diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php index e2b79448ea8..914d9be59a3 100644 --- a/htdocs/core/class/commonobject.class.php +++ b/htdocs/core/class/commonobject.class.php @@ -2121,7 +2121,7 @@ abstract class CommonObject foreach ($tab as $key => $value) { - //Test fetch_array ! is_int($key) because fetch_array seult is a mix table with Key as alpha and Key as int (depend db engine) + // Test fetch_array ! is_int($key) because fetch_array seult is a mix table with Key as alpha and Key as int (depend db engine) if ($key != 'rowid' && $key != 'tms' && $key != 'fk_member' && ! is_int($key)) { // we can add this attribute to adherent object diff --git a/htdocs/core/class/fileupload.class.php b/htdocs/core/class/fileupload.class.php index b5483139fb6..520ab7634be 100644 --- a/htdocs/core/class/fileupload.class.php +++ b/htdocs/core/class/fileupload.class.php @@ -329,14 +329,14 @@ class FileUpload $file->error = 'minFileSize'; return false; } - if (is_int($this->options['max_number_of_files']) && ( + if (is_numeric($this->options['max_number_of_files']) && ( count($this->getFileObjects()) >= $this->options['max_number_of_files']) ) { $file->error = 'maxNumberOfFiles'; return false; } list($img_width, $img_height) = @getimagesize($uploaded_file); - if (is_int($img_width)) { + if (is_numeric($img_width)) { if ($this->options['max_width'] && $img_width > $this->options['max_width'] || $this->options['max_height'] && $img_height > $this->options['max_height']) { $file->error = 'maxResolution'; diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index bd4783282f2..e2e3727bddb 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -2668,7 +2668,7 @@ class Form $autoOpen=true; $dialogconfirm='dialog-confirm'; $button=''; - if (! is_int($useajax)) + if (! is_numeric($useajax)) { $button=$useajax; $useajax=1; diff --git a/htdocs/core/lib/pdf.lib.php b/htdocs/core/lib/pdf.lib.php index 7c322a59264..39a4118eadd 100644 --- a/htdocs/core/lib/pdf.lib.php +++ b/htdocs/core/lib/pdf.lib.php @@ -439,7 +439,7 @@ function pdf_pagehead(&$pdf,$outputlangs,$page_height) if (! empty($conf->global->MAIN_USE_BACKGROUND_ON_PDF)) { $pdf->SetAutoPageBreak(0,0); // Disable auto pagebreak before adding image - $pdf->Image($conf->mycompany->dir_output.'/logos/'.$conf->global->MAIN_USE_BACKGROUND_ON_PDF, 0, 0, 0, $page_height); + $pdf->Image($conf->mycompany->dir_output.'/logos/'.$conf->global->MAIN_USE_BACKGROUND_ON_PDF, (isset($conf->global->MAIN_USE_BACKGROUND_ON_PDF_X)?$conf->global->MAIN_USE_BACKGROUND_ON_PDF_X:0), (isset($conf->global->MAIN_USE_BACKGROUND_ON_PDF_Y)?$conf->global->MAIN_USE_BACKGROUND_ON_PDF_Y:0), 0, $page_height); $pdf->SetAutoPageBreak(1,0); // Restore pagebreak } } diff --git a/htdocs/core/lib/security2.lib.php b/htdocs/core/lib/security2.lib.php index e5835ff6a68..40dd2c03ac3 100644 --- a/htdocs/core/lib/security2.lib.php +++ b/htdocs/core/lib/security2.lib.php @@ -292,11 +292,11 @@ function dol_loginfunction($langs,$conf,$mysoc) if (! empty($conf->global->MAIN_USE_JQUERY_THEME)) $jquerytheme = $conf->global->MAIN_USE_JQUERY_THEME; // Set dol_hide_topmenu, dol_hide_leftmenu, dol_optimize_smallscreen, dol_nomousehover - $dol_hide_topmenu=GETPOST('dol_hide_topmenu'); - $dol_hide_leftmenu=GETPOST('dol_hide_leftmenu'); - $dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen'); - $dol_no_mouse_hover=GETPOST('dol_no_mouse_hover'); - $dol_use_jmobile=GETPOST('dol_use_jmobile'); + $dol_hide_topmenu=GETPOST('dol_hide_topmenu','int'); + $dol_hide_leftmenu=GETPOST('dol_hide_leftmenu','int'); + $dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen','int'); + $dol_no_mouse_hover=GETPOST('dol_no_mouse_hover','int'); + $dol_use_jmobile=GETPOST('dol_use_jmobile','int'); // Include login page template include $template_dir.'login.tpl.php'; diff --git a/htdocs/core/modules/modSociete.class.php b/htdocs/core/modules/modSociete.class.php index 87b60cd4ba6..5284f5ef55b 100644 --- a/htdocs/core/modules/modSociete.class.php +++ b/htdocs/core/modules/modSociete.class.php @@ -329,7 +329,7 @@ class modSociete extends DolibarrModules unset($this->export_entities_array[$r]['s.code_fournisseur']); } // Add extra fields - $sql="SELECT name, label FROM ".MAIN_DB_PREFIX."extrafields WHERE elementtype = 'socpeople'"; + $sql="SELECT name, label, type, param FROM ".MAIN_DB_PREFIX."extrafields WHERE elementtype = 'socpeople'"; $resql=$this->db->query($sql); if ($resql) // This can fail when class is used on old database (during migration for example) { diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 851e050fa64..64068f20267 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -361,16 +361,16 @@ if (! defined('NOLOGIN')) // It is not already authenticated and it requests the login / password include_once DOL_DOCUMENT_ROOT.'/core/lib/security2.lib.php'; - $dol_dst_observed=GETPOST("dst_observed",3); - $dol_dst_first=GETPOST("dst_first",3); - $dol_dst_second=GETPOST("dst_second",3); - $dol_screenwidth=GETPOST("screenwidth",3); - $dol_screenheight=GETPOST("screenheight",3); - $dol_hide_topmenu=GETPOST('dol_hide_topmenu',3); - $dol_hide_leftmenu=GETPOST('dol_hide_leftmenu',3); - $dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen',3); - $dol_no_mouse_hover=GETPOST('dol_no_mouse_hover',3); - $dol_use_jmobile=GETPOST('dol_use_jmobile',3); + $dol_dst_observed=GETPOST("dst_observed",'int',3); + $dol_dst_first=GETPOST("dst_first",'int',3); + $dol_dst_second=GETPOST("dst_second",'int',3); + $dol_screenwidth=GETPOST("screenwidth",'int',3); + $dol_screenheight=GETPOST("screenheight",'int',3); + $dol_hide_topmenu=GETPOST('dol_hide_topmenu','int',3); + $dol_hide_leftmenu=GETPOST('dol_hide_leftmenu','int',3); + $dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen','int',3); + $dol_no_mouse_hover=GETPOST('dol_no_mouse_hover','int',3); + $dol_use_jmobile=GETPOST('dol_use_jmobile','int',3); //dol_syslog("POST key=".join(array_keys($_POST),',').' value='.join($_POST,',')); // If in demo mode, we check we go to home page through the public/demo/index.php page @@ -1037,11 +1037,11 @@ function top_htmlhead($head, $title='', $disablejs=0, $disablehead=0, $arrayofjs $themeparam='?lang='.$langs->defaultlang.'&theme='.$conf->theme.(GETPOST('optioncss')?'&optioncss='.GETPOST('optioncss','alpha',1):'').'&userid='.$user->id.'&entity='.$conf->entity; $themeparam.=($ext?'&'.$ext:''); if (! empty($_SESSION['dol_resetcache'])) $themeparam.='&dol_resetcache='.$_SESSION['dol_resetcache']; - if (GETPOST('dol_hide_topmenu')) { $themeparam.='&dol_hide_topmenu='.GETPOST('dol_hide_topmenu'); } - if (GETPOST('dol_hide_leftmenu')) { $themeparam.='&dol_hide_leftmenu='.GETPOST('dol_hide_leftmenu'); } - if (GETPOST('dol_optimize_smallscreen')) { $themeparam.='&dol_optimize_smallscreen='.GETPOST('dol_optimize_smallscreen'); } - if (GETPOST('dol_no_mouse_hover')) { $themeparam.='&dol_no_mouse_hover='.GETPOST('dol_no_mouse_hover'); } - if (GETPOST('dol_use_jmobile')) { $themeparam.='&dol_use_jmobile='.GETPOST('dol_use_jmobile'); $conf->dol_use_jmobile=GETPOST('dol_use_jmobile'); } + if (GETPOST('dol_hide_topmenu')) { $themeparam.='&dol_hide_topmenu='.GETPOST('dol_hide_topmenu','int'); } + if (GETPOST('dol_hide_leftmenu')) { $themeparam.='&dol_hide_leftmenu='.GETPOST('dol_hide_leftmenu','int'); } + if (GETPOST('dol_optimize_smallscreen')) { $themeparam.='&dol_optimize_smallscreen='.GETPOST('dol_optimize_smallscreen','int'); } + if (GETPOST('dol_no_mouse_hover')) { $themeparam.='&dol_no_mouse_hover='.GETPOST('dol_no_mouse_hover','int'); } + if (GETPOST('dol_use_jmobile')) { $themeparam.='&dol_use_jmobile='.GETPOST('dol_use_jmobile','int'); $conf->dol_use_jmobile=GETPOST('dol_use_jmobile','int'); } //print 'themepath='.$themepath.' themeparam='.$themeparam;exit; print ''."\n"; diff --git a/htdocs/master.inc.php b/htdocs/master.inc.php index 5d9babd0e89..3c2424ed88a 100644 --- a/htdocs/master.inc.php +++ b/htdocs/master.inc.php @@ -160,19 +160,22 @@ if (! defined('NOREQUIREDB')) { $conf->entity = GETPOST("entity",'int'); } - else if (defined('DOLENTITY') && is_int(DOLENTITY)) // For public page with MultiCompany module + else if (defined('DOLENTITY') && is_numeric(DOLENTITY)) // For public page with MultiCompany module { $conf->entity = DOLENTITY; } - else if (!empty($_COOKIE['DOLENTITY'])) // For other application with MultiCompany module + else if (!empty($_COOKIE['DOLENTITY'])) // For other application with MultiCompany module (TODO: We should remove this. entity to use should never be stored into client side) { $conf->entity = $_COOKIE['DOLENTITY']; } - else if (! empty($conf->multicompany->force_entity) && is_int($conf->multicompany->force_entity)) // To force entity in login page + else if (! empty($conf->multicompany->force_entity) && is_numeric($conf->multicompany->force_entity)) // To force entity in login page { $conf->entity = $conf->multicompany->force_entity; } + // Sanitize entity + if (! is_numeric($conf->entity)) $conf->entity=1; + //print "Will work with data into entity instance number '".$conf->entity."'"; // Here we read database (llx_const table) and define $conf->global->XXX var. diff --git a/htdocs/public/demo/index.php b/htdocs/public/demo/index.php index 60348965835..8a6bcd62e58 100644 --- a/htdocs/public/demo/index.php +++ b/htdocs/public/demo/index.php @@ -33,11 +33,11 @@ $langs->load("main"); $langs->load("install"); $langs->load("other"); -$conf->dol_hide_topmenu=GETPOST('dol_hide_topmenu'); -$conf->dol_hide_leftmenu=GETPOST('dol_hide_leftmenu'); -$conf->dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen'); -$conf->dol_no_mouse_hover=GETPOST('dol_no_mouse_hover'); -$conf->dol_use_jmobile=GETPOST('dol_use_jmobile'); +$conf->dol_hide_topmenu=GETPOST('dol_hide_topmenu','int'); +$conf->dol_hide_leftmenu=GETPOST('dol_hide_leftmenu','int'); +$conf->dol_optimize_smallscreen=GETPOST('dol_optimize_smallscreen','int'); +$conf->dol_no_mouse_hover=GETPOST('dol_no_mouse_hover','int'); +$conf->dol_use_jmobile=GETPOST('dol_use_jmobile','int'); // Security check global $dolibarr_main_demo; diff --git a/htdocs/public/members/new.php b/htdocs/public/members/new.php index f9c5b8a95a5..5728e1ae5f5 100644 --- a/htdocs/public/members/new.php +++ b/htdocs/public/members/new.php @@ -42,7 +42,7 @@ define("NOCSRFCHECK",1); // We accept to go on this page from external web site. // Do not use GETPOST here, function is not defined and define must be done before including main.inc.php // TODO This should be useless. Because entity must be retreive from object ref and not from url. $entity=(! empty($_GET['entity']) ? (int) $_GET['entity'] : (! empty($_POST['entity']) ? (int) $_POST['entity'] : 1)); -if (is_int($entity)) define("DOLENTITY", $entity); +if (is_numeric($entity)) define("DOLENTITY", $entity); require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/adherents/class/adherent.class.php'; diff --git a/htdocs/public/members/public_card.php b/htdocs/public/members/public_card.php index 77c419e7b11..fd745e523c9 100644 --- a/htdocs/public/members/public_card.php +++ b/htdocs/public/members/public_card.php @@ -27,11 +27,11 @@ define("NOLOGIN",1); // This means this output page does not require to be logged. define("NOCSRFCHECK",1); // We accept to go on this page from external web site. -// For MultiCompany module. +// For MultiCompany module. // Do not use GETPOST here, function is not defined and define must be done before including main.inc.php // TODO This should be useless. Because entity must be retreive from object ref and not from url. $entity=(! empty($_GET['entity']) ? (int) $_GET['entity'] : (! empty($_POST['entity']) ? (int) $_POST['entity'] : 1)); -if (is_int($entity)) define("DOLENTITY", $entity); +if (is_numeric($entity)) define("DOLENTITY", $entity); require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/adherents/class/adherent.class.php'; diff --git a/htdocs/public/members/public_list.php b/htdocs/public/members/public_list.php index 7a1ffffd54d..d88e87c2d12 100644 --- a/htdocs/public/members/public_list.php +++ b/htdocs/public/members/public_list.php @@ -27,11 +27,11 @@ define("NOLOGIN",1); // This means this output page does not require to be logged. define("NOCSRFCHECK",1); // We accept to go on this page from external web site. -// For MultiCompany module. +// For MultiCompany module. // Do not use GETPOST here, function is not defined and define must be done before including main.inc.php // TODO This should be useless. Because entity must be retreive from object ref and not from url. $entity=(! empty($_GET['entity']) ? (int) $_GET['entity'] : (! empty($_POST['entity']) ? (int) $_POST['entity'] : 1)); -if (is_int($entity)) define("DOLENTITY", $entity); +if (is_numeric($entity)) define("DOLENTITY", $entity); require '../../main.inc.php'; diff --git a/htdocs/public/paybox/newpayment.php b/htdocs/public/paybox/newpayment.php index d9e652abc35..47a93e39c32 100644 --- a/htdocs/public/paybox/newpayment.php +++ b/htdocs/public/paybox/newpayment.php @@ -27,11 +27,11 @@ define("NOLOGIN",1); // This means this output page does not require to be logged. define("NOCSRFCHECK",1); // We accept to go on this page from external web site. -// For MultiCompany module. +// For MultiCompany module. // Do not use GETPOST here, function is not defined and define must be done before including main.inc.php // TODO This should be useless. Because entity must be retreive from object ref and not from url. $entity=(! empty($_GET['entity']) ? (int) $_GET['entity'] : (! empty($_POST['entity']) ? (int) $_POST['entity'] : 1)); -if (is_int($entity)) define("DOLENTITY", $entity); +if (is_numeric($entity)) define("DOLENTITY", $entity); require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/paybox/lib/paybox.lib.php'; diff --git a/htdocs/public/paybox/paymentko.php b/htdocs/public/paybox/paymentko.php index 9e094b9d394..47601fb8dab 100644 --- a/htdocs/public/paybox/paymentko.php +++ b/htdocs/public/paybox/paymentko.php @@ -26,11 +26,11 @@ define("NOLOGIN",1); // This means this output page does not require to be logged. define("NOCSRFCHECK",1); // We accept to go on this page from external web site. -// For MultiCompany module. +// For MultiCompany module. // Do not use GETPOST here, function is not defined and define must be done before including main.inc.php // TODO This should be useless. Because entity must be retreive from object ref and not from url. $entity=(! empty($_GET['entity']) ? (int) $_GET['entity'] : (! empty($_POST['entity']) ? (int) $_POST['entity'] : 1)); -if (is_int($entity)) define("DOLENTITY", $entity); +if (is_numeric($entity)) define("DOLENTITY", $entity); require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/paybox/lib/paybox.lib.php'; diff --git a/htdocs/public/paybox/paymentok.php b/htdocs/public/paybox/paymentok.php index 34fbf265642..becfd7978c2 100644 --- a/htdocs/public/paybox/paymentok.php +++ b/htdocs/public/paybox/paymentok.php @@ -30,7 +30,7 @@ define("NOCSRFCHECK",1); // We accept to go on this page from external web site. // Do not use GETPOST here, function is not defined and define must be done before including main.inc.php // TODO This should be useless. Because entity must be retreive from object ref and not from url. $entity=(! empty($_GET['entity']) ? (int) $_GET['entity'] : (! empty($_POST['entity']) ? (int) $_POST['entity'] : 1)); -if (is_int($entity)) define("DOLENTITY", $entity); +if (is_numeric($entity)) define("DOLENTITY", $entity); require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/paybox/lib/paybox.lib.php'; diff --git a/htdocs/public/paypal/newpayment.php b/htdocs/public/paypal/newpayment.php index d2f73d84b96..afe685fb6ac 100644 --- a/htdocs/public/paypal/newpayment.php +++ b/htdocs/public/paypal/newpayment.php @@ -29,11 +29,11 @@ define("NOLOGIN",1); // This means this output page does not require to be logged. define("NOCSRFCHECK",1); // We accept to go on this page from external web site. -// For MultiCompany module. +// For MultiCompany module. // Do not use GETPOST here, function is not defined and define must be done before including main.inc.php // TODO This should be useless. Because entity must be retreive from object ref and not from url. $entity=(! empty($_GET['entity']) ? (int) $_GET['entity'] : (! empty($_POST['entity']) ? (int) $_POST['entity'] : 1)); -if (is_int($entity)) define("DOLENTITY", $entity); +if (is_numeric($entity)) define("DOLENTITY", $entity); require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/paypal/lib/paypal.lib.php'; diff --git a/htdocs/public/paypal/paymentko.php b/htdocs/public/paypal/paymentko.php index 33dabdd5a47..d6b1843b2b1 100644 --- a/htdocs/public/paypal/paymentko.php +++ b/htdocs/public/paypal/paymentko.php @@ -29,11 +29,11 @@ define("NOLOGIN",1); // This means this output page does not require to be logged. define("NOCSRFCHECK",1); // We accept to go on this page from external web site. -// For MultiCompany module. +// For MultiCompany module. // Do not use GETPOST here, function is not defined and define must be done before including main.inc.php // TODO This should be useless. Because entity must be retreive from object ref and not from url. $entity=(! empty($_GET['entity']) ? (int) $_GET['entity'] : (! empty($_POST['entity']) ? (int) $_POST['entity'] : 1)); -if (is_int($entity)) define("DOLENTITY", $entity); +if (is_numeric($entity)) define("DOLENTITY", $entity); require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/paypal/lib/paypal.lib.php'; diff --git a/htdocs/public/paypal/paymentok.php b/htdocs/public/paypal/paymentok.php index 4cc44eca4ce..f7fad5ebb31 100644 --- a/htdocs/public/paypal/paymentok.php +++ b/htdocs/public/paypal/paymentok.php @@ -33,7 +33,7 @@ define("NOCSRFCHECK",1); // We accept to go on this page from external web site. // Do not use GETPOST here, function is not defined and define must be done before including main.inc.php // TODO This should be useless. Because entity must be retreive from object ref and not from url. $entity=(! empty($_GET['entity']) ? (int) $_GET['entity'] : (! empty($_POST['entity']) ? (int) $_POST['entity'] : 1)); -if (is_int($entity)) define("DOLENTITY", $entity); +if (is_numeric($entity)) define("DOLENTITY", $entity); require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/paypal/lib/paypal.lib.php'; diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php index d671322d0dc..2775bff226f 100644 --- a/htdocs/user/class/user.class.php +++ b/htdocs/user/class/user.class.php @@ -809,7 +809,7 @@ class User extends CommonObject $sql = "SELECT login FROM ".MAIN_DB_PREFIX."user"; $sql.= " WHERE login ='".$this->db->escape($this->login)."'"; - $sql.= " AND entity IN (0,".$conf->entity.")"; + $sql.= " AND entity IN (0,".$this->db->escape($conf->entity).")"; dol_syslog(get_class($this)."::create sql=".$sql, LOG_DEBUG); $resql=$this->db->query($sql); @@ -828,7 +828,7 @@ class User extends CommonObject else { $sql = "INSERT INTO ".MAIN_DB_PREFIX."user (datec,login,ldap_sid,entity)"; - $sql.= " VALUES('".$this->db->idate($this->datec)."','".$this->db->escape($this->login)."','".$this->ldap_sid."',".$this->entity.")"; + $sql.= " VALUES('".$this->db->idate($this->datec)."','".$this->db->escape($this->login)."','".$this->ldap_sid."',".$this->db->escape($this->entity).")"; $result=$this->db->query($sql); dol_syslog(get_class($this)."::create sql=".$sql, LOG_DEBUG); @@ -925,7 +925,7 @@ class User extends CommonObject $this->lastname = $contact->lastname; $this->firstname = $contact->firstname; $this->email = $contact->email; - $this->skype = $contact->skype; + $this->skype = $contact->skype; $this->office_phone = $contact->phone_pro; $this->office_fax = $contact->fax; $this->user_mobile = $contact->phone_mobile; diff --git a/htdocs/user/class/usergroup.class.php b/htdocs/user/class/usergroup.class.php index 72dc0b7cf48..a8ab0dc5ebb 100644 --- a/htdocs/user/class/usergroup.class.php +++ b/htdocs/user/class/usergroup.class.php @@ -589,7 +589,7 @@ class UserGroup extends CommonObject $sql.= ") VALUES ("; $sql.= "'".$this->db->idate($now)."'"; $sql.= ",'".$this->db->escape($this->nom)."'"; - $sql.= ",".$entity; + $sql.= ",".$this->db->escape($entity); $sql.= ")"; dol_syslog(get_class($this)."::create sql=".$sql, LOG_DEBUG); @@ -640,7 +640,7 @@ class UserGroup extends CommonObject $sql = "UPDATE ".MAIN_DB_PREFIX."usergroup SET "; $sql.= " nom = '" . $this->db->escape($this->nom) . "'"; - $sql.= ", entity = " . $entity; + $sql.= ", entity = " . $this->db->escape($entity); $sql.= ", note = '" . $this->db->escape($this->note) . "'"; $sql.= " WHERE rowid = " . $this->id; diff --git a/htdocs/user/fiche.php b/htdocs/user/fiche.php index d78a512bf53..359b42856ab 100644 --- a/htdocs/user/fiche.php +++ b/htdocs/user/fiche.php @@ -178,16 +178,16 @@ if ($action == 'add' && $canadduser) if (! $message) { - $object->lastname = GETPOST("lastname"); - $object->firstname = GETPOST("firstname"); - $object->login = GETPOST("login"); - $object->admin = GETPOST("admin"); - $object->office_phone = GETPOST("office_phone"); - $object->office_fax = GETPOST("office_fax"); + $object->lastname = GETPOST("lastname",'alpha'); + $object->firstname = GETPOST("firstname",'alpha'); + $object->login = GETPOST("login",'alpha'); + $object->admin = GETPOST("admin",'alpha'); + $object->office_phone = GETPOST("office_phone",'alpha'); + $object->office_fax = GETPOST("office_fax",'alpha'); $object->user_mobile = GETPOST("user_mobile"); $object->skype = GETPOST("skype"); - $object->email = GETPOST("email"); - $object->job = GETPOST("job"); + $object->email = GETPOST("email",'alpha'); + $object->job = GETPOST("job",'alpha'); $object->signature = GETPOST("signature"); $object->accountancy_code = GETPOST("accountancy_code"); $object->note = GETPOST("note"); @@ -200,6 +200,7 @@ if ($action == 'add' && $canadduser) // If multicompany is off, admin users must all be on entity 0. if (! empty($conf->multicompany->enabled)) { + $entity=GETPOST('entity','int'); if (! empty($_POST["superadmin"])) { $object->entity = 0; @@ -210,12 +211,12 @@ if ($action == 'add' && $canadduser) } else { - $object->entity = (empty($_POST["entity"]) ? 0 : $_POST["entity"]); + $object->entity = (empty($entity) ? 0 : $entity); } } else { - $object->entity = (empty($_POST["entity"]) ? 0 : $_POST["entity"]); + $object->entity = (empty($entity) ? 0 : $entity); } $db->begin(); @@ -316,17 +317,17 @@ if ($action == 'update' && ! $_POST["cancel"]) $object->oldcopy=dol_clone($object); - $object->lastname = GETPOST("lastname"); - $object->firstname = GETPOST("firstname"); - $object->login = GETPOST("login"); + $object->lastname = GETPOST("lastname",'alpha'); + $object->firstname = GETPOST("firstname",'alpha'); + $object->login = GETPOST("login",'alpha'); $object->pass = GETPOST("password"); $object->admin = empty($user->admin)?0:GETPOST("admin"); // A user can only be set admin by an admin - $object->office_phone=GETPOST("office_phone"); - $object->office_fax = GETPOST("office_fax"); + $object->office_phone=GETPOST("office_phone",'alpha'); + $object->office_fax = GETPOST("office_fax",'alpha'); $object->user_mobile= GETPOST("user_mobile"); - $object->skype =GETPOST("skype"); - $object->email = GETPOST("email"); - $object->job = GETPOST("job"); + $object->skype = GETPOST("skype"); + $object->email = GETPOST("email",'alpha'); + $object->job = GETPOST("job",'alpha'); $object->signature = GETPOST("signature"); $object->accountancy_code = GETPOST("accountancy_code"); $object->openid = GETPOST("openid"); @@ -384,8 +385,8 @@ if ($action == 'update' && ! $_POST["cancel"]) $contact->fetch($contactid); $sql = "UPDATE ".MAIN_DB_PREFIX."user"; - $sql.= " SET fk_socpeople=".$contactid; - if ($contact->socid) $sql.=", fk_societe=".$contact->socid; + $sql.= " SET fk_socpeople=".$db->escape($contactid); + if ($contact->socid) $sql.=", fk_societe=".$db->escape($contact->socid); $sql.= " WHERE rowid=".$object->id; } else