From 9037816c33215978e7a63eede8810ac98782e48b Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Mon, 4 May 2009 08:48:49 +0000
Subject: [PATCH] Fix: security with multi-company
---
 htdocs/product/barcode.php | 2 +-
 htdocs/product/document.php | 2 +-
 htdocs/product/fiche.php | 2 +-
 htdocs/product/fournisseurs.php | 2 +-
 htdocs/product/photos.php | 2 +-
 htdocs/product/price.php | 2 +-
 htdocs/product/sousproduits/fiche.php | 2 +-
 htdocs/product/stats/commande.php | 2 +-
 htdocs/product/stats/commande_fournisseur.php | 2 +-
 htdocs/product/stats/contrat.php | 2 +-
 htdocs/product/stats/facture.php | 2 +-
 htdocs/product/stats/facture_fournisseur.php | 2 +-
 htdocs/product/stats/fiche.php | 2 +-
 htdocs/product/stats/propal.php | 2 +-
 htdocs/product/stock/product.php | 2 +-
 htdocs/product/traduction.php | 2 +-
 16 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/htdocs/product/barcode.php b/htdocs/product/barcode.php
index 4dddca1dcc0..3a134c0ff4d 100644
--- a/htdocs/product/barcode.php
+++ b/htdocs/product/barcode.php
@@ -37,7 +37,7 @@ $langs->load("bills");
 if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
 	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
-	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
+	$fieldid = isset($_GET["ref"])?'ref':'rowid';
 }
 if ($user->societe_id) $socid=$user->societe_id;
diff --git a/htdocs/product/document.php b/htdocs/product/document.php
index 6584044a22b..b4e98d4dc68 100755
--- a/htdocs/product/document.php
+++ b/htdocs/product/document.php
@@ -42,7 +42,7 @@ $action=empty($_GET['action']) ? (empty($_POST['action']) ? '' : $_POST['action'
 if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
 	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
-	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
+	$fieldid = isset($_GET["ref"])?'ref':'rowid';
 }
 if ($user->societe_id) $socid=$user->societe_id;
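Review bot: The new `$fieldid` line in barcode.php still disagrees with the `$id` line directly above it when both query parameters are present: `?id=5&ref=X` yields `$id` = `5` (from `$_GET["id"]`) but `$fieldid` = `'ref'`, so the product is looked up by ref using the numeric id value. Deriving the field from the same test that selects the value keeps the pair in step: `$fieldid = isset($_GET["id"]) ? 'rowid' : 'ref';`. Moving from `$_REQUEST` to `$_GET` does close the cross-channel variant (a POST or cookie `ref` flipping the field while `$id` came from the query string), but not this same-channel one. How `$id` and `$fieldid` are consumed is outside the hunk; if they are interpolated into SQL, the rowid branch should also coerce `$id` with `(int)`.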
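Review bot: In document.php the fixed line still lets `$fieldid` become `'ref'` while `$id` holds `$_GET["id"]`, because `$id` prefers `id` and `$fieldid` prefers `ref` when both are supplied. Mirroring the `$id` precedence, `$fieldid = isset($_GET["id"]) ? 'rowid' : 'ref';`, removes the mismatch with a one-line change. The multi-company restriction named in the subject is not visible in this hunk beyond the unchanged `$socid = $user->societe_id` assignment; presumably it is enforced further down, outside the hunk.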
diff --git a/htdocs/product/fiche.php b/htdocs/product/fiche.php
index b152d97c149..a343cb9d75a 100644
--- a/htdocs/product/fiche.php
+++ b/htdocs/product/fiche.php
@@ -44,7 +44,7 @@ $langs->load("stocks");
 if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
 	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
-	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
+	$fieldid = isset($_GET["ref"])?'ref':'rowid';
 }
 if ($user->societe_id) $socid=$user->societe_id;
diff --git a/htdocs/product/fournisseurs.php b/htdocs/product/fournisseurs.php
index 097d7c5b689..68216d72359 100644
--- a/htdocs/product/fournisseurs.php
+++ b/htdocs/product/fournisseurs.php
@@ -39,7 +39,7 @@ $langs->load("bills");
 if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
 	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
-	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
+	$fieldid = isset($_GET["ref"])?'ref':'rowid';
 }
 if ($user->societe_id) $socid=$user->societe_id;
diff --git a/htdocs/product/photos.php b/htdocs/product/photos.php
index 06ac4f8e4da..176dd9c437f 100644
--- a/htdocs/product/photos.php
+++ b/htdocs/product/photos.php
@@ -38,7 +38,7 @@ $langs->load("bills");
 if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
 	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
-	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
+	$fieldid = isset($_GET["ref"])?'ref':'rowid';
 }
 if ($user->societe_id) $socid=$user->societe_id;
diff --git a/htdocs/product/price.php b/htdocs/product/price.php
index 3e78dd81d62..84d5264d582 100644
--- a/htdocs/product/price.php
+++ b/htdocs/product/price.php
@@ -38,7 +38,7 @@ $langs->load("bills");
 if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
 	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
-	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
+	$fieldid = isset($_GET["ref"])?'ref':'rowid';
 }
 if ($user->societe_id) $socid=$user->societe_id;
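Review bot: fiche.php keeps the same value/field skew after the fix: with `?id=5&ref=X` the `$id` line picks `$_GET["id"]` while the new `$fieldid` line picks `'ref'`, so the two variables describe different lookups. Keying the field off `id` instead, `$fieldid = isset($_GET["id"]) ? 'rowid' : 'ref';`, makes the pair consistent for every combination of the two parameters. If `$id` is later interpolated into SQL under `$fieldid`, which is not visible in the hunk, the rowid branch should also go through `(int)`.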
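Review bot: The fournisseurs.php hunk leaves `$id` and `$fieldid` selected by opposite precedences (`id` first for the value, `ref` first for the field), so a request carrying both still produces a ref lookup with the id value. `$fieldid = isset($_GET["id"]) ? 'rowid' : 'ref';` resolves it without touching the `$id` line. The switch to `$_GET` is the right call, since a POST or cookie `ref` could previously flip the field while the value came from the query string.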
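Review bot: In photos.php the new line still allows `$fieldid` = `'ref'` together with `$id` = `$_GET["id"]` when both parameters are sent, because the value line prefers `id` and the field line prefers `ref`. Inverting the field test to `$fieldid = isset($_GET["id"]) ? 'rowid' : 'ref';` keeps them aligned. What consumes `$id` afterwards is outside the hunk; if it is the rowid path, `(int)` coercion there would be worth confirming.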
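Review bot: price.php has the same residual mismatch as the other files in this commit: `$id` comes from `id` when both parameters are present, but `$fieldid` becomes `'ref'`. One-line fix that mirrors the `$id` precedence: `$fieldid = isset($_GET["id"]) ? 'rowid' : 'ref';`. Since these four lines are copy-pasted across sixteen pages, a shared helper that returns the `(id, fieldid)` pair would keep future fixes from needing sixteen edits; that is a refactor outside this hunk.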
diff --git a/htdocs/product/sousproduits/fiche.php b/htdocs/product/sousproduits/fiche.php
index 90c61151ea7..84faf8c04d0 100644
--- a/htdocs/product/sousproduits/fiche.php
+++ b/htdocs/product/sousproduits/fiche.php
@@ -39,7 +39,7 @@ $langs->load("products");
 if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
 	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
-	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
+	$fieldid = isset($_GET["ref"])?'ref':'rowid';
 }
 if ($user->societe_id) $socid=$user->societe_id;
diff --git a/htdocs/product/stats/commande.php b/htdocs/product/stats/commande.php
index 006f09bde86..06ac36cc92f 100644
--- a/htdocs/product/stats/commande.php
+++ b/htdocs/product/stats/commande.php
@@ -39,7 +39,7 @@ $langs->load("companies");
 if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
 	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
-	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
+	$fieldid = isset($_GET["ref"])?'ref':'rowid';
 }
 if ($user->societe_id) $socid=$user->societe_id;
diff --git a/htdocs/product/stats/commande_fournisseur.php b/htdocs/product/stats/commande_fournisseur.php
index 709ce3b3dda..cbadcc6764b 100644
--- a/htdocs/product/stats/commande_fournisseur.php
+++ b/htdocs/product/stats/commande_fournisseur.php
@@ -39,7 +39,7 @@ $langs->load("companies");
 if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
 	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
-	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
+	$fieldid = isset($_GET["ref"])?'ref':'rowid';
 }
 if ($user->societe_id) $socid=$user->societe_id;
diff --git a/htdocs/product/stats/contrat.php b/htdocs/product/stats/contrat.php
index e98d6759054..443bde1c9e1 100644
--- a/htdocs/product/stats/contrat.php
+++ b/htdocs/product/stats/contrat.php
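Review bot: sousproduits/fiche.php still resolves `$fieldid` to `'ref'` when `$id` was taken from `$_GET["id"]`, because the two lines use opposite precedences for a request that carries both `id` and `ref`. Changing the new line to `$fieldid = isset($_GET["id"]) ? 'rowid' : 'ref';` ties the field to the same decision that picked the value. The `$_REQUEST` to `$_GET` move itself is correct: it stops a POST or cookie `ref` from selecting the field behind the query string's back.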
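Review bot: In stats/commande.php the corrected line can still pair `$fieldid` = `'ref'` with `$id` = `$_GET["id"]` (both parameters present), so the lookup field and value disagree. `$fieldid = isset($_GET["id"]) ? 'rowid' : 'ref';` fixes the precedence in one line. How `$id` is used under `$fieldid` is outside the hunk; if it reaches a query by string concatenation, the rowid path should cast `$id` to int as well.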
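Review bot: stats/commande_fournisseur.php keeps the same value/field skew: `$id` prefers `id`, the new `$fieldid` line prefers `ref`, so `?id=5&ref=X` searches ref for `5`. Mirroring the `$id` test, `$fieldid = isset($_GET["id"]) ? 'rowid' : 'ref';`, closes it. The multi-company check the subject refers to is not visible here beyond the unchanged `$socid` assignment and is presumably applied later in the file.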
@@ -38,7 +38,7 @@ $langs->load("companies");
 if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
 	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
-	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
+	$fieldid = isset($_GET["ref"])?'ref':'rowid';
 }
 if ($user->societe_id) $socid=$user->societe_id;
diff --git a/htdocs/product/stats/facture.php b/htdocs/product/stats/facture.php
index 0d2f7e688d0..7f816108b42 100644
--- a/htdocs/product/stats/facture.php
+++ b/htdocs/product/stats/facture.php
@@ -39,7 +39,7 @@ $langs->load("products");
 if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
 	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
-	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
+	$fieldid = isset($_GET["ref"])?'ref':'rowid';
 }
 if ($user->societe_id) $socid=$user->societe_id;
diff --git a/htdocs/product/stats/facture_fournisseur.php b/htdocs/product/stats/facture_fournisseur.php
index 658daa9dd28..5ac6d29510c 100644
--- a/htdocs/product/stats/facture_fournisseur.php
+++ b/htdocs/product/stats/facture_fournisseur.php
@@ -40,7 +40,7 @@ $langs->load("companies");
 if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
 	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
-	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
+	$fieldid = isset($_GET["ref"])?'ref':'rowid';
 }
 if ($user->societe_id) $socid=$user->societe_id;
diff --git a/htdocs/product/stats/fiche.php b/htdocs/product/stats/fiche.php
index 65e27845c91..624440d3f15 100644
--- a/htdocs/product/stats/fiche.php
+++ b/htdocs/product/stats/fiche.php
@@ -42,7 +42,7 @@ $mode=isset($_GET["mode"])?$_GET["mode"]:'byunit';
 if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
 	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
-	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
+	$fieldid = isset($_GET["ref"])?'ref':'rowid';
 }
 if ($user->societe_id) $socid=$user->societe_id;
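Review bot: stats/contrat.php (hunk headers on the previous line) still lets `$fieldid` become `'ref'` while `$id` holds `$_GET["id"]` when both parameters are present, since the value line prefers `id` and the field line prefers `ref`. `$fieldid = isset($_GET["id"]) ? 'rowid' : 'ref';` makes the field follow the value. Moving to `$_GET` correctly removes the POST/cookie channel from the field choice, which is the part the commit addresses.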
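Review bot: In stats/facture.php the corrected line still yields a ref lookup with the id value for `?id=5&ref=X`, because `$fieldid` tests `ref` first while `$id` tests `id` first. One-line fix: `$fieldid = isset($_GET["id"]) ? 'rowid' : 'ref';`. If `$id` later reaches SQL under the rowid field, which the hunk does not show, an `(int)` cast on that path would be worth confirming.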
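Review bot: stats/facture_fournisseur.php retains the value/field precedence mismatch: a request with both `id` and `ref` sets `$id` from `id` and `$fieldid` to `'ref'`. Keying the field on `id`, `$fieldid = isset($_GET["id"]) ? 'rowid' : 'ref';`, keeps the pair consistent for every parameter combination. How the pair is consumed is outside the hunk.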
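Review bot: stats/fiche.php has the same residual skew as the other fifteen files: `$id` prefers `$_GET["id"]`, the new `$fieldid` line prefers `'ref'`, so both parameters at once produce a ref lookup of the numeric id. `$fieldid = isset($_GET["id"]) ? 'rowid' : 'ref';` mirrors the `$id` decision and removes it. The `$mode` line in the hunk context reads `$_GET["mode"]` unvalidated; what it feeds is outside the hunk, so it is only worth a look rather than a change here.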
diff --git a/htdocs/product/stats/propal.php b/htdocs/product/stats/propal.php
index f3e4aed3f80..b489cfca726 100644
--- a/htdocs/product/stats/propal.php
+++ b/htdocs/product/stats/propal.php
@@ -38,7 +38,7 @@ $langs->load("companies");
 if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
 	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
-	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
+	$fieldid = isset($_GET["ref"])?'ref':'rowid';
 }
 if ($user->societe_id) $socid=$user->societe_id;
diff --git a/htdocs/product/stock/product.php b/htdocs/product/stock/product.php
index 158f140447c..6fc6c7d9efd 100644
--- a/htdocs/product/stock/product.php
+++ b/htdocs/product/stock/product.php
@@ -40,7 +40,7 @@ $langs->load("bills");
 if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
 	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
-	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
+	$fieldid = isset($_GET["ref"])?'ref':'rowid';
 }
 if ($user->societe_id) $socid=$user->societe_id;
diff --git a/htdocs/product/traduction.php b/htdocs/product/traduction.php
index f619b0a8ac9..cb4c30e6f45 100644
--- a/htdocs/product/traduction.php
+++ b/htdocs/product/traduction.php
@@ -39,7 +39,7 @@ $langs->load("bills");
 if (isset($_GET["id"]) || isset($_GET["ref"]))
 {
 	$id = isset($_GET["id"])?$_GET["id"]:(isset($_GET["ref"])?$_GET["ref"]:'');
-	$fieldid = isset($_REQUEST["ref"])?'ref':'rowid';
+	$fieldid = isset($_GET["ref"])?'ref':'rowid';
 }
 if ($user->societe_id) $socid=$user->societe_id;
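Review bot: stats/propal.php still pairs `$fieldid` = `'ref'` with `$id` = `$_GET["id"]` when both parameters arrive, because the two lines pick in opposite order. `$fieldid = isset($_GET["id"]) ? 'rowid' : 'ref';` aligns the field with the value. The change to `$_GET` is right on its own: previously a POST or cookie `ref` could select the field while the value came from the URL.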
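Review bot: In stock/product.php the new line leaves the same precedence mismatch as elsewhere in this commit (`id` wins for the value, `ref` wins for the field), so `?id=5&ref=X` looks up ref `5`. Fix in place: `$fieldid = isset($_GET["id"]) ? 'rowid' : 'ref';`. If the rowid path feeds `$id` into SQL by concatenation, which the hunk does not show, it should also go through `(int)`.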
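Review bot: traduction.php keeps the value/field skew after the fix: `$id` is taken from `id` when both parameters exist, while `$fieldid` becomes `'ref'`. Mirroring the `$id` test with `$fieldid = isset($_GET["id"]) ? 'rowid' : 'ref';` resolves it. With these identical four lines repeated across sixteen pages, consolidating them into one shared helper would make the next correction a single edit; that refactor is outside this hunk.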