Fix #yogosha7508

This commit is contained in:
Laurent Destailleur 2021-10-25 18:40:19 +02:00
parent 1aa59a8b73
commit dc1226b116
3 changed files with 6 additions and 9 deletions


@ -1851,7 +1851,7 @@ abstract class CommonObject
$result = false;
$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX.$table;
$sql .= " WHERE ".$field." = '".$key."'";
$sql .= " WHERE ".$field." = '".$this->db->escape($key)."'";
if (!empty($element)) {
$sql .= " AND entity IN (".getEntity($element).")";
} else {
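Review bot: Only the value side of the WHERE clause is escaped by the new `$this->db->escape($key)`; `$field` on the same line and `$table` on the line above are still concatenated raw, and the db escape helper is for string literals, not identifiers. Unless every caller passes `$field`/`$table` from a fixed set of column and table names, the identifier side of this statement remains unprotected, so I would validate them before this line (for example `if (!preg_match('/^[A-Za-z0-9_.]+$/', $field)) { return false; }`) or at least record the contract with a comment such as `// $table and $field are SQL identifiers: callers must never derive them from request input`. The enclosing method begins before and ends after this hunk, so I cannot see how these parameters are obtained.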


@ -286,7 +286,7 @@ class CommandeFournisseurDispatch extends CommonObjectLine
$sql .= " FROM ".MAIN_DB_PREFIX.$this->table_element." as t";
if ($ref) {
$sql .= " WHERE t.ref = '".$ref."'";
$sql .= " WHERE t.ref = '".$this->db->escape($ref)."'";
} else {
$sql .= " WHERE t.rowid = ".((int) $id);
}
@ -374,7 +374,6 @@ class CommandeFournisseurDispatch extends CommonObjectLine
// Update request
$sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element." SET";
$sql .= " fk_commande=".(isset($this->fk_commande) ? $this->fk_commande : "null").",";
$sql .= " fk_product=".(isset($this->fk_product) ? $this->fk_product : "null").",";
$sql .= " fk_commandefourndet=".(isset($this->fk_commandefourndet) ? $this->fk_commandefourndet : "null").",";
@ -388,8 +387,6 @@ class CommandeFournisseurDispatch extends CommonObjectLine
$sql .= " batch=".(isset($this->batch) ? "'".$this->db->escape($this->batch)."'" : "null").",";
$sql .= " eatby=".(dol_strlen($this->eatby) != 0 ? "'".$this->db->idate($this->eatby)."'" : 'null').",";
$sql .= " sellby=".(dol_strlen($this->sellby) != 0 ? "'".$this->db->idate($this->sellby)."'" : 'null')."";
$sql .= " WHERE rowid=".((int) $this->id);
$this->db->begin();
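Review bot: The UPDATE built in the second hunk (`fk_commande`, `fk_product`, `fk_commandefourndet`) interpolates the property values without a cast, while the same commit escapes `$ref` in the fetch hunk above; if these properties are ever set from request parameters without prior validation, the statement is as exposed as the one being fixed. Since they are presumably integer foreign keys (the nearby `WHERE rowid=".((int) $this->id)` already uses that pattern), I would change them to `$sql .= " fk_commande=".(isset($this->fk_commande) ? ((int) $this->fk_commande) : "null").",";`, `$sql .= " fk_product=".(isset($this->fk_product) ? ((int) $this->fk_product) : "null").",";` and `$sql .= " fk_commandefourndet=".(isset($this->fk_commandefourndet) ? ((int) $this->fk_commandefourndet) : "null").",";`. The `batch`/`eatby`/`sellby` lines in the third hunk already go through `escape()`/`idate()`, so the cast brings the numeric columns in line with them. The enclosing method starts before the first of these hunks and ends after the last one.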


@ -360,13 +360,13 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
//print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
$this->assertTrue($ok, 'Found non escaped string in building of a sql request (case 1) in '.$file['relativename'].' - Bad.');
// Check string sql|set...'".$yyy->xxx with xxx that is not 'escape', 'idate', .... It means we forget a db->escape when forging sql request.
// Check string sql|set|WHERE|...'".$yyy->xxx with xxx that is not 'escape', 'idate', .... It means we forget a db->escape when forging sql request.
$ok=true;
$matches=array();
preg_match_all('/(sql|SET|WHERE|INSERT|VALUES).+\s*\'"\s*\.\s*\$(.........)/', $filecontent, $matches, PREG_SET_ORDER);
preg_match_all('/(sql|SET|WHERE|INSERT|VALUES).+\s*\'"\s*\.\s*\$(........)/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
if (! in_array($val[2], array('this->db-', 'this->esc', 'db->escap', 'dbs->esca', 'mydb->esc', 'dbsession', 'db->idate', 'escapedli', 'excludeGr', 'includeGr'))) {
$ok=false;
if (! in_array($val[2], array('this->db', 'this->es', 'db->esca', 'dbs->esc', 'mydb->es', 'dbsessio', 'db->idat', 'escapedl', 'excludeG', 'includeG'))) {
$ok=false; // This will generate error
break;
}
//if ($reg[0] != 'db') $ok=false;
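Review bot: The allowlist in the new `in_array` call is a set of exactly-8-character prefixes that only works because the capture group in the line above was shortened to `(........)`; nothing in the code states that coupling, so the next person who widens the regex will silently stop matching every entry. I would add a comment above the `preg_match_all` line such as `// The capture group is 8 chars wide; every prefix in the allowlist below must be exactly 8 chars`, and pass `true` as the third argument to `in_array` so a non-string capture cannot match loosely. The dead `//if ($reg[0] != 'db') $ok=false;` line and the unused `$key` loop variable could go in the same touch.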