863ecf32bd2..354c0eb745d 100644 --- a/htdocs/admin/fichinter.php +++ b/htdocs/admin/fichinter.php @@ -5,7 +5,7 @@ * Copyright (C) 2004 Benoit Mortier * Copyright (C) 2005-2012 Regis Houssin * Copyright (C) 2008 Raphael Bertrand (Resultic) - * Copyright (C) 2011 Juanjo Menent + * Copyright (C) 2011-2012 Juanjo Menent * Copyright (C) 2011-2012 Philippe Grand * * This program is free software; you can redistribute it and/or modify 
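Review bot: In the `set_SHIPPING_FREE_TEXT` and `set_SHIPPING_DRAFT_WATERMARK` handlers the 'alpha' filter is now applied to free-form text; if, as in other Dolibarr releases of this period, 'alpha' returns an empty string for values containing `"`, `:` or `;`, a footer such as `Tel: 01 23` would be silently saved as empty — confirm this before merging, and prefer a less destructive filter plus escaping at the point where the constant is rendered into the PDF. Separately, the `setmod` handler stores `$module` in `EXPEDITION_ADDON` with no check that a numbering module of that name exists, as the TODO right above it notes; a guard such as `if (! preg_match('/^[a-z0-9_]+$/i', $module)) accessforbidden();` before dolibarr_set_const() keeps the stored name from later steering an include. Each if-block continues outside its hunk.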
@@ -39,8 +39,8 @@ $langs->load("interventions"); if (!$user->admin) accessforbidden(); -$action = GETPOST("action"); -$value = GETPOST("value"); +$action = GETPOST('action','alpha'); +$value = GETPOST('value','alpha'); /* @@ -48,8 +48,8 @@ $value = GETPOST("value"); */ if ($action == 'updateMask') { - $maskconst=GETPOST("maskconst"); - $maskvalue=GETPOST("maskvalue"); + $maskconst=GETPOST('maskconst','alpha'); + $maskvalue=GETPOST('maskvalue','alpha'); if ($maskconst) $res = dolibarr_set_const($db,$maskconst,$maskvalue,'chaine',0,'',$conf->entity); if (! $res > 0) $error++; @@ -66,7 +66,7 @@ if ($action == 'updateMask') if ($action == 'set_FICHINTER_FREE_TEXT') { - $freetext= GETPOST("FICHINTER_FREE_TEXT"); + $freetext= GETPOST('FICHINTER_FREE_TEXT','alpha'); $res = dolibarr_set_const($db, "FICHINTER_FREE_TEXT",$freetext,'chaine',0,'',$conf->entity); if (! $res > 0) $error++; @@ -83,7 +83,7 @@ if ($action == 'set_FICHINTER_FREE_TEXT') if ($action == 'set_FICHINTER_DRAFT_WATERMARK') { - $draft= GETPOST("FICHINTER_DRAFT_WATERMARK"); + $draft= GETPOST('FICHINTER_DRAFT_WATERMARK','alpha'); $res = dolibarr_set_const($db, "FICHINTER_DRAFT_WATERMARK",trim($draft),'chaine',0,'',$conf->entity); @@ -101,7 +101,7 @@ if ($action == 'set_FICHINTER_DRAFT_WATERMARK') if ($action == 'specimen') { - $modele=$_GET["module"]; + $modele= GETPOST('module','alpha'); $inter = new Fichinter($db); $inter->initAsSpecimen(); @@ -146,8 +146,8 @@ if ($action == 'specimen') if ($action == 'set') { - $label = GETPOST("label"); - $scandir = GETPOST("scandir"); + $label = GETPOST('label','alpha'); + $scandir = GETPOST('scandir','alpha'); $type='ficheinter'; $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)"; @@ -177,8 +177,8 @@ if ($action == 'del') if ($action == 'setdoc') { - $label = GETPOST("label"); - $scandir = GETPOST("scandir"); + $label = GETPOST('label','alpha'); + $scandir = GETPOST('scandir','alpha'); $db->begin(); 
diff --git a/htdocs/admin/livraison.php b/htdocs/admin/livraison.php index 666e4fa6fbe..3878d025edc 100644 --- a/htdocs/admin/livraison.php +++ b/htdocs/admin/livraison.php @@ -5,7 +5,7 @@ * Copyright (C) 2004 Benoit Mortier * Copyright (C) 2004 Eric Seigne * Copyright (C) 2005-2011 Regis Houssin - * Copyright (C) 2011 Juanjo Menent + * Copyright (C) 2011-2012 Juanjo Menent * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -36,8 +36,8 @@ $langs->load("deliveries"); if (!$user->admin) accessforbidden(); -$action = GETPOST("action"); -$value = GETPOST("value"); +$action = GETPOST('action','alpha'); +$value = GETPOST('value','alpha'); /* * Actions @@ -45,8 +45,8 @@ $value = GETPOST("value"); if ($action == 'updateMask') { - $maskconstdelivery=GETPOST("maskconstdelivery"); - $maskdelivery=GETPOST("maskdelivery"); + $maskconstdelivery=GETPOST('maskconstdelivery','alpha'); + $maskdelivery=GETPOST('maskdelivery','alpha'); if ($maskconstdelivery) $res = dolibarr_set_const($db,$maskconstdelivery,$maskdelivery,'chaine',0,'',$conf->entity); if (! $res > 0) $error++; @@ -63,7 +63,7 @@ if ($action == 'updateMask') if ($action == 'specimen') { - $modele=GETPOST("module"); + $modele=GETPOST('module','alpha'); $sending = new Livraison($db); $sending->initAsSpecimen(); @@ -99,8 +99,8 @@ if ($action == 'specimen') if ($action == 'set') { - $label = GETPOST("label"); - $scandir = GETPOST("scandir"); + $label = GETPOST('label','alpha'); + $scandir = GETPOST('scandir','alpha'); $type='delivery'; $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)"; 
@@ -127,8 +127,8 @@ if ($action == 'del') if ($action == 'setdoc') { - $label = GETPOST("label"); - $scandir = GETPOST("scandir"); + $label = GETPOST('label','alpha'); + $scandir = GETPOST('scandir','alpha'); $db->begin(); if (dolibarr_set_const($db, "LIVRAISON_ADDON_PDF",$value,'chaine',0,'',$conf->entity)) @@ -162,7 +162,7 @@ if ($action == 'setdoc') if ($action == 'set_DELIVERY_FREE_TEXT') { - $free=GETPOST("DELIVERY_FREE_TEXT"); + $free=GETPOST('DELIVERY_FREE_TEXT','alpha'); $res=dolibarr_set_const($db, "DELIVERY_FREE_TEXT",$free,'chaine',0,'',$conf->entity); if (! $res > 0) $error++; From b204ad5b845498e9e2dcccdb008c061da3575374 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Thu, 29 Mar 2012 01:39:56 +0800 Subject: [PATCH 2/2] Fix: multicompany compatibility --- htdocs/categories/class/categorie.class.php | 24 +++++++++++++-------- htdocs/categories/viewcat.php | 4 ++-- htdocs/societe/info.php | 9 ++++---- htdocs/societe/soc.php | 2 +- 4 files changed, 23 insertions(+), 16 deletions(-) diff --git a/htdocs/categories/class/categorie.class.php b/htdocs/categories/class/categorie.class.php index 2a8e52e7cad..409f7329be2 100644 --- a/htdocs/categories/class/categorie.class.php +++ b/htdocs/categories/class/categorie.class.php 
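Review bot: In livraison.php's `setdoc` hunk, `$value` (read earlier as `GETPOST('value','alpha')`) is persisted as `LIVRAISON_ADDON_PDF` — presumably the name of the PDF model later resolved to a class or file — with no check that such a model exists, while `$label` and `$scandir` are read but unused in the visible lines. Validate the name before persisting, e.g. `if (! preg_match('/^[a-z0-9_]+$/i', $value)) $error++;` ahead of `$db->begin()`, so a stored value cannot steer a later include. The `set_DELIVERY_FREE_TEXT` hunk has the same concern as the other free-text handlers in this patch: confirm the 'alpha' filter does not blank legitimate text containing `:` or `;`. Both if-blocks continue outside the hunks.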
@@ -523,22 +523,28 @@ class Categorie /** * Return list of contents of a category * - * @param string $field Field name for select in table. Full field name will be fk_field. - * @param string $classname PHP Class of object to store entity - * @param string $table Table name for select in table. Full table name will be PREFIX_categorie_table. + * @param string $field Field name for select in table. Full field name will be fk_field. + * @param string $classname PHP Class of object to store entity + * @param string $category_table Table name for select in table. Full table name will be PREFIX_categorie_table. + * @param string $object_table Table name for select in table. Full table name will be PREFIX_table. * @return void */ - function get_type($field,$classname,$table='') + function get_type($field,$classname,$category_table='',$object_table='') { $objs = array(); // Clean parameters - if (empty($table)) $table=$field; + if (empty($category_table)) $category_table=$field; + if (empty($object_table)) $object_table=$field; - $sql = "SELECT fk_".$field." FROM ".MAIN_DB_PREFIX."categorie_".$table; - $sql.= " WHERE fk_categorie = ".$this->id; + $sql = "SELECT c.fk_".$field; + $sql.= " FROM ".MAIN_DB_PREFIX."categorie_".$category_table." as c"; + $sql.= ", ".MAIN_DB_PREFIX.$object_table." as o"; + $sql.= " WHERE c.fk_categorie = ".$this->id; + $sql.= " AND c.fk_".$field." = o.rowid"; + $sql.= " AND o.entity IN (".getEntity($field, 1).")"; - dol_syslog("Categorie::get_type sql=".$sql); + dol_syslog(get_class($this)."::get_type sql=".$sql); $resql = $this->db->query($sql); if ($resql) { @@ -553,7 +559,7 @@ class Categorie else { $this->error=$this->db->error().' sql='.$sql; - dol_syslog("Categorie::get_type ".$this->error, LOG_ERR); + dol_syslog(get_class($this)."::get_type ".$this->error, LOG_ERR); return -1; } } diff --git a/htdocs/categories/viewcat.php b/htdocs/categories/viewcat.php index bcf8fd65675..5d3fa1d0a55 100644 --- a/htdocs/categories/viewcat.php 
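Review bot: The rewritten docblock of `get_type()` still says `@return void`, yet the function returns `-1` on query failure (visible in the second hunk) and, from the `$objs` it initialises, presumably the array of loaded objects on success; document it as `@return array|int Array of objects, or -1 on SQL error` so callers such as viewcat.php's `if ($prods < 0)` check read as intended. In the new SQL, `$this->id` is concatenated unescaped and `$field`/`$category_table`/`$object_table` become identifiers; callers pass literals today, but `(int) $this->id` plus a docblock note that the table and field parameters must never come from user input keeps it that way. The added join also assumes every `$object_table` has an `entity` column and that `fk_<field>` references `o.rowid`; the existing callers still relying on the `$object_table = $field` default are not visible here and should be checked against that. The loop that fills `$objs` lies outside the hunk.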
+++ b/htdocs/categories/viewcat.php @@ -322,7 +322,7 @@ if ($object->type == 3) { require_once(DOL_DOCUMENT_ROOT."/adherents/class/adherent.class.php"); - $prods = $object->get_type("member","Adherent"); + $prods = $object->get_type("member","Adherent","","adherent"); if ($prods < 0) { dol_print_error($db,$object->error); @@ -358,7 +358,7 @@ if ($object->type == 3) } } -$db->close(); llxFooter(); +$db->close(); ?> \ No newline at end of file diff --git a/htdocs/societe/info.php b/htdocs/societe/info.php index e743eb53a1e..67701ee4fa7 100644 --- a/htdocs/societe/info.php +++ b/htdocs/societe/info.php @@ -1,6 +1,7 @@ - * Copyright (C) 2010 Juanjo Menent +/* Copyright (C) 2004-2009 Laurent Destailleur + * Copyright (C) 2005-2012 Regis Houssin + * Copyright (C) 2010 Juanjo Menent * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -32,9 +33,9 @@ $langs->load("other"); if ($conf->notification->enabled) $langs->load("mails"); // Security check -$socid = isset($_GET["socid"])?$_GET["socid"]:''; +$socid = GETPOST('socid','int'); if ($user->societe_id) $socid=$user->societe_id; -$result = restrictedArea($user, 'societe','',''); +$result = restrictedArea($user, 'societe', $socid, '&societe'); /* diff --git a/htdocs/societe/soc.php b/htdocs/societe/soc.php index 2a9e3a3efdf..b81d158ed22 100644 --- a/htdocs/societe/soc.php +++ b/htdocs/societe/soc.php @@ -66,7 +66,7 @@ if (! empty($canvas)) } // Security check -$result = restrictedArea($user, 'societe', $socid, '&societe', '', '', '', $objcanvas); +$result = restrictedArea($user, 'societe', $socid, '&societe', '', 'fk_soc', 'rowid', $objcanvas); // Initialize technical object to manage hooks of thirdparties. Note that conf->hooks_modules contains array array include_once(DOL_DOCUMENT_ROOT.'/core/class/hookmanager.class.php');
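Review bot: The tightened `restrictedArea($user, 'societe', $socid, '&societe')` in info.php omits the `'fk_soc', 'rowid'` key/select arguments that the same commit adds to soc.php, so the two pages may apply different ownership checks to the same third party; align them with `$result = restrictedArea($user, 'societe', $socid, '&societe', '', 'fk_soc', 'rowid');` or record why info.php needs the defaults. When `socid` is absent, GETPOST('socid','int') likely yields an empty string rather than 0, and the `$user->societe_id` override only covers external users, so the rest of info.php (outside the hunk) should be checked for code that assumes `$socid` is numeric before the check runs.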