From bd838d0b8a40a0f2970aad12226c33019d83a99d Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sun, 14 Mar 2021 18:07:53 +0100 Subject: [PATCH] Fix sql syntax error #yogosha5628 + 1 SQL injection --- .../class/productcustomerprice.class.php | 31 +-- htdocs/societe/price.php | 200 +++++++++--------- 2 files changed, 120 insertions(+), 111 deletions(-) diff --git a/htdocs/product/class/productcustomerprice.class.php b/htdocs/product/class/productcustomerprice.class.php index 94f438a77cb..5d395572f5c 100644 --- a/htdocs/product/class/productcustomerprice.class.php +++ b/htdocs/product/class/productcustomerprice.class.php @@ -274,8 +274,8 @@ class Productcustomerprice extends CommonObject /** * Load object in memory from the database * - * @param int $id object - * @return int <0 if KO, >0 if OK + * @param int $id ID of customer price + * @return int <0 if KO, 0 if not found, >0 if OK */ public function fetch($id) { @@ -301,7 +301,6 @@ class Productcustomerprice extends CommonObject $sql .= " t.localtax2_tx,"; $sql .= " t.fk_user,"; $sql .= " t.import_key"; - $sql .= " FROM ".MAIN_DB_PREFIX."product_customer_price as t"; $sql .= " WHERE t.rowid = ".((int) $id); @@ -331,10 +330,15 @@ class Productcustomerprice extends CommonObject $this->localtax2_tx = $obj->localtax2_tx; $this->fk_user = $obj->fk_user; $this->import_key = $obj->import_key; - } - $this->db->free($resql); - return 1; + $this->db->free($resql); + + return 1; + } else { + $this->db->free($resql); + + return 0; + } } else { $this->error = "Error ".$this->db->lasterror(); return -1; @@ -487,7 +491,6 @@ class Productcustomerprice extends CommonObject $sql = "SELECT"; $sql .= " t.rowid,"; - $sql .= " t.entity,"; $sql .= " t.datec,"; $sql .= " t.fk_product,"; 
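Review bot: The WHERE clause of fetch() visible as context in the `@@ -301` hunk is only `t.rowid = ".((int) $id)`, while fetch_all_log() in the same file restricts rows with `t.entity IN (".getEntity('productprice').")`; if product_customer_price carries an entity column as that filter suggests, a lineid from another entity can be loaded by fetch() and handed to the edit form price.php builds from it, so the same `AND t.entity IN (...)` predicate belongs here as well. In the `@@ -331` hunk the new not-found branch does `return 0;` without touching `$this->error`, yet the price.php change in this commit reports every `<= 0` result through setEventMessages($prodcustprice->error, ...), so an unknown id yields a blank error banner; set `$this->error = 'RecordNotFound';` (or whatever translated key the project uses) before returning. The `$this->db->free($resql)` repeated in both branches could be hoisted above the branch, which is cosmetic. fetch() begins before the first hunk and its body continues between and beyond the hunks shown.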
@@ -507,27 +510,25 @@ class Productcustomerprice extends CommonObject $sql .= " t.import_key,"; $sql .= " soc.nom as socname,"; $sql .= " prod.ref as prodref"; - $sql .= " FROM ".MAIN_DB_PREFIX."product_customer_price_log as t "; - $sql .= " ,".MAIN_DB_PREFIX."product as prod "; - $sql .= " ,".MAIN_DB_PREFIX."societe as soc "; - $sql .= " WHERE soc.rowid=t.fk_soc "; + $sql .= " FROM ".MAIN_DB_PREFIX."product_customer_price_log as t"; + $sql .= " ,".MAIN_DB_PREFIX."product as prod"; + $sql .= " ,".MAIN_DB_PREFIX."societe as soc"; + $sql .= " WHERE soc.rowid=t.fk_soc"; $sql .= " AND prod.rowid=t.fk_product "; $sql .= " AND prod.entity IN (".getEntity('product').")"; $sql .= " AND t.entity IN (".getEntity('productprice').")"; - // Manage filter if (count($filter) > 0) { foreach ($filter as $key => $value) { if (strpos($key, 'date')) { // To allow $filter['YEAR(s.dated)']=>$year $sql .= ' AND '.$key.' = \''.$value.'\''; } elseif ($key == 'soc.nom') { - $sql .= ' AND '.$key.' LIKE \'%'.$value.'%\''; + $sql .= ' AND '.$key.' LIKE \'%'.$this->db->escape($value).'%\''; } else { - $sql .= ' AND '.$key.' = '.$value; + $sql .= ' AND '.$key.' = '.((int) $value); } } } - $sql .= $this->db->order($sortfield, $sortorder); if (!empty($limit)) { $sql .= ' '.$this->db->plimit($limit + 1, $offset); diff --git a/htdocs/societe/price.php b/htdocs/societe/price.php index c9abb624286..d7d373f721a 100644 --- a/htdocs/societe/price.php +++ b/htdocs/societe/price.php @@ -368,99 +368,101 @@ if (!empty($conf->global->PRODUIT_CUSTOMER_PRICES)) { print load_fiche_titre($langs->trans('PriceByCustomer')); $result = $prodcustprice->fetch(GETPOST('lineid', 'int')); - if ($result < 0) { + + if ($result <= 0) { setEventMessages($prodcustprice->error, $prodcustprice->errors, 'errors'); - } - - print '
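Review bot: The `date` branch of the filter loop is left as `$sql .= ' AND '.$key.' = \''.$value.'\'';` with `$value` interpolated raw, so this hunk closes the injection in the `soc.nom` and integer branches but leaves an identical one in the branch just above them; it should become `' AND '.$key.' = \''.$this->db->escape($value).'\''`. `$key` is also concatenated verbatim in all three branches: the callers visible in price.php pass fixed column names (`t.fk_product`, `t.fk_soc`), but the method is public, so the keys should be checked against an allow-list of the columns the SELECT actually exposes before being placed in the statement. escape() (presumably an addslashes-style driver escape) does not neutralise `%` and `_` inside the LIKE pattern, so a name containing them matches more than the literal text; harmless for a name search but worth a one-line comment. The new `((int) $value)` cast will silently turn any non-numeric value a future caller passes into 0, so the method's docblock, which lies outside this hunk, should state that filters other than `soc.nom` and date keys are integer-only.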
'; - print ''; - print ''; - print ''; - print ''; - print ''; - print ''; - $staticprod = new Product($db); - $staticprod->fetch($prodcustprice->fk_product); - print ""; - print ''; - - // Ref. Customer - print ''; - print ''; - - // VAT - print ''; - - // Price base - print ''; - print ''; - print ''; - - // Price - print ''; - - // Price minimum - print ''; - - // Update all child soc - print ''; - print ''; - print ''; - - print '
'.$langs->trans('Product').'".$staticprod->getNomUrl(1)."
'.$langs->trans('RefCustomer').'
'.$langs->trans("VATRate").''; - print $form->load_tva("tva_tx", $prodcustprice->tva_tx, $mysoc, '', $staticprod->id, $prodcustprice->recuperableonly); - print '
'; - print $langs->trans('PriceBase'); - print ''; - print $form->selectPriceBaseType($prodcustprice->price_base_type, "price_base_type"); - print '
'; - $text = $langs->trans('SellingPrice'); - print $form->textwithpicto($text, $langs->trans("PrecisionUnitIsLimitedToXDecimals", $conf->global->MAIN_MAX_DECIMALS_UNIT), 1, 1); - print ''; - if ($prodcustprice->price_base_type == 'TTC') { - print ''; } else { - print ''; + print ''; + print ''; + print ''; + print ''; + print ''; + print ''; + print ''; + $staticprod = new Product($db); + $staticprod->fetch($prodcustprice->fk_product); + print ""; + print ''; + + // Ref. Customer + print ''; + print ''; + + // VAT + print ''; + + // Price base + print ''; + print ''; + print ''; + + // Price + print ''; + + // Price minimum + print ''; + + // Update all child soc + print ''; + print ''; + print ''; + + print '
'.$langs->trans('Product').'".$staticprod->getNomUrl(1)."
'.$langs->trans('RefCustomer').'
'.$langs->trans("VATRate").''; + print $form->load_tva("tva_tx", $prodcustprice->tva_tx, $mysoc, '', $staticprod->id, $prodcustprice->recuperableonly); + print '
'; + print $langs->trans('PriceBase'); + print ''; + print $form->selectPriceBaseType($prodcustprice->price_base_type, "price_base_type"); + print '
'; + $text = $langs->trans('SellingPrice'); + print $form->textwithpicto($text, $langs->trans("PrecisionUnitIsLimitedToXDecimals", $conf->global->MAIN_MAX_DECIMALS_UNIT), 1, 1); + print ''; + if ($prodcustprice->price_base_type == 'TTC') { + print ''; + } else { + print ''; + } + print '
'; + $text = $langs->trans('MinPrice'); + print $form->textwithpicto($text, $langs->trans("PrecisionUnitIsLimitedToXDecimals", $conf->global->MAIN_MAX_DECIMALS_UNIT), 1, 1); + print ''; + if ($prodcustprice->price_base_type == 'TTC') { + print ''; + } else { + print ''; + } + print '
'; + print $langs->trans('ForceUpdateChildPriceSoc'); + print ''; + print ''; + print '
'; + + print '
'; + print ''; + print '     '; + print ''; + print '
'; + + print '
'; } - print '
'; - $text = $langs->trans('MinPrice'); - print $form->textwithpicto($text, $langs->trans("PrecisionUnitIsLimitedToXDecimals", $conf->global->MAIN_MAX_DECIMALS_UNIT), 1, 1); - print ''; - if ($prodcustprice->price_base_type == 'TTC') { - print ''; - } else { - print ''; - } - print '
'; - print $langs->trans('ForceUpdateChildPriceSoc'); - print ''; - print ''; - print '
'; - - print '
'; - print ''; - print '     '; - print ''; - print '
'; - - print '
'; } elseif ($action == 'showlog_customer_price') { print '
'; print ''."\n"; $filter = array( - 't.fk_product' => GETPOST('prodid', 'int'), 't.fk_soc' => $socid + 't.fk_product' => GETPOST('prodid', 'int'), + 't.fk_soc' => $socid ); // Count total nb of records $nbtotalofrecords = ''; - if (empty($conf->global->MAIN_DISABLE_FULL_SCANLIST)) { - $nbtotalofrecords = $prodcustprice->fetch_all_log($sortorder, $sortfield, $conf->liste_limit, $offset, $filter); - } - $result = $prodcustprice->fetch_all_log($sortorder, $sortfield, $conf->liste_limit, $offset, $filter); if ($result < 0) { setEventMessages($prodcustprice->error, $prodcustprice->errors, 'errors'); + } else { + if (empty($conf->global->MAIN_DISABLE_FULL_SCANLIST)) { + $nbtotalofrecords = $result; + } } $option = '&socid='.GETPOST('socid', 'int').'&prodid='.GETPOST('prodid', 'int'); @@ -485,14 +487,18 @@ if (!empty($conf->global->PRODUIT_CUSTOMER_PRICES)) { print ''.$langs->trans("MinPrice").' '.$langs->trans("HT").''; print ''.$langs->trans("MinPrice").' '.$langs->trans("TTC").''; print ''.$langs->trans("ChangedBy").''; - print ' '; + print ''; print ''; foreach ($prodcustprice->lines as $line) { - print ''; $staticprod = new Product($db); $staticprod->fetch($line->fk_product); + $userstatic = new User($db); + $userstatic->fetch($line->fk_user); + + print ''; + print "".$staticprod->getNomUrl(1).""; print ''.$line->ref_customer.''; print "".dol_print_date($line->datec, "dayhour").""; @@ -505,11 +511,10 @@ if (!empty($conf->global->PRODUIT_CUSTOMER_PRICES)) { print ''.price($line->price_min_ttc).''; // User - $userstatic = new User($db); - $userstatic->fetch($line->fk_user); print ''; - print $userstatic->getLoginUrl(1); + print $userstatic->getNomUrl(-1); print ''; + print ''; } print ""; } else { 
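Review bot: `$nbtotalofrecords = $result;` in the showlog branch stores the return of a fetch_all_log() call issued with `$conf->liste_limit`, and fetch_all_log appends `plimit($limit + 1, $offset)` whenever `$limit` is non-empty (visible in the class hunk), so the total used for pagination can never exceed limit+1; the old code had the same flaw because both calls passed the same limit, but the rewrite now makes it read as intentional. If fetch_all_log returns the number of loaded lines, as its use here implies, a genuine total needs an unlimited call such as `$nbtotalofrecords = $prodcustprice->fetch_all_log($sortorder, $sortfield, 0, 0, $filter);` under the same `MAIN_DISABLE_FULL_SCANLIST` guard, or a dedicated COUNT query. Separately, `if ($result <= 0)` now folds fetch()'s new not-found `0` into the error path, but fetch() leaves `$this->error` empty for that case, so the banner printed by setEventMessages is blank; branch on `$result == 0` here with a `RecordNotFound`-style message unless fetch() is changed to set one. The enclosing `if (!empty($conf->global->PRODUIT_CUSTOMER_PRICES))` block and the `$action` dispatch it contains start before this hunk.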
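Review bot: The log loop body still executes `new Product($db)` + `fetch()` and, after this change, also `new User($db)` + `fetch()` for every line, so each displayed row costs two extra queries even though fetch_all_log already joins product and societe (`prod.ref as prodref`, `soc.nom as socname` in the class hunk); at minimum cache the User objects in a local array keyed by `$line->fk_user` across iterations, since the same user typically appears on many rows. `$line->ref_customer` is also printed into its cell raw: it is entered by the user through the ref_customer input of the edit form earlier in this file, and unless the write path strips markup (not visible here) this is a stored-XSS sink, so wrap it as `dol_escape_htmltag($line->ref_customer)` at output regardless. The `if`/`else` that open and close this listing lie outside the hunk.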
@@ -571,17 +576,22 @@ if (!empty($conf->global->PRODUIT_CUSTOMER_PRICES)) { print ''.$langs->trans("MinPrice").' '.$langs->trans("HT").''; print ''.$langs->trans("MinPrice").' '.$langs->trans("TTC").''; print ''.$langs->trans("ChangedBy").''; - print ' '; + print ''; print ''; if (count($prodcustprice->lines) > 0 || $search_prod) { print ''; print ''; print ''; - print ' '; - print ''; - print ''; - print ' '; + print ''; + print ''; + print ''; + print ''; + print ''; + print ''; + print ''; + print ''; + print ''; // Print the search button print ''; $searchpicto = $form->showFilterAndCheckAddButtons(0); @@ -592,30 +602,28 @@ if (!empty($conf->global->PRODUIT_CUSTOMER_PRICES)) { if (count($prodcustprice->lines) > 0) { foreach ($prodcustprice->lines as $line) { - print ''; - $staticprod = new Product($db); $staticprod->fetch($line->fk_product); + $userstatic = new User($db); + $userstatic->fetch($line->fk_user); + + print ''; + print "".$staticprod->getNomUrl(1).""; print "".$staticprod->label.""; print ''.$line->ref_customer.''; print "".dol_print_date($line->datec, "dayhour").""; - print ''.$langs->trans($line->price_base_type).""; print ''.vatrate($line->tva_tx.($line->default_vat_code ? ' ('.$line->default_vat_code.')' : ''), true, $line->recuperableonly).""; print ''.price($line->price).""; print ''.price($line->price_ttc).""; print ''.price($line->price_min).''; print ''.price($line->price_min_ttc).''; - // User - $userstatic = new User($db); - $userstatic->fetch($line->fk_user); print ''; - print $userstatic->getLoginUrl(1); + print $userstatic->getNomUrl(-1); print ''; - // Action if ($user->rights->produit->creer || $user->rights->service->creer) { print '';
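Review bot: `if (count($prodcustprice->lines) > 0 || $search_prod)` tests `$search_prod` by truthiness, so searching for the product ref `0` is treated as no search and the filter row vanishes; prefer `$search_prod !== ''`, assuming it is the GETPOST string it appears to be. The nine added `print '';` cells have had their markup stripped in this rendering, so it cannot be confirmed here whether the echoed search values pass through `dol_escape_htmltag()` before landing in a `value=""` attribute — they should, since they are request-controlled. The `if` that opens the filter row closes outside this hunk.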