From db900cb5ea8062c0f880dde0ae2be3b6f7aba412 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Wed, 11 Sep 2019 17:51:50 +0200 Subject: [PATCH] FIX EDB-ID:47370 --- htdocs/comm/action/card.php | 42 +++++++++---------- .../comm/action/class/cactioncomm.class.php | 2 +- 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/htdocs/comm/action/card.php b/htdocs/comm/action/card.php index af54186e255..4e5abac75d3 100644 --- a/htdocs/comm/action/card.php +++ b/htdocs/comm/action/card.php @@ -221,7 +221,7 @@ if ($action == 'add') } // Initialisation objet cactioncomm - if (! GETPOST('actioncode') > 0) // actioncode is id + if (GETPOSTISSET('actioncode') && ! GETPOST('actioncode', 'aZ09')) // actioncode is '0' { $error++; $donotclearsession=1; $action = 'create'; @@ -229,7 +229,7 @@ if ($action == 'add') } else { - $object->type_code = GETPOST('actioncode'); + $object->type_code = GETPOST('actioncode', 'aZ09'); } if (! $error) @@ -243,7 +243,7 @@ if ($action == 'add') $object->elementtype = GETPOST("elementtype", 'alpha'); if (! GETPOST('label')) { - if (GETPOST('actioncode') == 'AC_RDV' && $contact->getFullName($langs)) + if (GETPOST('actioncode', 'aZ09') == 'AC_RDV' && $contact->getFullName($langs)) { $object->label = $langs->transnoentitiesnoconv("TaskRDVWith", $contact->getFullName($langs)); } @@ -426,15 +426,15 @@ if ($action == 'update') $datep=dol_mktime($fulldayevent?'00':$aphour, $fulldayevent?'00':$apmin, 0, $_POST["apmonth"], $_POST["apday"], $_POST["apyear"]); $datef=dol_mktime($fulldayevent?'23':$p2hour, $fulldayevent?'59':$p2min, $fulldayevent?'59':'0', $_POST["p2month"], $_POST["p2day"], $_POST["p2year"]); - $object->type_id = dol_getIdFromCode($db, GETPOST("actioncode"), 'c_actioncomm'); - $object->label = GETPOST("label"); + $object->type_id = dol_getIdFromCode($db, GETPOST("actioncode", 'aZ09'), 'c_actioncomm'); + $object->label = GETPOST("label", "alphanohtml"); $object->datep = $datep; $object->datef = $datef; $object->percentage = $percentage; - $object->priority = GETPOST("priority"); + $object->priority = GETPOST("priority", "alphanohtml"); $object->fulldayevent= GETPOST("fullday")?1:0; - $object->location = GETPOST('location'); - $object->socid = GETPOST("socid"); + $object->location = GETPOST('location', "alphanohtml"); + $object->socid = GETPOST("socid", "int"); $socpeopleassigned = GETPOST("socpeopleassigned", 'array'); $object->socpeopleassigned = array(); foreach ($socpeopleassigned as $cid) $object->socpeopleassigned[$cid] = array('id' => $cid); @@ -446,8 +446,8 @@ if ($action == 'update') $object->fk_project = GETPOST("projectid", 'int'); $object->note = GETPOST("note", "none"); // deprecated $object->note_private= GETPOST("note", "none"); - $object->fk_element = GETPOST("fk_element"); - $object->elementtype = GETPOST("elementtype"); + $object->fk_element = GETPOST("fk_element", "int"); + $object->elementtype = GETPOST("elementtype", "alphanohtml"); if (! $datef && $percentage == 100) { @@ -491,7 +491,7 @@ if ($action == 'update') } // Check parameters - if (! GETPOST('actioncode') > 0) + if (GETPOSTISSET('actioncode') && ! GETPOST('actioncode', 'aZ09')) // actioncode is '0' { $error++; $donotclearsession=1; $action = 'edit'; @@ -499,7 +499,7 @@ if ($action == 'update') } else { - $result=$cactioncomm->fetch(GETPOST('actioncode')); + $result=$cactioncomm->fetch(GETPOST('actioncode', 'aZ09')); } if (empty($object->userownerid)) { @@ -689,7 +689,7 @@ if ($action == 'create') if ($backtopage) print ''; if (empty($conf->global->AGENDA_USE_EVENT_TYPE)) print ''; - if (GETPOST("actioncode") == 'AC_RDV') print load_fiche_titre($langs->trans("AddActionRendezVous"), '', 'title_agenda'); + if (GETPOST("actioncode", 'aZ09') == 'AC_RDV') print load_fiche_titre($langs->trans("AddActionRendezVous"), '', 'title_agenda'); else print load_fiche_titre($langs->trans("AddAnAction"), '', 'title_agenda'); dol_fiche_head(); @@ -701,7 +701,7 @@ if ($action == 'create') { print ''.$langs->trans("Type").''; $default=(empty($conf->global->AGENDA_USE_EVENT_TYPE_DEFAULT)?'':$conf->global->AGENDA_USE_EVENT_TYPE_DEFAULT); - $formactions->select_type_actions(GETPOST("actioncode")?GETPOST("actioncode"):($object->type_code?$object->type_code:$default), "actioncode", "systemauto", 0, -1); + $formactions->select_type_actions(GETPOST("actioncode", 'aZ09')?GETPOST("actioncode", 'aZ09'):($object->type_code?$object->type_code:$default), "actioncode", "systemauto", 0, -1); print ''; } @@ -731,7 +731,7 @@ if ($action == 'create') { $datef=dol_time_plus_duree($datep, $conf->global->AGENDA_AUTOSET_END_DATE_WITH_DELTA_HOURS, 'h'); } - print ''.$langs->trans("DateActionEnd").''; + print ''.$langs->trans("DateActionEnd").''; if (GETPOST("afaire") == 1) { print $form->selectDate($datef, 'p2', 1, 1, 1, "action", 1, 1, 0, 'fulldayend'); } elseif (GETPOST("afaire") == 2) { @@ -1010,15 +1010,15 @@ if ($id > 0) $datep=dol_mktime($fulldayevent?'00':$aphour, $fulldayevent?'00':$apmin, 0, $_POST["apmonth"], $_POST["apday"], $_POST["apyear"]); $datef=dol_mktime($fulldayevent?'23':$p2hour, $fulldayevent?'59':$p2min, $fulldayevent?'59':'0', $_POST["p2month"], $_POST["p2day"], $_POST["p2year"]); - $object->type_id = dol_getIdFromCode($db, GETPOST("actioncode"), 'c_actioncomm'); - $object->label = GETPOST("label"); + $object->type_id = dol_getIdFromCode($db, GETPOST("actioncode", 'aZ09'), 'c_actioncomm'); + $object->label = GETPOST("label", "alphanohtml"); $object->datep = $datep; $object->datef = $datef; $object->percentage = $percentage; - $object->priority = GETPOST("priority"); + $object->priority = GETPOST("priority", "alphanohtml"); $object->fulldayevent= GETPOST("fullday")?1:0; - $object->location = GETPOST('location'); - $object->socid = GETPOST("socid"); + $object->location = GETPOST('location', "alpanohtml"); + $object->socid = GETPOST("socid", "int"); $socpeopleassigned = GETPOST("socpeopleassigned", 'array'); foreach ($socpeopleassigned as $tmpid) $object->socpeopleassigned[$id] = array('id' => $tmpid); $object->contactid = GETPOST("contactid", 'int'); @@ -1101,7 +1101,7 @@ if ($id > 0) print ''.$langs->trans("Type").''; if ($object->type_code != 'AC_OTH_AUTO') { - $formactions->select_type_actions(GETPOST("actioncode")?GETPOST("actioncode"):$object->type_code, "actioncode", "systemauto"); + $formactions->select_type_actions(GETPOST("actioncode", 'aZ09')?GETPOST("actioncode", 'aZ09'):$object->type_code, "actioncode", "systemauto"); } else { diff --git a/htdocs/comm/action/class/cactioncomm.class.php b/htdocs/comm/action/class/cactioncomm.class.php index eb7fb885d8d..5d3290599b9 100644 --- a/htdocs/comm/action/class/cactioncomm.class.php +++ b/htdocs/comm/action/class/cactioncomm.class.php @@ -84,7 +84,7 @@ class CActionComm $sql = "SELECT id, code, type, libelle as label, color, active, picto"; $sql.= " FROM ".MAIN_DB_PREFIX."c_actioncomm"; if (is_numeric($id)) $sql.= " WHERE id=".$id; - else $sql.= " WHERE code='".$id."'"; + else $sql.= " WHERE code='".$this->db->escape($id)."'"; dol_syslog(get_class($this)."::fetch", LOG_DEBUG); $resql=$this->db->query($sql);