lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix more then 30 security defects

Browse Source
This commit is contained in:
Laurent Destailleur 2016-12-18 01:44:26 +01:00
parent 9fd48df839
commit 60b8582aa9
24 changed files with 135 additions and 341 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
htdocs/adherents/card.php
View File

@ -822,7 +822,7 @@ else
// Login
if (empty($conf->global->ADHERENT_LOGIN_NOT_REQUIRED))
{
print '<tr><td><span class="fieldrequired">'.$langs->trans("Login").' / '.$langs->trans("Id").'</span></td><td><input type="text" name="member_login" size="40" value="'.(isset($_POST["member_login"])?$_POST["member_login"]:$object->login).'"></td></tr>';
print '<tr><td><span class="fieldrequired">'.$langs->trans("Login").' / '.$langs->trans("Id").'</span></td><td><input type="text" name="member_login" class="maxwidth200" value="'.(isset($_POST["member_login"])?GETPOST("member_login", 'alpha', 2):$object->login).'"></td></tr>';
}
// Type
@ -1066,7 +1066,7 @@ else
// Login
if (empty($conf->global->ADHERENT_LOGIN_NOT_REQUIRED))
{
print '<tr><td><span class="fieldrequired">'.$langs->trans("Login").' / '.$langs->trans("Id").'</span></td><td colspan="2"><input type="text" name="login" size="30" value="'.(isset($_POST["login"])?$_POST["login"]:$object->login).'"></td></tr>';
print '<tr><td><span class="fieldrequired">'.$langs->trans("Login").' / '.$langs->trans("Id").'</span></td><td colspan="2"><input type="text" name="login" class="maxwidth200" value="'.(isset($_POST["login"])?GETPOST("login",'alpha',2):$object->login).'"></td></tr>';
}
// Morphy
@ -1090,7 +1090,7 @@ else
print "</td></tr>";
// Company
print '<tr><td id="tdcompany">'.$langs->trans("Company").'</td><td><input type="text" name="societe" size="40" value="'.(isset($_POST["societe"])?$_POST["societe"]:$object->societe).'"></td></tr>';
print '<tr><td id="tdcompany">'.$langs->trans("Company").'</td><td><input type="text" name="societe" size="40" value="'.(isset($_POST["societe"])?GETPOST("societe",'',2):$object->societe).'"></td></tr>';
// Civility
print '<tr><td>'.$langs->trans("UserTitle").'</td><td>';
@ -1099,11 +1099,11 @@ else
print '</tr>';
// Lastname
print '<tr><td id="tdlastname">'.$langs->trans("Lastname").'</td><td><input type="text" name="lastname" size="40" value="'.(isset($_POST["lastname"])?$_POST["lastname"]:$object->lastname).'"></td>';
print '<tr><td id="tdlastname">'.$langs->trans("Lastname").'</td><td><input type="text" name="lastname" size="40" value="'.(isset($_POST["lastname"])?GETPOST("lastname",'',2):$object->lastname).'"></td>';
print '</tr>';
// Firstname
print '<tr><td id="tdfirstname">'.$langs->trans("Firstname").'</td><td><input type="text" name="firstname" size="40" value="'.(isset($_POST["firstname"])?$_POST["firstname"]:$object->firstname).'"></td>';
print '<tr><td id="tdfirstname">'.$langs->trans("Firstname").'</td><td><input type="text" name="firstname" size="40" value="'.(isset($_POST["firstname"])?GETPOST("firstname",'',3):$object->firstname).'"></td>';
print '</tr>';
// Photo
@ -1122,24 +1122,24 @@ else
print '</td></tr>';
// EMail
print '<tr><td>'.($conf->global->ADHERENT_MAIL_REQUIRED?'<span class="fieldrequired">':'').$langs->trans("EMail").($conf->global->ADHERENT_MAIL_REQUIRED?'</span>':'').'</td><td><input type="text" name="email" size="40" value="'.(isset($_POST["email"])?$_POST["email"]:$object->email).'"></td></tr>';
print '<tr><td>'.($conf->global->ADHERENT_MAIL_REQUIRED?'<span class="fieldrequired">':'').$langs->trans("EMail").($conf->global->ADHERENT_MAIL_REQUIRED?'</span>':'').'</td><td><input type="text" name="email" size="40" value="'.(isset($_POST["email"])?GETPOST("email",'',2):$object->email).'"></td></tr>';
// Password
if (empty($conf->global->ADHERENT_LOGIN_NOT_REQUIRED))
{
print '<tr><td class="fieldrequired">'.$langs->trans("Password").'</td><td><input type="password" name="pass" size="30" value="'.(isset($_POST["pass"])?$_POST["pass"]:$object->pass).'"></td></tr>';
print '<tr><td class="fieldrequired">'.$langs->trans("Password").'</td><td><input type="password" name="pass" class="maxwdith200" value="'.(isset($_POST["pass"])?GETPOST("pass",'',2):$object->pass).'"></td></tr>';
}
// Address
print '<tr><td>'.$langs->trans("Address").'</td><td>';
print '<textarea name="address" wrap="soft" class="quatrevingtpercent" rows="2">'.(isset($_POST["address"])?$_POST["address"]:$object->address).'</textarea>';
print '<textarea name="address" wrap="soft" class="quatrevingtpercent" rows="2">'.(isset($_POST["address"])?GETPOST("address",'',2):$object->address).'</textarea>';
print '</td></tr>';
// Zip / Town
print '<tr><td>'.$langs->trans("Zip").' / '.$langs->trans("Town").'</td><td>';
print $formcompany->select_ziptown((isset($_POST["zipcode"])?$_POST["zipcode"]:$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6);
print $formcompany->select_ziptown((isset($_POST["zipcode"])?GETPOST("zipcode",'',2):$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6);
print ' ';
print $formcompany->select_ziptown((isset($_POST["town"])?$_POST["town"]:$object->town),'town',array('zipcode','selectcountry_id','state_id'));
print $formcompany->select_ziptown((isset($_POST["town"])?GETPOST("town",'',2):$object->town),'town',array('zipcode','selectcountry_id','state_id'));
print '</td></tr>';
// Country
@ -1153,23 +1153,23 @@ else
if (empty($conf->global->MEMBER_DISABLE_STATE))
{
print '<tr><td>'.$langs->trans('State').'</td><td>';
print $formcompany->select_state($object->state_id,isset($_POST["country_id"])?$_POST["country_id"]:$object->country_id);
print $formcompany->select_state($object->state_id,isset($_POST["country_id"])?GETPOST("country_id"):$object->country_id);
print '</td></tr>';
}
// Pro phone
print '<tr><td>'.$langs->trans("PhonePro").'</td><td><input type="text" name="phone" size="20" value="'.(isset($_POST["phone"])?$_POST["phone"]:$object->phone).'"></td></tr>';
print '<tr><td>'.$langs->trans("PhonePro").'</td><td><input type="text" name="phone" size="20" value="'.(isset($_POST["phone"])?GETPOST("phone"):$object->phone).'"></td></tr>';
// Personal phone
print '<tr><td>'.$langs->trans("PhonePerso").'</td><td><input type="text" name="phone_perso" size="20" value="'.(isset($_POST["phone_perso"])?$_POST["phone_perso"]:$object->phone_perso).'"></td></tr>';
print '<tr><td>'.$langs->trans("PhonePerso").'</td><td><input type="text" name="phone_perso" size="20" value="'.(isset($_POST["phone_perso"])?GETPOST("phone_perso"):$object->phone_perso).'"></td></tr>';
// Mobile phone
print '<tr><td>'.$langs->trans("PhoneMobile").'</td><td><input type="text" name="phone_mobile" size="20" value="'.(isset($_POST["phone_mobile"])?$_POST["phone_mobile"]:$object->phone_mobile).'"></td></tr>';
print '<tr><td>'.$langs->trans("PhoneMobile").'</td><td><input type="text" name="phone_mobile" size="20" value="'.(isset($_POST["phone_mobile"])?GETPOST("hone_mobile"):$object->phone_mobile).'"></td></tr>';
// Skype
if (! empty($conf->skype->enabled))
{
print '<tr><td>'.$langs->trans("Skype").'</td><td><input type="text" name="skype" size="40" value="'.(isset($_POST["skype"])?$_POST["skype"]:$object->skype).'"></td></tr>';
print '<tr><td>'.$langs->trans("Skype").'</td><td><input type="text" name="skype" size="40" value="'.(isset($_POST["skype"])?GETPOST("skype"):$object->skype).'"></td></tr>';
}
// Birthday
@ -1179,7 +1179,7 @@ else
// Public profil
print "<tr><td>".$langs->trans("Public")."</td><td>\n";
print $form->selectyesno("public",(isset($_POST["public"])?$_POST["public"]:$object->public),1);
print $form->selectyesno("public",(isset($_POST["public"])?GETPOST("public",'',2):$object->public),1);
print "</td></tr>\n";
// Categories

28
htdocs/admin/menus/index.php
View File

@ -71,7 +71,7 @@ if ($action == 'up')
// Get current position
$sql = "SELECT m.rowid, m.position, m.type, m.fk_menu";
$sql.= " FROM ".MAIN_DB_PREFIX."menu as m";
$sql.= " WHERE m.rowid = ".$_GET["menuId"];
$sql.= " WHERE m.rowid = ".GETPOST("menuId","int");
dol_syslog("admin/menus/index.php ".$sql);
$result = $db->query($sql);
$num = $db->num_rows($result);
@ -89,11 +89,11 @@ if ($action == 'up')
// Menu before
$sql = "SELECT m.rowid, m.position";
$sql.= " FROM ".MAIN_DB_PREFIX."menu as m";
$sql.= " WHERE (m.position < ".($current['order'])." OR (m.position = ".($current['order'])." AND rowid < ".$_GET["menuId"]."))";
$sql.= " AND m.menu_handler='".$menu_handler_to_search."'";
$sql.= " WHERE (m.position < ".($current['order'])." OR (m.position = ".($current['order'])." AND rowid < ".GETPOST("menuId","int")."))";
$sql.= " AND m.menu_handler='".$db->escape($menu_handler_to_search)."'";
$sql.= " AND m.entity = ".$conf->entity;
$sql.= " AND m.type = '".$current['type']."'";
$sql.= " AND m.fk_menu = '".$current['fk_menu']."'";
$sql.= " AND m.type = '".$db->escape($current['type'])."'";
$sql.= " AND m.fk_menu = '".$db->escape($current['fk_menu'])."'";
$sql.= " ORDER BY m.position, m.rowid";
dol_syslog("admin/menus/index.php ".$sql);
$result = $db->query($sql);
@ -127,7 +127,7 @@ elseif ($action == 'down')
// Get current position
$sql = "SELECT m.rowid, m.position, m.type, m.fk_menu";
$sql.= " FROM ".MAIN_DB_PREFIX."menu as m";
$sql.= " WHERE m.rowid = ".$_GET["menuId"];
$sql.= " WHERE m.rowid = ".GETPOST("menuId","int");
dol_syslog("admin/menus/index.php ".$sql);
$result = $db->query($sql);
$num = $db->num_rows($result);
@ -145,11 +145,11 @@ elseif ($action == 'down')
// Menu after
$sql = "SELECT m.rowid, m.position";
$sql.= " FROM ".MAIN_DB_PREFIX."menu as m";
$sql.= " WHERE (m.position > ".($current['order'])." OR (m.position = ".($current['order'])." AND rowid > ".$_GET["menuId"]."))";
$sql.= " AND m.menu_handler='".$menu_handler_to_search."'";
$sql.= " WHERE (m.position > ".($current['order'])." OR (m.position = ".($current['order'])." AND rowid > ".GETPOST("menuId","int")."))";
$sql.= " AND m.menu_handler='".$db->escape($menu_handler_to_search)."'";
$sql.= " AND m.entity = ".$conf->entity;
$sql.= " AND m.type = '".$current['type']."'";
$sql.= " AND m.fk_menu = '".$current['fk_menu']."'";
$sql.= " AND m.type = '".$db->escape($current['type'])."'";
$sql.= " AND m.fk_menu = '".$db->escape($current['fk_menu'])."'";
$sql.= " ORDER BY m.position, m.rowid";
dol_syslog("admin/menus/index.php ".$sql);
$result = $db->query($sql);
@ -180,7 +180,7 @@ elseif ($action == 'confirm_delete' && $confirm == 'yes')
$db->begin();
$sql = "DELETE FROM ".MAIN_DB_PREFIX."menu";
$sql.= " WHERE rowid = ".$_GET['menuId'];
$sql.= " WHERE rowid = ".GETPOST('menuId','int');
$resql=$db->query($sql);
if ($resql)
{
@ -245,11 +245,11 @@ if ($action == 'delete')
{
$sql = "SELECT m.titre";
$sql.= " FROM ".MAIN_DB_PREFIX."menu as m";
$sql.= " WHERE m.rowid = ".$_GET['menuId'];
$sql.= " WHERE m.rowid = ".GETPOST('menuId','int');
$result = $db->query($sql);
$obj = $db->fetch_object($result);
print $form->formconfirm("index.php?menu_handler=".$menu_handler."&menuId=".$_GET['menuId'],$langs->trans("DeleteMenu"),$langs->trans("ConfirmDeleteMenu",$obj->titre),"confirm_delete");
print $form->formconfirm("index.php?menu_handler=".$menu_handler."&menuId=".GETPOST('menuId','int'),$langs->trans("DeleteMenu"),$langs->trans("ConfirmDeleteMenu",$obj->titre),"confirm_delete");
}
@ -298,7 +298,7 @@ if ($conf->use_javascript_ajax)
$sql = "SELECT m.rowid, m.titre, m.langs, m.mainmenu, m.leftmenu, m.fk_menu, m.fk_mainmenu, m.fk_leftmenu, m.module";
$sql.= " FROM ".MAIN_DB_PREFIX."menu as m";
$sql.= " WHERE menu_handler = '".$menu_handler_to_search."'";
$sql.= " WHERE menu_handler = '".$db->escape($menu_handler_to_search)."'";
$sql.= " AND entity = ".$conf->entity;
//$sql.= " AND fk_menu >= 0";
$sql.= " ORDER BY m.position, m.rowid"; // Order is position then rowid (because we need a sort criteria when position is same)

4
htdocs/admin/perms.php
View File

@ -44,7 +44,7 @@ if (!$user->admin) accessforbidden();
if ($action == 'add')
{
$sql = "UPDATE ".MAIN_DB_PREFIX."rights_def SET bydefault=1";
$sql.= " WHERE id = ".$_GET["pid"];
$sql.= " WHERE id = ".GETPOST("pid",'int');
$sql.= " AND entity = ".$conf->entity;
$db->query($sql);
}
@ -52,7 +52,7 @@ if ($action == 'add')
if ($action == 'remove')
{
$sql = "UPDATE ".MAIN_DB_PREFIX."rights_def SET bydefault=0";
$sql.= " WHERE id = ".$_GET["pid"];
$sql.= " WHERE id = ".GETPOST('pid','int');
$sql.= " AND entity = ".$conf->entity;
$db->query($sql);
}

8
htdocs/bookmarks/card.php
View File

@ -69,7 +69,7 @@ if ($action == 'add' || $action == 'addproduct' || $action == 'update')
exit;
}
if ($action == 'update') $bookmark->fetch($_POST["id"]);
if ($action == 'update') $bookmark->fetch(GETPOST("id",'int'));
// Check if null because user not admin can't set an user and send empty value here.
if(!empty($userid))
$bookmark->fk_user=$userid;
@ -217,7 +217,7 @@ if ($id > 0 && ! preg_match('/^add/i',$action))
print '<table class="border" width="100%">';
print '<tr><td width="25%">'.$langs->trans("Ref").'</td><td>'.$bookmark->ref.'</td></tr>';
print '<tr><td class="titlefield">'.$langs->trans("Ref").'</td><td>'.$bookmark->ref.'</td></tr>';
print '<tr><td>';
if ($action == 'edit') {
@ -231,7 +231,7 @@ if ($id > 0 && ! preg_match('/^add/i',$action))
}
print '</td><td>';
if ($action == 'edit') print '<input class="flat" name="title" size="30" value="'.(isset($_POST["title"])?$_POST["title"]:$bookmark->title).'">';
if ($action == 'edit') print '<input class="flat minwidth200" name="title" value="'.(isset($_POST["title"])?GETPOST("title",'',2):$bookmark->title).'">';
else print $bookmark->title;
print '</td></tr>';
@ -301,6 +301,8 @@ if ($id > 0 && ! preg_match('/^add/i',$action))
}
// Buttons
print "<div class=\"tabsAction\">\n";
// Edit

2
htdocs/cashdesk/tpl/validation2.tpl.php
View File

@ -33,7 +33,7 @@ $langs->load("bills");
largeur = 600;
hauteur = 500;
opt = 'width='+largeur+', height='+hauteur+', left='+(screen.width - largeur)/2+', top='+(screen.height-hauteur)/2+'';
window.open('validation_ticket.php?facid=<?php echo $_GET['facid']; ?>', '<?php echo $langs->trans('PrintTicket') ?>', opt);
window.open('validation_ticket.php?facid=<?php echo GETPOST('facid','int'); ?>', '<?php echo $langs->trans('PrintTicket') ?>', opt);
}
popupTicket();

9
htdocs/comm/contact.php
View File

@ -125,6 +125,8 @@ if ($resql)
$title = (! empty($conf->global->SOCIETE_ADDRESSES_MANAGEMENT) ? $langs->trans("ListOfContacts") : $langs->trans("ListOfContactsAddresses"));
print_barre_liste($title.($label?" (".$label.")":""),$page, $_SERVER["PHP_SELF"], $param,$sortfield,$sortorder,"",$num);
print '<form action="'.$_SERVER["PHP_SELF"].'?type='.GETPOST("type", "alpha").'" method="GET">';
print '<table class="liste" width="100%">';
print '<tr class="liste_titre">';
print_liste_field_titre($langs->trans("Lastname"),$_SERVER["PHP_SELF"],"p.name", $begin, $param,"",$sortfield,$sortorder);
@ -134,7 +136,6 @@ if ($resql)
print_liste_field_titre($langs->trans("Phone"));
print "</tr>\n";
print '<form action="'.$_SERVER["PHP_SELF"].'?type='.$_GET["type"].'" method="GET">';
print '<tr class="liste_titre">';
print '<td class="liste_titre"><input class="flat" name="search_lastname" size="12" value="'.$search_lastname.'"></td>';
print '<td class="liste_titre"><input class="flat" name="search_firstname" size="12" value="'.$search_firstname.'"></td>';
@ -142,7 +143,6 @@ if ($resql)
print '<td class="liste_titre">&nbsp;</td>';
print '<td class="liste_titre" align="right"><input type="image" class="liste_titre" src="'.img_picto($langs->trans("Search"),'search.png','','',1).'" value="'.dol_escape_htmltag($langs->trans("Search")).'" title="'.dol_escape_htmltag($langs->trans("Search")).'"></td>';
print "</tr>\n";
print '</form>';
$var=True;
$i = 0;
@ -167,7 +167,10 @@ if ($resql)
print "</tr>\n";
$i++;
}
print "</table></p>";
print "</table>";
print '</form>';
$db->free($resql);
}
else

4
htdocs/comm/remx.php
View File

@ -283,14 +283,14 @@ if ($socid > 0)
print '<div class="underbanner clearboth"></div>';
print '<table class="border" width="100%">';
print '<tr><td class="titlefield fieldrequired">'.$langs->trans("AmountHT").'</td>';
print '<td><input type="text" size="5" name="amount_ht" value="'.$_POST["amount_ht"].'">';
print '<td><input type="text" size="5" name="amount_ht" value="'.price2num(GETPOST("amount_ht")).'">';
print '<span class="hideonsmartphone">&nbsp;'.$langs->trans("Currency".$conf->currency).'</span></td></tr>';
print '<tr><td>'.$langs->trans("VAT").'</td>';
print '<td>';
print $form->load_tva('tva_tx',GETPOST('tva_tx'),$mysoc,$object);
print '</td></tr>';
print '<tr><td class="fieldrequired" >'.$langs->trans("NoteReason").'</td>';
print '<td><input type="text" size="60" name="desc" value="'.GETPOST('desc').'"></td></tr>';
print '<td><input type="text" class="quatrevingtpercent" name="desc" value="'.GETPOST('desc').'"></td></tr>';
print "</table>";
}

45
htdocs/commande/customer.php
View File

@ -44,11 +44,13 @@ accessforbidden();
$langs->load("companies");
$langs->load("orders");
$limit = GETPOST("limit")?GETPOST("limit","int"):$conf->liste_limit;
$sortfield = GETPOST("sortfield",'alpha');
$sortorder = GETPOST("sortorder",'alpha');
$page = GETPOST("page",'int');
if ($page == -1) { $page = 0; }
$offset = $conf->liste_limit * $page;
$offset = $limit * $page;
$pageprev = $page - 1;
$pagenext = $page + 1;
if (! $sortorder) $sortorder="ASC";
@ -77,32 +79,32 @@ $sql.= " AND s.entity IN (".getEntity('societe', 1).")";
if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
if (dol_strlen($stcomm))
{
$sql.= " AND s.fk_stcomm=$stcomm";
}
if ($_GET["search_nom"])
{
$sql.= " AND s.nom like '%".$db->escape(strtolower($_GET["search_nom"]))."%'";
}
if ($_GET["search_compta"])
{
$sql.= " AND s.code_compta like '%".$db->escape($_GET["search_compta"])."%'";
}
if ($_GET["search_code_client"])
{
$sql.= " AND s.code_client like '%".$db->escape($_GET["search_code_client"])."%'";
$sql.= " AND s.fk_stcomm=".$stcomm;
}
if (GETPOST("search_nom")) $sql.= natural_search("s.nom", GETPOST("search_nom"));
if (GETPOST("search_compta")) $sql.= natural_search("s.code_compta", GETPOST("search_compta"));
if (GETPOST("search_code_client")) $sql.= natural_search("s.code_client", GETPOST("search_code_client"));
if (dol_strlen($begin))
{
$sql.= " AND s.nom like '".$db->escape($begin)."'";
}
if ($socid)
if ($socid > 0)
{
$sql.= " AND s.rowid = ".$socid;
}
$sql.= " AND c.fk_statut in (1, 2) AND c.facture = 0";
$sql.= " GROUP BY s.nom";
$sql.= " ORDER BY $sortfield $sortorder " . $db->plimit($conf->liste_limit+1, $offset);
$sql.= $db->order($sortfield,$sortorder);
// Count total nb of records
$nbtotalofrecords = -1;
if (empty($conf->global->MAIN_DISABLE_FULL_SCANLIST))
{
$result = $db->query($sql);
$nbtotalofrecords = $db->num_rows($result);
}
$sql.= $db->plimit($limit + 1, $offset);
//print $sql;
$resql = $db->query($sql);
@ -129,26 +131,27 @@ if ($resql)
print '<tr class="liste_titre">';
print '<td align="left" class="liste_titre">';
print '<input class="flat" type="text" name="search_nom" value="'.$_GET["search_nom"].'"></td>';
print '<input class="flat" type="text" name="search_nom" value="'.dol_escape_htmltag(GETPOST("search_nom")).'"></td>';
print '<td class="liste_titre">&nbsp;</td>';
print '<td align="left" class="liste_titre">';
print '<input class="flat" type="text" size="10" name="search_code_client" value="'.$_GET["search_code_client"].'">';
print '<input class="flat" type="text" size="10" name="search_code_client" value="'.dol_escape_htmltag(GETPOST("search_code_client")).'">';
print '</td>';
print '<td align="left" class="liste_titre">';
print '<input class="flat" type="text" size="10" name="search_compta" value="'.$_GET["search_compta"].'">';
print '<input class="flat" type="text" size="10" name="search_compta" value="'.dol_escape_htmltag(GETPOST("search_compta")).'">';
print '</td>';
print '<td align="right" colspan="2" class="liste_titre">';
print '<input type="image" class="liste_titre" src="'.img_picto($langs->trans("Search"),'search.png','','',1).'" name="button_search" value="'.dol_escape_htmltag($langs->trans("Search")).'" title="'.dol_escape_htmltag($langs->trans("Search")).'">';
print '</td>';
print "</tr>\n";
$var=true;
while ($i < min($num,$conf->liste_limit))
while ($i < min($num,$limit))
{
$obj = $db->fetch_object($resql);

6
htdocs/commande/orderstoinvoice.php
View File

@ -46,7 +46,7 @@ $langs->load('companies');
if (! $user->rights->facture->creer)
accessforbidden();
$id = (GETPOST('id')?GETPOST('id','int'):GETPOST("facid")); // For backward compatibility
$id = (GETPOST('id')?GETPOST('id','int'):GETPOST("facid","int")); // For backward compatibility
$ref = GETPOST('ref','alpha');
$action = GETPOST('action','alpha');
$confirm = GETPOST('confirm','alpha');
@ -112,7 +112,7 @@ if (($action == 'create' || $action == 'add') && !$error)
$langs->load('main');
if (isset($_GET['orders_to_invoice']))
{
$orders_id = $_GET['orders_to_invoice'];
$orders_id = GETPOST('orders_to_invoice','',1);
$n = count($orders_id);
$i = 0;
@ -122,7 +122,7 @@ if (($action == 'create' || $action == 'add') && !$error)
}
if (isset($_POST['orders_to_invoice']))
{
$orders_id = $_POST['orders_to_invoice'];
$orders_id = GETPOST('orders_to_invoice','',1);
$nn = count($orders_id);
$ii = 0;

4
htdocs/compta/localtax/reglement.php
View File

@ -31,7 +31,7 @@ $langs->load("compta");
$socid = isset($_GET["socid"])?$_GET["socid"]:'';
if ($user->societe_id) $socid=$user->societe_id;
$result = restrictedArea($user, 'tax', '', '', 'charges');
$ltt=$_REQUEST["localTaxType"];
$ltt=GETPOST("localTaxType");
/*
* View
@ -45,7 +45,7 @@ print load_fiche_titre($langs->transcountry($ltt==2?"LT2Payments":"LT1Payments",
$sql = "SELECT rowid, amount, label, f.datev as dm";
$sql.= " FROM ".MAIN_DB_PREFIX."localtax as f ";
$sql.= " WHERE f.entity = ".$conf->entity." AND localtaxtype=".$ltt;
$sql.= " WHERE f.entity = ".$conf->entity." AND localtaxtype=".$db->escape($ltt);
$sql.= " ORDER BY dm DESC";
$result = $db->query($sql);

8
htdocs/compta/tva/quadri_detail.php
View File

@ -48,7 +48,7 @@ $langs->load("trips");
$langs->load("other");
// Date range
$year=GETPOST("year");
$year=GETPOST("year","int");
if (empty($year))
{
$year_current = strftime("%Y",dol_now());
@ -57,15 +57,15 @@ if (empty($year))
$year_current = $year;
$year_start = $year;
}
$date_start=dol_mktime(0,0,0,$_REQUEST["date_startmonth"],$_REQUEST["date_startday"],$_REQUEST["date_startyear"]);
$date_end=dol_mktime(23,59,59,$_REQUEST["date_endmonth"],$_REQUEST["date_endday"],$_REQUEST["date_endyear"]);
$date_start=dol_mktime(0,0,0,GETPOST("date_startmonth"),GETPOST("date_startday"),GETPOST("date_startyear"));
$date_end=dol_mktime(23,59,59,GETPOST("date_endmonth"),GETPOST("date_endday"),GETPOST("date_endyear"));
// Quarter
if (empty($date_start) || empty($date_end)) // We define date_start and date_end
{
$q=GETPOST("q");
if (empty($q))
{
if (isset($_REQUEST["month"])) { $date_start=dol_get_first_day($year_start,$_REQUEST["month"],false); $date_end=dol_get_last_day($year_start,$_REQUEST["month"],false); }
if (GETPOST("month")) { $date_start=dol_get_first_day($year_start,GETPOST("month"),false); $date_end=dol_get_last_day($year_start,GETPOST("month"),false); }
else
{
$month_current = strftime("%m",dol_now());

6
htdocs/core/class/html.formsms.class.php
View File

@ -255,7 +255,7 @@ function limitChars(textarea, limit, infodiv)
}
else
{
print "<input size=\"16\" id=\"sendto\" name=\"sendto\" value=\"".(! is_array($this->withto) && $this->withto != '1'? (isset($_REQUEST["sendto"])?$_REQUEST["sendto"]:$this->withto):"+")."\">";
print "<input size=\"16\" id=\"sendto\" name=\"sendto\" value=\"".dol_escape_htmltag(! is_array($this->withto) && $this->withto != '1'? (isset($_REQUEST["sendto"])?GETPOST("sendto"):$this->withto):"+")."\">";
if (! empty($this->withtosocid) && $this->withtosocid > 0)
{
$liste=array();
@ -290,11 +290,11 @@ function limitChars(textarea, limit, infodiv)
if ($this->withbodyreadonly)
{
print nl2br($defaultmessage);
print '<input type="hidden" name="message" value="'.$defaultmessage.'">';
print '<input type="hidden" name="message" value="'.dol_escape_htmltag($defaultmessage).'">';
}
else
{
print '<textarea cols="40" name="message" id="message" rows="4" onkeyup="limitChars(this, 160, \'charlimitinfospan\')">'.$defaultmessage.'</textarea>';
print '<textarea class="quatrevingtpercent" name="message" id="message" rows="'.ROWS_4.'" onkeyup="limitChars(this, 160, \'charlimitinfospan\')">'.$defaultmessage.'</textarea>';
print '<div id="charlimitinfo">'.$langs->trans("SmsInfoCharRemain").': <span id="charlimitinfospan">'.(160-dol_strlen($defaultmessage)).'</span></div></td>';
}
print "</td></tr>\n";

2
htdocs/core/datepicker.php
View File

@ -108,7 +108,7 @@ if (isset($_GET["m"]) && isset($_GET["y"]))
if ($qualified)
{
//print $_GET["cm"].",".$_GET["sd"].",".$_GET["m"].",".$_GET["y"];exit;
displayBox($_GET["sd"],$_GET["m"],$_GET["y"]);
displayBox(GETPOST("sd",'alpha'),GETPOST("m",'int'),GETPOST("y",'int'));
}
else
{

8
htdocs/core/filemanagerdol/connectors/php/io.php
View File

@ -44,7 +44,7 @@ function GetResourceTypePath($resourceType, $sCommand)
{
global $Config ;
if ( $sCommand == "QuickUpload")
if ($sCommand == "QuickUpload")
return $Config['QuickUploadPath'][$resourceType] ;
else
return $Config['FileTypesPath'][$resourceType] ;
@ -60,7 +60,7 @@ function GetResourceTypePath($resourceType, $sCommand)
function GetResourceTypeDirectory($resourceType, $sCommand)
{
global $Config ;
if ( $sCommand == "QuickUpload")
if ($sCommand == "QuickUpload")
{
if ( strlen($Config['QuickUploadAbsolutePath'][$resourceType]) > 0)
return $Config['QuickUploadAbsolutePath'][$resourceType] ;
@ -299,7 +299,7 @@ function IsAllowedCommand($sCommand)
{
global $Config ;
if ( !in_array($sCommand, $Config['ConfigAllowedCommands']))
if (! in_array($sCommand, $Config['ConfigAllowedCommands']))
return false ;
return true ;
@ -315,7 +315,7 @@ function GetCurrentFolder()
if (!isset($_GET)) {
global $_GET;
}
$sCurrentFolder = isset( $_GET['CurrentFolder'] ) ? $_GET['CurrentFolder'] : '/' ;
$sCurrentFolder = isset( $_GET['CurrentFolder'] ) ? GETPOST('CurrentFolder', '', 1) : '/' ;
// Check the current folder syntax (must begin and start with a slash).
if (!preg_match('|/$|', $sCurrentFolder))

2
htdocs/core/photos_resize.php
View File

@ -34,7 +34,7 @@ $langs->load("other");
$id=GETPOST('id','int');
$action=GETPOST('action','alpha');
$modulepart=GETPOST('modulepart','alpha')?GETPOST('modulepart','alpha'):'produit|service';
$original_file = isset($_REQUEST["file"])?urldecode($_REQUEST["file"]):'';
$original_file = GETPOST("file");
$backtourl=GETPOST('backtourl');
$cancel=GETPOST("cancel");

20
htdocs/core/tpl/objectline_create.tpl.php
View File

@ -153,7 +153,7 @@ else {
}
}
echo $form->select_type_of_lines(isset($_POST["type"])?$_POST["type"]:-1,'type',1,1,$forceall);
echo $form->select_type_of_lines(isset($_POST["type"])?GETPOST("type",'alpha',2):-1,'type',1,1,$forceall);
echo '</span>';
@ -253,25 +253,25 @@ else {
<td class="nobottom linecolvat" align="right"><?php
if ($seller->tva_assuj == "0") echo '<input type="hidden" name="tva_tx" id="tva_tx" value="0">'.vatrate(0, true);
else echo $form->load_tva('tva_tx', (isset($_POST["tva_tx"])?$_POST["tva_tx"]:-1), $seller, $buyer, 0, 0, '', false, 1);
else echo $form->load_tva('tva_tx', (isset($_POST["tva_tx"])?GETPOST("tva_tx",'alpha',2):-1), $seller, $buyer, 0, 0, '', false, 1);
?>
</td>
<td class="nobottom linecoluht" align="right">
<input type="text" size="5" name="price_ht" id="price_ht" class="flat" value="<?php echo (isset($_POST["price_ht"])?$_POST["price_ht"]:''); ?>">
<input type="text" size="5" name="price_ht" id="price_ht" class="flat" value="<?php echo (isset($_POST["price_ht"])?GETPOST("price_ht",'alpha',2):''); ?>">
</td>
<?php if (!empty($conf->multicurrency->enabled)) { $colspan++;?>
<td class="nobottom linecoluht_currency" align="right">
<input type="text" size="5" name="multicurrency_price_ht" id="multicurrency_price_ht" class="flat" value="<?php echo (isset($_POST["multicurrency_price_ht"])?$_POST["multicurrency_price_ht"]:''); ?>">
<input type="text" size="5" name="multicurrency_price_ht" id="multicurrency_price_ht" class="flat" value="<?php echo (isset($_POST["multicurrency_price_ht"])?GETPOST("multicurrency_price_ht",'alpha',2):''); ?>">
</td>
<?php } ?>
<?php if (! empty($inputalsopricewithtax)) { ?>
<td class="nobottom linecoluttc" align="right">
<input type="text" size="5" name="price_ttc" id="price_ttc" class="flat" value="<?php echo (isset($_POST["price_ttc"])?$_POST["price_ttc"]:''); ?>">
<input type="text" size="5" name="price_ttc" id="price_ttc" class="flat" value="<?php echo (isset($_POST["price_ttc"])?GETPOST("price_ttc",'alpha',2):''); ?>">
</td>
<?php } ?>
<td class="nobottom linecolqty" align="right"><input type="text" size="2" name="qty" id="qty" class="flat" value="<?php echo (isset($_POST["qty"])?$_POST["qty"]:1); ?>">
<td class="nobottom linecolqty" align="right"><input type="text" size="2" name="qty" id="qty" class="flat" value="<?php echo (isset($_POST["qty"])?GETPOST("qty",'alpha',2):1); ?>">
</td>
<?php
if($conf->global->PRODUCT_USE_UNITS)
@ -281,7 +281,7 @@ else {
print '</td>';
}
?>
<td class="nobottom nowrap linecoldiscount" align="right"><input type="text" size="1" name="remise_percent" id="remise_percent" class="flat" value="<?php echo (isset($_POST["remise_percent"])?$_POST["remise_percent"]:$buyer->remise_percent); ?>"><span class="hideonsmartphone">%</span></td>
<td class="nobottom nowrap linecoldiscount" align="right"><input type="text" size="1" name="remise_percent" id="remise_percent" class="flat" value="<?php echo (isset($_POST["remise_percent"])?GETPOST("remise_percent",'alpha',2):$buyer->remise_percent); ?>"><span class="hideonsmartphone">%</span></td>
<?php
if ($this->situation_cycle_ref) {
$coldisplay++;
@ -296,7 +296,7 @@ else {
<select id="fournprice_predef" name="fournprice_predef" class="flat" data-role="none" style="display: none;"></select>
<?php } ?>
<!-- For free product -->
<input type="text" size="5" id="buying_price" name="buying_price" class="flat" value="<?php echo (isset($_POST["buying_price"])?$_POST["buying_price"]:''); ?>">
<input type="text" size="5" id="buying_price" name="buying_price" class="flat" value="<?php echo (isset($_POST["buying_price"])?GETPOST("buying_price",'alpha',2):''); ?>">
</td>
<?php
@ -305,12 +305,12 @@ else {
{
if (! empty($conf->global->DISPLAY_MARGIN_RATES))
{
echo '<td align="right" class="nobottom nowrap margininfos"><input type="text" size="2" id="np_marginRate" name="np_marginRate" value="'.(isset($_POST["np_marginRate"])?$_POST["np_marginRate"]:'').'"><span class="np_marginRate hideonsmartphone">%</span></td>';
echo '<td align="right" class="nobottom nowrap margininfos"><input type="text" size="2" id="np_marginRate" name="np_marginRate" value="'.(isset($_POST["np_marginRate"])?GETPOST("np_marginRate",'alpha',2):'').'"><span class="np_marginRate hideonsmartphone">%</span></td>';
$coldisplay++;
}
if (! empty($conf->global->DISPLAY_MARK_RATES))
{
echo '<td align="right" class="nobottom nowrap margininfos"><input type="text" size="2" id="np_markRate" name="np_markRate" value="'.(isset($_POST["np_markRate"])?$_POST["np_markRate"]:'').'"><span class="np_markRate hideonsmartphone">%</span></td>';
echo '<td align="right" class="nobottom nowrap margininfos"><input type="text" size="2" id="np_markRate" name="np_markRate" value="'.(isset($_POST["np_markRate"])?GETPOST("np_markRate",'alpha',2):'').'"><span class="np_markRate hideonsmartphone">%</span></td>';
$coldisplay++;
}
}

4
htdocs/core/tpl/objectline_edit.tpl.php
View File

@ -185,7 +185,7 @@ $coldisplay=-1; // We remove first td
<?php if ($user->rights->margins->creer) {
if (! empty($conf->global->DISPLAY_MARGIN_RATES))
{
$margin_rate = (isset($_POST["np_marginRate"])?$_POST["np_marginRate"]:(($line->pa_ht == 0)?'':price($line->marge_tx)));
$margin_rate = (isset($_POST["np_marginRate"])?GETPOST("np_marginRate","alpha",2):(($line->pa_ht == 0)?'':price($line->marge_tx)));
// if credit note, dont allow to modify margin
if ($line->subprice < 0)
echo '<td align="right" class="nowrap margininfos">'.$margin_rate.'<span class="hideonsmartphone">%</span></td>';
@ -195,7 +195,7 @@ $coldisplay=-1; // We remove first td
}
elseif (! empty($conf->global->DISPLAY_MARK_RATES))
{
$mark_rate = (isset($_POST["np_markRate"])?$_POST["np_markRate"]:price($line->marque_tx));
$mark_rate = (isset($_POST["np_markRate"])?GETPOST("np_markRate",'alpha',2):price($line->marque_tx));
// if credit note, dont allow to modify margin
if ($line->subprice < 0)
echo '<td align="right" class="nowrap margininfos">'.$mark_rate.'<span class="hideonsmartphone">%</span></td>';

216
htdocs/expensereport/synchro_compta.php
View File

@ -1,216 +0,0 @@
<?php
/* Copyright (C) 2015 Laurent Destailleur <eldy@users.sourceforge.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
require '../main.inc.php';
require_once DOL_DOCUMENT_ROOT . '/compta/bank/class/account.class.php';
require_once DOL_DOCUMENT_ROOT . '/expensereport/class/expensereport.class.php';
$langs->load("companies");
$langs->load("users");
$langs->load("trips");
$langs->load("banks");
$idAccount=isset($_GET["account"])?$_GET["account"]:$_POST["account"];
if ($_GET["action"] == 'confirm_ndf_to_account' && $_GET["confirm"] == "yes"):
$idTrip = $_GET['idTrip'];
$expensereport = new ExpenseReport($db);
$expensereport->fetch($idTrip,$user);
$dateop = dol_mktime(12,0,0,$datePaiement[1],$datePaiement[2],$datePaiement[0]);
$operation = $expensereport->code_paiement;
$label = "Règlement ".$expensereport->ref;
$amount = - price2num($expensereport->total_ttc);
$num_chq = '';
$cat1 = '';
$user = new User($db);
$user->fetch($user->id);
$acct=new Account($db,$idAccount);
$insertid = $acct->addline($dateop, $operation, $label, $amount, $num_chq, $cat1, $user);
if ($insertid > 0):
$sql = " UPDATE ".MAIN_DB_PREFIX."expensereport as d";
$sql.= " SET integration_compta = 1, fk_bank_account = $idAccount";
$sql.= " WHERE rowid = $idTrip";
$resql=$db->query($sql);
if($result):
Header("Location: ".$_SERVER["PHP_SELF"]."?account=".$idAccount);
exit;
else:
dol_print_error($db);
endif;
else:
dol_print_error($db,$acct->error);
endif;
endif;
if ($_GET["action"] == 'confirm_account_to_ndf' && $_GET["confirm"] == "yes"):
$idTrip = $_GET['idTrip'];
$expensereport = new ExpenseReport($db);
$expensereport->fetch($idTrip,$user);
$sql = "DELETE FROM ".MAIN_DB_PREFIX."bank";
$sql.= " WHERE label LIKE '%".$expensereport->ref."%'";
$resql=$db->query($sql);
if ($resql > 0):
$sql = " UPDATE ".MAIN_DB_PREFIX."expensereport as d";
$sql.= " SET integration_compta = 0, fk_bank_account = 0";
$sql.= " WHERE rowid = $idTrip";
$resql=$db->query($sql);
if($result):
Header("Location: ".$_SERVER["PHP_SELF"]."?account=".$idAccount);
exit;
else:
dol_print_error($db);
endif;
else:
dol_print_error($db);
endif;
endif;
/*
* Actions
*/
llxHeader();
$html = new Form($db);
$submit = isset($_POST['submit'])?true:false;
$idAccount=isset($_GET["account"])?$_GET["account"]:$_POST["account"];
print load_fiche_titre($langs->trans("TripSynch"));
dol_fiche_head('');
if ($_GET["action"] == 'ndfTOaccount'):
$idTrip = $_GET['idTrip'];
$ret=$html->form_confirm($_SERVER["PHP_SELF"]."?idTrip=".$idTrip."&account=".$idAccount,$langs->trans("ndfToAccount"),$langs->trans("ConfirmNdfToAccount"),"confirm_ndf_to_account","","",1);
if ($ret == 'html') print '<br />';
endif;
if ($_GET["action"] == 'accountTOndf'):
$idTrip = $_GET['idTrip'];
$ret=$html->form_confirm($_SERVER["PHP_SELF"]."?idTrip=".$idTrip."&account=".$idAccount,$langs->trans("AccountToNdf"),$langs->trans("ConfirmAccountToNdf"),"confirm_account_to_ndf","","",1);
if ($ret == 'html') print '<br />';
endif;
if(empty($submit) && empty($idAccount)):
print "<form name='add' method=\"post\" action=\"synchro_compta.php\">";
print 'Choix du compte&nbsp;&nbsp;';
print $html->select_comptes($_POST['account'],'account',0,'',1);
print '&nbsp;<input type="submit" name="submit" class="button" value="'.$langs->trans("ViewAccountSynch").'">';
print "</form>";
else:
print "<form name='add' method=\"post\" action=\"synchro_compta.php\">";
print 'Choix du compte&nbsp;&nbsp;';
print $html->select_comptes($idAccount,'account',0,'',1);
print '&nbsp;<input type="submit" class="button" value="'.$langs->trans("ViewAccountSynch").'">';
print "</form>";
$sql = "SELECT d.fk_bank_account, d.ref, d.rowid, d.date_valid, d.fk_user_author, d.total_ttc, d.integration_compta, d.fk_statut";
$sql.= " ,CONCAT(u.firstname,' ',u.lastname) as declarant_NDF";
$sql.= " FROM ".MAIN_DB_PREFIX."expensereport as d";
$sql.= " INNER JOIN ".MAIN_DB_PREFIX."user as u ON d.fk_user_author = u.rowid";
$sql.= " WHERE d.fk_statut = 6";
$sql.= ' AND d.entity IN ('.getEntity('expensereport', 1).')';
$sql.= " ORDER BY d.date_valid DESC";
$resql=$db->query($sql);
if ($resql):
$num = $db->num_rows($resql); $i = 0;
if($num>0):
$account=new Account($db);
$account->fetch($idAccount);
print '<br>';
print "<table class='noborder' width='80%'>";
print '<tr class="liste_titre">';
print '<td>'.$langs->trans("Ref").'</td>';
print '<td>'.$langs->trans("DateValidation").'</td>';
print '<td>'.$langs->trans("USER_AUTHOR").'</td>';
print '<td align="center">'.$langs->trans("TotalTTC").'</td>';
print '<td align="center">Actions</td>';
print '<td>Compte</td>';
print '<td align="center">Int.</td>';
print '</tr>';
while($i<$num):
$objp = $db->fetch_object($resql);
$var=!$var;
print '<tr'. $bc[$var].'>';
print '<td>'.$objp->ref.'</td>';
print '<td>'.dol_print_date($db->jdate($objp->date_valid),'day').'</td>';
print '<td><a href="'.DOL_URL_ROOT.'/user/card.php?id='.$objp->fk_user_author.'">'.img_object($langs->trans("ShowUser"),"user").' '.$objp->declarant_NDF.'</a></td>';
print '<td align="center">'.$objp->total_ttc.' '.$langs->trans("EURO").'</td>';
if($objp->integration_compta)
{
print '<td align="center"><a href="synchro_compta.php?action=accountTOndf&idTrip='.$objp->rowid.'&account='.$idAccount.'"><img src="'.DOL_URL_ROOT.'/theme/'.$conf->theme.'/img/1leftarrow.png" style="border:0px;" alt="Compte vers NDF" title="Compte vers NDF"/></a></td>';
}
else
{
print '<td align="center"><a href="synchro_compta.php?action=ndfTOaccount&idTrip='.$objp->rowid.'&account='.$idAccount.'"><img src="'.DOL_URL_ROOT.'/theme/'.$conf->theme.'/img/1rightarrow.png" style="border:0px;" alt="NDF vers Compte" title="NDF vers Compte"/></a></td>';
}
print '<td>'.$account->label.'</td>';
if($objp->integration_compta)
{
print '<td align="center"><img src="'.DOL_URL_ROOT.'/theme/'.$conf->theme.'/img/tick.png" style="border:0px;" alt="Intégration OK" /></td>';
}
else
{
print '<td align="center"><img src="'.DOL_URL_ROOT.'/theme/'.$conf->theme.'/img/off.png" style="border:0px;" alt="Intégration Non OK" /></td>';
}
print "</tr>";
$i++;
endwhile;
print "</table>";
else:
print '<div class="error">'.$langs->trans("NoTripToSync").'</div>';
endif;
$db->free($resql);
else:
dol_print_error($db);
endif;
endif;
dol_fiche_end();
llxFooter();
$db->close();

31
htdocs/fourn/commande/orderstoinvoice.php
View File

@ -108,7 +108,7 @@ if (($action == 'create' || $action == 'add') && ! $error) {
$langs->load('products');
$langs->load('main');
if (isset($_GET['orders_to_invoice'])) {
$orders_id = $_GET['orders_to_invoice'];
$orders_id = GETPOST('orders_to_invoice','',1);
$n = count($orders_id);
$i = 0;
@ -116,7 +116,7 @@ if (($action == 'create' || $action == 'add') && ! $error) {
$_GET['originid'] = $orders_id[0];
}
if (isset($_POST['orders_to_invoice'])) {
$orders_id = $_POST['orders_to_invoice'];
$orders_id = GETPOST('orders_to_invoice','',1);
$nn = count($orders_id);
$ii = 0;
@ -149,10 +149,10 @@ if (($action == 'create' || $action == 'add') && ! $error) {
$datefacture = dol_mktime(date("h"), date("M"), 0, date("m"), date("d"), date("Y"));
}
if (! $error) {
$object->ref = $_POST['ref'];
$object->ref_supplier = $_POST['ref_supplier'];
$object->socid = $_POST['socid'];
$object->libelle = $_POST['libelle'];
$object->ref = GETPOST('ref');
$object->ref_supplier = GETPOST('ref_supplier');
$object->socid = GETPOST('socid','int');
$object->libelle = GETPOST('libelle');
$object->date = $datefacture;
$object->date_echeance = $datedue;
$object->note_public = GETPOST('note_public');
@ -178,7 +178,7 @@ if (($action == 'create' || $action == 'add') && ! $error) {
foreach ( $orders_id as $origin => $origin_id ) {
$origin_id = (! empty($origin_id) ? $origin_id : $orders_id[$ii]);
$object->add_object_linked($_POST['origin'], $origin_id);
$object->add_object_linked(GETPOST('origin'), $origin_id);
}
while ( $ii < $nn ) {
@ -321,7 +321,7 @@ if ($action == 'create' && !$error) {
print '<tr><td class="fieldrequired">' . $langs->trans('Ref') . '</td><td colspan="2">' . $langs->trans('Draft') . '</td></tr>';
// Ref supplier
print '<tr><td class="fieldrequired">' . $langs->trans('RefSupplier') . '</td><td><input name="ref_supplier" value="' . (isset($_POST['ref_supplier']) ? $_POST['ref_supplier'] : '') . '" type="text"></td>';
print '<tr><td class="fieldrequired">' . $langs->trans('RefSupplier') . '</td><td><input name="ref_supplier" value="' . dol_escape_htmltag(isset($_POST['ref_supplier']) ? GETPOST('ref_supplier','alpha', 2) : '') . '" type="text"></td>';
print '</tr>';
// Third party
@ -387,7 +387,7 @@ if ($action == 'create' && !$error) {
print '<tr>';
print '<td class="border" valign="top">' . $langs->trans('NotePublic') . '</td>';
print '<td valign="top" colspan="2">';
print '<textarea name="note_public" wrap="soft" cols="70" rows="' . ROWS_3 . '">';
print '<textarea name="note_public" wrap="soft" class="quatrevingtpercent" rows="' . ROWS_3 . '">';
print $langs->trans("Orders") . ": " . implode(', ', $listoforders);
@ -422,7 +422,7 @@ if ($action == 'create' && !$error) {
if (($action != 'create' && $action != 'add') && !$error) {
llxHeader();
?>
<script type="text/javascript">
<script type="text/javascript">
jQuery(document).ready(function() {
jQuery("#checkall").click(function() {
jQuery(".checkformerge").prop('checked', true);
@ -456,10 +456,10 @@ if (($action != 'create' && $action != 'add') && !$error) {
if (! $user->rights->societe->client->voir && ! $socid)
$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = " . $user->id;
if ($sref) {
$sql .= " AND c.ref LIKE '%" . $db->escape($sref) . "%'";
$sql .= natural_search("c.ref", $sref);
}
if ($sall) {
$sql .= " AND (c.ref LIKE '%" . $db->escape($sall) . "%' OR c.note LIKE '%" . $db->escape($sall) . "%')";
$sql .= natural_search(array("c.ref","c.note"), $sall);
}
// Date filter
@ -469,7 +469,7 @@ if (($action != 'create' && $action != 'add') && !$error) {
$sql .= " AND c.date_livraison >= '" . $db->idate($date_starty) . "' AND c.date_livraison <= '" . $db->idate($date_endy) . "'";
if (! empty($sref_client)) {
$sql .= ' AND c.ref_supplier LIKE \'%' . $db->escape($sref_client) . '%\'';
$sql .= natural_search('c.ref_supplier', $sref_client);
}
$sql .= ' ORDER BY ' . $sortfield . ' ' . $sortorder;
dol_syslog('fourn/commande/ordertoinvoice.php sql=' . $sql);
@ -495,7 +495,7 @@ if (($action != 'create' && $action != 'add') && !$error) {
print '<h3>' . $companystatic->getNomUrl(1, 'customer') . '</h3>';
}
print '<form method="get" action="orderstoinvoice.php">';
print '<form name="orders2invoice" method="GET" action="orderstoinvoice.php">';
print '<input type="hidden" name="socid" value="' . $socid . '">';
print '<table class="noborder" width="100%">';
print '<tr class="liste_titre">';
@ -541,7 +541,6 @@ if (($action != 'create' && $action != 'add') && !$error) {
print '</td></tr>';
print '<form name="orders2invoice" action="orderstoinvoice.php" method="GET">';
$var = True;
$generic_commande = new CommandeFournisseur($db);
@ -607,7 +606,9 @@ if (($action != 'create' && $action != 'add') && !$error) {
print '<input type="submit" class="butAction" value="' . $langs->trans("GenerateBill") . '">';
print '</div>';
print '</div>';
print '</form>';
$db->free($resql);
} else {
print dol_print_error($db);

20
htdocs/fourn/facture/card.php
View File

@ -386,13 +386,13 @@ if (empty($reshook))
if (! $error) {
// This is a replacement invoice
$result = $object->fetch($_POST['fac_replacement']);
$result = $object->fetch(GETPOST('fac_replacement'),'int');
$object->fetch_thirdparty();
$object->ref = $_POST['ref'];
$object->ref_supplier = $_POST['ref_supplier'];
$object->socid = $_POST['socid'];
$object->libelle = $_POST['label'];
$object->ref = GETPOST('ref');
$object->ref_supplier = GETPOST('ref_supplier','alpha');
$object->socid = GETPOST('socid','int');
$object->libelle = GETPOST('label');
$object->date = $datefacture;
$object->date_echeance = $datedue;
$object->note_public = GETPOST('note_public');
@ -407,7 +407,7 @@ if (empty($reshook))
$object->multicurrency_tx = GETPOST('originmulticurrency_tx', 'int');
// Proprietes particulieres a facture de remplacement
$object->fk_facture_source = $_POST['fac_replacement'];
$object->fk_facture_source = GETPOST('fac_replacement');
$object->type = FactureFournisseur::TYPE_REPLACEMENT;
$id = $object->createFromCurrent($user);
@ -586,7 +586,7 @@ if (empty($reshook))
if (! $error && $_POST['origin'] && $_POST['originid'])
{
// Parse element/subelement (ex: project_task)
$element = $subelement = $_POST['origin'];
$element = $subelement = GETPOST('origin');
/*if (preg_match('/^([^_]+)_([^_]+)/i',$_POST['origin'],$regs))
{
$element = $regs[1];
@ -610,8 +610,8 @@ if (empty($reshook))
{
$element = 'projet';
}
$object->origin = $_POST['origin'];
$object->origin_id = $_POST['originid'];
$object->origin = GETPOST('origin');
$object->origin_id = GETPOST('originid');
$id = $object->create($user);
@ -623,7 +623,7 @@ if (empty($reshook))
if ($classname == 'Fournisseur.commande') $classname='CommandeFournisseur';
$srcobject = new $classname($db);
$result=$srcobject->fetch($_POST['originid']);
$result=$srcobject->fetch(GETPOST('originid','int'));
if ($result > 0)
{
$lines = $srcobject->lines;

11
htdocs/societe/checkvat/checkVatPopup.php
View File

@ -1,5 +1,5 @@
<?php
/* Copyright (C) 2006-2010 Laurent Destailleur <eldy@users.sourceforge.net>
/* Copyright (C) 2006-2016 Laurent Destailleur <eldy@users.sourceforge.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -41,17 +41,18 @@ print '<div>';
print load_fiche_titre($langs->trans("VATIntraCheckableOnEUSite"),'','title_setup');
$vatNumber = GETPOST("vatNumber",'alpha');
if (! $_REQUEST["vatNumber"])
if (! $vatNumber)
{
print '<br>';
print '<font class="error">'.$langs->transnoentities("ErrorFieldRequired",$langs->trans("VATIntraShort")).'</font><br>';
}
else
{
$_REQUEST["vatNumber"] = preg_replace('/\^\w/', '', $_REQUEST["vatNumber"]);
$countryCode=substr($_REQUEST["vatNumber"],0,2);
$vatNumber=substr($_REQUEST["vatNumber"],2);
$vatNumber = preg_replace('/\^\w/', '', $vatNumber);
$countryCode=substr($vatNumber,0,2);
$vatNumber=substr($vatNumber,2);
print '<b>'.$langs->trans("Country").'</b>: '.$countryCode.'<br>';
print '<b>'.$langs->trans("VATIntraShort").'</b>: '.$vatNumber.'<br>';

2
htdocs/societe/rib.php
View File

@ -330,7 +330,7 @@ if ($socid && $action == 'edit' && $user->rights->societe->creer)
print '<form action="rib.php?socid='.$object->id.'" method="post">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="update">';
print '<input type="hidden" name="id" value="'.$_GET["id"].'">';
print '<input type="hidden" name="id" value="'.GETPOST("id","int").'">';
}
if ($socid && $action == 'create' && $user->rights->societe->creer)
{

2
htdocs/user/bank.php
View File

@ -117,7 +117,7 @@ if ($id && $action == 'edit' && $user->rights->user->user->creer)
print '<form action="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'" method="post">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="update">';
print '<input type="hidden" name="id" value="'.$_GET["id"].'">';
print '<input type="hidden" name="id" value="'.GETPOST("id",'int').'">';
}
if ($id && $action == 'create' && $user->rights->user->user->creer)
{

2
htdocs/user/notify/card.php
View File

@ -108,7 +108,7 @@ if ($action == 'add')
// Remove a notification
if ($action == 'delete')
{
$sql = "DELETE FROM ".MAIN_DB_PREFIX."notify_def where rowid=".$_GET["actid"];
$sql = "DELETE FROM ".MAIN_DB_PREFIX."notify_def where rowid=".GETPOST("actid","int");
$db->query($sql);
}