diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php
index a709e07f3ff..ba6728586f1 100644
--- a/htdocs/adherents/class/adherent.class.php
+++ b/htdocs/adherents/class/adherent.class.php
@@ -439,18 +439,18 @@ class Adherent extends CommonObject
 $sql.= ", town=" .($this->town?"'".$this->db->escape($this->town)."'":"null");
 $sql.= ", country=".($this->country_id>0?"'".$this->country_id."'":"null");
 $sql.= ", state_id=".($this->state_id>0?"'".$this->state_id."'":"null");
- $sql.= ", email='".$this->email."'";
- $sql.= ", skype='".$this->skype."'";
+ $sql.= ", email='".$this->db->escape($this->email)."'";
+ $sql.= ", skype='".$this->db->escape($this->skype)."'";
 $sql.= ", phone=" .($this->phone?"'".$this->db->escape($this->phone)."'":"null");
 $sql.= ", phone_perso=" .($this->phone_perso?"'".$this->db->escape($this->phone_perso)."'":"null");
 $sql.= ", phone_mobile=" .($this->phone_mobile?"'".$this->db->escape($this->phone_mobile)."'":"null");
 $sql.= ", note_private=" .($this->note_private?"'".$this->db->escape($this->note_private)."'":"null");
 $sql.= ", note_public=" .($this->note_public?"'".$this->db->escape($this->note_public)."'":"null");
 $sql.= ", photo=" .($this->photo?"'".$this->photo."'":"null");
- $sql.= ", public='".$this->public."'";
+ $sql.= ", public='".$this->db->escape($this->public)."'";
 $sql.= ", statut=" .$this->statut;
 $sql.= ", fk_adherent_type=".$this->typeid;
- $sql.= ", morphy='".$this->morphy."'";
+ $sql.= ", morphy='".$this->db->escape($this->morphy)."'";
 $sql.= ", birth=" .($this->birth?"'".$this->db->idate($this->birth)."'":"null");
 if ($this->datefin) $sql.= ", datefin='".$this->db->idate($this->datefin)."'"; // Must be modified only when deleting a subscription
 if ($this->datevalid) $sql.= ", datevalid='".$this->db->idate($this->datevalid)."'"; // Must be modified only when validating a member
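Review bot: `photo` is still interpolated raw on the unchanged line between `note_public` and `public`, while every neighbouring string column in this hunk now goes through `$this->db->escape()`; it should get the same treatment: `$sql.= ", photo=" .($this->photo?"'".$this->db->escape($this->photo)."'":"null");`. The two unquoted numeric columns just below, `statut` and `fk_adherent_type`, are concatenated without a cast, so an empty or non-numeric property reaches the SQL text unchanged; `", statut=" .(int) $this->statut` and `", fk_adherent_type=".(int) $this->typeid` pin them to integers. The enclosing method starts and ends outside the hunk.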
@@ -649,7 +649,7 @@ class Adherent extends CommonObject
 // Search for last subscription id and end date
 $sql = "SELECT rowid, datec as dateop, dateadh as datedeb, datef as datefin";
 $sql.= " FROM ".MAIN_DB_PREFIX."subscription";
- $sql.= " WHERE fk_adherent='".$this->id."'";
+ $sql.= " WHERE fk_adherent=".$this->id;
 $sql.= " ORDER by dateadh DESC"; // Sort by start subscription date
 dol_syslog(get_class($this)."::update_end_date", LOG_DEBUG);
diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php
index 7b05adf1fb6..fc2cb3c94f0 100644
--- a/htdocs/comm/propal/class/propal.class.php
+++ b/htdocs/comm/propal/class/propal.class.php
@@ -947,7 +947,7 @@ class Propal extends CommonObject
 if ($this->id)
 {
 $this->ref='(PROV'.$this->id.')';
- $sql = 'UPDATE '.MAIN_DB_PREFIX."propal SET ref='".$this->ref."' WHERE rowid=".$this->id;
+ $sql = 'UPDATE '.MAIN_DB_PREFIX."propal SET ref='".$this->db->escape($this->ref)."' WHERE rowid=".$this->id;
 dol_syslog(get_class($this)."::create", LOG_DEBUG);
 $resql=$this->db->query($sql);
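Review bot: Dropping the quotes around `$this->id` in `WHERE fk_adherent=".$this->id` removes the string context without adding an integer cast, so an empty or non-numeric id now yields a syntax error or a bare token in the statement instead of a harmless `=''` comparison; a cast makes the intent explicit and local to the query: `$sql.= " WHERE fk_adherent=".(int) $this->id;`. The same pattern appears in the propal create hunk (`WHERE rowid=".$this->id`), the OrderLine::delete hunk (`WHERE rowid=".$this->rowid`), the RemiseCheque hunk and both ChargeSociales::delete hunks, and the fix is the same one-token change in each. The enclosing update_end_date() method starts before and ends after this hunk.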
@@ -3931,14 +3931,14 @@ class PropaleLigne extends CommonObjectLine
 $sql.= ", tva_tx='".price2num($this->tva_tx)."'";
 $sql.= ", localtax1_tx=".price2num($this->localtax1_tx);
 $sql.= ", localtax2_tx=".price2num($this->localtax2_tx);
- $sql.= ", localtax1_type='".$this->localtax1_type."'";
- $sql.= ", localtax2_type='".$this->localtax2_type."'";
+ $sql.= ", localtax1_type='".$this->db->escape($this->localtax1_type)."'";
+ $sql.= ", localtax2_type='".$this->db->escape($this->localtax2_type)."'";
 $sql.= ", qty='".price2num($this->qty)."'";
 $sql.= ", subprice=".price2num($this->subprice)."";
 $sql.= ", remise_percent=".price2num($this->remise_percent)."";
 $sql.= ", price=".price2num($this->price).""; // TODO A virer
 $sql.= ", remise=".price2num($this->remise).""; // TODO A virer
- $sql.= ", info_bits='".$this->info_bits."'";
+ $sql.= ", info_bits='".$this->db->escape($this->info_bits)."'";
 if (empty($this->skip_update_total))
 {
 $sql.= ", total_ht=".price2num($this->total_ht)."";
diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php
index 38a8f983903..65769ea795f 100644
--- a/htdocs/commande/class/commande.class.php
+++ b/htdocs/commande/class/commande.class.php
@@ -3885,7 +3885,7 @@ class OrderLine extends CommonOrderLine
 $this->db->begin();
- $sql = 'DELETE FROM '.MAIN_DB_PREFIX."commandedet WHERE rowid='".$this->rowid."';";
+ $sql = 'DELETE FROM '.MAIN_DB_PREFIX."commandedet WHERE rowid=".$this->rowid;
 dol_syslog("OrderLine::delete", LOG_DEBUG);
 $resql=$this->db->query($sql);
@@ -4133,8 +4133,8 @@ class OrderLine extends CommonOrderLine
 $sql.= " , tva_tx=".price2num($this->tva_tx);
 $sql.= " , localtax1_tx=".price2num($this->localtax1_tx);
 $sql.= " , localtax2_tx=".price2num($this->localtax2_tx);
- $sql.= " , localtax1_type='".$this->localtax1_type."'";
- $sql.= " , localtax2_type='".$this->localtax2_type."'";
+ $sql.= " , localtax1_type='".$this->db->escape($this->localtax1_type)."'";
+ $sql.= " , localtax2_type='".$this->db->escape($this->localtax2_type)."'";
 $sql.= " , qty=".price2num($this->qty);
 $sql.= " , subprice=".price2num($this->subprice)."";
 $sql.= " , remise_percent=".price2num($this->remise_percent)."";
diff --git a/htdocs/compta/bank/class/account.class.php b/htdocs/compta/bank/class/account.class.php
index a7289400569..2720bd861b2 100644
--- a/htdocs/compta/bank/class/account.class.php
+++ b/htdocs/compta/bank/class/account.class.php
@@ -705,17 +705,17 @@ class Account extends CommonObject
 $sql.= ",accountancy_journal = '".$this->accountancy_journal."'";
 $sql.= ",bank = '".$this->db->escape($this->bank)."'";
- $sql.= ",code_banque='".$this->code_banque."'";
- $sql.= ",code_guichet='".$this->code_guichet."'";
- $sql.= ",number='".$this->number."'";
- $sql.= ",cle_rib='".$this->cle_rib."'";
- $sql.= ",bic='".$this->bic."'";
- $sql.= ",iban_prefix = '".$this->iban."'";
+ $sql.= ",code_banque='".$this->db->escape($this->code_banque)."'";
+ $sql.= ",code_guichet='".$this->db->escape($this->code_guichet)."'";
+ $sql.= ",number='".$this->db->escape($this->number)."'";
+ $sql.= ",cle_rib='".$this->db->escape($this->cle_rib)."'";
+ $sql.= ",bic='".$this->db->escape($this->bic)."'";
+ $sql.= ",iban_prefix = '".$this->db->escape($this->iban)."'";
 $sql.= ",domiciliation='".$this->db->escape($this->domiciliation)."'";
 $sql.= ",proprio = '".$this->db->escape($this->proprio)."'";
 $sql.= ",owner_address = '".$this->db->escape($this->owner_address)."'";
- $sql.= ",currency_code = '".$this->currency_code."'";
+ $sql.= ",currency_code = '".$this->db->escape($this->currency_code)."'";
 $sql.= ",min_allowed = ".($this->min_allowed != '' ? price2num($this->min_allowed) : "null");
 $sql.= ",min_desired = ".($this->min_desired != '' ? price2num($this->min_desired) : "null");
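Review bot: `accountancy_journal` on the first context line of this hunk is still written as `'".$this->accountancy_journal."'"` with no escaping, while every other string column in the same SET list now goes through `$this->db->escape()`; `$sql.= ",accountancy_journal = '".$this->db->escape($this->accountancy_journal)."'";` closes the gap. The second Account hunk below starts one line later in an otherwise identical SET list, so its unseen preceding lines are worth checking for the same column. The enclosing method starts and ends outside the hunk.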
@@ -797,12 +797,12 @@ class Account extends CommonObject
 $sql = "UPDATE ".MAIN_DB_PREFIX."bank_account SET ";
 $sql.= " bank = '".$this->db->escape($this->bank)."'";
- $sql.= ",code_banque='".$this->code_banque."'";
- $sql.= ",code_guichet='".$this->code_guichet."'";
- $sql.= ",number='".$this->number."'";
- $sql.= ",cle_rib='".$this->cle_rib."'";
- $sql.= ",bic='".$this->bic."'";
- $sql.= ",iban_prefix = '".$this->iban."'";
+ $sql.= ",code_banque='".$this->db->escape($this->code_banque)."'";
+ $sql.= ",code_guichet='".$this->db->escape($this->code_guichet)."'";
+ $sql.= ",number='".$this->db->escape($this->number)."'";
+ $sql.= ",cle_rib='".$this->db->escape($this->cle_rib)."'";
+ $sql.= ",bic='".$this->db->escape($this->bic)."'";
+ $sql.= ",iban_prefix = '".$this->db->escape($this->iban)."'";
 $sql.= ",domiciliation='".$this->db->escape($this->domiciliation)."'";
 $sql.= ",proprio = '".$this->db->escape($this->proprio)."'";
 $sql.= ",owner_address = '".$this->db->escape($this->owner_address)."'";
diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php
index 912a18979bc..adb9130e085 100644
--- a/htdocs/compta/facture/class/facture.class.php
+++ b/htdocs/compta/facture/class/facture.class.php
@@ -435,7 +435,7 @@ class Facture extends CommonInvoice
 // Update ref with new one
 $this->ref='(PROV'.$this->id.')';
- $sql = 'UPDATE '.MAIN_DB_PREFIX."facture SET facnumber='".$this->ref."' WHERE rowid=".$this->id;
+ $sql = 'UPDATE '.MAIN_DB_PREFIX."facture SET facnumber='".$this->db->escape($this->ref)."' WHERE rowid=".$this->id;
 dol_syslog(get_class($this)."::create", LOG_DEBUG);
 $resql=$this->db->query($sql);
@@ -4641,18 +4641,18 @@ class FactureLigne extends CommonInvoiceLine
 $sql.= ", remise_percent=".price2num($this->remise_percent)."";
 if ($this->fk_remise_except) $sql.= ", fk_remise_except=".$this->fk_remise_except;
 else $sql.= ", fk_remise_except=null";
- $sql.= ", vat_src_code = '".(empty($this->vat_src_code)?'':$this->vat_src_code)."'";
+ $sql.= ", vat_src_code = '".(empty($this->vat_src_code)?'':$this->db->escape($this->vat_src_code))."'";
 $sql.= ", tva_tx=".price2num($this->tva_tx)."";
 $sql.= ", localtax1_tx=".price2num($this->localtax1_tx)."";
 $sql.= ", localtax2_tx=".price2num($this->localtax2_tx)."";
- $sql.= ", localtax1_type='".$this->localtax1_type."'";
- $sql.= ", localtax2_type='".$this->localtax2_type."'";
- $sql.= ", qty=".price2num($this->qty)."";
+ $sql.= ", localtax1_type='".$this->db->escape($this->localtax1_type)."'";
+ $sql.= ", localtax2_type='".$this->db->escape($this->localtax2_type)."'";
+ $sql.= ", qty=".price2num($this->qty);
 $sql.= ", date_start=".(! empty($this->date_start)?"'".$this->db->idate($this->date_start)."'":"null");
 $sql.= ", date_end=".(! empty($this->date_end)?"'".$this->db->idate($this->date_end)."'":"null");
 $sql.= ", product_type=".$this->product_type;
- $sql.= ", info_bits='".$this->info_bits."'";
- $sql.= ", special_code='".$this->special_code."'";
+ $sql.= ", info_bits='".$this->db->escape($this->info_bits)."'";
+ $sql.= ", special_code='".$this->db->escape($this->special_code)."'";
 if (empty($this->skip_update_total))
 {
 $sql.= ", total_ht=".price2num($this->total_ht)."";
diff --git a/htdocs/compta/localtax/class/localtax.class.php b/htdocs/compta/localtax/class/localtax.class.php
index 067c8dc9cbe..e59b2c6ce2b 100644
--- a/htdocs/compta/localtax/class/localtax.class.php
+++ b/htdocs/compta/localtax/class/localtax.class.php
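Review bot: `product_type` and `fk_remise_except` are concatenated unquoted with no cast on the unchanged lines of this hunk (`", product_type=".$this->product_type` and `", fk_remise_except=".$this->fk_remise_except`), so the statement is well-formed only while those properties already hold integers; `(int)` casts on both lines make that guarantee local to the query. `info_bits` and `special_code` are now escaped but still quoted as strings although they appear to be integer flag columns; if that is the case, `", info_bits=".(int) $this->info_bits` and `", special_code=".(int) $this->special_code` would be the consistent numeric form. The enclosing FactureLigne update body starts before and ends after this hunk.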
@@ -154,12 +154,12 @@ class Localtax extends CommonObject
 $sql.= " tms=".$this->db->idate($this->tms).",";
 $sql.= " datep=".$this->db->idate($this->datep).",";
 $sql.= " datev=".$this->db->idate($this->datev).",";
- $sql.= " amount='".$this->amount."',";
+ $sql.= " amount=".price2num($this->amount).",";
 $sql.= " label='".$this->db->escape($this->label)."',";
 $sql.= " note='".$this->db->escape($this->note)."',";
- $sql.= " fk_bank='".$this->fk_bank."',";
- $sql.= " fk_user_creat='".$this->fk_user_creat."',";
- $sql.= " fk_user_modif='".$this->fk_user_modif."'";
+ $sql.= " fk_bank=".$this->fk_bank.",";
+ $sql.= " fk_user_creat=".$this->fk_user_creat.",";
+ $sql.= " fk_user_modif=".$this->fk_user_modif;
 $sql.= " WHERE rowid=".$this->id;
 dol_syslog(get_class($this)."::update", LOG_DEBUG);
diff --git a/htdocs/compta/paiement/cheque/class/remisecheque.class.php b/htdocs/compta/paiement/cheque/class/remisecheque.class.php
index ad53e98693e..36ceec7b577 100644
--- a/htdocs/compta/paiement/cheque/class/remisecheque.class.php
+++ b/htdocs/compta/paiement/cheque/class/remisecheque.class.php
@@ -178,7 +178,7 @@ class RemiseCheque extends CommonObject
 {
 $sql = "UPDATE ".MAIN_DB_PREFIX."bordereau_cheque";
 $sql.= " SET ref='(PROV".$this->id.")'";
- $sql.= " WHERE rowid='".$this->id."';";
+ $sql.= " WHERE rowid=".$this->id."";
 dol_syslog("RemiseCheque::Create", LOG_DEBUG);
 $resql = $this->db->query($sql);
diff --git a/htdocs/compta/salaries/class/paymentsalary.class.php b/htdocs/compta/salaries/class/paymentsalary.class.php
index a4bee09d7de..871a938a9c9 100644
--- a/htdocs/compta/salaries/class/paymentsalary.class.php
+++ b/htdocs/compta/salaries/class/paymentsalary.class.php
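Review bot: Removing the quotes around `fk_bank`, `fk_user_creat` and `fk_user_modif` means an unset property now produces `fk_bank=,`, a syntax error that fails the whole UPDATE, where the old `fk_bank=''` at least produced a value the database could coerce; nothing in the hunk shows these properties are always populated. A cast, `$sql.= " fk_bank=".(int) $this->fk_bank.",";`, or the null-guard form this commit keeps for `fk_bank` in the PaymentSalary hunk, keeps the statement well-formed for empty values. The same applies to `fk_user`, `fk_user_author` and `fk_user_modif` in the PaymentSalary hunk, to the three `fk_*` columns in the Tva hunk, and to `fk_contrat` and `statut` in the first ContratLigne hunk. The enclosing update() method starts and ends outside this hunk.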
@@ -97,19 +97,19 @@ class PaymentSalary extends CommonObject
 $sql = "UPDATE ".MAIN_DB_PREFIX."payment_salary SET";
 $sql.= " tms=".$this->db->idate($this->tms).",";
- $sql.= " fk_user='".$this->fk_user."',";
+ $sql.= " fk_user=".$this->fk_user.",";
 $sql.= " datep=".$this->db->idate($this->datep).",";
 $sql.= " datev=".$this->db->idate($this->datev).",";
- $sql.= " amount='".$this->amount."',";
+ $sql.= " amount=".price2num($this->amount).",";
 $sql.= " fk_typepayment=".$this->fk_typepayment."',";
- $sql.= " num_payment='".$this->num_payment."',";
+ $sql.= " num_payment='".$this->db->escape($this->num_payment)."',";
 $sql.= " label='".$this->db->escape($this->label)."',";
 $sql.= " datesp=".$this->db->idate($this->datesp).",";
 $sql.= " dateep=".$this->db->idate($this->dateep).",";
 $sql.= " note='".$this->db->escape($this->note)."',";
 $sql.= " fk_bank=".($this->fk_bank > 0 ? "'".$this->fk_bank."'":"null").",";
- $sql.= " fk_user_author='".$this->fk_user_author."',";
- $sql.= " fk_user_modif='".$this->fk_user_modif."'";
+ $sql.= " fk_user_author=".$this->fk_user_author.",";
+ $sql.= " fk_user_modif=".$this->fk_user_modif;
 $sql.= " WHERE rowid=".$this->id;
diff --git a/htdocs/compta/sociales/class/chargesociales.class.php b/htdocs/compta/sociales/class/chargesociales.class.php
index 61546b39061..507db49ba5a 100644
--- a/htdocs/compta/sociales/class/chargesociales.class.php
+++ b/htdocs/compta/sociales/class/chargesociales.class.php
@@ -232,7 +232,7 @@ class ChargeSociales extends CommonObject
 // Delete payments
 if (! $error)
 {
- $sql = "DELETE FROM ".MAIN_DB_PREFIX."paiementcharge WHERE fk_charge='".$this->id."'";
+ $sql = "DELETE FROM ".MAIN_DB_PREFIX."paiementcharge WHERE fk_charge=".$this->id;
 dol_syslog(get_class($this)."::delete", LOG_DEBUG);
 $resql=$this->db->query($sql);
 if (! $resql)
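Review bot: The unchanged `fk_typepayment` line in the middle of this hunk carries a stray quote: `" fk_typepayment=".$this->fk_typepayment."',"` emits, for an id of 3, `fk_typepayment=3',`, which opens a string literal that swallows the following `num_payment='` and leaves the SET list malformed, so this UPDATE fails regardless of the escaping added around it. The fix is to drop the quote, `$sql.= " fk_typepayment=".$this->fk_typepayment.",";`, and since the commit is already revisiting every line of this statement it is the natural place to do it. The enclosing method starts and ends outside the hunk.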
@@ -244,7 +244,7 @@ class ChargeSociales extends CommonObject
 if (! $error)
 {
- $sql = "DELETE FROM ".MAIN_DB_PREFIX."chargesociales WHERE rowid='".$this->id."'";
+ $sql = "DELETE FROM ".MAIN_DB_PREFIX."chargesociales WHERE rowid=".$this->id;
 dol_syslog(get_class($this)."::delete", LOG_DEBUG);
 $resql=$this->db->query($sql);
 if (! $resql)
diff --git a/htdocs/compta/tva/class/tva.class.php b/htdocs/compta/tva/class/tva.class.php
index 3c45ec77a89..5cf8b6566bd 100644
--- a/htdocs/compta/tva/class/tva.class.php
+++ b/htdocs/compta/tva/class/tva.class.php
@@ -175,12 +175,12 @@ class Tva extends CommonObject
 $sql.= " tms=".$this->db->idate($this->tms).",";
 $sql.= " datep=".$this->db->idate($this->datep).",";
 $sql.= " datev=".$this->db->idate($this->datev).",";
- $sql.= " amount='".$this->amount."',";
+ $sql.= " amount=".price2num($this->amount).",";
 $sql.= " label='".$this->db->escape($this->label)."',";
 $sql.= " note='".$this->db->escape($this->note)."',";
- $sql.= " fk_bank='".$this->fk_bank."',";
- $sql.= " fk_user_creat='".$this->fk_user_creat."',";
- $sql.= " fk_user_modif='".$this->fk_user_modif."'";
+ $sql.= " fk_bank=".$this->fk_bank.",";
+ $sql.= " fk_user_creat=".$this->fk_user_creat.",";
+ $sql.= " fk_user_modif=".$this->fk_user_modif."";
 $sql.= " WHERE rowid=".$this->id;
diff --git a/htdocs/contrat/class/contrat.class.php b/htdocs/contrat/class/contrat.class.php
index 3187fcaba42..a97391de170 100644
--- a/htdocs/contrat/class/contrat.class.php
+++ b/htdocs/contrat/class/contrat.class.php
@@ -2780,9 +2780,9 @@ class ContratLigne extends CommonObjectLine
 // Update request
 $sql = "UPDATE ".MAIN_DB_PREFIX."contratdet SET";
- $sql.= " fk_contrat='".$this->fk_contrat."',";
+ $sql.= " fk_contrat=".$this->fk_contrat.",";
 $sql.= " fk_product=".($this->fk_product?"'".$this->fk_product."'":'null').",";
- $sql.= " statut='".$this->statut."',";
+ $sql.= " statut=".$this->statut.",";
 $sql.= " label='".$this->db->escape($this->label)."',";
 $sql.= " description='".$this->db->escape($this->description)."',";
 $sql.= " date_commande=".($this->date_commande!=''?"'".$this->db->idate($this->date_commande)."'":"null").",";
@@ -2790,24 +2790,24 @@ class ContratLigne extends CommonObjectLine
 $sql.= " date_ouverture=".($this->date_ouverture!=''?"'".$this->db->idate($this->date_ouverture)."'":"null").",";
 $sql.= " date_fin_validite=".($this->date_fin_validite!=''?"'".$this->db->idate($this->date_fin_validite)."'":"null").",";
 $sql.= " date_cloture=".($this->date_cloture!=''?"'".$this->db->idate($this->date_cloture)."'":"null").",";
- $sql.= " vat_src_code='".$this->vat_src_code."',";
- $sql.= " tva_tx='".$this->tva_tx."',";
- $sql.= " localtax1_tx='".$this->localtax1_tx."',";
- $sql.= " localtax2_tx='".$this->localtax2_tx."',";
+ $sql.= " vat_src_code='".$this->db->escape($this->vat_src_code)."',";
+ $sql.= " tva_tx=".price2num($this->tva_tx).",";
+ $sql.= " localtax1_tx=".price2num($this->localtax1_tx).",";
+ $sql.= " localtax2_tx=".price2num($this->localtax2_tx).",";
 $sql.= " qty='".$this->qty."',";
- $sql.= " remise_percent='".$this->remise_percent."',";
+ $sql.= " remise_percent=".price2num($this->remise_percent).",";
 $sql.= " remise=".($this->remise?"'".$this->remise."'":"null").",";
 $sql.= " fk_remise_except=".($this->fk_remise_except?"'".$this->fk_remise_except."'":"null").",";
 $sql.= " subprice=".($this->subprice != '' ? $this->subprice : "null").",";
 $sql.= " price_ht=".($this->price_ht != '' ? $this->price_ht : "null").",";
- $sql.= " total_ht='".$this->total_ht."',";
- $sql.= " total_tva='".$this->total_tva."',";
- $sql.= " total_localtax1='".$this->total_localtax1."',";
- $sql.= " total_localtax2='".$this->total_localtax2."',";
- $sql.= " total_ttc='".$this->total_ttc."',";
+ $sql.= " total_ht=".$this->total_ht.",";
+ $sql.= " total_tva=".$this->total_tva.",";
+ $sql.= " total_localtax1=".$this->total_localtax1.",";
+ $sql.= " total_localtax2=".$this->total_localtax2.",";
+ $sql.= " total_ttc=".$this->total_ttc.",";
 $sql.= " fk_product_fournisseur_price=".(!empty($this->fk_fournprice)?$this->fk_fournprice:"NULL").",";
 $sql.= " buy_price_ht='".price2num($this->pa_ht)."',";
- $sql.= " info_bits='".$this->info_bits."',";
+ $sql.= " info_bits='".$this->db->escape($this->info_bits)."',";
 $sql.= " fk_user_author=".($this->fk_user_author >= 0?$this->fk_user_author:"NULL").",";
 $sql.= " fk_user_ouverture=".($this->fk_user_ouverture > 0?$this->fk_user_ouverture:"NULL").",";
 $sql.= " fk_user_cloture=".($this->fk_user_cloture > 0?$this->fk_user_cloture:"NULL").",";
diff --git a/htdocs/theme/eldy/style.css.php b/htdocs/theme/eldy/style.css.php
index db28e154b3a..c9562e80bad 100644
--- a/htdocs/theme/eldy/style.css.php
+++ b/htdocs/theme/eldy/style.css.php
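Review bot: The five `total_*` lines in this hunk lose their quotes but, unlike `tva_tx`, `localtax1_tx`, `localtax2_tx` and `remise_percent` a few lines above, are not wrapped in `price2num()`, so the property value reaches the SQL text bare: an empty value gives `total_ht=,` and a non-numeric one is neither quoted nor escaped, which is a step backwards from the old quoted form. The adjacent unchanged lines `qty='".$this->qty."'` and `remise=".($this->remise?"'".$this->remise."'":"null")` keep the raw interpolation the commit removes elsewhere in the same statement. Normalising all of them through `price2num()` matches the treatment this hunk already gives the rate columns. The enclosing ContratLigne update body starts before and ends after this hunk.
```php
$sql.= " qty=".price2num($this->qty).",";
// … unchanged: remise_percent …
$sql.= " remise=".($this->remise?price2num($this->remise):"null").",";
// … unchanged: fk_remise_except, subprice, price_ht …
$sql.= " total_ht=".price2num($this->total_ht).",";
$sql.= " total_tva=".price2num($this->total_tva).",";
$sql.= " total_localtax1=".price2num($this->total_localtax1).",";
$sql.= " total_localtax2=".price2num($this->total_localtax2).",";
$sql.= " total_ttc=".price2num($this->total_ttc).",";
```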
@@ -53,8 +53,8 @@ else header('Cache-Control: no-cache');
 // On the fly GZIP compression for all pages (if browser support it). Must set the bit 3 of constant to 1.
 if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x04)) { ob_start("ob_gzhandler"); }
-if (GETPOST('lang')) $langs->setDefaultLang(GETPOST('lang')); // If language was forced on URL
-if (GETPOST('theme')) $conf->theme=GETPOST('theme'); // If theme was forced on URL
+if (GETPOST('lang')) $langs->setDefaultLang(GETPOST('lang', 'alpha')); // If language was forced on URL
+if (GETPOST('theme')) $conf->theme=GETPOST('theme', 'alpha'); // If theme was forced on URL
 $langs->load("main",0,1);
 $right=($langs->trans("DIRECTION")=='rtl'?'left':'right');
 $left=($langs->trans("DIRECTION")=='rtl'?'right':'left');
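Review bot: The two new lines filter the value that is used (`GETPOST('lang', 'alpha')`) but still decide on the unfiltered `GETPOST('lang')`, so the branch is taken on a value that may differ from the one finally assigned, and the parameter is read twice; reading it once keeps the check and the value in step: `$forcelang = GETPOST('lang', 'alpha'); if ($forcelang) $langs->setDefaultLang($forcelang);` and likewise `$forcetheme = GETPOST('theme', 'alpha'); if ($forcetheme) $conf->theme=$forcetheme;`. `$conf->theme` is presumably used later to locate theme files on disk; if that is the case, checking the value against the set of installed themes would be a stronger guard than a character-class filter. Both lines are top-level statements of the script, not inside a function.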