diff --git a/htdocs/accountancy/admin/account.php b/htdocs/accountancy/admin/account.php
index 7ee9844ce63..de8fd9a8cd6 100644
--- a/htdocs/accountancy/admin/account.php
+++ b/htdocs/accountancy/admin/account.php
@@ -230,8 +230,8 @@ if (strlen(trim($search_account))) {
$search_account_tmp_clean = preg_replace('/^\^/', '', $search_account_tmp);
$search_account_clean = preg_replace('/^\^/', '', $search_account);
}
- $sql .= " AND (aa.account_number LIKE '".$startchar.$search_account_tmp_clean."'";
- $sql .= " OR aa.account_number LIKE '".$startchar.$search_account_clean."%')";
+ $sql .= " AND (aa.account_number LIKE '".$db->escape($startchar.$search_account_tmp_clean)."'";
+ $sql .= " OR aa.account_number LIKE '".$db->escape($startchar.$search_account_clean)."%')";
} else $sql .= natural_search("aa.account_number", $search_account_tmp);
}
}
@@ -264,14 +264,14 @@ if ($resql)
$num = $db->num_rows($resql);
$param = '';
- if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param .= '&contextpage='.$contextpage;
- if ($limit > 0 && $limit != $conf->liste_limit) $param .= '&limit='.$limit;
+ if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param .= '&contextpage='.urlencode($contextpage);
+ if ($limit > 0 && $limit != $conf->liste_limit) $param .= '&limit='.urlencode($limit);
if ($search_account) $param .= '&search_account='.urlencode($search_account);
if ($search_label) $param .= '&search_label='.urlencode($search_label);
if ($search_labelshort) $param .= '&search_labelshort='.urlencode($search_labelshort);
if ($search_accountparent > 0 || $search_accountparent == '0') $param .= '&search_accountparent='.urlencode($search_accountparent);
if ($search_pcgtype) $param .= '&search_pcgtype='.urlencode($search_pcgtype);
- if ($optioncss != '') $param .= '&optioncss='.$optioncss;
+ if ($optioncss != '') $param .= '&optioncss='.urlencode($optioncss);
if (!empty($conf->use_javascript_ajax))
{
diff --git a/htdocs/accountancy/admin/accountmodel.php b/htdocs/accountancy/admin/accountmodel.php
index 9794198332e..be3b49e41c1 100644
--- a/htdocs/accountancy/admin/accountmodel.php
+++ b/htdocs/accountancy/admin/accountmodel.php
@@ -280,7 +280,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha'))
else $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'";
$i++;
}
- $sql .= " WHERE ".$rowidcol." = '".$rowid."'";
+ $sql .= " WHERE ".$rowidcol." = ".((int) $rowid);
dol_syslog("actionmodify", LOG_DEBUG);
//print $sql;
@@ -302,7 +302,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete
{
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
- $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol."='".$rowid."'";
+ $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = ".((int) $rowid);
dol_syslog("delete", LOG_DEBUG);
$result = $db->query($sql);
@@ -323,9 +323,9 @@ if ($action == $acts[0])
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
if ($rowid) {
- $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'";
+ $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = ".((int) $rowid);
} elseif ($code) {
- $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'";
+ $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$db->escape($code)."'";
}
$result = $db->query($sql);
@@ -341,9 +341,9 @@ if ($action == $acts[1])
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
if ($rowid) {
- $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'";
+ $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = ".((int) $rowid);
} elseif ($code) {
- $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'";
+ $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$db->escape($code)."'";
}
$result = $db->query($sql);
@@ -359,9 +359,9 @@ if ($action == 'activate_favorite')
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
if ($rowid) {
- $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol."='".$rowid."'";
+ $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = ".((int) $rowid);
} elseif ($code) {
- $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$code."'";
+ $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$db->escape($code)."'";
}
$result = $db->query($sql);
@@ -377,9 +377,9 @@ if ($action == 'disable_favorite')
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
if ($rowid) {
- $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol."='".$rowid."'";
+ $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = ".((int) $rowid);
} elseif ($code) {
- $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$code."'";
+ $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$db->escape($code)."'";
}
$result = $db->query($sql);
diff --git a/htdocs/accountancy/admin/categories_list.php b/htdocs/accountancy/admin/categories_list.php
index ddd4240a073..9469a1e64f1 100644
--- a/htdocs/accountancy/admin/categories_list.php
+++ b/htdocs/accountancy/admin/categories_list.php
@@ -271,7 +271,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha'))
else $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'";
$i++;
}
- $sql .= " WHERE ".$rowidcol." = '".$rowid."'";
+ $sql .= " WHERE ".$rowidcol." = ".((int) $rowid);
dol_syslog("actionmodify", LOG_DEBUG);
//print $sql;
@@ -293,7 +293,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete
{
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
- $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
+ $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = ".((int) $rowid);
dol_syslog("delete", LOG_DEBUG);
$result = $db->query($sql);
@@ -314,7 +314,7 @@ if ($action == $acts[0])
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
if ($rowid) {
- $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
+ $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = ".((int) $rowid);
} elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code = '".$db->escape($code)."'";
}
@@ -332,7 +332,7 @@ if ($action == $acts[1])
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
if ($rowid) {
- $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
+ $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = ".((int) $rowid);
} elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code = '".$db->escape($code)."'";
}
@@ -350,7 +350,7 @@ if ($action == 'activate_favorite')
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
if ($rowid) {
- $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
+ $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = ".((int) $rowid);
} elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code = '".$db->escape($code)."'";
}
@@ -368,7 +368,7 @@ if ($action == 'disable_favorite')
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
if ($rowid) {
- $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
+ $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = ".((int) $rowid);
} elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code = '".$db->escape($code)."'";
}
diff --git a/htdocs/accountancy/admin/journals_list.php b/htdocs/accountancy/admin/journals_list.php
index 74247c5fccd..a09a38c959c 100644
--- a/htdocs/accountancy/admin/journals_list.php
+++ b/htdocs/accountancy/admin/journals_list.php
@@ -274,7 +274,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha'))
else $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'";
$i++;
}
- $sql .= " WHERE ".$rowidcol." = '".$rowid."'";
+ $sql .= " WHERE ".$rowidcol." = ".((int) $rowid);
$sql .= " AND entity = ".$conf->entity;
dol_syslog("actionmodify", LOG_DEBUG);
@@ -297,7 +297,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete
{
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
- $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol."='".$rowid."'";
+ $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = ".((int) $rowid);
$sql .= " AND entity = ".$conf->entity;
dol_syslog("delete", LOG_DEBUG);
@@ -319,9 +319,9 @@ if ($action == $acts[0])
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
if ($rowid) {
- $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'";
+ $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = ".((int) $rowid);
} elseif ($code) {
- $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'";
+ $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$db->escape($code)."'";
}
$sql .= " AND entity = ".$conf->entity;
@@ -338,9 +338,9 @@ if ($action == $acts[1])
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
if ($rowid) {
- $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'";
+ $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = ".((int) $rowid);
} elseif ($code) {
- $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'";
+ $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$db->escape($code)."'";
}
$sql .= " AND entity = ".$conf->entity;
diff --git a/htdocs/accountancy/admin/productaccount.php b/htdocs/accountancy/admin/productaccount.php
index b6465b95355..79bfef57d3a 100644
--- a/htdocs/accountancy/admin/productaccount.php
+++ b/htdocs/accountancy/admin/productaccount.php
@@ -176,7 +176,7 @@ if ($action == 'update') {
if ($accounting_product_mode == 'ACCOUNTANCY_SELL_EXPORT') {
$sql .= " SET accountancy_code_sell_export = ".$accounting->account_number;
}
- $sql .= " WHERE rowid = ".$productid;
+ $sql .= " WHERE rowid = ".((int) $productid);
dol_syslog("/accountancy/admin/productaccount.php sql=".$sql, LOG_DEBUG);
if ($db->query($sql))
@@ -251,21 +251,21 @@ $sql .= " aa.rowid as aaid";
$sql .= " FROM ".MAIN_DB_PREFIX."product as p";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON";
if ($accounting_product_mode == 'ACCOUNTANCY_BUY') {
- $sql .= " p.accountancy_code_buy = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'";
+ $sql .= " p.accountancy_code_buy = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'";
} elseif ($accounting_product_mode == 'ACCOUNTANCY_BUY_INTRA')
{
- $sql .= " p.accountancy_code_buy_intra = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'";
+ $sql .= " p.accountancy_code_buy_intra = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'";
} elseif ($accounting_product_mode == 'ACCOUNTANCY_BUY_EXPORT')
{
- $sql .= " p.accountancy_code_buy_export = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'";
+ $sql .= " p.accountancy_code_buy_export = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'";
} elseif ($accounting_product_mode == 'ACCOUNTANCY_SELL')
{
- $sql .= " p.accountancy_code_sell = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'";
+ $sql .= " p.accountancy_code_sell = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'";
} elseif ($accounting_product_mode == 'ACCOUNTANCY_SELL_INTRA')
{
- $sql .= " p.accountancy_code_sell_intra = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'";
+ $sql .= " p.accountancy_code_sell_intra = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'";
} else {
- $sql .= " p.accountancy_code_sell_export = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'";
+ $sql .= " p.accountancy_code_sell_export = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'";
}
$sql .= ' WHERE p.entity IN ('.getEntity('product').')';
if ($accounting_product_mode == 'ACCOUNTANCY_BUY') {
diff --git a/htdocs/accountancy/bookkeeping/thirdparty_lettering_customer.php b/htdocs/accountancy/bookkeeping/thirdparty_lettering_customer.php
index 0b3d98a2742..321ef282dff 100644
--- a/htdocs/accountancy/bookkeeping/thirdparty_lettering_customer.php
+++ b/htdocs/accountancy/bookkeeping/thirdparty_lettering_customer.php
@@ -147,7 +147,7 @@ $sql = "SELECT bk.rowid, bk.doc_date, bk.doc_type, bk.doc_ref, ";
$sql .= " bk.subledger_account, bk.numero_compte , bk.label_compte, bk.debit, ";
$sql .= " bk.credit, bk.montant , bk.sens , bk.code_journal , bk.piece_num, bk.lettering_code ";
$sql .= " FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as bk";
-$sql .= " WHERE (bk.subledger_account = '".$object->code_compta."' AND bk.numero_compte = '".$conf->global->ACCOUNTING_ACCOUNT_CUSTOMER."' )";
+$sql .= " WHERE (bk.subledger_account = '".$db->escape($object->code_compta)."' AND bk.numero_compte = '".$db->escape($conf->global->ACCOUNTING_ACCOUNT_CUSTOMER)."' )";
/*
if (dol_strlen($search_date_start) || dol_strlen($search_date_end)) {
diff --git a/htdocs/accountancy/bookkeeping/thirdparty_lettering_supplier.php b/htdocs/accountancy/bookkeeping/thirdparty_lettering_supplier.php
index c6ab2fa81d6..144c2595d25 100644
--- a/htdocs/accountancy/bookkeeping/thirdparty_lettering_supplier.php
+++ b/htdocs/accountancy/bookkeeping/thirdparty_lettering_supplier.php
@@ -146,7 +146,7 @@ $sql = "SELECT bk.rowid, bk.doc_date, bk.doc_type, bk.doc_ref, ";
$sql .= " bk.subledger_account, bk.numero_compte , bk.label_compte, bk.debit, ";
$sql .= " bk.credit, bk.montant , bk.sens , bk.code_journal , bk.piece_num, bk.lettering_code, bk.date_validated ";
$sql .= " FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as bk";
-$sql .= " WHERE (bk.subledger_account = '".$object->code_compta_fournisseur."' AND bk.numero_compte = '".$conf->global->ACCOUNTING_ACCOUNT_SUPPLIER."' )";
+$sql .= " WHERE (bk.subledger_account = '".$db->escape($object->code_compta_fournisseur)."' AND bk.numero_compte = '".$db->escape($conf->global->ACCOUNTING_ACCOUNT_SUPPLIER)."' )";
if (dol_strlen($search_date_start) || dol_strlen($search_date_end)) {
$sql .= " AND (bk.doc_date BETWEEN '".$db->idate($search_date_start)."' AND '".$db->idate($search_date_end)."' )";
}
diff --git a/htdocs/accountancy/class/accountancyexport.class.php b/htdocs/accountancy/class/accountancyexport.class.php
index 130c0e97659..0204602438f 100644
--- a/htdocs/accountancy/class/accountancyexport.class.php
+++ b/htdocs/accountancy/class/accountancyexport.class.php
@@ -1160,7 +1160,8 @@ class AccountancyExport
// TYPE C
if ($last_codeinvoice != $line->doc_ref) {
//recherche societe en fonction de son code client
- $sql = "SELECT code_client, fk_forme_juridique, nom, address, zip, town, fk_pays, phone, siret FROM ".MAIN_DB_PREFIX."societe WHERE code_client = '".$line->thirdparty_code."'";
+ $sql = "SELECT code_client, fk_forme_juridique, nom, address, zip, town, fk_pays, phone, siret FROM ".MAIN_DB_PREFIX."societe";
+ $sql .= " WHERE code_client = '".$this->db->escape($line->thirdparty_code)."'";
$resql = $this->db->query($sql);
if ($resql && $this->db->num_rows($resql) > 0)
diff --git a/htdocs/accountancy/class/accountancysystem.class.php b/htdocs/accountancy/class/accountancysystem.class.php
index 719d33c8574..c2f3468016c 100644
--- a/htdocs/accountancy/class/accountancysystem.class.php
+++ b/htdocs/accountancy/class/accountancysystem.class.php
@@ -101,7 +101,7 @@ class AccountancySystem
$sql .= " FROM ".MAIN_DB_PREFIX."accounting_system as a";
$sql .= " WHERE";
if ($rowid) {
- $sql .= " a.rowid = '".$rowid."'";
+ $sql .= " a.rowid = ".((int) $rowid);
} elseif ($ref) {
$sql .= " a.pcg_version = '".$this->db->escape($ref)."'";
}
diff --git a/htdocs/accountancy/class/accountingjournal.class.php b/htdocs/accountancy/class/accountingjournal.class.php
index 6067f557cfb..882eee71769 100644
--- a/htdocs/accountancy/class/accountingjournal.class.php
+++ b/htdocs/accountancy/class/accountingjournal.class.php
@@ -108,7 +108,7 @@ class AccountingJournal extends CommonObject
$sql .= " FROM ".MAIN_DB_PREFIX."accounting_journal";
$sql .= " WHERE";
if ($rowid) {
- $sql .= " rowid = ".(int) $rowid;
+ $sql .= " rowid = ".((int) $rowid);
} elseif ($journal_code)
{
$sql .= " code = '".$this->db->escape($journal_code)."'";
diff --git a/htdocs/accountancy/class/bookkeeping.class.php b/htdocs/accountancy/class/bookkeeping.class.php
index 1c377e70192..1e1e42a6047 100644
--- a/htdocs/accountancy/class/bookkeeping.class.php
+++ b/htdocs/accountancy/class/bookkeeping.class.php
@@ -1755,14 +1755,14 @@ class BookKeeping extends CommonObject
$sql .= ' doc_ref, fk_doc, fk_docdet, entity, thirdparty_code, subledger_account, subledger_label,';
$sql .= ' numero_compte, label_compte, label_operation, debit, credit,';
$sql .= ' montant, sens, fk_user_author, import_key, code_journal, journal_label, '.$next_piecenum.", '".$this->db->idate($now)."'";
- $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.$this->db->escape($piece_num);
+ $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.((int) $piece_num);
$resql = $this->db->query($sql);
if (!$resql) {
$error++;
$this->errors[] = 'Error '.$this->db->lasterror();
dol_syslog(__METHOD__.' '.join(',', $this->errors), LOG_ERR);
}
- $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.$this->db->escape($piece_num);
+ $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.((int) $piece_num);
$resql = $this->db->query($sql);
if (!$resql) {
$error++;
@@ -1770,7 +1770,7 @@ class BookKeeping extends CommonObject
dol_syslog(__METHOD__.' '.join(',', $this->errors), LOG_ERR);
}
} elseif ($direction == 1) {
- $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.$piece_num;
+ $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.((int) $piece_num);
$resql = $this->db->query($sql);
if (!$resql) {
$error++;
@@ -1785,14 +1785,14 @@ class BookKeeping extends CommonObject
$sql .= ' doc_ref, fk_doc, fk_docdet, thirdparty_code, subledger_account, subledger_label,';
$sql .= ' numero_compte, label_compte, label_operation, debit, credit,';
$sql .= ' montant, sens, fk_user_author, import_key, code_journal, journal_label, piece_num';
- $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.' WHERE piece_num = '.$piece_num;
+ $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.' WHERE piece_num = '.((int) $piece_num);
$resql = $this->db->query($sql);
if (!$resql) {
$error++;
$this->errors[] = 'Error '.$this->db->lasterror();
dol_syslog(__METHOD__.' '.join(',', $this->errors), LOG_ERR);
}
- $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.$piece_num;
+ $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.((int) $piece_num);
$resql = $this->db->query($sql);
if (!$resql) {
$error++;
@@ -1910,7 +1910,7 @@ class BookKeeping extends CommonObject
$sql .= " AND asy.rowid = ".$pcgver;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as parent ON aa.account_parent = parent.rowid";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as root ON parent.account_parent = root.rowid";
- $sql .= " WHERE aa.account_number = '".$account."'";
+ $sql .= " WHERE aa.account_number = '".$this->db->escape($account)."'";
$sql .= " AND parent.active = 1";
$sql .= " AND root.active = 1";
$sql .= " AND aa.entity IN (".getEntity('accountancy').")";
@@ -1948,8 +1948,8 @@ class BookKeeping extends CommonObject
$sql = "SELECT aa.account_number, aa.label, aa.rowid, aa.fk_pcg_version, cat.label as category";
$sql .= " FROM ".MAIN_DB_PREFIX."accounting_account as aa ";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_system as asy ON aa.fk_pcg_version = asy.pcg_version";
- $sql .= " AND aa.account_number = '".$account."'";
- $sql .= " AND asy.rowid = ".$pcgver;
+ $sql .= " AND aa.account_number = '".$this->db->escape($account)."'";
+ $sql .= " AND asy.rowid = ".((int) $pcgver);
$sql .= " AND aa.active = 1";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_accounting_category as cat ON aa.fk_accounting_category = cat.rowid";
$sql .= " WHERE aa.entity IN (".getEntity('accountancy').")";
diff --git a/htdocs/accountancy/class/lettering.class.php b/htdocs/accountancy/class/lettering.class.php
index d663e0ec9c4..cfe9bf635ae 100644
--- a/htdocs/accountancy/class/lettering.class.php
+++ b/htdocs/accountancy/class/lettering.class.php
@@ -68,11 +68,11 @@ class Lettering extends BookKeeping
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."bank_url as bu ON(bk.fk_doc = bu.fk_bank AND bu.type IN ('payment', 'payment_supplier') ) ";
$sql .= " WHERE ( ";
if ($object->code_compta != "")
- $sql .= " bk.subledger_account = '".$object->code_compta."' ";
+ $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' ";
if ($object->code_compta != "" && $object->code_compta_fournisseur != "")
$sql .= " OR ";
if ($object->code_compta_fournisseur != "")
- $sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' ";
+ $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' ";
$sql .= " ) AND (bk.date_lettering ='' OR bk.date_lettering IS NULL) ";
$sql .= " AND (bk.lettering_code != '' OR bk.lettering_code IS NULL) ";
@@ -95,19 +95,19 @@ class Lettering extends BookKeeping
$sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn facf ";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."paiementfourn_facturefourn as payfacf ON payfacf.fk_facturefourn=facf.rowid";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."paiementfourn as payf ON payfacf.fk_paiementfourn=payf.rowid";
- $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON (bk.fk_doc = payf.fk_bank AND bk.code_journal='".$obj->code_journal."')";
- $sql .= " WHERE payfacf.fk_paiementfourn = '".$obj->url_id."' ";
+ $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON (bk.fk_doc = payf.fk_bank AND bk.code_journal='".$this->db->escape($obj->code_journal)."')";
+ $sql .= " WHERE payfacf.fk_paiementfourn = '".$this->db->escape($obj->url_id)."' ";
$sql .= " AND facf.entity = ".$conf->entity;
$sql .= " AND code_journal IN (SELECT code FROM ".MAIN_DB_PREFIX."accounting_journal WHERE nature=4 AND entity=".$conf->entity.") ";
$sql .= " AND ( ";
if ($object->code_compta != "") {
- $sql .= " bk.subledger_account = '".$object->code_compta."' ";
+ $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' ";
}
if ($object->code_compta != "" && $object->code_compta_fournisseur != "") {
$sql .= " OR ";
}
if ($object->code_compta_fournisseur != "") {
- $sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' ";
+ $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' ";
}
$sql .= " ) ";
@@ -129,13 +129,13 @@ class Lettering extends BookKeeping
$sql .= " AND facf.entity = ".$conf->entity;
$sql .= " AND ( ";
if ($object->code_compta != "") {
- $sql .= " bk.subledger_account = '".$object->code_compta."' ";
+ $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' ";
}
if ($object->code_compta != "" && $object->code_compta_fournisseur != "") {
$sql .= " OR ";
}
if ($object->code_compta_fournisseur != "") {
- $sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' ";
+ $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' ";
}
$sql .= ") ";
@@ -154,19 +154,19 @@ class Lettering extends BookKeeping
$sql .= " FROM ".MAIN_DB_PREFIX."facture fac ";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."paiement_facture as payfac ON payfac.fk_facture=fac.rowid";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."paiement as pay ON payfac.fk_paiement=pay.rowid";
- $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON (bk.fk_doc = pay.fk_bank AND bk.code_journal='".$obj->code_journal."')";
- $sql .= " WHERE payfac.fk_paiement = '".$obj->url_id."' ";
+ $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON (bk.fk_doc = pay.fk_bank AND bk.code_journal='".$this->db->escape($obj->code_journal)."')";
+ $sql .= " WHERE payfac.fk_paiement = '".$this->db->escape($obj->url_id)."' ";
$sql .= " AND bk.code_journal IN (SELECT code FROM ".MAIN_DB_PREFIX."accounting_journal WHERE nature=4 AND entity=".$conf->entity.") ";
$sql .= " AND fac.entity IN (".getEntity('invoice', 0).")"; // We don't share object for accountancy
$sql .= " AND ( ";
if ($object->code_compta != "") {
- $sql .= " bk.subledger_account = '".$object->code_compta."' ";
+ $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' ";
}
if ($object->code_compta != "" && $object->code_compta_fournisseur != "") {
$sql .= " OR ";
}
if ($object->code_compta_fournisseur != "") {
- $sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' ";
+ $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' ";
}
$sql .= " )";
@@ -188,13 +188,13 @@ class Lettering extends BookKeeping
$sql .= " AND fac.entity IN (".getEntity('invoice', 0).")"; // We don't share object for accountancy
$sql .= " AND ( ";
if ($object->code_compta != "") {
- $sql .= " bk.subledger_account = '".$object->code_compta."' ";
+ $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' ";
}
if ($object->code_compta != "" && $object->code_compta_fournisseur != "") {
$sql .= " OR ";
}
if ($object->code_compta_fournisseur != "") {
- $sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' ";
+ $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' ";
}
$sql .= " ) ";
@@ -238,7 +238,7 @@ class Lettering extends BookKeeping
$lettre = 'AAA';
$sql = "SELECT DISTINCT lettering_code FROM ".MAIN_DB_PREFIX."accounting_bookkeeping WHERE ";
- $sql .= " lettering_code != '' ORDER BY lettering_code DESC limit 1; ";
+ $sql .= " lettering_code != '' ORDER BY lettering_code DESC limit 1";
$result = $this->db->query($sql);
if ($result) {
@@ -252,7 +252,7 @@ class Lettering extends BookKeeping
}
$sql = "SELECT SUM(ABS(debit)) as deb, SUM(ABS(credit)) as cred FROM ".MAIN_DB_PREFIX."accounting_bookkeeping WHERE ";
- $sql .= " rowid IN (".implode(',', $ids).") AND date_validated IS NULL ";
+ $sql .= " rowid IN (".implode(',', $ids).") AND date_validated IS NULL";
$result = $this->db->query($sql);
if ($result) {
$obj = $this->db->fetch_object($result);
@@ -272,7 +272,7 @@ class Lettering extends BookKeeping
if (!$error)
{
$sql = "UPDATE ".MAIN_DB_PREFIX."accounting_bookkeeping SET";
- $sql .= " lettering_code='".$lettre."'";
+ $sql .= " lettering_code='".$this->db->escape($lettre)."'";
$sql .= " , date_lettering = '".$this->db->idate($now)."'"; // todo correct date it's false
$sql .= " WHERE rowid IN (".implode(',', $ids).") AND date_validated IS NULL ";
$this->db->begin();
diff --git a/htdocs/accountancy/customer/index.php b/htdocs/accountancy/customer/index.php
index 69135e75c4d..1a5098bda38 100644
--- a/htdocs/accountancy/customer/index.php
+++ b/htdocs/accountancy/customer/index.php
@@ -131,9 +131,9 @@ if ($action == 'validatehistory') {
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = s.fk_pays ";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."facturedet as l ON f.rowid = l.fk_facture";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product";
- $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_sell = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity;
- $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_sell_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$chartaccountcode."' AND aa2.entity = ".$conf->entity;
- $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$chartaccountcode."' AND aa3.entity = ".$conf->entity;
+ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_sell = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity;
+ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_sell_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity;
+ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity;
$sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0";
$sql .= " AND l.product_type <= 2";
@@ -402,7 +402,7 @@ if ($conf->global->MAIN_FEATURES_LEVEL > 0) // This part of code looks strange.
}
print '
'.$langs->trans("Total").'
';
- $sql = "SELECT '".$langs->trans("TotalVente")."' AS total,";
+ $sql = "SELECT '".$db->escape($langs->trans("TotalVente"))."' AS total,";
for ($i = 1; $i <= 12; $i++) {
$j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1;
if ($j > 12) $j -= 12;
@@ -459,7 +459,7 @@ if ($conf->global->MAIN_FEATURES_LEVEL > 0) // This part of code looks strange.
}
print '
'.$langs->trans("Total").'
';
- $sql = "SELECT '".$langs->trans("Vide")."' AS marge,";
+ $sql = "SELECT '".$db->escape($langs->trans("Vide"))."' AS marge,";
for ($i = 1; $i <= 12; $i++) {
$j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1;
if ($j > 12) $j -= 12;
diff --git a/htdocs/accountancy/customer/list.php b/htdocs/accountancy/customer/list.php
index 70ed0bf8878..3c28cdaab84 100644
--- a/htdocs/accountancy/customer/list.php
+++ b/htdocs/accountancy/customer/list.php
@@ -161,8 +161,8 @@ if ($massaction == 'ventil') {
$ko++;
} else {
$sql = " UPDATE ".MAIN_DB_PREFIX."facturedet";
- $sql .= " SET fk_code_ventilation = ".$monCompte;
- $sql .= " WHERE rowid = ".$monId;
+ $sql .= " SET fk_code_ventilation = ".((int) $monCompte);
+ $sql .= " WHERE rowid = ".((int) $monId);
$accountventilated = new AccountingAccount($db);
$accountventilated->fetch($monCompte, '');
@@ -222,9 +222,9 @@ $sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = s.fk_pays ";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."facturedet as l ON f.rowid = l.fk_facture";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product";
-$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_sell = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity;
-$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_sell_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$chartaccountcode."' AND aa2.entity = ".$conf->entity;
-$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$chartaccountcode."' AND aa3.entity = ".$conf->entity;
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_sell = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity;
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_sell_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity;
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity;
$sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0";
$sql .= " AND l.product_type <= 2";
// Define begin binding date
diff --git a/htdocs/accountancy/expensereport/index.php b/htdocs/accountancy/expensereport/index.php
index 63305791ec7..6edb8d86a07 100644
--- a/htdocs/accountancy/expensereport/index.php
+++ b/htdocs/accountancy/expensereport/index.php
@@ -161,7 +161,7 @@ for ($i = 1; $i <= 12; $i++) {
}
print '
'.$langs->trans("Total").'
';
-$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,";
+$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,";
$sql .= " ".$db->ifsql('aa.label IS NULL', "'tobind'", 'aa.label')." AS intitule,";
for ($i = 1; $i <= 12; $i++) {
$j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1;
@@ -234,7 +234,7 @@ for ($i = 1; $i <= 12; $i++) {
}
print '
'.$langs->trans("Total").'
';
-$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,";
+$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,";
$sql .= " ".$db->ifsql('aa.label IS NULL', "'tobind'", 'aa.label')." AS intitule,";
for ($i = 1; $i <= 12; $i++) {
$j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1;
@@ -309,7 +309,7 @@ if ($conf->global->MAIN_FEATURES_LEVEL > 0) // This part of code looks strange.
}
print '
'.$langs->trans("Total").'
';
- $sql = "SELECT '".$langs->trans("TotalExpenseReport")."' AS label,";
+ $sql = "SELECT '".$db->escape($langs->trans("TotalExpenseReport"))."' AS label,";
for ($i = 1; $i <= 12; $i++) {
$j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1;
if ($j > 12) $j -= 12;
diff --git a/htdocs/accountancy/expensereport/list.php b/htdocs/accountancy/expensereport/list.php
index b3c8b7cda3e..265e9488055 100644
--- a/htdocs/accountancy/expensereport/list.php
+++ b/htdocs/accountancy/expensereport/list.php
@@ -196,7 +196,7 @@ $sql .= " FROM ".MAIN_DB_PREFIX."expensereport as er";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."expensereport_det as erd ON er.rowid = erd.fk_expensereport";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_type_fees as f ON f.id = erd.fk_c_type_fees";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."user as u ON u.rowid = er.fk_user_author";
-$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON f.accountancy_code = aa.account_number AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity;
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON f.accountancy_code = aa.account_number AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity;
$sql .= " WHERE er.fk_statut IN (".ExpenseReport::STATUS_APPROVED.", ".ExpenseReport::STATUS_CLOSED.") AND erd.fk_code_ventilation <= 0";
// Define begin binding date
if (!empty($conf->global->ACCOUNTING_DATE_START_BINDING)) {
diff --git a/htdocs/accountancy/supplier/index.php b/htdocs/accountancy/supplier/index.php
index f1807c1c2cc..0dbe09fa468 100644
--- a/htdocs/accountancy/supplier/index.php
+++ b/htdocs/accountancy/supplier/index.php
@@ -128,9 +128,9 @@ if ($action == 'validatehistory') {
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = s.fk_pays ";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."facture_fourn_det as l ON f.rowid = l.fk_facture_fourn";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product";
- $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_buy = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity;
- $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_buy_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$chartaccountcode."' AND aa2.entity = ".$conf->entity;
- $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_buy_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$chartaccountcode."' AND aa3.entity = ".$conf->entity;
+ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_buy = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity;
+ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_buy_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity;
+ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_buy_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity;
$sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0";
$sql .= " AND l.product_type <= 2";
@@ -232,7 +232,7 @@ for ($i = 1; $i <= 12; $i++) {
}
print '
'.$langs->trans("Total").'
';
-$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,";
+$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,";
$sql .= " ".$db->ifsql('aa.label IS NULL', "'tobind'", 'aa.label')." AS intitule,";
for ($i = 1; $i <= 12; $i++) {
$j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1;
@@ -305,7 +305,7 @@ for ($i = 1; $i <= 12; $i++) {
}
print '
'.$langs->trans("Total").'
';
-$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,";
+$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,";
$sql .= " ".$db->ifsql('aa.label IS NULL', "'tobind'", 'aa.label')." AS intitule,";
for ($i = 1; $i <= 12; $i++) {
$j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1;
@@ -380,7 +380,7 @@ if ($conf->global->MAIN_FEATURES_LEVEL > 0) // This part of code looks strange.
}
print '
'.$langs->trans("Total").'
';
- $sql = "SELECT '".$langs->trans("CAHTF")."' AS label,";
+ $sql = "SELECT '".$db->escape($langs->trans("CAHTF"))."' AS label,";
for ($i = 1; $i <= 12; $i++) {
$j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1;
if ($j > 12) $j -= 12;
diff --git a/htdocs/accountancy/supplier/list.php b/htdocs/accountancy/supplier/list.php
index cabe62e6471..9e1668e1a35 100644
--- a/htdocs/accountancy/supplier/list.php
+++ b/htdocs/accountancy/supplier/list.php
@@ -226,9 +226,9 @@ $sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = s.fk_pays ";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."facture_fourn_det as l ON f.rowid = l.fk_facture_fourn";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product";
-$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_buy = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity;
-$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_buy_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$chartaccountcode."' AND aa2.entity = ".$conf->entity;
-$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_buy_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$chartaccountcode."' AND aa3.entity = ".$conf->entity;
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_buy = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity;
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_buy_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity;
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_buy_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity;
$sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0";
$sql .= " AND l.product_type <= 2";
// Define begin binding date
diff --git a/htdocs/adherents/card.php b/htdocs/adherents/card.php
index a13367326fa..0a32398f307 100644
--- a/htdocs/adherents/card.php
+++ b/htdocs/adherents/card.php
@@ -152,7 +152,7 @@ if (empty($reshook)) {
if (!$error) {
if ($socid != $object->socid) { // If link differs from currently in database
$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."adherent";
- $sql .= " WHERE socid = '".$socid."'";
+ $sql .= " WHERE socid = ".((int) $socid);
$sql .= " AND entity = ".$conf->entity;
$resql = $db->query($sql);
if ($resql) {
diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php
index 1475f544f67..95ca2017b21 100644
--- a/htdocs/adherents/class/adherent.class.php
+++ b/htdocs/adherents/class/adherent.class.php
@@ -1117,7 +1117,7 @@ class Adherent extends CommonObject
// Remove link to third party onto any other members
if ($thirdpartyid > 0) {
$sql = "UPDATE ".MAIN_DB_PREFIX."adherent SET fk_soc = null";
- $sql .= " WHERE fk_soc = '".$thirdpartyid."'";
+ $sql .= " WHERE fk_soc = ".((int) $thirdpartyid);
$sql .= " AND entity = ".$conf->entity;
dol_syslog(get_class($this)."::setThirdPartyId", LOG_DEBUG);
$resql = $this->db->query($sql);
diff --git a/htdocs/adherents/class/adherentstats.class.php b/htdocs/adherents/class/adherentstats.class.php
index c953d929442..d86a9e21d8c 100644
--- a/htdocs/adherents/class/adherentstats.class.php
+++ b/htdocs/adherents/class/adherentstats.class.php
@@ -92,7 +92,7 @@ class AdherentStats extends Stats
$sql = "SELECT date_format(p.dateadh,'%m') as dm, count(*)";
$sql .= " FROM ".$this->from;
//if (!$user->rights->societe->client->voir && !$user->socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
- $sql .= " WHERE date_format(p.dateadh,'%Y') = '".$year."'";
+ $sql .= " WHERE date_format(p.dateadh,'%Y') = ".((int) $year);
$sql .= " AND ".$this->where;
$sql .= " GROUP BY dm";
$sql .= $this->db->order('dm', 'DESC');
@@ -133,7 +133,7 @@ class AdherentStats extends Stats
$sql = "SELECT date_format(p.dateadh,'%m') as dm, sum(p.".$this->field.")";
$sql .= " FROM ".$this->from;
//if (!$user->rights->societe->client->voir && !$user->socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
- $sql .= " WHERE date_format(p.dateadh,'%Y') = '".$year."'";
+ $sql .= " WHERE date_format(p.dateadh,'%Y') = ".((int) $year);
$sql .= " AND ".$this->where;
$sql .= " GROUP BY dm";
$sql .= $this->db->order('dm', 'DESC');
@@ -154,7 +154,7 @@ class AdherentStats extends Stats
$sql = "SELECT date_format(p.dateadh,'%m') as dm, avg(p.".$this->field.")";
$sql .= " FROM ".$this->from;
//if (!$user->rights->societe->client->voir && !$this->socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
- $sql .= " WHERE date_format(p.dateadh,'%Y') = '".$year."'";
+ $sql .= " WHERE date_format(p.dateadh,'%Y') = ".((int) $year);
$sql .= " AND ".$this->where;
$sql .= " GROUP BY dm";
$sql .= $this->db->order('dm', 'DESC');
diff --git a/htdocs/adherents/list.php b/htdocs/adherents/list.php
index 4245bf2e74a..1e550fb7f65 100644
--- a/htdocs/adherents/list.php
+++ b/htdocs/adherents/list.php
@@ -281,7 +281,7 @@ if ($search_ref) {
if ($search_civility) $sql .= natural_search("d.civility", $search_civility);
if ($search_firstname) $sql .= natural_search("d.firstname", $search_firstname);
if ($search_lastname) $sql .= natural_search(array("d.firstname", "d.lastname", "d.societe"), $search_lastname);
-if ($search_gender != '' && $search_gender != '-1') $sql .= " AND d.gender = '".$search_gender."'";
+if ($search_gender != '' && $search_gender != '-1') $sql .= natural_search("d.gender", $search_gender);
if ($search_login) $sql .= natural_search("d.login", $search_login);
if ($search_company) $sql .= natural_search("s.nom", $search_company);
if ($search_email) $sql .= natural_search("d.email", $search_email);
@@ -502,16 +502,16 @@ if (!empty($arrayfields['t.libelle']['checked'])) {
if (!empty($arrayfields['d.address']['checked'])) {
print '
';
- print '
';
+ print '';
}
if (!empty($arrayfields['d.zip']['checked'])) {
print '
';
- print '
';
+ print '';
}
if (!empty($arrayfields['d.town']['checked'])) {
print '
';
- print '
';
+ print '';
}
// State
if (!empty($arrayfields['state.nom']['checked'])) {
@@ -528,22 +528,22 @@ if (!empty($arrayfields['country.code_iso']['checked'])) {
// Phone pro
if (!empty($arrayfields['d.phone']['checked'])) {
print '