Fix: Security
This commit is contained in:
parent
79c0369d66
commit
cda3600f7f
@ -1,7 +1,7 @@
|
||||
<?PHP
|
||||
/* Copyright (C) 2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
|
||||
* Copyright (C) 2005 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2010-2011 Juanjo Menent <jmenent@2byte.es>
|
||||
* Copyright (C) 2010-2012 Juanjo Menent <jmenent@2byte.es>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -34,7 +34,7 @@ $langs->load("categories");
|
||||
// Security check
|
||||
$socid=0;
|
||||
$id = GETPOST('id','int');
|
||||
$ref = GETPOST("ref");
|
||||
$ref = GETPOST('ref','alpha');
|
||||
if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'prelevement', $id);
|
||||
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
/* Copyright (C) 2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
|
||||
* Copyright (C) 2005-2008 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2005-2009 Regis Houssin <regis@dolibarr.fr>
|
||||
* Copyright (C) 2010-2011 Juanjo Menent <jmenent@2byte.es>
|
||||
* Copyright (C) 2010-2012 Juanjo Menent <jmenent@2byte.es>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -36,11 +36,11 @@ if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'prelevement','','','bons');
|
||||
|
||||
// Get supervariables
|
||||
$page = GETPOST("page");
|
||||
$sortorder = ((GETPOST("sortorder")=="")) ? "DESC" : GETPOST("sortorder");
|
||||
$sortfield = ((GETPOST("sortfield")=="")) ? "p.datec" : GETPOST("sortfield");
|
||||
$statut = GETPOST("statut");
|
||||
$search_line = GETPOST("search_ligne");
|
||||
$page = GETPOST('page','int');
|
||||
$sortorder = ((GETPOST('sortorder','alpha')=="")) ? "DESC" : GETPOST('sortorder','alpha');
|
||||
$sortfield = ((GETPOST('sortfield','alpha')=="")) ? "p.datec" : GETPOST('sortfield','alpha');
|
||||
$statut = GETPOST('statut','int');
|
||||
$search_line = GETPOST('search_ligne','int');
|
||||
|
||||
llxHeader('',$langs->trans("WithdrawalsReceipts"));
|
||||
|
||||
|
||||
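Review bot: The `$sortorder`/`$sortfield` reads at the bottom of this hunk are still passed through only a character filter, and both are later interpolated verbatim into an ORDER BY clause (this commit shows the pattern in a later file: `$sql.= " ORDER BY $sortfield $sortorder ";`), so the check that actually protects the query is an allowlist, not 'alpha'. For the direction something like `$sortorder = in_array(strtoupper(GETPOST('sortorder','alpha')), array('ASC','DESC'), true) ? strtoupper(GETPOST('sortorder','alpha')) : 'DESC';`, and for `$sortfield` a comparison against the fixed list of columns this page sorts on, falling back to `p.datec`. The same reads appear in the later hunks of this commit (every hunk that reads `sortorder`/`sortfield` with 'alpha'), so the allowlist belongs in each of them. `$statut` and `$search_ligne` are read with 'int' here; if GETPOST's 'int' check is the is_numeric-style one I would expect at this vintage, casting with `(int)` before they reach SQL keeps the value a true integer — confirm against GETPOST's implementation.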
@ -2,7 +2,7 @@
|
||||
/* Copyright (C) 2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
|
||||
* Copyright (C) 2010 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2005-2009 Regis Houssin <regis@dolibarr.fr>
|
||||
* Copyright (C) 2010-2011 Juanjo Menent <jmenent@2byte.es>
|
||||
* Copyright (C) 2010-2012 Juanjo Menent <jmenent@2byte.es>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -39,7 +39,7 @@ if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'prelevement', '', '', 'bons');
|
||||
|
||||
// Get supervariables
|
||||
$action = GETPOST("action");
|
||||
$action = GETPOST('action','alpha');
|
||||
|
||||
|
||||
/*
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
/* Copyright (C) 2004-2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
|
||||
* Copyright (C) 2005-2010 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2005-2009 Regis Houssin <regis@dolibarr.fr>
|
||||
* Copyright (C) 2011 Juanjo Menent <jmenent@2byte.es>
|
||||
* Copyright (C) 2011-2012 Juanjo Menent <jmenent@2byte.es>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -37,9 +37,9 @@ if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'prelevement','','','bons');
|
||||
|
||||
// Get supervariables
|
||||
$page = GETPOST("page");
|
||||
$sortorder = GETPOST("sortorder");
|
||||
$sortfield = GETPOST("sortfield");
|
||||
$page = GETPOST('page','int');
|
||||
$sortorder = GETPOST('sortorder','alpha');
|
||||
$sortfield = GETPOST('sortfield','alpha');
|
||||
|
||||
/*
|
||||
* View
|
||||
@ -77,9 +77,9 @@ if ($socid) $sql.= " AND f.fk_soc = ".$socid;
|
||||
if (!$statut) $sql.= " AND pfd.traite = 0";
|
||||
if ($statut) $sql.= " AND pfd.traite = ".$statut;
|
||||
$sql.= " AND pfd.fk_facture = f.rowid";
|
||||
if (dol_strlen(trim(GETPOST("search_societe"))))
|
||||
if (dol_strlen(trim(GETPOST('search_societe','alpha'))))
|
||||
{
|
||||
$sql.= " AND s.nom LIKE '%".GETPOST("search_societe")."%'";
|
||||
$sql.= " AND s.nom LIKE '%".GETPOST('search_societe','alpha')."%'";
|
||||
}
|
||||
$sql.= " ORDER BY $sortfield $sortorder ";
|
||||
$sql.= $db->plimit($conf->liste_limit+1, $offset);
|
||||
@ -108,8 +108,8 @@ if ($resql)
|
||||
print '</tr>';
|
||||
|
||||
print '<form action="'.$_SERVER["PHP_SELF"].'" method="GET">';
|
||||
print '<td class="liste_titre"><input type="text" class="flat" name="search_facture" size="12" value="'.GETPOST("search_facture").'"></td>';
|
||||
print '<td class="liste_titre"><input type="text" class="flat" name="search_societe" size="18" value="'.GETPOST("search_societe").'"></td>';
|
||||
print '<td class="liste_titre"><input type="text" class="flat" name="search_facture" size="12" value="'.GETPOST('search_facture','alpha').'"></td>';
|
||||
print '<td class="liste_titre"><input type="text" class="flat" name="search_societe" size="18" value="'.GETPOST('search_societe','alpha').'"></td>';
|
||||
print '<td colspan="2" class="liste_titre" align="right"><input type="image" class="liste_titre" src="'.DOL_URL_ROOT.'/theme/'.$conf->theme.'/img/search.png" name="button_search" value="'.dol_escape_htmltag($langs->trans("Search")).'" title="'.dol_escape_htmltag($langs->trans("Search")).'"></td>';
|
||||
print '</tr>';
|
||||
print '</form>';
|
||||
|
||||
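Review bot: `$sql.= " AND s.nom LIKE '%".GETPOST('search_societe','alpha')."%'";` still concatenates the request value into the query; as far as I can tell the 'alpha' check rejects `"` and `../` but not a single quote, so it is a character filter, not an SQL escape, and the query building starts before this hunk. The value should go through the database layer's escape before concatenation, `$sql.= " AND s.nom LIKE '%".$db->escape(GETPOST('search_societe','alpha'))."%'";` (`$db` is the handle already used for `plimit` three lines below). In the same file, `if ($statut) $sql.= " AND pfd.traite = ".$statut;` interpolates `$statut` unquoted; it is not assigned in this section's hunks, so wherever it is read from the request it should be cast with `(int)` first. In the next hunk the search boxes echo `GETPOST('search_facture','alpha')` and `GETPOST('search_societe','alpha')` straight into `value="..."` attributes; rejecting `"` keeps the attribute closed but is not attribute escaping (`<`, `&`, `'` pass), so wrap them in `dol_escape_htmltag()` as the Search button's title on the same row already does.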
@ -2,7 +2,7 @@
|
||||
/* Copyright (C) 2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
|
||||
* Copyright (C) 2005 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2005-2009 Regis Houssin <regis@dolibarr.fr>
|
||||
* Copyright (C) 2010-2011 Juanjo Menent <jmenent@2byte.es>
|
||||
* Copyright (C) 2010-2012 Juanjo Menent <jmenent@2byte.es>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -39,9 +39,9 @@ if ($user->societe_id > 0) accessforbidden();
|
||||
// Get supervariables
|
||||
$prev_id = GETPOST('id','int');
|
||||
$socid = GETPOST('socid','int');
|
||||
$page = GETPOST("page");
|
||||
$sortorder = ((GETPOST("sortorder")=="")) ? "DESC" : GETPOST("sortorder");
|
||||
$sortfield = ((GETPOST("sortfield")=="")) ? "p.ref" : GETPOST("sortfield");
|
||||
$page = GETPOST('page','int');
|
||||
$sortorder = ((GETPOST('sortorder','alpha')=="")) ? "DESC" : GETPOST('sortorder','alpha');
|
||||
$sortfield = ((GETPOST('sortfield','alpha')=="")) ? "p.ref" : GETPOST('sortfield','alpha');
|
||||
|
||||
llxHeader('',$langs->trans("WithdrawalReceipt"));
|
||||
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
/* Copyright (C) 2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
|
||||
* Copyright (C) 2005 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2005-2010 Regis Houssin <regis@dolibarr.fr>
|
||||
* Copyright (C) 2010-2011 Juanjo Menent <jmenent@2byte.es>
|
||||
* Copyright (C) 2010-2012 Juanjo Menent <jmenent@2byte.es>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -36,7 +36,7 @@ if ($user->societe_id > 0) accessforbidden();
|
||||
|
||||
// Get supervariables
|
||||
$prev_id = GETPOST('id','int');
|
||||
$page = GETPOST("page");
|
||||
$page = GETPOST('page','int');
|
||||
|
||||
/*
|
||||
* View
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
<?PHP
|
||||
/* Copyright (C) 2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
|
||||
* Copyright (C) 2005 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2010-2011 Juanjo Menent <jmenent@2byte.es>
|
||||
* Copyright (C) 2010-2012 Juanjo Menent <jmenent@2byte.es>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -35,7 +35,7 @@ $langs->load("categories");
|
||||
|
||||
// Get supervariables
|
||||
$prev_id = GETPOST('id','int');
|
||||
$page = GETPOST("page");
|
||||
$page = GETPOST('page','int');
|
||||
|
||||
/*
|
||||
* View
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
<?PHP
|
||||
/* Copyright (C) 2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
|
||||
* Copyright (C) 2005-2010 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2010-2011 Juanjo Menent <jmenent@2byte.es>
|
||||
* Copyright (C) 2010-2012 Juanjo Menent <jmenent@2byte.es>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -39,14 +39,14 @@ $langs->load("categories");
|
||||
if ($user->societe_id > 0) accessforbidden();
|
||||
|
||||
// Get supervariables
|
||||
$action = GETPOST("action");
|
||||
$action = GETPOST('action','alpha');
|
||||
$id = GETPOST('id','int');
|
||||
|
||||
/*
|
||||
* Actions
|
||||
*/
|
||||
|
||||
if ( $action == 'confirm_credite' && GETPOST("confirm") == 'yes')
|
||||
if ( $action == 'confirm_credite' && GETPOST('confirm','alpha') == 'yes')
|
||||
{
|
||||
$bon = new BonPrelevement($db,"");
|
||||
$bon->id = $id;
|
||||
@ -69,9 +69,9 @@ if ($action == 'infotrans' && $user->rights->prelevement->bons->send)
|
||||
|
||||
if (dol_move_uploaded_file($_FILES['userfile']['tmp_name'], $dir . "/" . $_FILES['userfile']['name'],1) > 0)
|
||||
{
|
||||
$dt = dol_mktime(12,0,0,GETPOST("remonth"),GETPOST("reday"),GETPOST("reyear"));
|
||||
$dt = dol_mktime(12,0,0,GETPOST('remonth','int'),GETPOST('reday','int'),GETPOST('reyear','int'));
|
||||
|
||||
$bon->set_infotrans($user, $dt, GETPOST("methode"));
|
||||
$bon->set_infotrans($user, $dt, GETPOST('methode','alpha'));
|
||||
}
|
||||
|
||||
Header("Location: fiche.php?id=".$id);
|
||||
@ -88,7 +88,7 @@ if ($action == 'infocredit' && $user->rights->prelevement->bons->credit)
|
||||
{
|
||||
$bon = new BonPrelevement($db,"");
|
||||
$bon->fetch($id);
|
||||
$dt = dol_mktime(12,0,0,GETPOST("remonth"),GETPOST("reday"),GETPOST("reyear"));
|
||||
$dt = dol_mktime(12,0,0,GETPOST('remonth','int'),GETPOST('reday','int'),GETPOST('reyear','int'));
|
||||
|
||||
$error = $bon->set_infocredit($user, $dt);
|
||||
|
||||
@ -121,9 +121,9 @@ if ($id)
|
||||
$head = prelevement_prepare_head($bon);
|
||||
dol_fiche_head($head, 'prelevement', $langs->trans("WithdrawalReceipt"), '', 'payment');
|
||||
|
||||
if (GETPOST("error")!='')
|
||||
if (GETPOST('error','alpha')!='')
|
||||
{
|
||||
print '<div class="error">'.$bon->ReadError(GETPOST("error")).'</div>';
|
||||
print '<div class="error">'.$bon->ReadError(GETPOST('error','alpha')).'</div>';
|
||||
}
|
||||
|
||||
if ($action == 'credite')
|
||||
|
||||
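Review bot: `dol_move_uploaded_file($_FILES['userfile']['tmp_name'], $dir . "/" . $_FILES['userfile']['name'],1)` in the infotrans hunk builds the destination path from the client-supplied file name, and this commit, which is about request input, leaves that line untouched. Unless `dol_move_uploaded_file` itself sanitises the basename (confirm), the name should be passed through `dol_sanitizeFileName()` before it is joined to `$dir`, e.g. `$dir . "/" . dol_sanitizeFileName($_FILES['userfile']['name'])`. The `if ($action == 'infotrans' ...)` block starts before this hunk and `Header("Location: fiche.php?id=".$id);` is its last visible line, so whether an `exit` follows it is outside the view. Separately, `confirm_credite`, `infotrans` and `infocredit` change state on the strength of `action` and `confirm` alone; that predates this commit, but a per-session token check on those branches is the missing piece a later change should add.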
@ -2,7 +2,7 @@
|
||||
/* Copyright (C) 2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
|
||||
* Copyright (C) 2005-2008 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2005-2009 Regis Houssin <regis@dolibarr.fr>
|
||||
* Copyright (C) 2010-2011 Juanjo Menent <jmenent@2byte.es>
|
||||
* Copyright (C) 2010-2012 Juanjo Menent <jmenent@2byte.es>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -38,37 +38,37 @@ $langs->load("withdrawals");
|
||||
$langs->load("categories");
|
||||
|
||||
// Get supervariables
|
||||
$action = GETPOST("action");
|
||||
$action = GETPOST('action','alpha');
|
||||
$id = GETPOST('id','int');
|
||||
$socid = GETPOST('socid','int');
|
||||
|
||||
$page = GETPOST("page");
|
||||
$sortorder = GETPOST("sortorder");
|
||||
$sortfield = GETPOST("sortfield");
|
||||
$page = GETPOST('page','int');
|
||||
$sortorder = GETPOST('sortorder','alpha');
|
||||
$sortfield = GETPOST('sortfield','alpha');
|
||||
|
||||
if ($action == 'confirm_rejet')
|
||||
{
|
||||
if ( GETPOST("confirm") == 'yes')
|
||||
{
|
||||
$daterej = mktime(2, 0, 0, GETPOST("remonth"), GETPOST("reday"), GETPOST("reyear"));
|
||||
$daterej = mktime(2, 0, 0, GETPOST('remonth','int'), GETPOST('reday','int'), GETPOST('reyear','int'));
|
||||
|
||||
$lipre = new LignePrelevement($db, $user);
|
||||
|
||||
if ($lipre->fetch($id) == 0)
|
||||
{
|
||||
|
||||
if (GETPOST("motif") > 0 && $daterej < time())
|
||||
if (GETPOST('motif','alpha') > 0 && $daterej < time())
|
||||
{
|
||||
$rej = new RejetPrelevement($db, $user);
|
||||
|
||||
$rej->create($user, $id, GETPOST("motif"), $daterej, $lipre->bon_rowid, GETPOST("facturer"));
|
||||
$rej->create($user, $id, GETPOST('motif','alpha'), $daterej, $lipre->bon_rowid, GETPOST('facturer','int'));
|
||||
|
||||
Header("Location: ligne.php?id=".$id);
|
||||
exit;
|
||||
}
|
||||
else
|
||||
{
|
||||
dol_syslog("Motif : ".GETPOST("motif"));
|
||||
dol_syslog("Motif : ".GETPOST('motif','alpha'));
|
||||
dol_syslog("$daterej $time ");
|
||||
Header("Location: ligne.php?id=".$id."&action=rejet");
|
||||
exit;
|
||||
|
||||
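Review bot: `if ( GETPOST("confirm") == 'yes')` inside the `confirm_rejet` branch is left as a bare `GETPOST("confirm")` while the sibling page in this commit changed the same test to `GETPOST('confirm','alpha') == 'yes'`; the filter should be applied here too for consistency. Two lines further down, `GETPOST('motif','alpha') > 0` compares the value numerically and then passes it to `$rej->create(...)` alongside `GETPOST('facturer','int')`, so if `motif` is the numeric reason code the comparison assumes, 'int' is the matching filter: `if (GETPOST('motif','int') > 0 && $daterej < time())` and `$rej->create($user, $id, GETPOST('motif','int'), $daterej, $lipre->bon_rowid, GETPOST('facturer','int'));`. `dol_syslog("$daterej $time ");` interpolates `$time`, which is not assigned anywhere in this hunk (presumably a leftover, with `time()` intended), so the log line is worth fixing while here. The `else` branch continues past the end of the hunk.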
@ -2,7 +2,7 @@
|
||||
/* Copyright (C) 2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
|
||||
* Copyright (C) 2005 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2005-2009 Regis Houssin <regis@dolibarr.fr>
|
||||
* Copyright (C) 2010-2011 Juanjo Menent <jmenent@2byte.es>
|
||||
* Copyright (C) 2010-2012 Juanjo Menent <jmenent@2byte.es>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -38,9 +38,9 @@ $langs->load("categories");
|
||||
// Get supervariables
|
||||
$prev_id = GETPOST('id','int');
|
||||
$socid = GETPOST('socid','int');
|
||||
$page = GETPOST("page");
|
||||
$sortorder = ((GETPOST("sortorder")=="")) ? "DESC" : GETPOST("sortorder");
|
||||
$sortfield = ((GETPOST("sortfield")=="")) ? "pl.fk_soc" : GETPOST("sortfield");
|
||||
$page = GETPOST('page','int');
|
||||
$sortorder = ((GETPOST('sortorder','alpha')=="")) ? "DESC" : GETPOST('sortorder','alpha');
|
||||
$sortfield = ((GETPOST('sortfield','alpha')=="")) ? "pl.fk_soc" : GETPOST('sortfield','alpha');
|
||||
|
||||
|
||||
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
/* Copyright (C) 2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
|
||||
* Copyright (C) 2005-2010 Laurent Destailleur <eldy@users.sourceforge.net>
|
||||
* Copyright (C) 2005-2009 Regis Houssin <regis@dolibarr.fr>
|
||||
* Copyright (C) 2010-2011 Juanjo Menent <jmenent@2byte.es>
|
||||
* Copyright (C) 2010-2012 Juanjo Menent <jmenent@2byte.es>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -37,14 +37,14 @@ if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'prelevement','','','bons');
|
||||
|
||||
// Get supervariables
|
||||
$page = GETPOST("page");
|
||||
$sortorder = ((GETPOST("sortorder")=="")) ? "DESC" : GETPOST("sortorder");
|
||||
$sortfield = ((GETPOST("sortfield")=="")) ? "p.datec" : GETPOST("sortfield");
|
||||
$search_line = GETPOST("search_ligne");
|
||||
$search_bon = GETPOST("search_bon");
|
||||
$search_code = GETPOST("search_code");
|
||||
$search_societe = GETPOST("search_societe");
|
||||
$statut = GETPOST("statut");
|
||||
$page = GETPOST('page','int');
|
||||
$sortorder = ((GETPOST('sortorder','alpha')=="")) ? "DESC" : GETPOST('sortorder','alpha');
|
||||
$sortfield = ((GETPOST('sortfield','alpha')=="")) ? "p.datec" : GETPOST('sortfield','alpha');
|
||||
$search_line = GETPOST('search_ligne','alpha');
|
||||
$search_bon = GETPOST('search_bon','alpha');
|
||||
$search_code = GETPOST('search_code','alpha');
|
||||
$search_societe = GETPOST('search_societe','alpha');
|
||||
$statut = GETPOST('statut','int');
|
||||
|
||||
$bon=new BonPrelevement($db,"");
|
||||
$ligne=new LignePrelevement($db,$user);
|
||||
|
||||
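Review bot: `$search_line = GETPOST('search_ligne','alpha');` reads the same parameter that the second file of this commit reads as `GETPOST('search_ligne','int')`; the two pages should agree on whether a line search term is numeric, and if it is, 'int' plus an `(int)` cast is the right choice here too. The `search_bon`, `search_code` and `search_societe` values are presumably concatenated into LIKE clauses further down this file (not in view); as in the other list page, they need `$db->escape()` at the point of concatenation, since 'alpha' is not an SQL escape. `$statut` is read with 'int' and should be cast `(int)` where it is interpolated into the query.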
@ -1,7 +1,7 @@
|
||||
<?PHP
|
||||
/* Copyright (C) 2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
|
||||
* Copyright (C) 2005-2009 Regis Houssin <regis@dolibarr.fr>
|
||||
* Copyright (C) 2010-2011 Juanjo Menent <jmenent@2byte.es>
|
||||
* Copyright (C) 2010-2012 Juanjo Menent <jmenent@2byte.es>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -35,9 +35,9 @@ if ($user->societe_id) $socid=$user->societe_id;
|
||||
$result = restrictedArea($user, 'prelevement','','','bons');
|
||||
|
||||
// Get supervariables
|
||||
$page = GETPOST("page");
|
||||
$sortorder = GETPOST("sortorder");
|
||||
$sortfield = GETPOST("sortfield");
|
||||
$page = GETPOST('page','int');
|
||||
$sortorder = GETPOST('sortorder','alpha');
|
||||
$sortfield = GETPOST('sortfield','alpha');
|
||||
|
||||
/*
|
||||
* View
|
||||
|
||||