FIX SQL injection on qty

2019-09-24 12:43:44 +02:00 · 2019-09-24 12:43:44 +02:00 · 6431e8e16d
commit 6431e8e16d
parent d22a1e2571
4 changed files with 15 additions and 11 deletions
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@ -4437,7 +4437,9 @@ function price($amount, $form = 0, $outlangs = '', $trunc = 1, $rounding = -1, $
 *									'MS'=Round to Max for stock quantity (MAIN_MAX_DECIMALS_STOCK)
 *									Numeric = Nb of digits for rounding
 * 	@param	int		$alreadysqlnb	Put 1 if you know that content is already universal format number
- *	@return	string					Amount with universal numeric format (Example: '99.99999') or unchanged text if conversion fails. If amount is null or '', it returns ''.
+ *	@return	string					Amount with universal numeric format (Example: '99.99999').
+ *									If conversion fails, it return text unchanged if $rounding = '' or '0' if $rounding is defined.
+ *									If amount is null or '', it returns '' if $rounding = '' or '0' if $rounding is defined..
 *
 *	@see    price()					Opposite function of price2num
 */
--- a/htdocs/fourn/class/fournisseur.product.class.php
+++ b/htdocs/fourn/class/fournisseur.product.class.php
@ -207,7 +207,7 @@ class ProductFournisseur extends Product
    /**
     *    Modify the purchase price for a supplier
     *
-     *    @param  	int			$qty				            Min quantity for which price is valid
+     *    @param  	float		$qty				            Min quantity for which price is valid
     *    @param  	float		$buyprice			            Purchase price for the quantity min
     *    @param  	User		$user				            Object user user made changes
     *    @param  	string		$price_base_type	            HT or TTC
@ -230,7 +230,7 @@ class ProductFournisseur extends Product
     *    @param  	string		$desc_fourn     	            Custom description for product_fourn_price
     *    @param  	string		$barcode     	                Barcode
     *    @param  	int		    $fk_barcode_type     	        Barcode type
-     *    @return	int								<0 if KO, >=0 if OK
+     *    @return	int											<0 if KO, >=0 if OK
     */
    public function update_buyprice($qty, $buyprice, $user, $price_base_type, $fourn, $availability, $ref_fourn, $tva_tx, $charges = 0, $remise_percent = 0, $remise = 0, $newnpr = 0, $delivery_time_days = 0, $supplier_reputation = '', $localtaxes_array = array(), $newdefaultvatcode = '', $multicurrency_buyprice = 0, $multicurrency_price_base_type = 'HT', $multicurrency_tx = 1, $multicurrency_code = '', $desc_fourn = '', $barcode = '', $fk_barcode_type = '')
    {
@ -272,11 +272,10 @@ class ProductFournisseur extends Product

        $buyprice=price2num($buyprice, 'MU');
 		$charges=price2num($charges, 'MU');
-        $qty=price2num($qty);
- 		$error=0;
-
+        $qty=price2num($qty, 'MS');
 		$unitBuyPrice = price2num($buyprice/$qty, 'MU');

+		$error=0;
 		$now=dol_now();

 		$newvat = $tva_tx;
@ -331,7 +330,7 @@ class ProductFournisseur extends Product
 			$sql.= " SET fk_user = " . $user->id." ,";
            $sql.= " ref_fourn = '" . $this->db->escape($ref_fourn) . "',";
            $sql.= " desc_fourn = '" . $this->db->escape($desc_fourn) . "',";
-			$sql.= " price = ".price2num($buyprice).",";
+			$sql.= " price = ".$buyprice.",";
 			$sql.= " quantity = ".$qty.",";
 			$sql.= " remise_percent = ".$remise_percent.",";
 			$sql.= " remise = ".$remise.",";
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
@ -3437,7 +3437,7 @@ class Product extends CommonObject
     * @param  int    $id_fourn  Supplier id
     * @param  string $ref_fourn Supplier ref
     * @param  float  $quantity  Quantity minimum for price
-     * @return int                 < 0 if KO, 0 if link already exists for this product, > 0 if OK
+     * @return int               < 0 if KO, 0 if link already exists for this product, > 0 if OK
     */
    public function add_fournisseur($user, $id_fourn, $ref_fourn, $quantity)
    {
@ -3448,6 +3448,9 @@ class Product extends CommonObject

        dol_syslog(get_class($this)."::add_fournisseur id_fourn = ".$id_fourn." ref_fourn=".$ref_fourn." quantity=".$quantity, LOG_DEBUG);

+        // Clean parameters
+        $quantity = price2num($quantity, 'MS');
+
        if ($ref_fourn) {
            $sql = "SELECT rowid, fk_product";
            $sql.= " FROM ".MAIN_DB_PREFIX."product_fournisseur_price";
@ -3474,7 +3477,7 @@ class Product extends CommonObject
        if ($ref_fourn) { $sql.= " AND ref_fourn = '".$this->db->escape($ref_fourn)."'";
        } else { $sql.= " AND (ref_fourn = '' OR ref_fourn IS NULL)";
        }
-        $sql.= " AND quantity = '".$quantity."'";
+        $sql.= " AND quantity = ".$quantity;
        $sql.= " AND fk_product = ".$this->id;
        $sql.= " AND entity IN (".getEntity('productsupplierprice').")";

--- a/htdocs/product/fournisseurs.php
+++ b/htdocs/product/fournisseurs.php
@ -154,7 +154,7 @@ if (empty($reshook))
 		if (empty($ref_fourn)) $ref_fourn=GETPOST("search_ref_fourn");
 		$ref_fourn_old=GETPOST("ref_fourn_old");
 		if (empty($ref_fourn_old)) $ref_fourn_old = $ref_fourn;
-		$quantity=GETPOST("qty");
+		$quantity=price2num(GETPOST("qty", 'nohtml'), 'MS');
 		$remise_percent=price2num(GETPOST('remise_percent', 'alpha'));
 		$npr = preg_match('/\*/', $_POST['tva_tx']) ? 1 : 0 ;
 		$tva_tx = str_replace('*', '', GETPOST('tva_tx', 'alpha'));
@ -481,7 +481,7 @@ if ($id > 0 || $ref)
 				print '<tr>';
 				print '<td class="fieldrequired">'.$langs->trans("QtyMin").'</td>';
 				print '<td>';
-				$quantity = GETPOST('qty') ? GETPOST('qty') : "1";
+				$quantity = GETPOSTISSET('qty') ? price2num(GETPOST('qty', 'nohtml'), 'MS') : "1";
 				if ($rowid)
 				{
 					print '<input type="hidden" name="qty" value="'.$object->fourn_qty.'">';