diff --git a/htdocs/accountancy/admin/account.php b/htdocs/accountancy/admin/account.php index 93241901524..de8fd9a8cd6 100644 --- a/htdocs/accountancy/admin/account.php +++ b/htdocs/accountancy/admin/account.php @@ -54,7 +54,7 @@ if (!$user->rights->accounting->chartofaccount) accessforbidden(); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 @@ -230,8 +230,8 @@ if (strlen(trim($search_account))) { $search_account_tmp_clean = preg_replace('/^\^/', '', $search_account_tmp); $search_account_clean = preg_replace('/^\^/', '', $search_account); } - $sql .= " AND (aa.account_number LIKE '".$startchar.$search_account_tmp_clean."'"; - $sql .= " OR aa.account_number LIKE '".$startchar.$search_account_clean."%')"; + $sql .= " AND (aa.account_number LIKE '".$db->escape($startchar.$search_account_tmp_clean)."'"; + $sql .= " OR aa.account_number LIKE '".$db->escape($startchar.$search_account_clean)."%')"; } else $sql .= natural_search("aa.account_number", $search_account_tmp); } } 
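Review bot: In the account.php @@ -230 hunk `$db->escape()` neutralises quote characters but leaves the LIKE metacharacters `%` and `_` in `$search_account_tmp_clean` / `$search_account_clean` active, so a `_` typed into the filter still matches any single character and the first pattern, which has no trailing `%` and so appears intended as an exact match, silently widens. If exact matching is intended there, compare with `=` instead of `LIKE`, otherwise escape `%` and `_` in the input before the call, and record the limitation next to the statement: `// escape() does not neutralise LIKE wildcards; % and _ in the filter still act as wildcards`. The enclosing `if (strlen(trim($search_account)))` block begins before this hunk.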
@@ -264,14 +264,14 @@ if ($resql) $num = $db->num_rows($resql); $param = ''; - if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param .= '&contextpage='.$contextpage; - if ($limit > 0 && $limit != $conf->liste_limit) $param .= '&limit='.$limit; + if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param .= '&contextpage='.urlencode($contextpage); + if ($limit > 0 && $limit != $conf->liste_limit) $param .= '&limit='.urlencode($limit); if ($search_account) $param .= '&search_account='.urlencode($search_account); if ($search_label) $param .= '&search_label='.urlencode($search_label); if ($search_labelshort) $param .= '&search_labelshort='.urlencode($search_labelshort); if ($search_accountparent > 0 || $search_accountparent == '0') $param .= '&search_accountparent='.urlencode($search_accountparent); if ($search_pcgtype) $param .= '&search_pcgtype='.urlencode($search_pcgtype); - if ($optioncss != '') $param .= '&optioncss='.$optioncss; + if ($optioncss != '') $param .= '&optioncss='.urlencode($optioncss); if (!empty($conf->use_javascript_ajax)) { diff --git a/htdocs/accountancy/admin/accountmodel.php b/htdocs/accountancy/admin/accountmodel.php index 9794198332e..be3b49e41c1 100644 --- a/htdocs/accountancy/admin/accountmodel.php +++ b/htdocs/accountancy/admin/accountmodel.php @@ -280,7 +280,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) else $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'"; $i++; } - $sql .= " WHERE ".$rowidcol." = '".$rowid."'"; + $sql .= " WHERE ".$rowidcol." = ".((int) $rowid); dol_syslog("actionmodify", LOG_DEBUG); //print $sql; 
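Review bot: The `((int) $rowid)` cast in the accountmodel.php @@ -280 hunk assumes the column named by `$rowidcol` is integer-typed, but `$rowidcol` is taken from `$tabrowid[$id]` with `"rowid"` only as the fallback, so if any `$tabrowid` entry names a non-numeric key column the cast turns the id into `0` and the UPDATE silently matches nothing or the wrong row. The same cast is applied in the DELETE, activate and favorite hunks of accountmodel.php, categories_list.php and journals_list.php that follow. Confirm every `$tabrowid` entry is an integer column, and once verified document the assumption at the first cast: `// $rowidcol is always an integer key (rowid, or an int PK listed in $tabrowid)`. The definition of `$tabrowid` and the enclosing `if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha'))` block are outside the hunk.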
@@ -302,7 +302,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete { if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } - $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol."='".$rowid."'"; + $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = ".((int) $rowid); dol_syslog("delete", LOG_DEBUG); $result = $db->query($sql); @@ -323,9 +323,9 @@ if ($action == $acts[0]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$db->escape($code)."'"; } $result = $db->query($sql); @@ -341,9 +341,9 @@ if ($action == $acts[1]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$db->escape($code)."'"; } $result = $db->query($sql); @@ -359,9 +359,9 @@ if ($action == 'activate_favorite') if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$code."'"; + $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$db->escape($code)."'"; } $result = $db->query($sql); 
@@ -377,9 +377,9 @@ if ($action == 'disable_favorite') if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$code."'"; + $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$db->escape($code)."'"; } $result = $db->query($sql); diff --git a/htdocs/accountancy/admin/categories_list.php b/htdocs/accountancy/admin/categories_list.php index ddd4240a073..9469a1e64f1 100644 --- a/htdocs/accountancy/admin/categories_list.php +++ b/htdocs/accountancy/admin/categories_list.php @@ -271,7 +271,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) else $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'"; $i++; } - $sql .= " WHERE ".$rowidcol." = '".$rowid."'"; + $sql .= " WHERE ".$rowidcol." = ".((int) $rowid); dol_syslog("actionmodify", LOG_DEBUG); //print $sql; @@ -293,7 +293,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete { if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } - $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = '".$db->escape($rowid)."'"; + $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = ".((int) $rowid); dol_syslog("delete", LOG_DEBUG); $result = $db->query($sql); @@ -314,7 +314,7 @@ if ($action == $acts[0]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = '".$db->escape($rowid)."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code = '".$db->escape($code)."'"; } 
@@ -332,7 +332,7 @@ if ($action == $acts[1]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = '".$db->escape($rowid)."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code = '".$db->escape($code)."'"; } @@ -350,7 +350,7 @@ if ($action == 'activate_favorite') if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = '".$db->escape($rowid)."'"; + $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code = '".$db->escape($code)."'"; } @@ -368,7 +368,7 @@ if ($action == 'disable_favorite') if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = '".$db->escape($rowid)."'"; + $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code = '".$db->escape($code)."'"; } diff --git a/htdocs/accountancy/admin/fiscalyear.php b/htdocs/accountancy/admin/fiscalyear.php index 5728f78b791..1ddcddf13e6 100644 --- a/htdocs/accountancy/admin/fiscalyear.php +++ b/htdocs/accountancy/admin/fiscalyear.php 
@@ -29,7 +29,7 @@ $action = GETPOST('action', 'aZ09'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/accountancy/admin/journals_list.php b/htdocs/accountancy/admin/journals_list.php index 74247c5fccd..a09a38c959c 100644 --- a/htdocs/accountancy/admin/journals_list.php +++ b/htdocs/accountancy/admin/journals_list.php @@ -274,7 +274,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) else $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'"; $i++; } - $sql .= " WHERE ".$rowidcol." = '".$rowid."'"; + $sql .= " WHERE ".$rowidcol." = ".((int) $rowid); $sql .= " AND entity = ".$conf->entity; dol_syslog("actionmodify", LOG_DEBUG); @@ -297,7 +297,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete { if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } - $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol."='".$rowid."'"; + $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = ".((int) $rowid); $sql .= " AND entity = ".$conf->entity; dol_syslog("delete", LOG_DEBUG); 
@@ -319,9 +319,9 @@ if ($action == $acts[0]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$db->escape($code)."'"; } $sql .= " AND entity = ".$conf->entity; @@ -338,9 +338,9 @@ if ($action == $acts[1]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$db->escape($code)."'"; } $sql .= " AND entity = ".$conf->entity; diff --git a/htdocs/accountancy/admin/productaccount.php b/htdocs/accountancy/admin/productaccount.php index b6465b95355..79bfef57d3a 100644 --- a/htdocs/accountancy/admin/productaccount.php +++ b/htdocs/accountancy/admin/productaccount.php @@ -176,7 +176,7 @@ if ($action == 'update') { if ($accounting_product_mode == 'ACCOUNTANCY_SELL_EXPORT') { $sql .= " SET accountancy_code_sell_export = ".$accounting->account_number; } - $sql .= " WHERE rowid = ".$productid; + $sql .= " WHERE rowid = ".((int) $productid); dol_syslog("/accountancy/admin/productaccount.php sql=".$sql, LOG_DEBUG); if ($db->query($sql)) 
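Review bot: In the productaccount.php @@ -176 hunk the WHERE clause is now cast, but the context line just above it, `$sql .= " SET accountancy_code_sell_export = ".$accounting->account_number;`, still concatenates the account number raw and unquoted; elsewhere in this commit account numbers are compared as quoted, escaped strings (e.g. `aa.account_number = '".$this->db->escape($account)."'"` in bookkeeping.class.php), so this should read `$sql .= " SET accountancy_code_sell_export = '".$db->escape($accounting->account_number)."'";`. The sibling branches for the other `$accounting_product_mode` values lie outside the hunk and presumably have the same shape. The enclosing `if ($action == 'update')` block starts before the hunk.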
@@ -251,21 +251,21 @@ $sql .= " aa.rowid as aaid"; $sql .= " FROM ".MAIN_DB_PREFIX."product as p"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON"; if ($accounting_product_mode == 'ACCOUNTANCY_BUY') { - $sql .= " p.accountancy_code_buy = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'"; + $sql .= " p.accountancy_code_buy = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'"; } elseif ($accounting_product_mode == 'ACCOUNTANCY_BUY_INTRA') { - $sql .= " p.accountancy_code_buy_intra = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'"; + $sql .= " p.accountancy_code_buy_intra = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'"; } elseif ($accounting_product_mode == 'ACCOUNTANCY_BUY_EXPORT') { - $sql .= " p.accountancy_code_buy_export = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'"; + $sql .= " p.accountancy_code_buy_export = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'"; } elseif ($accounting_product_mode == 'ACCOUNTANCY_SELL') { - $sql .= " p.accountancy_code_sell = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'"; + $sql .= " p.accountancy_code_sell = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'"; } elseif ($accounting_product_mode == 'ACCOUNTANCY_SELL_INTRA') { - $sql .= " p.accountancy_code_sell_intra = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'"; + $sql .= " p.accountancy_code_sell_intra = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'"; } else { - $sql .= " p.accountancy_code_sell_export = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'"; + $sql .= " p.accountancy_code_sell_export = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'"; } $sql .= ' WHERE p.entity IN ('.getEntity('product').')'; if ($accounting_product_mode == 'ACCOUNTANCY_BUY') { 
diff --git a/htdocs/accountancy/bookkeeping/balance.php b/htdocs/accountancy/bookkeeping/balance.php index 9079d95d670..3608622916d 100644 --- a/htdocs/accountancy/bookkeeping/balance.php +++ b/htdocs/accountancy/bookkeeping/balance.php @@ -46,7 +46,7 @@ $action = GETPOST('action', 'aZ09'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/accountancy/bookkeeping/list.php b/htdocs/accountancy/bookkeeping/list.php index f8f0cad1996..5ae9c3d4742 100644 --- a/htdocs/accountancy/bookkeeping/list.php +++ b/htdocs/accountancy/bookkeeping/list.php @@ -91,7 +91,7 @@ $search_not_reconciled = GETPOST('search_reconciled_option', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) { $page = 0; } diff --git a/htdocs/accountancy/bookkeeping/listbyaccount.php b/htdocs/accountancy/bookkeeping/listbyaccount.php index 6e7b9dfb54f..e0e16e00d12 100644 --- a/htdocs/accountancy/bookkeeping/listbyaccount.php +++ b/htdocs/accountancy/bookkeeping/listbyaccount.php 
@@ -68,7 +68,7 @@ if (GETPOST("button_delmvt_x") || GETPOST("button_delmvt.x") || GETPOST("button_ // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) { $page = 0; } diff --git a/htdocs/accountancy/bookkeeping/thirdparty_lettering_customer.php b/htdocs/accountancy/bookkeeping/thirdparty_lettering_customer.php index 0b3d98a2742..321ef282dff 100644 --- a/htdocs/accountancy/bookkeeping/thirdparty_lettering_customer.php +++ b/htdocs/accountancy/bookkeeping/thirdparty_lettering_customer.php @@ -147,7 +147,7 @@ $sql = "SELECT bk.rowid, bk.doc_date, bk.doc_type, bk.doc_ref, "; $sql .= " bk.subledger_account, bk.numero_compte , bk.label_compte, bk.debit, "; $sql .= " bk.credit, bk.montant , bk.sens , bk.code_journal , bk.piece_num, bk.lettering_code "; $sql .= " FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as bk"; -$sql .= " WHERE (bk.subledger_account = '".$object->code_compta."' AND bk.numero_compte = '".$conf->global->ACCOUNTING_ACCOUNT_CUSTOMER."' )"; +$sql .= " WHERE (bk.subledger_account = '".$db->escape($object->code_compta)."' AND bk.numero_compte = '".$db->escape($conf->global->ACCOUNTING_ACCOUNT_CUSTOMER)."' )"; /* if (dol_strlen($search_date_start) || dol_strlen($search_date_end)) { diff --git a/htdocs/accountancy/bookkeeping/thirdparty_lettering_supplier.php b/htdocs/accountancy/bookkeeping/thirdparty_lettering_supplier.php index c6ab2fa81d6..144c2595d25 100644 --- a/htdocs/accountancy/bookkeeping/thirdparty_lettering_supplier.php +++ b/htdocs/accountancy/bookkeeping/thirdparty_lettering_supplier.php 
@@ -146,7 +146,7 @@ $sql = "SELECT bk.rowid, bk.doc_date, bk.doc_type, bk.doc_ref, "; $sql .= " bk.subledger_account, bk.numero_compte , bk.label_compte, bk.debit, "; $sql .= " bk.credit, bk.montant , bk.sens , bk.code_journal , bk.piece_num, bk.lettering_code, bk.date_validated "; $sql .= " FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as bk"; -$sql .= " WHERE (bk.subledger_account = '".$object->code_compta_fournisseur."' AND bk.numero_compte = '".$conf->global->ACCOUNTING_ACCOUNT_SUPPLIER."' )"; +$sql .= " WHERE (bk.subledger_account = '".$db->escape($object->code_compta_fournisseur)."' AND bk.numero_compte = '".$db->escape($conf->global->ACCOUNTING_ACCOUNT_SUPPLIER)."' )"; if (dol_strlen($search_date_start) || dol_strlen($search_date_end)) { $sql .= " AND (bk.doc_date BETWEEN '".$db->idate($search_date_start)."' AND '".$db->idate($search_date_end)."' )"; } diff --git a/htdocs/accountancy/class/accountancyexport.class.php b/htdocs/accountancy/class/accountancyexport.class.php index 130c0e97659..0204602438f 100644 --- a/htdocs/accountancy/class/accountancyexport.class.php +++ b/htdocs/accountancy/class/accountancyexport.class.php @@ -1160,7 +1160,8 @@ class AccountancyExport // TYPE C if ($last_codeinvoice != $line->doc_ref) { //recherche societe en fonction de son code client - $sql = "SELECT code_client, fk_forme_juridique, nom, address, zip, town, fk_pays, phone, siret FROM ".MAIN_DB_PREFIX."societe WHERE code_client = '".$line->thirdparty_code."'"; + $sql = "SELECT code_client, fk_forme_juridique, nom, address, zip, town, fk_pays, phone, siret FROM ".MAIN_DB_PREFIX."societe"; + $sql .= " WHERE code_client = '".$this->db->escape($line->thirdparty_code)."'"; $resql = $this->db->query($sql); if ($resql && $this->db->num_rows($resql) > 0) diff --git a/htdocs/accountancy/class/accountancysystem.class.php b/htdocs/accountancy/class/accountancysystem.class.php index 719d33c8574..c2f3468016c 100644 --- a/htdocs/accountancy/class/accountancysystem.class.php 
+++ b/htdocs/accountancy/class/accountancysystem.class.php @@ -101,7 +101,7 @@ class AccountancySystem $sql .= " FROM ".MAIN_DB_PREFIX."accounting_system as a"; $sql .= " WHERE"; if ($rowid) { - $sql .= " a.rowid = '".$rowid."'"; + $sql .= " a.rowid = ".((int) $rowid); } elseif ($ref) { $sql .= " a.pcg_version = '".$this->db->escape($ref)."'"; } diff --git a/htdocs/accountancy/class/accountingjournal.class.php b/htdocs/accountancy/class/accountingjournal.class.php index 6067f557cfb..882eee71769 100644 --- a/htdocs/accountancy/class/accountingjournal.class.php +++ b/htdocs/accountancy/class/accountingjournal.class.php @@ -108,7 +108,7 @@ class AccountingJournal extends CommonObject $sql .= " FROM ".MAIN_DB_PREFIX."accounting_journal"; $sql .= " WHERE"; if ($rowid) { - $sql .= " rowid = ".(int) $rowid; + $sql .= " rowid = ".((int) $rowid); } elseif ($journal_code) { $sql .= " code = '".$this->db->escape($journal_code)."'"; diff --git a/htdocs/accountancy/class/bookkeeping.class.php b/htdocs/accountancy/class/bookkeeping.class.php index 1c377e70192..1e1e42a6047 100644 --- a/htdocs/accountancy/class/bookkeeping.class.php +++ b/htdocs/accountancy/class/bookkeeping.class.php 
@@ -1755,14 +1755,14 @@ class BookKeeping extends CommonObject
 $sql .= ' doc_ref, fk_doc, fk_docdet, entity, thirdparty_code, subledger_account, subledger_label,';
 $sql .= ' numero_compte, label_compte, label_operation, debit, credit,';
 $sql .= ' montant, sens, fk_user_author, import_key, code_journal, journal_label, '.$next_piecenum.", '".$this->db->idate($now)."'";
- $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.$this->db->escape($piece_num);
+ $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.((int) $piece_num);
 $resql = $this->db->query($sql);
 if (!$resql) {
 $error++;
 $this->errors[] = 'Error '.$this->db->lasterror();
 dol_syslog(__METHOD__.' '.join(',', $this->errors), LOG_ERR);
 }
- $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.$this->db->escape($piece_num);
+ $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.((int) $piece_num);
 $resql = $this->db->query($sql);
 if (!$resql) {
 $error++;
@@ -1770,7 +1770,7 @@ class BookKeeping extends CommonObject
 dol_syslog(__METHOD__.' '.join(',', $this->errors), LOG_ERR);
 }
 } elseif ($direction == 1) {
- $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.$piece_num;
+ $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.((int) $piece_num);
 $resql = $this->db->query($sql);
 if (!$resql) {
 $error++;
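Review bot: `$next_piecenum` on the third context line of the @@ -1755 hunk is still concatenated into the INSERT … SELECT unquoted and uncast, while `$piece_num` in the same statement now gets `((int) …)`; it is presumably derived from a `MAX(piece_num)` lookup above the hunk — confirm — but casting it as well, `'.((int) $next_piecenum).", '"`, keeps the statement uniformly hardened and documents that it is an integer. The INSERT statement begins outside the hunk.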
@@ -1785,14 +1785,14 @@ class BookKeeping extends CommonObject
 $sql .= ' doc_ref, fk_doc, fk_docdet, thirdparty_code, subledger_account, subledger_label,';
 $sql .= ' numero_compte, label_compte, label_operation, debit, credit,';
 $sql .= ' montant, sens, fk_user_author, import_key, code_journal, journal_label, piece_num';
- $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.' WHERE piece_num = '.$piece_num;
+ $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.' WHERE piece_num = '.((int) $piece_num);
 $resql = $this->db->query($sql);
 if (!$resql) {
 $error++;
 $this->errors[] = 'Error '.$this->db->lasterror();
 dol_syslog(__METHOD__.' '.join(',', $this->errors), LOG_ERR);
 }
- $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.$piece_num;
+ $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.((int) $piece_num);
 $resql = $this->db->query($sql);
 if (!$resql) {
 $error++;
@@ -1910,7 +1910,7 @@ class BookKeeping extends CommonObject
 $sql .= " AND asy.rowid = ".$pcgver;
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as parent ON aa.account_parent = parent.rowid";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as root ON parent.account_parent = root.rowid";
- $sql .= " WHERE aa.account_number = '".$account."'";
+ $sql .= " WHERE aa.account_number = '".$this->db->escape($account)."'";
 $sql .= " AND parent.active = 1";
 $sql .= " AND root.active = 1";
 $sql .= " AND aa.entity IN (".getEntity('accountancy').")";
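Review bot: `$sql .= " AND asy.rowid = ".$pcgver;` on the first context line of the @@ -1910 hunk is left raw, whereas the identical condition in the @@ -1948 hunk of the same file now reads `((int) $pcgver)`; both methods should be hardened the same way, so change this line to `$sql .= " AND asy.rowid = ".((int) $pcgver);`. The enclosing method starts outside the hunk, so I cannot see where `$pcgver` is read from.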
@@ -1948,8 +1948,8 @@ class BookKeeping extends CommonObject $sql = "SELECT aa.account_number, aa.label, aa.rowid, aa.fk_pcg_version, cat.label as category"; $sql .= " FROM ".MAIN_DB_PREFIX."accounting_account as aa "; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_system as asy ON aa.fk_pcg_version = asy.pcg_version"; - $sql .= " AND aa.account_number = '".$account."'"; - $sql .= " AND asy.rowid = ".$pcgver; + $sql .= " AND aa.account_number = '".$this->db->escape($account)."'"; + $sql .= " AND asy.rowid = ".((int) $pcgver); $sql .= " AND aa.active = 1"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_accounting_category as cat ON aa.fk_accounting_category = cat.rowid"; $sql .= " WHERE aa.entity IN (".getEntity('accountancy').")"; diff --git a/htdocs/accountancy/class/lettering.class.php b/htdocs/accountancy/class/lettering.class.php index d663e0ec9c4..cfe9bf635ae 100644 --- a/htdocs/accountancy/class/lettering.class.php +++ b/htdocs/accountancy/class/lettering.class.php @@ -68,11 +68,11 @@ class Lettering extends BookKeeping $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."bank_url as bu ON(bk.fk_doc = bu.fk_bank AND bu.type IN ('payment', 'payment_supplier') ) "; $sql .= " WHERE ( "; if ($object->code_compta != "") - $sql .= " bk.subledger_account = '".$object->code_compta."' "; + $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' "; if ($object->code_compta != "" && $object->code_compta_fournisseur != "") $sql .= " OR "; if ($object->code_compta_fournisseur != "") - $sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' "; + $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' "; $sql .= " ) AND (bk.date_lettering ='' OR bk.date_lettering IS NULL) "; $sql .= " AND (bk.lettering_code != '' OR bk.lettering_code IS NULL) "; 
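Review bot: The lettering.class.php @@ -68 hunk writes the two `subledger_account` conditions as brace-less one-line `if` bodies, while the four copies of the same filter in the following hunks (@@ -95, -129, -154, -188) use braces; beyond the inconsistency, this block is now the fifth verbatim copy of the `code_compta` / `code_compta_fournisseur` OR-filter, each escaped separately. A small private helper returning the escaped fragment, e.g. `private function getSubledgerFilterSql($object)`, would let all five call sites share one escape path and make any future hardening a single change. The enclosing method starts before the hunk.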
@@ -95,19 +95,19 @@ class Lettering extends BookKeeping $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn facf "; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."paiementfourn_facturefourn as payfacf ON payfacf.fk_facturefourn=facf.rowid"; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."paiementfourn as payf ON payfacf.fk_paiementfourn=payf.rowid"; - $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON (bk.fk_doc = payf.fk_bank AND bk.code_journal='".$obj->code_journal."')"; - $sql .= " WHERE payfacf.fk_paiementfourn = '".$obj->url_id."' "; + $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON (bk.fk_doc = payf.fk_bank AND bk.code_journal='".$this->db->escape($obj->code_journal)."')"; + $sql .= " WHERE payfacf.fk_paiementfourn = '".$this->db->escape($obj->url_id)."' "; $sql .= " AND facf.entity = ".$conf->entity; $sql .= " AND code_journal IN (SELECT code FROM ".MAIN_DB_PREFIX."accounting_journal WHERE nature=4 AND entity=".$conf->entity.") "; $sql .= " AND ( "; if ($object->code_compta != "") { - $sql .= " bk.subledger_account = '".$object->code_compta."' "; + $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' "; } if ($object->code_compta != "" && $object->code_compta_fournisseur != "") { $sql .= " OR "; } if ($object->code_compta_fournisseur != "") { - $sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' "; + $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' "; } $sql .= " ) "; 
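Review bot: `payfacf.fk_paiementfourn = '".$this->db->escape($obj->url_id)."'"` quotes and escapes what appears to be a numeric foreign key (it is compared against an `fk_*` rowid reference, and `$obj` seems to come from the `bank_url` join in the @@ -68 hunk); the rest of this commit casts such ids with `((int) …)`, which is the stronger and more consistent choice: `$sql .= " WHERE payfacf.fk_paiementfourn = ".((int) $obj->url_id)." ";`. The same applies to `payfac.fk_paiement` in the @@ -154 hunk. The query that fills `$obj` is outside the hunk, so confirm `url_id` is integer-typed before dropping the quotes.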
@@ -129,13 +129,13 @@ class Lettering extends BookKeeping $sql .= " AND facf.entity = ".$conf->entity; $sql .= " AND ( "; if ($object->code_compta != "") { - $sql .= " bk.subledger_account = '".$object->code_compta."' "; + $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' "; } if ($object->code_compta != "" && $object->code_compta_fournisseur != "") { $sql .= " OR "; } if ($object->code_compta_fournisseur != "") { - $sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' "; + $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' "; } $sql .= ") "; 
@@ -154,19 +154,19 @@ class Lettering extends BookKeeping $sql .= " FROM ".MAIN_DB_PREFIX."facture fac "; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."paiement_facture as payfac ON payfac.fk_facture=fac.rowid"; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."paiement as pay ON payfac.fk_paiement=pay.rowid"; - $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON (bk.fk_doc = pay.fk_bank AND bk.code_journal='".$obj->code_journal."')"; - $sql .= " WHERE payfac.fk_paiement = '".$obj->url_id."' "; + $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON (bk.fk_doc = pay.fk_bank AND bk.code_journal='".$this->db->escape($obj->code_journal)."')"; + $sql .= " WHERE payfac.fk_paiement = '".$this->db->escape($obj->url_id)."' "; $sql .= " AND bk.code_journal IN (SELECT code FROM ".MAIN_DB_PREFIX."accounting_journal WHERE nature=4 AND entity=".$conf->entity.") "; $sql .= " AND fac.entity IN (".getEntity('invoice', 0).")"; // We don't share object for accountancy $sql .= " AND ( "; if ($object->code_compta != "") { - $sql .= " bk.subledger_account = '".$object->code_compta."' "; + $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' "; } if ($object->code_compta != "" && $object->code_compta_fournisseur != "") { $sql .= " OR "; } if ($object->code_compta_fournisseur != "") { - $sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' "; + $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' "; } $sql .= " )"; 
@@ -188,13 +188,13 @@ class Lettering extends BookKeeping $sql .= " AND fac.entity IN (".getEntity('invoice', 0).")"; // We don't share object for accountancy $sql .= " AND ( "; if ($object->code_compta != "") { - $sql .= " bk.subledger_account = '".$object->code_compta."' "; + $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' "; } if ($object->code_compta != "" && $object->code_compta_fournisseur != "") { $sql .= " OR "; } if ($object->code_compta_fournisseur != "") { - $sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' "; + $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' "; } $sql .= " ) "; @@ -238,7 +238,7 @@ class Lettering extends BookKeeping $lettre = 'AAA'; $sql = "SELECT DISTINCT lettering_code FROM ".MAIN_DB_PREFIX."accounting_bookkeeping WHERE "; - $sql .= " lettering_code != '' ORDER BY lettering_code DESC limit 1; "; + $sql .= " lettering_code != '' ORDER BY lettering_code DESC limit 1"; $result = $this->db->query($sql); if ($result) { @@ -252,7 +252,7 @@ class Lettering extends BookKeeping } $sql = "SELECT SUM(ABS(debit)) as deb, SUM(ABS(credit)) as cred FROM ".MAIN_DB_PREFIX."accounting_bookkeeping WHERE "; - $sql .= " rowid IN (".implode(',', $ids).") AND date_validated IS NULL "; + $sql .= " rowid IN (".implode(',', $ids).") AND date_validated IS NULL"; $result = $this->db->query($sql); if ($result) { $obj = $this->db->fetch_object($result); @@ -272,7 +272,7 @@ class Lettering extends BookKeeping if (!$error) { $sql = "UPDATE ".MAIN_DB_PREFIX."accounting_bookkeeping SET"; - $sql .= " lettering_code='".$lettre."'"; + $sql .= " lettering_code='".$this->db->escape($lettre)."'"; $sql .= " , date_lettering = '".$this->db->idate($now)."'"; // todo correct date it's false $sql .= " WHERE rowid IN (".implode(',', $ids).") AND date_validated IS NULL "; $this->db->begin(); 
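Review bot: In the @@ -252 and @@ -272 hunks `rowid IN (".implode(',', $ids).")` interpolates the id list without any per-element cast, so the hardening applied to `$lettre` just below stops short of the list that actually selects the rows; use `implode(',', array_map('intval', $ids))` in both statements, and guard the empty-array case, which otherwise yields the invalid `IN ()`. `$ids` comes from outside the hunk, so I cannot tell whether callers already validate it; a comment such as `// $ids must be a list of integer rowids` at the top of the method would make the contract explicit either way.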
diff --git a/htdocs/accountancy/customer/index.php b/htdocs/accountancy/customer/index.php index 69135e75c4d..1a5098bda38 100644 --- a/htdocs/accountancy/customer/index.php +++ b/htdocs/accountancy/customer/index.php @@ -131,9 +131,9 @@ if ($action == 'validatehistory') { $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = s.fk_pays "; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."facturedet as l ON f.rowid = l.fk_facture"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product"; - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_sell = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity; - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_sell_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$chartaccountcode."' AND aa2.entity = ".$conf->entity; - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$chartaccountcode."' AND aa3.entity = ".$conf->entity; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_sell = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_sell_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity; $sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0"; $sql .= " AND l.product_type <= 2"; 
@@ -402,7 +402,7 @@ if ($conf->global->MAIN_FEATURES_LEVEL > 0) // This part of code looks strange. } print ''.$langs->trans("Total").''; - $sql = "SELECT '".$langs->trans("TotalVente")."' AS total,"; + $sql = "SELECT '".$db->escape($langs->trans("TotalVente"))."' AS total,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1; if ($j > 12) $j -= 12; @@ -459,7 +459,7 @@ if ($conf->global->MAIN_FEATURES_LEVEL > 0) // This part of code looks strange. } print ''.$langs->trans("Total").''; - $sql = "SELECT '".$langs->trans("Vide")."' AS marge,"; + $sql = "SELECT '".$db->escape($langs->trans("Vide"))."' AS marge,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1; if ($j > 12) $j -= 12; diff --git a/htdocs/accountancy/customer/lines.php b/htdocs/accountancy/customer/lines.php index 2baed5d4653..5d35040f6ab 100644 --- a/htdocs/accountancy/customer/lines.php +++ b/htdocs/accountancy/customer/lines.php @@ -61,7 +61,7 @@ $search_tvaintra = GETPOST('search_tvaintra', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) $page = 0; diff --git a/htdocs/accountancy/customer/list.php b/htdocs/accountancy/customer/list.php index 79a693978d1..3c28cdaab84 100644 --- a/htdocs/accountancy/customer/list.php +++ b/htdocs/accountancy/customer/list.php 
@@ -69,7 +69,7 @@ $btn_ventil = GETPOST('ventil', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) { $page = 0; } @@ -161,8 +161,8 @@ if ($massaction == 'ventil') { $ko++; } else { $sql = " UPDATE ".MAIN_DB_PREFIX."facturedet"; - $sql .= " SET fk_code_ventilation = ".$monCompte; - $sql .= " WHERE rowid = ".$monId; + $sql .= " SET fk_code_ventilation = ".((int) $monCompte); + $sql .= " WHERE rowid = ".((int) $monId); $accountventilated = new AccountingAccount($db); $accountventilated->fetch($monCompte, ''); 
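Review bot: The `(int)` cast is applied at each SQL use of `$monCompte` and `$monId`, but the very next line still hands the raw `$monCompte` to `$accountventilated->fetch($monCompte, '')`, so the same value is treated as untrusted in one statement and trusted in the next. Casting once where the two values are read (outside this hunk, presumably from the mass-action POST array) keeps every consumer consistent and makes later additions safe by default, e.g. `$monId = (int) $monId; $monCompte = (int) $monCompte;` at the top of the loop body. The enclosing loop starts and ends outside the hunk.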
@@ -222,9 +222,9 @@ $sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = s.fk_pays "; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."facturedet as l ON f.rowid = l.fk_facture"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product"; -$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_sell = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity; -$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_sell_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$chartaccountcode."' AND aa2.entity = ".$conf->entity; -$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$chartaccountcode."' AND aa3.entity = ".$conf->entity; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_sell = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_sell_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity; $sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0"; $sql .= " AND l.product_type <= 2"; // Define begin binding date diff --git a/htdocs/accountancy/expensereport/index.php b/htdocs/accountancy/expensereport/index.php index 63305791ec7..6edb8d86a07 100644 
--- a/htdocs/accountancy/expensereport/index.php +++ b/htdocs/accountancy/expensereport/index.php @@ -161,7 +161,7 @@ for ($i = 1; $i <= 12; $i++) { } print ''.$langs->trans("Total").''; -$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; +$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; $sql .= " ".$db->ifsql('aa.label IS NULL', "'tobind'", 'aa.label')." AS intitule,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1; @@ -234,7 +234,7 @@ for ($i = 1; $i <= 12; $i++) { } print ''.$langs->trans("Total").''; -$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; +$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; $sql .= " ".$db->ifsql('aa.label IS NULL', "'tobind'", 'aa.label')." AS intitule,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1; @@ -309,7 +309,7 @@ if ($conf->global->MAIN_FEATURES_LEVEL > 0) // This part of code looks strange. } print ''.$langs->trans("Total").''; - $sql = "SELECT '".$langs->trans("TotalExpenseReport")."' AS label,"; + $sql = "SELECT '".$db->escape($langs->trans("TotalExpenseReport"))."' AS label,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1; if ($j > 12) $j -= 12; diff --git a/htdocs/accountancy/expensereport/lines.php b/htdocs/accountancy/expensereport/lines.php index afb6ae13a6e..f99f1148044 100644 --- a/htdocs/accountancy/expensereport/lines.php +++ b/htdocs/accountancy/expensereport/lines.php 
@@ -55,7 +55,7 @@ $search_year = GETPOST("search_year", "int"); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) $page = 0; diff --git a/htdocs/accountancy/expensereport/list.php b/htdocs/accountancy/expensereport/list.php index 61e2a95fd88..265e9488055 100644 --- a/htdocs/accountancy/expensereport/list.php +++ b/htdocs/accountancy/expensereport/list.php @@ -65,7 +65,7 @@ $search_year = GETPOST("search_year", "int"); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) { $page = 0; } 
@@ -196,7 +196,7 @@ $sql .= " FROM ".MAIN_DB_PREFIX."expensereport as er"; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."expensereport_det as erd ON er.rowid = erd.fk_expensereport"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_type_fees as f ON f.id = erd.fk_c_type_fees"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."user as u ON u.rowid = er.fk_user_author"; -$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON f.accountancy_code = aa.account_number AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON f.accountancy_code = aa.account_number AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity; $sql .= " WHERE er.fk_statut IN (".ExpenseReport::STATUS_APPROVED.", ".ExpenseReport::STATUS_CLOSED.") AND erd.fk_code_ventilation <= 0"; // Define begin binding date if (!empty($conf->global->ACCOUNTING_DATE_START_BINDING)) { diff --git a/htdocs/accountancy/supplier/index.php b/htdocs/accountancy/supplier/index.php index f1807c1c2cc..0dbe09fa468 100644 --- a/htdocs/accountancy/supplier/index.php +++ b/htdocs/accountancy/supplier/index.php 
@@ -128,9 +128,9 @@ if ($action == 'validatehistory') { $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = s.fk_pays "; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."facture_fourn_det as l ON f.rowid = l.fk_facture_fourn"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product"; - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_buy = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity; - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_buy_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$chartaccountcode."' AND aa2.entity = ".$conf->entity; - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_buy_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$chartaccountcode."' AND aa3.entity = ".$conf->entity; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_buy = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_buy_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_buy_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity; $sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0"; $sql .= " AND l.product_type <= 2"; 
@@ -232,7 +232,7 @@ for ($i = 1; $i <= 12; $i++) { } print ''.$langs->trans("Total").''; -$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; +$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; $sql .= " ".$db->ifsql('aa.label IS NULL', "'tobind'", 'aa.label')." AS intitule,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1; @@ -305,7 +305,7 @@ for ($i = 1; $i <= 12; $i++) { } print ''.$langs->trans("Total").''; -$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; +$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; $sql .= " ".$db->ifsql('aa.label IS NULL', "'tobind'", 'aa.label')." AS intitule,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1; @@ -380,7 +380,7 @@ if ($conf->global->MAIN_FEATURES_LEVEL > 0) // This part of code looks strange. } print ''.$langs->trans("Total").''; - $sql = "SELECT '".$langs->trans("CAHTF")."' AS label,"; + $sql = "SELECT '".$db->escape($langs->trans("CAHTF"))."' AS label,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1; if ($j > 12) $j -= 12; diff --git a/htdocs/accountancy/supplier/lines.php b/htdocs/accountancy/supplier/lines.php index dacca2a226d..903d2188a80 100644 --- a/htdocs/accountancy/supplier/lines.php +++ b/htdocs/accountancy/supplier/lines.php 
@@ -62,7 +62,7 @@ $search_tvaintra = GETPOST('search_tvaintra', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) $page = 0; diff --git a/htdocs/accountancy/supplier/list.php b/htdocs/accountancy/supplier/list.php index 9b700aeac56..9e1668e1a35 100644 --- a/htdocs/accountancy/supplier/list.php +++ b/htdocs/accountancy/supplier/list.php @@ -69,7 +69,7 @@ $btn_ventil = GETPOST('ventil', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) { $page = 0; } 
@@ -226,9 +226,9 @@ $sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = s.fk_pays "; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."facture_fourn_det as l ON f.rowid = l.fk_facture_fourn"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product"; -$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_buy = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity; -$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_buy_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$chartaccountcode."' AND aa2.entity = ".$conf->entity; -$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_buy_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$chartaccountcode."' AND aa3.entity = ".$conf->entity; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_buy = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_buy_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_buy_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity; $sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0"; $sql .= " AND l.product_type <= 2"; // Define begin binding date diff --git a/htdocs/adherents/card.php b/htdocs/adherents/card.php index d7a05a1805e..0a32398f307 100644 --- a/htdocs/adherents/card.php +++ b/htdocs/adherents/card.php 
@@ -152,7 +152,7 @@ if (empty($reshook)) { if (!$error) { if ($socid != $object->socid) { // If link differs from currently in database $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."adherent"; - $sql .= " WHERE socid = '".$socid."'"; + $sql .= " WHERE socid = ".((int) $socid); $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) { @@ -1454,7 +1454,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { // Login if (empty($conf->global->ADHERENT_LOGIN_NOT_REQUIRED)) { - print ''.$langs->trans("Login").' / '.$langs->trans("Id").''.$object->login.' '; + print ''.$langs->trans("Login").' / '.$langs->trans("Id").''.dol_escape_htmltag($object->login).''; } // Type @@ -1471,10 +1471,10 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { print ''; // Company - print ''.$langs->trans("Company").''.$object->company.''; + print ''.$langs->trans("Company").''.dol_escape_htmltag($object->company).''; // Civility - print ''.$langs->trans("UserTitle").''.$object->getCivilityLabel().' '; + print ''.$langs->trans("UserTitle").''.$object->getCivilityLabel().''; print ''; // Password diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php index 1475f544f67..95ca2017b21 100644 --- a/htdocs/adherents/class/adherent.class.php +++ b/htdocs/adherents/class/adherent.class.php @@ -1117,7 +1117,7 @@ class Adherent extends CommonObject // Remove link to third party onto any other members if ($thirdpartyid > 0) { $sql = "UPDATE ".MAIN_DB_PREFIX."adherent SET fk_soc = null"; - $sql .= " WHERE fk_soc = '".$thirdpartyid."'"; + $sql .= " WHERE fk_soc = ".((int) $thirdpartyid); $sql .= " AND entity = ".$conf->entity; dol_syslog(get_class($this)."::setThirdPartyId", LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/adherents/class/adherentstats.class.php b/htdocs/adherents/class/adherentstats.class.php index c953d929442..d86a9e21d8c 100644 
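Review bot: In the `@@ -1471` hunk `$object->getCivilityLabel()` is still printed unescaped on the row right after `$object->company`, which the same hunk now wraps in `dol_escape_htmltag()`, so the card's safety now depends on what that method returns. If it only resolves a translated dictionary label it is harmless, but that is not visible from here; the consistent form, given that the neighbouring fields are escaped regardless of origin, is to print `dol_escape_htmltag($object->getCivilityLabel())`. The HTML tags were stripped from this listing, so the markup around the value has to be taken from the file itself.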
--- a/htdocs/adherents/class/adherentstats.class.php +++ b/htdocs/adherents/class/adherentstats.class.php @@ -92,7 +92,7 @@ class AdherentStats extends Stats $sql = "SELECT date_format(p.dateadh,'%m') as dm, count(*)"; $sql .= " FROM ".$this->from; //if (!$user->rights->societe->client->voir && !$user->socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE date_format(p.dateadh,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(p.dateadh,'%Y') = ".((int) $year); $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); @@ -133,7 +133,7 @@ class AdherentStats extends Stats $sql = "SELECT date_format(p.dateadh,'%m') as dm, sum(p.".$this->field.")"; $sql .= " FROM ".$this->from; //if (!$user->rights->societe->client->voir && !$user->socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE date_format(p.dateadh,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(p.dateadh,'%Y') = ".((int) $year); $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); @@ -154,7 +154,7 @@ class AdherentStats extends Stats $sql = "SELECT date_format(p.dateadh,'%m') as dm, avg(p.".$this->field.")"; $sql .= " FROM ".$this->from; //if (!$user->rights->societe->client->voir && !$this->socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE date_format(p.dateadh,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(p.dateadh,'%Y') = ".((int) $year); $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); diff --git a/htdocs/adherents/class/api_members.class.php b/htdocs/adherents/class/api_members.class.php index 990e21dd08b..230b839f726 100644 --- a/htdocs/adherents/class/api_members.class.php +++ b/htdocs/adherents/class/api_members.class.php 
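Review bot: Dropping the quotes around the year turns `date_format(p.dateadh,'%Y') = '2020'` into a text-versus-integer comparison; MySQL coerces silently, but on PostgreSQL, where Dolibarr's driver rewrites `date_format`, comparing a text result with an unquoted integer is likely to raise an operator error instead of returning rows. The cast is the right hardening; keeping the literal quoted preserves the old portability: `$sql .= " WHERE date_format(p.dateadh,'%Y') = '".((int) $year)."'";`. The same edit is repeated in the two following hunks and should follow whichever form is chosen. Each of the three methods begins and ends outside its hunk.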
@@ -227,7 +227,7 @@ class Members extends DolibarrApi } // Select members of given category if ($category > 0) { - $sql .= " AND c.fk_categorie = ".$db->escape($category); + $sql .= " AND c.fk_categorie = ".$this->db->escape($category); $sql .= " AND c.fk_member = t.rowid "; } // Add sql filters @@ -239,23 +239,23 @@ class Members extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { $page = 0; } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $member = new Adherent($this->db); if ($member->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($member); @@ -263,7 +263,7 @@ class Members extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve member list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve member list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No member found'); diff --git a/htdocs/adherents/class/api_memberstypes.class.php b/htdocs/adherents/class/api_memberstypes.class.php index a5923914187..682fb9d707c 100644 --- a/htdocs/adherents/class/api_memberstypes.class.php +++ b/htdocs/adherents/class/api_memberstypes.class.php 
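Review bot: `$this->db->escape($category)` around an unquoted numeric operand gives no injection protection: `escape()` only neutralises quote characters and there are none to neutralise in `AND c.fk_categorie = 1 OR 1=1`. The hunk fixes the undefined `$db` but keeps that weakness; the `if ($category > 0)` guard above it only limits exposure if `$category` is already numeric, which depends on the method signature outside the hunk. An integer cast is the robust form: `$sql .= " AND c.fk_categorie = ".((int) $category);`. The enclosing method begins and ends outside the hunk.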
@@ -109,23 +109,23 @@ class MembersTypes extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { $page = 0; } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $membertype = new AdherentType($this->db); if ($membertype->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($membertype); @@ -133,7 +133,7 @@ class MembersTypes extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve member type list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve member type list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No member type found'); diff --git a/htdocs/adherents/class/api_subscriptions.class.php b/htdocs/adherents/class/api_subscriptions.class.php index 502a855657c..d5adbb0bc5b 100644 --- a/htdocs/adherents/class/api_subscriptions.class.php +++ b/htdocs/adherents/class/api_subscriptions.class.php 
@@ -107,22 +107,22 @@ class Subscriptions extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { $page = 0; } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); while ($i < min($limit, $num)) { - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $subscription = new Subscription($this->db); if ($subscription->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($subscription); @@ -130,7 +130,7 @@ class Subscriptions extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve subscription list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve subscription list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No Subscription found'); diff --git a/htdocs/adherents/index.php b/htdocs/adherents/index.php index 89f95b3e3dc..c63bb9049ca 100644 --- a/htdocs/adherents/index.php +++ b/htdocs/adherents/index.php @@ -282,7 +282,7 @@ print '
'; /* * Latest modified members */ -$max = 5; +$max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT; $sql = "SELECT a.rowid, a.statut, a.lastname, a.firstname, a.societe as company, a.fk_soc,"; $sql .= " a.tms as datem, datefin as date_end_subscription,"; @@ -337,7 +337,7 @@ if ($resql) { /* * Last modified subscriptions */ -$max = 5; +$max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT; $sql = "SELECT a.rowid, a.statut, a.lastname, a.firstname, a.societe as company, a.fk_soc,"; $sql .= " datefin as date_end_subscription,"; diff --git a/htdocs/adherents/list.php b/htdocs/adherents/list.php index 4245bf2e74a..75c9c731810 100644 --- a/htdocs/adherents/list.php +++ b/htdocs/adherents/list.php @@ -281,7 +281,7 @@ if ($search_ref) { if ($search_civility) $sql .= natural_search("d.civility", $search_civility); if ($search_firstname) $sql .= natural_search("d.firstname", $search_firstname); if ($search_lastname) $sql .= natural_search(array("d.firstname", "d.lastname", "d.societe"), $search_lastname); -if ($search_gender != '' && $search_gender != '-1') $sql .= " AND d.gender = '".$search_gender."'"; +if ($search_gender != '' && $search_gender != '-1') $sql .= natural_search("d.gender", $search_gender); if ($search_login) $sql .= natural_search("d.login", $search_login); if ($search_company) $sql .= natural_search("s.nom", $search_company); if ($search_email) $sql .= natural_search("d.email", $search_email); 
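Review bot: `$max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT;` replaces a hard-coded 5 with a setting that has no fallback, so on an instance where the constant is undefined `$max` becomes null and whatever limit clause it feeds further down (outside the hunk) is built from an empty value. The previous behaviour is kept and the setting still honoured with `$max = empty($conf->global->MAIN_SIZE_SHORTLIST_LIMIT) ? 5 : (int) $conf->global->MAIN_SIZE_SHORTLIST_LIMIT;`. The same assignment is repeated in the following hunk for the subscriptions list.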
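Review bot: Switching the gender filter to `natural_search("d.gender", $search_gender)` changes the semantics from exact equality to natural_search's default `LIKE '%…%'` match, so a search for `man` will also return rows whose gender is `woman`. Escaping was the goal, and it is achieved without the semantic change by keeping the equality and escaping the value: `if ($search_gender != '' && $search_gender != '-1') $sql .= " AND d.gender = '".$db->escape($search_gender)."'";`. The surrounding filter block continues outside the hunk.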
@@ -370,6 +370,7 @@ if ($search_lastname) $param .= "&search_lastname=".urlencode($search_lastname) if ($search_gender) $param .= "&search_gender=".urlencode($search_gender); if ($search_login) $param .= "&search_login=".urlencode($search_login); if ($search_email) $param .= "&search_email=".urlencode($search_email); +if ($search_categ) $param .= "&search_categ=".urlencode($search_categ); if ($search_company) $param .= "&search_company=".urlencode($search_company); if ($search_address != '') $param .= "&search_address=".urlencode($search_address); if ($search_town != '') $param .= "&search_town=".urlencode($search_town); @@ -502,16 +503,16 @@ if (!empty($arrayfields['t.libelle']['checked'])) { if (!empty($arrayfields['d.address']['checked'])) { print ''; - print ''; + print ''; } if (!empty($arrayfields['d.zip']['checked'])) { print ''; - print ''; + print ''; } if (!empty($arrayfields['d.town']['checked'])) { print ''; - print ''; + print ''; } // State if (!empty($arrayfields['state.nom']['checked'])) { @@ -528,24 +529,24 @@ if (!empty($arrayfields['country.code_iso']['checked'])) { // Phone pro if (!empty($arrayfields['d.phone']['checked'])) { print ''; - print ''; + print ''; } // Phone perso if (!empty($arrayfields['d.phone_perso']['checked'])) { print ''; - print ''; + print ''; } // Phone mobile if (!empty($arrayfields['d.phone_mobile']['checked'])) { print ''; - print ''; + print ''; } // Email if (!empty($arrayfields['d.email']['checked'])) { print ''; - print ''; + print ''; } - +// End of subscription date if (!empty($arrayfields['d.datefin']['checked'])) { print ''; print ''; diff --git a/htdocs/adherents/stats/byproperties.php b/htdocs/adherents/stats/byproperties.php index 90187e483dc..62e503f8170 100644 --- a/htdocs/adherents/stats/byproperties.php +++ b/htdocs/adherents/stats/byproperties.php @@ -141,10 +141,11 @@ if (!count($data)) { } // Print array +print '
'; // You can use div-table-responsive-no-min if you dont need reserved height for your table print ''; print ''; print ''; -print ''; +print ''; print ''; print ''; print ''; @@ -170,7 +171,7 @@ foreach ($data as $val) { } print '
'.$langs->trans("MemberNature").''.$langs->trans("NbOfMembers").' ('.$langs->trans("AllTime").')'.$langs->trans("NbOfMembers").' ('.$langs->trans("AllTime").')'.$langs->trans("NbOfActiveMembers").''.$langs->trans("LastMemberDate").''.$langs->trans("NbOfSubscriptions").'
'; - +print '
'; dol_fiche_end(); diff --git a/htdocs/adherents/stats/geo.php b/htdocs/adherents/stats/geo.php index edb37a9d4a8..f7001656bd9 100644 --- a/htdocs/adherents/stats/geo.php +++ b/htdocs/adherents/stats/geo.php @@ -45,7 +45,7 @@ $startyear = $year - 2; $endyear = $year; // Load translation files required by the page -$langs->loadLangs(array("companies", "members")); +$langs->loadLangs(array("companies", "members", "banks")); /* @@ -272,12 +272,13 @@ if (count($arrayjs) && $mode == 'memberbycountry') { } if ($mode) { - // Print array / Affiche le tableau - print ''; + // Print array + print '
'; // You can use div-table-responsive-no-min if you dont need reserved height for your table + print '
'; print ''; print ''; if ($label2) print ''; - print ''; + print ''; print ''; print ''; print ''; @@ -294,6 +295,7 @@ if ($mode) { } print '
'.$label.''.$label2.''.$langs->trans("NbOfMembers").' ('.$langs->trans("AllTime").')'.$langs->trans("NbOfMembers").' ('.$langs->trans("AllTime").')'.$langs->trans("LastMemberDate").''.$langs->trans("LatestSubscriptionDate").'
'; + print '
'; } diff --git a/htdocs/adherents/subscription.php b/htdocs/adherents/subscription.php index 88924efdf93..67880c303cb 100644 --- a/htdocs/adherents/subscription.php +++ b/htdocs/adherents/subscription.php @@ -47,7 +47,7 @@ $typeid = GETPOST('typeid', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/adherents/subscription/list.php b/htdocs/adherents/subscription/list.php index 4d0e2ec7439..b06ee5f227e 100644 --- a/htdocs/adherents/subscription/list.php +++ b/htdocs/adherents/subscription/list.php @@ -154,8 +154,8 @@ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."bank as b ON c.fk_bank=b.rowid"; $sql .= " WHERE d.entity IN (".getEntity('adherent').")"; if (isset($date_select) && $date_select != '') { - $sql .= " AND c.dateadh >= '".$date_select."-01-01 00:00:00'"; - $sql .= " AND c.dateadh < '".($date_select + 1)."-01-01 00:00:00'"; + $sql .= " AND c.dateadh >= '".((int) $date_select)."-01-01 00:00:00'"; + $sql .= " AND c.dateadh < '".((int) $date_select + 1)."-01-01 00:00:00'"; } if ($search_ref) { if (is_numeric($search_ref)) $sql .= " AND (c.rowid = ".$db->escape($search_ref).")"; diff --git a/htdocs/admin/bank.php b/htdocs/admin/bank.php index 76df9b412ec..6f669d900ba 100644 --- a/htdocs/admin/bank.php +++ b/htdocs/admin/bank.php 
@@ -283,7 +283,7 @@ print load_fiche_titre($langs->trans("BankAccountModelModule"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) { diff --git a/htdocs/admin/barcode.php b/htdocs/admin/barcode.php index 975869c1ff0..cddb91d0d49 100644 --- a/htdocs/admin/barcode.php +++ b/htdocs/admin/barcode.php @@ -58,10 +58,10 @@ if ($action == 'setbarcodeproducton') if ($action == 'setcoder') { $coder = GETPOST('coder', 'alpha'); - $code_id = GETPOST('code_id', 'alpha'); + $code_id = GETPOST('code_id', 'int'); $sqlp = "UPDATE ".MAIN_DB_PREFIX."c_barcode_type"; - $sqlp .= " SET coder = '".$coder."'"; - $sqlp .= " WHERE rowid = ".$code_id; + $sqlp .= " SET coder = '".$db->escape($coder)."'"; + $sqlp .= " WHERE rowid = ".((int) $code_id); $sqlp .= " AND entity = ".$conf->entity; $resql = $db->query($sqlp); @@ -104,8 +104,8 @@ if ($action == 'setcoder') $code_id = $obj->rowid; $sqlp = "UPDATE ".MAIN_DB_PREFIX."c_barcode_type"; - $sqlp .= " SET coder = '".$coder."'"; - $sqlp .= " WHERE rowid = ".$code_id; + $sqlp .= " SET coder = '".$db->escape($coder)."'"; + $sqlp .= " WHERE rowid = ".((int) $code_id); $sqlp .= " AND entity = ".$conf->entity; $upsql = $db->query($sqlp); diff --git a/htdocs/admin/bom.php b/htdocs/admin/bom.php index 1f19cb75b77..50c919a628a 100644 --- a/htdocs/admin/bom.php +++ b/htdocs/admin/bom.php @@ -292,7 +292,7 @@ print load_fiche_titre($langs->trans("BOMsModelModule"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/boxes.php b/htdocs/admin/boxes.php index 412427494e3..4f6dfff33a5 100644 
--- a/htdocs/admin/boxes.php +++ b/htdocs/admin/boxes.php @@ -192,12 +192,12 @@ if ($action == 'switch') $newsecondnum = preg_replace('/[a-zA-Z]+/', '', $newsecond); $newsecond = sprintf("%s%02d", $newsecondchar ? $newsecondchar : 'A', $newsecondnum + 1); } - $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$newfirst."' WHERE rowid=".$objfrom->rowid; + $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$db->escape($newfirst)."' WHERE rowid=".$objfrom->rowid; dol_syslog($sql); $resultupdatefrom = $db->query($sql); if (!$resultupdatefrom) { dol_print_error($db); } - $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$newsecond."' WHERE rowid=".$objto->rowid; + $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$db->escape($newsecond)."' WHERE rowid=".$objto->rowid; dol_syslog($sql); $resultupdateto = $db->query($sql); if (!$resultupdateto) { dol_print_error($db); } @@ -261,7 +261,7 @@ if ($resql) // This occurs just after an insert. if ($decalage) { - $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$decalage."' WHERE rowid=".$obj->rowid; + $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$db->escape($decalage)."' WHERE rowid=".$obj->rowid; $db->query($sql); } } 
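Review bot: In the `switch` hunk the newly escaped `box_order` values are paired with `WHERE rowid=".$objfrom->rowid` and `".$objto->rowid`, which are still concatenated without a cast; the `@@ -261` hunk on the same line does the same with `$obj->rowid`. These presumably come from an earlier fetch rather than from the request, so this is a consistency point rather than a demonstrated hole, but the rest of the commit settles on `((int) $rowid)` for rowid comparisons and `WHERE rowid=".((int) $objfrom->rowid)` would match it. The enclosing `if ($action == 'switch')` block starts outside the hunk.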
@@ -286,12 +286,12 @@ if ($resql) if (preg_match("/[13579]{1}/", substr($record['box_order'], -1))) { $box_order = "A0".$record['box_order']; - $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$box_order."' WHERE entity = ".$conf->entity." AND box_order = '".$record['box_order']."'"; + $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$db->escape($box_order)."' WHERE entity = ".$conf->entity." AND box_order = '".$db->escape($record['box_order'])."'"; $resql = $db->query($sql); } elseif (preg_match("/[02468]{1}/", substr($record['box_order'], -1))) { $box_order = "B0".$record['box_order']; - $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$box_order."' WHERE entity = ".$conf->entity." AND box_order = '".$record['box_order']."'"; + $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$db->escape($box_order)."' WHERE entity = ".$conf->entity." AND box_order = '".$db->escape($record['box_order'])."'"; $resql = $db->query($sql); } } elseif (dol_strlen($record['box_order']) == 2) @@ -299,12 +299,12 @@ if ($resql) if (preg_match("/[13579]{1}/", substr($record['box_order'], -1))) { $box_order = "A".$record['box_order']; - $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$box_order."' WHERE entity = ".$conf->entity." AND box_order = '".$record['box_order']."'"; + $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$db->escape($box_order)."' WHERE entity = ".$conf->entity." AND box_order = '".$db->escape($record['box_order'])."'"; $resql = $db->query($sql); } elseif (preg_match("/[02468]{1}/", substr($record['box_order'], -1))) { $box_order = "B".$record['box_order']; - $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$box_order."' WHERE entity = ".$conf->entity." AND box_order = '".$record['box_order']."'"; + $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$db->escape($box_order)."' WHERE entity = ".$conf->entity." AND box_order = '".$db->escape($record['box_order'])."'"; $resql = $db->query($sql); } } 
diff --git a/htdocs/admin/commande.php b/htdocs/admin/commande.php index 9add7675da6..288eac6de92 100644 --- a/htdocs/admin/commande.php +++ b/htdocs/admin/commande.php @@ -357,7 +357,7 @@ print load_fiche_titre($langs->trans("OrdersModelModule"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/const.php b/htdocs/admin/const.php index 7c08a7d0201..5a525cbe9ad 100644 --- a/htdocs/admin/const.php +++ b/htdocs/admin/const.php @@ -46,7 +46,7 @@ $constnote = GETPOST('constnote', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/admin/contract.php b/htdocs/admin/contract.php index 0b84e23d992..971596d1c06 100644 --- a/htdocs/admin/contract.php +++ b/htdocs/admin/contract.php @@ -287,7 +287,7 @@ print load_fiche_titre($langs->trans("TemplatePDFContracts"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/emailcollector_list.php b/htdocs/admin/emailcollector_list.php index b538a64c9e9..2ed95ce91b9 100644 
--- a/htdocs/admin/emailcollector_list.php +++ b/htdocs/admin/emailcollector_list.php @@ -51,7 +51,7 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/admin/events.php b/htdocs/admin/events.php index fe87c2a9ef4..931cefb2992 100644 --- a/htdocs/admin/events.php +++ b/htdocs/admin/events.php @@ -41,7 +41,7 @@ $optioncss = GETPOST('optioncss', 'aZ'); // Option for the css output (always '' // Load variable for pagination $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters diff --git a/htdocs/admin/expedition.php b/htdocs/admin/expedition.php index 92372c076cb..cf01d287d23 100644 --- a/htdocs/admin/expedition.php +++ b/htdocs/admin/expedition.php 
@@ -296,7 +296,7 @@ $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); diff --git a/htdocs/admin/expensereport.php b/htdocs/admin/expensereport.php index f082c89286f..13b1b0277a6 100644 --- a/htdocs/admin/expensereport.php +++ b/htdocs/admin/expensereport.php @@ -297,7 +297,7 @@ $type = 'expensereport'; $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/export.php b/htdocs/admin/export.php index d9c2c508464..d066197b580 100644 --- a/htdocs/admin/export.php +++ b/htdocs/admin/export.php @@ -90,7 +90,7 @@ print ''; print ''.$langs->trans("EXPORTS_SHARE_MODELS").''; print ' '; print ''; -echo ajax_constantonoff('EXPORTS_SHARE_MODELS'); +print ajax_constantonoff('EXPORTS_SHARE_MODELS'); print ''; print ''; diff --git a/htdocs/admin/external_rss.php b/htdocs/admin/external_rss.php index 3d81ab01c43..7f5bcde4b3d 100644 --- a/htdocs/admin/external_rss.php +++ b/htdocs/admin/external_rss.php @@ -80,8 +80,8 @@ if ($action == 'add' || GETPOST("modify")) { // Supprime boite box_external_rss de definition des boites /* $sql = "UPDATE ".MAIN_DB_PREFIX."boxes_def"; - $sql.= " SET name = '".$boxlabel."'"; - $sql.= " WHERE file ='box_external_rss.php' AND note like '".$_POST["norss"]." %'"; + $sql.= " SET name = '".$db->escape($boxlabel)."'"; + $sql.= " WHERE file ='box_external_rss.php' AND note like '".$db->escape($_POST["norss"])." %'"; $resql=$db->query($sql); if (! $resql) diff --git a/htdocs/admin/facture.php b/htdocs/admin/facture.php index 7042f291828..fe84cf12478 100644 --- a/htdocs/admin/facture.php +++ b/htdocs/admin/facture.php 
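Review bot: The external_rss.php hunk only edits lines inside a `/* ... */` block, so the added `$db->escape()` calls never execute and the commented-out UPDATE is unaffected either way. Dead code that is kept current looks maintained and invites someone to uncomment it as-is, so removing the block (or reinstating it with the escaping, if it is still needed) is preferable to patching it. The export.php hunk on the same line (`echo` to `print`) is cosmetic.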
@@ -421,7 +421,7 @@ $type = 'invoice'; $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/fichinter.php b/htdocs/admin/fichinter.php index a30a9d767a9..df97e9875a0 100644 --- a/htdocs/admin/fichinter.php +++ b/htdocs/admin/fichinter.php @@ -349,7 +349,7 @@ $type = 'ficheinter'; $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/holiday.php b/htdocs/admin/holiday.php index 067c0698a99..bac8e99e70f 100644 --- a/htdocs/admin/holiday.php +++ b/htdocs/admin/holiday.php @@ -299,7 +299,7 @@ print load_fiche_titre($langs->trans("TemplatePDFHolidays"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/limits.php b/htdocs/admin/limits.php index 95a8d52bc57..db29deef9d7 100644 --- a/htdocs/admin/limits.php +++ b/htdocs/admin/limits.php 
@@ -243,7 +243,7 @@ if (empty($mysoc->country_code)) $sql = "SELECT taux as vat_rate, t.code as vat_code, t.localtax1 as localtax_rate1, t.localtax2 as localtax_rate2"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$mysoc->country_code."' AND (t.taux <> 0 OR t.localtax1 <>0 OR t.localtax2 <>0)"; + $sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$db->escape($mysoc->country_code)."' AND (t.taux <> 0 OR t.localtax1 <>0 OR t.localtax2 <>0)"; $sql .= " ORDER BY t.taux ASC"; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/livraison.php b/htdocs/admin/livraison.php index ddd2b3f83c6..4073b0a59a9 100644 --- a/htdocs/admin/livraison.php +++ b/htdocs/admin/livraison.php @@ -291,7 +291,7 @@ $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); diff --git a/htdocs/admin/mails.php b/htdocs/admin/mails.php index 27e64973ddf..feca9bf582e 100644 --- a/htdocs/admin/mails.php +++ b/htdocs/admin/mails.php 
@@ -77,6 +77,7 @@ if ($action == 'update' && empty($_POST["cancel"])) dolibarr_set_const($db, "MAIN_MAIL_SMTPS_PW", GETPOST("MAIN_MAIL_SMTPS_PW", 'none'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_MAIL_EMAIL_TLS", GETPOST("MAIN_MAIL_EMAIL_TLS", 'int'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_MAIL_EMAIL_STARTTLS", GETPOST("MAIN_MAIL_EMAIL_STARTTLS", 'int'), 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED", GETPOST("MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED", 'int'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_MAIL_EMAIL_DKIM_ENABLED", GETPOST("MAIN_MAIL_EMAIL_DKIM_ENABLED", 'int'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_MAIL_EMAIL_DKIM_DOMAIN", GETPOST("MAIN_MAIL_EMAIL_DKIM_DOMAIN", 'alphanohtml'), 'chaine', 0, '', $conf->entity); @@ -156,6 +157,8 @@ if ($action == 'edit') jQuery("#MAIN_MAIL_EMAIL_TLS").prop("disabled", true); jQuery("#MAIN_MAIL_EMAIL_STARTTLS").val(0); jQuery("#MAIN_MAIL_EMAIL_STARTTLS").prop("disabled", true); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").val(0); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").prop("disabled", true); jQuery("#MAIN_MAIL_EMAIL_DKIM_ENABLED").val(0); jQuery("#MAIN_MAIL_EMAIL_DKIM_ENABLED").prop("disabled", true); jQuery("#MAIN_MAIL_EMAIL_DKIM_DOMAIN").prop("disabled", true); @@ -187,6 +190,8 @@ if ($action == 'edit') jQuery("#MAIN_MAIL_EMAIL_TLS").removeAttr("disabled"); jQuery("#MAIN_MAIL_EMAIL_STARTTLS").val('.$conf->global->MAIN_MAIL_EMAIL_STARTTLS.'); jQuery("#MAIN_MAIL_EMAIL_STARTTLS").removeAttr("disabled"); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").val('.$conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED.'); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").removeAttr("disabled"); jQuery("#MAIN_MAIL_EMAIL_DKIM_ENABLED").val(0); jQuery("#MAIN_MAIL_EMAIL_DKIM_ENABLED").prop("disabled", true); jQuery("#MAIN_MAIL_EMAIL_DKIM_DOMAIN").prop("disabled", true); 
@@ -211,6 +216,8 @@ if ($action == 'edit') jQuery("#MAIN_MAIL_EMAIL_TLS").removeAttr("disabled"); jQuery("#MAIN_MAIL_EMAIL_STARTTLS").val('.$conf->global->MAIN_MAIL_EMAIL_STARTTLS.'); jQuery("#MAIN_MAIL_EMAIL_STARTTLS").removeAttr("disabled"); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").val('.$conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED.'); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").removeAttr("disabled"); jQuery("#MAIN_MAIL_EMAIL_DKIM_ENABLED").val('.$conf->global->MAIN_MAIL_EMAIL_DKIM_ENABLED.'); jQuery("#MAIN_MAIL_EMAIL_DKIM_ENABLED").removeAttr("disabled"); jQuery("#MAIN_MAIL_EMAIL_DKIM_DOMAIN").removeAttr("disabled"); @@ -233,12 +240,16 @@ if ($action == 'edit') initfields(); }); jQuery("#MAIN_MAIL_EMAIL_TLS").change(function() { - if (jQuery("#MAIN_MAIL_EMAIL_STARTTLS").val() == 1) + if (jQuery("#MAIN_MAIL_EMAIL_TLS").val() == 1) jQuery("#MAIN_MAIL_EMAIL_STARTTLS").val(0); + else + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").val(0); }); jQuery("#MAIN_MAIL_EMAIL_STARTTLS").change(function() { - if (jQuery("#MAIN_MAIL_EMAIL_TLS").val() == 1) + if (jQuery("#MAIN_MAIL_EMAIL_STARTTLS").val() == 1) jQuery("#MAIN_MAIL_EMAIL_TLS").val(0); + else + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").val(0); }); })'; print ''."\n"; 
@@ -406,6 +417,17 @@ if ($action == 'edit') } else print yn(0).' ('.$langs->trans("NotSupported").')'; print ''; + // SMTP_ALLOW_SELF_SIGNED + print ''.$langs->trans("MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").''; + if (!empty($conf->use_javascript_ajax) || (isset($conf->global->MAIN_MAIL_SENDMODE) && in_array($conf->global->MAIN_MAIL_SENDMODE, array('smtps', 'swiftmailer')))) + { + if (function_exists('openssl_open')) + { + print $form->selectyesno('MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED', (!empty($conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED) ? $conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED : 0), 1); + } else print yn(0).' ('.$langs->trans("YourPHPDoesNotHaveSSLSupport").')'; + } else print yn(0).' ('.$langs->trans("NotSupported").')'; + print ''; + // DKIM print ''.$langs->trans("MAIN_MAIL_EMAIL_DKIM_ENABLED").''; if (!empty($conf->use_javascript_ajax) || (isset($conf->global->MAIN_MAIL_SENDMODE) && in_array($conf->global->MAIN_MAIL_SENDMODE, array('swiftmailer')))) @@ -571,6 +593,17 @@ if ($action == 'edit') } else print ''.yn(0).' ('.$langs->trans("NotSupported").')'; print ''; + // SMTP_ALLOW_SELF_SIGNED + print ''.$langs->trans("MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").''; + if (isset($conf->global->MAIN_MAIL_SENDMODE) && in_array($conf->global->MAIN_MAIL_SENDMODE, array('smtps', 'swiftmailer'))) + { + if (function_exists('openssl_open')) + { + print yn($conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED); + } else print yn(0).' ('.$langs->trans("YourPHPDoesNotHaveSSLSupport").')'; + } else print ''.yn(0).' ('.$langs->trans("NotSupported").')'; + print ''; + if ($conf->global->MAIN_MAIL_SENDMODE == 'swiftmailer') { diff --git a/htdocs/admin/mails_emailing.php b/htdocs/admin/mails_emailing.php index 7b8265f93f9..b97437216d6 100644 --- a/htdocs/admin/mails_emailing.php +++ b/htdocs/admin/mails_emailing.php 
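Review bot: The read-only display in the `@@ -571` hunk prints `yn($conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED)` without the `!empty()` guard the edit form uses, so an installation that never saved the option reads an undefined property; `print yn(!empty($conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED) ? 1 : 0);` matches the form. Given the option's name, enabling it presumably relaxes certificate checking on the SMTP connection (the consumer is not in this diff); the view shows a plain yes/no, while this same commit flags `dolibarr_nocsrfcheck` with `img_warning(...)` in system/dolibarr.php, and an enabled value here deserves the same visible marker. The same unguarded `yn(...)` appears in the `@@ -437` hunk of mails_emailing.php.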
@@ -68,6 +68,7 @@ if ($action == 'update' && empty($_POST["cancel"])) dolibarr_set_const($db, "MAIN_MAIL_SMTPS_PW_EMAILING", GETPOST("MAIN_MAIL_SMTPS_PW_EMAILING"), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_MAIL_EMAIL_TLS_EMAILING", GETPOST("MAIN_MAIL_EMAIL_TLS_EMAILING"), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_MAIL_EMAIL_STARTTLS_EMAILING", GETPOST("MAIN_MAIL_EMAIL_STARTTLS_EMAILING"), 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING", GETPOST("MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING"), 'chaine', 0, '', $conf->entity); header("Location: ".$_SERVER["PHP_SELF"]."?mainmenu=home&leftmenu=setup"); exit; @@ -147,6 +148,8 @@ if ($action == 'edit') jQuery("#MAIN_MAIL_EMAIL_TLS_EMAILING").prop("disabled", true); jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").val(0); jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").prop("disabled", true); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").val(0); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").prop("disabled", true); '; if ($linuxlike) { @@ -173,6 +176,8 @@ if ($action == 'edit') jQuery("#MAIN_MAIL_EMAIL_TLS_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").val('.$conf->global->MAIN_MAIL_EMAIL_STARTTLS_EMAILING.'); jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").removeAttr("disabled"); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").val('.$conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING.'); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_SMTP_SERVER_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_SMTP_PORT_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_SMTP_SERVER_EMAILING").show(); 
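Review bot: The new `dolibarr_set_const` line reads `GETPOST("MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING")` with no filter, whereas the parallel line added to mails.php in this commit uses `GETPOST(..., 'int')`; the stored value is a yes/no flag, so `GETPOST("MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING", 'int')` is the consistent choice and keeps arbitrary strings out of the constant. The neighbouring TLS/STARTTLS lines have the same omission, but that predates this change.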
@@ -187,6 +192,8 @@ if ($action == 'edit') jQuery("#MAIN_MAIL_EMAIL_TLS_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").val('.$conf->global->MAIN_MAIL_EMAIL_STARTTLS_EMAILING.'); jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").removeAttr("disabled"); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").val('.$conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING.'); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_SMTP_SERVER_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_SMTP_PORT_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_SMTP_SERVER_EMAILING").show(); @@ -199,13 +206,17 @@ if ($action == 'edit') jQuery("#MAIN_MAIL_SENDMODE_EMAILING").change(function() { initfields(); }); - jQuery("#MAIN_MAIL_EMAIL_TLS").change(function() { - if (jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").val() == 1) + jQuery("#MAIN_MAIL_EMAIL_TLS_EMAILING").change(function() { + if (jQuery("#MAIN_MAIL_EMAIL_TLS_EMAILING").val() == 1) jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").val(0); + else + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").val(0); }); jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").change(function() { - if (jQuery("#MAIN_MAIL_EMAIL_TLS_EMAILING").val() == 1) + if (jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").val() == 1) jQuery("#MAIN_MAIL_EMAIL_TLS_EMAILING").val(0); + else + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").val(0); }); })'; print ''."\n"; 
@@ -359,6 +370,18 @@ if ($action == 'edit') } else print yn(0).' ('.$langs->trans("NotSupported").')'; print ''; + // SMTP_ALLOW_SELF_SIGNED_EMAILING + + print ''.$langs->trans("MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").''; + if (!empty($conf->use_javascript_ajax) || (isset($conf->global->MAIN_MAIL_SENDMODE_EMAILING) && in_array($conf->global->MAIN_MAIL_SENDMODE_EMAILING, array('smtps', 'swiftmailer')))) + { + if (function_exists('openssl_open')) + { + print $form->selectyesno('MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING', (!empty($conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING) ? $conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING : 0), 1); + } else print yn(0).' ('.$langs->trans("YourPHPDoesNotHaveSSLSupport").')'; + } else print yn(0).' ('.$langs->trans("NotSupported").')'; + print ''; + print ''; dol_fiche_end(); @@ -437,6 +460,17 @@ if ($action == 'edit') } else print yn(0).' ('.$langs->trans("YourPHPDoesNotHaveSSLSupport").')'; } else print yn(0).' ('.$langs->trans("NotSupported").')'; print ''; + + // SMTP_ALLOW_SELF_SIGNED_EMAILING + print ''.$langs->trans("MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").''; + if (isset($conf->global->MAIN_MAIL_SENDMODE_EMAILING) && in_array($conf->global->MAIN_MAIL_SENDMODE_EMAILING, array('smtps', 'swiftmailer'))) + { + if (function_exists('openssl_open')) + { + print yn($conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING); + } else print yn(0).' ('.$langs->trans("YourPHPDoesNotHaveSSLSupport").')'; + } else print yn(0).' ('.$langs->trans("NotSupported").')'; + print ''; } print ''; diff --git a/htdocs/admin/mails_senderprofile_list.php b/htdocs/admin/mails_senderprofile_list.php index a471c0369a4..9a1a696e034 100644 --- a/htdocs/admin/mails_senderprofile_list.php +++ b/htdocs/admin/mails_senderprofile_list.php 
@@ -47,7 +47,7 @@ $rowid = GETPOST('rowid', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/admin/mails_templates.php b/htdocs/admin/mails_templates.php index b33741cd571..610dd9c1ef2 100644 --- a/htdocs/admin/mails_templates.php +++ b/htdocs/admin/mails_templates.php @@ -341,7 +341,7 @@ if (empty($reshook)) $i++; } - $sql .= " WHERE ".$rowidcol." = '".$rowid."'"; + $sql .= " WHERE ".$rowidcol." = ".((int) $rowid); //print $sql;exit; dol_syslog("actionmodify", LOG_DEBUG); //print $sql; @@ -359,7 +359,7 @@ if (empty($reshook)) { $rowidcol = "rowid"; - $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol."='".$rowid."'"; + $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol."=".((int) $rowid); dol_syslog("delete", LOG_DEBUG); $result = $db->query($sql); @@ -379,7 +379,7 @@ if (empty($reshook)) { $rowidcol = "rowid"; - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."=".((int) $rowid); $result = $db->query($sql); if (!$result) @@ -393,7 +393,7 @@ if (empty($reshook)) { $rowidcol = "rowid"; - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."=".((int) $rowid); $result = $db->query($sql); if (!$result) 
@@ -443,7 +443,7 @@ if (!$user->admin) } if (empty($conf->global->MAIN_MULTILANGS)) { - $sql .= " AND (lang = '".$langs->defaultlang."' OR lang IS NULL OR lang = '')"; + $sql .= " AND (lang = '".$db->escape($langs->defaultlang)."' OR lang IS NULL OR lang = '')"; } if ($search_label) $sql .= natural_search('label', $search_label); if ($search_type_template != '' && $search_type_template != '-1') $sql .= natural_search('type_template', $search_type_template); diff --git a/htdocs/admin/menus/edit.php b/htdocs/admin/menus/edit.php index fbed05a1dbe..31e0f896633 100644 --- a/htdocs/admin/menus/edit.php +++ b/htdocs/admin/menus/edit.php @@ -32,6 +32,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/menubase.class.php'; $langs->loadLangs(array("other", "admin")); $cancel = GETPOST('cancel', 'alphanohtml'); // We click on a Cancel button +$confirm = GETPOST('confirm'); if (!$user->admin) accessforbidden(); @@ -231,26 +232,27 @@ if ($action == 'add') } // delete -if ($action == 'confirm_delete' && $_POST["confirm"] == 'yes') +if ($action == 'confirm_delete' && $confirm == 'yes') { - $this->db->begin(); + $db->begin(); $sql = "DELETE FROM ".MAIN_DB_PREFIX."menu WHERE rowid = ".GETPOST('menuId', 'int'); $result = $db->query($sql); if ($result == 0) { - $this->db->commit(); + $db->commit(); llxHeader(); setEventMessages($langs->trans("MenuDeleted"), null, 'mesgs'); llxFooter(); exit; } else { - $this->db->rollback(); + $db->rollback(); $reload = 0; $_GET["action"] = ''; + $action = ''; } } diff --git a/htdocs/admin/mrp.php b/htdocs/admin/mrp.php index ffa4d8e7c6b..10e992c7ac2 100644 --- a/htdocs/admin/mrp.php +++ b/htdocs/admin/mrp.php @@ -293,7 +293,7 @@ print load_fiche_titre($langs->trans("MOsModelModule"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) 
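Review bot: With `$this->db` replaced by `$db`, the delete path in menus/edit.php can now actually run, and the branch condition sitting between the new `$db->commit()` and `$db->rollback()` lines looks inverted: `$db->query()` yields `false` on failure and a truthy result on success, so `if ($result == 0)` commits on failure and rolls back a successful DELETE. `if ($result)` (commit on success, rollback otherwise) is presumably the intent; please confirm against the driver's return convention. Separately, the new `$confirm = GETPOST('confirm');` takes no filter while the sibling `$cancel` line uses `'alphanohtml'`; `$confirm = GETPOST('confirm', 'alpha');` is enough for a yes/no token.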
diff --git a/htdocs/admin/paymentbybanktransfer.php b/htdocs/admin/paymentbybanktransfer.php index c549e29443e..4056ce238e3 100644 --- a/htdocs/admin/paymentbybanktransfer.php +++ b/htdocs/admin/paymentbybanktransfer.php @@ -210,7 +210,7 @@ print load_fiche_titre($langs->trans("OrdersModelModule"),'',''); $def = array(); $sql = "SELECT nom"; $sql.= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql.= " WHERE type = '".$type."'"; +$sql.= " WHERE type = '".$db->escape($type)."'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); if ($resql) diff --git a/htdocs/admin/prelevement.php b/htdocs/admin/prelevement.php index 0429fde6287..24d4a379f83 100644 --- a/htdocs/admin/prelevement.php +++ b/htdocs/admin/prelevement.php @@ -217,7 +217,7 @@ print load_fiche_titre($langs->trans("OrdersModelModule"),'',''); $def = array(); $sql = "SELECT nom"; $sql.= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql.= " WHERE type = '".$type."'"; +$sql.= " WHERE type = '".$db->escape($type)."'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); if ($resql) diff --git a/htdocs/admin/propal.php b/htdocs/admin/propal.php index a0f9adb86d9..843cf0cfd55 100644 --- a/htdocs/admin/propal.php +++ b/htdocs/admin/propal.php @@ -316,7 +316,7 @@ print load_fiche_titre($langs->trans("ProposalsPDFModules"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/reception_setup.php b/htdocs/admin/reception_setup.php index 4c33ee78ef7..60833669753 100644 --- a/htdocs/admin/reception_setup.php +++ b/htdocs/admin/reception_setup.php 
@@ -301,7 +301,7 @@ $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); diff --git a/htdocs/admin/stock.php b/htdocs/admin/stock.php index 44ae6a82945..c7508e996ad 100644 --- a/htdocs/admin/stock.php +++ b/htdocs/admin/stock.php @@ -516,7 +516,7 @@ print load_fiche_titre($langs->trans("WarehouseModelModules"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) @@ -760,76 +760,6 @@ print ''; print ''; -/* -print '
'; -if ($conf->global->MAIN_FEATURES_LEVEL >= 2) -{ - print ''; - print ''; - print ''."\n"; - print ''."\n"; - print ''."\n"; - - // Example with a yes / no select - print ''; - print ''; - print ''; - - - // Example with a yes / no select - print ''; - print ''; - print ''; - - - // Example with a yes / no select - print ''; - print ''; - print ''; - - print '
'.$langs->trans("Inventory").''.$langs->trans("Status").'
'.$langs->trans("INVENTORY_DISABLE_VIRTUAL").''; - if ($conf->use_javascript_ajax) { - print ajax_constantonoff('INVENTORY_DISABLE_VIRTUAL'); - } else { - $arrval = array('0' => $langs->trans("No"), '1' => $langs->trans("Yes")); - print $form->selectarray("INVENTORY_DISABLE_VIRTUAL", $arrval, $conf->global->INVENTORY_DISABLE_VIRTUAL); - } - print '
'.$langs->trans("INVENTORY_USE_MIN_PA_IF_NO_LAST_PA").''; - if ($conf->use_javascript_ajax) { - print ajax_constantonoff('INVENTORY_USE_MIN_PA_IF_NO_LAST_PA'); - } else { - $arrval = array('0' => $langs->trans("No"), '1' => $langs->trans("Yes")); - print $form->selectarray("INVENTORY_USE_MIN_PA_IF_NO_LAST_PA", $arrval, $conf->global->INVENTORY_USE_MIN_PA_IF_NO_LAST_PA); - } - print '
'.$langs->trans("INVENTORY_USE_INVENTORY_DATE_FOR_DATE_OF_MVT").''; - if ($conf->use_javascript_ajax) { - print ajax_constantonoff('INVENTORY_USE_INVENTORY_DATE_FOR_DATE_OF_MVT'); - } else { - $arrval = array('0' => $langs->trans("No"), '1' => $langs->trans("Yes")); - print $form->selectarray("INVENTORY_USE_INVENTORY_DATE_FOR_DATE_OF_MVT", $arrval, $conf->global->INVENTORY_USE_INVENTORY_DATE_FOR_DATE_OF_MVT); - } - print '
'; -} -*/ - -/* I keep the option/feature, but hidden to end users for the moment. If feature is used by module, no need to have users see it. -If not used by a module, I still need to understand in which case user may need this now we can set rule on product page. -if ($conf->global->PRODUIT_SOUSPRODUITS) -{ - print ''; - print ''.$langs->trans("IndependantSubProductStock").''; - print ''; - print "
"; - print ''; - print ""; - print $form->selectyesno("INDEPENDANT_SUBPRODUCT_STOCK",$conf->global->INDEPENDANT_SUBPRODUCT_STOCK,1); - print ''; - print '
'; - print "\n"; - print "\n"; -} -*/ - // End of page llxFooter(); $db->close(); diff --git a/htdocs/admin/supplier_payment.php b/htdocs/admin/supplier_payment.php index 27b3c023fcb..5541b8ff895 100644 --- a/htdocs/admin/supplier_payment.php +++ b/htdocs/admin/supplier_payment.php @@ -179,7 +179,7 @@ print load_fiche_titre($langs->trans("PaymentsNumberingModule"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/supplier_proposal.php b/htdocs/admin/supplier_proposal.php index b0c5c4bff10..f2110687042 100644 --- a/htdocs/admin/supplier_proposal.php +++ b/htdocs/admin/supplier_proposal.php @@ -310,7 +310,7 @@ print load_fiche_titre($langs->trans("SupplierProposalPDFModules"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/syslog.php b/htdocs/admin/syslog.php index 079fb3a6052..60de87d2d2e 100644 --- a/htdocs/admin/syslog.php +++ b/htdocs/admin/syslog.php @@ -212,6 +212,12 @@ foreach ($syslogModules as $moduleName) print ''; print ' '; print $module->getName(); + if ($moduleName == 'mod_syslog_syslog') { + if (! $module->isActive()) { + $langs->load("errors"); + print $form->textwithpicto('', $langs->trans("ErrorPHPNeedModule", 'SysLog')); + } + } print ''; print ''; diff --git a/htdocs/admin/system/dolibarr.php b/htdocs/admin/system/dolibarr.php index 55a46e9f347..57d288dfb4c 100644 --- a/htdocs/admin/system/dolibarr.php +++ b/htdocs/admin/system/dolibarr.php 
@@ -365,7 +365,12 @@ foreach ($configfileparameters as $key => $value) print ''.$newkey.''; // Value print ""; - if ($newkey == 'dolibarr_main_db_pass') print preg_replace('/./i', '*', ${$newkey}); + if ($newkey == 'dolibarr_main_db_pass') { + if (empty($dolibarr_main_prod)) { + print ''; + } + print '**********'; + } elseif ($newkey == 'dolibarr_main_url_root' && preg_match('/__auto__/', ${$newkey})) print ${$newkey}.' => '.constant('DOL_MAIN_URL_ROOT'); elseif ($newkey == 'dolibarr_main_document_root_alt') { $tmparray = explode(',', ${$newkey}); @@ -395,7 +400,14 @@ foreach ($configfileparameters as $key => $value) $valuetoshow = ${$newkey}; if (empty($valuetoshow)) { - print img_warning($langs->trans('SwitchThisForABetterSecurity')); + print img_warning($langs->trans('SwitchThisForABetterSecurity', 1)); + } + } elseif ($newkey == 'dolibarr_nocsrfcheck') { + print ${$newkey}; + + $valuetoshow = ${$newkey}; + if (!empty($valuetoshow)) { + print img_warning($langs->trans('SwitchThisForABetterSecurity', 0)); } } else { print ${$newkey}; @@ -451,7 +463,16 @@ if ($resql) print ''; print ''.$obj->name.''."\n"; - print ''.dol_escape_htmltag($obj->value).''."\n"; + print ''; + if (preg_match('/(_pass|password|_pw|_key|securekey|serverkey|secret\d?|p12key|exportkey|_PW_[a-z]+|token)$/i', $obj->name)) { + if (empty($dolibarr_main_prod)) { + print ''; + } + print '**********'; + } else { + print dol_escape_htmltag($obj->value); + } + print ''."\n"; if (empty($conf->multicompany->enabled) || !$user->entity) print ''.$obj->entity.''."\n"; // If superadmin or multicompany disabled print "\n"; diff --git a/htdocs/admin/tools/dolibarr_export.php b/htdocs/admin/tools/dolibarr_export.php index b8e6dc8c15e..f1a95a48e9f 100644 --- a/htdocs/admin/tools/dolibarr_export.php +++ b/htdocs/admin/tools/dolibarr_export.php 
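Review bot: The secret-name pattern added in the @@ -451 hunk is anchored to the end of the constant name, so a credential whose name continues after the keyword (a `..._PASSWORD_...` or `..._KEY_...` variant, for instance) still prints its value in clear; dropping the `$` anchor, `if (preg_match('/(_pass|password|_pw|_key|securekey|serverkey|secret\d?|p12key|exportkey|_PW_[a-z]+|token)/i', $obj->name)) {`, masks those too, at the cost of a few false positives that only ever hide a value. In the same hunk `$obj->name` is still printed raw in the preceding `print ''.$obj->name.''` context line while `$obj->value` is now escaped; `dol_escape_htmltag($obj->name)` would keep the two cells consistent, since constant names are stored in the database and editable from the admin UI. The `empty($dolibarr_main_prod)` branch prints something that was lost in this rendering of the diff, so I cannot tell whether the real value is exposed there in non-production mode; a one-line comment stating that intent (`// Non-production only: ...`) would help the next reader.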
@@ -31,7 +31,7 @@ $langs->load("admin"); $action = GETPOST('action', 'aZ09'); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (!$sortorder) $sortorder = "DESC"; diff --git a/htdocs/admin/tools/export.php b/htdocs/admin/tools/export.php index 3614e412318..cbe25f0ff75 100644 --- a/htdocs/admin/tools/export.php +++ b/htdocs/admin/tools/export.php @@ -37,7 +37,7 @@ $file = GETPOST('filename_template', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/admin/tools/export_files.php b/htdocs/admin/tools/export_files.php index 45b02716524..485df8c318b 100644 --- a/htdocs/admin/tools/export_files.php +++ b/htdocs/admin/tools/export_files.php @@ -39,7 +39,7 @@ $compression = GETPOST('compression'); $file = dol_sanitizeFileName($file); $file = preg_replace('/(\.zip|\.tar|\.tgz|\.gz|\.tar\.gz|\.bz2)$/i', '', $file); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (!$sortorder) $sortorder = "DESC"; 
diff --git a/htdocs/admin/tools/listevents.php b/htdocs/admin/tools/listevents.php index af55fcd1f16..84fe534f473 100644 --- a/htdocs/admin/tools/listevents.php +++ b/htdocs/admin/tools/listevents.php @@ -46,7 +46,7 @@ $langs->loadLangs(array("companies", "admin", "users", "other")); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 @@ -235,6 +235,20 @@ if ($result) print $form->formconfirm($_SERVER["PHP_SELF"].'?noparam=noparam', $langs->trans('PurgeAuditEvents'), $langs->trans('ConfirmPurgeAuditEvents'), 'confirm_purge', $formquestion, 'no', 1); } + // Check some parameters + // TODO Add a tab with this and other information + /* + global $dolibarr_main_prod, $dolibarr_nocsrfcheck; + if (empty($dolibarr_main_prod)) { + print $langs->trans("Warning").' dolibarr_main_prod = '.$dolibarr_main_prod; + print ' '.img_warning($langs->trans('SwitchThisForABetterSecurity', 1)).'
'; + } + if (!empty($dolibarr_nocsrfcheck)) { + print $langs->trans("Warning").' dolibarr_nocsrfcheck = '.$dolibarr_nocsrfcheck; + print ' '.img_warning($langs->trans('SwitchThisForABetterSecurity', 0)).'
'; + } + */ + print '
'; print ''; diff --git a/htdocs/admin/user.php b/htdocs/admin/user.php index 25822cd380b..723a4bb0063 100644 --- a/htdocs/admin/user.php +++ b/htdocs/admin/user.php @@ -192,7 +192,7 @@ $dirmodels = array_merge(array('/'), (array) $conf->modules_parts['models']); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/usergroup.php b/htdocs/admin/usergroup.php index d6b66b6fd22..0b372bf3518 100644 --- a/htdocs/admin/usergroup.php +++ b/htdocs/admin/usergroup.php @@ -124,7 +124,7 @@ $form = new Form($db); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/website.php b/htdocs/admin/website.php index 7c098aa1c4b..595848fe232 100644 --- a/htdocs/admin/website.php +++ b/htdocs/admin/website.php @@ -51,7 +51,7 @@ $actl[1] = img_picto($langs->trans("Activated"), 'switch_on'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 @@ -252,7 +252,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) else $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'"; $i++; } - $sql .= " WHERE ".$rowidcol." = '".$rowid."'"; + $sql .= " WHERE ".$rowidcol." = ".((int) $rowid); dol_syslog("actionmodify", LOG_DEBUG); //print $sql; 
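Review bot: The @@ -235 hunk in listevents.php commits a commented-out block (`/* global $dolibarr_main_prod, $dolibarr_nocsrfcheck; ... */`) next to a TODO; dead code in an audit page tends to be either resurrected without review or left to rot, and the same two warnings are already rendered live by the dolibarr.php hunks above. I would drop the block and keep only `// TODO Add a tab with this and other information`, or fold the intent into the TODO text so nothing executable sits inside a comment.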
@@ -310,16 +310,16 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete if ($website->id > 0) { - $sql = "DELETE from ".MAIN_DB_PREFIX."website_account WHERE fk_website ='".$rowid."'"; + $sql = "DELETE from ".MAIN_DB_PREFIX."website_account WHERE fk_website = ".((int) $rowid); $result = $db->query($sql); - $sql = "DELETE from ".MAIN_DB_PREFIX."website_page WHERE fk_website ='".$rowid."'"; + $sql = "DELETE from ".MAIN_DB_PREFIX."website_page WHERE fk_website = ".((int) $rowid); $result = $db->query($sql); - $sql = "DELETE from ".MAIN_DB_PREFIX."website_extrafields WHERE fk_object ='".$rowid."'"; + $sql = "DELETE from ".MAIN_DB_PREFIX."website_extrafields WHERE fk_object = ".((int) $rowid); $result = $db->query($sql); - $sql = "DELETE from ".MAIN_DB_PREFIX."website WHERE rowid ='".$rowid."'"; + $sql = "DELETE from ".MAIN_DB_PREFIX."website WHERE rowid = ".((int) $rowid); $result = $db->query($sql); if (!$result) { @@ -346,7 +346,7 @@ if ($action == $acts[0]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET status = 1 WHERE rowid ='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET status = 1 WHERE rowid = ".((int) $rowid); } $result = $db->query($sql); @@ -362,7 +362,7 @@ if ($action == $acts[1]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET status = 0 WHERE rowid ='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET status = 0 WHERE rowid = ".((int) $rowid); } $result = $db->query($sql); diff --git a/htdocs/admin/website_options.php b/htdocs/admin/website_options.php index 2bbe3e84638..1df7642b646 100644 --- a/htdocs/admin/website_options.php +++ b/htdocs/admin/website_options.php 
@@ -46,7 +46,7 @@ $status = 1; // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/api/class/api_access.class.php b/htdocs/api/class/api_access.class.php index a6d0d72b8de..84f7bf303e7 100644 --- a/htdocs/api/class/api_access.class.php +++ b/htdocs/api/class/api_access.class.php @@ -59,6 +59,16 @@ class DolibarrApiAccess implements iAuthenticate */ public static $user = ''; + + /** + * Constructor + */ + public function __construct() + { + global $db; + $this->db = $db; + } + // phpcs:disable PEAR.NamingConventions.ValidFunctionName /** * Check access @@ -107,15 +117,15 @@ class DolibarrApiAccess implements iAuthenticate $sql = "SELECT u.login, u.datec, u.api_key, "; $sql .= " u.tms as date_modification, u.entity"; $sql .= " FROM ".MAIN_DB_PREFIX."user as u"; - $sql .= " WHERE u.api_key = '".$db->escape($api_key)."'"; + $sql .= " WHERE u.api_key = '".$this->db->escape($api_key)."'"; // TODO Check if 2 users has same API key. - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - if ($db->num_rows($result)) + if ($this->db->num_rows($result)) { - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $login = $obj->login; $stored_key = $obj->api_key; $userentity = $obj->entity; 
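Review bot: The new constructor in the @@ -59 hunk assigns `$this->db`, but no `$db` property is declared in the visible part of `DolibarrApiAccess`; if the class does not declare one outside the hunk, this creates a dynamic property (deprecated since PHP 8.2) and leaves the handler's type undocumented for the `$this->db->escape(...)` and `$this->db->query(...)` calls introduced in the @@ -107 hunk. Add `/** @var DoliDb Database handler */ public $db;` next to `public static $user = '';`, and give the constructor a why-comment such as `// Presumably instantiated by the REST framework without arguments, hence the global handler` so the use of `global $db` does not look accidental.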
@@ -125,11 +135,11 @@ class DolibarrApiAccess implements iAuthenticate $conf->entity = ($obj->entity ? $obj->entity : 1); // We must also reload global conf to get params from the entity dol_syslog("Entity was not set on http header with HTTP_DOLAPIENTITY (recommanded for performance purpose), so we switch now on entity of user (".$conf->entity.") and we have to reload configuration.", LOG_WARNING); - $conf->setValues($db); + $conf->setValues($this->db); } } } else { - throw new RestException(503, 'Error when fetching user api_key :'.$db->error_msg); + throw new RestException(503, 'Error when fetching user api_key :'.$this->db->error_msg); } if ($stored_key != $api_key) { // This should not happen since we did a search on api_key @@ -141,7 +151,7 @@ class DolibarrApiAccess implements iAuthenticate { throw new RestException(503, 'Error when searching login user from api key'); } - $fuser = new User($db); + $fuser = new User($this->db); $result = $fuser->fetch('', $login, '', 0, (empty($userentity) ? -1 : $conf->entity)); // If user is not entity 0, we search in working entity $conf->entity (that may have been forced to a different value than user entity) if ($result <= 0) { throw new RestException(503, 'Error when fetching user :'.$fuser->error.' (conf->entity='.$conf->entity.')'); diff --git a/htdocs/asset/list.php b/htdocs/asset/list.php index 224caea2e58..975551968b4 100644 --- a/htdocs/asset/list.php +++ b/htdocs/asset/list.php 
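Review bot: The context line `if ($stored_key != $api_key)` in the @@ -125 hunk compares the stored API key with the supplied one using a loose, non-constant-time comparison; since this is the authentication decision for the REST API, `if (!hash_equals((string) $stored_key, (string) $api_key))` makes it strict and timing-safe. The comment on that line says the branch should be unreachable given the `WHERE u.api_key = ...` lookup, which depends on the column's collation and comparison semantics rather than on PHP, so the comment could say that explicitly (`// Defensive: the SQL match may be looser than a byte comparison`). The method's signature is outside the hunk.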
@@ -47,7 +47,7 @@ $id = GETPOST('id', 'int');
 
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
-$sortfield = GETPOST('sortfield', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
 $sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action
diff --git a/htdocs/blockedlog/admin/blockedlog_list.php b/htdocs/blockedlog/admin/blockedlog_list.php
index 818c84a8b5e..f70e402b667 100644
--- a/htdocs/blockedlog/admin/blockedlog_list.php
+++ b/htdocs/blockedlog/admin/blockedlog_list.php
@@ -56,7 +56,7 @@ if (($search_start == -1 || empty($search_start)) && !GETPOSTISSET('search_start
 
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
-$sortfield = GETPOST('sortfield', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
 $sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
diff --git a/htdocs/bom/bom_list.php b/htdocs/bom/bom_list.php
index 5f1728ef055..121517b2544 100644
--- a/htdocs/bom/bom_list.php
+++ b/htdocs/bom/bom_list.php
@@ -45,7 +45,7 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/bom/class/api_boms.class.php b/htdocs/bom/class/api_boms.class.php index a6295d12589..b9123b8c226 100644 --- a/htdocs/bom/class/api_boms.class.php +++ b/htdocs/bom/class/api_boms.class.php @@ -99,7 +99,7 @@ class Boms extends DolibarrApi global $db, $conf; $obj_ret = array(); - $tmpobject = new BOM($db); + $tmpobject = new BOM($this->db); $socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : ''; @@ -139,7 +139,7 @@ class Boms extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { 
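Review bot: After the @@ -99 hunk of api_boms.class.php switches every use to `$this->db`, the `global $db, $conf;` context line at the top of the method may leave `$db` imported but unused; if nothing else in the method still reads it, reduce the line to `global $conf;` so a later edit cannot silently fall back to the global handler. The same `$db` → `$this->db` migration is applied in api_categories.class.php and api_agendaevents.class.php further down, whose method heads are outside their hunks, so the same check applies there. The method body continues past this hunk.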
@@ -147,18 +147,18 @@ class Boms extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $i = 0; while ($i < $num) { - $obj = $db->fetch_object($result); - $bom_static = new BOM($db); + $obj = $this->db->fetch_object($result); + $bom_static = new BOM($this->db); if ($bom_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($bom_static); } diff --git a/htdocs/bookmarks/list.php b/htdocs/bookmarks/list.php index 3ea33b329ff..ca8e1d5c16a 100644 --- a/htdocs/bookmarks/list.php +++ b/htdocs/bookmarks/list.php @@ -42,7 +42,7 @@ $optioncss = GETPOST('optioncss', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/cashdesk/facturation.php b/htdocs/cashdesk/facturation.php index e1a42aed012..85347e4c7ff 100644 --- a/htdocs/cashdesk/facturation.php +++ b/htdocs/cashdesk/facturation.php 
@@ -42,7 +42,7 @@ if (GETPOST('filtre', 'alpha')) {
 	$sql = "SELECT p.rowid, p.ref, p.label, p.tva_tx, p.fk_product_type";
 	if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= ", ps.reel";
 	$sql .= " FROM ".MAIN_DB_PREFIX."product as p";
-	if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$conf_fkentrepot."'";
+	if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$db->escape($conf_fkentrepot)."'";
 	$sql .= " WHERE p.entity IN (".getEntity('product').")";
 	$sql .= " AND p.tosell = 1";
 	if (!$conf->global->CASHDESK_SERVICES) $sql .= " AND p.fk_product_type = 0";
@@ -92,7 +92,7 @@ if (GETPOST('filtre', 'alpha')) {
 	$sql = "SELECT p.rowid, ref, label, tva_tx, p.fk_product_type";
 	if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= ", ps.reel";
 	$sql .= " FROM ".MAIN_DB_PREFIX."product as p";
-	if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$conf_fkentrepot."'";
+	if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$db->escape($conf_fkentrepot)."'";
 	$sql .= " WHERE p.entity IN (".getEntity('product').")";
 	$sql .= " AND p.tosell = 1";
 	if (!$conf->global->CASHDESK_SERVICES) $sql .= " AND p.fk_product_type = 0";
diff --git a/htdocs/cashdesk/facturation_dhtml.php b/htdocs/cashdesk/facturation_dhtml.php
index 99e1ed2f942..9ee4bdb856c 100644
--- a/htdocs/cashdesk/facturation_dhtml.php
+++ b/htdocs/cashdesk/facturation_dhtml.php
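Review bot: `ps.fk_entrepot` is a foreign-key id, so the new `'".$db->escape($conf_fkentrepot)."'` in both facturation.php hunks (and in the facturation_dhtml.php hunk that follows) still sends it quoted as a string; elsewhere in this commit integer ids are cast, which is stricter and avoids relying on the database's implicit string-to-integer conversion: `... AND ps.fk_entrepot = ".((int) $conf_fkentrepot);`. The surrounding `!empty($conf_fkentrepot)` guard already excludes 0, so, assuming the configured warehouse id is numeric, the cast cannot change which rows join.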
@@ -45,7 +45,7 @@ if (dol_strlen($search) >= 0) // If search criteria is on char length at least $sql = "SELECT p.rowid, p.ref, p.label, p.tva_tx"; if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= ", ps.reel"; $sql .= " FROM ".MAIN_DB_PREFIX."product as p"; - if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$conf_fkentrepot."'"; + if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$db->escape($conf_fkentrepot)."'"; $sql .= " WHERE p.entity IN (".getEntity('product').")"; $sql .= " AND p.tosell = 1"; $sql .= " AND p.fk_product_type = 0"; diff --git a/htdocs/cashdesk/index_verif.php b/htdocs/cashdesk/index_verif.php index 204af8f51f7..e8366e981cc 100644 --- a/htdocs/cashdesk/index_verif.php +++ b/htdocs/cashdesk/index_verif.php @@ -89,7 +89,7 @@ if ($retour >= 0) $sql = "SELECT rowid, lastname, firstname"; $sql .= " FROM ".MAIN_DB_PREFIX."user"; - $sql .= " WHERE login = '".$username."'"; + $sql .= " WHERE login = '".$db->escape($username)."'"; $sql .= " AND entity IN (0,".$conf->entity.")"; $result = $db->query($sql); diff --git a/htdocs/categories/class/api_categories.class.php b/htdocs/categories/class/api_categories.class.php index 4a84a25e5ca..5f0a28340f9 100644 --- a/htdocs/categories/class/api_categories.class.php +++ b/htdocs/categories/class/api_categories.class.php @@ -155,7 +155,7 @@ class Categories extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { 
@@ -163,19 +163,19 @@ class Categories extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); - $category_static = new Categorie($db); + $obj = $this->db->fetch_object($result); + $category_static = new Categorie($this->db); if ($category_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($category_static); } @@ -183,7 +183,7 @@ class Categories extends DolibarrApi } } else { - throw new RestException(503, 'Error when retrieve category list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve category list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No category found'); diff --git a/htdocs/categories/viewcat.php b/htdocs/categories/viewcat.php index 2648a0c09f4..3a1d13d210e 100644 --- a/htdocs/categories/viewcat.php +++ b/htdocs/categories/viewcat.php @@ -53,7 +53,7 @@ $optioncss = GETPOST('optioncss', 'aZ'); // Option for the css output (always ' // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action 
diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php index 7e4a58b07e0..a5084bfac74 100644 --- a/htdocs/comm/action/class/actioncomm.class.php +++ b/htdocs/comm/action/class/actioncomm.class.php @@ -1031,8 +1031,8 @@ class ActionComm extends CommonObject $sql .= ", location = ".($this->location ? "'".$this->db->escape($this->location)."'" : "null"); $sql .= ", transparency = '".$this->db->escape($this->transparency)."'"; $sql .= ", fk_user_mod = ".$user->id; - $sql .= ", fk_user_action=".($userownerid > 0 ? "'".$userownerid."'" : "null"); - $sql .= ", fk_user_done=".($userdoneid > 0 ? "'".$userdoneid."'" : "null"); + $sql .= ", fk_user_action = ".($userownerid > 0 ? "'".$this->db->escape($userownerid)."'" : "null"); + $sql .= ", fk_user_done = ".($userdoneid > 0 ? "'".$this->db->escape($userdoneid)."'" : "null"); if (!empty($this->fk_element)) $sql .= ", fk_element=".($this->fk_element ? $this->db->escape($this->fk_element) : "null"); if (!empty($this->elementtype)) $sql .= ", elementtype=".($this->elementtype ? "'".$this->db->escape($this->elementtype)."'" : "null"); $sql .= " WHERE id=".$this->id; @@ -1127,7 +1127,7 @@ class ActionComm extends CommonObject * Load all objects with filters. * @todo WARNING: This make a fetch on all records instead of making one request with a join. * - * @param DoliDb $db Database handler + * @param DoliDb $db Not used * @param int $socid Filter by thirdparty * @param int $fk_element Id of element action is linked to * @param string $elementtype Type of element action is linked to @@ -1160,7 +1160,7 @@ class ActionComm extends CommonObject $sql .= " element_type = 'socpeople' AND fk_element = ".$fk_element.')'; } else { - $sql .= " AND a.fk_element = ".(int) $fk_element." AND a.elementtype = '".$elementtype."'"; + $sql .= " AND a.fk_element = ".(int) $fk_element." AND a.elementtype = '".$db->escape($elementtype)."'"; } } if (!empty($filter)) $sql .= $filter; 
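Review bot: `fk_user_action` and `fk_user_done` are integer foreign keys, yet the new lines in the @@ -1031 hunk wrap them in quotes around `$this->db->escape(...)`; the same commit casts ids with `((int) ...)` in website.php and accountmodel.php, and the `> 0` guard already implies a number, so `$sql .= ", fk_user_action = ".($userownerid > 0 ? ((int) $userownerid) : "null");` (and likewise for `$userdoneid`) is the consistent form. The `fk_user_mod = ".$user->id` context line in the same hunk is still interpolated raw; it comes from the session user object, but an `(int)` cast there costs nothing and keeps the statement uniformly typed. The enclosing method starts and ends outside the hunk.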
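Review bot: The docblock change in the @@ -1127 hunk marks the `$db` parameter as `Not used`, but the new line in the @@ -1160 hunk of the same method calls `$db->escape($elementtype)` on that very parameter, so the documentation now contradicts the code. If the method is an instance method with `$this->db` available, switch the escape to `$this->db->escape($elementtype)` so the comment becomes true; if it is static (its signature is outside the hunk), restore `@param DoliDb $db Database handler`. The adjacent `fk_element = ".$fk_element.')'` context line in the `socpeople` branch is also still uncast while the `else` branch uses `(int) $fk_element`; casting both closes the inconsistency this commit is otherwise fixing.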
diff --git a/htdocs/comm/action/class/api_agendaevents.class.php b/htdocs/comm/action/class/api_agendaevents.class.php index 43d880b3866..473c87e22a0 100644 --- a/htdocs/comm/action/class/api_agendaevents.class.php +++ b/htdocs/comm/action/class/api_agendaevents.class.php @@ -148,7 +148,7 @@ class AgendaEvents extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -156,27 +156,27 @@ class AgendaEvents extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); - $actioncomm_static = new ActionComm($db); + $obj = $this->db->fetch_object($result); + $actioncomm_static = new ActionComm($this->db); if ($actioncomm_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($actioncomm_static); } $i++; } } else { - throw new RestException(503, 'Error when retrieve Agenda Event list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve Agenda Event list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No Agenda Event found'); diff --git a/htdocs/comm/action/class/cactioncomm.class.php b/htdocs/comm/action/class/cactioncomm.class.php index 147a6ff7ef0..6e86a556a1a 100644 --- a/htdocs/comm/action/class/cactioncomm.class.php +++ b/htdocs/comm/action/class/cactioncomm.class.php 
@@ -139,7 +139,7 @@ class CActionComm $sql .= " FROM ".MAIN_DB_PREFIX."c_actioncomm"; $sql .= " WHERE 1=1"; if ($active != '') $sql .= " AND active=".$active; - if (!empty($excludetype)) $sql .= " AND type <> '".$excludetype."'"; + if (!empty($excludetype)) $sql .= " AND type <> '".$this->db->escape($excludetype)."'"; if ($morefilter) $sql .= " AND ".$morefilter; $sql .= " ORDER BY module, position, type"; diff --git a/htdocs/comm/action/index.php b/htdocs/comm/action/index.php index f4e8487b054..a48dc03aea2 100644 --- a/htdocs/comm/action/index.php +++ b/htdocs/comm/action/index.php @@ -810,7 +810,7 @@ if ($conf->global->AGENDA_SHOW_HOLIDAYS) if ($action == 'show_day') { // Request only leaves for the current selected day - $sql .= " AND '".$year."-".$month."-".$day."' BETWEEN x.date_debut AND x.date_fin"; + $sql .= " AND '".$db->escape($year)."-".$db->escape($month)."-".$db->escape($day)."' BETWEEN x.date_debut AND x.date_fin"; } elseif ($action == 'show_week') { // TODO: Add filter to reduce database request diff --git a/htdocs/comm/card.php b/htdocs/comm/card.php index d3e180b7a88..18bd6b22ce0 100644 --- a/htdocs/comm/card.php +++ b/htdocs/comm/card.php @@ -591,7 +591,7 @@ if ($object->id > 0) $icon = 'bill'; if ($link) $boxstat .= ''; $boxstat .= '
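Review bot: The @@ -139 hunk of cactioncomm.class.php escapes `$excludetype` but leaves the neighbouring `" AND active=".$active` interpolated raw, and `$morefilter` is appended verbatim; if `$active` is a 0/1 flag, `if ($active != '') $sql .= " AND active = ".((int) $active);` closes the same class of issue the commit is fixing. `$morefilter` is a raw SQL fragment by design, so its callers must stay trusted; a docblock note on that parameter (`@param string $morefilter Raw SQL condition, caller-supplied and not escaped`) would make the contract explicit. The method's signature is outside the hunk.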
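Review bot: In the @@ -810 hunk of comm/action/index.php, `$year`, `$month` and `$day` are date components, so `$db->escape()` only neutralises quoting while still accepting arbitrary text; building the literal from integers is tighter and matches the `((int) ...)` style used elsewhere in this commit while keeping the zero-padded form: `$sql .= " AND '".sprintf('%04d-%02d-%02d', (int) $year, (int) $month, (int) $day)."' BETWEEN x.date_debut AND x.date_fin";`. Where these three variables are read from the request is outside the hunk, so I cannot tell whether they were already filtered with `GETPOST(..., 'int')`.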
'; - $boxstat .= ''.img_object("", $icon).' '.$text.'
'; + $boxstat .= ''.img_object("", $icon).' '.$text.'
'; $boxstat .= ''.price($outstandingTotal, 1, $langs, 1, -1, -1, $conf->currency).''; $boxstat .= '
'; if ($link) $boxstat .= '
'; @@ -609,7 +609,7 @@ if ($object->id > 0) $icon = 'bill'; if ($link) $boxstat .= ''; $boxstat .= '
'; - $boxstat .= ''.img_object("", $icon).' '.$text.'
'; + $boxstat .= ''.img_object("", $icon).' '.$text.'
'; $boxstat .= ''.price($outstandingTotal, 1, $langs, 1, -1, -1, $conf->currency).''; $boxstat .= '
'; if ($link) $boxstat .= '
'; @@ -627,7 +627,7 @@ if ($object->id > 0) $icon = 'bill'; if ($link) $boxstat .= ''; $boxstat .= '
'; - $boxstat .= ''.img_object("", $icon).' '.$text.'
'; + $boxstat .= ''.img_object("", $icon).' '.$text.'
'; $boxstat .= ''.price($outstandingTotal, 1, $langs, 1, -1, -1, $conf->currency).''; $boxstat .= '
'; if ($link) $boxstat .= '
'; @@ -643,7 +643,7 @@ if ($object->id > 0) $icon = 'bill'; if ($link) $boxstat .= ''; $boxstat .= '
'; - $boxstat .= ''.img_object("", $icon).' '.$text.'
'; + $boxstat .= ''.img_object("", $icon).' '.$text.'
'; $boxstat .= ''.price($outstandingOpened, 1, $langs, 1, -1, -1, $conf->currency).$warn.''; $boxstat .= '
'; if ($link) $boxstat .= '
'; diff --git a/htdocs/comm/contact.php b/htdocs/comm/contact.php index 83dfd203d0c..1038afa923f 100644 --- a/htdocs/comm/contact.php +++ b/htdocs/comm/contact.php @@ -29,7 +29,7 @@ require '../main.inc.php'; // Load translation files required by the page $langs->load("companies"); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (!$sortorder) $sortorder = "ASC"; diff --git a/htdocs/comm/index.php b/htdocs/comm/index.php index 1ed0b684696..cfd2d67ea4e 100644 --- a/htdocs/comm/index.php +++ b/htdocs/comm/index.php @@ -58,7 +58,7 @@ if (isset($user->socid) && $user->socid > 0) { $socid = $user->socid; } -$max = 3; +$max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT; $now = dol_now(); /* @@ -191,6 +191,7 @@ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { addSummaryTableLine(3, $num, $nbofloop, $total, "NoProposal"); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); @@ -254,6 +255,7 @@ if (!empty($conf->supplier_proposal->enabled) && $user->rights->supplier_proposa addSummaryTableLine(3, $num, $nbofloop, $total, "NoProposal"); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); @@ -318,6 +320,7 @@ if (!empty($conf->commande->enabled) && $user->rights->commande->lire) { addSummaryTableLine(3, $num, $nbofloop, $total, "NoProposal"); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); @@ -382,6 +385,7 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU addSummaryTableLine(3, $num, $nbofloop, $total, "NoProposal"); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); 
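Review bot: `$max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT;` in the @@ -58 hunk of comm/index.php has no fallback, so on an installation where that constant is undefined `$max` is null: the later `$db->plimit($max + 1, 0)` requests a single row, `show_array_actions_to_do($max)` receives null, and `if ($i >= $max)` pushes every row into the "other" bucket. Keep the previous hard-coded value as the default, `$max = empty($conf->global->MAIN_SIZE_SHORTLIST_LIMIT) ? 3 : (int) $conf->global->MAIN_SIZE_SHORTLIST_LIMIT;`. The hunks at @@ -517, @@ -539, @@ -597 and @@ -679 all depend on this value.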
@@ -448,6 +452,7 @@ if (!empty($conf->societe->enabled) && $user->rights->societe->lire) { addSummaryTableLine(3, $num); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); @@ -498,6 +503,7 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU addSummaryTableLine(2, $num); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); @@ -517,7 +523,7 @@ if ($user->rights->agenda->myactions->read) { * Actions to do */ if ($user->rights->agenda->myactions->read) { - show_array_actions_to_do(10); + show_array_actions_to_do($max); } @@ -539,12 +545,12 @@ if (!empty($conf->contrat->enabled) && $user->rights->contrat->lire && 0) { // T if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; if ($socid) $sql .= " AND s.rowid = ".$socid; $sql .= " ORDER BY c.tms DESC"; - $sql .= $db->plimit(5, 0); + $sql .= $db->plimit($max + 1, 0); $resql = $db->query($sql); if ($resql) { $num = $db->num_rows($resql); - startSimpleTable($langs->trans("LastContracts", 5), "", "", 2); + startSimpleTable($langs->trans("LastContracts", $max), "", "", 2); if ($num > 0) { $i = 0; @@ -572,6 +578,7 @@ if (!empty($conf->contrat->enabled) && $user->rights->contrat->lire && 0) { // T addSummaryTableLine(2, $num); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); 
@@ -597,17 +604,26 @@ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { $resql = $db->query($sql); if ($resql) { - $total = 0; + $total = $total_ttc = 0; $num = $db->num_rows($resql); $nbofloop = min($num, (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 500 : $conf->global->MAIN_MAXLIST_OVERLOAD)); startSimpleTable("ProposalsOpened", "comm/propal/list.php", "search_status=1", 4, $num); if ($num > 0) { $i = 0; + $othernb = 0; while ($i < $nbofloop) { $obj = $db->fetch_object($resql); + if ($i >= $max) { + $othernb += 1; + $i++; + $total += $obj->total_ht; + $total_ttc += $obj->total_ttc; + continue; + } + $propalstatic->id = $obj->propalid; $propalstatic->ref = $obj->ref; $propalstatic->ref_client = $obj->ref_client; @@ -648,12 +664,22 @@ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { print ''; $i++; - $total += (!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc); + $total += $obj->total_ht; + $total_ttc += $obj->total_ttc; + } + + if ($othernb) { + print ''; + print ''; + print "\n"; } } - addSummaryTableLine(5, $num, $nbofloop, $total, "NoProposal", true); + addSummaryTableLine(5, $num, $nbofloop, empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $total_ttc : $total, "NoProposal", true); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); 
@@ -679,17 +705,26 @@ if (!empty($conf->commande->enabled) && $user->rights->commande->lire) { $resql = $db->query($sql); if ($resql) { - $total = 0; + $total = $total_ttc = 0; $num = $db->num_rows($resql); $nbofloop = min($num, (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 500 : $conf->global->MAIN_MAXLIST_OVERLOAD)); startSimpleTable("OrdersOpened", "commande/list.php", "search_status=".Commande::STATUS_VALIDATED, 4, $num); if ($num > 0) { $i = 0; + $othernb = 0; while ($i < $nbofloop) { $obj = $db->fetch_object($resql); + if ($i >= $max) { + $othernb += 1; + $i++; + $total += $obj->total_ht; + $total_ttc += $obj->total_ttc; + continue; + } + $orderstatic->id = $obj->commandeid; $orderstatic->ref = $obj->ref; $orderstatic->ref_client = $obj->ref_client; @@ -730,12 +765,22 @@ if (!empty($conf->commande->enabled) && $user->rights->commande->lire) { print ''; $i++; - $total +=(!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc); + $total += $obj->total_ht; + $total_ttc += $obj->total_ttc; + } + + if ($othernb) { + print ''; + print ''; + print "\n"; } } - addSummaryTableLine(5, $num, $nbofloop, $num, $total, "None", true); + addSummaryTableLine(5, $num, $nbofloop, empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $total_ttc : $total, "None", true); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); diff --git a/htdocs/comm/mailing/advtargetemailing.php b/htdocs/comm/mailing/advtargetemailing.php index fbdf3097139..29b06819e9e 100644 --- a/htdocs/comm/mailing/advtargetemailing.php +++ b/htdocs/comm/mailing/advtargetemailing.php 
@@ -46,7 +46,7 @@ if (!$user->rights->mailing->lire || $user->socid > 0)
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
-$sortfield = GETPOST('sortfield', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
 $sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
diff --git a/htdocs/comm/mailing/card.php b/htdocs/comm/mailing/card.php
index 26216c1ac01..13037b58769 100644
--- a/htdocs/comm/mailing/card.php
+++ b/htdocs/comm/mailing/card.php
@@ -462,14 +462,14 @@ if (empty($reshook))
 {
 $mesgs = array();
- $object->email_from = trim($_POST["from"]);
- $object->email_replyto = trim($_POST["replyto"]);
- $object->email_errorsto = trim($_POST["errorsto"]);
- $object->titre = trim($_POST["titre"]);
- $object->sujet = trim($_POST["sujet"]);
- $object->body = trim($_POST["bodyemail"]);
- $object->bgcolor = trim($_POST["bgcolor"]);
- $object->bgimage = trim($_POST["bgimage"]);
+ $object->email_from = GETPOST("from");
+ $object->email_replyto = GETPOST("replyto");
+ $object->email_errorsto = GETPOST("errorsto");
+ $object->titre = GETPOST("titre");
+ $object->sujet = GETPOST("sujet");
+ $object->body = GETPOST("bodyemail", 'restricthtml');
+ $object->bgcolor = GETPOST("bgcolor");
+ $object->bgimage = GETPOST("bgimage");
 if (!$object->titre) {
 $mesgs[] = $langs->trans("ErrorFieldRequired", $langs->transnoentities("MailTitle"));
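Review bot: The new `GETPOST("from")`, `GETPOST("replyto")`, `GETPOST("errorsto")`, `GETPOST("titre")`, `GETPOST("sujet")`, `GETPOST("bgcolor")` and `GETPOST("bgimage")` assignments in the card.php hunk pass no check type, so the filtering they receive depends entirely on GETPOST's default; if that default is 'none' in this branch, these lines are equivalent to the raw `$_POST` reads they replace minus the `trim()` that was dropped. Give each scalar field an explicit check, e.g. `$object->email_from = GETPOST("from", 'alphanohtml');`, and keep `'restricthtml'` for the body alone, which is the only field that legitimately carries markup. The second card.php hunk below (file line 563, `sujet`/`bgcolor`/`bgimage`) has the same gap. Both hunks sit inside `if (empty($reshook))`, whose block continues outside the view.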
@@ -563,10 +563,10 @@ if (empty($reshook))
 {
 $mesgs = array();
- $object->sujet = trim($_POST["sujet"]);
- $object->body = trim($_POST["bodyemail"]);
- $object->bgcolor = trim($_POST["bgcolor"]);
- $object->bgimage = trim($_POST["bgimage"]);
+ $object->sujet = GETPOST("sujet");
+ $object->body = GETPOST("bodyemail", 'restricthtml');
+ $object->bgcolor = GETPOST("bgcolor");
+ $object->bgimage = GETPOST("bgimage");
 if (!$object->sujet) {
 $mesgs[] = $langs->trans("ErrorFieldRequired", $langs->transnoentities("MailTopic"));
diff --git a/htdocs/comm/mailing/cibles.php b/htdocs/comm/mailing/cibles.php
index be0518be553..813a195007b 100644
--- a/htdocs/comm/mailing/cibles.php
+++ b/htdocs/comm/mailing/cibles.php
@@ -41,7 +41,7 @@ if (!$user->rights->mailing->lire || $user->socid > 0) accessforbidden();
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
-$sortfield = GETPOST('sortfield', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
 $sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
diff --git a/htdocs/comm/mailing/class/advtargetemailing.class.php b/htdocs/comm/mailing/class/advtargetemailing.class.php
index 983ad374980..f82ebec9d6f 100644
--- a/htdocs/comm/mailing/class/advtargetemailing.class.php
+++ b/htdocs/comm/mailing/class/advtargetemailing.class.php
@@ -567,7 +567,7 @@ class AdvanceTargetingMailing extends CommonObject
 if (($extrafields->attributes[$elementtype]['type'][$key] == 'varchar') || ($extrafields->attributes[$elementtype]['type'][$key] == 'text')) {
 if (!empty($arrayquery['options_'.$key])) {
- $sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key]."')";
+ $sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')";
 }
 } elseif (($extrafields->attributes[$elementtype]['type'][$key] == 'int') || ($extrafields->attributes[$elementtype]['type'][$key] == 'double')) {
@@ -587,7 +587,7 @@ class AdvanceTargetingMailing extends CommonObject
 if (is_array($arrayquery['options_'.$key])) {
 $sqlwhere[] = " (te.".$key." IN ('".implode("','", $arrayquery['options_'.$key])."'))";
 } elseif (!empty($arrayquery['options_'.$key])) {
- $sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key]."')";
+ $sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')";
 }
 }
 }
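Review bot: In the hunk at file line 587 the `is_array(...)` branch two lines above the changed LIKE line still interpolates `implode("','", $arrayquery['options_'.$key])` without escaping, so only the scalar form of this extrafield filter is covered by the change while the multi-value form keeps the original weakness. Escaping each element preserves the list shape: `$sqlwhere[] = " (te.".$key." IN ('".implode("','", array_map(array($this->db, 'escape'), $arrayquery['options_'.$key]))."'))";`. The same unescaped IN branch sits next to the newly escaped LIKE in the `_cnct` hunk (file line 732) and in both `tse.` hunks (file lines 810 and 830). The enclosing method starts and ends outside these hunks.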
@@ -664,13 +664,13 @@ class AdvanceTargetingMailing extends CommonObject
 $sqlwhere[] = $this->transformToSQL('t.firstname', $arrayquery['contact_firstname']);
 }
 if (!empty($arrayquery['contact_country']) && count($arrayquery['contact_country'])) {
- $sqlwhere[] = " (t.fk_pays IN (".$this->db->escape(implode(',', $arrayquery['contact_country']))."))";
+ $sqlwhere[] = " (t.fk_pays IN (".$this->db->sanitize($this->db->escape(implode(',', $arrayquery['contact_country'])))."))";
 }
 if (!empty($arrayquery['contact_status']) && count($arrayquery['contact_status']) > 0) {
- $sqlwhere[] = " (t.statut IN (".$this->db->escape(implode(',', $arrayquery['contact_status']))."))";
+ $sqlwhere[] = " (t.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $arrayquery['contact_status'])))."))";
 }
 if (!empty($arrayquery['contact_civility']) && count($arrayquery['contact_civility']) > 0) {
- $sqlwhere[] = " (t.civility IN ('".$this->db->escape(implode("','", $arrayquery['contact_civility']))."'))";
+ $sqlwhere[] = " (t.civility IN ('".$this->db->sanitize($this->db->escape(implode("','", $arrayquery['contact_civility'])))."'))";
 }
 if ($arrayquery['contact_no_email'] != '') {
 $tmpwhere = '';
@@ -708,7 +708,7 @@ class AdvanceTargetingMailing extends CommonObject
 if (($extrafields->attributes[$elementtype]['type'][$key] == 'varchar') || ($extrafields->attributes[$elementtype]['type'][$key] == 'text')) {
 if (!empty($arrayquery['options_'.$key.'_cnct'])) {
- $sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key.'_cnct']."')";
+ $sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key.'_cnct'])."')";
 }
 } elseif (($extrafields->attributes[$elementtype]['type'][$key] == 'int') || ($extrafields->attributes[$elementtype]['type'][$key] == 'double')) {
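Review bot: On the `contact_civility` line, `sanitize()` is applied to the output of `escape()` on a list that was already joined with `','`; if sanitize()'s default mode admits only alphanumerics and a few separators (as I recall it does, but verify against DoliDB in this branch), the quote separators are stripped and `IN ('MR','MME')` degrades to `IN ('MR,MME')`, which matches no row, so the filter silently returns nothing for more than one civility. Escape the elements instead and drop the outer sanitize for this string list: `$sqlwhere[] = " (t.civility IN ('".implode("','", array_map(array($this->db, 'escape'), $arrayquery['contact_civility']))."'))";`. For the numeric `fk_pays` and `statut` lists `sanitize()` alone is the right tool and the inner `escape()` is redundant; the same escape-then-sanitize wrapping recurs in the propal list, propal and commande stats, and bank annuel hunks later in this commit. The enclosing method starts and ends outside the hunk.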
@@ -732,7 +732,7 @@ class AdvanceTargetingMailing extends CommonObject
 if (is_array($arrayquery['options_'.$key.'_cnct'])) {
 $sqlwhere[] = " (te.".$key." IN ('".implode("','", $arrayquery['options_'.$key.'_cnct'])."'))";
 } elseif (!empty($arrayquery['options_'.$key.'_cnct'])) {
- $sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key.'_cnct']."')";
+ $sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key.'_cnct'])."')";
 }
 }
 }
@@ -810,7 +810,7 @@ class AdvanceTargetingMailing extends CommonObject
 if (($extrafields->attributes[$elementtype]['type'][$key] == 'varchar') || ($extrafields->attributes[$elementtype]['type'][$key] == 'text')) {
 if (!empty($arrayquery['options_'.$key])) {
- $sqlwhere[] = " (tse.".$key." LIKE '".$arrayquery['options_'.$key]."')";
+ $sqlwhere[] = " (tse.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')";
 }
 } elseif (($extrafields->attributes[$elementtype]['type'][$key] == 'int') || ($extrafields->attributes[$elementtype]['type'][$key] == 'double')) {
@@ -830,7 +830,7 @@ class AdvanceTargetingMailing extends CommonObject
 if (is_array($arrayquery['options_'.$key])) {
 $sqlwhere[] = " (tse.".$key." IN ('".implode("','", $arrayquery['options_'.$key])."'))";
 } elseif (!empty($arrayquery['options_'.$key])) {
- $sqlwhere[] = " (tse.".$key." LIKE '".$arrayquery['options_'.$key]."')";
+ $sqlwhere[] = " (tse.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')";
 }
 }
 }
diff --git a/htdocs/comm/propal/class/api_proposals.class.php b/htdocs/comm/propal/class/api_proposals.class.php
index 8efc4aa5c19..0f157396f35 100644
--- a/htdocs/comm/propal/class/api_proposals.class.php
+++ b/htdocs/comm/propal/class/api_proposals.class.php
@@ -190,7 +190,7 @@ class Proposals extends DolibarrApi
 $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")";
 }
- $sql .= $db->order($sortfield, $sortorder);
+ $sql .= $this->db->order($sortfield, $sortorder);
 if ($limit) {
 if ($page < 0) {
@@ -198,21 +198,21 @@ class Proposals extends DolibarrApi
 }
 $offset = $limit * $page;
- $sql .= $db->plimit($limit + 1, $offset);
+ $sql .= $this->db->plimit($limit + 1, $offset);
 }
 dol_syslog("API Rest request");
- $result = $db->query($sql);
+ $result = $this->db->query($sql);
 if ($result) {
- $num = $db->num_rows($result);
+ $num = $this->db->num_rows($result);
 $min = min($num, ($limit <= 0 ? $num : $limit));
 $i = 0;
 while ($i < $min) {
- $obj = $db->fetch_object($result);
- $proposal_static = new Propal($db);
+ $obj = $this->db->fetch_object($result);
+ $proposal_static = new Propal($this->db);
 if ($proposal_static->fetch($obj->rowid)) {
 // Add external contacts ids
 $proposal_static->contacts_ids = $proposal_static->liste_contact(-1, 'external', 1);
@@ -221,7 +221,7 @@ class Proposals extends DolibarrApi
 $i++;
 }
 } else {
- throw new RestException(503, 'Error when retrieve propal list : '.$db->lasterror());
+ throw new RestException(503, 'Error when retrieve propal list : '.$this->db->lasterror());
 }
 if (!count($obj_ret)) {
 throw new RestException(404, 'No proposal found');
diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php
index 0712346f927..7e34ac6fc3c 100644
--- a/htdocs/comm/propal/class/propal.class.php
+++ b/htdocs/comm/propal/class/propal.class.php
@@ -1061,7 +1061,7 @@ class Propal extends CommonObject
 $sql .= ", '".$this->db->idate($this->date)."'";
 $sql .= ", '".$this->db->idate($now)."'";
 $sql .= ", '(PROV)'";
- $sql .= ", ".($user->id > 0 ? "'".$user->id."'" : "NULL");
+ $sql .= ", ".($user->id > 0 ? "'".$this->db->escape($user->id)."'" : "NULL");
 $sql .= ", '".$this->db->escape($this->note_private)."'";
 $sql .= ", '".$this->db->escape($this->note_public)."'";
 $sql .= ", '".$this->db->escape($this->model_pdf)."'";
diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php
index 1391bc4e1fd..dde38d98489 100644
--- a/htdocs/comm/propal/list.php
+++ b/htdocs/comm/propal/list.php
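Review bot: `$user->id` is already guarded by `> 0` on the changed line, so it is numeric; quoting it and passing it through `escape()` stores an integer foreign key as a string literal, whereas the other hunks of this commit cast integer ids with `(int)`. Prefer `$sql .= ", ".($user->id > 0 ? ((int) $user->id) : "NULL");`, which is both stricter and consistent. The enclosing method starts and ends outside the hunk.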
@@ -333,13 +333,13 @@ if (!$user->rights->societe->client->voir && !$socid) //restriction if ($search_town) $sql .= natural_search('s.town', $search_town); if ($search_zip) $sql .= natural_search("s.zip", $search_zip); if ($search_state) $sql .= natural_search("state.nom", $search_state); -if ($search_country) $sql .= " AND s.fk_pays IN (".$db->escape($search_country).')'; -if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->escape($search_type_thirdparty).')'; +if ($search_country) $sql .= " AND s.fk_pays IN (".$db->sanitize($db->escape($search_country)).')'; +if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->sanitize($db->escape($search_type_thirdparty)).')'; if ($search_ref) $sql .= natural_search('p.ref', $search_ref); if ($search_refcustomer) $sql .= natural_search('p.ref_client', $search_refcustomer); if ($search_refproject) $sql .= natural_search('pr.ref', $search_refproject); if ($search_project) $sql .= natural_search('pr.title', $search_project); -if ($search_availability) $sql .= " AND p.fk_availability IN (".$db->escape($search_availability).')'; +if ($search_availability) $sql .= " AND p.fk_availability IN (".$db->sanitize($db->escape($search_availability)).')'; if ($search_societe) $sql .= natural_search('s.nom', $search_societe); if ($search_login) $sql .= natural_search("u.login", $search_login); @@ -361,7 +361,7 @@ if ($search_product_category > 0) $sql .= " AND cp.fk_categorie = ".$db->escape( if ($socid > 0) $sql .= ' AND s.rowid = '.$socid; if ($search_status != '' && $search_status != '-1') { - $sql .= ' AND p.fk_statut IN ('.$db->escape($search_status).')'; + $sql .= ' AND p.fk_statut IN ('.$db->sanitize($db->escape($search_status)).')'; } if ($search_date_start) $sql .= " AND p.datep >= '".$db->idate($search_date_start)."'"; if ($search_date_end) $sql .= " AND p.datep <= '".$db->idate($search_date_end)."'"; @@ -636,12 +636,10 @@ if ($resql) { print ''; } @@ -650,12 +648,10 @@ if ($resql) { print ''; } 
@@ -664,12 +660,10 @@ if ($resql) { print ''; } diff --git a/htdocs/comm/propal/stats/index.php b/htdocs/comm/propal/stats/index.php index 00a79f3c1be..49e1141fec1 100644 --- a/htdocs/comm/propal/stats/index.php +++ b/htdocs/comm/propal/stats/index.php @@ -101,7 +101,7 @@ dol_mkdir($dir); $stats = new PropaleStats($db, $socid, ($userid > 0 ? $userid : 0), $mode, ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0)); -if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND p.fk_statut IN ('.$db->escape($object_status).')'; +if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND p.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; // Build graphic number of object $data = $stats->getNbByMonthWithPrevYear($endyear, $startyear); diff --git a/htdocs/commande/card.php b/htdocs/commande/card.php index d48e990e7e8..b447a00c404 100644 --- a/htdocs/commande/card.php +++ b/htdocs/commande/card.php @@ -417,7 +417,7 @@ if (empty($reshook)) $originidforcontact=$srcobject->origin_id; } $sqlcontact = "SELECT code, fk_socpeople FROM ".MAIN_DB_PREFIX."element_contact as ec, ".MAIN_DB_PREFIX."c_type_contact as ctc"; - $sqlcontact.= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$originforcontact."'"; + $sqlcontact.= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$db->escape($originforcontact)."'"; $resqlcontact = $db->query($sqlcontact); if ($resqlcontact) diff --git a/htdocs/commande/class/api_orders.class.php b/htdocs/commande/class/api_orders.class.php index f62c00ee81b..2202ad5b67e 100644 --- a/htdocs/commande/class/api_orders.class.php +++ b/htdocs/commande/class/api_orders.class.php 
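Review bot: The changed `$sqlcontact .=` line in commande/card.php escapes `$originforcontact` but leaves `$originidforcontact`, assigned from `$srcobject->origin_id` two lines above, interpolated raw into `element_id = ...`; cast it on the same line, `" WHERE element_id = ".((int) $originidforcontact)." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$db->escape($originforcontact)."'"`. The same half-fix recurs on the identical line in commande.class.php, on the `$origin_id` and `$id` VALUES lines beside the newly escaped `origin`/`element` in orderstoinvoice.php, on `url_id = ".$url_id` in Account's bank_url SELECT (while the INSERT hunk of the same class quotes and escapes `$url_id` as a string, so its type is inconsistent between the two), on `ab.fk_doc = ".$this->id` and `".$banklineid` in AccountLine and PaymentVarious, and on `rowid = ".$rowid` / `rappro = ".$rappro` in compta/bank/line.php. Where these ids are not visibly cast before use, a `(int)` at the point of interpolation makes the escaping of the adjacent constant or string meaningful. The enclosing blocks start and end outside these hunks.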
@@ -193,7 +193,7 @@ class Orders extends DolibarrApi
 $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")";
 }
- $sql .= $db->order($sortfield, $sortorder);
+ $sql .= $this->db->order($sortfield, $sortorder);
 if ($limit) {
 if ($page < 0) {
@@ -201,21 +201,21 @@ class Orders extends DolibarrApi
 }
 $offset = $limit * $page;
- $sql .= $db->plimit($limit + 1, $offset);
+ $sql .= $this->db->plimit($limit + 1, $offset);
 }
 dol_syslog("API Rest request");
- $result = $db->query($sql);
+ $result = $this->db->query($sql);
 if ($result) {
- $num = $db->num_rows($result);
+ $num = $this->db->num_rows($result);
 $min = min($num, ($limit <= 0 ? $num : $limit));
 $i = 0;
 while ($i < $min) {
- $obj = $db->fetch_object($result);
- $commande_static = new Commande($db);
+ $obj = $this->db->fetch_object($result);
+ $commande_static = new Commande($this->db);
 if ($commande_static->fetch($obj->rowid)) {
 // Add external contacts ids
 $commande_static->contacts_ids = $commande_static->liste_contact(-1, 'external', 1);
@@ -224,7 +224,7 @@ class Orders extends DolibarrApi
 $i++;
 }
 } else {
- throw new RestException(503, 'Error when retrieve commande list : '.$db->lasterror());
+ throw new RestException(503, 'Error when retrieve commande list : '.$this->db->lasterror());
 }
 if (!count($obj_ret)) {
 throw new RestException(404, 'No order found');
diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php
index 1bd919fd470..5c314226214 100644
--- a/htdocs/commande/class/commande.class.php
+++ b/htdocs/commande/class/commande.class.php
@@ -1122,7 +1122,7 @@ class Commande extends CommonOrder } $sqlcontact = "SELECT ctc.code, ctc.source, ec.fk_socpeople FROM ".MAIN_DB_PREFIX."element_contact as ec, ".MAIN_DB_PREFIX."c_type_contact as ctc"; - $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$originforcontact."'"; + $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$this->db->escape($originforcontact)."'"; $resqlcontact = $this->db->query($sqlcontact); if ($resqlcontact) diff --git a/htdocs/commande/list.php b/htdocs/commande/list.php index c65ffe18e12..921e1de185b 100644 --- a/htdocs/commande/list.php +++ b/htdocs/commande/list.php @@ -630,31 +630,31 @@ if ($resql) if (!empty($arrayfields['c.ref']['checked'])) { print ''; } // Ref customer if (!empty($arrayfields['c.ref_client']['checked'])) { print ''; } // Project ref if (!empty($arrayfields['p.ref']['checked'])) { - print ''; + print ''; } // Project title if (!empty($arrayfields['p.title']['checked'])) { - print ''; + print ''; } // Thirpdarty if (!empty($arrayfields['s.nom']['checked'])) { print ''; } // Town @@ -687,12 +687,10 @@ if ($resql) { print ''; } @@ -700,12 +698,10 @@ if ($resql) { print ''; } @@ -713,14 +709,14 @@ if ($resql) { // Amount print ''; } if (!empty($arrayfields['c.total_vat']['checked'])) { // Amount print ''; } if (!empty($arrayfields['c.total_ttc']['checked'])) diff --git a/htdocs/commande/orderstoinvoice.php b/htdocs/commande/orderstoinvoice.php index 7b8e31ce7a4..a4d4ed07dee 100644 --- a/htdocs/commande/orderstoinvoice.php +++ b/htdocs/commande/orderstoinvoice.php 
@@ -199,9 +199,9 @@ if (($action == 'create' || $action == 'add') && !$error)
 $sql .= ", targettype";
 $sql .= ") VALUES (";
 $sql .= $origin_id;
- $sql .= ", '".$object->origin."'";
+ $sql .= ", '".$db->escape($object->origin)."'";
 $sql .= ", ".$id;
- $sql .= ", '".$object->element."'";
+ $sql .= ", '".$db->escape($object->element)."'";
 $sql .= ")";
 if ($db->query($sql))
diff --git a/htdocs/commande/stats/index.php b/htdocs/commande/stats/index.php
index 0910e4ee7ad..346b5549bfd 100644
--- a/htdocs/commande/stats/index.php
+++ b/htdocs/commande/stats/index.php
@@ -94,11 +94,11 @@ dol_mkdir($dir);
 $stats = new CommandeStats($db, $socid, $mode, ($userid > 0 ? $userid : 0), ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0));
 if ($mode == 'customer') {
- if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND c.fk_statut IN ('.$db->escape($object_status).')';
+ if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND c.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')';
 }
 if ($mode == 'supplier') {
- if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND c.fk_statut IN ('.$db->escape($object_status).')';
+ if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND c.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')';
 }
diff --git a/htdocs/compta/accounting-files.php b/htdocs/compta/accounting-files.php
index d73e7228b82..2a8a0358744 100644
--- a/htdocs/compta/accounting-files.php
+++ b/htdocs/compta/accounting-files.php
@@ -67,7 +67,7 @@ $hookmanager->initHooks(array('comptafileslist', 'globallist'));
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
-$sortfield = GETPOST('sortfield', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
 $sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
diff --git a/htdocs/compta/bank/annuel.php b/htdocs/compta/bank/annuel.php
index 72a7e33d3f2..cd82da0e1bd 100644
--- a/htdocs/compta/bank/annuel.php
+++ b/htdocs/compta/bank/annuel.php
@@ -91,7 +91,7 @@ $sql .= " WHERE b.fk_account = ba.rowid";
 $sql .= " AND ba.entity IN (".getEntity('bank_account').")";
 $sql .= " AND b.amount >= 0";
 if (!empty($id))
- $sql .= " AND b.fk_account IN (".$db->escape($id).")";
+ $sql .= " AND b.fk_account IN (".$db->sanitize($db->escape($id)).")";
 $sql .= " GROUP BY dm";
 $resql = $db->query($sql);
@@ -117,7 +117,7 @@ $sql .= " WHERE b.fk_account = ba.rowid";
 $sql .= " AND ba.entity IN (".getEntity('bank_account').")";
 $sql .= " AND b.amount <= 0";
 if (!empty($id))
- $sql .= " AND b.fk_account IN (".$db->escape($id).")";
+ $sql .= " AND b.fk_account IN (".$db->sanitize($db->escape($id)).")";
 $sql .= " GROUP BY dm";
 $resql = $db->query($sql);
@@ -240,7 +240,7 @@ $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba";
 $sql .= " WHERE b.fk_account = ba.rowid";
 $sql .= " AND ba.entity IN (".getEntity('bank_account').")";
 if (!empty($id))
- $sql .= " AND b.fk_account IN (".$db->escape($id).")";
+ $sql .= " AND b.fk_account IN (".$db->sanitize($db->escape($id)).")";
 $resql = $db->query($sql);
 if ($resql)
diff --git a/htdocs/compta/bank/bankentries_list.php b/htdocs/compta/bank/bankentries_list.php
index 1573a226521..950d0c7d3c6 100644
--- a/htdocs/compta/bank/bankentries_list.php
+++ b/htdocs/compta/bank/bankentries_list.php
@@ -811,19 +811,19 @@ if ($resql) $moreforfilter .= '
'; $moreforfilter .= $langs->trans('DateOperationShort').' :'; $moreforfilter .= ($conf->browser->layout == 'phone' ? '
' : ' '); - $moreforfilter .= '
'.$langs->trans('From').' '; - $moreforfilter .= $form->selectDate($search_dt_start, 'search_start_dt', 0, 0, 1, "search_form", 1, 0).'
'; + $moreforfilter .= '
'; + $moreforfilter .= $form->selectDate($search_dt_start, 'search_start_dt', 0, 0, 1, "search_form", 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')).'
'; //$moreforfilter .= ' - '; - $moreforfilter .= '
'.$langs->trans('to').' '.$form->selectDate($search_dt_end, 'search_end_dt', 0, 0, 1, "search_form", 1, 0).'
'; + $moreforfilter .= '
'.$form->selectDate($search_dt_end, 'search_end_dt', 0, 0, 1, "search_form", 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')).'
'; $moreforfilter .= '
'; $moreforfilter .= '
'; $moreforfilter .= $langs->trans('DateValueShort').' : '; $moreforfilter .= ($conf->browser->layout == 'phone' ? '
' : ' '); - $moreforfilter .= '
'.$langs->trans('From').' '; - $moreforfilter .= $form->selectDate($search_dv_start, 'search_start_dv', 0, 0, 1, "search_form", 1, 0).'
'; + $moreforfilter .= '
'; + $moreforfilter .= $form->selectDate($search_dv_start, 'search_start_dv', 0, 0, 1, "search_form", 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')).'
'; //$moreforfilter .= ' - '; - $moreforfilter .= '
'.$langs->trans('to').' '.$form->selectDate($search_dv_end, 'search_end_dv', 0, 0, 1, "search_form", 1, 0).'
'; + $moreforfilter .= '
'.$form->selectDate($search_dv_end, 'search_end_dv', 0, 0, 1, "search_form", 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')).'
'; $moreforfilter .= '
'; if (!empty($conf->categorie->enabled)) diff --git a/htdocs/compta/bank/class/account.class.php b/htdocs/compta/bank/class/account.class.php index 4ce4ef3bb3b..dffd62dc5a3 100644 --- a/htdocs/compta/bank/class/account.class.php +++ b/htdocs/compta/bank/class/account.class.php @@ -390,11 +390,11 @@ class Account extends CommonObject $sql .= ", label"; $sql .= ", type"; $sql .= ") VALUES ("; - $sql .= "'".$line_id."'"; - $sql .= ", '".$url_id."'"; - $sql .= ", '".$url."'"; + $sql .= " ".((int) $line_id); + $sql .= ", '".$this->db->escape($url_id)."'"; + $sql .= ", '".$this->db->escape($url)."'"; $sql .= ", '".$this->db->escape($label)."'"; - $sql .= ", '".$type."'"; + $sql .= ", '".$this->db->escape($type)."'"; $sql .= ")"; dol_syslog(get_class($this)."::add_url_line", LOG_DEBUG); @@ -434,7 +434,7 @@ class Account extends CommonObject $sql .= " FROM ".MAIN_DB_PREFIX."bank_url"; if ($fk_bank > 0) { $sql .= " WHERE fk_bank = ".$fk_bank; - } else { $sql .= " WHERE url_id = ".$url_id." AND type = '".$type."'"; + } else { $sql .= " WHERE url_id = ".$url_id." AND type = '".$this->db->escape($type)."'"; } $sql .= " ORDER BY type, label"; @@ -1315,7 +1315,7 @@ class Account extends CommonObject * * @return int Nb of account we can reconciliate */ - public static function countAccountToReconcile() + public function countAccountToReconcile() { global $db, $conf, $user; @@ -1331,12 +1331,12 @@ class Account extends CommonObject $sql .= " WHERE ba.rappro > 0 and ba.clos = 0"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; if (empty($conf->global->BANK_CAN_RECONCILIATE_CASHACCOUNT)) $sql .= " AND ba.courant != 2"; - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - $obj = $db->fetch_object($resql); + $obj = $this->db->fetch_object($resql); $nb = $obj->nb; - } else dol_print_error($db); + } else dol_print_error($this->db); return $nb; } 
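Review bot: `countAccountToReconcile()` changes from `public static` to an instance method so that the body can use `$this->db`; any existing caller written as `Account::countAccountToReconcile()` will now fail with a non-static call error (fatal on PHP 8), and nothing in these hunks shows the call sites being updated. Either keep the static signature and continue to use the `global $db` the method still declares, or update the callers in the same commit. With the change as written, the surviving `global $db, $conf, $user;` line leaves `$db` declared but unused in this method. The method's opening and closing lines are outside the hunk pair.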
@@ -1825,7 +1825,7 @@ class AccountLine extends CommonObject $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; if ($num) $sql .= " AND b.num_chq='".$this->db->escape($num)."'"; elseif ($ref) $sql .= " AND b.rowid='".$this->db->escape($ref)."'"; - else $sql .= " AND b.rowid=".$rowid; + else $sql .= " AND b.rowid = ".((int) $rowid); dol_syslog(get_class($this)."::fetch", LOG_DEBUG); $result = $this->db->query($sql); @@ -2421,7 +2421,7 @@ class AccountLine extends CommonObject $type = 'bank'; - $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$type."' AND ab.fk_doc = ".$this->id; + $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$this->db->escape($type)."' AND ab.fk_doc = ".$this->id; $resql = $this->db->query($sql); if ($resql) { diff --git a/htdocs/compta/bank/class/paymentvarious.class.php b/htdocs/compta/bank/class/paymentvarious.class.php index bfb522b6e3a..14466915d76 100644 --- a/htdocs/compta/bank/class/paymentvarious.class.php +++ b/htdocs/compta/bank/class/paymentvarious.class.php @@ -710,7 +710,7 @@ class PaymentVarious extends CommonObject $type = 'bank'; - $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$type."' AND ab.fk_doc = ".$banklineid; + $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$this->db->escape($type)."' AND ab.fk_doc = ".$banklineid; $resql = $this->db->query($sql); if ($resql) { diff --git a/htdocs/compta/bank/graph.php b/htdocs/compta/bank/graph.php index 296211bf35c..686122f4d56 100644 --- a/htdocs/compta/bank/graph.php +++ b/htdocs/compta/bank/graph.php 
@@ -130,8 +130,8 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev >= '".$year."-".$month."-01 00:00:00'"; - $sql .= " AND b.datev < '".$yearnext."-".$monthnext."-01 00:00:00'"; + $sql .= " AND b.datev >= '".$db->escape($year)."-".$db->escape($month)."-01 00:00:00'"; + $sql .= " AND b.datev < '".$db->escape($yearnext)."-".$db->escape($monthnext)."-01 00:00:00'"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $sql .= " GROUP BY date_format(b.datev,'%Y%m%d')"; @@ -159,7 +159,7 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev < '".$year."-".sprintf("%02s", $month)."-01'"; + $sql .= " AND b.datev < '".$db->escape($year)."-".sprintf("%02s", $month)."-01'"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $resql = $db->query($sql); @@ -267,8 +267,8 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev >= '".$year."-01-01 00:00:00'"; - $sql .= " AND b.datev <= '".$year."-12-31 23:59:59'"; + $sql .= " AND b.datev >= '".$db->escape($year)."-01-01 00:00:00'"; + $sql .= " AND b.datev <= '".$db->escape($year)."-12-31 23:59:59'"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $sql .= " GROUP BY date_format(b.datev,'%Y%m%d')"; 
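Review bot: `$db->escape($year)` and `$db->escape($month)` on the changed `b.datev` bounds stop quote breakage but still allow any non-numeric text into the date literal; these are numeric date components, so formatting them is both stricter and self-documenting, e.g. `$sql .= " AND b.datev >= '".sprintf('%04d-%02d', $year, $month)."-01 00:00:00'";` and `$sql .= " AND b.datev < '".sprintf('%04d-%02d', $yearnext, $monthnext)."-01 00:00:00'";`. The context line directly below, `if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")";`, interpolates `$account` into an IN list without the `sanitize()` this commit applies to the same construct elsewhere and reads `$_GET` directly rather than via GETPOST; how `$account` is built is outside the hunk, so check it before deciding whether a cast or sanitize belongs there. The same two points apply to every other graph.php hunk in this commit (file lines 159, 267, 296, 519, 555, 632 and 659).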
@@ -296,7 +296,7 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev < '".$year."-01-01'"; + $sql .= " AND b.datev < '".$db->escape($year)."-01-01'"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $resql = $db->query($sql); @@ -519,8 +519,8 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev >= '".$year."-".$month."-01 00:00:00'"; - $sql .= " AND b.datev < '".$yearnext."-".$monthnext."-01 00:00:00'"; + $sql .= " AND b.datev >= '".$db->escape($year)."-".$db->escape($month)."-01 00:00:00'"; + $sql .= " AND b.datev < '".$db->escape($yearnext)."-".$db->escape($monthnext)."-01 00:00:00'"; $sql .= " AND b.amount > 0"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $sql .= " GROUP BY date_format(b.datev,'%d')"; @@ -555,8 +555,8 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev >= '".$year."-".$month."-01 00:00:00'"; - $sql .= " AND b.datev < '".$yearnext."-".$monthnext."-01 00:00:00'"; + $sql .= " AND b.datev >= '".$db->escape($year)."-".$db->escape($month)."-01 00:00:00'"; + $sql .= " AND b.datev < '".$db->escape($yearnext)."-".$db->escape($monthnext)."-01 00:00:00'"; $sql .= " AND b.amount < 0"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $sql .= " GROUP BY date_format(b.datev,'%d')"; 
@@ -632,8 +632,8 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev >= '".$year."-01-01 00:00:00'"; - $sql .= " AND b.datev <= '".$year."-12-31 23:59:59'"; + $sql .= " AND b.datev >= '".$db->escape($year)."-01-01 00:00:00'"; + $sql .= " AND b.datev <= '".$db->escape($year)."-12-31 23:59:59'"; $sql .= " AND b.amount > 0"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $sql .= " GROUP BY date_format(b.datev,'%m');"; @@ -659,8 +659,8 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev >= '".$year."-01-01 00:00:00'"; - $sql .= " AND b.datev <= '".$year."-12-31 23:59:59'"; + $sql .= " AND b.datev >= '".$db->escape($year)."-01-01 00:00:00'"; + $sql .= " AND b.datev <= '".$db->escape($year)."-12-31 23:59:59'"; $sql .= " AND b.amount < 0"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $sql .= " GROUP BY date_format(b.datev,'%m')"; diff --git a/htdocs/compta/bank/line.php b/htdocs/compta/bank/line.php index 0da5a557647..7502d4644f5 100644 --- a/htdocs/compta/bank/line.php +++ b/htdocs/compta/bank/line.php 
@@ -138,15 +138,15 @@ if ($user->rights->banque->modifier && $action == "update") $sql = "UPDATE ".MAIN_DB_PREFIX."bank"; $sql .= " SET "; // Always opened - if (isset($_POST['value'])) $sql .= " fk_type='".$db->escape($_POST['value'])."',"; - if (isset($_POST['num_chq'])) $sql .= " num_chq='".$db->escape($_POST["num_chq"])."',"; - if (isset($_POST['banque'])) $sql .= " banque='".$db->escape($_POST["banque"])."',"; - if (isset($_POST['emetteur'])) $sql .= " emetteur='".$db->escape($_POST["emetteur"])."',"; + if (isset($_POST['value'])) $sql .= " fk_type='".$db->escape(GETPOST('value'))."',"; + if (isset($_POST['num_chq'])) $sql .= " num_chq='".$db->escape(GETPOST("num_chq"))."',"; + if (isset($_POST['banque'])) $sql .= " banque='".$db->escape(GETPOST("banque"))."',"; + if (isset($_POST['emetteur'])) $sql .= " emetteur='".$db->escape(GETPOST("emetteur"))."',"; // Blocked when conciliated if (!$acline->rappro) { - if (isset($_POST['label'])) $sql .= " label='".$db->escape($_POST["label"])."',"; - if (isset($_POST['amount'])) $sql .= " amount='".$amount."',"; + if (isset($_POST['label'])) $sql .= " label = '".$db->escape(GETPOST("label"))."',"; + if (isset($_POST['amount'])) $sql .= " amount= '".$db->escape($amount)."',"; if (isset($_POST['dateomonth'])) $sql .= " dateo = '".$db->idate($dateop)."',"; if (isset($_POST['datevmonth'])) $sql .= " datev = '".$db->idate($dateval)."',"; } @@ -212,7 +212,7 @@ if ($user->rights->banque->consolidate && ($action == 'num_releve' || $action == $db->begin(); $sql = "UPDATE ".MAIN_DB_PREFIX."bank"; - $sql .= " SET num_releve=".($num_rel ? "'".$num_rel."'" : "null"); + $sql .= " SET num_releve=".($num_rel ? "'".$db->escape($num_rel)."'" : "null"); if (empty($num_rel)) $sql .= ", rappro = 0"; else $sql .= ", rappro = ".$rappro; $sql .= " WHERE rowid = ".$rowid; @@ -306,7 +306,7 @@ if ($result) print '
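Review bot: The added lines mix two access styles on one statement: the presence test still reads `$_POST['value']` while the value is now taken through `GETPOST('value')`, and GETPOST called without a check type presumably applies no filtering here (confirm the default in this version), so the rewrite gains nothing beyond the escape it already had. `GETPOSTISSET()`, which this commit already uses for pagination, keeps test and read consistent: `if (GETPOSTISSET('value')) $sql .= " fk_type='".$db->escape(GETPOST('value'))."',";`, and likewise for `num_chq`, `banque`, `emetteur`, `label`, `amount`. Spacing also drifts between `label = '` and `amount= '` on adjacent added lines. The enclosing `if ($user->rights->banque->modifier ...)` block continues outside the hunk.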
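Review bot: In @@ -212 `$db->escape($num_rel)` protects the quoted value, but the same statement still appends `", rappro = ".$rappro` and `" WHERE rowid = ".$rowid` unquoted and unguarded on the context lines, where escape() would not apply. Whether both are already forced to int before this point is not visible in the hunk; the integer cast this commit uses for ids elsewhere closes the gap either way: `else $sql .= ", rappro = ".((int) $rappro);` and `$sql .= " WHERE rowid = ".((int) $rowid);`. The transaction started by `$db->begin()` continues outside the hunk.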
'; print '
'; - print '
'; + print ''.$langs->trans("More").'... ('.$othernb.')'; + print '
'; + print ''.$langs->trans("More").'... ('.$othernb.')'; + print '
'; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_date_start ? $search_date_start : -1, 'search_date_start', 0, 0, 1); + print $form->selectDate($search_date_start ? $search_date_start : -1, 'search_date_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_date_end ? $search_date_end : -1, 'search_date_end', 0, 0, 1); + print $form->selectDate($search_date_end ? $search_date_end : -1, 'search_date_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')); print '
'; print '
'; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_dateend_start ? $search_dateend_start : -1, 'search_dateend_start', 0, 0, 1); + print $form->selectDate($search_dateend_start ? $search_dateend_start : -1, 'search_dateend_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_dateend_end ? $search_dateend_end : -1, 'search_dateend_end', 0, 0, 1); + print $form->selectDate($search_dateend_end ? $search_dateend_end : -1, 'search_dateend_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')); print '
'; print '
'; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_datedelivery_start ? $search_datedelivery_start : -1, 'search_datedelivery_start', 0, 0, 1); + print $form->selectDate($search_datedelivery_start ? $search_datedelivery_start : -1, 'search_datedelivery_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_datedelivery_end ? $search_datedelivery_end : -1, 'search_datedelivery_end', 0, 0, 1); + print $form->selectDate($search_datedelivery_end ? $search_datedelivery_end : -1, 'search_datedelivery_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_dateorder_start ? $search_dateorder_start : -1, 'search_dateorder_start', 0, 0, 1); + print $form->selectDate($search_dateorder_start ? $search_dateorder_start : -1, 'search_dateorder_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_dateorder_end ? $search_dateorder_end : -1, 'search_dateorder_end', 0, 0, 1); + print $form->selectDate($search_dateorder_end ? $search_dateorder_end : -1, 'search_dateorder_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')); print '
'; print '
'; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_datedelivery_start ? $search_datedelivery_start : -1, 'search_datedelivery_start', 0, 0, 1); + print $form->selectDate($search_datedelivery_start ? $search_datedelivery_start : -1, 'search_datedelivery_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_datedelivery_end ? $search_datedelivery_end : -1, 'search_datedelivery_end', 0, 0, 1); + print $form->selectDate($search_datedelivery_end ? $search_datedelivery_end : -1, 'search_datedelivery_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')); print '
'; print '
'; - print ''; + print ''; print ''; - print ''; + print ''; print '
'; + print '
'; $i++; diff --git a/htdocs/compta/bank/various_payment/document.php b/htdocs/compta/bank/various_payment/document.php index 267908cde41..744daa939d5 100644 --- a/htdocs/compta/bank/various_payment/document.php +++ b/htdocs/compta/bank/various_payment/document.php @@ -44,7 +44,7 @@ $result = restrictedArea($user, 'banque', '', '', ''); // Get parameters $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/compta/bank/various_payment/list.php b/htdocs/compta/bank/various_payment/list.php index d4b8bb512cd..54216f06358 100644 --- a/htdocs/compta/bank/various_payment/list.php +++ b/htdocs/compta/bank/various_payment/list.php 
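Review bot: In the various_payment/document.php hunk, restricting `sortfield` to `aZ09comma` is right, but on the next context line `$page` is derived from `GETPOST('pageplusone')` with no type filter, so a non-numeric value reaches the subtraction (a warning on PHP 7, a TypeError on PHP 8). Passing the same filter as the fallback on that line fixes it: `$page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone', 'int') - 1) : GETPOST("page", 'int');`. The identical line appears unchanged in the cashcontrol_list.php and deplacement/document.php hunks further down.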
@@ -240,8 +240,10 @@ if ($result) if ($limit > 0 && $limit != $conf->liste_limit) $param .= '&limit='.urlencode($limit); if ($search_ref) $param .= '&search_ref='.urlencode($search_ref); if ($search_label) $param .= '&search_label='.urlencode($search_label); - if ($search_date_start) $param .= '&search_date_start='.urlencode($search_date_start); - if ($search_date_end) $param .= '&search_date_end='.urlencode($search_date_end); + if ($search_datep_start) $param .= '&search_datep_start='.urlencode($search_datep_start); + if ($search_datep_end) $param .= '&search_datep_end='.urlencode($search_datep_end); + if ($search_datev_start) $param .= '&search_datev_start='.urlencode($search_datev_start); + if ($search_datev_end) $param .= '&search_datev_end='.urlencode($search_datev_end); if ($typeid > 0) $param .= '&typeid='.urlencode($typeid); if ($search_amount_deb) $param .= '&search_amount_deb='.urlencode($search_amount_deb); if ($search_amount_cred) $param .= '&search_amount_cred='.urlencode($search_amount_cred); @@ -304,12 +306,10 @@ if ($result) if ($arrayfields['datep']['checked']) { print ''; } @@ -318,12 +318,10 @@ if ($result) if ($arrayfields['datev']['checked']) { print ''; } @@ -331,7 +329,7 @@ if ($result) // Payment type if ($arrayfields['type']['checked']) { print ''; } @@ -345,14 +343,14 @@ if ($result) // Bank account if ($arrayfields['bank']['checked']) { print ''; } // Bank entry if ($arrayfields['entry']['checked']) { - print ''; } @@ -377,14 +375,14 @@ if ($result) // Debit if ($arrayfields['debit']['checked']) { print ''; } // Credit if ($arrayfields['credit']['checked']) { print ''; } @@ -469,7 +467,7 @@ if ($result) // Project if ($arrayfields['project']['checked']) { $proj->fetch($obj->fk_project); - print ''; + print ''; if (!$i) $totalarray['nbfield']++; } diff --git a/htdocs/compta/cashcontrol/cashcontrol_list.php b/htdocs/compta/cashcontrol/cashcontrol_list.php index ae2837a35cd..2adf3a01a83 100644 
--- a/htdocs/compta/cashcontrol/cashcontrol_list.php
+++ b/htdocs/compta/cashcontrol/cashcontrol_list.php
@@ -63,7 +63,7 @@ $id = GETPOST('id', 'int');
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
-$sortfield = GETPOST('sortfield', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
 $sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action
diff --git a/htdocs/compta/cashcontrol/report.php b/htdocs/compta/cashcontrol/report.php
index f2d8e38fb15..02299788794 100644
--- a/htdocs/compta/cashcontrol/report.php
+++ b/htdocs/compta/cashcontrol/report.php
@@ -297,8 +297,8 @@ if ($resql)
 /*
 $sql = "UPDATE ".MAIN_DB_PREFIX."pos_cash_fence ";
 $sql .= "SET";
- $sql .= " cash='".$cash."'";
- $sql .= ", card='".$bank."'";
+ $sql .= " cash='".$db->escape($cash)."'";
+ $sql .= ", card='".$db->escape($bank)."'";
 $sql .= " where rowid=".$id;
 $db->query($sql);
 */
diff --git a/htdocs/compta/clients.php b/htdocs/compta/clients.php
index 5632e8ebc1a..1b4e86bbb4c 100644
--- a/htdocs/compta/clients.php
+++ b/htdocs/compta/clients.php
@@ -66,7 +66,7 @@ $thirdpartystatic = new Societe($db);
 if ($action == 'note')
 {
- $sql = "UPDATE ".MAIN_DB_PREFIX."societe SET note='".$note."' WHERE rowid=".$socid;
+ $sql = "UPDATE ".MAIN_DB_PREFIX."societe SET note='".$db->escape($note)."' WHERE rowid=".$socid;
 $result = $db->query($sql);
 }
diff --git a/htdocs/compta/deplacement/class/deplacementstats.class.php b/htdocs/compta/deplacement/class/deplacementstats.class.php
index 6fdd54095a2..953ee78a3d6 100644
--- a/htdocs/compta/deplacement/class/deplacementstats.class.php
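Review bot: Both changed lines in the report.php hunk @@ -297 sit inside a `/* ... */` block, so the edit has no runtime effect, and the neighbouring `" where rowid=".$id` is dead code as well. Commented-out code should be deleted rather than maintained; if the block is kept for reference it needs no escaping changes, and if it is meant to come back it should return with `((int) $id)` too. The `if ($resql)` block continues outside the hunk.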
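Review bot: In the clients.php hunk @@ -66 the note text is now escaped, but `WHERE rowid=".$socid` on the same new line stays a raw concatenation outside quotes, where escape() would not help. Whether `$socid` is already forced to int before this point is not visible here; the cast this commit uses for ids elsewhere settles it: `$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET note='".$db->escape($note)."' WHERE rowid=".((int) $socid);`.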
+++ b/htdocs/compta/deplacement/class/deplacementstats.class.php
@@ -122,7 +122,7 @@ class DeplacementStats extends Stats
 {
 $sql = "SELECT date_format(dated,'%m') as dm, sum(".$this->field.")";
 $sql .= " FROM ".$this->from;
- $sql .= " WHERE date_format(dated,'%Y') = '".$year."'";
+ $sql .= " WHERE date_format(dated,'%Y') = '".$this->db->escape($year)."'";
 $sql .= " AND ".$this->where;
 $sql .= " GROUP BY dm";
 $sql .= $this->db->order('dm', 'DESC');
@@ -142,7 +142,7 @@ class DeplacementStats extends Stats
 {
 $sql = "SELECT date_format(dated,'%m') as dm, avg(".$this->field.")";
 $sql .= " FROM ".$this->from;
- $sql .= " WHERE date_format(dated,'%Y') = '".$year."'";
+ $sql .= " WHERE date_format(dated,'%Y') = '".$this->db->escape($year)."'";
 $sql .= " AND ".$this->where;
 $sql .= " GROUP BY dm";
 $sql .= $this->db->order('dm', 'DESC');
diff --git a/htdocs/compta/deplacement/document.php b/htdocs/compta/deplacement/document.php
index 98354e328f0..47b1709ff60 100644
--- a/htdocs/compta/deplacement/document.php
+++ b/htdocs/compta/deplacement/document.php
@@ -49,7 +49,7 @@ $result = restrictedArea($user, 'deplacement', $id, '');
 // Get parameters
 $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
-$sortfield = GETPOST('sortfield', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
 $sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
diff --git a/htdocs/compta/facture/card.php b/htdocs/compta/facture/card.php
index b19ee852db6..87a3a3c8be2 100644
--- a/htdocs/compta/facture/card.php
+++ b/htdocs/compta/facture/card.php
@@ -1664,7 +1664,7 @@ if (empty($reshook))
 $originidforcontact=$srcobject->origin_id;
 }
 $sqlcontact = "SELECT code, fk_socpeople FROM ".MAIN_DB_PREFIX."element_contact as ec, ".MAIN_DB_PREFIX."c_type_contact as ctc";
- $sqlcontact.= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$originforcontact."'";
+ $sqlcontact.= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$db->escape($originforcontact)."'";
 $resqlcontact = $db->query($sqlcontact);
 if ($resqlcontact)
diff --git a/htdocs/compta/facture/class/api_invoices.class.php b/htdocs/compta/facture/class/api_invoices.class.php
index 1828493d89f..cc1b7fe57ed 100644
--- a/htdocs/compta/facture/class/api_invoices.class.php
+++ b/htdocs/compta/facture/class/api_invoices.class.php
@@ -207,7 +207,7 @@ class Invoices extends DolibarrApi
 $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")";
 }
- $sql .= $db->order($sortfield, $sortorder);
+ $sql .= $this->db->order($sortfield, $sortorder);
 if ($limit) {
 if ($page < 0)
@@ -216,19 +216,19 @@ class Invoices extends DolibarrApi
 }
 $offset = $limit * $page;
- $sql .= $db->plimit($limit + 1, $offset);
+ $sql .= $this->db->plimit($limit + 1, $offset);
 }
- $result = $db->query($sql);
+ $result = $this->db->query($sql);
 if ($result)
 {
 $i = 0;
- $num = $db->num_rows($result);
+ $num = $this->db->num_rows($result);
 $min = min($num, ($limit <= 0 ? $num : $limit));
 while ($i < $min)
 {
- $obj = $db->fetch_object($result);
- $invoice_static = new Facture($db);
+ $obj = $this->db->fetch_object($result);
+ $invoice_static = new Facture($this->db);
 if ($invoice_static->fetch($obj->rowid))
 {
 // Get payment details
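Review bot: In the card.php hunk the `ctc.element` value is now escaped, but `" WHERE element_id = ".$originidforcontact."` on the same line stays unquoted and unguarded; it is assigned from `$srcobject->origin_id` two lines above and whether that is already an int cannot be seen here. `" WHERE element_id = ".((int) $originidforcontact)." AND ..."` closes the gap in the same idiom the commit uses for ids. The identical line is changed the same way in the facture.class.php hunk @@ -715 below and wants the same cast.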
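Review bot: In the api_invoices.class.php hunk @@ -216, `if ($invoice_static->fetch($obj->rowid))` treats any non-zero return as success; if `fetch()` follows the `< 0` on error convention seen in other hunk headers of this diff, a failed fetch returns a negative value, which is truthy, so the error case silently runs the payment-detail code. `if ($invoice_static->fetch($obj->rowid) > 0)` states the intent. The `$db` to `$this->db` replacements themselves are correct for method scope; the method continues outside the hunk.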
@@ -245,7 +245,7 @@ class Invoices extends DolibarrApi
 $i++;
 }
 } else {
- throw new RestException(503, 'Error when retrieve invoice list : '.$db->lasterror());
+ throw new RestException(503, 'Error when retrieve invoice list : '.$this->db->lasterror());
 }
 if (!count($obj_ret)) {
 throw new RestException(404, 'No invoice found');
diff --git a/htdocs/compta/facture/class/facture-rec.class.php b/htdocs/compta/facture/class/facture-rec.class.php
index c5e93bc41ad..67dd4e304ea 100644
--- a/htdocs/compta/facture/class/facture-rec.class.php
+++ b/htdocs/compta/facture/class/facture-rec.class.php
@@ -277,8 +277,8 @@ class FactureRec extends CommonInvoice
 $sql .= ", ".(!empty($this->note_public) ? ("'".$this->db->escape($this->note_public)."'") : "NULL");
 $sql .= ", ".(!empty($this->modelpdf) ? ("'".$this->db->escape($this->modelpdf)."'") : "NULL");
 $sql .= ", '".$this->db->escape($user->id)."'";
- $sql .= ", ".(!empty($facsrc->fk_project) ? "'".$facsrc->fk_project."'" : "null");
- $sql .= ", ".(!empty($facsrc->fk_account) ? "'".$facsrc->fk_account."'" : "null");
+ $sql .= ", ".(!empty($facsrc->fk_project) ? "'".$this->db->escape($facsrc->fk_project)."'" : "null");
+ $sql .= ", ".(!empty($facsrc->fk_account) ? "'".$this->db->escape($facsrc->fk_account)."'" : "null");
 $sql .= ", ".($facsrc->cond_reglement_id > 0 ? $this->db->escape($facsrc->cond_reglement_id) : "null");
 $sql .= ", ".($facsrc->mode_reglement_id > 0 ? $this->db->escape($facsrc->mode_reglement_id) : "null");
 $sql .= ", ".$this->usenewprice;
@@ -921,7 +921,7 @@ class FactureRec extends CommonInvoice
 $sql .= ", fk_unit";
 $sql .= ', fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc';
 $sql .= ") VALUES (";
- $sql .= "'".$facid."'";
+ $sql .= " ".((int) $facid);
 $sql .= ", ".(!empty($label) ? "'".$this->db->escape($label)."'" : "null");
 $sql .= ", '".$this->db->escape($desc)."'";
 $sql .= ", ".price2num($pu_ht);
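Review bot: The facture-rec.class.php hunks now write integer foreign keys two different ways: `fk_project`/`fk_account` in @@ -277 are quoted and passed through `$this->db->escape()`, while `$facid` in @@ -921 becomes a bare `((int) $facid)`. For ids the cast is the stricter and clearer form, so `$sql .= ", ".(!empty($facsrc->fk_project) ? ((int) $facsrc->fk_project) : "null");` here, and the same for `fk_account` and for `fk_product` in @@ -932 and @@ -1094 below. The leading space in `" ".((int) $facid)` at @@ -921 serves no purpose; `$sql .= (int) $facid;` reads cleaner. Both methods continue outside their hunks.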
@@ -932,7 +932,7 @@ class FactureRec extends CommonInvoice
 $sql .= ", '".$this->db->escape($localtaxes_type[0])."'";
 $sql .= ", ".price2num($txlocaltax2);
 $sql .= ", '".$this->db->escape($localtaxes_type[2])."'";
- $sql .= ", ".(!empty($fk_product) ? "'".$fk_product."'" : "null");
+ $sql .= ", ".(!empty($fk_product) ? "'".$this->db->escape($fk_product)."'" : "null");
 $sql .= ", ".$product_type;
 $sql .= ", ".price2num($remise_percent);
 $sql .= ", ".price2num($pu_ht);
@@ -1083,7 +1083,7 @@ class FactureRec extends CommonInvoice
 }
 $sql = "UPDATE ".MAIN_DB_PREFIX."facturedet_rec SET ";
- $sql .= "fk_facture = '".$facid."'";
+ $sql .= "fk_facture = ".((int) $facid);
 $sql .= ", label=".(!empty($label) ? "'".$this->db->escape($label)."'" : "null");
 $sql .= ", description='".$this->db->escape($desc)."'";
 $sql .= ", price=".price2num($pu_ht);
@@ -1094,7 +1094,7 @@ class FactureRec extends CommonInvoice
 $sql .= ", localtax1_type='".$this->db->escape($localtaxes_type[0])."'";
 $sql .= ", localtax2_tx=".$txlocaltax2;
 $sql .= ", localtax2_type='".$this->db->escape($localtaxes_type[2])."'";
- $sql .= ", fk_product=".(!empty($fk_product) ? "'".$fk_product."'" : "null");
+ $sql .= ", fk_product=".(!empty($fk_product) ? "'".$this->db->escape($fk_product)."'" : "null");
 $sql .= ", product_type=".$product_type;
 $sql .= ", remise_percent='".price2num($remise_percent)."'";
 $sql .= ", subprice='".price2num($pu_ht)."'";
@@ -1194,13 +1194,13 @@ class FactureRec extends CommonInvoice
 $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.'facture_rec';
 $sql .= ' WHERE frequency > 0'; // A recurring invoice is an invoice with a frequency
- $sql .= " AND (date_when IS NULL OR date_when <= '".$db->idate($today)."')";
+ $sql .= " AND (date_when IS NULL OR date_when <= '".$this->db->idate($today)."')";
 $sql .= ' AND (nb_gen_done < nb_gen_max OR nb_gen_max = 0)';
 $sql .= ' AND suspended = 0';
 $sql .= ' AND entity = '.$conf->entity; // MUST STAY = $conf->entity here
 if ($restrictioninvoiceid > 0) $sql .= ' AND rowid = '.$restrictioninvoiceid;
- $sql .= $db->order('entity', 'ASC');
+ $sql .= $this->db->order('entity', 'ASC');
 //print $sql;exit;
 $parameters = array(
 'restrictioninvoiceid' => $restrictioninvoiceid,
@@ -1208,11 +1208,11 @@ class FactureRec extends CommonInvoice
 );
 $reshook = $hookmanager->executeHooks('beforeCreationOfRecurringInvoices', $parameters, $sql); // note that $sql might be modified by hooks
- $resql = $db->query($sql);
+ $resql = $this->db->query($sql);
 if ($resql)
 {
 $i = 0;
- $num = $db->num_rows($resql);
+ $num = $this->db->num_rows($resql);
 if ($num) $this->output .= $langs->trans("FoundXQualifiedRecurringInvoiceTemplate", $num)."\n";
@@ -1222,14 +1222,14 @@ class FactureRec extends CommonInvoice
 while ($i < $num) // Loop on each template invoice. If $num = 0, test is false at first pass.
 {
- $line = $db->fetch_object($resql);
+ $line = $this->db->fetch_object($resql);
- $db->begin();
+ $this->db->begin();
 $invoiceidgenerated = 0;
 $facture = null;
- $facturerec = new FactureRec($db);
+ $facturerec = new FactureRec($this->db);
 $facturerec->fetch($line->rowid);
 if ($facturerec->id > 0)
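Review bot: `if ($restrictioninvoiceid > 0) $sql .= ' AND rowid = '.$restrictioninvoiceid;` on the context line relies on the `> 0` test alone, which on PHP 7 a string with a numeric prefix also passes while being concatenated unchanged; `' AND rowid = '.((int) $restrictioninvoiceid)` makes the intent explicit and matches the `(int)` casts this commit adds in the same file. Whether the parameter is already typed at the method signature cannot be seen here; the method continues outside the hunk.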
@@ -1239,7 +1239,7 @@ class FactureRec extends CommonInvoice
 dol_syslog("createRecurringInvoices Process invoice template id=".$facturerec->id.", ref=".$facturerec->ref.", entity=".$facturerec->entity);
- $facture = new Facture($db);
+ $facture = new Facture($this->db);
 $facture->fac_rec = $facturerec->id; // We will create $facture from this recurring invoice
 $facture->fk_fac_rec_source = $facturerec->id; // We will create $facture from this recurring invoice
@@ -1286,12 +1286,12 @@ class FactureRec extends CommonInvoice
 if (!$error && $invoiceidgenerated >= 0)
 {
- $db->commit("createRecurringInvoices Process invoice template id=".$facturerec->id.", ref=".$facturerec->ref);
+ $this->db->commit("createRecurringInvoices Process invoice template id=".$facturerec->id.", ref=".$facturerec->ref);
 dol_syslog("createRecurringInvoices Process invoice template ".$facturerec->ref." is finished with a success generation");
 $nb_create++;
 $this->output .= $langs->trans("InvoiceGeneratedFromTemplate", $facture->ref, $facturerec->ref)."\n";
 } else {
- $db->rollback("createRecurringInvoices Process invoice template id=".$facturerec->id.", ref=".$facturerec->ref);
+ $this->db->rollback("createRecurringInvoices Process invoice template id=".$facturerec->id.", ref=".$facturerec->ref);
 }
 $parameters = array(
@@ -1308,7 +1308,7 @@ class FactureRec extends CommonInvoice
 }
 $conf->entity = $saventity; // Restore entity context
- } else dol_print_error($db);
+ } else dol_print_error($this->db);
 $this->output = trim($this->output);
diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php
index be0888e4c79..4110e5ad26d 100644
--- a/htdocs/compta/facture/class/facture.class.php
+++ b/htdocs/compta/facture/class/facture.class.php
@@ -612,7 +612,7 @@ class Facture extends CommonInvoice
 $sql .= ", ".setEntity($this);
 $sql .= ", ".($this->ref_ext ? "'".$this->db->escape($this->ref_ext)."'" : "null");
 $sql .= ", '".$this->db->escape($this->type)."'";
- $sql .= ", '".$socid."'";
+ $sql .= ", ".((int) $socid);
 $sql .= ", '".$this->db->idate($now)."'";
 $sql .= ", ".($this->remise_absolue > 0 ? $this->remise_absolue : 'NULL');
 $sql .= ", ".($this->remise_percent > 0 ? $this->remise_percent : 'NULL');
@@ -627,7 +627,7 @@ class Facture extends CommonInvoice
 $sql .= ", ".($this->pos_source != '' ? "'".$this->db->escape($this->pos_source)."'" : "null");
 $sql .= ", ".($this->fk_fac_rec_source ? "'".$this->db->escape($this->fk_fac_rec_source)."'" : "null");
 $sql .= ", ".($this->fk_facture_source ? "'".$this->db->escape($this->fk_facture_source)."'" : "null");
- $sql .= ", ".($user->id > 0 ? "'".$user->id."'" : "null");
+ $sql .= ", ".($user->id > 0 ? (int) $user->id : "null");
 $sql .= ", ".($this->fk_project ? $this->fk_project : "null");
 $sql .= ", ".$this->cond_reglement_id;
 $sql .= ", ".$this->mode_reglement_id;
@@ -715,7 +715,7 @@ class Facture extends CommonInvoice
 }
 $sqlcontact = "SELECT ctc.code, ctc.source, ec.fk_socpeople FROM ".MAIN_DB_PREFIX."element_contact as ec, ".MAIN_DB_PREFIX."c_type_contact as ctc";
- $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$originforcontact."'";
+ $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$this->db->escape($originforcontact)."'";
 $resqlcontact = $this->db->query($sqlcontact);
 if ($resqlcontact)
diff --git a/htdocs/compta/facture/list.php b/htdocs/compta/facture/list.php
index 9594acd8a56..4a856539196 100644
--- a/htdocs/compta/facture/list.php
+++ b/htdocs/compta/facture/list.php
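Review bot: In @@ -627 `$user->id` is now cast, but the very next context line `($this->fk_project ? $this->fk_project : "null")` and the `$this->cond_reglement_id` / `$this->mode_reglement_id` lines below it still interpolate object properties raw into the same INSERT; how those properties are populated (often from request data by the caller) is not visible here. `", ".($this->fk_project ? ((int) $this->fk_project) : "null")`, `", ".((int) $this->cond_reglement_id)` and `", ".((int) $this->mode_reglement_id)` complete the hardening in the idiom this hunk introduces. `$this->remise_absolue`/`remise_percent` in @@ -612 are in the same position but are amounts, so a numeric check (price2num is used for that elsewhere in this diff) fits better than an int cast. The `create()` body continues outside the hunks.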
@@ -478,15 +478,15 @@ if ($filtre)
 }
 if ($search_ref) $sql .= natural_search('f.ref', $search_ref);
 if ($search_refcustomer) $sql .= natural_search('f.ref_client', $search_refcustomer);
-if ($search_type != '' && $search_type != '-1') $sql .= " AND f.type IN (".$db->escape($search_type).")";
+if ($search_type != '' && $search_type != '-1') $sql .= " AND f.type IN (".$db->sanitize($db->escape($search_type)).")";
 if ($search_project_ref) $sql .= natural_search('p.ref', $search_project_ref);
 if ($search_project) $sql .= natural_search('p.title', $search_project);
 if ($search_societe) $sql .= natural_search('s.nom', $search_societe);
 if ($search_town) $sql .= natural_search('s.town', $search_town);
 if ($search_zip) $sql .= natural_search("s.zip", $search_zip);
 if ($search_state) $sql .= natural_search("state.nom", $search_state);
-if ($search_country) $sql .= " AND s.fk_pays IN (".$db->escape($search_country).')';
-if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->escape($search_type_thirdparty).')';
+if ($search_country) $sql .= " AND s.fk_pays IN (".$db->sanitize($db->escape($search_country)).')';
+if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->sanitize($db->escape($search_type_thirdparty)).')';
 if ($search_company) $sql .= natural_search('s.nom', $search_company);
 if ($search_montant_ht != '') $sql .= natural_search('f.total', $search_montant_ht, 1);
 if ($search_montant_vat != '') $sql .= natural_search('f.tva', $search_montant_vat, 1);
@@ -510,7 +510,7 @@ if ($search_status != '-1' && $search_status != '') if ($search_status == '2') $sql .= " AND f.fk_statut = 2"; // payed Not that some corrupted data may contains f.fk_statut = 1 AND f.paye = 1 (it means payed too but should not happend. If yes, reopen and reclassify billed) if ($search_status == '3') $sql .= " AND f.fk_statut = 3"; // abandonned } else { - $sql .= " AND f.fk_statut IN (".$db->escape($search_status).")"; // When search_status is '1,2' for example + $sql .= " AND f.fk_statut IN (".$db->sanitize($db->escape($search_status)).")"; // When search_status is '1,2' for example } } @@ -807,12 +807,10 @@ if ($resql) { print ''; } @@ -821,12 +819,10 @@ if ($resql) { print ''; } diff --git a/htdocs/compta/facture/stats/index.php b/htdocs/compta/facture/stats/index.php index 82ba8a33467..81466651856 100644 --- a/htdocs/compta/facture/stats/index.php +++ b/htdocs/compta/facture/stats/index.php @@ -94,7 +94,7 @@ dol_mkdir($dir); $stats = new FactureStats($db, $socid, $mode, ($userid > 0 ? $userid : 0), ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0)); if ($mode == 'customer') { - if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$db->escape($object_status).')'; + if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; if (is_array($custcats) && !empty($custcats)) { $stats->from .= ' LEFT JOIN '.MAIN_DB_PREFIX.'categorie_societe as cat ON (f.fk_soc = cat.fk_soc)'; $stats->where .= ' AND cat.fk_categorie IN ('.implode(',', $custcats).')'; @@ -102,7 +102,7 @@ if ($mode == 'customer') } if ($mode == 'supplier') { - if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$db->escape($object_status).')'; + if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; } // Build graphic number of object 
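Review bot: In the stats/index.php hunk @@ -94 the status filter is now sanitized, but two lines below `' AND cat.fk_categorie IN ('.implode(',', $custcats).')'` still joins the array elements raw; `is_array($custcats)` proves the shape, not that each element is numeric. If `$custcats` originates from a request parameter (not visible here), `implode(',', array_map('intval', $custcats))` gives the id list the guard it needs. The @@ -510 hunk of facture/list.php and @@ -102 here apply the same `sanitize()` wrapping as @@ -478 and need nothing further.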
diff --git a/htdocs/compta/index.php b/htdocs/compta/index.php
index 6adff20725c..8c144f6bd71 100644
--- a/htdocs/compta/index.php
+++ b/htdocs/compta/index.php
@@ -60,7 +60,7 @@ if ($user->socid > 0)
 $socid = $user->socid;
 }
-$max = 3;
+$max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT;
 // Initialize technical object to manage hooks. Note that conf->hooks_modules contains array
 $hookmanager->initHooks(array('invoiceindex'));
@@ -370,6 +370,7 @@ if (!empty($conf->facture->enabled) && $user->rights->facture->lire)
 {
 $num = $db->num_rows($resql);
 $i = 0;
+ $othernb = 0;
 print '
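Review bot: `$max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT;` has no fallback, so on an installation where that constant is not set `$max` is null and every `if ($i >= $max)` guard added further down in this file is true from the first row (`0 >= null` compares as true in PHP), emptying each short list into the "More" row. Keep the previous value as the default, in the same form this file already uses for `MAIN_SHOW_HT_ON_SUMMARY`: `$max = !empty($conf->global->MAIN_SIZE_SHORTLIST_LIMIT) ? $conf->global->MAIN_SIZE_SHORTLIST_LIMIT : 3;`.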
'; print '
'; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_datep_start ? $search_datep_start : -1, 'search_date_start', 0, 0, 1); + print $form->selectDate($search_datep_start ? $search_datep_start : -1, 'search_date_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_datep_end ? $search_datep_end : -1, 'search_date_end', 0, 0, 1); + print $form->selectDate($search_datep_end ? $search_datep_end : -1, 'search_date_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')); print '
'; print '
'; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_datev_start ? $search_datev_start : -1, 'search_date_value_start', 0, 0, 1); + print $form->selectDate($search_datev_start ? $search_datev_start : -1, 'search_date_value_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_datev_end ? $search_datev_end : -1, 'search_date_value_end', 0, 0, 1); + print $form->selectDate($search_datev_end ? $search_datev_end : -1, 'search_date_value_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')); print '
'; print '
'; - $form->select_types_paiements($typeid, 'typeid', '', 0, 1, 1, 16); + $form->select_types_paiements($typeid, 'typeid', '', 0, 1, 1, 16, 1, 'maxwidth100'); print ''; - $form->select_comptes($search_bank_account, 'search_account', 0, '', 1); + $form->select_comptes($search_bank_account, 'search_account', 0, '', 1, '', 0, 'maxwidth100'); print ''; - print ''; + print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''.$proj->getNomUrl(1).''.$proj->getNomUrl(1).''; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_date_start ? $search_date_start : -1, 'search_date_start', 0, 0, 1); + print $form->selectDate($search_date_start ? $search_date_start : -1, 'search_date_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_date_end ? $search_date_end : -1, 'search_date_end', 0, 0, 1); + print $form->selectDate($search_date_end ? $search_date_end : -1, 'search_date_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')); print '
'; print '
'; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_date_valid_start ? $search_date_valid_start : -1, 'search_date_valid_start', 0, 0, 1); + print $form->selectDate($search_date_valid_start ? $search_date_valid_start : -1, 'search_date_valid_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_date_valid_end ? $search_date_valid_end : -1, 'search_date_valid_end', 0, 0, 1); + print $form->selectDate($search_date_valid_end ? $search_date_valid_end : -1, 'search_date_valid_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')); print '
'; print '
'; @@ -386,6 +387,14 @@ if (!empty($conf->facture->enabled) && $user->rights->facture->lire) { $obj = $db->fetch_object($resql); + if ($i >= $max) { + $othernb += 1; + $i++; + $total += $obj->total_ht; + $total_ttc += $obj->total_ttc; + continue; + } + $facturestatic->ref = $obj->ref; $facturestatic->id = $obj->rowid; $facturestatic->total_ht = $obj->total_ht; @@ -442,6 +451,14 @@ if (!empty($conf->facture->enabled) && $user->rights->facture->lire) $i++; } + + if ($othernb) { + print ''; + print ''; + print "\n"; + } } else { $colspan = 5; if (!empty($conf->global->MAIN_SHOW_HT_ON_SUMMARY)) $colspan++; @@ -501,10 +518,20 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU { $i = 0; $total = $total_ttc = $totalam = 0; + $othernb = 0; + while ($i < $num) { $obj = $db->fetch_object($resql); + if ($i >= $max) { + $othernb += 1; + $i++; + $total += $obj->total_ht; + $total_ttc += $obj->total_ttc; + continue; + } + $facstatic->ref = $obj->ref; $facstatic->id = $obj->rowid; $facstatic->total_ht = $obj->total_ht; @@ -539,6 +566,14 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU $totalam += $obj->am; $i++; } + + if ($othernb) { + print ''; + print ''; + print "\n"; + } } else { $colspan = 5; if (!empty($conf->global->MAIN_SHOW_HT_ON_SUMMARY)) $colspan++; @@ -574,10 +609,10 @@ if (!empty($conf->don->enabled) && $user->rights->don->lire) $result = $db->query($sql); if ($result) { - $var = false; $num = $db->num_rows($result); $i = 0; + $othernb = 0; print '
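Review bot: In the supplier-invoice loop the skip branch added at @@ -501 accumulates `$total` and `$total_ttc` for rows beyond `$max` but not `$totalam`, which the displayed path still adds (`$totalam += $obj->am;` in the @@ -539 context). If the paid and remaining figures printed after the loop are derived from these three, totals would cover all rows while the paid amount covers only the displayed ones; adding `$totalam += $obj->am;` inside the new `if ($i >= $max)` block keeps them consistent. As far as the hunk shows, the customer-invoice block at @@ -386 tracks no third accumulator and is unaffected. Both loops start and end outside the hunks.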
'; print '
'; + print ''.$langs->trans("More").'... ('.$othernb.')'; + print '
'; + print ''.$langs->trans("More").'... ('.$othernb.')'; + print '
'; @@ -596,6 +631,14 @@ if (!empty($conf->don->enabled) && $user->rights->don->lire) { $objp = $db->fetch_object($result); + if ($i >= $max) { + $othernb += 1; + $i++; + $total += $obj->total_ht; + $total_ttc += $obj->total_ttc; + continue; + } + $donationstatic->id = $objp->rowid; $donationstatic->ref = $objp->rowid; $donationstatic->lastname = $objp->lastname; @@ -614,6 +657,14 @@ if (!empty($conf->don->enabled) && $user->rights->don->lire) $i++; } + + if ($othernb) { + print ''; + print ''; + print "\n"; + } } else { print ''; } @@ -663,10 +714,20 @@ if (!empty($conf->tax->enabled) && $user->rights->tax->charges->lire) { $i = 0; $tot_ttc = 0; + $othernb = 0; + while ($i < $num) { $obj = $db->fetch_object($resql); + if ($i >= $max) { + $othernb += 1; + $i++; + $total += $obj->total_ht; + $total_ttc += $obj->total_ttc; + continue; + } + $chargestatic->id = $obj->rowid; $chargestatic->ref = $obj->rowid; $chargestatic->label = $obj->label; @@ -684,6 +745,14 @@ if (!empty($conf->tax->enabled) && $user->rights->tax->charges->lire) $i++; } + if ($othernb) { + print ''; + print ''; + print "\n"; + } + print ''; print ''; print ''; @@ -740,6 +809,7 @@ if (!empty($conf->facture->enabled) && !empty($conf->commande->enabled) && $user if ($num) { $i = 0; + $othernb = 0; print '
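Review bot: In the donations loop at @@ -596 the new skip branch reads `$obj->total_ht` and `$obj->total_ttc`, but the row fetched on the line above is `$objp` (`$objp = $db->fetch_object($result);`), so `$obj` is whatever an earlier section left behind, or undefined, and the totals for skipped donations are wrong; the block should read `$total += $objp->total_ht;` and `$total_ttc += $objp->total_ttc;`, and whether the donation query even selects those columns is not visible here and should be checked. The tax loop at @@ -663 shows the same copy-paste: its skip branch adds to `$total`/`$total_ttc` while that section's own accumulator is `$tot_ttc`, so the skipped rows never reach the displayed total. Both loops start and end outside the hunks.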
'; print '
'; + print ''.$langs->trans("More").'... ('.$othernb.')'; + print '
'.$langs->trans("None").'
'; + print ''.$langs->trans("More").'... ('.$othernb.')'; + print '
'.$langs->trans("Total").''.price($tot_ttc).'
'; @@ -764,6 +834,14 @@ if (!empty($conf->facture->enabled) && !empty($conf->commande->enabled) && $user { $obj = $db->fetch_object($resql); + if ($i >= $max) { + $othernb += 1; + $i++; + $total += $obj->total_ht; + $total_ttc += $obj->total_ttc; + continue; + } + $societestatic->id = $obj->socid; $societestatic->name = $obj->name; $societestatic->email = $obj->email; @@ -812,6 +890,14 @@ if (!empty($conf->facture->enabled) && !empty($conf->commande->enabled) && $user $i++; } + if ($othernb) { + print ''; + print ''; + print "\n"; + } + print ''; if (!empty($conf->global->MAIN_SHOW_HT_ON_SUMMARY)) print ''; print ''; @@ -861,6 +947,7 @@ if (!empty($conf->facture->enabled) && $user->rights->facture->lire) { $num = $db->num_rows($resql); $i = 0; + $othernb = 0; print '
'; print '
'; + print ''.$langs->trans("More").'... ('.$othernb.')'; + print '
'.$langs->trans("Total").'   ('.$langs->trans("RemainderToBill").': '.price($tot_tobill).') '.price($tot_ht).''.price($tot_ttc).'
'; @@ -887,6 +974,14 @@ if (!empty($conf->facture->enabled) && $user->rights->facture->lire) { $obj = $db->fetch_object($resql); + if ($i >= $max) { + $othernb += 1; + $i++; + $total += $obj->total_ht; + $total_ttc += $obj->total_ttc; + continue; + } + $facturestatic->ref = $obj->ref; $facturestatic->id = $obj->rowid; $facturestatic->total_ht = $obj->total_ht; @@ -934,7 +1029,7 @@ if (!empty($conf->facture->enabled) && $user->rights->facture->lire) if (!empty($conf->global->MAIN_SHOW_HT_ON_SUMMARY)) print ''; print ''; print ''; - print ''; + print ''; print ''; $total_ttc += $obj->total_ttc; @@ -944,6 +1039,14 @@ if (!empty($conf->facture->enabled) && $user->rights->facture->lire) $i++; } + if ($othernb) { + print ''; + print ''; + print "\n"; + } + print ''; print ''; if (!empty($conf->global->MAIN_SHOW_HT_ON_SUMMARY)) print ''; @@ -970,7 +1073,7 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU { $facstatic = new FactureFournisseur($db); - $sql = "SELECT ff.rowid, ff.ref, ff.fk_statut, ff.libelle as label, ff.total_ht, ff.total_tva, ff.total_ttc, ff.paye"; + $sql = "SELECT ff.rowid, ff.ref, ff.fk_statut, ff.type, ff.libelle as label, ff.total_ht, ff.total_tva, ff.total_ttc, ff.paye"; $sql .= ", ff.date_lim_reglement"; $sql .= ", s.nom as name"; $sql .= ", s.rowid as socid, s.email"; 
@@ -991,7 +1094,7 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU $reshook = $hookmanager->executeHooks('printFieldListWhereSupplierUnpaid', $parameters); $sql .= $hookmanager->resPrint; - $sql .= " GROUP BY ff.rowid, ff.ref, ff.fk_statut, ff.libelle, ff.total_ht, ff.tva, ff.total_tva, ff.total_ttc, ff.paye, ff.date_lim_reglement,"; + $sql .= " GROUP BY ff.rowid, ff.ref, ff.fk_statut, ff.type, ff.libelle, ff.total_ht, ff.tva, ff.total_tva, ff.total_ttc, ff.paye, ff.date_lim_reglement,"; $sql .= " s.nom, s.rowid, s.email, s.code_client, s.code_fournisseur, s.code_compta, s.code_compta_fournisseur"; $sql .= " ORDER BY ff.date_lim_reglement ASC"; @@ -999,6 +1102,7 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU if ($resql) { $num = $db->num_rows($resql); + $othernb = 0; print '
'; print '
'.price($obj->total_ht).''.price($obj->total_ttc).''.price($obj->am).''.$facstatic->LibStatut($obj->paye, $obj->fk_statut, 3, $obj->am).''.$facstatic->LibStatut($obj->paye, $obj->fk_statut, 3, $obj->am, $obj->type).'
'; + print ''.$langs->trans("More").'... ('.$othernb.')'; + print '
'.$langs->trans("Total").'   ('.$langs->trans("RemainderToTake").': '.price($total_ttc - $totalam).')  '.price($total).'
'; @@ -1028,8 +1132,17 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU { $obj = $db->fetch_object($resql); + if ($i >= $max) { + $othernb += 1; + $i++; + $total += $obj->total_ht; + $total_ttc += $obj->total_ttc; + continue; + } + $facstatic->ref = $obj->ref; $facstatic->id = $obj->rowid; + $facstatic->type = $obj->type; $facstatic->total_ht = $obj->total_ht; $facstatic->total_tva = $obj->total_tva; $facstatic->total_ttc = $obj->total_ttc; @@ -1052,7 +1165,7 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU if (!empty($conf->global->MAIN_SHOW_HT_ON_SUMMARY)) print ''; print ''; print ''; - print ''; + print ''; print ''; $total += $obj->total_ht; $total_ttc += $obj->total_ttc; @@ -1060,6 +1173,14 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU $i++; } + if ($othernb) { + print ''; + print ''; + print "\n"; + } + print ''; print ''; if (!empty($conf->global->MAIN_SHOW_HT_ON_SUMMARY)) print ''; diff --git a/htdocs/compta/journal/purchasesjournal.php b/htdocs/compta/journal/purchasesjournal.php index 78ef32072d6..d754760dd57 100644 --- a/htdocs/compta/journal/purchasesjournal.php +++ b/htdocs/compta/journal/purchasesjournal.php 
@@ -106,7 +106,7 @@ $sql .= " s.rowid as socid, s.nom as name, s.code_compta_fournisseur,"; $sql .= " p.rowid as pid, p.ref as ref, p.accountancy_code_buy,"; $sql .= " ct.accountancy_code_buy as account_tva, ct.recuperableonly"; $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn_det as fd"; -$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_tva as ct ON fd.tva_tx = ct.taux AND fd.info_bits = ct.recuperableonly AND ct.fk_pays = '".$idpays."'"; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_tva as ct ON fd.tva_tx = ct.taux AND fd.info_bits = ct.recuperableonly AND ct.fk_pays = ".((int) $idpays); $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = fd.fk_product"; $sql .= " JOIN ".MAIN_DB_PREFIX."facture_fourn as f ON f.rowid = fd.fk_facture_fourn"; $sql .= " JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc"; diff --git a/htdocs/compta/journal/sellsjournal.php b/htdocs/compta/journal/sellsjournal.php index bd44f6c47cc..62e8c77a133 100644 --- a/htdocs/compta/journal/sellsjournal.php +++ b/htdocs/compta/journal/sellsjournal.php @@ -109,7 +109,7 @@ $sql .= " FROM ".MAIN_DB_PREFIX."facturedet as fd"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = fd.fk_product"; $sql .= " JOIN ".MAIN_DB_PREFIX."facture as f ON f.rowid = fd.fk_facture"; $sql .= " JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc"; -$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_tva ct ON fd.tva_tx = ct.taux AND fd.info_bits = ct.recuperableonly AND ct.fk_pays = '".$idpays."'"; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_tva ct ON fd.tva_tx = ct.taux AND fd.info_bits = ct.recuperableonly AND ct.fk_pays = ".((int) $idpays); $sql .= " WHERE f.entity IN (".getEntity('invoice').")"; $sql .= " AND f.fk_statut > 0"; if (!empty($conf->global->FACTURE_DEPOSITS_ARE_JUST_PAYMENTS)) { diff --git a/htdocs/compta/paiement.php b/htdocs/compta/paiement.php index 2dea1b245f4..9d86cff65dd 100644 --- a/htdocs/compta/paiement.php +++ b/htdocs/compta/paiement.php 
@@ -47,7 +47,7 @@ $accountid = GETPOST('accountid', 'int'); $paymentnum = GETPOST('num_paiement', 'alpha'); $socid = GETPOST('socid', 'int'); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'alpha'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); diff --git a/htdocs/compta/paiement/cheque/card.php b/htdocs/compta/paiement/cheque/card.php index 1691fe3ecfc..2f9182f1693 100644 --- a/htdocs/compta/paiement/cheque/card.php +++ b/htdocs/compta/paiement/cheque/card.php @@ -46,7 +46,7 @@ $fieldname = (!empty($ref) ? 'ref' : 'rowid'); if ($user->socid) $socid = $user->socid; $result = restrictedArea($user, 'cheque', $id, 'bordereau_cheque', '', 'fk_user_author', $fieldname); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (!$sortorder) $sortorder = "ASC"; @@ -57,7 +57,7 @@ $offset = $limit * $page; $dir = $conf->bank->dir_output.'/checkdeposits/'; $filterdate = dol_mktime(0, 0, 0, GETPOST('fdmonth'), GETPOST('fdday'), GETPOST('fdyear')); -$filteraccountid = GETPOST('accountid'); +$filteraccountid = GETPOST('accountid', 'int'); $object = new RemiseCheque($db); @@ -152,10 +152,10 @@ if ($action == 'create' && $_POST["accountid"] > 0 && $user->rights->banque->che } } -if ($action == 'remove' && $id > 0 && $_GET["lineid"] > 0 && $user->rights->banque->cheque) +if ($action == 'remove' && $id > 0 && GETPOST("lineid", 'int') > 0 && $user->rights->banque->cheque) { $object->id = $id; - $result = $object->removeCheck($_GET["lineid"]); + $result = $object->removeCheck(GETPOST("lineid", "int")); if ($result === 0) { header("Location: ".$_SERVER["PHP_SELF"]."?id=".$object->id); 
@@ -206,7 +206,7 @@ if ($action == 'confirm_valide' && $confirm == 'yes' && $user->rights->banque->c if ($action == 'confirm_reject_check' && $confirm == 'yes' && $user->rights->banque->cheque) { $reject_date = dol_mktime(0, 0, 0, GETPOST('rejectdate_month'), GETPOST('rejectdate_day'), GETPOST('rejectdate_year')); - $rejected_check = GETPOST('bankid'); + $rejected_check = GETPOST('bankid', 'int'); $object->fetch($id); $paiement_id = $object->rejectCheck($rejected_check, $reject_date); @@ -394,7 +394,7 @@ if ($action == 'new') $sql .= " AND b.fk_bordereau = 0"; $sql .= " AND b.amount > 0"; if ($filterdate) $sql .= " AND b.dateo = '".$db->idate($filterdate)."'"; - if ($filteraccountid > 0) $sql .= " AND ba.rowid= '".$filteraccountid."'"; + if ($filteraccountid > 0) $sql .= " AND ba.rowid = ".((int) $filteraccountid); $sql .= $db->order("b.dateo,b.rowid", "ASC"); $resql = $db->query($sql); diff --git a/htdocs/compta/paiement/cheque/class/remisecheque.class.php b/htdocs/compta/paiement/cheque/class/remisecheque.class.php index 48c58dc7219..00815c90f7d 100644 --- a/htdocs/compta/paiement/cheque/class/remisecheque.class.php +++ b/htdocs/compta/paiement/cheque/class/remisecheque.class.php @@ -211,7 +211,7 @@ class RemiseCheque extends CommonObject $sql .= " WHERE b.fk_type = 'CHQ'"; $sql .= " AND b.amount > 0"; $sql .= " AND b.fk_bordereau = 0"; - $sql .= " AND b.fk_account='".$account_id."'"; + $sql .= " AND b.fk_account = ".((int) $account_id); if ($limit) $sql .= $this->db->plimit($limit); dol_syslog("RemiseCheque::Create", LOG_DEBUG); @@ -358,7 +358,7 @@ class RemiseCheque extends CommonObject if ($this->errno == 0 && $numref) { $sql = "UPDATE ".MAIN_DB_PREFIX."bordereau_cheque"; - $sql .= " SET statut = 1, ref = '".$numref."'"; + $sql .= " SET statut = 1, ref = '".$this->db->escape($numref)."'"; $sql .= " WHERE rowid = ".$this->id; $sql .= " AND entity = ".$conf->entity; $sql .= " AND statut = 0"; 
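Review bot: The -358 hunk in remisecheque.class.php now escapes `$numref` but leaves the two following context lines raw, `$sql .= " WHERE rowid = ".$this->id;` and `$sql .= " AND entity = ".$conf->entity;`, while the -722 hunk in the same file casts `$this->id`. For consistency they should read `$sql .= " WHERE rowid = ".((int) $this->id);` and `$sql .= " AND entity = ".((int) $conf->entity);`; the same applies to `pf.fk_paiement = '.$payment->id` in the -774 hunk and `url_id = ".$this->id` in the paiement.class.php -800 hunk. The enclosing methods start outside these hunks.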
@@ -662,6 +662,7 @@ class RemiseCheque extends CommonObject global $conf; $this->errno = 0; + $this->db->begin(); $total = 0; $nb = 0; @@ -681,8 +682,8 @@ class RemiseCheque extends CommonObject $this->db->free($resql); $sql = "UPDATE ".MAIN_DB_PREFIX."bordereau_cheque"; - $sql .= " SET amount = '".price2num($total)."'"; - $sql .= ", nbcheque = ".$nb; + $sql .= " SET amount = ".price2num($total); + $sql .= ", nbcheque = ".((int) $nb); $sql .= " WHERE rowid = ".$this->id; $sql .= " AND entity = ".$conf->entity; @@ -722,8 +723,8 @@ class RemiseCheque extends CommonObject { $sql = "UPDATE ".MAIN_DB_PREFIX."bank"; $sql .= " SET fk_bordereau = 0"; - $sql .= " WHERE rowid = '".$account_id."'"; - $sql .= " AND fk_bordereau = ".$this->id; + $sql .= " WHERE rowid = ".((int) $account_id); + $sql .= " AND fk_bordereau = ".((int) $this->id); $resql = $this->db->query($sql); if ($resql) @@ -774,18 +775,18 @@ class RemiseCheque extends CommonObject $sql .= ' FROM '.MAIN_DB_PREFIX.'paiement_facture as pf'; $sql .= ' WHERE pf.fk_paiement = '.$payment->id; - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - $rejectedPayment = new Paiement($db); + $rejectedPayment = new Paiement($this->db); $rejectedPayment->amounts = array(); $rejectedPayment->datepaye = $rejection_date; $rejectedPayment->paiementid = dol_getIdFromCode($this->db, 'CHQ', 'c_paiement', 'code', 'id', 1); $rejectedPayment->num_payment = $payment->num_payment; - while ($obj = $db->fetch_object($resql)) + while ($obj = $this->db->fetch_object($resql)) { - $invoice = new Facture($db); + $invoice = new Facture($this->db); $invoice->fetch($obj->fk_facture); $invoice->set_unpaid($user); diff --git a/htdocs/compta/paiement/class/paiement.class.php b/htdocs/compta/paiement/class/paiement.class.php index f2dc613175f..5cb16bdcbe3 100644 --- a/htdocs/compta/paiement/class/paiement.class.php +++ b/htdocs/compta/paiement/class/paiement.class.php 
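Review bot: `$this->db->begin();` is added at the top of this method, but the hunk shows no matching `commit()` or `rollback()`; unless the remainder of the method (outside this hunk) already pairs every return path with one, the transaction stays open and later statements on the same connection run inside it. Each exit should end with `$this->db->commit();` on success and `$this->db->rollback();` on error. The method body continues past the hunk.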
@@ -800,7 +800,7 @@ class Paiement extends CommonObject $sql = "UPDATE ".MAIN_DB_PREFIX.'bank'; $sql .= " SET dateo = '".$this->db->idate($date)."', datev = '".$this->db->idate($date)."'"; - $sql .= " WHERE rowid IN (SELECT fk_bank FROM ".MAIN_DB_PREFIX."bank_url WHERE type = '".$type."' AND url_id = ".$this->id.")"; + $sql .= " WHERE rowid IN (SELECT fk_bank FROM ".MAIN_DB_PREFIX."bank_url WHERE type = '".$this->db->escape($type)."' AND url_id = ".$this->id.")"; $sql .= " AND rappro = 0"; $result = $this->db->query($sql); diff --git a/htdocs/compta/paiement/tovalidate.php b/htdocs/compta/paiement/tovalidate.php index df0b92b5f44..00e9a0c4074 100644 --- a/htdocs/compta/paiement/tovalidate.php +++ b/htdocs/compta/paiement/tovalidate.php @@ -40,7 +40,7 @@ if ($user->socid > 0) $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/compta/prelevement/bons.php b/htdocs/compta/prelevement/bons.php index cb702174434..69d6412b235 100644 --- a/htdocs/compta/prelevement/bons.php +++ b/htdocs/compta/prelevement/bons.php @@ -41,7 +41,7 @@ $result = restrictedArea($user, 'prelevement', '', '', 'bons'); $type = GETPOST('type', 'aZ09'); $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 
diff --git a/htdocs/compta/prelevement/card.php b/htdocs/compta/prelevement/card.php index a70a464b428..1370155cb1d 100644 --- a/htdocs/compta/prelevement/card.php +++ b/htdocs/compta/prelevement/card.php @@ -45,7 +45,7 @@ $type = GETPOST('type', 'aZ09'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/compta/prelevement/class/bonprelevement.class.php b/htdocs/compta/prelevement/class/bonprelevement.class.php index 067dd33cd81..9d3c5bef7a8 100644 --- a/htdocs/compta/prelevement/class/bonprelevement.class.php +++ b/htdocs/compta/prelevement/class/bonprelevement.class.php @@ -205,9 +205,9 @@ class BonPrelevement extends CommonObject $sql .= " FROM ".MAIN_DB_PREFIX."prelevement_lignes"; $sql .= " WHERE fk_prelevement_bons = ".$this->id; $sql .= " AND fk_soc =".$client_id; - $sql .= " AND code_banque ='".$code_banque."'"; - $sql .= " AND code_guichet ='".$code_guichet."'"; - $sql .= " AND number ='".$number."'"; + $sql .= " AND code_banque = '".$this->db->escape($code_banque)."'"; + $sql .= " AND code_guichet = '".$this->db->escape($code_guichet)."'"; + $sql .= " AND number = '".$this->db->escape($number)."'"; $resql = $this->db->query($sql); if ($resql) 
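Review bot: The -205 hunk in bonprelevement.class.php escapes `code_banque`, `code_guichet` and `number` but the two context lines just above still concatenate integers raw (`$sql .= " WHERE fk_prelevement_bons = ".$this->id;` and `$sql .= " AND fk_soc =".$client_id;`), and the same `$client_id` goes raw into the INSERT in the -234 hunk (`$sql .= ", ".$client_id;`). Since these are integer keys, cast them the way the rest of this commit does: `$sql .= " WHERE fk_prelevement_bons = ".((int) $this->id);` and `$sql .= " AND fk_soc = ".((int) $client_id);`. The enclosing methods start outside the hunks.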
@@ -234,10 +234,10 @@ class BonPrelevement extends CommonObject $sql .= ", ".$client_id; $sql .= ", '".$this->db->escape($client_nom)."'"; $sql .= ", '".price2num($amount)."'"; - $sql .= ", '".$code_banque."'"; - $sql .= ", '".$code_guichet."'"; - $sql .= ", '".$number."'"; - $sql .= ", '".$number_key."'"; + $sql .= ", '".$this->db->escape($code_banque)."'"; + $sql .= ", '".$this->db->escape($code_guichet)."'"; + $sql .= ", '".$this->db->escape($number)."'"; + $sql .= ", '".$this->db->escape($number_key)."'"; $sql .= ")"; if ($this->db->query($sql)) @@ -1380,7 +1380,7 @@ class BonPrelevement extends CommonObject $result = 0; $sql = "DELETE FROM ".MAIN_DB_PREFIX."notify_def"; - $sql .= " WHERE rowid = '".$rowid."'"; + $sql .= " WHERE rowid = ".((int) $rowid); if ($this->db->query($sql)) { @@ -1404,7 +1404,7 @@ class BonPrelevement extends CommonObject $result = 0; $sql = "DELETE FROM ".MAIN_DB_PREFIX."notify_def"; - $sql .= " WHERE fk_user=".$user." AND fk_action='".$action."'"; + $sql .= " WHERE fk_user=".$user." AND fk_action='".$this->db->escape($action)."'"; if ($this->db->query($sql)) { @@ -1433,7 +1433,7 @@ class BonPrelevement extends CommonObject $now = dol_now(); $sql = "INSERT INTO ".MAIN_DB_PREFIX."notify_def (datec,fk_user, fk_soc, fk_contact, fk_action)"; - $sql .= " VALUES (".$db->idate($now).",".$user.", 'NULL', 'NULL', '".$action."')"; + $sql .= " VALUES ('".$this->db->idate($now)."', ".$user.", 'NULL', 'NULL', '".$this->db->escape($action)."')"; dol_syslog("adnotiff: ".$sql); if ($this->db->query($sql)) diff --git a/htdocs/compta/prelevement/factures.php b/htdocs/compta/prelevement/factures.php index 4104633e111..0b0c0eef6d4 100644 --- a/htdocs/compta/prelevement/factures.php +++ b/htdocs/compta/prelevement/factures.php 
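Review bot: In the -1404 and -1433 hunks `$user` is still concatenated raw (`" WHERE fk_user=".$user."` and `", ".$user.", 'NULL', 'NULL', "`) while `$action` gets escaped; as an integer key it should be cast, `((int) $user)`. In -1433 the quoted `'NULL', 'NULL'` are four-character strings rather than SQL NULL, which an integer `fk_soc`/`fk_contact` column would reject or coerce depending on the database's strict mode, so the rewritten line should read `$sql .= " VALUES ('".$this->db->idate($now)."', ".((int) $user).", NULL, NULL, '".$this->db->escape($action)."')";`. The surrounding methods start outside the hunks.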
@@ -45,7 +45,7 @@ $type = GETPOST('type', 'aZ09'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/compta/prelevement/fiche-rejet.php b/htdocs/compta/prelevement/fiche-rejet.php index 29d799a8554..6e601d82ecd 100644 --- a/htdocs/compta/prelevement/fiche-rejet.php +++ b/htdocs/compta/prelevement/fiche-rejet.php @@ -45,7 +45,7 @@ $type = GETPOST('type', 'aZ09'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/compta/prelevement/fiche-stat.php b/htdocs/compta/prelevement/fiche-stat.php index 3bb71f8c441..4ff81467d7c 100644 --- a/htdocs/compta/prelevement/fiche-stat.php +++ b/htdocs/compta/prelevement/fiche-stat.php @@ -43,7 +43,7 @@ $type = GETPOST('type', 'aZ09'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 
diff --git a/htdocs/compta/prelevement/line.php b/htdocs/compta/prelevement/line.php index 4120672b44e..3c8d80d4931 100644 --- a/htdocs/compta/prelevement/line.php +++ b/htdocs/compta/prelevement/line.php @@ -47,7 +47,7 @@ $type = GETPOST('type', 'aZ09'); $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; $sortorder = GETPOST('sortorder', 'aZ09comma'); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if ($page == -1 || $page == null) { $page = 0; } $offset = $limit * $page; diff --git a/htdocs/compta/prelevement/list.php b/htdocs/compta/prelevement/list.php index 1255a2b861e..6f9685ece18 100644 --- a/htdocs/compta/prelevement/list.php +++ b/htdocs/compta/prelevement/list.php @@ -50,7 +50,7 @@ $result = restrictedArea($user, 'prelevement', '', '', 'bons'); $type = GETPOST('type', 'aZ09'); $limit = GETPOST('limit', 'int')?GETPOST('limit', 'int'):$conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/compta/prelevement/rejets.php b/htdocs/compta/prelevement/rejets.php index 6c38e65981b..da2420aed3f 100644 --- a/htdocs/compta/prelevement/rejets.php +++ b/htdocs/compta/prelevement/rejets.php 
@@ -43,7 +43,7 @@ $type = GETPOST('type', 'aZ09'); // Get supervariables $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; $sortorder = GETPOST('sortorder', 'aZ09comma'); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/compta/recap-compta.php b/htdocs/compta/recap-compta.php index 3106235430e..63368fa94e8 100644 --- a/htdocs/compta/recap-compta.php +++ b/htdocs/compta/recap-compta.php @@ -46,7 +46,7 @@ $hookmanager->initHooks(array('recapcomptacard', 'globalcard')); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/compta/sociales/list.php b/htdocs/compta/sociales/list.php index 341799a686a..52d3b9b7fa3 100644 --- a/htdocs/compta/sociales/list.php +++ b/htdocs/compta/sociales/list.php 
@@ -138,8 +138,8 @@ if ($year > 0) $sql .= " AND ("; // Si period renseignee on l'utilise comme critere de date, sinon on prend date echeance, // ceci afin d'etre compatible avec les cas ou la periode n'etait pas obligatoire - $sql .= " (cs.periode IS NOT NULL AND date_format(cs.periode, '%Y') = '".$year."') "; - $sql .= "OR (cs.periode IS NULL AND date_format(cs.date_ech, '%Y') = '".$year."')"; + $sql .= " (cs.periode IS NOT NULL AND date_format(cs.periode, '%Y') = '".$db->escape($year)."') "; + $sql .= "OR (cs.periode IS NULL AND date_format(cs.date_ech, '%Y') = '".$db->escape($year)."')"; $sql .= ")"; } if ($filtre) { diff --git a/htdocs/compta/stats/cabyprodserv.php b/htdocs/compta/stats/cabyprodserv.php index ab2c1dcadb1..fbecc1df335 100644 --- a/htdocs/compta/stats/cabyprodserv.php +++ b/htdocs/compta/stats/cabyprodserv.php @@ -60,6 +60,9 @@ if (GETPOST('subcat', 'alpha') === 'yes') { $selected_type = GETPOST('search_type', 'int'); if ($selected_type == '') $selected_type = -1; +// Hook +$hookmanager->initHooks(array('cabyprodservlist')); + // Date range $year = GETPOST("year"); $month = GETPOST("month"); diff --git a/htdocs/compta/stats/casoc.php b/htdocs/compta/stats/casoc.php index ab71b147b50..a02d87a8392 100644 --- a/htdocs/compta/stats/casoc.php +++ b/htdocs/compta/stats/casoc.php @@ -61,6 +61,9 @@ if ($user->socid > 0) $socid = $user->socid; if (!empty($conf->comptabilite->enabled)) $result = restrictedArea($user, 'compta', '', '', 'resultat'); if (!empty($conf->accounting->enabled)) $result = restrictedArea($user, 'accounting', '', '', 'comptarapport'); +// Hook +$hookmanager->initHooks(array('casoclist')); + // Date range $year = GETPOST("year", 'int'); $month = GETPOST("month", 'int'); diff --git a/htdocs/compta/stats/supplier_turnover_by_prodserv.php b/htdocs/compta/stats/supplier_turnover_by_prodserv.php index 5911daaba45..83a3cb70a00 100644 --- a/htdocs/compta/stats/supplier_turnover_by_prodserv.php 
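Review bot: `$db->escape($year)` is the weaker control for a value compared as a year: the `if ($year > 0)` in the hunk header already treats it as numeric, and escape() only neutralises quote characters, so a non-numeric value still reaches the query as a string literal. Cast it instead, `'".((int) $year)."'`, or assign `$year = (int) $year;` once before building the query; the same applies to the three `$this->db->escape($year)` hunks in tva.class.php (-384, -421, -460) further down.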
+++ b/htdocs/compta/stats/supplier_turnover_by_prodserv.php @@ -57,6 +57,9 @@ if (GETPOST('subcat', 'alpha') === 'yes') { $selected_type = GETPOST('search_type', 'int'); if ($selected_type == '') $selected_type = -1; +// Hook +$hookmanager->initHooks(array('supplierturnoverbyprodservlist')); + // Date range $year = GETPOST("year"); $month = GETPOST("month"); diff --git a/htdocs/compta/stats/supplier_turnover_by_thirdparty.php b/htdocs/compta/stats/supplier_turnover_by_thirdparty.php index 60d65049800..7a624284cdf 100644 --- a/htdocs/compta/stats/supplier_turnover_by_thirdparty.php +++ b/htdocs/compta/stats/supplier_turnover_by_thirdparty.php @@ -50,6 +50,9 @@ if (GETPOST('subcat', 'alpha') === 'yes') { $subcat = true; } +// Hook +$hookmanager->initHooks(array('supplierturnoverbythirdpartylist')); + // Security check if ($user->socid > 0) $socid = $user->socid; if (!empty($conf->comptabilite->enabled)) $result = restrictedArea($user, 'compta', '', '', 'resultat'); diff --git a/htdocs/compta/tva/class/tva.class.php b/htdocs/compta/tva/class/tva.class.php index b4201d0bc36..5f661609e52 100644 --- a/htdocs/compta/tva/class/tva.class.php +++ b/htdocs/compta/tva/class/tva.class.php @@ -384,7 +384,7 @@ class Tva extends CommonObject $sql .= " FROM ".MAIN_DB_PREFIX."facture as f WHERE f.paye = 1"; if ($year) { - $sql .= " AND f.datef >= '".$year."-01-01' AND f.datef <= '".$year."-12-31' "; + $sql .= " AND f.datef >= '".$this->db->escape($year)."-01-01' AND f.datef <= '".$this->db->escape($year)."-12-31' "; } $result = $this->db->query($sql); @@ -421,7 +421,7 @@ class Tva extends CommonObject $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn as f"; if ($year) { - $sql .= " WHERE f.datef >= '".$year."-01-01' AND f.datef <= '".$year."-12-31' "; + $sql .= " WHERE f.datef >= '".$this->db->escape($year)."-01-01' AND f.datef <= '".$this->db->escape($year)."-12-31' "; } $result = $this->db->query($sql); 
@@ -460,7 +460,7 @@ class Tva extends CommonObject if ($year) { - $sql .= " WHERE f.datev >= '".$year."-01-01' AND f.datev <= '".$year."-12-31' "; + $sql .= " WHERE f.datev >= '".$this->db->escape($year)."-01-01' AND f.datev <= '".$this->db->escape($year)."-12-31' "; } $result = $this->db->query($sql); diff --git a/htdocs/compta/tva/list.php b/htdocs/compta/tva/list.php index 8c9b9efb5a6..82829fca12e 100644 --- a/htdocs/compta/tva/list.php +++ b/htdocs/compta/tva/list.php @@ -170,22 +170,18 @@ if ($result) // Date end period print ''; diff --git a/htdocs/core/class/html.formintervention.class.php b/htdocs/core/class/html.formintervention.class.php index 37073e8d3a5..dccbe50333a 100644 --- a/htdocs/core/class/html.formintervention.class.php +++ b/htdocs/core/class/html.formintervention.class.php @@ -80,18 +80,18 @@ class FormIntervention } dol_syslog(get_class($this)."::select_intervention", LOG_DEBUG); - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { $out .= ''; - $db->free($resql); + $this->db->free($resql); return $out; } else { - dol_print_error($db); + dol_print_error($this->db); return ''; } } diff --git a/htdocs/core/class/html.formmail.class.php b/htdocs/core/class/html.formmail.class.php index f7acd09dbd1..fcd7199137c 100644 --- a/htdocs/core/class/html.formmail.class.php +++ b/htdocs/core/class/html.formmail.class.php @@ -1296,7 +1296,7 @@ class FormMail extends Form $sql .= " WHERE type_template='".$this->db->escape($type_template)."'"; $sql .= " AND entity IN (".getEntity('c_email_templates').")"; $sql .= " AND (fk_user is NULL or fk_user = 0 or fk_user = ".$user->id.")"; - if (is_object($outputlangs)) $sql .= " AND (lang = '".$outputlangs->defaultlang."' OR lang IS NULL OR lang = '')"; + if (is_object($outputlangs)) $sql .= " AND (lang = '".$this->db->escape($outputlangs->defaultlang)."' OR lang IS NULL OR lang = '')"; $sql .= $this->db->order("lang,label", "ASC"); //print $sql; 
@@ -1330,7 +1330,7 @@ class FormMail extends Form $sql .= " AND entity IN (".getEntity('c_email_templates').")"; $sql .= " AND (private = 0 OR fk_user = ".$user->id.")"; // See all public templates or templates I own. if ($active >= 0) $sql .= " AND active = ".$active; - //if (is_object($outputlangs)) $sql.= " AND (lang = '".$outputlangs->defaultlang."' OR lang IS NULL OR lang = '')"; // Return all languages + //if (is_object($outputlangs)) $sql.= " AND (lang = '".$this->db->escape($outputlangs->defaultlang)."' OR lang IS NULL OR lang = '')"; // Return all languages $sql .= $this->db->order("position,lang,label", "ASC"); //print $sql; diff --git a/htdocs/core/class/html.formmargin.class.php b/htdocs/core/class/html.formmargin.class.php index 5e18bb20782..cf159819764 100644 --- a/htdocs/core/class/html.formmargin.class.php +++ b/htdocs/core/class/html.formmargin.class.php @@ -87,7 +87,7 @@ class FormMargin if (empty($line->pa_ht) && isset($line->fk_fournprice) && !$force_price) { require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.product.class.php'; - $product = new ProductFournisseur($db); + $product = new ProductFournisseur($this->db); if ($product->fetch_product_fournisseur_price($line->fk_fournprice)) $line->pa_ht = $product->fourn_unitprice * (1 - $product->fourn_remise_percent / 100); } @@ -204,7 +204,7 @@ class FormMargin if (!empty($conf->global->MARGIN_ADD_SHOWHIDE_BUTTON)) // TODO Warning this feature rely on an external js file that may be removed. Using native js function document.cookie should be better { print $langs->trans('ShowMarginInfos').' : '; - $hidemargininfos = $_COOKIE['DOLUSER_MARGININFO_HIDE_SHOW']; + $hidemargininfos = preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE['DOLUSER_MARGININFO_HIDE_SHOW']); // Clean cookie print ''.img_picto($langs->trans("Disabled"), 'switch_off').''; print ''.img_picto($langs->trans("Enabled"), 'switch_on').''; 
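Review bot: In the formmargin -204 hunk `$_COOKIE['DOLUSER_MARGININFO_HIDE_SHOW']` is read without checking that it exists, so a first visit with no cookie raises an undefined-index notice before preg_replace runs; the cleaning added here is right but needs a guard: `$hidemargininfos = isset($_COOKIE['DOLUSER_MARGININFO_HIDE_SHOW']) ? preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE['DOLUSER_MARGININFO_HIDE_SHOW']) : '';`. The enclosing method starts outside the hunk.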
diff --git a/htdocs/core/class/html.formother.class.php b/htdocs/core/class/html.formother.class.php index f69ef6703e0..96c73deff7a 100644 --- a/htdocs/core/class/html.formother.class.php +++ b/htdocs/core/class/html.formother.class.php @@ -256,7 +256,7 @@ class FormOther $sql = "SELECT r.taux, r.revenuestamp_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_revenuestamp as r,".MAIN_DB_PREFIX."c_country as c"; $sql .= " WHERE r.active = 1 AND r.fk_pays = c.rowid"; - $sql .= " AND c.code = '".$country_code."'"; + $sql .= " AND c.code = '".$this->db->escape($country_code)."'"; dol_syslog(get_class($this).'::select_revenue_stamp', LOG_DEBUG); $resql = $this->db->query($sql); @@ -1141,7 +1141,7 @@ class FormOther // Load translation files required by the page $langs->loadLangs(array("boxes", "projects")); - $emptybox = new ModeleBoxes($db); + $emptybox = new ModeleBoxes($db); $boxlista .= "\n\n"; diff --git a/htdocs/core/class/html.formsocialcontrib.class.php b/htdocs/core/class/html.formsocialcontrib.class.php index c6d28a7b70f..b5adfdba82f 100644 --- a/htdocs/core/class/html.formsocialcontrib.class.php +++ b/htdocs/core/class/html.formsocialcontrib.class.php @@ -83,15 +83,15 @@ class FormSocialContrib $sql = "SELECT c.id, c.libelle as type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_chargesociales as c, ".MAIN_DB_PREFIX."c_country as co"; $sql .= " WHERE c.active = 1 AND c.fk_pays = co.rowid"; - $sql .= " AND co.code = '".$mysoc->country_code."'"; + $sql .= " AND co.code = '".$this->db->escape($mysoc->country_code)."'"; $sql .= " ORDER BY c.libelle ASC"; } dol_syslog("Form::select_type_socialcontrib", LOG_DEBUG); - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - $num = $db->num_rows($resql); + $num = $this->db->num_rows($resql); if ($num) { print ''; print ''; print ''; + print ''; print ''; print ''; //print ''; @@ -2589,6 +2595,7 @@ if ($module == 'initmodule') print ''; print ''; print ''; + print ''; print ''; print ''; //print ''; 
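Review bot: The -1141 hunk in html.formother.class.php re-touches `$emptybox = new ModeleBoxes($db);` yet keeps the global `$db`, while the other class hunks in this commit (formintervention, formsocialcontrib, formmargin) switch to `$this->db`, and the -256 hunk of this same class already uses `$this->db`. Unless this method declares `global $db` above the hunk, `$db` is undefined here; suggest `$emptybox = new ModeleBoxes($this->db);`. The enclosing method starts outside the hunk.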
@@ -2629,6 +2636,7 @@ if ($module == 'initmodule') $propsearchall = $propval['searchall']; $propisameasure = $propval['isameasure']; $propcss = $propval['css']; + $propcssview = $propval['cssview']; $prophelp = $propval['help']; $propshowoncombobox = $propval['showoncombobox']; //$propdisabled=$propval['disabled']; @@ -2637,63 +2645,70 @@ if ($module == 'initmodule') print ''; print ''; print ''; - print ''; - print ''; print ''; print ''; print ''; print ''; print ''; print ''; print ''; print ''; print ''; print ''; print ''; print ''; + print ''; print ''; /*print '';*/ - print ''; print ''; // Expire date print ''; // Author @@ -1015,7 +1018,7 @@ if ($nbofcheckbox >= 2) } // S'il a oublié de remplir un nom -if (isset($_POST["boutonp"]) && $_POST["nom"] == "") { +if (GETPOSTISSET("boutonp") && GETPOST("nom") == "") { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Name")), null, 'errors'); } diff --git a/htdocs/opensurvey/wizard/choix_autre.php b/htdocs/opensurvey/wizard/choix_autre.php index 5819d901ec9..6b39a70d5e9 100644 --- a/htdocs/opensurvey/wizard/choix_autre.php +++ b/htdocs/opensurvey/wizard/choix_autre.php @@ -36,14 +36,17 @@ if (!$user->rights->opensurvey->write) accessforbidden(); * Action */ +$arrayofchoices = GETPOST('choix', 'array'); +$arrayoftypecolumn = GETPOST('typecolonne', 'array'); + // Set session vars if (isset($_SESSION["nbrecases"])) { for ($i = 0; $i < $_SESSION["nbrecases"]; $i++) { - if (isset($_POST["choix"][$i])) { - $_SESSION["choix$i"] = $_POST["choix"][$i]; + if (isset($arrayofchoices[$i])) { + $_SESSION["choix$i"] = $arrayofchoices[$i]; } - if (isset($_POST["typecolonne"][$i])) { - $_SESSION["typecolonne$i"] = $_POST["typecolonne"][$i]; + if (isset($arrayoftypecolumn[$i])) { + $_SESSION["typecolonne$i"] = $arrayoftypecolumn[$i]; } } } else { //nombre de cases par défaut 
@@ -56,16 +59,16 @@ if (GETPOST("ajoutcases") || GETPOST("ajoutcases_x")) } // Create survey into database -if (isset($_POST["confirmecreation"])) +if (GETPOSTISSET("confirmecreation")) { //recuperation des données de champs textes $toutchoix = ''; for ($i = 0; $i < $_SESSION["nbrecases"] + 1; $i++) { - if (!empty($_POST["choix"][$i])) + if (!empty($arrayofchoices[$i])) { $toutchoix .= ','; - $toutchoix .= str_replace(array(",", "@"), " ", $_POST["choix"][$i]).(empty($_POST["typecolonne"][$i]) ? '' : '@'.$_POST["typecolonne"][$i]); + $toutchoix .= str_replace(array(",", "@"), " ", $arrayofchoices[$i]).(empty($arrayoftypecolumn[$i]) ? '' : '@'.$arrayoftypecolumn[$i]); } } @@ -76,7 +79,7 @@ if (isset($_POST["confirmecreation"])) $testremplissage = ''; for ($i = 0; $i < $_SESSION["nbrecases"]; $i++) { - if (isset($_POST["choix"][$i])) + if (isset($arrayofchoices[$i])) { $testremplissage = "ok"; } @@ -94,7 +97,7 @@ if (isset($_POST["confirmecreation"])) } } - +var_dump($_SESSION);exit; /* diff --git a/htdocs/paypal/admin/paypal.php b/htdocs/paypal/admin/paypal.php index 1e88163c563..4c304201c6c 100644 --- a/htdocs/paypal/admin/paypal.php +++ b/htdocs/paypal/admin/paypal.php @@ -269,7 +269,7 @@ if (!empty($conf->use_javascript_ajax)) { } if (! empty($conf->global->PAYMENT_SECURITY_ACCEPT_ANY_TOKEN)) { $langs->load("errors"); - print img_warning($langs->trans("WarningTheHiddenOptionIsOn", PAYMENT_SECURITY_ACCEPT_ANY_TOKEN), '', 'pictowarning marginleftonly'); + print img_warning($langs->trans("WarningTheHiddenOptionIsOn", 'PAYMENT_SECURITY_ACCEPT_ANY_TOKEN'), '', 'pictowarning marginleftonly'); } print ''; diff --git a/htdocs/product/admin/product.php b/htdocs/product/admin/product.php index 905821535c1..f037dfb3d6f 100644 --- a/htdocs/product/admin/product.php +++ b/htdocs/product/admin/product.php @@ -378,7 +378,7 @@ print '
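Review bot: The added line `var_dump($_SESSION);exit;` at the end of the choix_autre.php @@ -94 hunk is a debugging leftover: it writes the entire session array into the HTTP response and halts the wizard before anything after it (the commented block and the rest of the page, outside the hunk) runs. Whatever other modules have stored in the session for this user is exposed to the browser on every submission of this step. Remove the line and restore the blank line it replaced; if a trace is still wanted during development, `dol_syslog()` keeps it server-side.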
'.price($obj->total_ht).''.price($obj->total_ttc).''.price($obj->am).''.$facstatic->LibStatut($obj->paye, $obj->fk_statut, 3).''.$facstatic->LibStatut($obj->paye, $obj->fk_statut, 3, $obj->am, $obj->type).'
'; + print ''.$langs->trans("More").'... ('.$othernb.')'; + print '
'.$langs->trans("Total").'   ('.$langs->trans("RemainderToPay").': '.price($total_ttc - $totalam).')  '.price($total).''; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_dateend_start ? $search_dateend_start : -1, 'search_dateend_start', 0, 0, 1); + print $form->selectDate($search_dateend_start ? $search_dateend_start : -1, 'search_dateend_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_dateend_end ? $search_dateend_end : -1, 'search_dateend_end', 0, 0, 1); + print $form->selectDate($search_dateend_end ? $search_dateend_end : -1, 'search_dateend_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')); print '
'; // Date payment print '
'; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_datepayment_start ? $search_datepayment_start : -1, 'search_datepayment_start', 0, 0, 1); + print $form->selectDate($search_datepayment_start ? $search_datepayment_start : -1, 'search_datepayment_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_datepayment_end ? $search_datepayment_end : -1, 'search_datepayment_end', 0, 0, 1); + print $form->selectDate($search_datepayment_end ? $search_datepayment_end : -1, 'search_datepayment_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')); print '
'; // Type print '
'; diff --git a/htdocs/contact/card.php b/htdocs/contact/card.php index dab7242b598..8428b257fac 100644 --- a/htdocs/contact/card.php +++ b/htdocs/contact/card.php @@ -1249,9 +1249,14 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) } } - if (!empty($id) && $action != 'edit' && $action != 'create') - { - $objsoc = new Societe($db); + // Select mail models is same action as presend + if (GETPOST('modelselected', 'alpha')) { + $action = 'presend'; + } + + if (!empty($id) && $action != 'edit' && $action != 'create') + { + $objsoc = new Societe($db); // View mode diff --git a/htdocs/contact/class/contact.class.php b/htdocs/contact/class/contact.class.php index 3922dc9069f..0c2c3bf56ce 100644 --- a/htdocs/contact/class/contact.class.php +++ b/htdocs/contact/class/contact.class.php @@ -1649,7 +1649,7 @@ class Contact extends CommonObject $sql .= ", ".MAIN_DB_PREFIX."societe_contacts sc"; $sql .= " WHERE sc.fk_soc =".$this->socid; $sql .= " AND sc.fk_c_type_contact=tc.rowid"; - $sql .= " AND tc.element='".$element."'"; + $sql .= " AND tc.element='".$this->db->escape($element)."'"; $sql .= " AND tc.active=1"; dol_syslog(__METHOD__, LOG_DEBUG); diff --git a/htdocs/contact/list.php b/htdocs/contact/list.php index 7bf82aa9379..0f4f01a0916 100644 --- a/htdocs/contact/list.php +++ b/htdocs/contact/list.php @@ -104,7 +104,7 @@ $type = GETPOST("type", 'aZ'); $view = GETPOST("view", 'alpha'); $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); $userid = GETPOST('userid', 'int'); diff --git a/htdocs/contrat/class/api_contracts.class.php b/htdocs/contrat/class/api_contracts.class.php index ffe66208afe..671ac1177f6 100644 --- a/htdocs/contrat/class/api_contracts.class.php 
+++ b/htdocs/contrat/class/api_contracts.class.php @@ -141,7 +141,7 @@ class Contracts extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -149,28 +149,28 @@ class Contracts extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } dol_syslog("API Rest request"); - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); $i = 0; while ($i < $min) { - $obj = $db->fetch_object($result); - $contrat_static = new Contrat($db); + $obj = $this->db->fetch_object($result); + $contrat_static = new Contrat($this->db); if ($contrat_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($contrat_static); } $i++; } } else { - throw new RestException(503, 'Error when retrieve contrat list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve contrat list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No contract found'); diff --git a/htdocs/contrat/class/contrat.class.php b/htdocs/contrat/class/contrat.class.php index b555917e2f3..f94b19c30b9 100644 --- a/htdocs/contrat/class/contrat.class.php +++ b/htdocs/contrat/class/contrat.class.php @@ -510,7 +510,7 @@ class Contrat extends CommonObject if ($num) { - $sql = "UPDATE ".MAIN_DB_PREFIX."contrat SET ref = '".$num."', statut = 1"; + $sql = "UPDATE ".MAIN_DB_PREFIX."contrat SET ref = '".$this->db->escape($num)."', statut = 1"; //$sql.= ", fk_user_valid = ".$user->id.", date_valid = '".$this->db->idate($now)."'"; $sql .= " WHERE rowid = ".$this->id." AND statut = 0"; 
@@ -1093,7 +1093,7 @@ class Contrat extends CommonObject } $sqlcontact = "SELECT ctc.code, ctc.source, ec.fk_socpeople FROM ".MAIN_DB_PREFIX."element_contact as ec, ".MAIN_DB_PREFIX."c_type_contact as ctc"; - $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$originforcontact."'"; + $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$this->db->escape($originforcontact)."'"; $resqlcontact = $this->db->query($sqlcontact); if ($resqlcontact) @@ -1541,15 +1541,15 @@ class Contrat extends CommonObject $sql .= ($fk_product > 0 ? $fk_product : "null").","; $sql .= " ".$qty.","; $sql .= " ".$txtva.","; - $sql .= " ".($vat_src_code ? "'".$vat_src_code."'" : "null").","; + $sql .= " ".($vat_src_code ? "'".$this->db->escape($vat_src_code)."'" : "null").","; $sql .= " ".$txlocaltax1.","; $sql .= " ".$txlocaltax2.","; - $sql .= " '".$localtax1_type."',"; - $sql .= " '".$localtax2_type."',"; + $sql .= " '".$this->db->escape($localtax1_type)."',"; + $sql .= " '".$this->db->escape($localtax2_type)."',"; $sql .= " ".price2num($remise_percent).","; $sql .= " ".price2num($pu_ht).","; $sql .= " ".price2num($total_ht).",".price2num($total_tva).",".price2num($total_localtax1).",".price2num($total_localtax2).",".price2num($total_ttc).","; - $sql .= " '".$info_bits."',"; + $sql .= " '".$this->db->escape($info_bits)."',"; $sql .= " ".price2num($price).",".price2num($remise).","; if (isset($fk_fournprice)) $sql .= ' '.$fk_fournprice.','; else $sql .= ' null,'; 
@@ -1717,8 +1717,8 @@ class Contrat extends CommonObject $sql .= ",tva_tx='".price2num($tvatx)."'"; $sql .= ",localtax1_tx='".price2num($localtax1tx)."'"; $sql .= ",localtax2_tx='".price2num($localtax2tx)."'"; - $sql .= ",localtax1_type='".$localtax1_type."'"; - $sql .= ",localtax2_type='".$localtax2_type."'"; + $sql .= ",localtax1_type='".$this->db->escape($localtax1_type)."'"; + $sql .= ",localtax2_type='".$this->db->escape($localtax2_type)."'"; $sql .= ", total_ht='".price2num($total_ht)."'"; $sql .= ", total_tva='".price2num($total_tva)."'"; $sql .= ", total_localtax1='".price2num($total_localtax1)."'"; diff --git a/htdocs/contrat/index.php b/htdocs/contrat/index.php index 1293da8cf26..7fe88d03c3d 100644 --- a/htdocs/contrat/index.php +++ b/htdocs/contrat/index.php @@ -37,7 +37,7 @@ $hookmanager->initHooks(array('contractindex')); // Load translation files required by the page $langs->loadLangs(array('products', 'companies', 'contracts')); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); diff --git a/htdocs/core/actions_massactions.inc.php b/htdocs/core/actions_massactions.inc.php index 4db4c94f007..98e936a2d7a 100644 --- a/htdocs/core/actions_massactions.inc.php +++ b/htdocs/core/actions_massactions.inc.php @@ -648,9 +648,9 @@ if ($massaction == 'confirm_createbills') // Create bills from orders $sql .= ", targettype"; $sql .= ") VALUES ("; $sql .= $id_order; - $sql .= ", '".$objecttmp->origin."'"; + $sql .= ", '".$db->escape($objecttmp->origin)."'"; $sql .= ", ".$objecttmp->id; - $sql .= ", '".$objecttmp->element."'"; + $sql .= ", '".$db->escape($objecttmp->element)."'"; $sql .= ")"; if (!$db->query($sql)) diff --git a/htdocs/core/ajax/check_notifications.php b/htdocs/core/ajax/check_notifications.php index f8a30e69aa9..098ac586ce1 100644 
--- a/htdocs/core/ajax/check_notifications.php +++ b/htdocs/core/ajax/check_notifications.php @@ -101,7 +101,7 @@ $eventfound = array(); //dol_syslog('time='.$time.' $_SESSION[auto_ck_events_not_before]='.$_SESSION['auto_check_events_not_before']); // TODO Try to make a solution with only a javascript timer that is easier. Difficulty is to avoid notification twice when several tabs are opened. -// This need to extend period to be sure to not miss and save in session what we notified to avoid duplicate (save is not done yet). +// This need to extend period to be sure to not miss and save in session what we notified to avoid duplicate. if ($time >= $_SESSION['auto_check_events_not_before'] || GETPOST('forcechecknow', 'int')) { $time_update = (int) $conf->global->MAIN_BROWSER_NOTIFICATION_FREQUENCY; // Always defined diff --git a/htdocs/core/ajax/constantonoff.php b/htdocs/core/ajax/constantonoff.php index 456542e331e..710759e10bb 100644 --- a/htdocs/core/ajax/constantonoff.php +++ b/htdocs/core/ajax/constantonoff.php @@ -26,13 +26,15 @@ if (!defined('NOREQUIREHTML')) define('NOREQUIREHTML', '1'); if (!defined('NOREQUIREAJAX')) define('NOREQUIREAJAX', '1'); if (!defined('NOREQUIRESOC')) define('NOREQUIRESOC', '1'); if (!defined('NOREQUIRETRAN')) define('NOREQUIRETRAN', '1'); +if (!defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Token is required even in GET mode require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; -$action = GETPOST('action', 'aZ09'); +$action = GETPOST('action', 'aZ09'); // set or del $name = GETPOST('name', 'alpha'); + /* * View */ @@ -46,7 +48,7 @@ top_httphead(); //print ''."\n"; -// Registering the location of boxes +// Registering the new value of constant if (!empty($action) && !empty($name)) { $entity = GETPOST('entity', 'int'); @@ -62,4 +64,6 @@ if (!empty($action) && !empty($name)) dolibarr_del_const($db, $name, $entity); } } +} else { + http_response_code(403); } 
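Review bot: The new `else` branch in constantonoff.php @@ -62 answers 403 when `$action` or `$name` is empty, but that is a malformed request rather than a permission failure; `http_response_code(400);` describes it better and keeps 403 meaningful for the token and rights checks. The comment added in @@ -26 documents the accepted values as `set` or `del`, yet a value that is neither presumably still falls through the `if`/`elseif` inside the guarded block without any response, so the unknown-action case would benefit from the same explicit status. The guarded block begins in the @@ -46 hunk and its `set` branch is outside this one, so I could not confirm what other validation `$name` receives there.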
diff --git a/htdocs/core/ajax/selectobject.php b/htdocs/core/ajax/selectobject.php index a672510555b..9d9b7bbfc42 100644 --- a/htdocs/core/ajax/selectobject.php +++ b/htdocs/core/ajax/selectobject.php @@ -75,9 +75,10 @@ if (!is_object($objecttmp)) } // When used from jQuery, the search term is added as GET param "term". -$searchkey = (($id && GETPOST($id, 'alpha')) ?GETPOST($id, 'alpha') : (($htmlname && GETPOST($htmlname, 'alpha')) ?GETPOST($htmlname, 'alpha') : '')); +$searchkey = (($id && GETPOST($id, 'alpha')) ? GETPOST($id, 'alpha') : (($htmlname && GETPOST($htmlname, 'alpha')) ? GETPOST($htmlname, 'alpha') : '')); -// TODO Add a security test to avoid to get content of all tables +// Add a security test to avoid to get content of all tables +restrictedArea($user, $objecttmp->element, $id); $arrayresult = $form->selectForFormsList($objecttmp, $htmlname, '', 0, $searchkey, '', '', '', 0, 1); diff --git a/htdocs/core/boxes/box_produits.php b/htdocs/core/boxes/box_produits.php index 8dffe4adf20..52591fa5292 100644 --- a/htdocs/core/boxes/box_produits.php +++ b/htdocs/core/boxes/box_produits.php @@ -117,7 +117,7 @@ class box_produits extends ModeleBoxes $sqld = "SELECT label"; $sqld .= " FROM ".MAIN_DB_PREFIX."product_lang"; $sqld .= " WHERE fk_product=".$objp->rowid; - $sqld .= " AND lang='".$langs->getDefaultLang()."'"; + $sqld .= " AND lang='".$this->db->escape($langs->getDefaultLang())."'"; $sqld .= " LIMIT 1"; $resultd = $this->db->query($sqld); diff --git a/htdocs/core/boxes/box_produits_alerte_stock.php b/htdocs/core/boxes/box_produits_alerte_stock.php index 5b17ef22ddf..6845cb2db5f 100644 --- a/htdocs/core/boxes/box_produits_alerte_stock.php +++ b/htdocs/core/boxes/box_produits_alerte_stock.php 
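Review bot: The new `restrictedArea($user, $objecttmp->element, $id)` call passes `$id` as its third argument, but the line just above uses the same `$id` as a request parameter name (`GETPOST($id, 'alpha')`), which suggests it holds a form field identifier rather than the object rowid that argument position usually carries; worth confirming against the helper's signature before relying on it. Whether `$objecttmp->element` always matches the module's rights key is not visible from the hunk either — `$objecttmp` is built above it — so an element whose name differs from its module would be checked against a different feature. A comment naming the right being enforced would help the next reader, e.g. `// Deny unless the user may read the module that owns $objecttmp->element; the old TODO left every table readable here`.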
@@ -130,7 +130,7 @@ class box_produits_alerte_stock extends ModeleBoxes $sqld = "SELECT label"; $sqld .= " FROM ".MAIN_DB_PREFIX."product_lang"; $sqld .= " WHERE fk_product=".$objp->rowid; - $sqld .= " AND lang='".$langs->getDefaultLang()."'"; + $sqld .= " AND lang='".$this->db->escape($langs->getDefaultLang())."'"; $sqld .= " LIMIT 1"; $resultd = $this->db->query($sqld); diff --git a/htdocs/core/boxes/box_task.php b/htdocs/core/boxes/box_task.php index 9c6020bebdc..c1d728eb667 100644 --- a/htdocs/core/boxes/box_task.php +++ b/htdocs/core/boxes/box_task.php @@ -94,7 +94,7 @@ class box_task extends ModeleBoxes if (in_array(GETPOST($cookie_name), array('all', 'im_project_contact', 'im_task_contact'))) { $filterValue = GETPOST($cookie_name); } elseif (!empty($_COOKIE[$cookie_name])) { - $filterValue = $_COOKIE[$cookie_name]; + $filterValue = preg_replace('/[^a-z_]/', '', $_COOKIE[$cookie_name]); // Clean cookie from evil data } if ($filterValue == 'im_task_contact') { 
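Review bot: In box_task.php @@ -94 the cookie branch now strips characters with `preg_replace('/[^a-z_]/', '', ...)` while the `GETPOST` branch two lines above validates against an explicit allow-list, so the two inputs are held to different rules and a cleaned but unknown value can still land in `$filterValue`. Reusing the allow-list is simpler and makes the accepted values obvious: `} elseif (!empty($_COOKIE[$cookie_name]) && in_array($_COOKIE[$cookie_name], array('all', 'im_project_contact', 'im_task_contact'))) {` followed by `$filterValue = $_COOKIE[$cookie_name];`. The later comparisons in @@ -154 use `===` on those exact strings, so anything else is ignored there anyway, but validating at the input keeps that guarantee local. The enclosing method starts and ends outside the hunk.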
@@ -154,10 +154,10 @@ class box_task extends ModeleBoxes $sql .= " JOIN ".MAIN_DB_PREFIX."projet as p ON (pt.fk_projet = p.rowid)"; if ($filterValue === 'im_task_contact') { - $sql .= " JOIN ".MAIN_DB_PREFIX."element_contact as ec ON (ec.element_id = pt.rowid AND ec.fk_socpeople = '".$user->id."' )"; + $sql .= " JOIN ".MAIN_DB_PREFIX."element_contact as ec ON (ec.element_id = pt.rowid AND ec.fk_socpeople = ".((int) $user->id).")"; $sql .= " JOIN ".MAIN_DB_PREFIX."c_type_contact as tc ON (ec.fk_c_type_contact = tc.rowid AND tc.element = 'project_task' AND tc.source = 'internal' )"; } elseif ($filterValue === 'im_project_contact') { - $sql .= " JOIN ".MAIN_DB_PREFIX."element_contact as ec ON (ec.element_id = p.rowid AND ec.fk_socpeople = '".$user->id."' )"; + $sql .= " JOIN ".MAIN_DB_PREFIX."element_contact as ec ON (ec.element_id = p.rowid AND ec.fk_socpeople = ".((int) $user->id).")"; $sql .= " JOIN ".MAIN_DB_PREFIX."c_type_contact as tc ON (ec.fk_c_type_contact = tc.rowid AND tc.element = 'project' AND tc.source = 'internal' )"; } diff --git a/htdocs/core/class/CMailFile.class.php b/htdocs/core/class/CMailFile.class.php index a90e3a2cf26..10c539a48de 100644 --- a/htdocs/core/class/CMailFile.class.php +++ b/htdocs/core/class/CMailFile.class.php @@ -294,6 +294,16 @@ class CMailFile $addr_bcc .= ($addr_bcc ? ', ' : '').$conf->global->MAIN_MAIL_AUTOCOPY_TO; } + $keyforsslseflsigned ='MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED'; + if (!empty($this->sendcontext)) { + $smtpContextKey = strtoupper($this->sendcontext); + $keyForSMTPSendMode = 'MAIN_MAIL_SENDMODE_' . $smtpContextKey; + $smtpContextSendMode = $conf->global->{$keyForSMTPSendMode}; + if (!empty($smtpContextSendMode) && $smtpContextSendMode != 'default') { + $keyforsslseflsigned ='MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_' . $smtpContextKey; + } + } + // We set all data according to choosed sending method. // We also set a value for ->msgid if ($this->sendmode == 'mail') 
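Review bot: The new variable in CMailFile @@ -294 is named `$keyforsslseflsigned` (a transposition of "selfsigned") and the same spelling is repeated in @@ -642 and @@ -849, with the spacing `='` also off in each; renaming it to `$keyforsslselfsigned` now, while it exists in only three places, is cheap. The block that resolves `$smtpContextKey` and `$smtpContextSendMode` here is a verbatim copy of the one in @@ -642; a small private helper returning the per-context suffix (or `''` when the context uses the default send mode) would remove the duplication and stop the two copies drifting. The enclosing method starts and ends outside the hunk.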
@@ -404,6 +414,7 @@ class CMailFile $smtps->setBCC($this->addr_bcc); $smtps->setErrorsTo($this->errors_to); $smtps->setDeliveryReceipt($this->deliveryreceipt); + if (!empty($conf->global->$keyforsslseflsigned)) $smtps->setOptions(array('ssl' => array('verify_peer' => false, 'verify_peer_name' => false, 'allow_self_signed' => true))); $host = dol_getprefix('email'); $this->msgid = time().'.SMTPs-dolibarr-'.$this->trackid.'@'.$host; @@ -642,17 +653,19 @@ class CMailFile $keyforsmtppw = 'MAIN_MAIL_SMTPS_PW'; $keyfortls = 'MAIN_MAIL_EMAIL_TLS'; $keyforstarttls = 'MAIN_MAIL_EMAIL_STARTTLS'; + $keyforsslseflsigned ='MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED'; if (!empty($this->sendcontext)) { $smtpContextKey = strtoupper($this->sendcontext); $keyForSMTPSendMode = 'MAIN_MAIL_SENDMODE_'.$smtpContextKey; $smtpContextSendMode = $conf->global->{$keyForSMTPSendMode}; if (!empty($smtpContextSendMode) && $smtpContextSendMode != 'default') { - $keyforsmtpserver = 'MAIN_MAIL_SMTP_SERVER_'.$smtpContextKey; - $keyforsmtpport = 'MAIN_MAIL_SMTP_PORT_'.$smtpContextKey; - $keyforsmtpid = 'MAIN_MAIL_SMTPS_ID_'.$smtpContextKey; - $keyforsmtppw = 'MAIN_MAIL_SMTPS_PW_'.$smtpContextKey; - $keyfortls = 'MAIN_MAIL_EMAIL_TLS_'.$smtpContextKey; - $keyforstarttls = 'MAIN_MAIL_EMAIL_STARTTLS_'.$smtpContextKey; + $keyforsmtpserver = 'MAIN_MAIL_SMTP_SERVER_' . $smtpContextKey; + $keyforsmtpport = 'MAIN_MAIL_SMTP_PORT_' . $smtpContextKey; + $keyforsmtpid = 'MAIN_MAIL_SMTPS_ID_' . $smtpContextKey; + $keyforsmtppw = 'MAIN_MAIL_SMTPS_PW_' . $smtpContextKey; + $keyfortls = 'MAIN_MAIL_EMAIL_TLS_' . $smtpContextKey; + $keyforstarttls = 'MAIN_MAIL_EMAIL_STARTTLS_' . $smtpContextKey; + $keyforsslseflsigned ='MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_' . $smtpContextKey; } } 
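Review bot: When the new `MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED` option is set, the added `setOptions()` line switches off `verify_peer` and `verify_peer_name` as well as allowing self-signed certificates, which removes server authentication entirely: the SMTP session is still encrypted but the endpoint is no longer verified, which is broader than the option name suggests. The Swift branch in @@ -849 disables only `verify_peer` under the same setting (and ends with a stray `;;`), so the two transports behave differently. Consider keeping verification on and pointing the context at the expected certificate instead (`allow_self_signed => true` together with `cafile` or `peer_fingerprint` in the `ssl` context), or at least document what the flag really does: `// Disables TLS peer verification for this SMTP context: the server is no longer authenticated, only the channel is encrypted`. The enclosing method starts and ends outside the hunk.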
@@ -849,6 +862,7 @@ class CMailFile if (!empty($conf->global->$keyforsmtpid)) $this->transport->setUsername($conf->global->$keyforsmtpid); if (!empty($conf->global->$keyforsmtppw)) $this->transport->setPassword($conf->global->$keyforsmtppw); + if (! empty($conf->global->$keyforsslseflsigned)) $this->transport->setStreamOptions(array('ssl' => array('allow_self_signed' => true, 'verify_peer' => false)));; //$smtps->_msgReplyTo = 'reply@web.com'; // Switch content encoding to base64 - avoid the doubledot issue with quoted-printable diff --git a/htdocs/core/class/comment.class.php b/htdocs/core/class/comment.class.php index 91fba374181..a083576aacb 100644 --- a/htdocs/core/class/comment.class.php +++ b/htdocs/core/class/comment.class.php @@ -349,25 +349,25 @@ class Comment extends CommonObject $sql .= " c.rowid"; $sql .= " FROM ".MAIN_DB_PREFIX.$this->table_element." as c"; $sql .= " WHERE c.fk_element = ".$fk_element; - $sql .= " AND c.element_type = '".$db->escape($element_type)."'"; + $sql .= " AND c.element_type = '".$this->db->escape($element_type)."'"; $sql .= " AND c.entity = ".$conf->entity; $sql .= " ORDER BY c.tms DESC"; dol_syslog(get_class($this).'::'.__METHOD__, LOG_DEBUG); - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - $num_rows = $db->num_rows($resql); + $num_rows = $this->db->num_rows($resql); if ($num_rows > 0) { - while ($obj = $db->fetch_object($resql)) + while ($obj = $this->db->fetch_object($resql)) { $comment = new self($db); $comment->fetch($obj->rowid); $this->comments[] = $comment; } } - $db->free($resql); + $this->db->free($resql); } else { $this->errors[] = "Error ".$this->db->lasterror(); return -1; diff --git a/htdocs/core/class/commondocgenerator.class.php b/htdocs/core/class/commondocgenerator.class.php index f610e6bb952..2eac2d5d900 100644 --- a/htdocs/core/class/commondocgenerator.class.php +++ b/htdocs/core/class/commondocgenerator.class.php 
@@ -604,7 +604,7 @@ abstract class CommonDocGenerator if ($columns != "") { $columns = substr($columns, 0, strlen($columns) - 2); - $resql = $this->db->query("SELECT $columns FROM ".MAIN_DB_PREFIX."product_fournisseur_price_extrafields AS ex INNER JOIN ".MAIN_DB_PREFIX."product_fournisseur_price AS f ON ex.fk_object = f.rowid WHERE f.ref_fourn = '".$line->ref_supplier."'"); + $resql = $this->db->query("SELECT ".$columns." FROM ".MAIN_DB_PREFIX."product_fournisseur_price_extrafields AS ex INNER JOIN ".MAIN_DB_PREFIX."product_fournisseur_price AS f ON ex.fk_object = f.rowid WHERE f.ref_fourn = '".$this->db->escape($line->ref_supplier)."'"); if ($this->db->num_rows($resql) > 0) { diff --git a/htdocs/core/class/commonincoterm.class.php b/htdocs/core/class/commonincoterm.class.php index b0bb5a3370c..b2d5491684e 100644 --- a/htdocs/core/class/commonincoterm.class.php +++ b/htdocs/core/class/commonincoterm.class.php @@ -122,12 +122,12 @@ trait CommonIncoterm $this->fk_incoterms = $id_incoterm; $this->location_incoterms = $location; - $sql = 'SELECT libelle FROM '.MAIN_DB_PREFIX.'c_incoterms WHERE rowid = '.(int) $this->fk_incoterms; + $sql = 'SELECT libelle as label_incotermsFROM '.MAIN_DB_PREFIX.'c_incoterms WHERE rowid = '.(int) $this->fk_incoterms; $res = $this->db->query($sql); if ($res) { $obj = $this->db->fetch_object($res); - $this->label_incoterms = $obj->libelle; + $this->label_incoterms = $obj->label_incoterms; } return 1; } else { diff --git a/htdocs/core/class/commoninvoice.class.php b/htdocs/core/class/commoninvoice.class.php index 3dabb8279e9..98890744701 100644 --- a/htdocs/core/class/commoninvoice.class.php +++ b/htdocs/core/class/commoninvoice.class.php 
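Review bot: The rewritten query in commonincoterm.class.php @@ -122 is missing the space before the keyword: `'SELECT libelle as label_incotermsFROM '` yields `SELECT libelle as label_incotermsFROM <prefix>c_incoterms ...`, which the database rejects, so `$res` is false, `$this->label_incoterms` is never assigned and the method still returns 1. The line should read `$sql = 'SELECT libelle as label_incoterms FROM '.MAIN_DB_PREFIX.'c_incoterms WHERE rowid = '.(int) $this->fk_incoterms;`. The `if ($res)` branch also swallows the failure silently; a `dol_syslog($this->db->lasterror(), LOG_ERR);` in an `else` would have surfaced this during testing. The enclosing method starts and ends outside the hunk.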
@@ -462,7 +462,7 @@ abstract class CommonInvoice extends CommonObject $type = 'customer_invoice'; if ($this->element == 'invoice_supplier') $type = 'supplier_invoice'; - $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$type."' AND ab.fk_doc = ".$this->id; + $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$this->db->escape($type)."' AND ab.fk_doc = ".$this->id; $resql = $this->db->query($sql); if ($resql) { @@ -544,7 +544,7 @@ abstract class CommonInvoice extends CommonObject $labelStatus = $langs->trans('BillStatusClosedPaidPartially'); $labelStatusShort = $langs->trans('Bill'.$prefix.'StatusClosedPaidPartially'); $statusType = 'status9'; - } elseif ($alreadypaid <= 0) { + } elseif ($alreadypaid == 0) { $labelStatus = $langs->trans('BillStatusNotPaid'); $labelStatusShort = $langs->trans('Bill'.$prefix.'StatusNotPaid'); $statusType = 'status1'; diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php index ef519f388a7..38596f2a265 100644 --- a/htdocs/core/class/commonobject.class.php +++ b/htdocs/core/class/commonobject.class.php @@ -1028,8 +1028,8 @@ abstract class CommonObject // Insert into database $sql = "UPDATE ".MAIN_DB_PREFIX."element_contact set"; $sql .= " statut = ".$statut; - if ($type_contact_id) $sql .= ", fk_c_type_contact = '".$type_contact_id."'"; - if ($fk_socpeople) $sql .= ", fk_socpeople = '".$fk_socpeople."'"; + if ($type_contact_id) $sql .= ", fk_c_type_contact = ".((int) $type_contact_id); + if ($fk_socpeople) $sql .= ", fk_socpeople = ".((int) $fk_socpeople); $sql .= " where rowid = ".$rowid; $resql = $this->db->query($sql); if ($resql) 
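Review bot: The change from `$alreadypaid <= 0` to `$alreadypaid == 0` in commoninvoice.class.php @@ -544 alters two cases that the hunk does not describe: a negative `$alreadypaid` now falls through to the branch that follows (outside the hunk), and with loose `==` an empty-string value matches `0` on PHP 7 but not on PHP 8. If the intent is "nothing paid yet", an explicit numeric test such as `} elseif ((float) $alreadypaid == 0) {` states that and behaves the same on both versions; if negative amounts are meant to be handled elsewhere, a short comment saying so would help. The enclosing method starts and ends outside the hunk.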
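Review bot: The commonobject.class.php @@ -1028 hunk casts `$type_contact_id` and `$fk_socpeople` but leaves `$statut` and `$rowid` concatenated raw in the same UPDATE statement, one line above and one line below the changed lines. Treating all four the same keeps the statement uniformly numeric: `$sql .= " statut = ".((int) $statut);` and `$sql .= " where rowid = ".((int) $rowid);`. The enclosing method starts and ends outside the hunk.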
@@ -1389,9 +1389,9 @@ abstract class CommonObject if ($source == 'internal') $sql .= " AND c.entity IN (".getEntity('user').")"; if ($source == 'external') $sql .= " AND c.entity IN (".getEntity('societe').")"; $sql .= " AND ec.fk_c_type_contact = tc.rowid"; - $sql .= " AND tc.element = '".$element."'"; - $sql .= " AND tc.source = '".$source."'"; - if ($code) $sql .= " AND tc.code = '".$code."'"; + $sql .= " AND tc.element = '".$this->db->escape($element)."'"; + $sql .= " AND tc.source = '".$this->db->escape($source)."'"; + if ($code) $sql .= " AND tc.code = '".$this->db->escape($code)."'"; $sql .= " AND tc.active = 1"; if ($status) $sql .= " AND ec.statut = ".$status; @@ -3243,16 +3243,16 @@ abstract class CommonObject { if ($justsource) { - $sql .= "fk_source = ".$sourceid." AND sourcetype = '".$sourcetype."'"; - if ($withtargettype) $sql .= " AND targettype = '".$targettype."'"; + $sql .= "fk_source = ".$sourceid." AND sourcetype = '".$this->db->escape($sourcetype)."'"; + if ($withtargettype) $sql .= " AND targettype = '".$this->db->escape($targettype)."'"; } elseif ($justtarget) { - $sql .= "fk_target = ".$targetid." AND targettype = '".$targettype."'"; - if ($withsourcetype) $sql .= " AND sourcetype = '".$sourcetype."'"; + $sql .= "fk_target = ".$targetid." AND targettype = '".$this->db->escape($targettype)."'"; + if ($withsourcetype) $sql .= " AND sourcetype = '".$this->db->escape($sourcetype)."'"; } } else { - $sql .= "(fk_source = ".$sourceid." AND sourcetype = '".$sourcetype."')"; - $sql .= " ".$clause." (fk_target = ".$targetid." AND targettype = '".$targettype."')"; + $sql .= "(fk_source = ".$sourceid." AND sourcetype = '".$this->db->escape($sourcetype)."')"; + $sql .= " ".$clause." (fk_target = ".$targetid." AND targettype = '".$this->db->escape($targettype)."')"; } $sql .= ' ORDER BY '.$orderby; 
@@ -4841,7 +4841,7 @@ abstract class CommonObject // Request to get translation values for object $sql = "SELECT rowid, property, lang , value"; $sql .= " FROM ".MAIN_DB_PREFIX."object_lang"; - $sql .= " WHERE type_object = '".$element."'"; + $sql .= " WHERE type_object = '".$this->db->escape($element)."'"; $sql .= " AND fk_object = ".$this->id; //dol_syslog(get_class($this)."::fetch_optionals get extrafields data for ".$this->table_element, LOG_DEBUG); // Too verbose @@ -5741,11 +5741,9 @@ abstract class CommonObject } // Set value of $morecss. For this, we use in priority showsize from parameters, then $val['css'] then autodefine - if (empty($morecss) && !empty($val['css'])) - { + if (empty($morecss) && !empty($val['css'])) { $morecss = $val['css']; - } elseif (empty($morecss)) - { + } elseif (empty($morecss)) { if ($type == 'date') { $morecss = 'minwidth100imp'; @@ -5792,16 +5790,16 @@ abstract class CommonObject { $tmp = explode(',', $size); $newsize = $tmp[0]; - $out = ''; + $out = ''; } elseif (in_array($type, array('real'))) { - $out = ''; + $out = ''; } elseif (preg_match('/varchar/', $type)) { - $out = ''; + $out = ''; } elseif (in_array($type, array('mail', 'phone', 'url'))) { - $out = ''; + $out = ''; } elseif ($type == 'text') { if (!preg_match('/search_/', $keyprefix)) // If keyprefix is search_ or search_options_, we must just use a simple text field @@ -8295,7 +8293,7 @@ abstract class CommonObject $sql = "INSERT INTO ".MAIN_DB_PREFIX."categorie_".(empty($categorystatic->MAP_CAT_TABLE[$type]) ? $type : $categorystatic->MAP_CAT_TABLE[$type])." (fk_categorie, fk_product)"; $sql .= " SELECT fk_categorie, $toId FROM ".MAIN_DB_PREFIX."categorie_".(empty($categorystatic->MAP_CAT_TABLE[$type]) ? $type : $categorystatic->MAP_CAT_TABLE[$type]); - $sql .= " WHERE fk_product = '".$fromId."'"; + $sql .= " WHERE fk_product = ".((int) $fromId); if (!$this->db->query($sql)) { 
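Review bot: The commonobject.class.php @@ -8295 hunk casts `$fromId` in the WHERE clause, but the line above still interpolates `$toId` raw inside the double-quoted string (`" SELECT fk_categorie, $toId FROM "...`), so the INSERT ... SELECT has one sanitised operand and one not. Apply the same treatment: `$sql .= " SELECT fk_categorie, ".((int) $toId)." FROM ".MAIN_DB_PREFIX."categorie_".(empty($categorystatic->MAP_CAT_TABLE[$type]) ? $type : $categorystatic->MAP_CAT_TABLE[$type]);`. Note that `$type` also becomes part of the table name on both lines; whether it is restricted to the known keys of `MAP_CAT_TABLE` before reaching here is not visible from the hunk. The enclosing method starts and ends outside the hunk.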
@@ -8341,7 +8339,7 @@ abstract class CommonObject $sql = "DELETE FROM ".MAIN_DB_PREFIX."ecm_files"; $sql.= " WHERE filename LIKE '".$this->db->escape($this->ref)."%'"; - $sql.= " AND filepath = '".$element."/".$this->db->escape($this->ref)."' AND entity = ".$conf->entity; + $sql.= " AND filepath = '".$this->db->escape($element)."/".$this->db->escape($this->ref)."' AND entity = ".$conf->entity; if (!$this->db->query($sql)) { $this->error = $this->db->lasterror(); diff --git a/htdocs/core/class/commonstickergenerator.class.php b/htdocs/core/class/commonstickergenerator.class.php index 6c832c4788d..c3d6e7de299 100644 --- a/htdocs/core/class/commonstickergenerator.class.php +++ b/htdocs/core/class/commonstickergenerator.class.php @@ -127,7 +127,7 @@ abstract class CommonStickerGenerator /** * Output a sticker on page at position _COUNTX, _COUNTY (_COUNTX and _COUNTY start from 0) * - * @param PDF $pdf PDF reference + * @param TCPDF $pdf PDF reference * @param Translate $outputlangs Output langs * @param array $param Associative array containing label content and optional parameters * @return void @@ -139,7 +139,7 @@ abstract class CommonStickerGenerator * Methode qui permet de modifier la taille des caracteres * Cela modiera aussi l'espace entre chaque ligne * - * @param PDF $pdf PDF reference + * @param TCPDF $pdf PDF reference * @param int $pt point * @return void */ @@ -158,7 +158,7 @@ abstract class CommonStickerGenerator /** * protected Print dot line * - * @param PDF $pdf PDF reference + * @param TCPDF $pdf PDF reference * @param int $x1 X1 * @param int $y1 Y1 * @param int $x2 X2 @@ -201,7 +201,7 @@ abstract class CommonStickerGenerator /** * protected Function realisant une croix aux 4 coins des cartes * - * @param PDF $pdf PDF reference + * @param TCPDF $pdf PDF reference * @param int $x1 X1 * @param int $y1 Y1 * @param int $x2 X2 
@@ -280,7 +280,7 @@ abstract class CommonStickerGenerator /** * protected Set format * - * @param PDF $pdf PDF reference + * @param TCPDF $pdf PDF reference * @param string $format Format * @return void */ diff --git a/htdocs/core/class/extrafields.class.php b/htdocs/core/class/extrafields.class.php index ddf811cfc77..678560b622e 100644 --- a/htdocs/core/class/extrafields.class.php +++ b/htdocs/core/class/extrafields.class.php @@ -426,7 +426,7 @@ class ExtraFields $sql .= " help,"; $sql .= " totalizable"; $sql .= " )"; - $sql .= " VALUES('".$attrname."',"; + $sql .= " VALUES('".$this->db->escape($attrname)."',"; $sql .= " '".$this->db->escape($label)."',"; $sql .= " '".$this->db->escape($type)."',"; $sql .= " ".$pos.","; @@ -494,8 +494,8 @@ class ExtraFields { $sql = "SELECT COUNT(rowid) as nb"; $sql .= " FROM ".MAIN_DB_PREFIX."extrafields"; - $sql .= " WHERE elementtype = '".$elementtype."'"; - $sql .= " AND name = '".$attrname."'"; + $sql .= " WHERE elementtype = '".$this->db->escape($elementtype)."'"; + $sql .= " AND name = '".$this->db->escape($attrname)."'"; //$sql.= " AND entity IN (0,".$conf->entity.")"; Do not test on entity here. We want to see if there is still on field remaning in other entities before deleting field in table $resql = $this->db->query($sql); if ($resql) @@ -539,9 +539,9 @@ class ExtraFields if (isset($attrname) && $attrname != '' && preg_match("/^\w[a-zA-Z0-9-_]*$/", $attrname)) { $sql = "DELETE FROM ".MAIN_DB_PREFIX."extrafields"; - $sql .= " WHERE name = '".$attrname."'"; + $sql .= " WHERE name = '".$this->db->escape($attrname)."'"; $sql .= " AND entity IN (0,".$conf->entity.')'; - $sql .= " AND elementtype = '".$elementtype."'"; + $sql .= " AND elementtype = '".$this->db->escape($elementtype)."'"; dol_syslog(get_class($this)."::delete_label", LOG_DEBUG); $resql = $this->db->query($sql); 
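Review bot: In the 426 hunk of extrafields.class.php `$pos` is still appended raw two lines below the newly escaped `$attrname`, `$sql .= " ".$pos.",";`; since it feeds a numeric column it should be cast, `$sql .= " ".((int) $pos).",";`. The same applies to `$entity` in the 724 and 761 hunks, where `($entity === '' ? $conf->entity : $entity)` goes into `entity IN (...)` and the `VALUES (...)` list without a cast; `((int) $entity)` in the non-empty branch closes that. The enclosing methods start and end outside the hunks.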
@@ -724,15 +724,15 @@ class ExtraFields { // We dont want on all entities, we delete all and current $sql_del = "DELETE FROM ".MAIN_DB_PREFIX."extrafields"; - $sql_del .= " WHERE name = '".$attrname."'"; + $sql_del .= " WHERE name = '".$this->db->escape($attrname)."'"; $sql_del .= " AND entity IN (0, ".($entity === '' ? $conf->entity : $entity).")"; - $sql_del .= " AND elementtype = '".$elementtype."'"; + $sql_del .= " AND elementtype = '".$this->db->escape($elementtype)."'"; } else { // We want on all entities ($entities = '0'), we delete on all only (we keep setup specific to each entity) $sql_del = "DELETE FROM ".MAIN_DB_PREFIX."extrafields"; - $sql_del .= " WHERE name = '".$attrname."'"; + $sql_del .= " WHERE name = '".$this->db->escape($attrname)."'"; $sql_del .= " AND entity = 0"; - $sql_del .= " AND elementtype = '".$elementtype."'"; + $sql_del .= " AND elementtype = '".$this->db->escape($elementtype)."'"; } $resql1 = $this->db->query($sql_del); @@ -761,7 +761,7 @@ class ExtraFields $sql .= " enabled,"; $sql .= " help"; $sql .= ") VALUES ("; - $sql .= "'".$attrname."',"; + $sql .= "'".$this->db->escape($attrname)."',"; $sql .= " ".($entity === '' ? $conf->entity : $entity).","; $sql .= " '".$this->db->escape($label)."',"; $sql .= " '".$this->db->escape($type)."',"; @@ -829,7 +829,7 @@ class ExtraFields $sql = "SELECT rowid,name,label,type,size,elementtype,fieldunique,fieldrequired,param,pos,alwayseditable,perms,langs,list,printable,totalizable,fielddefault,fieldcomputed,entity,enabled,help"; $sql .= " FROM ".MAIN_DB_PREFIX."extrafields"; //$sql.= " WHERE entity IN (0,".$conf->entity.")"; // Filter is done later - if ($elementtype) $sql .= " WHERE elementtype = '".$elementtype."'"; // Filed with object->table_element + if ($elementtype) $sql .= " WHERE elementtype = '".$this->db->escape($elementtype)."'"; // Filed with object->table_element $sql .= " ORDER BY pos"; $resql = $this->db->query($sql); 
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index 7c5d350d21e..5acb5d7de85 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -2108,9 +2108,9 @@ class Form $selectFields = " p.rowid, p.ref, p.label, p.description, p.barcode, p.fk_country, p.fk_product_type, p.price, p.price_ttc, p.price_base_type, p.tva_tx, p.duration, p.fk_price_expression"; if (count($warehouseStatusArray)) { - $selectFieldsGrouped = ", sum(".$db->ifsql("e.statut IS NULL", "0", "ps.reel").") as stock"; // e.statut is null if there is no record in stock + $selectFieldsGrouped = ", sum(".$this->db->ifsql("e.statut IS NULL", "0", "ps.reel").") as stock"; // e.statut is null if there is no record in stock } else { - $selectFieldsGrouped = ", ".$db->ifsql("p.stock IS NULL", 0, "p.stock")." AS stock"; + $selectFieldsGrouped = ", ".$this->db->ifsql("p.stock IS NULL", 0, "p.stock")." AS stock"; } $sql = "SELECT "; @@ -2163,7 +2163,7 @@ class Form { $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps on ps.fk_product = p.rowid"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."entrepot as e on ps.fk_entrepot = e.rowid AND e.entity IN (".getEntity('stock').")"; - $sql .= ' AND e.statut IN ('.$this->db->escape(implode(',', $warehouseStatusArray)).')'; // Return line if product is inside the selected stock. If not, an empty line will be returned so we will count 0. + $sql .= ' AND e.statut IN ('.$this->db->sanitize($this->db->escape(implode(',', $warehouseStatusArray))).')'; // Return line if product is inside the selected stock. If not, an empty line will be returned so we will count 0. } // include search in supplier ref 
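Review bot: Wrapping `escape()` in `sanitize()` in the 2163 hunk is an indirect way to build an integer IN list: the semantics of `sanitize()` are not visible here, and quote-style escaping does nothing in an unquoted numeric context. Casting each element is the explicit guarantee, `$sql .= ' AND e.statut IN ('.implode(',', array_map('intval', $warehouseStatusArray)).')';`, and it also documents that the array is expected to hold status integers. The enclosing method starts and ends outside this hunk.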
@@ -2183,7 +2183,7 @@ class Form // Multilang : we add translation if (!empty($conf->global->MAIN_MULTILANGS)) { - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lang as pl ON pl.fk_product = p.rowid AND pl.lang='".$langs->getDefaultLang()."'"; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lang as pl ON pl.fk_product = p.rowid AND pl.lang='".$this->db->escape($langs->getDefaultLang())."'"; } if (!empty($conf->global->PRODUIT_ATTRIBUTES_HIDECHILD)) { 
@@ -2226,19 +2226,19 @@ class Form foreach ($scrit as $crit) { if ($i > 0) $sql .= " AND "; - $sql .= "(p.ref LIKE '".$db->escape($prefix.$crit)."%' OR p.label LIKE '".$db->escape($prefix.$crit)."%'"; - if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " OR pl.label LIKE '".$db->escape($prefix.$crit)."%'"; + $sql .= "(p.ref LIKE '".$this->db->escape($prefix.$crit)."%' OR p.label LIKE '".$this->db->escape($prefix.$crit)."%'"; + if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " OR pl.label LIKE '".$this->db->escape($prefix.$crit)."%'"; if (!empty($conf->global->PRODUCT_AJAX_SEARCH_ON_DESCRIPTION)) { - $sql .= " OR p.description LIKE '".$db->escape($prefix.$crit)."%'"; - if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " OR pl.description LIKE '".$db->escape($prefix.$crit)."%'"; + $sql .= " OR p.description LIKE '".$this->db->escape($prefix.$crit)."%'"; + if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " OR pl.description LIKE '".$this->db->escape($prefix.$crit)."%'"; } - if (!empty($conf->global->MAIN_SEARCH_PRODUCT_BY_FOURN_REF)) $sql .= " OR pfp.ref_fourn LIKE '".$db->escape($prefix.$crit)."%'"; + if (!empty($conf->global->MAIN_SEARCH_PRODUCT_BY_FOURN_REF)) $sql .= " OR pfp.ref_fourn LIKE '".$this->db->escape($prefix.$crit)."%'"; $sql .= ")"; $i++; } if (count($scrit) > 1) $sql .= ")"; - if (!empty($conf->barcode->enabled)) $sql .= " OR p.barcode LIKE '".$db->escape($prefix.$filterkey)."%'"; + if (!empty($conf->barcode->enabled)) $sql .= " OR p.barcode LIKE '".$this->db->escape($prefix.$filterkey)."%'"; $sql .= ')'; } if (count($warehouseStatusArray)) @@ -2253,10 +2253,10 @@ class Form //ASC OR DESC order ($conf->global->PRODUCT_SORT_BY_CATEGORY == 1) ? $sql .= "ASC" : $sql .= "DESC"; } else { - $sql .= $db->order("p.ref"); + $sql .= $this->db->order("p.ref"); } - $sql .= $db->plimit($limit, 0); + $sql .= $this->db->plimit($limit, 0); // Build output string dol_syslog(get_class($this)."::select_produits_list search product", LOG_DEBUG); 
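Review bot: `$this->db->escape($prefix.$crit)` in the 2226 hunk handles quotes but not the LIKE metacharacters, so a `%` or `_` typed in the search box still acts as a wildcard in every `LIKE '...%'` clause, including the barcode clause built from `$filterkey`. If a literal match is intended, escape `%` and `_` in `$crit` before the concatenation; if wildcards are accepted on purpose, a one-line comment saying so would stop the next reader from "fixing" it. The enclosing method starts and ends outside this hunk.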
@@ -2503,9 +2503,9 @@ class Form { $sql = "SELECT price, price_ttc, price_base_type, tva_tx"; $sql .= " FROM ".MAIN_DB_PREFIX."product_price"; - $sql .= " WHERE fk_product='".$objp->rowid."'"; + $sql .= " WHERE fk_product = ".((int) $objp->rowid); $sql .= " AND entity IN (".getEntity('productprice').")"; - $sql .= " AND price_level=".$price_level; + $sql .= " AND price_level = ".((int) $price_level); $sql .= " ORDER BY date_price DESC, rowid DESC"; // Warning DESC must be both on date_price and rowid. $sql .= " LIMIT 1"; @@ -2770,7 +2770,7 @@ class Form $sql .= ')'; } $sql .= " ORDER BY pfp.ref_fourn DESC, pfp.quantity ASC"; - $sql .= $db->plimit($limit, 0); + $sql .= $this->db->plimit($limit, 0); // Build output string @@ -4913,10 +4913,10 @@ class Form $sql = 'SELECT code FROM '.MAIN_DB_PREFIX.'multicurrency'; $sql .= " WHERE entity IN ('".getEntity('mutlicurrency')."')"; - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - while ($obj = $db->fetch_object($resql)) $TCurrency[$obj->code] = $obj->code; + while ($obj = $this->db->fetch_object($resql)) $TCurrency[$obj->code] = $obj->code; } $out = ''; 
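Review bot: The 4913 hunk keeps `$sql .= " WHERE entity IN ('".getEntity('mutlicurrency')."')";` on the new side, which wraps the comma-separated list returned by getEntity() in a single pair of quotes, so `entity` is compared against one string such as `'1,2'` rather than a list; the key also looks misspelled (`mutlicurrency`). `$sql .= " WHERE entity IN (".getEntity('multicurrency').")";` is the form the other getEntity() calls in this diff use, assuming the registered key is `multicurrency`. The enclosing method starts and ends outside the hunk.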
@@ -5280,10 +5280,11 @@ class Form * @param string $openinghours Specify hour start and hour end for the select ex 8,20 * @param int $stepminutes Specify step for minutes between 1 and 30 * @param string $labeladddateof Label to use for the $adddateof parameter. + * @param string $placeholder Placeholder * @return string Html for selectDate * @see form_date(), select_month(), select_year(), select_dayofweek() */ - public function selectDate($set_time = '', $prefix = 're', $h = 0, $m = 0, $empty = 0, $form_name = "", $d = 1, $addnowlink = 0, $disabled = 0, $fullday = '', $addplusone = '', $adddateof = '', $openinghours = '', $stepminutes = 1, $labeladddateof = '') + public function selectDate($set_time = '', $prefix = 're', $h = 0, $m = 0, $empty = 0, $form_name = "", $d = 1, $addnowlink = 0, $disabled = 0, $fullday = '', $addplusone = '', $adddateof = '', $openinghours = '', $stepminutes = 1, $labeladddateof = '', $placeholder = '') { global $conf, $langs; @@ -5420,6 +5421,7 @@ class Form $retstring .= '
'; $retstring .= 'trans("FormatDateShortJavaInput").'\'); "'; // FormatDateShortInput for dol_print_date / FormatDateShortJavaInput that is same for javascript $retstring .= '>'; @@ -5782,6 +5784,7 @@ class Form /** * Generic method to select a component from a combo list. + * Can use autocomplete with ajax after x key pressed or a full combo, depending on setup. * This is the generic method that will replace all specific existing methods. * * @param string $objectdesc ObjectClass:PathToClass[:AddCreateButtonOrNot[:Filter]] @@ -6460,11 +6463,12 @@ class Form templateSelection: formatSelection /* For 4.0 */ }); });'."\n"; - } elseif ($addjscombo == 2) + } elseif ($addjscombo == 2 && ! defined('DISABLE_MULTISELECT')) { // Add other js lib // TODO external lib multiselect/jquery.multi-select.js must have been loaded to use this multiselect plugin // ... + $out .= 'console.log(\'addjscombo=2 for htmlname='.$htmlname.'\');'; $out .= '$(document).ready(function () { $(\'#'.$htmlname.'\').multiSelect({ containerHTML: \'
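Review bot: The new `$placeholder` parameter introduced in the 5280 hunk is written out somewhere in the 5420 hunk, but the line that emits it into the input markup is garbled in this view, so whether it is escaped cannot be checked; if it is concatenated into an attribute it should go through `dol_escape_htmltag($placeholder)` like the other user-visible values in this diff. The docblock addition `@param string $placeholder Placeholder` only restates the name; a sentence such as "Text shown in the empty date input" would tell callers what it does. selectDate continues outside both hunks.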
\', @@ -7015,7 +7019,7 @@ class Form // phpcs:enable $sql = "SELECT rowid, label"; $sql .= " FROM ".MAIN_DB_PREFIX."export_model"; - $sql .= " WHERE type = '".$type."'"; + $sql .= " WHERE type = '".$this->db->escape($type)."'"; $sql .= " ORDER BY rowid"; $result = $this->db->query($sql); if ($result) @@ -7157,7 +7161,7 @@ class Form } //if ($conf->browser->layout == 'phone') $ret.='
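Review bot: The 6460 hunk adds a debug statement, `$out .= 'console.log(\'addjscombo=2 for htmlname='.$htmlname.'\');';`, that ships to every page rendering this combo and interpolates `$htmlname` into a JS string literal without escaping, so a quote in the name breaks the script; the pre-existing `$(\'#'.$htmlname.'\')` selector has the same exposure. Drop the console.log before merging or, if it is meant to stay, build it with `json_encode($htmlname)` instead of raw concatenation. The enclosing method starts and ends outside the hunk.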
'; - $ret .= '
'; + $ret .= '
'; // For thirdparty, contact, user, member, the ref is the id, so we show something else if ($object->element == 'societe') @@ -7459,10 +7463,10 @@ class Form if (!empty($conf->multicompany->enabled) && $conf->entity == 1 && $user->admin && !$user->entity) { $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."entity as e ON e.rowid=ug.entity"; - if ($force_entity) $sql .= " WHERE ug.entity IN (0,".$force_entity.")"; + if ($force_entity) $sql .= " WHERE ug.entity IN (0, ".$force_entity.")"; else $sql .= " WHERE ug.entity IS NOT NULL"; } else { - $sql .= " WHERE ug.entity IN (0,".$conf->entity.")"; + $sql .= " WHERE ug.entity IN (0, ".$conf->entity.")"; } if (is_array($exclude) && $excludeGroups) $sql .= " AND ug.rowid NOT IN ('".$excludeGroups."')"; if (is_array($include) && $includeGroups) $sql .= " AND ug.rowid IN ('".$includeGroups."')"; diff --git a/htdocs/core/class/html.formaccounting.class.php b/htdocs/core/class/html.formaccounting.class.php index 991a8f87006..f48e9b8eb74 100644 --- a/htdocs/core/class/html.formaccounting.class.php +++ b/htdocs/core/class/html.formaccounting.class.php 
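Review bot: In the 7459 hunk `$force_entity` is concatenated uncast into `ug.entity IN (0, ".$force_entity.")`, and the two lines after the change still wrap list values in quotes, `" AND ug.rowid NOT IN ('".$excludeGroups."')"`, which compares rowid against one string rather than a list and applies no escaping either. `((int) $force_entity)` fixes the first; for the lists, presumably imploded from `$exclude`/`$include`, building them with `array_map('intval', ...)` and dropping the quotes gives a real IN list. The enclosing method starts and ends outside the hunk.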
@@ -174,15 +174,15 @@ class FormAccounting extends Form $sql .= " WHERE c.active = 1"; $sql .= " AND c.category_type = 0"; $sql .= " AND c.fk_country = co.rowid"; - if (empty($allcountries)) $sql .= " AND co.code = '".$mysoc->country_code."'"; + if (empty($allcountries)) $sql .= " AND co.code = '".$this->db->escape($mysoc->country_code)."'"; $sql .= " ORDER BY c.label ASC"; } dol_syslog(get_class($this).'::'.__METHOD__, LOG_DEBUG); - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - $num = $db->num_rows($resql); + $num = $this->db->num_rows($resql); if ($num) { $out = ''; if ($showempty) print ''; - $num = $db->num_rows($resql); + $num = $this->db->num_rows($resql); $i = 0; if ($num) { while ($i < $num) { - $obj = $db->fetch_object($resql); + $obj = $this->db->fetch_object($resql); // If we ask to filter on a company and user has no permission to see all companies and project is linked to another company, we hide project. if ($socid > 0 && (empty($obj->fk_soc) || $obj->fk_soc == $socid) && !$user->rights->societe->lire) { @@ -150,7 +150,7 @@ class FormContract } } print ''; - $db->free($resql); + $this->db->free($resql); if (!empty($conf->use_javascript_ajax)) { @@ -161,7 +161,7 @@ class FormContract return $num; } else { - dol_print_error($db); + dol_print_error($this->db); return -1; } } diff --git a/htdocs/core/class/html.formexpensereport.class.php b/htdocs/core/class/html.formexpensereport.class.php new file mode 100644 index 00000000000..e8079b77ed6 --- /dev/null +++ b/htdocs/core/class/html.formexpensereport.class.php 
@@ -0,0 +1,136 @@ + + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * or see https://www.gnu.org/ + */ + +/** + * \file htdocs/core/class/html.formexpensereport.class.php + * \ingroup core + * \brief File of class with all html predefined components + */ + +/** + * Class to manage generation of HTML components for contract module + */ +class FormExpenseReport +{ + /** + * @var DoliDB Database handler. + */ + public $db; + + /** + * @var string Error code (or message) + */ + public $error = ''; + + + /** + * Constructor + * + * @param DoliDB $db Database handler + */ + public function __construct($db) + { + $this->db = $db; + } + + + /** + * Retourne la liste deroulante des differents etats d'une note de frais. 
+ * Les valeurs de la liste sont les id de la table c_expensereport_statuts + * + * @param int $selected preselect status + * @param string $htmlname Name of HTML select + * @param int $useempty 1=Add empty line + * @param int $useshortlabel Use short labels + * @return string HTML select with status + */ + public function selectExpensereportStatus($selected = '', $htmlname = 'fk_statut', $useempty = 1, $useshortlabel = 0) + { + global $langs; + + $tmpep = new ExpenseReport($this->db); + + print ''; + } + + /** + * Return list of types of notes with select value = id + * + * @param int $selected Preselected type + * @param string $htmlname Name of field in form + * @param int $showempty Add an empty field + * @param int $active 1=Active only, 0=Unactive only, -1=All + * @return string Select html + */ + public function selectTypeExpenseReport($selected = '', $htmlname = 'type', $showempty = 0, $active = 1) + { + // phpcs:enable + global $langs, $user; + $langs->load("trips"); + + $out = ''; + + $out .= ''; + $out .= ajax_combobox($htmlname); + + return $out; + } +} diff --git a/htdocs/core/class/html.formfile.class.php b/htdocs/core/class/html.formfile.class.php index 360248a741e..2e06837563e 100644 --- a/htdocs/core/class/html.formfile.class.php +++ b/htdocs/core/class/html.formfile.class.php @@ -118,7 +118,7 @@ class FormFile $out .= ''; $out .= ''; $out .= ''; - $out .= ''; + $out .= ''; $out .= ''; } @@ -1252,7 +1252,7 @@ class FormFile } else { print ''; } - print ''; + print ''; print ''; } else print ' '; print '
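Review bot: `selectExpensereportStatus()` in the new html.formexpensereport.class.php is documented with `@return string HTML select with status` but prints its output and returns nothing, unlike `selectTypeExpenseReport()` in the same class which accumulates `$out` and returns it; either return the markup or change the docblock to `@return void`. The class docblock still reads "Class to manage generation of HTML components for contract module", which looks copied from FormContract, and the `// phpcs:enable` inside `selectTypeExpenseReport()` has no visible matching disable. The body of `selectExpensereportStatus()` is partly garbled in this view.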
'.$form->textwithpicto($langs->trans("SearchAll"), $langs->trans("SearchAllDesc")).''.$form->textwithpicto($langs->trans("IsAMeasure"), $langs->trans("IsAMeasureDesc")).''.$langs->trans("CSSClass").''.$langs->trans("CSSViewClass").''.$langs->trans("KeyForTooltip").''.$langs->trans("ShowOnCombobox").''.$langs->trans("Disabled").'
'; - print $propname; + print dol_escape_htmltag($propname); print ''; - print $proplabel; + print dol_escape_htmltag($proplabel); print ''; - print $proptype; + print ''; + print ''.dol_escape_htmltag($proptype).''; print ''; + print ''; if ($proparrayofkeyval) { - print json_encode($proparrayofkeyval); + print ''; + print dol_escape_htmltag(json_encode($proparrayofkeyval)); + print ''; } print ''; - print $propnotnull; + print dol_escape_htmltag($propnotnull); print ''; - print $propdefault; + print dol_escape_htmltag($propdefault); print ''; print $propindex ? '1' : ''; print ''; - print $propforeignkey ? $propforeignkey : ''; + print $propforeignkey ? dol_escape_htmltag($propforeignkey) : ''; print ''; - print $propposition; + print dol_escape_htmltag($propposition); print ''; - print $propenabled ? $propenabled : ''; + print $propenabled ? dol_escape_htmltag($propenabled) : ''; print ''; - print $propvisible ? $propvisible : '0'; + print $propvisible ? dol_escape_htmltag($propvisible) : '0'; print ''; - print $propnoteditable ? $propnoteditable : ''; + print $propnoteditable ? dol_escape_htmltag($propnoteditable) : ''; print ''; print $propsearchall ? '1' : ''; print ''; - print $propisameasure ? $propisameasure : ''; + print $propisameasure ? dol_escape_htmltag($propisameasure) : ''; print ''; - print $propcss ? $propcss : ''; + print $propcss ? dol_escape_htmltag($propcss) : ''; print ''; - print $prophelp ? $prophelp : ''; + print $propcssview ? dol_escape_htmltag($propcssview) : ''; + print ''; + print $prophelp ? dol_escape_htmltag($prophelp) : ''; print ''; - print $propshowoncombobox ? $propshowoncombobox : ''; + print $propshowoncombobox ? dol_escape_htmltag($propshowoncombobox) : ''; print ''; print $propdisabled?$propdisabled:''; print ''; - print $propcomment; + print ''; + print ''; + print dol_escape_htmltag($propcomment); + print ''; print ''; if ($propname != 'rowid') 
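Review bot: `print $propdisabled?$propdisabled:'';` is the one remaining value in this row printed unescaped while every sibling in the hunk was wrapped in `dol_escape_htmltag()`; it should become `print $propdisabled ? dol_escape_htmltag($propdisabled) : '';`. The `'1'`/`'0'` literals printed for `$propindex`, `$propsearchall` and `$propvisible` are fine since they never echo the value itself. The hunk header is not visible in this view, so the enclosing code cannot be placed.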
diff --git a/htdocs/modulebuilder/template/admin/setup.php b/htdocs/modulebuilder/template/admin/setup.php index 9653f05d4b3..b0ef752707c 100644 --- a/htdocs/modulebuilder/template/admin/setup.php +++ b/htdocs/modulebuilder/template/admin/setup.php @@ -374,7 +374,7 @@ foreach ($myTmpObjects as $myTmpObjectKey => $myTmpObjectArray) { $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; - $sql .= " WHERE type = '".$type."'"; + $sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/modulebuilder/template/class/api_mymodule.class.php b/htdocs/modulebuilder/template/class/api_mymodule.class.php index 67c7246b855..32113b71ef0 100644 --- a/htdocs/modulebuilder/template/class/api_mymodule.class.php +++ b/htdocs/modulebuilder/template/class/api_mymodule.class.php @@ -64,7 +64,8 @@ class MyModuleApi extends DolibarrApi * * @url GET myobjects/{id} * - * @throws RestException + * @throws RestException 401 Not allowed + * @throws RestException 404 Not found */ public function get($id) { @@ -106,7 +107,7 @@ class MyModuleApi extends DolibarrApi global $db, $conf; $obj_ret = array(); - $tmpobject = new MyObject($db); + $tmpobject = new MyObject($this->db); if (!DolibarrApiAccess::$user->rights->mymodule->myobject->read) { throw new RestException(401); 
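Review bot: After the 106 hunk switches to `$this->db`, the `global $db, $conf;` two lines above keeps importing a `$db` the method no longer uses once the 148 hunk converts the remaining calls; `global $conf;` is enough. The same leftover is in the 99 hunk of Mos::index in api_mos.class.php, where `$db` is also fully replaced by `$this->db`. The enclosing method starts and ends outside the hunk.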
@@ -148,32 +149,32 @@ class MyModuleApi extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { $page = 0; } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); $i = 0; if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); while ($i < $num) { - $obj = $db->fetch_object($result); - $tmp_object = new MyObject($db); + $obj = $this->db->fetch_object($result); + $tmp_object = new MyObject($this->db); if ($tmp_object->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($tmp_object); } $i++; } } else { - throw new RestException(503, 'Error when retrieving myobject list: '.$db->lasterror()); + throw new RestException(503, 'Error when retrieving myobject list: '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No myobject found'); diff --git a/htdocs/modulebuilder/template/class/myobject.class.php b/htdocs/modulebuilder/template/class/myobject.class.php index cdf3996c46c..399dd3b10b8 100644 --- a/htdocs/modulebuilder/template/class/myobject.class.php +++ b/htdocs/modulebuilder/template/class/myobject.class.php 
@@ -83,7 +83,7 @@ class MyObject extends CommonObject
 * 'foreignkey'=>'tablename.field' if the field is a foreign key (it is recommanded to name the field fk_...).
 * 'searchall' is 1 if we want to search in this field when making a search from the quick search button.
 * 'isameasure' must be set to 1 if you want to have a total on list for this field. Field type must be summable like integer or double(24,8).
- * 'css' is the CSS style to use on field. For example: 'maxwidth200'
+ * 'css' and 'cssview' is the CSS style to use on field. 'css' is used in creation and update. 'cssview' is used in view mode. For example: 'maxwidth200', 'wordbreak'
 * 'help' is a string visible as a tooltip on field
 * 'showoncombobox' if value of the field must be visible into the label of the combobox that list record
 * 'disabled' is 1 if we want to have the field locked by a 'disabled' attribute. In most cases, this is never set into the definition of $fields into class, but is set dynamically by some part of code.
@@ -102,7 +102,7 @@ class MyObject extends CommonObject 'rowid' => array('type'=>'integer', 'label'=>'TechnicalID', 'enabled'=>1, 'visible'=>-2, 'noteditable'=>1, 'notnull'=> 1, 'index'=>1, 'position'=>1, 'comment'=>'Id', 'css'=>'left'), 'ref' => array('type'=>'varchar(128)', 'label'=>'Ref', 'enabled'=>1, 'visible'=>1, 'noteditable'=>0, 'default'=>'', 'notnull'=> 1, 'showoncombobox'=>1, 'index'=>1, 'position'=>10, 'searchall'=>1, 'comment'=>'Reference of object'), 'entity' => array('type'=>'integer', 'label'=>'Entity', 'enabled'=>1, 'visible'=>0, 'notnull'=> 1, 'default'=>1, 'index'=>1, 'position'=>20), - 'label' => array('type'=>'varchar(255)', 'label'=>'Label', 'enabled'=>1, 'visible'=>1, 'position'=>30, 'searchall'=>1, 'css'=>'minwidth200', 'help'=>'Help text', 'showoncombobox'=>1), + 'label' => array('type'=>'varchar(255)', 'label'=>'Label', 'enabled'=>1, 'visible'=>1, 'position'=>30, 'searchall'=>1, 'css'=>'minwidth300', 'cssview'=>'wordbreak', 'help'=>'Help text', 'showoncombobox'=>1), 'amount' => array('type'=>'price', 'label'=>'Amount', 'enabled'=>1, 'visible'=>1, 'default'=>'null', 'position'=>40, 'searchall'=>0, 'isameasure'=>1, 'help'=>'Help text for amount'), 'qty' => array('type'=>'real', 'label'=>'Qty', 'enabled'=>1, 'visible'=>1, 'default'=>'0', 'position'=>45, 'searchall'=>0, 'isameasure'=>1, 'help'=>'Help text for quantity', 'css'=>'maxwidth75imp'), 'fk_soc' => array('type'=>'integer:Societe:societe/class/societe.class.php:1:status=1 AND entity IN (__SHARED_ENTITIES__)', 'label'=>'ThirdParty', 'visible'=> 1, 'enabled'=>1, 'position'=>50, 'notnull'=>-1, 'index'=>1, 'help'=>'LinkToThirparty'), 
@@ -426,7 +426,7 @@ class MyObject extends CommonObject } elseif ($key == 'customsql') { $sqlwhere[] = $value; } elseif (strpos($value, '%') === false) { - $sqlwhere[] = $key.' IN ('.$this->db->escape($value).')'; + $sqlwhere[] = $key.' IN ('.$this->db->sanitize($this->db->escape($value)).')'; } else { $sqlwhere[] = $key.' LIKE \'%'.$this->db->escape($value).'%\''; } diff --git a/htdocs/modulebuilder/template/core/modules/mymodule/doc/pdf_standard_myobject.modules.php b/htdocs/modulebuilder/template/core/modules/mymodule/doc/pdf_standard_myobject.modules.php index 0dbd92aa379..f8fc8466349 100644 --- a/htdocs/modulebuilder/template/core/modules/mymodule/doc/pdf_standard_myobject.modules.php +++ b/htdocs/modulebuilder/template/core/modules/mymodule/doc/pdf_standard_myobject.modules.php @@ -1139,7 +1139,7 @@ class pdf_standard_myobject extends ModelePDFMyObject /** * Show footer of page. Need this->emetteur object * - * @param PDF $pdf PDF + * @param TCPDF $pdf PDF * @param Object $object Object to show * @param Translate $outputlangs Object lang for output * @param int $hidefreetext 1=Hide free text diff --git a/htdocs/modulebuilder/template/mymoduleindex.php b/htdocs/modulebuilder/template/mymoduleindex.php index 2b6bd518570..3da38a7e02c 100644 --- a/htdocs/modulebuilder/template/mymoduleindex.php +++ b/htdocs/modulebuilder/template/mymoduleindex.php @@ -159,8 +159,8 @@ END MODULEBUILDER DRAFT MYOBJECT */ print '
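Review bot: The 426 hunk escapes and sanitizes `$value` for the IN clause, but `$key`, which becomes the column name in `$key.' IN ('`, is still concatenated raw, and the `customsql` branch one line above appends `$value` verbatim; nothing in the hunk shows where the filter array comes from, so callers must never feed request data into either. A check of `$key` against the keys of the class's field definition array before building the clause, plus a comment on the `customsql` branch such as `// trusted SQL fragment supplied by the caller, never request data`, would make that contract explicit. The enclosing method starts and ends outside the hunk.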
'; -$NBMAX = 3; -$max = 3; +$NBMAX = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT; +$max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT; /* BEGIN MODULEBUILDER LASTMODIFIED MYOBJECT // Last modified myobject diff --git a/htdocs/modulebuilder/template/myobject_list.php b/htdocs/modulebuilder/template/myobject_list.php index 86c0e456e14..50307c91161 100644 --- a/htdocs/modulebuilder/template/myobject_list.php +++ b/htdocs/modulebuilder/template/myobject_list.php @@ -84,7 +84,7 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters diff --git a/htdocs/modulebuilder/template/test/phpunit/MyObjectTest.php b/htdocs/modulebuilder/template/test/phpunit/MyObjectTest.php index 48e8f79a8de..169bfeb92f6 100644 --- a/htdocs/modulebuilder/template/test/phpunit/MyObjectTest.php +++ b/htdocs/modulebuilder/template/test/phpunit/MyObjectTest.php @@ -53,7 +53,7 @@ class MyObjectTest extends \PHPUnit_Framework_TestCase * Constructor * We save global variables into local variables * - * @return BOMTest + * @return MyObject */ public function __construct() { diff --git a/htdocs/mrp/class/api_mos.class.php b/htdocs/mrp/class/api_mos.class.php index 9dcb26149ef..d502e5cc99d 100644 --- a/htdocs/mrp/class/api_mos.class.php +++ b/htdocs/mrp/class/api_mos.class.php 
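Review bot: `$NBMAX = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT;` in the 159 hunk replaces the fixed 3 with a setup value but has no fallback, so an installation where the constant is not defined ends up with an empty `$NBMAX` and `$max`; whether that means no limit or no rows depends on code outside the hunk. Keeping the old value as default avoids the surprise: `$NBMAX = empty($conf->global->MAIN_SIZE_SHORTLIST_LIMIT) ? 3 : $conf->global->MAIN_SIZE_SHORTLIST_LIMIT;` and the same for `$max`.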
@@ -99,7 +99,7 @@ class Mos extends DolibarrApi global $db, $conf; $obj_ret = array(); - $tmpobject = new Mo($db); + $tmpobject = new Mo($this->db); $socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : ''; @@ -139,7 +139,7 @@ class Mos extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -147,18 +147,18 @@ class Mos extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $i = 0; while ($i < $num) { - $obj = $db->fetch_object($result); - $tmp_object = new Mo($db); + $obj = $this->db->fetch_object($result); + $tmp_object = new Mo($this->db); if ($tmp_object->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($tmp_object); } diff --git a/htdocs/mrp/mo_list.php b/htdocs/mrp/mo_list.php index 5b77e3b1b87..b9da34958d4 100644 --- a/htdocs/mrp/mo_list.php +++ b/htdocs/mrp/mo_list.php @@ -51,7 +51,7 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action 
diff --git a/htdocs/multicurrency/class/multicurrency.class.php b/htdocs/multicurrency/class/multicurrency.class.php index 3641c6abf0f..2ce3277ae89 100644 --- a/htdocs/multicurrency/class/multicurrency.class.php +++ b/htdocs/multicurrency/class/multicurrency.class.php @@ -427,11 +427,11 @@ class MultiCurrency extends CommonObject { global $db, $user; - $currency = new MultiCurrency($db); + $currency = new MultiCurrency($this->db); $currency->code = $code; $currency->name = $code; - $sql = 'SELECT label FROM '.MAIN_DB_PREFIX.'c_currencies WHERE code_iso = \''.$db->escape($code).'\''; + $sql = 'SELECT label FROM '.MAIN_DB_PREFIX."c_currencies WHERE code_iso = '".$this->db->escape($code)."'"; dol_syslog(__METHOD__, LOG_DEBUG); $resql = $db->query($sql); @@ -486,15 +486,15 @@ class MultiCurrency extends CommonObject * Get id of currency from code * * @param DoliDB $db object db - * @param string $code code value search + * @param string $code code value search * * @return int 0 if not found, >0 if OK */ - public static function getIdFromCode(&$db, $code) + public static function getIdFromCode($db, $code) { global $conf; - $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.'multicurrency WHERE code = \''.$db->escape($code).'\' AND entity = '.$conf->entity; + $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX."multicurrency WHERE code = '".$db->escape($code)."' AND entity = ".$conf->entity; dol_syslog(__METHOD__, LOG_DEBUG); $resql = $db->query($sql); @@ -512,7 +512,7 @@ class MultiCurrency extends CommonObject * @return array [0] => id currency * [1] => rate */ - public static function getIdAndTxFromCode(&$db, $code, $date_document = '') + public static function getIdAndTxFromCode($db, $code, $date_document = '') { global $conf; diff --git a/htdocs/opensurvey/list.php b/htdocs/opensurvey/list.php index e9ff7f72a84..f17a4615eef 100644 --- a/htdocs/opensurvey/list.php +++ b/htdocs/opensurvey/list.php 
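Review bot: The 427 hunk moves object construction and escaping to `$this->db`, but the query two lines below still runs on the global handler, `$resql = $db->query($sql);`, so the string is escaped by one connection and executed by another; switch it to `$resql = $this->db->query($sql);` and drop `$db` from `global $db, $user;`. Removing the `&` from the `$db` parameter of getIdFromCode() and getIdAndTxFromCode() is harmless since objects are passed by handle. The enclosing method starts and ends outside the hunk.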
@@ -47,7 +47,7 @@ $search_status = GETPOST('search_status', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/opensurvey/results.php b/htdocs/opensurvey/results.php index be252188190..3327800527d 100644 --- a/htdocs/opensurvey/results.php +++ b/htdocs/opensurvey/results.php @@ -58,7 +58,7 @@ if (GETPOST('retoursondage')) { $nbcolonnes = substr_count($object->sujet, ',') + 1; // Add vote -if (GETPOST("boutonp") || GETPOST("boutonp.x") || GETPOST("boutonp_x")) // boutonp for chrom, boutonp.x for firefox +if (GETPOST("boutonp") || GETPOST("boutonp.x") || GETPOST("boutonp_x")) // boutonp for chrome, boutonp.x for firefox { if (GETPOST('nom')) { @@ -158,7 +158,7 @@ if (GETPOST("ajoutercolonne") && GETPOST('nouvellecolonne') && $object->format = //on rajoute la valeur a la fin de tous les sujets deja entrés $nouveauxsujets .= ','; - $nouveauxsujets .= str_replace(array(",", "@"), " ", $_POST["nouvellecolonne"]).(empty($_POST["typecolonne"]) ? '' : '@'.$_POST["typecolonne"]); + $nouveauxsujets .= str_replace(array(",", "@"), " ", GETPOST("nouvellecolonne")).(empty($_POST["typecolonne"]) ? '' : '@'.GETPOST("typecolonne")); //mise a jour avec les nouveaux sujets dans la base $sql = 'UPDATE '.MAIN_DB_PREFIX."opensurvey_sondage"; 
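Review bot: The 158 hunk replaces `$_POST["nouvellecolonne"]` with `GETPOST("nouvellecolonne")` but passes no check type, whereas every other GETPOST call in this diff names one (`'int'`, `'alpha'`, `'aZ09comma'`); the value goes on to the UPDATE built just below, so `GETPOST("nouvellecolonne", 'alpha')` and `GETPOST("typecolonne", 'alpha')` would bound it here instead of relying on escaping outside the hunk. The same applies to the four `GETPOST("nouvelleheure...")`/`GETPOST("nouvelleminute...")` calls in the 186 hunk, which also still read `$_POST[...]` in the surrounding conditions while using GETPOST in the assignments. The enclosing blocks continue outside both hunks.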
@@ -186,21 +186,21 @@ if (isset($_POST["ajoutercolonne"]) && $object->format == "D") if (isset($_POST["nouvelleheuredebut"]) && $_POST["nouvelleheuredebut"] != "vide") { $nouvelledate .= "@"; - $nouvelledate .= $_POST["nouvelleheuredebut"]; + $nouvelledate .= GETPOST("nouvelleheuredebut"); $nouvelledate .= "h"; if ($_POST["nouvelleminutedebut"] != "vide") { - $nouvelledate .= $_POST["nouvelleminutedebut"]; + $nouvelledate .= GETPOST("nouvelleminutedebut"); } } if (isset($_POST["nouvelleheurefin"]) && $_POST["nouvelleheurefin"] != "vide") { $nouvelledate .= "-"; - $nouvelledate .= $_POST["nouvelleheurefin"]; + $nouvelledate .= GETPOST("nouvelleheurefin"); $nouvelledate .= "h"; if ($_POST["nouvelleminutefin"] != "vide") { - $nouvelledate .= $_POST["nouvelleminutefin"]; + $nouvelledate .= GETPOST("nouvelleminutefin"); } } @@ -451,7 +451,10 @@ print '
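Review bot: The four new `GETPOST("nouvelleheuredebut")` / `GETPOST("nouvelleminutedebut")` / `...fin` calls pass no check type even though, once past the `!= "vide"` sentinel on the surrounding `if`, the value is appended as an hour or minute number into `$nouvelledate`; use `GETPOST("nouvelleheuredebut", 'int')` (and likewise for the other three) so a non-numeric value cannot be spliced into the date string. The guarding `isset($_POST[...])` / `$_POST[...] != "vide"` comparisons still read the raw superglobal, which is harmless for a comparison but could be `GETPOSTISSET`/`GETPOST` for consistency with the lines the hunk rewrites. What `$nouvelledate` is later used for lies outside the hunk.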
'.$langs->trans('ExpireDate').''; if ($action == 'edit') print $form->selectDate($expiredate ? $expiredate : $object->date_fin, 'expire', 0, 0, 0, '', 1, 0); -else print dol_print_date($object->date_fin, 'day'); +else { + print dol_print_date($object->date_fin, 'day'); + if ($object->date_fin && $object->date_fin < dol_now() && $object->status == Opensurveysondage::STATUS_VALIDATED) print img_warning($langs->trans("Expired")); +} print '
'; $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/product/admin/product_tools.php b/htdocs/product/admin/product_tools.php index e01111712ad..592dd89baaa 100644 --- a/htdocs/product/admin/product_tools.php +++ b/htdocs/product/admin/product_tools.php @@ -90,7 +90,7 @@ if ($action == 'convert') $sql .= ' FROM '.MAIN_DB_PREFIX.'product'; $sql .= ' WHERE entity IN ('.getEntity('product').')'; $sql .= " AND tva_tx = '".$db->escape($oldvatrateclean)."'"; - if ($vat_src_code_old) $sql .= " AND default_vat_code = '".$vat_src_code_old."'"; + if ($vat_src_code_old) $sql .= " AND default_vat_code = '".$db->escape($vat_src_code_old)."'"; else " AND default_vat_code = IS NULL"; $resql = $db->query($sql); @@ -182,9 +182,9 @@ if ($action == 'convert') $sql .= ' FROM '.MAIN_DB_PREFIX.'product_fournisseur_price as pfp, '.MAIN_DB_PREFIX.'societe as s'; $sql .= ' WHERE pfp.fk_soc = s.rowid AND pfp.entity IN ('.getEntity('product').')'; $sql .= " AND tva_tx = '".$db->escape($oldvatrate)."'"; - if ($vat_src_code_old) $sql .= " AND default_vat_code = '".$vat_src_code_old."'"; + if ($vat_src_code_old) $sql .= " AND default_vat_code = '".$db->escape($vat_src_code_old)."'"; else " AND default_vat_code = IS NULL"; - $sql .= " AND s.fk_pays = '".$country_id."'"; + $sql .= " AND s.fk_pays = ".((int) $country_id); //print $sql; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/product/card.php b/htdocs/product/card.php index c4b46113d7f..f86b94f314e 100644 --- a/htdocs/product/card.php +++ b/htdocs/product/card.php 
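Review bot: In the product_tools.php `@@ -90` hunk, the context line `else " AND default_vat_code = IS NULL";` is a bare string expression that is never appended to `$sql`, so when `$vat_src_code_old` is empty the query silently drops the NULL filter and converts products regardless of their VAT code; the intended SQL is also malformed (`= IS NULL`). It should read `else $sql .= " AND default_vat_code IS NULL";` — the same no-op line appears again in the `@@ -182` hunk on the supplier-price query. The enclosing `if ($action == 'convert')` block starts before the hunk.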
@@ -234,6 +234,7 @@ if (empty($reshook)) $npr = preg_match('/\*/', $tva_tx_txt) ? 1 : 0; $localtax1 = 0; $localtax2 = 0; $localtax1_type = '0'; $localtax2_type = '0'; // If value contains the unique code of vat line (new recommanded method), we use it to find npr and local taxes + $reg = array(); if (preg_match('/\((.*)\)/', $tva_tx_txt, $reg)) { // We look into database using code (we can't use get_localtax() because it depends on buyer that is not known). Same in update price. @@ -241,9 +242,9 @@ if (empty($reshook)) // Get record from code $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'"; $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1"; - $sql .= " AND t.code ='".$vatratecode."'"; + $sql .= " AND t.code = '".$db->escape($vatratecode)."'"; $resql = $db->query($sql); if ($resql) { diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index 267e3bc2890..a90c9dd5b1b 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -58,6 +58,7 @@ class Products extends DolibarrApi public function __construct() { global $db, $conf; + $this->db = $db; $this->product = new Product($this->db); $this->productsupplier = new ProductFournisseur($this->db); @@ -178,7 +179,7 @@ class Products extends DolibarrApi $sql .= ' WHERE t.entity IN ('.getEntity('product').')'; // Select products of given category if ($category > 0) { - $sql .= " AND c.fk_categorie = ".$db->escape($category); + $sql .= " AND c.fk_categorie = ".$this->db->escape($category); $sql .= " AND c.fk_product = t.rowid "; } if ($mode == 1) { 
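Review bot: In the api_products.class.php `@@ -178` hunk, `" AND c.fk_categorie = ".$this->db->escape($category)` keeps `escape()` as the guard for an unquoted integer, which only handles quote characters and does nothing for a string such as `1 OR 1=1`, while the `$category > 0` test on the line above passes any numeric-leading string under loose comparison. Cast instead: `$sql .= " AND c.fk_categorie = ".((int) $category);`. Whether Restler already coerces `$category` to int for this endpoint is not visible here, so the cast is the cheap certainty.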
@@ -197,32 +198,32 @@ class Products extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { $page = 0; } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); $i = 0; while ($i < $min) { - $obj = $db->fetch_object($result); - $product_static = new Product($db); + $obj = $this->db->fetch_object($result); + $product_static = new Product($this->db); if ($product_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($product_static); } $i++; } } else { - throw new RestException(503, 'Error when retrieve product list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve product list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No product found'); @@ -445,8 +446,7 @@ class Products extends DolibarrApi /** * Remove subproduct. - * - * Unlink a product/service from a parent product/service + * Unlink a product/service from a parent product/service * * @param int $id Id of parent product/service * @param int $subproduct_id Id of child product/service @@ -750,8 +750,11 @@ class Products extends DolibarrApi public function getSupplierProducts($sortfield = "t.ref", $sortorder = 'ASC', $limit = 100, $page = 0, $mode = 0, $category = 0, $supplier = 0, $sqlfilters = '') { global $db, $conf; + $obj_ret = array(); + $socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : ''; + $sql = "SELECT t.rowid, t.ref, t.ref_ext"; $sql .= " FROM ".MAIN_DB_PREFIX."product as t"; if ($category > 0) { 
@@ -762,12 +765,12 @@ class Products extends DolibarrApi $sql .= ' WHERE t.entity IN ('.getEntity('product').')'; if ($supplier > 0) { - $sql .= " AND s.fk_soc = ".$db->escape($supplier); + $sql .= " AND s.fk_soc = ".$this->db->escape($supplier); } $sql .= " AND s.fk_product = t.rowid"; // Select products of given category if ($category > 0) { - $sql .= " AND c.fk_categorie = ".$db->escape($category); + $sql .= " AND c.fk_categorie = ".$this->db->escape($category); $sql .= " AND c.fk_product = t.rowid"; } if ($mode == 1) { @@ -785,22 +788,22 @@ class Products extends DolibarrApi $regexstring = '\(([^:\'\(\)]+:[^:\'\(\)]+:[^:\(\)]+)\)'; $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { $page = 0; } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); $i = 0; while ($i < $min) { - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $product_fourn = new ProductFournisseur($this->db); $product_fourn_list = $product_fourn->list_product_fournisseur_price($obj->rowid, '', '', 0, 0); @@ -814,7 +817,7 @@ class Products extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve product list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve product list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No product found'); 
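Review bot: `" AND s.fk_soc = ".$this->db->escape($supplier)` and `" AND c.fk_categorie = ".$this->db->escape($category)` in the `@@ -762` hunk rely on string escaping for unquoted integer comparisons, where escaping does not prevent injection of operators; with the `> 0` guards using loose comparison, a numeric-leading string still reaches the SQL. Use `((int) $supplier)` and `((int) $category)` in place of the `escape()` calls. `getSupplierProducts` starts and ends outside the hunk.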
@@ -878,21 +881,71 @@ class Products extends DolibarrApi /** * Get attributes. - * + * + * @param string $sortfield Sort field + * @param string $sortorder Sort order + * @param int $limit Limit for list + * @param int $page Page number + * @param string $sqlfilters Other criteria to filter answers separated by a comma. Syntax example "(t.ref:like:color)" * @return array * * @throws RestException * * @url GET attributes */ - public function getAttributes() + public function getAttributes($sortfield = "t.ref", $sortorder = 'ASC', $limit = 100, $page = 0, $sqlfilters = '') { if (!DolibarrApiAccess::$user->rights->produit->lire) { throw new RestException(401); } - $prodattr = new ProductAttribute($this->db); - return $prodattr->fetchAll(); + $sql = "SELECT t.rowid, t.ref, t.ref_ext, t.label, t.rang, t.entity"; + $sql .= " FROM ".MAIN_DB_PREFIX."product_attribute as t"; + $sql .= ' WHERE t.entity IN ('.getEntity('product').')'; + + // Add sql filters + if ($sqlfilters) { + if (!DolibarrApi::_checkFilters($sqlfilters)) { + throw new RestException(503, 'Error when validating parameter sqlfilters '.$sqlfilters); + } + $regexstring = '\(([^:\'\(\)]+:[^:\'\(\)]+:[^:\(\)]+)\)'; + $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; + } + + $sql .= $this->db->order($sortfield, $sortorder); + if ($limit) { + if ($page < 0) { + $page = 0; + } + $offset = $limit * $page; + + $sql .= $this->db->plimit($limit, $offset); + } + + $result = $this->db->query($sql); + + if (!$result) { + throw new RestException(503, 'Error when retrieve product attribute list : '.$this->db->lasterror()); + } + + $return = []; + while ($result = $this->db->fetch_object($query)) { + $tmp = new ProductAttribute($this->db); + $tmp->id = $result->rowid; + $tmp->ref = $result->ref; + $tmp->ref_ext = $result->ref_ext; + $tmp->label = $result->label; + $tmp->rang = $result->rang; + $tmp->entity = $result->entity; + + $return[] = 
$this->_cleanObjectDatas($tmp); + } + + if (!count($return)) { + throw new RestException(404, 'No product attribute found'); + } + + return $return; } /** @@ -917,9 +970,25 @@ class Products extends DolibarrApi $result = $prodattr->fetch((int) $id); if ($result < 0) { - throw new RestException(404, "Attribute not found"); + throw new RestException(404, "Product attribute not found"); } + $fields = ["id", "ref", "ref_ext", "label", "rang", "entity"]; + + foreach ($prodattr as $field => $value) { + if (!in_array($field, $fields)) { + unset($prodattr->{$field}); + } + } + + $sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination2val as pac2v"; + $sql .= " JOIN ".MAIN_DB_PREFIX."product_attribute_combination as pac ON pac2v.fk_prod_combination = pac.rowid"; + $sql .= " WHERE pac2v.fk_prod_attr = ".((int) $prodattr->id)." AND pac.entity IN (".getEntity('product').")"; + + $resql = $this->db->query($sql); + $obj = $this->db->fetch_object($resql); + $prodattr->is_used_by_products = (int) $obj->nb; + return $prodattr; } @@ -940,7 +1009,7 @@ class Products extends DolibarrApi throw new RestException(401); } - $sql = "SELECT rowid, ref, label, rang FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref LIKE '".trim($ref)."' AND entity IN (".getEntity('product').")"; + $sql = "SELECT rowid, ref, ref_ext, label, rang, entity FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref LIKE '".trim($ref)."' AND entity IN (".getEntity('product').")"; $query = $this->db->query($sql); 
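Review bot: The new `getAttributes()` body never iterates: `while ($result = $this->db->fetch_object($query))` reads an undefined `$query` (the query result was stored in `$result`, which this assignment overwrites), so every call falls through to the `404 'No product attribute found'` throw. Keep the result in its own variable and name the row differently, as the other list methods in this file do with `$resql`/`$obj`; the per-field assignments then read from `$obj`. The fixed middle of the method is below.
```php
    $resql = $this->db->query($sql);

    if (!$resql) {
        throw new RestException(503, 'Error when retrieve product attribute list : '.$this->db->lasterror());
    }

    $return = [];
    while ($obj = $this->db->fetch_object($resql)) {
        $tmp = new ProductAttribute($this->db);
        $tmp->id = $obj->rowid;
        $tmp->ref = $obj->ref;
        $tmp->ref_ext = $obj->ref_ext;
        $tmp->label = $obj->label;
        $tmp->rang = $obj->rang;
        $tmp->entity = $obj->entity;

        $return[] = $this->_cleanObjectDatas($tmp);
    }
    // … unchanged: 404 when $return is empty, return $return …
```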
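Review bot: In the `@@ -940` hunk the rewritten SELECT still interpolates the URL path parameter unescaped, `WHERE ref LIKE '".trim($ref)."'`, so a `ref` containing a quote breaks out of the literal; the commit touches this exact line but only widens the column list. Use `WHERE ref LIKE '".$this->db->escape(trim($ref))."'`, and consider `=` instead of `LIKE` since `%` and `_` in the ref are otherwise treated as wildcards. The `num_rows($query)` call on the following line also runs on `false` when the query fails; the rest of `getAttributesByRef` is outside the hunk.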
@@ -953,8 +1022,65 @@ class Products extends DolibarrApi $attr = []; $attr['id'] = $result->rowid; $attr['ref'] = $result->ref; + $attr['ref_ext'] = $result->ref_ext; $attr['label'] = $result->label; $attr['rang'] = $result->rang; + $attr['entity'] = $result->entity; + + $sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination2val as pac2v"; + $sql .= " JOIN ".MAIN_DB_PREFIX."product_attribute_combination as pac ON pac2v.fk_prod_combination = pac.rowid"; + $sql .= " WHERE pac2v.fk_prod_attr = ".((int) $result->rowid)." AND pac.entity IN (".getEntity('product').")"; + + $resql = $this->db->query($sql); + $obj = $this->db->fetch_object($resql); + + $attr["is_used_by_products"] = (int) $obj->nb; + + return $attr; + } + + /** + * Get attributes by ref_ext. + * + * @param string $ref_ext External reference of Attribute + * @return array + * + * @throws RestException 500 + * @throws RestException 401 + * + * @url GET attributes/ref_ext/{ref_ext} + */ + public function getAttributesByRefExt($ref_ext) + { + if (!DolibarrApiAccess::$user->rights->produit->lire) { + throw new RestException(401); + } + + $sql = "SELECT rowid, ref, ref_ext, label, rang, entity FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref_ext LIKE '".trim($ref_ext)."' AND entity IN (".getEntity('product').")"; + + $query = $this->db->query($sql); + + if (!$this->db->num_rows($query)) { + throw new RestException(404); + } + + $result = $this->db->fetch_object($query); + + $attr = []; + $attr['id'] = $result->rowid; + $attr['ref'] = $result->ref; + $attr['ref_ext'] = $result->ref_ext; + $attr['label'] = $result->label; + $attr['rang'] = $result->rang; + $attr['entity'] = $result->entity; + + $sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination2val as pac2v"; + $sql .= " JOIN ".MAIN_DB_PREFIX."product_attribute_combination as pac ON pac2v.fk_prod_combination = pac.rowid"; + $sql .= " WHERE pac2v.fk_prod_attr = ".((int) $result->rowid)." 
AND pac.entity IN (".getEntity('product').")"; + + $resql = $this->db->query($sql); + $obj = $this->db->fetch_object($resql); + $attr["is_used_by_products"] = (int) $obj->nb; return $attr; } @@ -964,6 +1090,7 @@ class Products extends DolibarrApi * * @param string $ref Reference of Attribute * @param string $label Label of Attribute + * @param string $ref_ext Reference of Attribute * @return int * * @throws RestException 500 @@ -971,7 +1098,7 @@ class Products extends DolibarrApi * * @url POST attributes */ - public function addAttributes($ref, $label) + public function addAttributes($ref, $label, $ref_ext = '') { if (!DolibarrApiAccess::$user->rights->produit->creer) { throw new RestException(401); @@ -980,6 +1107,7 @@ class Products extends DolibarrApi $prodattr = new ProductAttribute($this->db); $prodattr->label = $label; $prodattr->ref = $ref; + $prodattr->ref_ext = $ref_ext; $resid = $prodattr->create(DolibarrApiAccess::$user); if ($resid <= 0) { @@ -1202,7 +1330,18 @@ class Products extends DolibarrApi } $objectval = new ProductAttributeValue($this->db); - return $objectval->fetchAllByProductAttribute((int) $id); + + $return = $objectval->fetchAllByProductAttribute((int) $id); + + if (count($return) == 0) { + throw new RestException(404, 'Attribute values not found'); + } + + foreach ($return as $key => $val) { + $return[$key] = $this->_cleanObjectDatas($return[$key]); + } + + return $return; } /** 
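Review bot: The new `getAttributesByRefExt()` builds `WHERE ref_ext LIKE '".trim($ref_ext)."'` from the URL path parameter with no escaping, which is a direct SQL injection in freshly added code; write `WHERE ref_ext LIKE '".$this->db->escape(trim($ref_ext))."'` (or `=`, since `%`/`_` are wildcards under LIKE). The method then calls `$this->db->num_rows($query)` and, for the COUNT query, `fetch_object($resql)` without checking either result for `false`, so a failed query surfaces as a PHP error rather than a 503. The same unchecked `$resql` pattern is added to `getAttributesByRef` in the first part of this hunk.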
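Review bot: In the `@@ -1202` hunk, `if (count($return) == 0)` assumes `fetchAllByProductAttribute()` always returns an array; if it follows the usual Dolibarr convention of returning a negative int on a DB error (not visible here), `count()` on that int is a warning on PHP 7 and a TypeError on PHP 8, and either way the caller gets a misleading 404 for what is a server-side failure. Guard the type first: `if (!is_array($return)) { throw new RestException(503, 'Error when retrieve attribute values : '.$objectval->error); }` before the existing `count($return) == 0` check. `getAttributeValues` starts outside the hunk.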
@@ -1224,19 +1363,19 @@ class Products extends DolibarrApi $return = array(); $sql = 'SELECT '; - $sql .= 'v.fk_product_attribute, v.rowid, v.ref, v.value FROM '.MAIN_DB_PREFIX.'product_attribute_value v '; - $sql .= "WHERE v.fk_product_attribute = ( SELECT rowid FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref LIKE '".strtoupper(trim($ref))."' LIMIT 1)"; + $sql .= 'v.fk_product_attribute, v.rowid, v.ref, v.value FROM '.MAIN_DB_PREFIX.'product_attribute_value as v'; + $sql .= " WHERE v.fk_product_attribute IN (SELECT rowid FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref LIKE '".$this->db->escape(trim($ref))."')"; - $query = $this->db->query($sql); + $resql = $this->db->query($sql); - while ($result = $this->db->fetch_object($query)) { + while ($result = $this->db->fetch_object($resql)) { $tmp = new ProductAttributeValue($this->db); $tmp->fk_product_attribute = $result->fk_product_attribute; $tmp->id = $result->rowid; $tmp->ref = $result->ref; $tmp->value = $result->value; - $return[] = $tmp; + $return[] = $this->_cleanObjectDatas($tmp); } return $return; @@ -1419,7 +1558,8 @@ class Products extends DolibarrApi * @param float $price_impact Price impact of variant * @param bool $price_impact_is_percent Price impact in percent (true or false) * @param array $features List of attributes pairs id_attribute->id_value. Example: array(id_color=>id_Blue, id_size=>id_small, id_option=>id_val_a, ...) - * @param bool|string $reference Customized reference of variant + * @param string $reference Customized reference of variant + * @param string $ref_ext External reference of variant * @return int * * @throws RestException 500 
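Review bot: The rewritten subquery `SELECT rowid FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref LIKE '...'` has no entity restriction, while every other attribute lookup in this file adds `AND entity IN (".getEntity('product').")`, so in a multicompany setup `getAttributeValuesByRef` can return values belonging to attributes of another entity; append `." AND entity IN (".getEntity('product').")"` inside the subquery. Note also that the hunk drops the former `strtoupper()` and replaces `= (... LIMIT 1)` with `IN (...)`, which changes which attributes match (case-sensitivity depends on the collation) without the commit saying so. `getAttributeValuesByRef` starts outside the hunk.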
@@ -1428,7 +1568,7 @@ class Products extends DolibarrApi * * @url POST {id}/variants */ - public function addVariant($id, $weight_impact, $price_impact, $price_impact_is_percent, $features, $reference = false) + public function addVariant($id, $weight_impact, $price_impact, $price_impact_is_percent, $features, $reference = '', $ref_ext = '') { if (!DolibarrApiAccess::$user->rights->produit->creer) { throw new RestException(401); @@ -1459,7 +1599,7 @@ class Products extends DolibarrApi $prodcomb = new ProductCombination($this->db); - $result = $prodcomb->createProductCombination(DolibarrApiAccess::$user, $this->product, $features, array(), $price_impact_is_percent, $price_impact, $weight_impact, $reference); + $result = $prodcomb->createProductCombination(DolibarrApiAccess::$user, $this->product, $features, array(), $price_impact_is_percent, $price_impact, $weight_impact, $reference, $ref_ext); if ($result > 0) { return $result; 
@@ -1650,14 +1790,15 @@ class Products extends DolibarrApi * @param string $ref_ext Ref ext of element * @param string $barcode Barcode of element * @param int $includestockdata Load also information about stock (slower) - * @param bool $includesubproducts Load information about subproducts + * @param bool $includesubproducts Load information about subproducts (if product is a virtual product) + * @param bool $includeparentid Load also ID of parent product (if product is a variant of a parent product) * @return array|mixed Data without useless information * * @throws RestException 401 * @throws RestException 403 * @throws RestException 404 */ - private function _fetch($id, $ref = '', $ref_ext = '', $barcode = '', $includestockdata = 0, $includesubproducts = false) + private function _fetch($id, $ref = '', $ref_ext = '', $barcode = '', $includestockdata = 0, $includesubproducts = false, $includeparentid = false) { if (empty($id) && empty($ref) && empty($ref_ext) && empty($barcode)) { throw new RestException(400, 'bad value for parameter id, ref, ref_ext or barcode'); @@ -1704,6 +1845,14 @@ class Products extends DolibarrApi $this->product->sousprods = $childs; } + if ($includeparentid) { + $prodcomb = new ProductCombination($this->db); + $this->product->fk_product_parent = null; + if (($fk_product_parent = $prodcomb->fetchByFkProductChild($this->product->id)) > 0) { + $this->product->fk_product_parent = $fk_product_parent; + } + } + return $this->_cleanObjectDatas($this->product); } } diff --git a/htdocs/product/class/html.formproduct.class.php b/htdocs/product/class/html.formproduct.class.php index 2a2228422d9..a0fd2bdb10c 100644 --- a/htdocs/product/class/html.formproduct.class.php +++ b/htdocs/product/class/html.formproduct.class.php 
@@ -112,16 +112,16 @@ class FormProduct $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps on ps.fk_entrepot = e.rowid"; if (!empty($fk_product)) { - $sql .= " AND ps.fk_product = '".$fk_product."'"; + $sql .= " AND ps.fk_product = ".((int) $fk_product); if (!empty($batch)) { - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_batch as pb on pb.fk_product_stock = ps.rowid AND pb.batch = '".$batch."'"; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_batch as pb on pb.fk_product_stock = ps.rowid AND pb.batch = '".$this->db->escape($batch)."'"; } } $sql .= " WHERE e.entity IN (".getEntity('stock').")"; if (count($warehouseStatus)) { - $sql .= " AND e.statut IN (".$this->db->escape(implode(',', $warehouseStatus)).")"; + $sql .= " AND e.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")"; } else { $sql .= " AND e.statut = 1"; } diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php index 9ba528d3b3d..18565347072 100644 --- a/htdocs/product/class/product.class.php +++ b/htdocs/product/class/product.class.php @@ -929,7 +929,7 @@ class Product extends CommonObject { if ($detail->batch == $valueforundefinedlot || $detail->batch == 'Undefined') { // We discard this line, we will create it later - $sqlclean = "DELETE FROM ".MAIN_DB_PREFIX."product_batch WHERE batch in('Undefined', '".$valueforundefinedlot."') AND fk_product_stock = ".$ObjW->id; + $sqlclean = "DELETE FROM ".MAIN_DB_PREFIX."product_batch WHERE batch in('Undefined', '".$this->db->escape($valueforundefinedlot)."') AND fk_product_stock = ".$ObjW->id; $result = $this->db->query($sqlclean); if (!$result) { dol_print_error($this->db); 
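Review bot: `" AND e.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")"` applies string escaping to an unquoted integer list, where `escape()` only neutralises quotes and the subsequent `sanitize()` presumably strips characters but does not make the list numeric. Since `e.statut` holds status integers, cast each element instead: `" AND e.statut IN (".implode(',', array_map('intval', $warehouseStatus)).")"`. The `$batch` escape and the `(int) $fk_product` cast added earlier in the hunk are the right shape; the method starts outside the hunk.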
@@ -1612,7 +1612,7 @@ class Product extends CommonObject // If price per customer require_once DOL_DOCUMENT_ROOT.'/product/class/productcustomerprice.class.php'; - $prodcustprice = new Productcustomerprice($db); + $prodcustprice = new Productcustomerprice($this->db); $filter = array('t.fk_product' => $this->id, 't.fk_soc' => $thirdparty_buyer->id); @@ -1749,7 +1749,7 @@ class Product extends CommonObject if (!empty($conf->global->PRODUCT_USE_SUPPLIER_PACKAGING)) $sql .= ", pfp.packaging"; $sql .= " FROM ".MAIN_DB_PREFIX."product_fournisseur_price as pfp"; $sql .= " WHERE pfp.fk_product = ".$product_id; - if ($fourn_ref != 'none') { $sql .= " AND pfp.ref_fourn = '".$fourn_ref."'"; + if ($fourn_ref != 'none') { $sql .= " AND pfp.ref_fourn = '".$this->db->escape($fourn_ref)."'"; } if ($fk_soc > 0) { $sql .= " AND pfp.fk_soc = ".$fk_soc; } 
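Review bot: In the `@@ -1749` hunk the context lines `" WHERE pfp.fk_product = ".$product_id` and `" AND pfp.fk_soc = ".$fk_soc` still interpolate the two IDs raw, so only the `ref_fourn` string gets the escape this commit adds while the numeric inputs remain unguarded. Cast them the way the commit does elsewhere: `" WHERE pfp.fk_product = ".((int) $product_id)` and `" AND pfp.fk_soc = ".((int) $fk_soc)`. The enclosing method starts and ends outside the hunk.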
@@ -1922,18 +1922,18 @@ class Product extends CommonObject // Ne pas mettre de quote sur les numeriques decimaux. // Ceci provoque des stockages avec arrondis en base au lieu des valeurs exactes. $sql = "UPDATE ".MAIN_DB_PREFIX."product SET"; - $sql .= " price_base_type='".$newpricebase."',"; + $sql .= " price_base_type='".$this->db->escape($newpricebase)."',"; $sql .= " price=".$price.","; $sql .= " price_ttc=".$price_ttc.","; $sql .= " price_min=".$price_min.","; $sql .= " price_min_ttc=".$price_min_ttc.","; $sql .= " localtax1_tx=".($localtax1 >= 0 ? $localtax1 : 'NULL').","; $sql .= " localtax2_tx=".($localtax2 >= 0 ? $localtax2 : 'NULL').","; - $sql .= " localtax1_type=".($localtaxtype1 != '' ? "'".$localtaxtype1."'" : "'0'").","; - $sql .= " localtax2_type=".($localtaxtype2 != '' ? "'".$localtaxtype2."'" : "'0'").","; + $sql .= " localtax1_type=".($localtaxtype1 != '' ? "'".$this->db->escape($localtaxtype1)."'" : "'0'").","; + $sql .= " localtax2_type=".($localtaxtype2 != '' ? "'".$this->db->escape($localtaxtype2)."'" : "'0'").","; $sql .= " default_vat_code=".($newdefaultvatcode ? "'".$this->db->escape($newdefaultvatcode)."'" : "null").","; $sql .= " tva_tx='".price2num($newvat)."',"; - $sql .= " recuperableonly='".$newnpr."'"; + $sql .= " recuperableonly='".$this->db->escape($newnpr)."'"; $sql .= " WHERE rowid = ".$id; dol_syslog(get_class($this)."::update_price", LOG_DEBUG); @@ -2942,7 +2942,7 @@ class Product extends CommonObject global $db, $conf, $user, $hookmanager; $sql = "SELECT COUNT(DISTINCT f.fk_soc) as nb_customers, COUNT(DISTINCT f.rowid) as nb,"; - $sql .= " COUNT(fd.rowid) as nb_rows, SUM(".$db->ifsql('f.type != 2', 'fd.qty', 'fd.qty * -1').") as qty"; + $sql .= " COUNT(fd.rowid) as nb_rows, SUM(".$this->db->ifsql('f.type != 2', 'fd.qty', 'fd.qty * -1').") as qty"; $sql .= " FROM ".MAIN_DB_PREFIX."facturedet as fd"; $sql .= ", ".MAIN_DB_PREFIX."facture as f"; $sql .= ", ".MAIN_DB_PREFIX."societe as s"; 
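Review bot: In the `update_price` hunk, `$sql .= " WHERE rowid = ".$id;` is left as a raw interpolation while every string column on the lines above now goes through `escape()`; the row selector of an UPDATE is the one value here that decides which product is rewritten, so cast it: `$sql .= " WHERE rowid = ".((int) $id);`. The unquoted `price=`/`price_ttc=`/`price_min=` values are deliberate per the French comment above ("do not quote decimal numerics to avoid rounded storage"), and are presumably normalised by `price2num` before this point, which is outside the hunk.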
@@ -3672,8 +3672,8 @@ class Product extends CommonObject // phpcs:enable $sql = "SELECT fk_product_pere, qty, incdec"; $sql .= " FROM ".MAIN_DB_PREFIX."product_association"; - $sql .= " WHERE fk_product_pere = '".$fk_parent."'"; - $sql .= " AND fk_product_fils = '".$fk_child."'"; + $sql .= " WHERE fk_product_pere = ".((int) $fk_parent); + $sql .= " AND fk_product_fils = ".((int) $fk_child); $result = $this->db->query($sql); if ($result) { @@ -4698,7 +4698,7 @@ class Product extends CommonObject $sql .= " AND w.rowid = ps.fk_entrepot"; $sql .= " AND ps.fk_product = ".$this->id; if ($conf->global->ENTREPOT_EXTRA_STATUS && count($warehouseStatus)) { - $sql .= " AND w.statut IN (".$this->db->escape(implode(',', $warehouseStatus)).")"; + $sql .= " AND w.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")"; } dol_syslog(get_class($this)."::load_stock", LOG_DEBUG); @@ -5371,17 +5371,17 @@ class Product extends CommonObject global $conf, $db; $sql = "SELECT rowid, level, fk_level, var_percent, var_min_percent FROM ".MAIN_DB_PREFIX."product_pricerules"; - $query = $db->query($sql); + $query = $this->db->query($sql); $rules = array(); - while ($result = $db->fetch_object($query)) { + while ($result = $this->db->fetch_object($query)) { $rules[$result->level] = $result; } //Because prices can be based on other level's prices, we temporarily store them $prices = array( - 1 => $baseprice + 1 => $baseprice ); for ($i = 1; $i <= $conf->global->PRODUIT_MULTIPRICES_LIMIT; $i++) { diff --git a/htdocs/product/class/propalmergepdfproduct.class.php b/htdocs/product/class/propalmergepdfproduct.class.php index 331708ff096..30ed73d8c77 100644 --- a/htdocs/product/class/propalmergepdfproduct.class.php +++ b/htdocs/product/class/propalmergepdfproduct.class.php 
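Review bot: In the `@@ -4698` hunk of `load_stock`, `" AND w.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")"` guards an integer list with string escaping, which leaves operators and keywords untouched; use `" AND w.statut IN (".implode(',', array_map('intval', $warehouseStatus)).")"` so the list can only contain integers. The context line `" AND ps.fk_product = ".$this->id` could take `((int) $this->id)` for the same reason. `load_stock` starts and ends outside the hunk.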
@@ -232,7 +232,7 @@ class Propalmergepdfproduct extends CommonObject $sql .= " FROM ".MAIN_DB_PREFIX."propal_merge_pdf_product as t"; $sql .= " WHERE t.fk_product = ".$product_id; if ($conf->global->MAIN_MULTILANGS && !empty($lang)) { - $sql .= " AND t.lang = '".$lang."'"; + $sql .= " AND t.lang = '".$this->db->escape($lang)."'"; } dol_syslog(__METHOD__, LOG_DEBUG); @@ -398,7 +398,7 @@ class Propalmergepdfproduct extends CommonObject $sql .= " WHERE fk_product=".$product_id; if ($conf->global->MAIN_MULTILANGS && !empty($lang_id)) { - $sql .= " AND lang='".$lang_id."'"; + $sql .= " AND lang='".$this->db->escape($lang_id)."'"; } dol_syslog(__METHOD__, LOG_DEBUG); diff --git a/htdocs/product/index.php b/htdocs/product/index.php index 6dcc5799c26..53136237eca 100644 --- a/htdocs/product/index.php +++ b/htdocs/product/index.php @@ -327,7 +327,7 @@ if ((!empty($conf->product->enabled) || !empty($conf->service->enabled)) && ($us $sql = "SELECT label"; $sql .= " FROM ".MAIN_DB_PREFIX."product_lang"; $sql .= " WHERE fk_product=".$objp->rowid; - $sql .= " AND lang='".$langs->getDefaultLang()."'"; + $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'"; $resultd = $db->query($sql); if ($resultd) diff --git a/htdocs/product/inventory/list.php b/htdocs/product/inventory/list.php index f8aa47d79e8..09947e80ac7 100644 --- a/htdocs/product/inventory/list.php +++ b/htdocs/product/inventory/list.php 
@@ -45,7 +45,7 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/product/list.php b/htdocs/product/list.php index 47e142da27b..4267e5c4e9a 100644 --- a/htdocs/product/list.php +++ b/htdocs/product/list.php 
@@ -210,8 +210,8 @@ $arrayfields = array( 'p.stock'=>array('label'=>$langs->trans("PhysicalStock"), 'checked'=>1, 'enabled'=>(!empty($conf->stock->enabled) && $user->rights->stock->lire && $contextpage != 'service'), 'position'=>52), 'stock_virtual'=>array('label'=>$langs->trans("VirtualStock"), 'checked'=>1, 'enabled'=>(!empty($conf->stock->enabled) && $user->rights->stock->lire && $contextpage != 'service' && $virtualdiffersfromphysical), 'position'=>53), 'p.tobatch'=>array('label'=>$langs->trans("ManageLotSerial"), 'checked'=>0, 'enabled'=>(!empty($conf->productbatch->enabled)), 'position'=>60), - 'p.fk_country'=>array('label'=>$langs->trans("Country").' ('.$langs->trans("Country").')', 'checked'=>0, 'position'=>100), - 'p.fk_state'=>array('label'=>$langs->trans("State").' ('.$langs->trans("State").')', 'checked'=>0, 'position'=>101), + 'p.fk_country'=>array('label'=>$langs->trans("Country"), 'checked'=>0, 'position'=>100), + 'p.fk_state'=>array('label'=>$langs->trans("State"), 'checked'=>0, 'position'=>101), 'p.accountancy_code_sell'=>array('label'=>$langs->trans("ProductAccountancySellCode"), 'checked'=>0, 'position'=>400), 'p.accountancy_code_sell_intra'=>array('label'=>$langs->trans("ProductAccountancySellIntraCode"), 'checked'=>0, 'enabled'=>$isInEEC, 'position'=>401), 'p.accountancy_code_sell_export'=>array('label'=>$langs->trans("ProductAccountancySellExportCode"), 'checked'=>0, 'position'=>402), 
@@ -353,7 +353,7 @@ if (is_array($extrafields->attributes[$object->table_element]['label']) && count if (!empty($searchCategoryProductList) || !empty($catid)) $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX."categorie_product as cp ON p.rowid = cp.fk_product"; // We'll need this table joined to the select in order to filter by categ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_fournisseur_price as pfp ON p.rowid = pfp.fk_product"; // multilang -if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lang as pl ON pl.fk_product = p.rowid AND pl.lang = '".$langs->getDefaultLang()."'"; +if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lang as pl ON pl.fk_product = p.rowid AND pl.lang = '".$db->escape($langs->getDefaultLang())."'"; if (!empty($conf->variants->enabled) && (!empty($conf->global->PRODUIT_ATTRIBUTES_HIDECHILD) && !$show_childproducts)) { $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_attribute_combination pac ON pac.fk_product_child = p.rowid"; @@ -1442,7 +1442,9 @@ if ($resql) // State if (!empty($arrayfields['p.fk_state']['checked'])) { - print ''.getState($obj->fk_state, 0, $db).''; + print ''; + if (!empty($obj->fk_state)) print getState($obj->fk_state, 0, $db); + print ''; if (!$i) $totalarray['nbfield']++; } // Accountancy code sell diff --git a/htdocs/product/popuprop.php b/htdocs/product/popuprop.php index affd5a8b3f2..7e5015b7813 100644 --- a/htdocs/product/popuprop.php +++ b/htdocs/product/popuprop.php @@ -203,7 +203,7 @@ if ($mode && $mode != '-1') { $sql = "SELECT label"; $sql .= " FROM ".MAIN_DB_PREFIX."product_lang"; $sql .= " WHERE fk_product=".$prodid; - $sql .= " AND lang='".$langs->getDefaultLang()."'"; + $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'"; $sql .= " LIMIT 1"; $resultp = $db->query($sql); diff --git a/htdocs/product/price.php b/htdocs/product/price.php index 668777cb6c3..c73e43dc6f0 100644 --- a/htdocs/product/price.php 
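Review bot: In the popuprop.php hunk the context line `$sql .= " WHERE fk_product=".$prodid;` just above the newly escaped `lang` clause still concatenates `$prodid` unquoted and uncast, so the change hardens the less exposed of the two values. An integer key is normally fixed with a cast rather than escaping, `$sql .= " WHERE fk_product=".((int) $prodid);`, which matches the `((int) ...)` pattern this commit applies to other ids. Where `$prodid` is read from is outside the hunk, so whether it is already validated cannot be confirmed here.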
+++ b/htdocs/product/price.php @@ -127,9 +127,9 @@ if (empty($reshook)) // Get record from code $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'"; $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1"; - $sql .= " AND t.code ='".$vatratecode."'"; + $sql .= " AND t.code ='".$db->escape($vatratecode)."'"; $resql = $db->query($sql); if ($resql) { @@ -243,9 +243,9 @@ if (empty($reshook)) // Get record from code $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'"; $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1"; - $sql .= " AND t.code ='".$vatratecode."'"; + $sql .= " AND t.code ='".$db->escape($vatratecode)."'"; $resql = $db->query($sql); if ($resql) { @@ -296,9 +296,9 @@ if (empty($reshook)) // Get record from code $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'"; $sql .= " AND t.taux = ".$tva_tx." AND t.active = 1"; - $sql .= " AND t.code ='".$vatratecode."'"; + $sql .= " AND t.code ='".$db->escape($vatratecode)."'"; $resql = $db->query($sql); if ($resql) { 
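Review bot: In the @@ -296 hunk `$sql .= " AND t.taux = ".$tva_tx." AND t.active = 1";` still concatenates `$tva_tx` without a cast, while the two earlier hunks of this file (@@ -127 and @@ -243) use `((float) $tva_tx)`; the same uncast form remains in the @@ -525 and @@ -625 hunks below. Since `$vatratecode` on the neighbouring line was worth escaping, the rate deserves the same treatment: `$sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";`. The origin of `$tva_tx` is outside the hunk, so this is inferred from the sibling hunks rather than from a visible source.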
@@ -436,7 +436,7 @@ if (empty($reshook)) // Ajout / mise à jour if ($rowid > 0) { $sql = "UPDATE ".MAIN_DB_PREFIX."product_price_by_qty SET"; - $sql .= " price='".$price."',"; + $sql .= " price='".$db->escape($price)."',"; $sql .= " unitprice=".$unitPrice.","; $sql .= " quantity=".$quantity.","; $sql .= " remise_percent=".$remise_percent.","; @@ -525,9 +525,9 @@ if (empty($reshook)) // Get record from code $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'"; $sql .= " AND t.taux = ".$tva_tx." AND t.active = 1"; - $sql .= " AND t.code ='".$vatratecode."'"; + $sql .= " AND t.code ='".$db->escape($vatratecode)."'"; $resql = $db->query($sql); if ($resql) { @@ -625,9 +625,9 @@ if (empty($reshook)) // Get record from code $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'"; $sql .= " AND t.taux = ".$tva_tx." AND t.active = 1"; - $sql .= " AND t.code ='".$vatratecode."'"; + $sql .= " AND t.code ='".$db->escape($vatratecode)."'"; $resql = $db->query($sql); if ($resql) { diff --git a/htdocs/product/reassortlot.php b/htdocs/product/reassortlot.php index 2dfb423c5f8..cc37d930280 100644 --- a/htdocs/product/reassortlot.php +++ b/htdocs/product/reassortlot.php 
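Review bot: In the @@ -436 hunk only `price` is escaped; `unitprice=".$unitPrice."`, `quantity=".$quantity."` and `remise_percent=".$remise_percent."` on the following lines are still concatenated raw into the UPDATE. Numeric columns are better constrained by a cast than by string escaping, e.g. `$sql .= " unitprice=".((float) $unitPrice).",";` with the same `(float)` cast on the other two. These variables are assigned outside the hunk, so I cannot confirm whether they are already numeric at this point.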
@@ -335,7 +335,7 @@ if ($resql)
$sql = "SELECT label";
$sql .= " FROM ".MAIN_DB_PREFIX."product_lang";
$sql .= " WHERE fk_product=".$objp->rowid;
- $sql .= " AND lang='".$langs->getDefaultLang()."'";
+ $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'";
$sql .= " LIMIT 1";
$result = $db->query($sql);
diff --git a/htdocs/product/stats/commande_fournisseur.php b/htdocs/product/stats/commande_fournisseur.php
index c2133e12a53..162a108029e 100644
--- a/htdocs/product/stats/commande_fournisseur.php
+++ b/htdocs/product/stats/commande_fournisseur.php
@@ -50,7 +50,7 @@ $mesg = '';
// Load variable for pagination
$limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
-$sortfield = GETPOST('sortfield', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
$sortorder = GETPOST('sortorder', 'aZ09comma');
$page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
diff --git a/htdocs/product/stats/propal.php b/htdocs/product/stats/propal.php
index 5dac77e8193..6766864b042 100644
--- a/htdocs/product/stats/propal.php
+++ b/htdocs/product/stats/propal.php
@@ -50,7 +50,7 @@ $mesg = '';
// Load variable for pagination
$limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
-$sortfield = GETPOST('sortfield', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
$sortorder = GETPOST('sortorder', 'aZ09comma');
$page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
diff --git a/htdocs/product/stats/supplier_proposal.php b/htdocs/product/stats/supplier_proposal.php
index 1745a232799..f4d2a5d4644 100644
--- a/htdocs/product/stats/supplier_proposal.php
+++ b/htdocs/product/stats/supplier_proposal.php
@@ -50,7 +50,7 @@ $mesg = ''; // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/product/stock/card.php b/htdocs/product/stock/card.php index 21be487993f..e2cf02ce3c7 100644 --- a/htdocs/product/stock/card.php +++ b/htdocs/product/stock/card.php @@ -432,7 +432,7 @@ if ($action == 'create') if (!empty($user->rights->stock->mouvement->lire)) { $sql = "SELECT max(m.datem) as datem"; $sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m"; - $sql .= " WHERE m.fk_entrepot = '".$object->id."'"; + $sql .= " WHERE m.fk_entrepot = ".((int) $object->id); $resqlbis = $db->query($sql); if ($resqlbis) { $obj = $db->fetch_object($resqlbis); @@ -555,7 +555,7 @@ if ($action == 'create') $sql = "SELECT label"; $sql .= " FROM ".MAIN_DB_PREFIX."product_lang"; $sql .= " WHERE fk_product=".$objp->rowid; - $sql .= " AND lang='".$langs->getDefaultLang()."'"; + $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'"; $sql .= " LIMIT 1"; $result = $db->query($sql); diff --git a/htdocs/product/stock/class/api_stockmovements.class.php b/htdocs/product/stock/class/api_stockmovements.class.php index 1efa81bc0a8..71f687a1b03 100644 --- a/htdocs/product/stock/class/api_stockmovements.class.php +++ b/htdocs/product/stock/class/api_stockmovements.class.php @@ -118,7 +118,7 @@ class StockMovements extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { 
@@ -126,26 +126,26 @@ class StockMovements extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); - $stockmovement_static = new MouvementStock($db); + $obj = $this->db->fetch_object($result); + $stockmovement_static = new MouvementStock($this->db); if ($stockmovement_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($stockmovement_static); } $i++; } } else { - throw new RestException(503, 'Error when retrieve stock movement list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve stock movement list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No stock movement found'); diff --git a/htdocs/product/stock/class/api_warehouses.class.php b/htdocs/product/stock/class/api_warehouses.class.php index e84b017ed93..1c31bbbc2af 100644 --- a/htdocs/product/stock/class/api_warehouses.class.php +++ b/htdocs/product/stock/class/api_warehouses.class.php @@ -111,7 +111,7 @@ class Warehouses extends DolibarrApi $sql .= ' WHERE t.entity IN ('.getEntity('stock').')'; // Select warehouses of given category if ($category > 0) { - $sql .= " AND c.fk_categorie = ".$db->escape($category); + $sql .= " AND c.fk_categorie = ".$this->db->escape($category); $sql .= " AND c.fk_warehouse = t.rowid "; } // Add sql filters @@ -125,7 +125,7 @@ class Warehouses extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { 
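Review bot: In the api_warehouses.class.php @@ -111 hunk, `$this->db->escape($category)` is used in an unquoted numeric context (`c.fk_categorie = ...`), where string escaping does not constrain the value, and the `$category > 0` guard above it does not by itself guarantee an integer. The commit already uses `((int) ...)` for other integer ids (for example `m.fk_entrepot = ".((int) $object->id)`), so `$sql .= " AND c.fk_categorie = ".((int) $category);` would be the consistent form. The same pattern appears in the api_projects.class.php @@ -131 hunk further down.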
@@ -133,26 +133,26 @@ class Warehouses extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); - $warehouse_static = new Entrepot($db); + $obj = $this->db->fetch_object($result); + $warehouse_static = new Entrepot($this->db); if ($warehouse_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($warehouse_static); } $i++; } } else { - throw new RestException(503, 'Error when retrieve warehouse list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve warehouse list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No warehouse found'); diff --git a/htdocs/product/stock/class/mouvementstock.class.php b/htdocs/product/stock/class/mouvementstock.class.php index bfdfb14f6e8..ca6e39c2b07 100644 --- a/htdocs/product/stock/class/mouvementstock.class.php +++ b/htdocs/product/stock/class/mouvementstock.class.php @@ -418,7 +418,7 @@ class MouvementStock extends CommonObject $sql .= " fk_entrepot, value, type_mouvement, fk_user_author, label, inventorycode, price, fk_origin, origintype, fk_projet"; $sql .= ")"; $sql .= " VALUES ('".$this->db->idate($now)."', ".$this->product_id.", "; - $sql .= " ".($batch ? "'".$batch."'" : "null").", "; + $sql .= " ".($batch ? "'".$this->db->escape($batch)."'" : "null").", "; $sql .= " ".($eatby ? "'".$this->db->idate($eatby)."'" : "null").", "; $sql .= " ".($sellby ? "'".$this->db->idate($sellby)."'" : "null").", "; $sql .= " ".$this->entrepot_id.", ".$this->qty.", ".((int) $this->type).","; diff --git a/htdocs/product/stock/list.php b/htdocs/product/stock/list.php index 478b07b3d91..b0f593f82d9 100644 
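Review bot: In the mouvementstock.class.php @@ -418 hunk the batch value is now escaped, but the surrounding `VALUES` lines still concatenate `$this->product_id`, `$this->entrepot_id` and `$this->qty` without a cast, while `$this->type` on the last line already gets `((int) $this->type)`. Applying the same idea, `((int) $this->product_id)`, `((int) $this->entrepot_id)` and a `(float)` cast on `$this->qty`, would make the whole INSERT consistent; whether qty is integral cannot be seen from the hunk. The enclosing method starts before the hunk.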
--- a/htdocs/product/stock/list.php +++ b/htdocs/product/stock/list.php @@ -59,7 +59,7 @@ if (!empty($conf->categorie->enabled)) // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/product/stock/massstockmove.php b/htdocs/product/stock/massstockmove.php index 168166ac487..86458966b34 100644 --- a/htdocs/product/stock/massstockmove.php +++ b/htdocs/product/stock/massstockmove.php @@ -53,7 +53,7 @@ $batch = GETPOST('batch'); $qty = GETPOST('qty'); $idline = GETPOST('idline'); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/product/stock/movement_card.php b/htdocs/product/stock/movement_card.php index 2000ab4cdec..6d0eb0dc24c 100644 --- a/htdocs/product/stock/movement_card.php +++ b/htdocs/product/stock/movement_card.php 
@@ -457,7 +457,7 @@ $sql .= " AND e.entity IN (".getEntity('stock').")"; if (empty($conf->global->STOCK_SUPPORTS_SERVICES)) $sql .= " AND p.fk_product_type = 0"; if ($id > 0) $sql .= " AND e.rowid ='".$id."'"; $sql .= dolSqlDateFilter('m.datem', 0, $month, $year); -if ($idproduct > 0) $sql .= " AND p.rowid = '".$idproduct."'"; +if ($idproduct > 0) $sql .= " AND p.rowid = ".((int) $idproduct); if (!empty($search_ref)) $sql .= natural_search('m.rowid', $search_ref, 1); if (!empty($search_movement)) $sql .= natural_search('m.label', $search_movement); if (!empty($search_inventorycode)) $sql .= natural_search('m.inventorycode', $search_inventorycode); diff --git a/htdocs/product/stock/movement_list.php b/htdocs/product/stock/movement_list.php index e47c0664142..b533d4407a6 100644 --- a/htdocs/product/stock/movement_list.php +++ b/htdocs/product/stock/movement_list.php @@ -483,7 +483,7 @@ $sql .= " AND e.entity IN (".getEntity('stock').")"; if (empty($conf->global->STOCK_SUPPORTS_SERVICES)) $sql .= " AND p.fk_product_type = 0"; if ($id > 0) $sql .= " AND e.rowid ='".$id."'"; $sql .= dolSqlDateFilter('m.datem', 0, $month, $year); -if ($idproduct > 0) $sql .= " AND p.rowid = '".$idproduct."'"; +if ($idproduct > 0) $sql .= " AND p.rowid = ".((int) $idproduct); if (!empty($search_ref)) $sql .= natural_search('m.rowid', $search_ref, 1); if (!empty($search_movement)) $sql .= natural_search('m.label', $search_movement); if (!empty($search_inventorycode)) $sql .= natural_search('m.inventorycode', $search_inventorycode); @@ -624,7 +624,7 @@ if ($resql) // Last movement $sql = "SELECT MAX(m.datem) as datem"; $sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m"; - $sql .= " WHERE m.fk_entrepot = '".$object->id."'"; + $sql .= " WHERE m.fk_entrepot = ".((int) $object->id); $resqlbis = $db->query($sql); if ($resqlbis) { diff --git a/htdocs/product/stock/product.php b/htdocs/product/stock/product.php index cd83f2c19c8..858058ef684 100644 --- a/htdocs/product/stock/product.php 
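Review bot: In the movement_card.php @@ -457 hunk the context line `if ($id > 0) $sql .= " AND e.rowid ='".$id."'";` directly above the changed line still embeds `$id` as a quoted string, whereas `$idproduct` now gets `((int) $idproduct)`. The same cast fits here: `if ($id > 0) $sql .= " AND e.rowid = ".((int) $id);`. The identical pair of lines appears in the movement_list.php @@ -483 hunk below.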
+++ b/htdocs/product/stock/product.php @@ -710,7 +710,7 @@ if ($id > 0 || $ref) { $sql = "SELECT max(m.datem) as datem"; $sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m"; - $sql .= " WHERE m.fk_product = '".$object->id."'"; + $sql .= " WHERE m.fk_product = ".((int) $object->id); $resqlbis = $db->query($sql); if ($resqlbis) { $obj = $db->fetch_object($resqlbis); diff --git a/htdocs/product/stock/productlot_list.php b/htdocs/product/stock/productlot_list.php index e1b7469ef53..33d49c0c5e5 100644 --- a/htdocs/product/stock/productlot_list.php +++ b/htdocs/product/stock/productlot_list.php @@ -51,7 +51,7 @@ $search_import_key = GETPOST('search_import_key', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/product/stock/replenish.php b/htdocs/product/stock/replenish.php index e418f8b519b..08fb9d6a1f0 100644 --- a/htdocs/product/stock/replenish.php +++ b/htdocs/product/stock/replenish.php @@ -65,7 +65,7 @@ $fk_supplier = GETPOST('fk_supplier', 'int'); $fk_entrepot = GETPOST('fk_entrepot', 'int'); $texte = ''; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/product/stock/stockatdate.php b/htdocs/product/stock/stockatdate.php index 59d85de6b6a..f581242c9f2 100644 --- a/htdocs/product/stock/stockatdate.php +++ b/htdocs/product/stock/stockatdate.php 
@@ -64,7 +64,7 @@ $now = dol_now(); $productid = GETPOST('productid', 'int'); $fk_warehouse = GETPOST('fk_warehouse', 'int'); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 @@ -124,7 +124,7 @@ if ($date && $dateIsValid) { // Avoid heavy sql if mandatory date is not defined $sql .= " WHERE w.entity IN (".getEntity('stock').")"; $sql .= " AND w.rowid = ps.fk_entrepot"; if (! empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) { - $sql .= " AND w.statut IN (".$this->db->escape(implode(',', $warehouseStatus)).")"; + $sql .= " AND w.statut IN (".$db->sanitize($db->escape(implode(',', $warehouseStatus))).")"; } if ($productid > 0) { $sql .= " AND ps.fk_product = ".$productid; @@ -175,7 +175,7 @@ if ($date && $dateIsValid) { $sql .= " WHERE w.entity IN (".getEntity('stock').")"; $sql .= " AND w.rowid = sm.fk_entrepot"; if (! empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) { - $sql .= " AND w.statut IN (".$this->db->escape(implode(',', $warehouseStatus)).")"; + $sql .= " AND w.statut IN (".$db->sanitize($db->escape(implode(',', $warehouseStatus))).")"; } if ($mode == 'future') { $sql .= " AND sm.datem <= '".$db->idate($dateendofday)."'"; diff --git a/htdocs/projet/activity/index.php b/htdocs/projet/activity/index.php index da8a6dc9c0c..295f96370f3 100644 --- a/htdocs/projet/activity/index.php +++ b/htdocs/projet/activity/index.php 
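Review bot: In the stockatdate.php @@ -124 hunk, replacing `$this->db` with `$db` in what appears to be script-level code (inferred from the top-level `GETPOST` assignments in the @@ -64 hunk) fixes a use of `$this` outside an object, but `$db->sanitize($db->escape(implode(',', $warehouseStatus)))` runs two filters over a list that should only hold integers. Casting the elements is simpler and states the intent: `$sql .= " AND w.statut IN (".implode(',', array_map('intval', $warehouseStatus)).")";`. The same expression is repeated in the @@ -175 hunk of this file.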
@@ -145,7 +145,7 @@ $sql .= " AND p.entity = ".$conf->entity; $sql .= " AND tt.fk_task = t.rowid"; $sql .= " AND tt.fk_user = ".$user->id; $sql .= " AND task_date BETWEEN '".$db->idate(dol_mktime(0, 0, 0, $month, $day, $year))."' AND '".$db->idate(dol_mktime(23, 59, 59, $month, $day, $year))."'"; -$sql .= " AND p.rowid in (".$projectsListId.")"; +$sql .= " AND p.rowid in (".$db->sanitize($projectsListId).")"; $sql .= " GROUP BY p.rowid, p.ref, p.title, p.public"; $resql = $db->query($sql); @@ -200,7 +200,7 @@ $sql .= " AND p.entity = ".$conf->entity; $sql .= " AND tt.fk_task = t.rowid"; $sql .= " AND tt.fk_user = ".$user->id; $sql .= " AND task_date BETWEEN '".$db->idate(dol_time_plus_duree(dol_mktime(0, 0, 0, $month, $day, $year), -1, 'd'))."' AND '".$db->idate(dol_time_plus_duree(dol_mktime(23, 59, 59, $month, $day, $year), -1, 'd'))."'"; -$sql .= " AND p.rowid in (".$projectsListId.")"; +$sql .= " AND p.rowid in (".$db->sanitize($projectsListId).")"; $sql .= " GROUP BY p.rowid, p.ref, p.title, p.public"; $resql = $db->query($sql); @@ -258,7 +258,7 @@ if ($db->type != 'pgsql') $sql.= " AND tt.fk_task = t.rowid"; $sql.= " AND tt.fk_user = ".$user->id; $sql.= " AND task_date >= '".$db->idate(dol_get_first_day($year, $month)).'" AND ..."; - $sql.= " AND p.rowid in (".$projectsListId.")"; + $sql.= " AND p.rowid in (".$db->sanitize($projectsListId).")"; $sql.= " GROUP BY p.rowid, p.ref, p.title"; $resql = $db->query($sql); @@ -315,7 +315,7 @@ if (!empty($conf->global->PROJECT_TASK_TIME_MONTH)) $sql .= " AND tt.fk_task = t.rowid"; $sql .= " AND tt.fk_user = ".$user->id; $sql .= " AND task_date BETWEEN '".$db->idate(dol_get_first_day($year, $month))."' AND '".$db->idate(dol_get_last_day($year, $month))."'"; - $sql .= " AND p.rowid in (".$projectsListId.")"; + $sql .= " AND p.rowid in (".$db->sanitize($projectsListId).")"; $sql .= " GROUP BY p.rowid, p.ref, p.title, p.public"; $resql = $db->query($sql); 
@@ -364,7 +364,7 @@ if (!empty($conf->global->PROJECT_TASK_TIME_YEAR))
$sql .= " AND tt.fk_task = t.rowid";
$sql .= " AND tt.fk_user = ".$user->id;
$sql .= " AND YEAR(task_date) = '".strftime("%Y", $now)."'";
- $sql .= " AND p.rowid in (".$projectsListId.")";
+ $sql .= " AND p.rowid in (".$db->sanitize($projectsListId).")";
$sql .= " GROUP BY p.rowid, p.ref, p.title, p.public";
$resql = $db->query($sql);
@@ -400,7 +400,7 @@ if (empty($conf->global->PROJECT_HIDE_TASKS) && !empty($conf->global->PROJECT_SH
// Get id of types of contacts for projects (This list never contains a lot of elements)
$listofprojectcontacttype = array();
$sql = "SELECT ctc.rowid, ctc.code FROM ".MAIN_DB_PREFIX."c_type_contact as ctc";
- $sql .= " WHERE ctc.element = '".$projectstatic->element."'";
+ $sql .= " WHERE ctc.element = '".$db->escape($projectstatic->element)."'";
$sql .= " AND ctc.source = 'internal'";
$resql = $db->query($sql);
if ($resql)
@@ -414,7 +414,7 @@ if (empty($conf->global->PROJECT_HIDE_TASKS) && !empty($conf->global->PROJECT_SH
// Get id of types of contacts for tasks (This list never contains a lot of elements)
$listoftaskcontacttype = array();
$sql = "SELECT ctc.rowid, ctc.code FROM ".MAIN_DB_PREFIX."c_type_contact as ctc";
- $sql .= " WHERE ctc.element = '".$taskstatic->element."'";
+ $sql .= " WHERE ctc.element = '".$db->escape($taskstatic->element)."'";
$sql .= " AND ctc.source = 'internal'";
$resql = $db->query($sql);
if ($resql)
@@ -445,7 +445,7 @@ if (empty($conf->global->PROJECT_HIDE_TASKS) && !empty($conf->global->PROJECT_SH $sql .= ", ".MAIN_DB_PREFIX."element_contact as ect"; } $sql .= " WHERE p.entity IN (".getEntity('project').")"; - if ($mine || empty($user->rights->projet->all->lire)) $sql .= " AND p.rowid IN (".$projectsListId.")"; // project i have permission on + if ($mine || empty($user->rights->projet->all->lire)) $sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")"; // project i have permission on if ($mine) // this may duplicate record if we are contact twice { $sql .= " AND ect.fk_c_type_contact IN (".join(',', array_keys($listoftaskcontacttype)).") AND ect.element_id = t.rowid AND ect.fk_socpeople = ".$user->id; diff --git a/htdocs/projet/admin/project.php b/htdocs/projet/admin/project.php index 5156794dea2..937a5d28f27 100644 --- a/htdocs/projet/admin/project.php +++ b/htdocs/projet/admin/project.php @@ -508,7 +508,7 @@ $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); @@ -657,7 +657,7 @@ if (empty($conf->global->PROJECT_HIDE_TASKS)) $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; - $sql .= " WHERE type = '".$type."'"; + $sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); diff --git a/htdocs/projet/class/api_projects.class.php b/htdocs/projet/class/api_projects.class.php index 5ef21879c7f..214cbe96154 100644 --- a/htdocs/projet/class/api_projects.class.php +++ b/htdocs/projet/class/api_projects.class.php 
@@ -131,7 +131,7 @@ class Projects extends DolibarrApi } // Select projects of given category if ($category > 0) { - $sql .= " AND c.fk_categorie = ".$db->escape($category)." AND c.fk_project = t.rowid "; + $sql .= " AND c.fk_categorie = ".$this->db->escape($category)." AND c.fk_project = t.rowid "; } // Add sql filters if ($sqlfilters) @@ -144,7 +144,7 @@ class Projects extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -152,27 +152,27 @@ class Projects extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } dol_syslog("API Rest request"); - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); - $project_static = new Project($db); + $obj = $this->db->fetch_object($result); + $project_static = new Project($this->db); if ($project_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($project_static); } $i++; } } else { - throw new RestException(503, 'Error when retrieve project list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve project list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No project found'); diff --git a/htdocs/projet/class/api_tasks.class.php b/htdocs/projet/class/api_tasks.class.php index d5ad064f84f..5181beb3707 100644 --- a/htdocs/projet/class/api_tasks.class.php +++ b/htdocs/projet/class/api_tasks.class.php 
@@ -146,7 +146,7 @@ class Tasks extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -154,28 +154,28 @@ class Tasks extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } dol_syslog("API Rest request"); - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); $i = 0; while ($i < $min) { - $obj = $db->fetch_object($result); - $task_static = new Task($db); + $obj = $this->db->fetch_object($result); + $task_static = new Task($this->db); if ($task_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($task_static); } $i++; } } else { - throw new RestException(503, 'Error when retrieve task list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve task list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No task found'); diff --git a/htdocs/projet/index.php b/htdocs/projet/index.php index 7fbe8fd17d5..847d7b03d47 100644 --- a/htdocs/projet/index.php +++ b/htdocs/projet/index.php @@ -53,7 +53,7 @@ if (!$user->rights->projet->lire) accessforbidden(); $sortfield = GETPOST("sortfield", 'alpha'); $sortorder = GETPOST("sortorder", 'alpha'); -$max = 3; +$max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT; /* @@ -362,7 +362,7 @@ if ($resql) if ($othernb) { print ''; print ''; - print '...'; + print '...'; print ''; print ''; print $othernb; diff --git a/htdocs/projet/list.php b/htdocs/projet/list.php index acc987b4364..c73a68b98ee 100644 --- a/htdocs/projet/list.php +++ b/htdocs/projet/list.php 
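Review bot: In the projet/index.php @@ -53 hunk, `$max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT;` drops the previous default of 3 without a fallback, so on an installation where that constant is not set `$max` is empty and whatever limit logic follows (outside the hunk) receives no value. A guarded form keeps the old behaviour: `$max = !empty($conf->global->MAIN_SIZE_SHORTLIST_LIMIT) ? (int) $conf->global->MAIN_SIZE_SHORTLIST_LIMIT : 3;`. The context lines above also keep `GETPOST("sortfield", 'alpha')` while the other list pages in this commit move to `'aZ09comma'`.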
@@ -282,7 +282,7 @@ if (!$user->rights->projet->all->lire) $projectsListId = $object->getProjectsAut // Get id of types of contacts for projects (This list never contains a lot of elements) $listofprojectcontacttype = array(); $sql = "SELECT ctc.rowid, ctc.code FROM ".MAIN_DB_PREFIX."c_type_contact as ctc"; -$sql .= " WHERE ctc.element = '".$object->element."'"; +$sql .= " WHERE ctc.element = '".$db->escape($object->element)."'"; $sql .= " AND ctc.source = 'internal'"; $resql = $db->query($sql); if ($resql) @@ -459,7 +459,6 @@ print ''; print ''; print ''; -print ''; print ''; // Show description of content diff --git a/htdocs/projet/tasks/list.php b/htdocs/projet/tasks/list.php index f2257bf4a87..7d1a8354bb3 100644 --- a/htdocs/projet/tasks/list.php +++ b/htdocs/projet/tasks/list.php @@ -239,7 +239,7 @@ if (!$user->rights->projet->all->lire) $projectsListId = $projectstatic->getProj // Get id of types of contacts for projects (This list never contains a lot of elements) $listofprojectcontacttype = array(); $sql = "SELECT ctc.rowid, ctc.code FROM ".MAIN_DB_PREFIX."c_type_contact as ctc"; -$sql .= " WHERE ctc.element = '".$projectstatic->element."'"; +$sql .= " WHERE ctc.element = '".$db->escape($projectstatic->element)."'"; $sql .= " AND ctc.source = 'internal'"; $resql = $db->query($sql); if ($resql) @@ -253,7 +253,7 @@ if (count($listofprojectcontacttype) == 0) $listofprojectcontacttype[0] = '0'; / // Get id of types of contacts for tasks (This list never contains a lot of elements) $listoftaskcontacttype = array(); $sql = "SELECT ctc.rowid, ctc.code FROM ".MAIN_DB_PREFIX."c_type_contact as ctc"; -$sql .= " WHERE ctc.element = '".$object->element."'"; +$sql .= " WHERE ctc.element = '".$db->escape($object->element)."'"; $sql .= " AND ctc.source = 'internal'"; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/public/opensurvey/studs.php b/htdocs/public/opensurvey/studs.php index 358bf2aa1c6..8b2e8663dac 100644 --- a/htdocs/public/opensurvey/studs.php 
+++ b/htdocs/public/opensurvey/studs.php @@ -390,7 +390,7 @@ if ($object->format == "D") for ($i = 0; isset($toutsujet[$i]); $i++) { $tmp = explode('@', $toutsujet[$i]); - print ''.$tmp[0].''."\n"; + print ''.dol_escape_htmltag($tmp[0]).''."\n"; } print ''."\n"; diff --git a/htdocs/reception/class/reception.class.php b/htdocs/reception/class/reception.class.php index 201afb161dd..8ea45ccd1c8 100644 --- a/htdocs/reception/class/reception.class.php +++ b/htdocs/reception/class/reception.class.php @@ -1012,21 +1012,20 @@ class Reception extends CommonObject public function fetch_lines() { // phpcs:enable - global $db; dol_include_once('/fourn/class/fournisseur.commande.dispatch.class.php'); $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.'commande_fournisseur_dispatch WHERE fk_reception='.$this->id; - $resql = $db->query($sql); + $resql = $this->db->query($sql); if (!empty($resql)) { $this->lines = array(); while ($obj = $resql->fetch_object()) { - $line = new CommandeFournisseurDispatch($db); + $line = new CommandeFournisseurDispatch($this->db); $line->fetch($obj->rowid); $line->fetch_product(); $sql_commfourndet = 'SELECT qty, ref, label, tva_tx, vat_src_code, subprice, multicurrency_subprice, remise_percent FROM llx_commande_fournisseurdet WHERE rowid='.$line->fk_commandefourndet; $resql_commfourndet = $db->query($sql_commfourndet); if (!empty($resql_commfourndet)) { - $obj = $db->fetch_object($resql_commfourndet); + $obj = $this->db->fetch_object($resql_commfourndet); $line->qty_asked = $obj->qty; $line->description = $line->comment; $line->desc = $line->comment; diff --git a/htdocs/reception/list.php b/htdocs/reception/list.php index a92c72a4b51..891a5630c7f 100644 --- a/htdocs/reception/list.php +++ b/htdocs/reception/list.php 
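Review bot: In the reception.class.php @@ -1012 hunk, with `global $db;` removed the unchanged line `$resql_commfourndet = $db->query($sql_commfourndet);` now reads an undefined local `$db`, so the inner query fails on every loop iteration; it should become `$resql_commfourndet = $this->db->query($sql_commfourndet);` like the other calls the hunk converts. The statement above it also builds its SQL with a hard-coded `llx_` table prefix and an uncast `$line->fk_commandefourndet`; `MAIN_DB_PREFIX.'commande_fournisseurdet'` and `((int) $line->fk_commandefourndet)` would match the conventions used elsewhere in this commit. fetch_lines() continues past the end of the hunk.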
@@ -61,7 +61,7 @@ $sall = GETPOST('sall', 'alphanohtml'); $optioncss = GETPOST('optioncss', 'alpha'); $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (!$sortfield) $sortfield = "e.ref"; diff --git a/htdocs/recruitment/admin/setup.php b/htdocs/recruitment/admin/setup.php index aa65393c7a8..72d455d7a14 100644 --- a/htdocs/recruitment/admin/setup.php +++ b/htdocs/recruitment/admin/setup.php @@ -372,7 +372,7 @@ foreach ($myTmpObjects as $myTmpObjectKey => $myTmpObjectArray) { $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; - $sql .= " WHERE type = '".$type."'"; + $sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/recruitment/admin/setup_candidatures.php b/htdocs/recruitment/admin/setup_candidatures.php index 22bdd03cfd2..e3738f57564 100644 --- a/htdocs/recruitment/admin/setup_candidatures.php +++ b/htdocs/recruitment/admin/setup_candidatures.php @@ -372,7 +372,7 @@ foreach ($myTmpObjects as $myTmpObjectKey => $myTmpObjectArray) { $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; - $sql .= " WHERE type = '".$type."'"; + $sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/recruitment/class/recruitmentcandidature.class.php b/htdocs/recruitment/class/recruitmentcandidature.class.php index 74644270e6a..df96744526b 100644 --- a/htdocs/recruitment/class/recruitmentcandidature.class.php +++ b/htdocs/recruitment/class/recruitmentcandidature.class.php 
@@ -403,7 +403,7 @@ class RecruitmentCandidature extends CommonObject } elseif ($key == 'customsql') { $sqlwhere[] = $value; } elseif (strpos($value, '%') === false) { - $sqlwhere[] = $key.' IN ('.$this->db->escape($value).')'; + $sqlwhere[] = $key.' IN ('.$this->db->sanitize($this->db->escape($value)).')'; } else { $sqlwhere[] = $key.' LIKE \'%'.$this->db->escape($value).'%\''; } diff --git a/htdocs/recruitment/class/recruitmentjobposition.class.php b/htdocs/recruitment/class/recruitmentjobposition.class.php index 0f28b34be6a..355cae49c89 100644 --- a/htdocs/recruitment/class/recruitmentjobposition.class.php +++ b/htdocs/recruitment/class/recruitmentjobposition.class.php @@ -396,7 +396,7 @@ class RecruitmentJobPosition extends CommonObject } elseif ($key == 'customsql') { $sqlwhere[] = $value; } elseif (strpos($value, '%') === false) { - $sqlwhere[] = $key.' IN ('.$this->db->escape($value).')'; + $sqlwhere[] = $key.' IN ('.$this->db->sanitize($this->db->escape($value)).')'; } else { $sqlwhere[] = $key.' LIKE \'%'.$this->db->escape($value).'%\''; } diff --git a/htdocs/recruitment/core/modules/recruitment/doc/pdf_standard_recruitmentjobposition.modules.php b/htdocs/recruitment/core/modules/recruitment/doc/pdf_standard_recruitmentjobposition.modules.php index 42b536c4bd6..ee0f63f6c4f 100644 --- a/htdocs/recruitment/core/modules/recruitment/doc/pdf_standard_recruitmentjobposition.modules.php +++ b/htdocs/recruitment/core/modules/recruitment/doc/pdf_standard_recruitmentjobposition.modules.php @@ -1051,7 +1051,7 @@ class pdf_standard_recruitmentjobposition extends ModelePDFRecruitmentJobPositio /** * Show footer of page. Need this->emetteur object * - * @param PDF $pdf PDF + * @param TCPDF $pdf PDF * @param Object $object Object to show * @param Translate $outputlangs Object lang for output * @param int $hidefreetext 1=Hide free text 
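Review bot: In the `IN (...)` branch the value now goes through sanitize(), but `$key` is still concatenated into the WHERE clause untouched, here and in the matching hunk of recruitmentjobposition.class.php; if `$key` can originate outside the class, `$this->db->sanitize($key).' IN ('` (assuming sanitize() keeps the identifier characters used for column names) or an explicit allowlist of column names closes that gap. The `customsql` branch still appends `$value` verbatim, which is presumably meant for trusted callers only; a comment such as `// 'customsql' is appended as raw SQL: callers must never pass request data here` on that branch would make the contract explicit. The enclosing method starts and ends outside the hunk.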
diff --git a/htdocs/recruitment/recruitmentcandidature_list.php b/htdocs/recruitment/recruitmentcandidature_list.php index f3ee50665e0..1db036f6878 100644 --- a/htdocs/recruitment/recruitmentcandidature_list.php +++ b/htdocs/recruitment/recruitmentcandidature_list.php @@ -83,7 +83,7 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters diff --git a/htdocs/recruitment/recruitmentindex.php b/htdocs/recruitment/recruitmentindex.php index 6e710163396..93e4c53eb7c 100644 --- a/htdocs/recruitment/recruitmentindex.php +++ b/htdocs/recruitment/recruitmentindex.php @@ -317,8 +317,8 @@ END MODULEBUILDER DRAFT MYOBJECT */ print '
'; -$NBMAX = 3; -$max = 3; +$NBMAX = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT; +$max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT; // Last modified job position if (!empty($conf->recruitment->enabled) && $user->rights->recruitment->recruitmentjobposition->read) diff --git a/htdocs/recruitment/recruitmentjobposition_list.php b/htdocs/recruitment/recruitmentjobposition_list.php index a0194feb647..24c98a3fbb9 100644 --- a/htdocs/recruitment/recruitmentjobposition_list.php +++ b/htdocs/recruitment/recruitmentjobposition_list.php @@ -83,7 +83,7 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters diff --git a/htdocs/resource/document.php b/htdocs/resource/document.php index fa7fb07dbb0..0e1e6ba5cc1 100644 --- a/htdocs/resource/document.php +++ b/htdocs/resource/document.php @@ -50,7 +50,7 @@ $result = restrictedArea($user, 'resource', $id, 'resource'); // Get parameters $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/resource/list.php b/htdocs/resource/list.php index 4dca64b47a6..e2d10ffceef 100644 --- a/htdocs/resource/list.php +++ b/htdocs/resource/list.php 
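Review bot: `$NBMAX = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT;` replaces a hard-coded 3 with a setting that may be undefined on an instance that never set it, in which case `$NBMAX` and `$max` become null instead of 3 and whatever consumes them as a list limit changes behaviour. A fallback keeps the previous default: `$max = empty($conf->global->MAIN_SIZE_SHORTLIST_LIMIT) ? 3 : (int) $conf->global->MAIN_SIZE_SHORTLIST_LIMIT;` followed by `$NBMAX = $max;`. How `$max` is consumed lies outside the hunk, so the exact effect of a null limit cannot be confirmed from here.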
@@ -39,7 +39,7 @@ $element_id = GETPOST('element_id', 'int'); $resource_id = GETPOST('resource_id', 'int'); $sortorder = GETPOST('sortorder', 'alpha'); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); // Initialize context for list $contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'resourcelist'; diff --git a/htdocs/salaries/class/salariesstats.class.php b/htdocs/salaries/class/salariesstats.class.php index 3601e14bcdc..f20bde818a1 100644 --- a/htdocs/salaries/class/salariesstats.class.php +++ b/htdocs/salaries/class/salariesstats.class.php @@ -119,7 +119,7 @@ class SalariesStats extends Stats { $sql = "SELECT date_format(datep,'%m') as dm, sum(".$this->field.")"; $sql .= " FROM ".$this->from; - $sql .= " WHERE date_format(datep,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(datep,'%Y') = '".$this->db->escape($year)."'"; $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); @@ -140,7 +140,7 @@ class SalariesStats extends Stats { $sql = "SELECT date_format(datep,'%m') as dm, avg(".$this->field.")"; $sql .= " FROM ".$this->from; - $sql .= " WHERE date_format(datep,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(datep,'%Y') = '".$this->db->escape($year)."'"; $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); diff --git a/htdocs/salaries/document.php b/htdocs/salaries/document.php index 06d572012bb..403a5b3af3b 100644 --- a/htdocs/salaries/document.php +++ b/htdocs/salaries/document.php 
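Review bot: `$this->db->escape($year)` in both hunks of salariesstats.class.php keeps `$year` as a quoted string although it is compared against a four-digit year; a cast is the tighter form and matches the integer casts the commit uses elsewhere: `$sql .= " WHERE date_format(datep,'%Y') = '".((int) $year)."'";`. `$this->field`, `$this->from` and `$this->where` are still interpolated raw, which is fine only as long as they are set inside the class; if subclasses or callers can set them, they remain the injection surface in these methods. The enclosing methods start and end outside the hunks.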
@@ -51,7 +51,7 @@ $result = restrictedArea($user, 'salaries', '', '', ''); // Get parameters $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/salaries/list.php b/htdocs/salaries/list.php index 051f18c62cb..9341599ba70 100644 --- a/htdocs/salaries/list.php +++ b/htdocs/salaries/list.php @@ -184,12 +184,10 @@ if ($result) // Date print ''; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_date_start ? $search_date_start : -1, 'search_date_start', 0, 0, 1); + print $form->selectDate($search_date_start ? $search_date_start : -1, 'search_date_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_date_end ? $search_date_end : -1, 'search_date_end', 0, 0, 1); + print $form->selectDate($search_date_end ? $search_date_end : -1, 'search_date_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')); print '
'; print ''; // Type diff --git a/htdocs/societe/admin/societe.php b/htdocs/societe/admin/societe.php index 69f5e373725..a66f17ca915 100644 --- a/htdocs/societe/admin/societe.php +++ b/htdocs/societe/admin/societe.php @@ -119,7 +119,7 @@ if ($action == 'set') $type = 'company'; $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)"; - $sql .= " VALUES ('".$db->escape($value)."','".$type."',".$conf->entity.", "; + $sql .= " VALUES ('".$db->escape($value)."','".$db->escape($type)."',".$conf->entity.", "; $sql .= ($label ? "'".$db->escape($label)."'" : 'null').", "; $sql .= (!empty($scandir) ? "'".$db->escape($scandir)."'" : "null"); $sql .= ")"; @@ -133,7 +133,7 @@ if ($action == 'del') { $type = 'company'; $sql = "DELETE FROM ".MAIN_DB_PREFIX."document_model"; - $sql .= " WHERE nom='".$db->escape($value)."' AND type='".$type."' AND entity=".$conf->entity; + $sql .= " WHERE nom='".$db->escape($value)."' AND type='".$db->escape($type)."' AND entity=".$conf->entity; $resql = $db->query($sql); if (!$resql) dol_print_error($db); } @@ -152,13 +152,13 @@ if ($action == 'setdoc') $type = 'company'; $sql_del = "DELETE FROM ".MAIN_DB_PREFIX."document_model"; $sql_del .= " WHERE nom = '".$db->escape(GETPOST('value', 'alpha'))."'"; - $sql_del .= " AND type = '".$type."'"; + $sql_del .= " AND type = '".$db->escape($type)."'"; $sql_del .= " AND entity = ".$conf->entity; dol_syslog("societe.php ".$sql); $result1 = $db->query($sql_del); $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)"; - $sql .= " VALUES ('".$db->escape($value)."', '".$type."', ".$conf->entity.", "; + $sql .= " VALUES ('".$db->escape($value)."', '".$db->escape($type)."', ".$conf->entity.", "; $sql .= ($label ? "'".$db->escape($label)."'" : 'null').", "; $sql .= (!empty($scandir) ? "'".$db->escape($scandir)."'" : "null"); $sql .= ")"; 
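Review bot: The two new `$form->selectDate(...)` calls pass eleven positional placeholder arguments (`'', 1, 0, 0, '', '', '', '', 1, '', ...`) only to reach the label parameter, which makes the intent unreadable and fragile against any change in selectDate()'s signature. A one-line comment above each call naming the non-default positions (e.g. `// selectDate(..., $addnowlink=1, ..., $placeholder=..., $prefix=label)`, adjusted to the real parameter names), or a small local helper holding the shared defaults, would make the change reviewable. The enclosing output block continues outside the hunk.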
diff --git a/htdocs/societe/card.php b/htdocs/societe/card.php index b19c3bc814a..42de4d74b39 100644 --- a/htdocs/societe/card.php +++ b/htdocs/societe/card.php @@ -1181,12 +1181,12 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) print ''.$form->editfieldkey('ThirdPartyName', 'name', '', $object, 0).''; } print 'global->SOCIETE_USEPREFIX) ? ' colspan="3"' : '').'>'; - print ''; + print ''; print $form->widgetForTranslation("name", $object, $permissiontoadd, 'string', 'alpahnohtml', 'minwidth300'); print ''; if (!empty($conf->global->SOCIETE_USEPREFIX)) // Old not used prefix field { - print ''.$langs->trans('Prefix').''; + print ''.$langs->trans('Prefix').''; } print ''; @@ -1197,7 +1197,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { // Firstname print ''.$form->editfieldkey('FirstName', 'firstname', '', $object, 0).''; - print ''; + print ''; print ''; // Title @@ -1209,7 +1209,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) // Alias names (commercial, trademark or alias names) print ''; - print ''; + print ''; // Prospect/Customer print ''.$form->editfieldkey('ProspectCustomer', 'customerprospect', '', $object, 0, 'string', '', 1).''; @@ -1274,7 +1274,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) if (!empty($conf->barcode->enabled)) { print ''.$form->editfieldkey('Gencod', 'barcode', '', $object, 0).''; - print ''; + print ''; print ''; } @@ -1284,7 +1284,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) print ''; print ''; print ''; print $form->widgetForTranslation("address", $object, $permissiontoadd, 'textarea', 'alphanohtml', 'quatrevingtpercent'); print ''; @@ -1857,7 +1857,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) print ''; } elseif ($object->codefournisseur_modifiable()) { - print ''; + print ''; } else { print $object->code_fournisseur; print ''; 
@@ -1873,7 +1873,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) if (!empty($conf->barcode->enabled)) { print ''.$form->editfieldkey('Gencod', 'barcode', '', $object, 0).''; - print ''; + print ''; print ''; } @@ -1885,7 +1885,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) // Address print ''.$form->editfieldkey('Address', 'address', '', $object, 0).''; print ''; print $form->widgetForTranslation("address", $object, $permissiontoadd, 'textarea', 'alphanohtml', 'quatrevingtpercent'); print ''; @@ -2280,7 +2280,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) if (!empty($conf->barcode->enabled)) { print ''; - print $langs->trans('Gencod').''.$object->barcode; + print $langs->trans('Gencod').''.dol_escape_htmltag($object->barcode); print ''; print ''; } @@ -2418,7 +2418,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) if ($object->tva_intra) { $s = ''; - $s .= $object->tva_intra; + $s .= dol_escape_htmltag($object->tva_intra); $s .= ''; if (empty($conf->global->MAIN_DISABLEVATCHECK) && isInEEC($object)) diff --git a/htdocs/societe/class/api_contacts.class.php b/htdocs/societe/class/api_contacts.class.php index 37d9239265f..d5280ee80dd 100644 --- a/htdocs/societe/class/api_contacts.class.php +++ b/htdocs/societe/class/api_contacts.class.php 
@@ -98,6 +98,48 @@ class Contacts extends DolibarrApi return $this->_cleanObjectDatas($this->contact); } + /** + * Get properties of a contact object by Email + * + * @param string $email Email of contact + * @param int $includecount Count and return also number of elements the contact is used as a link for + * @return array|mixed data without useless information + * + * @url GET email/{email} + * + * @throws RestException 401 Insufficient rights + * @throws RestException 404 User or group not found + */ + public function getByEmail($email, $includecount = 0) + { + if (!DolibarrApiAccess::$user->rights->societe->contact->lire) + { + throw new RestException(401, 'No permission to read contacts'); + } + if (empty($email)) { + $result = $this->contact->initAsSpecimen(); + } else { + $result = $this->contact->fetch('', '', '', $email); + } + + if (!$result) + { + throw new RestException(404, 'Contact not found'); + } + + if (!DolibarrApi::_checkAccessToResource('contact', $this->contact->id, 'socpeople&societe')) + { + throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login); + } + + if ($includecount) + { + $this->contact->load_ref_elements(); + } + + return $this->_cleanObjectDatas($this->contact); + } + /** * List contacts * @@ -160,7 +202,7 @@ class Contacts extends DolibarrApi // Select contacts of given category if ($category > 0) { - $sql .= " AND c.fk_categorie = ".$db->escape($category); + $sql .= " AND c.fk_categorie = ".$this->db->escape($category); $sql .= " AND c.fk_socpeople = t.rowid "; } @@ -175,7 +217,7 @@ class Contacts extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { 
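Review bot: The docblock of the new getByEmail() says `@throws RestException 404 User or group not found`, which looks copied from another endpoint; it should read `@throws RestException 404 Contact not found` to match the message actually thrown. `$this->contact->fetch('', '', '', $email)` presumably returns the first match, so if several contacts share an email the endpoint silently returns one of them; a sentence in the docblock stating that, and that an empty `$email` returns the specimen record, would document the contract. Since the email is part of the URL path, the docblock could also note that callers must URL-encode it.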
@@ -185,18 +227,18 @@ class Contacts extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); $i = 0; while ($i < $min) { - $obj = $db->fetch_object($result); - $contact_static = new Contact($db); + $obj = $this->db->fetch_object($result); + $contact_static = new Contact($this->db); if ($contact_static->fetch($obj->rowid)) { if ($includecount) diff --git a/htdocs/societe/class/api_thirdparties.class.php b/htdocs/societe/class/api_thirdparties.class.php index 48b6f989408..8551cb61f10 100644 --- a/htdocs/societe/class/api_thirdparties.class.php +++ b/htdocs/societe/class/api_thirdparties.class.php 
@@ -160,7 +160,9 @@ class Thirdparties extends DolibarrApi // Select thirdparties of given category if ($category > 0) { - if (!empty($mode) && $mode != 4) { $sql .= " AND c.fk_categorie = ".$db->escape($category)." AND c.fk_soc = t.rowid"; } elseif (!empty($mode) && $mode == 4) { $sql .= " AND cc.fk_categorie = ".$db->escape($category)." AND cc.fk_soc = t.rowid"; } else { $sql .= " AND ((c.fk_categorie = ".$db->escape($category)." AND c.fk_soc = t.rowid) OR (cc.fk_categorie = ".$db->escape($category)." AND cc.fk_soc = t.rowid))"; } + if (!empty($mode) && $mode != 4) { $sql .= " AND c.fk_categorie = ".$this->db->escape($category)." AND c.fk_soc = t.rowid"; } + elseif (!empty($mode) && $mode == 4) { $sql .= " AND cc.fk_categorie = ".$this->db->escape($category)." AND cc.fk_soc = t.rowid"; } + else { $sql .= " AND ((c.fk_categorie = ".$this->db->escape($category)." AND c.fk_soc = t.rowid) OR (cc.fk_categorie = ".$this->db->escape($category)." AND cc.fk_soc = t.rowid))"; } } if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) || $search_sale > 0) $sql .= " AND t.rowid = sc.fk_soc"; @@ -183,7 +185,7 @@ class Thirdparties extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) 
@@ -192,26 +194,26 @@ class Thirdparties extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); $i = 0; while ($i < $min) { - $obj = $db->fetch_object($result); - $soc_static = new Societe($db); + $obj = $this->db->fetch_object($result); + $soc_static = new Societe($this->db); if ($soc_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($soc_static); } $i++; } } else { - throw new RestException(503, 'Error when retrieve thirdparties : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve thirdparties : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'Thirdparties not found'); @@ -313,7 +315,7 @@ class Thirdparties extends DolibarrApi throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login); } - $this->companytoremove = new Societe($db); + $this->companytoremove = new Societe($this->db); $result = $this->companytoremove->fetch($idtodelete); // include the fetch of extra fields if (!$result) { @@ -332,7 +334,7 @@ class Thirdparties extends DolibarrApi // Call same code than into action 'confirm_merge' - $db->begin(); + $this->db->begin(); // Recopy some data $object->client = $object->client | $soc_origin->client; @@ -369,7 +371,7 @@ class Thirdparties extends DolibarrApi } // Merge categories - $static_cat = new Categorie($db); + $static_cat = new Categorie($this->db); $custcats = $static_cat->containing($soc_origin->id, 'customer', 'id'); $object->setCategories($custcats, 'customer'); $suppcats = $static_cat->containing($soc_origin->id, 'supplier', 'id'); 
@@ -426,10 +428,10 @@ class Thirdparties extends DolibarrApi { require_once DOL_DOCUMENT_ROOT.$object_file; - if (!$errors && !$object_name::replaceThirdparty($db, $soc_origin->id, $object->id)) + if (!$errors && !$object_name::replaceThirdparty($this->db, $soc_origin->id, $object->id)) { $errors++; - //setEventMessages($db->lasterror(), null, 'errors'); + //setEventMessages($this->db->lasterror(), null, 'errors'); } } } @@ -477,11 +479,11 @@ class Thirdparties extends DolibarrApi if ($error) { - $db->rollback(); + $this->db->rollback(); throw new RestException(500, 'Error failed to merged thirdparty '.$this->companytoremove->id.' into '.$id.'. Enable and read log file for more information.'); } else { - $db->commit(); + $this->db->commit(); } return $this->get($id); @@ -1155,7 +1157,7 @@ class Thirdparties extends DolibarrApi if ($id) $sql .= " WHERE fk_soc = ".$id." "; - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result->num_rows == 0) { throw new RestException(404, 'Account not found'); @@ -1167,11 +1169,11 @@ class Thirdparties extends DolibarrApi if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); while ($i < $num) { - $obj = $db->fetch_object($result); - $account = new CompanyBankAccount($db); + $obj = $this->db->fetch_object($result); + $account = new CompanyBankAccount($this->db); if ($account->fetch($obj->rowid)) { $accounts[] = $account; } @@ -1435,7 +1437,7 @@ class Thirdparties extends DolibarrApi $sql .= " WHERE fk_soc = $id"; if ($site) $sql .= " AND site ='$site'"; - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result->num_rows == 0) { throw new RestException(404, 'This thirdparty does not have any gateway attached or does not exist.'); 
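Review bot: `if ($id) $sql .= " WHERE fk_soc = ".$id." ";` in the `@@ -1155` hunk concatenates `$id` without a cast, and the same pattern remains in the `@@ -1435`, `@@ -1505`, `@@ -1560`, `@@ -1644`, `@@ -1690` and `@@ -1739` hunks of this file, even though the commit casts `$rowid` with `((int) $rowid)` in societe.class.php; `" WHERE fk_soc = ".((int) $id)` would make these consistent. `$result->num_rows` is then read without checking that `$this->db->query()` returned a result object, so a failed query surfaces as a property access on false rather than the 503 the list method raises. The enclosing method starts before the hunk.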
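Review bot: `if ($site) $sql .= " AND site ='$site'";` in the `@@ -1435` hunk still interpolates `$site` unescaped, while the commit escapes the same parameter in the `@@ -1560` and `@@ -1690` hunks of this file; the `@@ -1644` hunk has the same leftover in `site = '$site'`. Both should become `" AND site = '".$this->db->escape($site)."'"` so every path that reads a site key from the request is covered. The enclosing methods start before their hunks.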
@@ -1445,11 +1447,11 @@ class Thirdparties extends DolibarrApi $accounts = array(); - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); while ($i < $num) { - $obj = $db->fetch_object($result); - $account = new SocieteAccount($db); + $obj = $this->db->fetch_object($result); + $account = new SocieteAccount($this->db); if ($account->fetch($obj->rowid)) { $accounts[] = $account; @@ -1505,8 +1507,8 @@ class Thirdparties extends DolibarrApi throw new RestException(422, 'Unprocessable Entity: You must pass the site attribute in your request data !'); } - $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = ".$id." AND site = '".$request_data['site']."' "; - $result = $db->query($sql); + $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = ".$id." AND site = '".$this->db->escape($request_data['site'])."'"; + $result = $this->db->query($sql); if ($result->num_rows == 0) { $account = new SocieteAccount($this->db); @@ -1560,8 +1562,8 @@ class Thirdparties extends DolibarrApi throw new RestException(401); } - $sql = "SELECT rowid, fk_user_creat, date_creation FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = $id AND site = '$site' "; - $result = $db->query($sql); + $sql = "SELECT rowid, fk_user_creat, date_creation FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = $id AND site = '".$this->db->escape($site)."'"; + $result = $this->db->query($sql); // We do not found an existing SocieteAccount entity for this fk_soc and site ; we then create a new one. if ($result->num_rows == 0) { 
@@ -1586,15 +1588,15 @@ class Thirdparties extends DolibarrApi // We found an existing SocieteAccount entity, we are replacing it } else { if (isset($request_data['site']) && $request_data['site'] !== $site) { - $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = ".$id." AND site = '".$request_data['site']."' "; - $result = $db->query($sql); + $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = ".$id." AND site = '".$this->db->escape($request_data['site'])."' "; + $result = $this->db->query($sql); if ($result->num_rows !== 0) { throw new RestException(409, "You are trying to update this thirdparty SocieteAccount (gateway record) from $site to ".$request_data['site']." but another SocieteAccount entity already exists with this site key."); } } - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $account = new SocieteAccount($this->db); $account->id = $obj->rowid; 
@@ -1644,21 +1646,21 @@ class Thirdparties extends DolibarrApi } $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = $id AND site = '$site' "; - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result->num_rows == 0) { throw new RestException(404, "This thirdparty does not have $site gateway attached or does not exist."); } else { // If the user tries to edit the site member, we check first if if (isset($request_data['site']) && $request_data['site'] !== $site) { - $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = ".$id." AND site = '".$request_data['site']."' "; - $result = $db->query($sql); + $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = ".$id." AND site = '".$this->db->escape($request_data['site'])."' "; + $result = $this->db->query($sql); if ($result->num_rows !== 0) throw new RestException(409, "You are trying to update this thirdparty SocieteAccount (gateway record) site member from $site to ".$request_data['site']." but another SocieteAccount entity already exists for this thirdparty with this site key."); } - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $account = new SocieteAccount($this->db); $account->fetch($obj->rowid); 
@@ -1690,20 +1692,19 @@ class Thirdparties extends DolibarrApi */ public function deleteSocieteAccount($id, $site) { - global /** @var Database $db */ - $db; + global $db; if (!DolibarrApiAccess::$user->rights->societe->creer) { throw new RestException(401); } - $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = $id AND site = '$site' "; - $result = $db->query($sql); + $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = $id AND site = '".$this->db->escape($site)."'"; + $result = $this->db->query($sql); if ($result->num_rows == 0) { throw new RestException(404); } else { - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $account = new SocieteAccount($this->db); $account->fetch($obj->rowid); @@ -1727,8 +1728,7 @@ class Thirdparties extends DolibarrApi */ public function deleteSocieteAccounts($id) { - global /** @var Database $db */ - $db; + global $db; if (!DolibarrApiAccess::$user->rights->societe->creer) { throw new RestException(401); @@ -1739,20 +1739,20 @@ class Thirdparties extends DolibarrApi */ $sql = "SELECT rowid, fk_soc, key_account, site, date_creation, tms"; - $sql .= " FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = $id "; + $sql .= " FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = ".$id; - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result->num_rows == 0) { throw new RestException(404, 'This third party does not have any gateway attached or does not exist.'); } else { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); while ($i < $num) { - $obj = $db->fetch_object($result); - $account = new SocieteAccount($db); + $obj = $this->db->fetch_object($result); + $account = new SocieteAccount($this->db); $account->fetch($obj->rowid); if ($account->delete(DolibarrApiAccess::$user) < 0) { diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php index 4f41326b175..f28c6953d82 100644 
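Review bot: `global $db;` is kept in deleteSocieteAccount() and deleteSocieteAccounts() although every use visible in these hunks now goes through `$this->db`, so the declaration is dead and leaves a second handle that a later edit may reach for by mistake; drop the `global $db;` line in both methods if nothing outside the hunks uses it. In deleteSocieteAccounts() the `@@ -1739` hunk changes `fk_soc = $id ` to `fk_soc = ".$id` without adding a cast, so the rewrite does not change what reaches the database; `" WHERE fk_soc = ".((int) $id)` would. Both method bodies continue outside the hunks.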
--- a/htdocs/societe/class/societe.class.php +++ b/htdocs/societe/class/societe.class.php @@ -820,12 +820,11 @@ class Societe extends CommonObject { $this->entity = ((isset($this->entity) && is_numeric($this->entity)) ? $this->entity : $conf->entity); - $sql = "INSERT INTO ".MAIN_DB_PREFIX."societe (nom, name_alias, entity, datec, fk_user_creat, canvas, status, ref_int, ref_ext, fk_stcomm, fk_incoterms, location_incoterms ,import_key, fk_multicurrency, multicurrency_code)"; + $sql = "INSERT INTO ".MAIN_DB_PREFIX."societe (nom, name_alias, entity, datec, fk_user_creat, canvas, status, ref_ext, fk_stcomm, fk_incoterms, location_incoterms ,import_key, fk_multicurrency, multicurrency_code)"; $sql .= " VALUES ('".$this->db->escape($this->name)."', '".$this->db->escape($this->name_alias)."', ".$this->db->escape($this->entity).", '".$this->db->idate($now)."'"; - $sql .= ", ".(!empty($user->id) ? "'".$user->id."'" : "null"); + $sql .= ", ".(!empty($user->id) ? ((int) $user->id) : "null"); $sql .= ", ".(!empty($this->canvas) ? "'".$this->db->escape($this->canvas)."'" : "null"); $sql .= ", ".$this->status; - $sql .= ", ".(!empty($this->ref_int) ? "'".$this->db->escape($this->ref_int)."'" : "null"); $sql .= ", ".(!empty($this->ref_ext) ? "'".$this->db->escape($this->ref_ext)."'" : "null"); $sql .= ", 0"; $sql .= ", ".(int) $this->fk_incoterms; @@ -2742,7 +2741,7 @@ class Societe extends CommonObject $sql = "SELECT rowid, email, phone_mobile, lastname, firstname"; $sql .= " FROM ".MAIN_DB_PREFIX."socpeople"; - $sql .= " WHERE rowid = '".$rowid."'"; + $sql .= " WHERE rowid = ".((int) $rowid); $resql = $this->db->query($sql); if ($resql) 
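Review bot: The `@@ -820` hunk drops the `ref_int` column and its value from the INSERT, so a caller that still sets `$this->ref_int` before create() now has it silently ignored; if the property is deprecated rather than removed, a `@deprecated` note on it, or a dol_syslog line when it is non-empty, would make that visible. In the same statement `$this->status` is concatenated raw and `$this->entity` goes through escape() although it was checked with is_numeric() on the line above; `((int) $this->status)` and `((int) $this->entity)` match the cast the hunk introduces for `$user->id`. create() starts before the hunk.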
@@ -3186,7 +3185,7 @@ class Societe extends CommonObject } //Verify duplicate entries - $sql = "SELECT COUNT(*) as idprof FROM ".MAIN_DB_PREFIX."societe WHERE ".$field." = '".$value."' AND entity IN (".getEntity('societe').")"; + $sql = "SELECT COUNT(*) as idprof FROM ".MAIN_DB_PREFIX."societe WHERE ".$field." = '".$this->db->escape($value)."' AND entity IN (".getEntity('societe').")"; if ($socid) $sql .= " AND rowid <> ".$socid; $resql = $this->db->query($sql); if ($resql) diff --git a/htdocs/societe/list.php b/htdocs/societe/list.php index 2452f7ec94f..15853f13a66 100644 --- a/htdocs/societe/list.php +++ b/htdocs/societe/list.php @@ -457,7 +457,7 @@ if ($search_town) $sql .= natural_search("s.town", $search_town); if (strlen($search_zip)) $sql .= natural_search("s.zip", $search_zip); if ($search_state) $sql .= natural_search("state.nom", $search_state); if ($search_region) $sql .= natural_search("region.nom", $search_region); -if ($search_country && $search_country != '-1') $sql .= " AND s.fk_pays IN (".$db->escape($search_country).')'; +if ($search_country && $search_country != '-1') $sql .= " AND s.fk_pays IN (".$db->sanitize($db->escape($search_country)).')'; if ($search_email) $sql .= natural_search("s.email", $search_email); if (strlen($search_phone)) $sql .= natural_search("s.phone", $search_phone); if (strlen($search_fax)) $sql .= natural_search("s.fax", $search_fax); 
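Review bot: `WHERE ".$field." = '...'` in the duplicate-entry check still concatenates `$field` as a column name without validation while the hunk escapes only `$value`; escaping does nothing for an identifier, so unless `$field` is restricted to the idprof column names before this point (not visible in the hunk), `$this->db->sanitize($field)` or an explicit allowlist is needed here. `" AND rowid <> ".$socid` should likewise become `" AND rowid <> ".((int) $socid)`, matching the cast the commit applies in the `@@ -2742` hunk. The enclosing method starts and ends outside the hunk.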
@@ -470,7 +470,7 @@ if (strlen($search_idprof5)) $sql .= natural_search("s.idprof5", $search_idprof5 if (strlen($search_idprof6)) $sql .= natural_search("s.idprof6", $search_idprof6); if (strlen($search_vat)) $sql .= natural_search("s.tva_intra", $search_vat); // Filter on type of thirdparty -if ($search_type > 0 && in_array($search_type, array('1,3', '2,3'))) $sql .= " AND s.client IN (".$db->escape($search_type).")"; +if ($search_type > 0 && in_array($search_type, array('1,3', '2,3'))) $sql .= " AND s.client IN (".$db->sanitize($db->escape($search_type)).")"; if ($search_type > 0 && in_array($search_type, array('4'))) $sql .= " AND s.fournisseur = 1"; if ($search_type == '0') $sql .= " AND s.client = 0 AND s.fournisseur = 0"; if ($search_status != '' && $search_status >= 0) $sql .= natural_search("s.status", $search_status, 2); @@ -610,11 +610,16 @@ if (!empty($type)) } // Show the new button only when this page is not opend from the Extended POS (pop-up window) +// but allow it too, when a user has the rights to create a new customer if($contextpage != 'poslist') { $url = DOL_URL_ROOT.'/societe/card.php?action=create'.$typefilter; if (!empty($socid)) $url .= '&socid='.$socid; $newcardbutton = dolGetButtonTitle($langs->trans($label), '', 'fa fa-plus-circle', $url, '', $user->rights->societe->creer); +} elseif ($user->rights->societe->creer) { + $url = DOL_URL_ROOT.'/societe/card.php?action=create&type=c&contextpage=poslist&optioncss=print&backtopage='.$_SERVER["PHP_SELF"].'?contextpage=poslist&nomassaction=1&optioncss=print&place='.urlencode($place); + $label = 'MenuNewCustomer'; + $newcardbutton .= dolGetButtonTitle($langs->trans($label), '', 'fa fa-plus-circle', $url); } print '
'; diff --git a/htdocs/societe/paymentmodes.php b/htdocs/societe/paymentmodes.php index 739c4456a78..26828773753 100644 --- a/htdocs/societe/paymentmodes.php +++ b/htdocs/societe/paymentmodes.php @@ -551,10 +551,10 @@ if (empty($reshook)) $db->begin(); if (empty($newcu)) { - $sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_account WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$site_account."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; + $sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_account WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; } else { $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX."societe_account"; - $sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$site_account."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified ! + $sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified ! } $resql = $db->query($sql); 
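Review bot: The new `elseif` branch of the -610 hunk builds `backtopage` from `$_SERVER["PHP_SELF"].'?contextpage=poslist&nomassaction=1&optioncss=print&place='.urlencode($place)` without encoding the whole value, so the `?` and `&` inside it are parsed as separators of the card.php URL and only the path plus `contextpage=poslist` survive as the backtopage parameter. Encode the complete return URL instead: `'&backtopage='.urlencode($_SERVER["PHP_SELF"].'?contextpage=poslist&nomassaction=1&optioncss=print&place='.$place)`. The branch also uses `$newcardbutton .=` where the `if` branch uses `=`; if `$newcardbutton` is not initialised earlier in the file this emits a notice, so `=` looks like the intent.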
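Review bot: Both queries in the -551 hunk still concatenate `$servicestatus` and `$object->id` into `status = ` and `fk_soc = ` without a cast, while the commit only escapes `$site_account`; use `".((int) $object->id)."` and `".((int) $servicestatus)."` in the same way the other hunks of this commit cast ids. The same pattern appears in the -577 hunk of this file. Where `$servicestatus` is assigned is outside the hunk, so whether it is already an int cannot be confirmed here.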
@@ -577,8 +577,8 @@ if (empty($reshook)) } } else { $sql = 'UPDATE '.MAIN_DB_PREFIX."societe_account"; - $sql .= " SET key_account = '".$db->escape(GETPOST('key_account', 'alpha'))."', site_account = '".$site_account."'"; - $sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$site_account."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified ! + $sql .= " SET key_account = '".$db->escape(GETPOST('key_account', 'alpha'))."', site_account = '".$db->escape($site_account)."'"; + $sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified ! $resql = $db->query($sql); } } @@ -602,9 +602,9 @@ if (empty($reshook)) $db->begin(); if (empty($newsup)) { - $sql = "DELETE FROM ".MAIN_DB_PREFIX."oauth_token WHERE fk_soc = ".$object->id." AND service = '".$service."' AND entity = ".$conf->entity; + $sql = "DELETE FROM ".MAIN_DB_PREFIX."oauth_token WHERE fk_soc = ".$object->id." AND service = '".$db->escape($service)."' AND entity = ".$conf->entity; // TODO Add site and site_account on oauth_token table - //$sql = "DELETE FROM ".MAIN_DB_PREFIX."oauth_token WHERE site = 'stripe' AND (site_account IS NULL or site_account = '".$site_account."') AND fk_soc = ".$object->id." AND service = '".$service."' AND entity = ".$conf->entity; + //$sql = "DELETE FROM ".MAIN_DB_PREFIX."oauth_token WHERE site = 'stripe' AND (site_account IS NULL or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND service = '".$db->escape($service)."' AND entity = ".$conf->entity; } else { try { $stripesup = \Stripe\Account::retrieve($db->escape(GETPOST('key_account_supplier', 'alpha'))); 
@@ -612,9 +612,9 @@ if (empty($reshook)) $tokenstring['type'] = $stripesup->type; $sql = "UPDATE ".MAIN_DB_PREFIX."oauth_token"; $sql .= " SET tokenstring = '".dol_json_encode($tokenstring)."'"; - $sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '".$site_account."') AND fk_soc = ".$object->id." AND service = '".$service."' AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified ! + $sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND service = '".$db->escape($service)."' AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified ! // TODO Add site and site_account on oauth_token table - $sql .= " WHERE fk_soc = ".$object->id." AND service = '".$service."' AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified ! + $sql .= " WHERE fk_soc = ".$object->id." AND service = '".$db->escape($service)."' AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified ! } catch (Exception $e) { $error++; setEventMessages($e->getMessage(), null, 'errors'); @@ -630,7 +630,7 @@ if (empty($reshook)) $tokenstring['stripe_user_id'] = $stripesup->id; $tokenstring['type'] = $stripesup->type; $sql = "INSERT INTO ".MAIN_DB_PREFIX."oauth_token (service, fk_soc, entity, tokenstring)"; - $sql .= " VALUES ('".$service."', ".$object->id.", ".$conf->entity.", '".dol_json_encode($tokenstring)."')"; + $sql .= " VALUES ('".$db->escape($service)."', ".$object->id.", ".$conf->entity.", '".dol_json_encode($tokenstring)."')"; // TODO Add site and site_account on oauth_token table } catch (Exception $e) { $error++; diff --git a/htdocs/societe/price.php b/htdocs/societe/price.php index 48cc398bf87..8fb17a59e3f 100644 --- a/htdocs/societe/price.php +++ b/htdocs/societe/price.php 
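Review bot: The UPDATE in this hunk appends two WHERE clauses, the `WHERE site = 'stripe' AND (site_account IS NULL ...)` line and, after the TODO comment, `WHERE fk_soc = ... AND service = ... AND entity = ...`, so the statement as built is not valid SQL. Given the TODO says site/site_account do not exist on oauth_token yet (and the matching DELETE in the -602 hunk keeps that variant commented out), the first WHERE line should be commented out or removed so only the second remains. The JSON written with `tokenstring = '".dol_json_encode($tokenstring)."'` is also not passed through `$db->escape()`; json_encode does not escape single quotes, so `'".$db->escape(dol_json_encode($tokenstring))."'` is the safe form, here and in the INSERT of the -630 hunk.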
@@ -105,9 +105,9 @@ if (empty($reshook)) // Get record from code $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'"; $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1"; - $sql .= " AND t.code ='".$vatratecode."'"; + $sql .= " AND t.code ='".$db->escape($vatratecode)."'"; $resql = $db->query($sql); if ($resql) { diff --git a/htdocs/societe/tpl/linesalesrepresentative.tpl.php b/htdocs/societe/tpl/linesalesrepresentative.tpl.php index 9c6e485e97d..039379be8c7 100644 --- a/htdocs/societe/tpl/linesalesrepresentative.tpl.php +++ b/htdocs/societe/tpl/linesalesrepresentative.tpl.php @@ -49,7 +49,7 @@ if ($action == 'editsalesrepresentatives') { } else { $listsalesrepresentatives = $object->getSalesRepresentatives($user); $nbofsalesrepresentative = count($listsalesrepresentatives); - if ($nbofsalesrepresentative > 0) { + if ($nbofsalesrepresentative > 0 && is_array($listsalesrepresentatives)) { $userstatic = new User($db); foreach ($listsalesrepresentatives as $val) { $userstatic->id = $val['id']; diff --git a/htdocs/stripe/admin/stripe.php b/htdocs/stripe/admin/stripe.php index b467a5068ed..46f59039c36 100644 --- a/htdocs/stripe/admin/stripe.php +++ b/htdocs/stripe/admin/stripe.php @@ -446,7 +446,7 @@ if (!empty($conf->use_javascript_ajax)) { } if (! empty($conf->global->PAYMENT_SECURITY_ACCEPT_ANY_TOKEN)) { $langs->load("errors"); - print img_warning($langs->trans("WarningTheHiddenOptionIsOn", PAYMENT_SECURITY_ACCEPT_ANY_TOKEN), '', 'pictowarning marginleftonly'); + print img_warning($langs->trans("WarningTheHiddenOptionIsOn", 'PAYMENT_SECURITY_ACCEPT_ANY_TOKEN'), '', 'pictowarning marginleftonly'); } print ''; 
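Review bot: In the linesalesrepresentative.tpl.php hunk, `count($listsalesrepresentatives)` runs before the new `is_array()` check, so a non-array return from `getSalesRepresentatives()` still reaches `count()` (a warning on PHP 7.2+ and a TypeError on PHP 8) and the added condition only guards the loop. Move the check onto the count: `$nbofsalesrepresentative = is_array($listsalesrepresentatives) ? count($listsalesrepresentatives) : 0;` and keep `if ($nbofsalesrepresentative > 0) {` as it was.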
diff --git a/htdocs/stripe/class/actions_stripe.class.php b/htdocs/stripe/class/actions_stripe.class.php index 2fafe09a693..a7a868f7e4a 100644 --- a/htdocs/stripe/class/actions_stripe.class.php +++ b/htdocs/stripe/class/actions_stripe.class.php @@ -98,7 +98,7 @@ class ActionsStripeconnect $this->resprints .= ''; $this->resprints .= ''; $this->resprints .= ''; - $stripe = new Stripe($db); + $stripe = new Stripe($this->db); if ($stripe->getStripeAccount($service) && $object->client != 0) { $customer = $stripe->customerStripe($object, $stripe->getStripeAccount($service)); $this->resprints .= $customer->id; @@ -114,7 +114,7 @@ class ActionsStripeconnect $this->resprints .= ''; $this->resprints .= ''; $this->resprints .= ''; - $stripe = new Stripe($db); + $stripe = new Stripe($this->db); if ($stripe->getStripeAccount($service) && $object->fk_soc > 0) { $object->fetch_thirdparty(); $customer = $stripe->customerStripe($object->thirdparty, $stripe->getStripeAccount($service)); @@ -131,7 +131,7 @@ class ActionsStripeconnect $this->resprints .= ''; $this->resprints .= ''; $this->resprints .= ''; - $stripe = new Stripe($db); + $stripe = new Stripe($this->db); if (7 == 4) { $object->fetch_thirdparty(); $customer = $stripe->customerStripe($object, $stripe->getStripeAccount($service)); @@ -149,7 +149,7 @@ class ActionsStripeconnect $this->resprints .= ''; $this->resprints .= ''; $this->resprints .= ''; - $stripe = new Stripe($db); + $stripe = new Stripe($this->db); if (7 == 4) { $object->fetch_thirdparty(); $customer = $stripe->customerStripe($object, $stripe->getStripeAccount($service)); 
@@ -179,25 +179,25 @@ class ActionsStripeconnect $sql .= ' FROM '.MAIN_DB_PREFIX.'paiement_facture as pf'; $sql .= ' WHERE pf.fk_facture = '.$object->id; - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); while ($i < $num) { - $objp = $db->fetch_object($result); + $objp = $this->db->fetch_object($result); $totalpaye += $objp->amount; $i++; } } else { - dol_print_error($db, ''); + dol_print_error($this->db, ''); } $resteapayer = $object->total_ttc - $totalpaye; // Request a direct debit order if ($object->statut > Facture::STATUS_DRAFT && $object->statut < Facture::STATUS_ABANDONED && $object->paye == 0) { - $stripe = new Stripe($db); + $stripe = new Stripe($this->db); if ($resteapayer > 0) { if ($stripe->getStripeAccount($conf->entity)) // a modifier avec droit stripe diff --git a/htdocs/stripe/class/stripe.class.php b/htdocs/stripe/class/stripe.class.php index 961011b51e0..a3199917f53 100644 --- a/htdocs/stripe/class/stripe.class.php +++ b/htdocs/stripe/class/stripe.class.php @@ -92,7 +92,7 @@ class Stripe extends CommonObject $sql = "SELECT tokenstring"; $sql .= " FROM ".MAIN_DB_PREFIX."oauth_token"; $sql .= " WHERE entity = ".$conf->entity; - $sql .= " AND service = '".$mode."'"; + $sql .= " AND service = '".$this->db->escape($mode)."'"; if ($fk_soc > 0) { $sql .= " AND fk_soc = ".$fk_soc; } else { 
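Review bot: `$sql .= ' WHERE pf.fk_facture = '.$object->id;` is context here and still concatenates the id raw; since this hunk already touches every `$db` use in the block, cast it as `' WHERE pf.fk_facture = '.((int) $object->id)` to match the other hunks of this commit. `getStripeAccount($conf->entity)` at the end of the hunk receives an entity where the other call sites in this file pass `$service`; that is pre-existing, but worth a glance since it decides whether the direct-debit branch runs. The enclosing method continues past the hunk.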
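Review bot: In the stripe.class.php -92 hunk, `$sql .= " AND fk_soc = ".$fk_soc;` inside the `if ($fk_soc > 0)` branch is still unescaped; `> 0` is a loose comparison and does not guarantee an integer, so write `" AND fk_soc = ".((int) $fk_soc)` alongside the new `escape($mode)`. The method continues outside the hunk.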
@@ -356,9 +356,9 @@ class Stripe extends CommonObject $sql = "SELECT pi.ext_payment_id, pi.entity, pi.fk_facture, pi.sourcetype, pi.ext_payment_site"; $sql .= " FROM ".MAIN_DB_PREFIX."prelevement_facture_demande as pi"; $sql .= " WHERE pi.fk_facture = ".$object->id; - $sql .= " AND pi.sourcetype = '".$object->element."'"; + $sql .= " AND pi.sourcetype = '".$this->db->escape($object->element)."'"; $sql .= " AND pi.entity IN (".getEntity('societe').")"; - $sql .= " AND pi.ext_payment_site = '".$service."'"; + $sql .= " AND pi.ext_payment_site = '".$this->db->escape($service)."'"; dol_syslog(get_class($this)."::getPaymentIntent search stripe payment intent for object id = ".$object->id, LOG_DEBUG); $resql = $this->db->query($sql); @@ -465,7 +465,7 @@ class Stripe extends CommonObject $sql = "SELECT pi.rowid"; $sql .= " FROM ".MAIN_DB_PREFIX."prelevement_facture_demande as pi"; $sql .= " WHERE pi.entity IN (".getEntity('societe').")"; - $sql .= " AND pi.ext_payment_site = '".$service."'"; + $sql .= " AND pi.ext_payment_site = '".$this->db->escape($service)."'"; $sql .= " AND pi.ext_payment_id = '".$this->db->escape($paymentintent->id)."'"; dol_syslog(get_class($this)."::getPaymentIntent search if payment intent already in prelevement_facture_demande", LOG_DEBUG); 
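Review bot: `$sql .= " WHERE pi.fk_facture = ".$object->id;` is left uncast next to the two newly escaped string comparisons; use `" WHERE pi.fk_facture = ".((int) $object->id)` here. The same raw concatenation of `$user->id`, `$object->id` and `$amount` remains in the INSERT VALUES of the -484 and -637 hunks of this file, where `((int) ...)` for the ids and `((float) $amount)` would match the rest of the commit.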
@@ -484,7 +484,7 @@ class Stripe extends CommonObject { $now = dol_now(); $sql = "INSERT INTO ".MAIN_DB_PREFIX."prelevement_facture_demande (date_demande, fk_user_demande, ext_payment_id, fk_facture, sourcetype, entity, ext_payment_site, amount)"; - $sql .= " VALUES ('".$this->db->idate($now)."', ".$user->id.", '".$this->db->escape($paymentintent->id)."', ".$object->id.", '".$this->db->escape($object->element)."', ".$conf->entity.", '".$service."', ".$amount.")"; + $sql .= " VALUES ('".$this->db->idate($now)."', ".$user->id.", '".$this->db->escape($paymentintent->id)."', ".$object->id.", '".$this->db->escape($object->element)."', ".$conf->entity.", '".$this->db->escape($service)."', ".$amount.")"; $resql = $this->db->query($sql); if (!$resql) { @@ -617,7 +617,7 @@ class Stripe extends CommonObject $sql = "SELECT pi.rowid"; $sql.= " FROM " . MAIN_DB_PREFIX . "prelevement_facture_demande as pi"; $sql.= " WHERE pi.entity IN (".getEntity('societe').")"; - $sql.= " AND pi.ext_payment_site = '" . $service . "'"; + $sql.= " AND pi.ext_payment_site = '" . $this->db->escape($service) . "'"; $sql.= " AND pi.ext_payment_id = '".$this->db->escape($setupintent->id)."'"; dol_syslog(get_class($this) . "::getPaymentIntent search if payment intent already in prelevement_facture_demande", LOG_DEBUG); 
@@ -637,7 +637,7 @@ class Stripe extends CommonObject { $now=dol_now(); $sql = "INSERT INTO " . MAIN_DB_PREFIX . "prelevement_facture_demande (date_demande, fk_user_demande, ext_payment_id, fk_facture, sourcetype, entity, ext_payment_site)"; - $sql .= " VALUES ('".$this->db->idate($now)."', ".$user->id.", '".$this->db->escape($setupintent->id)."', ".$object->id.", '".$this->db->escape($object->element)."', " . $conf->entity . ", '" . $service . "', ".$amount.")"; + $sql .= " VALUES ('".$this->db->idate($now)."', ".$user->id.", '".$this->db->escape($setupintent->id)."', ".$object->id.", '".$this->db->escape($object->element)."', " . $conf->entity . ", '" . $this->db->escape($service) . "', ".$amount.")"; $resql = $this->db->query($sql); if (! $resql) { diff --git a/htdocs/supplier_proposal/class/api_supplier_proposals.class.php b/htdocs/supplier_proposal/class/api_supplier_proposals.class.php index 3eea10bdf13..ba2fa37e1b9 100644 --- a/htdocs/supplier_proposal/class/api_supplier_proposals.class.php +++ b/htdocs/supplier_proposal/class/api_supplier_proposals.class.php @@ -133,7 +133,7 @@ class Supplierproposals extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { 
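Review bot: The INSERT in this hunk lists seven columns (`date_demande, fk_user_demande, ext_payment_id, fk_facture, sourcetype, entity, ext_payment_site`) but the VALUES clause supplies eight values, the last being `$amount`, so the statement fails with a column/value count mismatch. The equivalent INSERT in the -484 hunk includes `amount` in its column list; add `, amount)` to the column list here as well, or drop the trailing `, ".$amount."` if the setup-intent path has no amount to record.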
@@ -141,27 +141,27 @@ class Supplierproposals extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); $i = 0; while ($i < $min) { - $obj = $db->fetch_object($result); - $propal_static = new SupplierProposal($db); + $obj = $this->db->fetch_object($result); + $propal_static = new SupplierProposal($this->db); if ($propal_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($propal_static); } $i++; } } else { - throw new RestException(503, 'Error when retrieving supplier proposal list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieving supplier proposal list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No supplier proposal found'); diff --git a/htdocs/supplier_proposal/class/supplier_proposal.class.php b/htdocs/supplier_proposal/class/supplier_proposal.class.php index eeca2c2adf3..92759515ba4 100644 --- a/htdocs/supplier_proposal/class/supplier_proposal.class.php +++ b/htdocs/supplier_proposal/class/supplier_proposal.class.php @@ -918,7 +918,7 @@ class SupplierProposal extends CommonObject $sql .= ", 0"; $sql .= ", '".$this->db->idate($now)."'"; $sql .= ", '(PROV)'"; - $sql .= ", ".($user->id > 0 ? "'".$user->id."'" : "null"); + $sql .= ", ".($user->id > 0 ? ((int) $user->id) : "null"); $sql .= ", '".$this->db->escape($this->note_private)."'"; $sql .= ", '".$this->db->escape($this->note_public)."'"; $sql .= ", '".$this->db->escape($this->model_pdf)."'"; diff --git a/htdocs/supplier_proposal/list.php b/htdocs/supplier_proposal/list.php index 56508bc0783..b0f8bf40609 100644 --- a/htdocs/supplier_proposal/list.php +++ b/htdocs/supplier_proposal/list.php 
@@ -314,7 +314,7 @@ if ($search_multicurrency_montant_vat != '') $sql .= natural_search('sp.multicur if ($search_multicurrency_montant_ttc != '') $sql .= natural_search('sp.multicurrency_total_ttc', $search_multicurrency_montant_ttc, 1); if ($sall) $sql .= natural_search(array_keys($fieldstosearchall), $sall); if ($socid) $sql .= ' AND s.rowid = '.$socid; -if ($search_status >= 0 && $search_status != '') $sql .= ' AND sp.fk_statut IN ('.$db->escape($search_status).')'; +if ($search_status >= 0 && $search_status != '') $sql .= ' AND sp.fk_statut IN ('.$db->sanitize($db->escape($search_status)).')'; $sql .= dolSqlDateFilter("sp.date_livraison", $day, $month, $year); $sql .= dolSqlDateFilter("sp.date_valid", $dayvalid, $monthvalid, $yearvalid); if ($search_sale > 0) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$search_sale; diff --git a/htdocs/takepos/css/pos.css.php b/htdocs/takepos/css/pos.css.php index f4c9cf3a88a..4666de59a8e 100644 --- a/htdocs/takepos/css/pos.css.php +++ b/htdocs/takepos/css/pos.css.php @@ -141,6 +141,27 @@ button.calcbutton3 { border-radius: 3px; } +button.productbutton { + display: inline-block; + position: relative; + padding: 0; + line-height: normal; + cursor: pointer; + vertical-align: middle; + text-align: center; + overflow: visible; /* removes extra width in IE */ + width: calc(100% - 2px); + height: calc(100% - 2px); + font-weight: bold; + background-color: #a3a6a3; + color: #fff; + /* border-color: unset; */ + border-width: 0; + margin: 1px; + font-size: 14pt; + border-radius: 3px; +} + button.actionbutton { background: #EABCA6; border: 2px solid #EEE; diff --git a/htdocs/takepos/index.php b/htdocs/takepos/index.php index 29b11dbb8ad..c29f74a53fd 100644 --- a/htdocs/takepos/index.php +++ b/htdocs/takepos/index.php 
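Review bot: `if ($socid) $sql .= ' AND s.rowid = '.$socid;` and `sc.fk_user = ".$search_sale` in this hunk still concatenate raw values although the line between them now gets `sanitize()`; cast both, `' AND s.rowid = '.((int) $socid)` and `" AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $search_sale)`. Where `$socid` and `$search_sale` are read is outside the hunk, so whether GETPOST already returned ints cannot be confirmed here.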
@@ -48,7 +48,7 @@ $setterminal = GETPOST('setterminal', 'int'); if ($_SESSION["takeposterminal"] == "") { if ($conf->global->TAKEPOS_NUM_TERMINALS == "1") $_SESSION["takeposterminal"] = 1; // Use terminal 1 if there is only 1 terminal - elseif (!empty($_COOKIE["takeposterminal"])) $_SESSION["takeposterminal"] = $_COOKIE["takeposterminal"]; // Restore takeposterminal from previous session + elseif (!empty($_COOKIE["takeposterminal"])) $_SESSION["takeposterminal"] = preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE["takeposterminal"]); // Restore takeposterminal from previous session } if ($setterminal > 0) @@ -291,12 +291,18 @@ function LoadProducts(position, issubcat) { //console.log("ishow"+ishow+" idata="+idata); console.log(data[idata]); if (typeof (data[idata]) == "undefined") { - $("#prodivdesc"+ishow).hide(); - $("#prodesc"+ishow).text(""); + global->TAKEPOS_HIDE_PRODUCT_IMAGES) + { + echo '$("#prodivdesc"+ishow).hide();'; + echo '$("#prodesc"+ishow).text("");'; + echo '$("#proimg"+ishow).attr("title","");'; + echo '$("#proimg"+ishow).attr("src","genimg/empty.png");'; + } else { + echo '$("#probutton"+ishow).hide();'; + echo '$("#probutton"+ishow).text("");'; + }?> $("#proprice"+ishow).attr("class", "hidden"); $("#proprice"+ishow).html(""); - $("#proimg"+ishow).attr("title",""); - $("#proimg"+ishow).attr("src","genimg/empty.png"); $("#prodiv"+ishow).data("rowid",""); $("#prodiv"+ishow).attr("class","wrapper2 divempty"); $("#prowatermark"+ishow).hide(); 
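Review bot: The cookie value is now filtered to `[a-zA-Z0-9_-]`, but everything else in this hunk treats the terminal as a number (`setterminal` is read with `'int'` and the single-terminal case assigns `1`), and the session value is later used to build the `CASHDESK_ID_THIRDPARTY<n>` constant name and the `(PROV-POS<n>-...)` ref seen in the invoice.php hunks. `(int) $_COOKIE["takeposterminal"]` would be the tighter and simpler filter, provided terminal ids are indeed numeric. Note that with the regex an all-punctuation cookie collapses to an empty string, which the surrounding code may not expect.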
@@ -308,14 +314,22 @@ function LoadProducts(position, issubcat) { $titlestring .= " + ' - ".dol_escape_js($langs->trans("Barcode").': ')."' + data[idata]['barcode']"; ?> var titlestring = ; - $("#prodivdesc"+ishow).show(); - $("#prodesc"+ishow).text(data[parseInt(idata)]['label']); + global->TAKEPOS_HIDE_PRODUCT_IMAGES) + { + echo '$("#prodivdesc"+ishow).show();'; + echo '$("#prodesc"+ishow).text(data[parseInt(idata)][\'label\']);'; + echo '$("#proimg"+ishow).attr("title", titlestring);'; + echo '$("#proimg"+ishow).attr("src", "genimg/index.php?query=pro&id="+data[idata][\'id\']);'; + } + else { + echo '$("#probutton"+ishow).show();'; + echo '$("#probutton"+ishow).text(data[parseInt(idata)][\'label\']);'; + } + ?> if (data[parseInt(idata)]['price_formated']) { $("#proprice"+ishow).attr("class", "productprice"); $("#proprice"+ishow).html(data[parseInt(idata)]['price_formated']); } - $("#proimg"+ishow).attr("title", titlestring); - $("#proimg"+ishow).attr("src", "genimg/index.php?query=pro&id="+data[idata]['id']); $("#prodiv"+ishow).data("rowid", data[idata]['id']); $("#prodiv"+ishow).data("iscat", 0); $("#prodiv"+ishow).attr("class","wrapper2"); @@ -544,7 +558,7 @@ function Search2(keyCodeForEnter) { if ($('#search').val() == data[0]['barcode'] && 'thirdparty' == data[0]['object']) { console.log("There is only 1 answer with barcode matching the search, so we change the thirdparty "+data[0]['rowid']); ChangeThirdparty(data[0]['rowid']); - } + } else if ($('#search').val() == data[0]['barcode'] && 'product' == data[0]['object']) { console.log("There is only 1 answer with barcode matching the search, so we add the product in basket"); ClickProduct(0); @@ -562,7 +576,7 @@ function Search2(keyCodeForEnter) { } }); } - + } function Edit(number) { 
@@ -751,7 +765,7 @@ function WeighingScale(){ console.log("Weighing Scale"); $.ajax({ type: "POST", - url: 'global->TAKEPOS_PRINT_SERVER; ?>/scale', + url: 'global->TAKEPOS_PRINT_SERVER; ?>/scale/index.php', }) .done(function( editnumber ) { $("#poslines").load("invoice.php?action=updateqty&place="+place+"&idline="+selectedline+"&number="+editnumber, function() { @@ -1070,11 +1084,14 @@ if ($conf->global->TAKEPOS_WEIGHING_SCALE) //echo ''; print ''; } else { - print '
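Review bot: The print-server base URL is echoed straight into the JavaScript string literal of `url: '...'` without `dol_escape_js()`, so a quote or backslash in `TAKEPOS_PRINT_SERVER` breaks the script; wrap the echoed value in `dol_escape_js()` as this file already does for the barcode title string. This is admin-controlled configuration, so the exposure is limited, but the change of this line is a good moment to fix it.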
'; - if (!$conf->global->TAKEPOS_HIDE_PRODUCT_IMAGES) print ''; + if ($conf->global->TAKEPOS_HIDE_PRODUCT_IMAGES) echo ''; + else { + print '
'; + print ''; + } } ?> - + global->TAKEPOS_HIDE_PRODUCT_IMAGES) { ?>
diff --git a/htdocs/takepos/invoice.php b/htdocs/takepos/invoice.php index 6c45f6121f9..3ab9f91c9ff 100644 --- a/htdocs/takepos/invoice.php +++ b/htdocs/takepos/invoice.php @@ -169,11 +169,11 @@ if ($action == 'valid' && $user->rights->facture->creer) if ($invoice->total_ttc < 0) { $invoice->type = $invoice::TYPE_CREDIT_NOTE; - $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."facture WHERE "; - $sql .= "fk_soc = '".$invoice->socid."' "; - $sql .= "AND type <> ".Facture::TYPE_CREDIT_NOTE." "; - $sql .= "AND fk_statut >= ".$invoice::STATUS_VALIDATED." "; - $sql .= "ORDER BY rowid DESC"; + $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."facture WHERE"; + $sql .= " fk_soc = ".((int) $invoice->socid); + $sql .= " AND type <> ".Facture::TYPE_CREDIT_NOTE; + $sql .= " AND fk_statut >= ".$invoice::STATUS_VALIDATED; + $sql .= " ORDER BY rowid DESC"; $resql = $db->query($sql); if ($resql) { $obj = $db->fetch_object($resql); @@ -394,7 +394,7 @@ if ($action == "deleteline") { $invoice->deleteline($idline); $invoice->fetch($placeid); } elseif ($placeid > 0) { // If invoice exists but no line selected, proceed to delete last line. - $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."facturedet where fk_facture='".$placeid."' order by rowid DESC"; + $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."facturedet where fk_facture = ".((int) $placeid)." ORDER BY rowid DESC"; $resql = $db->query($sql); $row = $db->fetch_array($resql); $deletelineid = $row[0]; @@ -427,7 +427,7 @@ if ($action == "delete") { $sql = "DELETE FROM ".MAIN_DB_PREFIX."facturedet where fk_facture = ".$placeid; $resql2 = $db->query($sql); $sql = "UPDATE ".MAIN_DB_PREFIX."facture set fk_soc=".$conf->global->{'CASHDESK_ID_THIRDPARTY'.$_SESSION["takeposterminal"]}; - $sql .= " WHERE ref='(PROV-POS".$_SESSION["takeposterminal"]."-".$place.")'"; + $sql .= " WHERE ref='(PROV-POS".$db->escape($_SESSION["takeposterminal"])."-".$db->escape($place).")'"; $resql3 = $db->query($sql); $invoice->update_price(1); 
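Review bot: In the -427 hunk, `fk_soc=".$conf->global->{'CASHDESK_ID_THIRDPARTY'.$_SESSION["takeposterminal"]}` and the context line `DELETE FROM ...facturedet where fk_facture = ".$placeid` remain uncast, while the -394 hunk of the same file now casts `$placeid`; use `((int) $placeid)` and `((int) $conf->global->{...})` for consistency. In the -394 hunk, `$db->fetch_array($resql)` is called without checking `$resql`, so a failed query is not reported before `$deletelineid` is read from the row.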
diff --git a/htdocs/theme/eldy/dropdown.inc.php b/htdocs/theme/eldy/dropdown.inc.php index 12f34ed50ac..1140589a2e2 100644 --- a/htdocs/theme/eldy/dropdown.inc.php +++ b/htdocs/theme/eldy/dropdown.inc.php @@ -411,10 +411,15 @@ a.top-menu-dropdown-link { * QUICK ADD */ #topmenu-quickadd-dropdown .dropdown-menu { - width: 300px !important; + width: 310px !important; color: #444; } +.quickadd-body.dropdown-body { + padding: unset; + padding-top: 15px; +} + .quickadd-header { color: #444 !important; } @@ -449,8 +454,8 @@ div.quickadd a:hover, div.quickadd a:active { } div.quickaddblock { - width: 80px; - display: block ruby; + width: 95px; + height: 80px; } div.quickaddblock:hover, diff --git a/htdocs/theme/eldy/global.inc.php b/htdocs/theme/eldy/global.inc.php index 7abf4342f25..308426ddc98 100644 --- a/htdocs/theme/eldy/global.inc.php +++ b/htdocs/theme/eldy/global.inc.php @@ -191,10 +191,6 @@ input, select { #mainbody input.button:not(.buttongen):not(.bordertransp) { background: var(--butactionbg); color: #FFF !important; - - /* -webkit-box-shadow: 0px 0px 1px 1px rgba(0, 0, 0, 0.2), 0px 0px 0px rgba(60,60,60,0.1); - box-shadow: 0px 0px 1px 1px rgba(0, 0, 0, 0.2), 0px 0px 0px rgba(60,60,60,0.1); */ - border-radius: 3px; border-collapse: collapse; border: none; @@ -220,7 +216,6 @@ input:invalid, select:invalid { /* Focus definitions must be after standard definition */ textarea:focus { - /* v6 box-shadow: 0 0 4px #8091BF; */ border: 1px solid #aaa !important; } input:focus, select:focus { @@ -571,6 +566,9 @@ th .button { .centpercent { width: 100%; } +.centpercentwithoutmenu { + width: calc(100% - 200px); +} .quatrevingtpercent, .inputsearch { width: 80%; } @@ -1275,9 +1273,6 @@ table[summary="list_of_modules"] .fa-cog { /* Force values for small screen 767 */ @media only screen and (max-width: 767px) { - body { - font-size: ; - } div.refidno { font-size: !important; } 
@@ -1311,10 +1306,6 @@ table[summary="list_of_modules"] .fa-cog { /* Force values for small screen 570 */ @media only screen and (max-width: 570px) { - body { - font-size: ; - } - .box-flex-item { margin: 3px 2px 3px 2px !important; } @@ -1502,20 +1493,20 @@ td.showDragHandle { padding-bottom: 20px; } -/* For having horizontal scroll into array (like with smartphone) */ -/* -#id-container { +/* DOL_XXX For having horizontal scroll into array (like with smartphone) */ + +.classforhorizontalscrolloftabs #id-container { width: 100%; } -.side-nav { +.classforhorizontalscrolloftabs .side-nav { display: block; float: left; } -#id-right { +.classforhorizontalscrolloftabs #id-right { width:calc(100% - 210px); display: inline-block; } -*/ + global->THEME_DISABLE_STICKY_TOPMENU)) { ?> 
@@ -1612,51 +1603,63 @@ div.vmenu, td.vmenu { .menuhider { display: none !important; } + /* rule to reduce top menu - 3rd reduction: The menu for user is on left */ @media only screen and (max-width: global->THEME_ELDY_WITDHOFFSET_FOR_REDUC3) ? round($nbtopmenuentries * 47, 0) + 130 : $conf->global->THEME_ELDY_WITDHOFFSET_FOR_REDUC3; ?>px) /* reduction 3 */ { -body.sidebar-collapse .side-nav { - display: none; + body.sidebar-collapse .side-nav { + display: none; + } + + body.sidebar-collapse .login_block { + display: none; + } + + .menuhider { display: block !important; } + .dropdown-user-image { display: none; } + .user-header { height: auto !important; color: var(--colorbackbody); } + + #id-container { + width: 100%; + } + .side-nav { + border-bottom: 1px solid #BBB; + background: #FFF; + padding-left: 20px; + padding-right: 20px; + position: absolute; + z-index: 90; + } + div.blockvmenulogo + { + border-bottom: 0 !important; + } + div.blockvmenupair, div.blockvmenuimpair, div.blockvmenubookmarks, div.blockvmenuend { + border-top: none !important; + border-left: none !important; + border-right: none !important; + border-bottom: 1px solid #e0e0e0; + padding-left: 0 !important; + } + div.vmenu, td.vmenu { + padding-right: 6px !important; + } + div.fiche { + margin-: 9px !important; + margin-: 10px !important; + } + + .pagination .fa-chevron-left, .pagination .fa-chevron-right { + font-size: 1.2em; + } } -body.sidebar-collapse .login_block { - display: none; -} - -.menuhider { display: block !important; } -.dropdown-user-image { display: none; } -.user-header { height: auto !important; color: var(--colorbackbody); } - -#id-container { - width: 100%; -} -.side-nav { - border-bottom: 1px solid #BBB; - background: #FFF; - padding-left: 20px; - padding-right: 20px; - position: absolute; - z-index: 90; -} -div.blockvmenulogo +@media only screen and (min-width: 768px) and (max-width: global->THEME_ELDY_WITDHOFFSET_FOR_REDUC3) ? 
round($nbtopmenuentries * 47, 0) + 130 : $conf->global->THEME_ELDY_WITDHOFFSET_FOR_REDUC3; ?>px) /* reduction 3 */ { - border-bottom: 0 !important; -} -div.blockvmenupair, div.blockvmenuimpair, div.blockvmenubookmarks, div.blockvmenuend { - border-top: none !important; - border-left: none !important; - border-right: none !important; - border-bottom: 1px solid #e0e0e0; - padding-left: 0 !important; -} -div.vmenu, td.vmenu { - padding-right: 6px !important; -} -div.fiche { - margin-: 9px !important; - margin-: 10px !important; -} - + div.fiche { + margin-: 13px !important; + margin-: 14px !important; + } } @@ -2803,8 +2806,8 @@ div.popuptabset { border: 1px solid #888; } div.popuptab { - padding-top: 5px; - padding-bottom: 5px; + padding-top: 8px; + padding-bottom: 8px; padding-left: 5px; padding-right: 5px; } @@ -3202,6 +3205,7 @@ div.refid { font-weight: bold; color: var(--colortexttitlenotab); font-size: 1.2em; + word-break: break-word; } div.refidno { padding-top: 3px; @@ -3795,8 +3799,10 @@ ul.noborder li:nth-child(even):not(.liste_titre) { .boxstats:hover { box-shadow: 0px 0px 8px 0px rgba(0,0,0,0.20); } -span.boxstatstext { +span.boxstatstext span:not(.fas) { opacity: 0.5; +} +span.boxstatstext { line-height: 18px; color: var(--colortext); } @@ -5581,6 +5587,10 @@ span.noborderoncategories { /* External lib multiselect with checkbox */ /* ============================================================================== */ +.multi-select-menu { + z-index: 10; +} + .multi-select-container { display: inline-block; position: relative; diff --git a/htdocs/theme/md/style.css.php b/htdocs/theme/md/style.css.php index 76bddfc0241..f81bcff5e83 100644 --- a/htdocs/theme/md/style.css.php +++ b/htdocs/theme/md/style.css.php 
@@ -1461,6 +1461,22 @@ td.showDragHandle { } +/* DOL_XXX For having horizontal scroll into array (like with smartphone) */ + +.classforhorizontalscrolloftabs #id-container { + width: 100%; +} +.classforhorizontalscrolloftabs .side-nav { + display: block; + float: left; +} +.classforhorizontalscrolloftabs #id-right { + width:calc(100% - 210px); + display: inline-block; +} + + + .side-nav { display: none; @@ -1513,9 +1529,10 @@ td.showDragHandle { ?> } -/* -* Slide animation -*/ + +/** + * Slide animation + */ .side-nav-vert, #id-right { transition: padding-left 0.5s ease, margin-left 0.5s ease; } @@ -5427,6 +5444,10 @@ span.noborderoncategories { /* External lib multiselect with checkbox */ /* ============================================================================== */ +.multi-select-menu { + z-index: 10; +} + .multi-select-container { display: inline-block; position: relative; diff --git a/htdocs/ticket/card.php b/htdocs/ticket/card.php index 20d10ef72cc..03e9fe52781 100644 --- a/htdocs/ticket/card.php +++ b/htdocs/ticket/card.php @@ -55,7 +55,7 @@ $action = GETPOST('action', 'aZ09'); $notifyTiers = GETPOST("notify_tiers_at_create", 'alpha'); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); if (GETPOST('actioncode', 'array')) { diff --git a/htdocs/ticket/class/actions_ticket.class.php b/htdocs/ticket/class/actions_ticket.class.php index 641b56b1716..9a142ef4ba7 100644 --- a/htdocs/ticket/class/actions_ticket.class.php +++ b/htdocs/ticket/class/actions_ticket.class.php 
@@ -208,7 +208,8 @@ class ActionsTicket $msg = GETPOST('message_initial', 'alpha') ? GETPOST('message_initial', 'alpha') : $object->message; include_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php'; $uselocalbrowser = true; - $doleditor = new DolEditor('message_initial', $msg, '100%', 250, 'dolibarr_details', 'In', true, $uselocalbrowser, $conf->global->FCKEDITOR_ENABLE_TICKET, ROWS_9, '95%'); + $ckeditorenabledforticket = $conf->global->FCKEDITOR_ENABLE_TICKET; + $doleditor = new DolEditor('message_initial', $msg, '100%', 250, 'dolibarr_details', 'In', true, $uselocalbrowser, $ckeditorenabledforticket, ROWS_9, '95%'); $doleditor->Create(); } else { // Deal with format differences (text / HTML) diff --git a/htdocs/ticket/class/api_tickets.class.php b/htdocs/ticket/class/api_tickets.class.php index f06ec59aa5d..4a3c9b66203 100644 --- a/htdocs/ticket/class/api_tickets.class.php +++ b/htdocs/ticket/class/api_tickets.class.php @@ -276,7 +276,7 @@ class Tickets extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -287,13 +287,13 @@ class Tickets extends DolibarrApi $sql .= $this->db->plimit($limit, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $i = 0; while ($i < $num) { - $obj = $db->fetch_object($result); - $ticket_static = new Ticket($db); + $obj = $this->db->fetch_object($result); + $ticket_static = new Ticket($this->db); if ($ticket_static->fetch($obj->rowid)) { if ($ticket_static->fk_user_assign > 0) { $userStatic = new User($this->db); diff --git a/htdocs/ticket/class/ticket.class.php b/htdocs/ticket/class/ticket.class.php index d0f2581fa73..f7813066a4c 100644 --- a/htdocs/ticket/class/ticket.class.php 
+++ b/htdocs/ticket/class/ticket.class.php @@ -664,7 +664,7 @@ class Ticket extends CommonObject if (!empty($filter)) { foreach ($filter as $key => $value) { if (strpos($key, 'date')) { // To allow $filter['YEAR(s.dated)']=>$year - $sql .= ' AND '.$key.' = \''.$value.'\''; + $sql .= ' AND '.$key." = '".$this->db->scape($value)."'"; } elseif (($key == 't.fk_user_assign') || ($key == 't.type_code') || ($key == 't.category_code') || ($key == 't.severity_code') || ($key == 't.fk_soc')) { $sql .= " AND ".$key." = '".$this->db->escape($value)."'"; } elseif ($key == 't.fk_statut') { @@ -2242,7 +2242,7 @@ class Ticket extends CommonObject $sql .= " AND tc.active=1"; if ($status >= 0) { - $sql .= " AND ec.statut = '".$status."'"; + $sql .= " AND ec.statut = ".((int) $status); } $sql .= " ORDER BY t.lastname ASC"; diff --git a/htdocs/ticket/class/ticketstats.class.php b/htdocs/ticket/class/ticketstats.class.php index a6b4c23e70c..f2fd2155247 100644 --- a/htdocs/ticket/class/ticketstats.class.php +++ b/htdocs/ticket/class/ticketstats.class.php @@ -118,7 +118,7 @@ class TicketStats extends Stats { $sql = "SELECT date_format(datec,'%m') as dm, sum(".$this->field.")"; $sql .= " FROM ".$this->from; - $sql .= " WHERE date_format(datec,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(datec,'%Y') = '".$this->db->escape($year)."'"; $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); @@ -138,7 +138,7 @@ class TicketStats extends Stats { $sql = "SELECT date_format(datec,'%m') as dm, avg(".$this->field.")"; $sql .= " FROM ".$this->from; - $sql .= " WHERE date_format(datec,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(datec,'%Y') = '".$this->db->escape($year)."'"; $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); diff --git a/htdocs/ticket/index.php b/htdocs/ticket/index.php index cfd8e3f26f3..a6d9ad3d0b0 100644 --- a/htdocs/ticket/index.php +++ b/htdocs/ticket/index.php 
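Review bot: `$this->db->scape($value)` in the date-filter branch of the first hunk calls a method the db class does not have (every other line in this diff uses `escape`), so the first caller that passes a `date` filter key gets a fatal undefined-method error instead of a filtered query; it should read `$sql .= ' AND '.$key." = '".$this->db->escape($value)."'";`. Note also that `$key` itself is still concatenated into the SQL unescaped in both branches; that is only safe while `$filter` keys come from code, never from request input, which is worth stating in a comment on the `$filter` parameter. The enclosing method starts and ends outside the hunk.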
@@ -142,11 +142,11 @@ if (!$user->rights->societe->client->voir && !$socid) { // External users restriction if ($user->socid > 0) { - $sql .= " AND t.fk_soc='".$user->socid."'"; + $sql .= " AND t.fk_soc= ".((int) $user->socid); } else { // For internals users, if (!empty($conf->global->TICKET_LIMIT_VIEW_ASSIGNED_ONLY) && !$user->rights->ticket->manage) { - $sql .= " AND t.fk_user_assign=".$user->id; + $sql .= " AND t.fk_user_assign = ".$user->id; } } $sql .= " GROUP BY t.fk_statut"; @@ -305,7 +305,7 @@ if (!$user->rights->societe->client->voir && !$socid) { } if ($user->socid > 0) { - $sql .= " AND t.fk_soc='".$user->socid."'"; + $sql .= " AND t.fk_soc= ".((int) $user->socid); } else { // Restricted to assigned user only if ($conf->global->TICKET_LIMIT_VIEW_ASSIGNED_ONLY && !$user->rights->ticket->manage) { diff --git a/htdocs/ticket/list.php b/htdocs/ticket/list.php index e3a41a670b4..12dd4c37058 100644 --- a/htdocs/ticket/list.php +++ b/htdocs/ticket/list.php @@ -61,7 +61,7 @@ $mode = GETPOST('mode', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters diff --git a/htdocs/ticket/stats/index.php b/htdocs/ticket/stats/index.php index da921577596..fe66b9c2231 100644 --- a/htdocs/ticket/stats/index.php +++ b/htdocs/ticket/stats/index.php 
@@ -70,7 +70,7 @@ print load_fiche_titre($title, '', 'ticket'); dol_mkdir($dir); $stats = new TicketStats($db, $socid, ($userid > 0 ? $userid : 0)); -if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND fk_statut IN ('.$db->escape($object_status).')'; +if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; // Build graphic number of object diff --git a/htdocs/user/bank.php b/htdocs/user/bank.php index 5363ec728c2..af7aa162790 100644 --- a/htdocs/user/bank.php +++ b/htdocs/user/bank.php @@ -114,6 +114,49 @@ if ($action == 'update' && !$cancel) { $account->userid = $object->id; + /* + if ($action == 'update' && !$cancel) + { + require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; + + if ($canedituser) // Case we can edit all field + { + $error = 0; + + if (!$error) + { + $objectuser->fetch($id); + + $objectuser->oldcopy = clone $objectuser; + + $db->begin(); + + $objectuser->default_range = GETPOST('default_range'); + $objectuser->default_c_exp_tax_cat = GETPOST('default_c_exp_tax_cat'); + + if (!$error) { + $ret = $objectuser->update($user); + if ($ret < 0) { + $error++; + if ($db->errno() == 'DB_ERROR_RECORD_ALREADY_EXISTS') { + $langs->load("errors"); + setEventMessages($langs->trans("ErrorLoginAlreadyExists", $objectuser->login), null, 'errors'); + } else { + setEventMessages($objectuser->error, $objectuser->errors, 'errors'); + } + } + } + + if (!$error && !count($objectuser->errors)) { + setEventMessages($langs->trans("UserModified"), null, 'mesgs'); + $db->commit(); + } else { + $db->rollback(); + } + } + } + }*/ + $account->bank = GETPOST('bank', 'alpha'); $account->label = GETPOST('label', 'alpha'); $account->courant = GETPOST('courant', 'alpha'); 
@@ -155,6 +198,23 @@ if ($action == 'setpersonal_mobile') if ($result < 0) setEventMessages($object->error, $object->errors, 'errors'); } +// update default_c_exp_tax_cat +if ($action == 'setdefault_c_exp_tax_cat') +{ + $object->default_c_exp_tax_cat = GETPOST('default_c_exp_tax_cat', 'int'); + $result = $object->update($user); + if ($result < 0) setEventMessages($object->error, $object->errors, 'errors'); +} + +// update default range +if ($action == 'setdefault_range') +{ + $object->default_range = GETPOST('default_range', 'int'); + $result = $object->update($user); + if ($result < 0) setEventMessages($object->error, $object->errors, 'errors'); +} + + /* * View @@ -223,6 +283,51 @@ if ($action != 'edit' && $action != 'create') // If not bank account yet, $acco print ''; print ''; + if (!empty($conf->global->MAIN_USE_EXPENSE_IK)) + { + print ''; + print ''; + print $form->editfieldkey("DefaultCategoryCar", 'default_c_exp_tax_cat', $object->default_c_exp_tax_cat, $object, $user->rights->user->user->creer); + print ''; + if ($action == 'editdefault_c_exp_tax_cat') { + $ret = ''; + $ret .= ''; + $ret .= ''; + $ret .= ''; + $ret .= $form->selectExpenseCategories($object->default_c_exp_tax_cat, 'default_c_exp_tax_cat', 1); + $ret .= ' '; + $ret .= ''; + $ret .= '
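Review bot: The two new handlers (`setdefault_c_exp_tax_cat`, `setdefault_range`) call `$object->update($user)` with no permission check in the handler itself, while the view hunk later in this file only shows the edit controls when `$user->rights->user->user->creer` is set; unless an access check earlier in the file (outside this hunk) already rejects users without that right, the POST path is weaker than the UI. Guard each handler, e.g. `if ($action == 'setdefault_range' && $user->rights->user->user->creer)`, or fail with `accessforbidden()`. `setdefault_range` also stores `GETPOST('default_range', 'int')` without bounding it against `ExpenseReportIk::getMaxRangeNumber($object->default_c_exp_tax_cat)`, which the view uses to populate the select, so an out-of-range value can be persisted; a one-line comment that the `'int'` filter sanitises type but not range would help the next reader.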
'; + print $ret; + } else { + print dol_getIdFromCode($db, $object->default_c_exp_tax_cat, 'c_exp_tax_cat', 'rowid', 'label'); + //print $form->editfieldval("DefaultCategoryCar", 'default_c_exp_tax_cat', $object->default_c_exp_tax_cat, $object, $user->rights->user->user->creer, 'string', ($object->default_c_exp_tax_cat != '' ? $object->default_c_exp_tax_cat : '')); + } + print ''; + print ''; + + print ''; + print ''; + print $form->editfieldkey("DefaultRangeNumber", 'default_range', $object->default_range, $object, $user->rights->user->user->creer); + print ''; + if ($action == 'editdefault_range') { + $ret = '
'; + $ret .= ''; + $ret .= ''; + $ret .= ''; + $maxRangeNum = ExpenseReportIk::getMaxRangeNumber($object->default_c_exp_tax_cat); + $ret .= $form->selectarray('default_range', range(0, $maxRangeNum), $object->default_range); + $ret .= ' '; + $ret .= ''; + $ret .= '
'; + print $ret; + } else { + print $object->default_range; + } + print ''; + print ''; + } + print ''; print '
'; diff --git a/htdocs/user/card.php b/htdocs/user/card.php index 6ca1e7c9bdc..96b9d55af6a 100644 --- a/htdocs/user/card.php +++ b/htdocs/user/card.php @@ -61,6 +61,12 @@ $group = GETPOST("group", "int", 3); $cancel = GETPOST('cancel', 'alpha'); $contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'useracard'; // To manage different context of search +$dateemployment = dol_mktime(0, 0, 0, GETPOST('dateemploymentmonth', 'int'), GETPOST('dateemploymentday', 'int'), GETPOST('dateemploymentyear', 'int')); +$dateemploymentend = dol_mktime(0, 0, 0, GETPOST('dateemploymentendmonth', 'int'), GETPOST('dateemploymentendday', 'int'), GETPOST('dateemploymentendyear', 'int')); +$datestartvalidity = dol_mktime(0, 0, 0, GETPOST('datestartvaliditymonth', 'int'), GETPOST('datestartvalidityday', 'int'), GETPOST('datestartvalidityyear', 'int')); +$dateendvalidity = dol_mktime(0, 0, 0, GETPOST('dateendvaliditymonth', 'int'), GETPOST('dateendvalidityday', 'int'), GETPOST('dateendvalidityyear', 'int')); +$dateofbirth = dol_mktime(0, 0, 0, GETPOST('dateofbirthmonth', 'int'), GETPOST('dateofbirthday', 'int'), GETPOST('dateofbirthyear', 'int')); + // Define value to know what current user can do on users $canadduser = (!empty($user->admin) || $user->rights->user->user->creer); $canreaduser = (!empty($user->admin) || $user->rights->user->user->lire); @@ -202,8 +208,6 @@ if (empty($reshook)) { $object->login = GETPOST("login", 'alphanohtml'); $object->api_key = GETPOST("api_key", 'alphanohtml'); $object->gender = GETPOST("gender", 'aZ09'); - $birth = dol_mktime(0, 0, 0, GETPOST('birthmonth', 'int'), GETPOST('birthday', 'int'), GETPOST('birthyear', 'int')); - $object->birth = $birth; $object->admin = GETPOST("admin", 'int'); $object->address = GETPOST('address', 'alphanohtml'); $object->zip = GETPOST('zipcode', 'alphanohtml'); 
@@ -226,7 +230,7 @@ if (empty($reshook)) { } $object->email = preg_replace('/\s+/', '', GETPOST("email", 'alphanohtml')); - $object->job = GETPOST("job", 'nohtml'); + $object->job = GETPOST("job", 'alphanohtml'); $object->signature = GETPOST("signature", 'restricthtml'); $object->accountancy_code = GETPOST("accountancy_code", 'alphanohtml'); $object->note = GETPOST("note", 'restricthtml'); @@ -247,11 +251,12 @@ if (empty($reshook)) { $object->weeklyhours = GETPOST("weeklyhours", 'alphanohtml') != '' ? GETPOST("weeklyhours", 'alphanohtml') : ''; $object->color = GETPOST("color", 'alphanohtml') != '' ? GETPOST("color", 'alphanohtml') : ''; - $dateemployment = dol_mktime(0, 0, 0, GETPOST('dateemploymentmonth', 'int'), GETPOST('dateemploymentday', 'int'), GETPOST('dateemploymentyear', 'int')); - $object->dateemployment = $dateemployment; - $dateemploymentend = dol_mktime(0, 0, 0, GETPOST('dateemploymentendmonth', 'int'), GETPOST('dateemploymentendday', 'int'), GETPOST('dateemploymentendyear', 'int')); + $object->dateemployment = $dateemployment; $object->dateemploymentend = $dateemploymentend; + $object->datestartvalidity = $datestartvalidity; + $object->dateendvalidity = $dateendvalidity; + $object->birth = $dateofbirth; $object->fk_warehouse = GETPOST('fk_warehouse', 'int'); @@ -364,8 +369,6 @@ if (empty($reshook)) { $object->firstname = GETPOST("firstname", 'alphanohtml'); $object->login = GETPOST("login", 'alphanohtml'); $object->gender = GETPOST("gender", 'aZ09'); - $birth = dol_mktime(0, 0, 0, GETPOST('birthmonth', 'int'), GETPOST('birthday', 'int'), GETPOST('birthyear', 'int')); - $object->birth = $birth; $object->pass = GETPOST("password", 'none'); $object->api_key = (GETPOST("api_key", 'alphanohtml')) ? GETPOST("api_key", 'alphanohtml') : $object->api_key; if (!empty($user->admin)) $object->admin = GETPOST("admin", "int"); // admin flag can only be set/unset by an admin user. A test is also done later when forging sql request 
@@ -388,7 +391,7 @@ if (empty($reshook)) { } } $object->email = preg_replace('/\s+/', '', GETPOST("email", 'alphanohtml')); - $object->job = GETPOST("job", 'nohtml'); + $object->job = GETPOST("job", 'alphanohtml'); $object->signature = GETPOST("signature", 'restricthtml'); $object->accountancy_code = GETPOST("accountancy_code", 'alphanohtml'); $object->openid = GETPOST("openid", 'alphanohtml'); @@ -409,10 +412,11 @@ if (empty($reshook)) { $object->weeklyhours = price2num($object->weeklyhours); $object->color = GETPOST("color", 'alphanohtml') != '' ? GETPOST("color", 'alphanohtml') : ''; - $dateemployment = dol_mktime(0, 0, 0, GETPOST('dateemploymentmonth', 'int'), GETPOST('dateemploymentday', 'int'), GETPOST('dateemploymentyear', 'int')); $object->dateemployment = $dateemployment; - $dateemploymentend = dol_mktime(0, 0, 0, GETPOST('dateemploymentendmonth', 'int'), GETPOST('dateemploymentendday', 'int'), GETPOST('dateemploymentendyear', 'int')); $object->dateemploymentend = $dateemploymentend; + $object->datestartvalidity = $datestartvalidity; + $object->dateendvalidity = $dateendvalidity; + $object->birth = $dateofbirth; if (!empty($conf->stock->enabled)) { @@ -1183,7 +1187,7 @@ if ($action == 'create' || $action == 'adduserldap') // Position/Job print ''.$langs->trans("PostOrFunction").''; print ''; - print ''; + print ''; print ''; if ((!empty($conf->salaries->enabled) && !empty($user->rights->salaries->read)) 
@@ -1229,21 +1233,29 @@ if ($action == 'create' || $action == 'adduserldap') // Date employment print ''.$langs->trans("DateEmployment").''; print ''; - print $form->selectDate(GETPOST('dateemployment'), 'dateemployment', 0, 0, 1, 'formdateemployment', 1, 0); + print $form->selectDate($dateemployment, 'dateemployment', 0, 0, 1, 'formdateemployment', 1, 1); + + print ' - '; + + print $form->selectDate($dateemploymentend, 'dateemploymentend', 0, 0, 1, 'formdateemploymentend', 1, 0); print ''; print "\n"; - // Date employment END - print ''.$langs->trans("DateEmploymentEnd").''; + // Date validity + print ''.$langs->trans("RangeOfLoginValidity").''; print ''; - print $form->selectDate(GETPOST('dateemploymentend'), 'dateemploymentend', 0, 0, 1, 'formdateemploymentend', 1, 0); + print $form->selectDate($datestartvalidity, 'datestartvalidity', 0, 0, 1, 'formdatestartvalidity', 1, 1); + + print ' - '; + + print $form->selectDate($dateendvalidity, 'dateendvalidity', 0, 0, 1, 'formdateendvalidity', 1, 0); print ''; print "\n"; // Date birth - print ''.$langs->trans("DateToBirth").''; + print ''.$langs->trans("DateOfBirth").''; print ''; - print $form->selectDate(GETPOST('birth'), 'birth', 0, 0, 1, 'createuser', 1, 0); + print $form->selectDate($dateofbirth, 'dateofbirth', 0, 0, 1, 'createuser', 1, 0); print ''; print "\n"; @@ -1570,7 +1582,7 @@ if ($action == 'create' || $action == 'adduserldap') // Position/Job print ''.$langs->trans("PostOrFunction").''; - print ''.$object->job.''; + print ''.dol_escape_htmltag($object->job).''; print ''."\n"; //$childids = $user->getAllChildIds(1); 
@@ -1621,24 +1633,32 @@ if ($action == 'create' || $action == 'adduserldap') print ''.$langs->trans("DateOfEmployment").''; print ''; if ($object->dateemployment) { - print ''.$langs->trans("FromDate ").''; + print ''.$langs->trans("FromDate").' '; print dol_print_date($object->dateemployment, 'day'); } - //print ''; - //print "\n"; - - // Date employment - //print ''.$langs->trans("DateEmploymentEnd").''; - //print ''; if ($object->dateemploymentend) { - print ' - '.$langs->trans("To ").''; + print ' - '.$langs->trans("To").' '; print dol_print_date($object->dateemploymentend, 'day'); } print ''; print "\n"; + // Date login validity + print ''.$langs->trans("RangeOfLoginValidity").''; + print ''; + if ($object->datestartvalidity) { + print ''.$langs->trans("FromDate").' '; + print dol_print_date($object->datestartvalidity, 'day'); + } + if ($object->dateendvalidity) { + print ' - '.$langs->trans("To").' '; + print dol_print_date($object->dateendvalidity, 'day'); + } + print ''; + print "\n"; + // Date of birth - print ''.$langs->trans("DateToBirth").''; + print ''.$langs->trans("DateOfBirth").''; print ''; print dol_print_date($object->birth, 'day'); print ''; @@ -2606,10 +2626,10 @@ if ($action == 'create' || $action == 'adduserldap') print ''; if ($caneditfield) { - print ''; + print ''; } else { - print ''; - print $object->job; + print ''; + print dol_escape_htmltag($object->job); } print ''; 
@@ -2672,19 +2692,16 @@ if ($action == 'create' || $action == 'adduserldap') print ''; if ($caneditfield) { - print $form->selectDate(GETPOST('dateemployment') ?GETPOST('dateemployment') : $object->dateemployment, 'dateemployment', 0, 0, 1, 'formdateemployment', 1, 0); + print $form->selectDate($dateemployment ? $dateemployment : $object->dateemployment, 'dateemployment', 0, 0, 1, 'formdateemployment', 1, 1); } else { print dol_print_date($object->dateemployment, 'day'); } - print ''; - print "\n"; - // Date employmentEnd - print ''.$langs->trans("DateEmploymentEnd").''; - print ''; + if ($dateemployment && $dateemploymentend) print ' - '; + if ($caneditfield) { - print $form->selectDate(GETPOST('dateemploymentend') ?GETPOST('dateemploymentend') : $object->dateemploymentend, 'dateemploymentend', 0, 0, 1, 'formdateemploymentend', 1, 0); + print $form->selectDate($dateemploymentend ? $dateemploymentend : $object->dateemploymentend, 'dateemploymentend', 0, 0, 1, 'formdateemploymentend', 1, 0); } else { print dol_print_date($object->dateemploymentend, 'day'); } 
@@ -2692,12 +2709,33 @@ if ($action == 'create' || $action == 'adduserldap') print "\n"; - // Date birth - print ''.$langs->trans("DateToBirth").''; + // Date login validity + print ''.$langs->trans("RangeOfLoginValidity").''; print ''; if ($caneditfield) { - echo $form->selectDate(GETPOST('birth') ?GETPOST('birth') : $object->birth, 'birth', 0, 0, 1, 'updateuser', 1, 0); + print $form->selectDate($datestartvalidity ? $datestartvalidity : $object->datestartvalidity, 'datestartvalidity', 0, 0, 1, 'formdatestartvalidity', 1, 1); + } else { + print dol_print_date($object->datestartvalidity, 'day'); + } + + if ($datestartvalidity && $dateendvalidity) print ' - '; + + if ($caneditfield) + { + print $form->selectDate($dateendvalidity ? $datendevalidity : $object->dateendvalidity, 'dateendvalidity', 0, 0, 1, 'formdateendvalidity', 1, 0); + } else { + print dol_print_date($object->dateendvalidity, 'day'); + } + print ''; + print "\n"; + + + // Date birth + print ''.$langs->trans("DateOfBirth").''; + print ''; + if ($caneditfield) { + echo $form->selectDate($dateofbirth ? $dateofbirth : $object->birth, 'dateofbirth', 0, 0, 1, 'updateuser', 1, 0); } else { print dol_print_date($object->birth, 'day'); } diff --git a/htdocs/user/class/api_users.class.php b/htdocs/user/class/api_users.class.php index cab2b56f5d9..5245ff0b961 100644 --- a/htdocs/user/class/api_users.class.php +++ b/htdocs/user/class/api_users.class.php @@ -90,7 +90,7 @@ class Users extends DolibarrApi // Select products of given category if ($category > 0) { - $sql .= " AND c.fk_categorie = ".$db->escape($category); + $sql .= " AND c.fk_categorie = ".$this->db->escape($category); $sql .= " AND c.fk_user = t.rowid "; } 
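Review bot: `$dateendvalidity ? $datendevalidity : $object->dateendvalidity` in the end-of-validity `selectDate` call reads the misspelled `$datendevalidity`, which is never assigned, so whenever a POSTed end date is present the select is rendered with a null value and the user's input is silently dropped on redisplay; it should be `$dateendvalidity ? $dateendvalidity : $object->dateendvalidity`. The separator `if ($datestartvalidity && $dateendvalidity) print ' - ';` tests only the POSTed values, so on a plain edit-page load with both dates stored on `$object` no separator is printed between them; testing `($datestartvalidity || $object->datestartvalidity) && ($dateendvalidity || $object->dateendvalidity)` would match what is actually rendered. The surrounding page-level code starts and ends outside the hunk.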
@@ -105,7 +105,7 @@ class Users extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -113,27 +113,27 @@ class Users extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); - $user_static = new User($db); + $obj = $this->db->fetch_object($result); + $user_static = new User($this->db); if ($user_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($user_static); } $i++; } } else { - throw new RestException(503, 'Error when retrieve User list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve User list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No User found'); @@ -490,7 +490,7 @@ class Users extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { 
@@ -498,19 +498,19 @@ class Users extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $group_static = new UserGroup($this->db); if ($group_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($group_static); @@ -518,7 +518,7 @@ class Users extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve Group list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve Group list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No Group found'); diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php index 53a7abe5dac..786af8c81d1 100644 --- a/htdocs/user/class/user.class.php +++ b/htdocs/user/class/user.class.php @@ -154,7 +154,7 @@ class User extends CommonObject public $datelastlogin; public $datepreviouslogin; public $datestartvalidity; - public $dateedvalidity; + public $dateendvalidity; public $photo; public $lang; @@ -1038,6 +1038,14 @@ class User extends CommonObject $this->error = $this->db->lasterror(); } + // Remove params + $sql = "DELETE FROM ".MAIN_DB_PREFIX."user_param WHERE fk_user = ".$this->id; + if (!$error && !$this->db->query($sql)) + { + $error++; + $this->error = $this->db->lasterror(); + } + // If contact, remove link if ($this->contact_id > 0) { 
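Review bot: The new `DELETE FROM ".MAIN_DB_PREFIX."user_param WHERE fk_user = ".$this->id` in the user.class.php hunk concatenates `$this->id` raw, whereas the rest of this commit consistently casts integer ids (`((int) $rowid)`, `((int) $userid)`); for consistency and defence in depth write `" WHERE fk_user = ".((int) $this->id)`. A short comment on why user_param rows have to be removed explicitly here (presumably no FK cascade on that table) would also help. The enclosing delete() starts and ends outside the hunk.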
@@ -1459,7 +1467,6 @@ class User extends CommonObject $this->employee = $this->employee ? $this->employee : 0; $this->login = trim($this->login); $this->gender = trim($this->gender); - $this->birth = trim($this->birth); $this->pass = trim($this->pass); $this->api_key = trim($this->api_key); $this->address = $this->address ?trim($this->address) : trim($this->address); @@ -1487,6 +1494,9 @@ class User extends CommonObject $this->color = empty($this->color) ? '' : $this->color; $this->dateemployment = empty($this->dateemployment) ? '' : $this->dateemployment; $this->dateemploymentend = empty($this->dateemploymentend) ? '' : $this->dateemploymentend; + $this->datestartvalidity = empty($this->datestartvalidity) ? '' : $this->datestartvalidity; + $this->dateendvalidity = empty($this->dateendvalidity) ? '' : $this->dateendvalidity; + $this->birth = trim($this->birth); $this->fk_warehouse = trim(empty($this->fk_warehouse) ? '' : $this->fk_warehouse); // Check parameters @@ -1499,7 +1509,7 @@ class User extends CommonObject if (empty($this->login)) { $langs->load("errors"); - $this->error = $langs->trans("ErrorFieldRequired", $this->login); + $this->error = $langs->trans("ErrorFieldRequired", 'Login'); return -1; } 
@@ -1533,6 +1543,8 @@ class User extends CommonObject $sql .= ", color = '".$this->db->escape($this->color)."'"; $sql .= ", dateemployment=".(strval($this->dateemployment) != '' ? "'".$this->db->idate($this->dateemployment)."'" : 'null'); $sql .= ", dateemploymentend=".(strval($this->dateemploymentend) != '' ? "'".$this->db->idate($this->dateemploymentend)."'" : 'null'); + $sql .= ", datestartvalidity=".(strval($this->datestartvalidity) != '' ? "'".$this->db->idate($this->datestartvalidity)."'" : 'null'); + $sql .= ", dateendvalidity=".(strval($this->dateendvalidity) != '' ? "'".$this->db->idate($this->dateendvalidity)."'" : 'null'); $sql .= ", note = '".$this->db->escape($this->note_private)."'"; $sql .= ", note_public = '".$this->db->escape($this->note_public)."'"; $sql .= ", photo = ".($this->photo ? "'".$this->db->escape($this->photo)."'" : "null"); @@ -1550,7 +1562,6 @@ class User extends CommonObject $sql .= ", default_c_exp_tax_cat = ".($this->default_c_exp_tax_cat > 0 ? $this->default_c_exp_tax_cat : 'null'); $sql .= ", fk_warehouse = ".($this->fk_warehouse ? "'".$this->db->escape($this->fk_warehouse)."'" : "null"); $sql .= ", lang = ".($this->lang ? "'".$this->db->escape($this->lang)."'" : "null"); - $sql .= " WHERE rowid = ".$this->id; dol_syslog(get_class($this)."::update", LOG_DEBUG); @@ -3133,7 +3144,7 @@ class User extends CommonObject $sql = "SELECT rowid, email, user_mobile, civility, lastname, firstname"; $sql .= " FROM ".MAIN_DB_PREFIX."user"; - $sql .= " WHERE rowid = '".$rowid."'"; + $sql .= " WHERE rowid = ".((int) $rowid); $resql = $this->db->query($sql); if ($resql) diff --git a/htdocs/user/class/userbankaccount.class.php b/htdocs/user/class/userbankaccount.class.php index 325753fc773..25c751b4cb9 100644 --- a/htdocs/user/class/userbankaccount.class.php +++ b/htdocs/user/class/userbankaccount.class.php 
@@ -170,7 +170,7 @@ class UserBankAccount extends Account $sql .= " FROM ".MAIN_DB_PREFIX."user_rib"; if ($id) $sql .= " WHERE rowid = ".$id; if ($ref) $sql .= " WHERE label = '".$this->db->escape($ref)."'"; - if ($userid) $sql .= " WHERE fk_user = '".$userid."'"; + if ($userid) $sql .= " WHERE fk_user = ".((int) $userid); $resql = $this->db->query($sql); if ($resql) diff --git a/htdocs/user/group/list.php b/htdocs/user/group/list.php index 336fbc19727..0b6cdf23d47 100644 --- a/htdocs/user/group/list.php +++ b/htdocs/user/group/list.php @@ -57,7 +57,7 @@ if (!empty($conf->global->MAIN_USE_ADVANCED_PERMS)) // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } diff --git a/htdocs/user/list.php b/htdocs/user/list.php index 7e8406e84bf..406401bdf38 100644 --- a/htdocs/user/list.php +++ b/htdocs/user/list.php @@ -51,7 +51,7 @@ $mode = GETPOST("mode", 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } 
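Review bot: The userbankaccount hunk casts `$userid` but leaves the adjacent `if ($id) $sql .= " WHERE rowid = ".$id;` on the new side concatenating `$id` unquoted and uncast, the same class of issue the commit is fixing elsewhere; `" WHERE rowid = ".((int) $id)` keeps the two lines consistent. The three `if (...) $sql .= " WHERE ..."` branches each append their own `WHERE`, so calling fetch with more than one of id/ref/userid would produce invalid SQL — a comment stating that exactly one selector is expected would document that constraint. The enclosing fetch() starts and ends outside the hunk.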
@@ -224,21 +224,21 @@ if ($reshook > 0) { } if ($socid > 0) $sql .= " AND u.fk_soc = ".$socid; //if ($search_user != '') $sql.=natural_search(array('u.login', 'u.lastname', 'u.firstname'), $search_user); -if ($search_supervisor > 0) $sql .= " AND u.fk_user IN (".$db->escape($search_supervisor).")"; +if ($search_supervisor > 0) $sql .= " AND u.fk_user IN (".$db->sanitize($db->escape($search_supervisor)).")"; if ($search_thirdparty != '') $sql .= natural_search(array('s.nom'), $search_thirdparty); if ($search_login != '') $sql .= natural_search("u.login", $search_login); if ($search_lastname != '') $sql .= natural_search("u.lastname", $search_lastname); if ($search_firstname != '') $sql .= natural_search("u.firstname", $search_firstname); -if ($search_gender != '' && $search_gender != '-1') $sql .= " AND u.gender = '".$search_gender."'"; +if ($search_gender != '' && $search_gender != '-1') $sql .= natural_search("u.gender", $search_gender); if (is_numeric($search_employee) && $search_employee >= 0) { $sql .= ' AND u.employee = '.(int) $search_employee; } if ($search_accountancy_code != '') $sql .= natural_search("u.accountancy_code", $search_accountancy_code); if ($search_email != '') $sql .= natural_search("u.email", $search_email); if ($search_api_key != '') $sql .= natural_search("u.api_key", $search_api_key); -if ($search_statut != '' && $search_statut >= 0) $sql .= " AND u.statut IN (".$db->escape($search_statut).")"; +if ($search_statut != '' && $search_statut >= 0) $sql .= " AND u.statut IN (".$db->sanitize($db->escape($search_statut)).")"; if ($sall) $sql .= natural_search(array_keys($fieldstosearchall), $sall); -if ($catid > 0) $sql .= " AND cu.fk_categorie = ".$catid; +if ($catid > 0) $sql .= " AND cu.fk_categorie = ".((int) $catid); if ($catid == -2) $sql .= " AND cu.fk_categorie IS NULL"; if ($search_categ > 0) $sql .= " AND cu.fk_categorie = ".$db->escape($search_categ); if ($search_categ == -2) $sql .= " AND cu.fk_categorie IS NULL"; 
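Review bot: The user/list.php hunk casts `$catid` to int but leaves `if ($search_categ > 0) $sql .= " AND cu.fk_categorie = ".$db->escape($search_categ);` two lines below, and `if ($socid > 0) $sql .= " AND u.fk_soc = ".$socid;` at the top of the hunk, without a cast. `$db->escape()` only neutralises quote characters, which does nothing for an unquoted numeric predicate, and a `> 0` comparison does not reject a non-numeric string in PHP, so these should read `((int) $search_categ)` and `((int) $socid)` like `$catid`. The `$db->sanitize($db->escape(...))` wrapping on the two `IN (...)` lists is the right direction since those accept comma-separated ids, provided sanitize() restricts the value to digits and commas rather than only quotes; that function is not visible here.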
diff --git a/htdocs/user/passwordforgotten.php b/htdocs/user/passwordforgotten.php index 03225e85866..96497492a15 100644 --- a/htdocs/user/passwordforgotten.php +++ b/htdocs/user/passwordforgotten.php @@ -100,16 +100,24 @@ if ($action == 'buildnewpassword' && $username) { $message = '
'.$langs->trans("ErrorBadValueForCode").'
'; } else { + $isanemail = preg_match('/@/', $username); + $edituser = new User($db); $result = $edituser->fetch('', $username, '', 1); - if ($result == 0 && preg_match('/@/', $username)) + if ($result == 0 && $isanemail) { $result = $edituser->fetch('', '', '', 1, -1, $username); } if ($result <= 0 && $edituser->error == 'USERNOTFOUND') { - $message = '
'.$langs->trans("ErrorLoginDoesNotExists", $username).'
'; + $message = ''; $username = ''; } else { if (!$edituser->email) @@ -125,7 +133,14 @@ if ($action == 'buildnewpassword' && $username) // Success if ($edituser->send_password($user, $newpassword, 1) > 0) { - $message = ''; + $message = ''; $username = ''; } else { $message .= '
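Review bot: In the passwordforgotten.php `@@ -100` hunk the USERNOTFOUND branch now sets the same `$message = ''; $username = '';` as the success branch of the `@@ -125` hunk, which reads as an attempt to make the response uniform so that the page no longer confirms whether a login or e-mail exists. The `else` branch that follows (`if (!$edituser->email)`) continues outside the hunk; if it still renders a distinct error, an existing account without an e-mail address remains distinguishable from an unknown one, so it should fall into the same neutral message. The markup of the assigned message is not visible in this rendering, so this is inferred from the surrounding control flow only.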
'.$edituser->error.'
'; diff --git a/htdocs/variants/class/ProductAttribute.class.php b/htdocs/variants/class/ProductAttribute.class.php index 52ee3153108..bbc3a188137 100644 --- a/htdocs/variants/class/ProductAttribute.class.php +++ b/htdocs/variants/class/ProductAttribute.class.php @@ -41,6 +41,12 @@ class ProductAttribute extends CommonObject */ public $ref; + /** + * External ref of the product attribute + * @var string + */ + public $ref_ext; + /** * Label of the product attribute * @var string @@ -79,7 +85,7 @@ class ProductAttribute extends CommonObject return -1; } - $sql = "SELECT rowid, ref, label, rang FROM ".MAIN_DB_PREFIX."product_attribute WHERE rowid = ".(int) $id." AND entity IN (".getEntity('product').")"; + $sql = "SELECT rowid, ref, ref_ext, label, rang FROM ".MAIN_DB_PREFIX."product_attribute WHERE rowid = ".(int) $id." AND entity IN (".getEntity('product').")"; $query = $this->db->query($sql); @@ -91,6 +97,7 @@ class ProductAttribute extends CommonObject $this->id = $obj->rowid; $this->ref = $obj->ref; + $this->ref_ext = $obj->ref_ext; $this->label = $obj->label; $this->rang = $obj->rang; @@ -106,7 +113,7 @@ class ProductAttribute extends CommonObject { $return = array(); - $sql = 'SELECT rowid, ref, label, rang FROM '.MAIN_DB_PREFIX."product_attribute WHERE entity IN (".getEntity('product').')'; + $sql = 'SELECT rowid, ref, ref_ext, label, rang FROM '.MAIN_DB_PREFIX."product_attribute WHERE entity IN (".getEntity('product').')'; $sql .= $this->db->order('rang', 'asc'); $query = $this->db->query($sql); if ($query) @@ -115,6 +122,7 @@ class ProductAttribute extends CommonObject $tmp = new ProductAttribute($this->db); $tmp->id = $result->rowid; $tmp->ref = $result->ref; + $tmp->ref_ext = $result->ref_ext; $tmp->label = $result->label; $tmp->rang = $result->rang; 
@@ -147,8 +155,8 @@ class ProductAttribute extends CommonObject //Ref must be uppercase $this->ref = strtoupper($this->ref); - $sql = "INSERT INTO ".MAIN_DB_PREFIX."product_attribute (ref, label, entity, rang) - VALUES ('".$this->db->escape($this->ref)."', '".$this->db->escape($this->label)."', ".(int) $this->entity.", ".(int) $this->rang.")"; + $sql = "INSERT INTO ".MAIN_DB_PREFIX."product_attribute (ref, ref_ext, label, entity, rang) + VALUES ('".$this->db->escape($this->ref)."', '".$this->db->escape($this->ref_ext)."', '".$this->db->escape($this->label)."', ".(int) $this->entity.", ".(int) $this->rang.")"; $query = $this->db->query($sql); if ($query) @@ -183,7 +191,7 @@ class ProductAttribute extends CommonObject $this->ref = trim(strtoupper($this->ref)); $this->label = trim($this->label); - $sql = "UPDATE ".MAIN_DB_PREFIX."product_attribute SET ref = '".$this->db->escape($this->ref)."', label = '".$this->db->escape($this->label)."', rang = ".(int) $this->rang." WHERE rowid = ".(int) $this->id; + $sql = "UPDATE ".MAIN_DB_PREFIX."product_attribute SET ref = '".$this->db->escape($this->ref)."', ref_ext = '".$this->db->escape($this->ref_ext)."', label = '".$this->db->escape($this->label)."', rang = ".(int) $this->rang." WHERE rowid = ".(int) $this->id; if ($this->db->query($sql)) { return 1; diff --git a/htdocs/variants/class/ProductCombination.class.php b/htdocs/variants/class/ProductCombination.class.php index b4dac8475c0..721d31ef3ca 100644 --- a/htdocs/variants/class/ProductCombination.class.php +++ b/htdocs/variants/class/ProductCombination.class.php @@ -27,7 +27,7 @@ class ProductCombination * Database handler * @var DoliDB */ - private $db; + public $db; /** * Rowid of combination @@ -77,6 +77,12 @@ class ProductCombination */ public $combination_price_levels; + /** + * External ref + * @var string + */ + public $variation_ref_ext = ''; + /** * Constructor * 
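Review bot: The ProductCombination `@@ -27` hunk widens `$db` from `private` to `public`, yet every new use in this commit goes through `$this->db`, which already works with the private declaration; the same widening appears for ProductCombinationLevel in the `@@ -971` hunk. Unless some caller reads `$combination->db` directly, keep the handler private (or `protected` if subclasses need it) so external code cannot swap the connection object under a live instance. If the widening is intentional, a one-line docblock note naming the caller that relies on it would help, e.g. `@var DoliDB public because <caller> reads it`. The ProductAttribute hunks on this line add `ref_ext` with `$this->db->escape()` on both the INSERT and the UPDATE, which is consistent with the existing `ref`/`label` handling.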
@@ -100,7 +106,7 @@ class ProductCombination { global $conf; - $sql = "SELECT rowid, fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE rowid = ".(int) $rowid." AND entity IN (".getEntity('product').")"; + $sql = "SELECT rowid, fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight, variation_ref_ext FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE rowid = ".(int) $rowid." AND entity IN (".getEntity('product').")"; $query = $this->db->query($sql); @@ -120,6 +126,7 @@ class ProductCombination $this->variation_price = $obj->variation_price; $this->variation_price_percentage = $obj->variation_price_percentage; $this->variation_weight = $obj->variation_weight; + $this->variation_ref_ext = $obj->variation_ref_ext; if (!empty($conf->global->PRODUIT_MULTIPRICES)) { $this->fetchCombinationPriceLevels(); @@ -226,7 +233,6 @@ class ProductCombination } } - /** * Retrieves information of a variant product and ID of its parent product. * @@ -295,6 +301,7 @@ class ProductCombination $tmp->variation_price = $result->variation_price; $tmp->variation_price_percentage = $result->variation_price_percentage; $tmp->variation_weight = $result->variation_weight; + $tmp->variation_ref_ext = $result->variation_ref_ext; if (!empty($conf->global->PRODUIT_MULTIPRICES)) { $tmp->fetchCombinationPriceLevels(); 
@@ -339,10 +346,10 @@ class ProductCombination /* $this->fk_product_child may be empty and will be filled later after subproduct has been created */ $sql = "INSERT INTO ".MAIN_DB_PREFIX."product_attribute_combination"; - $sql .= " (fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight, entity)"; + $sql .= " (fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight, variation_ref_ext, entity)"; $sql .= " VALUES (".((int) $this->fk_product_parent).", ".((int) $this->fk_product_child).","; $sql .= (float) $this->variation_price.", ".(int) $this->variation_price_percentage.","; - $sql .= (float) $this->variation_weight.", ".(int) $this->entity.")"; + $sql .= (float) $this->variation_weight.", '".$this->db->escape($this->variation_ref_ext)."', ".(int) $this->entity.")"; $resql = $this->db->query($sql); if ($resql) { @@ -375,7 +382,8 @@ class ProductCombination $sql = "UPDATE ".MAIN_DB_PREFIX."product_attribute_combination"; $sql .= " SET fk_product_parent = ".(int) $this->fk_product_parent.", fk_product_child = ".(int) $this->fk_product_child.","; $sql .= " variation_price = ".(float) $this->variation_price.", variation_price_percentage = ".(int) $this->variation_price_percentage.","; - $sql .= " variation_weight = ".(float) $this->variation_weight." WHERE rowid = ".((int) $this->id); + $sql .= " variation_ref_ext = '".$this->db->escape($this->variation_ref_ext)."',"; + $sql .= " variation_weight = ".(float) $this->variation_weight." WHERE rowid = ".((int) $this->id); $resql = $this->db->query($sql); if (!$resql) { 
@@ -663,23 +671,24 @@ class ProductCombination * @param bool|float $forced_pricevar If the price variation is forced * @param bool|float $forced_weightvar If the weight variation is forced * @param bool|string $forced_refvar If the reference is forced + * @param string $ref_ext External reference * @return int <0 KO, >0 OK */ - public function createProductCombination(User $user, Product $product, array $combinations, array $variations, $price_var_percent = false, $forced_pricevar = false, $forced_weightvar = false, $forced_refvar = false) + public function createProductCombination(User $user, Product $product, array $combinations, array $variations, $price_var_percent = false, $forced_pricevar = false, $forced_weightvar = false, $forced_refvar = false, $ref_ext = '') { - global $db, $conf; + global $conf; require_once DOL_DOCUMENT_ROOT.'/variants/class/ProductAttribute.class.php'; require_once DOL_DOCUMENT_ROOT.'/variants/class/ProductAttributeValue.class.php'; - $db->begin(); + $this->db->begin(); $price_impact = array(1=>0); // init level price impact $forced_refvar = trim($forced_refvar); if (!empty($forced_refvar) && $forced_refvar != $product->ref) { - $existingProduct = new Product($db); + $existingProduct = new Product($this->db); $result = $existingProduct->fetch('', $forced_refvar); if ($result > 0) { $newproduct = $existingProduct; @@ -705,7 +714,7 @@ class ProductCombination $price_impact = $forced_pricevar; } - $newcomb = new ProductCombination($db); + $newcomb = new ProductCombination($this->db); $existingCombination = $newcomb->fetchByProductCombination2ValuePairs($product->id, $combinations); if ($existingCombination) { 
@@ -718,13 +727,13 @@ class ProductCombination if ($result < 0) { $this->error = $newcomb->error; $this->errors = $newcomb->errors; - $db->rollback(); + $this->db->rollback(); return -1; } } - $prodattr = new ProductAttribute($db); - $prodattrval = new ProductAttributeValue($db); + $prodattr = new ProductAttribute($this->db); + $prodattrval = new ProductAttributeValue($this->db); // $combination contains list of attributes pairs key->value. Example: array('id Color'=>id Blue, 'id Size'=>id Small, 'id Option'=>id val a, ...) //var_dump($combinations); @@ -735,7 +744,7 @@ class ProductCombination //If there is an existing combination, there is no need to duplicate the valuepair if (!$existingCombination) { - $tmp = new ProductCombination2ValuePair($db); + $tmp = new ProductCombination2ValuePair($this->db); $tmp->fk_prod_attr = $currcombattr; $tmp->fk_prod_attr_val = $currcombval; $tmp->fk_prod_combination = $newcomb->id; @@ -743,7 +752,7 @@ class ProductCombination if ($tmp->create($user) < 0) { // Create 1 entry into product_attribute_combination2val $this->error = $tmp->error; $this->errors = $tmp->errors; - $db->rollback(); + $this->db->rollback(); return -1; } } @@ -781,6 +790,7 @@ class ProductCombination $newcomb->variation_price_percentage = $price_var_percent; $newcomb->variation_price = $price_impact[1]; $newcomb->variation_weight = $weight_impact; + $newcomb->variation_ref_ext = $this->db->escape($ref_ext); // Init price level if ($conf->global->PRODUIT_MULTIPRICES) { @@ -822,7 +832,7 @@ class ProductCombination if ($newproduct->error != 'ErrorProductAlreadyExists') { $this->error[] = $newproduct->error; $this->errors = $newproduct->errors; - $db->rollback(); + $this->db->rollback(); return -1; } @@ -851,7 +861,7 @@ class ProductCombination } if ($res < 0) { - $db->rollback(); + $this->db->rollback(); return -1; } } 
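Review bot: In the `@@ -781` hunk, `$newcomb->variation_ref_ext = $this->db->escape($ref_ext);` escapes the value at assignment time, but `ProductCombination::create()` and `update()` (the `@@ -339` and `@@ -375` hunks) already apply `$this->db->escape()` when they build the SQL, so a reference containing a quote or backslash is escaped twice and stored with the escape characters. Escaping belongs only where the string enters the query; assign the raw value, `$newcomb->variation_ref_ext = $ref_ext;`, and keep the escape in create()/update(). The `global $db` to `$this->db` replacements in the surrounding hunks are otherwise consistent; createProductCombination() starts in the `@@ -663` hunk and ends in the `@@ -870` hunk.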
@@ -859,7 +869,7 @@ class ProductCombination $result = $newproduct->update($newproduct->id, $user); if ($result < 0) { - $db->rollback(); + $this->db->rollback(); return -1; } } @@ -870,11 +880,11 @@ class ProductCombination { $this->error = $newcomb->error; $this->errors = $newcomb->errors; - $db->rollback(); + $this->db->rollback(); return -1; } - $db->commit(); + $this->db->commit(); return $newproduct->id; } @@ -971,7 +981,7 @@ class ProductCombinationLevel * Database handler * @var DoliDB */ - private $db; + public $db; /** * @var string Name of table without prefix where object is stored diff --git a/htdocs/webservices/server_productorservice.php b/htdocs/webservices/server_productorservice.php index ae5f1f285a4..bf29795f0de 100644 --- a/htdocs/webservices/server_productorservice.php +++ b/htdocs/webservices/server_productorservice.php @@ -503,7 +503,7 @@ function createProductOrService($authentication, $product) if ($product['barcode'] && !$product['barcode_type']) { - $errror++; $errorcode = 'KO'; $errorlabel = "You must set a barcode type when setting a barcode."; + $error++; $errorcode = 'KO'; $errorlabel = "You must set a barcode type when setting a barcode."; } @@ -593,7 +593,7 @@ function createProductOrService($authentication, $product) if ($savstockreal != $getstockreal) { - $warehouse = new Entrepot($this->db); + $warehouse = new Entrepot($db); $warehouse->fetch(0, $product['warehouse_ref']); if ($warehouse->id > 0) { @@ -675,7 +675,7 @@ function updateProductOrService($authentication, $product) if ($product['barcode'] && !$product['barcode_type']) { - $errror++; $errorcode = 'KO'; $errorlabel = "You must set a barcode type when setting a barcode."; + $error++; $errorcode = 'KO'; $errorlabel = "You must set a barcode type when setting a barcode."; } if (!$error) 
@@ -762,7 +762,7 @@ function updateProductOrService($authentication, $product) if ($savstockreal != $getstockreal) { - $warehouse = new Entrepot($this->db); + $warehouse = new Entrepot($db); $warehouse->fetch(0, $product['warehouse_ref']); if ($warehouse->id > 0) { @@ -841,8 +841,6 @@ function deleteProductOrService($authentication, $listofidstring) { global $db, $conf, $langs; - $now = dol_now(); - dol_syslog("Function: deleteProductOrService login=".$authentication['login']); if ($authentication['entity']) $conf->entity = $authentication['entity']; @@ -936,8 +934,6 @@ function getListOfProductsOrServices($authentication, $filterproduct) { global $db, $conf, $langs; - $now = dol_now(); - dol_syslog("Function: getListOfProductsOrServices login=".$authentication['login']); if ($authentication['entity']) $conf->entity = $authentication['entity']; diff --git a/htdocs/webservices/server_user.php b/htdocs/webservices/server_user.php index bc43c4ab6d4..000bad4b563 100644 --- a/htdocs/webservices/server_user.php +++ b/htdocs/webservices/server_user.php @@ -540,7 +540,7 @@ function createUserFromThirdparty($authentication, $thirdpartywithuser) $sql = "SELECT rowid"; $sql .= " FROM ".MAIN_DB_PREFIX."c_country"; $sql .= " WHERE active = 1"; - $sql .= " AND code='".$thirdparty->country_code."'"; + $sql .= " AND code='".$db->escape($thirdparty->country_code)."'"; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/website/class/websitepage.class.php b/htdocs/website/class/websitepage.class.php index 2ed4b9a75a3..b5e29e04176 100644 --- a/htdocs/website/class/websitepage.class.php +++ b/htdocs/website/class/websitepage.class.php 
@@ -382,9 +382,9 @@ class WebsitePage extends CommonObject if (count($filter) > 0) { foreach ($filter as $key => $value) { if ($key == 't.rowid' || $key == 't.fk_website' || $key == 'status') { - $sqlwhere[] = $key.'='.$value; + $sqlwhere[] = $key.' = '.$value; } elseif ($key == 'type_container') { - $sqlwhere[] = $key."='".$value."'"; + $sqlwhere[] = $key." = '".$this->db->escape($value)."'"; } elseif ($key == 'lang' || $key == 't.lang') { $listoflang = array(); $foundnull = 0; diff --git a/htdocs/zapier/class/api_zapier.class.php b/htdocs/zapier/class/api_zapier.class.php index 082ca5a5490..9fbaf56c303 100644 --- a/htdocs/zapier/class/api_zapier.class.php +++ b/htdocs/zapier/class/api_zapier.class.php @@ -174,7 +174,7 @@ class ZapierApi extends DolibarrApi //if ($mode == 1) $sql.= " AND s.client IN (1, 3)"; //if ($mode == 2) $sql.= " AND s.client IN (2, 3)"; - $tmpobject = new Hook($db); + $tmpobject = new Hook($this->db); if ($tmpobject->ismultientitymanaged) { $sql .= ' AND t.entity IN ('.getEntity('hook').')'; } @@ -200,23 +200,23 @@ class ZapierApi extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { $page = 0; } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); $i = 0; if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); while ($i < $num) { - $obj = $db->fetch_object($result); - $hook_static = new Hook($db); + $obj = $this->db->fetch_object($result); + $hook_static = new Hook($this->db); if ($hook_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($hook_static); } 
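Review bot: In the WebsitePage hunk, the `t.rowid`/`t.fk_website`/`status` branch still concatenates `$value` unmodified (`$sqlwhere[] = $key.' = '.$value;`); the commit only adds spaces there while it escapes the `type_container` branch. Those three keys are numeric, so the value should be cast, `$sqlwhere[] = $key.' = '.((int) $value);`, because `escape()` would not help in an unquoted numeric predicate. The enclosing method and the origin of `$filter` are outside the hunk, so whether callers already validate these values cannot be confirmed from here.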
diff --git a/htdocs/zapier/hook_list.php b/htdocs/zapier/hook_list.php index ab69c576445..ac90713f13c 100644 --- a/htdocs/zapier/hook_list.php +++ b/htdocs/zapier/hook_list.php @@ -49,7 +49,7 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { diff --git a/htdocs/zapier/zapierindex.php b/htdocs/zapier/zapierindex.php index 2ac566dc058..5ecdf24e6cd 100644 --- a/htdocs/zapier/zapierindex.php +++ b/htdocs/zapier/zapierindex.php @@ -67,156 +67,9 @@ print load_fiche_titre($langs->trans("ZapierForDolibarrArea"), '', 'zapier.png@z print '
'; -/* BEGIN MODULEBUILDER DRAFT MYOBJECT -// Draft MyObject -if (! empty($conf->zapier->enabled) && $user->rights->zapier->read) -{ - $langs->load("orders"); - - $sql = "SELECT c.rowid, c.ref, c.ref_client, c.total_ht, c.tva as total_tva, c.total_ttc, s.rowid as socid, s.nom as name, s.client, s.canvas"; - $sql.= ", s.code_client"; - $sql.= " FROM ".MAIN_DB_PREFIX."commande as c"; - $sql.= ", ".MAIN_DB_PREFIX."societe as s"; - if (! $user->rights->societe->client->voir && ! $socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql.= " WHERE c.fk_soc = s.rowid"; - $sql.= " AND c.fk_statut = 0"; - $sql.= " AND c.entity IN (".getEntity('commande').")"; - if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; - if ($socid) $sql.= " AND c.fk_soc = ".$socid; - - $resql = $db->query($sql); - if ($resql) - { - $total = 0; - $num = $db->num_rows($resql); - - print ''; - print ''; - print ''; - - $var = true; - if ($num > 0) - { - $i = 0; - while ($i < $num) - { - - $obj = $db->fetch_object($resql); - print ''; - print ''; - print ''; - $i++; - $total += $obj->total_ttc; - } - if ($total>0) - { - - print '"; - } - } - else - { - - print ''; - } - print "
'.$langs->trans("DraftOrders").($num?''.$num.'':'').'
'; - $orderstatic->id=$obj->rowid; - $orderstatic->ref=$obj->ref; - $orderstatic->ref_client=$obj->ref_client; - $orderstatic->total_ht = $obj->total_ht; - $orderstatic->total_tva = $obj->total_tva; - $orderstatic->total_ttc = $obj->total_ttc; - print $orderstatic->getNomUrl(1); - print ''; - $companystatic->id=$obj->socid; - $companystatic->name=$obj->name; - $companystatic->client=$obj->client; - $companystatic->code_client = $obj->code_client; - $companystatic->code_fournisseur = $obj->code_fournisseur; - $companystatic->canvas=$obj->canvas; - print $companystatic->getNomUrl(1,'customer',16); - print ''.price($obj->total_ttc).'
'.$langs->trans("Total").''.price($total)."
'.$langs->trans("NoOrder").'

"; - - $db->free($resql); - } - else - { - dol_print_error($db); - } -} -END MODULEBUILDER DRAFT MYOBJECT */ - - print '
'; -$NBMAX = 3; -$max = 3; - -/* BEGIN MODULEBUILDER LASTMODIFIED MYOBJECT -// Last modified myobject -if (! empty($conf->zapier->enabled) && $user->rights->zapier->read) -{ - $sql = "SELECT s.rowid, s.nom as name, s.client, s.datec, s.tms, s.canvas"; - $sql.= ", s.code_client"; - $sql.= " FROM ".MAIN_DB_PREFIX."societe as s"; - if (! $user->rights->societe->client->voir && ! $socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql.= " WHERE s.client IN (1, 2, 3)"; - $sql.= " AND s.entity IN (".getEntity($companystatic->element).")"; - if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; - if ($socid) $sql.= " AND s.rowid = $socid"; - $sql .= " ORDER BY s.tms DESC"; - $sql .= $db->plimit($max, 0); - - $resql = $db->query($sql); - if ($resql) - { - $num = $db->num_rows($resql); - $i = 0; - - print ''; - print ''; - print ''; - print ''; - print ''; - if ($num) - { - while ($i < $num) - { - $objp = $db->fetch_object($resql); - $companystatic->id=$objp->rowid; - $companystatic->name=$objp->name; - $companystatic->client=$objp->client; - $companystatic->code_client = $objp->code_client; - $companystatic->code_fournisseur = $objp->code_fournisseur; - $companystatic->canvas=$objp->canvas; - print ''; - print ''; - print '"; - print '"; - print ''; - $i++; - - - } - - $db->free($resql); - } - else - { - print ''; - } - print "
'; - if (empty($conf->global->SOCIETE_DISABLE_PROSPECTS) && empty($conf->global->SOCIETE_DISABLE_CUSTOMERS)) print $langs->trans("BoxTitleLastCustomersOrProspects",$max); - else if (! empty($conf->global->SOCIETE_DISABLE_CUSTOMERS)) print $langs->trans("BoxTitleLastModifiedProspects",$max); - else print $langs->trans("BoxTitleLastModifiedCustomers",$max); - print ''.$langs->trans("DateModificationShort").'
'.$companystatic->getNomUrl(1,'customer',48).''; - print $companystatic->getLibCustProspStatut(); - print "'.dol_print_date($db->jdate($objp->tms),'day')."
'.$langs->trans("None").'

"; - } -} -*/ - print '
'; // End of page diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php index 74f889f19b6..b819671578c 100644 --- a/test/phpunit/CodingPhpTest.php +++ b/test/phpunit/CodingPhpTest.php 
@@ -166,10 +166,71 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase print 'Check php file '.$file['fullname']."\n"; $filecontent=file_get_contents($file['fullname']); + if (preg_match('/\.class\.php/', $file['relativename']) + || preg_match('/boxes\/box_/', $file['relativename']) + || preg_match('/modules\/.*\/doc\/(doc|pdf)_/', $file['relativename']) + || preg_match('/modules\/(import|mailings|printing)\//', $file['relativename']) + || in_array($file['name'], array('modules_boxes.php', 'rapport.pdf.php', 'TraceableDB.php'))) { + if (! in_array($file['name'], array( + 'api.class.php', + 'actioncomm.class.php', + 'commonobject.class.php', + 'conf.class.php', + 'html.form.class.php', + 'html.formmail.class.php', + 'infobox.class.php', + 'link.class.php', + 'translate.class.php', + 'utils.class.php', + 'modules_product.class.php', + 'modules_societe.class.php', + 'TraceableDB.php', + 'expeditionbatch.class.php', + 'expensereport_ik.class.php', + 'expensereport_rule.class.php', + 'multicurrency.class.php', + 'productbatch.class.php', + 'reception.class.php', + 'societe.class.php' + ))) { + // Must must not found $db-> + $ok=true; + $matches=array(); + // Check string get_class... + preg_match_all('/'.preg_quote('$db->', '/').'/', $filecontent, $matches, PREG_SET_ORDER); + foreach ($matches as $key => $val) + { + $ok=false; + break; + } + //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; + $this->assertTrue($ok, 'Found string $db-> into a .class.php file in '.$file['relativename']); + //exit; + } + } else { + if (! in_array($file['name'], array( + 'extrafieldsinexport.inc.php', + 'DolQueryCollector.php' + ))) { + // Must must not found $this->db-> + $ok=true; + $matches=array(); + // Check string get_class... + preg_match_all('/'.preg_quote('$this->db->', '/').'/', $filecontent, $matches, PREG_SET_ORDER); + foreach ($matches as $key => $val) + { + $ok=false; + break; + } + //print __METHOD__." 
Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; + $this->assertTrue($ok, 'Found string $this->db-> in '.$file['relativename']); + //exit; + } + } $ok=true; $matches=array(); - // Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request. + // Check string get_class... preg_match_all('/'.preg_quote('get_class($this)."::".__METHOD__', '/').'/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { @@ -182,7 +243,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase $ok=true; $matches=array(); - // Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request. + // Check string $this->db->idate without quotes preg_match_all('/(..)\s*\.\s*\$this->db->idate\(/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { @@ -200,11 +261,12 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase $ok=true; $matches=array(); + // Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request. - preg_match_all('/(=|sql.+)\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER); + preg_match_all('/=\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { - if ($val[2] != 'db->' && $val[2] != 'esca') + if ($val[1] != 'db->' && $val[1] != 'esca') { $ok=false; break; 
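Review bot: In the CodingPhpTest `@@ -166` hunk, both new checks compute `$ok` with a `foreach ($matches ...) { $ok=false; break; }` after `preg_match_all`, which is a roundabout `$ok = empty($matches);`, and since the needle is a literal a plain `$ok = strpos($filecontent, '$db->') === false;` would avoid the regex entirely. The copied comments are also misleading: `// Must must not found $db->` has a typo and `// Check string get_class...` describes a different check; suggest `// A class file must use $this->db, never the global $db` and `// A non-class file must use the global $db, never $this->db` respectively. The test method begins before and continues after the hunk.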
@@ -212,7 +274,21 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase //if ($reg[0] != 'db') $ok=false; } //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; - $this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['relativename'].' ('.$val[0].'). Bad.'); + $this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['relativename'].': '.$val[0].' - Bad.'); + //exit; + + // Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request. + preg_match_all('/sql.+\s*\'"\s*\.\s*\$(.........)/', $filecontent, $matches, PREG_SET_ORDER); + foreach ($matches as $key => $val) + { + if (! in_array($val[1], array('this->db-', 'this->esc', 'db->escap', 'db->idate', 'excludeGr', 'includeGr'))) { + $ok=false; + break; + } + //if ($reg[0] != 'db') $ok=false; + } + //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; + $this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['relativename'].': '.$val[0].' - Bad.'); //exit; diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php index 161dcd935b3..6c4d2270d1a 100644 --- a/test/phpunit/SecurityTest.php +++ b/test/phpunit/SecurityTest.php @@ -173,11 +173,12 @@ class SecurityTest extends PHPUnit\Framework\TestCase $_GET["param1"]="222"; $_POST["param1"]="333"; $_GET["param2"]='a/b#e(pr)qq-rr\cc'; - $_GET["param3"]='"a/b#e(pr)qq-rr\cc'; // Same than param2 + " + $_GET["param3"]='"na/b#e(pr)qq-rr\cc'; // Same than param2 + " and n $_GET["param4"]='../dir'; $_GET["param5"]="a_1-b"; - $_POST["param6"]="">assertEquals($result, 'a/b#e(pr)qq-rr\cc'); + $this->assertEquals($result, 'na/b#e(pr)qq-rr\cc'); $result=GETPOST("param4", 'alpha'); // Must return string sanitized from ../ print __METHOD__." result=".$result."\n"; 
@@ -230,9 +231,15 @@ class SecurityTest extends PHPUnit\Framework\TestCase print __METHOD__." result=".$result."\n"; $this->assertEquals('">', $result); + // With restricthtml we must remove html open/close tag and content but not htmlentities like n $result=GETPOST("param7", 'restricthtml'); print __METHOD__." result=".$result."\n"; - $this->assertEquals('"c:\this is a path~1\aaa" abcdef', $result); + $this->assertEquals('"c:\this is a path~1\aaan" abcdef', $result); + + // With alphanohtml, we must convert the html entities like n + $result=GETPOST("param8", 'alphanohtml'); + print __METHOD__." result=".$result."\n"; + $this->assertEquals("Hacker