Fix: Sanitize data

2012-03-29 09:54:48 +01:00 · 2012-03-29 09:54:48 +01:00 · a0cae7709c
commit a0cae7709c
parent 2e7ce7647b
4 changed files with 48 additions and 41 deletions
--- a/htdocs/adherents/admin/adherent.php
+++ b/htdocs/adherents/admin/adherent.php
@ -4,8 +4,8 @@
 * Copyright (C) 2004-2012 Laurent Destailleur  <eldy@users.sourceforge.net>
 * Copyright (C) 2004      Sebastien Di Cintio  <sdicintio@ressource-toi.org>
 * Copyright (C) 2004      Benoit Mortier       <benoit.mortier@opensides.be>
- * Copyright (C) 2005-2011 Regis Houssin        <regis@dolibarr.fr>
- * Copyright (C) 2011 	   Juanjo Menent		<jmenent@2byte.es>
+ * Copyright (C) 2005-2012 Regis Houssin        <regis@dolibarr.fr>
+ * Copyright (C) 2011-2012 Juanjo Menent		<jmenent@2byte.es>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -39,7 +39,7 @@ if (! $user->admin) accessforbidden();

 $type=array('yesno','texte','chaine');

-$action = GETPOST("action");
+$action = POST('action','alpha');


 /*
@ -78,7 +78,7 @@ if ($action == 'update' || $action == 'add')
 // Action activation d'un sous module du module adherent
 if ($action == 'set')
 {
-    $result=dolibarr_set_const($db, $_GET["name"],$_GET["value"],'',0,'',$conf->entity);
+    $result=dolibarr_set_const($db, GETPOST('name','alpha'),GETPOST('value','alpha'),'',0,'',$conf->entity);
    if ($result < 0)
    {
        print $db->error();
@ -88,7 +88,7 @@ if ($action == 'set')
 // Action desactivation d'un sous module du module adherent
 if ($action == 'unset')
 {
-    $result=dolibarr_del_const($db,$_GET["name"],$conf->entity);
+    $result=dolibarr_del_const($db,GETPOST('name','alpha'),$conf->entity);
    if ($result < 0)
    {
        print $db->error();
--- a/htdocs/admin/fournisseur.php
+++ b/htdocs/admin/fournisseur.php
@ -4,7 +4,7 @@
 * Copyright (C) 2005-2011 Regis Houssin           <regis@dolibarr.fr>
 * Copyright (C) 2004      Sebastien Di Cintio     <sdicintio@ressource-toi.org>
 * Copyright (C) 2004      Benoit Mortier          <benoit.mortier@opensides.be>
- * Copyright (C) 2010-2011 Juanjo Menent           <jmenent@2byte.es>
+ * Copyright (C) 2010-2012 Juanjo Menent           <jmenent@2byte.es>
 * Copyright (C) 2011      Philippe Grand          <philippe.grand@atoo-net.com>
 *
 * This program is free software; you can redistribute it and/or modify
@ -38,9 +38,9 @@ $langs->load("admin");
 if (!$user->admin)
 accessforbidden();

-$type=GETPOST('type');
-$value=GETPOST('value');
-$action=GETPOST('action');
+$type=GETPOST('type', 'alpha');
+$value=GETPOST('value', 'alpha');
+$action=GETPOST('action', 'alpha');

 $specimenthirdparty=new Societe($db);
 $specimenthirdparty->initAsSpecimen();
@ -52,8 +52,9 @@ $specimenthirdparty->initAsSpecimen();

 if ($action == 'updateMask')
 {
-    $maskconstorder=$_POST['maskconstorder'];
-    $maskorder=$_POST['maskorder'];
+    $maskconstorder=GETPOST('maskconstorder','alpha');
+    $maskorder=GETPOST('maskorder','alpha');
+    
    if ($maskconstorder)  $res = dolibarr_set_const($db,$maskconstorder,$maskorder,'chaine',0,'',$conf->entity);

    if (! $res > 0) $error++;
@ -70,7 +71,7 @@ if ($action == 'updateMask')

 if ($action == 'specimen')  // For orders
 {
-    $modele=GETPOST("module");
+    $modele=GETPOST('module','alpha');

    $commande = new CommandeFournisseur($db);
    $commande->initAsSpecimen();
@ -116,7 +117,7 @@ if ($action == 'specimen')  // For orders

 if ($action == 'specimenfacture')   // For invoices
 {
-    $modele=GETPOST("module");
+    $modele=GETPOST('module','alpha');

    $facture = new FactureFournisseur($db);
    $facture->initAsSpecimen();
@ -162,10 +163,13 @@ if ($action == 'specimenfacture')   // For invoices

 if ($action == 'set')
 {
+	$label = GETPOST('label','alpha');
+	$scandir = GETPOST('scandir','alpha');
+	
    $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)";
    $sql.= " VALUES ('".$db->escape($value)."','".$type."',".$conf->entity.", ";
-    $sql.= ($_GET["label"]?"'".$db->escape($_GET["label"])."'":'null').", ";
-    $sql.= (! empty($_GET["scandir"])?"'".$db->escape($_GET["scandir"])."'":"null");
+    $sql.= ($label?"'".$db->escape($label)."'":'null').", ";
+    $sql.= (! empty($scandir)?"'".$db->escape($scandir)."'":"null");
    $sql.= ")";
    $res=$db->query($sql);
    if ($res)
@ -191,14 +195,17 @@ if ($action == 'del')

 if ($action == 'setdoc')
 {
+	$label = GETPOST('label','alpha');
+	$scandir = GETPOST('scandir','alpha');
+	
    $db->begin();

-    if ($_GET["type"] == 'order_supplier' && dolibarr_set_const($db, "COMMANDE_SUPPLIER_ADDON_PDF",$value,'chaine',0,'',$conf->entity))
+    if ($type == 'order_supplier' && dolibarr_set_const($db, "COMMANDE_SUPPLIER_ADDON_PDF",$value,'chaine',0,'',$conf->entity))
    {
        $conf->global->COMMANDE_SUPPLIER_ADDON_PDF = $value;
    }

-    if ($_GET["type"] == 'invoice_supplier' && dolibarr_set_const($db, "INVOICE_SUPPLIER_ADDON_PDF",$value,'chaine',0,'',$conf->entity))
+    if ($type == 'invoice_supplier' && dolibarr_set_const($db, "INVOICE_SUPPLIER_ADDON_PDF",$value,'chaine',0,'',$conf->entity))
    {
        $conf->global->INVOICE_SUPPLIER_ADDON_PDF = $value;
    }
@ -212,8 +219,8 @@ if ($action == 'setdoc')

    $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)";
    $sql.= " VALUES ('".$db->escape($value)."', '".$type."', ".$conf->entity.", ";
-    $sql.= ($_GET["label"]?"'".$db->escape($_GET["label"])."'":'null').", ";
-    $sql.= (! empty($_GET["scandir"])?"'".$db->escape($_GET["scandir"])."'":"null");
+    $sql.= ($label?"'".$db->escape($label)."'":'null').", ";
+    $sql.= (! empty($scandir)?"'".$db->escape($scandir)."'":"null");
    $sql.= ")";
    $result2=$db->query($sql);
    if ($result1 && $result2)
@ -242,7 +249,7 @@ if ($action == 'addcat')

 if ($action == 'set_SUPPLIER_INVOICE_FREE_TEXT')
 {
-    $free = GETPOST("SUPPLIER_INVOICE_FREE_TEXT");
+    $free = GETPOST('SUPPLIER_INVOICE_FREE_TEXT','alpha');
    $res = dolibarr_set_const($db, "SUPPLIER_INVOICE_FREE_TEXT",$free,'chaine',0,'',$conf->entity);

    if (! $res > 0) $error++;
--- a/htdocs/cashdesk/admin/cashdesk.php
+++ b/htdocs/cashdesk/admin/cashdesk.php
@ -1,6 +1,6 @@
 <?php
 /* Copyright (C) 2008-2011 Laurent Destailleur  <eldy@users.sourceforge.net>
- * Copyright (C) 2011 	   Juanjo Menent		<jmenent@2byte.es>
+ * Copyright (C) 2011-2012 Juanjo Menent		<jmenent@2byte.es>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@ -29,9 +29,9 @@ require_once(DOL_DOCUMENT_ROOT."/product/class/html.formproduct.class.php");
 // If socid provided by ajax company selector
 if (! empty($_REQUEST['CASHDESK_ID_THIRDPARTY_id']))
 {
-	$_GET['CASHDESK_ID_THIRDPARTY'] = $_GET['CASHDESK_ID_THIRDPARTY_id'];
-	$_POST['CASHDESK_ID_THIRDPARTY'] = $_POST['CASHDESK_ID_THIRDPARTY_id'];
-	$_REQUEST['CASHDESK_ID_THIRDPARTY'] = $_REQUEST['CASHDESK_ID_THIRDPARTY_id'];
+	$_GET['CASHDESK_ID_THIRDPARTY'] = GETPOST('CASHDESK_ID_THIRDPARTY_id','alpha');
+	$_POST['CASHDESK_ID_THIRDPARTY'] = GETPOST('CASHDESK_ID_THIRDPARTY_id','alpha');
+	$_REQUEST['CASHDESK_ID_THIRDPARTY'] = GETPOST('CASHDESK_ID_THIRDPARTY_id','alpha');
 }

 // Security check
@ -45,7 +45,7 @@ $langs->load("cashdesk");
 /*
 * Actions
 */
-if (GETPOST("action") == 'set')
+if (GETPOST('action','alpha') == 'set')
 {
 	$db->begin();

@ -54,13 +54,13 @@ if (GETPOST("action") == 'set')
 	if (GETPOST("CASHDESK_ID_WAREHOUSE") < 0)  $_POST["CASHDESK_ID_WAREHOUSE"]='';*/

 	$res = dolibarr_set_const($db,"CASHDESK_ID_THIRDPARTY",GETPOST('socid','int'),'chaine',0,'',$conf->entity);
-	$res = dolibarr_set_const($db,"CASHDESK_ID_BANKACCOUNT_CASH",GETPOST("CASHDESK_ID_BANKACCOUNT_CASH"),'chaine',0,'',$conf->entity);
-	$res = dolibarr_set_const($db,"CASHDESK_ID_BANKACCOUNT_CHEQUE",GETPOST("CASHDESK_ID_BANKACCOUNT_CHEQUE"),'chaine',0,'',$conf->entity);
-	$res = dolibarr_set_const($db,"CASHDESK_ID_BANKACCOUNT_CB",GETPOST("CASHDESK_ID_BANKACCOUNT_CB"),'chaine',0,'',$conf->entity);
-	$res = dolibarr_set_const($db,"CASHDESK_ID_WAREHOUSE",GETPOST("CASHDESK_ID_WAREHOUSE"),'chaine',0,'',$conf->entity);
-	$res = dolibarr_set_const($db,"CASHDESK_SERVICES", GETPOST("CASHDESK_SERVICES"),'chaine',0,'',$conf->entity);
+	$res = dolibarr_set_const($db,"CASHDESK_ID_BANKACCOUNT_CASH",GETPOST('CASHDESK_ID_BANKACCOUNT_CASH','alpha'),'chaine',0,'',$conf->entity);
+	$res = dolibarr_set_const($db,"CASHDESK_ID_BANKACCOUNT_CHEQUE",GETPOST('CASHDESK_ID_BANKACCOUNT_CHEQUE','alpha'),'chaine',0,'',$conf->entity);
+	$res = dolibarr_set_const($db,"CASHDESK_ID_BANKACCOUNT_CB",GETPOST('CASHDESK_ID_BANKACCOUNT_CB','alpha'),'chaine',0,'',$conf->entity);
+	$res = dolibarr_set_const($db,"CASHDESK_ID_WAREHOUSE",GETPOST('CASHDESK_ID_WAREHOUSE','alpha'),'chaine',0,'',$conf->entity);
+	$res = dolibarr_set_const($db,"CASHDESK_SERVICES", GETPOST('CASHDESK_SERVICES','alpha'),'chaine',0,'',$conf->entity);

-	dol_syslog("admin/cashdesk: level ".GETPOST("level"));
+	dol_syslog("admin/cashdesk: level ".GETPOST('level','alpha'));

 	if (! $res > 0) $error++;

--- a/htdocs/product/admin/product.php
+++ b/htdocs/product/admin/product.php
@ -4,7 +4,7 @@
 * Copyright (C) 2006-2007 Rodolphe Quiedeville <rodolphe@quiedeville.org>
 * Copyright (C) 2007      Auguria SARL         <info@auguria.org>
 * Copyright (C) 2005-2012 Regis Houssin        <regis@dolibarr.fr>
- * Copyright (C) 2011 	   Juanjo Menent        <jmenent@2byte.es>
+ * Copyright (C) 2011-2012 Juanjo Menent        <jmenent@2byte.es>
 * Copyright (C) 2012      Christophe Battarel   <christophe.battarel@altairis.fr>
 **
 * This program is free software; you can redistribute it and/or modify
@ -38,8 +38,8 @@ $langs->load("products");
 // Security check
 if (! $user->admin) accessforbidden();

-$action = GETPOST("action");
-$value = GETPOST("value");
+$action = GETPOST('action','alpha');
+$value = GETPOST('value','alpha');


 /*
@ -56,35 +56,35 @@ else if ($action == 'multiprix_num')
 }
 if ($action == 'multiprix')
 {
-	$multiprix = GETPOST("activate_multiprix");
+	$multiprix = GETPOST('activate_multiprix','alpha');

 	$res = dolibarr_set_const($db, "PRODUIT_MULTIPRICES", $multiprix,'chaine',0,'',$conf->entity);
 	$res =dolibarr_set_const($db, "PRODUIT_MULTIPRICES_LIMIT", "5",'chaine',0,'',$conf->entity);
 }
 else if ($action == 'sousproduits')
 {
-	$sousproduits = GETPOST("activate_sousproduits");
+	$sousproduits = GETPOST('activate_sousproduits','alpha');
 	$res = dolibarr_set_const($db, "PRODUIT_SOUSPRODUITS", $sousproduits,'chaine',0,'',$conf->entity);
 }
 else if ($action == 'viewProdDescInForm')
 {
-	$view = GETPOST("activate_viewProdDescInForm");
+	$view = GETPOST('activate_viewProdDescInForm','alpha');
 	$res = dolibarr_set_const($db, "PRODUIT_DESC_IN_FORM", $view,'chaine',0,'',$conf->entity);
 }
 else if ($action == 'viewProdTextsInThirdpartyLanguage')
 {
-	$view = GETPOST("activate_viewProdTextsInThirdpartyLanguage");
+	$view = GETPOST('activate_viewProdTextsInThirdpartyLanguage','alpha');
 	$res = dolibarr_set_const($db, "PRODUIT_TEXTS_IN_THIRDPARTY_LANGUAGE", $view,'chaine',0,'',$conf->entity);
 }
 else if ($action == 'usesearchtoselectproduct')
 {
-	$usesearch = GETPOST("activate_usesearchtoselectproduct");
+	$usesearch = GETPOST('activate_usesearchtoselectproduct','alpha');
 	$res = dolibarr_set_const($db, "PRODUIT_USE_SEARCH_TO_SELECT", $usesearch,'chaine',0,'',$conf->entity);
 }
 else if ($action == 'set')
 {
-	$const = "PRODUCT_SPECIAL_".strtoupper($_GET["spe"]);
-	if ($_GET["value"]) $res = dolibarr_set_const($db, $const, $value,'chaine',0,'',$conf->entity);
+	$const = "PRODUCT_SPECIAL_".strtoupper(GETPOST('spe','alpha'));
+	if (GETPOST('value','alpha')) $res = dolibarr_set_const($db, $const, $value,'chaine',0,'',$conf->entity);
 	else $res = dolibarr_del_const($db, $const,$conf->entity);
 }
 /*else if ($action == 'useecotaxe')