From b6c6473cce48ee4d227bba1b43eedc9a5523e4ac Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 18 Sep 2020 17:47:40 +0200
Subject: [PATCH] Fix sql injection when forging requests with IN

---
 htdocs/comm/propal/list.php | 2 +-
 htdocs/comm/propal/stats/index.php | 2 +-
 htdocs/commande/stats/index.php | 4 ++--
 htdocs/compta/facture/stats/index.php | 4 ++--
 htdocs/core/class/html.form.class.php | 2 +-
 htdocs/expensereport/stats/index.php | 2 +-
 htdocs/fichinter/stats/index.php | 2 +-
 htdocs/holiday/list.php | 2 +-
 htdocs/modulebuilder/template/class/myobject.class.php | 2 +-
 htdocs/recruitment/class/recruitmentcandidature.class.php | 2 +-
 htdocs/recruitment/class/recruitmentjobposition.class.php | 2 +-
 htdocs/supplier_proposal/list.php | 2 +-
 htdocs/ticket/stats/index.php | 2 +-
 13 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php
index e3064f6adf6..d4bf2e392f3 100644
--- a/htdocs/comm/propal/list.php
+++ b/htdocs/comm/propal/list.php
@@ -361,7 +361,7 @@ if ($search_product_category > 0) $sql .= " AND cp.fk_categorie = ".$db->escape(
 if ($socid > 0) $sql .= ' AND s.rowid = '.$socid;
 if ($search_status != '' && $search_status != '-1')
 {
- $sql .= ' AND p.fk_statut IN ('.$db->escape($search_status).')';
+ $sql .= ' AND p.fk_statut IN ('.$this->db->sanitize($db->escape($search_status)).')';
 }
 if ($search_date_start) $sql .= " AND p.datep >= '".$db->idate($search_date_start)."'";
 if ($search_date_end) $sql .= " AND p.datep <= '".$db->idate($search_date_end)."'";
diff --git a/htdocs/comm/propal/stats/index.php b/htdocs/comm/propal/stats/index.php
index 00a79f3c1be..6cf14e92d50 100644
--- a/htdocs/comm/propal/stats/index.php
+++ b/htdocs/comm/propal/stats/index.php
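Review bot: The added line calls `$this->db->sanitize(...)` in comm/propal/list.php, which is a page script rather than a class method — the surrounding lines use `$db->escape()` and `$db->idate()` directly, and the new line itself still passes `$db->escape($search_status)` as the argument — so whenever a status filter is set PHP throws `Error: Using $this when not in object context` and the statement this fix is meant to harden never executes. The call should go through the same connection object as the rest of the file: `$sql .= ' AND p.fk_statut IN ('.$db->sanitize($db->escape($search_status)).')';`. The same `$this->db` slip appears in every other page-script hunk of this commit — comm/propal/stats/index.php, both branches in commande/stats/index.php, both hunks in compta/facture/stats/index.php, expensereport/stats/index.php, fichinter/stats/index.php, holiday/list.php, supplier_proposal/list.php and ticket/stats/index.php — while the class-method hunks (html.form.class.php, myobject.class.php and the two recruitment classes) use `$this->db` legitimately. A smoke test that loads each list and stats page with a non-empty status filter would have caught this before merge. A short comment on the line, such as `// escape() alone does not protect an unquoted IN (...) list; sanitize() restricts the value to list characters`, would also record why both calls are stacked, assuming that is what sanitize() does.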
@@ -101,7 +101,7 @@ dol_mkdir($dir);
 
 $stats = new PropaleStats($db, $socid, ($userid > 0 ? $userid : 0), $mode, ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0));
 
-if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND p.fk_statut IN ('.$db->escape($object_status).')';
+if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND p.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')';
 
 // Build graphic number of object
 $data = $stats->getNbByMonthWithPrevYear($endyear, $startyear);
diff --git a/htdocs/commande/stats/index.php b/htdocs/commande/stats/index.php
index 0910e4ee7ad..8ef736ca333 100644
--- a/htdocs/commande/stats/index.php
+++ b/htdocs/commande/stats/index.php
@@ -94,11 +94,11 @@ dol_mkdir($dir);
 $stats = new CommandeStats($db, $socid, $mode, ($userid > 0 ? $userid : 0), ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0));
 if ($mode == 'customer')
 {
- if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND c.fk_statut IN ('.$db->escape($object_status).')';
+ if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND c.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')';
 }
 if ($mode == 'supplier')
 {
- if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND c.fk_statut IN ('.$db->escape($object_status).')';
+ if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND c.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')';
 }
 
 
diff --git a/htdocs/compta/facture/stats/index.php b/htdocs/compta/facture/stats/index.php
index 82ba8a33467..543585ddbb0 100644
--- a/htdocs/compta/facture/stats/index.php
+++ b/htdocs/compta/facture/stats/index.php
@@ -94,7 +94,7 @@ dol_mkdir($dir);
 $stats = new FactureStats($db, $socid, $mode, ($userid > 0 ? $userid : 0), ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0));
 if ($mode == 'customer')
 {
- if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$db->escape($object_status).')';
+ if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')';
 if (is_array($custcats) && !empty($custcats)) {
 $stats->from .= ' LEFT JOIN '.MAIN_DB_PREFIX.'categorie_societe as cat ON (f.fk_soc = cat.fk_soc)';
 $stats->where .= ' AND cat.fk_categorie IN ('.implode(',', $custcats).')';
@@ -102,7 +102,7 @@ if ($mode == 'customer')
 }
 if ($mode == 'supplier')
 {
- if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$db->escape($object_status).')';
+ if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')';
 }
 
 // Build graphic number of object
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index 7c5d350d21e..5dfe76427f2 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
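Review bot: Two lines below the hardened status filter in the first compta/facture/stats hunk, `$stats->where .= ' AND cat.fk_categorie IN ('.implode(',', $custcats).')';` concatenates the category list with neither escape() nor sanitize(), so the commit closes one unquoted IN (...) clause and leaves an identical one untouched on the new side. Where `$custcats` is built is outside the hunk; if it is derived from request parameters it needs the same treatment as `$object_status`, and since fk_categorie is an id column the simplest well-formed version is `implode(',', array_map('intval', $custcats))`, which also makes the integer contract explicit. The enclosing `if ($mode == 'customer')` block continues past the end of the hunk.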
@@ -2163,7 +2163,7 @@ class Form
 {
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps on ps.fk_product = p.rowid";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."entrepot as e on ps.fk_entrepot = e.rowid AND e.entity IN (".getEntity('stock').")";
- $sql .= ' AND e.statut IN ('.$this->db->escape(implode(',', $warehouseStatusArray)).')'; // Return line if product is inside the selected stock. If not, an empty line will be returned so we will count 0.
+ $sql .= ' AND e.statut IN ('.$this->db->sanitize($this->db->escape(implode(',', $warehouseStatusArray))).')'; // Return line if product is inside the selected stock. If not, an empty line will be returned so we will count 0.
 }
 
 // include search in supplier ref
diff --git a/htdocs/expensereport/stats/index.php b/htdocs/expensereport/stats/index.php
index eff10cd9323..f73b95a6ebb 100644
--- a/htdocs/expensereport/stats/index.php
+++ b/htdocs/expensereport/stats/index.php
@@ -75,7 +75,7 @@ print load_fiche_titre($title, '', 'trip');
 dol_mkdir($dir);
 
 $stats = new ExpenseReportStats($db, $socid, $userid);
-if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND e.fk_statut IN ('.$db->escape($object_status).')';
+if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND e.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')';
 
 // Build graphic number of object
 // $data = array(array('Lib',val1,val2,val3),...)
diff --git a/htdocs/fichinter/stats/index.php b/htdocs/fichinter/stats/index.php
index cb076e01ef1..336a55eb32e 100644
--- a/htdocs/fichinter/stats/index.php
+++ b/htdocs/fichinter/stats/index.php
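Review bot: The added line in html.form.class.php sanitizes `$warehouseStatusArray` only after its elements have been joined into one string, so an unexpected element is silently stripped down rather than rejected, and the inner escape() adds nothing once the outer call constrains the character set (how much sanitize() strips is not visible here, so treat that as an assumption). If e.statut holds integer status codes, as the column name suggests, validating each element before the implode is both stricter and easier to read: `$sql .= ' AND e.statut IN ('.implode(',', array_map('intval', $warehouseStatusArray)).')';`. The method this belongs to starts and ends outside the hunk.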
@@ -70,7 +70,7 @@ print load_fiche_titre($title, '', 'intervention');
 dol_mkdir($dir);
 
 $stats = new FichinterStats($db, $socid, $mode, ($userid > 0 ? $userid : 0));
-if ($object_status != '' && $object_status > -1) $stats->where .= ' AND c.fk_statut IN ('.$db->escape($object_status).')';
+if ($object_status != '' && $object_status > -1) $stats->where .= ' AND c.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')';
 
 // Build graphic number of object
 $data = $stats->getNbByMonthWithPrevYear($endyear, $startyear);
diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php
index 100507f0610..1f2ad4ecf20 100644
--- a/htdocs/holiday/list.php
+++ b/htdocs/holiday/list.php
@@ -311,7 +311,7 @@ if (!empty($search_valideur) && $search_valideur != -1) {
 }
 // Type
 if (!empty($search_type) && $search_type != -1) {
- $sql .= ' AND cp.fk_type IN ('.$db->escape($search_type).')';
+ $sql .= ' AND cp.fk_type IN ('.$this->db->sanitize($db->escape($search_type)).')';
 }
 // Status
 if (!empty($search_status) && $search_status != -1) {
diff --git a/htdocs/modulebuilder/template/class/myobject.class.php b/htdocs/modulebuilder/template/class/myobject.class.php
index cdf3996c46c..f52d28c2489 100644
--- a/htdocs/modulebuilder/template/class/myobject.class.php
+++ b/htdocs/modulebuilder/template/class/myobject.class.php
@@ -426,7 +426,7 @@ class MyObject extends CommonObject
 } elseif ($key == 'customsql') {
 $sqlwhere[] = $value;
 } elseif (strpos($value, '%') === false) {
- $sqlwhere[] = $key.' IN ('.$this->db->escape($value).')';
+ $sqlwhere[] = $key.' IN ('.$this->db->sanitize($this->db->escape($value)).')';
 } else {
 $sqlwhere[] = $key.' LIKE \'%'.$this->db->escape($value).'%\'';
 }
diff --git a/htdocs/recruitment/class/recruitmentcandidature.class.php b/htdocs/recruitment/class/recruitmentcandidature.class.php
index 74644270e6a..df96744526b 100644
--- a/htdocs/recruitment/class/recruitmentcandidature.class.php
+++ b/htdocs/recruitment/class/recruitmentcandidature.class.php
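Review bot: In the myobject.class.php filter loop, `$key` is concatenated into the WHERE clause as a raw column name on both the `IN (...)` line and the `LIKE` line, and the `customsql` branch appends `$value` verbatim, so sanitizing `$value` on the IN line alone still leaves the clause only as safe as the caller that built the filter array — a contract the code does not state anywhere in the hunk. A comment above the loop such as `// Filter keys are used as raw column names and 'customsql' values as raw SQL: callers must build them from trusted code, never from request input` would make the constraint visible, and checking each `$key` against the object's declared field list before use would enforce it. The same shape is repeated in recruitmentcandidature.class.php and recruitmentjobposition.class.php. The loop head and the enclosing method lie outside the hunk.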
@@ -403,7 +403,7 @@ class RecruitmentCandidature extends CommonObject
 } elseif ($key == 'customsql') {
 $sqlwhere[] = $value;
 } elseif (strpos($value, '%') === false) {
- $sqlwhere[] = $key.' IN ('.$this->db->escape($value).')';
+ $sqlwhere[] = $key.' IN ('.$this->db->sanitize($this->db->escape($value)).')';
 } else {
 $sqlwhere[] = $key.' LIKE \'%'.$this->db->escape($value).'%\'';
 }
diff --git a/htdocs/recruitment/class/recruitmentjobposition.class.php b/htdocs/recruitment/class/recruitmentjobposition.class.php
index 0f28b34be6a..355cae49c89 100644
--- a/htdocs/recruitment/class/recruitmentjobposition.class.php
+++ b/htdocs/recruitment/class/recruitmentjobposition.class.php
@@ -396,7 +396,7 @@ class RecruitmentJobPosition extends CommonObject
 } elseif ($key == 'customsql') {
 $sqlwhere[] = $value;
 } elseif (strpos($value, '%') === false) {
- $sqlwhere[] = $key.' IN ('.$this->db->escape($value).')';
+ $sqlwhere[] = $key.' IN ('.$this->db->sanitize($this->db->escape($value)).')';
 } else {
 $sqlwhere[] = $key.' LIKE \'%'.$this->db->escape($value).'%\'';
 }
diff --git a/htdocs/supplier_proposal/list.php b/htdocs/supplier_proposal/list.php
index 0b05d3afabd..2ead83c0eb2 100644
--- a/htdocs/supplier_proposal/list.php
+++ b/htdocs/supplier_proposal/list.php
@@ -314,7 +314,7 @@ if ($search_multicurrency_montant_vat != '') $sql .= natural_search('sp.multicur
 if ($search_multicurrency_montant_ttc != '') $sql .= natural_search('sp.multicurrency_total_ttc', $search_multicurrency_montant_ttc, 1);
 if ($sall) $sql .= natural_search(array_keys($fieldstosearchall), $sall);
 if ($socid) $sql .= ' AND s.rowid = '.$socid;
-if ($search_status >= 0 && $search_status != '') $sql .= ' AND sp.fk_statut IN ('.$db->escape($search_status).')';
+if ($search_status >= 0 && $search_status != '') $sql .= ' AND sp.fk_statut IN ('.$this->db->sanitize($db->escape($search_status)).')';
 $sql .= dolSqlDateFilter("sp.date_livraison", $day, $month, $year);
 $sql .= dolSqlDateFilter("sp.date_valid", $dayvalid, $monthvalid, $yearvalid);
 if ($search_sale > 0) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$search_sale;
diff --git a/htdocs/ticket/stats/index.php b/htdocs/ticket/stats/index.php
index da921577596..d00d1b8ac34 100644
--- a/htdocs/ticket/stats/index.php
+++ b/htdocs/ticket/stats/index.php
@@ -70,7 +70,7 @@ print load_fiche_titre($title, '', 'ticket');
 dol_mkdir($dir);
 
 $stats = new TicketStats($db, $socid, ($userid > 0 ? $userid : 0));
-if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND fk_statut IN ('.$db->escape($object_status).')';
+if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')';
 
 // Build graphic number of object