From 669fef00147476b5ed8e96de393778e841c8a35b Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Thu, 24 Feb 2011 18:36:27 +0000
Subject: [PATCH] Fix: compatibility with pgsql, replace all addslashes in particular files

---
 htdocs/comm/propal.php | 14 +++++++-------
 .../includes/modules/mailings/fraise.modules.php | 3 ++-
 htdocs/main.inc.php | 2 +-
 3 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/htdocs/comm/propal.php b/htdocs/comm/propal.php
index 5950a36ba3e..6937f1afe04 100644
--- a/htdocs/comm/propal.php
+++ b/htdocs/comm/propal.php
@@ -1652,8 +1652,8 @@ else
 $pageprev = $page - 1;
 $pagenext = $page + 1;
- $viewstatut=addslashes($_GET['viewstatut']);
- $object_statut = addslashes($_GET['propal_statut']);
+ $viewstatut=$db->escape($_GET['viewstatut']);
+ $object_statut = $db->escape($_GET['propal_statut']);
 if($object_statut != '') $viewstatut=$object_statut;
@@ -1679,17 +1679,17 @@ else
 }
 if (!empty($_GET['search_ref']))
 {
- $sql.= " AND p.ref LIKE '%".addslashes($_GET['search_ref'])."%'";
+ $sql.= " AND p.ref LIKE '%".$db->escape($_GET['search_ref'])."%'";
 }
 if (!empty($_GET['search_societe']))
 {
- $sql.= " AND s.nom LIKE '%".addslashes($_GET['search_societe'])."%'";
+ $sql.= " AND s.nom LIKE '%".$db->escape($_GET['search_societe'])."%'";
 }
 if (!empty($_GET['search_montant_ht']))
 {
- $sql.= " AND p.total_ht='".addslashes($_GET['search_montant_ht'])."'";
+ $sql.= " AND p.total_ht='".$db->escape($_GET['search_montant_ht'])."'";
 }
- if ($sall) $sql.= " AND (s.nom like '%".addslashes($sall)."%' OR p.note like '%".addslashes($sall)."%' OR pd.description like '%".addslashes($sall)."%')";
+ if ($sall) $sql.= " AND (s.nom like '%".$db->escape($sall)."%' OR p.note like '%".$db->escape($sall)."%' OR pd.description like '%".$db->escape($sall)."%')";
 if ($socid) $sql.= ' AND s.rowid = '.$socid;
 if ($viewstatut <> '')
 {
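Review bot: Escaping `$_GET['viewstatut']` and `$_GET['propal_statut']` at read time stores SQL-quoted text in variables that are also compared here (`if($object_statut != '')`) and, as far as can be inferred, reused outside SQL later in the enclosing `else` block, which starts before and ends after the hunk. A value such as `O'Reilly` would then compare and render with a stray backslash or a doubled quote depending on the driver. Keep the raw value at this point and escape (or, if the status column is numeric, cast with `(int)`) only where it is interpolated into `$sql`, e.g. `$viewstatut = isset($_GET['viewstatut']) ? $_GET['viewstatut'] : '';`. The `isset` guard also avoids the undefined-index notice when the parameter is absent.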
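Review bot: `$db->escape()` neutralises quotes but not the `%` and `_` LIKE metacharacters, so the search_ref, search_societe and `$sall` values (and `sf_ref` in the `@@ -1708` hunk below) still act as wildcards inside `LIKE '%…%'`; if a literal substring match is intended, escape those two characters with the driver's LIKE escape sequence before the call, or move to a bound parameter. On the `p.total_ht='…'` line the amount is compared as a quoted string; validating it as a number first (e.g. `is_numeric()` and interpolating the float) keeps the comparison numeric and removes the need to escape there at all. The unchanged `$socid` context line interpolates without any escaping; it is outside this change, but an `(int)` cast would fit the same pass.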
@@ -1708,7 +1708,7 @@ else
 }
 if (dol_strlen($_POST['sf_ref']) > 0)
 {
- $sql.= " AND p.ref like '%".addslashes($_POST["sf_ref"]) . "%'";
+ $sql.= " AND p.ref like '%".$db->escape($_POST["sf_ref"]) . "%'";
 }
 $sql.= ' ORDER BY '.$sortfield.' '.$sortorder.', p.ref DESC';
diff --git a/htdocs/includes/modules/mailings/fraise.modules.php b/htdocs/includes/modules/mailings/fraise.modules.php
index b2b62814bc1..ebef6d060fc 100644
--- a/htdocs/includes/modules/mailings/fraise.modules.php
+++ b/htdocs/includes/modules/mailings/fraise.modules.php
@@ -58,12 +58,13 @@ class mailing_fraise extends MailingTargets
 function getSqlArrayForStats()
 {
 global $langs;
+ $langs->load("members");
 // Array for requests for statistics board
 $statssql=array();
- $statssql[0] ="SELECT '".addslashes($langs->trans("FundationMembers"))."' as label, count(*) as nb";
+ $statssql[0] ="SELECT '".$this->db->escape($langs->trans("FundationMembers"))."' as label, count(*) as nb";
 $statssql[0].=" FROM ".MAIN_DB_PREFIX."adherent where statut = 1";
 return $statssql;
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 280257f608f..323af9a6e61 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -46,7 +46,7 @@ if (! empty($_SERVER['DOL_TUNING']))
 // Forcing parameter setting magic_quotes_gpc and cleaning parameters
 // (Otherwise he would have for each position, condition
 // Reading stripslashes variable according to state get_magic_quotes_gpc).
-// Off mode (recommended, you just do addslashes when an insert / update.
+// Off mode (recommended, you just do $db->escape when an insert / update.
 function stripslashes_deep($value)
 {
 return (is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value));
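Review bot: `getSqlArrayForStats()` has no docblock, and the new `$this->db->escape()` call assumes `$this->db` is populated on this MailingTargets subclass (presumably by the parent constructor; not visible in the hunk). Add above the signature: `/** Build the SQL statements shown on the statistics board. @return array list of SQL strings, one per statistics row */`. Since `$langs->load("members")` now runs on every call, loading that language file once in the class constructor, if there is one, would avoid the repeated work. The method's closing brace lies outside the hunk.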
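Review bot: The reworded comment on the `+` line still lacks its closing parenthesis and reads awkwardly; suggest `// Off mode (recommended): just call $db->escape() when building an insert/update.` so the recommendation names the call used in the rest of this commit. `stripslashes_deep` itself is unchanged and its body ends outside the hunk.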