Fix escape
This commit is contained in:
parent
7dd69a2b2b
commit
54c0f742b1
@ -283,7 +283,7 @@ print load_fiche_titre($langs->trans("BankAccountModelModule"), '', '');
|
||||
$def = array();
|
||||
$sql = "SELECT nom";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."document_model";
|
||||
$sql .= " WHERE type = '".$type."'";
|
||||
$sql .= " WHERE type = '".$db->escape($type)."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
$resql = $db->query($sql);
|
||||
if ($resql) {
|
||||
|
||||
@ -58,10 +58,10 @@ if ($action == 'setbarcodeproducton')
|
||||
if ($action == 'setcoder')
|
||||
{
|
||||
$coder = GETPOST('coder', 'alpha');
|
||||
$code_id = GETPOST('code_id', 'alpha');
|
||||
$code_id = GETPOST('code_id', 'int');
|
||||
$sqlp = "UPDATE ".MAIN_DB_PREFIX."c_barcode_type";
|
||||
$sqlp .= " SET coder = '".$coder."'";
|
||||
$sqlp .= " WHERE rowid = ".$code_id;
|
||||
$sqlp .= " SET coder = '".$db->escape($coder)."'";
|
||||
$sqlp .= " WHERE rowid = ".((int) $code_id);
|
||||
$sqlp .= " AND entity = ".$conf->entity;
|
||||
|
||||
$resql = $db->query($sqlp);
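Review bot: `$conf->entity` on the `AND entity = ` line is still concatenated raw while the hunk casts `$code_id`; for consistency with the rest of this commit cast it too, `$sqlp .= " AND entity = ".((int) $conf->entity);`. Since `(int)` turns a missing or non-numeric `code_id` into 0, the UPDATE then silently matches no row; a guard such as `if ($code_id > 0)` before building the query, or an explicit error, would make that visible. The `setcoder` block continues past the hunk.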
|
||||
@ -104,8 +104,8 @@ if ($action == 'setcoder')
|
||||
$code_id = $obj->rowid;
|
||||
|
||||
$sqlp = "UPDATE ".MAIN_DB_PREFIX."c_barcode_type";
|
||||
$sqlp .= " SET coder = '".$coder."'";
|
||||
$sqlp .= " WHERE rowid = ".$code_id;
|
||||
$sqlp .= " SET coder = '".$db->escape($coder)."'";
|
||||
$sqlp .= " WHERE rowid = ".((int) $code_id);
|
||||
$sqlp .= " AND entity = ".$conf->entity;
|
||||
|
||||
$upsql = $db->query($sqlp);
|
||||
|
||||
@ -292,7 +292,7 @@ print load_fiche_titre($langs->trans("BOMsModelModule"), '', '');
|
||||
$def = array();
|
||||
$sql = "SELECT nom";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."document_model";
|
||||
$sql .= " WHERE type = '".$type."'";
|
||||
$sql .= " WHERE type = '".$db->escape($type)."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
$resql = $db->query($sql);
|
||||
if ($resql)
|
||||
|
||||
@ -648,9 +648,9 @@ if ($massaction == 'confirm_createbills') // Create bills from orders
|
||||
$sql .= ", targettype";
|
||||
$sql .= ") VALUES (";
|
||||
$sql .= $id_order;
|
||||
$sql .= ", '".$objecttmp->origin."'";
|
||||
$sql .= ", '".$db->escape($objecttmp->origin)."'";
|
||||
$sql .= ", ".$objecttmp->id;
|
||||
$sql .= ", '".$objecttmp->element."'";
|
||||
$sql .= ", '".$db->escape($objecttmp->element)."'";
|
||||
$sql .= ")";
|
||||
|
||||
if (!$db->query($sql))
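Review bot: `$id_order` and `$objecttmp->id` are concatenated into the INSERT values without a cast while the two string columns now get `escape()`; apply the integer treatment the commit uses elsewhere, `$sql .= ((int) $id_order);` and `$sql .= ", ".((int) $objecttmp->id);`. The INSERT statement and the enclosing `confirm_createbills` branch start before the hunk, so I cannot see where `$id_order` is assigned.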
|
||||
|
||||
@ -117,7 +117,7 @@ class box_produits extends ModeleBoxes
|
||||
$sqld = "SELECT label";
|
||||
$sqld .= " FROM ".MAIN_DB_PREFIX."product_lang";
|
||||
$sqld .= " WHERE fk_product=".$objp->rowid;
|
||||
$sqld .= " AND lang='".$langs->getDefaultLang()."'";
|
||||
$sqld .= " AND lang='".$this->db->escape($langs->getDefaultLang())."'";
|
||||
$sqld .= " LIMIT 1";
|
||||
|
||||
$resultd = $this->db->query($sqld);
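Review bot: `$objp->rowid` on the `WHERE fk_product=` line stays an unquoted raw concatenation; it presumably comes from a prior result row and is numeric, but the cheap hardening consistent with this commit is `$sqld .= " WHERE fk_product = ".((int) $objp->rowid);`. Escaping `getDefaultLang()` is harmless though that value is configuration, not user input. The enclosing method starts before the hunk.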
|
||||
|
||||
@ -130,7 +130,7 @@ class box_produits_alerte_stock extends ModeleBoxes
|
||||
$sqld = "SELECT label";
|
||||
$sqld .= " FROM ".MAIN_DB_PREFIX."product_lang";
|
||||
$sqld .= " WHERE fk_product=".$objp->rowid;
|
||||
$sqld .= " AND lang='".$langs->getDefaultLang()."'";
|
||||
$sqld .= " AND lang='".$this->db->escape($langs->getDefaultLang())."'";
|
||||
$sqld .= " LIMIT 1";
|
||||
|
||||
$resultd = $this->db->query($sqld);
|
||||
|
||||
@ -154,10 +154,10 @@ class box_task extends ModeleBoxes
|
||||
$sql .= " JOIN ".MAIN_DB_PREFIX."projet as p ON (pt.fk_projet = p.rowid)";
|
||||
|
||||
if ($filterValue === 'im_task_contact') {
|
||||
$sql .= " JOIN ".MAIN_DB_PREFIX."element_contact as ec ON (ec.element_id = pt.rowid AND ec.fk_socpeople = '".$user->id."' )";
|
||||
$sql .= " JOIN ".MAIN_DB_PREFIX."element_contact as ec ON (ec.element_id = pt.rowid AND ec.fk_socpeople = ".((int) $user->id).")";
|
||||
$sql .= " JOIN ".MAIN_DB_PREFIX."c_type_contact as tc ON (ec.fk_c_type_contact = tc.rowid AND tc.element = 'project_task' AND tc.source = 'internal' )";
|
||||
} elseif ($filterValue === 'im_project_contact') {
|
||||
$sql .= " JOIN ".MAIN_DB_PREFIX."element_contact as ec ON (ec.element_id = p.rowid AND ec.fk_socpeople = '".$user->id."' )";
|
||||
$sql .= " JOIN ".MAIN_DB_PREFIX."element_contact as ec ON (ec.element_id = p.rowid AND ec.fk_socpeople = ".((int) $user->id).")";
|
||||
$sql .= " JOIN ".MAIN_DB_PREFIX."c_type_contact as tc ON (ec.fk_c_type_contact = tc.rowid AND tc.element = 'project' AND tc.source = 'internal' )";
|
||||
}
|
||||
|
||||
|
||||
@ -604,7 +604,7 @@ abstract class CommonDocGenerator
|
||||
if ($columns != "")
|
||||
{
|
||||
$columns = substr($columns, 0, strlen($columns) - 2);
|
||||
$resql = $this->db->query("SELECT $columns FROM ".MAIN_DB_PREFIX."product_fournisseur_price_extrafields AS ex INNER JOIN ".MAIN_DB_PREFIX."product_fournisseur_price AS f ON ex.fk_object = f.rowid WHERE f.ref_fourn = '".$line->ref_supplier."'");
|
||||
$resql = $this->db->query("SELECT ".$columns." FROM ".MAIN_DB_PREFIX."product_fournisseur_price_extrafields AS ex INNER JOIN ".MAIN_DB_PREFIX."product_fournisseur_price AS f ON ex.fk_object = f.rowid WHERE f.ref_fourn = '".$this->db->escape($line->ref_supplier)."'");
|
||||
|
||||
if ($this->db->num_rows($resql) > 0)
|
||||
{
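Review bot: `$columns` is spliced into the SELECT list as raw identifiers, which `escape()` cannot protect because it escapes string literals, not identifiers; it is assembled above the hunk so I cannot see its source, but each name should be validated where it is built, e.g. `preg_match('/^[a-zA-Z0-9_]+$/', $name)`, before concatenation. Separately, `num_rows($resql)` is called without checking `$resql` for false, so a failed query (for instance an unknown column) produces a warning instead of an error path; `if ($resql && $this->db->num_rows($resql) > 0)` closes that. The enclosing method starts before the hunk.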
|
||||
|
||||
@ -462,7 +462,7 @@ abstract class CommonInvoice extends CommonObject
|
||||
$type = 'customer_invoice';
|
||||
if ($this->element == 'invoice_supplier') $type = 'supplier_invoice';
|
||||
|
||||
$sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$type."' AND ab.fk_doc = ".$this->id;
|
||||
$sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$this->db->escape($type)."' AND ab.fk_doc = ".$this->id;
|
||||
$resql = $this->db->query($sql);
|
||||
if ($resql)
|
||||
{
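Review bot: `$this->id` in the `AND ab.fk_doc = ` clause is still a raw concatenation; cast it like the other ids in this commit, `... AND ab.fk_doc = ".((int) $this->id);`. Escaping `$type` is fine but redundant here, since both possible values are literals assigned two lines above. The method starts before the hunk.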
|
||||
|
||||
@ -1028,8 +1028,8 @@ abstract class CommonObject
|
||||
// Insert into database
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."element_contact set";
|
||||
$sql .= " statut = ".$statut;
|
||||
if ($type_contact_id) $sql .= ", fk_c_type_contact = '".$type_contact_id."'";
|
||||
if ($fk_socpeople) $sql .= ", fk_socpeople = '".$fk_socpeople."'";
|
||||
if ($type_contact_id) $sql .= ", fk_c_type_contact = ".((int) $type_contact_id);
|
||||
if ($fk_socpeople) $sql .= ", fk_socpeople = ".((int) $fk_socpeople);
|
||||
$sql .= " where rowid = ".$rowid;
|
||||
$resql = $this->db->query($sql);
|
||||
if ($resql)
|
||||
@ -1389,9 +1389,9 @@ abstract class CommonObject
|
||||
if ($source == 'internal') $sql .= " AND c.entity IN (".getEntity('user').")";
|
||||
if ($source == 'external') $sql .= " AND c.entity IN (".getEntity('societe').")";
|
||||
$sql .= " AND ec.fk_c_type_contact = tc.rowid";
|
||||
$sql .= " AND tc.element = '".$element."'";
|
||||
$sql .= " AND tc.source = '".$source."'";
|
||||
if ($code) $sql .= " AND tc.code = '".$code."'";
|
||||
$sql .= " AND tc.element = '".$this->db->escape($element)."'";
|
||||
$sql .= " AND tc.source = '".$this->db->escape($source)."'";
|
||||
if ($code) $sql .= " AND tc.code = '".$this->db->escape($code)."'";
|
||||
$sql .= " AND tc.active = 1";
|
||||
if ($status) $sql .= " AND ec.statut = ".$status;
|
||||
|
||||
@ -3243,16 +3243,16 @@ abstract class CommonObject
|
||||
{
|
||||
if ($justsource)
|
||||
{
|
||||
$sql .= "fk_source = ".$sourceid." AND sourcetype = '".$sourcetype."'";
|
||||
if ($withtargettype) $sql .= " AND targettype = '".$targettype."'";
|
||||
$sql .= "fk_source = ".$sourceid." AND sourcetype = '".$this->db->escape($sourcetype)."'";
|
||||
if ($withtargettype) $sql .= " AND targettype = '".$this->db->escape($targettype)."'";
|
||||
} elseif ($justtarget)
|
||||
{
|
||||
$sql .= "fk_target = ".$targetid." AND targettype = '".$targettype."'";
|
||||
if ($withsourcetype) $sql .= " AND sourcetype = '".$sourcetype."'";
|
||||
$sql .= "fk_target = ".$targetid." AND targettype = '".$this->db->escape($targettype)."'";
|
||||
if ($withsourcetype) $sql .= " AND sourcetype = '".$this->db->escape($sourcetype)."'";
|
||||
}
|
||||
} else {
|
||||
$sql .= "(fk_source = ".$sourceid." AND sourcetype = '".$sourcetype."')";
|
||||
$sql .= " ".$clause." (fk_target = ".$targetid." AND targettype = '".$targettype."')";
|
||||
$sql .= "(fk_source = ".$sourceid." AND sourcetype = '".$this->db->escape($sourcetype)."')";
|
||||
$sql .= " ".$clause." (fk_target = ".$targetid." AND targettype = '".$this->db->escape($targettype)."')";
|
||||
}
|
||||
$sql .= ' ORDER BY '.$orderby;
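Review bot: `$sourceid` and `$targetid` remain raw in every branch of this hunk, and `$orderby` is appended unquoted to `ORDER BY` on the last line, where `escape()` cannot help because it is an identifier list rather than a string literal; `$clause` is spliced in raw the same way. Cast the ids, `"fk_source = ".((int) $sourceid)` and `"fk_target = ".((int) $targetid)`, and validate `$orderby` against an allow-list of column names (or at least `/^[a-zA-Z0-9_., ]+$/`) and `$clause` against `AND`/`OR` before building the query. The method and the `$sql` prefix begin above the hunk, so I cannot see whether these are caller-controlled.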
|
||||
|
||||
@ -4841,7 +4841,7 @@ abstract class CommonObject
|
||||
// Request to get translation values for object
|
||||
$sql = "SELECT rowid, property, lang , value";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."object_lang";
|
||||
$sql .= " WHERE type_object = '".$element."'";
|
||||
$sql .= " WHERE type_object = '".$this->db->escape($element)."'";
|
||||
$sql .= " AND fk_object = ".$this->id;
|
||||
|
||||
//dol_syslog(get_class($this)."::fetch_optionals get extrafields data for ".$this->table_element, LOG_DEBUG); // Too verbose
|
||||
@ -8295,7 +8295,7 @@ abstract class CommonObject
|
||||
|
||||
$sql = "INSERT INTO ".MAIN_DB_PREFIX."categorie_".(empty($categorystatic->MAP_CAT_TABLE[$type]) ? $type : $categorystatic->MAP_CAT_TABLE[$type])." (fk_categorie, fk_product)";
|
||||
$sql .= " SELECT fk_categorie, $toId FROM ".MAIN_DB_PREFIX."categorie_".(empty($categorystatic->MAP_CAT_TABLE[$type]) ? $type : $categorystatic->MAP_CAT_TABLE[$type]);
|
||||
$sql .= " WHERE fk_product = '".$fromId."'";
|
||||
$sql .= " WHERE fk_product = ".((int) $fromId);
|
||||
|
||||
if (!$this->db->query($sql))
|
||||
{
|
||||
@ -8341,7 +8341,7 @@ abstract class CommonObject
|
||||
|
||||
$sql = "DELETE FROM ".MAIN_DB_PREFIX."ecm_files";
|
||||
$sql.= " WHERE filename LIKE '".$this->db->escape($this->ref)."%'";
|
||||
$sql.= " AND filepath = '".$element."/".$this->db->escape($this->ref)."' AND entity = ".$conf->entity;
|
||||
$sql.= " AND filepath = '".$this->db->escape($element)."/".$this->db->escape($this->ref)."' AND entity = ".$conf->entity;
|
||||
|
||||
if (!$this->db->query($sql)) {
|
||||
$this->error = $this->db->lasterror();
|
||||
|
||||
@ -426,7 +426,7 @@ class ExtraFields
|
||||
$sql .= " help,";
|
||||
$sql .= " totalizable";
|
||||
$sql .= " )";
|
||||
$sql .= " VALUES('".$attrname."',";
|
||||
$sql .= " VALUES('".$this->db->escape($attrname)."',";
|
||||
$sql .= " '".$this->db->escape($label)."',";
|
||||
$sql .= " '".$this->db->escape($type)."',";
|
||||
$sql .= " ".$pos.",";
|
||||
@ -494,8 +494,8 @@ class ExtraFields
|
||||
{
|
||||
$sql = "SELECT COUNT(rowid) as nb";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."extrafields";
|
||||
$sql .= " WHERE elementtype = '".$elementtype."'";
|
||||
$sql .= " AND name = '".$attrname."'";
|
||||
$sql .= " WHERE elementtype = '".$this->db->escape($elementtype)."'";
|
||||
$sql .= " AND name = '".$this->db->escape($attrname)."'";
|
||||
//$sql.= " AND entity IN (0,".$conf->entity.")"; Do not test on entity here. We want to see if there is still on field remaning in other entities before deleting field in table
|
||||
$resql = $this->db->query($sql);
|
||||
if ($resql)
|
||||
@ -539,9 +539,9 @@ class ExtraFields
|
||||
if (isset($attrname) && $attrname != '' && preg_match("/^\w[a-zA-Z0-9-_]*$/", $attrname))
|
||||
{
|
||||
$sql = "DELETE FROM ".MAIN_DB_PREFIX."extrafields";
|
||||
$sql .= " WHERE name = '".$attrname."'";
|
||||
$sql .= " WHERE name = '".$this->db->escape($attrname)."'";
|
||||
$sql .= " AND entity IN (0,".$conf->entity.')';
|
||||
$sql .= " AND elementtype = '".$elementtype."'";
|
||||
$sql .= " AND elementtype = '".$this->db->escape($elementtype)."'";
|
||||
|
||||
dol_syslog(get_class($this)."::delete_label", LOG_DEBUG);
|
||||
$resql = $this->db->query($sql);
|
||||
@ -724,15 +724,15 @@ class ExtraFields
|
||||
{
|
||||
// We dont want on all entities, we delete all and current
|
||||
$sql_del = "DELETE FROM ".MAIN_DB_PREFIX."extrafields";
|
||||
$sql_del .= " WHERE name = '".$attrname."'";
|
||||
$sql_del .= " WHERE name = '".$this->db->escape($attrname)."'";
|
||||
$sql_del .= " AND entity IN (0, ".($entity === '' ? $conf->entity : $entity).")";
|
||||
$sql_del .= " AND elementtype = '".$elementtype."'";
|
||||
$sql_del .= " AND elementtype = '".$this->db->escape($elementtype)."'";
|
||||
} else {
|
||||
// We want on all entities ($entities = '0'), we delete on all only (we keep setup specific to each entity)
|
||||
$sql_del = "DELETE FROM ".MAIN_DB_PREFIX."extrafields";
|
||||
$sql_del .= " WHERE name = '".$attrname."'";
|
||||
$sql_del .= " WHERE name = '".$this->db->escape($attrname)."'";
|
||||
$sql_del .= " AND entity = 0";
|
||||
$sql_del .= " AND elementtype = '".$elementtype."'";
|
||||
$sql_del .= " AND elementtype = '".$this->db->escape($elementtype)."'";
|
||||
}
|
||||
$resql1 = $this->db->query($sql_del);
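Review bot: `$entity` on the `entity IN (0, …)` line is a caller-supplied value concatenated raw (`$entity === '' ? $conf->entity : $entity`); both branches of that ternary should be cast, `" AND entity IN (0, ".((int) ($entity === '' ? $conf->entity : $entity)).")"`. The `escape()` on `$attrname` and `$elementtype` is fine; if this method also has the `preg_match("/^\w[a-zA-Z0-9-_]*$/")` guard that `delete_label` shows, `$attrname` is already constrained and the escape is belt-and-braces. The method starts before the hunk.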
|
||||
|
||||
@ -761,7 +761,7 @@ class ExtraFields
|
||||
$sql .= " enabled,";
|
||||
$sql .= " help";
|
||||
$sql .= ") VALUES (";
|
||||
$sql .= "'".$attrname."',";
|
||||
$sql .= "'".$this->db->escape($attrname)."',";
|
||||
$sql .= " ".($entity === '' ? $conf->entity : $entity).",";
|
||||
$sql .= " '".$this->db->escape($label)."',";
|
||||
$sql .= " '".$this->db->escape($type)."',";
|
||||
@ -829,7 +829,7 @@ class ExtraFields
|
||||
$sql = "SELECT rowid,name,label,type,size,elementtype,fieldunique,fieldrequired,param,pos,alwayseditable,perms,langs,list,printable,totalizable,fielddefault,fieldcomputed,entity,enabled,help";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."extrafields";
|
||||
//$sql.= " WHERE entity IN (0,".$conf->entity.")"; // Filter is done later
|
||||
if ($elementtype) $sql .= " WHERE elementtype = '".$elementtype."'"; // Filed with object->table_element
|
||||
if ($elementtype) $sql .= " WHERE elementtype = '".$this->db->escape($elementtype)."'"; // Filed with object->table_element
|
||||
$sql .= " ORDER BY pos";
|
||||
|
||||
$resql = $this->db->query($sql);
|
||||
|
||||
@ -2183,7 +2183,7 @@ class Form
|
||||
// Multilang : we add translation
|
||||
if (!empty($conf->global->MAIN_MULTILANGS))
|
||||
{
|
||||
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lang as pl ON pl.fk_product = p.rowid AND pl.lang='".$langs->getDefaultLang()."'";
|
||||
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lang as pl ON pl.fk_product = p.rowid AND pl.lang='".$this->db->escape($langs->getDefaultLang())."'";
|
||||
}
|
||||
|
||||
if (!empty($conf->global->PRODUIT_ATTRIBUTES_HIDECHILD)) {
|
||||
@ -2503,9 +2503,9 @@ class Form
|
||||
{
|
||||
$sql = "SELECT price, price_ttc, price_base_type, tva_tx";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."product_price";
|
||||
$sql .= " WHERE fk_product='".$objp->rowid."'";
|
||||
$sql .= " WHERE fk_product = ".((int) $objp->rowid);
|
||||
$sql .= " AND entity IN (".getEntity('productprice').")";
|
||||
$sql .= " AND price_level=".$price_level;
|
||||
$sql .= " AND price_level = ".((int) $price_level);
|
||||
$sql .= " ORDER BY date_price DESC, rowid DESC"; // Warning DESC must be both on date_price and rowid.
|
||||
$sql .= " LIMIT 1";
|
||||
|
||||
@ -7016,7 +7016,7 @@ class Form
|
||||
// phpcs:enable
|
||||
$sql = "SELECT rowid, label";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."export_model";
|
||||
$sql .= " WHERE type = '".$type."'";
|
||||
$sql .= " WHERE type = '".$this->db->escape($type)."'";
|
||||
$sql .= " ORDER BY rowid";
|
||||
$result = $this->db->query($sql);
|
||||
if ($result)
|
||||
@ -7460,10 +7460,10 @@ class Form
|
||||
if (!empty($conf->multicompany->enabled) && $conf->entity == 1 && $user->admin && !$user->entity)
|
||||
{
|
||||
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."entity as e ON e.rowid=ug.entity";
|
||||
if ($force_entity) $sql .= " WHERE ug.entity IN (0,".$force_entity.")";
|
||||
if ($force_entity) $sql .= " WHERE ug.entity IN (0, ".$force_entity.")";
|
||||
else $sql .= " WHERE ug.entity IS NOT NULL";
|
||||
} else {
|
||||
$sql .= " WHERE ug.entity IN (0,".$conf->entity.")";
|
||||
$sql .= " WHERE ug.entity IN (0, ".$conf->entity.")";
|
||||
}
|
||||
if (is_array($exclude) && $excludeGroups) $sql .= " AND ug.rowid NOT IN ('".$excludeGroups."')";
|
||||
if (is_array($include) && $includeGroups) $sql .= " AND ug.rowid IN ('".$includeGroups."')";
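Review bot: the changed lines only add a space, but `$force_entity` on the same line is concatenated raw into `IN (0, …)`; cast it, `" WHERE ug.entity IN (0, ".((int) $force_entity).")"`, and likewise `((int) $conf->entity)` in the else branch. On the two context lines below, `ug.rowid NOT IN ('".$excludeGroups."')` wraps what looks like a comma-joined id list in single quotes, so a multi-id value becomes one string literal compared against an integer column; if `$excludeGroups`/`$includeGroups` are built from `$exclude`/`$include` they should be produced as `implode(',', array_map('intval', $exclude))` and used without the quotes. The method starts before the hunk, so I cannot confirm how those two variables are built.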
|
||||
|
||||
@ -174,7 +174,7 @@ class FormAccounting extends Form
|
||||
$sql .= " WHERE c.active = 1";
|
||||
$sql .= " AND c.category_type = 0";
|
||||
$sql .= " AND c.fk_country = co.rowid";
|
||||
if (empty($allcountries)) $sql .= " AND co.code = '".$mysoc->country_code."'";
|
||||
if (empty($allcountries)) $sql .= " AND co.code = '".$this->db->escape($mysoc->country_code)."'";
|
||||
$sql .= " ORDER BY c.label ASC";
|
||||
}
|
||||
|
||||
|
||||
@ -516,7 +516,7 @@ class FormCompany extends Form
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."c_forme_juridique as f, ".MAIN_DB_PREFIX."c_country as c";
|
||||
$sql .= " WHERE f.fk_pays=c.rowid";
|
||||
$sql .= " AND f.active = 1 AND c.active = 1";
|
||||
if ($country_codeid) $sql .= " AND c.code = '".$country_codeid."'";
|
||||
if ($country_codeid) $sql .= " AND c.code = '".$this->db->escape($country_codeid)."'";
|
||||
if ($filter) $sql .= " ".$filter;
|
||||
$sql .= " ORDER BY c.code";
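Review bot: `$filter` is appended to the query as a raw SQL fragment on `if ($filter) $sql .= " ".$filter;`, so a caller passing untrusted text gets an injection that the new `escape()` on `$country_codeid` does nothing to prevent. At minimum document that `$filter` must be a trusted, pre-validated clause, or restrict it to a known set of columns and operators before concatenation. The method starts before the hunk.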
|
||||
|
||||
|
||||
@ -1296,7 +1296,7 @@ class FormMail extends Form
|
||||
$sql .= " WHERE type_template='".$this->db->escape($type_template)."'";
|
||||
$sql .= " AND entity IN (".getEntity('c_email_templates').")";
|
||||
$sql .= " AND (fk_user is NULL or fk_user = 0 or fk_user = ".$user->id.")";
|
||||
if (is_object($outputlangs)) $sql .= " AND (lang = '".$outputlangs->defaultlang."' OR lang IS NULL OR lang = '')";
|
||||
if (is_object($outputlangs)) $sql .= " AND (lang = '".$this->db->escape($outputlangs->defaultlang)."' OR lang IS NULL OR lang = '')";
|
||||
$sql .= $this->db->order("lang,label", "ASC");
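Review bot: `$user->id` in `fk_user = ".$user->id.")` is still raw while the adjacent `lang` value is now escaped; cast it as the commit does for `$user->id` in `box_task`, `" AND (fk_user is NULL or fk_user = 0 or fk_user = ".((int) $user->id).")"`. The method starts before the hunk.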
|
||||
//print $sql;
|
||||
|
||||
@ -1330,7 +1330,7 @@ class FormMail extends Form
|
||||
$sql .= " AND entity IN (".getEntity('c_email_templates').")";
|
||||
$sql .= " AND (private = 0 OR fk_user = ".$user->id.")"; // See all public templates or templates I own.
|
||||
if ($active >= 0) $sql .= " AND active = ".$active;
|
||||
//if (is_object($outputlangs)) $sql.= " AND (lang = '".$outputlangs->defaultlang."' OR lang IS NULL OR lang = '')"; // Return all languages
|
||||
//if (is_object($outputlangs)) $sql.= " AND (lang = '".$this->db->escape($outputlangs->defaultlang)."' OR lang IS NULL OR lang = '')"; // Return all languages
|
||||
$sql .= $this->db->order("position,lang,label", "ASC");
|
||||
//print $sql;
|
||||
|
||||
|
||||
@ -256,7 +256,7 @@ class FormOther
|
||||
$sql = "SELECT r.taux, r.revenuestamp_type";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."c_revenuestamp as r,".MAIN_DB_PREFIX."c_country as c";
|
||||
$sql .= " WHERE r.active = 1 AND r.fk_pays = c.rowid";
|
||||
$sql .= " AND c.code = '".$country_code."'";
|
||||
$sql .= " AND c.code = '".$this->db->escape($country_code)."'";
|
||||
|
||||
dol_syslog(get_class($this).'::select_revenue_stamp', LOG_DEBUG);
|
||||
$resql = $this->db->query($sql);
|
||||
|
||||
@ -83,7 +83,7 @@ class FormSocialContrib
|
||||
$sql = "SELECT c.id, c.libelle as type";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."c_chargesociales as c, ".MAIN_DB_PREFIX."c_country as co";
|
||||
$sql .= " WHERE c.active = 1 AND c.fk_pays = co.rowid";
|
||||
$sql .= " AND co.code = '".$mysoc->country_code."'";
|
||||
$sql .= " AND co.code = '".$this->db->escape($mysoc->country_code)."'";
|
||||
$sql .= " ORDER BY c.libelle ASC";
|
||||
}
|
||||
|
||||
|
||||
@ -273,12 +273,13 @@ class InfoBox
|
||||
//dol_syslog("aaaaa".count($listarray));
|
||||
$i++;
|
||||
$ii = sprintf('%02d', $i);
|
||||
|
||||
$sql = "INSERT INTO ".MAIN_DB_PREFIX."boxes";
|
||||
$sql .= "(box_id, position, box_order, fk_user, entity)";
|
||||
$sql .= " values (";
|
||||
$sql .= " ".$id.",";
|
||||
$sql .= " ".$zone.",";
|
||||
$sql .= " '".$colonne.$ii."',";
|
||||
$sql .= " '".$this->db->escape($colonne.$ii)."',";
|
||||
$sql .= " ".$userid.",";
|
||||
$sql .= " ".$conf->entity;
|
||||
$sql .= ")";
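Review bot: `$id`, `$zone` and `$userid` are concatenated unquoted into the INSERT values while only `$colonne.$ii` gets `escape()`; cast the three, `$sql .= " ".((int) $id).",";`, `$sql .= " ".((int) $zone).",";` and `$sql .= " ".((int) $userid).",";`, plus `((int) $conf->entity)`. `$ii` is already safe since it comes from `sprintf('%02d', $i)`, so the escape on that line effectively only covers `$colonne`. The enclosing loop starts before the hunk.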
|
||||
|
||||
@ -98,7 +98,7 @@ class Link extends CommonObject
|
||||
$this->db->begin();
|
||||
|
||||
$sql = "INSERT INTO ".MAIN_DB_PREFIX."links (entity, datea, url, label, objecttype, objectid)";
|
||||
$sql .= " VALUES ('".$conf->entity."', '".$this->db->idate($this->datea)."'";
|
||||
$sql .= " VALUES (".$conf->entity.", '".$this->db->idate($this->datea)."'";
|
||||
$sql .= ", '".$this->db->escape($this->url)."'";
|
||||
$sql .= ", '".$this->db->escape($this->label)."'";
|
||||
$sql .= ", '".$this->db->escape($this->objecttype)."'";
|
||||
@ -175,7 +175,7 @@ class Link extends CommonObject
|
||||
$this->db->begin();
|
||||
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."links SET ";
|
||||
$sql .= "entity = '".$conf->entity."'";
|
||||
$sql .= "entity = ".$conf->entity;
|
||||
$sql .= ", datea = '".$this->db->idate(dol_now())."'";
|
||||
$sql .= ", url = '".$this->db->escape($this->url)."'";
|
||||
$sql .= ", label = '".$this->db->escape($this->label)."'";
|
||||
@ -235,7 +235,7 @@ class Link extends CommonObject
|
||||
global $conf;
|
||||
|
||||
$sql = "SELECT rowid, entity, datea, url, label, objecttype, objectid FROM ".MAIN_DB_PREFIX."links";
|
||||
$sql .= " WHERE objecttype = '".$objecttype."' AND objectid = ".$objectid;
|
||||
$sql .= " WHERE objecttype = '".$this->db->escape($objecttype)."' AND objectid = ".$objectid;
|
||||
if ($conf->entity != 0) $sql .= " AND entity = ".$conf->entity;
|
||||
if ($sortfield) {
|
||||
if (empty($sortorder)) {
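Review bot: `$objectid` on the `AND objectid = ` clause is still a raw concatenation; cast it, `" WHERE objecttype = '".$this->db->escape($objecttype)."' AND objectid = ".((int) $objectid);`. The `$sortfield`/`$sortorder` handling that begins on the last hunk lines will end up in an ORDER BY, which `escape()` cannot protect — that code runs past the hunk so I cannot confirm how it is validated. The method starts before the hunk.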
|
||||
@ -286,7 +286,7 @@ class Link extends CommonObject
|
||||
global $conf;
|
||||
|
||||
$sql = "SELECT COUNT(rowid) as nb FROM ".MAIN_DB_PREFIX."links";
|
||||
$sql .= " WHERE objecttype = '".$objecttype."' AND objectid = ".$objectid;
|
||||
$sql .= " WHERE objecttype = '".$this->db->escape($objecttype)."' AND objectid = ".$objectid;
|
||||
if ($conf->entity != 0) $sql .= " AND entity = ".$conf->entity;
|
||||
|
||||
$resql = $db->query($sql);
|
||||
|
||||
@ -622,7 +622,7 @@ class Menubase
|
||||
$sql = "SELECT m.rowid, m.type, m.module, m.fk_menu, m.fk_mainmenu, m.fk_leftmenu, m.url, m.titre, m.langs, m.perms, m.enabled, m.target, m.mainmenu, m.leftmenu, m.position";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."menu as m";
|
||||
$sql .= " WHERE m.entity IN (0,".$conf->entity.")";
|
||||
$sql .= " AND m.menu_handler IN ('".$menu_handler."','all')";
|
||||
$sql .= " AND m.menu_handler IN ('".$this->db->escape($menu_handler)."','all')";
|
||||
if ($type_user == 0) $sql .= " AND m.usertype IN (0,2)";
|
||||
if ($type_user == 1) $sql .= " AND m.usertype IN (1,2)";
|
||||
$sql .= " ORDER BY m.position, m.rowid";
|
||||
|
||||
@ -171,7 +171,7 @@ class Notify
|
||||
if ($notifcode)
|
||||
{
|
||||
if (is_numeric($notifcode)) $sql .= " AND n.fk_action = ".$notifcode; // Old usage
|
||||
else $sql .= " AND a.code = '".$notifcode."'"; // New usage
|
||||
else $sql .= " AND a.code = '".$this->db->escape($notifcode)."'"; // New usage
|
||||
}
|
||||
$sql .= " AND s.entity IN (".getEntity('societe').")";
|
||||
if ($socid > 0) $sql .= " AND s.rowid = ".$socid;
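Review bot: the `is_numeric($notifcode)` branch still concatenates `$notifcode` raw; `is_numeric` accepts forms such as `1e3` or leading whitespace, so cast it, `" AND n.fk_action = ".((int) $notifcode)`. `$socid` on the last line is likewise raw and should be `((int) $socid)`. The method starts before the hunk.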
|
||||
@ -214,7 +214,7 @@ class Notify
|
||||
if ($notifcode)
|
||||
{
|
||||
if (is_numeric($notifcode)) $sql .= " AND n.fk_action = ".$notifcode; // Old usage
|
||||
else $sql .= " AND a.code = '".$notifcode."'"; // New usage
|
||||
else $sql .= " AND a.code = '".$this->db->escape($notifcode)."'"; // New usage
|
||||
}
|
||||
$sql .= " AND c.entity IN (".getEntity('user').")";
|
||||
if ($userid > 0) $sql .= " AND c.rowid = ".$userid;
|
||||
@ -355,7 +355,7 @@ class Notify
|
||||
$sql .= " AND n.fk_soc = s.rowid";
|
||||
$sql .= " AND c.statut = 1";
|
||||
if (is_numeric($notifcode)) $sql .= " AND n.fk_action = ".$notifcode; // Old usage
|
||||
else $sql .= " AND a.code = '".$notifcode."'"; // New usage
|
||||
else $sql .= " AND a.code = '".$this->db->escape($notifcode)."'"; // New usage
|
||||
$sql .= " AND s.rowid = ".$object->socid;
|
||||
|
||||
$sql .= "\nUNION\n";
|
||||
|
||||
@ -693,7 +693,7 @@ class DoliDBMysqli extends DoliDB
|
||||
if ((preg_match("/null/i", $field_desc['default'])) || (preg_match("/CURRENT_TIMESTAMP/i", $field_desc['default']))) {
|
||||
$sqlfields[$i] .= " default ".$field_desc['default'];
|
||||
} else {
|
||||
$sqlfields[$i] .= " default '".$field_desc['default']."'";
|
||||
$sqlfields[$i] .= " default '".$this->escape($field_desc['default'])."'";
|
||||
}
|
||||
}
|
||||
if (preg_match("/^[^\s]/i", $field_desc['null'])) {
|
||||
@ -711,7 +711,7 @@ class DoliDBMysqli extends DoliDB
|
||||
$i = 0;
|
||||
foreach ($unique_keys as $key => $value)
|
||||
{
|
||||
$sqluq[$i] = "UNIQUE KEY '".$key."' ('".$value."')";
|
||||
$sqluq[$i] = "UNIQUE KEY '".$key."' ('".$this->escape($value)."')";
|
||||
$i++;
|
||||
}
|
||||
}
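Review bot: `$key` and `$value` on the `UNIQUE KEY` line are identifiers, and wrapping them in single quotes plus `escape()` is neither valid MySQL DDL nor an effective guard — identifiers need backtick quoting and a character-class check, not string escaping, and `$key` is still concatenated raw. Validate both with `preg_match('/^[a-zA-Z0-9_]+$/', …)` (splitting `$value` on commas first if it can be a column list) and wrap each identifier in backticks instead of single quotes. The enclosing method starts before the hunk.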
|
||||
@ -809,7 +809,7 @@ class DoliDBMysqli extends DoliDB
|
||||
{
|
||||
if (preg_match("/null/i", $field_desc['default']))
|
||||
$sql .= " default ".$field_desc['default'];
|
||||
else $sql .= " default '".$field_desc['default']."'";
|
||||
else $sql .= " default '".$this->escape($field_desc['default'])."'";
|
||||
}
|
||||
if (isset($field_desc['extra']) && preg_match("/^[^\s]/i", $field_desc['extra']))
|
||||
{
|
||||
|
||||
@ -904,7 +904,7 @@ class DoliDBPgsql extends DoliDB
|
||||
$listtables = array();
|
||||
|
||||
$like = '';
|
||||
if ($table) $like = " AND table_name LIKE '".$table."'";
|
||||
if ($table) $like = " AND table_name LIKE '".$this->escape($table)."'";
|
||||
$result = pg_query($this->db, "SELECT table_name FROM information_schema.tables WHERE table_schema = 'public'".$like." ORDER BY table_name");
|
||||
if ($result)
|
||||
{
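Review bot: `escape()` does not neutralise the LIKE metacharacters `%` and `_`, so `$table` still behaves as a pattern in `table_name LIKE '…'`; if an exact name is intended use `= '…'`, otherwise escape `%`/`_` (e.g. `str_replace(array('%', '_'), array('\\%', '\\_'), $table)`) before `escape()`. The query goes straight to `pg_query`, so it is also worth confirming this class's `escape()` is `pg_escape_string`-based rather than the MySQL variant. The enclosing method starts before the hunk.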
|
||||
@ -942,7 +942,7 @@ class DoliDBPgsql extends DoliDB
|
||||
$sql .= " '' as \"Privileges\"";
|
||||
$sql .= " FROM information_schema.columns infcol";
|
||||
$sql .= " WHERE table_schema='public' ";
|
||||
$sql .= " AND table_name='".$table."'";
|
||||
$sql .= " AND table_name='".$this->escape($table)."'";
|
||||
$sql .= " ORDER BY ordinal_position;";
|
||||
|
||||
dol_syslog($sql, LOG_DEBUG);
|
||||
@ -992,7 +992,7 @@ class DoliDBPgsql extends DoliDB
|
||||
{
|
||||
if (preg_match("/null/i", $field_desc['default']))
|
||||
$sqlfields[$i] .= " default ".$field_desc['default'];
|
||||
else $sqlfields[$i] .= " default '".$field_desc['default']."'";
|
||||
else $sqlfields[$i] .= " default '".$this->escape($field_desc['default'])."'";
|
||||
} elseif (preg_match("/^[^\s]/i", $field_desc['null']))
|
||||
$sqlfields[$i] .= " ".$field_desc['null'];
|
||||
|
||||
@ -1008,7 +1008,7 @@ class DoliDBPgsql extends DoliDB
|
||||
$i = 0;
|
||||
foreach ($unique_keys as $key => $value)
|
||||
{
|
||||
$sqluq[$i] = "UNIQUE KEY '".$key."' ('".$value."')";
|
||||
$sqluq[$i] = "UNIQUE KEY '".$key."' ('".$this->escape($value)."')";
|
||||
$i++;
|
||||
}
|
||||
}
|
||||
@ -1090,9 +1090,9 @@ class DoliDBPgsql extends DoliDB
|
||||
public function DDLDescTable($table, $field = "")
|
||||
{
|
||||
// phpcs:enable
|
||||
$sql = "SELECT attname FROM pg_attribute, pg_type WHERE typname = '".$table."' AND attrelid = typrelid";
|
||||
$sql = "SELECT attname FROM pg_attribute, pg_type WHERE typname = '".$this->escape($table)."' AND attrelid = typrelid";
|
||||
$sql .= " AND attname NOT IN ('cmin', 'cmax', 'ctid', 'oid', 'tableoid', 'xmin', 'xmax')";
|
||||
if ($field) $sql .= " AND attname = '".$field."'";
|
||||
if ($field) $sql .= " AND attname = '".$this->escape($field)."'";
|
||||
|
||||
dol_syslog($sql, LOG_DEBUG);
|
||||
$this->_results = $this->query($sql);
|
||||
@ -1130,7 +1130,7 @@ class DoliDBPgsql extends DoliDB
|
||||
if (preg_match("/null/i", $field_desc['default'])) {
|
||||
$sql .= " default ".$field_desc['default'];
|
||||
} else {
|
||||
$sql .= " default '".$field_desc['default']."'";
|
||||
$sql .= " default '".$this->escape($field_desc['default'])."'";
|
||||
}
|
||||
}
|
||||
if (preg_match("/^[^\s]/i", $field_desc['extra'])) {
|
||||
|
||||
@ -420,7 +420,7 @@ class DoliDBSqlite3 extends DoliDB
|
||||
$constraintname = trim($reg[2]);
|
||||
$tablename = trim($reg[1]);
|
||||
|
||||
$descTable = $this->db->querySingle("SELECT sql FROM sqlite_master WHERE name='".$tablename."'");
|
||||
$descTable = $this->db->querySingle("SELECT sql FROM sqlite_master WHERE name='".$this->escape($tablename)."'");
|
||||
|
||||
// 1- Renommer la table avec un nom temporaire
|
||||
$this->query('ALTER TABLE '.$tablename.' RENAME TO tmp_'.$tablename);
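Review bot: `$tablename` is escaped in the `sqlite_master` lookup but then spliced raw as an identifier into `ALTER TABLE '.$tablename.' RENAME TO tmp_'.$tablename` on the last line, where `escape()` would not help anyway. Since it comes from a regex capture (`$reg[1]`) above the hunk, validate it with `preg_match('/^[a-zA-Z0-9_]+$/', $tablename)` before either statement and bail out otherwise. The enclosing method starts and ends outside the hunk.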
|
||||
@ -921,7 +921,7 @@ class DoliDBSqlite3 extends DoliDB
|
||||
{
|
||||
if (preg_match("/null/i", $field_desc['default']))
|
||||
$sqlfields[$i] .= " default ".$field_desc['default'];
|
||||
else $sqlfields[$i] .= " default '".$field_desc['default']."'";
|
||||
else $sqlfields[$i] .= " default '".$this->escape($field_desc['default'])."'";
|
||||
} elseif (preg_match("/^[^\s]/i", $field_desc['null']))
|
||||
$sqlfields[$i] .= " ".$field_desc['null'];
|
||||
|
||||
@ -937,7 +937,7 @@ class DoliDBSqlite3 extends DoliDB
|
||||
$i = 0;
|
||||
foreach ($unique_keys as $key => $value)
|
||||
{
|
||||
$sqluq[$i] = "UNIQUE KEY '".$key."' ('".$value."')";
|
||||
$sqluq[$i] = "UNIQUE KEY '".$key."' ('".$this->escape($value)."')";
|
||||
$i++;
|
||||
}
|
||||
}
|
||||
@ -1030,7 +1030,7 @@ class DoliDBSqlite3 extends DoliDB
|
||||
{
|
||||
if (preg_match("/null/i", $field_desc['default']))
|
||||
$sql .= " default ".$field_desc['default'];
|
||||
else $sql .= " default '".$field_desc['default']."'";
|
||||
else $sql .= " default '".$this->escape($field_desc['default'])."'";
|
||||
}
|
||||
if (preg_match("/^[^\s]/i", $field_desc['extra']))
|
||||
$sql .= " ".$field_desc['extra'];
|
||||
|
||||
@ -292,7 +292,7 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle
|
||||
$sql = preg_replace('/llx_/i', MAIN_DB_PREFIX, $sql);
|
||||
}
|
||||
|
||||
if (!empty($handler)) $sql = preg_replace('/__HANDLER__/i', "'".$handler."'", $sql);
|
||||
if (!empty($handler)) $sql = preg_replace('/__HANDLER__/i', "'".$db->escape($handler)."'", $sql);
|
||||
|
||||
$newsql = preg_replace('/__ENTITY__/i', (!empty($entity) ? $entity : $conf->entity), $sql);
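Review bot: `preg_replace` interprets backslashes and `$n` sequences in its replacement string, so the backslashes `escape()` adds for a `'` or `\` in `$handler` can be collapsed before the value reaches SQL; use a literal replacement instead, `$sql = str_ireplace('__HANDLER__', "'".$db->escape($handler)."'", $sql);`. The `__ENTITY__` substitution on the last line still injects `$entity` raw; cast it, `((int) (!empty($entity) ? $entity : $conf->entity))`. `run_sql` starts and ends outside the hunk.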
|
||||
|
||||
@ -1630,7 +1630,7 @@ function addDocumentModel($name, $type, $label = '', $description = '')
|
||||
$db->begin();
|
||||
|
||||
$sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)";
|
||||
$sql .= " VALUES ('".$db->escape($name)."','".$type."',".$conf->entity.", ";
|
||||
$sql .= " VALUES ('".$db->escape($name)."','".$db->escape($type)."',".$conf->entity.", ";
|
||||
$sql .= ($label ? "'".$db->escape($label)."'" : 'null').", ";
|
||||
$sql .= (!empty($description) ? "'".$db->escape($description)."'" : "null");
|
||||
$sql .= ")";
|
||||
@ -1663,7 +1663,7 @@ function delDocumentModel($name, $type)
|
||||
|
||||
$sql = "DELETE FROM ".MAIN_DB_PREFIX."document_model";
|
||||
$sql .= " WHERE nom = '".$db->escape($name)."'";
|
||||
$sql .= " AND type = '".$type."'";
|
||||
$sql .= " AND type = '".$db->escape($type)."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
|
||||
dol_syslog("admin.lib::delDocumentModel", LOG_DEBUG);
|
||||
|
||||
@ -574,7 +574,7 @@ function currency_name($code_iso, $withcode = '', $outputlangs = null)
|
||||
|
||||
// If no translation, we read table to get label by default
|
||||
$sql = "SELECT label FROM ".MAIN_DB_PREFIX."c_currencies";
|
||||
$sql .= " WHERE code_iso='".$code_iso."'";
|
||||
$sql .= " WHERE code_iso='".$db->escape($code_iso)."'";
|
||||
|
||||
$resql = $db->query($sql);
|
||||
if ($resql)
|
||||
@ -607,7 +607,7 @@ function getFormeJuridiqueLabel($code)
|
||||
if (!$code) return '';
|
||||
|
||||
$sql = "SELECT libelle FROM ".MAIN_DB_PREFIX."c_forme_juridique";
|
||||
$sql .= " WHERE code='$code'";
|
||||
$sql .= " WHERE code='".$db->escape($code)."'";
|
||||
|
||||
dol_syslog("Company.lib::getFormeJuridiqueLabel", LOG_DEBUG);
|
||||
$resql = $db->query($sql);
|
||||
|
||||
@ -142,6 +142,7 @@ function dol_dir_list($path, $types = "all", $recursive = 0, $filter = "", $excl
|
||||
|
||||
if (!$filter || preg_match('/'.$filter.'/i', $file)) // We do not search key $filter into all $path, only into $file part
|
||||
{
|
||||
$reg = array();
|
||||
preg_match('/([^\/]+)\/[^\/]+$/', $path.'/'.$file, $reg);
|
||||
$level1name = (isset($reg[1]) ? $reg[1] : '');
|
||||
$file_list[] = array(
|
||||
|
||||
@ -4857,10 +4857,10 @@ function get_localtax($vatrate, $local, $thirdparty_buyer = "", $thirdparty_sell
|
||||
// By default, search value of local tax on line of common tax
|
||||
$sql = "SELECT t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
|
||||
$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$thirdparty_seller->country_code."'";
|
||||
$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($thirdparty_seller->country_code)."'";
|
||||
$sql .= " AND t.taux = ".((float) $vatratecleaned)." AND t.active = 1";
|
||||
if ($vatratecode) $sql .= " AND t.code ='".$vatratecode."'"; // If we have the code, we use it in priority
|
||||
else $sql .= " AND t.recuperableonly ='".$vatnpr."'";
|
||||
if ($vatratecode) $sql .= " AND t.code ='".$db->escape($vatratecode)."'"; // If we have the code, we use it in priority
|
||||
else $sql .= " AND t.recuperableonly ='".$db->escape($vatnpr)."'";
|
||||
dol_syslog("get_localtax", LOG_DEBUG);
|
||||
$resql = $db->query($sql);
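Review bot: `$vatnpr` is now escaped, but `t.recuperableonly` on that line is still compared against a quoted string while `t.taux` two lines above uses an unquoted `(float)` cast; if `recuperableonly` is an integer flag, `else $sql .= " AND t.recuperableonly = ".((int) $vatnpr);` is the consistent form and removes any reliance on string-to-number coercion inside the database. get_localtax's body continues outside the hunk.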
|
||||
|
||||
|
||||
@ -320,8 +320,8 @@ class mod_codeclient_elephant extends ModeleThirdPartyCode
|
||||
{
|
||||
// phpcs:enable
|
||||
$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe";
|
||||
if ($type == 1) $sql .= " WHERE code_fournisseur = '".$code."'";
|
||||
else $sql .= " WHERE code_client = '".$code."'";
|
||||
if ($type == 1) $sql .= " WHERE code_fournisseur = '".$db->escape($code)."'";
|
||||
else $sql .= " WHERE code_client = '".$db->escape($code)."'";
|
||||
if ($soc->id > 0) $sql .= " AND rowid <> ".$soc->id;
|
||||
|
||||
$resql = $db->query($sql);
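Review bot: `$soc->id` is still concatenated raw into the WHERE clause on the line right after the newly escaped `code_client` comparison, guarded only by `$soc->id > 0`; a non-numeric string can satisfy that comparison under PHP's loose rules, so for consistency with the commit's intent it should be `if ($soc->id > 0) $sql .= " AND rowid <> ".((int) $soc->id);`. The same unconverted line appears in the mod_codeclient_monkey hunk below. The enclosing method starts outside the hunk.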
|
||||
|
||||
@ -226,8 +226,8 @@ class mod_codeclient_monkey extends ModeleThirdPartyCode
|
||||
global $conf, $mc;
|
||||
|
||||
$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe";
|
||||
if ($type == 1) $sql .= " WHERE code_fournisseur = '".$code."'";
|
||||
else $sql .= " WHERE code_client = '".$code."'";
|
||||
if ($type == 1) $sql .= " WHERE code_fournisseur = '".$db->escape($code)."'";
|
||||
else $sql .= " WHERE code_client = '".$db->escape($code)."'";
|
||||
$sql .= " AND entity IN (".getEntity('societe').")";
|
||||
if ($soc->id > 0) $sql .= " AND rowid <> ".$soc->id;
|
||||
|
||||
|
||||
@ -244,7 +244,7 @@ class mod_codecompta_digitaria extends ModeleAccountancyCode
|
||||
}
|
||||
|
||||
$sql = "SELECT ".$typethirdparty." FROM ".MAIN_DB_PREFIX."societe";
|
||||
$sql .= " WHERE ".$typethirdparty." = '".$code."'";
|
||||
$sql .= " WHERE ".$typethirdparty." = '".$db->escape($code)."'";
|
||||
|
||||
$resql = $db->query($sql);
|
||||
if ($resql)
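Review bot: `$typethirdparty` is spliced into both the SELECT list and the WHERE clause as a column name, and the added `$db->escape($code)` does not cover it, since escaping only protects quoted string values. Its assignment is outside the hunk, so if the code above does not already restrict it to the fixed column names this method supports, it should be checked against an allow-list with `in_array(..., true)` before the query is built, e.g. `if (!in_array($typethirdparty, array(/* allowed column names */), true)) return -1;`. The enclosing method starts outside the hunk.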
|
||||
|
||||
@ -152,7 +152,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
$db=$this->savdb;
|
||||
|
||||
include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
|
||||
$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname');
|
||||
$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT.'/core', 'files', 1, '\.php', null, 'fullname');
|
||||
//$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname');
|
||||
|
||||
foreach ($filesarray as $key => $file)
|
||||
@ -166,10 +166,17 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
print 'Check php file '.$file['fullname']."\n";
|
||||
$filecontent=file_get_contents($file['fullname']);
|
||||
|
||||
if (preg_match('/\.class\.php/', $file['relativename'])) {
|
||||
// Must must not found $db->
|
||||
|
||||
} else {
|
||||
// Must must not found $this->db->
|
||||
|
||||
}
|
||||
|
||||
$ok=true;
|
||||
$matches=array();
|
||||
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
|
||||
// Check string get_class...
|
||||
preg_match_all('/'.preg_quote('get_class($this)."::".__METHOD__', '/').'/', $filecontent, $matches, PREG_SET_ORDER);
|
||||
foreach ($matches as $key => $val)
|
||||
{
|
||||
@ -182,7 +189,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
|
||||
$ok=true;
|
||||
$matches=array();
|
||||
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
|
||||
// Check string $this->db->idate without quotes
|
||||
preg_match_all('/(..)\s*\.\s*\$this->db->idate\(/', $filecontent, $matches, PREG_SET_ORDER);
|
||||
foreach ($matches as $key => $val)
|
||||
{
|
||||
@ -200,11 +207,12 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
|
||||
$ok=true;
|
||||
$matches=array();
|
||||
|
||||
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
|
||||
preg_match_all('/(=|sql.+)\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER);
|
||||
preg_match_all('/=\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER);
|
||||
foreach ($matches as $key => $val)
|
||||
{
|
||||
if ($val[2] != 'db->' && $val[2] != 'esca')
|
||||
if ($val[1] != 'db->' && $val[1] != 'esca')
|
||||
{
|
||||
$ok=false;
|
||||
break;
|
||||
@ -212,7 +220,21 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
||||
//if ($reg[0] != 'db') $ok=false;
|
||||
}
|
||||
//print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
|
||||
$this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['relativename'].' ('.$val[0].'). Bad.');
|
||||
$this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['relativename'].': '.$val[0].' - Bad.');
|
||||
//exit;
|
||||
|
||||
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
|
||||
preg_match_all('/sql.+\s*\'"\s*\.\s*\$(.........)/', $filecontent, $matches, PREG_SET_ORDER);
|
||||
foreach ($matches as $key => $val)
|
||||
{
|
||||
if (! in_array($val[1], array('this->db-', 'this->esc', 'db->escap', 'db->idate', 'excludeGr', 'includeGr'))) {
|
||||
$ok=false;
|
||||
break;
|
||||
}
|
||||
//if ($reg[0] != 'db') $ok=false;
|
||||
}
|
||||
//print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
|
||||
$this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['relativename'].': '.$val[0].' - Bad.');
|
||||
//exit;
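Review bot: Narrowing the scan from `DOL_DOCUMENT_ROOT` to `DOL_DOCUMENT_ROOT.'/core'` in the first hunk of this file means the new unescaped-SQL check only covers `core/`, and the original call is left behind as a commented-out line; either keep the full-tree scan or add a comment saying why only `core/` is expected to pass, and drop the dead line. In the new check at the end of this hunk, `in_array($val[1], array(...))` should pass `true` as the third argument so the prefix comparison is strict, and the fixed nine-character capture `\$(.........)` silently skips a short variable near end of line because `.` does not match a newline, so a character class such as `\$([A-Za-z0-9_>-]{1,9})` is more reliable. The `if/else` added at the top of the second hunk has two empty branches holding only a "Must must not found" comment; either implement the `$db->` / `$this->db->` check or remove the placeholder.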