From 3e93f27d98f079a4389cd200b154105a8d851894 Mon Sep 17 00:00:00 2001 From: ptibogxiv Date: Sun, 25 Jun 2017 01:27:41 +0200 Subject: [PATCH 01/17] Update index.php --- htdocs/api/index.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/htdocs/api/index.php b/htdocs/api/index.php index 1e04590da14..c1233295674 100644 --- a/htdocs/api/index.php +++ b/htdocs/api/index.php @@ -29,6 +29,10 @@ if (! defined("NOLOGIN")) define("NOLOGIN",'1'); if (! defined("NOCSRFCHECK")) define("NOCSRFCHECK",'1'); +$DOLAPIENTITY = $_SERVER['HTTP_DOLAPIENTITY']; +$entity=(! empty($DOLAPIENTITY) ? (int) $DOLAPIENTITY : (! empty($DOLAPIENTITY) ? (int) $DOLAPIENTITY : 1)); +if (is_numeric($entity)) define("DOLENTITY", $entity); + $res=0; if (! $res && file_exists("../main.inc.php")) $res=include '../main.inc.php'; if (! $res) die("Include of main fails"); From 5cba2f0daf7d39b2818ba6f49b901d9cb852c10d Mon Sep 17 00:00:00 2001 From: ptibogxiv Date: Fri, 15 Sep 2017 01:58:55 +0200 Subject: [PATCH 02/17] Update list.php --- htdocs/don/list.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/don/list.php b/htdocs/don/list.php index 24ee68eb0f7..e8a9524e734 100644 --- a/htdocs/don/list.php +++ b/htdocs/don/list.php @@ -89,7 +89,7 @@ $sql = "SELECT d.rowid, d.datedon, d.firstname, d.lastname, d.societe,"; $sql.= " d.amount, d.fk_statut as statut, "; $sql.= " p.rowid as pid, p.ref, p.title, p.public"; $sql.= " FROM ".MAIN_DB_PREFIX."don as d LEFT JOIN ".MAIN_DB_PREFIX."projet AS p"; -$sql.= " ON p.rowid = d.fk_projet WHERE 1 = 1"; +$sql.= " ON p.rowid = d.fk_projet WHERE d.entity IN (".getEntity('don').")"; if ($statut >= 0) { $sql .= " AND d.fk_statut = ".$statut; From b9e087984787570109ff58d4d52099bd59a481bf Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Fri, 15 Sep 2017 10:57:22 +0200 Subject: [PATCH 03/17] NEW: Add hook addAdminLdapOptions and doAction in ldap admin page NEW: complete_head_from_modules() in ldap_prepare_head() --- ChangeLog | 4 ++ htdocs/admin/ldap.php | 87 +++++++++++++++++++++--------------- htdocs/core/lib/ldap.lib.php | 12 ++++- 3 files changed, 64 insertions(+), 39 deletions(-) diff --git a/ChangeLog b/ChangeLog index c64bec0d881..69005b0c492 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,10 @@ English Dolibarr ChangeLog ***** ChangeLog for 7.0.0 compared to 6.0.* ***** +For developers: +NEW: Add hook addAdminLdapOptions and doAction in ldap admin page +NEW: complete_head_from_modules() in ldap_prepare_head() + WARNING: Following changes may create regression for some external modules, but were necessary to make Dolibarr better: diff --git a/htdocs/admin/ldap.php b/htdocs/admin/ldap.php index dd084894b3d..b0c9c30559a 100644 --- a/htdocs/admin/ldap.php +++ b/htdocs/admin/ldap.php @@ -1,10 +1,10 @@ - * Copyright (C) 2004 Sebastien Di Cintio - * Copyright (C) 2004 Benoit Mortier - * Copyright (C) 2005 Regis Houssin - * Copyright (C) 2006-2011 Laurent Destailleur - * Copyright (C) 2011-2013 Juanjo Menent +/* Copyright (C) 2004 Rodolphe Quiedeville + * Copyright (C) 2004 Sebastien Di Cintio + * Copyright (C) 2004 Benoit Mortier + * Copyright (C) 2005-2017 Regis Houssin + * Copyright (C) 2006-2011 Laurent Destailleur + * Copyright (C) 2011-2013 Juanjo Menent * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -34,46 +34,54 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/ldap.lib.php'; $langs->load("admin"); if (!$user->admin) - accessforbidden(); + accessforbidden(); - $action = GETPOST('action','aZ09'); +$action = GETPOST('action','aZ09'); + +// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context +$hookmanager->initHooks(array('adminldap','globaladmin')); /* * Actions */ -if ($action == 'setvalue' && $user->admin) +$parameters=array(); +$reshook=$hookmanager->executeHooks('doActions',$parameters,'',$action); // Note that $action and $object may have been modified by some hooks +if ($reshook < 0) setEventMessages($hookmanager->error, $hookmanager->errors, 'errors'); + +if (empty($reshook)) { - $error=0; + if ($action == 'setvalue' && $user->admin) + { + $error=0; - $db->begin(); - if (! dolibarr_set_const($db, 'LDAP_SERVER_TYPE',GETPOST("type"),'chaine',0,'',$conf->entity)) $error++; - if (! dolibarr_set_const($db, 'LDAP_SERVER_PROTOCOLVERSION',GETPOST("LDAP_SERVER_PROTOCOLVERSION"),'chaine',0,'',$conf->entity)) $error++; - if (! dolibarr_set_const($db, 'LDAP_SERVER_HOST',GETPOST("host"),'chaine',0,'',$conf->entity)) $error++; - if (! dolibarr_set_const($db, 'LDAP_SERVER_HOST_SLAVE',GETPOST("slave"),'chaine',0,'',$conf->entity)) $error++; - if (! dolibarr_set_const($db, 'LDAP_SERVER_PORT',GETPOST("port"),'chaine',0,'',$conf->entity)) $error++; - if (! dolibarr_set_const($db, 'LDAP_SERVER_DN',GETPOST("dn"),'chaine',0,'',$conf->entity)) $error++; - if (! dolibarr_set_const($db, 'LDAP_ADMIN_DN',GETPOST("admin"),'chaine',0,'',$conf->entity)) $error++; - if (! dolibarr_set_const($db, 'LDAP_ADMIN_PASS',GETPOST("pass"),'chaine',0,'',$conf->entity)) $error++; - if (! dolibarr_set_const($db, 'LDAP_SERVER_USE_TLS',GETPOST("usetls"),'chaine',0,'',$conf->entity)) $error++; - if (! dolibarr_set_const($db, 'LDAP_SYNCHRO_ACTIVE',GETPOST("activesynchro"),'chaine',0,'',$conf->entity)) $error++; - if (! dolibarr_set_const($db, 'LDAP_CONTACT_ACTIVE',GETPOST("activecontact"),'chaine',0,'',$conf->entity)) $error++; - if (! dolibarr_set_const($db, 'LDAP_MEMBER_ACTIVE',GETPOST("activemembers"),'chaine',0,'',$conf->entity)) $error++; + $db->begin(); + if (! dolibarr_set_const($db, 'LDAP_SERVER_TYPE',GETPOST("type"),'chaine',0,'',$conf->entity)) $error++; + if (! dolibarr_set_const($db, 'LDAP_SERVER_PROTOCOLVERSION',GETPOST("LDAP_SERVER_PROTOCOLVERSION"),'chaine',0,'',$conf->entity)) $error++; + if (! dolibarr_set_const($db, 'LDAP_SERVER_HOST',GETPOST("host"),'chaine',0,'',$conf->entity)) $error++; + if (! dolibarr_set_const($db, 'LDAP_SERVER_HOST_SLAVE',GETPOST("slave"),'chaine',0,'',$conf->entity)) $error++; + if (! dolibarr_set_const($db, 'LDAP_SERVER_PORT',GETPOST("port"),'chaine',0,'',$conf->entity)) $error++; + if (! dolibarr_set_const($db, 'LDAP_SERVER_DN',GETPOST("dn"),'chaine',0,'',$conf->entity)) $error++; + if (! dolibarr_set_const($db, 'LDAP_ADMIN_DN',GETPOST("admin"),'chaine',0,'',$conf->entity)) $error++; + if (! dolibarr_set_const($db, 'LDAP_ADMIN_PASS',GETPOST("pass"),'chaine',0,'',$conf->entity)) $error++; + if (! dolibarr_set_const($db, 'LDAP_SERVER_USE_TLS',GETPOST("usetls"),'chaine',0,'',$conf->entity)) $error++; + if (! dolibarr_set_const($db, 'LDAP_SYNCHRO_ACTIVE',GETPOST("activesynchro"),'chaine',0,'',$conf->entity)) $error++; + if (! dolibarr_set_const($db, 'LDAP_CONTACT_ACTIVE',GETPOST("activecontact"),'chaine',0,'',$conf->entity)) $error++; + if (! dolibarr_set_const($db, 'LDAP_MEMBER_ACTIVE',GETPOST("activemembers"),'chaine',0,'',$conf->entity)) $error++; - if (! $error) - { - $db->commit(); - setEventMessages($langs->trans("SetupSaved"), null, 'mesgs'); - } - else - { - $db->rollback(); - dol_print_error($db); - } + if (! $error) + { + $db->commit(); + setEventMessages($langs->trans("SetupSaved"), null, 'mesgs'); + } + else + { + $db->rollback(); + dol_print_error($db); + } + } } - - /* * View */ @@ -149,6 +157,11 @@ if (! empty($conf->adherent->enabled)) print ''.$langs->trans("LDAPDnMemberActiveExample").''; } +// Fields from hook +$parameters=array(); +$reshook=$hookmanager->executeHooks('addAdminLdapOptions',$parameters); // Note that $action and $object may have been modified by hook +print $hookmanager->resPrint; + print ''; print ''.$langs->trans("Parameter").''; print ''.$langs->trans("Value").''; @@ -193,11 +206,11 @@ print ''.$langs->trans("LDAPServerExample").''; print ''.$langs->trans("LDAPServerPort").''; if (! empty($conf->global->LDAP_SERVER_PORT)) { - print ''; + print ''; } else { - print ''; + print ''; } print ''.$langs->trans("LDAPServerPortExample").''; diff --git a/htdocs/core/lib/ldap.lib.php b/htdocs/core/lib/ldap.lib.php index d4ef7a2ed7a..f684af594e5 100644 --- a/htdocs/core/lib/ldap.lib.php +++ b/htdocs/core/lib/ldap.lib.php @@ -1,5 +1,6 @@ +/* Copyright (C) 2006 Laurent Destailleur + * Copyright (C) 2006-2017 Regis Houssin * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -30,6 +31,7 @@ function ldap_prepare_head() { global $langs, $conf, $user; + $langs->load("ldap"); // Onglets @@ -73,6 +75,12 @@ function ldap_prepare_head() $h++; } + // Show more tabs from modules + // Entries must be declared in modules descriptor with line + // $this->tabs = array('entity:+tabname:Title:@mymodule:/mymodule/mypage.php?id=__ID__'); to add new tab + // $this->tabs = array('entity:-tabname); to remove a tab + complete_head_from_modules($conf,$langs,'',$head,$h,'ldap'); + return $head; } @@ -147,7 +155,7 @@ function show_ldap_content($result,$level,$count,$var,$hide=0,$subcount=0) $hide=0; if (! is_numeric($key)) { - + print ''; print ''; print $key; From a213a5d5fd7ee70498dc1217bcda413d81bce76f Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Fri, 15 Sep 2017 11:12:56 +0200 Subject: [PATCH 04/17] Fix: missing empty $object --- htdocs/admin/ldap.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/admin/ldap.php b/htdocs/admin/ldap.php index b0c9c30559a..d5720835f3c 100644 --- a/htdocs/admin/ldap.php +++ b/htdocs/admin/ldap.php @@ -46,7 +46,7 @@ $hookmanager->initHooks(array('adminldap','globaladmin')); */ $parameters=array(); -$reshook=$hookmanager->executeHooks('doActions',$parameters,'',$action); // Note that $action and $object may have been modified by some hooks +$reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks if ($reshook < 0) setEventMessages($hookmanager->error, $hookmanager->errors, 'errors'); if (empty($reshook)) From 25cd1ee27ae7f287994eaaf646e54a7bbf88dc31 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Fri, 15 Sep 2017 11:19:19 +0200 Subject: [PATCH 05/17] Fix: avoid Warning: A non-numeric value encountered --- htdocs/admin/modules.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/htdocs/admin/modules.php b/htdocs/admin/modules.php index 53c497c74fe..ce67595a0f7 100644 --- a/htdocs/admin/modules.php +++ b/htdocs/admin/modules.php @@ -51,9 +51,9 @@ $search_version=GETPOST('search_version','alpha'); // For dolistore search $options = array(); $options['per_page'] = 20; -$options['categorie'] = GETPOST('categorie', 'int') + 0; -$options['start'] = GETPOST('start', 'int') + 0; -$options['end'] = GETPOST('end', 'int') + 0; +$options['categorie'] = ((GETPOST('categorie', 'int')?GETPOST('categorie', 'int'):0) + 0); +$options['start'] = ((GETPOST('start', 'int')?GETPOST('start', 'int'):0) + 0); +$options['end'] = ((GETPOST('end', 'int')?GETPOST('end', 'int'):0) + 0); $options['search'] = GETPOST('search_keyword', 'alpha'); $dolistore = new Dolistore($options); From db319803ec6ce74eff5545b85dcb37ae583c3899 Mon Sep 17 00:00:00 2001 From: florian HENRY Date: Fri, 15 Sep 2017 12:17:18 +0200 Subject: [PATCH 06/17] add sreach on extrafeilds on contract service list --- htdocs/contrat/services.php | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/htdocs/contrat/services.php b/htdocs/contrat/services.php index cd445e682eb..433f0bae4b2 100644 --- a/htdocs/contrat/services.php +++ b/htdocs/contrat/services.php @@ -237,6 +237,23 @@ if (! empty($filter_opouvertureprevue) && $filter_opouvertureprevue != -1 && $fi if (! empty($filter_op1) && $filter_op1 != -1 && $filter_date1 != '') $sql.= " AND cd.date_ouverture ".$filter_op1." '".$db->idate($filter_date1)."'"; if (! empty($filter_op2) && $filter_op2 != -1 && $filter_date2 != '') $sql.= " AND cd.date_fin_validite ".$filter_op2." '".$db->idate($filter_date2)."'"; if (! empty($filter_opcloture) && $filter_opcloture != -1 && $filter_datecloture != '') $sql.= " AND cd.date_cloture ".$filter_opcloture." '".$db->idate($filter_datecloture)."'"; +// Add where from extra fields +foreach ($search_array_options as $key => $val) +{ + $crit=$val; + $tmpkey=preg_replace('/search_options_/','',$key); + $typ=$extrafields->attribute_type[$tmpkey]; + $mode_search_extrafields=0; + if (in_array($typ, array('int','double'))) $mode_search_extrafields=1; // Search on a numeric + + if ($val && ( ($crit != '' && in_array($typ, array('sellist'))) || ! empty($crit))) + { + $sql .= ' AND ef.'.$tmpkey.'='.$crit; + } else if ($val && ( ($crit != '' && ! in_array($typ, array('select'))) || ! empty($crit))) { + $sql .= natural_search('ef.'.$tmpkey, $crit, $mode_search_extrafields); + } +} + $sql .= $db->order($sortfield,$sortorder); $nbtotalofrecords = ''; @@ -464,7 +481,7 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab $align=$extrafields->getAlignFlag($key); $typeofextrafield=$extrafields->attribute_type[$key]; print ''; - if (in_array($typeofextrafield, array('varchar', 'int', 'double', 'select'))) + if (in_array($typeofextrafield, array('varchar', 'int', 'double', 'select')) && empty($extrafields->attribute_computed[$key])) { $crit=$val; $tmpkey=preg_replace('/search_options_/','',$key); @@ -473,6 +490,11 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab if (in_array($typeofextrafield, array('int', 'double'))) $searchclass='searchnum'; print ''; } + else + { + // for the type as 'checkbox', 'chkbxlst', 'sellist' we should use code instead of id (example: I declare a 'chkbxlst' to have a link with dictionnairy, I have to extend it with the 'code' instead 'rowid') + echo $extrafields->showInputField($key, $search_array_options['search_options_'.$key], '', '', 'search_'); + } print ''; } } From 2abb38afdf35025e3b53aa50a10d7c7c0e0fcb42 Mon Sep 17 00:00:00 2001 From: tysauron Date: Fri, 15 Sep 2017 12:48:57 +0200 Subject: [PATCH 07/17] Beaucoup beaucoup plus rapide Pour moi passe de 4 secondes a 0,8 (grosse base) --- htdocs/core/lib/agenda.lib.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/htdocs/core/lib/agenda.lib.php b/htdocs/core/lib/agenda.lib.php index 0a4ad9ffcc9..d50e9f572ad 100644 --- a/htdocs/core/lib/agenda.lib.php +++ b/htdocs/core/lib/agenda.lib.php @@ -221,8 +221,8 @@ function show_array_actions_to_do($max=5) $sql = "SELECT a.id, a.label, a.datep as dp, a.datep2 as dp2, a.fk_user_author, a.percent,"; $sql.= " c.code, c.libelle as type_label,"; $sql.= " s.nom as sname, s.rowid, s.client"; - $sql.= " FROM ".MAIN_DB_PREFIX."c_actioncomm as c LEFT JOIN "; - $sql.= " ".MAIN_DB_PREFIX."actioncomm as a ON c.id = a.fk_action"; + $sql.= " FROM ".MAIN_DB_PREFIX."actioncomm as a LEFT JOIN "; + $sql.= " ".MAIN_DB_PREFIX."c_actioncomm as c ON c.id = a.fk_action"; $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON a.fk_soc = s.rowid"; if (!$user->rights->societe->client->voir && !$socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; $sql.= " WHERE a.entity = ".$conf->entity; @@ -318,8 +318,8 @@ function show_array_last_actions_done($max=5) $sql = "SELECT a.id, a.percent, a.datep as da, a.datep2 as da2, a.fk_user_author, a.label,"; $sql.= " c.code, c.libelle,"; $sql.= " s.rowid, s.nom as sname, s.client"; - $sql.= " FROM ".MAIN_DB_PREFIX."c_actioncomm as c LEFT JOIN "; - $sql.= " ".MAIN_DB_PREFIX."actioncomm as a ON c.id = a.fk_action "; + $sql.= " FROM ".MAIN_DB_PREFIX."actioncomm as a LEFT JOIN "; + $sql.= " ".MAIN_DB_PREFIX."c_actioncomm as c ON c.id = a.fk_action "; $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON a.fk_soc = s.rowid"; if (!$user->rights->societe->client->voir && !$socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; $sql.= " WHERE a.entity = ".$conf->entity; From 4f15c90aeee5dcd6162b1936228a3b5b37e2772e Mon Sep 17 00:00:00 2001 From: tysauron Date: Fri, 15 Sep 2017 12:58:13 +0200 Subject: [PATCH 08/17] Pour ne pas charger les membres d'un groupe lorsque l'on charge les groupe d'un user (sinon avec 200 user et 30 groupes = 6000 objects . trop lourd) --- htdocs/user/class/usergroup.class.php | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/htdocs/user/class/usergroup.class.php b/htdocs/user/class/usergroup.class.php index 5240605c25c..1dac2e1672b 100644 --- a/htdocs/user/class/usergroup.class.php +++ b/htdocs/user/class/usergroup.class.php @@ -75,7 +75,7 @@ class UserGroup extends CommonObject * @param string $groupname name du groupe a charger * @return int <0 if KO, >0 if OK */ - function fetch($id='', $groupname='') + function fetch($id='', $groupname='', $load_members = true) { global $conf; @@ -107,7 +107,8 @@ class UserGroup extends CommonObject $this->datec = $obj->datec; $this->datem = $obj->datem; - $this->members=$this->listUsersForGroup(); + if($load_members) + $this->members=$this->listUsersForGroup(); // Retreive all extrafield for group @@ -138,7 +139,7 @@ class UserGroup extends CommonObject * @param int $userid User id to search * @return array Array of groups objects */ - function listGroupsForUser($userid) + function listGroupsForUser($userid, $load_members = true) { global $conf, $user; @@ -168,7 +169,7 @@ class UserGroup extends CommonObject if (! array_key_exists($obj->rowid, $ret)) { $newgroup=new UserGroup($this->db); - $newgroup->fetch($obj->rowid); + $newgroup->fetch($obj->rowid, '', $load_members); $ret[$obj->rowid]=$newgroup; } From 5e34b121dd0445c908f37fa42e901b7af025dcaa Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 15 Sep 2017 15:41:07 +0200 Subject: [PATCH 09/17] Add more robust php unit to detect not escaped sql. Fix not escaped sql --- .../class/accountancysystem.class.php | 2 +- .../class/accountingaccount.class.php | 106 ++++++++--------- htdocs/adherents/class/adherent.class.php | 16 +-- htdocs/bookmarks/class/bookmark.class.php | 10 +- htdocs/categories/class/categorie.class.php | 8 +- htdocs/comm/action/class/actioncomm.class.php | 44 +++---- .../mailing/class/advtargetemailing.class.php | 2 +- htdocs/comm/propal/class/propal.class.php | 22 ++-- htdocs/commande/class/commande.class.php | 20 ++-- htdocs/compta/bank/class/account.class.php | 28 ++--- .../deplacement/class/deplacement.class.php | 2 +- .../facture/class/facture-rec.class.php | 10 +- htdocs/compta/facture/class/facture.class.php | 10 +- .../facture/class/paymentterm.class.php | 22 +--- .../compta/localtax/class/localtax.class.php | 12 +- .../salaries/class/paymentsalary.class.php | 10 +- .../sociales/class/chargesociales.class.php | 14 +-- htdocs/compta/tva/class/tva.class.php | 18 +-- htdocs/contact/class/contact.class.php | 10 +- htdocs/contrat/class/contrat.class.php | 20 ++-- htdocs/core/class/ccountry.class.php | 4 +- htdocs/core/class/commonobject.class.php | 18 +-- htdocs/core/class/cstate.class.php | 4 +- htdocs/core/class/ctypent.class.php | 4 +- htdocs/core/class/discount.class.php | 2 +- htdocs/core/class/events.class.php | 8 +- htdocs/core/class/link.class.php | 16 +-- htdocs/core/class/menubase.class.php | 24 ++-- htdocs/core/modules/DolibarrModules.class.php | 6 +- .../modules/cheque/mod_chequereceipt_mint.php | 4 +- .../modules/commande/mod_commande_marbre.php | 4 +- .../modules/contract/mod_contract_serpis.php | 4 +- .../expedition/mod_expedition_safor.php | 4 +- .../expensereport/mod_expensereport_jade.php | 4 +- .../core/modules/facture/mod_facture_mars.php | 8 +- .../modules/facture/mod_facture_terre.php | 10 +- htdocs/core/modules/fichinter/mod_pacific.php | 4 +- .../modules/livraison/mod_livraison_jade.php | 4 +- .../modules/payment/mod_payment_cicada.php | 4 +- .../modules/project/mod_project_simple.php | 4 +- .../modules/project/task/mod_task_simple.php | 4 +- .../modules/propale/mod_propale_marbre.php | 4 +- .../mod_facture_fournisseur_cactus.php | 8 +- .../mod_commande_fournisseur_muguet.php | 4 +- .../mod_supplier_payment_bronan.php | 4 +- .../mod_supplier_proposal_marbre.php | 4 +- htdocs/cron/class/cronjob.class.php | 2 +- htdocs/ecm/class/ecmdirectory.class.php | 6 +- htdocs/expedition/class/expedition.class.php | 2 +- .../class/fournisseur.commande.class.php | 16 +-- .../fournisseur.commande.dispatch.class.php | 22 ++-- .../fourn/class/fournisseur.facture.class.php | 10 +- htdocs/holiday/class/holiday.class.php | 4 +- htdocs/imports/class/import.class.php | 4 +- htdocs/product/class/product.class.php | 42 +++---- .../class/productcustomerprice.class.php | 22 ++-- .../class/propalmergepdfproduct.class.php | 108 +++++++++--------- htdocs/projet/class/task.class.php | 10 +- htdocs/resource/class/dolresource.class.php | 14 +-- htdocs/societe/class/societe.class.php | 18 +-- .../class/supplier_proposal.class.php | 18 +-- htdocs/websites/class/website.class.php | 2 +- test/phpunit/CodingPhpTest.php | 4 +- 63 files changed, 420 insertions(+), 438 deletions(-) diff --git a/htdocs/accountancy/class/accountancysystem.class.php b/htdocs/accountancy/class/accountancysystem.class.php index 68beff8d043..f14a3e7f761 100644 --- a/htdocs/accountancy/class/accountancysystem.class.php +++ b/htdocs/accountancy/class/accountancysystem.class.php @@ -107,7 +107,7 @@ class AccountancySystem $sql = "INSERT INTO " . MAIN_DB_PREFIX . "accounting_system"; $sql .= " (date_creation, fk_user_author, numero, label)"; - $sql .= " VALUES ('" . $this->db->idate($now) . "'," . $user->id . ",'" . $this->numero . "','" . $this->label . "')"; + $sql .= " VALUES ('" . $this->db->idate($now) . "'," . $user->id . ",'" . $this->db->escape($this->numero) . "','" . $this->db->escape($this->label) . "')"; dol_syslog(get_class($this) . "::create sql=" . $sql, LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/accountancy/class/accountingaccount.class.php b/htdocs/accountancy/class/accountingaccount.class.php index 1dad83512e3..137c4f5fe37 100644 --- a/htdocs/accountancy/class/accountingaccount.class.php +++ b/htdocs/accountancy/class/accountingaccount.class.php @@ -47,7 +47,7 @@ class AccountingAccount extends CommonObject var $fk_user_modif; var $active; // duplicate with status var $status; - + /** * Constructor * @@ -56,7 +56,7 @@ class AccountingAccount extends CommonObject function __construct($db) { $this->db = $db; } - + /** * Load record in memory * @@ -67,7 +67,7 @@ class AccountingAccount extends CommonObject */ function fetch($rowid = null, $account_number = null, $limittocurrentchart = 0) { global $conf; - + if ($rowid || $account_number) { $sql = "SELECT a.rowid as rowid, a.datec, a.tms, a.fk_pcg_version, a.pcg_type, a.pcg_subtype, a.account_number, a.account_parent, a.label, a.fk_accounting_category, a.fk_user_author, a.fk_user_modif, a.active"; $sql .= ", ca.label as category_label"; @@ -87,7 +87,7 @@ class AccountingAccount extends CommonObject $result = $this->db->query($sql); if ($result) { $obj = $this->db->fetch_object($result); - + if ($obj) { $this->id = $obj->rowid; $this->rowid = $obj->rowid; @@ -105,7 +105,7 @@ class AccountingAccount extends CommonObject $this->fk_user_modif = $obj->fk_user_modif; $this->active = $obj->active; $this->status = $obj->active; - + return $this->id; } else { return 0; @@ -117,7 +117,7 @@ class AccountingAccount extends CommonObject } return - 1; } - + /** * Insert new accounting account in chart of accounts * @@ -129,7 +129,7 @@ class AccountingAccount extends CommonObject global $conf; $error = 0; $now = dol_now(); - + // Clean parameters if (isset($this->fk_pcg_version)) $this->fk_pcg_version = trim($this->fk_pcg_version); @@ -149,7 +149,7 @@ class AccountingAccount extends CommonObject $this->fk_user_author = trim($this->fk_user_author); if (isset($this->active)) $this->active = trim($this->active); - + if (empty($this->pcg_type) || $this->pcg_type == '-1') { $this->pcg_type = 'XXXXXX'; @@ -160,7 +160,7 @@ class AccountingAccount extends CommonObject } // Check parameters // Put here code to add control on parameters values - + // Insert request $sql = "INSERT INTO " . MAIN_DB_PREFIX . "accounting_account("; $sql .= "datec"; @@ -179,31 +179,31 @@ class AccountingAccount extends CommonObject $sql .= ", " . $conf->entity; $sql .= ", " . (empty($this->fk_pcg_version) ? 'NULL' : "'" . $this->db->escape($this->fk_pcg_version) . "'"); $sql .= ", " . (empty($this->pcg_type) ? 'NULL' : "'" . $this->db->escape($this->pcg_type) . "'"); - $sql .= ", " . (empty($this->pcg_subtype) ? 'NULL' : "'" . $this->pcg_subtype . "'"); - $sql .= ", " . (empty($this->account_number) ? 'NULL' : "'" . $this->account_number . "'"); + $sql .= ", " . (empty($this->pcg_subtype) ? 'NULL' : "'" . $this->db->escape($this->pcg_subtype) . "'"); + $sql .= ", " . (empty($this->account_number) ? 'NULL' : "'" . $this->db->escape($this->account_number) . "'"); $sql .= ", " . (empty($this->account_parent) ? 'NULL' : "'" . $this->db->escape($this->account_parent) . "'"); $sql .= ", " . (empty($this->label) ? 'NULL' : "'" . $this->db->escape($this->label) . "'"); $sql .= ", " . (empty($this->account_category) ? 'NULL' : "'" . $this->db->escape($this->account_category) . "'"); $sql .= ", " . $user->id; $sql .= ", " . (! isset($this->active) ? 'NULL' : $this->db->escape($this->active)); $sql .= ")"; - + $this->db->begin(); - + dol_syslog(get_class($this) . "::create sql=" . $sql, LOG_DEBUG); $resql = $this->db->query($sql); if (! $resql) { $error ++; $this->errors[] = "Error " . $this->db->lasterror(); } - + if (! $error) { $this->id = $this->db->last_insert_id(MAIN_DB_PREFIX . "accounting_account"); - + // if (! $notrigger) { // Uncomment this and change MYOBJECT to your own tag if you // want this action calls a trigger. - + // // Call triggers // include_once DOL_DOCUMENT_ROOT . '/core/class/interfaces.class.php'; // $interface=new Interfaces($this->db); @@ -212,7 +212,7 @@ class AccountingAccount extends CommonObject // // End call triggers // } } - + // Commit or rollback if ($error) { foreach ( $this->errors as $errmsg ) { @@ -226,14 +226,14 @@ class AccountingAccount extends CommonObject return $this->id; } } - + /** * Update record * * @param User $user Use making update * @return int <0 if KO, >0 if OK */ - function update($user) + function update($user) { // Check parameters if (empty($this->pcg_type) || $this->pcg_type == '-1') @@ -244,9 +244,9 @@ class AccountingAccount extends CommonObject { $this->pcg_subtype = 'XXXXXX'; } - + $this->db->begin(); - + $sql = "UPDATE " . MAIN_DB_PREFIX . "accounting_account "; $sql .= " SET fk_pcg_version = " . ($this->fk_pcg_version ? "'" . $this->db->escape($this->fk_pcg_version) . "'" : "null"); $sql .= " , pcg_type = " . ($this->pcg_type ? "'" . $this->db->escape($this->pcg_type) . "'" : "null"); @@ -258,7 +258,7 @@ class AccountingAccount extends CommonObject $sql .= " , fk_user_modif = " . $user->id; $sql .= " , active = " . $this->active; $sql .= " WHERE rowid = " . $this->id; - + dol_syslog(get_class($this) . "::update sql=" . $sql, LOG_DEBUG); $result = $this->db->query($sql); if ($result) { @@ -270,7 +270,7 @@ class AccountingAccount extends CommonObject return - 1; } } - + /** * Check usage of accounting code * @@ -278,16 +278,16 @@ class AccountingAccount extends CommonObject */ function checkUsage() { global $langs; - + $sql = "(SELECT fk_code_ventilation FROM " . MAIN_DB_PREFIX . "facturedet"; $sql .= " WHERE fk_code_ventilation=" . $this->id . ")"; $sql .= "UNION"; $sql .= "(SELECT fk_code_ventilation FROM " . MAIN_DB_PREFIX . "facture_fourn_det"; $sql .= " WHERE fk_code_ventilation=" . $this->id . ")"; - + dol_syslog(get_class($this) . "::checkUsage sql=" . $sql, LOG_DEBUG); $resql = $this->db->query($sql); - + if ($resql) { $num = $this->db->num_rows($resql); if ($num > 0) { @@ -301,7 +301,7 @@ class AccountingAccount extends CommonObject return - 1; } } - + /** * Delete object in database * @@ -311,18 +311,18 @@ class AccountingAccount extends CommonObject */ function delete($user, $notrigger = 0) { $error = 0; - + $result = $this->checkUsage(); - + if ($result > 0) { - + $this->db->begin(); - + // if (! $error) { // if (! $notrigger) { // Uncomment this and change MYOBJECT to your own tag if you // want this action calls a trigger. - + // // Call triggers // include_once DOL_DOCUMENT_ROOT . '/core/class/interfaces.class.php'; // $interface=new Interfaces($this->db); @@ -331,11 +331,11 @@ class AccountingAccount extends CommonObject // // End call triggers // } // } - + if (! $error) { $sql = "DELETE FROM " . MAIN_DB_PREFIX . "accounting_account"; $sql .= " WHERE rowid=" . $this->id; - + dol_syslog(get_class($this) . "::delete sql=" . $sql); $resql = $this->db->query($sql); if (! $resql) { @@ -343,7 +343,7 @@ class AccountingAccount extends CommonObject $this->errors[] = "Error " . $this->db->lasterror(); } } - + // Commit or rollback if ($error) { foreach ( $this->errors as $errmsg ) { @@ -360,7 +360,7 @@ class AccountingAccount extends CommonObject return - 1; } } - + /** * Return clicable name (with picto eventually) * @@ -375,7 +375,7 @@ class AccountingAccount extends CommonObject { global $langs, $conf, $user; require_once DOL_DOCUMENT_ROOT.'/core/lib/accounting.lib.php'; - + if (! empty($conf->dol_no_mouse_hover)) $notooltip=1; // Force disable tooltips $result = ''; @@ -412,7 +412,7 @@ class AccountingAccount extends CommonObject { $linkstart = ''; $linkclose = ''; - $linkend = ''; + $linkend = ''; } $label_link = length_accountg($this->account_number); @@ -423,7 +423,7 @@ class AccountingAccount extends CommonObject if ($withpicto != 2) $result.=$linkstart . $label_link . $linkend; return $result; } - + /** * Information on record * @@ -434,10 +434,10 @@ class AccountingAccount extends CommonObject $sql = 'SELECT a.rowid, a.datec, a.fk_user_author, a.fk_user_modif, a.tms'; $sql .= ' FROM ' . MAIN_DB_PREFIX . 'accounting_account as a'; $sql .= ' WHERE a.rowid = ' . $id; - + dol_syslog(get_class($this) . '::info sql=' . $sql); $result = $this->db->query($sql); - + if ($result) { if ($this->db->num_rows($result)) { $obj = $this->db->fetch_object($result); @@ -460,7 +460,7 @@ class AccountingAccount extends CommonObject dol_print_error($this->db); } } - + /** * Account desactivate * @@ -469,17 +469,17 @@ class AccountingAccount extends CommonObject */ function account_desactivate($id) { $result = $this->checkUsage(); - + if ($result > 0) { $this->db->begin(); - + $sql = "UPDATE " . MAIN_DB_PREFIX . "accounting_account "; $sql .= "SET active = '0'"; $sql .= " WHERE rowid = " . $this->db->escape($id); - + dol_syslog(get_class($this) . "::desactivate sql=" . $sql, LOG_DEBUG); $result = $this->db->query($sql); - + if ($result) { $this->db->commit(); return 1; @@ -492,7 +492,7 @@ class AccountingAccount extends CommonObject return - 1; } } - + /** * Account activate * @@ -501,11 +501,11 @@ class AccountingAccount extends CommonObject */ function account_activate($id) { $this->db->begin(); - + $sql = "UPDATE " . MAIN_DB_PREFIX . "accounting_account "; $sql .= "SET active = '1'"; $sql .= " WHERE rowid = " . $this->db->escape($id); - + dol_syslog(get_class($this) . "::activate sql=" . $sql, LOG_DEBUG); $result = $this->db->query($sql); if ($result) { @@ -517,8 +517,8 @@ class AccountingAccount extends CommonObject return - 1; } } - - + + /** * Retourne le libelle du statut d'un user (actif, inactif) * @@ -529,7 +529,7 @@ class AccountingAccount extends CommonObject { return $this->LibStatut($this->status,$mode); } - + /** * Renvoi le libelle d'un statut donne * @@ -541,7 +541,7 @@ class AccountingAccount extends CommonObject { global $langs; $langs->load('users'); - + if ($mode == 0) { $prefix=''; diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php index a7ffafcbb79..85665280275 100644 --- a/htdocs/adherents/class/adherent.class.php +++ b/htdocs/adherents/class/adherent.class.php @@ -325,10 +325,10 @@ class Adherent extends CommonObject $sql.= " '".$this->db->idate($this->datec)."'"; $sql.= ", ".($this->login?"'".$this->db->escape($this->login)."'":"null"); $sql.= ", ".($user->id>0?$user->id:"null"); // Can be null because member can be created by a guest or a script - $sql.= ", null, null, '".$this->morphy."'"; - $sql.= ", '".$this->typeid."'"; + $sql.= ", null, null, '".$this->db->escape($this->morphy)."'"; + $sql.= ", ".$this->typeid; $sql.= ", ".$conf->entity; - $sql.= ", ".(! empty($this->import_key) ? "'".$this->import_key."'":"null"); + $sql.= ", ".(! empty($this->import_key) ? "'".$this->db->escape($this->import_key)."'":"null"); $sql.= ")"; dol_syslog(get_class($this)."::create", LOG_DEBUG); @@ -447,17 +447,17 @@ class Adherent extends CommonObject $this->db->begin(); $sql = "UPDATE ".MAIN_DB_PREFIX."adherent SET"; - $sql.= " civility = ".(!is_null($this->civility_id)?"'".$this->civility_id."'":"null"); + $sql.= " civility = ".(!is_null($this->civility_id)?$this->db->escape($this->civility_id):"null"); $sql.= ", firstname = ".($this->firstname?"'".$this->db->escape($this->firstname)."'":"null"); $sql.= ", lastname=" .($this->lastname?"'".$this->db->escape($this->lastname)."'":"null"); $sql.= ", login=" .($this->login?"'".$this->db->escape($this->login)."'":"null"); $sql.= ", societe=" .($this->societe?"'".$this->db->escape($this->societe)."'":"null"); - $sql.= ", fk_soc=" .($this->fk_soc > 0?"'".$this->fk_soc."'":"null"); + $sql.= ", fk_soc=" .($this->fk_soc > 0?$this->db->escape($this->fk_soc):"null"); $sql.= ", address=" .($this->address?"'".$this->db->escape($this->address)."'":"null"); $sql.= ", zip=" .($this->zip?"'".$this->db->escape($this->zip)."'":"null"); $sql.= ", town=" .($this->town?"'".$this->db->escape($this->town)."'":"null"); - $sql.= ", country=".($this->country_id>0?"'".$this->country_id."'":"null"); - $sql.= ", state_id=".($this->state_id>0?"'".$this->state_id."'":"null"); + $sql.= ", country=".($this->country_id>0?$this->db->escape($this->country_id):"null"); + $sql.= ", state_id=".($this->state_id>0?$this->db->escape($this->state_id):"null"); $sql.= ", email='".$this->db->escape($this->email)."'"; $sql.= ", skype='".$this->db->escape($this->skype)."'"; $sql.= ", phone=" .($this->phone?"'".$this->db->escape($this->phone)."'":"null"); @@ -465,7 +465,7 @@ class Adherent extends CommonObject $sql.= ", phone_mobile=" .($this->phone_mobile?"'".$this->db->escape($this->phone_mobile)."'":"null"); $sql.= ", note_private=" .($this->note_private?"'".$this->db->escape($this->note_private)."'":"null"); $sql.= ", note_public=" .($this->note_public?"'".$this->db->escape($this->note_public)."'":"null"); - $sql.= ", photo=" .($this->photo?"'".$this->photo."'":"null"); + $sql.= ", photo=" .($this->photo?"'".$this->db->escape($this->photo)."'":"null"); $sql.= ", public='".$this->db->escape($this->public)."'"; $sql.= ", statut=" .$this->statut; $sql.= ", fk_adherent_type=".$this->typeid; diff --git a/htdocs/bookmarks/class/bookmark.class.php b/htdocs/bookmarks/class/bookmark.class.php index 55302e103f7..b72089e61b8 100644 --- a/htdocs/bookmarks/class/bookmark.class.php +++ b/htdocs/bookmarks/class/bookmark.class.php @@ -120,11 +120,11 @@ class Bookmark extends CommonObject $sql.= ",title,favicon,position"; $sql.= ",entity"; $sql.= ") VALUES ("; - $sql.= ($this->fk_user > 0?"'".$this->fk_user."'":"0").","; + $sql.= ($this->fk_user > 0 ? $this->fk_user:"0").","; $sql.= " '".$this->db->idate($now)."',"; - $sql.= " '".$this->url."', '".$this->target."',"; - $sql.= " '".$this->db->escape($this->title)."', '".$this->favicon."', '".$this->position."'"; - $sql.= ", '".$conf->entity."'"; + $sql.= " '".$this->db->escape($this->url)."', '".$this->db->escape($this->target)."',"; + $sql.= " '".$this->db->escape($this->title)."', '".$this->db->escape($this->favicon)."', '".$this->db->escape($this->position)."'"; + $sql.= ", ".$this->db->escape($conf->entity); $sql.= ")"; dol_syslog("Bookmark::update", LOG_DEBUG); @@ -168,7 +168,7 @@ class Bookmark extends CommonObject if (empty($this->position)) $this->position=0; $sql = "UPDATE ".MAIN_DB_PREFIX."bookmark"; - $sql.= " SET fk_user = ".($this->fk_user > 0?"'".$this->fk_user."'":"0"); + $sql.= " SET fk_user = ".($this->fk_user > 0 ? $this->fk_user :"0"); $sql.= " ,dateb = '".$this->db->idate($this->datec)."'"; $sql.= " ,url = '".$this->db->escape($this->url)."'"; $sql.= " ,target = '".$this->db->escape($this->target)."'"; diff --git a/htdocs/categories/class/categorie.class.php b/htdocs/categories/class/categorie.class.php index 7a1a3985dd9..5cbe56554dd 100644 --- a/htdocs/categories/class/categorie.class.php +++ b/htdocs/categories/class/categorie.class.php @@ -311,7 +311,7 @@ class Categorie extends CommonObject $sql.= " import_key,"; $sql.= " entity"; $sql.= ") VALUES ("; - $sql.= $this->fk_parent.","; + $sql.= $this->db->escape($this->fk_parent).","; $sql.= "'".$this->db->escape($this->label)."',"; $sql.= "'".$this->db->escape($this->description)."',"; $sql.= "'".$this->db->escape($this->color)."',"; @@ -319,10 +319,10 @@ class Categorie extends CommonObject { $sql.= ($this->socid != -1 ? $this->socid : 'null').","; } - $sql.= "'".$this->visible."',"; - $sql.= $type.","; + $sql.= "'".$this->db->escape($this->visible)."',"; + $sql.= $this->db->escape($type).","; $sql.= (! empty($this->import_key)?"'".$this->db->escape($this->import_key)."'":'null').","; - $sql.= $conf->entity; + $sql.= $this->db->escape($conf->entity); $sql.= ")"; $res = $this->db->query($sql); diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php index c337616ed41..b59d47adb9e 100644 --- a/htdocs/comm/action/class/actioncomm.class.php +++ b/htdocs/comm/action/class/actioncomm.class.php @@ -296,23 +296,23 @@ class ActionComm extends CommonObject $sql.= "elementtype,"; $sql.= "entity"; $sql.= ") VALUES ("; - $sql.= "'".$this->db->idate($now)."',"; - $sql.= (strval($this->datep)!=''?"'".$this->db->idate($this->datep)."'":"null").","; - $sql.= (strval($this->datef)!=''?"'".$this->db->idate($this->datef)."'":"null").","; - $sql.= ((isset($this->durationp) && $this->durationp >= 0 && $this->durationp != '')?"'".$this->durationp."'":"null").","; // deprecated + $sql.= "'".$this->db->idate($now)."', "; + $sql.= (strval($this->datep)!=''?"'".$this->db->idate($this->datep)."'":"null").", "; + $sql.= (strval($this->datef)!=''?"'".$this->db->idate($this->datef)."'":"null").", "; + $sql.= ((isset($this->durationp) && $this->durationp >= 0 && $this->durationp != '')?"'".$this->db->escape($this->durationp)."'":"null").", "; // deprecated $sql.= (isset($this->type_id)?$this->type_id:"null").","; - $sql.= (isset($this->type_code)?" '".$this->type_code."'":"null").","; - $sql.= ((isset($this->socid) && $this->socid > 0)?" '".$this->socid."'":"null").","; - $sql.= ((isset($this->fk_project) && $this->fk_project > 0)?" '".$this->fk_project."'":"null").","; - $sql.= " '".$this->db->escape($this->note)."',"; - $sql.= ((isset($this->contactid) && $this->contactid > 0)?"'".$this->contactid."'":"null").","; - $sql.= (isset($user->id) && $user->id > 0 ? "'".$user->id."'":"null").","; - $sql.= ($userownerid>0?"'".$userownerid."'":"null").","; - $sql.= ($userdoneid>0?"'".$userdoneid."'":"null").","; - $sql.= "'".$this->db->escape($this->label)."','".$this->percentage."','".$this->priority."','".$this->fulldayevent."','".$this->db->escape($this->location)."','".$this->punctual."',"; - $sql.= "'".$this->transparency."',"; - $sql.= (! empty($this->fk_element)?$this->fk_element:"null").","; - $sql.= (! empty($this->elementtype)?"'".$this->elementtype."'":"null").","; + $sql.= (isset($this->type_code)?" '".$this->db->escape($this->type_code)."'":"null").", "; + $sql.= ((isset($this->socid) && $this->socid > 0) ? $this->socid:"null").", "; + $sql.= ((isset($this->fk_project) && $this->fk_project > 0) ? $this->fk_project:"null").", "; + $sql.= " '".$this->db->escape($this->note)."', "; + $sql.= ((isset($this->contactid) && $this->contactid > 0) ? $this->contactid:"null").", "; + $sql.= (isset($user->id) && $user->id > 0 ? $user->id:"null").", "; + $sql.= ($userownerid>0 ? $userownerid:"null").", "; + $sql.= ($userdoneid>0 ? $userdoneid:"null").", "; + $sql.= "'".$this->db->escape($this->label)."','".$this->db->escape($this->percentage)."','".$this->db->escape($this->priority)."','".$this->db->escape($this->fulldayevent)."','".$this->db->escape($this->location)."','".$this->db->escape($this->punctual)."', "; + $sql.= "'".$this->db->escape($this->transparency)."', "; + $sql.= (! empty($this->fk_element)?$this->fk_element:"null").", "; + $sql.= (! empty($this->elementtype)?"'".$this->db->escape($this->elementtype)."'":"null").", "; $sql.= $conf->entity; $sql.= ")"; @@ -758,11 +758,11 @@ class ActionComm extends CommonObject $sql.= ", label = ".($this->label ? "'".$this->db->escape($this->label)."'":"null"); $sql.= ", datep = ".(strval($this->datep)!='' ? "'".$this->db->idate($this->datep)."'" : 'null'); $sql.= ", datep2 = ".(strval($this->datef)!='' ? "'".$this->db->idate($this->datef)."'" : 'null'); - $sql.= ", durationp = ".(isset($this->durationp) && $this->durationp >= 0 && $this->durationp != ''?"'".$this->durationp."'":"null"); // deprecated + $sql.= ", durationp = ".(isset($this->durationp) && $this->durationp >= 0 && $this->durationp != ''?"'".$this->db->escape($this->durationp)."'":"null"); // deprecated $sql.= ", note = ".($this->note ? "'".$this->db->escape($this->note)."'":"null"); - $sql.= ", fk_project =". ($this->fk_project > 0 ? "'".$this->fk_project."'":"null"); - $sql.= ", fk_soc =". ($socid > 0 ? "'".$socid."'":"null"); - $sql.= ", fk_contact =". ($contactid > 0 ? "'".$contactid."'":"null"); + $sql.= ", fk_project =". ($this->fk_project > 0 ? $this->fk_project:"null"); + $sql.= ", fk_soc =". ($socid > 0 ? $socid:"null"); + $sql.= ", fk_contact =". ($contactid > 0 ? $contactid:"null"); $sql.= ", priority = '".$this->db->escape($this->priority)."'"; $sql.= ", fulldayevent = '".$this->db->escape($this->fulldayevent)."'"; $sql.= ", location = ".($this->location ? "'".$this->db->escape($this->location)."'":"null"); @@ -770,8 +770,8 @@ class ActionComm extends CommonObject $sql.= ", fk_user_mod = ".$user->id; $sql.= ", fk_user_action=".($userownerid > 0 ? "'".$userownerid."'":"null"); $sql.= ", fk_user_done=".($userdoneid > 0 ? "'".$userdoneid."'":"null"); - if (! empty($this->fk_element)) $sql.= ", fk_element=".($this->fk_element?$this->fk_element:"null"); - if (! empty($this->elementtype)) $sql.= ", elementtype=".($this->elementtype?"'".$this->elementtype."'":"null"); + if (! empty($this->fk_element)) $sql.= ", fk_element=".($this->fk_element?$this->db->escape($this->fk_element):"null"); + if (! empty($this->elementtype)) $sql.= ", elementtype=".($this->elementtype?"'".$this->db->escape($this->elementtype)."'":"null"); $sql.= " WHERE id=".$this->id; dol_syslog(get_class($this)."::update", LOG_DEBUG); diff --git a/htdocs/comm/mailing/class/advtargetemailing.class.php b/htdocs/comm/mailing/class/advtargetemailing.class.php index 8e8941c23fb..b8f5bddc4e3 100644 --- a/htdocs/comm/mailing/class/advtargetemailing.class.php +++ b/htdocs/comm/mailing/class/advtargetemailing.class.php @@ -121,7 +121,7 @@ class AdvanceTargetingMailing extends CommonObject $sql.= " ".(! isset($this->name)?'NULL':"'".$this->db->escape($this->name)."'").","; $sql.= " ".$conf->entity.","; - $sql.= " ".(! isset($this->fk_mailing)?'NULL':"'".$this->fk_mailing."'").","; + $sql.= " ".(! isset($this->fk_mailing)?'NULL':"'".$this->db->escape($this->fk_mailing)."'").","; $sql.= " ".(! isset($this->filtervalue)?'NULL':"'".$this->db->escape($this->filtervalue)."'").","; $sql.= " ".$user->id.","; $sql.= " '".$this->db->idate(dol_now())."',"; diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php index 4dea3053d23..ec89ad69fa4 100644 --- a/htdocs/comm/propal/class/propal.class.php +++ b/htdocs/comm/propal/class/propal.class.php @@ -938,7 +938,7 @@ class Propal extends CommonObject $sql.= ", '".$this->db->escape($this->multicurrency_code)."'"; $sql.= ", ".(double) $this->multicurrency_tx; $sql.= ")"; - + dol_syslog(get_class($this)."::create", LOG_DEBUG); $resql=$this->db->query($sql); if ($resql) @@ -3772,28 +3772,28 @@ class PropaleLigne extends CommonObjectLine $sql.= ' date_start, date_end'; $sql.= ', fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc)'; $sql.= " VALUES (".$this->fk_propal.","; - $sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").","; + $sql.= " ".($this->fk_parent_line>0?"'".$this->db->escape($this->fk_parent_line)."'":"null").","; $sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").","; $sql.= " '".$this->db->escape($this->desc)."',"; - $sql.= " ".($this->fk_product?"'".$this->fk_product."'":"null").","; - $sql.= " '".$this->product_type."',"; - $sql.= " ".($this->fk_remise_except?"'".$this->fk_remise_except."'":"null").","; + $sql.= " ".($this->fk_product?"'".$this->db->escape($this->fk_product)."'":"null").","; + $sql.= " '".$this->db->escape($this->product_type)."',"; + $sql.= " ".($this->fk_remise_except?"'".$this->db->escape($this->fk_remise_except)."'":"null").","; $sql.= " ".price2num($this->qty).","; - $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").","; + $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").","; $sql.= " ".price2num($this->tva_tx).","; $sql.= " ".price2num($this->localtax1_tx).","; $sql.= " ".price2num($this->localtax2_tx).","; - $sql.= " '".$this->localtax1_type."',"; - $sql.= " '".$this->localtax2_type."',"; + $sql.= " '".$this->db->escape($this->localtax1_type)."',"; + $sql.= " '".$this->db->escape($this->localtax2_type)."',"; $sql.= " ".($this->subprice?price2num($this->subprice):"null").","; $sql.= " ".price2num($this->remise_percent).","; - $sql.= " ".(isset($this->info_bits)?"'".$this->info_bits."'":"null").","; + $sql.= " ".(isset($this->info_bits)?"'".$this->db->escape($this->info_bits)."'":"null").","; $sql.= " ".price2num($this->total_ht).","; $sql.= " ".price2num($this->total_tva).","; $sql.= " ".price2num($this->total_localtax1).","; $sql.= " ".price2num($this->total_localtax2).","; $sql.= " ".price2num($this->total_ttc).","; - $sql.= " ".(!empty($this->fk_fournprice)?"'".$this->fk_fournprice."'":"null").","; + $sql.= " ".(!empty($this->fk_fournprice)?"'".$this->db->escape($this->fk_fournprice)."'":"null").","; $sql.= " ".(isset($this->pa_ht)?"'".price2num($this->pa_ht)."'":"null").","; $sql.= ' '.$this->special_code.','; $sql.= ' '.$this->rang.','; @@ -3975,7 +3975,7 @@ class PropaleLigne extends CommonObjectLine $sql.= ", total_localtax1=".price2num($this->total_localtax1).""; $sql.= ", total_localtax2=".price2num($this->total_localtax2).""; } - $sql.= ", fk_product_fournisseur_price=".(! empty($this->fk_fournprice)?"'".$this->fk_fournprice."'":"null"); + $sql.= ", fk_product_fournisseur_price=".(! empty($this->fk_fournprice)?"'".$this->db->escape($this->fk_fournprice)."'":"null"); $sql.= ", buy_price_ht=".price2num($this->pa_ht); if (strlen($this->special_code)) $sql.= ", special_code=".$this->special_code; $sql.= ", fk_parent_line=".($this->fk_parent_line>0?$this->fk_parent_line:"null"); diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php index 03ca41027d6..a13e626fe20 100644 --- a/htdocs/commande/class/commande.class.php +++ b/htdocs/commande/class/commande.class.php @@ -775,11 +775,11 @@ class Commande extends CommonOrder $sql.= ", ".($this->ref_client?"'".$this->db->escape($this->ref_client)."'":"null"); $sql.= ", ".($this->ref_int?"'".$this->db->escape($this->ref_int)."'":"null"); $sql.= ", '".$this->db->escape($this->modelpdf)."'"; - $sql.= ", ".($this->cond_reglement_id>0?"'".$this->cond_reglement_id."'":"null"); - $sql.= ", ".($this->mode_reglement_id>0?"'".$this->mode_reglement_id."'":"null"); + $sql.= ", ".($this->cond_reglement_id>0?$this->cond_reglement_id:"null"); + $sql.= ", ".($this->mode_reglement_id>0?$this->mode_reglement_id:"null"); $sql.= ", ".($this->fk_account>0?$this->fk_account:'NULL'); - $sql.= ", ".($this->availability_id>0?"'".$this->availability_id."'":"null"); - $sql.= ", ".($this->demand_reason_id>0?"'".$this->demand_reason_id."'":"null"); + $sql.= ", ".($this->availability_id>0?$this->availability_id:"null"); + $sql.= ", ".($this->demand_reason_id>0?$this->demand_reason_id:"null"); $sql.= ", ".($this->date_livraison?"'".$this->db->idate($this->date_livraison)."'":"null"); $sql.= ", ".($this->fk_delivery_address>0?$this->fk_delivery_address:'NULL'); $sql.= ", ".($this->shipping_method_id>0?$this->shipping_method_id:'NULL'); @@ -3995,18 +3995,18 @@ class OrderLine extends CommonOrderLine $sql.= ', fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc'; $sql.= ')'; $sql.= " VALUES (".$this->fk_commande.","; - $sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").","; + $sql.= " ".($this->fk_parent_line>0?"'".$this->db->escape($this->fk_parent_line)."'":"null").","; $sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").","; $sql.= " '".$this->db->escape($this->desc)."',"; $sql.= " '".price2num($this->qty)."',"; - $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").","; + $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").","; $sql.= " '".price2num($this->tva_tx)."',"; $sql.= " '".price2num($this->localtax1_tx)."',"; $sql.= " '".price2num($this->localtax2_tx)."',"; - $sql.= " '".$this->localtax1_type."',"; - $sql.= " '".$this->localtax2_type."',"; + $sql.= " '".$this->db->escape($this->localtax1_type)."',"; + $sql.= " '".$this->db->escape($this->localtax2_type)."',"; $sql.= ' '.(! empty($this->fk_product)?$this->fk_product:"null").','; - $sql.= " '".$this->product_type."',"; + $sql.= " '".$this->db->escape($this->product_type)."',"; $sql.= " '".price2num($this->remise_percent)."',"; $sql.= " ".($this->subprice!=''?"'".price2num($this->subprice)."'":"null").","; $sql.= " ".($this->price!=''?"'".price2num($this->price)."'":"null").","; @@ -4016,7 +4016,7 @@ class OrderLine extends CommonOrderLine $sql.= ' '.$this->rang.','; $sql.= ' '.(! empty($this->fk_fournprice)?$this->fk_fournprice:"null").','; $sql.= ' '.price2num($this->pa_ht).','; - $sql.= " '".$this->info_bits."',"; + $sql.= " '".$this->db->escape($this->info_bits)."',"; $sql.= " '".price2num($this->total_ht)."',"; $sql.= " '".price2num($this->total_tva)."',"; $sql.= " '".price2num($this->total_localtax1)."',"; diff --git a/htdocs/compta/bank/class/account.class.php b/htdocs/compta/bank/class/account.class.php index 47c3e5122ff..a25447da224 100644 --- a/htdocs/compta/bank/class/account.class.php +++ b/htdocs/compta/bank/class/account.class.php @@ -573,21 +573,21 @@ class Account extends CommonObject $sql.= ", '".$this->db->escape($this->account_number)."'"; $sql.= ", ".($this->fk_accountancy_journal > 0 ? $this->db->escape($this->fk_accountancy_journal) : "null"); $sql.= ", '".$this->db->escape($this->bank)."'"; - $sql.= ", '".$this->code_banque."'"; - $sql.= ", '".$this->code_guichet."'"; - $sql.= ", '".$this->number."'"; - $sql.= ", '".$this->cle_rib."'"; - $sql.= ", '".$this->bic."'"; - $sql.= ", '".$this->iban."'"; + $sql.= ", '".$this->db->escape($this->code_banque)."'"; + $sql.= ", '".$this->db->escape($this->code_guichet)."'"; + $sql.= ", '".$this->db->escape($this->number)."'"; + $sql.= ", '".$this->db->escape($this->cle_rib)."'"; + $sql.= ", '".$this->db->escape($this->bic)."'"; + $sql.= ", '".$this->db->escape($this->iban)."'"; $sql.= ", '".$this->db->escape($this->domiciliation)."'"; $sql.= ", '".$this->db->escape($this->proprio)."'"; $sql.= ", '".$this->db->escape($this->owner_address)."'"; - $sql.= ", '".$this->currency_code."'"; + $sql.= ", '".$this->db->escape($this->currency_code)."'"; $sql.= ", ".$this->rappro; $sql.= ", ".price2num($this->min_allowed); $sql.= ", ".price2num($this->min_desired); $sql.= ", '".$this->db->escape($this->comment)."'"; - $sql.= ", ".($this->state_id>0?"'".$this->state_id."'":"null"); + $sql.= ", ".($this->state_id>0?$this->state_id:"null"); $sql.= ", ".$this->country_id; $sql.= ")"; @@ -702,7 +702,7 @@ class Account extends CommonObject $sql.= ",courant = ".$this->courant; $sql.= ",clos = ".$this->clos; $sql.= ",rappro = ".$this->rappro; - $sql.= ",url = ".($this->url?"'".$this->url."'":"null"); + $sql.= ",url = ".($this->url?"'".$this->db->escape($this->url)."'":"null"); $sql.= ",account_number = '".$this->db->escape($this->account_number)."'"; $sql.= ",fk_accountancy_journal = ".($this->fk_accountancy_journal > 0 ? $this->db->escape($this->fk_accountancy_journal) : "null"); $sql.= ",bank = '".$this->db->escape($this->bank)."'"; @@ -722,7 +722,7 @@ class Account extends CommonObject $sql.= ",min_desired = ".($this->min_desired != '' ? price2num($this->min_desired) : "null"); $sql.= ",comment = '".$this->db->escape($this->comment)."'"; - $sql.= ",state_id = ".($this->state_id>0?"'".$this->state_id."'":"null"); + $sql.= ",state_id = ".($this->state_id>0?$this->state_id:"null"); $sql.= ",fk_pays = ".$this->country_id; $sql.= " WHERE rowid = ".$this->id; @@ -807,7 +807,7 @@ class Account extends CommonObject $sql.= ",domiciliation='".$this->db->escape($this->domiciliation)."'"; $sql.= ",proprio = '".$this->db->escape($this->proprio)."'"; $sql.= ",owner_address = '".$this->db->escape($this->owner_address)."'"; - $sql.= ",state_id = ".($this->state_id>0?"'".$this->state_id."'":"null"); + $sql.= ",state_id = ".($this->state_id>0?$this->state_id:"null"); $sql.= ",fk_pays = ".$this->country_id; $sql.= " WHERE rowid = ".$this->id; $sql.= " AND entity = ".$conf->entity; @@ -1694,9 +1694,9 @@ class AccountLine extends CommonObject $sql .= ", '".$this->db->idate($this->datev)."'"; $sql .= ", '".$this->db->escape($this->label)."'"; $sql .= ", ".price2num($this->amount); - $sql .= ", ".($this->fk_user_author > 0 ? "'".$this->fk_user_author."'":"null"); - $sql .= ", ".($this->num_chq ? "'".$this->num_chq."'" : "null"); - $sql .= ", '".$this->fk_account."'"; + $sql .= ", ".($this->fk_user_author > 0 ? $this->fk_user_author :"null"); + $sql .= ", ".($this->num_chq ? "'".$this->db->escape($this->num_chq)."'" : "null"); + $sql .= ", '".$this->db->escape($this->fk_account)."'"; $sql .= ", '".$this->db->escape($this->fk_type)."'"; $sql .= ", ".($this->emetteur ? "'".$this->db->escape($this->emetteur)."'" : "null"); $sql .= ", ".($this->bank_chq ? "'".$this->db->escape($this->bank_chq)."'" : "null"); diff --git a/htdocs/compta/deplacement/class/deplacement.class.php b/htdocs/compta/deplacement/class/deplacement.class.php index ea8b85c55af..c0a4ef94613 100644 --- a/htdocs/compta/deplacement/class/deplacement.class.php +++ b/htdocs/compta/deplacement/class/deplacement.class.php @@ -107,7 +107,7 @@ class Deplacement extends CommonObject $sql.= ", ".$conf->entity; $sql.= ", ".$user->id; $sql.= ", ".$this->fk_user; - $sql.= ", '".$this->type."'"; + $sql.= ", '".$this->db->escape($this->type)."'"; $sql.= ", ".($this->note_private?"'".$this->db->escape($this->note_private)."'":"null"); $sql.= ", ".($this->note_public?"'".$this->db->escape($this->note_public)."'":"null"); $sql.= ", ".($this->fk_project > 0? $this->fk_project : 0); diff --git a/htdocs/compta/facture/class/facture-rec.class.php b/htdocs/compta/facture/class/facture-rec.class.php index 9319bf6fdec..b12f848323d 100644 --- a/htdocs/compta/facture/class/facture-rec.class.php +++ b/htdocs/compta/facture/class/facture-rec.class.php @@ -141,7 +141,7 @@ class FactureRec extends CommonInvoice $sql.= ", nb_gen_max"; $sql.= ", auto_validate"; $sql.= ") VALUES ("; - $sql.= "'".$this->titre."'"; + $sql.= "'".$this->db->escape($this->titre)."'"; $sql.= ", ".$facsrc->socid; $sql.= ", ".$conf->entity; $sql.= ", '".$this->db->idate($now)."'"; @@ -149,11 +149,11 @@ class FactureRec extends CommonInvoice $sql.= ", ".(!empty($facsrc->remise)?$this->remise:'0'); $sql.= ", ".(!empty($this->note_private)?("'".$this->db->escape($this->note_private)."'"):"NULL"); $sql.= ", ".(!empty($this->note_public)?("'".$this->db->escape($this->note_public)."'"):"NULL"); - $sql.= ", '".$user->id."'"; + $sql.= ", '".$this->db->escape($user->id)."'"; $sql.= ", ".(! empty($facsrc->fk_project)?"'".$facsrc->fk_project."'":"null"); $sql.= ", ".(! empty($facsrc->fk_account)?"'".$facsrc->fk_account."'":"null"); - $sql.= ", '".$facsrc->cond_reglement_id."'"; - $sql.= ", '".$facsrc->mode_reglement_id."'"; + $sql.= ", '".$this->db->escape($facsrc->cond_reglement_id)."'"; + $sql.= ", '".$this->db->escape($facsrc->mode_reglement_id)."'"; $sql.= ", ".$this->usenewprice; $sql.= ", ".$this->frequency; $sql.= ", '".$this->db->escape($this->unit_frequency)."'"; @@ -1504,7 +1504,7 @@ class FactureLigneRec extends CommonInvoiceLine $sql.= ", localtax1_type='".$this->db->escape($this->localtax1_type)."'"; $sql.= ", localtax2_tx=".price2num($this->localtax2_tx); $sql.= ", localtax2_type='".$this->db->escape($this->localtax2_type)."'"; - $sql.= ", fk_product=".(! empty($this->fk_product)?"'".$this->fk_product."'":"null"); + $sql.= ", fk_product=".($this->fk_product > 0 ? $this->fk_product :"null"); $sql.= ", product_type=".$this->product_type; $sql.= ", remise_percent='".price2num($this->remise_percent)."'"; $sql.= ", subprice='".price2num($this->subprice)."'"; diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php index aaf54ec55ce..ef1ca35bde3 100644 --- a/htdocs/compta/facture/class/facture.class.php +++ b/htdocs/compta/facture/class/facture.class.php @@ -4446,16 +4446,16 @@ class FactureLigne extends CommonInvoiceLine $sql.= ' fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc'; $sql.= ')'; $sql.= " VALUES (".$this->fk_facture.","; - $sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").","; + $sql.= " ".($this->fk_parent_line>0 ? $this->fk_parent_line:"null").","; $sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").","; $sql.= " '".$this->db->escape($this->desc)."',"; $sql.= " ".price2num($this->qty).","; - $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").","; + $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").","; $sql.= " ".price2num($this->tva_tx).","; $sql.= " ".price2num($this->localtax1_tx).","; $sql.= " ".price2num($this->localtax2_tx).","; - $sql.= " '".$this->localtax1_type."',"; - $sql.= " '".$this->localtax2_type."',"; + $sql.= " '".$this->db->escape($this->localtax1_type)."',"; + $sql.= " '".$this->db->escape($this->localtax2_type)."',"; $sql.= ' '.(! empty($this->fk_product)?$this->fk_product:"null").','; $sql.= " ".$this->product_type.","; $sql.= " ".price2num($this->remise_percent).","; @@ -4468,7 +4468,7 @@ class FactureLigne extends CommonInvoiceLine $sql.= ' '.$this->special_code.','; $sql.= ' '.(! empty($this->fk_fournprice)?$this->fk_fournprice:"null").','; $sql.= ' '.price2num($this->pa_ht).','; - $sql.= " '".$this->info_bits."',"; + $sql.= " '".$this->db->escape($this->info_bits)."',"; $sql.= " ".price2num($this->total_ht).","; $sql.= " ".price2num($this->total_tva).","; $sql.= " ".price2num($this->total_ttc).","; diff --git a/htdocs/compta/facture/class/paymentterm.class.php b/htdocs/compta/facture/class/paymentterm.class.php index 2899e3fae56..a34705c8476 100644 --- a/htdocs/compta/facture/class/paymentterm.class.php +++ b/htdocs/compta/facture/class/paymentterm.class.php @@ -85,13 +85,11 @@ class PaymentTerm // extends CommonObject if (isset($this->decalage)) $this->decalage=trim($this->decalage); - // Check parameters // Put here code to add control on parameters values // Insert request $sql = "INSERT INTO ".MAIN_DB_PREFIX."c_payment_term("; - $sql.= "rowid,"; $sql.= "code,"; $sql.= "sortorder,"; @@ -101,21 +99,16 @@ class PaymentTerm // extends CommonObject $sql.= "type_cdr,"; $sql.= "nbjour,"; $sql.= "decalage"; - - $sql.= ") VALUES ("; - - $sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->rowid."'").","; + $sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->db->escape($this->rowid)."'").","; $sql.= " ".(! isset($this->code)?'NULL':"'".$this->db->escape($this->code)."'").","; - $sql.= " ".(! isset($this->sortorder)?'NULL':"'".$this->sortorder."'").","; - $sql.= " ".(! isset($this->active)?'NULL':"'".$this->active."'").","; + $sql.= " ".(! isset($this->sortorder)?'NULL':"'".$this->db->escape($this->sortorder)."'").","; + $sql.= " ".(! isset($this->active)?'NULL':"'".$this->db->escape($this->active)."'").","; $sql.= " ".(! isset($this->libelle)?'NULL':"'".$this->db->escape($this->libelle)."'").","; $sql.= " ".(! isset($this->libelle_facture)?'NULL':"'".$this->db->escape($this->libelle_facture)."'").","; - $sql.= " ".(! isset($this->type_cdr)?'NULL':"'".$this->type_cdr."'").","; - $sql.= " ".(! isset($this->nbjour)?'NULL':"'".$this->nbjour."'").","; - $sql.= " ".(! isset($this->decalage)?'NULL':"'".$this->decalage."'").""; - - + $sql.= " ".(! isset($this->type_cdr)?'NULL':"'".$this->db->escape($this->type_cdr)."'").","; + $sql.= " ".(! isset($this->nbjour)?'NULL':"'".$this->db->escape($this->nbjour)."'").","; + $sql.= " ".(! isset($this->decalage)?'NULL':"'".$this->db->escape($this->decalage)."'").""; $sql.= ")"; $this->db->begin(); @@ -285,7 +278,6 @@ class PaymentTerm // extends CommonObject // Update request $sql = "UPDATE ".MAIN_DB_PREFIX."c_payment_term SET"; - $sql.= " code=".(isset($this->code)?"'".$this->db->escape($this->code)."'":"null").","; $sql.= " sortorder=".(isset($this->sortorder)?$this->sortorder:"null").","; $sql.= " active=".(isset($this->active)?$this->active:"null").","; @@ -294,8 +286,6 @@ class PaymentTerm // extends CommonObject $sql.= " type_cdr=".(isset($this->type_cdr)?$this->type_cdr:"null").","; $sql.= " nbjour=".(isset($this->nbjour)?$this->nbjour:"null").","; $sql.= " decalage=".(isset($this->decalage)?$this->decalage:"null").""; - - $sql.= " WHERE rowid=".$this->id; $this->db->begin(); diff --git a/htdocs/compta/localtax/class/localtax.class.php b/htdocs/compta/localtax/class/localtax.class.php index 870c123b468..570942590c2 100644 --- a/htdocs/compta/localtax/class/localtax.class.php +++ b/htdocs/compta/localtax/class/localtax.class.php @@ -87,12 +87,12 @@ class Localtax extends CommonObject $sql.= " '".$this->db->idate($this->tms)."',"; $sql.= " '".$this->db->idate($this->datep)."',"; $sql.= " '".$this->db->idate($this->datev)."',"; - $sql.= " '".$this->amount."',"; - $sql.= " '".$this->label."',"; - $sql.= " '".$this->note."',"; - $sql.= " ".($this->fk_bank <= 0 ? "NULL" : "'".$this->fk_bank."'").","; - $sql.= " '".$this->fk_user_creat."',"; - $sql.= " '".$this->fk_user_modif."'"; + $sql.= " '".$this->db->escape($this->amount)."',"; + $sql.= " '".$this->db->escape($this->label)."',"; + $sql.= " '".$this->db->escape($this->note)."',"; + $sql.= " ".($this->fk_bank <= 0 ? "NULL" : "'".$this->db->escape($this->fk_bank)."'").","; + $sql.= " '".$this->db->escape($this->fk_user_creat)."',"; + $sql.= " '".$this->db->escape($this->fk_user_modif)."'"; $sql.= ")"; dol_syslog(get_class($this)."::create", LOG_DEBUG); diff --git a/htdocs/compta/salaries/class/paymentsalary.class.php b/htdocs/compta/salaries/class/paymentsalary.class.php index ee2832cb08e..7fbbaf43d48 100644 --- a/htdocs/compta/salaries/class/paymentsalary.class.php +++ b/htdocs/compta/salaries/class/paymentsalary.class.php @@ -108,7 +108,7 @@ class PaymentSalary extends CommonObject $sql.= " datesp='".$this->db->idate($this->datesp)."',"; $sql.= " dateep='".$this->db->idate($this->dateep)."',"; $sql.= " note='".$this->db->escape($this->note)."',"; - $sql.= " fk_bank=".($this->fk_bank > 0 ? "'".$this->fk_bank."'":"null").","; + $sql.= " fk_bank=".($this->fk_bank > 0 ? "'".$this->db->escape($this->fk_bank)."'":"null").","; $sql.= " fk_user_author=".$this->fk_user_author.","; $sql.= " fk_user_modif=".$this->fk_user_modif; @@ -344,18 +344,18 @@ class PaymentSalary extends CommonObject $sql.= ", entity"; $sql.= ") "; $sql.= " VALUES ("; - $sql.= "'".$this->fk_user."'"; + $sql.= "'".$this->db->escape($this->fk_user)."'"; $sql.= ", '".$this->db->idate($this->datep)."'"; $sql.= ", '".$this->db->idate($this->datev)."'"; $sql.= ", ".$this->amount; $sql.= ", ".($this->salary > 0 ? $this->salary : "null"); - $sql.= ", '".$this->type_payment."'"; - $sql.= ", '".$this->num_payment."'"; + $sql.= ", '".$this->db->escape($this->type_payment)."'"; + $sql.= ", '".$this->db->escape($this->num_payment)."'"; if ($this->note) $sql.= ", '".$this->db->escape($this->note)."'"; $sql.= ", '".$this->db->escape($this->label)."'"; $sql.= ", '".$this->db->idate($this->datesp)."'"; $sql.= ", '".$this->db->idate($this->dateep)."'"; - $sql.= ", '".$user->id."'"; + $sql.= ", '".$this->db->escape($user->id)."'"; $sql.= ", '".$this->db->idate($now)."'"; $sql.= ", NULL"; $sql.= ", ".$conf->entity; diff --git a/htdocs/compta/sociales/class/chargesociales.class.php b/htdocs/compta/sociales/class/chargesociales.class.php index cf359d691ec..83fe7d8b6b6 100644 --- a/htdocs/compta/sociales/class/chargesociales.class.php +++ b/htdocs/compta/sociales/class/chargesociales.class.php @@ -26,7 +26,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/commonobject.class.php'; -/** +/** * Classe permettant la gestion des paiements des charges * La tva collectee n'est calculee que sur les factures payees. */ @@ -36,7 +36,7 @@ class ChargeSociales extends CommonObject public $table='chargesociales'; public $table_element='chargesociales'; public $picto = 'bill'; - + /** * {@inheritdoc} */ @@ -110,7 +110,7 @@ class ChargeSociales extends CommonObject $this->paye = $obj->paye; $this->periode = $this->db->jdate($obj->periode); $this->import_key = $this->import_key; - + $this->db->free($resql); return 1; @@ -171,8 +171,8 @@ class ChargeSociales extends CommonObject $sql = "INSERT INTO ".MAIN_DB_PREFIX."chargesociales (fk_type, fk_account, fk_mode_reglement, libelle, date_ech, periode, amount, fk_projet, entity, fk_user_author, date_creation)"; $sql.= " VALUES (".$this->type; - $sql.= ", ".($this->fk_account>0?$this->fk_account:'NULL'); - $sql.= ", ".($this->mode_reglement_id>0?"'".$this->mode_reglement_id."'":"NULL"); + $sql.= ", ".($this->fk_account>0 ? $this->fk_account:'NULL'); + $sql.= ", ".($this->mode_reglement_id>0 ? $this->mode_reglement_id:"NULL"); $sql.= ", '".$this->db->escape($this->lib)."'"; $sql.= ", '".$this->db->idate($this->date_ech)."'"; $sql.= ", '".$this->db->idate($this->periode)."'"; @@ -378,7 +378,7 @@ class ChargeSociales extends CommonObject if ($return) return 1; else return -1; } - + /** * Retourne le libelle du statut d'une charge (impaye, payee) * @@ -445,7 +445,7 @@ class ChargeSociales extends CommonObject if ($statut == 0 && $alreadypaid > 0) return $langs->trans("BillStatusStarted").' '.img_picto($langs->trans("BillStatusStarted"), 'statut3'); if ($statut == 1) return $langs->trans("Paid").' '.img_picto($langs->trans("Paid"), 'statut6'); } - + return "Error, mode/status not found"; } diff --git a/htdocs/compta/tva/class/tva.class.php b/htdocs/compta/tva/class/tva.class.php index df1bc8c03cf..5d170faf67e 100644 --- a/htdocs/compta/tva/class/tva.class.php +++ b/htdocs/compta/tva/class/tva.class.php @@ -106,12 +106,12 @@ class Tva extends CommonObject $sql.= " '".$this->db->idate($now)."',"; $sql.= " '".$this->db->idate($this->datep)."',"; $sql.= " '".$this->db->idate($this->datev)."',"; - $sql.= " '".$this->amount."',"; - $sql.= " '".$this->label."',"; - $sql.= " '".$this->note."',"; - $sql.= " ".($this->fk_bank <= 0 ? "NULL" : "'".$this->fk_bank."'").","; - $sql.= " '".$this->fk_user_creat."',"; - $sql.= " '".$this->fk_user_modif."'"; + $sql.= " '".$this->db->escape($this->amount)."',"; + $sql.= " '".$this->db->escape($this->label)."',"; + $sql.= " '".$this->db->escape($this->note)."',"; + $sql.= " ".($this->fk_bank <= 0 ? "NULL" : "'".$this->db->escape($this->fk_bank)."'").","; + $sql.= " '".$this->db->escape($this->fk_user_creat)."',"; + $sql.= " '".$this->db->escape($this->fk_user_modif)."'"; $sql.= ")"; @@ -535,11 +535,11 @@ class Tva extends CommonObject $sql.= "'".$this->db->idate($this->datep)."'"; $sql.= ", '".$this->db->idate($this->datev)."'"; $sql.= ", ".$this->amount; - $sql.= ", '".$this->type_payment."'"; - $sql.= ", '".$this->num_payment."'"; + $sql.= ", '".$this->db->escape($this->type_payment)."'"; + $sql.= ", '".$this->db->escape($this->num_payment)."'"; if ($this->note) $sql.=", '".$this->db->escape($this->note)."'"; if ($this->label) $sql.=", '".$this->db->escape($this->label)."'"; - $sql.= ", '".$user->id."'"; + $sql.= ", '".$this->db->escape($user->id)."'"; $sql.= ", NULL"; $sql.= ", ".$conf->entity; $sql.= ")"; diff --git a/htdocs/contact/class/contact.class.php b/htdocs/contact/class/contact.class.php index 3b7ce848731..2329ae63685 100644 --- a/htdocs/contact/class/contact.class.php +++ b/htdocs/contact/class/contact.class.php @@ -200,7 +200,7 @@ class Contact extends CommonObject $sql.= " ".(! empty($this->canvas)?"'".$this->db->escape($this->canvas)."'":"null").","; $sql.= " ".$conf->entity.","; $sql.= "'".$this->db->escape($this->ref_ext)."',"; - $sql.= " ".(! empty($this->import_key)?"'".$this->import_key."'":"null"); + $sql.= " ".(! empty($this->import_key)?"'".$this->db->escape($this->import_key)."'":"null"); $sql.= ")"; dol_syslog(get_class($this)."::create", LOG_DEBUG); @@ -319,9 +319,9 @@ class Contact extends CommonObject $sql .= ", jabberid = ".(isset($this->jabberid)?"'".$this->db->escape($this->jabberid)."'":"null"); $sql .= ", priv = '".$this->db->escape($this->priv)."'"; $sql .= ", statut = ".$this->statut; - $sql .= ", fk_user_modif=".($user->id > 0 ? "'".$user->id."'":"NULL"); - $sql .= ", default_lang=".($this->default_lang?"'".$this->default_lang."'":"NULL"); - $sql .= ", no_email=".($this->no_email?"'".$this->no_email."'":"0"); + $sql .= ", fk_user_modif=".($user->id > 0 ? "'".$this->db->escape($user->id)."'":"NULL"); + $sql .= ", default_lang=".($this->default_lang?"'".$this->db->escape($this->default_lang)."'":"NULL"); + $sql .= ", no_email=".($this->no_email?"'".$this->db->escape($this->no_email)."'":"0"); $sql .= " WHERE rowid=".$this->db->escape($id); dol_syslog(get_class($this)."::update", LOG_DEBUG); @@ -492,7 +492,7 @@ class Contact extends CommonObject // Mis a jour contact $sql = "UPDATE ".MAIN_DB_PREFIX."socpeople SET"; $sql.= " birthday=".($this->birthday ? "'".$this->db->idate($this->birthday)."'" : "null"); - $sql.= ", photo = ".($this->photo? "'".$this->photo."'" : "null"); + $sql.= ", photo = ".($this->photo? "'".$this->db->escape($this->photo)."'" : "null"); if ($user) $sql .= ", fk_user_modif=".$user->id; $sql.= " WHERE rowid=".$this->db->escape($id); diff --git a/htdocs/contrat/class/contrat.class.php b/htdocs/contrat/class/contrat.class.php index cb9466e26f6..6e9fc443e03 100644 --- a/htdocs/contrat/class/contrat.class.php +++ b/htdocs/contrat/class/contrat.class.php @@ -928,7 +928,7 @@ class Contrat extends CommonObject $sql.= ",".($this->commercial_signature_id>0?$this->commercial_signature_id:"NULL"); $sql.= ",".($this->commercial_suivi_id>0?$this->commercial_suivi_id:"NULL"); $sql.= ",".($this->fk_project>0?$this->fk_project:"NULL"); - $sql.= ", ".(dol_strlen($this->ref)<=0 ? "null" : "'".$this->ref."'"); + $sql.= ", ".(dol_strlen($this->ref)<=0 ? "null" : "'".$this->db->escape($this->ref)."'"); $sql.= ", ".$conf->entity; $sql.= ", ".(!empty($this->note_private)?("'".$this->db->escape($this->note_private)."'"):"NULL"); $sql.= ", ".(!empty($this->note_public)?("'".$this->db->escape($this->note_public)."'"):"NULL"); @@ -2872,7 +2872,7 @@ class ContratLigne extends CommonObjectLine // Update request $sql = "UPDATE ".MAIN_DB_PREFIX."contratdet SET"; $sql.= " fk_contrat=".$this->fk_contrat.","; - $sql.= " fk_product=".($this->fk_product?"'".$this->fk_product."'":'null').","; + $sql.= " fk_product=".($this->fk_product?"'".$this->db->escape($this->fk_product)."'":'null').","; $sql.= " statut=".$this->statut.","; $sql.= " label='".$this->db->escape($this->label)."',"; $sql.= " description='".$this->db->escape($this->description)."',"; @@ -3009,16 +3009,16 @@ class ContratLigne extends CommonObjectLine if ($this->date_fin_validite > 0) { $sql.= ",date_fin_validite"; } $sql.= ") VALUES ($this->fk_contrat, '', '" . $this->db->escape($this->description) . "',"; $sql.= ($this->fk_product>0 ? $this->fk_product : "null").","; - $sql.= " '".$this->qty."',"; - $sql.= " '".$this->vat_src_code."',"; - $sql.= " '".$this->tva_tx."',"; - $sql.= " '".$this->localtax1_tx."',"; - $sql.= " '".$this->localtax2_tx."',"; - $sql.= " '".$this->localtax1_type."',"; - $sql.= " '".$this->localtax2_type."',"; + $sql.= " '".$this->db->escape($this->qty)."',"; + $sql.= " '".$this->db->escape($this->vat_src_code)."',"; + $sql.= " '".$this->db->escape($this->tva_tx)."',"; + $sql.= " '".$this->db->escape($this->localtax1_tx)."',"; + $sql.= " '".$this->db->escape($this->localtax2_tx)."',"; + $sql.= " '".$this->db->escape($this->localtax1_type)."',"; + $sql.= " '".$this->db->escape($this->localtax2_type)."',"; $sql.= " ".price2num($this->remise_percent).",".price2num($this->subprice).","; $sql.= " ".price2num($this->total_ht).",".price2num($this->total_tva).",".price2num($this->total_localtax1).",".price2num($this->total_localtax2).",".price2num($this->total_ttc).","; - $sql.= " '".$this->info_bits."',"; + $sql.= " '".$this->db->escape($this->info_bits)."',"; $sql.= " ".price2num($this->price_ht).",".price2num($this->remise).","; if ($this->fk_fournprice > 0) $sql.= ' '.$this->fk_fournprice.','; else $sql.= ' null,'; diff --git a/htdocs/core/class/ccountry.class.php b/htdocs/core/class/ccountry.class.php index d0e6dfe190a..7964510c91c 100644 --- a/htdocs/core/class/ccountry.class.php +++ b/htdocs/core/class/ccountry.class.php @@ -88,11 +88,11 @@ class Ccountry // extends CommonObject $sql.= "label,"; $sql.= "active"; $sql.= ") VALUES ("; - $sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->rowid."'").","; + $sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->db->escape($this->rowid)."'").","; $sql.= " ".(! isset($this->code)?'NULL':"'".$this->db->escape($this->code)."'").","; $sql.= " ".(! isset($this->code_iso)?'NULL':"'".$this->db->escape($this->code_iso)."'").","; $sql.= " ".(! isset($this->label)?'NULL':"'".$this->db->escape($this->label)."'").","; - $sql.= " ".(! isset($this->active)?'NULL':"'".$this->active."'").""; + $sql.= " ".(! isset($this->active)?'NULL':"'".$this->db->escape($this->active)."'").""; $sql.= ")"; $this->db->begin(); diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php index 1dc910d373f..54a907a3c0f 100644 --- a/htdocs/core/class/commonobject.class.php +++ b/htdocs/core/class/commonobject.class.php @@ -580,8 +580,8 @@ abstract class CommonObject $sql = "SELECT tc.rowid"; $sql.= " FROM ".MAIN_DB_PREFIX."c_type_contact as tc"; $sql.= " WHERE tc.element='".$this->db->escape($this->element)."'"; - $sql.= " AND tc.source='".$source."'"; - $sql.= " AND tc.code='".$type_contact."' AND tc.active=1"; + $sql.= " AND tc.source='".$this->db->escape($source)."'"; + $sql.= " AND tc.code='".$this->db->escape($type_contact)."' AND tc.active=1"; //print $sql; $resql=$this->db->query($sql); if ($resql) @@ -2475,9 +2475,9 @@ abstract class CommonObject $sql.= ", targettype"; $sql.= ") VALUES ("; $sql.= $origin_id; - $sql.= ", '".$origin."'"; + $sql.= ", '".$this->db->escape($origin)."'"; $sql.= ", ".$this->id; - $sql.= ", '".$this->element."'"; + $sql.= ", '".$this->db->escape($this->element)."'"; $sql.= ")"; dol_syslog(get_class($this)."::add_object_linked", LOG_DEBUG); @@ -3812,11 +3812,11 @@ abstract class CommonObject $sql.= ", mandatory"; $sql.= ") VALUES ("; $sql.= $resource_id; - $sql.= ", '".$resource_type."'"; - $sql.= ", '".$this->id."'"; - $sql.= ", '".$this->element."'"; - $sql.= ", '".$busy."'"; - $sql.= ", '".$mandatory."'"; + $sql.= ", '".$this->db->escape($resource_type)."'"; + $sql.= ", '".$this->db->escape($this->id)."'"; + $sql.= ", '".$this->db->escape($this->element)."'"; + $sql.= ", '".$this->db->escape($busy)."'"; + $sql.= ", '".$this->db->escape($mandatory)."'"; $sql.= ")"; dol_syslog(get_class($this)."::add_element_resource", LOG_DEBUG); diff --git a/htdocs/core/class/cstate.class.php b/htdocs/core/class/cstate.class.php index a2a84d3b9ed..ae2adde87d4 100644 --- a/htdocs/core/class/cstate.class.php +++ b/htdocs/core/class/cstate.class.php @@ -85,10 +85,10 @@ class Cstate // extends CommonObject $sql.= "nom,"; $sql.= "active"; $sql.= ") VALUES ("; - $sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->rowid."'").","; + $sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->db->escape($this->rowid)."'").","; $sql.= " ".(! isset($this->code_departement)?'NULL':"'".$this->db->escape($this->code_departement)."'").","; $sql.= " ".(! isset($this->nom)?'NULL':"'".$this->db->escape($this->nom)."'").","; - $sql.= " ".(! isset($this->active)?'NULL':"'".$this->active."'").""; + $sql.= " ".(! isset($this->active)?'NULL':"'".$this->db->escape($this->active)."'").""; $sql.= ")"; $this->db->begin(); diff --git a/htdocs/core/class/ctypent.class.php b/htdocs/core/class/ctypent.class.php index c7894c7c848..b3bb750bd80 100644 --- a/htdocs/core/class/ctypent.class.php +++ b/htdocs/core/class/ctypent.class.php @@ -91,10 +91,10 @@ class Ctypent // extends CommonObject $sql.= ") VALUES ("; - $sql.= " ".(! isset($this->id)?'NULL':"'".$this->id."'").","; + $sql.= " ".(! isset($this->id)?'NULL':"'".$this->db->escape($this->id)."'").","; $sql.= " ".(! isset($this->code)?'NULL':"'".$this->db->escape($this->code)."'").","; $sql.= " ".(! isset($this->libelle)?'NULL':"'".$this->db->escape($this->libelle)."'").","; - $sql.= " ".(! isset($this->active)?'NULL':"'".$this->active."'").","; + $sql.= " ".(! isset($this->active)?'NULL':"'".$this->db->active($this->active)."'").","; $sql.= " ".(! isset($this->module)?'NULL':"'".$this->db->escape($this->module)."'").""; diff --git a/htdocs/core/class/discount.class.php b/htdocs/core/class/discount.class.php index 443534eb1b3..16cb219f718 100644 --- a/htdocs/core/class/discount.class.php +++ b/htdocs/core/class/discount.class.php @@ -158,7 +158,7 @@ class DiscountAbsolute $sql.= ")"; $sql.= " VALUES (".$conf->entity.", '".$this->db->idate($this->datec!=''?$this->datec:dol_now())."', ".$this->fk_soc.", ".$user->id.", '".$this->db->escape($this->description)."',"; $sql.= " ".$this->amount_ht.", ".$this->amount_tva.", ".$this->amount_ttc.", ".$this->tva_tx.","; - $sql.= " ".($this->fk_facture_source?"'".$this->fk_facture_source."'":"null"); + $sql.= " ".($this->fk_facture_source ? "'".$this->db->escape($this->fk_facture_source)."'":"null"); $sql.= ")"; dol_syslog(get_class($this)."::create", LOG_DEBUG); diff --git a/htdocs/core/class/events.class.php b/htdocs/core/class/events.class.php index 68f033870c2..5a88956e5bc 100644 --- a/htdocs/core/class/events.class.php +++ b/htdocs/core/class/events.class.php @@ -126,12 +126,12 @@ class Events // extends CommonObject $sql.= "fk_user,"; $sql.= "description"; $sql.= ") VALUES ("; - $sql.= " '".$this->type."',"; + $sql.= " '".$this->db->escape($this->type)."',"; $sql.= " ".$conf->entity.","; - $sql.= " '".$_SERVER['REMOTE_ADDR']."',"; - $sql.= " ".($_SERVER['HTTP_USER_AGENT']?"'".dol_trunc($_SERVER['HTTP_USER_AGENT'],250)."'":'NULL').","; + $sql.= " '".$this->db->escape($_SERVER['REMOTE_ADDR'])."',"; + $sql.= " ".($_SERVER['HTTP_USER_AGENT']?"'".$this->db->escape(dol_trunc($_SERVER['HTTP_USER_AGENT'],250))."'":'NULL').","; $sql.= " '".$this->db->idate($this->dateevent)."',"; - $sql.= " ".($user->id?"'".$user->id."'":'NULL').","; + $sql.= " ".($user->id?"'".$this->db->escape($user->id)."'":'NULL').","; $sql.= " '".$this->db->escape(dol_trunc($this->description,250))."'"; $sql.= ")"; diff --git a/htdocs/core/class/link.class.php b/htdocs/core/class/link.class.php index f604e85e11d..0441c04a86e 100644 --- a/htdocs/core/class/link.class.php +++ b/htdocs/core/class/link.class.php @@ -89,7 +89,7 @@ class Link extends CommonObject $sql .= " VALUES ('".$conf->entity."', '".$this->db->idate($this->datea)."'"; $sql .= ", '" . $this->db->escape($this->url) . "'"; $sql .= ", '" . $this->db->escape($this->label) . "'"; - $sql .= ", '" . $this->objecttype . "'"; + $sql .= ", '" . $this->db->escape($this->objecttype) . "'"; $sql .= ", " . $this->objectid . ")"; dol_syslog(get_class($this)."::create", LOG_DEBUG); @@ -100,7 +100,7 @@ class Link extends CommonObject if ($this->id > 0) { // Call trigger $result=$this->call_trigger('LINK_CREATE',$user); - if ($result < 0) $error++; + if ($result < 0) $error++; // End call triggers } else { $error++; @@ -283,20 +283,20 @@ class Link extends CommonObject public static function count($db, $objecttype, $objectid) { global $conf; - + $sql = "SELECT COUNT(rowid) as nb FROM " . MAIN_DB_PREFIX . "links"; $sql .= " WHERE objecttype = '" . $objecttype . "' AND objectid = " . $objectid; if ($conf->entity != 0) $sql .= " AND entity = " . $conf->entity; - + $resql = $db->query($sql); if ($resql) { $obj = $db->fetch_object($resql); if ($obj) return $obj->nb; - } + } return -1; } - + /** * Loads a link from database * @@ -354,8 +354,8 @@ class Link extends CommonObject // Call trigger $result=$this->call_trigger('LINK_DELETE',$user); - if ($result < 0) return -1; - // End call triggers + if ($result < 0) return -1; + // End call triggers $this->db->begin(); diff --git a/htdocs/core/class/menubase.class.php b/htdocs/core/class/menubase.class.php index 431c5d19eeb..f011119e08e 100644 --- a/htdocs/core/class/menubase.class.php +++ b/htdocs/core/class/menubase.class.php @@ -144,15 +144,15 @@ class Menubase $sql.= "enabled,"; $sql.= "usertype"; $sql.= ") VALUES ("; - $sql.= " '".$this->menu_handler."',"; - $sql.= " '".$conf->entity."',"; - $sql.= " '".$this->module."',"; - $sql.= " '".$this->type."',"; - $sql.= " ".($this->mainmenu?"'".$this->mainmenu."'":"''").","; // Can't be null - $sql.= " ".($this->leftmenu?"'".$this->leftmenu."'":"null").","; - $sql.= " '".$this->fk_menu."',"; - $sql.= " ".($this->fk_mainmenu?"'".$this->fk_mainmenu."'":"null").","; - $sql.= " ".($this->fk_leftmenu?"'".$this->fk_leftmenu."'":"null").","; + $sql.= " '".$this->db->escape($this->menu_handler)."',"; + $sql.= " '".$this->db->escape($conf->entity)."',"; + $sql.= " '".$this->db->escape($this->module)."',"; + $sql.= " '".$this->db->escape($this->type)."',"; + $sql.= " ".($this->mainmenu?"'".$this->db->escape($this->mainmenu)."'":"''").","; // Can't be null + $sql.= " ".($this->leftmenu?"'".$this->db->escape($this->leftmenu)."'":"null").","; + $sql.= " '".$this->db->escape($this->fk_menu)."',"; + $sql.= " ".($this->fk_mainmenu?"'".$this->db->escape($this->fk_mainmenu)."'":"null").","; + $sql.= " ".($this->fk_leftmenu?"'".$this->db->escape($this->fk_leftmenu)."'":"null").","; $sql.= " '".(int) $this->position."',"; $sql.= " '".$this->db->escape($this->url)."',"; $sql.= " '".$this->db->escape($this->target)."',"; @@ -160,7 +160,7 @@ class Menubase $sql.= " '".$this->db->escape($this->langs)."',"; $sql.= " '".$this->db->escape($this->perms)."',"; $sql.= " '".$this->db->escape($this->enabled)."',"; - $sql.= " '".$this->user."'"; + $sql.= " '".$this->db->escape($this->user)."'"; $sql.= ")"; dol_syslog(get_class($this)."::create", LOG_DEBUG); @@ -220,8 +220,8 @@ class Menubase $sql.= " mainmenu='".$this->db->escape($this->mainmenu)."',"; $sql.= " leftmenu='".$this->db->escape($this->leftmenu)."',"; $sql.= " fk_menu='".$this->db->escape($this->fk_menu)."',"; - $sql.= " fk_mainmenu=".($this->fk_mainmenu?"'".$this->fk_mainmenu."'":"null").","; - $sql.= " fk_leftmenu=".($this->fk_leftmenu?"'".$this->fk_leftmenu."'":"null").","; + $sql.= " fk_mainmenu=".($this->fk_mainmenu?"'".$this->db->escape($this->fk_mainmenu)."'":"null").","; + $sql.= " fk_leftmenu=".($this->fk_leftmenu?"'".$this->db->escape($this->fk_leftmenu)."'":"null").","; $sql.= " position=".($this->position > 0 ? $this->position : 0).","; $sql.= " url='".$this->db->escape($this->url)."',"; $sql.= " target='".$this->db->escape($this->target)."',"; diff --git a/htdocs/core/modules/DolibarrModules.class.php b/htdocs/core/modules/DolibarrModules.class.php index c41a889d10e..bdf8effe23c 100644 --- a/htdocs/core/modules/DolibarrModules.class.php +++ b/htdocs/core/modules/DolibarrModules.class.php @@ -1426,7 +1426,7 @@ class DolibarrModules // Can not be abstract, because we need to insta $err=0; $sql = "DELETE FROM ".MAIN_DB_PREFIX."const"; - $sql.= " WHERE ".$this->db->decrypt('name')." like '".$this->const_name."_TABS_%'"; + $sql.= " WHERE ".$this->db->decrypt('name')." like '".$this->db->escape($this->const_name)."_TABS_%'"; $sql.= " AND entity = ".$conf->entity; dol_syslog(get_class($this)."::delete_tabs", LOG_DEBUG); @@ -2019,7 +2019,7 @@ class DolibarrModules // Can not be abstract, because we need to insta $err=0; $sql = "DELETE FROM ".MAIN_DB_PREFIX."const"; - $sql.= " WHERE ".$this->db->decrypt('name')." LIKE '".$this->const_name."_DIR_%'"; + $sql.= " WHERE ".$this->db->decrypt('name')." LIKE '".$this->db->escape($this->const_name)."_DIR_%'"; $sql.= " AND entity = ".$conf->entity; dol_syslog(get_class($this)."::delete_dirs", LOG_DEBUG); @@ -2128,7 +2128,7 @@ class DolibarrModules // Can not be abstract, because we need to insta if (is_array($value) && isset($value['entity'])) $entity = $value['entity']; $sql = "DELETE FROM ".MAIN_DB_PREFIX."const"; - $sql.= " WHERE ".$this->db->decrypt('name')." LIKE '".$this->const_name."_".strtoupper($key)."'"; + $sql.= " WHERE ".$this->db->decrypt('name')." LIKE '".$this->db->escape($this->const_name)."_".strtoupper($key)."'"; $sql.= " AND entity = ".$entity; dol_syslog(get_class($this)."::delete_const_".$key."", LOG_DEBUG); diff --git a/htdocs/core/modules/cheque/mod_chequereceipt_mint.php b/htdocs/core/modules/cheque/mod_chequereceipt_mint.php index 2656ffa23d5..1c028559ddc 100644 --- a/htdocs/core/modules/cheque/mod_chequereceipt_mint.php +++ b/htdocs/core/modules/cheque/mod_chequereceipt_mint.php @@ -73,7 +73,7 @@ class mod_chequereceipt_mint extends ModeleNumRefChequeReceipts $posindice=9; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."bordereau_cheque"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -107,7 +107,7 @@ class mod_chequereceipt_mint extends ModeleNumRefChequeReceipts $posindice=9; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."bordereau_cheque"; - $sql.= " WHERE ref like '".$this->prefix."____-%'"; + $sql.= " WHERE ref like '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/commande/mod_commande_marbre.php b/htdocs/core/modules/commande/mod_commande_marbre.php index 92c8f55581c..fdea573f584 100644 --- a/htdocs/core/modules/commande/mod_commande_marbre.php +++ b/htdocs/core/modules/commande/mod_commande_marbre.php @@ -73,7 +73,7 @@ class mod_commande_marbre extends ModeleNumRefCommandes $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."commande"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -107,7 +107,7 @@ class mod_commande_marbre extends ModeleNumRefCommandes $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."commande"; - $sql.= " WHERE ref like '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/contract/mod_contract_serpis.php b/htdocs/core/modules/contract/mod_contract_serpis.php index b909b762541..a76d61a04ae 100644 --- a/htdocs/core/modules/contract/mod_contract_serpis.php +++ b/htdocs/core/modules/contract/mod_contract_serpis.php @@ -72,7 +72,7 @@ class mod_contract_serpis extends ModelNumRefContracts $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."contrat"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -105,7 +105,7 @@ class mod_contract_serpis extends ModelNumRefContracts $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."contrat"; - $sql.= " WHERE ref like '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/expedition/mod_expedition_safor.php b/htdocs/core/modules/expedition/mod_expedition_safor.php index 581657c6547..6d2b115d6b3 100644 --- a/htdocs/core/modules/expedition/mod_expedition_safor.php +++ b/htdocs/core/modules/expedition/mod_expedition_safor.php @@ -71,7 +71,7 @@ class mod_expedition_safor extends ModelNumRefExpedition $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."expedition"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -104,7 +104,7 @@ class mod_expedition_safor extends ModelNumRefExpedition $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."expedition"; - $sql.= " WHERE ref like '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/expensereport/mod_expensereport_jade.php b/htdocs/core/modules/expensereport/mod_expensereport_jade.php index ae70a60dbf3..e6da5fab7eb 100644 --- a/htdocs/core/modules/expensereport/mod_expensereport_jade.php +++ b/htdocs/core/modules/expensereport/mod_expensereport_jade.php @@ -72,7 +72,7 @@ class mod_expensereport_jade extends ModeleNumRefExpenseReport $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."expensereport"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -105,7 +105,7 @@ class mod_expensereport_jade extends ModeleNumRefExpenseReport $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."expensereport"; - $sql.= " WHERE ref like '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/facture/mod_facture_mars.php b/htdocs/core/modules/facture/mod_facture_mars.php index 15d3ce53fa8..f31d5a7f451 100644 --- a/htdocs/core/modules/facture/mod_facture_mars.php +++ b/htdocs/core/modules/facture/mod_facture_mars.php @@ -37,7 +37,7 @@ class mod_facture_mars extends ModeleNumRefFactures var $prefixcreditnote='AV'; var $error=''; - + /** * Constructor */ @@ -48,7 +48,7 @@ class mod_facture_mars extends ModeleNumRefFactures $this->prefixinvoice = $conf->global->INVOICE_NUMBERING_MARS_FORCE_PREFIX; } } - + /** * Renvoi la description du modele de numerotation * @@ -89,7 +89,7 @@ class mod_facture_mars extends ModeleNumRefFactures $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(facnumber FROM ".$posindice.") AS SIGNED) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."facture"; - $sql.= " WHERE facnumber LIKE '".$this->prefixinvoice."____-%'"; + $sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixinvoice)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -111,7 +111,7 @@ class mod_facture_mars extends ModeleNumRefFactures $posindice=8; $sql = "SELECT MAX(SUBSTRING(facnumber FROM ".$posindice.")) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."facture"; - $sql.= " WHERE facnumber LIKE '".$this->prefixcreditnote."____-%'"; + $sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixcreditnote)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/facture/mod_facture_terre.php b/htdocs/core/modules/facture/mod_facture_terre.php index b2a2f22cd12..cf2ea28f162 100644 --- a/htdocs/core/modules/facture/mod_facture_terre.php +++ b/htdocs/core/modules/facture/mod_facture_terre.php @@ -35,7 +35,7 @@ class mod_facture_terre extends ModeleNumRefFactures var $prefixdeposit='AC'; var $error=''; - + /** * Constructor */ @@ -46,7 +46,7 @@ class mod_facture_terre extends ModeleNumRefFactures $this->prefixinvoice = $conf->global->INVOICE_NUMBERING_TERRE_FORCE_PREFIX; } } - + /** * Renvoi la description du modele de numerotation * @@ -87,7 +87,7 @@ class mod_facture_terre extends ModeleNumRefFactures $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(facnumber FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."facture"; - $sql.= " WHERE facnumber LIKE '".$this->prefixinvoice."____-%'"; + $sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixinvoice)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -109,7 +109,7 @@ class mod_facture_terre extends ModeleNumRefFactures $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(facnumber FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."facture"; - $sql.= " WHERE facnumber LIKE '".$this->prefixcreditnote."____-%'"; + $sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixcreditnote)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -130,7 +130,7 @@ class mod_facture_terre extends ModeleNumRefFactures $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(facnumber FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."facture"; - $sql.= " WHERE facnumber LIKE '".$this->prefixdeposit."____-%'"; + $sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixdeposit)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/fichinter/mod_pacific.php b/htdocs/core/modules/fichinter/mod_pacific.php index 65e5aa979b9..c9f42f12949 100644 --- a/htdocs/core/modules/fichinter/mod_pacific.php +++ b/htdocs/core/modules/fichinter/mod_pacific.php @@ -74,7 +74,7 @@ class mod_pacific extends ModeleNumRefFicheinter $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."fichinter"; - $sql.= " WHERE ref like '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " WHERE entity = ".$conf->entity; $resql=$db->query($sql); @@ -110,7 +110,7 @@ class mod_pacific extends ModeleNumRefFicheinter $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."fichinter"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/livraison/mod_livraison_jade.php b/htdocs/core/modules/livraison/mod_livraison_jade.php index 3480bb6d609..cbb630543c7 100644 --- a/htdocs/core/modules/livraison/mod_livraison_jade.php +++ b/htdocs/core/modules/livraison/mod_livraison_jade.php @@ -80,7 +80,7 @@ class mod_livraison_jade extends ModeleNumRefDeliveryOrder $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."livraison"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -114,7 +114,7 @@ class mod_livraison_jade extends ModeleNumRefDeliveryOrder $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."livraison"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/payment/mod_payment_cicada.php b/htdocs/core/modules/payment/mod_payment_cicada.php index 482261e9fe1..6c75557864b 100644 --- a/htdocs/core/modules/payment/mod_payment_cicada.php +++ b/htdocs/core/modules/payment/mod_payment_cicada.php @@ -73,7 +73,7 @@ class mod_payment_cicada extends ModeleNumRefPayments $posindice=9; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."paiement"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -107,7 +107,7 @@ class mod_payment_cicada extends ModeleNumRefPayments $posindice=9; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."paiement"; - $sql.= " WHERE ref like '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/project/mod_project_simple.php b/htdocs/core/modules/project/mod_project_simple.php index 49e4586d07b..fca1954c48a 100644 --- a/htdocs/core/modules/project/mod_project_simple.php +++ b/htdocs/core/modules/project/mod_project_simple.php @@ -75,7 +75,7 @@ class mod_project_simple extends ModeleNumRefProjects $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."projet"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); if ($resql) @@ -111,7 +111,7 @@ class mod_project_simple extends ModeleNumRefProjects $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."projet"; - $sql.= " WHERE ref like '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/project/task/mod_task_simple.php b/htdocs/core/modules/project/task/mod_task_simple.php index 97203d402d5..fe4087cbd15 100644 --- a/htdocs/core/modules/project/task/mod_task_simple.php +++ b/htdocs/core/modules/project/task/mod_task_simple.php @@ -76,7 +76,7 @@ class mod_task_simple extends ModeleNumRefTask $sql = "SELECT MAX(CAST(SUBSTRING(task.ref FROM " . $posindice . ") AS SIGNED)) as max"; $sql .= " FROM " . MAIN_DB_PREFIX . "projet_task AS task, "; $sql .= MAIN_DB_PREFIX . "projet AS project WHERE task.fk_projet=project.rowid"; - $sql .= " AND task.ref LIKE '" . $this->prefix . "____-%'"; + $sql .= " AND task.ref LIKE '" . $this->db->escape($this->prefix) . "____-%'"; $sql .= " AND project.entity = " . $conf->entity; $resql=$db->query($sql); if ($resql) @@ -112,7 +112,7 @@ class mod_task_simple extends ModeleNumRefTask $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."projet_task"; - $sql.= " WHERE ref like '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $resql=$db->query($sql); if ($resql) diff --git a/htdocs/core/modules/propale/mod_propale_marbre.php b/htdocs/core/modules/propale/mod_propale_marbre.php index 28260de97d8..0e434fb1e38 100644 --- a/htdocs/core/modules/propale/mod_propale_marbre.php +++ b/htdocs/core/modules/propale/mod_propale_marbre.php @@ -75,7 +75,7 @@ class mod_propale_marbre extends ModeleNumRefPropales $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."propal"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -112,7 +112,7 @@ class mod_propale_marbre extends ModeleNumRefPropales $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."propal"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/supplier_invoice/mod_facture_fournisseur_cactus.php b/htdocs/core/modules/supplier_invoice/mod_facture_fournisseur_cactus.php index 6e875af78f2..fafde547659 100644 --- a/htdocs/core/modules/supplier_invoice/mod_facture_fournisseur_cactus.php +++ b/htdocs/core/modules/supplier_invoice/mod_facture_fournisseur_cactus.php @@ -82,7 +82,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."facture_fourn"; - $sql.= " WHERE ref LIKE '".$this->prefixinvoice."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefixinvoice)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); if ($resql) @@ -103,7 +103,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."facture_fourn"; - $sql.= " WHERE ref LIKE '".$this->prefixcreditnote."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefixcreditnote)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -124,7 +124,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."facture_fourn"; - $sql.= " WHERE ref LIKE '".$this->prefixdeposit."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefixdeposit)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -202,7 +202,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices { $date=$object->date; // This is invoice date (not creation date) $yymm = strftime("%y%m",$date); - + if ($max >= (pow(10, 4) - 1)) $num=$max+1; // If counter > 9999, we do not format on 4 chars, we take number as it is else $num = sprintf("%04s",$max+1); diff --git a/htdocs/core/modules/supplier_order/mod_commande_fournisseur_muguet.php b/htdocs/core/modules/supplier_order/mod_commande_fournisseur_muguet.php index 0a017e3bc51..9788ac4c887 100644 --- a/htdocs/core/modules/supplier_order/mod_commande_fournisseur_muguet.php +++ b/htdocs/core/modules/supplier_order/mod_commande_fournisseur_muguet.php @@ -85,7 +85,7 @@ class mod_commande_fournisseur_muguet extends ModeleNumRefSuppliersOrders $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."commande_fournisseur"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); if ($resql) @@ -120,7 +120,7 @@ class mod_commande_fournisseur_muguet extends ModeleNumRefSuppliersOrders $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."commande_fournisseur"; - $sql.= " WHERE ref like '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/supplier_payment/mod_supplier_payment_bronan.php b/htdocs/core/modules/supplier_payment/mod_supplier_payment_bronan.php index c94ef4296c0..b7eee9a3544 100644 --- a/htdocs/core/modules/supplier_payment/mod_supplier_payment_bronan.php +++ b/htdocs/core/modules/supplier_payment/mod_supplier_payment_bronan.php @@ -73,7 +73,7 @@ class mod_supplier_payment_bronan extends ModeleNumRefSupplierPayments $posindice=9; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."paiementfourn"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -107,7 +107,7 @@ class mod_supplier_payment_bronan extends ModeleNumRefSupplierPayments $posindice=10; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."paiementfourn"; - $sql.= " WHERE ref like '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/supplier_proposal/mod_supplier_proposal_marbre.php b/htdocs/core/modules/supplier_proposal/mod_supplier_proposal_marbre.php index 07d027a68dd..26ccb038dda 100644 --- a/htdocs/core/modules/supplier_proposal/mod_supplier_proposal_marbre.php +++ b/htdocs/core/modules/supplier_proposal/mod_supplier_proposal_marbre.php @@ -75,7 +75,7 @@ class mod_supplier_proposal_marbre extends ModeleNumRefSupplierProposal $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."supplier_proposal"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -112,7 +112,7 @@ class mod_supplier_proposal_marbre extends ModeleNumRefSupplierProposal $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."supplier_proposal"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/cron/class/cronjob.class.php b/htdocs/cron/class/cronjob.class.php index 00f8d5d6ae0..5ba542c6945 100644 --- a/htdocs/cron/class/cronjob.class.php +++ b/htdocs/cron/class/cronjob.class.php @@ -201,7 +201,7 @@ class Cronjob extends CommonObject $sql.= " ".(! isset($this->lastresult)?'NULL':"'".$this->db->escape($this->lastresult)."'").","; $sql.= " ".(! isset($this->datelastresult) || dol_strlen($this->datelastresult)==0?'NULL':"'".$this->db->idate($this->datelastresult)."'").","; $sql.= " ".(! isset($this->lastoutput)?'NULL':"'".$this->db->escape($this->lastoutput)."'").","; - $sql.= " ".(! isset($this->unitfrequency)?'NULL':"'".$this->unitfrequency."'").","; + $sql.= " ".(! isset($this->unitfrequency)?'NULL':"'".$this->db->escape($this->unitfrequency)."'").","; $sql.= " ".(! isset($this->frequency)?'0':$this->frequency).","; $sql.= " ".(! isset($this->status)?'0':$this->status).","; $sql.= " ".$user->id.","; diff --git a/htdocs/ecm/class/ecmdirectory.class.php b/htdocs/ecm/class/ecmdirectory.class.php index 5f713bdab91..07c8b0aff00 100644 --- a/htdocs/ecm/class/ecmdirectory.class.php +++ b/htdocs/ecm/class/ecmdirectory.class.php @@ -134,12 +134,12 @@ class EcmDirectory // extends CommonObject $sql.= "fk_user_c"; $sql.= ") VALUES ("; $sql.= " '".$this->db->escape($this->label)."',"; - $sql.= " '".$conf->entity."',"; - $sql.= " '".$this->fk_parent."',"; + $sql.= " '".$this->db->escape($conf->entity)."',"; + $sql.= " '".$this->db->escape($this->fk_parent)."',"; $sql.= " '".$this->db->escape($this->description)."',"; $sql.= " ".$this->cachenbofdoc.","; $sql.= " '".$this->db->idate($this->date_c)."',"; - $sql.= " '".$this->fk_user_c."'"; + $sql.= " '".$this->db->escape($this->fk_user_c)."'"; $sql.= ")"; dol_syslog(get_class($this)."::create", LOG_DEBUG); diff --git a/htdocs/expedition/class/expedition.class.php b/htdocs/expedition/class/expedition.class.php index 9e057106dd8..6c54c2e6615 100644 --- a/htdocs/expedition/class/expedition.class.php +++ b/htdocs/expedition/class/expedition.class.php @@ -1769,7 +1769,7 @@ class Expedition extends CommonObject if ($id=='') { $sql = "INSERT INTO ".MAIN_DB_PREFIX."c_shipment_mode (code, libelle, description, tracking)"; - $sql.=" VALUES ('".$this->update['code']."','".$this->update['libelle']."','".$this->update['description']."','".$this->update['tracking']."')"; + $sql.=" VALUES ('".$this->db->escape($this->update['code'])."','".$this->db->escape($this->update['libelle'])."','".$this->db->escape($this->update['description'])."','".$this->db->escape($this->update['tracking'])."')"; $resql = $this->db->query($sql); } else diff --git a/htdocs/fourn/class/fournisseur.commande.class.php b/htdocs/fourn/class/fournisseur.commande.class.php index 0c2c7044e5d..b2353a3bf97 100644 --- a/htdocs/fourn/class/fournisseur.commande.class.php +++ b/htdocs/fourn/class/fournisseur.commande.class.php @@ -1414,7 +1414,7 @@ class CommandeFournisseur extends CommonOrder if ($remise_percent == 0 && $prod->remise_percent !=0) $remise_percent =$prod->remise_percent; - + } if ($result == 0) // If result == 0, we failed to found the supplier reference price { @@ -2678,14 +2678,14 @@ class CommandeFournisseur extends CommonOrder if ($db->num_rows($query)) { $obj = $db->fetch_object($query); - + $string = $langs->trans($obj->code); if ($string == $obj->code) { $string = $obj->label != '-' ? $obj->label : ''; } return $string; - } + } } else dol_print_error($db); } @@ -3129,15 +3129,15 @@ class CommandeFournisseurLigne extends CommonOrderLine $sql.= " ".($this->date_end?"'".$this->db->idate($this->date_end)."'":"null").","; if ($this->fk_product) { $sql.= $this->fk_product.","; } else { $sql.= "null,"; } - $sql.= "'".$this->product_type."',"; - $sql.= "'".$this->qty."', "; + $sql.= "'".$this->db->escape($this->product_type)."',"; + $sql.= "'".$this->db->escape($this->qty)."', "; - $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").","; + $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").","; $sql.= " ".$this->tva_tx.", "; $sql.= " ".$this->localtax1_tx.","; $sql.= " ".$this->localtax2_tx.","; - $sql.= " '".$this->localtax1_type."',"; - $sql.= " '".$this->localtax2_type."',"; + $sql.= " '".$this->db->escape($this->localtax1_type)."',"; + $sql.= " '".$this->db->escape($this->localtax2_type)."',"; $sql.= " ".$this->remise_percent.", ".price2num($this->subprice,'MU').", '".$this->db->escape($this->ref_supplier)."',"; $sql.= " ".price2num($this->total_ht).","; $sql.= " ".price2num($this->total_tva).","; diff --git a/htdocs/fourn/class/fournisseur.commande.dispatch.class.php b/htdocs/fourn/class/fournisseur.commande.dispatch.class.php index 7fd56f81aac..a72e225b535 100644 --- a/htdocs/fourn/class/fournisseur.commande.dispatch.class.php +++ b/htdocs/fourn/class/fournisseur.commande.dispatch.class.php @@ -105,14 +105,11 @@ class CommandeFournisseurDispatch extends CommonObject if (isset($this->status)) $this->status=trim($this->status); if (isset($this->batch)) $this->batch=trim($this->batch); - - // Check parameters // Put here code to add control on parameters values // Insert request $sql = "INSERT INTO ".MAIN_DB_PREFIX.$this->table_element."("; - $sql.= "fk_commande,"; $sql.= "fk_product,"; $sql.= "fk_commandefourndet,"; @@ -125,24 +122,19 @@ class CommandeFournisseurDispatch extends CommonObject $sql.= "batch,"; $sql.= "eatby,"; $sql.= "sellby"; - - $sql.= ") VALUES ("; - - $sql.= " ".(! isset($this->fk_commande)?'NULL':"'".$this->fk_commande."'").","; - $sql.= " ".(! isset($this->fk_product)?'NULL':"'".$this->fk_product."'").","; - $sql.= " ".(! isset($this->fk_commandefourndet)?'NULL':"'".$this->fk_commandefourndet."'").","; - $sql.= " ".(! isset($this->qty)?'NULL':"'".$this->qty."'").","; - $sql.= " ".(! isset($this->fk_entrepot)?'NULL':"'".$this->fk_entrepot."'").","; - $sql.= " ".(! isset($this->fk_user)?'NULL':"'".$this->fk_user."'").","; + $sql.= " ".(! isset($this->fk_commande)?'NULL':"'".$this->db->escape($this->fk_commande)."'").","; + $sql.= " ".(! isset($this->fk_product)?'NULL':"'".$this->db->escape($this->fk_product)."'").","; + $sql.= " ".(! isset($this->fk_commandefourndet)?'NULL':"'".$this->db->escape($this->fk_commandefourndet)."'").","; + $sql.= " ".(! isset($this->qty)?'NULL':"'".$this->db->escape($this->qty)."'").","; + $sql.= " ".(! isset($this->fk_entrepot)?'NULL':"'".$this->db->escape($this->fk_entrepot)."'").","; + $sql.= " ".(! isset($this->fk_user)?'NULL':"'".$this->db->escape($this->fk_user)."'").","; $sql.= " ".(! isset($this->datec) || dol_strlen($this->datec)==0?'NULL':"'".$this->db->idate($this->datec)."'").","; $sql.= " ".(! isset($this->comment)?'NULL':"'".$this->db->escape($this->comment)."'").","; - $sql.= " ".(! isset($this->status)?'NULL':"'".$this->status."'").","; + $sql.= " ".(! isset($this->status)?'NULL':"'".$this->db->escape($this->status)."'").","; $sql.= " ".(! isset($this->batch)?'NULL':"'".$this->db->escape($this->batch)."'").","; $sql.= " ".(! isset($this->eatby) || dol_strlen($this->eatby)==0?'NULL':"'".$this->db->idate($this->eatby)."'").","; $sql.= " ".(! isset($this->sellby) || dol_strlen($this->sellby)==0?'NULL':"'".$this->db->idate($this->sellby)."'").""; - - $sql.= ")"; $this->db->begin(); diff --git a/htdocs/fourn/class/fournisseur.facture.class.php b/htdocs/fourn/class/fournisseur.facture.class.php index 339f22f5132..fff684e2cbc 100644 --- a/htdocs/fourn/class/fournisseur.facture.class.php +++ b/htdocs/fourn/class/fournisseur.facture.class.php @@ -2701,17 +2701,17 @@ class SupplierInvoiceLine extends CommonObjectLine $sql.= ', fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc'; $sql.= ')'; $sql.= " VALUES (".$this->fk_facture_fourn.","; - $sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").","; + $sql.= " ".($this->fk_parent_line>0?"'".$this->db->escape($this->fk_parent_line)."'":"null").","; $sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").","; $sql.= " '".$this->db->escape($this->desc)."',"; $sql.= " ".price2num($this->qty).","; - $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").","; + $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").","; $sql.= " ".price2num($this->tva_tx).","; $sql.= " ".price2num($this->localtax1_tx).","; $sql.= " ".price2num($this->localtax2_tx).","; - $sql.= " '".$this->localtax1_type."',"; - $sql.= " '".$this->localtax2_type."',"; + $sql.= " '".$this->db->escape($this->localtax1_type)."',"; + $sql.= " '".$this->db->escape($this->localtax2_type)."',"; $sql.= ' '.(! empty($this->fk_product)?$this->fk_product:"null").','; $sql.= " ".$this->product_type.","; $sql.= " ".price2num($this->remise_percent).","; @@ -2722,7 +2722,7 @@ class SupplierInvoiceLine extends CommonObjectLine $sql.= ' '.(!empty($this->fk_code_ventilation)?$this->fk_code_ventilation:0).','; $sql.= ' '.$this->rang.','; $sql.= ' '.$this->special_code.','; - $sql.= " '".$this->info_bits."',"; + $sql.= " '".$this->db->escape($this->info_bits)."',"; $sql.= " ".price2num($this->total_ht).","; $sql.= " ".price2num($this->total_tva).","; $sql.= " ".price2num($this->total_ttc).","; diff --git a/htdocs/holiday/class/holiday.class.php b/htdocs/holiday/class/holiday.class.php index 4815bee4b00..ad9ead401dd 100644 --- a/htdocs/holiday/class/holiday.class.php +++ b/htdocs/holiday/class/holiday.class.php @@ -143,14 +143,14 @@ class Holiday extends CommonObject $sql.= "fk_user_create,"; $sql.= "entity"; $sql.= ") VALUES ("; - $sql.= "'".$this->fk_user."',"; + $sql.= "'".$this->db->escape($this->fk_user)."',"; $sql.= " '".$this->db->idate($now)."',"; $sql.= " '".$this->db->escape($this->description)."',"; $sql.= " '".$this->db->idate($this->date_debut)."',"; $sql.= " '".$this->db->idate($this->date_fin)."',"; $sql.= " ".$this->halfday.","; $sql.= " '1',"; - $sql.= " '".$this->fk_validator."',"; + $sql.= " '".$this->db->escape($this->fk_validator)."',"; $sql.= " ".$this->fk_type.","; $sql.= " ".$user->id.","; $sql.= " ".$conf->entity; diff --git a/htdocs/imports/class/import.class.php b/htdocs/imports/class/import.class.php index 828e0f53719..2235812bae8 100644 --- a/htdocs/imports/class/import.class.php +++ b/htdocs/imports/class/import.class.php @@ -45,7 +45,7 @@ class Import var $error; var $errors; - + /** * Constructor @@ -242,7 +242,7 @@ class Import $sql = 'INSERT INTO '.MAIN_DB_PREFIX.'import_model ('; $sql.= 'fk_user, label, type, field'; $sql.= ')'; - $sql.= " VALUES (".($user->id > 0 ? $user->id : 0).", '".$this->db->escape($this->model_name)."', '".$this->datatoimport."', '".$this->hexa."')"; + $sql.= " VALUES (".($user->id > 0 ? $user->id : 0).", '".$this->db->escape($this->model_name)."', '".$this->db->escape($this->datatoimport)."', '".$this->db->escape($this->hexa)."')"; dol_syslog(get_class($this)."::create", LOG_DEBUG); $resql=$this->db->query($sql); diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php index 7aecf127fea..d3347557332 100644 --- a/htdocs/product/class/product.class.php +++ b/htdocs/product/class/product.class.php @@ -536,12 +536,12 @@ class Product extends CommonObject $sql.= ", ".$this->type; $sql.= ", ".price2num($price_ht); $sql.= ", ".price2num($price_ttc); - $sql.= ", '".$this->price_base_type."'"; + $sql.= ", '".$this->db->escape($this->price_base_type)."'"; $sql.= ", ".$this->status; $sql.= ", ".$this->status_buy; - $sql.= ", '".$this->accountancy_code_buy."'"; - $sql.= ", '".$this->accountancy_code_sell."'"; - $sql.= ", '".$this->canvas."'"; + $sql.= ", '".$this->db->escape($this->accountancy_code_buy)."'"; + $sql.= ", '".$this->db->escape($this->accountancy_code_sell)."'"; + $sql.= ", '".$this->db->escape($this->canvas)."'"; $sql.= ", ".((! isset($this->finished) || $this->finished < 0 || $this->finished == '') ? 'null' : (int) $this->finished); $sql.= ", ".((empty($this->status_batch) || $this->status_batch < 0)? '0':$this->status_batch); $sql.= ", ".(!$this->fk_unit ? 'NULL' : $this->fk_unit); @@ -853,8 +853,8 @@ class Product extends CommonObject $sql.= ", recuperableonly = " . $this->tva_npr; $sql.= ", localtax1_tx = " . $this->localtax1_tx; $sql.= ", localtax2_tx = " . $this->localtax2_tx; - $sql.= ", localtax1_type = " . ($this->localtax1_type!=''?"'".$this->localtax1_type."'":"'0'"); - $sql.= ", localtax2_type = " . ($this->localtax2_type!=''?"'".$this->localtax2_type."'":"'0'"); + $sql.= ", localtax1_type = " . ($this->localtax1_type!=''?"'".$this->db->escape($this->localtax1_type)."'":"'0'"); + $sql.= ", localtax2_type = " . ($this->localtax2_type!=''?"'".$this->db->escape($this->localtax2_type)."'":"'0'"); $sql.= ", barcode = ". (empty($this->barcode)?"null":"'".$this->db->escape($this->barcode)."'"); $sql.= ", fk_barcode_type = ". (empty($this->barcode_type)?"null":$this->db->escape($this->barcode_type)); @@ -863,19 +863,19 @@ class Product extends CommonObject $sql.= ", tobuy = " . $this->status_buy; $sql.= ", tobatch = " . ((empty($this->status_batch) || $this->status_batch < 0) ? '0' : $this->status_batch); $sql.= ", finished = " . ((! isset($this->finished) || $this->finished < 0) ? "null" : (int) $this->finished); - $sql.= ", weight = " . ($this->weight!='' ? "'".$this->weight."'" : 'null'); - $sql.= ", weight_units = " . ($this->weight_units!='' ? "'".$this->weight_units."'": 'null'); - $sql.= ", length = " . ($this->length!='' ? "'".$this->length."'" : 'null'); - $sql.= ", length_units = " . ($this->length_units!='' ? "'".$this->length_units."'" : 'null'); - $sql.= ", width= " . ($this->width!='' ? "'".$this->width."'" : 'null'); - $sql.= ", width_units = " . ($this->width_units!='' ? "'".$this->width_units."'" : 'null'); - $sql.= ", height = " . ($this->height!='' ? "'".$this->height."'" : 'null'); - $sql.= ", height_units = " . ($this->height_units!='' ? "'".$this->height_units."'" : 'null'); - $sql.= ", surface = " . ($this->surface!='' ? "'".$this->surface."'" : 'null'); - $sql.= ", surface_units = " . ($this->surface_units!='' ? "'".$this->surface_units."'" : 'null'); - $sql.= ", volume = " . ($this->volume!='' ? "'".$this->volume."'" : 'null'); - $sql.= ", volume_units = " . ($this->volume_units!='' ? "'".$this->volume_units."'" : 'null'); - $sql.= ", seuil_stock_alerte = " . ((isset($this->seuil_stock_alerte) && $this->seuil_stock_alerte != '') ? "'".$this->seuil_stock_alerte."'" : "null"); + $sql.= ", weight = " . ($this->weight!='' ? "'".$this->db->escape($this->weight)."'" : 'null'); + $sql.= ", weight_units = " . ($this->weight_units!='' ? "'".$this->db->escape($this->weight_units)."'": 'null'); + $sql.= ", length = " . ($this->length!='' ? "'".$this->db->escape($this->length)."'" : 'null'); + $sql.= ", length_units = " . ($this->length_units!='' ? "'".$this->db->escape($this->length_units)."'" : 'null'); + $sql.= ", width= " . ($this->width!='' ? "'".$this->db->escape($this->width)."'" : 'null'); + $sql.= ", width_units = " . ($this->width_units!='' ? "'".$this->db->escape($this->width_units)."'" : 'null'); + $sql.= ", height = " . ($this->height!='' ? "'".$this->db->escape($this->height)."'" : 'null'); + $sql.= ", height_units = " . ($this->height_units!='' ? "'".$this->db->escape($this->height_units)."'" : 'null'); + $sql.= ", surface = " . ($this->surface!='' ? "'".$this->db->escape($this->surface)."'" : 'null'); + $sql.= ", surface_units = " . ($this->surface_units!='' ? "'".$this->db->escape($this->surface_units)."'" : 'null'); + $sql.= ", volume = " . ($this->volume!='' ? "'".$this->db->escape($this->volume)."'" : 'null'); + $sql.= ", volume_units = " . ($this->volume_units!='' ? "'".$this->db->escape($this->volume_units)."'" : 'null'); + $sql.= ", seuil_stock_alerte = " . ((isset($this->seuil_stock_alerte) && $this->seuil_stock_alerte != '') ? "'".$this->db->escape($this->seuil_stock_alerte)."'" : "null"); $sql.= ", description = '" . $this->db->escape($this->description) ."'"; $sql.= ", url = " . ($this->url?"'".$this->db->escape($this->url)."'":'null'); $sql.= ", customcode = '" . $this->db->escape($this->customcode) ."'"; @@ -1439,8 +1439,8 @@ class Product extends CommonObject // Add new price $sql = "INSERT INTO ".MAIN_DB_PREFIX."product_price(price_level,date_price, fk_product, fk_user_author, price, price_ttc, price_base_type,tosell, tva_tx, default_vat_code, recuperableonly,"; $sql.= " localtax1_tx, localtax2_tx, localtax1_type, localtax2_type, price_min,price_min_ttc,price_by_qty,entity,fk_price_expression) "; - $sql.= " VALUES(".($level?$level:1).", '".$this->db->idate($now)."',".$this->id.",".$user->id.",".$this->price.",".$this->price_ttc.",'".$this->price_base_type."',".$this->status.",".$this->tva_tx.", ".($this->default_vat_code?("'".$this->default_vat_code."'"):"null").",".$this->tva_npr.","; - $sql.= " ".$this->localtax1_tx.", ".$this->localtax2_tx.", '".$this->localtax1_type."', '".$this->localtax2_type."', ".$this->price_min.",".$this->price_min_ttc.",".$this->price_by_qty.",".$conf->entity.",".($this->fk_price_expression > 0?$this->fk_price_expression:'null'); + $sql.= " VALUES(".($level?$level:1).", '".$this->db->idate($now)."',".$this->id.",".$user->id.",".$this->price.",".$this->price_ttc.",'".$this->db->escape($this->price_base_type)."',".$this->status.",".$this->tva_tx.", ".($this->default_vat_code?("'".$this->db->escape($this->default_vat_code)."'"):"null").",".$this->tva_npr.","; + $sql.= " ".$this->localtax1_tx.", ".$this->localtax2_tx.", '".$this->db->escape($this->localtax1_type)."', '".$this->db->escape($this->localtax2_type)."', ".$this->price_min.",".$this->price_min_ttc.",".$this->price_by_qty.",".$conf->entity.",".($this->fk_price_expression > 0?$this->fk_price_expression:'null'); $sql.= ")"; dol_syslog(get_class($this)."::_log_price", LOG_DEBUG); diff --git a/htdocs/product/class/productcustomerprice.class.php b/htdocs/product/class/productcustomerprice.class.php index f8ca6366ddc..3b83ae6b858 100644 --- a/htdocs/product/class/productcustomerprice.class.php +++ b/htdocs/product/class/productcustomerprice.class.php @@ -161,19 +161,19 @@ class Productcustomerprice extends CommonObject $sql .= ") VALUES ("; $sql .= " " . $conf->entity . ","; $sql .= " '" . $this->db->idate(dol_now()) . "',"; - $sql .= " " . (! isset($this->fk_product) ? 'NULL' : "'" . $this->fk_product . "'") . ","; - $sql .= " " . (! isset($this->fk_soc) ? 'NULL' : "'" . $this->fk_soc . "'") . ","; - $sql .= " " . (empty($this->price) ? '0' : "'" . $this->price . "'") . ","; - $sql .= " " . (empty($this->price_ttc) ? '0' : "'" . $this->price_ttc . "'") . ","; - $sql .= " " . (empty($this->price_min) ? '0' : "'" . $this->price_min . "'") . ","; - $sql .= " " . (empty($this->price_min_ttc) ? '0' : "'" . $this->price_min_ttc . "'") . ","; + $sql .= " " . (! isset($this->fk_product) ? 'NULL' : "'" . $this->db->escape($this->fk_product) . "'") . ","; + $sql .= " " . (! isset($this->fk_soc) ? 'NULL' : "'" . $this->db->escape($this->fk_soc) . "'") . ","; + $sql .= " " . (empty($this->price) ? '0' : "'" . $this->db->escape($this->price) . "'") . ","; + $sql .= " " . (empty($this->price_ttc) ? '0' : "'" . $this->db->escape($this->price_ttc) . "'") . ","; + $sql .= " " . (empty($this->price_min) ? '0' : "'" . $this->db->escape($this->price_min) . "'") . ","; + $sql .= " " . (empty($this->price_min_ttc) ? '0' : "'" . $this->db->escape($this->price_min_ttc) . "'") . ","; $sql .= " " . (! isset($this->price_base_type) ? 'NULL' : "'" . $this->db->escape($this->price_base_type) . "'") . ","; $sql .= " ".($this->default_vat_code ? "'".$this->db->escape($this->default_vat_code)."'" : "null").","; $sql .= " " . (! isset($this->tva_tx) ? 'NULL' : (empty($this->tva_tx)?0:$this->tva_tx)) . ","; - $sql .= " " . (! isset($this->recuperableonly) ? 'NULL' : "'" . $this->recuperableonly . "'") . ","; - $sql .= " " . (empty($this->localtax1_type) ? "'0'" : "'" . $this->localtax1_type . "'") . ","; + $sql .= " " . (! isset($this->recuperableonly) ? 'NULL' : "'" . $this->db->escape($this->recuperableonly) . "'") . ","; + $sql .= " " . (empty($this->localtax1_type) ? "'0'" : "'" . $this->db->escape($this->localtax1_type) . "'") . ","; $sql .= " " . (! isset($this->localtax1_tx) ? 'NULL' : (empty($this->localtax1_tx)?0:$this->localtax1_tx)) . ","; - $sql .= " " . (empty($this->localtax2_type) ? "'0'" : "'" . $this->localtax2_type . "'") . ","; + $sql .= " " . (empty($this->localtax2_type) ? "'0'" : "'" . $this->db->escape($this->localtax2_type) . "'") . ","; $sql .= " " . (! isset($this->localtax2_tx) ? 'NULL' : (empty($this->localtax2_tx)?0:$this->localtax2_tx)) . ","; $sql .= " " . $user->id . ","; $sql .= " " . (! isset($this->import_key) ? 'NULL' : "'" . $this->db->escape($this->import_key) . "'") . ""; @@ -660,8 +660,8 @@ class Productcustomerprice extends CommonObject $sql .= " recuperableonly=" . (isset($this->recuperableonly) ? $this->recuperableonly : "null") . ","; $sql .= " localtax1_tx=" . (isset($this->localtax1_tx) ? (empty($this->localtax1_tx)?0:$this->localtax1_tx) : "null") . ","; $sql .= " localtax2_tx=" . (isset($this->localtax2_tx) ? (empty($this->localtax2_tx)?0:$this->localtax2_tx) : "null") . ","; - $sql .= " localtax1_type=" . (! empty($this->localtax1_type) ? "'".$this->localtax1_type."'": "'0'") . ","; - $sql .= " localtax2_type=" . (! empty($this->localtax2_type) ? "'".$this->localtax2_type."'": "'0'") . ","; + $sql .= " localtax1_type=" . (! empty($this->localtax1_type) ? "'".$this->db->escape($this->localtax1_type)."'": "'0'") . ","; + $sql .= " localtax2_type=" . (! empty($this->localtax2_type) ? "'".$this->db->escape($this->localtax2_type)."'": "'0'") . ","; $sql .= " fk_user=" . $user->id . ","; $sql .= " import_key=" . (isset($this->import_key) ? "'" . $this->db->escape($this->import_key) . "'" : "null") . ""; diff --git a/htdocs/product/class/propalmergepdfproduct.class.php b/htdocs/product/class/propalmergepdfproduct.class.php index 865589692fb..87fdd132878 100644 --- a/htdocs/product/class/propalmergepdfproduct.class.php +++ b/htdocs/product/class/propalmergepdfproduct.class.php @@ -33,7 +33,7 @@ class Propalmergepdfproduct extends CommonObject { var $element='propal_merge_pdf_product'; //!< Id that identify managed objects var $table_element='propal_merge_pdf_product'; //!< Name of table without prefix where object is stored - + var $fk_product; var $file_name; var $fk_user_author; @@ -41,10 +41,10 @@ class Propalmergepdfproduct extends CommonObject var $datec=''; var $tms=''; var $lang; - + var $lines=array(); - + /** @@ -72,7 +72,7 @@ class Propalmergepdfproduct extends CommonObject $error=0; // Clean parameters - + if (isset($this->fk_product)) $this->fk_product=trim($this->fk_product); if (isset($this->file_name)) $this->file_name=trim($this->file_name); if (isset($this->fk_user_author)) $this->fk_user_author=trim($this->fk_user_author); @@ -80,14 +80,14 @@ class Propalmergepdfproduct extends CommonObject if (isset($this->lang)) $this->lang=trim($this->lang); if (isset($this->import_key)) $this->import_key=trim($this->import_key); - + // Check parameters // Put here code to add control on parameters values // Insert request $sql = "INSERT INTO ".MAIN_DB_PREFIX."propal_merge_pdf_product("; - + $sql.= "fk_product,"; $sql.= "file_name,"; if ($conf->global->MAIN_MULTILANGS) { @@ -97,10 +97,10 @@ class Propalmergepdfproduct extends CommonObject $sql.= "fk_user_mod,"; $sql.= "datec"; - + $sql.= ") VALUES ("; - - $sql.= " ".(! isset($this->fk_product)?'NULL':"'".$this->fk_product."'").","; + + $sql.= " ".(! isset($this->fk_product)?'NULL':"'".$this->db->escape($this->fk_product)."'").","; $sql.= " ".(! isset($this->file_name)?'NULL':"'".$this->db->escape($this->file_name)."'").","; if ($conf->global->MAIN_MULTILANGS) { $sql.= " ".(! isset($this->lang)?'NULL':"'".$this->db->escape($this->lang)."'").","; @@ -109,7 +109,7 @@ class Propalmergepdfproduct extends CommonObject $sql.= " ".$user->id.","; $sql.= " '".$this->db->idate(dol_now())."'"; - + $sql.= ")"; $this->db->begin(); @@ -164,10 +164,10 @@ class Propalmergepdfproduct extends CommonObject function fetch($id) { global $langs,$conf; - + $sql = "SELECT"; $sql.= " t.rowid,"; - + $sql.= " t.fk_product,"; $sql.= " t.file_name,"; $sql.= " t.lang,"; @@ -177,7 +177,7 @@ class Propalmergepdfproduct extends CommonObject $sql.= " t.tms,"; $sql.= " t.import_key"; - + $sql.= " FROM ".MAIN_DB_PREFIX."propal_merge_pdf_product as t"; $sql.= " WHERE t.rowid = ".$id; @@ -190,7 +190,7 @@ class Propalmergepdfproduct extends CommonObject $obj = $this->db->fetch_object($resql); $this->id = $obj->rowid; - + $this->fk_product = $obj->fk_product; $this->file_name = $obj->file_name; if ($conf->global->MAIN_MULTILANGS) { @@ -202,7 +202,7 @@ class Propalmergepdfproduct extends CommonObject $this->tms = $this->db->jdate($obj->tms); $this->import_key = $obj->import_key; - + } $this->db->free($resql); @@ -215,7 +215,7 @@ class Propalmergepdfproduct extends CommonObject return -1; } } - + /** * Load object in memory from the database * @@ -226,10 +226,10 @@ class Propalmergepdfproduct extends CommonObject function fetch_by_product($product_id, $lang='') { global $langs,$conf; - + $sql = "SELECT"; $sql.= " t.rowid,"; - + $sql.= " t.fk_product,"; $sql.= " t.file_name,"; $sql.= " t.lang,"; @@ -238,14 +238,14 @@ class Propalmergepdfproduct extends CommonObject $sql.= " t.datec,"; $sql.= " t.tms,"; $sql.= " t.import_key"; - - + + $sql.= " FROM ".MAIN_DB_PREFIX."propal_merge_pdf_product as t"; $sql.= " WHERE t.fk_product = ".$product_id; if ($conf->global->MAIN_MULTILANGS && !empty($lang)) { $sql.= " AND t.lang = '".$lang."'"; } - + dol_syslog(get_class($this)."::".__METHOD__, LOG_DEBUG); $resql=$this->db->query($sql); if ($resql) @@ -253,11 +253,11 @@ class Propalmergepdfproduct extends CommonObject if ($this->db->num_rows($resql)) { while($obj = $this->db->fetch_object($resql)) { - + $line = new PropalmergepdfproductLine(); - + $line->id = $obj->rowid; - + $line->fk_product = $obj->fk_product; $line->file_name = $obj->file_name; if ($conf->global->MAIN_MULTILANGS) { @@ -268,21 +268,21 @@ class Propalmergepdfproduct extends CommonObject $line->datec = $this->db->jdate($obj->datec); $line->tms = $this->db->jdate($obj->tms); $line->import_key = $obj->import_key; - - + + if ($conf->global->MAIN_MULTILANGS) { $this->lines[$obj->file_name.'_'.$obj->lang]=$line; }else { $this->lines[$obj->file_name]=$line; } - - + + } - - + + } $this->db->free($resql); - + return 1; } else @@ -307,21 +307,21 @@ class Propalmergepdfproduct extends CommonObject $error=0; // Clean parameters - + if (isset($this->fk_product)) $this->fk_product=trim($this->fk_product); if (isset($this->file_name)) $this->file_name=trim($this->file_name); if (isset($this->fk_user_mod)) $this->fk_user_mod=trim($this->fk_user_mod); if (isset($this->lang)) $this->lang=trim($this->lang); - - + + // Check parameters // Put here code to add a control on parameters values // Update request $sql = "UPDATE ".MAIN_DB_PREFIX."propal_merge_pdf_product SET"; - + $sql.= " fk_product=".(isset($this->fk_product)?$this->fk_product:"null").","; $sql.= " file_name=".(isset($this->file_name)?"'".$this->db->escape($this->file_name)."'":"null").","; if ($conf->global->MAIN_MULTILANGS) { @@ -329,7 +329,7 @@ class Propalmergepdfproduct extends CommonObject } $sql.= " fk_user_mod=".$user->id; - + $sql.= " WHERE rowid=".$this->id; $this->db->begin(); @@ -430,7 +430,7 @@ class Propalmergepdfproduct extends CommonObject return 1; } } - + /** * Delete object in database * @@ -444,16 +444,16 @@ class Propalmergepdfproduct extends CommonObject { global $conf, $langs; $error=0; - + $this->db->begin(); - + if (! $error) { if (! $notrigger) { // Uncomment this and change MYOBJECT to your own tag if you // want this action calls a trigger. - + //// Call triggers //include_once DOL_DOCUMENT_ROOT . '/core/class/interfaces.class.php'; //$interface=new Interfaces($this->db); @@ -462,21 +462,21 @@ class Propalmergepdfproduct extends CommonObject //// End call triggers } } - + if (! $error) { $sql = "DELETE FROM ".MAIN_DB_PREFIX."propal_merge_pdf_product"; $sql.= " WHERE fk_product=".$product_id; - + if ($conf->global->MAIN_MULTILANGS && !empty($lang_id)) { $sql.= " AND lang='".$lang_id."'"; } - + dol_syslog(get_class($this)."::".__METHOD__, LOG_DEBUG); $resql = $this->db->query($sql); if (! $resql) { $error++; $this->errors[]="Error ".$this->db->lasterror(); } } - + // Commit or rollback if ($error) { @@ -494,7 +494,7 @@ class Propalmergepdfproduct extends CommonObject return 1; } } - + /** * Delete object in database * @@ -505,16 +505,16 @@ class Propalmergepdfproduct extends CommonObject { global $conf, $langs; $error=0; - + $this->db->begin(); - + if (! $error) { if (! $notrigger) { // Uncomment this and change MYOBJECT to your own tag if you // want this action calls a trigger. - + //// Call triggers //include_once DOL_DOCUMENT_ROOT . '/core/class/interfaces.class.php'; //$interface=new Interfaces($this->db); @@ -523,17 +523,17 @@ class Propalmergepdfproduct extends CommonObject //// End call triggers } } - + if (! $error) { $sql = "DELETE FROM ".MAIN_DB_PREFIX."propal_merge_pdf_product"; $sql.= " WHERE fk_product=".$this->fk_product." AND file_name='".$this->db->escape($this->file_name)."'"; - + dol_syslog(get_class($this)."::".__METHOD__, LOG_DEBUG); $resql = $this->db->query($sql); if (! $resql) { $error++; $this->errors[]="Error ".$this->db->lasterror(); } } - + // Commit or rollback if ($error) { @@ -617,7 +617,7 @@ class Propalmergepdfproduct extends CommonObject function initAsSpecimen() { $this->id=0; - + $this->fk_product=''; $this->file_name=''; $this->fk_user_author=''; @@ -626,7 +626,7 @@ class Propalmergepdfproduct extends CommonObject $this->tms=''; $this->import_key=''; - + } } @@ -637,7 +637,7 @@ class Propalmergepdfproduct extends CommonObject class PropalmergepdfproductLine { var $id; - + var $fk_product; var $file_name; var $lang; diff --git a/htdocs/projet/class/task.class.php b/htdocs/projet/class/task.class.php index 910583782b9..10a78e017c8 100644 --- a/htdocs/projet/class/task.class.php +++ b/htdocs/projet/class/task.class.php @@ -301,7 +301,7 @@ class Task extends CommonObject // Update request $sql = "UPDATE ".MAIN_DB_PREFIX."projet_task SET"; $sql.= " fk_projet=".(isset($this->fk_project)?$this->fk_project:"null").","; - $sql.= " ref=".(isset($this->ref)?"'".$this->db->escape($this->ref)."'":"'".$this->id."'").","; + $sql.= " ref=".(isset($this->ref)?"'".$this->db->escape($this->ref)."'":"'".$this->db->escape($this->id)."'").","; $sql.= " fk_task_parent=".(isset($this->fk_task_parent)?$this->fk_task_parent:"null").","; $sql.= " label=".(isset($this->label)?"'".$this->db->escape($this->label)."'":"null").","; $sql.= " description=".(isset($this->description)?"'".$this->db->escape($this->description)."'":"null").","; @@ -1251,7 +1251,7 @@ class Task extends CommonObject $newDuration = $this->timespent_duration - $this->timespent_old_duration; $sql = "UPDATE ".MAIN_DB_PREFIX."projet_task"; - $sql.= " SET duration_effective = (SELECT SUM(task_duration) FROM ".MAIN_DB_PREFIX."projet_task_time as ptt where ptt.fk_task = ".$this->id.")"; + $sql.= " SET duration_effective = (SELECT SUM(task_duration) FROM ".MAIN_DB_PREFIX."projet_task_time as ptt where ptt.fk_task = ".$this->db->escape($this->id).")"; $sql.= " WHERE rowid = ".$this->id; dol_syslog(get_class($this)."::updateTimeSpent", LOG_DEBUG); @@ -1303,7 +1303,7 @@ class Task extends CommonObject if (! $error) { $sql = "UPDATE ".MAIN_DB_PREFIX."projet_task"; - $sql.= " SET duration_effective = duration_effective - '".$this->timespent_duration."'"; + $sql.= " SET duration_effective = duration_effective - ".$this->db->escape($this->timespent_duration?$this->timespent_duration:0); $sql.= " WHERE rowid = ".$this->id; dol_syslog(get_class($this)."::delTimeSpent", LOG_DEBUG); @@ -1899,7 +1899,7 @@ class TaskComment extends CommonObject $sql.= ", '".(isset($this->fk_task)?$this->fk_task:"null")."'"; $sql.= ", '".(isset($this->fk_user)?$this->fk_user:"null")."'"; $sql.= ", ".(!empty($this->entity)?$this->entity:'1'); - $sql.= ", ".(!empty($this->import_key)?"'".$this->import_key."'":"null"); + $sql.= ", ".(!empty($this->import_key)?"'".$this->db->escape($this->import_key)."'":"null"); $sql.= ")"; //var_dump($this->db); @@ -2024,7 +2024,7 @@ class TaskComment extends CommonObject $sql.= " fk_task=".(isset($this->fk_task)?$this->fk_task:"null").","; $sql.= " fk_user=".(isset($this->fk_user)?$this->fk_user:"null").","; $sql.= " entity=".(!empty($this->entity)?$this->entity:'1').","; - $sql.= " import_key=".(!empty($this->import_key)?"'".$this->import_key."'":"null"); + $sql.= " import_key=".(!empty($this->import_key)?"'".$this->db->escape($this->import_key)."'":"null"); $sql.= " WHERE rowid=".$this->id; $this->db->begin(); diff --git a/htdocs/resource/class/dolresource.class.php b/htdocs/resource/class/dolresource.class.php index 10485dda4be..6dc093f6142 100644 --- a/htdocs/resource/class/dolresource.class.php +++ b/htdocs/resource/class/dolresource.class.php @@ -33,7 +33,7 @@ class Dolresource extends CommonObject public $element='dolresource'; //!< Id that identify managed objects public $table_element='resource'; //!< Name of table without prefix where object is stored public $picto = 'resource'; - + public $resource_id; public $resource_type; public $element_id; @@ -843,7 +843,7 @@ class Dolresource extends CommonObject // Update request $sql = "UPDATE ".MAIN_DB_PREFIX."element_resources SET"; $sql.= " resource_id=".(isset($this->resource_id)?"'".$this->db->escape($this->resource_id)."'":"null").","; - $sql.= " resource_type=".(isset($this->resource_type)?"'".$this->resource_type."'":"null").","; + $sql.= " resource_type=".(isset($this->resource_type)?"'".$this->db->escape($this->resource_type)."'":"null").","; $sql.= " element_id=".(isset($this->element_id)?$this->element_id:"null").","; $sql.= " element_type=".(isset($this->element_type)?"'".$this->db->escape($this->element_type)."'":"null").","; $sql.= " busy=".(isset($this->busy)?$this->busy:"null").","; @@ -1019,8 +1019,8 @@ class Dolresource extends CommonObject $result.=$link.$this->ref.$linkend; return $result; } - - + + /** * Retourne le libelle du status d'un user (actif, inactif) * @@ -1031,7 +1031,7 @@ class Dolresource extends CommonObject { return $this->LibStatut($this->status,$mode); } - + /** * Return the status * @@ -1042,7 +1042,7 @@ class Dolresource extends CommonObject static function LibStatut($status,$mode=0) { global $langs; - + return ''; - } + } } diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php index d702e4beb14..8fa7081acad 100644 --- a/htdocs/societe/class/societe.class.php +++ b/htdocs/societe/class/societe.class.php @@ -859,13 +859,13 @@ class Societe extends CommonObject $sql .= ",idprof5 = '". $this->db->escape($this->idprof5) ."'"; $sql .= ",idprof6 = '". $this->db->escape($this->idprof6) ."'"; - $sql .= ",tva_assuj = ".($this->tva_assuj!=''?"'".$this->tva_assuj."'":"null"); + $sql .= ",tva_assuj = ".($this->tva_assuj!=''?"'".$this->db->escape($this->tva_assuj)."'":"null"); $sql .= ",tva_intra = '" . $this->db->escape($this->tva_intra) ."'"; $sql .= ",status = " .$this->status; // Local taxes - $sql .= ",localtax1_assuj = ".($this->localtax1_assuj!=''?"'".$this->localtax1_assuj."'":"null"); - $sql .= ",localtax2_assuj = ".($this->localtax2_assuj!=''?"'".$this->localtax2_assuj."'":"null"); + $sql .= ",localtax1_assuj = ".($this->localtax1_assuj!=''?"'".$this->db->escape($this->localtax1_assuj)."'":"null"); + $sql .= ",localtax2_assuj = ".($this->localtax2_assuj!=''?"'".$this->db->escape($this->localtax2_assuj)."'":"null"); if($this->localtax1_assuj==1) { if($this->localtax1_value!='') @@ -1565,7 +1565,7 @@ class Societe extends CommonObject // Positionne remise courante $sql = "UPDATE ".MAIN_DB_PREFIX."societe "; $sql.= " SET remise_client = '".$this->db->escape($remise)."'"; - $sql.= " WHERE rowid = " . $this->id .";"; + $sql.= " WHERE rowid = " . $this->id; $resql=$this->db->query($sql); if (! $resql) { @@ -1698,7 +1698,7 @@ class Societe extends CommonObject else $sql.= " WHERE entity in (0, ".$conf->entity.")"; - $sql.= " AND u.rowid = sc.fk_user AND sc.fk_soc =".$this->id; + $sql.= " AND u.rowid = sc.fk_user AND sc.fk_soc = ".$this->id; $resql = $this->db->query($sql); if ($resql) @@ -1751,7 +1751,7 @@ class Societe extends CommonObject $sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_prices"; $sql .= " (datec, fk_soc, price_level, fk_user_author)"; - $sql .= " VALUES ('".$this->db->idate($now)."',".$this->id.",'".$this->db->escape($price_level)."',".$user->id.")"; + $sql .= " VALUES ('".$this->db->idate($now)."', ".$this->id.", '".$this->db->escape($price_level)."', ".$user->id.")"; if (! $this->db->query($sql)) { @@ -2947,17 +2947,17 @@ class Societe extends CommonObject } /** - * Charge la liste des categories fournisseurs + * Insert link supplier - category * * @param int $categorie_id Id of category * @return int 0 if success, <> 0 if error */ function AddFournisseurInCategory($categorie_id) { - if ($categorie_id > 0) + if ($categorie_id > 0 && $this->id > 0) { $sql = "INSERT INTO ".MAIN_DB_PREFIX."categorie_fournisseur (fk_categorie, fk_soc) "; - $sql.= " VALUES ('".$categorie_id."','".$this->id."');"; + $sql.= " VALUES (".$categorie_id.", ".$this->id.")"; if ($resql=$this->db->query($sql)) return 0; } diff --git a/htdocs/supplier_proposal/class/supplier_proposal.class.php b/htdocs/supplier_proposal/class/supplier_proposal.class.php index c37555efdb7..53c2d4215df 100644 --- a/htdocs/supplier_proposal/class/supplier_proposal.class.php +++ b/htdocs/supplier_proposal/class/supplier_proposal.class.php @@ -2829,27 +2829,27 @@ class SupplierProposalLine extends CommonObjectLine $sql.= ' ref_fourn,'; $sql.= ' fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc, fk_unit)'; $sql.= " VALUES (".$this->fk_supplier_proposal.","; - $sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").","; + $sql.= " ".($this->fk_parent_line>0?"'".$this->db->escape($this->fk_parent_line)."'":"null").","; $sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").","; $sql.= " '".$this->db->escape($this->desc)."',"; - $sql.= " ".($this->fk_product?"'".$this->fk_product."'":"null").","; - $sql.= " '".$this->product_type."',"; - $sql.= " ".($this->fk_remise_except?"'".$this->fk_remise_except."'":"null").","; + $sql.= " ".($this->fk_product?"'".$this->db->escape($this->fk_product)."'":"null").","; + $sql.= " '".$this->db->escape($this->product_type)."',"; + $sql.= " ".($this->fk_remise_except?"'".$this->db->escape($this->fk_remise_except)."'":"null").","; $sql.= " ".price2num($this->qty).","; $sql.= " ".price2num($this->tva_tx).","; $sql.= " ".price2num($this->localtax1_tx).","; $sql.= " ".price2num($this->localtax2_tx).","; - $sql.= " '".$this->localtax1_type."',"; - $sql.= " '".$this->localtax2_type."',"; + $sql.= " '".$this->db->escape($this->localtax1_type)."',"; + $sql.= " '".$this->db->escape($this->localtax2_type)."',"; $sql.= " ".(!empty($this->subprice)?price2num($this->subprice):"null").","; $sql.= " ".price2num($this->remise_percent).","; - $sql.= " ".(isset($this->info_bits)?"'".$this->info_bits."'":"null").","; + $sql.= " ".(isset($this->info_bits)?"'".$this->db->escape($this->info_bits)."'":"null").","; $sql.= " ".price2num($this->total_ht).","; $sql.= " ".price2num($this->total_tva).","; $sql.= " ".price2num($this->total_localtax1).","; $sql.= " ".price2num($this->total_localtax2).","; $sql.= " ".price2num($this->total_ttc).","; - $sql.= " ".(!empty($this->fk_fournprice)?"'".$this->fk_fournprice."'":"null").","; + $sql.= " ".(!empty($this->fk_fournprice)?"'".$this->db->escape($this->fk_fournprice)."'":"null").","; $sql.= " ".(isset($this->pa_ht)?"'".price2num($this->pa_ht)."'":"null").","; $sql.= ' '.$this->special_code.','; $sql.= ' '.$this->rang.','; @@ -3025,7 +3025,7 @@ class SupplierProposalLine extends CommonObjectLine $sql.= " , total_localtax1=".price2num($this->total_localtax1).""; $sql.= " , total_localtax2=".price2num($this->total_localtax2).""; } - $sql.= " , fk_product_fournisseur_price=".(! empty($this->fk_fournprice)?"'".$this->fk_fournprice."'":"null"); + $sql.= " , fk_product_fournisseur_price=".(! empty($this->fk_fournprice)?"'".$this->db->escape($this->fk_fournprice)."'":"null"); $sql.= " , buy_price_ht=".price2num($this->pa_ht); if (strlen($this->special_code)) $sql.= " , special_code=".$this->special_code; $sql.= " , fk_parent_line=".($this->fk_parent_line>0?$this->fk_parent_line:"null"); diff --git a/htdocs/websites/class/website.class.php b/htdocs/websites/class/website.class.php index 2fd86208934..8a1b30d936d 100644 --- a/htdocs/websites/class/website.class.php +++ b/htdocs/websites/class/website.class.php @@ -140,7 +140,7 @@ class Website extends CommonObject $sql .= ' '.(! isset($this->description)?'NULL':"'".$this->db->escape($this->description)."'").','; $sql .= ' '.(! isset($this->status)?'NULL':$this->status).','; $sql .= ' '.(! isset($this->fk_default_home)?'NULL':$this->fk_default_home).','; - $sql .= ' '.(! isset($this->virtualhost)?'NULL':"'".$this->virtualhost)."',"; + $sql .= ' '.(! isset($this->virtualhost)?'NULL':"'".$this->db->escape($this->virtualhost)."'").","; $sql .= ' '.(! isset($this->fk_user_create)?$user->id:$this->fk_user_create).','; $sql .= ' '.(! isset($this->date_creation) || dol_strlen($this->date_creation)==0?'NULL':"'".$this->db->idate($this->date_creation)."'").","; $sql .= ' '.(! isset($this->date_modification) || dol_strlen($this->date_modification)==0?'NULL':"'".$this->db->idate($this->date_creation)."'"); diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php index 7deb7f9e655..073adc8ef9a 100644 --- a/test/phpunit/CodingPhpTest.php +++ b/test/phpunit/CodingPhpTest.php @@ -177,10 +177,10 @@ class CodingPhpTest extends PHPUnit_Framework_TestCase $ok=true; $matches=array(); // Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request. - preg_match_all('/=\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER); + preg_match_all('/(=|sql.+)\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER); foreach($matches as $key => $val) { - if ($val[1] != 'db->' && $val[1] != 'esca') + if ($val[2] != 'db->' && $val[2] != 'esca') { $ok=false; break; From 3c7c53f321396d37dd3b6233c3398d78d96b3dad Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 15 Sep 2017 15:55:43 +0200 Subject: [PATCH 10/17] Update services.php --- htdocs/contrat/services.php | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/htdocs/contrat/services.php b/htdocs/contrat/services.php index 433f0bae4b2..4a7658e5c9d 100644 --- a/htdocs/contrat/services.php +++ b/htdocs/contrat/services.php @@ -240,20 +240,17 @@ if (! empty($filter_opcloture) && $filter_opcloture != -1 && $filter_datecloture // Add where from extra fields foreach ($search_array_options as $key => $val) { - $crit=$val; - $tmpkey=preg_replace('/search_options_/','',$key); - $typ=$extrafields->attribute_type[$tmpkey]; - $mode_search_extrafields=0; - if (in_array($typ, array('int','double'))) $mode_search_extrafields=1; // Search on a numeric - - if ($val && ( ($crit != '' && in_array($typ, array('sellist'))) || ! empty($crit))) - { - $sql .= ' AND ef.'.$tmpkey.'='.$crit; - } else if ($val && ( ($crit != '' && ! in_array($typ, array('select'))) || ! empty($crit))) { - $sql .= natural_search('ef.'.$tmpkey, $crit, $mode_search_extrafields); - } + $crit=$val; + $tmpkey=preg_replace('/search_options_/','',$key); + $typ=$extrafields->attribute_type[$tmpkey]; + $mode_search_extrafields=0; + if (in_array($typ, array('int','double','real'))) $mode_search_extrafields=1; // Search on a numeric + if (in_array($typ, array('sellist')) && $crit != '0' && $crit != '-1') $mode_search_extrafields=2; // Search on a foreign key int + if ($crit != '' && (! in_array($typ, array('select','sellist')) || $crit != '0')) + { + $sql .= natural_search('ef.'.$tmpkey, $crit, $mode_search_extrafields); + } } - $sql .= $db->order($sortfield,$sortorder); $nbtotalofrecords = ''; From 8dcd864477f193d2ef0f5bd0999ca6a5d3cf6a43 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 15 Sep 2017 15:57:07 +0200 Subject: [PATCH 11/17] Rename var $mode to avoid conflicts --- htdocs/modulebuilder/template/myobject_list.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/htdocs/modulebuilder/template/myobject_list.php b/htdocs/modulebuilder/template/myobject_list.php index 0d30d50df55..a605e765290 100644 --- a/htdocs/modulebuilder/template/myobject_list.php +++ b/htdocs/modulebuilder/template/myobject_list.php @@ -216,8 +216,8 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab $sql.= " WHERE t.entity IN (".getEntity('myobject').")"; foreach($search as $key => $val) { - $mode=(($object->isInt($object->fields[$key]) || $object->isFloat($object->fields[$key]))?1:0); - if ($search[$key] != '') $sql.=natural_search($key, $search[$key], (($key == 'status')?2:$mode)); + $mode_search=(($object->isInt($object->fields[$key]) || $object->isFloat($object->fields[$key]))?1:0); + if ($search[$key] != '') $sql.=natural_search($key, $search[$key], (($key == 'status')?2:$mode_search)); } if ($search_all) $sql.= natural_search(array_keys($fieldstosearchall), $search_all); // Add where from extra fields @@ -226,12 +226,12 @@ foreach ($search_array_options as $key => $val) $crit=$val; $tmpkey=preg_replace('/search_options_/','',$key); $typ=$extrafields->attribute_type[$tmpkey]; - $mode=0; - if (in_array($typ, array('int','double','real'))) $mode=1; // Search on a numeric - if (in_array($typ, array('sellist')) && $crit != '0' && $crit != '-1') $mode=2; // Search on a foreign key int + $mode_search=0; + if (in_array($typ, array('int','double','real'))) $mode_search=1; // Search on a numeric + if (in_array($typ, array('sellist')) && $crit != '0' && $crit != '-1') $mode_search=2; // Search on a foreign key int if ($crit != '' && (! in_array($typ, array('select','sellist')) || $crit != '0')) { - $sql .= natural_search('ef.'.$tmpkey, $crit, $mode); + $sql .= natural_search('ef.'.$tmpkey, $crit, $mode_search); } } // Add where from hooks From 3dbf4cf1767c699e7959c020bcf82bbebf44f63c Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 15 Sep 2017 15:58:02 +0200 Subject: [PATCH 12/17] Update services.php --- htdocs/contrat/services.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/htdocs/contrat/services.php b/htdocs/contrat/services.php index 4a7658e5c9d..e5a5c21c00b 100644 --- a/htdocs/contrat/services.php +++ b/htdocs/contrat/services.php @@ -243,12 +243,12 @@ foreach ($search_array_options as $key => $val) $crit=$val; $tmpkey=preg_replace('/search_options_/','',$key); $typ=$extrafields->attribute_type[$tmpkey]; - $mode_search_extrafields=0; - if (in_array($typ, array('int','double','real'))) $mode_search_extrafields=1; // Search on a numeric - if (in_array($typ, array('sellist')) && $crit != '0' && $crit != '-1') $mode_search_extrafields=2; // Search on a foreign key int + $mode_search=0; + if (in_array($typ, array('int','double','real'))) $mode_search=1; // Search on a numeric + if (in_array($typ, array('sellist')) && $crit != '0' && $crit != '-1') $mode_search=2; // Search on a foreign key int if ($crit != '' && (! in_array($typ, array('select','sellist')) || $crit != '0')) { - $sql .= natural_search('ef.'.$tmpkey, $crit, $mode_search_extrafields); + $sql .= natural_search('ef.'.$tmpkey, $crit, $mode_search); } } $sql .= $db->order($sortfield,$sortorder); From c9df29941855f84f8212198092e983fdd9f1c6c8 Mon Sep 17 00:00:00 2001 From: florian HENRY Date: Fri, 15 Sep 2017 16:06:25 +0200 Subject: [PATCH 13/17] NEW: confirm form style to accept or reject proposal --- htdocs/comm/propal/card.php | 45 ++++++++++++------------------------- 1 file changed, 14 insertions(+), 31 deletions(-) diff --git a/htdocs/comm/propal/card.php b/htdocs/comm/propal/card.php index 7987555e569..a00ec8b8ee1 100644 --- a/htdocs/comm/propal/card.php +++ b/htdocs/comm/propal/card.php @@ -611,7 +611,7 @@ if (empty($reshook)) // prevent browser refresh from closing proposal several times if ($object->statut == Propal::STATUS_VALIDATED) { - $result=$object->cloture($user, GETPOST('statut'), GETPOST('note')); + $result=$object->cloture($user, GETPOST('statut','int'), GETPOST('note_private','san_alpha')); if ($result < 0) { setEventMessages($object->error, $object->errors, 'errors'); @@ -1686,6 +1686,18 @@ if ($action == 'create') $formconfirm = $form->formconfirm($_SERVER["PHP_SELF"] . '?id=' . $object->id, $langs->trans('ClonePropal'), $langs->trans('ConfirmClonePropal', $object->ref), 'confirm_clone', $formquestion, 'yes', 1); } + if ($action == 'statut') + { + //Form to close proposal (signed or not) + $formquestion = array( + array('type' => 'select','name' => 'statut','label' => $langs->trans("CloseAs"),'values' => array(2=>$object->labelstatut [2],3=>$object->labelstatut [3])), + //array('type' => 'other','name' => 'note_private', 'label' => $langs->trans("Note"),'value' => '')); + array('type' => 'text', 'name' => 'note_private', 'label' => $langs->trans("Note"),'value' => $object->note_private)); + + $formconfirm = $form->formconfirm($_SERVER["PHP_SELF"] . '?id=' . $object->id, $langs->trans('SetAcceptedRefused'), '', 'setstatut', $formquestion, '', 1, 250); + + } + // Confirm delete else if ($action == 'delete') { $formconfirm = $form->formconfirm($_SERVER["PHP_SELF"] . '?id=' . $object->id, $langs->trans('DeleteProp'), $langs->trans('ConfirmDeleteProp', $object->ref), 'confirm_delete', '', 0, 1); @@ -2213,35 +2225,6 @@ if ($action == 'create') dol_fiche_end(); - if ($action == 'statut') - { - /* - * Form to close proposal (signed or not) - */ - $form_close = '
'; - $form_close .= ''; - $form_close .= ''; - $form_close .= ''; - $form_close .= ''; - $form_close .= ''; - $form_close .= '
' . $langs->trans("CloseAs") . ''; - $form_close .= ''; - $form_close .= ''; - $form_close .= '
' . $langs->trans('Note') . '
'; - $form_close .= ''; - $form_close .= '   '; - $form_close .= ' '; - $form_close .= '
'; - - print $form_close; - } - /* * Boutons Actions */ @@ -2253,7 +2236,7 @@ if ($action == 'create') // modified by hook if (empty($reshook)) { - if ($action != 'statut' && $action != 'editline') + if ($action != 'editline') { // Validate if ($object->statut == Propal::STATUS_DRAFT && $object->total_ttc >= 0 && count($object->lines) > 0) From a0e5868fd987a9bd120eb726cac0a5b719d5de0c Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 15 Sep 2017 16:41:10 +0200 Subject: [PATCH 14/17] Fix typo --- htdocs/modulebuilder/template/class/myobject.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/modulebuilder/template/class/myobject.class.php b/htdocs/modulebuilder/template/class/myobject.class.php index 3ff2fc41eae..1ad33b502ad 100644 --- a/htdocs/modulebuilder/template/class/myobject.class.php +++ b/htdocs/modulebuilder/template/class/myobject.class.php @@ -339,7 +339,7 @@ class MyObject extends CommonObject * Return the status * * @param int $status Id status - * @param int $mode 0=long label, 1=short label, 2=Picto + short label, 3=Picto, 4=Picto + long label, 5=Short label + Picto, 5=Long label + Picto + * @param int $mode 0=long label, 1=short label, 2=Picto + short label, 3=Picto, 4=Picto + long label, 5=Short label + Picto, 6=Long label + Picto * @return string Label of status */ static function LibStatut($status,$mode=0) From 3ca90df524f7e72e0c4402d77e8df4b6fe54b68c Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Fri, 15 Sep 2017 18:21:50 +0200 Subject: [PATCH 15/17] Fix: translation --- htdocs/core/menus/standard/eldy.lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/core/menus/standard/eldy.lib.php b/htdocs/core/menus/standard/eldy.lib.php index 26047336644..45ac75d5e40 100644 --- a/htdocs/core/menus/standard/eldy.lib.php +++ b/htdocs/core/menus/standard/eldy.lib.php @@ -664,7 +664,7 @@ function print_left_eldy_menu($db,$menu_array_before,$menu_array_after,&$tabMenu } // Contacts - $newmenu->add("/societe/index.php?leftmenu=thirdparties", (! empty($conf->global->SOCIETE_ADDRESSES_MANAGEMENT) ? $langs->trans("ThirdParty") : $langs->trans("ContactsAddresses")), 0, $user->rights->societe->contact->lire, '', $mainmenu, 'contacts'); + $newmenu->add("/societe/index.php?leftmenu=thirdparties", (! empty($conf->global->SOCIETE_ADDRESSES_MANAGEMENT) ? $langs->trans("Contacts") : $langs->trans("ContactsAddresses")), 0, $user->rights->societe->contact->lire, '', $mainmenu, 'contacts'); $newmenu->add("/contact/card.php?leftmenu=contacts&action=create", (! empty($conf->global->SOCIETE_ADDRESSES_MANAGEMENT) ? $langs->trans("NewContact") : $langs->trans("NewContactAddress")), 1, $user->rights->societe->contact->creer); $newmenu->add("/contact/list.php?leftmenu=contacts", $langs->trans("List"), 1, $user->rights->societe->contact->lire); if (empty($conf->global->SOCIETE_DISABLE_PROSPECTS)) $newmenu->add("/contact/list.php?leftmenu=contacts&type=p", $langs->trans("Prospects"), 2, $user->rights->societe->contact->lire); From b63b0933e749852a84a0be194e99d4b68b90e17f Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 15 Sep 2017 18:57:39 +0200 Subject: [PATCH 16/17] Update card.php --- htdocs/comm/propal/card.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/comm/propal/card.php b/htdocs/comm/propal/card.php index a00ec8b8ee1..18add332294 100644 --- a/htdocs/comm/propal/card.php +++ b/htdocs/comm/propal/card.php @@ -611,7 +611,7 @@ if (empty($reshook)) // prevent browser refresh from closing proposal several times if ($object->statut == Propal::STATUS_VALIDATED) { - $result=$object->cloture($user, GETPOST('statut','int'), GETPOST('note_private','san_alpha')); + $result=$object->cloture($user, GETPOST('statut','int'), GETPOST('note_private','alpha')); if ($result < 0) { setEventMessages($object->error, $object->errors, 'errors'); From 55e31796d278f37fa257617bb37fbcc3f3c3510d Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 15 Sep 2017 19:08:39 +0200 Subject: [PATCH 17/17] Code comment --- htdocs/product/composition/card.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/htdocs/product/composition/card.php b/htdocs/product/composition/card.php index 8fe496ca5ee..db288eb9dff 100644 --- a/htdocs/product/composition/card.php +++ b/htdocs/product/composition/card.php @@ -552,7 +552,8 @@ if ($id > 0 || ! empty($ref)) // check if a product is not already a parent product of this one $prod_arbo=new Product($db); $prod_arbo->id=$objp->rowid; - if ($prod_arbo->type==Product::TYPE_ASSEMBLYKIT || $prod_arbo->type== Product::TYPE_STOCKKIT) + // This type is not supported (not required to have virtual products working). + if ($prod_arbo->type == Product::TYPE_ASSEMBLYKIT || $prod_arbo->type == Product::TYPE_STOCKKIT) { $is_pere=0; $prod_arbo->get_sousproduits_arbo();