From 8debefa8ad6404ec434a6d77efa85d275fa33eb9 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 18 Jun 2017 21:53:06 +0200 Subject: [PATCH] Fix php sanitazing --- htdocs/don/card.php | 87 ++++++++++------------------------------- htdocs/holiday/list.php | 8 ++-- 2 files changed, 24 insertions(+), 71 deletions(-) diff --git a/htdocs/don/card.php b/htdocs/don/card.php index 0ace5c88e76..f2e7ade706d 100644 --- a/htdocs/don/card.php +++ b/htdocs/don/card.php @@ -50,7 +50,7 @@ $cancel=GETPOST('cancel'); $amount=GETPOST('amount'); $donation_date=dol_mktime(12, 0, 0, GETPOST('remonth'), GETPOST('reday'), GETPOST('reyear')); $projectid = (GETPOST('projectid') ? GETPOST('projectid', 'int') : 0); - + $object = new Don($db); $extrafields = new ExtraFields($db); @@ -316,17 +316,17 @@ if ($action == 'create') print ''; // Amount - print "".''.$langs->trans("Amount").' '.$langs->trans("Currency".$conf->currency).''; + print "".''.$langs->trans("Amount").' '.$langs->trans("Currency".$conf->currency).''; print ''.$langs->trans("PublicDonation").""; print $form->selectyesno("public",isset($_POST["public"])?$_POST["public"]:1,1); print "\n"; - print "".''.$langs->trans("Company").''; - print "".''.$langs->trans("Lastname").''; - print "".''.$langs->trans("Firstname").''; + print "".''.$langs->trans("Company").''; + print "".''.$langs->trans("Lastname").''; + print "".''.$langs->trans("Firstname").''; print "".''.$langs->trans("Address").''; - print ''; + print ''; // Zip / Town print ''.$langs->trans("Zip").' / '.$langs->trans("Town").''; @@ -341,7 +341,7 @@ if ($action == 'create') if ($user->admin) print info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionarySetup"),1); print ''; - print "".''.$langs->trans("EMail").''; + print "".''.$langs->trans("EMail").''; // Public note print ''; @@ -384,9 +384,9 @@ if ($action == 'create') dol_fiche_end(); print '
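Review bot: In the @@ -316 hunk the context line `print $form->selectyesno("public",isset($_POST["public"])?$_POST["public"]:1,1);` still reads the request through `$_POST` directly, while the surrounding code and every other input touched by this commit go through `GETPOST()`, so this one is left out of the sanitizing the commit sets out to do. The value is a yes/no flag, so the `'int'` filter already used for `projectid` at the top of the file fits: `print $form->selectyesno("public", isset($_POST["public"]) ? GETPOST("public", 'int') : 1, 1);`. The enclosing `if ($action == 'create')` block starts and ends outside the hunk.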
'; - print ''; + print ''; print '     '; - print ''; + print ''; print '
'; print "\n"; @@ -438,7 +438,7 @@ if (! empty($id) && $action == 'edit') // Amount if ($object->statut == 0) { - print "".''.$langs->trans("Amount").' '.$langs->trans("Currency".$conf->currency).''; + print "".''.$langs->trans("Amount").' '.$langs->trans("Currency".$conf->currency).''; } else { @@ -453,11 +453,11 @@ if (! empty($id) && $action == 'edit') print "\n"; $langs->load("companies"); - print ''.$langs->trans("Company").''; - print ''.$langs->trans("Lastname").''; - print ''.$langs->trans("Firstname").''; + print ''.$langs->trans("Company").''; + print ''.$langs->trans("Lastname").''; + print ''.$langs->trans("Firstname").''; print ''.$langs->trans("Address").''; - print ''; + print ''; // Zip / Town print ''.$langs->trans("Zip").' / '.$langs->trans("Town").''; @@ -472,7 +472,7 @@ if (! empty($id) && $action == 'edit') if ($user->admin) print info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionarySetup"),1); print ''; - print "".''.$langs->trans("EMail").''; + print "".''.$langs->trans("EMail").''; print "".$langs->trans("PaymentMode")."\n"; @@ -544,9 +544,9 @@ if (! empty($id) && $action != 'edit') // Print form confirm print $formconfirm; - + $linkback = ''.$langs->trans("BackToList").''; - + $morehtmlref='
'; // Project if (! empty($conf->projet->enabled)) @@ -581,8 +581,8 @@ if (! empty($id) && $action != 'edit') } } $morehtmlref.='
'; - - + + dol_banner_tab($object, 'rowid', $linkback, 1, 'rowid', 'ref', $morehtmlref); @@ -592,13 +592,6 @@ if (! empty($id) && $action != 'edit') print ''; - // Ref - /* - print ''; - print ''; - */ // Date print ''; print ''; print ''; - /*print ''; - // Zip / Town - print ''; - - // Country - print ''; - - // EMail - print "".''; - */ - // Payment mode print "\n"; - - //print "".''; - - // Project - /* - if (! empty($conf->projet->enabled)) - { - print ''; - print ''; - print ''; - print ''; - }*/ - + // Other attributes $cols = 2; include DOL_DOCUMENT_ROOT . '/core/tpl/extrafields_view.tpl.php'; diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php index 9523d489256..90db40fd2e7 100644 --- a/htdocs/holiday/list.php +++ b/htdocs/holiday/list.php @@ -138,7 +138,7 @@ if($year_start > 0) { } } else { if($month_start > 0) { - $filter.= " AND date_format(cp.date_debut, '%m') = '$month_start'"; + $filter.= " AND date_format(cp.date_debut, '%m') = '".$db->escape($month_start)."'"; } } @@ -153,7 +153,7 @@ if($year_end > 0) { } } else { if($month_end > 0) { - $filter.= " AND date_format(cp.date_fin, '%m') = '$month_end'"; + $filter.= " AND date_format(cp.date_fin, '%m') = '".$db->escape($month_end)."'"; } } @@ -368,13 +368,13 @@ print ''; // DATE DEBUT print ''; // DATE FIN print '';
'.$langs->trans("Ref").''; - print $form->showrefnav($object, 'rowid', $linkback, 1, 'rowid', 'ref', ''); - print '
'.$langs->trans("Date").''; print dol_print_date($object->date,"day"); @@ -615,52 +608,12 @@ if (! empty($id) && $action != 'edit') print '
'.$langs->trans("Company").''.$object->societe.'
'.$langs->trans("Lastname").''.$object->lastname.'
'.$langs->trans("Firstname").''.$object->firstname.'
'.$langs->trans("Address").''.dol_nl2br($object->address).'
'.$langs->trans("Zip").' / '.$langs->trans("Town").''; - print $object->zip.($object->zip && $object->town?' / ':'').$object->town.'
'.$langs->trans('Country').''; - if (! empty($object->country_code)) - { - $img=picto_from_langcode($object->country_code); - print ($img?$img.' ':''); - print $object->country; - } - else - { - print $object->country_olddata; - } - print '
'.$langs->trans("EMail").''.dol_print_email($object->email).'
".$langs->trans("PaymentMode").""; $form->form_modes_reglement(null, $object->modepaymentid,'none'); print "
'.$langs->trans("Status").''.$object->getLibStatut(4).'
'.$langs->trans("Project").''; - $projettmp=new Project($db); - $projettmp->id=$object->fk_projet; - $projettmp->ref=$object->project; - if(! empty($object->fk_projet)) print $projettmp->getNomUrl(1); - print '
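Review bot: In the @@ -138 hunk (and the matching change for `$month_end` in @@ -153) `$db->escape($month_start)` stops a quote breakout, but the value is already gated by `if($month_start > 0)`, so it is meant to be a number and an integer cast is the tighter guard: `$filter.= " AND date_format(cp.date_debut, '%m') = '".sprintf('%02d', (int) $month_start)."'";`. The `sprintf('%02d', ...)` also produces the two-digit form that `date_format(..., '%m')` returns, which a bare single-digit month would not equal in a string comparison; whether `$month_start` already arrives zero-padded depends on where it is read, which is outside the hunk, so confirm before changing. The surrounding `if`/`else` blocks start outside both hunks.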
 '; -print ''; +print ''; $formother->select_year($year_start,'year_start',1, $min_year, $max_year); print ''; -print ''; +print ''; $formother->select_year($year_end,'year_end',1, $min_year, $max_year); print '