diff --git a/htdocs/adherents/card.php b/htdocs/adherents/card.php
index b77759b98a3..36abe22fa10 100644
--- a/htdocs/adherents/card.php
+++ b/htdocs/adherents/card.php
@@ -959,14 +959,14 @@ else // Address print ''.$langs->trans("Address").''; - print ''; + print ''; print ''; // Zip / Town print ''.$langs->trans("Zip").' / '.$langs->trans("Town").''; - print $formcompany->select_ziptown((GETPOST('zipcode','alpha')?GETPOST('zipcode','alpha'):$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6); + print $formcompany->select_ziptown((GETPOST('zipcode','alphanohtml')?GETPOST('zipcode','alphanohtml'):$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6); print ' '; - print $formcompany->select_ziptown((GETPOST('town','alpha')?GETPOST('town','alpha'):$object->town),'town',array('zipcode','selectcountry_id','state_id')); + print $formcompany->select_ziptown((GETPOST('town','alphanohtml')?GETPOST('town','alphanohtml'):$object->town),'town',array('zipcode','selectcountry_id','state_id')); print ''; // Country
diff --git a/htdocs/adherents/type.php b/htdocs/adherents/type.php
index fc147ad8fa1..75cdd3d3c12 100644
--- a/htdocs/adherents/type.php
+++ b/htdocs/adherents/type.php
@@ -42,7 +42,7 @@ $backtopage = GETPOST('backtopage','alpha'); $search_lastname = GETPOST('search_lastname','alpha'); $search_login = GETPOST('search_login','alpha'); $search_email = GETPOST('search_email','alpha'); -$type = GETPOST('type','alpha'); +$type = GETPOST('type','intcomma'); $status = GETPOST('status','alpha'); $limit = GETPOST('limit','int')?GETPOST('limit','int'):$conf->liste_limit;
@@ -59,8 +59,8 @@ if (! $sortfield) { $sortfield="d.lastname"; } $label=GETPOST("label","alpha"); $subscription=GETPOST("subscription","int"); $vote=GETPOST("vote","int"); -$comment=GETPOST("comment"); -$mail_valid=GETPOST("mail_valid"); +$comment=GETPOST("comment",'alphanohtml'); +$mail_valid=GETPOST("mail_valid",'none'); // Security check $result=restrictedArea($user,'adherent',$rowid,'adherent_type');
diff --git a/htdocs/compta/tva/index.php b/htdocs/compta/tva/index.php
index 517f15c81f3..514f2030065 100644
--- a/htdocs/compta/tva/index.php
+++ b/htdocs/compta/tva/index.php
@@ -257,7 +257,8 @@ $mend = $tmp['mon']; //var_dump($m); $total=0; $subtotalcoll=0; $subtotalpaye=0; $subtotal=0; $i=0; $mcursor=0; -while ((($y < $yend) || ($y == $yend && $m < $mend)) && $mcursor < 1000) // $mcursor is to avoid too large loop + +while ((($y < $yend) || ($y == $yend && $m <= $mend)) && $mcursor < 1000) // $mcursor is to avoid too large loop { //$m = $conf->global->SOCIETE_FISCAL_MONTH_START + ($mcursor % 12); if ($m == 13) $y++;
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index b63e380c2c1..f5af034e43a 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -1441,9 +1441,10 @@ class Form $out .= ajax_combobox($htmlid, $events, $conf->global->CONTACT_USE_SEARCH_TO_SELECT); } - if ($htmlname != 'none' || $options_only) $out.= ''; if (($showempty == 1 || ($showempty == 3 && $num > 1)) && !$multiple) $out.= ''; if ($showempty == 2) $out.= ''; + $num = $this->db->num_rows($resql); $i = 0; if ($num)
@@ -1504,7 +1505,7 @@ class Form $out.= ($socid != -1) ? ($langs->trans($socid?"NoContactDefinedForThirdParty":"NoContactDefined")) : $langs->trans('SelectAThirdPartyFirst'); $out.= ''; } - if ($htmlname != 'none' || $options_only) + if ($htmlname != 'none' && ! $options_only) { $out.= ''; }
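Review bot: `$mail_valid=GETPOST("mail_valid",'none')` takes the posted value with no filtering at all, and unlike the neighbouring `$comment` line nothing in the hunk records why. If this field is meant to carry a rich-text mail template, a comment on that line saying so keeps the next reader from either "fixing" it to `alphanohtml` or assuming the raw value is safe to print: `// 'none': HTML mail template; must be escaped wherever it is stored or echoed`. The `restrictedArea()` check that follows limits who may submit it, but that is authorization, not output encoding.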
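Review bot: The change from `$m < $mend` to `$m <= $mend` makes the end month inclusive, but the only comment on the `while` line explains `$mcursor`, so the intent of the bound is undocumented. A short note next to the existing comment, e.g. `// $mend is inclusive`, would stop a later reader from reverting it to `<`. The loop body continues outside the hunk.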
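Review bot: The added `$num = $this->db->num_rows($resql);` sits two lines after the `$showempty == 3 && $num > 1` test, so if this is the only assignment of `$num` in the method (its start is outside the hunk) that test now reads an unset or stale `$num` and the `showempty == 3` branch silently changes behaviour. Either move the assignment above the `$showempty` checks or confirm an earlier assignment exists. The `$htmlname != 'none'` / `$options_only` condition is corrected to `&&`/`! $options_only` in the hunk at @@ -1504; the replacement for the opening-tag line removed here is not visible in the rendered hunk and should follow the same form.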
diff --git a/htdocs/core/class/html.formcompany.class.php b/htdocs/core/class/html.formcompany.class.php
index 60017d82570..9d0bded74b6 100644
--- a/htdocs/core/class/html.formcompany.class.php
+++ b/htdocs/core/class/html.formcompany.class.php
@@ -622,8 +622,8 @@ class FormCompany runJsCodeForEvent'.$htmlname.'(values); } }); - /* Clean contact */ - $("div#s2id_contactid>a>span").html(\'\'); + + $(this).trigger("blur"); }); // Function used to execute events when search_htmlname change
diff --git a/htdocs/core/class/html.formfile.class.php b/htdocs/core/class/html.formfile.class.php
index be9993a74b5..da2f697d5d4 100644
--- a/htdocs/core/class/html.formfile.class.php
+++ b/htdocs/core/class/html.formfile.class.php
@@ -307,8 +307,10 @@ class FormFile return $this->getDocumentsLink($modulepart, $modulesubdir, $filedir); } - // Add entity in $param - $param.= 'entity='.(!empty($object->entity)?$object->entity:$conf->entity); + // Add entity in $param if not already exists + if (!preg_match('/entity\=[0-9]+/', $param)) { + $param.= 'entity='.(!empty($object->entity)?$object->entity:$conf->entity); + } $printer=0; if (in_array($modulepart,array('facture','supplier_proposal','propal','proposal','order','commande','expedition', 'commande_fournisseur', 'expensereport','livraison'))) // The direct print feature is implemented only for such elements
diff --git a/htdocs/core/triggers/interface_50_modLdap_Ldapsynchro.class.php b/htdocs/core/triggers/interface_50_modLdap_Ldapsynchro.class.php
index a5ef414a6e5..e5a0992d466 100644
--- a/htdocs/core/triggers/interface_50_modLdap_Ldapsynchro.class.php
+++ b/htdocs/core/triggers/interface_50_modLdap_Ldapsynchro.class.php
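Review bot: The new guard `preg_match('/entity\=[0-9]+/', $param)` matches `entity=` anywhere in the string, so any parameter whose name merely ends in `entity` (a hypothetical `subentity=3`, for example) would suppress the append and the link would be built without the real entity value. Anchoring on the parameter boundary avoids that: `if (!preg_match('/(^|&)entity=[0-9]+/', $param)) {`. The appended fragment still has no `&` separator before `entity=`, as before the change, so the caller convention for `$param` (trailing `&` or empty) is presumably what makes this work and deserves a word in the comment.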
@@ -446,9 +446,10 @@ class InterfaceLdapsynchro extends DolibarrTriggers // For member type if (! empty($conf->global->LDAP_MEMBER_TYPE_ACTIVE) && (string) $conf->global->LDAP_MEMBER_TYPE_ACTIVE == '1') { - $membertype=new AdherentType($this->db); if ($object->typeid > 0) { + require_once DOL_DOCUMENT_ROOT."/adherents/class/adherent_type.class.php"; + $membertype=new AdherentType($this->db); $membertype->fetch($object->typeid); $membertype->listMembersForMemberType('', 1);
@@ -565,6 +566,8 @@ class InterfaceLdapsynchro extends DolibarrTriggers // For member type if (! empty($conf->global->LDAP_MEMBER_TYPE_ACTIVE) && (string) $conf->global->LDAP_MEMBER_TYPE_ACTIVE == '1') { + require_once DOL_DOCUMENT_ROOT."/adherents/class/adherent_type.class.php"; + /* * Change member info */
@@ -689,6 +692,8 @@ class InterfaceLdapsynchro extends DolibarrTriggers { if ($object->typeid > 0) { + require_once DOL_DOCUMENT_ROOT."/adherents/class/adherent_type.class.php"; + /* * Remove member in member type */
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 2579b870bcd..9afed25286c 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -366,7 +366,7 @@ if ((! empty($conf->global->MAIN_VERSION_LAST_UPGRADE) && ($conf->global->MAIN_V // Creation of a token against CSRF vulnerabilities if (! defined('NOTOKENRENEWAL')) { - // roulement des jetons car cree a chaque appel + // Rolling token at each call ($_SESSION['token'] contains token of previous page) if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken']; // Save in $_SESSION['newtoken'] what will be next token. Into forms, we will add param token = $_SESSION['newtoken']
diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index 6d3a0724006..693323d63b0 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
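Review bot: The same `require_once DOL_DOCUMENT_ROOT."/adherents/class/adherent_type.class.php";` is inserted into three separate branches (this hunk and the ones at @@ -565 and @@ -689). Because `require_once` is idempotent, one include alongside the file's other class includes at the top, or once at the start of the trigger method, would be simpler to maintain than three conditional copies; the head of the file is outside the hunks, so confirm it is not already pulled in there. Moving `$membertype=new AdherentType($this->db);` inside `if ($object->typeid > 0)` is fine as long as nothing later in the outer block reads `$membertype` when `typeid` is zero; that code is outside the hunk.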
@@ -911,9 +911,9 @@ class Product extends CommonObject $sql.= ", barcode = ". (empty($this->barcode)?"null":"'".$this->db->escape($this->barcode)."'"); $sql.= ", fk_barcode_type = ". (empty($this->barcode_type)?"null":$this->db->escape($this->barcode_type)); - $sql.= ", tosell = " . $this->status; - $sql.= ", tobuy = " . $this->status_buy; - $sql.= ", tobatch = " . ((empty($this->status_batch) || $this->status_batch < 0) ? '0' : $this->status_batch); + $sql.= ", tosell = " . (int) $this->status; + $sql.= ", tobuy = " . (int) $this->status_buy; + $sql.= ", tobatch = " . ((empty($this->status_batch) || $this->status_batch < 0) ? '0' : (int) $this->status_batch); $sql.= ", finished = " . ((! isset($this->finished) || $this->finished < 0) ? "null" : (int) $this->finished); $sql.= ", weight = " . ($this->weight!='' ? "'".$this->db->escape($this->weight)."'" : 'null'); $sql.= ", weight_units = " . ($this->weight_units!='' ? "'".$this->db->escape($this->weight_units)."'": 'null'); 
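Review bot: The `(int)` casts added to `tosell`, `tobuy` and `tobatch` leave the context line just above untouched: `fk_barcode_type = ". (empty($this->barcode_type)?"null":$this->db->escape($this->barcode_type))` places an escaped value into the SQL without surrounding quotes, and `escape()` only neutralises quote characters, so it does not constrain an unquoted value to a number the way the cast does. For consistency with this change, `(int) $this->barcode_type` (it is a foreign key) is the matching fix. The `update()` method this belongs to starts and ends outside the hunk.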
@@ -932,18 +932,18 @@ class Product extends CommonObject $sql.= ", description = '" . $this->db->escape($this->description) ."'"; $sql.= ", url = " . ($this->url?"'".$this->db->escape($this->url)."'":'null'); $sql.= ", customcode = '" . $this->db->escape($this->customcode) ."'"; - $sql.= ", fk_country = " . ($this->country_id > 0 ? $this->country_id : 'null'); + $sql.= ", fk_country = " . ($this->country_id > 0 ? (int) $this->country_id : 'null'); $sql.= ", note = ".(isset($this->note) ? "'" .$this->db->escape($this->note)."'" : 'null'); $sql.= ", duration = '" . $this->db->escape($this->duration_value . $this->duration_unit) ."'"; $sql.= ", accountancy_code_buy = '" . $this->db->escape($this->accountancy_code_buy)."'"; $sql.= ", accountancy_code_sell= '" . $this->db->escape($this->accountancy_code_sell)."'"; $sql.= ", accountancy_code_sell_intra= '" . $this->db->escape($this->accountancy_code_sell_intra)."'"; $sql.= ", accountancy_code_sell_export= '" . $this->db->escape($this->accountancy_code_sell_export)."'"; - $sql.= ", desiredstock = " . ((isset($this->desiredstock) && $this->desiredstock != '') ? $this->desiredstock : "null"); + $sql.= ", desiredstock = " . ((isset($this->desiredstock) && $this->desiredstock != '') ? (int) $this->desiredstock : "null"); $sql.= ", cost_price = " . ($this->cost_price != '' ? $this->db->escape($this->cost_price) : 'null'); - $sql.= ", fk_unit= " . (!$this->fk_unit ? 'NULL' : $this->fk_unit); + $sql.= ", fk_unit= " . (!$this->fk_unit ? 'NULL' : (int) $this->fk_unit); $sql.= ", price_autogen = " . (!$this->price_autogen ? 0 : 1); - $sql.= ", fk_price_expression = ".($this->fk_price_expression != 0 ? $this->fk_price_expression : 'NULL'); + $sql.= ", fk_price_expression = ".($this->fk_price_expression != 0 ? (int) $this->fk_price_expression : 'NULL'); $sql.= ", fk_user_modif = ".($user->id > 0 ? $user->id : 'NULL'); // stock field is not here because it is a denormalized value from product_stock. $sql.= " WHERE rowid = " . $id; 
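Review bot: Two context lines in this hunk are left out of the cast sweep: `$sql.= ", fk_user_modif = ".($user->id > 0 ? $user->id : 'NULL');` and the closing `$sql.= " WHERE rowid = " . $id;`. `$user` is presumably the logged-in user object and low risk, but `$id` is the method's argument, and `" WHERE rowid = " . (int) $id` is the same one-token change applied to the other integer columns here; `(int) $user->id` keeps the statement uniformly typed. The method continues outside the hunk.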
diff --git a/htdocs/product/price.php b/htdocs/product/price.php
index b610e2a2914..e02ec3f82c7 100644
--- a/htdocs/product/price.php
+++ b/htdocs/product/price.php
@@ -1443,7 +1443,7 @@ if ((empty($conf->global->PRODUIT_CUSTOMER_PRICES) || $action=='showlog_default_ // Il doit au moins y avoir la ligne de prix initial. // On l'ajoute donc pour remettre a niveau (pb vieilles versions) - //$object->updatePrice($object->price, $object->price_base_type, $user, $newprice_min); + //$object->updatePrice($object->price, $object->price_base_type, $user, $object->tva_tx, $object->price_min); if (! empty($conf->global->PRODUIT_MULTIPRICES)) { $object->updatePrice($object->multiprices[1], $object->multiprices_base_type[1], $user, (empty($object->multiprices_tva_tx[1])?0:$object->multiprices_tva_tx[1]), $object->multiprices_min[1], 1); } else {
diff --git a/htdocs/public/notice.php b/htdocs/public/notice.php
index 3b25349324c..6a55411ae3b 100644
--- a/htdocs/public/notice.php
+++ b/htdocs/public/notice.php
@@ -1,5 +1,5 @@ +/* Copyright (C) 2016-2018 Laurent Destailleur * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by
@@ -34,7 +34,7 @@ require '../main.inc.php'; * View */ -if (! GETPOST('transkey') && ! GETPOST('transphrase')) +if (! GETPOST('transkey','alphanohtml') && ! GETPOST('transphrase','alphanohtml')) { print 'Sorry, it seems your internet connexion is off.
'; print 'You need to be connected to network to use this software.
';
@@ -44,7 +44,7 @@ else $langs->load("error"); $langs->load("other"); - if (GETPOST('transphrase')) print GETPOST('transphrase'); - if (GETPOST('transkey')) print $langs->trans(GETPOST('transkey')); + if (GETPOST('transphrase','alphanohtml')) print GETPOST('transphrase','alphanohtml'); + if (GETPOST('transkey','alphanohtml')) print $langs->trans(GETPOST('transkey','alphanohtml')); }
diff --git a/htdocs/user/card.php b/htdocs/user/card.php
index fd2628f56e6..39e5d3093d0 100644
--- a/htdocs/user/card.php
+++ b/htdocs/user/card.php
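Review bot: Both print statements still echo request input straight into the page: `print GETPOST('transphrase','alphanohtml');` and `print $langs->trans(GETPOST('transkey','alphanohtml'));`, in a file under `htdocs/public/` that is presumably reachable without login. The `alphanohtml` filter is input sanitisation, and `$langs->trans()` returns the key itself when no translation exists, so the reliable control is output encoding at the point of printing: `print dol_escape_htmltag(GETPOST('transphrase','alphanohtml'));` and the same wrapper around the `$langs->trans(...)` result. The condition changed at @@ -34 relies on the same filter, which is acceptable there because nothing from it is printed.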
@@ -194,32 +194,34 @@ if (empty($reshook)) { $object->birth = $birth; $object->admin = GETPOST("admin", 'alpha'); $object->address = GETPOST('address', 'alphanohtml'); - $object->zip = GETPOST('zipcode', 'alpha'); - $object->town = GETPOST('town', 'alpha'); + $object->zip = GETPOST('zipcode', 'alphanohtml'); + $object->town = GETPOST('town', 'alphanohtml'); $object->country_id = GETPOST('country_id', 'int'); $object->state_id = GETPOST('state_id', 'int'); - $object->office_phone = GETPOST("office_phone", 'alpha'); - $object->office_fax = GETPOST("office_fax", 'alpha'); - $object->user_mobile = GETPOST("user_mobile"); - $object->skype = GETPOST("skype", 'alpha'); - $object->twitter = GETPOST("twitter", 'alpha'); - $object->facebook = GETPOST("facebook", 'alpha'); + $object->office_phone = GETPOST("office_phone", 'alphanohtml'); + $object->office_fax = GETPOST("office_fax", 'alphanohtml'); + $object->user_mobile = GETPOST("user_mobile", 'alphanohtml'); + + $object->skype = GETPOST("skype", 'alphanohtml'); + $object->twitter = GETPOST("twitter", 'alphanohtml'); + $object->facebook = GETPOST("facebook", 'alphanohtml'); + $object->email = preg_replace('/\s+/', '', GETPOST("email", 'alpha')); $object->job = GETPOST("job", 'alpha'); - $object->signature = GETPOST("signature"); - $object->accountancy_code = GETPOST("accountancy_code"); - $object->note = GETPOST("note"); - $object->ldap_sid = GETPOST("ldap_sid"); - $object->fk_user = GETPOST("fk_user") > 0 ? GETPOST("fk_user") : 0; - $object->employee = GETPOST('employee'); + $object->signature = GETPOST("signature", 'none'); + $object->accountancy_code = GETPOST("accountancy_code", 'alphanohtml'); + $object->note = GETPOST("note", 'none'); + $object->ldap_sid = GETPOST("ldap_sid", 'alphanohtml'); + $object->fk_user = GETPOST("fk_user", 'int') > 0 ? GETPOST("fk_user", 'int') : 0; + $object->employee = GETPOST('employee', 'alphanohtml'); - $object->thm = GETPOST("thm") != '' ? 
GETPOST("thm") : ''; - $object->tjm = GETPOST("tjm") != '' ? GETPOST("tjm") : ''; - $object->salary = GETPOST("salary") != '' ? GETPOST("salary") : ''; - $object->salaryextra = GETPOST("salaryextra") != '' ? GETPOST("salaryextra") : ''; - $object->weeklyhours = GETPOST("weeklyhours") != '' ? GETPOST("weeklyhours") : ''; + $object->thm = GETPOST("thm", 'alphanohtml') != '' ? GETPOST("thm", 'alphanohtml') : ''; + $object->tjm = GETPOST("tjm", 'alphanohtml') != '' ? GETPOST("tjm", 'alphanohtml') : ''; + $object->salary = GETPOST("salary", 'alphanohtml') != '' ? GETPOST("salary", 'alphanohtml') : ''; + $object->salaryextra = GETPOST("salaryextra", 'alphanohtml') != '' ? GETPOST("salaryextra", 'alphanohtml') : ''; + $object->weeklyhours = GETPOST("weeklyhours", 'alphanohtml') != '' ? GETPOST("weeklyhours", 'alphanohtml') : ''; - $object->color = GETPOST("color") != '' ? GETPOST("color") : ''; + $object->color = GETPOST("color", 'alphanohtml') != '' ? GETPOST("color", 'alphanohtml') : ''; $dateemployment = dol_mktime(0, 0, 0, GETPOST('dateemploymentmonth'), GETPOST('dateemploymentday'), GETPOST('dateemploymentyear')); $object->dateemployment = $dateemployment; 
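Review bot: `$object->employee = GETPOST('employee', 'alphanohtml');` in this create branch disagrees with the update branch at @@ -359, which reads the same flag with `GETPOST('employee','int')`, and with `User::update()` (hunk at @@ -1502), which casts it `(int)`; `'int'` here keeps the two paths consistent. `$object->signature` and `$object->note` are taken with `'none'`, i.e. unfiltered — presumably because they are rich-text fields — and a short comment on those lines stating that and where escaping happens would make the intent explicit. The `dol_mktime(0, 0, 0, GETPOST('dateemploymentmonth'), GETPOST('dateemploymentday'), GETPOST('dateemploymentyear'))` context line still reads its three parts without a filter, where `'int'` fits. The enclosing `if (empty($reshook))` block starts and ends outside the hunk.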
@@ -343,13 +345,13 @@ if (empty($reshook)) { $object->api_key = (GETPOST("api_key", 'alpha')) ? GETPOST("api_key", 'alpha') : $object->api_key; if (! empty($user->admin)) $object->admin = GETPOST("admin"); // admin flag can only be set/unset by an admin user. A test is also done later when forging sql request $object->address = GETPOST('address', 'alphanohtml'); - $object->zip = GETPOST('zipcode', 'alpha'); - $object->town = GETPOST('town', 'alpha'); + $object->zip = GETPOST('zipcode', 'alphanohtml'); + $object->town = GETPOST('town', 'alphanohtml'); $object->country_id = GETPOST('country_id', 'int'); $object->state_id = GETPOST('state_id', 'int'); - $object->office_phone = GETPOST("office_phone", 'alpha'); - $object->office_fax = GETPOST("office_fax", 'alpha'); - $object->user_mobile = GETPOST("user_mobile"); + $object->office_phone = GETPOST("office_phone", 'alphanohtml'); + $object->office_fax = GETPOST("office_fax", 'alphanohtml'); + $object->user_mobile = GETPOST("user_mobile", 'alphanohtml'); $object->skype = GETPOST("skype", 'alpha'); $object->twitter = GETPOST("twitter", 'alpha'); $object->facebook = GETPOST("facebook", 'alpha');
@@ -359,7 +361,7 @@ if (empty($reshook)) { $object->accountancy_code = GETPOST("accountancy_code",'alpha'); $object->openid = GETPOST("openid",'alpha'); $object->fk_user = GETPOST("fk_user",'int') > 0 ? GETPOST("fk_user",'int') : 0; - $object->employee = GETPOST('employee'); + $object->employee = GETPOST('employee','int'); $object->thm = GETPOST("thm",'alphanohtml') != '' ? GETPOST("thm",'alphanohtml') : ''; $object->tjm = GETPOST("tjm",'alphanohtml') != '' ? GETPOST("tjm",'alphanohtml') : '';
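Review bot: `$object->skype`, `$object->twitter` and `$object->facebook` are still read with `'alpha'` in this update branch, while the create branch at @@ -194 moves the same three fields to `'alphanohtml'`; the two paths should use one filter. The context line `if (! empty($user->admin)) $object->admin = GETPOST("admin");` reads the admin flag with no filter at all, whereas the create branch uses `'alpha'` and `User::update()` (hunk at @@ -1502) now casts it `(int)`; `GETPOST("admin", 'int')` would match that. The enclosing block starts and ends outside the hunk.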
@@ -1249,7 +1251,7 @@ else $object->getrights(); if (empty($object->nb_rights) && $object->statut != 0 && empty($object->admin)) setEventMessages($langs->trans('UserHasNoPermissions'), null, 'warnings'); } - + // Connexion ldap // pour recuperer passDoNotExpire et userChangePassNextLogon if (! empty($conf->ldap->enabled) && ! empty($object->ldap_sid))
diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php
index 4aaaff7ed21..9cb586556e9 100644
--- a/htdocs/user/class/user.class.php
+++ b/htdocs/user/class/user.class.php
@@ -1502,12 +1502,12 @@ class User extends CommonObject $sql = "UPDATE ".MAIN_DB_PREFIX."user SET"; $sql.= " lastname = '".$this->db->escape($this->lastname)."'"; $sql.= ", firstname = '".$this->db->escape($this->firstname)."'"; - $sql.= ", employee = ".$this->employee; + $sql.= ", employee = ".(int) $this->employee; $sql.= ", login = '".$this->db->escape($this->login)."'"; $sql.= ", api_key = ".($this->api_key ? "'".$this->db->escape($this->api_key)."'" : "null"); $sql.= ", gender = ".($this->gender != -1 ? "'".$this->db->escape($this->gender)."'" : "null"); // 'man' or 'woman' $sql.= ", birth=".(strval($this->birth)!='' ? "'".$this->db->idate($this->birth)."'" : 'null'); - if (! empty($user->admin)) $sql.= ", admin = ".$this->admin; // admin flag can be set/unset only by an admin user + if (! empty($user->admin)) $sql.= ", admin = ".(int) $this->admin; // admin flag can be set/unset only by an admin user $sql.= ", address = '".$this->db->escape($this->address)."'"; $sql.= ", zip = '".$this->db->escape($this->zip)."'"; $sql.= ", town = '".$this->db->escape($this->town)."'";