diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php
index 8803ce032fa..cf6f9d54649 100644
--- a/htdocs/adherents/class/adherent.class.php
+++ b/htdocs/adherents/class/adherent.class.php
@@ -1141,7 +1141,7 @@ class Adherent extends CommonObject
 $this->db->begin();
 
 // If user is linked to this member, remove old link to this member
- $sql = "UPDATE ".MAIN_DB_PREFIX."user SET fk_member = NULL WHERE fk_member = ".$this->id;
+ $sql = "UPDATE ".MAIN_DB_PREFIX."user SET fk_member = NULL WHERE fk_member = ".((int) $this->id);
 dol_syslog(get_class($this)."::setUserId", LOG_DEBUG);
 $resql = $this->db->query($sql);
 if (!$resql) {
@@ -1152,7 +1152,7 @@ class Adherent extends CommonObject
 
 // Set link to user
 if ($userid > 0) {
- $sql = "UPDATE ".MAIN_DB_PREFIX."user SET fk_member = ".$this->id;
+ $sql = "UPDATE ".MAIN_DB_PREFIX."user SET fk_member = ".((int) $this->id);
 $sql .= " WHERE rowid = ".$userid;
 dol_syslog(get_class($this)."::setUserId", LOG_DEBUG);
 $resql = $this->db->query($sql);
diff --git a/htdocs/adherents/subscription.php b/htdocs/adherents/subscription.php
index 8e1b9093e77..ecc0e1cfe47 100644
--- a/htdocs/adherents/subscription.php
+++ b/htdocs/adherents/subscription.php
@@ -44,6 +44,7 @@ $action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
 $rowid = GETPOST('rowid', 'int') ?GETPOST('rowid', 'int') : GETPOST('id', 'int');
 $typeid = GETPOST('typeid', 'int');
+$cancel = GETPOST('cancel');
 
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
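Review bot: `$userid` is still concatenated into the statement unescaped on the context line `$sql .= " WHERE rowid = ".$userid;`, while the same hunk casts `$this->id`; casting it too, `$sql .= " WHERE rowid = ".((int) $userid);`, makes setUserId safe regardless of what a caller passes. The caller in subscription.php now reads the value with GETPOST("userid", 'int'), but setUserId is a method on a shared class and other call sites are not visible here. The method's signature and the rest of its body lie outside the hunk.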
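Review bot: `$cancel = GETPOST('cancel');` is the only declaration in the hunk without an explicit check argument; the neighbouring reads all pass one ('aZ09', 'alpha', 'int'). The value is only used as a flag in `!$cancel` further down, so `$cancel = GETPOST('cancel', 'alpha');` keeps the file's convention without changing behaviour. Whether an omitted check argument applies a default filter depends on the GETPOST version in this tree, which is not visible here.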
@@ -148,19 +149,18 @@ if (empty($reshook) && $action == 'confirm_create_thirdparty' && $confirm == 'ye
 if (empty($reshook) && $action == 'setuserid' && ($user->rights->user->self->creer || $user->rights->user->user->creer)) {
 $error = 0;
 if (empty($user->rights->user->user->creer)) { // If can edit only itself user, we can link to itself only
- if ($_POST["userid"] != $user->id && $_POST["userid"] != $object->user_id) {
+ if (GETPOST("userid", 'int') != $user->id && GETPOST("userid", 'int') != $object->user_id) {
 $error++;
 setEventMessages($langs->trans("ErrorUserPermissionAllowsToLinksToItselfOnly"), null, 'errors');
 }
 }
 
 if (!$error) {
- if ($_POST["userid"] != $object->user_id) { // If link differs from currently in database
- $result = $object->setUserId($_POST["userid"]);
+ if (GETPOST("userid", 'int') != $object->user_id) { // If link differs from currently in database
+ $result = $object->setUserId(GETPOST("userid", 'int'));
 if ($result < 0) {
 dol_print_error('', $object->error);
 }
- $_POST['action'] = '';
 $action = '';
 }
 }
@@ -190,14 +190,13 @@ if (empty($reshook) && $action == 'setsocid') {
 if ($result < 0) {
 dol_print_error('', $object->error);
 }
- $_POST['action'] = '';
 $action = '';
 }
 }
 }
 }
 
-if ($user->rights->adherent->cotisation->creer && $action == 'subscription' && !$_POST["cancel"]) {
+if ($user->rights->adherent->cotisation->creer && $action == 'subscription' && !$cancel) {
 $error = 0;
 
 $langs->load("banks");
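Review bot: GETPOST("userid", 'int') is re-evaluated four times in the hunk (twice in the permission check, twice in the update branch); reading it once into a local, `$useridtolink = GETPOST('userid', 'int');`, and using that in both comparisons and the `setUserId()` call keeps the checks obviously consistent. With the 'int' check a non-numeric value presumably becomes 0, which differs from `$object->user_id` and so reaches `setUserId(0)` and unlinks the current user; if that is not the intended way to unlink, guard the update with `if ($useridtolink > 0 && $useridtolink != $object->user_id) {` — worth confirming against GETPOST's 'int' semantics. The enclosing `if (... $action == 'setuserid' ...)` block closes outside the hunk.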
@@ -209,25 +208,25 @@ if ($user->rights->adherent->cotisation->creer && $action == 'subscription' && !
 $datesubscription = 0;
 $datesubend = 0;
 $paymentdate = 0;
- if ($_POST["reyear"] && $_POST["remonth"] && $_POST["reday"]) {
- $datesubscription = dol_mktime(0, 0, 0, $_POST["remonth"], $_POST["reday"], $_POST["reyear"]);
+ if (GETPOST("reyear", "int") && GETPOST("remonth", "int") && GETPOST("reday", "int")) {
+ $datesubscription = dol_mktime(0, 0, 0, GETPOST("remonth", "int"), GETPOST("reday", "int"), GETPOST("reyear", "int"));
 }
- if ($_POST["endyear"] && $_POST["endmonth"] && $_POST["endday"]) {
- $datesubend = dol_mktime(0, 0, 0, $_POST["endmonth"], $_POST["endday"], $_POST["endyear"]);
+ if (GETPOST("endyear", 'int') && GETPOST("endmonth", 'int') && GETPOST("endday", 'int')) {
+ $datesubend = dol_mktime(0, 0, 0, GETPOST("endmonth", 'int'), GETPOST("endday", 'int'), GETPOST("endyear", 'int'));
 }
- if ($_POST["paymentyear"] && $_POST["paymentmonth"] && $_POST["paymentday"]) {
- $paymentdate = dol_mktime(0, 0, 0, $_POST["paymentmonth"], $_POST["paymentday"], $_POST["paymentyear"]);
+ if (GETPOST("paymentyear", 'int') && GETPOST("paymentmonth", 'int') && GETPOST("paymentday", 'int')) {
+ $paymentdate = dol_mktime(0, 0, 0, GETPOST("paymentmonth", 'int'), GETPOST("paymentday", 'int'), GETPOST("paymentyear", 'int'));
 }
 $amount = price2num(GETPOST("subscription", 'alpha')); // Amount of subscription
- $label = $_POST["label"];
+ $label = GETPOST("label");
 
 // Payment informations
- $accountid = $_POST["accountid"];
- $operation = $_POST["operation"]; // Payment mode
+ $accountid = GETPOST("accountid", 'int');
+ $operation = GETPOST("operation", "alphanohtml"); // Payment mode
 $num_chq = GETPOST("num_chq", "alphanohtml");
- $emetteur_nom = $_POST["chqemetteur"];
- $emetteur_banque = $_POST["chqbank"];
- $option = $_POST["paymentsave"];
+ $emetteur_nom = GETPOST("chqemetteur");
+ $emetteur_banque = GETPOST("chqbank");
+ $option = GETPOST("paymentsave");
 if (empty($option)) {
 $option = 'none';
 }
@@ -267,19 +266,19 @@ if ($user->rights->adherent->cotisation->creer && $action == 'subscription' && !
 $error++;
 $action = 'addsubscription';
 } else {
- if (!empty($conf->banque->enabled) && $_POST["paymentsave"] != 'none') {
- if ($_POST["subscription"]) {
- if (!$_POST["label"]) {
+ if (!empty($conf->banque->enabled) && GETPOST("paymentsave") != 'none') {
+ if (GETPOST("subscription")) {
+ if (!GETPOST("label")) {
 $errmsg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("Label"));
 }
- if ($_POST["paymentsave"] != 'invoiceonly' && !$_POST["operation"]) {
+ if (GETPOST("paymentsave") != 'invoiceonly' && !GETPOST("operation")) {
 $errmsg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("PaymentMode"));
 }
- if ($_POST["paymentsave"] != 'invoiceonly' && !($_POST["accountid"] > 0)) {
+ if (GETPOST("paymentsave") != 'invoiceonly' && !(GETPOST("accountid", 'int') > 0)) {
 $errmsg = $langs->trans("ErrorFieldRequired", $langs->transnoentities("FinancialAccount"));
 }
 } else {
- if ($_POST["accountid"]) {
+ if (GETPOST("accountid")) {
 $errmsg = $langs->trans("ErrorDoNotProvideAccountsIfNullAmount");
 }
 }
@@ -453,7 +452,8 @@ if ($optioncss != '') {
 if ($rowid > 0) {
 $res = $object->fetch($rowid);
 if ($res < 0) {
- dol_print_error($db, $object->error); exit;
+ dol_print_error($db, $object->error);
+ exit;
 }
 
 $adht->fetch($object->typeid);
@@ -847,7 +847,7 @@ if ($rowid > 0) {
 });
 ';
 if (GETPOST('paymentsave')) {
- print '$("#'.GETPOST('paymentsave').'").prop("checked",true);';
+ print '$("#'.GETPOST('paymentsave', 'aZ09').'").prop("checked", true);';
 }
 print '});';
 print ''."\n";
@@ -1038,6 +1038,7 @@ if ($rowid > 0) {
 // Bank account
 print '
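Review bot: `$option = GETPOST("paymentsave");`, `$label = GETPOST("label");`, `$emetteur_nom = GETPOST("chqemetteur");` and `$emetteur_banque = GETPOST("chqbank");` are the only reads in the hunk left without a check argument, while `$operation` gets 'alphanohtml' and the hunk at line 847 reads the same paymentsave parameter with 'aZ09'. Using `$option = GETPOST("paymentsave", 'aZ09');` here and 'alphanohtml' for the three free-text fields makes the sanitisation consistent across the file and independent of whatever default GETPOST applies in this tree. The mixed `"int"`/`'int'` quoting across the three date blocks is also worth normalising to the single-quoted form the rest of the file uses. The enclosing `if (... $action == 'subscription' && !$cancel)` block starts before the hunk.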
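Review bot: the validation in this hunk re-reads the request (`GETPOST("paymentsave")`, `GETPOST("subscription")`, `GETPOST("label")`, `GETPOST("operation")`, `GETPOST("accountid")`) instead of using the locals `$option`, `$amount`, `$label`, `$operation` and `$accountid` that the hunk at line 208 already assigned from the same parameters, so the two places can drift: the `else` branch tests `GETPOST("accountid")` without the 'int' check the branch above uses, and `GETPOST("paymentsave") != 'none'` is true for an empty value even though `$option` has by then been normalised to 'none'. Comparing against the locals, e.g. `if (!empty($conf->banque->enabled) && $option != 'none') {` at the top and `if ($accountid > 0) {` in the `else` branch, leaves one definition of each input. Whether the empty-paymentsave case is meant to enter the block is pre-existing behaviour and worth confirming before changing it. The enclosing `else` block continues past the hunk.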