From 925a1475a126672daf934a9da06079c911f9621e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric?= <35066297+c3do@users.noreply.github.com> Date: Fri, 4 Sep 2020 11:01:47 +0200 Subject: [PATCH 001/151] add ref_ext to ProductCombination.class.php --- .../class/ProductCombination.class.php | 105 ++++++++++++------ 1 file changed, 72 insertions(+), 33 deletions(-) diff --git a/htdocs/variants/class/ProductCombination.class.php b/htdocs/variants/class/ProductCombination.class.php index 4c25e32c9da..a4faa6121a0 100644 --- a/htdocs/variants/class/ProductCombination.class.php +++ b/htdocs/variants/class/ProductCombination.class.php @@ -76,6 +76,12 @@ class ProductCombination * @var ProductCombinationLevel[] */ public $combination_price_levels; + + /** + * External ref + * @var string + */ + public $variation_ref_ext = ''; /** * Constructor @@ -100,7 +106,7 @@ class ProductCombination { global $conf; - $sql = "SELECT rowid, fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE rowid = ".(int) $rowid." AND entity IN (".getEntity('product').")"; + $sql = "SELECT rowid, fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight, variation_ref_ext FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE rowid = ".(int) $rowid." AND entity IN (".getEntity('product').")"; $query = $this->db->query($sql); @@ -120,6 +126,7 @@ class ProductCombination $this->variation_price = $obj->variation_price; $this->variation_price_percentage = $obj->variation_price_percentage; $this->variation_weight = $obj->variation_weight; + $this->variation_ref_ext = $obj->variation_ref_ext; if (!empty($conf->global->PRODUIT_MULTIPRICES)) { $this->fetchCombinationPriceLevels(); @@ -226,44 +233,72 @@ class ProductCombination } } + /** + * Get fk_product_parent by fk_product_child + * + * @param int $fk_child Product row id + * @return int >0 OK <0 KO + */ + public function getFkProductParentByFkProductChild($fk_child) + { + $sql = "SELECT fk_product_parent FROM ".MAIN_DB_PREFIX."product_attribute_combination"; + $sql .= " WHERE fk_product_child = ".(int) $fk_child." AND entity IN (".getEntity('product').") LIMIT 1"; - /** - * Retrieves a product combination by a child product row id - * - * @param int $fk_child Product row id - * @return int <0 KO, >0 OK - */ - public function fetchByFkProductChild($fk_child) - { - global $conf; + $query = $this->db->query($sql); - $sql = "SELECT rowid, fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE fk_product_child = ".(int) $fk_child." AND entity IN (".getEntity('product').")"; + if (!$query) { + return -1; + } - $query = $this->db->query($sql); + if (!$this->db->num_rows($query)) { + return -1; + } - if (!$query) { - return -1; - } + $row = $this->db->fetch_object($query); - if (!$this->db->num_rows($query)) { - return -1; - } + return (int) $row->fk_product_parent; + } - $result = $this->db->fetch_object($query); - $this->id = $result->rowid; - $this->fk_product_parent = $result->fk_product_parent; - $this->fk_product_child = $result->fk_product_child; - $this->variation_price = $result->variation_price; - $this->variation_price_percentage = $result->variation_price_percentage; - $this->variation_weight = $result->variation_weight; + /** + * Retrieves all product combinations by the child product row id + * + * @param int $fk_child Product row id + * @return int|ProductCombination[] <0 KO + */ + public function fetchAllByFkProductChild($fk_child) + { + global $conf; - if (!empty($conf->global->PRODUIT_MULTIPRICES)) { - $this->fetchCombinationPriceLevels(); - } + $sql = "SELECT rowid, fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight, variation_ref_ext FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE fk_product_child = ".(int) $fk_child." AND entity IN (".getEntity('product').")"; - return 1; - } + $query = $this->db->query($sql); + + if (!$query) { + return -1; + } + + $return = array(); + + while ($result = $this->db->fetch_object($query)) { + $tmp = new ProductCombination($this->db); + $tmp->id = $result->rowid; + $tmp->fk_product_parent = $result->fk_product_parent; + $tmp->fk_product_child = $result->fk_product_child; + $tmp->variation_price = $result->variation_price; + $tmp->variation_price_percentage = $result->variation_price_percentage; + $tmp->variation_weight = $result->variation_weight; + $tmp->variation_ref_ext = $result->variation_ref_ext; + + if (!empty($conf->global->PRODUIT_MULTIPRICES)) { + $tmp->fetchCombinationPriceLevels(); + } + + $return[] = $tmp; + } + + return $return; + } /** * Retrieves all product combinations by the product parent row id @@ -293,6 +328,7 @@ class ProductCombination $tmp->variation_price = $result->variation_price; $tmp->variation_price_percentage = $result->variation_price_percentage; $tmp->variation_weight = $result->variation_weight; + $tmp->variation_ref_ext = $result->variation_ref_ext; if (!empty($conf->global->PRODUIT_MULTIPRICES)) { $tmp->fetchCombinationPriceLevels(); @@ -340,7 +376,7 @@ class ProductCombination $sql .= " (fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight, entity)"; $sql .= " VALUES (".((int) $this->fk_product_parent).", ".((int) $this->fk_product_child).","; $sql .= (float) $this->variation_price.", ".(int) $this->variation_price_percentage.","; - $sql .= (float) $this->variation_weight.", ".(int) $this->entity.")"; + $sql .= (float) $this->variation_weight.", '".$this->db->escape($this->variation_ref_ext)."', ".(int) $this->entity.")"; $resql = $this->db->query($sql); if ($resql) { @@ -373,7 +409,8 @@ class ProductCombination $sql = "UPDATE ".MAIN_DB_PREFIX."product_attribute_combination"; $sql .= " SET fk_product_parent = ".(int) $this->fk_product_parent.", fk_product_child = ".(int) $this->fk_product_child.","; $sql .= " variation_price = ".(float) $this->variation_price.", variation_price_percentage = ".(int) $this->variation_price_percentage.","; - $sql .= " variation_weight = ".(float) $this->variation_weight." WHERE rowid = ".((int) $this->id); + $sql .= " variation_ref_ext = '".$this->db->escape($this->variation_ref_ext)."',"; + $sql .= " variation_weight = ".(float) $this->variation_weight." WHERE rowid = ".((int) $this->id); $resql = $this->db->query($sql); if (! $resql) { @@ -661,9 +698,10 @@ class ProductCombination * @param bool|float $forced_pricevar If the price variation is forced * @param bool|float $forced_weightvar If the weight variation is forced * @param bool|string $forced_refvar If the reference is forced + * @param string $ref_ext External reference * @return int <0 KO, >0 OK */ - public function createProductCombination(User $user, Product $product, array $combinations, array $variations, $price_var_percent = false, $forced_pricevar = false, $forced_weightvar = false, $forced_refvar = false) + public function createProductCombination(User $user, Product $product, array $combinations, array $variations, $price_var_percent = false, $forced_pricevar = false, $forced_weightvar = false, $forced_refvar = false, $ref_ext = '') { global $db, $conf; @@ -779,6 +817,7 @@ class ProductCombination $newcomb->variation_price_percentage = $price_var_percent; $newcomb->variation_price = $price_impact[1]; $newcomb->variation_weight = $weight_impact; + $newcomb->variation_ref_ext = $db->escape($ref_ext); // Init price level if ($conf->global->PRODUIT_MULTIPRICES){ From 0f1c3643d7db798fa9e38984ea596b68b84cf878 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric?= <35066297+c3do@users.noreply.github.com> Date: Fri, 4 Sep 2020 11:21:29 +0200 Subject: [PATCH 002/151] Use function getFkProductParentByFkProductChild --- htdocs/core/lib/product.lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/core/lib/product.lib.php b/htdocs/core/lib/product.lib.php index dfc57313add..686ff3af1f5 100644 --- a/htdocs/core/lib/product.lib.php +++ b/htdocs/core/lib/product.lib.php @@ -107,7 +107,7 @@ function product_prepare_head($object) $prodcomb = new ProductCombination($db); - if ($prodcomb->fetchByFkProductChild($object->id) == -1) + if ($prodcomb->getFkProductParentByFkProductChild($object->id) == -1) { $head[$h][0] = DOL_URL_ROOT."/variants/combinations.php?id=".$object->id; $head[$h][1] = $langs->trans('ProductCombinations'); From 3d926ff3a180b19c176dcdcfeced966891005374 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric?= <35066297+c3do@users.noreply.github.com> Date: Fri, 4 Sep 2020 11:38:40 +0200 Subject: [PATCH 003/151] use function getFkProductParentByFkProductChild --- htdocs/product/card.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/product/card.php b/htdocs/product/card.php index 32c50ccb661..bfb630f4eb9 100644 --- a/htdocs/product/card.php +++ b/htdocs/product/card.php @@ -1912,9 +1912,9 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) if (!empty($conf->variants->enabled) && ($object->isProduct() || $object->isService())) { $combination = new ProductCombination($db); - if ($combination->fetchByFkProductChild($object->id) > 0) { + if (($fk_product_parent = $combination->getFkProductParentByFkProductChild($object->id)) > 0) { $prodstatic = new Product($db); - $prodstatic->fetch($combination->fk_product_parent); + $prodstatic->fetch($fk_product_parent); // Parent product print ''.$langs->trans("ParentProduct").''; From 3a232796d8878d35e71b6f9d0f8412254a260363 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric?= <35066297+c3do@users.noreply.github.com> Date: Fri, 4 Sep 2020 11:43:56 +0200 Subject: [PATCH 004/151] Use new function fetchAllByFkProductChild --- htdocs/product/class/product.class.php | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php index 1fcb76a571d..7d91052ab87 100644 --- a/htdocs/product/class/product.class.php +++ b/htdocs/product/class/product.class.php @@ -1194,9 +1194,13 @@ class Product extends CommonObject } //We also check if it is a child product - if (!$error && ($prodcomb->fetchByFkProductChild($this->id) > 0) && ($prodcomb->delete($user) < 0)) { - $error++; - $this->errors[] = 'Error deleting child combination'; + if (!$error) { + foreach ($prodcomb->fetchAllByFkProductChild($this->id) as $obj) { + if ($obj->delete($user) < 0) { + $error++; + $this->errors[] = 'Error deleting child combination'; + } + } } } From 93959d34c8f4020529bf98c4442a4afc658281e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric?= <35066297+c3do@users.noreply.github.com> Date: Fri, 4 Sep 2020 12:01:01 +0200 Subject: [PATCH 005/151] NEW fields ref_ext for Attributes and Combinations --- htdocs/install/mysql/migration/12.0.0-13.0.0.sql | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/htdocs/install/mysql/migration/12.0.0-13.0.0.sql b/htdocs/install/mysql/migration/12.0.0-13.0.0.sql index 17b58f278cf..35f2e4e8a54 100644 --- a/htdocs/install/mysql/migration/12.0.0-13.0.0.sql +++ b/htdocs/install/mysql/migration/12.0.0-13.0.0.sql @@ -310,4 +310,8 @@ ALTER TABLE llx_actioncomm_reminder ADD INDEX idx_actioncomm_reminder_status (st ALTER TABLE llx_inventorydet ADD UNIQUE uk_inventorydet(fk_inventory, fk_warehouse, fk_product, batch); +ALTER TABLE llx_product_attribute ADD COLUMN ref_ext varchar(255) AFTER ref; +ALTER TABLE llx_product_attribute_combination ADD COLUMN variation_ref_ext varchar(255) AFTER variation_weight; +ALTER TABLE llx_product_attribute ADD COLUMN ref_ext varchar(255) AFTER ref; +ALTER TABLE llx_product_attribute_combination ADD COLUMN variation_ref_ext varchar(255) AFTER variation_weight; From b841a4354e04052040811c64599eba8e43784b59 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric?= <35066297+c3do@users.noreply.github.com> Date: Fri, 4 Sep 2020 12:06:09 +0200 Subject: [PATCH 006/151] NEW ref_ext for Attributes --- .../variants/class/ProductAttribute.class.php | 24 ++++++++++++------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/htdocs/variants/class/ProductAttribute.class.php b/htdocs/variants/class/ProductAttribute.class.php index 6e2335c2f99..d7fbbfefa8b 100644 --- a/htdocs/variants/class/ProductAttribute.class.php +++ b/htdocs/variants/class/ProductAttribute.class.php @@ -40,6 +40,12 @@ class ProductAttribute extends CommonObject * @var string */ public $ref; + + /** + * External ref of the product attribute + * @var string + */ + public $ref_ext; /** * Label of the product attribute @@ -79,8 +85,8 @@ class ProductAttribute extends CommonObject return -1; } - $sql = "SELECT rowid, ref, label, rang FROM ".MAIN_DB_PREFIX."product_attribute WHERE rowid = ".(int) $id." AND entity IN (".getEntity('product').")"; - + $sql = "SELECT rowid, ref, ref_ext, label, rang FROM ".MAIN_DB_PREFIX."product_attribute WHERE rowid = ".(int) $id." AND entity IN (".getEntity('product').")"; + $query = $this->db->query($sql); if (!$this->db->num_rows($query)) { @@ -91,6 +97,7 @@ class ProductAttribute extends CommonObject $this->id = $obj->rowid; $this->ref = $obj->ref; + $this->ref_ext = $obj->ref_ext; $this->label = $obj->label; $this->rang = $obj->rang; @@ -106,7 +113,7 @@ class ProductAttribute extends CommonObject { $return = array(); - $sql = 'SELECT rowid, ref, label, rang FROM '.MAIN_DB_PREFIX."product_attribute WHERE entity IN (".getEntity('product').')'; + $sql = 'SELECT rowid, ref, ref_ext, label, rang FROM '.MAIN_DB_PREFIX."product_attribute WHERE entity IN (".getEntity('product').')'; $sql .= $this->db->order('rang', 'asc'); $query = $this->db->query($sql); if ($query) @@ -115,6 +122,7 @@ class ProductAttribute extends CommonObject $tmp = new ProductAttribute($this->db); $tmp->id = $result->rowid; $tmp->ref = $result->ref; + $tmp->ref_ext = $result->ref_ext; $tmp->label = $result->label; $tmp->rang = $result->rang; @@ -147,9 +155,9 @@ class ProductAttribute extends CommonObject //Ref must be uppercase $this->ref = strtoupper($this->ref); - $sql = "INSERT INTO ".MAIN_DB_PREFIX."product_attribute (ref, label, entity, rang) - VALUES ('".$this->db->escape($this->ref)."', '".$this->db->escape($this->label)."', ".(int) $this->entity.", ".(int) $this->rang.")"; - + $sql = "INSERT INTO ".MAIN_DB_PREFIX."product_attribute (ref, ref_ext, label, entity, rang) + VALUES ('".$this->db->escape($this->ref)."', '".$this->db->escape($this->ref_ext)."', '".$this->db->escape($this->label)."', ".(int) $this->entity.", ".(int) $this->rang.")"; + $query = $this->db->query($sql); if ($query) { @@ -183,8 +191,8 @@ class ProductAttribute extends CommonObject $this->ref = trim(strtoupper($this->ref)); $this->label = trim($this->label); - $sql = "UPDATE ".MAIN_DB_PREFIX."product_attribute SET ref = '".$this->db->escape($this->ref)."', label = '".$this->db->escape($this->label)."', rang = ".(int) $this->rang." WHERE rowid = ".(int) $this->id; - + $sql = "UPDATE ".MAIN_DB_PREFIX."product_attribute SET ref = '".$this->db->escape($this->ref)."', ref_ext = '".$this->db->escape($this->ref_ext)."', label = '".$this->db->escape($this->label)."', rang = ".(int) $this->rang." WHERE rowid = ".(int) $this->id; + if ($this->db->query($sql)) { return 1; } From 8d6c19a4328740ee99185fc65530122ec4e9cade Mon Sep 17 00:00:00 2001 From: stickler-ci Date: Fri, 4 Sep 2020 10:10:37 +0000 Subject: [PATCH 007/151] Fixing style errors. --- htdocs/variants/class/ProductAttribute.class.php | 8 ++++---- htdocs/variants/class/ProductCombination.class.php | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/htdocs/variants/class/ProductAttribute.class.php b/htdocs/variants/class/ProductAttribute.class.php index d7fbbfefa8b..8ae9879e6ca 100644 --- a/htdocs/variants/class/ProductAttribute.class.php +++ b/htdocs/variants/class/ProductAttribute.class.php @@ -40,7 +40,7 @@ class ProductAttribute extends CommonObject * @var string */ public $ref; - + /** * External ref of the product attribute * @var string @@ -86,7 +86,7 @@ class ProductAttribute extends CommonObject } $sql = "SELECT rowid, ref, ref_ext, label, rang FROM ".MAIN_DB_PREFIX."product_attribute WHERE rowid = ".(int) $id." AND entity IN (".getEntity('product').")"; - + $query = $this->db->query($sql); if (!$this->db->num_rows($query)) { @@ -157,7 +157,7 @@ class ProductAttribute extends CommonObject $sql = "INSERT INTO ".MAIN_DB_PREFIX."product_attribute (ref, ref_ext, label, entity, rang) VALUES ('".$this->db->escape($this->ref)."', '".$this->db->escape($this->ref_ext)."', '".$this->db->escape($this->label)."', ".(int) $this->entity.", ".(int) $this->rang.")"; - + $query = $this->db->query($sql); if ($query) { @@ -192,7 +192,7 @@ class ProductAttribute extends CommonObject $this->label = trim($this->label); $sql = "UPDATE ".MAIN_DB_PREFIX."product_attribute SET ref = '".$this->db->escape($this->ref)."', ref_ext = '".$this->db->escape($this->ref_ext)."', label = '".$this->db->escape($this->label)."', rang = ".(int) $this->rang." WHERE rowid = ".(int) $this->id; - + if ($this->db->query($sql)) { return 1; } diff --git a/htdocs/variants/class/ProductCombination.class.php b/htdocs/variants/class/ProductCombination.class.php index a4faa6121a0..b65957d0a89 100644 --- a/htdocs/variants/class/ProductCombination.class.php +++ b/htdocs/variants/class/ProductCombination.class.php @@ -76,7 +76,7 @@ class ProductCombination * @var ProductCombinationLevel[] */ public $combination_price_levels; - + /** * External ref * @var string From 704b83c79a2384cb4e0a17f383ddecaefe504ad0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric?= <35066297+c3do@users.noreply.github.com> Date: Fri, 4 Sep 2020 12:24:57 +0200 Subject: [PATCH 008/151] Multiple fix and features NEW ref_ext for Attributes and Combinations Clean and improved results for ::getAttributeValues ::getAttributes ::getAttributesById ::getAttributesByRef FIX delete subproduct endpoint url --- htdocs/product/class/api_products.class.php | 163 ++++++++++++++++++-- 1 file changed, 153 insertions(+), 10 deletions(-) diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index f1b3e91617b..f2aeba7f171 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -455,7 +455,7 @@ class Products extends DolibarrApi * @throws RestException 401 * @throws RestException 404 * - * @url DELETE {id}/subproducts/remove + * @url DELETE {id}/subproducts/remove/{subproduct_id} */ public function delSubproducts($id, $subproduct_id) { @@ -878,21 +878,70 @@ class Products extends DolibarrApi /** * Get attributes. - * + * @param string $sortfield Sort field + * @param string $sortorder Sort order + * @param int $limit Limit for list + * @param int $page Page number + * @param string $sqlfilters Other criteria to filter answers separated by a comma. Syntax example "(t.ref:like:color)" * @return array * * @throws RestException * * @url GET attributes */ - public function getAttributes() + public function getAttributes($sortfield = "t.ref", $sortorder = 'ASC', $limit = 100, $page = 0, $sqlfilters = '') { if (!DolibarrApiAccess::$user->rights->produit->lire) { throw new RestException(401); } - $prodattr = new ProductAttribute($this->db); - return $prodattr->fetchAll(); + $sql = "SELECT t.rowid, t.ref, t.ref_ext, t.label, t.rang, t.entity"; + $sql .= " FROM ".MAIN_DB_PREFIX."product_attribute as t"; + $sql .= ' WHERE t.entity IN ('.getEntity('product_attribute').')'; + + // Add sql filters + if ($sqlfilters) { + if (!DolibarrApi::_checkFilters($sqlfilters)) { + throw new RestException(503, 'Error when validating parameter sqlfilters '.$sqlfilters); + } + $regexstring = '\(([^:\'\(\)]+:[^:\'\(\)]+:[^:\(\)]+)\)'; + $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; + } + + $sql .= $this->db->order($sortfield, $sortorder); + if ($limit) { + if ($page < 0) { + $page = 0; + } + $offset = $limit * $page; + + $sql .= $this->db->plimit($limit, $offset); + } + + $result = $this->db->query($sql); + + if (!$result) { + throw new RestException(503, 'Error when retrieve product list : '.$db->lasterror()); + } + + $return = []; + while ($result = $this->db->fetch_object($query)) { + $tmp = new stdClass(); + $tmp->id = $result->rowid; + $tmp->ref = $result->ref; + $tmp->ref_ext = $result->ref_ext; + $tmp->label = $result->label; + $tmp->rang = $result->rang; + $tmp->entity = $result->entity; + + $return[] = $tmp; + } + + if (!count($return)) { + throw new RestException(404, 'No product attribute found'); + } + + return $return; } /** @@ -920,6 +969,22 @@ class Products extends DolibarrApi throw new RestException(404, "Attribute not found"); } + $fields = ["id", "ref", "ref_ext", "label", "rang"]; + + foreach ($prodattr as $field => $value) { + if (!in_array($field, $fields)) { + unset($prodattr->{$field}); + } + } + + $sql = "SELECT COUNT(*) count FROM ".MAIN_DB_PREFIX."product_attribute_combination2val pac2v"; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_attribute_combination pac ON pac2v.fk_prod_combination = pac.rowid"; + $sql .= " WHERE pac2v.fk_prod_attr = ".(int) $prodattr->id." AND pac.entity IN (".getEntity('product').")"; + $query = $this->db->query($sql); + $result = $this->db->fetch_object($query); + + $prodattr->is_used_by_products = (bool) $result->count; + return $prodattr; } @@ -940,7 +1005,7 @@ class Products extends DolibarrApi throw new RestException(401); } - $sql = "SELECT rowid, ref, label, rang FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref LIKE '".trim($ref)."' AND entity IN (".getEntity('product').")"; + $sql = "SELECT rowid, ref, ref_ext, label, rang FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref LIKE '".trim($ref)."' AND entity IN (".getEntity('product').")"; $query = $this->db->query($sql); @@ -953,9 +1018,63 @@ class Products extends DolibarrApi $attr = []; $attr['id'] = $result->rowid; $attr['ref'] = $result->ref; + $attr['ref_ext'] = $result->ref_ext; $attr['label'] = $result->label; $attr['rang'] = $result->rang; + $sql = "SELECT COUNT(*) count FROM ".MAIN_DB_PREFIX."product_attribute_combination2val pac2v"; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_attribute_combination pac ON pac2v.fk_prod_combination = pac.rowid"; + $sql .= " WHERE pac2v.fk_prod_attr = ".(int) $result->rowid." AND pac.entity IN (".getEntity('product').")"; + $query = $this->db->query($sql); + $result = $this->db->fetch_object($query); + + $attr["is_used_by_products"] = (bool) $result->count; + + return $attr; + } + + /** + * Get attributes by ref_ext. + * + * @param string $ref_ext External reference of Attribute + * @return array + * + * @throws RestException 500 + * @throws RestException 401 + * + * @url GET attributes/ref_ext/{ref_ext} + */ + public function getAttributesByRefExt($ref_ext) + { + if (!DolibarrApiAccess::$user->rights->produit->lire) { + throw new RestException(401); + } + + $sql = "SELECT rowid, ref, ref_ext, label, rang FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref_ext LIKE '".trim($ref_ext)."' AND entity IN (".getEntity('product').")"; + + $query = $this->db->query($sql); + + if (!$this->db->num_rows($query)) { + throw new RestException(404); + } + + $result = $this->db->fetch_object($query); + + $attr = []; + $attr['id'] = $result->rowid; + $attr['ref'] = $result->ref; + $attr['ref_ext'] = $result->ref_ext; + $attr['label'] = $result->label; + $attr['rang'] = $result->rang; + + $sql = "SELECT COUNT(*) count FROM ".MAIN_DB_PREFIX."product_attribute_combination2val pac2v"; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_attribute_combination pac ON pac2v.fk_prod_combination = pac.rowid"; + $sql .= " WHERE pac2v.fk_prod_attr = ".(int) $result->rowid." AND pac.entity IN (".getEntity('product').")"; + $query = $this->db->query($sql); + $result = $this->db->fetch_object($query); + + $attr["is_used_by_products"] = (bool) $result->count; + return $attr; } @@ -964,6 +1083,7 @@ class Products extends DolibarrApi * * @param string $ref Reference of Attribute * @param string $label Label of Attribute + * @param string $ref_ext Reference of Attribute * @return int * * @throws RestException 500 @@ -971,7 +1091,7 @@ class Products extends DolibarrApi * * @url POST attributes */ - public function addAttributes($ref, $label) + public function addAttributes($ref, $label, $ref_ext = '') { if (!DolibarrApiAccess::$user->rights->produit->creer) { throw new RestException(401); @@ -980,6 +1100,7 @@ class Products extends DolibarrApi $prodattr = new ProductAttribute($this->db); $prodattr->label = $label; $prodattr->ref = $ref; + $prodattr->ref_ext = $ref_ext; $resid = $prodattr->create(DolibarrApiAccess::$user); if ($resid <= 0) { @@ -1202,7 +1323,22 @@ class Products extends DolibarrApi } $objectval = new ProductAttributeValue($this->db); - return $objectval->fetchAllByProductAttribute((int) $id); + + $return = []; + foreach ($objectval->fetchAllByProductAttribute((int) $id) as $result) { + $tmp = new stdClass(); + $tmp->fk_product_attribute = (int) $result->fk_product_attribute; + $tmp->id = (int) $result->id; + $tmp->ref = $result->ref; + $tmp->value = $result->value; + $return[] = $tmp; + } + + if (count($return) == 0) { + throw new RestException(404, 'Attribute values not found'); + } + + return $return; } /** @@ -1420,6 +1556,7 @@ class Products extends DolibarrApi * @param bool $price_impact_is_percent Price impact in percent (true or false) * @param array $features List of attributes pairs id_attribute->id_value. Example: array(id_color=>id_Blue, id_size=>id_small, id_option=>id_val_a, ...) * @param bool|string $reference Customized reference of variant + * @param string $ref_ext External reference of variant * @return int * * @throws RestException 500 @@ -1428,7 +1565,7 @@ class Products extends DolibarrApi * * @url POST {id}/variants */ - public function addVariant($id, $weight_impact, $price_impact, $price_impact_is_percent, $features, $reference = false) + public function addVariant($id, $weight_impact, $price_impact, $price_impact_is_percent, $features, $reference = false, $ref_ext = '') { if (!DolibarrApiAccess::$user->rights->produit->creer) { throw new RestException(401); @@ -1459,7 +1596,7 @@ class Products extends DolibarrApi $prodcomb = new ProductCombination($this->db); - $result = $prodcomb->createProductCombination(DolibarrApiAccess::$user, $this->product, $features, array(), $price_impact_is_percent, $price_impact, $weight_impact, $reference); + $result = $prodcomb->createProductCombination(DolibarrApiAccess::$user, $this->product, $features, array(), $price_impact_is_percent, $price_impact, $weight_impact, $reference, $ref_ext); if ($result > 0) { return $result; @@ -1678,6 +1815,12 @@ class Products extends DolibarrApi throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login); } + $prodcomb = new ProductCombination($this->db); + $this->product->fk_product_parent = null; + if (($fk_product_parent = $prodcomb->getFkProductParentByFkProductChild($this->product->id)) > 0) { + $this->product->fk_product_parent = $fk_product_parent; + } + if ($includestockdata) { $this->product->load_stock(); From e5633e07a28ede6d83b594a1693c6a096832b3ea Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 4 Sep 2020 12:28:47 +0200 Subject: [PATCH 009/151] Update api_products.class.php --- htdocs/product/class/api_products.class.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index f2aeba7f171..9868835414a 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -445,8 +445,7 @@ class Products extends DolibarrApi /** * Remove subproduct. - * - * Unlink a product/service from a parent product/service + * Unlink a product/service from a parent product/service * * @param int $id Id of parent product/service * @param int $subproduct_id Id of child product/service From b329a9d8863ab96aa0b750725634b20f7f010f00 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 4 Sep 2020 12:45:09 +0200 Subject: [PATCH 010/151] Update api_products.class.php --- htdocs/product/class/api_products.class.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index 9868835414a..1fda9bf3a22 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -877,6 +877,7 @@ class Products extends DolibarrApi /** * Get attributes. + * * @param string $sortfield Sort field * @param string $sortorder Sort order * @param int $limit Limit for list @@ -920,12 +921,12 @@ class Products extends DolibarrApi $result = $this->db->query($sql); if (!$result) { - throw new RestException(503, 'Error when retrieve product list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve product attribute list : '.$db->lasterror()); } $return = []; while ($result = $this->db->fetch_object($query)) { - $tmp = new stdClass(); + $tmp = new ProductAttribute($this->db); $tmp->id = $result->rowid; $tmp->ref = $result->ref; $tmp->ref_ext = $result->ref_ext; From 8ca08de5e6c7b04db2364b81cdc44ddc830cca7a Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 4 Sep 2020 12:51:44 +0200 Subject: [PATCH 011/151] Debug --- htdocs/product/class/api_products.class.php | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index 1fda9bf3a22..d903f8f7698 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -897,7 +897,7 @@ class Products extends DolibarrApi $sql = "SELECT t.rowid, t.ref, t.ref_ext, t.label, t.rang, t.entity"; $sql .= " FROM ".MAIN_DB_PREFIX."product_attribute as t"; - $sql .= ' WHERE t.entity IN ('.getEntity('product_attribute').')'; + $sql .= ' WHERE t.entity IN ('.getEntity('product').')'; // Add sql filters if ($sqlfilters) { @@ -966,10 +966,10 @@ class Products extends DolibarrApi $result = $prodattr->fetch((int) $id); if ($result < 0) { - throw new RestException(404, "Attribute not found"); + throw new RestException(404, "Product attribute not found"); } - $fields = ["id", "ref", "ref_ext", "label", "rang"]; + $fields = ["id", "ref", "ref_ext", "label", "rang", "entity"]; foreach ($prodattr as $field => $value) { if (!in_array($field, $fields)) { @@ -977,13 +977,13 @@ class Products extends DolibarrApi } } - $sql = "SELECT COUNT(*) count FROM ".MAIN_DB_PREFIX."product_attribute_combination2val pac2v"; - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_attribute_combination pac ON pac2v.fk_prod_combination = pac.rowid"; - $sql .= " WHERE pac2v.fk_prod_attr = ".(int) $prodattr->id." AND pac.entity IN (".getEntity('product').")"; - $query = $this->db->query($sql); - $result = $this->db->fetch_object($query); - - $prodattr->is_used_by_products = (bool) $result->count; + $sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination2val as pac2v"; + $sql .= " JOIN ".MAIN_DB_PREFIX."product_attribute_combination as pac ON pac2v.fk_prod_combination = pac.rowid"; + $sql .= " WHERE pac2v.fk_prod_attr = ".((int) $prodattr->id)." AND pac.entity IN (".getEntity('product').")"; + + $resql = $this->db->query($sql); + $obj = $this->db->fetch_object($resql); + $prodattr->is_used_by_products = (int) $obj->nb; return $prodattr; } From 8026ee15dfdcfddcfa283370df71d76718439fee Mon Sep 17 00:00:00 2001 From: stickler-ci Date: Fri, 4 Sep 2020 10:52:55 +0000 Subject: [PATCH 012/151] Fixing style errors. --- htdocs/product/class/api_products.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index d903f8f7698..bd18fb3dfb4 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -980,7 +980,7 @@ class Products extends DolibarrApi $sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination2val as pac2v"; $sql .= " JOIN ".MAIN_DB_PREFIX."product_attribute_combination as pac ON pac2v.fk_prod_combination = pac.rowid"; $sql .= " WHERE pac2v.fk_prod_attr = ".((int) $prodattr->id)." AND pac.entity IN (".getEntity('product').")"; - + $resql = $this->db->query($sql); $obj = $this->db->fetch_object($resql); $prodattr->is_used_by_products = (int) $obj->nb; From 606217fefcdae69372589b0ce104ea31347f0276 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 4 Sep 2020 12:54:23 +0200 Subject: [PATCH 013/151] Debug --- htdocs/product/class/api_products.class.php | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index bd18fb3dfb4..15d6237339b 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -980,7 +980,7 @@ class Products extends DolibarrApi $sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination2val as pac2v"; $sql .= " JOIN ".MAIN_DB_PREFIX."product_attribute_combination as pac ON pac2v.fk_prod_combination = pac.rowid"; $sql .= " WHERE pac2v.fk_prod_attr = ".((int) $prodattr->id)." AND pac.entity IN (".getEntity('product').")"; - + $resql = $this->db->query($sql); $obj = $this->db->fetch_object($resql); $prodattr->is_used_by_products = (int) $obj->nb; @@ -1005,7 +1005,7 @@ class Products extends DolibarrApi throw new RestException(401); } - $sql = "SELECT rowid, ref, ref_ext, label, rang FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref LIKE '".trim($ref)."' AND entity IN (".getEntity('product').")"; + $sql = "SELECT rowid, ref, ref_ext, label, rang, entity FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref LIKE '".trim($ref)."' AND entity IN (".getEntity('product').")"; $query = $this->db->query($sql); @@ -1021,14 +1021,16 @@ class Products extends DolibarrApi $attr['ref_ext'] = $result->ref_ext; $attr['label'] = $result->label; $attr['rang'] = $result->rang; + $attr['entity'] = $result->entity; - $sql = "SELECT COUNT(*) count FROM ".MAIN_DB_PREFIX."product_attribute_combination2val pac2v"; - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_attribute_combination pac ON pac2v.fk_prod_combination = pac.rowid"; - $sql .= " WHERE pac2v.fk_prod_attr = ".(int) $result->rowid." AND pac.entity IN (".getEntity('product').")"; - $query = $this->db->query($sql); - $result = $this->db->fetch_object($query); + $sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination2val as pac2v"; + $sql .= " JOIN ".MAIN_DB_PREFIX."product_attribute_combination as pac ON pac2v.fk_prod_combination = pac.rowid"; + $sql .= " WHERE pac2v.fk_prod_attr = ".((int) $result->rowid)." AND pac.entity IN (".getEntity('product').")"; + + $resql = $this->db->query($sql); + $obj = $this->db->fetch_object($resql); - $attr["is_used_by_products"] = (bool) $result->count; + $attr["is_used_by_products"] = (int) $obj->nb; return $attr; } From 334224cd2d19e77f96c0f9b0a18d99cf6d10ccdf Mon Sep 17 00:00:00 2001 From: stickler-ci Date: Fri, 4 Sep 2020 10:55:34 +0000 Subject: [PATCH 014/151] Fixing style errors. --- htdocs/product/class/api_products.class.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index 15d6237339b..3a97c798eca 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -980,7 +980,7 @@ class Products extends DolibarrApi $sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination2val as pac2v"; $sql .= " JOIN ".MAIN_DB_PREFIX."product_attribute_combination as pac ON pac2v.fk_prod_combination = pac.rowid"; $sql .= " WHERE pac2v.fk_prod_attr = ".((int) $prodattr->id)." AND pac.entity IN (".getEntity('product').")"; - + $resql = $this->db->query($sql); $obj = $this->db->fetch_object($resql); $prodattr->is_used_by_products = (int) $obj->nb; @@ -1026,7 +1026,7 @@ class Products extends DolibarrApi $sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination2val as pac2v"; $sql .= " JOIN ".MAIN_DB_PREFIX."product_attribute_combination as pac ON pac2v.fk_prod_combination = pac.rowid"; $sql .= " WHERE pac2v.fk_prod_attr = ".((int) $result->rowid)." AND pac.entity IN (".getEntity('product').")"; - + $resql = $this->db->query($sql); $obj = $this->db->fetch_object($resql); From a6f6db6b545a785d3526647c2a3a728729d295de Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 4 Sep 2020 12:56:06 +0200 Subject: [PATCH 015/151] Update api_products.class.php --- htdocs/product/class/api_products.class.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index 3a97c798eca..f66db145902 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -934,7 +934,7 @@ class Products extends DolibarrApi $tmp->rang = $result->rang; $tmp->entity = $result->entity; - $return[] = $tmp; + $return[] = $this->_cleanObjectDatas($tmp); } if (!count($return)) { @@ -980,7 +980,7 @@ class Products extends DolibarrApi $sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination2val as pac2v"; $sql .= " JOIN ".MAIN_DB_PREFIX."product_attribute_combination as pac ON pac2v.fk_prod_combination = pac.rowid"; $sql .= " WHERE pac2v.fk_prod_attr = ".((int) $prodattr->id)." AND pac.entity IN (".getEntity('product').")"; - + $resql = $this->db->query($sql); $obj = $this->db->fetch_object($resql); $prodattr->is_used_by_products = (int) $obj->nb; @@ -1026,7 +1026,7 @@ class Products extends DolibarrApi $sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination2val as pac2v"; $sql .= " JOIN ".MAIN_DB_PREFIX."product_attribute_combination as pac ON pac2v.fk_prod_combination = pac.rowid"; $sql .= " WHERE pac2v.fk_prod_attr = ".((int) $result->rowid)." AND pac.entity IN (".getEntity('product').")"; - + $resql = $this->db->query($sql); $obj = $this->db->fetch_object($resql); From d6bf70300af75ae016551d5279b3cbe24f918360 Mon Sep 17 00:00:00 2001 From: stickler-ci Date: Fri, 4 Sep 2020 10:57:21 +0000 Subject: [PATCH 016/151] Fixing style errors. --- htdocs/product/class/api_products.class.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index f66db145902..151f95a84a6 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -980,7 +980,7 @@ class Products extends DolibarrApi $sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination2val as pac2v"; $sql .= " JOIN ".MAIN_DB_PREFIX."product_attribute_combination as pac ON pac2v.fk_prod_combination = pac.rowid"; $sql .= " WHERE pac2v.fk_prod_attr = ".((int) $prodattr->id)." AND pac.entity IN (".getEntity('product').")"; - + $resql = $this->db->query($sql); $obj = $this->db->fetch_object($resql); $prodattr->is_used_by_products = (int) $obj->nb; @@ -1026,7 +1026,7 @@ class Products extends DolibarrApi $sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination2val as pac2v"; $sql .= " JOIN ".MAIN_DB_PREFIX."product_attribute_combination as pac ON pac2v.fk_prod_combination = pac.rowid"; $sql .= " WHERE pac2v.fk_prod_attr = ".((int) $result->rowid)." AND pac.entity IN (".getEntity('product').")"; - + $resql = $this->db->query($sql); $obj = $this->db->fetch_object($resql); From a93cbafe588572aca4a49e6340467dea4139bc30 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 4 Sep 2020 12:58:30 +0200 Subject: [PATCH 017/151] Update api_products.class.php --- htdocs/product/class/api_products.class.php | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index 151f95a84a6..ee02aea99ac 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -980,7 +980,7 @@ class Products extends DolibarrApi $sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination2val as pac2v"; $sql .= " JOIN ".MAIN_DB_PREFIX."product_attribute_combination as pac ON pac2v.fk_prod_combination = pac.rowid"; $sql .= " WHERE pac2v.fk_prod_attr = ".((int) $prodattr->id)." AND pac.entity IN (".getEntity('product').")"; - + $resql = $this->db->query($sql); $obj = $this->db->fetch_object($resql); $prodattr->is_used_by_products = (int) $obj->nb; @@ -1026,7 +1026,7 @@ class Products extends DolibarrApi $sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination2val as pac2v"; $sql .= " JOIN ".MAIN_DB_PREFIX."product_attribute_combination as pac ON pac2v.fk_prod_combination = pac.rowid"; $sql .= " WHERE pac2v.fk_prod_attr = ".((int) $result->rowid)." AND pac.entity IN (".getEntity('product').")"; - + $resql = $this->db->query($sql); $obj = $this->db->fetch_object($resql); @@ -1052,7 +1052,7 @@ class Products extends DolibarrApi throw new RestException(401); } - $sql = "SELECT rowid, ref, ref_ext, label, rang FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref_ext LIKE '".trim($ref_ext)."' AND entity IN (".getEntity('product').")"; + $sql = "SELECT rowid, ref, ref_ext, label, rang, entity FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref_ext LIKE '".trim($ref_ext)."' AND entity IN (".getEntity('product').")"; $query = $this->db->query($sql); @@ -1068,14 +1068,15 @@ class Products extends DolibarrApi $attr['ref_ext'] = $result->ref_ext; $attr['label'] = $result->label; $attr['rang'] = $result->rang; + $attr['entity'] = $result->entity; - $sql = "SELECT COUNT(*) count FROM ".MAIN_DB_PREFIX."product_attribute_combination2val pac2v"; - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_attribute_combination pac ON pac2v.fk_prod_combination = pac.rowid"; - $sql .= " WHERE pac2v.fk_prod_attr = ".(int) $result->rowid." AND pac.entity IN (".getEntity('product').")"; - $query = $this->db->query($sql); - $result = $this->db->fetch_object($query); - - $attr["is_used_by_products"] = (bool) $result->count; + $sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination2val as pac2v"; + $sql .= " JOIN ".MAIN_DB_PREFIX."product_attribute_combination as pac ON pac2v.fk_prod_combination = pac.rowid"; + $sql .= " WHERE pac2v.fk_prod_attr = ".((int) $result->rowid)." AND pac.entity IN (".getEntity('product').")"; + + $resql = $this->db->query($sql); + $obj = $this->db->fetch_object($resql); + $attr["is_used_by_products"] = (int) $obj->nb; return $attr; } From 962bb0c698e36ae1fcceaddc1a97dde324872f2d Mon Sep 17 00:00:00 2001 From: stickler-ci Date: Fri, 4 Sep 2020 10:59:38 +0000 Subject: [PATCH 018/151] Fixing style errors. --- htdocs/product/class/api_products.class.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index ee02aea99ac..b4b4715ac11 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -980,7 +980,7 @@ class Products extends DolibarrApi $sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination2val as pac2v"; $sql .= " JOIN ".MAIN_DB_PREFIX."product_attribute_combination as pac ON pac2v.fk_prod_combination = pac.rowid"; $sql .= " WHERE pac2v.fk_prod_attr = ".((int) $prodattr->id)." AND pac.entity IN (".getEntity('product').")"; - + $resql = $this->db->query($sql); $obj = $this->db->fetch_object($resql); $prodattr->is_used_by_products = (int) $obj->nb; @@ -1026,7 +1026,7 @@ class Products extends DolibarrApi $sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination2val as pac2v"; $sql .= " JOIN ".MAIN_DB_PREFIX."product_attribute_combination as pac ON pac2v.fk_prod_combination = pac.rowid"; $sql .= " WHERE pac2v.fk_prod_attr = ".((int) $result->rowid)." AND pac.entity IN (".getEntity('product').")"; - + $resql = $this->db->query($sql); $obj = $this->db->fetch_object($resql); @@ -1073,7 +1073,7 @@ class Products extends DolibarrApi $sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination2val as pac2v"; $sql .= " JOIN ".MAIN_DB_PREFIX."product_attribute_combination as pac ON pac2v.fk_prod_combination = pac.rowid"; $sql .= " WHERE pac2v.fk_prod_attr = ".((int) $result->rowid)." AND pac.entity IN (".getEntity('product').")"; - + $resql = $this->db->query($sql); $obj = $this->db->fetch_object($resql); $attr["is_used_by_products"] = (int) $obj->nb; From a98c5b9841fb42b1bb81c1e869e2dc1dfd21cb1e Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 4 Sep 2020 13:05:30 +0200 Subject: [PATCH 019/151] Update api_products.class.php --- htdocs/product/class/api_products.class.php | 22 +++++++++------------ 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index b4b4715ac11..a4726405669 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -1327,20 +1327,16 @@ class Products extends DolibarrApi $objectval = new ProductAttributeValue($this->db); - $return = []; - foreach ($objectval->fetchAllByProductAttribute((int) $id) as $result) { - $tmp = new stdClass(); - $tmp->fk_product_attribute = (int) $result->fk_product_attribute; - $tmp->id = (int) $result->id; - $tmp->ref = $result->ref; - $tmp->value = $result->value; - $return[] = $tmp; - } - + $return = $objectval->fetchAllByProductAttribute((int) $id); + if (count($return) == 0) { throw new RestException(404, 'Attribute values not found'); } + foreach ($return as $key => $val) { + $return[$key] = $this->_cleanObjectDatas($return[$key]); + } + return $return; } @@ -1363,8 +1359,8 @@ class Products extends DolibarrApi $return = array(); $sql = 'SELECT '; - $sql .= 'v.fk_product_attribute, v.rowid, v.ref, v.value FROM '.MAIN_DB_PREFIX.'product_attribute_value v '; - $sql .= "WHERE v.fk_product_attribute = ( SELECT rowid FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref LIKE '".strtoupper(trim($ref))."' LIMIT 1)"; + $sql .= 'v.fk_product_attribute, v.rowid, v.ref, v.value FROM '.MAIN_DB_PREFIX.'product_attribute_value as v'; + $sql .= " WHERE v.fk_product_attribute = (SELECT rowid FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref LIKE '".strtoupper(trim($ref))."' LIMIT 1)"; $query = $this->db->query($sql); @@ -1375,7 +1371,7 @@ class Products extends DolibarrApi $tmp->ref = $result->ref; $tmp->value = $result->value; - $return[] = $tmp; + $return[] = $this->_cleanObjectDatas($tmp); } return $return; From 52c057b9dd8068277e6ecb7a6d224e3955333730 Mon Sep 17 00:00:00 2001 From: stickler-ci Date: Fri, 4 Sep 2020 11:06:43 +0000 Subject: [PATCH 020/151] Fixing style errors. --- htdocs/product/class/api_products.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index a4726405669..d27ac9ad836 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -1328,7 +1328,7 @@ class Products extends DolibarrApi $objectval = new ProductAttributeValue($this->db); $return = $objectval->fetchAllByProductAttribute((int) $id); - + if (count($return) == 0) { throw new RestException(404, 'Attribute values not found'); } From 9cafd3b97f28d33ce3b2fdc660e98b04f08f6ab0 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 4 Sep 2020 13:10:30 +0200 Subject: [PATCH 021/151] Update api_products.class.php --- htdocs/product/class/api_products.class.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index d27ac9ad836..d5255bfa57f 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -1360,11 +1360,11 @@ class Products extends DolibarrApi $sql = 'SELECT '; $sql .= 'v.fk_product_attribute, v.rowid, v.ref, v.value FROM '.MAIN_DB_PREFIX.'product_attribute_value as v'; - $sql .= " WHERE v.fk_product_attribute = (SELECT rowid FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref LIKE '".strtoupper(trim($ref))."' LIMIT 1)"; + $sql .= " WHERE v.fk_product_attribute IN (SELECT rowid FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref LIKE '".trim($ref)."')"; - $query = $this->db->query($sql); + $resql = $this->db->query($sql); - while ($result = $this->db->fetch_object($query)) { + while ($result = $this->db->fetch_object($resql)) { $tmp = new ProductAttributeValue($this->db); $tmp->fk_product_attribute = $result->fk_product_attribute; $tmp->id = $result->rowid; From 8e2001a09bd222af87c8369f963e72bc5c6ee909 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 4 Sep 2020 13:20:03 +0200 Subject: [PATCH 022/151] Update api_products.class.php --- htdocs/product/class/api_products.class.php | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index d5255bfa57f..9721cd4a3c6 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -1787,13 +1787,14 @@ class Products extends DolibarrApi * @param string $barcode Barcode of element * @param int $includestockdata Load also information about stock (slower) * @param bool $includesubproducts Load information about subproducts + * @param bool $includeparentid Load also ID of parent product if product is a variant * @return array|mixed Data without useless information * * @throws RestException 401 * @throws RestException 403 * @throws RestException 404 */ - private function _fetch($id, $ref = '', $ref_ext = '', $barcode = '', $includestockdata = 0, $includesubproducts = false) + private function _fetch($id, $ref = '', $ref_ext = '', $barcode = '', $includestockdata = 0, $includesubproducts = false, $includeparentid = false) { if (empty($id) && empty($ref) && empty($ref_ext) && empty($barcode)) { throw new RestException(400, 'bad value for parameter id, ref, ref_ext or barcode'); @@ -1814,12 +1815,6 @@ class Products extends DolibarrApi throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login); } - $prodcomb = new ProductCombination($this->db); - $this->product->fk_product_parent = null; - if (($fk_product_parent = $prodcomb->getFkProductParentByFkProductChild($this->product->id)) > 0) { - $this->product->fk_product_parent = $fk_product_parent; - } - if ($includestockdata) { $this->product->load_stock(); @@ -1846,6 +1841,14 @@ class Products extends DolibarrApi $this->product->sousprods = $childs; } + if ($includeparentid) { + $prodcomb = new ProductCombination($this->db); + $this->product->fk_product_parent = null; + if (($fk_product_parent = $prodcomb->getFkProductParentByFkProductChild($this->product->id)) > 0) { + $this->product->fk_product_parent = $fk_product_parent; + } + } + return $this->_cleanObjectDatas($this->product); } } From 35c0bc81e2855f6fe5c22fcd9e0ecce8c38ff755 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 4 Sep 2020 13:21:10 +0200 Subject: [PATCH 023/151] Update api_products.class.php --- htdocs/product/class/api_products.class.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index 9721cd4a3c6..bd0270162cb 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -1786,8 +1786,8 @@ class Products extends DolibarrApi * @param string $ref_ext Ref ext of element * @param string $barcode Barcode of element * @param int $includestockdata Load also information about stock (slower) - * @param bool $includesubproducts Load information about subproducts - * @param bool $includeparentid Load also ID of parent product if product is a variant + * @param bool $includesubproducts Load information about subproducts (if product is a virtual product) + * @param bool $includeparentid Load also ID of parent product (if product is a variant of a parent product) * @return array|mixed Data without useless information * * @throws RestException 401 From d743cb6ac25dc6cf7fb4103c28cdb1ee6a147008 Mon Sep 17 00:00:00 2001 From: stickler-ci Date: Fri, 4 Sep 2020 11:22:22 +0000 Subject: [PATCH 024/151] Fixing style errors. --- htdocs/product/class/api_products.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index bd0270162cb..4163357c78e 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -1848,7 +1848,7 @@ class Products extends DolibarrApi $this->product->fk_product_parent = $fk_product_parent; } } - + return $this->_cleanObjectDatas($this->product); } } From 4383f1d00c0188f1eb53a2ae2a9183475e110400 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 4 Sep 2020 13:50:22 +0200 Subject: [PATCH 025/151] Update ProductCombination.class.php --- htdocs/variants/class/ProductCombination.class.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/htdocs/variants/class/ProductCombination.class.php b/htdocs/variants/class/ProductCombination.class.php index b65957d0a89..a449ca5d237 100644 --- a/htdocs/variants/class/ProductCombination.class.php +++ b/htdocs/variants/class/ProductCombination.class.php @@ -234,10 +234,10 @@ class ProductCombination } /** - * Get fk_product_parent by fk_product_child + * Return the product id of the parent product of a variant product (Get fk_product_parent by fk_product_child) * - * @param int $fk_child Product row id - * @return int >0 OK <0 KO + * @param int $fk_child Product row id + * @return int >0 if OK, 0 if product is not a variant, <0 if KO */ public function getFkProductParentByFkProductChild($fk_child) { @@ -251,7 +251,7 @@ class ProductCombination } if (!$this->db->num_rows($query)) { - return -1; + return 0; } $row = $this->db->fetch_object($query); From 0a09284b8fbaa1c9608a485f1b497acdffedd582 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric?= <35066297+c3do@users.noreply.github.com> Date: Fri, 4 Sep 2020 21:32:12 +0200 Subject: [PATCH 026/151] FIX one time is enough --- htdocs/install/mysql/migration/12.0.0-13.0.0.sql | 3 --- 1 file changed, 3 deletions(-) diff --git a/htdocs/install/mysql/migration/12.0.0-13.0.0.sql b/htdocs/install/mysql/migration/12.0.0-13.0.0.sql index 35f2e4e8a54..7dfccac5beb 100644 --- a/htdocs/install/mysql/migration/12.0.0-13.0.0.sql +++ b/htdocs/install/mysql/migration/12.0.0-13.0.0.sql @@ -312,6 +312,3 @@ ALTER TABLE llx_inventorydet ADD UNIQUE uk_inventorydet(fk_inventory, fk_warehou ALTER TABLE llx_product_attribute ADD COLUMN ref_ext varchar(255) AFTER ref; ALTER TABLE llx_product_attribute_combination ADD COLUMN variation_ref_ext varchar(255) AFTER variation_weight; - -ALTER TABLE llx_product_attribute ADD COLUMN ref_ext varchar(255) AFTER ref; -ALTER TABLE llx_product_attribute_combination ADD COLUMN variation_ref_ext varchar(255) AFTER variation_weight; From 76a5a42191385172107d35b0c9ac9d79846093cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric?= <35066297+c3do@users.noreply.github.com> Date: Fri, 4 Sep 2020 23:07:10 +0200 Subject: [PATCH 027/151] Update llx_product_attribute.sql --- htdocs/install/mysql/tables/llx_product_attribute.sql | 1 + 1 file changed, 1 insertion(+) diff --git a/htdocs/install/mysql/tables/llx_product_attribute.sql b/htdocs/install/mysql/tables/llx_product_attribute.sql index f7ebee3cc23..7e00b14d17a 100644 --- a/htdocs/install/mysql/tables/llx_product_attribute.sql +++ b/htdocs/install/mysql/tables/llx_product_attribute.sql @@ -20,6 +20,7 @@ CREATE TABLE llx_product_attribute ( rowid INT PRIMARY KEY NOT NULL AUTO_INCREMENT, ref VARCHAR(255) NOT NULL, + ref_ext varchar(255) DEFAULT NULL, label VARCHAR(255) NOT NULL, rang INT DEFAULT 0 NOT NULL, entity INT DEFAULT 1 NOT NULL From 806cfa84e258d509673140d36a05e66afad74084 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric?= <35066297+c3do@users.noreply.github.com> Date: Fri, 4 Sep 2020 23:08:02 +0200 Subject: [PATCH 028/151] Update llx_product_attribute_combination.sql --- .../install/mysql/tables/llx_product_attribute_combination.sql | 1 + 1 file changed, 1 insertion(+) diff --git a/htdocs/install/mysql/tables/llx_product_attribute_combination.sql b/htdocs/install/mysql/tables/llx_product_attribute_combination.sql index a00b4009c72..afbb9bcec65 100644 --- a/htdocs/install/mysql/tables/llx_product_attribute_combination.sql +++ b/htdocs/install/mysql/tables/llx_product_attribute_combination.sql @@ -25,5 +25,6 @@ CREATE TABLE llx_product_attribute_combination variation_price DOUBLE(24,8) NOT NULL, variation_price_percentage INTEGER NULL, variation_weight REAL NOT NULL, + ref_ext varchar(255) DEFAULT NULL, entity INTEGER DEFAULT 1 NOT NULL )ENGINE=innodb; From af910135061136e0987a72fdde21d2aa67e04d45 Mon Sep 17 00:00:00 2001 From: stickler-ci Date: Sun, 6 Sep 2020 15:52:02 +0000 Subject: [PATCH 029/151] Fixing style errors. --- .../class/ProductCombination.class.php | 104 +++++++++--------- 1 file changed, 52 insertions(+), 52 deletions(-) diff --git a/htdocs/variants/class/ProductCombination.class.php b/htdocs/variants/class/ProductCombination.class.php index e9e71b41c4a..cdf8e470a00 100644 --- a/htdocs/variants/class/ProductCombination.class.php +++ b/htdocs/variants/class/ProductCombination.class.php @@ -233,72 +233,72 @@ class ProductCombination } } - /** - * Return the product id of the parent product of a variant product (Get fk_product_parent by fk_product_child) - * - * @param int $fk_child Product row id - * @return int >0 if OK, 0 if product is not a variant, <0 if KO - */ - public function getFkProductParentByFkProductChild($fk_child) - { - $sql = "SELECT fk_product_parent FROM ".MAIN_DB_PREFIX."product_attribute_combination"; - $sql .= " WHERE fk_product_child = ".(int) $fk_child." AND entity IN (".getEntity('product').") LIMIT 1"; + /** + * Return the product id of the parent product of a variant product (Get fk_product_parent by fk_product_child) + * + * @param int $fk_child Product row id + * @return int >0 if OK, 0 if product is not a variant, <0 if KO + */ + public function getFkProductParentByFkProductChild($fk_child) + { + $sql = "SELECT fk_product_parent FROM ".MAIN_DB_PREFIX."product_attribute_combination"; + $sql .= " WHERE fk_product_child = ".(int) $fk_child." AND entity IN (".getEntity('product').") LIMIT 1"; - $query = $this->db->query($sql); + $query = $this->db->query($sql); - if (!$query) { - return -1; - } + if (!$query) { + return -1; + } - if (!$this->db->num_rows($query)) { - return 0; - } + if (!$this->db->num_rows($query)) { + return 0; + } - $row = $this->db->fetch_object($query); + $row = $this->db->fetch_object($query); - return (int) $row->fk_product_parent; - } + return (int) $row->fk_product_parent; + } - /** - * Retrieves all product combinations by the child product row id - * - * @param int $fk_child Product row id - * @param int $donotloadpricelevel Avoid loading price impact for each level. If PRODUIT_MULTIPRICES is not set, this has no effect. - * @return int|ProductCombination[] <0 KO - */ - public function fetchAllByFkProductChild($fk_child, $donotloadpricelevel = 0) - { - global $conf; + /** + * Retrieves all product combinations by the child product row id + * + * @param int $fk_child Product row id + * @param int $donotloadpricelevel Avoid loading price impact for each level. If PRODUIT_MULTIPRICES is not set, this has no effect. + * @return int|ProductCombination[] <0 KO + */ + public function fetchAllByFkProductChild($fk_child, $donotloadpricelevel = 0) + { + global $conf; - $sql = "SELECT rowid, fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight, variation_ref_ext FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE fk_product_child = ".(int) $fk_child." AND entity IN (".getEntity('product').")"; + $sql = "SELECT rowid, fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight, variation_ref_ext FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE fk_product_child = ".(int) $fk_child." AND entity IN (".getEntity('product').")"; - $query = $this->db->query($sql); + $query = $this->db->query($sql); - if (!$query) { - return -1; - } + if (!$query) { + return -1; + } - $return = array(); + $return = array(); - while ($result = $this->db->fetch_object($query)) { - $tmp = new ProductCombination($this->db); - $tmp->id = $result->rowid; - $tmp->fk_product_parent = $result->fk_product_parent; - $tmp->fk_product_child = $result->fk_product_child; - $tmp->variation_price = $result->variation_price; - $tmp->variation_price_percentage = $result->variation_price_percentage; - $tmp->variation_weight = $result->variation_weight; - $tmp->variation_ref_ext = $result->variation_ref_ext; + while ($result = $this->db->fetch_object($query)) { + $tmp = new ProductCombination($this->db); + $tmp->id = $result->rowid; + $tmp->fk_product_parent = $result->fk_product_parent; + $tmp->fk_product_child = $result->fk_product_child; + $tmp->variation_price = $result->variation_price; + $tmp->variation_price_percentage = $result->variation_price_percentage; + $tmp->variation_weight = $result->variation_weight; + $tmp->variation_ref_ext = $result->variation_ref_ext; - if (empty($donotloadpricelevel) && !empty($conf->global->PRODUIT_MULTIPRICES)) { - $tmp->fetchCombinationPriceLevels(); - } + if (empty($donotloadpricelevel) && !empty($conf->global->PRODUIT_MULTIPRICES)) { + $tmp->fetchCombinationPriceLevels(); + } - $return[] = $tmp; - } + $return[] = $tmp; + } - return $return; - } + return $return; + } /** * Retrieves all product combinations by the product parent row id From 61903a10795279ec58dcc4f9d43bafbf42b968e2 Mon Sep 17 00:00:00 2001 From: stickler-ci Date: Mon, 7 Sep 2020 15:24:35 +0000 Subject: [PATCH 030/151] Fixing style errors. --- htdocs/product/card.php | 6 +++--- htdocs/product/class/product.class.php | 2 +- .../variants/class/ProductAttribute.class.php | 18 +++++++++--------- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/htdocs/product/card.php b/htdocs/product/card.php index 7195c1476f3..073136e8807 100644 --- a/htdocs/product/card.php +++ b/htdocs/product/card.php @@ -1912,9 +1912,9 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) if (!empty($conf->variants->enabled) && ($object->isProduct() || $object->isService())) { $combination = new ProductCombination($db); - if (($fk_product_parent = $combination->getFkProductParentByFkProductChild($object->id)) > 0) { - $prodstatic = new Product($db); - $prodstatic->fetch($fk_product_parent); + if (($fk_product_parent = $combination->getFkProductParentByFkProductChild($object->id)) > 0) { + $prodstatic = new Product($db); + $prodstatic->fetch($fk_product_parent); // Parent product print ''.$langs->trans("ParentProduct").''; diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php index fb27e140cc2..697c51f09c4 100644 --- a/htdocs/product/class/product.class.php +++ b/htdocs/product/class/product.class.php @@ -4482,7 +4482,7 @@ class Product extends CommonObject global $conf, $langs; $labelStatus = $labelStatusShort = ''; - + $langs->load('products'); if (!empty($conf->productbatch->enabled)) { $langs->load("productbatch"); } diff --git a/htdocs/variants/class/ProductAttribute.class.php b/htdocs/variants/class/ProductAttribute.class.php index 533fc7ea9f4..bbc3a188137 100644 --- a/htdocs/variants/class/ProductAttribute.class.php +++ b/htdocs/variants/class/ProductAttribute.class.php @@ -118,16 +118,16 @@ class ProductAttribute extends CommonObject $query = $this->db->query($sql); if ($query) { - while ($result = $this->db->fetch_object($query)) { - $tmp = new ProductAttribute($this->db); - $tmp->id = $result->rowid; - $tmp->ref = $result->ref; - $tmp->ref_ext = $result->ref_ext; - $tmp->label = $result->label; - $tmp->rang = $result->rang; + while ($result = $this->db->fetch_object($query)) { + $tmp = new ProductAttribute($this->db); + $tmp->id = $result->rowid; + $tmp->ref = $result->ref; + $tmp->ref_ext = $result->ref_ext; + $tmp->label = $result->label; + $tmp->rang = $result->rang; - $return[] = $tmp; - } + $return[] = $tmp; + } } else dol_print_error($this->db); From ccff18e2a564424d32ec921f3a183c942c86858e Mon Sep 17 00:00:00 2001 From: kamel Date: Tue, 8 Sep 2020 14:48:50 +0200 Subject: [PATCH 031/151] NEW : Email configuration - Allow auto signed certificat when ssl activated --- htdocs/admin/mails.php | 37 ++++++++++++++++++++-- htdocs/admin/mails_emailing.php | 40 ++++++++++++++++++++++-- htdocs/core/class/CMailFile.class.php | 14 +++++++++ htdocs/core/class/smtps.class.php | 44 ++++++++++++++++++++++++--- htdocs/langs/en_US/admin.lang | 1 + htdocs/langs/fr_FR/admin.lang | 1 + 6 files changed, 127 insertions(+), 10 deletions(-) diff --git a/htdocs/admin/mails.php b/htdocs/admin/mails.php index 476d782368e..c8c017c476e 100644 --- a/htdocs/admin/mails.php +++ b/htdocs/admin/mails.php @@ -77,6 +77,7 @@ if ($action == 'update' && empty($_POST["cancel"])) dolibarr_set_const($db, "MAIN_MAIL_SMTPS_PW", GETPOST("MAIN_MAIL_SMTPS_PW", 'none'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_MAIL_EMAIL_TLS", GETPOST("MAIN_MAIL_EMAIL_TLS", 'int'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_MAIL_EMAIL_STARTTLS", GETPOST("MAIN_MAIL_EMAIL_STARTTLS", 'int'), 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED", GETPOST("MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED", 'int'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_MAIL_EMAIL_DKIM_ENABLED", GETPOST("MAIN_MAIL_EMAIL_DKIM_ENABLED", 'int'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_MAIL_EMAIL_DKIM_DOMAIN", GETPOST("MAIN_MAIL_EMAIL_DKIM_DOMAIN", 'alphanohtml'), 'chaine', 0, '', $conf->entity); @@ -156,6 +157,8 @@ if ($action == 'edit') jQuery("#MAIN_MAIL_EMAIL_TLS").prop("disabled", true); jQuery("#MAIN_MAIL_EMAIL_STARTTLS").val(0); jQuery("#MAIN_MAIL_EMAIL_STARTTLS").prop("disabled", true); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").val(0); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").prop("disabled", true); jQuery("#MAIN_MAIL_EMAIL_DKIM_ENABLED").val(0); jQuery("#MAIN_MAIL_EMAIL_DKIM_ENABLED").prop("disabled", true); jQuery("#MAIN_MAIL_EMAIL_DKIM_DOMAIN").prop("disabled", true); @@ -187,6 +190,8 @@ if ($action == 'edit') jQuery("#MAIN_MAIL_EMAIL_TLS").removeAttr("disabled"); jQuery("#MAIN_MAIL_EMAIL_STARTTLS").val('.$conf->global->MAIN_MAIL_EMAIL_STARTTLS.'); jQuery("#MAIN_MAIL_EMAIL_STARTTLS").removeAttr("disabled"); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").val('.$conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED.'); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").removeAttr("disabled"); jQuery("#MAIN_MAIL_EMAIL_DKIM_ENABLED").val(0); jQuery("#MAIN_MAIL_EMAIL_DKIM_ENABLED").prop("disabled", true); jQuery("#MAIN_MAIL_EMAIL_DKIM_DOMAIN").prop("disabled", true); @@ -211,6 +216,8 @@ if ($action == 'edit') jQuery("#MAIN_MAIL_EMAIL_TLS").removeAttr("disabled"); jQuery("#MAIN_MAIL_EMAIL_STARTTLS").val('.$conf->global->MAIN_MAIL_EMAIL_STARTTLS.'); jQuery("#MAIN_MAIL_EMAIL_STARTTLS").removeAttr("disabled"); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").val('.$conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED.'); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").removeAttr("disabled"); jQuery("#MAIN_MAIL_EMAIL_DKIM_ENABLED").val('.$conf->global->MAIN_MAIL_EMAIL_DKIM_ENABLED.'); jQuery("#MAIN_MAIL_EMAIL_DKIM_ENABLED").removeAttr("disabled"); jQuery("#MAIN_MAIL_EMAIL_DKIM_DOMAIN").removeAttr("disabled"); @@ -233,12 +240,16 @@ if ($action == 'edit') initfields(); }); jQuery("#MAIN_MAIL_EMAIL_TLS").change(function() { - if (jQuery("#MAIN_MAIL_EMAIL_STARTTLS").val() == 1) + if (jQuery("#MAIN_MAIL_EMAIL_TLS").val() == 1) jQuery("#MAIN_MAIL_EMAIL_STARTTLS").val(0); + else + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").val(0); }); jQuery("#MAIN_MAIL_EMAIL_STARTTLS").change(function() { - if (jQuery("#MAIN_MAIL_EMAIL_TLS").val() == 1) + if (jQuery("#MAIN_MAIL_EMAIL_STARTTLS").val() == 1) jQuery("#MAIN_MAIL_EMAIL_TLS").val(0); + else + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").val(0); }); })'; print ''."\n"; @@ -408,6 +419,17 @@ if ($action == 'edit') } else print yn(0).' ('.$langs->trans("NotSupported").')'; print ''; + // SMTP_ALLOW_SELF_SIGNED + print ''.$langs->trans("MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").''; + if (!empty($conf->use_javascript_ajax) || (isset($conf->global->MAIN_MAIL_SENDMODE) && in_array($conf->global->MAIN_MAIL_SENDMODE, array('smtps', 'swiftmailer')))) + { + if (function_exists('openssl_open')) + { + print $form->selectyesno('MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED', (!empty($conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED) ? $conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED : 0), 1); + } else print yn(0).' ('.$langs->trans("YourPHPDoesNotHaveSSLSupport").')'; + } else print yn(0).' ('.$langs->trans("NotSupported").')'; + print ''; + // DKIM print ''.$langs->trans("MAIN_MAIL_EMAIL_DKIM_ENABLED").''; if (!empty($conf->use_javascript_ajax) || (isset($conf->global->MAIN_MAIL_SENDMODE) && in_array($conf->global->MAIN_MAIL_SENDMODE, array('swiftmailer')))) @@ -561,6 +583,17 @@ if ($action == 'edit') } else print ''.yn(0).' ('.$langs->trans("NotSupported").')'; print ''; + // SMTP_ALLOW_SELF_SIGNED + print ''.$langs->trans("MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").''; + if (isset($conf->global->MAIN_MAIL_SENDMODE) && in_array($conf->global->MAIN_MAIL_SENDMODE, array('smtps', 'swiftmailer'))) + { + if (function_exists('openssl_open')) + { + print yn($conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED); + } else print yn(0).' ('.$langs->trans("YourPHPDoesNotHaveSSLSupport").')'; + } else print ''.yn(0).' ('.$langs->trans("NotSupported").')'; + print ''; + if ($conf->global->MAIN_MAIL_SENDMODE == 'swiftmailer') { diff --git a/htdocs/admin/mails_emailing.php b/htdocs/admin/mails_emailing.php index f78ef0277bb..7e6f9acae93 100644 --- a/htdocs/admin/mails_emailing.php +++ b/htdocs/admin/mails_emailing.php @@ -68,6 +68,7 @@ if ($action == 'update' && empty($_POST["cancel"])) dolibarr_set_const($db, "MAIN_MAIL_SMTPS_PW_EMAILING", GETPOST("MAIN_MAIL_SMTPS_PW_EMAILING"), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_MAIL_EMAIL_TLS_EMAILING", GETPOST("MAIN_MAIL_EMAIL_TLS_EMAILING"), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_MAIL_EMAIL_STARTTLS_EMAILING", GETPOST("MAIN_MAIL_EMAIL_STARTTLS_EMAILING"), 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING", GETPOST("MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING"), 'chaine', 0, '', $conf->entity); header("Location: ".$_SERVER["PHP_SELF"]."?mainmenu=home&leftmenu=setup"); exit; @@ -147,6 +148,8 @@ if ($action == 'edit') jQuery("#MAIN_MAIL_EMAIL_TLS_EMAILING").prop("disabled", true); jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").val(0); jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").prop("disabled", true); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").val(0); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").prop("disabled", true); '; if ($linuxlike) { @@ -173,6 +176,8 @@ if ($action == 'edit') jQuery("#MAIN_MAIL_EMAIL_TLS_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").val('.$conf->global->MAIN_MAIL_EMAIL_STARTTLS_EMAILING.'); jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").removeAttr("disabled"); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").val('.$conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING.'); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_SMTP_SERVER_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_SMTP_PORT_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_SMTP_SERVER_EMAILING").show(); @@ -187,6 +192,8 @@ if ($action == 'edit') jQuery("#MAIN_MAIL_EMAIL_TLS_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").val('.$conf->global->MAIN_MAIL_EMAIL_STARTTLS_EMAILING.'); jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").removeAttr("disabled"); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").val('.$conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING.'); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_SMTP_SERVER_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_SMTP_PORT_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_SMTP_SERVER_EMAILING").show(); @@ -199,13 +206,17 @@ if ($action == 'edit') jQuery("#MAIN_MAIL_SENDMODE_EMAILING").change(function() { initfields(); }); - jQuery("#MAIN_MAIL_EMAIL_TLS").change(function() { - if (jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").val() == 1) + jQuery("#MAIN_MAIL_EMAIL_TLS_EMAILING").change(function() { + if (jQuery("#MAIN_MAIL_EMAIL_TLS_EMAILING").val() == 1) jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").val(0); + else + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").val(0); }); jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").change(function() { - if (jQuery("#MAIN_MAIL_EMAIL_TLS_EMAILING").val() == 1) + if (jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").val() == 1) jQuery("#MAIN_MAIL_EMAIL_TLS_EMAILING").val(0); + else + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").val(0); }); })'; print ''."\n"; @@ -359,6 +370,18 @@ if ($action == 'edit') } else print yn(0).' ('.$langs->trans("NotSupported").')'; print ''; + // SMTP_ALLOW_SELF_SIGNED_EMAILING + + print ''.$langs->trans("MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").''; + if (!empty($conf->use_javascript_ajax) || (isset($conf->global->MAIN_MAIL_SENDMODE_EMAILING) && in_array($conf->global->MAIN_MAIL_SENDMODE_EMAILING, array('smtps', 'swiftmailer')))) + { + if (function_exists('openssl_open')) + { + print $form->selectyesno('MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING', (!empty($conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING) ? $conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING : 0), 1); + } else print yn(0).' ('.$langs->trans("YourPHPDoesNotHaveSSLSupport").')'; + } else print yn(0).' ('.$langs->trans("NotSupported").')'; + print ''; + print ''; dol_fiche_end(); @@ -437,6 +460,17 @@ if ($action == 'edit') } else print yn(0).' ('.$langs->trans("YourPHPDoesNotHaveSSLSupport").')'; } else print yn(0).' ('.$langs->trans("NotSupported").')'; print ''; + + // SMTP_ALLOW_SELF_SIGNED_EMAILING + print ''.$langs->trans("MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").''; + if (isset($conf->global->MAIN_MAIL_SENDMODE_EMAILING) && in_array($conf->global->MAIN_MAIL_SENDMODE_EMAILING, array('smtps', 'swiftmailer'))) + { + if (function_exists('openssl_open')) + { + print yn($conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING); + } else print yn(0).' ('.$langs->trans("YourPHPDoesNotHaveSSLSupport").')'; + } else print yn(0).' ('.$langs->trans("NotSupported").')'; + print ''; } print ''; diff --git a/htdocs/core/class/CMailFile.class.php b/htdocs/core/class/CMailFile.class.php index 5048bcd31e8..4803a0da1ca 100644 --- a/htdocs/core/class/CMailFile.class.php +++ b/htdocs/core/class/CMailFile.class.php @@ -294,6 +294,16 @@ class CMailFile $addr_bcc .= ($addr_bcc ? ', ' : '').$conf->global->MAIN_MAIL_AUTOCOPY_TO; } + $keyforsslseflsigned ='MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED'; + if (!empty($this->sendcontext)) { + $smtpContextKey = strtoupper($this->sendcontext); + $keyForSMTPSendMode = 'MAIN_MAIL_SENDMODE_' . $smtpContextKey; + $smtpContextSendMode = $conf->global->{$keyForSMTPSendMode}; + if (!empty($smtpContextSendMode) && $smtpContextSendMode != 'default') { + $keyforsslseflsigned ='MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_' . $smtpContextKey; + } + } + // We set all data according to choosed sending method. // We also set a value for ->msgid if ($this->sendmode == 'mail') @@ -404,6 +414,7 @@ class CMailFile $smtps->setBCC($this->addr_bcc); $smtps->setErrorsTo($this->errors_to); $smtps->setDeliveryReceipt($this->deliveryreceipt); + if (!empty($conf->global->$keyforsslseflsigned)) $smtps->setOptions(array('ssl' => array('verify_peer' => false, 'verify_peer_name' => false, 'allow_self_signed' => true))); $host = dol_getprefix('email'); $this->msgid = time().'.SMTPs-dolibarr-'.$this->trackid.'@'.$host; @@ -639,6 +650,7 @@ class CMailFile $keyforsmtppw = 'MAIN_MAIL_SMTPS_PW'; $keyfortls = 'MAIN_MAIL_EMAIL_TLS'; $keyforstarttls = 'MAIN_MAIL_EMAIL_STARTTLS'; + $keyforsslseflsigned ='MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED'; if (!empty($this->sendcontext)) { $smtpContextKey = strtoupper($this->sendcontext); $keyForSMTPSendMode = 'MAIN_MAIL_SENDMODE_' . $smtpContextKey; @@ -650,6 +662,7 @@ class CMailFile $keyforsmtppw = 'MAIN_MAIL_SMTPS_PW_' . $smtpContextKey; $keyfortls = 'MAIN_MAIL_EMAIL_TLS_' . $smtpContextKey; $keyforstarttls = 'MAIN_MAIL_EMAIL_STARTTLS_' . $smtpContextKey; + $keyforsslseflsigned ='MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_' . $smtpContextKey; } } @@ -846,6 +859,7 @@ class CMailFile if (!empty($conf->global->$keyforsmtpid)) $this->transport->setUsername($conf->global->$keyforsmtpid); if (!empty($conf->global->$keyforsmtppw)) $this->transport->setPassword($conf->global->$keyforsmtppw); + if (! empty($conf->global->$keyforsslseflsigned)) $this->transport->setStreamOptions(array('ssl' => array('allow_self_signed' => true, 'verify_peer' => false)));; //$smtps->_msgReplyTo = 'reply@web.com'; // Switch content encoding to base64 - avoid the doubledot issue with quoted-printable diff --git a/htdocs/core/class/smtps.class.php b/htdocs/core/class/smtps.class.php index 87ce3c22e80..5e3f35fbbc0 100644 --- a/htdocs/core/class/smtps.class.php +++ b/htdocs/core/class/smtps.class.php @@ -228,6 +228,21 @@ class SMTPs private $_trackId = ''; private $_moreInHeader = ''; + /** + * An array of options for stream_context_create() + */ + private $_options = []; + + /** + * Set delivery receipt + * + * @param array $_options An array of options for stream_context_create() + * @return void + */ + public function setOptions($_options = []) + { + $this->_options = $_options; + } /** * Set delivery receipt @@ -372,15 +387,34 @@ class SMTPs { $this->_setErr(99, $host.' is either offline or is an invalid host name.'); $_retVal = false; - } else { - //See if we can connect to the SMTP server - if ($this->socket = @fsockopen( - preg_replace('@tls://@i', '', $this->getHost()), // Host to 'hit', IP or domain + } + else + { + if (function_exists('stream_socket_client')) { + $socket_context = stream_context_create($this->_options); // An array of options for stream_context_create() + set_error_handler([$this, 'errorHandler']); + $this->socket = @stream_socket_client( + $this->getHost() . // Host to 'hit', IP or domain + ':' . $this->getPort(), // which Port number to use + $this->errno, // actual system level error + $this->errstr, // and any text that goes with the error + $this->_smtpTimeout, // timeout for reading/writing data over the socket + STREAM_CLIENT_CONNECT, + $socket_context // Options for connection + ); + } else { + $this->socket = @fsockopen( + $this->getHost(), // Host to 'hit', IP or domain $this->getPort(), // which Port number to use $this->errno, // actual system level error $this->errstr, // and any text that goes with the error $this->_smtpTimeout // timeout for reading/writing data over the socket - )) { + ); + } + + //See if we can connect to the SMTP server + if (is_resource($this->socket)) + { // Fix from PHP SMTP class by 'Chris Ryan' // Sometimes the SMTP server takes a little longer to respond // so we will give it a longer timeout for the first read diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang index 15627a7e88b..7bf73f8e458 100644 --- a/htdocs/langs/en_US/admin.lang +++ b/htdocs/langs/en_US/admin.lang @@ -289,6 +289,7 @@ MAIN_MAIL_SMTPS_ID=SMTP ID (if sending server requires authentication) MAIN_MAIL_SMTPS_PW=SMTP Password (if sending server requires authentication) MAIN_MAIL_EMAIL_TLS=Use TLS (SSL) encryption MAIN_MAIL_EMAIL_STARTTLS=Use TLS (STARTTLS) encryption +MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED=Authorise les certificats auto-signés MAIN_MAIL_EMAIL_DKIM_ENABLED=Use DKIM to generate email signature MAIN_MAIL_EMAIL_DKIM_DOMAIN=Email Domain for use with dkim MAIN_MAIL_EMAIL_DKIM_SELECTOR=Name of dkim selector diff --git a/htdocs/langs/fr_FR/admin.lang b/htdocs/langs/fr_FR/admin.lang index baf38869cab..6cace7f78fd 100644 --- a/htdocs/langs/fr_FR/admin.lang +++ b/htdocs/langs/fr_FR/admin.lang @@ -289,6 +289,7 @@ MAIN_MAIL_SMTPS_ID=ID SMTP (si le serveur d'envoi nécessite une authentificatio MAIN_MAIL_SMTPS_PW=Mot de passe SMTP (si le serveur d'envoi nécessite une authentification) MAIN_MAIL_EMAIL_TLS=Utilisation du chiffrement TLS (SSL) MAIN_MAIL_EMAIL_STARTTLS=Utiliser le cryptage TTS (STARTTLS) +MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED=Authorise les certificats auto-signés MAIN_MAIL_EMAIL_DKIM_ENABLED=Utiliser DKIM pour signer les emails MAIN_MAIL_EMAIL_DKIM_DOMAIN=Nom de domaine pour la signature DKIM MAIN_MAIL_EMAIL_DKIM_SELECTOR=Nom du sélecteur DKIM From ed13a9fce2958c9056f98aaf8c54296b1eb57bfd Mon Sep 17 00:00:00 2001 From: kamel Date: Tue, 8 Sep 2020 14:53:22 +0200 Subject: [PATCH 032/151] Correction stickler-ci --- htdocs/core/class/smtps.class.php | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/htdocs/core/class/smtps.class.php b/htdocs/core/class/smtps.class.php index 5e3f35fbbc0..6d02d23ab6e 100644 --- a/htdocs/core/class/smtps.class.php +++ b/htdocs/core/class/smtps.class.php @@ -387,9 +387,7 @@ class SMTPs { $this->_setErr(99, $host.' is either offline or is an invalid host name.'); $_retVal = false; - } - else - { + } else { if (function_exists('stream_socket_client')) { $socket_context = stream_context_create($this->_options); // An array of options for stream_context_create() set_error_handler([$this, 'errorHandler']); From efb59754d72b62c586f51e1e802952d844e6bd03 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Wed, 9 Sep 2020 19:32:14 +0200 Subject: [PATCH 033/151] Update 12.0.0-13.0.0.sql --- htdocs/install/mysql/migration/12.0.0-13.0.0.sql | 3 --- 1 file changed, 3 deletions(-) diff --git a/htdocs/install/mysql/migration/12.0.0-13.0.0.sql b/htdocs/install/mysql/migration/12.0.0-13.0.0.sql index 37fcf0d785f..a41b6825fa3 100644 --- a/htdocs/install/mysql/migration/12.0.0-13.0.0.sql +++ b/htdocs/install/mysql/migration/12.0.0-13.0.0.sql @@ -312,8 +312,5 @@ ALTER TABLE llx_actioncomm_reminder ADD INDEX idx_actioncomm_reminder_status (st ALTER TABLE llx_inventorydet ADD UNIQUE uk_inventorydet(fk_inventory, fk_warehouse, fk_product, batch); -ALTER TABLE llx_product_attribute ADD COLUMN ref_ext varchar(255) AFTER ref; -ALTER TABLE llx_product_attribute_combination ADD COLUMN variation_ref_ext varchar(255) AFTER variation_weight; - ALTER TABLE llx_commandedet ADD COLUMN ref_ext varchar(255) AFTER label; ALTER TABLE llx_facturedet ADD COLUMN ref_ext varchar(255) AFTER multicurrency_total_ttc; From 3209708e309d79bfa62c0e18dd136cbf7a415d71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric?= <35066297+c3do@users.noreply.github.com> Date: Thu, 10 Sep 2020 13:56:58 +0200 Subject: [PATCH 034/151] Update ProductCombination.class.php --- htdocs/variants/class/ProductCombination.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/variants/class/ProductCombination.class.php b/htdocs/variants/class/ProductCombination.class.php index 6510ef3176e..bd593b2c568 100644 --- a/htdocs/variants/class/ProductCombination.class.php +++ b/htdocs/variants/class/ProductCombination.class.php @@ -373,7 +373,7 @@ class ProductCombination /* $this->fk_product_child may be empty and will be filled later after subproduct has been created */ $sql = "INSERT INTO ".MAIN_DB_PREFIX."product_attribute_combination"; - $sql .= " (fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight, entity)"; + $sql .= " (fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight, variation_ref_ext, entity)"; $sql .= " VALUES (".((int) $this->fk_product_parent).", ".((int) $this->fk_product_child).","; $sql .= (float) $this->variation_price.", ".(int) $this->variation_price_percentage.","; $sql .= (float) $this->variation_weight.", '".$this->db->escape($this->variation_ref_ext)."', ".(int) $this->entity.")"; From 2ae91b131fa04ea0e2ba06ddb675496be2bd8361 Mon Sep 17 00:00:00 2001 From: Alexandre SPANGARO Date: Sun, 13 Sep 2020 22:17:24 +0200 Subject: [PATCH 035/151] Fix display on quickadd dropdown menu --- htdocs/langs/en_US/supplier_proposal.lang | 1 + htdocs/theme/eldy/dropdown.inc.php | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/htdocs/langs/en_US/supplier_proposal.lang b/htdocs/langs/en_US/supplier_proposal.lang index ce5bdf0425a..ca75eddb7df 100644 --- a/htdocs/langs/en_US/supplier_proposal.lang +++ b/htdocs/langs/en_US/supplier_proposal.lang @@ -13,6 +13,7 @@ SupplierProposalArea=Vendor proposals area SupplierProposalShort=Vendor proposal SupplierProposals=Vendor proposals SupplierProposalsShort=Vendor proposals +AskPrice=Price request NewAskPrice=New price request ShowSupplierProposal=Show price request AddSupplierProposal=Create a price request diff --git a/htdocs/theme/eldy/dropdown.inc.php b/htdocs/theme/eldy/dropdown.inc.php index 12f34ed50ac..ff1a4ff9fba 100644 --- a/htdocs/theme/eldy/dropdown.inc.php +++ b/htdocs/theme/eldy/dropdown.inc.php @@ -411,7 +411,7 @@ a.top-menu-dropdown-link { * QUICK ADD */ #topmenu-quickadd-dropdown .dropdown-menu { - width: 300px !important; + width: 340px !important; color: #444; } @@ -449,8 +449,8 @@ div.quickadd a:hover, div.quickadd a:active { } div.quickaddblock { - width: 80px; - display: block ruby; + width: 100px; + height: 70px; } div.quickaddblock:hover, From 2a5b31da2dca7e36ad2c1d4708342a806c5a976c Mon Sep 17 00:00:00 2001 From: kamel Date: Mon, 14 Sep 2020 10:22:05 +0200 Subject: [PATCH 036/151] CORE smtps: Corrections --- htdocs/core/class/smtps.class.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/htdocs/core/class/smtps.class.php b/htdocs/core/class/smtps.class.php index 6d02d23ab6e..3adbf4af4d5 100644 --- a/htdocs/core/class/smtps.class.php +++ b/htdocs/core/class/smtps.class.php @@ -388,11 +388,11 @@ class SMTPs $this->_setErr(99, $host.' is either offline or is an invalid host name.'); $_retVal = false; } else { - if (function_exists('stream_socket_client')) { + if (function_exists('stream_socket_client') && !empty($this->_options)) { $socket_context = stream_context_create($this->_options); // An array of options for stream_context_create() set_error_handler([$this, 'errorHandler']); $this->socket = @stream_socket_client( - $this->getHost() . // Host to 'hit', IP or domain + preg_replace('@tls://@i', '', $this->getHost()) . // Host to 'hit', IP or domain ':' . $this->getPort(), // which Port number to use $this->errno, // actual system level error $this->errstr, // and any text that goes with the error @@ -402,7 +402,7 @@ class SMTPs ); } else { $this->socket = @fsockopen( - $this->getHost(), // Host to 'hit', IP or domain + preg_replace('@tls://@i', '', $this->getHost()), // Host to 'hit', IP or domain $this->getPort(), // which Port number to use $this->errno, // actual system level error $this->errstr, // and any text that goes with the error From a8c1b835db978350bf98ada2f5825e5687206156 Mon Sep 17 00:00:00 2001 From: Alexandre SPANGARO Date: Tue, 15 Sep 2020 03:08:06 +0200 Subject: [PATCH 037/151] Fix display on quickadd dropdown menu --- htdocs/theme/eldy/dropdown.inc.php | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/htdocs/theme/eldy/dropdown.inc.php b/htdocs/theme/eldy/dropdown.inc.php index ff1a4ff9fba..1140589a2e2 100644 --- a/htdocs/theme/eldy/dropdown.inc.php +++ b/htdocs/theme/eldy/dropdown.inc.php @@ -411,10 +411,15 @@ a.top-menu-dropdown-link { * QUICK ADD */ #topmenu-quickadd-dropdown .dropdown-menu { - width: 340px !important; + width: 310px !important; color: #444; } +.quickadd-body.dropdown-body { + padding: unset; + padding-top: 15px; +} + .quickadd-header { color: #444 !important; } @@ -449,8 +454,8 @@ div.quickadd a:hover, div.quickadd a:active { } div.quickaddblock { - width: 100px; - height: 70px; + width: 95px; + height: 80px; } div.quickaddblock:hover, From 31eecae2a6044e12fe383d69df0de2e5f635279d Mon Sep 17 00:00:00 2001 From: "jove@bisquerra.com" Date: Wed, 16 Sep 2020 06:54:01 +0200 Subject: [PATCH 038/151] Show buttons on products when 'Hide Product Images' is enabled --- htdocs/takepos/css/pos.css.php | 21 +++++++++++++++++ htdocs/takepos/index.php | 43 +++++++++++++++++++++++++--------- 2 files changed, 53 insertions(+), 11 deletions(-) diff --git a/htdocs/takepos/css/pos.css.php b/htdocs/takepos/css/pos.css.php index f4c9cf3a88a..4666de59a8e 100644 --- a/htdocs/takepos/css/pos.css.php +++ b/htdocs/takepos/css/pos.css.php @@ -141,6 +141,27 @@ button.calcbutton3 { border-radius: 3px; } +button.productbutton { + display: inline-block; + position: relative; + padding: 0; + line-height: normal; + cursor: pointer; + vertical-align: middle; + text-align: center; + overflow: visible; /* removes extra width in IE */ + width: calc(100% - 2px); + height: calc(100% - 2px); + font-weight: bold; + background-color: #a3a6a3; + color: #fff; + /* border-color: unset; */ + border-width: 0; + margin: 1px; + font-size: 14pt; + border-radius: 3px; +} + button.actionbutton { background: #EABCA6; border: 2px solid #EEE; diff --git a/htdocs/takepos/index.php b/htdocs/takepos/index.php index 390f71491ba..76c71f5b755 100644 --- a/htdocs/takepos/index.php +++ b/htdocs/takepos/index.php @@ -291,12 +291,20 @@ function LoadProducts(position, issubcat) { //console.log("ishow"+ishow+" idata="+idata); console.log(data[idata]); if (typeof (data[idata]) == "undefined") { - $("#prodivdesc"+ishow).hide(); - $("#prodesc"+ishow).text(""); + global->TAKEPOS_HIDE_PRODUCT_IMAGES) + { + echo '$("#prodivdesc"+ishow).hide();'; + echo '$("#prodesc"+ishow).text("");'; + echo '$("#proimg"+ishow).attr("title","");'; + echo '$("#proimg"+ishow).attr("src","genimg/empty.png");'; + } + else + { + echo '$("#probutton"+ishow).hide();'; + echo '$("#probutton"+ishow).text("");'; + }?> $("#proprice"+ishow).attr("class", "hidden"); $("#proprice"+ishow).html(""); - $("#proimg"+ishow).attr("title",""); - $("#proimg"+ishow).attr("src","genimg/empty.png"); $("#prodiv"+ishow).data("rowid",""); $("#prodiv"+ishow).attr("class","wrapper2 divempty"); $("#prowatermark"+ishow).hide(); @@ -308,14 +316,23 @@ function LoadProducts(position, issubcat) { $titlestring .= " + ' - ".dol_escape_js($langs->trans("Barcode").': ')."' + data[idata]['barcode']"; ?> var titlestring = ; - $("#prodivdesc"+ishow).show(); - $("#prodesc"+ishow).text(data[parseInt(idata)]['label']); + global->TAKEPOS_HIDE_PRODUCT_IMAGES) + { + echo '$("#prodivdesc"+ishow).show();'; + echo '$("#prodesc"+ishow).text(data[parseInt(idata)][\'label\']);'; + echo '$("#proimg"+ishow).attr("title", titlestring);'; + echo '$("#proimg"+ishow).attr("src", "genimg/index.php?query=pro&id="+data[idata][\'id\']);'; + } + else + { + echo '$("#probutton"+ishow).show();'; + echo '$("#probutton"+ishow).text(data[parseInt(idata)][\'label\']);'; + } + ?> if (data[parseInt(idata)]['price_formated']) { $("#proprice"+ishow).attr("class", "productprice"); $("#proprice"+ishow).html(data[parseInt(idata)]['price_formated']); } - $("#proimg"+ishow).attr("title", titlestring); - $("#proimg"+ishow).attr("src", "genimg/index.php?query=pro&id="+data[idata]['id']); $("#prodiv"+ishow).data("rowid", data[idata]['id']); $("#prodiv"+ishow).data("iscat", 0); $("#prodiv"+ishow).attr("class","wrapper2"); @@ -1070,11 +1087,15 @@ if ($conf->global->TAKEPOS_WEIGHING_SCALE) //echo ''; print ''; } else { - print '
'; - if (!$conf->global->TAKEPOS_HIDE_PRODUCT_IMAGES) print ''; + if ($conf->global->TAKEPOS_HIDE_PRODUCT_IMAGES) echo ''; + else + { + print '
'; + print ''; + } } ?> - + global->TAKEPOS_HIDE_PRODUCT_IMAGES) { ?>
From 9bb41e949d420900fa28cffb6eb15e53afbbd515 Mon Sep 17 00:00:00 2001 From: andreubisquerra Date: Wed, 16 Sep 2020 07:39:48 +0200 Subject: [PATCH 039/151] Fix travis --- htdocs/takepos/index.php | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/htdocs/takepos/index.php b/htdocs/takepos/index.php index 76c71f5b755..fac4f7a0083 100644 --- a/htdocs/takepos/index.php +++ b/htdocs/takepos/index.php @@ -297,8 +297,7 @@ function LoadProducts(position, issubcat) { echo '$("#prodesc"+ishow).text("");'; echo '$("#proimg"+ishow).attr("title","");'; echo '$("#proimg"+ishow).attr("src","genimg/empty.png");'; - } - else + } else { echo '$("#probutton"+ishow).hide();'; echo '$("#probutton"+ishow).text("");'; @@ -323,8 +322,7 @@ function LoadProducts(position, issubcat) { echo '$("#proimg"+ishow).attr("title", titlestring);'; echo '$("#proimg"+ishow).attr("src", "genimg/index.php?query=pro&id="+data[idata][\'id\']);'; } - else - { + else { echo '$("#probutton"+ishow).show();'; echo '$("#probutton"+ishow).text(data[parseInt(idata)][\'label\']);'; } @@ -1088,8 +1086,7 @@ if ($conf->global->TAKEPOS_WEIGHING_SCALE) print ''; } else { if ($conf->global->TAKEPOS_HIDE_PRODUCT_IMAGES) echo ''; - else - { + else { print '
'; print ''; } From ffb1b5c2ca3a07eb8f338cfcbecf5dedccfced50 Mon Sep 17 00:00:00 2001 From: andreubisquerra Date: Wed, 16 Sep 2020 07:59:36 +0200 Subject: [PATCH 040/151] Fix travis --- htdocs/takepos/index.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/htdocs/takepos/index.php b/htdocs/takepos/index.php index fac4f7a0083..accd353de8d 100644 --- a/htdocs/takepos/index.php +++ b/htdocs/takepos/index.php @@ -297,8 +297,7 @@ function LoadProducts(position, issubcat) { echo '$("#prodesc"+ishow).text("");'; echo '$("#proimg"+ishow).attr("title","");'; echo '$("#proimg"+ishow).attr("src","genimg/empty.png");'; - } else - { + } else { echo '$("#probutton"+ishow).hide();'; echo '$("#probutton"+ishow).text("");'; }?> From 31825375669329ac6006ae664af2645862b906cc Mon Sep 17 00:00:00 2001 From: atm-lena Date: Wed, 16 Sep 2020 17:19:25 +0200 Subject: [PATCH 041/151] FIX - Send mail from contact : select mail model --- htdocs/contact/card.php | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/htdocs/contact/card.php b/htdocs/contact/card.php index f013cd7e8aa..ec8d64fcede 100644 --- a/htdocs/contact/card.php +++ b/htdocs/contact/card.php @@ -1176,6 +1176,11 @@ else } } + // Select mail models is same action as presend + if (GETPOST('modelselected', 'alpha')) { + $action = 'presend'; + } + if (! empty($id) && $action != 'edit' && $action != 'create') { $objsoc = new Societe($db); From 23c4cfe913429a38b3e4f9edec33bdfb0166d274 Mon Sep 17 00:00:00 2001 From: Alexandre SPANGARO Date: Wed, 16 Sep 2020 20:55:28 +0200 Subject: [PATCH 042/151] FIX Yogosha report 4425 (backport) --- htdocs/core/lib/functions.lib.php | 37 ++++++++++++++++++++++++------- htdocs/document.php | 9 ++++---- 2 files changed, 34 insertions(+), 12 deletions(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 97ad5d58969..3f4229589dd 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -7705,19 +7705,16 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param if (empty($conf->use_javascript_ajax)) return ''; - $mime_preview = array('bmp', 'jpeg', 'png', 'gif', 'tiff', 'pdf', 'plain', 'css', 'svg+xml'); - //$mime_preview[]='vnd.oasis.opendocument.presentation'; - //$mime_preview[]='archive'; - $num_mime = array_search(dol_mimetype($relativepath, '', 1), $mime_preview); + $isAllowedForPreview = dolIsAllowedForPreview($relativepath); if ($alldata == 1) { - if ($num_mime !== false) return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param?'&'.$param:''), 'mime'=>dol_mimetype($relativepath), ); + if (isAllowedForPreview) return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param?'&'.$param:''), 'mime'=>dol_mimetype($relativepath), ); else return array(); } - // old behavior - if ($num_mime !== false) return 'javascript:document_preview(\''.dol_escape_js(DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param?'&'.$param:'')).'\', \''.dol_mimetype($relativepath).'\', \''.dol_escape_js($langs->trans('Preview')).'\')'; + // old behavior, return a string + if ($isAllowedForPreview) return 'javascript:document_preview(\''.dol_escape_js(DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param?'&'.$param:'')).'\', \''.dol_mimetype($relativepath).'\', \''.dol_escape_js($langs->trans('Preview')).'\')'; else return ''; } @@ -7741,6 +7738,30 @@ function ajax_autoselect($htmlname, $addlink = '') return $out; } +/** + * Return if a file is qualified for preview + * + * @param string $file Filename we looking for information + * @return int 1 If allowed, 0 otherwise + * @see dol_mimetype(), image_format_supported() from images.lib.php + */ +function dolIsAllowedForPreview($file) { + global $conf; + + // Check .noexe extension in filename + if (preg_match('/\.noexe$/i', $file)) return 0; + + // Check mime types + $mime_preview = array('bmp', 'jpeg', 'png', 'gif', 'tiff', 'pdf', 'plain', 'css', 'webp'); + if (!empty($conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES)) $mime_preview[] = 'svg+xml'; + //$mime_preview[]='vnd.oasis.opendocument.presentation'; + //$mime_preview[]='archive'; + $num_mime = array_search(dol_mimetype($file, '', 1), $mime_preview); + if ($num_mime !== false) return 1; + + // By default, not allowed for preview + return 0; +} /** * Return mime type of a file @@ -7749,7 +7770,7 @@ function ajax_autoselect($htmlname, $addlink = '') * @param string $default Default mime type if extension not found in known list * @param int $mode 0=Return full mime, 1=otherwise short mime string, 2=image for mime type, 3=source language, 4=css of font fa * @return string Return a mime type family (text/xxx, application/xxx, image/xxx, audio, video, archive) - * @see image_format_supported() from images.lib.php + * @see dolIsAllowedForPreview(), image_format_supported() from images.lib.php */ function dol_mimetype($file, $default = 'application/octet-stream', $mode = 0) { diff --git a/htdocs/document.php b/htdocs/document.php index 2b37792d69a..ccd404f7315 100644 --- a/htdocs/document.php +++ b/htdocs/document.php @@ -156,12 +156,13 @@ if (isset($_GET["attachment"])) $attachment = GETPOST("attachment", 'alpha')?tru if (! empty($conf->global->MAIN_DISABLE_FORCE_SAVEAS)) $attachment=false; // Define mime type -$type = 'application/octet-stream'; +$type = 'application/octet-stream'; // By default if (GETPOST('type', 'alpha')) $type=GETPOST('type', 'alpha'); else $type=dol_mimetype($original_file); -// Security: Force to octet-stream if file is a dangerous file -if (preg_match('/\.noexe$/i', $original_file)) $type = 'application/octet-stream'; - +// Security: Force to octet-stream if file is a dangerous file. For example when it is a .noexe file +if (!dolIsAllowedForPreview($original_file)) { + $type = 'application/octet-stream'; +} // Security: Delete string ../ into $original_file $original_file = str_replace("../", "/", $original_file); From bc457ebb660ae67b0bc853e317915e9e140458c1 Mon Sep 17 00:00:00 2001 From: Alexandre SPANGARO Date: Wed, 16 Sep 2020 21:22:59 +0200 Subject: [PATCH 043/151] Stickler --- htdocs/core/lib/functions.lib.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 3f4229589dd..c279b3fb4e5 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -7745,7 +7745,8 @@ function ajax_autoselect($htmlname, $addlink = '') * @return int 1 If allowed, 0 otherwise * @see dol_mimetype(), image_format_supported() from images.lib.php */ -function dolIsAllowedForPreview($file) { +function dolIsAllowedForPreview($file) +{ global $conf; // Check .noexe extension in filename From 8284d0ee06a785c85f41598f7973aba11e120dd7 Mon Sep 17 00:00:00 2001 From: ptibogxiv Date: Thu, 17 Sep 2020 11:41:53 +0200 Subject: [PATCH 044/151] FIx product list fix mistake if fk_state empty --- htdocs/product/list.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/htdocs/product/list.php b/htdocs/product/list.php index 2217d85ccfc..a6fb86f07b8 100644 --- a/htdocs/product/list.php +++ b/htdocs/product/list.php @@ -1445,7 +1445,9 @@ if ($resql) // State if (!empty($arrayfields['p.fk_state']['checked'])) { - print ''.getState($obj->fk_state, 0, $db).''; + print ''; + if (!empty($obj->fk_state)) print getState($obj->fk_state, 0, $db); + print ''; if (!$i) $totalarray['nbfield']++; } // Accountancy code sell From e711ab3aa398f5fad429b1f27ef9cb1b7b454bbc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric?= <35066297+c3do@users.noreply.github.com> Date: Thu, 17 Sep 2020 12:31:56 +0200 Subject: [PATCH 045/151] Update product.lib.php --- htdocs/core/lib/product.lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/core/lib/product.lib.php b/htdocs/core/lib/product.lib.php index 686ff3af1f5..dfc57313add 100644 --- a/htdocs/core/lib/product.lib.php +++ b/htdocs/core/lib/product.lib.php @@ -107,7 +107,7 @@ function product_prepare_head($object) $prodcomb = new ProductCombination($db); - if ($prodcomb->getFkProductParentByFkProductChild($object->id) == -1) + if ($prodcomb->fetchByFkProductChild($object->id) == -1) { $head[$h][0] = DOL_URL_ROOT."/variants/combinations.php?id=".$object->id; $head[$h][1] = $langs->trans('ProductCombinations'); From 67b565df6ba5a0aa59a5302b43908827fd14712f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric?= <35066297+c3do@users.noreply.github.com> Date: Thu, 17 Sep 2020 12:34:47 +0200 Subject: [PATCH 046/151] Update card.php --- htdocs/product/card.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/product/card.php b/htdocs/product/card.php index 073136e8807..df3f21a453a 100644 --- a/htdocs/product/card.php +++ b/htdocs/product/card.php @@ -1912,9 +1912,9 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) if (!empty($conf->variants->enabled) && ($object->isProduct() || $object->isService())) { $combination = new ProductCombination($db); - if (($fk_product_parent = $combination->getFkProductParentByFkProductChild($object->id)) > 0) { + if ($combination->fetchByFkProductChild($object->id) > 0) { $prodstatic = new Product($db); - $prodstatic->fetch($fk_product_parent); + $prodstatic->fetch($combination->fk_product_parent); // Parent product print ''.$langs->trans("ParentProduct").''; From 0d20b6645d95d726d815f399396cf6bb07c21bdc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric?= <35066297+c3do@users.noreply.github.com> Date: Thu, 17 Sep 2020 12:37:20 +0200 Subject: [PATCH 047/151] Update ProductCombination.class.php --- .../class/ProductCombination.class.php | 65 ++++++------------- 1 file changed, 19 insertions(+), 46 deletions(-) diff --git a/htdocs/variants/class/ProductCombination.class.php b/htdocs/variants/class/ProductCombination.class.php index bd593b2c568..a50256226f3 100644 --- a/htdocs/variants/class/ProductCombination.class.php +++ b/htdocs/variants/class/ProductCombination.class.php @@ -234,15 +234,18 @@ class ProductCombination } /** - * Return the product id of the parent product of a variant product (Get fk_product_parent by fk_product_child) + * Retrieves information of a variant product and ID of its parent product. * - * @param int $fk_child Product row id - * @return int >0 if OK, 0 if product is not a variant, <0 if KO + * @param int $productid Product ID of variant + * @param int $donotloadpricelevel Avoid loading price impact for each level. If PRODUIT_MULTIPRICES is not set, this has no effect. + * @return int <0 if KO, 0 if product ID is not ID of a variant product (so parent not found), >0 if OK (ID of parent) */ - public function getFkProductParentByFkProductChild($fk_child) + public function fetchByFkProductChild($productid, $donotloadpricelevel = 0) { - $sql = "SELECT fk_product_parent FROM ".MAIN_DB_PREFIX."product_attribute_combination"; - $sql .= " WHERE fk_product_child = ".(int) $fk_child." AND entity IN (".getEntity('product').") LIMIT 1"; + global $conf; + + $sql = "SELECT rowid, fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight"; + $sql .= " FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE fk_product_child = ".((int) $productid)." AND entity IN (".getEntity('product').")"; $query = $this->db->query($sql); @@ -254,50 +257,20 @@ class ProductCombination return 0; } - $row = $this->db->fetch_object($query); + $result = $this->db->fetch_object($query); - return (int) $row->fk_product_parent; - } + $this->id = $result->rowid; + $this->fk_product_parent = $result->fk_product_parent; + $this->fk_product_child = $result->fk_product_child; + $this->variation_price = $result->variation_price; + $this->variation_price_percentage = $result->variation_price_percentage; + $this->variation_weight = $result->variation_weight; - /** - * Retrieves all product combinations by the child product row id - * - * @param int $fk_child Product row id - * @param int $donotloadpricelevel Avoid loading price impact for each level. If PRODUIT_MULTIPRICES is not set, this has no effect. - * @return int|ProductCombination[] <0 KO - */ - public function fetchAllByFkProductChild($fk_child, $donotloadpricelevel = 0) - { - global $conf; - - $sql = "SELECT rowid, fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight, variation_ref_ext FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE fk_product_child = ".(int) $fk_child." AND entity IN (".getEntity('product').")"; - - $query = $this->db->query($sql); - - if (!$query) { - return -1; + if (empty($donotloadpricelevel) && !empty($conf->global->PRODUIT_MULTIPRICES)) { + $this->fetchCombinationPriceLevels(); } - $return = array(); - - while ($result = $this->db->fetch_object($query)) { - $tmp = new ProductCombination($this->db); - $tmp->id = $result->rowid; - $tmp->fk_product_parent = $result->fk_product_parent; - $tmp->fk_product_child = $result->fk_product_child; - $tmp->variation_price = $result->variation_price; - $tmp->variation_price_percentage = $result->variation_price_percentage; - $tmp->variation_weight = $result->variation_weight; - $tmp->variation_ref_ext = $result->variation_ref_ext; - - if (empty($donotloadpricelevel) && !empty($conf->global->PRODUIT_MULTIPRICES)) { - $tmp->fetchCombinationPriceLevels(); - } - - $return[] = $tmp; - } - - return $return; + return (int) $this->fk_product_parent; } /** From 2b6a6e12e3aa6cebece738a12affb230ecfba2b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric?= <35066297+c3do@users.noreply.github.com> Date: Thu, 17 Sep 2020 12:43:04 +0200 Subject: [PATCH 048/151] Update api_products.class.php --- htdocs/product/class/api_products.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index 4163357c78e..28692e6a3b0 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -1844,7 +1844,7 @@ class Products extends DolibarrApi if ($includeparentid) { $prodcomb = new ProductCombination($this->db); $this->product->fk_product_parent = null; - if (($fk_product_parent = $prodcomb->getFkProductParentByFkProductChild($this->product->id)) > 0) { + if (($fk_product_parent = $prodcomb->fetchByFkProductChild($this->product->id)) > 0) { $this->product->fk_product_parent = $fk_product_parent; } } From 75b46dd535c8c5857045f4e7420e2d4f43b87e82 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric?= <35066297+c3do@users.noreply.github.com> Date: Thu, 17 Sep 2020 12:45:20 +0200 Subject: [PATCH 049/151] Update api_products.class.php --- htdocs/product/class/api_products.class.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index 28692e6a3b0..1a965ba0f8d 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -1554,7 +1554,7 @@ class Products extends DolibarrApi * @param float $price_impact Price impact of variant * @param bool $price_impact_is_percent Price impact in percent (true or false) * @param array $features List of attributes pairs id_attribute->id_value. Example: array(id_color=>id_Blue, id_size=>id_small, id_option=>id_val_a, ...) - * @param bool|string $reference Customized reference of variant + * @param string $reference Customized reference of variant * @param string $ref_ext External reference of variant * @return int * @@ -1564,7 +1564,7 @@ class Products extends DolibarrApi * * @url POST {id}/variants */ - public function addVariant($id, $weight_impact, $price_impact, $price_impact_is_percent, $features, $reference = false, $ref_ext = '') + public function addVariant($id, $weight_impact, $price_impact, $price_impact_is_percent, $features, $reference = '', $ref_ext = '') { if (!DolibarrApiAccess::$user->rights->produit->creer) { throw new RestException(401); From cbd511fbb42a9db63834db677143568c0db09ae0 Mon Sep 17 00:00:00 2001 From: ptibogxiv Date: Thu, 17 Sep 2020 16:16:35 +0200 Subject: [PATCH 050/151] Update list.php --- htdocs/product/list.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/product/list.php b/htdocs/product/list.php index a6fb86f07b8..f3aab6091ef 100644 --- a/htdocs/product/list.php +++ b/htdocs/product/list.php @@ -210,8 +210,8 @@ $arrayfields = array( 'p.stock'=>array('label'=>$langs->trans("PhysicalStock"), 'checked'=>1, 'enabled'=>(!empty($conf->stock->enabled) && $user->rights->stock->lire && $contextpage != 'service'), 'position'=>52), 'stock_virtual'=>array('label'=>$langs->trans("VirtualStock"), 'checked'=>1, 'enabled'=>(!empty($conf->stock->enabled) && $user->rights->stock->lire && $contextpage != 'service' && $virtualdiffersfromphysical), 'position'=>53), 'p.tobatch'=>array('label'=>$langs->trans("ManageLotSerial"), 'checked'=>0, 'enabled'=>(!empty($conf->productbatch->enabled)), 'position'=>60), - 'p.fk_country'=>array('label'=>$langs->trans("Country").' ('.$langs->trans("Country").')', 'checked'=>0, 'position'=>100), - 'p.fk_state'=>array('label'=>$langs->trans("State").' ('.$langs->trans("State").')', 'checked'=>0, 'position'=>101), + 'p.fk_country'=>array('label'=>$langs->trans("Country").', 'checked'=>0, 'position'=>100), + 'p.fk_state'=>array('label'=>$langs->trans("State").', 'checked'=>0, 'position'=>101), 'p.accountancy_code_sell'=>array('label'=>$langs->trans("ProductAccountancySellCode"), 'checked'=>0, 'position'=>400), 'p.accountancy_code_sell_intra'=>array('label'=>$langs->trans("ProductAccountancySellIntraCode"), 'checked'=>0, 'enabled'=>$isInEEC, 'position'=>401), 'p.accountancy_code_sell_export'=>array('label'=>$langs->trans("ProductAccountancySellExportCode"), 'checked'=>0, 'position'=>402), From 03f37f3c1f65f37214b4a3a51ef3ec9165f61206 Mon Sep 17 00:00:00 2001 From: Got2be Date: Thu, 17 Sep 2020 17:00:58 +0200 Subject: [PATCH 051/151] NEW : add hooks on stats pages --- htdocs/compta/stats/cabyprodserv.php | 3 +++ htdocs/compta/stats/casoc.php | 3 +++ htdocs/compta/stats/supplier_turnover_by_prodserv.php | 3 +++ htdocs/compta/stats/supplier_turnover_by_thirdparty.php | 3 +++ 4 files changed, 12 insertions(+) diff --git a/htdocs/compta/stats/cabyprodserv.php b/htdocs/compta/stats/cabyprodserv.php index ab2c1dcadb1..fbecc1df335 100644 --- a/htdocs/compta/stats/cabyprodserv.php +++ b/htdocs/compta/stats/cabyprodserv.php @@ -60,6 +60,9 @@ if (GETPOST('subcat', 'alpha') === 'yes') { $selected_type = GETPOST('search_type', 'int'); if ($selected_type == '') $selected_type = -1; +// Hook +$hookmanager->initHooks(array('cabyprodservlist')); + // Date range $year = GETPOST("year"); $month = GETPOST("month"); diff --git a/htdocs/compta/stats/casoc.php b/htdocs/compta/stats/casoc.php index ab71b147b50..a02d87a8392 100644 --- a/htdocs/compta/stats/casoc.php +++ b/htdocs/compta/stats/casoc.php @@ -61,6 +61,9 @@ if ($user->socid > 0) $socid = $user->socid; if (!empty($conf->comptabilite->enabled)) $result = restrictedArea($user, 'compta', '', '', 'resultat'); if (!empty($conf->accounting->enabled)) $result = restrictedArea($user, 'accounting', '', '', 'comptarapport'); +// Hook +$hookmanager->initHooks(array('casoclist')); + // Date range $year = GETPOST("year", 'int'); $month = GETPOST("month", 'int'); diff --git a/htdocs/compta/stats/supplier_turnover_by_prodserv.php b/htdocs/compta/stats/supplier_turnover_by_prodserv.php index 5911daaba45..83a3cb70a00 100644 --- a/htdocs/compta/stats/supplier_turnover_by_prodserv.php +++ b/htdocs/compta/stats/supplier_turnover_by_prodserv.php @@ -57,6 +57,9 @@ if (GETPOST('subcat', 'alpha') === 'yes') { $selected_type = GETPOST('search_type', 'int'); if ($selected_type == '') $selected_type = -1; +// Hook +$hookmanager->initHooks(array('supplierturnoverbyprodservlist')); + // Date range $year = GETPOST("year"); $month = GETPOST("month"); diff --git a/htdocs/compta/stats/supplier_turnover_by_thirdparty.php b/htdocs/compta/stats/supplier_turnover_by_thirdparty.php index 60d65049800..7a624284cdf 100644 --- a/htdocs/compta/stats/supplier_turnover_by_thirdparty.php +++ b/htdocs/compta/stats/supplier_turnover_by_thirdparty.php @@ -50,6 +50,9 @@ if (GETPOST('subcat', 'alpha') === 'yes') { $subcat = true; } +// Hook +$hookmanager->initHooks(array('supplierturnoverbythirdpartylist')); + // Security check if ($user->socid > 0) $socid = $user->socid; if (!empty($conf->comptabilite->enabled)) $result = restrictedArea($user, 'compta', '', '', 'resultat'); From 08d7973b4a8e85e9a3f5c19a2e3e7aeec512a690 Mon Sep 17 00:00:00 2001 From: ptibogxiv Date: Thu, 17 Sep 2020 22:10:22 +0200 Subject: [PATCH 052/151] Update list.php --- htdocs/product/list.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/product/list.php b/htdocs/product/list.php index f3aab6091ef..f0d1a3ef4c0 100644 --- a/htdocs/product/list.php +++ b/htdocs/product/list.php @@ -210,8 +210,8 @@ $arrayfields = array( 'p.stock'=>array('label'=>$langs->trans("PhysicalStock"), 'checked'=>1, 'enabled'=>(!empty($conf->stock->enabled) && $user->rights->stock->lire && $contextpage != 'service'), 'position'=>52), 'stock_virtual'=>array('label'=>$langs->trans("VirtualStock"), 'checked'=>1, 'enabled'=>(!empty($conf->stock->enabled) && $user->rights->stock->lire && $contextpage != 'service' && $virtualdiffersfromphysical), 'position'=>53), 'p.tobatch'=>array('label'=>$langs->trans("ManageLotSerial"), 'checked'=>0, 'enabled'=>(!empty($conf->productbatch->enabled)), 'position'=>60), - 'p.fk_country'=>array('label'=>$langs->trans("Country").', 'checked'=>0, 'position'=>100), - 'p.fk_state'=>array('label'=>$langs->trans("State").', 'checked'=>0, 'position'=>101), + 'p.fk_country'=>array('label'=>$langs->trans("Country"), 'checked'=>0, 'position'=>100), + 'p.fk_state'=>array('label'=>$langs->trans("State"), 'checked'=>0, 'position'=>101), 'p.accountancy_code_sell'=>array('label'=>$langs->trans("ProductAccountancySellCode"), 'checked'=>0, 'position'=>400), 'p.accountancy_code_sell_intra'=>array('label'=>$langs->trans("ProductAccountancySellIntraCode"), 'checked'=>0, 'enabled'=>$isInEEC, 'position'=>401), 'p.accountancy_code_sell_export'=>array('label'=>$langs->trans("ProductAccountancySellExportCode"), 'checked'=>0, 'position'=>402), From c82992714b47796824a2582a8e0beba93e6b87ce Mon Sep 17 00:00:00 2001 From: "Sekan, Tobias" Date: Fri, 18 Sep 2020 08:00:43 +0200 Subject: [PATCH 053/151] Fix wrong visibility of commercial mein menu --- htdocs/core/menus/standard/eldy.lib.php | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/htdocs/core/menus/standard/eldy.lib.php b/htdocs/core/menus/standard/eldy.lib.php index a76a4839242..b964548195d 100644 --- a/htdocs/core/menus/standard/eldy.lib.php +++ b/htdocs/core/menus/standard/eldy.lib.php @@ -223,26 +223,24 @@ function print_eldy_menu($db, $atarget, $type_user, &$tabMenu, &$menu, $noout = 'submenus' => array(), ); - // Commercial + // Commercial (propal, commande, supplier_proposal, supplier_order, contrat, ficheinter) $tmpentry = array( - 'enabled'=>(!empty($conf->propal->enabled) || + 'enabled'=>( + !empty($conf->propal->enabled) || !empty($conf->commande->enabled) || - !empty($conf->fournisseur->enabled) || !empty($conf->supplier_proposal->enabled) || !empty($conf->supplier_order->enabled) || !empty($conf->contrat->enabled) || !empty($conf->ficheinter->enabled) - ) ? 1 : 0, - 'perms'=>(!empty($user->rights->propal->lire) || + ) ? 1 : 0, + 'perms'=>( + !empty($user->rights->propal->lire) || !empty($user->rights->commande->lire) || - !empty($user->rights->fournisseur->lire) || !empty($user->rights->supplier_proposal->lire) || !empty($user->rights->supplier_order->lire) || !empty($user->rights->contrat->lire) || - !empty($user->rights->ficheinter->lire) || - !empty($user->rights->supplier_order->lire) || - !empty($user->rights->fournisseur->commande->lire) - ), + !empty($user->rights->ficheinter->lire) + ), 'module'=>'propal|commande|supplier_proposal|supplier_order|contrat|ficheinter' ); @@ -893,7 +891,7 @@ function print_left_eldy_menu($db, $menu_array_before, $menu_array_after, &$tabM } /* - * Menu COMMERCIAL + * Menu COMMERCIAL (propal, commande, supplier_proposal, supplier_order, contrat, ficheinter) */ if ($mainmenu == 'commercial') { From b879b365c318ba9e7fb3f2fe9ca05cfbdba88b2c Mon Sep 17 00:00:00 2001 From: "Sekan, Tobias" Date: Fri, 18 Sep 2020 08:30:28 +0200 Subject: [PATCH 054/151] bette code style --- htdocs/core/menus/standard/eldy.lib.php | 26 ++++++++++++------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/htdocs/core/menus/standard/eldy.lib.php b/htdocs/core/menus/standard/eldy.lib.php index b964548195d..9ad83e503b7 100644 --- a/htdocs/core/menus/standard/eldy.lib.php +++ b/htdocs/core/menus/standard/eldy.lib.php @@ -225,21 +225,19 @@ function print_eldy_menu($db, $atarget, $type_user, &$tabMenu, &$menu, $noout = // Commercial (propal, commande, supplier_proposal, supplier_order, contrat, ficheinter) $tmpentry = array( - 'enabled'=>( - !empty($conf->propal->enabled) || - !empty($conf->commande->enabled) || - !empty($conf->supplier_proposal->enabled) || - !empty($conf->supplier_order->enabled) || - !empty($conf->contrat->enabled) || - !empty($conf->ficheinter->enabled) + 'enabled'=>(!empty($conf->propal->enabled) + || !empty($conf->commande->enabled) + || !empty($conf->supplier_proposal->enabled) + || !empty($conf->supplier_order->enabled) + || !empty($conf->contrat->enabled) + || !empty($conf->ficheinter->enabled) ) ? 1 : 0, - 'perms'=>( - !empty($user->rights->propal->lire) || - !empty($user->rights->commande->lire) || - !empty($user->rights->supplier_proposal->lire) || - !empty($user->rights->supplier_order->lire) || - !empty($user->rights->contrat->lire) || - !empty($user->rights->ficheinter->lire) + 'perms'=>(!empty($user->rights->propal->lire) + || !empty($user->rights->commande->lire) + || !empty($user->rights->supplier_proposal->lire) + || !empty($user->rights->supplier_order->lire) + || !empty($user->rights->contrat->lire) + || !empty($user->rights->ficheinter->lire) ), 'module'=>'propal|commande|supplier_proposal|supplier_order|contrat|ficheinter' ); From cddec2f4dcba356b1d6fa6e38e7aadc9617ee9bc Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 18 Sep 2020 13:25:56 +0200 Subject: [PATCH 055/151] Fix XSS --- htdocs/adherents/card.php | 6 +++--- htdocs/main.inc.php | 5 +++-- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/htdocs/adherents/card.php b/htdocs/adherents/card.php index d7a05a1805e..a13367326fa 100644 --- a/htdocs/adherents/card.php +++ b/htdocs/adherents/card.php @@ -1454,7 +1454,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { // Login if (empty($conf->global->ADHERENT_LOGIN_NOT_REQUIRED)) { - print ''.$langs->trans("Login").' / '.$langs->trans("Id").''.$object->login.' '; + print ''.$langs->trans("Login").' / '.$langs->trans("Id").''.dol_escape_htmltag($object->login).''; } // Type @@ -1471,10 +1471,10 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { print ''; // Company - print ''.$langs->trans("Company").''.$object->company.''; + print ''.$langs->trans("Company").''.dol_escape_htmltag($object->company).''; // Civility - print ''.$langs->trans("UserTitle").''.$object->getCivilityLabel().' '; + print ''.$langs->trans("UserTitle").''.$object->getCivilityLabel().''; print ''; // Password diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 995327bdee2..0c73df30c75 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -87,9 +87,10 @@ function testSqlAndScriptInject($val, $type) // When it found ' Date: Fri, 18 Sep 2020 13:41:50 +0200 Subject: [PATCH 056/151] Enhance the anti injection layer --- htdocs/main.inc.php | 1 + 1 file changed, 1 insertion(+) diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 0c73df30c75..4d70c12eb71 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -107,6 +107,7 @@ function testSqlAndScriptInject($val, $type) $inj += preg_match('/:|:|:/i', $val); // refused string ':' encoded (no reason to have it encoded) to lock 'javascript:...' //if ($type == 1) //{ + $inj += preg_match('/javascript%/i', $val); $inj += preg_match('/javascript:/i', $val); $inj += preg_match('/vbscript:/i', $val); //} From 9134892c71bfea4f5b056e296cf3bbfbc684089d Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 18 Sep 2020 13:58:09 +0200 Subject: [PATCH 057/151] Fix remove useless code --- htdocs/core/lib/functions.lib.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 051f8a031ca..4a3bdb9167b 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -598,6 +598,7 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null break; case 'restricthtml': // Recommended for most html textarea $out = dol_string_onlythesehtmltags($out, 0); + // TODO We can also remove all javascripts reference break; case 'custom': if (empty($filter)) return 'BadFourthParameterForGETPOST'; @@ -5536,9 +5537,8 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1, "html", "head", "meta", "body", "article", "a", "abbr", "b", "blockquote", "br", "cite", "div", "dl", "dd", "dt", "em", "font", "img", "ins", "hr", "i", "li", "link", "ol", "p", "q", "s", "section", "span", "strike", "strong", "title", "table", "tr", "th", "td", "u", "ul", "sup", "sub", "blockquote", "pre", "h1", "h2", "h3", "h4", "h5", "h6" ); + $allowed_tags_string = join("><", $allowed_tags); - $allowed_tags_string = preg_replace('/^>/', '', $allowed_tags_string); - $allowed_tags_string = preg_replace('/<$/', '', $allowed_tags_string); $allowed_tags_string = '<'.$allowed_tags_string.'>'; if ($cleanalsosomestyles) { From 2fe9514b6bf40d58c78f5bfb3772813b1bcaef0b Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 18 Sep 2020 14:01:00 +0200 Subject: [PATCH 058/151] Doc --- htdocs/core/lib/functions.lib.php | 1 + 1 file changed, 1 insertion(+) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 4a3bdb9167b..c1c2f1d3724 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -5547,6 +5547,7 @@ function dol_string_onlythesehtmltags($stringtoclean, $cleanalsosomestyles = 1, if ($removeclassattribute) { $stringtoclean = preg_replace('/(<[^>]+)\s+class=((["\']).*?\\3|\\w*)/i', '\\1', $stringtoclean); } + // TODO Remove '/href=("|\'|)javascript/' string ? $temp = strip_tags($stringtoclean, $allowed_tags_string); From 4e56115d2dba1ef7a9a6e277b1b54b4a8aca4bbe Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 18 Sep 2020 14:35:30 +0200 Subject: [PATCH 059/151] Fix No CSRF for install module using GET --- htdocs/main.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 4d70c12eb71..d97f4814dbc 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -354,7 +354,7 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->gl || defined('CSRFCHECK_WITH_TOKEN')) // Check validity of token, only if option MAIN_SECURITY_CSRF_WITH_TOKEN enabled or if constant CSRFCHECK_WITH_TOKEN is set { // Check all cases that need a token (all POST and some GET) - if ($_SERVER['REQUEST_METHOD'] == 'POST' || (GETPOSTISSET('action') && defined('CSRFCHECK_WITH_TOKEN')) || in_array(GETPOST('action', 'aZ09'), array('add', 'update'))) + if ($_SERVER['REQUEST_METHOD'] == 'POST' || (GETPOSTISSET('action') && defined('CSRFCHECK_WITH_TOKEN')) || in_array(GETPOST('action', 'aZ09'), array('add', 'update', 'install'))) { if (!GETPOSTISSET('token')) { dol_syslog("--- Access to ".$_SERVER["PHP_SELF"]." refused by CSRFCHECK_WITH_TOKEN protection. Token not provided."); From 1c65fa0c5dddffecd9dfbac5ec1bbde727aa7cec Mon Sep 17 00:00:00 2001 From: ptibogxiv Date: Fri, 18 Sep 2020 14:48:47 +0200 Subject: [PATCH 060/151] NEW create thirdparty customer from TAKEPOS avoid to switch to backend dolibarr then return to takepos (not really ergonomic and userfriendly) --- htdocs/societe/list.php | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/htdocs/societe/list.php b/htdocs/societe/list.php index 4cb6941dc74..cf4ebf6b2df 100644 --- a/htdocs/societe/list.php +++ b/htdocs/societe/list.php @@ -613,6 +613,12 @@ if ($user->rights->societe->creer && $contextpage != 'poslist') } $newcardbutton .= dolGetButtonTitle($langs->trans($label), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/societe/card.php?action=create'.$typefilter); +} elseif ($user->rights->societe->creer && $contextpage == 'poslist') +{ + + $label = 'MenuNewCustomer'; + + $newcardbutton .= dolGetButtonTitle($langs->trans($label), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/societe/card.php?action=create&type=c&contextpage=poslist&optioncss=print&backtopage='.$_SERVER["PHP_SELF"].'?contextpage=poslist&nomassaction=1&optioncss=print&place='.urlencode($place)); } print '
'; From 56a9f5c48b180ed152bc3e20e99a8e6151384571 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 18 Sep 2020 14:49:20 +0200 Subject: [PATCH 061/151] Fix --- htdocs/core/lib/functions.lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index c279b3fb4e5..a5ab772b795 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -7709,7 +7709,7 @@ function getAdvancedPreviewUrl($modulepart, $relativepath, $alldata = 0, $param if ($alldata == 1) { - if (isAllowedForPreview) return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param?'&'.$param:''), 'mime'=>dol_mimetype($relativepath), ); + if ($isAllowedForPreview) return array('target'=>'_blank', 'css'=>'documentpreview', 'url'=>DOL_URL_ROOT.'/document.php?modulepart='.$modulepart.'&attachment=0&file='.urlencode($relativepath).($param?'&'.$param:''), 'mime'=>dol_mimetype($relativepath), ); else return array(); } From b41bfd502a901f9d249d844d2bfbd4d6e808cc70 Mon Sep 17 00:00:00 2001 From: stickler-ci Date: Fri, 18 Sep 2020 12:50:53 +0000 Subject: [PATCH 062/151] Fixing style errors. --- htdocs/societe/list.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/htdocs/societe/list.php b/htdocs/societe/list.php index cf4ebf6b2df..c7f9d7697b5 100644 --- a/htdocs/societe/list.php +++ b/htdocs/societe/list.php @@ -615,10 +615,9 @@ if ($user->rights->societe->creer && $contextpage != 'poslist') $newcardbutton .= dolGetButtonTitle($langs->trans($label), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/societe/card.php?action=create'.$typefilter); } elseif ($user->rights->societe->creer && $contextpage == 'poslist') { - $label = 'MenuNewCustomer'; - $newcardbutton .= dolGetButtonTitle($langs->trans($label), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/societe/card.php?action=create&type=c&contextpage=poslist&optioncss=print&backtopage='.$_SERVER["PHP_SELF"].'?contextpage=poslist&nomassaction=1&optioncss=print&place='.urlencode($place)); + $newcardbutton .= dolGetButtonTitle($langs->trans($label), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/societe/card.php?action=create&type=c&contextpage=poslist&optioncss=print&backtopage='.$_SERVER["PHP_SELF"].'?contextpage=poslist&nomassaction=1&optioncss=print&place='.urlencode($place)); } print ''; From 37c9afebd9d249c36660ef7d046c60c0b50fe4e1 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 18 Sep 2020 14:55:32 +0200 Subject: [PATCH 063/151] Fix regression --- htdocs/document.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/document.php b/htdocs/document.php index ccd404f7315..a55ca1fd895 100644 --- a/htdocs/document.php +++ b/htdocs/document.php @@ -160,7 +160,7 @@ $type = 'application/octet-stream'; // By default if (GETPOST('type', 'alpha')) $type=GETPOST('type', 'alpha'); else $type=dol_mimetype($original_file); // Security: Force to octet-stream if file is a dangerous file. For example when it is a .noexe file -if (!dolIsAllowedForPreview($original_file)) { +if (!in_array($type, array('text/x-javascript')) && !dolIsAllowedForPreview($original_file)) { $type = 'application/octet-stream'; } // Security: Delete string ../ into $original_file From 72d5850a5fdd93cb650790cc15917be82a7d9789 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 18 Sep 2020 15:45:26 +0200 Subject: [PATCH 064/151] Fix regression --- htdocs/core/lib/functions.lib.php | 26 -------------------------- 1 file changed, 26 deletions(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 82445d49569..98ab515a957 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -7951,32 +7951,6 @@ function dolIsAllowedForPreview($file) return 0; } -/** - * Return if a file is qualified for preview - * - * @param string $file Filename we looking for information - * @return int 1 If allowed, 0 otherwise - * @see dol_mimetype(), image_format_supported() from images.lib.php - */ -function dolIsAllowedForPreview($file) -{ - global $conf; - - // Check .noexe extension in filename - if (preg_match('/\.noexe$/i', $file)) return 0; - - // Check mime types - $mime_preview = array('bmp', 'jpeg', 'png', 'gif', 'tiff', 'pdf', 'plain', 'css', 'webp'); - if (!empty($conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES)) $mime_preview[] = 'svg+xml'; - //$mime_preview[]='vnd.oasis.opendocument.presentation'; - //$mime_preview[]='archive'; - $num_mime = array_search(dol_mimetype($file, '', 1), $mime_preview); - if ($num_mime !== false) return 1; - - // By default, not allowed for preview - return 0; -} - /** * Return mime type of a file From d75e1e577194de02d3e35925d5f58440d78daea7 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 18 Sep 2020 16:00:47 +0200 Subject: [PATCH 065/151] Fix #yogosha4525 --- htdocs/core/boxes/box_task.php | 2 +- htdocs/core/class/html.formmargin.class.php | 2 +- htdocs/core/website.inc.php | 2 +- htdocs/main.inc.php | 2 +- htdocs/takepos/index.php | 6 +++--- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/htdocs/core/boxes/box_task.php b/htdocs/core/boxes/box_task.php index 9c6020bebdc..ea049c46e71 100644 --- a/htdocs/core/boxes/box_task.php +++ b/htdocs/core/boxes/box_task.php @@ -94,7 +94,7 @@ class box_task extends ModeleBoxes if (in_array(GETPOST($cookie_name), array('all', 'im_project_contact', 'im_task_contact'))) { $filterValue = GETPOST($cookie_name); } elseif (!empty($_COOKIE[$cookie_name])) { - $filterValue = $_COOKIE[$cookie_name]; + $filterValue = preg_replace('/[^a-z_]/', '', $_COOKIE[$cookie_name]); // Clean cookie from evil data } if ($filterValue == 'im_task_contact') { diff --git a/htdocs/core/class/html.formmargin.class.php b/htdocs/core/class/html.formmargin.class.php index 5e18bb20782..7a6c3d9c13a 100644 --- a/htdocs/core/class/html.formmargin.class.php +++ b/htdocs/core/class/html.formmargin.class.php @@ -204,7 +204,7 @@ class FormMargin if (!empty($conf->global->MARGIN_ADD_SHOWHIDE_BUTTON)) // TODO Warning this feature rely on an external js file that may be removed. Using native js function document.cookie should be better { print $langs->trans('ShowMarginInfos').' : '; - $hidemargininfos = $_COOKIE['DOLUSER_MARGININFO_HIDE_SHOW']; + $hidemargininfos = preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE['DOLUSER_MARGININFO_HIDE_SHOW']); // Clean cookie print ''.img_picto($langs->trans("Disabled"), 'switch_off').''; print ''.img_picto($langs->trans("Enabled"), 'switch_on').''; diff --git a/htdocs/core/website.inc.php b/htdocs/core/website.inc.php index 31d4d45723f..9d4cc3f7797 100644 --- a/htdocs/core/website.inc.php +++ b/htdocs/core/website.inc.php @@ -68,7 +68,7 @@ if ($pageid > 0) { $websitepage->fetch($pageid); - $weblangs->setDefaultLang(GETPOSTISSET('lang') ? GETPOST('lang', 'aZ09') : (empty($_COOKIE['weblangs-shortcode']) ? 'auto' : $_COOKIE['weblangs-shortcode'])); + $weblangs->setDefaultLang(GETPOSTISSET('lang') ? GETPOST('lang', 'aZ09') : (empty($_COOKIE['weblangs-shortcode']) ? 'auto' : preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE['weblangs-shortcode']))); $pagelangs->setDefaultLang($websitepage->lang ? $websitepage->lang : $weblangs->shortlang); if (!defined('USEDOLIBARREDITOR') && (in_array($websitepage->type_container, array('menu', 'other')) || empty($websitepage->status))) diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index d97f4814dbc..3879f6c6978 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -521,7 +521,7 @@ if (!defined('NOLOGIN')) $allowedmethodtopostusername = 2; if (defined('MAIN_AUTHENTICATION_POST_METHOD')) $allowedmethodtopostusername = constant('MAIN_AUTHENTICATION_POST_METHOD'); - $usertotest = (!empty($_COOKIE['login_dolibarr']) ? $_COOKIE['login_dolibarr'] : GETPOST("username", "alpha", $allowedmethodtopostusername)); + $usertotest = (!empty($_COOKIE['login_dolibarr']) ? preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE['login_dolibarr']) : GETPOST("username", "alpha", $allowedmethodtopostusername)); $passwordtotest = GETPOST('password', 'none', $allowedmethodtopostusername); $entitytotest = (GETPOST('entity', 'int') ? GETPOST('entity', 'int') : (!empty($conf->entity) ? $conf->entity : 1)); diff --git a/htdocs/takepos/index.php b/htdocs/takepos/index.php index 29b11dbb8ad..3376023b8b6 100644 --- a/htdocs/takepos/index.php +++ b/htdocs/takepos/index.php @@ -48,7 +48,7 @@ $setterminal = GETPOST('setterminal', 'int'); if ($_SESSION["takeposterminal"] == "") { if ($conf->global->TAKEPOS_NUM_TERMINALS == "1") $_SESSION["takeposterminal"] = 1; // Use terminal 1 if there is only 1 terminal - elseif (!empty($_COOKIE["takeposterminal"])) $_SESSION["takeposterminal"] = $_COOKIE["takeposterminal"]; // Restore takeposterminal from previous session + elseif (!empty($_COOKIE["takeposterminal"])) $_SESSION["takeposterminal"] = preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE["takeposterminal"]); // Restore takeposterminal from previous session } if ($setterminal > 0) @@ -544,7 +544,7 @@ function Search2(keyCodeForEnter) { if ($('#search').val() == data[0]['barcode'] && 'thirdparty' == data[0]['object']) { console.log("There is only 1 answer with barcode matching the search, so we change the thirdparty "+data[0]['rowid']); ChangeThirdparty(data[0]['rowid']); - } + } else if ($('#search').val() == data[0]['barcode'] && 'product' == data[0]['object']) { console.log("There is only 1 answer with barcode matching the search, so we add the product in basket"); ClickProduct(0); @@ -562,7 +562,7 @@ function Search2(keyCodeForEnter) { } }); } - + } function Edit(number) { From 2d38644ae1731be664bc95d4112c9269f9bcfcef Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 18 Sep 2020 17:13:01 +0200 Subject: [PATCH 066/151] Sanitize sortfield --- htdocs/accountancy/admin/account.php | 2 +- htdocs/accountancy/admin/fiscalyear.php | 2 +- htdocs/accountancy/bookkeeping/balance.php | 2 +- htdocs/accountancy/bookkeeping/list.php | 2 +- htdocs/accountancy/bookkeeping/listbyaccount.php | 2 +- htdocs/accountancy/customer/lines.php | 2 +- htdocs/accountancy/customer/list.php | 2 +- htdocs/accountancy/expensereport/lines.php | 2 +- htdocs/accountancy/expensereport/list.php | 2 +- htdocs/accountancy/supplier/lines.php | 2 +- htdocs/accountancy/supplier/list.php | 2 +- htdocs/adherents/subscription.php | 2 +- htdocs/admin/const.php | 2 +- htdocs/admin/emailcollector_list.php | 2 +- htdocs/admin/events.php | 2 +- htdocs/admin/mails_senderprofile_list.php | 2 +- htdocs/admin/tools/dolibarr_export.php | 2 +- htdocs/admin/tools/export.php | 2 +- htdocs/admin/tools/export_files.php | 2 +- htdocs/admin/tools/listevents.php | 2 +- htdocs/admin/website.php | 2 +- htdocs/admin/website_options.php | 2 +- htdocs/asset/list.php | 2 +- htdocs/blockedlog/admin/blockedlog_list.php | 2 +- htdocs/bom/bom_list.php | 2 +- htdocs/bookmarks/list.php | 2 +- htdocs/categories/viewcat.php | 2 +- htdocs/comm/contact.php | 2 +- htdocs/comm/mailing/advtargetemailing.php | 2 +- htdocs/comm/mailing/cibles.php | 2 +- htdocs/compta/accounting-files.php | 2 +- htdocs/compta/bank/various_payment/document.php | 2 +- htdocs/compta/cashcontrol/cashcontrol_list.php | 2 +- htdocs/compta/deplacement/document.php | 2 +- htdocs/compta/paiement.php | 2 +- htdocs/compta/paiement/cheque/card.php | 2 +- htdocs/compta/paiement/tovalidate.php | 2 +- htdocs/compta/prelevement/bons.php | 2 +- htdocs/compta/prelevement/card.php | 2 +- htdocs/compta/prelevement/factures.php | 2 +- htdocs/compta/prelevement/fiche-rejet.php | 2 +- htdocs/compta/prelevement/fiche-stat.php | 2 +- htdocs/compta/prelevement/line.php | 2 +- htdocs/compta/prelevement/list.php | 2 +- htdocs/compta/prelevement/rejets.php | 2 +- htdocs/compta/recap-compta.php | 2 +- htdocs/contact/list.php | 2 +- htdocs/contrat/index.php | 2 +- htdocs/core/class/html.formfile.class.php | 2 +- htdocs/core/customreports.php | 2 +- htdocs/core/db/Database.interface.php | 8 ++++++++ htdocs/core/db/DoliDB.class.php | 11 +++++++++++ htdocs/don/document.php | 2 +- htdocs/expedition/list.php | 2 +- htdocs/expensereport/document.php | 2 +- htdocs/expensereport/list.php | 2 +- htdocs/fichinter/document.php | 2 +- htdocs/fichinter/list.php | 2 +- htdocs/fourn/product/list.php | 2 +- htdocs/holiday/define_holiday.php | 2 +- htdocs/holiday/document.php | 2 +- htdocs/holiday/list.php | 2 +- htdocs/holiday/month_report.php | 2 +- htdocs/holiday/view_log.php | 2 +- htdocs/loan/list.php | 2 +- htdocs/margin/agentMargins.php | 2 +- htdocs/margin/checkMargins.php | 2 +- htdocs/margin/customerMargins.php | 2 +- htdocs/margin/productMargins.php | 2 +- htdocs/modulebuilder/template/myobject_list.php | 2 +- htdocs/mrp/mo_list.php | 2 +- htdocs/opensurvey/list.php | 2 +- htdocs/product/inventory/list.php | 2 +- htdocs/product/stats/commande_fournisseur.php | 2 +- htdocs/product/stats/propal.php | 2 +- htdocs/product/stats/supplier_proposal.php | 2 +- htdocs/product/stock/list.php | 2 +- htdocs/product/stock/massstockmove.php | 2 +- htdocs/product/stock/productlot_list.php | 2 +- htdocs/product/stock/replenish.php | 2 +- htdocs/product/stock/stockatdate.php | 2 +- htdocs/reception/list.php | 2 +- htdocs/recruitment/recruitmentcandidature_list.php | 2 +- htdocs/recruitment/recruitmentjobposition_list.php | 2 +- htdocs/resource/document.php | 2 +- htdocs/resource/list.php | 2 +- htdocs/salaries/document.php | 2 +- htdocs/ticket/card.php | 2 +- htdocs/ticket/list.php | 2 +- htdocs/user/group/list.php | 2 +- htdocs/user/list.php | 2 +- htdocs/zapier/hook_list.php | 2 +- 92 files changed, 109 insertions(+), 90 deletions(-) diff --git a/htdocs/accountancy/admin/account.php b/htdocs/accountancy/admin/account.php index 93241901524..7ee9844ce63 100644 --- a/htdocs/accountancy/admin/account.php +++ b/htdocs/accountancy/admin/account.php @@ -54,7 +54,7 @@ if (!$user->rights->accounting->chartofaccount) accessforbidden(); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/accountancy/admin/fiscalyear.php b/htdocs/accountancy/admin/fiscalyear.php index 5728f78b791..1ddcddf13e6 100644 --- a/htdocs/accountancy/admin/fiscalyear.php +++ b/htdocs/accountancy/admin/fiscalyear.php @@ -29,7 +29,7 @@ $action = GETPOST('action', 'aZ09'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/accountancy/bookkeeping/balance.php b/htdocs/accountancy/bookkeeping/balance.php index 9079d95d670..3608622916d 100644 --- a/htdocs/accountancy/bookkeeping/balance.php +++ b/htdocs/accountancy/bookkeeping/balance.php @@ -46,7 +46,7 @@ $action = GETPOST('action', 'aZ09'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/accountancy/bookkeeping/list.php b/htdocs/accountancy/bookkeeping/list.php index 29b5c2eb7fe..cba4756fdd0 100644 --- a/htdocs/accountancy/bookkeeping/list.php +++ b/htdocs/accountancy/bookkeeping/list.php @@ -91,7 +91,7 @@ $search_not_reconciled = GETPOST('search_reconciled_option', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) { $page = 0; } diff --git a/htdocs/accountancy/bookkeeping/listbyaccount.php b/htdocs/accountancy/bookkeeping/listbyaccount.php index 6e7b9dfb54f..e0e16e00d12 100644 --- a/htdocs/accountancy/bookkeeping/listbyaccount.php +++ b/htdocs/accountancy/bookkeeping/listbyaccount.php @@ -68,7 +68,7 @@ if (GETPOST("button_delmvt_x") || GETPOST("button_delmvt.x") || GETPOST("button_ // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) { $page = 0; } diff --git a/htdocs/accountancy/customer/lines.php b/htdocs/accountancy/customer/lines.php index 2baed5d4653..5d35040f6ab 100644 --- a/htdocs/accountancy/customer/lines.php +++ b/htdocs/accountancy/customer/lines.php @@ -61,7 +61,7 @@ $search_tvaintra = GETPOST('search_tvaintra', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) $page = 0; diff --git a/htdocs/accountancy/customer/list.php b/htdocs/accountancy/customer/list.php index 79a693978d1..70ed0bf8878 100644 --- a/htdocs/accountancy/customer/list.php +++ b/htdocs/accountancy/customer/list.php @@ -69,7 +69,7 @@ $btn_ventil = GETPOST('ventil', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) { $page = 0; } diff --git a/htdocs/accountancy/expensereport/lines.php b/htdocs/accountancy/expensereport/lines.php index afb6ae13a6e..f99f1148044 100644 --- a/htdocs/accountancy/expensereport/lines.php +++ b/htdocs/accountancy/expensereport/lines.php @@ -55,7 +55,7 @@ $search_year = GETPOST("search_year", "int"); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) $page = 0; diff --git a/htdocs/accountancy/expensereport/list.php b/htdocs/accountancy/expensereport/list.php index 61e2a95fd88..b3c8b7cda3e 100644 --- a/htdocs/accountancy/expensereport/list.php +++ b/htdocs/accountancy/expensereport/list.php @@ -65,7 +65,7 @@ $search_year = GETPOST("search_year", "int"); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) { $page = 0; } diff --git a/htdocs/accountancy/supplier/lines.php b/htdocs/accountancy/supplier/lines.php index dacca2a226d..903d2188a80 100644 --- a/htdocs/accountancy/supplier/lines.php +++ b/htdocs/accountancy/supplier/lines.php @@ -62,7 +62,7 @@ $search_tvaintra = GETPOST('search_tvaintra', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) $page = 0; diff --git a/htdocs/accountancy/supplier/list.php b/htdocs/accountancy/supplier/list.php index 9b700aeac56..cabe62e6471 100644 --- a/htdocs/accountancy/supplier/list.php +++ b/htdocs/accountancy/supplier/list.php @@ -69,7 +69,7 @@ $btn_ventil = GETPOST('ventil', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) { $page = 0; } diff --git a/htdocs/adherents/subscription.php b/htdocs/adherents/subscription.php index 88924efdf93..67880c303cb 100644 --- a/htdocs/adherents/subscription.php +++ b/htdocs/adherents/subscription.php @@ -47,7 +47,7 @@ $typeid = GETPOST('typeid', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/admin/const.php b/htdocs/admin/const.php index 7c08a7d0201..5a525cbe9ad 100644 --- a/htdocs/admin/const.php +++ b/htdocs/admin/const.php @@ -46,7 +46,7 @@ $constnote = GETPOST('constnote', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/admin/emailcollector_list.php b/htdocs/admin/emailcollector_list.php index b538a64c9e9..2ed95ce91b9 100644 --- a/htdocs/admin/emailcollector_list.php +++ b/htdocs/admin/emailcollector_list.php @@ -51,7 +51,7 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/admin/events.php b/htdocs/admin/events.php index fe87c2a9ef4..931cefb2992 100644 --- a/htdocs/admin/events.php +++ b/htdocs/admin/events.php @@ -41,7 +41,7 @@ $optioncss = GETPOST('optioncss', 'aZ'); // Option for the css output (always '' // Load variable for pagination $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters diff --git a/htdocs/admin/mails_senderprofile_list.php b/htdocs/admin/mails_senderprofile_list.php index a471c0369a4..9a1a696e034 100644 --- a/htdocs/admin/mails_senderprofile_list.php +++ b/htdocs/admin/mails_senderprofile_list.php @@ -47,7 +47,7 @@ $rowid = GETPOST('rowid', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/admin/tools/dolibarr_export.php b/htdocs/admin/tools/dolibarr_export.php index b8e6dc8c15e..f1a95a48e9f 100644 --- a/htdocs/admin/tools/dolibarr_export.php +++ b/htdocs/admin/tools/dolibarr_export.php @@ -31,7 +31,7 @@ $langs->load("admin"); $action = GETPOST('action', 'aZ09'); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (!$sortorder) $sortorder = "DESC"; diff --git a/htdocs/admin/tools/export.php b/htdocs/admin/tools/export.php index 3614e412318..cbe25f0ff75 100644 --- a/htdocs/admin/tools/export.php +++ b/htdocs/admin/tools/export.php @@ -37,7 +37,7 @@ $file = GETPOST('filename_template', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/admin/tools/export_files.php b/htdocs/admin/tools/export_files.php index 45b02716524..485df8c318b 100644 --- a/htdocs/admin/tools/export_files.php +++ b/htdocs/admin/tools/export_files.php @@ -39,7 +39,7 @@ $compression = GETPOST('compression'); $file = dol_sanitizeFileName($file); $file = preg_replace('/(\.zip|\.tar|\.tgz|\.gz|\.tar\.gz|\.bz2)$/i', '', $file); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (!$sortorder) $sortorder = "DESC"; diff --git a/htdocs/admin/tools/listevents.php b/htdocs/admin/tools/listevents.php index af55fcd1f16..23cd5fb5f0a 100644 --- a/htdocs/admin/tools/listevents.php +++ b/htdocs/admin/tools/listevents.php @@ -46,7 +46,7 @@ $langs->loadLangs(array("companies", "admin", "users", "other")); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/admin/website.php b/htdocs/admin/website.php index 7c098aa1c4b..55c7993788c 100644 --- a/htdocs/admin/website.php +++ b/htdocs/admin/website.php @@ -51,7 +51,7 @@ $actl[1] = img_picto($langs->trans("Activated"), 'switch_on'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/admin/website_options.php b/htdocs/admin/website_options.php index 2bbe3e84638..1df7642b646 100644 --- a/htdocs/admin/website_options.php +++ b/htdocs/admin/website_options.php @@ -46,7 +46,7 @@ $status = 1; // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/asset/list.php b/htdocs/asset/list.php index 224caea2e58..975551968b4 100644 --- a/htdocs/asset/list.php +++ b/htdocs/asset/list.php @@ -47,7 +47,7 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/blockedlog/admin/blockedlog_list.php b/htdocs/blockedlog/admin/blockedlog_list.php index 818c84a8b5e..f70e402b667 100644 --- a/htdocs/blockedlog/admin/blockedlog_list.php +++ b/htdocs/blockedlog/admin/blockedlog_list.php @@ -56,7 +56,7 @@ if (($search_start == -1 || empty($search_start)) && !GETPOSTISSET('search_start // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/bom/bom_list.php b/htdocs/bom/bom_list.php index 5f1728ef055..121517b2544 100644 --- a/htdocs/bom/bom_list.php +++ b/htdocs/bom/bom_list.php @@ -45,7 +45,7 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/bookmarks/list.php b/htdocs/bookmarks/list.php index 3ea33b329ff..ca8e1d5c16a 100644 --- a/htdocs/bookmarks/list.php +++ b/htdocs/bookmarks/list.php @@ -42,7 +42,7 @@ $optioncss = GETPOST('optioncss', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/categories/viewcat.php b/htdocs/categories/viewcat.php index 2648a0c09f4..3a1d13d210e 100644 --- a/htdocs/categories/viewcat.php +++ b/htdocs/categories/viewcat.php @@ -53,7 +53,7 @@ $optioncss = GETPOST('optioncss', 'aZ'); // Option for the css output (always ' // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/comm/contact.php b/htdocs/comm/contact.php index 83dfd203d0c..1038afa923f 100644 --- a/htdocs/comm/contact.php +++ b/htdocs/comm/contact.php @@ -29,7 +29,7 @@ require '../main.inc.php'; // Load translation files required by the page $langs->load("companies"); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (!$sortorder) $sortorder = "ASC"; diff --git a/htdocs/comm/mailing/advtargetemailing.php b/htdocs/comm/mailing/advtargetemailing.php index fbdf3097139..29b06819e9e 100644 --- a/htdocs/comm/mailing/advtargetemailing.php +++ b/htdocs/comm/mailing/advtargetemailing.php @@ -46,7 +46,7 @@ if (!$user->rights->mailing->lire || $user->socid > 0) // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/comm/mailing/cibles.php b/htdocs/comm/mailing/cibles.php index be0518be553..813a195007b 100644 --- a/htdocs/comm/mailing/cibles.php +++ b/htdocs/comm/mailing/cibles.php @@ -41,7 +41,7 @@ if (!$user->rights->mailing->lire || $user->socid > 0) accessforbidden(); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/compta/accounting-files.php b/htdocs/compta/accounting-files.php index d73e7228b82..2a8a0358744 100644 --- a/htdocs/compta/accounting-files.php +++ b/htdocs/compta/accounting-files.php @@ -67,7 +67,7 @@ $hookmanager->initHooks(array('comptafileslist', 'globallist')); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/compta/bank/various_payment/document.php b/htdocs/compta/bank/various_payment/document.php index 267908cde41..744daa939d5 100644 --- a/htdocs/compta/bank/various_payment/document.php +++ b/htdocs/compta/bank/various_payment/document.php @@ -44,7 +44,7 @@ $result = restrictedArea($user, 'banque', '', '', ''); // Get parameters $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/compta/cashcontrol/cashcontrol_list.php b/htdocs/compta/cashcontrol/cashcontrol_list.php index ae2837a35cd..2adf3a01a83 100644 --- a/htdocs/compta/cashcontrol/cashcontrol_list.php +++ b/htdocs/compta/cashcontrol/cashcontrol_list.php @@ -63,7 +63,7 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/compta/deplacement/document.php b/htdocs/compta/deplacement/document.php index 98354e328f0..47b1709ff60 100644 --- a/htdocs/compta/deplacement/document.php +++ b/htdocs/compta/deplacement/document.php @@ -49,7 +49,7 @@ $result = restrictedArea($user, 'deplacement', $id, ''); // Get parameters $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/compta/paiement.php b/htdocs/compta/paiement.php index 2dea1b245f4..9d86cff65dd 100644 --- a/htdocs/compta/paiement.php +++ b/htdocs/compta/paiement.php @@ -47,7 +47,7 @@ $accountid = GETPOST('accountid', 'int'); $paymentnum = GETPOST('num_paiement', 'alpha'); $socid = GETPOST('socid', 'int'); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'alpha'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); diff --git a/htdocs/compta/paiement/cheque/card.php b/htdocs/compta/paiement/cheque/card.php index 1691fe3ecfc..706a08788b8 100644 --- a/htdocs/compta/paiement/cheque/card.php +++ b/htdocs/compta/paiement/cheque/card.php @@ -46,7 +46,7 @@ $fieldname = (!empty($ref) ? 'ref' : 'rowid'); if ($user->socid) $socid = $user->socid; $result = restrictedArea($user, 'cheque', $id, 'bordereau_cheque', '', 'fk_user_author', $fieldname); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (!$sortorder) $sortorder = "ASC"; diff --git a/htdocs/compta/paiement/tovalidate.php b/htdocs/compta/paiement/tovalidate.php index df0b92b5f44..00e9a0c4074 100644 --- a/htdocs/compta/paiement/tovalidate.php +++ b/htdocs/compta/paiement/tovalidate.php @@ -40,7 +40,7 @@ if ($user->socid > 0) $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/compta/prelevement/bons.php b/htdocs/compta/prelevement/bons.php index cb702174434..69d6412b235 100644 --- a/htdocs/compta/prelevement/bons.php +++ b/htdocs/compta/prelevement/bons.php @@ -41,7 +41,7 @@ $result = restrictedArea($user, 'prelevement', '', '', 'bons'); $type = GETPOST('type', 'aZ09'); $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/compta/prelevement/card.php b/htdocs/compta/prelevement/card.php index a70a464b428..1370155cb1d 100644 --- a/htdocs/compta/prelevement/card.php +++ b/htdocs/compta/prelevement/card.php @@ -45,7 +45,7 @@ $type = GETPOST('type', 'aZ09'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/compta/prelevement/factures.php b/htdocs/compta/prelevement/factures.php index 4104633e111..0b0c0eef6d4 100644 --- a/htdocs/compta/prelevement/factures.php +++ b/htdocs/compta/prelevement/factures.php @@ -45,7 +45,7 @@ $type = GETPOST('type', 'aZ09'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/compta/prelevement/fiche-rejet.php b/htdocs/compta/prelevement/fiche-rejet.php index 29d799a8554..6e601d82ecd 100644 --- a/htdocs/compta/prelevement/fiche-rejet.php +++ b/htdocs/compta/prelevement/fiche-rejet.php @@ -45,7 +45,7 @@ $type = GETPOST('type', 'aZ09'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/compta/prelevement/fiche-stat.php b/htdocs/compta/prelevement/fiche-stat.php index 3bb71f8c441..4ff81467d7c 100644 --- a/htdocs/compta/prelevement/fiche-stat.php +++ b/htdocs/compta/prelevement/fiche-stat.php @@ -43,7 +43,7 @@ $type = GETPOST('type', 'aZ09'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/compta/prelevement/line.php b/htdocs/compta/prelevement/line.php index 4120672b44e..3c8d80d4931 100644 --- a/htdocs/compta/prelevement/line.php +++ b/htdocs/compta/prelevement/line.php @@ -47,7 +47,7 @@ $type = GETPOST('type', 'aZ09'); $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; $sortorder = GETPOST('sortorder', 'aZ09comma'); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if ($page == -1 || $page == null) { $page = 0; } $offset = $limit * $page; diff --git a/htdocs/compta/prelevement/list.php b/htdocs/compta/prelevement/list.php index 1255a2b861e..6f9685ece18 100644 --- a/htdocs/compta/prelevement/list.php +++ b/htdocs/compta/prelevement/list.php @@ -50,7 +50,7 @@ $result = restrictedArea($user, 'prelevement', '', '', 'bons'); $type = GETPOST('type', 'aZ09'); $limit = GETPOST('limit', 'int')?GETPOST('limit', 'int'):$conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/compta/prelevement/rejets.php b/htdocs/compta/prelevement/rejets.php index 6c38e65981b..da2420aed3f 100644 --- a/htdocs/compta/prelevement/rejets.php +++ b/htdocs/compta/prelevement/rejets.php @@ -43,7 +43,7 @@ $type = GETPOST('type', 'aZ09'); // Get supervariables $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; $sortorder = GETPOST('sortorder', 'aZ09comma'); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/compta/recap-compta.php b/htdocs/compta/recap-compta.php index 3106235430e..63368fa94e8 100644 --- a/htdocs/compta/recap-compta.php +++ b/htdocs/compta/recap-compta.php @@ -46,7 +46,7 @@ $hookmanager->initHooks(array('recapcomptacard', 'globalcard')); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/contact/list.php b/htdocs/contact/list.php index 50f5a98fa4e..1332bc5e100 100644 --- a/htdocs/contact/list.php +++ b/htdocs/contact/list.php @@ -104,7 +104,7 @@ $type = GETPOST("type", 'aZ'); $view = GETPOST("view", 'alpha'); $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); $userid = GETPOST('userid', 'int'); diff --git a/htdocs/contrat/index.php b/htdocs/contrat/index.php index 1293da8cf26..7fe88d03c3d 100644 --- a/htdocs/contrat/index.php +++ b/htdocs/contrat/index.php @@ -37,7 +37,7 @@ $hookmanager->initHooks(array('contractindex')); // Load translation files required by the page $langs->loadLangs(array('products', 'companies', 'contracts')); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); diff --git a/htdocs/core/class/html.formfile.class.php b/htdocs/core/class/html.formfile.class.php index 360248a741e..db9f326dfdc 100644 --- a/htdocs/core/class/html.formfile.class.php +++ b/htdocs/core/class/html.formfile.class.php @@ -118,7 +118,7 @@ class FormFile $out .= ''; $out .= ''; $out .= ''; - $out .= ''; + $out .= ''; $out .= ''; } diff --git a/htdocs/core/customreports.php b/htdocs/core/customreports.php index fa30da5b10a..7deb98dbfd5 100644 --- a/htdocs/core/customreports.php +++ b/htdocs/core/customreports.php @@ -54,7 +54,7 @@ if (!defined('USE_CUSTOME_REPORT_AS_INCLUDE')) // Load variable for pagination $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; - $sortfield = GETPOST('sortfield', 'alpha'); + $sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/core/db/Database.interface.php b/htdocs/core/db/Database.interface.php index 3ba3b322e68..898421978db 100644 --- a/htdocs/core/db/Database.interface.php +++ b/htdocs/core/db/Database.interface.php @@ -177,6 +177,14 @@ interface Database */ public function escape($stringtoencode); + /** + * Sanitize a string for SQL forging + * + * @param string $stringtosanitize String to escape + * @return string String escaped + */ + public function sanitize($stringtosanitize); + // phpcs:disable PEAR.NamingConventions.ValidFunctionName.ScopeNotCamelCaps /** * Get last ID after an insert INSERT diff --git a/htdocs/core/db/DoliDB.class.php b/htdocs/core/db/DoliDB.class.php index 2ed52b2f01c..cb290a49c07 100644 --- a/htdocs/core/db/DoliDB.class.php +++ b/htdocs/core/db/DoliDB.class.php @@ -103,6 +103,17 @@ abstract class DoliDB implements Database return $this->lasterrno; } + /** + * Sanitize a string for SQL forging + * + * @param string $stringtosanitize String to escape + * @return string String escaped + */ + public function sanitize($stringtosanitize) + { + return preg_replace('/[^a-z0-9_\-\.,]/i', '', $stringtosanitize); + } + /** * Start transaction * diff --git a/htdocs/don/document.php b/htdocs/don/document.php index d0009f5fb23..9265692241d 100644 --- a/htdocs/don/document.php +++ b/htdocs/don/document.php @@ -56,7 +56,7 @@ $result = restrictedArea($user, 'don', $id, ''); // Get parameters $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/expedition/list.php b/htdocs/expedition/list.php index 615373be5f4..77796fc9bc1 100644 --- a/htdocs/expedition/list.php +++ b/htdocs/expedition/list.php @@ -76,7 +76,7 @@ $search_product_category = GETPOST('search_product_category', 'int'); $optioncss = GETPOST('optioncss', 'alpha'); $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (!$sortfield) $sortfield = "e.ref"; diff --git a/htdocs/expensereport/document.php b/htdocs/expensereport/document.php index 356165c1c2c..6814c0a5b0d 100644 --- a/htdocs/expensereport/document.php +++ b/htdocs/expensereport/document.php @@ -51,7 +51,7 @@ $result = restrictedArea($user, 'expensereport', $id, 'expensereport'); // Get parameters $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/expensereport/list.php b/htdocs/expensereport/list.php index 2ca0558f72c..ebfa8fb0628 100644 --- a/htdocs/expensereport/list.php +++ b/htdocs/expensereport/list.php @@ -74,7 +74,7 @@ $diroutputmassaction = $conf->expensereport->dir_output.'/temp/massgeneration/'. // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/fichinter/document.php b/htdocs/fichinter/document.php index 529b3086794..49988e27e78 100644 --- a/htdocs/fichinter/document.php +++ b/htdocs/fichinter/document.php @@ -53,7 +53,7 @@ $result = restrictedArea($user, 'ficheinter', $id, 'fichinter'); // Get parameters $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/fichinter/list.php b/htdocs/fichinter/list.php index 89223158445..7c48f087be5 100644 --- a/htdocs/fichinter/list.php +++ b/htdocs/fichinter/list.php @@ -65,7 +65,7 @@ $result = restrictedArea($user, 'ficheinter', $id, 'fichinter'); $diroutputmassaction = $conf->ficheinter->dir_output.'/temp/massgeneration/'.$user->id; $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/fourn/product/list.php b/htdocs/fourn/product/list.php index dde0e8a435f..e3d2b5b91d2 100644 --- a/htdocs/fourn/product/list.php +++ b/htdocs/fourn/product/list.php @@ -43,7 +43,7 @@ $optioncss = GETPOST('optioncss', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/holiday/define_holiday.php b/htdocs/holiday/define_holiday.php index 4c57f112fef..af646984045 100644 --- a/htdocs/holiday/define_holiday.php +++ b/htdocs/holiday/define_holiday.php @@ -41,7 +41,7 @@ $search_supervisor = GETPOST('search_supervisor', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/holiday/document.php b/htdocs/holiday/document.php index 9fd7f7b45b8..bdd791e80f1 100644 --- a/htdocs/holiday/document.php +++ b/htdocs/holiday/document.php @@ -50,7 +50,7 @@ $result = restrictedArea($user, 'holiday', $id, 'holiday'); // Get parameters $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php index 50de7121833..100507f0610 100644 --- a/htdocs/holiday/list.php +++ b/htdocs/holiday/list.php @@ -83,7 +83,7 @@ $diroutputmassaction = $conf->holiday->dir_output.'/temp/massgeneration/'.$user- // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/holiday/month_report.php b/htdocs/holiday/month_report.php index b6da0427464..baf444ce295 100644 --- a/htdocs/holiday/month_report.php +++ b/htdocs/holiday/month_report.php @@ -51,7 +51,7 @@ $optioncss = GETPOST('optioncss', 'aZ'); $search_ref = GETPOST('search_ref', 'alpha'); $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'alpha'); if (! $sortfield) $sortfield = "cp.rowid"; diff --git a/htdocs/holiday/view_log.php b/htdocs/holiday/view_log.php index 2d4b41826a6..4ff8238648c 100644 --- a/htdocs/holiday/view_log.php +++ b/htdocs/holiday/view_log.php @@ -51,7 +51,7 @@ if (empty($year)) // Load variable for pagination $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/loan/list.php b/htdocs/loan/list.php index ec5031a7079..168e603099e 100644 --- a/htdocs/loan/list.php +++ b/htdocs/loan/list.php @@ -36,7 +36,7 @@ if ($user->socid) $socid = $user->socid; $result = restrictedArea($user, 'loan', '', '', ''); $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/margin/agentMargins.php b/htdocs/margin/agentMargins.php index 7cad5068d93..7e15b94aede 100644 --- a/htdocs/margin/agentMargins.php +++ b/htdocs/margin/agentMargins.php @@ -36,7 +36,7 @@ $mesg = ''; // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/margin/checkMargins.php b/htdocs/margin/checkMargins.php index 62f110677be..60052294baa 100644 --- a/htdocs/margin/checkMargins.php +++ b/htdocs/margin/checkMargins.php @@ -41,7 +41,7 @@ $optioncss = GETPOST('optioncss', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/margin/customerMargins.php b/htdocs/margin/customerMargins.php index 185f8df13f4..a566c7bd620 100644 --- a/htdocs/margin/customerMargins.php +++ b/htdocs/margin/customerMargins.php @@ -45,7 +45,7 @@ $mesg = ''; // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/margin/productMargins.php b/htdocs/margin/productMargins.php index ca9f2b6f96d..e390be68068 100644 --- a/htdocs/margin/productMargins.php +++ b/htdocs/margin/productMargins.php @@ -49,7 +49,7 @@ $mesg = ''; // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/modulebuilder/template/myobject_list.php b/htdocs/modulebuilder/template/myobject_list.php index 86c0e456e14..50307c91161 100644 --- a/htdocs/modulebuilder/template/myobject_list.php +++ b/htdocs/modulebuilder/template/myobject_list.php @@ -84,7 +84,7 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters diff --git a/htdocs/mrp/mo_list.php b/htdocs/mrp/mo_list.php index 5b77e3b1b87..b9da34958d4 100644 --- a/htdocs/mrp/mo_list.php +++ b/htdocs/mrp/mo_list.php @@ -51,7 +51,7 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/opensurvey/list.php b/htdocs/opensurvey/list.php index e9ff7f72a84..f17a4615eef 100644 --- a/htdocs/opensurvey/list.php +++ b/htdocs/opensurvey/list.php @@ -47,7 +47,7 @@ $search_status = GETPOST('search_status', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/product/inventory/list.php b/htdocs/product/inventory/list.php index f8aa47d79e8..09947e80ac7 100644 --- a/htdocs/product/inventory/list.php +++ b/htdocs/product/inventory/list.php @@ -45,7 +45,7 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/product/stats/commande_fournisseur.php b/htdocs/product/stats/commande_fournisseur.php index c2133e12a53..162a108029e 100644 --- a/htdocs/product/stats/commande_fournisseur.php +++ b/htdocs/product/stats/commande_fournisseur.php @@ -50,7 +50,7 @@ $mesg = ''; // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/product/stats/propal.php b/htdocs/product/stats/propal.php index 5dac77e8193..6766864b042 100644 --- a/htdocs/product/stats/propal.php +++ b/htdocs/product/stats/propal.php @@ -50,7 +50,7 @@ $mesg = ''; // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/product/stats/supplier_proposal.php b/htdocs/product/stats/supplier_proposal.php index 1745a232799..f4d2a5d4644 100644 --- a/htdocs/product/stats/supplier_proposal.php +++ b/htdocs/product/stats/supplier_proposal.php @@ -50,7 +50,7 @@ $mesg = ''; // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/product/stock/list.php b/htdocs/product/stock/list.php index 478b07b3d91..b0f593f82d9 100644 --- a/htdocs/product/stock/list.php +++ b/htdocs/product/stock/list.php @@ -59,7 +59,7 @@ if (!empty($conf->categorie->enabled)) // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/product/stock/massstockmove.php b/htdocs/product/stock/massstockmove.php index 168166ac487..86458966b34 100644 --- a/htdocs/product/stock/massstockmove.php +++ b/htdocs/product/stock/massstockmove.php @@ -53,7 +53,7 @@ $batch = GETPOST('batch'); $qty = GETPOST('qty'); $idline = GETPOST('idline'); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/product/stock/productlot_list.php b/htdocs/product/stock/productlot_list.php index e1b7469ef53..33d49c0c5e5 100644 --- a/htdocs/product/stock/productlot_list.php +++ b/htdocs/product/stock/productlot_list.php @@ -51,7 +51,7 @@ $search_import_key = GETPOST('search_import_key', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/product/stock/replenish.php b/htdocs/product/stock/replenish.php index e418f8b519b..08fb9d6a1f0 100644 --- a/htdocs/product/stock/replenish.php +++ b/htdocs/product/stock/replenish.php @@ -65,7 +65,7 @@ $fk_supplier = GETPOST('fk_supplier', 'int'); $fk_entrepot = GETPOST('fk_entrepot', 'int'); $texte = ''; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/product/stock/stockatdate.php b/htdocs/product/stock/stockatdate.php index 59d85de6b6a..075790ef82c 100644 --- a/htdocs/product/stock/stockatdate.php +++ b/htdocs/product/stock/stockatdate.php @@ -64,7 +64,7 @@ $now = dol_now(); $productid = GETPOST('productid', 'int'); $fk_warehouse = GETPOST('fk_warehouse', 'int'); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/reception/list.php b/htdocs/reception/list.php index a92c72a4b51..891a5630c7f 100644 --- a/htdocs/reception/list.php +++ b/htdocs/reception/list.php @@ -61,7 +61,7 @@ $sall = GETPOST('sall', 'alphanohtml'); $optioncss = GETPOST('optioncss', 'alpha'); $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (!$sortfield) $sortfield = "e.ref"; diff --git a/htdocs/recruitment/recruitmentcandidature_list.php b/htdocs/recruitment/recruitmentcandidature_list.php index f3ee50665e0..1db036f6878 100644 --- a/htdocs/recruitment/recruitmentcandidature_list.php +++ b/htdocs/recruitment/recruitmentcandidature_list.php @@ -83,7 +83,7 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters diff --git a/htdocs/recruitment/recruitmentjobposition_list.php b/htdocs/recruitment/recruitmentjobposition_list.php index a0194feb647..24c98a3fbb9 100644 --- a/htdocs/recruitment/recruitmentjobposition_list.php +++ b/htdocs/recruitment/recruitmentjobposition_list.php @@ -83,7 +83,7 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters diff --git a/htdocs/resource/document.php b/htdocs/resource/document.php index fa7fb07dbb0..0e1e6ba5cc1 100644 --- a/htdocs/resource/document.php +++ b/htdocs/resource/document.php @@ -50,7 +50,7 @@ $result = restrictedArea($user, 'resource', $id, 'resource'); // Get parameters $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/resource/list.php b/htdocs/resource/list.php index 4dca64b47a6..e2d10ffceef 100644 --- a/htdocs/resource/list.php +++ b/htdocs/resource/list.php @@ -39,7 +39,7 @@ $element_id = GETPOST('element_id', 'int'); $resource_id = GETPOST('resource_id', 'int'); $sortorder = GETPOST('sortorder', 'alpha'); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); // Initialize context for list $contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'resourcelist'; diff --git a/htdocs/salaries/document.php b/htdocs/salaries/document.php index 06d572012bb..403a5b3af3b 100644 --- a/htdocs/salaries/document.php +++ b/htdocs/salaries/document.php @@ -51,7 +51,7 @@ $result = restrictedArea($user, 'salaries', '', '', ''); // Get parameters $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/ticket/card.php b/htdocs/ticket/card.php index 20d10ef72cc..03e9fe52781 100644 --- a/htdocs/ticket/card.php +++ b/htdocs/ticket/card.php @@ -55,7 +55,7 @@ $action = GETPOST('action', 'aZ09'); $notifyTiers = GETPOST("notify_tiers_at_create", 'alpha'); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); if (GETPOST('actioncode', 'array')) { diff --git a/htdocs/ticket/list.php b/htdocs/ticket/list.php index fe36e8bced0..9fc1357f817 100644 --- a/htdocs/ticket/list.php +++ b/htdocs/ticket/list.php @@ -61,7 +61,7 @@ $mode = GETPOST('mode', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters diff --git a/htdocs/user/group/list.php b/htdocs/user/group/list.php index 336fbc19727..0b6cdf23d47 100644 --- a/htdocs/user/group/list.php +++ b/htdocs/user/group/list.php @@ -57,7 +57,7 @@ if (!empty($conf->global->MAIN_USE_ADVANCED_PERMS)) // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } diff --git a/htdocs/user/list.php b/htdocs/user/list.php index 81fbf006f28..991ccdf20c2 100644 --- a/htdocs/user/list.php +++ b/htdocs/user/list.php @@ -51,7 +51,7 @@ $mode = GETPOST("mode", 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } diff --git a/htdocs/zapier/hook_list.php b/htdocs/zapier/hook_list.php index ab69c576445..ac90713f13c 100644 --- a/htdocs/zapier/hook_list.php +++ b/htdocs/zapier/hook_list.php @@ -49,7 +49,7 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { From 4e2aff2cdc4e84c7b06ec3f11cf856585a17c97d Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 18 Sep 2020 17:24:31 +0200 Subject: [PATCH 067/151] Fix sql injection when forging requests with IN --- htdocs/comm/mailing/class/advtargetemailing.class.php | 6 +++--- htdocs/comm/propal/list.php | 6 +++--- htdocs/compta/bank/annuel.php | 6 +++--- htdocs/compta/facture/list.php | 8 ++++---- htdocs/core/lib/functions.lib.php | 2 +- htdocs/don/list.php | 2 +- htdocs/expensereport/list.php | 2 +- htdocs/fourn/card.php | 4 ++-- htdocs/fourn/commande/list.php | 8 ++++---- htdocs/fourn/commande/orderstoinvoice.php | 4 ++-- htdocs/holiday/class/holiday.class.php | 2 +- htdocs/product/class/html.formproduct.class.php | 2 +- htdocs/product/class/product.class.php | 2 +- htdocs/product/stock/stockatdate.php | 4 ++-- htdocs/societe/list.php | 4 ++-- htdocs/user/list.php | 6 +++--- 16 files changed, 34 insertions(+), 34 deletions(-) diff --git a/htdocs/comm/mailing/class/advtargetemailing.class.php b/htdocs/comm/mailing/class/advtargetemailing.class.php index 983ad374980..bbceba682c0 100644 --- a/htdocs/comm/mailing/class/advtargetemailing.class.php +++ b/htdocs/comm/mailing/class/advtargetemailing.class.php @@ -664,13 +664,13 @@ class AdvanceTargetingMailing extends CommonObject $sqlwhere[] = $this->transformToSQL('t.firstname', $arrayquery['contact_firstname']); } if (!empty($arrayquery['contact_country']) && count($arrayquery['contact_country'])) { - $sqlwhere[] = " (t.fk_pays IN (".$this->db->escape(implode(',', $arrayquery['contact_country']))."))"; + $sqlwhere[] = " (t.fk_pays IN (".$this->db->sanitize($this->db->escape(implode(',', $arrayquery['contact_country'])))."))"; } if (!empty($arrayquery['contact_status']) && count($arrayquery['contact_status']) > 0) { - $sqlwhere[] = " (t.statut IN (".$this->db->escape(implode(',', $arrayquery['contact_status']))."))"; + $sqlwhere[] = " (t.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $arrayquery['contact_status'])))."))"; } if (!empty($arrayquery['contact_civility']) && count($arrayquery['contact_civility']) > 0) { - $sqlwhere[] = " (t.civility IN ('".$this->db->escape(implode("','", $arrayquery['contact_civility']))."'))"; + $sqlwhere[] = " (t.civility IN ('".$this->db->sanitize($this->db->escape(implode("','", $arrayquery['contact_civility'])))."'))"; } if ($arrayquery['contact_no_email'] != '') { $tmpwhere = ''; diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php index 47fe4a1b41c..e3064f6adf6 100644 --- a/htdocs/comm/propal/list.php +++ b/htdocs/comm/propal/list.php @@ -333,13 +333,13 @@ if (!$user->rights->societe->client->voir && !$socid) //restriction if ($search_town) $sql .= natural_search('s.town', $search_town); if ($search_zip) $sql .= natural_search("s.zip", $search_zip); if ($search_state) $sql .= natural_search("state.nom", $search_state); -if ($search_country) $sql .= " AND s.fk_pays IN (".$db->escape($search_country).')'; -if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->escape($search_type_thirdparty).')'; +if ($search_country) $sql .= " AND s.fk_pays IN (".$db->sanitize($db->escape($search_country)).')'; +if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->sanitize($db->escape($search_type_thirdparty)).')'; if ($search_ref) $sql .= natural_search('p.ref', $search_ref); if ($search_refcustomer) $sql .= natural_search('p.ref_client', $search_refcustomer); if ($search_refproject) $sql .= natural_search('pr.ref', $search_refproject); if ($search_project) $sql .= natural_search('pr.title', $search_project); -if ($search_availability) $sql .= " AND p.fk_availability IN (".$db->escape($search_availability).')'; +if ($search_availability) $sql .= " AND p.fk_availability IN (".$db->sanitize($db->escape($search_availability)).')'; if ($search_societe) $sql .= natural_search('s.nom', $search_societe); if ($search_login) $sql .= natural_search("u.login", $search_login); diff --git a/htdocs/compta/bank/annuel.php b/htdocs/compta/bank/annuel.php index 72a7e33d3f2..cd82da0e1bd 100644 --- a/htdocs/compta/bank/annuel.php +++ b/htdocs/compta/bank/annuel.php @@ -91,7 +91,7 @@ $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; $sql .= " AND b.amount >= 0"; if (!empty($id)) - $sql .= " AND b.fk_account IN (".$db->escape($id).")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($db->escape($id)).")"; $sql .= " GROUP BY dm"; $resql = $db->query($sql); @@ -117,7 +117,7 @@ $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; $sql .= " AND b.amount <= 0"; if (!empty($id)) - $sql .= " AND b.fk_account IN (".$db->escape($id).")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($db->escape($id)).")"; $sql .= " GROUP BY dm"; $resql = $db->query($sql); @@ -240,7 +240,7 @@ $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; if (!empty($id)) - $sql .= " AND b.fk_account IN (".$db->escape($id).")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($db->escape($id)).")"; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/compta/facture/list.php b/htdocs/compta/facture/list.php index 3aed9acafe9..6df16367015 100644 --- a/htdocs/compta/facture/list.php +++ b/htdocs/compta/facture/list.php @@ -478,15 +478,15 @@ if ($filtre) } if ($search_ref) $sql .= natural_search('f.ref', $search_ref); if ($search_refcustomer) $sql .= natural_search('f.ref_client', $search_refcustomer); -if ($search_type != '' && $search_type != '-1') $sql .= " AND f.type IN (".$db->escape($search_type).")"; +if ($search_type != '' && $search_type != '-1') $sql .= " AND f.type IN (".$db->sanitize($db->escape($search_type)).")"; if ($search_project_ref) $sql .= natural_search('p.ref', $search_project_ref); if ($search_project) $sql .= natural_search('p.title', $search_project); if ($search_societe) $sql .= natural_search('s.nom', $search_societe); if ($search_town) $sql .= natural_search('s.town', $search_town); if ($search_zip) $sql .= natural_search("s.zip", $search_zip); if ($search_state) $sql .= natural_search("state.nom", $search_state); -if ($search_country) $sql .= " AND s.fk_pays IN (".$db->escape($search_country).')'; -if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->escape($search_type_thirdparty).')'; +if ($search_country) $sql .= " AND s.fk_pays IN (".$db->sanitize($db->escape($search_country)).')'; +if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->sanitize($db->escape($search_type_thirdparty)).')'; if ($search_company) $sql .= natural_search('s.nom', $search_company); if ($search_montant_ht != '') $sql .= natural_search('f.total', $search_montant_ht, 1); if ($search_montant_vat != '') $sql .= natural_search('f.tva', $search_montant_vat, 1); @@ -510,7 +510,7 @@ if ($search_status != '-1' && $search_status != '') if ($search_status == '2') $sql .= " AND f.fk_statut = 2"; // payed Not that some corrupted data may contains f.fk_statut = 1 AND f.paye = 1 (it means payed too but should not happend. If yes, reopen and reclassify billed) if ($search_status == '3') $sql .= " AND f.fk_statut = 3"; // abandonned } else { - $sql .= " AND f.fk_statut IN (".$db->escape($search_status).")"; // When search_status is '1,2' for example + $sql .= " AND f.fk_statut IN (".$db->sanitize($db->escape($search_status)).")"; // When search_status is '1,2' for example } } diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 98ab515a957..a457aa5af17 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -95,7 +95,7 @@ function getEntity($element, $shared = 1, $currentobject = null) $out = ''; $addzero = array('user', 'usergroup', 'c_email_templates', 'email_template', 'default_values'); if (in_array($element, $addzero)) $out .= '0,'; - $out .= $conf->entity; + $out .= ((int) $conf->entity); return $out; } } diff --git a/htdocs/don/list.php b/htdocs/don/list.php index cc12daabb6c..c98f2f8a000 100644 --- a/htdocs/don/list.php +++ b/htdocs/don/list.php @@ -96,7 +96,7 @@ $sql .= " FROM ".MAIN_DB_PREFIX."don as d LEFT JOIN ".MAIN_DB_PREFIX."projet AS $sql .= " ON p.rowid = d.fk_projet WHERE d.entity IN (".getEntity('donation').")"; if ($search_status != '' && $search_status != '-4') { - $sql .= " AND d.fk_statut IN (".$db->escape($search_status).")"; + $sql .= " AND d.fk_statut IN (".$db->sanitize($db->escape($search_status)).")"; } if (trim($search_ref) != '') { diff --git a/htdocs/expensereport/list.php b/htdocs/expensereport/list.php index ebfa8fb0628..dd8c49aae28 100644 --- a/htdocs/expensereport/list.php +++ b/htdocs/expensereport/list.php @@ -302,7 +302,7 @@ if ($search_amount_ttc != '') $sql .= natural_search('d.total_ttc', $search_amou // User if ($search_user != '' && $search_user >= 0) $sql .= " AND u.rowid = '".$db->escape($search_user)."'"; // Status -if ($search_status != '' && $search_status >= 0) $sql .= " AND d.fk_statut IN (".$db->escape($search_status).")"; +if ($search_status != '' && $search_status >= 0) $sql .= " AND d.fk_statut IN (".$db->sanitize($db->escape($search_status)).")"; // RESTRICT RIGHTS if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous) && (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || empty($user->rights->expensereport->writeall_advance))) diff --git a/htdocs/fourn/card.php b/htdocs/fourn/card.php index 7b521918fc8..5023faab929 100644 --- a/htdocs/fourn/card.php +++ b/htdocs/fourn/card.php @@ -595,10 +595,10 @@ if ($object->id > 0) // Show orders we can bill if (empty($conf->global->SUPPLIER_ORDER_TO_INVOICE_STATUS)) { - $sql2 .= " AND c.fk_statut IN (".CommandeFournisseur::STATUS_RECEIVED_COMPLETELY.")"; // Must match filter in htdocs/fourn/orderstoinvoice.php + $sql2 .= " AND c.fk_statut IN (".$db->sanitize(CommandeFournisseur::STATUS_RECEIVED_COMPLETELY)).")"; // Must match filter in htdocs/fourn/orderstoinvoice.php } else { // CommandeFournisseur::STATUS_ORDERSENT.", ".CommandeFournisseur::STATUS_RECEIVED_PARTIALLY.", ".CommandeFournisseur::STATUS_RECEIVED_COMPLETELY - $sql2 .= " AND c.fk_statut IN (".$db->escape($conf->global->SUPPLIER_ORDER_TO_INVOICE_STATUS).")"; + $sql2 .= " AND c.fk_statut IN (".$db->sanitize($db->escape($conf->global->SUPPLIER_ORDER_TO_INVOICE_STATUS)).")"; } $sql2 .= " AND c.billed = 0"; // Find order that are not already invoiced diff --git a/htdocs/fourn/commande/list.php b/htdocs/fourn/commande/list.php index ea2e44b775d..23da4aecedd 100644 --- a/htdocs/fourn/commande/list.php +++ b/htdocs/fourn/commande/list.php @@ -535,16 +535,16 @@ if ($search_billed != '' && $search_billed >= 0) $sql .= " AND cf.billed = ".$db if ($search_product_category > 0) $sql .= " AND cp.fk_categorie = ".$search_product_category; //Required triple check because statut=0 means draft filter if (GETPOST('statut', 'intcomma') !== '') - $sql .= " AND cf.fk_statut IN (".$db->escape($db->escape(GETPOST('statut', 'intcomma'))).")"; + $sql .= " AND cf.fk_statut IN (".$db->sanitize($db->escape(GETPOST('statut', 'intcomma'))).")"; if ($search_status != '' && $search_status >= 0) - $sql .= " AND cf.fk_statut IN (".$db->escape($search_status).")"; + $sql .= " AND cf.fk_statut IN (".$db->sanitize($db->escape($search_status)).")"; $sql .= dolSqlDateFilter("cf.date_commande", $search_orderday, $search_ordermonth, $search_orderyear); $sql .= dolSqlDateFilter("cf.date_livraison", $search_deliveryday, $search_deliverymonth, $search_deliveryyear); if ($search_town) $sql .= natural_search('s.town', $search_town); if ($search_zip) $sql .= natural_search("s.zip", $search_zip); if ($search_state) $sql .= natural_search("state.nom", $search_state); -if ($search_country) $sql .= " AND s.fk_pays IN (".$db->escape($search_country).')'; -if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->escape($search_type_thirdparty).')'; +if ($search_country) $sql .= " AND s.fk_pays IN (".$db->sanitize($db->escape($search_country)).')'; +if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->sanitize($db->escape($search_type_thirdparty)).')'; if ($search_company) $sql .= natural_search('s.nom', $search_company); if ($search_sale > 0) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$db->escape($search_sale); if ($search_user > 0) $sql .= " AND ec.fk_c_type_contact = tc.rowid AND tc.element='supplier_order' AND tc.source='internal' AND ec.element_id = cf.rowid AND ec.fk_socpeople = ".$db->escape($search_user); diff --git a/htdocs/fourn/commande/orderstoinvoice.php b/htdocs/fourn/commande/orderstoinvoice.php index 3c8e5708972..83dd50a32e0 100644 --- a/htdocs/fourn/commande/orderstoinvoice.php +++ b/htdocs/fourn/commande/orderstoinvoice.php @@ -445,10 +445,10 @@ if (($action != 'create' && $action != 'add') && !$error) { // Show orders we can bill if (empty($conf->global->SUPPLIER_ORDER_TO_INVOICE_STATUS)) { - $sql .= " AND c.fk_statut IN (".CommandeFournisseur::STATUS_RECEIVED_COMPLETELY.")"; // Must match filter in htdocs/fourn/card.php + $sql .= " AND c.fk_statut IN (".$db->sanitize($db->escape(CommandeFournisseur::STATUS_RECEIVED_COMPLETELY)).")"; // Must match filter in htdocs/fourn/card.php } else { // CommandeFournisseur::STATUS_ORDERSENT.", ".CommandeFournisseur::STATUS_RECEIVED_PARTIALLY.", ".CommandeFournisseur::STATUS_RECEIVED_COMPLETELY - $sql .= " AND c.fk_statut IN (".$db->escape($conf->global->SUPPLIER_ORDER_TO_INVOICE_STATUS).")"; + $sql .= " AND c.fk_statut IN (".$db->sanitize($db->escape($conf->global->SUPPLIER_ORDER_TO_INVOICE_STATUS)).")"; } $sql .= " AND c.billed = 0"; diff --git a/htdocs/holiday/class/holiday.class.php b/htdocs/holiday/class/holiday.class.php index d2aa54664cc..9d0e71a7b57 100644 --- a/htdocs/holiday/class/holiday.class.php +++ b/htdocs/holiday/class/holiday.class.php @@ -1122,7 +1122,7 @@ class Holiday extends CommonObject $sql .= " WHERE cp.entity IN (".getEntity('holiday').")"; $sql .= " AND cp.fk_user = ".(int) $fk_user; $sql .= " AND cp.date_debut <= '".$this->db->idate($timestamp)."' AND cp.date_fin >= '".$this->db->idate($timestamp)."'"; - if ($status != '-1') $sql .= " AND cp.statut IN (".$this->db->escape($status).")"; + if ($status != '-1') $sql .= " AND cp.statut IN (".$this->db->sanitize($this->db->escape($status)).")"; $resql = $this->db->query($sql); if ($resql) diff --git a/htdocs/product/class/html.formproduct.class.php b/htdocs/product/class/html.formproduct.class.php index 2a2228422d9..4e1a45a4c59 100644 --- a/htdocs/product/class/html.formproduct.class.php +++ b/htdocs/product/class/html.formproduct.class.php @@ -121,7 +121,7 @@ class FormProduct $sql .= " WHERE e.entity IN (".getEntity('stock').")"; if (count($warehouseStatus)) { - $sql .= " AND e.statut IN (".$this->db->escape(implode(',', $warehouseStatus)).")"; + $sql .= " AND e.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")"; } else { $sql .= " AND e.statut = 1"; } diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php index 9ba528d3b3d..15572e1ae73 100644 --- a/htdocs/product/class/product.class.php +++ b/htdocs/product/class/product.class.php @@ -4698,7 +4698,7 @@ class Product extends CommonObject $sql .= " AND w.rowid = ps.fk_entrepot"; $sql .= " AND ps.fk_product = ".$this->id; if ($conf->global->ENTREPOT_EXTRA_STATUS && count($warehouseStatus)) { - $sql .= " AND w.statut IN (".$this->db->escape(implode(',', $warehouseStatus)).")"; + $sql .= " AND w.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")"; } dol_syslog(get_class($this)."::load_stock", LOG_DEBUG); diff --git a/htdocs/product/stock/stockatdate.php b/htdocs/product/stock/stockatdate.php index 075790ef82c..b4ae04d6ae3 100644 --- a/htdocs/product/stock/stockatdate.php +++ b/htdocs/product/stock/stockatdate.php @@ -124,7 +124,7 @@ if ($date && $dateIsValid) { // Avoid heavy sql if mandatory date is not defined $sql .= " WHERE w.entity IN (".getEntity('stock').")"; $sql .= " AND w.rowid = ps.fk_entrepot"; if (! empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) { - $sql .= " AND w.statut IN (".$this->db->escape(implode(',', $warehouseStatus)).")"; + $sql .= " AND w.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")"; } if ($productid > 0) { $sql .= " AND ps.fk_product = ".$productid; @@ -175,7 +175,7 @@ if ($date && $dateIsValid) { $sql .= " WHERE w.entity IN (".getEntity('stock').")"; $sql .= " AND w.rowid = sm.fk_entrepot"; if (! empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) { - $sql .= " AND w.statut IN (".$this->db->escape(implode(',', $warehouseStatus)).")"; + $sql .= " AND w.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")"; } if ($mode == 'future') { $sql .= " AND sm.datem <= '".$db->idate($dateendofday)."'"; diff --git a/htdocs/societe/list.php b/htdocs/societe/list.php index 4cb6941dc74..92a9517f08a 100644 --- a/htdocs/societe/list.php +++ b/htdocs/societe/list.php @@ -457,7 +457,7 @@ if ($search_town) $sql .= natural_search("s.town", $search_town); if (strlen($search_zip)) $sql .= natural_search("s.zip", $search_zip); if ($search_state) $sql .= natural_search("state.nom", $search_state); if ($search_region) $sql .= natural_search("region.nom", $search_region); -if ($search_country && $search_country != '-1') $sql .= " AND s.fk_pays IN (".$db->escape($search_country).')'; +if ($search_country && $search_country != '-1') $sql .= " AND s.fk_pays IN (".$db->sanitize($db->escape($search_country)).')'; if ($search_email) $sql .= natural_search("s.email", $search_email); if (strlen($search_phone)) $sql .= natural_search("s.phone", $search_phone); if (strlen($search_fax)) $sql .= natural_search("s.fax", $search_fax); @@ -470,7 +470,7 @@ if (strlen($search_idprof5)) $sql .= natural_search("s.idprof5", $search_idprof5 if (strlen($search_idprof6)) $sql .= natural_search("s.idprof6", $search_idprof6); if (strlen($search_vat)) $sql .= natural_search("s.tva_intra", $search_vat); // Filter on type of thirdparty -if ($search_type > 0 && in_array($search_type, array('1,3', '2,3'))) $sql .= " AND s.client IN (".$db->escape($search_type).")"; +if ($search_type > 0 && in_array($search_type, array('1,3', '2,3'))) $sql .= " AND s.client IN (".$db->sanitize($db->escape($search_type)).")"; if ($search_type > 0 && in_array($search_type, array('4'))) $sql .= " AND s.fournisseur = 1"; if ($search_type == '0') $sql .= " AND s.client = 0 AND s.fournisseur = 0"; if ($search_status != '' && $search_status >= 0) $sql .= natural_search("s.status", $search_status, 2); diff --git a/htdocs/user/list.php b/htdocs/user/list.php index 991ccdf20c2..9554ef1563a 100644 --- a/htdocs/user/list.php +++ b/htdocs/user/list.php @@ -224,7 +224,7 @@ if ($reshook > 0) { } if ($socid > 0) $sql .= " AND u.fk_soc = ".$socid; //if ($search_user != '') $sql.=natural_search(array('u.login', 'u.lastname', 'u.firstname'), $search_user); -if ($search_supervisor > 0) $sql .= " AND u.fk_user IN (".$db->escape($search_supervisor).")"; +if ($search_supervisor > 0) $sql .= " AND u.fk_user IN (".$db->sanitize($db->escape($search_supervisor)).")"; if ($search_thirdparty != '') $sql .= natural_search(array('s.nom'), $search_thirdparty); if ($search_login != '') $sql .= natural_search("u.login", $search_login); if ($search_lastname != '') $sql .= natural_search("u.lastname", $search_lastname); @@ -236,9 +236,9 @@ if (is_numeric($search_employee) && $search_employee >= 0) { if ($search_accountancy_code != '') $sql .= natural_search("u.accountancy_code", $search_accountancy_code); if ($search_email != '') $sql .= natural_search("u.email", $search_email); if ($search_api_key != '') $sql .= natural_search("u.api_key", $search_api_key); -if ($search_statut != '' && $search_statut >= 0) $sql .= " AND u.statut IN (".$db->escape($search_statut).")"; +if ($search_statut != '' && $search_statut >= 0) $sql .= " AND u.statut IN (".$db->sanitize($db->escape($search_statut)).")"; if ($sall) $sql .= natural_search(array_keys($fieldstosearchall), $sall); -if ($catid > 0) $sql .= " AND cu.fk_categorie = ".$catid; +if ($catid > 0) $sql .= " AND cu.fk_categorie = ".((int) $catid); if ($catid == -2) $sql .= " AND cu.fk_categorie IS NULL"; if ($search_categ > 0) $sql .= " AND cu.fk_categorie = ".$db->escape($search_categ); if ($search_categ == -2) $sql .= " AND cu.fk_categorie IS NULL"; From b6c6473cce48ee4d227bba1b43eedc9a5523e4ac Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 18 Sep 2020 17:47:40 +0200 Subject: [PATCH 068/151] Fix sql injection when forging requests with IN --- htdocs/comm/propal/list.php | 2 +- htdocs/comm/propal/stats/index.php | 2 +- htdocs/commande/stats/index.php | 4 ++-- htdocs/compta/facture/stats/index.php | 4 ++-- htdocs/core/class/html.form.class.php | 2 +- htdocs/expensereport/stats/index.php | 2 +- htdocs/fichinter/stats/index.php | 2 +- htdocs/holiday/list.php | 2 +- htdocs/modulebuilder/template/class/myobject.class.php | 2 +- htdocs/recruitment/class/recruitmentcandidature.class.php | 2 +- htdocs/recruitment/class/recruitmentjobposition.class.php | 2 +- htdocs/supplier_proposal/list.php | 2 +- htdocs/ticket/stats/index.php | 2 +- 13 files changed, 15 insertions(+), 15 deletions(-) diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php index e3064f6adf6..d4bf2e392f3 100644 --- a/htdocs/comm/propal/list.php +++ b/htdocs/comm/propal/list.php @@ -361,7 +361,7 @@ if ($search_product_category > 0) $sql .= " AND cp.fk_categorie = ".$db->escape( if ($socid > 0) $sql .= ' AND s.rowid = '.$socid; if ($search_status != '' && $search_status != '-1') { - $sql .= ' AND p.fk_statut IN ('.$db->escape($search_status).')'; + $sql .= ' AND p.fk_statut IN ('.$this->db->sanitize($db->escape($search_status)).')'; } if ($search_date_start) $sql .= " AND p.datep >= '".$db->idate($search_date_start)."'"; if ($search_date_end) $sql .= " AND p.datep <= '".$db->idate($search_date_end)."'"; diff --git a/htdocs/comm/propal/stats/index.php b/htdocs/comm/propal/stats/index.php index 00a79f3c1be..6cf14e92d50 100644 --- a/htdocs/comm/propal/stats/index.php +++ b/htdocs/comm/propal/stats/index.php @@ -101,7 +101,7 @@ dol_mkdir($dir); $stats = new PropaleStats($db, $socid, ($userid > 0 ? $userid : 0), $mode, ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0)); -if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND p.fk_statut IN ('.$db->escape($object_status).')'; +if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND p.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')'; // Build graphic number of object $data = $stats->getNbByMonthWithPrevYear($endyear, $startyear); diff --git a/htdocs/commande/stats/index.php b/htdocs/commande/stats/index.php index 0910e4ee7ad..8ef736ca333 100644 --- a/htdocs/commande/stats/index.php +++ b/htdocs/commande/stats/index.php @@ -94,11 +94,11 @@ dol_mkdir($dir); $stats = new CommandeStats($db, $socid, $mode, ($userid > 0 ? $userid : 0), ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0)); if ($mode == 'customer') { - if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND c.fk_statut IN ('.$db->escape($object_status).')'; + if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND c.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')'; } if ($mode == 'supplier') { - if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND c.fk_statut IN ('.$db->escape($object_status).')'; + if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND c.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')'; } diff --git a/htdocs/compta/facture/stats/index.php b/htdocs/compta/facture/stats/index.php index 82ba8a33467..543585ddbb0 100644 --- a/htdocs/compta/facture/stats/index.php +++ b/htdocs/compta/facture/stats/index.php @@ -94,7 +94,7 @@ dol_mkdir($dir); $stats = new FactureStats($db, $socid, $mode, ($userid > 0 ? $userid : 0), ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0)); if ($mode == 'customer') { - if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$db->escape($object_status).')'; + if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')'; if (is_array($custcats) && !empty($custcats)) { $stats->from .= ' LEFT JOIN '.MAIN_DB_PREFIX.'categorie_societe as cat ON (f.fk_soc = cat.fk_soc)'; $stats->where .= ' AND cat.fk_categorie IN ('.implode(',', $custcats).')'; @@ -102,7 +102,7 @@ if ($mode == 'customer') } if ($mode == 'supplier') { - if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$db->escape($object_status).')'; + if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')'; } // Build graphic number of object diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index 7c5d350d21e..5dfe76427f2 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -2163,7 +2163,7 @@ class Form { $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps on ps.fk_product = p.rowid"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."entrepot as e on ps.fk_entrepot = e.rowid AND e.entity IN (".getEntity('stock').")"; - $sql .= ' AND e.statut IN ('.$this->db->escape(implode(',', $warehouseStatusArray)).')'; // Return line if product is inside the selected stock. If not, an empty line will be returned so we will count 0. + $sql .= ' AND e.statut IN ('.$this->db->sanitize($this->db->escape(implode(',', $warehouseStatusArray))).')'; // Return line if product is inside the selected stock. If not, an empty line will be returned so we will count 0. } // include search in supplier ref diff --git a/htdocs/expensereport/stats/index.php b/htdocs/expensereport/stats/index.php index eff10cd9323..f73b95a6ebb 100644 --- a/htdocs/expensereport/stats/index.php +++ b/htdocs/expensereport/stats/index.php @@ -75,7 +75,7 @@ print load_fiche_titre($title, '', 'trip'); dol_mkdir($dir); $stats = new ExpenseReportStats($db, $socid, $userid); -if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND e.fk_statut IN ('.$db->escape($object_status).')'; +if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND e.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')'; // Build graphic number of object // $data = array(array('Lib',val1,val2,val3),...) diff --git a/htdocs/fichinter/stats/index.php b/htdocs/fichinter/stats/index.php index cb076e01ef1..336a55eb32e 100644 --- a/htdocs/fichinter/stats/index.php +++ b/htdocs/fichinter/stats/index.php @@ -70,7 +70,7 @@ print load_fiche_titre($title, '', 'intervention'); dol_mkdir($dir); $stats = new FichinterStats($db, $socid, $mode, ($userid > 0 ? $userid : 0)); -if ($object_status != '' && $object_status > -1) $stats->where .= ' AND c.fk_statut IN ('.$db->escape($object_status).')'; +if ($object_status != '' && $object_status > -1) $stats->where .= ' AND c.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')'; // Build graphic number of object $data = $stats->getNbByMonthWithPrevYear($endyear, $startyear); diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php index 100507f0610..1f2ad4ecf20 100644 --- a/htdocs/holiday/list.php +++ b/htdocs/holiday/list.php @@ -311,7 +311,7 @@ if (!empty($search_valideur) && $search_valideur != -1) { } // Type if (!empty($search_type) && $search_type != -1) { - $sql .= ' AND cp.fk_type IN ('.$db->escape($search_type).')'; + $sql .= ' AND cp.fk_type IN ('.$this->db->sanitize($db->escape($search_type)).')'; } // Status if (!empty($search_status) && $search_status != -1) { diff --git a/htdocs/modulebuilder/template/class/myobject.class.php b/htdocs/modulebuilder/template/class/myobject.class.php index cdf3996c46c..f52d28c2489 100644 --- a/htdocs/modulebuilder/template/class/myobject.class.php +++ b/htdocs/modulebuilder/template/class/myobject.class.php @@ -426,7 +426,7 @@ class MyObject extends CommonObject } elseif ($key == 'customsql') { $sqlwhere[] = $value; } elseif (strpos($value, '%') === false) { - $sqlwhere[] = $key.' IN ('.$this->db->escape($value).')'; + $sqlwhere[] = $key.' IN ('.$this->db->sanitize($this->db->escape($value)).')'; } else { $sqlwhere[] = $key.' LIKE \'%'.$this->db->escape($value).'%\''; } diff --git a/htdocs/recruitment/class/recruitmentcandidature.class.php b/htdocs/recruitment/class/recruitmentcandidature.class.php index 74644270e6a..df96744526b 100644 --- a/htdocs/recruitment/class/recruitmentcandidature.class.php +++ b/htdocs/recruitment/class/recruitmentcandidature.class.php @@ -403,7 +403,7 @@ class RecruitmentCandidature extends CommonObject } elseif ($key == 'customsql') { $sqlwhere[] = $value; } elseif (strpos($value, '%') === false) { - $sqlwhere[] = $key.' IN ('.$this->db->escape($value).')'; + $sqlwhere[] = $key.' IN ('.$this->db->sanitize($this->db->escape($value)).')'; } else { $sqlwhere[] = $key.' LIKE \'%'.$this->db->escape($value).'%\''; } diff --git a/htdocs/recruitment/class/recruitmentjobposition.class.php b/htdocs/recruitment/class/recruitmentjobposition.class.php index 0f28b34be6a..355cae49c89 100644 --- a/htdocs/recruitment/class/recruitmentjobposition.class.php +++ b/htdocs/recruitment/class/recruitmentjobposition.class.php @@ -396,7 +396,7 @@ class RecruitmentJobPosition extends CommonObject } elseif ($key == 'customsql') { $sqlwhere[] = $value; } elseif (strpos($value, '%') === false) { - $sqlwhere[] = $key.' IN ('.$this->db->escape($value).')'; + $sqlwhere[] = $key.' IN ('.$this->db->sanitize($this->db->escape($value)).')'; } else { $sqlwhere[] = $key.' LIKE \'%'.$this->db->escape($value).'%\''; } diff --git a/htdocs/supplier_proposal/list.php b/htdocs/supplier_proposal/list.php index 0b05d3afabd..2ead83c0eb2 100644 --- a/htdocs/supplier_proposal/list.php +++ b/htdocs/supplier_proposal/list.php @@ -314,7 +314,7 @@ if ($search_multicurrency_montant_vat != '') $sql .= natural_search('sp.multicur if ($search_multicurrency_montant_ttc != '') $sql .= natural_search('sp.multicurrency_total_ttc', $search_multicurrency_montant_ttc, 1); if ($sall) $sql .= natural_search(array_keys($fieldstosearchall), $sall); if ($socid) $sql .= ' AND s.rowid = '.$socid; -if ($search_status >= 0 && $search_status != '') $sql .= ' AND sp.fk_statut IN ('.$db->escape($search_status).')'; +if ($search_status >= 0 && $search_status != '') $sql .= ' AND sp.fk_statut IN ('.$this->db->sanitize($db->escape($search_status)).')'; $sql .= dolSqlDateFilter("sp.date_livraison", $day, $month, $year); $sql .= dolSqlDateFilter("sp.date_valid", $dayvalid, $monthvalid, $yearvalid); if ($search_sale > 0) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$search_sale; diff --git a/htdocs/ticket/stats/index.php b/htdocs/ticket/stats/index.php index da921577596..d00d1b8ac34 100644 --- a/htdocs/ticket/stats/index.php +++ b/htdocs/ticket/stats/index.php @@ -70,7 +70,7 @@ print load_fiche_titre($title, '', 'ticket'); dol_mkdir($dir); $stats = new TicketStats($db, $socid, ($userid > 0 ? $userid : 0)); -if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND fk_statut IN ('.$db->escape($object_status).')'; +if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')'; // Build graphic number of object From 11bf662c381ccb4cffe444d6fe385dbdb8b15237 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 18 Sep 2020 17:49:51 +0200 Subject: [PATCH 069/151] Fix regression --- htdocs/fourn/card.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/fourn/card.php b/htdocs/fourn/card.php index 5023faab929..3a2f391ad17 100644 --- a/htdocs/fourn/card.php +++ b/htdocs/fourn/card.php @@ -595,7 +595,7 @@ if ($object->id > 0) // Show orders we can bill if (empty($conf->global->SUPPLIER_ORDER_TO_INVOICE_STATUS)) { - $sql2 .= " AND c.fk_statut IN (".$db->sanitize(CommandeFournisseur::STATUS_RECEIVED_COMPLETELY)).")"; // Must match filter in htdocs/fourn/orderstoinvoice.php + $sql2 .= " AND c.fk_statut IN (".$db->sanitize(CommandeFournisseur::STATUS_RECEIVED_COMPLETELY).")"; // Must match filter in htdocs/fourn/orderstoinvoice.php } else { // CommandeFournisseur::STATUS_ORDERSENT.", ".CommandeFournisseur::STATUS_RECEIVED_PARTIALLY.", ".CommandeFournisseur::STATUS_RECEIVED_COMPLETELY $sql2 .= " AND c.fk_statut IN (".$db->sanitize($db->escape($conf->global->SUPPLIER_ORDER_TO_INVOICE_STATUS)).")"; From 206b1189c90bbd73ef2749d9db11e7338abf29a9 Mon Sep 17 00:00:00 2001 From: ptibogxiv Date: Fri, 18 Sep 2020 17:52:48 +0200 Subject: [PATCH 070/151] NEW fetch contact by email with REST API --- htdocs/societe/class/api_contacts.class.php | 42 +++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/htdocs/societe/class/api_contacts.class.php b/htdocs/societe/class/api_contacts.class.php index 37d9239265f..027cd124d36 100644 --- a/htdocs/societe/class/api_contacts.class.php +++ b/htdocs/societe/class/api_contacts.class.php @@ -97,6 +97,48 @@ class Contacts extends DolibarrApi return $this->_cleanObjectDatas($this->contact); } + + /** + * Get properties of a contact object by Email + * + * @param string $email Email of contact + * @param int $includecount Count and return also number of elements the contact is used as a link for + * @return array|mixed data without useless information + * + * @url GET email/{email} + * + * @throws RestException 401 Insufficient rights + * @throws RestException 404 User or group not found + */ + public function getByEmail($email, $includecount = 0) + { + if (!DolibarrApiAccess::$user->rights->societe->contact->lire) + { + throw new RestException(401, 'No permission to read contacts'); + } + if (empty($email)) { + $result = $this->contact->initAsSpecimen(); + } else { + $result = $this->contact->fetch('', '', '', $email); + } + + if (!$result) + { + throw new RestException(404, 'Contact not found'); + } + + if (!DolibarrApi::_checkAccessToResource('contact', $this->contact->id, 'socpeople&societe')) + { + throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login); + } + + if ($includecount) + { + $this->contact->load_ref_elements(); + } + + return $this->_cleanObjectDatas($this->contact); + } /** * List contacts From f9b4a0f68ba7a03cfc86daacfe7bf0ec3b5ad711 Mon Sep 17 00:00:00 2001 From: stickler-ci Date: Fri, 18 Sep 2020 15:54:37 +0000 Subject: [PATCH 071/151] Fixing style errors. --- htdocs/societe/class/api_contacts.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/societe/class/api_contacts.class.php b/htdocs/societe/class/api_contacts.class.php index 027cd124d36..4d9bd4a47f4 100644 --- a/htdocs/societe/class/api_contacts.class.php +++ b/htdocs/societe/class/api_contacts.class.php @@ -97,7 +97,7 @@ class Contacts extends DolibarrApi return $this->_cleanObjectDatas($this->contact); } - + /** * Get properties of a contact object by Email * From d86f541b358be57304f6fa9a9e1fa1ddb42c903c Mon Sep 17 00:00:00 2001 From: Bernard Saulme Date: Fri, 18 Sep 2020 18:29:52 +0200 Subject: [PATCH 072/151] FIX|members substitution variable not substituted if empty Members substitution variables not substituted if empty for the __MEMBER_ ... variables, the variable is showed instead. Change to display '' instead --- htdocs/core/lib/functions.lib.php | 34 +++++++++++++++---------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index a457aa5af17..d8b7c68c290 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -6072,25 +6072,25 @@ function getCommonSubstitutionArray($outputlangs, $onlykey = 0, $exclude = null, if (is_object($object) && $object->element == 'adherent' && $object->id > 0) { - $substitutionarray['__MEMBER_ID__'] = $object->id; + $substitutionarray['__MEMBER_ID__'] = (isset($object->id) ? $object->id : ''); if (method_exists($object, 'getCivilityLabel')) $substitutionarray['__MEMBER_CIVILITY__'] = $object->getCivilityLabel(); - $substitutionarray['__MEMBER_FIRSTNAME__'] = $object->firstname; - $substitutionarray['__MEMBER_LASTNAME__'] = $object->lastname; + $substitutionarray['__MEMBER_FIRSTNAME__'] = (isset($object->firstname) ? $object->firstname : ''); + $substitutionarray['__MEMBER_LASTNAME__'] = (isset($object->lastname) ? $object->lastname : ''); if (method_exists($object, 'getFullName')) $substitutionarray['__MEMBER_FULLNAME__'] = $object->getFullName($outputlangs); - $substitutionarray['__MEMBER_COMPANY__'] = $object->societe; - $substitutionarray['__MEMBER_ADDRESS__'] = $object->address; - $substitutionarray['__MEMBER_ZIP__'] = $object->zip; - $substitutionarray['__MEMBER_TOWN__'] = $object->town; - $substitutionarray['__MEMBER_COUNTRY__'] = $object->country; - $substitutionarray['__MEMBER_EMAIL__'] = $object->email; - $substitutionarray['__MEMBER_BIRTH__'] = $birthday; - $substitutionarray['__MEMBER_PHOTO__'] = $object->photo; - $substitutionarray['__MEMBER_LOGIN__'] = $object->login; - $substitutionarray['__MEMBER_PASSWORD__'] = $object->pass; - $substitutionarray['__MEMBER_PHONE__'] = $object->phone; - $substitutionarray['__MEMBER_PHONEPRO__'] = $object->phone_perso; - $substitutionarray['__MEMBER_PHONEMOBILE__'] = $object->phone_mobile; - $substitutionarray['__MEMBER_TYPE__'] = $object->type; + $substitutionarray['__MEMBER_COMPANY__'] = (isset($object->societe) ? $object->societe : ''); + $substitutionarray['__MEMBER_ADDRESS__'] = (isset($object->address) ? $object->address : ''); + $substitutionarray['__MEMBER_ZIP__'] = (isset($object->zip) ? $object->zip : ''); + $substitutionarray['__MEMBER_TOWN__'] = (isset($object->town) ? $object->town : ''); + $substitutionarray['__MEMBER_COUNTRY__'] = (isset($object->country) ? $object->country : ''); + $substitutionarray['__MEMBER_EMAIL__'] = (isset($object->email) ? $object->email : ''); + $substitutionarray['__MEMBER_BIRTH__'] = (isset($birthday) ? $birthday : ''); + $substitutionarray['__MEMBER_PHOTO__'] = (isset($object->photo) ? $object->photo : ''); + $substitutionarray['__MEMBER_LOGIN__'] = (isset($object->login) ? $object->login : ''); + $substitutionarray['__MEMBER_PASSWORD__'] = (isset($object->pass) ? $object->pass : ''); + $substitutionarray['__MEMBER_PHONE__'] = (isset($object->phone) ? $object->phone : ''); + $substitutionarray['__MEMBER_PHONEPRO__'] = (isset($object->phone_perso) ? $object->phone_perso : ''); + $substitutionarray['__MEMBER_PHONEMOBILE__'] = (isset($object->phone_mobile) ? $object->phone_mobile : ''); + $substitutionarray['__MEMBER_TYPE__'] = (isset($object->type) ? $object->type : ''); $substitutionarray['__MEMBER_FIRST_SUBSCRIPTION_DATE__'] = dol_print_date($object->first_subscription_date, 'dayrfc'); $substitutionarray['__MEMBER_FIRST_SUBSCRIPTION_DATE_START__'] = dol_print_date($object->first_subscription_date_start, 'dayrfc'); $substitutionarray['__MEMBER_FIRST_SUBSCRIPTION_DATE_END__'] = dol_print_date($object->first_subscription_date_end, 'dayrfc'); From 4710fedda61b25afee74f17e5557f43ae61dcee7 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 18 Sep 2020 23:06:08 +0200 Subject: [PATCH 073/151] Try another fix for #yogosha4514 --- htdocs/main.inc.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 3879f6c6978..ffa7c47bdff 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -107,8 +107,7 @@ function testSqlAndScriptInject($val, $type) $inj += preg_match('/:|:|:/i', $val); // refused string ':' encoded (no reason to have it encoded) to lock 'javascript:...' //if ($type == 1) //{ - $inj += preg_match('/javascript%/i', $val); - $inj += preg_match('/javascript:/i', $val); + $inj += preg_match('/javascript\s*:/i', $val); $inj += preg_match('/vbscript:/i', $val); //} // For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param) From 4f2d3176f5183391341f1ccc0358fb6866ff07b1 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 18 Sep 2020 23:26:05 +0200 Subject: [PATCH 074/151] Fix #yogosha4533 --- htdocs/cron/class/cronjob.class.php | 9 +++++++++ htdocs/langs/en_US/cron.lang | 1 + 2 files changed, 10 insertions(+) diff --git a/htdocs/cron/class/cronjob.class.php b/htdocs/cron/class/cronjob.class.php index e1c9861cc9e..10a2659f6a5 100644 --- a/htdocs/cron/class/cronjob.class.php +++ b/htdocs/cron/class/cronjob.class.php @@ -1008,6 +1008,15 @@ class Cronjob extends CommonObject $retval = $this->lastresult; $error++; } + if (in_array(strtolower(trim($this->methodename)), array('executecli'))) + { + $this->error = $langs->trans('CronMethodNotAllowed', $this->methodename, $this->objectname); + dol_syslog(get_class($this)."::run_jobs ".$this->error, LOG_ERR); + $this->lastoutput = $this->error; + $this->lastresult = -1; + $retval = $this->lastresult; + $error++; + } } // Load langs diff --git a/htdocs/langs/en_US/cron.lang b/htdocs/langs/en_US/cron.lang index 1de1251831a..bb61ed13bbe 100644 --- a/htdocs/langs/en_US/cron.lang +++ b/htdocs/langs/en_US/cron.lang @@ -14,6 +14,7 @@ FileToLaunchCronJobs=Command line to check and launch qualified cron jobs CronExplainHowToRunUnix=On Unix environment you should use the following crontab entry to run the command line each 5 minutes CronExplainHowToRunWin=On Microsoft(tm) Windows environment you can use Scheduled Task tools to run the command line each 5 minutes CronMethodDoesNotExists=Class %s does not contains any method %s +CronMethodNotAllowed=Method %s of class %s is in blacklist of forbidden methods CronJobDefDesc=Cron job profiles are defined into the module descriptor file. When module is activated, they are loaded and available so you can administer the jobs from the admin tools menu %s. CronJobProfiles=List of predefined cron job profiles # Menu From d21c2f0d611f5749b651a6091687d713c824ff3c Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 18 Sep 2020 23:38:45 +0200 Subject: [PATCH 075/151] Better sanitizing --- htdocs/cron/card.php | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/htdocs/cron/card.php b/htdocs/cron/card.php index de4b8a03daa..80c3602f5d9 100644 --- a/htdocs/cron/card.php +++ b/htdocs/cron/card.php @@ -126,19 +126,19 @@ if ($action == 'confirm_execute' && $confirm == "yes" && $user->rights->cron->ex if ($action == 'add') { - $object->jobtype = GETPOST('jobtype', 'alpha'); - $object->label = GETPOST('label', 'alpha'); - $object->command = GETPOST('command', 'alpha'); - $object->priority = GETPOST('priority', 'int'); - $object->classesname = GETPOST('classesname', 'alpha'); - $object->objectname = GETPOST('objectname', 'alpha'); - $object->methodename = GETPOST('methodename', 'alpha'); + $object->jobtype = GETPOST('jobtype'); + $object->label = GETPOST('label'); + $object->command = GETPOST('command'); + $object->classesname = GETPOST('classesname', 'alphanohtml'); + $object->objectname = GETPOST('objectname', 'aZ09'); + $object->methodename = GETPOST('methodename', 'aZ09'); $object->params = GETPOST('params'); $object->md5params = GETPOST('md5params'); - $object->module_name = GETPOST('module_name', 'alpha'); + $object->module_name = GETPOST('module_name'); $object->note_private = GETPOST('note', 'restricthtml'); $object->datestart = dol_mktime(GETPOST('datestarthour', 'int'), GETPOST('datestartmin', 'int'), 0, GETPOST('datestartmonth', 'int'), GETPOST('datestartday', 'int'), GETPOST('datestartyear', 'int')); $object->dateend = dol_mktime(GETPOST('dateendhour', 'int'), GETPOST('dateendmin', 'int'), 0, GETPOST('dateendmonth', 'int'), GETPOST('dateendday', 'int'), GETPOST('dateendyear', 'int')); + $object->priority = GETPOST('priority', 'int'); $object->datenextrun = dol_mktime(GETPOST('datenextrunhour', 'int'), GETPOST('datenextrunmin', 'int'), 0, GETPOST('datenextrunmonth', 'int'), GETPOST('datenextrunday', 'int'), GETPOST('datenextrunyear', 'int')); $object->unitfrequency = GETPOST('unitfrequency', 'int'); $object->frequency = GETPOST('nbfrequency', 'int'); @@ -164,16 +164,16 @@ if ($action == 'update') $object->jobtype = GETPOST('jobtype'); $object->label = GETPOST('label'); $object->command = GETPOST('command'); - $object->classesname = GETPOST('classesname', 'alpha'); - $object->priority = GETPOST('priority', 'int'); - $object->objectname = GETPOST('objectname', 'alpha'); - $object->methodename = GETPOST('methodename', 'alpha'); + $object->classesname = GETPOST('classesname', 'alphanohtml'); + $object->objectname = GETPOST('objectname', 'aZ09'); + $object->methodename = GETPOST('methodename', 'aZ09'); $object->params = GETPOST('params'); $object->md5params = GETPOST('md5params'); - $object->module_name = GETPOST('module_name', 'alpha'); + $object->module_name = GETPOST('module_name'); $object->note_private = GETPOST('note', 'restricthtml'); $object->datestart = dol_mktime(GETPOST('datestarthour', 'int'), GETPOST('datestartmin', 'int'), 0, GETPOST('datestartmonth', 'int'), GETPOST('datestartday', 'int'), GETPOST('datestartyear', 'int')); $object->dateend = dol_mktime(GETPOST('dateendhour', 'int'), GETPOST('dateendmin', 'int'), 0, GETPOST('dateendmonth', 'int'), GETPOST('dateendday', 'int'), GETPOST('dateendyear', 'int')); + $object->priority = GETPOST('priority', 'int'); $object->datenextrun = dol_mktime(GETPOST('datenextrunhour', 'int'), GETPOST('datenextrunmin', 'int'), 0, GETPOST('datenextrunmonth', 'int'), GETPOST('datenextrunday', 'int'), GETPOST('datenextrunyear', 'int')); $object->unitfrequency = GETPOST('unitfrequency', 'int'); $object->frequency = GETPOST('nbfrequency', 'int'); From 6d2d5d7caeba2145f3165371a937141ef0d1015c Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 00:02:38 +0200 Subject: [PATCH 076/151] Fix #yogosha4529 --- htdocs/core/lib/functions.lib.php | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index a457aa5af17..20e3dbc2646 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -606,6 +606,11 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null break; } + // Sanitizing for special var name. There is no reason to allow a backtopage to an external URL. + if ($paramname == 'backtopage') { + $out = preg_replace(array('/\/\//', '/^[a-z]*:/'), '', $out); + } + // Code for search criteria persistence. // Save data into session if key start with 'search_' or is 'smonth', 'syear', 'month', 'year' if (empty($method) || $method == 3 || $method == 4) From 63bc3aa48a2cfd7554362cd80fbdd43e38b3a21d Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 00:05:29 +0200 Subject: [PATCH 077/151] Better sanitizing --- htdocs/core/lib/functions.lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 20e3dbc2646..5eb9d142c0c 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -608,7 +608,7 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null // Sanitizing for special var name. There is no reason to allow a backtopage to an external URL. if ($paramname == 'backtopage') { - $out = preg_replace(array('/\/\//', '/^[a-z]*:/'), '', $out); + $out = preg_replace(array('/\/\/+/', '/^[a-z]*:/'), '', $out); } // Code for search criteria persistence. From f62d52f89a267a0041fa20ef77639ac927275e6d Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 00:44:47 +0200 Subject: [PATCH 078/151] Fix tooltip for linkto object. Fix security of ajax selectobject.php --- htdocs/core/ajax/selectobject.php | 5 +++-- htdocs/core/class/html.form.class.php | 1 + htdocs/core/lib/security.lib.php | 2 ++ htdocs/core/tpl/admin_extrafields_add.tpl.php | 6 ++++-- htdocs/core/tpl/admin_extrafields_edit.tpl.php | 4 +++- htdocs/langs/en_US/admin.lang | 2 +- 6 files changed, 14 insertions(+), 6 deletions(-) diff --git a/htdocs/core/ajax/selectobject.php b/htdocs/core/ajax/selectobject.php index a672510555b..9d9b7bbfc42 100644 --- a/htdocs/core/ajax/selectobject.php +++ b/htdocs/core/ajax/selectobject.php @@ -75,9 +75,10 @@ if (!is_object($objecttmp)) } // When used from jQuery, the search term is added as GET param "term". -$searchkey = (($id && GETPOST($id, 'alpha')) ?GETPOST($id, 'alpha') : (($htmlname && GETPOST($htmlname, 'alpha')) ?GETPOST($htmlname, 'alpha') : '')); +$searchkey = (($id && GETPOST($id, 'alpha')) ? GETPOST($id, 'alpha') : (($htmlname && GETPOST($htmlname, 'alpha')) ? GETPOST($htmlname, 'alpha') : '')); -// TODO Add a security test to avoid to get content of all tables +// Add a security test to avoid to get content of all tables +restrictedArea($user, $objecttmp->element, $id); $arrayresult = $form->selectForFormsList($objecttmp, $htmlname, '', 0, $searchkey, '', '', '', 0, 1); diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index 5dfe76427f2..e56f4674f2a 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -5782,6 +5782,7 @@ class Form /** * Generic method to select a component from a combo list. + * Can use autocomplete with ajax after x key pressed or a full combo, depending on setup. * This is the generic method that will replace all specific existing methods. * * @param string $objectdesc ObjectClass:PathToClass[:AddCreateButtonOrNot[:Filter]] diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index d4bb4584e26..b9a06b532f4 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php @@ -194,6 +194,8 @@ function restrictedArea($user, $features, $objectid = 0, $tableandshare = '', $f if ($features == 'member') $features = 'adherent'; if ($features == 'subscription') { $features = 'adherent'; $feature2 = 'cotisation'; }; if ($features == 'websitepage') { $features = 'website'; $tableandshare = 'website_page'; $parentfortableentity = 'fk_website@website'; } + if ($features == 'project') $features = 'projet'; + if ($features == 'product') $features = 'produit'; // Get more permissions checks from hooks $parameters = array('features'=>$features, 'objectid'=>$objectid, 'idtype'=>$dbt_select); diff --git a/htdocs/core/tpl/admin_extrafields_add.tpl.php b/htdocs/core/tpl/admin_extrafields_add.tpl.php index b8a37ee5969..8f55e0bfc69 100644 --- a/htdocs/core/tpl/admin_extrafields_add.tpl.php +++ b/htdocs/core/tpl/admin_extrafields_add.tpl.php @@ -37,6 +37,8 @@ if (empty($conf) || !is_object($conf)) $langs->load("modulebuilder"); +$listofexamplesforlink = 'Societe:societe/class/societe.class.php
Contact:contact/class/contact.class.php
Product:product/class/product.class.php
Project:projet/class/project.class.php'; + ?> @@ -168,7 +170,7 @@ $langs->load("modulebuilder"); textwithpicto('', $langs->trans("ExtrafieldParamHelpselect"), 1, 0, '', 0, 2, 'helpvalue1')?> textwithpicto('', $langs->trans("ExtrafieldParamHelpsellist"), 1, 0, '', 0, 2, 'helpvalue2')?> textwithpicto('', $langs->trans("ExtrafieldParamHelpchkbxlst"), 1, 0, '', 0, 2, 'helpvalue3')?> - textwithpicto('', $langs->trans("ExtrafieldParamHelplink"), 1, 0, '', 0, 2, 'helpvalue4')?> + textwithpicto('', $langs->trans("ExtrafieldParamHelplink").'

'.$langs->trans("Examples").':
'.$listofexamplesforlink, 1, 0, '', 0, 2, 'helpvalue4')?> textwithpicto('', $langs->trans("ExtrafieldParamHelpPassword"), 1, 0, '', 0, 2, 'helpvalue5')?> textwithpicto('', $langs->trans("ExtrafieldParamHelpSeparator"), 1, 0, '', 0, 2, 'helpvalue6')?> @@ -176,7 +178,7 @@ $langs->load("modulebuilder"); -trans("Position"); ?> +trans("Position"); ?> trans("LanguageFile"); ?> diff --git a/htdocs/core/tpl/admin_extrafields_edit.tpl.php b/htdocs/core/tpl/admin_extrafields_edit.tpl.php index 52ce7124e7c..451bb93d6c7 100644 --- a/htdocs/core/tpl/admin_extrafields_edit.tpl.php +++ b/htdocs/core/tpl/admin_extrafields_edit.tpl.php @@ -36,6 +36,8 @@ if (empty($conf) || !is_object($conf)) $langs->load("modulebuilder"); +$listofexamplesforlink = 'Societe:societe/class/societe.class.php
Contact:contact/class/contact.class.php
Product:product/class/product.class.php
Project:projet/class/project.class.php
...'; + ?> @@ -245,7 +247,7 @@ if (in_array($type, array_keys($typewecanchangeinto))) textwithpicto('', $langs->trans("ExtrafieldParamHelpselect"), 1, 0, '', 0, 2, 'helpvalue1')?> textwithpicto('', $langs->trans("ExtrafieldParamHelpsellist"), 1, 0, '', 0, 2, 'helpvalue2')?> textwithpicto('', $langs->trans("ExtrafieldParamHelpchkbxlst"), 1, 0, '', 0, 2, 'helpvalue3')?> - textwithpicto('', $langs->trans("ExtrafieldParamHelplink"), 1, 0, '', 0, 2, 'helpvalue4')?> + textwithpicto('', $langs->trans("ExtrafieldParamHelplink").'

'.$langs->trans("Examples").':
'.$listofexamplesforlink, 1, 0, '', 0, 2, 'helpvalue4')?> textwithpicto('', $langs->trans("ExtrafieldParamHelpPassword"), 1, 0, '', 0, 2, 'helpvalue5')?> textwithpicto('', $langs->trans("ExtrafieldParamHelpSeparator"), 1, 0, '', 0, 2, 'helpvalue6')?> diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang index bbee1152ec1..df50afc69ac 100644 --- a/htdocs/langs/en_US/admin.lang +++ b/htdocs/langs/en_US/admin.lang @@ -440,7 +440,7 @@ ExtrafieldParamHelpcheckbox=List of values must be lines with format key,value ( ExtrafieldParamHelpradio=List of values must be lines with format key,value (where key can't be '0')

for example:
1,value1
2,value2
3,value3
... ExtrafieldParamHelpsellist=List of values comes from a table
Syntax: table_name:label_field:id_field::filter
Example: c_typent:libelle:id::filter

- idfilter is necessarly a primary int key
- filter can be a simple test (eg active=1) to display only active value
You can also use $ID$ in filter witch is the current id of current object
To do a SELECT in filter use $SEL$
if you want to filter on extrafields use syntax extra.fieldcode=... (where field code is the code of extrafield)

In order to have the list depending on another complementary attribute list:
c_typent:libelle:id:options_parent_list_code|parent_column:filter

In order to have the list depending on another list:
c_typent:libelle:id:parent_list_code|parent_column:filter ExtrafieldParamHelpchkbxlst=List of values comes from a table
Syntax: table_name:label_field:id_field::filter
Example: c_typent:libelle:id::filter

filter can be a simple test (eg active=1) to display only active value
You can also use $ID$ in filter witch is the current id of current object
To do a SELECT in filter use $SEL$
if you want to filter on extrafields use syntax extra.fieldcode=... (where field code is the code of extrafield)

In order to have the list depending on another complementary attribute list:
c_typent:libelle:id:options_parent_list_code|parent_column:filter

In order to have the list depending on another list:
c_typent:libelle:id:parent_list_code|parent_column:filter -ExtrafieldParamHelplink=Parameters must be ObjectName:Classpath
Syntax: ObjectName:Classpath
Examples:
Societe:societe/class/societe.class.php
Contact:contact/class/contact.class.php +ExtrafieldParamHelplink=Parameters must be ObjectName:Classpath
Syntax: ObjectName:Classpath ExtrafieldParamHelpSeparator=Keep empty for a simple separator
Set this to 1 for a collapsing separator (open by default for new session, then status is kept for each user session)
Set this to 2 for a collapsing separator (collapsed by default for new session, then status is kept fore each user session) LibraryToBuildPDF=Library used for PDF generation LocalTaxDesc=Some countries may apply two or three taxes on each invoice line. If this is the case, choose the type for the second and third tax and its rate. Possible type are:
1: local tax apply on products and services without vat (localtax is calculated on amount without tax)
2: local tax apply on products and services including vat (localtax is calculated on amount + main tax)
3: local tax apply on products without vat (localtax is calculated on amount without tax)
4: local tax apply on products including vat (localtax is calculated on amount + main vat)
5: local tax apply on services without vat (localtax is calculated on amount without tax)
6: local tax apply on services including vat (localtax is calculated on amount + tax) From 99c05f09230d8670315d0075570604c3479283fb Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 00:51:09 +0200 Subject: [PATCH 079/151] Fix rss --- htdocs/core/class/rssparser.class.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/htdocs/core/class/rssparser.class.php b/htdocs/core/class/rssparser.class.php index 21c5b2ad200..67d12887315 100644 --- a/htdocs/core/class/rssparser.class.php +++ b/htdocs/core/class/rssparser.class.php @@ -356,7 +356,9 @@ class RssParser if (!empty($rss->channel['title'])) $this->_title = (string) $rss->channel['title']; //if (!empty($rss->channel['rss_description'])) $this->_description = (string) $rss->channel['rss_description']; - $this->_imageurl = $this->getAtomImageUrl($rss->channel); + if (is_array($rss->channel)) { + $this->_imageurl = $this->getAtomImageUrl($rss->channel); + } } if (!empty($conf->global->EXTERNALRSS_USE_SIMPLEXML)) { $tmprss = xml2php($rss); $items = $tmprss['entry']; From b7a97b2c8130fe9c695a1e5bff25277f8c8e7d15 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 01:45:40 +0200 Subject: [PATCH 080/151] Prepare for fix --- htdocs/admin/export.php | 2 +- htdocs/core/js/lib_head.js.php | 16 +++++++++++----- htdocs/core/lib/ajax.lib.php | 4 ++-- 3 files changed, 14 insertions(+), 8 deletions(-) diff --git a/htdocs/admin/export.php b/htdocs/admin/export.php index d9c2c508464..d066197b580 100644 --- a/htdocs/admin/export.php +++ b/htdocs/admin/export.php @@ -90,7 +90,7 @@ print ''; print ''.$langs->trans("EXPORTS_SHARE_MODELS").''; print ' '; print ''; -echo ajax_constantonoff('EXPORTS_SHARE_MODELS'); +print ajax_constantonoff('EXPORTS_SHARE_MODELS'); print ''; print ''; diff --git a/htdocs/core/js/lib_head.js.php b/htdocs/core/js/lib_head.js.php index 9de5ceba476..d27bab84162 100644 --- a/htdocs/core/js/lib_head.js.php +++ b/htdocs/core/js/lib_head.js.php @@ -516,7 +516,8 @@ function hideMessage(fieldId,message) { /* - * Used by button to set on/off + * Used by button to set on/off. + * Call url then make complementary action (like show/hide, enable/disable or set another option). * * @param string url Url * @param string code Code @@ -525,12 +526,14 @@ function hideMessage(fieldId,message) { * @param int strict Strict * @param int forcereload Force reload * @param int userid User id + * @param string token Token */ -function setConstant(url, code, input, entity, strict, forcereload, userid) { +function setConstant(url, code, input, entity, strict, forcereload, userid, token) { $.get( url, { action: "set", name: code, - entity: entity + entity: entity, + token: token }, function() { console.log("url request success forcereload="+forcereload); @@ -587,6 +590,7 @@ function setConstant(url, code, input, entity, strict, forcereload, userid) { /* * Used by button to set on/off + * Call url then make complementary action (like show/hide, enable/disable or set another option). * * @param string url Url * @param string code Code @@ -595,12 +599,14 @@ function setConstant(url, code, input, entity, strict, forcereload, userid) { * @param int strict Strict * @param int forcereload Force reload * @param int userid User id + * @param string token Token */ -function delConstant(url, code, input, entity, strict, forcereload, userid) { +function delConstant(url, code, input, entity, strict, forcereload, userid, token) { $.get( url, { action: "del", name: code, - entity: entity + entity: entity, + token: token }, function() { console.log("url request success forcereload="+forcereload); diff --git a/htdocs/core/lib/ajax.lib.php b/htdocs/core/lib/ajax.lib.php index 6f730c03976..62fc5bccb27 100644 --- a/htdocs/core/lib/ajax.lib.php +++ b/htdocs/core/lib/ajax.lib.php @@ -491,8 +491,8 @@ function ajax_combobox($htmlname, $events = array(), $minLengthToAutocomplete = * @param int $revertonoff Revert on/off * @param int $strict Use only "disabled" with delConstant and "enabled" with setConstant * @param int $forcereload Force to reload page if we click/change value (this is supported only when there is no 'alert' option in input) - * @param string $marginleftonlyshort 1 = Add a short left margin on picto, 2 = Add a larger left margin on picto, 0 = No margin left. Works for fontawesome picto only. - * @param int $forcenoajax 1=Force to use a ahref link instead of ajax code. + * @param string $marginleftonlyshort 1 = Add a short left margin on picto, 2 = Add a larger left margin on picto, 0 = No left margin. Works for fontawesome picto only. + * @param int $forcenoajax 1=Force to use a ahref link instead of ajax code. * @return string */ function ajax_constantonoff($code, $input = array(), $entity = null, $revertonoff = 0, $strict = 0, $forcereload = 0, $marginleftonlyshort = 2, $forcenoajax = 0) From 6a45545ec1ed34fb22c8297d8c790a5eef7ba8bc Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 01:53:22 +0200 Subject: [PATCH 081/151] Prepare for fix --- htdocs/core/js/lib_head.js.php | 7 ++++--- htdocs/core/lib/ajax.lib.php | 19 +++++++++++-------- 2 files changed, 15 insertions(+), 11 deletions(-) diff --git a/htdocs/core/js/lib_head.js.php b/htdocs/core/js/lib_head.js.php index d27bab84162..3521c3ed0f4 100644 --- a/htdocs/core/js/lib_head.js.php +++ b/htdocs/core/js/lib_head.js.php @@ -670,8 +670,9 @@ function delConstant(url, code, input, entity, strict, forcereload, userid, toke * @param int noButton noButton * @param int strict Strict * @param int userid User id + * @param string token Token */ -function confirmConstantAction(action, url, code, input, box, entity, yesButton, noButton, strict, userid) { +function confirmConstantAction(action, url, code, input, box, entity, yesButton, noButton, strict, userid, token) { var boxConfirm = box; $("#confirm_" + code) .attr("title", boxConfirm.title) @@ -687,9 +688,9 @@ function confirmConstantAction(action, url, code, input, box, entity, yesButton, text : yesButton, click : function() { if (action == "set") { - setConstant(url, code, input, entity, strict, 0, userid); + setConstant(url, code, input, entity, strict, 0, userid, token); } else if (action == "del") { - delConstant(url, code, input, entity, strict, 0, userid); + delConstant(url, code, input, entity, strict, 0, userid, token); } // Close dialog $(this).dialog("close"); diff --git a/htdocs/core/lib/ajax.lib.php b/htdocs/core/lib/ajax.lib.php index 62fc5bccb27..55280d87388 100644 --- a/htdocs/core/lib/ajax.lib.php +++ b/htdocs/core/lib/ajax.lib.php @@ -516,17 +516,18 @@ function ajax_constantonoff($code, $input = array(), $entity = null, $revertonof var entity = \''.$entity.'\'; var strict = \''.$strict.'\'; var userid = \''.$user->id.'\'; - var yesButton = "'.dol_escape_js($langs->transnoentities("Yes")).'"; - var noButton = "'.dol_escape_js($langs->transnoentities("No")).'"; + var yesButton = \''.dol_escape_js($langs->transnoentities("Yes")).'\'; + var noButton = \''.dol_escape_js($langs->transnoentities("No")).'\'; + var token = \''.newToken().'\'; // Set constant $("#set_" + code).click(function() { if (input.alert && input.alert.set) { if (input.alert.set.yesButton) yesButton = input.alert.set.yesButton; if (input.alert.set.noButton) noButton = input.alert.set.noButton; - confirmConstantAction("set", url, code, input, input.alert.set, entity, yesButton, noButton, strict, userid); + confirmConstantAction("set", url, code, input, input.alert.set, entity, yesButton, noButton, strict, userid, token); } else { - setConstant(url, code, input, entity, 0, '.$forcereload.', userid); + setConstant(url, code, input, entity, 0, '.$forcereload.', userid, token); } }); @@ -535,9 +536,9 @@ function ajax_constantonoff($code, $input = array(), $entity = null, $revertonof if (input.alert && input.alert.del) { if (input.alert.del.yesButton) yesButton = input.alert.del.yesButton; if (input.alert.del.noButton) noButton = input.alert.del.noButton; - confirmConstantAction("del", url, code, input, input.alert.del, entity, yesButton, noButton, strict, userid); + confirmConstantAction("del", url, code, input, input.alert.del, entity, yesButton, noButton, strict, userid, token); } else { - delConstant(url, code, input, entity, 0, '.$forcereload.', userid); + delConstant(url, code, input, entity, 0, '.$forcereload.', userid, token); } }); }); @@ -579,7 +580,8 @@ function ajax_object_onoff($object, $code, $field, $text_on, $text_off, $input = field: \''.$field.'\', value: \'1\', element: \''.$object->element.'\', - id: \''.$object->id.'\' + id: \''.$object->id.'\', + token: \''.newToken().'\' }, function() { $("#set_'.$code.'_'.$object->id.'").hide(); @@ -609,7 +611,8 @@ function ajax_object_onoff($object, $code, $field, $text_on, $text_off, $input = field: \''.$field.'\', value: \'0\', element: \''.$object->element.'\', - id: \''.$object->id.'\' + id: \''.$object->id.'\', + token: \''.newToken().'\' }, function() { $("#del_'.$code.'_'.$object->id.'").hide(); From a0b230fa46b7d063690cf80872efdd26ae401f8a Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 01:58:46 +0200 Subject: [PATCH 082/151] Fix #yogosha4534 --- htdocs/core/lib/functions.lib.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 5eb9d142c0c..51fb7ef62ea 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -606,9 +606,9 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null break; } - // Sanitizing for special var name. There is no reason to allow a backtopage to an external URL. + // Sanitizing for special parameters. There is no reason to allow the backtopage parameter to contains an external URL. if ($paramname == 'backtopage') { - $out = preg_replace(array('/\/\/+/', '/^[a-z]*:/'), '', $out); + $out = preg_replace(array('/[\\\/][\\\/]+/', '/^[a-z]*:/'), '', $out); } // Code for search criteria persistence. From 93b79561562887711d0d0c3751c4b9f279b6f9ac Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 02:12:08 +0200 Subject: [PATCH 083/151] Fix sanitizing of backtopage --- htdocs/core/lib/functions.lib.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 51fb7ef62ea..404bbc81ccc 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -608,7 +608,7 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null // Sanitizing for special parameters. There is no reason to allow the backtopage parameter to contains an external URL. if ($paramname == 'backtopage') { - $out = preg_replace(array('/[\\\/][\\\/]+/', '/^[a-z]*:/'), '', $out); + $out = preg_replace(array('!(\\\|/)+!', '/^[a-z]*:/'), '', $out); } // Code for search criteria persistence. From eb36c3f1444043001bfa19bfd70fbc13377fa959 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 02:27:32 +0200 Subject: [PATCH 084/151] Fix must use GETPOST --- htdocs/comm/mailing/card.php | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/htdocs/comm/mailing/card.php b/htdocs/comm/mailing/card.php index 26216c1ac01..13037b58769 100644 --- a/htdocs/comm/mailing/card.php +++ b/htdocs/comm/mailing/card.php @@ -462,14 +462,14 @@ if (empty($reshook)) { $mesgs = array(); - $object->email_from = trim($_POST["from"]); - $object->email_replyto = trim($_POST["replyto"]); - $object->email_errorsto = trim($_POST["errorsto"]); - $object->titre = trim($_POST["titre"]); - $object->sujet = trim($_POST["sujet"]); - $object->body = trim($_POST["bodyemail"]); - $object->bgcolor = trim($_POST["bgcolor"]); - $object->bgimage = trim($_POST["bgimage"]); + $object->email_from = GETPOST("from"); + $object->email_replyto = GETPOST("replyto"); + $object->email_errorsto = GETPOST("errorsto"); + $object->titre = GETPOST("titre"); + $object->sujet = GETPOST("sujet"); + $object->body = GETPOST("bodyemail", 'restricthtml'); + $object->bgcolor = GETPOST("bgcolor"); + $object->bgimage = GETPOST("bgimage"); if (!$object->titre) { $mesgs[] = $langs->trans("ErrorFieldRequired", $langs->transnoentities("MailTitle")); @@ -563,10 +563,10 @@ if (empty($reshook)) { $mesgs = array(); - $object->sujet = trim($_POST["sujet"]); - $object->body = trim($_POST["bodyemail"]); - $object->bgcolor = trim($_POST["bgcolor"]); - $object->bgimage = trim($_POST["bgimage"]); + $object->sujet = GETPOST("sujet"); + $object->body = GETPOST("bodyemail", 'restricthtml'); + $object->bgcolor = GETPOST("bgcolor"); + $object->bgimage = GETPOST("bgimage"); if (!$object->sujet) { $mesgs[] = $langs->trans("ErrorFieldRequired", $langs->transnoentities("MailTopic")); From 4a5ee7f04d0826c787a9a56429872c843ce95ff1 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 03:25:25 +0200 Subject: [PATCH 085/151] Better testSqlAndScriptInject (deal htmlentities encoded signatures) More phpunits on GETPOST --- htdocs/main.inc.php | 7 +++++-- htdocs/user/card.php | 14 +++++++------- test/phpunit/SecurityTest.php | 17 ++++++++++++----- 3 files changed, 24 insertions(+), 14 deletions(-) diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index ffa7c47bdff..c35ccbf5994 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -51,12 +51,15 @@ if (!empty($_SERVER['MAIN_SHOW_TUNING_INFO'])) /** * Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, PHP_SELF). * - * @param string $val Value + * @param string $val Value brut found int $_GET, $_POST or PHP_SELF * @param string $type 1=GET, 0=POST, 2=PHP_SELF, 3=GET without sql reserved keywords (the less tolerant test) * @return int >0 if there is an injection, 0 if none */ function testSqlAndScriptInject($val, $type) { + $val=html_entity_decode($val, ENT_QUOTES); // So email = preg_replace('/\s+/', '', GETPOST("email", 'alphanohtml')); - $object->job = GETPOST("job", 'nohtml'); + $object->job = GETPOST("job", 'alphanohtml'); $object->signature = GETPOST("signature", 'restricthtml'); $object->accountancy_code = GETPOST("accountancy_code", 'alphanohtml'); $object->note = GETPOST("note", 'restricthtml'); @@ -388,7 +388,7 @@ if (empty($reshook)) { } } $object->email = preg_replace('/\s+/', '', GETPOST("email", 'alphanohtml')); - $object->job = GETPOST("job", 'nohtml'); + $object->job = GETPOST("job", 'alphanohtml'); $object->signature = GETPOST("signature", 'restricthtml'); $object->accountancy_code = GETPOST("accountancy_code", 'alphanohtml'); $object->openid = GETPOST("openid", 'alphanohtml'); @@ -1183,7 +1183,7 @@ if ($action == 'create' || $action == 'adduserldap') // Position/Job print '
'.$langs->trans("PostOrFunction").''; print ''; - print '
'; if ((!empty($conf->salaries->enabled) && !empty($user->rights->salaries->read)) @@ -1570,7 +1570,7 @@ if ($action == 'create' || $action == 'adduserldap') // Position/Job print '
'.$langs->trans("PostOrFunction").''; - print ''.$object->job.''; + print ''.dol_escape_htmltag($object->job).''; print '
'."\n"; //$childids = $user->getAllChildIds(1); @@ -2606,10 +2606,10 @@ if ($action == 'create' || $action == 'adduserldap') print ''; if ($caneditfield) { - print ''; diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php index 161dcd935b3..6c4d2270d1a 100644 --- a/test/phpunit/SecurityTest.php +++ b/test/phpunit/SecurityTest.php @@ -173,11 +173,12 @@ class SecurityTest extends PHPUnit\Framework\TestCase $_GET["param1"]="222"; $_POST["param1"]="333"; $_GET["param2"]='a/b#e(pr)qq-rr\cc'; - $_GET["param3"]='"a/b#e(pr)qq-rr\cc'; // Same than param2 + " + $_GET["param3"]='"na/b#e(pr)qq-rr\cc'; // Same than param2 + " and n $_GET["param4"]='../dir'; $_GET["param5"]="a_1-b"; - $_POST["param6"]="">assertEquals($result, 'a/b#e(pr)qq-rr\cc'); + $this->assertEquals($result, 'na/b#e(pr)qq-rr\cc'); $result=GETPOST("param4", 'alpha'); // Must return string sanitized from ../ print __METHOD__." result=".$result."\n"; @@ -230,9 +231,15 @@ class SecurityTest extends PHPUnit\Framework\TestCase print __METHOD__." result=".$result."\n"; $this->assertEquals('">', $result); + // With restricthtml we must remove html open/close tag and content but not htmlentities like n $result=GETPOST("param7", 'restricthtml'); print __METHOD__." result=".$result."\n"; - $this->assertEquals('"c:\this is a path~1\aaa" abcdef', $result); + $this->assertEquals('"c:\this is a path~1\aaan" abcdef', $result); + + // With alphanohtml, we must convert the html entities like n + $result=GETPOST("param8", 'alphanohtml'); + print __METHOD__." result=".$result."\n"; + $this->assertEquals("Hacker Date: Sat, 19 Sep 2020 04:14:49 +0200 Subject: [PATCH 086/151] Clean code --- htdocs/core/lib/functions.lib.php | 81 ++++++++++++++++-------- htdocs/opensurvey/results.php | 19 +++--- htdocs/opensurvey/wizard/choix_autre.php | 21 +++--- 3 files changed, 77 insertions(+), 44 deletions(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 404bbc81ccc..8d1c14b378b 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -545,6 +545,59 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null } } + // Check rule + if ($check == 'array') { + if (!is_array($out) || empty($out)) { + $out = array(); + } else { + foreach($out as $outkey => $outval) { + $out[$outkey] = checkVal($outval, 'alphanohtml', $filter, $options); + } + } + } + else { + $out = checkVal($out, $check, $filter, $options); + } + + // Sanitizing for special parameters. There is no reason to allow the backtopage parameter to contains an external URL. + if ($paramname == 'backtopage') { + $out = preg_replace(array('!(\\\|/)+!', '/^[a-z]*:/'), '', $out); + } + + // Code for search criteria persistence. + // Save data into session if key start with 'search_' or is 'smonth', 'syear', 'month', 'year' + if (empty($method) || $method == 3 || $method == 4) + { + if (preg_match('/^search_/', $paramname) || in_array($paramname, array('sortorder', 'sortfield'))) + { + //var_dump($paramname.' - '.$out.' '.$user->default_values[$relativepathstring]['filters'][$paramname]); + + // We save search key only if $out not empty that means: + // - posted value not empty, or + // - if posted value is empty and a default value exists that is not empty (it means we did a filter to an empty value when default was not). + + if ($out != '') // $out = '0' or 'abc', it is a search criteria to keep + { + $user->lastsearch_values_tmp[$relativepathstring][$paramname] = $out; + } + } + } + + return $out; +} + + +/** + * Return a value after checking on a rule. + * + * @param string $out Value to get/check + * @param string $check Type of check + * @param int $filter Filter to apply when $check is set to 'custom'. (See http://php.net/manual/en/filter.filters.php for détails) + * @param mixed $options Options to pass to filter_var when $check is set to 'custom' + * @return string|array Value found (string or array), or '' if check fails + */ +function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options = null) +{ // Check is done after replacement switch ($check) { @@ -580,9 +633,6 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null if (preg_match('/[^a-z0-9_\-\.,]+/i', $out)) $out = ''; } break; - case 'array': - if (!is_array($out) || empty($out)) $out = array(); - break; case 'nohtml': $out = dol_string_nohtmltag($out, 0); break; @@ -606,34 +656,11 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null break; } - // Sanitizing for special parameters. There is no reason to allow the backtopage parameter to contains an external URL. - if ($paramname == 'backtopage') { - $out = preg_replace(array('!(\\\|/)+!', '/^[a-z]*:/'), '', $out); - } - - // Code for search criteria persistence. - // Save data into session if key start with 'search_' or is 'smonth', 'syear', 'month', 'year' - if (empty($method) || $method == 3 || $method == 4) - { - if (preg_match('/^search_/', $paramname) || in_array($paramname, array('sortorder', 'sortfield'))) - { - //var_dump($paramname.' - '.$out.' '.$user->default_values[$relativepathstring]['filters'][$paramname]); - - // We save search key only if $out not empty that means: - // - posted value not empty, or - // - if posted value is empty and a default value exists that is not empty (it means we did a filter to an empty value when default was not). - - if ($out != '') // $out = '0' or 'abc', it is a search criteria to keep - { - $user->lastsearch_values_tmp[$relativepathstring][$paramname] = $out; - } - } - } - return $out; } + if (!function_exists('dol_getprefix')) { /** diff --git a/htdocs/opensurvey/results.php b/htdocs/opensurvey/results.php index be252188190..3327800527d 100644 --- a/htdocs/opensurvey/results.php +++ b/htdocs/opensurvey/results.php @@ -58,7 +58,7 @@ if (GETPOST('retoursondage')) { $nbcolonnes = substr_count($object->sujet, ',') + 1; // Add vote -if (GETPOST("boutonp") || GETPOST("boutonp.x") || GETPOST("boutonp_x")) // boutonp for chrom, boutonp.x for firefox +if (GETPOST("boutonp") || GETPOST("boutonp.x") || GETPOST("boutonp_x")) // boutonp for chrome, boutonp.x for firefox { if (GETPOST('nom')) { @@ -158,7 +158,7 @@ if (GETPOST("ajoutercolonne") && GETPOST('nouvellecolonne') && $object->format = //on rajoute la valeur a la fin de tous les sujets deja entrés $nouveauxsujets .= ','; - $nouveauxsujets .= str_replace(array(",", "@"), " ", $_POST["nouvellecolonne"]).(empty($_POST["typecolonne"]) ? '' : '@'.$_POST["typecolonne"]); + $nouveauxsujets .= str_replace(array(",", "@"), " ", GETPOST("nouvellecolonne")).(empty($_POST["typecolonne"]) ? '' : '@'.GETPOST("typecolonne")); //mise a jour avec les nouveaux sujets dans la base $sql = 'UPDATE '.MAIN_DB_PREFIX."opensurvey_sondage"; @@ -186,21 +186,21 @@ if (isset($_POST["ajoutercolonne"]) && $object->format == "D") if (isset($_POST["nouvelleheuredebut"]) && $_POST["nouvelleheuredebut"] != "vide") { $nouvelledate .= "@"; - $nouvelledate .= $_POST["nouvelleheuredebut"]; + $nouvelledate .= GETPOST("nouvelleheuredebut"); $nouvelledate .= "h"; if ($_POST["nouvelleminutedebut"] != "vide") { - $nouvelledate .= $_POST["nouvelleminutedebut"]; + $nouvelledate .= GETPOST("nouvelleminutedebut"); } } if (isset($_POST["nouvelleheurefin"]) && $_POST["nouvelleheurefin"] != "vide") { $nouvelledate .= "-"; - $nouvelledate .= $_POST["nouvelleheurefin"]; + $nouvelledate .= GETPOST("nouvelleheurefin"); $nouvelledate .= "h"; if ($_POST["nouvelleminutefin"] != "vide") { - $nouvelledate .= $_POST["nouvelleminutefin"]; + $nouvelledate .= GETPOST("nouvelleminutefin"); } } @@ -451,7 +451,10 @@ print ''; // Expire date print '
'.$langs->trans('ExpireDate').''; if ($action == 'edit') print $form->selectDate($expiredate ? $expiredate : $object->date_fin, 'expire', 0, 0, 0, '', 1, 0); -else print dol_print_date($object->date_fin, 'day'); +else { + print dol_print_date($object->date_fin, 'day'); + if ($object->date_fin && $object->date_fin < dol_now() && $object->status == Opensurveysondage::STATUS_VALIDATED) print img_warning($langs->trans("Expired")); +} print '
'; // Author @@ -1015,7 +1018,7 @@ if ($nbofcheckbox >= 2) } // S'il a oublié de remplir un nom -if (isset($_POST["boutonp"]) && $_POST["nom"] == "") { +if (GETPOSTISSET("boutonp") && GETPOST("nom") == "") { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Name")), null, 'errors'); } diff --git a/htdocs/opensurvey/wizard/choix_autre.php b/htdocs/opensurvey/wizard/choix_autre.php index 5819d901ec9..6b39a70d5e9 100644 --- a/htdocs/opensurvey/wizard/choix_autre.php +++ b/htdocs/opensurvey/wizard/choix_autre.php @@ -36,14 +36,17 @@ if (!$user->rights->opensurvey->write) accessforbidden(); * Action */ +$arrayofchoices = GETPOST('choix', 'array'); +$arrayoftypecolumn = GETPOST('typecolonne', 'array'); + // Set session vars if (isset($_SESSION["nbrecases"])) { for ($i = 0; $i < $_SESSION["nbrecases"]; $i++) { - if (isset($_POST["choix"][$i])) { - $_SESSION["choix$i"] = $_POST["choix"][$i]; + if (isset($arrayofchoices[$i])) { + $_SESSION["choix$i"] = $arrayofchoices[$i]; } - if (isset($_POST["typecolonne"][$i])) { - $_SESSION["typecolonne$i"] = $_POST["typecolonne"][$i]; + if (isset($arrayoftypecolumn[$i])) { + $_SESSION["typecolonne$i"] = $arrayoftypecolumn[$i]; } } } else { //nombre de cases par défaut @@ -56,16 +59,16 @@ if (GETPOST("ajoutcases") || GETPOST("ajoutcases_x")) } // Create survey into database -if (isset($_POST["confirmecreation"])) +if (GETPOSTISSET("confirmecreation")) { //recuperation des données de champs textes $toutchoix = ''; for ($i = 0; $i < $_SESSION["nbrecases"] + 1; $i++) { - if (!empty($_POST["choix"][$i])) + if (!empty($arrayofchoices[$i])) { $toutchoix .= ','; - $toutchoix .= str_replace(array(",", "@"), " ", $_POST["choix"][$i]).(empty($_POST["typecolonne"][$i]) ? '' : '@'.$_POST["typecolonne"][$i]); + $toutchoix .= str_replace(array(",", "@"), " ", $arrayofchoices[$i]).(empty($arrayoftypecolumn[$i]) ? '' : '@'.$arrayoftypecolumn[$i]); } } @@ -76,7 +79,7 @@ if (isset($_POST["confirmecreation"])) $testremplissage = ''; for ($i = 0; $i < $_SESSION["nbrecases"]; $i++) { - if (isset($_POST["choix"][$i])) + if (isset($arrayofchoices[$i])) { $testremplissage = "ok"; } @@ -94,7 +97,7 @@ if (isset($_POST["confirmecreation"])) } } - +var_dump($_SESSION);exit; /* From 46eb78cd41a37bac172101520042afc2ca48b980 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 04:18:51 +0200 Subject: [PATCH 087/151] Fix escape --- htdocs/public/opensurvey/studs.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/public/opensurvey/studs.php b/htdocs/public/opensurvey/studs.php index 358bf2aa1c6..8b2e8663dac 100644 --- a/htdocs/public/opensurvey/studs.php +++ b/htdocs/public/opensurvey/studs.php @@ -390,7 +390,7 @@ if ($object->format == "D") for ($i = 0; isset($toutsujet[$i]); $i++) { $tmp = explode('@', $toutsujet[$i]); - print ''.$tmp[0].''."\n"; + print ''.dol_escape_htmltag($tmp[0]).''."\n"; } print ''."\n"; From b1985950a6224405a6a6a7798c6fe0cc18dcb863 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 12:50:47 +0200 Subject: [PATCH 088/151] Use POST to make the ajax set/del constant --- htdocs/admin/system/dolibarr.php | 9 ++++++++- htdocs/admin/tools/listevents.php | 14 ++++++++++++++ htdocs/core/ajax/check_notifications.php | 2 +- htdocs/core/ajax/constantonoff.php | 4 +++- htdocs/core/js/lib_head.js.php | 8 ++++---- htdocs/core/lib/ajax.lib.php | 2 +- htdocs/langs/en_US/admin.lang | 2 +- htdocs/main.inc.php | 6 ++---- 8 files changed, 34 insertions(+), 13 deletions(-) diff --git a/htdocs/admin/system/dolibarr.php b/htdocs/admin/system/dolibarr.php index 55a46e9f347..1f34c23c8dc 100644 --- a/htdocs/admin/system/dolibarr.php +++ b/htdocs/admin/system/dolibarr.php @@ -395,7 +395,14 @@ foreach ($configfileparameters as $key => $value) $valuetoshow = ${$newkey}; if (empty($valuetoshow)) { - print img_warning($langs->trans('SwitchThisForABetterSecurity')); + print img_warning($langs->trans('SwitchThisForABetterSecurity', 1)); + } + } elseif ($newkey == 'dolibarr_nocsrfcheck') { + print ${$newkey}; + + $valuetoshow = ${$newkey}; + if (!empty($valuetoshow)) { + print img_warning($langs->trans('SwitchThisForABetterSecurity', 0)); } } else { print ${$newkey}; diff --git a/htdocs/admin/tools/listevents.php b/htdocs/admin/tools/listevents.php index 23cd5fb5f0a..84fe534f473 100644 --- a/htdocs/admin/tools/listevents.php +++ b/htdocs/admin/tools/listevents.php @@ -235,6 +235,20 @@ if ($result) print $form->formconfirm($_SERVER["PHP_SELF"].'?noparam=noparam', $langs->trans('PurgeAuditEvents'), $langs->trans('ConfirmPurgeAuditEvents'), 'confirm_purge', $formquestion, 'no', 1); } + // Check some parameters + // TODO Add a tab with this and other information + /* + global $dolibarr_main_prod, $dolibarr_nocsrfcheck; + if (empty($dolibarr_main_prod)) { + print $langs->trans("Warning").' dolibarr_main_prod = '.$dolibarr_main_prod; + print ' '.img_warning($langs->trans('SwitchThisForABetterSecurity', 1)).'
'; + } + if (!empty($dolibarr_nocsrfcheck)) { + print $langs->trans("Warning").' dolibarr_nocsrfcheck = '.$dolibarr_nocsrfcheck; + print ' '.img_warning($langs->trans('SwitchThisForABetterSecurity', 0)).'
'; + } + */ + print '
'; print ''; diff --git a/htdocs/core/ajax/check_notifications.php b/htdocs/core/ajax/check_notifications.php index f8a30e69aa9..098ac586ce1 100644 --- a/htdocs/core/ajax/check_notifications.php +++ b/htdocs/core/ajax/check_notifications.php @@ -101,7 +101,7 @@ $eventfound = array(); //dol_syslog('time='.$time.' $_SESSION[auto_ck_events_not_before]='.$_SESSION['auto_check_events_not_before']); // TODO Try to make a solution with only a javascript timer that is easier. Difficulty is to avoid notification twice when several tabs are opened. -// This need to extend period to be sure to not miss and save in session what we notified to avoid duplicate (save is not done yet). +// This need to extend period to be sure to not miss and save in session what we notified to avoid duplicate. if ($time >= $_SESSION['auto_check_events_not_before'] || GETPOST('forcechecknow', 'int')) { $time_update = (int) $conf->global->MAIN_BROWSER_NOTIFICATION_FREQUENCY; // Always defined diff --git a/htdocs/core/ajax/constantonoff.php b/htdocs/core/ajax/constantonoff.php index 456542e331e..f7aab4d02e0 100644 --- a/htdocs/core/ajax/constantonoff.php +++ b/htdocs/core/ajax/constantonoff.php @@ -46,7 +46,7 @@ top_httphead(); //print ''."\n"; -// Registering the location of boxes +// Registering the new value of constant if (!empty($action) && !empty($name)) { $entity = GETPOST('entity', 'int'); @@ -62,4 +62,6 @@ if (!empty($action) && !empty($name)) dolibarr_del_const($db, $name, $entity); } } +} else { + http_response_code(403); } diff --git a/htdocs/core/js/lib_head.js.php b/htdocs/core/js/lib_head.js.php index 3521c3ed0f4..b95d3d18f6c 100644 --- a/htdocs/core/js/lib_head.js.php +++ b/htdocs/core/js/lib_head.js.php @@ -529,7 +529,7 @@ function hideMessage(fieldId,message) { * @param string token Token */ function setConstant(url, code, input, entity, strict, forcereload, userid, token) { - $.get( url, { + $.post( url, { action: "set", name: code, entity: entity, @@ -585,7 +585,7 @@ function setConstant(url, code, input, entity, strict, forcereload, userid, toke if (forcereload) { location.reload(); } - }); + }).fail(function(error) { location.reload(); }); /* When it fails, we always force reload to have setEventErrorMEssage in session visible */ } /* @@ -602,7 +602,7 @@ function setConstant(url, code, input, entity, strict, forcereload, userid, toke * @param string token Token */ function delConstant(url, code, input, entity, strict, forcereload, userid, token) { - $.get( url, { + $.post( url, { action: "del", name: code, entity: entity, @@ -654,7 +654,7 @@ function delConstant(url, code, input, entity, strict, forcereload, userid, toke if (forcereload) { location.reload(); } - }); + }).fail(function(error) { location.reload(); }); /* When it fails, we always force reload to have setEventErrorMEssage in session visible */ } /* diff --git a/htdocs/core/lib/ajax.lib.php b/htdocs/core/lib/ajax.lib.php index 55280d87388..6b77003e52e 100644 --- a/htdocs/core/lib/ajax.lib.php +++ b/htdocs/core/lib/ajax.lib.php @@ -518,7 +518,7 @@ function ajax_constantonoff($code, $input = array(), $entity = null, $revertonof var userid = \''.$user->id.'\'; var yesButton = \''.dol_escape_js($langs->transnoentities("Yes")).'\'; var noButton = \''.dol_escape_js($langs->transnoentities("No")).'\'; - var token = \''.newToken().'\'; + var token = \''.currentToken().'\'; // Set constant $("#set_" + code).click(function() { diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang index df50afc69ac..4c529329c4c 100644 --- a/htdocs/langs/en_US/admin.lang +++ b/htdocs/langs/en_US/admin.lang @@ -2056,4 +2056,4 @@ TemplateAdded=Template added TemplateUpdated=Template updated TemplateDeleted=Template deleted MailToSendEventPush=Template for event reminder emails -SwitchThisForABetterSecurity=Switching this value to 1 is recommended for more security +SwitchThisForABetterSecurity=Switching this value to %s is recommended for more security diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index c35ccbf5994..94b0d0bbad5 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -348,10 +348,9 @@ if (!defined('NOTOKENRENEWAL')) $_SESSION['newtoken'] = $token; } -//var_dump(GETPOST('token').' '.$_SESSION['token'].' - '.newToken().' '.$_SERVER['SCRIPT_FILENAME']); +//dol_syslog("aaaa - ".defined('NOCSRFCHECK')." - ".$dolibarr_nocsrfcheck." - ".$conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN." - ".$_SERVER['REQUEST_METHOD']." - ".GETPOST('token', 'alpha').' '.$_SESSION['token']); //$dolibarr_nocsrfcheck=1; // Check token -//var_dump((! defined('NOCSRFCHECK')).' '.empty($dolibarr_nocsrfcheck).' '.(! empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN)).' '.$_SERVER['REQUEST_METHOD'].' '.(! GETPOSTISSET('token'))); if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && !empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN)) || defined('CSRFCHECK_WITH_TOKEN')) // Check validity of token, only if option MAIN_SECURITY_CSRF_WITH_TOKEN enabled or if constant CSRFCHECK_WITH_TOKEN is set { @@ -939,8 +938,7 @@ if (!defined('NOLOGIN')) $user->getrights(); } - -dol_syslog("--- Access to ".$_SERVER["PHP_SELF"].' - action='.GETPOST('action', 'aZ09').', massaction='.GETPOST('massaction', 'aZ09')); +dol_syslog("--- Access to ".$_SERVER["REQUEST_METHOD"].' '.$_SERVER["PHP_SELF"].' - action='.GETPOST('action', 'aZ09').', massaction='.GETPOST('massaction', 'aZ09')); //Another call for easy debugg //dol_syslog("Access to ".$_SERVER["PHP_SELF"].' GET='.join(',',array_keys($_GET)).'->'.join(',',$_GET).' POST:'.join(',',array_keys($_POST)).'->'.join(',',$_POST)); From 0355dc03d837915ac4120adc2ffcaa6aa738793d Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 13:04:23 +0200 Subject: [PATCH 089/151] More secured constantonoff.php --- htdocs/core/ajax/constantonoff.php | 4 +++- htdocs/core/js/lib_notification.js.php | 5 +++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/htdocs/core/ajax/constantonoff.php b/htdocs/core/ajax/constantonoff.php index f7aab4d02e0..710759e10bb 100644 --- a/htdocs/core/ajax/constantonoff.php +++ b/htdocs/core/ajax/constantonoff.php @@ -26,13 +26,15 @@ if (!defined('NOREQUIREHTML')) define('NOREQUIREHTML', '1'); if (!defined('NOREQUIREAJAX')) define('NOREQUIREAJAX', '1'); if (!defined('NOREQUIRESOC')) define('NOREQUIRESOC', '1'); if (!defined('NOREQUIRETRAN')) define('NOREQUIRETRAN', '1'); +if (!defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Token is required even in GET mode require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; -$action = GETPOST('action', 'aZ09'); +$action = GETPOST('action', 'aZ09'); // set or del $name = GETPOST('name', 'alpha'); + /* * View */ diff --git a/htdocs/core/js/lib_notification.js.php b/htdocs/core/js/lib_notification.js.php index 50d3f7f3268..8aef30a1180 100644 --- a/htdocs/core/js/lib_notification.js.php +++ b/htdocs/core/js/lib_notification.js.php @@ -50,7 +50,8 @@ if (!($_SERVER['HTTP_REFERER'] === $dolibarr_main_url_root.'/' || $_SERVER['HTTP /* Launch timer */ // We set a delay before launching first test so next check will arrive after the time_auto_update compared to previous one. - var time_first_execution = (time_auto_update - (nowtime - time_js_next_test)) * 1000; //need milliseconds + //var time_first_execution = (time_auto_update + (time_js_next_test - nowtime)) * 1000; //need milliseconds + var time_first_execution = global->MAIN_BROWSER_NOTIFICATION_CHECK_FIRST_EXECUTION); ?>; if (login != '') { console.log("Launch browser notif check: setTimeout is set to launch 'first_execution' function after a wait of time_first_execution="+time_first_execution+". nowtime (time php page generation) = "+nowtime+" time_js_next_test = "+time_js_next_test+" time_auto_update="+time_auto_update); setTimeout(first_execution, time_first_execution); @@ -139,7 +140,7 @@ if (!($_SERVER['HTTP_REFERER'] === $dolibarr_main_url_root.'/' || $_SERVER['HTTP } else { - console.log("Cancel check_events. Useless because javascript Notification.permission is "+Notification.permission+"."); + console.log("Cancel check_events. Useless because javascript Notification.permission is "+Notification.permission+" (blocked manualy or web site is not https)."); } time_js_next_test += time_auto_update; From 09f23c1d8472a20cc7d6645004b80af2973bb82d Mon Sep 17 00:00:00 2001 From: bahfir abbes Date: Wed, 16 Sep 2020 10:48:06 +0100 Subject: [PATCH 090/151] fix:remove deleted user params --- htdocs/user/class/user.class.php | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php index 53a7abe5dac..8c3cdf4ac10 100644 --- a/htdocs/user/class/user.class.php +++ b/htdocs/user/class/user.class.php @@ -1038,6 +1038,14 @@ class User extends CommonObject $this->error = $this->db->lasterror(); } + // Remove params + $sql = "DELETE FROM ".MAIN_DB_PREFIX."user_param WHERE fk_user = ".$this->id; + if (!$error && !$this->db->query($sql)) + { + $error++; + $this->error = $this->db->lasterror(); + } + // If contact, remove link if ($this->contact_id > 0) { From 3bd94d52a15c2f919d69bf0fdcd38afc9ca6c38e Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 15:15:49 +0200 Subject: [PATCH 091/151] Fix css --- htdocs/core/lib/functions.lib.php | 4 ++-- htdocs/fourn/commande/list.php | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 8d1c14b378b..d5da3fb86d8 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -4081,11 +4081,11 @@ function getTitleFieldOfList($name, $thead = 0, $file = "", $field = "", $begin // Example if (sortfield,field)=("nom","xxx.nom") or (sortfield,field)=("nom","nom") if ($field1 && ($sortfield1 == $field1 || $sortfield1 == preg_replace("/^[^\.]+\./", "", $field1))) { $out .= '<'.$tag.' class="'.$prefix.'liste_titre_sel" '.$moreattrib; - $out .= (($field && empty($conf->global->MAIN_DISABLE_WRAPPING_ON_COLUMN_TITLE) && preg_match('/^[a-zA-Z_0-9\s\.\-:]*$/', $name)) ? ' title="'.dol_escape_htmltag($langs->trans($name)).'"' : ''); + $out .= (($field && empty($conf->global->MAIN_DISABLE_WRAPPING_ON_COLUMN_TITLE) && preg_match('/^[a-zA-Z_0-9\s\.\-:&;]*$/', $name)) ? ' title="'.dol_escape_htmltag($langs->trans($name)).'"' : ''); $out .= '>'; } else { $out .= '<'.$tag.' class="'.$prefix.'liste_titre" '.$moreattrib; - $out .= (($field && empty($conf->global->MAIN_DISABLE_WRAPPING_ON_COLUMN_TITLE) && preg_match('/^[a-zA-Z_0-9\s\.\-:]*$/', $name)) ? ' title="'.dol_escape_htmltag($langs->trans($name)).'"' : ''); + $out .= (($field && empty($conf->global->MAIN_DISABLE_WRAPPING_ON_COLUMN_TITLE) && preg_match('/^[a-zA-Z_0-9\s\.\-:&;]*$/', $name)) ? ' title="'.dol_escape_htmltag($langs->trans($name)).'"' : ''); $out .= '>'; } diff --git a/htdocs/fourn/commande/list.php b/htdocs/fourn/commande/list.php index 23da4aecedd..c12a4fb0904 100644 --- a/htdocs/fourn/commande/list.php +++ b/htdocs/fourn/commande/list.php @@ -137,7 +137,7 @@ if (empty($user->socid)) $fieldstosearchall["cf.note_private"] = "NotePrivate"; $checkedtypetiers = 0; $arrayfields = array( 'cf.ref'=>array('label'=>$langs->trans("Ref"), 'checked'=>1), - 'cf.ref_supplier'=>array('label'=>$langs->trans("RefOrderSupplierShort"), 'checked'=>1, 'enabled'=>1), + 'cf.ref_supplier'=>array('label'=>$langs->trans("RefOrderSupplierShort"), 'checked'=>1, 'enabled'=>1, 'css'=>'tdoverflowmaxwidth100'), 'p.project_ref'=>array('label'=>$langs->trans("ProjectRef"), 'checked'=>0, 'enabled'=>1), 'u.login'=>array('label'=>$langs->trans("AuthorRequest"), 'checked'=>1), 's.nom'=>array('label'=>$langs->trans("ThirdParty"), 'checked'=>1), @@ -771,17 +771,17 @@ if ($resql) // Ref if (!empty($arrayfields['cf.ref']['checked'])) { - print ''; + print ''; } // Ref customer if (!empty($arrayfields['cf.ref_supplier']['checked'])) { - print ''; + print ''; } // Project ref if (!empty($arrayfields['p.project_ref']['checked'])) { - print ''; + print ''; } // Request author if (!empty($arrayfields['u.login']['checked'])) @@ -937,7 +937,7 @@ if ($resql) print ''; if (!empty($arrayfields['cf.ref']['checked'])) print_liste_field_titre($arrayfields['cf.ref']['label'], $_SERVER["PHP_SELF"], "cf.ref", "", $param, '', $sortfield, $sortorder); - if (!empty($arrayfields['cf.ref_supplier']['checked'])) print_liste_field_titre($arrayfields['cf.ref_supplier']['label'], $_SERVER["PHP_SELF"], "cf.ref_supplier", "", $param, '', $sortfield, $sortorder); + if (!empty($arrayfields['cf.ref_supplier']['checked'])) print_liste_field_titre($arrayfields['cf.ref_supplier']['label'], $_SERVER["PHP_SELF"], "cf.ref_supplier", "", $param, '', $sortfield, $sortorder, 'tdoverflowmax100imp '); if (!empty($arrayfields['p.project_ref']['checked'])) print_liste_field_titre($arrayfields['p.project_ref']['label'], $_SERVER["PHP_SELF"], "p.ref", "", $param, '', $sortfield, $sortorder); if (!empty($arrayfields['u.login']['checked'])) print_liste_field_titre($arrayfields['u.login']['label'], $_SERVER["PHP_SELF"], "u.login", "", $param, '', $sortfield, $sortorder); if (!empty($arrayfields['s.nom']['checked'])) print_liste_field_titre($arrayfields['s.nom']['label'], $_SERVER["PHP_SELF"], "s.nom", "", $param, '', $sortfield, $sortorder); From 7c50cc9c72ab783bb2dae0b69296845540be3f2a Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 15:17:50 +0200 Subject: [PATCH 092/151] css --- htdocs/fourn/commande/list.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/fourn/commande/list.php b/htdocs/fourn/commande/list.php index c12a4fb0904..f1a9486c232 100644 --- a/htdocs/fourn/commande/list.php +++ b/htdocs/fourn/commande/list.php @@ -137,7 +137,7 @@ if (empty($user->socid)) $fieldstosearchall["cf.note_private"] = "NotePrivate"; $checkedtypetiers = 0; $arrayfields = array( 'cf.ref'=>array('label'=>$langs->trans("Ref"), 'checked'=>1), - 'cf.ref_supplier'=>array('label'=>$langs->trans("RefOrderSupplierShort"), 'checked'=>1, 'enabled'=>1, 'css'=>'tdoverflowmaxwidth100'), + 'cf.ref_supplier'=>array('label'=>$langs->trans("RefOrderSupplierShort"), 'checked'=>1, 'enabled'=>1), 'p.project_ref'=>array('label'=>$langs->trans("ProjectRef"), 'checked'=>0, 'enabled'=>1), 'u.login'=>array('label'=>$langs->trans("AuthorRequest"), 'checked'=>1), 's.nom'=>array('label'=>$langs->trans("ThirdParty"), 'checked'=>1), From c6e66d1651b40c4f4412f859a0f687bf2c3a2382 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 16:05:55 +0200 Subject: [PATCH 093/151] Fixes --- htdocs/core/js/lib_notification.js.php | 26 +++++++++++++------------- htdocs/main.inc.php | 1 + 2 files changed, 14 insertions(+), 13 deletions(-) diff --git a/htdocs/core/js/lib_notification.js.php b/htdocs/core/js/lib_notification.js.php index 8aef30a1180..277bd5b4904 100644 --- a/htdocs/core/js/lib_notification.js.php +++ b/htdocs/core/js/lib_notification.js.php @@ -39,7 +39,7 @@ if (!($_SERVER['HTTP_REFERER'] === $dolibarr_main_url_root.'/' || $_SERVER['HTTP print 'var login = \''.$_SESSION['dol_login'].'\';'."\n"; print 'var nowtime = Date.now();'; print 'var time_auto_update = '.$conf->global->MAIN_BROWSER_NOTIFICATION_FREQUENCY.';'."\n"; // Always defined - print 'var time_js_next_test = (nowtime + time_auto_update);'."\n"; + print 'var time_js_next_test;'."\n"; ?> /* Check if permission ok */ @@ -53,25 +53,28 @@ if (!($_SERVER['HTTP_REFERER'] === $dolibarr_main_url_root.'/' || $_SERVER['HTTP //var time_first_execution = (time_auto_update + (time_js_next_test - nowtime)) * 1000; //need milliseconds var time_first_execution = global->MAIN_BROWSER_NOTIFICATION_CHECK_FIRST_EXECUTION); ?>; if (login != '') { - console.log("Launch browser notif check: setTimeout is set to launch 'first_execution' function after a wait of time_first_execution="+time_first_execution+". nowtime (time php page generation) = "+nowtime+" time_js_next_test = "+time_js_next_test+" time_auto_update="+time_auto_update); - setTimeout(first_execution, time_first_execution); + setTimeout(first_execution, time_first_execution * 1000); + time_js_next_test = nowtime + time_first_execution; + console.log("Launch browser notif check: setTimeout is set to launch 'first_execution' function after a wait of time_first_execution="+time_first_execution+". nowtime (time php page generation) = "+nowtime+" time_js_next_check = "+time_js_next_test); } //first run auto check function first_execution() { - console.log("Call first_execution time_auto_update (MAIN_BROWSER_NOTIFICATION_FREQUENCY) = "+time_auto_update); - check_events(); //one check before launching timer to launch other checks - setInterval(check_events, time_auto_update * 1000); //program time to run next check events + console.log("Call first_execution then set repeat time to time_auto_update = MAIN_BROWSER_NOTIFICATION_FREQUENCY = "+time_auto_update); + check_events(); //one check before setting the new time for other checks + setInterval(check_events, time_auto_update * 1000); // Set new time to run next check events } function check_events() { if (Notification.permission === "granted") { - console.log("Call check_events time_js_next_test = date we are looking for event after this date = "+time_js_next_test); + time_js_next_test += time_auto_update; + console.log("Call ajax to check_events with time_js_next_test = "+time_js_next_test); + $.ajax("", { type: "post", // Usually post or get async: true, - data: {time: time_js_next_test}, + data: { time_js_next_test: time_js_next_test }, success: function (result) { var arr = JSON.parse(result); if (arr.length > 0) { @@ -130,9 +133,9 @@ if (!($_SERVER['HTTP_REFERER'] === $dolibarr_main_url_root.'/' || $_SERVER['HTTP // Update status of all notifications we sent on browser (listofreminderids) console.log("Flag notification as done for listofreminderids="+listofreminderids); $.ajax(""+listofreminderids, { - type: "get", // Usually post or get + type: "post", // Usually post or get async: true, - data: {time: time_js_next_test} + data: { time_js_next_test: time_js_next_test } }); } } @@ -142,9 +145,6 @@ if (!($_SERVER['HTTP_REFERER'] === $dolibarr_main_url_root.'/' || $_SERVER['HTTP { console.log("Cancel check_events. Useless because javascript Notification.permission is "+Notification.permission+" (blocked manualy or web site is not https)."); } - - time_js_next_test += time_auto_update; - console.log('Updated time_js_next_test. New value is '+time_js_next_test); } gl //if ($conf->global->MAIN_FEATURES_LEVEL >= 1) setEventMessages('Unset POST and GET params by CSRF protection in main.inc.php (Token provided was not generated by the previous page).'."
\n".'$_SERVER[REQUEST_URI] = '.$_SERVER['REQUEST_URI'].' $_SERVER[REQUEST_METHOD] = '.$_SERVER['REQUEST_METHOD'].' GETPOST(token) = '.GETPOST('token', 'alpha').' $_SESSION[token] = '.$_SESSION['token'], null, 'warnings'); unset($_POST); unset($_GET['confirm']); + unset($_GET['action']); } } From 55a0e5f2e787aa26bf529acfe70f83572fdab297 Mon Sep 17 00:00:00 2001 From: andreubisquerra Date: Sat, 19 Sep 2020 17:12:41 +0200 Subject: [PATCH 094/151] Avoid errors when Weighing Scale from the cloud in TakePOS --- htdocs/takepos/index.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/takepos/index.php b/htdocs/takepos/index.php index 3376023b8b6..f2a37953cfa 100644 --- a/htdocs/takepos/index.php +++ b/htdocs/takepos/index.php @@ -751,7 +751,7 @@ function WeighingScale(){ console.log("Weighing Scale"); $.ajax({ type: "POST", - url: 'global->TAKEPOS_PRINT_SERVER; ?>/scale', + url: 'global->TAKEPOS_PRINT_SERVER; ?>/scale/index.php', }) .done(function( editnumber ) { $("#poslines").load("invoice.php?action=updateqty&place="+place+"&idline="+selectedline+"&number="+editnumber, function() { From 673e1fe5aad6cb2faf264e170b07072af381763e Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 18:01:06 +0200 Subject: [PATCH 095/151] Fix #yogosha4539 --- htdocs/main.inc.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 9334b0cb564..e584ad48a42 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -57,7 +57,9 @@ if (!empty($_SERVER['MAIN_SHOW_TUNING_INFO'])) */ function testSqlAndScriptInject($val, $type) { - $val=html_entity_decode($val, ENT_QUOTES); // So Date: Sat, 19 Sep 2020 18:40:00 +0200 Subject: [PATCH 096/151] Neutral message if login / email exists #yohosha4542 --- htdocs/langs/en_US/users.lang | 2 ++ htdocs/user/passwordforgotten.php | 21 ++++++++++++++++++--- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/htdocs/langs/en_US/users.lang b/htdocs/langs/en_US/users.lang index 37ad1c0fc0d..7e81efd0d16 100644 --- a/htdocs/langs/en_US/users.lang +++ b/htdocs/langs/en_US/users.lang @@ -46,6 +46,8 @@ RemoveFromGroup=Remove from group PasswordChangedAndSentTo=Password changed and sent to %s. PasswordChangeRequest=Request to change password for %s PasswordChangeRequestSent=Request to change password for %s sent to %s. +IfLoginExistPasswordRequestSent=If this login is a valid account, an email to reset password has been sent. +IfEmailExistPasswordRequestSent=If this email is a valid account, an email to reset password has been sent. ConfirmPasswordReset=Confirm password reset MenuUsersAndGroups=Users & Groups LastGroupsCreated=Latest %s groups created diff --git a/htdocs/user/passwordforgotten.php b/htdocs/user/passwordforgotten.php index 03225e85866..96497492a15 100644 --- a/htdocs/user/passwordforgotten.php +++ b/htdocs/user/passwordforgotten.php @@ -100,16 +100,24 @@ if ($action == 'buildnewpassword' && $username) { $message = '
'.$langs->trans("ErrorBadValueForCode").'
'; } else { + $isanemail = preg_match('/@/', $username); + $edituser = new User($db); $result = $edituser->fetch('', $username, '', 1); - if ($result == 0 && preg_match('/@/', $username)) + if ($result == 0 && $isanemail) { $result = $edituser->fetch('', '', '', 1, -1, $username); } if ($result <= 0 && $edituser->error == 'USERNOTFOUND') { - $message = '
'.$langs->trans("ErrorLoginDoesNotExists", $username).'
'; + $message = ''; $username = ''; } else { if (!$edituser->email) @@ -125,7 +133,14 @@ if ($action == 'buildnewpassword' && $username) // Success if ($edituser->send_password($user, $newpassword, 1) > 0) { - $message = ''; + $message = ''; $username = ''; } else { $message .= '
'.$edituser->error.'
'; From 7dd69a2b2b0cb2aa6009491e57cb87022b5156f0 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 20:11:04 +0200 Subject: [PATCH 097/151] Fix escape --- htdocs/accountancy/admin/account.php | 10 +++--- htdocs/accountancy/admin/accountmodel.php | 20 +++++------ htdocs/accountancy/admin/categories_list.php | 12 +++---- htdocs/accountancy/admin/journals_list.php | 12 +++---- htdocs/accountancy/admin/productaccount.php | 14 ++++---- .../thirdparty_lettering_customer.php | 2 +- .../thirdparty_lettering_supplier.php | 2 +- .../class/accountancyexport.class.php | 3 +- .../class/accountancysystem.class.php | 2 +- .../class/accountingjournal.class.php | 2 +- .../accountancy/class/bookkeeping.class.php | 16 ++++----- htdocs/accountancy/class/lettering.class.php | 34 +++++++++---------- htdocs/accountancy/customer/index.php | 10 +++--- htdocs/accountancy/customer/list.php | 10 +++--- htdocs/accountancy/expensereport/index.php | 6 ++-- htdocs/accountancy/expensereport/list.php | 2 +- htdocs/accountancy/supplier/index.php | 12 +++---- htdocs/accountancy/supplier/list.php | 6 ++-- htdocs/adherents/card.php | 2 +- htdocs/adherents/class/adherent.class.php | 2 +- .../adherents/class/adherentstats.class.php | 6 ++-- htdocs/adherents/list.php | 16 ++++----- htdocs/adherents/subscription/list.php | 4 +-- htdocs/compta/paiement/cheque/card.php | 4 +-- .../cheque/class/remisecheque.class.php | 11 +++--- 25 files changed, 111 insertions(+), 109 deletions(-) diff --git a/htdocs/accountancy/admin/account.php b/htdocs/accountancy/admin/account.php index 7ee9844ce63..de8fd9a8cd6 100644 --- a/htdocs/accountancy/admin/account.php +++ b/htdocs/accountancy/admin/account.php @@ -230,8 +230,8 @@ if (strlen(trim($search_account))) { $search_account_tmp_clean = preg_replace('/^\^/', '', $search_account_tmp); $search_account_clean = preg_replace('/^\^/', '', $search_account); } - $sql .= " AND (aa.account_number LIKE '".$startchar.$search_account_tmp_clean."'"; - $sql .= " OR aa.account_number LIKE '".$startchar.$search_account_clean."%')"; + $sql .= " AND (aa.account_number LIKE '".$db->escape($startchar.$search_account_tmp_clean)."'"; + $sql .= " OR aa.account_number LIKE '".$db->escape($startchar.$search_account_clean)."%')"; } else $sql .= natural_search("aa.account_number", $search_account_tmp); } } @@ -264,14 +264,14 @@ if ($resql) $num = $db->num_rows($resql); $param = ''; - if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param .= '&contextpage='.$contextpage; - if ($limit > 0 && $limit != $conf->liste_limit) $param .= '&limit='.$limit; + if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param .= '&contextpage='.urlencode($contextpage); + if ($limit > 0 && $limit != $conf->liste_limit) $param .= '&limit='.urlencode($limit); if ($search_account) $param .= '&search_account='.urlencode($search_account); if ($search_label) $param .= '&search_label='.urlencode($search_label); if ($search_labelshort) $param .= '&search_labelshort='.urlencode($search_labelshort); if ($search_accountparent > 0 || $search_accountparent == '0') $param .= '&search_accountparent='.urlencode($search_accountparent); if ($search_pcgtype) $param .= '&search_pcgtype='.urlencode($search_pcgtype); - if ($optioncss != '') $param .= '&optioncss='.$optioncss; + if ($optioncss != '') $param .= '&optioncss='.urlencode($optioncss); if (!empty($conf->use_javascript_ajax)) { diff --git a/htdocs/accountancy/admin/accountmodel.php b/htdocs/accountancy/admin/accountmodel.php index 9794198332e..be3b49e41c1 100644 --- a/htdocs/accountancy/admin/accountmodel.php +++ b/htdocs/accountancy/admin/accountmodel.php @@ -280,7 +280,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) else $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'"; $i++; } - $sql .= " WHERE ".$rowidcol." = '".$rowid."'"; + $sql .= " WHERE ".$rowidcol." = ".((int) $rowid); dol_syslog("actionmodify", LOG_DEBUG); //print $sql; @@ -302,7 +302,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete { if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } - $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol."='".$rowid."'"; + $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = ".((int) $rowid); dol_syslog("delete", LOG_DEBUG); $result = $db->query($sql); @@ -323,9 +323,9 @@ if ($action == $acts[0]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$db->escape($code)."'"; } $result = $db->query($sql); @@ -341,9 +341,9 @@ if ($action == $acts[1]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$db->escape($code)."'"; } $result = $db->query($sql); @@ -359,9 +359,9 @@ if ($action == 'activate_favorite') if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$code."'"; + $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$db->escape($code)."'"; } $result = $db->query($sql); @@ -377,9 +377,9 @@ if ($action == 'disable_favorite') if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$code."'"; + $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$db->escape($code)."'"; } $result = $db->query($sql); diff --git a/htdocs/accountancy/admin/categories_list.php b/htdocs/accountancy/admin/categories_list.php index ddd4240a073..9469a1e64f1 100644 --- a/htdocs/accountancy/admin/categories_list.php +++ b/htdocs/accountancy/admin/categories_list.php @@ -271,7 +271,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) else $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'"; $i++; } - $sql .= " WHERE ".$rowidcol." = '".$rowid."'"; + $sql .= " WHERE ".$rowidcol." = ".((int) $rowid); dol_syslog("actionmodify", LOG_DEBUG); //print $sql; @@ -293,7 +293,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete { if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } - $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = '".$db->escape($rowid)."'"; + $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = ".((int) $rowid); dol_syslog("delete", LOG_DEBUG); $result = $db->query($sql); @@ -314,7 +314,7 @@ if ($action == $acts[0]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = '".$db->escape($rowid)."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code = '".$db->escape($code)."'"; } @@ -332,7 +332,7 @@ if ($action == $acts[1]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = '".$db->escape($rowid)."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code = '".$db->escape($code)."'"; } @@ -350,7 +350,7 @@ if ($action == 'activate_favorite') if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = '".$db->escape($rowid)."'"; + $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code = '".$db->escape($code)."'"; } @@ -368,7 +368,7 @@ if ($action == 'disable_favorite') if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = '".$db->escape($rowid)."'"; + $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code = '".$db->escape($code)."'"; } diff --git a/htdocs/accountancy/admin/journals_list.php b/htdocs/accountancy/admin/journals_list.php index 74247c5fccd..a09a38c959c 100644 --- a/htdocs/accountancy/admin/journals_list.php +++ b/htdocs/accountancy/admin/journals_list.php @@ -274,7 +274,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) else $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'"; $i++; } - $sql .= " WHERE ".$rowidcol." = '".$rowid."'"; + $sql .= " WHERE ".$rowidcol." = ".((int) $rowid); $sql .= " AND entity = ".$conf->entity; dol_syslog("actionmodify", LOG_DEBUG); @@ -297,7 +297,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete { if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } - $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol."='".$rowid."'"; + $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = ".((int) $rowid); $sql .= " AND entity = ".$conf->entity; dol_syslog("delete", LOG_DEBUG); @@ -319,9 +319,9 @@ if ($action == $acts[0]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$db->escape($code)."'"; } $sql .= " AND entity = ".$conf->entity; @@ -338,9 +338,9 @@ if ($action == $acts[1]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$db->escape($code)."'"; } $sql .= " AND entity = ".$conf->entity; diff --git a/htdocs/accountancy/admin/productaccount.php b/htdocs/accountancy/admin/productaccount.php index b6465b95355..79bfef57d3a 100644 --- a/htdocs/accountancy/admin/productaccount.php +++ b/htdocs/accountancy/admin/productaccount.php @@ -176,7 +176,7 @@ if ($action == 'update') { if ($accounting_product_mode == 'ACCOUNTANCY_SELL_EXPORT') { $sql .= " SET accountancy_code_sell_export = ".$accounting->account_number; } - $sql .= " WHERE rowid = ".$productid; + $sql .= " WHERE rowid = ".((int) $productid); dol_syslog("/accountancy/admin/productaccount.php sql=".$sql, LOG_DEBUG); if ($db->query($sql)) @@ -251,21 +251,21 @@ $sql .= " aa.rowid as aaid"; $sql .= " FROM ".MAIN_DB_PREFIX."product as p"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON"; if ($accounting_product_mode == 'ACCOUNTANCY_BUY') { - $sql .= " p.accountancy_code_buy = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'"; + $sql .= " p.accountancy_code_buy = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'"; } elseif ($accounting_product_mode == 'ACCOUNTANCY_BUY_INTRA') { - $sql .= " p.accountancy_code_buy_intra = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'"; + $sql .= " p.accountancy_code_buy_intra = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'"; } elseif ($accounting_product_mode == 'ACCOUNTANCY_BUY_EXPORT') { - $sql .= " p.accountancy_code_buy_export = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'"; + $sql .= " p.accountancy_code_buy_export = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'"; } elseif ($accounting_product_mode == 'ACCOUNTANCY_SELL') { - $sql .= " p.accountancy_code_sell = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'"; + $sql .= " p.accountancy_code_sell = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'"; } elseif ($accounting_product_mode == 'ACCOUNTANCY_SELL_INTRA') { - $sql .= " p.accountancy_code_sell_intra = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'"; + $sql .= " p.accountancy_code_sell_intra = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'"; } else { - $sql .= " p.accountancy_code_sell_export = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'"; + $sql .= " p.accountancy_code_sell_export = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'"; } $sql .= ' WHERE p.entity IN ('.getEntity('product').')'; if ($accounting_product_mode == 'ACCOUNTANCY_BUY') { diff --git a/htdocs/accountancy/bookkeeping/thirdparty_lettering_customer.php b/htdocs/accountancy/bookkeeping/thirdparty_lettering_customer.php index 0b3d98a2742..321ef282dff 100644 --- a/htdocs/accountancy/bookkeeping/thirdparty_lettering_customer.php +++ b/htdocs/accountancy/bookkeeping/thirdparty_lettering_customer.php @@ -147,7 +147,7 @@ $sql = "SELECT bk.rowid, bk.doc_date, bk.doc_type, bk.doc_ref, "; $sql .= " bk.subledger_account, bk.numero_compte , bk.label_compte, bk.debit, "; $sql .= " bk.credit, bk.montant , bk.sens , bk.code_journal , bk.piece_num, bk.lettering_code "; $sql .= " FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as bk"; -$sql .= " WHERE (bk.subledger_account = '".$object->code_compta."' AND bk.numero_compte = '".$conf->global->ACCOUNTING_ACCOUNT_CUSTOMER."' )"; +$sql .= " WHERE (bk.subledger_account = '".$db->escape($object->code_compta)."' AND bk.numero_compte = '".$db->escape($conf->global->ACCOUNTING_ACCOUNT_CUSTOMER)."' )"; /* if (dol_strlen($search_date_start) || dol_strlen($search_date_end)) { diff --git a/htdocs/accountancy/bookkeeping/thirdparty_lettering_supplier.php b/htdocs/accountancy/bookkeeping/thirdparty_lettering_supplier.php index c6ab2fa81d6..144c2595d25 100644 --- a/htdocs/accountancy/bookkeeping/thirdparty_lettering_supplier.php +++ b/htdocs/accountancy/bookkeeping/thirdparty_lettering_supplier.php @@ -146,7 +146,7 @@ $sql = "SELECT bk.rowid, bk.doc_date, bk.doc_type, bk.doc_ref, "; $sql .= " bk.subledger_account, bk.numero_compte , bk.label_compte, bk.debit, "; $sql .= " bk.credit, bk.montant , bk.sens , bk.code_journal , bk.piece_num, bk.lettering_code, bk.date_validated "; $sql .= " FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as bk"; -$sql .= " WHERE (bk.subledger_account = '".$object->code_compta_fournisseur."' AND bk.numero_compte = '".$conf->global->ACCOUNTING_ACCOUNT_SUPPLIER."' )"; +$sql .= " WHERE (bk.subledger_account = '".$db->escape($object->code_compta_fournisseur)."' AND bk.numero_compte = '".$db->escape($conf->global->ACCOUNTING_ACCOUNT_SUPPLIER)."' )"; if (dol_strlen($search_date_start) || dol_strlen($search_date_end)) { $sql .= " AND (bk.doc_date BETWEEN '".$db->idate($search_date_start)."' AND '".$db->idate($search_date_end)."' )"; } diff --git a/htdocs/accountancy/class/accountancyexport.class.php b/htdocs/accountancy/class/accountancyexport.class.php index 130c0e97659..0204602438f 100644 --- a/htdocs/accountancy/class/accountancyexport.class.php +++ b/htdocs/accountancy/class/accountancyexport.class.php @@ -1160,7 +1160,8 @@ class AccountancyExport // TYPE C if ($last_codeinvoice != $line->doc_ref) { //recherche societe en fonction de son code client - $sql = "SELECT code_client, fk_forme_juridique, nom, address, zip, town, fk_pays, phone, siret FROM ".MAIN_DB_PREFIX."societe WHERE code_client = '".$line->thirdparty_code."'"; + $sql = "SELECT code_client, fk_forme_juridique, nom, address, zip, town, fk_pays, phone, siret FROM ".MAIN_DB_PREFIX."societe"; + $sql .= " WHERE code_client = '".$this->db->escape($line->thirdparty_code)."'"; $resql = $this->db->query($sql); if ($resql && $this->db->num_rows($resql) > 0) diff --git a/htdocs/accountancy/class/accountancysystem.class.php b/htdocs/accountancy/class/accountancysystem.class.php index 719d33c8574..c2f3468016c 100644 --- a/htdocs/accountancy/class/accountancysystem.class.php +++ b/htdocs/accountancy/class/accountancysystem.class.php @@ -101,7 +101,7 @@ class AccountancySystem $sql .= " FROM ".MAIN_DB_PREFIX."accounting_system as a"; $sql .= " WHERE"; if ($rowid) { - $sql .= " a.rowid = '".$rowid."'"; + $sql .= " a.rowid = ".((int) $rowid); } elseif ($ref) { $sql .= " a.pcg_version = '".$this->db->escape($ref)."'"; } diff --git a/htdocs/accountancy/class/accountingjournal.class.php b/htdocs/accountancy/class/accountingjournal.class.php index 6067f557cfb..882eee71769 100644 --- a/htdocs/accountancy/class/accountingjournal.class.php +++ b/htdocs/accountancy/class/accountingjournal.class.php @@ -108,7 +108,7 @@ class AccountingJournal extends CommonObject $sql .= " FROM ".MAIN_DB_PREFIX."accounting_journal"; $sql .= " WHERE"; if ($rowid) { - $sql .= " rowid = ".(int) $rowid; + $sql .= " rowid = ".((int) $rowid); } elseif ($journal_code) { $sql .= " code = '".$this->db->escape($journal_code)."'"; diff --git a/htdocs/accountancy/class/bookkeeping.class.php b/htdocs/accountancy/class/bookkeeping.class.php index 1c377e70192..1e1e42a6047 100644 --- a/htdocs/accountancy/class/bookkeeping.class.php +++ b/htdocs/accountancy/class/bookkeeping.class.php @@ -1755,14 +1755,14 @@ class BookKeeping extends CommonObject $sql .= ' doc_ref, fk_doc, fk_docdet, entity, thirdparty_code, subledger_account, subledger_label,'; $sql .= ' numero_compte, label_compte, label_operation, debit, credit,'; $sql .= ' montant, sens, fk_user_author, import_key, code_journal, journal_label, '.$next_piecenum.", '".$this->db->idate($now)."'"; - $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.$this->db->escape($piece_num); + $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.((int) $piece_num); $resql = $this->db->query($sql); if (!$resql) { $error++; $this->errors[] = 'Error '.$this->db->lasterror(); dol_syslog(__METHOD__.' '.join(',', $this->errors), LOG_ERR); } - $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.$this->db->escape($piece_num); + $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.((int) $piece_num); $resql = $this->db->query($sql); if (!$resql) { $error++; @@ -1770,7 +1770,7 @@ class BookKeeping extends CommonObject dol_syslog(__METHOD__.' '.join(',', $this->errors), LOG_ERR); } } elseif ($direction == 1) { - $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.$piece_num; + $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.((int) $piece_num); $resql = $this->db->query($sql); if (!$resql) { $error++; @@ -1785,14 +1785,14 @@ class BookKeeping extends CommonObject $sql .= ' doc_ref, fk_doc, fk_docdet, thirdparty_code, subledger_account, subledger_label,'; $sql .= ' numero_compte, label_compte, label_operation, debit, credit,'; $sql .= ' montant, sens, fk_user_author, import_key, code_journal, journal_label, piece_num'; - $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.' WHERE piece_num = '.$piece_num; + $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.' WHERE piece_num = '.((int) $piece_num); $resql = $this->db->query($sql); if (!$resql) { $error++; $this->errors[] = 'Error '.$this->db->lasterror(); dol_syslog(__METHOD__.' '.join(',', $this->errors), LOG_ERR); } - $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.$piece_num; + $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.((int) $piece_num); $resql = $this->db->query($sql); if (!$resql) { $error++; @@ -1910,7 +1910,7 @@ class BookKeeping extends CommonObject $sql .= " AND asy.rowid = ".$pcgver; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as parent ON aa.account_parent = parent.rowid"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as root ON parent.account_parent = root.rowid"; - $sql .= " WHERE aa.account_number = '".$account."'"; + $sql .= " WHERE aa.account_number = '".$this->db->escape($account)."'"; $sql .= " AND parent.active = 1"; $sql .= " AND root.active = 1"; $sql .= " AND aa.entity IN (".getEntity('accountancy').")"; @@ -1948,8 +1948,8 @@ class BookKeeping extends CommonObject $sql = "SELECT aa.account_number, aa.label, aa.rowid, aa.fk_pcg_version, cat.label as category"; $sql .= " FROM ".MAIN_DB_PREFIX."accounting_account as aa "; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_system as asy ON aa.fk_pcg_version = asy.pcg_version"; - $sql .= " AND aa.account_number = '".$account."'"; - $sql .= " AND asy.rowid = ".$pcgver; + $sql .= " AND aa.account_number = '".$this->db->escape($account)."'"; + $sql .= " AND asy.rowid = ".((int) $pcgver); $sql .= " AND aa.active = 1"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_accounting_category as cat ON aa.fk_accounting_category = cat.rowid"; $sql .= " WHERE aa.entity IN (".getEntity('accountancy').")"; diff --git a/htdocs/accountancy/class/lettering.class.php b/htdocs/accountancy/class/lettering.class.php index d663e0ec9c4..cfe9bf635ae 100644 --- a/htdocs/accountancy/class/lettering.class.php +++ b/htdocs/accountancy/class/lettering.class.php @@ -68,11 +68,11 @@ class Lettering extends BookKeeping $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."bank_url as bu ON(bk.fk_doc = bu.fk_bank AND bu.type IN ('payment', 'payment_supplier') ) "; $sql .= " WHERE ( "; if ($object->code_compta != "") - $sql .= " bk.subledger_account = '".$object->code_compta."' "; + $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' "; if ($object->code_compta != "" && $object->code_compta_fournisseur != "") $sql .= " OR "; if ($object->code_compta_fournisseur != "") - $sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' "; + $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' "; $sql .= " ) AND (bk.date_lettering ='' OR bk.date_lettering IS NULL) "; $sql .= " AND (bk.lettering_code != '' OR bk.lettering_code IS NULL) "; @@ -95,19 +95,19 @@ class Lettering extends BookKeeping $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn facf "; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."paiementfourn_facturefourn as payfacf ON payfacf.fk_facturefourn=facf.rowid"; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."paiementfourn as payf ON payfacf.fk_paiementfourn=payf.rowid"; - $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON (bk.fk_doc = payf.fk_bank AND bk.code_journal='".$obj->code_journal."')"; - $sql .= " WHERE payfacf.fk_paiementfourn = '".$obj->url_id."' "; + $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON (bk.fk_doc = payf.fk_bank AND bk.code_journal='".$this->db->escape($obj->code_journal)."')"; + $sql .= " WHERE payfacf.fk_paiementfourn = '".$this->db->escape($obj->url_id)."' "; $sql .= " AND facf.entity = ".$conf->entity; $sql .= " AND code_journal IN (SELECT code FROM ".MAIN_DB_PREFIX."accounting_journal WHERE nature=4 AND entity=".$conf->entity.") "; $sql .= " AND ( "; if ($object->code_compta != "") { - $sql .= " bk.subledger_account = '".$object->code_compta."' "; + $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' "; } if ($object->code_compta != "" && $object->code_compta_fournisseur != "") { $sql .= " OR "; } if ($object->code_compta_fournisseur != "") { - $sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' "; + $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' "; } $sql .= " ) "; @@ -129,13 +129,13 @@ class Lettering extends BookKeeping $sql .= " AND facf.entity = ".$conf->entity; $sql .= " AND ( "; if ($object->code_compta != "") { - $sql .= " bk.subledger_account = '".$object->code_compta."' "; + $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' "; } if ($object->code_compta != "" && $object->code_compta_fournisseur != "") { $sql .= " OR "; } if ($object->code_compta_fournisseur != "") { - $sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' "; + $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' "; } $sql .= ") "; @@ -154,19 +154,19 @@ class Lettering extends BookKeeping $sql .= " FROM ".MAIN_DB_PREFIX."facture fac "; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."paiement_facture as payfac ON payfac.fk_facture=fac.rowid"; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."paiement as pay ON payfac.fk_paiement=pay.rowid"; - $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON (bk.fk_doc = pay.fk_bank AND bk.code_journal='".$obj->code_journal."')"; - $sql .= " WHERE payfac.fk_paiement = '".$obj->url_id."' "; + $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON (bk.fk_doc = pay.fk_bank AND bk.code_journal='".$this->db->escape($obj->code_journal)."')"; + $sql .= " WHERE payfac.fk_paiement = '".$this->db->escape($obj->url_id)."' "; $sql .= " AND bk.code_journal IN (SELECT code FROM ".MAIN_DB_PREFIX."accounting_journal WHERE nature=4 AND entity=".$conf->entity.") "; $sql .= " AND fac.entity IN (".getEntity('invoice', 0).")"; // We don't share object for accountancy $sql .= " AND ( "; if ($object->code_compta != "") { - $sql .= " bk.subledger_account = '".$object->code_compta."' "; + $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' "; } if ($object->code_compta != "" && $object->code_compta_fournisseur != "") { $sql .= " OR "; } if ($object->code_compta_fournisseur != "") { - $sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' "; + $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' "; } $sql .= " )"; @@ -188,13 +188,13 @@ class Lettering extends BookKeeping $sql .= " AND fac.entity IN (".getEntity('invoice', 0).")"; // We don't share object for accountancy $sql .= " AND ( "; if ($object->code_compta != "") { - $sql .= " bk.subledger_account = '".$object->code_compta."' "; + $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' "; } if ($object->code_compta != "" && $object->code_compta_fournisseur != "") { $sql .= " OR "; } if ($object->code_compta_fournisseur != "") { - $sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' "; + $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' "; } $sql .= " ) "; @@ -238,7 +238,7 @@ class Lettering extends BookKeeping $lettre = 'AAA'; $sql = "SELECT DISTINCT lettering_code FROM ".MAIN_DB_PREFIX."accounting_bookkeeping WHERE "; - $sql .= " lettering_code != '' ORDER BY lettering_code DESC limit 1; "; + $sql .= " lettering_code != '' ORDER BY lettering_code DESC limit 1"; $result = $this->db->query($sql); if ($result) { @@ -252,7 +252,7 @@ class Lettering extends BookKeeping } $sql = "SELECT SUM(ABS(debit)) as deb, SUM(ABS(credit)) as cred FROM ".MAIN_DB_PREFIX."accounting_bookkeeping WHERE "; - $sql .= " rowid IN (".implode(',', $ids).") AND date_validated IS NULL "; + $sql .= " rowid IN (".implode(',', $ids).") AND date_validated IS NULL"; $result = $this->db->query($sql); if ($result) { $obj = $this->db->fetch_object($result); @@ -272,7 +272,7 @@ class Lettering extends BookKeeping if (!$error) { $sql = "UPDATE ".MAIN_DB_PREFIX."accounting_bookkeeping SET"; - $sql .= " lettering_code='".$lettre."'"; + $sql .= " lettering_code='".$this->db->escape($lettre)."'"; $sql .= " , date_lettering = '".$this->db->idate($now)."'"; // todo correct date it's false $sql .= " WHERE rowid IN (".implode(',', $ids).") AND date_validated IS NULL "; $this->db->begin(); diff --git a/htdocs/accountancy/customer/index.php b/htdocs/accountancy/customer/index.php index 69135e75c4d..1a5098bda38 100644 --- a/htdocs/accountancy/customer/index.php +++ b/htdocs/accountancy/customer/index.php @@ -131,9 +131,9 @@ if ($action == 'validatehistory') { $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = s.fk_pays "; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."facturedet as l ON f.rowid = l.fk_facture"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product"; - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_sell = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity; - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_sell_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$chartaccountcode."' AND aa2.entity = ".$conf->entity; - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$chartaccountcode."' AND aa3.entity = ".$conf->entity; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_sell = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_sell_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity; $sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0"; $sql .= " AND l.product_type <= 2"; @@ -402,7 +402,7 @@ if ($conf->global->MAIN_FEATURES_LEVEL > 0) // This part of code looks strange. } print ''; - $sql = "SELECT '".$langs->trans("TotalVente")."' AS total,"; + $sql = "SELECT '".$db->escape($langs->trans("TotalVente"))."' AS total,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1; if ($j > 12) $j -= 12; @@ -459,7 +459,7 @@ if ($conf->global->MAIN_FEATURES_LEVEL > 0) // This part of code looks strange. } print ''; - $sql = "SELECT '".$langs->trans("Vide")."' AS marge,"; + $sql = "SELECT '".$db->escape($langs->trans("Vide"))."' AS marge,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1; if ($j > 12) $j -= 12; diff --git a/htdocs/accountancy/customer/list.php b/htdocs/accountancy/customer/list.php index 70ed0bf8878..3c28cdaab84 100644 --- a/htdocs/accountancy/customer/list.php +++ b/htdocs/accountancy/customer/list.php @@ -161,8 +161,8 @@ if ($massaction == 'ventil') { $ko++; } else { $sql = " UPDATE ".MAIN_DB_PREFIX."facturedet"; - $sql .= " SET fk_code_ventilation = ".$monCompte; - $sql .= " WHERE rowid = ".$monId; + $sql .= " SET fk_code_ventilation = ".((int) $monCompte); + $sql .= " WHERE rowid = ".((int) $monId); $accountventilated = new AccountingAccount($db); $accountventilated->fetch($monCompte, ''); @@ -222,9 +222,9 @@ $sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = s.fk_pays "; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."facturedet as l ON f.rowid = l.fk_facture"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product"; -$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_sell = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity; -$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_sell_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$chartaccountcode."' AND aa2.entity = ".$conf->entity; -$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$chartaccountcode."' AND aa3.entity = ".$conf->entity; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_sell = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_sell_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity; $sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0"; $sql .= " AND l.product_type <= 2"; // Define begin binding date diff --git a/htdocs/accountancy/expensereport/index.php b/htdocs/accountancy/expensereport/index.php index 63305791ec7..6edb8d86a07 100644 --- a/htdocs/accountancy/expensereport/index.php +++ b/htdocs/accountancy/expensereport/index.php @@ -161,7 +161,7 @@ for ($i = 1; $i <= 12; $i++) { } print ''; -$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; +$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; $sql .= " ".$db->ifsql('aa.label IS NULL', "'tobind'", 'aa.label')." AS intitule,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1; @@ -234,7 +234,7 @@ for ($i = 1; $i <= 12; $i++) { } print ''; -$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; +$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; $sql .= " ".$db->ifsql('aa.label IS NULL', "'tobind'", 'aa.label')." AS intitule,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1; @@ -309,7 +309,7 @@ if ($conf->global->MAIN_FEATURES_LEVEL > 0) // This part of code looks strange. } print ''; - $sql = "SELECT '".$langs->trans("TotalExpenseReport")."' AS label,"; + $sql = "SELECT '".$db->escape($langs->trans("TotalExpenseReport"))."' AS label,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1; if ($j > 12) $j -= 12; diff --git a/htdocs/accountancy/expensereport/list.php b/htdocs/accountancy/expensereport/list.php index b3c8b7cda3e..265e9488055 100644 --- a/htdocs/accountancy/expensereport/list.php +++ b/htdocs/accountancy/expensereport/list.php @@ -196,7 +196,7 @@ $sql .= " FROM ".MAIN_DB_PREFIX."expensereport as er"; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."expensereport_det as erd ON er.rowid = erd.fk_expensereport"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_type_fees as f ON f.id = erd.fk_c_type_fees"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."user as u ON u.rowid = er.fk_user_author"; -$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON f.accountancy_code = aa.account_number AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON f.accountancy_code = aa.account_number AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity; $sql .= " WHERE er.fk_statut IN (".ExpenseReport::STATUS_APPROVED.", ".ExpenseReport::STATUS_CLOSED.") AND erd.fk_code_ventilation <= 0"; // Define begin binding date if (!empty($conf->global->ACCOUNTING_DATE_START_BINDING)) { diff --git a/htdocs/accountancy/supplier/index.php b/htdocs/accountancy/supplier/index.php index f1807c1c2cc..0dbe09fa468 100644 --- a/htdocs/accountancy/supplier/index.php +++ b/htdocs/accountancy/supplier/index.php @@ -128,9 +128,9 @@ if ($action == 'validatehistory') { $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = s.fk_pays "; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."facture_fourn_det as l ON f.rowid = l.fk_facture_fourn"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product"; - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_buy = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity; - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_buy_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$chartaccountcode."' AND aa2.entity = ".$conf->entity; - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_buy_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$chartaccountcode."' AND aa3.entity = ".$conf->entity; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_buy = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_buy_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_buy_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity; $sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0"; $sql .= " AND l.product_type <= 2"; @@ -232,7 +232,7 @@ for ($i = 1; $i <= 12; $i++) { } print ''; -$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; +$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; $sql .= " ".$db->ifsql('aa.label IS NULL', "'tobind'", 'aa.label')." AS intitule,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1; @@ -305,7 +305,7 @@ for ($i = 1; $i <= 12; $i++) { } print ''; -$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; +$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; $sql .= " ".$db->ifsql('aa.label IS NULL', "'tobind'", 'aa.label')." AS intitule,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1; @@ -380,7 +380,7 @@ if ($conf->global->MAIN_FEATURES_LEVEL > 0) // This part of code looks strange. } print ''; - $sql = "SELECT '".$langs->trans("CAHTF")."' AS label,"; + $sql = "SELECT '".$db->escape($langs->trans("CAHTF"))."' AS label,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1; if ($j > 12) $j -= 12; diff --git a/htdocs/accountancy/supplier/list.php b/htdocs/accountancy/supplier/list.php index cabe62e6471..9e1668e1a35 100644 --- a/htdocs/accountancy/supplier/list.php +++ b/htdocs/accountancy/supplier/list.php @@ -226,9 +226,9 @@ $sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = s.fk_pays "; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."facture_fourn_det as l ON f.rowid = l.fk_facture_fourn"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product"; -$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_buy = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity; -$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_buy_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$chartaccountcode."' AND aa2.entity = ".$conf->entity; -$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_buy_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$chartaccountcode."' AND aa3.entity = ".$conf->entity; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_buy = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_buy_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_buy_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity; $sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0"; $sql .= " AND l.product_type <= 2"; // Define begin binding date diff --git a/htdocs/adherents/card.php b/htdocs/adherents/card.php index a13367326fa..0a32398f307 100644 --- a/htdocs/adherents/card.php +++ b/htdocs/adherents/card.php @@ -152,7 +152,7 @@ if (empty($reshook)) { if (!$error) { if ($socid != $object->socid) { // If link differs from currently in database $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."adherent"; - $sql .= " WHERE socid = '".$socid."'"; + $sql .= " WHERE socid = ".((int) $socid); $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) { diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php index 1475f544f67..95ca2017b21 100644 --- a/htdocs/adherents/class/adherent.class.php +++ b/htdocs/adherents/class/adherent.class.php @@ -1117,7 +1117,7 @@ class Adherent extends CommonObject // Remove link to third party onto any other members if ($thirdpartyid > 0) { $sql = "UPDATE ".MAIN_DB_PREFIX."adherent SET fk_soc = null"; - $sql .= " WHERE fk_soc = '".$thirdpartyid."'"; + $sql .= " WHERE fk_soc = ".((int) $thirdpartyid); $sql .= " AND entity = ".$conf->entity; dol_syslog(get_class($this)."::setThirdPartyId", LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/adherents/class/adherentstats.class.php b/htdocs/adherents/class/adherentstats.class.php index c953d929442..d86a9e21d8c 100644 --- a/htdocs/adherents/class/adherentstats.class.php +++ b/htdocs/adherents/class/adherentstats.class.php @@ -92,7 +92,7 @@ class AdherentStats extends Stats $sql = "SELECT date_format(p.dateadh,'%m') as dm, count(*)"; $sql .= " FROM ".$this->from; //if (!$user->rights->societe->client->voir && !$user->socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE date_format(p.dateadh,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(p.dateadh,'%Y') = ".((int) $year); $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); @@ -133,7 +133,7 @@ class AdherentStats extends Stats $sql = "SELECT date_format(p.dateadh,'%m') as dm, sum(p.".$this->field.")"; $sql .= " FROM ".$this->from; //if (!$user->rights->societe->client->voir && !$user->socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE date_format(p.dateadh,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(p.dateadh,'%Y') = ".((int) $year); $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); @@ -154,7 +154,7 @@ class AdherentStats extends Stats $sql = "SELECT date_format(p.dateadh,'%m') as dm, avg(p.".$this->field.")"; $sql .= " FROM ".$this->from; //if (!$user->rights->societe->client->voir && !$this->socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE date_format(p.dateadh,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(p.dateadh,'%Y') = ".((int) $year); $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); diff --git a/htdocs/adherents/list.php b/htdocs/adherents/list.php index 4245bf2e74a..1e550fb7f65 100644 --- a/htdocs/adherents/list.php +++ b/htdocs/adherents/list.php @@ -281,7 +281,7 @@ if ($search_ref) { if ($search_civility) $sql .= natural_search("d.civility", $search_civility); if ($search_firstname) $sql .= natural_search("d.firstname", $search_firstname); if ($search_lastname) $sql .= natural_search(array("d.firstname", "d.lastname", "d.societe"), $search_lastname); -if ($search_gender != '' && $search_gender != '-1') $sql .= " AND d.gender = '".$search_gender."'"; +if ($search_gender != '' && $search_gender != '-1') $sql .= natural_search("d.gender", $search_gender); if ($search_login) $sql .= natural_search("d.login", $search_login); if ($search_company) $sql .= natural_search("s.nom", $search_company); if ($search_email) $sql .= natural_search("d.email", $search_email); @@ -502,16 +502,16 @@ if (!empty($arrayfields['t.libelle']['checked'])) { if (!empty($arrayfields['d.address']['checked'])) { print ''; + print ''; } if (!empty($arrayfields['d.zip']['checked'])) { print ''; + print ''; } if (!empty($arrayfields['d.town']['checked'])) { print ''; + print ''; } // State if (!empty($arrayfields['state.nom']['checked'])) { @@ -528,22 +528,22 @@ if (!empty($arrayfields['country.code_iso']['checked'])) { // Phone pro if (!empty($arrayfields['d.phone']['checked'])) { print ''; + print ''; } // Phone perso if (!empty($arrayfields['d.phone_perso']['checked'])) { print ''; + print ''; } // Phone mobile if (!empty($arrayfields['d.phone_mobile']['checked'])) { print ''; + print ''; } // Email if (!empty($arrayfields['d.email']['checked'])) { print ''; + print ''; } if (!empty($arrayfields['d.datefin']['checked'])) { diff --git a/htdocs/adherents/subscription/list.php b/htdocs/adherents/subscription/list.php index 4d0e2ec7439..b06ee5f227e 100644 --- a/htdocs/adherents/subscription/list.php +++ b/htdocs/adherents/subscription/list.php @@ -154,8 +154,8 @@ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."bank as b ON c.fk_bank=b.rowid"; $sql .= " WHERE d.entity IN (".getEntity('adherent').")"; if (isset($date_select) && $date_select != '') { - $sql .= " AND c.dateadh >= '".$date_select."-01-01 00:00:00'"; - $sql .= " AND c.dateadh < '".($date_select + 1)."-01-01 00:00:00'"; + $sql .= " AND c.dateadh >= '".((int) $date_select)."-01-01 00:00:00'"; + $sql .= " AND c.dateadh < '".((int) $date_select + 1)."-01-01 00:00:00'"; } if ($search_ref) { if (is_numeric($search_ref)) $sql .= " AND (c.rowid = ".$db->escape($search_ref).")"; diff --git a/htdocs/compta/paiement/cheque/card.php b/htdocs/compta/paiement/cheque/card.php index 706a08788b8..2d42fc14a37 100644 --- a/htdocs/compta/paiement/cheque/card.php +++ b/htdocs/compta/paiement/cheque/card.php @@ -152,10 +152,10 @@ if ($action == 'create' && $_POST["accountid"] > 0 && $user->rights->banque->che } } -if ($action == 'remove' && $id > 0 && $_GET["lineid"] > 0 && $user->rights->banque->cheque) +if ($action == 'remove' && $id > 0 && GETPOST("lineid", 'int') > 0 && $user->rights->banque->cheque) { $object->id = $id; - $result = $object->removeCheck($_GET["lineid"]); + $result = $object->removeCheck(GETPOST("lineid", "int")); if ($result === 0) { header("Location: ".$_SERVER["PHP_SELF"]."?id=".$object->id); diff --git a/htdocs/compta/paiement/cheque/class/remisecheque.class.php b/htdocs/compta/paiement/cheque/class/remisecheque.class.php index 48c58dc7219..56d12872cd2 100644 --- a/htdocs/compta/paiement/cheque/class/remisecheque.class.php +++ b/htdocs/compta/paiement/cheque/class/remisecheque.class.php @@ -358,7 +358,7 @@ class RemiseCheque extends CommonObject if ($this->errno == 0 && $numref) { $sql = "UPDATE ".MAIN_DB_PREFIX."bordereau_cheque"; - $sql .= " SET statut = 1, ref = '".$numref."'"; + $sql .= " SET statut = 1, ref = '".$this->db->escape($numref)."'"; $sql .= " WHERE rowid = ".$this->id; $sql .= " AND entity = ".$conf->entity; $sql .= " AND statut = 0"; @@ -662,6 +662,7 @@ class RemiseCheque extends CommonObject global $conf; $this->errno = 0; + $this->db->begin(); $total = 0; $nb = 0; @@ -681,8 +682,8 @@ class RemiseCheque extends CommonObject $this->db->free($resql); $sql = "UPDATE ".MAIN_DB_PREFIX."bordereau_cheque"; - $sql .= " SET amount = '".price2num($total)."'"; - $sql .= ", nbcheque = ".$nb; + $sql .= " SET amount = ".price2num($total); + $sql .= ", nbcheque = ".((int) $nb); $sql .= " WHERE rowid = ".$this->id; $sql .= " AND entity = ".$conf->entity; @@ -722,8 +723,8 @@ class RemiseCheque extends CommonObject { $sql = "UPDATE ".MAIN_DB_PREFIX."bank"; $sql .= " SET fk_bordereau = 0"; - $sql .= " WHERE rowid = '".$account_id."'"; - $sql .= " AND fk_bordereau = ".$this->id; + $sql .= " WHERE rowid = ".((int) $account_id); + $sql .= " AND fk_bordereau = ".((int) $this->id); $resql = $this->db->query($sql); if ($resql) From 54c0f742b1edb4cdb487cc9d995253077bb6b158 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 21:19:04 +0200 Subject: [PATCH 098/151] Fix escape --- htdocs/admin/bank.php | 2 +- htdocs/admin/barcode.php | 10 +++--- htdocs/admin/bom.php | 2 +- htdocs/core/actions_massactions.inc.php | 4 +-- htdocs/core/boxes/box_produits.php | 2 +- .../core/boxes/box_produits_alerte_stock.php | 2 +- htdocs/core/boxes/box_task.php | 4 +-- .../core/class/commondocgenerator.class.php | 2 +- htdocs/core/class/commoninvoice.class.php | 2 +- htdocs/core/class/commonobject.class.php | 28 +++++++-------- htdocs/core/class/extrafields.class.php | 22 ++++++------ htdocs/core/class/html.form.class.php | 12 +++---- .../core/class/html.formaccounting.class.php | 2 +- htdocs/core/class/html.formcompany.class.php | 2 +- htdocs/core/class/html.formmail.class.php | 4 +-- htdocs/core/class/html.formother.class.php | 2 +- .../class/html.formsocialcontrib.class.php | 2 +- htdocs/core/class/infobox.class.php | 3 +- htdocs/core/class/link.class.php | 8 ++--- htdocs/core/class/menubase.class.php | 2 +- htdocs/core/class/notify.class.php | 6 ++-- htdocs/core/db/mysqli.class.php | 6 ++-- htdocs/core/db/pgsql.class.php | 14 ++++---- htdocs/core/db/sqlite3.class.php | 8 ++--- htdocs/core/lib/admin.lib.php | 6 ++-- htdocs/core/lib/company.lib.php | 4 +-- htdocs/core/lib/files.lib.php | 1 + htdocs/core/lib/functions.lib.php | 6 ++-- .../societe/mod_codeclient_elephant.php | 4 +-- .../modules/societe/mod_codeclient_monkey.php | 4 +-- .../societe/mod_codecompta_digitaria.php | 2 +- test/phpunit/CodingPhpTest.php | 34 +++++++++++++++---- 32 files changed, 118 insertions(+), 94 deletions(-) diff --git a/htdocs/admin/bank.php b/htdocs/admin/bank.php index 76df9b412ec..6f669d900ba 100644 --- a/htdocs/admin/bank.php +++ b/htdocs/admin/bank.php @@ -283,7 +283,7 @@ print load_fiche_titre($langs->trans("BankAccountModelModule"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) { diff --git a/htdocs/admin/barcode.php b/htdocs/admin/barcode.php index 975869c1ff0..cddb91d0d49 100644 --- a/htdocs/admin/barcode.php +++ b/htdocs/admin/barcode.php @@ -58,10 +58,10 @@ if ($action == 'setbarcodeproducton') if ($action == 'setcoder') { $coder = GETPOST('coder', 'alpha'); - $code_id = GETPOST('code_id', 'alpha'); + $code_id = GETPOST('code_id', 'int'); $sqlp = "UPDATE ".MAIN_DB_PREFIX."c_barcode_type"; - $sqlp .= " SET coder = '".$coder."'"; - $sqlp .= " WHERE rowid = ".$code_id; + $sqlp .= " SET coder = '".$db->escape($coder)."'"; + $sqlp .= " WHERE rowid = ".((int) $code_id); $sqlp .= " AND entity = ".$conf->entity; $resql = $db->query($sqlp); @@ -104,8 +104,8 @@ if ($action == 'setcoder') $code_id = $obj->rowid; $sqlp = "UPDATE ".MAIN_DB_PREFIX."c_barcode_type"; - $sqlp .= " SET coder = '".$coder."'"; - $sqlp .= " WHERE rowid = ".$code_id; + $sqlp .= " SET coder = '".$db->escape($coder)."'"; + $sqlp .= " WHERE rowid = ".((int) $code_id); $sqlp .= " AND entity = ".$conf->entity; $upsql = $db->query($sqlp); diff --git a/htdocs/admin/bom.php b/htdocs/admin/bom.php index 1f19cb75b77..50c919a628a 100644 --- a/htdocs/admin/bom.php +++ b/htdocs/admin/bom.php @@ -292,7 +292,7 @@ print load_fiche_titre($langs->trans("BOMsModelModule"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/core/actions_massactions.inc.php b/htdocs/core/actions_massactions.inc.php index 4db4c94f007..98e936a2d7a 100644 --- a/htdocs/core/actions_massactions.inc.php +++ b/htdocs/core/actions_massactions.inc.php @@ -648,9 +648,9 @@ if ($massaction == 'confirm_createbills') // Create bills from orders $sql .= ", targettype"; $sql .= ") VALUES ("; $sql .= $id_order; - $sql .= ", '".$objecttmp->origin."'"; + $sql .= ", '".$db->escape($objecttmp->origin)."'"; $sql .= ", ".$objecttmp->id; - $sql .= ", '".$objecttmp->element."'"; + $sql .= ", '".$db->escape($objecttmp->element)."'"; $sql .= ")"; if (!$db->query($sql)) diff --git a/htdocs/core/boxes/box_produits.php b/htdocs/core/boxes/box_produits.php index 8dffe4adf20..52591fa5292 100644 --- a/htdocs/core/boxes/box_produits.php +++ b/htdocs/core/boxes/box_produits.php @@ -117,7 +117,7 @@ class box_produits extends ModeleBoxes $sqld = "SELECT label"; $sqld .= " FROM ".MAIN_DB_PREFIX."product_lang"; $sqld .= " WHERE fk_product=".$objp->rowid; - $sqld .= " AND lang='".$langs->getDefaultLang()."'"; + $sqld .= " AND lang='".$this->db->escape($langs->getDefaultLang())."'"; $sqld .= " LIMIT 1"; $resultd = $this->db->query($sqld); diff --git a/htdocs/core/boxes/box_produits_alerte_stock.php b/htdocs/core/boxes/box_produits_alerte_stock.php index 5b17ef22ddf..6845cb2db5f 100644 --- a/htdocs/core/boxes/box_produits_alerte_stock.php +++ b/htdocs/core/boxes/box_produits_alerte_stock.php @@ -130,7 +130,7 @@ class box_produits_alerte_stock extends ModeleBoxes $sqld = "SELECT label"; $sqld .= " FROM ".MAIN_DB_PREFIX."product_lang"; $sqld .= " WHERE fk_product=".$objp->rowid; - $sqld .= " AND lang='".$langs->getDefaultLang()."'"; + $sqld .= " AND lang='".$this->db->escape($langs->getDefaultLang())."'"; $sqld .= " LIMIT 1"; $resultd = $this->db->query($sqld); diff --git a/htdocs/core/boxes/box_task.php b/htdocs/core/boxes/box_task.php index ea049c46e71..c1d728eb667 100644 --- a/htdocs/core/boxes/box_task.php +++ b/htdocs/core/boxes/box_task.php @@ -154,10 +154,10 @@ class box_task extends ModeleBoxes $sql .= " JOIN ".MAIN_DB_PREFIX."projet as p ON (pt.fk_projet = p.rowid)"; if ($filterValue === 'im_task_contact') { - $sql .= " JOIN ".MAIN_DB_PREFIX."element_contact as ec ON (ec.element_id = pt.rowid AND ec.fk_socpeople = '".$user->id."' )"; + $sql .= " JOIN ".MAIN_DB_PREFIX."element_contact as ec ON (ec.element_id = pt.rowid AND ec.fk_socpeople = ".((int) $user->id).")"; $sql .= " JOIN ".MAIN_DB_PREFIX."c_type_contact as tc ON (ec.fk_c_type_contact = tc.rowid AND tc.element = 'project_task' AND tc.source = 'internal' )"; } elseif ($filterValue === 'im_project_contact') { - $sql .= " JOIN ".MAIN_DB_PREFIX."element_contact as ec ON (ec.element_id = p.rowid AND ec.fk_socpeople = '".$user->id."' )"; + $sql .= " JOIN ".MAIN_DB_PREFIX."element_contact as ec ON (ec.element_id = p.rowid AND ec.fk_socpeople = ".((int) $user->id).")"; $sql .= " JOIN ".MAIN_DB_PREFIX."c_type_contact as tc ON (ec.fk_c_type_contact = tc.rowid AND tc.element = 'project' AND tc.source = 'internal' )"; } diff --git a/htdocs/core/class/commondocgenerator.class.php b/htdocs/core/class/commondocgenerator.class.php index f610e6bb952..2eac2d5d900 100644 --- a/htdocs/core/class/commondocgenerator.class.php +++ b/htdocs/core/class/commondocgenerator.class.php @@ -604,7 +604,7 @@ abstract class CommonDocGenerator if ($columns != "") { $columns = substr($columns, 0, strlen($columns) - 2); - $resql = $this->db->query("SELECT $columns FROM ".MAIN_DB_PREFIX."product_fournisseur_price_extrafields AS ex INNER JOIN ".MAIN_DB_PREFIX."product_fournisseur_price AS f ON ex.fk_object = f.rowid WHERE f.ref_fourn = '".$line->ref_supplier."'"); + $resql = $this->db->query("SELECT ".$columns." FROM ".MAIN_DB_PREFIX."product_fournisseur_price_extrafields AS ex INNER JOIN ".MAIN_DB_PREFIX."product_fournisseur_price AS f ON ex.fk_object = f.rowid WHERE f.ref_fourn = '".$this->db->escape($line->ref_supplier)."'"); if ($this->db->num_rows($resql) > 0) { diff --git a/htdocs/core/class/commoninvoice.class.php b/htdocs/core/class/commoninvoice.class.php index 3dabb8279e9..f5137959990 100644 --- a/htdocs/core/class/commoninvoice.class.php +++ b/htdocs/core/class/commoninvoice.class.php @@ -462,7 +462,7 @@ abstract class CommonInvoice extends CommonObject $type = 'customer_invoice'; if ($this->element == 'invoice_supplier') $type = 'supplier_invoice'; - $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$type."' AND ab.fk_doc = ".$this->id; + $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$this->db->escape($type)."' AND ab.fk_doc = ".$this->id; $resql = $this->db->query($sql); if ($resql) { diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php index ef519f388a7..1d04040d5e3 100644 --- a/htdocs/core/class/commonobject.class.php +++ b/htdocs/core/class/commonobject.class.php @@ -1028,8 +1028,8 @@ abstract class CommonObject // Insert into database $sql = "UPDATE ".MAIN_DB_PREFIX."element_contact set"; $sql .= " statut = ".$statut; - if ($type_contact_id) $sql .= ", fk_c_type_contact = '".$type_contact_id."'"; - if ($fk_socpeople) $sql .= ", fk_socpeople = '".$fk_socpeople."'"; + if ($type_contact_id) $sql .= ", fk_c_type_contact = ".((int) $type_contact_id); + if ($fk_socpeople) $sql .= ", fk_socpeople = ".((int) $fk_socpeople); $sql .= " where rowid = ".$rowid; $resql = $this->db->query($sql); if ($resql) @@ -1389,9 +1389,9 @@ abstract class CommonObject if ($source == 'internal') $sql .= " AND c.entity IN (".getEntity('user').")"; if ($source == 'external') $sql .= " AND c.entity IN (".getEntity('societe').")"; $sql .= " AND ec.fk_c_type_contact = tc.rowid"; - $sql .= " AND tc.element = '".$element."'"; - $sql .= " AND tc.source = '".$source."'"; - if ($code) $sql .= " AND tc.code = '".$code."'"; + $sql .= " AND tc.element = '".$this->db->escape($element)."'"; + $sql .= " AND tc.source = '".$this->db->escape($source)."'"; + if ($code) $sql .= " AND tc.code = '".$this->db->escape($code)."'"; $sql .= " AND tc.active = 1"; if ($status) $sql .= " AND ec.statut = ".$status; @@ -3243,16 +3243,16 @@ abstract class CommonObject { if ($justsource) { - $sql .= "fk_source = ".$sourceid." AND sourcetype = '".$sourcetype."'"; - if ($withtargettype) $sql .= " AND targettype = '".$targettype."'"; + $sql .= "fk_source = ".$sourceid." AND sourcetype = '".$this->db->escape($sourcetype)."'"; + if ($withtargettype) $sql .= " AND targettype = '".$this->db->escape($targettype)."'"; } elseif ($justtarget) { - $sql .= "fk_target = ".$targetid." AND targettype = '".$targettype."'"; - if ($withsourcetype) $sql .= " AND sourcetype = '".$sourcetype."'"; + $sql .= "fk_target = ".$targetid." AND targettype = '".$this->db->escape($targettype)."'"; + if ($withsourcetype) $sql .= " AND sourcetype = '".$this->db->escape($sourcetype)."'"; } } else { - $sql .= "(fk_source = ".$sourceid." AND sourcetype = '".$sourcetype."')"; - $sql .= " ".$clause." (fk_target = ".$targetid." AND targettype = '".$targettype."')"; + $sql .= "(fk_source = ".$sourceid." AND sourcetype = '".$this->db->escape($sourcetype)."')"; + $sql .= " ".$clause." (fk_target = ".$targetid." AND targettype = '".$this->db->escape($targettype)."')"; } $sql .= ' ORDER BY '.$orderby; @@ -4841,7 +4841,7 @@ abstract class CommonObject // Request to get translation values for object $sql = "SELECT rowid, property, lang , value"; $sql .= " FROM ".MAIN_DB_PREFIX."object_lang"; - $sql .= " WHERE type_object = '".$element."'"; + $sql .= " WHERE type_object = '".$this->db->escape($element)."'"; $sql .= " AND fk_object = ".$this->id; //dol_syslog(get_class($this)."::fetch_optionals get extrafields data for ".$this->table_element, LOG_DEBUG); // Too verbose @@ -8295,7 +8295,7 @@ abstract class CommonObject $sql = "INSERT INTO ".MAIN_DB_PREFIX."categorie_".(empty($categorystatic->MAP_CAT_TABLE[$type]) ? $type : $categorystatic->MAP_CAT_TABLE[$type])." (fk_categorie, fk_product)"; $sql .= " SELECT fk_categorie, $toId FROM ".MAIN_DB_PREFIX."categorie_".(empty($categorystatic->MAP_CAT_TABLE[$type]) ? $type : $categorystatic->MAP_CAT_TABLE[$type]); - $sql .= " WHERE fk_product = '".$fromId."'"; + $sql .= " WHERE fk_product = ".((int) $fromId); if (!$this->db->query($sql)) { @@ -8341,7 +8341,7 @@ abstract class CommonObject $sql = "DELETE FROM ".MAIN_DB_PREFIX."ecm_files"; $sql.= " WHERE filename LIKE '".$this->db->escape($this->ref)."%'"; - $sql.= " AND filepath = '".$element."/".$this->db->escape($this->ref)."' AND entity = ".$conf->entity; + $sql.= " AND filepath = '".$this->db->escape($element)."/".$this->db->escape($this->ref)."' AND entity = ".$conf->entity; if (!$this->db->query($sql)) { $this->error = $this->db->lasterror(); diff --git a/htdocs/core/class/extrafields.class.php b/htdocs/core/class/extrafields.class.php index ddf811cfc77..678560b622e 100644 --- a/htdocs/core/class/extrafields.class.php +++ b/htdocs/core/class/extrafields.class.php @@ -426,7 +426,7 @@ class ExtraFields $sql .= " help,"; $sql .= " totalizable"; $sql .= " )"; - $sql .= " VALUES('".$attrname."',"; + $sql .= " VALUES('".$this->db->escape($attrname)."',"; $sql .= " '".$this->db->escape($label)."',"; $sql .= " '".$this->db->escape($type)."',"; $sql .= " ".$pos.","; @@ -494,8 +494,8 @@ class ExtraFields { $sql = "SELECT COUNT(rowid) as nb"; $sql .= " FROM ".MAIN_DB_PREFIX."extrafields"; - $sql .= " WHERE elementtype = '".$elementtype."'"; - $sql .= " AND name = '".$attrname."'"; + $sql .= " WHERE elementtype = '".$this->db->escape($elementtype)."'"; + $sql .= " AND name = '".$this->db->escape($attrname)."'"; //$sql.= " AND entity IN (0,".$conf->entity.")"; Do not test on entity here. We want to see if there is still on field remaning in other entities before deleting field in table $resql = $this->db->query($sql); if ($resql) @@ -539,9 +539,9 @@ class ExtraFields if (isset($attrname) && $attrname != '' && preg_match("/^\w[a-zA-Z0-9-_]*$/", $attrname)) { $sql = "DELETE FROM ".MAIN_DB_PREFIX."extrafields"; - $sql .= " WHERE name = '".$attrname."'"; + $sql .= " WHERE name = '".$this->db->escape($attrname)."'"; $sql .= " AND entity IN (0,".$conf->entity.')'; - $sql .= " AND elementtype = '".$elementtype."'"; + $sql .= " AND elementtype = '".$this->db->escape($elementtype)."'"; dol_syslog(get_class($this)."::delete_label", LOG_DEBUG); $resql = $this->db->query($sql); @@ -724,15 +724,15 @@ class ExtraFields { // We dont want on all entities, we delete all and current $sql_del = "DELETE FROM ".MAIN_DB_PREFIX."extrafields"; - $sql_del .= " WHERE name = '".$attrname."'"; + $sql_del .= " WHERE name = '".$this->db->escape($attrname)."'"; $sql_del .= " AND entity IN (0, ".($entity === '' ? $conf->entity : $entity).")"; - $sql_del .= " AND elementtype = '".$elementtype."'"; + $sql_del .= " AND elementtype = '".$this->db->escape($elementtype)."'"; } else { // We want on all entities ($entities = '0'), we delete on all only (we keep setup specific to each entity) $sql_del = "DELETE FROM ".MAIN_DB_PREFIX."extrafields"; - $sql_del .= " WHERE name = '".$attrname."'"; + $sql_del .= " WHERE name = '".$this->db->escape($attrname)."'"; $sql_del .= " AND entity = 0"; - $sql_del .= " AND elementtype = '".$elementtype."'"; + $sql_del .= " AND elementtype = '".$this->db->escape($elementtype)."'"; } $resql1 = $this->db->query($sql_del); @@ -761,7 +761,7 @@ class ExtraFields $sql .= " enabled,"; $sql .= " help"; $sql .= ") VALUES ("; - $sql .= "'".$attrname."',"; + $sql .= "'".$this->db->escape($attrname)."',"; $sql .= " ".($entity === '' ? $conf->entity : $entity).","; $sql .= " '".$this->db->escape($label)."',"; $sql .= " '".$this->db->escape($type)."',"; @@ -829,7 +829,7 @@ class ExtraFields $sql = "SELECT rowid,name,label,type,size,elementtype,fieldunique,fieldrequired,param,pos,alwayseditable,perms,langs,list,printable,totalizable,fielddefault,fieldcomputed,entity,enabled,help"; $sql .= " FROM ".MAIN_DB_PREFIX."extrafields"; //$sql.= " WHERE entity IN (0,".$conf->entity.")"; // Filter is done later - if ($elementtype) $sql .= " WHERE elementtype = '".$elementtype."'"; // Filed with object->table_element + if ($elementtype) $sql .= " WHERE elementtype = '".$this->db->escape($elementtype)."'"; // Filed with object->table_element $sql .= " ORDER BY pos"; $resql = $this->db->query($sql); diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index e56f4674f2a..601d0b6f78a 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -2183,7 +2183,7 @@ class Form // Multilang : we add translation if (!empty($conf->global->MAIN_MULTILANGS)) { - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lang as pl ON pl.fk_product = p.rowid AND pl.lang='".$langs->getDefaultLang()."'"; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lang as pl ON pl.fk_product = p.rowid AND pl.lang='".$this->db->escape($langs->getDefaultLang())."'"; } if (!empty($conf->global->PRODUIT_ATTRIBUTES_HIDECHILD)) { @@ -2503,9 +2503,9 @@ class Form { $sql = "SELECT price, price_ttc, price_base_type, tva_tx"; $sql .= " FROM ".MAIN_DB_PREFIX."product_price"; - $sql .= " WHERE fk_product='".$objp->rowid."'"; + $sql .= " WHERE fk_product = ".((int) $objp->rowid); $sql .= " AND entity IN (".getEntity('productprice').")"; - $sql .= " AND price_level=".$price_level; + $sql .= " AND price_level = ".((int) $price_level); $sql .= " ORDER BY date_price DESC, rowid DESC"; // Warning DESC must be both on date_price and rowid. $sql .= " LIMIT 1"; @@ -7016,7 +7016,7 @@ class Form // phpcs:enable $sql = "SELECT rowid, label"; $sql .= " FROM ".MAIN_DB_PREFIX."export_model"; - $sql .= " WHERE type = '".$type."'"; + $sql .= " WHERE type = '".$this->db->escape($type)."'"; $sql .= " ORDER BY rowid"; $result = $this->db->query($sql); if ($result) @@ -7460,10 +7460,10 @@ class Form if (!empty($conf->multicompany->enabled) && $conf->entity == 1 && $user->admin && !$user->entity) { $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."entity as e ON e.rowid=ug.entity"; - if ($force_entity) $sql .= " WHERE ug.entity IN (0,".$force_entity.")"; + if ($force_entity) $sql .= " WHERE ug.entity IN (0, ".$force_entity.")"; else $sql .= " WHERE ug.entity IS NOT NULL"; } else { - $sql .= " WHERE ug.entity IN (0,".$conf->entity.")"; + $sql .= " WHERE ug.entity IN (0, ".$conf->entity.")"; } if (is_array($exclude) && $excludeGroups) $sql .= " AND ug.rowid NOT IN ('".$excludeGroups."')"; if (is_array($include) && $includeGroups) $sql .= " AND ug.rowid IN ('".$includeGroups."')"; diff --git a/htdocs/core/class/html.formaccounting.class.php b/htdocs/core/class/html.formaccounting.class.php index 991a8f87006..874bb3719e4 100644 --- a/htdocs/core/class/html.formaccounting.class.php +++ b/htdocs/core/class/html.formaccounting.class.php @@ -174,7 +174,7 @@ class FormAccounting extends Form $sql .= " WHERE c.active = 1"; $sql .= " AND c.category_type = 0"; $sql .= " AND c.fk_country = co.rowid"; - if (empty($allcountries)) $sql .= " AND co.code = '".$mysoc->country_code."'"; + if (empty($allcountries)) $sql .= " AND co.code = '".$this->db->escape($mysoc->country_code)."'"; $sql .= " ORDER BY c.label ASC"; } diff --git a/htdocs/core/class/html.formcompany.class.php b/htdocs/core/class/html.formcompany.class.php index 4ee5c9f1f6a..b43df3753dc 100644 --- a/htdocs/core/class/html.formcompany.class.php +++ b/htdocs/core/class/html.formcompany.class.php @@ -516,7 +516,7 @@ class FormCompany extends Form $sql .= " FROM ".MAIN_DB_PREFIX."c_forme_juridique as f, ".MAIN_DB_PREFIX."c_country as c"; $sql .= " WHERE f.fk_pays=c.rowid"; $sql .= " AND f.active = 1 AND c.active = 1"; - if ($country_codeid) $sql .= " AND c.code = '".$country_codeid."'"; + if ($country_codeid) $sql .= " AND c.code = '".$this->db->escape($country_codeid)."'"; if ($filter) $sql .= " ".$filter; $sql .= " ORDER BY c.code"; diff --git a/htdocs/core/class/html.formmail.class.php b/htdocs/core/class/html.formmail.class.php index f7acd09dbd1..fcd7199137c 100644 --- a/htdocs/core/class/html.formmail.class.php +++ b/htdocs/core/class/html.formmail.class.php @@ -1296,7 +1296,7 @@ class FormMail extends Form $sql .= " WHERE type_template='".$this->db->escape($type_template)."'"; $sql .= " AND entity IN (".getEntity('c_email_templates').")"; $sql .= " AND (fk_user is NULL or fk_user = 0 or fk_user = ".$user->id.")"; - if (is_object($outputlangs)) $sql .= " AND (lang = '".$outputlangs->defaultlang."' OR lang IS NULL OR lang = '')"; + if (is_object($outputlangs)) $sql .= " AND (lang = '".$this->db->escape($outputlangs->defaultlang)."' OR lang IS NULL OR lang = '')"; $sql .= $this->db->order("lang,label", "ASC"); //print $sql; @@ -1330,7 +1330,7 @@ class FormMail extends Form $sql .= " AND entity IN (".getEntity('c_email_templates').")"; $sql .= " AND (private = 0 OR fk_user = ".$user->id.")"; // See all public templates or templates I own. if ($active >= 0) $sql .= " AND active = ".$active; - //if (is_object($outputlangs)) $sql.= " AND (lang = '".$outputlangs->defaultlang."' OR lang IS NULL OR lang = '')"; // Return all languages + //if (is_object($outputlangs)) $sql.= " AND (lang = '".$this->db->escape($outputlangs->defaultlang)."' OR lang IS NULL OR lang = '')"; // Return all languages $sql .= $this->db->order("position,lang,label", "ASC"); //print $sql; diff --git a/htdocs/core/class/html.formother.class.php b/htdocs/core/class/html.formother.class.php index f69ef6703e0..08eaa77ac3e 100644 --- a/htdocs/core/class/html.formother.class.php +++ b/htdocs/core/class/html.formother.class.php @@ -256,7 +256,7 @@ class FormOther $sql = "SELECT r.taux, r.revenuestamp_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_revenuestamp as r,".MAIN_DB_PREFIX."c_country as c"; $sql .= " WHERE r.active = 1 AND r.fk_pays = c.rowid"; - $sql .= " AND c.code = '".$country_code."'"; + $sql .= " AND c.code = '".$this->db->escape($country_code)."'"; dol_syslog(get_class($this).'::select_revenue_stamp', LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/core/class/html.formsocialcontrib.class.php b/htdocs/core/class/html.formsocialcontrib.class.php index c6d28a7b70f..b9da780f02d 100644 --- a/htdocs/core/class/html.formsocialcontrib.class.php +++ b/htdocs/core/class/html.formsocialcontrib.class.php @@ -83,7 +83,7 @@ class FormSocialContrib $sql = "SELECT c.id, c.libelle as type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_chargesociales as c, ".MAIN_DB_PREFIX."c_country as co"; $sql .= " WHERE c.active = 1 AND c.fk_pays = co.rowid"; - $sql .= " AND co.code = '".$mysoc->country_code."'"; + $sql .= " AND co.code = '".$this->db->escape($mysoc->country_code)."'"; $sql .= " ORDER BY c.libelle ASC"; } diff --git a/htdocs/core/class/infobox.class.php b/htdocs/core/class/infobox.class.php index 70569f08eb7..8d8d41d0747 100644 --- a/htdocs/core/class/infobox.class.php +++ b/htdocs/core/class/infobox.class.php @@ -273,12 +273,13 @@ class InfoBox //dol_syslog("aaaaa".count($listarray)); $i++; $ii = sprintf('%02d', $i); + $sql = "INSERT INTO ".MAIN_DB_PREFIX."boxes"; $sql .= "(box_id, position, box_order, fk_user, entity)"; $sql .= " values ("; $sql .= " ".$id.","; $sql .= " ".$zone.","; - $sql .= " '".$colonne.$ii."',"; + $sql .= " '".$this->db->escape($colonne.$ii)."',"; $sql .= " ".$userid.","; $sql .= " ".$conf->entity; $sql .= ")"; diff --git a/htdocs/core/class/link.class.php b/htdocs/core/class/link.class.php index 2599fa69c09..ceba7fa17f7 100644 --- a/htdocs/core/class/link.class.php +++ b/htdocs/core/class/link.class.php @@ -98,7 +98,7 @@ class Link extends CommonObject $this->db->begin(); $sql = "INSERT INTO ".MAIN_DB_PREFIX."links (entity, datea, url, label, objecttype, objectid)"; - $sql .= " VALUES ('".$conf->entity."', '".$this->db->idate($this->datea)."'"; + $sql .= " VALUES (".$conf->entity.", '".$this->db->idate($this->datea)."'"; $sql .= ", '".$this->db->escape($this->url)."'"; $sql .= ", '".$this->db->escape($this->label)."'"; $sql .= ", '".$this->db->escape($this->objecttype)."'"; @@ -175,7 +175,7 @@ class Link extends CommonObject $this->db->begin(); $sql = "UPDATE ".MAIN_DB_PREFIX."links SET "; - $sql .= "entity = '".$conf->entity."'"; + $sql .= "entity = ".$conf->entity; $sql .= ", datea = '".$this->db->idate(dol_now())."'"; $sql .= ", url = '".$this->db->escape($this->url)."'"; $sql .= ", label = '".$this->db->escape($this->label)."'"; @@ -235,7 +235,7 @@ class Link extends CommonObject global $conf; $sql = "SELECT rowid, entity, datea, url, label, objecttype, objectid FROM ".MAIN_DB_PREFIX."links"; - $sql .= " WHERE objecttype = '".$objecttype."' AND objectid = ".$objectid; + $sql .= " WHERE objecttype = '".$this->db->escape($objecttype)."' AND objectid = ".$objectid; if ($conf->entity != 0) $sql .= " AND entity = ".$conf->entity; if ($sortfield) { if (empty($sortorder)) { @@ -286,7 +286,7 @@ class Link extends CommonObject global $conf; $sql = "SELECT COUNT(rowid) as nb FROM ".MAIN_DB_PREFIX."links"; - $sql .= " WHERE objecttype = '".$objecttype."' AND objectid = ".$objectid; + $sql .= " WHERE objecttype = '".$this->db->escape($objecttype)."' AND objectid = ".$objectid; if ($conf->entity != 0) $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); diff --git a/htdocs/core/class/menubase.class.php b/htdocs/core/class/menubase.class.php index 4d949f4f7d8..3c0c6bd9389 100644 --- a/htdocs/core/class/menubase.class.php +++ b/htdocs/core/class/menubase.class.php @@ -622,7 +622,7 @@ class Menubase $sql = "SELECT m.rowid, m.type, m.module, m.fk_menu, m.fk_mainmenu, m.fk_leftmenu, m.url, m.titre, m.langs, m.perms, m.enabled, m.target, m.mainmenu, m.leftmenu, m.position"; $sql .= " FROM ".MAIN_DB_PREFIX."menu as m"; $sql .= " WHERE m.entity IN (0,".$conf->entity.")"; - $sql .= " AND m.menu_handler IN ('".$menu_handler."','all')"; + $sql .= " AND m.menu_handler IN ('".$this->db->escape($menu_handler)."','all')"; if ($type_user == 0) $sql .= " AND m.usertype IN (0,2)"; if ($type_user == 1) $sql .= " AND m.usertype IN (1,2)"; $sql .= " ORDER BY m.position, m.rowid"; diff --git a/htdocs/core/class/notify.class.php b/htdocs/core/class/notify.class.php index 130dc09f4f8..82b6c8859bc 100644 --- a/htdocs/core/class/notify.class.php +++ b/htdocs/core/class/notify.class.php @@ -171,7 +171,7 @@ class Notify if ($notifcode) { if (is_numeric($notifcode)) $sql .= " AND n.fk_action = ".$notifcode; // Old usage - else $sql .= " AND a.code = '".$notifcode."'"; // New usage + else $sql .= " AND a.code = '".$this->db->escape($notifcode)."'"; // New usage } $sql .= " AND s.entity IN (".getEntity('societe').")"; if ($socid > 0) $sql .= " AND s.rowid = ".$socid; @@ -214,7 +214,7 @@ class Notify if ($notifcode) { if (is_numeric($notifcode)) $sql .= " AND n.fk_action = ".$notifcode; // Old usage - else $sql .= " AND a.code = '".$notifcode."'"; // New usage + else $sql .= " AND a.code = '".$this->db->escape($notifcode)."'"; // New usage } $sql .= " AND c.entity IN (".getEntity('user').")"; if ($userid > 0) $sql .= " AND c.rowid = ".$userid; @@ -355,7 +355,7 @@ class Notify $sql .= " AND n.fk_soc = s.rowid"; $sql .= " AND c.statut = 1"; if (is_numeric($notifcode)) $sql .= " AND n.fk_action = ".$notifcode; // Old usage - else $sql .= " AND a.code = '".$notifcode."'"; // New usage + else $sql .= " AND a.code = '".$this->db->escape($notifcode)."'"; // New usage $sql .= " AND s.rowid = ".$object->socid; $sql .= "\nUNION\n"; diff --git a/htdocs/core/db/mysqli.class.php b/htdocs/core/db/mysqli.class.php index ed7b2e5947d..e3687f7f405 100644 --- a/htdocs/core/db/mysqli.class.php +++ b/htdocs/core/db/mysqli.class.php @@ -693,7 +693,7 @@ class DoliDBMysqli extends DoliDB if ((preg_match("/null/i", $field_desc['default'])) || (preg_match("/CURRENT_TIMESTAMP/i", $field_desc['default']))) { $sqlfields[$i] .= " default ".$field_desc['default']; } else { - $sqlfields[$i] .= " default '".$field_desc['default']."'"; + $sqlfields[$i] .= " default '".$this->escape($field_desc['default'])."'"; } } if (preg_match("/^[^\s]/i", $field_desc['null'])) { @@ -711,7 +711,7 @@ class DoliDBMysqli extends DoliDB $i = 0; foreach ($unique_keys as $key => $value) { - $sqluq[$i] = "UNIQUE KEY '".$key."' ('".$value."')"; + $sqluq[$i] = "UNIQUE KEY '".$key."' ('".$this->escape($value)."')"; $i++; } } @@ -809,7 +809,7 @@ class DoliDBMysqli extends DoliDB { if (preg_match("/null/i", $field_desc['default'])) $sql .= " default ".$field_desc['default']; - else $sql .= " default '".$field_desc['default']."'"; + else $sql .= " default '".$this->escape($field_desc['default'])."'"; } if (isset($field_desc['extra']) && preg_match("/^[^\s]/i", $field_desc['extra'])) { diff --git a/htdocs/core/db/pgsql.class.php b/htdocs/core/db/pgsql.class.php index 3f33016d7e5..3c49bcf6f4b 100644 --- a/htdocs/core/db/pgsql.class.php +++ b/htdocs/core/db/pgsql.class.php @@ -904,7 +904,7 @@ class DoliDBPgsql extends DoliDB $listtables = array(); $like = ''; - if ($table) $like = " AND table_name LIKE '".$table."'"; + if ($table) $like = " AND table_name LIKE '".$this->escape($table)."'"; $result = pg_query($this->db, "SELECT table_name FROM information_schema.tables WHERE table_schema = 'public'".$like." ORDER BY table_name"); if ($result) { @@ -942,7 +942,7 @@ class DoliDBPgsql extends DoliDB $sql .= " '' as \"Privileges\""; $sql .= " FROM information_schema.columns infcol"; $sql .= " WHERE table_schema='public' "; - $sql .= " AND table_name='".$table."'"; + $sql .= " AND table_name='".$this->escape($table)."'"; $sql .= " ORDER BY ordinal_position;"; dol_syslog($sql, LOG_DEBUG); @@ -992,7 +992,7 @@ class DoliDBPgsql extends DoliDB { if (preg_match("/null/i", $field_desc['default'])) $sqlfields[$i] .= " default ".$field_desc['default']; - else $sqlfields[$i] .= " default '".$field_desc['default']."'"; + else $sqlfields[$i] .= " default '".$this->escape($field_desc['default'])."'"; } elseif (preg_match("/^[^\s]/i", $field_desc['null'])) $sqlfields[$i] .= " ".$field_desc['null']; @@ -1008,7 +1008,7 @@ class DoliDBPgsql extends DoliDB $i = 0; foreach ($unique_keys as $key => $value) { - $sqluq[$i] = "UNIQUE KEY '".$key."' ('".$value."')"; + $sqluq[$i] = "UNIQUE KEY '".$key."' ('".$this->escape($value)."')"; $i++; } } @@ -1090,9 +1090,9 @@ class DoliDBPgsql extends DoliDB public function DDLDescTable($table, $field = "") { // phpcs:enable - $sql = "SELECT attname FROM pg_attribute, pg_type WHERE typname = '".$table."' AND attrelid = typrelid"; + $sql = "SELECT attname FROM pg_attribute, pg_type WHERE typname = '".$this->escape($table)."' AND attrelid = typrelid"; $sql .= " AND attname NOT IN ('cmin', 'cmax', 'ctid', 'oid', 'tableoid', 'xmin', 'xmax')"; - if ($field) $sql .= " AND attname = '".$field."'"; + if ($field) $sql .= " AND attname = '".$this->escape($field)."'"; dol_syslog($sql, LOG_DEBUG); $this->_results = $this->query($sql); @@ -1130,7 +1130,7 @@ class DoliDBPgsql extends DoliDB if (preg_match("/null/i", $field_desc['default'])) { $sql .= " default ".$field_desc['default']; } else { - $sql .= " default '".$field_desc['default']."'"; + $sql .= " default '".$this->escape($field_desc['default'])."'"; } } if (preg_match("/^[^\s]/i", $field_desc['extra'])) { diff --git a/htdocs/core/db/sqlite3.class.php b/htdocs/core/db/sqlite3.class.php index a1a4e10ec7e..c34b9dddac0 100644 --- a/htdocs/core/db/sqlite3.class.php +++ b/htdocs/core/db/sqlite3.class.php @@ -420,7 +420,7 @@ class DoliDBSqlite3 extends DoliDB $constraintname = trim($reg[2]); $tablename = trim($reg[1]); - $descTable = $this->db->querySingle("SELECT sql FROM sqlite_master WHERE name='".$tablename."'"); + $descTable = $this->db->querySingle("SELECT sql FROM sqlite_master WHERE name='".$this->escape($tablename)."'"); // 1- Renommer la table avec un nom temporaire $this->query('ALTER TABLE '.$tablename.' RENAME TO tmp_'.$tablename); @@ -921,7 +921,7 @@ class DoliDBSqlite3 extends DoliDB { if (preg_match("/null/i", $field_desc['default'])) $sqlfields[$i] .= " default ".$field_desc['default']; - else $sqlfields[$i] .= " default '".$field_desc['default']."'"; + else $sqlfields[$i] .= " default '".$this->escape($field_desc['default'])."'"; } elseif (preg_match("/^[^\s]/i", $field_desc['null'])) $sqlfields[$i] .= " ".$field_desc['null']; @@ -937,7 +937,7 @@ class DoliDBSqlite3 extends DoliDB $i = 0; foreach ($unique_keys as $key => $value) { - $sqluq[$i] = "UNIQUE KEY '".$key."' ('".$value."')"; + $sqluq[$i] = "UNIQUE KEY '".$key."' ('".$this->escape($value)."')"; $i++; } } @@ -1030,7 +1030,7 @@ class DoliDBSqlite3 extends DoliDB { if (preg_match("/null/i", $field_desc['default'])) $sql .= " default ".$field_desc['default']; - else $sql .= " default '".$field_desc['default']."'"; + else $sql .= " default '".$this->escape($field_desc['default'])."'"; } if (preg_match("/^[^\s]/i", $field_desc['extra'])) $sql .= " ".$field_desc['extra']; diff --git a/htdocs/core/lib/admin.lib.php b/htdocs/core/lib/admin.lib.php index 48314125bdc..9227d9a1cfd 100644 --- a/htdocs/core/lib/admin.lib.php +++ b/htdocs/core/lib/admin.lib.php @@ -292,7 +292,7 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle $sql = preg_replace('/llx_/i', MAIN_DB_PREFIX, $sql); } - if (!empty($handler)) $sql = preg_replace('/__HANDLER__/i', "'".$handler."'", $sql); + if (!empty($handler)) $sql = preg_replace('/__HANDLER__/i', "'".$db->escape($handler)."'", $sql); $newsql = preg_replace('/__ENTITY__/i', (!empty($entity) ? $entity : $conf->entity), $sql); @@ -1630,7 +1630,7 @@ function addDocumentModel($name, $type, $label = '', $description = '') $db->begin(); $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)"; - $sql .= " VALUES ('".$db->escape($name)."','".$type."',".$conf->entity.", "; + $sql .= " VALUES ('".$db->escape($name)."','".$db->escape($type)."',".$conf->entity.", "; $sql .= ($label ? "'".$db->escape($label)."'" : 'null').", "; $sql .= (!empty($description) ? "'".$db->escape($description)."'" : "null"); $sql .= ")"; @@ -1663,7 +1663,7 @@ function delDocumentModel($name, $type) $sql = "DELETE FROM ".MAIN_DB_PREFIX."document_model"; $sql .= " WHERE nom = '".$db->escape($name)."'"; - $sql .= " AND type = '".$type."'"; + $sql .= " AND type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; dol_syslog("admin.lib::delDocumentModel", LOG_DEBUG); diff --git a/htdocs/core/lib/company.lib.php b/htdocs/core/lib/company.lib.php index 6c32d71024b..d7b5773e1c2 100644 --- a/htdocs/core/lib/company.lib.php +++ b/htdocs/core/lib/company.lib.php @@ -574,7 +574,7 @@ function currency_name($code_iso, $withcode = '', $outputlangs = null) // If no translation, we read table to get label by default $sql = "SELECT label FROM ".MAIN_DB_PREFIX."c_currencies"; - $sql .= " WHERE code_iso='".$code_iso."'"; + $sql .= " WHERE code_iso='".$db->escape($code_iso)."'"; $resql = $db->query($sql); if ($resql) @@ -607,7 +607,7 @@ function getFormeJuridiqueLabel($code) if (!$code) return ''; $sql = "SELECT libelle FROM ".MAIN_DB_PREFIX."c_forme_juridique"; - $sql .= " WHERE code='$code'"; + $sql .= " WHERE code='".$db->escape($code)."'"; dol_syslog("Company.lib::getFormeJuridiqueLabel", LOG_DEBUG); $resql = $db->query($sql); diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index d8bf9ca5a1e..f4e8a06920b 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php @@ -142,6 +142,7 @@ function dol_dir_list($path, $types = "all", $recursive = 0, $filter = "", $excl if (!$filter || preg_match('/'.$filter.'/i', $file)) // We do not search key $filter into all $path, only into $file part { + $reg = array(); preg_match('/([^\/]+)\/[^\/]+$/', $path.'/'.$file, $reg); $level1name = (isset($reg[1]) ? $reg[1] : ''); $file_list[] = array( diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index d5da3fb86d8..ffd921ba316 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -4857,10 +4857,10 @@ function get_localtax($vatrate, $local, $thirdparty_buyer = "", $thirdparty_sell // By default, search value of local tax on line of common tax $sql = "SELECT t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$thirdparty_seller->country_code."'"; + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($thirdparty_seller->country_code)."'"; $sql .= " AND t.taux = ".((float) $vatratecleaned)." AND t.active = 1"; - if ($vatratecode) $sql .= " AND t.code ='".$vatratecode."'"; // If we have the code, we use it in priority - else $sql .= " AND t.recuperableonly ='".$vatnpr."'"; + if ($vatratecode) $sql .= " AND t.code ='".$db->escape($vatratecode)."'"; // If we have the code, we use it in priority + else $sql .= " AND t.recuperableonly ='".$db->escape($vatnpr)."'"; dol_syslog("get_localtax", LOG_DEBUG); $resql = $db->query($sql); diff --git a/htdocs/core/modules/societe/mod_codeclient_elephant.php b/htdocs/core/modules/societe/mod_codeclient_elephant.php index 665d1266468..948be99b61a 100644 --- a/htdocs/core/modules/societe/mod_codeclient_elephant.php +++ b/htdocs/core/modules/societe/mod_codeclient_elephant.php @@ -320,8 +320,8 @@ class mod_codeclient_elephant extends ModeleThirdPartyCode { // phpcs:enable $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe"; - if ($type == 1) $sql .= " WHERE code_fournisseur = '".$code."'"; - else $sql .= " WHERE code_client = '".$code."'"; + if ($type == 1) $sql .= " WHERE code_fournisseur = '".$db->escape($code)."'"; + else $sql .= " WHERE code_client = '".$db->escape($code)."'"; if ($soc->id > 0) $sql .= " AND rowid <> ".$soc->id; $resql = $db->query($sql); diff --git a/htdocs/core/modules/societe/mod_codeclient_monkey.php b/htdocs/core/modules/societe/mod_codeclient_monkey.php index 356974a67d4..378b9bd5045 100644 --- a/htdocs/core/modules/societe/mod_codeclient_monkey.php +++ b/htdocs/core/modules/societe/mod_codeclient_monkey.php @@ -226,8 +226,8 @@ class mod_codeclient_monkey extends ModeleThirdPartyCode global $conf, $mc; $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe"; - if ($type == 1) $sql .= " WHERE code_fournisseur = '".$code."'"; - else $sql .= " WHERE code_client = '".$code."'"; + if ($type == 1) $sql .= " WHERE code_fournisseur = '".$db->escape($code)."'"; + else $sql .= " WHERE code_client = '".$db->escape($code)."'"; $sql .= " AND entity IN (".getEntity('societe').")"; if ($soc->id > 0) $sql .= " AND rowid <> ".$soc->id; diff --git a/htdocs/core/modules/societe/mod_codecompta_digitaria.php b/htdocs/core/modules/societe/mod_codecompta_digitaria.php index 20edc26f219..9835851cc7c 100644 --- a/htdocs/core/modules/societe/mod_codecompta_digitaria.php +++ b/htdocs/core/modules/societe/mod_codecompta_digitaria.php @@ -244,7 +244,7 @@ class mod_codecompta_digitaria extends ModeleAccountancyCode } $sql = "SELECT ".$typethirdparty." FROM ".MAIN_DB_PREFIX."societe"; - $sql .= " WHERE ".$typethirdparty." = '".$code."'"; + $sql .= " WHERE ".$typethirdparty." = '".$db->escape($code)."'"; $resql = $db->query($sql); if ($resql) diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php index 74f889f19b6..60ba1ae4bbe 100644 --- a/test/phpunit/CodingPhpTest.php +++ b/test/phpunit/CodingPhpTest.php @@ -152,7 +152,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase $db=$this->savdb; include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; - $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname'); + $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT.'/core', 'files', 1, '\.php', null, 'fullname'); //$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname'); foreach ($filesarray as $key => $file) @@ -166,10 +166,17 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase print 'Check php file '.$file['fullname']."\n"; $filecontent=file_get_contents($file['fullname']); + if (preg_match('/\.class\.php/', $file['relativename'])) { + // Must must not found $db-> + + } else { + // Must must not found $this->db-> + + } $ok=true; $matches=array(); - // Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request. + // Check string get_class... preg_match_all('/'.preg_quote('get_class($this)."::".__METHOD__', '/').'/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { @@ -182,7 +189,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase $ok=true; $matches=array(); - // Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request. + // Check string $this->db->idate without quotes preg_match_all('/(..)\s*\.\s*\$this->db->idate\(/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { @@ -200,11 +207,12 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase $ok=true; $matches=array(); + // Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request. - preg_match_all('/(=|sql.+)\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER); + preg_match_all('/=\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { - if ($val[2] != 'db->' && $val[2] != 'esca') + if ($val[1] != 'db->' && $val[1] != 'esca') { $ok=false; break; @@ -212,7 +220,21 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase //if ($reg[0] != 'db') $ok=false; } //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; - $this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['relativename'].' ('.$val[0].'). Bad.'); + $this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['relativename'].': '.$val[0].' - Bad.'); + //exit; + + // Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request. + preg_match_all('/sql.+\s*\'"\s*\.\s*\$(.........)/', $filecontent, $matches, PREG_SET_ORDER); + foreach ($matches as $key => $val) + { + if (! in_array($val[1], array('this->db-', 'this->esc', 'db->escap', 'db->idate', 'excludeGr', 'includeGr'))) { + $ok=false; + break; + } + //if ($reg[0] != 'db') $ok=false; + } + //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; + $this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['relativename'].': '.$val[0].' - Bad.'); //exit; From b5703350da6b1fb0723a104ca2d39a4963e1af34 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 22:41:05 +0200 Subject: [PATCH 099/151] Fix escape --- htdocs/core/extrafieldsinexport.inc.php | 3 ++- htdocs/core/lib/functions.lib.php | 22 +++++++++---------- htdocs/core/lib/functions2.lib.php | 21 +++++++++++------- htdocs/core/lib/security.lib.php | 2 +- htdocs/core/modules/DolibarrModules.class.php | 14 ++++++------ .../barcode/mod_barcode_product_standard.php | 2 +- .../doc/pdf_standard.modules.php | 2 +- .../core/modules/facture/mod_facture_mars.php | 4 ++-- .../modules/facture/mod_facture_terre.php | 4 ++-- .../modules/import/import_csv.modules.php | 2 +- .../modules/import/import_xlsx.modules.php | 2 +- .../modules/mailings/contacts1.modules.php | 4 ++-- .../core/modules/mailings/fraise.modules.php | 4 ++-- .../modules/mailings/modules_mailings.php | 2 +- .../core/modules/mailings/pomme.modules.php | 2 +- .../thirdparties_services_expired.modules.php | 2 +- .../movement/doc/pdf_standard.modules.php | 8 +++---- .../modules/printing/printgcp.modules.php | 2 +- .../modules/printing/printipp.modules.php | 2 +- .../product/mod_codeproduct_elephant.php | 2 +- .../modules/societe/mod_codeclient_monkey.php | 2 +- .../stock/doc/pdf_standard.modules.php | 2 +- .../mod_facture_fournisseur_cactus.php | 4 ++-- .../core/modules/ticket/mod_ticket_simple.php | 4 ++-- 24 files changed, 62 insertions(+), 56 deletions(-) diff --git a/htdocs/core/extrafieldsinexport.inc.php b/htdocs/core/extrafieldsinexport.inc.php index db926a2b6bc..ae6fdf8bf70 100644 --- a/htdocs/core/extrafieldsinexport.inc.php +++ b/htdocs/core/extrafieldsinexport.inc.php @@ -8,7 +8,8 @@ if (empty($keyforselect) || empty($keyforelement) || empty($keyforaliasextra)) } // Add extra fields -$sql = "SELECT name, label, type, param, fieldcomputed, fielddefault FROM ".MAIN_DB_PREFIX."extrafields WHERE elementtype = '".$keyforselect."' AND type != 'separate' AND entity IN (0, ".$conf->entity.') ORDER BY pos ASC'; +$sql = "SELECT name, label, type, param, fieldcomputed, fielddefault FROM ".MAIN_DB_PREFIX."extrafields"; +$sql .= " WHERE elementtype = '".$this->db->escape($keyforselect)."' AND type != 'separate' AND entity IN (0, ".$conf->entity.') ORDER BY pos ASC'; //print $sql; $resql = $this->db->query($sql); if ($resql) // This can fail when class is used on old database (during migration for example) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index ffd921ba316..ca8dcbde59d 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -4908,9 +4908,9 @@ function get_localtax_by_third($local) global $db, $mysoc; $sql = "SELECT t.localtax1, t.localtax2 "; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t inner join ".MAIN_DB_PREFIX."c_country as c ON c.rowid=t.fk_pays"; - $sql .= " WHERE c.code = '".$mysoc->country_code."' AND t.active = 1 AND t.taux=("; + $sql .= " WHERE c.code = '".$db->escape($mysoc->country_code)."' AND t.active = 1 AND t.taux=("; $sql .= " SELECT max(tt.taux) FROM ".MAIN_DB_PREFIX."c_tva as tt inner join ".MAIN_DB_PREFIX."c_country as c ON c.rowid=tt.fk_pays"; - $sql .= " WHERE c.code = '".$mysoc->country_code."' AND tt.active = 1"; + $sql .= " WHERE c.code = '".$db->escape($mysoc->country_code)."' AND tt.active = 1"; $sql .= " )"; $resql = $db->query($sql); @@ -4956,11 +4956,11 @@ function getTaxesFromId($vatrate, $buyer = null, $seller = null, $firstparamisid } $sql .= ", ".MAIN_DB_PREFIX."c_country as c"; - /*if ($mysoc->country_code == 'ES') $sql.= " WHERE t.fk_pays = c.rowid AND c.code = '".$buyer->country_code."'"; // vat in spain use the buyer country ?? - else $sql.= " WHERE t.fk_pays = c.rowid AND c.code = '".$seller->country_code."'";*/ - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$seller->country_code."'"; + /*if ($mysoc->country_code == 'ES') $sql.= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($buyer->country_code)."'"; // vat in spain use the buyer country ?? + else $sql.= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($seller->country_code)."'";*/ + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($seller->country_code)."'"; $sql .= " AND t.taux = ".((float) $vatratecleaned)." AND t.active = 1"; - if ($vatratecode) $sql .= " AND t.code = '".$vatratecode."'"; + if ($vatratecode) $sql .= " AND t.code = '".$db->escape($vatratecode)."'"; } $resql = $db->query($sql); @@ -5011,10 +5011,10 @@ function getLocalTaxesFromRate($vatrate, $local, $buyer, $seller, $firstparamisi } $sql .= ", ".MAIN_DB_PREFIX."c_country as c"; - if ($mysoc->country_code == 'ES') $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$buyer->country_code."'"; // local tax in spain use the buyer country ?? - else $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$seller->country_code."'"; + if ($mysoc->country_code == 'ES') $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($buyer->country_code)."'"; // local tax in spain use the buyer country ?? + else $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($seller->country_code)."'"; $sql .= " AND t.taux = ".((float) $vatratecleaned)." AND t.active = 1"; - if ($vatratecode) $sql .= " AND t.code = '".$vatratecode."'"; + if ($vatratecode) $sql .= " AND t.code = '".$db->escape($vatratecode)."'"; } $resql = $db->query($sql); @@ -5088,7 +5088,7 @@ function get_product_vat_for_country($idprod, $thirdparty_seller, $idprodfournpr // If vat of product for the country not found or not defined, we return the first higher vat of country. $sql = "SELECT t.taux as vat_rate, t.code as default_vat_code"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$thirdparty_seller->country_code."'"; + $sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$db->escape($thirdparty_seller->country_code)."'"; $sql .= " ORDER BY t.taux DESC, t.code ASC, t.recuperableonly ASC"; $sql .= $db->plimit(1); @@ -5153,7 +5153,7 @@ function get_product_localtax_for_country($idprod, $local, $thirdparty_seller) // If vat of product for the country not found or not defined, we return higher vat of country. $sql = "SELECT taux as vat_rate, localtax1, localtax2"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$thirdparty_seller->country_code."'"; + $sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$db->escape($thirdparty_seller->country_code)."'"; $sql .= " ORDER BY t.taux DESC, t.recuperableonly ASC"; $sql .= $db->plimit(1); diff --git a/htdocs/core/lib/functions2.lib.php b/htdocs/core/lib/functions2.lib.php index ddeb4df4dea..7b0042cf55a 100644 --- a/htdocs/core/lib/functions2.lib.php +++ b/htdocs/core/lib/functions2.lib.php @@ -579,6 +579,7 @@ function clean_url($url, $http = 1) // Fixed by Matelli (see http://matelli.fr/showcases/patchs-dolibarr/fix-cleaning-url.html) // To include the minus sign in a char class, we must not escape it but put it at the end of the class // Also, there's no need of escape a dot sign in a class + $regs = array(); if (preg_match('/^(https?:[\\/]+)?([0-9A-Z.-]+\.[A-Z]{2,4})(:[0-9]+)?/i', $url, $regs)) { $proto = $regs[1]; @@ -737,6 +738,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $ //$date=dol_stringtotime('20130101'); $hasglobalcounter = false; + $reg = array(); // Extract value for mask counter, mask raz and mask offset if (preg_match('/\{(0+)([@\+][0-9\-\+\=]+)?([@\+][0-9\-\+\=]+)?\}/i', $mask, $reg)) { @@ -755,6 +757,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $ if (dol_strlen($maskcounter) < 3 && empty($conf->global->MAIN_COUNTER_WITH_LESS_3_DIGITS)) return 'ErrorCounterMustHaveMoreThan3Digits'; // Extract value for third party mask counter + $regClient = array(); if (preg_match('/\{(c+)(0*)\}/i', $mask, $regClientRef)) { $maskrefclient = $regClientRef[1].$regClientRef[2]; @@ -774,6 +777,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $ } // Extract value for third party type + $regType = array(); if (preg_match('/\{(t+)\}/i', $mask, $regType)) { $masktype = $regType[1]; @@ -802,6 +806,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $ $maskperso = array(); $maskpersonew = array(); $tmpmask = $mask; + $regKey = array(); while (preg_match('/\{([A-Z]+)\-([1-9])\}/', $tmpmask, $regKey)) { $maskperso[$regKey[1]] = '{'.$regKey[1].'-'.$regKey[2].'}'; @@ -918,19 +923,19 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $ elseif ($yearlen == 2) $yearcomp1 = sprintf("%02d", date("y", $date) + $yearoffset + 1); $sqlwhere .= "("; - $sqlwhere .= " (SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$yearcomp."'"; + $sqlwhere .= " (SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$db->escape($yearcomp)."'"; $sqlwhere .= " AND SUBSTRING(".$field.", ".$monthpos.", ".$monthlen.") >= '".str_pad($monthcomp, $monthlen, '0', STR_PAD_LEFT)."')"; $sqlwhere .= " OR"; - $sqlwhere .= " (SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$yearcomp1."'"; + $sqlwhere .= " (SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$db->escape($yearcomp1)."'"; $sqlwhere .= " AND SUBSTRING(".$field.", ".$monthpos.", ".$monthlen.") < '".str_pad($monthcomp, $monthlen, '0', STR_PAD_LEFT)."') "; $sqlwhere .= ')'; } elseif ($resetEveryMonth) { - $sqlwhere .= "(SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$yearcomp."'"; + $sqlwhere .= "(SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$db->escape($yearcomp)."'"; $sqlwhere .= " AND SUBSTRING(".$field.", ".$monthpos.", ".$monthlen.") = '".str_pad($monthcomp, $monthlen, '0', STR_PAD_LEFT)."')"; } else // reset is done on january { - $sqlwhere .= '(SUBSTRING('.$field.', '.$yearpos.', '.$yearlen.") = '".$yearcomp."')"; + $sqlwhere .= '(SUBSTRING('.$field.', '.$yearpos.', '.$yearlen.") = '".$db->escape($yearcomp)."')"; } } //print "sqlwhere=".$sqlwhere." yearcomp=".$yearcomp."
\n"; // sqlwhere and yearcomp defined only if we ask a reset @@ -969,7 +974,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $ $counter = 0; $sql = "SELECT MAX(".$sqlstring.") as val"; $sql .= " FROM ".MAIN_DB_PREFIX.$table; - $sql .= " WHERE ".$field." LIKE '".$maskLike."'"; + $sql .= " WHERE ".$field." LIKE '".$db->escape($maskLike)."'"; $sql .= " AND ".$field." NOT LIKE '(PROV%)'"; if ($bentityon) // only if entity enable $sql .= " AND entity IN (".getEntity($sharetable).")"; @@ -1016,7 +1021,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $ $ref = ''; $sql = "SELECT ".$field." as ref"; $sql .= " FROM ".MAIN_DB_PREFIX.$table; - $sql .= " WHERE ".$field." LIKE '".$maskLike."'"; + $sql .= " WHERE ".$field." LIKE '".$db->escape($maskLike)."'"; $sql .= " AND ".$field." NOT LIKE '%PROV%'"; if ($bentityon) // only if entity enable $sql .= " AND entity IN (".getEntity($sharetable).")"; @@ -1071,14 +1076,14 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $ $maskrefclient_sql = "SELECT MAX(".$maskrefclient_sqlstring.") as val"; $maskrefclient_sql .= " FROM ".MAIN_DB_PREFIX.$table; //$sql.= " WHERE ".$field." not like '(%'"; - $maskrefclient_sql .= " WHERE ".$field." LIKE '".$maskrefclient_maskLike."'"; + $maskrefclient_sql .= " WHERE ".$field." LIKE '".$db->escape($maskrefclient_maskLike)."'"; if ($bentityon) // only if entity enable $maskrefclient_sql .= " AND entity IN (".getEntity($sharetable).")"; elseif (!empty($forceentity)) $sql .= " AND entity IN (".$forceentity.")"; if ($where) $maskrefclient_sql .= $where; //use the same optional where as general mask if ($sqlwhere) $maskrefclient_sql .= ' AND '.$sqlwhere; //use the same sqlwhere as general mask - $maskrefclient_sql .= ' AND (SUBSTRING('.$field.', '.(strpos($maskwithnocode, $maskrefclient) + 1).', '.dol_strlen($maskrefclient_maskclientcode).")='".$maskrefclient_clientcode."')"; + $maskrefclient_sql .= ' AND (SUBSTRING('.$field.', '.(strpos($maskwithnocode, $maskrefclient) + 1).', '.dol_strlen($maskrefclient_maskclientcode).")='".$db->escape($maskrefclient_clientcode)."')"; dol_syslog("functions2::get_next_value maskrefclient", LOG_DEBUG); $maskrefclient_resql = $db->query($maskrefclient_sql); diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php index b9a06b532f4..cd4bc333b41 100644 --- a/htdocs/core/lib/security.lib.php +++ b/htdocs/core/lib/security.lib.php @@ -528,7 +528,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand { $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb"; $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt"; - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = '".$user->id."'"; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id); $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")"; $sql .= " AND (dbt.fk_soc IS NULL OR sc.fk_soc IS NOT NULL)"; // Contact not linked to a company or to a company of user $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")"; diff --git a/htdocs/core/modules/DolibarrModules.class.php b/htdocs/core/modules/DolibarrModules.class.php index bd8e7b7d58e..69fce65f781 100644 --- a/htdocs/core/modules/DolibarrModules.class.php +++ b/htdocs/core/modules/DolibarrModules.class.php @@ -1586,10 +1586,10 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it $sql = "INSERT INTO ".MAIN_DB_PREFIX."const (name,type,value,note,visible,entity)"; $sql .= " VALUES ("; $sql .= $this->db->encrypt($name, 1); - $sql .= ",'".$type."'"; + $sql .= ",'".$this->db->escape($type)."'"; $sql .= ",".(($val != '') ? $this->db->encrypt($val, 1) : "''"); $sql .= ",".($note ? "'".$this->db->escape($note)."'" : "null"); - $sql .= ",'".$visible."'"; + $sql .= ",'".$this->db->escape($visible)."'"; $sql .= ",".$entity; $sql .= ")"; @@ -1630,7 +1630,7 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it if ($deleteonunactive) { $sql = "DELETE FROM ".MAIN_DB_PREFIX."const"; - $sql .= " WHERE ".$this->db->decrypt('name')." = '".$name."'"; + $sql .= " WHERE ".$this->db->decrypt('name')." = '".$this->db->escape($name)."'"; $sql .= " AND entity in (0, ".$conf->entity.")"; dol_syslog(get_class($this)."::delete_const", LOG_DEBUG); if (!$this->db->query($sql)) { @@ -1700,18 +1700,18 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it $sql = "INSERT INTO ".MAIN_DB_PREFIX."rights_def"; $sql .= " (id, entity, libelle, module, type, bydefault, perms, subperms)"; $sql .= " VALUES "; - $sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$r_modul."','".$r_type."',".$r_def.",'".$r_perms."','".$r_subperms."')"; + $sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$this->db->escape($r_modul)."','".$this->db->escape($r_type)."',".$r_def.",'".$this->db->escape($r_perms)."','".$this->db->escape($r_subperms)."')"; } else { $sql = "INSERT INTO ".MAIN_DB_PREFIX."rights_def"; $sql .= " (id, entity, libelle, module, type, bydefault, perms)"; $sql .= " VALUES "; - $sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$r_modul."','".$r_type."',".$r_def.",'".$r_perms."')"; + $sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$this->db->escape($r_modul)."','".$this->db->escape($r_type)."',".$r_def.",'".$this->db->escape($r_perms)."')"; } } else { $sql = "INSERT INTO ".MAIN_DB_PREFIX."rights_def "; $sql .= " (id, entity, libelle, module, type, bydefault)"; $sql .= " VALUES "; - $sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$r_modul."','".$r_type."',".$r_def.")"; + $sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$this->db->escape($r_modul)."','".$this->db->escape($r_type)."',".$r_def.")"; } $resqlinsert = $this->db->query($sql, 1); @@ -2009,7 +2009,7 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it $sql = "SELECT count(*)"; $sql .= " FROM ".MAIN_DB_PREFIX."const"; - $sql .= " WHERE ".$this->db->decrypt('name')." = '".$name."'"; + $sql .= " WHERE ".$this->db->decrypt('name')." = '".$this->db->escape($name)."'"; $sql .= " AND entity = ".$conf->entity; dol_syslog(get_class($this)."::insert_dirs", LOG_DEBUG); diff --git a/htdocs/core/modules/barcode/mod_barcode_product_standard.php b/htdocs/core/modules/barcode/mod_barcode_product_standard.php index 9569f800f7f..5d43609e7de 100644 --- a/htdocs/core/modules/barcode/mod_barcode_product_standard.php +++ b/htdocs/core/modules/barcode/mod_barcode_product_standard.php @@ -245,7 +245,7 @@ class mod_barcode_product_standard extends ModeleNumRefBarCode { // phpcs:enable $sql = "SELECT barcode FROM ".MAIN_DB_PREFIX."product"; - $sql .= " WHERE barcode = '".$code."'"; + $sql .= " WHERE barcode = '".$db->escape($code)."'"; if ($product->id > 0) $sql .= " AND rowid <> ".$product->id; $resql = $db->query($sql); diff --git a/htdocs/core/modules/expensereport/doc/pdf_standard.modules.php b/htdocs/core/modules/expensereport/doc/pdf_standard.modules.php index e569d51ab43..ae1310a924a 100644 --- a/htdocs/core/modules/expensereport/doc/pdf_standard.modules.php +++ b/htdocs/core/modules/expensereport/doc/pdf_standard.modules.php @@ -1029,7 +1029,7 @@ class pdf_standard extends ModeleExpenseReport $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_paiement as c ON p.fk_typepayment = c.id"; $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'bank as b ON p.fk_bank = b.rowid'; $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'bank_account as ba ON b.fk_account = ba.rowid'; - $sql .= " WHERE e.rowid = '".$object->id."'"; + $sql .= " WHERE e.rowid = ".((int) $object->id); $sql .= " AND p.fk_expensereport = e.rowid"; $sql .= ' AND e.entity IN ('.getEntity('expensereport').')'; $sql .= " ORDER BY dp"; diff --git a/htdocs/core/modules/facture/mod_facture_mars.php b/htdocs/core/modules/facture/mod_facture_mars.php index 0f481483bbf..8dc23e045b3 100644 --- a/htdocs/core/modules/facture/mod_facture_mars.php +++ b/htdocs/core/modules/facture/mod_facture_mars.php @@ -162,7 +162,7 @@ class mod_facture_mars extends ModeleNumRefFactures $posindice = strlen($prefix) + 6; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql .= " FROM ".MAIN_DB_PREFIX."facture"; - $sql .= " WHERE ref LIKE '".$prefix."____-%'"; + $sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-%'"; $sql .= " AND entity IN (".getEntity('invoicenumber', 1, $invoice).")"; $resql = $db->query($sql); @@ -184,7 +184,7 @@ class mod_facture_mars extends ModeleNumRefFactures $ref = ''; $sql = "SELECT ref as ref"; $sql .= " FROM ".MAIN_DB_PREFIX."facture"; - $sql .= " WHERE ref LIKE '".$prefix."____-".$num."'"; + $sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-".$num."'"; $sql .= " AND entity IN (".getEntity('invoicenumber', 1, $invoice).")"; $sql .= " ORDER BY ref DESC"; diff --git a/htdocs/core/modules/facture/mod_facture_terre.php b/htdocs/core/modules/facture/mod_facture_terre.php index 9b744523db8..588b2f34aab 100644 --- a/htdocs/core/modules/facture/mod_facture_terre.php +++ b/htdocs/core/modules/facture/mod_facture_terre.php @@ -194,7 +194,7 @@ class mod_facture_terre extends ModeleNumRefFactures $posindice = strlen($prefix) + 6; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql .= " FROM ".MAIN_DB_PREFIX."facture"; - $sql .= " WHERE ref LIKE '".$prefix."____-%'"; + $sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-%'"; $sql .= " AND entity IN (".getEntity('invoicenumber', 1, $invoice).")"; $resql = $db->query($sql); @@ -215,7 +215,7 @@ class mod_facture_terre extends ModeleNumRefFactures $ref = ''; $sql = "SELECT ref as ref"; $sql .= " FROM ".MAIN_DB_PREFIX."facture"; - $sql .= " WHERE ref LIKE '".$prefix."____-".$num."'"; + $sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-".$num."'"; $sql .= " AND entity IN (".getEntity('invoicenumber', 1, $invoice).")"; $sql .= " ORDER BY ref DESC"; diff --git a/htdocs/core/modules/import/import_csv.modules.php b/htdocs/core/modules/import/import_csv.modules.php index 51ad55cc937..330454e2105 100644 --- a/htdocs/core/modules/import/import_csv.modules.php +++ b/htdocs/core/modules/import/import_csv.modules.php @@ -843,7 +843,7 @@ class ImportCsv extends ModeleImports if (!$error && !$updatedone) { // Build SQL INSERT request $sqlstart = 'INSERT INTO '.$tablename.'('.implode(', ', $listfields).', import_key'; - $sqlend = ') VALUES('.implode(', ', $listvalues).", '".$importid."'"; + $sqlend = ') VALUES('.implode(', ', $listvalues).", '".$this->db->escape($importid)."'"; if (!empty($tablewithentity_cache[$tablename])) { $sqlstart .= ', entity'; $sqlend .= ', '.$conf->entity; diff --git a/htdocs/core/modules/import/import_xlsx.modules.php b/htdocs/core/modules/import/import_xlsx.modules.php index 090d57645ea..f6daa52d541 100644 --- a/htdocs/core/modules/import/import_xlsx.modules.php +++ b/htdocs/core/modules/import/import_xlsx.modules.php @@ -872,7 +872,7 @@ class ImportXlsx extends ModeleImports if (!$error && !$updatedone) { // Build SQL INSERT request $sqlstart = 'INSERT INTO '.$tablename.'('.implode(', ', $listfields).', import_key'; - $sqlend = ') VALUES('.implode(', ', $listvalues).", '".$importid."'"; + $sqlend = ') VALUES('.implode(', ', $listvalues).", '".$db->escape($importid)."'"; if (!empty($tablewithentity_cache[$tablename])) { $sqlstart .= ', entity'; $sqlend .= ', '.$conf->entity; diff --git a/htdocs/core/modules/mailings/contacts1.modules.php b/htdocs/core/modules/mailings/contacts1.modules.php index 2ba999fa8b7..be5e8435ad2 100644 --- a/htdocs/core/modules/mailings/contacts1.modules.php +++ b/htdocs/core/modules/mailings/contacts1.modules.php @@ -75,7 +75,7 @@ class mailing_contacts1 extends MailingTargets $langs->load("commercial"); $statssql = array(); - $statssql[0] = "SELECT '".$langs->trans("NbOfCompaniesContacts")."' as label,"; + $statssql[0] = "SELECT '".$this->db->escape($langs->trans("NbOfCompaniesContacts"))."' as label,"; $statssql[0] .= " count(distinct(c.email)) as nb"; $statssql[0] .= " FROM ".MAIN_DB_PREFIX."socpeople as c"; $statssql[0] .= " WHERE c.entity IN (".getEntity('socpeople').")"; @@ -390,7 +390,7 @@ class mailing_contacts1 extends MailingTargets { //print "xx".$key; if ($key == 'prospects') $sql .= " AND s.client=2"; - foreach ($prospectlevel as $codelevel=>$valuelevel) if ($key == 'prospectslevel'.$codelevel) $sql .= " AND s.fk_prospectlevel='".$codelevel."'"; + foreach ($prospectlevel as $codelevel=>$valuelevel) if ($key == 'prospectslevel'.$codelevel) $sql .= " AND s.fk_prospectlevel='".$this->db->escape($codelevel)."'"; if ($key == 'customers') $sql .= " AND s.client=1"; if ($key == 'suppliers') $sql .= " AND s.fournisseur=1"; } diff --git a/htdocs/core/modules/mailings/fraise.modules.php b/htdocs/core/modules/mailings/fraise.modules.php index f9c876b0230..7b9eeb02c0d 100644 --- a/htdocs/core/modules/mailings/fraise.modules.php +++ b/htdocs/core/modules/mailings/fraise.modules.php @@ -266,9 +266,9 @@ class mailing_fraise extends MailingTargets if ($dateendsubscriptionbefore > 0) $sql .= " AND datefin < '".$this->db->idate($dateendsubscriptionbefore)."'"; $sql .= " AND a.fk_adherent_type = ta.rowid"; // Filter on type - if ($_POST['filter_type']) $sql .= " AND ta.rowid='".$_POST['filter_type']."'"; + if (GETPOSTISET('filter_type')) $sql .= " AND ta.rowid='".$this->db->escape(GETPOST('filter_type'))."'"; // Filter on category - if ($_POST['filter_category']) $sql .= " AND c.rowid='".$_POST['filter_category']."'"; + if (GETPOSTISSET('filter_category')) $sql .= " AND c.rowid='".$this->db->escape(GETPOST('filter_category'))."'"; $sql .= " ORDER BY a.email"; //print $sql; diff --git a/htdocs/core/modules/mailings/modules_mailings.php b/htdocs/core/modules/mailings/modules_mailings.php index 32222d619a0..4c078a39130 100644 --- a/htdocs/core/modules/mailings/modules_mailings.php +++ b/htdocs/core/modules/mailings/modules_mailings.php @@ -175,7 +175,7 @@ class MailingTargets // This can't be abstract as it is used for some method $sql .= " tag,"; $sql .= " source_type)"; $sql .= " VALUES (".$mailing_id.","; - $sql .= (empty($targetarray['fk_contact']) ? '0' : "'".$targetarray['fk_contact']."'").","; + $sql .= (empty($targetarray['fk_contact']) ? '0' : "'".$this->db->escape($targetarray['fk_contact'])."'").","; $sql .= "'".$this->db->escape($targetarray['lastname'])."',"; $sql .= "'".$this->db->escape($targetarray['firstname'])."',"; $sql .= "'".$this->db->escape($targetarray['email'])."',"; diff --git a/htdocs/core/modules/mailings/pomme.modules.php b/htdocs/core/modules/mailings/pomme.modules.php index 38c7fc78065..52da4f87a32 100644 --- a/htdocs/core/modules/mailings/pomme.modules.php +++ b/htdocs/core/modules/mailings/pomme.modules.php @@ -73,7 +73,7 @@ class mailing_pomme extends MailingTargets $langs->load("users"); $statssql = array(); - $sql = "SELECT '".$langs->trans("DolibarrUsers")."' as label,"; + $sql = "SELECT '".$this->db->escape($langs->trans("DolibarrUsers"))."' as label,"; $sql .= " count(distinct(u.email)) as nb"; $sql .= " FROM ".MAIN_DB_PREFIX."user as u"; $sql .= " WHERE u.email != ''"; // u.email IS NOT NULL est implicite dans ce test diff --git a/htdocs/core/modules/mailings/thirdparties_services_expired.modules.php b/htdocs/core/modules/mailings/thirdparties_services_expired.modules.php index 852f05f837a..51bdb7b6b87 100644 --- a/htdocs/core/modules/mailings/thirdparties_services_expired.modules.php +++ b/htdocs/core/modules/mailings/thirdparties_services_expired.modules.php @@ -113,7 +113,7 @@ class mailing_thirdparties_services_expired extends MailingTargets $sql .= " WHERE s.entity IN (".getEntity('societe').")"; $sql .= " AND s.email NOT IN (SELECT email FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE fk_mailing=".$mailing_id.")"; $sql .= " AND s.rowid = c.fk_soc AND cd.fk_contrat = c.rowid AND s.email != ''"; - $sql .= " AND cd.statut= 4 AND cd.fk_product=p.rowid AND p.ref = '".$product."'"; + $sql .= " AND cd.statut= 4 AND cd.fk_product=p.rowid AND p.ref = '".$this->db->escape($product)."'"; $sql .= " AND cd.date_fin_validite < '".$this->db->idate($now)."'"; $sql .= " ORDER BY s.email"; diff --git a/htdocs/core/modules/movement/doc/pdf_standard.modules.php b/htdocs/core/modules/movement/doc/pdf_standard.modules.php index ecdcb9925f1..308c541bb69 100644 --- a/htdocs/core/modules/movement/doc/pdf_standard.modules.php +++ b/htdocs/core/modules/movement/doc/pdf_standard.modules.php @@ -291,13 +291,13 @@ class pdf_stdandard extends ModelePDFMovement { $sql .= " AND m.datem BETWEEN '".$db->idate(dol_get_first_day($year, 1, false))."' AND '".$db->idate(dol_get_last_day($year, 12, false))."'"; } - if ($idproduct > 0) $sql .= " AND p.rowid = '".$idproduct."'"; + if ($idproduct > 0) $sql .= " AND p.rowid = ".((int) $idproduct); if (!empty($search_ref)) $sql .= natural_search('m.rowid', $search_ref, 1); if (!empty($search_movement)) $sql .= natural_search('m.label', $search_movement); if (!empty($search_inventorycode)) $sql .= natural_search('m.inventorycode', $search_inventorycode); if (!empty($search_product_ref)) $sql .= natural_search('p.ref', $search_product_ref); if (!empty($search_product)) $sql .= natural_search('p.label', $search_product); - if ($search_warehouse > 0) $sql .= " AND e.rowid = '".$db->escape($search_warehouse)."'"; + if ($search_warehouse > 0) $sql .= " AND e.rowid = ".((int) $db->escape($search_warehouse)); if (!empty($search_user)) $sql .= natural_search('u.login', $search_user); if (!empty($search_batch)) $sql .= natural_search('m.batch', $search_batch); if ($search_qty != '') $sql .= natural_search('m.value', $search_qty, 1); @@ -489,7 +489,7 @@ class pdf_stdandard extends ModelePDFMovement $sql = "SELECT label"; $sql .= " FROM ".MAIN_DB_PREFIX."product_lang"; $sql .= " WHERE fk_product=".$objp->rowid; - $sql .= " AND lang='".$langs->getDefaultLang()."'"; + $sql .= " AND lang='".$this->db->escape($langs->getDefaultLang())."'"; $sql .= " LIMIT 1"; $result = $db->query($sql); @@ -1049,7 +1049,7 @@ class pdf_stdandard extends ModelePDFMovement // Last movement $sql = "SELECT max(m.datem) as datem"; $sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m"; - $sql .= " WHERE m.fk_entrepot = '".$object->id."'"; + $sql .= " WHERE m.fk_entrepot = ".((int) $object->id); $resqlbis = $db->query($sql); if ($resqlbis) { diff --git a/htdocs/core/modules/printing/printgcp.modules.php b/htdocs/core/modules/printing/printgcp.modules.php index f68de863ab8..fc7fef9a158 100644 --- a/htdocs/core/modules/printing/printgcp.modules.php +++ b/htdocs/core/modules/printing/printgcp.modules.php @@ -312,7 +312,7 @@ class printing_printgcp extends PrintingDriver $fileprint .= '/'.$file; $mimetype = dol_mimetype($fileprint); // select printer uri for module order, propal,... - $sql = "SELECT rowid, printer_id, copy FROM ".MAIN_DB_PREFIX."printing WHERE module='".$module."' AND driver='printgcp' AND userid=".$user->id; + $sql = "SELECT rowid, printer_id, copy FROM ".MAIN_DB_PREFIX."printing WHERE module='".$this->db->escape($module)."' AND driver='printgcp' AND userid=".$user->id; $result = $this->db->query($sql); if ($result) { diff --git a/htdocs/core/modules/printing/printipp.modules.php b/htdocs/core/modules/printing/printipp.modules.php index b4b24b062df..bd51b2c170e 100644 --- a/htdocs/core/modules/printing/printipp.modules.php +++ b/htdocs/core/modules/printing/printipp.modules.php @@ -107,7 +107,7 @@ class printing_printipp extends PrintingDriver if (!empty($this->user)) $ipp->setAuthentication($this->user, $this->password); // select printer uri for module order, propal,... - $sql = "SELECT rowid,printer_id,copy FROM ".MAIN_DB_PREFIX."printing WHERE module = '".$module."' AND driver = 'printipp' AND userid = ".$user->id; + $sql = "SELECT rowid,printer_id,copy FROM ".MAIN_DB_PREFIX."printing WHERE module = '".$this->db->escape($module)."' AND driver = 'printipp' AND userid = ".$user->id; $result = $this->db->query($sql); if ($result) { $obj = $this->db->fetch_object($result); diff --git a/htdocs/core/modules/product/mod_codeproduct_elephant.php b/htdocs/core/modules/product/mod_codeproduct_elephant.php index 0b5fcd5212c..7c2a7e479da 100644 --- a/htdocs/core/modules/product/mod_codeproduct_elephant.php +++ b/htdocs/core/modules/product/mod_codeproduct_elephant.php @@ -313,7 +313,7 @@ class mod_codeproduct_elephant extends ModeleProductCode { // phpcs:enable $sql = "SELECT ref FROM ".MAIN_DB_PREFIX."product"; - $sql .= " WHERE ref = '".$code."'"; + $sql .= " WHERE ref = '".$this->db->escape($code)."'"; if ($product->id > 0) $sql .= " AND rowid <> ".$product->id; $resql = $db->query($sql); diff --git a/htdocs/core/modules/societe/mod_codeclient_monkey.php b/htdocs/core/modules/societe/mod_codeclient_monkey.php index 378b9bd5045..a73e7db2911 100644 --- a/htdocs/core/modules/societe/mod_codeclient_monkey.php +++ b/htdocs/core/modules/societe/mod_codeclient_monkey.php @@ -133,7 +133,7 @@ class mod_codeclient_monkey extends ModeleThirdPartyCode $posindice = strlen($prefix) + 6; $sql = "SELECT MAX(CAST(SUBSTRING(".$field." FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql .= " FROM ".MAIN_DB_PREFIX."societe"; - $sql .= " WHERE ".$field." LIKE '".$prefix."____-%'"; + $sql .= " WHERE ".$field." LIKE '".$db->escape($prefix)."____-%'"; $sql .= " AND entity IN (".getEntity('societe').")"; dol_syslog(get_class($this)."::getNextValue", LOG_DEBUG); diff --git a/htdocs/core/modules/stock/doc/pdf_standard.modules.php b/htdocs/core/modules/stock/doc/pdf_standard.modules.php index 12e275e679f..acdbbb89357 100644 --- a/htdocs/core/modules/stock/doc/pdf_standard.modules.php +++ b/htdocs/core/modules/stock/doc/pdf_standard.modules.php @@ -863,7 +863,7 @@ class pdf_standard extends ModelePDFStock // Last movement $sql = "SELECT max(m.datem) as datem"; $sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m"; - $sql .= " WHERE m.fk_entrepot = '".$object->id."'"; + $sql .= " WHERE m.fk_entrepot = ".((int) $object->id); $resqlbis = $db->query($sql); if ($resqlbis) { diff --git a/htdocs/core/modules/supplier_invoice/mod_facture_fournisseur_cactus.php b/htdocs/core/modules/supplier_invoice/mod_facture_fournisseur_cactus.php index 18579b0397c..2b528e1154f 100644 --- a/htdocs/core/modules/supplier_invoice/mod_facture_fournisseur_cactus.php +++ b/htdocs/core/modules/supplier_invoice/mod_facture_fournisseur_cactus.php @@ -182,7 +182,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices $posindice = strlen($prefix) + 6; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn"; - $sql .= " WHERE ref LIKE '".$prefix."____-%'"; + $sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-%'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); @@ -204,7 +204,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices $ref = ''; $sql = "SELECT ref as ref"; $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn"; - $sql .= " WHERE ref LIKE '".$prefix."____-".$num."'"; + $sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-".$num."'"; $sql .= " AND entity = ".$conf->entity; dol_syslog(get_class($this)."::getNextValue", LOG_DEBUG); diff --git a/htdocs/core/modules/ticket/mod_ticket_simple.php b/htdocs/core/modules/ticket/mod_ticket_simple.php index 67eebfc789a..679224c5357 100644 --- a/htdocs/core/modules/ticket/mod_ticket_simple.php +++ b/htdocs/core/modules/ticket/mod_ticket_simple.php @@ -93,7 +93,7 @@ class mod_ticket_simple extends ModeleNumRefTicket $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql .= " FROM ".MAIN_DB_PREFIX."ticket"; $search = $this->prefix."____-%"; - $sql .= " WHERE ref LIKE '".$search."'"; + $sql .= " WHERE ref LIKE '".$db->escape($search)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) { @@ -128,7 +128,7 @@ class mod_ticket_simple extends ModeleNumRefTicket $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql .= " FROM ".MAIN_DB_PREFIX."ticket"; $search = $this->prefix."____-%"; - $sql .= " WHERE ref LIKE '".$search."'"; + $sql .= " WHERE ref LIKE '".$db->escape($search)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); From d38168f49ead681f89257e8bda6c1d67cea4f978 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 22:59:04 +0200 Subject: [PATCH 100/151] Fix escape --- htdocs/install/lib/repair.lib.php | 2 +- htdocs/install/repair.php | 7 ++- htdocs/install/upgrade2.php | 52 ++++++++++++---------- htdocs/webservices/server_user.php | 2 +- htdocs/website/class/websitepage.class.php | 4 +- test/phpunit/CodingPhpTest.php | 2 +- 6 files changed, 36 insertions(+), 33 deletions(-) diff --git a/htdocs/install/lib/repair.lib.php b/htdocs/install/lib/repair.lib.php index 19b91bb0a26..1a05dad1b77 100644 --- a/htdocs/install/lib/repair.lib.php +++ b/htdocs/install/lib/repair.lib.php @@ -130,7 +130,7 @@ function clean_data_ecm_directories() $newlabel = dol_sanitizeFileName($label); if ($label != $newlabel) { - $sqlupdate = "UPDATE ".MAIN_DB_PREFIX."ecm_directories set label='".$newlabel."' WHERE rowid=".$id; + $sqlupdate = "UPDATE ".MAIN_DB_PREFIX."ecm_directories set label='".$db->escape($newlabel)."' WHERE rowid=".$id; print '\n"; $resqlupdate = $db->query($sqlupdate); if (!$resqlupdate) dol_print_error($db, 'Failed to update'); diff --git a/htdocs/install/repair.php b/htdocs/install/repair.php index b4fe656bbac..e8965adedb3 100644 --- a/htdocs/install/repair.php +++ b/htdocs/install/repair.php @@ -30,7 +30,6 @@ include_once $dolibarr_main_document_root.'/core/lib/images.lib.php'; require_once $dolibarr_main_document_root.'/core/class/extrafields.class.php'; require_once 'lib/repair.lib.php'; -$grant_query = ''; $step = 2; $ok = 0; @@ -445,8 +444,8 @@ if ($ok && GETPOST('standard', 'alpha')) if ($obj2 && $obj2->nb == 0) { // Module not found, so we canremove entry - $sqldeletea = "DELETE FROM ".MAIN_DB_PREFIX."boxes WHERE entity = ".$obj->entity." AND box_id IN (SELECT rowid FROM ".MAIN_DB_PREFIX."boxes_def WHERE file = '".$obj->file."' AND entity = ".$obj->entity.")"; - $sqldeleteb = "DELETE FROM ".MAIN_DB_PREFIX."boxes_def WHERE file = '".$obj->file."' AND entity = ".$obj->entity; + $sqldeletea = "DELETE FROM ".MAIN_DB_PREFIX."boxes WHERE entity = ".$obj->entity." AND box_id IN (SELECT rowid FROM ".MAIN_DB_PREFIX."boxes_def WHERE file = '".$db->escape($obj->file)."' AND entity = ".$obj->entity.")"; + $sqldeleteb = "DELETE FROM ".MAIN_DB_PREFIX."boxes_def WHERE file = '".$db->escape($obj->file)."' AND entity = ".$obj->entity; if (GETPOST('standard', 'alpha') == 'confirmed') { @@ -782,7 +781,7 @@ if ($ok && GETPOST('clean_menus', 'alpha')) print ' - Module condition '.$modulecond.' seems ko, we delete menu entry.'; if (GETPOST('clean_menus') == 'confirmed') { - $sql2 = "DELETE FROM ".MAIN_DB_PREFIX."menu WHERE module = '".$modulecond."'"; + $sql2 = "DELETE FROM ".MAIN_DB_PREFIX."menu WHERE module = '".$db->escape($modulecond)."'"; $resql2 = $db->query($sql2); if (!$resql2) { diff --git a/htdocs/install/upgrade2.php b/htdocs/install/upgrade2.php index 90ac30058e0..6c154ca062a 100644 --- a/htdocs/install/upgrade2.php +++ b/htdocs/install/upgrade2.php @@ -978,11 +978,11 @@ function migrate_contracts_det($db, $langs, $conf) $sql .= $obj->cref.", ".($obj->fk_product ? $obj->fk_product : 0).", "; $sql .= "0, "; $sql .= "'".$db->escape($obj->label)."', null, "; - $sql .= ($obj->date_contrat ? "'".$obj->date_contrat."'" : "null").", "; + $sql .= ($obj->date_contrat ? "'".$db->escape($obj->date_contrat)."'" : "null").", "; $sql .= "null, "; $sql .= "null, "; - $sql .= "'".$obj->tva_tx."' , 1, "; - $sql .= "'".$obj->price."', '".$obj->price."', ".$obj->fk_user_author.","; + $sql .= "'".$db->escape($obj->tva_tx)."' , 1, "; + $sql .= "'".$db->escape($obj->price)."', '".$db->escape($obj->price)."', ".$obj->fk_user_author.","; $sql .= "null"; $sql .= ")"; @@ -1171,9 +1171,11 @@ function migrate_contracts_date2($db, $langs, $conf) $obj = $db->fetch_object($resql); if ($obj->date_contrat > $obj->datemin) { + $datemin = $db->jdate($obj->datemin); + print $langs->trans('MigrationContractsInvalidDateFix', $obj->cref, $obj->date_contrat, $obj->datemin)."
\n"; $sql = "UPDATE ".MAIN_DB_PREFIX."contrat"; - $sql .= " SET date_contrat='".$obj->datemin."'"; + $sql .= " SET date_contrat='".$db->idate($datemin)."'"; $sql .= " WHERE rowid=".$obj->cref; $resql2 = $db->query($sql); if (!$resql2) dol_print_error($db); @@ -2088,9 +2090,11 @@ function migrate_commande_livraison($db, $langs, $conf) if ($resql2) { + $date_livraison = $db->jdate($obj->date_livraison); + $sqlu = "UPDATE ".MAIN_DB_PREFIX."livraison SET"; - $sqlu .= " ref_client='".$obj->ref_client."'"; - $sqlu .= ", date_livraison='".$obj->date_livraison."'"; + $sqlu .= " ref_client='".$db->escape($obj->ref_client)."'"; + $sqlu .= ", date_livraison='".$db->idate($date_livraison)."'"; $sqlu .= " WHERE rowid = ".$obj->rowid; $resql3 = $db->query($sqlu); if (!$resql3) @@ -2172,8 +2176,8 @@ function migrate_detail_livraison($db, $langs, $conf) $sql = "UPDATE ".MAIN_DB_PREFIX."livraisondet SET"; $sql .= " fk_product=".$obj->fk_product; $sql .= ",description='".$db->escape($obj->description)."'"; - $sql .= ",subprice='".$obj->subprice."'"; - $sql .= ",total_ht='".$obj->total_ht."'"; + $sql .= ",subprice='".$db->escape($obj->subprice)."'"; + $sql .= ",total_ht='".$db->escape($obj->total_ht)."'"; $sql .= " WHERE fk_commande_ligne = ".$obj->rowid; $resql2 = $db->query($sql); @@ -2190,7 +2194,7 @@ function migrate_detail_livraison($db, $langs, $conf) $total_ht = $obju->total_ht + $obj->total_ht; $sqlu = "UPDATE ".MAIN_DB_PREFIX."livraison SET"; - $sqlu .= " total_ht='".$total_ht."'"; + $sqlu .= " total_ht='".$db->escape($total_ht)."'"; $sqlu .= " WHERE rowid=".$obj->fk_livraison; $resql4 = $db->query($sqlu); if (!$resql4) @@ -2274,7 +2278,7 @@ function migrate_stocks($db, $langs, $conf) $obj = $db->fetch_object($resql); $sql = "UPDATE ".MAIN_DB_PREFIX."product SET"; - $sql .= " stock = '".$obj->total."'"; + $sql .= " stock = '".$db->escape($obj->total)."'"; $sql .= " WHERE rowid=".$obj->fk_product; $resql2 = $db->query($sql); @@ -2343,7 +2347,7 @@ function migrate_menus($db, $langs, $conf) $obj = $db->fetch_object($resql); $sql = "UPDATE ".MAIN_DB_PREFIX."menu SET"; - $sql .= " enabled = '".$obj->action."'"; + $sql .= " enabled = '".$db->escape($obj->action)."'"; $sql .= " WHERE rowid=".$obj->rowid; $sql .= " AND enabled = '1'"; @@ -2419,7 +2423,7 @@ function migrate_commande_deliveryaddress($db, $langs, $conf) $obj = $db->fetch_object($resql); $sql = "UPDATE ".MAIN_DB_PREFIX."expedition SET"; - $sql .= " fk_adresse_livraison = '".$obj->fk_adresse_livraison."'"; + $sql .= " fk_adresse_livraison = '".$db->escape($obj->fk_adresse_livraison)."'"; $sql .= " WHERE rowid=".$obj->fk_expedition; $resql2 = $db->query($sql); @@ -2508,7 +2512,7 @@ function migrate_restore_missing_links($db, $langs, $conf) print 'Line '.$obj->rowid.' in '.$table1.' is linked to record '.$obj->field.' in '.$table2.' that has no link to '.$table1.'. We fix this.
'; $sql = "UPDATE ".MAIN_DB_PREFIX.$table2." SET"; - $sql .= " ".$field2." = '".$obj->rowid."'"; + $sql .= " ".$field2." = '".$db->escape($obj->rowid)."'"; $sql .= " WHERE rowid=".$obj->field; $resql2 = $db->query($sql); @@ -2568,7 +2572,7 @@ function migrate_restore_missing_links($db, $langs, $conf) print 'Line '.$obj->rowid.' in '.$table1.' is linked to record '.$obj->field.' in '.$table2.' that has no link to '.$table1.'. We fix this.
'; $sql = "UPDATE ".MAIN_DB_PREFIX.$table2." SET"; - $sql .= " ".$field2." = '".$obj->rowid."'"; + $sql .= " ".$field2." = '".$db->escape($obj->rowid)."'"; $sql .= " WHERE rowid=".$obj->field; $resql2 = $db->query($sql); @@ -2821,9 +2825,9 @@ function migrate_relationship_tables($db, $langs, $conf, $table, $fk_source, $so $sqlInsert .= ", targettype"; $sqlInsert .= ") VALUES ("; $sqlInsert .= $obj->$fk_source; - $sqlInsert .= ", '".$sourcetype."'"; + $sqlInsert .= ", '".$db->escape($sourcetype)."'"; $sqlInsert .= ", ".$obj->$fk_target; - $sqlInsert .= ", '".$targettype."'"; + $sqlInsert .= ", '".$db->escape($targettype)."'"; $sqlInsert .= ")"; $result = $db->query($sqlInsert); @@ -3023,8 +3027,8 @@ function migrate_customerorder_shipping($db, $langs, $conf) $obj = $db->fetch_object($resql); $sqlUpdate = "UPDATE ".MAIN_DB_PREFIX."expedition SET"; - $sqlUpdate .= " ref_customer = '".$obj->ref_client."'"; - $sqlUpdate .= ", date_delivery = '".($obj->date_livraison ? $obj->date_livraison : 'null')."'"; + $sqlUpdate .= " ref_customer = '".$db->escape($obj->ref_client)."'"; + $sqlUpdate .= ", date_delivery = '".$db->escape($obj->date_livraison ? $obj->date_livraison : 'null')."'"; $sqlUpdate .= " WHERE rowid = ".$obj->shipping_id; $result = $db->query($sqlUpdate); @@ -3210,8 +3214,8 @@ function migrate_shipping_delivery2($db, $langs, $conf) $obj = $db->fetch_object($resql); $sqlUpdate = "UPDATE ".MAIN_DB_PREFIX."livraison SET"; - $sqlUpdate .= " ref_customer = '".$obj->ref_customer."',"; - $sqlUpdate .= " date_delivery = ".($obj->date_delivery ? "'".$obj->date_delivery."'" : 'null'); + $sqlUpdate .= " ref_customer = '".$db->escape($obj->ref_customer)."',"; + $sqlUpdate .= " date_delivery = ".($obj->date_delivery ? "'".$db->escape($obj->date_delivery)."'" : 'null'); $sqlUpdate .= " WHERE rowid = ".$obj->delivery_id; $result = $db->query($sqlUpdate); @@ -3277,7 +3281,7 @@ function migrate_actioncomm_element($db, $langs, $conf) $db->begin(); $sql = "UPDATE ".MAIN_DB_PREFIX."actioncomm SET "; - $sql .= "fk_element = ".$field.", elementtype = '".$type."'"; + $sql .= "fk_element = ".$field.", elementtype = '".$db->escape($type)."'"; $sql .= " WHERE ".$field." IS NOT NULL"; $sql .= " AND fk_element IS NULL"; $sql .= " AND elementtype IS NULL"; @@ -3336,7 +3340,7 @@ function migrate_mode_reglement($db, $langs, $conf) $sqlSelect = "SELECT id"; $sqlSelect .= " FROM ".MAIN_DB_PREFIX."c_paiement"; $sqlSelect .= " WHERE id = ".$old_id; - $sqlSelect .= " AND code = '".$elements['code'][$key]."'"; + $sqlSelect .= " AND code = '".$db->escape($elements['code'][$key])."'"; $resql = $db->query($sqlSelect); if ($resql) @@ -3351,13 +3355,13 @@ function migrate_mode_reglement($db, $langs, $conf) $sqla = "UPDATE ".MAIN_DB_PREFIX."paiement SET "; $sqla .= "fk_paiement = ".$elements['new_id'][$key]; $sqla .= " WHERE fk_paiement = ".$old_id; - $sqla .= " AND fk_paiement IN (SELECT id FROM ".MAIN_DB_PREFIX."c_paiement WHERE id = ".$old_id." AND code = '".$elements['code'][$key]."')"; + $sqla .= " AND fk_paiement IN (SELECT id FROM ".MAIN_DB_PREFIX."c_paiement WHERE id = ".$old_id." AND code = '".$db->escape($elements['code'][$key])."')"; $resqla = $db->query($sqla); $sql = "UPDATE ".MAIN_DB_PREFIX."c_paiement SET "; $sql .= "id = ".$elements['new_id'][$key]; $sql .= " WHERE id = ".$old_id; - $sql .= " AND code = '".$elements['code'][$key]."'"; + $sql .= " AND code = '".$db->escape($elements['code'][$key])."'"; $resql = $db->query($sql); if ($resqla && $resql) diff --git a/htdocs/webservices/server_user.php b/htdocs/webservices/server_user.php index bc43c4ab6d4..000bad4b563 100644 --- a/htdocs/webservices/server_user.php +++ b/htdocs/webservices/server_user.php @@ -540,7 +540,7 @@ function createUserFromThirdparty($authentication, $thirdpartywithuser) $sql = "SELECT rowid"; $sql .= " FROM ".MAIN_DB_PREFIX."c_country"; $sql .= " WHERE active = 1"; - $sql .= " AND code='".$thirdparty->country_code."'"; + $sql .= " AND code='".$db->escape($thirdparty->country_code)."'"; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/website/class/websitepage.class.php b/htdocs/website/class/websitepage.class.php index 2ed4b9a75a3..b5e29e04176 100644 --- a/htdocs/website/class/websitepage.class.php +++ b/htdocs/website/class/websitepage.class.php @@ -382,9 +382,9 @@ class WebsitePage extends CommonObject if (count($filter) > 0) { foreach ($filter as $key => $value) { if ($key == 't.rowid' || $key == 't.fk_website' || $key == 'status') { - $sqlwhere[] = $key.'='.$value; + $sqlwhere[] = $key.' = '.$value; } elseif ($key == 'type_container') { - $sqlwhere[] = $key."='".$value."'"; + $sqlwhere[] = $key." = '".$this->db->escape($value)."'"; } elseif ($key == 'lang' || $key == 't.lang') { $listoflang = array(); $foundnull = 0; diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php index 60ba1ae4bbe..00af206c552 100644 --- a/test/phpunit/CodingPhpTest.php +++ b/test/phpunit/CodingPhpTest.php @@ -152,7 +152,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase $db=$this->savdb; include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; - $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT.'/core', 'files', 1, '\.php', null, 'fullname'); + $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT.'/bom', 'files', 1, '\.php', null, 'fullname'); //$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname'); foreach ($filesarray as $key => $file) From 2c660504bb1e005fb39ca3449557f5b79e20d753 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 23:11:38 +0200 Subject: [PATCH 101/151] Fix escape --- htdocs/admin/boxes.php | 14 +++++++------- htdocs/admin/commande.php | 2 +- htdocs/admin/contract.php | 2 +- htdocs/admin/expedition.php | 2 +- htdocs/admin/expensereport.php | 2 +- htdocs/admin/external_rss.php | 4 ++-- htdocs/admin/facture.php | 2 +- htdocs/admin/fichinter.php | 2 +- htdocs/admin/holiday.php | 2 +- htdocs/admin/limits.php | 2 +- htdocs/admin/livraison.php | 2 +- htdocs/admin/mails_templates.php | 10 +++++----- htdocs/admin/mrp.php | 2 +- htdocs/admin/paymentbybanktransfer.php | 2 +- htdocs/admin/prelevement.php | 2 +- htdocs/admin/propal.php | 2 +- htdocs/admin/reception_setup.php | 2 +- htdocs/admin/stock.php | 2 +- htdocs/admin/supplier_payment.php | 2 +- htdocs/admin/supplier_proposal.php | 2 +- htdocs/admin/user.php | 2 +- htdocs/admin/usergroup.php | 2 +- htdocs/admin/website.php | 14 +++++++------- 23 files changed, 40 insertions(+), 40 deletions(-) diff --git a/htdocs/admin/boxes.php b/htdocs/admin/boxes.php index 412427494e3..4f6dfff33a5 100644 --- a/htdocs/admin/boxes.php +++ b/htdocs/admin/boxes.php @@ -192,12 +192,12 @@ if ($action == 'switch') $newsecondnum = preg_replace('/[a-zA-Z]+/', '', $newsecond); $newsecond = sprintf("%s%02d", $newsecondchar ? $newsecondchar : 'A', $newsecondnum + 1); } - $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$newfirst."' WHERE rowid=".$objfrom->rowid; + $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$db->escape($newfirst)."' WHERE rowid=".$objfrom->rowid; dol_syslog($sql); $resultupdatefrom = $db->query($sql); if (!$resultupdatefrom) { dol_print_error($db); } - $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$newsecond."' WHERE rowid=".$objto->rowid; + $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$db->escape($newsecond)."' WHERE rowid=".$objto->rowid; dol_syslog($sql); $resultupdateto = $db->query($sql); if (!$resultupdateto) { dol_print_error($db); } @@ -261,7 +261,7 @@ if ($resql) // This occurs just after an insert. if ($decalage) { - $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$decalage."' WHERE rowid=".$obj->rowid; + $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$db->escape($decalage)."' WHERE rowid=".$obj->rowid; $db->query($sql); } } @@ -286,12 +286,12 @@ if ($resql) if (preg_match("/[13579]{1}/", substr($record['box_order'], -1))) { $box_order = "A0".$record['box_order']; - $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$box_order."' WHERE entity = ".$conf->entity." AND box_order = '".$record['box_order']."'"; + $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$db->escape($box_order)."' WHERE entity = ".$conf->entity." AND box_order = '".$db->escape($record['box_order'])."'"; $resql = $db->query($sql); } elseif (preg_match("/[02468]{1}/", substr($record['box_order'], -1))) { $box_order = "B0".$record['box_order']; - $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$box_order."' WHERE entity = ".$conf->entity." AND box_order = '".$record['box_order']."'"; + $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$db->escape($box_order)."' WHERE entity = ".$conf->entity." AND box_order = '".$db->escape($record['box_order'])."'"; $resql = $db->query($sql); } } elseif (dol_strlen($record['box_order']) == 2) @@ -299,12 +299,12 @@ if ($resql) if (preg_match("/[13579]{1}/", substr($record['box_order'], -1))) { $box_order = "A".$record['box_order']; - $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$box_order."' WHERE entity = ".$conf->entity." AND box_order = '".$record['box_order']."'"; + $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$db->escape($box_order)."' WHERE entity = ".$conf->entity." AND box_order = '".$db->escape($record['box_order'])."'"; $resql = $db->query($sql); } elseif (preg_match("/[02468]{1}/", substr($record['box_order'], -1))) { $box_order = "B".$record['box_order']; - $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$box_order."' WHERE entity = ".$conf->entity." AND box_order = '".$record['box_order']."'"; + $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$db->escape($box_order)."' WHERE entity = ".$conf->entity." AND box_order = '".$db->escape($record['box_order'])."'"; $resql = $db->query($sql); } } diff --git a/htdocs/admin/commande.php b/htdocs/admin/commande.php index 9add7675da6..288eac6de92 100644 --- a/htdocs/admin/commande.php +++ b/htdocs/admin/commande.php @@ -357,7 +357,7 @@ print load_fiche_titre($langs->trans("OrdersModelModule"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/contract.php b/htdocs/admin/contract.php index 0b84e23d992..971596d1c06 100644 --- a/htdocs/admin/contract.php +++ b/htdocs/admin/contract.php @@ -287,7 +287,7 @@ print load_fiche_titre($langs->trans("TemplatePDFContracts"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/expedition.php b/htdocs/admin/expedition.php index 92372c076cb..cf01d287d23 100644 --- a/htdocs/admin/expedition.php +++ b/htdocs/admin/expedition.php @@ -296,7 +296,7 @@ $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); diff --git a/htdocs/admin/expensereport.php b/htdocs/admin/expensereport.php index f082c89286f..13b1b0277a6 100644 --- a/htdocs/admin/expensereport.php +++ b/htdocs/admin/expensereport.php @@ -297,7 +297,7 @@ $type = 'expensereport'; $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/external_rss.php b/htdocs/admin/external_rss.php index 3d81ab01c43..7f5bcde4b3d 100644 --- a/htdocs/admin/external_rss.php +++ b/htdocs/admin/external_rss.php @@ -80,8 +80,8 @@ if ($action == 'add' || GETPOST("modify")) { // Supprime boite box_external_rss de definition des boites /* $sql = "UPDATE ".MAIN_DB_PREFIX."boxes_def"; - $sql.= " SET name = '".$boxlabel."'"; - $sql.= " WHERE file ='box_external_rss.php' AND note like '".$_POST["norss"]." %'"; + $sql.= " SET name = '".$db->escape($boxlabel)."'"; + $sql.= " WHERE file ='box_external_rss.php' AND note like '".$db->escape($_POST["norss"])." %'"; $resql=$db->query($sql); if (! $resql) diff --git a/htdocs/admin/facture.php b/htdocs/admin/facture.php index 7042f291828..fe84cf12478 100644 --- a/htdocs/admin/facture.php +++ b/htdocs/admin/facture.php @@ -421,7 +421,7 @@ $type = 'invoice'; $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/fichinter.php b/htdocs/admin/fichinter.php index a30a9d767a9..df97e9875a0 100644 --- a/htdocs/admin/fichinter.php +++ b/htdocs/admin/fichinter.php @@ -349,7 +349,7 @@ $type = 'ficheinter'; $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/holiday.php b/htdocs/admin/holiday.php index 067c0698a99..bac8e99e70f 100644 --- a/htdocs/admin/holiday.php +++ b/htdocs/admin/holiday.php @@ -299,7 +299,7 @@ print load_fiche_titre($langs->trans("TemplatePDFHolidays"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/limits.php b/htdocs/admin/limits.php index 95a8d52bc57..db29deef9d7 100644 --- a/htdocs/admin/limits.php +++ b/htdocs/admin/limits.php @@ -243,7 +243,7 @@ if (empty($mysoc->country_code)) $sql = "SELECT taux as vat_rate, t.code as vat_code, t.localtax1 as localtax_rate1, t.localtax2 as localtax_rate2"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$mysoc->country_code."' AND (t.taux <> 0 OR t.localtax1 <>0 OR t.localtax2 <>0)"; + $sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$db->escape($mysoc->country_code)."' AND (t.taux <> 0 OR t.localtax1 <>0 OR t.localtax2 <>0)"; $sql .= " ORDER BY t.taux ASC"; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/livraison.php b/htdocs/admin/livraison.php index ddd2b3f83c6..4073b0a59a9 100644 --- a/htdocs/admin/livraison.php +++ b/htdocs/admin/livraison.php @@ -291,7 +291,7 @@ $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); diff --git a/htdocs/admin/mails_templates.php b/htdocs/admin/mails_templates.php index b33741cd571..610dd9c1ef2 100644 --- a/htdocs/admin/mails_templates.php +++ b/htdocs/admin/mails_templates.php @@ -341,7 +341,7 @@ if (empty($reshook)) $i++; } - $sql .= " WHERE ".$rowidcol." = '".$rowid."'"; + $sql .= " WHERE ".$rowidcol." = ".((int) $rowid); //print $sql;exit; dol_syslog("actionmodify", LOG_DEBUG); //print $sql; @@ -359,7 +359,7 @@ if (empty($reshook)) { $rowidcol = "rowid"; - $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol."='".$rowid."'"; + $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol."=".((int) $rowid); dol_syslog("delete", LOG_DEBUG); $result = $db->query($sql); @@ -379,7 +379,7 @@ if (empty($reshook)) { $rowidcol = "rowid"; - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."=".((int) $rowid); $result = $db->query($sql); if (!$result) @@ -393,7 +393,7 @@ if (empty($reshook)) { $rowidcol = "rowid"; - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."=".((int) $rowid); $result = $db->query($sql); if (!$result) @@ -443,7 +443,7 @@ if (!$user->admin) } if (empty($conf->global->MAIN_MULTILANGS)) { - $sql .= " AND (lang = '".$langs->defaultlang."' OR lang IS NULL OR lang = '')"; + $sql .= " AND (lang = '".$db->escape($langs->defaultlang)."' OR lang IS NULL OR lang = '')"; } if ($search_label) $sql .= natural_search('label', $search_label); if ($search_type_template != '' && $search_type_template != '-1') $sql .= natural_search('type_template', $search_type_template); diff --git a/htdocs/admin/mrp.php b/htdocs/admin/mrp.php index ffa4d8e7c6b..10e992c7ac2 100644 --- a/htdocs/admin/mrp.php +++ b/htdocs/admin/mrp.php @@ -293,7 +293,7 @@ print load_fiche_titre($langs->trans("MOsModelModule"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/paymentbybanktransfer.php b/htdocs/admin/paymentbybanktransfer.php index c549e29443e..4056ce238e3 100644 --- a/htdocs/admin/paymentbybanktransfer.php +++ b/htdocs/admin/paymentbybanktransfer.php @@ -210,7 +210,7 @@ print load_fiche_titre($langs->trans("OrdersModelModule"),'',''); $def = array(); $sql = "SELECT nom"; $sql.= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql.= " WHERE type = '".$type."'"; +$sql.= " WHERE type = '".$db->escape($type)."'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); if ($resql) diff --git a/htdocs/admin/prelevement.php b/htdocs/admin/prelevement.php index 0429fde6287..24d4a379f83 100644 --- a/htdocs/admin/prelevement.php +++ b/htdocs/admin/prelevement.php @@ -217,7 +217,7 @@ print load_fiche_titre($langs->trans("OrdersModelModule"),'',''); $def = array(); $sql = "SELECT nom"; $sql.= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql.= " WHERE type = '".$type."'"; +$sql.= " WHERE type = '".$db->escape($type)."'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); if ($resql) diff --git a/htdocs/admin/propal.php b/htdocs/admin/propal.php index a0f9adb86d9..843cf0cfd55 100644 --- a/htdocs/admin/propal.php +++ b/htdocs/admin/propal.php @@ -316,7 +316,7 @@ print load_fiche_titre($langs->trans("ProposalsPDFModules"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/reception_setup.php b/htdocs/admin/reception_setup.php index 4c33ee78ef7..60833669753 100644 --- a/htdocs/admin/reception_setup.php +++ b/htdocs/admin/reception_setup.php @@ -301,7 +301,7 @@ $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); diff --git a/htdocs/admin/stock.php b/htdocs/admin/stock.php index 44ae6a82945..61ab031376b 100644 --- a/htdocs/admin/stock.php +++ b/htdocs/admin/stock.php @@ -516,7 +516,7 @@ print load_fiche_titre($langs->trans("WarehouseModelModules"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/supplier_payment.php b/htdocs/admin/supplier_payment.php index 27b3c023fcb..5541b8ff895 100644 --- a/htdocs/admin/supplier_payment.php +++ b/htdocs/admin/supplier_payment.php @@ -179,7 +179,7 @@ print load_fiche_titre($langs->trans("PaymentsNumberingModule"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/supplier_proposal.php b/htdocs/admin/supplier_proposal.php index b0c5c4bff10..f2110687042 100644 --- a/htdocs/admin/supplier_proposal.php +++ b/htdocs/admin/supplier_proposal.php @@ -310,7 +310,7 @@ print load_fiche_titre($langs->trans("SupplierProposalPDFModules"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/user.php b/htdocs/admin/user.php index 25822cd380b..723a4bb0063 100644 --- a/htdocs/admin/user.php +++ b/htdocs/admin/user.php @@ -192,7 +192,7 @@ $dirmodels = array_merge(array('/'), (array) $conf->modules_parts['models']); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/usergroup.php b/htdocs/admin/usergroup.php index d6b66b6fd22..0b372bf3518 100644 --- a/htdocs/admin/usergroup.php +++ b/htdocs/admin/usergroup.php @@ -124,7 +124,7 @@ $form = new Form($db); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/website.php b/htdocs/admin/website.php index 55c7993788c..595848fe232 100644 --- a/htdocs/admin/website.php +++ b/htdocs/admin/website.php @@ -252,7 +252,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) else $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'"; $i++; } - $sql .= " WHERE ".$rowidcol." = '".$rowid."'"; + $sql .= " WHERE ".$rowidcol." = ".((int) $rowid); dol_syslog("actionmodify", LOG_DEBUG); //print $sql; @@ -310,16 +310,16 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete if ($website->id > 0) { - $sql = "DELETE from ".MAIN_DB_PREFIX."website_account WHERE fk_website ='".$rowid."'"; + $sql = "DELETE from ".MAIN_DB_PREFIX."website_account WHERE fk_website = ".((int) $rowid); $result = $db->query($sql); - $sql = "DELETE from ".MAIN_DB_PREFIX."website_page WHERE fk_website ='".$rowid."'"; + $sql = "DELETE from ".MAIN_DB_PREFIX."website_page WHERE fk_website = ".((int) $rowid); $result = $db->query($sql); - $sql = "DELETE from ".MAIN_DB_PREFIX."website_extrafields WHERE fk_object ='".$rowid."'"; + $sql = "DELETE from ".MAIN_DB_PREFIX."website_extrafields WHERE fk_object = ".((int) $rowid); $result = $db->query($sql); - $sql = "DELETE from ".MAIN_DB_PREFIX."website WHERE rowid ='".$rowid."'"; + $sql = "DELETE from ".MAIN_DB_PREFIX."website WHERE rowid = ".((int) $rowid); $result = $db->query($sql); if (!$result) { @@ -346,7 +346,7 @@ if ($action == $acts[0]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET status = 1 WHERE rowid ='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET status = 1 WHERE rowid = ".((int) $rowid); } $result = $db->query($sql); @@ -362,7 +362,7 @@ if ($action == $acts[1]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET status = 0 WHERE rowid ='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET status = 0 WHERE rowid = ".((int) $rowid); } $result = $db->query($sql); From c191dd1a34f41552fa6e017d7855357ba307f071 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 23:27:11 +0200 Subject: [PATCH 102/151] Fix escaping --- htdocs/cashdesk/facturation.php | 4 ++-- htdocs/cashdesk/facturation_dhtml.php | 2 +- htdocs/cashdesk/index_verif.php | 2 +- htdocs/comm/action/class/actioncomm.class.php | 24 +++++++++---------- .../comm/action/class/cactioncomm.class.php | 2 +- htdocs/comm/action/index.php | 2 +- .../mailing/class/advtargetemailing.class.php | 12 +++++----- htdocs/comm/propal/class/propal.class.php | 2 +- 8 files changed, 25 insertions(+), 25 deletions(-) diff --git a/htdocs/cashdesk/facturation.php b/htdocs/cashdesk/facturation.php index e1a42aed012..85347e4c7ff 100644 --- a/htdocs/cashdesk/facturation.php +++ b/htdocs/cashdesk/facturation.php @@ -42,7 +42,7 @@ if (GETPOST('filtre', 'alpha')) { $sql = "SELECT p.rowid, p.ref, p.label, p.tva_tx, p.fk_product_type"; if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= ", ps.reel"; $sql .= " FROM ".MAIN_DB_PREFIX."product as p"; - if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$conf_fkentrepot."'"; + if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$db->escape($conf_fkentrepot)."'"; $sql .= " WHERE p.entity IN (".getEntity('product').")"; $sql .= " AND p.tosell = 1"; if (!$conf->global->CASHDESK_SERVICES) $sql .= " AND p.fk_product_type = 0"; @@ -92,7 +92,7 @@ if (GETPOST('filtre', 'alpha')) { $sql = "SELECT p.rowid, ref, label, tva_tx, p.fk_product_type"; if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= ", ps.reel"; $sql .= " FROM ".MAIN_DB_PREFIX."product as p"; - if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$conf_fkentrepot."'"; + if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$db->escape($conf_fkentrepot)."'"; $sql .= " WHERE p.entity IN (".getEntity('product').")"; $sql .= " AND p.tosell = 1"; if (!$conf->global->CASHDESK_SERVICES) $sql .= " AND p.fk_product_type = 0"; diff --git a/htdocs/cashdesk/facturation_dhtml.php b/htdocs/cashdesk/facturation_dhtml.php index 99e1ed2f942..9ee4bdb856c 100644 --- a/htdocs/cashdesk/facturation_dhtml.php +++ b/htdocs/cashdesk/facturation_dhtml.php @@ -45,7 +45,7 @@ if (dol_strlen($search) >= 0) // If search criteria is on char length at least $sql = "SELECT p.rowid, p.ref, p.label, p.tva_tx"; if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= ", ps.reel"; $sql .= " FROM ".MAIN_DB_PREFIX."product as p"; - if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$conf_fkentrepot."'"; + if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$db->escape($conf_fkentrepot)."'"; $sql .= " WHERE p.entity IN (".getEntity('product').")"; $sql .= " AND p.tosell = 1"; $sql .= " AND p.fk_product_type = 0"; diff --git a/htdocs/cashdesk/index_verif.php b/htdocs/cashdesk/index_verif.php index 204af8f51f7..e8366e981cc 100644 --- a/htdocs/cashdesk/index_verif.php +++ b/htdocs/cashdesk/index_verif.php @@ -89,7 +89,7 @@ if ($retour >= 0) $sql = "SELECT rowid, lastname, firstname"; $sql .= " FROM ".MAIN_DB_PREFIX."user"; - $sql .= " WHERE login = '".$username."'"; + $sql .= " WHERE login = '".$db->escape($username)."'"; $sql .= " AND entity IN (0,".$conf->entity.")"; $result = $db->query($sql); diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php index 7e4a58b07e0..842a41c1a46 100644 --- a/htdocs/comm/action/class/actioncomm.class.php +++ b/htdocs/comm/action/class/actioncomm.class.php @@ -1031,8 +1031,8 @@ class ActionComm extends CommonObject $sql .= ", location = ".($this->location ? "'".$this->db->escape($this->location)."'" : "null"); $sql .= ", transparency = '".$this->db->escape($this->transparency)."'"; $sql .= ", fk_user_mod = ".$user->id; - $sql .= ", fk_user_action=".($userownerid > 0 ? "'".$userownerid."'" : "null"); - $sql .= ", fk_user_done=".($userdoneid > 0 ? "'".$userdoneid."'" : "null"); + $sql .= ", fk_user_action = ".($userownerid > 0 ? "'".$this->db->escape($userownerid)."'" : "null"); + $sql .= ", fk_user_done = ".($userdoneid > 0 ? "'".$this->db->escape($userdoneid)."'" : "null"); if (!empty($this->fk_element)) $sql .= ", fk_element=".($this->fk_element ? $this->db->escape($this->fk_element) : "null"); if (!empty($this->elementtype)) $sql .= ", elementtype=".($this->elementtype ? "'".$this->db->escape($this->elementtype)."'" : "null"); $sql .= " WHERE id=".$this->id; @@ -1127,7 +1127,7 @@ class ActionComm extends CommonObject * Load all objects with filters. * @todo WARNING: This make a fetch on all records instead of making one request with a join. * - * @param DoliDb $db Database handler + * @param DoliDb $db Not used * @param int $socid Filter by thirdparty * @param int $fk_element Id of element action is linked to * @param string $elementtype Type of element action is linked to @@ -1160,32 +1160,32 @@ class ActionComm extends CommonObject $sql .= " element_type = 'socpeople' AND fk_element = ".$fk_element.')'; } else { - $sql .= " AND a.fk_element = ".(int) $fk_element." AND a.elementtype = '".$elementtype."'"; + $sql .= " AND a.fk_element = ".(int) $fk_element." AND a.elementtype = '".$this->db->escape($elementtype)."'"; } } if (!empty($filter)) $sql .= $filter; - if ($sortorder && $sortfield) $sql .= $db->order($sortfield, $sortorder); - $sql .= $db->plimit($limit, 0); + if ($sortorder && $sortfield) $sql .= $this->db->order($sortfield, $sortorder); + $sql .= $this->db->plimit($limit, 0); - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - $num = $db->num_rows($resql); + $num = $this->db->num_rows($resql); if ($num) { for ($i = 0; $i < $num; $i++) { - $obj = $db->fetch_object($resql); - $actioncommstatic = new ActionComm($db); + $obj = $this->db->fetch_object($resql); + $actioncommstatic = new ActionComm($this->db); $actioncommstatic->fetch($obj->id); $resarray[$i] = $actioncommstatic; } } - $db->free($resql); + $this->db->free($resql); return $resarray; } else { - return $db->lasterror(); + return $this->db->lasterror(); } } diff --git a/htdocs/comm/action/class/cactioncomm.class.php b/htdocs/comm/action/class/cactioncomm.class.php index 147a6ff7ef0..6e86a556a1a 100644 --- a/htdocs/comm/action/class/cactioncomm.class.php +++ b/htdocs/comm/action/class/cactioncomm.class.php @@ -139,7 +139,7 @@ class CActionComm $sql .= " FROM ".MAIN_DB_PREFIX."c_actioncomm"; $sql .= " WHERE 1=1"; if ($active != '') $sql .= " AND active=".$active; - if (!empty($excludetype)) $sql .= " AND type <> '".$excludetype."'"; + if (!empty($excludetype)) $sql .= " AND type <> '".$this->db->escape($excludetype)."'"; if ($morefilter) $sql .= " AND ".$morefilter; $sql .= " ORDER BY module, position, type"; diff --git a/htdocs/comm/action/index.php b/htdocs/comm/action/index.php index f4e8487b054..a48dc03aea2 100644 --- a/htdocs/comm/action/index.php +++ b/htdocs/comm/action/index.php @@ -810,7 +810,7 @@ if ($conf->global->AGENDA_SHOW_HOLIDAYS) if ($action == 'show_day') { // Request only leaves for the current selected day - $sql .= " AND '".$year."-".$month."-".$day."' BETWEEN x.date_debut AND x.date_fin"; + $sql .= " AND '".$db->escape($year)."-".$db->escape($month)."-".$db->escape($day)."' BETWEEN x.date_debut AND x.date_fin"; } elseif ($action == 'show_week') { // TODO: Add filter to reduce database request diff --git a/htdocs/comm/mailing/class/advtargetemailing.class.php b/htdocs/comm/mailing/class/advtargetemailing.class.php index bbceba682c0..f82ebec9d6f 100644 --- a/htdocs/comm/mailing/class/advtargetemailing.class.php +++ b/htdocs/comm/mailing/class/advtargetemailing.class.php @@ -567,7 +567,7 @@ class AdvanceTargetingMailing extends CommonObject if (($extrafields->attributes[$elementtype]['type'][$key] == 'varchar') || ($extrafields->attributes[$elementtype]['type'][$key] == 'text')) { if (!empty($arrayquery['options_'.$key])) { - $sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key]."')"; + $sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')"; } } elseif (($extrafields->attributes[$elementtype]['type'][$key] == 'int') || ($extrafields->attributes[$elementtype]['type'][$key] == 'double')) { @@ -587,7 +587,7 @@ class AdvanceTargetingMailing extends CommonObject if (is_array($arrayquery['options_'.$key])) { $sqlwhere[] = " (te.".$key." IN ('".implode("','", $arrayquery['options_'.$key])."'))"; } elseif (!empty($arrayquery['options_'.$key])) { - $sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key]."')"; + $sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')"; } } } @@ -708,7 +708,7 @@ class AdvanceTargetingMailing extends CommonObject if (($extrafields->attributes[$elementtype]['type'][$key] == 'varchar') || ($extrafields->attributes[$elementtype]['type'][$key] == 'text')) { if (!empty($arrayquery['options_'.$key.'_cnct'])) { - $sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key.'_cnct']."')"; + $sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key.'_cnct'])."')"; } } elseif (($extrafields->attributes[$elementtype]['type'][$key] == 'int') || ($extrafields->attributes[$elementtype]['type'][$key] == 'double')) { @@ -732,7 +732,7 @@ class AdvanceTargetingMailing extends CommonObject if (is_array($arrayquery['options_'.$key.'_cnct'])) { $sqlwhere[] = " (te.".$key." IN ('".implode("','", $arrayquery['options_'.$key.'_cnct'])."'))"; } elseif (!empty($arrayquery['options_'.$key.'_cnct'])) { - $sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key.'_cnct']."')"; + $sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key.'_cnct'])."')"; } } } @@ -810,7 +810,7 @@ class AdvanceTargetingMailing extends CommonObject if (($extrafields->attributes[$elementtype]['type'][$key] == 'varchar') || ($extrafields->attributes[$elementtype]['type'][$key] == 'text')) { if (!empty($arrayquery['options_'.$key])) { - $sqlwhere[] = " (tse.".$key." LIKE '".$arrayquery['options_'.$key]."')"; + $sqlwhere[] = " (tse.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')"; } } elseif (($extrafields->attributes[$elementtype]['type'][$key] == 'int') || ($extrafields->attributes[$elementtype]['type'][$key] == 'double')) { @@ -830,7 +830,7 @@ class AdvanceTargetingMailing extends CommonObject if (is_array($arrayquery['options_'.$key])) { $sqlwhere[] = " (tse.".$key." IN ('".implode("','", $arrayquery['options_'.$key])."'))"; } elseif (!empty($arrayquery['options_'.$key])) { - $sqlwhere[] = " (tse.".$key." LIKE '".$arrayquery['options_'.$key]."')"; + $sqlwhere[] = " (tse.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')"; } } } diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php index 0712346f927..7e34ac6fc3c 100644 --- a/htdocs/comm/propal/class/propal.class.php +++ b/htdocs/comm/propal/class/propal.class.php @@ -1061,7 +1061,7 @@ class Propal extends CommonObject $sql .= ", '".$this->db->idate($this->date)."'"; $sql .= ", '".$this->db->idate($now)."'"; $sql .= ", '(PROV)'"; - $sql .= ", ".($user->id > 0 ? "'".$user->id."'" : "NULL"); + $sql .= ", ".($user->id > 0 ? "'".$this->db->escape($user->id)."'" : "NULL"); $sql .= ", '".$this->db->escape($this->note_private)."'"; $sql .= ", '".$this->db->escape($this->note_public)."'"; $sql .= ", '".$this->db->escape($this->model_pdf)."'"; From 216b3c885d00491bdf0a705d69cff47da0af8478 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 23:30:29 +0200 Subject: [PATCH 103/151] Fix escaping --- htdocs/adherents/class/api_members.class.php | 14 +-- .../class/api_memberstypes.class.php | 12 +-- .../class/api_subscriptions.class.php | 12 +-- htdocs/admin/menus/edit.php | 7 +- htdocs/api/class/api_access.class.php | 24 +++-- htdocs/bom/class/api_boms.class.php | 14 +-- .../categories/class/api_categories.class.php | 14 +-- .../action/class/api_agendaevents.class.php | 14 +-- .../comm/propal/class/api_proposals.class.php | 14 +-- htdocs/comm/propal/list.php | 2 +- htdocs/comm/propal/stats/index.php | 2 +- htdocs/commande/card.php | 2 +- htdocs/commande/class/api_orders.class.php | 14 +-- htdocs/commande/class/commande.class.php | 2 +- htdocs/commande/orderstoinvoice.php | 4 +- htdocs/commande/stats/index.php | 4 +- htdocs/compta/bank/class/account.class.php | 20 ++--- .../bank/class/paymentvarious.class.php | 2 +- htdocs/compta/bank/graph.php | 28 +++--- htdocs/compta/bank/line.php | 14 +-- htdocs/compta/cashcontrol/report.php | 4 +- htdocs/compta/clients.php | 2 +- .../class/deplacementstats.class.php | 4 +- htdocs/compta/facture/card.php | 2 +- .../facture/class/api_invoices.class.php | 14 +-- .../facture/class/facture-rec.class.php | 34 +++---- htdocs/compta/facture/class/facture.class.php | 6 +- htdocs/compta/facture/stats/index.php | 4 +- htdocs/compta/journal/purchasesjournal.php | 2 +- htdocs/compta/journal/sellsjournal.php | 2 +- htdocs/compta/paiement/cheque/card.php | 4 +- .../cheque/class/remisecheque.class.php | 10 +-- .../compta/paiement/class/paiement.class.php | 2 +- .../class/bonprelevement.class.php | 20 ++--- htdocs/compta/sociales/list.php | 4 +- htdocs/compta/tva/class/tva.class.php | 6 +- htdocs/contact/class/contact.class.php | 2 +- htdocs/contrat/class/api_contracts.class.php | 14 +-- htdocs/contrat/class/contrat.class.php | 16 ++-- htdocs/core/class/comment.class.php | 10 +-- htdocs/core/class/html.form.class.php | 26 +++--- .../core/class/html.formaccounting.class.php | 8 +- htdocs/core/class/html.formcontract.class.php | 10 +-- .../class/html.formintervention.class.php | 10 +-- htdocs/core/class/html.formmargin.class.php | 2 +- htdocs/core/class/html.formother.class.php | 4 +- .../class/html.formsocialcontrib.class.php | 8 +- htdocs/core/class/infobox.class.php | 1 + htdocs/core/class/interfaces.class.php | 3 +- htdocs/core/class/utils.class.php | 2 +- htdocs/core/lib/functions.lib.php | 2 +- .../core/triggers/dolibarrtriggers.class.php | 1 - htdocs/don/class/api_donations.class.php | 14 +-- .../expedition/class/api_shipments.class.php | 14 +-- .../class/api_expensereports.class.php | 14 +-- .../class/api_interventions.class.php | 14 +-- .../class/api_supplier_invoices.class.php | 14 +-- .../fourn/class/api_supplier_orders.class.php | 14 +-- htdocs/index.php | 2 +- .../template/class/api_mymodule.class.php | 16 ++-- htdocs/mrp/class/api_mos.class.php | 14 +-- htdocs/product/admin/product_tools.php | 4 +- htdocs/product/class/api_products.class.php | 32 +++---- .../stock/class/api_stockmovements.class.php | 14 +-- .../stock/class/api_warehouses.class.php | 16 ++-- htdocs/projet/class/api_projects.class.php | 16 ++-- htdocs/projet/class/api_tasks.class.php | 14 +-- htdocs/societe/class/api_contacts.class.php | 14 +-- .../societe/class/api_thirdparties.class.php | 90 +++++++++---------- .../class/api_supplier_proposals.class.php | 14 +-- htdocs/ticket/class/api_tickets.class.php | 10 +-- htdocs/user/class/api_users.class.php | 28 +++--- .../class/ProductCombination.class.php | 30 +++---- htdocs/zapier/class/api_zapier.class.php | 14 +-- test/phpunit/CodingPhpTest.php | 52 +++++++++-- 75 files changed, 486 insertions(+), 436 deletions(-) diff --git a/htdocs/adherents/class/api_members.class.php b/htdocs/adherents/class/api_members.class.php index 990e21dd08b..230b839f726 100644 --- a/htdocs/adherents/class/api_members.class.php +++ b/htdocs/adherents/class/api_members.class.php @@ -227,7 +227,7 @@ class Members extends DolibarrApi } // Select members of given category if ($category > 0) { - $sql .= " AND c.fk_categorie = ".$db->escape($category); + $sql .= " AND c.fk_categorie = ".$this->db->escape($category); $sql .= " AND c.fk_member = t.rowid "; } // Add sql filters @@ -239,23 +239,23 @@ class Members extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { $page = 0; } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $member = new Adherent($this->db); if ($member->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($member); @@ -263,7 +263,7 @@ class Members extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve member list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve member list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No member found'); diff --git a/htdocs/adherents/class/api_memberstypes.class.php b/htdocs/adherents/class/api_memberstypes.class.php index a5923914187..682fb9d707c 100644 --- a/htdocs/adherents/class/api_memberstypes.class.php +++ b/htdocs/adherents/class/api_memberstypes.class.php @@ -109,23 +109,23 @@ class MembersTypes extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { $page = 0; } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $membertype = new AdherentType($this->db); if ($membertype->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($membertype); @@ -133,7 +133,7 @@ class MembersTypes extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve member type list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve member type list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No member type found'); diff --git a/htdocs/adherents/class/api_subscriptions.class.php b/htdocs/adherents/class/api_subscriptions.class.php index 502a855657c..d5adbb0bc5b 100644 --- a/htdocs/adherents/class/api_subscriptions.class.php +++ b/htdocs/adherents/class/api_subscriptions.class.php @@ -107,22 +107,22 @@ class Subscriptions extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { $page = 0; } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); while ($i < min($limit, $num)) { - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $subscription = new Subscription($this->db); if ($subscription->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($subscription); @@ -130,7 +130,7 @@ class Subscriptions extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve subscription list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve subscription list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No Subscription found'); diff --git a/htdocs/admin/menus/edit.php b/htdocs/admin/menus/edit.php index fbed05a1dbe..92373d7c01e 100644 --- a/htdocs/admin/menus/edit.php +++ b/htdocs/admin/menus/edit.php @@ -233,24 +233,25 @@ if ($action == 'add') // delete if ($action == 'confirm_delete' && $_POST["confirm"] == 'yes') { - $this->db->begin(); + $db->begin(); $sql = "DELETE FROM ".MAIN_DB_PREFIX."menu WHERE rowid = ".GETPOST('menuId', 'int'); $result = $db->query($sql); if ($result == 0) { - $this->db->commit(); + $db->commit(); llxHeader(); setEventMessages($langs->trans("MenuDeleted"), null, 'mesgs'); llxFooter(); exit; } else { - $this->db->rollback(); + $db->rollback(); $reload = 0; $_GET["action"] = ''; + $action = ''; } } diff --git a/htdocs/api/class/api_access.class.php b/htdocs/api/class/api_access.class.php index a6d0d72b8de..84f7bf303e7 100644 --- a/htdocs/api/class/api_access.class.php +++ b/htdocs/api/class/api_access.class.php @@ -59,6 +59,16 @@ class DolibarrApiAccess implements iAuthenticate */ public static $user = ''; + + /** + * Constructor + */ + public function __construct() + { + global $db; + $this->db = $db; + } + // phpcs:disable PEAR.NamingConventions.ValidFunctionName /** * Check access @@ -107,15 +117,15 @@ class DolibarrApiAccess implements iAuthenticate $sql = "SELECT u.login, u.datec, u.api_key, "; $sql .= " u.tms as date_modification, u.entity"; $sql .= " FROM ".MAIN_DB_PREFIX."user as u"; - $sql .= " WHERE u.api_key = '".$db->escape($api_key)."'"; + $sql .= " WHERE u.api_key = '".$this->db->escape($api_key)."'"; // TODO Check if 2 users has same API key. - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - if ($db->num_rows($result)) + if ($this->db->num_rows($result)) { - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $login = $obj->login; $stored_key = $obj->api_key; $userentity = $obj->entity; @@ -125,11 +135,11 @@ class DolibarrApiAccess implements iAuthenticate $conf->entity = ($obj->entity ? $obj->entity : 1); // We must also reload global conf to get params from the entity dol_syslog("Entity was not set on http header with HTTP_DOLAPIENTITY (recommanded for performance purpose), so we switch now on entity of user (".$conf->entity.") and we have to reload configuration.", LOG_WARNING); - $conf->setValues($db); + $conf->setValues($this->db); } } } else { - throw new RestException(503, 'Error when fetching user api_key :'.$db->error_msg); + throw new RestException(503, 'Error when fetching user api_key :'.$this->db->error_msg); } if ($stored_key != $api_key) { // This should not happen since we did a search on api_key @@ -141,7 +151,7 @@ class DolibarrApiAccess implements iAuthenticate { throw new RestException(503, 'Error when searching login user from api key'); } - $fuser = new User($db); + $fuser = new User($this->db); $result = $fuser->fetch('', $login, '', 0, (empty($userentity) ? -1 : $conf->entity)); // If user is not entity 0, we search in working entity $conf->entity (that may have been forced to a different value than user entity) if ($result <= 0) { throw new RestException(503, 'Error when fetching user :'.$fuser->error.' (conf->entity='.$conf->entity.')'); diff --git a/htdocs/bom/class/api_boms.class.php b/htdocs/bom/class/api_boms.class.php index a6295d12589..b9123b8c226 100644 --- a/htdocs/bom/class/api_boms.class.php +++ b/htdocs/bom/class/api_boms.class.php @@ -99,7 +99,7 @@ class Boms extends DolibarrApi global $db, $conf; $obj_ret = array(); - $tmpobject = new BOM($db); + $tmpobject = new BOM($this->db); $socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : ''; @@ -139,7 +139,7 @@ class Boms extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -147,18 +147,18 @@ class Boms extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $i = 0; while ($i < $num) { - $obj = $db->fetch_object($result); - $bom_static = new BOM($db); + $obj = $this->db->fetch_object($result); + $bom_static = new BOM($this->db); if ($bom_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($bom_static); } diff --git a/htdocs/categories/class/api_categories.class.php b/htdocs/categories/class/api_categories.class.php index 4a84a25e5ca..5f0a28340f9 100644 --- a/htdocs/categories/class/api_categories.class.php +++ b/htdocs/categories/class/api_categories.class.php @@ -155,7 +155,7 @@ class Categories extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -163,19 +163,19 @@ class Categories extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); - $category_static = new Categorie($db); + $obj = $this->db->fetch_object($result); + $category_static = new Categorie($this->db); if ($category_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($category_static); } @@ -183,7 +183,7 @@ class Categories extends DolibarrApi } } else { - throw new RestException(503, 'Error when retrieve category list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve category list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No category found'); diff --git a/htdocs/comm/action/class/api_agendaevents.class.php b/htdocs/comm/action/class/api_agendaevents.class.php index 43d880b3866..473c87e22a0 100644 --- a/htdocs/comm/action/class/api_agendaevents.class.php +++ b/htdocs/comm/action/class/api_agendaevents.class.php @@ -148,7 +148,7 @@ class AgendaEvents extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -156,27 +156,27 @@ class AgendaEvents extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); - $actioncomm_static = new ActionComm($db); + $obj = $this->db->fetch_object($result); + $actioncomm_static = new ActionComm($this->db); if ($actioncomm_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($actioncomm_static); } $i++; } } else { - throw new RestException(503, 'Error when retrieve Agenda Event list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve Agenda Event list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No Agenda Event found'); diff --git a/htdocs/comm/propal/class/api_proposals.class.php b/htdocs/comm/propal/class/api_proposals.class.php index 8efc4aa5c19..0f157396f35 100644 --- a/htdocs/comm/propal/class/api_proposals.class.php +++ b/htdocs/comm/propal/class/api_proposals.class.php @@ -190,7 +190,7 @@ class Proposals extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -198,21 +198,21 @@ class Proposals extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } dol_syslog("API Rest request"); - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); $i = 0; while ($i < $min) { - $obj = $db->fetch_object($result); - $proposal_static = new Propal($db); + $obj = $this->db->fetch_object($result); + $proposal_static = new Propal($this->db); if ($proposal_static->fetch($obj->rowid)) { // Add external contacts ids $proposal_static->contacts_ids = $proposal_static->liste_contact(-1, 'external', 1); @@ -221,7 +221,7 @@ class Proposals extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve propal list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve propal list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No proposal found'); diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php index d4bf2e392f3..074d00443bd 100644 --- a/htdocs/comm/propal/list.php +++ b/htdocs/comm/propal/list.php @@ -361,7 +361,7 @@ if ($search_product_category > 0) $sql .= " AND cp.fk_categorie = ".$db->escape( if ($socid > 0) $sql .= ' AND s.rowid = '.$socid; if ($search_status != '' && $search_status != '-1') { - $sql .= ' AND p.fk_statut IN ('.$this->db->sanitize($db->escape($search_status)).')'; + $sql .= ' AND p.fk_statut IN ('.$db->sanitize($db->escape($search_status)).')'; } if ($search_date_start) $sql .= " AND p.datep >= '".$db->idate($search_date_start)."'"; if ($search_date_end) $sql .= " AND p.datep <= '".$db->idate($search_date_end)."'"; diff --git a/htdocs/comm/propal/stats/index.php b/htdocs/comm/propal/stats/index.php index 6cf14e92d50..49e1141fec1 100644 --- a/htdocs/comm/propal/stats/index.php +++ b/htdocs/comm/propal/stats/index.php @@ -101,7 +101,7 @@ dol_mkdir($dir); $stats = new PropaleStats($db, $socid, ($userid > 0 ? $userid : 0), $mode, ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0)); -if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND p.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')'; +if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND p.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; // Build graphic number of object $data = $stats->getNbByMonthWithPrevYear($endyear, $startyear); diff --git a/htdocs/commande/card.php b/htdocs/commande/card.php index d48e990e7e8..b447a00c404 100644 --- a/htdocs/commande/card.php +++ b/htdocs/commande/card.php @@ -417,7 +417,7 @@ if (empty($reshook)) $originidforcontact=$srcobject->origin_id; } $sqlcontact = "SELECT code, fk_socpeople FROM ".MAIN_DB_PREFIX."element_contact as ec, ".MAIN_DB_PREFIX."c_type_contact as ctc"; - $sqlcontact.= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$originforcontact."'"; + $sqlcontact.= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$db->escape($originforcontact)."'"; $resqlcontact = $db->query($sqlcontact); if ($resqlcontact) diff --git a/htdocs/commande/class/api_orders.class.php b/htdocs/commande/class/api_orders.class.php index f62c00ee81b..2202ad5b67e 100644 --- a/htdocs/commande/class/api_orders.class.php +++ b/htdocs/commande/class/api_orders.class.php @@ -193,7 +193,7 @@ class Orders extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -201,21 +201,21 @@ class Orders extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } dol_syslog("API Rest request"); - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); $i = 0; while ($i < $min) { - $obj = $db->fetch_object($result); - $commande_static = new Commande($db); + $obj = $this->db->fetch_object($result); + $commande_static = new Commande($this->db); if ($commande_static->fetch($obj->rowid)) { // Add external contacts ids $commande_static->contacts_ids = $commande_static->liste_contact(-1, 'external', 1); @@ -224,7 +224,7 @@ class Orders extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve commande list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve commande list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No order found'); diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php index 1bd919fd470..5c314226214 100644 --- a/htdocs/commande/class/commande.class.php +++ b/htdocs/commande/class/commande.class.php @@ -1122,7 +1122,7 @@ class Commande extends CommonOrder } $sqlcontact = "SELECT ctc.code, ctc.source, ec.fk_socpeople FROM ".MAIN_DB_PREFIX."element_contact as ec, ".MAIN_DB_PREFIX."c_type_contact as ctc"; - $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$originforcontact."'"; + $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$this->db->escape($originforcontact)."'"; $resqlcontact = $this->db->query($sqlcontact); if ($resqlcontact) diff --git a/htdocs/commande/orderstoinvoice.php b/htdocs/commande/orderstoinvoice.php index 7b8e31ce7a4..a4d4ed07dee 100644 --- a/htdocs/commande/orderstoinvoice.php +++ b/htdocs/commande/orderstoinvoice.php @@ -199,9 +199,9 @@ if (($action == 'create' || $action == 'add') && !$error) $sql .= ", targettype"; $sql .= ") VALUES ("; $sql .= $origin_id; - $sql .= ", '".$object->origin."'"; + $sql .= ", '".$db->escape($object->origin)."'"; $sql .= ", ".$id; - $sql .= ", '".$object->element."'"; + $sql .= ", '".$db->escape($object->element)."'"; $sql .= ")"; if ($db->query($sql)) diff --git a/htdocs/commande/stats/index.php b/htdocs/commande/stats/index.php index 8ef736ca333..346b5549bfd 100644 --- a/htdocs/commande/stats/index.php +++ b/htdocs/commande/stats/index.php @@ -94,11 +94,11 @@ dol_mkdir($dir); $stats = new CommandeStats($db, $socid, $mode, ($userid > 0 ? $userid : 0), ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0)); if ($mode == 'customer') { - if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND c.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')'; + if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND c.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; } if ($mode == 'supplier') { - if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND c.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')'; + if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND c.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; } diff --git a/htdocs/compta/bank/class/account.class.php b/htdocs/compta/bank/class/account.class.php index 4ce4ef3bb3b..675e462047f 100644 --- a/htdocs/compta/bank/class/account.class.php +++ b/htdocs/compta/bank/class/account.class.php @@ -390,11 +390,11 @@ class Account extends CommonObject $sql .= ", label"; $sql .= ", type"; $sql .= ") VALUES ("; - $sql .= "'".$line_id."'"; - $sql .= ", '".$url_id."'"; - $sql .= ", '".$url."'"; + $sql .= " ".((int) $line_id); + $sql .= ", '".$this->db->escape($url_id)."'"; + $sql .= ", '".$this->db->escape($url)."'"; $sql .= ", '".$this->db->escape($label)."'"; - $sql .= ", '".$type."'"; + $sql .= ", '".$this->db->escape($type)."'"; $sql .= ")"; dol_syslog(get_class($this)."::add_url_line", LOG_DEBUG); @@ -434,7 +434,7 @@ class Account extends CommonObject $sql .= " FROM ".MAIN_DB_PREFIX."bank_url"; if ($fk_bank > 0) { $sql .= " WHERE fk_bank = ".$fk_bank; - } else { $sql .= " WHERE url_id = ".$url_id." AND type = '".$type."'"; + } else { $sql .= " WHERE url_id = ".$url_id." AND type = '".$this->db->escape($type)."'"; } $sql .= " ORDER BY type, label"; @@ -1315,7 +1315,7 @@ class Account extends CommonObject * * @return int Nb of account we can reconciliate */ - public static function countAccountToReconcile() + public function countAccountToReconcile() { global $db, $conf, $user; @@ -1331,12 +1331,12 @@ class Account extends CommonObject $sql .= " WHERE ba.rappro > 0 and ba.clos = 0"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; if (empty($conf->global->BANK_CAN_RECONCILIATE_CASHACCOUNT)) $sql .= " AND ba.courant != 2"; - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - $obj = $db->fetch_object($resql); + $obj = $this->db->fetch_object($resql); $nb = $obj->nb; - } else dol_print_error($db); + } else dol_print_error($this->db); return $nb; } @@ -2421,7 +2421,7 @@ class AccountLine extends CommonObject $type = 'bank'; - $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$type."' AND ab.fk_doc = ".$this->id; + $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$this->db->escape($type)."' AND ab.fk_doc = ".$this->id; $resql = $this->db->query($sql); if ($resql) { diff --git a/htdocs/compta/bank/class/paymentvarious.class.php b/htdocs/compta/bank/class/paymentvarious.class.php index bfb522b6e3a..14466915d76 100644 --- a/htdocs/compta/bank/class/paymentvarious.class.php +++ b/htdocs/compta/bank/class/paymentvarious.class.php @@ -710,7 +710,7 @@ class PaymentVarious extends CommonObject $type = 'bank'; - $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$type."' AND ab.fk_doc = ".$banklineid; + $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$this->db->escape($type)."' AND ab.fk_doc = ".$banklineid; $resql = $this->db->query($sql); if ($resql) { diff --git a/htdocs/compta/bank/graph.php b/htdocs/compta/bank/graph.php index 296211bf35c..686122f4d56 100644 --- a/htdocs/compta/bank/graph.php +++ b/htdocs/compta/bank/graph.php @@ -130,8 +130,8 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev >= '".$year."-".$month."-01 00:00:00'"; - $sql .= " AND b.datev < '".$yearnext."-".$monthnext."-01 00:00:00'"; + $sql .= " AND b.datev >= '".$db->escape($year)."-".$db->escape($month)."-01 00:00:00'"; + $sql .= " AND b.datev < '".$db->escape($yearnext)."-".$db->escape($monthnext)."-01 00:00:00'"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $sql .= " GROUP BY date_format(b.datev,'%Y%m%d')"; @@ -159,7 +159,7 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev < '".$year."-".sprintf("%02s", $month)."-01'"; + $sql .= " AND b.datev < '".$db->escape($year)."-".sprintf("%02s", $month)."-01'"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $resql = $db->query($sql); @@ -267,8 +267,8 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev >= '".$year."-01-01 00:00:00'"; - $sql .= " AND b.datev <= '".$year."-12-31 23:59:59'"; + $sql .= " AND b.datev >= '".$db->escape($year)."-01-01 00:00:00'"; + $sql .= " AND b.datev <= '".$db->escape($year)."-12-31 23:59:59'"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $sql .= " GROUP BY date_format(b.datev,'%Y%m%d')"; @@ -296,7 +296,7 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev < '".$year."-01-01'"; + $sql .= " AND b.datev < '".$db->escape($year)."-01-01'"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $resql = $db->query($sql); @@ -519,8 +519,8 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev >= '".$year."-".$month."-01 00:00:00'"; - $sql .= " AND b.datev < '".$yearnext."-".$monthnext."-01 00:00:00'"; + $sql .= " AND b.datev >= '".$db->escape($year)."-".$db->escape($month)."-01 00:00:00'"; + $sql .= " AND b.datev < '".$db->escape($yearnext)."-".$db->escape($monthnext)."-01 00:00:00'"; $sql .= " AND b.amount > 0"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $sql .= " GROUP BY date_format(b.datev,'%d')"; @@ -555,8 +555,8 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev >= '".$year."-".$month."-01 00:00:00'"; - $sql .= " AND b.datev < '".$yearnext."-".$monthnext."-01 00:00:00'"; + $sql .= " AND b.datev >= '".$db->escape($year)."-".$db->escape($month)."-01 00:00:00'"; + $sql .= " AND b.datev < '".$db->escape($yearnext)."-".$db->escape($monthnext)."-01 00:00:00'"; $sql .= " AND b.amount < 0"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $sql .= " GROUP BY date_format(b.datev,'%d')"; @@ -632,8 +632,8 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev >= '".$year."-01-01 00:00:00'"; - $sql .= " AND b.datev <= '".$year."-12-31 23:59:59'"; + $sql .= " AND b.datev >= '".$db->escape($year)."-01-01 00:00:00'"; + $sql .= " AND b.datev <= '".$db->escape($year)."-12-31 23:59:59'"; $sql .= " AND b.amount > 0"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $sql .= " GROUP BY date_format(b.datev,'%m');"; @@ -659,8 +659,8 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev >= '".$year."-01-01 00:00:00'"; - $sql .= " AND b.datev <= '".$year."-12-31 23:59:59'"; + $sql .= " AND b.datev >= '".$db->escape($year)."-01-01 00:00:00'"; + $sql .= " AND b.datev <= '".$db->escape($year)."-12-31 23:59:59'"; $sql .= " AND b.amount < 0"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $sql .= " GROUP BY date_format(b.datev,'%m')"; diff --git a/htdocs/compta/bank/line.php b/htdocs/compta/bank/line.php index 0da5a557647..2677f8d8c3f 100644 --- a/htdocs/compta/bank/line.php +++ b/htdocs/compta/bank/line.php @@ -138,15 +138,15 @@ if ($user->rights->banque->modifier && $action == "update") $sql = "UPDATE ".MAIN_DB_PREFIX."bank"; $sql .= " SET "; // Always opened - if (isset($_POST['value'])) $sql .= " fk_type='".$db->escape($_POST['value'])."',"; - if (isset($_POST['num_chq'])) $sql .= " num_chq='".$db->escape($_POST["num_chq"])."',"; - if (isset($_POST['banque'])) $sql .= " banque='".$db->escape($_POST["banque"])."',"; - if (isset($_POST['emetteur'])) $sql .= " emetteur='".$db->escape($_POST["emetteur"])."',"; + if (isset($_POST['value'])) $sql .= " fk_type='".$db->escape(GETPOST('value'))."',"; + if (isset($_POST['num_chq'])) $sql .= " num_chq='".$db->escape(GETPOST("num_chq"))."',"; + if (isset($_POST['banque'])) $sql .= " banque='".$db->escape(GETPOST("banque"))."',"; + if (isset($_POST['emetteur'])) $sql .= " emetteur='".$db->escape(GETPOST("emetteur"))."',"; // Blocked when conciliated if (!$acline->rappro) { - if (isset($_POST['label'])) $sql .= " label='".$db->escape($_POST["label"])."',"; - if (isset($_POST['amount'])) $sql .= " amount='".$amount."',"; + if (isset($_POST['label'])) $sql .= " label = '".$db->escape(GETPOST("label"))."',"; + if (isset($_POST['amount'])) $sql .= " amount= '".$db->escape($amount)."',"; if (isset($_POST['dateomonth'])) $sql .= " dateo = '".$db->idate($dateop)."',"; if (isset($_POST['datevmonth'])) $sql .= " datev = '".$db->idate($dateval)."',"; } @@ -212,7 +212,7 @@ if ($user->rights->banque->consolidate && ($action == 'num_releve' || $action == $db->begin(); $sql = "UPDATE ".MAIN_DB_PREFIX."bank"; - $sql .= " SET num_releve=".($num_rel ? "'".$num_rel."'" : "null"); + $sql .= " SET num_releve=".($num_rel ? "'".$db->escape($num_rel)."'" : "null"); if (empty($num_rel)) $sql .= ", rappro = 0"; else $sql .= ", rappro = ".$rappro; $sql .= " WHERE rowid = ".$rowid; diff --git a/htdocs/compta/cashcontrol/report.php b/htdocs/compta/cashcontrol/report.php index f2d8e38fb15..02299788794 100644 --- a/htdocs/compta/cashcontrol/report.php +++ b/htdocs/compta/cashcontrol/report.php @@ -297,8 +297,8 @@ if ($resql) /* $sql = "UPDATE ".MAIN_DB_PREFIX."pos_cash_fence "; $sql .= "SET"; - $sql .= " cash='".$cash."'"; - $sql .= ", card='".$bank."'"; + $sql .= " cash='".$db->escape($cash)."'"; + $sql .= ", card='".$db->escape($bank)."'"; $sql .= " where rowid=".$id; $db->query($sql); */ diff --git a/htdocs/compta/clients.php b/htdocs/compta/clients.php index 5632e8ebc1a..1b4e86bbb4c 100644 --- a/htdocs/compta/clients.php +++ b/htdocs/compta/clients.php @@ -66,7 +66,7 @@ $thirdpartystatic = new Societe($db); if ($action == 'note') { - $sql = "UPDATE ".MAIN_DB_PREFIX."societe SET note='".$note."' WHERE rowid=".$socid; + $sql = "UPDATE ".MAIN_DB_PREFIX."societe SET note='".$db->escape($note)."' WHERE rowid=".$socid; $result = $db->query($sql); } diff --git a/htdocs/compta/deplacement/class/deplacementstats.class.php b/htdocs/compta/deplacement/class/deplacementstats.class.php index 6fdd54095a2..953ee78a3d6 100644 --- a/htdocs/compta/deplacement/class/deplacementstats.class.php +++ b/htdocs/compta/deplacement/class/deplacementstats.class.php @@ -122,7 +122,7 @@ class DeplacementStats extends Stats { $sql = "SELECT date_format(dated,'%m') as dm, sum(".$this->field.")"; $sql .= " FROM ".$this->from; - $sql .= " WHERE date_format(dated,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(dated,'%Y') = '".$this->db->escape($year)."'"; $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); @@ -142,7 +142,7 @@ class DeplacementStats extends Stats { $sql = "SELECT date_format(dated,'%m') as dm, avg(".$this->field.")"; $sql .= " FROM ".$this->from; - $sql .= " WHERE date_format(dated,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(dated,'%Y') = '".$this->db->escape($year)."'"; $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); diff --git a/htdocs/compta/facture/card.php b/htdocs/compta/facture/card.php index b19ee852db6..87a3a3c8be2 100644 --- a/htdocs/compta/facture/card.php +++ b/htdocs/compta/facture/card.php @@ -1664,7 +1664,7 @@ if (empty($reshook)) $originidforcontact=$srcobject->origin_id; } $sqlcontact = "SELECT code, fk_socpeople FROM ".MAIN_DB_PREFIX."element_contact as ec, ".MAIN_DB_PREFIX."c_type_contact as ctc"; - $sqlcontact.= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$originforcontact."'"; + $sqlcontact.= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$db->escape($originforcontact)."'"; $resqlcontact = $db->query($sqlcontact); if ($resqlcontact) diff --git a/htdocs/compta/facture/class/api_invoices.class.php b/htdocs/compta/facture/class/api_invoices.class.php index 1828493d89f..cc1b7fe57ed 100644 --- a/htdocs/compta/facture/class/api_invoices.class.php +++ b/htdocs/compta/facture/class/api_invoices.class.php @@ -207,7 +207,7 @@ class Invoices extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) @@ -216,19 +216,19 @@ class Invoices extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); - $invoice_static = new Facture($db); + $obj = $this->db->fetch_object($result); + $invoice_static = new Facture($this->db); if ($invoice_static->fetch($obj->rowid)) { // Get payment details @@ -245,7 +245,7 @@ class Invoices extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve invoice list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve invoice list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No invoice found'); diff --git a/htdocs/compta/facture/class/facture-rec.class.php b/htdocs/compta/facture/class/facture-rec.class.php index c5e93bc41ad..67dd4e304ea 100644 --- a/htdocs/compta/facture/class/facture-rec.class.php +++ b/htdocs/compta/facture/class/facture-rec.class.php @@ -277,8 +277,8 @@ class FactureRec extends CommonInvoice $sql .= ", ".(!empty($this->note_public) ? ("'".$this->db->escape($this->note_public)."'") : "NULL"); $sql .= ", ".(!empty($this->modelpdf) ? ("'".$this->db->escape($this->modelpdf)."'") : "NULL"); $sql .= ", '".$this->db->escape($user->id)."'"; - $sql .= ", ".(!empty($facsrc->fk_project) ? "'".$facsrc->fk_project."'" : "null"); - $sql .= ", ".(!empty($facsrc->fk_account) ? "'".$facsrc->fk_account."'" : "null"); + $sql .= ", ".(!empty($facsrc->fk_project) ? "'".$this->db->escape($facsrc->fk_project)."'" : "null"); + $sql .= ", ".(!empty($facsrc->fk_account) ? "'".$this->db->escape($facsrc->fk_account)."'" : "null"); $sql .= ", ".($facsrc->cond_reglement_id > 0 ? $this->db->escape($facsrc->cond_reglement_id) : "null"); $sql .= ", ".($facsrc->mode_reglement_id > 0 ? $this->db->escape($facsrc->mode_reglement_id) : "null"); $sql .= ", ".$this->usenewprice; @@ -921,7 +921,7 @@ class FactureRec extends CommonInvoice $sql .= ", fk_unit"; $sql .= ', fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc'; $sql .= ") VALUES ("; - $sql .= "'".$facid."'"; + $sql .= " ".((int) $facid); $sql .= ", ".(!empty($label) ? "'".$this->db->escape($label)."'" : "null"); $sql .= ", '".$this->db->escape($desc)."'"; $sql .= ", ".price2num($pu_ht); @@ -932,7 +932,7 @@ class FactureRec extends CommonInvoice $sql .= ", '".$this->db->escape($localtaxes_type[0])."'"; $sql .= ", ".price2num($txlocaltax2); $sql .= ", '".$this->db->escape($localtaxes_type[2])."'"; - $sql .= ", ".(!empty($fk_product) ? "'".$fk_product."'" : "null"); + $sql .= ", ".(!empty($fk_product) ? "'".$this->db->escape($fk_product)."'" : "null"); $sql .= ", ".$product_type; $sql .= ", ".price2num($remise_percent); $sql .= ", ".price2num($pu_ht); @@ -1083,7 +1083,7 @@ class FactureRec extends CommonInvoice } $sql = "UPDATE ".MAIN_DB_PREFIX."facturedet_rec SET "; - $sql .= "fk_facture = '".$facid."'"; + $sql .= "fk_facture = ".((int) $facid); $sql .= ", label=".(!empty($label) ? "'".$this->db->escape($label)."'" : "null"); $sql .= ", description='".$this->db->escape($desc)."'"; $sql .= ", price=".price2num($pu_ht); @@ -1094,7 +1094,7 @@ class FactureRec extends CommonInvoice $sql .= ", localtax1_type='".$this->db->escape($localtaxes_type[0])."'"; $sql .= ", localtax2_tx=".$txlocaltax2; $sql .= ", localtax2_type='".$this->db->escape($localtaxes_type[2])."'"; - $sql .= ", fk_product=".(!empty($fk_product) ? "'".$fk_product."'" : "null"); + $sql .= ", fk_product=".(!empty($fk_product) ? "'".$this->db->escape($fk_product)."'" : "null"); $sql .= ", product_type=".$product_type; $sql .= ", remise_percent='".price2num($remise_percent)."'"; $sql .= ", subprice='".price2num($pu_ht)."'"; @@ -1194,13 +1194,13 @@ class FactureRec extends CommonInvoice $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.'facture_rec'; $sql .= ' WHERE frequency > 0'; // A recurring invoice is an invoice with a frequency - $sql .= " AND (date_when IS NULL OR date_when <= '".$db->idate($today)."')"; + $sql .= " AND (date_when IS NULL OR date_when <= '".$this->db->idate($today)."')"; $sql .= ' AND (nb_gen_done < nb_gen_max OR nb_gen_max = 0)'; $sql .= ' AND suspended = 0'; $sql .= ' AND entity = '.$conf->entity; // MUST STAY = $conf->entity here if ($restrictioninvoiceid > 0) $sql .= ' AND rowid = '.$restrictioninvoiceid; - $sql .= $db->order('entity', 'ASC'); + $sql .= $this->db->order('entity', 'ASC'); //print $sql;exit; $parameters = array( 'restrictioninvoiceid' => $restrictioninvoiceid, @@ -1208,11 +1208,11 @@ class FactureRec extends CommonInvoice ); $reshook = $hookmanager->executeHooks('beforeCreationOfRecurringInvoices', $parameters, $sql); // note that $sql might be modified by hooks - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { $i = 0; - $num = $db->num_rows($resql); + $num = $this->db->num_rows($resql); if ($num) $this->output .= $langs->trans("FoundXQualifiedRecurringInvoiceTemplate", $num)."\n"; @@ -1222,14 +1222,14 @@ class FactureRec extends CommonInvoice while ($i < $num) // Loop on each template invoice. If $num = 0, test is false at first pass. { - $line = $db->fetch_object($resql); + $line = $this->db->fetch_object($resql); - $db->begin(); + $this->db->begin(); $invoiceidgenerated = 0; $facture = null; - $facturerec = new FactureRec($db); + $facturerec = new FactureRec($this->db); $facturerec->fetch($line->rowid); if ($facturerec->id > 0) @@ -1239,7 +1239,7 @@ class FactureRec extends CommonInvoice dol_syslog("createRecurringInvoices Process invoice template id=".$facturerec->id.", ref=".$facturerec->ref.", entity=".$facturerec->entity); - $facture = new Facture($db); + $facture = new Facture($this->db); $facture->fac_rec = $facturerec->id; // We will create $facture from this recurring invoice $facture->fk_fac_rec_source = $facturerec->id; // We will create $facture from this recurring invoice @@ -1286,12 +1286,12 @@ class FactureRec extends CommonInvoice if (!$error && $invoiceidgenerated >= 0) { - $db->commit("createRecurringInvoices Process invoice template id=".$facturerec->id.", ref=".$facturerec->ref); + $this->db->commit("createRecurringInvoices Process invoice template id=".$facturerec->id.", ref=".$facturerec->ref); dol_syslog("createRecurringInvoices Process invoice template ".$facturerec->ref." is finished with a success generation"); $nb_create++; $this->output .= $langs->trans("InvoiceGeneratedFromTemplate", $facture->ref, $facturerec->ref)."\n"; } else { - $db->rollback("createRecurringInvoices Process invoice template id=".$facturerec->id.", ref=".$facturerec->ref); + $this->db->rollback("createRecurringInvoices Process invoice template id=".$facturerec->id.", ref=".$facturerec->ref); } $parameters = array( @@ -1308,7 +1308,7 @@ class FactureRec extends CommonInvoice } $conf->entity = $saventity; // Restore entity context - } else dol_print_error($db); + } else dol_print_error($this->db); $this->output = trim($this->output); diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php index be0888e4c79..4110e5ad26d 100644 --- a/htdocs/compta/facture/class/facture.class.php +++ b/htdocs/compta/facture/class/facture.class.php @@ -612,7 +612,7 @@ class Facture extends CommonInvoice $sql .= ", ".setEntity($this); $sql .= ", ".($this->ref_ext ? "'".$this->db->escape($this->ref_ext)."'" : "null"); $sql .= ", '".$this->db->escape($this->type)."'"; - $sql .= ", '".$socid."'"; + $sql .= ", ".((int) $socid); $sql .= ", '".$this->db->idate($now)."'"; $sql .= ", ".($this->remise_absolue > 0 ? $this->remise_absolue : 'NULL'); $sql .= ", ".($this->remise_percent > 0 ? $this->remise_percent : 'NULL'); @@ -627,7 +627,7 @@ class Facture extends CommonInvoice $sql .= ", ".($this->pos_source != '' ? "'".$this->db->escape($this->pos_source)."'" : "null"); $sql .= ", ".($this->fk_fac_rec_source ? "'".$this->db->escape($this->fk_fac_rec_source)."'" : "null"); $sql .= ", ".($this->fk_facture_source ? "'".$this->db->escape($this->fk_facture_source)."'" : "null"); - $sql .= ", ".($user->id > 0 ? "'".$user->id."'" : "null"); + $sql .= ", ".($user->id > 0 ? (int) $user->id : "null"); $sql .= ", ".($this->fk_project ? $this->fk_project : "null"); $sql .= ", ".$this->cond_reglement_id; $sql .= ", ".$this->mode_reglement_id; @@ -715,7 +715,7 @@ class Facture extends CommonInvoice } $sqlcontact = "SELECT ctc.code, ctc.source, ec.fk_socpeople FROM ".MAIN_DB_PREFIX."element_contact as ec, ".MAIN_DB_PREFIX."c_type_contact as ctc"; - $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$originforcontact."'"; + $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$this->db->escape($originforcontact)."'"; $resqlcontact = $this->db->query($sqlcontact); if ($resqlcontact) diff --git a/htdocs/compta/facture/stats/index.php b/htdocs/compta/facture/stats/index.php index 543585ddbb0..81466651856 100644 --- a/htdocs/compta/facture/stats/index.php +++ b/htdocs/compta/facture/stats/index.php @@ -94,7 +94,7 @@ dol_mkdir($dir); $stats = new FactureStats($db, $socid, $mode, ($userid > 0 ? $userid : 0), ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0)); if ($mode == 'customer') { - if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')'; + if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; if (is_array($custcats) && !empty($custcats)) { $stats->from .= ' LEFT JOIN '.MAIN_DB_PREFIX.'categorie_societe as cat ON (f.fk_soc = cat.fk_soc)'; $stats->where .= ' AND cat.fk_categorie IN ('.implode(',', $custcats).')'; @@ -102,7 +102,7 @@ if ($mode == 'customer') } if ($mode == 'supplier') { - if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')'; + if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; } // Build graphic number of object diff --git a/htdocs/compta/journal/purchasesjournal.php b/htdocs/compta/journal/purchasesjournal.php index 78ef32072d6..d754760dd57 100644 --- a/htdocs/compta/journal/purchasesjournal.php +++ b/htdocs/compta/journal/purchasesjournal.php @@ -106,7 +106,7 @@ $sql .= " s.rowid as socid, s.nom as name, s.code_compta_fournisseur,"; $sql .= " p.rowid as pid, p.ref as ref, p.accountancy_code_buy,"; $sql .= " ct.accountancy_code_buy as account_tva, ct.recuperableonly"; $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn_det as fd"; -$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_tva as ct ON fd.tva_tx = ct.taux AND fd.info_bits = ct.recuperableonly AND ct.fk_pays = '".$idpays."'"; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_tva as ct ON fd.tva_tx = ct.taux AND fd.info_bits = ct.recuperableonly AND ct.fk_pays = ".((int) $idpays); $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = fd.fk_product"; $sql .= " JOIN ".MAIN_DB_PREFIX."facture_fourn as f ON f.rowid = fd.fk_facture_fourn"; $sql .= " JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc"; diff --git a/htdocs/compta/journal/sellsjournal.php b/htdocs/compta/journal/sellsjournal.php index bd44f6c47cc..62e8c77a133 100644 --- a/htdocs/compta/journal/sellsjournal.php +++ b/htdocs/compta/journal/sellsjournal.php @@ -109,7 +109,7 @@ $sql .= " FROM ".MAIN_DB_PREFIX."facturedet as fd"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = fd.fk_product"; $sql .= " JOIN ".MAIN_DB_PREFIX."facture as f ON f.rowid = fd.fk_facture"; $sql .= " JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc"; -$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_tva ct ON fd.tva_tx = ct.taux AND fd.info_bits = ct.recuperableonly AND ct.fk_pays = '".$idpays."'"; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_tva ct ON fd.tva_tx = ct.taux AND fd.info_bits = ct.recuperableonly AND ct.fk_pays = ".((int) $idpays); $sql .= " WHERE f.entity IN (".getEntity('invoice').")"; $sql .= " AND f.fk_statut > 0"; if (!empty($conf->global->FACTURE_DEPOSITS_ARE_JUST_PAYMENTS)) { diff --git a/htdocs/compta/paiement/cheque/card.php b/htdocs/compta/paiement/cheque/card.php index 2d42fc14a37..463e95f953e 100644 --- a/htdocs/compta/paiement/cheque/card.php +++ b/htdocs/compta/paiement/cheque/card.php @@ -57,7 +57,7 @@ $offset = $limit * $page; $dir = $conf->bank->dir_output.'/checkdeposits/'; $filterdate = dol_mktime(0, 0, 0, GETPOST('fdmonth'), GETPOST('fdday'), GETPOST('fdyear')); -$filteraccountid = GETPOST('accountid'); +$filteraccountid = GETPOST('accountid', 'int'); $object = new RemiseCheque($db); @@ -394,7 +394,7 @@ if ($action == 'new') $sql .= " AND b.fk_bordereau = 0"; $sql .= " AND b.amount > 0"; if ($filterdate) $sql .= " AND b.dateo = '".$db->idate($filterdate)."'"; - if ($filteraccountid > 0) $sql .= " AND ba.rowid= '".$filteraccountid."'"; + if ($filteraccountid > 0) $sql .= " AND ba.rowid = ".((int) $filteraccountid); $sql .= $db->order("b.dateo,b.rowid", "ASC"); $resql = $db->query($sql); diff --git a/htdocs/compta/paiement/cheque/class/remisecheque.class.php b/htdocs/compta/paiement/cheque/class/remisecheque.class.php index 56d12872cd2..00815c90f7d 100644 --- a/htdocs/compta/paiement/cheque/class/remisecheque.class.php +++ b/htdocs/compta/paiement/cheque/class/remisecheque.class.php @@ -211,7 +211,7 @@ class RemiseCheque extends CommonObject $sql .= " WHERE b.fk_type = 'CHQ'"; $sql .= " AND b.amount > 0"; $sql .= " AND b.fk_bordereau = 0"; - $sql .= " AND b.fk_account='".$account_id."'"; + $sql .= " AND b.fk_account = ".((int) $account_id); if ($limit) $sql .= $this->db->plimit($limit); dol_syslog("RemiseCheque::Create", LOG_DEBUG); @@ -775,18 +775,18 @@ class RemiseCheque extends CommonObject $sql .= ' FROM '.MAIN_DB_PREFIX.'paiement_facture as pf'; $sql .= ' WHERE pf.fk_paiement = '.$payment->id; - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - $rejectedPayment = new Paiement($db); + $rejectedPayment = new Paiement($this->db); $rejectedPayment->amounts = array(); $rejectedPayment->datepaye = $rejection_date; $rejectedPayment->paiementid = dol_getIdFromCode($this->db, 'CHQ', 'c_paiement', 'code', 'id', 1); $rejectedPayment->num_payment = $payment->num_payment; - while ($obj = $db->fetch_object($resql)) + while ($obj = $this->db->fetch_object($resql)) { - $invoice = new Facture($db); + $invoice = new Facture($this->db); $invoice->fetch($obj->fk_facture); $invoice->set_unpaid($user); diff --git a/htdocs/compta/paiement/class/paiement.class.php b/htdocs/compta/paiement/class/paiement.class.php index f2dc613175f..5cb16bdcbe3 100644 --- a/htdocs/compta/paiement/class/paiement.class.php +++ b/htdocs/compta/paiement/class/paiement.class.php @@ -800,7 +800,7 @@ class Paiement extends CommonObject $sql = "UPDATE ".MAIN_DB_PREFIX.'bank'; $sql .= " SET dateo = '".$this->db->idate($date)."', datev = '".$this->db->idate($date)."'"; - $sql .= " WHERE rowid IN (SELECT fk_bank FROM ".MAIN_DB_PREFIX."bank_url WHERE type = '".$type."' AND url_id = ".$this->id.")"; + $sql .= " WHERE rowid IN (SELECT fk_bank FROM ".MAIN_DB_PREFIX."bank_url WHERE type = '".$this->db->escape($type)."' AND url_id = ".$this->id.")"; $sql .= " AND rappro = 0"; $result = $this->db->query($sql); diff --git a/htdocs/compta/prelevement/class/bonprelevement.class.php b/htdocs/compta/prelevement/class/bonprelevement.class.php index 067dd33cd81..9d3c5bef7a8 100644 --- a/htdocs/compta/prelevement/class/bonprelevement.class.php +++ b/htdocs/compta/prelevement/class/bonprelevement.class.php @@ -205,9 +205,9 @@ class BonPrelevement extends CommonObject $sql .= " FROM ".MAIN_DB_PREFIX."prelevement_lignes"; $sql .= " WHERE fk_prelevement_bons = ".$this->id; $sql .= " AND fk_soc =".$client_id; - $sql .= " AND code_banque ='".$code_banque."'"; - $sql .= " AND code_guichet ='".$code_guichet."'"; - $sql .= " AND number ='".$number."'"; + $sql .= " AND code_banque = '".$this->db->escape($code_banque)."'"; + $sql .= " AND code_guichet = '".$this->db->escape($code_guichet)."'"; + $sql .= " AND number = '".$this->db->escape($number)."'"; $resql = $this->db->query($sql); if ($resql) @@ -234,10 +234,10 @@ class BonPrelevement extends CommonObject $sql .= ", ".$client_id; $sql .= ", '".$this->db->escape($client_nom)."'"; $sql .= ", '".price2num($amount)."'"; - $sql .= ", '".$code_banque."'"; - $sql .= ", '".$code_guichet."'"; - $sql .= ", '".$number."'"; - $sql .= ", '".$number_key."'"; + $sql .= ", '".$this->db->escape($code_banque)."'"; + $sql .= ", '".$this->db->escape($code_guichet)."'"; + $sql .= ", '".$this->db->escape($number)."'"; + $sql .= ", '".$this->db->escape($number_key)."'"; $sql .= ")"; if ($this->db->query($sql)) @@ -1380,7 +1380,7 @@ class BonPrelevement extends CommonObject $result = 0; $sql = "DELETE FROM ".MAIN_DB_PREFIX."notify_def"; - $sql .= " WHERE rowid = '".$rowid."'"; + $sql .= " WHERE rowid = ".((int) $rowid); if ($this->db->query($sql)) { @@ -1404,7 +1404,7 @@ class BonPrelevement extends CommonObject $result = 0; $sql = "DELETE FROM ".MAIN_DB_PREFIX."notify_def"; - $sql .= " WHERE fk_user=".$user." AND fk_action='".$action."'"; + $sql .= " WHERE fk_user=".$user." AND fk_action='".$this->db->escape($action)."'"; if ($this->db->query($sql)) { @@ -1433,7 +1433,7 @@ class BonPrelevement extends CommonObject $now = dol_now(); $sql = "INSERT INTO ".MAIN_DB_PREFIX."notify_def (datec,fk_user, fk_soc, fk_contact, fk_action)"; - $sql .= " VALUES (".$db->idate($now).",".$user.", 'NULL', 'NULL', '".$action."')"; + $sql .= " VALUES ('".$this->db->idate($now)."', ".$user.", 'NULL', 'NULL', '".$this->db->escape($action)."')"; dol_syslog("adnotiff: ".$sql); if ($this->db->query($sql)) diff --git a/htdocs/compta/sociales/list.php b/htdocs/compta/sociales/list.php index 341799a686a..52d3b9b7fa3 100644 --- a/htdocs/compta/sociales/list.php +++ b/htdocs/compta/sociales/list.php @@ -138,8 +138,8 @@ if ($year > 0) $sql .= " AND ("; // Si period renseignee on l'utilise comme critere de date, sinon on prend date echeance, // ceci afin d'etre compatible avec les cas ou la periode n'etait pas obligatoire - $sql .= " (cs.periode IS NOT NULL AND date_format(cs.periode, '%Y') = '".$year."') "; - $sql .= "OR (cs.periode IS NULL AND date_format(cs.date_ech, '%Y') = '".$year."')"; + $sql .= " (cs.periode IS NOT NULL AND date_format(cs.periode, '%Y') = '".$db->escape($year)."') "; + $sql .= "OR (cs.periode IS NULL AND date_format(cs.date_ech, '%Y') = '".$db->escape($year)."')"; $sql .= ")"; } if ($filtre) { diff --git a/htdocs/compta/tva/class/tva.class.php b/htdocs/compta/tva/class/tva.class.php index b4201d0bc36..5f661609e52 100644 --- a/htdocs/compta/tva/class/tva.class.php +++ b/htdocs/compta/tva/class/tva.class.php @@ -384,7 +384,7 @@ class Tva extends CommonObject $sql .= " FROM ".MAIN_DB_PREFIX."facture as f WHERE f.paye = 1"; if ($year) { - $sql .= " AND f.datef >= '".$year."-01-01' AND f.datef <= '".$year."-12-31' "; + $sql .= " AND f.datef >= '".$this->db->escape($year)."-01-01' AND f.datef <= '".$this->db->escape($year)."-12-31' "; } $result = $this->db->query($sql); @@ -421,7 +421,7 @@ class Tva extends CommonObject $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn as f"; if ($year) { - $sql .= " WHERE f.datef >= '".$year."-01-01' AND f.datef <= '".$year."-12-31' "; + $sql .= " WHERE f.datef >= '".$this->db->escape($year)."-01-01' AND f.datef <= '".$this->db->escape($year)."-12-31' "; } $result = $this->db->query($sql); @@ -460,7 +460,7 @@ class Tva extends CommonObject if ($year) { - $sql .= " WHERE f.datev >= '".$year."-01-01' AND f.datev <= '".$year."-12-31' "; + $sql .= " WHERE f.datev >= '".$this->db->escape($year)."-01-01' AND f.datev <= '".$this->db->escape($year)."-12-31' "; } $result = $this->db->query($sql); diff --git a/htdocs/contact/class/contact.class.php b/htdocs/contact/class/contact.class.php index 3922dc9069f..0c2c3bf56ce 100644 --- a/htdocs/contact/class/contact.class.php +++ b/htdocs/contact/class/contact.class.php @@ -1649,7 +1649,7 @@ class Contact extends CommonObject $sql .= ", ".MAIN_DB_PREFIX."societe_contacts sc"; $sql .= " WHERE sc.fk_soc =".$this->socid; $sql .= " AND sc.fk_c_type_contact=tc.rowid"; - $sql .= " AND tc.element='".$element."'"; + $sql .= " AND tc.element='".$this->db->escape($element)."'"; $sql .= " AND tc.active=1"; dol_syslog(__METHOD__, LOG_DEBUG); diff --git a/htdocs/contrat/class/api_contracts.class.php b/htdocs/contrat/class/api_contracts.class.php index ffe66208afe..671ac1177f6 100644 --- a/htdocs/contrat/class/api_contracts.class.php +++ b/htdocs/contrat/class/api_contracts.class.php @@ -141,7 +141,7 @@ class Contracts extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -149,28 +149,28 @@ class Contracts extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } dol_syslog("API Rest request"); - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); $i = 0; while ($i < $min) { - $obj = $db->fetch_object($result); - $contrat_static = new Contrat($db); + $obj = $this->db->fetch_object($result); + $contrat_static = new Contrat($this->db); if ($contrat_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($contrat_static); } $i++; } } else { - throw new RestException(503, 'Error when retrieve contrat list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve contrat list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No contract found'); diff --git a/htdocs/contrat/class/contrat.class.php b/htdocs/contrat/class/contrat.class.php index b555917e2f3..f94b19c30b9 100644 --- a/htdocs/contrat/class/contrat.class.php +++ b/htdocs/contrat/class/contrat.class.php @@ -510,7 +510,7 @@ class Contrat extends CommonObject if ($num) { - $sql = "UPDATE ".MAIN_DB_PREFIX."contrat SET ref = '".$num."', statut = 1"; + $sql = "UPDATE ".MAIN_DB_PREFIX."contrat SET ref = '".$this->db->escape($num)."', statut = 1"; //$sql.= ", fk_user_valid = ".$user->id.", date_valid = '".$this->db->idate($now)."'"; $sql .= " WHERE rowid = ".$this->id." AND statut = 0"; @@ -1093,7 +1093,7 @@ class Contrat extends CommonObject } $sqlcontact = "SELECT ctc.code, ctc.source, ec.fk_socpeople FROM ".MAIN_DB_PREFIX."element_contact as ec, ".MAIN_DB_PREFIX."c_type_contact as ctc"; - $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$originforcontact."'"; + $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$this->db->escape($originforcontact)."'"; $resqlcontact = $this->db->query($sqlcontact); if ($resqlcontact) @@ -1541,15 +1541,15 @@ class Contrat extends CommonObject $sql .= ($fk_product > 0 ? $fk_product : "null").","; $sql .= " ".$qty.","; $sql .= " ".$txtva.","; - $sql .= " ".($vat_src_code ? "'".$vat_src_code."'" : "null").","; + $sql .= " ".($vat_src_code ? "'".$this->db->escape($vat_src_code)."'" : "null").","; $sql .= " ".$txlocaltax1.","; $sql .= " ".$txlocaltax2.","; - $sql .= " '".$localtax1_type."',"; - $sql .= " '".$localtax2_type."',"; + $sql .= " '".$this->db->escape($localtax1_type)."',"; + $sql .= " '".$this->db->escape($localtax2_type)."',"; $sql .= " ".price2num($remise_percent).","; $sql .= " ".price2num($pu_ht).","; $sql .= " ".price2num($total_ht).",".price2num($total_tva).",".price2num($total_localtax1).",".price2num($total_localtax2).",".price2num($total_ttc).","; - $sql .= " '".$info_bits."',"; + $sql .= " '".$this->db->escape($info_bits)."',"; $sql .= " ".price2num($price).",".price2num($remise).","; if (isset($fk_fournprice)) $sql .= ' '.$fk_fournprice.','; else $sql .= ' null,'; @@ -1717,8 +1717,8 @@ class Contrat extends CommonObject $sql .= ",tva_tx='".price2num($tvatx)."'"; $sql .= ",localtax1_tx='".price2num($localtax1tx)."'"; $sql .= ",localtax2_tx='".price2num($localtax2tx)."'"; - $sql .= ",localtax1_type='".$localtax1_type."'"; - $sql .= ",localtax2_type='".$localtax2_type."'"; + $sql .= ",localtax1_type='".$this->db->escape($localtax1_type)."'"; + $sql .= ",localtax2_type='".$this->db->escape($localtax2_type)."'"; $sql .= ", total_ht='".price2num($total_ht)."'"; $sql .= ", total_tva='".price2num($total_tva)."'"; $sql .= ", total_localtax1='".price2num($total_localtax1)."'"; diff --git a/htdocs/core/class/comment.class.php b/htdocs/core/class/comment.class.php index 91fba374181..a083576aacb 100644 --- a/htdocs/core/class/comment.class.php +++ b/htdocs/core/class/comment.class.php @@ -349,25 +349,25 @@ class Comment extends CommonObject $sql .= " c.rowid"; $sql .= " FROM ".MAIN_DB_PREFIX.$this->table_element." as c"; $sql .= " WHERE c.fk_element = ".$fk_element; - $sql .= " AND c.element_type = '".$db->escape($element_type)."'"; + $sql .= " AND c.element_type = '".$this->db->escape($element_type)."'"; $sql .= " AND c.entity = ".$conf->entity; $sql .= " ORDER BY c.tms DESC"; dol_syslog(get_class($this).'::'.__METHOD__, LOG_DEBUG); - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - $num_rows = $db->num_rows($resql); + $num_rows = $this->db->num_rows($resql); if ($num_rows > 0) { - while ($obj = $db->fetch_object($resql)) + while ($obj = $this->db->fetch_object($resql)) { $comment = new self($db); $comment->fetch($obj->rowid); $this->comments[] = $comment; } } - $db->free($resql); + $this->db->free($resql); } else { $this->errors[] = "Error ".$this->db->lasterror(); return -1; diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index 601d0b6f78a..9cd56c3b29a 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -2108,9 +2108,9 @@ class Form $selectFields = " p.rowid, p.ref, p.label, p.description, p.barcode, p.fk_country, p.fk_product_type, p.price, p.price_ttc, p.price_base_type, p.tva_tx, p.duration, p.fk_price_expression"; if (count($warehouseStatusArray)) { - $selectFieldsGrouped = ", sum(".$db->ifsql("e.statut IS NULL", "0", "ps.reel").") as stock"; // e.statut is null if there is no record in stock + $selectFieldsGrouped = ", sum(".$this->db->ifsql("e.statut IS NULL", "0", "ps.reel").") as stock"; // e.statut is null if there is no record in stock } else { - $selectFieldsGrouped = ", ".$db->ifsql("p.stock IS NULL", 0, "p.stock")." AS stock"; + $selectFieldsGrouped = ", ".$this->db->ifsql("p.stock IS NULL", 0, "p.stock")." AS stock"; } $sql = "SELECT "; @@ -2226,19 +2226,19 @@ class Form foreach ($scrit as $crit) { if ($i > 0) $sql .= " AND "; - $sql .= "(p.ref LIKE '".$db->escape($prefix.$crit)."%' OR p.label LIKE '".$db->escape($prefix.$crit)."%'"; - if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " OR pl.label LIKE '".$db->escape($prefix.$crit)."%'"; + $sql .= "(p.ref LIKE '".$this->db->escape($prefix.$crit)."%' OR p.label LIKE '".$this->db->escape($prefix.$crit)."%'"; + if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " OR pl.label LIKE '".$this->db->escape($prefix.$crit)."%'"; if (!empty($conf->global->PRODUCT_AJAX_SEARCH_ON_DESCRIPTION)) { - $sql .= " OR p.description LIKE '".$db->escape($prefix.$crit)."%'"; - if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " OR pl.description LIKE '".$db->escape($prefix.$crit)."%'"; + $sql .= " OR p.description LIKE '".$this->db->escape($prefix.$crit)."%'"; + if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " OR pl.description LIKE '".$this->db->escape($prefix.$crit)."%'"; } - if (!empty($conf->global->MAIN_SEARCH_PRODUCT_BY_FOURN_REF)) $sql .= " OR pfp.ref_fourn LIKE '".$db->escape($prefix.$crit)."%'"; + if (!empty($conf->global->MAIN_SEARCH_PRODUCT_BY_FOURN_REF)) $sql .= " OR pfp.ref_fourn LIKE '".$this->db->escape($prefix.$crit)."%'"; $sql .= ")"; $i++; } if (count($scrit) > 1) $sql .= ")"; - if (!empty($conf->barcode->enabled)) $sql .= " OR p.barcode LIKE '".$db->escape($prefix.$filterkey)."%'"; + if (!empty($conf->barcode->enabled)) $sql .= " OR p.barcode LIKE '".$this->db->escape($prefix.$filterkey)."%'"; $sql .= ')'; } if (count($warehouseStatusArray)) @@ -2253,10 +2253,10 @@ class Form //ASC OR DESC order ($conf->global->PRODUCT_SORT_BY_CATEGORY == 1) ? $sql .= "ASC" : $sql .= "DESC"; } else { - $sql .= $db->order("p.ref"); + $sql .= $this->db->order("p.ref"); } - $sql .= $db->plimit($limit, 0); + $sql .= $this->db->plimit($limit, 0); // Build output string dol_syslog(get_class($this)."::select_produits_list search product", LOG_DEBUG); @@ -2770,7 +2770,7 @@ class Form $sql .= ')'; } $sql .= " ORDER BY pfp.ref_fourn DESC, pfp.quantity ASC"; - $sql .= $db->plimit($limit, 0); + $sql .= $this->db->plimit($limit, 0); // Build output string @@ -4913,10 +4913,10 @@ class Form $sql = 'SELECT code FROM '.MAIN_DB_PREFIX.'multicurrency'; $sql .= " WHERE entity IN ('".getEntity('mutlicurrency')."')"; - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - while ($obj = $db->fetch_object($resql)) $TCurrency[$obj->code] = $obj->code; + while ($obj = $this->db->fetch_object($resql)) $TCurrency[$obj->code] = $obj->code; } $out = ''; diff --git a/htdocs/core/class/html.formaccounting.class.php b/htdocs/core/class/html.formaccounting.class.php index 874bb3719e4..f48e9b8eb74 100644 --- a/htdocs/core/class/html.formaccounting.class.php +++ b/htdocs/core/class/html.formaccounting.class.php @@ -179,10 +179,10 @@ class FormAccounting extends Form } dol_syslog(get_class($this).'::'.__METHOD__, LOG_DEBUG); - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - $num = $db->num_rows($resql); + $num = $this->db->num_rows($resql); if ($num) { $out = ''; if ($showempty) print ''; - $num = $db->num_rows($resql); + $num = $this->db->num_rows($resql); $i = 0; if ($num) { while ($i < $num) { - $obj = $db->fetch_object($resql); + $obj = $this->db->fetch_object($resql); // If we ask to filter on a company and user has no permission to see all companies and project is linked to another company, we hide project. if ($socid > 0 && (empty($obj->fk_soc) || $obj->fk_soc == $socid) && !$user->rights->societe->lire) { @@ -150,7 +150,7 @@ class FormContract } } print ''; - $db->free($resql); + $this->db->free($resql); if (!empty($conf->use_javascript_ajax)) { @@ -161,7 +161,7 @@ class FormContract return $num; } else { - dol_print_error($db); + dol_print_error($this->db); return -1; } } diff --git a/htdocs/core/class/html.formintervention.class.php b/htdocs/core/class/html.formintervention.class.php index 37073e8d3a5..dccbe50333a 100644 --- a/htdocs/core/class/html.formintervention.class.php +++ b/htdocs/core/class/html.formintervention.class.php @@ -80,18 +80,18 @@ class FormIntervention } dol_syslog(get_class($this)."::select_intervention", LOG_DEBUG); - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { $out .= ''; - $db->free($resql); + $this->db->free($resql); return $out; } else { - dol_print_error($db); + dol_print_error($this->db); return ''; } } diff --git a/htdocs/core/class/html.formmargin.class.php b/htdocs/core/class/html.formmargin.class.php index 7a6c3d9c13a..cf159819764 100644 --- a/htdocs/core/class/html.formmargin.class.php +++ b/htdocs/core/class/html.formmargin.class.php @@ -87,7 +87,7 @@ class FormMargin if (empty($line->pa_ht) && isset($line->fk_fournprice) && !$force_price) { require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.product.class.php'; - $product = new ProductFournisseur($db); + $product = new ProductFournisseur($this->db); if ($product->fetch_product_fournisseur_price($line->fk_fournprice)) $line->pa_ht = $product->fourn_unitprice * (1 - $product->fourn_remise_percent / 100); } diff --git a/htdocs/core/class/html.formother.class.php b/htdocs/core/class/html.formother.class.php index 08eaa77ac3e..38d75177b90 100644 --- a/htdocs/core/class/html.formother.class.php +++ b/htdocs/core/class/html.formother.class.php @@ -1012,7 +1012,7 @@ class FormOther // $boxidactivatedforuser will be array of boxes choosed by user $selectboxlist = ''; - $boxactivated = InfoBox::listBoxes($db, 'activated', $areacode, (empty($user->conf->$confuserzone) ?null:$user), array(), 0); // Search boxes of common+user (or common only if user has no specific setup) + $boxactivated = InfoBox::listBoxes($this->db, 'activated', $areacode, (empty($user->conf->$confuserzone) ?null:$user), array(), 0); // Search boxes of common+user (or common only if user has no specific setup) $boxidactivatedforuser = array(); foreach ($boxactivated as $box) @@ -1141,7 +1141,7 @@ class FormOther // Load translation files required by the page $langs->loadLangs(array("boxes", "projects")); - $emptybox = new ModeleBoxes($db); + $emptybox = new ModeleBoxes($this->db); $boxlista .= "\n\n"; diff --git a/htdocs/core/class/html.formsocialcontrib.class.php b/htdocs/core/class/html.formsocialcontrib.class.php index b9da780f02d..b5adfdba82f 100644 --- a/htdocs/core/class/html.formsocialcontrib.class.php +++ b/htdocs/core/class/html.formsocialcontrib.class.php @@ -88,10 +88,10 @@ class FormSocialContrib } dol_syslog("Form::select_type_socialcontrib", LOG_DEBUG); - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - $num = $db->num_rows($resql); + $num = $this->db->num_rows($resql); if ($num) { print ''; @@ -920,7 +920,7 @@ class ExpenseReport extends CommonObject print ''; print ''; } else { - $this->error = $db->lasterror(); + $this->error = $this->db->lasterror(); return -1; } } @@ -1130,7 +1130,7 @@ class ExpenseReport extends CommonObject // Validate $sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element; - $sql .= " SET ref = '".$num."',"; + $sql .= " SET ref = '".$this->db->escape($num)."',"; $sql .= " fk_statut = ".self::STATUS_VALIDATED.","; $sql .= " date_valid='".$this->db->idate($this->date_valid)."',"; $sql .= " fk_user_valid = ".$user->id; @@ -2354,7 +2354,7 @@ class ExpenseReport extends CommonObject $type = 'expense_report'; - $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$type."' AND ab.fk_doc = ".$this->id; + $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$this->db->escape($type)."' AND ab.fk_doc = ".$this->id; $resql = $this->db->query($sql); if ($resql) { @@ -2740,7 +2740,7 @@ function select_expensereport_statut($selected = '', $htmlname = 'fk_statut', $u { global $db, $langs; - $tmpep = new ExpenseReport($db); + $tmpep = new ExpenseReport($this->db); print '
'.$langs->trans("Total").'
'.$langs->trans("Total").'
'.$langs->trans("Total").'
'.$langs->trans("Total").'
'.$langs->trans("Total").'
'.$langs->trans("Total").'
'.$langs->trans("Total").'
'.$langs->trans("Total").'
'; - print ''; - print ''; - print ''; - print ''; - print ''; - print ''; - print '
'.$sqlupdate."
 
'; $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/product/admin/product_tools.php b/htdocs/product/admin/product_tools.php index 46a9af57153..592dd89baaa 100644 --- a/htdocs/product/admin/product_tools.php +++ b/htdocs/product/admin/product_tools.php @@ -184,7 +184,7 @@ if ($action == 'convert') $sql .= " AND tva_tx = '".$db->escape($oldvatrate)."'"; if ($vat_src_code_old) $sql .= " AND default_vat_code = '".$db->escape($vat_src_code_old)."'"; else " AND default_vat_code = IS NULL"; - $sql .= " AND s.fk_pays = '".$country_id."'"; + $sql .= " AND s.fk_pays = ".((int) $country_id); //print $sql; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/product/card.php b/htdocs/product/card.php index c4b46113d7f..f86b94f314e 100644 --- a/htdocs/product/card.php +++ b/htdocs/product/card.php @@ -234,6 +234,7 @@ if (empty($reshook)) $npr = preg_match('/\*/', $tva_tx_txt) ? 1 : 0; $localtax1 = 0; $localtax2 = 0; $localtax1_type = '0'; $localtax2_type = '0'; // If value contains the unique code of vat line (new recommanded method), we use it to find npr and local taxes + $reg = array(); if (preg_match('/\((.*)\)/', $tva_tx_txt, $reg)) { // We look into database using code (we can't use get_localtax() because it depends on buyer that is not known). Same in update price. @@ -241,9 +242,9 @@ if (empty($reshook)) // Get record from code $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'"; $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1"; - $sql .= " AND t.code ='".$vatratecode."'"; + $sql .= " AND t.code = '".$db->escape($vatratecode)."'"; $resql = $db->query($sql); if ($resql) { diff --git a/htdocs/product/class/html.formproduct.class.php b/htdocs/product/class/html.formproduct.class.php index 4e1a45a4c59..a0fd2bdb10c 100644 --- a/htdocs/product/class/html.formproduct.class.php +++ b/htdocs/product/class/html.formproduct.class.php @@ -112,10 +112,10 @@ class FormProduct $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps on ps.fk_entrepot = e.rowid"; if (!empty($fk_product)) { - $sql .= " AND ps.fk_product = '".$fk_product."'"; + $sql .= " AND ps.fk_product = ".((int) $fk_product); if (!empty($batch)) { - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_batch as pb on pb.fk_product_stock = ps.rowid AND pb.batch = '".$batch."'"; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_batch as pb on pb.fk_product_stock = ps.rowid AND pb.batch = '".$this->db->escape($batch)."'"; } } $sql .= " WHERE e.entity IN (".getEntity('stock').")"; diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php index 15572e1ae73..18565347072 100644 --- a/htdocs/product/class/product.class.php +++ b/htdocs/product/class/product.class.php @@ -929,7 +929,7 @@ class Product extends CommonObject { if ($detail->batch == $valueforundefinedlot || $detail->batch == 'Undefined') { // We discard this line, we will create it later - $sqlclean = "DELETE FROM ".MAIN_DB_PREFIX."product_batch WHERE batch in('Undefined', '".$valueforundefinedlot."') AND fk_product_stock = ".$ObjW->id; + $sqlclean = "DELETE FROM ".MAIN_DB_PREFIX."product_batch WHERE batch in('Undefined', '".$this->db->escape($valueforundefinedlot)."') AND fk_product_stock = ".$ObjW->id; $result = $this->db->query($sqlclean); if (!$result) { dol_print_error($this->db); @@ -1612,7 +1612,7 @@ class Product extends CommonObject // If price per customer require_once DOL_DOCUMENT_ROOT.'/product/class/productcustomerprice.class.php'; - $prodcustprice = new Productcustomerprice($db); + $prodcustprice = new Productcustomerprice($this->db); $filter = array('t.fk_product' => $this->id, 't.fk_soc' => $thirdparty_buyer->id); @@ -1749,7 +1749,7 @@ class Product extends CommonObject if (!empty($conf->global->PRODUCT_USE_SUPPLIER_PACKAGING)) $sql .= ", pfp.packaging"; $sql .= " FROM ".MAIN_DB_PREFIX."product_fournisseur_price as pfp"; $sql .= " WHERE pfp.fk_product = ".$product_id; - if ($fourn_ref != 'none') { $sql .= " AND pfp.ref_fourn = '".$fourn_ref."'"; + if ($fourn_ref != 'none') { $sql .= " AND pfp.ref_fourn = '".$this->db->escape($fourn_ref)."'"; } if ($fk_soc > 0) { $sql .= " AND pfp.fk_soc = ".$fk_soc; } @@ -1922,18 +1922,18 @@ class Product extends CommonObject // Ne pas mettre de quote sur les numeriques decimaux. // Ceci provoque des stockages avec arrondis en base au lieu des valeurs exactes. $sql = "UPDATE ".MAIN_DB_PREFIX."product SET"; - $sql .= " price_base_type='".$newpricebase."',"; + $sql .= " price_base_type='".$this->db->escape($newpricebase)."',"; $sql .= " price=".$price.","; $sql .= " price_ttc=".$price_ttc.","; $sql .= " price_min=".$price_min.","; $sql .= " price_min_ttc=".$price_min_ttc.","; $sql .= " localtax1_tx=".($localtax1 >= 0 ? $localtax1 : 'NULL').","; $sql .= " localtax2_tx=".($localtax2 >= 0 ? $localtax2 : 'NULL').","; - $sql .= " localtax1_type=".($localtaxtype1 != '' ? "'".$localtaxtype1."'" : "'0'").","; - $sql .= " localtax2_type=".($localtaxtype2 != '' ? "'".$localtaxtype2."'" : "'0'").","; + $sql .= " localtax1_type=".($localtaxtype1 != '' ? "'".$this->db->escape($localtaxtype1)."'" : "'0'").","; + $sql .= " localtax2_type=".($localtaxtype2 != '' ? "'".$this->db->escape($localtaxtype2)."'" : "'0'").","; $sql .= " default_vat_code=".($newdefaultvatcode ? "'".$this->db->escape($newdefaultvatcode)."'" : "null").","; $sql .= " tva_tx='".price2num($newvat)."',"; - $sql .= " recuperableonly='".$newnpr."'"; + $sql .= " recuperableonly='".$this->db->escape($newnpr)."'"; $sql .= " WHERE rowid = ".$id; dol_syslog(get_class($this)."::update_price", LOG_DEBUG); @@ -2942,7 +2942,7 @@ class Product extends CommonObject global $db, $conf, $user, $hookmanager; $sql = "SELECT COUNT(DISTINCT f.fk_soc) as nb_customers, COUNT(DISTINCT f.rowid) as nb,"; - $sql .= " COUNT(fd.rowid) as nb_rows, SUM(".$db->ifsql('f.type != 2', 'fd.qty', 'fd.qty * -1').") as qty"; + $sql .= " COUNT(fd.rowid) as nb_rows, SUM(".$this->db->ifsql('f.type != 2', 'fd.qty', 'fd.qty * -1').") as qty"; $sql .= " FROM ".MAIN_DB_PREFIX."facturedet as fd"; $sql .= ", ".MAIN_DB_PREFIX."facture as f"; $sql .= ", ".MAIN_DB_PREFIX."societe as s"; @@ -3672,8 +3672,8 @@ class Product extends CommonObject // phpcs:enable $sql = "SELECT fk_product_pere, qty, incdec"; $sql .= " FROM ".MAIN_DB_PREFIX."product_association"; - $sql .= " WHERE fk_product_pere = '".$fk_parent."'"; - $sql .= " AND fk_product_fils = '".$fk_child."'"; + $sql .= " WHERE fk_product_pere = ".((int) $fk_parent); + $sql .= " AND fk_product_fils = ".((int) $fk_child); $result = $this->db->query($sql); if ($result) { @@ -5371,17 +5371,17 @@ class Product extends CommonObject global $conf, $db; $sql = "SELECT rowid, level, fk_level, var_percent, var_min_percent FROM ".MAIN_DB_PREFIX."product_pricerules"; - $query = $db->query($sql); + $query = $this->db->query($sql); $rules = array(); - while ($result = $db->fetch_object($query)) { + while ($result = $this->db->fetch_object($query)) { $rules[$result->level] = $result; } //Because prices can be based on other level's prices, we temporarily store them $prices = array( - 1 => $baseprice + 1 => $baseprice ); for ($i = 1; $i <= $conf->global->PRODUIT_MULTIPRICES_LIMIT; $i++) { diff --git a/htdocs/product/class/propalmergepdfproduct.class.php b/htdocs/product/class/propalmergepdfproduct.class.php index 331708ff096..30ed73d8c77 100644 --- a/htdocs/product/class/propalmergepdfproduct.class.php +++ b/htdocs/product/class/propalmergepdfproduct.class.php @@ -232,7 +232,7 @@ class Propalmergepdfproduct extends CommonObject $sql .= " FROM ".MAIN_DB_PREFIX."propal_merge_pdf_product as t"; $sql .= " WHERE t.fk_product = ".$product_id; if ($conf->global->MAIN_MULTILANGS && !empty($lang)) { - $sql .= " AND t.lang = '".$lang."'"; + $sql .= " AND t.lang = '".$this->db->escape($lang)."'"; } dol_syslog(__METHOD__, LOG_DEBUG); @@ -398,7 +398,7 @@ class Propalmergepdfproduct extends CommonObject $sql .= " WHERE fk_product=".$product_id; if ($conf->global->MAIN_MULTILANGS && !empty($lang_id)) { - $sql .= " AND lang='".$lang_id."'"; + $sql .= " AND lang='".$this->db->escape($lang_id)."'"; } dol_syslog(__METHOD__, LOG_DEBUG); diff --git a/htdocs/product/index.php b/htdocs/product/index.php index 6dcc5799c26..53136237eca 100644 --- a/htdocs/product/index.php +++ b/htdocs/product/index.php @@ -327,7 +327,7 @@ if ((!empty($conf->product->enabled) || !empty($conf->service->enabled)) && ($us $sql = "SELECT label"; $sql .= " FROM ".MAIN_DB_PREFIX."product_lang"; $sql .= " WHERE fk_product=".$objp->rowid; - $sql .= " AND lang='".$langs->getDefaultLang()."'"; + $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'"; $resultd = $db->query($sql); if ($resultd) diff --git a/htdocs/product/list.php b/htdocs/product/list.php index 50d59168342..7f1711b13bb 100644 --- a/htdocs/product/list.php +++ b/htdocs/product/list.php @@ -353,7 +353,7 @@ if (is_array($extrafields->attributes[$object->table_element]['label']) && count if (!empty($searchCategoryProductList) || !empty($catid)) $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX."categorie_product as cp ON p.rowid = cp.fk_product"; // We'll need this table joined to the select in order to filter by categ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_fournisseur_price as pfp ON p.rowid = pfp.fk_product"; // multilang -if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lang as pl ON pl.fk_product = p.rowid AND pl.lang = '".$langs->getDefaultLang()."'"; +if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lang as pl ON pl.fk_product = p.rowid AND pl.lang = '".$db->escape($langs->getDefaultLang())."'"; if (!empty($conf->variants->enabled) && (!empty($conf->global->PRODUIT_ATTRIBUTES_HIDECHILD) && !$show_childproducts)) { $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_attribute_combination pac ON pac.fk_product_child = p.rowid"; diff --git a/htdocs/product/popuprop.php b/htdocs/product/popuprop.php index affd5a8b3f2..7e5015b7813 100644 --- a/htdocs/product/popuprop.php +++ b/htdocs/product/popuprop.php @@ -203,7 +203,7 @@ if ($mode && $mode != '-1') { $sql = "SELECT label"; $sql .= " FROM ".MAIN_DB_PREFIX."product_lang"; $sql .= " WHERE fk_product=".$prodid; - $sql .= " AND lang='".$langs->getDefaultLang()."'"; + $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'"; $sql .= " LIMIT 1"; $resultp = $db->query($sql); diff --git a/htdocs/product/price.php b/htdocs/product/price.php index 668777cb6c3..c73e43dc6f0 100644 --- a/htdocs/product/price.php +++ b/htdocs/product/price.php @@ -127,9 +127,9 @@ if (empty($reshook)) // Get record from code $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'"; $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1"; - $sql .= " AND t.code ='".$vatratecode."'"; + $sql .= " AND t.code ='".$db->escape($vatratecode)."'"; $resql = $db->query($sql); if ($resql) { @@ -243,9 +243,9 @@ if (empty($reshook)) // Get record from code $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'"; $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1"; - $sql .= " AND t.code ='".$vatratecode."'"; + $sql .= " AND t.code ='".$db->escape($vatratecode)."'"; $resql = $db->query($sql); if ($resql) { @@ -296,9 +296,9 @@ if (empty($reshook)) // Get record from code $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'"; $sql .= " AND t.taux = ".$tva_tx." AND t.active = 1"; - $sql .= " AND t.code ='".$vatratecode."'"; + $sql .= " AND t.code ='".$db->escape($vatratecode)."'"; $resql = $db->query($sql); if ($resql) { @@ -436,7 +436,7 @@ if (empty($reshook)) // Ajout / mise à jour if ($rowid > 0) { $sql = "UPDATE ".MAIN_DB_PREFIX."product_price_by_qty SET"; - $sql .= " price='".$price."',"; + $sql .= " price='".$db->escape($price)."',"; $sql .= " unitprice=".$unitPrice.","; $sql .= " quantity=".$quantity.","; $sql .= " remise_percent=".$remise_percent.","; @@ -525,9 +525,9 @@ if (empty($reshook)) // Get record from code $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'"; $sql .= " AND t.taux = ".$tva_tx." AND t.active = 1"; - $sql .= " AND t.code ='".$vatratecode."'"; + $sql .= " AND t.code ='".$db->escape($vatratecode)."'"; $resql = $db->query($sql); if ($resql) { @@ -625,9 +625,9 @@ if (empty($reshook)) // Get record from code $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'"; $sql .= " AND t.taux = ".$tva_tx." AND t.active = 1"; - $sql .= " AND t.code ='".$vatratecode."'"; + $sql .= " AND t.code ='".$db->escape($vatratecode)."'"; $resql = $db->query($sql); if ($resql) { diff --git a/htdocs/product/reassortlot.php b/htdocs/product/reassortlot.php index 2dfb423c5f8..cc37d930280 100644 --- a/htdocs/product/reassortlot.php +++ b/htdocs/product/reassortlot.php @@ -335,7 +335,7 @@ if ($resql) $sql = "SELECT label"; $sql .= " FROM ".MAIN_DB_PREFIX."product_lang"; $sql .= " WHERE fk_product=".$objp->rowid; - $sql .= " AND lang='".$langs->getDefaultLang()."'"; + $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'"; $sql .= " LIMIT 1"; $result = $db->query($sql); diff --git a/htdocs/product/stock/card.php b/htdocs/product/stock/card.php index 21be487993f..e2cf02ce3c7 100644 --- a/htdocs/product/stock/card.php +++ b/htdocs/product/stock/card.php @@ -432,7 +432,7 @@ if ($action == 'create') if (!empty($user->rights->stock->mouvement->lire)) { $sql = "SELECT max(m.datem) as datem"; $sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m"; - $sql .= " WHERE m.fk_entrepot = '".$object->id."'"; + $sql .= " WHERE m.fk_entrepot = ".((int) $object->id); $resqlbis = $db->query($sql); if ($resqlbis) { $obj = $db->fetch_object($resqlbis); @@ -555,7 +555,7 @@ if ($action == 'create') $sql = "SELECT label"; $sql .= " FROM ".MAIN_DB_PREFIX."product_lang"; $sql .= " WHERE fk_product=".$objp->rowid; - $sql .= " AND lang='".$langs->getDefaultLang()."'"; + $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'"; $sql .= " LIMIT 1"; $result = $db->query($sql); diff --git a/htdocs/product/stock/class/mouvementstock.class.php b/htdocs/product/stock/class/mouvementstock.class.php index bfdfb14f6e8..ca6e39c2b07 100644 --- a/htdocs/product/stock/class/mouvementstock.class.php +++ b/htdocs/product/stock/class/mouvementstock.class.php @@ -418,7 +418,7 @@ class MouvementStock extends CommonObject $sql .= " fk_entrepot, value, type_mouvement, fk_user_author, label, inventorycode, price, fk_origin, origintype, fk_projet"; $sql .= ")"; $sql .= " VALUES ('".$this->db->idate($now)."', ".$this->product_id.", "; - $sql .= " ".($batch ? "'".$batch."'" : "null").", "; + $sql .= " ".($batch ? "'".$this->db->escape($batch)."'" : "null").", "; $sql .= " ".($eatby ? "'".$this->db->idate($eatby)."'" : "null").", "; $sql .= " ".($sellby ? "'".$this->db->idate($sellby)."'" : "null").", "; $sql .= " ".$this->entrepot_id.", ".$this->qty.", ".((int) $this->type).","; diff --git a/htdocs/product/stock/movement_card.php b/htdocs/product/stock/movement_card.php index 2000ab4cdec..6d0eb0dc24c 100644 --- a/htdocs/product/stock/movement_card.php +++ b/htdocs/product/stock/movement_card.php @@ -457,7 +457,7 @@ $sql .= " AND e.entity IN (".getEntity('stock').")"; if (empty($conf->global->STOCK_SUPPORTS_SERVICES)) $sql .= " AND p.fk_product_type = 0"; if ($id > 0) $sql .= " AND e.rowid ='".$id."'"; $sql .= dolSqlDateFilter('m.datem', 0, $month, $year); -if ($idproduct > 0) $sql .= " AND p.rowid = '".$idproduct."'"; +if ($idproduct > 0) $sql .= " AND p.rowid = ".((int) $idproduct); if (!empty($search_ref)) $sql .= natural_search('m.rowid', $search_ref, 1); if (!empty($search_movement)) $sql .= natural_search('m.label', $search_movement); if (!empty($search_inventorycode)) $sql .= natural_search('m.inventorycode', $search_inventorycode); diff --git a/htdocs/product/stock/movement_list.php b/htdocs/product/stock/movement_list.php index e47c0664142..b533d4407a6 100644 --- a/htdocs/product/stock/movement_list.php +++ b/htdocs/product/stock/movement_list.php @@ -483,7 +483,7 @@ $sql .= " AND e.entity IN (".getEntity('stock').")"; if (empty($conf->global->STOCK_SUPPORTS_SERVICES)) $sql .= " AND p.fk_product_type = 0"; if ($id > 0) $sql .= " AND e.rowid ='".$id."'"; $sql .= dolSqlDateFilter('m.datem', 0, $month, $year); -if ($idproduct > 0) $sql .= " AND p.rowid = '".$idproduct."'"; +if ($idproduct > 0) $sql .= " AND p.rowid = ".((int) $idproduct); if (!empty($search_ref)) $sql .= natural_search('m.rowid', $search_ref, 1); if (!empty($search_movement)) $sql .= natural_search('m.label', $search_movement); if (!empty($search_inventorycode)) $sql .= natural_search('m.inventorycode', $search_inventorycode); @@ -624,7 +624,7 @@ if ($resql) // Last movement $sql = "SELECT MAX(m.datem) as datem"; $sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m"; - $sql .= " WHERE m.fk_entrepot = '".$object->id."'"; + $sql .= " WHERE m.fk_entrepot = ".((int) $object->id); $resqlbis = $db->query($sql); if ($resqlbis) { diff --git a/htdocs/product/stock/product.php b/htdocs/product/stock/product.php index cd83f2c19c8..858058ef684 100644 --- a/htdocs/product/stock/product.php +++ b/htdocs/product/stock/product.php @@ -710,7 +710,7 @@ if ($id > 0 || $ref) { $sql = "SELECT max(m.datem) as datem"; $sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m"; - $sql .= " WHERE m.fk_product = '".$object->id."'"; + $sql .= " WHERE m.fk_product = ".((int) $object->id); $resqlbis = $db->query($sql); if ($resqlbis) { $obj = $db->fetch_object($resqlbis); diff --git a/htdocs/product/stock/stockatdate.php b/htdocs/product/stock/stockatdate.php index b4ae04d6ae3..f581242c9f2 100644 --- a/htdocs/product/stock/stockatdate.php +++ b/htdocs/product/stock/stockatdate.php @@ -124,7 +124,7 @@ if ($date && $dateIsValid) { // Avoid heavy sql if mandatory date is not defined $sql .= " WHERE w.entity IN (".getEntity('stock').")"; $sql .= " AND w.rowid = ps.fk_entrepot"; if (! empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) { - $sql .= " AND w.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")"; + $sql .= " AND w.statut IN (".$db->sanitize($db->escape(implode(',', $warehouseStatus))).")"; } if ($productid > 0) { $sql .= " AND ps.fk_product = ".$productid; @@ -175,7 +175,7 @@ if ($date && $dateIsValid) { $sql .= " WHERE w.entity IN (".getEntity('stock').")"; $sql .= " AND w.rowid = sm.fk_entrepot"; if (! empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) { - $sql .= " AND w.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")"; + $sql .= " AND w.statut IN (".$db->sanitize($db->escape(implode(',', $warehouseStatus))).")"; } if ($mode == 'future') { $sql .= " AND sm.datem <= '".$db->idate($dateendofday)."'"; diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php index 1a03699c2bc..41ab46d0c9f 100644 --- a/test/phpunit/CodingPhpTest.php +++ b/test/phpunit/CodingPhpTest.php @@ -152,7 +152,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase $db=$this->savdb; include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; - $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT.'/holiday', 'files', 1, '\.php', null, 'fullname'); + $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT.'/product', 'files', 1, '\.php', null, 'fullname'); //$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname'); foreach ($filesarray as $key => $file) @@ -186,7 +186,9 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase 'TraceableDB.php', 'expeditionbatch.class.php', 'expensereport_ik.class.php', - 'expensereport_rule.class.php' + 'expensereport_rule.class.php', + 'multicurrency.class.php', + 'productbatch.class.php' ))) { // Must must not found $db-> $ok=true; From e5cca13ea08651557e76bd7c3645c86e7f11f0c2 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 20 Sep 2020 03:32:43 +0200 Subject: [PATCH 107/151] Fix escaping --- htdocs/compta/bank/class/account.class.php | 2 +- htdocs/compta/paiement/cheque/card.php | 2 +- htdocs/projet/activity/index.php | 16 ++++++++-------- htdocs/projet/admin/project.php | 4 ++-- htdocs/projet/list.php | 2 +- htdocs/projet/tasks/list.php | 4 ++-- htdocs/reception/class/reception.class.php | 7 +++---- htdocs/recruitment/admin/setup.php | 2 +- .../recruitment/admin/setup_candidatures.php | 2 +- htdocs/salaries/class/salariesstats.class.php | 4 ++-- htdocs/societe/admin/societe.php | 8 ++++---- .../societe/class/api_thirdparties.class.php | 2 +- htdocs/societe/class/societe.class.php | 9 ++++----- htdocs/societe/paymentmodes.php | 18 +++++++++--------- htdocs/societe/price.php | 4 ++-- htdocs/stripe/class/actions_stripe.class.php | 18 +++++++++--------- htdocs/stripe/class/stripe.class.php | 14 +++++++------- .../class/supplier_proposal.class.php | 2 +- htdocs/supplier_proposal/list.php | 2 +- htdocs/takepos/invoice.php | 14 +++++++------- htdocs/ticket/class/ticket.class.php | 4 ++-- htdocs/ticket/class/ticketstats.class.php | 4 ++-- htdocs/ticket/index.php | 6 +++--- htdocs/ticket/stats/index.php | 2 +- test/phpunit/CodingPhpTest.php | 6 ++++-- 25 files changed, 79 insertions(+), 79 deletions(-) diff --git a/htdocs/compta/bank/class/account.class.php b/htdocs/compta/bank/class/account.class.php index 675e462047f..dffd62dc5a3 100644 --- a/htdocs/compta/bank/class/account.class.php +++ b/htdocs/compta/bank/class/account.class.php @@ -1825,7 +1825,7 @@ class AccountLine extends CommonObject $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; if ($num) $sql .= " AND b.num_chq='".$this->db->escape($num)."'"; elseif ($ref) $sql .= " AND b.rowid='".$this->db->escape($ref)."'"; - else $sql .= " AND b.rowid=".$rowid; + else $sql .= " AND b.rowid = ".((int) $rowid); dol_syslog(get_class($this)."::fetch", LOG_DEBUG); $result = $this->db->query($sql); diff --git a/htdocs/compta/paiement/cheque/card.php b/htdocs/compta/paiement/cheque/card.php index 463e95f953e..2f9182f1693 100644 --- a/htdocs/compta/paiement/cheque/card.php +++ b/htdocs/compta/paiement/cheque/card.php @@ -206,7 +206,7 @@ if ($action == 'confirm_valide' && $confirm == 'yes' && $user->rights->banque->c if ($action == 'confirm_reject_check' && $confirm == 'yes' && $user->rights->banque->cheque) { $reject_date = dol_mktime(0, 0, 0, GETPOST('rejectdate_month'), GETPOST('rejectdate_day'), GETPOST('rejectdate_year')); - $rejected_check = GETPOST('bankid'); + $rejected_check = GETPOST('bankid', 'int'); $object->fetch($id); $paiement_id = $object->rejectCheck($rejected_check, $reject_date); diff --git a/htdocs/projet/activity/index.php b/htdocs/projet/activity/index.php index da8a6dc9c0c..295f96370f3 100644 --- a/htdocs/projet/activity/index.php +++ b/htdocs/projet/activity/index.php @@ -145,7 +145,7 @@ $sql .= " AND p.entity = ".$conf->entity; $sql .= " AND tt.fk_task = t.rowid"; $sql .= " AND tt.fk_user = ".$user->id; $sql .= " AND task_date BETWEEN '".$db->idate(dol_mktime(0, 0, 0, $month, $day, $year))."' AND '".$db->idate(dol_mktime(23, 59, 59, $month, $day, $year))."'"; -$sql .= " AND p.rowid in (".$projectsListId.")"; +$sql .= " AND p.rowid in (".$db->sanitize($projectsListId).")"; $sql .= " GROUP BY p.rowid, p.ref, p.title, p.public"; $resql = $db->query($sql); @@ -200,7 +200,7 @@ $sql .= " AND p.entity = ".$conf->entity; $sql .= " AND tt.fk_task = t.rowid"; $sql .= " AND tt.fk_user = ".$user->id; $sql .= " AND task_date BETWEEN '".$db->idate(dol_time_plus_duree(dol_mktime(0, 0, 0, $month, $day, $year), -1, 'd'))."' AND '".$db->idate(dol_time_plus_duree(dol_mktime(23, 59, 59, $month, $day, $year), -1, 'd'))."'"; -$sql .= " AND p.rowid in (".$projectsListId.")"; +$sql .= " AND p.rowid in (".$db->sanitize($projectsListId).")"; $sql .= " GROUP BY p.rowid, p.ref, p.title, p.public"; $resql = $db->query($sql); @@ -258,7 +258,7 @@ if ($db->type != 'pgsql') $sql.= " AND tt.fk_task = t.rowid"; $sql.= " AND tt.fk_user = ".$user->id; $sql.= " AND task_date >= '".$db->idate(dol_get_first_day($year, $month)).'" AND ..."; - $sql.= " AND p.rowid in (".$projectsListId.")"; + $sql.= " AND p.rowid in (".$db->sanitize($projectsListId).")"; $sql.= " GROUP BY p.rowid, p.ref, p.title"; $resql = $db->query($sql); @@ -315,7 +315,7 @@ if (!empty($conf->global->PROJECT_TASK_TIME_MONTH)) $sql .= " AND tt.fk_task = t.rowid"; $sql .= " AND tt.fk_user = ".$user->id; $sql .= " AND task_date BETWEEN '".$db->idate(dol_get_first_day($year, $month))."' AND '".$db->idate(dol_get_last_day($year, $month))."'"; - $sql .= " AND p.rowid in (".$projectsListId.")"; + $sql .= " AND p.rowid in (".$db->sanitize($projectsListId).")"; $sql .= " GROUP BY p.rowid, p.ref, p.title, p.public"; $resql = $db->query($sql); @@ -364,7 +364,7 @@ if (!empty($conf->global->PROJECT_TASK_TIME_YEAR)) $sql .= " AND tt.fk_task = t.rowid"; $sql .= " AND tt.fk_user = ".$user->id; $sql .= " AND YEAR(task_date) = '".strftime("%Y", $now)."'"; - $sql .= " AND p.rowid in (".$projectsListId.")"; + $sql .= " AND p.rowid in (".$db->sanitize($projectsListId).")"; $sql .= " GROUP BY p.rowid, p.ref, p.title, p.public"; $resql = $db->query($sql); @@ -400,7 +400,7 @@ if (empty($conf->global->PROJECT_HIDE_TASKS) && !empty($conf->global->PROJECT_SH // Get id of types of contacts for projects (This list never contains a lot of elements) $listofprojectcontacttype = array(); $sql = "SELECT ctc.rowid, ctc.code FROM ".MAIN_DB_PREFIX."c_type_contact as ctc"; - $sql .= " WHERE ctc.element = '".$projectstatic->element."'"; + $sql .= " WHERE ctc.element = '".$db->escape($projectstatic->element)."'"; $sql .= " AND ctc.source = 'internal'"; $resql = $db->query($sql); if ($resql) @@ -414,7 +414,7 @@ if (empty($conf->global->PROJECT_HIDE_TASKS) && !empty($conf->global->PROJECT_SH // Get id of types of contacts for tasks (This list never contains a lot of elements) $listoftaskcontacttype = array(); $sql = "SELECT ctc.rowid, ctc.code FROM ".MAIN_DB_PREFIX."c_type_contact as ctc"; - $sql .= " WHERE ctc.element = '".$taskstatic->element."'"; + $sql .= " WHERE ctc.element = '".$db->escape($taskstatic->element)."'"; $sql .= " AND ctc.source = 'internal'"; $resql = $db->query($sql); if ($resql) @@ -445,7 +445,7 @@ if (empty($conf->global->PROJECT_HIDE_TASKS) && !empty($conf->global->PROJECT_SH $sql .= ", ".MAIN_DB_PREFIX."element_contact as ect"; } $sql .= " WHERE p.entity IN (".getEntity('project').")"; - if ($mine || empty($user->rights->projet->all->lire)) $sql .= " AND p.rowid IN (".$projectsListId.")"; // project i have permission on + if ($mine || empty($user->rights->projet->all->lire)) $sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")"; // project i have permission on if ($mine) // this may duplicate record if we are contact twice { $sql .= " AND ect.fk_c_type_contact IN (".join(',', array_keys($listoftaskcontacttype)).") AND ect.element_id = t.rowid AND ect.fk_socpeople = ".$user->id; diff --git a/htdocs/projet/admin/project.php b/htdocs/projet/admin/project.php index 5156794dea2..937a5d28f27 100644 --- a/htdocs/projet/admin/project.php +++ b/htdocs/projet/admin/project.php @@ -508,7 +508,7 @@ $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); @@ -657,7 +657,7 @@ if (empty($conf->global->PROJECT_HIDE_TASKS)) $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; - $sql .= " WHERE type = '".$type."'"; + $sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); diff --git a/htdocs/projet/list.php b/htdocs/projet/list.php index 8f3a7769e34..8157adcf5c4 100644 --- a/htdocs/projet/list.php +++ b/htdocs/projet/list.php @@ -282,7 +282,7 @@ if (!$user->rights->projet->all->lire) $projectsListId = $object->getProjectsAut // Get id of types of contacts for projects (This list never contains a lot of elements) $listofprojectcontacttype = array(); $sql = "SELECT ctc.rowid, ctc.code FROM ".MAIN_DB_PREFIX."c_type_contact as ctc"; -$sql .= " WHERE ctc.element = '".$object->element."'"; +$sql .= " WHERE ctc.element = '".$db->escape($object->element)."'"; $sql .= " AND ctc.source = 'internal'"; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/projet/tasks/list.php b/htdocs/projet/tasks/list.php index 1caa0479673..20d917b2ae8 100644 --- a/htdocs/projet/tasks/list.php +++ b/htdocs/projet/tasks/list.php @@ -239,7 +239,7 @@ if (!$user->rights->projet->all->lire) $projectsListId = $projectstatic->getProj // Get id of types of contacts for projects (This list never contains a lot of elements) $listofprojectcontacttype = array(); $sql = "SELECT ctc.rowid, ctc.code FROM ".MAIN_DB_PREFIX."c_type_contact as ctc"; -$sql .= " WHERE ctc.element = '".$projectstatic->element."'"; +$sql .= " WHERE ctc.element = '".$db->escape($projectstatic->element)."'"; $sql .= " AND ctc.source = 'internal'"; $resql = $db->query($sql); if ($resql) @@ -253,7 +253,7 @@ if (count($listofprojectcontacttype) == 0) $listofprojectcontacttype[0] = '0'; / // Get id of types of contacts for tasks (This list never contains a lot of elements) $listoftaskcontacttype = array(); $sql = "SELECT ctc.rowid, ctc.code FROM ".MAIN_DB_PREFIX."c_type_contact as ctc"; -$sql .= " WHERE ctc.element = '".$object->element."'"; +$sql .= " WHERE ctc.element = '".$db->escape($object->element)."'"; $sql .= " AND ctc.source = 'internal'"; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/reception/class/reception.class.php b/htdocs/reception/class/reception.class.php index 201afb161dd..8ea45ccd1c8 100644 --- a/htdocs/reception/class/reception.class.php +++ b/htdocs/reception/class/reception.class.php @@ -1012,21 +1012,20 @@ class Reception extends CommonObject public function fetch_lines() { // phpcs:enable - global $db; dol_include_once('/fourn/class/fournisseur.commande.dispatch.class.php'); $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.'commande_fournisseur_dispatch WHERE fk_reception='.$this->id; - $resql = $db->query($sql); + $resql = $this->db->query($sql); if (!empty($resql)) { $this->lines = array(); while ($obj = $resql->fetch_object()) { - $line = new CommandeFournisseurDispatch($db); + $line = new CommandeFournisseurDispatch($this->db); $line->fetch($obj->rowid); $line->fetch_product(); $sql_commfourndet = 'SELECT qty, ref, label, tva_tx, vat_src_code, subprice, multicurrency_subprice, remise_percent FROM llx_commande_fournisseurdet WHERE rowid='.$line->fk_commandefourndet; $resql_commfourndet = $db->query($sql_commfourndet); if (!empty($resql_commfourndet)) { - $obj = $db->fetch_object($resql_commfourndet); + $obj = $this->db->fetch_object($resql_commfourndet); $line->qty_asked = $obj->qty; $line->description = $line->comment; $line->desc = $line->comment; diff --git a/htdocs/recruitment/admin/setup.php b/htdocs/recruitment/admin/setup.php index aa65393c7a8..72d455d7a14 100644 --- a/htdocs/recruitment/admin/setup.php +++ b/htdocs/recruitment/admin/setup.php @@ -372,7 +372,7 @@ foreach ($myTmpObjects as $myTmpObjectKey => $myTmpObjectArray) { $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; - $sql .= " WHERE type = '".$type."'"; + $sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/recruitment/admin/setup_candidatures.php b/htdocs/recruitment/admin/setup_candidatures.php index 22bdd03cfd2..e3738f57564 100644 --- a/htdocs/recruitment/admin/setup_candidatures.php +++ b/htdocs/recruitment/admin/setup_candidatures.php @@ -372,7 +372,7 @@ foreach ($myTmpObjects as $myTmpObjectKey => $myTmpObjectArray) { $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; - $sql .= " WHERE type = '".$type."'"; + $sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/salaries/class/salariesstats.class.php b/htdocs/salaries/class/salariesstats.class.php index 3601e14bcdc..f20bde818a1 100644 --- a/htdocs/salaries/class/salariesstats.class.php +++ b/htdocs/salaries/class/salariesstats.class.php @@ -119,7 +119,7 @@ class SalariesStats extends Stats { $sql = "SELECT date_format(datep,'%m') as dm, sum(".$this->field.")"; $sql .= " FROM ".$this->from; - $sql .= " WHERE date_format(datep,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(datep,'%Y') = '".$this->db->escape($year)."'"; $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); @@ -140,7 +140,7 @@ class SalariesStats extends Stats { $sql = "SELECT date_format(datep,'%m') as dm, avg(".$this->field.")"; $sql .= " FROM ".$this->from; - $sql .= " WHERE date_format(datep,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(datep,'%Y') = '".$this->db->escape($year)."'"; $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); diff --git a/htdocs/societe/admin/societe.php b/htdocs/societe/admin/societe.php index 69f5e373725..a66f17ca915 100644 --- a/htdocs/societe/admin/societe.php +++ b/htdocs/societe/admin/societe.php @@ -119,7 +119,7 @@ if ($action == 'set') $type = 'company'; $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)"; - $sql .= " VALUES ('".$db->escape($value)."','".$type."',".$conf->entity.", "; + $sql .= " VALUES ('".$db->escape($value)."','".$db->escape($type)."',".$conf->entity.", "; $sql .= ($label ? "'".$db->escape($label)."'" : 'null').", "; $sql .= (!empty($scandir) ? "'".$db->escape($scandir)."'" : "null"); $sql .= ")"; @@ -133,7 +133,7 @@ if ($action == 'del') { $type = 'company'; $sql = "DELETE FROM ".MAIN_DB_PREFIX."document_model"; - $sql .= " WHERE nom='".$db->escape($value)."' AND type='".$type."' AND entity=".$conf->entity; + $sql .= " WHERE nom='".$db->escape($value)."' AND type='".$db->escape($type)."' AND entity=".$conf->entity; $resql = $db->query($sql); if (!$resql) dol_print_error($db); } @@ -152,13 +152,13 @@ if ($action == 'setdoc') $type = 'company'; $sql_del = "DELETE FROM ".MAIN_DB_PREFIX."document_model"; $sql_del .= " WHERE nom = '".$db->escape(GETPOST('value', 'alpha'))."'"; - $sql_del .= " AND type = '".$type."'"; + $sql_del .= " AND type = '".$db->escape($type)."'"; $sql_del .= " AND entity = ".$conf->entity; dol_syslog("societe.php ".$sql); $result1 = $db->query($sql_del); $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)"; - $sql .= " VALUES ('".$db->escape($value)."', '".$type."', ".$conf->entity.", "; + $sql .= " VALUES ('".$db->escape($value)."', '".$db->escape($type)."', ".$conf->entity.", "; $sql .= ($label ? "'".$db->escape($label)."'" : 'null').", "; $sql .= (!empty($scandir) ? "'".$db->escape($scandir)."'" : "null"); $sql .= ")"; diff --git a/htdocs/societe/class/api_thirdparties.class.php b/htdocs/societe/class/api_thirdparties.class.php index eb376f41341..8551cb61f10 100644 --- a/htdocs/societe/class/api_thirdparties.class.php +++ b/htdocs/societe/class/api_thirdparties.class.php @@ -1588,7 +1588,7 @@ class Thirdparties extends DolibarrApi // We found an existing SocieteAccount entity, we are replacing it } else { if (isset($request_data['site']) && $request_data['site'] !== $site) { - $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = ".$id." AND site = '".$request_data['site']."' "; + $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = ".$id." AND site = '".$this->db->escape($request_data['site'])."' "; $result = $this->db->query($sql); if ($result->num_rows !== 0) { diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php index 4f41326b175..f28c6953d82 100644 --- a/htdocs/societe/class/societe.class.php +++ b/htdocs/societe/class/societe.class.php @@ -820,12 +820,11 @@ class Societe extends CommonObject { $this->entity = ((isset($this->entity) && is_numeric($this->entity)) ? $this->entity : $conf->entity); - $sql = "INSERT INTO ".MAIN_DB_PREFIX."societe (nom, name_alias, entity, datec, fk_user_creat, canvas, status, ref_int, ref_ext, fk_stcomm, fk_incoterms, location_incoterms ,import_key, fk_multicurrency, multicurrency_code)"; + $sql = "INSERT INTO ".MAIN_DB_PREFIX."societe (nom, name_alias, entity, datec, fk_user_creat, canvas, status, ref_ext, fk_stcomm, fk_incoterms, location_incoterms ,import_key, fk_multicurrency, multicurrency_code)"; $sql .= " VALUES ('".$this->db->escape($this->name)."', '".$this->db->escape($this->name_alias)."', ".$this->db->escape($this->entity).", '".$this->db->idate($now)."'"; - $sql .= ", ".(!empty($user->id) ? "'".$user->id."'" : "null"); + $sql .= ", ".(!empty($user->id) ? ((int) $user->id) : "null"); $sql .= ", ".(!empty($this->canvas) ? "'".$this->db->escape($this->canvas)."'" : "null"); $sql .= ", ".$this->status; - $sql .= ", ".(!empty($this->ref_int) ? "'".$this->db->escape($this->ref_int)."'" : "null"); $sql .= ", ".(!empty($this->ref_ext) ? "'".$this->db->escape($this->ref_ext)."'" : "null"); $sql .= ", 0"; $sql .= ", ".(int) $this->fk_incoterms; @@ -2742,7 +2741,7 @@ class Societe extends CommonObject $sql = "SELECT rowid, email, phone_mobile, lastname, firstname"; $sql .= " FROM ".MAIN_DB_PREFIX."socpeople"; - $sql .= " WHERE rowid = '".$rowid."'"; + $sql .= " WHERE rowid = ".((int) $rowid); $resql = $this->db->query($sql); if ($resql) @@ -3186,7 +3185,7 @@ class Societe extends CommonObject } //Verify duplicate entries - $sql = "SELECT COUNT(*) as idprof FROM ".MAIN_DB_PREFIX."societe WHERE ".$field." = '".$value."' AND entity IN (".getEntity('societe').")"; + $sql = "SELECT COUNT(*) as idprof FROM ".MAIN_DB_PREFIX."societe WHERE ".$field." = '".$this->db->escape($value)."' AND entity IN (".getEntity('societe').")"; if ($socid) $sql .= " AND rowid <> ".$socid; $resql = $this->db->query($sql); if ($resql) diff --git a/htdocs/societe/paymentmodes.php b/htdocs/societe/paymentmodes.php index 739c4456a78..26828773753 100644 --- a/htdocs/societe/paymentmodes.php +++ b/htdocs/societe/paymentmodes.php @@ -551,10 +551,10 @@ if (empty($reshook)) $db->begin(); if (empty($newcu)) { - $sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_account WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$site_account."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; + $sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_account WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; } else { $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX."societe_account"; - $sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$site_account."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified ! + $sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified ! } $resql = $db->query($sql); @@ -577,8 +577,8 @@ if (empty($reshook)) } } else { $sql = 'UPDATE '.MAIN_DB_PREFIX."societe_account"; - $sql .= " SET key_account = '".$db->escape(GETPOST('key_account', 'alpha'))."', site_account = '".$site_account."'"; - $sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$site_account."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified ! + $sql .= " SET key_account = '".$db->escape(GETPOST('key_account', 'alpha'))."', site_account = '".$db->escape($site_account)."'"; + $sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified ! $resql = $db->query($sql); } } @@ -602,9 +602,9 @@ if (empty($reshook)) $db->begin(); if (empty($newsup)) { - $sql = "DELETE FROM ".MAIN_DB_PREFIX."oauth_token WHERE fk_soc = ".$object->id." AND service = '".$service."' AND entity = ".$conf->entity; + $sql = "DELETE FROM ".MAIN_DB_PREFIX."oauth_token WHERE fk_soc = ".$object->id." AND service = '".$db->escape($service)."' AND entity = ".$conf->entity; // TODO Add site and site_account on oauth_token table - //$sql = "DELETE FROM ".MAIN_DB_PREFIX."oauth_token WHERE site = 'stripe' AND (site_account IS NULL or site_account = '".$site_account."') AND fk_soc = ".$object->id." AND service = '".$service."' AND entity = ".$conf->entity; + //$sql = "DELETE FROM ".MAIN_DB_PREFIX."oauth_token WHERE site = 'stripe' AND (site_account IS NULL or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND service = '".$db->escape($service)."' AND entity = ".$conf->entity; } else { try { $stripesup = \Stripe\Account::retrieve($db->escape(GETPOST('key_account_supplier', 'alpha'))); @@ -612,9 +612,9 @@ if (empty($reshook)) $tokenstring['type'] = $stripesup->type; $sql = "UPDATE ".MAIN_DB_PREFIX."oauth_token"; $sql .= " SET tokenstring = '".dol_json_encode($tokenstring)."'"; - $sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '".$site_account."') AND fk_soc = ".$object->id." AND service = '".$service."' AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified ! + $sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND service = '".$db->escape($service)."' AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified ! // TODO Add site and site_account on oauth_token table - $sql .= " WHERE fk_soc = ".$object->id." AND service = '".$service."' AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified ! + $sql .= " WHERE fk_soc = ".$object->id." AND service = '".$db->escape($service)."' AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified ! } catch (Exception $e) { $error++; setEventMessages($e->getMessage(), null, 'errors'); @@ -630,7 +630,7 @@ if (empty($reshook)) $tokenstring['stripe_user_id'] = $stripesup->id; $tokenstring['type'] = $stripesup->type; $sql = "INSERT INTO ".MAIN_DB_PREFIX."oauth_token (service, fk_soc, entity, tokenstring)"; - $sql .= " VALUES ('".$service."', ".$object->id.", ".$conf->entity.", '".dol_json_encode($tokenstring)."')"; + $sql .= " VALUES ('".$db->escape($service)."', ".$object->id.", ".$conf->entity.", '".dol_json_encode($tokenstring)."')"; // TODO Add site and site_account on oauth_token table } catch (Exception $e) { $error++; diff --git a/htdocs/societe/price.php b/htdocs/societe/price.php index 48cc398bf87..8fb17a59e3f 100644 --- a/htdocs/societe/price.php +++ b/htdocs/societe/price.php @@ -105,9 +105,9 @@ if (empty($reshook)) // Get record from code $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'"; $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1"; - $sql .= " AND t.code ='".$vatratecode."'"; + $sql .= " AND t.code ='".$db->escape($vatratecode)."'"; $resql = $db->query($sql); if ($resql) { diff --git a/htdocs/stripe/class/actions_stripe.class.php b/htdocs/stripe/class/actions_stripe.class.php index 2fafe09a693..a7a868f7e4a 100644 --- a/htdocs/stripe/class/actions_stripe.class.php +++ b/htdocs/stripe/class/actions_stripe.class.php @@ -98,7 +98,7 @@ class ActionsStripeconnect $this->resprints .= ''; $this->resprints .= ''; $this->resprints .= ''; - $stripe = new Stripe($db); + $stripe = new Stripe($this->db); if ($stripe->getStripeAccount($service) && $object->client != 0) { $customer = $stripe->customerStripe($object, $stripe->getStripeAccount($service)); $this->resprints .= $customer->id; @@ -114,7 +114,7 @@ class ActionsStripeconnect $this->resprints .= ''; $this->resprints .= ''; $this->resprints .= ''; - $stripe = new Stripe($db); + $stripe = new Stripe($this->db); if ($stripe->getStripeAccount($service) && $object->fk_soc > 0) { $object->fetch_thirdparty(); $customer = $stripe->customerStripe($object->thirdparty, $stripe->getStripeAccount($service)); @@ -131,7 +131,7 @@ class ActionsStripeconnect $this->resprints .= ''; $this->resprints .= ''; $this->resprints .= ''; - $stripe = new Stripe($db); + $stripe = new Stripe($this->db); if (7 == 4) { $object->fetch_thirdparty(); $customer = $stripe->customerStripe($object, $stripe->getStripeAccount($service)); @@ -149,7 +149,7 @@ class ActionsStripeconnect $this->resprints .= ''; $this->resprints .= ''; $this->resprints .= ''; - $stripe = new Stripe($db); + $stripe = new Stripe($this->db); if (7 == 4) { $object->fetch_thirdparty(); $customer = $stripe->customerStripe($object, $stripe->getStripeAccount($service)); @@ -179,25 +179,25 @@ class ActionsStripeconnect $sql .= ' FROM '.MAIN_DB_PREFIX.'paiement_facture as pf'; $sql .= ' WHERE pf.fk_facture = '.$object->id; - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); while ($i < $num) { - $objp = $db->fetch_object($result); + $objp = $this->db->fetch_object($result); $totalpaye += $objp->amount; $i++; } } else { - dol_print_error($db, ''); + dol_print_error($this->db, ''); } $resteapayer = $object->total_ttc - $totalpaye; // Request a direct debit order if ($object->statut > Facture::STATUS_DRAFT && $object->statut < Facture::STATUS_ABANDONED && $object->paye == 0) { - $stripe = new Stripe($db); + $stripe = new Stripe($this->db); if ($resteapayer > 0) { if ($stripe->getStripeAccount($conf->entity)) // a modifier avec droit stripe diff --git a/htdocs/stripe/class/stripe.class.php b/htdocs/stripe/class/stripe.class.php index 961011b51e0..a3199917f53 100644 --- a/htdocs/stripe/class/stripe.class.php +++ b/htdocs/stripe/class/stripe.class.php @@ -92,7 +92,7 @@ class Stripe extends CommonObject $sql = "SELECT tokenstring"; $sql .= " FROM ".MAIN_DB_PREFIX."oauth_token"; $sql .= " WHERE entity = ".$conf->entity; - $sql .= " AND service = '".$mode."'"; + $sql .= " AND service = '".$this->db->escape($mode)."'"; if ($fk_soc > 0) { $sql .= " AND fk_soc = ".$fk_soc; } else { @@ -356,9 +356,9 @@ class Stripe extends CommonObject $sql = "SELECT pi.ext_payment_id, pi.entity, pi.fk_facture, pi.sourcetype, pi.ext_payment_site"; $sql .= " FROM ".MAIN_DB_PREFIX."prelevement_facture_demande as pi"; $sql .= " WHERE pi.fk_facture = ".$object->id; - $sql .= " AND pi.sourcetype = '".$object->element."'"; + $sql .= " AND pi.sourcetype = '".$this->db->escape($object->element)."'"; $sql .= " AND pi.entity IN (".getEntity('societe').")"; - $sql .= " AND pi.ext_payment_site = '".$service."'"; + $sql .= " AND pi.ext_payment_site = '".$this->db->escape($service)."'"; dol_syslog(get_class($this)."::getPaymentIntent search stripe payment intent for object id = ".$object->id, LOG_DEBUG); $resql = $this->db->query($sql); @@ -465,7 +465,7 @@ class Stripe extends CommonObject $sql = "SELECT pi.rowid"; $sql .= " FROM ".MAIN_DB_PREFIX."prelevement_facture_demande as pi"; $sql .= " WHERE pi.entity IN (".getEntity('societe').")"; - $sql .= " AND pi.ext_payment_site = '".$service."'"; + $sql .= " AND pi.ext_payment_site = '".$this->db->escape($service)."'"; $sql .= " AND pi.ext_payment_id = '".$this->db->escape($paymentintent->id)."'"; dol_syslog(get_class($this)."::getPaymentIntent search if payment intent already in prelevement_facture_demande", LOG_DEBUG); @@ -484,7 +484,7 @@ class Stripe extends CommonObject { $now = dol_now(); $sql = "INSERT INTO ".MAIN_DB_PREFIX."prelevement_facture_demande (date_demande, fk_user_demande, ext_payment_id, fk_facture, sourcetype, entity, ext_payment_site, amount)"; - $sql .= " VALUES ('".$this->db->idate($now)."', ".$user->id.", '".$this->db->escape($paymentintent->id)."', ".$object->id.", '".$this->db->escape($object->element)."', ".$conf->entity.", '".$service."', ".$amount.")"; + $sql .= " VALUES ('".$this->db->idate($now)."', ".$user->id.", '".$this->db->escape($paymentintent->id)."', ".$object->id.", '".$this->db->escape($object->element)."', ".$conf->entity.", '".$this->db->escape($service)."', ".$amount.")"; $resql = $this->db->query($sql); if (!$resql) { @@ -617,7 +617,7 @@ class Stripe extends CommonObject $sql = "SELECT pi.rowid"; $sql.= " FROM " . MAIN_DB_PREFIX . "prelevement_facture_demande as pi"; $sql.= " WHERE pi.entity IN (".getEntity('societe').")"; - $sql.= " AND pi.ext_payment_site = '" . $service . "'"; + $sql.= " AND pi.ext_payment_site = '" . $this->db->escape($service) . "'"; $sql.= " AND pi.ext_payment_id = '".$this->db->escape($setupintent->id)."'"; dol_syslog(get_class($this) . "::getPaymentIntent search if payment intent already in prelevement_facture_demande", LOG_DEBUG); @@ -637,7 +637,7 @@ class Stripe extends CommonObject { $now=dol_now(); $sql = "INSERT INTO " . MAIN_DB_PREFIX . "prelevement_facture_demande (date_demande, fk_user_demande, ext_payment_id, fk_facture, sourcetype, entity, ext_payment_site)"; - $sql .= " VALUES ('".$this->db->idate($now)."', ".$user->id.", '".$this->db->escape($setupintent->id)."', ".$object->id.", '".$this->db->escape($object->element)."', " . $conf->entity . ", '" . $service . "', ".$amount.")"; + $sql .= " VALUES ('".$this->db->idate($now)."', ".$user->id.", '".$this->db->escape($setupintent->id)."', ".$object->id.", '".$this->db->escape($object->element)."', " . $conf->entity . ", '" . $this->db->escape($service) . "', ".$amount.")"; $resql = $this->db->query($sql); if (! $resql) { diff --git a/htdocs/supplier_proposal/class/supplier_proposal.class.php b/htdocs/supplier_proposal/class/supplier_proposal.class.php index eeca2c2adf3..92759515ba4 100644 --- a/htdocs/supplier_proposal/class/supplier_proposal.class.php +++ b/htdocs/supplier_proposal/class/supplier_proposal.class.php @@ -918,7 +918,7 @@ class SupplierProposal extends CommonObject $sql .= ", 0"; $sql .= ", '".$this->db->idate($now)."'"; $sql .= ", '(PROV)'"; - $sql .= ", ".($user->id > 0 ? "'".$user->id."'" : "null"); + $sql .= ", ".($user->id > 0 ? ((int) $user->id) : "null"); $sql .= ", '".$this->db->escape($this->note_private)."'"; $sql .= ", '".$this->db->escape($this->note_public)."'"; $sql .= ", '".$this->db->escape($this->model_pdf)."'"; diff --git a/htdocs/supplier_proposal/list.php b/htdocs/supplier_proposal/list.php index 2ead83c0eb2..1340dce3b3b 100644 --- a/htdocs/supplier_proposal/list.php +++ b/htdocs/supplier_proposal/list.php @@ -314,7 +314,7 @@ if ($search_multicurrency_montant_vat != '') $sql .= natural_search('sp.multicur if ($search_multicurrency_montant_ttc != '') $sql .= natural_search('sp.multicurrency_total_ttc', $search_multicurrency_montant_ttc, 1); if ($sall) $sql .= natural_search(array_keys($fieldstosearchall), $sall); if ($socid) $sql .= ' AND s.rowid = '.$socid; -if ($search_status >= 0 && $search_status != '') $sql .= ' AND sp.fk_statut IN ('.$this->db->sanitize($db->escape($search_status)).')'; +if ($search_status >= 0 && $search_status != '') $sql .= ' AND sp.fk_statut IN ('.$db->sanitize($db->escape($search_status)).')'; $sql .= dolSqlDateFilter("sp.date_livraison", $day, $month, $year); $sql .= dolSqlDateFilter("sp.date_valid", $dayvalid, $monthvalid, $yearvalid); if ($search_sale > 0) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$search_sale; diff --git a/htdocs/takepos/invoice.php b/htdocs/takepos/invoice.php index 6c45f6121f9..3ab9f91c9ff 100644 --- a/htdocs/takepos/invoice.php +++ b/htdocs/takepos/invoice.php @@ -169,11 +169,11 @@ if ($action == 'valid' && $user->rights->facture->creer) if ($invoice->total_ttc < 0) { $invoice->type = $invoice::TYPE_CREDIT_NOTE; - $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."facture WHERE "; - $sql .= "fk_soc = '".$invoice->socid."' "; - $sql .= "AND type <> ".Facture::TYPE_CREDIT_NOTE." "; - $sql .= "AND fk_statut >= ".$invoice::STATUS_VALIDATED." "; - $sql .= "ORDER BY rowid DESC"; + $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."facture WHERE"; + $sql .= " fk_soc = ".((int) $invoice->socid); + $sql .= " AND type <> ".Facture::TYPE_CREDIT_NOTE; + $sql .= " AND fk_statut >= ".$invoice::STATUS_VALIDATED; + $sql .= " ORDER BY rowid DESC"; $resql = $db->query($sql); if ($resql) { $obj = $db->fetch_object($resql); @@ -394,7 +394,7 @@ if ($action == "deleteline") { $invoice->deleteline($idline); $invoice->fetch($placeid); } elseif ($placeid > 0) { // If invoice exists but no line selected, proceed to delete last line. - $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."facturedet where fk_facture='".$placeid."' order by rowid DESC"; + $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."facturedet where fk_facture = ".((int) $placeid)." ORDER BY rowid DESC"; $resql = $db->query($sql); $row = $db->fetch_array($resql); $deletelineid = $row[0]; @@ -427,7 +427,7 @@ if ($action == "delete") { $sql = "DELETE FROM ".MAIN_DB_PREFIX."facturedet where fk_facture = ".$placeid; $resql2 = $db->query($sql); $sql = "UPDATE ".MAIN_DB_PREFIX."facture set fk_soc=".$conf->global->{'CASHDESK_ID_THIRDPARTY'.$_SESSION["takeposterminal"]}; - $sql .= " WHERE ref='(PROV-POS".$_SESSION["takeposterminal"]."-".$place.")'"; + $sql .= " WHERE ref='(PROV-POS".$db->escape($_SESSION["takeposterminal"])."-".$db->escape($place).")'"; $resql3 = $db->query($sql); $invoice->update_price(1); diff --git a/htdocs/ticket/class/ticket.class.php b/htdocs/ticket/class/ticket.class.php index d0f2581fa73..f7813066a4c 100644 --- a/htdocs/ticket/class/ticket.class.php +++ b/htdocs/ticket/class/ticket.class.php @@ -664,7 +664,7 @@ class Ticket extends CommonObject if (!empty($filter)) { foreach ($filter as $key => $value) { if (strpos($key, 'date')) { // To allow $filter['YEAR(s.dated)']=>$year - $sql .= ' AND '.$key.' = \''.$value.'\''; + $sql .= ' AND '.$key." = '".$this->db->scape($value)."'"; } elseif (($key == 't.fk_user_assign') || ($key == 't.type_code') || ($key == 't.category_code') || ($key == 't.severity_code') || ($key == 't.fk_soc')) { $sql .= " AND ".$key." = '".$this->db->escape($value)."'"; } elseif ($key == 't.fk_statut') { @@ -2242,7 +2242,7 @@ class Ticket extends CommonObject $sql .= " AND tc.active=1"; if ($status >= 0) { - $sql .= " AND ec.statut = '".$status."'"; + $sql .= " AND ec.statut = ".((int) $status); } $sql .= " ORDER BY t.lastname ASC"; diff --git a/htdocs/ticket/class/ticketstats.class.php b/htdocs/ticket/class/ticketstats.class.php index a6b4c23e70c..f2fd2155247 100644 --- a/htdocs/ticket/class/ticketstats.class.php +++ b/htdocs/ticket/class/ticketstats.class.php @@ -118,7 +118,7 @@ class TicketStats extends Stats { $sql = "SELECT date_format(datec,'%m') as dm, sum(".$this->field.")"; $sql .= " FROM ".$this->from; - $sql .= " WHERE date_format(datec,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(datec,'%Y') = '".$this->db->escape($year)."'"; $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); @@ -138,7 +138,7 @@ class TicketStats extends Stats { $sql = "SELECT date_format(datec,'%m') as dm, avg(".$this->field.")"; $sql .= " FROM ".$this->from; - $sql .= " WHERE date_format(datec,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(datec,'%Y') = '".$this->db->escape($year)."'"; $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); diff --git a/htdocs/ticket/index.php b/htdocs/ticket/index.php index cfd8e3f26f3..a6d9ad3d0b0 100644 --- a/htdocs/ticket/index.php +++ b/htdocs/ticket/index.php @@ -142,11 +142,11 @@ if (!$user->rights->societe->client->voir && !$socid) { // External users restriction if ($user->socid > 0) { - $sql .= " AND t.fk_soc='".$user->socid."'"; + $sql .= " AND t.fk_soc= ".((int) $user->socid); } else { // For internals users, if (!empty($conf->global->TICKET_LIMIT_VIEW_ASSIGNED_ONLY) && !$user->rights->ticket->manage) { - $sql .= " AND t.fk_user_assign=".$user->id; + $sql .= " AND t.fk_user_assign = ".$user->id; } } $sql .= " GROUP BY t.fk_statut"; @@ -305,7 +305,7 @@ if (!$user->rights->societe->client->voir && !$socid) { } if ($user->socid > 0) { - $sql .= " AND t.fk_soc='".$user->socid."'"; + $sql .= " AND t.fk_soc= ".((int) $user->socid); } else { // Restricted to assigned user only if ($conf->global->TICKET_LIMIT_VIEW_ASSIGNED_ONLY && !$user->rights->ticket->manage) { diff --git a/htdocs/ticket/stats/index.php b/htdocs/ticket/stats/index.php index d00d1b8ac34..fe66b9c2231 100644 --- a/htdocs/ticket/stats/index.php +++ b/htdocs/ticket/stats/index.php @@ -70,7 +70,7 @@ print load_fiche_titre($title, '', 'ticket'); dol_mkdir($dir); $stats = new TicketStats($db, $socid, ($userid > 0 ? $userid : 0)); -if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')'; +if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; // Build graphic number of object diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php index 41ab46d0c9f..b633ce00868 100644 --- a/test/phpunit/CodingPhpTest.php +++ b/test/phpunit/CodingPhpTest.php @@ -152,7 +152,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase $db=$this->savdb; include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; - $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT.'/product', 'files', 1, '\.php', null, 'fullname'); + $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT.'/ticket', 'files', 1, '\.php', null, 'fullname'); //$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname'); foreach ($filesarray as $key => $file) @@ -188,7 +188,9 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase 'expensereport_ik.class.php', 'expensereport_rule.class.php', 'multicurrency.class.php', - 'productbatch.class.php' + 'productbatch.class.php', + 'reception.class.php', + 'societe.class.php' ))) { // Must must not found $db-> $ok=true; From 233aa58161c4bc7b73b905304251f0062a5cba9f Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 20 Sep 2020 03:36:02 +0200 Subject: [PATCH 108/151] Fix sanitizing --- htdocs/user/class/user.class.php | 2 +- htdocs/user/class/userbankaccount.class.php | 2 +- htdocs/user/list.php | 2 +- test/phpunit/CodingPhpTest.php | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php index 53a7abe5dac..94b35a9a629 100644 --- a/htdocs/user/class/user.class.php +++ b/htdocs/user/class/user.class.php @@ -3133,7 +3133,7 @@ class User extends CommonObject $sql = "SELECT rowid, email, user_mobile, civility, lastname, firstname"; $sql .= " FROM ".MAIN_DB_PREFIX."user"; - $sql .= " WHERE rowid = '".$rowid."'"; + $sql .= " WHERE rowid = ".((int) $rowid); $resql = $this->db->query($sql); if ($resql) diff --git a/htdocs/user/class/userbankaccount.class.php b/htdocs/user/class/userbankaccount.class.php index 325753fc773..25c751b4cb9 100644 --- a/htdocs/user/class/userbankaccount.class.php +++ b/htdocs/user/class/userbankaccount.class.php @@ -170,7 +170,7 @@ class UserBankAccount extends Account $sql .= " FROM ".MAIN_DB_PREFIX."user_rib"; if ($id) $sql .= " WHERE rowid = ".$id; if ($ref) $sql .= " WHERE label = '".$this->db->escape($ref)."'"; - if ($userid) $sql .= " WHERE fk_user = '".$userid."'"; + if ($userid) $sql .= " WHERE fk_user = ".((int) $userid); $resql = $this->db->query($sql); if ($resql) diff --git a/htdocs/user/list.php b/htdocs/user/list.php index 9554ef1563a..92826eac19e 100644 --- a/htdocs/user/list.php +++ b/htdocs/user/list.php @@ -229,7 +229,7 @@ if ($search_thirdparty != '') $sql .= natural_search(array('s.nom'), $search_thi if ($search_login != '') $sql .= natural_search("u.login", $search_login); if ($search_lastname != '') $sql .= natural_search("u.lastname", $search_lastname); if ($search_firstname != '') $sql .= natural_search("u.firstname", $search_firstname); -if ($search_gender != '' && $search_gender != '-1') $sql .= " AND u.gender = '".$search_gender."'"; +if ($search_gender != '' && $search_gender != '-1') $sql .= natural_search("u.gender", $search_gender); if (is_numeric($search_employee) && $search_employee >= 0) { $sql .= ' AND u.employee = '.(int) $search_employee; } diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php index b633ce00868..82175d3e3e9 100644 --- a/test/phpunit/CodingPhpTest.php +++ b/test/phpunit/CodingPhpTest.php @@ -152,7 +152,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase $db=$this->savdb; include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; - $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT.'/ticket', 'files', 1, '\.php', null, 'fullname'); + $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname'); //$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname'); foreach ($filesarray as $key => $file) From 85aa1ab402ebcb8b0ab1802555d0f1dd60d22ce3 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 20 Sep 2020 03:37:05 +0200 Subject: [PATCH 109/151] Fix sanitizing --- htdocs/expensereport/stats/index.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/expensereport/stats/index.php b/htdocs/expensereport/stats/index.php index f73b95a6ebb..2079a2bf045 100644 --- a/htdocs/expensereport/stats/index.php +++ b/htdocs/expensereport/stats/index.php @@ -75,7 +75,7 @@ print load_fiche_titre($title, '', 'trip'); dol_mkdir($dir); $stats = new ExpenseReportStats($db, $socid, $userid); -if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND e.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')'; +if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND e.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; // Build graphic number of object // $data = array(array('Lib',val1,val2,val3),...) From 2eb46b490013b20472e50c5e08aa0c57c055b11c Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 20 Sep 2020 04:56:45 +0200 Subject: [PATCH 110/151] Enhance antiXSS by excluding non printable chars used to obfuscate hack --- htdocs/core/lib/functions.lib.php | 17 ++++++++++++++++- htdocs/main.inc.php | 8 +++++--- htdocs/ticket/class/actions_ticket.class.php | 3 ++- 3 files changed, 23 insertions(+), 5 deletions(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 03a42beff2a..c3417702c6a 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -970,7 +970,7 @@ function dol_string_unaccent($str) * @param array $badcharstoreplace List of forbidden characters * @return string Cleaned string * - * @see dol_sanitizeFilename(), dol_string_unaccent() + * @see dol_sanitizeFilename(), dol_string_unaccent(), dol_string_nounprintableascii() */ function dol_string_nospecial($str, $newstr = '_', $badcharstoreplace = '') { @@ -983,6 +983,21 @@ function dol_string_nospecial($str, $newstr = '_', $badcharstoreplace = '') } +/** + * Clean a string from all non printable ascii chars (0x00-0x1F and 0x7F). It removes also CR-LF + * This can be used to sanitize a string and view its real content. Some hacks try to obfuscate attacks by inserting non printable chars. + * + * @param string $str String to clean + * @return string Cleaned string + * + * @see dol_sanitizeFilename(), dol_string_unaccent(), dol_string_nospecial() + */ +function dol_string_nounprintableascii($str) +{ + return preg_replace('/[\x00-\x1F\x7F]/u', '', $str); +} + + /** * Returns text escaped for inclusion into javascript code * diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index e584ad48a42..b46a72b5ddc 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -57,11 +57,13 @@ if (!empty($_SERVER['MAIN_SHOW_TUNING_INFO'])) */ function testSqlAndScriptInject($val, $type) { - $val = html_entity_decode($val, ENT_QUOTES); // So message; include_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php'; $uselocalbrowser = true; - $doleditor = new DolEditor('message_initial', $msg, '100%', 250, 'dolibarr_details', 'In', true, $uselocalbrowser, $conf->global->FCKEDITOR_ENABLE_TICKET, ROWS_9, '95%'); + $ckeditorenabledforticket = $conf->global->FCKEDITOR_ENABLE_TICKET; + $doleditor = new DolEditor('message_initial', $msg, '100%', 250, 'dolibarr_details', 'In', true, $uselocalbrowser, $ckeditorenabledforticket, ROWS_9, '95%'); $doleditor->Create(); } else { // Deal with format differences (text / HTML) From b3d386fa54add55019e69a2737ede7eefa764bed Mon Sep 17 00:00:00 2001 From: daraelmin Date: Sun, 20 Sep 2020 08:42:25 +0200 Subject: [PATCH 111/151] Fix Category is lost on sorting member list When sorting member list filter by tag/category the criteria is lost because of one missing GET parameter Just adding a GET parameter to keep the category/tag parameter when sorting the list --- htdocs/adherents/list.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/htdocs/adherents/list.php b/htdocs/adherents/list.php index 1e550fb7f65..75c9c731810 100644 --- a/htdocs/adherents/list.php +++ b/htdocs/adherents/list.php @@ -370,6 +370,7 @@ if ($search_lastname) $param .= "&search_lastname=".urlencode($search_lastname) if ($search_gender) $param .= "&search_gender=".urlencode($search_gender); if ($search_login) $param .= "&search_login=".urlencode($search_login); if ($search_email) $param .= "&search_email=".urlencode($search_email); +if ($search_categ) $param .= "&search_categ=".urlencode($search_categ); if ($search_company) $param .= "&search_company=".urlencode($search_company); if ($search_address != '') $param .= "&search_address=".urlencode($search_address); if ($search_town != '') $param .= "&search_town=".urlencode($search_town); @@ -545,7 +546,7 @@ if (!empty($arrayfields['d.email']['checked'])) { print ''; print ''; } - +// End of subscription date if (!empty($arrayfields['d.datefin']['checked'])) { print ''; print ''; From 3f2220bd6fff69f520106955620ffa66099037fd Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 20 Sep 2020 14:34:19 +0200 Subject: [PATCH 112/151] Fix --- htdocs/core/class/html.formother.class.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/core/class/html.formother.class.php b/htdocs/core/class/html.formother.class.php index 38d75177b90..96c73deff7a 100644 --- a/htdocs/core/class/html.formother.class.php +++ b/htdocs/core/class/html.formother.class.php @@ -1012,7 +1012,7 @@ class FormOther // $boxidactivatedforuser will be array of boxes choosed by user $selectboxlist = ''; - $boxactivated = InfoBox::listBoxes($this->db, 'activated', $areacode, (empty($user->conf->$confuserzone) ?null:$user), array(), 0); // Search boxes of common+user (or common only if user has no specific setup) + $boxactivated = InfoBox::listBoxes($db, 'activated', $areacode, (empty($user->conf->$confuserzone) ?null:$user), array(), 0); // Search boxes of common+user (or common only if user has no specific setup) $boxidactivatedforuser = array(); foreach ($boxactivated as $box) @@ -1141,7 +1141,7 @@ class FormOther // Load translation files required by the page $langs->loadLangs(array("boxes", "projects")); - $emptybox = new ModeleBoxes($this->db); + $emptybox = new ModeleBoxes($db); $boxlista .= "\n\n"; From 1a494542c654808a81bcc62775a096680908583d Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 20 Sep 2020 14:40:49 +0200 Subject: [PATCH 113/151] Fix static --- htdocs/core/class/infobox.class.php | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/htdocs/core/class/infobox.class.php b/htdocs/core/class/infobox.class.php index 7ddbd9a74c2..26edc402880 100644 --- a/htdocs/core/class/infobox.class.php +++ b/htdocs/core/class/infobox.class.php @@ -280,7 +280,7 @@ class InfoBox $sql .= " values ("; $sql .= " ".$id.","; $sql .= " ".$zone.","; - $sql .= " '".$this->db->escape($colonne.$ii)."',"; + $sql .= " '".$db->escape($colonne.$ii)."',"; $sql .= " ".$userid.","; $sql .= " ".$conf->entity; $sql .= ")"; @@ -295,20 +295,17 @@ class InfoBox } } } - if ($error) - { - $error = $db->error(); - $db->rollback(); - return -2; - } else { - $db->commit(); - return 1; - } } else { - $error = $db->lasterror(); - $db->rollback(); - dol_syslog(get_class()."::saveboxorder ".$error); - return -1; + $error++; + } + + if ($error) + { + $db->rollback(); + return -2; + } else { + $db->commit(); + return 1; } } } From 667fb1098cd148d46165e00a81b95062c6f7d9cc Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 20 Sep 2020 16:06:53 +0200 Subject: [PATCH 114/151] Fix --- htdocs/core/class/rssparser.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/core/class/rssparser.class.php b/htdocs/core/class/rssparser.class.php index 67d12887315..c18bfd1d263 100644 --- a/htdocs/core/class/rssparser.class.php +++ b/htdocs/core/class/rssparser.class.php @@ -356,7 +356,7 @@ class RssParser if (!empty($rss->channel['title'])) $this->_title = (string) $rss->channel['title']; //if (!empty($rss->channel['rss_description'])) $this->_description = (string) $rss->channel['rss_description']; - if (is_array($rss->channel)) { + if (!empty($rss->channel)) { $this->_imageurl = $this->getAtomImageUrl($rss->channel); } } From a3d0835c370b2dfc96bb528c72b3aec3955317e1 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 20 Sep 2020 16:11:02 +0200 Subject: [PATCH 115/151] Fix param --- htdocs/comm/index.php | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/htdocs/comm/index.php b/htdocs/comm/index.php index 1ed0b684696..9751858ff41 100644 --- a/htdocs/comm/index.php +++ b/htdocs/comm/index.php @@ -191,6 +191,7 @@ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { addSummaryTableLine(3, $num, $nbofloop, $total, "NoProposal"); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); @@ -254,6 +255,7 @@ if (!empty($conf->supplier_proposal->enabled) && $user->rights->supplier_proposa addSummaryTableLine(3, $num, $nbofloop, $total, "NoProposal"); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); @@ -318,6 +320,7 @@ if (!empty($conf->commande->enabled) && $user->rights->commande->lire) { addSummaryTableLine(3, $num, $nbofloop, $total, "NoProposal"); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); @@ -382,6 +385,7 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU addSummaryTableLine(3, $num, $nbofloop, $total, "NoProposal"); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); @@ -448,6 +452,7 @@ if (!empty($conf->societe->enabled) && $user->rights->societe->lire) { addSummaryTableLine(3, $num); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); @@ -498,6 +503,7 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU addSummaryTableLine(2, $num); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); @@ -572,6 +578,7 @@ if (!empty($conf->contrat->enabled) && $user->rights->contrat->lire && 0) { // T addSummaryTableLine(2, $num); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); @@ -654,6 +661,7 @@ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { addSummaryTableLine(5, $num, $nbofloop, $total, "NoProposal", true); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); @@ -734,8 +742,9 @@ if (!empty($conf->commande->enabled) && $user->rights->commande->lire) { } } - addSummaryTableLine(5, $num, $nbofloop, $num, $total, "None", true); + addSummaryTableLine(5, $num, $nbofloop, $total, "None", true); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); From 2fca5e928b466bd9332b35509cf8612654430f5c Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 20 Sep 2020 16:13:20 +0200 Subject: [PATCH 116/151] Fix comment --- htdocs/modulebuilder/template/test/phpunit/MyObjectTest.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/modulebuilder/template/test/phpunit/MyObjectTest.php b/htdocs/modulebuilder/template/test/phpunit/MyObjectTest.php index 48e8f79a8de..169bfeb92f6 100644 --- a/htdocs/modulebuilder/template/test/phpunit/MyObjectTest.php +++ b/htdocs/modulebuilder/template/test/phpunit/MyObjectTest.php @@ -53,7 +53,7 @@ class MyObjectTest extends \PHPUnit_Framework_TestCase * Constructor * We save global variables into local variables * - * @return BOMTest + * @return MyObject */ public function __construct() { From b3dd51b7901b536727bcf2129968cd0844368c75 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 20 Sep 2020 16:46:29 +0200 Subject: [PATCH 117/151] Fix warnings --- htdocs/admin/menus/edit.php | 3 +- htdocs/comm/action/class/actioncomm.class.php | 18 +-- .../class/html.formexpensereport.class.php | 136 ++++++++++++++++++ htdocs/core/class/link.class.php | 2 +- htdocs/expensereport/card.php | 8 +- .../class/expensereport.class.php | 85 ----------- htdocs/expensereport/list.php | 4 +- htdocs/exports/export.php | 2 +- .../webservices/server_productorservice.php | 4 +- 9 files changed, 159 insertions(+), 103 deletions(-) create mode 100644 htdocs/core/class/html.formexpensereport.class.php diff --git a/htdocs/admin/menus/edit.php b/htdocs/admin/menus/edit.php index 92373d7c01e..31e0f896633 100644 --- a/htdocs/admin/menus/edit.php +++ b/htdocs/admin/menus/edit.php @@ -32,6 +32,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/menubase.class.php'; $langs->loadLangs(array("other", "admin")); $cancel = GETPOST('cancel', 'alphanohtml'); // We click on a Cancel button +$confirm = GETPOST('confirm'); if (!$user->admin) accessforbidden(); @@ -231,7 +232,7 @@ if ($action == 'add') } // delete -if ($action == 'confirm_delete' && $_POST["confirm"] == 'yes') +if ($action == 'confirm_delete' && $confirm == 'yes') { $db->begin(); diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php index 842a41c1a46..a5084bfac74 100644 --- a/htdocs/comm/action/class/actioncomm.class.php +++ b/htdocs/comm/action/class/actioncomm.class.php @@ -1160,32 +1160,32 @@ class ActionComm extends CommonObject $sql .= " element_type = 'socpeople' AND fk_element = ".$fk_element.')'; } else { - $sql .= " AND a.fk_element = ".(int) $fk_element." AND a.elementtype = '".$this->db->escape($elementtype)."'"; + $sql .= " AND a.fk_element = ".(int) $fk_element." AND a.elementtype = '".$db->escape($elementtype)."'"; } } if (!empty($filter)) $sql .= $filter; - if ($sortorder && $sortfield) $sql .= $this->db->order($sortfield, $sortorder); - $sql .= $this->db->plimit($limit, 0); + if ($sortorder && $sortfield) $sql .= $db->order($sortfield, $sortorder); + $sql .= $db->plimit($limit, 0); - $resql = $this->db->query($sql); + $resql = $db->query($sql); if ($resql) { - $num = $this->db->num_rows($resql); + $num = $db->num_rows($resql); if ($num) { for ($i = 0; $i < $num; $i++) { - $obj = $this->db->fetch_object($resql); - $actioncommstatic = new ActionComm($this->db); + $obj = $db->fetch_object($resql); + $actioncommstatic = new ActionComm($db); $actioncommstatic->fetch($obj->id); $resarray[$i] = $actioncommstatic; } } - $this->db->free($resql); + $db->free($resql); return $resarray; } else { - return $this->db->lasterror(); + return $db->lasterror(); } } diff --git a/htdocs/core/class/html.formexpensereport.class.php b/htdocs/core/class/html.formexpensereport.class.php new file mode 100644 index 00000000000..e8079b77ed6 --- /dev/null +++ b/htdocs/core/class/html.formexpensereport.class.php @@ -0,0 +1,136 @@ + + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * or see https://www.gnu.org/ + */ + +/** + * \file htdocs/core/class/html.formexpensereport.class.php + * \ingroup core + * \brief File of class with all html predefined components + */ + +/** + * Class to manage generation of HTML components for contract module + */ +class FormExpenseReport +{ + /** + * @var DoliDB Database handler. + */ + public $db; + + /** + * @var string Error code (or message) + */ + public $error = ''; + + + /** + * Constructor + * + * @param DoliDB $db Database handler + */ + public function __construct($db) + { + $this->db = $db; + } + + + /** + * Retourne la liste deroulante des differents etats d'une note de frais. + * Les valeurs de la liste sont les id de la table c_expensereport_statuts + * + * @param int $selected preselect status + * @param string $htmlname Name of HTML select + * @param int $useempty 1=Add empty line + * @param int $useshortlabel Use short labels + * @return string HTML select with status + */ + public function selectExpensereportStatus($selected = '', $htmlname = 'fk_statut', $useempty = 1, $useshortlabel = 0) + { + global $langs; + + $tmpep = new ExpenseReport($this->db); + + print ''; + } + + /** + * Return list of types of notes with select value = id + * + * @param int $selected Preselected type + * @param string $htmlname Name of field in form + * @param int $showempty Add an empty field + * @param int $active 1=Active only, 0=Unactive only, -1=All + * @return string Select html + */ + public function selectTypeExpenseReport($selected = '', $htmlname = 'type', $showempty = 0, $active = 1) + { + // phpcs:enable + global $langs, $user; + $langs->load("trips"); + + $out = ''; + + $out .= ''; + $out .= ajax_combobox($htmlname); + + return $out; + } +} diff --git a/htdocs/core/class/link.class.php b/htdocs/core/class/link.class.php index ceba7fa17f7..9d70458a198 100644 --- a/htdocs/core/class/link.class.php +++ b/htdocs/core/class/link.class.php @@ -286,7 +286,7 @@ class Link extends CommonObject global $conf; $sql = "SELECT COUNT(rowid) as nb FROM ".MAIN_DB_PREFIX."links"; - $sql .= " WHERE objecttype = '".$this->db->escape($objecttype)."' AND objectid = ".$objectid; + $sql .= " WHERE objecttype = '".$db->escape($objecttype)."' AND objectid = ".$objectid; if ($conf->entity != 0) $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); diff --git a/htdocs/expensereport/card.php b/htdocs/expensereport/card.php index 77960bf2ed8..fa2e30ed31d 100644 --- a/htdocs/expensereport/card.php +++ b/htdocs/expensereport/card.php @@ -27,10 +27,11 @@ */ require '../main.inc.php'; +require_once DOL_DOCUMENT_ROOT.'/core/class/html.formexpensereport.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; -require_once DOL_DOCUMENT_ROOT.'/core/class/CMailFile.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/html.formmail.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/html.formprojet.class.php'; +require_once DOL_DOCUMENT_ROOT.'/core/class/CMailFile.class.php'; require_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php'; require_once DOL_DOCUMENT_ROOT.'/ecm/class/ecmfiles.class.php'; require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php'; @@ -1362,6 +1363,7 @@ $projecttmp = new Project($db); $paymentexpensereportstatic = new PaymentExpenseReport($db); $bankaccountstatic = new Account($db); $ecmfilesstatic = new EcmFiles($db); +$formexpensereport = new FormExpenseReport($db); // Create if ($action == 'create') @@ -2289,7 +2291,7 @@ if ($action == 'create') // Select type print ''; - print select_type_fees_id($line->fk_c_type_fees, 'fk_c_type_fees'); + print $formexpensereport->selectTypeExpenseReport($line->fk_c_type_fees, 'fk_c_type_fees'); print ''; if (!empty($conf->global->MAIN_USE_EXPENSE_IK)) @@ -2448,7 +2450,7 @@ if ($action == 'create') // Select type print ''; - print select_type_fees_id($fk_c_type_fees, 'fk_c_type_fees', 1); + print $formexpensereport->selectTypeExpenseReport($fk_c_type_fees, 'fk_c_type_fees', 1); print ''; if (!empty($conf->global->MAIN_USE_EXPENSE_IK)) diff --git a/htdocs/expensereport/class/expensereport.class.php b/htdocs/expensereport/class/expensereport.class.php index 610e749da16..b06e34eb92a 100644 --- a/htdocs/expensereport/class/expensereport.class.php +++ b/htdocs/expensereport/class/expensereport.class.php @@ -2724,88 +2724,3 @@ class ExpenseReportLine } } } - - -/** - * Retourne la liste deroulante des differents etats d'une note de frais. - * Les valeurs de la liste sont les id de la table c_expensereport_statuts - * - * @param int $selected preselect status - * @param string $htmlname Name of HTML select - * @param int $useempty 1=Add empty line - * @param int $useshortlabel Use short labels - * @return string HTML select with status - */ -function select_expensereport_statut($selected = '', $htmlname = 'fk_statut', $useempty = 1, $useshortlabel = 0) -{ - global $db, $langs; - - $tmpep = new ExpenseReport($this->db); - - print ''; -} - -/** - * Return list of types of notes with select value = id - * - * @param int $selected Preselected type - * @param string $htmlname Name of field in form - * @param int $showempty Add an empty field - * @param int $active 1=Active only, 0=Unactive only, -1=All - * @return string Select html - */ -function select_type_fees_id($selected = '', $htmlname = 'type', $showempty = 0, $active = 1) -{ - global $db, $langs, $user; - $langs->load("trips"); - - $out = ''; - - $out .= ''; - $out .= ajax_combobox($htmlname); - - return $out; -} diff --git a/htdocs/expensereport/list.php b/htdocs/expensereport/list.php index dd8c49aae28..bfc5ed64f5e 100644 --- a/htdocs/expensereport/list.php +++ b/htdocs/expensereport/list.php @@ -35,6 +35,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/company.lib.php'; require_once DOL_DOCUMENT_ROOT.'/expensereport/class/expensereport.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/html.formother.class.php'; +require_once DOL_DOCUMENT_ROOT.'/core/class/html.formexpensereport.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/usergroups.lib.php'; require_once DOL_DOCUMENT_ROOT.'/expensereport/class/expensereport_ik.class.php'; @@ -251,6 +252,7 @@ if (empty($reshook)) $form = new Form($db); $formother = new FormOther($db); $formfile = new FormFile($db); +$formexpensereport = new FormExpenseReport($db); $fuser = new User($db); @@ -599,7 +601,7 @@ if ($resql) if (!empty($arrayfields['d.fk_statut']['checked'])) { print ''; - select_expensereport_statut($search_status, 'search_status', 1, 1); + $formexpensereport->selectExpensereportStatus($search_status, 'search_status', 1, 1); print ''; } // Action column diff --git a/htdocs/exports/export.php b/htdocs/exports/export.php index 0401fc7004f..a5f11264a43 100644 --- a/htdocs/exports/export.php +++ b/htdocs/exports/export.php @@ -1081,7 +1081,7 @@ if ($step == 4 && $datatoexport) $i++; } } else { - dol_print_error($this->db); + dol_print_error($db); } print ''; diff --git a/htdocs/webservices/server_productorservice.php b/htdocs/webservices/server_productorservice.php index ae5f1f285a4..f74a945d53b 100644 --- a/htdocs/webservices/server_productorservice.php +++ b/htdocs/webservices/server_productorservice.php @@ -593,7 +593,7 @@ function createProductOrService($authentication, $product) if ($savstockreal != $getstockreal) { - $warehouse = new Entrepot($this->db); + $warehouse = new Entrepot($db); $warehouse->fetch(0, $product['warehouse_ref']); if ($warehouse->id > 0) { @@ -762,7 +762,7 @@ function updateProductOrService($authentication, $product) if ($savstockreal != $getstockreal) { - $warehouse = new Entrepot($this->db); + $warehouse = new Entrepot($db); $warehouse->fetch(0, $product['warehouse_ref']); if ($warehouse->id > 0) { From cd8ebd9500d9b4064193b04eacad96e6fc0601f8 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 20 Sep 2020 16:57:53 +0200 Subject: [PATCH 118/151] Fix warnings --- .../core/class/commonstickergenerator.class.php | 10 +++++----- .../filemanagerdol/connectors/php/basexml.php | 4 ++-- .../fourn/class/api_supplier_invoices.class.php | 15 +++++++-------- .../template/class/api_mymodule.class.php | 3 ++- .../doc/pdf_standard_myobject.modules.php | 2 +- ...df_standard_recruitmentjobposition.modules.php | 2 +- htdocs/webservices/server_productorservice.php | 8 ++------ 7 files changed, 20 insertions(+), 24 deletions(-) diff --git a/htdocs/core/class/commonstickergenerator.class.php b/htdocs/core/class/commonstickergenerator.class.php index 6c832c4788d..c3d6e7de299 100644 --- a/htdocs/core/class/commonstickergenerator.class.php +++ b/htdocs/core/class/commonstickergenerator.class.php @@ -127,7 +127,7 @@ abstract class CommonStickerGenerator /** * Output a sticker on page at position _COUNTX, _COUNTY (_COUNTX and _COUNTY start from 0) * - * @param PDF $pdf PDF reference + * @param TCPDF $pdf PDF reference * @param Translate $outputlangs Output langs * @param array $param Associative array containing label content and optional parameters * @return void @@ -139,7 +139,7 @@ abstract class CommonStickerGenerator * Methode qui permet de modifier la taille des caracteres * Cela modiera aussi l'espace entre chaque ligne * - * @param PDF $pdf PDF reference + * @param TCPDF $pdf PDF reference * @param int $pt point * @return void */ @@ -158,7 +158,7 @@ abstract class CommonStickerGenerator /** * protected Print dot line * - * @param PDF $pdf PDF reference + * @param TCPDF $pdf PDF reference * @param int $x1 X1 * @param int $y1 Y1 * @param int $x2 X2 @@ -201,7 +201,7 @@ abstract class CommonStickerGenerator /** * protected Function realisant une croix aux 4 coins des cartes * - * @param PDF $pdf PDF reference + * @param TCPDF $pdf PDF reference * @param int $x1 X1 * @param int $y1 Y1 * @param int $x2 X2 @@ -280,7 +280,7 @@ abstract class CommonStickerGenerator /** * protected Set format * - * @param PDF $pdf PDF reference + * @param TCPDF $pdf PDF reference * @param string $format Format * @return void */ diff --git a/htdocs/core/filemanagerdol/connectors/php/basexml.php b/htdocs/core/filemanagerdol/connectors/php/basexml.php index 80973006886..648ab675cfa 100644 --- a/htdocs/core/filemanagerdol/connectors/php/basexml.php +++ b/htdocs/core/filemanagerdol/connectors/php/basexml.php @@ -84,8 +84,8 @@ function CreateXmlFooter() /** * SendError * - * @param integer $number Number - * @param unknown_type $text Text + * @param integer $number Number + * @param string $text Text * @return void */ function SendError($number, $text) diff --git a/htdocs/fourn/class/api_supplier_invoices.class.php b/htdocs/fourn/class/api_supplier_invoices.class.php index f57c83125f6..8c3ca0108e3 100644 --- a/htdocs/fourn/class/api_supplier_invoices.class.php +++ b/htdocs/fourn/class/api_supplier_invoices.class.php @@ -579,10 +579,9 @@ class SupplierInvoices extends DolibarrApi * * @return object * - * @throws 200 - * @throws 304 - * @throws 401 - * @throws 404 + * @throws RestException 401 Not allowed + * @throws RestException 404 Not found + * @throws RestException 304 Error */ public function putLine($id, $lineid, $request_data = null) { @@ -640,10 +639,10 @@ class SupplierInvoices extends DolibarrApi * * @return array * - * @throws 400 - * @throws 401 - * @throws 404 - * @throws 405 + * @throws RestException 400 Bad parameters + * @throws RestException 401 Not allowed + * @throws RestException 404 Not found + * @throws RestException 405 Error */ public function deleteLine($id, $lineid) { diff --git a/htdocs/modulebuilder/template/class/api_mymodule.class.php b/htdocs/modulebuilder/template/class/api_mymodule.class.php index 571d9a2784d..32113b71ef0 100644 --- a/htdocs/modulebuilder/template/class/api_mymodule.class.php +++ b/htdocs/modulebuilder/template/class/api_mymodule.class.php @@ -64,7 +64,8 @@ class MyModuleApi extends DolibarrApi * * @url GET myobjects/{id} * - * @throws RestException + * @throws RestException 401 Not allowed + * @throws RestException 404 Not found */ public function get($id) { diff --git a/htdocs/modulebuilder/template/core/modules/mymodule/doc/pdf_standard_myobject.modules.php b/htdocs/modulebuilder/template/core/modules/mymodule/doc/pdf_standard_myobject.modules.php index 0dbd92aa379..f8fc8466349 100644 --- a/htdocs/modulebuilder/template/core/modules/mymodule/doc/pdf_standard_myobject.modules.php +++ b/htdocs/modulebuilder/template/core/modules/mymodule/doc/pdf_standard_myobject.modules.php @@ -1139,7 +1139,7 @@ class pdf_standard_myobject extends ModelePDFMyObject /** * Show footer of page. Need this->emetteur object * - * @param PDF $pdf PDF + * @param TCPDF $pdf PDF * @param Object $object Object to show * @param Translate $outputlangs Object lang for output * @param int $hidefreetext 1=Hide free text diff --git a/htdocs/recruitment/core/modules/recruitment/doc/pdf_standard_recruitmentjobposition.modules.php b/htdocs/recruitment/core/modules/recruitment/doc/pdf_standard_recruitmentjobposition.modules.php index 42b536c4bd6..ee0f63f6c4f 100644 --- a/htdocs/recruitment/core/modules/recruitment/doc/pdf_standard_recruitmentjobposition.modules.php +++ b/htdocs/recruitment/core/modules/recruitment/doc/pdf_standard_recruitmentjobposition.modules.php @@ -1051,7 +1051,7 @@ class pdf_standard_recruitmentjobposition extends ModelePDFRecruitmentJobPositio /** * Show footer of page. Need this->emetteur object * - * @param PDF $pdf PDF + * @param TCPDF $pdf PDF * @param Object $object Object to show * @param Translate $outputlangs Object lang for output * @param int $hidefreetext 1=Hide free text diff --git a/htdocs/webservices/server_productorservice.php b/htdocs/webservices/server_productorservice.php index f74a945d53b..bf29795f0de 100644 --- a/htdocs/webservices/server_productorservice.php +++ b/htdocs/webservices/server_productorservice.php @@ -503,7 +503,7 @@ function createProductOrService($authentication, $product) if ($product['barcode'] && !$product['barcode_type']) { - $errror++; $errorcode = 'KO'; $errorlabel = "You must set a barcode type when setting a barcode."; + $error++; $errorcode = 'KO'; $errorlabel = "You must set a barcode type when setting a barcode."; } @@ -675,7 +675,7 @@ function updateProductOrService($authentication, $product) if ($product['barcode'] && !$product['barcode_type']) { - $errror++; $errorcode = 'KO'; $errorlabel = "You must set a barcode type when setting a barcode."; + $error++; $errorcode = 'KO'; $errorlabel = "You must set a barcode type when setting a barcode."; } if (!$error) @@ -841,8 +841,6 @@ function deleteProductOrService($authentication, $listofidstring) { global $db, $conf, $langs; - $now = dol_now(); - dol_syslog("Function: deleteProductOrService login=".$authentication['login']); if ($authentication['entity']) $conf->entity = $authentication['entity']; @@ -936,8 +934,6 @@ function getListOfProductsOrServices($authentication, $filterproduct) { global $db, $conf, $langs; - $now = dol_now(); - dol_syslog("Function: getListOfProductsOrServices login=".$authentication['login']); if ($authentication['entity']) $conf->entity = $authentication['entity']; From 4ce7507518d57469a62e9d69ddefc69177ebef13 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 20 Sep 2020 17:06:53 +0200 Subject: [PATCH 119/151] Fix warnings --- htdocs/core/modules/oauth/github_oauthcallback.php | 1 - htdocs/core/modules/oauth/google_oauthcallback.php | 1 - htdocs/core/modules/oauth/stripelive_oauthcallback.php | 1 - htdocs/core/modules/oauth/stripetest_oauthcallback.php | 1 - htdocs/core/modules/project/doc/pdf_baleine.modules.php | 2 +- .../modules/propale/doc/doc_generic_proposal_odt.modules.php | 4 ++-- 6 files changed, 3 insertions(+), 7 deletions(-) diff --git a/htdocs/core/modules/oauth/github_oauthcallback.php b/htdocs/core/modules/oauth/github_oauthcallback.php index 778baad8cc8..6f3b53bee44 100644 --- a/htdocs/core/modules/oauth/github_oauthcallback.php +++ b/htdocs/core/modules/oauth/github_oauthcallback.php @@ -80,7 +80,6 @@ if ($action != 'delete' && empty($requestedpermissionsarray)) //var_dump($requestedpermissionsarray);exit; // Instantiate the Api service using the credentials, http client and storage mechanism for the token -/** @var $apiService Service */ $apiService = $serviceFactory->createService('GitHub', $credentials, $storage, $requestedpermissionsarray); // access type needed to have oauth provider refreshing token diff --git a/htdocs/core/modules/oauth/google_oauthcallback.php b/htdocs/core/modules/oauth/google_oauthcallback.php index 7c00fdac323..ea68a5b6141 100644 --- a/htdocs/core/modules/oauth/google_oauthcallback.php +++ b/htdocs/core/modules/oauth/google_oauthcallback.php @@ -82,7 +82,6 @@ if ($action != 'delete' && empty($requestedpermissionsarray)) // Instantiate the Api service using the credentials, http client and storage mechanism for the token // $requestedpermissionsarray contains list of scopes. // Conversion into URL is done by Reflection on constant with name SCOPE_scope_in_uppercase -/** @var $apiService Service */ $apiService = $serviceFactory->createService('Google', $credentials, $storage, $requestedpermissionsarray); // access type needed to have oauth provider refreshing token diff --git a/htdocs/core/modules/oauth/stripelive_oauthcallback.php b/htdocs/core/modules/oauth/stripelive_oauthcallback.php index f5b52459b30..6f5da103cf3 100644 --- a/htdocs/core/modules/oauth/stripelive_oauthcallback.php +++ b/htdocs/core/modules/oauth/stripelive_oauthcallback.php @@ -80,7 +80,6 @@ if (GETPOST('state')) $requestedpermissionsarray = explode(',', GETPOST('state') //var_dump($requestedpermissionsarray);exit; // Instantiate the Api service using the credentials, http client and storage mechanism for the token -/** @var $apiService Service */ //$apiService = $serviceFactory->createService('StripeTest', $credentials, $storage, $requestedpermissionsarray); $sql = "INSERT INTO ".MAIN_DB_PREFIX."oauth_token set service='StripeLive', entity=".$conf->entity; diff --git a/htdocs/core/modules/oauth/stripetest_oauthcallback.php b/htdocs/core/modules/oauth/stripetest_oauthcallback.php index efe522d9049..d0ca0ba03a4 100644 --- a/htdocs/core/modules/oauth/stripetest_oauthcallback.php +++ b/htdocs/core/modules/oauth/stripetest_oauthcallback.php @@ -80,7 +80,6 @@ if (GETPOST('state')) $requestedpermissionsarray = explode(',', GETPOST('state') //var_dump($requestedpermissionsarray);exit; // Instantiate the Api service using the credentials, http client and storage mechanism for the token -/** @var $apiService Service */ //$apiService = $serviceFactory->createService('StripeTest', $credentials, $storage, $requestedpermissionsarray); $sql = "INSERT INTO ".MAIN_DB_PREFIX."oauth_token set service='StripeTest', entity=".$conf->entity; diff --git a/htdocs/core/modules/project/doc/pdf_baleine.modules.php b/htdocs/core/modules/project/doc/pdf_baleine.modules.php index 0f4ad835575..84cc5829571 100644 --- a/htdocs/core/modules/project/doc/pdf_baleine.modules.php +++ b/htdocs/core/modules/project/doc/pdf_baleine.modules.php @@ -107,7 +107,7 @@ class pdf_baleine extends ModelePDFProjects /** * Issuer - * @var Company object that emits + * @var Societe object that emits */ public $emetteur; diff --git a/htdocs/core/modules/propale/doc/doc_generic_proposal_odt.modules.php b/htdocs/core/modules/propale/doc/doc_generic_proposal_odt.modules.php index d904c5877ec..59e0e27b677 100644 --- a/htdocs/core/modules/propale/doc/doc_generic_proposal_odt.modules.php +++ b/htdocs/core/modules/propale/doc/doc_generic_proposal_odt.modules.php @@ -39,7 +39,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/doc.lib.php'; class doc_generic_proposal_odt extends ModelePDFPropales { /** - * @var Company Issuer object that emits + * @var Societe Issuer object that emits */ public $emetteur; @@ -226,7 +226,7 @@ class doc_generic_proposal_odt extends ModelePDFPropales /** * Function to build a document on disk using the generic odt module. * - * @param Propale $object Object source to build document + * @param Propal $object Object source to build document * @param Translate $outputlangs Lang output object * @param string $srctemplatepath Full path of source filename for generator using a template file * @param int $hidedetails Do not show line details From acf28e28af28eaeb10cbf7c24b4a6337ee3d7daf Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 20 Sep 2020 18:01:17 +0200 Subject: [PATCH 120/151] Label --- htdocs/core/class/commonincoterm.class.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/core/class/commonincoterm.class.php b/htdocs/core/class/commonincoterm.class.php index b0bb5a3370c..b2d5491684e 100644 --- a/htdocs/core/class/commonincoterm.class.php +++ b/htdocs/core/class/commonincoterm.class.php @@ -122,12 +122,12 @@ trait CommonIncoterm $this->fk_incoterms = $id_incoterm; $this->location_incoterms = $location; - $sql = 'SELECT libelle FROM '.MAIN_DB_PREFIX.'c_incoterms WHERE rowid = '.(int) $this->fk_incoterms; + $sql = 'SELECT libelle as label_incotermsFROM '.MAIN_DB_PREFIX.'c_incoterms WHERE rowid = '.(int) $this->fk_incoterms; $res = $this->db->query($sql); if ($res) { $obj = $this->db->fetch_object($res); - $this->label_incoterms = $obj->libelle; + $this->label_incoterms = $obj->label_incoterms; } return 1; } else { From ad1d60740b5b5e74537363faf585d5c9a4e8139d Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 20 Sep 2020 18:05:49 +0200 Subject: [PATCH 121/151] Fix string --- htdocs/paypal/admin/paypal.php | 2 +- htdocs/stripe/admin/stripe.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/paypal/admin/paypal.php b/htdocs/paypal/admin/paypal.php index 1e88163c563..4c304201c6c 100644 --- a/htdocs/paypal/admin/paypal.php +++ b/htdocs/paypal/admin/paypal.php @@ -269,7 +269,7 @@ if (!empty($conf->use_javascript_ajax)) { } if (! empty($conf->global->PAYMENT_SECURITY_ACCEPT_ANY_TOKEN)) { $langs->load("errors"); - print img_warning($langs->trans("WarningTheHiddenOptionIsOn", PAYMENT_SECURITY_ACCEPT_ANY_TOKEN), '', 'pictowarning marginleftonly'); + print img_warning($langs->trans("WarningTheHiddenOptionIsOn", 'PAYMENT_SECURITY_ACCEPT_ANY_TOKEN'), '', 'pictowarning marginleftonly'); } print ''; diff --git a/htdocs/stripe/admin/stripe.php b/htdocs/stripe/admin/stripe.php index b467a5068ed..46f59039c36 100644 --- a/htdocs/stripe/admin/stripe.php +++ b/htdocs/stripe/admin/stripe.php @@ -446,7 +446,7 @@ if (!empty($conf->use_javascript_ajax)) { } if (! empty($conf->global->PAYMENT_SECURITY_ACCEPT_ANY_TOKEN)) { $langs->load("errors"); - print img_warning($langs->trans("WarningTheHiddenOptionIsOn", PAYMENT_SECURITY_ACCEPT_ANY_TOKEN), '', 'pictowarning marginleftonly'); + print img_warning($langs->trans("WarningTheHiddenOptionIsOn", 'PAYMENT_SECURITY_ACCEPT_ANY_TOKEN'), '', 'pictowarning marginleftonly'); } print ''; From e6fc9d3b5e3c61d052d56a1463dc36ee9b39b488 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 20 Sep 2020 19:20:34 +0200 Subject: [PATCH 122/151] NEW Add message in error_log after detection of SQL or script injection --- htdocs/main.inc.php | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index b46a72b5ddc..4d2a3606ab7 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -49,7 +49,7 @@ if (!empty($_SERVER['MAIN_SHOW_TUNING_INFO'])) } /** - * Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, PHP_SELF). + * Security: WAF layer for SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, PHP_SELF). * * @param string $val Value brut found int $_GET, $_POST or PHP_SELF * @param string $type 1=GET, 0=POST, 2=PHP_SELF, 3=GET without sql reserved keywords (the less tolerant test) @@ -95,12 +95,14 @@ function testSqlAndScriptInject($val, $type) // All examples on page: http://ha.ckers.org/xss.html#XSScalc // More on https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet $inj += preg_match('/
'; print '
'; - print ''; + print '
'; $i++; From 2137901b0b3f3dd5805a031dbceddbbeffda228c Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 20 Sep 2020 20:49:26 +0200 Subject: [PATCH 127/151] Fix sanitizing --- htdocs/societe/card.php | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/htdocs/societe/card.php b/htdocs/societe/card.php index b19c3bc814a..42de4d74b39 100644 --- a/htdocs/societe/card.php +++ b/htdocs/societe/card.php @@ -1181,12 +1181,12 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) print ''.$form->editfieldkey('ThirdPartyName', 'name', '', $object, 0).''; } print 'global->SOCIETE_USEPREFIX) ? ' colspan="3"' : '').'>'; - print ''; + print ''; print $form->widgetForTranslation("name", $object, $permissiontoadd, 'string', 'alpahnohtml', 'minwidth300'); print ''; if (!empty($conf->global->SOCIETE_USEPREFIX)) // Old not used prefix field { - print ''; + print ''; } print ''; @@ -1197,7 +1197,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { // Firstname print ''; - print ''; + print ''; print ''; // Title @@ -1209,7 +1209,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) // Alias names (commercial, trademark or alias names) print ''; - print ''; + print ''; // Prospect/Customer print ''; @@ -1274,7 +1274,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) if (!empty($conf->barcode->enabled)) { print ''; - print ''; } @@ -1284,7 +1284,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) print ''; print ''; @@ -1857,7 +1857,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) print ''; } elseif ($object->codefournisseur_modifiable()) { - print ''; + print ''; } else { print $object->code_fournisseur; print ''; @@ -1873,7 +1873,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) if (!empty($conf->barcode->enabled)) { print ''; - print ''; } @@ -1885,7 +1885,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) // Address print ''; print ''; @@ -2280,7 +2280,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) if (!empty($conf->barcode->enabled)) { print ''; print ''; } @@ -2418,7 +2418,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) if ($object->tva_intra) { $s = ''; - $s .= $object->tva_intra; + $s .= dol_escape_htmltag($object->tva_intra); $s .= ''; if (empty($conf->global->MAIN_DISABLEVATCHECK) && isInEEC($object)) From cda101238debaae3c0c1e3f0e241d30f1c9601ae Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 20 Sep 2020 21:17:27 +0200 Subject: [PATCH 128/151] Fix #yogosha4543 --- htdocs/admin/system/dolibarr.php | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/htdocs/admin/system/dolibarr.php b/htdocs/admin/system/dolibarr.php index 1f34c23c8dc..57d288dfb4c 100644 --- a/htdocs/admin/system/dolibarr.php +++ b/htdocs/admin/system/dolibarr.php @@ -365,7 +365,12 @@ foreach ($configfileparameters as $key => $value) print ''; // Value print "'; print ''."\n"; - print ''."\n"; + print ''."\n"; if (empty($conf->multicompany->enabled) || !$user->entity) print ''."\n"; // If superadmin or multicompany disabled print "\n"; From 906e030bfbe40c60ee1a279fac5b7c064ff52f26 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 20 Sep 2020 21:25:18 +0200 Subject: [PATCH 129/151] Removed warning --- htdocs/societe/tpl/linesalesrepresentative.tpl.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdocs/societe/tpl/linesalesrepresentative.tpl.php b/htdocs/societe/tpl/linesalesrepresentative.tpl.php index 9c6e485e97d..039379be8c7 100644 --- a/htdocs/societe/tpl/linesalesrepresentative.tpl.php +++ b/htdocs/societe/tpl/linesalesrepresentative.tpl.php @@ -49,7 +49,7 @@ if ($action == 'editsalesrepresentatives') { } else { $listsalesrepresentatives = $object->getSalesRepresentatives($user); $nbofsalesrepresentative = count($listsalesrepresentatives); - if ($nbofsalesrepresentative > 0) { + if ($nbofsalesrepresentative > 0 && is_array($listsalesrepresentatives)) { $userstatic = new User($db); foreach ($listsalesrepresentatives as $val) { $userstatic->id = $val['id']; From 43376b3abc1526ec4ea6c63a48b7c2b8568dc61f Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 20 Sep 2020 21:27:11 +0200 Subject: [PATCH 130/151] Removed warning --- htdocs/core/lib/functions.lib.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 18c0558b465..43b01f5ea6b 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -4107,7 +4107,7 @@ function getTitleFieldOfList($name, $thead = 0, $file = "", $field = "", $begin if (empty($thead) && $field && empty($disablesortlink)) // If this is a sort field { - $options = preg_replace('/sortfield=([a-zA-Z0-9,\s\.]+)/i', '', $moreparam); + $options = preg_replace('/sortfield=([a-zA-Z0-9,\s\.]+)/i', '', (is_scalar($moreparam) ? $moreparam : '')); $options = preg_replace('/sortorder=([a-zA-Z0-9,\s\.]+)/i', '', $options); $options = preg_replace('/&+/i', '&', $options); if (!preg_match('/^&/', $options)) $options = '&'.$options; @@ -4147,7 +4147,7 @@ function getTitleFieldOfList($name, $thead = 0, $file = "", $field = "", $begin if (empty($thead) && $field) // If this is a sort field { - $options = preg_replace('/sortfield=([a-zA-Z0-9,\s\.]+)/i', '', $moreparam); + $options = preg_replace('/sortfield=([a-zA-Z0-9,\s\.]+)/i', '', (is_scalar($moreparam) ? $moreparam : '')); $options = preg_replace('/sortorder=([a-zA-Z0-9,\s\.]+)/i', '', $options); $options = preg_replace('/&+/i', '&', $options); if (!preg_match('/^&/', $options)) $options = '&'.$options; From cde7df8b488215e5ad08a9a795cce8e2668f8a1f Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 20 Sep 2020 21:33:00 +0200 Subject: [PATCH 131/151] Fix phpunit --- test/phpunit/CodingPhpTest.php | 1 + 1 file changed, 1 insertion(+) diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php index 82175d3e3e9..b819671578c 100644 --- a/test/phpunit/CodingPhpTest.php +++ b/test/phpunit/CodingPhpTest.php @@ -173,6 +173,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase || in_array($file['name'], array('modules_boxes.php', 'rapport.pdf.php', 'TraceableDB.php'))) { if (! in_array($file['name'], array( 'api.class.php', + 'actioncomm.class.php', 'commonobject.class.php', 'conf.class.php', 'html.form.class.php', From 9f41f90eeb999579bc88e9669b74d7e694ed9512 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 21 Sep 2020 01:28:26 +0200 Subject: [PATCH 132/151] Fix responsive --- htdocs/adherents/stats/byproperties.php | 5 +- htdocs/adherents/stats/geo.php | 10 +-- htdocs/theme/eldy/global.inc.php | 90 ++++++++++++++----------- 3 files changed, 60 insertions(+), 45 deletions(-) diff --git a/htdocs/adherents/stats/byproperties.php b/htdocs/adherents/stats/byproperties.php index 90187e483dc..62e503f8170 100644 --- a/htdocs/adherents/stats/byproperties.php +++ b/htdocs/adherents/stats/byproperties.php @@ -141,10 +141,11 @@ if (!count($data)) { } // Print array +print '
'; // You can use div-table-responsive-no-min if you dont need reserved height for your table print '
'.$langs->trans('Prefix').''.$langs->trans('Prefix').'
'.$form->editfieldkey('FirstName', 'firstname', '', $object, 0).'
'.$form->editfieldkey('ProspectCustomer', 'customerprospect', '', $object, 0, 'string', '', 1).'
'.$form->editfieldkey('Gencod', 'barcode', '', $object, 0).''; + print ''; print '
'; print ''; print $form->widgetForTranslation("address", $object, $permissiontoadd, 'textarea', 'alphanohtml', 'quatrevingtpercent'); print '
'.$form->editfieldkey('Gencod', 'barcode', '', $object, 0).''; + print ''; print '
'.$form->editfieldkey('Address', 'address', '', $object, 0).''; print $form->widgetForTranslation("address", $object, $permissiontoadd, 'textarea', 'alphanohtml', 'quatrevingtpercent'); print '
'; - print $langs->trans('Gencod').''.$object->barcode; + print $langs->trans('Gencod').''.dol_escape_htmltag($object->barcode); print '
'.$newkey.'"; - if ($newkey == 'dolibarr_main_db_pass') print preg_replace('/./i', '*', ${$newkey}); + if ($newkey == 'dolibarr_main_db_pass') { + if (empty($dolibarr_main_prod)) { + print ''; + } + print '**********'; + } elseif ($newkey == 'dolibarr_main_url_root' && preg_match('/__auto__/', ${$newkey})) print ${$newkey}.' => '.constant('DOL_MAIN_URL_ROOT'); elseif ($newkey == 'dolibarr_main_document_root_alt') { $tmparray = explode(',', ${$newkey}); @@ -458,7 +463,16 @@ if ($resql) print '
'.$obj->name.''.dol_escape_htmltag($obj->value).''; + if (preg_match('/(_pass|password|_pw|_key|securekey|serverkey|secret\d?|p12key|exportkey|_PW_[a-z]+|token)$/i', $obj->name)) { + if (empty($dolibarr_main_prod)) { + print ''; + } + print '**********'; + } else { + print dol_escape_htmltag($obj->value); + } + print ''.$obj->entity.'
'; print ''; print ''; -print ''; +print ''; print ''; print ''; print ''; @@ -170,7 +171,7 @@ foreach ($data as $val) { } print '
'.$langs->trans("MemberNature").''.$langs->trans("NbOfMembers").' ('.$langs->trans("AllTime").')'.$langs->trans("NbOfMembers").' ('.$langs->trans("AllTime").')'.$langs->trans("NbOfActiveMembers").''.$langs->trans("LastMemberDate").''.$langs->trans("NbOfSubscriptions").'
'; - +print '
'; dol_fiche_end(); diff --git a/htdocs/adherents/stats/geo.php b/htdocs/adherents/stats/geo.php index edb37a9d4a8..f7001656bd9 100644 --- a/htdocs/adherents/stats/geo.php +++ b/htdocs/adherents/stats/geo.php @@ -45,7 +45,7 @@ $startyear = $year - 2; $endyear = $year; // Load translation files required by the page -$langs->loadLangs(array("companies", "members")); +$langs->loadLangs(array("companies", "members", "banks")); /* @@ -272,12 +272,13 @@ if (count($arrayjs) && $mode == 'memberbycountry') { } if ($mode) { - // Print array / Affiche le tableau - print ''; + // Print array + print '
'; // You can use div-table-responsive-no-min if you dont need reserved height for your table + print '
'; print ''; print ''; if ($label2) print ''; - print ''; + print ''; print ''; print ''; print ''; @@ -294,6 +295,7 @@ if ($mode) { } print '
'.$label.''.$label2.''.$langs->trans("NbOfMembers").' ('.$langs->trans("AllTime").')'.$langs->trans("NbOfMembers").' ('.$langs->trans("AllTime").')'.$langs->trans("LastMemberDate").''.$langs->trans("LatestSubscriptionDate").'
'; + print '
'; } diff --git a/htdocs/theme/eldy/global.inc.php b/htdocs/theme/eldy/global.inc.php index 7abf4342f25..775612364ae 100644 --- a/htdocs/theme/eldy/global.inc.php +++ b/htdocs/theme/eldy/global.inc.php @@ -1612,51 +1612,63 @@ div.vmenu, td.vmenu { .menuhider { display: none !important; } + /* rule to reduce top menu - 3rd reduction: The menu for user is on left */ @media only screen and (max-width: global->THEME_ELDY_WITDHOFFSET_FOR_REDUC3) ? round($nbtopmenuentries * 47, 0) + 130 : $conf->global->THEME_ELDY_WITDHOFFSET_FOR_REDUC3; ?>px) /* reduction 3 */ { -body.sidebar-collapse .side-nav { - display: none; + body.sidebar-collapse .side-nav { + display: none; + } + + body.sidebar-collapse .login_block { + display: none; + } + + .menuhider { display: block !important; } + .dropdown-user-image { display: none; } + .user-header { height: auto !important; color: var(--colorbackbody); } + + #id-container { + width: 100%; + } + .side-nav { + border-bottom: 1px solid #BBB; + background: #FFF; + padding-left: 20px; + padding-right: 20px; + position: absolute; + z-index: 90; + } + div.blockvmenulogo + { + border-bottom: 0 !important; + } + div.blockvmenupair, div.blockvmenuimpair, div.blockvmenubookmarks, div.blockvmenuend { + border-top: none !important; + border-left: none !important; + border-right: none !important; + border-bottom: 1px solid #e0e0e0; + padding-left: 0 !important; + } + div.vmenu, td.vmenu { + padding-right: 6px !important; + } + div.fiche { + margin-: 9px !important; + margin-: 10px !important; + } + + .pagination .fa-chevron-left, .pagination .fa-chevron-right { + font-size: 1.2em; + } } -body.sidebar-collapse .login_block { - display: none; -} - -.menuhider { display: block !important; } -.dropdown-user-image { display: none; } -.user-header { height: auto !important; color: var(--colorbackbody); } - -#id-container { - width: 100%; -} -.side-nav { - border-bottom: 1px solid #BBB; - background: #FFF; - padding-left: 20px; - padding-right: 20px; - position: absolute; - z-index: 90; -} -div.blockvmenulogo +@media only screen and (min-width: 768px) and (max-width: global->THEME_ELDY_WITDHOFFSET_FOR_REDUC3) ? round($nbtopmenuentries * 47, 0) + 130 : $conf->global->THEME_ELDY_WITDHOFFSET_FOR_REDUC3; ?>px) /* reduction 3 */ { - border-bottom: 0 !important; -} -div.blockvmenupair, div.blockvmenuimpair, div.blockvmenubookmarks, div.blockvmenuend { - border-top: none !important; - border-left: none !important; - border-right: none !important; - border-bottom: 1px solid #e0e0e0; - padding-left: 0 !important; -} -div.vmenu, td.vmenu { - padding-right: 6px !important; -} -div.fiche { - margin-: 9px !important; - margin-: 10px !important; -} - + div.fiche { + margin-: 13px !important; + margin-: 14px !important; + } } From d5d187c793b85ecad406cce043da04001a7fb4e4 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 21 Sep 2020 01:31:35 +0200 Subject: [PATCH 133/151] Fix phpunit --- htdocs/product/class/api_products.class.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index 49d7e9a3274..a90c9dd5b1b 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -58,6 +58,7 @@ class Products extends DolibarrApi public function __construct() { global $db, $conf; + $this->db = $db; $this->product = new Product($this->db); $this->productsupplier = new ProductFournisseur($this->db); @@ -749,8 +750,11 @@ class Products extends DolibarrApi public function getSupplierProducts($sortfield = "t.ref", $sortorder = 'ASC', $limit = 100, $page = 0, $mode = 0, $category = 0, $supplier = 0, $sqlfilters = '') { global $db, $conf; + $obj_ret = array(); + $socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : ''; + $sql = "SELECT t.rowid, t.ref, t.ref_ext"; $sql .= " FROM ".MAIN_DB_PREFIX."product as t"; if ($category > 0) { @@ -921,7 +925,7 @@ class Products extends DolibarrApi $result = $this->db->query($sql); if (!$result) { - throw new RestException(503, 'Error when retrieve product attribute list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve product attribute list : '.$this->db->lasterror()); } $return = []; From 6380a294fc390eeaf059a32662455805cda2a11e Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Mon, 21 Sep 2020 12:16:22 +0200 Subject: [PATCH 134/151] FIX Restore multiselect (selection of prospect level) --- htdocs/core/class/html.form.class.php | 5 +- htdocs/core/lib/functions.lib.php | 15 +- .../multiselect/jquery.multi-select.js | 360 ++++++++++++++++++ .../multiselect/jquery.multi-select.min.js | 9 + htdocs/main.inc.php | 4 + htdocs/theme/eldy/global.inc.php | 15 +- htdocs/theme/md/style.css.php | 4 + 7 files changed, 398 insertions(+), 14 deletions(-) create mode 100644 htdocs/includes/jquery/plugins/multiselect/jquery.multi-select.js create mode 100644 htdocs/includes/jquery/plugins/multiselect/jquery.multi-select.min.js diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index 9cd56c3b29a..27e7029c254 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -6461,11 +6461,12 @@ class Form templateSelection: formatSelection /* For 4.0 */ }); });'."\n"; - } elseif ($addjscombo == 2) + } elseif ($addjscombo == 2 && ! defined('DISABLE_MULTISELECT')) { // Add other js lib // TODO external lib multiselect/jquery.multi-select.js must have been loaded to use this multiselect plugin // ... + $out .= 'console.log(\'addjscombo=2 for htmlname='.$htmlname.'\');'; $out .= '$(document).ready(function () { $(\'#'.$htmlname.'\').multiSelect({ containerHTML: \'
\', @@ -7158,7 +7159,7 @@ class Form } //if ($conf->browser->layout == 'phone') $ret.='
'; - $ret .= '
'; + $ret .= '
'; // For thirdparty, contact, user, member, the ref is the id, so we show something else if ($object->element == 'societe') diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 43b01f5ea6b..90f919fe2d7 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -1350,19 +1350,28 @@ function dol_get_fiche_head($links = array(), $active = '', $title = '', $notab { $left = ($langs->trans("DIRECTION") == 'rtl' ? 'right' : 'left'); $right = ($langs->trans("DIRECTION") == 'rtl' ? 'left' : 'right'); + $widthofpopup = 200; $tabsname = $moretabssuffix; if (empty($tabsname)) { $tabsname = str_replace("@", "", $picto); } $out .= '
'; - $out .= ''.$langs->trans("More").'... ('.$nbintab.')'; - $out .= '
'; + $out .= ''.$langs->trans("More").'... ('.$nbintab.')'; // Do not use "reposition" class in the "More". + $out .= '
'; $out .= $outmore; $out .= '
'; $out .= '
'; $out .= "
\n"; $out .= ""; } diff --git a/htdocs/includes/jquery/plugins/multiselect/jquery.multi-select.js b/htdocs/includes/jquery/plugins/multiselect/jquery.multi-select.js new file mode 100644 index 00000000000..ee62d1f588d --- /dev/null +++ b/htdocs/includes/jquery/plugins/multiselect/jquery.multi-select.js @@ -0,0 +1,360 @@ +// jquery.multi-select.js +// by mySociety +// https://github.com/mysociety/jquery-multi-select + +;(function($) { + + "use strict"; + + var pluginName = "multiSelect", + defaults = { + 'containerHTML': '
', + 'menuHTML': '
', + 'buttonHTML': '', + 'menuItemsHTML': '
', + 'menuItemHTML': '