Fix escape
This commit is contained in:
Laurent Destailleur
parent
54c0f742b1
commit
b5703350da
@ -8,7 +8,8 @@ if (empty($keyforselect) || empty($keyforelement) || empty($keyforaliasextra))
|
||||
}
|
||||
|
||||
// Add extra fields
|
||||
$sql = "SELECT name, label, type, param, fieldcomputed, fielddefault FROM ".MAIN_DB_PREFIX."extrafields WHERE elementtype = '".$keyforselect."' AND type != 'separate' AND entity IN (0, ".$conf->entity.') ORDER BY pos ASC';
|
||||
$sql = "SELECT name, label, type, param, fieldcomputed, fielddefault FROM ".MAIN_DB_PREFIX."extrafields";
|
||||
$sql .= " WHERE elementtype = '".$this->db->escape($keyforselect)."' AND type != 'separate' AND entity IN (0, ".$conf->entity.') ORDER BY pos ASC';
|
||||
//print $sql;
|
||||
$resql = $this->db->query($sql);
|
||||
if ($resql) // This can fail when class is used on old database (during migration for example)
|
||||
|
||||
@ -4908,9 +4908,9 @@ function get_localtax_by_third($local)
|
||||
global $db, $mysoc;
|
||||
$sql = "SELECT t.localtax1, t.localtax2 ";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t inner join ".MAIN_DB_PREFIX."c_country as c ON c.rowid=t.fk_pays";
|
||||
$sql .= " WHERE c.code = '".$mysoc->country_code."' AND t.active = 1 AND t.taux=(";
|
||||
$sql .= " WHERE c.code = '".$db->escape($mysoc->country_code)."' AND t.active = 1 AND t.taux=(";
|
||||
$sql .= " SELECT max(tt.taux) FROM ".MAIN_DB_PREFIX."c_tva as tt inner join ".MAIN_DB_PREFIX."c_country as c ON c.rowid=tt.fk_pays";
|
||||
$sql .= " WHERE c.code = '".$mysoc->country_code."' AND tt.active = 1";
|
||||
$sql .= " WHERE c.code = '".$db->escape($mysoc->country_code)."' AND tt.active = 1";
|
||||
$sql .= " )";
|
||||
|
||||
$resql = $db->query($sql);
|
||||
@ -4956,11 +4956,11 @@ function getTaxesFromId($vatrate, $buyer = null, $seller = null, $firstparamisid
|
||||
}
|
||||
|
||||
$sql .= ", ".MAIN_DB_PREFIX."c_country as c";
|
||||
/*if ($mysoc->country_code == 'ES') $sql.= " WHERE t.fk_pays = c.rowid AND c.code = '".$buyer->country_code."'"; // vat in spain use the buyer country ??
|
||||
else $sql.= " WHERE t.fk_pays = c.rowid AND c.code = '".$seller->country_code."'";*/
|
||||
$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$seller->country_code."'";
|
||||
/*if ($mysoc->country_code == 'ES') $sql.= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($buyer->country_code)."'"; // vat in spain use the buyer country ??
|
||||
else $sql.= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($seller->country_code)."'";*/
|
||||
$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($seller->country_code)."'";
|
||||
$sql .= " AND t.taux = ".((float) $vatratecleaned)." AND t.active = 1";
|
||||
if ($vatratecode) $sql .= " AND t.code = '".$vatratecode."'";
|
||||
if ($vatratecode) $sql .= " AND t.code = '".$db->escape($vatratecode)."'";
|
||||
}
|
||||
|
||||
$resql = $db->query($sql);
|
||||
@ -5011,10 +5011,10 @@ function getLocalTaxesFromRate($vatrate, $local, $buyer, $seller, $firstparamisi
|
||||
}
|
||||
|
||||
$sql .= ", ".MAIN_DB_PREFIX."c_country as c";
|
||||
if ($mysoc->country_code == 'ES') $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$buyer->country_code."'"; // local tax in spain use the buyer country ??
|
||||
else $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$seller->country_code."'";
|
||||
if ($mysoc->country_code == 'ES') $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($buyer->country_code)."'"; // local tax in spain use the buyer country ??
|
||||
else $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($seller->country_code)."'";
|
||||
$sql .= " AND t.taux = ".((float) $vatratecleaned)." AND t.active = 1";
|
||||
if ($vatratecode) $sql .= " AND t.code = '".$vatratecode."'";
|
||||
if ($vatratecode) $sql .= " AND t.code = '".$db->escape($vatratecode)."'";
|
||||
}
|
||||
|
||||
$resql = $db->query($sql);
|
||||
@ -5088,7 +5088,7 @@ function get_product_vat_for_country($idprod, $thirdparty_seller, $idprodfournpr
|
||||
// If vat of product for the country not found or not defined, we return the first higher vat of country.
|
||||
$sql = "SELECT t.taux as vat_rate, t.code as default_vat_code";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
|
||||
$sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$thirdparty_seller->country_code."'";
|
||||
$sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$db->escape($thirdparty_seller->country_code)."'";
|
||||
$sql .= " ORDER BY t.taux DESC, t.code ASC, t.recuperableonly ASC";
|
||||
$sql .= $db->plimit(1);
|
||||
|
||||
@ -5153,7 +5153,7 @@ function get_product_localtax_for_country($idprod, $local, $thirdparty_seller)
|
||||
// If vat of product for the country not found or not defined, we return higher vat of country.
|
||||
$sql = "SELECT taux as vat_rate, localtax1, localtax2";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
|
||||
$sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$thirdparty_seller->country_code."'";
|
||||
$sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$db->escape($thirdparty_seller->country_code)."'";
|
||||
$sql .= " ORDER BY t.taux DESC, t.recuperableonly ASC";
|
||||
$sql .= $db->plimit(1);
|
||||
|
||||
|
||||
@ -579,6 +579,7 @@ function clean_url($url, $http = 1)
|
||||
// Fixed by Matelli (see http://matelli.fr/showcases/patchs-dolibarr/fix-cleaning-url.html)
|
||||
// To include the minus sign in a char class, we must not escape it but put it at the end of the class
|
||||
// Also, there's no need of escape a dot sign in a class
|
||||
$regs = array();
|
||||
if (preg_match('/^(https?:[\\/]+)?([0-9A-Z.-]+\.[A-Z]{2,4})(:[0-9]+)?/i', $url, $regs))
|
||||
{
|
||||
$proto = $regs[1];
|
||||
@ -737,6 +738,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
|
||||
//$date=dol_stringtotime('20130101');
|
||||
|
||||
$hasglobalcounter = false;
|
||||
$reg = array();
|
||||
// Extract value for mask counter, mask raz and mask offset
|
||||
if (preg_match('/\{(0+)([@\+][0-9\-\+\=]+)?([@\+][0-9\-\+\=]+)?\}/i', $mask, $reg))
|
||||
{
|
||||
@ -755,6 +757,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
|
||||
if (dol_strlen($maskcounter) < 3 && empty($conf->global->MAIN_COUNTER_WITH_LESS_3_DIGITS)) return 'ErrorCounterMustHaveMoreThan3Digits';
|
||||
|
||||
// Extract value for third party mask counter
|
||||
$regClient = array();
|
||||
if (preg_match('/\{(c+)(0*)\}/i', $mask, $regClientRef))
|
||||
{
|
||||
$maskrefclient = $regClientRef[1].$regClientRef[2];
|
||||
@ -774,6 +777,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
|
||||
}
|
||||
|
||||
// Extract value for third party type
|
||||
$regType = array();
|
||||
if (preg_match('/\{(t+)\}/i', $mask, $regType))
|
||||
{
|
||||
$masktype = $regType[1];
|
||||
@ -802,6 +806,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
|
||||
$maskperso = array();
|
||||
$maskpersonew = array();
|
||||
$tmpmask = $mask;
|
||||
$regKey = array();
|
||||
while (preg_match('/\{([A-Z]+)\-([1-9])\}/', $tmpmask, $regKey))
|
||||
{
|
||||
$maskperso[$regKey[1]] = '{'.$regKey[1].'-'.$regKey[2].'}';
|
||||
@ -918,19 +923,19 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
|
||||
elseif ($yearlen == 2) $yearcomp1 = sprintf("%02d", date("y", $date) + $yearoffset + 1);
|
||||
|
||||
$sqlwhere .= "(";
|
||||
$sqlwhere .= " (SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$yearcomp."'";
|
||||
$sqlwhere .= " (SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$db->escape($yearcomp)."'";
|
||||
$sqlwhere .= " AND SUBSTRING(".$field.", ".$monthpos.", ".$monthlen.") >= '".str_pad($monthcomp, $monthlen, '0', STR_PAD_LEFT)."')";
|
||||
$sqlwhere .= " OR";
|
||||
$sqlwhere .= " (SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$yearcomp1."'";
|
||||
$sqlwhere .= " (SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$db->escape($yearcomp1)."'";
|
||||
$sqlwhere .= " AND SUBSTRING(".$field.", ".$monthpos.", ".$monthlen.") < '".str_pad($monthcomp, $monthlen, '0', STR_PAD_LEFT)."') ";
|
||||
$sqlwhere .= ')';
|
||||
} elseif ($resetEveryMonth)
|
||||
{
|
||||
$sqlwhere .= "(SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$yearcomp."'";
|
||||
$sqlwhere .= "(SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$db->escape($yearcomp)."'";
|
||||
$sqlwhere .= " AND SUBSTRING(".$field.", ".$monthpos.", ".$monthlen.") = '".str_pad($monthcomp, $monthlen, '0', STR_PAD_LEFT)."')";
|
||||
} else // reset is done on january
|
||||
{
|
||||
$sqlwhere .= '(SUBSTRING('.$field.', '.$yearpos.', '.$yearlen.") = '".$yearcomp."')";
|
||||
$sqlwhere .= '(SUBSTRING('.$field.', '.$yearpos.', '.$yearlen.") = '".$db->escape($yearcomp)."')";
|
||||
}
|
||||
}
|
||||
//print "sqlwhere=".$sqlwhere." yearcomp=".$yearcomp."<br>\n"; // sqlwhere and yearcomp defined only if we ask a reset
|
||||
@ -969,7 +974,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
|
||||
$counter = 0;
|
||||
$sql = "SELECT MAX(".$sqlstring.") as val";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX.$table;
|
||||
$sql .= " WHERE ".$field." LIKE '".$maskLike."'";
|
||||
$sql .= " WHERE ".$field." LIKE '".$db->escape($maskLike)."'";
|
||||
$sql .= " AND ".$field." NOT LIKE '(PROV%)'";
|
||||
if ($bentityon) // only if entity enable
|
||||
$sql .= " AND entity IN (".getEntity($sharetable).")";
|
||||
@ -1016,7 +1021,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
|
||||
$ref = '';
|
||||
$sql = "SELECT ".$field." as ref";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX.$table;
|
||||
$sql .= " WHERE ".$field." LIKE '".$maskLike."'";
|
||||
$sql .= " WHERE ".$field." LIKE '".$db->escape($maskLike)."'";
|
||||
$sql .= " AND ".$field." NOT LIKE '%PROV%'";
|
||||
if ($bentityon) // only if entity enable
|
||||
$sql .= " AND entity IN (".getEntity($sharetable).")";
|
||||
@ -1071,14 +1076,14 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
|
||||
$maskrefclient_sql = "SELECT MAX(".$maskrefclient_sqlstring.") as val";
|
||||
$maskrefclient_sql .= " FROM ".MAIN_DB_PREFIX.$table;
|
||||
//$sql.= " WHERE ".$field." not like '(%'";
|
||||
$maskrefclient_sql .= " WHERE ".$field." LIKE '".$maskrefclient_maskLike."'";
|
||||
$maskrefclient_sql .= " WHERE ".$field." LIKE '".$db->escape($maskrefclient_maskLike)."'";
|
||||
if ($bentityon) // only if entity enable
|
||||
$maskrefclient_sql .= " AND entity IN (".getEntity($sharetable).")";
|
||||
elseif (!empty($forceentity))
|
||||
$sql .= " AND entity IN (".$forceentity.")";
|
||||
if ($where) $maskrefclient_sql .= $where; //use the same optional where as general mask
|
||||
if ($sqlwhere) $maskrefclient_sql .= ' AND '.$sqlwhere; //use the same sqlwhere as general mask
|
||||
$maskrefclient_sql .= ' AND (SUBSTRING('.$field.', '.(strpos($maskwithnocode, $maskrefclient) + 1).', '.dol_strlen($maskrefclient_maskclientcode).")='".$maskrefclient_clientcode."')";
|
||||
$maskrefclient_sql .= ' AND (SUBSTRING('.$field.', '.(strpos($maskwithnocode, $maskrefclient) + 1).', '.dol_strlen($maskrefclient_maskclientcode).")='".$db->escape($maskrefclient_clientcode)."')";
|
||||
|
||||
dol_syslog("functions2::get_next_value maskrefclient", LOG_DEBUG);
|
||||
$maskrefclient_resql = $db->query($maskrefclient_sql);
|
||||
|
||||
@ -528,7 +528,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
|
||||
{
|
||||
$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
|
||||
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = '".$user->id."'";
|
||||
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
|
||||
$sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
|
||||
$sql .= " AND (dbt.fk_soc IS NULL OR sc.fk_soc IS NOT NULL)"; // Contact not linked to a company or to a company of user
|
||||
$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
|
||||
|
||||
@ -1586,10 +1586,10 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
|
||||
$sql = "INSERT INTO ".MAIN_DB_PREFIX."const (name,type,value,note,visible,entity)";
|
||||
$sql .= " VALUES (";
|
||||
$sql .= $this->db->encrypt($name, 1);
|
||||
$sql .= ",'".$type."'";
|
||||
$sql .= ",'".$this->db->escape($type)."'";
|
||||
$sql .= ",".(($val != '') ? $this->db->encrypt($val, 1) : "''");
|
||||
$sql .= ",".($note ? "'".$this->db->escape($note)."'" : "null");
|
||||
$sql .= ",'".$visible."'";
|
||||
$sql .= ",'".$this->db->escape($visible)."'";
|
||||
$sql .= ",".$entity;
|
||||
$sql .= ")";
|
||||
|
||||
@ -1630,7 +1630,7 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
|
||||
|
||||
if ($deleteonunactive) {
|
||||
$sql = "DELETE FROM ".MAIN_DB_PREFIX."const";
|
||||
$sql .= " WHERE ".$this->db->decrypt('name')." = '".$name."'";
|
||||
$sql .= " WHERE ".$this->db->decrypt('name')." = '".$this->db->escape($name)."'";
|
||||
$sql .= " AND entity in (0, ".$conf->entity.")";
|
||||
dol_syslog(get_class($this)."::delete_const", LOG_DEBUG);
|
||||
if (!$this->db->query($sql)) {
|
||||
@ -1700,18 +1700,18 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
|
||||
$sql = "INSERT INTO ".MAIN_DB_PREFIX."rights_def";
|
||||
$sql .= " (id, entity, libelle, module, type, bydefault, perms, subperms)";
|
||||
$sql .= " VALUES ";
|
||||
$sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$r_modul."','".$r_type."',".$r_def.",'".$r_perms."','".$r_subperms."')";
|
||||
$sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$this->db->escape($r_modul)."','".$this->db->escape($r_type)."',".$r_def.",'".$this->db->escape($r_perms)."','".$this->db->escape($r_subperms)."')";
|
||||
} else {
|
||||
$sql = "INSERT INTO ".MAIN_DB_PREFIX."rights_def";
|
||||
$sql .= " (id, entity, libelle, module, type, bydefault, perms)";
|
||||
$sql .= " VALUES ";
|
||||
$sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$r_modul."','".$r_type."',".$r_def.",'".$r_perms."')";
|
||||
$sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$this->db->escape($r_modul)."','".$this->db->escape($r_type)."',".$r_def.",'".$this->db->escape($r_perms)."')";
|
||||
}
|
||||
} else {
|
||||
$sql = "INSERT INTO ".MAIN_DB_PREFIX."rights_def ";
|
||||
$sql .= " (id, entity, libelle, module, type, bydefault)";
|
||||
$sql .= " VALUES ";
|
||||
$sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$r_modul."','".$r_type."',".$r_def.")";
|
||||
$sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$this->db->escape($r_modul)."','".$this->db->escape($r_type)."',".$r_def.")";
|
||||
}
|
||||
|
||||
$resqlinsert = $this->db->query($sql, 1);
|
||||
@ -2009,7 +2009,7 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
|
||||
|
||||
$sql = "SELECT count(*)";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."const";
|
||||
$sql .= " WHERE ".$this->db->decrypt('name')." = '".$name."'";
|
||||
$sql .= " WHERE ".$this->db->decrypt('name')." = '".$this->db->escape($name)."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
|
||||
dol_syslog(get_class($this)."::insert_dirs", LOG_DEBUG);
|
||||
|
||||
@ -245,7 +245,7 @@ class mod_barcode_product_standard extends ModeleNumRefBarCode
|
||||
{
|
||||
// phpcs:enable
|
||||
$sql = "SELECT barcode FROM ".MAIN_DB_PREFIX."product";
|
||||
$sql .= " WHERE barcode = '".$code."'";
|
||||
$sql .= " WHERE barcode = '".$db->escape($code)."'";
|
||||
if ($product->id > 0) $sql .= " AND rowid <> ".$product->id;
|
||||
|
||||
$resql = $db->query($sql);
|
||||
|
||||
@ -1029,7 +1029,7 @@ class pdf_standard extends ModeleExpenseReport
|
||||
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_paiement as c ON p.fk_typepayment = c.id";
|
||||
$sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'bank as b ON p.fk_bank = b.rowid';
|
||||
$sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'bank_account as ba ON b.fk_account = ba.rowid';
|
||||
$sql .= " WHERE e.rowid = '".$object->id."'";
|
||||
$sql .= " WHERE e.rowid = ".((int) $object->id);
|
||||
$sql .= " AND p.fk_expensereport = e.rowid";
|
||||
$sql .= ' AND e.entity IN ('.getEntity('expensereport').')';
|
||||
$sql .= " ORDER BY dp";
|
||||
|
||||
@ -162,7 +162,7 @@ class mod_facture_mars extends ModeleNumRefFactures
|
||||
$posindice = strlen($prefix) + 6;
|
||||
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."facture";
|
||||
$sql .= " WHERE ref LIKE '".$prefix."____-%'";
|
||||
$sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-%'";
|
||||
$sql .= " AND entity IN (".getEntity('invoicenumber', 1, $invoice).")";
|
||||
|
||||
$resql = $db->query($sql);
|
||||
@ -184,7 +184,7 @@ class mod_facture_mars extends ModeleNumRefFactures
|
||||
$ref = '';
|
||||
$sql = "SELECT ref as ref";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."facture";
|
||||
$sql .= " WHERE ref LIKE '".$prefix."____-".$num."'";
|
||||
$sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-".$num."'";
|
||||
$sql .= " AND entity IN (".getEntity('invoicenumber', 1, $invoice).")";
|
||||
$sql .= " ORDER BY ref DESC";
|
||||
|
||||
|
||||
@ -194,7 +194,7 @@ class mod_facture_terre extends ModeleNumRefFactures
|
||||
$posindice = strlen($prefix) + 6;
|
||||
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."facture";
|
||||
$sql .= " WHERE ref LIKE '".$prefix."____-%'";
|
||||
$sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-%'";
|
||||
$sql .= " AND entity IN (".getEntity('invoicenumber', 1, $invoice).")";
|
||||
|
||||
$resql = $db->query($sql);
|
||||
@ -215,7 +215,7 @@ class mod_facture_terre extends ModeleNumRefFactures
|
||||
$ref = '';
|
||||
$sql = "SELECT ref as ref";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."facture";
|
||||
$sql .= " WHERE ref LIKE '".$prefix."____-".$num."'";
|
||||
$sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-".$num."'";
|
||||
$sql .= " AND entity IN (".getEntity('invoicenumber', 1, $invoice).")";
|
||||
$sql .= " ORDER BY ref DESC";
|
||||
|
||||
|
||||
@ -843,7 +843,7 @@ class ImportCsv extends ModeleImports
|
||||
if (!$error && !$updatedone) {
|
||||
// Build SQL INSERT request
|
||||
$sqlstart = 'INSERT INTO '.$tablename.'('.implode(', ', $listfields).', import_key';
|
||||
$sqlend = ') VALUES('.implode(', ', $listvalues).", '".$importid."'";
|
||||
$sqlend = ') VALUES('.implode(', ', $listvalues).", '".$this->db->escape($importid)."'";
|
||||
if (!empty($tablewithentity_cache[$tablename])) {
|
||||
$sqlstart .= ', entity';
|
||||
$sqlend .= ', '.$conf->entity;
|
||||
|
||||
@ -872,7 +872,7 @@ class ImportXlsx extends ModeleImports
|
||||
if (!$error && !$updatedone) {
|
||||
// Build SQL INSERT request
|
||||
$sqlstart = 'INSERT INTO '.$tablename.'('.implode(', ', $listfields).', import_key';
|
||||
$sqlend = ') VALUES('.implode(', ', $listvalues).", '".$importid."'";
|
||||
$sqlend = ') VALUES('.implode(', ', $listvalues).", '".$db->escape($importid)."'";
|
||||
if (!empty($tablewithentity_cache[$tablename])) {
|
||||
$sqlstart .= ', entity';
|
||||
$sqlend .= ', '.$conf->entity;
|
||||
|
||||
@ -75,7 +75,7 @@ class mailing_contacts1 extends MailingTargets
|
||||
$langs->load("commercial");
|
||||
|
||||
$statssql = array();
|
||||
$statssql[0] = "SELECT '".$langs->trans("NbOfCompaniesContacts")."' as label,";
|
||||
$statssql[0] = "SELECT '".$this->db->escape($langs->trans("NbOfCompaniesContacts"))."' as label,";
|
||||
$statssql[0] .= " count(distinct(c.email)) as nb";
|
||||
$statssql[0] .= " FROM ".MAIN_DB_PREFIX."socpeople as c";
|
||||
$statssql[0] .= " WHERE c.entity IN (".getEntity('socpeople').")";
|
||||
@ -390,7 +390,7 @@ class mailing_contacts1 extends MailingTargets
|
||||
{
|
||||
//print "xx".$key;
|
||||
if ($key == 'prospects') $sql .= " AND s.client=2";
|
||||
foreach ($prospectlevel as $codelevel=>$valuelevel) if ($key == 'prospectslevel'.$codelevel) $sql .= " AND s.fk_prospectlevel='".$codelevel."'";
|
||||
foreach ($prospectlevel as $codelevel=>$valuelevel) if ($key == 'prospectslevel'.$codelevel) $sql .= " AND s.fk_prospectlevel='".$this->db->escape($codelevel)."'";
|
||||
if ($key == 'customers') $sql .= " AND s.client=1";
|
||||
if ($key == 'suppliers') $sql .= " AND s.fournisseur=1";
|
||||
}
|
||||
|
||||
@ -266,9 +266,9 @@ class mailing_fraise extends MailingTargets
|
||||
if ($dateendsubscriptionbefore > 0) $sql .= " AND datefin < '".$this->db->idate($dateendsubscriptionbefore)."'";
|
||||
$sql .= " AND a.fk_adherent_type = ta.rowid";
|
||||
// Filter on type
|
||||
if ($_POST['filter_type']) $sql .= " AND ta.rowid='".$_POST['filter_type']."'";
|
||||
if (GETPOSTISET('filter_type')) $sql .= " AND ta.rowid='".$this->db->escape(GETPOST('filter_type'))."'";
|
||||
// Filter on category
|
||||
if ($_POST['filter_category']) $sql .= " AND c.rowid='".$_POST['filter_category']."'";
|
||||
if (GETPOSTISSET('filter_category')) $sql .= " AND c.rowid='".$this->db->escape(GETPOST('filter_category'))."'";
|
||||
$sql .= " ORDER BY a.email";
|
||||
//print $sql;
|
||||
|
||||
|
||||
@ -175,7 +175,7 @@ class MailingTargets // This can't be abstract as it is used for some method
|
||||
$sql .= " tag,";
|
||||
$sql .= " source_type)";
|
||||
$sql .= " VALUES (".$mailing_id.",";
|
||||
$sql .= (empty($targetarray['fk_contact']) ? '0' : "'".$targetarray['fk_contact']."'").",";
|
||||
$sql .= (empty($targetarray['fk_contact']) ? '0' : "'".$this->db->escape($targetarray['fk_contact'])."'").",";
|
||||
$sql .= "'".$this->db->escape($targetarray['lastname'])."',";
|
||||
$sql .= "'".$this->db->escape($targetarray['firstname'])."',";
|
||||
$sql .= "'".$this->db->escape($targetarray['email'])."',";
|
||||
|
||||
@ -73,7 +73,7 @@ class mailing_pomme extends MailingTargets
|
||||
$langs->load("users");
|
||||
|
||||
$statssql = array();
|
||||
$sql = "SELECT '".$langs->trans("DolibarrUsers")."' as label,";
|
||||
$sql = "SELECT '".$this->db->escape($langs->trans("DolibarrUsers"))."' as label,";
|
||||
$sql .= " count(distinct(u.email)) as nb";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."user as u";
|
||||
$sql .= " WHERE u.email != ''"; // u.email IS NOT NULL est implicite dans ce test
|
||||
|
||||
@ -113,7 +113,7 @@ class mailing_thirdparties_services_expired extends MailingTargets
|
||||
$sql .= " WHERE s.entity IN (".getEntity('societe').")";
|
||||
$sql .= " AND s.email NOT IN (SELECT email FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE fk_mailing=".$mailing_id.")";
|
||||
$sql .= " AND s.rowid = c.fk_soc AND cd.fk_contrat = c.rowid AND s.email != ''";
|
||||
$sql .= " AND cd.statut= 4 AND cd.fk_product=p.rowid AND p.ref = '".$product."'";
|
||||
$sql .= " AND cd.statut= 4 AND cd.fk_product=p.rowid AND p.ref = '".$this->db->escape($product)."'";
|
||||
$sql .= " AND cd.date_fin_validite < '".$this->db->idate($now)."'";
|
||||
$sql .= " ORDER BY s.email";
|
||||
|
||||
|
||||
@ -291,13 +291,13 @@ class pdf_stdandard extends ModelePDFMovement
|
||||
{
|
||||
$sql .= " AND m.datem BETWEEN '".$db->idate(dol_get_first_day($year, 1, false))."' AND '".$db->idate(dol_get_last_day($year, 12, false))."'";
|
||||
}
|
||||
if ($idproduct > 0) $sql .= " AND p.rowid = '".$idproduct."'";
|
||||
if ($idproduct > 0) $sql .= " AND p.rowid = ".((int) $idproduct);
|
||||
if (!empty($search_ref)) $sql .= natural_search('m.rowid', $search_ref, 1);
|
||||
if (!empty($search_movement)) $sql .= natural_search('m.label', $search_movement);
|
||||
if (!empty($search_inventorycode)) $sql .= natural_search('m.inventorycode', $search_inventorycode);
|
||||
if (!empty($search_product_ref)) $sql .= natural_search('p.ref', $search_product_ref);
|
||||
if (!empty($search_product)) $sql .= natural_search('p.label', $search_product);
|
||||
if ($search_warehouse > 0) $sql .= " AND e.rowid = '".$db->escape($search_warehouse)."'";
|
||||
if ($search_warehouse > 0) $sql .= " AND e.rowid = ".((int) $db->escape($search_warehouse));
|
||||
if (!empty($search_user)) $sql .= natural_search('u.login', $search_user);
|
||||
if (!empty($search_batch)) $sql .= natural_search('m.batch', $search_batch);
|
||||
if ($search_qty != '') $sql .= natural_search('m.value', $search_qty, 1);
|
||||
@ -489,7 +489,7 @@ class pdf_stdandard extends ModelePDFMovement
|
||||
$sql = "SELECT label";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."product_lang";
|
||||
$sql .= " WHERE fk_product=".$objp->rowid;
|
||||
$sql .= " AND lang='".$langs->getDefaultLang()."'";
|
||||
$sql .= " AND lang='".$this->db->escape($langs->getDefaultLang())."'";
|
||||
$sql .= " LIMIT 1";
|
||||
|
||||
$result = $db->query($sql);
|
||||
@ -1049,7 +1049,7 @@ class pdf_stdandard extends ModelePDFMovement
|
||||
// Last movement
|
||||
$sql = "SELECT max(m.datem) as datem";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m";
|
||||
$sql .= " WHERE m.fk_entrepot = '".$object->id."'";
|
||||
$sql .= " WHERE m.fk_entrepot = ".((int) $object->id);
|
||||
$resqlbis = $db->query($sql);
|
||||
if ($resqlbis)
|
||||
{
|
||||
|
||||
@ -312,7 +312,7 @@ class printing_printgcp extends PrintingDriver
|
||||
$fileprint .= '/'.$file;
|
||||
$mimetype = dol_mimetype($fileprint);
|
||||
// select printer uri for module order, propal,...
|
||||
$sql = "SELECT rowid, printer_id, copy FROM ".MAIN_DB_PREFIX."printing WHERE module='".$module."' AND driver='printgcp' AND userid=".$user->id;
|
||||
$sql = "SELECT rowid, printer_id, copy FROM ".MAIN_DB_PREFIX."printing WHERE module='".$this->db->escape($module)."' AND driver='printgcp' AND userid=".$user->id;
|
||||
$result = $this->db->query($sql);
|
||||
if ($result)
|
||||
{
|
||||
|
||||
@ -107,7 +107,7 @@ class printing_printipp extends PrintingDriver
|
||||
if (!empty($this->user)) $ipp->setAuthentication($this->user, $this->password);
|
||||
|
||||
// select printer uri for module order, propal,...
|
||||
$sql = "SELECT rowid,printer_id,copy FROM ".MAIN_DB_PREFIX."printing WHERE module = '".$module."' AND driver = 'printipp' AND userid = ".$user->id;
|
||||
$sql = "SELECT rowid,printer_id,copy FROM ".MAIN_DB_PREFIX."printing WHERE module = '".$this->db->escape($module)."' AND driver = 'printipp' AND userid = ".$user->id;
|
||||
$result = $this->db->query($sql);
|
||||
if ($result) {
|
||||
$obj = $this->db->fetch_object($result);
|
||||
|
||||
@ -313,7 +313,7 @@ class mod_codeproduct_elephant extends ModeleProductCode
|
||||
{
|
||||
// phpcs:enable
|
||||
$sql = "SELECT ref FROM ".MAIN_DB_PREFIX."product";
|
||||
$sql .= " WHERE ref = '".$code."'";
|
||||
$sql .= " WHERE ref = '".$this->db->escape($code)."'";
|
||||
if ($product->id > 0) $sql .= " AND rowid <> ".$product->id;
|
||||
|
||||
$resql = $db->query($sql);
|
||||
|
||||
@ -133,7 +133,7 @@ class mod_codeclient_monkey extends ModeleThirdPartyCode
|
||||
$posindice = strlen($prefix) + 6;
|
||||
$sql = "SELECT MAX(CAST(SUBSTRING(".$field." FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."societe";
|
||||
$sql .= " WHERE ".$field." LIKE '".$prefix."____-%'";
|
||||
$sql .= " WHERE ".$field." LIKE '".$db->escape($prefix)."____-%'";
|
||||
$sql .= " AND entity IN (".getEntity('societe').")";
|
||||
|
||||
dol_syslog(get_class($this)."::getNextValue", LOG_DEBUG);
|
||||
|
||||
@ -863,7 +863,7 @@ class pdf_standard extends ModelePDFStock
|
||||
// Last movement
|
||||
$sql = "SELECT max(m.datem) as datem";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m";
|
||||
$sql .= " WHERE m.fk_entrepot = '".$object->id."'";
|
||||
$sql .= " WHERE m.fk_entrepot = ".((int) $object->id);
|
||||
$resqlbis = $db->query($sql);
|
||||
if ($resqlbis)
|
||||
{
|
||||
|
||||
@ -182,7 +182,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices
|
||||
$posindice = strlen($prefix) + 6;
|
||||
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn";
|
||||
$sql .= " WHERE ref LIKE '".$prefix."____-%'";
|
||||
$sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-%'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
|
||||
$resql = $db->query($sql);
|
||||
@ -204,7 +204,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices
|
||||
$ref = '';
|
||||
$sql = "SELECT ref as ref";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn";
|
||||
$sql .= " WHERE ref LIKE '".$prefix."____-".$num."'";
|
||||
$sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-".$num."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
|
||||
dol_syslog(get_class($this)."::getNextValue", LOG_DEBUG);
|
||||
|
||||
@ -93,7 +93,7 @@ class mod_ticket_simple extends ModeleNumRefTicket
|
||||
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."ticket";
|
||||
$search = $this->prefix."____-%";
|
||||
$sql .= " WHERE ref LIKE '".$search."'";
|
||||
$sql .= " WHERE ref LIKE '".$db->escape($search)."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
$resql = $db->query($sql);
|
||||
if ($resql) {
|
||||
@ -128,7 +128,7 @@ class mod_ticket_simple extends ModeleNumRefTicket
|
||||
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."ticket";
|
||||
$search = $this->prefix."____-%";
|
||||
$sql .= " WHERE ref LIKE '".$search."'";
|
||||
$sql .= " WHERE ref LIKE '".$db->escape($search)."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
|
||||
$resql = $db->query($sql);
|
||||
|
||||
Loading…
Reference in New Issue
Block a user