Fix: compatibility with pgsql, replace all addslashes by $db->escape in other files
This commit is contained in:
Regis Houssin
parent
3b4ea76538
commit
aba9bb9acd
@ -134,7 +134,7 @@ if ($filter == 'outofdate')
|
||||
// Insert categ filter
|
||||
if ($search_categ)
|
||||
{
|
||||
$sql.= " AND cf.fk_categorie = ".addslashes($search_categ);
|
||||
$sql.= " AND cf.fk_categorie = ".$db->escape($search_categ);
|
||||
}
|
||||
|
||||
// Count total nb of records with no order and no limits
|
||||
|
||||
@ -387,7 +387,7 @@ if ($_POST["actionadd"] || $_POST["actionmodify"])
|
||||
if ($tabrowid[$_POST["id"]] && !in_array($tabrowid[$_POST["id"]],$listfieldmodify))
|
||||
{
|
||||
$sql.= $tabrowid[$_POST["id"]]."=";
|
||||
$sql.= "'".addslashes($_POST["rowid"])."', ";
|
||||
$sql.= "'".$db->escape($_POST["rowid"])."', ";
|
||||
}
|
||||
$i = 0;
|
||||
foreach ($listfieldmodify as $field)
|
||||
|
||||
@ -86,7 +86,7 @@ if ($_POST["action"] == 'add' || $_POST["modify"])
|
||||
{
|
||||
// Ajoute boite box_external_rss dans definition des boites
|
||||
$sql = "INSERT INTO ".MAIN_DB_PREFIX."boxes_def (file, note)";
|
||||
$sql.= " VALUES ('box_external_rss.php','".addslashes($_POST["norss"].' ('.$_POST[$external_rss_title]).")')";
|
||||
$sql.= " VALUES ('box_external_rss.php','".$db->escape($_POST["norss"].' ('.$_POST[$external_rss_title]).")')";
|
||||
if (! $db->query($sql))
|
||||
{
|
||||
dol_print_error($db);
|
||||
|
||||
@ -156,7 +156,7 @@ if ($_GET["action"] == 'setdoc')
|
||||
|
||||
$sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)";
|
||||
$sql.= " VALUES ('".$_GET["value"]."', '".$type."', ".$conf->entity.", ";
|
||||
$sql.= ($_GET["label"]?"'".addslashes($_GET["label"])."'":'null').", ";
|
||||
$sql.= ($_GET["label"]?"'".$db->escape($_GET["label"])."'":'null').", ";
|
||||
$sql.= (! empty($_GET["scandir"])?"'".$_GET["scandir"]."'":"null");
|
||||
$sql.= ")";
|
||||
dol_syslog("facture.php ".$sql);
|
||||
|
||||
@ -112,7 +112,7 @@ if ($_GET["action"] == 'del')
|
||||
{
|
||||
$type='company';
|
||||
$sql = "DELETE FROM ".MAIN_DB_PREFIX."document_model";
|
||||
$sql.= " WHERE nom='".addslashes($_GET["value"])."' AND type='".$type."' AND entity=".$conf->entity;
|
||||
$sql.= " WHERE nom='".$db->escape($_GET["value"])."' AND type='".$type."' AND entity=".$conf->entity;
|
||||
if ($db->query($sql))
|
||||
{
|
||||
|
||||
|
||||
@ -44,10 +44,10 @@ if (empty($phone))
|
||||
$sql = "SELECT nom FROM ".MAIN_DB_PREFIX."societe as s";
|
||||
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."socpeople as sp ON sp.fk_soc = s.rowid";
|
||||
$sql.= " WHERE s.entity=".$conf->entity;
|
||||
$sql.= " AND (s.tel='".addslashes($phone)."'";
|
||||
$sql.= " OR sp.phone='".addslashes($phone)."'";
|
||||
$sql.= " OR sp.phone_perso='".addslashes($phone)."'";
|
||||
$sql.= " OR sp.phone_mobile='".addslashes($phone)."')";
|
||||
$sql.= " AND (s.tel='".$db->escape($phone)."'";
|
||||
$sql.= " OR sp.phone='".$db->escape($phone)."'";
|
||||
$sql.= " OR sp.phone_perso='".$db->escape($phone)."'";
|
||||
$sql.= " OR sp.phone_mobile='".$db->escape($phone)."')";
|
||||
$sql.= $db->plimit(1);
|
||||
|
||||
dol_syslog('cidlookup search information with phone '.$phone, LOG_DEBUG);
|
||||
|
||||
@ -224,7 +224,7 @@ $sql.= ' WHERE a.fk_action = ca.id';
|
||||
$sql.= ' AND a.fk_user_author = u.rowid';
|
||||
$sql.= ' AND u.entity in (0,'.$conf->entity.')'; // To limit to entity
|
||||
if ($user->societe_id) $sql.= ' AND a.fk_soc = '.$user->societe_id; // To limit to external user company
|
||||
if ($pid) $sql.=" AND a.fk_project=".addslashes($pid);
|
||||
if ($pid) $sql.=" AND a.fk_project=".$db->escape($pid);
|
||||
if ($action == 'show_day')
|
||||
{
|
||||
$sql.= " AND (";
|
||||
|
||||
@ -141,7 +141,7 @@ $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."user as ud ON a.fk_user_done = ud.rowid";
|
||||
$sql.= " WHERE c.id = a.fk_action";
|
||||
$sql.= ' AND a.fk_user_author = u.rowid'; // To limit to entity
|
||||
$sql.= ' AND u.entity in (0,'.$conf->entity.')'; // To limit to entity
|
||||
if ($pid) $sql.=" AND a.fk_project=".addslashes($pid);
|
||||
if ($pid) $sql.=" AND a.fk_project=".$db->escape($pid);
|
||||
if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
|
||||
if ($socid) $sql.= " AND s.rowid = ".$socid;
|
||||
if ($_GET["type"]) $sql.= " AND c.id = ".$_GET["type"];
|
||||
|
||||
@ -357,9 +357,9 @@ if ($mil->fetch($_REQUEST["id"]) >= 0)
|
||||
$sql = "SELECT mc.rowid, mc.nom, mc.prenom, mc.email, mc.other, mc.statut, mc.date_envoi, mc.source_url, mc.source_id, mc.source_type";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."mailing_cibles as mc";
|
||||
$sql .= " WHERE mc.fk_mailing=".$mil->id;
|
||||
if ($search_nom) $sql.= " AND mc.nom like '%".addslashes($search_nom)."%'";
|
||||
if ($search_prenom) $sql.= " AND mc.prenom like '%".addslashes($search_prenom)."%'";
|
||||
if ($search_email) $sql.= " AND mc.email like '%".addslashes($search_email)."%'";
|
||||
if ($search_nom) $sql.= " AND mc.nom like '%".$db->escape($search_nom)."%'";
|
||||
if ($search_prenom) $sql.= " AND mc.prenom like '%".$db->escape($search_prenom)."%'";
|
||||
if ($search_email) $sql.= " AND mc.email like '%".$db->escape($search_email)."%'";
|
||||
$sql .= $db->order($sortfield,$sortorder);
|
||||
$sql .= $db->plimit($conf->liste_limit+1, $offset);
|
||||
|
||||
|
||||
@ -67,7 +67,7 @@ if ($filteremail)
|
||||
$sql.= " mc.statut as sendstatut";
|
||||
$sql.= " FROM ".MAIN_DB_PREFIX."mailing as m, ".MAIN_DB_PREFIX."mailing_cibles as mc";
|
||||
$sql.= " WHERE m.rowid = mc.fk_mailing AND m.entity = ".$conf->entity;
|
||||
$sql.= " AND mc.email = '".addslashes($filteremail)."'";
|
||||
$sql.= " AND mc.email = '".$db->escape($filteremail)."'";
|
||||
if ($sref) $sql.= " AND m.rowid = '".$sref."'";
|
||||
if ($sall) $sql.= " AND (m.titre like '%".$sall."%' OR m.sujet like '%".$sall."%' OR m.body like '%".$sall."%')";
|
||||
if (! $sortorder) $sortorder="ASC";
|
||||
|
||||
@ -181,8 +181,8 @@ if ($search_sale) $sql.= " AND s.rowid = sc.fk_soc"; // Join for the needed tab
|
||||
if ($search_categ) $sql.= " AND s.rowid = cs.fk_societe"; // Join for the needed table to filter by categ
|
||||
if (isset($stcomm) && $stcomm != '') $sql.= " AND s.fk_stcomm=".$stcomm;
|
||||
|
||||
if ($_GET["search_nom"]) $sql .= " AND s.nom like '%".addslashes(strtolower($_GET["search_nom"]))."%'";
|
||||
if ($_GET["search_ville"]) $sql .= " AND s.ville like '%".addslashes(strtolower($_GET["search_ville"]))."%'";
|
||||
if ($_GET["search_nom"]) $sql .= " AND s.nom like '%".$db->escape(strtolower($_GET["search_nom"]))."%'";
|
||||
if ($_GET["search_ville"]) $sql .= " AND s.ville like '%".$db->escape(strtolower($_GET["search_ville"]))."%'";
|
||||
// Insert levels filters
|
||||
if ($search_levels)
|
||||
{
|
||||
@ -191,16 +191,16 @@ if ($search_levels)
|
||||
// Insert sale filter
|
||||
if ($search_sale)
|
||||
{
|
||||
$sql .= " AND sc.fk_user = ".addslashes($search_sale);
|
||||
$sql .= " AND sc.fk_user = ".$db->escape($search_sale);
|
||||
}
|
||||
// Insert categ filter
|
||||
if ($search_categ)
|
||||
{
|
||||
$sql .= " AND cs.fk_categorie = ".addslashes($search_categ);
|
||||
$sql .= " AND cs.fk_categorie = ".$db->escape($search_categ);
|
||||
}
|
||||
if ($socname)
|
||||
{
|
||||
$sql .= " AND s.nom like '%".addslashes($socname)."%'";
|
||||
$sql .= " AND s.nom like '%".$db->escape($socname)."%'";
|
||||
$sortfield = "s.nom";
|
||||
$sortorder = "ASC";
|
||||
}
|
||||
|
||||
@ -88,11 +88,11 @@ if ($socid) $sql.= ' AND s.rowid = '.$socid;
|
||||
if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
|
||||
if ($sref)
|
||||
{
|
||||
$sql.= " AND c.ref LIKE '%".addslashes($sref)."%'";
|
||||
$sql.= " AND c.ref LIKE '%".$db->escape($sref)."%'";
|
||||
}
|
||||
if ($sall)
|
||||
{
|
||||
$sql.= " AND (c.ref LIKE '%".addslashes($sall)."%' OR c.note LIKE '%".addslashes($sall)."%')";
|
||||
$sql.= " AND (c.ref LIKE '%".$db->escape($sall)."%' OR c.note LIKE '%".$db->escape($sall)."%')";
|
||||
}
|
||||
if ($viewstatut <> '')
|
||||
{
|
||||
@ -131,11 +131,11 @@ if ($_GET['deliveryyear'] > 0)
|
||||
}
|
||||
if (!empty($snom))
|
||||
{
|
||||
$sql.= ' AND s.nom LIKE \'%'.addslashes($snom).'%\'';
|
||||
$sql.= ' AND s.nom LIKE \'%'.$db->escape($snom).'%\'';
|
||||
}
|
||||
if (!empty($sref_client))
|
||||
{
|
||||
$sql.= ' AND c.ref_client LIKE \'%'.addslashes($sref_client).'%\'';
|
||||
$sql.= ' AND c.ref_client LIKE \'%'.$db->escape($sref_client).'%\'';
|
||||
}
|
||||
|
||||
$sql.= ' ORDER BY '.$sortfield.' '.$sortorder;
|
||||
|
||||
@ -186,13 +186,13 @@ if ($account || $_GET["ref"])
|
||||
$mode_search = 0;
|
||||
if ($_REQUEST["req_nb"])
|
||||
{
|
||||
$sql_rech.= " AND b.num_chq like '%".addslashes($_REQUEST["req_nb"])."%'";
|
||||
$sql_rech.= " AND b.num_chq like '%".$db->escape($_REQUEST["req_nb"])."%'";
|
||||
$param.='&req_nb='.urlencode($_REQUEST["req_nb"]);
|
||||
$mode_search = 1;
|
||||
}
|
||||
if ($_REQUEST["req_desc"])
|
||||
{
|
||||
$sql_rech.= " AND b.label like '%".addslashes($_REQUEST["req_desc"])."%'";
|
||||
$sql_rech.= " AND b.label like '%".$db->escape($_REQUEST["req_desc"])."%'";
|
||||
$param.='&req_desc='.urlencode($_REQUEST["req_desc"]);
|
||||
$mode_search = 1;
|
||||
}
|
||||
@ -210,7 +210,7 @@ if ($account || $_GET["ref"])
|
||||
}
|
||||
if ($_REQUEST["thirdparty"])
|
||||
{
|
||||
$sql_rech.=" AND (COALESCE(s.nom,'') LIKE '%".addslashes($_REQUEST["thirdparty"])."%')";
|
||||
$sql_rech.=" AND (COALESCE(s.nom,'') LIKE '%".$db->escape($_REQUEST["thirdparty"])."%')";
|
||||
$param.='&thirdparty='.urlencode($_REQUEST["thirdparty"]);
|
||||
$mode_search = 1;
|
||||
}
|
||||
|
||||
@ -43,7 +43,7 @@ if ($_POST["action"] == 'add')
|
||||
$sql.= "label";
|
||||
$sql.= ", entity";
|
||||
$sql.= ") VALUES (";
|
||||
$sql.= "'".addslashes($_POST["label"])."'";
|
||||
$sql.= "'".$db->escape($_POST["label"])."'";
|
||||
$sql.= ", ".$conf->entity;
|
||||
$sql.= ")";
|
||||
|
||||
|
||||
@ -101,7 +101,7 @@ if ($_POST["action"] == "update")
|
||||
$dateop = dol_mktime(12,0,0,$_POST["dateomonth"],$_POST["dateoday"],$_POST["dateoyear"]);
|
||||
$dateval= dol_mktime(12,0,0,$_POST["datevmonth"],$_POST["datevday"],$_POST["datevyear"]);
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."bank";
|
||||
$sql.= " SET label='".addslashes($_POST["label"])."',";
|
||||
$sql.= " SET label='".$db->escape($_POST["label"])."',";
|
||||
if (isset($_POST['amount'])) $sql.=" amount='$amount',";
|
||||
$sql.= " dateo = '".$db->idate($dateop)."', datev = '".$db->idate($dateval)."',";
|
||||
$sql.= " fk_account = ".$_POST['accountid'];
|
||||
@ -127,13 +127,13 @@ if ($_POST["action"] == 'type')
|
||||
|
||||
if ($_POST["action"] == 'banque')
|
||||
{
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."bank set banque='".addslashes($_POST["banque"])."' WHERE rowid = $rowid;";
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."bank set banque='".$db->escape($_POST["banque"])."' WHERE rowid = $rowid;";
|
||||
$result = $db->query($sql);
|
||||
}
|
||||
|
||||
if ($_POST["action"] == 'emetteur')
|
||||
{
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."bank set emetteur='".addslashes($_POST["emetteur"])."' WHERE rowid = $rowid;";
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."bank set emetteur='".$db->escape($_POST["emetteur"])."' WHERE rowid = $rowid;";
|
||||
$result = $db->query($sql);
|
||||
}
|
||||
|
||||
|
||||
@ -76,7 +76,7 @@ if ($action == 'note')
|
||||
if ($mode == 'search') {
|
||||
if ($mode-search == 'soc') {
|
||||
$sql = "SELECT s.rowid FROM ".MAIN_DB_PREFIX."societe as s ";
|
||||
$sql.= " WHERE lower(s.nom) like '%".addslashes(strtolower($socname))."%'";
|
||||
$sql.= " WHERE lower(s.nom) like '%".$db->escape(strtolower($socname))."%'";
|
||||
$sql.= " AND s.entity = ".$conf->entity;
|
||||
}
|
||||
|
||||
@ -113,29 +113,29 @@ if (dol_strlen($stcomm))
|
||||
|
||||
if ($socname)
|
||||
{
|
||||
$sql.= " AND s.nom like '%".addslashes(strtolower($socname))."%'";
|
||||
$sql.= " AND s.nom like '%".$db->escape(strtolower($socname))."%'";
|
||||
$sortfield = "s.nom";
|
||||
$sortorder = "ASC";
|
||||
}
|
||||
|
||||
if ($_GET["search_nom"])
|
||||
{
|
||||
$sql.= " AND s.nom like '%".addslashes(strtolower($_GET["search_nom"]))."%'";
|
||||
$sql.= " AND s.nom like '%".$db->escape(strtolower($_GET["search_nom"]))."%'";
|
||||
}
|
||||
|
||||
if ($_GET["search_compta"])
|
||||
{
|
||||
$sql.= " AND s.code_compta like '%".addslashes($_GET["search_compta"])."%'";
|
||||
$sql.= " AND s.code_compta like '%".$db->escape($_GET["search_compta"])."%'";
|
||||
}
|
||||
|
||||
if ($_GET["search_code_client"])
|
||||
{
|
||||
$sql.= " AND s.code_client like '%".addslashes($_GET["search_code_client"])."%'";
|
||||
$sql.= " AND s.code_client like '%".$db->escape($_GET["search_code_client"])."%'";
|
||||
}
|
||||
|
||||
if (dol_strlen($begin))
|
||||
{
|
||||
$sql.= " AND s.nom like '".addslashes($begin)."'";
|
||||
$sql.= " AND s.nom like '".$db->escape($begin)."'";
|
||||
}
|
||||
|
||||
if ($socid)
|
||||
|
||||
@ -2930,19 +2930,19 @@ else
|
||||
}
|
||||
if ($_GET['search_ref'])
|
||||
{
|
||||
$sql.= ' AND f.facnumber LIKE \'%'.addslashes(trim($_GET['search_ref'])).'%\'';
|
||||
$sql.= ' AND f.facnumber LIKE \'%'.$db->escape(trim($_GET['search_ref'])).'%\'';
|
||||
}
|
||||
if ($_GET['search_societe'])
|
||||
{
|
||||
$sql.= ' AND s.nom LIKE \'%'.addslashes(trim($_GET['search_societe'])).'%\'';
|
||||
$sql.= ' AND s.nom LIKE \'%'.$db->escape(trim($_GET['search_societe'])).'%\'';
|
||||
}
|
||||
if ($_GET['search_montant_ht'])
|
||||
{
|
||||
$sql.= ' AND f.total = \''.addslashes(trim($_GET['search_montant_ht'])).'\'';
|
||||
$sql.= ' AND f.total = \''.$db->escape(trim($_GET['search_montant_ht'])).'\'';
|
||||
}
|
||||
if ($_GET['search_montant_ttc'])
|
||||
{
|
||||
$sql.= ' AND f.total_ttc = \''.addslashes(trim($_GET['search_montant_ttc'])).'\'';
|
||||
$sql.= ' AND f.total_ttc = \''.$db->escape(trim($_GET['search_montant_ttc'])).'\'';
|
||||
}
|
||||
if ($month > 0)
|
||||
{
|
||||
@ -2957,11 +2957,11 @@ else
|
||||
}
|
||||
if ($_POST['sf_ref'])
|
||||
{
|
||||
$sql.= ' AND f.facnumber LIKE \'%'.addslashes(trim($_POST['sf_ref'])) . '%\'';
|
||||
$sql.= ' AND f.facnumber LIKE \'%'.$db->escape(trim($_POST['sf_ref'])) . '%\'';
|
||||
}
|
||||
if ($sall)
|
||||
{
|
||||
$sql.= ' AND (s.nom LIKE \'%'.addslashes($sall).'%\' OR f.facnumber LIKE \'%'.addslashes($sall).'%\' OR f.note LIKE \'%'.addslashes($sall).'%\' OR fd.description LIKE \'%'.addslashes($sall).'%\')';
|
||||
$sql.= ' AND (s.nom LIKE \'%'.$db->escape($sall).'%\' OR f.facnumber LIKE \'%'.$db->escape($sall).'%\' OR f.note LIKE \'%'.$db->escape($sall).'%\' OR fd.description LIKE \'%'.$db->escape($sall).'%\')';
|
||||
}
|
||||
if (! $sall)
|
||||
{
|
||||
|
||||
@ -108,7 +108,7 @@ if ($_REQUEST["search_amount"])
|
||||
}
|
||||
if ($_REQUEST["search_company"])
|
||||
{
|
||||
$sql .=" AND s.nom LIKE '%".addslashes($_REQUEST["search_company"])."%'";
|
||||
$sql .=" AND s.nom LIKE '%".$db->escape($_REQUEST["search_company"])."%'";
|
||||
}
|
||||
|
||||
if ($_GET["orphelins"]) // Option for debugging purpose only
|
||||
|
||||
@ -576,15 +576,15 @@ else
|
||||
if ($year > 0) $sql .= " AND date_format(p.datep, '%Y') = $year";
|
||||
if (!empty($_GET['search_ref']))
|
||||
{
|
||||
$sql.= " AND p.ref LIKE '%".addslashes($_GET['search_ref'])."%'";
|
||||
$sql.= " AND p.ref LIKE '%".$db->escape($_GET['search_ref'])."%'";
|
||||
}
|
||||
if (!empty($_GET['search_societe']))
|
||||
{
|
||||
$sql.= " AND s.nom LIKE '%".addslashes($_GET['search_societe'])."%'";
|
||||
$sql.= " AND s.nom LIKE '%".$db->escape($_GET['search_societe'])."%'";
|
||||
}
|
||||
if (!empty($_GET['search_montant_ht']))
|
||||
{
|
||||
$sql.= " AND p.price='".addslashes($_GET['search_montant_ht'])."'";
|
||||
$sql.= " AND p.price='".$db->escape($_GET['search_montant_ht'])."'";
|
||||
}
|
||||
$sql.= " ORDER BY $sortfield $sortorder, p.rowid DESC ";
|
||||
$sql.= $db->plimit($limit + 1,$offset);
|
||||
|
||||
@ -136,19 +136,19 @@ else
|
||||
|
||||
if ($search_nom) // filtre sur le nom
|
||||
{
|
||||
$sql .= " AND p.name like '%".addslashes($search_nom)."%'";
|
||||
$sql .= " AND p.name like '%".$db->escape($search_nom)."%'";
|
||||
}
|
||||
if ($search_prenom) // filtre sur le prenom
|
||||
{
|
||||
$sql .= " AND p.firstname like '%".addslashes($search_prenom)."%'";
|
||||
$sql .= " AND p.firstname like '%".$db->escape($search_prenom)."%'";
|
||||
}
|
||||
if ($search_societe) // filtre sur la societe
|
||||
{
|
||||
$sql .= " AND s.nom like '%".addslashes($search_societe)."%'";
|
||||
$sql .= " AND s.nom like '%".$db->escape($search_societe)."%'";
|
||||
}
|
||||
if ($search_email) // filtre sur l'email
|
||||
{
|
||||
$sql .= " AND p.email like '%".addslashes($search_email)."%'";
|
||||
$sql .= " AND p.email like '%".$db->escape($search_email)."%'";
|
||||
}
|
||||
if ($type == "o") // filtre sur type
|
||||
{
|
||||
@ -168,7 +168,7 @@ if ($type == "p") // filtre sur type
|
||||
}
|
||||
if ($sall)
|
||||
{
|
||||
$sql .= " AND (p.name like '%".addslashes($sall)."%' OR p.firstname like '%".addslashes($sall)."%' OR p.email like '%".addslashes($sall)."%') ";
|
||||
$sql .= " AND (p.name like '%".$db->escape($sall)."%' OR p.firstname like '%".$db->escape($sall)."%' OR p.email like '%".$db->escape($sall)."%') ";
|
||||
}
|
||||
if ($socid)
|
||||
{
|
||||
|
||||
@ -81,9 +81,9 @@ $sql.= " WHERE c.fk_soc = s.rowid ";
|
||||
$sql.= " AND s.entity = ".$conf->entity;
|
||||
if ($socid) $sql.= " AND s.rowid = ".$socid;
|
||||
if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
|
||||
if ($search_nom) $sql.= " AND s.nom like '%".addslashes($search_nom)."%'";
|
||||
if ($search_contract) $sql.= " AND c.rowid = '".addslashes($search_contract)."'";
|
||||
if ($sall) $sql.= " AND (s.nom like '%".addslashes($sall)."%' OR cd.label like '%".addslashes($sall)."%' OR cd.description like '%".addslashes($sall)."%')";
|
||||
if ($search_nom) $sql.= " AND s.nom like '%".$db->escape($search_nom)."%'";
|
||||
if ($search_contract) $sql.= " AND c.rowid = '".$db->escape($search_contract)."'";
|
||||
if ($sall) $sql.= " AND (s.nom like '%".$db->escape($sall)."%' OR cd.label like '%".$db->escape($sall)."%' OR cd.description like '%".$db->escape($sall)."%')";
|
||||
$sql.= " GROUP BY c.rowid, c.ref, c.datec, c.date_contrat, c.statut,";
|
||||
$sql.= " s.nom, s.rowid";
|
||||
$sql.= " ORDER BY $sortfield $sortorder";
|
||||
|
||||
@ -94,9 +94,9 @@ if ($mode == "0") $sql.= " AND cd.statut = 0";
|
||||
if ($mode == "4") $sql.= " AND cd.statut = 4";
|
||||
if ($mode == "5") $sql.= " AND cd.statut = 5";
|
||||
if ($filter == "expired") $sql.= " AND date_fin_validite < ".$db->idate($now);
|
||||
if ($search_nom) $sql.= " AND s.nom like '%".addslashes($search_nom)."%'";
|
||||
if ($search_contract) $sql.= " AND c.rowid = '".addslashes($search_contract)."'";
|
||||
if ($search_service) $sql.= " AND (p.ref like '%".addslashes($search_service)."%' OR p.description like '%".addslashes($search_service)."%')";
|
||||
if ($search_nom) $sql.= " AND s.nom like '%".$db->escape($search_nom)."%'";
|
||||
if ($search_contract) $sql.= " AND c.rowid = '".$db->escape($search_contract)."'";
|
||||
if ($search_service) $sql.= " AND (p.ref like '%".$db->escape($search_service)."%' OR p.description like '%".$db->escape($search_service)."%')";
|
||||
if ($socid > 0) $sql.= " AND s.rowid = ".$socid;
|
||||
$filter_date1=dol_mktime(0,0,0,$_REQUEST['op1month'],$_REQUEST['op1day'],$_REQUEST['op1year']);
|
||||
$filter_date2=dol_mktime(0,0,0,$_REQUEST['op2month'],$_REQUEST['op2day'],$_REQUEST['op2year']);
|
||||
|
||||
@ -81,7 +81,7 @@ if ($socid)
|
||||
}
|
||||
if ($_POST["sf_ref"])
|
||||
{
|
||||
$sql.= " AND e.ref like '%".addslashes($_POST["sf_ref"])."%'";
|
||||
$sql.= " AND e.ref like '%".$db->escape($_POST["sf_ref"])."%'";
|
||||
}
|
||||
|
||||
$sql.= $db->order($sortfield,$sortorder);
|
||||
|
||||
@ -80,9 +80,9 @@ $sql.= ", ".MAIN_DB_PREFIX."fichinter as f)";
|
||||
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."fichinterdet as fd ON fd.fk_fichinter = f.rowid";
|
||||
$sql.= " WHERE f.fk_soc = s.rowid ";
|
||||
$sql.= " AND f.entity = ".$conf->entity;
|
||||
if ($search_ref) $sql .= " AND f.ref like '%".addslashes($search_ref)."%'";
|
||||
if ($search_company) $sql .= " AND s.nom like '%".addslashes($search_company)."%'";
|
||||
if ($search_desc) $sql .= " AND (f.description like '%".addslashes($search_desc)."%' OR fd.description like '%".addslashes($search_desc)."%')";
|
||||
if ($search_ref) $sql .= " AND f.ref like '%".$db->escape($search_ref)."%'";
|
||||
if ($search_company) $sql .= " AND s.nom like '%".$db->escape($search_company)."%'";
|
||||
if ($search_desc) $sql .= " AND (f.description like '%".$db->escape($search_desc)."%' OR fd.description like '%".$db->escape($search_desc)."%')";
|
||||
if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
|
||||
if ($socid) $sql.= " AND s.rowid = " . $socid;
|
||||
$sql.= " ORDER BY ".$sortfield." ".$sortorder;
|
||||
|
||||
@ -87,15 +87,15 @@ $sql.= " AND s.entity = ".$conf->entity;
|
||||
if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
|
||||
if ($sref)
|
||||
{
|
||||
$sql.= " AND cf.ref LIKE '%".addslashes($sref)."%'";
|
||||
$sql.= " AND cf.ref LIKE '%".$db->escape($sref)."%'";
|
||||
}
|
||||
if ($snom)
|
||||
{
|
||||
$sql.= " AND s.nom LIKE '%".addslashes($snom)."%'";
|
||||
$sql.= " AND s.nom LIKE '%".$db->escape($snom)."%'";
|
||||
}
|
||||
if ($suser)
|
||||
{
|
||||
$sql.= " AND u.login LIKE '%".addslashes($suser)."%'";
|
||||
$sql.= " AND u.login LIKE '%".$db->escape($suser)."%'";
|
||||
}
|
||||
if ($sttc)
|
||||
{
|
||||
@ -103,7 +103,7 @@ if ($sttc)
|
||||
}
|
||||
if ($sall)
|
||||
{
|
||||
$sql.= " AND (cf.ref like '%".addslashes($sall)."%' OR cf.note like '%".addslashes($sall)."%')";
|
||||
$sql.= " AND (cf.ref like '%".$db->escape($sall)."%' OR cf.note like '%".$db->escape($sall)."%')";
|
||||
}
|
||||
if ($socid) $sql.= " AND s.rowid = ".$socid;
|
||||
|
||||
|
||||
@ -69,7 +69,7 @@ if ($_POST["mode"] == 'search')
|
||||
if ($_POST["mode-search"] == 'soc')
|
||||
{
|
||||
$sql = "SELECT s.rowid FROM ".MAIN_DB_PREFIX."societe as s ";
|
||||
$sql.= " WHERE s.nom like '%".addslashes(strtolower($socname))."%'";
|
||||
$sql.= " WHERE s.nom like '%".$db->escape(strtolower($socname))."%'";
|
||||
}
|
||||
|
||||
$resql=$db->query($sql);
|
||||
@ -120,11 +120,11 @@ if ($_GET["filtre"])
|
||||
|
||||
if ($_REQUEST["search_ref"])
|
||||
{
|
||||
$sql .= " AND fac.rowid like '%".addslashes($_REQUEST["search_ref"])."%'";
|
||||
$sql .= " AND fac.rowid like '%".$db->escape($_REQUEST["search_ref"])."%'";
|
||||
}
|
||||
if ($_REQUEST["search_ref_supplier"])
|
||||
{
|
||||
$sql .= " AND fac.facnumber like '%".addslashes($_REQUEST["search_ref_supplier"])."%'";
|
||||
$sql .= " AND fac.facnumber like '%".$db->escape($_REQUEST["search_ref_supplier"])."%'";
|
||||
}
|
||||
if ($month > 0)
|
||||
{
|
||||
@ -139,22 +139,22 @@ else if ($year > 0)
|
||||
}
|
||||
if ($_GET["search_libelle"])
|
||||
{
|
||||
$sql .= " AND fac.libelle like '%".addslashes($_GET["search_libelle"])."%'";
|
||||
$sql .= " AND fac.libelle like '%".$db->escape($_GET["search_libelle"])."%'";
|
||||
}
|
||||
|
||||
if ($_GET["search_societe"])
|
||||
{
|
||||
$sql .= " AND s.nom like '%".addslashes($_GET["search_societe"])."%'";
|
||||
$sql .= " AND s.nom like '%".$db->escape($_GET["search_societe"])."%'";
|
||||
}
|
||||
|
||||
if ($_GET["search_montant_ht"])
|
||||
{
|
||||
$sql .= " AND fac.total_ht = '".addslashes($_GET["search_montant_ht"])."'";
|
||||
$sql .= " AND fac.total_ht = '".$db->escape($_GET["search_montant_ht"])."'";
|
||||
}
|
||||
|
||||
if ($_GET["search_montant_ttc"])
|
||||
{
|
||||
$sql .= " AND fac.total_ttc = '".addslashes($_GET["search_montant_ttc"])."'";
|
||||
$sql .= " AND fac.total_ttc = '".$db->escape($_GET["search_montant_ttc"])."'";
|
||||
}
|
||||
|
||||
$sql.= $db->order($sortfield,$sortorder);
|
||||
|
||||
@ -383,7 +383,7 @@ if (! $_GET['action'] && ! $_POST['action'])
|
||||
}
|
||||
if ($_REQUEST["search_company"])
|
||||
{
|
||||
$sql .=" AND s.nom LIKE '%".addslashes($_REQUEST["search_company"])."%'";
|
||||
$sql .=" AND s.nom LIKE '%".$db->escape($_REQUEST["search_company"])."%'";
|
||||
}
|
||||
$sql.= $db->order($sortfield,$sortorder);
|
||||
$sql.= $db->plimit($limit + 1 ,$offset);
|
||||
|
||||
@ -78,22 +78,22 @@ if ($search_categ) $sql.= " AND s.rowid = cf.fk_societe"; // Join for the needed
|
||||
if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
|
||||
if ($socid) $sql .= " AND s.rowid = ".$socid;
|
||||
if ($socname) {
|
||||
$sql .= " AND s.nom like '%".addslashes($socname)."%'";
|
||||
$sql .= " AND s.nom like '%".$db->escape($socname)."%'";
|
||||
$sortfield = "s.nom";
|
||||
$sortorder = "ASC";
|
||||
}
|
||||
if ($search_nom)
|
||||
{
|
||||
$sql .= " AND s.nom LIKE '%".addslashes($search_nom)."%'";
|
||||
$sql .= " AND s.nom LIKE '%".$db->escape($search_nom)."%'";
|
||||
}
|
||||
if ($search_ville)
|
||||
{
|
||||
$sql .= " AND s.ville LIKE '%".addslashes($search_ville)."%'";
|
||||
$sql .= " AND s.ville LIKE '%".$db->escape($search_ville)."%'";
|
||||
}
|
||||
// Insert categ filter
|
||||
if ($search_categ)
|
||||
{
|
||||
$sql .= " AND cf.fk_categorie = ".addslashes($search_categ);
|
||||
$sql .= " AND cf.fk_categorie = ".$db->escape($search_categ);
|
||||
}
|
||||
// Count total nb of records
|
||||
$nbtotalofrecords = 0;
|
||||
|
||||
@ -48,7 +48,7 @@ function check_user_password_dolibarr($usertotest,$passwordtotest)
|
||||
|
||||
$sql ='SELECT pass, pass_crypted';
|
||||
$sql.=' FROM '.$table;
|
||||
$sql.=' WHERE '.$usernamecol." = '".addslashes($_POST["username"])."'";
|
||||
$sql.=' WHERE '.$usernamecol." = '".$db->escape($_POST["username"])."'";
|
||||
$sql.=' AND '.$entitycol." IN (0," . ($_POST["entity"] ? $_POST["entity"] : 1) . ")";
|
||||
|
||||
dol_syslog("functions_dolibarr::check_user_password_dolibarr sql=".$sql);
|
||||
|
||||
@ -69,7 +69,7 @@ function check_user_password_myopenid($usertotest,$passwordtotest)
|
||||
|
||||
$sql ="SELECT login";
|
||||
$sql.=" FROM ".MAIN_DB_PREFIX."user";
|
||||
$sql.=" WHERE openid = '".addslashes($_GET['openid_identity'])."'";
|
||||
$sql.=" WHERE openid = '".$db->escape($_GET['openid_identity'])."'";
|
||||
$sql.=" AND entity IN (0," . ($_SESSION["dol_entity"] ? $_SESSION["dol_entity"] : 1) . ")";
|
||||
|
||||
dol_syslog("functions_dolibarr::check_user_password_myopenid sql=".$sql);
|
||||
|
||||
@ -191,7 +191,7 @@ if (! defined('SYSLOG_FILE_NO_ERROR'))
|
||||
// Forcage du parametrage PHP magic_quotes_gpc et nettoyage des parametres
|
||||
// (Sinon il faudrait a chaque POST, conditionner
|
||||
// la lecture de variable par stripslashes selon etat de get_magic_quotes).
|
||||
// En mode off (recommande il faut juste faire addslashes au moment d'un insert/update.
|
||||
// En mode off (recommande il faut juste faire $db->escape au moment d'un insert/update.
|
||||
function stripslashes_deep($value)
|
||||
{
|
||||
return (is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value));
|
||||
|
||||
@ -748,7 +748,7 @@ function migrate_contracts_det($db,$langs,$conf)
|
||||
$sql.= " VALUES (";
|
||||
$sql.= $obj->cref.",".($obj->fk_product?$obj->fk_product:0).",";
|
||||
$sql.= ($obj->mise_en_service?"4":"0").",";
|
||||
$sql.= "'".addslashes($obj->label)."', null,";
|
||||
$sql.= "'".$db->escape($obj->label)."', null,";
|
||||
$sql.= ($obj->mise_en_service?"'".$obj->mise_en_service."'":($obj->date_contrat?"'".$obj->date_contrat."'":"null")).",";
|
||||
$sql.= ($obj->mise_en_service?"'".$obj->mise_en_service."'":"null").",";
|
||||
$sql.= ($obj->fin_validite?"'".$obj->fin_validite."'":"null").",";
|
||||
@ -1953,7 +1953,7 @@ function migrate_detail_livraison($db,$langs,$conf)
|
||||
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."livraisondet SET";
|
||||
$sql.= " fk_product=".$obj->fk_product;
|
||||
$sql.= ",description='".addslashes($obj->description)."'";
|
||||
$sql.= ",description='".$db->escape($obj->description)."'";
|
||||
$sql.= ",subprice='".$obj->subprice."'";
|
||||
$sql.= ",total_ht='".$obj->total_ht."'";
|
||||
$sql.= " WHERE fk_commande_ligne = ".$obj->rowid;
|
||||
|
||||
@ -720,7 +720,7 @@ function show_actions_done($conf,$langs,$db,$object,$objcon='')
|
||||
$sql.= " 'AC_EMAILING' as acode,";
|
||||
$sql.= " u.rowid as user_id, u.login"; // User that valid action
|
||||
$sql.= " FROM ".MAIN_DB_PREFIX."mailing as m, ".MAIN_DB_PREFIX."mailing_cibles as mc, ".MAIN_DB_PREFIX."user as u";
|
||||
$sql.= " WHERE mc.email = '".addslashes($objcon->email)."'"; // Search is done on email.
|
||||
$sql.= " WHERE mc.email = '".$db->escape($objcon->email)."'"; // Search is done on email.
|
||||
$sql.= " AND mc.statut = 1";
|
||||
$sql.= " AND u.rowid = m.fk_user_valid";
|
||||
$sql.= " AND mc.fk_mailing=m.rowid";
|
||||
|
||||
@ -900,7 +900,7 @@ function dol_set_user_param($db, $conf, &$user, $tab)
|
||||
{
|
||||
$sql = "INSERT INTO ".MAIN_DB_PREFIX."user_param(fk_user,entity,param,value)";
|
||||
$sql.= " VALUES (".$user->id.",".$conf->entity.",";
|
||||
$sql.= " '".$key."','".addslashes($value)."');";
|
||||
$sql.= " '".$key."','".$db->escape($value)."');";
|
||||
dol_syslog("functions2.lib::dol_set_user_param sql=".$sql, LOG_DEBUG);
|
||||
|
||||
$result=$db->query($sql);
|
||||
|
||||
@ -121,7 +121,7 @@ if($action == 'search' )
|
||||
}
|
||||
if ($conf->categorie->enabled && $catMere != -1 and $catMere)
|
||||
{
|
||||
$sql.= " AND cp.fk_categorie ='".addslashes($catMere)."'";
|
||||
$sql.= " AND cp.fk_categorie ='".$db->escape($catMere)."'";
|
||||
}
|
||||
$sql.= " ORDER BY p.ref ASC";
|
||||
|
||||
|
||||
@ -143,7 +143,7 @@ else
|
||||
}
|
||||
if ($sall)
|
||||
{
|
||||
$sql.= " AND (p.ref like '%".addslashes($sall)."%' OR p.label like '%".addslashes($sall)."%' OR p.description like '%".addslashes($sall)."%' OR p.note like '%".addslashes($sall)."%')";
|
||||
$sql.= " AND (p.ref like '%".$db->escape($sall)."%' OR p.label like '%".$db->escape($sall)."%' OR p.description like '%".$db->escape($sall)."%' OR p.note like '%".$db->escape($sall)."%')";
|
||||
}
|
||||
# if the type is not 1, we show all products (type = 0,2,3)
|
||||
if (dol_strlen($type))
|
||||
@ -156,10 +156,10 @@ if (dol_strlen($type))
|
||||
}
|
||||
if ($sref) $sql.= " AND p.ref like '%".$sref."%'";
|
||||
if ($sbarcode) $sql.= " AND p.barcode like '%".$sbarcode."%'";
|
||||
if ($snom) $sql.= " AND p.label like '%".addslashes($snom)."%'";
|
||||
if ($snom) $sql.= " AND p.label like '%".$db->escape($snom)."%'";
|
||||
if (isset($_GET["tosell"]) && dol_strlen($_GET["tosell"]) > 0)
|
||||
{
|
||||
$sql.= " AND p.tosell = ".addslashes($_GET["tosell"]);
|
||||
$sql.= " AND p.tosell = ".$db->escape($_GET["tosell"]);
|
||||
}
|
||||
if (isset($_GET["tobuy"]) && dol_strlen($_GET["tobuy"]) > 0)
|
||||
{
|
||||
@ -167,7 +167,7 @@ if (isset($_GET["tobuy"]) && dol_strlen($_GET["tobuy"]) > 0)
|
||||
}
|
||||
if (dol_strlen($canvas) > 0)
|
||||
{
|
||||
$sql.= " AND p.canvas = '".addslashes($canvas)."'";
|
||||
$sql.= " AND p.canvas = '".$db->escape($canvas)."'";
|
||||
}
|
||||
if($catid)
|
||||
{
|
||||
@ -180,7 +180,7 @@ if ($fourn_id > 0)
|
||||
// Insert categ filter
|
||||
if ($search_categ)
|
||||
{
|
||||
$sql .= " AND cp.fk_categorie = ".addslashes($search_categ);
|
||||
$sql .= " AND cp.fk_categorie = ".$db->escape($search_categ);
|
||||
}
|
||||
$sql.= " GROUP BY p.rowid, p.ref, p.label, p.barcode, p.price, p.price_ttc, p.price_base_type,";
|
||||
$sql.= " p.fk_product_type, p.tms,";
|
||||
|
||||
@ -118,7 +118,7 @@ else
|
||||
}
|
||||
if ($sall)
|
||||
{
|
||||
$sql.= " AND (p.ref like '%".addslashes($sall)."%' OR p.label like '%".addslashes($sall)."%' OR p.description like '%".addslashes($sall)."%' OR p.note like '%".addslashes($sall)."%')";
|
||||
$sql.= " AND (p.ref like '%".$db->escape($sall)."%' OR p.label like '%".$db->escape($sall)."%' OR p.description like '%".$db->escape($sall)."%' OR p.note like '%".$db->escape($sall)."%')";
|
||||
}
|
||||
# if the type is not 1, we show all products (type = 0,2,3)
|
||||
if (dol_strlen($type))
|
||||
@ -131,7 +131,7 @@ if (dol_strlen($type))
|
||||
}
|
||||
if ($sref) $sql.= " AND p.ref like '%".$sref."%'";
|
||||
if ($sbarcode) $sql.= " AND p.barcode like '%".$sbarcode."%'";
|
||||
if ($snom) $sql.= " AND p.label like '%".addslashes($snom)."%'";
|
||||
if ($snom) $sql.= " AND p.label like '%".$db->escape($snom)."%'";
|
||||
if (isset($_GET["tosell"]) && dol_strlen($_GET["tosell"]) > 0)
|
||||
{
|
||||
$sql.= " AND p.tosell = ".$_GET["tosell"];
|
||||
@ -142,7 +142,7 @@ if (isset($_GET["tobuy"]) && dol_strlen($_GET["tobuy"]) > 0)
|
||||
}
|
||||
if (dol_strlen($canvas) > 0)
|
||||
{
|
||||
$sql.= " AND p.canvas = '".addslashes($canvas)."'";
|
||||
$sql.= " AND p.canvas = '".$db->escape($canvas)."'";
|
||||
}
|
||||
if($catid)
|
||||
{
|
||||
@ -155,7 +155,7 @@ if ($fourn_id > 0)
|
||||
// Insert categ filter
|
||||
if ($search_categ)
|
||||
{
|
||||
$sql .= " AND cp.fk_categorie = ".addslashes($search_categ);
|
||||
$sql .= " AND cp.fk_categorie = ".$db->escape($search_categ);
|
||||
}
|
||||
$sql.= " GROUP BY p.rowid, p.ref, p.label, p.barcode, p.price, p.price_ttc, p.price_base_type,";
|
||||
$sql.= " p.fk_product_type, p.tms,";
|
||||
|
||||
@ -105,19 +105,19 @@ else if ($year > 0)
|
||||
}
|
||||
if (! empty($search_movement))
|
||||
{
|
||||
$sql.= " AND m.label LIKE '%".addslashes($search_movement)."%'";
|
||||
$sql.= " AND m.label LIKE '%".$db->escape($search_movement)."%'";
|
||||
}
|
||||
if (! empty($search_product))
|
||||
{
|
||||
$sql.= " AND p.label LIKE '%".addslashes($search_product)."%'";
|
||||
$sql.= " AND p.label LIKE '%".$db->escape($search_product)."%'";
|
||||
}
|
||||
if (! empty($search_warehouse))
|
||||
{
|
||||
$sql.= " AND s.label LIKE '%".addslashes($search_warehouse)."%'";
|
||||
$sql.= " AND s.label LIKE '%".$db->escape($search_warehouse)."%'";
|
||||
}
|
||||
if (! empty($search_user))
|
||||
{
|
||||
$sql.= " AND u.login LIKE '%".addslashes($search_user)."%'";
|
||||
$sql.= " AND u.login LIKE '%".$db->escape($search_user)."%'";
|
||||
}
|
||||
if (! empty($_GET['idproduct']))
|
||||
{
|
||||
|
||||
@ -65,11 +65,11 @@ if ($sref)
|
||||
}
|
||||
if ($sall)
|
||||
{
|
||||
$sql.= " AND (e.label LIKE '%".addslashes($sall)."%'";
|
||||
$sql.= " OR e.description LIKE '%".addslashes($sall)."%'";
|
||||
$sql.= " OR e.lieu LIKE '%".addslashes($sall)."%'";
|
||||
$sql.= " OR e.address LIKE '%".addslashes($sall)."%'";
|
||||
$sql.= " OR e.ville LIKE '%".addslashes($sall)."%')";
|
||||
$sql.= " AND (e.label LIKE '%".$db->escape($sall)."%'";
|
||||
$sql.= " OR e.description LIKE '%".$db->escape($sall)."%'";
|
||||
$sql.= " OR e.lieu LIKE '%".$db->escape($sall)."%'";
|
||||
$sql.= " OR e.address LIKE '%".$db->escape($sall)."%'";
|
||||
$sql.= " OR e.ville LIKE '%".$db->escape($sall)."%')";
|
||||
}
|
||||
$sql.= " GROUP BY e.rowid, e.label, e.statut, e.lieu";
|
||||
$sql.= " ORDER BY $sortfield $sortorder ";
|
||||
|
||||
@ -81,15 +81,15 @@ if (! $user->rights->projet->all->lire) $sql.= " AND p.rowid IN (".$projectsList
|
||||
if ($socid) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
|
||||
if ($_GET["search_ref"])
|
||||
{
|
||||
$sql.= " AND p.ref LIKE '%".addslashes($_GET["search_ref"])."%'";
|
||||
$sql.= " AND p.ref LIKE '%".$db->escape($_GET["search_ref"])."%'";
|
||||
}
|
||||
if ($_GET["search_label"])
|
||||
{
|
||||
$sql.= " AND p.title LIKE '%".addslashes($_GET["search_label"])."%'";
|
||||
$sql.= " AND p.title LIKE '%".$db->escape($_GET["search_label"])."%'";
|
||||
}
|
||||
if ($_GET["search_societe"])
|
||||
{
|
||||
$sql.= " AND s.nom LIKE '%".addslashes($_GET["search_societe"])."%'";
|
||||
$sql.= " AND s.nom LIKE '%".$db->escape($_GET["search_societe"])."%'";
|
||||
}
|
||||
$sql.= $db->order($sortfield,$sortorder);
|
||||
$sql.= $db->plimit($conf->liste_limit+1, $offset);
|
||||
|
||||
@ -46,7 +46,7 @@ $result = restrictedArea($user, 'societe', $socid);
|
||||
|
||||
if ($action == 'add')
|
||||
{
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET note='".addslashes($_POST["note"])."' WHERE rowid=".$_POST["socid"];
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET note='".$db->escape($_POST["note"])."' WHERE rowid=".$_POST["socid"];
|
||||
$result = $db->query($sql);
|
||||
|
||||
$_GET["socid"]=$_POST["socid"]; // Pour retour sur fiche
|
||||
|
||||
@ -126,7 +126,7 @@ if (empty($conf->db->user)) $conf->db->user='';
|
||||
// Forcage du parametrage PHP magic_quotes_gpc et nettoyage des parametres
|
||||
// (Sinon il faudrait a chaque POST, conditionner
|
||||
// la lecture de variable par stripslashes selon etat de get_magic_quotes).
|
||||
// En mode off (recommande il faut juste faire addslashes au moment d'un insert/update.
|
||||
// En mode off (recommande il faut juste faire $db->escape au moment d'un insert/update.
|
||||
function stripslashes_deep($value)
|
||||
{
|
||||
return (is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value));
|
||||
|
||||
Loading…
Reference in New Issue
Block a user