From 3b4ea76538d7ba9811a351aa020ae7f21a0f4f8f Mon Sep 17 00:00:00 2001 
From: Regis Houssin Date: Thu, 24 Feb 2011 18:11:12 +0000 Subject: [PATCH] Fix: compatibility with pgsql, replace all addslashes by $this->db->escape in class --- htdocs/adherents/class/adherent.class.php | 24 +++++----- .../class/adherent_options.class.php | 4 +- .../adherents/class/adherent_type.class.php | 8 ++-- htdocs/adherents/class/cotisation.class.php | 4 +- htdocs/bookmarks/class/bookmark.class.php | 6 +-- htdocs/categories/class/categorie.class.php | 8 ++-- htdocs/comm/action/class/actioncomm.class.php | 10 ++--- htdocs/comm/mailing/class/mailing.class.php | 6 +-- htdocs/comm/propal/class/propal.class.php | 16 +++---- htdocs/commande/class/commande.class.php | 12 ++--- htdocs/compta/bank/class/account.class.php | 32 +++++++------- htdocs/compta/bank/class/bankcateg.class.php | 4 +- .../deplacement/class/deplacement.class.php | 8 ++-- htdocs/compta/dons/class/don.class.php | 28 ++++++------ .../facture/class/facture-rec.class.php | 4 +- htdocs/compta/facture/class/facture.class.php | 32 +++++++------- .../facture/class/paymentterm.class.php | 12 ++--- .../cheque/class/remisecheque.class.php | 2 +- .../compta/paiement/class/paiement.class.php | 2 +- .../class/bon-prelevement.class.php | 2 +- .../sociales/class/chargesociales.class.php | 4 +- .../class/paymentsocialcontribution.class.php | 6 +-- htdocs/compta/tva/class/tva.class.php | 8 ++-- htdocs/contact/class/contact.class.php | 34 +++++++------- htdocs/contrat/class/contrat.class.php | 14 +++--- htdocs/core/class/commonobject.class.php | 10 ++--- htdocs/core/class/discount.class.php | 2 +- htdocs/core/class/events.class.php | 4 +- htdocs/core/class/menubase.class.php | 20 ++++----- htdocs/core/class/notify.class.php | 2 +- htdocs/ecm/class/ecmdirectory.class.php | 8 ++-- htdocs/expedition/class/expedition.class.php | 12 ++--- htdocs/fichinter/class/fichinter.class.php | 10 ++--- htdocs/fourn/class/fournisseur.class.php | 2 +- .../class/fournisseur.commande.class.php | 12 ++--- 
.../fourn/class/fournisseur.facture.class.php | 20 ++++----- htdocs/fourn/class/paiementfourn.class.php | 2 +- htdocs/imports/class/import.class.php | 2 +- htdocs/livraison/class/livraison.class.php | 6 +-- .../canvas/default/product.default.class.php | 8 ++-- .../canvas/service/product.service.class.php | 10 ++--- htdocs/product/class/product.class.php | 44 +++++++++---------- htdocs/product/stock/class/entrepot.class.php | 12 ++--- .../stock/class/mouvementstock.class.php | 2 +- htdocs/projet/class/project.class.php | 10 ++--- htdocs/projet/class/task.class.php | 8 ++-- htdocs/societe/class/address.class.php | 12 ++--- .../class/companybankaccount.class.php | 8 ++-- htdocs/societe/class/societe.class.php | 38 ++++++++-------- 49 files changed, 277 insertions(+), 277 deletions(-)
diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php
index bff1fe94d4a..9991a5ad397 100644
--- a/htdocs/adherents/class/adherent.class.php
+++ b/htdocs/adherents/class/adherent.class.php
@@ -388,21 +388,21 @@ class Adherent extends CommonObject
 $sql = "UPDATE ".MAIN_DB_PREFIX."adherent SET";
 $sql.= " civilite = ".($this->civilite_id?"'".$this->civilite_id."'":"null");
- $sql.= ", prenom = ".($this->prenom?"'".addslashes($this->prenom)."'":"null");
- $sql.= ", nom=" .($this->nom?"'".addslashes($this->nom)."'":"null");
- $sql.= ", login=" .($this->login?"'".addslashes($this->login)."'":"null");
- $sql.= ", societe=" .($this->societe?"'".addslashes($this->societe)."'":"null");
+ $sql.= ", prenom = ".($this->prenom?"'".$this->db->escape($this->prenom)."'":"null");
+ $sql.= ", nom=" .($this->nom?"'".$this->db->escape($this->nom)."'":"null");
+ $sql.= ", login=" .($this->login?"'".$this->db->escape($this->login)."'":"null");
+ $sql.= ", societe=" .($this->societe?"'".$this->db->escape($this->societe)."'":"null");
 $sql.= ", fk_soc=" .($this->fk_soc > 0?"'".$this->fk_soc."'":"null");
- $sql.= ", adresse=" .($this->adresse?"'".addslashes($this->adresse)."'":"null");
- $sql.= ", cp=" .($this->cp?"'".addslashes($this->cp)."'":"null");
- $sql.= ", ville=" .($this->ville?"'".addslashes($this->ville)."'":"null");
+ $sql.= ", adresse=" .($this->adresse?"'".$this->db->escape($this->adresse)."'":"null");
+ $sql.= ", cp=" .($this->cp?"'".$this->db->escape($this->cp)."'":"null");
+ $sql.= ", ville=" .($this->ville?"'".$this->db->escape($this->ville)."'":"null");
 $sql.= ", pays=" .($this->pays_id>0?"'".$this->pays_id."'":"null");
 $sql.= ", fk_departement=".($this->fk_departement>0?"'".$this->fk_departement."'":"null");
 $sql.= ", email=" ."'".$this->email."'";
- $sql.= ", phone=" .($this->phone?"'".addslashes($this->phone)."'":"null");
- $sql.= ", phone_perso=" .($this->phone_perso?"'".addslashes($this->phone_perso)."'":"null");
- $sql.= ", phone_mobile=" .($this->phone_mobile?"'".addslashes($this->phone_mobile)."'":"null");
- $sql.= ", note=" .($this->note?"'".addslashes($this->note)."'":"null");
+ $sql.= ", phone=" .($this->phone?"'".$this->db->escape($this->phone)."'":"null");
+ $sql.= ", phone_perso=" .($this->phone_perso?"'".$this->db->escape($this->phone_perso)."'":"null");
+ $sql.= ", phone_mobile=" .($this->phone_mobile?"'".$this->db->escape($this->phone_mobile)."'":"null");
+ $sql.= ", note=" .($this->note?"'".$this->db->escape($this->note)."'":"null");
 $sql.= ", photo=" .($this->photo?"'".$this->photo."'":"null");
 $sql.= ", public=" ."'".$this->public."'";
 $sql.= ", statut=" .$this->statut;
@@ -743,7 +743,7 @@ class Adherent extends CommonObject
 }
 // Mise a jour
- $sql = "UPDATE ".MAIN_DB_PREFIX."adherent SET pass = '".addslashes($password_indatabase)."'";
+ $sql = "UPDATE ".MAIN_DB_PREFIX."adherent SET pass = '".$this->db->escape($password_indatabase)."'";
 $sql.= " WHERE rowid = ".$this->id;
 //dol_syslog("Adherent::Password sql=hidden");
diff --git a/htdocs/adherents/class/adherent_options.class.php b/htdocs/adherents/class/adherent_options.class.php
index d34a679f307..5473d27b82f 100644
--- a/htdocs/adherents/class/adherent_options.class.php
+++ b/htdocs/adherents/class/adherent_options.class.php
@@ -135,7 +135,7 @@ class AdherentOptions
 {
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."adherent_options_label(name, label, type, pos, size, entity)";
 $sql.= " VALUES('".$attrname."',";
- $sql.= " '".addslashes($label)."',";
+ $sql.= " '".$this->db->escape($label)."',";
 $sql.= " '".$type."',";
 $sql.= " '".$pos."',";
 $sql.= " '".$size."',";
@@ -292,7 +292,7 @@ class AdherentOptions
 $sql.= ") VALUES (";
 $sql.= "'".$attrname."',";
 $sql.= " ".$conf->entity.",";
- $sql.= " '".addslashes($label)."',";
+ $sql.= " '".$this->db->escape($label)."',";
 $sql.= " '".$type."',";
 $sql.= " '".$size."'";
 $sql.= ")";
diff --git a/htdocs/adherents/class/adherent_type.class.php b/htdocs/adherents/class/adherent_type.class.php
index ab65490a06c..4d633205006 100644
--- a/htdocs/adherents/class/adherent_type.class.php
+++ b/htdocs/adherents/class/adherent_type.class.php
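Review bot: The replacement at adherent 388 escapes the name, address and phone columns but leaves `$sql.= ", email=" ."'".$this->email."'";` two lines below interpolating `$this->email` raw inside quotes, and the same gap recurs in most touched statements: `$attrname`, `$type`, `$pos`, `$size` in adherent_options 135 and 292, `$this->url`, `$this->target`, `$this->favicon`, `$this->position` in bookmark 111 (while bookmark 157 does escape `url`), `email_from`/`email_replyto`/`email_errorsto` in mailing 143, `$url` in account 130, `code_banque` through `iban` in account 496, and `cp`/`email`/`date` in don 321 and 363. A mechanical addslashes-to-escape swap is only as good as its coverage, so every quoted string operand in a statement that is being rewritten should go through `$this->db->escape()`, and unquoted numeric operands such as `$id` in account 548 or `$this->statut` here should be cast with `(int)` before concatenation. The driver's escape() remains a per-dialect quoting routine; parameterised queries would remove the dependency on it entirely. The enclosing methods start and end outside these hunks.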
@@ -89,7 +89,7 @@ class AdherentType extends CommonObject
 $sql.= "libelle";
 $sql.= ", entity";
 $sql.= ") VALUES (";
- $sql.= "'".addslashes($this->libelle)."'";
+ $sql.= "'".$this->db->escape($this->libelle)."'";
 $sql.= ", ".$conf->entity;
 $sql.= ")";
@@ -119,11 +119,11 @@ class AdherentType extends CommonObject
 $sql = "UPDATE ".MAIN_DB_PREFIX."adherent_type ";
 $sql.= "SET ";
 $sql.= "statut = ".$this->statut.",";
- $sql.= "libelle = '".addslashes($this->libelle) ."',";
+ $sql.= "libelle = '".$this->db->escape($this->libelle) ."',";
 $sql.= "cotisation = '".$this->cotisation."',";
- $sql.= "note = '".addslashes($this->note)."',";
+ $sql.= "note = '".$this->db->escape($this->note)."',";
 $sql.= "vote = '".$this->vote."',";
- $sql.= "mail_valid = '".addslashes($this->mail_valid)."'";
+ $sql.= "mail_valid = '".$this->db->escape($this->mail_valid)."'";
 $sql .= " WHERE rowid = $this->id";
diff --git a/htdocs/adherents/class/cotisation.class.php b/htdocs/adherents/class/cotisation.class.php
index dd5c6e11d49..00327a1e822 100644
--- a/htdocs/adherents/class/cotisation.class.php
+++ b/htdocs/adherents/class/cotisation.class.php
@@ -79,7 +79,7 @@ class Cotisation extends CommonObject
 $sql.= " VALUES (".$this->fk_adherent.", ".$this->db->idate(mktime()).",";
 $sql.= " ".$this->db->idate($this->dateh).",";
 $sql.= " ".$this->db->idate($this->datef).",";
- $sql.= " ".$this->amount.",'".addslashes($this->note)."')";
+ $sql.= " ".$this->amount.",'".$this->db->escape($this->note)."')";
 dol_syslog("Cotisation::create sql=".$sql);
 $resql = $this->db->query($sql);
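Review bot: The added line in cotisation 79, `$sql.= " ".$this->amount.",'".$this->db->escape($this->note)."')";`, still concatenates `$this->amount` unnormalised, whereas the update statement in the hunk at 157 writes the same field as `'".price2num($this->amount)."'`; an amount carrying a locale separator would break the INSERT but not the UPDATE. Since the line is being rewritten anyway, make it `$sql.= " ".price2num($this->amount).",'".$this->db->escape($this->note)."')";`. The enclosing create() body continues outside the hunk.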
@@ -157,7 +157,7 @@ class Cotisation extends CommonObject
 $sql = "UPDATE ".MAIN_DB_PREFIX."cotisation SET ";
 $sql .= " fk_adherent = ".$this->fk_adherent.",";
- $sql .= " note=".($this->note ? "'".addslashes($this->note)."'" : 'null').",";
+ $sql .= " note=".($this->note ? "'".$this->db->escape($this->note)."'" : 'null').",";
 $sql .= " cotisation = '".price2num($this->amount)."',";
 $sql .= " dateadh='".$this->db->idate($this->dateh)."',";
 $sql .= " datef='".$this->db->idate($this->datef)."',";
diff --git a/htdocs/bookmarks/class/bookmark.class.php b/htdocs/bookmarks/class/bookmark.class.php
index 29fd0ecd645..183a5c3b83c 100644
--- a/htdocs/bookmarks/class/bookmark.class.php
+++ b/htdocs/bookmarks/class/bookmark.class.php
@@ -111,7 +111,7 @@ class Bookmark
 $sql.= ($this->fk_user > 0?"'".$this->fk_user."'":"0").",";
 $sql.= " ".$this->db->idate(gmmktime()).",";
 $sql.= " '".$this->url."', '".$this->target."',";
- $sql.= " '".addslashes($this->title)."', '".$this->favicon."', '".$this->position."'";
+ $sql.= " '".$this->db->escape($this->title)."', '".$this->favicon."', '".$this->position."'";
 if ($this->fk_soc) $sql.=",".$this->fk_soc;
 $sql.= ")";
@@ -157,9 +157,9 @@ class Bookmark
 $sql = "UPDATE ".MAIN_DB_PREFIX."bookmark";
 $sql.= " SET fk_user = ".($this->fk_user > 0?"'".$this->fk_user."'":"0");
 $sql.= " ,dateb = '".$this->db->idate($this->datec)."'";
- $sql.= " ,url = '".addslashes($this->url)."'";
+ $sql.= " ,url = '".$this->db->escape($this->url)."'";
 $sql.= " ,target = '".$this->target."'";
- $sql.= " ,title = '".addslashes($this->title)."'";
+ $sql.= " ,title = '".$this->db->escape($this->title)."'";
 $sql.= " ,favicon = '".$this->favicon."'";
 $sql.= " ,position = '".$this->position."'";
 $sql.= " WHERE rowid = ".$this->id;
diff --git a/htdocs/categories/class/categorie.class.php b/htdocs/categories/class/categorie.class.php
index 9484e379a0c..18d5b7dfbfd 100644
--- a/htdocs/categories/class/categorie.class.php
+++ b/htdocs/categories/class/categorie.class.php
@@ -142,7 +142,7 @@ class Categorie
 $sql.= "fk_soc,";
 }
 $sql.= "visible, type) ";
- $sql.= "VALUES ('".addslashes($this->label)."', '".addslashes($this->description)."',";
+ $sql.= "VALUES ('".$this->db->escape($this->label)."', '".$this->db->escape($this->description)."',";
 if ($conf->global->CATEGORY_ASSIGNED_TO_A_CUSTOMER)
 {
 $sql.= ($this->socid != -1 ? $this->socid : 'null').",";
@@ -230,10 +230,10 @@ class Categorie
 }
 $sql = "UPDATE ".MAIN_DB_PREFIX."categorie";
- $sql.= " SET label = '".addslashes($this->label)."'";
+ $sql.= " SET label = '".$this->db->escape($this->label)."'";
 if ($this->description)
 {
- $sql .= ", description = '".addslashes($this->description)."'";
+ $sql .= ", description = '".$this->db->escape($this->description)."'";
 }
 if ($conf->global->CATEGORY_ASSIGNED_TO_A_CUSTOMER)
 {
@@ -807,7 +807,7 @@ class Categorie
 {
 $sql = "SELECT count(c.rowid)";
 $sql.= " FROM ".MAIN_DB_PREFIX."categorie as c, ".MAIN_DB_PREFIX."categorie_association as ca";
- $sql.= " WHERE c.label = '".addslashes($this -> label)."' AND type=".$this->type;
+ $sql.= " WHERE c.label = '".$this->db->escape($this -> label)."' AND type=".$this->type;
 dol_syslog("Categorie::already_exists sql=".$sql);
 $res = $this->db->query($sql);
 if ($res)
diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php
index f964c0785dc..b3780d03cf1 100644
--- a/htdocs/comm/action/class/actioncomm.class.php
+++ b/htdocs/comm/action/class/actioncomm.class.php
@@ -188,12 +188,12 @@ class ActionComm extends CommonObject
 $sql.= " '".$this->type_id."',";
 $sql.= ($this->societe->id>0?" '".$this->societe->id."'":"null").",";
 $sql.= ($this->fk_project>0?" '".$this->fk_project."'":"null").",";
- $sql.= " '".addslashes($this->note)."',";
+ $sql.= " '".$this->db->escape($this->note)."',";
 $sql.= ($this->contact->id > 0?"'".$this->contact->id."'":"null").",";
 $sql.= ($user->id > 0 ? "'".$user->id."'":"null").",";
 $sql.= ($this->usertodo->id > 0?"'".$this->usertodo->id."'":"null").",";
 $sql.= ($this->userdone->id > 0?"'".$this->userdone->id."'":"null").",";
- $sql.= "'".addslashes($this->label)."','".$this->percentage."','".$this->priority."','".$this->fulldayevent."','".addslashes($this->location)."','".$this->punctual."',";
+ $sql.= "'".$this->db->escape($this->label)."','".$this->percentage."','".$this->priority."','".$this->fulldayevent."','".$this->db->escape($this->location)."','".$this->punctual."',";
 $sql.= ($this->facid?$this->facid:"null").",";
 $sql.= ($this->propalrowid?$this->propalrowid:"null").",";
 $sql.= ($this->orderrowid?$this->orderrowid:"null").",";
@@ -383,18 +383,18 @@ class ActionComm extends CommonObject
 //print 'eeea'.$this->datep.'-'.(strval($this->datep) != '').'-'.$this->db->idate($this->datep);
 $sql = "UPDATE ".MAIN_DB_PREFIX."actioncomm ";
 $sql.= " SET percent='".$this->percentage."'";
- $sql.= ", label = ".($this->label ? "'".addslashes($this->label)."'":"null");
+ $sql.= ", label = ".($this->label ? "'".$this->db->escape($this->label)."'":"null");
 $sql.= ", datep = ".(strval($this->datep)!='' ? "'".$this->db->idate($this->datep)."'" : 'null');
 $sql.= ", datep2 = ".(strval($this->datef)!='' ? "'".$this->db->idate($this->datef)."'" : 'null');
 //$sql.= ", datea = ".(strval($this->date)!='' ? "'".$this->db->idate($this->date)."'" : 'null');
 //$sql.= ", datea2 = ".(strval($this->dateend)!='' ? "'".$this->db->idate($this->dateend)."'" : 'null');
- $sql.= ", note = ".($this->note ? "'".addslashes($this->note)."'":"null");
+ $sql.= ", note = ".($this->note ? "'".$this->db->escape($this->note)."'":"null");
 $sql.= ", fk_soc =". ($this->societe->id > 0 ? "'".$this->societe->id."'":"null");
 $sql.= ", fk_project =". ($this->fk_project > 0 ? "'".$this->fk_project."'":"null");
 $sql.= ", fk_contact =". ($this->contact->id > 0 ? "'".$this->contact->id."'":"null");
 $sql.= ", priority = '".$this->priority."'";
 $sql.= ", fulldayevent = '".$this->fulldayevent."'";
- $sql.= ", location = ".($this->location ? "'".addslashes($this->location)."'":"null");
+ $sql.= ", location = ".($this->location ? "'".$this->db->escape($this->location)."'":"null");
 $sql.= ", fk_user_mod = '".$user->id."'";
 $sql.= ", fk_user_action=".($this->usertodo->id > 0 ? "'".$this->usertodo->id."'":"null");
 $sql.= ", fk_user_done=".($this->userdone->id > 0 ? "'".$this->userdone->id."'":"null");
diff --git a/htdocs/comm/mailing/class/mailing.class.php b/htdocs/comm/mailing/class/mailing.class.php
index 563de7ed284..9cc4b1f7aff 100644
--- a/htdocs/comm/mailing/class/mailing.class.php
+++ b/htdocs/comm/mailing/class/mailing.class.php
@@ -143,9 +143,9 @@ class Mailing extends CommonObject
 function update($user)
 {
 $sql = "UPDATE ".MAIN_DB_PREFIX."mailing ";
- $sql .= " SET titre = '".addslashes($this->titre)."'";
- $sql .= ", sujet = '".addslashes($this->sujet)."'";
- $sql .= ", body = '".addslashes($this->body)."'";
+ $sql .= " SET titre = '".$this->db->escape($this->titre)."'";
+ $sql .= ", sujet = '".$this->db->escape($this->sujet)."'";
+ $sql .= ", body = '".$this->db->escape($this->body)."'";
 $sql .= ", email_from = '".$this->email_from."'";
 $sql .= ", email_replyto = '".$this->email_replyto."'";
 $sql .= ", email_errorsto = '".$this->email_errorsto."'";
diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php
index 4a02a1ca4ee..1e074de3169 100644
--- a/htdocs/comm/propal/class/propal.class.php
+++ b/htdocs/comm/propal/class/propal.class.php
@@ -484,7 +484,7 @@ class Propal extends CommonObject
 $sql.= " , tva_tx=".price2num($txtva);
 $sql.= " , localtax1_tx=".price2num($txlocaltax1);
 $sql.= " , localtax2_tx=".price2num($txlocaltax2);
- $sql.= " , description='".addslashes($desc)."'";
+ $sql.= " , description='".$this->db->escape($desc)."'";
 $sql.= " , total_ht=".price2num($total_ht);
 $sql.= " , total_tva=".price2num($total_tva);
 $sql.= " , total_localtax1=".price2num($total_localtax1);
@@ -631,13 +631,13 @@ class Propal extends CommonObject
 $sql.= ", '".$this->db->idate($now)."'";
 $sql.= ", '(PROV)'";
 $sql.= ", ".($user->id > 0 ? "'".$user->id."'":"null");
- $sql.= ", '".addslashes($this->note)."'";
- $sql.= ", '".addslashes($this->note_public)."'";
+ $sql.= ", '".$this->db->escape($this->note)."'";
+ $sql.= ", '".$this->db->escape($this->note_public)."'";
 $sql.= ", '".$this->modelpdf."'";
 $sql.= ", '".$this->db->idate($this->fin_validite)."'";
 $sql.= ", ".$this->cond_reglement_id;
 $sql.= ", ".$this->mode_reglement_id;
- $sql.= ", '".addslashes($this->ref_client)."'";
+ $sql.= ", '".$this->db->escape($this->ref_client)."'";
 $sql.= ", ".($this->date_livraison!=''?"'".$this->db->idate($this->date_livraison)."'":'null');
 $sql.= ", ".$conf->entity;
 $sql.= ")";
@@ -1237,7 +1237,7 @@ class Propal extends CommonObject
 {
 dol_syslog('Propale::set_ref_client this->id='.$this->id.', ref_client='.$ref_client);
- $sql = 'UPDATE '.MAIN_DB_PREFIX.'propal SET ref_client = '.(empty($ref_client) ? 'NULL' : '\''.addslashes($ref_client).'\'');
+ $sql = 'UPDATE '.MAIN_DB_PREFIX.'propal SET ref_client = '.(empty($ref_client) ? 'NULL' : '\''.$this->db->escape($ref_client).'\'');
 $sql.= ' WHERE rowid = '.$this->id;
 if ($this->db->query($sql) )
 {
@@ -1340,7 +1340,7 @@ class Propal extends CommonObject
 $this->db->begin();
 $sql = "UPDATE ".MAIN_DB_PREFIX."propal";
- $sql.= " SET fk_statut = ".$statut.", note = '".addslashes($note)."', date_cloture=".$this->db->idate(mktime()).", fk_user_cloture=".$user->id;
+ $sql.= " SET fk_statut = ".$statut.", note = '".$this->db->escape($note)."', date_cloture=".$this->db->idate(mktime()).", fk_user_cloture=".$user->id;
 $sql.= " WHERE rowid = ".$this->id;
 $resql=$this->db->query($sql);
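Review bot: The rewritten line in propal 1237 keeps `empty($ref_client)` to choose between NULL and the escaped value, and `empty()` is true for the string `'0'`, so a customer reference of "0" is silently stored as NULL; commande 1769 and facture 1028 carry the same test on their rewritten lines. A null-or-empty-string check expresses the intent without that hole: `$sql = 'UPDATE '.MAIN_DB_PREFIX.'propal SET ref_client = '.(($ref_client === null || $ref_client === '') ? 'NULL' : '\''.$this->db->escape($ref_client).'\'');`. The enclosing set_ref_client method starts and ends outside the hunk.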
@@ -2315,7 +2315,7 @@ class PropaleLigne
 $sql.= ' info_bits, ';
 $sql.= ' total_ht, total_tva, total_localtax1, total_localtax2, total_ttc, special_code, rang, marge_tx, marque_tx)';
 $sql.= " VALUES (".$this->fk_propal.",";
- $sql.= " '".addslashes($this->desc)."',";
+ $sql.= " '".$this->db->escape($this->desc)."',";
 $sql.= " ".($this->fk_product?"'".$this->fk_product."'":"null").",";
 $sql.= " '".$this->product_type."',";
 $sql.= " ".($this->fk_remise_except?"'".$this->fk_remise_except."'":"null").",";
@@ -2379,7 +2379,7 @@ class PropaleLigne
 // Mise a jour ligne en base
 $sql = "UPDATE ".MAIN_DB_PREFIX."propaldet SET";
- $sql.= " description='".addslashes($this->desc)."'";
+ $sql.= " description='".$this->db->escape($this->desc)."'";
 if ($fk_remise_except) $sql.= ",fk_remise_except=".$this->fk_remise_except;
 else $sql.= ",fk_remise_except=null";
 $sql.= ",tva_tx='".price2num($this->tva_tx)."'";
diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php
index 8efb251b062..6a5b2e8e3cb 100644
--- a/htdocs/commande/class/commande.class.php
+++ b/htdocs/commande/class/commande.class.php
@@ -571,9 +571,9 @@ class Commande extends CommonObject
 $sql.= " VALUES ('(PROV)',".$this->socid.", ".$this->db->idate(gmmktime()).", ".$user->id.", ".$this->fk_project;
 $sql.= ", ".$this->db->idate($this->date_commande);
 $sql.= ", ".($this->source>=0 && $this->source != '' ?$this->source:'null');
- $sql.= ", '".addslashes($this->note)."'";
- $sql.= ", '".addslashes($this->note_public)."'";
- $sql.= ", '".addslashes($this->ref_client)."', '".$this->modelpdf."'";
+ $sql.= ", '".$this->db->escape($this->note)."'";
+ $sql.= ", '".$this->db->escape($this->note_public)."'";
+ $sql.= ", '".$this->db->escape($this->ref_client)."', '".$this->modelpdf."'";
 $sql.= ", ".($this->cond_reglement_id>0?"'".$this->cond_reglement_id."'":"null");
 $sql.= ", ".($this->mode_reglement_id>0?"'".$this->mode_reglement_id."'":"null");
 $sql.= ", ".($this->date_livraison?"'".$this->db->idate($this->date_livraison)."'":"null");
@@ -1769,7 +1769,7 @@ class Commande extends CommonObject
 dol_syslog('Commande::set_ref_client this->id='.$this->id.', ref_client='.$ref_client);
 $sql = 'UPDATE '.MAIN_DB_PREFIX.'commande SET';
- $sql.= ' ref_client = '.(empty($ref_client) ? 'NULL' : '\''.addslashes($ref_client).'\'');
+ $sql.= ' ref_client = '.(empty($ref_client) ? 'NULL' : '\''.$this->db->escape($ref_client).'\'');
 $sql.= ' WHERE rowid = '.$this->id;
 if ($this->db->query($sql) )
@@ -1886,7 +1886,7 @@ class Commande extends CommonObject
 // Mise a jour ligne en base
 $sql = "UPDATE ".MAIN_DB_PREFIX."commandedet SET";
- $sql.= " description='".addslashes($desc)."'";
+ $sql.= " description='".$this->db->escape($desc)."'";
 $sql.= ",price='".price2num($price)."'";
 $sql.= ",subprice='".price2num($subprice)."'";
 $sql.= ",remise='".price2num($remise)."'";
@@ -2620,7 +2620,7 @@ class OrderLine
 $sql.= ' special_code, rang, marge_tx, marque_tx,';
 $sql.= ' info_bits, total_ht, total_tva, total_localtax1, total_localtax2, total_ttc, date_start, date_end)';
 $sql.= " VALUES (".$this->fk_commande.",";
- $sql.= " '".addslashes($this->desc)."',";
+ $sql.= " '".$this->db->escape($this->desc)."',";
 $sql.= " '".price2num($this->qty)."',";
 $sql.= " '".price2num($this->tva_tx)."',";
 $sql.= " '".price2num($this->localtax1_tx)."',";
diff --git a/htdocs/compta/bank/class/account.class.php b/htdocs/compta/bank/class/account.class.php
index 4561ffd8e20..059f0b53ef9 100644
--- a/htdocs/compta/bank/class/account.class.php
+++ b/htdocs/compta/bank/class/account.class.php
@@ -130,7 +130,7 @@ class Account extends CommonObject
 $sql.= "'".$line_id."'";
 $sql.= ", '".$url_id."'";
 $sql.= ", '".$url."'";
- $sql.= ", '".addslashes($label)."'";
+ $sql.= ", '".$this->db->escape($label)."'";
 $sql.= ", '".$type."'";
 $sql.= ")";
@@ -258,14 +258,14 @@ class Account extends CommonObject
 $sql.= "'".$this->db->idate(mktime())."'";
 $sql.= ", '".$this->db->idate($date)."'";
 $sql.= ", '".$this->db->idate($datev)."'";
- $sql.= ", '".addslashes($label)."'";
+ $sql.= ", '".$this->db->escape($label)."'";
 $sql.= ", ".price2num($amount);
 $sql.= ", '".$user->id."'";
 $sql.= ", ".($num_chq?"'".$num_chq."'":"null");
 $sql.= ", '".$this->rowid."'";
 $sql.= ", '".$oper."'";
- $sql.= ", ".($emetteur?"'".addslashes($emetteur)."'":"null");
- $sql.= ", ".($banque?"'".addslashes($banque)."'":"null");
+ $sql.= ", ".($emetteur?"'".$this->db->escape($emetteur)."'":"null");
+ $sql.= ", ".($banque?"'".$this->db->escape($banque)."'":"null");
 $sql.= ")";
 dol_syslog("Account::addline sql=".$sql);
@@ -347,15 +347,15 @@ class Account extends CommonObject
 $sql.= ", fk_pays";
 $sql.= ") VALUES (";
 $sql.= "'".$this->db->idate($now)."'";
- $sql.= ", '".addslashes($this->ref)."'";
- $sql.= ", '".addslashes($this->label)."'";
+ $sql.= ", '".$this->db->escape($this->ref)."'";
+ $sql.= ", '".$this->db->escape($this->label)."'";
 $sql.= ", ".$conf->entity;
- $sql.= ", '".addslashes($this->account_number)."'";
+ $sql.= ", '".$this->db->escape($this->account_number)."'";
 $sql.= ", '".$this->currency_code."'";
 $sql.= ", ".$this->rappro;
 $sql.= ", ".price2num($this->min_allowed);
 $sql.= ", ".price2num($this->min_desired);
- $sql.= ", '".addslashes($this->comment)."'";
+ $sql.= ", '".$this->db->escape($this->comment)."'";
 $sql.= ", ".($this->fk_departement>0?"'".$this->fk_departement."'":"null");
 $sql.= ", ".$this->fk_pays;
 $sql.= ")";
@@ -438,8 +438,8 @@ class Account extends CommonObject
 $sql = "UPDATE ".MAIN_DB_PREFIX."bank_account SET ";
- $sql.= " ref = '".addslashes($this->ref)."'";
- $sql.= ",label = '".addslashes($this->label)."'";
+ $sql.= " ref = '".$this->db->escape($this->ref)."'";
+ $sql.= ",label = '".$this->db->escape($this->label)."'";
 $sql.= ",courant = ".$this->courant;
 $sql.= ",clos = ".$this->clos;
@@ -451,7 +451,7 @@ class Account extends CommonObject
 $sql.= ",min_allowed = '".price2num($this->min_allowed)."'";
 $sql.= ",min_desired = '".price2num($this->min_desired)."'";
- $sql.= ",comment = '".addslashes($this->comment)."'";
+ $sql.= ",comment = '".$this->db->escape($this->comment)."'";
 $sql.= ",fk_departement = ".($this->fk_departement>0?"'".$this->fk_departement."'":"null");
 $sql.= ",fk_pays = ".$this->fk_pays;
@@ -496,16 +496,16 @@ class Account extends CommonObject
 }
 $sql = "UPDATE ".MAIN_DB_PREFIX."bank_account SET ";
- $sql.= " bank = '".addslashes($this->bank)."'";
+ $sql.= " bank = '".$this->db->escape($this->bank)."'";
 $sql.= ",code_banque='".$this->code_banque."'";
 $sql.= ",code_guichet='".$this->code_guichet."'";
 $sql.= ",number='".$this->number."'";
 $sql.= ",cle_rib='".$this->cle_rib."'";
 $sql.= ",bic='".$this->bic."'";
 $sql.= ",iban_prefix = '".$this->iban."'";
- $sql.= ",domiciliation='".addslashes($this->domiciliation)."'";
- $sql.= ",proprio = '".addslashes($this->proprio)."'";
- $sql.= ",adresse_proprio = '".addslashes($this->adresse_proprio)."'";
+ $sql.= ",domiciliation='".$this->db->escape($this->domiciliation)."'";
+ $sql.= ",proprio = '".$this->db->escape($this->proprio)."'";
+ $sql.= ",adresse_proprio = '".$this->db->escape($this->adresse_proprio)."'";
 $sql.= ",fk_departement = ".($this->fk_departement>0?"'".$this->fk_departement."'":"null");
 $sql.= ",fk_pays = ".$this->fk_pays;
 $sql.= " WHERE rowid = ".$this->id;
@@ -548,7 +548,7 @@ class Account extends CommonObject
 $sql.= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_departements as d ON ba.fk_departement = d.rowid';
 $sql.= " WHERE entity = ".$conf->entity;
 if ($id) $sql.= " AND ba.rowid = ".$id;
- if ($ref) $sql.= " AND ba.ref = '".addslashes($ref)."'";
+ if ($ref) $sql.= " AND ba.ref = '".$this->db->escape($ref)."'";
 dol_syslog("Account::fetch sql=".$sql);
 $result = $this->db->query($sql);
diff --git a/htdocs/compta/bank/class/bankcateg.class.php b/htdocs/compta/bank/class/bankcateg.class.php
index 817289b369b..9d304b1073a 100644
--- a/htdocs/compta/bank/class/bankcateg.class.php
+++ b/htdocs/compta/bank/class/bankcateg.class.php
@@ -83,7 +83,7 @@ class BankCateg // extends CommonObject
 $sql.= "label";
 $sql.= ", entity";
 $sql.= ") VALUES (";
- $sql.= " ".(! isset($this->label)?'NULL':"'".addslashes($this->label)."'")."";
+ $sql.= " ".(! isset($this->label)?'NULL':"'".$this->db->escape($this->label)."'")."";
 $sql.= ", ".$conf->entity;
 $sql.= ")";
@@ -189,7 +189,7 @@ class BankCateg // extends CommonObject
 // Update request
 $sql = "UPDATE ".MAIN_DB_PREFIX."bank_categ SET";
- $sql.= " label=".(isset($this->label)?"'".addslashes($this->label)."'":"null")."";
+ $sql.= " label=".(isset($this->label)?"'".$this->db->escape($this->label)."'":"null")."";
 $sql.= " WHERE rowid=".$this->id;
 $sql.= " AND entity = ".$conf->entity;
diff --git a/htdocs/compta/deplacement/class/deplacement.class.php b/htdocs/compta/deplacement/class/deplacement.class.php
index 3005de4a907..adf0866c7cb 100644
--- a/htdocs/compta/deplacement/class/deplacement.class.php
+++ b/htdocs/compta/deplacement/class/deplacement.class.php
@@ -103,8 +103,8 @@ class Deplacement extends CommonObject
 $sql.= ", ".$user->id;
 $sql.= ", ".$this->fk_user;
 $sql.= ", '".$this->type."'";
- $sql.= ", ".($this->note?"'".addslashes($this->note)."'":"null");
- $sql.= ", ".($this->note_public?"'".addslashes($this->note_public)."'":"null");
+ $sql.= ", ".($this->note?"'".$this->db->escape($this->note)."'":"null");
+ $sql.= ", ".($this->note_public?"'".$this->db->escape($this->note_public)."'":"null");
 $sql.= ", ".($this->fk_project > 0? $this->fk_project : 0);
 $sql.= ", ".($this->fk_soc > 0? $this->fk_soc : "null");
 $sql.= ")";
@@ -166,8 +166,8 @@ class Deplacement extends CommonObject
 $sql .= " , type = '".$this->type."'";
 $sql .= " , fk_user = ".$this->fk_user;
 $sql .= " , fk_soc = ".($this->socid > 0?$this->socid:'null');
- $sql .= " , note = ".($this->note?"'".addslashes($this->note)."'":"null");
- $sql .= " , note_public = ".($this->note_public?"'".addslashes($this->note_public)."'":"null");
+ $sql .= " , note = ".($this->note?"'".$this->db->escape($this->note)."'":"null");
+ $sql .= " , note_public = ".($this->note_public?"'".$this->db->escape($this->note_public)."'":"null");
 $sql .= " , fk_projet = ".($this->fk_project>0?$this->fk_project:0);
 $sql .= " WHERE rowid = ".$this->id;
diff --git a/htdocs/compta/dons/class/don.class.php b/htdocs/compta/dons/class/don.class.php
index 827a91aa9ec..7ea861c701b 100644
--- a/htdocs/compta/dons/class/don.class.php
+++ b/htdocs/compta/dons/class/don.class.php
@@ -321,16 +321,16 @@ class Don extends CommonObject
 $sql.= ", ".$conf->entity;
 $sql.= ", ".price2num($this->amount);
 $sql.= ", ".$this->modepaiementid;
- $sql.= ", '".addslashes($this->prenom)."'";
- $sql.= ", '".addslashes($this->nom)."'";
- $sql.= ", '".addslashes($this->societe)."'";
- $sql.= ", '".addslashes($this->adresse)."'";
+ $sql.= ", '".$this->db->escape($this->prenom)."'";
+ $sql.= ", '".$this->db->escape($this->nom)."'";
+ $sql.= ", '".$this->db->escape($this->societe)."'";
+ $sql.= ", '".$this->db->escape($this->adresse)."'";
 $sql.= ", '".$this->cp."'";
- $sql.= ", '".addslashes($this->ville)."'";
- $sql.= ", '".addslashes($this->pays)."'"; // TODO use fk_pays
+ $sql.= ", '".$this->db->escape($this->ville)."'";
+ $sql.= ", '".$this->db->escape($this->pays)."'"; // TODO use fk_pays
 $sql.= ", ".$this->public;
 $sql.= ", ".($this->fk_project > 0?$this->fk_project:"null");
- $sql.= ", '".addslashes($this->note)."'";
+ $sql.= ", '".$this->db->escape($this->note)."'";
 $sql.= ", ".$user->id;
 $sql.= ", null";
 $sql.= ", '".$this->date."'";
@@ -363,16 +363,16 @@ class Don extends CommonObject
 $sql = "UPDATE ".MAIN_DB_PREFIX."don SET ";
 $sql .= "amount = " . price2num($this->amount);
 $sql .= ",fk_paiement = ".$this->modepaiementid;
- $sql .= ",prenom = '".addslashes($this->prenom)."'";
- $sql .= ",nom='".addslashes($this->nom)."'";
- $sql .= ",societe='".addslashes($this->societe)."'";
- $sql .= ",adresse='".addslashes($this->adresse)."'";
+ $sql .= ",prenom = '".$this->db->escape($this->prenom)."'";
+ $sql .= ",nom='".$this->db->escape($this->nom)."'";
+ $sql .= ",societe='".$this->db->escape($this->societe)."'";
+ $sql .= ",adresse='".$this->db->escape($this->adresse)."'";
 $sql .= ",cp='".$this->cp."'";
- $sql .= ",ville='".addslashes($this->ville)."'";
- $sql .= ",pays='".addslashes($this->pays)."'"; // TODO use fk_pays
+ $sql .= ",ville='".$this->db->escape($this->ville)."'";
+ $sql .= ",pays='".$this->db->escape($this->pays)."'"; // TODO use fk_pays
 $sql .= ",public=".$this->public;
 $sql .= ",fk_don_projet=".($this->fk_project>0?$this->fk_project:'null');
- $sql .= ",note='".addslashes($this->note)."'";
+ $sql .= ",note='".$this->db->escape($this->note)."'";
 $sql .= ",datedon='".$this->date."'";
 $sql .= ",email='".$this->email."'";
 $sql .= ",fk_statut=".$this->statut;
diff --git a/htdocs/compta/facture/class/facture-rec.class.php b/htdocs/compta/facture/class/facture-rec.class.php
index f4ff780484c..f8f0397c167 100644
--- a/htdocs/compta/facture/class/facture-rec.class.php
+++ b/htdocs/compta/facture/class/facture-rec.class.php
@@ -127,7 +127,7 @@ class FactureRec extends Facture
 $sql.= ", ".$this->db->idate(mktime());
 $sql.= ", '".$facsrc->amount."'";
 $sql.= ", '".$facsrc->remise."'";
- $sql.= ", '".addslashes($this->note)."'";
+ $sql.= ", '".$this->db->escape($this->note)."'";
 $sql.= ", '".$user->id."'";
 $sql.= ", ".($facsrc->fk_project?"'".$facsrc->fk_project."'":"null");
 $sql.= ", '".$facsrc->cond_reglement_id."'";
@@ -477,7 +477,7 @@ class FactureRec extends Facture
 $sql.= ", special_code";
 $sql.= ") VALUES (";
 $sql.= "'".$facid."'";
- $sql.= ", '".addslashes($desc)."'";
+ $sql.= ", '".$this->db->escape($desc)."'";
 $sql.= ", ".price2num($price);
 $sql.= ", ".price2num($qty);
 $sql.= ", ".price2num($txtva);
diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php
index b505e67f777..7525c5a8428 100644
--- a/htdocs/compta/facture/class/facture.class.php
+++ b/htdocs/compta/facture/class/facture.class.php
@@ -860,10 +860,10 @@ class Facture extends CommonObject
 // Update request
 $sql = "UPDATE ".MAIN_DB_PREFIX."facture SET";
- $sql.= " facnumber=".(isset($this->ref)?"'".addslashes($this->ref)."'":"null").",";
+ $sql.= " facnumber=".(isset($this->ref)?"'".$this->db->escape($this->ref)."'":"null").",";
 $sql.= " type=".(isset($this->type)?$this->type:"null").",";
- $sql.= " ref_client=".(isset($this->ref_client)?"'".addslashes($this->ref_client)."'":"null").",";
- $sql.= " increment=".(isset($this->increment)?"'".addslashes($this->increment)."'":"null").",";
+ $sql.= " ref_client=".(isset($this->ref_client)?"'".$this->db->escape($this->ref_client)."'":"null").",";
+ $sql.= " increment=".(isset($this->increment)?"'".$this->db->escape($this->increment)."'":"null").",";
 $sql.= " fk_soc=".(isset($this->socid)?$this->socid:"null").",";
 $sql.= " datec=".(strval($this->date_creation)!='' ? "'".$this->db->idate($this->date_creation)."'" : 'null').",";
 $sql.= " datef=".(strval($this->date)!='' ? "'".$this->db->idate($this->date)."'" : 'null').",";
@@ -873,8 +873,8 @@ class Facture extends CommonObject
 $sql.= " remise_percent=".(isset($this->remise_percent)?$this->remise_percent:"null").",";
 $sql.= " remise_absolue=".(isset($this->remise_absolue)?$this->remise_absolue:"null").",";
 $sql.= " remise=".(isset($this->remise)?$this->remise:"null").",";
- $sql.= " close_code=".(isset($this->close_code)?"'".addslashes($this->close_code)."'":"null").",";
- $sql.= " close_note=".(isset($this->close_note)?"'".addslashes($this->close_note)."'":"null").",";
+ $sql.= " close_code=".(isset($this->close_code)?"'".$this->db->escape($this->close_code)."'":"null").",";
+ $sql.= " close_note=".(isset($this->close_note)?"'".$this->db->escape($this->close_note)."'":"null").",";
 $sql.= " tva=".(isset($this->total_tva)?$this->total_tva:"null").",";
 $sql.= " localtax1=".(isset($this->total_localtax1)?$this->total_localtax1:"null").",";
 $sql.= " localtax2=".(isset($this->total_localtax2)?$this->total_localtax2:"null").",";
@@ -888,10 +888,10 @@ class Facture extends CommonObject
 $sql.= " fk_cond_reglement=".(isset($this->cond_reglement_id)?$this->cond_reglement_id:"null").",";
 $sql.= " fk_mode_reglement=".(isset($this->mode_reglement_id)?$this->mode_reglement_id:"null").",";
 $sql.= " date_lim_reglement=".(strval($this->date_lim_reglement)!='' ? "'".$this->db->idate($this->date_lim_reglement)."'" : 'null').",";
- $sql.= " note=".(isset($this->note)?"'".addslashes($this->note)."'":"null").",";
- $sql.= " note_public=".(isset($this->note_public)?"'".addslashes($this->note_public)."'":"null").",";
- $sql.= " model_pdf=".(isset($this->modelpdf)?"'".addslashes($this->modelpdf)."'":"null").",";
- $sql.= " import_key=".(isset($this->import_key)?"'".addslashes($this->import_key)."'":"null")."";
+ $sql.= " note=".(isset($this->note)?"'".$this->db->escape($this->note)."'":"null").",";
+ $sql.= " note_public=".(isset($this->note_public)?"'".$this->db->escape($this->note_public)."'":"null").",";
+ $sql.= " model_pdf=".(isset($this->modelpdf)?"'".$this->db->escape($this->modelpdf)."'":"null").",";
+ $sql.= " import_key=".(isset($this->import_key)?"'".$this->db->escape($this->import_key)."'":"null")."";
 $sql.= " WHERE rowid=".$this->id;
@@ -1028,7 +1028,7 @@ class Facture extends CommonObject
 if (empty($ref_client)) $sql .= ' SET ref_client = NULL';
 else
- $sql .= ' SET ref_client = \''.addslashes($ref_client).'\'';
+ $sql .= ' SET ref_client = \''.$this->db->escape($ref_client).'\'';
 $sql .= ' WHERE rowid = '.$this->id;
 if ($this->db->query($sql)) {
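Review bot: In the 1028 hunk, `empty($ref_client)` is a truthiness test, so a customer reference of `'0'` is silently stored as NULL instead of being escaped and saved; the check should be explicit, `if ($ref_client === '' || $ref_client === null) $sql .= ' SET ref_client = NULL';`. The `if ($close_code)` / `if ($close_note)` guards in the 1216 and 1325 hunks below have the same `'0'` blind spot. The enclosing method starts before this hunk, so whether the caller already normalises the value cannot be confirmed from here.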
@@ -1216,8 +1216,8 @@ class Facture extends CommonObject
 $sql = 'UPDATE '.MAIN_DB_PREFIX.'facture SET';
 $sql.= ' fk_statut=2';
 if (! $close_code) $sql.= ', paye=1';
- if ($close_code) $sql.= ", close_code='".addslashes($close_code)."'";
- if ($close_note) $sql.= ", close_note='".addslashes($close_note)."'";
+ if ($close_code) $sql.= ", close_code='".$this->db->escape($close_code)."'";
+ if ($close_note) $sql.= ", close_note='".$this->db->escape($close_note)."'";
 $sql.= ' WHERE rowid = '.$this->id;
 $resql = $this->db->query($sql);
@@ -1325,8 +1325,8 @@ class Facture extends CommonObject
 $sql = 'UPDATE '.MAIN_DB_PREFIX.'facture SET';
 $sql.= ' fk_statut=3';
- if ($close_code) $sql.= ", close_code='".addslashes($close_code)."'";
- if ($close_note) $sql.= ", close_note='".addslashes($close_note)."'";
+ if ($close_code) $sql.= ", close_code='".$this->db->escape($close_code)."'";
+ if ($close_note) $sql.= ", close_note='".$this->db->escape($close_note)."'";
 $sql.= ' WHERE rowid = '.$this->id;
 $resql = $this->db->query($sql);
@@ -3202,7 +3202,7 @@ class FactureLigne
 $sql.= ' rang, special_code,';
 $sql.= ' info_bits, total_ht, total_tva, total_localtax1, total_localtax2, total_ttc)';
 $sql.= " VALUES (".$this->fk_facture.",";
- $sql.= " '".addslashes($this->desc)."',";
+ $sql.= " '".$this->db->escape($this->desc)."',";
 $sql.= " ".price2num($this->qty).",";
 $sql.= " ".price2num($this->tva_tx).",";
 $sql.= " ".price2num($this->localtax1_tx).",";
@@ -3329,7 +3329,7 @@ class FactureLigne
 // Mise a jour ligne en base
 $sql = "UPDATE ".MAIN_DB_PREFIX."facturedet SET";
- $sql.= " description='".addslashes($this->desc)."'";
+ $sql.= " description='".$this->db->escape($this->desc)."'";
 $sql.= ",subprice=".price2num($this->subprice)."";
 $sql.= ",price=".price2num($this->price)."";
 $sql.= ",remise=".price2num($this->remise)."";
diff --git a/htdocs/compta/facture/class/paymentterm.class.php b/htdocs/compta/facture/class/paymentterm.class.php
index c52a3234cf6..f435361ed61 100644
--- a/htdocs/compta/facture/class/paymentterm.class.php
+++ b/htdocs/compta/facture/class/paymentterm.class.php
@@ -113,11 +113,11 @@ class PaymentTerm // extends CommonObject
 $sql.= ") VALUES (";
 $sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->rowid."'").",";
- $sql.= " ".(! isset($this->code)?'NULL':"'".addslashes($this->code)."'").",";
+ $sql.= " ".(! isset($this->code)?'NULL':"'".$this->db->escape($this->code)."'").",";
 $sql.= " ".(! isset($this->sortorder)?'NULL':"'".$this->sortorder."'").",";
 $sql.= " ".(! isset($this->active)?'NULL':"'".$this->active."'").",";
- $sql.= " ".(! isset($this->libelle)?'NULL':"'".addslashes($this->libelle)."'").",";
- $sql.= " ".(! isset($this->libelle_facture)?'NULL':"'".addslashes($this->libelle_facture)."'").",";
+ $sql.= " ".(! isset($this->libelle)?'NULL':"'".$this->db->escape($this->libelle)."'").",";
+ $sql.= " ".(! isset($this->libelle_facture)?'NULL':"'".$this->db->escape($this->libelle_facture)."'").",";
 $sql.= " ".(! isset($this->fdm)?'NULL':"'".$this->fdm."'").",";
 $sql.= " ".(! isset($this->nbjour)?'NULL':"'".$this->nbjour."'").",";
 $sql.= " ".(! isset($this->decalage)?'NULL':"'".$this->decalage."'")."";
@@ -292,11 +292,11 @@ class PaymentTerm // extends CommonObject
 // Update request
 $sql = "UPDATE ".MAIN_DB_PREFIX."c_payment_term SET";
- $sql.= " code=".(isset($this->code)?"'".addslashes($this->code)."'":"null").",";
+ $sql.= " code=".(isset($this->code)?"'".$this->db->escape($this->code)."'":"null").",";
 $sql.= " sortorder=".(isset($this->sortorder)?$this->sortorder:"null").",";
 $sql.= " active=".(isset($this->active)?$this->active:"null").",";
- $sql.= " libelle=".(isset($this->libelle)?"'".addslashes($this->libelle)."'":"null").",";
- $sql.= " libelle_facture=".(isset($this->libelle_facture)?"'".addslashes($this->libelle_facture)."'":"null").",";
+ $sql.= " libelle=".(isset($this->libelle)?"'".$this->db->escape($this->libelle)."'":"null").",";
+ $sql.= " libelle_facture=".(isset($this->libelle_facture)?"'".$this->db->escape($this->libelle_facture)."'":"null").",";
 $sql.= " fdm=".(isset($this->fdm)?$this->fdm:"null").",";
 $sql.= " nbjour=".(isset($this->nbjour)?$this->nbjour:"null").",";
 $sql.= " decalage=".(isset($this->decalage)?$this->decalage:"null")."";
diff --git a/htdocs/compta/paiement/cheque/class/remisecheque.class.php b/htdocs/compta/paiement/cheque/class/remisecheque.class.php
index 5d52f2d1e06..c36cc582deb 100644
--- a/htdocs/compta/paiement/cheque/class/remisecheque.class.php
+++ b/htdocs/compta/paiement/cheque/class/remisecheque.class.php
@@ -73,7 +73,7 @@ class RemiseCheque extends CommonObject
 $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."bank_account as ba ON bc.fk_bank_account = ba.rowid";
 $sql.= " WHERE bc.entity = ".$conf->entity;
 if ($id) $sql.= " AND bc.rowid = ".$id;
- if ($ref) $sql.= " AND bc.number = '".addslashes($ref)."'";
+ if ($ref) $sql.= " AND bc.number = '".$this->db->escape($ref)."'";
 dol_syslog("RemiseCheque::fetch sql=".$sql, LOG_DEBUG);
 $resql = $this->db->query($sql);
diff --git a/htdocs/compta/paiement/class/paiement.class.php b/htdocs/compta/paiement/class/paiement.class.php
index b9ef13b93e5..67446d51795 100644
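Review bot: In the RemiseCheque::fetch hunk, `$ref` is now escaped but the sibling `$id` one line above is concatenated bare, and a fetch-by-id/ref is exactly the kind of method that receives request parameters; the matching guard is a cast, `if ($id) $sql.= " AND bc.rowid = ".(int) $id;`. When both `$id` and `$ref` are empty the WHERE clause is reduced to the entity predicate alone; the rest of fetch() is outside the hunk, so it is worth confirming that the caller never reaches it with neither value set.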
--- a/htdocs/compta/paiement/class/paiement.class.php
+++ b/htdocs/compta/paiement/class/paiement.class.php
@@ -150,7 +150,7 @@ class Paiement
 $this->db->begin();
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."paiement (datec, datep, amount, fk_paiement, num_paiement, note, fk_user_creat)";
- $sql.= " VALUES ('".$this->db->idate($now)."', '".$this->db->idate($this->datepaye)."', '".$totalamount."', ".$this->paiementid.", '".$this->num_paiement."', '".addslashes($this->note)."', ".$user->id.")";
+ $sql.= " VALUES ('".$this->db->idate($now)."', '".$this->db->idate($this->datepaye)."', '".$totalamount."', ".$this->paiementid.", '".$this->num_paiement."', '".$this->db->escape($this->note)."', ".$user->id.")";
 dol_syslog(get_class($this)."::Create insert paiement sql=".$sql);
 $resql = $this->db->query($sql);
diff --git a/htdocs/compta/prelevement/class/bon-prelevement.class.php b/htdocs/compta/prelevement/class/bon-prelevement.class.php
index e102cfdba28..c43586e7fa3 100644
--- a/htdocs/compta/prelevement/class/bon-prelevement.class.php
+++ b/htdocs/compta/prelevement/class/bon-prelevement.class.php
@@ -208,7 +208,7 @@ class BonPrelevement extends CommonObject
 $sql.= ") VALUES (";
 $sql.= $this->id;
 $sql.= ", ".$client_id;
- $sql.= ", '".addslashes($client_nom)."'";
+ $sql.= ", '".$this->db->escape($client_nom)."'";
 $sql.= ", '".price2num($amount)."'";
 $sql.= ", '".$code_banque."'";
 $sql.= ", '".$code_guichet."'";
diff --git a/htdocs/compta/sociales/class/chargesociales.class.php b/htdocs/compta/sociales/class/chargesociales.class.php
index 816bdba38d4..b0358c51fbf 100644
--- a/htdocs/compta/sociales/class/chargesociales.class.php
+++ b/htdocs/compta/sociales/class/chargesociales.class.php
@@ -123,7 +123,7 @@ class ChargeSociales extends CommonObject
 $this->db->begin();
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."chargesociales (fk_type, libelle, date_ech, periode, amount)";
- $sql.= " VALUES (".$this->type.",'".addslashes($this->lib)."',";
+ $sql.= " VALUES (".$this->type.",'".$this->db->escape($this->lib)."',";
 $sql.= " '".$this->db->idate($this->date_ech)."','".$this->db->idate($this->periode)."',";
 $sql.= " ".price2num($newamount);
 $sql.= ")";
@@ -180,7 +180,7 @@ class ChargeSociales extends CommonObject
 $this->db->begin();
 $sql = "UPDATE ".MAIN_DB_PREFIX."chargesociales";
- $sql.= " SET libelle='".addslashes($this->lib)."',";
+ $sql.= " SET libelle='".$this->db->escape($this->lib)."',";
 $sql.= " date_ech='".$this->db->idate($this->date_ech)."',";
 $sql.= " periode='".$this->db->idate($this->periode)."'";
 $sql.= " WHERE rowid=".$this->id;
diff --git a/htdocs/compta/sociales/class/paymentsocialcontribution.class.php b/htdocs/compta/sociales/class/paymentsocialcontribution.class.php
index 33280164094..f3d1713d661 100644
--- a/htdocs/compta/sociales/class/paymentsocialcontribution.class.php
+++ b/htdocs/compta/sociales/class/paymentsocialcontribution.class.php
@@ -117,7 +117,7 @@ class PaymentSocialContribution extends CommonObject
 $sql.= " VALUES ($this->chid, '".$this->db->idate($now)."',";
 $sql.= " '".$this->db->idate($this->datepaye)."',";
 $sql.= " ".$totalamount.",";
- $sql.= " ".$this->paiementtype.", '".addslashes($this->num_paiement)."', '".addslashes($this->note)."', ".$user->id.",";
+ $sql.= " ".$this->paiementtype.", '".$this->db->escape($this->num_paiement)."', '".$this->db->escape($this->note)."', ".$user->id.",";
 $sql.= " 0)";
 dol_syslog(get_class($this)."::create sql=".$sql);
@@ -254,8 +254,8 @@ class PaymentSocialContribution extends CommonObject
 $sql.= " datep=".(dol_strlen($this->datep)!=0 ? "'".$this->db->idate($this->datep)."'" : 'null').",";
 $sql.= " amount=".(isset($this->amount)?$this->amount:"null").",";
 $sql.= " fk_typepaiement=".(isset($this->fk_typepaiement)?$this->fk_typepaiement:"null").",";
- $sql.= " num_paiement=".(isset($this->num_paiement)?"'".addslashes($this->num_paiement)."'":"null").",";
- $sql.= " note=".(isset($this->note)?"'".addslashes($this->note)."'":"null").",";
+ $sql.= " num_paiement=".(isset($this->num_paiement)?"'".$this->db->escape($this->num_paiement)."'":"null").",";
+ $sql.= " note=".(isset($this->note)?"'".$this->db->escape($this->note)."'":"null").",";
 $sql.= " fk_bank=".(isset($this->fk_bank)?$this->fk_bank:"null").",";
 $sql.= " fk_user_creat=".(isset($this->fk_user_creat)?$this->fk_user_creat:"null").",";
 $sql.= " fk_user_modif=".(isset($this->fk_user_modif)?$this->fk_user_modif:"null")."";
diff --git a/htdocs/compta/tva/class/tva.class.php b/htdocs/compta/tva/class/tva.class.php
index 5763732673f..c684fb1e469 100644
--- a/htdocs/compta/tva/class/tva.class.php
+++ b/htdocs/compta/tva/class/tva.class.php
@@ -172,8 +172,8 @@ class Tva extends CommonObject
 $sql.= " datep=".$this->db->idate($this->datep).",";
 $sql.= " datev=".$this->db->idate($this->datev).",";
 $sql.= " amount='".$this->amount."',";
- $sql.= " label='".addslashes($this->label)."',";
- $sql.= " note='".addslashes($this->note)."',";
+ $sql.= " label='".$this->db->escape($this->label)."',";
+ $sql.= " note='".$this->db->escape($this->note)."',";
 $sql.= " fk_bank='".$this->fk_bank."',";
 $sql.= " fk_user_creat='".$this->fk_user_creat."',";
 $sql.= " fk_user_modif='".$this->fk_user_modif."'";
@@ -504,8 +504,8 @@ class Tva extends CommonObject
 $sql.= ") ";
 $sql.= " VALUES ('".$this->db->idate($this->datep)."',";
 $sql.= "'".$this->db->idate($this->datev)."'," . $this->amount;
- if ($this->note) $sql.=", '".addslashes($this->note)."'";
- if ($this->label) $sql.=", '".addslashes($this->label)."'";
+ if ($this->note) $sql.=", '".$this->db->escape($this->note)."'";
+ if ($this->label) $sql.=", '".$this->db->escape($this->label)."'";
 $sql.=", '".$user->id."', NULL";
 $sql.= ")";
diff --git a/htdocs/contact/class/contact.class.php b/htdocs/contact/class/contact.class.php
index 74ce917d490..654c1167659 100644
--- a/htdocs/contact/class/contact.class.php
+++ b/htdocs/contact/class/contact.class.php
@@ -112,7 +112,7 @@ class Contact extends CommonObject
 $sql.= " VALUES ('".$this->db->idate($now)."',";
 if ($this->socid > 0) $sql.= " ".$this->socid.",";
 else $sql.= "null,";
- $sql.= "'".addslashes($this->name)."',";
+ $sql.= "'".$this->db->escape($this->name)."',";
 $sql.= " ".($user->id > 0 ? "'".$user->id."'":"null").",";
 $sql.= " ".$this->priv.",";
 $sql.= " ".($this->canvas?"'".$this->canvas."'":"null");
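Review bot: In the Tva::addPayment hunk the two `if ($this->note)` / `if ($this->label)` lines append VALUES entries conditionally, so the value count only matches the column list (built before this hunk, outside it) if that list is assembled under exactly the same conditions; a note or label of `'0'` is also dropped by the truthiness test. If the column list is unconditional, the simpler and safer form is to always emit both values, `$sql.=", '".$this->db->escape($this->note)."'";` and `$sql.=", '".$this->db->escape($this->label)."'";`, and let an empty string be stored. `$this->amount` on the line above is concatenated bare and is not covered by escape(); `price2num()` as used elsewhere in this commit, or a float cast, would bound it.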
@@ -204,24 +204,24 @@ class Contact extends CommonObject
 $this->db->begin();
 $sql = "UPDATE ".MAIN_DB_PREFIX."socpeople SET ";
- if ($this->socid > 0) $sql .= " fk_soc='".addslashes($this->socid)."',";
+ if ($this->socid > 0) $sql .= " fk_soc='".$this->db->escape($this->socid)."',";
 if ($this->socid == -1) $sql .= " fk_soc=null,";
- $sql .= " civilite='".addslashes($this->civilite_id)."'";
- $sql .= ", name='".addslashes($this->name)."'";
- $sql .= ", firstname='".addslashes($this->firstname)."'";
- $sql .= ", address='".addslashes($this->address)."'";
- $sql .= ", cp='".addslashes($this->cp)."'";
- $sql .= ", ville='".addslashes($this->ville)."'";
+ $sql .= " civilite='".$this->db->escape($this->civilite_id)."'";
+ $sql .= ", name='".$this->db->escape($this->name)."'";
+ $sql .= ", firstname='".$this->db->escape($this->firstname)."'";
+ $sql .= ", address='".$this->db->escape($this->address)."'";
+ $sql .= ", cp='".$this->db->escape($this->cp)."'";
+ $sql .= ", ville='".$this->db->escape($this->ville)."'";
 $sql .= ", fk_pays=".($this->fk_pays>0?$this->fk_pays:'NULL');
 $sql .= ", fk_departement=".($this->fk_departement>0?$this->fk_departement:'NULL');
- $sql .= ", poste='".addslashes($this->poste)."'";
- $sql .= ", fax='".addslashes($this->fax)."'";
- $sql .= ", email='".addslashes($this->email)."'";
- $sql .= ", note='".addslashes($this->note)."'";
- $sql .= ", phone = '".addslashes($this->phone_pro)."'";
- $sql .= ", phone_perso = '".addslashes($this->phone_perso)."'";
- $sql .= ", phone_mobile = '".addslashes($this->phone_mobile)."'";
- $sql .= ", jabberid = '".addslashes($this->jabberid)."'";
+ $sql .= ", poste='".$this->db->escape($this->poste)."'";
+ $sql .= ", fax='".$this->db->escape($this->fax)."'";
+ $sql .= ", email='".$this->db->escape($this->email)."'";
+ $sql .= ", note='".$this->db->escape($this->note)."'";
+ $sql .= ", phone = '".$this->db->escape($this->phone_pro)."'";
+ $sql .= ", phone_perso = '".$this->db->escape($this->phone_perso)."'";
+ $sql .= ", phone_mobile = '".$this->db->escape($this->phone_mobile)."'";
+ $sql .= ", jabberid = '".$this->db->escape($this->jabberid)."'";
 $sql .= ", priv = '".$this->priv."'";
 $sql .= ", fk_user_modif=".($user->id > 0 ? "'".$user->id."'":"null");
 $sql .= ", default_lang=".($this->default_lang?"'".$this->default_lang."'":"null");
@@ -752,7 +752,7 @@ class Contact extends CommonObject
 {
 $sql = "SELECT count(mc.email) as nb";
 $sql.= " FROM ".MAIN_DB_PREFIX."mailing_cibles as mc";
- $sql.= " WHERE mc.email = '".addslashes($this->email)."'";
+ $sql.= " WHERE mc.email = '".$this->db->escape($this->email)."'";
 $sql.= " AND mc.statut=1"; // -1 erreur, 0 non envoye, 1 envoye avec succes
 $resql=$this->db->query($sql);
 if ($resql)
diff --git a/htdocs/contrat/class/contrat.class.php b/htdocs/contrat/class/contrat.class.php
index 7f40aae4b95..de65ba51672 100644
--- a/htdocs/contrat/class/contrat.class.php
+++ b/htdocs/contrat/class/contrat.class.php
@@ -154,7 +154,7 @@ class Contrat extends CommonObject
 $sql.= " date_fin_validite = ".(dol_strlen($date_end)!=0?"'".$this->db->idate($date_end)."'":"null").",";
 $sql.= " fk_user_ouverture = ".$user->id.",";
 $sql.= " date_cloture = null,";
- $sql.= " commentaire = '".addslashes($comment)."'";
+ $sql.= " commentaire = '".$this->db->escape($comment)."'";
 $sql.= " WHERE rowid = ".$line_id . " AND (statut = 0 OR statut = 3 OR statut = 5)";
 dol_syslog("Contrat::active_line sql=".$sql);
@@ -200,7 +200,7 @@ class Contrat extends CommonObject
 $sql = "UPDATE ".MAIN_DB_PREFIX."contratdet SET statut = 5,";
 $sql.= " date_cloture = '".$this->db->idate($date_end)."',";
 $sql.= " fk_user_cloture = ".$user->id.",";
- $sql.= " commentaire = '".addslashes($comment)."'";
+ $sql.= " commentaire = '".$this->db->escape($comment)."'";
 $sql.= " WHERE rowid = ".$line_id . " AND statut = 4";
 $resql = $this->db->query($sql) ;
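Review bot: In Contact::update, `fk_soc='".$this->db->escape($this->socid)."'` applies string escaping to a value the two surrounding lines already treat as an integer (`> 0`, `== -1`); the right guard for a foreign key is a cast, `if ($this->socid > 0) $sql .= " fk_soc=".(int) $this->socid.",";`, which also removes the quotes around a numeric column. Further down the same hunk, `priv` and `default_lang` remain quoted but unescaped while every other string field was converted; `default_lang` is plausibly form-selected, so `$this->db->escape()` belongs there too. The two Contrat hunks on this line (active_line, close_line) concatenate `$line_id` bare into the WHERE clause and would benefit from the same `(int)` cast. The enclosing update() begins before the hunk.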
@@ -885,7 +885,7 @@ class Contrat extends CommonObject
 $sql.= " price_ht, remise"; // \TODO A virer
 if ($date_start > 0) { $sql.= ",date_ouverture_prevue"; }
 if ($date_end > 0) { $sql.= ",date_fin_validite"; }
- $sql.= ") VALUES ($this->id, '" . addslashes($label) . "','" . addslashes($desc) . "',";
+ $sql.= ") VALUES ($this->id, '" . $this->db->escape($label) . "','" . $this->db->escape($desc) . "',";
 $sql.= ($fk_product>0 ? $fk_product : "null").",";
 $sql.= " '".$qty."',";
 $sql.= " '".$txtva."',";
@@ -978,7 +978,7 @@ class Contrat extends CommonObject
 $this->db->begin();
- $sql = "UPDATE ".MAIN_DB_PREFIX."contratdet set description='".addslashes($desc)."'";
+ $sql = "UPDATE ".MAIN_DB_PREFIX."contratdet set description='".$this->db->escape($desc)."'";
 $sql .= ",price_ht='" . price2num($price)."'";
 $sql .= ",subprice='" . price2num($subprice)."'";
 $sql .= ",remise='" . price2num($remise)."'";
@@ -1794,8 +1794,8 @@ class ContratLigne
 $sql.= " fk_contrat='".$this->fk_contrat."',";
 $sql.= " fk_product=".($this->fk_product?"'".$this->fk_product."'":'null').",";
 $sql.= " statut='".$this->statut."',";
- $sql.= " label='".addslashes($this->label)."',";
- $sql.= " description='".addslashes($this->description)."',";
+ $sql.= " label='".$this->db->escape($this->label)."',";
+ $sql.= " description='".$this->db->escape($this->description)."',";
 $sql.= " date_commande=".($this->date_commande!=''?$this->db->idate($this->date_commande):"null").",";
 $sql.= " date_ouverture_prevue=".($this->date_ouverture_prevue!=''?$this->db->idate($this->date_ouverture_prevue):"null").",";
 $sql.= " date_ouverture=".($this->date_ouverture!=''?$this->db->idate($this->date_ouverture):"null").",";
@@ -1819,7 +1819,7 @@ class ContratLigne
 $sql.= " fk_user_author=".($this->fk_user_author >= 0?$this->fk_user_author:"NULL").",";
 $sql.= " fk_user_ouverture=".($this->fk_user_ouverture > 0?$this->fk_user_ouverture:"NULL").",";
 $sql.= " fk_user_cloture=".($this->fk_user_cloture > 0?$this->fk_user_cloture:"NULL").",";
- $sql.= " commentaire='".addslashes($this->commentaire)."'";
+ $sql.= " commentaire='".$this->db->escape($this->commentaire)."'";
 $sql.= " WHERE rowid=".$this->id;
 dol_syslog("ContratLigne::update sql=".$sql, LOG_DEBUG);
diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php
index 6acbdbdd728..42755cc0125 100644
--- a/htdocs/core/class/commonobject.class.php
+++ b/htdocs/core/class/commonobject.class.php
@@ -563,7 +563,7 @@ class CommonObject
 $sql.= " FROM ".MAIN_DB_PREFIX.$this->table_element." as te";
 if ($this->ismultientitymanaged == 2 || ($this->element != 'societe' && !$this->isnolinkedbythird && !$user->rights->societe->client->voir)) $sql.= ", ".MAIN_DB_PREFIX."societe as s"; // If we need to link to societe to limit select to entity
 if (!$this->isnolinkedbythird && !$user->rights->societe->client->voir) $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON ".$alias.".rowid = sc.fk_soc";
- $sql.= " WHERE te.".$fieldid." < '".addslashes($this->ref)."'";
+ $sql.= " WHERE te.".$fieldid." < '".$this->db->escape($this->ref)."'";
 if (!$this->isnolinkedbythird && !$user->rights->societe->client->voir) $sql.= " AND sc.fk_user = " .$user->id;
 if (! empty($filter)) $sql.=" AND ".$filter;
 if ($this->ismultientitymanaged == 2 || ($this->element != 'societe' && !$this->isnolinkedbythird && !$user->rights->societe->client->voir)) $sql.= ' AND te.fk_soc = s.rowid'; // If we need to link to societe to limit select to entity
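Review bot: In the CommonObject 563 hunk (and the 584 hunk that follows it) the escaped `$this->ref` is the only untrusted-looking input that escape() covers; `$fieldid` is spliced in as a column name and `$filter` is appended as a raw SQL fragment after `AND`, and neither can be protected by value escaping. Since the method signature lies outside the hunk, the contract should at least be written down where these are consumed, e.g. `// $fieldid and $filter are raw SQL fragments (column name / predicate) and must come from code, never from request input`. A longer-term hardening would be to validate `$fieldid` against an allow-list of column names before it reaches the string.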
@@ -584,7 +584,7 @@ class CommonObject
 $sql.= " FROM ".MAIN_DB_PREFIX.$this->table_element." as te";
 if ($this->ismultientitymanaged == 2 || ($this->element != 'societe' && !$this->isnolinkedbythird && !$user->rights->societe->client->voir)) $sql.= ", ".MAIN_DB_PREFIX."societe as s"; // If we need to link to societe to limit select to entity
 if (!$this->isnolinkedbythird && !$user->rights->societe->client->voir) $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON ".$alias.".rowid = sc.fk_soc";
- $sql.= " WHERE te.".$fieldid." > '".addslashes($this->ref)."'";
+ $sql.= " WHERE te.".$fieldid." > '".$this->db->escape($this->ref)."'";
 if (!$this->isnolinkedbythird && !$user->rights->societe->client->voir) $sql.= " AND sc.fk_user = " .$user->id;
 if (isset($filter)) $sql.=" AND ".$filter;
 if ($this->ismultientitymanaged == 2 || ($this->element != 'societe' && !$this->isnolinkedbythird && !$user->rights->societe->client->voir)) $sql.= ' AND te.fk_soc = s.rowid'; // If we need to link to societe to limit select to entity
@@ -925,11 +925,11 @@ class CommonObject
 // TODO uniformize fields note_private
 if ($this->table_element == 'fichinter' || $this->table_element == 'projet' || $this->table_element == 'projet_task')
 {
- $sql.= " SET note_private = '".addslashes($note)."'";
+ $sql.= " SET note_private = '".$this->db->escape($note)."'";
 }
 else
 {
- $sql.= " SET note = '".addslashes($note)."'";
+ $sql.= " SET note = '".$this->db->escape($note)."'";
 }
 $sql.= " WHERE rowid =". $this->id;
@@ -961,7 +961,7 @@ class CommonObject
 }
 $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element;
- $sql.= " SET note_public = '".addslashes($note_public)."'";
+ $sql.= " SET note_public = '".$this->db->escape($note_public)."'";
 $sql.= " WHERE rowid =". $this->id;
 dol_syslog("CommonObject::update_note_public sql=".$sql);
diff --git a/htdocs/core/class/discount.class.php b/htdocs/core/class/discount.class.php
index 3576670709f..0105bf15379 100644
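Review bot: The 584 hunk guards the filter with `if (isset($filter))` while its twin in the 563 hunk uses `if (! empty($filter))`; with `isset`, an empty-string `$filter` (the usual default for such a parameter, though the signature is outside the hunk) appends a dangling `AND` and the query fails. Aligning it with the previous method, `if (! empty($filter)) $sql.=" AND ".$filter;`, removes the divergence. The two methods are otherwise line-for-line copies and would be a good candidate for a shared private helper taking the comparison operator.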
--- a/htdocs/core/class/discount.class.php
+++ b/htdocs/core/class/discount.class.php
@@ -152,7 +152,7 @@ class DiscountAbsolute
 $sql.= " amount_ht, amount_tva, amount_ttc, tva_tx,";
 $sql.= " fk_facture_source";
 $sql.= ")";
- $sql.= " VALUES (".$this->db->idate($this->datec!=''?$this->datec:dol_now()).", ".$this->fk_soc.", ".$user->id.", '".addslashes($this->description)."',";
+ $sql.= " VALUES (".$this->db->idate($this->datec!=''?$this->datec:dol_now()).", ".$this->fk_soc.", ".$user->id.", '".$this->db->escape($this->description)."',";
 $sql.= " ".$this->amount_ht.", ".$this->amount_tva.", ".$this->amount_ttc.", ".$this->tva_tx.",";
 $sql.= " ".($this->fk_facture_source?"'".$this->fk_facture_source."'":"null");
 $sql.= ")";
diff --git a/htdocs/core/class/events.class.php b/htdocs/core/class/events.class.php
index 5a512e2dc67..79f87ddfb6b 100644
--- a/htdocs/core/class/events.class.php
+++ b/htdocs/core/class/events.class.php
@@ -98,7 +98,7 @@ class Events // extends CommonObject
 $sql.= " ".($_SERVER['HTTP_USER_AGENT']?"'".dol_trunc($_SERVER['HTTP_USER_AGENT'],250)."'":'NULL').",";
 $sql.= " ".$this->db->idate($this->dateevent).",";
 $sql.= " ".($user->id?"'".$user->id."'":'NULL').",";
- $sql.= " '".addslashes($this->description)."'";
+ $sql.= " '".$this->db->escape($this->description)."'";
 $sql.= ")";
 dol_syslog("Events::create sql=".$sql, LOG_DEBUG);
@@ -139,7 +139,7 @@ class Events // extends CommonObject
 $sql = "UPDATE ".MAIN_DB_PREFIX."events SET";
 $sql.= " type='".$this->type."',";
 $sql.= " dateevent=".$this->db->idate($this->dateevent).",";
- $sql.= " description='".addslashes($this->description)."'";
+ $sql.= " description='".$this->db->escape($this->description)."'";
 $sql.= " WHERE rowid=".$this->id;
 dol_syslog("Events::update sql=".$sql, LOG_DEBUG);
diff --git a/htdocs/core/class/menubase.class.php b/htdocs/core/class/menubase.class.php
index ed36037fc96..20ea6ec8518 100644
--- a/htdocs/core/class/menubase.class.php
+++ b/htdocs/core/class/menubase.class.php
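Review bot: In the Events::create hunk, `$_SERVER['HTTP_USER_AGENT']` is a request header chosen by the client, yet it is placed inside quotes with only `dol_trunc()` and no `$this->db->escape()`, while `description` three lines later is escaped; this is the one value in the hunk that is attacker-controlled by construction, and an audit-log insert is exactly where that matters. It is also read without `isset()`, so a request with no User-Agent raises a notice. A minimal fix is `$ua = isset($_SERVER['HTTP_USER_AGENT']) ? $this->db->escape(dol_trunc($_SERVER['HTTP_USER_AGENT'],250)) : '';` followed by `$sql.= " ".($ua !== '' ? "'".$ua."'" : 'NULL').",";`. The 139 hunk's `type='".$this->type."'` is likewise quoted but unescaped, though its source is not visible here.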
@@ -195,20 +195,20 @@ class Menubase
 // Update request
 $sql = "UPDATE ".MAIN_DB_PREFIX."menu SET";
- $sql.= " menu_handler='".addslashes($this->menu_handler)."',";
- $sql.= " module='".addslashes($this->module)."',";
+ $sql.= " menu_handler='".$this->db->escape($this->menu_handler)."',";
+ $sql.= " module='".$this->db->escape($this->module)."',";
 $sql.= " type='".$this->type."',";
- $sql.= " mainmenu='".addslashes($this->mainmenu)."',";
+ $sql.= " mainmenu='".$this->db->escape($this->mainmenu)."',";
 $sql.= " fk_menu='".$this->fk_menu."',";
 $sql.= " position='".$this->position."',";
- $sql.= " url='".addslashes($this->url)."',";
- $sql.= " target='".addslashes($this->target)."',";
- $sql.= " titre='".addslashes($this->titre)."',";
- $sql.= " langs='".addslashes($this->langs)."',";
+ $sql.= " url='".$this->db->escape($this->url)."',";
+ $sql.= " target='".$this->db->escape($this->target)."',";
+ $sql.= " titre='".$this->db->escape($this->titre)."',";
+ $sql.= " langs='".$this->db->escape($this->langs)."',";
 $sql.= " level='".$this->level."',";
- $sql.= " leftmenu='".addslashes($this->leftmenu)."',";
- $sql.= " perms='".addslashes($this->perms)."',";
- $sql.= " enabled='".addslashes($this->enabled)."',";
+ $sql.= " leftmenu='".$this->db->escape($this->leftmenu)."',";
+ $sql.= " perms='".$this->db->escape($this->perms)."',";
+ $sql.= " enabled='".$this->db->escape($this->enabled)."',";
 $sql.= " usertype='".$this->user."'";
 $sql.= " WHERE rowid=".$this->id;
diff --git a/htdocs/core/class/notify.class.php b/htdocs/core/class/notify.class.php
index a82fc109e65..05fc5274567 100644
--- a/htdocs/core/class/notify.class.php
+++ b/htdocs/core/class/notify.class.php
@@ -208,7 +208,7 @@ class Notify
 $sendto = htmlentities($sendto);
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."notify (daten, fk_action, fk_contact, objet_type, objet_id, email)";
- $sql.= " VALUES (".$this->db->idate(mktime()).", ".$actiondefid." ,".$obj->cid." , '".$objet_type."', ".$objet_id.", '".addslashes($obj->email)."')";
+ $sql.= " VALUES (".$this->db->idate(mktime()).", ".$actiondefid." ,".$obj->cid." , '".$objet_type."', ".$objet_id.", '".$this->db->escape($obj->email)."')";
 dol_syslog("Notify::send sql=".$sql);
 if (! $this->db->query($sql) ) {
diff --git a/htdocs/ecm/class/ecmdirectory.class.php b/htdocs/ecm/class/ecmdirectory.class.php
index 25dbe90ea83..dbc8126226e 100644
--- a/htdocs/ecm/class/ecmdirectory.class.php
+++ b/htdocs/ecm/class/ecmdirectory.class.php
@@ -131,10 +131,10 @@ class EcmDirectory // extends CommonObject
 $sql.= "date_c,";
 $sql.= "fk_user_c";
 $sql.= ") VALUES (";
- $sql.= " '".addslashes($this->label)."',";
+ $sql.= " '".$this->db->escape($this->label)."',";
 $sql.= " '".$conf->entity."',";
 $sql.= " '".$this->fk_parent."',";
- $sql.= " '".addslashes($this->description)."',";
+ $sql.= " '".$this->db->escape($this->description)."',";
 $sql.= " ".($this->cachenbofdoc).",";
 $sql.= " '".$this->db->idate($this->date_c)."',";
 $sql.= " '".$this->fk_user_c."'";
@@ -201,9 +201,9 @@ class EcmDirectory // extends CommonObject
 // Update request
 $sql = "UPDATE ".MAIN_DB_PREFIX."ecm_directories SET";
- $sql.= " label='".addslashes($this->label)."',";
+ $sql.= " label='".$this->db->escape($this->label)."',";
 $sql.= " fk_parent='".$this->fk_parent."',";
- $sql.= " description='".addslashes($this->description)."'";
+ $sql.= " description='".$this->db->escape($this->description)."'";
 $sql.= " WHERE rowid=".$this->id;
 dol_syslog("EcmDirectories::update sql=".$sql, LOG_DEBUG);
diff --git a/htdocs/expedition/class/expedition.class.php b/htdocs/expedition/class/expedition.class.php
index db63e017cd8..cc1f52dedaf 100644
--- a/htdocs/expedition/class/expedition.class.php
+++ b/htdocs/expedition/class/expedition.class.php
@@ -182,7 +182,7 @@ class Expedition extends CommonObject
 $sql.= ", ".$this->socid;
 $sql.= ", ".($this->fk_delivery_address>0?$this->fk_delivery_address:"null");
 $sql.= ", ".($this->expedition_method_id>0?$this->expedition_method_id:"null");
- $sql.= ", '".addslashes($this->tracking_number)."'";
+ $sql.= ", '".$this->db->escape($this->tracking_number)."'";
 $sql.= ", ".$this->weight;
 $sql.= ", ".$this->sizeS; // TODO Should use this->trueDepth
 $sql.= ", ".$this->sizeW; // TODO Should use this->trueWidth
@@ -664,8 +664,8 @@ class Expedition extends CommonObject
 $sql = "UPDATE ".MAIN_DB_PREFIX."expedition SET";
 $sql.= " tms=".(dol_strlen($this->tms)!=0 ? "'".$this->db->idate($this->tms)."'" : 'null').",";
- $sql.= " ref=".(isset($this->ref)?"'".addslashes($this->ref)."'":"null").",";
- $sql.= " ref_customer=".(isset($this->ref_customer)?"'".addslashes($this->ref_customer)."'":"null").",";
+ $sql.= " ref=".(isset($this->ref)?"'".$this->db->escape($this->ref)."'":"null").",";
+ $sql.= " ref_customer=".(isset($this->ref_customer)?"'".$this->db->escape($this->ref_customer)."'":"null").",";
 $sql.= " fk_soc=".(isset($this->socid)?$this->socid:"null").",";
 $sql.= " date_creation=".(dol_strlen($this->date_creation)!=0 ? "'".$this->db->idate($this->date_creation)."'" : 'null').",";
 $sql.= " fk_user_author=".(isset($this->fk_user_author)?$this->fk_user_author:"null").",";
@@ -675,7 +675,7 @@ class Expedition extends CommonObject
 $sql.= " date_delivery=".(dol_strlen($this->date_delivery)!=0 ? "'".$this->db->idate($this->date_delivery)."'" : 'null').",";
 $sql.= " fk_address=".(isset($this->fk_adresse_livraison)?$this->fk_adresse_livraison:"null").",";
 $sql.= " fk_expedition_methode=".(isset($this->expedition_method_id)?$this->expedition_method_id:"null").",";
- $sql.= " tracking_number=".(isset($this->tracking_number)?"'".addslashes($this->tracking_number)."'":"null").",";
+ $sql.= " tracking_number=".(isset($this->tracking_number)?"'".$this->db->escape($this->tracking_number)."'":"null").",";
 $sql.= " fk_statut=".(isset($this->statut)?$this->statut:"null").",";
 $sql.= " height=".(isset($this->trueHeight)?$this->trueHeight:"null").",";
 $sql.= " width=".(isset($this->trueWidth)?$this->trueWidth:"null").",";
@@ -683,8 +683,8 @@ class Expedition extends CommonObject
 $sql.= " size=".(isset($this->trueDepth)?$this->trueDepth:"null").",";
 $sql.= " weight_units=".(isset($this->weight_units)?$this->weight_units:"null").",";
 $sql.= " weight=".(isset($this->trueWeight)?$this->trueWeight:"null").",";
- $sql.= " note=".(isset($this->note)?"'".addslashes($this->note)."'":"null").",";
- $sql.= " model_pdf=".(isset($this->model_pdf)?"'".addslashes($this->model_pdf)."'":"null").",";
+ $sql.= " note=".(isset($this->note)?"'".$this->db->escape($this->note)."'":"null").",";
+ $sql.= " model_pdf=".(isset($this->model_pdf)?"'".$this->db->escape($this->model_pdf)."'":"null").",";
 $sql.= " entity=".$conf->entity;
 $sql.= " WHERE rowid=".$this->id;
diff --git a/htdocs/fichinter/class/fichinter.class.php b/htdocs/fichinter/class/fichinter.class.php
index ef80f05f3e9..e26ab4bc00a 100644
--- a/htdocs/fichinter/class/fichinter.class.php
+++ b/htdocs/fichinter/class/fichinter.class.php
@@ -141,7 +141,7 @@ class Fichinter extends CommonObject
  $sql.= ", '".$this->ref."'";
  $sql.= ", ".$conf->entity;
  $sql.= ", ".$this->author;
- $sql.= ", ".($this->description?"'".addslashes($this->description)."'":"null");
+ $sql.= ", ".($this->description?"'".$this->db->escape($this->description)."'":"null");
  $sql.= ", '".$this->modelpdf."'";
  $sql.= ", ".($this->fk_project ? $this->fk_project : 0);
  $sql.= ", ".$this->statut;
@@ -180,7 +180,7 @@ class Fichinter extends CommonObject
  * Insertion dans la base
  */
  $sql = "UPDATE ".MAIN_DB_PREFIX."fichinter SET ";
- $sql.= ", description = '".addslashes($this->description)."'";
+ $sql.= ", description = '".$this->db->escape($this->description)."'";
  $sql.= ", duree = ".$this->duree;
  $sql.= ", fk_projet = ".$this->fk_project;
  $sql.= " WHERE rowid = ".$id;
@@ -638,7 +638,7 @@ class Fichinter extends CommonObject
  if ($user->rights->ficheinter->creer)
  {
  $sql = "UPDATE ".MAIN_DB_PREFIX."fichinter ";
- $sql.= " SET description = '".addslashes($description)."'";
+ $sql.= " SET description = '".$this->db->escape($description)."'";
  $sql.= " WHERE rowid = ".$this->id;
  $sql.= " AND entity = ".$conf->entity;
  $sql.= " AND fk_statut = 0";
@@ -895,7 +895,7 @@ class FichinterLigne
  $sql = 'INSERT INTO '.MAIN_DB_PREFIX.'fichinterdet';
  $sql.= ' (fk_fichinter, description, date, duree, rang)';
  $sql.= " VALUES (".$this->fk_fichinter.",";
- $sql.= " '".addslashes($this->desc)."',";
+ $sql.= " '".$this->db->escape($this->desc)."',";
  $sql.= " ".$this->db->idate($this->datei).",";
  $sql.= " ".$this->duration.",";
  $sql.= ' '.$rangToUse;
@@ -938,7 +938,7 @@ class FichinterLigne
  // Mise a jour ligne en base
  $sql = "UPDATE ".MAIN_DB_PREFIX."fichinterdet SET";
- $sql.= " description='".addslashes($this->desc)."'";
+ $sql.= " description='".$this->db->escape($this->desc)."'";
  $sql.= ",date=".$this->db->idate($this->datei);
  $sql.= ",duree=".$this->duration;
  $sql.= ",rang='".$this->rang."'";
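Review bot: In the `@@ -180` hunk the rewritten line still begins with a comma directly after `SET `, so the statement reads `UPDATE ...fichinter SET , description = ...` and is invalid SQL; it should be `$sql.= " description = '".$this->db->escape($this->description)."'";`. In the `@@ -141` hunk the lines around the changed one still concatenate `$this->ref` and `$this->modelpdf` raw inside quotes, so the same `$this->db->escape()` treatment belongs there too. The enclosing methods start and end outside these hunks.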
diff --git a/htdocs/fourn/class/fournisseur.class.php b/htdocs/fourn/class/fournisseur.class.php
index cea327c9b49..0a6d25e6674 100644
--- a/htdocs/fourn/class/fournisseur.class.php
+++ b/htdocs/fourn/class/fournisseur.class.php
@@ -222,7 +222,7 @@ class Fournisseur extends Societe
  {
  $sql = "INSERT INTO ".MAIN_DB_PREFIX."categorie (label,visible,type)";
  $sql.= " VALUES ";
- $sql.= " ('".addslashes($name)."',1,1)";
+ $sql.= " ('".$this->db->escape($name)."',1,1)";
  dol_syslog("Fournisseur::CreateCategory sql=".$sql);
  $resql = $this->db->query($sql);
diff --git a/htdocs/fourn/class/fournisseur.commande.class.php b/htdocs/fourn/class/fournisseur.commande.class.php
index 895d9452039..8838332bca4 100644
--- a/htdocs/fourn/class/fournisseur.commande.class.php
+++ b/htdocs/fourn/class/fournisseur.commande.class.php
@@ -232,7 +232,7 @@ class CommandeFournisseur extends Commande
  $sql = "INSERT INTO ".MAIN_DB_PREFIX."commande_fournisseur_log (datelog, fk_commande, fk_statut, fk_user, comment)";
  $sql.= " VALUES (".$this->db->idate($datelog).",".$this->id.", ".$statut.", ";
  $sql.= $user->id.", ";
- $sql.= ($comment?"'".addslashes($comment)."'":'null');
+ $sql.= ($comment?"'".$this->db->escape($comment)."'":'null');
  $sql.= ")";
  dol_syslog("FournisseurCommande::log sql=".$sql, LOG_DEBUG);
@@ -926,7 +926,7 @@ class CommandeFournisseur extends Commande
  $sql.= " qty, tva_tx, localtax1_tx, localtax2_tx, remise_percent, subprice, remise, ref,";
  $sql.= " total_ht, total_tva, total_localtax1, total_localtax2, total_ttc";
  $sql.= ")";
- $sql.= " VALUES (".$this->id.", '" . addslashes($label) . "','" . addslashes($desc) . "',";
+ $sql.= " VALUES (".$this->id.", '" . $this->db->escape($label) . "','" . $this->db->escape($desc) . "',";
  if ($fk_product) { $sql.= $fk_product.","; } else { $sql.= "null,"; }
  $sql.= "'".$product_type."',";
@@ -1230,7 +1230,7 @@ class CommandeFournisseur extends Commande
  $sql = "INSERT INTO ".MAIN_DB_PREFIX."commande_fournisseurdet";
  $sql .= " (fk_commande,label,description,fk_product, price, qty, tva_tx, localtax1_tx, localtax2_tx, remise_percent, subprice, remise, ref)";
- $sql .= " VALUES (".$idc.", '" . addslashes($libelle) . "','" . addslashes($comclient->lines[$i]->desc) . "'";
+ $sql .= " VALUES (".$idc.", '" . $this->db->escape($libelle) . "','" . $this->db->escape($comclient->lines[$i]->desc) . "'";
  $sql .= ",".$comclient->lines[$i]->fk_product.",'".price2num($comclient->lines[$i]->price)."'";
  $sql .= ", '".$comclient->lines[$i]->qty."', ".$comclient->lines[$i]->tva_tx.", ".$comclient->lines[$i]->localtax1_tx.", ".$comclient->lines[$i]->localtax2_tx.", ".$comclient->lines[$i]->remise_percent;
  $sql .= ", '".price2num($comclient->lines[$i]->subprice)."','0','".$ref."') ;";
@@ -1257,8 +1257,8 @@ class CommandeFournisseur extends Commande
  $result = 0;
  $sql = "UPDATE ".MAIN_DB_PREFIX."commande_fournisseur";
- $sql.= " SET note ='".addslashes($note)."',";
- $sql.= " note_public ='".addslashes($note_public)."'";
+ $sql.= " SET note ='".$this->db->escape($note)."',";
+ $sql.= " note_public ='".$this->db->escape($note_public)."'";
  $sql.= " WHERE rowid = ".$this->id;
  dol_syslog("CommandeFournisseur::UpdateNote sql=".$sql);
@@ -1424,7 +1424,7 @@ class CommandeFournisseur extends Commande
  // Mise a jour ligne en base
  $sql = "UPDATE ".MAIN_DB_PREFIX."commande_fournisseurdet SET";
- $sql.= " description='".addslashes($desc)."'";
+ $sql.= " description='".$this->db->escape($desc)."'";
  $sql.= ",subprice='".price2num($subprice)."'";
  $sql.= ",remise='".price2num($remise)."'";
  $sql.= ",remise_percent='".price2num($remise_percent)."'";
diff --git a/htdocs/fourn/class/fournisseur.facture.class.php b/htdocs/fourn/class/fournisseur.facture.class.php
index be0aa69a82b..d346e79ca30 100644
--- a/htdocs/fourn/class/fournisseur.facture.class.php
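Review bot: In the `@@ -1230` hunk `$ref` and `$comclient->lines[$i]->qty` are still concatenated raw inside quotes on the lines right after the one the commit escapes, so the escaping of this VALUES clause is incomplete; the string one should at least read `'".$this->db->escape($ref)."'`, and a numeric cast would document the quantity. The enclosing method starts and ends outside the hunk.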
+++ b/htdocs/fourn/class/fournisseur.facture.class.php
@@ -569,19 +569,19 @@ class FactureFournisseur extends Facture
  // Update request
  $sql = "UPDATE ".MAIN_DB_PREFIX."facture_fourn SET";
- $sql.= " facnumber=".(isset($this->facnumber)?"'".addslashes($this->facnumber)."'":"null").",";
+ $sql.= " facnumber=".(isset($this->facnumber)?"'".$this->db->escape($this->facnumber)."'":"null").",";
  $sql.= " entity=".(isset($this->entity)?$this->entity:"null").",";
  $sql.= " type=".(isset($this->type)?$this->type:"null").",";
  $sql.= " fk_soc=".(isset($this->fk_soc)?$this->fk_soc:"null").",";
  $sql.= " datec=".(dol_strlen($this->datec)!=0 ? "'".$this->db->idate($this->datec)."'" : 'null').",";
  $sql.= " datef=".(dol_strlen($this->date)!=0 ? "'".$this->db->idate($this->date)."'" : 'null').",";
  $sql.= " tms=".(dol_strlen($this->tms)!=0 ? "'".$this->db->idate($this->tms)."'" : 'null').",";
- $sql.= " libelle=".(isset($this->label)?"'".addslashes($this->label)."'":"null").",";
+ $sql.= " libelle=".(isset($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
  $sql.= " paye=".(isset($this->paye)?$this->paye:"null").",";
  $sql.= " amount=".(isset($this->amount)?$this->amount:"null").",";
  $sql.= " remise=".(isset($this->remise)?$this->remise:"null").",";
- $sql.= " close_code=".(isset($this->close_code)?"'".addslashes($this->close_code)."'":"null").",";
- $sql.= " close_note=".(isset($this->close_note)?"'".addslashes($this->close_note)."'":"null").",";
+ $sql.= " close_code=".(isset($this->close_code)?"'".$this->db->escape($this->close_code)."'":"null").",";
+ $sql.= " close_note=".(isset($this->close_note)?"'".$this->db->escape($this->close_note)."'":"null").",";
  $sql.= " tva=".(isset($this->tva)?$this->tva:"null").",";
  $sql.= " localtax1=".(isset($this->localtax1)?$this->localtax1:"null").",";
  $sql.= " localtax2=".(isset($this->localtax2)?$this->localtax2:"null").",";
@@ -596,10 +596,10 @@ class FactureFournisseur extends Facture
  $sql.= " fk_projet=".(isset($this->fk_project)?$this->fk_project:"null").",";
  $sql.= " fk_cond_reglement=".(isset($this->fk_cond_reglement)?$this->fk_cond_reglement:"null").",";
  $sql.= " date_lim_reglement=".(dol_strlen($this->date_echeance)!=0 ? "'".$this->db->idate($this->date_echeance)."'" : 'null').",";
- $sql.= " note=".(isset($this->note)?"'".addslashes($this->note)."'":"null").",";
- $sql.= " note_public=".(isset($this->note_public)?"'".addslashes($this->note_public)."'":"null").",";
- $sql.= " model_pdf=".(isset($this->model_pdf)?"'".addslashes($this->model_pdf)."'":"null").",";
- $sql.= " import_key=".(isset($this->import_key)?"'".addslashes($this->import_key)."'":"null")."";
+ $sql.= " note=".(isset($this->note)?"'".$this->db->escape($this->note)."'":"null").",";
+ $sql.= " note_public=".(isset($this->note_public)?"'".$this->db->escape($this->note_public)."'":"null").",";
+ $sql.= " model_pdf=".(isset($this->model_pdf)?"'".$this->db->escape($this->model_pdf)."'":"null").",";
+ $sql.= " import_key=".(isset($this->import_key)?"'".$this->db->escape($this->import_key)."'":"null")."";
  $sql.= " WHERE rowid=".$this->id;
  $this->db->begin();
@@ -700,7 +700,7 @@ class FactureFournisseur extends Facture
  {
  if ($user->rights->fournisseur->facture->creer)
  {
- $sql = 'UPDATE '.MAIN_DB_PREFIX.'facture_fourn SET facnumber = '.(empty($ref_supplier) ? 'NULL' : '\''.addslashes($ref_supplier).'\'');
+ $sql = 'UPDATE '.MAIN_DB_PREFIX.'facture_fourn SET facnumber = '.(empty($ref_supplier) ? 'NULL' : '\''.$this->db->escape($ref_supplier).'\'');
  $sql.= ' WHERE rowid = '.$this->id;
  dol_syslog("FactureFournisseur::set_ref_supplier sql=".$sql);
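Review bot: In the `@@ -700` hunk `empty($ref_supplier)` is true for the string `"0"`, so a supplier reference of `0` is stored as NULL instead of being escaped and saved; this file already uses `dol_strlen(...) != 0` as its presence check, so `(dol_strlen($ref_supplier) == 0 ? 'NULL' : ...)` would keep that value. The enclosing method starts and ends outside the hunk.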
@@ -1096,7 +1096,7 @@ class FactureFournisseur extends Facture
  }
  $sql = "UPDATE ".MAIN_DB_PREFIX."facture_fourn_det SET";
- $sql.= " description ='".addslashes($label)."'";
+ $sql.= " description ='".$this->db->escape($label)."'";
  $sql.= ", pu_ht = ".price2num($pu_ht);
  $sql.= ", pu_ttc = ".price2num($pu_ttc);
  $sql.= ", qty = ".price2num($qty);
diff --git a/htdocs/fourn/class/paiementfourn.class.php b/htdocs/fourn/class/paiementfourn.class.php
index 9f04b9b5e3a..ea4bd666e1e 100644
--- a/htdocs/fourn/class/paiementfourn.class.php
+++ b/htdocs/fourn/class/paiementfourn.class.php
@@ -145,7 +145,7 @@ class PaiementFourn extends Paiement
  $sql = 'INSERT INTO '.MAIN_DB_PREFIX.'paiementfourn (';
  $sql.= 'datec, datep, amount, fk_paiement, num_paiement, note, fk_user_author, fk_bank)';
  $sql.= ' VALUES ('.$this->db->idate(mktime()).',';
- $sql.= " ".$this->db->idate($this->datepaye).", '".$this->total."', ".$this->paiementid.", '".$this->num_paiement."', '".addslashes($this->note)."', ".$user->id.", 0)";
+ $sql.= " ".$this->db->idate($this->datepaye).", '".$this->total."', ".$this->paiementid.", '".$this->num_paiement."', '".$this->db->escape($this->note)."', ".$user->id.", 0)";
  dol_syslog("PaiementFourn::create sql=".$sql);
  $resql = $this->db->query($sql);
diff --git a/htdocs/imports/class/import.class.php b/htdocs/imports/class/import.class.php
index 911d81da033..f7bcf3f8099 100644
--- a/htdocs/imports/class/import.class.php
+++ b/htdocs/imports/class/import.class.php
@@ -230,7 +230,7 @@ class Import
  $sql = 'INSERT INTO '.MAIN_DB_PREFIX.'import_model (';
  $sql.= 'label, type, field)';
- $sql.= " VALUES ('".addslashes($this->model_name)."', '".$this->datatoimport."', '".$this->hexa."')";
+ $sql.= " VALUES ('".$this->db->escape($this->model_name)."', '".$this->datatoimport."', '".$this->hexa."')";
  dol_syslog("Import::create sql=".$sql, LOG_DEBUG);
  $resql=$this->db->query($sql);
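Review bot: `$this->num_paiement` in the `@@ -145` hunk of paiementfourn.class.php and `$this->datatoimport` / `$this->hexa` in the `@@ -230` hunk of import.class.php sit in the very VALUES lists the commit edits but are still concatenated raw inside quotes; they should go through `$this->db->escape()` like the neighbouring note and label. Where one of them is guaranteed numeric, a cast would document that instead. Both enclosing methods start outside their hunks.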
diff --git a/htdocs/livraison/class/livraison.class.php b/htdocs/livraison/class/livraison.class.php
index 509642857aa..328590249b7 100644
--- a/htdocs/livraison/class/livraison.class.php
+++ b/htdocs/livraison/class/livraison.class.php
@@ -125,7 +125,7 @@ class Livraison extends CommonObject
  $numref = "(PROV".$this->id.")";
  $sql = "UPDATE ".MAIN_DB_PREFIX."livraison ";
- $sql.= "SET ref = '".addslashes($numref)."'";
+ $sql.= "SET ref = '".$this->db->escape($numref)."'";
  $sql.= " WHERE rowid = ".$this->id;
  dol_syslog("Livraison::create sql=".$sql, LOG_DEBUG);
@@ -220,7 +220,7 @@ class Livraison extends CommonObject
  $sql.= " fk_product, description, qty)";
  $sql.= " VALUES (".$this->id.",".$commande_ligne_id.",";
  $sql.= " ".($idprod>0?$idprod:"null").",";
- $sql.= " ".($description?"'".addslashes($description)."'":"null").",";
+ $sql.= " ".($description?"'".$this->db->escape($description)."'":"null").",";
  $sql.= $qty.")";
  dol_syslog("Livraison::create_line sql=".$sql, LOG_DEBUG);
@@ -365,7 +365,7 @@ class Livraison extends CommonObject
  }
  $sql = "UPDATE ".MAIN_DB_PREFIX."livraison SET";
- $sql.= " ref='".addslashes($this->ref)."'";
+ $sql.= " ref='".$this->db->escape($this->ref)."'";
  $sql.= ", fk_statut = 1";
  $sql.= ", date_valid = ".$this->db->idate(mktime());
  $sql.= ", fk_user_valid = ".$user->id;
diff --git a/htdocs/product/canvas/default/product.default.class.php b/htdocs/product/canvas/default/product.default.class.php
index 025a4e2a77c..41e9b68fc61 100644
--- a/htdocs/product/canvas/default/product.default.class.php
+++ b/htdocs/product/canvas/default/product.default.class.php
@@ -207,7 +207,7 @@ class ProductDefault extends Product
  {
  if ($field['enabled'])
  {
- $sql.= $clause." ".$field['name']." LIKE '%".addslashes($sall)."%'";
+ $sql.= $clause." ".$field['name']." LIKE '%".$this->db->escape($sall)."%'";
  if ($clause=='') $clause = ' OR';
  }
  }
@@ -220,17 +220,17 @@ class ProductDefault extends Product
  if ($field['enabled'])
  {
  $fieldname = "s".$field['alias'];
- if (${$fieldname}) $sql.= " AND ".$field['name']." LIKE '%".addslashes(${$fieldname})."%'";
+ if (${$fieldname}) $sql.= " AND ".$field['name']." LIKE '%".$this->db->escape(${$fieldname})."%'";
  }
  }
  if (isset($_GET["tosell"]) && dol_strlen($_GET["tosell"]) > 0)
  {
- $sql.= " AND p.tosell = ".addslashes($_GET["tosell"]);
+ $sql.= " AND p.tosell = ".$this->db->escape($_GET["tosell"]);
  }
  if (isset($_GET["canvas"]) && dol_strlen($_GET["canvas"]) > 0)
  {
- $sql.= " AND p.canvas = '".addslashes($_GET["canvas"])."'";
+ $sql.= " AND p.canvas = '".$this->db->escape($_GET["canvas"])."'";
  }
  $sql.= $this->db->order($sortfield,$sortorder);
  $sql.= $this->db->plimit($limit + 1 ,$offset);
diff --git a/htdocs/product/canvas/service/product.service.class.php b/htdocs/product/canvas/service/product.service.class.php
index 015d2bed812..cde84e16fb6 100644
--- a/htdocs/product/canvas/service/product.service.class.php
+++ b/htdocs/product/canvas/service/product.service.class.php
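Review bot: `p.tosell = ".$this->db->escape($_GET["tosell"])` in the `@@ -220` hunk interpolates request input with no surrounding quotes, so quote-escaping does nothing to constrain what ends up in the statement; a numeric comparison should be built from a cast, `$sql.= " AND p.tosell = ".(int) $_GET["tosell"];`. The same unquoted pattern appears in product.service.class.php at `@@ -155` (`p.tosell`) and `@@ -179` (`cp.fk_categorie = ".$this->db->escape($search_categ)`). The `LIKE '%...%'` filters here and in `@@ -207` also pass `%` and `_` through `escape()` unchanged, which deserves a comment if wildcard input is intended. The enclosing method starts outside the hunk.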
@@ -155,18 +155,18 @@ class ProductService extends Product
  if (!$user->rights->service->hidden) $sql.=' AND (p.hidden=0 OR p.fk_product_type != 1)';
  if ($sall)
  {
- $sql.= " AND (p.ref like '%".addslashes($sall)."%' OR p.label like '%".addslashes($sall)."%' OR p.description like '%".addslashes($sall)."%' OR p.note like '%".addslashes($sall)."%')";
+ $sql.= " AND (p.ref like '%".$this->db->escape($sall)."%' OR p.label like '%".$this->db->escape($sall)."%' OR p.description like '%".$this->db->escape($sall)."%' OR p.note like '%".$this->db->escape($sall)."%')";
  }
  if ($sref) $sql.= " AND p.ref like '%".$sref."%'";
  if ($sbarcode) $sql.= " AND p.barcode like '%".$sbarcode."%'";
- if ($snom) $sql.= " AND p.label like '%".addslashes($snom)."%'";
+ if ($snom) $sql.= " AND p.label like '%".$this->db->escape($snom)."%'";
  if (isset($_GET["tosell"]) && dol_strlen($_GET["tosell"]) > 0)
  {
- $sql.= " AND p.tosell = ".addslashes($_GET["tosell"]);
+ $sql.= " AND p.tosell = ".$this->db->escape($_GET["tosell"]);
  }
  if (isset($_GET["canvas"]) && dol_strlen($_GET["canvas"]) > 0)
  {
- $sql.= " AND p.canvas = '".addslashes($_GET["canvas"])."'";
+ $sql.= " AND p.canvas = '".$this->db->escape($_GET["canvas"])."'";
  }
  if($catid)
  {
@@ -179,7 +179,7 @@ class ProductService extends Product
  // Insert categ filter
  if ($search_categ)
  {
- $sql .= " AND cp.fk_categorie = ".addslashes($search_categ);
+ $sql .= " AND cp.fk_categorie = ".$this->db->escape($search_categ);
  }
  $sql.= $this->db->order($sortfield,$sortorder);
  $sql.= $this->db->plimit($limit + 1 ,$offset);
diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index 4b14070037b..090f22e67fb 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
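Review bot: In the `@@ -155` hunk `$sref` and `$sbarcode` are concatenated raw into `LIKE '%...%'` on the two lines directly after the escaped `$sall` line, while `$snom` on the line below them is escaped; they should read `'%".$this->db->escape($sref)."%'` and `'%".$this->db->escape($sbarcode)."%'`. The enclosing method starts outside the hunk.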
@@ -290,7 +290,7 @@ class Product extends CommonObject
  $sql.= ", '".$this->ref."'";
  $sql.= ", ".price2num($price_min_ht);
  $sql.= ", ".price2num($price_min_ttc);
- $sql.= ", ".($this->libelle?"'".addslashes($this->libelle)."'":"null");
+ $sql.= ", ".($this->libelle?"'".$this->db->escape($this->libelle)."'":"null");
  $sql.= ", ".$user->id;
  $sql.= ", ".$this->type;
  $sql.= ", ".price2num($price_ht);
@@ -448,7 +448,7 @@ class Product extends CommonObject
  $this->accountancy_code_sell= trim($this->accountancy_code_sell);
  $sql = "UPDATE ".MAIN_DB_PREFIX."product";
- $sql.= " SET label = '" . addslashes($this->libelle) ."'";
+ $sql.= " SET label = '" . $this->db->escape($this->libelle) ."'";
  $sql.= ",ref = '" . $this->ref ."'";
  $sql.= ",tva_tx = " . $this->tva_tx;
@@ -469,10 +469,10 @@ class Product extends CommonObject
  $sql.= ",volume = " . ($this->volume!='' ? "'".$this->volume."'" : 'null');
  $sql.= ",volume_units = " . ($this->volume_units!='' ? "'".$this->volume_units."'" : 'null');
  $sql.= ",seuil_stock_alerte = " . ((isset($this->seuil_stock_alerte) && $this->seuil_stock_alerte != '') ? "'".$this->seuil_stock_alerte."'" : "null");
- $sql.= ",description = '" . addslashes($this->description) ."'";
- $sql.= ",customcode = '" . addslashes($this->customcode) ."'";
+ $sql.= ",description = '" . $this->db->escape($this->description) ."'";
+ $sql.= ",customcode = '" . $this->db->escape($this->customcode) ."'";
  $sql.= ",fk_country = " . ($this->country_id > 0 ? $this->country_id : 'null');
- $sql.= ",note = '" . addslashes($this->note) ."'";
+ $sql.= ",note = '" . $this->db->escape($this->note) ."'";
  $sql.= ",duration = '" . $this->duration_value . $this->duration_unit ."'";
  $sql.= ",accountancy_code_buy = '" . $this->accountancy_code_buy."'";
  $sql.= ",accountancy_code_sell= '" . $this->accountancy_code_sell."'";
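Review bot: In the `@@ -448` hunk `,ref = '" . $this->ref ."'"` directly under the newly escaped label is still raw, and `@@ -290` writes `'".$this->ref."'` the same way; `$this->db->escape($this->ref)` belongs in both places. In `@@ -469` the quoted `duration`, `accountancy_code_buy` and `accountancy_code_sell` values are likewise concatenated without escaping. The enclosing methods start and end outside these hunks.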
@@ -627,17 +627,17 @@ class Product extends CommonObject
  if ($this->db->num_rows($result)) // si aucune ligne dans la base
  {
  $sql2 = "UPDATE ".MAIN_DB_PREFIX."product_lang";
- $sql2.= " SET label='".addslashes($this->libelle)."',";
- $sql2.= " description='".addslashes($this->description)."',";
- $sql2.= " note='".addslashes($this->note)."'";
+ $sql2.= " SET label='".$this->db->escape($this->libelle)."',";
+ $sql2.= " description='".$this->db->escape($this->description)."',";
+ $sql2.= " note='".$this->db->escape($this->note)."'";
  $sql2.= " WHERE fk_product=".$this->id." AND lang='".$key."'";
  }
  else
  {
  $sql2 = "INSERT INTO ".MAIN_DB_PREFIX."product_lang (fk_product, lang, label, description, note)";
- $sql2.= " VALUES(".$this->id.",'".$key."','". addslashes($this->libelle);
- $sql2.= "','".addslashes($this->description);
- $sql2.= "','".addslashes($this->note)."')";
+ $sql2.= " VALUES(".$this->id.",'".$key."','". $this->db->escape($this->libelle);
+ $sql2.= "','".$this->db->escape($this->description);
+ $sql2.= "','".$this->db->escape($this->note)."')";
  }
  if (!$this->db->query($sql2)) return -1;
  }
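Review bot: `lang='".$key."'` in the UPDATE and `'".$key."'` in the INSERT of the `@@ -627` hunk are still concatenated raw while every other string in those statements is now escaped; `$this->db->escape($key)` would make both statements consistent. The `@@ -646` hunk builds the same two statements with the same raw `$key`. The enclosing method starts and ends outside the hunk.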
@@ -646,17 +646,17 @@ class Product extends CommonObject
  if ($this->db->num_rows($result)) // si aucune ligne dans la base
  {
  $sql2 = "UPDATE ".MAIN_DB_PREFIX."product_lang";
- $sql2.= " SET label='".addslashes($this->multilangs["$key"]["libelle"])."',";
- $sql2.= " description='".addslashes($this->multilangs["$key"]["description"])."',";
- $sql2.= " note='".addslashes($this->multilangs["$key"]["note"])."'";
+ $sql2.= " SET label='".$this->db->escape($this->multilangs["$key"]["libelle"])."',";
+ $sql2.= " description='".$this->db->escape($this->multilangs["$key"]["description"])."',";
+ $sql2.= " note='".$this->db->escape($this->multilangs["$key"]["note"])."'";
  $sql2.= " WHERE fk_product=".$this->id." AND lang='".$key."'";
  }
  else
  {
  $sql2 = "INSERT INTO ".MAIN_DB_PREFIX."product_lang (fk_product, lang, label, description, note)";
- $sql2.= " VALUES(".$this->id.",'".$key."','". addslashes($this->multilangs["$key"]["libelle"]);
- $sql2.= "','".addslashes($this->multilangs["$key"]["description"]);
- $sql2.= "','".addslashes($this->multilangs["$key"]["note"])."')";
+ $sql2.= " VALUES(".$this->id.",'".$key."','". $this->db->escape($this->multilangs["$key"]["libelle"]);
+ $sql2.= "','".$this->db->escape($this->multilangs["$key"]["description"]);
+ $sql2.= "','".$this->db->escape($this->multilangs["$key"]["note"])."')";
  }
  // on ne sauvegarde pas des champs vides
@@ -990,7 +990,7 @@ class Product extends CommonObject
  $sql.= " import_key";
  $sql.= " FROM ".MAIN_DB_PREFIX."product";
  if ($id) $sql.= " WHERE rowid = '".$id."'";
- if ($ref) $sql.= " WHERE ref = '".addslashes($ref)."'";
+ if ($ref) $sql.= " WHERE ref = '".$this->db->escape($ref)."'";
  dol_syslog("Product::fetch sql=".$sql);
  $result = $this->db->query($sql);
@@ -2097,7 +2097,7 @@ class Product extends CommonObject
  $prods = array ();
  while ($record = $this->db->fetch_array ($res))
  {
- $prods[addslashes($record['label'])] = array(0=>$record['id']);
+ $prods[$this->db->escape($record['label'])] = array(0=>$record['id']);
  }
  return $prods;
  }
@@ -2127,12 +2127,12 @@ class Product extends CommonObject
  $prods = array();
  while ($rec = $this->db->fetch_array($res))
  {
- //$prods[addslashes($rec['label'])]= array(0=>$rec['id'],1=>$rec['qty'],2=>$rec['fk_product_type']);
- $prods[addslashes($rec['label'])]= array(0=>$rec['id'],1=>$rec['qty']);
+ //$prods[$this->db->escape($rec['label'])]= array(0=>$rec['id'],1=>$rec['qty'],2=>$rec['fk_product_type']);
+ $prods[$this->db->escape($rec['label'])]= array(0=>$rec['id'],1=>$rec['qty']);
  $listofchilds=$this->getChildsArbo($rec['id']);
  foreach($listofchilds as $keyChild => $valueChild)
  {
- $prods[addslashes($rec['label'])][$keyChild] = $valueChild;
+ $prods[$this->db->escape($rec['label'])][$keyChild] = $valueChild;
  }
  }
  //var_dump($prods);
diff --git a/htdocs/product/stock/class/entrepot.class.php b/htdocs/product/stock/class/entrepot.class.php
index 309c18845cd..939ca52a5a2 100644
--- a/htdocs/product/stock/class/entrepot.class.php
+++ b/htdocs/product/stock/class/entrepot.class.php
@@ -81,7 +81,7 @@ class Entrepot extends CommonObject
  $this->db->begin();
  $sql = "INSERT INTO ".MAIN_DB_PREFIX."entrepot (datec, fk_user_author, label)";
- $sql .= " VALUES (".$this->db->idate(mktime()).",".$user->id.",'".addslashes($this->libelle)."')";
+ $sql .= " VALUES (".$this->db->idate(mktime()).",".$user->id.",'".$this->db->escape($this->libelle)."')";
  dol_syslog("Entrepot::create sql=".$sql);
  $result=$this->db->query($sql);
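Review bot: In the `@@ -2097` and `@@ -2127` hunks `$this->db->escape()` is applied to `$record['label']` / `$rec['label']`, a value just read back with `fetch_array` and used as a PHP array key rather than as a SQL literal; escaping at that point only mangles labels containing quotes or backslashes in the returned map, so the keys should be the plain `$record['label']`, with escaping done where a caller puts the key into a statement, if one does. The `@@ -2127` hunk also rewrites a commented-out line, which could simply be deleted instead of maintained.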
@@ -127,13 +127,13 @@ class Entrepot extends CommonObject
  */
  function update($id, $user)
  {
- $this->libelle=addslashes(trim($this->libelle));
- $this->description=addslashes(trim($this->description));
+ $this->libelle=$this->db->escape(trim($this->libelle));
+ $this->description=$this->db->escape(trim($this->description));
- $this->lieu=addslashes(trim($this->lieu));
- $this->address=addslashes(trim($this->address));
+ $this->lieu=$this->db->escape(trim($this->lieu));
+ $this->address=$this->db->escape(trim($this->address));
  $this->cp=trim($this->cp);
- $this->ville=addslashes(trim($this->ville));
+ $this->ville=$this->db->escape(trim($this->ville));
  $this->pays_id=trim($this->pays_id?$this->pays_id:0);
  $sql = "UPDATE ".MAIN_DB_PREFIX."entrepot ";
diff --git a/htdocs/product/stock/class/mouvementstock.class.php b/htdocs/product/stock/class/mouvementstock.class.php
index 4ac54f0e184..2258ec6fc26 100644
--- a/htdocs/product/stock/class/mouvementstock.class.php
+++ b/htdocs/product/stock/class/mouvementstock.class.php
@@ -75,7 +75,7 @@ class MouvementStock
  $sql.= " (datem, fk_product, fk_entrepot, value, type_mouvement, fk_user_author, label, price)";
  $sql.= " VALUES ('".$this->db->idate($now)."', ".$fk_product.", ".$entrepot_id.", ".$qty.", ".$type.",";
  $sql.= " ".$user->id.",";
- $sql.= " '".addslashes($label)."',";
+ $sql.= " '".$this->db->escape($label)."',";
  $sql.= " '".price2num($price)."')";
  dol_syslog("MouvementStock::_create sql=".$sql, LOG_DEBUG);
diff --git a/htdocs/projet/class/project.class.php b/htdocs/projet/class/project.class.php
index 545e9fdbafb..56a333911f3 100644
--- a/htdocs/projet/class/project.class.php
+++ b/htdocs/projet/class/project.class.php
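Review bot: In the `@@ -127` hunk the escaped strings are written back into `$this->libelle`, `$this->description`, `$this->lieu`, `$this->address` and `$this->ville`, so after `update()` the object carries DB-escaped values and a second `update()` call escapes them again; keep the properties as trimmed values (`$this->libelle=trim($this->libelle);`) and apply `$this->db->escape()` only where the UPDATE statement is assembled. `$this->cp` on the same block is trimmed but never escaped. The statement building continues past the end of the hunk.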
@@ -103,9 +103,9 @@ class Project extends CommonObject
  $sql.= ", dateo";
  $sql.= ", datee";
  $sql.= ") VALUES (";
- $sql.= "'".addslashes($this->ref)."'";
- $sql.= ", '".addslashes($this->title)."'";
- $sql.= ", '".addslashes($this->description)."'";
+ $sql.= "'".$this->db->escape($this->ref)."'";
+ $sql.= ", '".$this->db->escape($this->title)."'";
+ $sql.= ", '".$this->db->escape($this->description)."'";
  $sql.= ", ".($this->socid > 0?$this->socid:"null");
  $sql.= ", ".$user->id;
  $sql.= ", 0";
@@ -178,8 +178,8 @@ class Project extends CommonObject
  {
  $sql = "UPDATE ".MAIN_DB_PREFIX."projet SET";
  $sql.= " ref='".$this->ref."'";
- $sql.= ", title = '".addslashes($this->title)."'";
- $sql.= ", description = '".addslashes($this->description)."'";
+ $sql.= ", title = '".$this->db->escape($this->title)."'";
+ $sql.= ", description = '".$this->db->escape($this->description)."'";
  $sql.= ", fk_soc = ".($this->socid > 0?$this->socid:"null");
  $sql.= ", fk_statut = ".$this->statut;
  $sql.= ", public = ".($this->public?1:0);
diff --git a/htdocs/projet/class/task.class.php b/htdocs/projet/class/task.class.php
index 4e7bbd01fb0..28f3f1b31e1 100644
--- a/htdocs/projet/class/task.class.php
+++ b/htdocs/projet/class/task.class.php
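Review bot: In the `@@ -178` hunk `ref='".$this->ref."'"` is left raw right above the two lines the commit escapes, while `create()` in `@@ -103` now escapes `$this->ref`; the update should read `$sql.= " ref='".$this->db->escape($this->ref)."'";` so both paths treat the reference the same way. The enclosing method starts and ends outside the hunk.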
@@ -253,8 +253,8 @@ class Task extends CommonObject
  $sql = "UPDATE ".MAIN_DB_PREFIX."projet_task SET";
  $sql.= " fk_projet=".(isset($this->fk_project)?$this->fk_project:"null").",";
  $sql.= " fk_task_parent=".(isset($this->fk_task_parent)?$this->fk_task_parent:"null").",";
- $sql.= " label=".(isset($this->label)?"'".addslashes($this->label)."'":"null").",";
- $sql.= " description=".(isset($this->description)?"'".addslashes($this->description)."'":"null").",";
+ $sql.= " label=".(isset($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
+ $sql.= " description=".(isset($this->description)?"'".$this->db->escape($this->description)."'":"null").",";
  $sql.= " duration_effective=".(isset($this->duration_effective)?$this->duration_effective:"null").",";
  $sql.= " dateo=".($this->date_start!=''?$this->db->idate($this->date_start):'null').",";
  $sql.= " datee=".($this->date_end!=''?$this->db->idate($this->date_end):'null').",";
@@ -670,7 +670,7 @@ class Task extends CommonObject
  $sql.= ", '".$this->db->idate($this->timespent_date)."'";
  $sql.= ", ".$this->timespent_duration;
  $sql.= ", ".$this->timespent_fk_user;
- $sql.= ", ".(isset($this->timespent_note)?"'".addslashes($this->timespent_note)."'":"null");
+ $sql.= ", ".(isset($this->timespent_note)?"'".$this->db->escape($this->timespent_note)."'":"null");
  $sql.= ")";
  dol_syslog(get_class($this)."::addTimeSpent sql=".$sql, LOG_DEBUG);
@@ -777,7 +777,7 @@ class Task extends CommonObject
  $sql.= " task_date = '".$this->db->idate($this->timespent_date)."',";
  $sql.= " task_duration = ".$this->timespent_duration.",";
  $sql.= " fk_user = ".$this->timespent_fk_user.",";
- $sql.= " note = ".(isset($this->timespent_note)?"'".addslashes($this->timespent_note)."'":"null");
+ $sql.= " note = ".(isset($this->timespent_note)?"'".$this->db->escape($this->timespent_note)."'":"null");
  $sql.= " WHERE rowid = ".$this->timespent_id;
  dol_syslog(get_class($this)."::updateTimeSpent sql=".$sql, LOG_DEBUG);
diff --git a/htdocs/societe/class/address.class.php b/htdocs/societe/class/address.class.php
index 588eaed6e7a..3fc3c9d6538 100644
--- a/htdocs/societe/class/address.class.php
+++ b/htdocs/societe/class/address.class.php
@@ -88,7 +88,7 @@ class Address
  if ($result >= 0)
  {
  $sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_address (label, fk_soc, name, datec, fk_user_creat) ";
- $sql .= " VALUES ('".addslashes($this->label)."', '".$socid."', '".addslashes($this->name)."', ".$this->db->idate(mktime()).", '".$user->id."')";
+ $sql .= " VALUES ('".$this->db->escape($this->label)."', '".$socid."', '".$this->db->escape($this->name)."', ".$this->db->idate(mktime()).", '".$user->id."')";
  $result=$this->db->query($sql);
  if ($result)
@@ -190,18 +190,18 @@ class Address
  dol_syslog("Address::Update verify ok");
  $sql = "UPDATE ".MAIN_DB_PREFIX."societe_address";
- $sql.= " SET label = '" . addslashes($this->label) ."'"; // Champ obligatoire
- $sql.= ",name = '" . addslashes($this->name) ."'"; // Champ obligatoire
- $sql.= ",address = '" . addslashes($this->address) ."'";
+ $sql.= " SET label = '" . $this->db->escape($this->label) ."'"; // Champ obligatoire
+ $sql.= ",name = '" . $this->db->escape($this->name) ."'"; // Champ obligatoire
+ $sql.= ",address = '" . $this->db->escape($this->address) ."'";
  if ($this->cp) { $sql .= ",cp = '" . $this->cp ."'"; }
  if ($this->ville)
- { $sql .= ",ville = '" . addslashes($this->ville) ."'"; }
+ { $sql .= ",ville = '" . $this->db->escape($this->ville) ."'"; }
  $sql .= ",fk_pays = '" . ($this->pays_id?$this->pays_id:'0') ."'";
- $sql.= ",note = '" . addslashes($this->note) ."'";
+ $sql.= ",note = '" . $this->db->escape($this->note) ."'";
  if ($this->tel) { $sql .= ",tel = '" . $this->tel ."'"; }
diff --git a/htdocs/societe/class/companybankaccount.class.php b/htdocs/societe/class/companybankaccount.class.php
index 7c7a050fdc0..0b052868c19 100644
--- a/htdocs/societe/class/companybankaccount.class.php
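Review bot: In the `@@ -190` hunk `cp` and `tel` are still quoted raw on the `if ($this->cp)` / `if ($this->tel)` lines sitting between the newly escaped fields, and `@@ -88` concatenates `'".$socid."'` and `'".$user->id."'` the same way; `$this->db->escape($this->cp)` and `$this->db->escape($this->tel)` would finish the job for the free-text values, and a cast would document the ones meant to be numeric. The enclosing methods start and end outside these hunks.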
+++ b/htdocs/societe/class/companybankaccount.class.php
@@ -107,16 +107,16 @@ class CompanyBankAccount
  }
  $sql = "UPDATE ".MAIN_DB_PREFIX."societe_rib SET ";
- $sql .= " bank = '" .addslashes($this->bank)."'";
+ $sql .= " bank = '" .$this->db->escape($this->bank)."'";
  $sql .= ",code_banque='".$this->code_banque."'";
  $sql .= ",code_guichet='".$this->code_guichet."'";
  $sql .= ",number='".$this->number."'";
  $sql .= ",cle_rib='".$this->cle_rib."'";
  $sql .= ",bic='".$this->bic."'";
  $sql .= ",iban_prefix = '".$this->iban_prefix."'";
- $sql .= ",domiciliation='".addslashes($this->domiciliation)."'";
- $sql .= ",proprio = '".addslashes($this->proprio)."'";
- $sql .= ",adresse_proprio = '".addslashes($this->adresse_proprio)."'";
+ $sql .= ",domiciliation='".$this->db->escape($this->domiciliation)."'";
+ $sql .= ",proprio = '".$this->db->escape($this->proprio)."'";
+ $sql .= ",adresse_proprio = '".$this->db->escape($this->adresse_proprio)."'";
  $sql .= " WHERE fk_soc = ".$this->socid;
  $result = $this->db->query($sql);
diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php
index 9b84dd33e11..100b7da06eb 100644
--- a/htdocs/societe/class/societe.class.php
+++ b/htdocs/societe/class/societe.class.php
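Review bot: In the `@@ -107` hunk the six lines between the escaped `bank` and `domiciliation` fields (`code_banque`, `code_guichet`, `number`, `cle_rib`, `bic`, `iban_prefix`) are still concatenated raw inside quotes; these are user-entered bank identifiers, so each should be wrapped in `$this->db->escape()` exactly like its neighbours. The enclosing method starts outside the hunk.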
@@ -429,28 +429,28 @@ class Societe extends CommonObject
 dol_syslog("Societe::Update verify ok");
 $sql = "UPDATE ".MAIN_DB_PREFIX."societe";
- $sql.= " SET nom = '" . addslashes($this->nom) ."'"; // Champ obligatoire
+ $sql.= " SET nom = '" . $this->db->escape($this->nom) ."'"; // Champ obligatoire
 $sql.= ",datea = '".$this->db->idate(mktime())."'";
- $sql.= ",address = '" . addslashes($this->address) ."'";
+ $sql.= ",address = '" . $this->db->escape($this->address) ."'";
 $sql.= ",cp = ".($this->cp?"'".$this->cp."'":"null");
- $sql.= ",ville = ".($this->ville?"'".addslashes($this->ville)."'":"null");
+ $sql.= ",ville = ".($this->ville?"'".$this->db->escape($this->ville)."'":"null");
 $sql .= ",fk_departement = '" . ($this->departement_id?$this->departement_id:'0') ."'";
 $sql .= ",fk_pays = '" . ($this->pays_id?$this->pays_id:'0') ."'";
- $sql .= ",tel = ".($this->tel?"'".addslashes($this->tel)."'":"null");
- $sql .= ",fax = ".($this->fax?"'".addslashes($this->fax)."'":"null");
- $sql .= ",email = ".($this->email?"'".addslashes($this->email)."'":"null");
- $sql .= ",url = ".($this->url?"'".addslashes($this->url)."'":"null");
+ $sql .= ",tel = ".($this->tel?"'".$this->db->escape($this->tel)."'":"null");
+ $sql .= ",fax = ".($this->fax?"'".$this->db->escape($this->fax)."'":"null");
+ $sql .= ",email = ".($this->email?"'".$this->db->escape($this->email)."'":"null");
+ $sql .= ",url = ".($this->url?"'".$this->db->escape($this->url)."'":"null");
- $sql .= ",siren = '". addslashes($this->siren) ."'";
- $sql .= ",siret = '". addslashes($this->siret) ."'";
- $sql .= ",ape = '". addslashes($this->ape) ."'";
- $sql .= ",idprof4 = '". addslashes($this->idprof4) ."'";
+ $sql .= ",siren = '". $this->db->escape($this->siren) ."'";
+ $sql .= ",siret = '". $this->db->escape($this->siret) ."'";
+ $sql .= ",ape = '". $this->db->escape($this->ape) ."'";
+ $sql .= ",idprof4 = '". $this->db->escape($this->idprof4) ."'";
 $sql .= ",tva_assuj = ".($this->tva_assuj!=''?"'".$this->tva_assuj."'":"null");
- $sql .= ",tva_intra = '" . addslashes($this->tva_intra) ."'";
+ $sql .= ",tva_intra = '" . $this->db->escape($this->tva_intra) ."'";
 // Local taxes
 $sql .= ",localtax1_assuj = ".($this->localtax1_assuj!=''?"'".$this->localtax1_assuj."'":"null");
@@ -458,7 +458,7 @@ class Societe extends CommonObject
 $sql .= ",capital = ".$this->capital;
- $sql .= ",prefix_comm = ".($this->prefix_comm?"'".addslashes($this->prefix_comm)."'":"null");
+ $sql .= ",prefix_comm = ".($this->prefix_comm?"'".$this->db->escape($this->prefix_comm)."'":"null");
 $sql .= ",fk_effectif = ".($this->effectif_id?"'".$this->effectif_id."'":"null");
@@ -476,24 +476,24 @@ class Societe extends CommonObject
 {
 //$this->check_codeclient();
- $sql .= ", code_client = ".($this->code_client?"'".addslashes($this->code_client)."'":"null");
+ $sql .= ", code_client = ".($this->code_client?"'".$this->db->escape($this->code_client)."'":"null");
 // Attention get_codecompta peut modifier le code suivant le module utilise
 if (empty($this->code_compta)) $this->get_codecompta('customer');
- $sql .= ", code_compta = ".($this->code_compta?"'".addslashes($this->code_compta)."'":"null");
+ $sql .= ", code_compta = ".($this->code_compta?"'".$this->db->escape($this->code_compta)."'":"null");
 }
 if ($allowmodcodefournisseur)
 {
 //$this->check_codefournisseur();
- $sql .= ", code_fournisseur = ".($this->code_fournisseur?"'".addslashes($this->code_fournisseur)."'":"null");
+ $sql .= ", code_fournisseur = ".($this->code_fournisseur?"'".$this->db->escape($this->code_fournisseur)."'":"null");
 // Attention get_codecompta peut modifier le code suivant le module utilise
 if (empty($this->code_compta_fournisseur)) $this->get_codecompta('supplier');
- $sql .= ", code_compta_fournisseur = ".($this->code_compta_fournisseur?"'".addslashes($this->code_compta_fournisseur)."'":"null");
+ $sql .= ", code_compta_fournisseur = ".($this->code_compta_fournisseur?"'".$this->db->escape($this->code_compta_fournisseur)."'":"null");
 }
 $sql .= ", fk_user_modif = ".($user->id > 0 ? "'".$user->id."'":"null");
 $sql .= " WHERE rowid = '" . $id ."'";
@@ -1135,7 +1135,7 @@ class Societe extends CommonObject
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_remise ";
 $sql.= " (datec, fk_soc, remise_client, note, fk_user_author)";
 $sql.= " VALUES (".$this->db->idate(mktime()).", ".$this->id.", '".$remise."',";
- $sql.= " '".addslashes($note)."',";
+ $sql.= " '".$this->db->escape($note)."',";
 $sql.= " ".$user->id;
 $sql.= ")";
@@ -2147,7 +2147,7 @@ class Societe extends CommonObject
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_log (datel, fk_soc, fk_statut, fk_user, author, label)";
 $sql.= " VALUES ('".$dateaction."', ".$socid.", ".$id_status.",";
 $sql.= "'".$user->id."',";
- $sql.= "'".addslashes($user->login)."',";
+ $sql.= "'".$this->db->escape($user->login)."',";
 $sql.= "'Change statut from ".$oldstcomm." to ".$stcommid."'";
 $sql.= ")";
 $result = $thi->db->query($sql);
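Review bot: The last context line `$result = $thi->db->query($sql);` references `$thi`, which nothing in the hunk defines; unless it is assigned outside the visible lines this is a typo for `$this`, and calling `query()` on an undefined variable would presumably abort the status-change logging at runtime rather than run the INSERT just assembled. Since the commit already edits the line two above it, the fix belongs in the same pass: `$result = $this->db->query($sql);`. The enclosing method starts before the hunk, so I cannot see whether `$thi` is set earlier.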