From d4ff877fdd04aace228c0b3c055a137f19b9c247 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 4 Sep 2017 12:13:12 +0200 Subject: [PATCH 01/14] Prepare 6.0.1 --- htdocs/filefunc.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php index db05918e8a6..cbec259b2aa 100644 --- a/htdocs/filefunc.inc.php +++ b/htdocs/filefunc.inc.php @@ -31,7 +31,7 @@ */ if (! defined('DOL_APPLICATION_TITLE')) define('DOL_APPLICATION_TITLE','Dolibarr'); -if (! defined('DOL_VERSION')) define('DOL_VERSION','6.0.0'); // a.b.c-alpha, a.b.c-beta, a.b.c-rcX or a.b.c +if (! defined('DOL_VERSION')) define('DOL_VERSION','6.0.1'); // a.b.c-alpha, a.b.c-beta, a.b.c-rcX or a.b.c if (! defined('EURO')) define('EURO',chr(128)); From f5ccd943f1e56887603ac2340915e6abf6ee26f7 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 5 Sep 2017 20:13:33 +0200 Subject: [PATCH 02/14] Fix mix of collation --- htdocs/install/mysql/migration/repair.sql | 2 ++ 1 file changed, 2 insertions(+) diff --git a/htdocs/install/mysql/migration/repair.sql b/htdocs/install/mysql/migration/repair.sql index 14622a3963c..59be09bcb8b 100755 --- a/htdocs/install/mysql/migration/repair.sql +++ b/htdocs/install/mysql/migration/repair.sql @@ -41,6 +41,8 @@ -- VMYSQLUTF8UNICODECI ALTER TABLE llx_product MODIFY accountancy_code_sell VARCHAR(32) COLLATE utf8_unicode_ci; -- VMYSQLUTF8UNICODECI ALTER TABLE llx_product MODIFY accountancy_code_buy VARCHAR(32) CHARACTER SET utf8; -- VMYSQLUTF8UNICODECI ALTER TABLE llx_product MODIFY accountancy_code_buy VARCHAR(32) COLLATE utf8_unicode_ci; +-- VMYSQLUTF8UNICODECI ALTER TABLE llx_c_type_fees MODIFY accountancy_code VARCHAR(32) CHARACTER SET utf8; +-- VMYSQLUTF8UNICODECI ALTER TABLE llx_c_type_fees MODIFY accountancy_code VARCHAR(32) COLLATE utf8_unicode_ci; -- VMYSQL4.1 SET sql_mode = 'ALLOW_INVALID_DATES'; From 9cc344f8cc57a15e0d5beb40b022f5104897d193 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Wed, 6 Sep 2017 10:11:07 +0200 Subject: [PATCH 03/14] Fix problem in type and customer code substitution in numbering module --- htdocs/core/modules/commande/mod_commande_saphir.php | 7 ++++++- htdocs/core/modules/expedition/mod_expedition_ribera.php | 7 ++++++- htdocs/core/modules/propale/mod_propale_saphir.php | 7 +++++-- 3 files changed, 17 insertions(+), 4 deletions(-) diff --git a/htdocs/core/modules/commande/mod_commande_saphir.php b/htdocs/core/modules/commande/mod_commande_saphir.php index 1996717e506..2c8ae2ef3e9 100644 --- a/htdocs/core/modules/commande/mod_commande_saphir.php +++ b/htdocs/core/modules/commande/mod_commande_saphir.php @@ -88,9 +88,12 @@ class mod_commande_saphir extends ModeleNumRefCommandes global $conf,$langs,$mysoc; $old_code_client=$mysoc->code_client; + $old_code_type=$mysoc->typent_code; $mysoc->code_client='CCCCCCCCCC'; + $mysoc->typent_code='TTTTTTTTTT'; $numExample = $this->getNextValue($mysoc,''); $mysoc->code_client=$old_code_client; + $mysoc->typent_code=$old_code_type; if (! $numExample) { @@ -121,7 +124,9 @@ class mod_commande_saphir extends ModeleNumRefCommandes return 0; } - $numFinal=get_next_value($db,$mask,'commande','ref','',$objsoc,$object->date); + $date = ($object->date_commande ? $object->date_commande : $object->date); + + $numFinal=get_next_value($db,$mask,'commande','ref','',$objsoc,$date); return $numFinal; } diff --git a/htdocs/core/modules/expedition/mod_expedition_ribera.php b/htdocs/core/modules/expedition/mod_expedition_ribera.php index c92ea93e6a2..c002da1eee2 100644 --- a/htdocs/core/modules/expedition/mod_expedition_ribera.php +++ b/htdocs/core/modules/expedition/mod_expedition_ribera.php @@ -79,9 +79,12 @@ class mod_expedition_ribera extends ModelNumRefExpedition global $conf,$langs,$mysoc; $old_code_client=$mysoc->code_client; + $old_code_type=$mysoc->typent_code; $mysoc->code_client='CCCCCCCCCC'; + $mysoc->typent_code='TTTTTTTTTT'; $numExample = $this->getNextValue($mysoc,''); $mysoc->code_client=$old_code_client; + $mysoc->typent_code=$old_code_type; if (! $numExample) { @@ -111,7 +114,9 @@ class mod_expedition_ribera extends ModelNumRefExpedition return 0; } - $numFinal=get_next_value($db,$mask,'expedition','ref','',$objsoc->code_client,$shipment->date_expedition); + $date = $shipment->date_expedition; + + $numFinal=get_next_value($db,$mask,'expedition','ref','',$objsoc,$date); return $numFinal; } diff --git a/htdocs/core/modules/propale/mod_propale_saphir.php b/htdocs/core/modules/propale/mod_propale_saphir.php index 25ccecb253c..ec0b0b241e2 100644 --- a/htdocs/core/modules/propale/mod_propale_saphir.php +++ b/htdocs/core/modules/propale/mod_propale_saphir.php @@ -88,9 +88,12 @@ class mod_propale_saphir extends ModeleNumRefPropales global $conf,$langs,$mysoc; $old_code_client=$mysoc->code_client; + $old_code_type=$mysoc->typent_code; $mysoc->code_client='CCCCCCCCCC'; + $mysoc->typent_code='TTTTTTTTTT'; $numExample = $this->getNextValue($mysoc,''); $mysoc->code_client=$old_code_client; + $mysoc->typent_code=$old_code_type; if (! $numExample) { @@ -121,8 +124,8 @@ class mod_propale_saphir extends ModeleNumRefPropales return 0; } - $date=$propal->datep; - $customercode=$objsoc->code_client; + $date = $propal->date; + $numFinal=get_next_value($db,$mask,'propal','ref','',$objsoc,$date); return $numFinal; From d26b2a694de30f95e46ea54ea72cc54f0d38e548 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Wed, 6 Sep 2017 11:39:30 +0200 Subject: [PATCH 04/14] FIX Security fixes (filter onload js, less verbose error message in download and viewimage, show info to encourage dolibarr_main_prod=1) --- htdocs/admin/company.php | 216 +++++++++++++++--------------- htdocs/admin/menus/edit.php | 103 +++++++------- htdocs/core/lib/functions.lib.php | 7 +- htdocs/document.php | 29 ++-- htdocs/langs/en_US/main.lang | 3 +- htdocs/main.inc.php | 41 +++--- htdocs/viewimage.php | 27 ++-- 7 files changed, 215 insertions(+), 211 deletions(-) diff --git a/htdocs/admin/company.php b/htdocs/admin/company.php index 4487f81c2fe..6170c02dd4f 100644 --- a/htdocs/admin/company.php +++ b/htdocs/admin/company.php @@ -49,7 +49,7 @@ $error=0; * Actions */ -if ( ($action == 'update' && empty($_POST["cancel"])) +if ( ($action == 'update' && ! GETPOST("cancel",'alpha')) || ($action == 'updateedit') ) { $tmparray=getCountry(GETPOST('country_id','int'),'all',$db,$langs,0); @@ -63,19 +63,19 @@ if ( ($action == 'update' && empty($_POST["cancel"])) dolibarr_set_const($db, "MAIN_INFO_SOCIETE_COUNTRY", $s,'chaine',0,'',$conf->entity); } - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_NOM",$_POST["nom"],'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_ADDRESS",$_POST["address"],'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TOWN",$_POST["town"],'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_ZIP",$_POST["zipcode"],'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_STATE",$_POST["state_id"],'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_MONNAIE",$_POST["currency"],'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TEL",$_POST["tel"],'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FAX",$_POST["fax"],'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MAIL",$_POST["mail"],'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_WEB",$_POST["web"],'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_NOTE",$_POST["note"],'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_GENCOD",$_POST["barcode"],'chaine',0,'',$conf->entity); - + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_NOM", GETPOST("nom",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_ADDRESS", GETPOST("address",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TOWN", GETPOST("town",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_ZIP", GETPOST("zipcode",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_STATE", GETPOST("state_id",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_MONNAIE", GETPOST("currency",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TEL", GETPOST("tel",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FAX", GETPOST("fax",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MAIL", GETPOST("mail",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_WEB", GETPOST("web",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_NOTE", GETPOST("note",'none'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_GENCOD", GETPOST("barcode",'alpha'),'chaine',0,'',$conf->entity); + $varforimage='logo'; $dirforimage=$conf->mycompany->dir_output.'/logos/'; if ($_FILES[$varforimage]["tmp_name"]) { @@ -100,8 +100,8 @@ if ( ($action == 'update' && empty($_POST["cancel"])) if ($isimage > 0) { // Create thumbs - //$object->addThumbs($newfile); // We can't use addThumbs here yet because we need name of generated thumbs to add them into constants. TODO Check if need such constants. We should be able to retreive value with get... - + //$object->addThumbs($newfile); // We can't use addThumbs here yet because we need name of generated thumbs to add them into constants. TODO Check if need such constants. We should be able to retreive value with get... + // Create small thumb, Used on logon for example $imgThumbSmall = vignette($dirforimage.$original_file, $maxwidthsmall, $maxheightsmall, '_small', $quality); if (image_format_supported($imgThumbSmall) >= 0 && preg_match('/([^\\/:]+)$/i',$imgThumbSmall,$reg)) @@ -143,27 +143,27 @@ if ( ($action == 'update' && empty($_POST["cancel"])) } } } - - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MANAGERS",$_POST["MAIN_INFO_SOCIETE_MANAGERS"],'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_CAPITAL",$_POST["capital"],'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FORME_JURIDIQUE",$_POST["forme_juridique_code"],'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SIREN",$_POST["siren"],'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SIRET",$_POST["siret"],'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_APE",$_POST["ape"],'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_RCS",$_POST["rcs"],'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_PROFID5",$_POST["MAIN_INFO_PROFID5"],'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_PROFID6",$_POST["MAIN_INFO_PROFID6"],'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_TVAINTRA",$_POST["tva"],'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_OBJECT",$_POST["object"],'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MANAGERS", GETPOST("MAIN_INFO_SOCIETE_MANAGERS",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_CAPITAL", GETPOST("capital",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FORME_JURIDIQUE", GETPOST("forme_juridique_code",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SIREN", GETPOST("siren",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SIRET", GETPOST("siret",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_APE", GETPOST("ape",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_RCS", GETPOST("rcs",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_PROFID5", GETPOST("MAIN_INFO_PROFID5",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_PROFID6", GETPOST("MAIN_INFO_PROFID6",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "SOCIETE_FISCAL_MONTH_START",$_POST["fiscalmonthstart"],'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_TVAINTRA", GETPOST("tva",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_OBJECT", GETPOST("object",'nohtml'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "FACTURE_TVAOPTION",$_POST["optiontva"],'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "SOCIETE_FISCAL_MONTH_START", GETPOST("fiscalmonthstart",'alpha'),'chaine',0,'',$conf->entity); + + dolibarr_set_const($db, "FACTURE_TVAOPTION", GETPOST("optiontva",'alpha'),'chaine',0,'',$conf->entity); // Local taxes - dolibarr_set_const($db, "FACTURE_LOCAL_TAX1_OPTION",$_POST["optionlocaltax1"],'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "FACTURE_LOCAL_TAX2_OPTION",$_POST["optionlocaltax2"],'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "FACTURE_LOCAL_TAX1_OPTION", GETPOST("optionlocaltax1",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "FACTURE_LOCAL_TAX2_OPTION", GETPOST("optionlocaltax2",'alpha'),'chaine',0,'',$conf->entity); if($_POST["optionlocaltax1"]=="localtax1on") { @@ -173,9 +173,9 @@ if ( ($action == 'update' && empty($_POST["cancel"])) } else { - dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX1", GETPOST('lt1'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX1", GETPOST('lt1','alpha'),'chaine',0,'',$conf->entity); } - dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC1", $_POST["clt1"],'chaine',0,'',$conf->entity); + dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC1", GETPOST("clt1",'alpha'),'chaine',0,'',$conf->entity); } if($_POST["optionlocaltax2"]=="localtax2on") { @@ -185,9 +185,9 @@ if ( ($action == 'update' && empty($_POST["cancel"])) } else { - dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX2", GETPOST('lt2'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX2", GETPOST('lt2','alpha'),'chaine',0,'',$conf->entity); } - dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC2", $_POST["clt2"],'chaine',0,'',$conf->entity); + dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC2", GETPOST("clt2",'alpha'),'chaine',0,'',$conf->entity); } if ($action != 'updateedit' && ! $error) @@ -207,7 +207,7 @@ if ($action == 'addthumb') // Regenerate thumbs if ($isimage > 0) { // Create thumbs - //$object->addThumbs($newfile); // We can't use addThumbs here yet because we need name of generated thumbs to add them into constants. TODO Check if need such constants. We should be able to retreive value with get... + //$object->addThumbs($newfile); // We can't use addThumbs here yet because we need name of generated thumbs to add them into constants. TODO Check if need such constants. We should be able to retreive value with get... // Create small thumb. Used on logon for example $imgThumbSmall = vignette($conf->mycompany->dir_output.'/logos/'.$_GET["file"], $maxwidthsmall, $maxheightsmall, '_small',$quality); @@ -309,72 +309,72 @@ if ($action == 'edit' || $action == 'updateedit') print ''.$langs->trans("CompanyInfo").''.$langs->trans("Value").''."\n"; // Name - + print ''; - print ''."\n"; + print ''."\n"; // Addresse - + print ''; - print ''."\n"; + print ''."\n"; + - print ''; - print ''."\n"; + print ''."\n"; + - print ''; - print ''."\n"; + print ''."\n"; // Country - + print ''; //if (empty($country_selected)) $country_selected=substr($langs->defaultlang,-2); // By default, country of localization print $form->select_country($mysoc->country_id,'country_id'); if ($user->admin) print info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionarySetup"),1); print ''."\n"; - + print ''; $formcompany->select_departement($conf->global->MAIN_INFO_SOCIETE_STATE,$mysoc->country_code,'state_id'); print ''."\n"; - + print ''; print $form->selectCurrency($conf->currency,"currency"); print ''."\n"; - + print ''; print ''; print ''."\n"; - + print ''; print ''; print ''."\n"; - + print ''; print ''; print ''."\n"; // Web - + print ''; print ''; print ''."\n"; // Barcode if (! empty($conf->barcode->enabled)) { - + print ''; print ''; print ''; } // Logo - + print ''; print ''; // Note - + print ''; + print ''; print ''; print '
'; print ''; @@ -392,9 +392,9 @@ if ($action == 'edit' || $action == 'updateedit') print '
'; - print '
'; @@ -409,17 +409,17 @@ if ($action == 'edit' || $action == 'updateedit') $langs->load("companies"); // Managing Director(s) - + print ''; print ''; // Capital - + print ''; print ''; // Juridical Status - + print ''; if ($mysoc->country_code) { print $formcompany->select_juridicalstatus($conf->global->MAIN_INFO_SOCIETE_FORME_JURIDIQUE, $mysoc->country_code, '', 'forme_juridique_code'); @@ -431,7 +431,7 @@ if ($action == 'edit' || $action == 'updateedit') // ProfID1 if ($langs->transcountry("ProfId1",$mysoc->country_code) != '-') { - + print ''; if (! empty($mysoc->country_code)) { @@ -447,7 +447,7 @@ if ($action == 'edit' || $action == 'updateedit') // ProfId2 if ($langs->transcountry("ProfId2",$mysoc->country_code) != '-') { - + print ''; if (! empty($mysoc->country_code)) { @@ -463,7 +463,7 @@ if ($action == 'edit' || $action == 'updateedit') // ProfId3 if ($langs->transcountry("ProfId3",$mysoc->country_code) != '-') { - + print ''; if (! empty($mysoc->country_code)) { @@ -479,7 +479,7 @@ if ($action == 'edit' || $action == 'updateedit') // ProfId4 if ($langs->transcountry("ProfId4",$mysoc->country_code) != '-') { - + print ''; if (! empty($mysoc->country_code)) { @@ -495,7 +495,7 @@ if ($action == 'edit' || $action == 'updateedit') // ProfId5 if ($langs->transcountry("ProfId5",$mysoc->country_code) != '-') { - + print ''; if (! empty($mysoc->country_code)) { @@ -511,7 +511,7 @@ if ($action == 'edit' || $action == 'updateedit') // ProfId6 if ($langs->transcountry("ProfId6",$mysoc->country_code) != '-') { - + print ''; if (! empty($mysoc->country_code)) { @@ -525,13 +525,13 @@ if ($action == 'edit' || $action == 'updateedit') } // TVA Intra - + print ''; print ''; print ''; - + // Object of the company - + print ''; print ''; print ''; @@ -546,7 +546,7 @@ if ($action == 'edit' || $action == 'updateedit') print ''.$langs->trans("FiscalYearInformation").''.$langs->trans("Value").''; print "\n"; - + print ''; print $formother->select_month($conf->global->SOCIETE_FISCAL_MONTH_START,'fiscalmonthstart',0,1) . ''; @@ -561,7 +561,7 @@ if ($action == 'edit' || $action == 'updateedit') print ' '; print "\n"; - + print ""; print ''; print ""; @@ -570,7 +570,7 @@ if ($action == 'edit' || $action == 'updateedit') print "
"; print "\n"; - + print ""; print ''; print ""; @@ -593,7 +593,7 @@ if ($action == 'edit' || $action == 'updateedit') print ''; print ''; print "\n"; - + // Note: When option is not set, it must not appears as set on on, because there is no default value for this option print ""; print '
'.$langs->transcountry("LocalTax1Management",$mysoc->country_code).''.$langs->trans("Description").' 
global->FACTURE_LOCAL_TAX1_OPTION == '1' || $conf->global->FACTURE_LOCAL_TAX1_OPTION == "localtax1on")?" checked":"")."> ".$langs->transcountry("LocalTax1IsUsed",$mysoc->country_code)."'; @@ -616,7 +616,7 @@ if ($action == 'edit' || $action == 'updateedit') print "
"; print "\n"; - + print "global->FACTURE_LOCAL_TAX1_OPTION) || $conf->global->FACTURE_LOCAL_TAX1_OPTION == "localtax1off")?" checked":"")."> ".$langs->transcountry("LocalTax1IsNotUsed",$mysoc->country_code).""; print ''; print ""; @@ -637,7 +637,7 @@ if ($action == 'edit' || $action == 'updateedit') print ''; print "\n"; - + // Note: When option is not set, it must not appears as set on on, because there is no default value for this option print ""; print '
 
global->FACTURE_LOCAL_TAX2_OPTION == '1' || $conf->global->FACTURE_LOCAL_TAX2_OPTION == "localtax2on")?" checked":"")."> ".$langs->transcountry("LocalTax2IsUsed",$mysoc->country_code)."'; @@ -657,7 +657,7 @@ if ($action == 'edit' || $action == 'updateedit') print "
"; print "\n"; - + print "global->FACTURE_LOCAL_TAX2_OPTION) || $conf->global->FACTURE_LOCAL_TAX2_OPTION == "localtax2off")?" checked":"")."> ".$langs->transcountry("LocalTax2IsNotUsed",$mysoc->country_code).""; print ''; print ""; @@ -693,22 +693,22 @@ else print '
'; print ''; - + print ''; - + print ''; - + print ''; - + print ''; - + print ''; - + print ''; - + print ''; - + print ''; - + print ''; - + print ''; // Web - + print ''; // Barcode if (! empty($conf->barcode->enabled)) { - + print ''; } // Logo - + print ''; - + print ''; print '
'.$langs->trans("CompanyInfo").''.$langs->trans("Value").'
'.$langs->trans("CompanyName").''; if (! empty($conf->global->MAIN_INFO_SOCIETE_NOM)) print $conf->global->MAIN_INFO_SOCIETE_NOM; else print img_warning().' '.$langs->trans("ErrorFieldRequired",$langs->transnoentitiesnoconv("CompanyName")).''; print '
'.$langs->trans("CompanyAddress").'' . nl2br(empty($conf->global->MAIN_INFO_SOCIETE_ADDRESS)?'':$conf->global->MAIN_INFO_SOCIETE_ADDRESS) . '
'.$langs->trans("CompanyZip").'' . (empty($conf->global->MAIN_INFO_SOCIETE_ZIP)?'':$conf->global->MAIN_INFO_SOCIETE_ZIP) . '
'.$langs->trans("CompanyTown").'' . (empty($conf->global->MAIN_INFO_SOCIETE_TOWN)?'':$conf->global->MAIN_INFO_SOCIETE_TOWN) . '
'.$langs->trans("CompanyCountry").''; if ($mysoc->country_code) { @@ -719,13 +719,13 @@ else else print img_warning().' '.$langs->trans("ErrorFieldRequired",$langs->transnoentitiesnoconv("CompanyCountry")).''; print '
'.$langs->trans("State").''; if (! empty($conf->global->MAIN_INFO_SOCIETE_STATE)) print getState($conf->global->MAIN_INFO_SOCIETE_STATE); else print ' '; print '
'.$langs->trans("CompanyCurrency").''; print currency_name($conf->currency,1); print ' ('.$conf->currency; @@ -733,28 +733,28 @@ else print ')'; print '
'.$langs->trans("Phone").'' . dol_print_phone($conf->global->MAIN_INFO_SOCIETE_TEL,$mysoc->country_code) . '
'.$langs->trans("Fax").'' . dol_print_phone($conf->global->MAIN_INFO_SOCIETE_FAX,$mysoc->country_code) . '
'.$langs->trans("Mail").'' . dol_print_email($conf->global->MAIN_INFO_SOCIETE_MAIL,0,0,0,80) . '
'.$langs->trans("Web").'' . dol_print_url($conf->global->MAIN_INFO_SOCIETE_WEB,'_blank',80) . '
'.$langs->trans("Gencod").'' . $conf->global->MAIN_INFO_SOCIETE_GENCOD . '
'.$langs->trans("Logo").''; $tagtd='tagtd '; @@ -780,7 +780,7 @@ else print '
'.$langs->trans("Note").'' . (! empty($conf->global->MAIN_INFO_SOCIETE_NOTE) ? nl2br($conf->global->MAIN_INFO_SOCIETE_NOTE) : '') . '
'; @@ -796,17 +796,17 @@ else print ''.$langs->trans("CompanyIds").''.$langs->trans("Value").''; // Managing Director(s) - + print ''.$langs->trans("ManagingDirectors").''; print $conf->global->MAIN_INFO_SOCIETE_MANAGERS . ''; // Capital - + print ''.$langs->trans("Capital").''; print $conf->global->MAIN_INFO_CAPITAL . ''; // Juridical Status - + print ''.$langs->trans("JuridicalStatus").''; print getFormeJuridiqueLabel($conf->global->MAIN_INFO_SOCIETE_FORME_JURIDIQUE); print ''; @@ -814,7 +814,7 @@ else // ProfId1 if ($langs->transcountry("ProfId1",$mysoc->country_code) != '-') { - + print ''.$langs->transcountry("ProfId1",$mysoc->country_code).''; if (! empty($conf->global->MAIN_INFO_SIREN)) { @@ -830,7 +830,7 @@ else // ProfId2 if ($langs->transcountry("ProfId2",$mysoc->country_code) != '-') { - + print ''.$langs->transcountry("ProfId2",$mysoc->country_code).''; if (! empty($conf->global->MAIN_INFO_SIRET)) { @@ -846,7 +846,7 @@ else // ProfId3 if ($langs->transcountry("ProfId3",$mysoc->country_code) != '-') { - + print ''.$langs->transcountry("ProfId3",$mysoc->country_code).''; if (! empty($conf->global->MAIN_INFO_APE)) { @@ -862,7 +862,7 @@ else // ProfId4 if ($langs->transcountry("ProfId4",$mysoc->country_code) != '-') { - + print ''.$langs->transcountry("ProfId4",$mysoc->country_code).''; if (! empty($conf->global->MAIN_INFO_RCS)) { @@ -878,7 +878,7 @@ else // ProfId5 if ($langs->transcountry("ProfId5",$mysoc->country_code) != '-') { - + print ''.$langs->transcountry("ProfId5",$mysoc->country_code).''; if (! empty($conf->global->MAIN_INFO_PROFID5)) { @@ -894,7 +894,7 @@ else // ProfId6 if ($langs->transcountry("ProfId6",$mysoc->country_code) != '-') { - + print ''.$langs->transcountry("ProfId6",$mysoc->country_code).''; if (! empty($conf->global->MAIN_INFO_PROFID6)) { @@ -908,7 +908,7 @@ else } // VAT - + print ''.$langs->trans("VATIntra").''; print ''; if (! empty($conf->global->MAIN_INFO_TVAINTRA)) @@ -944,8 +944,8 @@ else } print ''; print ''; - - + + print ''.$langs->trans("CompanyObject").'' . (! empty($conf->global->MAIN_INFO_SOCIETE_OBJECT) ? nl2br($conf->global->MAIN_INFO_SOCIETE_OBJECT) : '') . ''; print ''; @@ -960,7 +960,7 @@ else print ''.$langs->trans("FiscalYearInformation").''.$langs->trans("Value").''; print "\n"; - + print ''.$langs->trans("FiscalMonthStart").''; $monthstart=(! empty($conf->global->SOCIETE_FISCAL_MONTH_START)) ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1; print dol_print_date(dol_mktime(12,0,0,$monthstart,1,2000,1),'%B','gm') . ''; @@ -977,7 +977,7 @@ else print ' '; print "\n"; - + print "global->FACTURE_TVAOPTION)?"":" checked")."> ".$langs->trans("VATIsUsed").""; print ''; print ""; @@ -986,7 +986,7 @@ else print "
"; print "\n"; - + print "global->FACTURE_TVAOPTION)?" checked":"")."> ".$langs->trans("VATIsNotUsed").""; print ''; print ""; @@ -1011,7 +1011,7 @@ else print ''; print "\n"; - + print ""; print '\n"; - + print ""; print '
 
global->FACTURE_LOCAL_TAX1_OPTION == '1' || $conf->global->FACTURE_LOCAL_TAX1_OPTION == "localtax1on")?" checked":"")."> ".$langs->transcountry("LocalTax1IsUsed",$mysoc->country_code)."'; print ""; @@ -1039,7 +1039,7 @@ else print "
"; print "
global->FACTURE_LOCAL_TAX1_OPTION) || $conf->global->FACTURE_LOCAL_TAX1_OPTION == "localtax1off")?" checked":"")."> ".$langs->transcountry("LocalTax1IsNotUsed",$mysoc->country_code)."'; print ""; @@ -1061,7 +1061,7 @@ else print ''; print "\n"; - + print ""; print '\n"; - + print ""; print '
 
global->FACTURE_LOCAL_TAX2_OPTION == '1' || $conf->global->FACTURE_LOCAL_TAX2_OPTION == "localtax2on")?" checked":"")."> ".$langs->transcountry("LocalTax2IsUsed",$mysoc->country_code)."'; print ""; @@ -1090,7 +1090,7 @@ else print "
"; print "
global->FACTURE_LOCAL_TAX2_OPTION) || $conf->global->FACTURE_LOCAL_TAX2_OPTION == "localtax2off")?" checked":"")."> ".$langs->transcountry("LocalTax2IsNotUsed",$mysoc->country_code)."'; print ""; diff --git a/htdocs/admin/menus/edit.php b/htdocs/admin/menus/edit.php index db03407fed1..cd236d85122 100644 --- a/htdocs/admin/menus/edit.php +++ b/htdocs/admin/menus/edit.php @@ -83,27 +83,27 @@ if ($action == 'update') } } } - + $menu = new Menubase($db); - $result=$menu->fetch($_POST['menuId']); + $result=$menu->fetch(GETPOST('menuId', 'int')); if ($result > 0) { - $menu->titre=$_POST['titre']; - $menu->leftmenu=$_POST['leftmenu']; - $menu->url=$_POST['url']; - $menu->langs=$_POST['langs']; - $menu->position=$_POST['position']; - $menu->enabled=$_POST['enabled']; - $menu->perms=$_POST['perms']; - $menu->target=$_POST['target']; - $menu->user=$_POST['user']; - if (is_numeric($_POST['menuIdParent'])) + $menu->titre=GETPOST('titre', 'alpha'); + $menu->leftmenu=GETPOST('leftmenu', 'alpha'); + $menu->url=GETPOST('url','alpha'); + $menu->langs=GETPOST('langs','alpha'); + $menu->position=GETPOST('position','int'); + $menu->enabled=GETPOST('enabled','alpha'); + $menu->perms=GETPOST('perms','alpha'); + $menu->target=GETPOST('target','alpha'); + $menu->user=GETPOST('user','alpha'); + if (is_numeric(GETPOST('menuIdParent','alpha'))) { - $menu->fk_menu=$_POST['menuIdParent']; + $menu->fk_menu=GETPOST('menuIdParent','alpha'); } else { - if ($_POST['type'] == 'top') $menu->fk_menu=0; + if (GETPOST('type','alpha') == 'top') $menu->fk_menu=0; else $menu->fk_menu=-1; $menu->fk_mainmenu=$mainmenu; $menu->fk_leftmenu=$leftmenu; @@ -123,7 +123,6 @@ if ($action == 'update') { setEventMessages($menu->error, $menu->errors, 'errors'); } - $_GET["menuId"] = $_POST['menuId']; $action = "edit"; } else @@ -148,9 +147,9 @@ if ($action == 'add') } $leftmenu=''; $mainmenu=''; - if (! empty($_POST['menuId']) && ! is_numeric($_POST['menuId'])) + if (GETPOST('menuId','int') && ! is_numeric(GETPOST('menuId','int'))) { - $tmp=explode('&',$_POST['menuId']); + $tmp=explode('&',GETPOST('menuId','int')); foreach($tmp as $s) { if (preg_match('/fk_mainmenu=/',$s)) @@ -197,7 +196,7 @@ if ($action == 'add') $action = 'create'; $error++; } - if (! $error && empty($_POST['menuId']) && $_POST['type'] == 'left') + if (! $error && ! $_POST['menuId'] && $_POST['type'] == 'left') { setEventMessages($langs->trans("ErrorLeftMenuMustHaveAParentId"), null, 'errors'); $action = 'create'; @@ -207,23 +206,23 @@ if ($action == 'add') if (! $error) { $menu = new Menubase($db); - $menu->menu_handler=preg_replace('/_menu$/','',$_POST['menu_handler']); - $menu->type=$_POST['type']; - $menu->titre=$_POST['titre']; - $menu->url=$_POST['url']; - $menu->langs=$_POST['langs']; - $menu->position=$_POST['position']; - $menu->enabled=$_POST['enabled']; - $menu->perms=$_POST['perms']; - $menu->target=$_POST['target']; - $menu->user=$_POST['user']; - if (is_numeric($_POST['menuId'])) + $menu->menu_handler=preg_replace('/_menu$/','',GETPOST('menu_handler','aZ09')); + $menu->type=GETPOST('type','alpha'); + $menu->titre=GETPOST('titre','alpha'); + $menu->url=GETPOST('url','alpha'); + $menu->langs=GETPOST('langs','alpha'); + $menu->position=GETPOST('position','int'); + $menu->enabled=GETPOST('enabled','alpha'); + $menu->perms=GETPOST('perms','alpha'); + $menu->target=GETPOST('target','alpha'); + $menu->user=GETPOST('user','alpha'); + if (is_numeric(GETPOST('menuId','int'))) { - $menu->fk_menu=$_POST['menuId']; + $menu->fk_menu=GETPOST('menuId','int'); } else { - if ($_POST['type'] == 'top') $menu->fk_menu=0; + if (GETPOST('type','alpha') == 'top') $menu->fk_menu=0; else $menu->fk_menu=-1; $menu->fk_mainmenu=$mainmenu; $menu->fk_leftmenu=$leftmenu; @@ -232,7 +231,7 @@ if ($action == 'add') $result=$menu->create($user); if ($result > 0) { - header("Location: ".DOL_URL_ROOT."/admin/menus/index.php?menu_handler=".$_POST['menu_handler']); + header("Location: ".DOL_URL_ROOT."/admin/menus/index.php?menu_handler=".GETPOST('menu_handler','aZ09')); exit; } else @@ -305,17 +304,17 @@ if ($action == 'create') '; print load_fiche_titre($langs->trans("NewMenu"),'','title_setup'); - - print ''; + + print ''; print ''; dol_fiche_head(); - + print '
'; // Id - $parent_rowid = $_GET['menuId']; - if ($_GET['menuId']) + $parent_rowid = GETPOST('menuId', 'int'); + if (GETPOST('menuId', 'int')) { $sql = "SELECT m.rowid, m.mainmenu, m.leftmenu, m.level, m.langs FROM ".MAIN_DB_PREFIX."menu as m WHERE m.rowid = ".GETPOST('menuId', 'int'); $res = $db->query($sql); @@ -375,40 +374,40 @@ if ($action == 'create') } else { - print ''; + print ''; } print ''; // Title - print ''; + print ''; // URL - print ''; + print ''; // Langs print ''; // Position - print ''; + print ''; // Target print ''; // Enabled - print ''; + print ''; // Perms - print ''; + print ''; print '
'.$langs->trans('DetailMenuIdParent'); print ', '.$langs->trans("Example").': fk_mainmenu=abc&fk_leftmenu=def'; print '
'.$langs->trans('Title').''.$langs->trans('DetailTitre').'
'.$langs->trans('Title').''.$langs->trans('DetailTitre').'
'.$langs->trans('URL').''.$langs->trans('DetailUrl').'
'.$langs->trans('URL').''.$langs->trans('DetailUrl').'
'.$langs->trans('LangFile').''.$langs->trans('DetailLangs').'
'.$langs->trans('Position').''.$langs->trans('DetailPosition').'
'.$langs->trans('Position').''.$langs->trans('DetailPosition').'
'.$langs->trans('Target').''.$langs->trans('DetailTarget').'
'.$langs->trans('Enabled').''.$langs->trans('DetailEnabled').'
'.$langs->trans('Enabled').''.$langs->trans('DetailEnabled').'
'.$langs->trans('Rights').''.$langs->trans('DetailRight').'
'.$langs->trans('Rights').''.$langs->trans('DetailRight').'
'; dol_fiche_end(); - + // Boutons print '
'; print ''; @@ -426,14 +425,14 @@ elseif ($action == 'edit') print ''; print ''; print ''; - print ''; + print ''; dol_fiche_head(); - + print ''; $menu = new Menubase($db); - $result=$menu->fetch($_GET['menuId']); + $result=$menu->fetch(GETPOST('menuId', 'int')); //var_dump($menu); // Id @@ -472,20 +471,20 @@ elseif ($action == 'edit') //print ''; // Title - print ''; + print ''; // Url print ''; // Langs - print ''; + print ''; // Position print ''; // Target print ''; @@ -502,7 +501,7 @@ elseif ($action == 'edit') print '
'.$langs->trans('Level').''.$menu->level.''.$langs->trans('DetailLevel').'
'.$langs->trans('Title').''.$langs->trans('DetailTitre').'
'.$langs->trans('Title').''.$langs->trans('DetailTitre').'
'.$langs->trans('URL').''.$langs->trans('DetailUrl').'
'.$langs->trans('LangFile').''.$langs->trans('DetailLangs').'
'.$langs->trans('LangFile').''.$langs->trans('DetailLangs').'
'.$langs->trans('Position').''.$langs->trans('DetailPosition').'
'.$langs->trans('Target').''.$langs->trans('DetailTarget').'
'; dol_fiche_end(); - + // Bouton print '
'; print ''; diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index d79c3def247..ee683f5747d 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -3251,7 +3251,12 @@ function dol_print_error($db='',$error='',$errors=null) } if (empty($dolibarr_main_prod)) print $out; - else define("MAIN_CORE_ERROR", 1); + else + { + print $langs->trans("DolibarrHasDetectedError").'. '; + print $langs->trans("YouCanSetOptionDolibarrMainProdToZero"); + define("MAIN_CORE_ERROR", 1); + } //else print 'Sorry, an error occured but the parameter $dolibarr_main_prod is defined in conf file so no message is reported to your browser. Please read the log file for error message.'; dol_syslog("Error ".$syslog, LOG_ERR); } diff --git a/htdocs/document.php b/htdocs/document.php index 206ea69688a..d35021005e6 100644 --- a/htdocs/document.php +++ b/htdocs/document.php @@ -110,7 +110,7 @@ if (empty($modulepart)) accessforbidden('Bad value for parameter modulepart'); $check_access = dol_check_secure_access_document($modulepart, $original_file, $entity, $refname); $accessallowed = $check_access['accessallowed']; $sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals']; -$original_file = $check_access['original_file']; // original_file is now a full path name +$fullpath_original_file = $check_access['original_file']; // $fullpath_original_file is now a full path name // Basic protection (against external users only) if ($user->societe_id > 0) @@ -137,36 +137,35 @@ if ($user->societe_id > 0) } // Security: -// Limite acces si droits non corrects +// Limit access if permissions are wrong if (! $accessallowed) { accessforbidden(); } // Security: -// On interdit les remontees de repertoire ainsi que les pipe dans -// les noms de fichiers. -if (preg_match('/\.\./',$original_file) || preg_match('/[<>|]/',$original_file)) +// On interdit les remontees de repertoire ainsi que les pipe dans les noms de fichiers. +if (preg_match('/\.\./',$fullpath_original_file) || preg_match('/[<>|]/',$fullpath_original_file)) { - dol_syslog("Refused to deliver file ".$original_file); - $file=basename($original_file); // Do no show plain path of original_file in shown error message - dol_print_error(0,$langs->trans("ErrorFileNameInvalid",$file)); + dol_syslog("Refused to deliver file ".$fullpath_original_file); + print "ErrorFileNameInvalid: ".$original_file; exit; } clearstatcache(); -$filename = basename($original_file); +$filename = basename($fullpath_original_file); // Output file on browser -dol_syslog("document.php download $original_file $filename content-type=$type"); -$original_file_osencoded=dol_osencode($original_file); // New file name encoded in OS encoding charset +dol_syslog("document.php download $fullpath_original_file filename=$filename content-type=$type"); +$fullpath_original_file_osencoded=dol_osencode($fullpath_original_file); // New file name encoded in OS encoding charset // This test if file exists should be useless. We keep it to find bug more easily -if (! file_exists($original_file_osencoded)) +if (! file_exists($fullpath_original_file_osencoded)) { - dol_print_error(0,$langs->trans("ErrorFileDoesNotExists",$original_file)); + dol_syslog("ErrorFileDoesNotExists: ".$fullpath_original_file); + print "ErrorFileDoesNotExists: ".$original_file; exit; } @@ -177,7 +176,7 @@ if ($encoding) header('Content-Encoding: '.$encoding); // Add MIME Content-Disposition from RFC 2183 (inline=automatically displayed, atachment=need user action to open) if ($attachment) header('Content-Disposition: attachment; filename="'.$filename.'"'); else header('Content-Disposition: inline; filename="'.$filename.'"'); -header('Content-Length: ' . dol_filesize($original_file)); +header('Content-Length: ' . dol_filesize($fullpath_original_file)); // Ajout directives pour resoudre bug IE header('Cache-Control: Public, must-revalidate'); header('Pragma: public'); @@ -185,6 +184,6 @@ header('Pragma: public'); //ob_clean(); //flush(); -readfile($original_file_osencoded); +readfile($fullpath_original_file_osencoded); if (is_object($db)) $db->close(); diff --git a/htdocs/langs/en_US/main.lang b/htdocs/langs/en_US/main.lang index d5cbd14c11d..a314f59b6b5 100644 --- a/htdocs/langs/en_US/main.lang +++ b/htdocs/langs/en_US/main.lang @@ -103,7 +103,8 @@ RequestLastAccessInError=Latest database access request error ReturnCodeLastAccessInError=Return code for latest database access request error InformationLastAccessInError=Information for latest database access request error DolibarrHasDetectedError=Dolibarr has detected a technical error -InformationToHelpDiagnose=This information can be useful for diagnostic purposes +YouCanSetOptionDolibarrMainProdToZero=You can read log file or set option $dolibarr_main_prod to '0' in your config file to get more information. +InformationToHelpDiagnose=This information can be useful for diagnostic purposes (you can set option $dolibarr_main_prod to '1' to remove such notices) MoreInformation=More information TechnicalInformation=Technical information TechnicalID=Technical ID diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 8d34517686b..cd5cb0ba296 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -77,38 +77,39 @@ if (function_exists('get_magic_quotes_gpc')) // magic_quotes_* deprecated in PHP */ function test_sql_and_script_inject($val, $type) { - $sql_inj = 0; + $inj = 0; // For SQL Injection (only GET and POST are used to be included into bad escaped SQL requests) if ($type != 2) { - $sql_inj += preg_match('/delete\s+from/i', $val); - $sql_inj += preg_match('/create\s+table/i', $val); - $sql_inj += preg_match('/update.+set.+=/i', $val); - $sql_inj += preg_match('/insert\s+into/i', $val); - $sql_inj += preg_match('/select.+from/i', $val); - $sql_inj += preg_match('/union.+select/i', $val); - $sql_inj += preg_match('/into\s+(outfile|dumpfile)/i', $val); - $sql_inj += preg_match('/(\.\.%2f)+/i', $val); + $inj += preg_match('/delete\s+from/i', $val); + $inj += preg_match('/create\s+table/i', $val); + $inj += preg_match('/update.+set.+=/i', $val); + $inj += preg_match('/insert\s+into/i', $val); + $inj += preg_match('/select.+from/i', $val); + $inj += preg_match('/union.+select/i', $val); + $inj += preg_match('/into\s+(outfile|dumpfile)/i', $val); + $inj += preg_match('/(\.\.%2f)+/i', $val); } // For XSS Injection done by adding javascript with script // This is all cases a browser consider text is javascript: // When it found ' - $sql_inj += preg_match('/onerror\s*=/i', $val); // onerror can be set on img or any html tag like - $sql_inj += preg_match('/onfocus\s*=/i', $val); // onfocus can be set on input text html tag like + $inj += preg_match('/'; + $result=test_sql_and_script_inject($test, 0); + $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject ccc'); + + $test=''; + $result=test_sql_and_script_inject($test, 1); + $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject ddd'); + + $test='">'; + $result=test_sql_and_script_inject($test, 0); + $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject eee'); + + $test=' + '; + $result=test_sql_and_script_inject($test, 0); + $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject eee'); + + $test=""; // Is locked by some brwoser like chrome because the default directive no-referrer-when-downgrade is sent when requesting the SRC and then refused because of browser protection on img src load without referrer. + $test=""; // Same + + $test=''; + $result=test_sql_and_script_inject($test, 0); + $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject fff1'); + $test=''; + $result=test_sql_and_script_inject($test, 0); + $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject fff2'); + + // This case seems to be filtered by browsers now. + $test=''; + //$result=test_sql_and_script_inject($test, 0); + //$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on test_sql_and_script_inject ggg'); + + $test='