From b5703350da6b1fb0723a104ca2d39a4963e1af34 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 19 Sep 2020 22:41:05 +0200
Subject: [PATCH] Fix escape
---
 htdocs/core/extrafieldsinexport.inc.php | 3 ++-
 htdocs/core/lib/functions.lib.php | 22 +++++++++----------
 htdocs/core/lib/functions2.lib.php | 21 +++++++++++-------
 htdocs/core/lib/security.lib.php | 2 +-
 htdocs/core/modules/DolibarrModules.class.php | 14 ++++++------
 .../barcode/mod_barcode_product_standard.php | 2 +-
 .../doc/pdf_standard.modules.php | 2 +-
 .../core/modules/facture/mod_facture_mars.php | 4 ++--
 .../modules/facture/mod_facture_terre.php | 4 ++--
 .../modules/import/import_csv.modules.php | 2 +-
 .../modules/import/import_xlsx.modules.php | 2 +-
 .../modules/mailings/contacts1.modules.php | 4 ++--
 .../core/modules/mailings/fraise.modules.php | 4 ++--
 .../modules/mailings/modules_mailings.php | 2 +-
 .../core/modules/mailings/pomme.modules.php | 2 +-
 .../thirdparties_services_expired.modules.php | 2 +-
 .../movement/doc/pdf_standard.modules.php | 8 +++----
 .../modules/printing/printgcp.modules.php | 2 +-
 .../modules/printing/printipp.modules.php | 2 +-
 .../product/mod_codeproduct_elephant.php | 2 +-
 .../modules/societe/mod_codeclient_monkey.php | 2 +-
 .../stock/doc/pdf_standard.modules.php | 2 +-
 .../mod_facture_fournisseur_cactus.php | 4 ++--
 .../core/modules/ticket/mod_ticket_simple.php | 4 ++--
 24 files changed, 62 insertions(+), 56 deletions(-)
diff --git a/htdocs/core/extrafieldsinexport.inc.php b/htdocs/core/extrafieldsinexport.inc.php
index db926a2b6bc..ae6fdf8bf70 100644
--- a/htdocs/core/extrafieldsinexport.inc.php
+++ b/htdocs/core/extrafieldsinexport.inc.php
@@ -8,7 +8,8 @@ if (empty($keyforselect) || empty($keyforelement) || empty($keyforaliasextra))
 }
 // Add extra fields
-$sql = "SELECT name, label, type, param, fieldcomputed, fielddefault FROM ".MAIN_DB_PREFIX."extrafields WHERE elementtype = '".$keyforselect."' AND type != 'separate' AND entity IN (0, ".$conf->entity.') ORDER BY pos ASC';
+$sql = "SELECT name, label, type, param, fieldcomputed, fielddefault FROM ".MAIN_DB_PREFIX."extrafields";
+$sql .= " WHERE elementtype = '".$this->db->escape($keyforselect)."' AND type != 'separate' AND entity IN (0, ".$conf->entity.') ORDER BY pos ASC';
 //print $sql;
 $resql = $this->db->query($sql);
 if ($resql) // This can fail when class is used on old database (during migration for example)
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index ffd921ba316..ca8dcbde59d 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -4908,9 +4908,9 @@ function get_localtax_by_third($local)
 global $db, $mysoc;
 $sql = "SELECT t.localtax1, t.localtax2 ";
 $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t inner join ".MAIN_DB_PREFIX."c_country as c ON c.rowid=t.fk_pays";
- $sql .= " WHERE c.code = '".$mysoc->country_code."' AND t.active = 1 AND t.taux=(";
+ $sql .= " WHERE c.code = '".$db->escape($mysoc->country_code)."' AND t.active = 1 AND t.taux=(";
 $sql .= " SELECT max(tt.taux) FROM ".MAIN_DB_PREFIX."c_tva as tt inner join ".MAIN_DB_PREFIX."c_country as c ON c.rowid=tt.fk_pays";
- $sql .= " WHERE c.code = '".$mysoc->country_code."' AND tt.active = 1";
+ $sql .= " WHERE c.code = '".$db->escape($mysoc->country_code)."' AND tt.active = 1";
 $sql .= " )";
 $resql = $db->query($sql);
@@ -4956,11 +4956,11 @@ function getTaxesFromId($vatrate, $buyer = null, $seller = null, $firstparamisid
 }
 $sql .= ", ".MAIN_DB_PREFIX."c_country as c";
- /*if ($mysoc->country_code == 'ES') $sql.= " WHERE t.fk_pays = c.rowid AND c.code = '".$buyer->country_code."'"; // vat in spain use the buyer country ??
- else $sql.= " WHERE t.fk_pays = c.rowid AND c.code = '".$seller->country_code."'";*/
- $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$seller->country_code."'";
+ /*if ($mysoc->country_code == 'ES') $sql.= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($buyer->country_code)."'"; // vat in spain use the buyer country ??
+ else $sql.= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($seller->country_code)."'";*/
+ $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($seller->country_code)."'";
 $sql .= " AND t.taux = ".((float) $vatratecleaned)." AND t.active = 1";
- if ($vatratecode) $sql .= " AND t.code = '".$vatratecode."'";
+ if ($vatratecode) $sql .= " AND t.code = '".$db->escape($vatratecode)."'";
 }
 $resql = $db->query($sql);
@@ -5011,10 +5011,10 @@ function getLocalTaxesFromRate($vatrate, $local, $buyer, $seller, $firstparamisi
 }
 $sql .= ", ".MAIN_DB_PREFIX."c_country as c";
- if ($mysoc->country_code == 'ES') $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$buyer->country_code."'"; // local tax in spain use the buyer country ??
- else $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$seller->country_code."'";
+ if ($mysoc->country_code == 'ES') $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($buyer->country_code)."'"; // local tax in spain use the buyer country ??
+ else $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($seller->country_code)."'";
 $sql .= " AND t.taux = ".((float) $vatratecleaned)." AND t.active = 1";
- if ($vatratecode) $sql .= " AND t.code = '".$vatratecode."'";
+ if ($vatratecode) $sql .= " AND t.code = '".$db->escape($vatratecode)."'";
 }
 $resql = $db->query($sql);
@@ -5088,7 +5088,7 @@ function get_product_vat_for_country($idprod, $thirdparty_seller, $idprodfournpr
 // If vat of product for the country not found or not defined, we return the first higher vat of country.
 $sql = "SELECT t.taux as vat_rate, t.code as default_vat_code";
 $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
- $sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$thirdparty_seller->country_code."'";
+ $sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$db->escape($thirdparty_seller->country_code)."'";
 $sql .= " ORDER BY t.taux DESC, t.code ASC, t.recuperableonly ASC";
 $sql .= $db->plimit(1);
@@ -5153,7 +5153,7 @@ function get_product_localtax_for_country($idprod, $local, $thirdparty_seller)
 // If vat of product for the country not found or not defined, we return higher vat of country.
 $sql = "SELECT taux as vat_rate, localtax1, localtax2";
 $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
- $sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$thirdparty_seller->country_code."'";
+ $sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$db->escape($thirdparty_seller->country_code)."'";
 $sql .= " ORDER BY t.taux DESC, t.recuperableonly ASC";
 $sql .= $db->plimit(1);
diff --git a/htdocs/core/lib/functions2.lib.php b/htdocs/core/lib/functions2.lib.php
index ddeb4df4dea..7b0042cf55a 100644
--- a/htdocs/core/lib/functions2.lib.php
+++ b/htdocs/core/lib/functions2.lib.php
@@ -579,6 +579,7 @@ function clean_url($url, $http = 1)
 // Fixed by Matelli (see http://matelli.fr/showcases/patchs-dolibarr/fix-cleaning-url.html)
 // To include the minus sign in a char class, we must not escape it but put it at the end of the class
 // Also, there's no need of escape a dot sign in a class
+ $regs = array();
 if (preg_match('/^(https?:[\\/]+)?([0-9A-Z.-]+\.[A-Z]{2,4})(:[0-9]+)?/i', $url, $regs)) {
 $proto = $regs[1];
@@ -737,6 +738,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 //$date=dol_stringtotime('20130101');
 $hasglobalcounter = false;
+ $reg = array();
 // Extract value for mask counter, mask raz and mask offset
 if (preg_match('/\{(0+)([@\+][0-9\-\+\=]+)?([@\+][0-9\-\+\=]+)?\}/i', $mask, $reg)) {
@@ -755,6 +757,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 if (dol_strlen($maskcounter) < 3 && empty($conf->global->MAIN_COUNTER_WITH_LESS_3_DIGITS)) return 'ErrorCounterMustHaveMoreThan3Digits';
 // Extract value for third party mask counter
+ $regClient = array();
 if (preg_match('/\{(c+)(0*)\}/i', $mask, $regClientRef)) {
 $maskrefclient = $regClientRef[1].$regClientRef[2];
@@ -774,6 +777,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 }
 // Extract value for third party type
+ $regType = array();
 if (preg_match('/\{(t+)\}/i', $mask, $regType)) {
 $masktype = $regType[1];
@@ -802,6 +806,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 $maskperso = array();
 $maskpersonew = array();
 $tmpmask = $mask;
+ $regKey = array();
 while (preg_match('/\{([A-Z]+)\-([1-9])\}/', $tmpmask, $regKey)) {
 $maskperso[$regKey[1]] = '{'.$regKey[1].'-'.$regKey[2].'}';
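Review bot: The initializer added in the @@ -755 hunk sets `$regClient`, but the `preg_match('/\{(c+)(0*)\}/i', $mask, $regClientRef)` on the very next line writes its captures to `$regClientRef`, and that is the variable read afterwards (`$regClientRef[1].$regClientRef[2]`), so the no-match path is still left with an undefined variable. The line should read `$regClientRef = array();`. The other three initializers in this file (`$reg`, `$regType`, `$regKey`) do name the variable their preg_match uses. get_next_value starts and ends outside these hunks.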
@@ -918,19 +923,19 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 elseif ($yearlen == 2) $yearcomp1 = sprintf("%02d", date("y", $date) + $yearoffset + 1);
 $sqlwhere .= "(";
- $sqlwhere .= " (SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$yearcomp."'";
+ $sqlwhere .= " (SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$db->escape($yearcomp)."'";
 $sqlwhere .= " AND SUBSTRING(".$field.", ".$monthpos.", ".$monthlen.") >= '".str_pad($monthcomp, $monthlen, '0', STR_PAD_LEFT)."')";
 $sqlwhere .= " OR";
- $sqlwhere .= " (SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$yearcomp1."'";
+ $sqlwhere .= " (SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$db->escape($yearcomp1)."'";
 $sqlwhere .= " AND SUBSTRING(".$field.", ".$monthpos.", ".$monthlen.") < '".str_pad($monthcomp, $monthlen, '0', STR_PAD_LEFT)."') ";
 $sqlwhere .= ')';
 } elseif ($resetEveryMonth) {
- $sqlwhere .= "(SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$yearcomp."'";
+ $sqlwhere .= "(SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$db->escape($yearcomp)."'";
 $sqlwhere .= " AND SUBSTRING(".$field.", ".$monthpos.", ".$monthlen.") = '".str_pad($monthcomp, $monthlen, '0', STR_PAD_LEFT)."')";
 } else // reset is done on january
 {
- $sqlwhere .= '(SUBSTRING('.$field.', '.$yearpos.', '.$yearlen.") = '".$yearcomp."')";
+ $sqlwhere .= '(SUBSTRING('.$field.', '.$yearpos.', '.$yearlen.") = '".$db->escape($yearcomp)."')";
 }
 }
 //print "sqlwhere=".$sqlwhere." yearcomp=".$yearcomp."
\n"; // sqlwhere and yearcomp defined only if we ask a reset
@@ -969,7 +974,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 $counter = 0;
 $sql = "SELECT MAX(".$sqlstring.") as val";
 $sql .= " FROM ".MAIN_DB_PREFIX.$table;
- $sql .= " WHERE ".$field." LIKE '".$maskLike."'";
+ $sql .= " WHERE ".$field." LIKE '".$db->escape($maskLike)."'";
 $sql .= " AND ".$field." NOT LIKE '(PROV%)'";
 if ($bentityon) // only if entity enable
 $sql .= " AND entity IN (".getEntity($sharetable).")";
@@ -1016,7 +1021,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 $ref = '';
 $sql = "SELECT ".$field." as ref";
 $sql .= " FROM ".MAIN_DB_PREFIX.$table;
- $sql .= " WHERE ".$field." LIKE '".$maskLike."'";
+ $sql .= " WHERE ".$field." LIKE '".$db->escape($maskLike)."'";
 $sql .= " AND ".$field." NOT LIKE '%PROV%'";
 if ($bentityon) // only if entity enable
 $sql .= " AND entity IN (".getEntity($sharetable).")";
@@ -1071,14 +1076,14 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 $maskrefclient_sql = "SELECT MAX(".$maskrefclient_sqlstring.") as val";
 $maskrefclient_sql .= " FROM ".MAIN_DB_PREFIX.$table;
 //$sql.= " WHERE ".$field." not like '(%'";
- $maskrefclient_sql .= " WHERE ".$field." LIKE '".$maskrefclient_maskLike."'";
+ $maskrefclient_sql .= " WHERE ".$field." LIKE '".$db->escape($maskrefclient_maskLike)."'";
 if ($bentityon) // only if entity enable
 $maskrefclient_sql .= " AND entity IN (".getEntity($sharetable).")";
 elseif (!empty($forceentity)) $sql .= " AND entity IN (".$forceentity.")";
 if ($where) $maskrefclient_sql .= $where; //use the same optional where as general mask
 if ($sqlwhere) $maskrefclient_sql .= ' AND '.$sqlwhere; //use the same sqlwhere as general mask
- $maskrefclient_sql .= ' AND (SUBSTRING('.$field.', '.(strpos($maskwithnocode, $maskrefclient) + 1).', '.dol_strlen($maskrefclient_maskclientcode).")='".$maskrefclient_clientcode."')";
+ $maskrefclient_sql .= ' AND (SUBSTRING('.$field.', '.(strpos($maskwithnocode, $maskrefclient) + 1).', '.dol_strlen($maskrefclient_maskclientcode).")='".$db->escape($maskrefclient_clientcode)."')";
 dol_syslog("functions2::get_next_value maskrefclient", LOG_DEBUG);
 $maskrefclient_resql = $db->query($maskrefclient_sql);
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index b9a06b532f4..cd4bc333b41 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
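Review bot: Two lines below the escaped LIKE, the `$forceentity` branch reads `$sql .= " AND entity IN (".$forceentity.")";`, appending to `$sql` instead of `$maskrefclient_sql`, so the forced-entity filter never reaches the `maskrefclient` query executed at the end of the hunk; it should be `$maskrefclient_sql .= " AND entity IN (".$forceentity.")";`. On the same line `$forceentity` is interpolated raw; unless it is guaranteed to be a comma-separated list of integers it deserves a per-element `(int)` cast, in the spirit of the casts this commit adds elsewhere. get_next_value starts and ends outside the hunk.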
@@ -528,7 +528,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 {
 $sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
- $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = '".$user->id."'";
+ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 $sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
 $sql .= " AND (dbt.fk_soc IS NULL OR sc.fk_soc IS NOT NULL)"; // Contact not linked to a company or to a company of user
 $sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
diff --git a/htdocs/core/modules/DolibarrModules.class.php b/htdocs/core/modules/DolibarrModules.class.php
index bd8e7b7d58e..69fce65f781 100644
--- a/htdocs/core/modules/DolibarrModules.class.php
+++ b/htdocs/core/modules/DolibarrModules.class.php
@@ -1586,10 +1586,10 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."const (name,type,value,note,visible,entity)";
 $sql .= " VALUES (";
 $sql .= $this->db->encrypt($name, 1);
- $sql .= ",'".$type."'";
+ $sql .= ",'".$this->db->escape($type)."'";
 $sql .= ",".(($val != '') ? $this->db->encrypt($val, 1) : "''");
 $sql .= ",".($note ? "'".$this->db->escape($note)."'" : "null");
- $sql .= ",'".$visible."'";
+ $sql .= ",'".$this->db->escape($visible)."'";
 $sql .= ",".$entity;
 $sql .= ")";
@@ -1630,7 +1630,7 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
 if ($deleteonunactive) {
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."const";
- $sql .= " WHERE ".$this->db->decrypt('name')." = '".$name."'";
+ $sql .= " WHERE ".$this->db->decrypt('name')." = '".$this->db->escape($name)."'";
 $sql .= " AND entity in (0, ".$conf->entity.")";
 dol_syslog(get_class($this)."::delete_const", LOG_DEBUG);
 if (!$this->db->query($sql)) {
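Review bot: The `(int)` cast on `sc.fk_user` is the right fix, but the next line of checkUserAccessToObject still interpolates `$objectid` raw into `IN (".$objectid.")`, and this query is the access decision itself; the function starts outside the hunk, so whether `$objectid` has already been reduced to a list of integers cannot be confirmed here. If it has not, each element should be cast before joining, e.g. `implode(',', array_map('intval', explode(',', $objectid)))`, so that a non-numeric value cannot change the count the caller relies on. `$dbtablename` and `$dbt_select` are likewise concatenated raw, which is only acceptable if they come from the internal feature table rather than from the request.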
@@ -1700,18 +1700,18 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."rights_def";
 $sql .= " (id, entity, libelle, module, type, bydefault, perms, subperms)";
 $sql .= " VALUES ";
- $sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$r_modul."','".$r_type."',".$r_def.",'".$r_perms."','".$r_subperms."')";
+ $sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$this->db->escape($r_modul)."','".$this->db->escape($r_type)."',".$r_def.",'".$this->db->escape($r_perms)."','".$this->db->escape($r_subperms)."')";
 } else {
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."rights_def";
 $sql .= " (id, entity, libelle, module, type, bydefault, perms)";
 $sql .= " VALUES ";
- $sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$r_modul."','".$r_type."',".$r_def.",'".$r_perms."')";
+ $sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$this->db->escape($r_modul)."','".$this->db->escape($r_type)."',".$r_def.",'".$this->db->escape($r_perms)."')";
 }
 } else {
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."rights_def ";
 $sql .= " (id, entity, libelle, module, type, bydefault)";
 $sql .= " VALUES ";
- $sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$r_modul."','".$r_type."',".$r_def.")";
+ $sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$this->db->escape($r_modul)."','".$this->db->escape($r_type)."',".$r_def.")";
 }
 $resqlinsert = $this->db->query($sql, 1);
@@ -2009,7 +2009,7 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
 $sql = "SELECT count(*)";
 $sql .= " FROM ".MAIN_DB_PREFIX."const";
- $sql .= " WHERE ".$this->db->decrypt('name')." = '".$name."'";
+ $sql .= " WHERE ".$this->db->decrypt('name')." = '".$this->db->escape($name)."'";
 $sql .= " AND entity = ".$conf->entity;
 dol_syslog(get_class($this)."::insert_dirs", LOG_DEBUG);
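Review bot: The three rewritten VALUES lines now escape every string column but still concatenate `$r_id`, `$entity` and `$r_def` raw; as these are numeric columns, `((int) $r_id)`, `((int) $entity)` and `((int) $r_def)` would finish the hardening in the style this commit already uses for `e.rowid`, `m.fk_entrepot` and `sc.fk_user`. The same half-done pattern is left in printgcp.modules.php and printipp.modules.php (`userid=".$user->id` on the very line being changed), in thirdparties_services_expired.modules.php (`fk_mailing=".$mailing_id`), and with `$conf->entity` in the @@ -2009 hunk below. The enclosing methods start and end outside these hunks.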
diff --git a/htdocs/core/modules/barcode/mod_barcode_product_standard.php b/htdocs/core/modules/barcode/mod_barcode_product_standard.php
index 9569f800f7f..5d43609e7de 100644
--- a/htdocs/core/modules/barcode/mod_barcode_product_standard.php
+++ b/htdocs/core/modules/barcode/mod_barcode_product_standard.php
@@ -245,7 +245,7 @@ class mod_barcode_product_standard extends ModeleNumRefBarCode
 {
 // phpcs:enable
 $sql = "SELECT barcode FROM ".MAIN_DB_PREFIX."product";
- $sql .= " WHERE barcode = '".$code."'";
+ $sql .= " WHERE barcode = '".$db->escape($code)."'";
 if ($product->id > 0) $sql .= " AND rowid <> ".$product->id;
 $resql = $db->query($sql);
diff --git a/htdocs/core/modules/expensereport/doc/pdf_standard.modules.php b/htdocs/core/modules/expensereport/doc/pdf_standard.modules.php
index e569d51ab43..ae1310a924a 100644
--- a/htdocs/core/modules/expensereport/doc/pdf_standard.modules.php
+++ b/htdocs/core/modules/expensereport/doc/pdf_standard.modules.php
@@ -1029,7 +1029,7 @@ class pdf_standard extends ModeleExpenseReport
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_paiement as c ON p.fk_typepayment = c.id";
 $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'bank as b ON p.fk_bank = b.rowid';
 $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'bank_account as ba ON b.fk_account = ba.rowid';
- $sql .= " WHERE e.rowid = '".$object->id."'";
+ $sql .= " WHERE e.rowid = ".((int) $object->id);
 $sql .= " AND p.fk_expensereport = e.rowid";
 $sql .= ' AND e.entity IN ('.getEntity('expensereport').')';
 $sql .= " ORDER BY dp";
diff --git a/htdocs/core/modules/facture/mod_facture_mars.php b/htdocs/core/modules/facture/mod_facture_mars.php
index 0f481483bbf..8dc23e045b3 100644
--- a/htdocs/core/modules/facture/mod_facture_mars.php
+++ b/htdocs/core/modules/facture/mod_facture_mars.php
@@ -162,7 +162,7 @@ class mod_facture_mars extends ModeleNumRefFactures
 $posindice = strlen($prefix) + 6;
 $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
 $sql .= " FROM ".MAIN_DB_PREFIX."facture";
- $sql .= " WHERE ref LIKE '".$prefix."____-%'";
+ $sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-%'";
 $sql .= " AND entity IN (".getEntity('invoicenumber', 1, $invoice).")";
 $resql = $db->query($sql);
@@ -184,7 +184,7 @@ class mod_facture_mars extends ModeleNumRefFactures
 $ref = '';
 $sql = "SELECT ref as ref";
 $sql .= " FROM ".MAIN_DB_PREFIX."facture";
- $sql .= " WHERE ref LIKE '".$prefix."____-".$num."'";
+ $sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-".$num."'";
 $sql .= " AND entity IN (".getEntity('invoicenumber', 1, $invoice).")";
 $sql .= " ORDER BY ref DESC";
diff --git a/htdocs/core/modules/facture/mod_facture_terre.php b/htdocs/core/modules/facture/mod_facture_terre.php
index 9b744523db8..588b2f34aab 100644
--- a/htdocs/core/modules/facture/mod_facture_terre.php
+++ b/htdocs/core/modules/facture/mod_facture_terre.php
@@ -194,7 +194,7 @@ class mod_facture_terre extends ModeleNumRefFactures
 $posindice = strlen($prefix) + 6;
 $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
 $sql .= " FROM ".MAIN_DB_PREFIX."facture";
- $sql .= " WHERE ref LIKE '".$prefix."____-%'";
+ $sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-%'";
 $sql .= " AND entity IN (".getEntity('invoicenumber', 1, $invoice).")";
 $resql = $db->query($sql);
@@ -215,7 +215,7 @@ class mod_facture_terre extends ModeleNumRefFactures
 $ref = '';
 $sql = "SELECT ref as ref";
 $sql .= " FROM ".MAIN_DB_PREFIX."facture";
- $sql .= " WHERE ref LIKE '".$prefix."____-".$num."'";
+ $sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-".$num."'";
 $sql .= " AND entity IN (".getEntity('invoicenumber', 1, $invoice).")";
 $sql .= " ORDER BY ref DESC";
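Review bot: `$db->escape($prefix)` neutralises quote characters, but the value is used inside a `LIKE` pattern and `escape` does not neutralise the LIKE wildcards `%` and `_`, so a configured prefix containing either still widens the match; in the second query `$num` is also still interpolated raw (presumably a number built from `$max`, but its origin is outside the hunk). If the database layer offers a LIKE-aware escape, use it for `$prefix`; otherwise cast `$num` with `(int)` and add a comment that `$prefix` is trusted administrator configuration. The same LIKE construction appears in mod_facture_terre.php, mod_codeclient_monkey.php, mod_facture_fournisseur_cactus.php and mod_ticket_simple.php in this commit. getNextValue starts and ends outside the hunks.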
diff --git a/htdocs/core/modules/import/import_csv.modules.php b/htdocs/core/modules/import/import_csv.modules.php
index 51ad55cc937..330454e2105 100644
--- a/htdocs/core/modules/import/import_csv.modules.php
+++ b/htdocs/core/modules/import/import_csv.modules.php
@@ -843,7 +843,7 @@ class ImportCsv extends ModeleImports
 if (!$error && !$updatedone) {
 // Build SQL INSERT request
 $sqlstart = 'INSERT INTO '.$tablename.'('.implode(', ', $listfields).', import_key';
- $sqlend = ') VALUES('.implode(', ', $listvalues).", '".$importid."'";
+ $sqlend = ') VALUES('.implode(', ', $listvalues).", '".$this->db->escape($importid)."'";
 if (!empty($tablewithentity_cache[$tablename])) {
 $sqlstart .= ', entity';
 $sqlend .= ', '.$conf->entity;
diff --git a/htdocs/core/modules/import/import_xlsx.modules.php b/htdocs/core/modules/import/import_xlsx.modules.php
index 090d57645ea..f6daa52d541 100644
--- a/htdocs/core/modules/import/import_xlsx.modules.php
+++ b/htdocs/core/modules/import/import_xlsx.modules.php
@@ -872,7 +872,7 @@ class ImportXlsx extends ModeleImports
 if (!$error && !$updatedone) {
 // Build SQL INSERT request
 $sqlstart = 'INSERT INTO '.$tablename.'('.implode(', ', $listfields).', import_key';
- $sqlend = ') VALUES('.implode(', ', $listvalues).", '".$importid."'";
+ $sqlend = ') VALUES('.implode(', ', $listvalues).", '".$db->escape($importid)."'";
 if (!empty($tablewithentity_cache[$tablename])) {
 $sqlstart .= ', entity';
 $sqlend .= ', '.$conf->entity;
diff --git a/htdocs/core/modules/mailings/contacts1.modules.php b/htdocs/core/modules/mailings/contacts1.modules.php
index 2ba999fa8b7..be5e8435ad2 100644
--- a/htdocs/core/modules/mailings/contacts1.modules.php
+++ b/htdocs/core/modules/mailings/contacts1.modules.php
@@ -75,7 +75,7 @@ class mailing_contacts1 extends MailingTargets
 $langs->load("commercial");
 $statssql = array();
- $statssql[0] = "SELECT '".$langs->trans("NbOfCompaniesContacts")."' as label,";
+ $statssql[0] = "SELECT '".$this->db->escape($langs->trans("NbOfCompaniesContacts"))."' as label,";
 $statssql[0] .= " count(distinct(c.email)) as nb";
 $statssql[0] .= " FROM ".MAIN_DB_PREFIX."socpeople as c";
 $statssql[0] .= " WHERE c.entity IN (".getEntity('socpeople').")";
@@ -390,7 +390,7 @@ class mailing_contacts1 extends MailingTargets
 {
 //print "xx".$key;
 if ($key == 'prospects') $sql .= " AND s.client=2";
- foreach ($prospectlevel as $codelevel=>$valuelevel) if ($key == 'prospectslevel'.$codelevel) $sql .= " AND s.fk_prospectlevel='".$codelevel."'";
+ foreach ($prospectlevel as $codelevel=>$valuelevel) if ($key == 'prospectslevel'.$codelevel) $sql .= " AND s.fk_prospectlevel='".$this->db->escape($codelevel)."'";
 if ($key == 'customers') $sql .= " AND s.client=1";
 if ($key == 'suppliers') $sql .= " AND s.fournisseur=1";
 }
diff --git a/htdocs/core/modules/mailings/fraise.modules.php b/htdocs/core/modules/mailings/fraise.modules.php
index f9c876b0230..7b9eeb02c0d 100644
--- a/htdocs/core/modules/mailings/fraise.modules.php
+++ b/htdocs/core/modules/mailings/fraise.modules.php
@@ -266,9 +266,9 @@ class mailing_fraise extends MailingTargets
 if ($dateendsubscriptionbefore > 0) $sql .= " AND datefin < '".$this->db->idate($dateendsubscriptionbefore)."'";
 $sql .= " AND a.fk_adherent_type = ta.rowid";
 // Filter on type
- if ($_POST['filter_type']) $sql .= " AND ta.rowid='".$_POST['filter_type']."'";
+ if (GETPOSTISET('filter_type')) $sql .= " AND ta.rowid='".$this->db->escape(GETPOST('filter_type'))."'";
 // Filter on category
- if ($_POST['filter_category']) $sql .= " AND c.rowid='".$_POST['filter_category']."'";
+ if (GETPOSTISSET('filter_category')) $sql .= " AND c.rowid='".$this->db->escape(GETPOST('filter_category'))."'";
 $sql .= " ORDER BY a.email";
 //print $sql;
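Review bot: `GETPOSTISET('filter_type')` on the first changed line of the fraise.modules.php hunk is not the function used one line below (`GETPOSTISSET`); unless a `GETPOSTISET` helper exists in this codebase, the branch aborts with an undefined-function error as soon as the target list is built. Both conditions also change behaviour: the old `if ($_POST['filter_type'])` skipped empty submissions, whereas `GETPOSTISSET` is true for a submitted empty string, which then emits `ta.rowid=''`. Since both columns are integer ids, `$filterType = GETPOST('filter_type', 'int'); if ($filterType > 0) $sql .= " AND ta.rowid = ".((int) $filterType);` keeps the skip-when-empty behaviour and matches the `(int)` style used elsewhere in this commit; the same applies to `filter_category`. The enclosing method starts and ends outside the hunk.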
diff --git a/htdocs/core/modules/mailings/modules_mailings.php b/htdocs/core/modules/mailings/modules_mailings.php
index 32222d619a0..4c078a39130 100644
--- a/htdocs/core/modules/mailings/modules_mailings.php
+++ b/htdocs/core/modules/mailings/modules_mailings.php
@@ -175,7 +175,7 @@ class MailingTargets // This can't be abstract as it is used for some method
 $sql .= " tag,";
 $sql .= " source_type)";
 $sql .= " VALUES (".$mailing_id.",";
- $sql .= (empty($targetarray['fk_contact']) ? '0' : "'".$targetarray['fk_contact']."'").",";
+ $sql .= (empty($targetarray['fk_contact']) ? '0' : "'".$this->db->escape($targetarray['fk_contact'])."'").",";
 $sql .= "'".$this->db->escape($targetarray['lastname'])."',";
 $sql .= "'".$this->db->escape($targetarray['firstname'])."',";
 $sql .= "'".$this->db->escape($targetarray['email'])."',";
diff --git a/htdocs/core/modules/mailings/pomme.modules.php b/htdocs/core/modules/mailings/pomme.modules.php
index 38c7fc78065..52da4f87a32 100644
--- a/htdocs/core/modules/mailings/pomme.modules.php
+++ b/htdocs/core/modules/mailings/pomme.modules.php
@@ -73,7 +73,7 @@ class mailing_pomme extends MailingTargets
 $langs->load("users");
 $statssql = array();
- $sql = "SELECT '".$langs->trans("DolibarrUsers")."' as label,";
+ $sql = "SELECT '".$this->db->escape($langs->trans("DolibarrUsers"))."' as label,";
 $sql .= " count(distinct(u.email)) as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX."user as u";
 $sql .= " WHERE u.email != ''"; // u.email IS NOT NULL est implicite dans ce test
diff --git a/htdocs/core/modules/mailings/thirdparties_services_expired.modules.php b/htdocs/core/modules/mailings/thirdparties_services_expired.modules.php
index 852f05f837a..51bdb7b6b87 100644
--- a/htdocs/core/modules/mailings/thirdparties_services_expired.modules.php
+++ b/htdocs/core/modules/mailings/thirdparties_services_expired.modules.php
@@ -113,7 +113,7 @@ class mailing_thirdparties_services_expired extends MailingTargets
 $sql .= " WHERE s.entity IN (".getEntity('societe').")";
 $sql .= " AND s.email NOT IN (SELECT email FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE fk_mailing=".$mailing_id.")";
 $sql .= " AND s.rowid = c.fk_soc AND cd.fk_contrat = c.rowid AND s.email != ''";
- $sql .= " AND cd.statut= 4 AND cd.fk_product=p.rowid AND p.ref = '".$product."'";
+ $sql .= " AND cd.statut= 4 AND cd.fk_product=p.rowid AND p.ref = '".$this->db->escape($product)."'";
 $sql .= " AND cd.date_fin_validite < '".$this->db->idate($now)."'";
 $sql .= " ORDER BY s.email";
diff --git a/htdocs/core/modules/movement/doc/pdf_standard.modules.php b/htdocs/core/modules/movement/doc/pdf_standard.modules.php
index ecdcb9925f1..308c541bb69 100644
--- a/htdocs/core/modules/movement/doc/pdf_standard.modules.php
+++ b/htdocs/core/modules/movement/doc/pdf_standard.modules.php
@@ -291,13 +291,13 @@ class pdf_stdandard extends ModelePDFMovement
 {
 $sql .= " AND m.datem BETWEEN '".$db->idate(dol_get_first_day($year, 1, false))."' AND '".$db->idate(dol_get_last_day($year, 12, false))."'";
 }
- if ($idproduct > 0) $sql .= " AND p.rowid = '".$idproduct."'";
+ if ($idproduct > 0) $sql .= " AND p.rowid = ".((int) $idproduct);
 if (!empty($search_ref)) $sql .= natural_search('m.rowid', $search_ref, 1);
 if (!empty($search_movement)) $sql .= natural_search('m.label', $search_movement);
 if (!empty($search_inventorycode)) $sql .= natural_search('m.inventorycode', $search_inventorycode);
 if (!empty($search_product_ref)) $sql .= natural_search('p.ref', $search_product_ref);
 if (!empty($search_product)) $sql .= natural_search('p.label', $search_product);
- if ($search_warehouse > 0) $sql .= " AND e.rowid = '".$db->escape($search_warehouse)."'";
+ if ($search_warehouse > 0) $sql .= " AND e.rowid = ".((int) $db->escape($search_warehouse));
 if (!empty($search_user)) $sql .= natural_search('u.login', $search_user);
 if (!empty($search_batch)) $sql .= natural_search('m.batch', $search_batch);
 if ($search_qty != '') $sql .= natural_search('m.value', $search_qty, 1);
@@ -489,7 +489,7 @@ class pdf_stdandard extends ModelePDFMovement
 $sql = "SELECT label";
 $sql .= " FROM ".MAIN_DB_PREFIX."product_lang";
 $sql .= " WHERE fk_product=".$objp->rowid;
- $sql .= " AND lang='".$langs->getDefaultLang()."'";
+ $sql .= " AND lang='".$this->db->escape($langs->getDefaultLang())."'";
 $sql .= " LIMIT 1";
 $result = $db->query($sql);
@@ -1049,7 +1049,7 @@ class pdf_stdandard extends ModelePDFMovement
 // Last movement
 $sql = "SELECT max(m.datem) as datem";
 $sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m";
- $sql .= " WHERE m.fk_entrepot = '".$object->id."'";
+ $sql .= " WHERE m.fk_entrepot = ".((int) $object->id);
 $resqlbis = $db->query($sql);
 if ($resqlbis) {
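Review bot: On the `$search_warehouse` line of the @@ -291 hunk, `((int) $db->escape($search_warehouse))` is redundant: the `(int)` cast alone produces a safe integer literal, and escaping a value that is immediately cast only obscures which of the two is doing the work. Write it as `if ($search_warehouse > 0) $sql .= " AND e.rowid = ".((int) $search_warehouse);` to match the `$idproduct` line just above. In the @@ -489 hunk `$objp->rowid` is still concatenated raw; it is presumably an id read from a fetched row, but a `(int)` cast would make that explicit. The enclosing methods start and end outside the hunks.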
diff --git a/htdocs/core/modules/printing/printgcp.modules.php b/htdocs/core/modules/printing/printgcp.modules.php
index f68de863ab8..fc7fef9a158 100644
--- a/htdocs/core/modules/printing/printgcp.modules.php
+++ b/htdocs/core/modules/printing/printgcp.modules.php
@@ -312,7 +312,7 @@ class printing_printgcp extends PrintingDriver
 $fileprint .= '/'.$file;
 $mimetype = dol_mimetype($fileprint);
 // select printer uri for module order, propal,...
- $sql = "SELECT rowid, printer_id, copy FROM ".MAIN_DB_PREFIX."printing WHERE module='".$module."' AND driver='printgcp' AND userid=".$user->id;
+ $sql = "SELECT rowid, printer_id, copy FROM ".MAIN_DB_PREFIX."printing WHERE module='".$this->db->escape($module)."' AND driver='printgcp' AND userid=".$user->id;
 $result = $this->db->query($sql);
 if ($result) {
diff --git a/htdocs/core/modules/printing/printipp.modules.php b/htdocs/core/modules/printing/printipp.modules.php
index b4b24b062df..bd51b2c170e 100644
--- a/htdocs/core/modules/printing/printipp.modules.php
+++ b/htdocs/core/modules/printing/printipp.modules.php
@@ -107,7 +107,7 @@ class printing_printipp extends PrintingDriver
 if (!empty($this->user)) $ipp->setAuthentication($this->user, $this->password);
 // select printer uri for module order, propal,...
- $sql = "SELECT rowid,printer_id,copy FROM ".MAIN_DB_PREFIX."printing WHERE module = '".$module."' AND driver = 'printipp' AND userid = ".$user->id;
+ $sql = "SELECT rowid,printer_id,copy FROM ".MAIN_DB_PREFIX."printing WHERE module = '".$this->db->escape($module)."' AND driver = 'printipp' AND userid = ".$user->id;
 $result = $this->db->query($sql);
 if ($result) {
 $obj = $this->db->fetch_object($result);
diff --git a/htdocs/core/modules/product/mod_codeproduct_elephant.php b/htdocs/core/modules/product/mod_codeproduct_elephant.php
index 0b5fcd5212c..7c2a7e479da 100644
--- a/htdocs/core/modules/product/mod_codeproduct_elephant.php
+++ b/htdocs/core/modules/product/mod_codeproduct_elephant.php
@@ -313,7 +313,7 @@ class mod_codeproduct_elephant extends ModeleProductCode
 {
 // phpcs:enable
 $sql = "SELECT ref FROM ".MAIN_DB_PREFIX."product";
- $sql .= " WHERE ref = '".$code."'";
+ $sql .= " WHERE ref = '".$this->db->escape($code)."'";
 if ($product->id > 0) $sql .= " AND rowid <> ".$product->id;
 $resql = $db->query($sql);
diff --git a/htdocs/core/modules/societe/mod_codeclient_monkey.php b/htdocs/core/modules/societe/mod_codeclient_monkey.php
index 378b9bd5045..a73e7db2911 100644
--- a/htdocs/core/modules/societe/mod_codeclient_monkey.php
+++ b/htdocs/core/modules/societe/mod_codeclient_monkey.php
@@ -133,7 +133,7 @@ class mod_codeclient_monkey extends ModeleThirdPartyCode
 $posindice = strlen($prefix) + 6;
 $sql = "SELECT MAX(CAST(SUBSTRING(".$field." FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
 $sql .= " FROM ".MAIN_DB_PREFIX."societe";
- $sql .= " WHERE ".$field." LIKE '".$prefix."____-%'";
+ $sql .= " WHERE ".$field." LIKE '".$db->escape($prefix)."____-%'";
 $sql .= " AND entity IN (".getEntity('societe').")";
 dol_syslog(get_class($this)."::getNextValue", LOG_DEBUG);
diff --git a/htdocs/core/modules/stock/doc/pdf_standard.modules.php b/htdocs/core/modules/stock/doc/pdf_standard.modules.php
index 12e275e679f..acdbbb89357 100644
--- a/htdocs/core/modules/stock/doc/pdf_standard.modules.php
+++ b/htdocs/core/modules/stock/doc/pdf_standard.modules.php
@@ -863,7 +863,7 @@ class pdf_standard extends ModelePDFStock
 // Last movement
 $sql = "SELECT max(m.datem) as datem";
 $sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m";
- $sql .= " WHERE m.fk_entrepot = '".$object->id."'";
+ $sql .= " WHERE m.fk_entrepot = ".((int) $object->id);
 $resqlbis = $db->query($sql);
 if ($resqlbis) {
diff --git a/htdocs/core/modules/supplier_invoice/mod_facture_fournisseur_cactus.php b/htdocs/core/modules/supplier_invoice/mod_facture_fournisseur_cactus.php
index 18579b0397c..2b528e1154f 100644
--- a/htdocs/core/modules/supplier_invoice/mod_facture_fournisseur_cactus.php
+++ b/htdocs/core/modules/supplier_invoice/mod_facture_fournisseur_cactus.php
@@ -182,7 +182,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices
 $posindice = strlen($prefix) + 6;
 $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
 $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn";
- $sql .= " WHERE ref LIKE '".$prefix."____-%'";
+ $sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-%'";
 $sql .= " AND entity = ".$conf->entity;
 $resql = $db->query($sql);
@@ -204,7 +204,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices
 $ref = '';
 $sql = "SELECT ref as ref";
 $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn";
- $sql .= " WHERE ref LIKE '".$prefix."____-".$num."'";
+ $sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-".$num."'";
 $sql .= " AND entity = ".$conf->entity;
 dol_syslog(get_class($this)."::getNextValue", LOG_DEBUG);
diff --git a/htdocs/core/modules/ticket/mod_ticket_simple.php b/htdocs/core/modules/ticket/mod_ticket_simple.php
index 67eebfc789a..679224c5357 100644
--- a/htdocs/core/modules/ticket/mod_ticket_simple.php
+++ b/htdocs/core/modules/ticket/mod_ticket_simple.php
@@ -93,7 +93,7 @@ class mod_ticket_simple extends ModeleNumRefTicket
 $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
 $sql .= " FROM ".MAIN_DB_PREFIX."ticket";
 $search = $this->prefix."____-%";
- $sql .= " WHERE ref LIKE '".$search."'";
+ $sql .= " WHERE ref LIKE '".$db->escape($search)."'";
 $sql .= " AND entity = ".$conf->entity;
 $resql = $db->query($sql);
 if ($resql) {
@@ -128,7 +128,7 @@ class mod_ticket_simple extends ModeleNumRefTicket
 $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
 $sql .= " FROM ".MAIN_DB_PREFIX."ticket";
 $search = $this->prefix."____-%";
- $sql .= " WHERE ref LIKE '".$search."'";
+ $sql .= " WHERE ref LIKE '".$db->escape($search)."'";
 $sql .= " AND entity = ".$conf->entity;
 $resql = $db->query($sql);