From c191dd1a34f41552fa6e017d7855357ba307f071 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 23:27:11 +0200 Subject: [PATCH] Fix escaping --- htdocs/cashdesk/facturation.php | 4 ++-- htdocs/cashdesk/facturation_dhtml.php | 2 +- htdocs/cashdesk/index_verif.php | 2 +- htdocs/comm/action/class/actioncomm.class.php | 24 +++++++++---------- .../comm/action/class/cactioncomm.class.php | 2 +- htdocs/comm/action/index.php | 2 +- .../mailing/class/advtargetemailing.class.php | 12 +++++----- htdocs/comm/propal/class/propal.class.php | 2 +- 8 files changed, 25 insertions(+), 25 deletions(-) diff --git a/htdocs/cashdesk/facturation.php b/htdocs/cashdesk/facturation.php index e1a42aed012..85347e4c7ff 100644 --- a/htdocs/cashdesk/facturation.php +++ b/htdocs/cashdesk/facturation.php @@ -42,7 +42,7 @@ if (GETPOST('filtre', 'alpha')) { $sql = "SELECT p.rowid, p.ref, p.label, p.tva_tx, p.fk_product_type"; if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= ", ps.reel"; $sql .= " FROM ".MAIN_DB_PREFIX."product as p"; - if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$conf_fkentrepot."'"; + if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$db->escape($conf_fkentrepot)."'"; $sql .= " WHERE p.entity IN (".getEntity('product').")"; $sql .= " AND p.tosell = 1"; if (!$conf->global->CASHDESK_SERVICES) $sql .= " AND p.fk_product_type = 0"; @@ -92,7 +92,7 @@ if (GETPOST('filtre', 'alpha')) { $sql = "SELECT p.rowid, ref, label, tva_tx, p.fk_product_type"; if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= ", ps.reel"; $sql .= " FROM ".MAIN_DB_PREFIX."product as p"; - if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$conf_fkentrepot."'"; + if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$db->escape($conf_fkentrepot)."'"; $sql .= " WHERE p.entity IN (".getEntity('product').")"; $sql .= " AND p.tosell = 1"; if (!$conf->global->CASHDESK_SERVICES) $sql .= " AND p.fk_product_type = 0"; diff --git a/htdocs/cashdesk/facturation_dhtml.php b/htdocs/cashdesk/facturation_dhtml.php index 99e1ed2f942..9ee4bdb856c 100644 --- a/htdocs/cashdesk/facturation_dhtml.php +++ b/htdocs/cashdesk/facturation_dhtml.php @@ -45,7 +45,7 @@ if (dol_strlen($search) >= 0) // If search criteria is on char length at least $sql = "SELECT p.rowid, p.ref, p.label, p.tva_tx"; if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= ", ps.reel"; $sql .= " FROM ".MAIN_DB_PREFIX."product as p"; - if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$conf_fkentrepot."'"; + if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$db->escape($conf_fkentrepot)."'"; $sql .= " WHERE p.entity IN (".getEntity('product').")"; $sql .= " AND p.tosell = 1"; $sql .= " AND p.fk_product_type = 0"; diff --git a/htdocs/cashdesk/index_verif.php b/htdocs/cashdesk/index_verif.php index 204af8f51f7..e8366e981cc 100644 --- a/htdocs/cashdesk/index_verif.php +++ b/htdocs/cashdesk/index_verif.php @@ -89,7 +89,7 @@ if ($retour >= 0) $sql = "SELECT rowid, lastname, firstname"; $sql .= " FROM ".MAIN_DB_PREFIX."user"; - $sql .= " WHERE login = '".$username."'"; + $sql .= " WHERE login = '".$db->escape($username)."'"; $sql .= " AND entity IN (0,".$conf->entity.")"; $result = $db->query($sql); diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php index 7e4a58b07e0..842a41c1a46 100644 --- a/htdocs/comm/action/class/actioncomm.class.php +++ b/htdocs/comm/action/class/actioncomm.class.php @@ -1031,8 +1031,8 @@ class ActionComm extends CommonObject $sql .= ", location = ".($this->location ? "'".$this->db->escape($this->location)."'" : "null"); $sql .= ", transparency = '".$this->db->escape($this->transparency)."'"; $sql .= ", fk_user_mod = ".$user->id; - $sql .= ", fk_user_action=".($userownerid > 0 ? "'".$userownerid."'" : "null"); - $sql .= ", fk_user_done=".($userdoneid > 0 ? "'".$userdoneid."'" : "null"); + $sql .= ", fk_user_action = ".($userownerid > 0 ? "'".$this->db->escape($userownerid)."'" : "null"); + $sql .= ", fk_user_done = ".($userdoneid > 0 ? "'".$this->db->escape($userdoneid)."'" : "null"); if (!empty($this->fk_element)) $sql .= ", fk_element=".($this->fk_element ? $this->db->escape($this->fk_element) : "null"); if (!empty($this->elementtype)) $sql .= ", elementtype=".($this->elementtype ? "'".$this->db->escape($this->elementtype)."'" : "null"); $sql .= " WHERE id=".$this->id; @@ -1127,7 +1127,7 @@ class ActionComm extends CommonObject * Load all objects with filters. * @todo WARNING: This make a fetch on all records instead of making one request with a join. * - * @param DoliDb $db Database handler + * @param DoliDb $db Not used * @param int $socid Filter by thirdparty * @param int $fk_element Id of element action is linked to * @param string $elementtype Type of element action is linked to @@ -1160,32 +1160,32 @@ class ActionComm extends CommonObject $sql .= " element_type = 'socpeople' AND fk_element = ".$fk_element.')'; } else { - $sql .= " AND a.fk_element = ".(int) $fk_element." AND a.elementtype = '".$elementtype."'"; + $sql .= " AND a.fk_element = ".(int) $fk_element." AND a.elementtype = '".$this->db->escape($elementtype)."'"; } } if (!empty($filter)) $sql .= $filter; - if ($sortorder && $sortfield) $sql .= $db->order($sortfield, $sortorder); - $sql .= $db->plimit($limit, 0); + if ($sortorder && $sortfield) $sql .= $this->db->order($sortfield, $sortorder); + $sql .= $this->db->plimit($limit, 0); - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - $num = $db->num_rows($resql); + $num = $this->db->num_rows($resql); if ($num) { for ($i = 0; $i < $num; $i++) { - $obj = $db->fetch_object($resql); - $actioncommstatic = new ActionComm($db); + $obj = $this->db->fetch_object($resql); + $actioncommstatic = new ActionComm($this->db); $actioncommstatic->fetch($obj->id); $resarray[$i] = $actioncommstatic; } } - $db->free($resql); + $this->db->free($resql); return $resarray; } else { - return $db->lasterror(); + return $this->db->lasterror(); } } diff --git a/htdocs/comm/action/class/cactioncomm.class.php b/htdocs/comm/action/class/cactioncomm.class.php index 147a6ff7ef0..6e86a556a1a 100644 --- a/htdocs/comm/action/class/cactioncomm.class.php +++ b/htdocs/comm/action/class/cactioncomm.class.php @@ -139,7 +139,7 @@ class CActionComm $sql .= " FROM ".MAIN_DB_PREFIX."c_actioncomm"; $sql .= " WHERE 1=1"; if ($active != '') $sql .= " AND active=".$active; - if (!empty($excludetype)) $sql .= " AND type <> '".$excludetype."'"; + if (!empty($excludetype)) $sql .= " AND type <> '".$this->db->escape($excludetype)."'"; if ($morefilter) $sql .= " AND ".$morefilter; $sql .= " ORDER BY module, position, type"; diff --git a/htdocs/comm/action/index.php b/htdocs/comm/action/index.php index f4e8487b054..a48dc03aea2 100644 --- a/htdocs/comm/action/index.php +++ b/htdocs/comm/action/index.php @@ -810,7 +810,7 @@ if ($conf->global->AGENDA_SHOW_HOLIDAYS) if ($action == 'show_day') { // Request only leaves for the current selected day - $sql .= " AND '".$year."-".$month."-".$day."' BETWEEN x.date_debut AND x.date_fin"; + $sql .= " AND '".$db->escape($year)."-".$db->escape($month)."-".$db->escape($day)."' BETWEEN x.date_debut AND x.date_fin"; } elseif ($action == 'show_week') { // TODO: Add filter to reduce database request diff --git a/htdocs/comm/mailing/class/advtargetemailing.class.php b/htdocs/comm/mailing/class/advtargetemailing.class.php index bbceba682c0..f82ebec9d6f 100644 --- a/htdocs/comm/mailing/class/advtargetemailing.class.php +++ b/htdocs/comm/mailing/class/advtargetemailing.class.php @@ -567,7 +567,7 @@ class AdvanceTargetingMailing extends CommonObject if (($extrafields->attributes[$elementtype]['type'][$key] == 'varchar') || ($extrafields->attributes[$elementtype]['type'][$key] == 'text')) { if (!empty($arrayquery['options_'.$key])) { - $sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key]."')"; + $sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')"; } } elseif (($extrafields->attributes[$elementtype]['type'][$key] == 'int') || ($extrafields->attributes[$elementtype]['type'][$key] == 'double')) { @@ -587,7 +587,7 @@ class AdvanceTargetingMailing extends CommonObject if (is_array($arrayquery['options_'.$key])) { $sqlwhere[] = " (te.".$key." IN ('".implode("','", $arrayquery['options_'.$key])."'))"; } elseif (!empty($arrayquery['options_'.$key])) { - $sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key]."')"; + $sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')"; } } } @@ -708,7 +708,7 @@ class AdvanceTargetingMailing extends CommonObject if (($extrafields->attributes[$elementtype]['type'][$key] == 'varchar') || ($extrafields->attributes[$elementtype]['type'][$key] == 'text')) { if (!empty($arrayquery['options_'.$key.'_cnct'])) { - $sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key.'_cnct']."')"; + $sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key.'_cnct'])."')"; } } elseif (($extrafields->attributes[$elementtype]['type'][$key] == 'int') || ($extrafields->attributes[$elementtype]['type'][$key] == 'double')) { @@ -732,7 +732,7 @@ class AdvanceTargetingMailing extends CommonObject if (is_array($arrayquery['options_'.$key.'_cnct'])) { $sqlwhere[] = " (te.".$key." IN ('".implode("','", $arrayquery['options_'.$key.'_cnct'])."'))"; } elseif (!empty($arrayquery['options_'.$key.'_cnct'])) { - $sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key.'_cnct']."')"; + $sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key.'_cnct'])."')"; } } } @@ -810,7 +810,7 @@ class AdvanceTargetingMailing extends CommonObject if (($extrafields->attributes[$elementtype]['type'][$key] == 'varchar') || ($extrafields->attributes[$elementtype]['type'][$key] == 'text')) { if (!empty($arrayquery['options_'.$key])) { - $sqlwhere[] = " (tse.".$key." LIKE '".$arrayquery['options_'.$key]."')"; + $sqlwhere[] = " (tse.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')"; } } elseif (($extrafields->attributes[$elementtype]['type'][$key] == 'int') || ($extrafields->attributes[$elementtype]['type'][$key] == 'double')) { @@ -830,7 +830,7 @@ class AdvanceTargetingMailing extends CommonObject if (is_array($arrayquery['options_'.$key])) { $sqlwhere[] = " (tse.".$key." IN ('".implode("','", $arrayquery['options_'.$key])."'))"; } elseif (!empty($arrayquery['options_'.$key])) { - $sqlwhere[] = " (tse.".$key." LIKE '".$arrayquery['options_'.$key]."')"; + $sqlwhere[] = " (tse.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')"; } } } diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php index 0712346f927..7e34ac6fc3c 100644 --- a/htdocs/comm/propal/class/propal.class.php +++ b/htdocs/comm/propal/class/propal.class.php @@ -1061,7 +1061,7 @@ class Propal extends CommonObject $sql .= ", '".$this->db->idate($this->date)."'"; $sql .= ", '".$this->db->idate($now)."'"; $sql .= ", '(PROV)'"; - $sql .= ", ".($user->id > 0 ? "'".$user->id."'" : "NULL"); + $sql .= ", ".($user->id > 0 ? "'".$this->db->escape($user->id)."'" : "NULL"); $sql .= ", '".$this->db->escape($this->note_private)."'"; $sql .= ", '".$this->db->escape($this->note_public)."'"; $sql .= ", '".$this->db->escape($this->model_pdf)."'";