diff --git a/htdocs/fourn/class/fournisseur.facture.class.php b/htdocs/fourn/class/fournisseur.facture.class.php
index eab1d445558..ccfe09eec0c 100644
--- a/htdocs/fourn/class/fournisseur.facture.class.php
+++ b/htdocs/fourn/class/fournisseur.facture.class.php
@@ -506,7 +506,7 @@ class FactureFournisseur extends CommonInvoice
 dol_syslog("There is ".count($this->lines)." lines that are invoice lines objects");
 foreach ($this->lines as $i => $val) {
 $sql = 'INSERT INTO '.MAIN_DB_PREFIX.'facture_fourn_det (fk_facture_fourn, special_code, fk_remise_except)';
- $sql .= ' VALUES ('.$this->id.','.intval($this->lines[$i]->special_code).','.($this->lines[$i]->fk_remise_except > 0 ? $this->lines[$i]->fk_remise_except : 'NULL').')';
+ $sql .= " VALUES (".((int) $this->id).", ".((int) $this->lines[$i]->special_code).", ".($this->lines[$i]->fk_remise_except > 0 ? ((int) $this->lines[$i]->fk_remise_except) : 'NULL').')';
 $resql_insert = $this->db->query($sql);
 if ($resql_insert) {
@@ -552,7 +552,7 @@ class FactureFournisseur extends CommonInvoice
 }
 $sql = 'INSERT INTO '.MAIN_DB_PREFIX.'facture_fourn_det (fk_facture_fourn, special_code, fk_remise_except)';
- $sql .= ' VALUES ('.$this->id.','.intval($this->lines[$i]->special_code).','.($this->lines[$i]->fk_remise_except > 0 ? $this->lines[$i]->fk_remise_except : 'NULL').')';
+ $sql .= " VALUES (".((int) $this->id).", ".((int) $this->lines[$i]->special_code).", ".($this->lines[$i]->fk_remise_except > 0 ? ((int) $this->lines[$i]->fk_remise_except) : 'NULL').')';
 $resql_insert = $this->db->query($sql);
 if ($resql_insert) {
@@ -1375,7 +1375,7 @@ class FactureFournisseur extends CommonInvoice
 if ($close_note) {
 $sql .= ", close_note='".$this->db->escape($close_note)."'";
 }
- $sql .= ', fk_user_closing = '.$user->id;
+ $sql .= ', fk_user_closing = '.((int) $user->id);
 $sql .= ", date_closing = '".$this->db->idate($now)."'";
 $sql .= ' WHERE rowid = '.((int) $this->id);
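Review bot: The first two hunks now carry a byte-identical hand-built INSERT into facture_fourn_det (`" VALUES (".((int) $this->id).", ".((int) $this->lines[$i]->special_code).", "…`), so the next cast or column change has to be made in two places and the two copies can silently drift. A small private helper that takes the line object and returns the statement would keep them aligned; the casts themselves look correct. The enclosing method bodies start and end outside these hunks.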
diff --git a/htdocs/fourn/class/paiementfourn.class.php b/htdocs/fourn/class/paiementfourn.class.php
index 2227e2b8c0a..fa58139b7e7 100644
--- a/htdocs/fourn/class/paiementfourn.class.php
+++ b/htdocs/fourn/class/paiementfourn.class.php
@@ -201,8 +201,8 @@ class PaiementFourn extends Paiement
 $sql = 'INSERT INTO '.MAIN_DB_PREFIX.'paiementfourn (';
 $sql .= 'ref, entity, datec, datep, amount, multicurrency_amount, fk_paiement, num_paiement, note, fk_user_author, fk_bank)';
- $sql .= " VALUES ('".$this->db->escape($ref)."', ".$conf->entity.", '".$this->db->idate($now)."',";
- $sql .= " '".$this->db->idate($this->datepaye)."', '".$total."', '".$mtotal."', ".$this->paiementid.", '".$this->db->escape($this->num_payment)."', '".$this->db->escape($this->note_private)."', ".$user->id.", 0)";
+ $sql .= " VALUES ('".$this->db->escape($ref)."', ".((int) $conf->entity).", '".$this->db->idate($now)."',";
+ $sql .= " '".$this->db->idate($this->datepaye)."', ".((float) $total).", ".((float) $mtotal).", ".((int) $this->paiementid).", '".$this->db->escape($this->num_payment)."', '".$this->db->escape($this->note_private)."', ".((int) $user->id).", 0)";
 $resql = $this->db->query($sql);
 if ($resql) {
@@ -214,7 +214,7 @@ class PaiementFourn extends Paiement
 if (is_numeric($amount) && $amount <> 0) {
 $amount = price2num($amount);
 $sql = 'INSERT INTO '.MAIN_DB_PREFIX.'paiementfourn_facturefourn (fk_facturefourn, fk_paiementfourn, amount, multicurrency_amount)';
- $sql .= ' VALUES ('.$facid.','.$this->id.',\''.$amount.'\', \''.$this->multicurrency_amounts[$key].'\')';
+ $sql .= " VALUES (".((int) $facid).", ".((int) $this->id).", ".((float) $amount).', '.((float) $this->multicurrency_amounts[$key]).')';
 $resql = $this->db->query($sql);
 if ($resql) {
 $invoice = new FactureFournisseur($this->db);
diff --git a/htdocs/fourn/commande/card.php b/htdocs/fourn/commande/card.php
index b981d46b764..c2cb03a27cb 100644
--- a/htdocs/fourn/commande/card.php
+++ b/htdocs/fourn/commande/card.php
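Review bot: Interpolating `((float) $total)` and `((float) $mtotal)` into the INSERT relies on PHP's float-to-string conversion, which on PHP 7 follows the LC_NUMERIC locale and can emit `1,5` instead of `1.5` (and may switch to exponent notation for very large or very small values), so a statement that previously carried the quoted normalised string can now be malformed on an installation with a non-C locale. The same cast is introduced in this file's second hunk, in upgrade2.php (migrate_paiements, migrate_paiements_orphelins_1/2, migrate_contracts_det), margin/checkMargins.php, the CurrencyRate hunks of multicurrency.class.php and product.class.php (_log_price). Keeping the value as the normalised string `price2num()` already produced, e.g. `".price2num($total).", "`, or formatting with the locale-independent `sprintf('%F', $total)`, pins the decimal separator. Note also that `((float) $this->multicurrency_amounts[$key])` now inserts `0` when the key is missing, where the old code sent an empty string. The enclosing method starts and ends outside the hunk.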
@@ -243,9 +243,9 @@ if (empty($reshook)) {
 // Update supplier
 $sql = 'UPDATE '.MAIN_DB_PREFIX.'commande_fournisseur';
- $sql .= ' SET fk_soc='.$new_socid;
- $sql .= ' WHERE fk_soc='.$object->thirdparty->id;
- $sql .= ' AND rowid='.$object->id;
+ $sql .= ' SET fk_soc = '.((int) $new_socid);
+ $sql .= ' WHERE fk_soc = '.((int) $object->thirdparty->id);
+ $sql .= ' AND rowid = '.((int) $object->id);
 $res = $db->query($sql);
@@ -258,8 +258,8 @@ if (empty($reshook)) {
 foreach ($object->lines as $l) {
 $sql = 'SELECT price, unitprice, tva_tx, ref_fourn';
 $sql .= ' FROM '.MAIN_DB_PREFIX.'product_fournisseur_price';
- $sql .= ' WHERE fk_product='.$l->fk_product;
- $sql .= ' AND fk_soc='.$new_socid;
+ $sql .= ' WHERE fk_product = '.((int) $l->fk_product);
+ $sql .= ' AND fk_soc = '.((int) $new_socid);
 $sql .= ' ORDER BY unitprice ASC';
 $resql = $db->query($sql);
diff --git a/htdocs/fourn/commande/list.php b/htdocs/fourn/commande/list.php
index e4d10cbb23d..ef39e7502f6 100644
--- a/htdocs/fourn/commande/list.php
+++ b/htdocs/fourn/commande/list.php
@@ -769,7 +769,7 @@ if ($search_total_ttc != '') {
 $sql .= natural_search('cf.total_ttc', $search_total_ttc, 1);
 }
 if ($search_multicurrency_code != '') {
- $sql .= ' AND cf.multicurrency_code = "'.$db->escape($search_multicurrency_code).'"';
+ $sql .= " AND cf.multicurrency_code = '".$db->escape($search_multicurrency_code)."'";
 }
 if ($search_multicurrency_tx != '') {
 $sql .= natural_search('cf.multicurrency_tx', $search_multicurrency_tx, 1);
diff --git a/htdocs/fourn/facture/list.php b/htdocs/fourn/facture/list.php
index 527cd851709..358b1c59c1b 100644
--- a/htdocs/fourn/facture/list.php
+++ b/htdocs/fourn/facture/list.php
@@ -606,7 +606,7 @@ if ($filter && $filter != -1) {
 $aFilter = explode(',', $filter);
 foreach ($aFilter as $fil) {
 $filt = explode(':', $fil);
- $sql .= ' AND '.$db->escape(trim($filt[0]))." = '".$db->escape(trim($filt[1]))."'";
+ $sql .= " AND ".$db->escape(trim($filt[0]))." = '".$db->escape(trim($filt[1]))."'";
 }
 }
 if ($search_sale > 0) {
@@ -655,7 +655,7 @@ if (!$search_all) {
 // Add HAVING from hooks
 $parameters = array();
 $reshook = $hookmanager->executeHooks('printFieldListHaving', $parameters, $object); // Note that $action and $object may have been modified by hook
-$sql .= !empty($hookmanager->resPrint) ? (' HAVING 1=1 ' . $hookmanager->resPrint) : '';
+$sql .= !empty($hookmanager->resPrint) ? (" HAVING 1=1 " . $hookmanager->resPrint) : "";
 $sql .= $db->order($sortfield, $sortorder);
diff --git a/htdocs/fourn/facture/paiement.php b/htdocs/fourn/facture/paiement.php
index f0967453701..b5bc33b78c0 100644
--- a/htdocs/fourn/facture/paiement.php
+++ b/htdocs/fourn/facture/paiement.php
@@ -510,8 +510,8 @@ if ($action == 'create' || $action == 'confirm_paiement' || $action == 'add_paie
 $sql .= ' SUM(pf.amount) as am, SUM(pf.multicurrency_amount) as multicurrency_am';
 $sql .= ' FROM '.MAIN_DB_PREFIX.'facture_fourn as f';
 $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'paiementfourn_facturefourn as pf ON pf.fk_facturefourn = f.rowid';
- $sql .= " WHERE f.entity = ".$conf->entity;
- $sql .= ' AND f.fk_soc = '.$object->socid;
+ $sql .= " WHERE f.entity = ".((int) $conf->entity);
+ $sql .= ' AND f.fk_soc = '.((int) $object->socid);
 $sql .= ' AND f.paye = 0';
 $sql .= ' AND f.fk_statut = 1'; // Status=0 => unvalidated, Status=2 => canceled
 if ($object->type != FactureFournisseur::TYPE_CREDIT_NOTE) {
diff --git a/htdocs/install/lib/repair.lib.php b/htdocs/install/lib/repair.lib.php
index bd54e55ebde..aa0866fac69 100644
--- a/htdocs/install/lib/repair.lib.php
+++ b/htdocs/install/lib/repair.lib.php
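Review bot: `$db->escape(trim($filt[0]))` is applied to the left-hand side of the comparison, where it is an identifier rather than a quoted literal, so `escape()` neutralises nothing there and the column name taken from `$filter` is still interpolated raw into the WHERE clause; the commit only changes the quote style of the surrounding string. Where `$filter` comes from is not visible in the hunk, but if it can be request-supplied this remains an injection point, and an allowlist of permitted columns or at minimum `if (!preg_match('/^[a-zA-Z0-9_.]+$/', trim($filt[0]))) { continue; }` before the append would close it. A filter element without `:` also leaves `$filt[1]` undefined, which an `isset($filt[1])` guard in the same place would cover.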
@@ -88,7 +88,7 @@ function checkLinkedElements($sourcetype, $targettype)
 $out = $langs->trans('SourceType').': '.$sourcetype.' => '.$langs->trans('TargetType').': '.$targettype.' ';
 $sql = 'SELECT rowid, fk_source, fk_target FROM '.MAIN_DB_PREFIX.'element_element';
- $sql .= ' WHERE sourcetype="'.$sourcetype.'" AND targettype="'.$targettype.'"';
+ $sql .= " WHERE sourcetype='".$db->escape($sourcetype)."' AND targettype='".$db->escape($targettype)."'";
 $resql = $db->query($sql);
 if ($resql) {
 $num = $db->num_rows($resql);
diff --git a/htdocs/install/repair.php b/htdocs/install/repair.php
index 037c7ee4b82..8160f6e89b8 100644
--- a/htdocs/install/repair.php
+++ b/htdocs/install/repair.php
@@ -1236,7 +1236,7 @@ if ($ok && GETPOST('force_utf8_on_tables', 'alpha')) {
 print '';
 print $table;
- $sql = 'ALTER TABLE '.$table.' CONVERT TO CHARACTER SET utf8 COLLATE utf8_unicode_ci';
+ $sql = "ALTER TABLE ".$table." CONVERT TO CHARACTER SET utf8 COLLATE utf8_unicode_ci";
 print '';
 if ($force_utf8_on_tables == 'confirmed') {
 $resql = $db->query($sql);
@@ -1282,8 +1282,8 @@ if ($ok && GETPOST('force_utf8mb4_on_tables', 'alpha')) {
 print '';
 print $table;
- $sql1 = 'ALTER TABLE '.$table.' ROW_FORMAT=dynamic;';
- $sql2 = 'ALTER TABLE '.$table.' CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci';
+ $sql1 = "ALTER TABLE ".$table." ROW_FORMAT=dynamic";
+ $sql2 = "ALTER TABLE ".$table." CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci";
 print '';
 print '';
 if ($force_utf8mb4_on_tables == 'confirmed') {
@@ -1407,25 +1407,25 @@ if ($ok && GETPOST('repair_link_dispatch_lines_supplier_order_lines')) {
 $first_iteration = false;
 } else {
 $sql_attach_values = array(
- $obj_dispatch->fk_commande,
- $obj_dispatch->fk_product,
- $obj_line->rowid,
- $qty_for_line,
- $obj_dispatch->fk_entrepot,
- $obj_dispatch->fk_user,
- $obj_dispatch->datec ? '"'.$db->escape($obj_dispatch->datec).'"' : 'NULL',
- $obj_dispatch->comment ? '"'.$db->escape($obj_dispatch->comment).'"' : 'NULL',
- $obj_dispatch->status ?: 'NULL',
- $obj_dispatch->tms ? '"'.$db->escape($obj_dispatch->tms).'"' : 'NULL',
- $obj_dispatch->batch ?: 'NULL',
- $obj_dispatch->eatby ? '"'.$db->escape($obj_dispatch->eatby).'"' : 'NULL',
- $obj_dispatch->sellby ? '"'.$db->escape($obj_dispatch->sellby).'"' : 'NULL'
+ ((int) $obj_dispatch->fk_commande),
+ ((int) $obj_dispatch->fk_product),
+ ((int) $obj_line->rowid),
+ ((float) $qty_for_line),
+ ((int) $obj_dispatch->fk_entrepot),
+ ((int) $obj_dispatch->fk_user),
+ $obj_dispatch->datec ? "'".$db->idate($db->jdate($obj_dispatch->datec))."'" : 'NULL',
+ $obj_dispatch->comment ? "'".$db->escape($obj_dispatch->comment)."'" : 'NULL',
+ $obj_dispatch->status ? ((int) $obj_dispatch->status) : 'NULL',
+ $obj_dispatch->tms ? "'".$db->idate($db->jdate($obj_dispatch->tms))."'" : 'NULL',
+ $obj_dispatch->batch ? "'".$db->escape($obj_dispatch->batch)."'" : 'NULL',
+ $obj_dispatch->eatby ? "'".$db->escape($obj_dispatch->eatby)."'" : 'NULL',
+ $obj_dispatch->sellby ? "'".$db->escape($obj_dispatch->sellby)."'" : 'NULL'
 );
 $sql_attach_values = join(', ', $sql_attach_values);
 $sql_attach = 'INSERT INTO '.MAIN_DB_PREFIX.'commande_fournisseur_dispatch';
 $sql_attach .= ' (fk_commande, fk_product, fk_commandefourndet, qty, fk_entrepot, fk_user, datec, comment, status, tms, batch, eatby, sellby)';
- $sql_attach .= ' VALUES ('.$sql_attach_values.')';
+ $sql_attach .= " VALUES (".$sql_attach_values.")";
 }
 if ($repair_link_dispatch_lines_supplier_order_lines == 'confirmed') {
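Review bot: `eatby` and `sellby` are still passed through `$db->escape()` on the raw fetched value while `datec` and `tms` in the same array were switched to `$db->idate($db->jdate(...))`, so the four date-like fields are now normalised two different ways on their way back into commande_fournisseur_dispatch; if `eatby`/`sellby` are date columns the same `"'".$db->idate($db->jdate($obj_dispatch->eatby))."'"` form would make the array consistent (the old code treated all four alike). The rewritten `$obj_dispatch->status ? ((int) $obj_dispatch->status) : 'NULL'` keeps the old `?:` behaviour of storing NULL for a genuine status 0; if 0 is a valid state, `isset($obj_dispatch->status) ? ((int) $obj_dispatch->status) : 'NULL'` preserves it. The enclosing if/else and the `if (... == 'confirmed')` that follows extend outside the hunk.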
diff --git a/htdocs/install/step5.php b/htdocs/install/step5.php
index 0958ef7bb3b..b434612afcd 100644
--- a/htdocs/install/step5.php
+++ b/htdocs/install/step5.php
@@ -234,7 +234,7 @@ if ($action == "set" || empty($action) || preg_match('/upgrade/i', $action)) {
 // Insert MAIN_VERSION_FIRST_INSTALL in a dedicated transaction. So if it fails (when first install was already done), we can do other following requests.
 $db->begin();
 dolibarr_install_syslog('step5: set MAIN_VERSION_FIRST_INSTALL const to '.$targetversion, LOG_DEBUG);
- $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity) values(".$db->encrypt('MAIN_VERSION_FIRST_INSTALL', 1).",".$db->encrypt($targetversion, 1).",'chaine',0,'Dolibarr version when first install',0)");
+ $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name, value, type, visible, note, entity) values('".$db->escape($db->encrypt('MAIN_VERSION_FIRST_INSTALL'))."', '".$db->escape($db->encrypt($targetversion))."', 'chaine', 0, 'Dolibarr version when first install', 0)");
 if ($resql) {
 $conf->global->MAIN_VERSION_FIRST_INSTALL = $targetversion;
 $db->commit();
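Review bot: Wrapping `$db->encrypt(...)` in `'".$db->escape(...)."'` changes what reaches the database: the old call used `encrypt($value, 1)`, whose second argument asks for an already quoted and escaped literal, and the WHERE clauses in the following hunks compare against `$db->decrypt('name')`, which indicates this column may be stored encrypted. If `encrypt()` returns a SQL expression (an `AES_ENCRYPT(...)`-style call) in that configuration, the new code quotes and escapes it into a plain string, so the stored name and value no longer match what `decrypt('name')` reads back; with encryption off the value is simply escaped twice, harmless for these constants but doubling any backslash in `$targetversion` or `$setuplang`. Keeping `values(".$db->encrypt('MAIN_VERSION_FIRST_INSTALL', 1).", ".$db->encrypt($targetversion, 1).", 'chaine', 0, ...` preserves the spacing clean-up without altering the value. The same rewrite appears in the step5.php hunks at 246, 258, 326 and 346.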
@@ -246,11 +246,11 @@ if ($action == "set" || empty($action) || preg_match('/upgrade/i', $action)) {
 $db->begin();
 dolibarr_install_syslog('step5: set MAIN_VERSION_LAST_INSTALL const to '.$targetversion, LOG_DEBUG);
- $resql = $db->query("DELETE FROM ".MAIN_DB_PREFIX."const WHERE ".$db->decrypt('name')."='MAIN_VERSION_LAST_INSTALL'");
+ $resql = $db->query("DELETE FROM ".MAIN_DB_PREFIX."const WHERE ".$db->decrypt('name')." = 'MAIN_VERSION_LAST_INSTALL'");
 if (!$resql) {
 dol_print_error($db, 'Error in setup program');
 }
- $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity) values(".$db->encrypt('MAIN_VERSION_LAST_INSTALL', 1).",".$db->encrypt($targetversion, 1).",'chaine',0,'Dolibarr version when last install',0)");
+ $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity) values('".$db->escape($db->encrypt('MAIN_VERSION_LAST_INSTALL'))."', '".$db->escape($db->encrypt($targetversion))."', 'chaine', 0, 'Dolibarr version when last install', 0)");
 if (!$resql) {
 dol_print_error($db, 'Error in setup program');
 }
@@ -258,11 +258,11 @@ if ($action == "set" || empty($action) || preg_match('/upgrade/i', $action)) {
 if ($useforcedwizard) {
 dolibarr_install_syslog('step5: set MAIN_REMOVE_INSTALL_WARNING const to 1', LOG_DEBUG);
- $resql = $db->query("DELETE FROM ".MAIN_DB_PREFIX."const WHERE ".$db->decrypt('name')."='MAIN_REMOVE_INSTALL_WARNING'");
+ $resql = $db->query("DELETE FROM ".MAIN_DB_PREFIX."const WHERE ".$db->decrypt('name')." = 'MAIN_REMOVE_INSTALL_WARNING'");
 if (!$resql) {
 dol_print_error($db, 'Error in setup program');
 }
- $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity) values(".$db->encrypt('MAIN_REMOVE_INSTALL_WARNING', 1).",".$db->encrypt(1, 1).",'chaine',1,'Disable install warnings',0)");
+ $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity) values('".$db->escape($db->encrypt('MAIN_REMOVE_INSTALL_WARNING'))."', '".$db->escape($db->encrypt(1))."', 'chaine', 1, 'Disable install warnings', 0)");
 if (!$resql) {
 dol_print_error($db, 'Error in setup program');
 }
@@ -326,11 +326,11 @@ if ($action == "set" || empty($action) || preg_match('/upgrade/i', $action)) {
 if ($tagdatabase) {
 dolibarr_install_syslog('step5: set MAIN_VERSION_LAST_UPGRADE const to value '.$targetversion);
- $resql = $db->query("DELETE FROM ".MAIN_DB_PREFIX."const WHERE ".$db->decrypt('name')."='MAIN_VERSION_LAST_UPGRADE'");
+ $resql = $db->query("DELETE FROM ".MAIN_DB_PREFIX."const WHERE ".$db->decrypt('name')." = 'MAIN_VERSION_LAST_UPGRADE'");
 if (!$resql) {
 dol_print_error($db, 'Error in setup program');
 }
- $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity) VALUES (".$db->encrypt('MAIN_VERSION_LAST_UPGRADE', 1).",".$db->encrypt($targetversion, 1).",'chaine',0,'Dolibarr version for last upgrade',0)");
+ $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name, value, type, visible, note, entity) VALUES ('".$db->escape($db->encrypt('MAIN_VERSION_LAST_UPGRADE'))."', '".$db->escape($db->encrypt($targetversion))."', 'chaine', 0, 'Dolibarr version for last upgrade', 0)");
 if (!$resql) {
 dol_print_error($db, 'Error in setup program');
 }
@@ -346,7 +346,7 @@ if ($action == "set" || empty($action) || preg_match('/upgrade/i', $action)) {
 }
 // May fail if parameter already defined
- $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity) VALUES (".$db->encrypt('MAIN_LANG_DEFAULT', 1).",".$db->encrypt($setuplang, 1).",'chaine',0,'Default language',1)");
+ $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity) VALUES ('".$db->escape($db->encrypt('MAIN_LANG_DEFAULT'))."', '".$db->escape($db->encrypt($setuplang))."', 'chaine', 0, 'Default language', 1)");
 //if (! $resql) dol_print_error($db,'Error in setup program');
 $db->close();
diff --git a/htdocs/install/upgrade.php b/htdocs/install/upgrade.php
index e349317b0c4..7f4a8ac7bad 100644
--- a/htdocs/install/upgrade.php
+++ b/htdocs/install/upgrade.php
@@ -270,6 +270,7 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
 $values = $db->fetch_array($resql);
 $i = 0;
 $createsql = $values[1];
+ $reg = aray();
 while (preg_match('/CONSTRAINT `(0_[0-9a-zA-Z]+|[_0-9a-zA-Z]+_ibfk_[0-9]+)`/i', $createsql, $reg) && $i < 100) {
 $sqldrop = "ALTER TABLE ".$val." DROP FOREIGN KEY ".$reg[1];
 $resqldrop = $db->query($sqldrop);
@@ -282,7 +283,7 @@ if (!GETPOST('action', 'aZ09') || preg_match('/upgrade/i', GETPOST('action', 'aZ
 $db->free($resql);
 } else {
 if ($db->lasterrno() != 'DB_ERROR_NOSUCHTABLE') {
- print ''.$sql.' : '.$db->lasterror()."\n";
+ print ''.dol_escape_htmltag($sql).' : '.dol_escape_htmltag($db->lasterror())."\n";
 }
 }
 }
diff --git a/htdocs/install/upgrade2.php b/htdocs/install/upgrade2.php
index 974dd4c8324..368e05c5b04 100644
--- a/htdocs/install/upgrade2.php
+++ b/htdocs/install/upgrade2.php
@@ -692,7 +692,7 @@ function migrate_paiements($db, $langs, $conf)
 $num = count($row);
 for ($i = 0; $i < $num; $i++) {
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."paiement_facture (fk_facture, fk_paiement, amount)";
- $sql .= " VALUES (".$row[$i][1].",".$row[$i][0].",".$row[$i][2].")";
+ $sql .= " VALUES (".((int) $row[$i][1]).",".((int) $row[$i][0]).",".((float) $row[$i][2]).")";
 $res += $db->query($sql);
@@ -803,7 +803,7 @@ function migrate_paiements_orphelins_1($db, $langs, $conf)
 $facid = $obj->rowid;
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."paiement_facture (fk_facture, fk_paiement, amount)";
- $sql .= " VALUES (".((int) $facid).",".((int) $row[$i]['paymentid']).",".$row[$i]['pamount'].")";
+ $sql .= " VALUES (".((int) $facid).",".((int) $row[$i]['paymentid']).", ".((float) $row[$i]['pamount']).")";
 $res += $db->query($sql);
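Review bot: `$reg = aray();` calls an undefined function, so the upgrade step aborts with a fatal "Call to undefined function aray()" before the CONSTRAINT loop runs; the line should read `$reg = array();` (or `$reg = [];`). The intent, initialising `$reg` before `preg_match()` writes to it, is sound. The enclosing loop starts and ends outside the hunk.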
@@ -914,7 +914,7 @@ function migrate_paiements_orphelins_2($db, $langs, $conf)
 $facid = $obj->rowid;
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."paiement_facture (fk_facture, fk_paiement, amount)";
- $sql .= " VALUES (".((int) $facid).",".((int) $row[$i]['paymentid']).",".$row[$i]['pamount'].")";
+ $sql .= " VALUES (".((int) $facid).",".((int) $row[$i]['paymentid']).", ".((float) $row[$i]['pamount']).")";
 $res += $db->query($sql);
@@ -1002,14 +1002,14 @@ function migrate_contracts_det($db, $langs, $conf)
 $sql .= "date_ouverture_prevue, date_ouverture, date_fin_validite, tva_tx, qty,";
 $sql .= "subprice, price_ht, fk_user_author, fk_user_ouverture)";
 $sql .= " VALUES (";
- $sql .= $obj->cref.", ".($obj->fk_product ? $obj->fk_product : 0).", ";
+ $sql .= ((int) $obj->cref).", ".($obj->fk_product ? ((int) $obj->fk_product) : 0).", ";
 $sql .= "0, ";
 $sql .= "'".$db->escape($obj->label)."', null, ";
- $sql .= ($obj->date_contrat ? "'".$db->escape($obj->date_contrat)."'" : "null").", ";
+ $sql .= ($obj->date_contrat ? "'".$db->idate($db->jdate($obj->date_contrat))."'" : "null").", ";
 $sql .= "null, ";
 $sql .= "null, ";
- $sql .= "'".$db->escape($obj->tva_tx)."' , 1, ";
- $sql .= "'".$db->escape($obj->price)."', '".$db->escape($obj->price)."', ".$obj->fk_user_author.",";
+ $sql .= ((float) $obj->tva_tx).", 1, ";
+ $sql .= ((float) $obj->price).", ".((float) $obj->price).", ".((int) $obj->fk_user_author).",";
 $sql .= "null";
 $sql .= ")";
@@ -2020,7 +2020,7 @@ function migrate_commande_expedition($db, $langs, $conf)
 $obj = $db->fetch_object($resql);
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."co_exp (fk_expedition,fk_commande)";
- $sql .= " VALUES (".$obj->rowid.",".$obj->fk_commande.")";
+ $sql .= " VALUES (".((int) $obj->rowid).", ".((int) $obj->fk_commande).")";
 $resql2 = $db->query($sql);
 if (!$resql2) {
@@ -2088,15 +2088,15 @@ function migrate_commande_livraison($db, $langs, $conf)
 $obj = $db->fetch_object($resql);
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."co_liv (fk_livraison,fk_commande)";
- $sql .= " VALUES (".$obj->rowid.",".$obj->fk_commande.")";
+ $sql .= " VALUES (".((int) $obj->rowid).", ".((int) $obj->fk_commande).")";
 $resql2 = $db->query($sql);
 if ($resql2) {
 $delivery_date = $db->jdate($obj->delivery_date);
 $sqlu = "UPDATE ".MAIN_DB_PREFIX."livraison SET";
- $sqlu .= " ref_client='".$db->escape($obj->ref_client)."'";
- $sqlu .= ", date_livraison='".$db->idate($delivery_date)."'";
+ $sqlu .= " ref_client = '".$db->escape($obj->ref_client)."'";
+ $sqlu .= ", date_livraison = '".$db->idate($delivery_date)."'";
 $sqlu .= " WHERE rowid = ".((int) $obj->rowid);
 $resql3 = $db->query($sqlu);
 if (!$resql3) {
@@ -3361,7 +3361,7 @@ function migrate_clean_association($db, $langs, $conf)
 // And we insert only each record once
 foreach ($couples as $key => $val) {
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."categorie_association(fk_categorie_mere,fk_categorie_fille)";
- $sql .= " VALUES(".$val['mere'].", ".$val['fille'].")";
+ $sql .= " VALUES(".((int) $val['mere']).", ".((int) $val['fille']).")";
 dolibarr_install_syslog("upgrade: insert association");
 $resqli = $db->query($sql);
 if (!$resqli) {
@@ -3493,7 +3493,7 @@ function migrate_event_assignement($db, $langs, $conf)
 $obj = $db->fetch_object($resql);
 $sqlUpdate = "INSERT INTO ".MAIN_DB_PREFIX."actioncomm_resources(fk_actioncomm, element_type, fk_element) ";
- $sqlUpdate .= "VALUES(".$obj->id.", 'user', ".$obj->fk_user_action.")";
+ $sqlUpdate .= "VALUES(".((int) $obj->id).", 'user', ".((int) $obj->fk_user_action).")";
 $result = $db->query($sqlUpdate);
 if (!$result) {
@@ -3559,7 +3559,7 @@ function migrate_event_assignement_contact($db, $langs, $conf)
 $obj = $db->fetch_object($resql);
 $sqlUpdate = "INSERT INTO ".MAIN_DB_PREFIX."actioncomm_resources(fk_actioncomm, element_type, fk_element) ";
- $sqlUpdate .= "VALUES(".$obj->id.", 'socpeople', ".$obj->fk_contact.")";
+ $sqlUpdate .= "VALUES(".((int) $obj->id).", 'socpeople', ".((int) $obj->fk_contact).")";
 $result = $db->query($sqlUpdate);
 if (!$result) {
@@ -4605,7 +4605,7 @@ function migrate_users_socialnetworks()
 $sqlupd .= ', googleplus=null';
 $sqlupd .= ', youtube=null';
 $sqlupd .= ', whatsapp=null';
- $sqlupd .= ' WHERE rowid='.$obj->rowid;
+ $sqlupd .= ' WHERE rowid = '.((int) $obj->rowid);
 //print $sqlupd."
";
 $resqlupd = $db->query($sqlupd);
 if (!$resqlupd) {
@@ -4696,7 +4696,7 @@ function migrate_members_socialnetworks()
 $sqlupd .= ', googleplus=null';
 $sqlupd .= ', youtube=null';
 $sqlupd .= ', whatsapp=null';
- $sqlupd .= ' WHERE rowid='.$obj->rowid;
+ $sqlupd .= ' WHERE rowid = '.((int) $obj->rowid);
 //print $sqlupd."
";
 $resqlupd = $db->query($sqlupd);
 if (!$resqlupd) {
@@ -4791,7 +4791,7 @@ function migrate_contacts_socialnetworks()
 $sqlupd .= ', googleplus=null';
 $sqlupd .= ', youtube=null';
 $sqlupd .= ', whatsapp=null';
- $sqlupd .= ' WHERE rowid='.$obj->rowid;
+ $sqlupd .= ' WHERE rowid = '.((int) $obj->rowid);
 //print $sqlupd."
";
 $resqlupd = $db->query($sqlupd);
 if (!$resqlupd) {
@@ -4881,7 +4881,7 @@ function migrate_thirdparties_socialnetworks()
 $sqlupd .= ', googleplus=null';
 $sqlupd .= ', youtube=null';
 $sqlupd .= ', whatsapp=null';
- $sqlupd .= ' WHERE rowid='.$obj->rowid;
+ $sqlupd .= ' WHERE rowid = '.((int) $obj->rowid);
 //print $sqlupd."
";
 $resqlupd = $db->query($sqlupd);
 if (!$resqlupd) {
@@ -4945,7 +4945,7 @@ function migrate_export_import_profiles($mode = 'export')
 if ($mode == 'export') {
 $sqlupd .= ", filter = '".$db->escape($newfilter)."'";
 }
- $sqlupd .= ' WHERE rowid='.$obj->rowid;
+ $sqlupd .= ' WHERE rowid = '.((int) $obj->rowid);
 $resultstring .= ''.$sqlupd."\n";
 $resqlupd = $db->query($sqlupd);
 if (!$resqlupd) {
diff --git a/htdocs/intracommreport/class/intracommreport.class.php b/htdocs/intracommreport/class/intracommreport.class.php
index 9675d1f3860..d3f34fc149b 100644
--- a/htdocs/intracommreport/class/intracommreport.class.php
+++ b/htdocs/intracommreport/class/intracommreport.class.php
@@ -437,7 +437,7 @@ class IntracommReport extends CommonObject
 */
 public function getNextDeclarationNumber()
 {
- $resql = $this->db->query('SELECT MAX(numero_declaration) as max_declaration_number FROM '.MAIN_DB_PREFIX.$this->table_element.' WHERE exporttype="'.$this->exporttype.'"');
+ $resql = $this->db->query('SELECT MAX(numero_declaration) as max_declaration_number FROM '.MAIN_DB_PREFIX.$this->table_element." WHERE exporttype='".$this->db->escape($this->exporttype)."'");
 if ($resql) {
 $res = $this->db->fetch_object($resql);
 }
diff --git a/htdocs/loan/payment/card.php b/htdocs/loan/payment/card.php
index 675401e34f9..0292fbf5b2c 100644
--- a/htdocs/loan/payment/card.php
+++ b/htdocs/loan/payment/card.php
@@ -156,8 +156,8 @@ $disable_delete = 0;
 $sql = 'SELECT l.rowid as id, l.label, l.paid, l.capital as capital, pl.amount_capital, pl.amount_insurance, pl.amount_interest';
 $sql .= ' FROM '.MAIN_DB_PREFIX.'payment_loan as pl,'.MAIN_DB_PREFIX.'loan as l';
 $sql .= ' WHERE pl.fk_loan = l.rowid';
-$sql .= ' AND l.entity = '.$conf->entity;
-$sql .= ' AND pl.rowid = '.$payment->id;
+$sql .= ' AND l.entity = '.((int) $conf->entity);
+$sql .= ' AND pl.rowid = '.((int) $payment->id);
 dol_syslog("loan/payment/card.php", LOG_DEBUG);
 $resql = $db->query($sql);
diff --git a/htdocs/margin/checkMargins.php b/htdocs/margin/checkMargins.php
index d12c827cc3e..1349e02d2d8 100644
--- a/htdocs/margin/checkMargins.php
+++ b/htdocs/margin/checkMargins.php
@@ -106,8 +106,8 @@ if (empty($reshook)) {
 $invoicedet_id = $tmp_array[1];
 if (!empty($invoicedet_id)) {
 $sql = 'UPDATE '.MAIN_DB_PREFIX.'facturedet';
- $sql .= ' SET buy_price_ht=\''.price2num($value).'\'';
- $sql .= ' WHERE rowid='.$invoicedet_id;
+ $sql .= " SET buy_price_ht = ".((float) price2num($value));
+ $sql .= ' WHERE rowid = '.((int) $invoicedet_id);
 $result = $db->query($sql);
 if (!$result) {
 setEventMessages($db->lasterror, null, 'errors');
diff --git a/htdocs/modulebuilder/template/core/modules/modMyModule.class.php b/htdocs/modulebuilder/template/core/modules/modMyModule.class.php
index 9db4bcb9854..de9188e714d 100644
--- a/htdocs/modulebuilder/template/core/modules/modMyModule.class.php
+++ b/htdocs/modulebuilder/template/core/modules/modMyModule.class.php
@@ -456,10 +456,10 @@ class modMyModule extends DolibarrModules
 }
 $sql = array_merge($sql, array(
- "DELETE FROM ".MAIN_DB_PREFIX."document_model WHERE nom = 'standard_".strtolower($myTmpObjectKey)."' AND type = '".strtolower($myTmpObjectKey)."' AND entity = ".$conf->entity,
- "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity) VALUES('standard_".strtolower($myTmpObjectKey)."','".strtolower($myTmpObjectKey)."',".$conf->entity.")",
- "DELETE FROM ".MAIN_DB_PREFIX."document_model WHERE nom = 'generic_".strtolower($myTmpObjectKey)."_odt' AND type = '".strtolower($myTmpObjectKey)."' AND entity = ".$conf->entity,
- "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity) VALUES('generic_".strtolower($myTmpObjectKey)."_odt', '".strtolower($myTmpObjectKey)."', ".$conf->entity.")"
+ "DELETE FROM ".MAIN_DB_PREFIX."document_model WHERE nom = 'standard_".strtolower($myTmpObjectKey)."' AND type = '".$this->db->escape(strtolower($myTmpObjectKey))."' AND entity = ".((int) $conf->entity),
+ "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity) VALUES('standard_".strtolower($myTmpObjectKey)."', '".$this->db->escape(strtolower($myTmpObjectKey))."', ".((int) $conf->entity).")",
+ "DELETE FROM ".MAIN_DB_PREFIX."document_model WHERE nom = 'generic_".strtolower($myTmpObjectKey)."_odt' AND type = '".$this->db->escape(strtolower($myTmpObjectKey))."' AND entity = ".((int) $conf->entity),
+ "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity) VALUES('generic_".strtolower($myTmpObjectKey)."_odt', '".$this->db->escape(strtolower($myTmpObjectKey))."', ".((int) $conf->entity).")"
 ));
 }
 }
diff --git a/htdocs/multicurrency/class/multicurrency.class.php b/htdocs/multicurrency/class/multicurrency.class.php
index 8c2e01f9ceb..a811a396811 100644
--- a/htdocs/multicurrency/class/multicurrency.class.php
+++ b/htdocs/multicurrency/class/multicurrency.class.php
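Review bot: In the four rewritten statements `type` is now passed through `$this->db->escape(strtolower($myTmpObjectKey))` while the same value, interpolated a few characters earlier into `nom = 'standard_".strtolower($myTmpObjectKey)."'` and `'generic_…_odt'`, is still unescaped, so each line is only half-protected and a reader cannot tell which treatment is intended. Escaping both occurrences, e.g. `nom = 'standard_".$this->db->escape(strtolower($myTmpObjectKey))."'`, makes the statements uniform; since `$myTmpObjectKey` is presumably a module-defined object name rather than request input, the practical exposure is low. Hoisting `$lowerKey = $this->db->escape(strtolower($myTmpObjectKey));` above the array would also remove the eight repeated calls. The enclosing loop starts before the hunk.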
@@ -130,7 +130,7 @@ class MultiCurrency extends CommonObject
 if (empty($this->entity) || $this->entity <= 0) {
 $this->entity = $conf->entity;
 }
- $now = date('Y-m-d H:i:s');
+ $now = dol_now();
 // Insert request
 $sql = 'INSERT INTO '.MAIN_DB_PREFIX.$this->table_element.'(';
@@ -140,11 +140,11 @@ class MultiCurrency extends CommonObject
 $sql .= ' date_create,';
 $sql .= ' fk_user';
 $sql .= ') VALUES (';
- $sql .= ' \''.$this->db->escape($this->code).'\',';
- $sql .= ' \''.$this->db->escape($this->name).'\',';
- $sql .= ' \''.$this->entity.'\',';
- $sql .= ' \''.$now.'\',';
- $sql .= ' \''.$user->id.'\'';
+ $sql .= " '".$this->db->escape($this->code)."',";
+ $sql .= " '".$this->db->escape($this->name)."',";
+ $sql .= " ".((int) $this->entity).",";
+ $sql .= " '".$this->db->idate($now)."',";
+ $sql .= " ".((int) $user->id);
 $sql .= ')';
 $this->db->begin();
@@ -479,8 +479,8 @@ class MultiCurrency extends CommonObject
 {
 $sql = 'SELECT cr.rowid';
 $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element_line.' as cr';
- $sql .= ' WHERE cr.fk_multicurrency = '.((int) $this->id);
- $sql .= ' AND cr.date_sync = (SELECT MAX(cr2.date_sync) FROM '.MAIN_DB_PREFIX.$this->table_element_line.' AS cr2 WHERE cr2.fk_multicurrency = '.((int) $this->id).')';
+ $sql .= " WHERE cr.fk_multicurrency = ".((int) $this->id);
+ $sql .= " AND cr.date_sync = (SELECT MAX(cr2.date_sync) FROM ".MAIN_DB_PREFIX.$this->table_element_line." AS cr2 WHERE cr2.fk_multicurrency = ".((int) $this->id).")";
 dol_syslog(__METHOD__, LOG_DEBUG);
 $resql = $this->db->query($sql);
@@ -781,7 +781,7 @@ class CurrencyRate extends CommonObjectLine
 $sql .= ' fk_multicurrency,';
 $sql .= ' entity';
 $sql .= ') VALUES (';
- $sql .= ' '.$this->rate.',';
+ $sql .= ' '.((float) $this->rate).',';
 $sql .= " '".$this->db->idate($now)."',";
 $sql .= " ".((int) $fk_multicurrency).",";
 $sql .= " ".((int) $this->entity);
@@ -880,13 +880,13 @@ class CurrencyRate extends CommonObjectLine
 $this->rate = price2num($this->rate);
 // Update request
- $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element.' SET';
- $sql .= ' rate='.$this->rate;
+ $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element;
+ $sql .= "SET rate =".((float) $this->rate);
 if (!empty($this->date_sync)) {
 $sql .= ", date_sync='".$this->db->idate($this->date_sync)."'";
 }
 if (!empty($this->fk_multicurrency)) {
- $sql .= ', fk_multicurrency='.$this->fk_multicurrency;
+ $sql .= ', fk_multicurrency='.((int) $this->fk_multicurrency);
 }
 $sql .= ' WHERE rowid='.((int) $this->id);
diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index 4dcdb0df538..e51c553809d 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
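Review bot: `$sql .= "SET rate =".((float) $this->rate);` is appended directly to `'UPDATE '.MAIN_DB_PREFIX.$this->table_element`, which no longer ends with a space, so the statement becomes `UPDATE <prefix><table>SET rate =…` and every CurrencyRate update fails with a syntax error; it should be `$sql .= " SET rate = ".((float) $this->rate);`. The other appended clauses (`, date_sync=`, `, fk_multicurrency=`, ` WHERE rowid=`) keep their leading separator, so only this line is affected. The method body continues outside the hunk.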
@@ -1722,8 +1722,8 @@ class Product extends CommonObject // Add new price $sql = "INSERT INTO ".MAIN_DB_PREFIX."product_price(price_level,date_price, fk_product, fk_user_author, price, price_ttc, price_base_type,tosell, tva_tx, default_vat_code, recuperableonly,"; $sql .= " localtax1_tx, localtax2_tx, localtax1_type, localtax2_type, price_min,price_min_ttc,price_by_qty,entity,fk_price_expression) "; - $sql .= " VALUES(".($level ? $level : 1).", '".$this->db->idate($now)."', ".$this->id.", ".$user->id.", ".price2num($this->price).", ".price2num($this->price_ttc).",'".$this->db->escape($this->price_base_type)."',".((int) $this->status).", ".price2num($this->tva_tx).", ".($this->default_vat_code ? ("'".$this->db->escape($this->default_vat_code)."'") : "null").", ".((int) $this->tva_npr).","; - $sql .= " ".price2num($this->localtax1_tx).", ".price2num($this->localtax2_tx).", '".$this->db->escape($this->localtax1_type)."', '".$this->db->escape($this->localtax2_type)."', ".price2num($this->price_min).", ".price2num($this->price_min_ttc).", ".price2num($this->price_by_qty).", ".$conf->entity.",".($this->fk_price_expression > 0 ? ((int) $this->fk_price_expression) : 'null'); + $sql .= " VALUES(".($level ? ((int) $level) : 1).", '".$this->db->idate($now)."', ".((int) $this->id).", ".((int) $user->id).", ".((float) price2num($this->price)).", ".((float) price2num($this->price_ttc)).",'".$this->db->escape($this->price_base_type)."',".((int) $this->status).", ".((float) price2num($this->tva_tx)).", ".($this->default_vat_code ? ("'".$this->db->escape($this->default_vat_code)."'") : "null").", ".((int) $this->tva_npr).","; + $sql .= " ".price2num($this->localtax1_tx).", ".price2num($this->localtax2_tx).", '".$this->db->escape($this->localtax1_type)."', '".$this->db->escape($this->localtax2_type)."', ".price2num($this->price_min).", ".price2num($this->price_min_ttc).", ".price2num($this->price_by_qty).", ".((int) $conf->entity).",".($this->fk_price_expression > 0 ? 
((int) $this->fk_price_expression) : 'null'); $sql .= ")"; dol_syslog(get_class($this)."::_log_price", LOG_DEBUG); @@ -5742,7 +5742,8 @@ class Product extends CommonObject $label_type = 'short_label'; } - $sql = 'select '.$label_type.', code from '.MAIN_DB_PREFIX.'c_units where rowid='.$this->fk_unit; + $sql = "SELECT ".$label_type.", code from ".MAIN_DB_PREFIX."c_units where rowid = ".((int) $this->fk_unit); + $resql = $this->db->query($sql); if ($resql && $this->db->num_rows($resql) > 0) { $res = $this->db->fetch_array($resql); @@ -5750,7 +5751,7 @@ class Product extends CommonObject $this->db->free($resql); return $label; } else { - $this->error = $this->db->error().' sql='.$sql; + $this->error = $this->db->error(); dol_syslog(get_class($this)."::getLabelOfUnit Error ".$this->error, LOG_ERR); return -1; } diff --git a/htdocs/product/class/productcustomerprice.class.php b/htdocs/product/class/productcustomerprice.class.php index a5e2581d69b..61cba58c374 100644 --- a/htdocs/product/class/productcustomerprice.class.php +++ b/htdocs/product/class/productcustomerprice.class.php @@ -521,7 +521,7 @@ class Productcustomerprice extends CommonObject if (count($filter) > 0) { foreach ($filter as $key => $value) { if (strpos($key, 'date')) { // To allow $filter['YEAR(s.dated)']=>$year - $sql .= " AND ".$key." = '".$db->escape($value)."'"; + $sql .= " AND ".$key." = '".$this->db->escape($value)."'"; } elseif ($key == 'soc.nom') { $sql .= " AND ".$key." LIKE '%".$this->db->escape($value)."%'"; } else { diff --git a/htdocs/product/fournisseurs.php b/htdocs/product/fournisseurs.php index 9451fec435e..938e8d0655c 100644 --- a/htdocs/product/fournisseurs.php +++ b/htdocs/product/fournisseurs.php 
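Review bot: The second VALUES line of the -1722 hunk still interpolates `price2num($this->localtax1_tx)`, `localtax2_tx`, `price_min`, `price_min_ttc` and `price_by_qty` without the `(float)` cast the first line now applies to `price`, `price_ttc` and `tva_tx`. Beyond the inconsistency, if price2num() yields an empty string for an unset property the SQL is left with an empty token (`, ,`) and the INSERT breaks, which the cast avoids. Suggest wrapping each as `((float) price2num($this->localtax1_tx))` and so on, matching the line above. The enclosing method continues past the hunk.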
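Review bot: At -521 the filter column `$key` is still concatenated into the SQL unescaped in all three branches; the `$db` to `$this->db` fix only covers the value side. The comment shows expressions like `YEAR(s.dated)` are intended as keys, so escaping is not the answer, but if `$filter` can be assembled from request parameters this remains an injection point. Restricting `$key` to a fixed set of known column expressions before it is used would be safer than trusting every caller. The enclosing method and the origin of `$filter` are outside the hunk.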
@@ -279,16 +279,16 @@ if (empty($reshook)) { foreach ($extrafield_values as $key => $value) { $sql .= str_replace('options_', '', $key).', '; } - $sql = substr($sql, 0, strlen($sql) - 2).") VALUES (".$object->product_fourn_price_id.", "; + $sql = substr($sql, 0, strlen($sql) - 2).") VALUES (".((int) $object->product_fourn_price_id).", "; foreach ($extrafield_values as $key => $value) { - $sql .= '"'.$value.'", '; + $sql .= "'".$db->escape($value)."', "; } $sql = substr($sql, 0, strlen($sql) - 2).')'; } else { // update the existing one $sql = "UPDATE ".MAIN_DB_PREFIX."product_fournisseur_price_extrafields SET "; foreach ($extrafield_values as $key => $value) { - $sql .= str_replace('options_', '', $key).' = "'.$value.'", '; + $sql .= str_replace('options_', '', $key)." = '".$db->escape($value)."', "; } $sql = substr($sql, 0, strlen($sql) - 2).' WHERE fk_object = '.((int) $object->product_fourn_price_id); } diff --git a/htdocs/product/inventory/class/inventory.class.php b/htdocs/product/inventory/class/inventory.class.php index e17a1fd418f..a6d1504a42c 100644 --- a/htdocs/product/inventory/class/inventory.class.php +++ b/htdocs/product/inventory/class/inventory.class.php @@ -286,10 +286,10 @@ class Inventory extends CommonObject $sql .= " AND p.fk_product_type = 0"; } if ($this->fk_product > 0) { - $sql .= ' AND ps.fk_product = '.$this->fk_product; + $sql .= ' AND ps.fk_product = '.((int) $this->fk_product); } if ($this->fk_warehouse > 0) { - $sql .= ' AND ps.fk_entrepot = '.$this->fk_warehouse; + $sql .= ' AND ps.fk_entrepot = '.((int) $this->fk_warehouse); } $inventoryline = new InventoryLine($this->db); diff --git a/htdocs/product/stats/contrat.php b/htdocs/product/stats/contrat.php index cb7c84fc863..65302ef2c7d 100644 --- a/htdocs/product/stats/contrat.php +++ b/htdocs/product/stats/contrat.php 
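Review bot: The values are now escaped at -279, but the column names built from `str_replace('options_', '', $key)` in both the INSERT and UPDATE branches are still interpolated raw, and the hunk does not show whether `$extrafield_values` comes from the extrafields definition or straight from the request. Validating each key against the attribute names declared for `product_fournisseur_price_extrafields` before building the statement would close that gap. Separately, when `$extrafield_values` is empty the `substr($sql, 0, strlen($sql) - 2)` calls truncate the statement itself; confirm that the block above the hunk skips this path in that case.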
@@ -127,10 +127,10 @@ if ($id > 0 || !empty($ref)) { $now = dol_now(); $sql = "SELECT"; - $sql .= ' sum('.$db->ifsql("cd.statut=0", 1, 0).') as nb_initial,'; - $sql .= ' sum('.$db->ifsql("cd.statut=4 AND cd.date_fin_validite > '".$db->idate($now)."'", 1, 0).") as nb_running,"; - $sql .= ' sum('.$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NULL OR cd.date_fin_validite <= '".$db->idate($now)."')", 1, 0).') as nb_late,'; - $sql .= ' sum('.$db->ifsql("cd.statut=5", 1, 0).') as nb_closed,'; + $sql .= " sum(".$db->ifsql("cd.statut=0", 1, 0).') as nb_initial,'; + $sql .= " sum(".$db->ifsql("cd.statut=4 AND cd.date_fin_validite > '".$db->idate($now)."'", 1, 0).") as nb_running,"; + $sql .= " sum(".$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NULL OR cd.date_fin_validite <= '".$db->idate($now)."')", 1, 0).') as nb_late,'; + $sql .= " sum(".$db->ifsql("cd.statut=5", 1, 0).') as nb_closed,'; $sql .= " c.rowid as rowid, c.ref, c.ref_customer, c.ref_supplier, c.date_contrat, c.statut as statut,"; $sql .= " s.nom as name, s.rowid as socid, s.code_client"; $sql .= " FROM ".MAIN_DB_PREFIX."societe as s"; diff --git a/htdocs/product/stats/mo.php b/htdocs/product/stats/mo.php index 5a5c33312ca..9ad400fe0de 100644 --- a/htdocs/product/stats/mo.php +++ b/htdocs/product/stats/mo.php 
@@ -127,10 +127,10 @@ if ($id > 0 || !empty($ref)) { $now = dol_now(); $sql = "SELECT"; - $sql .= ' sum('.$db->ifsql("cd.role='toconsume'", "cd.qty", 0).') as nb_toconsume,'; - $sql .= ' sum('.$db->ifsql("cd.role='consumed'", "cd.qty", 0).') as nb_consumed,'; - $sql .= ' sum('.$db->ifsql("cd.role='toproduce'", "cd.qty", 0).') as nb_toproduce,'; - $sql .= ' sum('.$db->ifsql("cd.role='produced'", "cd.qty", 0).') as nb_produced,'; + $sql .= " sum(".$db->ifsql("cd.role='toconsume'", "cd.qty", 0).') as nb_toconsume,'; + $sql .= " sum(".$db->ifsql("cd.role='consumed'", "cd.qty", 0).') as nb_consumed,'; + $sql .= " sum(".$db->ifsql("cd.role='toproduce'", "cd.qty", 0).') as nb_toproduce,'; + $sql .= " sum(".$db->ifsql("cd.role='produced'", "cd.qty", 0).') as nb_produced,'; $sql .= " c.rowid as rowid, c.ref, c.date_valid, c.status"; //$sql .= " s.nom as name, s.rowid as socid, s.code_client"; $sql .= " FROM ".MAIN_DB_PREFIX."mrp_mo as c"; diff --git a/htdocs/product/stock/class/entrepot.class.php b/htdocs/product/stock/class/entrepot.class.php index 04dcddb8fab..37f6f76d216 100644 --- a/htdocs/product/stock/class/entrepot.class.php +++ b/htdocs/product/stock/class/entrepot.class.php @@ -205,7 +205,7 @@ class Entrepot extends CommonObject $this->db->begin(); $sql = "INSERT INTO ".MAIN_DB_PREFIX."entrepot (ref, entity, datec, fk_user_author, fk_parent, fk_project)"; - $sql .= " VALUES ('".$this->db->escape($this->label)."', ".$conf->entity.", '".$this->db->idate($now)."', ".$user->id.", ".($this->fk_parent > 0 ? $this->fk_parent : "NULL").", ".($this->fk_project > 0 ? $this->fk_project : "NULL").")"; + $sql .= " VALUES ('".$this->db->escape($this->label)."', ".((int) $conf->entity).", '".$this->db->idate($now)."', ".((int) $user->id).", ".($this->fk_parent > 0 ? ((int) $this->fk_parent) : "NULL").", ".($this->fk_project > 0 ? ((int) $this->fk_project) : "NULL").")"; dol_syslog(get_class($this)."::create", LOG_DEBUG); $result = $this->db->query($sql); 
diff --git a/htdocs/product/stock/class/mouvementstock.class.php b/htdocs/product/stock/class/mouvementstock.class.php index f0c7d51c86b..dd1b2202956 100644 --- a/htdocs/product/stock/class/mouvementstock.class.php +++ b/htdocs/product/stock/class/mouvementstock.class.php @@ -428,7 +428,7 @@ class MouvementStock extends CommonObject $sql .= " datem, fk_product, batch, eatby, sellby,"; $sql .= " fk_entrepot, value, type_mouvement, fk_user_author, label, inventorycode, price, fk_origin, origintype, fk_projet"; $sql .= ")"; - $sql .= " VALUES ('".$this->db->idate($now)."', ".$this->product_id.", "; + $sql .= " VALUES ('".$this->db->idate($now)."', ".((int) $this->product_id).", "; $sql .= " ".($batch ? "'".$this->db->escape($batch)."'" : "null").", "; $sql .= " ".($eatby ? "'".$this->db->idate($eatby)."'" : "null").", "; $sql .= " ".($sellby ? "'".$this->db->idate($sellby)."'" : "null").", "; @@ -436,7 +436,7 @@ class MouvementStock extends CommonObject $sql .= " ".((int) $user->id).","; $sql .= " '".$this->db->escape($label)."',"; $sql .= " ".($inventorycode ? "'".$this->db->escape($inventorycode)."'" : "null").","; - $sql .= " ".price2num($price).","; + $sql .= " ".((float) price2num($price)).","; $sql .= " ".((int) $fk_origin).","; $sql .= " '".$this->db->escape($origintype)."',"; $sql .= " ".((int) $fk_project); @@ -634,12 +634,7 @@ class MouvementStock extends CommonObject $sql .= " t.sellby,"; $sql .= " t.fk_projet as fk_project"; $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.' as t'; - $sql .= ' WHERE 1 = 1'; - //if (null !== $ref) { - //$sql .= ' AND t.ref = ' . '\'' . $ref . '\''; - //} else { - $sql .= ' AND t.rowid = '.((int) $id); - //} + $sql .= ' WHERE t.rowid = '.((int) $id); $resql = $this->db->query($sql); if ($resql) { diff --git a/htdocs/product/stock/list.php b/htdocs/product/stock/list.php index cba4c43bce1..a6fef44bb05 100644 --- a/htdocs/product/stock/list.php +++ b/htdocs/product/stock/list.php 
@@ -259,7 +259,7 @@ foreach ($search as $key => $val) { $mode_search = 2; } if ($search[$key] != '') { - $sql .= natural_search((($key == 'ref') ? 't.ref' : 't.'.$class_key), $search[$key], (($key == 'status') ? 2 : $mode_search)); + $sql .= natural_search((($key == "ref") ? "t.ref" : "t.".$class_key), $search[$key], (($key == 'status') ? 2 : $mode_search)); } } if ($search_all) { diff --git a/htdocs/product/stock/replenish.php b/htdocs/product/stock/replenish.php index ece4d8e3298..ba3011e3c0e 100644 --- a/htdocs/product/stock/replenish.php +++ b/htdocs/product/stock/replenish.php @@ -345,11 +345,11 @@ $sql .= ' p.desiredstock, p.seuil_stock_alerte,'; if (!empty($conf->global->STOCK_ALLOW_ADD_LIMIT_STOCK_BY_WAREHOUSE) && $fk_entrepot > 0) { $sql .= ' pse.desiredstock as desiredstockpse, pse.seuil_stock_alerte as seuil_stock_alertepse,'; } -$sql .= ' '.$sqldesiredtock.' as desiredstockcombined, '.$sqlalertstock.' as seuil_stock_alertecombined,'; +$sql .= " ".$sqldesiredtock." as desiredstockcombined, ".$sqlalertstock." as seuil_stock_alertecombined,"; $sql .= ' s.fk_product,'; -$sql .= ' SUM('.$db->ifsql("s.reel IS NULL", "0", "s.reel").') as stock_physique'; +$sql .= " SUM(".$db->ifsql("s.reel IS NULL", "0", "s.reel").') as stock_physique'; if (!empty($conf->global->STOCK_ALLOW_ADD_LIMIT_STOCK_BY_WAREHOUSE) && $fk_entrepot > 0) { - $sql .= ', SUM('.$db->ifsql("s.reel IS NULL OR s.fk_entrepot <> ".$fk_entrepot, "0", "s.reel").') as stock_real_warehouse'; + $sql .= ", SUM(".$db->ifsql("s.reel IS NULL OR s.fk_entrepot <> ".$fk_entrepot, "0", "s.reel").') as stock_real_warehouse'; } // Add fields from hooks 
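Review bot: At -345 `$fk_entrepot` is concatenated into the ifsql() fragment (`s.fk_entrepot <> ".$fk_entrepot`) without the `(int)` cast this commit applies everywhere else, even though the surrounding `$fk_entrepot > 0` guard shows it is meant to be an integer. Its assignment is outside the hunk; if it originates from a request parameter this is the same class of issue the commit is fixing. Suggest `"s.reel IS NULL OR s.fk_entrepot <> ".((int) $fk_entrepot)`.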
@@ -478,45 +478,45 @@ if ($usevirtualstock) { } $sql .= ' HAVING ('; - $sql .= ' ('.$sqldesiredtock.' >= 0 AND ('.$sqldesiredtock.' > SUM('.$db->ifsql("s.reel IS NULL", "0", "s.reel").')'; - $sql .= ' - ('.$sqlCommandesCli.' - '.$sqlExpeditionsCli.') + ('.$sqlCommandesFourn.' - '.$sqlReceptionFourn.') + ('.$sqlProductionToProduce.' - '.$sqlProductionToConsume.')))'; + $sql .= " (".$sqldesiredtock." >= 0 AND (".$sqldesiredtock." > SUM(".$db->ifsql("s.reel IS NULL", "0", "s.reel").')'; + $sql .= " - (".$sqlCommandesCli." - ".$sqlExpeditionsCli.") + (".$sqlCommandesFourn." - ".$sqlReceptionFourn.") + (".$sqlProductionToProduce." - ".$sqlProductionToConsume.")))"; $sql .= ' OR'; if ($includeproductswithoutdesiredqty == 'on') { - $sql .= ' (('.$sqlalertstock.' >= 0 OR '.$sqlalertstock.' IS NULL) AND ('.$db->ifsql("$sqlalertstock IS NULL", "0", $sqlalertstock).' > SUM('.$db->ifsql("s.reel IS NULL", "0", "s.reel").')'; + $sql .= " ((".$sqlalertstock." >= 0 OR ".$sqlalertstock." IS NULL) AND (".$db->ifsql($sqlalertstock." IS NULL", "0", $sqlalertstock)." > SUM(".$db->ifsql("s.reel IS NULL", "0", "s.reel").")"; } else { - $sql .= ' ('.$sqlalertstock.' >= 0 AND ('.$sqlalertstock.' > SUM('.$db->ifsql("s.reel IS NULL", "0", "s.reel").')'; + $sql .= " (".$sqlalertstock." >= 0 AND (".$sqlalertstock." > SUM(".$db->ifsql("s.reel IS NULL", "0", "s.reel").')'; } - $sql .= ' - ('.$sqlCommandesCli.' - '.$sqlExpeditionsCli.') + ('.$sqlCommandesFourn.' - '.$sqlReceptionFourn.') + ('.$sqlProductionToProduce.' - '.$sqlProductionToConsume.')))'; - $sql .= ')'; + $sql .= " - (".$sqlCommandesCli." - ".$sqlExpeditionsCli.") + (".$sqlCommandesFourn." - ".$sqlReceptionFourn.") + (".$sqlProductionToProduce." - ".$sqlProductionToConsume.")))"; + $sql .= ")"; if ($salert == 'on') { // Option to see when stock is lower than alert $sql .= ' AND ('; if ($includeproductswithoutdesiredqty == 'on') { - $sql .= '('.$sqlalertstock.' >= 0 OR '.$sqlalertstock.' 
IS NULL) AND ('.$db->ifsql("$sqlalertstock IS NULL", "0", $sqlalertstock).' > SUM('.$db->ifsql("s.reel IS NULL", "0", "s.reel").')'; + $sql .= "(".$sqlalertstock." >= 0 OR ".$sqlalertstock." IS NULL) AND (".$db->ifsql($sqlalertstock." IS NULL", "0", $sqlalertstock)." > SUM(".$db->ifsql("s.reel IS NULL", "0", "s.reel").")"; } else { - $sql .= $sqlalertstock.' >= 0 AND ('.$sqlalertstock.' > SUM('.$db->ifsql("s.reel IS NULL", "0", "s.reel").')'; + $sql .= $sqlalertstock." >= 0 AND (".$sqlalertstock." > SUM(".$db->ifsql("s.reel IS NULL", "0", "s.reel").")"; } - $sql .= ' - ('.$sqlCommandesCli.' - '.$sqlExpeditionsCli.') + ('.$sqlCommandesFourn.' - '.$sqlReceptionFourn.') + ('.$sqlProductionToProduce.' - '.$sqlProductionToConsume.'))'; - $sql .= ')'; + $sql .= " - (".$sqlCommandesCli." - ".$sqlExpeditionsCli.") + (".$sqlCommandesFourn." - ".$sqlReceptionFourn.") + (".$sqlProductionToProduce." - ".$sqlProductionToConsume."))"; + $sql .= ")"; $alertchecked = 'checked'; } } else { $sql .= ' HAVING ('; - $sql .= '('.$sqldesiredtock.' >= 0 AND ('.$sqldesiredtock.' > SUM('.$db->ifsql("s.reel IS NULL", "0", "s.reel").')))'; + $sql .= "(".$sqldesiredtock." >= 0 AND (".$sqldesiredtock." > SUM(".$db->ifsql("s.reel IS NULL", "0", "s.reel").")))"; $sql .= ' OR'; if ($includeproductswithoutdesiredqty == 'on') { - $sql .= ' (('.$sqlalertstock.' >= 0 OR '.$sqlalertstock.' IS NULL) AND ('.$db->ifsql("$sqlalertstock IS NULL", "0", $sqlalertstock).' > SUM('.$db->ifsql("s.reel IS NULL", "0", "s.reel").')))'; + $sql .= " ((".$sqlalertstock." >= 0 OR ".$sqlalertstock." IS NULL) AND (".$db->ifsql($sqlalertstock." IS NULL", "0", $sqlalertstock)." > SUM(".$db->ifsql("s.reel IS NULL", "0", "s.reel").')))'; } else { - $sql .= ' ('.$sqlalertstock.' >= 0 AND ('.$sqlalertstock.' > SUM('.$db->ifsql("s.reel IS NULL", "0", "s.reel").')))'; + $sql .= " (".$sqlalertstock." >= 0 AND (".$sqlalertstock." 
> SUM(".$db->ifsql("s.reel IS NULL", "0", "s.reel").')))'; } $sql .= ')'; if ($salert == 'on') { // Option to see when stock is lower than alert - $sql .= ' AND ('; + $sql .= " AND ("; if ($includeproductswithoutdesiredqty == 'on') { - $sql .= ' ('.$sqlalertstock.' >= 0 OR '.$sqlalertstock.' IS NULL) AND ('.$db->ifsql("$sqlalertstock IS NULL", "0", $sqlalertstock).' > SUM('.$db->ifsql("s.reel IS NULL", "0", "s.reel").'))'; + $sql .= " (".$sqlalertstock." >= 0 OR ".$sqlalertstock." IS NULL) AND (".$db->ifsql($sqlalertstock." IS NULL", "0", $sqlalertstock)." > SUM(".$db->ifsql("s.reel IS NULL", "0", "s.reel")."))"; } else { - $sql .= ' '.$sqlalertstock.' >= 0 AND ('.$sqlalertstock.' > SUM('.$db->ifsql("s.reel IS NULL", "0", "s.reel").'))'; + $sql .= " ".$sqlalertstock." >= 0 AND (".$sqlalertstock." > SUM(".$db->ifsql("s.reel IS NULL", "0", "s.reel").'))'; } $sql .= ')'; $alertchecked = 'checked'; @@ -802,7 +802,7 @@ while ($i < ($limit ? min($num, $limit) : $num)) { $sql = 'SELECT label,description'; $sql .= ' FROM '.MAIN_DB_PREFIX.'product_lang'; $sql .= ' WHERE fk_product = '.((int) $objp->rowid); - $sql .= ' AND lang = "'.$langs->getDefaultLang().'"'; + $sql .= " AND lang = '".$db->escape($langs->getDefaultLang())."'"; $sql .= ' LIMIT 1'; $resqlm = $db->query($sql); diff --git a/htdocs/product/stock/stockatdate.php b/htdocs/product/stock/stockatdate.php index 4892004db72..83c57a4a81d 100644 --- a/htdocs/product/stock/stockatdate.php +++ b/htdocs/product/stock/stockatdate.php @@ -272,7 +272,7 @@ if (empty($conf->global->STOCK_SUPPORTS_SERVICES)) { $sql .= " AND p.fk_product_type = 0"; } if (!empty($canvas)) { - $sql .= ' AND p.canvas = "'.$db->escape($canvas).'"'; + $sql .= " AND p.canvas = '".$db->escape($canvas)."'"; } if ($fk_warehouse > 0) { $sql .= ' GROUP BY p.rowid, p.ref, p.label, p.description, p.price, p.price_ttc, p.price_base_type, p.fk_product_type, p.desiredstock, p.seuil_stock_alerte,'; 
@@ -488,7 +488,7 @@ while ($i < ($limit ? min($num, $limit) : $num)) { $sql = 'SELECT label,description'; $sql .= ' FROM '.MAIN_DB_PREFIX.'product_lang'; $sql .= ' WHERE fk_product = '.((int) $objp->rowid); - $sql .= ' AND lang = "'.$langs->getDefaultLang().'"'; + $sql .= " AND lang = '".$db->escape($langs->getDefaultLang())."'"; $sql .= ' LIMIT 1'; $resqlm = $db->query($sql); diff --git a/htdocs/projet/class/projectstats.class.php b/htdocs/projet/class/projectstats.class.php index f437c8a5e10..1439ecd5f20 100644 --- a/htdocs/projet/class/projectstats.class.php +++ b/htdocs/projet/class/projectstats.class.php @@ -165,15 +165,15 @@ class ProjectStats extends Stats $sqlwhere[] = ' t.entity IN ('.getEntity('project').')'; if (!empty($this->userid)) { - $sqlwhere[] = ' t.fk_user_resp='.$this->userid; + $sqlwhere[] = ' t.fk_user_resp = '.((int) $this->userid); } // Forced filter on socid is similar to forced filter on project. TODO Use project assignement to allow to not use filter on project if (!empty($this->socid)) { - $sqlwhere[] = ' t.fk_soc='.$this->socid; + $sqlwhere[] = ' t.fk_soc = '.((int) $this->socid); } if (!empty($this->year) && empty($this->yearmonth)) { - $sqlwhere[] = " date_format(t.datec,'%Y')='".$this->db->escape($this->year)."'"; + $sqlwhere[] = " date_format(t.datec,'%Y') = '".$this->db->escape($this->year)."'"; } if (!empty($this->yearmonth)) { $sqlwhere[] = " t.datec BETWEEN '".$this->db->idate(dol_get_first_day($this->yearmonth))."' AND '".$this->db->idate(dol_get_last_day($this->yearmonth))."'"; diff --git a/htdocs/projet/class/taskstats.class.php b/htdocs/projet/class/taskstats.class.php index 1eb6fda915f..594ad38d723 100644 --- a/htdocs/projet/class/taskstats.class.php +++ b/htdocs/projet/class/taskstats.class.php 
@@ -142,11 +142,11 @@ class TaskStats extends Stats $sqlwhere[] = ' t.entity IN ('.getEntity('project').')'; if (!empty($this->userid)) { - $sqlwhere[] = ' t.fk_user_resp='.$this->userid; + $sqlwhere[] = ' t.fk_user_resp = '.((int) $this->userid); } // Forced filter on socid is similar to forced filter on project. TODO Use project assignement to allow to not use filter on project if (!empty($this->socid)) { - $sqlwhere[] = ' p.fk_soc='.$this->socid; // Link on thirdparty is on project, not on task + $sqlwhere[] = ' p.fk_soc = '.((int) $this->socid); // Link on thirdparty is on project, not on task } if (!empty($this->year) && empty($this->yearmonth)) { $sqlwhere[] = " date_format(t.datec,'%Y')='".$this->db->escape($this->year)."'"; diff --git a/htdocs/public/emailing/mailing-read.php b/htdocs/public/emailing/mailing-read.php index ea9eeb377e7..7fac6ff323e 100644 --- a/htdocs/public/emailing/mailing-read.php +++ b/htdocs/public/emailing/mailing-read.php 
@@ -128,13 +128,13 @@ if (!empty($tag)) { //Update status communication of thirdparty prospect if ($obj->source_id > 0 && $obj->source_type == 'thirdparty' && $obj->entity) { - $sql = "UPDATE ".MAIN_DB_PREFIX.'societe SET fk_stcomm = 3 WHERE fk_stcomm <> -1 AND entity = '.$obj->entity.' AND rowid = '.((int) $obj->source_id); + $sql = "UPDATE ".MAIN_DB_PREFIX.'societe SET fk_stcomm = 3 WHERE fk_stcomm <> -1 AND entity = '.((int) $obj->entity).' AND rowid = '.((int) $obj->source_id); $resql = $db->query($sql); } //Update status communication of contact prospect if ($obj->source_id > 0 && $obj->source_type == 'contact' && $obj->entity) { - $sql = "UPDATE ".MAIN_DB_PREFIX.'societe SET fk_stcomm = 3 WHERE fk_stcomm <> -1 AND entity = '.$obj->entity.' AND rowid IN (SELECT sc.fk_soc FROM '.MAIN_DB_PREFIX.'socpeople AS sc WHERE sc.rowid = '.((int) $obj->source_id).')'; + $sql = "UPDATE ".MAIN_DB_PREFIX.'societe SET fk_stcomm = 3 WHERE fk_stcomm <> -1 AND entity = '.((int) $obj->entity).' AND rowid IN (SELECT sc.fk_soc FROM '.MAIN_DB_PREFIX.'socpeople AS sc WHERE sc.rowid = '.((int) $obj->source_id).')'; $resql = $db->query($sql); } } diff --git a/htdocs/public/emailing/mailing-unsubscribe.php b/htdocs/public/emailing/mailing-unsubscribe.php index 6648bafd07a..76a73e8de05 100644 --- a/htdocs/public/emailing/mailing-unsubscribe.php +++ b/htdocs/public/emailing/mailing-unsubscribe.php 
@@ -149,7 +149,7 @@ if (!empty($tag) && ($unsuscrib == '1')) { */ // Update status communication of email (new usage) - $sql = "INSERT INTO ".MAIN_DB_PREFIX."mailing_unsubscribe (date_creat, entity, email, unsubscribegroup, ip) VALUES ('".$db->idate(dol_now())."', ".$db->escape($obj->entity).", '".$db->escape($obj->email)."', '', '".$db->escape(getUserRemoteIP())."')"; + $sql = "INSERT INTO ".MAIN_DB_PREFIX."mailing_unsubscribe (date_creat, entity, email, unsubscribegroup, ip) VALUES ('".$db->idate(dol_now())."', ".((int) $obj->entity).", '".$db->escape($obj->email)."', '', '".$db->escape(getUserRemoteIP())."')"; $resql = $db->query($sql); //if (! $resql) dol_print_error($db); No test on errors, may fail if already unsubscribed diff --git a/htdocs/public/payment/paymentok.php b/htdocs/public/payment/paymentok.php index e65f3ef31fc..f39d6735dad 100644 --- a/htdocs/public/payment/paymentok.php +++ b/htdocs/public/payment/paymentok.php @@ -585,7 +585,7 @@ if ($ispaymentok) { } } else { $sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_account (fk_soc, login, key_account, site, site_account, status, entity, date_creation, fk_user_creat)"; - $sql .= " VALUES (".$object->fk_soc.", '', '".$db->escape($stripecu)."', 'stripe', '".$db->escape($stripearrayofkeysbyenv[$servicestatus]['publishable_key'])."', ".$servicestatus.", ".$conf->entity.", '".$db->idate(dol_now())."', 0)"; + $sql .= " VALUES (".((int) $object->fk_soc).", '', '".$db->escape($stripecu)."', 'stripe', '".$db->escape($stripearrayofkeysbyenv[$servicestatus]['publishable_key'])."', ".((int) $servicestatus).", ".((int) $conf->entity).", '".$db->idate(dol_now())."', 0)"; $resql = $db->query($sql); if (!$resql) { // should not happen $error++; diff --git a/htdocs/public/recruitment/index.php b/htdocs/public/recruitment/index.php index e576d5abde2..840fd1f4d8f 100644 --- a/htdocs/public/recruitment/index.php +++ b/htdocs/public/recruitment/index.php 
@@ -273,13 +273,13 @@ if ($display_ticket_list) { } } } - $sql .= " ORDER BY ".$sortfield.' '.$sortorder; + $sql .= $db->order($sortfield, $sortorder); $resql = $db->query($sql); if ($resql) { $num_total = $db->num_rows($resql); if (!empty($limit)) { - $sql .= ' '.$db->plimit($limit + 1, $offset); + $sql .= $db->plimit($limit + 1, $offset); } $resql = $db->query($sql); diff --git a/htdocs/public/ticket/list.php b/htdocs/public/ticket/list.php index 5fea0ee94a1..87b0a68ede3 100644 --- a/htdocs/public/ticket/list.php +++ b/htdocs/public/ticket/list.php @@ -374,13 +374,13 @@ if ($action == "view_ticketlist") { } } //$sql .= " GROUP BY t.track_id"; - $sql .= " ORDER BY ".$sortfield.' '.$sortorder; + $sql .= $db->order($sortfield, $sortorder); $resql = $db->query($sql); if ($resql) { $num_total = $db->num_rows($resql); if (!empty($limit)) { - $sql .= ' '.$db->plimit($limit + 1, $offset); + $sql .= $db->plimit($limit + 1, $offset); } $resql = $db->query($sql); diff --git a/htdocs/reception/list.php b/htdocs/reception/list.php index 3541a1b8065..7f4a820bf41 100644 --- a/htdocs/reception/list.php +++ b/htdocs/reception/list.php @@ -506,7 +506,7 @@ foreach ($search_array_options as $key => $val) { $mode = 2; // Search on a foreign key int } if ($crit != '' && (!in_array($typ, array('select', 'sellist')) || $crit != '0')) { - $sql .= natural_search('ef.'.$tmpkey, $crit, $mode); + $sql .= natural_search("ef.".$tmpkey, $crit, $mode); } } // Add where from hooks diff --git a/htdocs/societe/admin/societe.php b/htdocs/societe/admin/societe.php index c87289da390..b9b2046fd90 100644 --- a/htdocs/societe/admin/societe.php +++ b/htdocs/societe/admin/societe.php 
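Review bot: Both public list pages (-273 here and -374 in ticket/list.php) now delegate ORDER BY to `$db->order($sortfield, $sortorder)`, which is better than the raw concatenation, but these are unauthenticated endpoints and the hunks do not show `$sortfield`/`$sortorder` being checked against an allowlist before this point. Unless `$db->order()` is known to reject anything but column characters, validating both against the set of sortable fields earlier in the page is the safer contract. The query is also executed twice (once to count, once with `plimit`); that is pre-existing, but a comment such as `// first run without LIMIT only to obtain $num_total` would make the intent clear.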
@@ -115,7 +115,7 @@ if ($action == 'set') { $type = 'company'; $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)"; - $sql .= " VALUES ('".$db->escape($value)."','".$db->escape($type)."',".$conf->entity.", "; + $sql .= " VALUES ('".$db->escape($value)."', '".$db->escape($type)."', ".((int) $conf->entity).", "; $sql .= ($label ? "'".$db->escape($label)."'" : 'null').", "; $sql .= (!empty($scandir) ? "'".$db->escape($scandir)."'" : "null"); $sql .= ")"; @@ -130,7 +130,7 @@ if ($action == 'set') { if ($action == 'del') { $type = 'company'; $sql = "DELETE FROM ".MAIN_DB_PREFIX."document_model"; - $sql .= " WHERE nom='".$db->escape($value)."' AND type='".$db->escape($type)."' AND entity=".$conf->entity; + $sql .= " WHERE nom='".$db->escape($value)."' AND type='".$db->escape($type)."' AND entity=".((int) $conf->entity); $resql = $db->query($sql); if (!$resql) { dol_print_error($db); @@ -151,12 +151,12 @@ if ($action == 'setdoc') { $sql_del = "DELETE FROM ".MAIN_DB_PREFIX."document_model"; $sql_del .= " WHERE nom = '".$db->escape(GETPOST('value', 'alpha'))."'"; $sql_del .= " AND type = '".$db->escape($type)."'"; - $sql_del .= " AND entity = ".$conf->entity; + $sql_del .= " AND entity = ".((int) $conf->entity); dol_syslog("societe.php ".$sql); $result1 = $db->query($sql_del); $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)"; - $sql .= " VALUES ('".$db->escape($value)."', '".$db->escape($type)."', ".$conf->entity.", "; + $sql .= " VALUES ('".$db->escape($value)."', '".$db->escape($type)."', ".((int) $conf->entity).", "; $sql .= ($label ? "'".$db->escape($label)."'" : 'null').", "; $sql .= (!empty($scandir) ? "'".$db->escape($scandir)."'" : "null"); $sql .= ")"; diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php index d7dde07af5f..74e08914f3f 100644 --- a/htdocs/societe/class/societe.class.php +++ b/htdocs/societe/class/societe.class.php 
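Review bot: In the -151 hunk, `dol_syslog("societe.php ".$sql);` runs just before `$db->query($sql_del)`, so the log records whatever `$sql` held earlier (or nothing) rather than the DELETE actually executed. Change it to `dol_syslog("societe.php ".$sql_del);`. It is a context line the commit did not touch, so the wrong variable survives the change.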
@@ -890,7 +890,7 @@ class Societe extends CommonObject $sql .= ", accountancy_code_buy"; $sql .= ", accountancy_code_sell"; } - $sql .= ") VALUES ('".$this->db->escape($this->name)."', '".$this->db->escape($this->name_alias)."', ".$this->db->escape($this->entity).", '".$this->db->idate($now)."'"; + $sql .= ") VALUES ('".$this->db->escape($this->name)."', '".$this->db->escape($this->name_alias)."', ".((int) $this->entity).", '".$this->db->idate($now)."'"; $sql .= ", ".(!empty($user->id) ? ((int) $user->id) : "null"); $sql .= ", ".(!empty($this->typent_id) ? ((int) $this->typent_id) : "null"); $sql .= ", ".(!empty($this->canvas) ? "'".$this->db->escape($this->canvas)."'" : "null"); @@ -2372,7 +2372,7 @@ class Societe extends CommonObject $sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_prices"; $sql .= " (datec, fk_soc, price_level, fk_user_author)"; - $sql .= " VALUES ('".$this->db->idate($now)."', ".$this->id.", ".((int) $price_level).", ".$user->id.")"; + $sql .= " VALUES ('".$this->db->idate($now)."', ".((int) $this->id).", ".((int) $price_level).", ".((int) $user->id).")"; if (!$this->db->query($sql)) { dol_print_error($this->db); @@ -3388,7 +3388,7 @@ class Societe extends CommonObject $sql = 'SELECT s.parent'; $sql .= ' FROM '.MAIN_DB_PREFIX.'societe as s'; - $sql .= ' WHERE rowid = '.$idparent; + $sql .= ' WHERE rowid = '.((int) $idparent); $resql = $this->db->query($sql); if ($resql) { $obj = $this->db->fetch_object($resql); @@ -3875,7 +3875,7 @@ class Societe extends CommonObject // phpcs:enable if ($categorie_id > 0 && $this->id > 0) { $sql = "INSERT INTO ".MAIN_DB_PREFIX."categorie_fournisseur (fk_categorie, fk_soc) "; - $sql .= " VALUES (".$categorie_id.", ".$this->id.")"; + $sql .= " VALUES (".((int) $categorie_id).", ".((int) $this->id).")"; if ($resql = $this->db->query($sql)) { return 0; diff --git a/htdocs/societe/paymentmodes.php b/htdocs/societe/paymentmodes.php index 664d7d36255..f80bebd9bf5 100644 --- a/htdocs/societe/paymentmodes.php 
+++ b/htdocs/societe/paymentmodes.php @@ -587,7 +587,7 @@ if (empty($reshook)) { $tokenstring['stripe_user_id'] = $stripesup->id; $tokenstring['type'] = $stripesup->type; $sql = "INSERT INTO ".MAIN_DB_PREFIX."oauth_token (service, fk_soc, entity, tokenstring)"; - $sql .= " VALUES ('".$db->escape($service)."', ".$object->id.", ".$conf->entity.", '".$db->escape(json_encode($tokenstring))."')"; + $sql .= " VALUES ('".$db->escape($service)."', ".((int) $object->id).", ".((int) $conf->entity).", '".$db->escape(json_encode($tokenstring))."')"; // TODO Add site and site_account on oauth_token table } catch (Exception $e) { $error++; diff --git a/htdocs/stripe/class/stripe.class.php b/htdocs/stripe/class/stripe.class.php index c671ac9c396..9324d7d3a5d 100644 --- a/htdocs/stripe/class/stripe.class.php +++ b/htdocs/stripe/class/stripe.class.php @@ -246,7 +246,7 @@ class Stripe extends CommonObject // Create customer in Dolibarr $sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_account (fk_soc, login, key_account, site, site_account, status, entity, date_creation, fk_user_creat)"; - $sql .= " VALUES (".$object->id.", '', '".$this->db->escape($customer->id)."', 'stripe', '".$this->db->escape($stripearrayofkeysbyenv[$status]['publishable_key'])."', ".$status.", ".$conf->entity.", '".$this->db->idate(dol_now())."', ".$user->id.")"; + $sql .= " VALUES (".((int) $object->id).", '', '".$this->db->escape($customer->id)."', 'stripe', '".$this->db->escape($stripearrayofkeysbyenv[$status]['publishable_key'])."', ".((int) $status).", ".((int) $conf->entity).", '".$this->db->idate(dol_now())."', ".((int) $user->id).")"; $resql = $this->db->query($sql); if (!$resql) { $this->error = $this->db->lasterror(); 
@@ -509,7 +509,7 @@ class Stripe extends CommonObject if (!$paymentintentalreadyexists) { $now = dol_now(); $sql = "INSERT INTO ".MAIN_DB_PREFIX."prelevement_facture_demande (date_demande, fk_user_demande, ext_payment_id, fk_facture, sourcetype, entity, ext_payment_site, amount)"; - $sql .= " VALUES ('".$this->db->idate($now)."', ".$user->id.", '".$this->db->escape($paymentintent->id)."', ".$object->id.", '".$this->db->escape($object->element)."', ".$conf->entity.", '".$this->db->escape($service)."', ".$amount.")"; + $sql .= " VALUES ('".$this->db->idate($now)."', ".((int) $user->id).", '".$this->db->escape($paymentintent->id)."', ".((int) $object->id).", '".$this->db->escape($object->element)."', ".((int) $conf->entity).", '".$this->db->escape($service)."', ".((float) $amount).")"; $resql = $this->db->query($sql); if (!$resql) { $error++; @@ -675,7 +675,7 @@ class Stripe extends CommonObject { $now=dol_now(); $sql = "INSERT INTO " . MAIN_DB_PREFIX . "prelevement_facture_demande (date_demande, fk_user_demande, ext_payment_id, fk_facture, sourcetype, entity, ext_payment_site)"; - $sql .= " VALUES ('".$this->db->idate($now)."', ".$user->id.", '".$this->db->escape($setupintent->id)."', ".$object->id.", '".$this->db->escape($object->element)."', " . $conf->entity . ", '" . $this->db->escape($service) . "', ".$amount.")"; + $sql .= " VALUES ('".$this->db->idate($now)."', ".((int) $user->id).", '".$this->db->escape($setupintent->id)."', ".((int) $object->id).", '".$this->db->escape($object->element)."', " . ((int) $conf->entity) . ", '" . $this->db->escape($service) . "', ".((float) $amount).")"; $resql = $this->db->query($sql); if (! $resql) { diff --git a/htdocs/supplier_proposal/list.php b/htdocs/supplier_proposal/list.php index a3ab70c8c5a..71cd1c1fa69 100644 --- a/htdocs/supplier_proposal/list.php +++ b/htdocs/supplier_proposal/list.php 
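Review bot: The INSERT at -675 lists seven columns (`date_demande, fk_user_demande, ext_payment_id, fk_facture, sourcetype, entity, ext_payment_site`) but its VALUES clause supplies eight values, the last being `((float) $amount)`, so the statement cannot succeed as written. The sibling INSERT at -509 includes `amount` in the column list; either append `, amount` to the column list here or drop the trailing value. The casts added by the commit are correct but leave this mismatch in place.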
@@ -376,7 +376,7 @@ if ($search_montant_ttc != '') {
 $sql .= natural_search("sp.total_ttc", $search_montant_ttc, 1);
 }
 if ($search_multicurrency_code != '') {
- $sql .= ' AND sp.multicurrency_code = "'.$db->escape($search_multicurrency_code).'"';
+ $sql .= " AND sp.multicurrency_code = '".$db->escape($search_multicurrency_code)."'";
 }
 if ($search_multicurrency_tx != '') {
 $sql .= natural_search('sp.multicurrency_tx', $search_multicurrency_tx, 1);
diff --git a/htdocs/takepos/invoice.php b/htdocs/takepos/invoice.php
index 95167ed3b51..96b06d09271 100644
--- a/htdocs/takepos/invoice.php
+++ b/htdocs/takepos/invoice.php
@@ -629,9 +629,10 @@ if ($action == "delete") {
 }
 $sql = "UPDATE ".MAIN_DB_PREFIX."facture";
- $sql .= " SET fk_soc=".$conf->global->{'CASHDESK_ID_THIRDPARTY'.$_SESSION["takeposterminal"]}.", ";
+ $varforconst = 'CASHDESK_ID_THIRDPARTY'.$_SESSION["takeposterminal"];
+ $sql .= " SET fk_soc = ".((int) $conf->global->$varforconst).", ";
 $sql .= " datec = '".$db->idate(dol_now())."'";
- $sql .= " WHERE ref='(PROV-POS".$db->escape($_SESSION["takeposterminal"]."-".$place).")'";
+ $sql .= " WHERE ref = '(PROV-POS".$db->escape($_SESSION["takeposterminal"]."-".$place).")'";
 $resql1 = $db->query($sql);
 if ($resdeletelines && $resql1) {
diff --git a/htdocs/ticket/class/ticket.class.php b/htdocs/ticket/class/ticket.class.php
index a53d649c2b3..9bf53fb5271 100644
--- a/htdocs/ticket/class/ticket.class.php
+++ b/htdocs/ticket/class/ticket.class.php
@@ -734,7 +734,7 @@ class Ticket extends CommonObject
 $sql .= " AND t.fk_soc = ".((int) $user->socid);
 }
- $sql .= " ORDER BY ".$sortfield.' '.$sortorder;
+ $sql .= $this->db->order($sortfield, $sortorder);
 if (!empty($limit)) {
 $sql .= $this->db->plimit($limit + 1, $offset);
 }
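Review bot: `((int) $conf->global->$varforconst)` on the new `SET fk_soc` line turns an unset or empty `CASHDESK_ID_THIRDPARTY<terminal>` setting into `fk_soc = 0`, so the invoice is silently reassigned to no third party instead of the operation being refused. Guard before building the UPDATE, e.g. `if (empty($conf->global->$varforconst)) { $error++; }`, reporting it the way this page reports its other errors. `$_SESSION["takeposterminal"]` now composes both the constant name and the ref string; it looks like a terminal number, so reading it once through an `(int)` cast would keep both uses unambiguous — verify against where the session value is set. The enclosing `if ($action == "delete")` block starts and ends outside the hunk.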
@@ -2132,124 +2132,6 @@ class Ticket extends CommonObject
 return $array_contact;
 }
- /**
- * Send message
- *
- * @param string $subject Subject
- * @param string $texte Message to send
- * @return int <0 if KO, or number of changes if OK
- */
- public function messageSend($subject, $texte)
- {
- global $conf, $langs, $mysoc, $dolibarr_main_url_root;
- $langs->load("other");
- dol_syslog(get_class($this)."::message_send action=$action, socid=$socid, texte=$texte, objet_type=$objet_type, objet_id=$objet_id, file=$file");
- $internal_contacts = $this->getIdContact('internal', 'SUPPORTTEC');
- $external_contacts = $this->getIdContact('external', 'SUPPORTTEC');
- if ($result) {
- $num = $this->db->num_rows($result);
- $i = 0;
- while ($i < $num) { // For each notification couple defined (third party/actioncode)
- $obj = $this->db->fetch_object($result);
- $sendto = $obj->firstname." ".$obj->lastname." <".$obj->email.">";
- $actiondefid = $obj->adid;
- if (dol_strlen($sendto)) {
- include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
- $application = ($conf->global->MAIN_APPLICATION_TITLE ? 
$conf->global->MAIN_APPLICATION_TITLE : 'Dolibarr ERP/CRM');
- $subject = '['.$application.'] '.$langs->transnoentitiesnoconv("DolibarrNotification");
- $message = $langs->transnoentities("YouReceiveMailBecauseOfNotification", $application, $mysoc->name)."\n";
- $message .= $langs->transnoentities("YouReceiveMailBecauseOfNotification2", $application, $mysoc->name)."\n";
- $message .= "\n";
- $message .= $texte;
- // Add link
- $link = '';
- switch ($objet_type) {
- case 'ficheinter':
- $link = '/fichinter/card.php?id='.$objet_id;
- break;
- case 'propal':
- $link = '/comm/propal.php?id='.$objet_id;
- break;
- case 'facture':
- $link = '/compta/facture/card.php?facid='.$objet_id;
- break;
- case 'order':
- $link = '/commande/card.php?facid='.$objet_id;
- break;
- case 'order_supplier':
- $link = '/fourn/commande/card.php?facid='.$objet_id;
- break;
- }
- // Define $urlwithroot
- $urlwithouturlroot = preg_replace('/'.preg_quote(DOL_URL_ROOT, '/').'$/i', '', trim($dolibarr_main_url_root));
- $urlwithroot = $urlwithouturlroot.DOL_URL_ROOT; // This is to use external domain name found into config file
- //$urlwithroot=DOL_MAIN_URL_ROOT; // This is to use same domain name than current
- if ($link) {
- $message .= "\n".$urlwithroot.$link;
- }
- $filename = basename($file);
- $mimefile = dol_mimetype($file);
- $msgishtml = 0;
- $replyto = $conf->notification->email_from;
- $message = dol_nl2br($message);
- if (!empty($conf->global->TICKET_DISABLE_MAIL_AUTOCOPY_TO)) {
- $old_MAIN_MAIL_AUTOCOPY_TO = $conf->global->MAIN_MAIL_AUTOCOPY_TO;
- $conf->global->MAIN_MAIL_AUTOCOPY_TO = '';
- }
- $mailfile = new CMailFile(
- $subject,
- $sendto,
- $replyto,
- $message,
- array($file),
- array($mimefile),
- array($filename[count($filename) - 1]),
- '',
- '',
- 0,
- $msgishtml
- );
- if ($mailfile->sendfile()) {
- $now = dol_now();
- $sendto = htmlentities($sendto);
- $sql = "INSERT INTO ".MAIN_DB_PREFIX."notify (daten, fk_action, fk_contact, objet_type, objet_id, 
email)";
- $sql .= " VALUES ('".$this->db->idate($now)."', ".$actiondefid.", ".$obj->cid.", '".$this->db->escape($objet_type)."', ".$objet_id.", '".$this->db->escape($obj->email)."')";
- dol_syslog("Notify::send sql=".$sql);
- if (!$this->db->query($sql)) {
- dol_print_error($this->db);
- }
- } else {
- $this->error = $mailfile->error;
- //dol_syslog("Notify::send ".$this->error, LOG_ERR);
- }
- if (!empty($conf->global->TICKET_DISABLE_MAIL_AUTOCOPY_TO)) {
- $conf->global->MAIN_MAIL_AUTOCOPY_TO = $old_MAIN_MAIL_AUTOCOPY_TO;
- }
- }
- $i++;
- }
- return $i;
- } else {
- $this->error = $this->db->error();
- return -1;
- }
- }
 /**
 * Get array of all contacts for a ticket
diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php
index f22882b1852..db2d4583177 100644
--- a/htdocs/user/class/user.class.php
+++ b/htdocs/user/class/user.class.php
@@ -1355,7 +1355,7 @@ class User extends CommonObject
 // Insert into database
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."user (datec, login, ldap_sid, entity)";
- $sql .= " VALUES('".$this->db->idate($this->datec)."','".$this->db->escape($this->login)."','".$this->db->escape($this->ldap_sid)."',".$this->db->escape($this->entity).")";
+ $sql .= " VALUES('".$this->db->idate($this->datec)."', '".$this->db->escape($this->login)."', '".$this->db->escape($this->ldap_sid)."', ".((int) $this->entity).")";
 $result = $this->db->query($sql);
 dol_syslog(get_class($this)."::create", LOG_DEBUG);
@@ -3587,13 +3587,11 @@ class User extends CommonObject
 $sql = 'SELECT rowid';
 $sql .= ' FROM '.MAIN_DB_PREFIX.'user';
-
 if (!empty($conf->global->AGENDA_DISABLE_EXACT_USER_EMAIL_COMPARE_FOR_EXTERNAL_CALENDAR)) {
- $sql .= ' WHERE email LIKE "%'.$email.'%"';
+ $sql .= " WHERE email LIKE '%".$this->db->escape($email)."%'";
 } else {
- $sql .= ' WHERE email = "'.$email.'"';
+ $sql .= " WHERE email = '".$this->db->escape($email)."'";
 }
-
 $sql .= ' LIMIT 1';
 $resql = $this->db->query($sql);
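Review bot: `$this->db->escape($email)` inside the LIKE pattern on the first new `+` line of the `@@ -3587` hunk neutralises quotes but not the LIKE metacharacters `%` and `_`, so when `AGENDA_DISABLE_EXACT_USER_EMAIL_COMPARE_FOR_EXTERNAL_CALENDAR` is set, an email value containing `%` widens the match and `LIMIT 1` hands back an arbitrary user row. Escape the wildcard characters as well before the quote escaping — DoliDB's `escapeforlike()` if this version provides it, otherwise `str_replace(array('%', '_'), array('\\%', '\\_'), $email)`. The hard-coded `$sql .= ' LIMIT 1';` on the context line would also be more portable as `$this->db->plimit(1)`, the helper used elsewhere in this change set. The enclosing method starts outside the hunk.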
diff --git a/htdocs/user/notify/card.php b/htdocs/user/notify/card.php
index a0cc0128b4c..14067af9a08 100644
--- a/htdocs/user/notify/card.php
+++ b/htdocs/user/notify/card.php
@@ -100,7 +100,7 @@ if ($action == 'add') {
 $sql .= " WHERE fk_user=".((int) $id)." AND fk_action=".((int) $actionid);
 if ($db->query($sql)) {
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."notify_def (datec, fk_user, fk_action)";
- $sql .= " VALUES ('".$db->idate($now)."', ".((int) $id).", ".$actionid.")";
+ $sql .= " VALUES ('".$db->idate($now)."', ".((int) $id).", ".((int) $actionid).")";
 if (!$db->query($sql)) {
 $error++;
diff --git a/htdocs/variants/class/ProductCombination.class.php b/htdocs/variants/class/ProductCombination.class.php
index 29cfdf731f9..d4fc03724d0 100644
--- a/htdocs/variants/class/ProductCombination.class.php
+++ b/htdocs/variants/class/ProductCombination.class.php
@@ -942,7 +942,7 @@ class ProductCombination
 $sql .= ' FROM '.MAIN_DB_PREFIX.'product_attribute_combination pac';
 $sql .= ' INNER JOIN '.MAIN_DB_PREFIX.'product_attribute_combination2val pac2v ON pac2v.fk_prod_combination=pac.rowid';
 $sql .= ' INNER JOIN '.MAIN_DB_PREFIX.'product_attribute_value pav ON pav.rowid=pac2v.fk_prod_attr_val';
- $sql .= ' WHERE pac.fk_product_child='.$prod_child;
+ $sql .= ' WHERE pac.fk_product_child='.((int) $prod_child);
 $resql = $this->db->query($sql);
 if ($resql) {
diff --git a/htdocs/website/class/website.class.php b/htdocs/website/class/website.class.php
index 893cd9a6bf1..f48fada2eb9 100644
--- a/htdocs/website/class/website.class.php
+++ b/htdocs/website/class/website.class.php
@@ -1138,7 +1138,7 @@ class Website extends CommonObject
 return -1;
 }
- dol_delete_dir_recursive($conf->website->dir_temp.'/'.$object->ref);
+ dol_delete_dir_recursive($conf->website->dir_temp."/".$object->ref);
 dol_mkdir($conf->website->dir_temp.'/'.$object->ref);
 $filename = basename($pathtofile);
@@ -1183,7 +1183,7 @@ class Website extends CommonObject
 dolCopyDir($conf->website->dir_temp.'/'.$object->ref.'/medias/image/websitekey', $conf->website->dir_output.'/'.$object->ref.'/medias/image/'.$object->ref, 0, 1); // Medias can be shared, do not overwrite if exists
 dolCopyDir($conf->website->dir_temp.'/'.$object->ref.'/medias/js/websitekey', $conf->website->dir_output.'/'.$object->ref.'/medias/js/'.$object->ref, 0, 1); // Medias can be shared, do not overwrite if exists
- $sqlfile = $conf->website->dir_temp.'/'.$object->ref.'/website_pages.sql';
+ $sqlfile = $conf->website->dir_temp."/".$object->ref.'/website_pages.sql';
 $result = dolReplaceInFile($sqlfile, $arrayreplacement);
diff --git a/htdocs/website/index.php b/htdocs/website/index.php
index ffda0802c51..c80c09c7727 100644
--- a/htdocs/website/index.php
+++ b/htdocs/website/index.php
@@ -2378,7 +2378,7 @@ if ($action == 'generatesitemaps' && $usercanedit) {
 // Add "has translation pages"
 $sql = 'SELECT rowid as id, lang, pageurl from '.MAIN_DB_PREFIX.'website_page';
- $sql .= ' WHERE status = '.WebsitePage::STATUS_VALIDATED.' AND fk_page IN ('.$db->sanitize($objp->rowid.($translationof ? ', '.$translationof : '')).")";
+ $sql .= " WHERE status = ".((int) WebsitePage::STATUS_VALIDATED).' AND fk_page IN ('.$db->sanitize($objp->rowid.($translationof ? ", ".$translationof : "")).")";
 $resqlhastrans = $db->query($sql);
 if ($resqlhastrans) {
 $num_rows_hastrans = $db->num_rows($resqlhastrans);
@@ -2857,7 +2857,7 @@ if (!GETPOST('hide_websitemenu')) {
 $pagepreviousid = 0;
 $pagenextid = 0;
 if ($pageid) {
- $sql = 'SELECT MAX(rowid) as pagepreviousid FROM '.MAIN_DB_PREFIX.'website_page WHERE rowid < '.$pageid.' AND fk_website = '.((int) $object->id);
+ $sql = "SELECT MAX(rowid) as pagepreviousid FROM ".MAIN_DB_PREFIX."website_page WHERE rowid < ".((int) $pageid)." AND fk_website = ".((int) $object->id);
 $resql = $db->query($sql);
 if ($resql) {
 $obj = $db->fetch_object($resql);
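Review bot: The `IN (...)` list on the new `+` line of the `@@ -2378` hunk is still built by concatenating `$objp->rowid` and `$translationof` into a string and running it through `$db->sanitize()`, while every other id in this commit is pinned with an `(int)` cast; `sanitize()` is a character filter and, as far as I recall, lets letters through, so it is a weaker guarantee than an integer cast for a list that is known to hold only row ids. Build the list from cast values instead: `$sql .= " WHERE status = ".((int) WebsitePage::STATUS_VALIDATED)." AND fk_page IN (".((int) $objp->rowid).($translationof ? ", ".((int) $translationof) : "").")";`. The `(int)` on the class constant `WebsitePage::STATUS_VALIDATED` is harmless but adds nothing. The enclosing `if ($action == 'generatesitemaps' ...)` block starts and ends outside the hunk.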
@@ -2867,7 +2867,7 @@ if (!GETPOST('hide_websitemenu')) {
 } else {
 dol_print_error($db);
 }
- $sql = 'SELECT MIN(rowid) as pagenextid FROM '.MAIN_DB_PREFIX.'website_page WHERE rowid > '.$pageid.' AND fk_website = '.((int) $object->id);
+ $sql = "SELECT MIN(rowid) as pagenextid FROM ".MAIN_DB_PREFIX."website_page WHERE rowid > ".((int) $pageid)." AND fk_website = ".((int) $object->id);
 $resql = $db->query($sql);
 if ($resql) {
 $obj = $db->fetch_object($resql);
@@ -3829,7 +3829,7 @@ if ($action == 'editmeta' || $action == 'createcontainer') { // Edit properties
 print '';
 if ($action != 'createcontainer') {
 // Has translation pages
- $sql = 'SELECT rowid, lang from '.MAIN_DB_PREFIX.'website_page where fk_page = '.$objectpage->id;
+ $sql = 'SELECT rowid, lang from '.MAIN_DB_PREFIX.'website_page where fk_page = '.((int) $objectpage->id);
 $resql = $db->query($sql);
 if ($resql) {
 $num_rows = $db->num_rows($resql);