From 5a1f2db024e534b5e0b2795cb64b4db25f44a10f Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 30 Apr 2021 10:57:21 +0200
Subject: [PATCH] Clean sql
---
 .../class/html.formadvtargetemailing.class.php | 2 +-
 htdocs/compta/localtax/class/localtax.class.php | 9 +++++----
 .../modules/movement/doc/pdf_standard.modules.php | 4 ++--
 htdocs/societe/class/api_thirdparties.class.php | 12 ++++++------
 4 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/htdocs/comm/mailing/class/html.formadvtargetemailing.class.php b/htdocs/comm/mailing/class/html.formadvtargetemailing.class.php
index 2c47edd4289..12684e5f873 100644
--- a/htdocs/comm/mailing/class/html.formadvtargetemailing.class.php
+++ b/htdocs/comm/mailing/class/html.formadvtargetemailing.class.php
@@ -355,7 +355,7 @@ class FormAdvTargetEmailing extends Form
 $sql = "SELECT c.rowid, c.name, c.fk_element";
 $sql .= " FROM ".MAIN_DB_PREFIX."advtargetemailing as c";
- $sql .= " WHERE type_element='$type_element'";
+ $sql .= " WHERE type_element = '".$this->db->escape($type_element)."'";
 $sql .= " ORDER BY c.name";
 dol_syslog(__METHOD__, LOG_DEBUG);
diff --git a/htdocs/compta/localtax/class/localtax.class.php b/htdocs/compta/localtax/class/localtax.class.php
index 2adfe41330b..dc133977202 100644
--- a/htdocs/compta/localtax/class/localtax.class.php
+++ b/htdocs/compta/localtax/class/localtax.class.php
@@ -352,9 +352,10 @@ class Localtax extends CommonObject
 {
 // phpcs:enable
 $sql = "SELECT sum(f.localtax) as amount";
- $sql .= " FROM ".MAIN_DB_PREFIX."facture as f WHERE f.paye = 1";
+ $sql .= " FROM ".MAIN_DB_PREFIX."facture as f";
+ $sql .= " WHERE f.paye = 1";
 if ($year) {
- $sql .= " AND f.datef >= '$year-01-01' AND f.datef <= '$year-12-31' ";
+ $sql .= " AND f.datef BETWEEN '".$this->db->idate(dol_get_first_day($year, 1, 'gmt'))."' AND '".$this->db->idate(dol_get_last_day($year, 1, 'gmt'))."'";
 }
 $result = $this->db->query($sql);
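Review bot: The rewritten WHERE clause leaves `type_element` unqualified while every other column in this statement is written through the `c.` alias (`c.rowid`, `c.name`, `c.fk_element`, `ORDER BY c.name`); for consistency, and to stay unambiguous if a join is ever added, write it as `$sql .= " WHERE c.type_element = '".$this->db->escape($type_element)."'";`. The escaping itself is the right fix for a string compared in SQL. The enclosing method begins and ends outside the hunk, so I cannot tell from here whether `$type_element` is used unescaped anywhere else in it.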
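Review bot: The new BETWEEN range ends at `dol_get_last_day($year, 1, 'gmt')`, i.e. the last day of month 1, whereas the removed line covered the whole year up to `'$year-12-31'`; unless `dol_get_last_day` ignores its month argument, this silently shrinks the yearly sum to January only. The month argument should be 12, `$sql .= " AND f.datef BETWEEN '".$this->db->idate(dol_get_first_day($year, 1, 'gmt'))."' AND '".$this->db->idate(dol_get_last_day($year, 12, 'gmt'))."'";`, which is exactly how the pdf_standard.modules.php hunk in this same commit builds its year-only range (`dol_get_last_day($year, 12, false)`). The same defect is repeated in the two following hunks of this file at @@ -388 and @@ -423. Replacing direct interpolation of `$year` with a computed timestamp does close the injection path, so only the month value needs changing. The enclosing method's signature is outside the hunk.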
@@ -388,7 +389,7 @@ class Localtax extends CommonObject
 $sql = "SELECT sum(f.total_localtax) as total_localtax";
 $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn as f";
 if ($year) {
- $sql .= " WHERE f.datef >= '$year-01-01' AND f.datef <= '$year-12-31' ";
+ $sql .= " WHERE f.datef BETWEEN '".$this->db->idate(dol_get_first_day($year, 1, 'gmt'))."' AND '".$this->db->idate(dol_get_last_day($year, 1, 'gmt'))."'";
 }
 $result = $this->db->query($sql);
@@ -423,7 +424,7 @@ class Localtax extends CommonObject
 $sql = "SELECT sum(f.amount) as amount";
 $sql .= " FROM ".MAIN_DB_PREFIX."localtax as f";
 if ($year) {
- $sql .= " WHERE f.datev >= '$year-01-01' AND f.datev <= '$year-12-31' ";
+ $sql .= " WHERE f.datev BETWEEN '".$this->db->idate(dol_get_first_day($year, 1, 'gmt'))."' AND '".$this->db->idate(dol_get_last_day($year, 1, 'gmt'))."'";
 }
 $result = $this->db->query($sql);
diff --git a/htdocs/core/modules/movement/doc/pdf_standard.modules.php b/htdocs/core/modules/movement/doc/pdf_standard.modules.php
index c2817fb50f6..d818ab24f9e 100644
--- a/htdocs/core/modules/movement/doc/pdf_standard.modules.php
+++ b/htdocs/core/modules/movement/doc/pdf_standard.modules.php
@@ -303,13 +303,13 @@ class pdf_stdandard extends ModelePDFMovement
 $sql .= " AND p.fk_product_type = 0";
 }
 if ($id > 0) {
- $sql .= " AND e.rowid ='".$id."'";
+ $sql .= " AND e.rowid = ".((int) $id);
 }
 if ($month > 0) {
 if ($year > 0) {
 $sql .= " AND m.datem BETWEEN '".$this->db->idate(dol_get_first_day($year, $month, false))."' AND '".$this->db->idate(dol_get_last_day($year, $month, false))."'";
 } else {
- $sql .= " AND date_format(m.datem, '%m') = '$month'";
+ $sql .= " AND date_format(m.datem, '%m') = '".((int) $month)."'";
 }
 } elseif ($year > 0) {
 $sql .= " AND m.datem BETWEEN '".$this->db->idate(dol_get_first_day($year, 1, false))."' AND '".$this->db->idate(dol_get_last_day($year, 12, false))."'";
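Review bot: In the month-only branch, `date_format(m.datem, '%m')` yields a zero-padded two-character string ('01'..'12'), and MySQL compares two string operands as strings, so the new `'".((int) $month)."'` produces `'01' = '1'` for January–September and matches nothing. If the caller previously supplied a zero-padded `$month` the removed line happened to work, so the cast is a regression there; either way the value should be padded, `$sql .= " AND date_format(m.datem, '%m') = '".sprintf('%02d', (int) $month)."'";`. The `(int)` cast on `e.rowid` above is the right form for an integer key and removes the quoting the old line had. The enclosing method starts before and continues after this hunk.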
diff --git a/htdocs/societe/class/api_thirdparties.class.php b/htdocs/societe/class/api_thirdparties.class.php
index b0b486459b1..1de2f436ca7 100644
--- a/htdocs/societe/class/api_thirdparties.class.php
+++ b/htdocs/societe/class/api_thirdparties.class.php
@@ -1624,11 +1624,11 @@ class Thirdparties extends DolibarrApi
 }
 /**
- * Update specified values of a specific site gateway attached to a thirdparty
+ * Update specified values of a specific gateway attached to a thirdparty
- * @param int $id Id of thirdparty
- * @param string $site Site key
- * @param array $request_data Request data
+ * @param int $id Id of thirdparty
+ * @param string $site Site key
+ * @param array $request_data Request data
 * @return array|mixed
 *
@@ -1645,7 +1645,7 @@ class Thirdparties extends DolibarrApi
 throw new RestException(401);
 }
- $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = $id AND site = '$site' ";
+ $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = ".((int) $id)." AND site = '".$this->db->escape($site)."'";
 $result = $this->db->query($sql);
 if ($result && $this->db->num_rows($result) == 0) {
@@ -1657,7 +1657,7 @@ class Thirdparties extends DolibarrApi
 $result = $this->db->query($sql);
 if ($result && $this->db->num_rows($result) !== 0) {
- throw new RestException(409, "You are trying to update this thirdparty SocieteAccount (gateway record) site member from $site to ".$request_data['site']." but another SocieteAccount entity already exists for this thirdparty with this site key.");
+ throw new RestException(409, "You are trying to update this thirdparty SocieteAccount (gateway record) site member from ".$site." to ".$request_data['site']." but another SocieteAccount entity already exists for this thirdparty with this site key.");
 }
 }
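Review bot: The second SELECT, whose `$result = $this->db->query($sql);` opens the following hunk at @@ -1657, is built on the lines between the two hunks that this commit does not touch; if it still interpolates `$request_data['site']` the way the removed line here interpolated `$site`, it needs the same `(int)` / `$this->db->escape()` treatment, since that value comes straight from the REST request body. Both checks also let a failed query fall through: `if ($result && $this->db->num_rows($result) == 0)` does nothing when `$result` is false, so a SQL error is neither reported nor stops the update — consider `if (!$result) { throw new RestException(500, $this->db->lasterror()); }` before each count check. For consistency with the `!== 0` comparison in the next hunk, this one should read `=== 0`. The method's remaining body lies outside the hunks.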