diff --git a/htdocs/accountancy/admin/journals_list.php b/htdocs/accountancy/admin/journals_list.php
index 7f000290e1c..de6b8374c2a 100644
--- a/htdocs/accountancy/admin/journals_list.php
+++ b/htdocs/accountancy/admin/journals_list.php
@@ -165,45 +165,19 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) {
// Check that all fields are filled
$ok = 1;
- foreach ($listfield as $f => $value) {
- if ($fieldnamekey == 'libelle' || ($fieldnamekey == 'label')) {
- $fieldnamekey = 'Label';
- }
- if ($fieldnamekey == 'code') {
- $fieldnamekey = 'Code';
- }
- if ($fieldnamekey == 'nature') {
- $fieldnamekey = 'NatureOfJournal';
- }
- }
+
// Other checks
if (GETPOSTISSET("code")) {
if (GETPOST("code") == '0') {
$ok = 0;
setEventMessages($langs->transnoentities('ErrorCodeCantContainZero'), null, 'errors');
}
- /*if (!is_numeric($_POST['code'])) // disabled, code may not be in numeric base
- {
- $ok = 0;
- $msg .= $langs->transnoentities('ErrorFieldFormat', $langs->transnoentities('Code')).'
';
- }*/
}
if (!GETPOST('label', 'alpha')) {
setEventMessages($langs->transnoentities("ErrorFieldRequired", $langs->transnoentitiesnoconv("Label")), null, 'errors');
$ok = 0;
}
- // Clean some parameters
- if ($_POST["accountancy_code"] <= 0) {
- $_POST["accountancy_code"] = ''; // If empty, we force to null
- }
- if ($_POST["accountancy_code_sell"] <= 0) {
- $_POST["accountancy_code_sell"] = ''; // If empty, we force to null
- }
- if ($_POST["accountancy_code_buy"] <= 0) {
- $_POST["accountancy_code_buy"] = ''; // If empty, we force to null
- }
-
// Si verif ok et action add, on ajoute la ligne
if ($ok && GETPOST('actionadd', 'alpha')) {
if ($tabrowid[$id]) {
@@ -235,16 +209,13 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) {
}
$i = 0;
foreach ($listfieldinsert as $f => $value) {
- if ($value == 'entity') {
- $_POST[$listfieldvalue[$i]] = $conf->entity;
- }
if ($i) {
$sql .= ",";
}
- if ($_POST[$listfieldvalue[$i]] == '') {
+ if (GETPOST($listfieldvalue[$i]) == '') {
$sql .= "null"; // For vat, we want/accept code = ''
} else {
- $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'";
+ $sql .= "'".$db->escape(GETPOST($listfieldvalue[$i]))."'";
}
$i++;
}
@@ -254,7 +225,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) {
$result = $db->query($sql);
if ($result) { // Add is ok
setEventMessages($langs->transnoentities("RecordSaved"), null, 'mesgs');
- $_POST = array('id'=>$id); // Clean $_POST array, we keep only
+ $_POST = array('id'=>$id); // Clean $_POST array, we keep only id
} else {
if ($db->errno() == 'DB_ERROR_RECORD_ALREADY_EXISTS') {
setEventMessages($langs->transnoentities("ErrorRecordAlreadyExists"), null, 'errors');
@@ -281,24 +252,15 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) {
}
$i = 0;
foreach ($listfieldmodify as $field) {
- if ($field == 'price' || preg_match('/^amount/i', $field) || $field == 'taux') {
- $_POST[$listfieldvalue[$i]] = price2num($_POST[$listfieldvalue[$i]], 'MU');
- } elseif ($field == 'entity') {
- $_POST[$listfieldvalue[$i]] = $conf->entity;
- }
if ($i) {
$sql .= ",";
}
- $sql .= $field."=";
- if ($_POST[$listfieldvalue[$i]] == '' && !($listfieldvalue[$i] == 'code' && $id == 10)) {
- $sql .= "null"; // For vat, we want/accept code = ''
- } else {
- $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'";
- }
+ $sql .= $field." = ";
+ $sql .= "'".$db->escape(GETPOST($listfieldvalue[$i]))."'";
$i++;
}
$sql .= " WHERE ".$rowidcol." = ".((int) $rowid);
- $sql .= " AND entity = ".$conf->entity;
+ $sql .= " AND entity = ".((int) $conf->entity);
dol_syslog("actionmodify", LOG_DEBUG);
//print $sql;
@@ -323,7 +285,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') { // delete
}
$sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = ".((int) $rowid);
- $sql .= " AND entity = ".$conf->entity;
+ $sql .= " AND entity = ".((int) $conf->entity);
dol_syslog("delete", LOG_DEBUG);
$result = $db->query($sql);
@@ -410,7 +372,7 @@ if ($action == 'delete') {
if ($id) {
// Complete requete recherche valeurs avec critere de tri
$sql = $tabsql[$id];
- $sql .= " WHERE a.entity = ".$conf->entity;
+ $sql .= " WHERE a.entity = ".((int) $conf->entity);
// If sort order is "country", we use country_code instead
if ($sortfield == 'country') {
@@ -510,7 +472,7 @@ if ($id) {
$num = $db->num_rows($resql);
$i = 0;
- $param = '&id='.$id;
+ $param = '&id='.((int) $id);
if ($search_country_id > 0) {
$param .= '&search_country_id='.urlencode($search_country_id);
}
@@ -635,7 +597,7 @@ if ($id) {
$class = 'tddict';
// Show value for field
if ($showfield) {
- print ''.$valuetoshow.' | ';
+ print ''.dol_escape_htmltag($valuetoshow).' | ';
}
}
}
diff --git a/htdocs/admin/system/filecheck.php b/htdocs/admin/system/filecheck.php
index 1f183e1b730..10edae1a24b 100644
--- a/htdocs/admin/system/filecheck.php
+++ b/htdocs/admin/system/filecheck.php
@@ -416,7 +416,7 @@ if (empty($error) && !empty($xml)) {
$outexpectedchecksum = ($checksumtoget ? $checksumtoget : $langs->trans("Unknown"));
if ($checksumget == $checksumtoget) {
- if (count($file_list['added'])) {
+ if (is_array($file_list['added']) && count($file_list['added'])) {
$resultcode = 'warning';
$resultcomment = 'FileIntegrityIsOkButFilesWereAdded';
$outcurrentchecksum = $checksumget.' - '.$langs->trans($resultcomment).'';
diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php
index 0a4455239bb..60382cc4906 100644
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@@ -2430,10 +2430,10 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
}
$original_file = $conf->fournisseur->facture->dir_output.'/'.$original_file;
} elseif (($modulepart == 'holiday') && !empty($conf->holiday->dir_output)) {
- if ($fuser->rights->holiday->{$read} || preg_match('/^specimen/i', $original_file)) {
+ if ($fuser->rights->holiday->{$read} || !empty($fuser->rights->holiday->readall) || preg_match('/^specimen/i', $original_file)) {
$accessallowed = 1;
// If we known $id of holiday, call checkUserAccessToObject to check permission on properties and hierarchy of leave request
- if ($refname && !preg_match('/^specimen/i', $original_file)) {
+ if ($refname && empty($fuser->rights->holiday->readall) && !preg_match('/^specimen/i', $original_file)) {
include_once DOL_DOCUMENT_ROOT.'/holiday/class/holiday.class.php';
$tmpholiday = new Holiday($db);
$tmpholiday->fetch('', $refname);
@@ -2442,10 +2442,10 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
}
$original_file = $conf->holiday->dir_output.'/'.$original_file;
} elseif (($modulepart == 'expensereport') && !empty($conf->expensereport->dir_output)) {
- if ($fuser->rights->expensereport->{$lire} || preg_match('/^specimen/i', $original_file)) {
+ if ($fuser->rights->expensereport->{$lire} || !empty($fuser->rights->expensereport->readall) || preg_match('/^specimen/i', $original_file)) {
$accessallowed = 1;
// If we known $id of expensereport, call checkUserAccessToObject to check permission on properties and hierarchy of expense report
- if ($refname && !preg_match('/^specimen/i', $original_file)) {
+ if ($refname && empty($fuser->rights->expensereport->readall) && !preg_match('/^specimen/i', $original_file)) {
include_once DOL_DOCUMENT_ROOT.'/expensereport/class/expensereport.class.php';
$tmpexpensereport = new ExpenseReport($db);
$tmpexpensereport->fetch('', $refname);
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 9f9659e292f..624c7bd6e73 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -533,7 +533,10 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"]) ? '' : $_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused by CSRF protection (invalid token), so we disable POST and some GET parameters - referer=".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action', 'aZ09').", _GET|POST['token']=".GETPOST('token', 'alpha').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING);
//print 'Unset POST by CSRF protection in main.inc.php.'; // Do not output anything because this create problems when using the BACK button on browsers.
setEventMessages('SecurityTokenHasExpiredSoActionHasBeenCanceledPleaseRetry', null, 'warnings');
- if (isset($_POST['id'])) $savid = ((int) $_POST['id']);
+ $savid = null;
+ if (isset($_POST['id'])) {
+ $savid = ((int) $_POST['id']);
+ }
unset($_POST);
//unset($_POST['action']); unset($_POST['massaction']);
//unset($_POST['confirm']); unset($_POST['confirmmassaction']);
@@ -541,7 +544,10 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
unset($_GET['action']);
unset($_GET['confirmmassaction']);
unset($_GET['massaction']);
- if (isset($savid)) $_POST['id'] = ((int) $savid);
+ unset($_GET['token']); // TODO Make a redirect if we have a token in url to remove it ?
+ if (isset($savid)) {
+ $_POST['id'] = ((int) $savid);
+ }
}
// Note: There is another CSRF protection into the filefunc.inc.php
diff --git a/htdocs/webservices/server_supplier_invoice.php b/htdocs/webservices/server_supplier_invoice.php
index 926fa8f6418..1581d569f27 100644
--- a/htdocs/webservices/server_supplier_invoice.php
+++ b/htdocs/webservices/server_supplier_invoice.php
@@ -350,8 +350,8 @@ function getSupplierInvoicesForThirdParty($authentication, $idthirdparty)
if (!$error) {
$linesinvoice = array();
- $sql .= "SELECT f.rowid as facid";
- $sql .= " FROM '.MAIN_DB_PREFIX.'facture_fourn as f";
+ $sql = "SELECT f.rowid as facid";
+ $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn as f";
$sql .= " WHERE f.entity = ".((int) $conf->entity);
if ($idthirdparty != 'all') {
$sql .= " AND f.fk_soc = ".((int) $idthirdparty);
diff --git a/htdocs/website/index.php b/htdocs/website/index.php
index 7765d963d8f..9d2de205f3a 100644
--- a/htdocs/website/index.php
+++ b/htdocs/website/index.php
@@ -3517,7 +3517,7 @@ if ($action == 'createsite') {
$siteref = $sitedesc = $sitelang = $siteotherlang = '';
if (GETPOST('WEBSITE_REF')) {
- $siteref = GETPOST('WEBSITE_REF', 'alpha');
+ $siteref = GETPOST('WEBSITE_REF', 'aZ09');
}
if (GETPOST('WEBSITE_DESCRIPTION')) {
$sitedesc = GETPOST('WEBSITE_DESCRIPTION', 'alpha');