Fix escaping
This commit is contained in:
Laurent Destailleur
parent
2c660504bb
commit
c191dd1a34
@ -42,7 +42,7 @@ if (GETPOST('filtre', 'alpha')) {
|
||||
$sql = "SELECT p.rowid, p.ref, p.label, p.tva_tx, p.fk_product_type";
|
||||
if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= ", ps.reel";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."product as p";
|
||||
if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$conf_fkentrepot."'";
|
||||
if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$db->escape($conf_fkentrepot)."'";
|
||||
$sql .= " WHERE p.entity IN (".getEntity('product').")";
|
||||
$sql .= " AND p.tosell = 1";
|
||||
if (!$conf->global->CASHDESK_SERVICES) $sql .= " AND p.fk_product_type = 0";
|
||||
@ -92,7 +92,7 @@ if (GETPOST('filtre', 'alpha')) {
|
||||
$sql = "SELECT p.rowid, ref, label, tva_tx, p.fk_product_type";
|
||||
if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= ", ps.reel";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."product as p";
|
||||
if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$conf_fkentrepot."'";
|
||||
if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$db->escape($conf_fkentrepot)."'";
|
||||
$sql .= " WHERE p.entity IN (".getEntity('product').")";
|
||||
$sql .= " AND p.tosell = 1";
|
||||
if (!$conf->global->CASHDESK_SERVICES) $sql .= " AND p.fk_product_type = 0";
|
||||
|
||||
@ -45,7 +45,7 @@ if (dol_strlen($search) >= 0) // If search criteria is on char length at least
|
||||
$sql = "SELECT p.rowid, p.ref, p.label, p.tva_tx";
|
||||
if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= ", ps.reel";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."product as p";
|
||||
if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$conf_fkentrepot."'";
|
||||
if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$db->escape($conf_fkentrepot)."'";
|
||||
$sql .= " WHERE p.entity IN (".getEntity('product').")";
|
||||
$sql .= " AND p.tosell = 1";
|
||||
$sql .= " AND p.fk_product_type = 0";
|
||||
|
||||
@ -89,7 +89,7 @@ if ($retour >= 0)
|
||||
|
||||
$sql = "SELECT rowid, lastname, firstname";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."user";
|
||||
$sql .= " WHERE login = '".$username."'";
|
||||
$sql .= " WHERE login = '".$db->escape($username)."'";
|
||||
$sql .= " AND entity IN (0,".$conf->entity.")";
|
||||
|
||||
$result = $db->query($sql);
|
||||
|
||||
@ -1031,8 +1031,8 @@ class ActionComm extends CommonObject
|
||||
$sql .= ", location = ".($this->location ? "'".$this->db->escape($this->location)."'" : "null");
|
||||
$sql .= ", transparency = '".$this->db->escape($this->transparency)."'";
|
||||
$sql .= ", fk_user_mod = ".$user->id;
|
||||
$sql .= ", fk_user_action=".($userownerid > 0 ? "'".$userownerid."'" : "null");
|
||||
$sql .= ", fk_user_done=".($userdoneid > 0 ? "'".$userdoneid."'" : "null");
|
||||
$sql .= ", fk_user_action = ".($userownerid > 0 ? "'".$this->db->escape($userownerid)."'" : "null");
|
||||
$sql .= ", fk_user_done = ".($userdoneid > 0 ? "'".$this->db->escape($userdoneid)."'" : "null");
|
||||
if (!empty($this->fk_element)) $sql .= ", fk_element=".($this->fk_element ? $this->db->escape($this->fk_element) : "null");
|
||||
if (!empty($this->elementtype)) $sql .= ", elementtype=".($this->elementtype ? "'".$this->db->escape($this->elementtype)."'" : "null");
|
||||
$sql .= " WHERE id=".$this->id;
|
||||
@ -1127,7 +1127,7 @@ class ActionComm extends CommonObject
|
||||
* Load all objects with filters.
|
||||
* @todo WARNING: This make a fetch on all records instead of making one request with a join.
|
||||
*
|
||||
* @param DoliDb $db Database handler
|
||||
* @param DoliDb $db Not used
|
||||
* @param int $socid Filter by thirdparty
|
||||
* @param int $fk_element Id of element action is linked to
|
||||
* @param string $elementtype Type of element action is linked to
|
||||
@ -1160,32 +1160,32 @@ class ActionComm extends CommonObject
|
||||
$sql .= " element_type = 'socpeople' AND fk_element = ".$fk_element.')';
|
||||
}
|
||||
else {
|
||||
$sql .= " AND a.fk_element = ".(int) $fk_element." AND a.elementtype = '".$elementtype."'";
|
||||
$sql .= " AND a.fk_element = ".(int) $fk_element." AND a.elementtype = '".$this->db->escape($elementtype)."'";
|
||||
}
|
||||
}
|
||||
if (!empty($filter)) $sql .= $filter;
|
||||
if ($sortorder && $sortfield) $sql .= $db->order($sortfield, $sortorder);
|
||||
$sql .= $db->plimit($limit, 0);
|
||||
if ($sortorder && $sortfield) $sql .= $this->db->order($sortfield, $sortorder);
|
||||
$sql .= $this->db->plimit($limit, 0);
|
||||
|
||||
$resql = $db->query($sql);
|
||||
$resql = $this->db->query($sql);
|
||||
if ($resql)
|
||||
{
|
||||
$num = $db->num_rows($resql);
|
||||
$num = $this->db->num_rows($resql);
|
||||
|
||||
if ($num)
|
||||
{
|
||||
for ($i = 0; $i < $num; $i++)
|
||||
{
|
||||
$obj = $db->fetch_object($resql);
|
||||
$actioncommstatic = new ActionComm($db);
|
||||
$obj = $this->db->fetch_object($resql);
|
||||
$actioncommstatic = new ActionComm($this->db);
|
||||
$actioncommstatic->fetch($obj->id);
|
||||
$resarray[$i] = $actioncommstatic;
|
||||
}
|
||||
}
|
||||
$db->free($resql);
|
||||
$this->db->free($resql);
|
||||
return $resarray;
|
||||
} else {
|
||||
return $db->lasterror();
|
||||
return $this->db->lasterror();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -139,7 +139,7 @@ class CActionComm
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."c_actioncomm";
|
||||
$sql .= " WHERE 1=1";
|
||||
if ($active != '') $sql .= " AND active=".$active;
|
||||
if (!empty($excludetype)) $sql .= " AND type <> '".$excludetype."'";
|
||||
if (!empty($excludetype)) $sql .= " AND type <> '".$this->db->escape($excludetype)."'";
|
||||
if ($morefilter) $sql .= " AND ".$morefilter;
|
||||
$sql .= " ORDER BY module, position, type";
|
||||
|
||||
|
||||
@ -810,7 +810,7 @@ if ($conf->global->AGENDA_SHOW_HOLIDAYS)
|
||||
if ($action == 'show_day')
|
||||
{
|
||||
// Request only leaves for the current selected day
|
||||
$sql .= " AND '".$year."-".$month."-".$day."' BETWEEN x.date_debut AND x.date_fin";
|
||||
$sql .= " AND '".$db->escape($year)."-".$db->escape($month)."-".$db->escape($day)."' BETWEEN x.date_debut AND x.date_fin";
|
||||
} elseif ($action == 'show_week')
|
||||
{
|
||||
// TODO: Add filter to reduce database request
|
||||
|
||||
@ -567,7 +567,7 @@ class AdvanceTargetingMailing extends CommonObject
|
||||
if (($extrafields->attributes[$elementtype]['type'][$key] == 'varchar') ||
|
||||
($extrafields->attributes[$elementtype]['type'][$key] == 'text')) {
|
||||
if (!empty($arrayquery['options_'.$key])) {
|
||||
$sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key]."')";
|
||||
$sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')";
|
||||
}
|
||||
} elseif (($extrafields->attributes[$elementtype]['type'][$key] == 'int') ||
|
||||
($extrafields->attributes[$elementtype]['type'][$key] == 'double')) {
|
||||
@ -587,7 +587,7 @@ class AdvanceTargetingMailing extends CommonObject
|
||||
if (is_array($arrayquery['options_'.$key])) {
|
||||
$sqlwhere[] = " (te.".$key." IN ('".implode("','", $arrayquery['options_'.$key])."'))";
|
||||
} elseif (!empty($arrayquery['options_'.$key])) {
|
||||
$sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key]."')";
|
||||
$sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')";
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -708,7 +708,7 @@ class AdvanceTargetingMailing extends CommonObject
|
||||
if (($extrafields->attributes[$elementtype]['type'][$key] == 'varchar') ||
|
||||
($extrafields->attributes[$elementtype]['type'][$key] == 'text')) {
|
||||
if (!empty($arrayquery['options_'.$key.'_cnct'])) {
|
||||
$sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key.'_cnct']."')";
|
||||
$sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key.'_cnct'])."')";
|
||||
}
|
||||
} elseif (($extrafields->attributes[$elementtype]['type'][$key] == 'int') ||
|
||||
($extrafields->attributes[$elementtype]['type'][$key] == 'double')) {
|
||||
@ -732,7 +732,7 @@ class AdvanceTargetingMailing extends CommonObject
|
||||
if (is_array($arrayquery['options_'.$key.'_cnct'])) {
|
||||
$sqlwhere[] = " (te.".$key." IN ('".implode("','", $arrayquery['options_'.$key.'_cnct'])."'))";
|
||||
} elseif (!empty($arrayquery['options_'.$key.'_cnct'])) {
|
||||
$sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key.'_cnct']."')";
|
||||
$sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key.'_cnct'])."')";
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -810,7 +810,7 @@ class AdvanceTargetingMailing extends CommonObject
|
||||
if (($extrafields->attributes[$elementtype]['type'][$key] == 'varchar') ||
|
||||
($extrafields->attributes[$elementtype]['type'][$key] == 'text')) {
|
||||
if (!empty($arrayquery['options_'.$key])) {
|
||||
$sqlwhere[] = " (tse.".$key." LIKE '".$arrayquery['options_'.$key]."')";
|
||||
$sqlwhere[] = " (tse.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')";
|
||||
}
|
||||
} elseif (($extrafields->attributes[$elementtype]['type'][$key] == 'int') ||
|
||||
($extrafields->attributes[$elementtype]['type'][$key] == 'double')) {
|
||||
@ -830,7 +830,7 @@ class AdvanceTargetingMailing extends CommonObject
|
||||
if (is_array($arrayquery['options_'.$key])) {
|
||||
$sqlwhere[] = " (tse.".$key." IN ('".implode("','", $arrayquery['options_'.$key])."'))";
|
||||
} elseif (!empty($arrayquery['options_'.$key])) {
|
||||
$sqlwhere[] = " (tse.".$key." LIKE '".$arrayquery['options_'.$key]."')";
|
||||
$sqlwhere[] = " (tse.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -1061,7 +1061,7 @@ class Propal extends CommonObject
|
||||
$sql .= ", '".$this->db->idate($this->date)."'";
|
||||
$sql .= ", '".$this->db->idate($now)."'";
|
||||
$sql .= ", '(PROV)'";
|
||||
$sql .= ", ".($user->id > 0 ? "'".$user->id."'" : "NULL");
|
||||
$sql .= ", ".($user->id > 0 ? "'".$this->db->escape($user->id)."'" : "NULL");
|
||||
$sql .= ", '".$this->db->escape($this->note_private)."'";
|
||||
$sql .= ", '".$this->db->escape($this->note_public)."'";
|
||||
$sql .= ", '".$this->db->escape($this->model_pdf)."'";
|
||||
|
||||
Loading…
Reference in New Issue
Block a user