lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Suppression des addslashes. En effet, les donnes ne doivent jamais contenir une valeur "transforme" de leur valeur mais c'est uniquement dans l'ordre insert que le addslashes doit etre ajout. Ceci ces donnes peuvent etre manipules par d'autres portions de code que le insert qui elle requiert la donne d'origine.

Browse Source
This commit is contained in:
Laurent Destailleur 2006-06-07 21:03:19 +00:00
parent 50dca584c4
commit d04e921c60
3 changed files with 44 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
htdocs/commande/commande.class.php
View File

@ -496,28 +496,28 @@ class Commande
}
}
/**
* Ajoute une ligne de commande
*
*/
/**
* Ajoute une ligne de commande
*
*/
function addline($desc, $product_desc, $pu, $qty, $txtva, $fk_product=0, $remise_percent=0)
{
global $conf;
// Nettoyage parametres
$qty = ereg_replace(',','.',$qty);
$pu = ereg_replace(',','.',$pu);
$qty = price2num($qty);
$pu = price2num($pu);
$desc=trim($desc);
$product_desc=trim($product_desc);
if (strlen(trim($qty))==0)
{
$qty=1;
}
// Verifs
if (! $this->brouillon) return -1;
$this->db->begin();
if ($fk_product > 0)
{
$prod = new Product($this->db, $fk_product);
@ -526,45 +526,35 @@ class Commande
$desc = $desc?$desc:$prod->libelle;
$product_desc = $prod->description;
$client = new Societe($this->db);
$client->fetch($this->soc_id);
$client->fetch($this->soc_id);
if($client->tva_assuj == "0")
$txtva ="0";
$txtva ="0";
else
$txtva=$prod->tva_tx;
$txtva=$prod->tva_tx;
// multiprix
if($conf->global->PRODUIT_MULTIPRICES == 1)
{
$pu = $prod->multiprices[$client->price_level];
$pu = $prod->multiprices[$client->price_level];
}
else
$pu = $prod->price;
$pu = $prod->price;
}
}
$remise = 0;
$price = round(ereg_replace(',','.',$pu), 2);
$price = round(price2num($pu), 2);
$subprice = $price;
// appliquait la remise 2 fois : sur la ligne et le HT
/*
if (trim(strlen($remise_percent)) > 0)
{
$remise = round(($pu * $remise_percent / 100), 2);
$price = $pu - $remise;
}
*/
$sql = 'INSERT INTO '.MAIN_DB_PREFIX.'commandedet (fk_commande,label,description,fk_product, price,qty,tva_tx, remise_percent, subprice, remise)';
if ($conf->global->PRODUIT_CHANGE_PROD_DESC)
{
$sql .= " VALUES ($this->id, '" . addslashes($desc) . "','" . addslashes($product_desc) . "',$fk_product,".price2num($price).", '$qty', $txtva, $remise_percent,'".price2num($subprice)."','".price2num( $remise)."') ;";
}
else
{
$sql .= " VALUES ($this->id, '" . addslashes($desc) . "','" . addslashes($desc) . "',$fk_product,".price2num($price).", '$qty', $txtva, $remise_percent,'".price2num($subprice)."','".price2num( $remise)."') ;";
}
{
$sql .= " VALUES ($this->id, '" . addslashes($desc) . "','" . addslashes($product_desc) . "',$fk_product,".price2num($price).", '$qty', $txtva, $remise_percent,'".price2num($subprice)."','".price2num( $remise)."') ;";
}
else
{
$sql .= " VALUES ($this->id, '" . addslashes($desc) . "','" . addslashes($desc) . "',$fk_product,".price2num($price).", '$qty', $txtva, $remise_percent,'".price2num($subprice)."','".price2num( $remise)."') ;";
}
if ( $this->db->query( $sql) )
{
$this->update_price();

23
htdocs/compta/facture.php
View File

@ -1559,19 +1559,16 @@ else
/*
* Lignes de factures
*/
$sql = 'SELECT l.fk_product, l.description, l.price, l.qty, l.rowid, l.tva_taux,';
$sql .= ' l.remise_percent, l.subprice,';
$sql .= ' '.$db->pdate('l.date_start').' as date_start,';
$sql .= ' '.$db->pdate('l.date_end').' as date_end, ';
$sql .= ' p.ref, p.fk_product_type, p.label as product';
if ($conf->global->FAC_ADD_PROD_DESC && !$conf->global->PRODUIT_CHANGE_PROD_DESC)
{
$sql.= ', p.description as product_desc';
}
$sql .= ' FROM '.MAIN_DB_PREFIX.'facturedet as l ';
$sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product p ON l.fk_product=p.rowid';
$sql .= ' WHERE l.fk_facture = '.$fac->id;
$sql .= ' ORDER BY l.rang ASC, l.rowid';
$sql = 'SELECT l.fk_product, l.description, l.price, l.qty, l.rowid, l.tva_taux,';
$sql.= ' l.remise_percent, l.subprice,';
$sql.= ' '.$db->pdate('l.date_start').' as date_start,';
$sql.= ' '.$db->pdate('l.date_end').' as date_end,';
$sql.= ' p.ref, p.fk_product_type, p.label as product,';
$sql.= ' p.description as product_desc';
$sql.= ' FROM '.MAIN_DB_PREFIX.'facturedet as l';
$sql.= ' LEFT JOIN '.MAIN_DB_PREFIX.'product p ON l.fk_product=p.rowid';
$sql.= ' WHERE l.fk_facture = '.$fac->id;
$sql.= ' ORDER BY l.rang ASC, l.rowid';
$resql = $db->query($sql);
if ($resql)

18
htdocs/product/fiche.php
View File

@ -256,8 +256,8 @@ if ($_POST["action"] == 'addincommande')
$commande = New Commande($db);
$commande->fetch($_POST["commandeid"]);
$result = $commande->addline(addslashes($product->libelle),
addslashes($product->description),
$result = $commande->addline($product->libelle,
$product->description,
$product->price,
$_POST["qty"],
$product->tva_tx,
@ -281,13 +281,13 @@ if ($_POST["action"] == 'addinfacture' && $user->rights->facture->creer)
$facture->fetch($_POST["factureid"]);
$facture->addline($_POST["factureid"],
addslashes($product->libelle),
addslashes($product->description),
"", // volontairement laissé vide pour fonctionnement module multiprix
$_POST["qty"],
$product->tva_tx,
$product->id,
$_POST["remise_percent"]);
$product->libelle,
$product->description,
"", // volontairement laissé vide pour fonctionnement module multiprix
$_POST["qty"],
$product->tva_tx,
$product->id,
$_POST["remise_percent"]);
Header("Location: ../compta/facture.php?facid=".$facture->id);
exit;