diff --git a/.github/workflows/exakat.yml b/.github/workflows/exakat.yml
new file mode 100644
index 00000000000..99711e56f8f
--- /dev/null
+++ b/.github/workflows/exakat.yml
@@ -0,0 +1,17 @@
+# See syntax file on https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions
+name: "Exakat analysis"
+
+on:
+ schedule:
+ - cron: "0 20 * * *"
+
+jobs:
+ exakat:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Exakat
+ uses: docker://exakat/exakat-ga
+ with:
+ ignore_rules: 'Classes/DontUnsetProperties,Classes/NonPpp,Classes/StaticMethodsCalledFromObject,Classes/UseClassOperator,Functions/UsesDefaultArguments,Php/NoClassInGlobal,Php/ShouldUseCoalesce,Structures/MergeIfThen,Structures/ElseIfElseif,Structures/RepeatedPrint,Structures/UselessParenthesis'
+ ignore_dirs: '/htdocs/includes,/htdocs/build,/htdocs/dev,/htdocs/doc,/htdocs/scripts,/htdocs/test'
\ No newline at end of file
diff --git a/ChangeLog b/ChangeLog
index d1aa820e4a2..46779a760c5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@ English Dolibarr ChangeLog -------------------------------------------------------------- + ***** ChangeLog for 13.0.0 compared to 12.0.0 ***** For users: NEW: Add module Credit transfer SEPA to manage payment of supplier using bank credit transfer SEPA files
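Review bot: The step `uses: docker://exakat/exakat-ga` in the new workflow references the image without a tag or digest, so each nightly run executes whatever the registry serves as `latest` at that moment, with the repository checkout mounted as its working directory; pin it to an immutable reference such as `uses: docker://exakat/exakat-ga@sha256:<image-digest-placeholder>` and update it deliberately. `actions/checkout@v2` is a mutable tag as well, although a commonly accepted one. If this repository is on a GitHub plan where the `permissions:` workflow key applies, a top-level `permissions: contents: read` would document that the job needs no write token.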
@@ -18,8 +19,56 @@ Following changes may create regressions for some external modules, but were nec * The hidden option HOLIDAY_MORE_PUBLIC_HOLIDAYS has been removed. Use instead the dictionary table if you need to define custom days of holiday. * Property num_paiement has been renamed num_payment everywhere for better code consistency. +* If you build a class that implement CommonObject to use the incoterm properties or method (->fk_incoterm, ->label_incoterm, ->location_incoterm), + you must now also include declaration of the Trait CommonIncoterm in your class. All incoterm functions were moved into this Trait. +* The GETPOST(..., 'alpha') has now the same behaviour than GETPOST(..., 'alpahnohtml'); +***** ChangeLog for 12.0.3 compared to 12.0.2 ***** +FIX: 10.0 - when the mime file name is different from the filesystem name, the attachment name should be the mime filename +FIX: 11.0 - expenses lines overlapping the total amounts frame +FIX: 12.0 - round value of virtual stock on product stock reassort list +FIX: #14469 +FIX: #14474 Error when deleting +FIX: #14530 +FIX: #14703 +FIX: - Accountancy balance Error SQL on entity +FIX: Bad number of subscription (forgotten when member was resiliated) +FIX: bad route url to delete subproduct with API +FIX: Category for suplements not saved +FIX: Compatibility with modules without document generation +FIX: Cron load lang +FIX: CSS +FIX: Error management. Do no try to approve PO if validation fails. +FIX: expenses lines overlapping the frame for total amounts. 
+FIX: Filter in "billed" of orders was not saved +FIX: infinite fetch object linked loop +FIX: Intervention lose html tags when updating +FIX: JS CRASH - bad usage of moreparam +FIX: lang fr retained warranty +FIX: Look and feel v12: First tab must be name of object +FIX: missing entity check +FIX: missing param for hook +FIX: Missing transaction on PO actions +FIX: MySql Strict mode +FIX: param entity in html form file +FIX: Problems on FEC format +FIX: round stock value on product list +FIX: - Send mail from contact : select mail model +FIX: set sales representatives on create company card +FIX: Setup of stock increase/decrease +FIX: sign of amount with credit note and multicurrencies +FIX: Static property called as non static +FIX: task leftmenu +FIX: title button attribute id empty +FIX: unit price divided by quantity when accepting supplier price proposal +FIX: Update extrafields on line only if it is supported +FIX: Update line of BOM +FIX: using decimal on stock correction +FIX: Visualization rights correction on last modified contacts box +FIX: Wrong redirection +FIX: Yogosha report 4425 (backport) + ***** ChangeLog for 12.0.2 compared to 12.0.1 ***** FIX: computation of the bottom margin of returns NaN because body is not loaded yet FIX: DebugBar hides content at page bottom diff --git a/SECURITY.md b/SECURITY.md index 59311cf71ba..56e1da679ed 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -62,13 +62,19 @@ No vulnerability disclosure, including partial is allowed for the moment. ## Scope for qualified vulnerabilities -ONLY vulnerabilities discovered, when the following setup on tested platform is used, are accepted: +ONLY vulnerabilities discovered, when the following setup on test platform is used, are accepted: * $dolibarr_main_prod must be set to 1 into conf.php -* $dolibarr_nocsrfcheck must be kept to the value 1 into conf.php (this is the default value) -* The module DebugBar must NOT be enabled (by default, this module is not enabled) +* $dolibarr_nocsrfcheck must be kept to the value 0 into conf.php (this is the default value) +* $dolibarr_main_force_https must be set to something else than 0. * The constant MAIN_SECURITY_CSRF_WITH_TOKEN must be set to 1 into backoffice menu Home - Setup - Other (this protection should be enabled soon by default) -* ONLY security reports on "stable" modules are allowed (troubles into "experimental" and "developement" modules are not accepted). +* The module DebugBar must NOT be enabled (by default, this module is not enabled. This is a developer tool) +* The module ModuleBuilder must NOT be enabled (by default, this module is not enabled. This is a developer tool) +* ONLY security reports on modules provided by default and with the "stable" status are allowed (troubles into "experimental", "developement" or external modules are not accepted). +* The root of web server must link to htdocs and the documents directory must be outside of the web server root (this is the default when using the default installer but may differs with external installer). +* The web server setup must be done so only the documents directory is in write mode. The root directory called htdocs must be readonly. +* CSRF attacks are accepted for all when using a POST URL, but are accepted only for creating or updating data resctricted to the admin user when using GET URL. 
+* Ability for a high level user to edit web site pages in the CMS by including javascript is an expected feature. Scope is the web application (back office) and the APIs. @@ -91,19 +97,19 @@ Scope is the web application (back office) and the APIs. ## Non-qualifying vulnerabilities for Bug bounty programs, but qualified for reporting * "Self" XSS -* Missing cookie flags * SSL/TLS best practices * Denial of Service attacks * Clickjacking/UI redressing -* Physical or social engineering attempts +* Physical or social engineering attempts or issues that require physical access to a victim’s computer/device * Presence of autocomplete attribute on web forms * Vulnerabilities affecting outdated browsers or platforms -* Issues that require physical access to a victim’s computer/device * Logout and other instances of low-severity Cross-Site Request Forgery +* Missing cookie flags * Missing security-related HTTP headers which do not lead directly to a vulnerability * Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated * Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM/DMARC) * Reports on features flagged as "experimental" or "development" -* Software version disclosure when logged user is admin +* Software version or private IP disclosure when logged user is admin * Stack traces or path disclosure when logged user is admin +* Any vulnerabilities due to a configuration different than the one defined into chapter "Scope for qualified vulnerabilities". diff --git a/dev/initdemo/initdemo.sh b/dev/initdemo/initdemo.sh index 7fd9eb551d4..1b32161b44b 100755 --- a/dev/initdemo/initdemo.sh +++ b/dev/initdemo/initdemo.sh @@ -69,6 +69,7 @@ then 255) exit;; esac + rm $fichtemp # ----------------------------- database name DIALOG=${DIALOG=dialog} @@ -86,6 +87,7 @@ then 255) exit;; esac + rm $fichtemp # ---------------------------- database port DIALOG=${DIALOG=dialog} 
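Review bot: The added `rm $fichtemp` leaves the variable unquoted and has no `-f`, so a path with whitespace or a temp file already removed by another path would make the removal fail or hit the wrong name; `rm -f "$fichtemp"` is the safer form. The identical line is added in the hunks at -86, -104, -122 and -140 of this file, so the same change applies there. The `case`/`esac` blocks these lines follow start outside each hunk, so whether a `trap` already removes the file at exit cannot be seen here.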
@@ -104,6 +106,7 @@ then 255) exit;; esac + rm $fichtemp # ---------------------------- compte admin mysql DIALOG=${DIALOG=dialog} @@ -122,6 +125,7 @@ then 255) exit;; esac + rm $fichtemp # ---------------------------- mot de passe admin mysql DIALOG=${DIALOG=dialog} @@ -140,6 +144,7 @@ then 255) exit;; esac + rm $fichtemp export documentdir=`cat $mydir/../../htdocs/conf/conf.php | grep '^\$dolibarr_main_data_root' | sed -e 's/$dolibarr_main_data_root=//' | sed -e 's/;//' | sed -e "s/'//g" | sed -e 's/"//g' ` diff --git a/dev/initdemo/initdemopassword.sh b/dev/initdemo/initdemopassword.sh new file mode 100755 index 00000000000..d5aa9c1ef0e --- /dev/null +++ b/dev/initdemo/initdemopassword.sh 
@@ -0,0 +1,166 @@
+#!/bin/sh
+#------------------------------------------------------
+# Script to reinit admin password.
+# Note: "dialog" tool need to be available if no parameter provided.
+#
+# Laurent Destailleur - eldy@users.sourceforge.net
+#------------------------------------------------------
+# Usage: initdemopassword.sh confirm
+# usage: initdemopassword.sh confirm base port login pass
+#------------------------------------------------------
+
+
+export mydir=`echo "$0" | sed -e 's/initdemopassword.sh//'`;
+if [ "x$mydir" = 'x' -o "x$mydir" = 'x./' ]
+then
+ export mydir="."
+fi
+export id=`id -u`;
+
+
+# ----------------------------- check if root
+if [ "x$id" != "x0" -a "x$id" != "x1001" ]
+then
+ echo "Script must be ran as root"
+ exit
+fi
+
+
+# ----------------------------- command line params
+confirm=$1;
+base=$2;
+port=$3;
+demologin=$4;
+demopass=$5;
+
+# ----------------------------- check params
+if [ "x$confirm" != "xconfirm" ]
+then
+ echo "----- $0 -----"
+ echo "Usage: initdemopassword.sh confirm [base port login pass]"
+ exit
+fi
+
+
+# ----------------------------- if no params on command line
+if [ "x$demopass" = "x" ]
+then
+ export dumpfile=`ls -v $mydir/mysqldump_dolibarr_*.sql | tail -n 1`
+ export dumpfile=`basename $dumpfile`
+
+ # ----------------------------- database name
+ DIALOG=${DIALOG=dialog}
+ DIALOG="$DIALOG --ascii-lines"
+ fichtemp=`tempfile 2>/dev/null` || fichtemp=/tmp/test$$
+ trap "rm -f $fichtemp" 0 1 2 5 15
+ $DIALOG --title "Init Dolibarr with demo values" --clear \
+ --inputbox "Mysql database name :" 16 55 dolibarrdemo 2> $fichtemp
+ valret=$?
+ case $valret in
+ 0)
+ base=`cat $fichtemp`;;
+ 1)
+ exit;;
+ 255)
+ exit;;
+ esac
+ rm $fichtemp
+
+ # ---------------------------- database port
+ DIALOG=${DIALOG=dialog}
+ fichtemp=`tempfile 2>/dev/null` || fichtemp=/tmp/test$$
+ trap "rm -f $fichtemp" 0 1 2 5 15
+ $DIALOG --title "Init Dolibarr with demo values" --clear \
+ --inputbox "Mysql port (ex: 3306):" 16 55 3306 2> $fichtemp
+
+ valret=$?
+
+ case $valret in
+ 0)
+ port=`cat $fichtemp`;;
+ 1)
+ exit;;
+ 255)
+ exit;;
+ esac
+ rm $fichtemp
+
+
+ # ----------------------------- demo login
+ DIALOG=${DIALOG=dialog}
+ DIALOG="$DIALOG --ascii-lines"
+ fichtemp=`tempfile 2>/dev/null` || fichtemp=/tmp/test$$
+ trap "rm -f $fichtemp" 0 1 2 5 15
+ $DIALOG --title "Reset login password" --clear \
+ --inputbox "Login to reset :" 16 55 dolibarrdemologin 2> $fichtemp
+ valret=$?
+ case $valret in
+ 0)
+ demologin=`cat $fichtemp`;;
+ 1)
+ exit;;
+ 255)
+ exit;;
+ esac
+ rm fichtemp
+
+ # ----------------------------- demo pass
+ DIALOG=${DIALOG=dialog}
+ DIALOG="$DIALOG --ascii-lines"
+ fichtemp=`tempfile 2>/dev/null` || fichtemp=/tmp/test$$
+ trap "rm -f $fichtemp" 0 1 2 5 15
+ $DIALOG --title "Reset login password" --clear \
+ --inputbox "Pass to set :" 16 55 dolibarrdemopass 2> $fichtemp
+ valret=$?
+ case $valret in
+ 0)
+ demopass=`cat $fichtemp`;;
+ 1)
+ exit;;
+ 255)
+ exit;;
+ esac
+ rm fichtemp
+
+
+ export documentdir=`cat $mydir/../../htdocs/conf/conf.php | grep '^\$dolibarr_main_data_root' | sed -e 's/$dolibarr_main_data_root=//' | sed -e 's/;//' | sed -e "s/'//g" | sed -e 's/"//g' `
+
+
+ # ---------------------------- confirmation
+ DIALOG=${DIALOG=dialog}
+ $DIALOG --title "Init demo login with demo values" --clear \
+ --yesno "Do you confirm ? \n Mysql database : '$base' \n Mysql port : '$port' \n Demo login: '$demologin' \n Demo password : '$demopass'" 15 55
+
+ case $? in
+ 0) echo "Ok, start process...";;
+ 1) exit;;
+ 255) exit;;
+ esac
+
+fi
+
+
+# ---------------------------- run sql file
+if [ "x$passwd" != "x" ]
+then
+ export passwd="-p$passwd"
+fi
+#echo "mysql -P$port -u$admin $passwd $base < $mydir/$dumpfile"
+#mysql -P$port -u$admin $passwd $base < $mydir/$dumpfile
+echo "echo \"UPDATE llx_user SET pass_crypted = MD5('$demopass') WHERE login = '$demologin';\" | mysql -P$port $base"
+echo "UPDATE llx_user SET pass_crypted = MD5('$demopass') WHERE login = '$demologin';" | mysql -P$port $base
+export res=$?
+
+if [ $res -ne 0 ]; then
+ echo "Error to execute sql with mysql -P$port -u$admin -p***** $base"
+ exit
+fi
+
+
+if [ "x$res" = "x0" ]
+then
+ echo "Success, file successfully loaded."
+else
+ echo "Error, load failed."
+fi
+echo
diff --git a/htdocs/accountancy/admin/account.php b/htdocs/accountancy/admin/account.php
index e6264648159..de8fd9a8cd6 100644
--- a/htdocs/accountancy/admin/account.php
+++ b/htdocs/accountancy/admin/account.php
@@ -54,8 +54,8 @@ if (!$user->rights->accounting->chartofaccount) accessforbidden(); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page;
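Review bot: The two `rm fichtemp` lines after the "demo login" and "demo pass" `esac` blocks are missing the `$`, so they try to delete a file literally named `fichtemp` in the current directory (an error on every run) while the real temp file is left until the `trap` fires; both should read `rm -f "$fichtemp"`, as the two earlier sections already do. The statement that does the work, `echo "UPDATE llx_user SET pass_crypted = MD5('$demopass') ..." | mysql -P$port $base`, interpolates the new password unquoted into SQL and the preceding `echo` prints that full statement, password included, to the terminal; a password containing a quote breaks the statement, so escape the value before building the SQL and drop the echo of the statement (logging the login alone is enough). The `if [ "x$passwd" != "x" ]` block and the error message `mysql -P$port -u$admin -p***** $base` reference `passwd` and `admin`, which this script never sets (its usage is `confirm base port login pass`), so the block is dead and the message misreports how mysql was invoked; `$dumpfile` is likewise computed but never used. Finally, the `fichtemp=/tmp/test$$` fallback is a predictable path used while running as root; `mktemp` (which the `tempfile` call already approximates) avoids that.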
@@ -230,8 +230,8 @@ if (strlen(trim($search_account))) { $search_account_tmp_clean = preg_replace('/^\^/', '', $search_account_tmp); $search_account_clean = preg_replace('/^\^/', '', $search_account); } - $sql .= " AND (aa.account_number LIKE '".$startchar.$search_account_tmp_clean."'"; - $sql .= " OR aa.account_number LIKE '".$startchar.$search_account_clean."%')"; + $sql .= " AND (aa.account_number LIKE '".$db->escape($startchar.$search_account_tmp_clean)."'"; + $sql .= " OR aa.account_number LIKE '".$db->escape($startchar.$search_account_clean)."%')"; } else $sql .= natural_search("aa.account_number", $search_account_tmp); } } @@ -264,14 +264,14 @@ if ($resql) $num = $db->num_rows($resql); $param = ''; - if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param .= '&contextpage='.$contextpage; - if ($limit > 0 && $limit != $conf->liste_limit) $param .= '&limit='.$limit; + if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param .= '&contextpage='.urlencode($contextpage); + if ($limit > 0 && $limit != $conf->liste_limit) $param .= '&limit='.urlencode($limit); if ($search_account) $param .= '&search_account='.urlencode($search_account); if ($search_label) $param .= '&search_label='.urlencode($search_label); if ($search_labelshort) $param .= '&search_labelshort='.urlencode($search_labelshort); if ($search_accountparent > 0 || $search_accountparent == '0') $param .= '&search_accountparent='.urlencode($search_accountparent); if ($search_pcgtype) $param .= '&search_pcgtype='.urlencode($search_pcgtype); - if ($optioncss != '') $param .= '&optioncss='.$optioncss; + if ($optioncss != '') $param .= '&optioncss='.urlencode($optioncss); if (!empty($conf->use_javascript_ajax)) { diff --git a/htdocs/accountancy/admin/accountmodel.php b/htdocs/accountancy/admin/accountmodel.php index 9794198332e..be3b49e41c1 100644 --- a/htdocs/accountancy/admin/accountmodel.php +++ b/htdocs/accountancy/admin/accountmodel.php 
@@ -280,7 +280,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) else $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'"; $i++; } - $sql .= " WHERE ".$rowidcol." = '".$rowid."'"; + $sql .= " WHERE ".$rowidcol." = ".((int) $rowid); dol_syslog("actionmodify", LOG_DEBUG); //print $sql; @@ -302,7 +302,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete { if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } - $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol."='".$rowid."'"; + $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = ".((int) $rowid); dol_syslog("delete", LOG_DEBUG); $result = $db->query($sql); @@ -323,9 +323,9 @@ if ($action == $acts[0]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$db->escape($code)."'"; } $result = $db->query($sql); @@ -341,9 +341,9 @@ if ($action == $acts[1]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$db->escape($code)."'"; } $result = $db->query($sql); 
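Review bot: The `((int) $rowid)` cast settles the row id, but `$tabname[$id]` and `$rowidcol` (taken from `$tabrowid[$id]`) are still concatenated raw into every statement in these hunks; if `$id` is request-controlled and not restricted to the keys of those arrays (its assignment is outside the hunk), an unknown `$id` yields `DELETE from  WHERE rowid = ...`, a SQL error rather than a silent wrong-table write, but it would be cleaner to fail closed with `if (empty($tabname[$id])) accessforbidden();` before the first query. The same shape appears in the categories_list.php and journals_list.php hunks of this commit, and the `$rowidcol` selection line is repeated in each of them, so one guard per file at the top of the action dispatch would cover all of them.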
@@ -359,9 +359,9 @@ if ($action == 'activate_favorite') if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$code."'"; + $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$db->escape($code)."'"; } $result = $db->query($sql); @@ -377,9 +377,9 @@ if ($action == 'disable_favorite') if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$code."'"; + $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$db->escape($code)."'"; } $result = $db->query($sql); diff --git a/htdocs/accountancy/admin/categories_list.php b/htdocs/accountancy/admin/categories_list.php index ddd4240a073..9469a1e64f1 100644 --- a/htdocs/accountancy/admin/categories_list.php +++ b/htdocs/accountancy/admin/categories_list.php @@ -271,7 +271,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) else $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'"; $i++; } - $sql .= " WHERE ".$rowidcol." = '".$rowid."'"; + $sql .= " WHERE ".$rowidcol." = ".((int) $rowid); dol_syslog("actionmodify", LOG_DEBUG); //print $sql; 
@@ -293,7 +293,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete { if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } - $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = '".$db->escape($rowid)."'"; + $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = ".((int) $rowid); dol_syslog("delete", LOG_DEBUG); $result = $db->query($sql); @@ -314,7 +314,7 @@ if ($action == $acts[0]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = '".$db->escape($rowid)."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code = '".$db->escape($code)."'"; } @@ -332,7 +332,7 @@ if ($action == $acts[1]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = '".$db->escape($rowid)."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code = '".$db->escape($code)."'"; } @@ -350,7 +350,7 @@ if ($action == 'activate_favorite') if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = '".$db->escape($rowid)."'"; + $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code = '".$db->escape($code)."'"; } 
@@ -368,7 +368,7 @@ if ($action == 'disable_favorite') if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = '".$db->escape($rowid)."'"; + $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code = '".$db->escape($code)."'"; } diff --git a/htdocs/accountancy/admin/closure.php b/htdocs/accountancy/admin/closure.php index 63b2131f309..a425fd45768 100644 --- a/htdocs/accountancy/admin/closure.php +++ b/htdocs/accountancy/admin/closure.php @@ -92,7 +92,7 @@ print ''.$langs->trans("DefaultClosureDesc").''; print '
'; -print ''; +print ''; print ''; // Define main accounts for closure diff --git a/htdocs/accountancy/admin/fiscalyear.php b/htdocs/accountancy/admin/fiscalyear.php index 89aad6e2d0d..1ddcddf13e6 100644 --- a/htdocs/accountancy/admin/fiscalyear.php +++ b/htdocs/accountancy/admin/fiscalyear.php @@ -29,8 +29,8 @@ $action = GETPOST('action', 'aZ09'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/accountancy/admin/journals_list.php b/htdocs/accountancy/admin/journals_list.php index 74247c5fccd..a09a38c959c 100644 --- a/htdocs/accountancy/admin/journals_list.php +++ b/htdocs/accountancy/admin/journals_list.php @@ -274,7 +274,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) else $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'"; $i++; } - $sql .= " WHERE ".$rowidcol." = '".$rowid."'"; + $sql .= " WHERE ".$rowidcol." = ".((int) $rowid); $sql .= " AND entity = ".$conf->entity; dol_syslog("actionmodify", LOG_DEBUG); @@ -297,7 +297,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete { if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } - $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol."='".$rowid."'"; + $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = ".((int) $rowid); $sql .= " AND entity = ".$conf->entity; dol_syslog("delete", LOG_DEBUG); 
@@ -319,9 +319,9 @@ if ($action == $acts[0]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$db->escape($code)."'"; } $sql .= " AND entity = ".$conf->entity; @@ -338,9 +338,9 @@ if ($action == $acts[1]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = ".((int) $rowid); } elseif ($code) { - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$db->escape($code)."'"; } $sql .= " AND entity = ".$conf->entity; diff --git a/htdocs/accountancy/admin/productaccount.php b/htdocs/accountancy/admin/productaccount.php index b6465b95355..79bfef57d3a 100644 --- a/htdocs/accountancy/admin/productaccount.php +++ b/htdocs/accountancy/admin/productaccount.php @@ -176,7 +176,7 @@ if ($action == 'update') { if ($accounting_product_mode == 'ACCOUNTANCY_SELL_EXPORT') { $sql .= " SET accountancy_code_sell_export = ".$accounting->account_number; } - $sql .= " WHERE rowid = ".$productid; + $sql .= " WHERE rowid = ".((int) $productid); dol_syslog("/accountancy/admin/productaccount.php sql=".$sql, LOG_DEBUG); if ($db->query($sql)) 
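Review bot: In the productaccount.php hunk at -176, the new `" WHERE rowid = ".((int) $productid)` fixes the row id, but the `SET accountancy_code_sell_export = ".$accounting->account_number` line just above it still concatenates the account number unquoted and unescaped; the -251 hunk of the same file joins `aa.account_number` against `p.accountancy_code_*` columns, which suggests these are string values, so an account number such as `706A` (or an empty one) produces a broken statement. Use `"'".$db->escape($accounting->account_number)."'"` there, and presumably in the sibling `SET accountancy_code_*` branches that sit above the hunk. The enclosing `if ($action == 'update')` block starts outside the hunk.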
@@ -251,21 +251,21 @@ $sql .= " aa.rowid as aaid"; $sql .= " FROM ".MAIN_DB_PREFIX."product as p"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON"; if ($accounting_product_mode == 'ACCOUNTANCY_BUY') { - $sql .= " p.accountancy_code_buy = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'"; + $sql .= " p.accountancy_code_buy = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'"; } elseif ($accounting_product_mode == 'ACCOUNTANCY_BUY_INTRA') { - $sql .= " p.accountancy_code_buy_intra = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'"; + $sql .= " p.accountancy_code_buy_intra = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'"; } elseif ($accounting_product_mode == 'ACCOUNTANCY_BUY_EXPORT') { - $sql .= " p.accountancy_code_buy_export = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'"; + $sql .= " p.accountancy_code_buy_export = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'"; } elseif ($accounting_product_mode == 'ACCOUNTANCY_SELL') { - $sql .= " p.accountancy_code_sell = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'"; + $sql .= " p.accountancy_code_sell = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'"; } elseif ($accounting_product_mode == 'ACCOUNTANCY_SELL_INTRA') { - $sql .= " p.accountancy_code_sell_intra = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'"; + $sql .= " p.accountancy_code_sell_intra = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'"; } else { - $sql .= " p.accountancy_code_sell_export = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'"; + $sql .= " p.accountancy_code_sell_export = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'"; } $sql .= ' WHERE p.entity IN ('.getEntity('product').')'; if ($accounting_product_mode == 'ACCOUNTANCY_BUY') { 
diff --git a/htdocs/accountancy/bookkeeping/balance.php b/htdocs/accountancy/bookkeeping/balance.php index a5000dda461..3608622916d 100644 --- a/htdocs/accountancy/bookkeeping/balance.php +++ b/htdocs/accountancy/bookkeeping/balance.php @@ -46,8 +46,8 @@ $action = GETPOST('action', 'aZ09'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action $offset = $limit * $page; diff --git a/htdocs/accountancy/bookkeeping/list.php b/htdocs/accountancy/bookkeeping/list.php index 9a623287fc2..5ae9c3d4742 100644 --- a/htdocs/accountancy/bookkeeping/list.php +++ b/htdocs/accountancy/bookkeeping/list.php @@ -91,8 +91,8 @@ $search_not_reconciled = GETPOST('search_reconciled_option', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) { $page = 0; } $offset = $limit * $page; 
@@ -640,7 +640,9 @@ $newcardbutton .= dolGetButtonTitle($buttonLabel, $langs->trans("ExportFilteredL $newcardbutton .= dolGetButtonTitle($langs->trans('GroupByAccountAccounting'), '', 'fa fa-stream paddingleft', DOL_URL_ROOT.'/accountancy/bookkeeping/listbyaccount.php?'.$param); -$newcardbutton .= dolGetButtonTitle($langs->trans('NewAccountingMvt'), '', 'fa fa-plus-circle paddingleft', './card.php?action=create', '', $user->rights->accounting->mouvements->creer); +$url = './card.php?action=create'; +if (!empty($socid)) $url .= '&socid='.$socid; +$newcardbutton .= dolGetButtonTitle($langs->trans('NewAccountingMvt'), '', 'fa fa-plus-circle paddingleft', $url, '', $user->rights->accounting->mouvements->creer); print_barre_liste($title_page, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, '', $num, $nbtotalofrecords, 'title_accountancy', 0, $newcardbutton, '', $limit); diff --git a/htdocs/accountancy/bookkeeping/listbyaccount.php b/htdocs/accountancy/bookkeeping/listbyaccount.php index e5a18626b42..e0e16e00d12 100644 --- a/htdocs/accountancy/bookkeeping/listbyaccount.php +++ b/htdocs/accountancy/bookkeeping/listbyaccount.php @@ -39,7 +39,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php'; // Load translation files required by the page $langs->loadLangs(array("accountancy")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $search_date_start = dol_mktime(0, 0, 0, GETPOST('search_date_startmonth', 'int'), GETPOST('search_date_startday', 'int'), GETPOST('search_date_startyear', 'int')); $search_date_end = dol_mktime(0, 0, 0, GETPOST('search_date_endmonth', 'int'), GETPOST('search_date_endday', 'int'), GETPOST('search_date_endyear', 'int')); $search_doc_date = dol_mktime(0, 0, 0, GETPOST('doc_datemonth', 'int'), GETPOST('doc_dateday', 'int'), GETPOST('doc_dateyear', 'int')); 
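Review bot: `$url .= '&socid='.$socid;` appends `$socid` to a link without the cast or `urlencode()` that the rest of this commit applies to comparable parameters (for example `urlencode($limit)` in account.php and the `((int) $rowid)` changes); `$url .= '&socid='.((int) $socid);` keeps the new line consistent with those. Where `$socid` is assigned is outside the hunk, so whether it is already an int cannot be seen here.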
@@ -68,8 +68,8 @@ if (GETPOST("button_delmvt_x") || GETPOST("button_delmvt.x") || GETPOST("button_
 
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION);
-$sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page < 0) { $page = 0; }
 $offset = $limit * $page;
diff --git a/htdocs/accountancy/bookkeeping/thirdparty_lettering_customer.php b/htdocs/accountancy/bookkeeping/thirdparty_lettering_customer.php
index 0b3d98a2742..321ef282dff 100644
--- a/htdocs/accountancy/bookkeeping/thirdparty_lettering_customer.php
+++ b/htdocs/accountancy/bookkeeping/thirdparty_lettering_customer.php
@@ -147,7 +147,7 @@ $sql = "SELECT bk.rowid, bk.doc_date, bk.doc_type, bk.doc_ref, ";
 $sql .= " bk.subledger_account, bk.numero_compte , bk.label_compte, bk.debit, ";
 $sql .= " bk.credit, bk.montant , bk.sens , bk.code_journal , bk.piece_num, bk.lettering_code ";
 $sql .= " FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as bk";
-$sql .= " WHERE (bk.subledger_account = '".$object->code_compta."' AND bk.numero_compte = '".$conf->global->ACCOUNTING_ACCOUNT_CUSTOMER."' )";
+$sql .= " WHERE (bk.subledger_account = '".$db->escape($object->code_compta)."' AND bk.numero_compte = '".$db->escape($conf->global->ACCOUNTING_ACCOUNT_CUSTOMER)."' )";
 /*
 if (dol_strlen($search_date_start) || dol_strlen($search_date_end))
 {
diff --git a/htdocs/accountancy/bookkeeping/thirdparty_lettering_supplier.php b/htdocs/accountancy/bookkeeping/thirdparty_lettering_supplier.php
index c6ab2fa81d6..144c2595d25 100644
--- a/htdocs/accountancy/bookkeeping/thirdparty_lettering_supplier.php
+++ b/htdocs/accountancy/bookkeeping/thirdparty_lettering_supplier.php
@@ -146,7 +146,7 @@ $sql = "SELECT bk.rowid, bk.doc_date, bk.doc_type, bk.doc_ref, ";
 $sql .= " bk.subledger_account, bk.numero_compte , bk.label_compte, bk.debit, ";
 $sql .= " bk.credit, bk.montant , bk.sens , bk.code_journal , bk.piece_num, bk.lettering_code, bk.date_validated ";
 $sql .= " FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as bk";
-$sql .= " WHERE (bk.subledger_account = '".$object->code_compta_fournisseur."' AND bk.numero_compte = '".$conf->global->ACCOUNTING_ACCOUNT_SUPPLIER."' )";
+$sql .= " WHERE (bk.subledger_account = '".$db->escape($object->code_compta_fournisseur)."' AND bk.numero_compte = '".$db->escape($conf->global->ACCOUNTING_ACCOUNT_SUPPLIER)."' )";
 if (dol_strlen($search_date_start) || dol_strlen($search_date_end)) {
 $sql .= " AND (bk.doc_date BETWEEN '".$db->idate($search_date_start)."' AND '".$db->idate($search_date_end)."' )";
 }
diff --git a/htdocs/accountancy/class/accountancyexport.class.php b/htdocs/accountancy/class/accountancyexport.class.php
index 130c0e97659..0204602438f 100644
--- a/htdocs/accountancy/class/accountancyexport.class.php
+++ b/htdocs/accountancy/class/accountancyexport.class.php
@@ -1160,7 +1160,8 @@ class AccountancyExport
 // TYPE C
 if ($last_codeinvoice != $line->doc_ref) {
 //recherche societe en fonction de son code client
- $sql = "SELECT code_client, fk_forme_juridique, nom, address, zip, town, fk_pays, phone, siret FROM ".MAIN_DB_PREFIX."societe WHERE code_client = '".$line->thirdparty_code."'";
+ $sql = "SELECT code_client, fk_forme_juridique, nom, address, zip, town, fk_pays, phone, siret FROM ".MAIN_DB_PREFIX."societe";
+ $sql .= " WHERE code_client = '".$this->db->escape($line->thirdparty_code)."'";
 $resql = $this->db->query($sql);
 
 if ($resql && $this->db->num_rows($resql) > 0)
diff --git a/htdocs/accountancy/class/accountancysystem.class.php b/htdocs/accountancy/class/accountancysystem.class.php
index 719d33c8574..c2f3468016c 100644
--- a/htdocs/accountancy/class/accountancysystem.class.php
+++ b/htdocs/accountancy/class/accountancysystem.class.php
@@ -101,7 +101,7 @@ class AccountancySystem
 $sql .= " FROM ".MAIN_DB_PREFIX."accounting_system as a";
 $sql .= " WHERE";
 if ($rowid) {
- $sql .= " a.rowid = '".$rowid."'";
+ $sql .= " a.rowid = ".((int) $rowid);
 } elseif ($ref) {
 $sql .= " a.pcg_version = '".$this->db->escape($ref)."'";
 }
diff --git a/htdocs/accountancy/class/accountingjournal.class.php b/htdocs/accountancy/class/accountingjournal.class.php
index 6067f557cfb..882eee71769 100644
--- a/htdocs/accountancy/class/accountingjournal.class.php
+++ b/htdocs/accountancy/class/accountingjournal.class.php
@@ -108,7 +108,7 @@ class AccountingJournal extends CommonObject
 $sql .= " FROM ".MAIN_DB_PREFIX."accounting_journal";
 $sql .= " WHERE";
 if ($rowid) {
- $sql .= " rowid = ".(int) $rowid;
+ $sql .= " rowid = ".((int) $rowid);
 } elseif ($journal_code) {
 $sql .= " code = '".$this->db->escape($journal_code)."'";
 
diff --git a/htdocs/accountancy/class/bookkeeping.class.php b/htdocs/accountancy/class/bookkeeping.class.php
index 1c377e70192..1e1e42a6047 100644
--- a/htdocs/accountancy/class/bookkeeping.class.php
+++ b/htdocs/accountancy/class/bookkeeping.class.php
@@ -1755,14 +1755,14 @@ class BookKeeping extends CommonObject
 $sql .= ' doc_ref, fk_doc, fk_docdet, entity, thirdparty_code, subledger_account, subledger_label,';
 $sql .= ' numero_compte, label_compte, label_operation, debit, credit,';
 $sql .= ' montant, sens, fk_user_author, import_key, code_journal, journal_label, '.$next_piecenum.", '".$this->db->idate($now)."'";
- $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.$this->db->escape($piece_num);
+ $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.((int) $piece_num);
 $resql = $this->db->query($sql);
 if (!$resql) {
 $error++;
 $this->errors[] = 'Error '.$this->db->lasterror();
 dol_syslog(__METHOD__.' '.join(',', $this->errors), LOG_ERR);
 }
- $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.$this->db->escape($piece_num);
+ $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.((int) $piece_num);
 $resql = $this->db->query($sql);
 if (!$resql) {
 $error++;
@@ -1770,7 +1770,7 @@ class BookKeeping extends CommonObject
 dol_syslog(__METHOD__.' '.join(',', $this->errors), LOG_ERR);
 }
 } elseif ($direction == 1) {
- $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.$piece_num;
+ $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.((int) $piece_num);
 $resql = $this->db->query($sql);
 if (!$resql) {
 $error++;
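Review bot: In the bookkeeping.class.php hunk at line 1755 the `DELETE FROM ..._tmp` that follows the `INSERT ... SELECT` is issued even when the INSERT failed: the failure only increments `$error` and logs, and the DELETE query runs unconditionally on the next lines, so the temporary lines would be removed without having been copied unless the enclosing method rolls back on `$error` (its begin/commit are outside this hunk and can't be confirmed here). Guarding the second statement with `if (!$error) {` ... `}` keeps the tmp rows recoverable when the copy fails; the same INSERT-then-DELETE sequence appears in the hunk at line 1785 of this file. Replacing the unquoted `$this->db->escape($piece_num)` with `((int) $piece_num)` is the right fix, since escaping alone gives no protection for an unquoted numeric comparison.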
@@ -1785,14 +1785,14 @@ class BookKeeping extends CommonObject
 $sql .= ' doc_ref, fk_doc, fk_docdet, thirdparty_code, subledger_account, subledger_label,';
 $sql .= ' numero_compte, label_compte, label_operation, debit, credit,';
 $sql .= ' montant, sens, fk_user_author, import_key, code_journal, journal_label, piece_num';
- $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.' WHERE piece_num = '.$piece_num;
+ $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.' WHERE piece_num = '.((int) $piece_num);
 $resql = $this->db->query($sql);
 if (!$resql) {
 $error++;
 $this->errors[] = 'Error '.$this->db->lasterror();
 dol_syslog(__METHOD__.' '.join(',', $this->errors), LOG_ERR);
 }
- $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.$piece_num;
+ $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.((int) $piece_num);
 $resql = $this->db->query($sql);
 if (!$resql) {
 $error++;
@@ -1910,7 +1910,7 @@ class BookKeeping extends CommonObject
 $sql .= " AND asy.rowid = ".$pcgver;
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as parent ON aa.account_parent = parent.rowid";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as root ON parent.account_parent = root.rowid";
- $sql .= " WHERE aa.account_number = '".$account."'";
+ $sql .= " WHERE aa.account_number = '".$this->db->escape($account)."'";
 $sql .= " AND parent.active = 1";
 $sql .= " AND root.active = 1";
 $sql .= " AND aa.entity IN (".getEntity('accountancy').")";
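Review bot: `$sql .= " AND asy.rowid = ".$pcgver;` on the first context line of the hunk at line 1910 still interpolates `$pcgver` raw, while the sibling hunk at line 1948 changes the identical expression to `((int) $pcgver)`; since the commit is already touching this statement to escape `$account`, the cast should be applied here too for consistency, `$sql .= " AND asy.rowid = ".((int) $pcgver);`. Where `$pcgver` is assigned is outside the hunk, so whether it is already an integer can't be confirmed from here, which is exactly why the cast at the point of use is worth having.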
@@ -1948,8 +1948,8 @@ class BookKeeping extends CommonObject
 $sql = "SELECT aa.account_number, aa.label, aa.rowid, aa.fk_pcg_version, cat.label as category";
 $sql .= " FROM ".MAIN_DB_PREFIX."accounting_account as aa ";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_system as asy ON aa.fk_pcg_version = asy.pcg_version";
- $sql .= " AND aa.account_number = '".$account."'";
- $sql .= " AND asy.rowid = ".$pcgver;
+ $sql .= " AND aa.account_number = '".$this->db->escape($account)."'";
+ $sql .= " AND asy.rowid = ".((int) $pcgver);
 $sql .= " AND aa.active = 1";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_accounting_category as cat ON aa.fk_accounting_category = cat.rowid";
 $sql .= " WHERE aa.entity IN (".getEntity('accountancy').")";
diff --git a/htdocs/accountancy/class/lettering.class.php b/htdocs/accountancy/class/lettering.class.php
index d663e0ec9c4..cfe9bf635ae 100644
--- a/htdocs/accountancy/class/lettering.class.php
+++ b/htdocs/accountancy/class/lettering.class.php
@@ -68,11 +68,11 @@ class Lettering extends BookKeeping
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."bank_url as bu ON(bk.fk_doc = bu.fk_bank AND bu.type IN ('payment', 'payment_supplier') ) ";
 $sql .= " WHERE ( ";
 if ($object->code_compta != "")
- $sql .= " bk.subledger_account = '".$object->code_compta."' ";
+ $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' ";
 if ($object->code_compta != "" && $object->code_compta_fournisseur != "")
 $sql .= " OR ";
 if ($object->code_compta_fournisseur != "")
- $sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' ";
+ $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' ";
 $sql .= " ) AND (bk.date_lettering ='' OR bk.date_lettering IS NULL) ";
 $sql .= " AND (bk.lettering_code != '' OR bk.lettering_code IS NULL) ";
 
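Review bot: The brace-less single-line `if` statements in the lettering.class.php hunk at line 68 (`if ($object->code_compta != "")` with the `$sql .=` on the following line) differ from the braced form used by the later hunks of the same file at lines 95, 129, 154 and 188; since the commit rewrites these lines anyway, wrapping them in braces would make the five copies uniform and harder to misread. Also visible in this hunk: when both `code_compta` and `code_compta_fournisseur` are empty the statement degenerates to `WHERE ( ) AND ...`, a SQL syntax error rather than an empty result, so an early return or a `1=0` placeholder inside the parentheses would make the empty case explicit. Both points are pre-existing behaviour; the escaping itself is correct.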
@@ -95,19 +95,19 @@ class Lettering extends BookKeeping
 $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn facf ";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."paiementfourn_facturefourn as payfacf ON payfacf.fk_facturefourn=facf.rowid";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."paiementfourn as payf ON payfacf.fk_paiementfourn=payf.rowid";
- $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON (bk.fk_doc = payf.fk_bank AND bk.code_journal='".$obj->code_journal."')";
- $sql .= " WHERE payfacf.fk_paiementfourn = '".$obj->url_id."' ";
+ $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON (bk.fk_doc = payf.fk_bank AND bk.code_journal='".$this->db->escape($obj->code_journal)."')";
+ $sql .= " WHERE payfacf.fk_paiementfourn = '".$this->db->escape($obj->url_id)."' ";
 $sql .= " AND facf.entity = ".$conf->entity;
 $sql .= " AND code_journal IN (SELECT code FROM ".MAIN_DB_PREFIX."accounting_journal WHERE nature=4 AND entity=".$conf->entity.") ";
 $sql .= " AND ( ";
 if ($object->code_compta != "") {
- $sql .= " bk.subledger_account = '".$object->code_compta."' ";
+ $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' ";
 }
 if ($object->code_compta != "" && $object->code_compta_fournisseur != "") {
 $sql .= " OR ";
 }
 if ($object->code_compta_fournisseur != "") {
- $sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' ";
+ $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' ";
 }
 $sql .= " ) ";
 
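Review bot: `payfacf.fk_paiementfourn = '".$this->db->escape($obj->url_id)."'` in the hunk at line 95 treats a foreign-key column as a quoted string; elsewhere in this commit numeric keys are cast (`((int) $rowid)`, `((int) $piece_num)`), so `$sql .= " WHERE payfacf.fk_paiementfourn = ".((int) $obj->url_id);` would be the consistent form and removes any reliance on the database comparing a string literal to an integer column. The same applies to `payfac.fk_paiement = '".$this->db->escape($obj->url_id)."'` in the hunk at line 154 of this file. `$conf->entity` is concatenated raw on the next context line; it comes from configuration rather than the request, so that is acceptable, though the same `((int) ...)` cast would cost nothing there.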
@@ -129,13 +129,13 @@ class Lettering extends BookKeeping
 $sql .= " AND facf.entity = ".$conf->entity;
 $sql .= " AND ( ";
 if ($object->code_compta != "") {
- $sql .= " bk.subledger_account = '".$object->code_compta."' ";
+ $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' ";
 }
 if ($object->code_compta != "" && $object->code_compta_fournisseur != "") {
 $sql .= " OR ";
 }
 if ($object->code_compta_fournisseur != "") {
- $sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' ";
+ $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' ";
 }
 $sql .= ") ";
 
@@ -154,19 +154,19 @@ class Lettering extends BookKeeping
 $sql .= " FROM ".MAIN_DB_PREFIX."facture fac ";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."paiement_facture as payfac ON payfac.fk_facture=fac.rowid";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."paiement as pay ON payfac.fk_paiement=pay.rowid";
- $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON (bk.fk_doc = pay.fk_bank AND bk.code_journal='".$obj->code_journal."')";
- $sql .= " WHERE payfac.fk_paiement = '".$obj->url_id."' ";
+ $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON (bk.fk_doc = pay.fk_bank AND bk.code_journal='".$this->db->escape($obj->code_journal)."')";
+ $sql .= " WHERE payfac.fk_paiement = '".$this->db->escape($obj->url_id)."' ";
 $sql .= " AND bk.code_journal IN (SELECT code FROM ".MAIN_DB_PREFIX."accounting_journal WHERE nature=4 AND entity=".$conf->entity.") ";
 $sql .= " AND fac.entity IN (".getEntity('invoice', 0).")"; // We don't share object for accountancy
 $sql .= " AND ( ";
 if ($object->code_compta != "") {
- $sql .= " bk.subledger_account = '".$object->code_compta."' ";
+ $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' ";
 }
 if ($object->code_compta != "" && $object->code_compta_fournisseur != "") {
 $sql .= " OR ";
 }
 if ($object->code_compta_fournisseur != "") {
- $sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' ";
+ $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' ";
 }
 $sql .= " )";
 
@@ -188,13 +188,13 @@ class Lettering extends BookKeeping
 $sql .= " AND fac.entity IN (".getEntity('invoice', 0).")"; // We don't share object for accountancy
 $sql .= " AND ( ";
 if ($object->code_compta != "") {
- $sql .= " bk.subledger_account = '".$object->code_compta."' ";
+ $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' ";
 }
 if ($object->code_compta != "" && $object->code_compta_fournisseur != "") {
 $sql .= " OR ";
 }
 if ($object->code_compta_fournisseur != "") {
- $sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' ";
+ $sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' ";
 }
 $sql .= " ) ";
 
@@ -238,7 +238,7 @@ class Lettering extends BookKeeping $lettre = 'AAA'; $sql = "SELECT DISTINCT lettering_code FROM ".MAIN_DB_PREFIX."accounting_bookkeeping WHERE "; - $sql .= " lettering_code != '' ORDER BY lettering_code DESC limit 1; "; + $sql .= " lettering_code != '' ORDER BY lettering_code DESC limit 1"; $result = $this->db->query($sql); if ($result) {
@@ -252,7 +252,7 @@ class Lettering extends BookKeeping
 }
 
 $sql = "SELECT SUM(ABS(debit)) as deb, SUM(ABS(credit)) as cred FROM ".MAIN_DB_PREFIX."accounting_bookkeeping WHERE ";
- $sql .= " rowid IN (".implode(',', $ids).") AND date_validated IS NULL ";
+ $sql .= " rowid IN (".implode(',', $ids).") AND date_validated IS NULL";
 $result = $this->db->query($sql);
 if ($result) {
 $obj = $this->db->fetch_object($result);
@@ -272,7 +272,7 @@ class Lettering extends BookKeeping
 
 if (!$error) {
 $sql = "UPDATE ".MAIN_DB_PREFIX."accounting_bookkeeping SET";
- $sql .= " lettering_code='".$lettre."'";
+ $sql .= " lettering_code='".$this->db->escape($lettre)."'";
 $sql .= " , date_lettering = '".$this->db->idate($now)."'"; // todo correct date it's false
 $sql .= " WHERE rowid IN (".implode(',', $ids).") AND date_validated IS NULL ";
 $this->db->begin();
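Review bot: `implode(',', $ids)` in the `rowid IN (...)` clauses of the hunks at lines 252 and 272 of lettering.class.php is the one SQL fragment in this method that still interpolates values with neither escaping nor a cast; `$ids` is built outside these hunks, so its provenance can't be confirmed here, but casting each element once before use, e.g. `$idlist = implode(',', array_map('intval', $ids));`, would close the same gap the rest of this commit closes for the scalar values. Dropping the trailing `; ` from the `ORDER BY lettering_code DESC limit 1` statement in the hunk at line 238 is a good fix, since a stray statement terminator inside a query string is a portability hazard. Escaping `$lettre` at line 272 is harmless; it appears to be derived locally from the preceding query, so the real exposure in this block was the `$ids` list.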
diff --git a/htdocs/accountancy/customer/card.php b/htdocs/accountancy/customer/card.php
index 34a23b377b9..ed8f347a177 100644
--- a/htdocs/accountancy/customer/card.php
+++ b/htdocs/accountancy/customer/card.php
@@ -30,7 +30,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formaccounting.class.php';
 // Load translation files required by the page
 $langs->loadLangs(array("bills", "accountancy"));
 
-$action = GETPOST('action', '-alpha');
+$action = GETPOST('action', 'aZ09');
 $cancel = GETPOST('cancel', 'alpha');
 $backtopage = GETPOST('backtopage', 'alpha');
 
diff --git a/htdocs/accountancy/customer/index.php b/htdocs/accountancy/customer/index.php
index 69135e75c4d..1a5098bda38 100644
--- a/htdocs/accountancy/customer/index.php
+++ b/htdocs/accountancy/customer/index.php
@@ -131,9 +131,9 @@ if ($action == 'validatehistory') {
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = s.fk_pays ";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."facturedet as l ON f.rowid = l.fk_facture";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product";
- $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_sell = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity;
- $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_sell_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$chartaccountcode."' AND aa2.entity = ".$conf->entity;
- $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$chartaccountcode."' AND aa3.entity = ".$conf->entity;
+ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_sell = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity;
+ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_sell_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity;
+ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity;
 $sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0";
 $sql .= " AND l.product_type <= 2";
 
@@ -402,7 +402,7 @@ if ($conf->global->MAIN_FEATURES_LEVEL > 0) // This part of code looks strange. } print ''.$langs->trans("Total").''; - $sql = "SELECT '".$langs->trans("TotalVente")."' AS total,"; + $sql = "SELECT '".$db->escape($langs->trans("TotalVente"))."' AS total,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1; if ($j > 12) $j -= 12;
@@ -459,7 +459,7 @@ if ($conf->global->MAIN_FEATURES_LEVEL > 0) // This part of code looks strange. } print ''.$langs->trans("Total").''; - $sql = "SELECT '".$langs->trans("Vide")."' AS marge,"; + $sql = "SELECT '".$db->escape($langs->trans("Vide"))."' AS marge,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1; if ($j > 12) $j -= 12;
diff --git a/htdocs/accountancy/customer/lines.php b/htdocs/accountancy/customer/lines.php
index 6b326ec872f..5d35040f6ab 100644
--- a/htdocs/accountancy/customer/lines.php
+++ b/htdocs/accountancy/customer/lines.php
@@ -61,8 +61,8 @@ $search_tvaintra = GETPOST('search_tvaintra', 'alpha');
 
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION);
-$sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page < 0) $page = 0;
 $offset = $limit * $page;
diff --git a/htdocs/accountancy/customer/list.php b/htdocs/accountancy/customer/list.php
index 96750389cc0..3c28cdaab84 100644
--- a/htdocs/accountancy/customer/list.php
+++ b/htdocs/accountancy/customer/list.php
@@ -40,7 +40,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/company.lib.php';
 // Load translation files required by the page
 $langs->loadLangs(array("bills", "companies", "compta", "accountancy", "other", "productbatch"));
 
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $massaction = GETPOST('massaction', 'alpha');
 $show_files = GETPOST('show_files', 'int');
 $confirm = GETPOST('confirm', 'alpha');
@@ -69,8 +69,8 @@ $btn_ventil = GETPOST('ventil', 'alpha');
 
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION);
-$sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page < 0) { $page = 0; }
 $offset = $limit * $page;
@@ -161,8 +161,8 @@ if ($massaction == 'ventil') { $ko++; } else { $sql = " UPDATE ".MAIN_DB_PREFIX."facturedet"; - $sql .= " SET fk_code_ventilation = ".$monCompte; - $sql .= " WHERE rowid = ".$monId; + $sql .= " SET fk_code_ventilation = ".((int) $monCompte); + $sql .= " WHERE rowid = ".((int) $monId); $accountventilated = new AccountingAccount($db); $accountventilated->fetch($monCompte, '');
@@ -222,9 +222,9 @@ $sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = s.fk_pays ";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."facturedet as l ON f.rowid = l.fk_facture";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product";
-$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_sell = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity;
-$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_sell_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$chartaccountcode."' AND aa2.entity = ".$conf->entity;
-$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$chartaccountcode."' AND aa3.entity = ".$conf->entity;
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_sell = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity;
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_sell_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity;
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity;
 $sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0";
 $sql .= " AND l.product_type <= 2";
 // Define begin binding date
diff --git a/htdocs/accountancy/expensereport/card.php b/htdocs/accountancy/expensereport/card.php
index b21882b9461..ab02592f6b8 100644
--- a/htdocs/accountancy/expensereport/card.php
+++ b/htdocs/accountancy/expensereport/card.php
@@ -34,7 +34,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formaccounting.class.php';
 // Load translation files required by the page
 $langs->loadLangs(array("bills", "accountancy", "trips"));
 
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $cancel = GETPOST('cancel', 'alpha');
 $backtopage = GETPOST('backtopage', 'alpha');
 
diff --git a/htdocs/accountancy/expensereport/index.php b/htdocs/accountancy/expensereport/index.php
index 63305791ec7..6edb8d86a07 100644
--- a/htdocs/accountancy/expensereport/index.php
+++ b/htdocs/accountancy/expensereport/index.php
@@ -161,7 +161,7 @@ for ($i = 1; $i <= 12; $i++) { } print ''.$langs->trans("Total").''; -$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; +$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; $sql .= " ".$db->ifsql('aa.label IS NULL', "'tobind'", 'aa.label')." AS intitule,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1;
@@ -234,7 +234,7 @@ for ($i = 1; $i <= 12; $i++) { } print ''.$langs->trans("Total").''; -$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; +$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; $sql .= " ".$db->ifsql('aa.label IS NULL', "'tobind'", 'aa.label')." AS intitule,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1;
@@ -309,7 +309,7 @@ if ($conf->global->MAIN_FEATURES_LEVEL > 0) // This part of code looks strange. } print ''.$langs->trans("Total").''; - $sql = "SELECT '".$langs->trans("TotalExpenseReport")."' AS label,"; + $sql = "SELECT '".$db->escape($langs->trans("TotalExpenseReport"))."' AS label,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1; if ($j > 12) $j -= 12;
diff --git a/htdocs/accountancy/expensereport/lines.php b/htdocs/accountancy/expensereport/lines.php
index 4fdc29b2c0f..f99f1148044 100644
--- a/htdocs/accountancy/expensereport/lines.php
+++ b/htdocs/accountancy/expensereport/lines.php
@@ -55,8 +55,8 @@ $search_year = GETPOST("search_year", "int");
 
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION);
-$sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page < 0) $page = 0;
 $pageprev = $page - 1;
diff --git a/htdocs/accountancy/expensereport/list.php b/htdocs/accountancy/expensereport/list.php
index 76d13b99805..265e9488055 100644
--- a/htdocs/accountancy/expensereport/list.php
+++ b/htdocs/accountancy/expensereport/list.php
@@ -38,7 +38,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';
 // Load translation files required by the page
 $langs->loadLangs(array("bills", "companies", "compta", "accountancy", "other", "trips", "productbatch", "hrm"));
 
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $massaction = GETPOST('massaction', 'alpha');
 $show_files = GETPOST('show_files', 'int');
 $confirm = GETPOST('confirm', 'alpha');
@@ -65,8 +65,8 @@ $search_year = GETPOST("search_year", "int");
 
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION);
-$sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page < 0) { $page = 0; }
 $offset = $limit * $page;
@@ -196,7 +196,7 @@ $sql .= " FROM ".MAIN_DB_PREFIX."expensereport as er";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."expensereport_det as erd ON er.rowid = erd.fk_expensereport";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_type_fees as f ON f.id = erd.fk_c_type_fees";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."user as u ON u.rowid = er.fk_user_author";
-$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON f.accountancy_code = aa.account_number AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity;
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON f.accountancy_code = aa.account_number AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity;
 $sql .= " WHERE er.fk_statut IN (".ExpenseReport::STATUS_APPROVED.", ".ExpenseReport::STATUS_CLOSED.") AND erd.fk_code_ventilation <= 0";
 // Define begin binding date
 if (!empty($conf->global->ACCOUNTING_DATE_START_BINDING)) {
diff --git a/htdocs/accountancy/index.php b/htdocs/accountancy/index.php
index 4f6c66ff7d5..80ed833b828 100644
--- a/htdocs/accountancy/index.php
+++ b/htdocs/accountancy/index.php
@@ -38,6 +38,7 @@ if ($user->socid > 0) // Initialize technical object to manage hooks. Note that conf->hooks_modules contains array of hooks $hookmanager->initHooks(array('accountancyindex')); + /* * Actions */
@@ -54,6 +55,7 @@ if (GETPOST('addbox')) // Add box (when submit is done from a form when ajax dis if ($result > 0) setEventMessages($langs->trans("BoxAdded"), null); } + /* * View */
diff --git a/htdocs/accountancy/supplier/card.php b/htdocs/accountancy/supplier/card.php
index 07f3117c266..4a4747cfaf4 100644
--- a/htdocs/accountancy/supplier/card.php
+++ b/htdocs/accountancy/supplier/card.php
@@ -34,7 +34,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formaccounting.class.php';
 // Load translation files required by the page
 $langs->loadLangs(array("bills", "accountancy"));
 
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $cancel = GETPOST('cancel', 'alpha');
 $backtopage = GETPOST('backtopage', 'alpha');
 
diff --git a/htdocs/accountancy/supplier/index.php b/htdocs/accountancy/supplier/index.php
index f1807c1c2cc..0dbe09fa468 100644
--- a/htdocs/accountancy/supplier/index.php
+++ b/htdocs/accountancy/supplier/index.php
@@ -128,9 +128,9 @@ if ($action == 'validatehistory') {
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = s.fk_pays ";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."facture_fourn_det as l ON f.rowid = l.fk_facture_fourn";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product";
- $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_buy = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity;
- $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_buy_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$chartaccountcode."' AND aa2.entity = ".$conf->entity;
- $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_buy_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$chartaccountcode."' AND aa3.entity = ".$conf->entity;
+ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_buy = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity;
+ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_buy_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity;
+ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_buy_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity;
 $sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0";
 $sql .= " AND l.product_type <= 2";
 
@@ -232,7 +232,7 @@ for ($i = 1; $i <= 12; $i++) { } print ''.$langs->trans("Total").''; -$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; +$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; $sql .= " ".$db->ifsql('aa.label IS NULL', "'tobind'", 'aa.label')." AS intitule,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1;
@@ -305,7 +305,7 @@ for ($i = 1; $i <= 12; $i++) { } print ''.$langs->trans("Total").''; -$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; +$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,"; $sql .= " ".$db->ifsql('aa.label IS NULL', "'tobind'", 'aa.label')." AS intitule,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1;
@@ -380,7 +380,7 @@ if ($conf->global->MAIN_FEATURES_LEVEL > 0) // This part of code looks strange. } print ''.$langs->trans("Total").''; - $sql = "SELECT '".$langs->trans("CAHTF")."' AS label,"; + $sql = "SELECT '".$db->escape($langs->trans("CAHTF"))."' AS label,"; for ($i = 1; $i <= 12; $i++) { $j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1; if ($j > 12) $j -= 12;
diff --git a/htdocs/accountancy/supplier/lines.php b/htdocs/accountancy/supplier/lines.php
index 6a5e234532c..903d2188a80 100644
--- a/htdocs/accountancy/supplier/lines.php
+++ b/htdocs/accountancy/supplier/lines.php
@@ -62,8 +62,8 @@ $search_tvaintra = GETPOST('search_tvaintra', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) $page = 0; $offset = $limit * $page; diff --git a/htdocs/accountancy/supplier/list.php b/htdocs/accountancy/supplier/list.php index 9e0b64160e1..9e1668e1a35 100644 --- a/htdocs/accountancy/supplier/list.php +++ b/htdocs/accountancy/supplier/list.php @@ -40,7 +40,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/company.lib.php'; // Load translation files required by the page $langs->loadLangs(array("bills", "companies", "compta", "accountancy", "other", "productbatch")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $show_files = GETPOST('show_files', 'int'); $confirm = GETPOST('confirm', 'alpha'); @@ -69,8 +69,8 @@ $btn_ventil = GETPOST('ventil', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : (empty($conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION) ? $conf->liste_limit : $conf->global->ACCOUNTING_LIMIT_LIST_VENTILATION); -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0) { $page = 0; } $offset = $limit * $page; 
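Review bot: `GETPOST('pageplusone')` on the line directly below the tightened `sortfield`/`sortorder` reads is still called with no check type, whereas its fallback `GETPOST("page", 'int')` on the same line has one; for consistency it should be `GETPOST('pageplusone', 'int')`. The `- 1` arithmetic and the `$page < 0` guard keep `$page` numeric before it reaches `$offset`, so the effect is an inconsistent filter rather than an injection path. The same unchecked read appears in the @@ -69 hunk of htdocs/accountancy/supplier/list.php and the @@ -40 hunk of htdocs/adherents/subscription.php.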
@@ -226,9 +226,9 @@ $sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = s.fk_pays ";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."facture_fourn_det as l ON f.rowid = l.fk_facture_fourn";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product";
-$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_buy = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity;
-$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_buy_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$chartaccountcode."' AND aa2.entity = ".$conf->entity;
-$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_buy_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$chartaccountcode."' AND aa3.entity = ".$conf->entity;
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_buy = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity;
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_buy_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity;
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_buy_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity;
 $sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0";
 $sql .= " AND l.product_type <= 2";
 // Define begin binding date
diff --git a/htdocs/adherents/admin/adherent.php b/htdocs/adherents/admin/adherent.php
index ca1d1cc2a33..f2c52daa4b0 100644
--- a/htdocs/adherents/admin/adherent.php
+++ b/htdocs/adherents/admin/adherent.php @@ -41,7 +41,7 @@ if (!$user->admin) accessforbidden(); $type = array('yesno', 'texte', 'chaine'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); /* diff --git a/htdocs/adherents/admin/adherent_emails.php b/htdocs/adherents/admin/adherent_emails.php index 1b26a029a01..a3550e4a35a 100644 --- a/htdocs/adherents/admin/adherent_emails.php +++ b/htdocs/adherents/admin/adherent_emails.php @@ -41,7 +41,7 @@ if (!$user->admin) accessforbidden(); $oldtypetonewone = array('texte'=>'text', 'chaine'=>'string'); // old type to new ones -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $error = 0; @@ -83,9 +83,9 @@ if ($action == 'update' || $action == 'add') { $constlineid = GETPOST('rowid', 'int'); $constname = GETPOST('constname', 'alpha'); - $constvalue = (GETPOSTISSET('constvalue_'.$constname) ? GETPOST('constvalue_'.$constname, 'alpha') : GETPOST('constvalue')); + $constvalue = (GETPOSTISSET('constvalue_'.$constname) ? GETPOST('constvalue_'.$constname, 'alphanohtml') : GETPOST('constvalue')); $consttype = (GETPOSTISSET('consttype_'.$constname) ? GETPOST('consttype_'.$constname, 'alphanohtml') : GETPOST('consttype')); - $constnote = (GETPOSTISSET('constnote_'.$constname) ? GETPOST('constnote_'.$constname, 'none') : GETPOST('constnote')); + $constnote = (GETPOSTISSET('constnote_'.$constname) ? GETPOST('constnote_'.$constname, 'restricthtml') : GETPOST('constnote')); $typetouse = empty($oldtypetonewone[$consttype]) ? $consttype : $oldtypetonewone[$consttype]; $constvalue = preg_replace('/:member$/', '', $constvalue); diff --git a/htdocs/adherents/admin/adherent_extrafields.php b/htdocs/adherents/admin/adherent_extrafields.php index d3d91ecba09..8ca29286cab 100644 --- a/htdocs/adherents/admin/adherent_extrafields.php +++ b/htdocs/adherents/admin/adherent_extrafields.php 
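Review bot: In the @@ -83 hunk of htdocs/adherents/admin/adherent_emails.php the fallback operands of the two rewritten ternaries still read `GETPOST('constvalue')` and `GETPOST('constnote')` with no check type, so the new `alphanohtml`/`restricthtml` filters only apply when the per-constant field name is posted; a request that sends the generic field name bypasses them. Use the same type on both branches: `... : GETPOST('constvalue', 'alphanohtml'));` and `... : GETPOST('constnote', 'restricthtml'));`. The `$consttype` line between them has the same asymmetry. The enclosing `if ($action == 'update' || $action == 'add')` block continues outside the hunk.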
@@ -39,7 +39,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'adherent'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/adherents/admin/adherent_type_extrafields.php b/htdocs/adherents/admin/adherent_type_extrafields.php index fe7989a70b9..5546a99a334 100644 --- a/htdocs/adherents/admin/adherent_type_extrafields.php +++ b/htdocs/adherents/admin/adherent_type_extrafields.php @@ -42,7 +42,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'adherent_type'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/adherents/admin/website.php b/htdocs/adherents/admin/website.php index 0dbb998f764..64f16f8ef57 100644 --- a/htdocs/adherents/admin/website.php +++ b/htdocs/adherents/admin/website.php @@ -33,7 +33,7 @@ require_once DOL_DOCUMENT_ROOT.'/adherents/class/adherent_type.class.php'; // Load translation files required by the page $langs->loadLangs(array("admin", "members")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); if (!$user->admin) accessforbidden(); diff --git a/htdocs/adherents/card.php b/htdocs/adherents/card.php index c3c14171386..0a32398f307 100644 --- a/htdocs/adherents/card.php +++ b/htdocs/adherents/card.php 
@@ -45,7 +45,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; // Load translation files required by the page $langs->loadLangs(array("companies", "bills", "members", "users", "other", "paypal")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $backtopage = GETPOST('backtopage', 'alpha'); $confirm = GETPOST('confirm', 'alpha'); @@ -82,7 +82,7 @@ if (!empty($canvas)) { } // Security check -$result = restrictedArea($user, 'adherent', $id, '', '', 'socid', 'rowid', $objcanvas); +$result = restrictedArea($user, 'adherent', $id, '', '', 'socid', 'rowid', 0); if ($id > 0) { // Load member @@ -152,7 +152,7 @@ if (empty($reshook)) { if (!$error) { if ($socid != $object->socid) { // If link differs from currently in database $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."adherent"; - $sql .= " WHERE socid = '".$socid."'"; + $sql .= " WHERE socid = ".((int) $socid); $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) { @@ -254,7 +254,7 @@ if (empty($reshook)) { $object->firstname = trim(GETPOST("firstname", 'alphanohtml')); $object->lastname = trim(GETPOST("lastname", 'alphanohtml')); $object->gender = trim(GETPOST("gender", 'alphanohtml')); - $object->login = trim(GETPOST("login", 'alpha')); + $object->login = trim(GETPOST("login", 'alphanohtml')); $object->pass = trim(GETPOST("pass", 'alpha')); $object->societe = trim(GETPOST("societe", 'alphanohtml')); // deprecated 
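Review bot: In the @@ -254 hunk `$object->pass = trim(GETPOST("pass", 'alpha'));` sits directly under the login line that was switched to `alphanohtml` and still uses the `alpha` check; if that check rewrites or strips characters instead of only validating, a password is silently altered at creation time and will not match at login. Which characters `alpha` passes through unchanged cannot be confirmed from the hunk, so this needs checking against GETPOST rather than assumed. The same `GETPOST("password", 'alpha')` read is in the @@ -404 hunk of this file. The enclosing `if (empty($reshook))` block starts and ends outside the hunk.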
@@ -404,10 +404,9 @@ if (empty($reshook)) { // $facebook=GETPOST("member_facebook", 'alpha'); // $linkedin=GETPOST("member_linkedin", 'alpha'); $email = preg_replace('/\s+/', '', GETPOST("member_email", 'alpha')); - $login = GETPOST("member_login", 'alpha'); + $login = GETPOST("member_login", 'alphanohtml'); $pass = GETPOST("password", 'alpha'); $photo = GETPOST("photo", 'alpha'); - //$comment=GETPOST("comment",'none'); $morphy = GETPOST("morphy", 'alphanohtml'); $public = GETPOST("public", 'alphanohtml'); @@ -836,7 +835,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { // Login if (empty($conf->global->ADHERENT_LOGIN_NOT_REQUIRED)) { - print ''.$langs->trans("Login").' / '.$langs->trans("Id").'login).'" autofocus="autofocus">'; + print ''.$langs->trans("Login").' / '.$langs->trans("Id").'login).'" autofocus="autofocus">'; } // Password @@ -884,7 +883,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { // Gender print ''.$langs->trans("Gender").''; print ''; - $arraygender = array('man'=>$langs->trans("Genderman"), 'woman'=>$langs->trans("Genderwoman")); + $arraygender = array('man'=>$langs->trans("Genderman"), 'woman'=>$langs->trans("Genderwoman"), 'other'=>$langs->trans("Genderother")); print $form->selectarray('gender', $arraygender, GETPOST('gender', 'alphanohtml'), 1, 0, 0, '', 0, 0, 0, '', '', 1); print ''; @@ -942,7 +941,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { } // Birth Date - print "".$langs->trans("DateToBirth")."\n"; + print "".$langs->trans("DateOfBirth")."\n"; print $form->selectDate(($object->birth ? $object->birth : -1), 'birth', '', '', 1, 'formsoc'); print "\n"; 
@@ -1063,7 +1062,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { // Login if (empty($conf->global->ADHERENT_LOGIN_NOT_REQUIRED)) { - print ''.$langs->trans("Login").' / '.$langs->trans("Id").'login).'">'; + print ''.$langs->trans("Login").' / '.$langs->trans("Id").'login).'">'; } // Password @@ -1107,7 +1106,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { // Gender print ''.$langs->trans("Gender").''; print ''; - $arraygender = array('man'=>$langs->trans("Genderman"), 'woman'=>$langs->trans("Genderwoman")); + $arraygender = array('man'=>$langs->trans("Genderman"), 'woman'=>$langs->trans("Genderwoman"), 'other'=>$langs->trans("Genderother")); print $form->selectarray('gender', $arraygender, GETPOSTISSET('gender') ? GETPOST('gender', 'alphanohtml') : $object->gender, 1, 0, 0, '', 0, 0, 0, '', '', 1); print ''; @@ -1175,7 +1174,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { } // Birth Date - print "".$langs->trans("DateToBirth")."\n"; + print "".$langs->trans("DateOfBirth")."\n"; print $form->selectDate(($object->birth ? $object->birth : -1), 'birth', '', '', 1, 'formsoc'); print "\n"; @@ -1455,7 +1454,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { // Login if (empty($conf->global->ADHERENT_LOGIN_NOT_REQUIRED)) { - print ''.$langs->trans("Login").' / '.$langs->trans("Id").''.$object->login.' '; + print ''.$langs->trans("Login").' / '.$langs->trans("Id").''.dol_escape_htmltag($object->login).''; } // Type @@ -1472,10 +1471,10 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { print ''; // Company - print ''.$langs->trans("Company").''.$object->company.''; + print ''.$langs->trans("Company").''.dol_escape_htmltag($object->company).''; // Civility - print ''.$langs->trans("UserTitle").''.$object->getCivilityLabel().' '; + print ''.$langs->trans("UserTitle").''.$object->getCivilityLabel().''; print ''; // Password 
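Review bot: On the rewritten Civility line of the @@ -1472 hunk `$object->getCivilityLabel()` is still printed raw, while the login and company values on the neighbouring lines now go through `dol_escape_htmltag()`; only the trailing space was removed. If the label is derived from stored or translated data rather than a fixed code (not visible here), wrap it the same way: `dol_escape_htmltag($object->getCivilityLabel())`. The enclosing `if (is_object($objcanvas) && ...)` block starts and ends outside the hunk.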
@@ -1570,7 +1569,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { print ''; // Birth Date - print ''; + print ''; // Public print ''; diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php index 8b643dcbe92..95ca2017b21 100644 --- a/htdocs/adherents/class/adherent.class.php +++ b/htdocs/adherents/class/adherent.class.php @@ -282,7 +282,7 @@ class Adherent extends CommonObject 'phone' => array('type' => 'varchar(30)', 'label' => 'Phone', 'enabled' => 1, 'visible' => -1, 'position' => 115), 'phone_perso' => array('type' => 'varchar(30)', 'label' => 'Phone perso', 'enabled' => 1, 'visible' => -1, 'position' => 120), 'phone_mobile' => array('type' => 'varchar(30)', 'label' => 'Phone mobile', 'enabled' => 1, 'visible' => -1, 'position' => 125), - 'birth' => array('type' => 'date', 'label' => 'DateToBirth', 'enabled' => 1, 'visible' => -1, 'position' => 130), + 'birth' => array('type' => 'date', 'label' => 'DateOfBirth', 'enabled' => 1, 'visible' => -1, 'position' => 130), 'photo' => array('type' => 'varchar(255)', 'label' => 'Photo', 'enabled' => 1, 'visible' => -1, 'position' => 135), 'public' => array('type' => 'smallint(6)', 'label' => 'Public', 'enabled' => 1, 'visible' => -1, 'notnull' => 1, 'position' => 145), 'datefin' => array('type' => 'datetime', 'label' => 'DateEnd', 'enabled' => 1, 'visible' => -1, 'position' => 150), @@ -1117,7 +1117,7 @@ class Adherent extends CommonObject // Remove link to third party onto any other members if ($thirdpartyid > 0) { $sql = "UPDATE ".MAIN_DB_PREFIX."adherent SET fk_soc = null"; - $sql .= " WHERE fk_soc = '".$thirdpartyid."'"; + $sql .= " WHERE fk_soc = ".((int) $thirdpartyid); $sql .= " AND entity = ".$conf->entity; dol_syslog(get_class($this)."::setThirdPartyId", LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/adherents/class/adherentstats.class.php b/htdocs/adherents/class/adherentstats.class.php index c953d929442..d86a9e21d8c 100644 
--- a/htdocs/adherents/class/adherentstats.class.php +++ b/htdocs/adherents/class/adherentstats.class.php @@ -92,7 +92,7 @@ class AdherentStats extends Stats $sql = "SELECT date_format(p.dateadh,'%m') as dm, count(*)"; $sql .= " FROM ".$this->from; //if (!$user->rights->societe->client->voir && !$user->socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE date_format(p.dateadh,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(p.dateadh,'%Y') = ".((int) $year); $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); @@ -133,7 +133,7 @@ class AdherentStats extends Stats $sql = "SELECT date_format(p.dateadh,'%m') as dm, sum(p.".$this->field.")"; $sql .= " FROM ".$this->from; //if (!$user->rights->societe->client->voir && !$user->socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE date_format(p.dateadh,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(p.dateadh,'%Y') = ".((int) $year); $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); @@ -154,7 +154,7 @@ class AdherentStats extends Stats $sql = "SELECT date_format(p.dateadh,'%m') as dm, avg(p.".$this->field.")"; $sql .= " FROM ".$this->from; //if (!$user->rights->societe->client->voir && !$this->socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE date_format(p.dateadh,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(p.dateadh,'%Y') = ".((int) $year); $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); diff --git a/htdocs/adherents/class/api_members.class.php b/htdocs/adherents/class/api_members.class.php index 990e21dd08b..230b839f726 100644 --- a/htdocs/adherents/class/api_members.class.php +++ b/htdocs/adherents/class/api_members.class.php 
@@ -227,7 +227,7 @@ class Members extends DolibarrApi } // Select members of given category if ($category > 0) { - $sql .= " AND c.fk_categorie = ".$db->escape($category); + $sql .= " AND c.fk_categorie = ".$this->db->escape($category); $sql .= " AND c.fk_member = t.rowid "; } // Add sql filters @@ -239,23 +239,23 @@ class Members extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { $page = 0; } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $member = new Adherent($this->db); if ($member->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($member); @@ -263,7 +263,7 @@ class Members extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve member list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve member list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No member found'); diff --git a/htdocs/adherents/class/api_memberstypes.class.php b/htdocs/adherents/class/api_memberstypes.class.php index a5923914187..682fb9d707c 100644 --- a/htdocs/adherents/class/api_memberstypes.class.php +++ b/htdocs/adherents/class/api_memberstypes.class.php 
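Review bot: `$this->db->escape($category)` in the @@ -227 hunk is concatenated into an unquoted comparison, `c.fk_categorie = ...`, and string escaping does not constrain an unquoted operand; the change only corrects the `$db` reference. The surrounding `if ($category > 0)` already treats the value as a number, so cast it: `$sql .= " AND c.fk_categorie = ".((int) $category);`. In the @@ -263 hunk `throw new RestException(503, 'Error when retrieve member list : '.$this->db->lasterror());` returns the raw database error text to the API client; record it with `dol_syslog()` and return a generic message instead. The same disclosure pattern is in the @@ -133 hunk of htdocs/adherents/class/api_memberstypes.class.php and the @@ -130 hunk of htdocs/adherents/class/api_subscriptions.class.php.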
@@ -109,23 +109,23 @@ class MembersTypes extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { $page = 0; } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $membertype = new AdherentType($this->db); if ($membertype->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($membertype); @@ -133,7 +133,7 @@ class MembersTypes extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve member type list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve member type list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No member type found'); diff --git a/htdocs/adherents/class/api_subscriptions.class.php b/htdocs/adherents/class/api_subscriptions.class.php index 502a855657c..d5adbb0bc5b 100644 --- a/htdocs/adherents/class/api_subscriptions.class.php +++ b/htdocs/adherents/class/api_subscriptions.class.php 
@@ -107,22 +107,22 @@ class Subscriptions extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { $page = 0; } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); while ($i < min($limit, $num)) { - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $subscription = new Subscription($this->db); if ($subscription->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($subscription); @@ -130,7 +130,7 @@ class Subscriptions extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve subscription list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve subscription list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No Subscription found'); diff --git a/htdocs/adherents/document.php b/htdocs/adherents/document.php index 141e19d0c96..32630b9e478 100644 --- a/htdocs/adherents/document.php +++ b/htdocs/adherents/document.php @@ -38,7 +38,7 @@ $langs->loadLangs(array("companies", "members", "other")); $id = GETPOST('id', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); // Security check diff --git a/htdocs/adherents/index.php b/htdocs/adherents/index.php index 89f95b3e3dc..c63bb9049ca 100644 --- a/htdocs/adherents/index.php +++ b/htdocs/adherents/index.php @@ -282,7 +282,7 @@ print '
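Review bot: `while ($i < min($limit, $num))` in the @@ -107 hunk of api_subscriptions.class.php returns no rows at all when `$limit` is 0, whereas the sibling list endpoints in api_members.class.php and api_memberstypes.class.php compute `$min = min($num, ($limit <= 0 ? $num : $limit));` for the same loop; this one should be aligned with them. `$this->db->plimit($limit + 1, $offset)` is only appended when `$limit` is truthy, so a zero limit is a reachable input that currently yields the 404 branch below. The enclosing method starts outside the hunk.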
'; /* * Latest modified members */ -$max = 5; +$max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT; $sql = "SELECT a.rowid, a.statut, a.lastname, a.firstname, a.societe as company, a.fk_soc,"; $sql .= " a.tms as datem, datefin as date_end_subscription,"; @@ -337,7 +337,7 @@ if ($resql) { /* * Last modified subscriptions */ -$max = 5; +$max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT; $sql = "SELECT a.rowid, a.statut, a.lastname, a.firstname, a.societe as company, a.fk_soc,"; $sql .= " datefin as date_end_subscription,"; diff --git a/htdocs/adherents/list.php b/htdocs/adherents/list.php index 60e10ba44ea..75c9c731810 100644 --- a/htdocs/adherents/list.php +++ b/htdocs/adherents/list.php @@ -281,7 +281,7 @@ if ($search_ref) { if ($search_civility) $sql .= natural_search("d.civility", $search_civility); if ($search_firstname) $sql .= natural_search("d.firstname", $search_firstname); if ($search_lastname) $sql .= natural_search(array("d.firstname", "d.lastname", "d.societe"), $search_lastname); -if ($search_gender != '' && $search_gender != '-1') $sql .= " AND d.gender = '".$search_gender."'"; +if ($search_gender != '' && $search_gender != '-1') $sql .= natural_search("d.gender", $search_gender); if ($search_login) $sql .= natural_search("d.login", $search_login); if ($search_company) $sql .= natural_search("s.nom", $search_company); if ($search_email) $sql .= natural_search("d.email", $search_email); 
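Review bot: `$max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT;` replaces a hard-coded 5 with an unguarded configuration read, so on an installation where that constant is not defined `$max` becomes null and whatever limit clause is built from it further down (outside the hunk) changes meaning. Keep the previous value as the fallback: `$max = empty($conf->global->MAIN_SIZE_SHORTLIST_LIMIT) ? 5 : $conf->global->MAIN_SIZE_SHORTLIST_LIMIT;`. The same applies to the second assignment in the @@ -337 hunk of htdocs/adherents/index.php.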
@@ -370,6 +370,7 @@ if ($search_lastname) $param .= "&search_lastname=".urlencode($search_lastname) if ($search_gender) $param .= "&search_gender=".urlencode($search_gender); if ($search_login) $param .= "&search_login=".urlencode($search_login); if ($search_email) $param .= "&search_email=".urlencode($search_email); +if ($search_categ) $param .= "&search_categ=".urlencode($search_categ); if ($search_company) $param .= "&search_company=".urlencode($search_company); if ($search_address != '') $param .= "&search_address=".urlencode($search_address); if ($search_town != '') $param .= "&search_town=".urlencode($search_town); @@ -477,7 +478,7 @@ if (!empty($arrayfields['d.lastname']['checked'])) { } if (!empty($arrayfields['d.gender']['checked'])) { print '
'; } @@ -502,16 +503,16 @@ if (!empty($arrayfields['t.libelle']['checked'])) { if (!empty($arrayfields['d.address']['checked'])) { print ''; + print ''; } if (!empty($arrayfields['d.zip']['checked'])) { print ''; + print ''; } if (!empty($arrayfields['d.town']['checked'])) { print ''; + print ''; } // State if (!empty($arrayfields['state.nom']['checked'])) { @@ -528,24 +529,24 @@ if (!empty($arrayfields['country.code_iso']['checked'])) { // Phone pro if (!empty($arrayfields['d.phone']['checked'])) { print ''; + print ''; } // Phone perso if (!empty($arrayfields['d.phone_perso']['checked'])) { print ''; + print ''; } // Phone mobile if (!empty($arrayfields['d.phone_mobile']['checked'])) { print ''; + print ''; } // Email if (!empty($arrayfields['d.email']['checked'])) { print ''; + print ''; } - +// End of subscription date if (!empty($arrayfields['d.datefin']['checked'])) { print ''; diff --git a/htdocs/adherents/note.php b/htdocs/adherents/note.php index 819c3499627..85becb0aa3d 100644 --- a/htdocs/adherents/note.php +++ b/htdocs/adherents/note.php @@ -31,7 +31,7 @@ require_once DOL_DOCUMENT_ROOT.'/adherents/class/adherent_type.class.php'; // Load translation files required by the page $langs->loadLangs(array("companies", "members", "bills")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $id = GETPOST('id', 'int'); // Security check diff --git a/htdocs/adherents/stats/byproperties.php b/htdocs/adherents/stats/byproperties.php index 90187e483dc..62e503f8170 100644 --- a/htdocs/adherents/stats/byproperties.php +++ b/htdocs/adherents/stats/byproperties.php @@ -141,10 +141,11 @@ if (!count($data)) { } // Print array +print '
'; // You can use div-table-responsive-no-min if you dont need reserved height for your table print '
'.$langs->trans("DateToBirth").''.dol_print_date($object->birth, 'day').'
'.$langs->trans("DateOfBirth").''.dol_print_date($object->birth, 'day').'
'.$langs->trans("Public").''.yn($object->public).'
'; - $arraygender = array('man'=>$langs->trans("Genderman"), 'woman'=>$langs->trans("Genderwoman")); + $arraygender = array('man'=>$langs->trans("Genderman"), 'woman'=>$langs->trans("Genderwoman"), 'other'=>$langs->trans("Genderother")); print $form->selectarray('search_gender', $arraygender, $search_gender, 1); print ''; - print ''; - print ''; - print ''; - print ''; - print ''; - print ''; - print ''; print '
'; print ''; print ''; -print ''; +print ''; print ''; print ''; print ''; @@ -170,7 +171,7 @@ foreach ($data as $val) { } print '
'.$langs->trans("MemberNature").''.$langs->trans("NbOfMembers").' ('.$langs->trans("AllTime").')'.$langs->trans("NbOfMembers").' ('.$langs->trans("AllTime").')'.$langs->trans("NbOfActiveMembers").''.$langs->trans("LastMemberDate").''.$langs->trans("NbOfSubscriptions").'
'; - +print ''; dol_fiche_end(); diff --git a/htdocs/adherents/stats/geo.php b/htdocs/adherents/stats/geo.php index edb37a9d4a8..f7001656bd9 100644 --- a/htdocs/adherents/stats/geo.php +++ b/htdocs/adherents/stats/geo.php @@ -45,7 +45,7 @@ $startyear = $year - 2; $endyear = $year; // Load translation files required by the page -$langs->loadLangs(array("companies", "members")); +$langs->loadLangs(array("companies", "members", "banks")); /* @@ -272,12 +272,13 @@ if (count($arrayjs) && $mode == 'memberbycountry') { } if ($mode) { - // Print array / Affiche le tableau - print ''; + // Print array + print '
'; // You can use div-table-responsive-no-min if you dont need reserved height for your table + print '
'; print ''; print ''; if ($label2) print ''; - print ''; + print ''; print ''; print ''; print ''; @@ -294,6 +295,7 @@ if ($mode) { } print '
'.$label.''.$label2.''.$langs->trans("NbOfMembers").' ('.$langs->trans("AllTime").')'.$langs->trans("NbOfMembers").' ('.$langs->trans("AllTime").')'.$langs->trans("LastMemberDate").''.$langs->trans("LatestSubscriptionDate").'
'; + print ''; } diff --git a/htdocs/adherents/subscription.php b/htdocs/adherents/subscription.php index 63da0be8677..67880c303cb 100644 --- a/htdocs/adherents/subscription.php +++ b/htdocs/adherents/subscription.php @@ -40,15 +40,15 @@ require_once DOL_DOCUMENT_ROOT.'/accountancy/class/accountingjournal.class.php'; $langs->loadLangs(array("companies", "bills", "members", "users", "mails", 'other')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $rowid = GETPOST('rowid', 'int') ?GETPOST('rowid', 'int') : GETPOST('id', 'int'); $typeid = GETPOST('typeid', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; @@ -628,7 +628,7 @@ if ($rowid > 0) { $subscriptionstatic->ref = $objp->crowid; $subscriptionstatic->id = $objp->crowid; - $typeid = ($objp->cfk_type > 0 ? $objp->cfk_type : $adh->typeid); + $typeid = $objp->cfk_type; if ($typeid > 0) { $adht->fetch($typeid); } diff --git a/htdocs/adherents/subscription/list.php b/htdocs/adherents/subscription/list.php index 509f00d2705..b06ee5f227e 100644 --- a/htdocs/adherents/subscription/list.php +++ b/htdocs/adherents/subscription/list.php 
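Review bot: `$typeid = $objp->cfk_type;` in the @@ -628 hunk of htdocs/adherents/subscription.php drops the `$adh->typeid` fallback, so for a subscription row with no `cfk_type` the `if ($typeid > 0)` guard skips `$adht->fetch($typeid)` and `$adht` keeps whatever was loaded previously; the surrounding loop and the `$adht` initialisation are outside the hunk, so this is inferred from the guard alone. If the intent is to show only the type recorded on the subscription itself, reset `$adht` before the guard or gate the later use of `$adht` on `$typeid > 0`, so that a missing type is rendered as empty rather than as the previous row's type.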
@@ -147,13 +147,15 @@ $sql .= " c.rowid as crowid, c.fk_type, c.subscription,"; $sql .= " c.dateadh, c.datef, c.datec as date_creation, c.tms as date_update,"; $sql .= " c.fk_bank as bank, c.note,"; $sql .= " b.fk_account"; -$sql .= " FROM ".MAIN_DB_PREFIX."adherent as d, ".MAIN_DB_PREFIX."subscription as c"; +$sql .= " FROM ".MAIN_DB_PREFIX."adherent as d"; +$sql .= " JOIN ".MAIN_DB_PREFIX."subscription as c on d.rowid = c.fk_adherent"; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."adherent_extrafields as ef on (d.rowid = ef.fk_object)"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."bank as b ON c.fk_bank=b.rowid"; -$sql .= " WHERE d.rowid = c.fk_adherent"; -$sql .= " AND d.entity IN (".getEntity('adherent').")"; -if (isset($date_select) && $date_select != '') { - $sql .= " AND c.dateadh >= '".$date_select."-01-01 00:00:00'"; - $sql .= " AND c.dateadh < '".($date_select + 1)."-01-01 00:00:00'"; +$sql .= " WHERE d.entity IN (".getEntity('adherent').")"; +if (isset($date_select) && $date_select != '') +{ + $sql .= " AND c.dateadh >= '".((int) $date_select)."-01-01 00:00:00'"; + $sql .= " AND c.dateadh < '".((int) $date_select + 1)."-01-01 00:00:00'"; } if ($search_ref) { if (is_numeric($search_ref)) $sql .= " AND (c.rowid = ".$db->escape($search_ref).")"; diff --git a/htdocs/adherents/type.php b/htdocs/adherents/type.php index 39ee57a6744..853e22bfbc9 100644 --- a/htdocs/adherents/type.php +++ b/htdocs/adherents/type.php @@ -38,7 +38,7 @@ require_once DOL_DOCUMENT_ROOT.'/product/class/html.formproduct.class.php'; $langs->load("members"); $rowid = GETPOST('rowid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $backtopage = GETPOST('backtopage', 'alpha'); 
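Review bot: `if (is_numeric($search_ref)) $sql .= " AND (c.rowid = ".$db->escape($search_ref).")";` two lines after the newly cast date bounds still relies on `escape()` for an unquoted operand; `is_numeric()` makes it safe but also admits forms such as `1e3` or a leading space, and `((int) $search_ref)` is the direct form matching the casts added in this hunk. The new `LEFT JOIN ".MAIN_DB_PREFIX."adherent_extrafields as ef` is not referenced in the visible SELECT or WHERE; if its columns are used outside the hunk this is fine, otherwise it is a dead join. Note also that `(int) $date_select` turns a non-numeric year into 0 silently rather than rejecting it, which is acceptable for a filter but worth a comment on the line.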
@@ -66,8 +66,8 @@ $subscription = GETPOST("subscription", "int"); $duration_value = GETPOST('duration_value', 'int'); $duration_unit = GETPOST('duration_unit', 'alpha'); $vote = GETPOST("vote", "int"); -$comment = GETPOST("comment", 'none'); -$mail_valid = GETPOST("mail_valid", 'none'); +$comment = GETPOST("comment", 'restricthtml'); +$mail_valid = GETPOST("mail_valid", 'restricthtml'); // Security check $result = restrictedArea($user, 'adherent', $rowid, 'adherent_type'); diff --git a/htdocs/adherents/type_ldap.php b/htdocs/adherents/type_ldap.php index 433c83d72be..5e745293050 100644 --- a/htdocs/adherents/type_ldap.php +++ b/htdocs/adherents/type_ldap.php @@ -33,7 +33,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/ldap.lib.php'; $langs->loadLangs(array("admin", "members", "ldap")); $id = GETPOST('rowid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Security check $result = restrictedArea($user, 'adherent', $id, 'adherent_type'); diff --git a/htdocs/adherents/type_translation.php b/htdocs/adherents/type_translation.php index b45c7cf76f5..dcd4a7aa981 100644 --- a/htdocs/adherents/type_translation.php +++ b/htdocs/adherents/type_translation.php @@ -35,7 +35,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formadmin.class.php'; $langs->loadLangs(array('members', 'languages')); $id = GETPOST('rowid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); // Security check diff --git a/htdocs/admin/accountant.php b/htdocs/admin/accountant.php index c8c082db6ae..b039032b9c2 100644 --- a/htdocs/admin/accountant.php +++ b/htdocs/admin/accountant.php 
@@ -62,7 +62,7 @@ if (($action == 'update' && !GETPOST("cancel", 'alpha')) dolibarr_set_const($db, "MAIN_INFO_ACCOUNTANT_MAIL", GETPOST("mail", 'alpha'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_INFO_ACCOUNTANT_WEB", GETPOST("web", 'alpha'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_INFO_ACCOUNTANT_CODE", GETPOST("code", 'nohtml'), 'chaine', 0, '', $conf->entity); - dolibarr_set_const($db, "MAIN_INFO_ACCOUNTANT_NOTE", GETPOST("note", 'none'), 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_INFO_ACCOUNTANT_NOTE", GETPOST("note", 'restricthtml'), 'chaine', 0, '', $conf->entity); if ($action != 'updateedit' && !$error) { @@ -164,7 +164,7 @@ print ''; -print ''; +print ''; print ''; print ''; diff --git a/htdocs/admin/agenda.php b/htdocs/admin/agenda.php index 1a29595a9ab..2cc79be297d 100644 --- a/htdocs/admin/agenda.php +++ b/htdocs/admin/agenda.php @@ -34,7 +34,7 @@ if (!$user->admin) // Load translation files required by the page $langs->loadLangs(array('admin', 'other', 'agenda')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $search_event = GETPOST('search_event', 'alpha'); diff --git a/htdocs/admin/agenda_extrafields.php b/htdocs/admin/agenda_extrafields.php index a0197f70274..605f3c76519 100644 --- a/htdocs/admin/agenda_extrafields.php +++ b/htdocs/admin/agenda_extrafields.php @@ -45,7 +45,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'actioncomm'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/agenda_other.php b/htdocs/admin/agenda_other.php index 560226438c3..cd7e1752274 100644 --- a/htdocs/admin/agenda_other.php 
+++ b/htdocs/admin/agenda_other.php
@@ -37,7 +37,7 @@ if (!$user->admin)
 // Load translation files required by the page
 $langs->loadLangs(array('admin', 'other', 'agenda', 'users'));
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $value = GETPOST('value', 'alpha');
 $param = GETPOST('param', 'alpha');
 $cancel = GETPOST('cancel', 'alpha');
diff --git a/htdocs/admin/agenda_reminder.php b/htdocs/admin/agenda_reminder.php
index 5d23bbb08a1..982387b2ed6 100644
--- a/htdocs/admin/agenda_reminder.php
+++ b/htdocs/admin/agenda_reminder.php
@@ -32,7 +32,7 @@ if (!$user->admin)
 // Load translation files required by the page
 $langs->loadLangs(array("admin", "other", "agenda"));
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $value = GETPOST('value', 'alpha');
 $param = GETPOST('param', 'alpha');
 $cancel = GETPOST('cancel', 'alpha');
diff --git a/htdocs/admin/bank.php b/htdocs/admin/bank.php
index b43daca20d9..6f669d900ba 100644
--- a/htdocs/admin/bank.php
+++ b/htdocs/admin/bank.php
@@ -37,7 +37,7 @@ $langs->loadLangs(array("admin", "companies", "bills", "other", "banks"));
 if (!$user->admin) accessforbidden();
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $actionsave = GETPOST('save', 'alpha');
 $value = GETPOST('value', 'alpha');
 $label = GETPOST('label', 'alpha');
@@ -283,7 +283,7 @@ print load_fiche_titre($langs->trans("BankAccountModelModule"), '', '');
 $def = array();
 $sql = "SELECT nom";
 $sql .= " FROM ".MAIN_DB_PREFIX."document_model";
-$sql .= " WHERE type = '".$type."'";
+$sql .= " WHERE type = '".$db->escape($type)."'";
 $sql .= " AND entity = ".$conf->entity;
 $resql = $db->query($sql);
 if ($resql) {
diff --git a/htdocs/admin/bank_extrafields.php b/htdocs/admin/bank_extrafields.php
index 940e0a7313e..312da228f50 100644
--- a/htdocs/admin/bank_extrafields.php
+++ b/htdocs/admin/bank_extrafields.php
@@ -41,7 +41,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'bank_account'; //Must be the $element of the class that manage extrafield diff --git a/htdocs/admin/barcode.php b/htdocs/admin/barcode.php index 250e2cf6162..cddb91d0d49 100644 --- a/htdocs/admin/barcode.php +++ b/htdocs/admin/barcode.php @@ -33,7 +33,7 @@ $langs->load("admin"); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); /* @@ -58,10 +58,10 @@ if ($action == 'setbarcodeproducton') if ($action == 'setcoder') { $coder = GETPOST('coder', 'alpha'); - $code_id = GETPOST('code_id', 'alpha'); + $code_id = GETPOST('code_id', 'int'); $sqlp = "UPDATE ".MAIN_DB_PREFIX."c_barcode_type"; - $sqlp .= " SET coder = '".$coder."'"; - $sqlp .= " WHERE rowid = ".$code_id; + $sqlp .= " SET coder = '".$db->escape($coder)."'"; + $sqlp .= " WHERE rowid = ".((int) $code_id); $sqlp .= " AND entity = ".$conf->entity; $resql = $db->query($sqlp); @@ -104,8 +104,8 @@ if ($action == 'setcoder') $code_id = $obj->rowid; $sqlp = "UPDATE ".MAIN_DB_PREFIX."c_barcode_type"; - $sqlp .= " SET coder = '".$coder."'"; - $sqlp .= " WHERE rowid = ".$code_id; + $sqlp .= " SET coder = '".$db->escape($coder)."'"; + $sqlp .= " WHERE rowid = ".((int) $code_id); $sqlp .= " AND entity = ".$conf->entity; $upsql = $db->query($sqlp); diff --git a/htdocs/admin/bom.php b/htdocs/admin/bom.php index 621a994cabe..50c919a628a 100644 --- a/htdocs/admin/bom.php +++ b/htdocs/admin/bom.php 
@@ -32,7 +32,7 @@ $langs->loadLangs(array('admin', 'errors', 'mrp', 'other')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -151,7 +151,7 @@ elseif ($action == 'setdoc') } } elseif ($action == 'set_BOM_FREE_TEXT') { - $freetext = GETPOST("BOM_FREE_TEXT", 'none'); // No alpha here, we want exact string + $freetext = GETPOST("BOM_FREE_TEXT", 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "BOM_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); @@ -292,7 +292,7 @@ print load_fiche_titre($langs->trans("BOMsModelModule"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/bom_extrafields.php b/htdocs/admin/bom_extrafields.php index 70303f1dcda..7ec50d9d7db 100644 --- a/htdocs/admin/bom_extrafields.php +++ b/htdocs/admin/bom_extrafields.php @@ -41,7 +41,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'bom_bom'; diff --git a/htdocs/admin/boxes.php b/htdocs/admin/boxes.php index 8f28addc994..4f6dfff33a5 100644 --- a/htdocs/admin/boxes.php +++ b/htdocs/admin/boxes.php @@ -34,7 +34,7 @@ $langs->loadLangs(array('admin', 'boxes', 'accountancy')); if (!$user->admin) accessforbidden(); $rowid = GETPOST('rowid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Define possible position of boxes 
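Review bot: The trailing comment `// No alpha here, we want exact string` on the changed `$freetext = GETPOST("BOM_FREE_TEXT", 'restricthtml');` line is now stale: with `'restricthtml'` the value is filtered before it is stored, so it is no longer the exact string the user typed. Suggest `// Not 'alpha' here; 'restricthtml' keeps limited HTML but the value is sanitized, not stored verbatim`. The same outdated comment survives on the equivalent `$freetext` lines in chequereceipts.php, commande.php, contract.php, expedition.php and expensereport.php in this commit.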
@@ -192,12 +192,12 @@ if ($action == 'switch') $newsecondnum = preg_replace('/[a-zA-Z]+/', '', $newsecond); $newsecond = sprintf("%s%02d", $newsecondchar ? $newsecondchar : 'A', $newsecondnum + 1); } - $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$newfirst."' WHERE rowid=".$objfrom->rowid; + $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$db->escape($newfirst)."' WHERE rowid=".$objfrom->rowid; dol_syslog($sql); $resultupdatefrom = $db->query($sql); if (!$resultupdatefrom) { dol_print_error($db); } - $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$newsecond."' WHERE rowid=".$objto->rowid; + $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$db->escape($newsecond)."' WHERE rowid=".$objto->rowid; dol_syslog($sql); $resultupdateto = $db->query($sql); if (!$resultupdateto) { dol_print_error($db); } @@ -261,7 +261,7 @@ if ($resql) // This occurs just after an insert. if ($decalage) { - $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$decalage."' WHERE rowid=".$obj->rowid; + $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$db->escape($decalage)."' WHERE rowid=".$obj->rowid; $db->query($sql); } } 
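Review bot: The `WHERE rowid=".$objfrom->rowid` and `WHERE rowid=".$objto->rowid` tails of the two rewritten UPDATE statements are still concatenated raw while only the quoted `box_order` values now go through `$db->escape()`; for an unquoted numeric an `(int)` cast is the matching guard, e.g. `WHERE rowid=".((int) $objfrom->rowid)`. The same applies to `$obj->rowid` in the `@@ -261` hunk and to `$conf->entity` in the `@@ -286` and `@@ -299` hunks of this file. These values appear to come from rows already read from the database rather than from the request, so this is a consistency point rather than a demonstrated injection path; the enclosing `if ($action == 'switch')` block starts outside the hunk.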
@@ -286,12 +286,12 @@ if ($resql) if (preg_match("/[13579]{1}/", substr($record['box_order'], -1))) { $box_order = "A0".$record['box_order']; - $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$box_order."' WHERE entity = ".$conf->entity." AND box_order = '".$record['box_order']."'"; + $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$db->escape($box_order)."' WHERE entity = ".$conf->entity." AND box_order = '".$db->escape($record['box_order'])."'"; $resql = $db->query($sql); } elseif (preg_match("/[02468]{1}/", substr($record['box_order'], -1))) { $box_order = "B0".$record['box_order']; - $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$box_order."' WHERE entity = ".$conf->entity." AND box_order = '".$record['box_order']."'"; + $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$db->escape($box_order)."' WHERE entity = ".$conf->entity." AND box_order = '".$db->escape($record['box_order'])."'"; $resql = $db->query($sql); } } elseif (dol_strlen($record['box_order']) == 2) @@ -299,12 +299,12 @@ if ($resql) if (preg_match("/[13579]{1}/", substr($record['box_order'], -1))) { $box_order = "A".$record['box_order']; - $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$box_order."' WHERE entity = ".$conf->entity." AND box_order = '".$record['box_order']."'"; + $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$db->escape($box_order)."' WHERE entity = ".$conf->entity." AND box_order = '".$db->escape($record['box_order'])."'"; $resql = $db->query($sql); } elseif (preg_match("/[02468]{1}/", substr($record['box_order'], -1))) { $box_order = "B".$record['box_order']; - $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$box_order."' WHERE entity = ".$conf->entity." AND box_order = '".$record['box_order']."'"; + $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$db->escape($box_order)."' WHERE entity = ".$conf->entity." AND box_order = '".$db->escape($record['box_order'])."'"; $resql = $db->query($sql); } } 
diff --git a/htdocs/admin/chequereceipts.php b/htdocs/admin/chequereceipts.php index b619f584736..096ffbe02c8 100644 --- a/htdocs/admin/chequereceipts.php +++ b/htdocs/admin/chequereceipts.php @@ -37,7 +37,7 @@ $langs->loadLangs(array("admin", "companies", "bills", "other", "banks")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); @@ -72,7 +72,7 @@ if ($action == 'setmod') if ($action == 'set_BANK_CHEQUERECEIPT_FREE_TEXT') { - $freetext = GETPOST('BANK_CHEQUERECEIPT_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('BANK_CHEQUERECEIPT_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "BANK_CHEQUERECEIPT_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); diff --git a/htdocs/admin/commande.php b/htdocs/admin/commande.php index febddf901c5..288eac6de92 100644 --- a/htdocs/admin/commande.php +++ b/htdocs/admin/commande.php @@ -41,7 +41,7 @@ $langs->loadLangs(array('admin', 'errors', 'orders', 'other')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -160,7 +160,7 @@ elseif ($action == 'setdoc') } } elseif ($action == 'set_ORDER_FREE_TEXT') { - $freetext = GETPOST("ORDER_FREE_TEXT", 'none'); // No alpha here, we want exact string + $freetext = GETPOST("ORDER_FREE_TEXT", 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "ORDER_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); 
@@ -357,7 +357,7 @@ print load_fiche_titre($langs->trans("OrdersModelModule"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/commande_fournisseur_dispatch_extrafields.php b/htdocs/admin/commande_fournisseur_dispatch_extrafields.php index 8d5925e363d..e1ec33c02d4 100644 --- a/htdocs/admin/commande_fournisseur_dispatch_extrafields.php +++ b/htdocs/admin/commande_fournisseur_dispatch_extrafields.php @@ -50,7 +50,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->trans($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'commande_fournisseur_dispatch'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/company.php b/htdocs/admin/company.php index e5c20f647e5..8211fd1cadf 100644 --- a/htdocs/admin/company.php +++ b/htdocs/admin/company.php 
@@ -100,7 +100,7 @@ if (($action == 'update' && !GETPOST("cancel", 'alpha')) dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FAX", GETPOST("fax", 'alphanohtml'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MAIL", GETPOST("mail", 'alphanohtml'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_WEB", GETPOST("web", 'alphanohtml'), 'chaine', 0, '', $conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_NOTE", GETPOST("note", 'none'), 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_NOTE", GETPOST("note", 'restricthtml'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_GENCOD", GETPOST("barcode", 'alphanohtml'), 'chaine', 0, '', $conf->entity); $dirforimage = $conf->mycompany->dir_output.'/logos/'; @@ -524,7 +524,7 @@ print ''; // Note print ''; -print ''; +print ''; print ''; print ''; diff --git a/htdocs/admin/compta.php b/htdocs/admin/compta.php index 4b98d8975eb..faf38f44b16 100644 --- a/htdocs/admin/compta.php +++ b/htdocs/admin/compta.php @@ -36,7 +36,7 @@ $langs->loadLangs(array('admin', 'compta', 'accountancy')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Other parameters ACCOUNTING_* $list = array( diff --git a/htdocs/admin/confexped.php b/htdocs/admin/confexped.php index d2ea8da6d3f..3f1eb8d9651 100644 --- a/htdocs/admin/confexped.php +++ b/htdocs/admin/confexped.php @@ -35,7 +35,7 @@ $langs->loadLangs(array('admin', 'sendings', 'deliveries')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); /* diff --git a/htdocs/admin/const.php b/htdocs/admin/const.php index 18252d0849c..5a525cbe9ad 100644 --- a/htdocs/admin/const.php +++ b/htdocs/admin/const.php 
@@ -35,19 +35,19 @@ if (!$user->admin) $rowid = GETPOST('rowid', 'int'); $entity = GETPOST('entity', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $update = GETPOST('update', 'alpha'); $delete = GETPOST('delete', 'none'); // Do not use alpha here $debug = GETPOST('debug', 'int'); $consts = GETPOST('const', 'array'); $constname = GETPOST('constname', 'alphanohtml'); -$constvalue = GETPOST('constvalue', 'none'); // We shoul dbe able to send everything here +$constvalue = GETPOST('constvalue', 'restricthtml'); // We should be able to send everything here $constnote = GETPOST('constnote', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action $offset = $limit * $page; @@ -207,10 +207,13 @@ print "\n"; // Line to add new record print "\n"; -print ''."\n"; +print ''; +print ''; +print ''."\n"; print ''; print ''; -print ''; +print ''; +print ''; print ''; print ''; print ''; diff --git a/htdocs/admin/contract.php b/htdocs/admin/contract.php index 4aeabd4439d..971596d1c06 100644 --- a/htdocs/admin/contract.php +++ b/htdocs/admin/contract.php 
@@ -33,7 +33,7 @@ $langs->loadLangs(array("admin", "errors", "contracts")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -143,7 +143,7 @@ elseif ($action == 'setdoc') dolibarr_set_const($db, "CONTRACT_ADDON", $value, 'chaine', 0, '', $conf->entity); } elseif ($action == 'set_other') { - $freetext = GETPOST('CONTRACT_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('CONTRACT_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res1 = dolibarr_set_const($db, "CONTRACT_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); $draft = GETPOST('CONTRACT_DRAFT_WATERMARK', 'alpha'); @@ -287,7 +287,7 @@ print load_fiche_titre($langs->trans("TemplatePDFContracts"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/dav.php b/htdocs/admin/dav.php index 2937de3ed51..0438d5759ad 100644 --- a/htdocs/admin/dav.php +++ b/htdocs/admin/dav.php @@ -32,7 +32,7 @@ if (!$user->admin) accessforbidden(); // Parameters -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); diff --git a/htdocs/admin/defaultvalues.php b/htdocs/admin/defaultvalues.php index cada1cbc8a6..f4e33bb7259 100644 --- a/htdocs/admin/defaultvalues.php +++ b/htdocs/admin/defaultvalues.php 
@@ -37,7 +37,7 @@ $langs->loadLangs(array('companies', 'products', 'admin', 'sms', 'other', 'error if (!$user->admin) accessforbidden(); $id = GETPOST('rowid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $optioncss = GETPOST('optionscss', 'alphanohtml'); $mode = GETPOST('mode', 'aZ09') ?GETPOST('mode', 'aZ09') : 'createform'; // 'createform', 'filters', 'sortorder', 'focus' @@ -61,7 +61,7 @@ $defaulturl = preg_replace('/^\//', '', $defaulturl); $urlpage = GETPOST('urlpage', 'alphanohtml'); $key = GETPOST('key', 'alphanohtml'); -$value = GETPOST('value', 'none'); +$value = GETPOST('value', 'restricthtml'); // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('admindefaultvalues', 'globaladmin')); diff --git a/htdocs/admin/delais.php b/htdocs/admin/delais.php index 2ece442d74f..d6c708c124e 100644 --- a/htdocs/admin/delais.php +++ b/htdocs/admin/delais.php @@ -32,7 +32,7 @@ $langs->load("admin"); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $modules = array( 'agenda' => array( @@ -48,7 +48,7 @@ $modules = array( ), array( 'code' => 'MAIN_DELAY_TASKS_TODO', - 'img' => 'task' + 'img' => 'projecttask' ) ), 'propal' => array( @@ -107,10 +107,6 @@ $modules = array( array( 'code' => 'MAIN_DELAY_MEMBERS', 'img' => 'user' - ), - array( - 'code' => 'MAIN_DELAY_MEMBERS_SHIFT', - 'img' => 'user' ) ), 'expensereport' => array( @@ -229,7 +225,7 @@ if ($action == 'edit') $value = (!empty($conf->global->{$delay['code']}) ? $conf->global->{$delay['code']}:0); print ''; print ''.img_object('', $delay['img']).''; - print ''.$langs->trans('Delays_'.$delay['code']).''; + print ''.$langs->trans('Delays_'.$delay['code']).''; print ' '.$langs->trans("days").''; } } @@ -290,148 +286,150 @@ if ($action == 'edit') print '
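Review bot: `$value = GETPOST('value', 'restricthtml');` is the right direction for free text, but this page stores defaults for several modes including `'filters'` and `'sortorder'` (see the `$mode` line in the previous hunk), and an HTML-oriented filter may rewrite `<`, `>` or quote characters that a filter expression relies on; worth confirming that a filter default round-trips unchanged through this page, and if it does not, selecting the check type per `$mode`. How `$value` is consumed is not visible in this hunk, so this is inferred from the mode names only.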
'; -// Show logo for weather -print ''.$langs->trans("DescWeather").' '; -if ($action == 'edit') { - $str_mode_std = $langs->trans('MeteoStdModEnabled').' : '.$langs->trans('MeteoUseMod', $langs->transnoentitiesnoconv('MeteoPercentageMod')); - $str_mode_percentage = $langs->trans('MeteoPercentageModEnabled').' : '.$langs->trans('MeteoUseMod', $langs->transnoentitiesnoconv('MeteoStdMod')); - if (empty($conf->global->MAIN_USE_METEO_WITH_PERCENTAGE)) $str_mode_enabled = $str_mode_std; - else $str_mode_enabled = $str_mode_percentage; - print ''.$str_mode_enabled.''; - print ''; +if ($conf->global->MAIN_DISABLE_METEO != 1) { + // Show logo for weather + print ''.$langs->trans("DescWeather").' '; - print '

'; -} else { - if (empty($conf->global->MAIN_USE_METEO_WITH_PERCENTAGE)) print $langs->trans('MeteoStdModEnabled'); - else print $langs->trans('MeteoPercentageModEnabled'); - print '

'; -} + if ($action == 'edit') { + $str_mode_std = $langs->trans('MeteoStdModEnabled').' : '.$langs->trans('MeteoUseMod', $langs->transnoentitiesnoconv('MeteoPercentageMod')); + $str_mode_percentage = $langs->trans('MeteoPercentageModEnabled').' : '.$langs->trans('MeteoUseMod', $langs->transnoentitiesnoconv('MeteoStdMod')); + if (empty($conf->global->MAIN_USE_METEO_WITH_PERCENTAGE)) $str_mode_enabled = $str_mode_std; + else $str_mode_enabled = $str_mode_percentage; + print ''.$str_mode_enabled.''; + print ''; -$offset = 0; -$cursor = 10; // By default -//if (! empty($conf->global->MAIN_METEO_OFFSET)) $offset=$conf->global->MAIN_METEO_OFFSET; -//if (! empty($conf->global->MAIN_METEO_GAP)) $cursor=$conf->global->MAIN_METEO_GAP; -$level0 = $offset; if (!empty($conf->global->MAIN_METEO_LEVEL0)) $level0 = $conf->global->MAIN_METEO_LEVEL0; -$level1 = $offset + 1 * $cursor; if (!empty($conf->global->MAIN_METEO_LEVEL1)) $level1 = $conf->global->MAIN_METEO_LEVEL1; -$level2 = $offset + 2 * $cursor; if (!empty($conf->global->MAIN_METEO_LEVEL2)) $level2 = $conf->global->MAIN_METEO_LEVEL2; -$level3 = $offset + 3 * $cursor; if (!empty($conf->global->MAIN_METEO_LEVEL3)) $level3 = $conf->global->MAIN_METEO_LEVEL3; -$text = ''; $options = 'class="valignmiddle" height="60px"'; + print '

'; + } else { + if (empty($conf->global->MAIN_USE_METEO_WITH_PERCENTAGE)) print $langs->trans('MeteoStdModEnabled'); + else print $langs->trans('MeteoPercentageModEnabled'); + print '

'; + } + + $offset = 0; + $cursor = 10; // By default + //if (! empty($conf->global->MAIN_METEO_OFFSET)) $offset=$conf->global->MAIN_METEO_OFFSET; + //if (! empty($conf->global->MAIN_METEO_GAP)) $cursor=$conf->global->MAIN_METEO_GAP; + $level0 = $offset; if (!empty($conf->global->MAIN_METEO_LEVEL0)) $level0 = $conf->global->MAIN_METEO_LEVEL0; + $level1 = $offset + 1 * $cursor; if (!empty($conf->global->MAIN_METEO_LEVEL1)) $level1 = $conf->global->MAIN_METEO_LEVEL1; + $level2 = $offset + 2 * $cursor; if (!empty($conf->global->MAIN_METEO_LEVEL2)) $level2 = $conf->global->MAIN_METEO_LEVEL2; + $level3 = $offset + 3 * $cursor; if (!empty($conf->global->MAIN_METEO_LEVEL3)) $level3 = $conf->global->MAIN_METEO_LEVEL3; + $text = ''; $options = 'class="valignmiddle" height="60px"'; -if ($action == 'edit') { - print '
global->MAIN_USE_METEO_WITH_PERCENTAGE) ? '' : 'style="display:none;"').'>'; + if ($action == 'edit') { + print '
global->MAIN_USE_METEO_WITH_PERCENTAGE) ? '' : 'style="display:none;"').'>'; - print '
'; - print '
'; - print img_weather($text, 0, $options); - print '= '; - print '
'; - print img_weather($text, 1, $options); - print '<= '; - print '
'; - print img_weather($text, 2, $options); - print '<= '; - print '
'; - print img_weather($text, 3, $options); - print '<= '; - print '
'; - print '
'; + print '
'; + print '
'; + print img_weather($text, 0, $options); + print ' <= '; + print '
'; + print img_weather($text, 1, $options); + print ' <= '; + print '
'; + print img_weather($text, 2, $options); + print ' <= '; + print '
'; + print img_weather($text, 3, $options); + print ' <= '; + print '
'; + print '
'; - print '
'; + print '
'; - print '
global->MAIN_USE_METEO_WITH_PERCENTAGE) ? 'style="display:none;"' : '').'>'; + print '
global->MAIN_USE_METEO_WITH_PERCENTAGE) ? 'style="display:none;"' : '').'>'; - print '
'; - print '
'; - print img_weather($text, 0, $options); - print '<=  %'; - print '
'; - print img_weather($text, 1, $options); - print '<=  %'; - print '
'; - print img_weather($text, 2, $options); - print '<=  %'; - print '
'; - print img_weather($text, 3, $options); - print '<=  %'; - print '
'; - print '
'; + print '
'; + print '
'; + print img_weather($text, 0, $options); + print ' <=  %'; + print '
'; + print img_weather($text, 1, $options); + print ' <=  %'; + print '
'; + print img_weather($text, 2, $options); + print ' <=  %'; + print '
'; + print img_weather($text, 3, $options); + print ' <=  %'; + print '
'; + print '
'; - print '
'; + print '
'; - ?> + ?> - - - - global->MAIN_USE_METEO_WITH_PERCENTAGE)) { - print '
'; - print '
'; - print img_weather($text, 0, $options); - print '= '.$conf->global->MAIN_METEO_PERCENTAGE_LEVEL0.' %'; - print '
'; - print img_weather($text, 1, $options); - print '<= '.$conf->global->MAIN_METEO_PERCENTAGE_LEVEL1.' %'; - print '
'; - print img_weather($text, 2, $options); - print '<= '.$conf->global->MAIN_METEO_PERCENTAGE_LEVEL2.' %'; - print '
'; - print img_weather($text, 3, $options); - print '<= '.$conf->global->MAIN_METEO_PERCENTAGE_LEVEL3.' %'; - print '
'; - print img_weather($text, 4, $options); - print '> '.$conf->global->MAIN_METEO_PERCENTAGE_LEVEL3.' %'; - print '
'; - print '
'; + '; - print '
'; - print img_weather($text, 0, $options); - print '= '.$level0; - print '
'; - print img_weather($text, 1, $options); - print '<= '.$level1; - print '
'; - print img_weather($text, 2, $options); - print '<= '.$level2; - print '
'; - print img_weather($text, 3, $options); - print '<= '.$level3; - print '
'; - print img_weather($text, 4, $options); - print '> '.$level3; - print '
'; - print ''; + if (!empty($conf->global->MAIN_USE_METEO_WITH_PERCENTAGE)) { + print '
'; + print '
'; + print img_weather($text, 0, $options); + print ' <= '.$conf->global->MAIN_METEO_PERCENTAGE_LEVEL0.' %'; + print '
'; + print img_weather($text, 1, $options); + print ' <= '.$conf->global->MAIN_METEO_PERCENTAGE_LEVEL1.' %'; + print '
'; + print img_weather($text, 2, $options); + print ' <= '.$conf->global->MAIN_METEO_PERCENTAGE_LEVEL2.' %'; + print '
'; + print img_weather($text, 3, $options); + print ' <= '.$conf->global->MAIN_METEO_PERCENTAGE_LEVEL3.' %'; + print '
'; + print img_weather($text, 4, $options); + print ' > '.$conf->global->MAIN_METEO_PERCENTAGE_LEVEL3.' %'; + print '
'; + print '
'; + } else { + print '
'; + print '
'; + print img_weather($text, 0, $options); + print ' <= '.$level0; + print '
'; + print img_weather($text, 1, $options); + print ' <= '.$level1; + print '
'; + print img_weather($text, 2, $options); + print ' <= '.$level2; + print '
'; + print img_weather($text, 3, $options); + print ' <= '.$level3; + print '
'; + print img_weather($text, 4, $options); + print ' > '.$level3; + print '
'; + print '
'; + } } } -print ''; if ($action == 'edit') { print '
'; diff --git a/htdocs/admin/emailcollector_card.php b/htdocs/admin/emailcollector_card.php index f8129a887a8..cb48336e72c 100644 --- a/htdocs/admin/emailcollector_card.php +++ b/htdocs/admin/emailcollector_card.php @@ -148,7 +148,7 @@ if (GETPOST('addoperation', 'alpha')) { $emailcollectoroperation = new EmailCollectorAction($db); $emailcollectoroperation->type = GETPOST('operationtype', 'aZ09'); - $emailcollectoroperation->actionparam = GETPOST('operationparam', 'none'); + $emailcollectoroperation->actionparam = GETPOST('operationparam', 'restricthtml'); $emailcollectoroperation->fk_emailcollector = $object->id; $emailcollectoroperation->status = 1; $emailcollectoroperation->position = 50; @@ -168,7 +168,7 @@ if ($action == 'updateoperation') $emailcollectoroperation = new EmailCollectorAction($db); $emailcollectoroperation->fetch(GETPOST('rowidoperation2', 'int')); - $emailcollectoroperation->actionparam = GETPOST('operationparam2', 'none'); + $emailcollectoroperation->actionparam = GETPOST('operationparam2', 'restricthtml'); $result = $emailcollectoroperation->update($user); diff --git a/htdocs/admin/emailcollector_list.php b/htdocs/admin/emailcollector_list.php index ef00ece52fc..2ed95ce91b9 100644 --- a/htdocs/admin/emailcollector_list.php +++ b/htdocs/admin/emailcollector_list.php 
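Review bot: The new wrapping condition `if ($conf->global->MAIN_DISABLE_METEO != 1) {` reads the property directly, whereas the rest of the same hunk tests such flags with `empty()` (`empty($conf->global->MAIN_USE_METEO_WITH_PERCENTAGE)`); when the constant has never been defined this raises an undefined-property notice, so `if (empty($conf->global->MAIN_DISABLE_METEO)) {` would be the consistent and notice-free form. Most of this hunk is markup whose tags were stripped in this rendering, so the HTML restructuring and the balance of the added closing braces could not be reviewed here.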
@@ -51,8 +51,8 @@ $id = GETPOST('id', 'int');
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
-$sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action
 $offset = $limit * $page;
diff --git a/htdocs/admin/events.php b/htdocs/admin/events.php
index 92ff5c7631a..931cefb2992 100644
--- a/htdocs/admin/events.php
+++ b/htdocs/admin/events.php
@@ -41,8 +41,8 @@ $optioncss = GETPOST('optioncss', 'aZ'); // Option for the css output (always ''
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
-$sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page < 0 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters
 $offset = $limit * $page;
diff --git a/htdocs/admin/expedition.php b/htdocs/admin/expedition.php
index 1a0be0cb65f..cf01d287d23 100644
--- a/htdocs/admin/expedition.php
+++ b/htdocs/admin/expedition.php
@@ -40,7 +40,7 @@ $langs->loadLangs(array("admin", "sendings", "deliveries", "other")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -73,7 +73,7 @@ if ($action == 'updateMask') } } elseif ($action == 'set_param') { - $freetext = GETPOST('SHIPPING_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('SHIPPING_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "SHIPPING_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); if ($res <= 0) { @@ -296,7 +296,7 @@ $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); diff --git a/htdocs/admin/expedition_extrafields.php b/htdocs/admin/expedition_extrafields.php index e40519f9104..d9bf58027f8 100644 --- a/htdocs/admin/expedition_extrafields.php +++ b/htdocs/admin/expedition_extrafields.php @@ -47,7 +47,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'expedition'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/expeditiondet_extrafields.php b/htdocs/admin/expeditiondet_extrafields.php index 03cd140d0ee..a00816d9d75 100644 --- a/htdocs/admin/expeditiondet_extrafields.php +++ b/htdocs/admin/expeditiondet_extrafields.php 
@@ -48,7 +48,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'expeditiondet'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/expensereport.php b/htdocs/admin/expensereport.php index 596428d4c7f..13b1b0277a6 100644 --- a/htdocs/admin/expensereport.php +++ b/htdocs/admin/expensereport.php @@ -39,7 +39,7 @@ $langs->loadLangs(array('admin', 'errors', 'trips', 'other')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -152,7 +152,7 @@ elseif ($action == 'setdoc') { $db->begin(); - $freetext = GETPOST('EXPENSEREPORT_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('EXPENSEREPORT_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res1 = dolibarr_set_const($db, "EXPENSEREPORT_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); $draft = GETPOST('EXPENSEREPORT_DRAFT_WATERMARK', 'alpha'); @@ -297,7 +297,7 @@ $type = 'expensereport'; $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/expensereport_extrafields.php b/htdocs/admin/expensereport_extrafields.php index bc0f52120fb..ba29df4b766 100644 --- a/htdocs/admin/expensereport_extrafields.php +++ b/htdocs/admin/expensereport_extrafields.php 
@@ -44,7 +44,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'expensereport'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/expensereport_ik.php b/htdocs/admin/expensereport_ik.php index 840cf4d2681..3ff8ad0c4ce 100644 --- a/htdocs/admin/expensereport_ik.php +++ b/htdocs/admin/expensereport_ik.php @@ -37,7 +37,7 @@ if (!$user->admin) accessforbidden(); $error = 0; -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $id = GETPOST('id', 'int'); $ikoffset = GETPOST('ikoffset', 'int'); $coef = GETPOST('coef', 'int'); diff --git a/htdocs/admin/expensereport_rules.php b/htdocs/admin/expensereport_rules.php index 28d5b3341b1..6d08355b815 100644 --- a/htdocs/admin/expensereport_rules.php +++ b/htdocs/admin/expensereport_rules.php @@ -40,7 +40,7 @@ if (!$user->admin) accessforbidden(); $error = false; $message = false; -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $id = GETPOST('id', 'int'); $apply_to = GETPOST('apply_to'); diff --git a/htdocs/admin/export.php b/htdocs/admin/export.php index ef6a7c3108f..d066197b580 100644 --- a/htdocs/admin/export.php +++ b/htdocs/admin/export.php @@ -37,7 +37,7 @@ $langs->loadLangs(array('admin', 'exports', 'other')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); /* @@ -90,7 +90,7 @@ print ''; print ''.$langs->trans("EXPORTS_SHARE_MODELS").''; print ' '; print ''; -echo ajax_constantonoff('EXPORTS_SHARE_MODELS'); +print ajax_constantonoff('EXPORTS_SHARE_MODELS'); print ''; print ''; diff --git a/htdocs/admin/external_rss.php b/htdocs/admin/external_rss.php index 3d81ab01c43..7f5bcde4b3d 100644 
--- a/htdocs/admin/external_rss.php +++ b/htdocs/admin/external_rss.php @@ -80,8 +80,8 @@ if ($action == 'add' || GETPOST("modify")) { // Supprime boite box_external_rss de definition des boites /* $sql = "UPDATE ".MAIN_DB_PREFIX."boxes_def"; - $sql.= " SET name = '".$boxlabel."'"; - $sql.= " WHERE file ='box_external_rss.php' AND note like '".$_POST["norss"]." %'"; + $sql.= " SET name = '".$db->escape($boxlabel)."'"; + $sql.= " WHERE file ='box_external_rss.php' AND note like '".$db->escape($_POST["norss"])." %'"; $resql=$db->query($sql); if (! $resql) diff --git a/htdocs/admin/facture.php b/htdocs/admin/facture.php index 221244bfb9d..fe84cf12478 100644 --- a/htdocs/admin/facture.php +++ b/htdocs/admin/facture.php @@ -38,7 +38,7 @@ $langs->loadLangs(array('admin', 'errors', 'other', 'bills')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -180,7 +180,7 @@ elseif ($action == 'setdoc') } } elseif ($action == 'set_INVOICE_FREE_TEXT') { - $freetext = GETPOST('INVOICE_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('INVOICE_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "INVOICE_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); @@ -421,7 +421,7 @@ $type = 'invoice'; $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/facture_situation.php b/htdocs/admin/facture_situation.php index 68f8e15e81c..61969651634 100644 --- a/htdocs/admin/facture_situation.php +++ b/htdocs/admin/facture_situation.php 
@@ -38,7 +38,7 @@ $langs->loadLangs(array('admin', 'errors', 'other', 'bills')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); diff --git a/htdocs/admin/fckeditor.php b/htdocs/admin/fckeditor.php index e98d02d9f9c..4c1e495939a 100644 --- a/htdocs/admin/fckeditor.php +++ b/htdocs/admin/fckeditor.php @@ -32,7 +32,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php'; // Load translation files required by the page $langs->loadLangs(array('admin', 'fckeditor')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Possible modes are: // dolibarr_details // dolibarr_notes diff --git a/htdocs/admin/fichinter.php b/htdocs/admin/fichinter.php index c28ebcab4b2..df97e9875a0 100644 --- a/htdocs/admin/fichinter.php +++ b/htdocs/admin/fichinter.php @@ -39,7 +39,7 @@ $langs->loadLangs(array('admin', 'errors', 'interventions', 'other')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -144,7 +144,7 @@ elseif ($action == 'setdoc') dolibarr_set_const($db, "FICHEINTER_ADDON", $value, 'chaine', 0, '', $conf->entity); } elseif ($action == 'set_FICHINTER_FREE_TEXT') { - $freetext = GETPOST('FICHINTER_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('FICHINTER_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "FICHINTER_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); if (!$res > 0) $error++; 
@@ -349,7 +349,7 @@ $type = 'ficheinter'; $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/holiday.php b/htdocs/admin/holiday.php index 3886f85d330..bac8e99e70f 100644 --- a/htdocs/admin/holiday.php +++ b/htdocs/admin/holiday.php @@ -35,7 +35,7 @@ $langs->loadLangs(array("admin", "errors", "holiday")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -145,7 +145,7 @@ elseif ($action == 'setdoc') dolibarr_set_const($db, "HOLIDAY_ADDON", $value, 'chaine', 0, '', $conf->entity); } elseif ($action == 'set_other') { - $freetext = GETPOST('HOLIDAY_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('HOLIDAY_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res1 = dolibarr_set_const($db, "HOLIDAY_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); $draft = GETPOST('HOLIDAY_DRAFT_WATERMARK', 'alpha'); @@ -299,7 +299,7 @@ print load_fiche_titre($langs->trans("TemplatePDFHolidays"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/holiday_extrafields.php b/htdocs/admin/holiday_extrafields.php index fc0bac8a019..30eb707782b 100644 --- a/htdocs/admin/holiday_extrafields.php +++ b/htdocs/admin/holiday_extrafields.php 
@@ -44,7 +44,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'holiday'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/ihm.php b/htdocs/admin/ihm.php index 85e36dbecb1..f220d83ebcd 100644 --- a/htdocs/admin/ihm.php +++ b/htdocs/admin/ihm.php @@ -164,8 +164,8 @@ if ($action == 'update') dolibarr_set_const($db, "MAIN_FIRSTNAME_NAME_POSITION", GETPOST("MAIN_FIRSTNAME_NAME_POSITION", 'aZ09'), 'chaine', 0, '', $conf->entity); - dolibarr_set_const($db, "MAIN_MOTD", dol_htmlcleanlastbr(GETPOST("main_motd", 'none')), 'chaine', 0, '', $conf->entity); - dolibarr_set_const($db, "MAIN_HOME", dol_htmlcleanlastbr(GETPOST("main_home", 'none')), 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_MOTD", dol_htmlcleanlastbr(GETPOST("main_motd", 'restricthtml')), 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_HOME", dol_htmlcleanlastbr(GETPOST("main_home", 'restricthtml')), 'chaine', 0, '', $conf->entity); //dolibarr_set_const($db, "MAIN_BUGTRACK_ENABLELINK", GETPOST('MAIN_BUGTRACK_ENABLELINK', 'aZ09'), 'chaine', 0, '', $conf->entity); //dolibarr_set_const($db, "MAIN_HELP_DISABLELINK", GETPOST("MAIN_HELP_DISABLELINK", 'aZ09'), 'chaine', 0, '', 0); // Param for all entities diff --git a/htdocs/admin/import.php b/htdocs/admin/import.php index 37c9b205424..d36ffd5265f 100644 --- a/htdocs/admin/import.php +++ b/htdocs/admin/import.php @@ -38,7 +38,7 @@ $langs->loadLangs(array('admin', 'exports', 'other')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); /* diff --git a/htdocs/admin/limits.php b/htdocs/admin/limits.php index caf2192a9a3..db29deef9d7 100644 
--- a/htdocs/admin/limits.php +++ b/htdocs/admin/limits.php @@ -31,7 +31,7 @@ $langs->loadLangs(array('companies', 'products', 'admin')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $currencycode = GETPOST('currencycode', 'alpha'); if (!empty($conf->multicurrency->enabled) && !empty($conf->global->MULTICURRENCY_USE_LIMIT_BY_CURRENCY)) { @@ -243,7 +243,7 @@ if (empty($mysoc->country_code)) $sql = "SELECT taux as vat_rate, t.code as vat_code, t.localtax1 as localtax_rate1, t.localtax2 as localtax_rate2"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$mysoc->country_code."' AND (t.taux <> 0 OR t.localtax1 <>0 OR t.localtax2 <>0)"; + $sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$db->escape($mysoc->country_code)."' AND (t.taux <> 0 OR t.localtax1 <>0 OR t.localtax2 <>0)"; $sql .= " ORDER BY t.taux ASC"; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/livraison.php b/htdocs/admin/livraison.php index 5e0c0ce4784..4073b0a59a9 100644 --- a/htdocs/admin/livraison.php +++ b/htdocs/admin/livraison.php @@ -70,7 +70,7 @@ if ($action == 'updateMask') if ($action == 'set_DELIVERY_FREE_TEXT') { - $free = GETPOST('DELIVERY_FREE_TEXT', 'none'); // No alpha here, we want exact string + $free = GETPOST('DELIVERY_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "DELIVERY_FREE_TEXT", $free, 'chaine', 0, '', $conf->entity); if (!$res > 0) $error++; @@ -291,7 +291,7 @@ $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); diff --git a/htdocs/admin/livraison_extrafields.php b/htdocs/admin/livraison_extrafields.php index 3b6d03ac98e..d30635333be 100644 
--- a/htdocs/admin/livraison_extrafields.php +++ b/htdocs/admin/livraison_extrafields.php @@ -47,7 +47,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'livraison'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/livraisondet_extrafields.php b/htdocs/admin/livraisondet_extrafields.php index ebed8de9608..cc9dfa1c49f 100644 --- a/htdocs/admin/livraisondet_extrafields.php +++ b/htdocs/admin/livraisondet_extrafields.php @@ -48,7 +48,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'livraisondet'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/loan.php b/htdocs/admin/loan.php index 651782bb23b..a138d9d0bf2 100644 --- a/htdocs/admin/loan.php +++ b/htdocs/admin/loan.php @@ -35,7 +35,7 @@ $langs->loadLangs(array('admin', 'loan')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Other parameters LOAN_* $list = array( diff --git a/htdocs/admin/mailing.php b/htdocs/admin/mailing.php index 7690ca02afa..30b92412719 100644 --- a/htdocs/admin/mailing.php +++ b/htdocs/admin/mailing.php @@ -32,7 +32,7 @@ $langs->loadLangs(array("admin", "mails")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); diff --git a/htdocs/admin/mails.php b/htdocs/admin/mails.php index 1c3d397bc83..feca9bf582e 100644 --- a/htdocs/admin/mails.php +++ b/htdocs/admin/mails.php 
@@ -30,7 +30,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; // Load translation files required by the page $langs->loadLangs(array("companies", "products", "admin", "mails", "other", "errors")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); if (!$user->admin) accessforbidden(); @@ -77,6 +77,7 @@ if ($action == 'update' && empty($_POST["cancel"])) dolibarr_set_const($db, "MAIN_MAIL_SMTPS_PW", GETPOST("MAIN_MAIL_SMTPS_PW", 'none'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_MAIL_EMAIL_TLS", GETPOST("MAIN_MAIL_EMAIL_TLS", 'int'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_MAIL_EMAIL_STARTTLS", GETPOST("MAIN_MAIL_EMAIL_STARTTLS", 'int'), 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED", GETPOST("MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED", 'int'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_MAIL_EMAIL_DKIM_ENABLED", GETPOST("MAIN_MAIL_EMAIL_DKIM_ENABLED", 'int'), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_MAIL_EMAIL_DKIM_DOMAIN", GETPOST("MAIN_MAIL_EMAIL_DKIM_DOMAIN", 'alphanohtml'), 'chaine', 0, '', $conf->entity); @@ -156,6 +157,8 @@ if ($action == 'edit') jQuery("#MAIN_MAIL_EMAIL_TLS").prop("disabled", true); jQuery("#MAIN_MAIL_EMAIL_STARTTLS").val(0); jQuery("#MAIN_MAIL_EMAIL_STARTTLS").prop("disabled", true); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").val(0); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").prop("disabled", true); jQuery("#MAIN_MAIL_EMAIL_DKIM_ENABLED").val(0); jQuery("#MAIN_MAIL_EMAIL_DKIM_ENABLED").prop("disabled", true); jQuery("#MAIN_MAIL_EMAIL_DKIM_DOMAIN").prop("disabled", true); 
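Review bot: The new `MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED` line in the `update` branch stores the submitted value regardless of what `MAIN_MAIL_EMAIL_TLS` and `MAIN_MAIL_EMAIL_STARTTLS` were set to, so a stale `1` can outlive a TLS downgrade and silently apply again once TLS is re-enabled; the only reset is the JavaScript `change` handler later in this file, which a hand-crafted POST bypasses. Coerce it server-side, e.g. `$allowselfsigned = (GETPOST("MAIN_MAIL_EMAIL_TLS", 'int') || GETPOST("MAIN_MAIL_EMAIL_STARTTLS", 'int')) ? GETPOST("MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED", 'int') : 0;` and pass `$allowselfsigned` to `dolibarr_set_const`. If the option does what its name suggests (skipping certificate verification on the SMTP connection), a one-line comment saying that it is a deliberate, MITM-exposing downgrade would also help the next maintainer. The enclosing `if ($action == 'update' ...)` block starts and ends outside the hunk.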
@@ -187,6 +190,8 @@ if ($action == 'edit') jQuery("#MAIN_MAIL_EMAIL_TLS").removeAttr("disabled"); jQuery("#MAIN_MAIL_EMAIL_STARTTLS").val('.$conf->global->MAIN_MAIL_EMAIL_STARTTLS.'); jQuery("#MAIN_MAIL_EMAIL_STARTTLS").removeAttr("disabled"); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").val('.$conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED.'); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").removeAttr("disabled"); jQuery("#MAIN_MAIL_EMAIL_DKIM_ENABLED").val(0); jQuery("#MAIN_MAIL_EMAIL_DKIM_ENABLED").prop("disabled", true); jQuery("#MAIN_MAIL_EMAIL_DKIM_DOMAIN").prop("disabled", true); @@ -211,6 +216,8 @@ if ($action == 'edit') jQuery("#MAIN_MAIL_EMAIL_TLS").removeAttr("disabled"); jQuery("#MAIN_MAIL_EMAIL_STARTTLS").val('.$conf->global->MAIN_MAIL_EMAIL_STARTTLS.'); jQuery("#MAIN_MAIL_EMAIL_STARTTLS").removeAttr("disabled"); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").val('.$conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED.'); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").removeAttr("disabled"); jQuery("#MAIN_MAIL_EMAIL_DKIM_ENABLED").val('.$conf->global->MAIN_MAIL_EMAIL_DKIM_ENABLED.'); jQuery("#MAIN_MAIL_EMAIL_DKIM_ENABLED").removeAttr("disabled"); jQuery("#MAIN_MAIL_EMAIL_DKIM_DOMAIN").removeAttr("disabled"); @@ -233,12 +240,16 @@ if ($action == 'edit') initfields(); }); jQuery("#MAIN_MAIL_EMAIL_TLS").change(function() { - if (jQuery("#MAIN_MAIL_EMAIL_STARTTLS").val() == 1) + if (jQuery("#MAIN_MAIL_EMAIL_TLS").val() == 1) jQuery("#MAIN_MAIL_EMAIL_STARTTLS").val(0); + else + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").val(0); }); jQuery("#MAIN_MAIL_EMAIL_STARTTLS").change(function() { - if (jQuery("#MAIN_MAIL_EMAIL_TLS").val() == 1) + if (jQuery("#MAIN_MAIL_EMAIL_STARTTLS").val() == 1) jQuery("#MAIN_MAIL_EMAIL_TLS").val(0); + else + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").val(0); }); })'; print ''."\n"; 
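Review bot: In the `#MAIN_MAIL_EMAIL_TLS` change handler, the new `else` branch zeroes `MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED` whenever TLS is set to anything other than 1, even when STARTTLS is still 1 and the self-signed setting is therefore still in use; the `#MAIN_MAIL_EMAIL_STARTTLS` handler has the mirror-image problem. Guard on the other mode instead: `else if (jQuery("#MAIN_MAIL_EMAIL_STARTTLS").val() != 1) jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").val(0);` and the counterpart in the STARTTLS handler. The fix to the conditions themselves (each handler now checks its own select rather than the other one) looks right. This is UI convenience only; the submitted value still has to be validated where the constant is saved.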
@@ -406,6 +417,17 @@ if ($action == 'edit') } else print yn(0).' ('.$langs->trans("NotSupported").')'; print ''; + // SMTP_ALLOW_SELF_SIGNED + print ''.$langs->trans("MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").''; + if (!empty($conf->use_javascript_ajax) || (isset($conf->global->MAIN_MAIL_SENDMODE) && in_array($conf->global->MAIN_MAIL_SENDMODE, array('smtps', 'swiftmailer')))) + { + if (function_exists('openssl_open')) + { + print $form->selectyesno('MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED', (!empty($conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED) ? $conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED : 0), 1); + } else print yn(0).' ('.$langs->trans("YourPHPDoesNotHaveSSLSupport").')'; + } else print yn(0).' ('.$langs->trans("NotSupported").')'; + print ''; + // DKIM print ''.$langs->trans("MAIN_MAIL_EMAIL_DKIM_ENABLED").''; if (!empty($conf->use_javascript_ajax) || (isset($conf->global->MAIN_MAIL_SENDMODE) && in_array($conf->global->MAIN_MAIL_SENDMODE, array('swiftmailer')))) @@ -571,6 +593,17 @@ if ($action == 'edit') } else print ''.yn(0).' ('.$langs->trans("NotSupported").')'; print ''; + // SMTP_ALLOW_SELF_SIGNED + print ''.$langs->trans("MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").''; + if (isset($conf->global->MAIN_MAIL_SENDMODE) && in_array($conf->global->MAIN_MAIL_SENDMODE, array('smtps', 'swiftmailer'))) + { + if (function_exists('openssl_open')) + { + print yn($conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED); + } else print yn(0).' ('.$langs->trans("YourPHPDoesNotHaveSSLSupport").')'; + } else print ''.yn(0).' ('.$langs->trans("NotSupported").')'; + print ''; + if ($conf->global->MAIN_MAIL_SENDMODE == 'swiftmailer') { diff --git a/htdocs/admin/mails_emailing.php b/htdocs/admin/mails_emailing.php index d841dcf0827..b97437216d6 100644 --- a/htdocs/admin/mails_emailing.php +++ b/htdocs/admin/mails_emailing.php 
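Review bot: The new SMTP_ALLOW_SELF_SIGNED row in the edit form offers the yes/no selector with no explanation of its consequence; an administrator who turns it on because a test mail failed will, if the option does what its name says, disable certificate verification on the SMTP connection and expose the SMTP credentials this page stores to an active attacker on the path to the mail server. Add a help text next to the selector (the same tooltip mechanism the other rows of this form use, if any) with a lang string along the lines of "Accepts an unverified server certificate; only use on a trusted network, prefer installing the server's CA certificate". The read-only row in the second hunk of this file section also calls `yn($conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED)` without the `!empty(...)` guard the edit row uses, which presumably emits a notice on installations where the option was never saved. I cannot see the sending code, so confirm what the flag actually relaxes before wording the warning.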
@@ -30,7 +30,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; // Load translation files required by the page $langs->loadLangs(array('companies', 'products', 'admin', 'mails', 'other', 'errors')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); if (!$user->admin) accessforbidden(); @@ -68,6 +68,7 @@ if ($action == 'update' && empty($_POST["cancel"])) dolibarr_set_const($db, "MAIN_MAIL_SMTPS_PW_EMAILING", GETPOST("MAIN_MAIL_SMTPS_PW_EMAILING"), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_MAIL_EMAIL_TLS_EMAILING", GETPOST("MAIN_MAIL_EMAIL_TLS_EMAILING"), 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "MAIN_MAIL_EMAIL_STARTTLS_EMAILING", GETPOST("MAIN_MAIL_EMAIL_STARTTLS_EMAILING"), 'chaine', 0, '', $conf->entity); + dolibarr_set_const($db, "MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING", GETPOST("MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING"), 'chaine', 0, '', $conf->entity); header("Location: ".$_SERVER["PHP_SELF"]."?mainmenu=home&leftmenu=setup"); exit; @@ -147,6 +148,8 @@ if ($action == 'edit') jQuery("#MAIN_MAIL_EMAIL_TLS_EMAILING").prop("disabled", true); jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").val(0); jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").prop("disabled", true); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").val(0); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").prop("disabled", true); '; if ($linuxlike) { 
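Review bot: The new `MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING` line in the `update` branch reads the value with a bare `GETPOST(...)` and no filter, whereas the equivalent line added to mails.php in this same commit uses `'int'`; an arbitrary string therefore lands in a constant that the edit-mode script of this file later interpolates unquoted into inline JavaScript (`.val('.$conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING.')`). Use `GETPOST("MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING", 'int')`. The neighbouring TLS/STARTTLS lines have the same omission but are not touched by this commit. The enclosing `update` block starts outside the hunk.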
@@ -173,6 +176,8 @@ if ($action == 'edit') jQuery("#MAIN_MAIL_EMAIL_TLS_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").val('.$conf->global->MAIN_MAIL_EMAIL_STARTTLS_EMAILING.'); jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").removeAttr("disabled"); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").val('.$conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING.'); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_SMTP_SERVER_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_SMTP_PORT_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_SMTP_SERVER_EMAILING").show(); @@ -187,6 +192,8 @@ if ($action == 'edit') jQuery("#MAIN_MAIL_EMAIL_TLS_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").val('.$conf->global->MAIN_MAIL_EMAIL_STARTTLS_EMAILING.'); jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").removeAttr("disabled"); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").val('.$conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING.'); + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_SMTP_SERVER_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_SMTP_PORT_EMAILING").removeAttr("disabled"); jQuery("#MAIN_MAIL_SMTP_SERVER_EMAILING").show(); 
@@ -199,13 +206,17 @@ if ($action == 'edit') jQuery("#MAIN_MAIL_SENDMODE_EMAILING").change(function() { initfields(); }); - jQuery("#MAIN_MAIL_EMAIL_TLS").change(function() { - if (jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").val() == 1) + jQuery("#MAIN_MAIL_EMAIL_TLS_EMAILING").change(function() { + if (jQuery("#MAIN_MAIL_EMAIL_TLS_EMAILING").val() == 1) jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").val(0); + else + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").val(0); }); jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").change(function() { - if (jQuery("#MAIN_MAIL_EMAIL_TLS_EMAILING").val() == 1) + if (jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").val() == 1) jQuery("#MAIN_MAIL_EMAIL_TLS_EMAILING").val(0); + else + jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").val(0); }); })'; print ''."\n"; @@ -359,6 +370,18 @@ if ($action == 'edit') } else print yn(0).' ('.$langs->trans("NotSupported").')'; print ''; + // SMTP_ALLOW_SELF_SIGNED_EMAILING + + print ''.$langs->trans("MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").''; + if (!empty($conf->use_javascript_ajax) || (isset($conf->global->MAIN_MAIL_SENDMODE_EMAILING) && in_array($conf->global->MAIN_MAIL_SENDMODE_EMAILING, array('smtps', 'swiftmailer')))) + { + if (function_exists('openssl_open')) + { + print $form->selectyesno('MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING', (!empty($conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING) ? $conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING : 0), 1); + } else print yn(0).' ('.$langs->trans("YourPHPDoesNotHaveSSLSupport").')'; + } else print yn(0).' ('.$langs->trans("NotSupported").')'; + print ''; + print ''; dol_fiche_end(); 
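Review bot: The rebound `#MAIN_MAIL_EMAIL_TLS_EMAILING` handler (the previous binding to `#MAIN_MAIL_EMAIL_TLS` presumably never fired on this page, so the rename is right) now zeroes `MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING` in its `else` branch even when `MAIN_MAIL_EMAIL_STARTTLS_EMAILING` is still 1, and the STARTTLS handler does the same in reverse, so switching one mode off while the other stays on drops a setting that still applies. Use `else if (jQuery("#MAIN_MAIL_EMAIL_STARTTLS_EMAILING").val() != 1) jQuery("#MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING").val(0);` and the mirror condition in the STARTTLS handler. A short comment above the two handlers stating the invariant (TLS and STARTTLS are mutually exclusive; self-signed only meaningful when one of them is on) would make the intent clear.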
@@ -437,6 +460,17 @@ if ($action == 'edit') } else print yn(0).' ('.$langs->trans("YourPHPDoesNotHaveSSLSupport").')'; } else print yn(0).' ('.$langs->trans("NotSupported").')'; print ''; + + // SMTP_ALLOW_SELF_SIGNED_EMAILING + print ''.$langs->trans("MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED").''; + if (isset($conf->global->MAIN_MAIL_SENDMODE_EMAILING) && in_array($conf->global->MAIN_MAIL_SENDMODE_EMAILING, array('smtps', 'swiftmailer'))) + { + if (function_exists('openssl_open')) + { + print yn($conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING); + } else print yn(0).' ('.$langs->trans("YourPHPDoesNotHaveSSLSupport").')'; + } else print yn(0).' ('.$langs->trans("NotSupported").')'; + print ''; } print ''; diff --git a/htdocs/admin/mails_senderprofile_list.php b/htdocs/admin/mails_senderprofile_list.php index 2de3c436826..9a1a696e034 100644 --- a/htdocs/admin/mails_senderprofile_list.php +++ b/htdocs/admin/mails_senderprofile_list.php @@ -47,8 +47,8 @@ $rowid = GETPOST('rowid', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action $offset = $limit * $page; diff --git a/htdocs/admin/mails_templates.php b/htdocs/admin/mails_templates.php index ea36b25e3ce..610dd9c1ef2 100644 --- a/htdocs/admin/mails_templates.php +++ b/htdocs/admin/mails_templates.php 
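Review bot: `print yn($conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING);` in the new read-only row reads the constant without an `isset`/`empty` guard, unlike the edit-mode row earlier in this file which uses `!empty(...) ? ... : 0`; on an installation where the option has never been saved this presumably raises an undefined-property notice. Use `print yn(empty($conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING) ? 0 : $conf->global->MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_EMAILING);`. The enclosing `else` branch of the edit/view switch starts outside the hunk.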
@@ -284,7 +284,6 @@ if (empty($reshook)) } else { $sql .= "'".$db->escape(GETPOST($keycode, 'nohtml'))."'"; } - $i++; } $sql .= ", 1)"; @@ -341,7 +340,8 @@ if (empty($reshook)) $i++; } - $sql .= " WHERE ".$rowidcol." = '".$rowid."'"; + + $sql .= " WHERE ".$rowidcol." = ".((int) $rowid); //print $sql;exit; dol_syslog("actionmodify", LOG_DEBUG); //print $sql; @@ -359,7 +359,7 @@ if (empty($reshook)) { $rowidcol = "rowid"; - $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol."='".$rowid."'"; + $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol."=".((int) $rowid); dol_syslog("delete", LOG_DEBUG); $result = $db->query($sql); @@ -379,7 +379,7 @@ if (empty($reshook)) { $rowidcol = "rowid"; - $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."=".((int) $rowid); $result = $db->query($sql); if (!$result) @@ -393,7 +393,7 @@ if (empty($reshook)) { $rowidcol = "rowid"; - $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."=".((int) $rowid); $result = $db->query($sql); if (!$result) @@ -443,7 +443,7 @@ if (!$user->admin) } if (empty($conf->global->MAIN_MULTILANGS)) { - $sql .= " AND (lang = '".$langs->defaultlang."' OR lang IS NULL OR lang = '')"; + $sql .= " AND (lang = '".$db->escape($langs->defaultlang)."' OR lang IS NULL OR lang = '')"; } if ($search_label) $sql .= natural_search('label', $search_label); if ($search_type_template != '' && $search_type_template != '-1') $sql .= natural_search('type_template', $search_type_template); diff --git a/htdocs/admin/mails_ticket.php b/htdocs/admin/mails_ticket.php index a11859efc89..39e159535ba 100644 --- a/htdocs/admin/mails_ticket.php +++ b/htdocs/admin/mails_ticket.php 
@@ -30,7 +30,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; // Load translation files required by the page $langs->loadLangs(array('companies', 'products', 'admin', 'mails', 'other', 'errors')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); if (!$user->admin) accessforbidden(); diff --git a/htdocs/admin/menus/edit.php b/htdocs/admin/menus/edit.php index 04c1b79a5bc..31e0f896633 100644 --- a/htdocs/admin/menus/edit.php +++ b/htdocs/admin/menus/edit.php @@ -31,7 +31,8 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/menubase.class.php'; // Load translation files required by the page $langs->loadLangs(array("other", "admin")); -$cancel = GETPOST('cancel', 'alpha'); // We click on a Cancel button +$cancel = GETPOST('cancel', 'alphanohtml'); // We click on a Cancel button +$confirm = GETPOST('confirm'); if (!$user->admin) accessforbidden(); @@ -69,9 +70,9 @@ if ($action == 'update') if (!$cancel) { $leftmenu = ''; $mainmenu = ''; - if (GETPOST('menuIdParent', 'alpha') && !is_numeric(GETPOST('menuIdParent', 'alpha'))) + if (GETPOST('menuIdParent', 'alphanohtml') && !is_numeric(GETPOST('menuIdParent', 'alphanohtml'))) { - $tmp = explode('&', GETPOST('menuIdParent', 'alpha')); + $tmp = explode('&', GETPOST('menuIdParent', 'alphanohtml')); foreach ($tmp as $s) { if (preg_match('/fk_mainmenu=/', $s)) 
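Review bot: The new `$confirm = GETPOST('confirm');` in menus/edit.php carries no filter, while the `$cancel` line just above it was tightened to `'alphanohtml'` in the same hunk and every other input in this file names one; use `GETPOST('confirm', 'alpha')`. The value is only ever compared with `'yes'` in the delete branch, so nothing is exploitable, but an unfiltered GETPOST in a file this commit is otherwise hardening reads as an oversight.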
@@ -89,21 +90,21 @@ if ($action == 'update') $result = $menu->fetch(GETPOST('menuId', 'int')); if ($result > 0) { - $menu->title = GETPOST('titre', 'alpha'); + $menu->title = GETPOST('titre', 'alphanohtml'); $menu->leftmenu = GETPOST('leftmenu', 'aZ09'); - $menu->url = GETPOST('url', 'alpha'); - $menu->langs = GETPOST('langs', 'alpha'); + $menu->url = GETPOST('url', 'alphanohtml'); + $menu->langs = GETPOST('langs', 'alphanohtml'); $menu->position = GETPOST('position', 'int'); - $menu->enabled = GETPOST('enabled', 'alpha'); - $menu->perms = GETPOST('perms', 'alpha'); - $menu->target = GETPOST('target', 'alpha'); - $menu->user = GETPOST('user', 'alpha'); - $menu->mainmenu = GETPOST('propertymainmenu', 'alpha'); - if (is_numeric(GETPOST('menuIdParent', 'alpha'))) + $menu->enabled = GETPOST('enabled', 'alphanohtml'); + $menu->perms = GETPOST('perms', 'alphanohtml'); + $menu->target = GETPOST('target', 'alphanohtml'); + $menu->user = GETPOST('user', 'alphanohtml'); + $menu->mainmenu = GETPOST('propertymainmenu', 'alphanohtml'); + if (is_numeric(GETPOST('menuIdParent', 'alphanohtml'))) { - $menu->fk_menu = GETPOST('menuIdParent', 'alpha'); + $menu->fk_menu = GETPOST('menuIdParent', 'alphanohtml'); } else { - if (GETPOST('type', 'alpha') == 'top') $menu->fk_menu = 0; + if (GETPOST('type', 'alphanohtml') == 'top') $menu->fk_menu = 0; else $menu->fk_menu = -1; $menu->fk_mainmenu = $mainmenu; $menu->fk_leftmenu = $leftmenu; @@ -138,9 +139,9 @@ if ($action == 'add') } $leftmenu = ''; $mainmenu = ''; - if (GETPOST('menuId', 'alpha', 3) && !is_numeric(GETPOST('menuId', 'alpha', 3))) + if (GETPOST('menuId', 'alphanohtml', 3) && !is_numeric(GETPOST('menuId', 'alphanohtml', 3))) { - $tmp = explode('&', GETPOST('menuId', 'alpha', 3)); + $tmp = explode('&', GETPOST('menuId', 'alphanohtml', 3)); foreach ($tmp as $s) { if (preg_match('/fk_mainmenu=/', $s)) 
@@ -198,21 +199,21 @@ if ($action == 'add') { $menu = new Menubase($db); $menu->menu_handler = preg_replace('/_menu$/', '', GETPOST('menu_handler', 'aZ09')); - $menu->type = GETPOST('type', 'alpha'); - $menu->title = GETPOST('titre', 'alpha'); - $menu->url = GETPOST('url', 'alpha'); - $menu->langs = GETPOST('langs', 'alpha'); + $menu->type = GETPOST('type', 'alphanohtml'); + $menu->title = GETPOST('titre', 'alphanohtml'); + $menu->url = GETPOST('url', 'alphanohtml'); + $menu->langs = GETPOST('langs', 'alphanohtml'); $menu->position = GETPOST('position', 'int'); - $menu->enabled = GETPOST('enabled', 'alpha'); - $menu->perms = GETPOST('perms', 'alpha'); - $menu->target = GETPOST('target', 'alpha'); - $menu->user = GETPOST('user', 'alpha'); - $menu->mainmenu = GETPOST('propertymainmenu', 'alpha'); - if (is_numeric(GETPOST('menuId', 'alpha', 3))) + $menu->enabled = GETPOST('enabled', 'alphanohtml'); + $menu->perms = GETPOST('perms', 'alphanohtml'); + $menu->target = GETPOST('target', 'alphanohtml'); + $menu->user = GETPOST('user', 'alphanohtml'); + $menu->mainmenu = GETPOST('propertymainmenu', 'alphanohtml'); + if (is_numeric(GETPOST('menuId', 'alphanohtml', 3))) { - $menu->fk_menu = GETPOST('menuId', 'alpha', 3); + $menu->fk_menu = GETPOST('menuId', 'alphanohtml', 3); } else { - if (GETPOST('type', 'alpha') == 'top') $menu->fk_menu = 0; + if (GETPOST('type', 'alphanohtml') == 'top') $menu->fk_menu = 0; else $menu->fk_menu = -1; $menu->fk_mainmenu = $mainmenu; $menu->fk_leftmenu = $leftmenu; 
@@ -231,26 +232,27 @@ if ($action == 'add') } // delete -if ($action == 'confirm_delete' && $_POST["confirm"] == 'yes') +if ($action == 'confirm_delete' && $confirm == 'yes') { - $this->db->begin(); + $db->begin(); $sql = "DELETE FROM ".MAIN_DB_PREFIX."menu WHERE rowid = ".GETPOST('menuId', 'int'); $result = $db->query($sql); if ($result == 0) { - $this->db->commit(); + $db->commit(); llxHeader(); setEventMessages($langs->trans("MenuDeleted"), null, 'mesgs'); llxFooter(); exit; } else { - $this->db->rollback(); + $db->rollback(); $reload = 0; $_GET["action"] = ''; + $action = ''; } } @@ -353,7 +355,7 @@ if ($action == 'create') // Mainmenu code print ''.$langs->trans('MainMenuCode').''; - print ''; + print ''; print ''; print $langs->trans("Example").': mytopmenukey'; print ''; @@ -364,23 +366,23 @@ if ($action == 'create') { print ''.$parent_rowid.''; } else { - print ''; + print ''; } print ''.$langs->trans('DetailMenuIdParent'); print ', '.$langs->trans("Example").': fk_mainmenu=abc&fk_leftmenu=def'; print ''; // Title - print ''.$langs->trans('Title').''.$langs->trans('DetailTitre').''; + print ''.$langs->trans('Title').''.$langs->trans('DetailTitre').''; // URL - print ''.$langs->trans('URL').''.$langs->trans('DetailUrl').''; + print ''.$langs->trans('URL').''.$langs->trans('DetailUrl').''; // Langs print ''.$langs->trans('LangFile').''.$langs->trans('DetailLangs').''; // Position - print ''.$langs->trans('Position').''.$langs->trans('DetailPosition').''; + print ''.$langs->trans('Position').''.$langs->trans('DetailPosition').''; // Target print ''.$langs->trans('Target').''.$langs->trans('DetailTarget').''; // Enabled - print ''.$langs->trans('Enabled').''.$langs->trans('DetailEnabled').''; + print ''.$langs->trans('Enabled').''.$langs->trans('DetailEnabled').''; // Perms - print ''.$langs->trans('Rights').''.$langs->trans('DetailRight').''; + print ''.$langs->trans('Rights').''.$langs->trans('DetailRight').''; print ''; 
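Review bot: The success test in the delete block, `if ($result == 0)`, looks inverted now that `$db->begin()` makes this path reachable: the other hunks in this diff test the return of `$db->query()` with `if ($resql)`, i.e. a truthy value on success and false on failure, and under that contract a false return compares equal to 0 and lands in the commit branch, while a successful DELETE falls into `$db->rollback()`. Unless DoliDB::query returns 0 on success for this driver (not visible from here), the branches should read `if ($result) { $db->commit(); ... } else { $db->rollback(); ... }`. The previous `$this->db` would have fatal-errored outside an object, so this commit is the first time the branch logic actually executes and it deserves a manual test of menu deletion.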
@@ -454,7 +456,7 @@ if ($action == 'create') } else {*/ - print 'mainmenu).'">'; + print 'mainmenu).'">'; //} print ''; print $langs->trans("Example").': mytopmenukey'; diff --git a/htdocs/admin/menus/index.php b/htdocs/admin/menus/index.php index 095905afe8b..101e57970c0 100644 --- a/htdocs/admin/menus/index.php +++ b/htdocs/admin/menus/index.php @@ -42,7 +42,7 @@ foreach ($dirmenus as $dirmenu) $dirsmartphone[] = $dirmenu.'smartphone'; } -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $menu_handler_top = $conf->global->MAIN_MENU_STANDARD; diff --git a/htdocs/admin/menus/other.php b/htdocs/admin/menus/other.php index 2fad8491e7a..cd8c7cccfa6 100644 --- a/htdocs/admin/menus/other.php +++ b/htdocs/admin/menus/other.php @@ -29,7 +29,7 @@ $langs->loadLangs(array("user", "other", "admin")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); /* diff --git a/htdocs/admin/modulehelp.php b/htdocs/admin/modulehelp.php index 2e256f3c5ad..c788eca01d3 100644 --- a/htdocs/admin/modulehelp.php +++ b/htdocs/admin/modulehelp.php @@ -34,7 +34,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php'; $langs->loadLangs(array('errors', 'admin', 'modulebuilder')); $mode = GETPOST('mode', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $id = GETPOST('id', 'int'); if (empty($mode)) $mode = 'desc'; diff --git a/htdocs/admin/modules.php b/htdocs/admin/modules.php index 3c525200442..38cfe37265b 100644 --- a/htdocs/admin/modules.php +++ b/htdocs/admin/modules.php 
@@ -40,7 +40,7 @@ $langs->loadLangs(array("errors", "admin", "modulebuilder")); $mode = GETPOSTISSET('mode') ? GETPOST('mode', 'alpha') : (empty($conf->global->MAIN_MODULE_SETUP_ON_LIST_BY_DEFAULT) ? 'commonkanban' : 'common'); if (empty($mode)) $mode = 'common'; -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); //var_dump($_POST);exit; $value = GETPOST('value', 'alpha'); $page_y = GETPOST('page_y', 'int'); diff --git a/htdocs/admin/mrp.php b/htdocs/admin/mrp.php index 2ea4853e3ca..10e992c7ac2 100644 --- a/htdocs/admin/mrp.php +++ b/htdocs/admin/mrp.php @@ -33,7 +33,7 @@ $langs->loadLangs(array('admin', 'errors', 'mrp', 'other')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -152,7 +152,7 @@ elseif ($action == 'setdoc') } } elseif ($action == 'set_MRP_MO_FREE_TEXT') { - $freetext = GETPOST("MRP_MO_FREE_TEXT", 'none'); // No alpha here, we want exact string + $freetext = GETPOST("MRP_MO_FREE_TEXT", 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "MRP_MO_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); @@ -293,7 +293,7 @@ print load_fiche_titre($langs->trans("MOsModelModule"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/mrp_extrafields.php b/htdocs/admin/mrp_extrafields.php index cab7232f569..b0bd0e522ab 100644 --- a/htdocs/admin/mrp_extrafields.php +++ b/htdocs/admin/mrp_extrafields.php 
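Review bot: The trailing comment `// No alpha here, we want exact string` on the new `$freetext = GETPOST("MRP_MO_FREE_TEXT", 'restricthtml');` line in htdocs/admin/mrp.php is now wrong: 'restricthtml' is an HTML filter, not a pass-through, so the stored value can differ from what was typed. The same stale comment survives on the equivalent lines changed in htdocs/admin/payment.php, propal.php, reception_setup.php, supplier_invoice.php, supplier_order.php and supplier_proposal.php, whereas htdocs/admin/security_file.php in this same diff did update its comment. Suggested wording for all of them: `// 'restricthtml' rather than 'alpha': free text is accepted but HTML is filtered before storage`.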
@@ -41,7 +41,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'mrp_mo'; diff --git a/htdocs/admin/multicurrency.php b/htdocs/admin/multicurrency.php index a7e073f08d2..a447551b04e 100644 --- a/htdocs/admin/multicurrency.php +++ b/htdocs/admin/multicurrency.php @@ -38,7 +38,7 @@ if (!$user->admin) { } // Parameters -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); /* diff --git a/htdocs/admin/notification.php b/htdocs/admin/notification.php index a32cd0fa1f5..b484e7acea9 100644 --- a/htdocs/admin/notification.php +++ b/htdocs/admin/notification.php @@ -95,7 +95,7 @@ if ($action == 'setvalue' && $user->admin) { $db->begin(); - $result = dolibarr_set_const($db, "NOTIFICATION_EMAIL_FROM", GETPOST("email_from", "none"), 'chaine', 0, '', $conf->entity); + $result = dolibarr_set_const($db, "NOTIFICATION_EMAIL_FROM", GETPOST("email_from", "restricthtml"), 'chaine', 0, '', $conf->entity); if ($result < 0) $error++; diff --git a/htdocs/admin/oauth.php b/htdocs/admin/oauth.php index 85cd9284535..8b0e9516abd 100644 --- a/htdocs/admin/oauth.php +++ b/htdocs/admin/oauth.php @@ -40,7 +40,7 @@ $langs->loadLangs(array('admin', 'oauth')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); /* diff --git a/htdocs/admin/oauthlogintokens.php b/htdocs/admin/oauthlogintokens.php index a78913b7e16..0f12da3a02a 100644 --- a/htdocs/admin/oauthlogintokens.php +++ b/htdocs/admin/oauthlogintokens.php @@ -1,6 +1,7 @@ * Copyright (C) 2014-2018 Frederic France + * Copyright (C) 2020 Nicolas ZABOURI * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
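Review bot: `GETPOST("email_from", "restricthtml")` in the htdocs/admin/notification.php hunk stores a sender e-mail address through an HTML-preserving filter, although an address never legitimately contains markup and the value presumably ends up in outgoing mail headers. `'alphanohtml'`, the filter the rest of this diff moves to, is the tighter choice for this field, and a syntax check of the address before `dolibarr_set_const` (none is visible in the hunk) would reject a malformed value up front instead of persisting it.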
@@ -33,7 +34,7 @@ $langs->loadLangs(array('admin', 'printing', 'oauth')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $mode = GETPOST('mode', 'alpha'); $value = GETPOST('value', 'alpha'); $varname = GETPOST('varname', 'alpha'); @@ -155,6 +156,9 @@ if ($mode == 'setup' && $user->admin) // List of keys that will be converted into scopes (from constants 'SCOPE_state_in_uppercase' in file of service). // We pass this param list in to 'state' because we need it before and after the redirect. $shortscope = 'userinfo_email,userinfo_profile,cloud_print'; + if (!empty($conf->global->OAUTH_GSUITE)){ + $shortscope .= ',admin_directory_user'; + } //$scope.=',gmail_full'; $urltorenew = $urlwithroot.'/core/modules/oauth/google_oauthcallback.php?shortscope='.$shortscope.'&state='.$shortscope.'&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php'); $urltodelete = $urlwithroot.'/core/modules/oauth/google_oauthcallback.php?action=delete&backtourl='.urlencode(DOL_URL_ROOT.'/admin/oauthlogintokens.php'); diff --git a/htdocs/admin/order_extrafields.php b/htdocs/admin/order_extrafields.php index 2c72c55697f..1b2bb0c0cd0 100644 --- a/htdocs/admin/order_extrafields.php +++ b/htdocs/admin/order_extrafields.php @@ -45,7 +45,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'commande'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/orderdet_extrafields.php b/htdocs/admin/orderdet_extrafields.php index 55732a40a51..1f645241646 100644 --- a/htdocs/admin/orderdet_extrafields.php +++ b/htdocs/admin/orderdet_extrafields.php 
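Review bot: The new block `if (!empty($conf->global->OAUTH_GSUITE)){` in htdocs/admin/oauthlogintokens.php is missing the space before the brace that the surrounding code uses, and the added scope is not explained. Its name suggests it is broader than the default userinfo/cloud_print scopes, so a one-line comment would help the next maintainer, e.g. `// Only request the directory scope when OAUTH_GSUITE is enabled; it is broader than the default scopes`. The `$shortscope` value is also concatenated into the callback URL unencoded a few lines later; the current values are plain identifiers and commas so this works, but it is worth keeping in mind if further scopes are added.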
@@ -46,7 +46,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'commandedet'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/payment.php b/htdocs/admin/payment.php index 85d7e140a6d..926c102c25a 100644 --- a/htdocs/admin/payment.php +++ b/htdocs/admin/payment.php @@ -32,7 +32,7 @@ $langs->loadLangs(array("admin", "other", "errors", "bills")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -68,7 +68,7 @@ if ($action == 'setmod') if ($action == 'setparams') { - $freetext = GETPOST('FACTURE_PAYMENTS_ON_DIFFERENT_THIRDPARTIES_BILLS', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('FACTURE_PAYMENTS_ON_DIFFERENT_THIRDPARTIES_BILLS', 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "FACTURE_PAYMENTS_ON_DIFFERENT_THIRDPARTIES_BILLS", $freetext, 'chaine', 0, '', $conf->entity); if (!$res > 0) $error++; diff --git a/htdocs/admin/paymentbybanktransfer.php b/htdocs/admin/paymentbybanktransfer.php index a19a69c75a5..4056ce238e3 100644 --- a/htdocs/admin/paymentbybanktransfer.php +++ b/htdocs/admin/paymentbybanktransfer.php @@ -36,7 +36,7 @@ $langs->loadLangs(array("admin", "withdrawals")); // Security check if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $type = 'paymentorder'; 
@@ -210,7 +210,7 @@ print load_fiche_titre($langs->trans("OrdersModelModule"),'',''); $def = array(); $sql = "SELECT nom"; $sql.= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql.= " WHERE type = '".$type."'"; +$sql.= " WHERE type = '".$db->escape($type)."'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); if ($resql) diff --git a/htdocs/admin/pdf.php b/htdocs/admin/pdf.php index 6fb1cb297dd..95487fc0bc3 100644 --- a/htdocs/admin/pdf.php +++ b/htdocs/admin/pdf.php @@ -37,7 +37,7 @@ $langs->loadLangs(array('admin', 'languages', 'other', 'companies', 'products', if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); diff --git a/htdocs/admin/prelevement.php b/htdocs/admin/prelevement.php index 3419551f627..24d4a379f83 100644 --- a/htdocs/admin/prelevement.php +++ b/htdocs/admin/prelevement.php @@ -36,7 +36,7 @@ $langs->loadLangs(array("admin", "withdrawals")); // Security check if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $type = 'paymentorder'; @@ -217,7 +217,7 @@ print load_fiche_titre($langs->trans("OrdersModelModule"),'',''); $def = array(); $sql = "SELECT nom"; $sql.= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql.= " WHERE type = '".$type."'"; +$sql.= " WHERE type = '".$db->escape($type)."'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); if ($resql) diff --git a/htdocs/admin/propal.php b/htdocs/admin/propal.php index 4855a164412..843cf0cfd55 100644 --- a/htdocs/admin/propal.php +++ b/htdocs/admin/propal.php @@ -39,7 +39,7 @@ $langs->loadLangs(array("admin", "other", "errors", "propal")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); 
@@ -130,7 +130,7 @@ if ($action == 'updateMask') { setEventMessages($langs->trans("Error"), null, 'errors'); } } elseif ($action == 'set_PROPOSAL_FREE_TEXT') { - $freetext = GETPOST('PROPOSAL_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('PROPOSAL_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "PROPOSAL_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); @@ -316,7 +316,7 @@ print load_fiche_titre($langs->trans("ProposalsPDFModules"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/receiptprinter.php b/htdocs/admin/receiptprinter.php index 4332c4feab0..9b3563edd63 100644 --- a/htdocs/admin/receiptprinter.php +++ b/htdocs/admin/receiptprinter.php @@ -36,7 +36,7 @@ $langs->loadLangs(array("admin", "receiptprinter")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $mode = GETPOST('mode', 'alpha'); $printername = GETPOST('printername', 'alpha'); diff --git a/htdocs/admin/reception_extrafields.php b/htdocs/admin/reception_extrafields.php index ce5cbcd7179..d9babd5d95b 100644 --- a/htdocs/admin/reception_extrafields.php +++ b/htdocs/admin/reception_extrafields.php @@ -50,7 +50,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->trans($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'reception'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/reception_setup.php b/htdocs/admin/reception_setup.php index 3d0b591af10..60833669753 100644 
--- a/htdocs/admin/reception_setup.php +++ b/htdocs/admin/reception_setup.php @@ -32,7 +32,7 @@ $langs->loadLangs(array("admin", "receptions", 'other')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -76,7 +76,7 @@ if ($action == 'updateMask') } } elseif ($action == 'set_param') { - $freetext = GETPOST('RECEPTION_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('RECEPTION_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "RECEPTION_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); if ($res <= 0) { @@ -301,7 +301,7 @@ $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); diff --git a/htdocs/admin/resource.php b/htdocs/admin/resource.php index 288f338941c..b57e41ddfd4 100644 --- a/htdocs/admin/resource.php +++ b/htdocs/admin/resource.php @@ -37,7 +37,7 @@ $langs->loadLangs(array("admin", "resource")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); /* diff --git a/htdocs/admin/resource_extrafields.php b/htdocs/admin/resource_extrafields.php index 57eaa0d245c..61b0bf900df 100644 --- a/htdocs/admin/resource_extrafields.php +++ b/htdocs/admin/resource_extrafields.php 
@@ -44,7 +44,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'resource'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/security_file.php b/htdocs/admin/security_file.php index d4d8b0718ae..4b665123e4f 100644 --- a/htdocs/admin/security_file.php +++ b/htdocs/admin/security_file.php @@ -34,7 +34,7 @@ $langs->loadLangs(array('users', 'admin', 'other')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $upload_dir = $conf->admin->dir_temp; @@ -52,8 +52,8 @@ if (GETPOST('sendit') && !empty($conf->global->MAIN_UPLOAD_DOC)) if ($action == 'updateform') { - $antivircommand = GETPOST('MAIN_ANTIVIRUS_COMMAND', 'none'); // Use GETPOST none because we must accept ". Example c:\Progra~1\ClamWin\bin\clamscan.exe - $antivirparam = GETPOST('MAIN_ANTIVIRUS_PARAM', 'none'); // Use GETPOST none because we must accept ". Example --database="C:\Program Files (x86)\ClamWin\lib" + $antivircommand = GETPOST('MAIN_ANTIVIRUS_COMMAND', 'restricthtml'); // Use GETPOST restricthtml because we must accept ". Example c:\Progra~1\ClamWin\bin\clamscan.exe + $antivirparam = GETPOST('MAIN_ANTIVIRUS_PARAM', 'restricthtml'); // Use GETPOST restricthtml because we must accept ". Example --database="C:\Program Files (x86)\ClamWin\lib" $antivircommand = dol_string_nospecial($antivircommand, '', array("|", ";", "<", ">", "&")); // Sanitize command $antivirparam = dol_string_nospecial($antivirparam, '', array("|", ";", "<", ">", "&")); // Sanitize params diff --git a/htdocs/admin/security_other.php b/htdocs/admin/security_other.php index 2bc477f6e39..686c0ddc21c 100644 --- a/htdocs/admin/security_other.php +++ b/htdocs/admin/security_other.php 
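Review bot: The switch from 'none' to 'restricthtml' for MAIN_ANTIVIRUS_COMMAND and MAIN_ANTIVIRUS_PARAM in htdocs/admin/security_file.php changes what is stored, and the updated comment only asserts that `"` still passes. 'restricthtml' is an HTML filter; if it entity-encodes quotes or alters `<`, `>` and `&` before `dol_string_nospecial` runs two lines later, the stored command may differ from what the admin typed, so it is worth confirming that the Windows example `--database="C:\Program Files (x86)\ClamWin\lib"` round-trips unchanged. Independently of the filter, the two `dol_string_nospecial` calls are a deny-list over a value that is presumably executed later; a comment stating that only an admin can reach this form and that the stored value is still passed to the command line would make the trust boundary explicit.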
@@ -34,7 +34,7 @@ $langs->loadLangs(array("users", "admin", "other")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); diff --git a/htdocs/admin/stock.php b/htdocs/admin/stock.php index 4edff5e93b3..c7508e996ad 100644 --- a/htdocs/admin/stock.php +++ b/htdocs/admin/stock.php @@ -36,7 +36,7 @@ $langs->loadLangs(array("admin", "stocks")); // Securit check if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -516,7 +516,7 @@ print load_fiche_titre($langs->trans("WarehouseModelModules"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) @@ -760,76 +760,6 @@ print ''; print ''; -/* -print '
'; -if ($conf->global->MAIN_FEATURES_LEVEL >= 2) -{ - print ''; - print ''; - print ''."\n"; - print ''."\n"; - print ''."\n"; - - // Example with a yes / no select - print ''; - print ''; - print ''; - - - // Example with a yes / no select - print ''; - print ''; - print ''; - - - // Example with a yes / no select - print ''; - print ''; - print ''; - - print '
'.$langs->trans("Inventory").''.$langs->trans("Status").'
'.$langs->trans("INVENTORY_DISABLE_VIRTUAL").''; - if ($conf->use_javascript_ajax) { - print ajax_constantonoff('INVENTORY_DISABLE_VIRTUAL'); - } else { - $arrval = array('0' => $langs->trans("No"), '1' => $langs->trans("Yes")); - print $form->selectarray("INVENTORY_DISABLE_VIRTUAL", $arrval, $conf->global->INVENTORY_DISABLE_VIRTUAL); - } - print '
'.$langs->trans("INVENTORY_USE_MIN_PA_IF_NO_LAST_PA").''; - if ($conf->use_javascript_ajax) { - print ajax_constantonoff('INVENTORY_USE_MIN_PA_IF_NO_LAST_PA'); - } else { - $arrval = array('0' => $langs->trans("No"), '1' => $langs->trans("Yes")); - print $form->selectarray("INVENTORY_USE_MIN_PA_IF_NO_LAST_PA", $arrval, $conf->global->INVENTORY_USE_MIN_PA_IF_NO_LAST_PA); - } - print '
'.$langs->trans("INVENTORY_USE_INVENTORY_DATE_FOR_DATE_OF_MVT").''; - if ($conf->use_javascript_ajax) { - print ajax_constantonoff('INVENTORY_USE_INVENTORY_DATE_FOR_DATE_OF_MVT'); - } else { - $arrval = array('0' => $langs->trans("No"), '1' => $langs->trans("Yes")); - print $form->selectarray("INVENTORY_USE_INVENTORY_DATE_FOR_DATE_OF_MVT", $arrval, $conf->global->INVENTORY_USE_INVENTORY_DATE_FOR_DATE_OF_MVT); - } - print '
'; -} -*/ - -/* I keep the option/feature, but hidden to end users for the moment. If feature is used by module, no need to have users see it. -If not used by a module, I still need to understand in which case user may need this now we can set rule on product page. -if ($conf->global->PRODUIT_SOUSPRODUITS) -{ - print ''; - print ''.$langs->trans("IndependantSubProductStock").''; - print ''; - print "
"; - print ''; - print ""; - print $form->selectyesno("INDEPENDANT_SUBPRODUCT_STOCK",$conf->global->INDEPENDANT_SUBPRODUCT_STOCK,1); - print ''; - print '
'; - print "\n"; - print "\n"; -} -*/ - // End of page llxFooter(); $db->close(); diff --git a/htdocs/admin/supplier_invoice.php b/htdocs/admin/supplier_invoice.php index 59613f6af5b..9b618fa3d31 100644 --- a/htdocs/admin/supplier_invoice.php +++ b/htdocs/admin/supplier_invoice.php @@ -42,7 +42,7 @@ accessforbidden(); $type = GETPOST('type', 'alpha'); $value = GETPOST('value', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -167,7 +167,7 @@ if ($action == 'addcat') if ($action == 'set_SUPPLIER_INVOICE_FREE_TEXT') { - $freetext = GETPOST('SUPPLIER_INVOICE_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('SUPPLIER_INVOICE_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "SUPPLIER_INVOICE_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); diff --git a/htdocs/admin/supplier_order.php b/htdocs/admin/supplier_order.php index a390e4a4522..c7026ca7327 100644 --- a/htdocs/admin/supplier_order.php +++ b/htdocs/admin/supplier_order.php @@ -43,7 +43,7 @@ accessforbidden(); $type = GETPOST('type', 'alpha'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $scandir = GETPOST('scan_dir', 'alpha'); $specimenthirdparty = new Societe($db); @@ -154,7 +154,7 @@ elseif ($action == 'setdoc') $fourn->CreateCategory($user, GETPOST('cat', 'alphanohtml')); } elseif ($action == 'set_SUPPLIER_ORDER_OTHER') { - $freetext = GETPOST('SUPPLIER_ORDER_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('SUPPLIER_ORDER_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $doubleapproval = GETPOST('SUPPLIER_ORDER_3_STEPS_TO_BE_APPROVED', 'alpha'); $doubleapproval = price2num($doubleapproval); 
diff --git a/htdocs/admin/supplier_payment.php b/htdocs/admin/supplier_payment.php index da74784505a..5541b8ff895 100644 --- a/htdocs/admin/supplier_payment.php +++ b/htdocs/admin/supplier_payment.php @@ -33,10 +33,10 @@ $langs->loadLangs(array("admin", "errors", "other", "bills", "orders")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); -$scandir = GETPOST('scan_dir', 'alpha'); +$scandir = GETPOST('scandir', 'alpha'); $type = 'supplier_payment'; @@ -179,7 +179,7 @@ print load_fiche_titre($langs->trans("PaymentsNumberingModule"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) @@ -267,7 +267,7 @@ foreach ($dirmodels as $reldir) { print img_picto($langs->trans("Activated"), 'switch_on'); } else { - print ''.img_picto($langs->trans("Disabled"), 'switch_off').''; + print ''.img_picto($langs->trans("Disabled"), 'switch_off').''; } print ''; diff --git a/htdocs/admin/supplier_proposal.php b/htdocs/admin/supplier_proposal.php index 5f35f3af310..f2110687042 100644 --- a/htdocs/admin/supplier_proposal.php +++ b/htdocs/admin/supplier_proposal.php @@ -34,7 +34,7 @@ $langs->loadLangs(array("admin", "errors", "other", "supplier_proposal")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); 
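Review bot: `$scandir = GETPOST('scandir', 'alpha');` in htdocs/admin/supplier_payment.php renames the request parameter from 'scan_dir' to 'scandir', while every other admin page touched by this diff (mrp.php, payment.php, propal.php, reception_setup.php, stock.php, supplier_invoice.php, supplier_order.php, supplier_proposal.php) still reads `GETPOST('scan_dir', 'alpha')`. Unless the form on this page posts 'scandir' (the form is outside the hunk), the module-activation actions that use $scandir will now receive an empty value. If the rename is intentional, the form field and the commit message should say so; otherwise revert to `$scandir = GETPOST('scan_dir', 'alpha');`.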
@@ -123,7 +123,7 @@ if ($action == 'set_SUPPLIER_PROPOSAL_DRAFT_WATERMARK') if ($action == 'set_SUPPLIER_PROPOSAL_FREE_TEXT') { - $freetext = GETPOST('SUPPLIER_PROPOSAL_FREE_TEXT', 'none'); // No alpha here, we want exact string + $freetext = GETPOST('SUPPLIER_PROPOSAL_FREE_TEXT', 'restricthtml'); // No alpha here, we want exact string $res = dolibarr_set_const($db, "SUPPLIER_PROPOSAL_FREE_TEXT", $freetext, 'chaine', 0, '', $conf->entity); @@ -310,7 +310,7 @@ print load_fiche_titre($langs->trans("SupplierProposalPDFModules"), '', ''); $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/admin/supplierinvoice_extrafields.php b/htdocs/admin/supplierinvoice_extrafields.php index 172f243a22c..50e2fbbbb91 100644 --- a/htdocs/admin/supplierinvoice_extrafields.php +++ b/htdocs/admin/supplierinvoice_extrafields.php @@ -45,7 +45,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'facture_fourn'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/supplierinvoicedet_extrafields.php b/htdocs/admin/supplierinvoicedet_extrafields.php index a9fa9c1b09d..15a96009392 100644 --- a/htdocs/admin/supplierinvoicedet_extrafields.php +++ b/htdocs/admin/supplierinvoicedet_extrafields.php 
@@ -47,7 +47,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'facture_fourn_det'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/supplierorder_extrafields.php b/htdocs/admin/supplierorder_extrafields.php index c280e56ac86..17d866d8f94 100644 --- a/htdocs/admin/supplierorder_extrafields.php +++ b/htdocs/admin/supplierorder_extrafields.php @@ -45,7 +45,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'commande_fournisseur'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/supplierorderdet_extrafields.php b/htdocs/admin/supplierorderdet_extrafields.php index 59cc6783db8..1bcfcec05c4 100644 --- a/htdocs/admin/supplierorderdet_extrafields.php +++ b/htdocs/admin/supplierorderdet_extrafields.php @@ -46,7 +46,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'commande_fournisseurdet'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/syslog.php b/htdocs/admin/syslog.php index 079fb3a6052..60de87d2d2e 100644 --- a/htdocs/admin/syslog.php +++ b/htdocs/admin/syslog.php 
@@ -212,6 +212,12 @@ foreach ($syslogModules as $moduleName) print ''; print ' '; print $module->getName(); + if ($moduleName == 'mod_syslog_syslog') { + if (! $module->isActive()) { + $langs->load("errors"); + print $form->textwithpicto('', $langs->trans("ErrorPHPNeedModule", 'SysLog')); + } + } print ''; print ''; diff --git a/htdocs/admin/system/about.php b/htdocs/admin/system/about.php index 615d353bbf1..bbac6bdfe0c 100644 --- a/htdocs/admin/system/about.php +++ b/htdocs/admin/system/about.php @@ -31,7 +31,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; // Load translation files required by the page $langs->loadLangs(array("help", "members", "other", "admin")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); if (!$user->admin) accessforbidden(); diff --git a/htdocs/admin/system/database-tables.php b/htdocs/admin/system/database-tables.php index c0a52337a25..683fc3c4f3a 100644 --- a/htdocs/admin/system/database-tables.php +++ b/htdocs/admin/system/database-tables.php @@ -32,7 +32,7 @@ if (!$user->admin) { accessforbidden(); } -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); if ($action == 'convert') diff --git a/htdocs/admin/system/dolibarr.php b/htdocs/admin/system/dolibarr.php index 9288c2e2f1b..57d288dfb4c 100644 --- a/htdocs/admin/system/dolibarr.php +++ b/htdocs/admin/system/dolibarr.php @@ -32,7 +32,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; // Load translation files required by the page $langs->loadLangs(array("install", "other", "admin")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); if (!$user->admin) accessforbidden(); 
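Review bot: The nested check `if ($moduleName == 'mod_syslog_syslog') { if (! $module->isActive()) {` in htdocs/admin/syslog.php can be a single condition, and `! $module` uses a space after the negation that the rest of this diff does not (`!$user->admin`). `$langs->load("errors")` also sits inside the per-module loop; it is cheap, but it belongs with the page's other language loads at the top. Suggested: `if ($moduleName == 'mod_syslog_syslog' && !$module->isActive()) {`.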
@@ -365,7 +365,12 @@ foreach ($configfileparameters as $key => $value) print ''.$newkey.''; // Value print ""; - if ($newkey == 'dolibarr_main_db_pass') print preg_replace('/./i', '*', ${$newkey}); + if ($newkey == 'dolibarr_main_db_pass') { + if (empty($dolibarr_main_prod)) { + print ''; + } + print '**********'; + } elseif ($newkey == 'dolibarr_main_url_root' && preg_match('/__auto__/', ${$newkey})) print ${$newkey}.' => '.constant('DOL_MAIN_URL_ROOT'); elseif ($newkey == 'dolibarr_main_document_root_alt') { $tmparray = explode(',', ${$newkey}); @@ -395,7 +400,14 @@ foreach ($configfileparameters as $key => $value) $valuetoshow = ${$newkey}; if (empty($valuetoshow)) { - print img_warning($langs->trans('SwitchThisForABetterSecurity')); + print img_warning($langs->trans('SwitchThisForABetterSecurity', 1)); + } + } elseif ($newkey == 'dolibarr_nocsrfcheck') { + print ${$newkey}; + + $valuetoshow = ${$newkey}; + if (!empty($valuetoshow)) { + print img_warning($langs->trans('SwitchThisForABetterSecurity', 0)); } } else { print ${$newkey}; @@ -451,7 +463,16 @@ if ($resql) print ''; print ''.$obj->name.''."\n"; - print ''.dol_escape_htmltag($obj->value).''."\n"; + print ''; + if (preg_match('/(_pass|password|_pw|_key|securekey|serverkey|secret\d?|p12key|exportkey|_PW_[a-z]+|token)$/i', $obj->name)) { + if (empty($dolibarr_main_prod)) { + print ''; + } + print '**********'; + } else { + print dol_escape_htmltag($obj->value); + } + print ''."\n"; if (empty($conf->multicompany->enabled) || !$user->entity) print ''.$obj->entity.''."\n"; // If superadmin or multicompany disabled print "\n"; diff --git a/htdocs/admin/system/filecheck.php b/htdocs/admin/system/filecheck.php index e1f85ca77ce..a3d54104a02 100644 --- a/htdocs/admin/system/filecheck.php +++ b/htdocs/admin/system/filecheck.php @@ -1,5 +1,5 @@ +/* Copyright (C) 2005-2020 Laurent Destailleur * Copyright (C) 2007 Rodolphe Quiedeville * Copyright (C) 2007-2012 Regis Houssin * Copyright (C) 2015-2019 Frederic France 
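Review bot: The masking regex added in the last hunk, `/(_pass|password|_pw|_key|securekey|serverkey|secret\d?|p12key|exportkey|_PW_[a-z]+|token)$/i`, is anchored at the end of the constant name, so any constant whose sensitive token is followed by another word (names ending in `_SALT`, `_KEY_ID`, `_TOKEN_EXPIRY`, `_PASSWORD_HASH` and the like) falls through to `print dol_escape_htmltag($obj->value);` and is shown in clear on the admin page. Dropping the `$` anchor and adding `salt` masks on a contained token rather than a suffix, and over-masking costs nothing here: `if (preg_match('/(_pass|password|_pw|_key|securekey|serverkey|secret\d?|p12key|exportkey|_PW_[a-z]+|token|salt)/i', $obj->name)) {`. In both masking branches the `if (empty($dolibarr_main_prod))` block prints something before the `**********` placeholder that this rendering has stripped; whatever is emitted there in non-production mode presumably carries the real value and should also pass through `dol_escape_htmltag()`. The `foreach ($configfileparameters ...)` and `if ($resql)` bodies these hunks sit in start and end outside the hunks.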
@@ -91,6 +91,7 @@ if (preg_match('/beta|alpha|rc/i', DOL_VERSION) || !empty($conf->global->MAIN_AL $enableremotecheck = true; print '
'; +print ''; print $langs->trans("MakeIntegrityAnalysisFrom").':
'; print ''."\n"; if (dol_is_file($xmlfile)) @@ -195,9 +196,9 @@ if (!$error && $xml) $i++; $out .= ''; $out .= ''.$i.''."\n"; - $out .= ''.$constname.''."\n"; - $out .= ''.$constvalue.''."\n"; - $out .= ''.$valueforchecksum.''."\n"; + $out .= ''.dol_escape_htmltag($constname).''."\n"; + $out .= ''.dol_escape_htmltag($constvalue).''."\n"; + $out .= ''.dol_escape_htmltag($valueforchecksum).''."\n"; $out .= "\n"; } @@ -255,11 +256,11 @@ if (!$error && $xml) $i++; $out .= ''; $out .= ''.$i.''."\n"; - $out .= ''.$file['filename'].''."\n"; + $out .= ''.dol_escape_htmltag($file['filename']).''."\n"; $out .= ''; if (!empty($file['expectedsize'])) $out .= dol_print_size($file['expectedsize']); $out .= ''."\n"; - $out .= ''.$file['expectedmd5'].''."\n"; + $out .= ''.dol_escape_htmltag($file['expectedmd5']).''."\n"; $out .= "\n"; } } else { @@ -294,9 +295,9 @@ if (!$error && $xml) $i++; $out .= ''; $out .= ''.$i.''."\n"; - $out .= ''.$file['filename'].''."\n"; - $out .= ''.$file['expectedmd5'].''."\n"; - $out .= ''.$file['md5'].''."\n"; + $out .= ''.dol_escape_htmltag($file['filename']).''."\n"; + $out .= ''.dol_escape_htmltag($file['expectedmd5']).''."\n"; + $out .= ''.dol_escape_htmltag($file['md5']).''."\n"; $out .= ''; if ($file['expectedsize']) $out .= dol_print_size($file['expectedsize']); $out .= ''."\n"; 
@@ -346,14 +347,14 @@ if (!$error && $xml) $i++; $out .= ''; $out .= ''.$i.''."\n"; - $out .= ''.$file['filename']; + $out .= ''.dol_escape_htmltag($file['filename']); if (!preg_match('/^win/i', PHP_OS)) { $htmltext = $langs->trans("YouCanDeleteFileOnServerWith", 'rm '.DOL_DOCUMENT_ROOT.$file['filename']); // The slash is included int file['filename'] $out .= ' '.$form->textwithpicto('', $htmltext, 1, 'help', '', 0, 2, 'helprm'.$i); } $out .= ''."\n"; - $out .= ''.$file['expectedmd5'].''."\n"; - $out .= ''.$file['md5'].''."\n"; + $out .= ''.dol_escape_htmltag($file['expectedmd5']).''."\n"; + $out .= ''.dol_escape_htmltag($file['md5']).''."\n"; $size = dol_filesize(DOL_DOCUMENT_ROOT.'/'.$file['filename']); $totalsize += $size; $out .= ''.dol_print_size($size).''."\n"; diff --git a/htdocs/admin/taxes.php b/htdocs/admin/taxes.php index 687b43a6918..51a089336c6 100644 --- a/htdocs/admin/taxes.php +++ b/htdocs/admin/taxes.php @@ -34,7 +34,7 @@ $langs->loadLangs(array('admin', 'objects', 'companies', 'products')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); diff --git a/htdocs/admin/ticket.php b/htdocs/admin/ticket.php index 974f8874096..4dd8a6fa5c1 100644 --- a/htdocs/admin/ticket.php +++ b/htdocs/admin/ticket.php @@ -37,7 +37,7 @@ if (!$user->admin) { // Parameters $value = GETPOST('value', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scandir', 'alpha'); $type = 'ticket'; diff --git a/htdocs/admin/ticket_extrafields.php b/htdocs/admin/ticket_extrafields.php index a01996b31ac..91e5df44180 100644 --- a/htdocs/admin/ticket_extrafields.php +++ b/htdocs/admin/ticket_extrafields.php 
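Review bot: The file name is now escaped in the table cell, but two lines below the same raw `$file['filename']` is concatenated into `'rm '.DOL_DOCUMENT_ROOT.$file['filename']` and handed to `$langs->trans()` / `textwithpicto()` for the tooltip; unless `trans()` escapes its parameters (not visible here), a file name containing markup still reaches the page unescaped there. These are presumably the files not in the manifest, i.e. names an attacker who can write to the web root chose, and the tooltip is a command the admin is invited to paste into a shell, so escape it for both contexts: `$htmltext = $langs->trans("YouCanDeleteFileOnServerWith", dol_escape_htmltag('rm '.escapeshellarg(DOL_DOCUMENT_ROOT.$file['filename'])));`. The `if (!$error && $xml)` block this hunk sits in starts and ends outside the hunk.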
@@ -39,7 +39,7 @@ foreach ($tmptype2label as $key => $val) { $type2label[$key] = $langs->trans($val); } -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'ticket'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/admin/ticket_public.php b/htdocs/admin/ticket_public.php index 72427de3ab0..02e6e6916ee 100644 --- a/htdocs/admin/ticket_public.php +++ b/htdocs/admin/ticket_public.php @@ -37,7 +37,7 @@ if (!$user->admin) { // Parameters $value = GETPOST('value', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scandir', 'alpha'); $type = 'ticket'; diff --git a/htdocs/admin/tools/dolibarr_export.php b/htdocs/admin/tools/dolibarr_export.php index b7d69247763..f1a95a48e9f 100644 --- a/htdocs/admin/tools/dolibarr_export.php +++ b/htdocs/admin/tools/dolibarr_export.php @@ -29,10 +29,10 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; $langs->load("admin"); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (!$sortorder) $sortorder = "DESC"; if (!$sortfield) $sortfield = "date"; diff --git a/htdocs/admin/tools/export.php b/htdocs/admin/tools/export.php index 408d82404dc..cbe25f0ff75 100644 --- a/htdocs/admin/tools/export.php +++ b/htdocs/admin/tools/export.php 
@@ -30,15 +30,15 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; $langs->load("admin"); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $what = GETPOST('what', 'alpha'); $export_type = GETPOST('export_type', 'alpha'); $file = GETPOST('filename_template', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action $offset = $limit * $page; diff --git a/htdocs/admin/tools/export_files.php b/htdocs/admin/tools/export_files.php index e8b60eba5fb..485df8c318b 100644 --- a/htdocs/admin/tools/export_files.php +++ b/htdocs/admin/tools/export_files.php @@ -30,7 +30,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; $langs->load("admin"); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $what = GETPOST('what', 'alpha'); $export_type = GETPOST('export_type', 'alpha'); $file = GETPOST('zipfilename_template', 'alpha'); 
@@ -39,8 +39,8 @@ $compression = GETPOST('compression'); $file = dol_sanitizeFileName($file); $file = preg_replace('/(\.zip|\.tar|\.tgz|\.gz|\.tar\.gz|\.bz2)$/i', '', $file); -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (!$sortorder) $sortorder = "DESC"; if (!$sortfield) $sortfield = "date"; diff --git a/htdocs/admin/tools/listevents.php b/htdocs/admin/tools/listevents.php index e9d06885dfd..84fe534f473 100644 --- a/htdocs/admin/tools/listevents.php +++ b/htdocs/admin/tools/listevents.php @@ -1,8 +1,8 @@ +/* Copyright (C) 2004-2020 Laurent Destailleur * Copyright (C) 2005-2012 Regis Houssin * Copyright (C) 2015 Bahfir Abbes - * Copyright (C) 2018 Frédéric France + * Copyright (C) 2018 Frédéric France * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -31,7 +31,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php'; if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); // Security check @@ -46,8 +46,8 @@ $langs->loadLangs(array("companies", "admin", "users", "other")); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; 
@@ -60,8 +60,8 @@ $search_code = GETPOST("search_code", "alpha"); $search_ip = GETPOST("search_ip", "alpha"); $search_user = GETPOST("search_user", "alpha"); $search_desc = GETPOST("search_desc", "alpha"); -$search_ua = GETPOST("search_ua", "none"); -$search_prefix_session = GETPOST("search_prefix_session", "none"); +$search_ua = GETPOST("search_ua", "restricthtml"); +$search_prefix_session = GETPOST("search_prefix_session", "restricthtml"); if (GETPOST("date_startmonth") == '' || GETPOST("date_startmonth") > 0) $date_start = dol_mktime(0, 0, 0, GETPOST("date_startmonth"), GETPOST("date_startday"), GETPOST("date_startyear")); else $date_start = -1; @@ -235,6 +235,20 @@ if ($result) print $form->formconfirm($_SERVER["PHP_SELF"].'?noparam=noparam', $langs->trans('PurgeAuditEvents'), $langs->trans('ConfirmPurgeAuditEvents'), 'confirm_purge', $formquestion, 'no', 1); } + // Check some parameters + // TODO Add a tab with this and other information + /* + global $dolibarr_main_prod, $dolibarr_nocsrfcheck; + if (empty($dolibarr_main_prod)) { + print $langs->trans("Warning").' dolibarr_main_prod = '.$dolibarr_main_prod; + print ' '.img_warning($langs->trans('SwitchThisForABetterSecurity', 1)).'
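Review bot: `search_ua` and `search_prefix_session` move from `none` to `restricthtml`, which still admits a subset of HTML tags, while the sibling search fields on the lines above (`search_code`, `search_ip`, `search_user`, `search_desc`) use `alpha`; a user-agent string or a session prefix never legitimately contains markup, and these values are presumably used in the SQL filter and echoed back into the search form further down (outside the hunk). `alphanohtml` gives the tighter guarantee without rejecting any real input: `$search_ua = GETPOST("search_ua", "alphanohtml");` and `$search_prefix_session = GETPOST("search_prefix_session", "alphanohtml");`. The parameter-reading run continues past the hunk.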
'; + } + if (!empty($dolibarr_nocsrfcheck)) { + print $langs->trans("Warning").' dolibarr_nocsrfcheck = '.$dolibarr_nocsrfcheck; + print ' '.img_warning($langs->trans('SwitchThisForABetterSecurity', 0)).'
'; + } + */ + print '
'; print ''; diff --git a/htdocs/admin/tools/listsessions.php b/htdocs/admin/tools/listsessions.php index 07f9f1ef47c..aedc41e0b23 100644 --- a/htdocs/admin/tools/listsessions.php +++ b/htdocs/admin/tools/listsessions.php @@ -31,7 +31,7 @@ $langs->loadLangs(array("companies", "install", "users", "other")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); // Security check diff --git a/htdocs/admin/tools/purge.php b/htdocs/admin/tools/purge.php index 9898e290ddc..c41b43b3b48 100644 --- a/htdocs/admin/tools/purge.php +++ b/htdocs/admin/tools/purge.php @@ -29,7 +29,7 @@ $langs->load("admin"); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $choice = GETPOST('choice', 'aZ09'); diff --git a/htdocs/admin/tools/update.php b/htdocs/admin/tools/update.php index 67f07a4eb24..27b53e8266e 100644 --- a/htdocs/admin/tools/update.php +++ b/htdocs/admin/tools/update.php @@ -30,7 +30,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/geturl.lib.php'; // Load translation files required by the page $langs->loadLangs(array("admin", "other")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); if (!$user->admin) accessforbidden(); diff --git a/htdocs/admin/translation.php b/htdocs/admin/translation.php index 309d15485eb..9259ac420b7 100644 --- a/htdocs/admin/translation.php +++ b/htdocs/admin/translation.php 
@@ -33,11 +33,11 @@ $langs->loadLangs(array("companies", "products", "admin", "sms", "other", "error
 if (!$user->admin) accessforbidden();
 $id = GETPOST('rowid', 'int');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $langcode = GETPOST('langcode', 'alphanohtml');
 $transkey = GETPOST('transkey', 'alphanohtml');
-$transvalue = GETPOST('transvalue', 'none');
+$transvalue = GETPOST('transvalue', 'restricthtml');
 $mode = GETPOST('mode', 'aZ09') ?GETPOST('mode', 'aZ09') : 'searchkey';
diff --git a/htdocs/admin/user.php b/htdocs/admin/user.php
index f866b418131..723a4bb0063 100644
--- a/htdocs/admin/user.php
+++ b/htdocs/admin/user.php
@@ -38,7 +38,7 @@ if (!$user->admin) accessforbidden();
 $extrafields = new ExtraFields($db);
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $backtopage = GETPOST('backtopage', 'alpha');
 $value = GETPOST('value', 'alpha');
@@ -192,7 +192,7 @@ $dirmodels = array_merge(array('/'), (array) $conf->modules_parts['models']);
 $def = array();
 $sql = "SELECT nom";
 $sql .= " FROM ".MAIN_DB_PREFIX."document_model";
-$sql .= " WHERE type = '".$type."'";
+$sql .= " WHERE type = '".$db->escape($type)."'";
 $sql .= " AND entity = ".$conf->entity;
 $resql = $db->query($sql);
 if ($resql)
diff --git a/htdocs/admin/usergroup.php b/htdocs/admin/usergroup.php
index 490c79a3363..0b372bf3518 100644
--- a/htdocs/admin/usergroup.php
+++ b/htdocs/admin/usergroup.php
@@ -38,7 +38,7 @@ if (!$user->admin) accessforbidden();
 $extrafields = new ExtraFields($db);
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $value = GETPOST('value', 'alpha');
 $type = 'group';
@@ -124,7 +124,7 @@ $form = new Form($db);
 $def = array();
 $sql = "SELECT nom";
 $sql .= " FROM ".MAIN_DB_PREFIX."document_model";
-$sql .= " WHERE type = '".$type."'";
+$sql .= " WHERE type = '".$db->escape($type)."'";
 $sql .= " AND entity = ".$conf->entity;
 $resql = $db->query($sql);
 if ($resql)
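Review bot: In the user.php and usergroup.php `document_model` queries the commit escapes `$type` but leaves `" AND entity = ".$conf->entity` on the next line uncast and unparenthesized, while the website.php hunks in the same commit switch their numeric predicates to `((int) $rowid)`; for consistency, and so the predicate can never degrade to `entity = ` on an empty value, write `$sql .= " AND entity = ".((int) $conf->entity);` in both files. `$type` itself is a page-local constant (`$type = 'group'` is visible in the usergroup hunk), so `$db->escape()` is harmless there and the integer cast is the change that actually matters. Each query is built inside a block that starts outside its hunk.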
diff --git a/htdocs/admin/website.php b/htdocs/admin/website.php index 4254408ed90..83aeed6bd13 100644 --- a/htdocs/admin/website.php +++ b/htdocs/admin/website.php @@ -51,8 +51,8 @@ $actl[1] = img_picto($langs->trans("Activated"), 'switch_on'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; @@ -252,7 +252,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) else $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'"; $i++; } - $sql .= " WHERE ".$rowidcol." = '".$rowid."'"; + $sql .= " WHERE ".$rowidcol." = ".((int) $rowid); dol_syslog("actionmodify", LOG_DEBUG); //print $sql; 
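Review bot: In the `@@ -252` hunk the value list of the UPDATE is still built from `$_POST[$listfieldvalue[$i]]` read directly, bypassing `GETPOST()` and the per-field filters the rest of this commit is tightening; `$db->escape()` closes the SQL side, but nothing limits what lands in the row. Reading it as `GETPOST($listfieldvalue[$i], 'alpha')` (or the filter appropriate to that field) would bring it in line with the rest of the file. The `(int)` cast on `$rowid` is right; the loop this line belongs to starts outside the hunk, as does the assignment of `$rowidcol`, which is interpolated as a bare column name and should only ever take the `$tabrowid[$id]` / `"rowid"` values.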
@@ -310,16 +310,16 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete if ($website->id > 0) { - $sql = "DELETE from ".MAIN_DB_PREFIX."website_account WHERE fk_website ='".$rowid."'"; + $sql = "DELETE from ".MAIN_DB_PREFIX."website_account WHERE fk_website = ".((int) $rowid); $result = $db->query($sql); - $sql = "DELETE from ".MAIN_DB_PREFIX."website_page WHERE fk_website ='".$rowid."'"; + $sql = "DELETE from ".MAIN_DB_PREFIX."website_page WHERE fk_website = ".((int) $rowid); $result = $db->query($sql); - $sql = "DELETE from ".MAIN_DB_PREFIX."website_extrafields WHERE fk_object ='".$rowid."'"; + $sql = "DELETE from ".MAIN_DB_PREFIX."website_extrafields WHERE fk_object = ".((int) $rowid); $result = $db->query($sql); - $sql = "DELETE from ".MAIN_DB_PREFIX."website WHERE rowid ='".$rowid."'"; + $sql = "DELETE from ".MAIN_DB_PREFIX."website WHERE rowid = ".((int) $rowid); $result = $db->query($sql); if (!$result) { @@ -346,7 +346,7 @@ if ($action == $acts[0]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET status = 1 WHERE rowid ='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET status = 1 WHERE rowid = ".((int) $rowid); } $result = $db->query($sql); @@ -362,7 +362,7 @@ if ($action == $acts[1]) if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; } if ($rowid) { - $sql = "UPDATE ".$tabname[$id]." SET status = 0 WHERE rowid ='".$rowid."'"; + $sql = "UPDATE ".$tabname[$id]." SET status = 0 WHERE rowid = ".((int) $rowid); } $result = $db->query($sql); @@ -411,7 +411,7 @@ print "
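Review bot: The four `DELETE` statements in the `confirm_delete` hunk each overwrite `$result`, so the `if (!$result)` that follows inspects only the last one (`website`); a failure on `website_account`, `website_page` or `website_extrafields` is silently ignored and the site row is removed while its pages stay behind, and no transaction brackets the sequence unless one is opened above the hunk (not visible). Check each query, stop at the first failure and wrap the sequence in `$db->begin()` / `commit()` / `rollback()` as sketched below; the `(int)` casts on `$rowid` are the right change and are kept. The `if ($website->id > 0)` block this hunk sits in closes outside the hunk.

```php
$db->begin();
$error = 0;
$todelete = array('website_account' => 'fk_website', 'website_page' => 'fk_website', 'website_extrafields' => 'fk_object', 'website' => 'rowid');
foreach ($todelete as $table => $col) {
    $sql = "DELETE FROM ".MAIN_DB_PREFIX.$table." WHERE ".$col." = ".((int) $rowid);
    $result = $db->query($sql);
    if (!$result) {
        $error++;
        break;
    }
}
// … unchanged: error reporting in the existing if (!$result) block, then $db->commit() when $error is 0 and $db->rollback() otherwise …
```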
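Review bot: In the `$action == $acts[0]` hunk `$rowidcol` is computed on the line above (`$tabrowid[$id]` or `"rowid"`) and then ignored: the `UPDATE` hardcodes `WHERE rowid = `, so a table whose key column is not `rowid` would be updated against the wrong column, and the `@@ -362` hunk for `$acts[1]` has the same shape. Use the computed name as the `@@ -252` hunk already does: `$sql = "UPDATE ".$tabname[$id]." SET status = 1 WHERE ".$rowidcol." = ".((int) $rowid);`. `$tabname[$id]` is interpolated as a table name here; if `$id` is request-supplied and not checked against the array's keys before this point (not visible), an unknown key gives an empty table name and a failing query rather than an injection, but validating it up front would be cleaner. The surrounding `if ($action == $acts[0])` block continues outside the hunk.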
\n"; // Confirmation de la suppression de la ligne if ($action == 'delete') { - print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page ? 'page='.$page.'&' : '').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid, $langs->trans('DeleteWebsite'), $langs->trans('ConfirmDeleteWebsite'), 'confirm_delete', '', 0, 1); + print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page ? 'page='.$page.'&' : '').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid, $langs->trans('DeleteWebsite'), $langs->trans('ConfirmDeleteWebsite'), 'confirm_delete', '', 0, 1, 220); } //var_dump($elementList); diff --git a/htdocs/admin/website_options.php b/htdocs/admin/website_options.php index 6f0cffa41c8..1df7642b646 100644 --- a/htdocs/admin/website_options.php +++ b/htdocs/admin/website_options.php @@ -46,8 +46,8 @@ $status = 1; // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/admin/workflow.php b/htdocs/admin/workflow.php index 671bacee080..dddcaf91c81 100644 --- a/htdocs/admin/workflow.php +++ b/htdocs/admin/workflow.php @@ -33,7 +33,7 @@ if (!$user->admin) accessforbidden(); // Load translation files required by the page $langs->loadLangs(array("admin", "workflow", "propal", "workflow", "orders", "supplier_proposal", "receptions", "errors")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); /* diff --git a/htdocs/api/class/api_access.class.php b/htdocs/api/class/api_access.class.php index a6d0d72b8de..84f7bf303e7 100644 --- a/htdocs/api/class/api_access.class.php 
+++ b/htdocs/api/class/api_access.class.php @@ -59,6 +59,16 @@ class DolibarrApiAccess implements iAuthenticate */ public static $user = ''; + + /** + * Constructor + */ + public function __construct() + { + global $db; + $this->db = $db; + } + // phpcs:disable PEAR.NamingConventions.ValidFunctionName /** * Check access @@ -107,15 +117,15 @@ class DolibarrApiAccess implements iAuthenticate $sql = "SELECT u.login, u.datec, u.api_key, "; $sql .= " u.tms as date_modification, u.entity"; $sql .= " FROM ".MAIN_DB_PREFIX."user as u"; - $sql .= " WHERE u.api_key = '".$db->escape($api_key)."'"; + $sql .= " WHERE u.api_key = '".$this->db->escape($api_key)."'"; // TODO Check if 2 users has same API key. - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - if ($db->num_rows($result)) + if ($this->db->num_rows($result)) { - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $login = $obj->login; $stored_key = $obj->api_key; $userentity = $obj->entity; @@ -125,11 +135,11 @@ class DolibarrApiAccess implements iAuthenticate $conf->entity = ($obj->entity ? $obj->entity : 1); // We must also reload global conf to get params from the entity dol_syslog("Entity was not set on http header with HTTP_DOLAPIENTITY (recommanded for performance purpose), so we switch now on entity of user (".$conf->entity.") and we have to reload configuration.", LOG_WARNING); - $conf->setValues($db); + $conf->setValues($this->db); } } } else { - throw new RestException(503, 'Error when fetching user api_key :'.$db->error_msg); + throw new RestException(503, 'Error when fetching user api_key :'.$this->db->error_msg); } if ($stored_key != $api_key) { // This should not happen since we did a search on api_key 
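Review bot: The new constructor assigns `$this->db`, but the visible members of `DolibarrApiAccess` (`public static $user`) include no `$db` property, so unless one is declared above the hunk this creates a dynamic property, which PHP 8.2 deprecates; declare it next to the other members with `/** @var DoliDB Database handler */` and `private $db;`. Pulling `global $db` is the pragmatic way to get the handle since Restler instantiates `iAuthenticate` implementations itself, and a one-line comment saying so would spare the next reader the question. The class body continues outside the hunk.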
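Review bot: `if ($stored_key != $api_key)` at the end of the `@@ -107` hunk compares the API key with loose inequality; in PHP two numeric-looking strings (for instance keys of the form `0e…`) compare equal under `!=` even when they differ, and this line is the only in-code guard if the `WHERE u.api_key = '…'` lookup above matched under a case-insensitive collation. Use a strict, constant-time comparison: `if (!hash_equals((string) $stored_key, (string) $api_key)) {`. The `// TODO Check if 2 users has same API key` is also still open, and `$this->db->num_rows($result) > 1` is right there to turn it into a hard failure instead of silently picking the first row. The authentication method this hunk sits in starts and ends outside the hunk.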
@@ -141,7 +151,7 @@ class DolibarrApiAccess implements iAuthenticate { throw new RestException(503, 'Error when searching login user from api key'); } - $fuser = new User($db); + $fuser = new User($this->db); $result = $fuser->fetch('', $login, '', 0, (empty($userentity) ? -1 : $conf->entity)); // If user is not entity 0, we search in working entity $conf->entity (that may have been forced to a different value than user entity) if ($result <= 0) { throw new RestException(503, 'Error when fetching user :'.$fuser->error.' (conf->entity='.$conf->entity.')'); diff --git a/htdocs/api/class/api_setup.class.php b/htdocs/api/class/api_setup.class.php index 58b8954762c..f0812262e4b 100644 --- a/htdocs/api/class/api_setup.class.php +++ b/htdocs/api/class/api_setup.class.php @@ -4,7 +4,7 @@ * Copyright (C) 2017 Regis Houssin * Copyright (C) 2017 Neil Orley * Copyright (C) 2018 Frédéric France - * Copyright (C) 2018-2019 Thibault FOUCART + * Copyright (C) 2018-2020 Thibault FOUCART * * * This program is free software; you can redistribute it and/or modify @@ -24,6 +24,7 @@ use Luracast\Restler\RestException; require_once DOL_DOCUMENT_ROOT.'/main.inc.php'; +require_once DOL_DOCUMENT_ROOT.'/core/class/cstate.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/ccountry.class.php'; /** 
@@ -168,6 +169,107 @@ class Setup extends DolibarrApi return $list; } + /** + * Get the list of states/provinces. + * + * The names of the states will be translated to the given language if + * the $lang parameter is provided. The value of $lang must be a language + * code supported by Dolibarr, for example 'en_US' or 'fr_FR'. + * The returned list is sorted by state ID. + * + * @param string $sortfield Sort field + * @param string $sortorder Sort order + * @param int $limit Number of items per page + * @param int $page Page number (starting from zero) + * @param string $filter To filter the countries by name + * @param string $sqlfilters Other criteria to filter answers separated by a comma. Syntax example "(t.code:like:'A%') and (t.active:>=:0)" + * @return array List of countries + * + * @url GET dictionary/states + * + * @throws RestException + */ + public function getListOfStates($sortfield = "code_departement", $sortorder = 'ASC', $limit = 100, $page = 0, $filter = '', $sqlfilters = '') + { + $list = array(); + + // Note: The filter is not applied in the SQL request because it must + // be applied to the translated names, not to the names in database. + $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."c_departements as t"; + $sql .= " WHERE 1 = 1"; + // Add sql filters + if ($sqlfilters) + { + if (!DolibarrApi::_checkFilters($sqlfilters)) + { + throw new RestException(503, 'Error when validating parameter sqlfilters '.$sqlfilters); + } + $regexstring = '\(([^:\'\(\)]+:[^:\'\(\)]+:[^:\(\)]+)\)'; + $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; + } + + $sql .= $this->db->order($sortfield, $sortorder); + + if ($limit) { + if ($page < 0) { + $page = 0; + } + $offset = $limit * $page; + + $sql .= $this->db->plimit($limit, $offset); + } + + $result = $this->db->query($sql); + + if ($result) { + $num = $this->db->num_rows($result); + $min = min($num, ($limit <= 0 ? 
$num : $limit)); + for ($i = 0; $i < $min; $i++) { + $obj = $this->db->fetch_object($result); + $state = new Cstate($this->db); + if ($state->fetch($obj->rowid) > 0) { + if (empty($filter) || stripos($state->label, $filter) !== false) { + $list[] = $this->_cleanObjectDatas($state); + } + } + } + } else { + throw new RestException(503, 'Error when retrieving list of states'); + } + + return $list; + } + + /** + * Get state by ID. + * + * @param int $id ID of state + * @return array Array of cleaned object properties + * + * @url GET dictionary/states/{id} + * + * @throws RestException + */ + public function getStateByID($id) + { + return $this->_fetchCstate($id, ''); + } + + /** + * Get state by Code. + * + * @param string $code Code of state + * @return array Array of cleaned object properties + * + * @url GET dictionary/states/byCode/{code} + * + * @throws RestException + */ + public function getStateByCode($code) + { + return $this->_fetchCstate('', $code); + } + /** * Get the list of countries. * @@ -295,6 +397,29 @@ class Setup extends DolibarrApi return $this->_fetchCcountry('', '', $iso, $lang); } + /** + * Get state. + * + * @param int $id ID of state + * @param string $code Code of state + * @return array Array of cleaned object properties + * + * @throws RestException + */ + private function _fetchCstate($id, $code = '') + { + $state = new Cstate($this->db); + + $result = $state->fetch($id, $code); + if ($result < 0) { + throw new RestException(503, 'Error when retrieving state : '.$state->error); + } elseif ($result == 0) { + throw new RestException(404, 'State not found'); + } + + return $this->_cleanObjectDatas($state); + } + /** * Get country. * diff --git a/htdocs/asset/admin/assets_extrafields.php b/htdocs/asset/admin/assets_extrafields.php index be36482c295..0bdbff93569 100644 --- a/htdocs/asset/admin/assets_extrafields.php +++ b/htdocs/asset/admin/assets_extrafields.php 
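Review bot: The docblock on `getListOfStates()` does not match the method: it promises translation "if the $lang parameter is provided" but there is no `$lang` parameter, and `@param $filter` / `@return` say "countries" while the code filters and returns `Cstate` objects; since Restler builds the public API documentation from these tags, change them to `@param string $filter To filter the states by name` and `@return array List of states` and drop the translation sentence (or add the parameter). On the input side, `$sortfield` arrives from the query string and is passed straight to `$this->db->order($sortfield, $sortorder)`; if `order()` does not restrict identifiers to `[a-z0-9_.]` (not visible here), apply the same allow-list the admin pages use with `aZ09comma` before building the query. The `Setup` class continues outside the hunk.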
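Review bot: `getStateByID()` forwards the raw path `{id}` to `_fetchCstate($id, '')`, and `_fetchCstate()` in the `@@ -295` hunk hands it to `Cstate::fetch($id, $code)` without a cast; whether `fetch()` casts before building its `WHERE` is not visible here, so enforce the documented `@param int $id` at the boundary: `return $this->_fetchCstate((int) $id, '');`. `getStateByCode()` passes `''` as the id and relies on `fetch()` treating an empty id as "look up by code"; a one-line comment on `_fetchCstate()` stating that contract (`// An empty $id means lookup by $code`) would make the two entry points self-explanatory. Both methods sit inside the `Setup` class, which continues outside the hunk.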
@@ -37,7 +37,7 @@ $tmptype2label = ExtraFields::$type2label;
 $type2label = array('');
 foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val);
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $attrname = GETPOST('attrname', 'alpha');
 $elementtype = 'don'; //Must be the $table_element of the class that manage extrafield
diff --git a/htdocs/asset/admin/assets_type_extrafields.php b/htdocs/asset/admin/assets_type_extrafields.php
index 2f10938d356..ba42a3374dc 100644
--- a/htdocs/asset/admin/assets_type_extrafields.php
+++ b/htdocs/asset/admin/assets_type_extrafields.php
@@ -36,7 +36,7 @@ $tmptype2label = ExtraFields::$type2label;
 $type2label = array('');
 foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val);
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $attrname = GETPOST('attrname', 'alpha');
 $elementtype = 'adherent_type'; //Must be the $table_element of the class that manage extrafield
diff --git a/htdocs/asset/admin/setup.php b/htdocs/asset/admin/setup.php
index c1afe7ba472..64e2bc2b5ad 100644
--- a/htdocs/asset/admin/setup.php
+++ b/htdocs/asset/admin/setup.php
@@ -35,7 +35,7 @@ $langs->loadLangs(array("admin", "assets"));
 if (!$user->admin) accessforbidden();
 // Parameters
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $backtopage = GETPOST('backtopage', 'alpha');
 $arrayofparameters = array('FIXEDASSETS_MYPARAM1'=>array('css'=>'minwidth200'), 'FIXEDASSETS_MYPARAM2'=>array('css'=>'minwidth500'));
diff --git a/htdocs/asset/info.php b/htdocs/asset/info.php
index 900bbc61bf2..2654ebc2d81 100644
--- a/htdocs/asset/info.php
+++ b/htdocs/asset/info.php
@@ -31,7 +31,7 @@ $langs->loadLangs(array("asset"));
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 // Security check
 if ($user->socid) $socid = $user->socid;
diff --git a/htdocs/asset/list.php b/htdocs/asset/list.php
index ab31c6c9831..975551968b4 100644
--- a/htdocs/asset/list.php
+++ b/htdocs/asset/list.php
@@ -47,8 +47,8 @@ $id = GETPOST('id', 'int');
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
-$sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action
 $offset = $limit * $page;
diff --git a/htdocs/asset/note.php b/htdocs/asset/note.php
index 7b92e1dab92..8df2a7a5452 100644
--- a/htdocs/asset/note.php
+++ b/htdocs/asset/note.php
@@ -32,7 +32,7 @@ $langs->loadLangs(array("asset", "companies"));
 // Get parameters
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $cancel = GETPOST('cancel', 'aZ09');
 $backtopage = GETPOST('backtopage', 'alpha');
diff --git a/htdocs/asset/type.php b/htdocs/asset/type.php
index eebc85fc099..01418fde201 100644
--- a/htdocs/asset/type.php
+++ b/htdocs/asset/type.php
@@ -34,7 +34,7 @@ if (!empty($conf->accounting->enabled)) require_once DOL_DOCUMENT_ROOT.'/account
 $langs->load("assets");
 $rowid = GETPOST('rowid', 'int');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $cancel = GETPOST('cancel', 'alpha');
 $backtopage = GETPOST('backtopage', 'alpha');
diff --git a/htdocs/barcode/printsheet.php b/htdocs/barcode/printsheet.php
index 1ac908f361a..dabd05bf745 100644
--- a/htdocs/barcode/printsheet.php
+++ b/htdocs/barcode/printsheet.php @@ -36,10 +36,10 @@ $now = dol_now(); $year = dol_print_date($now, '%Y'); $month = dol_print_date($now, '%m'); $day = dol_print_date($now, '%d'); -$forbarcode = GETPOST('forbarcode'); -$fk_barcode_type = GETPOST('fk_barcode_type'); -$mode = GETPOST('mode'); -$modellabel = GETPOST("modellabel"); // Doc template to use +$forbarcode = GETPOST('forbarcode', 'alphanohtml'); +$fk_barcode_type = GETPOST('fk_barcode_type', 'int'); +$mode = GETPOST('mode', 'aZ09'); +$modellabel = GETPOST("modellabel", 'aZ09'); // Doc template to use $numberofsticker = GETPOST('numberofsticker', 'int'); $mesg = ''; @@ -57,8 +57,8 @@ $thirdpartytmp = new Societe($db); if (GETPOST('submitproduct') && GETPOST('submitproduct')) { $action = ''; // We reset because we don't want to build doc - if (GETPOST('productid') > 0) { - $result = $producttmp->fetch(GETPOST('productid')); + if (GETPOST('productid', 'int') > 0) { + $result = $producttmp->fetch(GETPOST('productid', 'int')); if ($result < 0) { setEventMessage($producttmp->error, 'errors'); } @@ -76,9 +76,9 @@ if (GETPOST('submitproduct') && GETPOST('submitproduct')) if (GETPOST('submitthirdparty') && GETPOST('submitthirdparty')) { $action = ''; // We reset because we don't want to build doc - if (GETPOST('socid') > 0) + if (GETPOST('socid', 'int') > 0) { - $thirdpartytmp->fetch(GETPOST('socid')); + $thirdpartytmp->fetch(GETPOST('socid', 'int')); $forbarcode = $thirdpartytmp->barcode; $fk_barcode_type = $thirdpartytmp->barcode_type_code; @@ -381,7 +381,7 @@ if (!empty($user->rights->produit->lire) || !empty($user->rights->service->lire) print ' '.$langs->trans("FillBarCodeTypeAndValueFromProduct").'   '; print '
'; print '
'; - $form->select_produits(GETPOST('productid'), 'productid', '', '', 0, -1, 2, '', 0, array(), 0, '1', 0, 'minwidth400imp', 1); + $form->select_produits(GETPOST('productid', 'int'), 'productid', '', '', 0, -1, 2, '', 0, array(), 0, '1', 0, 'minwidth400imp', 1); print '   '; print '
'; } @@ -391,7 +391,7 @@ if (!empty($user->rights->societe->lire)) print ' '.$langs->trans("FillBarCodeTypeAndValueFromThirdParty").'   '; print '
'; print '
'; - print $form->select_company(GETPOST('socid'), 'socid', '', 'SelectThirdParty', 0, 0, array(), 0, 'minwidth300'); + print $form->select_company(GETPOST('socid', 'int'), 'socid', '', 'SelectThirdParty', 0, 0, array(), 0, 'minwidth300'); print '   '; print '
'; } diff --git a/htdocs/blockedlog/admin/blockedlog.php b/htdocs/blockedlog/admin/blockedlog.php index 1b6ff1fa021..051f8bb049a 100644 --- a/htdocs/blockedlog/admin/blockedlog.php +++ b/htdocs/blockedlog/admin/blockedlog.php @@ -32,7 +32,7 @@ $langs->loadLangs(array("admin", "other", "blockedlog")); if (!$user->admin || empty($conf->blockedlog->enabled)) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); diff --git a/htdocs/blockedlog/admin/blockedlog_list.php b/htdocs/blockedlog/admin/blockedlog_list.php index ab36caedba4..f70e402b667 100644 --- a/htdocs/blockedlog/admin/blockedlog_list.php +++ b/htdocs/blockedlog/admin/blockedlog_list.php @@ -35,7 +35,7 @@ $langs->loadLangs(array("admin", "other", "blockedlog", "bills")); if ((!$user->admin && !$user->rights->blockedlog->read) || empty($conf->blockedlog->enabled)) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'blockedloglist'; // To manage different context of search $backtopage = GETPOST('backtopage', 'alpha'); // Go back to a dedicated page $optioncss = GETPOST('optioncss', 'aZ'); // Option for the css output (always '' except when 'print') @@ -56,8 +56,8 @@ if (($search_start == -1 || empty($search_start)) && !GETPOSTISSET('search_start // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; 
diff --git a/htdocs/blockedlog/ajax/block-add.php b/htdocs/blockedlog/ajax/block-add.php
index 5aa344c0237..1102438f5b5 100644
--- a/htdocs/blockedlog/ajax/block-add.php
+++ b/htdocs/blockedlog/ajax/block-add.php
@@ -34,7 +34,7 @@ $res = require '../../main.inc.php';
 $id = GETPOST('id', 'int');
 $element = GETPOST('element', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 if ($element === 'facture') {
 require_once DOL_DOCUMENT_ROOT.'/blockedlog/class/blockedlog.class.php';
diff --git a/htdocs/bom/bom_agenda.php b/htdocs/bom/bom_agenda.php
index 43f1604e08c..d8361d30258 100644
--- a/htdocs/bom/bom_agenda.php
+++ b/htdocs/bom/bom_agenda.php
@@ -37,7 +37,7 @@ $langs->loadLangs(array("mrp", "other"));
 // Get parameters
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $cancel = GETPOST('cancel', 'aZ09');
 $backtopage = GETPOST('backtopage', 'alpha');
diff --git a/htdocs/bom/bom_list.php b/htdocs/bom/bom_list.php
index 6092f11aea5..121517b2544 100644
--- a/htdocs/bom/bom_list.php
+++ b/htdocs/bom/bom_list.php
@@ -45,8 +45,8 @@ $id = GETPOST('id', 'int');
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
-$sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action
 $offset = $limit * $page;
diff --git a/htdocs/bom/bom_note.php b/htdocs/bom/bom_note.php
index dce9bc82b06..df1693e84b0 100644
--- a/htdocs/bom/bom_note.php
+++ b/htdocs/bom/bom_note.php
@@ -33,7 +33,7 @@ $langs->loadLangs(array("mrp", "companies"));
 // Get parameters
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $cancel = GETPOST('cancel', 'aZ09');
 $backtopage = GETPOST('backtopage', 'alpha');
diff --git a/htdocs/bom/class/api_boms.class.php b/htdocs/bom/class/api_boms.class.php
index a6295d12589..b9123b8c226 100644
--- a/htdocs/bom/class/api_boms.class.php
+++ b/htdocs/bom/class/api_boms.class.php
@@ -99,7 +99,7 @@ class Boms extends DolibarrApi
 global $db, $conf;
 $obj_ret = array();
- $tmpobject = new BOM($db);
+ $tmpobject = new BOM($this->db);
 $socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : '';
@@ -139,7 +139,7 @@ class Boms extends DolibarrApi
 $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")";
 }
- $sql .= $db->order($sortfield, $sortorder);
+ $sql .= $this->db->order($sortfield, $sortorder);
 if ($limit) {
 if ($page < 0) {
@@ -147,18 +147,18 @@ class Boms extends DolibarrApi
 }
 $offset = $limit * $page;
- $sql .= $db->plimit($limit + 1, $offset);
+ $sql .= $this->db->plimit($limit + 1, $offset);
 }
- $result = $db->query($sql);
+ $result = $this->db->query($sql);
 if ($result) {
- $num = $db->num_rows($result);
+ $num = $this->db->num_rows($result);
 $i = 0;
 while ($i < $num) {
- $obj = $db->fetch_object($result);
- $bom_static = new BOM($db);
+ $obj = $this->db->fetch_object($result);
+ $bom_static = new BOM($this->db);
 if ($bom_static->fetch($obj->rowid)) {
 $obj_ret[] = $this->_cleanObjectDatas($bom_static);
 }
diff --git a/htdocs/bookmarks/admin/bookmark.php b/htdocs/bookmarks/admin/bookmark.php
index 2d8501130dc..9aa1989fa2e 100644
--- a/htdocs/bookmarks/admin/bookmark.php
+++ b/htdocs/bookmarks/admin/bookmark.php
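Review bot: In the `@@ -147` hunk of api_boms.class.php the query asks for `$limit + 1` rows (`$this->db->plimit($limit + 1, $offset)`) but the loop then walks all `$num` rows, so every full page returns one item more than the caller asked for; the categories endpoint touched by this same commit caps its loop with `$min = min($num, ($limit <= 0 ? $num : $limit));`, and the same cap (or simply `plimit($limit, $offset)`) belongs here. Related, `if ($bom_static->fetch($obj->rowid))` treats a negative error return as success because -1 is truthy in PHP; `if ($bom_static->fetch($obj->rowid) > 0)` is the intended check. The `global $db, $conf;` kept in the `@@ -99` hunk presumably leaves `$db` unused now that every call goes through `$this->db`, so it can probably be reduced to `global $conf;` once the rest of the method (outside these hunks) is checked.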
@@ -31,7 +31,7 @@ $langs->load("admin");
 if (!$user->admin) accessforbidden();
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 if ($action == 'setvalue') {
diff --git a/htdocs/bookmarks/list.php b/htdocs/bookmarks/list.php
index a4f0939c054..ca8e1d5c16a 100644
--- a/htdocs/bookmarks/list.php
+++ b/htdocs/bookmarks/list.php
@@ -27,7 +27,7 @@ require_once DOL_DOCUMENT_ROOT.'/bookmarks/class/bookmark.class.php';
 // Load translation files required by the page
 $langs->loadLangs(array('bookmarks', 'admin'));
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $massaction = GETPOST('massaction', 'alpha');
 $show_files = GETPOST('show_files', 'int');
 $confirm = GETPOST('confirm', 'alpha');
@@ -42,8 +42,8 @@ $optioncss = GETPOST('optioncss', 'alpha');
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
-$sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action
 $offset = $limit * $page;
diff --git a/htdocs/cashdesk/facturation.php b/htdocs/cashdesk/facturation.php
index e1a42aed012..85347e4c7ff 100644
--- a/htdocs/cashdesk/facturation.php
+++ b/htdocs/cashdesk/facturation.php
@@ -42,7 +42,7 @@ if (GETPOST('filtre', 'alpha')) {
 $sql = "SELECT p.rowid, p.ref, p.label, p.tva_tx, p.fk_product_type";
 if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= ", ps.reel";
 $sql .= " FROM ".MAIN_DB_PREFIX."product as p";
- if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$conf_fkentrepot."'";
+ if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$db->escape($conf_fkentrepot)."'";
 $sql .= " WHERE p.entity IN (".getEntity('product').")";
 $sql .= " AND p.tosell = 1";
 if (!$conf->global->CASHDESK_SERVICES) $sql .= " AND p.fk_product_type = 0";
@@ -92,7 +92,7 @@ if (GETPOST('filtre', 'alpha')) {
 $sql = "SELECT p.rowid, ref, label, tva_tx, p.fk_product_type";
 if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= ", ps.reel";
 $sql .= " FROM ".MAIN_DB_PREFIX."product as p";
- if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$conf_fkentrepot."'";
+ if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$db->escape($conf_fkentrepot)."'";
 $sql .= " WHERE p.entity IN (".getEntity('product').")";
 $sql .= " AND p.tosell = 1";
 if (!$conf->global->CASHDESK_SERVICES) $sql .= " AND p.fk_product_type = 0";
diff --git a/htdocs/cashdesk/facturation_dhtml.php b/htdocs/cashdesk/facturation_dhtml.php
index 99e1ed2f942..9ee4bdb856c 100644
--- a/htdocs/cashdesk/facturation_dhtml.php
+++ b/htdocs/cashdesk/facturation_dhtml.php
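Review bot: `ps.fk_entrepot` is a foreign-key column, so wrapping `$conf_fkentrepot` in `$db->escape()` inside quotes is the weaker fix here; casting it and dropping the quotes both removes the injection surface entirely and avoids a string-to-integer comparison in the JOIN: `AND ps.fk_entrepot = ".((int) $conf_fkentrepot)`. The same quoted-escape form appears in the second hunk of this file (`@@ -92`) and in the facturation_dhtml.php hunk, so all three should change together. Where `$conf_fkentrepot` is read from is outside these hunks, which is one more reason to prefer the cast regardless of its origin.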
@@ -45,7 +45,7 @@ if (dol_strlen($search) >= 0) // If search criteria is on char length at least
 $sql = "SELECT p.rowid, p.ref, p.label, p.tva_tx";
 if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= ", ps.reel";
 $sql .= " FROM ".MAIN_DB_PREFIX."product as p";
- if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$conf_fkentrepot."'";
+ if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$db->escape($conf_fkentrepot)."'";
 $sql .= " WHERE p.entity IN (".getEntity('product').")";
 $sql .= " AND p.tosell = 1";
 $sql .= " AND p.fk_product_type = 0";
diff --git a/htdocs/cashdesk/facturation_verif.php b/htdocs/cashdesk/facturation_verif.php
index c62e31b1e3f..16b4bfec017 100644
--- a/htdocs/cashdesk/facturation_verif.php
+++ b/htdocs/cashdesk/facturation_verif.php
@@ -29,7 +29,7 @@ require_once DOL_DOCUMENT_ROOT.'/cashdesk/class/Facturation.class.php';
 require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php';
 require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php';
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $obj_facturation = unserialize($_SESSION['serObjFacturation']);
 unset($_SESSION['serObjFacturation']);
diff --git a/htdocs/cashdesk/index_verif.php b/htdocs/cashdesk/index_verif.php
index 204af8f51f7..e8366e981cc 100644
--- a/htdocs/cashdesk/index_verif.php
+++ b/htdocs/cashdesk/index_verif.php
@@ -89,7 +89,7 @@ if ($retour >= 0)
 $sql = "SELECT rowid, lastname, firstname";
 $sql .= " FROM ".MAIN_DB_PREFIX."user";
- $sql .= " WHERE login = '".$username."'";
+ $sql .= " WHERE login = '".$db->escape($username)."'";
 $sql .= " AND entity IN (0,".$conf->entity.")";
 $result = $db->query($sql);
diff --git a/htdocs/categories/admin/categorie_extrafields.php b/htdocs/categories/admin/categorie_extrafields.php index bd285e5efaf..72151abdcdb 100644 --- a/htdocs/categories/admin/categorie_extrafields.php +++ b/htdocs/categories/admin/categorie_extrafields.php @@ -39,7 +39,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'categorie'; //Must be the $element of the class that manage extrafield diff --git a/htdocs/categories/card.php b/htdocs/categories/card.php index 8eb6c3d8eda..096a5497efd 100644 --- a/htdocs/categories/card.php +++ b/htdocs/categories/card.php @@ -88,6 +88,10 @@ if ($action == 'add' && $user->rights->categorie->creer) { header("Location: ".$urlfrom); exit; + } elseif ($backtopage) + { + header("Location: ".$backtopage); + exit; } elseif ($idProdOrigin) { header("Location: ".DOL_URL_ROOT.'/categories/viewcat.php?id='.$idProdOrigin.'&type='.$type); @@ -235,13 +239,13 @@ if ($user->rights->categorie->creer) // Ref print '
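Review bot: The new `elseif ($backtopage)` branch in categories/card.php sends a `Location:` header straight to a request-supplied value (`$backtopage` is presumably read with `GETPOST('backtopage', 'alpha')` earlier in the file, as it is in the other pages of this commit), which is the classic open-redirect shape: a crafted link can bounce a logged-in user to an external site right after a category is created. Restricting the target to a relative path under DOL_URL_ROOT, or rejecting values that parse to a host other than the current one, would close it; the neighbouring `$urlfrom` and `$idProdOrigin` branches build their targets server-side and do not have this issue. The enclosing `if ($action == 'add' ...)` block starts before this hunk.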
'; - print ''; // Description print ''; diff --git a/htdocs/categories/class/api_categories.class.php b/htdocs/categories/class/api_categories.class.php index 4a84a25e5ca..5f0a28340f9 100644 --- a/htdocs/categories/class/api_categories.class.php +++ b/htdocs/categories/class/api_categories.class.php @@ -155,7 +155,7 @@ class Categories extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -163,19 +163,19 @@ class Categories extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); - $category_static = new Categorie($db); + $obj = $this->db->fetch_object($result); + $category_static = new Categorie($this->db); if ($category_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($category_static); } @@ -183,7 +183,7 @@ class Categories extends DolibarrApi } } else { - throw new RestException(503, 'Error when retrieve category list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve category list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No category found'); diff --git a/htdocs/categories/class/categorie.class.php b/htdocs/categories/class/categorie.class.php index f9cf55e9a8c..1bc9f47ded4 100644 --- a/htdocs/categories/class/categorie.class.php +++ b/htdocs/categories/class/categorie.class.php 
@@ -1616,9 +1616,10 @@ class Categorie extends CommonObject * @param int $withpicto 0=No picto, 1=Include picto into link, 2=Only picto * @param string $option Sur quoi pointe le lien ('', 'xyz') * @param int $maxlength Max length of text + * @param string $moreparam More param on URL link * @return string Chaine avec URL */ - public function getNomUrl($withpicto = 0, $option = '', $maxlength = 0) + public function getNomUrl($withpicto = 0, $option = '', $maxlength = 0, $moreparam = '') { global $langs; @@ -1632,7 +1633,7 @@ class Categorie extends CommonObject if (colorIsLight($this->color)) $forced_color = 'categtextblack'; } - $link = ''; + $link = ''; $linkend = ''; $picto = 'category'; diff --git a/htdocs/categories/index.php b/htdocs/categories/index.php index ccdd8be58b9..35420759ded 100644 --- a/htdocs/categories/index.php +++ b/htdocs/categories/index.php @@ -39,6 +39,7 @@ if (!$user->rights->categorie->lire) accessforbidden(); $id = GETPOST('id', 'int'); $type = (GETPOST('type', 'aZ09') ? GETPOST('type', 'aZ09') : Categorie::TYPE_PRODUCT); $catname = GETPOST('catname', 'alpha'); +$nosearch = GETPOST('nosearch', 'int'); $categstatic = new Categorie($db); if (is_numeric($type)) $type = Categorie::$MAP_ID_TO_CODE[$type]; // For backward compatibility @@ -50,6 +51,8 @@ if (is_numeric($type)) $type = Categorie::$MAP_ID_TO_CODE[$type]; // For backwar $form = new Form($db); +$moreparam = ($nosearch ? '&nosearch=1' : ''); + $typetext = $type; if ($type == Categorie::TYPE_ACCOUNT) $title = $langs->trans('AccountsCategoriesArea'); elseif ($type == Categorie::TYPE_WAREHOUSE) $title = $langs->trans('StocksCategoriesArea'); 
@@ -64,70 +67,69 @@ $arrayofcss = array('/includes/jquery/plugins/jquerytreeview/jquery.treeview.css llxHeader('', $title, '', '', 0, 0, $arrayofjs, $arrayofcss); - $newcardbutton = ''; if (!empty($user->rights->categorie->creer)) { - $newcardbutton .= dolGetButtonTitle($langs->trans('NewCategory'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/categories/card.php?action=create&type='.$type.'&backtopage='.urlencode($_SERVER["PHP_SELF"].'?type='.$type)); + $newcardbutton .= dolGetButtonTitle($langs->trans('NewCategory'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/categories/card.php?action=create&type='.$type.'&backtopage='.urlencode($_SERVER["PHP_SELF"].'?type='.$type.$moreparam).$moreparam); } print load_fiche_titre($title, $newcardbutton, 'object_category'); -print '
'; +// Search categories +if (empty($nosearch)) { + print '
'; -/* - * Zone recherche produit/service - */ -print ''; -print ''; -print ''; + print ''; + print ''; + print ''; + print ''; -print '
'.$langs->trans("Ref").''; + print ''.$langs->trans("Ref").''; print'
'.$langs->trans("Description").''; require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php'; - $doleditor = new DolEditor('description', $description, '', 200, 'dolibarr_notes', '', false, true, $conf->global->FCKEDITOR_ENABLE_PRODUCTDESC, ROWS_6, '90%'); + $doleditor = new DolEditor('description', $description, '', 160, 'dolibarr_notes', '', false, true, $conf->global->FCKEDITOR_ENABLE_PRODUCTDESC, ROWS_5, '90%'); $doleditor->Create(); print '
'; -print ''; -print ''; -print ''; -print ''; -print '
'.$langs->trans("Search").'
'; -print $langs->trans("Name").':
'; + print ''; + print ''; + print ''; + print ''; + print ''; + print '
'.$langs->trans("Search").'
'; + print $langs->trans("Name").':
'; -print '
'; + print '
'; -/* - * Categories found - */ -if ($catname || $id > 0) -{ - $cats = $categstatic->rechercher($id, $catname, $typetext); - - print ''; - print ''; - - foreach ($cats as $cat) + /* + * Categories found + */ + if ($catname || $id > 0) { - print "\t".''."\n"; - print "\t\t\n"; - print "\t\t\n"; - print "\t\n"; - } - print "
'.$langs->trans("FoundCats").'
"; - $categstatic->id = $cat->id; - $categstatic->ref = $cat->label; - $categstatic->label = $cat->label; - $categstatic->type = $cat->type; - $categstatic->color = $cat->color; - print 'color ? ' style="background: #'.$categstatic->color.';"' : ' style="background: #aaa"').'>'; - print $categstatic->getNomUrl(1, ''); - print ''; - print ""; - print dolGetFirstLineOfText($cat->description); - print "
"; -} else print ' '; + $cats = $categstatic->rechercher($id, $catname, $typetext); + print ''; + print ''; -print ''; + foreach ($cats as $cat) + { + print "\t".''."\n"; + print "\t\t\n"; + print "\t\t\n"; + print "\t\n"; + } + print "
'.$langs->trans("FoundCats").'
"; + $categstatic->id = $cat->id; + $categstatic->ref = $cat->label; + $categstatic->label = $cat->label; + $categstatic->type = $cat->type; + $categstatic->color = $cat->color; + print 'color ? ' style="background: #'.$categstatic->color.';"' : ' style="background: #aaa"').'>'; + print $categstatic->getNomUrl(1, ''); + print ''; + print ""; + print dolGetFirstLineOfText($cat->description); + print "
"; + } else print ' '; + + print '
'; +} print '

'; @@ -156,7 +158,7 @@ foreach ($fulltree as $key => $val) $categstatic->ref = $val['label']; $categstatic->color = $val['color']; $categstatic->type = $type; - $li = $categstatic->getNomUrl(1, '', 60); + $li = $categstatic->getNomUrl(1, '', 60, $moreparam.'&backtolist='.urlencode($_SERVER["PHP_SELF"].'?type='.$type.$moreparam)); $desc = dol_htmlcleanlastbr($val['description']); $counter = ''; @@ -172,7 +174,7 @@ foreach ($fulltree as $key => $val) 'rowid'=>$val['rowid'], 'fk_menu'=>$val['fk_parent'], 'entry'=>''.$counter. - '
color ? ' style="background: #'.$categstatic->color.';"' : ' style="background: #aaa"').'>'.$li.''.img_view().'
' + ''.img_view().'' ); } diff --git a/htdocs/categories/traduction.php b/htdocs/categories/traduction.php index a8f3510c31b..cf3db3444c7 100644 --- a/htdocs/categories/traduction.php +++ b/htdocs/categories/traduction.php @@ -37,7 +37,7 @@ $langs->loadLangs(array('categories', 'languages')); $id = GETPOST('id', 'int'); $label = GETPOST('label', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $type = GETPOST('type', 'aZ09'); @@ -85,7 +85,7 @@ $cancel != $langs->trans("Cancel") && // check parameters $forcelangprod = GETPOST('forcelangprod', 'alpha'); $libelle = GETPOST('libelle', 'alpha'); - $desc = GETPOST('desc', 'none'); + $desc = GETPOST('desc', 'restricthtml'); if (empty($forcelangprod)) { $error++; @@ -338,7 +338,7 @@ if ($action == 'add' && ($user->rights->produit->creer || $user->rights->service print ''.$langs->trans('Label').''; print ''; print ''.$langs->trans('Description').''; - $doleditor = new DolEditor('desc', GETPOST('desc', 'none'), '', 160, 'dolibarr_notes', '', false, true, $conf->global->FCKEDITOR_ENABLE_PRODUCTDESC, ROWS_3, '90%'); + $doleditor = new DolEditor('desc', GETPOST('desc', 'restricthtml'), '', 160, 'dolibarr_notes', '', false, true, $conf->global->FCKEDITOR_ENABLE_PRODUCTDESC, ROWS_3, '90%'); $doleditor->Create(); print ''; diff --git a/htdocs/categories/viewcat.php b/htdocs/categories/viewcat.php index 0e5b50085c9..202a5770f06 100644 --- a/htdocs/categories/viewcat.php +++ b/htdocs/categories/viewcat.php 
@@ -51,10 +51,11 @@ $contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'myo $backtopage = GETPOST('backtopage', 'alpha'); // Go back to a dedicated page $optioncss = GETPOST('optioncss', 'aZ'); // Option for the css output (always '' except when 'print') + // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action $offset = $limit * $page; diff --git a/htdocs/collab/index.php b/htdocs/collab/index.php index 0c457fb6f47..7353ea881ee 100644 --- a/htdocs/collab/index.php +++ b/htdocs/collab/index.php @@ -39,7 +39,7 @@ $error = 0; $website = GETPOST('website', 'alpha'); $page = GETPOST('page', 'alpha'); $pageid = GETPOST('pageid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); if (GETPOST('delete')) { $action = 'delete'; } if (GETPOST('preview')) $action = 'preview'; diff --git a/htdocs/comm/action/card.php b/htdocs/comm/action/card.php index d24bf74e99f..0fe69fa10ea 100644 --- a/htdocs/comm/action/card.php +++ b/htdocs/comm/action/card.php 
@@ -50,7 +50,7 @@ require_once DOL_DOCUMENT_ROOT.'/categories/class/categorie.class.php'; // Load translation files required by the page $langs->loadLangs(array("companies", "other", "commercial", "bills", "orders", "agenda")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $backtopage = GETPOST('backtopage', 'alpha'); $socpeopleassigned = GETPOST('socpeopleassigned', 'array'); @@ -120,6 +120,12 @@ $parameters = array('socid' => $socid); $reshook = $hookmanager->executeHooks('doActions', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks if ($reshook < 0) setEventMessages($hookmanager->error, $hookmanager->errors, 'errors'); +$TRemindTypes = array(); +if (!empty($conf->global->AGENDA_REMINDER_EMAIL)) $TRemindTypes['email'] = $langs->trans('EMail'); +if (!empty($conf->global->AGENDA_REMINDER_BROWSER)) $TRemindTypes['browser'] = $langs->trans('BrowserPush'); + +$TDurationTypes = array('y'=>$langs->trans('Years'), 'm'=>$langs->trans('Month'), 'w'=>$langs->trans('Weeks'), 'd'=>$langs->trans('Days'), 'h'=>$langs->trans('Hours'), 'i'=>$langs->trans('Minutes')); + /* * Actions @@ -320,7 +326,7 @@ if (empty($reshook) && $action == 'add') if (GETPOST("doneby") > 0) $object->userdoneid = GETPOST("doneby", "int"); } - $object->note_private = trim(GETPOST("note", "none")); + $object->note_private = trim(GETPOST("note", "restricthtml")); if (isset($_POST["contactid"])) $object->contact = $contact; @@ -493,7 +499,7 @@ if (empty($reshook) && $action == 'update') $object->contact_id = key($object->socpeopleassigned); } $object->fk_project = GETPOST("projectid", 'int'); - $object->note_private = trim(GETPOST("note", "none")); + $object->note_private = trim(GETPOST("note", "restricthtml")); $object->fk_element = GETPOST("fk_element", "int"); $object->elementtype = GETPOST("elementtype", "alphanohtml"); @@ -789,6 +795,7 @@ if (empty($reshook)) { } + /* * View */ 
@@ -796,6 +803,13 @@ if (empty($reshook)) { $form = new Form($db); $formproject = new FormProjets($db); +$arrayrecurrulefreq = array( + 'no'=>$langs->trans("OnceOnly"), + 'MONTHLY'=>$langs->trans("EveryMonth"), + 'WEEKLY'=>$langs->trans("EveryWeek"), + //'DAYLY'=>$langs->trans("EveryDay") +); + $help_url = 'EN:Module_Agenda_En|FR:Module_Agenda|ES:M&omodulodulo_Agenda'; llxHeader('', $langs->trans("Agenda"), $help_url); @@ -945,14 +959,8 @@ if ($action == 'create') if ($userepeatevent) { // Repeat - print ''.$langs->trans("RepeatEvent").''; + print ''; print ''; - $arrayrecurrulefreq = array( - 'no'=>$langs->trans("No"), - 'MONTHLY'=>$langs->trans("EveryMonth"), - 'WEEKLY'=>$langs->trans("EveryWeek"), - //'DAYLY'=>$langs->trans("EveryDay") - ); $selectedrecurrulefreq = 'no'; $selectedrecurrulebymonthday = ''; $selectedrecurrulebyday = ''; @@ -1013,7 +1021,7 @@ if ($action == 'create') // Location if (empty($conf->global->AGENDA_DISABLE_LOCATION)) { - print ''.$langs->trans("Location").''; + print ''.$langs->trans("Location").''; } // Assigned to @@ -1082,9 +1090,9 @@ if ($action == 'create') $events[] = array('method' => 'getContacts', 'url' => dol_buildpath('/core/ajax/contacts.php?showempty=1', 1), 'htmlname' => 'contactid', 'params' => array('add-customer-contact' => 'disabled')); //For external user force the company to user company if (!empty($user->socid)) { - print $form->select_company($user->socid, 'socid', '', 1, 1, 0, $events, 0, 'minwidth300'); + print img_picto('', 'company', 'class="paddingrightonly"').$form->select_company($user->socid, 'socid', '', 1, 1, 0, $events, 0, 'minwidth300'); } else { - print $form->select_company('', 'socid', '', 'SelectThirdParty', 1, 0, $events, 0, 'minwidth300'); + print img_picto('', 'company', 'class="paddingrightonly"').$form->select_company('', 'socid', '', 'SelectThirdParty', 1, 0, $events, 0, 'minwidth300'); } } print ''; 
@@ -1093,7 +1101,7 @@ if ($action == 'create') print ''.$langs->trans("ActionOnContact").''; $preselectedids = GETPOST('socpeopleassigned', 'array'); if (GETPOST('contactid', 'int')) $preselectedids[GETPOST('contactid', 'int')] = GETPOST('contactid', 'int'); - print $form->selectcontacts(GETPOST('socid', 'int'), $preselectedids, 'socpeopleassigned[]', 1, '', '', 0, 'quatrevingtpercent', false, 0, array(), false, 'multiple', 'contactid'); + print img_picto('', 'contact', 'class="paddingrightonly"').$form->selectcontacts(GETPOST('socid', 'int'), $preselectedids, 'socpeopleassigned[]', 1, '', '', 0, 'quatrevingtpercent', false, 0, array(), false, 'multiple', 'contactid'); print ''; } @@ -1105,7 +1113,7 @@ if ($action == 'create') $projectid = GETPOST('projectid', 'int'); print ''.$langs->trans("Project").''; - + print img_picto('', 'project', 'class="paddingrightonly"'); $numproject = $formproject->select_projects((!empty($societe->id) ? $societe->id : -1), $projectid, 'projectid', 0, 0, 1, 1, 0, 0, 0, '', 0, 0, 'maxwidth500'); print ' '; @@ -1128,7 +1136,7 @@ if ($action == 'create') print ''; print ''.$langs->trans("Task").''; - + print img_picto('', 'projecttask', 'class="paddingrightonly"'); $projectsListId = false; if (!empty($projectid)) { $projectsListId = $projectid; } $tid = GETPOST("projecttaskid") ?GETPOST("projecttaskid") : ''; @@ -1164,7 +1172,7 @@ if ($action == 'create') // Description print ''.$langs->trans("Description").''; require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php'; - $doleditor = new DolEditor('note', (GETPOSTISSET('note') ? GETPOST('note', 'none') : $object->note_private), '', 180, 'dolibarr_notes', 'In', true, true, $conf->fckeditor->enabled, ROWS_4, '90%'); + $doleditor = new DolEditor('note', (GETPOSTISSET('note') ? GETPOST('note', 'restricthtml') : $object->note_private), '', 120, 'dolibarr_notes', 'In', true, true, $conf->fckeditor->enabled, ROWS_4, '90%'); $doleditor->Create(); print ''; 
@@ -1205,9 +1213,6 @@ if ($action == 'create') print ''; //Reminder Type - $TRemindTypes = array(); - if (!empty($conf->global->AGENDA_REMINDER_EMAIL)) $TRemindTypes['email'] = $langs->trans('EMail'); - if (!empty($conf->global->AGENDA_REMINDER_BROWSER)) $TRemindTypes['browser'] = $langs->trans('BrowserPush'); print ''.$langs->trans("ReminderType").''; print $form->selectarray('selectremindertype', $TRemindTypes); print ''; @@ -1298,7 +1303,7 @@ if ($id > 0) $object->contact_id = GETPOST("contactid", 'int'); $object->fk_project = GETPOST("projectid", 'int'); - $object_private = GETPOST("note", 'none'); + $object_private = GETPOST("note", 'restricthtml'); } if ($result2 < 0 || $result3 < 0 || $result4 < 0 || $result5 < 0) @@ -1389,7 +1394,7 @@ if ($id > 0) print ''.$langs->trans("EventOnFullDay").'fulldayevent ? ' checked' : '').'>'; // Date start - print ''.$langs->trans("DateActionStart").''; + print ''.$langs->trans("DateActionStart").' - '.$langs->trans("DateActionEnd").''; if (GETPOST("afaire") == 1) { print $form->selectDate($datep ? $datep : $object->datep, 'ap', 1, 1, 0, "action", 1, 1, 0, 'fulldaystart'); } elseif (GETPOST("afaire") == 2) { @@ -1397,9 +1402,7 @@ if ($id > 0) } else { print $form->selectDate($datep ? $datep : $object->datep, 'ap', 1, 1, 1, "action", 1, 1, 0, 'fulldaystart'); } - print ''; - // Date end - print ''.$langs->trans("DateActionEnd").''; + print ' - '; if (GETPOST("afaire") == 1) { print $form->selectDate($datef ? $datef : $object->datef, 'p2', 1, 1, 1, "action", 1, 1, 0, 'fulldayend'); } elseif (GETPOST("afaire") == 2) { @@ -1414,14 +1417,8 @@ if ($id > 0) if ($userepeatevent) { // Repeat - print ''.$langs->trans("RepeatEvent").''; + print ''; print ''; - $arrayrecurrulefreq = array( - 'no'=>$langs->trans("No"), - 'MONTHLY'=>$langs->trans("EveryMonth"), - 'WEEKLY'=>$langs->trans("EveryWeek"), - //'DAYLY'=>$langs->trans("EveryDay"), - ); $selectedrecurrulefreq = 'no'; $selectedrecurrulebymonthday = ''; $selectedrecurrulebyday = ''; 
@@ -1469,7 +1466,7 @@ if ($id > 0) // Status print ''.$langs->trans("Status").' / '.$langs->trans("Percentage").''; $percent = GETPOST("percentage") ? GETPOST("percentage") : $object->percentage; - $formactions->form_select_status_action('formaction', $percent, 1); + $formactions->form_select_status_action('formaction', $percent, 1, 'complete', 0, 0, 'maxwidth200'); print ''; // Location @@ -1554,7 +1551,7 @@ if ($id > 0) print '


'; - print ''; + print '
'; if ($conf->societe->enabled) { @@ -1566,14 +1563,14 @@ if ($id > 0) $events[] = array('method' => 'getContacts', 'url' => dol_buildpath('/core/ajax/contacts.php?showempty=1', 1), 'htmlname' => 'contactid', 'params' => array('add-customer-contact' => 'disabled')); // TODO Refresh also list of project if $conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY not defined with list linked to socid ? // FIXME If we change company, we may get a project that does not match - print $form->select_company($object->socid, 'socid', '', 'SelectThirdParty', 1, 0, $events, 0, 'minwidth200'); + print img_picto('', 'company', 'class="paddingrightonly"').$form->select_company($object->socid, 'socid', '', 'SelectThirdParty', 1, 0, $events, 0, 'minwidth200'); print ''; print ''; // related contact print ''; print ''; @@ -1585,6 +1582,7 @@ if ($id > 0) $langs->load("projects"); print '
'.$langs->trans("ActionOnContact").''; print '
'; - print $form->selectcontacts($object->socid, array_keys($object->socpeopleassigned), 'socpeopleassigned[]', 1, '', '', 1, 'quatrevingtpercent', false, 0, 0, array(), 'multiple', 'contactid'); + print img_picto('', 'contact', 'class="paddingrightonly"').$form->selectcontacts($object->socid, array_keys($object->socpeopleassigned), 'socpeopleassigned[]', 1, '', '', 1, 'quatrevingtpercent', false, 0, 0, array(), 'multiple', 'contactid'); print '
'; print '
'.$langs->trans("Project").''; + print img_picto('', 'project', 'class="paddingrightonly"'); $numprojet = $formproject->select_projects(($object->socid > 0 ? $object->socid : -1), $object->fk_project, 'projectid', 0, 0, 1, 0, 0, 0, 0, '', 0, 0, 'maxwidth500'); if ($numprojet == 0) { @@ -1661,6 +1659,48 @@ if ($id > 0) print '
'; + // Reminders + if ($conf->global->AGENDA_REMINDER_EMAIL || $conf->global->AGENDA_REMINDER_BROWSER) + { + $filtreuserid = $user->id; + if ($user->rights->agenda->allactions->read) $filtreuserid = 0; + $object->loadReminders('', $filteruserid); + + print '
'; + + print ''; + + print ''; + + print '
'.$langs->trans("Reminders").''; + + if (count($object->reminders) > 0) { + if (count($object->reminders) > 0) { + $tmpuserstatic = new User($db); + + foreach ($object->reminders as $actioncommreminderid => $actioncommreminder) { + print $TRemindTypes[$actioncommreminder->typeremind]; + if ($actioncommreminder->fk_user > 0) { + $tmpuserstatic->fetch($actioncommreminder->fk_user); + print ' ('.$tmpuser->getNomUrl(0, '', 0, 0, 16).')'; + } + print ' - '.$actioncommreminder->offsetvalue.' '.$TDurationTypes[$actioncommreminder->offsetunit]; + if ($actioncommreminder->status == $actioncommreminder::STATUS_TODO) { + print ' - '; + print $langs->trans("NotSent"); + print ' '; + } elseif ($actioncommreminder->status == $actioncommreminder::STATUS_DONE) { + print ' - '; + print $langs->trans("Done"); + print ' '; + } + } + } + } + + print '
'; + } + dol_fiche_end(); print '
'; @@ -1750,6 +1790,7 @@ if ($id > 0) dol_banner_tab($object, 'id', $linkback, ($user->socid ? 0 : 1), 'id', 'ref', $morehtmlref); print '
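Review bot: `$object->loadReminders('', $filteruserid);` in the new Reminders block reads a variable that is never assigned — the value computed two lines earlier is `$filtreuserid` — so `$fk_user` arrives as null, the `> 0` test in loadReminders() fails, and the per-user restriction intended for users without `allactions->read` is never applied; the call should be `$object->loadReminders('', $filtreuserid);`. In the same loop `$tmpuserstatic->fetch(...)` is followed by `$tmpuser->getNomUrl(0, '', 0, 0, 16)`, a different variable, so the name printed is either a fatal call on null or, where an earlier block happened to leave a `$tmpuser` behind, the wrong user; use `$tmpuserstatic` on that line too. The `if (count($object->reminders) > 0)` test is also nested twice and the inner one can go. The same three points apply to the view-mode Reminders hunk (`@@ -1918,24 +1961,59 @@`), whose lines are interleaved with other hunks further down.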
'; + print '
'; print '
'; @@ -1759,17 +1800,17 @@ if ($id > 0) // Type if (!empty($conf->global->AGENDA_USE_EVENT_TYPE)) { - print ''.$langs->trans("Type").''.$langs->trans($object->type).''; + print ''.$langs->trans("Type").''.$langs->trans($object->type).''; } // Full day event - print ''.$langs->trans("EventOnFullDay").''.yn($object->fulldayevent, 3).''; + print ''.$langs->trans("EventOnFullDay").''.yn($object->fulldayevent, 3).''; $rowspan = 4; if (empty($conf->global->AGENDA_DISABLE_LOCATION)) $rowspan++; // Date start - print ''.$langs->trans("DateActionStart").''; + print ''.$langs->trans("DateActionStart").''; if (!$object->fulldayevent) print dol_print_date($object->datep, 'dayhour'); else print dol_print_date($object->datep, 'day'); if ($object->percentage == 0 && $object->datep && $object->datep < ($now - $delay_warning)) print img_warning($langs->trans("Late")); @@ -1777,7 +1818,7 @@ if ($id > 0) print ''; // Date end - print ''.$langs->trans("DateActionEnd").''; + print ''.$langs->trans("DateActionEnd").''; if (!$object->fulldayevent) print dol_print_date($object->datef, 'dayhour'); else print dol_print_date($object->datef, 'day'); if ($object->percentage > 0 && $object->percentage < 100 && $object->datef && $object->datef < ($now - $delay_warning)) print img_warning($langs->trans("Late")); @@ -1786,11 +1827,11 @@ if ($id > 0) // Location if (empty($conf->global->AGENDA_DISABLE_LOCATION)) { - print ''.$langs->trans("Location").''.$object->location.''; + print ''.$langs->trans("Location").''.$object->location.''; } // Assigned to - print ''.$langs->trans("ActionAssignedTo").''; + print ''.$langs->trans("ActionAssignedTo").''; $listofuserid = array(); if (empty($donotclearsession)) { @@ -1840,7 +1881,7 @@ if ($id > 0) // Done by if ($conf->global->AGENDA_ENABLE_DONEBY) { - print ''.$langs->trans("ActionDoneBy").''; + print ''.$langs->trans("ActionDoneBy").''; if ($object->userdoneid > 0) { $tmpuser = new User($db); 
@@ -1852,14 +1893,16 @@ if ($id > 0) // Categories if ($conf->categorie->enabled) { - print ''.$langs->trans("Categories").''; + print ''.$langs->trans("Categories").''; print $form->showCategories($object->id, Categorie::TYPE_ACTIONCOMM, 1); print ""; } print ''; - print '
'; + print '
'; + + print '
'; print '
'; print ''; @@ -1867,7 +1910,7 @@ if ($id > 0) if ($conf->societe->enabled) { // Related company - print ''; - print ''; @@ -1918,24 +1961,59 @@ if ($id > 0) include_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php'; print ''; $link = dolGetElementUrl($object->fk_element, $object->elementtype, 1); - print ''; } // Description - print ''; // Other attributes - $cols = 3; include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_view.tpl.php'; + // Reminders + if ($conf->global->AGENDA_REMINDER_EMAIL || $conf->global->AGENDA_REMINDER_BROWSER) + { + $filtreuserid = $user->id; + if ($user->rights->agenda->allactions->read) $filtreuserid = 0; + $object->loadReminders('', $filteruserid); + + print ''; + } + print '
'.$langs->trans("ActionOnCompany").''.($object->thirdparty->id ? $object->thirdparty->getNomUrl(1) : (''.$langs->trans("None").'')); + print '
'.$langs->trans("ActionOnCompany").''.($object->thirdparty->id ? $object->thirdparty->getNomUrl(1) : (''.$langs->trans("None").'')); if (is_object($object->thirdparty) && $object->thirdparty->id > 0 && $object->type_code == 'AC_TEL') { if ($object->thirdparty->fetch($object->thirdparty->id)) @@ -1879,7 +1922,7 @@ if ($id > 0) // Related contact print '
'.$langs->trans("ActionOnContact").''; + print ''; if (!empty($object->socpeopleassigned)) { @@ -1907,7 +1950,7 @@ if ($id > 0) } // Priority - print '
'.$langs->trans("Priority").''; + print '
'.$langs->trans("Priority").''; print ($object->priority ? $object->priority : ''); print '
'.$langs->trans("LinkedObject").''; + print ''; if (empty($link)) print ''.$langs->trans("ObjectDeleted").''; else print $link; print '
'.$langs->trans("Description").''; + print '
'.$langs->trans("Description").''; print dol_string_onlythesehtmltags(dol_htmlentitiesbr($object->note_private)); print '
'.$langs->trans("Reminders").''; + + if (count($object->reminders) > 0) { + $tmpuserstatic = new User($db); + + foreach ($object->reminders as $actioncommreminderid => $actioncommreminder) { + print $TRemindTypes[$actioncommreminder->typeremind]; + if ($actioncommreminder->fk_user > 0) { + $tmpuserstatic->fetch($actioncommreminder->fk_user); + print ' ('.$tmpuser->getNomUrl(0, '', 0, 0, 16).')'; + } + print ' - '.$actioncommreminder->offsetvalue.' '.$TDurationTypes[$actioncommreminder->offsetunit]; + if ($actioncommreminder->status == $actioncommreminder::STATUS_TODO) { + print ' - '; + print $langs->trans("NotSent"); + print ' '; + } elseif ($actioncommreminder->status == $actioncommreminder::STATUS_DONE) { + print ' - '; + print $langs->trans("Done"); + print ' '; + } + } + } + + print '
'; print '
'; + print '
'; + print '
'; dol_fiche_end(); } diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php index dc82c0cfaa4..a5084bfac74 100644 --- a/htdocs/comm/action/class/actioncomm.class.php +++ b/htdocs/comm/action/class/actioncomm.class.php @@ -226,6 +226,10 @@ class ActionComm extends CommonObject */ public $otherassigned = array(); + /** + * @var array Array of reminders + */ + public $reminders = array(); /** * @var User Object user of owner @@ -1027,8 +1031,8 @@ class ActionComm extends CommonObject $sql .= ", location = ".($this->location ? "'".$this->db->escape($this->location)."'" : "null"); $sql .= ", transparency = '".$this->db->escape($this->transparency)."'"; $sql .= ", fk_user_mod = ".$user->id; - $sql .= ", fk_user_action=".($userownerid > 0 ? "'".$userownerid."'" : "null"); - $sql .= ", fk_user_done=".($userdoneid > 0 ? "'".$userdoneid."'" : "null"); + $sql .= ", fk_user_action = ".($userownerid > 0 ? "'".$this->db->escape($userownerid)."'" : "null"); + $sql .= ", fk_user_done = ".($userdoneid > 0 ? "'".$this->db->escape($userdoneid)."'" : "null"); if (!empty($this->fk_element)) $sql .= ", fk_element=".($this->fk_element ? $this->db->escape($this->fk_element) : "null"); if (!empty($this->elementtype)) $sql .= ", elementtype=".($this->elementtype ? "'".$this->db->escape($this->elementtype)."'" : "null"); $sql .= " WHERE id=".$this->id; @@ -1123,7 +1127,7 @@ class ActionComm extends CommonObject * Load all objects with filters. * @todo WARNING: This make a fetch on all records instead of making one request with a join. * - * @param DoliDb $db Database handler + * @param DoliDb $db Not used * @param int $socid Filter by thirdparty * @param int $fk_element Id of element action is linked to * @param string $elementtype Type of element action is linked to 
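Review bot: `fk_user_action` and `fk_user_done` are integer foreign keys, so quoting `$this->db->escape($userownerid)` is a weaker fit than the `(int)` cast this class already uses for `a.fk_element` in the `@@ -1156` hunk; `", fk_user_action = ".($userownerid > 0 ? (int) $userownerid : "null")` (and the same for `$userdoneid`) states the type and needs no quoting. The untouched `fk_user_mod = ".$user->id` and `WHERE id=".$this->id` on the neighbouring context lines follow the old pattern and could take the same cast in the same pass. The update() body starts and ends outside the hunk.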
@@ -1156,7 +1160,7 @@ class ActionComm extends CommonObject $sql .= " element_type = 'socpeople' AND fk_element = ".$fk_element.')'; } else { - $sql .= " AND a.fk_element = ".(int) $fk_element." AND a.elementtype = '".$elementtype."'"; + $sql .= " AND a.fk_element = ".(int) $fk_element." AND a.elementtype = '".$db->escape($elementtype)."'"; } } if (!empty($filter)) $sql .= $filter; 
@@ -1949,6 +1953,59 @@ class ActionComm extends CommonObject } + /** + * Load event reminder of events + * + * @param string $type Type of reminder 'browser' or 'email' + * @param int $fk_user Id of user + * @return int 0 if OK, <>0 if KO (this function is used also by cron so only 0 is OK) + */ + public function loadReminders($type = '', $fk_user = 0) + { + global $conf, $langs, $user; + + $error = 0; + + $this->reminders = array(); + + //Select all action comm reminders for event + $sql = "SELECT rowid as id, typeremind, dateremind, status, offsetvalue, offsetunit, fk_user"; + $sql .= " FROM ".MAIN_DB_PREFIX."actioncomm_reminder"; + $sql .= " WHERE fk_actioncomm = ".$this->id." AND dateremind <= '".$this->db->idate(dol_now())."'"; + if ($type) { + $sql .= " AND typeremind ='".$this->db->escape($type)."'"; + } + if ($fk_user > 0) { + $sql .= " AND fk_user = ".((int) $fk_user); + } + if (empty($conf->global->AGENDA_REMINDER_EMAIL)) $sql .= " AND typeremind != 'email'"; + if (empty($conf->global->AGENDA_REMINDER_BROWSER)) $sql .= " AND typeremind != 'browser'"; + + $sql .= $this->db->order("dateremind", "ASC"); + $resql = $this->db->query($sql); + + if ($resql) { + while ($obj = $this->db->fetch_object($resql)) { + $tmpactioncommreminder = new ActionCommReminder($this->db); + $tmpactioncommreminder->id = $obj->id; + $tmpactioncommreminder->typeremind = $obj->typeremind; + $tmpactioncommreminder->dateremind = $obj->dateremind; + $tmpactioncommreminder->offsetvalue = $obj->offsetvalue; + $tmpactioncommreminder->offsetunit = $obj->offsetunit; + $tmpactioncommreminder->status = $obj->status; + $tmpactioncommreminder->fk_user = $obj->fk_user; + + $this->reminders[$obj->id] = $tmpactioncommreminder; + } + } else { + $this->error = $this->db->lasterror(); + $error++; + } + + return count($this->reminders); + } + + /** * Send reminders by emails * CAN BE A CRON TASK 
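Review bot: The docblock promises `@return int 0 if OK, <>0 if KO`, but loadReminders() returns `count($this->reminders)` and the `$error` counter it increments when `$resql` is false is never consulted, so a failed query is indistinguishable from an event with no reminders; either `return -1;` in the else branch (with `$this->error` already set) or rewrite the docblock to say the method returns the number of reminders loaded and reports failures only through `$this->error`. `WHERE fk_actioncomm = ".$this->id."` interpolates the id without a cast while `$fk_user` on the line below gets `((int) $fk_user)`; `((int) $this->id)` keeps the two consistent. The `dateremind <= now` condition means callers such as the card pages only ever see reminders already due — if that is intended for display as well as for the cron, it deserves a sentence in the docblock. `global $langs, $user` are declared but unused.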
diff --git a/htdocs/comm/action/class/api_agendaevents.class.php b/htdocs/comm/action/class/api_agendaevents.class.php index 43d880b3866..473c87e22a0 100644 --- a/htdocs/comm/action/class/api_agendaevents.class.php +++ b/htdocs/comm/action/class/api_agendaevents.class.php @@ -148,7 +148,7 @@ class AgendaEvents extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -156,27 +156,27 @@ class AgendaEvents extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); - $actioncomm_static = new ActionComm($db); + $obj = $this->db->fetch_object($result); + $actioncomm_static = new ActionComm($this->db); if ($actioncomm_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($actioncomm_static); } $i++; } } else { - throw new RestException(503, 'Error when retrieve Agenda Event list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve Agenda Event list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No Agenda Event found'); diff --git a/htdocs/comm/action/class/cactioncomm.class.php b/htdocs/comm/action/class/cactioncomm.class.php index 147a6ff7ef0..6e86a556a1a 100644 --- a/htdocs/comm/action/class/cactioncomm.class.php +++ b/htdocs/comm/action/class/cactioncomm.class.php 
@@ -139,7 +139,7 @@ class CActionComm $sql .= " FROM ".MAIN_DB_PREFIX."c_actioncomm"; $sql .= " WHERE 1=1"; if ($active != '') $sql .= " AND active=".$active; - if (!empty($excludetype)) $sql .= " AND type <> '".$excludetype."'"; + if (!empty($excludetype)) $sql .= " AND type <> '".$this->db->escape($excludetype)."'"; if ($morefilter) $sql .= " AND ".$morefilter; $sql .= " ORDER BY module, position, type"; diff --git a/htdocs/comm/action/document.php b/htdocs/comm/action/document.php index 028de1e6fb7..bed4054e018 100644 --- a/htdocs/comm/action/document.php +++ b/htdocs/comm/action/document.php @@ -40,7 +40,7 @@ if (!empty($conf->projet->enabled)) require_once DOL_DOCUMENT_ROOT.'/projet/clas $langs->loadLangs(array('companies', 'commercial', 'other', 'bills')); $id = GETPOST('id', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); // Security check diff --git a/htdocs/comm/action/index.php b/htdocs/comm/action/index.php index 135f91c56f4..a48dc03aea2 100644 --- a/htdocs/comm/action/index.php +++ b/htdocs/comm/action/index.php @@ -79,7 +79,7 @@ if (!$user->rights->agenda->allactions->read || $filter == 'mine') // If no per $filtert = $user->id; } -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $resourceid = GETPOST("search_resourceid", "int"); $year = GETPOST("year", "int") ?GETPOST("year", "int") : date("Y"); $month = GETPOST("month", "int") ?GETPOST("month", "int") : date("m"); 
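Review bot: The escape added for `$excludetype` leaves the two adjacent filters as they were: `$active` is interpolated into `" AND active=".$active` guarded only by `!= ''`, and `$morefilter` is appended verbatim on the next line. `" AND active=".((int) $active)` closes the first; `$morefilter` appears to be meant as a raw SQL fragment, so a docblock line stating that it must not be built from request input would at least make that contract visible to callers. The enclosing method starts and ends outside the hunk.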
@@ -118,13 +118,13 @@ if ($action == 'default') // When action is default, we want a calendar view and { $action = (($defaultview != 'show_list') ? $defaultview : 'show_month'); } -if (GETPOST('viewcal', 'none') && GETPOST('action', 'alpha') != 'show_day' && GETPOST('action', 'alpha') != 'show_week') { +if (GETPOST('viewcal', 'restricthtml') && GETPOST('action', 'alpha') != 'show_day' && GETPOST('action', 'alpha') != 'show_week') { $action = 'show_month'; $day = ''; } // View by month -if (GETPOST('viewweek', 'none') || GETPOST('action', 'alpha') == 'show_week') { +if (GETPOST('viewweek', 'restricthtml') || GETPOST('action', 'alpha') == 'show_week') { $action = 'show_week'; $week = ($week ? $week : date("W")); $day = ($day ? $day : date("d")); } // View by week -if (GETPOST('viewday', 'none') || GETPOST('action', 'alpha') == 'show_day') { +if (GETPOST('viewday', 'restricthtml') || GETPOST('action', 'alpha') == 'show_day') { $action = 'show_day'; $day = ($day ? $day : date("d")); } // View by day @@ -810,7 +810,7 @@ if ($conf->global->AGENDA_SHOW_HOLIDAYS) if ($action == 'show_day') { // Request only leaves for the current selected day - $sql .= " AND '".$year."-".$month."-".$day."' BETWEEN x.date_debut AND x.date_fin"; + $sql .= " AND '".$db->escape($year)."-".$db->escape($month)."-".$db->escape($day)."' BETWEEN x.date_debut AND x.date_fin"; } elseif ($action == 'show_week') { // TODO: Add filter to reduce database request diff --git a/htdocs/comm/action/list.php b/htdocs/comm/action/list.php index ee47dbc3387..92975aafec0 100644 --- a/htdocs/comm/action/list.php +++ b/htdocs/comm/action/list.php 
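Review bot: In the `@@ -810` hunk, `$year` and `$month` already come from `GETPOST(..., 'int')` (visible in the `@@ -79` hunk on the previous line), so `$db->escape()` inside a quoted date literal is redundant where a cast is the precise tool; `$sql .= " AND '".((int) $year)."-".((int) $month)."-".((int) $day)."' BETWEEN x.date_debut AND x.date_fin";` also documents that only digits can reach the literal. In the `@@ -118` hunk the three `GETPOST('action', 'alpha')` comparisons on the changed lines still use `'alpha'` while `$action` itself was tightened to `'aZ09'`; the same filter there would keep the two consistent. `'restricthtml'` on `viewcal`/`viewweek`/`viewday`, which are only tested for truthiness, reads oddly — `'alpha'` would say what the value is used for; style only.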
@@ -40,7 +40,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/extrafields.class.php'; // Load translation files required by the page $langs->loadLangs(array("users", "companies", "agenda", "commercial", "other")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'actioncommlist'; // To manage different context of search $resourceid = GETPOST("search_resourceid", "int") ?GETPOST("search_resourceid", "int") : GETPOST("resourceid", "int"); 
@@ -519,20 +519,21 @@ if ($resql) $viewmode .= ''; - $newcardbutton = ''; - if ($user->rights->agenda->myactions->create || $user->rights->agenda->allactions->create) - { - $tmpforcreatebutton = dol_getdate(dol_now(), true); + $tmpforcreatebutton = dol_getdate(dol_now(), true); - $newparam .= '&month='.str_pad($month, 2, "0", STR_PAD_LEFT).'&year='.$tmpforcreatebutton['year']; + $newparam .= '&month='.str_pad($month, 2, "0", STR_PAD_LEFT).'&year='.$tmpforcreatebutton['year']; + + //$param='month='.$monthshown.'&year='.$year; + $hourminsec = '100000'; + + $url = DOL_URL_ROOT.'/comm/action/card.php?action=create'; + $url .= '&datep='.sprintf("%04d%02d%02d", $tmpforcreatebutton['year'], $tmpforcreatebutton['mon'], $tmpforcreatebutton['mday']).$hourminsec; + $url .= '&backtopage='.urlencode($_SERVER["PHP_SELF"].($newparam ? '?'.$newparam : '')); + + $newcardbutton = dolGetButtonTitle($langs->trans('AddAction'), '', 'fa fa-plus-circle', $url, '', $user->rights->agenda->myactions->create || $user->rights->agenda->allactions->create); - //$param='month='.$monthshown.'&year='.$year; - $hourminsec = '100000'; - $newcardbutton .= dolGetButtonTitle($langs->trans('AddAction'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/comm/action/card.php?action=create&datep='.sprintf("%04d%02d%02d", $tmpforcreatebutton['year'], $tmpforcreatebutton['mon'], $tmpforcreatebutton['mday']).$hourminsec.'&backtopage='.urlencode($_SERVER["PHP_SELF"].($newparam ? '?'.$newparam : ''))); - } $param .= '&action='.$action; - print_barre_liste($langs->trans("Agenda"), $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, $massactionbutton, $num, -1 * $nbtotalofrecords, 'object_action', 0, $nav.$newcardbutton, '', $limit, 0, 0, 1, $viewmode); print $s; diff --git a/htdocs/comm/action/rapport/index.php b/htdocs/comm/action/rapport/index.php index 6852ec2476b..fbb49772d3e 100644 --- a/htdocs/comm/action/rapport/index.php +++ b/htdocs/comm/action/rapport/index.php 
@@ -34,7 +34,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/modules/action/rapport.pdf.php'; // Load translation files required by the page $langs->loadLangs(array("agenda", "commercial")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $month = GETPOST('month', 'int'); $year = GETPOST('year', 'int'); diff --git a/htdocs/comm/admin/propal_extrafields.php b/htdocs/comm/admin/propal_extrafields.php index 699f290ed79..d154dc7aafb 100644 --- a/htdocs/comm/admin/propal_extrafields.php +++ b/htdocs/comm/admin/propal_extrafields.php @@ -39,7 +39,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'propal'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/comm/admin/propaldet_extrafields.php b/htdocs/comm/admin/propaldet_extrafields.php index 635ffaf8b37..1acdbfa5ca1 100644 --- a/htdocs/comm/admin/propaldet_extrafields.php +++ b/htdocs/comm/admin/propaldet_extrafields.php @@ -46,7 +46,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'propaldet'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/comm/card.php b/htdocs/comm/card.php index 2c20df32c90..18bd6b22ce0 100644 --- a/htdocs/comm/card.php +++ b/htdocs/comm/card.php 
@@ -203,7 +203,7 @@ if (empty($reshook)) $object->oldcopy = dol_clone($object); // Fill array 'array_options' with data from update form - $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'none')); + $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'restricthtml')); if ($ret < 0) $error++; if (!$error) { @@ -591,7 +591,7 @@ if ($object->id > 0) $icon = 'bill'; if ($link) $boxstat .= ''; $boxstat .= '
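Review bot: The third argument of `setOptionalsFromPost()` on the changed line appears to be an extrafield attribute name used as a key rather than free text, so `'restricthtml'` — which only strips dangerous HTML — is a loose fit; an identifier filter such as `GETPOST('attribute', 'aZ09')` or `'alphanohtml'` would match how `attrname` is read in the propal_extrafields hunks of this same commit (`GETPOST('attrname', 'alpha')`). The enclosing action block starts outside the hunk.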
'; - $boxstat .= ''.img_object("", $icon).' '.$text.'
'; + $boxstat .= ''.img_object("", $icon).' '.$text.'
'; $boxstat .= ''.price($outstandingTotal, 1, $langs, 1, -1, -1, $conf->currency).''; $boxstat .= '
'; if ($link) $boxstat .= '
'; @@ -609,7 +609,7 @@ if ($object->id > 0) $icon = 'bill'; if ($link) $boxstat .= ''; $boxstat .= '
'; - $boxstat .= ''.img_object("", $icon).' '.$text.'
'; + $boxstat .= ''.img_object("", $icon).' '.$text.'
'; $boxstat .= ''.price($outstandingTotal, 1, $langs, 1, -1, -1, $conf->currency).''; $boxstat .= '
'; if ($link) $boxstat .= '
'; @@ -627,7 +627,7 @@ if ($object->id > 0) $icon = 'bill'; if ($link) $boxstat .= ''; $boxstat .= '
'; - $boxstat .= ''.img_object("", $icon).' '.$text.'
'; + $boxstat .= ''.img_object("", $icon).' '.$text.'
'; $boxstat .= ''.price($outstandingTotal, 1, $langs, 1, -1, -1, $conf->currency).''; $boxstat .= '
'; if ($link) $boxstat .= '
'; @@ -643,7 +643,7 @@ if ($object->id > 0) $icon = 'bill'; if ($link) $boxstat .= ''; $boxstat .= '
'; - $boxstat .= ''.img_object("", $icon).' '.$text.'
'; + $boxstat .= ''.img_object("", $icon).' '.$text.'
'; $boxstat .= ''.price($outstandingOpened, 1, $langs, 1, -1, -1, $conf->currency).$warn.''; $boxstat .= '
'; if ($link) $boxstat .= '
'; diff --git a/htdocs/comm/contact.php b/htdocs/comm/contact.php index d3075916367..1038afa923f 100644 --- a/htdocs/comm/contact.php +++ b/htdocs/comm/contact.php @@ -29,8 +29,8 @@ require '../main.inc.php'; // Load translation files required by the page $langs->load("companies"); -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (!$sortorder) $sortorder = "ASC"; if (!$sortfield) $sortfield = "p.name"; diff --git a/htdocs/comm/index.php b/htdocs/comm/index.php index 555b5895fac..cfd2d67ea4e 100644 --- a/htdocs/comm/index.php +++ b/htdocs/comm/index.php @@ -1,11 +1,11 @@ - * Copyright (C) 2004-2015 Laurent Destailleur - * Copyright (C) 2005-2012 Regis Houssin - * Copyright (C) 2015 Jean-François Ferry - * Copyright (C) 2019 Nicolas ZABOURI - * Copyright (C) 2020 Pierre Ardoin - * Copyright (C) 2020 Tobias Sekan +/* Copyright (C) 2001-2005 Rodolphe Quiedeville + * Copyright (C) 2004-2015 Laurent Destailleur + * Copyright (C) 2005-2012 Regis Houssin + * Copyright (C) 2015 Jean-François Ferry + * Copyright (C) 2019 Nicolas ZABOURI + * Copyright (C) 2020 Pierre Ardoin + * Copyright (C) 2020 Tobias Sekan * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
@@ -22,33 +22,33 @@ */ /** - * \file htdocs/comm/index.php - * \ingroup commercial - * \brief Home page of commercial area + * \file htdocs/comm/index.php + * \ingroup commercial + * \brief Home page of commercial area */ require '../main.inc.php'; -require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; -require_once DOL_DOCUMENT_ROOT.'/societe/class/client.class.php'; -require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php'; -require_once DOL_DOCUMENT_ROOT.'/core/lib/agenda.lib.php'; -if (!empty($conf->contrat->enabled)) require_once DOL_DOCUMENT_ROOT.'/contrat/class/contrat.class.php'; -if (!empty($conf->propal->enabled)) require_once DOL_DOCUMENT_ROOT.'/comm/propal/class/propal.class.php'; -if (!empty($conf->supplier_proposal->enabled)) require_once DOL_DOCUMENT_ROOT.'/supplier_proposal/class/supplier_proposal.class.php'; -if (!empty($conf->commande->enabled)) require_once DOL_DOCUMENT_ROOT.'/commande/class/commande.class.php'; -if (!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SUPPLIERMOD) || ! empty($conf->supplier_order->enabled)) require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.commande.class.php'; if (!$user->rights->societe->lire) accessforbidden(); -$hookmanager = new HookManager($db); +require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; +require_once DOL_DOCUMENT_ROOT.'/core/lib/agenda.lib.php'; +require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php'; +require_once DOL_DOCUMENT_ROOT.'/comm/propal/class/propal.class.php'; +require_once DOL_DOCUMENT_ROOT.'/commande/class/commande.class.php'; +require_once DOL_DOCUMENT_ROOT.'/contrat/class/contrat.class.php'; +require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.commande.class.php'; +require_once DOL_DOCUMENT_ROOT.'/societe/class/client.class.php'; +require_once DOL_DOCUMENT_ROOT.'/supplier_proposal/class/supplier_proposal.class.php'; // Initialize technical object to manage hooks. 
Note that conf->hooks_modules contains array +$hookmanager = new HookManager($db); $hookmanager->initHooks(array('commercialindex')); // Load translation files required by the page -$langs->loadLangs(array("commercial", "propal")); +$langs->loadLangs(array("boxes", "commercial", "contracts", "orders", "propal", "supplier_proposal")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $bid = GETPOST('bid', 'int'); // Securite acces client @@ -58,7 +58,7 @@ if (isset($user->socid) && $user->socid > 0) { $socid = $user->socid; } -$max = 3; +$max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT; $now = dol_now(); /* @@ -84,7 +84,8 @@ print load_fiche_titre($langs->trans("CommercialArea"), '', 'commercial'); print '
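Review bot: `$max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT;` in the `@@ -58` hunk replaces the literal `3` with a configuration value that has no fallback, so on an installation where the constant is not defined `$max` is null and whatever limit it feeds further down is either silently dropped or becomes an invalid limit; `$max = (!empty($conf->global->MAIN_SIZE_SHORTLIST_LIMIT) ? (int) $conf->global->MAIN_SIZE_SHORTLIST_LIMIT : 3);` keeps the previous behaviour as the default. How `$max` is consumed is outside the hunk.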
'; -if (!empty($conf->global->MAIN_SEARCH_FORM_ON_HOME_AREAS)) { // This is useless due to the global search combo +// This is useless due to the global search combo +if (!empty($conf->global->MAIN_SEARCH_FORM_ON_HOME_AREAS)) { // Search proposal if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { $listofsearchfields['search_proposal'] = array('text'=>'Proposal'); @@ -136,19 +137,14 @@ if (!empty($conf->global->MAIN_SEARCH_FORM_ON_HOME_AREAS)) { // This is useless * Draft customer proposals */ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { - $langs->load("propal"); - - $sql = "SELECT p.rowid, p.ref, p.ref_client, p.total_ht, p.tva as total_tva, p.total as total_ttc, s.rowid as socid, s.nom as name, s.client, s.canvas"; - $sql .= ", s.code_client"; - $sql .= ", s.email"; - $sql .= ", s.entity"; - $sql .= ", s.code_compta"; + $sql = "SELECT p.rowid, p.ref, p.ref_client, p.total_ht, p.tva as total_tva, p.total as total_ttc"; + $sql .= ", s.rowid as socid, s.nom as name, s.client, s.canvas, s.code_client, s.email, s.entity, s.code_compta"; $sql .= " FROM ".MAIN_DB_PREFIX."propal as p"; $sql .= ", ".MAIN_DB_PREFIX."societe as s"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE p.fk_statut = 0"; + $sql .= " WHERE p.entity IN (".getEntity($propalstatic->element).")"; $sql .= " AND p.fk_soc = s.rowid"; - $sql .= " AND p.entity IN (".getEntity('propal').")"; + $sql .= " AND p.fk_statut = ".Propal::STATUS_DRAFT; if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; if ($socid) $sql .= " AND s.rowid = ".$socid; 
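Review bot: `getEntity($propalstatic->element)` on the new WHERE line in the `@@ -136` hunk relies on `$propalstatic` already being instantiated before the query is built, which the hunk does not show; if it is only created later for the result loop, the expression degrades to `getEntity('')` and the multi-entity restriction the old `getEntity('propal')` enforced would be lost — worth confirming, or keeping the string literal. The same question applies to `$supplierproposalstatic->element` in the `@@ -206` hunk. The context line `if ($socid) $sql .= " AND s.rowid = ".$socid;` could take `((int) $socid)` while the query is being reworked.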
@@ -157,7 +153,7 @@ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { $total = 0; $num = $db->num_rows($resql); $nbofloop = min($num, (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 500 : $conf->global->MAIN_MAXLIST_OVERLOAD)); - startSimpleTable("ProposalsDraft", "comm/propal/list.php", "search_status=0", 2, $num); + startSimpleTable("ProposalsDraft", "comm/propal/list.php", "search_status=".Propal::STATUS_DRAFT, 2, $num); if ($num > 0) { $i = 0; @@ -185,16 +181,17 @@ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { print ''; print ''.$propalstatic->getNomUrl(1).''; print ''.$companystatic->getNomUrl(1, 'customer', 16).''; - print ''.price($obj->total_ht).''; + print ''.price((!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc)).''; print ''; $i++; - $total += $obj->total_ht; + $total += (!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc); } } addSummaryTableLine(3, $num, $nbofloop, $total, "NoProposal"); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); 
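Review bot: The HT/TTC selector `(!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc)` is spelled out twice in this hunk (the `price(...)` call and the `$total +=` line) and again in the hunks at `@@ -251`, `@@ -326` and `@@ -395`, sometimes with outer parentheses and sometimes without. Evaluating `$usetotalht = !empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT);` once near the top of the page and writing `$amount = $usetotalht ? $obj->total_ht : $obj->total_ttc;` per row, then `print price($amount)` and `$total += $amount`, keeps the six copies from drifting apart. The enclosing `if` of the draft-proposals section starts outside the hunk.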
@@ -206,28 +203,23 @@ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { * Draft supplier proposals */ if (!empty($conf->supplier_proposal->enabled) && $user->rights->supplier_proposal->lire) { - $langs->load("supplier_proposal"); - - $sql = "SELECT p.rowid, p.ref, p.total_ht, p.tva as total_tva, p.total as total_ttc, s.rowid as socid, s.nom as name, s.client, s.canvas"; - $sql .= ", s.code_client"; - $sql .= ", s.code_fournisseur"; - $sql .= ", s.entity"; - $sql .= ", s.email"; + $sql = "SELECT p.rowid, p.ref, p.total_ht, p.tva as total_tva, p.total as total_ttc"; + $sql .= ", s.rowid as socid, s.nom as name, s.client, s.canvas, s.code_client, s.code_fournisseur, s.entity, s.email"; $sql .= " FROM ".MAIN_DB_PREFIX."supplier_proposal as p"; $sql .= ", ".MAIN_DB_PREFIX."societe as s"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE p.fk_statut = 0"; + $sql .= " WHERE p.entity IN (".getEntity($supplierproposalstatic->element).")"; + $sql .= " AND p.fk_statut = ".SupplierProposal::STATUS_DRAFT; $sql .= " AND p.fk_soc = s.rowid"; - $sql .= " AND p.entity IN (".getEntity('supplier_proposal').")"; if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; - if ($socid) $sql .= " AND s.rowid = ".$socid; + if ($socid) $sql .= " AND s.rowid = ".$socid; $resql = $db->query($sql); if ($resql) { $total = 0; $num = $db->num_rows($resql); $nbofloop = min($num, (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 500 : $conf->global->MAIN_MAXLIST_OVERLOAD)); - startSimpleTable("SupplierProposalsDraft", "supplier_proposal/list.php", "search_status=0", 2, $num); + startSimpleTable("SupplierProposalsDraft", "supplier_proposal/list.php", "search_status=".SupplierProposal::STATUS_DRAFT, 2, $num); if ($num > 0) { $i = 0; 
@@ -251,18 +243,19 @@ if (!empty($conf->supplier_proposal->enabled) && $user->rights->supplier_proposa $companystatic->email = $obj->email; print ''; - print ''.$supplierproposalstatic->getNomUrl(1).''; + print ''.$supplierproposalstatic->getNomUrl(1).''; print ''.$companystatic->getNomUrl(1, 'supplier', 16).''; - print ''.price($obj->total_ht).''; + print ''.price(!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc).''; print ''; $i++; - $total += $obj->total_ht; + $total += (!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc); } } addSummaryTableLine(3, $num, $nbofloop, $total, "NoProposal"); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); 
@@ -274,28 +267,23 @@ if (!empty($conf->supplier_proposal->enabled) && $user->rights->supplier_proposa * Draft customer orders */ if (!empty($conf->commande->enabled) && $user->rights->commande->lire) { - $langs->load("orders"); - - $sql = "SELECT c.rowid, c.ref, c.ref_client, c.total_ht, c.tva as total_tva, c.total_ttc, s.rowid as socid, s.nom as name, s.client, s.canvas"; - $sql .= ", s.code_client"; - $sql .= ", s.email"; - $sql .= ", s.entity"; - $sql .= ", s.code_compta"; + $sql = "SELECT c.rowid, c.ref, c.ref_client, c.total_ht, c.tva as total_tva, c.total_ttc"; + $sql .= ", s.rowid as socid, s.nom as name, s.client, s.canvas, s.code_client, s.email, s.entity, s.code_compta"; $sql .= " FROM ".MAIN_DB_PREFIX."commande as c"; $sql .= ", ".MAIN_DB_PREFIX."societe as s"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE c.fk_soc = s.rowid"; - $sql .= " AND c.fk_statut = 0"; - $sql .= " AND c.entity IN (".getEntity('commande').")"; + $sql .= " WHERE c.entity IN (".getEntity($orderstatic->element).")"; + $sql .= " AND c.fk_statut = ".Commande::STATUS_DRAFT; + $sql .= " AND c.fk_soc = s.rowid"; if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; - if ($socid) $sql .= " AND c.fk_soc = ".$socid; + if ($socid) $sql .= " AND c.fk_soc = ".$socid; $resql = $db->query($sql); if ($resql) { $total = 0; $num = $db->num_rows($resql); $nbofloop = min($num, (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 500 : $conf->global->MAIN_MAXLIST_OVERLOAD)); - startSimpleTable("DraftOrders", "commande/list.php", "search_status=0", 2, $num); + startSimpleTable("DraftOrders", "commande/list.php", "search_status=".Commande::STATUS_DRAFT, 2, $num); if ($num > 0) { $i = 0; 
@@ -326,12 +314,13 @@ if (!empty($conf->commande->enabled) && $user->rights->commande->lire) { print ''; $i++; - $total += $obj->total_ttc; + $total += (!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc); } } addSummaryTableLine(3, $num, $nbofloop, $total, "NoProposal"); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); 
@@ -343,28 +332,23 @@ if (!empty($conf->commande->enabled) && $user->rights->commande->lire) { * Draft suppliers orders */ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SUPPLIERMOD) || !empty($conf->supplier_order->enabled)) && $user->rights->fournisseur->commande->lire) { - $langs->load("orders"); - - $sql = "SELECT cf.rowid, cf.ref, cf.ref_supplier, cf.total_ttc, s.rowid as socid, s.nom as name, s.client, s.canvas"; - $sql .= ", s.code_client"; - $sql .= ", s.code_fournisseur"; - $sql .= ", s.entity"; - $sql .= ", s.email"; + $sql = "SELECT cf.rowid, cf.ref, cf.ref_supplier, cf.total_ttc"; + $sql .= ", s.rowid as socid, s.nom as name, s.client, s.canvas, s.code_client, s.code_fournisseur, s.entity, s.email"; $sql .= " FROM ".MAIN_DB_PREFIX."commande_fournisseur as cf"; $sql .= ", ".MAIN_DB_PREFIX."societe as s"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE cf.fk_soc = s.rowid"; - $sql .= " AND cf.fk_statut = 0"; - $sql .= " AND cf.entity IN (".getEntity('supplier_order').")"; + $sql .= " WHERE cf.entity IN (".getEntity($supplierorderstatic->element).")"; + $sql .= " AND cf.fk_statut = ".CommandeFournisseur::STATUS_DRAFT; + $sql .= " AND cf.fk_soc = s.rowid"; if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; - if ($socid) $sql .= " AND cf.fk_soc = ".$socid; + if ($socid) $sql .= " AND cf.fk_soc = ".$socid; $resql = $db->query($sql); if ($resql) { $total = 0; $num = $db->num_rows($resql); $nbofloop = min($num, (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 500 : $conf->global->MAIN_MAXLIST_OVERLOAD)); - startSimpleTable("DraftSuppliersOrders", "fourn/commande/list.php", "search_status=0", 2, $num); + startSimpleTable("DraftSuppliersOrders", "fourn/commande/list.php", "search_status=".CommandeFournisseur::STATUS_DRAFT, 2, $num); if ($num > 0) { $i = 0; 
@@ -395,39 +379,33 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU print ''; $i++; - $total += $obj->total_ttc; + $total += (!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc); } } addSummaryTableLine(3, $num, $nbofloop, $total, "NoProposal"); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); } } -print '
'; - -$max = 3; +print '
'; +print '
'; /* * Last modified customers or prospects */ if (!empty($conf->societe->enabled) && $user->rights->societe->lire) { - $langs->load("boxes"); - - $sql = "SELECT s.rowid, s.nom as name, s.client, s.datec, s.tms, s.canvas"; - $sql .= ", s.code_client"; - $sql .= ", s.code_compta"; - $sql .= ", s.entity"; - $sql .= ", s.email"; + $sql = "SELECT s.rowid, s.nom as name, s.client, s.datec, s.tms, s.canvas, s.code_client, s.code_compta, s.entity, s.email"; $sql .= " FROM ".MAIN_DB_PREFIX."societe as s"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE s.client IN (1, 2, 3)"; - $sql .= " AND s.entity IN (".getEntity($companystatic->element).")"; + $sql .= " WHERE s.entity IN (".getEntity($companystatic->element).")"; + $sql .= " AND s.client IN (".Societe::CUSTOMER.", ".Societe::PROSPECT.", ".Societe::CUSTOMER_AND_PROSPECT.")"; if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; - if ($socid) $sql .= " AND s.rowid = $socid"; + if ($socid) $sql .= " AND s.rowid = $socid"; $sql .= " ORDER BY s.tms DESC"; $sql .= $db->plimit($max, 0); @@ -474,6 +452,7 @@ if (!empty($conf->societe->enabled) && $user->rights->societe->lire) { addSummaryTableLine(3, $num); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); 
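Review bot: `if ($socid) $sql .= " AND s.rowid = $socid";` uses string interpolation while every other section in this commit appends the same condition as `" AND s.rowid = ".$socid`; one form should be used throughout so the SQL-building style stays uniform. This hunk also removes the `$max = 3;` reset, so `$db->plimit($max, 0)` below now depends entirely on the value assigned from `MAIN_SIZE_SHORTLIST_LIMIT` at the top of the page.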
@@ -485,18 +464,13 @@ if (!empty($conf->societe->enabled) && $user->rights->societe->lire) { * Last suppliers */ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SUPPLIERMOD) || !empty($conf->supplier_order->enabled) || !empty($conf->supplier_invoice->enabled)) && $user->rights->societe->lire) { - $langs->load("boxes"); - - $sql = "SELECT s.nom as name, s.rowid, s.datec as dc, s.canvas, s.tms as dm"; - $sql .= ", s.code_fournisseur"; - $sql .= ", s.entity"; - $sql .= ", s.email"; + $sql = "SELECT s.nom as name, s.rowid, s.datec as dc, s.canvas, s.tms as dm, s.code_fournisseur, s.entity, s.email"; $sql .= " FROM ".MAIN_DB_PREFIX."societe as s"; if (!$user->rights->societe->client->voir && !$user->socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE s.fournisseur = 1"; - $sql .= " AND s.entity IN (".getEntity($companystatic->element).")"; + $sql .= " WHERE s.entity IN (".getEntity($companystatic->element).")"; + $sql .= " AND s.fournisseur = ".Societe::SUPPLIER; if (!$user->rights->societe->client->voir && !$user->socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; - if ($socid) $sql .= " AND s.rowid = ".$socid; + if ($socid) $sql .= " AND s.rowid = ".$socid; $sql .= " ORDER BY s.datec DESC"; $sql .= $db->plimit($max, 0); @@ -529,6 +503,7 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU addSummaryTableLine(2, $num); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); @@ -548,7 +523,7 @@ if ($user->rights->agenda->myactions->read) { * Actions to do */ if ($user->rights->agenda->myactions->read) { - show_array_actions_to_do(10); + show_array_actions_to_do($max); } 
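Review bot: The sales-representative restriction in the "Last suppliers" query is keyed on `!$user->socid` (both the `societe_commerciaux` join and the `sc.fk_user` filter), whereas every other section of the page tests `!$socid`, and the `if ($socid)` filter in the same query uses `$socid` too. If `$socid` can be set from something other than `$user->socid` outside the hunk, the join and the filter can disagree; using `!$socid` here as in the sibling queries removes the ambiguity.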
@@ -556,33 +531,29 @@ if ($user->rights->agenda->myactions->read) { * Latest contracts */ if (!empty($conf->contrat->enabled) && $user->rights->contrat->lire && 0) { // TODO A REFAIRE DEPUIS NOUVEAU CONTRAT - $langs->load("contracts"); + $staticcontrat = new Contrat($db); - $sql = "SELECT s.nom as name, s.rowid, s.canvas, "; - $sql .= ", s.code_client"; - $sql .= ", s.entity"; - $sql .= ", s.email"; + $sql = "SELECT s.nom as name, s.rowid, s.canvas, s.code_client, s.entity, s.email"; $sql .= ", c.statut, c.rowid as contratid, p.ref, c.fin_validite as datefin, c.date_cloture as dateclo"; $sql .= " FROM ".MAIN_DB_PREFIX."societe as s"; $sql .= ", ".MAIN_DB_PREFIX."contrat as c"; $sql .= ", ".MAIN_DB_PREFIX."product as p"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE c.fk_soc = s.rowid"; - $sql .= " AND c.entity IN (".getEntity('contract').")"; + $sql .= " WHERE c.entity IN (".getEntity($staticcontrat->element).")"; + $sql .= " AND c.fk_soc = s.rowid"; $sql .= " AND c.fk_product = p.rowid"; - if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; + if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; if ($socid) $sql .= " AND s.rowid = ".$socid; $sql .= " ORDER BY c.tms DESC"; - $sql .= $db->plimit(5, 0); + $sql .= $db->plimit($max + 1, 0); $resql = $db->query($sql); if ($resql) { $num = $db->num_rows($resql); - startSimpleTable($langs->trans("LastContracts", 5), "", "", 2); + startSimpleTable($langs->trans("LastContracts", $max), "", "", 2); if ($num > 0) { $i = 0; - $staticcontrat = new Contrat($db); while ($i < $num) { $obj = $db->fetch_object($resql); @@ -607,6 +578,7 @@ if (!empty($conf->contrat->enabled) && $user->rights->contrat->lire && 0) { // T addSummaryTableLine(2, $num); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); 
@@ -615,38 +587,43 @@ if (!empty($conf->contrat->enabled) && $user->rights->contrat->lire && 0) { // T /* - * Opened proposals + * Opened (validated) proposals */ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { - $langs->load("propal"); - - $sql = "SELECT s.nom as name, s.rowid, s.code_client"; - $sql .= ", s.entity"; - $sql .= ", s.email"; - $sql .= ", p.rowid as propalid, p.entity, p.total as total_ttc, p.total_ht, p.tva as total_tva, p.ref, p.ref_client, p.fk_statut, p.datep as dp, p.fin_validite as dfv"; - $sql .= " FROM ".MAIN_DB_PREFIX."societe as s"; - $sql .= ", ".MAIN_DB_PREFIX."propal as p"; + $sql = "SELECT p.rowid as propalid, p.entity, p.total as total_ttc, p.total_ht, p.tva as total_tva, p.ref, p.ref_client, p.fk_statut, p.datep as dp, p.fin_validite as dfv"; + $sql .= ", s.nom as name, s.rowid, s.code_client, s.entity, s.email"; + $sql .= " FROM ".MAIN_DB_PREFIX."propal as p"; + $sql .= ", ".MAIN_DB_PREFIX."societe as s"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE p.fk_soc = s.rowid"; - $sql .= " AND p.entity IN (".getEntity('propal').")"; - $sql .= " AND p.fk_statut = 1"; + $sql .= " WHERE p.entity IN (".getEntity($propalstatic->element).")"; + $sql .= " AND p.fk_soc = s.rowid"; + $sql .= " AND p.fk_statut = ".Propal::STATUS_VALIDATED; if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; if ($socid) $sql .= " AND s.rowid = ".$socid; $sql .= " ORDER BY p.rowid DESC"; $resql = $db->query($sql); if ($resql) { - $total = 0; + $total = $total_ttc = 0; $num = $db->num_rows($resql); $nbofloop = min($num, (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 
500 : $conf->global->MAIN_MAXLIST_OVERLOAD)); startSimpleTable("ProposalsOpened", "comm/propal/list.php", "search_status=1", 4, $num); if ($num > 0) { $i = 0; + $othernb = 0; while ($i < $nbofloop) { $obj = $db->fetch_object($resql); + if ($i >= $max) { + $othernb += 1; + $i++; + $total += $obj->total_ht; + $total_ttc += $obj->total_ttc; + continue; + } + $propalstatic->id = $obj->propalid; $propalstatic->ref = $obj->ref; $propalstatic->ref_client = $obj->ref_client; @@ -663,24 +640,21 @@ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { $companystatic->entity = $obj->entity; $companystatic->email = $obj->email; - print ''; - - // Ref - print ''; - print ''; - print ''; - print ''; - print '
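Review bot: `startSimpleTable("ProposalsOpened", "comm/propal/list.php", "search_status=1", 4, $num);` keeps the literal 1 although the WHERE clause just above was changed to `Propal::STATUS_VALIDATED` and the equivalent orders table in the `@@ -704` hunk was switched to `Commande::STATUS_VALIDATED`. Use `"search_status=".Propal::STATUS_VALIDATED` so the list link and the query cannot diverge. The enclosing `if` of this section starts outside the hunk.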
'; - print $propalstatic->getNomUrl(1); - print ''; - if ($db->jdate($obj->dfv) < ($now - $conf->propal->cloture->warning_delay)) print img_warning($langs->trans("Late")); - print ''; $filename = dol_sanitizeFileName($obj->ref); $filedir = $conf->propal->multidir_output[$obj->entity].'/'.dol_sanitizeFileName($obj->ref); $urlsource = $_SERVER['PHP_SELF'].'?id='.$obj->propalid; - print $formfile->getDocumentsLink($propalstatic->element, $filename, $filedir); - print '
'; - print ""; + $warning = ($db->jdate($obj->dfv) < ($now - $conf->propal->cloture->warning_delay)) ? img_warning($langs->trans("Late")) : ''; + + print ''; + + print ''; + print ''; + print ''; + print ''; + print ''; + print ''; + print '
'.$propalstatic->getNomUrl(1).''.$warning.''.$formfile->getDocumentsLink($propalstatic->element, $filename, $filedir).'
'; + print ''; print ''.$companystatic->getNomUrl(1, 'customer', 44).''; print ''.dol_print_date($db->jdate($obj->dp), 'day').''; @@ -690,12 +664,22 @@ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { print ''; $i++; - $total += $obj->total_ttc; + $total += $obj->total_ht; + $total_ttc += $obj->total_ttc; + } + + if ($othernb) { + print ''; + print ''; + print ''.$langs->trans("More").'... ('.$othernb.')'; + print ''; + print "\n"; } } - addSummaryTableLine(5, $num, $nbofloop, $total, "NoProposal", true); + addSummaryTableLine(5, $num, $nbofloop, empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $total_ttc : $total, "NoProposal", true); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); 
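Review bot: With `$total += $obj->total_ht;` and `$total_ttc += $obj->total_ttc;` the variable `$total` now holds the HT sum while its sibling is explicitly named `$total_ttc`, which makes the `empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $total_ttc : $total` argument to `addSummaryTableLine` harder to read than it needs to be. Renaming it `$total_ht` (here, in the `$i >= $max` branch of the previous hunk, and in the matching orders hunk at `@@ -752`) makes the pair self-describing. The loop this hunk closes starts outside the hunk.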
@@ -704,38 +688,43 @@ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { /* - * Opened Order + * Opened (validated) order */ if (!empty($conf->commande->enabled) && $user->rights->commande->lire) { - $langs->load("orders"); - - $sql = "SELECT s.nom as name, s.rowid, c.rowid as commandeid, c.total_ttc, c.total_ht, c.tva as total_tva, c.ref, c.ref_client, c.fk_statut, c.date_valid as dv, c.facture as billed"; - $sql .= ", s.code_client"; - $sql .= ", s.entity"; - $sql .= ", s.email"; - $sql .= " FROM ".MAIN_DB_PREFIX."societe as s"; - $sql .= ", ".MAIN_DB_PREFIX."commande as c"; + $sql = "SELECT c.rowid as commandeid, c.total_ttc, c.total_ht, c.tva as total_tva, c.ref, c.ref_client, c.fk_statut, c.date_valid as dv, c.facture as billed"; + $sql .= ", s.nom as name, s.rowid, s.code_client, s.entity, s.email"; + $sql .= " FROM ".MAIN_DB_PREFIX."commande as c"; + $sql .= ", ".MAIN_DB_PREFIX."societe as s"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE c.fk_soc = s.rowid"; - $sql .= " AND c.entity IN (".getEntity('commande').")"; - $sql .= " AND (c.fk_statut = ".Commande::STATUS_VALIDATED." or c.fk_statut = ".Commande::STATUS_SHIPMENTONPROCESS.")"; + $sql .= " WHERE c.entity IN (".getEntity($orderstatic->element).")"; + $sql .= " AND c.fk_soc = s.rowid"; + $sql .= " AND c.fk_statut IN (".Commande::STATUS_VALIDATED.", ".Commande::STATUS_SHIPMENTONPROCESS.")"; if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; if ($socid) $sql .= " AND s.rowid = ".$socid; $sql .= " ORDER BY c.rowid DESC"; $resql = $db->query($sql); if ($resql) { - $total = 0; + $total = $total_ttc = 0; $num = $db->num_rows($resql); $nbofloop = min($num, (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 
500 : $conf->global->MAIN_MAXLIST_OVERLOAD)); - startSimpleTable("OrdersOpened", "commande/list.php", "search_status=1", 4, $num); + startSimpleTable("OrdersOpened", "commande/list.php", "search_status=".Commande::STATUS_VALIDATED, 4, $num); if ($num > 0) { $i = 0; + $othernb = 0; while ($i < $nbofloop) { $obj = $db->fetch_object($resql); + if ($i >= $max) { + $othernb += 1; + $i++; + $total += $obj->total_ht; + $total_ttc += $obj->total_ttc; + continue; + } + $orderstatic->id = $obj->commandeid; $orderstatic->ref = $obj->ref; $orderstatic->ref_client = $obj->ref_client; @@ -752,45 +741,55 @@ if (!empty($conf->commande->enabled) && $user->rights->commande->lire) { $companystatic->entity = $obj->entity; $companystatic->email = $obj->email; - print ''; - - // Ref - print ''; - print ''; - print ''; - print ''; - print '
'; - print $orderstatic->getNomUrl(1); - print ''; - //if ($db->jdate($obj->dfv) < ($now - $conf->propal->cloture->warning_delay)) print img_warning($langs->trans("Late")); - print ''; $filename = dol_sanitizeFileName($obj->ref); $filedir = $conf->commande->dir_output.'/'.dol_sanitizeFileName($obj->ref); $urlsource = $_SERVER['PHP_SELF'].'?id='.$obj->propalid; - print $formfile->getDocumentsLink($orderstatic->element, $filename, $filedir); - print '
'; - print ""; + //$warning = ($db->jdate($obj->dfv) < ($now - $conf->propal->cloture->warning_delay)) ? img_warning($langs->trans("Late")) : ''; + + print ''; + + print ''; + print ''; + print ''; + print ''; + print ''; + print ''; + print '
'.$orderstatic->getNomUrl(1).''.$formfile->getDocumentsLink($orderstatic->element, $filename, $filedir).'
'; + print ''; print ''.$companystatic->getNomUrl(1, 'customer', 44).''; print ''.dol_print_date($db->jdate($obj->dp), 'day').''; print ''.price(!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc).''; print ''.$orderstatic->LibStatut($obj->fk_statut, $obj->billed, 3).''; - print ''."\n"; + + print ''; $i++; - $total += $obj->total_ttc; + $total += $obj->total_ht; + $total_ttc += $obj->total_ttc; + } + + if ($othernb) { + print ''; + print ''; + print ''.$langs->trans("More").'... ('.$othernb.')'; + print ''; + print "\n"; } } - addSummaryTableLine(5, $num, $nbofloop, $num, $total, "None", true); + addSummaryTableLine(5, $num, $nbofloop, empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $total_ttc : $total, "None", true); finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); } } -print '
'; +print '
'; +print '
'; +print '
'; $parameters = array('user' => $user); $reshook = $hookmanager->executeHooks('dashboardCommercials', $parameters, $object); // Note that $action and $object may have been modified by hook diff --git a/htdocs/comm/mailing/advtargetemailing.php b/htdocs/comm/mailing/advtargetemailing.php index da24f7bcb4f..29b06819e9e 100644 --- a/htdocs/comm/mailing/advtargetemailing.php +++ b/htdocs/comm/mailing/advtargetemailing.php @@ -46,8 +46,8 @@ if (!$user->rights->mailing->lire || $user->socid > 0) // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/comm/mailing/card.php b/htdocs/comm/mailing/card.php index ccccc93da4f..13037b58769 100644 --- a/htdocs/comm/mailing/card.php +++ b/htdocs/comm/mailing/card.php @@ -41,7 +41,7 @@ $langs->load("mails"); if (!$user->rights->mailing->lire || (empty($conf->global->EXTERNAL_USERS_ARE_AUTHORIZED) && $user->socid > 0)) accessforbidden(); $id = (GETPOST('mailid', 'int') ? GETPOST('mailid', 'int') : GETPOST('id', 'int')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $urlfrom = GETPOST('urlfrom'); 
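Review bot: In the "Opened order" section the context lines `$urlsource = $_SERVER['PHP_SELF'].'?id='.$obj->propalid;` and `print ''.dol_print_date($db->jdate($obj->dp), 'day').'';` read `$obj->propalid` and `$obj->dp`, but the SELECT rewritten in the `@@ -704` hunk only provides `c.rowid as commandeid` and `c.date_valid as dv`, so both appear to be undefined properties copied from the proposals section (the `$urlsource` value is also not used on any visible line). Unless these are defined outside the hunk, the date cell should use `$obj->dv` and the unused `$urlsource` line can be dropped.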
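Review bot: `$sortfield`/`$sortorder` now go through the `'aZ09comma'` filter, but the neighbouring context line `$page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');` still reads `pageplusone` with the default filter and does arithmetic on it, while `page` is read with `'int'`. Reading it as `GETPOST('pageplusone', 'int')` makes the two paths consistent; the identical line appears in cibles.php in the `@@ -41` hunk.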
@@ -462,14 +462,14 @@ if (empty($reshook)) { $mesgs = array(); - $object->email_from = trim($_POST["from"]); - $object->email_replyto = trim($_POST["replyto"]); - $object->email_errorsto = trim($_POST["errorsto"]); - $object->titre = trim($_POST["titre"]); - $object->sujet = trim($_POST["sujet"]); - $object->body = trim($_POST["bodyemail"]); - $object->bgcolor = trim($_POST["bgcolor"]); - $object->bgimage = trim($_POST["bgimage"]); + $object->email_from = GETPOST("from"); + $object->email_replyto = GETPOST("replyto"); + $object->email_errorsto = GETPOST("errorsto"); + $object->titre = GETPOST("titre"); + $object->sujet = GETPOST("sujet"); + $object->body = GETPOST("bodyemail", 'restricthtml'); + $object->bgcolor = GETPOST("bgcolor"); + $object->bgimage = GETPOST("bgimage"); if (!$object->titre) { $mesgs[] = $langs->trans("ErrorFieldRequired", $langs->transnoentities("MailTitle")); @@ -563,10 +563,10 @@ if (empty($reshook)) { $mesgs = array(); - $object->sujet = trim($_POST["sujet"]); - $object->body = trim($_POST["bodyemail"]); - $object->bgcolor = trim($_POST["bgcolor"]); - $object->bgimage = trim($_POST["bgimage"]); + $object->sujet = GETPOST("sujet"); + $object->body = GETPOST("bodyemail", 'restricthtml'); + $object->bgcolor = GETPOST("bgcolor"); + $object->bgimage = GETPOST("bgimage"); if (!$object->sujet) { $mesgs[] = $langs->trans("ErrorFieldRequired", $langs->transnoentities("MailTopic")); @@ -738,7 +738,7 @@ if ($action == 'create') print '
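Review bot: `$object->email_from = GETPOST("from");`, `email_replyto` and `email_errorsto` now rely on GETPOST's default filter, and the explicit `trim()` that the removed `trim($_POST[...])` lines applied is gone. Naming the filter, e.g. `GETPOST("from", 'alphanohtml')`, documents the intended sanitisation for address fields next to the deliberate `'restricthtml'` used for `bodyemail`, and if the default filter does not trim, the previous whitespace handling should be restored; the `@@ -563` hunk has the same shape. The enclosing action branch starts outside the hunk.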
'; // Editeur wysiwyg require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php'; - $doleditor = new DolEditor('bodyemail', GETPOST('bodyemail', 'none'), '', 600, 'dolibarr_mailings', '', true, true, $conf->global->FCKEDITOR_ENABLE_MAILING, 20, '90%'); + $doleditor = new DolEditor('bodyemail', GETPOST('bodyemail', 'restricthtml'), '', 600, 'dolibarr_mailings', '', true, true, $conf->global->FCKEDITOR_ENABLE_MAILING, 20, '90%'); $doleditor->Create(); print '
'; diff --git a/htdocs/comm/mailing/cibles.php b/htdocs/comm/mailing/cibles.php index 27e0c2e5b0c..813a195007b 100644 --- a/htdocs/comm/mailing/cibles.php +++ b/htdocs/comm/mailing/cibles.php @@ -41,8 +41,8 @@ if (!$user->rights->mailing->lire || $user->socid > 0) accessforbidden(); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/comm/mailing/class/advtargetemailing.class.php b/htdocs/comm/mailing/class/advtargetemailing.class.php index 983ad374980..f82ebec9d6f 100644 --- a/htdocs/comm/mailing/class/advtargetemailing.class.php +++ b/htdocs/comm/mailing/class/advtargetemailing.class.php @@ -567,7 +567,7 @@ class AdvanceTargetingMailing extends CommonObject if (($extrafields->attributes[$elementtype]['type'][$key] == 'varchar') || ($extrafields->attributes[$elementtype]['type'][$key] == 'text')) { if (!empty($arrayquery['options_'.$key])) { - $sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key]."')"; + $sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')"; } } elseif (($extrafields->attributes[$elementtype]['type'][$key] == 'int') || ($extrafields->attributes[$elementtype]['type'][$key] == 'double')) { 
@@ -587,7 +587,7 @@ class AdvanceTargetingMailing extends CommonObject if (is_array($arrayquery['options_'.$key])) { $sqlwhere[] = " (te.".$key." IN ('".implode("','", $arrayquery['options_'.$key])."'))"; } elseif (!empty($arrayquery['options_'.$key])) { - $sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key]."')"; + $sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')"; } } } @@ -664,13 +664,13 @@ class AdvanceTargetingMailing extends CommonObject $sqlwhere[] = $this->transformToSQL('t.firstname', $arrayquery['contact_firstname']); } if (!empty($arrayquery['contact_country']) && count($arrayquery['contact_country'])) { - $sqlwhere[] = " (t.fk_pays IN (".$this->db->escape(implode(',', $arrayquery['contact_country']))."))"; + $sqlwhere[] = " (t.fk_pays IN (".$this->db->sanitize($this->db->escape(implode(',', $arrayquery['contact_country'])))."))"; } if (!empty($arrayquery['contact_status']) && count($arrayquery['contact_status']) > 0) { - $sqlwhere[] = " (t.statut IN (".$this->db->escape(implode(',', $arrayquery['contact_status']))."))"; + $sqlwhere[] = " (t.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $arrayquery['contact_status'])))."))"; } if (!empty($arrayquery['contact_civility']) && count($arrayquery['contact_civility']) > 0) { - $sqlwhere[] = " (t.civility IN ('".$this->db->escape(implode("','", $arrayquery['contact_civility']))."'))"; + $sqlwhere[] = " (t.civility IN ('".$this->db->sanitize($this->db->escape(implode("','", $arrayquery['contact_civility'])))."'))"; } if ($arrayquery['contact_no_email'] != '') { $tmpwhere = ''; 
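Review bot: The LIKE branch is now escaped, but the sibling branch two lines above, `$sqlwhere[] = " (te.".$key." IN ('".implode("','", $arrayquery['options_'.$key])."'))";`, still concatenates each array element into the query unescaped, so the same input reaches SQL unprotected when it arrives as an array. Escaping per element closes it: `implode("','", array_map(array($this->db, 'escape'), $arrayquery['options_'.$key]))`. The same pattern remains in the `@@ -732` and `@@ -830` hunks of this file, and the enclosing method starts outside the hunk.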
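Review bot: Wrapping the civility list as `$this->db->sanitize($this->db->escape(implode("','", $arrayquery['contact_civility'])))` inside `IN ('...')` is likely to break multi-value selections: if `sanitize()` strips single quotes (which is its behaviour unless told to keep them), the `','` separators collapse and the clause becomes `IN ('A,B')`, matching nothing. For the two numeric lists (`fk_pays`, `statut`) the wrapper is fine, but for civility escape each element individually, e.g. `implode("','", array_map(array($this->db, 'escape'), $arrayquery['contact_civility']))`, or pass the sanitize option that keeps quotes if one exists.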
@@ -708,7 +708,7 @@ class AdvanceTargetingMailing extends CommonObject if (($extrafields->attributes[$elementtype]['type'][$key] == 'varchar') || ($extrafields->attributes[$elementtype]['type'][$key] == 'text')) { if (!empty($arrayquery['options_'.$key.'_cnct'])) { - $sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key.'_cnct']."')"; + $sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key.'_cnct'])."')"; } } elseif (($extrafields->attributes[$elementtype]['type'][$key] == 'int') || ($extrafields->attributes[$elementtype]['type'][$key] == 'double')) { @@ -732,7 +732,7 @@ class AdvanceTargetingMailing extends CommonObject if (is_array($arrayquery['options_'.$key.'_cnct'])) { $sqlwhere[] = " (te.".$key." IN ('".implode("','", $arrayquery['options_'.$key.'_cnct'])."'))"; } elseif (!empty($arrayquery['options_'.$key.'_cnct'])) { - $sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key.'_cnct']."')"; + $sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key.'_cnct'])."')"; } } } @@ -810,7 +810,7 @@ class AdvanceTargetingMailing extends CommonObject if (($extrafields->attributes[$elementtype]['type'][$key] == 'varchar') || ($extrafields->attributes[$elementtype]['type'][$key] == 'text')) { if (!empty($arrayquery['options_'.$key])) { - $sqlwhere[] = " (tse.".$key." LIKE '".$arrayquery['options_'.$key]."')"; + $sqlwhere[] = " (tse.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')"; } } elseif (($extrafields->attributes[$elementtype]['type'][$key] == 'int') || ($extrafields->attributes[$elementtype]['type'][$key] == 'double')) { 
@@ -830,7 +830,7 @@ class AdvanceTargetingMailing extends CommonObject if (is_array($arrayquery['options_'.$key])) { $sqlwhere[] = " (tse.".$key." IN ('".implode("','", $arrayquery['options_'.$key])."'))"; } elseif (!empty($arrayquery['options_'.$key])) { - $sqlwhere[] = " (tse.".$key." LIKE '".$arrayquery['options_'.$key]."')"; + $sqlwhere[] = " (tse.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')"; } } } diff --git a/htdocs/comm/propal/card.php b/htdocs/comm/propal/card.php index 5c53f6715a2..f42b82718e6 100644 --- a/htdocs/comm/propal/card.php +++ b/htdocs/comm/propal/card.php @@ -68,7 +68,7 @@ $error = 0; $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); $socid = GETPOST('socid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $origin = GETPOST('origin', 'alpha'); $originid = GETPOST('originid', 'int'); @@ -355,8 +355,8 @@ if (empty($reshook)) $object->fk_project = GETPOST('projectid', 'int'); $object->model_pdf = GETPOST('model'); $object->author = $user->id; // deprecated - $object->note_private = GETPOST('note_private', 'none'); - $object->note_public = GETPOST('note_public', 'none'); + $object->note_private = GETPOST('note_private', 'restricthtml'); + $object->note_public = GETPOST('note_public', 'restricthtml'); $object->statut = Propal::STATUS_DRAFT; $object->fk_incoterms = GETPOST('incoterm_id', 'int'); $object->location_incoterms = GETPOST('location_incoterms', 'alpha'); 
@@ -383,8 +383,8 @@ if (empty($reshook)) $object->fk_project = GETPOST('projectid', 'int'); $object->model_pdf = GETPOST('model'); $object->author = $user->id; // deprecated - $object->note_private = GETPOST('note_private', 'none'); - $object->note_public = GETPOST('note_public', 'none'); + $object->note_private = GETPOST('note_private', 'restricthtml'); + $object->note_public = GETPOST('note_public', 'restricthtml'); $object->fk_incoterms = GETPOST('incoterm_id', 'int'); $object->location_incoterms = GETPOST('location_incoterms', 'alpha'); @@ -627,7 +627,7 @@ if (empty($reshook)) { $db->begin(); - $result = $object->cloture($user, GETPOST('statut', 'int'), GETPOST('note_private', 'none')); + $result = $object->cloture($user, GETPOST('statut', 'int'), GETPOST('note_private', 'restricthtml')); if ($result < 0) { setEventMessages($object->error, $object->errors, 'errors'); @@ -792,9 +792,9 @@ if (empty($reshook)) } elseif ($action == 'addline' && $usercancreate) { // Add line // Set if we used free entry or predefined product $predef = ''; - $product_desc = (GETPOST('dp_desc', 'none') ?GETPOST('dp_desc', 'none') : ''); - $price_ht = GETPOST('price_ht'); - $price_ht_devise = GETPOST('multicurrency_price_ht'); + $product_desc = (GETPOSTISSET('dp_desc') ?GETPOST('dp_desc', 'restricthtml') : ''); + $price_ht = price2num(GETPOST('price_ht')); + $price_ht_devise = price2num(GETPOST('multicurrency_price_ht')); $prod_entry_mode = GETPOST('prod_entry_mode'); if ($prod_entry_mode == 'free') { @@ -1152,7 +1152,7 @@ if (empty($reshook)) $info_bits |= 0x01; // Clean parameters - $description = dol_htmlcleanlastbr(GETPOST('product_desc', 'none')); + $description = dol_htmlcleanlastbr(GETPOST('product_desc', 'restricthtml')); // Define vat_rate $vat_rate = (GETPOST('tva_tx') ? GETPOST('tva_tx') : 0); 
@@ -1316,7 +1316,7 @@ if (empty($reshook)) $object->oldcopy = dol_clone($object); // Fill array 'array_options' with data from update form - $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'none')); + $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'restricthtml')); if ($ret < 0) $error++; if (!$error) { @@ -1508,7 +1508,7 @@ if ($action == 'create') } } else { print ''; - print $form->select_company('', 'socid', '(s.client = 1 OR s.client = 2 OR s.client = 3) AND status=1', 'SelectThirdParty', 0, 0, null, 0, 'minwidth300'); + print $form->select_company('', 'socid', '(s.client = 1 OR s.client = 2 OR s.client = 3) AND status=1', 'SelectThirdParty', 0, 0, null, 0, 'minwidth300 maxwidth500'); // reload page to retrieve customer informations if (!empty($conf->global->RELOAD_PAGE_ON_CUSTOMER_CHANGE)) { diff --git a/htdocs/comm/propal/class/api_proposals.class.php b/htdocs/comm/propal/class/api_proposals.class.php index 8efc4aa5c19..0f157396f35 100644 --- a/htdocs/comm/propal/class/api_proposals.class.php +++ b/htdocs/comm/propal/class/api_proposals.class.php @@ -190,7 +190,7 @@ class Proposals extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { 
@@ -198,21 +198,21 @@ class Proposals extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } dol_syslog("API Rest request"); - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); $i = 0; while ($i < $min) { - $obj = $db->fetch_object($result); - $proposal_static = new Propal($db); + $obj = $this->db->fetch_object($result); + $proposal_static = new Propal($this->db); if ($proposal_static->fetch($obj->rowid)) { // Add external contacts ids $proposal_static->contacts_ids = $proposal_static->liste_contact(-1, 'external', 1); @@ -221,7 +221,7 @@ class Proposals extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve propal list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve propal list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No proposal found'); diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php index d1936d9d17e..7e34ac6fc3c 100644 --- a/htdocs/comm/propal/class/propal.class.php +++ b/htdocs/comm/propal/class/propal.class.php @@ -41,12 +41,15 @@ require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php'; require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php'; require_once DOL_DOCUMENT_ROOT.'/margin/lib/margins.lib.php'; require_once DOL_DOCUMENT_ROOT.'/multicurrency/class/multicurrency.class.php'; +require_once DOL_DOCUMENT_ROOT.'/core/class/commonincoterm.class.php'; /** * Class to manage proposals */ class Propal extends CommonObject { + use CommonIncoterm; + /** * @var string ID to identify managed object */ 
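Review bot: The 503 thrown at the end of the @@ -221 hunk still concatenates `$this->db->lasterror()` into the message returned to the API client, so a failing query reports driver error text (and often the SQL fragment involved) to the caller. Logging the detail server-side and returning a fixed message is the usual split: `dol_syslog(__METHOD__.' '.$this->db->lasterror(), LOG_ERR);` followed by `throw new RestException(503, 'Error when retrieve propal list');`. The same pattern appears in the @@ -224 hunk of htdocs/commande/class/api_orders.class.php. The enclosing method starts and ends outside the hunk.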
@@ -1058,7 +1061,7 @@ class Propal extends CommonObject $sql .= ", '".$this->db->idate($this->date)."'"; $sql .= ", '".$this->db->idate($now)."'"; $sql .= ", '(PROV)'"; - $sql .= ", ".($user->id > 0 ? "'".$user->id."'" : "NULL"); + $sql .= ", ".($user->id > 0 ? "'".$this->db->escape($user->id)."'" : "NULL"); $sql .= ", '".$this->db->escape($this->note_private)."'"; $sql .= ", '".$this->db->escape($this->note_public)."'"; $sql .= ", '".$this->db->escape($this->model_pdf)."'"; diff --git a/htdocs/comm/propal/contact.php b/htdocs/comm/propal/contact.php index c2f60516f1c..16be5930e89 100644 --- a/htdocs/comm/propal/contact.php +++ b/htdocs/comm/propal/contact.php @@ -38,7 +38,7 @@ $langs->loadLangs(array('facture', 'orders', 'sendings', 'companies')); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); $lineid = GETPOST('lineid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Security check if ($user->socid) $socid = $user->socid; diff --git a/htdocs/comm/propal/index.php b/htdocs/comm/propal/index.php index 9e138c52cbe..692f561867a 100644 --- a/htdocs/comm/propal/index.php +++ b/htdocs/comm/propal/index.php @@ -1,8 +1,9 @@ - * Copyright (C) 2004-2017 Laurent Destailleur - * Copyright (C) 2005-2012 Regis Houssin - * Copyright (C) 2019 Nicolas ZABOURI +/* Copyright (C) 2003-2004 Rodolphe Quiedeville + * Copyright (C) 2004-2017 Laurent Destailleur + * Copyright (C) 2005-2012 Regis Houssin + * Copyright (C) 2019 Nicolas ZABOURI + * Copyright (C) 2020 Tobias Sekan * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
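Review bot: `$this->db->escape($user->id)` on the new line wraps in quotes an integer that the ternary has already checked with `> 0`, which documents the value as a string rather than the id it is. `$sql .= ", ".($user->id > 0 ? ((int) $user->id) : "NULL");` states the intent directly and needs no escaping; the adjacent lines that escape free-text notes are where escape() belongs. The enclosing method starts and ends outside the hunk.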
@@ -19,22 +20,12 @@ */ /** - * \file htdocs/comm/propal/index.php - * \ingroup propal - * \brief Home page of proposal area + * \file htdocs/comm/propal/index.php + * \ingroup propal + * \brief Home page of proposal area */ require '../../main.inc.php'; -require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; -require_once DOL_DOCUMENT_ROOT.'/comm/propal/class/propal.class.php'; - -$hookmanager = new HookManager($db); - -// Initialize technical object to manage hooks. Note that conf->hooks_modules contains array -$hookmanager->initHooks(array('proposalindex')); - -// Load translation files required by the page -$langs->loadLangs(array('propal', 'companies')); // Security check $socid = GETPOST('socid', 'int'); @@ -43,13 +34,24 @@ if (isset($user->socid) && $user->socid > 0) $action = ''; $socid = $user->socid; } -$result = restrictedArea($user, 'propal'); +restrictedArea($user, 'propal'); +require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; +require_once DOL_DOCUMENT_ROOT.'/comm/propal/class/propal.class.php'; + +// Initialize technical object to manage hooks. Note that conf->hooks_modules contains array +$hookmanager = new HookManager($db); +$hookmanager->initHooks(array('proposalindex')); + +// Load translation files required by the page +$langs->loadLangs(array('propal', 'companies')); + +$now = dol_now(); +$max = 5; /* * View */ -$now = dol_now(); $propalstatic = new Propal($db); $companystatic = new Societe($db); $form = new Form($db); @@ -60,192 +62,218 @@ llxHeader("", $langs->trans("ProspectionArea"), $help_url); print load_fiche_titre($langs->trans("ProspectionArea"), '', 'propal'); -//print ''; -//print ''; + print ''; + print ''; + } + + //if ($totalinprocess != $total) + //{ + // print ''; + // print ''; + // print ''; + // print ''; + //} + + print ''; + print ''; + print ''; + print ''; + + print '
'; -print '
'; +print '
'; +print '
'; - -if (!empty($conf->global->MAIN_SEARCH_FORM_ON_HOME_AREAS)) // This is useless due to the global search combo +// This is useless due to the global search combo +if (!empty($conf->global->MAIN_SEARCH_FORM_ON_HOME_AREAS)) { - print '
'; - print '
'; - print ''; - print ''; - print ''; - print ''; - print "
'.$langs->trans("Search").'
'; - print $langs->trans("Proposal").':

\n"; -} + print '
'; + print '
'; + print ''; + print ''; + print ''; + print ''; + print ''; + + print ''; + print ''; + print ''; + print ''; + print ''; + + print '
'.$langs->trans("Search").'
'.$langs->trans("Proposal").':
'; + print '
'; + print '
'; + print '
'; +} /* * Statistics */ +$listofstatus = array(Propal::STATUS_DRAFT, Propal::STATUS_VALIDATED, Propal::STATUS_SIGNED, Propal::STATUS_NOTSIGNED, Propal::STATUS_BILLED); $sql = "SELECT count(p.rowid) as nb, p.fk_statut as status"; $sql .= " FROM ".MAIN_DB_PREFIX."societe as s"; $sql .= ", ".MAIN_DB_PREFIX."propal as p"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; -$sql .= " WHERE p.fk_soc = s.rowid"; -$sql .= " AND p.entity IN (".getEntity('propal').")"; +$sql .= " WHERE p.entity IN (".getEntity($propalstatic->element).")"; +$sql .= " AND p.fk_soc = s.rowid"; if ($user->socid) $sql .= ' AND p.fk_soc = '.$user->socid; if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; -$sql .= " AND p.fk_statut IN (0,1,2,3,4)"; +$sql .= " AND p.fk_statut IN (".implode(" ,", $listofstatus).")"; $sql .= " GROUP BY p.fk_statut"; $resql = $db->query($sql); if ($resql) { - $num = $db->num_rows($resql); - $i = 0; + $num = $db->num_rows($resql); + $i = 0; + $total = 0; + $totalinprocess = 0; + $dataseries = array(); + $colorseries = array(); + $vals = array(); - $total = 0; - $totalinprocess = 0; - $dataseries = array(); - $colorseries = array(); - $vals = array(); + while ($i < $num) + { + $obj = $db->fetch_object($resql); + if ($obj) + { + $vals[$obj->status] = $obj->nb; + $totalinprocess += $obj->nb; - // -1=Canceled, 0=Draft, 1=Validated, (2=Accepted/On process not managed for customer orders), 3=Closed (Sent/Received, billed or not) - while ($i < $num) - { - $obj = $db->fetch_object($resql); - if ($obj) - { - $vals[$obj->status] = $obj->nb; - $totalinprocess += $obj->nb; + $total += $obj->nb; + } + $i++; + } + $db->free($resql); - $total += $obj->nb; - } - $i++; - } - $db->free($resql); + include_once DOL_DOCUMENT_ROOT.'/theme/'.$conf->theme.'/theme_vars.inc.php'; - include_once DOL_DOCUMENT_ROOT.'/theme/'.$conf->theme.'/theme_vars.inc.php'; + print '
'; + print ''; - print '
'; - print '
'; - print ''."\n"; - $listofstatus = array(0, 1, 2, 3, 4); - foreach ($listofstatus as $status) - { - $dataseries[] = array($propalstatic->LibStatut($status, 1), (isset($vals[$status]) ? (int) $vals[$status] : 0)); - if ($status == Propal::STATUS_DRAFT) $colorseries[$status] = '-'.$badgeStatus0; - if ($status == Propal::STATUS_VALIDATED) $colorseries[$status] = $badgeStatus1; - if ($status == Propal::STATUS_SIGNED) $colorseries[$status] = $badgeStatus4; - if ($status == Propal::STATUS_NOTSIGNED) $colorseries[$status] = $badgeStatus9; - if ($status == Propal::STATUS_BILLED) $colorseries[$status] = $badgeStatus6; + print ''; + print ''; + print ''; - if (empty($conf->use_javascript_ajax)) - { - print ''; - print ''; - print ''; - print "\n"; - } - } - if ($conf->use_javascript_ajax) - { - print ''; + print ''; + print ''; + print "\n"; + } + } - print ''; - } - //if ($totalinprocess != $total) - //print ''; - print ''; - print "
'.$langs->trans("Statistics").' - '.$langs->trans("Proposals").'
'.$langs->trans("Statistics").' - '.$langs->trans("Proposals").'
'.$propalstatic->LibStatut($status, 0).''.(isset($vals[$status]) ? $vals[$status] : 0).'
'; + foreach ($listofstatus as $status) { + $dataseries[] = array($propalstatic->LibStatut($status, 1), (isset($vals[$status]) ? (int) $vals[$status] : 0)); + if ($status == Propal::STATUS_DRAFT) $colorseries[$status] = '-'.$badgeStatus0; + if ($status == Propal::STATUS_VALIDATED) $colorseries[$status] = $badgeStatus1; + if ($status == Propal::STATUS_SIGNED) $colorseries[$status] = $badgeStatus4; + if ($status == Propal::STATUS_NOTSIGNED) $colorseries[$status] = $badgeStatus9; + if ($status == Propal::STATUS_BILLED) $colorseries[$status] = $badgeStatus6; - include_once DOL_DOCUMENT_ROOT.'/core/class/dolgraph.class.php'; - $dolgraph = new DolGraph(); - $dolgraph->SetData($dataseries); - $dolgraph->SetDataColor(array_values($colorseries)); - $dolgraph->setShowLegend(2); - $dolgraph->setShowPercent(1); - $dolgraph->SetType(array('pie')); - $dolgraph->setHeight('200'); - $dolgraph->draw('idgraphthirdparties'); - print $dolgraph->show($total ? 0 : 1); + if (empty($conf->use_javascript_ajax)) { + print '
'.$propalstatic->LibStatut($status, 0).''.(isset($vals[$status]) ? $vals[$status] : 0).'
'.$langs->trans("Total").' ('.$langs->trans("CustomersOrdersRunning").')'.$totalinprocess.'
'.$langs->trans("Total").''.$total.'

"; + if ($conf->use_javascript_ajax) { + print '
'; + + include_once DOL_DOCUMENT_ROOT.'/core/class/dolgraph.class.php'; + $dolgraph = new DolGraph(); + $dolgraph->SetData($dataseries); + $dolgraph->SetDataColor(array_values($colorseries)); + $dolgraph->setShowLegend(2); + $dolgraph->setShowPercent(1); + $dolgraph->SetType(array('pie')); + $dolgraph->setHeight('200'); + $dolgraph->draw('idgraphthirdparties'); + print $dolgraph->show($total ? 0 : 1); + + print '
'.$langs->trans("Total").' ('.$langs->trans("CustomersOrdersRunning").')'.$totalinprocess.'
'.$langs->trans("Total").''.$total.'
'; + print ''; + print '
'; } else { - dol_print_error($db); + dol_print_error($db); } /* * Draft proposals */ -if (!empty($conf->propal->enabled)) -{ - $sql = "SELECT c.rowid, c.ref, s.nom as socname, s.rowid as socid, s.canvas, s.client"; - $sql .= " FROM ".MAIN_DB_PREFIX."propal as c"; +if (!empty($conf->propal->enabled)) { + $sql = "SELECT p.rowid, p.ref, p.ref_client, p.total_ht, p.tva as total_tva, p.total as total_ttc"; + $sql .= ", s.rowid as socid, s.nom as name, s.client, s.canvas, s.code_client, s.email, s.entity, s.code_compta"; + $sql .= " FROM ".MAIN_DB_PREFIX."propal as p"; $sql .= ", ".MAIN_DB_PREFIX."societe as s"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql .= " WHERE c.fk_soc = s.rowid"; - $sql .= " AND c.entity IN (".getEntity('propal').")"; - $sql .= " AND c.fk_statut = 0"; - if ($socid) $sql .= " AND c.fk_soc = ".$socid; + $sql .= " WHERE p.entity IN (".getEntity($propalstatic->element).")"; + $sql .= " AND p.fk_soc = s.rowid"; + $sql .= " AND p.fk_statut =".Propal::STATUS_DRAFT; if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; + if ($socid) $sql .= " AND p.fk_soc = ".$socid; $resql = $db->query($sql); - if ($resql) - { + if ($resql) { $num = $db->num_rows($resql); - if ($num) - { - print '
'; - print ''; - print ''; - $langs->load("propal"); - print ''; + $nbofloop = min($num, (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 500 : $conf->global->MAIN_MAXLIST_OVERLOAD)); + startSimpleTable("DraftPropals", "comm/propal/list.php", "search_status=".Propal::STATUS_DRAFT, 2, $num); + if ($num) { + $total = 0; $i = 0; - $nbofloop = min($num, (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 500 : $conf->global->MAIN_MAXLIST_OVERLOAD)); - while ($i < $nbofloop) - { + + while ($i < $nbofloop) { $obj = $db->fetch_object($resql); - print ''; $propalstatic->id = $obj->rowid; $propalstatic->ref = $obj->ref; - print ''; + $propalstatic->ref_client = $obj->ref_client; + $propalstatic->total_ht = $obj->total_ht; + $propalstatic->total_tva = $obj->total_tva; + $propalstatic->total_ttc = $obj->total_ttc; $companystatic->id = $obj->socid; - $companystatic->name = $obj->socname; + $companystatic->name = $obj->name; $companystatic->client = $obj->client; + $companystatic->code_client = $obj->code_client; + $companystatic->code_fournisseur = $obj->code_fournisseur; $companystatic->canvas = $obj->canvas; - print ''; + $companystatic->entity = $obj->entity; + $companystatic->email = $obj->email; + $companystatic->code_compta = $obj->code_compta; + print ''; + print ''; + print ''; + print ''; print ''; + $i++; + $total += (!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc); } - if ($num > $nbofloop) - { - print '"; - } elseif ($total > 0) - { - print '"; - } - print "
'.$langs->trans("DraftPropals").' '.$num.'
'.$propalstatic->getNomUrl(1).''.$companystatic->getNomUrl(1, 'customer', 24).'
'.$propalstatic->getNomUrl(1).''.$companystatic->getNomUrl(1, 'customer', 16).''.price(!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc).'
'.$langs->trans("XMoreLines", ($num - $nbofloop))."
'.$langs->trans("Total").''.price($total)."
"; - print "

"; } + + addSummaryTableLine(3, $num, $nbofloop, $total, "NoProposal"); + finishSimpleTable(true); + $db->free($resql); + } else { + dol_print_error($db); } } +print ''; -//print ''; -print '
'; - - -$max = 5; +print '
'; +print '
'; /* * Last modified proposals */ -$sql = "SELECT c.rowid, c.entity, c.ref, c.fk_statut, s.nom as socname, s.rowid as socid, s.canvas, s.client,"; -$sql .= " date_cloture as datec"; +$sql = "SELECT c.rowid, c.entity, c.ref, c.fk_statut, date_cloture as datec"; +$sql .= ", s.nom as socname, s.rowid as socid, s.canvas, s.client"; $sql .= " FROM ".MAIN_DB_PREFIX."propal as c"; $sql .= ", ".MAIN_DB_PREFIX."societe as s"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; -$sql .= " WHERE c.fk_soc = s.rowid"; -$sql .= " AND c.entity IN (".getEntity('propal').")"; +$sql .= " WHERE c.entity IN (".getEntity($propalstatic->element).")"; +$sql .= " AND c.fk_soc = s.rowid"; //$sql.= " AND c.fk_statut > 2"; if ($socid) $sql .= " AND c.fk_soc = ".$socid; if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; @@ -253,150 +281,126 @@ $sql .= " ORDER BY c.tms DESC"; $sql .= $db->plimit($max, 0); $resql = $db->query($sql); -if ($resql) -{ - print '
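Review bot: In the draft-proposals loop of the @@ -60 hunk the new line `$companystatic->code_fournisseur = $obj->code_fournisseur;` reads a column the SELECT a few lines above never fetches (it lists `s.code_client, s.email, s.entity, s.code_compta` but not `s.code_fournisseur`), so every row raises an undefined-property notice; either add `s.code_fournisseur` to the SELECT or drop the assignment. In the same block `$total = 0;` sits inside `if ($num) {`, so when there are no drafts the `$total` passed to `addSummaryTableLine(3, $num, $nbofloop, $total, "NoProposal")` is whatever the statistics block above left in it; the open-proposals block in the next hunk zeroes `$total` before its `if`, and this block should do the same. In the statistics query `implode(" ,", $listofstatus)` uses a space-comma separator; `implode(",", $listofstatus)` matches how the other IN lists in this file are built.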
'; - print ''; - print ''; - print ''; - +if ($resql) { $num = $db->num_rows($resql); - if ($num) - { - $i = 0; - while ($i < $num) - { - $obj = $db->fetch_object($resql); + startSimpleTable($langs->trans("LastModifiedProposals", $max), "", "", 3); - print ''; - print ''; - $companystatic->id = $obj->socid; $companystatic->name = $obj->socname; $companystatic->client = $obj->client; $companystatic->canvas = $obj->canvas; - print ''; - print ''; + $filename = dol_sanitizeFileName($obj->ref); + $filedir = $conf->propal->multidir_output[$obj->entity].'/'.dol_sanitizeFileName($obj->ref); + $urlsource = $_SERVER['PHP_SELF'].'?id='.$obj->rowid; - print ''; + print ''; + + print ''; + + print ''; + print ''; + print ''; + + print ''; + $i++; } } - print "
'.$langs->trans("LastModifiedProposals", $max).'
'; + if ($num) { + $i = 0; + while ($i < $num) { + $obj = $db->fetch_object($resql); $propalstatic->id = $obj->rowid; $propalstatic->ref = $obj->ref; - print ''; - print ''; - - print ''; - - print '
'; - print $propalstatic->getNomUrl(1); - print ''; - print ' '; - print ''; - $filename = dol_sanitizeFileName($obj->ref); - $filedir = $conf->propal->multidir_output[$obj->entity].'/'.dol_sanitizeFileName($obj->ref); - $urlsource = $_SERVER['PHP_SELF'].'?id='.$obj->rowid; - print $formfile->getDocumentsLink($propalstatic->element, $filename, $filedir); - print '
'; - - print '
'.$companystatic->getNomUrl(1, 'customer').''.dol_print_date($db->jdate($obj->datec), 'day').''.$propalstatic->LibStatut($obj->fk_statut, 3).'
'; + print ''; + print ''; + print ''; + print ''; + print ''; print ''; + print '
'.$propalstatic->getNomUrl(1).''.$formfile->getDocumentsLink($propalstatic->element, $filename, $filedir).'
'; + print '
'.$companystatic->getNomUrl(1, 'customer').''.dol_print_date($db->jdate($obj->datec), 'day').''.$propalstatic->LibStatut($obj->fk_statut, 3).'
"; - print "

"; -} else dol_print_error($db); + + finishSimpleTable(true); + $db->free($resql); +} else { + dol_print_error($db); +} /* - * Open proposals + * Open (validated) proposals */ -if (!empty($conf->propal->enabled) && $user->rights->propale->lire) -{ - $langs->load("propal"); - - $now = dol_now(); - +if (!empty($conf->propal->enabled) && $user->rights->propale->lire) { $sql = "SELECT s.nom as socname, s.rowid as socid, s.canvas, s.client"; $sql .= ", p.rowid as propalid, p.entity, p.total as total_ttc, p.total_ht, p.ref, p.fk_statut, p.datep as dp, p.fin_validite as dfv"; $sql .= " FROM ".MAIN_DB_PREFIX."societe as s"; $sql .= ", ".MAIN_DB_PREFIX."propal as p"; if (!$user->rights->societe->client->voir && !$socid) $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; $sql .= " WHERE p.fk_soc = s.rowid"; - $sql .= " AND p.entity IN (".getEntity('propal').")"; - $sql .= " AND p.fk_statut = 1"; + $sql .= " AND p.entity IN (".getEntity($propalstatic->element).")"; + $sql .= " AND p.fk_statut = ".Propal::STATUS_VALIDATED; if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; if ($socid) $sql .= " AND s.rowid = ".$socid; $sql .= " ORDER BY p.rowid DESC"; - $result = $db->query($sql); - if ($result) - { + $resql = $db->query($sql); + if ($resql) { $total = 0; - $num = $db->num_rows($result); - $i = 0; - if ($num > 0) - { - print '
'; - print ''; - print ''; + $num = $db->num_rows($resql); + $nbofloop = min($num, (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 500 : $conf->global->MAIN_MAXLIST_OVERLOAD)); + startSimpleTable("ProposalsOpened", "comm/propal/list.php", "search_status=".Propal::STATUS_VALIDATED, 4, $num); - $nbofloop = min($num, (empty($conf->global->MAIN_MAXLIST_OVERLOAD) ? 500 : $conf->global->MAIN_MAXLIST_OVERLOAD)); - while ($i < $nbofloop) - { - $obj = $db->fetch_object($result); - - print ''; - - // Ref - print '"; - $companystatic->id = $obj->socid; $companystatic->name = $obj->socname; $companystatic->client = $obj->client; $companystatic->canvas = $obj->canvas; - print ''."\n"; - print ''."\n"; + $filename = dol_sanitizeFileName($obj->ref); + $filedir = $conf->propal->multidir_output[$obj->entity].'/'.dol_sanitizeFileName($obj->ref); + $urlsource = $_SERVER['PHP_SELF'].'?id='.$obj->propalid; - print ''; + $warning = ($db->jdate($obj->dfv) < ($now - $conf->propal->cloture->warning_delay)) ? img_warning($langs->trans("Late")) : ''; + + print ''; + + // Ref + print ''; + + print ''; + print ''; + print ''; + print ''; + + print ''; - print ''."\n"; - print ''."\n"; $i++; - $total += $obj->total_ttc; + $total += (!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc); } - if ($num > $nbofloop) - { - print '"; - } elseif ($total > 0) - { - print '"; - } - print "
'.$langs->trans("ProposalsOpened").' '.$num.'
'; + if ($num > 0) { + $i = 0; + while ($i < $nbofloop) { + $obj = $db->fetch_object($resql); $propalstatic->id = $obj->propalid; $propalstatic->ref = $obj->ref; - print ''; - print ''; - print ''; - print '
'; - print $propalstatic->getNomUrl(1); - print ''; - if ($db->jdate($obj->dfv) < ($now - $conf->propal->cloture->warning_delay)) print img_warning($langs->trans("Late")); - print ''; - $filename = dol_sanitizeFileName($obj->ref); - $filedir = $conf->propal->multidir_output[$obj->entity].'/'.dol_sanitizeFileName($obj->ref); - $urlsource = $_SERVER['PHP_SELF'].'?id='.$obj->propalid; - print $formfile->getDocumentsLink($propalstatic->element, $filename, $filedir); - print '
'; - - print "
'.$companystatic->getNomUrl(1, 'customer', 44).''.dol_print_date($db->jdate($obj->dp), 'day').''.price($obj->total_ttc).'
'; + print ''; + print ''; + print ''; + print ''; + print ''; + print ''; + print '
'.$propalstatic->getNomUrl(1).''.$warning.''.$formfile->getDocumentsLink($propalstatic->element, $filename, $filedir).'
'; + print '
'.$companystatic->getNomUrl(1, 'customer', 44).''.dol_print_date($db->jdate($obj->dp), 'day').''.price(!empty($conf->global->MAIN_DASHBOARD_USE_TOTAL_HT) ? $obj->total_ht : $obj->total_ttc).''.$propalstatic->LibStatut($obj->fk_statut, 3).'
'.$propalstatic->LibStatut($obj->fk_statut, 3).'
'.$langs->trans("XMoreLines", ($num - $nbofloop))."
'.$langs->trans("Total")."".price($total)." 
"; - print "

"; } + + addSummaryTableLine(5, $num, $nbofloop, $total, "None", true); + finishSimpleTable(true); + $db->free($resql); } else { dol_print_error($db); } @@ -405,6 +409,7 @@ if (!empty($conf->propal->enabled) && $user->rights->propale->lire) /* * Proposals to process */ + /* if (! empty($conf->propal->enabled)) { @@ -479,7 +484,9 @@ if (! empty($conf->propal->enabled)) /* * Proposal that are in a shipping process */ -/*if (! empty($conf->propal->enabled)) + +/* +if (! empty($conf->propal->enabled)) { $sql = "SELECT c.rowid, c.ref, c.fk_statut, c.facture, s.nom as name, s.rowid as socid"; $sql.= " FROM ".MAIN_DB_PREFIX."commande as c"; @@ -548,8 +555,9 @@ if (! empty($conf->propal->enabled)) } */ -//print ''; -print '
'; +print '
'; +print ''; +print ''; $parameters = array('user' => $user); $reshook = $hookmanager->executeHooks('dashboardPropals', $parameters, $object); // Note that $action and $object may have been modified by hook diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php index 7bce96633fc..dde38d98489 100644 --- a/htdocs/comm/propal/list.php +++ b/htdocs/comm/propal/list.php @@ -50,7 +50,7 @@ $langs->loadLangs(array('companies', 'propal', 'compta', 'bills', 'orders', 'pro $socid = GETPOST('socid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $show_files = GETPOST('show_files', 'int'); $confirm = GETPOST('confirm', 'alpha'); 
@@ -333,13 +333,13 @@ if (!$user->rights->societe->client->voir && !$socid) //restriction if ($search_town) $sql .= natural_search('s.town', $search_town); if ($search_zip) $sql .= natural_search("s.zip", $search_zip); if ($search_state) $sql .= natural_search("state.nom", $search_state); -if ($search_country) $sql .= " AND s.fk_pays IN (".$db->escape($search_country).')'; -if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->escape($search_type_thirdparty).')'; +if ($search_country) $sql .= " AND s.fk_pays IN (".$db->sanitize($db->escape($search_country)).')'; +if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->sanitize($db->escape($search_type_thirdparty)).')'; if ($search_ref) $sql .= natural_search('p.ref', $search_ref); if ($search_refcustomer) $sql .= natural_search('p.ref_client', $search_refcustomer); if ($search_refproject) $sql .= natural_search('pr.ref', $search_refproject); if ($search_project) $sql .= natural_search('pr.title', $search_project); -if ($search_availability) $sql .= " AND p.fk_availability IN (".$db->escape($search_availability).')'; +if ($search_availability) $sql .= " AND p.fk_availability IN (".$db->sanitize($db->escape($search_availability)).')'; if ($search_societe) $sql .= natural_search('s.nom', $search_societe); if ($search_login) $sql .= natural_search("u.login", $search_login); @@ -361,7 +361,7 @@ if ($search_product_category > 0) $sql .= " AND cp.fk_categorie = ".$db->escape( if ($socid > 0) $sql .= ' AND s.rowid = '.$socid; if ($search_status != '' && $search_status != '-1') { - $sql .= ' AND p.fk_statut IN ('.$db->escape($search_status).')'; + $sql .= ' AND p.fk_statut IN ('.$db->sanitize($db->escape($search_status)).')'; } if ($search_date_start) $sql .= " AND p.datep >= '".$db->idate($search_date_start)."'"; if ($search_date_end) $sql .= " AND p.datep <= '".$db->idate($search_date_end)."'"; 
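Review bot: The new `$db->sanitize($db->escape($search_country))` composes two different protections for an unquoted `IN (...)` list, and the nesting makes the result hard to reason about: if sanitize() reduces the value to a safe character class the inner escape() is redundant, and if it does not, escape() alone is not a guard for an unquoted position because it only neutralises quote characters. For comma-separated integer ids the straightforward form is to validate the list as integers, e.g. `if ($search_country) $sql .= " AND s.fk_pays IN (".implode(',', array_map('intval', explode(',', $search_country))).")";`, and the same applies to `fk_typent` and `fk_availability` here, `p.fk_statut` in the @@ -361 hunk, and `p.fk_statut` in htdocs/comm/propal/stats/index.php @@ -101. Whether these search values can legitimately carry non-numeric tokens is not visible here and should be confirmed before switching.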
@@ -480,11 +480,9 @@ if ($resql) if (in_array($massaction, array('presend', 'predelete', 'closed'))) $arrayofmassactions = array(); $massactionbutton = $form->selectMassAction('', $arrayofmassactions); - $newcardbutton = ''; - if ($user->rights->propal->creer) - { - $newcardbutton .= dolGetButtonTitle($langs->trans('NewPropal'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/comm/propal/card.php?action=create'); - } + $url = DOL_URL_ROOT.'/comm/propal/card.php?action=create'; + if (!empty($socid)) $url .= '&socid='.$socid; + $newcardbutton = dolGetButtonTitle($langs->trans('NewPropal'), '', 'fa fa-plus-circle', $url, '', $user->rights->propal->creer); // Fields title search print '
'; @@ -638,12 +636,10 @@ if ($resql) { print ''; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_date_start ? $search_date_start : -1, 'search_date_start', 0, 0, 1); + print $form->selectDate($search_date_start ? $search_date_start : -1, 'search_date_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_date_end ? $search_date_end : -1, 'search_date_end', 0, 0, 1); + print $form->selectDate($search_date_end ? $search_date_end : -1, 'search_date_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')); print '
'; print ''; } @@ -652,12 +648,10 @@ if ($resql) { print ''; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_dateend_start ? $search_dateend_start : -1, 'search_dateend_start', 0, 0, 1); + print $form->selectDate($search_dateend_start ? $search_dateend_start : -1, 'search_dateend_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_dateend_end ? $search_dateend_end : -1, 'search_dateend_end', 0, 0, 1); + print $form->selectDate($search_dateend_end ? $search_dateend_end : -1, 'search_dateend_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')); print '
'; print ''; } @@ -666,12 +660,10 @@ if ($resql) { print ''; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_datedelivery_start ? $search_datedelivery_start : -1, 'search_datedelivery_start', 0, 0, 1); + print $form->selectDate($search_datedelivery_start ? $search_datedelivery_start : -1, 'search_datedelivery_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_datedelivery_end ? $search_datedelivery_end : -1, 'search_datedelivery_end', 0, 0, 1); + print $form->selectDate($search_datedelivery_end ? $search_datedelivery_end : -1, 'search_datedelivery_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print ''; } diff --git a/htdocs/comm/propal/note.php b/htdocs/comm/propal/note.php index 06385bd40e9..ef35903fcd0 100644 --- a/htdocs/comm/propal/note.php +++ b/htdocs/comm/propal/note.php @@ -38,7 +38,7 @@ $langs->loadLangs(array('propal', 'compta', 'bills', 'companies')); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Security check if ($user->socid) $socid = $user->socid; diff --git a/htdocs/comm/propal/stats/index.php b/htdocs/comm/propal/stats/index.php index 00a79f3c1be..49e1141fec1 100644 --- a/htdocs/comm/propal/stats/index.php +++ b/htdocs/comm/propal/stats/index.php @@ -101,7 +101,7 @@ dol_mkdir($dir); $stats = new PropaleStats($db, $socid, ($userid > 0 ? $userid : 0), $mode, ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0)); -if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND p.fk_statut IN ('.$db->escape($object_status).')'; +if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND p.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; // Build graphic number of object $data = $stats->getNbByMonthWithPrevYear($endyear, $startyear); diff --git a/htdocs/comm/remx.php b/htdocs/comm/remx.php index ffd4c1738c0..16a7d362ba6 100644 --- a/htdocs/comm/remx.php +++ b/htdocs/comm/remx.php @@ -35,7 +35,7 @@ $langs->loadLangs(array('orders', 'bills', 'companies')); $id = GETPOST('id', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); // Security check diff --git a/htdocs/commande/card.php b/htdocs/commande/card.php index c2536ee59d6..b447a00c404 100644 --- a/htdocs/commande/card.php +++ b/htdocs/commande/card.php 
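Review bot: In the @@ -666 hunk the end-of-range picker for `search_datedelivery_end` is given `$langs->trans('From')` as its last argument, where the removed line printed `$langs->trans('to')` and every other end picker in the @@ -638 and @@ -652 hunks passes `'to'`; the call should end with `..., 1, '', $langs->trans('to'));`. With sixteen positional arguments the mistake is easy to miss, which argues for checking the other three selectDate pairs in this file the same way.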
@@ -67,7 +67,7 @@ if (!empty($conf->productbatch->enabled)) $langs->load("productbatch"); $id = (GETPOST('id', 'int') ? GETPOST('id', 'int') : GETPOST('orderid', 'int')); $ref = GETPOST('ref', 'alpha'); $socid = GETPOST('socid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $confirm = GETPOST('confirm', 'alpha'); $lineid = GETPOST('lineid', 'int'); @@ -263,8 +263,8 @@ if (empty($reshook)) $db->begin(); $object->date_commande = $datecommande; - $object->note_private = GETPOST('note_private', 'none'); - $object->note_public = GETPOST('note_public', 'none'); + $object->note_private = GETPOST('note_private', 'restricthtml'); + $object->note_public = GETPOST('note_public', 'restricthtml'); $object->source = GETPOST('source_id'); $object->fk_project = GETPOST('projectid', 'int'); $object->ref_client = GETPOST('ref_client', 'alpha'); @@ -417,7 +417,7 @@ if (empty($reshook)) $originidforcontact=$srcobject->origin_id; } $sqlcontact = "SELECT code, fk_socpeople FROM ".MAIN_DB_PREFIX."element_contact as ec, ".MAIN_DB_PREFIX."c_type_contact as ctc"; - $sqlcontact.= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$originforcontact."'"; + $sqlcontact.= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$db->escape($originforcontact)."'"; $resqlcontact = $db->query($sqlcontact); if ($resqlcontact) 
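Review bot: The new WHERE clause in the @@ -417 hunk escapes `$originforcontact` but still concatenates `$originidforcontact` unquoted and uncast, although it is populated from `$srcobject->origin_id` on a context line that is not otherwise validated here; `$sqlcontact.= " WHERE element_id = ".((int) $originidforcontact)." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$db->escape($originforcontact)."'";` closes that gap and makes the expected type explicit. The block that assigns `$originidforcontact` starts outside the hunk, so where `origin_id` ultimately comes from should be checked there.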
@@ -992,7 +992,7 @@ if (empty($reshook))
 $date_end = '';
 $date_start = dol_mktime(GETPOST('date_starthour'), GETPOST('date_startmin'), GETPOST('date_startsec'), GETPOST('date_startmonth'), GETPOST('date_startday'), GETPOST('date_startyear'));
 $date_end = dol_mktime(GETPOST('date_endhour'), GETPOST('date_endmin'), GETPOST('date_endsec'), GETPOST('date_endmonth'), GETPOST('date_endday'), GETPOST('date_endyear'));
- $description = dol_htmlcleanlastbr(GETPOST('product_desc', 'none'));
+ $description = dol_htmlcleanlastbr(GETPOST('product_desc', 'restricthtml'));
 $pu_ht = GETPOST('price_ht');
 $vat_rate = (GETPOST('tva_tx') ?GETPOST('tva_tx') : 0);
 $pu_ht_devise = GETPOST('multicurrency_subprice');
@@ -1256,7 +1256,7 @@ if (empty($reshook))
 $object->oldcopy = dol_clone($object);
 // Fill array 'array_options' with data from update form
- $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'none'));
+ $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'restricthtml'));
 if ($ret < 0) $error++;
 if (!$error)
diff --git a/htdocs/commande/class/api_orders.class.php b/htdocs/commande/class/api_orders.class.php
index f62c00ee81b..2202ad5b67e 100644
--- a/htdocs/commande/class/api_orders.class.php
+++ b/htdocs/commande/class/api_orders.class.php
@@ -193,7 +193,7 @@ class Orders extends DolibarrApi
 $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")";
 }
- $sql .= $db->order($sortfield, $sortorder);
+ $sql .= $this->db->order($sortfield, $sortorder);
 if ($limit) {
 if ($page < 0) {
@@ -201,21 +201,21 @@ class Orders extends DolibarrApi
 }
 $offset = $limit * $page;
- $sql .= $db->plimit($limit + 1, $offset);
+ $sql .= $this->db->plimit($limit + 1, $offset);
 }
 dol_syslog("API Rest request");
- $result = $db->query($sql);
+ $result = $this->db->query($sql);
 if ($result) {
- $num = $db->num_rows($result);
+ $num = $this->db->num_rows($result);
 $min = min($num, ($limit <= 0 ? $num : $limit));
 $i = 0;
 while ($i < $min) {
- $obj = $db->fetch_object($result);
- $commande_static = new Commande($db);
+ $obj = $this->db->fetch_object($result);
+ $commande_static = new Commande($this->db);
 if ($commande_static->fetch($obj->rowid)) {
 // Add external contacts ids
 $commande_static->contacts_ids = $commande_static->liste_contact(-1, 'external', 1);
@@ -224,7 +224,7 @@ class Orders extends DolibarrApi
 $i++;
 }
 } else {
- throw new RestException(503, 'Error when retrieve commande list : '.$db->lasterror());
+ throw new RestException(503, 'Error when retrieve commande list : '.$this->db->lasterror());
 }
 if (!count($obj_ret)) {
 throw new RestException(404, 'No order found');
diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php
index 6c6c26c135f..5c314226214 100644
--- a/htdocs/commande/class/commande.class.php
+++ b/htdocs/commande/class/commande.class.php
@@ -37,6 +37,7 @@ require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php';
 require_once DOL_DOCUMENT_ROOT.'/margin/lib/margins.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/multicurrency/class/multicurrency.class.php';
+
 /**
 * Class to manage customers orders
 */
@@ -1121,7 +1122,7 @@ class Commande extends CommonOrder } $sqlcontact = "SELECT ctc.code, ctc.source, ec.fk_socpeople FROM ".MAIN_DB_PREFIX."element_contact as ec, ".MAIN_DB_PREFIX."c_type_contact as ctc"; - $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$originforcontact."'"; + $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$this->db->escape($originforcontact)."'"; $resqlcontact = $this->db->query($sqlcontact); if ($resqlcontact) diff --git a/htdocs/commande/contact.php b/htdocs/commande/contact.php index 2d11feeeee2..f44813a4994 100644 --- a/htdocs/commande/contact.php +++ b/htdocs/commande/contact.php @@ -37,7 +37,7 @@ $langs->loadLangs(array('orders', 'sendings', 'companies')); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Security check if ($user->socid) $socid = $user->socid; diff --git a/htdocs/commande/list.php b/htdocs/commande/list.php index 898c581407f..921e1de185b 100644 --- a/htdocs/commande/list.php +++ b/htdocs/commande/list.php @@ -483,11 +483,9 @@ if ($resql) if (in_array($massaction, array('presend', 'predelete', 'createbills'))) $arrayofmassactions = array(); $massactionbutton = $form->selectMassAction('', $arrayofmassactions); - $newcardbutton = ''; - if ($contextpage == 'orderlist' && $user->rights->commande->creer) - { - $newcardbutton .= dolGetButtonTitle($langs->trans('NewOrder'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/commande/card.php?action=create'); - } + $url = DOL_URL_ROOT.'/commande/card.php?action=create'; + if (!empty($socid)) $url .= '&socid='.$socid; + $newcardbutton = dolGetButtonTitle($langs->trans('NewOrder'), '', 'fa fa-plus-circle', $url, '', $contextpage == 'orderlist' && $user->rights->commande->creer); // Lines of title fields print ''; 
@@ -632,31 +630,31 @@ if ($resql) if (!empty($arrayfields['c.ref']['checked'])) { print ''; - print ''; + print ''; print ''; } // Ref customer if (!empty($arrayfields['c.ref_client']['checked'])) { print ''; - print ''; + print ''; print ''; } // Project ref if (!empty($arrayfields['p.ref']['checked'])) { - print ''; + print ''; } // Project title if (!empty($arrayfields['p.title']['checked'])) { - print ''; + print ''; } // Thirpdarty if (!empty($arrayfields['s.nom']['checked'])) { print ''; - print ''; + print ''; print ''; } // Town @@ -689,12 +687,10 @@ if ($resql) { print ''; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_dateorder_start ? $search_dateorder_start : -1, 'search_dateorder_start', 0, 0, 1); + print $form->selectDate($search_dateorder_start ? $search_dateorder_start : -1, 'search_dateorder_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_dateorder_end ? $search_dateorder_end : -1, 'search_dateorder_end', 0, 0, 1); + print $form->selectDate($search_dateorder_end ? $search_dateorder_end : -1, 'search_dateorder_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')); print '
'; print ''; } @@ -702,12 +698,10 @@ if ($resql) { print ''; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_datedelivery_start ? $search_datedelivery_start : -1, 'search_datedelivery_start', 0, 0, 1); + print $form->selectDate($search_datedelivery_start ? $search_datedelivery_start : -1, 'search_datedelivery_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_datedelivery_end ? $search_datedelivery_end : -1, 'search_datedelivery_end', 0, 0, 1); + print $form->selectDate($search_datedelivery_end ? $search_datedelivery_end : -1, 'search_datedelivery_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')); print '
'; print ''; } @@ -715,14 +709,14 @@ if ($resql) { // Amount print ''; - print ''; + print ''; print ''; } if (!empty($arrayfields['c.total_vat']['checked'])) { // Amount print ''; - print ''; + print ''; print ''; } if (!empty($arrayfields['c.total_ttc']['checked'])) diff --git a/htdocs/commande/note.php b/htdocs/commande/note.php index 9054252e6d9..9922d3b0e3e 100644 --- a/htdocs/commande/note.php +++ b/htdocs/commande/note.php @@ -38,7 +38,7 @@ $langs->loadLangs(array('companies', 'bills', 'orders')); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); $socid = GETPOST('socid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Security check $socid = 0; diff --git a/htdocs/commande/orderstoinvoice.php b/htdocs/commande/orderstoinvoice.php index 7b8e31ce7a4..a4d4ed07dee 100644 --- a/htdocs/commande/orderstoinvoice.php +++ b/htdocs/commande/orderstoinvoice.php @@ -199,9 +199,9 @@ if (($action == 'create' || $action == 'add') && !$error) $sql .= ", targettype"; $sql .= ") VALUES ("; $sql .= $origin_id; - $sql .= ", '".$object->origin."'"; + $sql .= ", '".$db->escape($object->origin)."'"; $sql .= ", ".$id; - $sql .= ", '".$object->element."'"; + $sql .= ", '".$db->escape($object->element)."'"; $sql .= ")"; if ($db->query($sql)) diff --git a/htdocs/commande/stats/index.php b/htdocs/commande/stats/index.php index 0910e4ee7ad..346b5549bfd 100644 --- a/htdocs/commande/stats/index.php +++ b/htdocs/commande/stats/index.php 
@@ -94,11 +94,11 @@ dol_mkdir($dir);
 $stats = new CommandeStats($db, $socid, $mode, ($userid > 0 ? $userid : 0), ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0));
 if ($mode == 'customer') {
- if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND c.fk_statut IN ('.$db->escape($object_status).')';
+ if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND c.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')';
 }
 if ($mode == 'supplier') {
- if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND c.fk_statut IN ('.$db->escape($object_status).')';
+ if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND c.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')';
 }
diff --git a/htdocs/compta/accounting-files.php b/htdocs/compta/accounting-files.php
index 0c20e46e316..2a8a0358744 100644
--- a/htdocs/compta/accounting-files.php
+++ b/htdocs/compta/accounting-files.php
@@ -60,15 +60,15 @@ $date_stopMonth = GETPOST('date_stopmonth', 'int'); $date_stopYear = GETPOST('date_stopyear', 'int'); //FIXME doldate $date_stop = ($date_stopDay) ?dol_mktime(23, 59, 59, $date_stopMonth, $date_stopDay, $date_stopYear) : strtotime($date_stop); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('comptafileslist', 'globallist')); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/compta/bank/account_statement_document.php b/htdocs/compta/bank/account_statement_document.php index 1e9c6e3b358..3b8423b68dc 100644 --- a/htdocs/compta/bank/account_statement_document.php +++ b/htdocs/compta/bank/account_statement_document.php @@ -38,7 +38,7 @@ $langs->loadLangs(array('banks', 'companies', 'other')); $id = (GETPOST('id', 'int') ? GETPOST('id', 'int') : GETPOST('account', 'int')); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $numref = (GETPOST('num', 'alpha') ? GETPOST('num', 'alpha') : GETPOST('sectionid', 'alpha')); diff --git a/htdocs/compta/bank/annuel.php b/htdocs/compta/bank/annuel.php index 72a7e33d3f2..cd82da0e1bd 100644 --- a/htdocs/compta/bank/annuel.php +++ b/htdocs/compta/bank/annuel.php 
@@ -91,7 +91,7 @@ $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; $sql .= " AND b.amount >= 0"; if (!empty($id)) - $sql .= " AND b.fk_account IN (".$db->escape($id).")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($db->escape($id)).")"; $sql .= " GROUP BY dm"; $resql = $db->query($sql); @@ -117,7 +117,7 @@ $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; $sql .= " AND b.amount <= 0"; if (!empty($id)) - $sql .= " AND b.fk_account IN (".$db->escape($id).")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($db->escape($id)).")"; $sql .= " GROUP BY dm"; $resql = $db->query($sql); @@ -240,7 +240,7 @@ $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; if (!empty($id)) - $sql .= " AND b.fk_account IN (".$db->escape($id).")"; + $sql .= " AND b.fk_account IN (".$db->sanitize($db->escape($id)).")"; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/compta/bank/bankentries_list.php b/htdocs/compta/bank/bankentries_list.php index fb4c2150495..950d0c7d3c6 100644 --- a/htdocs/compta/bank/bankentries_list.php +++ b/htdocs/compta/bank/bankentries_list.php @@ -56,7 +56,7 @@ $langs->loadLangs(array("banks", "bills", "categories", "companies", "margins", $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $confirm = GETPOST('confirm', 'alpha'); $contextpage = 'banktransactionlist'.(empty($object->ref) ? '' : '-'.$object->id); @@ -811,19 +811,19 @@ if ($resql) $moreforfilter .= '
'; $moreforfilter .= $langs->trans('DateOperationShort').' :'; $moreforfilter .= ($conf->browser->layout == 'phone' ? '
' : ' '); - $moreforfilter .= '
'.$langs->trans('From').' '; - $moreforfilter .= $form->selectDate($search_dt_start, 'search_start_dt', 0, 0, 1, "search_form", 1, 0).'
'; + $moreforfilter .= '
'; + $moreforfilter .= $form->selectDate($search_dt_start, 'search_start_dt', 0, 0, 1, "search_form", 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')).'
'; //$moreforfilter .= ' - '; - $moreforfilter .= '
'.$langs->trans('to').' '.$form->selectDate($search_dt_end, 'search_end_dt', 0, 0, 1, "search_form", 1, 0).'
'; + $moreforfilter .= '
'.$form->selectDate($search_dt_end, 'search_end_dt', 0, 0, 1, "search_form", 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')).'
'; $moreforfilter .= '
'; $moreforfilter .= '
'; $moreforfilter .= $langs->trans('DateValueShort').' : '; $moreforfilter .= ($conf->browser->layout == 'phone' ? '
' : ' '); - $moreforfilter .= '
'.$langs->trans('From').' '; - $moreforfilter .= $form->selectDate($search_dv_start, 'search_start_dv', 0, 0, 1, "search_form", 1, 0).'
'; + $moreforfilter .= '
'; + $moreforfilter .= $form->selectDate($search_dv_start, 'search_start_dv', 0, 0, 1, "search_form", 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')).'
'; //$moreforfilter .= ' - '; - $moreforfilter .= '
'.$langs->trans('to').' '.$form->selectDate($search_dv_end, 'search_end_dv', 0, 0, 1, "search_form", 1, 0).'
'; + $moreforfilter .= '
'.$form->selectDate($search_dv_end, 'search_end_dv', 0, 0, 1, "search_form", 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')).'
'; $moreforfilter .= '
'; if (!empty($conf->categorie->enabled)) @@ -1141,13 +1141,17 @@ if ($resql) $backgroundcolor = 'style="background: '.$color.';"'; } } + + $banklinestatic->id = $objp->rowid; + $banklinestatic->ref = $objp->rowid; + print ''; // Ref if (!empty($arrayfields['b.rowid']['checked'])) { print ''; - print "rowid.'&save_lastsearch_values=1">'.img_object($langs->trans("ShowPayment").': '.$objp->rowid, 'account', 'class="classfortooltip"').' '.$objp->rowid."   "; + print $banklinestatic->getNomUrl(1); print ''; if (!$i) $totalarray['nbfield']++; } diff --git a/htdocs/compta/bank/card.php b/htdocs/compta/bank/card.php index c99f303210b..7d9e825ce08 100644 --- a/htdocs/compta/bank/card.php +++ b/htdocs/compta/bank/card.php @@ -115,7 +115,7 @@ if ($action == 'add') $object->min_allowed = GETPOST("account_min_allowed", 'int'); $object->min_desired = GETPOST("account_min_desired", 'int'); - $object->comment = trim(GETPOST("account_comment", 'none')); + $object->comment = trim(GETPOST("account_comment", 'restricthtml')); $object->fk_user_author = $user->id; @@ -213,7 +213,7 @@ if ($action == 'update') $object->min_allowed = GETPOST("account_min_allowed", 'int'); $object->min_desired = GETPOST("account_min_desired", 'int'); - $object->comment = trim(GETPOST("account_comment", 'none')); + $object->comment = trim(GETPOST("account_comment", 'restricthtml')); if ($conf->global->MAIN_BANK_ACCOUNTANCY_CODE_ALWAYS_REQUIRED && empty($object->account_number)) { diff --git a/htdocs/compta/bank/class/account.class.php b/htdocs/compta/bank/class/account.class.php index fcbedc2f140..dffd62dc5a3 100644 --- a/htdocs/compta/bank/class/account.class.php +++ b/htdocs/compta/bank/class/account.class.php 
@@ -390,11 +390,11 @@ class Account extends CommonObject
 $sql .= ", label";
 $sql .= ", type";
 $sql .= ") VALUES (";
- $sql .= "'".$line_id."'";
- $sql .= ", '".$url_id."'";
- $sql .= ", '".$url."'";
+ $sql .= " ".((int) $line_id);
+ $sql .= ", '".$this->db->escape($url_id)."'";
+ $sql .= ", '".$this->db->escape($url)."'";
 $sql .= ", '".$this->db->escape($label)."'";
- $sql .= ", '".$type."'";
+ $sql .= ", '".$this->db->escape($type)."'";
 $sql .= ")";
 dol_syslog(get_class($this)."::add_url_line", LOG_DEBUG);
@@ -434,7 +434,7 @@ class Account extends CommonObject
 $sql .= " FROM ".MAIN_DB_PREFIX."bank_url";
 if ($fk_bank > 0) {
 $sql .= " WHERE fk_bank = ".$fk_bank;
- } else { $sql .= " WHERE url_id = ".$url_id." AND type = '".$type."'";
+ } else { $sql .= " WHERE url_id = ".$url_id." AND type = '".$this->db->escape($type)."'";
 }
 $sql .= " ORDER BY type, label";
@@ -1315,7 +1315,7 @@ class Account extends CommonObject
 *
 * @return int Nb of account we can reconciliate
 */
- public static function countAccountToReconcile()
+ public function countAccountToReconcile()
 {
 global $db, $conf, $user;
@@ -1331,12 +1331,12 @@ class Account extends CommonObject
 $sql .= " WHERE ba.rappro > 0 and ba.clos = 0";
 $sql .= " AND ba.entity IN (".getEntity('bank_account').")";
 if (empty($conf->global->BANK_CAN_RECONCILIATE_CASHACCOUNT)) $sql .= " AND ba.courant != 2";
- $resql = $db->query($sql);
+ $resql = $this->db->query($sql);
 if ($resql) {
- $obj = $db->fetch_object($resql);
+ $obj = $this->db->fetch_object($resql);
 $nb = $obj->nb;
- } else dol_print_error($db);
+ } else dol_print_error($this->db);
 return $nb;
 }
@@ -1706,7 +1706,7 @@ class AccountLine extends CommonObject
 /**
 * @var string String with name of icon for myobject. Must be the part after the 'object_' into object_myobject.png
 */
- public $picto = 'generic';
+ public $picto = 'accountline';
 /**
 * @var int ID
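Review bot: In hunk @@ -434 the rewritten `else` branch escapes `$type` but leaves `$url_id` concatenated raw in `url_id = ".$url_id."`, and the context line above does the same with `fk_bank`; both are compared against integer columns. `" WHERE url_id = ".((int) $url_id)." AND type = '".$this->db->escape($type)."'"` (and `((int) $fk_bank)` on the line above) would close the gap the way hunk @@ -390 of this file does for `$line_id`. The enclosing method starts and ends outside the hunk.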
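Review bot: Removing `static` from `countAccountToReconcile()` in hunk @@ -1315 is a backward-incompatible signature change: any external module still calling `Account::countAccountToReconcile()` statically will break, and nothing in the hunk or its docblock records this. Either keep the static form and accept the connection another way, or add a line under the "changes may create regressions for some external modules" section of the ChangeLog, e.g. `* Account::countAccountToReconcile() is no longer static; call it on an Account instance.` The `global $db, $conf, $user;` line right after the signature also appears to keep `$db` for no reason now that hunk @@ -1331 uses `$this->db` throughout, unless it is referenced in the lines between the two hunks.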
@@ -1825,7 +1825,7 @@ class AccountLine extends CommonObject $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; if ($num) $sql .= " AND b.num_chq='".$this->db->escape($num)."'"; elseif ($ref) $sql .= " AND b.rowid='".$this->db->escape($ref)."'"; - else $sql .= " AND b.rowid=".$rowid; + else $sql .= " AND b.rowid = ".((int) $rowid); dol_syslog(get_class($this)."::fetch", LOG_DEBUG); $result = $this->db->query($sql); @@ -2306,13 +2306,16 @@ class AccountLine extends CommonObject global $langs; $result = ''; - $label = $langs->trans("ShowTransaction").': '.$this->rowid; - $linkstart = ''; + + $label = img_picto('', $this->picto).' '.$langs->trans("Transaction").':
'; + $label .= ''.$langs->trans("Ref").': '.$this->ref; + + $linkstart = '
'; $linkend = ''; $result .= $linkstart; if ($withpicto) $result .= img_object(($notooltip ? '' : $label), ($this->picto ? $this->picto : 'account'), ($notooltip ? (($withpicto != 2) ? 'class="paddingright"' : '') : 'class="'.(($withpicto != 2) ? 'paddingright ' : '').'classfortooltip"'), 0, 0, $notooltip ? 0 : 1); - if ($withpicto != 2) $result .= ($this->ref ? $this->ref : $this->rowid); + if ($withpicto != 2) $result .= ($this->ref ? $this->ref : $this->id); $result .= $linkend; if ($option == 'showall' || $option == 'showconciliated' || $option == 'showconciliatedandaccounted') $result .= ' ('; @@ -2418,7 +2421,7 @@ class AccountLine extends CommonObject $type = 'bank'; - $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$type."' AND ab.fk_doc = ".$this->id; + $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$this->db->escape($type)."' AND ab.fk_doc = ".$this->id; $resql = $this->db->query($sql); if ($resql) { diff --git a/htdocs/compta/bank/class/paymentvarious.class.php b/htdocs/compta/bank/class/paymentvarious.class.php index bfb522b6e3a..14466915d76 100644 --- a/htdocs/compta/bank/class/paymentvarious.class.php +++ b/htdocs/compta/bank/class/paymentvarious.class.php @@ -710,7 +710,7 @@ class PaymentVarious extends CommonObject $type = 'bank'; - $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$type."' AND ab.fk_doc = ".$banklineid; + $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$this->db->escape($type)."' AND ab.fk_doc = ".$banklineid; $resql = $this->db->query($sql); if ($resql) { diff --git a/htdocs/compta/bank/document.php b/htdocs/compta/bank/document.php index e3863cd2922..2bd95409827 100644 --- a/htdocs/compta/bank/document.php +++ b/htdocs/compta/bank/document.php 
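Review bot: In hunk @@ -2418 the new escaping is applied to `$type`, which is the constant `'bank'` assigned two lines above, while the value that actually varies, `$this->id` in `ab.fk_doc = ".$this->id`, is still concatenated uncast. `" AND ab.fk_doc = ".((int) $this->id)` is the change that matters for this query. The same holds for `$banklineid` in paymentvarious.class.php hunk @@ -710, which ends on this line too. Both enclosing methods start and end outside the hunks.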
@@ -36,7 +36,7 @@ $langs->loadLangs(array('banks', 'companies', 'other'));
 $id = (GETPOST('id', 'int') ? GETPOST('id', 'int') : GETPOST('account', 'int'));
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
 // Security check
diff --git a/htdocs/compta/bank/graph.php b/htdocs/compta/bank/graph.php
index 296211bf35c..686122f4d56 100644
--- a/htdocs/compta/bank/graph.php
+++ b/htdocs/compta/bank/graph.php
@@ -130,8 +130,8 @@ if ($result < 0)
 $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba";
 $sql .= " WHERE b.fk_account = ba.rowid";
 $sql .= " AND ba.entity IN (".getEntity('bank_account').")";
- $sql .= " AND b.datev >= '".$year."-".$month."-01 00:00:00'";
- $sql .= " AND b.datev < '".$yearnext."-".$monthnext."-01 00:00:00'";
+ $sql .= " AND b.datev >= '".$db->escape($year)."-".$db->escape($month)."-01 00:00:00'";
+ $sql .= " AND b.datev < '".$db->escape($yearnext)."-".$db->escape($monthnext)."-01 00:00:00'";
 if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")";
 $sql .= " GROUP BY date_format(b.datev,'%Y%m%d')";
@@ -159,7 +159,7 @@ if ($result < 0)
 $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba";
 $sql .= " WHERE b.fk_account = ba.rowid";
 $sql .= " AND ba.entity IN (".getEntity('bank_account').")";
- $sql .= " AND b.datev < '".$year."-".sprintf("%02s", $month)."-01'";
+ $sql .= " AND b.datev < '".$db->escape($year)."-".sprintf("%02s", $month)."-01'";
 if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")";
 $resql = $db->query($sql);
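Review bot: The rewritten `b.datev` lines in graph.php hunks @@ -130 and @@ -159 escape `$year`/`$month`, but the line immediately after each pair, `b.fk_account IN (".$account.")"`, still inlines `$account` with no cast or sanitize (and tests `$_GET["option"]` directly); `$account` is assigned outside the hunk, so its origin is not visible here. This commit already wraps the equivalent id list in annuel.php with `$db->sanitize(...)`, so `" AND b.fk_account IN (".$db->sanitize($account).")"` would make graph.php consistent with it. Since year and month are numbers, `((int) $year)` would also be a stronger form than `$db->escape()` inside a quoted literal, though the escape does neutralise quotes. The same applies to the six remaining graph.php hunks below (@@ -267, -296, -519, -555, -632, -659); the enclosing `if ($result < 0)` blocks start and end outside every hunk.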
@@ -267,8 +267,8 @@ if ($result < 0)
 $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba";
 $sql .= " WHERE b.fk_account = ba.rowid";
 $sql .= " AND ba.entity IN (".getEntity('bank_account').")";
- $sql .= " AND b.datev >= '".$year."-01-01 00:00:00'";
- $sql .= " AND b.datev <= '".$year."-12-31 23:59:59'";
+ $sql .= " AND b.datev >= '".$db->escape($year)."-01-01 00:00:00'";
+ $sql .= " AND b.datev <= '".$db->escape($year)."-12-31 23:59:59'";
 if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")";
 $sql .= " GROUP BY date_format(b.datev,'%Y%m%d')";
@@ -296,7 +296,7 @@ if ($result < 0)
 $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba";
 $sql .= " WHERE b.fk_account = ba.rowid";
 $sql .= " AND ba.entity IN (".getEntity('bank_account').")";
- $sql .= " AND b.datev < '".$year."-01-01'";
+ $sql .= " AND b.datev < '".$db->escape($year)."-01-01'";
 if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")";
 $resql = $db->query($sql);
@@ -519,8 +519,8 @@ if ($result < 0)
 $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba";
 $sql .= " WHERE b.fk_account = ba.rowid";
 $sql .= " AND ba.entity IN (".getEntity('bank_account').")";
- $sql .= " AND b.datev >= '".$year."-".$month."-01 00:00:00'";
- $sql .= " AND b.datev < '".$yearnext."-".$monthnext."-01 00:00:00'";
+ $sql .= " AND b.datev >= '".$db->escape($year)."-".$db->escape($month)."-01 00:00:00'";
+ $sql .= " AND b.datev < '".$db->escape($yearnext)."-".$db->escape($monthnext)."-01 00:00:00'";
 $sql .= " AND b.amount > 0";
 if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")";
 $sql .= " GROUP BY date_format(b.datev,'%d')";
@@ -555,8 +555,8 @@ if ($result < 0)
 $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba";
 $sql .= " WHERE b.fk_account = ba.rowid";
 $sql .= " AND ba.entity IN (".getEntity('bank_account').")";
- $sql .= " AND b.datev >= '".$year."-".$month."-01 00:00:00'";
- $sql .= " AND b.datev < '".$yearnext."-".$monthnext."-01 00:00:00'";
+ $sql .= " AND b.datev >= '".$db->escape($year)."-".$db->escape($month)."-01 00:00:00'";
+ $sql .= " AND b.datev < '".$db->escape($yearnext)."-".$db->escape($monthnext)."-01 00:00:00'";
 $sql .= " AND b.amount < 0";
 if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")";
 $sql .= " GROUP BY date_format(b.datev,'%d')";
@@ -632,8 +632,8 @@ if ($result < 0)
 $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba";
 $sql .= " WHERE b.fk_account = ba.rowid";
 $sql .= " AND ba.entity IN (".getEntity('bank_account').")";
- $sql .= " AND b.datev >= '".$year."-01-01 00:00:00'";
- $sql .= " AND b.datev <= '".$year."-12-31 23:59:59'";
+ $sql .= " AND b.datev >= '".$db->escape($year)."-01-01 00:00:00'";
+ $sql .= " AND b.datev <= '".$db->escape($year)."-12-31 23:59:59'";
 $sql .= " AND b.amount > 0";
 if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")";
 $sql .= " GROUP BY date_format(b.datev,'%m');";
@@ -659,8 +659,8 @@ if ($result < 0)
 $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba";
 $sql .= " WHERE b.fk_account = ba.rowid";
 $sql .= " AND ba.entity IN (".getEntity('bank_account').")";
- $sql .= " AND b.datev >= '".$year."-01-01 00:00:00'";
- $sql .= " AND b.datev <= '".$year."-12-31 23:59:59'";
+ $sql .= " AND b.datev >= '".$db->escape($year)."-01-01 00:00:00'";
+ $sql .= " AND b.datev <= '".$db->escape($year)."-12-31 23:59:59'";
 $sql .= " AND b.amount < 0";
 if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")";
 $sql .= " GROUP BY date_format(b.datev,'%m')";
diff --git a/htdocs/compta/bank/info.php b/htdocs/compta/bank/info.php
index 6f6d7236f15..e1adb0b5e41 100644
--- a/htdocs/compta/bank/info.php
+++ b/htdocs/compta/bank/info.php
@@ -29,7 +29,7 @@ require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php';
 // Load translation files required by the page
 $langs->loadLangs(array('banks', 'categories', 'companies'));
-$id = GETPOST("rowid");
+$id = GETPOST("rowid", 'int');
 /*
@@ -55,7 +55,7 @@ $hselected = $h;
 $h++;
-dol_fiche_head($head, $hselected, $langs->trans("LineRecord"), -1, 'account');
+dol_fiche_head($head, $hselected, $langs->trans("LineRecord"), -1, 'accountline');
 $linkback = ''.$langs->trans("BackToList").'';
diff --git a/htdocs/compta/bank/line.php b/htdocs/compta/bank/line.php
index d2b3e6099dd..7502d4644f5 100644
--- a/htdocs/compta/bank/line.php
+++ b/htdocs/compta/bank/line.php
@@ -43,7 +43,7 @@ if (!empty($conf->salaries->enabled)) $langs->load("salaries");
 $id = (GETPOST('id', 'int') ? GETPOST('id', 'int') : GETPOST('account', 'int'));
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
 $rowid = GETPOST("rowid", 'int');
 $orig_account = GETPOST("orig_account");
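Review bot: In the line.php hunk @@ -43, `$action` now goes through `aZ09`, but the last context line, `$orig_account = GETPOST("orig_account");`, still reads its parameter with no check type at all, while `$rowid` on the line above it is typed `'int'`. If the caller always sends a numeric account id, `$orig_account = GETPOST("orig_account", 'int');` matches the typing the rest of this commit applies; if it can be a reference, `'alpha'` is the minimum. How `$orig_account` is consumed is outside the hunk, so confirm against the update handler before tightening.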
@@ -138,15 +138,15 @@ if ($user->rights->banque->modifier && $action == "update")
 $sql = "UPDATE ".MAIN_DB_PREFIX."bank";
 $sql .= " SET ";
 // Always opened
- if (isset($_POST['value'])) $sql .= " fk_type='".$db->escape($_POST['value'])."',";
- if (isset($_POST['num_chq'])) $sql .= " num_chq='".$db->escape($_POST["num_chq"])."',";
- if (isset($_POST['banque'])) $sql .= " banque='".$db->escape($_POST["banque"])."',";
- if (isset($_POST['emetteur'])) $sql .= " emetteur='".$db->escape($_POST["emetteur"])."',";
+ if (isset($_POST['value'])) $sql .= " fk_type='".$db->escape(GETPOST('value'))."',";
+ if (isset($_POST['num_chq'])) $sql .= " num_chq='".$db->escape(GETPOST("num_chq"))."',";
+ if (isset($_POST['banque'])) $sql .= " banque='".$db->escape(GETPOST("banque"))."',";
+ if (isset($_POST['emetteur'])) $sql .= " emetteur='".$db->escape(GETPOST("emetteur"))."',";
 // Blocked when conciliated
 if (!$acline->rappro) {
- if (isset($_POST['label'])) $sql .= " label='".$db->escape($_POST["label"])."',";
- if (isset($_POST['amount'])) $sql .= " amount='".$amount."',";
+ if (isset($_POST['label'])) $sql .= " label = '".$db->escape(GETPOST("label"))."',";
+ if (isset($_POST['amount'])) $sql .= " amount= '".$db->escape($amount)."',";
 if (isset($_POST['dateomonth'])) $sql .= " dateo = '".$db->idate($dateop)."',";
 if (isset($_POST['datevmonth'])) $sql .= " datev = '".$db->idate($dateval)."',";
 }
@@ -212,7 +212,7 @@ if ($user->rights->banque->consolidate && ($action == 'num_releve' || $action ==
 $db->begin();
 $sql = "UPDATE ".MAIN_DB_PREFIX."bank";
- $sql .= " SET num_releve=".($num_rel ? "'".$num_rel."'" : "null");
+ $sql .= " SET num_releve=".($num_rel ? "'".$db->escape($num_rel)."'" : "null");
 if (empty($num_rel)) $sql .= ", rappro = 0";
 else $sql .= ", rappro = ".$rappro;
 $sql .= " WHERE rowid = ".$rowid;
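Review bot: `amount= '".$db->escape($amount)."'` in hunk @@ -138 stores a numeric column from a quoted string; escaping neutralises quotes but does not validate that `$amount` is a number, and `$amount` is assigned outside the hunk so its normalisation is not visible here. `if (isset($_POST['amount'])) $sql .= " amount = ".((float) price2num($amount)).",";` (price2num is already used for amounts elsewhere in this commit) would store a validated numeric literal instead. Hunk @@ -212 in this file has the same shape: `$rappro` is still concatenated raw in `rappro = ".$rappro`, where `((int) $rappro)` would close it. Both enclosing `if ($user->rights->banque->...)` blocks start and end outside the hunks.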
@@ -296,7 +296,7 @@ if ($result) print ''; print ''; - dol_fiche_head($tabs, 0, $langs->trans('LineRecord'), 0, 'account', 0); + dol_fiche_head($tabs, 0, $langs->trans('LineRecord'), 0, 'accountline', 0); $linkback = ''.$langs->trans("BackToList").''; @@ -306,7 +306,7 @@ if ($result) print '
'; print '
'; - print ''; + print '
'; $i++; diff --git a/htdocs/compta/bank/list.php b/htdocs/compta/bank/list.php index 882244518f7..5cdd4711871 100644 --- a/htdocs/compta/bank/list.php +++ b/htdocs/compta/bank/list.php @@ -39,7 +39,7 @@ if (!empty($conf->categorie->enabled)) require_once DOL_DOCUMENT_ROOT.'/categori // Load translation files required by the page $langs->loadLangs(array('banks', 'categories', 'accountancy', 'compta')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $show_files = GETPOST('show_files', 'int'); $confirm = GETPOST('confirm', 'alpha'); @@ -247,12 +247,7 @@ if ($user->rights->banque->supprimer) $arrayofmassactions['predelete'] = 'selectMassAction('', $arrayofmassactions); -$newcardbutton = ''; -if ($user->rights->banque->configurer) -{ - $newcardbutton .= dolGetButtonTitle($langs->trans('NewFinancialAccount'), '', 'fa fa-plus-circle', 'card.php?action=create'); -} - +$newcardbutton = dolGetButtonTitle($langs->trans('NewFinancialAccount'), '', 'fa fa-plus-circle', 'card.php?action=create', '', $user->rights->banque->configurer); // Lines of title fields print ''; diff --git a/htdocs/compta/bank/releve.php b/htdocs/compta/bank/releve.php index aee53fe3f23..ba5e20c11c1 100644 --- a/htdocs/compta/bank/releve.php +++ b/htdocs/compta/bank/releve.php @@ -48,7 +48,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/functions.lib.php'; // Load translation files required by the page $langs->loadLangs(array("banks", "categories", "companies", "bills", "trips", "donations", "loan")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $id = GETPOST('account', 'int') ? GETPOST('account', 'int') : GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); $dvid = GETPOST('dvid', 'alpha'); diff --git a/htdocs/compta/bank/transfer.php b/htdocs/compta/bank/transfer.php index 7228c38fe50..70903f9120f 100644 --- a/htdocs/compta/bank/transfer.php +++ b/htdocs/compta/bank/transfer.php 
@@ -37,7 +37,7 @@ $langs->loadLangs(array("banks", "categories", "multicurrency"));
 if (!$user->rights->banque->transfer) accessforbidden();
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $error = 0;
diff --git a/htdocs/compta/bank/various_payment/card.php b/htdocs/compta/bank/various_payment/card.php
index 071a5abf0a9..20eab8b349e 100644
--- a/htdocs/compta/bank/various_payment/card.php
+++ b/htdocs/compta/bank/various_payment/card.php
@@ -107,8 +107,8 @@ if (empty($reshook))
 $object->datev = $datev;
 $object->datep = $datep;
 $object->amount = price2num(GETPOST("amount", 'alpha'));
- $object->label = GETPOST("label", 'none');
- $object->note = GETPOST("note", 'none');
+ $object->label = GETPOST("label", 'restricthtml');
+ $object->note = GETPOST("note", 'restricthtml');
 $object->type_payment = GETPOST("paymenttype", 'int') > 0 ? GETPOST("paymenttype", "int") : 0;
 $object->num_payment = GETPOST("num_payment", 'alpha');
 $object->fk_user_author = $user->id;
diff --git a/htdocs/compta/bank/various_payment/document.php b/htdocs/compta/bank/various_payment/document.php
index 7a89fd77986..744daa939d5 100644
--- a/htdocs/compta/bank/various_payment/document.php
+++ b/htdocs/compta/bank/various_payment/document.php
@@ -34,7 +34,7 @@ $langs->loadLangs(array("compta", "banks", "bills", "users", "accountancy"));
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
 // Security check
@@ -44,8 +44,8 @@ $result = restrictedArea($user, 'banque', '', '', ''); // Get parameters $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/compta/bank/various_payment/list.php b/htdocs/compta/bank/various_payment/list.php index cfecfecffa5..54216f06358 100644 --- a/htdocs/compta/bank/various_payment/list.php +++ b/htdocs/compta/bank/various_payment/list.php @@ -240,8 +240,10 @@ if ($result) if ($limit > 0 && $limit != $conf->liste_limit) $param .= '&limit='.urlencode($limit); if ($search_ref) $param .= '&search_ref='.urlencode($search_ref); if ($search_label) $param .= '&search_label='.urlencode($search_label); - if ($search_date_start) $param .= '&search_date_start='.urlencode($search_date_start); - if ($search_date_end) $param .= '&search_date_end='.urlencode($search_date_end); + if ($search_datep_start) $param .= '&search_datep_start='.urlencode($search_datep_start); + if ($search_datep_end) $param .= '&search_datep_end='.urlencode($search_datep_end); + if ($search_datev_start) $param .= '&search_datev_start='.urlencode($search_datev_start); + if ($search_datev_end) $param .= '&search_datev_end='.urlencode($search_datev_end); if ($typeid > 0) $param .= '&typeid='.urlencode($typeid); if ($search_amount_deb) $param .= '&search_amount_deb='.urlencode($search_amount_deb); if ($search_amount_cred) $param .= '&search_amount_cred='.urlencode($search_amount_cred); 
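Review bot: `$page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int')`, the line right after the new `aZ09comma` filters, still reads `pageplusone` with no check type, so the tightening applied to `sortfield`/`sortorder` stops one line short. PHP arithmetic coerces the value, so this is an input-hygiene and consistency point rather than an injection path, but `GETPOST('pageplusone', 'int')` would match the `page` branch on the same line. The identical pattern is left untouched in the cashcontrol_list.php `@@ -63` hunk and the deplacement/document.php `@@ -49` hunk of this commit.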
@@ -251,11 +253,9 @@ if ($result) if ($optioncss != '') $param .= '&optioncss='.urlencode($optioncss); - $newcardbutton = ''; - if ($user->rights->banque->modifier) - { - $newcardbutton .= dolGetButtonTitle($langs->trans('MenuNewVariousPayment'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/compta/bank/various_payment/card.php?action=create'); - } + $url = DOL_URL_ROOT.'/compta/bank/various_payment/card.php?action=create'; + if (!empty($socid)) $url .= '&socid='.$socid; + $newcardbutton = dolGetButtonTitle($langs->trans('MenuNewVariousPayment'), '', 'fa fa-plus-circle', $url, '', $user->rights->banque->modifier); print ''; @@ -306,12 +306,10 @@ if ($result) if ($arrayfields['datep']['checked']) { print ''; } @@ -320,12 +318,10 @@ if ($result) if ($arrayfields['datev']['checked']) { print ''; } @@ -333,7 +329,7 @@ if ($result) // Payment type if ($arrayfields['type']['checked']) { print ''; } @@ -347,14 +343,14 @@ if ($result) // Bank account if ($arrayfields['bank']['checked']) { print ''; } // Bank entry if ($arrayfields['entry']['checked']) { - print ''; } @@ -379,14 +375,14 @@ if ($result) // Debit if ($arrayfields['debit']['checked']) { print ''; } // Credit if ($arrayfields['credit']['checked']) { print ''; } @@ -471,7 +467,7 @@ if ($result) // Project if ($arrayfields['project']['checked']) { $proj->fetch($obj->fk_project); - print ''; + print ''; if (!$i) $totalarray['nbfield']++; } diff --git a/htdocs/compta/cashcontrol/cashcontrol_list.php b/htdocs/compta/cashcontrol/cashcontrol_list.php index d24c4ac1059..2adf3a01a83 100644 --- a/htdocs/compta/cashcontrol/cashcontrol_list.php +++ b/htdocs/compta/cashcontrol/cashcontrol_list.php 
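Review bot: `if (!empty($socid)) $url .= '&socid='.$socid;` appends `$socid` to the create-button URL raw, while every other query parameter assembled in this file's `@@ -240` hunk goes through `urlencode()`. Where `$socid` is assigned is outside the hunk; if it comes from an int-filtered `GETPOST` the value is already numeric, but the URL is emitted into HTML by `dolGetButtonTitle()`, so `$url .= '&socid='.((int) $socid);` would make that guarantee local to this line instead of depending on code elsewhere.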
@@ -63,8 +63,8 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action $offset = $limit * $page; diff --git a/htdocs/compta/cashcontrol/report.php b/htdocs/compta/cashcontrol/report.php index f2d8e38fb15..02299788794 100644 --- a/htdocs/compta/cashcontrol/report.php +++ b/htdocs/compta/cashcontrol/report.php @@ -297,8 +297,8 @@ if ($resql) /* $sql = "UPDATE ".MAIN_DB_PREFIX."pos_cash_fence "; $sql .= "SET"; - $sql .= " cash='".$cash."'"; - $sql .= ", card='".$bank."'"; + $sql .= " cash='".$db->escape($cash)."'"; + $sql .= ", card='".$db->escape($bank)."'"; $sql .= " where rowid=".$id; $db->query($sql); */ diff --git a/htdocs/compta/clients.php b/htdocs/compta/clients.php index 5632e8ebc1a..1b4e86bbb4c 100644 --- a/htdocs/compta/clients.php +++ b/htdocs/compta/clients.php @@ -66,7 +66,7 @@ $thirdpartystatic = new Societe($db); if ($action == 'note') { - $sql = "UPDATE ".MAIN_DB_PREFIX."societe SET note='".$note."' WHERE rowid=".$socid; + $sql = "UPDATE ".MAIN_DB_PREFIX."societe SET note='".$db->escape($note)."' WHERE rowid=".$socid; $result = $db->query($sql); } diff --git a/htdocs/compta/deplacement/card.php b/htdocs/compta/deplacement/card.php index 4d3ec6b1ee6..682981852d8 100644 --- a/htdocs/compta/deplacement/card.php +++ b/htdocs/compta/deplacement/card.php 
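Review bot: The two `$db->escape()` calls added in the cashcontrol/report.php `@@ -297` hunk sit inside a `/* ... */` block, so they change nothing at runtime, and the `" where rowid=".$id` on the next line of the same dead block is left as it was. Either remove the commented-out statement, or, if it is meant to be revived, complete it with `$sql .= " where rowid=".((int) $id);` so the whole statement is covered when it comes back.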
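Review bot: `WHERE rowid=".$socid` in the rewritten UPDATE of clients.php still interpolates `$socid` bare, so the escape added for `$note` covers only half of the statement. The origin of `$socid` is above the hunk and may already be an int-filtered `GETPOST`; `" WHERE rowid=".((int) $socid)` would make the statement safe regardless of how that variable is set.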
@@ -43,7 +43,7 @@ $id = GETPOST('id', 'int'); if ($user->socid) $socid = $user->socid; $result = restrictedArea($user, 'deplacement', $id, ''); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $object = new Deplacement($db); diff --git a/htdocs/compta/deplacement/class/deplacementstats.class.php b/htdocs/compta/deplacement/class/deplacementstats.class.php index 6fdd54095a2..953ee78a3d6 100644 --- a/htdocs/compta/deplacement/class/deplacementstats.class.php +++ b/htdocs/compta/deplacement/class/deplacementstats.class.php @@ -122,7 +122,7 @@ class DeplacementStats extends Stats { $sql = "SELECT date_format(dated,'%m') as dm, sum(".$this->field.")"; $sql .= " FROM ".$this->from; - $sql .= " WHERE date_format(dated,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(dated,'%Y') = '".$this->db->escape($year)."'"; $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); @@ -142,7 +142,7 @@ class DeplacementStats extends Stats { $sql = "SELECT date_format(dated,'%m') as dm, avg(".$this->field.")"; $sql .= " FROM ".$this->from; - $sql .= " WHERE date_format(dated,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(dated,'%Y') = '".$this->db->escape($year)."'"; $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); diff --git a/htdocs/compta/deplacement/document.php b/htdocs/compta/deplacement/document.php index 889eb390ca2..47b1709ff60 100644 --- a/htdocs/compta/deplacement/document.php +++ b/htdocs/compta/deplacement/document.php @@ -39,7 +39,7 @@ $langs->loadLangs(array('other', 'trips', 'companies', 'interventions')); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); // Security check 
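Review bot: `$this->db->escape($year)` in both deplacementstats.class.php hunks (`@@ -122` and `@@ -142`) quotes a value that is compared against a four-digit `date_format(dated,'%Y')` result, so an integer cast is the tighter filter: `$sql .= " WHERE date_format(dated,'%Y') = '".((int) $year)."'";`. Escaping is the right tool for strings, but a cast also rejects non-numeric input rather than merely neutralising quotes. The enclosing methods start and end outside both hunks.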
@@ -49,8 +49,8 @@ $result = restrictedArea($user, 'deplacement', $id, ''); // Get parameters $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/compta/facture/admin/facture_cust_extrafields.php b/htdocs/compta/facture/admin/facture_cust_extrafields.php index 55d4141fc07..df5cb39f9e4 100644 --- a/htdocs/compta/facture/admin/facture_cust_extrafields.php +++ b/htdocs/compta/facture/admin/facture_cust_extrafields.php @@ -40,7 +40,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'facture'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/compta/facture/admin/facture_rec_cust_extrafields.php b/htdocs/compta/facture/admin/facture_rec_cust_extrafields.php index feeca2046d6..a8d073958ad 100644 --- a/htdocs/compta/facture/admin/facture_rec_cust_extrafields.php +++ b/htdocs/compta/facture/admin/facture_rec_cust_extrafields.php @@ -41,7 +41,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'facture_rec'; //Must be the $table_element of the class that manage extrafield 
diff --git a/htdocs/compta/facture/admin/facturedet_cust_extrafields.php b/htdocs/compta/facture/admin/facturedet_cust_extrafields.php index 87467f0dba6..ebe2a437a92 100644 --- a/htdocs/compta/facture/admin/facturedet_cust_extrafields.php +++ b/htdocs/compta/facture/admin/facturedet_cust_extrafields.php @@ -41,7 +41,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'facturedet'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/compta/facture/admin/facturedet_rec_cust_extrafields.php b/htdocs/compta/facture/admin/facturedet_rec_cust_extrafields.php index 32a7a8cb75a..a09b0380f59 100644 --- a/htdocs/compta/facture/admin/facturedet_rec_cust_extrafields.php +++ b/htdocs/compta/facture/admin/facturedet_rec_cust_extrafields.php @@ -41,7 +41,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'facturedet_rec'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/compta/facture/card-rec.php b/htdocs/compta/facture/card-rec.php index 0074fcc8ba9..a11f0f7c800 100644 --- a/htdocs/compta/facture/card-rec.php +++ b/htdocs/compta/facture/card-rec.php 
@@ -190,8 +190,8 @@ if (empty($reshook)) { $object->titre = GETPOST('titre', 'nohtml'); // deprecated $object->title = GETPOST('titre', 'nohtml'); - $object->note_private = GETPOST('note_private', 'none'); - $object->note_public = GETPOST('note_public', 'none'); + $object->note_private = GETPOST('note_private', 'restricthtml'); + $object->note_public = GETPOST('note_public', 'restricthtml'); $object->model_pdf = GETPOST('modelpdf', 'alpha'); $object->usenewprice = GETPOST('usenewprice', 'alpha'); @@ -405,7 +405,7 @@ if (empty($reshook)) $object->oldcopy = dol_clone($object); // Fill array 'array_options' with data from update form - $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'none')); + $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'restricthtml')); if ($ret < 0) $error++; if (!$error) @@ -713,7 +713,7 @@ if (empty($reshook)) $date_end = ''; //$date_start = dol_mktime(GETPOST('date_starthour'), GETPOST('date_startmin'), GETPOST('date_startsec'), GETPOST('date_startmonth'), GETPOST('date_startday'), GETPOST('date_startyear')); //$date_end = dol_mktime(GETPOST('date_endhour'), GETPOST('date_endmin'), GETPOST('date_endsec'), GETPOST('date_endmonth'), GETPOST('date_endday'), GETPOST('date_endyear')); - $description = dol_htmlcleanlastbr(GETPOST('product_desc', 'none') ? GETPOST('product_desc', 'none') : GETPOST('desc', 'none')); + $description = dol_htmlcleanlastbr(GETPOST('product_desc', 'restricthtml') ? GETPOST('product_desc', 'restricthtml') : GETPOST('desc', 'restricthtml')); $pu_ht = GETPOST('price_ht'); $vat_rate = (GETPOST('tva_tx') ? GETPOST('tva_tx') : 0); $qty = GETPOST('qty'); 
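Review bot: `$pu_ht = GETPOST('price_ht');` directly after the rewritten `$description` line in the `@@ -713` hunk takes the unit price with no check type and no `price2num()`, whereas the facture/card.php `@@ -1883` hunk of this same commit normalises `price_ht` and `multicurrency_price_ht` with `price2num()`. `$pu_ht = price2num(GETPOST('price_ht', 'alpha'));` here would keep the two line-edit paths consistent; the same unnormalised `$pu_ht` is also left in facture/card.php's `@@ -2204` hunk. The enclosing action block continues outside the hunk.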
@@ -964,8 +964,8 @@ if ($action == 'create') print ''; print ''; - $note_public = GETPOST('note_public', 'none') ?GETPOST('note_public', 'none') : $object->note_public; - $note_private = GETPOST('note_private', 'none') ?GETPOST('note_private', 'none') : $object->note_private; + $note_public = GETPOSTISSET('note_public') ? GETPOST('note_public', 'restricthtml') : $object->note_public; + $note_private = GETPOSTISSET('note_private') ? GETPOST('note_private', 'restricthtml') : $object->note_private; // Help of substitution key $substitutionarray = getCommonSubstitutionArray($langs, 2, null, $object); @@ -1617,13 +1617,12 @@ if ($action == 'create') // Show object lines if (!empty($object->lines)) { - //$disableedit=1; - //$disablemove=1; + $canchangeproduct = 1; $ret = $object->printObjectLines($action, $mysoc, $object->thirdparty, $lineid, 0); // No date selector for template invoice } // Form to add new line - if ($object->statut == 0 && $user->rights->facture->creer && $action != 'valid' && $action != 'editline') + if ($object->statut == $object::STATUS_DRAFT && $user->rights->facture->creer && $action != 'valid' && $action != 'editline') { if ($action != 'editline') { diff --git a/htdocs/compta/facture/card.php b/htdocs/compta/facture/card.php index ed77c0e8a56..87a3a3c8be2 100644 --- a/htdocs/compta/facture/card.php +++ b/htdocs/compta/facture/card.php @@ -75,7 +75,7 @@ $projectid = (GETPOST('projectid', 'int') ? GETPOST('projectid', 'int') : 0); $id = (GETPOST('id', 'int') ? GETPOST('id', 'int') : GETPOST('facid', 'int')); // For backward compatibility $ref = GETPOST('ref', 'alpha'); $socid = GETPOST('socid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $cancel = GETPOST('cancel', 'alpha'); $lineid = GETPOST('lineid', 'int'); 
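Review bot: `$canchangeproduct = 1;` in the `@@ -1617` hunk replaces two commented-out lines, but nothing visible reads it: the `printObjectLines()` call on the next line has the same arguments as before. If the template included by `printObjectLines()` picks it up as a global, a comment such as `// Read by the object-lines template: allow changing the product on template invoices` would explain why an apparently unused local is set; otherwise it is dead code. I cannot see the consumer from this hunk.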
@@ -746,8 +746,8 @@ if (empty($reshook)) elseif ($action == 'confirm_paid_partially' && $confirm == 'yes' && $usercanissuepayment) { $object->fetch($id); - $close_code = GETPOST("close_code", 'none'); - $close_note = GETPOST("close_note", 'none'); + $close_code = GETPOST("close_code", 'restricthtml'); + $close_note = GETPOST("close_note", 'restricthtml'); if ($close_code) { $result = $object->set_paid($user, $close_code, $close_note); if ($result < 0) setEventMessages($object->error, $object->errors, 'errors'); @@ -757,8 +757,8 @@ if (empty($reshook)) } // Classify "abandoned" elseif ($action == 'confirm_canceled' && $confirm == 'yes') { $object->fetch($id); - $close_code = GETPOST("close_code", 'none'); - $close_note = GETPOST("close_note", 'none'); + $close_code = GETPOST("close_code", 'restricthtml'); + $close_note = GETPOST("close_note", 'restricthtml'); if ($close_code) { $result = $object->set_canceled($user, $close_code, $close_note); if ($result < 0) setEventMessages($object->error, $object->errors, 'errors'); @@ -987,7 +987,7 @@ if (empty($reshook)) $object->date = $dateinvoice; $object->date_pointoftax = $date_pointoftax; - $object->note_public = trim(GETPOST('note_public', 'none')); + $object->note_public = trim(GETPOST('note_public', 'restricthtml')); // We do not copy the private note $object->ref_client = $_POST['ref_client']; $object->ref_int = $_POST['ref_int']; @@ -1015,7 +1015,7 @@ if (empty($reshook)) } // Credit note invoice - if ($_POST['type'] == Facture::TYPE_CREDIT_NOTE) + if (GETPOST('type') == Facture::TYPE_CREDIT_NOTE) { $sourceinvoice = GETPOST('fac_avoir'); if (!($sourceinvoice > 0) && empty($conf->global->INVOICE_CREDIT_NOTE_STANDALONE)) 
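Review bot: `$close_code = GETPOST("close_code", 'restricthtml');` in both the `confirm_paid_partially` and `confirm_canceled` hunks (`@@ -746` and `@@ -757`) applies an HTML filter to a value that is a classification code, not free text. `'alpha'` (or `'aZ09'`) is the appropriate check for `close_code`; `'restricthtml'` fits `close_note`, which is free text. Both values are handed to `set_paid()`/`set_canceled()`, whose own escaping is outside the hunks.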
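Review bot: `if (GETPOST('type') == Facture::TYPE_CREDIT_NOTE)` in the `@@ -1015` hunk replaces a raw `$_POST` read but still compares an unfiltered string loosely against an integer constant; `GETPOST('type', 'int')` would make both the check type and the comparison explicit. In the `@@ -987` hunk of the same file, `$object->ref_client = $_POST['ref_client'];` and `$object->ref_int = $_POST['ref_int'];` remain raw `$_POST` reads two lines below the rewritten `note_public` line, although the later create blocks in this commit convert the same fields to `GETPOST()`.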
@@ -1033,7 +1033,7 @@ if (empty($reshook)) $action = 'create'; } - $date_pointoftax = dol_mktime(12, 0, 0, $_POST['date_pointoftaxmonth'], $_POST['date_pointoftaxday'], $_POST['date_pointoftaxyear']); + $date_pointoftax = dol_mktime(12, 0, 0, GETPOST('date_pointoftaxmonth', 'int'), GETPOST('date_pointoftaxday', 'int'), GETPOST('date_pointoftaxyear', 'int')); if (!$error) { @@ -1041,20 +1041,19 @@ if (empty($reshook)) $object->entity = $originentity; } $object->socid = GETPOST('socid', 'int'); - $object->ref = $_POST['ref']; + $object->ref = GETPOST('ref'); $object->date = $dateinvoice; $object->date_pointoftax = $date_pointoftax; - $object->note_public = trim(GETPOST('note_public', 'none')); + $object->note_public = trim(GETPOST('note_public', 'restricthtml')); // We do not copy the private note - $object->ref_client = $_POST['ref_client']; - $object->ref_int = $_POST['ref_int']; - $object->model_pdf = $_POST['model']; - $object->fk_project = $_POST['projectid']; + $object->ref_client = GETPOST('ref_client'); + $object->model_pdf = GETPOST('model'); + $object->fk_project = GETPOST('projectid', 'int'); $object->cond_reglement_id = 0; - $object->mode_reglement_id = $_POST['mode_reglement_id']; + $object->mode_reglement_id = GETPOST('mode_reglement_id'); $object->fk_account = GETPOST('fk_account', 'int'); - $object->remise_absolue = $_POST['remise_absolue']; - $object->remise_percent = $_POST['remise_percent']; + $object->remise_absolue = GETPOST('remise_absolue'); + $object->remise_percent = GETPOST('remise_percent'); $object->fk_incoterms = GETPOST('incoterm_id', 'int'); $object->location_incoterms = GETPOST('location_incoterms', 'alpha'); $object->multicurrency_code = GETPOST('multicurrency_code', 'alpha'); 
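Review bot: The three near-identical create blocks rewritten in `@@ -1041`, `@@ -1256` and `@@ -1309` disagree on check types for the same fields: `projectid` is read with `'int'` in the first two but bare in the third, `mode_reglement_id` is `'int'` only in the second, and `ref`, `ref_client`, `model`, `remise_absolue` and `remise_percent` rely on GETPOST's default check in all three. Using `GETPOST('projectid', 'int')` and `GETPOST('mode_reglement_id', 'int')` everywhere, and `price2num()` on the two `remise_*` amounts as the commit already does for `amount`, removes the divergence. The `$object->ref_int = ...` assignment is dropped in all three blocks without a comment saying why; if `ref_int` is being retired, one line stating that would help whoever searches for the field later.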
@@ -1256,22 +1255,21 @@ if (empty($reshook)) if (!$error) { $object->socid = GETPOST('socid', 'int'); - $object->type = $_POST['type']; - $object->ref = $_POST['ref']; + $object->type = GETPOST('type'); + $object->ref = GETPOST('ref'); $object->date = $dateinvoice; $object->date_pointoftax = $date_pointoftax; - $object->note_public = trim(GETPOST('note_public', 'none')); - $object->note_private = trim(GETPOST('note_private', 'none')); - $object->ref_client = $_POST['ref_client']; - $object->ref_int = $_POST['ref_int']; - $object->model_pdf = $_POST['model']; - $object->fk_project = $_POST['projectid']; - $object->cond_reglement_id = ($_POST['type'] == 3 ? 1 : $_POST['cond_reglement_id']); - $object->mode_reglement_id = $_POST['mode_reglement_id']; + $object->note_public = trim(GETPOST('note_public', 'restricthtml')); + $object->note_private = trim(GETPOST('note_private', 'restricthtml')); + $object->ref_client = GETPOST('ref_client'); + $object->model_pdf = GETPOST('model'); + $object->fk_project = GETPOST('projectid', 'int'); + $object->cond_reglement_id = (GETPOST('type') == 3 ? 1 : GETPOST('cond_reglement_id')); + $object->mode_reglement_id = GETPOST('mode_reglement_id', 'int'); $object->fk_account = GETPOST('fk_account', 'int'); - $object->amount = $_POST['amount']; - $object->remise_absolue = $_POST['remise_absolue']; - $object->remise_percent = $_POST['remise_percent']; + $object->amount = price2num(GETPOST('amount')); + $object->remise_absolue = GETPOST('remise_absolue'); + $object->remise_percent = GETPOST('remise_percent'); $object->fk_incoterms = GETPOST('incoterm_id', 'int'); $object->location_incoterms = GETPOST('location_incoterms', 'alpha'); $object->multicurrency_code = GETPOST('multicurrency_code', 'alpha'); 
@@ -1309,21 +1307,20 @@ if (empty($reshook)) // Si facture standard $object->socid = GETPOST('socid', 'int'); $object->type = GETPOST('type'); - $object->ref = $_POST['ref']; + $object->ref = GETPOST('ref'); $object->date = $dateinvoice; $object->date_pointoftax = $date_pointoftax; - $object->note_public = trim(GETPOST('note_public', 'none')); - $object->note_private = trim(GETPOST('note_private', 'none')); - $object->ref_client = $_POST['ref_client']; - $object->ref_int = $_POST['ref_int']; - $object->model_pdf = $_POST['model']; - $object->fk_project = $_POST['projectid']; - $object->cond_reglement_id = ($_POST['type'] == 3 ? 1 : $_POST['cond_reglement_id']); - $object->mode_reglement_id = $_POST['mode_reglement_id']; + $object->note_public = trim(GETPOST('note_public', 'restricthtml')); + $object->note_private = trim(GETPOST('note_private', 'restricthtml')); + $object->ref_client = GETPOST('ref_client'); + $object->model_pdf = GETPOST('model'); + $object->fk_project = GETPOST('projectid'); + $object->cond_reglement_id = (GETPOST('type') == 3 ? 1 : GETPOST('cond_reglement_id')); + $object->mode_reglement_id = GETPOST('mode_reglement_id'); $object->fk_account = GETPOST('fk_account', 'int'); - $object->amount = $_POST['amount']; - $object->remise_absolue = $_POST['remise_absolue']; - $object->remise_percent = $_POST['remise_percent']; + $object->amount = price2num(GETPOST('amount')); + $object->remise_absolue = GETPOST('remise_absolue'); + $object->remise_percent = GETPOST('remise_percent'); $object->fk_incoterms = GETPOST('incoterm_id', 'int'); $object->location_incoterms = GETPOST('location_incoterms', 'alpha'); $object->multicurrency_code = GETPOST('multicurrency_code', 'alpha'); 
@@ -1667,7 +1664,7 @@ if (empty($reshook)) $originidforcontact=$srcobject->origin_id; } $sqlcontact = "SELECT code, fk_socpeople FROM ".MAIN_DB_PREFIX."element_contact as ec, ".MAIN_DB_PREFIX."c_type_contact as ctc"; - $sqlcontact.= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$originforcontact."'"; + $sqlcontact.= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$db->escape($originforcontact)."'"; $resqlcontact = $db->query($sqlcontact); if ($resqlcontact) @@ -1801,11 +1798,10 @@ if (empty($reshook)) $object->fetch_thirdparty(); $object->date = $datefacture; $object->date_pointoftax = $date_pointoftax; - $object->note_public = trim(GETPOST('note_public', 'none')); - $object->note = trim(GETPOST('note', 'none')); - $object->note_private = trim(GETPOST('note', 'none')); + $object->note_public = trim(GETPOST('note_public', 'restricthtml')); + $object->note = trim(GETPOST('note', 'restricthtml')); + $object->note_private = trim(GETPOST('note', 'restricthtml')); $object->ref_client = GETPOST('ref_client', 'alpha'); - $object->ref_int = GETPOST('ref_int', 'alpha'); $object->model_pdf = GETPOST('model', 'alpha'); $object->fk_project = GETPOST('projectid', 'int'); $object->cond_reglement_id = GETPOST('cond_reglement_id', 'int'); @@ -1883,9 +1879,9 @@ if (empty($reshook)) // Set if we used free entry or predefined product $predef = ''; - $product_desc = (GETPOST('dp_desc', 'none') ?GETPOST('dp_desc', 'none') : ''); - $price_ht = GETPOST('price_ht'); - $price_ht_devise = GETPOST('multicurrency_price_ht'); + $product_desc = (GETPOST('dp_desc', 'none') ?GETPOST('dp_desc', 'restricthtml') : ''); + $price_ht = price2num(GETPOST('price_ht')); + $price_ht_devise = price2num(GETPOST('multicurrency_price_ht')); $prod_entry_mode = GETPOST('prod_entry_mode', 'alpha'); if ($prod_entry_mode == 'free') { 
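Review bot: `" WHERE element_id = ".$originidforcontact." AND ..."` in the `@@ -1667` hunk still concatenates `$originidforcontact` bare, so the escape added for `$originforcontact` on the same line leaves the numeric half of the predicate unprotected. `$originidforcontact` is assigned from `$srcobject->origin_id` two lines above, presumably an integer already; `" WHERE element_id = ".((int) $originidforcontact)." AND ..."` makes that explicit at the SQL boundary.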
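Review bot: `$product_desc = (GETPOST('dp_desc', 'none') ?GETPOST('dp_desc', 'restricthtml') : '');` in the `@@ -1883` hunk tests the raw value but returns the filtered one, which reads as if the two calls were meant to use the same check. `$product_desc = GETPOST('dp_desc', 'restricthtml');` gives the same result in one read (an absent or fully-stripped value yields an empty string either way) and removes the last `'none'` read from this block. The `ref_int` assignment removed in the `@@ -1801` hunk of the same file mirrors the create blocks and is likewise unexplained in the hunk.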
@@ -2204,7 +2200,7 @@ if (empty($reshook)) $date_end = ''; $date_start = dol_mktime(GETPOST('date_starthour'), GETPOST('date_startmin'), GETPOST('date_startsec'), GETPOST('date_startmonth'), GETPOST('date_startday'), GETPOST('date_startyear')); $date_end = dol_mktime(GETPOST('date_endhour'), GETPOST('date_endmin'), GETPOST('date_endsec'), GETPOST('date_endmonth'), GETPOST('date_endday'), GETPOST('date_endyear')); - $description = dol_htmlcleanlastbr(GETPOST('product_desc', 'none') ? GETPOST('product_desc', 'none') : GETPOST('desc', 'none')); + $description = dol_htmlcleanlastbr(GETPOST('product_desc', 'restricthtml') ? GETPOST('product_desc', 'restricthtml') : GETPOST('desc', 'restricthtml')); $pu_ht = GETPOST('price_ht'); $vat_rate = (GETPOST('tva_tx') ? GETPOST('tva_tx') : 0); $qty = GETPOST('qty'); @@ -2335,10 +2331,10 @@ if (empty($reshook)) } } - $result = $object->updateline(GETPOST('lineid'), $description, $pu_ht, $qty, GETPOST('remise_percent'), + $result = $object->updateline(GETPOST('lineid', 'int'), $description, $pu_ht, $qty, price2num(GETPOST('remise_percent', 'alpha')), $date_start, $date_end, $vat_rate, $localtax1_rate, $localtax2_rate, 'HT', $info_bits, $type, - GETPOST('fk_parent_line'), 0, $fournprice, $buyingprice, $label, $special_code, $array_options, GETPOST('progress'), - $_POST['units'], $pu_ht_devise); + GETPOST('fk_parent_line', 'int'), 0, $fournprice, $buyingprice, $label, $special_code, $array_options, price2num(GETPOST('progress', 'alpha')), + GETPOST('units', 'alpha'), $pu_ht_devise); if ($result >= 0) { if (empty($conf->global->MAIN_DISABLE_PDF_AUTOUPDATE)) { @@ -2629,7 +2625,7 @@ if (empty($reshook)) $object->oldcopy = dol_clone($object); // Fill array 'array_options' with data from add form - $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'none')); + $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'restricthtml')); if ($ret < 0) $error++; if (!$error) 
@@ -4420,44 +4416,50 @@ if ($action == 'create') print '
'; print '
'; + print ''."\n"; print '
'; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_datep_start ? $search_datep_start : -1, 'search_date_start', 0, 0, 1); + print $form->selectDate($search_datep_start ? $search_datep_start : -1, 'search_date_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_datep_end ? $search_datep_end : -1, 'search_date_end', 0, 0, 1); + print $form->selectDate($search_datep_end ? $search_datep_end : -1, 'search_date_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')); print '
'; print '
'; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_datev_start ? $search_datev_start : -1, 'search_date_value_start', 0, 0, 1); + print $form->selectDate($search_datev_start ? $search_datev_start : -1, 'search_date_value_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_datev_end ? $search_datev_end : -1, 'search_date_value_end', 0, 0, 1); + print $form->selectDate($search_datev_end ? $search_datev_end : -1, 'search_date_value_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')); print '
'; print '
'; - $form->select_types_paiements($typeid, 'typeid', '', 0, 1, 1, 16); + $form->select_types_paiements($typeid, 'typeid', '', 0, 1, 1, 16, 1, 'maxwidth100'); print ''; - $form->select_comptes($search_bank_account, 'search_account', 0, '', 1); + $form->select_comptes($search_bank_account, 'search_account', 0, '', 1, '', 0, 'maxwidth100'); print ''; - print ''; + print ''; + print ''; print ''; - print ''; + print ''; print ''; - print ''; + print ''; print ''.$proj->getNomUrl(1).''.$proj->getNomUrl(1).'
'.$langs->trans("Customer").''.$object->thirdparty->getNomUrl(1, 'customer').'
'; + $sign = 1; + if (!empty($conf->global->INVOICE_POSITIVE_CREDIT_NOTE_SCREEN) && $object->type == $object::TYPE_CREDIT_NOTE) { + $sign = -1; // We invert sign for output + } + if (!empty($conf->multicurrency->enabled) && ($object->multicurrency_code != $conf->currency)) { // Multicurrency Amount HT print ''; - print ''; + print ''; print ''; // Multicurrency Amount VAT print ''; - print ''; + print ''; print ''; // Multicurrency Amount TTC print ''; - print ''; + print ''; print ''; } // Amount print ''; - print ''; + print ''; // Vat - print ''; + print ''; print ''; // Amount Local Taxes if (($mysoc->localtax1_assuj == "1" && $mysoc->useLocalTax(1)) || $object->total_localtax1 != 0) // Localtax1 { print ''; - print ''; + print ''; } if (($mysoc->localtax2_assuj == "1" && $mysoc->useLocalTax(2)) || $object->total_localtax2 != 0) // Localtax2 { print ''; - print ''; + print ''; } // Revenue stamp @@ -4515,13 +4517,11 @@ if ($action == 'create') } // Total with tax - print ''; + print ''; print '
'.$form->editfieldkey('MulticurrencyAmountHT', 'multicurrency_total_ht', '', $object, 0).''.price($object->multicurrency_total_ht, '', $langs, 0, - 1, - 1, (!empty($object->multicurrency_code) ? $object->multicurrency_code : $conf->currency)).''.price($sign * $object->multicurrency_total_ht, '', $langs, 0, -1, -1, (!empty($object->multicurrency_code) ? $object->multicurrency_code : $conf->currency)).'
'.$form->editfieldkey('MulticurrencyAmountVAT', 'multicurrency_total_tva', '', $object, 0).''.price($object->multicurrency_total_tva, '', $langs, 0, - 1, - 1, (!empty($object->multicurrency_code) ? $object->multicurrency_code : $conf->currency)).''.price($sign * $object->multicurrency_total_tva, '', $langs, 0, -1, -1, (!empty($object->multicurrency_code) ? $object->multicurrency_code : $conf->currency)).'
'.$form->editfieldkey('MulticurrencyAmountTTC', 'multicurrency_total_ttc', '', $object, 0).''.price($object->multicurrency_total_ttc, '', $langs, 0, - 1, - 1, (!empty($object->multicurrency_code) ? $object->multicurrency_code : $conf->currency)).''.price($sign * $object->multicurrency_total_ttc, '', $langs, 0, -1, -1, (!empty($object->multicurrency_code) ? $object->multicurrency_code : $conf->currency)).'
'.$langs->trans('AmountHT').''.price($object->total_ht, 1, '', 1, - 1, - 1, $conf->currency).'
'.price($sign * $object->total_ht, 1, '', 1, - 1, - 1, $conf->currency).'
'.$langs->trans('AmountVAT').''.price($object->total_tva, 1, '', 1, - 1, - 1, $conf->currency).'
'.$langs->trans('AmountVAT').''.price($sign * $object->total_tva, 1, '', 1, - 1, - 1, $conf->currency).'
'.$langs->transcountry("AmountLT1", $mysoc->country_code).''.price($object->total_localtax1, 1, '', 1, - 1, - 1, $conf->currency).'
'.price($sign * $object->total_localtax1, 1, '', 1, - 1, - 1, $conf->currency).'
'.$langs->transcountry("AmountLT2", $mysoc->country_code).''.price($object->total_localtax2, 1, '', 1, - 1, - 1, $conf->currency).'
'.price($sign * $object->total_localtax2, 1, '', 1, - 1, - 1, $conf->currency).'
'.$langs->trans('AmountTTC').''.price($object->total_ttc, 1, '', 1, - 1, - 1, $conf->currency).'
'.$langs->trans('AmountTTC').''.price($sign * $object->total_ttc, 1, '', 1, - 1, - 1, $conf->currency).'
'; - $sign = 1; - if ($object->type == Facture::TYPE_CREDIT_NOTE) $sign = - 1; $nbrows = 8; $nbcols = 3; if (!empty($conf->projet->enabled)) @@ -4664,6 +4664,8 @@ if ($action == 'create') print ''; } + $sign = 1; + if ($object->type == $object::TYPE_CREDIT_NOTE) $sign = -1; // List of payments already done diff --git a/htdocs/compta/facture/class/api_invoices.class.php b/htdocs/compta/facture/class/api_invoices.class.php index 1828493d89f..cc1b7fe57ed 100644 --- a/htdocs/compta/facture/class/api_invoices.class.php +++ b/htdocs/compta/facture/class/api_invoices.class.php @@ -207,7 +207,7 @@ class Invoices extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) @@ -216,19 +216,19 @@ class Invoices extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); - $invoice_static = new Facture($db); + $obj = $this->db->fetch_object($result); + $invoice_static = new Facture($this->db); if ($invoice_static->fetch($obj->rowid)) { // Get payment details @@ -245,7 +245,7 @@ class Invoices extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve invoice list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve invoice list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No invoice found'); 
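Review bot: `$sign` is now computed in two places in this section: the `@@ -4420` hunk sets it to `-1` only when `INVOICE_POSITIVE_CREDIT_NOTE_SCREEN` is set and the invoice is a credit note, while the `@@ -4664` hunk re-assigns `-1` for every credit note before the payments list, after the `@@ -4515` hunk removed the original single definition. If the two scopes are intended to differ (totals honouring the option, payments always inverted) a short comment on each assignment, e.g. `// Sign for totals: inverted only when INVOICE_POSITIVE_CREDIT_NOTE_SCREEN is set`, would stop a later edit from merging them; if not, the second block should reuse the first. The `print` lines are HTML fragments that did not survive this rendering, so I cannot check the markup around the `price()` calls.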
diff --git a/htdocs/compta/facture/class/facture-rec.class.php b/htdocs/compta/facture/class/facture-rec.class.php index c5e93bc41ad..67dd4e304ea 100644 --- a/htdocs/compta/facture/class/facture-rec.class.php +++ b/htdocs/compta/facture/class/facture-rec.class.php @@ -277,8 +277,8 @@ class FactureRec extends CommonInvoice $sql .= ", ".(!empty($this->note_public) ? ("'".$this->db->escape($this->note_public)."'") : "NULL"); $sql .= ", ".(!empty($this->modelpdf) ? ("'".$this->db->escape($this->modelpdf)."'") : "NULL"); $sql .= ", '".$this->db->escape($user->id)."'"; - $sql .= ", ".(!empty($facsrc->fk_project) ? "'".$facsrc->fk_project."'" : "null"); - $sql .= ", ".(!empty($facsrc->fk_account) ? "'".$facsrc->fk_account."'" : "null"); + $sql .= ", ".(!empty($facsrc->fk_project) ? "'".$this->db->escape($facsrc->fk_project)."'" : "null"); + $sql .= ", ".(!empty($facsrc->fk_account) ? "'".$this->db->escape($facsrc->fk_account)."'" : "null"); $sql .= ", ".($facsrc->cond_reglement_id > 0 ? $this->db->escape($facsrc->cond_reglement_id) : "null"); $sql .= ", ".($facsrc->mode_reglement_id > 0 ? $this->db->escape($facsrc->mode_reglement_id) : "null"); $sql .= ", ".$this->usenewprice; @@ -921,7 +921,7 @@ class FactureRec extends CommonInvoice $sql .= ", fk_unit"; $sql .= ', fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc'; $sql .= ") VALUES ("; - $sql .= "'".$facid."'"; + $sql .= " ".((int) $facid); $sql .= ", ".(!empty($label) ? "'".$this->db->escape($label)."'" : "null"); $sql .= ", '".$this->db->escape($desc)."'"; $sql .= ", ".price2num($pu_ht); 
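Review bot: `$this->db->escape($facsrc->fk_project)` and `$this->db->escape($facsrc->fk_account)` in the `@@ -277` hunk quote integer foreign keys, whereas the `@@ -921` hunk of the same file switches `fk_facture` to an unquoted `((int) $facid)`. The integer cast is the tighter filter for FK columns and avoids passing numbers as strings: `$sql .= ", ".(!empty($facsrc->fk_project) ? ((int) $facsrc->fk_project) : "null");`. The same quoted-escape pattern is applied to `$fk_product` in the `@@ -932` and `@@ -1094` hunks of this file.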
@@ -932,7 +932,7 @@ class FactureRec extends CommonInvoice $sql .= ", '".$this->db->escape($localtaxes_type[0])."'"; $sql .= ", ".price2num($txlocaltax2); $sql .= ", '".$this->db->escape($localtaxes_type[2])."'"; - $sql .= ", ".(!empty($fk_product) ? "'".$fk_product."'" : "null"); + $sql .= ", ".(!empty($fk_product) ? "'".$this->db->escape($fk_product)."'" : "null"); $sql .= ", ".$product_type; $sql .= ", ".price2num($remise_percent); $sql .= ", ".price2num($pu_ht); @@ -1083,7 +1083,7 @@ class FactureRec extends CommonInvoice } $sql = "UPDATE ".MAIN_DB_PREFIX."facturedet_rec SET "; - $sql .= "fk_facture = '".$facid."'"; + $sql .= "fk_facture = ".((int) $facid); $sql .= ", label=".(!empty($label) ? "'".$this->db->escape($label)."'" : "null"); $sql .= ", description='".$this->db->escape($desc)."'"; $sql .= ", price=".price2num($pu_ht); @@ -1094,7 +1094,7 @@ class FactureRec extends CommonInvoice $sql .= ", localtax1_type='".$this->db->escape($localtaxes_type[0])."'"; $sql .= ", localtax2_tx=".$txlocaltax2; $sql .= ", localtax2_type='".$this->db->escape($localtaxes_type[2])."'"; - $sql .= ", fk_product=".(!empty($fk_product) ? "'".$fk_product."'" : "null"); + $sql .= ", fk_product=".(!empty($fk_product) ? "'".$this->db->escape($fk_product)."'" : "null"); $sql .= ", product_type=".$product_type; $sql .= ", remise_percent='".price2num($remise_percent)."'"; $sql .= ", subprice='".price2num($pu_ht)."'"; 
@@ -1194,13 +1194,13 @@ class FactureRec extends CommonInvoice $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.'facture_rec'; $sql .= ' WHERE frequency > 0'; // A recurring invoice is an invoice with a frequency - $sql .= " AND (date_when IS NULL OR date_when <= '".$db->idate($today)."')"; + $sql .= " AND (date_when IS NULL OR date_when <= '".$this->db->idate($today)."')"; $sql .= ' AND (nb_gen_done < nb_gen_max OR nb_gen_max = 0)'; $sql .= ' AND suspended = 0'; $sql .= ' AND entity = '.$conf->entity; // MUST STAY = $conf->entity here if ($restrictioninvoiceid > 0) $sql .= ' AND rowid = '.$restrictioninvoiceid; - $sql .= $db->order('entity', 'ASC'); + $sql .= $this->db->order('entity', 'ASC'); //print $sql;exit; $parameters = array( 'restrictioninvoiceid' => $restrictioninvoiceid, @@ -1208,11 +1208,11 @@ class FactureRec extends CommonInvoice ); $reshook = $hookmanager->executeHooks('beforeCreationOfRecurringInvoices', $parameters, $sql); // note that $sql might be modified by hooks - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { $i = 0; - $num = $db->num_rows($resql); + $num = $this->db->num_rows($resql); if ($num) $this->output .= $langs->trans("FoundXQualifiedRecurringInvoiceTemplate", $num)."\n"; @@ -1222,14 +1222,14 @@ class FactureRec extends CommonInvoice while ($i < $num) // Loop on each template invoice. If $num = 0, test is false at first pass. { - $line = $db->fetch_object($resql); + $line = $this->db->fetch_object($resql); - $db->begin(); + $this->db->begin(); $invoiceidgenerated = 0; $facture = null; - $facturerec = new FactureRec($db); + $facturerec = new FactureRec($this->db); $facturerec->fetch($line->rowid); if ($facturerec->id > 0) 
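Review bot: `$sql .= ' AND rowid = '.$restrictioninvoiceid;` in the `@@ -1194` hunk still concatenates the value into the query without a cast or escape, while the neighbouring `date_when` line was just fixed to go through `$this->db`. The `> 0` guard is not sufficient on its own, since PHP's loose comparison treats a leading-numeric string as greater than zero; `if ($restrictioninvoiceid > 0) $sql .= ' AND rowid = '.((int) $restrictioninvoiceid);` would close that gap in the commit's own style. createRecurringInvoices begins before this hunk, so whether the parameter is already cast at the top of the method is not visible here.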
@@ -1239,7 +1239,7 @@ class FactureRec extends CommonInvoice dol_syslog("createRecurringInvoices Process invoice template id=".$facturerec->id.", ref=".$facturerec->ref.", entity=".$facturerec->entity); - $facture = new Facture($db); + $facture = new Facture($this->db); $facture->fac_rec = $facturerec->id; // We will create $facture from this recurring invoice $facture->fk_fac_rec_source = $facturerec->id; // We will create $facture from this recurring invoice @@ -1286,12 +1286,12 @@ class FactureRec extends CommonInvoice if (!$error && $invoiceidgenerated >= 0) { - $db->commit("createRecurringInvoices Process invoice template id=".$facturerec->id.", ref=".$facturerec->ref); + $this->db->commit("createRecurringInvoices Process invoice template id=".$facturerec->id.", ref=".$facturerec->ref); dol_syslog("createRecurringInvoices Process invoice template ".$facturerec->ref." is finished with a success generation"); $nb_create++; $this->output .= $langs->trans("InvoiceGeneratedFromTemplate", $facture->ref, $facturerec->ref)."\n"; } else { - $db->rollback("createRecurringInvoices Process invoice template id=".$facturerec->id.", ref=".$facturerec->ref); + $this->db->rollback("createRecurringInvoices Process invoice template id=".$facturerec->id.", ref=".$facturerec->ref); } $parameters = array( @@ -1308,7 +1308,7 @@ class FactureRec extends CommonInvoice } $conf->entity = $saventity; // Restore entity context - } else dol_print_error($db); + } else dol_print_error($this->db); $this->output = trim($this->output); diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php index 5110b1194e5..4110e5ad26d 100644 --- a/htdocs/compta/facture/class/facture.class.php +++ b/htdocs/compta/facture/class/facture.class.php 
@@ -481,8 +481,8 @@ class Facture extends CommonInvoice // Fields coming from GUI (priority on template). TODO Value of template should be used as default value on GUI so we can use here always value from GUI $this->fk_project = GETPOST('projectid', 'int') > 0 ? ((int) GETPOST('projectid', 'int')) : $_facrec->fk_project; - $this->note_public = GETPOST('note_public', 'none') ? GETPOST('note_public', 'none') : $_facrec->note_public; - $this->note_private = GETPOST('note_private', 'none') ? GETPOST('note_private', 'none') : $_facrec->note_private; + $this->note_public = GETPOST('note_public', 'none') ? GETPOST('note_public', 'restricthtml') : $_facrec->note_public; + $this->note_private = GETPOST('note_private', 'none') ? GETPOST('note_private', 'restricthtml') : $_facrec->note_private; $this->modelpdf = GETPOST('model', 'alpha') ? GETPOST('model', 'alpha') : $_facrec->modelpdf; $this->cond_reglement_id = GETPOST('cond_reglement_id', 'int') > 0 ? ((int) GETPOST('cond_reglement_id', 'int')) : $_facrec->cond_reglement_id; $this->mode_reglement_id = GETPOST('mode_reglement_id', 'int') > 0 ? ((int) GETPOST('mode_reglement_id', 'int')) : $_facrec->mode_reglement_id; @@ -612,7 +612,7 @@ class Facture extends CommonInvoice $sql .= ", ".setEntity($this); $sql .= ", ".($this->ref_ext ? "'".$this->db->escape($this->ref_ext)."'" : "null"); $sql .= ", '".$this->db->escape($this->type)."'"; - $sql .= ", '".$socid."'"; + $sql .= ", ".((int) $socid); $sql .= ", '".$this->db->idate($now)."'"; $sql .= ", ".($this->remise_absolue > 0 ? $this->remise_absolue : 'NULL'); $sql .= ", ".($this->remise_percent > 0 ? $this->remise_percent : 'NULL'); 
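Review bot: In the `@@ -481` hunk the condition still reads `GETPOST('note_public', 'none')` while the assigned value uses `GETPOST('note_public', 'restricthtml')`, so the truthiness test is made on the unfiltered input and the stored value on the filtered one; if the filter strips everything, an empty note is stored instead of falling back to `$_facrec->note_public`. Using the filtered read in both places keeps the two consistent: `$this->note_public = GETPOST('note_public', 'restricthtml') ? GETPOST('note_public', 'restricthtml') : $_facrec->note_public;` and the same for `note_private`. The enclosing method starts outside this hunk.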
@@ -627,7 +627,7 @@ class Facture extends CommonInvoice $sql .= ", ".($this->pos_source != '' ? "'".$this->db->escape($this->pos_source)."'" : "null"); $sql .= ", ".($this->fk_fac_rec_source ? "'".$this->db->escape($this->fk_fac_rec_source)."'" : "null"); $sql .= ", ".($this->fk_facture_source ? "'".$this->db->escape($this->fk_facture_source)."'" : "null"); - $sql .= ", ".($user->id > 0 ? "'".$user->id."'" : "null"); + $sql .= ", ".($user->id > 0 ? (int) $user->id : "null"); $sql .= ", ".($this->fk_project ? $this->fk_project : "null"); $sql .= ", ".$this->cond_reglement_id; $sql .= ", ".$this->mode_reglement_id; @@ -715,7 +715,7 @@ class Facture extends CommonInvoice } $sqlcontact = "SELECT ctc.code, ctc.source, ec.fk_socpeople FROM ".MAIN_DB_PREFIX."element_contact as ec, ".MAIN_DB_PREFIX."c_type_contact as ctc"; - $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$originforcontact."'"; + $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$this->db->escape($originforcontact)."'"; $resqlcontact = $this->db->query($sqlcontact); if ($resqlcontact) @@ -3351,7 +3351,7 @@ class Facture extends CommonInvoice $this->line->localtax2_type = $localtaxes_type[2]; $this->line->remise_percent = $remise_percent; - $this->line->subprice = ($this->type == 2 ?-abs($pu_ht) : $pu_ht); // For credit note, unit price always negative, always positive otherwise + $this->line->subprice = ($this->type == self::TYPE_CREDIT_NOTE ?-abs($pu_ht) : $pu_ht); // For credit note, unit price always negative, always positive otherwise $this->line->date_start = $date_start; $this->line->date_end = $date_end; $this->line->total_ht = (($this->type == self::TYPE_CREDIT_NOTE || $qty < 0) ?-abs($total_ht) : $total_ht); // For credit note and if qty is negative, total is negative 
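Review bot: In the `@@ -715` hunk, `" WHERE element_id = ".$originidforcontact." AND ..."` still interpolates `$originidforcontact` raw, right next to the `ctc.element` value that the commit now escapes; an id column should get the same treatment as `$socid` and `$user->id` elsewhere in this commit, i.e. `" WHERE element_id = ".((int) $originidforcontact)." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$this->db->escape($originforcontact)."'"`. The enclosing method starts and ends outside the hunk, so I cannot see where `$originidforcontact` is assigned.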
@@ -3371,10 +3371,10 @@ class Facture extends CommonInvoice $this->line->pa_ht = $pa_ht; // Multicurrency - $this->line->multicurrency_subprice = $pu_ht_devise; - $this->line->multicurrency_total_ht = $multicurrency_total_ht; - $this->line->multicurrency_total_tva = $multicurrency_total_tva; - $this->line->multicurrency_total_ttc = $multicurrency_total_ttc; + $this->line->multicurrency_subprice = ($this->type == self::TYPE_CREDIT_NOTE ?-abs($pu_ht_devise) : $pu_ht_devise); // For credit note, unit price always negative, always positive otherwise + $this->line->multicurrency_total_ht = (($this->type == self::TYPE_CREDIT_NOTE || $qty < 0) ?-abs($multicurrency_total_ht) : $multicurrency_total_ht); // For credit note and if qty is negative, total is negative + $this->line->multicurrency_total_tva = (($this->type == self::TYPE_CREDIT_NOTE || $qty < 0) ?-abs($multicurrency_total_tva) : $multicurrency_total_tva); + $this->line->multicurrency_total_ttc = (($this->type == self::TYPE_CREDIT_NOTE || $qty < 0) ?-abs($multicurrency_total_ttc) : $multicurrency_total_ttc); if (is_array($array_options) && count($array_options) > 0) { // We replace values in this->line->array_options only for entries defined into $array_options diff --git a/htdocs/compta/facture/contact.php b/htdocs/compta/facture/contact.php index c88fef5015c..459543dfc74 100644 --- a/htdocs/compta/facture/contact.php +++ b/htdocs/compta/facture/contact.php @@ -42,7 +42,7 @@ $id = (GETPOST('id') ?GETPOST('id', 'int') : GETPOST('facid', 'int')); // Fo $ref = GETPOST('ref', 'alpha'); $lineid = GETPOST('lineid', 'int'); $socid = GETPOST('socid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Security check if ($user->socid) $socid = $user->socid; diff --git a/htdocs/compta/facture/document.php b/htdocs/compta/facture/document.php index ed9b032ae90..722286044cc 100644 --- a/htdocs/compta/facture/document.php +++ b/htdocs/compta/facture/document.php 
@@ -45,7 +45,7 @@ $langs->loadLangs(array('propal', 'compta', 'other', 'bills', 'companies')); $id = (GETPOST('id', 'int') ?GETPOST('id', 'int') : GETPOST('facid', 'int')); // For backward compatibility $ref = GETPOST('ref', 'alpha'); $socid = GETPOST('socid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); // Security check diff --git a/htdocs/compta/facture/list.php b/htdocs/compta/facture/list.php index 41e0817310e..c144b388093 100644 --- a/htdocs/compta/facture/list.php +++ b/htdocs/compta/facture/list.php @@ -61,7 +61,7 @@ $id = (GETPOST('id', 'int') ?GETPOST('id', 'int') : GETPOST('facid', 'int')); // $ref = GETPOST('ref', 'alpha'); $socid = GETPOST('socid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $show_files = GETPOST('show_files', 'int'); $confirm = GETPOST('confirm', 'alpha'); 
@@ -478,15 +478,15 @@ if ($filtre) } if ($search_ref) $sql .= natural_search('f.ref', $search_ref); if ($search_refcustomer) $sql .= natural_search('f.ref_client', $search_refcustomer); -if ($search_type != '' && $search_type != '-1') $sql .= " AND f.type IN (".$db->escape($search_type).")"; +if ($search_type != '' && $search_type != '-1') $sql .= " AND f.type IN (".$db->sanitize($db->escape($search_type)).")"; if ($search_project_ref) $sql .= natural_search('p.ref', $search_project_ref); if ($search_project) $sql .= natural_search('p.title', $search_project); if ($search_societe) $sql .= natural_search('s.nom', $search_societe); if ($search_town) $sql .= natural_search('s.town', $search_town); if ($search_zip) $sql .= natural_search("s.zip", $search_zip); if ($search_state) $sql .= natural_search("state.nom", $search_state); -if ($search_country) $sql .= " AND s.fk_pays IN (".$db->escape($search_country).')'; -if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->escape($search_type_thirdparty).')'; +if ($search_country) $sql .= " AND s.fk_pays IN (".$db->sanitize($db->escape($search_country)).')'; +if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->sanitize($db->escape($search_type_thirdparty)).')'; if ($search_company) $sql .= natural_search('s.nom', $search_company); if ($search_montant_ht != '') $sql .= natural_search('f.total', $search_montant_ht, 1); if ($search_montant_vat != '') $sql .= natural_search('f.tva', $search_montant_vat, 1); 
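Review bot: In the `@@ -478` hunk, `$db->sanitize($db->escape($search_type))` is used to build an unquoted `IN (...)` list, where `escape()` contributes nothing (there are no quotes to break out of) and the whole guarantee rests on what `sanitize()` happens to allow; that contract is not visible on this page, so the protection is hard to review at the call site. A self-evidently numeric list avoids the dependency: `$sql .= " AND f.type IN (".implode(',', array_map('intval', explode(',', $search_type))).")";`. The same pattern is used for `fk_pays` and `fk_typent` in this hunk, for `fk_statut` in the `@@ -510` hunk, and in both `@@ -94` and `@@ -102` hunks of htdocs/compta/facture/stats/index.php.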
@@ -510,7 +510,7 @@ if ($search_status != '-1' && $search_status != '') if ($search_status == '2') $sql .= " AND f.fk_statut = 2"; // payed Not that some corrupted data may contains f.fk_statut = 1 AND f.paye = 1 (it means payed too but should not happend. If yes, reopen and reclassify billed) if ($search_status == '3') $sql .= " AND f.fk_statut = 3"; // abandonned } else { - $sql .= " AND f.fk_statut IN (".$db->escape($search_status).")"; // When search_status is '1,2' for example + $sql .= " AND f.fk_statut IN (".$db->sanitize($db->escape($search_status)).")"; // When search_status is '1,2' for example } } @@ -674,10 +674,12 @@ if ($resql) if (in_array($massaction, array('presend', 'predelete'))) $arrayofmassactions = array(); $massactionbutton = $form->selectMassAction('', $arrayofmassactions); - $newcardbutton = ''; - if ($user->rights->facture->creer && $contextpage != 'poslist') + // Show the new button only when this page is not opend from the Extended POS + if ($contextpage != 'poslist') { - $newcardbutton .= dolGetButtonTitle($langs->trans('NewBill'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/compta/facture/card.php?action=create'); + $url = DOL_URL_ROOT.'/compta/facture/card.php?action=create'; + if (!empty($socid)) $url .= '&socid='.$socid; + $newcardbutton = dolGetButtonTitle($langs->trans('NewBill'), '', 'fa fa-plus-circle', $url, '', $user->rights->facture->creer); } $i = 0; @@ -756,6 +758,7 @@ if ($resql) $varpage = empty($contextpage) ? $_SERVER["PHP_SELF"] : $contextpage; $selectedfields = $form->multiSelectArrayWithCheckbox('selectedfields', $arrayfields, $varpage); // This also change content of $arrayfields + // Show the massaction checkboxes only when this page is not opend from the Extended POS if ($massactionbutton && $contextpage != 'poslist') $selectedfields .= $form->showCheckAddButtons('checkforselect', 1); print '
'; @@ -804,12 +807,10 @@ if ($resql) { print ''; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_date_start ? $search_date_start : -1, 'search_date_start', 0, 0, 1); + print $form->selectDate($search_date_start ? $search_date_start : -1, 'search_date_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_date_end ? $search_date_end : -1, 'search_date_end', 0, 0, 1); + print $form->selectDate($search_date_end ? $search_date_end : -1, 'search_date_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')); print '
'; print ''; } @@ -818,12 +819,10 @@ if ($resql) { print ''; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_date_valid_start ? $search_date_valid_start : -1, 'search_date_valid_start', 0, 0, 1); + print $form->selectDate($search_date_valid_start ? $search_date_valid_start : -1, 'search_date_valid_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_date_valid_end ? $search_date_valid_end : -1, 'search_date_valid_end', 0, 0, 1); + print $form->selectDate($search_date_valid_end ? $search_date_valid_end : -1, 'search_date_valid_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')); print '
'; print ''; } @@ -1566,7 +1565,7 @@ if ($resql) if (!$i) $totalarray['nbfield']++; } - // Action column + // Action column (Show the massaction button only when this page is not opend from the Extended POS) print ''; if (($massactionbutton || $massaction) && $contextpage != 'poslist') // If we are in select mode (massactionbutton defined) or if we have already selected and sent an action ($massaction) defined { @@ -1597,6 +1596,7 @@ if ($resql) print "\n"; + // Show the file area only when this page is not opend from the Extended POS if ($contextpage != 'poslist') { $hidegeneratedfilelistifempty = 1; if ($massaction == 'builddoc' || $action == 'remove_file' || $show_files) $hidegeneratedfilelistifempty = 0; diff --git a/htdocs/compta/facture/note.php b/htdocs/compta/facture/note.php index 954c48ec0c9..249d2dd9b8c 100644 --- a/htdocs/compta/facture/note.php +++ b/htdocs/compta/facture/note.php @@ -39,7 +39,7 @@ $langs->loadLangs(array('companies', 'bills')); $id = (GETPOST('id', 'int') ?GETPOST('id', 'int') : GETPOST('facid', 'int')); // For backward compatibility $ref = GETPOST('ref', 'alpha'); $socid = GETPOST('socid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Security check $socid = 0; diff --git a/htdocs/compta/facture/prelevement.php b/htdocs/compta/facture/prelevement.php index 88a0b922e55..721c0b857ab 100644 --- a/htdocs/compta/facture/prelevement.php +++ b/htdocs/compta/facture/prelevement.php @@ -44,7 +44,7 @@ $langs->loadLangs(array('bills', 'banks', 'withdrawals', 'companies')); $id = (GETPOST('id', 'int') ?GETPOST('id', 'int') : GETPOST('facid', 'int')); // For backward compatibility $ref = GETPOST('ref', 'alpha'); $socid = GETPOST('socid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $type = GETPOST('type', 'aZ09'); $fieldid = (!empty($ref) ? 'ref' : 'rowid'); 
diff --git a/htdocs/compta/facture/stats/index.php b/htdocs/compta/facture/stats/index.php index 82ba8a33467..81466651856 100644 --- a/htdocs/compta/facture/stats/index.php +++ b/htdocs/compta/facture/stats/index.php @@ -94,7 +94,7 @@ dol_mkdir($dir); $stats = new FactureStats($db, $socid, $mode, ($userid > 0 ? $userid : 0), ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0)); if ($mode == 'customer') { - if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$db->escape($object_status).')'; + if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; if (is_array($custcats) && !empty($custcats)) { $stats->from .= ' LEFT JOIN '.MAIN_DB_PREFIX.'categorie_societe as cat ON (f.fk_soc = cat.fk_soc)'; $stats->where .= ' AND cat.fk_categorie IN ('.implode(',', $custcats).')'; @@ -102,7 +102,7 @@ if ($mode == 'customer') } if ($mode == 'supplier') { - if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$db->escape($object_status).')'; + if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; } // Build graphic number of object diff --git a/htdocs/compta/index.php b/htdocs/compta/index.php index eb11950304f..8c144f6bd71 100644 --- a/htdocs/compta/index.php +++ b/htdocs/compta/index.php @@ -49,7 +49,7 @@ $langs->loadLangs(array('compta', 'bills')); if (!empty($conf->commande->enabled)) $langs->load("orders"); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $bid = GETPOST('bid', 'int'); // Security check @@ -60,7 +60,7 @@ if ($user->socid > 0) $socid = $user->socid; } -$max = 3; +$max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT; // Initialize technical object to manage hooks. Note that conf->hooks_modules contains array $hookmanager->initHooks(array('invoiceindex')); 
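Review bot: In the `@@ -60` hunk of htdocs/compta/index.php, `$max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT;` has no fallback; if that constant is not defined, `$max` is null and the `if ($i >= $max)` tests added later in the file are true on the first iteration, so every row is folded into the "More" line. Other lines in this file already test `$conf->global->...` with `empty()`, which suggests the key may be absent. Keeping the previous value as default is a one-line fix: `$max = !empty($conf->global->MAIN_SIZE_SHORTLIST_LIMIT) ? (int) $conf->global->MAIN_SIZE_SHORTLIST_LIMIT : 3;`.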
@@ -370,6 +370,7 @@ if (!empty($conf->facture->enabled) && $user->rights->facture->lire) { $num = $db->num_rows($resql); $i = 0; + $othernb = 0; print '
'; print ''; @@ -386,6 +387,14 @@ if (!empty($conf->facture->enabled) && $user->rights->facture->lire) { $obj = $db->fetch_object($resql); + if ($i >= $max) { + $othernb += 1; + $i++; + $total += $obj->total_ht; + $total_ttc += $obj->total_ttc; + continue; + } + $facturestatic->ref = $obj->ref; $facturestatic->id = $obj->rowid; $facturestatic->total_ht = $obj->total_ht; @@ -442,6 +451,14 @@ if (!empty($conf->facture->enabled) && $user->rights->facture->lire) $i++; } + + if ($othernb) { + print ''; + print ''; + print "\n"; + } } else { $colspan = 5; if (!empty($conf->global->MAIN_SHOW_HT_ON_SUMMARY)) $colspan++; @@ -501,10 +518,20 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU { $i = 0; $total = $total_ttc = $totalam = 0; + $othernb = 0; + while ($i < $num) { $obj = $db->fetch_object($resql); + if ($i >= $max) { + $othernb += 1; + $i++; + $total += $obj->total_ht; + $total_ttc += $obj->total_ttc; + continue; + } + $facstatic->ref = $obj->ref; $facstatic->id = $obj->rowid; $facstatic->total_ht = $obj->total_ht; @@ -539,6 +566,14 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU $totalam += $obj->am; $i++; } + + if ($othernb) { + print ''; + print ''; + print "\n"; + } } else { $colspan = 5; if (!empty($conf->global->MAIN_SHOW_HT_ON_SUMMARY)) $colspan++; @@ -574,10 +609,10 @@ if (!empty($conf->don->enabled) && $user->rights->don->lire) $result = $db->query($sql); if ($result) { - $var = false; $num = $db->num_rows($result); $i = 0; + $othernb = 0; print '
'; print '
'; + print ''.$langs->trans("More").'... ('.$othernb.')'; + print '
'; + print ''.$langs->trans("More").'... ('.$othernb.')'; + print '
'; @@ -596,6 +631,14 @@ if (!empty($conf->don->enabled) && $user->rights->don->lire) { $objp = $db->fetch_object($result); + if ($i >= $max) { + $othernb += 1; + $i++; + $total += $obj->total_ht; + $total_ttc += $obj->total_ttc; + continue; + } + $donationstatic->id = $objp->rowid; $donationstatic->ref = $objp->rowid; $donationstatic->lastname = $objp->lastname; @@ -614,6 +657,14 @@ if (!empty($conf->don->enabled) && $user->rights->don->lire) $i++; } + + if ($othernb) { + print ''; + print ''; + print "\n"; + } } else { print ''; } @@ -663,10 +714,20 @@ if (!empty($conf->tax->enabled) && $user->rights->tax->charges->lire) { $i = 0; $tot_ttc = 0; + $othernb = 0; + while ($i < $num) { $obj = $db->fetch_object($resql); + if ($i >= $max) { + $othernb += 1; + $i++; + $total += $obj->total_ht; + $total_ttc += $obj->total_ttc; + continue; + } + $chargestatic->id = $obj->rowid; $chargestatic->ref = $obj->rowid; $chargestatic->label = $obj->label; @@ -684,6 +745,14 @@ if (!empty($conf->tax->enabled) && $user->rights->tax->charges->lire) $i++; } + if ($othernb) { + print ''; + print ''; + print "\n"; + } + print ''; print ''; print ''; @@ -740,6 +809,7 @@ if (!empty($conf->facture->enabled) && !empty($conf->commande->enabled) && $user if ($num) { $i = 0; + $othernb = 0; print '
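Review bot: In the `@@ -596` hunk (donations) the new overflow block reads `$obj->total_ht` and `$obj->total_ttc`, but the row fetched one line above is `$objp = $db->fetch_object($result);`, so `$obj` is either undefined or a stale object from an earlier section of the page. The block should at least refer to `$objp`, and it is worth confirming that the donation query even returns `total_ht`/`total_ttc` columns, which this hunk does not show. The `@@ -663` hunk (charges) has a related inconsistency: its loop initialises `$tot_ttc = 0;` but the added block accumulates into `$total` and `$total_ttc`, so the overflow rows may not be counted in the total that the section prints.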
'; print '
'; + print ''.$langs->trans("More").'... ('.$othernb.')'; + print '
'.$langs->trans("None").'
'; + print ''.$langs->trans("More").'... ('.$othernb.')'; + print '
'.$langs->trans("Total").''.price($tot_ttc).'
'; @@ -764,6 +834,14 @@ if (!empty($conf->facture->enabled) && !empty($conf->commande->enabled) && $user { $obj = $db->fetch_object($resql); + if ($i >= $max) { + $othernb += 1; + $i++; + $total += $obj->total_ht; + $total_ttc += $obj->total_ttc; + continue; + } + $societestatic->id = $obj->socid; $societestatic->name = $obj->name; $societestatic->email = $obj->email; @@ -812,6 +890,14 @@ if (!empty($conf->facture->enabled) && !empty($conf->commande->enabled) && $user $i++; } + if ($othernb) { + print ''; + print ''; + print "\n"; + } + print ''; if (!empty($conf->global->MAIN_SHOW_HT_ON_SUMMARY)) print ''; print ''; @@ -861,6 +947,7 @@ if (!empty($conf->facture->enabled) && $user->rights->facture->lire) { $num = $db->num_rows($resql); $i = 0; + $othernb = 0; print '
'; print '
'; + print ''.$langs->trans("More").'... ('.$othernb.')'; + print '
'.$langs->trans("Total").'   ('.$langs->trans("RemainderToBill").': '.price($tot_tobill).') '.price($tot_ht).''.price($tot_ttc).'
'; @@ -887,6 +974,14 @@ if (!empty($conf->facture->enabled) && $user->rights->facture->lire) { $obj = $db->fetch_object($resql); + if ($i >= $max) { + $othernb += 1; + $i++; + $total += $obj->total_ht; + $total_ttc += $obj->total_ttc; + continue; + } + $facturestatic->ref = $obj->ref; $facturestatic->id = $obj->rowid; $facturestatic->total_ht = $obj->total_ht; @@ -934,7 +1029,7 @@ if (!empty($conf->facture->enabled) && $user->rights->facture->lire) if (!empty($conf->global->MAIN_SHOW_HT_ON_SUMMARY)) print ''; print ''; print ''; - print ''; + print ''; print ''; $total_ttc += $obj->total_ttc; @@ -944,6 +1039,14 @@ if (!empty($conf->facture->enabled) && $user->rights->facture->lire) $i++; } + if ($othernb) { + print ''; + print ''; + print "\n"; + } + print ''; print ''; if (!empty($conf->global->MAIN_SHOW_HT_ON_SUMMARY)) print ''; @@ -970,7 +1073,7 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU { $facstatic = new FactureFournisseur($db); - $sql = "SELECT ff.rowid, ff.ref, ff.fk_statut, ff.libelle as label, ff.total_ht, ff.total_tva, ff.total_ttc, ff.paye"; + $sql = "SELECT ff.rowid, ff.ref, ff.fk_statut, ff.type, ff.libelle as label, ff.total_ht, ff.total_tva, ff.total_ttc, ff.paye"; $sql .= ", ff.date_lim_reglement"; $sql .= ", s.nom as name"; $sql .= ", s.rowid as socid, s.email"; 
@@ -991,7 +1094,7 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU $reshook = $hookmanager->executeHooks('printFieldListWhereSupplierUnpaid', $parameters); $sql .= $hookmanager->resPrint; - $sql .= " GROUP BY ff.rowid, ff.ref, ff.fk_statut, ff.libelle, ff.total_ht, ff.tva, ff.total_tva, ff.total_ttc, ff.paye, ff.date_lim_reglement,"; + $sql .= " GROUP BY ff.rowid, ff.ref, ff.fk_statut, ff.type, ff.libelle, ff.total_ht, ff.tva, ff.total_tva, ff.total_ttc, ff.paye, ff.date_lim_reglement,"; $sql .= " s.nom, s.rowid, s.email, s.code_client, s.code_fournisseur, s.code_compta, s.code_compta_fournisseur"; $sql .= " ORDER BY ff.date_lim_reglement ASC"; @@ -999,6 +1102,7 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU if ($resql) { $num = $db->num_rows($resql); + $othernb = 0; print '
'; print '
'.price($obj->total_ht).''.price($obj->total_ttc).''.price($obj->am).''.$facstatic->LibStatut($obj->paye, $obj->fk_statut, 3, $obj->am).''.$facstatic->LibStatut($obj->paye, $obj->fk_statut, 3, $obj->am, $obj->type).'
'; + print ''.$langs->trans("More").'... ('.$othernb.')'; + print '
'.$langs->trans("Total").'   ('.$langs->trans("RemainderToTake").': '.price($total_ttc - $totalam).')  '.price($total).'
'; @@ -1028,8 +1132,17 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU { $obj = $db->fetch_object($resql); + if ($i >= $max) { + $othernb += 1; + $i++; + $total += $obj->total_ht; + $total_ttc += $obj->total_ttc; + continue; + } + $facstatic->ref = $obj->ref; $facstatic->id = $obj->rowid; + $facstatic->type = $obj->type; $facstatic->total_ht = $obj->total_ht; $facstatic->total_tva = $obj->total_tva; $facstatic->total_ttc = $obj->total_ttc; @@ -1052,7 +1165,7 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU if (!empty($conf->global->MAIN_SHOW_HT_ON_SUMMARY)) print ''; print ''; print ''; - print ''; + print ''; print ''; $total += $obj->total_ht; $total_ttc += $obj->total_ttc; @@ -1060,6 +1173,14 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU $i++; } + if ($othernb) { + print ''; + print ''; + print "\n"; + } + print ''; print ''; if (!empty($conf->global->MAIN_SHOW_HT_ON_SUMMARY)) print ''; diff --git a/htdocs/compta/journal/purchasesjournal.php b/htdocs/compta/journal/purchasesjournal.php index 78ef32072d6..d754760dd57 100644 --- a/htdocs/compta/journal/purchasesjournal.php +++ b/htdocs/compta/journal/purchasesjournal.php 
@@ -106,7 +106,7 @@ $sql .= " s.rowid as socid, s.nom as name, s.code_compta_fournisseur,"; $sql .= " p.rowid as pid, p.ref as ref, p.accountancy_code_buy,"; $sql .= " ct.accountancy_code_buy as account_tva, ct.recuperableonly"; $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn_det as fd"; -$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_tva as ct ON fd.tva_tx = ct.taux AND fd.info_bits = ct.recuperableonly AND ct.fk_pays = '".$idpays."'"; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_tva as ct ON fd.tva_tx = ct.taux AND fd.info_bits = ct.recuperableonly AND ct.fk_pays = ".((int) $idpays); $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = fd.fk_product"; $sql .= " JOIN ".MAIN_DB_PREFIX."facture_fourn as f ON f.rowid = fd.fk_facture_fourn"; $sql .= " JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc"; diff --git a/htdocs/compta/journal/sellsjournal.php b/htdocs/compta/journal/sellsjournal.php index bd44f6c47cc..62e8c77a133 100644 --- a/htdocs/compta/journal/sellsjournal.php +++ b/htdocs/compta/journal/sellsjournal.php @@ -109,7 +109,7 @@ $sql .= " FROM ".MAIN_DB_PREFIX."facturedet as fd"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = fd.fk_product"; $sql .= " JOIN ".MAIN_DB_PREFIX."facture as f ON f.rowid = fd.fk_facture"; $sql .= " JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc"; -$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_tva ct ON fd.tva_tx = ct.taux AND fd.info_bits = ct.recuperableonly AND ct.fk_pays = '".$idpays."'"; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_tva ct ON fd.tva_tx = ct.taux AND fd.info_bits = ct.recuperableonly AND ct.fk_pays = ".((int) $idpays); $sql .= " WHERE f.entity IN (".getEntity('invoice').")"; $sql .= " AND f.fk_statut > 0"; if (!empty($conf->global->FACTURE_DEPOSITS_ARE_JUST_PAYMENTS)) { diff --git a/htdocs/compta/localtax/list.php b/htdocs/compta/localtax/list.php index a8b37c3ef93..2702a962281 100644 --- a/htdocs/compta/localtax/list.php +++ b/htdocs/compta/localtax/list.php 
@@ -31,7 +31,7 @@ $langs->load("compta"); $socid = GETPOST('socid', 'int'); if ($user->socid) $socid = $user->socid; $result = restrictedArea($user, 'tax', '', '', 'charges'); -$ltt = GETPOST("localTaxType"); +$ltt = GETPOST("localTaxType", 'int'); /* @@ -42,17 +42,15 @@ llxHeader(); $localtax_static = new Localtax($db); -$newcardbutton = ''; -if ($user->rights->tax->charges->creer) -{ - $newcardbutton .= dolGetButtonTitle($langs->trans('NewLocalTaxPayment', ($ltt + 1)), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/compta/localtax/card.php?action=create&localTaxType='.$ltt); -} +$url = DOL_URL_ROOT.'/compta/localtax/card.php?action=create&localTaxType='.$ltt; +if (!empty($socid)) $url .= '&socid='.$socid; +$newcardbutton = dolGetButtonTitle($langs->trans('NewLocalTaxPayment', ($ltt + 1)), '', 'fa fa-plus-circle', $url, '', $user->rights->tax->charges->creer); print load_fiche_titre($langs->transcountry($ltt == 2 ? "LT2Payments" : "LT1Payments", $mysoc->country_code), $newcardbutton, 'title_accountancy'); $sql = "SELECT rowid, amount, label, f.datev, f.datep"; $sql .= " FROM ".MAIN_DB_PREFIX."localtax as f "; -$sql .= " WHERE f.entity = ".$conf->entity." AND localtaxtype=".$db->escape($ltt); +$sql .= " WHERE f.entity = ".$conf->entity." AND localtaxtype = ".$db->escape($ltt); $sql .= " ORDER BY datev DESC"; $result = $db->query($sql); diff --git a/htdocs/compta/paiement.php b/htdocs/compta/paiement.php index 865ef40a258..9d86cff65dd 100644 --- a/htdocs/compta/paiement.php +++ b/htdocs/compta/paiement.php @@ -47,7 +47,7 @@ $accountid = GETPOST('accountid', 'int'); $paymentnum = GETPOST('num_paiement', 'alpha'); $socid = GETPOST('socid', 'int'); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $sortorder = GETPOST('sortorder', 'alpha'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); 
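Review bot: In the `@@ -42` hunk of htdocs/compta/localtax/list.php, `localtaxtype = ".$db->escape($ltt)` interpolates an unquoted value, so `escape()` adds no protection; now that `$ltt` is read with the `'int'` filter in the `@@ -31` hunk, the consistent form is the cast the commit uses elsewhere, `$sql .= " WHERE f.entity = ".$conf->entity." AND localtaxtype = ".((int) $ltt);`. The same cast applies where `$ltt` and `$socid` are appended to `$url`.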
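Review bot: In the `@@ -47` hunk of htdocs/compta/paiement.php only `$sortfield` is tightened to `'aZ09comma'` while `$sortorder` stays on `'alpha'`, whereas the `@@ -46` hunk of htdocs/compta/paiement/cheque/card.php in this same commit changes both. For consistency across the two pages the line should read `$sortorder = GETPOST('sortorder', 'aZ09comma');`.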
@@ -524,7 +524,7 @@ if ($action == 'create' || $action == 'confirm_paiement' || $action == 'add_paie // Comments print ''; print ''; + print ''; print '
'.price($obj->total_ht).''.price($obj->total_ttc).''.price($obj->am).''.$facstatic->LibStatut($obj->paye, $obj->fk_statut, 3).''.$facstatic->LibStatut($obj->paye, $obj->fk_statut, 3, $obj->am, $obj->type).'
'; + print ''.$langs->trans("More").'... ('.$othernb.')'; + print '
'.$langs->trans("Total").'   ('.$langs->trans("RemainderToPay").': '.price($total_ttc - $totalam).')  '.price($total).'
'.$langs->trans('Comments').''; - print '
'; diff --git a/htdocs/compta/paiement/card.php b/htdocs/compta/paiement/card.php index 4acfd34a53a..85f56d298df 100644 --- a/htdocs/compta/paiement/card.php +++ b/htdocs/compta/paiement/card.php @@ -39,7 +39,7 @@ $langs->loadLangs(array('bills', 'banks', 'companies')); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $backtopage = GETPOST('backtopage', 'alpha'); @@ -60,7 +60,7 @@ if ($action == 'setnote' && $user->rights->facture->paiement) $db->begin(); $object->fetch($id); - $result = $object->update_note(GETPOST('note', 'none')); + $result = $object->update_note(GETPOST('note', 'restricthtml')); if ($result > 0) { $db->commit(); diff --git a/htdocs/compta/paiement/cheque/card.php b/htdocs/compta/paiement/cheque/card.php index aaf216a7558..2f9182f1693 100644 --- a/htdocs/compta/paiement/cheque/card.php +++ b/htdocs/compta/paiement/cheque/card.php @@ -38,7 +38,7 @@ $langs->loadLangs(array('banks', 'categories', 'bills', 'companies', 'compta')); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); // Security check @@ -46,8 +46,8 @@ $fieldname = (!empty($ref) ? 'ref' : 'rowid'); if ($user->socid) $socid = $user->socid; $result = restrictedArea($user, 'cheque', $id, 'bordereau_cheque', '', 'fk_user_author', $fieldname); -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (!$sortorder) $sortorder = "ASC"; if (!$sortfield) $sortfield = "b.dateo,b.rowid"; 
@@ -57,7 +57,7 @@ $offset = $limit * $page;
$dir = $conf->bank->dir_output.'/checkdeposits/';
$filterdate = dol_mktime(0, 0, 0, GETPOST('fdmonth'), GETPOST('fdday'), GETPOST('fdyear'));
-$filteraccountid = GETPOST('accountid');
+$filteraccountid = GETPOST('accountid', 'int');
$object = new RemiseCheque($db);
@@ -152,10 +152,10 @@ if ($action == 'create' && $_POST["accountid"] > 0 && $user->rights->banque->che
}
}
-if ($action == 'remove' && $id > 0 && $_GET["lineid"] > 0 && $user->rights->banque->cheque)
+if ($action == 'remove' && $id > 0 && GETPOST("lineid", 'int') > 0 && $user->rights->banque->cheque)
{
$object->id = $id;
- $result = $object->removeCheck($_GET["lineid"]);
+ $result = $object->removeCheck(GETPOST("lineid", "int"));
if ($result === 0)
{
header("Location: ".$_SERVER["PHP_SELF"]."?id=".$object->id);
@@ -206,7 +206,7 @@ if ($action == 'confirm_valide' && $confirm == 'yes' && $user->rights->banque->c
if ($action == 'confirm_reject_check' && $confirm == 'yes' && $user->rights->banque->cheque)
{
$reject_date = dol_mktime(0, 0, 0, GETPOST('rejectdate_month'), GETPOST('rejectdate_day'), GETPOST('rejectdate_year'));
- $rejected_check = GETPOST('bankid');
+ $rejected_check = GETPOST('bankid', 'int');
$object->fetch($id);
$paiement_id = $object->rejectCheck($rejected_check, $reject_date);
@@ -394,7 +394,7 @@ if ($action == 'new')
$sql .= " AND b.fk_bordereau = 0";
$sql .= " AND b.amount > 0";
if ($filterdate) $sql .= " AND b.dateo = '".$db->idate($filterdate)."'";
- if ($filteraccountid > 0) $sql .= " AND ba.rowid= '".$filteraccountid."'";
+ if ($filteraccountid > 0) $sql .= " AND ba.rowid = ".((int) $filteraccountid);
$sql .= $db->order("b.dateo,b.rowid", "ASC");
$resql = $db->query($sql);
diff --git a/htdocs/compta/paiement/cheque/class/remisecheque.class.php b/htdocs/compta/paiement/cheque/class/remisecheque.class.php
index 48c58dc7219..00815c90f7d 100644
--- a/htdocs/compta/paiement/cheque/class/remisecheque.class.php
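Review bot: `$filteraccountid` now gets the 'int' filter, but the three date parts on the line just above it are still read with no filter at all — `GETPOST('fdmonth'), GETPOST('fdday'), GETPOST('fdyear')` — and the same holds for `rejectdate_month/day/year` in the @@ -206 hunk of this file. dol_mktime() only needs integers, so `GETPOST('fdmonth', 'int')` and friends make the intent explicit and keep this file consistent with the other parameter-typing changes in the commit. The `create` branch shown in the @@ -152 header context still reads `$_POST["accountid"]` directly rather than through GETPOST, which the @@ -57 change suggests was the goal.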
+++ b/htdocs/compta/paiement/cheque/class/remisecheque.class.php
@@ -211,7 +211,7 @@ class RemiseCheque extends CommonObject
$sql .= " WHERE b.fk_type = 'CHQ'";
$sql .= " AND b.amount > 0";
$sql .= " AND b.fk_bordereau = 0";
- $sql .= " AND b.fk_account='".$account_id."'";
+ $sql .= " AND b.fk_account = ".((int) $account_id);
if ($limit) $sql .= $this->db->plimit($limit);
dol_syslog("RemiseCheque::Create", LOG_DEBUG);
@@ -358,7 +358,7 @@ class RemiseCheque extends CommonObject
if ($this->errno == 0 && $numref)
{
$sql = "UPDATE ".MAIN_DB_PREFIX."bordereau_cheque";
- $sql .= " SET statut = 1, ref = '".$numref."'";
+ $sql .= " SET statut = 1, ref = '".$this->db->escape($numref)."'";
$sql .= " WHERE rowid = ".$this->id;
$sql .= " AND entity = ".$conf->entity;
$sql .= " AND statut = 0";
@@ -662,6 +662,7 @@ class RemiseCheque extends CommonObject
global $conf;
$this->errno = 0;
+ $this->db->begin();
$total = 0;
$nb = 0;
@@ -681,8 +682,8 @@ class RemiseCheque extends CommonObject
$this->db->free($resql);
$sql = "UPDATE ".MAIN_DB_PREFIX."bordereau_cheque";
- $sql .= " SET amount = '".price2num($total)."'";
- $sql .= ", nbcheque = ".$nb;
+ $sql .= " SET amount = ".price2num($total);
+ $sql .= ", nbcheque = ".((int) $nb);
$sql .= " WHERE rowid = ".$this->id;
$sql .= " AND entity = ".$conf->entity;
@@ -722,8 +723,8 @@ class RemiseCheque extends CommonObject
{
$sql = "UPDATE ".MAIN_DB_PREFIX."bank";
$sql .= " SET fk_bordereau = 0";
- $sql .= " WHERE rowid = '".$account_id."'";
- $sql .= " AND fk_bordereau = ".$this->id;
+ $sql .= " WHERE rowid = ".((int) $account_id);
+ $sql .= " AND fk_bordereau = ".((int) $this->id);
$resql = $this->db->query($sql);
if ($resql)
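Review bot: `$this->db->begin();` is added at the top of the method in the @@ -662 hunk, but no matching `commit()` or `rollback()` is visible in that hunk or in @@ -681, and the method body continues outside both; please confirm that every exit path, including the error path after a failed UPDATE, closes the transaction, otherwise the update at @@ -681 is left pending on the connection. A short comment on the new line would help the next reader, e.g. `$this->db->begin(); // closed by commit()/rollback() at the end of this method`. Separately, @@ -358 still appends `" WHERE rowid = ".$this->id` uncast while @@ -722 casts the same property with `((int) $this->id)`; `" WHERE rowid = ".((int) $this->id)` would make the two consistent.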
@@ -774,18 +775,18 @@ class RemiseCheque extends CommonObject $sql .= ' FROM '.MAIN_DB_PREFIX.'paiement_facture as pf'; $sql .= ' WHERE pf.fk_paiement = '.$payment->id; - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - $rejectedPayment = new Paiement($db); + $rejectedPayment = new Paiement($this->db); $rejectedPayment->amounts = array(); $rejectedPayment->datepaye = $rejection_date; $rejectedPayment->paiementid = dol_getIdFromCode($this->db, 'CHQ', 'c_paiement', 'code', 'id', 1); $rejectedPayment->num_payment = $payment->num_payment; - while ($obj = $db->fetch_object($resql)) + while ($obj = $this->db->fetch_object($resql)) { - $invoice = new Facture($db); + $invoice = new Facture($this->db); $invoice->fetch($obj->fk_facture); $invoice->set_unpaid($user); diff --git a/htdocs/compta/paiement/cheque/list.php b/htdocs/compta/paiement/cheque/list.php index e76936c71fd..3bb45c4e312 100644 --- a/htdocs/compta/paiement/cheque/list.php +++ b/htdocs/compta/paiement/cheque/list.php @@ -124,11 +124,9 @@ if ($resql) if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param .= '&contextpage='.$contextpage; if ($limit > 0 && $limit != $conf->liste_limit) $param .= '&limit='.$limit; - $newcardbutton = ''; - if ($user->rights->banque->cheque) - { - $newcardbutton .= dolGetButtonTitle($langs->trans('NewCheckDeposit'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/compta/paiement/cheque/card.php?action=new'); - } + $url = DOL_URL_ROOT.'/compta/paiement/cheque/card.php?action=new'; + if (!empty($socid)) $url .= '&socid='.$socid; + $newcardbutton = dolGetButtonTitle($langs->trans('NewCheckDeposit'), '', 'fa fa-plus-circle', $url, '', $user->rights->banque->cheque); print '
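Review bot: `' WHERE pf.fk_paiement = '.$payment->id` in the context immediately above the changed lines is still an unquoted, uncast interpolation inside the method this hunk edits, whereas the rest of the commit converts such ids to `((int) ...)`; `' WHERE pf.fk_paiement = '.((int) $payment->id)` would keep the file consistent. The replacement of `$db` by `$this->db` looks right, as nothing in the hunk declares a global `$db` for this method. The enclosing method starts and ends outside the hunk.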
'; if ($optioncss != '') print ''; diff --git a/htdocs/compta/paiement/class/paiement.class.php b/htdocs/compta/paiement/class/paiement.class.php index f2dc613175f..5cb16bdcbe3 100644 --- a/htdocs/compta/paiement/class/paiement.class.php +++ b/htdocs/compta/paiement/class/paiement.class.php @@ -800,7 +800,7 @@ class Paiement extends CommonObject $sql = "UPDATE ".MAIN_DB_PREFIX.'bank'; $sql .= " SET dateo = '".$this->db->idate($date)."', datev = '".$this->db->idate($date)."'"; - $sql .= " WHERE rowid IN (SELECT fk_bank FROM ".MAIN_DB_PREFIX."bank_url WHERE type = '".$type."' AND url_id = ".$this->id.")"; + $sql .= " WHERE rowid IN (SELECT fk_bank FROM ".MAIN_DB_PREFIX."bank_url WHERE type = '".$this->db->escape($type)."' AND url_id = ".$this->id.")"; $sql .= " AND rappro = 0"; $result = $this->db->query($sql); diff --git a/htdocs/compta/paiement/info.php b/htdocs/compta/paiement/info.php index 00c3440b868..68d987b06ff 100644 --- a/htdocs/compta/paiement/info.php +++ b/htdocs/compta/paiement/info.php @@ -33,7 +33,7 @@ $langs->loadLangs(array('bills', 'companies')); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); /* diff --git a/htdocs/compta/paiement/tovalidate.php b/htdocs/compta/paiement/tovalidate.php index 349c483a5db..00e9a0c4074 100644 --- a/htdocs/compta/paiement/tovalidate.php +++ b/htdocs/compta/paiement/tovalidate.php @@ -40,8 +40,8 @@ if ($user->socid > 0) $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; 
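Review bot: `if (!empty($socid)) $url .= '&socid='.$socid;` in compta/paiement/cheque/list.php appends `$socid` to the new-card URL, and where `$socid` is read is outside the hunk; unless it is already obtained with the 'int' filter, write `'&socid='.((int) $socid)` so the generated link cannot carry arbitrary characters. The identical line is added in compta/tva/list.php at @@ -146. In compta/localtax/list.php the corresponding `$socid` is visibly an 'int' GETPOST, so that copy is fine as written.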
diff --git a/htdocs/compta/paiement_charge.php b/htdocs/compta/paiement_charge.php
index 298866a2020..5f442ab0b18 100644
--- a/htdocs/compta/paiement_charge.php
+++ b/htdocs/compta/paiement_charge.php
@@ -31,7 +31,7 @@ require_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php';
$langs->load("bills");
$chid = GETPOST("id", 'int');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
$amounts = array();
// Security check
@@ -112,8 +112,8 @@ if ($action == 'add_payment' || ($action == 'confirm_paiement' && $confirm == 'y
$paiement->amounts = $amounts; // Tableau de montant
$paiement->paiementtype = GETPOST("paiementtype", 'alphanohtml');
$paiement->num_payment = GETPOST("num_payment", 'alphanohtml');
- $paiement->note = GETPOST("note", 'none');
- $paiement->note_private = GETPOST("note", 'none');
+ $paiement->note = GETPOST("note", 'restricthtml');
+ $paiement->note_private = GETPOST("note", 'restricthtml');
if (!$error)
{
diff --git a/htdocs/compta/prelevement/bons.php b/htdocs/compta/prelevement/bons.php
index 608c9fe594d..69d6412b235 100644
--- a/htdocs/compta/prelevement/bons.php
+++ b/htdocs/compta/prelevement/bons.php
@@ -41,8 +41,8 @@ $result = restrictedArea($user, 'prelevement', '', '', 'bons');
$type = GETPOST('type', 'aZ09');
$limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
-$sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
$page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
$offset = $limit * $page;
diff --git a/htdocs/compta/prelevement/card.php b/htdocs/compta/prelevement/card.php
index 6349660c59c..1370155cb1d 100644
--- a/htdocs/compta/prelevement/card.php
+++ b/htdocs/compta/prelevement/card.php
@@ -37,7 +37,7 @@ $langs->loadLangs(array('banks', 'categories', 'bills', 'companies', 'withdrawal
if ($user->socid > 0) accessforbidden();
// Get supervariables
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
$id = GETPOST('id', 'int');
$ref = GETPOST('ref', 'alpha');
$socid = GETPOST('socid', 'int');
@@ -45,8 +45,8 @@ $type = GETPOST('type', 'aZ09');
// Load variable for pagination
$limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
-$sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
$page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
$offset = $limit * $page;
diff --git a/htdocs/compta/prelevement/class/bonprelevement.class.php b/htdocs/compta/prelevement/class/bonprelevement.class.php
index 067dd33cd81..9d3c5bef7a8 100644
--- a/htdocs/compta/prelevement/class/bonprelevement.class.php
+++ b/htdocs/compta/prelevement/class/bonprelevement.class.php
@@ -205,9 +205,9 @@ class BonPrelevement extends CommonObject
$sql .= " FROM ".MAIN_DB_PREFIX."prelevement_lignes";
$sql .= " WHERE fk_prelevement_bons = ".$this->id;
$sql .= " AND fk_soc =".$client_id;
- $sql .= " AND code_banque ='".$code_banque."'";
- $sql .= " AND code_guichet ='".$code_guichet."'";
- $sql .= " AND number ='".$number."'";
+ $sql .= " AND code_banque = '".$this->db->escape($code_banque)."'";
+ $sql .= " AND code_guichet = '".$this->db->escape($code_guichet)."'";
+ $sql .= " AND number = '".$this->db->escape($number)."'";
$resql = $this->db->query($sql);
if ($resql)
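Review bot: `$sql .= " WHERE fk_prelevement_bons = ".$this->id;` and `$sql .= " AND fk_soc =".$client_id;` sit directly above the newly escaped lines in the @@ -205 hunk and remain uncast, unquoted integer interpolations; the escaping added to the three lines below them does not cover these two, so cast them as the rest of the commit does: `" WHERE fk_prelevement_bons = ".((int) $this->id)` and `" AND fk_soc = ".((int) $client_id)`. The same applies to `$sql .= ", ".$client_id;` in the INSERT at @@ -234 of this file. The enclosing method starts and ends outside the hunk.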
@@ -234,10 +234,10 @@ class BonPrelevement extends CommonObject
$sql .= ", ".$client_id;
$sql .= ", '".$this->db->escape($client_nom)."'";
$sql .= ", '".price2num($amount)."'";
- $sql .= ", '".$code_banque."'";
- $sql .= ", '".$code_guichet."'";
- $sql .= ", '".$number."'";
- $sql .= ", '".$number_key."'";
+ $sql .= ", '".$this->db->escape($code_banque)."'";
+ $sql .= ", '".$this->db->escape($code_guichet)."'";
+ $sql .= ", '".$this->db->escape($number)."'";
+ $sql .= ", '".$this->db->escape($number_key)."'";
$sql .= ")";
if ($this->db->query($sql))
@@ -1380,7 +1380,7 @@ class BonPrelevement extends CommonObject
$result = 0;
$sql = "DELETE FROM ".MAIN_DB_PREFIX."notify_def";
- $sql .= " WHERE rowid = '".$rowid."'";
+ $sql .= " WHERE rowid = ".((int) $rowid);
if ($this->db->query($sql))
{
@@ -1404,7 +1404,7 @@ class BonPrelevement extends CommonObject
$result = 0;
$sql = "DELETE FROM ".MAIN_DB_PREFIX."notify_def";
- $sql .= " WHERE fk_user=".$user." AND fk_action='".$action."'";
+ $sql .= " WHERE fk_user=".$user." AND fk_action='".$this->db->escape($action)."'";
if ($this->db->query($sql))
{
@@ -1433,7 +1433,7 @@ class BonPrelevement extends CommonObject
$now = dol_now();
$sql = "INSERT INTO ".MAIN_DB_PREFIX."notify_def (datec,fk_user, fk_soc, fk_contact, fk_action)";
- $sql .= " VALUES (".$db->idate($now).",".$user.", 'NULL', 'NULL', '".$action."')";
+ $sql .= " VALUES ('".$this->db->idate($now)."', ".$user.", 'NULL', 'NULL', '".$this->db->escape($action)."')";
dol_syslog("adnotiff: ".$sql);
if ($this->db->query($sql))
diff --git a/htdocs/compta/prelevement/create.php b/htdocs/compta/prelevement/create.php
index 842b8b169f5..8c8dc01a22c 100644
--- a/htdocs/compta/prelevement/create.php
+++ b/htdocs/compta/prelevement/create.php
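Review bot: The rewritten VALUES line in the @@ -1433 hunk still passes `'NULL', 'NULL'` as quoted string literals for fk_soc and fk_contact, which inserts the text NULL rather than an SQL NULL; what the database does with that depends on the column types and SQL mode, which are not shown here, so please confirm it is intended. If these are meant to be empty foreign keys, write them unquoted and cast the user id like the other ids in this commit: `$sql .= " VALUES ('".$this->db->idate($now)."', ".((int) $user).", NULL, NULL, '".$this->db->escape($action)."')";`. `$user` is interpolated uncast in the DELETE at @@ -1404 as well (`" WHERE fk_user=".$user`).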
@@ -46,7 +46,7 @@ $result = restrictedArea($user, 'prelevement', '', '', 'bons'); $type = GETPOST('type', 'aZ09'); // Get supervariables -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $mode = GETPOST('mode', 'alpha') ?GETPOST('mode', 'alpha') : 'real'; $format = GETPOST('format', 'aZ09'); $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; @@ -185,7 +185,7 @@ if ($mesg) print $mesg; print '
'."\n"; print ''; -print ''; +print ''; print ''; if ($nb) { if ($pricetowithdraw) { diff --git a/htdocs/compta/prelevement/factures.php b/htdocs/compta/prelevement/factures.php index c4cb6f0c7c4..0b0c0eef6d4 100644 --- a/htdocs/compta/prelevement/factures.php +++ b/htdocs/compta/prelevement/factures.php @@ -45,8 +45,8 @@ $type = GETPOST('type', 'aZ09'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/compta/prelevement/fiche-rejet.php b/htdocs/compta/prelevement/fiche-rejet.php index 2cfc40bb30c..6e601d82ecd 100644 --- a/htdocs/compta/prelevement/fiche-rejet.php +++ b/htdocs/compta/prelevement/fiche-rejet.php @@ -45,8 +45,8 @@ $type = GETPOST('type', 'aZ09'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/compta/prelevement/fiche-stat.php b/htdocs/compta/prelevement/fiche-stat.php index c59ed2d4232..4ff81467d7c 100644 --- a/htdocs/compta/prelevement/fiche-stat.php +++ b/htdocs/compta/prelevement/fiche-stat.php 
@@ -43,8 +43,8 @@ $type = GETPOST('type', 'aZ09'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/compta/prelevement/line.php b/htdocs/compta/prelevement/line.php index ae146522f39..3c8d80d4931 100644 --- a/htdocs/compta/prelevement/line.php +++ b/htdocs/compta/prelevement/line.php @@ -39,15 +39,15 @@ $langs->loadlangs(array('banks', 'categories', 'bills', 'withdrawals')); if ($user->socid > 0) accessforbidden(); // Get supervariables -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $id = GETPOST('id', 'int'); $socid = GETPOST('socid', 'int'); $type = GETPOST('type', 'aZ09'); $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortorder = GETPOST('sortorder', 'alpha'); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if ($page == -1 || $page == null) { $page = 0; } $offset = $limit * $page; diff --git a/htdocs/compta/prelevement/list.php b/htdocs/compta/prelevement/list.php index 2666e8587e6..6f9685ece18 100644 --- a/htdocs/compta/prelevement/list.php +++ b/htdocs/compta/prelevement/list.php 
@@ -50,8 +50,8 @@ $result = restrictedArea($user, 'prelevement', '', '', 'bons'); $type = GETPOST('type', 'aZ09'); $limit = GETPOST('limit', 'int')?GETPOST('limit', 'int'):$conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/compta/prelevement/rejets.php b/htdocs/compta/prelevement/rejets.php index a8481d25f7a..da2420aed3f 100644 --- a/htdocs/compta/prelevement/rejets.php +++ b/htdocs/compta/prelevement/rejets.php @@ -42,8 +42,8 @@ $type = GETPOST('type', 'aZ09'); // Get supervariables $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortorder = GETPOST('sortorder', 'alpha'); -$sortfield = GETPOST('sortfield', 'alpha'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/compta/recap-compta.php b/htdocs/compta/recap-compta.php index 8b75ec38fce..63368fa94e8 100644 --- a/htdocs/compta/recap-compta.php +++ b/htdocs/compta/recap-compta.php 
@@ -46,8 +46,8 @@ $hookmanager->initHooks(array('recapcomptacard', 'globalcard'));
// Load variable for pagination
$limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
-$sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
$page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
$offset = $limit * $page;
diff --git a/htdocs/compta/sociales/list.php b/htdocs/compta/sociales/list.php
index 40ebcd1cb7c..52d3b9b7fa3 100644
--- a/htdocs/compta/sociales/list.php
+++ b/htdocs/compta/sociales/list.php
@@ -35,7 +35,7 @@ if (!empty($conf->projet->enabled)) require_once DOL_DOCUMENT_ROOT.'/projet/clas
// Load translation files required by the page
$langs->loadLangs(array('compta', 'banks', 'bills'));
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
$massaction = GETPOST('massaction', 'alpha');
$show_files = GETPOST('show_files', 'int');
$confirm = GETPOST('confirm', 'alpha');
@@ -138,8 +138,8 @@ if ($year > 0)
$sql .= " AND (";
// Si period renseignee on l'utilise comme critere de date, sinon on prend date echeance,
// ceci afin d'etre compatible avec les cas ou la periode n'etait pas obligatoire
- $sql .= " (cs.periode IS NOT NULL AND date_format(cs.periode, '%Y') = '".$year."') ";
- $sql .= "OR (cs.periode IS NULL AND date_format(cs.date_ech, '%Y') = '".$year."')";
+ $sql .= " (cs.periode IS NOT NULL AND date_format(cs.periode, '%Y') = '".$db->escape($year)."') ";
+ $sql .= "OR (cs.periode IS NULL AND date_format(cs.date_ech, '%Y') = '".$db->escape($year)."')";
$sql .= ")";
}
if ($filtre) {
diff --git a/htdocs/compta/stats/cabyprodserv.php b/htdocs/compta/stats/cabyprodserv.php
index ab2c1dcadb1..fbecc1df335 100644
--- a/htdocs/compta/stats/cabyprodserv.php
+++ b/htdocs/compta/stats/cabyprodserv.php
@@ -60,6 +60,9 @@ if (GETPOST('subcat', 'alpha') === 'yes') {
$selected_type = GETPOST('search_type', 'int');
if ($selected_type == '') $selected_type = -1;
+// Hook
+$hookmanager->initHooks(array('cabyprodservlist'));
+
// Date range
$year = GETPOST("year");
$month = GETPOST("month");
diff --git a/htdocs/compta/stats/casoc.php b/htdocs/compta/stats/casoc.php
index ab71b147b50..a02d87a8392 100644
--- a/htdocs/compta/stats/casoc.php
+++ b/htdocs/compta/stats/casoc.php
@@ -61,6 +61,9 @@ if ($user->socid > 0) $socid = $user->socid;
if (!empty($conf->comptabilite->enabled)) $result = restrictedArea($user, 'compta', '', '', 'resultat');
if (!empty($conf->accounting->enabled)) $result = restrictedArea($user, 'accounting', '', '', 'comptarapport');
+// Hook
+$hookmanager->initHooks(array('casoclist'));
+
// Date range
$year = GETPOST("year", 'int');
$month = GETPOST("month", 'int');
diff --git a/htdocs/compta/stats/supplier_turnover_by_prodserv.php b/htdocs/compta/stats/supplier_turnover_by_prodserv.php
index 5911daaba45..83a3cb70a00 100644
--- a/htdocs/compta/stats/supplier_turnover_by_prodserv.php
+++ b/htdocs/compta/stats/supplier_turnover_by_prodserv.php
@@ -57,6 +57,9 @@ if (GETPOST('subcat', 'alpha') === 'yes') {
$selected_type = GETPOST('search_type', 'int');
if ($selected_type == '') $selected_type = -1;
+// Hook
+$hookmanager->initHooks(array('supplierturnoverbyprodservlist'));
+
// Date range
$year = GETPOST("year");
$month = GETPOST("month");
diff --git a/htdocs/compta/stats/supplier_turnover_by_thirdparty.php b/htdocs/compta/stats/supplier_turnover_by_thirdparty.php
index 60d65049800..7a624284cdf 100644
--- a/htdocs/compta/stats/supplier_turnover_by_thirdparty.php
+++ b/htdocs/compta/stats/supplier_turnover_by_thirdparty.php
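Review bot: The context directly below the new hook initialisation in cabyprodserv.php still reads `$year = GETPOST("year");` and `$month = GETPOST("month");` with no filter, whereas casoc.php in the same commit reads the same two parameters as `GETPOST("year", 'int')` and `GETPOST("month", 'int')`. They are labelled as the date range and are presumably used to build SQL further down the file, so applying the 'int' filter here too costs nothing and removes the inconsistency. The same untyped pair is visible in supplier_turnover_by_prodserv.php at @@ -57.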
@@ -50,6 +50,9 @@ if (GETPOST('subcat', 'alpha') === 'yes') {
$subcat = true;
}
+// Hook
+$hookmanager->initHooks(array('supplierturnoverbythirdpartylist'));
+
// Security check
if ($user->socid > 0) $socid = $user->socid;
if (!empty($conf->comptabilite->enabled)) $result = restrictedArea($user, 'compta', '', '', 'resultat');
diff --git a/htdocs/compta/tva/card.php b/htdocs/compta/tva/card.php
index 78105cf9585..717b584fe44 100644
--- a/htdocs/compta/tva/card.php
+++ b/htdocs/compta/tva/card.php
@@ -98,7 +98,7 @@ if ($action == 'add' && $_POST["cancel"] <> $langs->trans("Cancel"))
}
$object->amount = $amount;
$object->label = GETPOST("label", 'alpha');
- $object->note = GETPOST("note", 'none');
+ $object->note = GETPOST("note", 'restricthtml');
if (empty($object->datep))
{
diff --git a/htdocs/compta/tva/class/tva.class.php b/htdocs/compta/tva/class/tva.class.php
index b4201d0bc36..5f661609e52 100644
--- a/htdocs/compta/tva/class/tva.class.php
+++ b/htdocs/compta/tva/class/tva.class.php
@@ -384,7 +384,7 @@ class Tva extends CommonObject
$sql .= " FROM ".MAIN_DB_PREFIX."facture as f WHERE f.paye = 1";
if ($year)
{
- $sql .= " AND f.datef >= '".$year."-01-01' AND f.datef <= '".$year."-12-31' ";
+ $sql .= " AND f.datef >= '".$this->db->escape($year)."-01-01' AND f.datef <= '".$this->db->escape($year)."-12-31' ";
}
$result = $this->db->query($sql);
@@ -421,7 +421,7 @@ class Tva extends CommonObject
$sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn as f";
if ($year)
{
- $sql .= " WHERE f.datef >= '".$this->db->escape($year)."-01-01' AND f.datef <= '".$this->db->escape($year)."-12-31' ";
+ $sql .= " WHERE f.datef >= '".$this->db->escape($year)."-01-01' AND f.datef <= '".$this->db->escape($year)."-12-31' ";
}
$result = $this->db->query($sql);
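Review bot: `$this->db->escape($year)` is used to build the date literals `'YYYY-01-01'` / `'YYYY-12-31'` in the @@ -384 and @@ -421 hunks of tva.class.php (and again at @@ -460 in the next part of this file); escaping only prevents breaking out of the quotes, it does not guarantee the value is a year, so `((int) $year)` is both stronger and consistent with the casts used elsewhere in this commit, e.g. `$sql .= " AND f.datef >= '".((int) $year)."-01-01' AND f.datef <= '".((int) $year)."-12-31' ";`. The surrounding `if ($year)` guard already implies a numeric value is expected. The enclosing methods start and end outside the hunks.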
@@ -460,7 +460,7 @@ class Tva extends CommonObject if ($year) { - $sql .= " WHERE f.datev >= '".$year."-01-01' AND f.datev <= '".$year."-12-31' "; + $sql .= " WHERE f.datev >= '".$this->db->escape($year)."-01-01' AND f.datev <= '".$this->db->escape($year)."-12-31' "; } $result = $this->db->query($sql); diff --git a/htdocs/compta/tva/list.php b/htdocs/compta/tva/list.php index 5b09da5305c..82829fca12e 100644 --- a/htdocs/compta/tva/list.php +++ b/htdocs/compta/tva/list.php @@ -146,11 +146,9 @@ if ($result) if ($limit > 0 && $limit != $conf->liste_limit) $param .= '&limit='.$limit; if ($typeid) $param .= '&typeid='.$typeid; - $newcardbutton = ''; - if ($user->rights->tax->charges->creer) - { - $newcardbutton .= dolGetButtonTitle($langs->trans('NewVATPayment', ($ltt + 1)), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/compta/tva/card.php?action=create'); - } + $url = DOL_URL_ROOT.'/compta/tva/card.php?action=create'; + if (!empty($socid)) $url .= '&socid='.$socid; + $newcardbutton = dolGetButtonTitle($langs->trans('NewVATPayment', ($ltt + 1)), '', 'fa fa-plus-circle', $url, '', $user->rights->tax->charges->creer); print ''; if ($optioncss != '') print ''; @@ -172,22 +170,18 @@ if ($result) // Date end period print ''; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_dateend_start ? $search_dateend_start : -1, 'search_dateend_start', 0, 0, 1); + print $form->selectDate($search_dateend_start ? $search_dateend_start : -1, 'search_dateend_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_dateend_end ? $search_dateend_end : -1, 'search_dateend_end', 0, 0, 1); + print $form->selectDate($search_dateend_end ? $search_dateend_end : -1, 'search_dateend_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')); print '
'; // Date payment print ''; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_datepayment_start ? $search_datepayment_start : -1, 'search_datepayment_start', 0, 0, 1); + print $form->selectDate($search_datepayment_start ? $search_datepayment_start : -1, 'search_datepayment_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_datepayment_end ? $search_datepayment_end : -1, 'search_datepayment_end', 0, 0, 1); + print $form->selectDate($search_datepayment_end ? $search_datepayment_end : -1, 'search_datepayment_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')); print '
'; // Type print ''; diff --git a/htdocs/conf/conf.php.example b/htdocs/conf/conf.php.example index 32c37301a0e..6b1b5e0ea0a 100644 --- a/htdocs/conf/conf.php.example +++ b/htdocs/conf/conf.php.example @@ -219,10 +219,10 @@ $dolibarr_main_authentication='dolibarr'; // 1 = Force redirect to https, until SCRIPT_URI start with https into response // 2 = Force redirect to https, until SERVER["HTTPS"] is 'on' into response // 'https://my.domain.com' = Force redirect to https using this domain name. -// Warning: If you enable this parameter, your web server must be configured to -// respond URL with https protocol. -// According to your web server setup, some values may works and other not. Try -// different values (1,2 or 'https://my.domain.com') if you experience problems. +// Warning: If you enable this parameter, your web server must be configured to respond URL with https protocol. +// According to your web server setup, some values may works and other not. Try different values (1,2 or 'https://my.domain.com') if you experience problems. +// Even if a redirect to HTTPS is forced by the webserver, it is recommanded to set this value to another value than 0, so your session cookies will be +// flagged as secured. // Default value: 0 // Possible values: 0, 1, 2 or 'https://my.domain.com' // Examples: @@ -233,12 +233,12 @@ $dolibarr_main_force_https='0'; // dolibarr_main_prod // When this parameter is defined, all errors messages are not reported. // This feature exists for production usage to avoid to give any information to hackers. -// Default value: 0 +// Default value: 1 // Possible values: 0 or 1 // Examples: -// $dolibarr_main_prod='0'; +// $dolibarr_main_prod='1'; // -$dolibarr_main_prod='0'; +$dolibarr_main_prod='1'; // $dolibarr_main_restrict_os_commands // To restrict commands you can execute by the backup feature, enter allowed command here. 
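Review bot: The new comment line in the `dolibarr_main_force_https` block has two spelling errors, `recommanded` and `secured`; suggest `// Even if a redirect to HTTPS is forced by the webserver, it is recommended to set this value to something other than 0, so your session cookies will be` followed by `// flagged as secure.`. This is worth getting right because it is the only place the example config explains that the Secure cookie flag depends on this setting rather than on the web server's redirect. The `$dolibarr_main_prod` default flip to '1' in @@ -233 is consistent between the comment block and the assignment.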
@@ -260,8 +260,8 @@ $dolibarr_main_restrict_ip=''; // dolibarr_nocsrfcheck // This parameter can be used to disable CSRF protection. -// This might be required if you access Dolibarr behind a proxy that make -// URL rewriting, to avoid false alarms. +// This might be required if you access Dolibarr behind a proxy that make bad URL rewriting, to avoid false alarms. +// In most cases, you should always keep this to 0. // Default value: 0 // Possible values: 0 or 1 // Examples: @@ -269,6 +269,12 @@ $dolibarr_main_restrict_ip=''; // $dolibarr_nocsrfcheck='0'; +// dolibarr_cron_allow_cli +// If set to 1, you will be able to define some command line in the internale Job scheduler module. +// Default value: '0' +// Examples: '1' +$dolibarr_cron_allow_cli='0'; + // dolibarr_mailing_limit_sendbyweb // Can set a limit for mailing send by web. This overwrite database value. Can be used to restrict on OS level. // Default value: '25' diff --git a/htdocs/contact/agenda.php b/htdocs/contact/agenda.php index 0ea0018632b..7ac512bd32f 100644 --- a/htdocs/contact/agenda.php +++ b/htdocs/contact/agenda.php @@ -83,7 +83,7 @@ $search_agenda_label = GETPOST('search_agenda_label'); // Security check if ($user->socid) $socid = $user->socid; -$result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', 'rowid', $objcanvas); // If we create a contact with no company (shared contacts), no check on write permission +$result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', 'rowid', 0); // If we create a contact with no company (shared contacts), no check on write permission $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; $sortfield = GETPOST("sortfield", 'alpha'); diff --git a/htdocs/contact/card.php b/htdocs/contact/card.php index 606e4e626b0..8428b257fac 100644 --- a/htdocs/contact/card.php +++ b/htdocs/contact/card.php 
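Review bot: `internale` in the new `dolibarr_cron_allow_cli` comment should be `internal`, and the comment should say what enabling the option means operationally so an administrator can weigh it; suggest `// If set to 1, command lines can be defined in the internal Job scheduler module and will be executed on the server by the scheduler. Keep it at 0 unless you need this.`. Adding `// Possible values: 0 or 1` would also match the layout of the neighbouring parameters, which all list their possible values. The quoted `'0'` default is consistent with the assignment line that follows.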
@@ -78,7 +78,7 @@ if (!empty($canvas)) // Security check if ($user->socid) $socid = $user->socid; -$result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', 'rowid', $objcanvas); // If we create a contact with no company (shared contacts), no check on write permission +$result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', 'rowid', 0); // If we create a contact with no company (shared contacts), no check on write permission // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('contactcard', 'globalcard')); @@ -207,8 +207,8 @@ if (empty($reshook)) $object->phone_mobile = GETPOST("phone_mobile", 'alpha'); $object->fax = GETPOST("fax", 'alpha'); $object->priv = GETPOST("priv", 'int'); - $object->note_public = GETPOST("note_public", 'none'); - $object->note_private = GETPOST("note_private", 'none'); + $object->note_public = GETPOST("note_public", 'restricthtml'); + $object->note_private = GETPOST("note_private", 'restricthtml'); $object->roles = GETPOST("roles", 'array'); $object->statut = 1; //Defult status to Actif @@ -395,8 +395,8 @@ if (empty($reshook)) $object->phone_mobile = GETPOST("phone_mobile", 'alpha'); $object->fax = GETPOST("fax", 'alpha'); $object->priv = GETPOST("priv", 'int'); - $object->note_public = GETPOST("note_public", 'none'); - $object->note_private = GETPOST("note_private", 'none'); + $object->note_public = GETPOST("note_public", 'restricthtml'); + $object->note_private = GETPOST("note_private", 'restricthtml'); $object->roles = GETPOST("roles", 'array'); // Fill array 'array_options' with data from add form @@ -851,7 +851,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) print ''; // Date To Birth - print ''; // Date To Birth - print ''; 
@@ -272,7 +272,7 @@ if ($action == 'edit') { include_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php'; - print ''; } else { - print ''; + print ''; } print ""; diff --git a/htdocs/contrat/admin/contract_extrafields.php b/htdocs/contrat/admin/contract_extrafields.php index 031a1b7498d..5343ab8f349 100644 --- a/htdocs/contrat/admin/contract_extrafields.php +++ b/htdocs/contrat/admin/contract_extrafields.php @@ -42,7 +42,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'contrat'; //Must be the $element of the class that manage extrafield diff --git a/htdocs/contrat/admin/contractdet_extrafields.php b/htdocs/contrat/admin/contractdet_extrafields.php index 3e068f5650b..bd0c7b132d0 100644 --- a/htdocs/contrat/admin/contractdet_extrafields.php +++ b/htdocs/contrat/admin/contractdet_extrafields.php @@ -42,7 +42,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'contratdet'; //Must be the $element of the class that manage extrafield diff --git a/htdocs/contrat/card.php b/htdocs/contrat/card.php index cd622b38c28..adb117b7b8f 100644 --- a/htdocs/contrat/card.php +++ b/htdocs/contrat/card.php 
@@ -50,7 +50,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/extrafields.class.php'; // Load translation files required by the page $langs->loadLangs(array("contracts", "orders", "companies", "bills", "products", 'compta')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $socid = GETPOST('socid', 'int'); $id = GETPOST('id', 'int'); @@ -665,7 +665,8 @@ if (empty($reshook)) $fk_unit = GETPOST('unit', 'alpha'); - $objectline->description = GETPOST('product_desc', 'none'); + $objectline->fk_product = GETPOST('idprod', 'int'); + $objectline->description = GETPOST('product_desc', 'restricthtml'); $objectline->price_ht = GETPOST('elprice'); $objectline->subprice = GETPOST('elprice'); $objectline->qty = GETPOST('elqty'); @@ -811,7 +812,7 @@ if (empty($reshook)) $object->oldcopy = dol_clone($object); // Fill array 'array_options' with data from update form - $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'none')); + $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'restricthtml')); if ($ret < 0) $error++; if (!$error) { @@ -1436,8 +1437,6 @@ if ($action == 'create') $usemargins = 0; if (!empty($conf->margin->enabled) && !empty($object->element) && in_array($object->element, array('facture', 'propal', 'commande'))) $usemargins = 1; - $var = false; - // Title line for service $cursorline = 1; print '
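Review bot: The new `$objectline->fk_product = GETPOST('idprod', 'int');` is the only line in this assignment group with a check type: the surrounding `GETPOST('elprice')` and `GETPOST('elqty')` calls still accept anything and are assigned straight to `price_ht`, `subprice` and `qty`. For consistency with the numeric handling this changeset introduces in actions_addupdatedelete.inc.php, read them as `price2num(GETPOST('elprice', 'alphanohtml'))` and `price2num(GETPOST('elqty', 'alphanohtml'))`. The enclosing action block starts before this hunk.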
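Review bot: `GETPOST('attribute', 'restricthtml')` is passed as the third argument of `setOptionalsFromPost()`, which elsewhere is a field key rather than free text; if that is the case here, an HTML-content filter is the wrong shape and a strict one such as `'aZ09'` or `'alphanohtml'` states what is expected. Confirm against the method signature, which is not in this diff.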
'; @@ -1448,7 +1447,6 @@ if ($action == 'create') print ''; print ''; print ''; - print ''; print ''; // Area with common detail of line @@ -1632,17 +1630,29 @@ if ($action == 'create') // Ligne carac print '
'; print ''; $out .= ''; if (!empty($options)) $out .= ''; $out .= ''; $out .= ''; } @@ -1204,7 +1207,7 @@ class FormFile $editline = 1; } else { $filenametoshow = preg_replace('/\.noexe$/', '', $file['name']); - print dol_trunc($filenametoshow, 200); + print dol_escape_htmltag(dol_trunc($filenametoshow, 200)); print ''; } // Preview link @@ -1249,7 +1252,7 @@ class FormFile } else { print ''; } - print ''; + print ''; print ''; } else print ' '; print ''; diff --git a/htdocs/core/class/html.formintervention.class.php b/htdocs/core/class/html.formintervention.class.php index 37073e8d3a5..dccbe50333a 100644 --- a/htdocs/core/class/html.formintervention.class.php +++ b/htdocs/core/class/html.formintervention.class.php @@ -80,18 +80,18 @@ class FormIntervention } dol_syslog(get_class($this)."::select_intervention", LOG_DEBUG); - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { $out .= ''; - $db->free($resql); + $this->db->free($resql); return $out; } else { - dol_print_error($db); + dol_print_error($this->db); return ''; } } diff --git a/htdocs/core/class/html.formmail.class.php b/htdocs/core/class/html.formmail.class.php index 3c006d8810f..fcd7199137c 100644 --- a/htdocs/core/class/html.formmail.class.php +++ b/htdocs/core/class/html.formmail.class.php @@ -675,7 +675,7 @@ class FormMail extends Form { $tmparray[$key] = dol_htmlentities($tmparray[$key], null, 'UTF-8', true); } - $withtoselected = GETPOST("receiver", 'none'); // Array of selected value + $withtoselected = GETPOST("receiver", 'restricthtml'); // Array of selected value if (empty($withtoselected) && count($tmparray) == 1 && GETPOST('action', 'aZ09') == 'presend') { $withtoselected = array_keys($tmparray); 
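Review bot: The trailing comment says `receiver` is an array of selected values, but the check type changed to `'restricthtml'`, which is a string filter; for the same situation contact/card.php in this changeset uses `GETPOST("roles", 'array')`. Unless GETPOST applies restricthtml element-wise to arrays (not visible here), a multi-select submission may be altered or dropped, so confirm the behaviour or use `'array'`. The same concern applies to `receiveruser` (@@ -699) and `receiverccuser` (@@ -763).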
@@ -699,7 +699,7 @@ class FormMail extends Form { $tmparray[$key] = dol_htmlentities($tmparray[$key], null, 'UTF-8', true); } - $withtoselected = GETPOST("receiveruser", 'none'); // Array of selected value + $withtoselected = GETPOST("receiveruser", 'restricthtml'); // Array of selected value if (empty($withtoselected) && count($tmparray) == 1 && GETPOST('action', 'aZ09') == 'presend') { $withtoselected = array_keys($tmparray); @@ -763,7 +763,7 @@ class FormMail extends Form { $tmparray[$key] = dol_htmlentities($tmparray[$key], null, 'UTF-8', true); } - $withtoselected = GETPOST("receiverccuser", 'none'); // Array of selected value + $withtoselected = GETPOST("receiverccuser", 'restricthtml'); // Array of selected value if (empty($withtoselected) && count($tmparray) == 1 && GETPOST('action', 'aZ09') == 'presend') { $withtoselected = array_keys($tmparray); @@ -886,7 +886,7 @@ class FormMail extends Form // Message if (!empty($this->withbody)) { - $defaultmessage = GETPOST('message', 'none'); + $defaultmessage = GETPOST('message', 'restricthtml'); if (!GETPOST('modelselected', 'alpha') || GETPOST('modelmailselected') != '-1') { if ($arraydefaultmessage && $arraydefaultmessage->content) { @@ -1144,7 +1144,7 @@ class FormMail extends Form { global $conf, $langs, $form; - $defaulttopic = GETPOST('subject', 'none'); + $defaulttopic = GETPOST('subject', 'restricthtml'); if (!GETPOST('modelselected', 'alpha') || GETPOST('modelmailselected') != '-1') { if ($arraydefaultmessage && $arraydefaultmessage->topic) { $defaulttopic = $arraydefaultmessage->topic; 
@@ -1296,7 +1296,7 @@ class FormMail extends Form $sql .= " WHERE type_template='".$this->db->escape($type_template)."'"; $sql .= " AND entity IN (".getEntity('c_email_templates').")"; $sql .= " AND (fk_user is NULL or fk_user = 0 or fk_user = ".$user->id.")"; - if (is_object($outputlangs)) $sql .= " AND (lang = '".$outputlangs->defaultlang."' OR lang IS NULL OR lang = '')"; + if (is_object($outputlangs)) $sql .= " AND (lang = '".$this->db->escape($outputlangs->defaultlang)."' OR lang IS NULL OR lang = '')"; $sql .= $this->db->order("lang,label", "ASC"); //print $sql; @@ -1330,7 +1330,7 @@ class FormMail extends Form $sql .= " AND entity IN (".getEntity('c_email_templates').")"; $sql .= " AND (private = 0 OR fk_user = ".$user->id.")"; // See all public templates or templates I own. if ($active >= 0) $sql .= " AND active = ".$active; - //if (is_object($outputlangs)) $sql.= " AND (lang = '".$outputlangs->defaultlang."' OR lang IS NULL OR lang = '')"; // Return all languages + //if (is_object($outputlangs)) $sql.= " AND (lang = '".$this->db->escape($outputlangs->defaultlang)."' OR lang IS NULL OR lang = '')"; // Return all languages $sql .= $this->db->order("position,lang,label", "ASC"); //print $sql; diff --git a/htdocs/core/class/html.formmargin.class.php b/htdocs/core/class/html.formmargin.class.php index 5e18bb20782..cf159819764 100644 --- a/htdocs/core/class/html.formmargin.class.php +++ b/htdocs/core/class/html.formmargin.class.php @@ -87,7 +87,7 @@ class FormMargin if (empty($line->pa_ht) && isset($line->fk_fournprice) && !$force_price) { require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.product.class.php'; - $product = new ProductFournisseur($db); + $product = new ProductFournisseur($this->db); if ($product->fetch_product_fournisseur_price($line->fk_fournprice)) $line->pa_ht = $product->fourn_unitprice * (1 - $product->fourn_remise_percent / 100); } 
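Review bot: The escaping added to `$outputlangs->defaultlang` in @@ -1296 and in the commented-out line of this hunk leaves two neighbouring raw interpolations untouched: `" AND active = ".$active` and `" or fk_user = ".$user->id.")"`. Both are numeric, so the consistent fix is a cast rather than an escape, `" AND active = ".((int) $active)` and `" fk_user = ".((int) $user->id)`.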
@@ -204,7 +204,7 @@ class FormMargin if (!empty($conf->global->MARGIN_ADD_SHOWHIDE_BUTTON)) // TODO Warning this feature rely on an external js file that may be removed. Using native js function document.cookie should be better { print $langs->trans('ShowMarginInfos').' : '; - $hidemargininfos = $_COOKIE['DOLUSER_MARGININFO_HIDE_SHOW']; + $hidemargininfos = preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE['DOLUSER_MARGININFO_HIDE_SHOW']); // Clean cookie print ''.img_picto($langs->trans("Disabled"), 'switch_off').''; print ''.img_picto($langs->trans("Enabled"), 'switch_on').''; diff --git a/htdocs/core/class/html.formother.class.php b/htdocs/core/class/html.formother.class.php index f69ef6703e0..dc55d0931f7 100644 --- a/htdocs/core/class/html.formother.class.php +++ b/htdocs/core/class/html.formother.class.php @@ -256,7 +256,7 @@ class FormOther $sql = "SELECT r.taux, r.revenuestamp_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_revenuestamp as r,".MAIN_DB_PREFIX."c_country as c"; $sql .= " WHERE r.active = 1 AND r.fk_pays = c.rowid"; - $sql .= " AND c.code = '".$country_code."'"; + $sql .= " AND c.code = '".$this->db->escape($country_code)."'"; dol_syslog(get_class($this).'::select_revenue_stamp', LOG_DEBUG); $resql = $this->db->query($sql); @@ -1048,6 +1048,7 @@ class FormOther // Class Form must have been already loaded $selectboxlist .= ''."\n"; $selectboxlist .= ''; + $selectboxlist .= ''; $selectboxlist .= ''; $selectboxlist .= ''; $selectboxlist .= ''; @@ -1141,7 +1142,7 @@ class FormOther // Load translation files required by the page $langs->loadLangs(array("boxes", "projects")); - $emptybox = new ModeleBoxes($db); + $emptybox = new ModeleBoxes($db); $boxlista .= "\n\n"; diff --git a/htdocs/core/class/html.formsocialcontrib.class.php b/htdocs/core/class/html.formsocialcontrib.class.php index c6d28a7b70f..b5adfdba82f 100644 --- a/htdocs/core/class/html.formsocialcontrib.class.php +++ b/htdocs/core/class/html.formsocialcontrib.class.php 
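Review bot: `preg_replace(...)` is now applied to `$_COOKIE['DOLUSER_MARGININFO_HIDE_SHOW']` unconditionally, so a first visit without the cookie raises an undefined-index notice (the original line had the same issue; the cleanup itself is the right direction). Guard the read, e.g. `$hidemargininfos = empty($_COOKIE['DOLUSER_MARGININFO_HIDE_SHOW']) ? '' : preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE['DOLUSER_MARGININFO_HIDE_SHOW']);`.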
@@ -83,15 +83,15 @@ class FormSocialContrib $sql = "SELECT c.id, c.libelle as type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_chargesociales as c, ".MAIN_DB_PREFIX."c_country as co"; $sql .= " WHERE c.active = 1 AND c.fk_pays = co.rowid"; - $sql .= " AND co.code = '".$mysoc->country_code."'"; + $sql .= " AND co.code = '".$this->db->escape($mysoc->country_code)."'"; $sql .= " ORDER BY c.libelle ASC"; } dol_syslog("Form::select_type_socialcontrib", LOG_DEBUG); - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - $num = $db->num_rows($resql); + $num = $this->db->num_rows($resql); if ($num) { print '
'; + print '
'; $form = new Form($db); if ($object->birthday) { @@ -1249,9 +1249,14 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) } } - if (!empty($id) && $action != 'edit' && $action != 'create') - { - $objsoc = new Societe($db); + // Select mail models is same action as presend + if (GETPOST('modelselected', 'alpha')) { + $action = 'presend'; + } + + if (!empty($id) && $action != 'edit' && $action != 'create') + { + $objsoc = new Societe($db); // View mode diff --git a/htdocs/contact/class/contact.class.php b/htdocs/contact/class/contact.class.php index 3922dc9069f..0c2c3bf56ce 100644 --- a/htdocs/contact/class/contact.class.php +++ b/htdocs/contact/class/contact.class.php @@ -1649,7 +1649,7 @@ class Contact extends CommonObject $sql .= ", ".MAIN_DB_PREFIX."societe_contacts sc"; $sql .= " WHERE sc.fk_soc =".$this->socid; $sql .= " AND sc.fk_c_type_contact=tc.rowid"; - $sql .= " AND tc.element='".$element."'"; + $sql .= " AND tc.element='".$this->db->escape($element)."'"; $sql .= " AND tc.active=1"; dol_syslog(__METHOD__, LOG_DEBUG); diff --git a/htdocs/contact/document.php b/htdocs/contact/document.php index e21ee3e492b..f8498ddae9a 100644 --- a/htdocs/contact/document.php +++ b/htdocs/contact/document.php @@ -52,7 +52,7 @@ if (!empty($canvas)) // Security check if ($user->socid) $socid = $user->socid; -$result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', 'rowid', $objcanvas); // If we create a contact with no company (shared contacts), no check on write permission +$result = restrictedArea($user, 'contact', $id, 'socpeople&societe', '', '', 'rowid', 0); // If we create a contact with no company (shared contacts), no check on write permission // Get parameters $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; diff --git a/htdocs/contact/list.php b/htdocs/contact/list.php index 1772f94abfb..0f4f01a0916 100644 --- a/htdocs/contact/list.php +++ b/htdocs/contact/list.php 
@@ -44,7 +44,7 @@ $langs->loadLangs(array("companies", "suppliers", "categories")); $socialnetworks = getArrayOfSocialNetworks(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $show_files = GETPOST('show_files', 'int'); $confirm = GETPOST('confirm', 'alpha'); @@ -104,8 +104,8 @@ $type = GETPOST("type", 'aZ'); $view = GETPOST("view", 'alpha'); $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); $userid = GETPOST('userid', 'int'); $begin = GETPOST('begin'); @@ -538,11 +538,7 @@ if ($user->rights->societe->supprimer) $arrayofmassactions['predelete'] = 'selectMassAction('', $arrayofmassactions); -$newcardbutton = ''; -if ($user->rights->societe->contact->creer) -{ - $newcardbutton .= dolGetButtonTitle($langs->trans('NewContactAddress'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/contact/card.php?action=create'); -} +$newcardbutton = dolGetButtonTitle($langs->trans('NewContactAddress'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/contact/card.php?action=create', '', $user->rights->societe->contact->creer); print ''; if ($optioncss != '') print ''; diff --git a/htdocs/contact/perso.php b/htdocs/contact/perso.php index a5a1714b6e5..1710b4dda6a 100644 --- a/htdocs/contact/perso.php +++ b/htdocs/contact/perso.php @@ -32,7 +32,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/contact.lib.php'; $langs->loadLangs(array('companies', 'other')); $id = GETPOST('id', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Security check if ($user->socid) $socid = $user->socid; @@ -188,7 +188,7 @@ if ($action == 'edit') print '
'.$langs->trans("DateToBirth").''; + print '
'.$langs->trans("DateOfBirth").''; $form = new Form($db); print $form->selectDate($object->birthday, 'birthday', 0, 0, 1, "perso", 1, 0); print ''.$langs->trans("DateToBirth").''.dol_print_date($object->birthday, "day"); + print ''.$langs->trans("DateOfBirth").''.dol_print_date($object->birthday, "day"); print '   '; //var_dump($birthdatearray); @@ -288,7 +288,7 @@ if ($action == 'edit') else print $langs->trans("BirthdayAlertOff"); print ''.$langs->trans("DateToBirth").''.$langs->trans("DateOfBirth").'
'; - if ($objp->fk_product) + if ($objp->fk_product > 0) { - $productstatic->id = $objp->fk_product; - $productstatic->type = $objp->ptype; - $productstatic->ref = $objp->pref; - $productstatic->entity = $objp->pentity; - print $productstatic->getNomUrl(1, '', 32); - print $objp->label ? ' - '.dol_trunc($objp->label, 32) : ''; + $canchangeproduct = 1; + if (empty($canchangeproduct)) { + $productstatic->id = $objp->fk_product; + $productstatic->type = $objp->ptype; + $productstatic->ref = $objp->pref; + $productstatic->entity = $objp->pentity; + print $productstatic->getNomUrl(1, '', 32); + print $objp->label ? ' - '.dol_trunc($objp->label, 32) : ''; + print ''; + } else { + $senderissupplier = 0; + if (empty($senderissupplier)) { + print $form->select_produits((!empty($object->lines[$cursorline - 1]->fk_product) ? $object->lines[$cursorline - 1]->fk_product : 0), 'idprod'); + } else { + print $form->select_produits_fournisseurs((!empty($object->lines[$cursorline - 1]->fk_product) ? $object->lines[$cursorline - 1]->fk_product : 0), 'idprod'); + } + } print '
'; } else { print $objp->label ? $objp->label.'
' : ''; + print ''; } // editeur wysiwyg diff --git a/htdocs/contrat/class/api_contracts.class.php b/htdocs/contrat/class/api_contracts.class.php index ffe66208afe..671ac1177f6 100644 --- a/htdocs/contrat/class/api_contracts.class.php +++ b/htdocs/contrat/class/api_contracts.class.php @@ -141,7 +141,7 @@ class Contracts extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -149,28 +149,28 @@ class Contracts extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } dol_syslog("API Rest request"); - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); $i = 0; while ($i < $min) { - $obj = $db->fetch_object($result); - $contrat_static = new Contrat($db); + $obj = $this->db->fetch_object($result); + $contrat_static = new Contrat($this->db); if ($contrat_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($contrat_static); } $i++; } } else { - throw new RestException(503, 'Error when retrieve contrat list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve contrat list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No contract found'); diff --git a/htdocs/contrat/class/contrat.class.php b/htdocs/contrat/class/contrat.class.php index b555917e2f3..f94b19c30b9 100644 --- a/htdocs/contrat/class/contrat.class.php +++ b/htdocs/contrat/class/contrat.class.php 
@@ -510,7 +510,7 @@ class Contrat extends CommonObject if ($num) { - $sql = "UPDATE ".MAIN_DB_PREFIX."contrat SET ref = '".$num."', statut = 1"; + $sql = "UPDATE ".MAIN_DB_PREFIX."contrat SET ref = '".$this->db->escape($num)."', statut = 1"; //$sql.= ", fk_user_valid = ".$user->id.", date_valid = '".$this->db->idate($now)."'"; $sql .= " WHERE rowid = ".$this->id." AND statut = 0"; @@ -1093,7 +1093,7 @@ class Contrat extends CommonObject } $sqlcontact = "SELECT ctc.code, ctc.source, ec.fk_socpeople FROM ".MAIN_DB_PREFIX."element_contact as ec, ".MAIN_DB_PREFIX."c_type_contact as ctc"; - $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$originforcontact."'"; + $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$this->db->escape($originforcontact)."'"; $resqlcontact = $this->db->query($sqlcontact); if ($resqlcontact) @@ -1541,15 +1541,15 @@ class Contrat extends CommonObject $sql .= ($fk_product > 0 ? $fk_product : "null").","; $sql .= " ".$qty.","; $sql .= " ".$txtva.","; - $sql .= " ".($vat_src_code ? "'".$vat_src_code."'" : "null").","; + $sql .= " ".($vat_src_code ? "'".$this->db->escape($vat_src_code)."'" : "null").","; $sql .= " ".$txlocaltax1.","; $sql .= " ".$txlocaltax2.","; - $sql .= " '".$localtax1_type."',"; - $sql .= " '".$localtax2_type."',"; + $sql .= " '".$this->db->escape($localtax1_type)."',"; + $sql .= " '".$this->db->escape($localtax2_type)."',"; $sql .= " ".price2num($remise_percent).","; $sql .= " ".price2num($pu_ht).","; $sql .= " ".price2num($total_ht).",".price2num($total_tva).",".price2num($total_localtax1).",".price2num($total_localtax2).",".price2num($total_ttc).","; - $sql .= " '".$info_bits."',"; + $sql .= " '".$this->db->escape($info_bits)."',"; $sql .= " ".price2num($price).",".price2num($remise).","; if (isset($fk_fournprice)) $sql .= ' '.$fk_fournprice.','; else $sql .= ' null,'; 
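Review bot: This hunk escapes the string columns but still concatenates `$qty`, `$txtva`, `$txlocaltax1` and `$txlocaltax2` raw into the INSERT, while the neighbouring numeric values already go through `price2num()`. Apply the same treatment, e.g. `$sql .= " ".price2num($qty).",";` and `$sql .= " ".price2num($txtva).",";`, so every numeric column in the statement is normalised the same way; the update statement in @@ -1717 already does this for the tax rates.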
@@ -1717,8 +1717,8 @@ class Contrat extends CommonObject $sql .= ",tva_tx='".price2num($tvatx)."'"; $sql .= ",localtax1_tx='".price2num($localtax1tx)."'"; $sql .= ",localtax2_tx='".price2num($localtax2tx)."'"; - $sql .= ",localtax1_type='".$localtax1_type."'"; - $sql .= ",localtax2_type='".$localtax2_type."'"; + $sql .= ",localtax1_type='".$this->db->escape($localtax1_type)."'"; + $sql .= ",localtax2_type='".$this->db->escape($localtax2_type)."'"; $sql .= ", total_ht='".price2num($total_ht)."'"; $sql .= ", total_tva='".price2num($total_tva)."'"; $sql .= ", total_localtax1='".price2num($total_localtax1)."'"; diff --git a/htdocs/contrat/contact.php b/htdocs/contrat/contact.php index 02d9c71776d..38a97d0aaa8 100644 --- a/htdocs/contrat/contact.php +++ b/htdocs/contrat/contact.php @@ -36,7 +36,7 @@ if (!empty($conf->projet->enabled)) { // Load translation files required by the page $langs->loadLangs(array('contracts', 'companies')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $socid = GETPOST('socid', 'int'); $id = GETPOST('id', 'int'); diff --git a/htdocs/contrat/index.php b/htdocs/contrat/index.php index 40a9a4100da..7fe88d03c3d 100644 --- a/htdocs/contrat/index.php +++ b/htdocs/contrat/index.php @@ -37,8 +37,8 @@ $hookmanager->initHooks(array('contractindex')); // Load translation files required by the page $langs->loadLangs(array('products', 'companies', 'contracts')); -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); $statut = GETPOST('statut') ?GETPOST('statut') : 1; diff --git a/htdocs/contrat/list.php b/htdocs/contrat/list.php index e15d6467755..608fc6c0d81 100644 --- a/htdocs/contrat/list.php +++ b/htdocs/contrat/list.php 
@@ -39,7 +39,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/company.lib.php'; // Load translation files required by the page $langs->loadLangs(array('contracts', 'products', 'companies', 'compta')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $show_files = GETPOST('show_files', 'int'); $confirm = GETPOST('confirm', 'alpha'); @@ -369,11 +369,9 @@ if ($user->rights->contrat->supprimer) $arrayofmassactions['predelete'] = 'selectMassAction('', $arrayofmassactions); -$newcardbutton = ''; -if ($user->rights->contrat->creer) -{ - $newcardbutton .= dolGetButtonTitle($langs->trans('NewContractSubscription'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/contrat/card.php?action=create'); -} +$url = DOL_URL_ROOT.'/contrat/card.php?action=create'; +if (!empty($socid)) $url .= '&socid='.$socid; +$newcardbutton = dolGetButtonTitle($langs->trans('NewContractSubscription'), '', 'fa fa-plus-circle', $url, '', $user->rights->contrat->creer); print ''; if ($optioncss != '') print ''; diff --git a/htdocs/contrat/note.php b/htdocs/contrat/note.php index d782ad5b3f5..d9eb8e3ccdc 100644 --- a/htdocs/contrat/note.php +++ b/htdocs/contrat/note.php @@ -34,7 +34,7 @@ if (!empty($conf->projet->enabled)) { // Load translation files required by the page $langs->loadLangs(array('companies', 'contracts')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $socid = GETPOST('socid', 'int'); $id = GETPOST('id', 'int'); diff --git a/htdocs/core/actions_addupdatedelete.inc.php b/htdocs/core/actions_addupdatedelete.inc.php index 09f1c7cf314..4d4c12ce473 100644 --- a/htdocs/core/actions_addupdatedelete.inc.php +++ b/htdocs/core/actions_addupdatedelete.inc.php 
@@ -64,7 +64,7 @@ if ($action == 'add' && !empty($permissiontoadd)) // Set value to insert if (in_array($object->fields[$key]['type'], array('text', 'html'))) { - $value = GETPOST($key, 'none'); + $value = GETPOST($key, 'restricthtml'); } elseif ($object->fields[$key]['type'] == 'date') { $value = dol_mktime(12, 0, 0, GETPOST($key.'month', 'int'), GETPOST($key.'day', 'int'), GETPOST($key.'year', 'int')); } elseif ($object->fields[$key]['type'] == 'datetime') { @@ -72,7 +72,7 @@ if ($action == 'add' && !empty($permissiontoadd)) } elseif ($object->fields[$key]['type'] == 'duration') { $value = 60 * 60 * GETPOST($key.'hour', 'int') + 60 * GETPOST($key.'min', 'int'); } elseif (preg_match('/^(integer|price|real|double)/', $object->fields[$key]['type'])) { - $value = price2num(GETPOST($key, 'none')); // To fix decimal separator according to lang setup + $value = price2num(GETPOST($key, 'alphanohtml')); // To fix decimal separator according to lang setup } elseif ($object->fields[$key]['type'] == 'boolean') { $value = (GETPOST($key) == 'on' ? 1 : 0); } else { @@ -142,7 +142,7 @@ if ($action == 'update' && !empty($permissiontoadd)) // Set value to update if (in_array($object->fields[$key]['type'], array('text', 'html'))) { - $value = GETPOST($key, 'none'); + $value = GETPOST($key, 'restricthtml'); } elseif ($object->fields[$key]['type'] == 'date') { $value = dol_mktime(12, 0, 0, GETPOST($key.'month'), GETPOST($key.'day'), GETPOST($key.'year')); } elseif ($object->fields[$key]['type'] == 'datetime') { 
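Review bot: The update branch in this hunk still builds the date with `GETPOST($key.'month'), GETPOST($key.'day'), GETPOST($key.'year')` without a check type, whereas the add branch at @@ -64 reads the same three values with `'int'`. Align them: `$value = dol_mktime(12, 0, 0, GETPOST($key.'month', 'int'), GETPOST($key.'day', 'int'), GETPOST($key.'year', 'int'));`.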
@@ -154,7 +154,7 @@ if ($action == 'update' && !empty($permissiontoadd)) $value = ''; } } elseif (preg_match('/^(integer|price|real|double)/', $object->fields[$key]['type'])) { - $value = price2num(GETPOST($key, 'none')); // To fix decimal separator according to lang setup + $value = price2num(GETPOST($key, 'alphanohtml')); // To fix decimal separator according to lang setup } elseif ($object->fields[$key]['type'] == 'boolean') { $value = ((GETPOST($key, 'aZ09') == 'on' || GETPOST($key, 'aZ09') == '1') ? 1 : 0); } else { diff --git a/htdocs/core/actions_changeselectedfields.inc.php b/htdocs/core/actions_changeselectedfields.inc.php index 9a03ba0d29e..f4e7f01d234 100644 --- a/htdocs/core/actions_changeselectedfields.inc.php +++ b/htdocs/core/actions_changeselectedfields.inc.php @@ -28,7 +28,7 @@ // $object must be defined (object is loaded in this file with fetch) // Save selection -if (GETPOST('formfilteraction', 'none') == 'listafterchangingselectedfields') +if (GETPOST('formfilteraction', 'alphanohtml') == 'listafterchangingselectedfields') { $tabparam = array(); diff --git a/htdocs/core/actions_comments.inc.php b/htdocs/core/actions_comments.inc.php index c352f07f9f7..079f207b4a4 100644 --- a/htdocs/core/actions_comments.inc.php +++ b/htdocs/core/actions_comments.inc.php @@ -35,7 +35,7 @@ $comment = new Comment($db); if ($action == 'addcomment') { - $description = GETPOST('comment_description', 'none'); + $description = GETPOST('comment_description', 'restricthtml'); if (!empty($description)) { $comment->description = $description; @@ -59,7 +59,7 @@ if ($action === 'updatecomment') { if ($comment->fetch($idcomment) >= 0) { - $comment->description = GETPOST('comment_description', 'none'); + $comment->description = GETPOST('comment_description', 'restricthtml'); if ($comment->update($user) > 0) { setEventMessages($langs->trans("CommentAdded"), null, 'mesgs'); 
diff --git a/htdocs/core/actions_linkedfiles.inc.php b/htdocs/core/actions_linkedfiles.inc.php index 7884fc09e67..3caeeed6678 100644 --- a/htdocs/core/actions_linkedfiles.inc.php +++ b/htdocs/core/actions_linkedfiles.inc.php @@ -63,7 +63,7 @@ if (GETPOST('sendit', 'alpha') && !empty($conf->global->MAIN_UPLOAD_DOC)) } } } -} elseif (GETPOST('linkit', 'none') && !empty($conf->global->MAIN_UPLOAD_DOC)) +} elseif (GETPOST('linkit', 'restricthtml') && !empty($conf->global->MAIN_UPLOAD_DOC)) { $link = GETPOST('link', 'alpha'); if ($link) diff --git a/htdocs/core/actions_massactions.inc.php b/htdocs/core/actions_massactions.inc.php index 612f988305f..98e936a2d7a 100644 --- a/htdocs/core/actions_massactions.inc.php +++ b/htdocs/core/actions_massactions.inc.php @@ -141,7 +141,7 @@ if (!$error && $massaction == 'confirm_presend') $massaction = 'presend'; } - if (!GETPOST('subject', 'none')) + if (!GETPOST('subject', 'restricthtml')) { $error++; setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("MailTopic")), null, 'warnings'); @@ -376,8 +376,8 @@ if (!$error && $massaction == 'confirm_presend') } $replyto = $from; - $subject = GETPOST('subject', 'none'); - $message = GETPOST('message', 'none'); + $subject = GETPOST('subject', 'restricthtml'); + $message = GETPOST('message', 'restricthtml'); $sendtobcc = GETPOST('sendtoccc'); if ($objectclass == 'Propal') $sendtobcc .= (empty($conf->global->MAIN_MAIL_AUTOCOPY_PROPOSAL_TO) ? '' : (($sendtobcc ? ", " : "").$conf->global->MAIN_MAIL_AUTOCOPY_PROPOSAL_TO)); @@ -648,9 +648,9 @@ if ($massaction == 'confirm_createbills') // Create bills from orders $sql .= ", targettype"; $sql .= ") VALUES ("; $sql .= $id_order; - $sql .= ", '".$objecttmp->origin."'"; + $sql .= ", '".$db->escape($objecttmp->origin)."'"; $sql .= ", ".$objecttmp->id; - $sql .= ", '".$objecttmp->element."'"; + $sql .= ", '".$db->escape($objecttmp->element)."'"; $sql .= ")"; if (!$db->query($sql)) 
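Review bot: `linkit` is only tested for truthiness as a submit flag, and the sibling `sendit` on the first line of this hunk uses `'alpha'`; `'restricthtml'` is an HTML-content filter and signals the wrong intent for a button value. Use `GETPOST('linkit', 'alpha')` to match.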
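Review bot: With `origin` and `element` now escaped, the remaining raw interpolations in this INSERT are `$sql .= $id_order;` and `$sql .= ", ".$objecttmp->id;`. Both are identifiers, so `(int)` casts, `$sql .= (int) $id_order;` and `$sql .= ", ".((int) $objecttmp->id);`, make the statement uniformly safe without relying on the caller.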
diff --git a/htdocs/core/actions_sendmails.inc.php b/htdocs/core/actions_sendmails.inc.php index da010380276..5be25002079 100644 --- a/htdocs/core/actions_sendmails.inc.php +++ b/htdocs/core/actions_sendmails.inc.php @@ -300,8 +300,8 @@ if (($action == 'send' || $action == 'relance') && !$_POST['addfile'] && !$_POST } $replyto = dol_string_nospecial($_POST['replytoname'], ' ', array(",")).' <'.$_POST['replytomail'].'>'; - $message = GETPOST('message', 'none'); - $subject = GETPOST('subject', 'none'); + $message = GETPOST('message', 'restricthtml'); + $subject = GETPOST('subject', 'restricthtml'); // Make a change into HTML code to allow to include images from medias directory with an external reabable URL. // diff --git a/htdocs/core/actions_setnotes.inc.php b/htdocs/core/actions_setnotes.inc.php index 7ea3dd5016f..61db9b9fc55 100644 --- a/htdocs/core/actions_setnotes.inc.php +++ b/htdocs/core/actions_setnotes.inc.php @@ -33,7 +33,7 @@ if ($action == 'setnote_public' && !empty($permissionnote) && !GETPOST('cancel', if (empty($action) || !is_object($object) || empty($id)) dol_print_error('', 'Include of actions_setnotes.inc.php was done but required variable was not set before'); if (empty($object->id)) $object->fetch($id); // Fetch may not be already done - $result_update = $object->update_note(dol_html_entity_decode(GETPOST('note_public', 'none'), ENT_QUOTES, 'UTF-8', 1), '_public'); + $result_update = $object->update_note(dol_html_entity_decode(GETPOST('note_public', 'restricthtml'), ENT_QUOTES, 'UTF-8', 1), '_public'); if ($result_update < 0) setEventMessages($object->error, $object->errors, 'errors'); elseif (in_array($object->table_element, array('supplier_proposal', 'propal', 'commande_fournisseur', 'commande', 'facture_fourn', 'facture'))) 
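Review bot: The order of operations here is sanitise-then-decode: `GETPOST('note_public', 'restricthtml')` filters the submitted string, and `dol_html_entity_decode(..., ENT_QUOTES, 'UTF-8', 1)` then turns entities back into characters, so markup that arrived entity-encoded is never seen by the filter. If restricthtml does not itself decode before filtering (not visible here), decode first and sanitise the result, or re-run the sanitiser after decoding. The same pattern is in @@ -63 for `note_private`.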
@@ -63,6 +63,6 @@ if ($action == 'setnote_public' && !empty($permissionnote) && !GETPOST('cancel', // Set public note if (empty($action) || !is_object($object) || empty($id)) dol_print_error('', 'Include of actions_setnotes.inc.php was done but required variable was not set before'); if (empty($object->id)) $object->fetch($id); // Fetch may not be already done - $result = $object->update_note(dol_html_entity_decode(GETPOST('note_private', 'none'), ENT_QUOTES), '_private'); + $result = $object->update_note(dol_html_entity_decode(GETPOST('note_private', 'restricthtml'), ENT_QUOTES), '_private'); if ($result < 0) setEventMessages($object->error, $object->errors, 'errors'); } diff --git a/htdocs/core/ajax/check_notifications.php b/htdocs/core/ajax/check_notifications.php index f8a30e69aa9..098ac586ce1 100644 --- a/htdocs/core/ajax/check_notifications.php +++ b/htdocs/core/ajax/check_notifications.php @@ -101,7 +101,7 @@ $eventfound = array(); //dol_syslog('time='.$time.' $_SESSION[auto_ck_events_not_before]='.$_SESSION['auto_check_events_not_before']); // TODO Try to make a solution with only a javascript timer that is easier. Difficulty is to avoid notification twice when several tabs are opened. -// This need to extend period to be sure to not miss and save in session what we notified to avoid duplicate (save is not done yet). +// This need to extend period to be sure to not miss and save in session what we notified to avoid duplicate. if ($time >= $_SESSION['auto_check_events_not_before'] || GETPOST('forcechecknow', 'int')) { $time_update = (int) $conf->global->MAIN_BROWSER_NOTIFICATION_FREQUENCY; // Always defined diff --git a/htdocs/core/ajax/constantonoff.php b/htdocs/core/ajax/constantonoff.php index 1ed8ca34076..710759e10bb 100644 --- a/htdocs/core/ajax/constantonoff.php +++ b/htdocs/core/ajax/constantonoff.php 
@@ -26,13 +26,15 @@ if (!defined('NOREQUIREHTML')) define('NOREQUIREHTML', '1');
 if (!defined('NOREQUIREAJAX')) define('NOREQUIREAJAX', '1');
 if (!defined('NOREQUIRESOC')) define('NOREQUIRESOC', '1');
 if (!defined('NOREQUIRETRAN')) define('NOREQUIRETRAN', '1');
+if (!defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Token is required even in GET mode
 require '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php';
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09'); // set or del
 $name = GETPOST('name', 'alpha');
+
 /*
 * View
 */
@@ -46,7 +48,7 @@ top_httphead();
 //print ''."\n";
-// Registering the location of boxes
+// Registering the new value of constant
 if (!empty($action) && !empty($name))
 {
 $entity = GETPOST('entity', 'int');
@@ -62,4 +64,6 @@ if (!empty($action) && !empty($name))
 dolibarr_del_const($db, $name, $entity);
 }
 }
+} else {
+ http_response_code(403);
 }
diff --git a/htdocs/core/ajax/contacts.php b/htdocs/core/ajax/contacts.php
index 67e769ab17f..6b476a8f59a 100644
--- a/htdocs/core/ajax/contacts.php
+++ b/htdocs/core/ajax/contacts.php
@@ -1,6 +1,6 @@
- * Copyright (C) 2016 Laurent Destailleur
+ * Copyright (C) 2020 Laurent Destailleur
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -27,11 +27,15 @@ if (!defined('NOREQUIREAJAX')) define('NOREQUIREAJAX', '1');
 require '../../main.inc.php';
-$id = GETPOST('id', 'int');
-$action = GETPOST('action', 'alpha');
+$id = GETPOST('id', 'int'); // id of thirdparty
+$action = GETPOST('action', 'aZ09');
 $htmlname = GETPOST('htmlname', 'alpha');
 $showempty = GETPOST('showempty', 'int');
+// Security check
+$result = restrictedArea($user, 'societe', $id, '&societe', '', 'fk_soc', 'rowid', 0);
+
+
 /*
 * View
 */
diff --git a/htdocs/core/ajax/objectonoff.php b/htdocs/core/ajax/objectonoff.php
index 6c9f97bfbb0..ceb221b4870 100644
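Review bot: The new `} else { http_response_code(403); }` answers a request whose `action` or `name` is empty — a malformed request rather than a forbidden one — so `http_response_code(400)` describes the case more accurately and keeps 403 meaningful for real authorisation failures. The `if (!empty($action) && !empty($name))` this `else` pairs with is in the -48 hunk, and whatever admin check sits inside it is outside the hunk, so I can't confirm from here that a non-admin user is refused before `dolibarr_del_const` (and its set counterpart) runs.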
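Review bot: `$result` from `restrictedArea(...)` is assigned and never read in the hunk; elsewhere in this commit (selectobject.php) the same call is a bare statement, and `restrictedArea($user, 'societe', $id, '&societe', '', 'fk_soc', 'rowid', 0);` would match that. A short comment stating that the helper aborts the request itself on failure — if that is its contract, which this hunk does not show — would tell the next reader why the return value is ignored.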
--- a/htdocs/core/ajax/objectonoff.php
+++ b/htdocs/core/ajax/objectonoff.php
@@ -30,7 +30,7 @@ if (!defined('NOREQUIRETRAN')) define('NOREQUIRETRAN', '1');
 require '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/class/genericobject.class.php';
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $id = GETPOST('id', 'int');
 $value = GETPOST('value', 'int');
 $field = GETPOST('field', 'alpha');
diff --git a/htdocs/core/ajax/pingresult.php b/htdocs/core/ajax/pingresult.php
index e08b2c5efcf..e58895a967f 100644
--- a/htdocs/core/ajax/pingresult.php
+++ b/htdocs/core/ajax/pingresult.php
@@ -30,7 +30,7 @@ if (!defined('NOREQUIRETRAN')) define('NOREQUIRETRAN', '1');
 require '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php';
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $hash_unique_id = GETPOST('hash_unique_id', 'alpha');
 $hash_algo = GETPOST('hash_algo', 'alpha');
diff --git a/htdocs/core/ajax/selectobject.php b/htdocs/core/ajax/selectobject.php
index eed6c21c126..9d9b7bbfc42 100644
--- a/htdocs/core/ajax/selectobject.php
+++ b/htdocs/core/ajax/selectobject.php
@@ -33,7 +33,7 @@ $objectdesc = GETPOST('objectdesc', 'alpha');
 $htmlname = GETPOST('htmlname', 'aZ09');
 $sqlfilter = GETPOST('sqlfilter', 'alpha');
 $outjson = (GETPOST('outjson', 'int') ? GETPOST('outjson', 'int') : 0);
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $id = GETPOST('id', 'int');
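Review bot: `$action` is tightened to `'aZ09'` but `$field = GETPOST('field', 'alpha');` two lines below keeps the looser check, and a parameter named `field` on an on/off endpoint is presumably interpolated into an UPDATE as a column name further down, which this hunk does not show. A column identifier never needs anything outside `[A-Za-z0-9_]`, so `$field = GETPOST('field', 'aZ09');` is the consistent choice; pairing it with an allow-list of fields that may be toggled would be stronger still.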
@@ -75,9 +75,10 @@ if (!is_object($objecttmp))
 }
 // When used from jQuery, the search term is added as GET param "term".
-$searchkey = (($id && GETPOST($id, 'alpha')) ?GETPOST($id, 'alpha') : (($htmlname && GETPOST($htmlname, 'alpha')) ?GETPOST($htmlname, 'alpha') : ''));
+$searchkey = (($id && GETPOST($id, 'alpha')) ? GETPOST($id, 'alpha') : (($htmlname && GETPOST($htmlname, 'alpha')) ? GETPOST($htmlname, 'alpha') : ''));
-// TODO Add a security test to avoid to get content of all tables
+// Add a security test to avoid to get content of all tables
+restrictedArea($user, $objecttmp->element, $id);
 $arrayresult = $form->selectForFormsList($objecttmp, $htmlname, '', 0, $searchkey, '', '', '', 0, 1);
diff --git a/htdocs/core/ajax/selectsearchbox.php b/htdocs/core/ajax/selectsearchbox.php
index 00b66ced374..29aeb9cc7eb 100644
--- a/htdocs/core/ajax/selectsearchbox.php
+++ b/htdocs/core/ajax/selectsearchbox.php
@@ -48,7 +48,7 @@ include_once DOL_DOCUMENT_ROOT.'/core/lib/json.lib.php';
 //global $hookmanager;
 $hookmanager->initHooks(array('searchform'));
-$search_boxvalue = GETPOST('q', 'none');
+$search_boxvalue = GETPOST('q', 'restricthtml');
 $arrayresult = array();
diff --git a/htdocs/core/ajax/vatrates.php b/htdocs/core/ajax/vatrates.php
index b0ab6ed2a7e..0bd16eb6449 100644
--- a/htdocs/core/ajax/vatrates.php
+++ b/htdocs/core/ajax/vatrates.php
@@ -27,7 +27,7 @@ if (!defined('NOREQUIREAJAX')) define('NOREQUIREAJAX', '1');
 require '../../main.inc.php';
 $id = GETPOST('id', 'int');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $htmlname = GETPOST('htmlname', 'alpha');
 $selected = (GETPOST('selected') ?GETPOST('selected') : '-1');
 $productid = (GETPOST('productid', 'int') ?GETPOST('productid', 'int') : 0);
diff --git a/htdocs/core/boxes/box_produits.php b/htdocs/core/boxes/box_produits.php
index 8dffe4adf20..52591fa5292 100644
--- a/htdocs/core/boxes/box_produits.php
+++ b/htdocs/core/boxes/box_produits.php
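Review bot: `restrictedArea($user, $objecttmp->element, $id);` passes as the object id a value this file uses as an input name: `$id` comes from `GETPOST('id', 'int')` in the -33 hunk, and the context line above reads `GETPOST($id, 'alpha')`, i.e. `$id` names the form field, not a row of `$objecttmp`. The check therefore authorises against a meaningless record id; pass `0` (module-level check only) or the real object id if one is available, and say which in the comment. It is also worth confirming that every `$objecttmp->element` value maps to a feature name restrictedArea recognises, since an unknown one may be refused or silently skipped.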
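Review bot: `GETPOST('q', 'restricthtml')` keeps an allow-list of HTML tags in what is a search string with no legitimate markup; `'alphanohtml'` is the tighter check for it, and `restricthtml` is better reserved for fields that are meant to be rendered as HTML. Where `$search_boxvalue` ends up (SQL LIKE, hook arguments, JSON output) is outside the hunk.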
@@ -117,7 +117,7 @@ class box_produits extends ModeleBoxes
 $sqld = "SELECT label";
 $sqld .= " FROM ".MAIN_DB_PREFIX."product_lang";
 $sqld .= " WHERE fk_product=".$objp->rowid;
- $sqld .= " AND lang='".$langs->getDefaultLang()."'";
+ $sqld .= " AND lang='".$this->db->escape($langs->getDefaultLang())."'";
 $sqld .= " LIMIT 1";
 $resultd = $this->db->query($sqld);
diff --git a/htdocs/core/boxes/box_produits_alerte_stock.php b/htdocs/core/boxes/box_produits_alerte_stock.php
index 5b17ef22ddf..6845cb2db5f 100644
--- a/htdocs/core/boxes/box_produits_alerte_stock.php
+++ b/htdocs/core/boxes/box_produits_alerte_stock.php
@@ -130,7 +130,7 @@ class box_produits_alerte_stock extends ModeleBoxes
 $sqld = "SELECT label";
 $sqld .= " FROM ".MAIN_DB_PREFIX."product_lang";
 $sqld .= " WHERE fk_product=".$objp->rowid;
- $sqld .= " AND lang='".$langs->getDefaultLang()."'";
+ $sqld .= " AND lang='".$this->db->escape($langs->getDefaultLang())."'";
 $sqld .= " LIMIT 1";
 $resultd = $this->db->query($sqld);
diff --git a/htdocs/core/boxes/box_task.php b/htdocs/core/boxes/box_task.php
index 9c6020bebdc..c1d728eb667 100644
--- a/htdocs/core/boxes/box_task.php
+++ b/htdocs/core/boxes/box_task.php
@@ -94,7 +94,7 @@ class box_task extends ModeleBoxes
 if (in_array(GETPOST($cookie_name), array('all', 'im_project_contact', 'im_task_contact'))) {
 $filterValue = GETPOST($cookie_name);
 } elseif (!empty($_COOKIE[$cookie_name])) {
- $filterValue = $_COOKIE[$cookie_name];
+ $filterValue = preg_replace('/[^a-z_]/', '', $_COOKIE[$cookie_name]); // Clean cookie from evil data
 }
 if ($filterValue == 'im_task_contact') {
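Review bot: The cookie branch sanitises by stripping characters (`preg_replace('/[^a-z_]/', '', ...)`) while the GETPOST branch two lines above validates against an allow-list, so a cookie value that survives stripping but is not one of the three known filters (a constructed example: `im_task_contactx`) falls through to whatever the later `if`/`elseif` chain does with an unknown value. Validating the cookie the same way is both simpler and stricter: `$cookieValue = preg_replace('/[^a-z_]/', '', $_COOKIE[$cookie_name]);` then `if (in_array($cookieValue, array('all', 'im_project_contact', 'im_task_contact'))) $filterValue = $cookieValue;`. The method containing this code starts and ends outside the hunk.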
@@ -154,10 +154,10 @@ class box_task extends ModeleBoxes $sql .= " JOIN ".MAIN_DB_PREFIX."projet as p ON (pt.fk_projet = p.rowid)"; if ($filterValue === 'im_task_contact') { - $sql .= " JOIN ".MAIN_DB_PREFIX."element_contact as ec ON (ec.element_id = pt.rowid AND ec.fk_socpeople = '".$user->id."' )"; + $sql .= " JOIN ".MAIN_DB_PREFIX."element_contact as ec ON (ec.element_id = pt.rowid AND ec.fk_socpeople = ".((int) $user->id).")"; $sql .= " JOIN ".MAIN_DB_PREFIX."c_type_contact as tc ON (ec.fk_c_type_contact = tc.rowid AND tc.element = 'project_task' AND tc.source = 'internal' )"; } elseif ($filterValue === 'im_project_contact') { - $sql .= " JOIN ".MAIN_DB_PREFIX."element_contact as ec ON (ec.element_id = p.rowid AND ec.fk_socpeople = '".$user->id."' )"; + $sql .= " JOIN ".MAIN_DB_PREFIX."element_contact as ec ON (ec.element_id = p.rowid AND ec.fk_socpeople = ".((int) $user->id).")"; $sql .= " JOIN ".MAIN_DB_PREFIX."c_type_contact as tc ON (ec.fk_c_type_contact = tc.rowid AND tc.element = 'project' AND tc.source = 'internal' )"; } diff --git a/htdocs/core/boxes/modules_boxes.php b/htdocs/core/boxes/modules_boxes.php index e5fa9d8fb0d..51719ec6c15 100644 --- a/htdocs/core/boxes/modules_boxes.php +++ b/htdocs/core/boxes/modules_boxes.php @@ -422,6 +422,7 @@ class ModeleBoxes // Can't be abtract as it is instantiated to build "empty" box { while (($file = readdir($handle)) !== false) { + $reg = array(); if (is_readable($newdir.'/'.$file) && preg_match('/^(.+)\.php/', $file, $reg)) { if (preg_match('/\.back$/', $file)) continue; diff --git a/htdocs/core/class/CMailFile.class.php b/htdocs/core/class/CMailFile.class.php index a90e3a2cf26..10c539a48de 100644 --- a/htdocs/core/class/CMailFile.class.php +++ b/htdocs/core/class/CMailFile.class.php 
@@ -294,6 +294,16 @@ class CMailFile $addr_bcc .= ($addr_bcc ? ', ' : '').$conf->global->MAIN_MAIL_AUTOCOPY_TO; } + $keyforsslseflsigned ='MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED'; + if (!empty($this->sendcontext)) { + $smtpContextKey = strtoupper($this->sendcontext); + $keyForSMTPSendMode = 'MAIN_MAIL_SENDMODE_' . $smtpContextKey; + $smtpContextSendMode = $conf->global->{$keyForSMTPSendMode}; + if (!empty($smtpContextSendMode) && $smtpContextSendMode != 'default') { + $keyforsslseflsigned ='MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_' . $smtpContextKey; + } + } + // We set all data according to choosed sending method. // We also set a value for ->msgid if ($this->sendmode == 'mail') @@ -404,6 +414,7 @@ class CMailFile $smtps->setBCC($this->addr_bcc); $smtps->setErrorsTo($this->errors_to); $smtps->setDeliveryReceipt($this->deliveryreceipt); + if (!empty($conf->global->$keyforsslseflsigned)) $smtps->setOptions(array('ssl' => array('verify_peer' => false, 'verify_peer_name' => false, 'allow_self_signed' => true))); $host = dol_getprefix('email'); $this->msgid = time().'.SMTPs-dolibarr-'.$this->trackid.'@'.$host; 
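Review bot: The constant is named ALLOW_SELF_SIGNED but the stream options set at -404 switch certificate verification off altogether: `'verify_peer' => false, 'verify_peer_name' => false` means no chain check and no hostname check, so `'allow_self_signed' => true` has nothing left to relax. If the intent is only to accept a self-signed server certificate, keep `verify_peer_name` true so the hostname is still checked, and consider `verify_peer => true` with a `cafile` pointing at that certificate instead; at minimum the admin-facing help for this constant should say that it disables TLS authentication of the SMTP server. The Swift variant in the -849 hunk does the same with `'verify_peer' => false` and additionally ends in `;;`. The new variable is spelled `$keyforsslseflsigned` in all three hunks — consistent, so it works, but `$keyforsslselfsigned` is what a reader will search for.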
@@ -642,17 +653,19 @@ class CMailFile $keyforsmtppw = 'MAIN_MAIL_SMTPS_PW'; $keyfortls = 'MAIN_MAIL_EMAIL_TLS'; $keyforstarttls = 'MAIN_MAIL_EMAIL_STARTTLS'; + $keyforsslseflsigned ='MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED'; if (!empty($this->sendcontext)) { $smtpContextKey = strtoupper($this->sendcontext); $keyForSMTPSendMode = 'MAIN_MAIL_SENDMODE_'.$smtpContextKey; $smtpContextSendMode = $conf->global->{$keyForSMTPSendMode}; if (!empty($smtpContextSendMode) && $smtpContextSendMode != 'default') { - $keyforsmtpserver = 'MAIN_MAIL_SMTP_SERVER_'.$smtpContextKey; - $keyforsmtpport = 'MAIN_MAIL_SMTP_PORT_'.$smtpContextKey; - $keyforsmtpid = 'MAIN_MAIL_SMTPS_ID_'.$smtpContextKey; - $keyforsmtppw = 'MAIN_MAIL_SMTPS_PW_'.$smtpContextKey; - $keyfortls = 'MAIN_MAIL_EMAIL_TLS_'.$smtpContextKey; - $keyforstarttls = 'MAIN_MAIL_EMAIL_STARTTLS_'.$smtpContextKey; + $keyforsmtpserver = 'MAIN_MAIL_SMTP_SERVER_' . $smtpContextKey; + $keyforsmtpport = 'MAIN_MAIL_SMTP_PORT_' . $smtpContextKey; + $keyforsmtpid = 'MAIN_MAIL_SMTPS_ID_' . $smtpContextKey; + $keyforsmtppw = 'MAIN_MAIL_SMTPS_PW_' . $smtpContextKey; + $keyfortls = 'MAIN_MAIL_EMAIL_TLS_' . $smtpContextKey; + $keyforstarttls = 'MAIN_MAIL_EMAIL_STARTTLS_' . $smtpContextKey; + $keyforsslseflsigned ='MAIN_MAIL_EMAIL_SMTP_ALLOW_SELF_SIGNED_' . $smtpContextKey; } } @@ -849,6 +862,7 @@ class CMailFile if (!empty($conf->global->$keyforsmtpid)) $this->transport->setUsername($conf->global->$keyforsmtpid); if (!empty($conf->global->$keyforsmtppw)) $this->transport->setPassword($conf->global->$keyforsmtppw); + if (! empty($conf->global->$keyforsslseflsigned)) $this->transport->setStreamOptions(array('ssl' => array('allow_self_signed' => true, 'verify_peer' => false)));; //$smtps->_msgReplyTo = 'reply@web.com'; // Switch content encoding to base64 - avoid the doubledot issue with quoted-printable diff --git a/htdocs/core/class/comment.class.php b/htdocs/core/class/comment.class.php index 91fba374181..a083576aacb 100644 
--- a/htdocs/core/class/comment.class.php
+++ b/htdocs/core/class/comment.class.php
@@ -349,25 +349,25 @@ class Comment extends CommonObject
 $sql .= " c.rowid";
 $sql .= " FROM ".MAIN_DB_PREFIX.$this->table_element." as c";
 $sql .= " WHERE c.fk_element = ".$fk_element;
- $sql .= " AND c.element_type = '".$db->escape($element_type)."'";
+ $sql .= " AND c.element_type = '".$this->db->escape($element_type)."'";
 $sql .= " AND c.entity = ".$conf->entity;
 $sql .= " ORDER BY c.tms DESC";
 dol_syslog(get_class($this).'::'.__METHOD__, LOG_DEBUG);
- $resql = $db->query($sql);
+ $resql = $this->db->query($sql);
 if ($resql)
 {
- $num_rows = $db->num_rows($resql);
+ $num_rows = $this->db->num_rows($resql);
 if ($num_rows > 0)
 {
- while ($obj = $db->fetch_object($resql))
+ while ($obj = $this->db->fetch_object($resql))
 {
 $comment = new self($db);
 $comment->fetch($obj->rowid);
 $this->comments[] = $comment;
 }
 }
- $db->free($resql);
+ $this->db->free($resql);
 } else {
 $this->errors[] = "Error ".$this->db->lasterror();
 return -1;
diff --git a/htdocs/core/class/commondocgenerator.class.php b/htdocs/core/class/commondocgenerator.class.php
index f610e6bb952..54f14c25cab 100644
--- a/htdocs/core/class/commondocgenerator.class.php
+++ b/htdocs/core/class/commondocgenerator.class.php
@@ -397,6 +397,8 @@ abstract class CommonDocGenerator
 $array_key.'_payment_term_code'=>$object->cond_reglement_code,
 $array_key.'_payment_term'=>($outputlangs->transnoentitiesnoconv('PaymentCondition'.$object->cond_reglement_code) != 'PaymentCondition'.$object->cond_reglement_code ? $outputlangs->transnoentitiesnoconv('PaymentCondition'.$object->cond_reglement_code) : ($object->cond_reglement_doc ? $object->cond_reglement_doc : $object->cond_reglement)),
+ $array_key.'_incoterms'=>(method_exists($object, 'display_incoterms') ? $object->display_incoterms() : ''),
+
 $array_key.'_bank_iban'=>$bank_account->iban,
 $array_key.'_bank_bic'=>$bank_account->bic,
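Review bot: `$comment = new self($db);` inside the loop is the one `$db` reference the hunk leaves behind, and with every other use converted to `$this->db` there is no sign of a `global $db` in scope; the method start is outside the hunk, but if `$db` is undefined here each child Comment is built with a null handler and its `fetch()` cannot work. `$comment = new self($this->db);` is the fix. The `" WHERE c.fk_element = ".$fk_element` context line is also still raw concatenation while `$element_type` is escaped; `((int) $fk_element)` matches what the commit does elsewhere.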
@@ -604,7 +606,7 @@ abstract class CommonDocGenerator if ($columns != "") { $columns = substr($columns, 0, strlen($columns) - 2); - $resql = $this->db->query("SELECT $columns FROM ".MAIN_DB_PREFIX."product_fournisseur_price_extrafields AS ex INNER JOIN ".MAIN_DB_PREFIX."product_fournisseur_price AS f ON ex.fk_object = f.rowid WHERE f.ref_fourn = '".$line->ref_supplier."'"); + $resql = $this->db->query("SELECT ".$columns." FROM ".MAIN_DB_PREFIX."product_fournisseur_price_extrafields AS ex INNER JOIN ".MAIN_DB_PREFIX."product_fournisseur_price AS f ON ex.fk_object = f.rowid WHERE f.ref_fourn = '".$this->db->escape($line->ref_supplier)."'"); if ($this->db->num_rows($resql) > 0) { diff --git a/htdocs/core/class/commonincoterm.class.php b/htdocs/core/class/commonincoterm.class.php new file mode 100644 index 00000000000..b2d5491684e --- /dev/null +++ b/htdocs/core/class/commonincoterm.class.php 
@@ -0,0 +1,141 @@ + + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +/** + * \file htdocs/core/class/commonincoterm.class.php + * \ingroup core + * \brief File of the superclass of object classes that support incoterm (customer and supplier) + */ + + +/** + * Superclass for incoterm classes + */ +trait CommonIncoterm +{ + /** + * @var int ID incoterm. + * @see setIncoterms() + */ + public $fk_incoterms; + + /** + * @var string Label of incoterm. Used for tooltip. + * @see SetIncoterms() + */ + public $label_incoterms; + + /** + * @var string Location of incoterm. + * @see display_incoterms() + */ + public $location_incoterms; + + + // phpcs:disable PEAR.NamingConventions.ValidFunctionName.ScopeNotCamelCaps + /** + * Return incoterms informations + * TODO Use a cache for label get + * + * @return string incoterms info + */ + public function display_incoterms() + { + // phpcs:enable + $out = ''; + + $this->label_incoterms = ''; + if (!empty($this->fk_incoterms)) + { + $sql = 'SELECT code FROM '.MAIN_DB_PREFIX.'c_incoterms WHERE rowid = '.(int) $this->fk_incoterms; + $result = $this->db->query($sql); + if ($result) + { + $res = $this->db->fetch_object($result); + $out .= $res->code; + } + } + + $out .= (($out && $this->location_incoterms) ? 
' - ' : '').$this->location_incoterms; + + return $out; + } + + /** + * Return incoterms informations for pdf display + * + * @return string incoterms info + */ + public function getIncotermsForPDF() + { + $sql = 'SELECT code FROM '.MAIN_DB_PREFIX.'c_incoterms WHERE rowid = '.(int) $this->fk_incoterms; + $resql = $this->db->query($sql); + if ($resql) + { + $num = $this->db->num_rows($resql); + if ($num > 0) + { + $res = $this->db->fetch_object($resql); + return 'Incoterm : '.$res->code.' - '.$this->location_incoterms; + } else { + return ''; + } + } else { + $this->errors[] = $this->db->lasterror(); + return false; + } + } + + /** + * Define incoterms values of current object + * + * @param int $id_incoterm Id of incoterm to set or '' to remove + * @param string $location location of incoterm + * @return int <0 if KO, >0 if OK + */ + public function setIncoterms($id_incoterm, $location) + { + if ($this->id && $this->table_element) + { + $sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element; + $sql .= " SET fk_incoterms = ".($id_incoterm > 0 ? $id_incoterm : "null"); + $sql .= ", location_incoterms = ".($id_incoterm > 0 ? "'".$this->db->escape($location)."'" : "null"); + $sql .= " WHERE rowid = ".$this->id; + dol_syslog(get_class($this).'::setIncoterms', LOG_DEBUG); + $resql = $this->db->query($sql); + if ($resql) + { + $this->fk_incoterms = $id_incoterm; + $this->location_incoterms = $location; + + $sql = 'SELECT libelle as label_incotermsFROM '.MAIN_DB_PREFIX.'c_incoterms WHERE rowid = '.(int) $this->fk_incoterms; + $res = $this->db->query($sql); + if ($res) + { + $obj = $this->db->fetch_object($res); + $this->label_incoterms = $obj->label_incoterms; + } + return 1; + } else { + $this->errors[] = $this->db->lasterror(); + return -1; + } + } else { + return -1; + } + } +} diff --git a/htdocs/core/class/commoninvoice.class.php b/htdocs/core/class/commoninvoice.class.php index 9e78d186172..98890744701 100644 --- a/htdocs/core/class/commoninvoice.class.php 
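Review bot: In `setIncoterms()`, `'SELECT libelle as label_incotermsFROM '.MAIN_DB_PREFIX` lacks the space before FROM, so the label lookup is a SQL syntax error; because `if ($res)` merely skips on failure, `$this->label_incoterms` is silently never populated after a successful update. The removed CommonObject version read `'SELECT libelle FROM '` and `$obj->libelle`; the corrected line is `$sql = 'SELECT libelle as label_incoterms FROM '.MAIN_DB_PREFIX.'c_incoterms WHERE rowid = '.(int) $this->fk_incoterms;`. In the same method `" SET fk_incoterms = ".($id_incoterm > 0 ? $id_incoterm : "null")` and `" WHERE rowid = ".$this->id` concatenate uncast values where the other queries in this file use `(int)`. The trait header should also state what the host class must provide (`$this->db`, `$this->id`, `$this->table_element`, `$this->errors`), since a class using it without those gets failing queries rather than a clear error.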
+++ b/htdocs/core/class/commoninvoice.class.php @@ -24,12 +24,15 @@ */ require_once DOL_DOCUMENT_ROOT.'/core/class/commonobject.class.php'; +require_once DOL_DOCUMENT_ROOT.'/core/class/commonincoterm.class.php'; /** * Superclass for invoices classes */ abstract class CommonInvoice extends CommonObject { + use CommonIncoterm; + /** * Standard invoice */ @@ -459,7 +462,7 @@ abstract class CommonInvoice extends CommonObject $type = 'customer_invoice'; if ($this->element == 'invoice_supplier') $type = 'supplier_invoice'; - $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$type."' AND ab.fk_doc = ".$this->id; + $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$this->db->escape($type)."' AND ab.fk_doc = ".$this->id; $resql = $this->db->query($sql); if ($resql) { @@ -541,7 +544,7 @@ abstract class CommonInvoice extends CommonObject $labelStatus = $langs->trans('BillStatusClosedPaidPartially'); $labelStatusShort = $langs->trans('Bill'.$prefix.'StatusClosedPaidPartially'); $statusType = 'status9'; - } elseif ($alreadypaid <= 0) { + } elseif ($alreadypaid == 0) { $labelStatus = $langs->trans('BillStatusNotPaid'); $labelStatusShort = $langs->trans('Bill'.$prefix.'StatusNotPaid'); $statusType = 'status1'; diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php index 55b5628705d..38596f2a265 100644 --- a/htdocs/core/class/commonobject.class.php +++ b/htdocs/core/class/commonobject.class.php @@ -393,24 +393,6 @@ abstract class CommonObject */ public $comments = array(); - /** - * @var int - * @see setIncoterms() - */ - public $fk_incoterms; - - /** - * @var string - * @see SetIncoterms() - */ - public $label_incoterms; - - /** - * @var string - * @see display_incoterms() - */ - public $location_incoterms; - /** * @var string The name */ 
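Review bot: Replacing `$alreadypaid <= 0` with `$alreadypaid == 0` changes which branch a negative `$alreadypaid` reaches: it no longer gets `BillStatusNotPaid` and instead falls through to whichever `else` follows, which is outside the hunk. Whether negative values can occur is not something this hunk shows either way; if they can, the comment should say which status they are meant to get, and if they cannot, a one-line `// $alreadypaid < 0 is not expected here` makes the narrowing intentional rather than accidental.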
@@ -1046,8 +1028,8 @@ abstract class CommonObject
 // Insert into database
 $sql = "UPDATE ".MAIN_DB_PREFIX."element_contact set";
 $sql .= " statut = ".$statut;
- if ($type_contact_id) $sql .= ", fk_c_type_contact = '".$type_contact_id."'";
- if ($fk_socpeople) $sql .= ", fk_socpeople = '".$fk_socpeople."'";
+ if ($type_contact_id) $sql .= ", fk_c_type_contact = ".((int) $type_contact_id);
+ if ($fk_socpeople) $sql .= ", fk_socpeople = ".((int) $fk_socpeople);
 $sql .= " where rowid = ".$rowid;
 $resql = $this->db->query($sql);
 if ($resql)
@@ -1407,9 +1389,9 @@ abstract class CommonObject
 if ($source == 'internal') $sql .= " AND c.entity IN (".getEntity('user').")";
 if ($source == 'external') $sql .= " AND c.entity IN (".getEntity('societe').")";
 $sql .= " AND ec.fk_c_type_contact = tc.rowid";
- $sql .= " AND tc.element = '".$element."'";
- $sql .= " AND tc.source = '".$source."'";
- if ($code) $sql .= " AND tc.code = '".$code."'";
+ $sql .= " AND tc.element = '".$this->db->escape($element)."'";
+ $sql .= " AND tc.source = '".$this->db->escape($source)."'";
+ if ($code) $sql .= " AND tc.code = '".$this->db->escape($code)."'";
 $sql .= " AND tc.active = 1";
 if ($status) $sql .= " AND ec.statut = ".$status;
@@ -3261,16 +3243,16 @@ abstract class CommonObject
 {
 if ($justsource)
 {
- $sql .= "fk_source = ".$sourceid." AND sourcetype = '".$sourcetype."'";
- if ($withtargettype) $sql .= " AND targettype = '".$targettype."'";
+ $sql .= "fk_source = ".$sourceid." AND sourcetype = '".$this->db->escape($sourcetype)."'";
+ if ($withtargettype) $sql .= " AND targettype = '".$this->db->escape($targettype)."'";
 } elseif ($justtarget) {
- $sql .= "fk_target = ".$targetid." AND targettype = '".$targettype."'";
- if ($withsourcetype) $sql .= " AND sourcetype = '".$sourcetype."'";
+ $sql .= "fk_target = ".$targetid." AND targettype = '".$this->db->escape($targettype)."'";
+ if ($withsourcetype) $sql .= " AND sourcetype = '".$this->db->escape($sourcetype)."'";
 }
 } else {
- $sql .= "(fk_source = ".$sourceid." AND sourcetype = '".$sourcetype."')";
- $sql .= " ".$clause." (fk_target = ".$targetid." AND targettype = '".$targettype."')";
+ $sql .= "(fk_source = ".$sourceid." AND sourcetype = '".$this->db->escape($sourcetype)."')";
+ $sql .= " ".$clause." (fk_target = ".$targetid." AND targettype = '".$this->db->escape($targettype)."')";
 }
 $sql .= ' ORDER BY '.$orderby;
@@ -3882,98 +3864,6 @@ abstract class CommonObject } - // phpcs:disable PEAR.NamingConventions.ValidFunctionName.ScopeNotCamelCaps - /** - * Return incoterms informations - * TODO Use a cache for label get - * - * @return string incoterms info - */ - public function display_incoterms() - { - // phpcs:enable - $out = ''; - - $this->label_incoterms = ''; - if (!empty($this->fk_incoterms)) - { - $sql = 'SELECT code FROM '.MAIN_DB_PREFIX.'c_incoterms WHERE rowid = '.(int) $this->fk_incoterms; - $result = $this->db->query($sql); - if ($result) - { - $res = $this->db->fetch_object($result); - $out .= $res->code; - } - } - - $out .= (($out && $this->location_incoterms) ? ' - ' : '').$this->location_incoterms; - - return $out; - } - - /** - * Return incoterms informations for pdf display - * - * @return string incoterms info - */ - public function getIncotermsForPDF() - { - $sql = 'SELECT code FROM '.MAIN_DB_PREFIX.'c_incoterms WHERE rowid = '.(int) $this->fk_incoterms; - $resql = $this->db->query($sql); - if ($resql) - { - $num = $this->db->num_rows($resql); - if ($num > 0) - { - $res = $this->db->fetch_object($resql); - return 'Incoterm : '.$res->code.' - '.$this->location_incoterms; - } else { - return ''; - } - } else { - $this->errors[] = $this->db->lasterror(); - return false; - } - } - - /** - * Define incoterms values of current object - * - * @param int $id_incoterm Id of incoterm to set or '' to remove - * @param string $location location of incoterm - * @return int <0 if KO, >0 if OK - */ - public function setIncoterms($id_incoterm, $location) - { - if ($this->id && $this->table_element) - { - $sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element; - $sql .= " SET fk_incoterms = ".($id_incoterm > 0 ? $id_incoterm : "null"); - $sql .= ", location_incoterms = ".($id_incoterm > 0 ? 
"'".$this->db->escape($location)."'" : "null"); - $sql .= " WHERE rowid = ".$this->id; - dol_syslog(get_class($this).'::setIncoterms', LOG_DEBUG); - $resql = $this->db->query($sql); - if ($resql) - { - $this->fk_incoterms = $id_incoterm; - $this->location_incoterms = $location; - - $sql = 'SELECT libelle FROM '.MAIN_DB_PREFIX.'c_incoterms WHERE rowid = '.(int) $this->fk_incoterms; - $res = $this->db->query($sql); - if ($res) - { - $obj = $this->db->fetch_object($res); - $this->label_incoterms = $obj->libelle; - } - return 1; - } else { - $this->errors[] = $this->db->lasterror(); - return -1; - } - } else return -1; - } - - // -------------------- // TODO: All functions here must be redesigned and moved as they are not business functions but output functions // -------------------- @@ -4951,7 +4841,7 @@ abstract class CommonObject // Request to get translation values for object $sql = "SELECT rowid, property, lang , value"; $sql .= " FROM ".MAIN_DB_PREFIX."object_lang"; - $sql .= " WHERE type_object = '".$element."'"; + $sql .= " WHERE type_object = '".$this->db->escape($element)."'"; $sql .= " AND fk_object = ".$this->id; //dol_syslog(get_class($this)."::fetch_optionals get extrafields data for ".$this->table_element, LOG_DEBUG); // Too verbose @@ -5851,11 +5741,9 @@ abstract class CommonObject } // Set value of $morecss. For this, we use in priority showsize from parameters, then $val['css'] then autodefine - if (empty($morecss) && !empty($val['css'])) - { + if (empty($morecss) && !empty($val['css'])) { $morecss = $val['css']; - } elseif (empty($morecss)) - { + } elseif (empty($morecss)) { if ($type == 'date') { $morecss = 'minwidth100imp'; 
@@ -5902,16 +5790,16 @@ abstract class CommonObject { $tmp = explode(',', $size); $newsize = $tmp[0]; - $out = ''; + $out = ''; } elseif (in_array($type, array('real'))) { - $out = ''; + $out = ''; } elseif (preg_match('/varchar/', $type)) { - $out = ''; + $out = ''; } elseif (in_array($type, array('mail', 'phone', 'url'))) { - $out = ''; + $out = ''; } elseif ($type == 'text') { if (!preg_match('/search_/', $keyprefix)) // If keyprefix is search_ or search_options_, we must just use a simple text field @@ -6800,7 +6688,9 @@ abstract class CommonObject break; case "create": case "edit": - $getposttemp = GETPOST($keyprefix.'options_'.$key.$keysuffix, 'none'); // GETPOST can get value from GET, POST or setup of default values. + $check = 'restricthtml'; + // TODO Use check = 'alphahtml' or 'int' for some types + $getposttemp = GETPOST($keyprefix.'options_'.$key.$keysuffix, $check); // GETPOST can get value from GET, POST or setup of default values. // GETPOST("options_" . $key) can be 'abc' or array(0=>'abc') if (is_array($getposttemp) || $getposttemp != '' || GETPOSTISSET($keyprefix.'options_'.$key.$keysuffix)) { @@ -6875,7 +6765,7 @@ abstract class CommonObject // HTML, select, integer and text add default value if (in_array($extrafields->attributes[$this->table_element]['type'][$key], array('html', 'text', 'select', 'int'))) { - if ($action == 'create') $value = GETPOSTISSET($keyprefix.'options_'.$key.$keysuffix) ? GETPOST($keyprefix.'options_'.$key.$keysuffix, 'none', 3) : $extrafields->attributes[$this->table_element]['default'][$key]; + if ($action == 'create') $value = GETPOSTISSET($keyprefix.'options_'.$key.$keysuffix) ? GETPOST($keyprefix.'options_'.$key.$keysuffix, 'restricthtml', 3) : $extrafields->attributes[$this->table_element]['default'][$key]; else $value = $this->array_options['options_'.$key]; } @@ -6885,7 +6775,7 @@ abstract class CommonObject $out .= '
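Review bot: `$check = 'restricthtml';` applies the HTML allow-list to every extrafield regardless of type, and the `// TODO` beside it acknowledges that; the type is already at hand, since the -6875 hunk below reads `$extrafields->attributes[$this->table_element]['type'][$key]`, assuming the same `$extrafields` is in scope at -6800. Choosing the check from it keeps numeric and date fields free of markup entirely, e.g. `$eftype = $extrafields->attributes[$this->table_element]['type'][$key];` and `$check = in_array($eftype, array('int', 'date')) ? 'alphanohtml' : 'restricthtml';`, extending the list to the other non-HTML types this file handles. The `switch` that `case "create": case "edit":` belongs to starts outside the hunk.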
MAP_CAT_TABLE[$type]) ? $type : $categorystatic->MAP_CAT_TABLE[$type])." (fk_categorie, fk_product)"; $sql .= " SELECT fk_categorie, $toId FROM ".MAIN_DB_PREFIX."categorie_".(empty($categorystatic->MAP_CAT_TABLE[$type]) ? $type : $categorystatic->MAP_CAT_TABLE[$type]); - $sql .= " WHERE fk_product = '".$fromId."'"; + $sql .= " WHERE fk_product = ".((int) $fromId); if (!$this->db->query($sql)) { @@ -8449,7 +8339,7 @@ abstract class CommonObject $sql = "DELETE FROM ".MAIN_DB_PREFIX."ecm_files"; $sql.= " WHERE filename LIKE '".$this->db->escape($this->ref)."%'"; - $sql.= " AND filepath = '".$element."/".$this->db->escape($this->ref)."' AND entity = ".$conf->entity; + $sql.= " AND filepath = '".$this->db->escape($element)."/".$this->db->escape($this->ref)."' AND entity = ".$conf->entity; if (!$this->db->query($sql)) { $this->error = $this->db->lasterror(); diff --git a/htdocs/core/class/commonorder.class.php b/htdocs/core/class/commonorder.class.php index e45d08a9396..83d20e99b95 100644 --- a/htdocs/core/class/commonorder.class.php +++ b/htdocs/core/class/commonorder.class.php @@ -23,13 +23,14 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/commonobject.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/commonobjectline.class.php'; +require_once DOL_DOCUMENT_ROOT.'/core/class/commonincoterm.class.php'; /** * Superclass for orders classes */ abstract class CommonOrder extends CommonObject { - + use CommonIncoterm; } /** diff --git a/htdocs/core/class/commonstickergenerator.class.php b/htdocs/core/class/commonstickergenerator.class.php index 6c832c4788d..c3d6e7de299 100644 --- a/htdocs/core/class/commonstickergenerator.class.php +++ b/htdocs/core/class/commonstickergenerator.class.php 
@@ -127,7 +127,7 @@ abstract class CommonStickerGenerator /** * Output a sticker on page at position _COUNTX, _COUNTY (_COUNTX and _COUNTY start from 0) * - * @param PDF $pdf PDF reference + * @param TCPDF $pdf PDF reference * @param Translate $outputlangs Output langs * @param array $param Associative array containing label content and optional parameters * @return void @@ -139,7 +139,7 @@ abstract class CommonStickerGenerator * Methode qui permet de modifier la taille des caracteres * Cela modiera aussi l'espace entre chaque ligne * - * @param PDF $pdf PDF reference + * @param TCPDF $pdf PDF reference * @param int $pt point * @return void */ @@ -158,7 +158,7 @@ abstract class CommonStickerGenerator /** * protected Print dot line * - * @param PDF $pdf PDF reference + * @param TCPDF $pdf PDF reference * @param int $x1 X1 * @param int $y1 Y1 * @param int $x2 X2 @@ -201,7 +201,7 @@ abstract class CommonStickerGenerator /** * protected Function realisant une croix aux 4 coins des cartes * - * @param PDF $pdf PDF reference + * @param TCPDF $pdf PDF reference * @param int $x1 X1 * @param int $y1 Y1 * @param int $x2 X2 @@ -280,7 +280,7 @@ abstract class CommonStickerGenerator /** * protected Set format * - * @param PDF $pdf PDF reference + * @param TCPDF $pdf PDF reference * @param string $format Format * @return void */ diff --git a/htdocs/core/class/cstate.class.php b/htdocs/core/class/cstate.class.php index 34ef707b674..80c47591fbb 100644 --- a/htdocs/core/class/cstate.class.php +++ b/htdocs/core/class/cstate.class.php @@ -50,7 +50,7 @@ class Cstate // extends CommonObject public $id; public $code_departement; - + public $code; /** * @var string * @deprecated 
@@ -167,8 +167,10 @@ class Cstate // extends CommonObject
 $obj = $this->db->fetch_object($resql);
 $this->id = $obj->rowid;
- $this->code_departement = $obj->code_departement;
- $this->nom = $obj->nom;
+ $this->code_departement = $obj->code_departement; //deprecated
+ $this->code = $obj->code_departement;
+ $this->nom = $obj->nom; //deprecated
+ $this->name = $obj->nom;
 $this->active = $obj->active;
 }
 $this->db->free($resql);
diff --git a/htdocs/core/class/extrafields.class.php b/htdocs/core/class/extrafields.class.php
index ddf811cfc77..678560b622e 100644
--- a/htdocs/core/class/extrafields.class.php
+++ b/htdocs/core/class/extrafields.class.php
@@ -426,7 +426,7 @@ class ExtraFields
 $sql .= " help,";
 $sql .= " totalizable";
 $sql .= " )";
- $sql .= " VALUES('".$attrname."',";
+ $sql .= " VALUES('".$this->db->escape($attrname)."',";
 $sql .= " '".$this->db->escape($label)."',";
 $sql .= " '".$this->db->escape($type)."',";
 $sql .= " ".$pos.",";
@@ -494,8 +494,8 @@ class ExtraFields
 {
 $sql = "SELECT COUNT(rowid) as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX."extrafields";
- $sql .= " WHERE elementtype = '".$elementtype."'";
- $sql .= " AND name = '".$attrname."'";
+ $sql .= " WHERE elementtype = '".$this->db->escape($elementtype)."'";
+ $sql .= " AND name = '".$this->db->escape($attrname)."'";
 //$sql.= " AND entity IN (0,".$conf->entity.")"; Do not test on entity here. We want to see if there is still on field remaning in other entities before deleting field in table
 $resql = $this->db->query($sql);
 if ($resql)
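Review bot: `$this->name = $obj->nom;` writes a property that the companion hunk `@@ -50,7 +50,7 @@` does not declare (it adds only `public $code;`), so unless `$name` is already declared outside this view the assignment creates a dynamic property, which PHP 8.2 deprecates. Suggest adding `public $name;` beside the new `$code` declaration, and moving the `//deprecated` trailing comments into `@deprecated` tags on the `$nom` and `$code_departement` docblocks so static analysis and IDEs pick them up. The enclosing fetch method starts and ends outside the hunk.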
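Review bot: Escaping `$attrname` protects the quoted value, but the unquoted numeric value on the same INSERT, `$sql .= " ".$pos.",";`, is still concatenated raw, and `escape()` cannot protect an unquoted operand; cast it, `$sql .= " ".((int) $pos).",";`. The same pattern applies to `($entity === '' ? $conf->entity : $entity)` in `@@ -724,15 +724,15 @@` and `@@ -761,7 +761,7 @@`, where `((int) ($entity === '' ? $conf->entity : $entity))` keeps the `''` convention and still yields an integer. The enclosing methods start and end outside the hunks.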
@@ -539,9 +539,9 @@ class ExtraFields
 if (isset($attrname) && $attrname != '' && preg_match("/^\w[a-zA-Z0-9-_]*$/", $attrname))
 {
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."extrafields";
- $sql .= " WHERE name = '".$attrname."'";
+ $sql .= " WHERE name = '".$this->db->escape($attrname)."'";
 $sql .= " AND entity IN (0,".$conf->entity.')';
- $sql .= " AND elementtype = '".$elementtype."'";
+ $sql .= " AND elementtype = '".$this->db->escape($elementtype)."'";
 dol_syslog(get_class($this)."::delete_label", LOG_DEBUG);
 $resql = $this->db->query($sql);
@@ -724,15 +724,15 @@ class ExtraFields
 {
 // We dont want on all entities, we delete all and current
 $sql_del = "DELETE FROM ".MAIN_DB_PREFIX."extrafields";
- $sql_del .= " WHERE name = '".$attrname."'";
+ $sql_del .= " WHERE name = '".$this->db->escape($attrname)."'";
 $sql_del .= " AND entity IN (0, ".($entity === '' ? $conf->entity : $entity).")";
- $sql_del .= " AND elementtype = '".$elementtype."'";
+ $sql_del .= " AND elementtype = '".$this->db->escape($elementtype)."'";
 } else {
 // We want on all entities ($entities = '0'), we delete on all only (we keep setup specific to each entity)
 $sql_del = "DELETE FROM ".MAIN_DB_PREFIX."extrafields";
- $sql_del .= " WHERE name = '".$attrname."'";
+ $sql_del .= " WHERE name = '".$this->db->escape($attrname)."'";
 $sql_del .= " AND entity = 0";
- $sql_del .= " AND elementtype = '".$elementtype."'";
+ $sql_del .= " AND elementtype = '".$this->db->escape($elementtype)."'";
 }
 $resql1 = $this->db->query($sql_del);
@@ -761,7 +761,7 @@ class ExtraFields
 $sql .= " enabled,";
 $sql .= " help";
 $sql .= ") VALUES (";
- $sql .= "'".$attrname."',";
+ $sql .= "'".$this->db->escape($attrname)."',";
 $sql .= " ".($entity === '' ? $conf->entity : $entity).",";
 $sql .= " '".$this->db->escape($label)."',";
 $sql .= " '".$this->db->escape($type)."',";
@@ -829,7 +829,7 @@ class ExtraFields $sql = "SELECT rowid,name,label,type,size,elementtype,fieldunique,fieldrequired,param,pos,alwayseditable,perms,langs,list,printable,totalizable,fielddefault,fieldcomputed,entity,enabled,help"; $sql .= " FROM ".MAIN_DB_PREFIX."extrafields"; //$sql.= " WHERE entity IN (0,".$conf->entity.")"; // Filter is done later - if ($elementtype) $sql .= " WHERE elementtype = '".$elementtype."'"; // Filed with object->table_element + if ($elementtype) $sql .= " WHERE elementtype = '".$this->db->escape($elementtype)."'"; // Filed with object->table_element $sql .= " ORDER BY pos"; $resql = $this->db->query($sql); diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index 3350507e543..e00d544ed22 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -1834,18 +1834,7 @@ class Form $userstatic = new User($this->db); $out = ''; - // Method with no ajax - //$out.=''; - if ($action == 'view') - { - $out .= ''; - } else { - $out .= ''; - $out .= ''; - $out .= $this->select_dolusers('', $htmlname, $show_empty, $exclude, $disabled, $include, $enableonly, $force_entity, $maxlength, $showstatus, $morefilter); - $out .= ' '; - $out .= '
'; - } + $assignedtouser = array(); if (!empty($_SESSION['assignedtouser'])) { @@ -1853,7 +1842,7 @@ class Form } $nbassignetouser = count($assignedtouser); - if ($nbassignetouser && $action != 'view') $out .= '
'; + //if ($nbassignetouser && $action != 'view') $out .= '
'; if ($nbassignetouser) $out .= '
    '; $i = 0; $ownerid = 0; foreach ($assignedtouser as $key => $value) @@ -1886,7 +1875,16 @@ class Form } if ($nbassignetouser) $out .= '
'; - //$out.=''; + // Method with no ajax + if ($action != 'view') + { + $out .= ''; + $out .= ''; + $out .= $this->select_dolusers('', $htmlname, $show_empty, $exclude, $disabled, $include, $enableonly, $force_entity, $maxlength, $showstatus, $morefilter); + $out .= ' '; + $out .= '
'; + } + return $out; } @@ -2110,9 +2108,9 @@ class Form $selectFields = " p.rowid, p.ref, p.label, p.description, p.barcode, p.fk_country, p.fk_product_type, p.price, p.price_ttc, p.price_base_type, p.tva_tx, p.duration, p.fk_price_expression"; if (count($warehouseStatusArray)) { - $selectFieldsGrouped = ", sum(".$db->ifsql("e.statut IS NULL", "0", "ps.reel").") as stock"; // e.statut is null if there is no record in stock + $selectFieldsGrouped = ", sum(".$this->db->ifsql("e.statut IS NULL", "0", "ps.reel").") as stock"; // e.statut is null if there is no record in stock } else { - $selectFieldsGrouped = ", ".$db->ifsql("p.stock IS NULL", 0, "p.stock")." AS stock"; + $selectFieldsGrouped = ", ".$this->db->ifsql("p.stock IS NULL", 0, "p.stock")." AS stock"; } $sql = "SELECT "; @@ -2165,7 +2163,7 @@ class Form { $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps on ps.fk_product = p.rowid"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."entrepot as e on ps.fk_entrepot = e.rowid AND e.entity IN (".getEntity('stock').")"; - $sql .= ' AND e.statut IN ('.$this->db->escape(implode(',', $warehouseStatusArray)).')'; // Return line if product is inside the selected stock. If not, an empty line will be returned so we will count 0. + $sql .= ' AND e.statut IN ('.$this->db->sanitize($this->db->escape(implode(',', $warehouseStatusArray))).')'; // Return line if product is inside the selected stock. If not, an empty line will be returned so we will count 0. } // include search in supplier ref @@ -2185,7 +2183,7 @@ class Form // Multilang : we add translation if (!empty($conf->global->MAIN_MULTILANGS)) { - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lang as pl ON pl.fk_product = p.rowid AND pl.lang='".$langs->getDefaultLang()."'"; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lang as pl ON pl.fk_product = p.rowid AND pl.lang='".$this->db->escape($langs->getDefaultLang())."'"; } if (!empty($conf->global->PRODUIT_ATTRIBUTES_HIDECHILD)) { 
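Review bot: `$this->db->sanitize($this->db->escape(implode(',', $warehouseStatusArray)))` composes the two helpers in an order that makes `escape()` a no-op: `sanitize()`, introduced by this commit, strips every character outside `[A-Za-z0-9_.,-]`, including any backslash `escape()` inserted, so the result equals `sanitize()` alone. Since `e.statut` is compared against integers, the clearer and stricter form is `' AND e.statut IN ('.implode(',', array_map('intval', $warehouseStatusArray)).')'`, which needs neither helper and rejects non-numeric entries outright. The enclosing method starts and ends outside the hunk.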
@@ -2228,19 +2226,19 @@ class Form foreach ($scrit as $crit) { if ($i > 0) $sql .= " AND "; - $sql .= "(p.ref LIKE '".$db->escape($prefix.$crit)."%' OR p.label LIKE '".$db->escape($prefix.$crit)."%'"; - if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " OR pl.label LIKE '".$db->escape($prefix.$crit)."%'"; + $sql .= "(p.ref LIKE '".$this->db->escape($prefix.$crit)."%' OR p.label LIKE '".$this->db->escape($prefix.$crit)."%'"; + if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " OR pl.label LIKE '".$this->db->escape($prefix.$crit)."%'"; if (!empty($conf->global->PRODUCT_AJAX_SEARCH_ON_DESCRIPTION)) { - $sql .= " OR p.description LIKE '".$db->escape($prefix.$crit)."%'"; - if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " OR pl.description LIKE '".$db->escape($prefix.$crit)."%'"; + $sql .= " OR p.description LIKE '".$this->db->escape($prefix.$crit)."%'"; + if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " OR pl.description LIKE '".$this->db->escape($prefix.$crit)."%'"; } - if (!empty($conf->global->MAIN_SEARCH_PRODUCT_BY_FOURN_REF)) $sql .= " OR pfp.ref_fourn LIKE '".$db->escape($prefix.$crit)."%'"; + if (!empty($conf->global->MAIN_SEARCH_PRODUCT_BY_FOURN_REF)) $sql .= " OR pfp.ref_fourn LIKE '".$this->db->escape($prefix.$crit)."%'"; $sql .= ")"; $i++; } if (count($scrit) > 1) $sql .= ")"; - if (!empty($conf->barcode->enabled)) $sql .= " OR p.barcode LIKE '".$db->escape($prefix.$filterkey)."%'"; + if (!empty($conf->barcode->enabled)) $sql .= " OR p.barcode LIKE '".$this->db->escape($prefix.$filterkey)."%'"; $sql .= ')'; } if (count($warehouseStatusArray)) @@ -2255,10 +2253,10 @@ class Form //ASC OR DESC order ($conf->global->PRODUCT_SORT_BY_CATEGORY == 1) ? $sql .= "ASC" : $sql .= "DESC"; } else { - $sql .= $db->order("p.ref"); + $sql .= $this->db->order("p.ref"); } - $sql .= $db->plimit($limit, 0); + $sql .= $this->db->plimit($limit, 0); // Build output string dol_syslog(get_class($this)."::select_produits_list search product", LOG_DEBUG); 
@@ -2505,9 +2503,9 @@ class Form { $sql = "SELECT price, price_ttc, price_base_type, tva_tx"; $sql .= " FROM ".MAIN_DB_PREFIX."product_price"; - $sql .= " WHERE fk_product='".$objp->rowid."'"; + $sql .= " WHERE fk_product = ".((int) $objp->rowid); $sql .= " AND entity IN (".getEntity('productprice').")"; - $sql .= " AND price_level=".$price_level; + $sql .= " AND price_level = ".((int) $price_level); $sql .= " ORDER BY date_price DESC, rowid DESC"; // Warning DESC must be both on date_price and rowid. $sql .= " LIMIT 1"; @@ -2772,7 +2770,7 @@ class Form $sql .= ')'; } $sql .= " ORDER BY pfp.ref_fourn DESC, pfp.quantity ASC"; - $sql .= $db->plimit($limit, 0); + $sql .= $this->db->plimit($limit, 0); // Build output string @@ -4040,7 +4038,7 @@ class Form * type can be 'hidden', 'text', 'password', 'checkbox', 'radio', 'date', 'morecss', ... * @param string $selectedchoice '' or 'no', or 'yes' or '1' or '0' * @param int|string $useajax 0=No, 1=Yes, 2=Yes but submit page with &confirm=no if choice is No, 'xxx'=Yes and preoutput confirm box with div id=dialog-confirm-xxx - * @param int $height Force height of box (0 = auto) + * @param int|string $height Force height of box (0 = auto) * @param int $width Force width of box ('999' or '90%'). Ignored and forced to 90% on smartphones. * @param int $disableformtag 1=Disable form tag. Can be used if we are already inside a
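Review bot: The multicurrency query this hunk edits still wraps the entity list in quotes, `" WHERE entity IN ('".getEntity('mutlicurrency')."')"`: `getEntity()` returns a comma-separated list, so `IN ('1,2')` is a single string literal and the condition matches only whatever the database coerces that string to. The key `'mutlicurrency'` also looks misspelled, so the lookup presumably falls through to the default case of `getEntity()`. Suggest `$sql .= " WHERE entity IN (".getEntity('multicurrency').")";`. The enclosing method starts and ends outside the hunk.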
section. * @return string HTML ajax code if a confirm ajax popup is required, Pure HTML code if it's an html form @@ -4060,7 +4058,7 @@ class Form // Set height automatically if not defined if (empty($height)) { - $height = 210; + $height = 220; if (is_array($formquestion) && count($formquestion) > 2) { $height += ((count($formquestion) - 2) * 24); } @@ -4915,10 +4913,10 @@ class Form $sql = 'SELECT code FROM '.MAIN_DB_PREFIX.'multicurrency'; $sql .= " WHERE entity IN ('".getEntity('mutlicurrency')."')"; - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - while ($obj = $db->fetch_object($resql)) $TCurrency[$obj->code] = $obj->code; + while ($obj = $this->db->fetch_object($resql)) $TCurrency[$obj->code] = $obj->code; } $out = ''; @@ -5282,10 +5280,11 @@ class Form * @param string $openinghours Specify hour start and hour end for the select ex 8,20 * @param int $stepminutes Specify step for minutes between 1 and 30 * @param string $labeladddateof Label to use for the $adddateof parameter. + * @param string $placeholder Placeholder * @return string Html for selectDate * @see form_date(), select_month(), select_year(), select_dayofweek() */ - public function selectDate($set_time = '', $prefix = 're', $h = 0, $m = 0, $empty = 0, $form_name = "", $d = 1, $addnowlink = 0, $disabled = 0, $fullday = '', $addplusone = '', $adddateof = '', $openinghours = '', $stepminutes = 1, $labeladddateof = '') + public function selectDate($set_time = '', $prefix = 're', $h = 0, $m = 0, $empty = 0, $form_name = "", $d = 1, $addnowlink = 0, $disabled = 0, $fullday = '', $addplusone = '', $adddateof = '', $openinghours = '', $stepminutes = 1, $labeladddateof = '', $placeholder = '') { global $conf, $langs; @@ -5422,6 +5421,7 @@ class Form $retstring .= '
'; $retstring .= 'trans("FormatDateShortJavaInput").'\'); "'; // FormatDateShortInput for dol_print_date / FormatDateShortJavaInput that is same for javascript $retstring .= '>'; @@ -5784,6 +5784,7 @@ class Form /** * Generic method to select a component from a combo list. + * Can use autocomplete with ajax after x key pressed or a full combo, depending on setup. * This is the generic method that will replace all specific existing methods. * * @param string $objectdesc ObjectClass:PathToClass[:AddCreateButtonOrNot[:Filter]] @@ -6462,11 +6463,12 @@ class Form templateSelection: formatSelection /* For 4.0 */ }); });'."\n"; - } elseif ($addjscombo == 2) + } elseif ($addjscombo == 2 && ! defined('DISABLE_MULTISELECT')) { // Add other js lib // TODO external lib multiselect/jquery.multi-select.js must have been loaded to use this multiselect plugin // ... + $out .= 'console.log(\'addjscombo=2 for htmlname='.$htmlname.'\');'; $out .= '$(document).ready(function () { $(\'#'.$htmlname.'\').multiSelect({ containerHTML: \'
\', @@ -7017,7 +7019,7 @@ class Form // phpcs:enable $sql = "SELECT rowid, label"; $sql .= " FROM ".MAIN_DB_PREFIX."export_model"; - $sql .= " WHERE type = '".$type."'"; + $sql .= " WHERE type = '".$this->db->escape($type)."'"; $sql .= " ORDER BY rowid"; $result = $this->db->query($sql); if ($result) @@ -7159,7 +7161,7 @@ class Form } //if ($conf->browser->layout == 'phone') $ret.='
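Review bot: `$out .= 'console.log(\'addjscombo=2 for htmlname='.$htmlname.'\');';` ships a debugging trace into every page that renders this combo, and `$htmlname` is concatenated into a JavaScript string literal without escaping, so a quote in the name breaks the literal (the existing `$(\'#'.$htmlname.'\')` selector has the same weakness). If the trace is meant to stay, pass the name through `dol_escape_js($htmlname)`; otherwise drop the line before release. The new `! defined('DISABLE_MULTISELECT')` guard deserves a one-line comment saying which caller defines that constant and why. The enclosing method starts and ends outside the hunk.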
'; - $ret .= '
'; + $ret .= '
'; // For thirdparty, contact, user, member, the ref is the id, so we show something else if ($object->element == 'societe') @@ -7461,10 +7463,10 @@ class Form if (!empty($conf->multicompany->enabled) && $conf->entity == 1 && $user->admin && !$user->entity) { $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."entity as e ON e.rowid=ug.entity"; - if ($force_entity) $sql .= " WHERE ug.entity IN (0,".$force_entity.")"; + if ($force_entity) $sql .= " WHERE ug.entity IN (0, ".$force_entity.")"; else $sql .= " WHERE ug.entity IS NOT NULL"; } else { - $sql .= " WHERE ug.entity IN (0,".$conf->entity.")"; + $sql .= " WHERE ug.entity IN (0, ".$conf->entity.")"; } if (is_array($exclude) && $excludeGroups) $sql .= " AND ug.rowid NOT IN ('".$excludeGroups."')"; if (is_array($include) && $includeGroups) $sql .= " AND ug.rowid IN ('".$includeGroups."')"; diff --git a/htdocs/core/class/html.formaccounting.class.php b/htdocs/core/class/html.formaccounting.class.php index 991a8f87006..f48e9b8eb74 100644 --- a/htdocs/core/class/html.formaccounting.class.php +++ b/htdocs/core/class/html.formaccounting.class.php 
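Review bot: The change to `IN (0, ".$force_entity.")"` is cosmetic, while the two lines below it keep a real defect: `" AND ug.rowid NOT IN ('".$excludeGroups."')"` and `" AND ug.rowid IN ('".$includeGroups."')"` quote an id list into one string literal, so a multi-element list never matches as intended, and neither variable is escaped or sanitised. Suggest `" AND ug.rowid NOT IN (".$this->db->sanitize($excludeGroups).")"` (and the same for `$includeGroups`), using the `sanitize()` helper this commit introduces, plus `((int) $force_entity)` and `((int) $conf->entity)` for the entity filters. The enclosing method starts and ends outside the hunk.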
@@ -174,15 +174,15 @@ class FormAccounting extends Form $sql .= " WHERE c.active = 1"; $sql .= " AND c.category_type = 0"; $sql .= " AND c.fk_country = co.rowid"; - if (empty($allcountries)) $sql .= " AND co.code = '".$mysoc->country_code."'"; + if (empty($allcountries)) $sql .= " AND co.code = '".$this->db->escape($mysoc->country_code)."'"; $sql .= " ORDER BY c.label ASC"; } dol_syslog(get_class($this).'::'.__METHOD__, LOG_DEBUG); - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - $num = $db->num_rows($resql); + $num = $this->db->num_rows($resql); if ($num) { $out = ''; if ($showempty) print ''; - $num = $db->num_rows($resql); + $num = $this->db->num_rows($resql); $i = 0; if ($num) { while ($i < $num) { - $obj = $db->fetch_object($resql); + $obj = $this->db->fetch_object($resql); // If we ask to filter on a company and user has no permission to see all companies and project is linked to another company, we hide project. if ($socid > 0 && (empty($obj->fk_soc) || $obj->fk_soc == $socid) && !$user->rights->societe->lire) { @@ -150,7 +150,7 @@ class FormContract } } print ''; - $db->free($resql); + $this->db->free($resql); if (!empty($conf->use_javascript_ajax)) { @@ -161,7 +161,7 @@ class FormContract return $num; } else { - dol_print_error($db); + dol_print_error($this->db); return -1; } } diff --git a/htdocs/core/class/html.formexpensereport.class.php b/htdocs/core/class/html.formexpensereport.class.php new file mode 100644 index 00000000000..e8079b77ed6 --- /dev/null +++ b/htdocs/core/class/html.formexpensereport.class.php 
@@ -0,0 +1,136 @@ + + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * or see https://www.gnu.org/ + */ + +/** + * \file htdocs/core/class/html.formexpensereport.class.php + * \ingroup core + * \brief File of class with all html predefined components + */ + +/** + * Class to manage generation of HTML components for contract module + */ +class FormExpenseReport +{ + /** + * @var DoliDB Database handler. + */ + public $db; + + /** + * @var string Error code (or message) + */ + public $error = ''; + + + /** + * Constructor + * + * @param DoliDB $db Database handler + */ + public function __construct($db) + { + $this->db = $db; + } + + + /** + * Retourne la liste deroulante des differents etats d'une note de frais. 
+ * Les valeurs de la liste sont les id de la table c_expensereport_statuts + * + * @param int $selected preselect status + * @param string $htmlname Name of HTML select + * @param int $useempty 1=Add empty line + * @param int $useshortlabel Use short labels + * @return string HTML select with status + */ + public function selectExpensereportStatus($selected = '', $htmlname = 'fk_statut', $useempty = 1, $useshortlabel = 0) + { + global $langs; + + $tmpep = new ExpenseReport($this->db); + + print ''; + } + + /** + * Return list of types of notes with select value = id + * + * @param int $selected Preselected type + * @param string $htmlname Name of field in form + * @param int $showempty Add an empty field + * @param int $active 1=Active only, 0=Unactive only, -1=All + * @return string Select html + */ + public function selectTypeExpenseReport($selected = '', $htmlname = 'type', $showempty = 0, $active = 1) + { + // phpcs:enable + global $langs, $user; + $langs->load("trips"); + + $out = ''; + + $out .= ''; + $out .= ajax_combobox($htmlname); + + return $out; + } +} diff --git a/htdocs/core/class/html.formfile.class.php b/htdocs/core/class/html.formfile.class.php index e4bab32a544..2e06837563e 100644 --- a/htdocs/core/class/html.formfile.class.php +++ b/htdocs/core/class/html.formfile.class.php @@ -118,7 +118,7 @@ class FormFile $out .= ''; $out .= ''; $out .= ''; - $out .= ''; + $out .= ''; $out .= ''; } @@ -208,7 +208,10 @@ class FormFile $out .= '
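Review bot: `selectExpensereportStatus()` is documented with `@return string HTML select with status`, but the body visible here ends in a `print` and has no `return`, so a caller that concatenates its result gets nothing; either return the string, as `selectTypeExpenseReport()` does, or document `@return void`. The class docblock `Class to manage generation of HTML components for contract module` is copied from the contract form class and should name the expense report module, and `@param int $selected` does not match the `''` default on both methods. The stray `// phpcs:enable` in `selectTypeExpenseReport()` has no matching disable.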
'.$options.''; - $out .= ' '.$langs->trans("SaveUploadedFileWithMask", preg_replace('/__file__/', $langs->transnoentitiesnoconv("OriginFileName"), $savingdocmask), $langs->transnoentitiesnoconv("OriginFileName")); + $out .= ' '; + $out .= ''; + $out .= $langs->trans("SaveUploadedFileWithMask", preg_replace('/__file__/', $langs->transnoentitiesnoconv("OriginFileName"), $savingdocmask), $langs->transnoentitiesnoconv("OriginFileName")); + $out .= ''; $out .= '
'; // If public form, display more information diff --git a/htdocs/core/class/infobox.class.php b/htdocs/core/class/infobox.class.php index 70569f08eb7..26edc402880 100644 --- a/htdocs/core/class/infobox.class.php +++ b/htdocs/core/class/infobox.class.php @@ -125,6 +125,7 @@ class InfoBox if (!in_array($obj->box_id, $excludelist)) { + $regs = array(); if (preg_match('/^([^@]+)@([^@]+)$/i', $obj->file, $regs)) { $boxname = preg_replace('/\.php$/i', '', $regs[1]); @@ -273,12 +274,13 @@ class InfoBox //dol_syslog("aaaaa".count($listarray)); $i++; $ii = sprintf('%02d', $i); + $sql = "INSERT INTO ".MAIN_DB_PREFIX."boxes"; $sql .= "(box_id, position, box_order, fk_user, entity)"; $sql .= " values ("; $sql .= " ".$id.","; $sql .= " ".$zone.","; - $sql .= " '".$colonne.$ii."',"; + $sql .= " '".$db->escape($colonne.$ii)."',"; $sql .= " ".$userid.","; $sql .= " ".$conf->entity; $sql .= ")"; @@ -293,20 +295,17 @@ class InfoBox } } } - if ($error) - { - $error = $db->error(); - $db->rollback(); - return -2; - } else { - $db->commit(); - return 1; - } } else { - $error = $db->lasterror(); - $db->rollback(); - dol_syslog(get_class()."::saveboxorder ".$error); - return -1; + $error++; + } + + if ($error) + { + $db->rollback(); + return -2; + } else { + $db->commit(); + return 1; } } } diff --git a/htdocs/core/class/interfaces.class.php b/htdocs/core/class/interfaces.class.php index b9b5189e81a..c7004eea8b4 100644 --- a/htdocs/core/class/interfaces.class.php +++ b/htdocs/core/class/interfaces.class.php @@ -83,8 +83,7 @@ class Interfaces if (!is_object($user)) // Warning { dol_syslog(get_class($this).'::run_triggers was called with wrong parameters action='.$action.' object='.is_object($object).' user='.is_object($user).' langs='.is_object($langs).' conf='.is_object($conf), LOG_WARNING); - global $db; - $user = new User($db); + $user = new User($this->db); } //dol_syslog(get_class($this)."::run_triggers action=".$action." Launch run_triggers", LOG_DEBUG); 
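Review bot: `$db->escape($colonne.$ii)` fixes the one quoted value, but `$id`, `$zone` and `$userid` on the adjacent lines are still concatenated unquoted, where `escape()` offers no protection; as they feed integer columns, cast them: `$sql .= " ".((int) $id).",";`, and likewise for `$zone`, `$userid` and `$conf->entity`. The enclosing method starts and ends outside the hunk.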
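Review bot: The restructured error path loses its diagnostic: the removed branch logged `$db->lasterror()` through `dol_syslog` and returned `-1`, whereas the new `$error++` branch rolls back and returns `-2` with nothing logged, so a failed INSERT inside the loop and a failed outer query are now indistinguishable and silent. Suggest keeping `dol_syslog(get_class()."::saveboxorder ".$db->lasterror(), LOG_ERR);` in the new `else` branch before `$error++`, and documenting the return codes in the method docblock. The enclosing method starts outside the hunk.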
diff --git a/htdocs/core/class/link.class.php b/htdocs/core/class/link.class.php
index 2599fa69c09..9d70458a198 100644
--- a/htdocs/core/class/link.class.php
+++ b/htdocs/core/class/link.class.php
@@ -98,7 +98,7 @@ class Link extends CommonObject
 $this->db->begin();
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."links (entity, datea, url, label, objecttype, objectid)";
- $sql .= " VALUES ('".$conf->entity."', '".$this->db->idate($this->datea)."'";
+ $sql .= " VALUES (".$conf->entity.", '".$this->db->idate($this->datea)."'";
 $sql .= ", '".$this->db->escape($this->url)."'";
 $sql .= ", '".$this->db->escape($this->label)."'";
 $sql .= ", '".$this->db->escape($this->objecttype)."'";
@@ -175,7 +175,7 @@ class Link extends CommonObject
 $this->db->begin();
 $sql = "UPDATE ".MAIN_DB_PREFIX."links SET ";
- $sql .= "entity = '".$conf->entity."'";
+ $sql .= "entity = ".$conf->entity;
 $sql .= ", datea = '".$this->db->idate(dol_now())."'";
 $sql .= ", url = '".$this->db->escape($this->url)."'";
 $sql .= ", label = '".$this->db->escape($this->label)."'";
@@ -235,7 +235,7 @@ class Link extends CommonObject
 global $conf;
 $sql = "SELECT rowid, entity, datea, url, label, objecttype, objectid FROM ".MAIN_DB_PREFIX."links";
- $sql .= " WHERE objecttype = '".$objecttype."' AND objectid = ".$objectid;
+ $sql .= " WHERE objecttype = '".$this->db->escape($objecttype)."' AND objectid = ".$objectid;
 if ($conf->entity != 0) $sql .= " AND entity = ".$conf->entity;
 if ($sortfield) {
 if (empty($sortorder)) {
@@ -286,7 +286,7 @@ class Link extends CommonObject
 global $conf;
 $sql = "SELECT COUNT(rowid) as nb FROM ".MAIN_DB_PREFIX."links";
- $sql .= " WHERE objecttype = '".$objecttype."' AND objectid = ".$objectid;
+ $sql .= " WHERE objecttype = '".$db->escape($objecttype)."' AND objectid = ".$objectid;
 if ($conf->entity != 0) $sql .= " AND entity = ".$conf->entity;
 $resql = $db->query($sql);
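Review bot: `objectid = ".$objectid` stays unquoted and uncast in `@@ -235,7 +235,7 @@` and `@@ -286,7 +286,7 @@` while `objecttype` now goes through `escape()`; `escape()` cannot protect an unquoted operand, so both should read `" AND objectid = ".((int) $objectid)`. The `@@ -286` hunk also uses `$db->escape()` where the rest of the file uses `$this->db->escape()`; that is only correct if `$db` is a parameter of that method, which the hunk does not show. The enclosing methods start and end outside the hunks.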
diff --git a/htdocs/core/class/menubase.class.php b/htdocs/core/class/menubase.class.php
index 4d949f4f7d8..3c0c6bd9389 100644
--- a/htdocs/core/class/menubase.class.php
+++ b/htdocs/core/class/menubase.class.php
@@ -622,7 +622,7 @@ class Menubase
 $sql = "SELECT m.rowid, m.type, m.module, m.fk_menu, m.fk_mainmenu, m.fk_leftmenu, m.url, m.titre, m.langs, m.perms, m.enabled, m.target, m.mainmenu, m.leftmenu, m.position";
 $sql .= " FROM ".MAIN_DB_PREFIX."menu as m";
 $sql .= " WHERE m.entity IN (0,".$conf->entity.")";
- $sql .= " AND m.menu_handler IN ('".$menu_handler."','all')";
+ $sql .= " AND m.menu_handler IN ('".$this->db->escape($menu_handler)."','all')";
 if ($type_user == 0) $sql .= " AND m.usertype IN (0,2)";
 if ($type_user == 1) $sql .= " AND m.usertype IN (1,2)";
 $sql .= " ORDER BY m.position, m.rowid";
diff --git a/htdocs/core/class/notify.class.php b/htdocs/core/class/notify.class.php
index 130dc09f4f8..82b6c8859bc 100644
--- a/htdocs/core/class/notify.class.php
+++ b/htdocs/core/class/notify.class.php
@@ -171,7 +171,7 @@ class Notify
 if ($notifcode)
 {
 if (is_numeric($notifcode)) $sql .= " AND n.fk_action = ".$notifcode; // Old usage
- else $sql .= " AND a.code = '".$notifcode."'"; // New usage
+ else $sql .= " AND a.code = '".$this->db->escape($notifcode)."'"; // New usage
 }
 $sql .= " AND s.entity IN (".getEntity('societe').")";
 if ($socid > 0) $sql .= " AND s.rowid = ".$socid;
@@ -214,7 +214,7 @@ class Notify
 if ($notifcode)
 {
 if (is_numeric($notifcode)) $sql .= " AND n.fk_action = ".$notifcode; // Old usage
- else $sql .= " AND a.code = '".$notifcode."'"; // New usage
+ else $sql .= " AND a.code = '".$this->db->escape($notifcode)."'"; // New usage
 }
 $sql .= " AND c.entity IN (".getEntity('user').")";
 if ($userid > 0) $sql .= " AND c.rowid = ".$userid;
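Review bot: The `is_numeric($notifcode)` branch still concatenates `$notifcode` unquoted: `is_numeric()` accepts leading whitespace and exponent notation, so the robust form is `$sql .= " AND n.fk_action = ".((int) $notifcode);`, and the same cast belongs on `$socid` in this hunk, `$userid` in `@@ -214,7 +214,7 @@`, and `$object->socid` in `@@ -355,7 +355,7 @@`. The enclosing methods start and end outside the hunks.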
@@ -355,7 +355,7 @@ class Notify
 $sql .= " AND n.fk_soc = s.rowid";
 $sql .= " AND c.statut = 1";
 if (is_numeric($notifcode)) $sql .= " AND n.fk_action = ".$notifcode; // Old usage
- else $sql .= " AND a.code = '".$notifcode."'"; // New usage
+ else $sql .= " AND a.code = '".$this->db->escape($notifcode)."'"; // New usage
 $sql .= " AND s.rowid = ".$object->socid;
 $sql .= "\nUNION\n";
diff --git a/htdocs/core/class/rssparser.class.php b/htdocs/core/class/rssparser.class.php
index 21c5b2ad200..c18bfd1d263 100644
--- a/htdocs/core/class/rssparser.class.php
+++ b/htdocs/core/class/rssparser.class.php
@@ -356,7 +356,9 @@ class RssParser
 if (!empty($rss->channel['title'])) $this->_title = (string) $rss->channel['title'];
 //if (!empty($rss->channel['rss_description'])) $this->_description = (string) $rss->channel['rss_description'];
- $this->_imageurl = $this->getAtomImageUrl($rss->channel);
+ if (!empty($rss->channel)) {
+ $this->_imageurl = $this->getAtomImageUrl($rss->channel);
+ }
 }
 if (!empty($conf->global->EXTERNALRSS_USE_SIMPLEXML)) {
 $tmprss = xml2php($rss);
 $items = $tmprss['entry'];
diff --git a/htdocs/core/class/smtps.class.php b/htdocs/core/class/smtps.class.php
index 87ce3c22e80..3adbf4af4d5 100644
--- a/htdocs/core/class/smtps.class.php
+++ b/htdocs/core/class/smtps.class.php
@@ -228,6 +228,21 @@ class SMTPs
 private $_trackId = '';
 private $_moreInHeader = '';
+ /**
+ * An array of options for stream_context_create()
+ */
+ private $_options = [];
+
+ /**
+ * Set delivery receipt
+ *
+ * @param array $_options An array of options for stream_context_create()
+ * @return void
+ */
+ public function setOptions($_options = [])
+ {
+ $this->_options = $_options;
+ }
 /**
 * Set delivery receipt
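Review bot: The docblock on the new `setOptions()` reads `Set delivery receipt`, copied from the method that follows it, and says nothing about how the value is consumed. Suggest `Set the stream context options used when the SMTP socket is opened` with `@param array $_options Options passed as-is to stream_context_create(); not validated here`, so that callers understand that TLS-related keys they put in the `ssl` section take effect unchecked. The leading underscore on a public parameter name also departs from the rest of the class, where `_` marks private members.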
@@ -373,14 +388,31 @@ class SMTPs
 $this->_setErr(99, $host.' is either offline or is an invalid host name.');
 $_retVal = false;
 } else {
- //See if we can connect to the SMTP server
- if ($this->socket = @fsockopen(
- preg_replace('@tls://@i', '', $this->getHost()), // Host to 'hit', IP or domain
+ if (function_exists('stream_socket_client') && !empty($this->_options)) {
+ $socket_context = stream_context_create($this->_options); // An array of options for stream_context_create()
+ set_error_handler([$this, 'errorHandler']);
+ $this->socket = @stream_socket_client(
+ preg_replace('@tls://@i', '', $this->getHost()) . // Host to 'hit', IP or domain
+ ':' . $this->getPort(), // which Port number to use
+ $this->errno, // actual system level error
+ $this->errstr, // and any text that goes with the error
+ $this->_smtpTimeout, // timeout for reading/writing data over the socket
+ STREAM_CLIENT_CONNECT,
+ $socket_context // Options for connection
+ );
+ } else {
+ $this->socket = @fsockopen(
+ preg_replace('@tls://@i', '', $this->getHost()), // Host to 'hit', IP or domain
 $this->getPort(), // which Port number to use
 $this->errno, // actual system level error
 $this->errstr, // and any text that goes with the error
 $this->_smtpTimeout // timeout for reading/writing data over the socket
- )) {
+ );
+ }
+
+ //See if we can connect to the SMTP server
+ if (is_resource($this->socket))
+ {
 // Fix from PHP SMTP class by 'Chris Ryan'
 // Sometimes the SMTP server takes a little longer to respond
 // so we will give it a longer timeout for the first read
diff --git a/htdocs/core/class/utils.class.php b/htdocs/core/class/utils.class.php
index c1f85d72a75..454ace0ebfa 100644
--- a/htdocs/core/class/utils.class.php
+++ b/htdocs/core/class/utils.class.php
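Review bot: `set_error_handler([$this, 'errorHandler']);` is installed before `stream_socket_client()` but no `restore_error_handler()` appears in the hunk, so unless it is restored further down, outside this view, the handler stays active for the rest of the request and intercepts unrelated warnings; pair it with `restore_error_handler();` immediately after the call. With `@` already suppressing the call, the handler only adds value if `errorHandler()` records `errno`/`errstr`, which the hunk does not show, and `errorHandler` itself is not visible here. The enclosing method starts and ends outside the hunk.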
@@ -208,7 +208,7 @@ class Utils } // Check type parameter - if ($type == 'auto') $type = $db->type; + if ($type == 'auto') $type = $this->db->type; if (!in_array($type, array('postgresql', 'pgsql', 'mysql', 'mysqli', 'mysqlnobin'))) { $langs->load("errors"); diff --git a/htdocs/core/customreports.php b/htdocs/core/customreports.php index 54ca4043a05..7deb98dbfd5 100644 --- a/htdocs/core/customreports.php +++ b/htdocs/core/customreports.php @@ -54,8 +54,8 @@ if (!defined('USE_CUSTOME_REPORT_AS_INCLUDE')) // Load variable for pagination $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; - $sortfield = GETPOST('sortfield', 'alpha'); - $sortorder = GETPOST('sortorder', 'alpha'); + $sortfield = GETPOST('sortfield', 'aZ09comma'); + $sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action $offset = $limit * $page; @@ -318,7 +318,7 @@ $startyear = $endyear - 2; $param = ''; print ''; -print ''; +print ''; print ''; print ''; diff --git a/htdocs/core/data/cloud_metadata_for_ssrf_test.txt b/htdocs/core/data/cloud_metadata_for_ssrf_test.txt new file mode 100644 index 00000000000..4d98b656b3c --- /dev/null +++ b/htdocs/core/data/cloud_metadata_for_ssrf_test.txt 
@@ -0,0 +1,23 @@
+## This file is a list of predefined URLs to block when trying to access them from the application,
+## for example when using the grab website feature of module website
+## Allowing grabbing local url allow to get metadata.
+
+10.0.0.0/8
+0.0.0.0/8
+100.64.0.0/10
+127.0.0.0/8
+169.254.0.0/16
+172.16.0.0/12
+192.0.0.0/29
+192.0.2.0/24
+192.88.99.0/24
+192.168.0.0/16
+198.18.0.0/15
+198.51.100.0/24
+203.0.113.0/24
+224.0.0.0/4
+240.0.0.0/4
+metadata.google.internal
+100.100.100.200 (Alibaba Metadata)
+[::]
+[::1]
diff --git a/htdocs/core/db/Database.interface.php b/htdocs/core/db/Database.interface.php
index 3ba3b322e68..898421978db 100644
--- a/htdocs/core/db/Database.interface.php
+++ b/htdocs/core/db/Database.interface.php
@@ -177,6 +177,14 @@ interface Database
 */
 public function escape($stringtoencode);
+ /**
+ * Sanitize a string for SQL forging
+ *
+ * @param string $stringtosanitize String to escape
+ * @return string String escaped
+ */
+ public function sanitize($stringtosanitize);
+
 // phpcs:disable PEAR.NamingConventions.ValidFunctionName.ScopeNotCamelCaps
 /**
 * Get last ID after an insert INSERT
diff --git a/htdocs/core/db/DoliDB.class.php b/htdocs/core/db/DoliDB.class.php
index 2ed52b2f01c..cb290a49c07 100644
--- a/htdocs/core/db/DoliDB.class.php
+++ b/htdocs/core/db/DoliDB.class.php
@@ -103,6 +103,17 @@ abstract class DoliDB implements Database
 return $this->lasterrno;
 }
+ /**
+ * Sanitize a string for SQL forging
+ *
+ * @param string $stringtosanitize String to escape
+ * @return string String escaped
+ */
+ public function sanitize($stringtosanitize)
+ {
+ return preg_replace('/[^a-z0-9_\-\.,]/i', '', $stringtosanitize);
+ }
+
 /**
 * Start transaction
 *
diff --git a/htdocs/core/db/mysqli.class.php b/htdocs/core/db/mysqli.class.php
index ed7b2e5947d..e3687f7f405 100644
--- a/htdocs/core/db/mysqli.class.php
+++ b/htdocs/core/db/mysqli.class.php
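Review bot: `100.100.100.200 (Alibaba Metadata)` carries an inline comment on the same line as the address, unlike every other entry, so a line-based reader that does not strip trailing text will never match that host; move the note to a `##` line above it. The list covers the IPv4 reserved ranges plus `[::]`/`[::1]` but not the IPv6 unique-local (`fc00::/7`), link-local (`fe80::/10`) or IPv4-mapped (`::ffff:0:0/96`) forms that reach the same endpoints, and a hostname that resolves into a listed range is only blocked if the consumer resolves before matching. A header line stating the accepted entry syntax (CIDR, bare IP, hostname) would make that contract explicit for whoever implements the check.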
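Review bot: The docblock of the new `sanitize()` is copied from `escape()` (`String to escape` / `String escaped`) and hides what the method actually does: it removes every character outside `[A-Za-z0-9_.,-]` and returns the remainder, which makes it an allow-list for unquoted fragments such as `IN (...)` lists or identifiers, not a substitute for `escape()` inside a quoted literal. Suggest `@param string $stringtosanitize String to reduce to [A-Za-z0-9_.,-]` and `@return string Input with every other character removed; for unquoted SQL fragments only`, mirrored on the interface declaration in `@@ -177,6 +177,14 @@` of `Database.interface.php`.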
@@ -693,7 +693,7 @@ class DoliDBMysqli extends DoliDB if ((preg_match("/null/i", $field_desc['default'])) || (preg_match("/CURRENT_TIMESTAMP/i", $field_desc['default']))) { $sqlfields[$i] .= " default ".$field_desc['default']; } else { - $sqlfields[$i] .= " default '".$field_desc['default']."'"; + $sqlfields[$i] .= " default '".$this->escape($field_desc['default'])."'"; } } if (preg_match("/^[^\s]/i", $field_desc['null'])) { @@ -711,7 +711,7 @@ class DoliDBMysqli extends DoliDB $i = 0; foreach ($unique_keys as $key => $value) { - $sqluq[$i] = "UNIQUE KEY '".$key."' ('".$value."')"; + $sqluq[$i] = "UNIQUE KEY '".$key."' ('".$this->escape($value)."')"; $i++; } } @@ -809,7 +809,7 @@ class DoliDBMysqli extends DoliDB { if (preg_match("/null/i", $field_desc['default'])) $sql .= " default ".$field_desc['default']; - else $sql .= " default '".$field_desc['default']."'"; + else $sql .= " default '".$this->escape($field_desc['default'])."'"; } if (isset($field_desc['extra']) && preg_match("/^[^\s]/i", $field_desc['extra'])) { diff --git a/htdocs/core/db/pgsql.class.php b/htdocs/core/db/pgsql.class.php index 3f33016d7e5..3c49bcf6f4b 100644 --- a/htdocs/core/db/pgsql.class.php +++ b/htdocs/core/db/pgsql.class.php @@ -904,7 +904,7 @@ class DoliDBPgsql extends DoliDB $listtables = array(); $like = ''; - if ($table) $like = " AND table_name LIKE '".$table."'"; + if ($table) $like = " AND table_name LIKE '".$this->escape($table)."'"; $result = pg_query($this->db, "SELECT table_name FROM information_schema.tables WHERE table_schema = 'public'".$like." ORDER BY table_name"); if ($result) { @@ -942,7 +942,7 @@ class DoliDBPgsql extends DoliDB $sql .= " '' as \"Privileges\""; $sql .= " FROM information_schema.columns infcol"; $sql .= " WHERE table_schema='public' "; - $sql .= " AND table_name='".$table."'"; + $sql .= " AND table_name='".$this->escape($table)."'"; $sql .= " ORDER BY ordinal_position;"; dol_syslog($sql, LOG_DEBUG); 
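Review bot: In the `UNIQUE KEY` hunk (`@@ -711`) only `$value` is escaped while `$key`, concatenated into the same quoted position, is not; the same pattern is repeated in pgsql.class.php (`@@ -1008`) and sqlite3.class.php (`@@ -937`). Change it to `$sqluq[$i] = "UNIQUE KEY '".$this->escape($key)."' ('".$this->escape($value)."')";` in all three, or, since both parts are identifiers, pass them through the `sanitize()` whitelist this commit adds to DoliDB. In the pgsql `table_name LIKE '".$this->escape($table)."'` hunk (`@@ -904`), note that `escape()` leaves the LIKE wildcards `%` and `_` untouched, so `$table` behaves as a pattern there; a comment saying that is intended, or a switch to `=`, would settle it.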
@@ -992,7 +992,7 @@ class DoliDBPgsql extends DoliDB { if (preg_match("/null/i", $field_desc['default'])) $sqlfields[$i] .= " default ".$field_desc['default']; - else $sqlfields[$i] .= " default '".$field_desc['default']."'"; + else $sqlfields[$i] .= " default '".$this->escape($field_desc['default'])."'"; } elseif (preg_match("/^[^\s]/i", $field_desc['null'])) $sqlfields[$i] .= " ".$field_desc['null']; @@ -1008,7 +1008,7 @@ class DoliDBPgsql extends DoliDB $i = 0; foreach ($unique_keys as $key => $value) { - $sqluq[$i] = "UNIQUE KEY '".$key."' ('".$value."')"; + $sqluq[$i] = "UNIQUE KEY '".$key."' ('".$this->escape($value)."')"; $i++; } } @@ -1090,9 +1090,9 @@ class DoliDBPgsql extends DoliDB public function DDLDescTable($table, $field = "") { // phpcs:enable - $sql = "SELECT attname FROM pg_attribute, pg_type WHERE typname = '".$table."' AND attrelid = typrelid"; + $sql = "SELECT attname FROM pg_attribute, pg_type WHERE typname = '".$this->escape($table)."' AND attrelid = typrelid"; $sql .= " AND attname NOT IN ('cmin', 'cmax', 'ctid', 'oid', 'tableoid', 'xmin', 'xmax')"; - if ($field) $sql .= " AND attname = '".$field."'"; + if ($field) $sql .= " AND attname = '".$this->escape($field)."'"; dol_syslog($sql, LOG_DEBUG); $this->_results = $this->query($sql); @@ -1130,7 +1130,7 @@ class DoliDBPgsql extends DoliDB if (preg_match("/null/i", $field_desc['default'])) { $sql .= " default ".$field_desc['default']; } else { - $sql .= " default '".$field_desc['default']."'"; + $sql .= " default '".$this->escape($field_desc['default'])."'"; } } if (preg_match("/^[^\s]/i", $field_desc['extra'])) { diff --git a/htdocs/core/db/sqlite3.class.php b/htdocs/core/db/sqlite3.class.php index a1a4e10ec7e..c34b9dddac0 100644 --- a/htdocs/core/db/sqlite3.class.php +++ b/htdocs/core/db/sqlite3.class.php 
@@ -420,7 +420,7 @@ class DoliDBSqlite3 extends DoliDB $constraintname = trim($reg[2]); $tablename = trim($reg[1]); - $descTable = $this->db->querySingle("SELECT sql FROM sqlite_master WHERE name='".$tablename."'"); + $descTable = $this->db->querySingle("SELECT sql FROM sqlite_master WHERE name='".$this->escape($tablename)."'"); // 1- Renommer la table avec un nom temporaire $this->query('ALTER TABLE '.$tablename.' RENAME TO tmp_'.$tablename); @@ -921,7 +921,7 @@ class DoliDBSqlite3 extends DoliDB { if (preg_match("/null/i", $field_desc['default'])) $sqlfields[$i] .= " default ".$field_desc['default']; - else $sqlfields[$i] .= " default '".$field_desc['default']."'"; + else $sqlfields[$i] .= " default '".$this->escape($field_desc['default'])."'"; } elseif (preg_match("/^[^\s]/i", $field_desc['null'])) $sqlfields[$i] .= " ".$field_desc['null']; @@ -937,7 +937,7 @@ class DoliDBSqlite3 extends DoliDB $i = 0; foreach ($unique_keys as $key => $value) { - $sqluq[$i] = "UNIQUE KEY '".$key."' ('".$value."')"; + $sqluq[$i] = "UNIQUE KEY '".$key."' ('".$this->escape($value)."')"; $i++; } } @@ -1030,7 +1030,7 @@ class DoliDBSqlite3 extends DoliDB { if (preg_match("/null/i", $field_desc['default'])) $sql .= " default ".$field_desc['default']; - else $sql .= " default '".$field_desc['default']."'"; + else $sql .= " default '".$this->escape($field_desc['default'])."'"; } if (preg_match("/^[^\s]/i", $field_desc['extra'])) $sql .= " ".$field_desc['extra']; diff --git a/htdocs/core/extrafieldsinexport.inc.php b/htdocs/core/extrafieldsinexport.inc.php index db926a2b6bc..ae6fdf8bf70 100644 --- a/htdocs/core/extrafieldsinexport.inc.php +++ b/htdocs/core/extrafieldsinexport.inc.php 
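Review bot: `$tablename` is now escaped in the `sqlite_master` lookup, but two lines below the same variable is concatenated unquoted into `'ALTER TABLE '.$tablename.' RENAME TO tmp_'.$tablename`, where `escape()` cannot help because the value is an identifier, not a string literal. Since `$tablename` comes from `trim($reg[1])` of a regex match above the hunk (its origin is outside this view), running it through the `sanitize()` whitelist added to DoliDB in this commit before both uses, `$tablename = $this->sanitize(trim($reg[1]));`, covers the DDL statement as well. The enclosing function starts and ends outside the hunk.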
@@ -8,7 +8,8 @@ if (empty($keyforselect) || empty($keyforelement) || empty($keyforaliasextra)) } // Add extra fields -$sql = "SELECT name, label, type, param, fieldcomputed, fielddefault FROM ".MAIN_DB_PREFIX."extrafields WHERE elementtype = '".$keyforselect."' AND type != 'separate' AND entity IN (0, ".$conf->entity.') ORDER BY pos ASC'; +$sql = "SELECT name, label, type, param, fieldcomputed, fielddefault FROM ".MAIN_DB_PREFIX."extrafields"; +$sql .= " WHERE elementtype = '".$this->db->escape($keyforselect)."' AND type != 'separate' AND entity IN (0, ".$conf->entity.') ORDER BY pos ASC'; //print $sql; $resql = $this->db->query($sql); if ($resql) // This can fail when class is used on old database (during migration for example) diff --git a/htdocs/core/filemanagerdol/browser/default/browser.php b/htdocs/core/filemanagerdol/browser/default/browser.php index d1d5d434b5b..8f7ff82ecff 100644 --- a/htdocs/core/filemanagerdol/browser/default/browser.php +++ b/htdocs/core/filemanagerdol/browser/default/browser.php @@ -95,6 +95,10 @@ var sServerPath = GetUrlParam( 'ServerPath' ); if ( sServerPath.length > 0 ) oConnector.ConnectorUrl += 'ServerPath=' + encodeURIComponent( sServerPath ) + '&' ; +/* @CHANGE LDR Overwrite value coming from parameters for security purpose */ +oConnector.ConnectorUrl = ''; +console.log('ConnectorUrl='+oConnector.ConnectorUrl); + oConnector.ResourceType = GetUrlParam( 'Type' ); oConnector.ShowAllTypes = ( oConnector.ResourceType.length == 0 ); diff --git a/htdocs/core/filemanagerdol/connectors/php/basexml.php b/htdocs/core/filemanagerdol/connectors/php/basexml.php index 80973006886..648ab675cfa 100644 --- a/htdocs/core/filemanagerdol/connectors/php/basexml.php +++ b/htdocs/core/filemanagerdol/connectors/php/basexml.php 
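Review bot: `$conf->entity` is still concatenated raw into `entity IN (0, ".$conf->entity.')` on the new `$sql .=` line, while the `getEntity()` hunk of this same commit in functions.lib.php casts it with `((int) $conf->entity)`. For consistency with that hunk write `entity IN (0, ".((int) $conf->entity).")`; the same applies to the `addDocumentModel` and `delDocumentModel` hunks of admin.lib.php (`@@ -1630`, `@@ -1663`), which now escape `$type` but leave `$conf->entity` uncast.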
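Review bot: In the browser.php hunk, overwriting `oConnector.ConnectorUrl = ''` leaves the `ServerPath` handling just above it as dead code that still reads the URL parameter, and `console.log('ConnectorUrl='+oConnector.ConnectorUrl);` is debug output shipped to every user. Removing the `sServerPath` block and the `console.log`, and replacing the `/* @CHANGE LDR ... */` marker with a comment that states the rule (e.g. `// ConnectorUrl is never taken from the request; the connector path is decided server side`), leaves less for a later edit to reintroduce. Whether the connector is still reachable with an empty `ConnectorUrl` is decided outside this hunk and is worth confirming.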
@@ -84,8 +84,8 @@ function CreateXmlFooter() /** * SendError * - * @param integer $number Number - * @param unknown_type $text Text + * @param integer $number Number + * @param string $text Text * @return void */ function SendError($number, $text) diff --git a/htdocs/core/js/lib_head.js.php b/htdocs/core/js/lib_head.js.php index 9de5ceba476..b71dfc3eeb2 100644 --- a/htdocs/core/js/lib_head.js.php +++ b/htdocs/core/js/lib_head.js.php @@ -516,7 +516,8 @@ function hideMessage(fieldId,message) { /* - * Used by button to set on/off + * Used by button to set on/off. + * Call url then make complementary action (like show/hide, enable/disable or set another option). * * @param string url Url * @param string code Code @@ -525,12 +526,14 @@ function hideMessage(fieldId,message) { * @param int strict Strict * @param int forcereload Force reload * @param int userid User id + * @param string token Token */ -function setConstant(url, code, input, entity, strict, forcereload, userid) { - $.get( url, { +function setConstant(url, code, input, entity, strict, forcereload, userid, token) { + $.post( url, { action: "set", name: code, - entity: entity + entity: entity, + token: token }, function() { console.log("url request success forcereload="+forcereload); @@ -582,11 +585,12 @@ function setConstant(url, code, input, entity, strict, forcereload, userid) { if (forcereload) { location.reload(); } - }); + }).fail(function(error) { location.reload(); }); /* When it fails, we always force reload to have setEventErrorMEssage in session visible */ } /* * Used by button to set on/off + * Call url then make complementary action (like show/hide, enable/disable or set another option). * * @param string url Url * @param string code Code 
@@ -595,12 +599,14 @@ function setConstant(url, code, input, entity, strict, forcereload, userid) { * @param int strict Strict * @param int forcereload Force reload * @param int userid User id + * @param string token Token */ -function delConstant(url, code, input, entity, strict, forcereload, userid) { - $.get( url, { +function delConstant(url, code, input, entity, strict, forcereload, userid, token) { + $.post( url, { action: "del", name: code, - entity: entity + entity: entity, + token: token }, function() { console.log("url request success forcereload="+forcereload); @@ -648,7 +654,7 @@ function delConstant(url, code, input, entity, strict, forcereload, userid) { if (forcereload) { location.reload(); } - }); + }).fail(function(error) { location.reload(); }); /* When it fails, we always force reload to have setEventErrorMEssage in session visible */ } /* @@ -664,8 +670,9 @@ function delConstant(url, code, input, entity, strict, forcereload, userid) { * @param int noButton noButton * @param int strict Strict * @param int userid User id + * @param string token Token */ -function confirmConstantAction(action, url, code, input, box, entity, yesButton, noButton, strict, userid) { +function confirmConstantAction(action, url, code, input, box, entity, yesButton, noButton, strict, userid, token) { var boxConfirm = box; $("#confirm_" + code) .attr("title", boxConfirm.title) @@ -681,9 +688,9 @@ function confirmConstantAction(action, url, code, input, box, entity, yesButton, text : yesButton, click : function() { if (action == "set") { - setConstant(url, code, input, entity, strict, 0, userid); + setConstant(url, code, input, entity, strict, 0, userid, token); } else if (action == "del") { - delConstant(url, code, input, entity, strict, 0, userid); + delConstant(url, code, input, entity, strict, 0, userid, token); } // Close dialog $(this).dialog("close"); 
@@ -1123,4 +1130,15 @@ $(document).ready(function() { }); +// Force to hide menus when page is inside an iFrame +$(document).ready(function() { + if (window.location !== window.parent.location ) { + console.log("Page is detected to be into an iframe, we hide by CSS the menus"); + // The page is in an iframe + jQuery(".side-nav-vert, .side-nav").hide(); + jQuery(".id-container").css('width', '100%'); + + } +}); + // End of lib_head.js.php diff --git a/htdocs/core/js/lib_notification.js.php b/htdocs/core/js/lib_notification.js.php index 50d3f7f3268..277bd5b4904 100644 --- a/htdocs/core/js/lib_notification.js.php +++ b/htdocs/core/js/lib_notification.js.php @@ -39,7 +39,7 @@ if (!($_SERVER['HTTP_REFERER'] === $dolibarr_main_url_root.'/' || $_SERVER['HTTP print 'var login = \''.$_SESSION['dol_login'].'\';'."\n"; print 'var nowtime = Date.now();'; print 'var time_auto_update = '.$conf->global->MAIN_BROWSER_NOTIFICATION_FREQUENCY.';'."\n"; // Always defined - print 'var time_js_next_test = (nowtime + time_auto_update);'."\n"; + print 'var time_js_next_test;'."\n"; ?> /* Check if permission ok */ 
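Review bot: Hiding `.side-nav-vert, .side-nav` via CSS when `window.location !== window.parent.location` only changes the layout inside a frame; it is not a protection against the page being framed, which needs an `X-Frame-Options` header or a CSP `frame-ancestors` directive from the server, neither of which is part of this diff, so worth checking they exist. The condition compares two `Location` objects by reference, which works (`parent === window` at top level) but reads more clearly as `if (window.self !== window.top)`. The `console.log` line and the extra `$(document).ready` wrapper, which could join the handler directly above, are style points to settle before merge.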
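Review bot: In the lib_notification.js.php hunk, `$_SESSION['dol_login']` and `$conf->global->MAIN_BROWSER_NOTIFICATION_FREQUENCY` are printed straight into JavaScript source on the context lines above the changed one; a login containing a quote or backslash breaks out of the string literal. Write them as `print 'var login = \''.dol_escape_js($_SESSION['dol_login']).'\';'."\n";` and `print 'var time_auto_update = '.((int) $conf->global->MAIN_BROWSER_NOTIFICATION_FREQUENCY).';'."\n";` — `dol_escape_js()` is the helper this same commit uses in ajax.lib.php.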
@@ -50,27 +50,31 @@ if (!($_SERVER['HTTP_REFERER'] === $dolibarr_main_url_root.'/' || $_SERVER['HTTP /* Launch timer */ // We set a delay before launching first test so next check will arrive after the time_auto_update compared to previous one. - var time_first_execution = (time_auto_update - (nowtime - time_js_next_test)) * 1000; //need milliseconds + //var time_first_execution = (time_auto_update + (time_js_next_test - nowtime)) * 1000; //need milliseconds + var time_first_execution = global->MAIN_BROWSER_NOTIFICATION_CHECK_FIRST_EXECUTION); ?>; if (login != '') { - console.log("Launch browser notif check: setTimeout is set to launch 'first_execution' function after a wait of time_first_execution="+time_first_execution+". nowtime (time php page generation) = "+nowtime+" time_js_next_test = "+time_js_next_test+" time_auto_update="+time_auto_update); - setTimeout(first_execution, time_first_execution); + setTimeout(first_execution, time_first_execution * 1000); + time_js_next_test = nowtime + time_first_execution; + console.log("Launch browser notif check: setTimeout is set to launch 'first_execution' function after a wait of time_first_execution="+time_first_execution+". 
nowtime (time php page generation) = "+nowtime+" time_js_next_check = "+time_js_next_test); } //first run auto check function first_execution() { - console.log("Call first_execution time_auto_update (MAIN_BROWSER_NOTIFICATION_FREQUENCY) = "+time_auto_update); - check_events(); //one check before launching timer to launch other checks - setInterval(check_events, time_auto_update * 1000); //program time to run next check events + console.log("Call first_execution then set repeat time to time_auto_update = MAIN_BROWSER_NOTIFICATION_FREQUENCY = "+time_auto_update); + check_events(); //one check before setting the new time for other checks + setInterval(check_events, time_auto_update * 1000); // Set new time to run next check events } function check_events() { if (Notification.permission === "granted") { - console.log("Call check_events time_js_next_test = date we are looking for event after this date = "+time_js_next_test); + time_js_next_test += time_auto_update; + console.log("Call ajax to check_events with time_js_next_test = "+time_js_next_test); + $.ajax("", { type: "post", // Usually post or get async: true, - data: {time: time_js_next_test}, + data: { time_js_next_test: time_js_next_test }, success: function (result) { var arr = JSON.parse(result); if (arr.length > 0) { @@ -129,9 +133,9 @@ if (!($_SERVER['HTTP_REFERER'] === $dolibarr_main_url_root.'/' || $_SERVER['HTTP // Update status of all notifications we sent on browser (listofreminderids) console.log("Flag notification as done for listofreminderids="+listofreminderids); $.ajax(""+listofreminderids, { - type: "get", // Usually post or get + type: "post", // Usually post or get async: true, - data: {time: time_js_next_test} + data: { time_js_next_test: time_js_next_test } }); } } 
@@ -139,11 +143,8 @@ if (!($_SERVER['HTTP_REFERER'] === $dolibarr_main_url_root.'/' || $_SERVER['HTTP } else { - console.log("Cancel check_events. Useless because javascript Notification.permission is "+Notification.permission+"."); + console.log("Cancel check_events. Useless because javascript Notification.permission is "+Notification.permission+" (blocked manualy or web site is not https)."); } - - time_js_next_test += time_auto_update; - console.log('Updated time_js_next_test. New value is '+time_js_next_test); } escape($handler)."'", $sql); $newsql = preg_replace('/__ENTITY__/i', (!empty($entity) ? $entity : $conf->entity), $sql); @@ -1630,7 +1630,7 @@ function addDocumentModel($name, $type, $label = '', $description = '') $db->begin(); $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)"; - $sql .= " VALUES ('".$db->escape($name)."','".$type."',".$conf->entity.", "; + $sql .= " VALUES ('".$db->escape($name)."','".$db->escape($type)."',".$conf->entity.", "; $sql .= ($label ? "'".$db->escape($label)."'" : 'null').", "; $sql .= (!empty($description) ? "'".$db->escape($description)."'" : "null"); $sql .= ")"; @@ -1663,7 +1663,7 @@ function delDocumentModel($name, $type) $sql = "DELETE FROM ".MAIN_DB_PREFIX."document_model"; $sql .= " WHERE nom = '".$db->escape($name)."'"; - $sql .= " AND type = '".$type."'"; + $sql .= " AND type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; dol_syslog("admin.lib::delDocumentModel", LOG_DEBUG); diff --git a/htdocs/core/lib/ajax.lib.php b/htdocs/core/lib/ajax.lib.php index 6f730c03976..6b77003e52e 100644 --- a/htdocs/core/lib/ajax.lib.php +++ b/htdocs/core/lib/ajax.lib.php 
@@ -491,8 +491,8 @@ function ajax_combobox($htmlname, $events = array(), $minLengthToAutocomplete = * @param int $revertonoff Revert on/off * @param int $strict Use only "disabled" with delConstant and "enabled" with setConstant * @param int $forcereload Force to reload page if we click/change value (this is supported only when there is no 'alert' option in input) - * @param string $marginleftonlyshort 1 = Add a short left margin on picto, 2 = Add a larger left margin on picto, 0 = No margin left. Works for fontawesome picto only. - * @param int $forcenoajax 1=Force to use a ahref link instead of ajax code. + * @param string $marginleftonlyshort 1 = Add a short left margin on picto, 2 = Add a larger left margin on picto, 0 = No left margin. Works for fontawesome picto only. + * @param int $forcenoajax 1=Force to use a ahref link instead of ajax code. * @return string */ function ajax_constantonoff($code, $input = array(), $entity = null, $revertonoff = 0, $strict = 0, $forcereload = 0, $marginleftonlyshort = 2, $forcenoajax = 0) 
@@ -516,17 +516,18 @@ function ajax_constantonoff($code, $input = array(), $entity = null, $revertonof var entity = \''.$entity.'\'; var strict = \''.$strict.'\'; var userid = \''.$user->id.'\'; - var yesButton = "'.dol_escape_js($langs->transnoentities("Yes")).'"; - var noButton = "'.dol_escape_js($langs->transnoentities("No")).'"; + var yesButton = \''.dol_escape_js($langs->transnoentities("Yes")).'\'; + var noButton = \''.dol_escape_js($langs->transnoentities("No")).'\'; + var token = \''.currentToken().'\'; // Set constant $("#set_" + code).click(function() { if (input.alert && input.alert.set) { if (input.alert.set.yesButton) yesButton = input.alert.set.yesButton; if (input.alert.set.noButton) noButton = input.alert.set.noButton; - confirmConstantAction("set", url, code, input, input.alert.set, entity, yesButton, noButton, strict, userid); + confirmConstantAction("set", url, code, input, input.alert.set, entity, yesButton, noButton, strict, userid, token); } else { - setConstant(url, code, input, entity, 0, '.$forcereload.', userid); + setConstant(url, code, input, entity, 0, '.$forcereload.', userid, token); } }); @@ -535,9 +536,9 @@ function ajax_constantonoff($code, $input = array(), $entity = null, $revertonof if (input.alert && input.alert.del) { if (input.alert.del.yesButton) yesButton = input.alert.del.yesButton; if (input.alert.del.noButton) noButton = input.alert.del.noButton; - confirmConstantAction("del", url, code, input, input.alert.del, entity, yesButton, noButton, strict, userid); + confirmConstantAction("del", url, code, input, input.alert.del, entity, yesButton, noButton, strict, userid, token); } else { - delConstant(url, code, input, entity, 0, '.$forcereload.', userid); + delConstant(url, code, input, entity, 0, '.$forcereload.', userid, token); } }); }); 
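Review bot: The token is produced with `currentToken()` here (`var token = \''.currentToken().'\';`) but with `newToken()` in the two `ajax_object_onoff` hunks of the same file (`@@ -579`, `@@ -609`); if the server-side anti-CSRF check accepts only one of the two values, one of these paths fails on every click and reloads the page through the new `.fail()` handler. Pick one helper for both and add a comment saying which token the `set`/`del` endpoint validates. `$entity`, `$strict` and `$forcereload` are interpolated into the inline script without a cast; `((int) $entity)` and the like keep the generated JS well-formed whatever a caller passes.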
@@ -579,7 +580,8 @@ function ajax_object_onoff($object, $code, $field, $text_on, $text_off, $input = field: \''.$field.'\', value: \'1\', element: \''.$object->element.'\', - id: \''.$object->id.'\' + id: \''.$object->id.'\', + token: \''.newToken().'\' }, function() { $("#set_'.$code.'_'.$object->id.'").hide(); @@ -609,7 +611,8 @@ function ajax_object_onoff($object, $code, $field, $text_on, $text_off, $input = field: \''.$field.'\', value: \'0\', element: \''.$object->element.'\', - id: \''.$object->id.'\' + id: \''.$object->id.'\', + token: \''.newToken().'\' }, function() { $("#del_'.$code.'_'.$object->id.'").hide(); diff --git a/htdocs/core/lib/company.lib.php b/htdocs/core/lib/company.lib.php index 6c32d71024b..d7b5773e1c2 100644 --- a/htdocs/core/lib/company.lib.php +++ b/htdocs/core/lib/company.lib.php @@ -574,7 +574,7 @@ function currency_name($code_iso, $withcode = '', $outputlangs = null) // If no translation, we read table to get label by default $sql = "SELECT label FROM ".MAIN_DB_PREFIX."c_currencies"; - $sql .= " WHERE code_iso='".$code_iso."'"; + $sql .= " WHERE code_iso='".$db->escape($code_iso)."'"; $resql = $db->query($sql); if ($resql) @@ -607,7 +607,7 @@ function getFormeJuridiqueLabel($code) if (!$code) return ''; $sql = "SELECT libelle FROM ".MAIN_DB_PREFIX."c_forme_juridique"; - $sql .= " WHERE code='$code'"; + $sql .= " WHERE code='".$db->escape($code)."'"; dol_syslog("Company.lib::getFormeJuridiqueLabel", LOG_DEBUG); $resql = $db->query($sql); diff --git a/htdocs/core/lib/date.lib.php b/htdocs/core/lib/date.lib.php index 30fd6d29a1d..48e347afbd1 100644 --- a/htdocs/core/lib/date.lib.php +++ b/htdocs/core/lib/date.lib.php 
@@ -466,8 +466,8 @@ function dol_get_next_week($day, $week, $month, $year) * @param int $year Year * @param int $month Month * @param mixed $gm False or 0 or 'server' = Return date to compare with server TZ, True or 1 to compare with GM date. - * Exemple: dol_get_first_day(1970,1,false) will return -3600 with TZ+1, after a dol_print_date will return 1970-01-01 00:00:00 - * Exemple: dol_get_first_day(1970,1,true) will return 0 whatever is TZ, after a dol_print_date will return 1970-01-01 00:00:00 + * Exemple: dol_get_first_day(1970,1,false) will return -3600 with TZ+1, a dol_print_date on it will return 1970-01-01 00:00:00 + * Exemple: dol_get_first_day(1970,1,true) will return 0 whatever is TZ, a dol_print_date on it will return 1970-01-01 00:00:00 * @return int Date for first day, '' if error */ function dol_get_first_day($year, $month = 1, $gm = false) @@ -502,6 +502,28 @@ function dol_get_last_day($year, $month = 12, $gm = false) return $datelim; } +/** Return GMT time for last hour of a given GMT date (it removes hours, min and second part) + * + * @param int $date Date + * @return int Date for last hour of a given date + */ +function dol_get_last_hour($date) +{ + $tmparray = dol_getdate($date); + return dol_mktime(23, 59, 59, $tmparray['mon'], $tmparray['mday'], $tmparray['year'], false); +} + +/** Return GMT time for first hour of a given GMT date (it removes hours, min and second part) + * + * @param int $date Date + * @return int Date for last hour of a given date + */ +function dol_get_first_hour($date) +{ + $tmparray = dol_getdate($date); + return dol_mktime(0, 0, 0, $tmparray['mon'], $tmparray['mday'], $tmparray['year'], false); +} + /** Return first day of week for a date. First day of week may be monday if option MAIN_START_WEEK is 1. * * @param int $day Day diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index ba96efbfd62..f4e8a06920b 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php 
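Review bot: The docblock of the new `dol_get_first_hour()` says `@return int Date for last hour of a given date`, copied from `dol_get_last_hour()`; it should read `Date for first hour of a given date`. Both headers also say `Return GMT time for ... a given GMT date`, while the bodies call `dol_mktime(..., false)` — the `$gm` flag documented two hunks above as "compare with server TZ" — so either the wording or the flag looks wrong; worth confirming which is intended and stating it in both docblocks.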
@@ -142,6 +142,7 @@ function dol_dir_list($path, $types = "all", $recursive = 0, $filter = "", $excl if (!$filter || preg_match('/'.$filter.'/i', $file)) // We do not search key $filter into all $path, only into $file part { + $reg = array(); preg_match('/([^\/]+)\/[^\/]+$/', $path.'/'.$file, $reg); $level1name = (isset($reg[1]) ? $reg[1] : ''); $file_list[] = array( @@ -2013,8 +2014,10 @@ function dol_uncompress($inputfile, $outputdir) dol_syslog("Constant ODTPHP_PATHTOPCLZIP for pclzip library is set to ".ODTPHP_PATHTOPCLZIP.", so we use Pclzip to unzip into ".$outputdir); include_once ODTPHP_PATHTOPCLZIP.'/pclzip.lib.php'; $archive = new PclZip($inputfile); - $result = $archive->extract(PCLZIP_OPT_PATH, $outputdir); - //var_dump($result); + + // Extract into outputdir, but only files that match the regex '/^((?!\.\.).)*$/' that means "does not include .." + $result = $archive->extract(PCLZIP_OPT_PATH, $outputdir, PCLZIP_OPT_BY_PREG, '/^((?!\.\.).)*$/'); + if (!is_array($result) && $result <= 0) return array('error'=>$archive->errorInfo(true)); else { $ok = 1; $errmsg = ''; 
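Review bot: The `PCLZIP_OPT_BY_PREG` filter `'/^((?!\.\.).)*$/'` makes entries containing `..` vanish silently: the caller receives the normal `$result` and no indication that part of the archive was withheld, and a legitimate name such as `report..v2.odt` is dropped as well. At minimum log the skipped count with `dol_syslog()`, and consider returning the skipped names in the `error` array so callers can decide; the ZipArchive branch in the next hunk (`@@ -2035`) has the same silent-skip behaviour. `dol_uncompress`'s signature is outside this hunk.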
@@ -2035,14 +2038,26 @@ function dol_uncompress($inputfile, $outputdir) } } - if (class_exists('ZipArchive')) + if (class_exists('ZipArchive')) // Must install php-zip to have it { dol_syslog("Class ZipArchive is set so we unzip using ZipArchive to unzip into ".$outputdir); $zip = new ZipArchive; $res = $zip->open($inputfile); if ($res === true) { - $zip->extractTo($outputdir.'/'); + //$zip->extractTo($outputdir.'/'); + // We must extract one file at time so we can check that file name does not contains '..' to avoid transversal path of zip built for example using + // python3 path_traversal_archiver.py test.zip -l 10 -p tmp/ + // with -l is the range of dot to go back in path. + // and path_traversal_archiver.py found at https://github.com/Alamot/code-snippets/blob/master/path_traversal/path_traversal_archiver.py + for ($i = 0; $i < $zip->numFiles; $i++) { + if (preg_match('/\.\./', $zip->getNameIndex($i))) { + dol_syslog("Warning: Try to unzip a file with a transversal path ".$zip->getNameIndex($i), LOG_WARNING); + continue; // Discard the file + } + $zip->extractTo($outputdir.'/', array($zip->getNameIndex($i))); + } + $zip->close(); return array(); } else { diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 8fb8ec3be57..e9375f91e30 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -82,6 +82,12 @@ function getEntity($element, $shared = 1, $currentobject = null) { global $conf, $mc; + // fix different element names (France to English) + switch ($element) { + case 'contrat': $element = 'contract'; break; // "/contrat/class/contrat.class.php" + case 'order_supplier': $element = 'supplier_order'; break; // "/fourn/class/fournisseur.commande.class.php" + } + if (is_object($mc)) { return $mc->getEntity($element, $shared, $currentobject); 
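Review bot: After the loop discards entries matching `/\.\./`, the function still executes `return array();`, the success value, so the caller cannot tell that files were withheld; collecting the discarded names into a `$skipped` array and returning `array('error'=>...)` when it is non-empty would surface that. The filter also rejects harmless names with a double dot in the middle (`a..b.txt`), while an absolute entry name such as `/tmp/x` contains no `..` and passes; whether `ZipArchive::extractTo()` strips a leading `/` is not visible here and worth confirming, with the answer recorded in the comment above the loop.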
@@ -89,7 +95,7 @@ function getEntity($element, $shared = 1, $currentobject = null) $out = ''; $addzero = array('user', 'usergroup', 'c_email_templates', 'email_template', 'default_values'); if (in_array($element, $addzero)) $out .= '0,'; - $out .= $conf->entity; + $out .= ((int) $conf->entity); return $out; } } @@ -271,12 +277,13 @@ function GETPOSTISSET($paramname) * 'none'=no check (only for param that should have very rich content) * 'int'=check it's numeric (integer or float) * 'intcomma'=check it's integer+comma ('1,2,3,4...') - * 'alpha'=check it's text and sign + * 'alpha'=Same than alphanohtml since v13 + * 'alphanohtml'=check there is no html content and no " and no ../ * 'aZ'=check it's a-z only * 'aZ09'=check it's simple alpha string (recommended for keys) * 'array'=check it's array * 'san_alpha'=Use filter_var with FILTER_SANITIZE_STRING (do not use this for free text string) - * 'nohtml', 'alphanohtml'=check there is no html content + * 'nohtml'=check there is no html content and no " and no ../ * 'restricthtml'=check html content is restricted to some tags only * 'custom'= custom filter specify $filter and $options) * @param int $method Type of method (0 = get then post, 1 = only get, 2 = only post, 3 = post then get) 
@@ -538,6 +545,60 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null } } + // Check rule + if ($check == 'array') { + if (!is_array($out) || empty($out)) { + $out = array(); + } else { + foreach ($out as $outkey => $outval) { + $out[$outkey] = checkVal($outval, 'alphanohtml', $filter, $options); + } + } + } + else { + $out = checkVal($out, $check, $filter, $options); + } + + // Sanitizing for special parameters. There is no reason to allow the backtopage parameter to contains an external URL. + if ($paramname == 'backtopage') { + $out = str_replace('\\', '/', $out); + $out = preg_replace(array('/^\/\/+/', '/^[a-z]*:/i'), '', $out); + } + + // Code for search criteria persistence. + // Save data into session if key start with 'search_' or is 'smonth', 'syear', 'month', 'year' + if (empty($method) || $method == 3 || $method == 4) + { + if (preg_match('/^search_/', $paramname) || in_array($paramname, array('sortorder', 'sortfield'))) + { + //var_dump($paramname.' - '.$out.' '.$user->default_values[$relativepathstring]['filters'][$paramname]); + + // We save search key only if $out not empty that means: + // - posted value not empty, or + // - if posted value is empty and a default value exists that is not empty (it means we did a filter to an empty value when default was not). + + if ($out != '') // $out = '0' or 'abc', it is a search criteria to keep + { + $user->lastsearch_values_tmp[$relativepathstring][$paramname] = $out; + } + } + } + + return $out; +} + + +/** + * Return a value after checking on a rule. + * + * @param string $out Value to get/check + * @param string $check Type of check + * @param int $filter Filter to apply when $check is set to 'custom'. 
(See http://php.net/manual/en/filter.filters.php for détails) + * @param mixed $options Options to pass to filter_var when $check is set to 'custom' + * @return string|array Value found (string or array), or '' if check fails + */ +function checkVal($out = '', $check = 'alphanohtml', $filter = null, $options = null) +{ // Check is done after replacement switch ($check) { @@ -549,13 +610,6 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null case 'intcomma': if (preg_match('/[^0-9,-]+/i', $out)) $out = ''; break; - case 'alpha': - if (!is_array($out)) { - // '"' is dangerous because param in url can close the href= or src= and add javascript functions. - // '../' is dangerous because it allows dir transversals - $out = str_replace(array('"', '../'), '', trim($out)); - } - break; case 'san_alpha': $out = filter_var($out, FILTER_SANITIZE_STRING); break; @@ -580,23 +634,22 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null if (preg_match('/[^a-z0-9_\-\.,]+/i', $out)) $out = ''; } break; - case 'array': - if (!is_array($out) || empty($out)) $out = array(); - break; case 'nohtml': $out = dol_string_nohtmltag($out, 0); break; + case 'alpha': // No html and no " and no ../ case 'alphanohtml': // Recommended for most scalar parameters and search parameters if (!is_array($out)) { // '"' is dangerous because param in url can close the href= or src= and add javascript functions. // '../' is dangerous because it allows dir transversals - $out = str_replace(array('"', '../'), '', trim($out)); + $out = str_replace(array('"', '"', '../'), '', trim($out)); $out = dol_string_nohtmltag($out, 0); } break; case 'restricthtml': // Recommended for most html textarea $out = dol_string_onlythesehtmltags($out, 0); + // TODO We can also remove all javascripts reference break; case 'custom': if (empty($filter)) return 'BadFourthParameterForGETPOST'; 
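Review bot: The `backtopage` sanitizer applies its two patterns in array order, so `preg_replace(array('/^\/\/+/', '/^[a-z]*:/i'), '', $out)` turns `http://host/path` into `//host/path`: the leading-slash rule runs first and finds nothing, then the scheme rule strips `http:` and leaves a protocol-relative URL that browsers still treat as external, which defeats the comment's stated purpose. Run the scheme rule first and repeat until the value is stable, `do { $before = $out; $out = preg_replace(array('/^[a-z]*:/i', '/^\/\/+/'), '', $out); } while ($before != $out);`. In the `array` branch above it, a nested array value goes through `checkVal(..., 'alphanohtml', ...)` unchanged, since that case only acts when `!is_array($out)`; if nested arrays are not expected, the branch should say so.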
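Review bot: In the `alpha`/`alphanohtml` case, the `str_replace(..., '../')` removal on `trim($out)` is a single pass, so an input such as `....//` becomes `../` once the inner occurrence is removed, and the comment's goal of blocking directory traversal is not met. Loop until the value no longer changes, `do { $before = $out; $out = str_replace(<same array>, '', $out); } while ($before != $out);`, before the `dol_string_nohtmltag()` call. `checkVal()` starts in the previous hunk.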
@@ -604,29 +657,11 @@ function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null break; } - // Code for search criteria persistence. - // Save data into session if key start with 'search_' or is 'smonth', 'syear', 'month', 'year' - if (empty($method) || $method == 3 || $method == 4) - { - if (preg_match('/^search_/', $paramname) || in_array($paramname, array('sortorder', 'sortfield'))) - { - //var_dump($paramname.' - '.$out.' '.$user->default_values[$relativepathstring]['filters'][$paramname]); - - // We save search key only if $out not empty that means: - // - posted value not empty, or - // - if posted value is empty and a default value exists that is not empty (it means we did a filter to an empty value when default was not). - - if ($out != '') // $out = '0' or 'abc', it is a search criteria to keep - { - $user->lastsearch_values_tmp[$relativepathstring][$paramname] = $out; - } - } - } - return $out; } + if (!function_exists('dol_getprefix')) { /** @@ -936,7 +971,7 @@ function dol_string_unaccent($str) * @param array $badcharstoreplace List of forbidden characters * @return string Cleaned string * - * @see dol_sanitizeFilename(), dol_string_unaccent() + * @see dol_sanitizeFilename(), dol_string_unaccent(), dol_string_nounprintableascii() */ function dol_string_nospecial($str, $newstr = '_', $badcharstoreplace = '') { 
@@ -949,6 +984,21 @@ function dol_string_nospecial($str, $newstr = '_', $badcharstoreplace = '') } +/** + * Clean a string from all non printable ascii chars (0x00-0x1F and 0x7F). It removes also CR-LF + * This can be used to sanitize a string and view its real content. Some hacks try to obfuscate attacks by inserting non printable chars. + * + * @param string $str String to clean + * @return string Cleaned string + * + * @see dol_sanitizeFilename(), dol_string_unaccent(), dol_string_nospecial() + */ +function dol_string_nounprintableascii($str) +{ + return preg_replace('/[\x00-\x1F\x7F]/u', '', $str); +} + + /** * Returns text escaped for inclusion into javascript code * @@ -1197,11 +1247,11 @@ function dol_get_fiche_head($links = array(), $active = '', $title = '', $notab if ($morehtmlright) $out .= '
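Review bot: `dol_string_nounprintableascii` returns `null` rather than the documented `string` whenever `$str` is not valid UTF-8, because the `/u` modifier makes `preg_replace` reject the subject and fail; the docblock says this helper exists for inputs that try to hide something, which is exactly where invalid byte sequences turn up. The character class `[\x00-\x1F\x7F]` is pure ASCII and needs no Unicode mode, so `return preg_replace('/[\x00-\x1F\x7F]/', '', $str);` keeps the contract; if the `u` flag is wanted for other reasons, coalesce the `null` result to `''` and mention that in the `@return` line.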
'.$morehtmlright.'
'; // Output right area first so when space is missing, text is in front of tabs and not under. // Show title - if (!empty($title) && $showtitle) + if (!empty($title) && $showtitle && empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER)) { $limittitle = 30; $out .= ''; - if ($picto && empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER)) $out .= img_picto($title, ($pictoisfullpath ? '' : 'object_').$picto, '', $pictoisfullpath, 0, 0, '', 'imgTabTitle').' '; + if ($picto) $out .= img_picto($title, ($pictoisfullpath ? '' : 'object_').$picto, '', $pictoisfullpath, 0, 0, '', 'imgTabTitle').' '; $out .= ''.dol_trunc($title, $limittitle).''; $out .= ''; } @@ -1300,19 +1350,28 @@ function dol_get_fiche_head($links = array(), $active = '', $title = '', $notab { $left = ($langs->trans("DIRECTION") == 'rtl' ? 'right' : 'left'); $right = ($langs->trans("DIRECTION") == 'rtl' ? 'left' : 'right'); + $widthofpopup = 200; $tabsname = $moretabssuffix; if (empty($tabsname)) { $tabsname = str_replace("@", "", $picto); } $out .= '
'; - $out .= ''.$langs->trans("More").'... ('.$nbintab.')'; - $out .= '
'; + $out .= ''.$langs->trans("More").'... ('.$nbintab.')'; // Do not use "reposition" class in the "More". + $out .= '
'; $out .= $outmore; $out .= '
'; $out .= '
'; $out .= "
\n"; $out .= ""; } @@ -1424,8 +1483,7 @@ function dol_banner_tab($object, $paramid, $morehtml = '', $shownav = 1, $fieldi $morehtmlleft .= '
No photo
'; } } - } elseif ($object->element == 'ticket') - { + } elseif ($object->element == 'ticket') { $width = 80; $cssclass = 'photoref'; $showimage = $object->is_photo_available($conf->ticket->multidir_output[$entity].'/'.$object->ref); $maxvisiblephotos = (isset($conf->global->TICKET_MAX_VISIBLE_PHOTO) ? $conf->global->TICKET_MAX_VISIBLE_PHOTO : 2); @@ -1627,7 +1685,8 @@ function dol_banner_tab($object, $paramid, $morehtml = '', $shownav = 1, $fieldi } if (!empty($conf->global->MAIN_SHOW_TECHNICAL_ID) && ($conf->global->MAIN_SHOW_TECHNICAL_ID == '1' || preg_match('/'.preg_quote($object->element, '/').'/i', $conf->global->MAIN_SHOW_TECHNICAL_ID)) && !empty($object->id)) { - $morehtmlref .= '
'; + $morehtmlref .= '
'; + $morehtmlref .= '
'; $morehtmlref .= $langs->trans("TechnicalID").': '.$object->id; $morehtmlref .= '
'; } @@ -2693,7 +2752,15 @@ function dol_print_ip($ip, $mode = 0) */ function getUserRemoteIP() { - $ip = empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? (empty($_SERVER['HTTP_CLIENT_IP']) ? (empty($_SERVER['REMOTE_ADDR']) ? '' : $_SERVER['REMOTE_ADDR']) : $_SERVER['HTTP_CLIENT_IP']) : $_SERVER['HTTP_X_FORWARDED_FOR']; + if (empty($_SERVER['HTTP_X_FORWARDED_FOR']) || preg_match('/[^0-9\.\:,\[\]]/', $_SERVER['HTTP_X_FORWARDED_FOR'])) { + if (empty($_SERVER['HTTP_CLIENT_IP']) || preg_match('/[^0-9\.\:,\[\]]/', $_SERVER['HTTP_CLIENT_IP'])) { + $ip = (empty($_SERVER['REMOTE_ADDR']) ? '' : $_SERVER['REMOTE_ADDR']); + } else { + $ip = $_SERVER['HTTP_CLIENT_IP']; // value is clean here + } + } else { + $ip = $_SERVER['HTTP_X_FORWARDED_FOR']; // value is clean here + } return $ip; } 
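Review bot: The new regex in `getUserRemoteIP()` only constrains the character set of `HTTP_X_FORWARDED_FOR` and `HTTP_CLIENT_IP`; both headers remain supplied by the requester, so a well-formed but false address is still preferred over `REMOTE_ADDR`, and callers cannot tell from the function whether the value is trustworthy. A header comment would make that explicit, e.g. `// X-Forwarded-For / Client-IP are only meaningful behind a trusted proxy that overwrites them; do not rely on this value alone for authorization or audit`. The pattern `[^0-9\.\:,\[\]]` also accepts comma-separated lists and malformed tokens, so `$ip` may hold several addresses; validating each comma-separated element with `filter_var($candidate, FILTER_VALIDATE_IP)` and returning the first valid one would be stricter than the current character check.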
@@ -3011,14 +3078,14 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $ $pictowithouttext = preg_replace('/(\.png|\.gif|\.svg)$/', '', $picto); if (empty($srconly) && in_array($pictowithouttext, array( '1downarrow', '1uparrow', '1leftarrow', '1rightarrow', '1uparrow_selected', '1downarrow_selected', '1leftarrow_selected', '1rightarrow_selected', - 'accountancy', 'account', 'action', 'add', 'address', 'bank_account', 'barcode', 'bank', 'bill', 'bookmark', 'bom', 'building', + 'accountancy', 'account', 'accountline', 'action', 'add', 'address', 'bank_account', 'barcode', 'bank', 'bill', 'bookmark', 'bom', 'building', 'cash-register', 'category', 'check', 'clock', 'close_title', 'company', 'contact', 'contract', 'cubes', 'delete', 'dolly', 'dollyrevert', 'edit', 'ellipsis-h', 'email', 'external-link-alt', 'external-link-square-alt', 'filter', 'file-code', 'file-export', 'file-import', 'file-upload', 'folder', 'folder-open', 'globe', 'globe-americas', 'grip', 'grip_title', 'help', 'holiday', 'intervention', 'label', 'language', 'list', 'listlight', 'lot', 'map-marker-alt', 'money-bill-alt', 'mrp', 'note', - 'object_accounting', 'object_action', 'object_account', 'object_barcode', 'object_bill', 'object_billa', 'object_billd', 'object_bom', + 'object_accounting', 'object_account', 'object_accountline', 'object_action', 'object_barcode', 'object_bill', 'object_billa', 'object_billd', 'object_bom', 'object_category', 'object_conversation', 'object_bookmark', 'object_bug', 'object_dolly', 'object_dollyrevert', 'object_generic', 'object_folder', 'object_list-alt', 'object_calendar', 'object_calendarweek', 'object_calendarmonth', 'object_calendarday', 'object_calendarperuser', 'object_cash-register', 'object_company', 'object_contact', 'object_contract', 'object_donation', 'object_dynamicprice', 
@@ -3036,9 +3103,9 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $ 'jabber', 'skype', 'twitter', 'facebook', 'linkedin', 'instagram', 'snapchat', 'youtube', 'google-plus-g', 'whatsapp', 'chevron-left', 'chevron-right', 'chevron-down', 'chevron-top', 'commercial', 'companies', 'generic', 'home', 'hrm', 'members', 'products', 'invoicing', - 'payment', 'pencil-ruler', 'preview', 'project', 'projectpub', 'supplier_invoice', 'ticket', + 'payment', 'pencil-ruler', 'preview', 'project', 'projectpub', 'refresh', 'supplier_invoice', 'ticket', 'error', 'warning', - 'recruitmentcandidature', 'recruitmentjobposition', + 'recruitmentcandidature', 'recruitmentjobposition', 'resource', 'supplier_proposal', 'supplier_order', 'supplier_invoice', 'title_setup', 'title_accountancy', 'title_bank', 'title_hrm', 'title_agenda' ) @@ -3056,7 +3123,7 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $ $pictowithouttext = str_replace('object_', '', $pictowithouttext); $arrayconvpictotofa = array( - 'account'=>'university', 'accountancy'=>'money-check-alt', 'action'=>'calendar-alt', 'add'=>'plus-circle', 'address'=> 'address-book', + 'account'=>'university', 'accountline'=>'receipt', 'accountancy'=>'money-check-alt', 'action'=>'calendar-alt', 'add'=>'plus-circle', 'address'=> 'address-book', 'bank_account'=>'university', 'bill'=>'file-invoice-dollar', 'billa'=>'file-excel', 'supplier_invoicea'=>'file-excel', 'billd'=>'file-medical', 'supplier_invoiced'=>'file-medical', 'bom'=>'cubes', 'company'=>'building', 'contact'=>'address-book', 'contract'=>'suitcase', 'conversation'=>'comments', 'donation'=>'file-alt', 'dynamicprice'=>'hand-holding-usd', 'setup'=>'cog', 'companies'=>'building', 'products'=>'cube', 'commercial'=>'suitcase', 'invoicing'=>'coins', 
@@ -3077,7 +3144,7 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $ 'recruitmentjobposition'=>'id-card-alt', 'recruitmentcandidature'=>'id-badge', 'resize'=>'crop', 'supplier_order'=>'dol-order_supplier', 'supplier_proposal'=>'file-signature', 'payment'=>'money-check-alt', 'phoning'=>'phone', 'phoning_mobile'=>'mobile-alt', 'phoning_fax'=>'fax', 'printer'=>'print', 'product'=>'cube', 'service'=>'concierge-bell', - 'resource'=>'laptop-house', + 'refresh'=>'redo', 'resource'=>'laptop-house', 'shipment'=>'dolly', 'stock'=>'box-open', 'stats' => 'chart-bar', 'split'=>'code-branch', 'supplier_invoice'=>'file-invoice-dollar', 'technic'=>'cogs', 'ticket'=>'ticket-alt', 'title_setup'=>'tools', 'title_accountancy'=>'money-check-alt', 'title_bank'=>'university', 'title_hrm'=>'umbrella-beach', 'title_agenda'=>'calendar-alt', @@ -3124,7 +3191,7 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $ // Add CSS $arrayconvpictotomorcess = array( - 'action'=>'infobox-action', 'account'=>'infobox-bank_account', 'accountancy'=>'infobox-bank_account', + 'action'=>'infobox-action', 'account'=>'infobox-bank_account', 'accountline'=>'infobox-bank_account', 'accountancy'=>'infobox-bank_account', 'bank_account'=>'bg-infobox-bank_account', 'bill'=>'infobox-commande', 'billa'=>'infobox-commande', 'billd'=>'infobox-commande', 'cash-register'=>'infobox-bank_account', 'contract'=>'infobox-contrat', 'check'=>'font-status4', 'conversation'=>'infobox-contrat', 
@@ -3151,8 +3218,8 @@ function img_picto($titlealt, $picto, $moreatt = '', $pictoisfullpath = false, $ // Define $color $arrayconvpictotocolor = array( - 'address'=>'#37a', 'building'=>'#37a', 'bom'=>'#a69944', - 'companies'=>'#37a', 'company'=>'#37a', 'contact'=>'#37a', 'dynamicprice'=>'#a69944', + 'address'=>'#6c6aa8', 'building'=>'#6c6aa8', 'bom'=>'#a69944', + 'companies'=>'#6c6aa8', 'company'=>'#6c6aa8', 'contact'=>'#37a', 'dynamicprice'=>'#a69944', 'edit'=>'#444', 'note'=>'#999', 'error'=>'', 'help'=>'#bbb', 'listlight'=>'#999', 'dolly'=>'#a69944', 'dollyrevert'=>'#a69944', 'lot'=>'#a69944', 'map-marker-alt'=>'#aaa', 'mrp'=>'#a69944', 'product'=>'#a69944', 'service'=>'#a69944', 'stock'=>'#a69944', @@ -3265,12 +3332,13 @@ function img_weather($titlealt, $picto, $moreatt = '', $pictoisfullpath = 0, $mo { global $conf; - if (is_numeric($picto)) - { - $leveltopicto = array(0=>'weather-clear.png', 1=>'weather-few-clouds.png', 2=>'weather-clouds.png', 3=>'weather-many-clouds.png', 4=>'weather-storm.png'); - //return ''; - $picto = $leveltopicto[$picto]; - } elseif (!preg_match('/(\.png|\.gif)$/i', $picto)) $picto .= '.png'; + if (is_numeric($picto)) { + //$leveltopicto = array(0=>'weather-clear.png', 1=>'weather-few-clouds.png', 2=>'weather-clouds.png', 3=>'weather-many-clouds.png', 4=>'weather-storm.png'); + //$picto = $leveltopicto[$picto]; + return ''; + } elseif (!preg_match('/(\.png|\.gif)$/i', $picto)) { + $picto .= '.png'; + } $path = DOL_URL_ROOT.'/theme/'.$conf->theme.'/img/weather/'.$picto; @@ -3791,7 +3859,7 @@ function info_admin($text, $infoonimgalt = 0, $nodiv = 0, $admin = '1', $morecss $result = ($nodiv ? '' : '
').' '.$text.($nodiv ? '' : '
'); if ($textfordropdown) { - $tmpresult .= ''.$langs->trans($textfordropdown).' '.img_picto($langs->trans($textfordropdown), '1downarrow').''; + $tmpresult .= ''.$langs->trans($textfordropdown).' '.img_picto($langs->trans($textfordropdown), '1downarrow').''; $tmpresult .= '"; print ''; -print ''; +print ''; print ''; print ''; if ($conf->global->MAIN_MULTILANGS) { diff --git a/htdocs/datapolicy/public/index.php b/htdocs/datapolicy/public/index.php index c6e23db9083..079bcd340da 100644 --- a/htdocs/datapolicy/public/index.php +++ b/htdocs/datapolicy/public/index.php @@ -39,7 +39,7 @@ require_once DOL_DOCUMENT_ROOT.'/datapolicy/class/datapolicy.class.php'; $idc = GETPOST('c', 'int'); $ids = GETPOST('s', 'int'); $ida = GETPOST('a', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $lang = GETPOST('l', 'alpha'); $code = GETPOST('key', 'alpha'); diff --git a/htdocs/debugbar/class/TraceableDB.php b/htdocs/debugbar/class/TraceableDB.php index 8b94959a43c..77c20325a9d 100644 --- a/htdocs/debugbar/class/TraceableDB.php +++ b/htdocs/debugbar/class/TraceableDB.php @@ -46,7 +46,7 @@ class TraceableDB extends DoliDB public function __construct($db) { $this->db = $db; - $this->type = $db->type; + $this->type = $this->db->type; $this->queries = array(); } diff --git a/htdocs/document.php b/htdocs/document.php index 99d9e1a29e2..ab3ad20a8f8 100644 --- a/htdocs/document.php +++ b/htdocs/document.php @@ -76,7 +76,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/images.lib.php'; $encoding = ''; -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $original_file = GETPOST('file', 'alphanohtml'); // Do not use urldecode here ($_GET are already decoded by PHP). $hashp = GETPOST('hashp', 'aZ09'); $modulepart = GETPOST('modulepart', 'alpha'); 
@@ -153,11 +153,15 @@ if (isset($_GET["attachment"])) $attachment = GETPOST("attachment", 'alpha') ?tr if (!empty($conf->global->MAIN_DISABLE_FORCE_SAVEAS)) $attachment = false; // Define mime type -$type = 'application/octet-stream'; +$type = 'application/octet-stream'; // By default if (GETPOST('type', 'alpha')) $type = GETPOST('type', 'alpha'); else $type = dol_mimetype($original_file); -// Security: Force to octet-stream if file is a dangerous file -if (preg_match('/\.noexe$/i', $original_file)) $type = 'application/octet-stream'; +// Security: Force to octet-stream if file is a dangerous file. For example when it is a .noexe file +// We do not force if file is a javascript to be able to get js from website module with '."\n"; // We include full because we need the support of containerCssClass + } + if (! defined('DISABLE_MULTISELECT')) // jQuery plugin "mutiselect" to select with checkboxes. Can be removed once we have an enhanced search tool + { + print ''."\n"; } } @@ -1632,9 +1667,10 @@ function top_menu($head, $title = '', $target = '', $disablejs = 0, $disablehead } } - $text = ''.DOL_VERSION.''; - $toprightmenu .= @Form::textwithtooltip('', $appli, 2, 1, $text, 'login_block_elem', 2); - + if (empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER)) { + $text = ''.DOL_VERSION.''; + $toprightmenu .= @Form::textwithtooltip('', $appli, 2, 1, $text, 'login_block_elem', 2); + } // Logout link $toprightmenu .= @Form::textwithtooltip('', $logouthtmltext, 2, 1, $logouttext, 'login_block_elem logout-btn', 2); diff --git a/htdocs/margin/admin/margin.php b/htdocs/margin/admin/margin.php index 9efea04e415..cea00dfdff6 100644 --- a/htdocs/margin/admin/margin.php +++ b/htdocs/margin/admin/margin.php @@ -33,7 +33,7 @@ $langs->loadLangs(array("admin", "bills", "margins", "stocks")); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); /* 
diff --git a/htdocs/margin/agentMargins.php b/htdocs/margin/agentMargins.php index 6ff9cdc7274..7e15b94aede 100644 --- a/htdocs/margin/agentMargins.php +++ b/htdocs/margin/agentMargins.php @@ -36,8 +36,8 @@ $mesg = ''; // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/margin/checkMargins.php b/htdocs/margin/checkMargins.php index 83e743e0d68..60052294baa 100644 --- a/htdocs/margin/checkMargins.php +++ b/htdocs/margin/checkMargins.php @@ -41,8 +41,8 @@ $optioncss = GETPOST('optioncss', 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/margin/customerMargins.php b/htdocs/margin/customerMargins.php index e1fd6876e0f..a566c7bd620 100644 --- a/htdocs/margin/customerMargins.php +++ b/htdocs/margin/customerMargins.php 
@@ -45,8 +45,8 @@ $mesg = ''; // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/margin/productMargins.php b/htdocs/margin/productMargins.php index 71b8b41ef8d..e390be68068 100644 --- a/htdocs/margin/productMargins.php +++ b/htdocs/margin/productMargins.php @@ -34,7 +34,7 @@ $langs->loadLangs(array('companies', 'bills', 'products', 'margins')); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $TSelectedCats = GETPOST('categories', 'array'); @@ -49,8 +49,8 @@ $mesg = ''; // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/margin/tabs/productMargins.php b/htdocs/margin/tabs/productMargins.php index 70cbf6a9e42..d5069249cbe 100644 --- a/htdocs/margin/tabs/productMargins.php +++ b/htdocs/margin/tabs/productMargins.php 
@@ -30,7 +30,7 @@ $langs->loadLangs(array("companies", "bills", "products", "margins")); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); // Security check diff --git a/htdocs/modulebuilder/admin/setup.php b/htdocs/modulebuilder/admin/setup.php index c1d58ab3ff2..c100c4a1ab0 100644 --- a/htdocs/modulebuilder/admin/setup.php +++ b/htdocs/modulebuilder/admin/setup.php @@ -29,7 +29,7 @@ $langs->loadLangs(array("admin", "other", "modulebuilder")); if (!$user->admin || empty($conf->modulebuilder->enabled)) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); /* @@ -37,7 +37,7 @@ $backtopage = GETPOST('backtopage', 'alpha'); */ if ($action == "update") { - $res1 = dolibarr_set_const($db, 'MODULEBUILDER_SPECIFIC_README', GETPOST('MODULEBUILDER_SPECIFIC_README', 'none'), 'chaine', 0, '', $conf->entity); + $res1 = dolibarr_set_const($db, 'MODULEBUILDER_SPECIFIC_README', GETPOST('MODULEBUILDER_SPECIFIC_README', 'restricthtml'), 'chaine', 0, '', $conf->entity); $res2 = dolibarr_set_const($db, 'MODULEBUILDER_ASCIIDOCTOR', GETPOST('MODULEBUILDER_ASCIIDOCTOR', 'nohtml'), 'chaine', 0, '', $conf->entity); $res3 = dolibarr_set_const($db, 'MODULEBUILDER_ASCIIDOCTORPDF', GETPOST('MODULEBUILDER_ASCIIDOCTORPDF', 'nohtml'), 'chaine', 0, '', $conf->entity); $res4 = dolibarr_set_const($db, 'MODULEBUILDER_SPECIFIC_EDITOR_NAME', GETPOST('MODULEBUILDER_SPECIFIC_EDITOR_NAME', 'nohtml'), 'chaine', 0, '', $conf->entity); diff --git a/htdocs/modulebuilder/index.php b/htdocs/modulebuilder/index.php index eb350eb9a3a..2404a81b101 100644 --- a/htdocs/modulebuilder/index.php +++ b/htdocs/modulebuilder/index.php @@ -94,6 +94,7 @@ $result = restrictedArea($user, 'modulebuilder', null); $error = 0; +$form = new Form($db); // Define $listofmodules $dirsrootforscan = array($dirread); 
@@ -101,7 +102,7 @@ $dirsrootforscan = array($dirread); if ($dirread != DOL_DOCUMENT_ROOT && ($conf->global->MAIN_FEATURES_LEVEL >= 2 || !empty($conf->global->MODULEBUILDER_ADD_DOCUMENT_ROOT))) { $dirsrootforscan[] = DOL_DOCUMENT_ROOT; } // Search modules to edit -$textforlistofdirs = ''."\n"; +$textforlistofdirs = ''."\n"; $listofmodules = array(); $i = 0; foreach ($dirsrootforscan as $dirread) @@ -170,6 +171,10 @@ foreach ($dirsrootforscan as $dirread) if (empty($i)) $textforlistofdirs .= $langs->trans("DirScanned").' : '; else $textforlistofdirs .= ', '; $textforlistofdirs .= ''.$dirread.''; + if ($dirread == DOL_DOCUMENT_ROOT) { + if ($conf->global->MAIN_FEATURES_LEVEL >= 2) $textforlistofdirs .= $form->textwithpicto('', $langs->trans("ConstantIsOn", "MAIN_FEATURES_LEVEL")); + if (! empty($conf->global->MODULEBUILDER_ADD_DOCUMENT_ROOT)) $textforlistofdirs .= $form->textwithpicto('', $langs->trans("ConstantIsOn", "MODULEBUILDER_ADD_DOCUMENT_ROOT")); + } $i++; } @@ -1187,7 +1192,7 @@ if ($dirins && $action == 'addproperty' && !empty($module) && !empty($tabobj)) { $addfieldentry = array( 'name'=>GETPOST('propname', 'aZ09'), 'label'=>GETPOST('proplabel', 'alpha'), 'type'=>GETPOST('proptype', 'alpha'), - 'arrayofkeyval'=>GETPOST('proparrayofkeyval', 'none'), // Example json string '{"0":"Draft","1":"Active","-1":"Cancel"}' + 'arrayofkeyval'=>GETPOST('proparrayofkeyval', 'restricthtml'), // Example json string '{"0":"Draft","1":"Active","-1":"Cancel"}' 'visible'=>GETPOST('propvisible', 'int'), 'enabled'=>GETPOST('propenabled', 'int'), 'position'=>GETPOST('propposition', 'int'), 'notnull'=>GETPOST('propnotnull', 'int'), 'index'=>GETPOST('propindex', 'int'), 'searchall'=>GETPOST('propsearchall', 'int'), 'isameasure'=>GETPOST('propisameasure', 'int'), 'comment'=>GETPOST('propcomment', 'alpha'), 'help'=>GETPOST('prophelp', 'alpha') 
@@ -1463,7 +1468,13 @@ if ($action == 'savefile' && empty($cancel)) dol_copy($pathoffile, $pathoffilebackup, 0, 1); } - $content = GETPOST('editfilecontent', 'none'); + $check = 'restricthtml'; + $srclang = dol_mimetype($pathoffile, '', 3); + if ($srclang == 'md') $check = 'restricthtml'; + if ($srclang == 'lang') $check = 'restricthtml'; + if ($srclang == 'php') $check = 'none'; + + $content = GETPOST('editfilecontent', $check); // Save file on disk if ($content) @@ -1556,7 +1567,7 @@ llxHeader('', $langs->trans("ModuleBuilder"), '', '', 0, 0, '/includes/ace/src/ext-statusbar.js', '/includes/ace/src/ext-language_tools.js', //'/includes/ace/src/ext-chromevox.js' - ), array()); + ), array(), '', 'classforhorizontalscrolloftabs'); $text = $langs->trans("ModuleBuilder"); @@ -2552,6 +2563,7 @@ if ($module == 'initmodule') print ''; print ''; print ''; + print ''; print ''; print ''; //print ''; @@ -2571,7 +2583,7 @@ if ($module == 'initmodule') print ''; print ''; print ''; - print ''; + print ''; print ''; print ''; print ''; @@ -2583,6 +2595,7 @@ if ($module == 'initmodule') print ''; print ''; print ''; + print ''; print ''; print ''; //print ''; @@ -2623,6 +2636,7 @@ if ($module == 'initmodule') $propsearchall = $propval['searchall']; $propisameasure = $propval['isameasure']; $propcss = $propval['css']; + $propcssview = $propval['cssview']; $prophelp = $propval['help']; $propshowoncombobox = $propval['showoncombobox']; //$propdisabled=$propval['disabled']; @@ -2631,63 +2645,70 @@ if ($module == 'initmodule') print ''; print ''; print ''; - print ''; - print ''; print ''; print ''; print ''; print ''; print ''; print ''; print ''; print ''; print ''; print ''; print ''; print ''; + print ''; print ''; /*print '';*/ - print ''; print ''; // Expire date print ''; // Author 
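Review bot: `if ($srclang == 'md') $check = 'restricthtml';` and `if ($srclang == 'lang') $check = 'restricthtml';` assign the value `$check` was initialised with two lines earlier, so only the `php` case changes anything; `$check = ($srclang == 'php' ? 'none' : 'restricthtml');` states the rule in one line. Because `none` writes the posted body to disk verbatim, a short comment on why that is acceptable here (presumably the editor is admin-only and must round-trip PHP source byte for byte) would document the exception for the next reader. That `dol_mimetype($pathoffile, '', 3)` returns a short language tag such as `php` is an assumption I cannot confirm from this hunk.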
@@ -1015,7 +1018,7 @@ if ($nbofcheckbox >= 2) } // S'il a oublié de remplir un nom -if (isset($_POST["boutonp"]) && $_POST["nom"] == "") { +if (GETPOSTISSET("boutonp") && GETPOST("nom") == "") { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Name")), null, 'errors'); } diff --git a/htdocs/opensurvey/wizard/choix_autre.php b/htdocs/opensurvey/wizard/choix_autre.php index 5819d901ec9..6b39a70d5e9 100644 --- a/htdocs/opensurvey/wizard/choix_autre.php +++ b/htdocs/opensurvey/wizard/choix_autre.php @@ -36,14 +36,17 @@ if (!$user->rights->opensurvey->write) accessforbidden(); * Action */ +$arrayofchoices = GETPOST('choix', 'array'); +$arrayoftypecolumn = GETPOST('typecolonne', 'array'); + // Set session vars if (isset($_SESSION["nbrecases"])) { for ($i = 0; $i < $_SESSION["nbrecases"]; $i++) { - if (isset($_POST["choix"][$i])) { - $_SESSION["choix$i"] = $_POST["choix"][$i]; + if (isset($arrayofchoices[$i])) { + $_SESSION["choix$i"] = $arrayofchoices[$i]; } - if (isset($_POST["typecolonne"][$i])) { - $_SESSION["typecolonne$i"] = $_POST["typecolonne"][$i]; + if (isset($arrayoftypecolumn[$i])) { + $_SESSION["typecolonne$i"] = $arrayoftypecolumn[$i]; } } } else { //nombre de cases par défaut @@ -56,16 +59,16 @@ if (GETPOST("ajoutcases") || GETPOST("ajoutcases_x")) } // Create survey into database -if (isset($_POST["confirmecreation"])) +if (GETPOSTISSET("confirmecreation")) { //recuperation des données de champs textes $toutchoix = ''; for ($i = 0; $i < $_SESSION["nbrecases"] + 1; $i++) { - if (!empty($_POST["choix"][$i])) + if (!empty($arrayofchoices[$i])) { $toutchoix .= ','; - $toutchoix .= str_replace(array(",", "@"), " ", $_POST["choix"][$i]).(empty($_POST["typecolonne"][$i]) ? '' : '@'.$_POST["typecolonne"][$i]); + $toutchoix .= str_replace(array(",", "@"), " ", $arrayofchoices[$i]).(empty($arrayoftypecolumn[$i]) ? '' : '@'.$arrayoftypecolumn[$i]); } } 
@@ -76,7 +79,7 @@ if (isset($_POST["confirmecreation"])) $testremplissage = ''; for ($i = 0; $i < $_SESSION["nbrecases"]; $i++) { - if (isset($_POST["choix"][$i])) + if (isset($arrayofchoices[$i])) { $testremplissage = "ok"; } @@ -94,7 +97,7 @@ if (isset($_POST["confirmecreation"])) } } - +var_dump($_SESSION);exit; /* diff --git a/htdocs/paybox/admin/paybox.php b/htdocs/paybox/admin/paybox.php index 5323fd8d7df..68d55558c9f 100644 --- a/htdocs/paybox/admin/paybox.php +++ b/htdocs/paybox/admin/paybox.php @@ -35,7 +35,7 @@ $langs->loadLangs(array('admin', 'other', 'paybox', 'paypal')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); if ($action == 'setvalue' && $user->admin) diff --git a/htdocs/paypal/admin/paypal.php b/htdocs/paypal/admin/paypal.php index 71f4b25829b..4c304201c6c 100644 --- a/htdocs/paypal/admin/paypal.php +++ b/htdocs/paypal/admin/paypal.php @@ -37,7 +37,7 @@ $langs->loadLangs(array('admin', 'other', 'paypal', 'paybox')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); if ($action == 'setvalue' && $user->admin) { @@ -72,11 +72,14 @@ if ($action == 'setvalue' && $user->admin) // Payment token for URL $result = dolibarr_set_const($db, "PAYMENT_SECURITY_TOKEN", GETPOST('PAYMENT_SECURITY_TOKEN', 'alpha'), 'chaine', 0, '', $conf->entity); if (!$result > 0) $error++; - $result = dolibarr_set_const($db, "PAYMENT_SECURITY_TOKEN_UNIQUE", GETPOST('PAYMENT_SECURITY_TOKEN_UNIQUE', 'alpha'), 'chaine', 0, '', $conf->entity); - if (!$result > 0) $error++; + if (empty($conf->use_javascript_ajax)) { + $result = dolibarr_set_const($db, "PAYMENT_SECURITY_TOKEN_UNIQUE", GETPOST('PAYMENT_SECURITY_TOKEN_UNIQUE', 'alpha'), 'chaine', 0, '', $conf->entity); + if (!$result > 0) { + $error++; + } + } - if (!$error) - { + if (!$error) { $db->commit(); setEventMessages($langs->trans("SetupSaved"), null, 'mesgs'); } else { 
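Review bot: `var_dump($_SESSION);exit;` added in the `@@ -94,7 +97,7 @@` hunk of choix_autre.php is a leftover debug statement: it prints the whole session, including whatever other modules keep there, into the response and then terminates the page for every request, so the survey wizard can no longer reach the code after it. Remove the line before merging. The creation block it follows starts outside this hunk.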
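Review bot: In paypal.php, `PAYMENT_SECURITY_TOKEN_UNIQUE` is now persisted only when `$conf->use_javascript_ajax` is empty, and nothing in the hunk explains the condition; presumably the option is toggled by an on/off ajax control when JavaScript is available, but a reader of this save handler cannot see that, and if the assumption does not hold the setting silently stops being saved for most browsers. Add a comment above the `if`, e.g. `// With JS enabled this constant is switched directly by the ajax on/off control in the form; only persist it from the POST for non-JS browsers`, after confirming that ajax path exists.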
@@ -120,7 +123,7 @@ print ''; dol_fiche_head($head, 'paypalaccount', '', -1); -print $langs->trans("PaypalDesc")."
\n"; +print ''.$langs->trans("PaypalDesc")."
\n"; // Test if php curl exist if (!function_exists('curl_version')) @@ -156,7 +159,7 @@ print ''; print ''; @@ -169,7 +172,7 @@ print ''; print ''; @@ -199,9 +202,9 @@ print ''; print ''; if (!empty($conf->banque->enabled)) @@ -215,7 +218,7 @@ if (!empty($conf->banque->enabled)) print ''; @@ -248,8 +251,8 @@ print ''; print ''; print ''; @@ -260,15 +263,25 @@ print "\n"; // Payment token for URL print ''; +} +if (! empty($conf->global->PAYMENT_SECURITY_ACCEPT_ANY_TOKEN)) { + $langs->load("errors"); + print img_warning($langs->trans("WarningTheHiddenOptionIsOn", 'PAYMENT_SECURITY_ACCEPT_ANY_TOKEN'), '', 'pictowarning marginleftonly'); +} +print ''; - print ''; +print ''; print '
'.$form->textwithpicto($langs->trans("SearchAll"), $langs->trans("SearchAllDesc")).''.$form->textwithpicto($langs->trans("IsAMeasure"), $langs->trans("IsAMeasureDesc")).''.$langs->trans("CSSClass").''.$langs->trans("CSSViewClass").''.$langs->trans("KeyForTooltip").''.$langs->trans("ShowOnCombobox").''.$langs->trans("Disabled").'
'; - print $propname; + print dol_escape_htmltag($propname); print ''; - print $proplabel; + print dol_escape_htmltag($proplabel); print ''; - print $proptype; + print ''; + print ''.dol_escape_htmltag($proptype).''; print ''; + print ''; if ($proparrayofkeyval) { - print json_encode($proparrayofkeyval); + print ''; + print dol_escape_htmltag(json_encode($proparrayofkeyval)); + print ''; } print ''; - print $propnotnull; + print dol_escape_htmltag($propnotnull); print ''; - print $propdefault; + print dol_escape_htmltag($propdefault); print ''; print $propindex ? '1' : ''; print ''; - print $propforeignkey ? $propforeignkey : ''; + print $propforeignkey ? dol_escape_htmltag($propforeignkey) : ''; print ''; - print $propposition; + print dol_escape_htmltag($propposition); print ''; - print $propenabled ? $propenabled : ''; + print $propenabled ? dol_escape_htmltag($propenabled) : ''; print ''; - print $propvisible ? $propvisible : '0'; + print $propvisible ? dol_escape_htmltag($propvisible) : '0'; print ''; - print $propnoteditable ? $propnoteditable : ''; + print $propnoteditable ? dol_escape_htmltag($propnoteditable) : ''; print ''; print $propsearchall ? '1' : ''; print ''; - print $propisameasure ? $propisameasure : ''; + print $propisameasure ? dol_escape_htmltag($propisameasure) : ''; print ''; - print $propcss ? $propcss : ''; + print $propcss ? dol_escape_htmltag($propcss) : ''; print ''; - print $prophelp ? $prophelp : ''; + print $propcssview ? dol_escape_htmltag($propcssview) : ''; + print ''; + print $prophelp ? dol_escape_htmltag($prophelp) : ''; print ''; - print $propshowoncombobox ? $propshowoncombobox : ''; + print $propshowoncombobox ? dol_escape_htmltag($propshowoncombobox) : ''; print ''; print $propdisabled?$propdisabled:''; print ''; - print $propcomment; + print ''; + print ''; + print dol_escape_htmltag($propcomment); + print ''; print ''; if ($propname != 'rowid') 
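Review bot: `print $propdisabled?$propdisabled:'';` is the one property cell in this row left without `dol_escape_htmltag()` while every neighbouring cell in the `@@ -2631,63 +2645,70 @@` hunk was wrapped; the values come from the module's admin-edited field definitions, so exposure is limited, but the lone unescaped cell now reads as deliberate. `print $propdisabled ? dol_escape_htmltag($propdisabled) : '';` brings it in line with the rest. The hunk is spread over several rendered lines on this page, and the row's opening markup is not visible here.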
diff --git a/htdocs/modulebuilder/template/admin/about.php b/htdocs/modulebuilder/template/admin/about.php index 2140d679695..ebb392810d1 100644 --- a/htdocs/modulebuilder/template/admin/about.php +++ b/htdocs/modulebuilder/template/admin/about.php @@ -48,7 +48,7 @@ $langs->loadLangs(array("errors", "admin", "mymodule@mymodule")); if (!$user->admin) accessforbidden(); // Parameters -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); diff --git a/htdocs/modulebuilder/template/admin/myobject_extrafields.php b/htdocs/modulebuilder/template/admin/myobject_extrafields.php index 065feb6cebe..31bd430d6a3 100644 --- a/htdocs/modulebuilder/template/admin/myobject_extrafields.php +++ b/htdocs/modulebuilder/template/admin/myobject_extrafields.php @@ -41,7 +41,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'mymodule_myobject'; //Must be the $table_element of the class that manage extrafield diff --git a/htdocs/modulebuilder/template/admin/setup.php b/htdocs/modulebuilder/template/admin/setup.php index 4cafe1b9824..b0ef752707c 100644 --- a/htdocs/modulebuilder/template/admin/setup.php +++ b/htdocs/modulebuilder/template/admin/setup.php @@ -50,7 +50,7 @@ $langs->loadLangs(array("admin", "mymodule@mymodule")); if (!$user->admin) accessforbidden(); // Parameters -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); $value = GETPOST('value', 'alpha'); 
@@ -374,7 +374,7 @@ foreach ($myTmpObjects as $myTmpObjectKey => $myTmpObjectArray) {
 $def = array();
 $sql = "SELECT nom";
 $sql .= " FROM ".MAIN_DB_PREFIX."document_model";
- $sql .= " WHERE type = '".$type."'";
+ $sql .= " WHERE type = '".$db->escape($type)."'";
 $sql .= " AND entity = ".$conf->entity;
 $resql = $db->query($sql);
 if ($resql)
diff --git a/htdocs/modulebuilder/template/class/api_mymodule.class.php b/htdocs/modulebuilder/template/class/api_mymodule.class.php
index 67c7246b855..32113b71ef0 100644
--- a/htdocs/modulebuilder/template/class/api_mymodule.class.php
+++ b/htdocs/modulebuilder/template/class/api_mymodule.class.php
@@ -64,7 +64,8 @@ class MyModuleApi extends DolibarrApi
 *
 * @url GET myobjects/{id}
 *
- * @throws RestException
+ * @throws RestException 401 Not allowed
+ * @throws RestException 404 Not found
 */
 public function get($id)
 {
@@ -106,7 +107,7 @@ class MyModuleApi extends DolibarrApi
 global $db, $conf;
 $obj_ret = array();
- $tmpobject = new MyObject($db);
+ $tmpobject = new MyObject($this->db);
 if (!DolibarrApiAccess::$user->rights->mymodule->myobject->read) {
 throw new RestException(401);
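Review bot: `$conf->entity` is still concatenated unescaped on the line right after the new `$db->escape($type)`; it is an internal integer, so a cast costs nothing and keeps the whole statement built the same way: `$sql .= " AND entity = ".((int) $conf->entity);`. The escape on `$type` is sufficient only because the value sits inside single quotes, which is the case here. The enclosing foreach body starts and ends outside the hunk.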
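Review bot: `global $db, $conf;` at the top of the `@@ -106` hunk still imports `$db` even though the new code uses `new MyObject($this->db)` and the following hunk switches the rest of the method to `$this->db`; keeping an unused global handle around is how the two connections get mixed again in the next edit. Reduce it to `global $conf;` once no other `$db` use remains (the method starts before this hunk, so check above it). The same leftover `global $db, $conf;` is visible in the api_mos.class.php hunk later on this page.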
@@ -148,32 +149,32 @@ class MyModuleApi extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { $page = 0; } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); $i = 0; if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); while ($i < $num) { - $obj = $db->fetch_object($result); - $tmp_object = new MyObject($db); + $obj = $this->db->fetch_object($result); + $tmp_object = new MyObject($this->db); if ($tmp_object->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($tmp_object); } $i++; } } else { - throw new RestException(503, 'Error when retrieving myobject list: '.$db->lasterror()); + throw new RestException(503, 'Error when retrieving myobject list: '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No myobject found'); diff --git a/htdocs/modulebuilder/template/class/myobject.class.php b/htdocs/modulebuilder/template/class/myobject.class.php index edf757d96b0..399dd3b10b8 100644 --- a/htdocs/modulebuilder/template/class/myobject.class.php +++ b/htdocs/modulebuilder/template/class/myobject.class.php 
@@ -83,7 +83,7 @@ class MyObject extends CommonObject * 'foreignkey'=>'tablename.field' if the field is a foreign key (it is recommanded to name the field fk_...). * 'searchall' is 1 if we want to search in this field when making a search from the quick search button. * 'isameasure' must be set to 1 if you want to have a total on list for this field. Field type must be summable like integer or double(24,8). - * 'css' is the CSS style to use on field. For example: 'maxwidth200' + * 'css' and 'cssview' is the CSS style to use on field. 'css' is used in creation and update. 'cssview' is used in view mode. For example: 'maxwidth200', 'wordbreak' * 'help' is a string visible as a tooltip on field * 'showoncombobox' if value of the field must be visible into the label of the combobox that list record * 'disabled' is 1 if we want to have the field locked by a 'disabled' attribute. In most cases, this is never set into the definition of $fields into class, but is set dynamically by some part of code. 
@@ -102,7 +102,7 @@ class MyObject extends CommonObject 'rowid' => array('type'=>'integer', 'label'=>'TechnicalID', 'enabled'=>1, 'visible'=>-2, 'noteditable'=>1, 'notnull'=> 1, 'index'=>1, 'position'=>1, 'comment'=>'Id', 'css'=>'left'), 'ref' => array('type'=>'varchar(128)', 'label'=>'Ref', 'enabled'=>1, 'visible'=>1, 'noteditable'=>0, 'default'=>'', 'notnull'=> 1, 'showoncombobox'=>1, 'index'=>1, 'position'=>10, 'searchall'=>1, 'comment'=>'Reference of object'), 'entity' => array('type'=>'integer', 'label'=>'Entity', 'enabled'=>1, 'visible'=>0, 'notnull'=> 1, 'default'=>1, 'index'=>1, 'position'=>20), - 'label' => array('type'=>'varchar(255)', 'label'=>'Label', 'enabled'=>1, 'visible'=>1, 'position'=>30, 'searchall'=>1, 'css'=>'minwidth200', 'help'=>'Help text', 'showoncombobox'=>1), + 'label' => array('type'=>'varchar(255)', 'label'=>'Label', 'enabled'=>1, 'visible'=>1, 'position'=>30, 'searchall'=>1, 'css'=>'minwidth300', 'cssview'=>'wordbreak', 'help'=>'Help text', 'showoncombobox'=>1), 'amount' => array('type'=>'price', 'label'=>'Amount', 'enabled'=>1, 'visible'=>1, 'default'=>'null', 'position'=>40, 'searchall'=>0, 'isameasure'=>1, 'help'=>'Help text for amount'), 'qty' => array('type'=>'real', 'label'=>'Qty', 'enabled'=>1, 'visible'=>1, 'default'=>'0', 'position'=>45, 'searchall'=>0, 'isameasure'=>1, 'help'=>'Help text for quantity', 'css'=>'maxwidth75imp'), 'fk_soc' => array('type'=>'integer:Societe:societe/class/societe.class.php:1:status=1 AND entity IN (__SHARED_ENTITIES__)', 'label'=>'ThirdParty', 'visible'=> 1, 'enabled'=>1, 'position'=>50, 'notnull'=>-1, 'index'=>1, 'help'=>'LinkToThirparty'), 
@@ -426,7 +426,7 @@ class MyObject extends CommonObject } elseif ($key == 'customsql') { $sqlwhere[] = $value; } elseif (strpos($value, '%') === false) { - $sqlwhere[] = $key.' IN ('.$this->db->escape($value).')'; + $sqlwhere[] = $key.' IN ('.$this->db->sanitize($this->db->escape($value)).')'; } else { $sqlwhere[] = $key.' LIKE \'%'.$this->db->escape($value).'%\''; } @@ -813,7 +813,7 @@ class MyObject extends CommonObject } /** - * Return label of the status + * Return the label of the status * * @param int $mode 0=long label, 1=short label, 2=Picto + short label, 3=Picto, 4=Picto + long label, 5=Short label + Picto, 6=Long label + Picto * @return string Label of status diff --git a/htdocs/modulebuilder/template/core/modules/mymodule/doc/pdf_standard_myobject.modules.php b/htdocs/modulebuilder/template/core/modules/mymodule/doc/pdf_standard_myobject.modules.php index 0dbd92aa379..f8fc8466349 100644 --- a/htdocs/modulebuilder/template/core/modules/mymodule/doc/pdf_standard_myobject.modules.php +++ b/htdocs/modulebuilder/template/core/modules/mymodule/doc/pdf_standard_myobject.modules.php @@ -1139,7 +1139,7 @@ class pdf_standard_myobject extends ModelePDFMyObject /** * Show footer of page. Need this->emetteur object * - * @param PDF $pdf PDF + * @param TCPDF $pdf PDF * @param Object $object Object to show * @param Translate $outputlangs Object lang for output * @param int $hidefreetext 1=Hide free text diff --git a/htdocs/modulebuilder/template/mymoduleindex.php b/htdocs/modulebuilder/template/mymoduleindex.php index 91eb5eca8da..3da38a7e02c 100644 --- a/htdocs/modulebuilder/template/mymoduleindex.php +++ b/htdocs/modulebuilder/template/mymoduleindex.php @@ -44,7 +44,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; // Load translation files required by the page $langs->loadLangs(array("mymodule@mymodule")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Security check 
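Review bot: `$this->db->sanitize($this->db->escape($value))` applies two filters whose combination is hard to reason about: the value is not quoted, so escape() alone never made a bare `IN (...)` list safe, and if sanitize() strips backslashes or quotes it undoes the escape anyway. `$key` on the same line is also interpolated as a column name with no check at all, and the `customsql` branch two lines up still appends `$value` verbatim (pre-existing, but worth the same attention). Build the list element by element and restrict `$key` to the declared fields, as sketched below; the enclosing method starts and ends outside the hunk.
```php
} elseif (strpos($value, '%') === false) {
    // Quote and escape each element of the IN list instead of one escape pass over the raw string.
    $quoted = array();
    foreach (explode(',', $value) as $v) {
        $quoted[] = "'".$this->db->escape(trim($v))."'";
    }
    // Column names come from $this->fields; anything else is rejected rather than interpolated.
    if (array_key_exists($key, $this->fields)) {
        $sqlwhere[] = $key.' IN ('.implode(',', $quoted).')';
    }
} else {
// … unchanged: LIKE branch …
```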
@@ -159,8 +159,8 @@ END MODULEBUILDER DRAFT MYOBJECT */ print '
'; -$NBMAX = 3; -$max = 3; +$NBMAX = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT; +$max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT; /* BEGIN MODULEBUILDER LASTMODIFIED MYOBJECT // Last modified myobject diff --git a/htdocs/modulebuilder/template/myobject_agenda.php b/htdocs/modulebuilder/template/myobject_agenda.php index 244a7e01a9c..e05b4e93491 100644 --- a/htdocs/modulebuilder/template/myobject_agenda.php +++ b/htdocs/modulebuilder/template/myobject_agenda.php 
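Review bot: `$NBMAX = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT;` replaces the literal 3 without a fallback, so on an installation where that constant is not defined `$NBMAX` and `$max` become null and whatever LIMIT or loop bound they feed further down (outside the hunk) silently becomes empty or zero. Keep the previous value as the default and cast it: `$NBMAX = empty($conf->global->MAIN_SIZE_SHORTLIST_LIMIT) ? 3 : (int) $conf->global->MAIN_SIZE_SHORTLIST_LIMIT;` followed by `$max = $NBMAX;`.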
@@ -19,9 +19,29 @@ /** * \file htdocs/modulebuilder/template/myobject_agenda.php * \ingroup mymodule - * \brief Page of MyObject events + * \brief Tab of events on MyObject */ +//if (! defined('NOREQUIREDB')) define('NOREQUIREDB','1'); // Do not create database handler $db +//if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1'); // Do not load object $user +//if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1'); // Do not load object $mysoc +//if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1'); // Do not load object $langs +//if (! defined('NOSCANGETFORINJECTION')) define('NOSCANGETFORINJECTION','1'); // Do not check injection attack on GET parameters +//if (! defined('NOSCANPOSTFORINJECTION')) define('NOSCANPOSTFORINJECTION','1'); // Do not check injection attack on POST parameters +//if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK','1'); // Do not check CSRF attack (test on referer + on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on). +//if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Do not roll the Anti CSRF token (used if MAIN_SECURITY_CSRF_WITH_TOKEN is on) +//if (! defined('NOSTYLECHECK')) define('NOSTYLECHECK','1'); // Do not check style html tag into posted data +//if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1'); // If there is no need to load and show top and left menu +//if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1'); // If we don't need to load the html.form.class.php +//if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1'); // Do not load ajax.lib.php library +//if (! defined("NOLOGIN")) define("NOLOGIN",'1'); // If this page is public (can be called outside logged session). This include the NOIPCHECK too. +//if (! defined('NOIPCHECK')) define('NOIPCHECK','1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip +//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT','auto'); // Force lang to a particular value +//if (! 
defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE','aloginmodule'); // Force authentication handler +//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN',1); // The main.inc.php does not make a redirect if not logged, instead show simple error message +//if (! defined("FORCECSP")) define('FORCECSP','none'); // Disable all Content Security Policies +//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN','1'); // Force use of CSRF protection with tokens even for GET + // Load Dolibarr environment $res = 0; // Try main.inc.php into web root known defined into CONTEXT_DOCUMENT_ROOT (not always defined) @@ -50,7 +70,7 @@ $langs->loadLangs(array("mymodule@mymodule", "other")); // Get parameters $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); diff --git a/htdocs/modulebuilder/template/myobject_card.php b/htdocs/modulebuilder/template/myobject_card.php index 1fcfabbe7c6..d97bc8f7f35 100644 --- a/htdocs/modulebuilder/template/myobject_card.php +++ b/htdocs/modulebuilder/template/myobject_card.php @@ -40,7 +40,7 @@ //if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE','aloginmodule'); // Force authentication handler //if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN',1); // The main.inc.php does not make a redirect if not logged, instead show simple error message //if (! defined("FORCECSP")) define('FORCECSP','none'); // Disable all Content Security Policies - +//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN','1'); // Force use of CSRF protection with tokens even for GET // Load Dolibarr environment $res = 0; diff --git a/htdocs/modulebuilder/template/myobject_document.php b/htdocs/modulebuilder/template/myobject_document.php index 186edc11da1..46a8d0c3a10 100644 
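Review bot: The new commented-out block (from `NOREQUIREDB` down to `CSRFCHECK_WITH_TOKEN`) says what each define switches off but not when uncommenting it is acceptable, and since this is a template that module authors copy, the switches that remove protection (`NOSCANGETFORINJECTION`, `NOSCANPOSTFORINJECTION`, `NOCSRFCHECK`, `NOTOKENRENEWAL`, `NOLOGIN`, `NOIPCHECK`, `FORCECSP`) deserve one line of guidance. Suggest a comment above the block: `// Uncomment a line below only if this page really needs it: the NOSCAN*, NOCSRFCHECK, NOTOKENRENEWAL, NOLOGIN, NOIPCHECK and FORCECSP switches disable protections and must stay commented on any page that modifies data.` The same block is added to myobject_document.php, myobject_list.php and myobject_note.php in this commit, so the guidance belongs in all four.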
--- a/htdocs/modulebuilder/template/myobject_document.php +++ b/htdocs/modulebuilder/template/myobject_document.php 
@@ -22,6 +22,26 @@ * \brief Tab for documents linked to MyObject */ +//if (! defined('NOREQUIREDB')) define('NOREQUIREDB','1'); // Do not create database handler $db +//if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1'); // Do not load object $user +//if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1'); // Do not load object $mysoc +//if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1'); // Do not load object $langs +//if (! defined('NOSCANGETFORINJECTION')) define('NOSCANGETFORINJECTION','1'); // Do not check injection attack on GET parameters +//if (! defined('NOSCANPOSTFORINJECTION')) define('NOSCANPOSTFORINJECTION','1'); // Do not check injection attack on POST parameters +//if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK','1'); // Do not check CSRF attack (test on referer + on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on). +//if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Do not roll the Anti CSRF token (used if MAIN_SECURITY_CSRF_WITH_TOKEN is on) +//if (! defined('NOSTYLECHECK')) define('NOSTYLECHECK','1'); // Do not check style html tag into posted data +//if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1'); // If there is no need to load and show top and left menu +//if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1'); // If we don't need to load the html.form.class.php +//if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1'); // Do not load ajax.lib.php library +//if (! defined("NOLOGIN")) define("NOLOGIN",'1'); // If this page is public (can be called outside logged session). This include the NOIPCHECK too. +//if (! defined('NOIPCHECK')) define('NOIPCHECK','1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip +//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT','auto'); // Force lang to a particular value +//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE','aloginmodule'); // Force authentication handler +//if (! 
defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN',1); // The main.inc.php does not make a redirect if not logged, instead show simple error message +//if (! defined("FORCECSP")) define('FORCECSP','none'); // Disable all Content Security Policies +//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN','1'); // Force use of CSRF protection with tokens even for GET + // Load Dolibarr environment $res = 0; // Try main.inc.php into web root known defined into CONTEXT_DOCUMENT_ROOT (not always defined) diff --git a/htdocs/modulebuilder/template/myobject_list.php b/htdocs/modulebuilder/template/myobject_list.php index 333c7dce45a..50307c91161 100644 --- a/htdocs/modulebuilder/template/myobject_list.php +++ b/htdocs/modulebuilder/template/myobject_list.php 
@@ -22,24 +22,25 @@ * \brief List page for myobject */ -//if (! defined('NOREQUIREDB')) define('NOREQUIREDB', '1'); // Do not create database handler $db -//if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER', '1'); // Do not load object $user -//if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC', '1'); // Do not load object $mysoc -//if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN', '1'); // Do not load object $langs -//if (! defined('NOSCANGETFORINJECTION')) define('NOSCANGETFORINJECTION', '1'); // Do not check injection attack on GET parameters -//if (! defined('NOSCANPOSTFORINJECTION')) define('NOSCANPOSTFORINJECTION', '1'); // Do not check injection attack on POST parameters -//if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK', '1'); // Do not check CSRF attack (test on referer + on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on). -//if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL', '1'); // Do not roll the Anti CSRF token (used if MAIN_SECURITY_CSRF_WITH_TOKEN is on) -//if (! defined('NOSTYLECHECK')) define('NOSTYLECHECK', '1'); // Do not check style html tag into posted data -//if (! defined('NOIPCHECK')) define('NOIPCHECK', '1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip -//if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU', '1'); // If there is no need to load and show top and left menu -//if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php -//if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX', '1'); // Do not load ajax.lib.php library -//if (! defined("NOLOGIN")) define("NOLOGIN", '1'); // If this page is public (can be called outside logged session) -//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT', 'auto'); // Force lang to a particular value -//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE', 'aloginmodule'); // Force authentication handler -//if (! 
defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN', '1'); // The main.inc.php does not make a redirect if not logged, instead show simple error message -//if (! defined("XFRAMEOPTIONS_ALLOWALL")) define('XFRAMEOPTIONS_ALLOWALL', '1'); // Do not add the HTTP header 'X-Frame-Options: SAMEORIGIN' but 'X-Frame-Options: ALLOWALL' +//if (! defined('NOREQUIREDB')) define('NOREQUIREDB','1'); // Do not create database handler $db +//if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1'); // Do not load object $user +//if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1'); // Do not load object $mysoc +//if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1'); // Do not load object $langs +//if (! defined('NOSCANGETFORINJECTION')) define('NOSCANGETFORINJECTION','1'); // Do not check injection attack on GET parameters +//if (! defined('NOSCANPOSTFORINJECTION')) define('NOSCANPOSTFORINJECTION','1'); // Do not check injection attack on POST parameters +//if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK','1'); // Do not check CSRF attack (test on referer + on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on). +//if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Do not roll the Anti CSRF token (used if MAIN_SECURITY_CSRF_WITH_TOKEN is on) +//if (! defined('NOSTYLECHECK')) define('NOSTYLECHECK','1'); // Do not check style html tag into posted data +//if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1'); // If there is no need to load and show top and left menu +//if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1'); // If we don't need to load the html.form.class.php +//if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1'); // Do not load ajax.lib.php library +//if (! defined("NOLOGIN")) define("NOLOGIN",'1'); // If this page is public (can be called outside logged session). This include the NOIPCHECK too. +//if (! 
defined('NOIPCHECK')) define('NOIPCHECK','1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip +//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT','auto'); // Force lang to a particular value +//if (! defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE','aloginmodule'); // Force authentication handler +//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN',1); // The main.inc.php does not make a redirect if not logged, instead show simple error message +//if (! defined("FORCECSP")) define('FORCECSP','none'); // Disable all Content Security Policies +//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN','1'); // Force use of CSRF protection with tokens even for GET // Load Dolibarr environment $res = 0; @@ -83,8 +84,8 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page < 0 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters $offset = $limit * $page; diff --git a/htdocs/modulebuilder/template/myobject_note.php b/htdocs/modulebuilder/template/myobject_note.php index aece1f98f29..1a6fd1a4cc6 100644 --- a/htdocs/modulebuilder/template/myobject_note.php +++ b/htdocs/modulebuilder/template/myobject_note.php 
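Review bot: `GETPOST('sortfield', 'aZ09comma')` and `GETPOST('sortorder', 'aZ09comma')` narrow the character set of two values that end up in an ORDER BY clause further down (outside the hunk), which is the right direction; depending on the GETPOST implementation a value containing a disallowed character is either stripped or replaced by an empty string, so make sure the page's default sort (also outside the hunk) covers an empty `$sortfield`. `$sortorder` can be checked more tightly than a character class, since each comma-separated token can only be ASC or DESC: `if ($sortorder && !preg_match('/^(asc|desc)(,(asc|desc))*$/i', $sortorder)) $sortorder = '';`. The same change is made in mo_list.php and opensurvey/list.php on this page.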
@@ -19,9 +19,29 @@ /** * \file htdocs/modulebuilder/template/myobject_note.php * \ingroup mymodule - * \brief Car with notes on MyObject + * \brief Tab for notes on MyObject */ +//if (! defined('NOREQUIREDB')) define('NOREQUIREDB','1'); // Do not create database handler $db +//if (! defined('NOREQUIREUSER')) define('NOREQUIREUSER','1'); // Do not load object $user +//if (! defined('NOREQUIRESOC')) define('NOREQUIRESOC','1'); // Do not load object $mysoc +//if (! defined('NOREQUIRETRAN')) define('NOREQUIRETRAN','1'); // Do not load object $langs +//if (! defined('NOSCANGETFORINJECTION')) define('NOSCANGETFORINJECTION','1'); // Do not check injection attack on GET parameters +//if (! defined('NOSCANPOSTFORINJECTION')) define('NOSCANPOSTFORINJECTION','1'); // Do not check injection attack on POST parameters +//if (! defined('NOCSRFCHECK')) define('NOCSRFCHECK','1'); // Do not check CSRF attack (test on referer + on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on). +//if (! defined('NOTOKENRENEWAL')) define('NOTOKENRENEWAL','1'); // Do not roll the Anti CSRF token (used if MAIN_SECURITY_CSRF_WITH_TOKEN is on) +//if (! defined('NOSTYLECHECK')) define('NOSTYLECHECK','1'); // Do not check style html tag into posted data +//if (! defined('NOREQUIREMENU')) define('NOREQUIREMENU','1'); // If there is no need to load and show top and left menu +//if (! defined('NOREQUIREHTML')) define('NOREQUIREHTML','1'); // If we don't need to load the html.form.class.php +//if (! defined('NOREQUIREAJAX')) define('NOREQUIREAJAX','1'); // Do not load ajax.lib.php library +//if (! defined("NOLOGIN")) define("NOLOGIN",'1'); // If this page is public (can be called outside logged session). This include the NOIPCHECK too. +//if (! defined('NOIPCHECK')) define('NOIPCHECK','1'); // Do not check IP defined into conf $dolibarr_main_restrict_ip +//if (! defined("MAIN_LANG_DEFAULT")) define('MAIN_LANG_DEFAULT','auto'); // Force lang to a particular value +//if (! 
defined("MAIN_AUTHENTICATION_MODE")) define('MAIN_AUTHENTICATION_MODE','aloginmodule'); // Force authentication handler +//if (! defined("NOREDIRECTBYMAINTOLOGIN")) define('NOREDIRECTBYMAINTOLOGIN',1); // The main.inc.php does not make a redirect if not logged, instead show simple error message +//if (! defined("FORCECSP")) define('FORCECSP','none'); // Disable all Content Security Policies +//if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN','1'); // Force use of CSRF protection with tokens even for GET + // Load Dolibarr environment $res = 0; // Try main.inc.php into web root known defined into CONTEXT_DOCUMENT_ROOT (not always defined) @@ -46,7 +66,7 @@ $langs->loadLangs(array("mymodule@mymodule", "companies")); // Get parameters $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); diff --git a/htdocs/modulebuilder/template/test/phpunit/MyObjectTest.php b/htdocs/modulebuilder/template/test/phpunit/MyObjectTest.php index d9693402980..169bfeb92f6 100644 --- a/htdocs/modulebuilder/template/test/phpunit/MyObjectTest.php +++ b/htdocs/modulebuilder/template/test/phpunit/MyObjectTest.php @@ -17,12 +17,26 @@ */ /** - * \file test/unit/MyObjectTest.php + * \file test/phpunit/MyObjectTest.php * \ingroup mymodule * \brief PHPUnit test for MyObject class. */ -namespace test\unit; +global $conf,$user,$langs,$db; +//define('TEST_DB_FORCE_TYPE','mysql'); // This is to force using mysql driver +//require_once 'PHPUnit/Autoload.php'; +require_once dirname(__FILE__).'/../../htdocs/master.inc.php'; +require_once dirname(__FILE__).'/../../htdocs/mymodule/class/myobject.class.php'; + +if (empty($user->id)) { + print "Load permissions for admin user nb 1\n"; + $user->fetch(1); + $user->getrights(); +} +$conf->global->MAIN_DISABLE_ALL_MAILS=1; + +$langs->load("main"); + /** * Class MyObjectTest 
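Review bot: `require_once dirname(__FILE__).'/../../htdocs/master.inc.php'` and the `.../htdocs/mymodule/class/myobject.class.php` line below it resolve relative to a Dolibarr checkout root, which is the layout of the core test/phpunit directory; this template is generated into a module directory (htdocs/mymodule/ or custom/mymodule/), where `../../` from test/phpunit lands in the module folder and no `htdocs/master.inc.php` exists, so verify the intended location and adjust the number of `../`. The bootstrap also runs on include against whatever database `master.inc.php` configures and loads the admin user with rowid 1 via `$user->fetch(1)`; a comment would keep someone from running the suite against a live instance: `// NOTE: runs against the database configured in conf.php; point it at a throw-away instance before launching phpunit.`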
@@ -30,13 +44,43 @@ namespace test\unit; */ class MyObjectTest extends \PHPUnit_Framework_TestCase { + protected $savconf; + protected $savuser; + protected $savlangs; + protected $savdb; + + /** + * Constructor + * We save global variables into local variables + * + * @return MyObject + */ + public function __construct() + { + parent::__construct(); + + //$this->sharedFixture + global $conf,$user,$langs,$db; + $this->savconf=$conf; + $this->savuser=$user; + $this->savlangs=$langs; + $this->savdb=$db; + + print __METHOD__." db->type=".$db->type." user->id=".$user->id; + //print " - db ".$db->db; + print "\n"; + } + /** * Global test setup * @return void */ public static function setUpBeforeClass() { - fwrite(STDOUT, __METHOD__."\n"); + global $conf,$user,$langs,$db; + $db->begin(); // This is to have all actions inside a transaction even if test launched without suite. + + print __METHOD__."\n"; } /** @@ -45,36 +89,13 @@ class MyObjectTest extends \PHPUnit_Framework_TestCase */ protected function setUp() { - fwrite(STDOUT, __METHOD__."\n"); - } + global $conf,$user,$langs,$db; + $conf=$this->savconf; + $user=$this->savuser; + $langs=$this->savlangs; + $db=$this->savdb; - /** - * Verify pre conditions - * @return void - */ - protected function assertPreConditions() - { - fwrite(STDOUT, __METHOD__."\n"); - } - - /** - * A sample test - * @return bool - */ - public function testSomething() - { - fwrite(STDOUT, __METHOD__."\n"); - // TODO: test something - $this->assertTrue(true); - } - - /** - * Verify post conditions - * @return void - */ - protected function assertPostConditions() - { - fwrite(STDOUT, __METHOD__."\n"); + print __METHOD__."\n"; } /** @@ -83,7 +104,7 @@ class MyObjectTest extends \PHPUnit_Framework_TestCase */ protected function tearDown() { - fwrite(STDOUT, __METHOD__."\n"); + print __METHOD__."\n"; } /** 
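Review bot: The docblock on the new `__construct()` says `@return MyObject`, but a constructor returns nothing and the class is MyObjectTest; use `@return void` or drop the tag. `$db->begin()` in `setUpBeforeClass()` is undone by the `$db->rollback()` in the next hunk, which isolates the suite from the database only as long as no test calls `$db->commit()`; say so next to the begin: `// Everything done by the tests is rolled back in tearDownAfterClass(); never call $db->commit() from a test.`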
@@ -92,19 +113,30 @@ class MyObjectTest extends \PHPUnit_Framework_TestCase */ public static function tearDownAfterClass() { - fwrite(STDOUT, __METHOD__."\n"); + global $conf,$user,$langs,$db; + $db->rollback(); + + print __METHOD__."\n"; } + /** - * Unsuccessful test - * - * @param Exception $e Exception - * @return void - * @throws Exception + * A sample test + * @return bool */ - protected function onNotSuccessfulTest(Exception $e) + public function testSomething() { - fwrite(STDOUT, __METHOD__."\n"); - throw $e; + global $conf,$user,$langs,$db; + $conf=$this->savconf; + $user=$this->savuser; + $langs=$this->savlangs; + $db=$this->savdb; + + $result = true; + + print __METHOD__." result=".$result."\n"; + $this->assertTrue($result); + + return $result; } } diff --git a/htdocs/mrp/ajax/ajax_bom.php b/htdocs/mrp/ajax/ajax_bom.php index 57f1089c2e2..adf4a8f4ee7 100644 --- a/htdocs/mrp/ajax/ajax_bom.php +++ b/htdocs/mrp/ajax/ajax_bom.php @@ -34,7 +34,7 @@ require '../../main.inc.php'; // Load $user and permissions require_once DOL_DOCUMENT_ROOT.'/bom/class/bom.class.php'; $idbom = GETPOST('idbom', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); /* diff --git a/htdocs/mrp/class/api_mos.class.php b/htdocs/mrp/class/api_mos.class.php index 9dcb26149ef..d502e5cc99d 100644 --- a/htdocs/mrp/class/api_mos.class.php +++ b/htdocs/mrp/class/api_mos.class.php @@ -99,7 +99,7 @@ class Mos extends DolibarrApi global $db, $conf; $obj_ret = array(); - $tmpobject = new Mo($db); + $tmpobject = new Mo($this->db); $socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : ''; @@ -139,7 +139,7 @@ class Mos extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { 
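Review bot: The ajax_bom.php hunk tightens `$action` to `aZ09` but leaves `$idbom = GETPOST('idbom', 'alpha');` on the line above; if idbom is the rowid of a BOM, as its name suggests, the `'int'` check would guarantee that only a number reaches the lookup that follows (outside the hunk): `$idbom = GETPOST('idbom', 'int');`. If it can legitimately be a ref string, a short comment saying so would stop the next reader from asking the same question.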
@@ -147,18 +147,18 @@ class Mos extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $i = 0; while ($i < $num) { - $obj = $db->fetch_object($result); - $tmp_object = new Mo($db); + $obj = $this->db->fetch_object($result); + $tmp_object = new Mo($this->db); if ($tmp_object->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($tmp_object); } diff --git a/htdocs/mrp/mo_agenda.php b/htdocs/mrp/mo_agenda.php index 755b2232df3..c2107296b2b 100644 --- a/htdocs/mrp/mo_agenda.php +++ b/htdocs/mrp/mo_agenda.php @@ -40,7 +40,7 @@ $langs->loadLangs(array("mrp", "other")); // Get parameters $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); diff --git a/htdocs/mrp/mo_list.php b/htdocs/mrp/mo_list.php index 57efff54bc0..b9da34958d4 100644 --- a/htdocs/mrp/mo_list.php +++ b/htdocs/mrp/mo_list.php @@ -51,8 +51,8 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action $offset = $limit * $page; 
diff --git a/htdocs/mrp/mo_note.php b/htdocs/mrp/mo_note.php
index 7d0fe785c58..f25ebc35d0d 100644
--- a/htdocs/mrp/mo_note.php
+++ b/htdocs/mrp/mo_note.php
@@ -35,7 +35,7 @@ $langs->loadLangs(array("mrp", "companies"));
 // Get parameters
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $cancel = GETPOST('cancel', 'aZ09');
 $backtopage = GETPOST('backtopage', 'alpha');
diff --git a/htdocs/multicurrency/class/multicurrency.class.php b/htdocs/multicurrency/class/multicurrency.class.php
index 3641c6abf0f..2ce3277ae89 100644
--- a/htdocs/multicurrency/class/multicurrency.class.php
+++ b/htdocs/multicurrency/class/multicurrency.class.php
@@ -427,11 +427,11 @@ class MultiCurrency extends CommonObject
 {
 global $db, $user;
- $currency = new MultiCurrency($db);
+ $currency = new MultiCurrency($this->db);
 $currency->code = $code;
 $currency->name = $code;
- $sql = 'SELECT label FROM '.MAIN_DB_PREFIX.'c_currencies WHERE code_iso = \''.$db->escape($code).'\'';
+ $sql = 'SELECT label FROM '.MAIN_DB_PREFIX."c_currencies WHERE code_iso = '".$this->db->escape($code)."'";
 dol_syslog(__METHOD__, LOG_DEBUG);
 $resql = $db->query($sql);
@@ -486,15 +486,15 @@ class MultiCurrency extends CommonObject
 * Get id of currency from code
 *
 * @param DoliDB $db object db
- * @param string $code code value search
+ * @param string $code code value search
 *
 * @return int 0 if not found, >0 if OK
 */
- public static function getIdFromCode(&$db, $code)
+ public static function getIdFromCode($db, $code)
 {
 global $conf;
- $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.'multicurrency WHERE code = \''.$db->escape($code).'\' AND entity = '.$conf->entity;
+ $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX."multicurrency WHERE code = '".$db->escape($code)."' AND entity = ".$conf->entity;
 dol_syslog(__METHOD__, LOG_DEBUG);
 $resql = $db->query($sql);
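Review bot: In the `@@ -427` hunk the new code escapes `$code` with `$this->db->escape()`, but two lines later the statement is still executed through the global handle, `$resql = $db->query($sql);`, and `global $db, $user;` is still declared at the top. Escaping rules and the connection charset belong to one handle, so execute on the same one, `$resql = $this->db->query($sql);`, and drop `$db` from the global line. The method continues outside the hunk; check the remaining `$db` uses there as well.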
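Review bot: In the rewritten `$sql` of `getIdFromCode()` (`@@ -486` hunk), `$conf->entity` is concatenated without quoting or casting on the same line where `$code` is escaped; it is an internal integer, but casting keeps the statement uniformly defended: `." AND entity = ".((int) $conf->entity);`. Removing the `&` from the `$db` parameter is harmless for an object handle and callers are unaffected; the same signature change is made for `getIdAndTxFromCode()` in the next hunk.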
@@ -512,7 +512,7 @@ class MultiCurrency extends CommonObject
 * @return array [0] => id currency
 * [1] => rate
 */
- public static function getIdAndTxFromCode(&$db, $code, $date_document = '')
+ public static function getIdAndTxFromCode($db, $code, $date_document = '')
 {
 global $conf;
diff --git a/htdocs/opensurvey/list.php b/htdocs/opensurvey/list.php
index e4eed717333..f17a4615eef 100644
--- a/htdocs/opensurvey/list.php
+++ b/htdocs/opensurvey/list.php
@@ -47,8 +47,8 @@ $search_status = GETPOST('search_status', 'alpha');
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
-$sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action
 $offset = $limit * $page;
diff --git a/htdocs/opensurvey/results.php b/htdocs/opensurvey/results.php
index be252188190..3327800527d 100644
--- a/htdocs/opensurvey/results.php
+++ b/htdocs/opensurvey/results.php
@@ -58,7 +58,7 @@ if (GETPOST('retoursondage')) {
 $nbcolonnes = substr_count($object->sujet, ',') + 1;
 // Add vote
-if (GETPOST("boutonp") || GETPOST("boutonp.x") || GETPOST("boutonp_x")) // boutonp for chrom, boutonp.x for firefox
+if (GETPOST("boutonp") || GETPOST("boutonp.x") || GETPOST("boutonp_x")) // boutonp for chrome, boutonp.x for firefox
 {
 if (GETPOST('nom')) {
@@ -158,7 +158,7 @@ if (GETPOST("ajoutercolonne") && GETPOST('nouvellecolonne') && $object->format = //on rajoute la valeur a la fin de tous les sujets deja entrés $nouveauxsujets .= ','; - $nouveauxsujets .= str_replace(array(",", "@"), " ", $_POST["nouvellecolonne"]).(empty($_POST["typecolonne"]) ? '' : '@'.$_POST["typecolonne"]); + $nouveauxsujets .= str_replace(array(",", "@"), " ", GETPOST("nouvellecolonne")).(empty($_POST["typecolonne"]) ? '' : '@'.GETPOST("typecolonne")); //mise a jour avec les nouveaux sujets dans la base $sql = 'UPDATE '.MAIN_DB_PREFIX."opensurvey_sondage"; @@ -186,21 +186,21 @@ if (isset($_POST["ajoutercolonne"]) && $object->format == "D") if (isset($_POST["nouvelleheuredebut"]) && $_POST["nouvelleheuredebut"] != "vide") { $nouvelledate .= "@"; - $nouvelledate .= $_POST["nouvelleheuredebut"]; + $nouvelledate .= GETPOST("nouvelleheuredebut"); $nouvelledate .= "h"; if ($_POST["nouvelleminutedebut"] != "vide") { - $nouvelledate .= $_POST["nouvelleminutedebut"]; + $nouvelledate .= GETPOST("nouvelleminutedebut"); } } if (isset($_POST["nouvelleheurefin"]) && $_POST["nouvelleheurefin"] != "vide") { $nouvelledate .= "-"; - $nouvelledate .= $_POST["nouvelleheurefin"]; + $nouvelledate .= GETPOST("nouvelleheurefin"); $nouvelledate .= "h"; if ($_POST["nouvelleminutefin"] != "vide") { - $nouvelledate .= $_POST["nouvelleminutefin"]; + $nouvelledate .= GETPOST("nouvelleminutefin"); } } @@ -451,7 +451,10 @@ print '
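Review bot: In the -186 hunk the hour and minute values are now read through `GETPOST()` but the guards around them still read raw `$_POST` (`isset($_POST["nouvelleheuredebut"]) && $_POST["nouvelleheuredebut"] != "vide"`), so the check and the stored value come from different sources and can disagree once the sanitizer alters the input. These are numbers, so read them with an explicit check, e.g. `$nouvelledate .= GETPOST("nouvelleheuredebut", 'int');`, and replace the `isset($_POST[...])` tests with `GETPOSTISSET(...)`. The same mix survives in the -158 hunk (`empty($_POST["typecolonne"])` next to `GETPOST("typecolonne")`); `$nouvelledate` is consumed after the hunk ends, presumably in the UPDATE that follows, which is not visible here.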
'.$langs->trans('ExpireDate').''; if ($action == 'edit') print $form->selectDate($expiredate ? $expiredate : $object->date_fin, 'expire', 0, 0, 0, '', 1, 0); -else print dol_print_date($object->date_fin, 'day'); +else { + print dol_print_date($object->date_fin, 'day'); + if ($object->date_fin && $object->date_fin < dol_now() && $object->status == Opensurveysondage::STATUS_VALIDATED) print img_warning($langs->trans("Expired")); +} print '
'; print $langs->trans("PAYPAL_API_USER").''; print ''; -print '   '.$langs->trans("Example").': admin-facilitator_api1.example.com, paypal_api1.mywebsite.com'; +print '   '.$langs->trans("Example").': admin-facilitator_api1.example.com, paypal_api1.mywebsite.com'; print '
'; print $langs->trans("PAYPAL_API_SIGNATURE").''; print ''; -print '
'.$langs->trans("Example").': ASsqXEmw4KzmX-CPChWSVDNCNfd.A3YNR7uz-VncXXAERFDFDFDF'; +print '
'.$langs->trans("Example").': ASsqXEmw4KzmX-CPChWSVDNCNfd.A3YNR7uz-VncXXAERFDFDFDF'; print '
'; -print $langs->trans("VendorName").''; +print $langs->trans("PublicVendorName").''; print ''; -print '   '.$langs->trans("Example").': '.$mysoc->name; +print '   '.$langs->trans("Example").': '.$mysoc->name.''; print '
'; print $langs->trans("CSSUrlForPaymentForm").''; print ''; -print '   '.$langs->trans("Example").': http://mysite/mycss.css'; +print '   '.$langs->trans("Example").': http://mysite/mycss.css'; print '
'; print $langs->trans("ONLINE_PAYMENT_SENDEMAIL").''; -print ''; -print '   '.$langs->trans("Example").': myemail@myserver.com, Payment service <myemail2@myserver2.com>'; +print ''; +print '   '.$langs->trans("Example").': myemail@myserver.com, Payment service <myemail2@myserver2.com>'; print '
'; print $langs->trans("SecurityToken").''; -print ''; -if (!empty($conf->use_javascript_ajax)) +print ''; +if (!empty($conf->use_javascript_ajax)) { print ' '.img_picto($langs->trans('Generate'), 'refresh', 'id="generate_token" class="linkobject"'); - print '
'; - print $langs->trans("SecurityTokenIsUnique").''; - print $form->selectyesno("PAYMENT_SECURITY_TOKEN_UNIQUE", (empty($conf->global->PAYMENT_SECURITY_TOKEN) ? 0 : $conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE), 1); - print '
'; +print $langs->trans("SecurityTokenIsUnique").''; +if ($conf->use_javascript_ajax) { + print ajax_constantonoff('PAYMENT_SECURITY_TOKEN_UNIQUE'); +} else { + $arrval = array('0' => $langs->trans("No"), '1' => $langs->trans("Yes")); + print $form->selectarray("PAYMENT_SECURITY_TOKEN_UNIQUE", $arrval, $conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE); +} +print '
'; diff --git a/htdocs/printing/admin/printing.php b/htdocs/printing/admin/printing.php index 02fd4545c84..f76b7d66fbe 100644 --- a/htdocs/printing/admin/printing.php +++ b/htdocs/printing/admin/printing.php @@ -35,7 +35,7 @@ $langs->loadLangs(array('admin', 'printing', 'oauth')); if (!$user->admin) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $mode = GETPOST('mode', 'alpha'); $value = GETPOST('value', 'alpha', 0, null, null, 1); // The value may be __google__docs so we force disable of replace $varname = GETPOST('varname', 'alpha'); diff --git a/htdocs/product/admin/dynamic_prices.php b/htdocs/product/admin/dynamic_prices.php index 752ddecbea8..bc9f1048b4b 100644 --- a/htdocs/product/admin/dynamic_prices.php +++ b/htdocs/product/admin/dynamic_prices.php @@ -31,7 +31,7 @@ require_once DOL_DOCUMENT_ROOT.'/product/dynamic_price/class/price_global_variab $langs->load("products"); $id = GETPOST('id', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $save = GETPOST('save', 'alpha'); $cancel = GETPOST('cancel', 'alpha'); $selection = GETPOST('selection', 'int'); @@ -64,7 +64,7 @@ if (!empty($action) && empty($cancel)) { //Global variable actions if ($action == 'create_variable' || $action == 'edit_variable') { $price_globals->code = GETPOSTISSET('code') ?GETPOST('code', 'alpha') : $price_globals->code; - $price_globals->description = GETPOSTISSET('description') ?GETPOST('description', 'alpha') : $price_globals->description; + $price_globals->description = GETPOSTISSET('description') ?GETPOST('description', 'restricthtml') : $price_globals->description; $price_globals->value = GETPOSTISSET('value') ?GETPOST('value', 'int') : $price_globals->value; //Check if record already exists only when saving if (!empty($save)) { 
@@ -101,11 +101,11 @@ if (!empty($action) && empty($cancel)) {
 //Updaters actions
 if ($action == 'create_updater' || $action == 'edit_updater') {
- $price_updaters->type = GETPOSTISSET('type') ?GETPOST('type', 'int') : $price_updaters->type;
- $price_updaters->description = GETPOSTISSET('description') ?GETPOST('description', 'alpha') : $price_updaters->description;
- $price_updaters->parameters = GETPOSTISSET('parameters') ?GETPOST('parameters') : $price_updaters->parameters;
- $price_updaters->fk_variable = GETPOSTISSET('fk_variable') ?GETPOST('fk_variable', 'int') : $price_updaters->fk_variable;
- $price_updaters->update_interval = GETPOSTISSET('update_interval') ?GETPOST('update_interval', 'int') : $price_updaters->update_interval;
+ $price_updaters->type = GETPOSTISSET('type') ? GETPOST('type', 'int') : $price_updaters->type;
+ $price_updaters->description = GETPOSTISSET('description') ? GETPOST('description', 'restricthtml') : $price_updaters->description;
+ $price_updaters->parameters = GETPOSTISSET('parameters') ? GETPOST('parameters', 'alphanohtml') : $price_updaters->parameters;
+ $price_updaters->fk_variable = GETPOSTISSET('fk_variable') ? GETPOST('fk_variable', 'int') : $price_updaters->fk_variable;
+ $price_updaters->update_interval = GETPOSTISSET('update_interval') ? GETPOST('update_interval', 'int') : $price_updaters->update_interval;
 }
 if ($action == 'create_updater' && !empty($save)) { //Verify if process() works
diff --git a/htdocs/product/admin/product.php b/htdocs/product/admin/product.php
index ef11037a656..f037dfb3d6f 100644
--- a/htdocs/product/admin/product.php
+++ b/htdocs/product/admin/product.php
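Review bot: `GETPOST('parameters', 'alphanohtml')` silently rewrites whatever an updater's parameters contain, and nothing in the hunk shows what that field holds; if it can legitimately carry `<`, `>` or quotes (a URL, or a JSON/XML payload for a web-service updater, which the field name suggests), the value is now stored mangled with no error to the user. Confirm the expected format against the PriceUpdater class before merging; if markup characters are allowed, prefer `GETPOST('parameters', 'restricthtml')` or validate the value explicitly and reject it with an error rather than filtering it. The `'int'` checks on `type`, `fk_variable` and `update_interval` look correct.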
@@ -43,7 +43,7 @@ $langs->loadLangs(array("admin", "products")); if (!$user->admin || (empty($conf->product->enabled) && empty($conf->service->enabled))) accessforbidden(); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $value = GETPOST('value', 'alpha'); $label = GETPOST('label', 'alpha'); $scandir = GETPOST('scan_dir', 'alpha'); @@ -378,7 +378,7 @@ print '
'; $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; -$sql .= " WHERE type = '".$type."'"; +$sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/product/admin/product_extrafields.php b/htdocs/product/admin/product_extrafields.php index 1e67a1d469a..59d6437578c 100644 --- a/htdocs/product/admin/product_extrafields.php +++ b/htdocs/product/admin/product_extrafields.php @@ -40,7 +40,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'product'; //Must be the $element of the class that manage extrafield diff --git a/htdocs/product/admin/product_lot_extrafields.php b/htdocs/product/admin/product_lot_extrafields.php index 625ca8bf1b3..e5e058927a1 100644 --- a/htdocs/product/admin/product_lot_extrafields.php +++ b/htdocs/product/admin/product_lot_extrafields.php @@ -40,7 +40,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'product_lot'; //Must be the $element of the class that manage extrafield diff --git a/htdocs/product/admin/product_supplier_extrafields.php b/htdocs/product/admin/product_supplier_extrafields.php index b400843ab5c..daaf3a9edfd 100644 --- a/htdocs/product/admin/product_supplier_extrafields.php +++ b/htdocs/product/admin/product_supplier_extrafields.php 
@@ -41,7 +41,7 @@ $tmptype2label = ExtraFields::$type2label;
 $type2label = array('');
 foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val);
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $attrname = GETPOST('attrname', 'alpha');
 $elementtype = 'product_fournisseur_price'; //Must be the $element of the class that manage extrafield
diff --git a/htdocs/product/admin/product_tools.php b/htdocs/product/admin/product_tools.php
index ce7bcf733a5..592dd89baaa 100644
--- a/htdocs/product/admin/product_tools.php
+++ b/htdocs/product/admin/product_tools.php
@@ -37,7 +37,7 @@ $langs->loadLangs(array('admin', 'products'));
 // Security check
 if (!$user->admin) accessforbidden();
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $oldvatrate = GETPOST('oldvatrate', 'alpha');
 $newvatrate = GETPOST('newvatrate', 'alpha');
 //$price_base_type=GETPOST('price_base_type');
@@ -90,7 +90,7 @@ if ($action == 'convert')
 $sql .= ' FROM '.MAIN_DB_PREFIX.'product';
 $sql .= ' WHERE entity IN ('.getEntity('product').')';
 $sql .= " AND tva_tx = '".$db->escape($oldvatrateclean)."'";
- if ($vat_src_code_old) $sql .= " AND default_vat_code = '".$vat_src_code_old."'";
+ if ($vat_src_code_old) $sql .= " AND default_vat_code = '".$db->escape($vat_src_code_old)."'";
 else " AND default_vat_code = IS NULL";
 $resql = $db->query($sql);
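Review bot: The context line right below the changed one in the -90 hunk, `else " AND default_vat_code = IS NULL";`, is a bare string expression: nothing is appended to `$sql`, so when `$vat_src_code_old` is empty the products are not filtered by VAT code at all, and the literal itself is not valid SQL (`= IS NULL`). Escaping the code is right, but the branch should read `else $sql .= " AND default_vat_code IS NULL";` (or `AND (default_vat_code IS NULL OR default_vat_code = '')` if empty strings are stored in that column — I cannot tell from here). The `if ($action == 'convert')` block starts and ends outside the hunk.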
@@ -182,9 +182,9 @@ if ($action == 'convert')
 $sql .= ' FROM '.MAIN_DB_PREFIX.'product_fournisseur_price as pfp, '.MAIN_DB_PREFIX.'societe as s';
 $sql .= ' WHERE pfp.fk_soc = s.rowid AND pfp.entity IN ('.getEntity('product').')';
 $sql .= " AND tva_tx = '".$db->escape($oldvatrate)."'";
- if ($vat_src_code_old) $sql .= " AND default_vat_code = '".$vat_src_code_old."'";
+ if ($vat_src_code_old) $sql .= " AND default_vat_code = '".$db->escape($vat_src_code_old)."'";
 else " AND default_vat_code = IS NULL";
- $sql .= " AND s.fk_pays = '".$country_id."'";
+ $sql .= " AND s.fk_pays = ".((int) $country_id);
 //print $sql;
 $resql = $db->query($sql);
 if ($resql)
diff --git a/htdocs/product/admin/stock_extrafields.php b/htdocs/product/admin/stock_extrafields.php
index 22ad53cd0e8..4c9e1435c15 100644
--- a/htdocs/product/admin/stock_extrafields.php
+++ b/htdocs/product/admin/stock_extrafields.php
@@ -39,7 +39,7 @@ $tmptype2label = ExtraFields::$type2label;
 $type2label = array('');
 foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val);
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $attrname = GETPOST('attrname', 'alpha');
 $elementtype = 'entrepot'; //Must be the $table_element of the class that manage extrafield
diff --git a/htdocs/product/ajax/products.php b/htdocs/product/ajax/products.php
index f206d868347..7441d88abc0 100644
--- a/htdocs/product/ajax/products.php
+++ b/htdocs/product/ajax/products.php
@@ -39,7 +39,7 @@ $mode = GETPOST('mode', 'int');
 $status = ((GETPOST('status', 'int') >= 0) ? GETPOST('status', 'int') : - 1);
 $outjson = (GETPOST('outjson', 'int') ? GETPOST('outjson', 'int') : 0);
 $price_level = GETPOST('price_level', 'int');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $id = GETPOST('id', 'int');
 $price_by_qty_rowid = GETPOST('pbq', 'int');
 $finished = GETPOST('finished', 'int');
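Review bot: The supplier-price query in the -182 hunk keeps the same dead statement as the product query, `else " AND default_vat_code = IS NULL";`, which appends nothing to `$sql` and would be invalid SQL if it did; it should be `else $sql .= " AND default_vat_code IS NULL";`. This query also filters with `$db->escape($oldvatrate)` while the product query above uses `$oldvatrateclean`; if the two values differ (the names suggest one is a normalised form), product rows and supplier-price rows are selected by different rates and the conversion becomes inconsistent. The `((int) $country_id)` cast on `fk_pays` is the right fix for a numeric column.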
diff --git a/htdocs/product/card.php b/htdocs/product/card.php index df3f21a453a..f86b94f314e 100644 --- a/htdocs/product/card.php +++ b/htdocs/product/card.php @@ -44,6 +44,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/canvas.class.php'; require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php'; require_once DOL_DOCUMENT_ROOT.'/product/class/html.formproduct.class.php'; +require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/extrafields.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/genericobject.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/product.lib.php'; @@ -233,6 +234,7 @@ if (empty($reshook)) $npr = preg_match('/\*/', $tva_tx_txt) ? 1 : 0; $localtax1 = 0; $localtax2 = 0; $localtax1_type = '0'; $localtax2_type = '0'; // If value contains the unique code of vat line (new recommanded method), we use it to find npr and local taxes + $reg = array(); if (preg_match('/\((.*)\)/', $tva_tx_txt, $reg)) { // We look into database using code (we can't use get_localtax() because it depends on buyer that is not known). Same in update price. @@ -240,9 +242,9 @@ if (empty($reshook)) // Get record from code $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'"; $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1"; - $sql .= " AND t.code ='".$vatratecode."'"; + $sql .= " AND t.code = '".$db->escape($vatratecode)."'"; $resql = $db->query($sql); if ($resql) { 
@@ -285,12 +287,13 @@ if (empty($reshook))
 $object->barcode_type_coder = $stdobject->barcode_type_coder;
 $object->barcode_type_label = $stdobject->barcode_type_label;
- $object->description = dol_htmlcleanlastbr(GETPOST('desc', 'none'));
+ $object->description = dol_htmlcleanlastbr(GETPOST('desc', 'restricthtml'));
 $object->url = GETPOST('url');
- $object->note_private = dol_htmlcleanlastbr(GETPOST('note_private', 'none'));
+ $object->note_private = dol_htmlcleanlastbr(GETPOST('note_private', 'restricthtml'));
 $object->note = $object->note_private; // deprecated
 $object->customcode = GETPOST('customcode', 'alphanohtml');
- $object->country_id = GETPOST('country_id', 'int');
+ $object->country_id = GETPOST('country_id', 'int');
+ $object->state_id = GETPOST('state_id', 'int');
 $object->duration_value = $duration_value;
 $object->duration_unit = $duration_unit;
 $object->fk_default_warehouse = GETPOST('fk_default_warehouse');
@@ -387,15 +390,16 @@ if (empty($reshook))
 $object->ref = $ref;
 $object->label = GETPOST('label', 'alphanohtml');
- $object->description = dol_htmlcleanlastbr(GETPOST('desc', 'none'));
+ $object->description = dol_htmlcleanlastbr(GETPOST('desc', 'restricthtml'));
 $object->url = GETPOST('url');
 if (!empty($conf->global->MAIN_DISABLE_NOTES_TAB)) {
- $object->note_private = dol_htmlcleanlastbr(GETPOST('note_private', 'none'));
+ $object->note_private = dol_htmlcleanlastbr(GETPOST('note_private', 'restricthtml'));
 $object->note = $object->note_private;
 }
 $object->customcode = GETPOST('customcode', 'alpha');
- $object->country_id = GETPOST('country_id', 'int');
+ $object->country_id = GETPOST('country_id', 'int');
+ $object->state_id = GETPOST('state_id', 'int');
 $object->status = GETPOST('statut', 'int');
 $object->status_buy = GETPOST('statut_buy', 'int');
 $object->status_batch = GETPOST('status_batch', 'aZ09');
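Review bot: `$object->url = GETPOST('url');` in the -387 hunk keeps no check type while every neighbouring field now carries one; the URL is presumably stored and rendered later, so it should at least be `GETPOST('url', 'alpha')` and validated for an `http`/`https` scheme before being saved. The two hunks also disagree on the custom code: the create branch uses `GETPOST('customcode', 'alphanohtml')`, the update branch `GETPOST('customcode', 'alpha')` — pick one, `alphanohtml` being the stricter. `fk_default_warehouse` in the create hunk is likewise read without `'int'` although it is a foreign key. The enclosing `if (empty($reshook))` block runs well beyond both hunks.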
@@ -866,6 +870,7 @@ llxHeader('', $title, $helpurl); $form = new Form($db); $formfile = new FormFile($db); $formproduct = new FormProduct($db); +$formcompany = new FormCompany($db); if (!empty($conf->accounting->enabled)) $formaccounting = new FormAccounting($db); // Load object modBarCodeProduct @@ -908,6 +913,15 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) //WYSIWYG Editor require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php'; + print ''."\n"; + // Load object modCodeProduct $module = (!empty($conf->global->PRODUCT_CODEPRODUCT_ADDON) ? $conf->global->PRODUCT_CODEPRODUCT_ADDON : 'mod_codeproduct_leopard'); if (substr($module, 0, 16) == 'mod_codeproduct_' && substr($module, -3) == 'php') @@ -922,7 +936,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) dol_set_focus('input[name="ref"]'); - print ''; + print ''; print ''; print ''; print ''."\n"; @@ -942,6 +956,15 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) $linkback = ""; print load_fiche_titre($title, $linkback, $picto); + // We set country_id, country_code and country for the selected country + $object->country_id = GETPOSTISSET('country_id') ? GETPOST('country_id', 'int') : null; + if ($object->country_id > 0) + { + $tmparray = getCountry($object->country_id, 'all'); + $object->country_code = $tmparray['code']; + $object->country = $tmparray['label']; + } + dol_fiche_head(''); print ''; @@ -1007,7 +1030,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) // Description (used in invoice, propal...) print '"; 
@@ -1114,14 +1137,31 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) // Custom code if (empty($conf->global->PRODUCT_DISABLE_CUSTOM_INFO) && empty($type)) { - print ''; - if ($conf->browser->layout == 'phone') print ''; + print ''; + // Origin country print ''; print ''; + print img_picto('', 'globe-americas', 'class="paddingrightonly"'); + print $form->select_country((GETPOSTISSET('country_id') ? GETPOST('country_id') : $object->country_id), 'country_id', '', 0, 'minwidth300 widthcentpercentminusx'); + if ($user->admin) print info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionarySetup"), 1); + print ''; + + // State + if (empty($conf->global->PRODUCT_DISABLE_STATE)) + { + if ($conf->browser->layout == 'phone') print ''; + if (!empty($conf->global->MAIN_SHOW_REGION_IN_STATE_SELECT) && ($conf->global->MAIN_SHOW_REGION_IN_STATE_SELECT == 1 || $conf->global->MAIN_SHOW_REGION_IN_STATE_SELECT == 2)) + { + print ''; + } + print ''; } // Other attributes @@ -1139,7 +1179,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) print '"; @@ -1333,12 +1373,31 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) //WYSIWYG Editor require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php'; + print ''."\n"; + + // We set country_id, country_code and country for the selected country + $object->country_id = GETPOST('country_id') ? GETPOST('country_id') : $object->country_id; + if ($object->country_id) + { + $tmparray = getCountry($object->country_id, 'all'); + $object->country_code = $tmparray['code']; + $object->country = $tmparray['label']; + } + + $type = $langs->trans('Product'); if ($object->isService()) $type = $langs->trans('Service'); //print load_fiche_titre($langs->trans('Modify').' '.$type.' : '.(is_object($object->oldcopy)?$object->oldcopy->ref:$object->ref), ""); // Main official, simple, and not duplicated code - print ''."\n"; + print ''."\n"; print ''; print ''; print ''; 
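Review bot: `$object->country_id = GETPOST('country_id') ? GETPOST('country_id') : $object->country_id;` in the -1333 hunk reads the id without the `'int'` check that the create form uses (`GETPOST('country_id', 'int')`) and hands it straight to `getCountry($object->country_id, 'all')`; the untyped `GETPOST('country_id')` is also what `select_country(...)` receives in the -1114 hunk. Use `GETPOSTISSET('country_id') ? GETPOST('country_id', 'int') : $object->country_id` in both places so a non-numeric value never reaches the lookup. The rendering of this page has interleaved the card.php hunks, so the exact extent of each is uncertain, and the surrounding form code continues outside them.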
@@ -1349,6 +1408,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) $picto = ($object->type == Product::TYPE_SERVICE ? 'service' : 'product'); dol_fiche_head($head, 'card', $titre, 0, $picto); + print '
'.$langs->trans("Description").''; - $doleditor = new DolEditor('desc', GETPOST('desc', 'none'), '', 160, 'dolibarr_details', '', false, true, $conf->global->FCKEDITOR_ENABLE_PRODUCTDESC, ROWS_4, '90%'); + $doleditor = new DolEditor('desc', GETPOST('desc', 'restricthtml'), '', 160, 'dolibarr_details', '', false, true, $conf->global->FCKEDITOR_ENABLE_PRODUCTDESC, ROWS_4, '90%'); $doleditor->Create(); print "
'.$langs->trans("CustomCode").'
'.$langs->trans("CustomCode").'
'.$langs->trans("CountryOrigin").''; - print $form->select_country(GETPOST('country_id', 'int'), 'country_id'); - if ($user->admin) print info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionarySetup"), 1); - print '
'.$form->editfieldkey('Region-StateOrigine', 'state_id', '', $object, 0).''; + } else { + print ''.$form->editfieldkey('StateOrigin', 'state_id', '', $object, 0).''; + } + + print $formcompany->select_state($object->state_id, $object->country_code); + print '
'.$langs->trans("NoteNotVisibleOnBill").''; // We use dolibarr_details as type of DolEditor here, because we must not accept images as description is included into PDF and not accepted by TCPDF. - $doleditor = new DolEditor('note_private', GETPOST('note_private', 'none'), '', 140, 'dolibarr_details', '', false, true, $conf->global->FCKEDITOR_ENABLE_PRODUCTDESC, ROWS_8, '90%'); + $doleditor = new DolEditor('note_private', GETPOST('note_private', 'restricthtml'), '', 140, 'dolibarr_details', '', false, true, $conf->global->FCKEDITOR_ENABLE_PRODUCTDESC, ROWS_8, '90%'); $doleditor->Create(); print "
'; // Ref @@ -1529,12 +1589,29 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) // Custom code if (!$object->isService() && empty($conf->global->PRODUCT_DISABLE_CUSTOM_INFO)) { - print ''; + print ''; // Origin country - print ''; + print ''; + print ''; + // State + if (empty($conf->global->PRODUCT_DISABLE_STATE)) + { + if ($conf->browser->layout == 'phone') print ''; + if (!empty($conf->global->MAIN_SHOW_REGION_IN_STATE_SELECT) && ($conf->global->MAIN_SHOW_REGION_IN_STATE_SELECT == 1 || $conf->global->MAIN_SHOW_REGION_IN_STATE_SELECT == 2)) + { + print ''; + } + print ''; } // Other attributes @@ -2031,7 +2108,9 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) print ''; // Origin country code - print ''; + print ''; } // Other attributes diff --git a/htdocs/product/class/api_products.class.php b/htdocs/product/class/api_products.class.php index 267e3bc2890..a90c9dd5b1b 100644 --- a/htdocs/product/class/api_products.class.php +++ b/htdocs/product/class/api_products.class.php @@ -58,6 +58,7 @@ class Products extends DolibarrApi public function __construct() { global $db, $conf; + $this->db = $db; $this->product = new Product($this->db); $this->productsupplier = new ProductFournisseur($this->db); @@ -178,7 +179,7 @@ class Products extends DolibarrApi $sql .= ' WHERE t.entity IN ('.getEntity('product').')'; // Select products of given category if ($category > 0) { - $sql .= " AND c.fk_categorie = ".$db->escape($category); + $sql .= " AND c.fk_categorie = ".$this->db->escape($category); $sql .= " AND c.fk_product = t.rowid "; } if ($mode == 1) { 
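Review bot: `" AND c.fk_categorie = ".$this->db->escape($category)` in the -178 hunk places an escaped but unquoted value into a numeric comparison; `escape()` only neutralises quote characters, so it does not constrain what ends up in the SQL here. The commit already uses the right form elsewhere (`((int) $country_id)` in product_tools.php), so this line should be `$sql .= " AND c.fk_categorie = ".((int) $category);`. Restler may coerce the parameter to an int before this point, but the cast costs nothing and makes the query safe on its own.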
@@ -197,32 +198,32 @@ class Products extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { $page = 0; } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); $i = 0; while ($i < $min) { - $obj = $db->fetch_object($result); - $product_static = new Product($db); + $obj = $this->db->fetch_object($result); + $product_static = new Product($this->db); if ($product_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($product_static); } $i++; } } else { - throw new RestException(503, 'Error when retrieve product list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve product list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No product found'); @@ -445,8 +446,7 @@ class Products extends DolibarrApi /** * Remove subproduct. - * - * Unlink a product/service from a parent product/service + * Unlink a product/service from a parent product/service * * @param int $id Id of parent product/service * @param int $subproduct_id Id of child product/service @@ -750,8 +750,11 @@ class Products extends DolibarrApi public function getSupplierProducts($sortfield = "t.ref", $sortorder = 'ASC', $limit = 100, $page = 0, $mode = 0, $category = 0, $supplier = 0, $sqlfilters = '') { global $db, $conf; + $obj_ret = array(); + $socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : ''; + $sql = "SELECT t.rowid, t.ref, t.ref_ext"; $sql .= " FROM ".MAIN_DB_PREFIX."product as t"; if ($category > 0) { 
@@ -762,12 +765,12 @@ class Products extends DolibarrApi $sql .= ' WHERE t.entity IN ('.getEntity('product').')'; if ($supplier > 0) { - $sql .= " AND s.fk_soc = ".$db->escape($supplier); + $sql .= " AND s.fk_soc = ".$this->db->escape($supplier); } $sql .= " AND s.fk_product = t.rowid"; // Select products of given category if ($category > 0) { - $sql .= " AND c.fk_categorie = ".$db->escape($category); + $sql .= " AND c.fk_categorie = ".$this->db->escape($category); $sql .= " AND c.fk_product = t.rowid"; } if ($mode == 1) { @@ -785,22 +788,22 @@ class Products extends DolibarrApi $regexstring = '\(([^:\'\(\)]+:[^:\'\(\)]+:[^:\(\)]+)\)'; $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { $page = 0; } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); $i = 0; while ($i < $min) { - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $product_fourn = new ProductFournisseur($this->db); $product_fourn_list = $product_fourn->list_product_fournisseur_price($obj->rowid, '', '', 0, 0); @@ -814,7 +817,7 @@ class Products extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve product list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve product list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No product found'); 
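Review bot: `" AND s.fk_soc = ".$this->db->escape($supplier)` and the `c.fk_categorie` line below it in the -762 hunk concatenate unquoted values into integer comparisons, where `escape()` offers no protection; cast instead, `$sql .= " AND s.fk_soc = ".((int) $supplier);` and `$sql .= " AND c.fk_categorie = ".((int) $category);`, as the commit does for `fk_pays` in product_tools.php. The start of getSupplierProducts' SQL is built before this hunk begins.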
@@ -878,21 +881,71 @@ class Products extends DolibarrApi /** * Get attributes. - * + * + * @param string $sortfield Sort field + * @param string $sortorder Sort order + * @param int $limit Limit for list + * @param int $page Page number + * @param string $sqlfilters Other criteria to filter answers separated by a comma. Syntax example "(t.ref:like:color)" * @return array * * @throws RestException * * @url GET attributes */ - public function getAttributes() + public function getAttributes($sortfield = "t.ref", $sortorder = 'ASC', $limit = 100, $page = 0, $sqlfilters = '') { if (!DolibarrApiAccess::$user->rights->produit->lire) { throw new RestException(401); } - $prodattr = new ProductAttribute($this->db); - return $prodattr->fetchAll(); + $sql = "SELECT t.rowid, t.ref, t.ref_ext, t.label, t.rang, t.entity"; + $sql .= " FROM ".MAIN_DB_PREFIX."product_attribute as t"; + $sql .= ' WHERE t.entity IN ('.getEntity('product').')'; + + // Add sql filters + if ($sqlfilters) { + if (!DolibarrApi::_checkFilters($sqlfilters)) { + throw new RestException(503, 'Error when validating parameter sqlfilters '.$sqlfilters); + } + $regexstring = '\(([^:\'\(\)]+:[^:\'\(\)]+:[^:\(\)]+)\)'; + $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; + } + + $sql .= $this->db->order($sortfield, $sortorder); + if ($limit) { + if ($page < 0) { + $page = 0; + } + $offset = $limit * $page; + + $sql .= $this->db->plimit($limit, $offset); + } + + $result = $this->db->query($sql); + + if (!$result) { + throw new RestException(503, 'Error when retrieve product attribute list : '.$this->db->lasterror()); + } + + $return = []; + while ($result = $this->db->fetch_object($query)) { + $tmp = new ProductAttribute($this->db); + $tmp->id = $result->rowid; + $tmp->ref = $result->ref; + $tmp->ref_ext = $result->ref_ext; + $tmp->label = $result->label; + $tmp->rang = $result->rang; + $tmp->entity = $result->entity; + + $return[] = 
$this->_cleanObjectDatas($tmp); + } + + if (!count($return)) { + throw new RestException(404, 'No product attribute found'); + } + + return $return; } /** @@ -917,9 +970,25 @@ class Products extends DolibarrApi $result = $prodattr->fetch((int) $id); if ($result < 0) { - throw new RestException(404, "Attribute not found"); + throw new RestException(404, "Product attribute not found"); } + $fields = ["id", "ref", "ref_ext", "label", "rang", "entity"]; + + foreach ($prodattr as $field => $value) { + if (!in_array($field, $fields)) { + unset($prodattr->{$field}); + } + } + + $sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination2val as pac2v"; + $sql .= " JOIN ".MAIN_DB_PREFIX."product_attribute_combination as pac ON pac2v.fk_prod_combination = pac.rowid"; + $sql .= " WHERE pac2v.fk_prod_attr = ".((int) $prodattr->id)." AND pac.entity IN (".getEntity('product').")"; + + $resql = $this->db->query($sql); + $obj = $this->db->fetch_object($resql); + $prodattr->is_used_by_products = (int) $obj->nb; + return $prodattr; } @@ -940,7 +1009,7 @@ class Products extends DolibarrApi throw new RestException(401); } - $sql = "SELECT rowid, ref, label, rang FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref LIKE '".trim($ref)."' AND entity IN (".getEntity('product').")"; + $sql = "SELECT rowid, ref, ref_ext, label, rang, entity FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref LIKE '".trim($ref)."' AND entity IN (".getEntity('product').")"; $query = $this->db->query($sql); 
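Review bot: The new loop in getAttributes() can never return a row: the query handle is stored in `$result`, but the loop fetches from an undefined `$query` (`while ($result = $this->db->fetch_object($query))`) and overwrites `$result` on its first iteration, so every call ends in the 404 (or a PHP notice, depending on error settings). Keep the handle and the row in separate variables and fetch from the handle, as below. This method also paginates with `plimit($limit, $offset)` while the other list methods in the class use `$limit + 1`; either is fine, but they should agree. The method starts on the previous line and ends here.
```php
$resql = $this->db->query($sql);

if (!$resql) {
    throw new RestException(503, 'Error when retrieve product attribute list : '.$this->db->lasterror());
}

$return = [];
while ($obj = $this->db->fetch_object($resql)) {
    $tmp = new ProductAttribute($this->db);
    $tmp->id = $obj->rowid;
    $tmp->ref = $obj->ref;
    $tmp->ref_ext = $obj->ref_ext;
    $tmp->label = $obj->label;
    $tmp->rang = $obj->rang;
    $tmp->entity = $obj->entity;

    $return[] = $this->_cleanObjectDatas($tmp);
}
// … unchanged: 404 when $return is empty, return $return …
```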
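Review bot: `WHERE ref LIKE '".trim($ref)."'` in the -940 hunk interpolates the path parameter into the SQL string with no escaping — the line is rewritten by this commit to add `ref_ext` and `entity`, but the injection is kept. Use `'".$this->db->escape(trim($ref))."'`, and since a `LIKE` with no wildcard is just an equality match, `=` states the intent better and stops `%` or `_` in the client's value from matching other rows. The method's signature is above the hunk.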
@@ -953,8 +1022,65 @@ class Products extends DolibarrApi $attr = []; $attr['id'] = $result->rowid; $attr['ref'] = $result->ref; + $attr['ref_ext'] = $result->ref_ext; $attr['label'] = $result->label; $attr['rang'] = $result->rang; + $attr['entity'] = $result->entity; + + $sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination2val as pac2v"; + $sql .= " JOIN ".MAIN_DB_PREFIX."product_attribute_combination as pac ON pac2v.fk_prod_combination = pac.rowid"; + $sql .= " WHERE pac2v.fk_prod_attr = ".((int) $result->rowid)." AND pac.entity IN (".getEntity('product').")"; + + $resql = $this->db->query($sql); + $obj = $this->db->fetch_object($resql); + + $attr["is_used_by_products"] = (int) $obj->nb; + + return $attr; + } + + /** + * Get attributes by ref_ext. + * + * @param string $ref_ext External reference of Attribute + * @return array + * + * @throws RestException 500 + * @throws RestException 401 + * + * @url GET attributes/ref_ext/{ref_ext} + */ + public function getAttributesByRefExt($ref_ext) + { + if (!DolibarrApiAccess::$user->rights->produit->lire) { + throw new RestException(401); + } + + $sql = "SELECT rowid, ref, ref_ext, label, rang, entity FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref_ext LIKE '".trim($ref_ext)."' AND entity IN (".getEntity('product').")"; + + $query = $this->db->query($sql); + + if (!$this->db->num_rows($query)) { + throw new RestException(404); + } + + $result = $this->db->fetch_object($query); + + $attr = []; + $attr['id'] = $result->rowid; + $attr['ref'] = $result->ref; + $attr['ref_ext'] = $result->ref_ext; + $attr['label'] = $result->label; + $attr['rang'] = $result->rang; + $attr['entity'] = $result->entity; + + $sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination2val as pac2v"; + $sql .= " JOIN ".MAIN_DB_PREFIX."product_attribute_combination as pac ON pac2v.fk_prod_combination = pac.rowid"; + $sql .= " WHERE pac2v.fk_prod_attr = ".((int) $result->rowid)." 
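Review bot: The rewritten SELECT in getAttributesByRef still interpolates the path parameter unescaped, `WHERE ref LIKE '".trim($ref)."'`, so any API token with product read rights can break out of the string literal; the hunk only widened the column list. Use `$this->db->escape(trim($ref))` as the attribute-values endpoint does later in this same commit, and consider `=` instead of `LIKE`, since a path parameter gives the caller no way to escape `%`/`_` wildcards. The result of `$this->db->query($sql)` is then passed to `num_rows()` without a false check; the rest of the function lies outside this hunk.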
AND pac.entity IN (".getEntity('product').")"; + + $resql = $this->db->query($sql); + $obj = $this->db->fetch_object($resql); + $attr["is_used_by_products"] = (int) $obj->nb; return $attr; } @@ -964,6 +1090,7 @@ class Products extends DolibarrApi * * @param string $ref Reference of Attribute * @param string $label Label of Attribute + * @param string $ref_ext Reference of Attribute * @return int * * @throws RestException 500 @@ -971,7 +1098,7 @@ class Products extends DolibarrApi * * @url POST attributes */ - public function addAttributes($ref, $label) + public function addAttributes($ref, $label, $ref_ext = '') { if (!DolibarrApiAccess::$user->rights->produit->creer) { throw new RestException(401); @@ -980,6 +1107,7 @@ class Products extends DolibarrApi $prodattr = new ProductAttribute($this->db); $prodattr->label = $label; $prodattr->ref = $ref; + $prodattr->ref_ext = $ref_ext; $resid = $prodattr->create(DolibarrApiAccess::$user); if ($resid <= 0) { @@ -1202,7 +1330,18 @@ class Products extends DolibarrApi } $objectval = new ProductAttributeValue($this->db); - return $objectval->fetchAllByProductAttribute((int) $id); + + $return = $objectval->fetchAllByProductAttribute((int) $id); + + if (count($return) == 0) { + throw new RestException(404, 'Attribute values not found'); + } + + foreach ($return as $key => $val) { + $return[$key] = $this->_cleanObjectDatas($return[$key]); + } + + return $return; } /** 
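Review bot: The new getAttributesByRefExt endpoint builds its SQL from the raw path parameter, `WHERE ref_ext LIKE '".trim($ref_ext)."'`, which is a SQL injection reachable by any token with `produit->lire`. It should read `WHERE ref_ext LIKE '".$this->db->escape(trim($ref_ext))."' AND entity IN (".getEntity('product').")"`, and `=` is more appropriate than `LIKE` for an exact external key. Both query results in this function are consumed without a false check (`num_rows($query)`, `fetch_object($resql)`), so a database error surfaces as a PHP notice rather than a RestException 503.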
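Review bot: The added docblock line `@param string $ref_ext Reference of Attribute` repeats the description of `$ref`; the parameter is the external reference, so it should read `@param string $ref_ext External reference of Attribute`, matching the wording used for `$ref_ext` on the variant endpoint further down. The body that stores the value (next hunk) does no validation of `$ref_ext`; whether `ProductAttribute::create()` does cannot be seen from here.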
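Review bot: `count($return)` and the following `foreach` in getAttributeValues assume `fetchAllByProductAttribute()` always returns an array; if that method follows the common Dolibarr convention of returning a negative int on error (not visible here), `count()` on an int warns in PHP 7.2+ and the foreach then fails instead of producing a 503. Check the type first, `if (!is_array($return)) { throw new RestException(503, 'Error when retrieving attribute values : '.$this->db->lasterror()); }`, before the emptiness test. The permission check and `$id` handling for this method are above the hunk.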
@@ -1224,19 +1363,19 @@ class Products extends DolibarrApi $return = array(); $sql = 'SELECT '; - $sql .= 'v.fk_product_attribute, v.rowid, v.ref, v.value FROM '.MAIN_DB_PREFIX.'product_attribute_value v '; - $sql .= "WHERE v.fk_product_attribute = ( SELECT rowid FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref LIKE '".strtoupper(trim($ref))."' LIMIT 1)"; + $sql .= 'v.fk_product_attribute, v.rowid, v.ref, v.value FROM '.MAIN_DB_PREFIX.'product_attribute_value as v'; + $sql .= " WHERE v.fk_product_attribute IN (SELECT rowid FROM ".MAIN_DB_PREFIX."product_attribute WHERE ref LIKE '".$this->db->escape(trim($ref))."')"; - $query = $this->db->query($sql); + $resql = $this->db->query($sql); - while ($result = $this->db->fetch_object($query)) { + while ($result = $this->db->fetch_object($resql)) { $tmp = new ProductAttributeValue($this->db); $tmp->fk_product_attribute = $result->fk_product_attribute; $tmp->id = $result->rowid; $tmp->ref = $result->ref; $tmp->value = $result->value; - $return[] = $tmp; + $return[] = $this->_cleanObjectDatas($tmp); } return $return; @@ -1419,7 +1558,8 @@ class Products extends DolibarrApi * @param float $price_impact Price impact of variant * @param bool $price_impact_is_percent Price impact in percent (true or false) * @param array $features List of attributes pairs id_attribute->id_value. Example: array(id_color=>id_Blue, id_size=>id_small, id_option=>id_val_a, ...) - * @param bool|string $reference Customized reference of variant + * @param string $reference Customized reference of variant + * @param string $ref_ext External reference of variant * @return int * * @throws RestException 500 
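Review bot: Escaping `$ref` in getAttributeValuesByRef closes the injection, but the comparison is still `LIKE`, and replacing the `= (SELECT ... LIMIT 1)` subquery with `IN (SELECT ...)` means a ref such as `%` now returns the values of every attribute in one response; `=` (or escaping `%`/`_` before the LIKE) would keep the lookup exact. The `strtoupper()` the removed line applied to the ref is gone as well, a behaviour change whose impact depends on the column collation and that is not mentioned in the ChangeLog. `$resql` is also not checked for false before `fetch_object()`.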
@@ -1428,7 +1568,7 @@ class Products extends DolibarrApi * * @url POST {id}/variants */ - public function addVariant($id, $weight_impact, $price_impact, $price_impact_is_percent, $features, $reference = false) + public function addVariant($id, $weight_impact, $price_impact, $price_impact_is_percent, $features, $reference = '', $ref_ext = '') { if (!DolibarrApiAccess::$user->rights->produit->creer) { throw new RestException(401); @@ -1459,7 +1599,7 @@ class Products extends DolibarrApi $prodcomb = new ProductCombination($this->db); - $result = $prodcomb->createProductCombination(DolibarrApiAccess::$user, $this->product, $features, array(), $price_impact_is_percent, $price_impact, $weight_impact, $reference); + $result = $prodcomb->createProductCombination(DolibarrApiAccess::$user, $this->product, $features, array(), $price_impact_is_percent, $price_impact, $weight_impact, $reference, $ref_ext); if ($result > 0) { return $result; 
@@ -1650,14 +1790,15 @@ class Products extends DolibarrApi * @param string $ref_ext Ref ext of element * @param string $barcode Barcode of element * @param int $includestockdata Load also information about stock (slower) - * @param bool $includesubproducts Load information about subproducts + * @param bool $includesubproducts Load information about subproducts (if product is a virtual product) + * @param bool $includeparentid Load also ID of parent product (if product is a variant of a parent product) * @return array|mixed Data without useless information * * @throws RestException 401 * @throws RestException 403 * @throws RestException 404 */ - private function _fetch($id, $ref = '', $ref_ext = '', $barcode = '', $includestockdata = 0, $includesubproducts = false) + private function _fetch($id, $ref = '', $ref_ext = '', $barcode = '', $includestockdata = 0, $includesubproducts = false, $includeparentid = false) { if (empty($id) && empty($ref) && empty($ref_ext) && empty($barcode)) { throw new RestException(400, 'bad value for parameter id, ref, ref_ext or barcode'); @@ -1704,6 +1845,14 @@ class Products extends DolibarrApi $this->product->sousprods = $childs; } + if ($includeparentid) { + $prodcomb = new ProductCombination($this->db); + $this->product->fk_product_parent = null; + if (($fk_product_parent = $prodcomb->fetchByFkProductChild($this->product->id)) > 0) { + $this->product->fk_product_parent = $fk_product_parent; + } + } + return $this->_cleanObjectDatas($this->product); } } diff --git a/htdocs/product/class/html.formproduct.class.php b/htdocs/product/class/html.formproduct.class.php index 2a2228422d9..a0fd2bdb10c 100644 --- a/htdocs/product/class/html.formproduct.class.php +++ b/htdocs/product/class/html.formproduct.class.php 
@@ -112,16 +112,16 @@ class FormProduct $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps on ps.fk_entrepot = e.rowid"; if (!empty($fk_product)) { - $sql .= " AND ps.fk_product = '".$fk_product."'"; + $sql .= " AND ps.fk_product = ".((int) $fk_product); if (!empty($batch)) { - $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_batch as pb on pb.fk_product_stock = ps.rowid AND pb.batch = '".$batch."'"; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_batch as pb on pb.fk_product_stock = ps.rowid AND pb.batch = '".$this->db->escape($batch)."'"; } } $sql .= " WHERE e.entity IN (".getEntity('stock').")"; if (count($warehouseStatus)) { - $sql .= " AND e.statut IN (".$this->db->escape(implode(',', $warehouseStatus)).")"; + $sql .= " AND e.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")"; } else { $sql .= " AND e.statut = 1"; } diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php index 8ae09ea45aa..18565347072 100644 --- a/htdocs/product/class/product.class.php +++ b/htdocs/product/class/product.class.php @@ -883,6 +883,10 @@ class Product extends CommonObject $this->country_id = 0; } + if (empty($this->state_id)) { + $this->state_id = 0; + } + // Barcode value $this->barcode = trim($this->barcode); @@ -925,7 +929,7 @@ class Product extends CommonObject { if ($detail->batch == $valueforundefinedlot || $detail->batch == 'Undefined') { // We discard this line, we will create it later - $sqlclean = "DELETE FROM ".MAIN_DB_PREFIX."product_batch WHERE batch in('Undefined', '".$valueforundefinedlot."') AND fk_product_stock = ".$ObjW->id; + $sqlclean = "DELETE FROM ".MAIN_DB_PREFIX."product_batch WHERE batch in('Undefined', '".$this->db->escape($valueforundefinedlot)."') AND fk_product_stock = ".$ObjW->id; $result = $this->db->query($sqlclean); if (!$result) { dol_print_error($this->db); 
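Review bot: The DELETE now escapes `$valueforundefinedlot`, but the same statement still concatenates `$ObjW->id` unquoted and uncast, `AND fk_product_stock = ".$ObjW->id`; for consistency with the `((int) ...)` casts applied elsewhere in this commit it should be `AND fk_product_stock = ".((int) $ObjW->id)`. The surrounding loop and the origin of `$ObjW` are outside the hunk.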
@@ -1000,6 +1004,7 @@ class Product extends CommonObject $sql .= ", url = ".($this->url ? "'".$this->db->escape($this->url)."'" : 'null'); $sql .= ", customcode = '".$this->db->escape($this->customcode)."'"; $sql .= ", fk_country = ".($this->country_id > 0 ? (int) $this->country_id : 'null'); + $sql .= ", fk_state = ".($this->state_id > 0 ? (int) $this->state_id : 'null'); $sql .= ", note = ".(isset($this->note) ? "'".$this->db->escape($this->note)."'" : 'null'); $sql .= ", duration = '".$this->db->escape($this->duration_value.$this->duration_unit)."'"; $sql .= ", accountancy_code_buy = '".$this->db->escape($this->accountancy_code_buy)."'"; @@ -1607,7 +1612,7 @@ class Product extends CommonObject // If price per customer require_once DOL_DOCUMENT_ROOT.'/product/class/productcustomerprice.class.php'; - $prodcustprice = new Productcustomerprice($db); + $prodcustprice = new Productcustomerprice($this->db); $filter = array('t.fk_product' => $this->id, 't.fk_soc' => $thirdparty_buyer->id); @@ -1744,7 +1749,7 @@ class Product extends CommonObject if (!empty($conf->global->PRODUCT_USE_SUPPLIER_PACKAGING)) $sql .= ", pfp.packaging"; $sql .= " FROM ".MAIN_DB_PREFIX."product_fournisseur_price as pfp"; $sql .= " WHERE pfp.fk_product = ".$product_id; - if ($fourn_ref != 'none') { $sql .= " AND pfp.ref_fourn = '".$fourn_ref."'"; + if ($fourn_ref != 'none') { $sql .= " AND pfp.ref_fourn = '".$this->db->escape($fourn_ref)."'"; } if ($fk_soc > 0) { $sql .= " AND pfp.fk_soc = ".$fk_soc; } 
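Review bot: `$fourn_ref` is escaped now, but the same WHERE clause still interpolates `$product_id` and `$fk_soc` raw: `pfp.fk_product = ".$product_id` and `pfp.fk_soc = ".$fk_soc`. Both are integer keys and should be written `((int) $product_id)` and `((int) $fk_soc)`, exactly as this commit does for `fk_product_pere`/`fk_product_fils` further down in product.class.php. The function head where these parameters arrive is above the hunk.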
@@ -1917,18 +1922,18 @@ class Product extends CommonObject // Ne pas mettre de quote sur les numeriques decimaux. // Ceci provoque des stockages avec arrondis en base au lieu des valeurs exactes. $sql = "UPDATE ".MAIN_DB_PREFIX."product SET"; - $sql .= " price_base_type='".$newpricebase."',"; + $sql .= " price_base_type='".$this->db->escape($newpricebase)."',"; $sql .= " price=".$price.","; $sql .= " price_ttc=".$price_ttc.","; $sql .= " price_min=".$price_min.","; $sql .= " price_min_ttc=".$price_min_ttc.","; $sql .= " localtax1_tx=".($localtax1 >= 0 ? $localtax1 : 'NULL').","; $sql .= " localtax2_tx=".($localtax2 >= 0 ? $localtax2 : 'NULL').","; - $sql .= " localtax1_type=".($localtaxtype1 != '' ? "'".$localtaxtype1."'" : "'0'").","; - $sql .= " localtax2_type=".($localtaxtype2 != '' ? "'".$localtaxtype2."'" : "'0'").","; + $sql .= " localtax1_type=".($localtaxtype1 != '' ? "'".$this->db->escape($localtaxtype1)."'" : "'0'").","; + $sql .= " localtax2_type=".($localtaxtype2 != '' ? "'".$this->db->escape($localtaxtype2)."'" : "'0'").","; $sql .= " default_vat_code=".($newdefaultvatcode ? "'".$this->db->escape($newdefaultvatcode)."'" : "null").","; $sql .= " tva_tx='".price2num($newvat)."',"; - $sql .= " recuperableonly='".$newnpr."'"; + $sql .= " recuperableonly='".$this->db->escape($newnpr)."'"; $sql .= " WHERE rowid = ".$id; dol_syslog(get_class($this)."::update_price", LOG_DEBUG); 
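Review bot: The UPDATE in update_price now escapes its string columns, but the row selector `WHERE rowid = ".$id` is still an uncast concatenation and should be `WHERE rowid = ".((int) $id)`. The numeric columns (`price=".$price.","` and the other amounts) are also interpolated directly; the comment above explains why they must not be quoted, which is compatible with normalising them to numbers before this point, but whether `$price` and friends already went through price2num is decided above the hunk and cannot be confirmed here.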
@@ -2025,7 +2030,7 @@ class Product extends CommonObject return -1; } - $sql = "SELECT rowid, ref, ref_ext, label, description, url, note_public, note as note_private, customcode, fk_country, price, price_ttc,"; + $sql = "SELECT rowid, ref, ref_ext, label, description, url, note_public, note as note_private, customcode, fk_country, fk_state, price, price_ttc,"; $sql .= " price_min, price_min_ttc, price_base_type, cost_price, default_vat_code, tva_tx, recuperableonly as tva_npr, localtax1_tx, localtax2_tx, localtax1_type, localtax2_type, tosell,"; $sql .= " tobuy, fk_product_type, duration, fk_default_warehouse, seuil_stock_alerte, canvas, net_measure, net_measure_units, weight, weight_units,"; $sql .= " length, length_units, width, width_units, height, height_units,"; @@ -2073,6 +2078,7 @@ class Product extends CommonObject $this->customcode = $obj->customcode; $this->country_id = $obj->fk_country; $this->country_code = getCountry($this->country_id, 2, $this->db); + $this->state_id = $obj->fk_state; $this->price = $obj->price; $this->price_ttc = $obj->price_ttc; $this->price_min = $obj->price_min; @@ -2936,7 +2942,7 @@ class Product extends CommonObject global $db, $conf, $user, $hookmanager; $sql = "SELECT COUNT(DISTINCT f.fk_soc) as nb_customers, COUNT(DISTINCT f.rowid) as nb,"; - $sql .= " COUNT(fd.rowid) as nb_rows, SUM(".$db->ifsql('f.type != 2', 'fd.qty', 'fd.qty * -1').") as qty"; + $sql .= " COUNT(fd.rowid) as nb_rows, SUM(".$this->db->ifsql('f.type != 2', 'fd.qty', 'fd.qty * -1').") as qty"; $sql .= " FROM ".MAIN_DB_PREFIX."facturedet as fd"; $sql .= ", ".MAIN_DB_PREFIX."facture as f"; $sql .= ", ".MAIN_DB_PREFIX."societe as s"; 
@@ -3666,8 +3672,8 @@ class Product extends CommonObject // phpcs:enable $sql = "SELECT fk_product_pere, qty, incdec"; $sql .= " FROM ".MAIN_DB_PREFIX."product_association"; - $sql .= " WHERE fk_product_pere = '".$fk_parent."'"; - $sql .= " AND fk_product_fils = '".$fk_child."'"; + $sql .= " WHERE fk_product_pere = ".((int) $fk_parent); + $sql .= " AND fk_product_fils = ".((int) $fk_child); $result = $this->db->query($sql); if ($result) { @@ -4692,7 +4698,7 @@ class Product extends CommonObject $sql .= " AND w.rowid = ps.fk_entrepot"; $sql .= " AND ps.fk_product = ".$this->id; if ($conf->global->ENTREPOT_EXTRA_STATUS && count($warehouseStatus)) { - $sql .= " AND w.statut IN (".$this->db->escape(implode(',', $warehouseStatus)).")"; + $sql .= " AND w.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")"; } dol_syslog(get_class($this)."::load_stock", LOG_DEBUG); @@ -5204,17 +5210,15 @@ class Product extends CommonObject $this->barcode = -1; // Create barcode automatically } - /** - * Returns the label, shot_label or code found in units dictionary from ->fk_unit. - * A langs->trans() must be called on result to get translated value. - * - * @param string $type Label type (long, short or code) - * @return string|int <0 if KO, label if OK (Example: 'long', 'short', 'unitCODE') - * @see getLabelOfUnit() in CommonObjectLine - */ - public function getLabelOfUnit($type = 'long') - { - global $langs; + /** + * Returns the text label from units dictionary + * + * @param string $type Label type (long or short) + * @return string|int <0 if ko, label if ok + */ + public function getLabelOfUnit($type = 'long') + { + global $langs; if (!$this->fk_unit) { return ''; 
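Review bot: The replacement docblock for getLabelOfUnit drops two things the removed version documented: the `code` value for `$type` (with the `'unitCODE'` example in `@return`) and the `@see getLabelOfUnit() in CommonObjectLine` cross-reference. If the `code` mode is intentionally removed, the ChangeLog section on regressions for external modules should say so; otherwise restore `* @param string $type Label type (long, short or code)`. The method body is in the following hunk.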
@@ -5222,24 +5226,25 @@ class Product extends CommonObject $langs->load('products'); - $label_type = 'label'; - if ($type == 'short') $label_type = 'short_label'; - elseif ($type == 'code') $label_type = 'code'; + $label_type = 'label'; - $sql = 'select '.$label_type.', code from '.MAIN_DB_PREFIX.'c_units where rowid='.$this->fk_unit; - $resql = $this->db->query($sql); - if ($resql && $this->db->num_rows($resql) > 0) { - $res = $this->db->fetch_array($resql); - if ($label_type == 'code') $label = 'unit'.$res['code']; - else $label = $res[$label_type]; - $this->db->free($resql); - return $label; - } else { - $this->error = $this->db->error().' sql='.$sql; - dol_syslog(get_class($this)."::getLabelOfUnit Error ".$this->error, LOG_ERR); - return -1; - } - } + if ($type == 'short') { + $label_type = 'short_label'; + } + + $sql = 'select '.$label_type.', code from '.MAIN_DB_PREFIX.'c_units where rowid='.$this->fk_unit; + $resql = $this->db->query($sql); + if ($resql && $this->db->num_rows($resql) > 0) { + $res = $this->db->fetch_array($resql); + $label = ($label_type == 'short_label' ? $res[$label_type] : 'unit'.$res['code']); + $this->db->free($resql); + return $label; + } else { + $this->error = $this->db->error().' sql='.$sql; + dol_syslog(get_class($this)."::getLabelOfUnit Error ".$this->error, LOG_ERR); + return -1; + } + } /** * Return if object has a sell-by date or eat-by date 
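Review bot: For the default `$type = 'long'` the new body returns `'unit'.$res['code']` rather than the `label` column it selected, because `$label = ($label_type == 'short_label' ? $res[$label_type] : 'unit'.$res['code']);` only uses the fetched column in the short case; the docblock says the method returns the text label, so either the code or the documentation is wrong, and the `label` column fetched for 'long' is dead. Either return `$res[$label_type]` for both types or document that a translation key is returned for 'long'. `rowid='.$this->fk_unit` should also become `rowid='.((int) $this->fk_unit)` for consistency with the other casts in this commit.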
@@ -5366,17 +5371,17 @@ class Product extends CommonObject global $conf, $db; $sql = "SELECT rowid, level, fk_level, var_percent, var_min_percent FROM ".MAIN_DB_PREFIX."product_pricerules"; - $query = $db->query($sql); + $query = $this->db->query($sql); $rules = array(); - while ($result = $db->fetch_object($query)) { + while ($result = $this->db->fetch_object($query)) { $rules[$result->level] = $result; } //Because prices can be based on other level's prices, we temporarily store them $prices = array( - 1 => $baseprice + 1 => $baseprice ); for ($i = 1; $i <= $conf->global->PRODUIT_MULTIPRICES_LIMIT; $i++) { diff --git a/htdocs/product/class/propalmergepdfproduct.class.php b/htdocs/product/class/propalmergepdfproduct.class.php index 331708ff096..30ed73d8c77 100644 --- a/htdocs/product/class/propalmergepdfproduct.class.php +++ b/htdocs/product/class/propalmergepdfproduct.class.php @@ -232,7 +232,7 @@ class Propalmergepdfproduct extends CommonObject $sql .= " FROM ".MAIN_DB_PREFIX."propal_merge_pdf_product as t"; $sql .= " WHERE t.fk_product = ".$product_id; if ($conf->global->MAIN_MULTILANGS && !empty($lang)) { - $sql .= " AND t.lang = '".$lang."'"; + $sql .= " AND t.lang = '".$this->db->escape($lang)."'"; } dol_syslog(__METHOD__, LOG_DEBUG); @@ -398,7 +398,7 @@ class Propalmergepdfproduct extends CommonObject $sql .= " WHERE fk_product=".$product_id; if ($conf->global->MAIN_MULTILANGS && !empty($lang_id)) { - $sql .= " AND lang='".$lang_id."'"; + $sql .= " AND lang='".$this->db->escape($lang_id)."'"; } dol_syslog(__METHOD__, LOG_DEBUG); diff --git a/htdocs/product/composition/card.php b/htdocs/product/composition/card.php index 1c1dfa0913e..843e1e6cb59 100644 --- a/htdocs/product/composition/card.php +++ b/htdocs/product/composition/card.php 
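Review bot: `$lang_id` is escaped, but the line just above it, `WHERE fk_product=".$product_id`, remains an unquoted concatenation of an integer key; cast it, `" WHERE fk_product=".((int) $product_id)`, and do the same for `t.fk_product = ".$product_id` in the fetch hunk above. The method signatures that receive `$product_id` are outside both hunks, so whether callers already cast it cannot be seen here.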
@@ -38,7 +38,7 @@ $langs->loadLangs(array('bills', 'products', 'stocks')); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $cancel = GETPOST('cancel', 'alpha'); $key = GETPOST('key'); diff --git a/htdocs/product/document.php b/htdocs/product/document.php index 4f505bff187..8d06e211bab 100644 --- a/htdocs/product/document.php +++ b/htdocs/product/document.php @@ -42,7 +42,7 @@ $langs->loadLangs(array('other', 'products')); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); // Security check diff --git a/htdocs/product/dynamic_price/editor.php b/htdocs/product/dynamic_price/editor.php index c8855b0665e..c0bbf8388a2 100644 --- a/htdocs/product/dynamic_price/editor.php +++ b/htdocs/product/dynamic_price/editor.php @@ -33,7 +33,7 @@ $langs->loadLangs(array('products', 'accountancy')); //"Back" translation is on $id = GETPOST('id', 'int'); $eid = GETPOST('eid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $title = GETPOST('expression_title', 'alpha'); $expression = GETPOST('expression'); $tab = GETPOST('tab', 'alpha'); diff --git a/htdocs/product/fournisseurs.php b/htdocs/product/fournisseurs.php index 56f91bfa2ee..1f347353b81 100644 --- a/htdocs/product/fournisseurs.php +++ b/htdocs/product/fournisseurs.php @@ -47,7 +47,7 @@ $langs->loadLangs(array('products', 'suppliers', 'bills', 'margins', 'stocks')); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); $rowid = GETPOST('rowid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'pricesuppliercard'; 
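Review bot: Tightening `action` to 'aZ09' is the right move, but the context line two below it, `$key = GETPOST('key');`, reads a request parameter with no filter at all; unless it is only ever used in a strict comparison (not visible here), it should get an explicit one, e.g. `$key = GETPOST('key', 'alpha');`. The same question applies to `$expression = GETPOST('expression');` in the dynamic_price editor hunk, where a raw value is presumably deliberate because expressions contain operators, but a `'nohtml'` filter would still be worth considering.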
diff --git a/htdocs/product/index.php b/htdocs/product/index.php index 6dcc5799c26..53136237eca 100644 --- a/htdocs/product/index.php +++ b/htdocs/product/index.php @@ -327,7 +327,7 @@ if ((!empty($conf->product->enabled) || !empty($conf->service->enabled)) && ($us $sql = "SELECT label"; $sql .= " FROM ".MAIN_DB_PREFIX."product_lang"; $sql .= " WHERE fk_product=".$objp->rowid; - $sql .= " AND lang='".$langs->getDefaultLang()."'"; + $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'"; $resultd = $db->query($sql); if ($resultd) diff --git a/htdocs/product/inventory/inventory.php b/htdocs/product/inventory/inventory.php index 790d30b444f..9b871da7a8b 100644 --- a/htdocs/product/inventory/inventory.php +++ b/htdocs/product/inventory/inventory.php @@ -349,7 +349,7 @@ if ($object->id > 0) print ''.$langs->trans('UpdateByScaningLot').''; }*/ if ($conf->barcode->enabled || $conf->productbatch->enabled) { - print ''.$langs->trans("UpdateByScaning").''; + print ''.$langs->trans("UpdateByScaning").''; } } else { print ''.$langs->trans('Save').''."\n"; @@ -381,6 +381,15 @@ if ($object->id > 0) print ''."\n"; } + if ($action == 'updatebyscaning') { + print '
'; + + print 'TODO'; + + print '
'; + } + + print ''; print ''; print ''; diff --git a/htdocs/product/inventory/list.php b/htdocs/product/inventory/list.php index 851c37ed258..09947e80ac7 100644 --- a/htdocs/product/inventory/list.php +++ b/htdocs/product/inventory/list.php @@ -45,8 +45,8 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action $offset = $limit * $page; diff --git a/htdocs/product/list.php b/htdocs/product/list.php index 6d9a60b0c66..a0bfa073afa 100644 --- a/htdocs/product/list.php +++ b/htdocs/product/list.php @@ -38,6 +38,7 @@ require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php'; require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.product.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/company.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/product.lib.php'; +require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/html.formother.class.php'; if (!empty($conf->categorie->enabled)) require_once DOL_DOCUMENT_ROOT.'/categories/class/categorie.class.php'; 
@@ -46,7 +47,7 @@ if (!empty($conf->categorie->enabled)) $langs->loadLangs(array('products', 'stocks', 'suppliers', 'companies', 'margins')); if (!empty($conf->productbatch->enabled)) $langs->load("productbatch"); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $show_files = GETPOST('show_files', 'int'); $confirm = GETPOST('confirm', 'alpha'); @@ -63,6 +64,8 @@ $searchCategoryProductOperator = (GETPOST('search_category_product_operator', 'i $searchCategoryProductList = GETPOST('search_category_product_list', 'array'); $search_tosell = GETPOST("search_tosell", 'int'); $search_tobuy = GETPOST("search_tobuy", 'int'); +$search_country = GETPOST("search_country", 'int'); +$search_state = GETPOST("state_id", 'int'); $fourn_id = GETPOST("fourn_id", 'int'); $catid = GETPOST('catid', 'int'); $search_tobatch = GETPOST("search_tobatch", 'int'); @@ -105,6 +108,7 @@ $object = new Product($db); $hookmanager->initHooks(array('productservicelist')); $extrafields = new ExtraFields($db); $form = new Form($db); +$formcompany = new FormCompany($db); // fetch optionals attributes and labels $extrafields->fetch_name_optionals_label($object->table_element); @@ -123,9 +127,9 @@ if (!empty($canvas)) } // Security check -if ($search_type == '0') $result = restrictedArea($user, 'produit', '', '', '', '', '', $objcanvas); -elseif ($search_type == '1') $result = restrictedArea($user, 'service', '', '', '', '', '', $objcanvas); -else $result = restrictedArea($user, 'produit|service', '', '', '', '', '', $objcanvas); +if ($search_type == '0') $result = restrictedArea($user, 'produit', '', '', '', '', '', 0); +elseif ($search_type == '1') $result = restrictedArea($user, 'service', '', '', '', '', '', 0); +else $result = restrictedArea($user, 'produit|service', '', '', '', '', '', 0); // Define virtualdiffersfromphysical $virtualdiffersfromphysical = 0; 
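Review bot: The state filter is read from a different parameter than the one the page emits: `$search_state = GETPOST("state_id", 'int');` here, while the pagination/sort `$param` built later in this commit appends `&search_state=`. Clicking a column header or page link therefore loses the state filter (or, if the select is named `state_id`, the links carry a name nothing reads). Use one name on both sides, e.g. `$search_state = GETPOST("search_state", 'int');`, and make sure the filter input in the list header uses it too.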
@@ -206,7 +210,9 @@ $arrayfields = array( 'p.stock'=>array('label'=>$langs->trans("PhysicalStock"), 'checked'=>1, 'enabled'=>(!empty($conf->stock->enabled) && $user->rights->stock->lire && $contextpage != 'service'), 'position'=>52), 'stock_virtual'=>array('label'=>$langs->trans("VirtualStock"), 'checked'=>1, 'enabled'=>(!empty($conf->stock->enabled) && $user->rights->stock->lire && $contextpage != 'service' && $virtualdiffersfromphysical), 'position'=>53), 'p.tobatch'=>array('label'=>$langs->trans("ManageLotSerial"), 'checked'=>0, 'enabled'=>(!empty($conf->productbatch->enabled)), 'position'=>60), - 'p.accountancy_code_sell'=>array('label'=>$langs->trans("ProductAccountancySellCode"), 'checked'=>0, 'position'=>400), + 'p.fk_country'=>array('label'=>$langs->trans("Country"), 'checked'=>0, 'position'=>100), + 'p.fk_state'=>array('label'=>$langs->trans("State"), 'checked'=>0, 'position'=>101), + 'p.accountancy_code_sell'=>array('label'=>$langs->trans("ProductAccountancySellCode"), 'checked'=>0, 'position'=>400), 'p.accountancy_code_sell_intra'=>array('label'=>$langs->trans("ProductAccountancySellIntraCode"), 'checked'=>0, 'enabled'=>$isInEEC, 'position'=>401), 'p.accountancy_code_sell_export'=>array('label'=>$langs->trans("ProductAccountancySellExportCode"), 'checked'=>0, 'position'=>402), 'p.accountancy_code_buy'=>array('label'=>$langs->trans("ProductAccountancyBuyCode"), 'checked'=>0, 'position'=>403), @@ -275,6 +281,8 @@ if (empty($reshook)) $searchCategoryProductList = array(); $search_tosell = ""; $search_tobuy = ""; + $search_country = ""; + $search_state = ""; $search_vatrate = ""; $search_tobatch = ''; //$search_type=''; // There is 2 types of list: a list of product and a list of services. No list with both. So when we clear search criteria, we must keep the filter on type. @@ -305,8 +313,6 @@ if (empty($reshook)) * View */ -$htmlother = new FormOther($db); - $title = $langs->trans("ProductsAndServices"); if ($search_type != '' && $search_type != '-1') 
@@ -326,7 +332,7 @@ $sql .= ' p.fk_product_type, p.duration, p.finished, p.tosell, p.tobuy, p.seuil_ $sql .= ' p.tobatch, p.accountancy_code_sell, p.accountancy_code_sell_intra, p.accountancy_code_sell_export,'; $sql .= ' p.accountancy_code_buy, p.accountancy_code_buy_intra, p.accountancy_code_buy_export,'; $sql .= ' p.datec as date_creation, p.tms as date_update, p.pmp, p.stock, p.cost_price,'; -$sql .= ' p.weight, p.weight_units, p.length, p.length_units, p.width, p.width_units, p.height, p.height_units, p.surface, p.surface_units, p.volume, p.volume_units,'; +$sql .= ' p.weight, p.weight_units, p.length, p.length_units, p.width, p.width_units, p.height, p.height_units, p.surface, p.surface_units, p.volume, p.volume_units, fk_country, fk_state,'; if (!empty($conf->global->PRODUCT_USE_UNITS)) $sql .= ' p.fk_unit, cu.label as cu_label,'; $sql .= ' MIN(pfp.unitprice) as minsellprice'; if (!empty($conf->variants->enabled) && (!empty($conf->global->PRODUIT_ATTRIBUTES_HIDECHILD) && !$show_childproducts)) { 
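Review bot: The two columns appended to the SELECT are unqualified, `fk_country, fk_state,`, while every other column in the list and the matching GROUP BY added later in this commit use the `p.` alias. The statement joins several tables (pfp, pl, cp, cu) so an unqualified name becomes ambiguous as soon as any of them gains a column of that name; write `p.fk_country, p.fk_state,`.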
@@ -345,7 +351,7 @@ if (is_array($extrafields->attributes[$object->table_element]['label']) && count if (!empty($searchCategoryProductList) || !empty($catid)) $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX."categorie_product as cp ON p.rowid = cp.fk_product"; // We'll need this table joined to the select in order to filter by categ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_fournisseur_price as pfp ON p.rowid = pfp.fk_product"; // multilang -if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lang as pl ON pl.fk_product = p.rowid AND pl.lang = '".$langs->getDefaultLang()."'"; +if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lang as pl ON pl.fk_product = p.rowid AND pl.lang = '".$db->escape($langs->getDefaultLang())."'"; if (!empty($conf->variants->enabled) && (!empty($conf->global->PRODUIT_ATTRIBUTES_HIDECHILD) && !$show_childproducts)) { $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_attribute_combination pac ON pac.fk_product_child = p.rowid"; @@ -401,6 +407,8 @@ if ($searchCategoryProductOperator == 1) { } if ($fourn_id > 0) $sql .= " AND pfp.fk_soc = ".$fourn_id; if ($search_tobatch != '' && $search_tobatch >= 0) $sql .= " AND p.tobatch = ".$db->escape($search_tobatch); +if ($search_country) $sql .= " AND p.fk_country = ".$search_country; +if ($search_state) $sql .= " AND p.fk_state = ".$search_state; if ($search_accountancy_code_sell) $sql .= natural_search('p.accountancy_code_sell', $search_accountancy_code_sell); if ($search_accountancy_code_sell_intra) $sql .= natural_search('p.accountancy_code_sell_intra', $search_accountancy_code_sell_intra); if ($search_accountancy_code_sell_export) $sql .= natural_search('p.accountancy_code_sell_export', $search_accountancy_code_sell_export); 
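Review bot: `if ($search_country) $sql .= " AND p.fk_country = ".$search_country;` and the `fk_state` line below it rely solely on the GETPOST 'int' filter declared far above; the commit casts comparable ids to `((int) ...)` in product.class.php, so do the same here, `" AND p.fk_country = ".((int) $search_country)`, to keep the protection next to the SQL. The adjacent context line `p.tobatch = ".$db->escape($search_tobatch)` applies string escaping to an unquoted integer, which would not stop a non-numeric value if the filter ever changed; `(int)` is the right tool there as well.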
@@ -418,7 +426,7 @@ $sql .= " GROUP BY p.rowid, p.ref, p.label, p.barcode, p.price, p.tva_tx, p.pric $sql .= " p.fk_product_type, p.duration, p.finished, p.tosell, p.tobuy, p.seuil_stock_alerte, p.desiredstock,"; $sql .= ' p.datec, p.tms, p.entity, p.tobatch, p.accountancy_code_sell, p.accountancy_code_sell_intra, p.accountancy_code_sell_export,'; $sql .= ' p.accountancy_code_buy, p.accountancy_code_buy_intra, p.accountancy_code_buy_export, p.pmp, p.cost_price, p.stock,'; -$sql .= ' p.weight, p.weight_units, p.length, p.length_units, p.width, p.width_units, p.height, p.height_units, p.surface, p.surface_units, p.volume, p.volume_units'; +$sql .= ' p.weight, p.weight_units, p.length, p.length_units, p.width, p.width_units, p.height, p.height_units, p.surface, p.surface_units, p.volume, p.volume_units, p.fk_country, p.fk_state'; if (!empty($conf->global->PRODUCT_USE_UNITS)) $sql .= ', p.fk_unit, cu.label'; if (!empty($conf->variants->enabled) && (!empty($conf->global->PRODUIT_ATTRIBUTES_HIDECHILD) && !$show_childproducts)) { @@ -498,6 +506,8 @@ if ($resql) if ($search_label) $param .= "&search_label=".urlencode($search_label); if ($search_tosell != '') $param .= "&search_tosell=".urlencode($search_tosell); if ($search_tobuy != '') $param .= "&search_tobuy=".urlencode($search_tobuy); + if ($search_country != '') $param .= "&search_country=".urlencode($search_country); + if ($search_state != '') $param .= "&search_state=".urlencode($search_state); if ($search_vatrate) $sql .= natural_search('p.tva_tx', $search_vatrate); if ($fourn_id > 0) $param .= ($fourn_id ? "&fourn_id=".$fourn_id : ""); //if ($seach_categ) $param.=($search_categ?"&search_categ=".urlencode($search_categ):""); 
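Review bot: The context line directly under the two new `$param` lines, `if ($search_vatrate) $sql .= natural_search('p.tva_tx', $search_vatrate);`, appends to `$sql` inside the `if ($resql)` block, i.e. after the query has already run, so it cannot filter anything and looks like it was meant to be `if ($search_vatrate) $param .= "&search_vatrate=".urlencode($search_vatrate);`. Since this hunk is about building `$param`, it is a natural place to correct it. Whether the vatrate filter is also applied in the WHERE section above cannot be seen from here.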
@@ -531,21 +541,18 @@ if ($resql) if ($type === "") $perm = ($user->rights->produit->creer || $user->rights->service->creer); elseif ($type == Product::TYPE_SERVICE) $perm = $user->rights->service->creer; elseif ($type == Product::TYPE_PRODUCT) $perm = $user->rights->produit->creer; - if ($perm) - { - $oldtype = $type; - $params = array(); - if ($type === "") $params['forcenohideoftext'] = 1; - if ($type === "") { - $newcardbutton .= dolGetButtonTitle($langs->trans('NewProduct'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/product/card.php?action=create&type=0', '', 1, $params); - $type = Product::TYPE_SERVICE; - } - $label = 'NewProduct'; - if ($type == Product::TYPE_SERVICE) $label = 'NewService'; - $newcardbutton .= dolGetButtonTitle($langs->trans($label), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/product/card.php?action=create&type='.$type, '', 1, $params); - - $type = $oldtype; + $oldtype = $type; + $params = array(); + if ($type === "") $params['forcenohideoftext'] = 1; + if ($type === "") { + $newcardbutton .= dolGetButtonTitle($langs->trans('NewProduct'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/product/card.php?action=create&type=0', '', $perm, $params); + $type = Product::TYPE_SERVICE; } + $label = 'NewProduct'; + if ($type == Product::TYPE_SERVICE) $label = 'NewService'; + $newcardbutton .= dolGetButtonTitle($langs->trans($label), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/product/card.php?action=create&type='.$type, '', $perm, $params); + + $type = $oldtype; print ''; if ($optioncss != '') print ''; 
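Review bot: `$perm` is now handed straight to both `dolGetButtonTitle()` calls as the enabled flag, but it is only assigned in the three `if`/`elseif` branches on `$type` shown as context above the change, so for any other `$type` value the flag would be undefined at the call. Adding `$perm = 0;` before that chain makes the value deterministic (the removed `if ($perm)` wrapper had the same gap, so this is inherited rather than introduced). The behavioural change — buttons are now always rendered and merely disabled when `$perm` is false, where they were previously omitted — looks intentional but deserves a line in the commit message. The enclosing `if ($resql)` block starts outside the hunk.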
@@ -593,7 +600,7 @@ if ($resql) $categoriesProductArr = $form->select_all_categories(Categorie::TYPE_PRODUCT, '', '', 64, 0, 1); $categoriesProductArr[-2] = '- '.$langs->trans('NotCategorized').' -'; $moreforfilter .= Form::multiselectarray('search_category_product_list', $categoriesProductArr, $searchCategoryProductList, 0, 0, 'minwidth300'); - $moreforfilter .= ' '.$langs->trans('UseOrOperatorForCategories'); + $moreforfilter .= ' '.$langs->trans('UseOrOperatorForCategories').''; $moreforfilter .= ''; } @@ -819,6 +826,10 @@ if ($resql) if (!empty($arrayfields['stock_virtual']['checked'])) print ''; // To batch if (!empty($arrayfields['p.tobatch']['checked'])) print ''; + // Country + if (!empty($arrayfields['p.fk_country']['checked'])) print ''; + // State + if (!empty($arrayfields['p.fk_state']['checked'])) print ''; // Accountancy code sell if (!empty($arrayfields['p.accountancy_code_sell']['checked'])) print ''; if (!empty($arrayfields['p.accountancy_code_sell_intra']['checked'])) print ''; @@ -945,6 +956,12 @@ if ($resql) if (!empty($arrayfields['p.tobatch']['checked'])) { print_liste_field_titre($arrayfields['p.tobatch']['label'], $_SERVER["PHP_SELF"], "p.tobatch", "", $param, '', $sortfield, $sortorder, 'center '); } + if (!empty($arrayfields['p.fk_country']['checked'])) { + print_liste_field_titre($arrayfields['p.fk_country']['label'], $_SERVER["PHP_SELF"], "p.fk_country", "", $param, '', $sortfield, $sortorder); + } + if (!empty($arrayfields['p.fk_state']['checked'])) { + print_liste_field_titre($arrayfields['p.fk_state']['label'], $_SERVER["PHP_SELF"], "p.fk_state", "", $param, '', $sortfield, $sortorder); + } if (!empty($arrayfields['p.accountancy_code_sell']['checked'])) { print_liste_field_titre($arrayfields['p.accountancy_code_sell']['label'], $_SERVER["PHP_SELF"], "p.accountancy_code_sell", "", $param, '', $sortfield, $sortorder); } 
@@ -1414,6 +1431,20 @@ if ($resql) print ''; if (!$i) $totalarray['nbfield']++; } + // Country + if (!empty($arrayfields['p.fk_country']['checked'])) + { + print ''; + if (!$i) $totalarray['nbfield']++; + } + // State + if (!empty($arrayfields['p.fk_state']['checked'])) + { + print ''; + if (!$i) $totalarray['nbfield']++; + } // Accountancy code sell if (!empty($arrayfields['p.accountancy_code_sell']['checked'])) { diff --git a/htdocs/product/popuprop.php b/htdocs/product/popuprop.php index affd5a8b3f2..7e5015b7813 100644 --- a/htdocs/product/popuprop.php +++ b/htdocs/product/popuprop.php @@ -203,7 +203,7 @@ if ($mode && $mode != '-1') { $sql = "SELECT label"; $sql .= " FROM ".MAIN_DB_PREFIX."product_lang"; $sql .= " WHERE fk_product=".$prodid; - $sql .= " AND lang='".$langs->getDefaultLang()."'"; + $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'"; $sql .= " LIMIT 1"; $resultp = $db->query($sql); diff --git a/htdocs/product/price.php b/htdocs/product/price.php index 8f25eab11b1..c73e43dc6f0 100644 --- a/htdocs/product/price.php +++ b/htdocs/product/price.php @@ -53,7 +53,7 @@ $mesg = ''; $error = 0; $errors = array(); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $eid = GETPOST('eid', 'int'); @@ -127,9 +127,9 @@ if (empty($reshook)) // Get record from code $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'"; $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1"; - $sql .= " AND t.code ='".$vatratecode."'"; + $sql .= " AND t.code ='".$db->escape($vatratecode)."'"; $resql = $db->query($sql); if ($resql) { 
@@ -243,9 +243,9 @@ if (empty($reshook)) // Get record from code $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'"; $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1"; - $sql .= " AND t.code ='".$vatratecode."'"; + $sql .= " AND t.code ='".$db->escape($vatratecode)."'"; $resql = $db->query($sql); if ($resql) { @@ -296,9 +296,9 @@ if (empty($reshook)) // Get record from code $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'"; $sql .= " AND t.taux = ".$tva_tx." AND t.active = 1"; - $sql .= " AND t.code ='".$vatratecode."'"; + $sql .= " AND t.code ='".$db->escape($vatratecode)."'"; $resql = $db->query($sql); if ($resql) { @@ -436,7 +436,7 @@ if (empty($reshook)) // Ajout / mise à jour if ($rowid > 0) { $sql = "UPDATE ".MAIN_DB_PREFIX."product_price_by_qty SET"; - $sql .= " price='".$price."',"; + $sql .= " price='".$db->escape($price)."',"; $sql .= " unitprice=".$unitPrice.","; $sql .= " quantity=".$quantity.","; $sql .= " remise_percent=".$remise_percent.","; 
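Review bot: In the hunk at line 296 the commit escapes `$vatratecode` and `$mysoc->country_code` but leaves the adjacent context line `$sql .= " AND t.taux = ".$tva_tx." AND t.active = 1";` concatenating `$tva_tx` raw, whereas the hunks at lines 127 and 243 of the same file already use `((float) $tva_tx)`. The same half-hardened form recurs in the hunks at lines 525 and 625 of price.php. Aligning all four on `$sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";` closes the gap this commit is otherwise fixing.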
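Review bot: In the hunk at line 436, `price='".$db->escape($price)."'` quotes and escapes a value written into what is presumably a numeric column, while the three context lines that follow (`unitprice=".$unitPrice`, `quantity=".$quantity`, `remise_percent=".$remise_percent`) still concatenate unquoted and unescaped. For unquoted numeric positions `escape()` is not the right control; a numeric cast such as `" unitprice=".((float) $unitPrice).","` is, and it would make the four assignments consistent. How those variables are derived is outside the hunk, so treat this as a consistency check rather than a confirmed injection path.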
@@ -525,9 +525,9 @@ if (empty($reshook)) // Get record from code $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'"; $sql .= " AND t.taux = ".$tva_tx." AND t.active = 1"; - $sql .= " AND t.code ='".$vatratecode."'"; + $sql .= " AND t.code ='".$db->escape($vatratecode)."'"; $resql = $db->query($sql); if ($resql) { @@ -625,9 +625,9 @@ if (empty($reshook)) // Get record from code $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type"; $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c"; - $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'"; + $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'"; $sql .= " AND t.taux = ".$tva_tx." AND t.active = 1"; - $sql .= " AND t.code ='".$vatratecode."'"; + $sql .= " AND t.code ='".$db->escape($vatratecode)."'"; $resql = $db->query($sql); if ($resql) { diff --git a/htdocs/product/reassort.php b/htdocs/product/reassort.php index 90c616fcd6b..f881a429d1a 100644 --- a/htdocs/product/reassort.php +++ b/htdocs/product/reassort.php @@ -40,7 +40,7 @@ if ($user->socid) $socid = $user->socid; $result = restrictedArea($user, 'produit|service'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $sref = GETPOST("sref", 'alpha'); $snom = GETPOST("snom", 'alpha'); $sall = trim((GETPOST('search_all', 'alphanohtml') != '') ?GETPOST('search_all', 'alphanohtml') : GETPOST('sall', 'alphanohtml')); @@ -402,7 +402,7 @@ if ($resql) { print ''; } // Units diff --git a/htdocs/product/reassortlot.php b/htdocs/product/reassortlot.php index 050d0d12f4b..cc37d930280 100644 
--- a/htdocs/product/reassortlot.php +++ b/htdocs/product/reassortlot.php @@ -42,7 +42,7 @@ if ($user->socid) $socid = $user->socid; $result = restrictedArea($user, 'produit|service'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $sref = GETPOST("sref", 'alpha'); $snom = GETPOST("snom", 'alpha'); $sall = trim((GETPOST('search_all', 'alphanohtml') != '') ?GETPOST('search_all', 'alphanohtml') : GETPOST('sall', 'alphanohtml')); @@ -335,7 +335,7 @@ if ($resql) $sql = "SELECT label"; $sql .= " FROM ".MAIN_DB_PREFIX."product_lang"; $sql .= " WHERE fk_product=".$objp->rowid; - $sql .= " AND lang='".$langs->getDefaultLang()."'"; + $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'"; $sql .= " LIMIT 1"; $result = $db->query($sql); diff --git a/htdocs/product/stats/card.php b/htdocs/product/stats/card.php index 4d4b0820e18..1d61018467a 100644 --- a/htdocs/product/stats/card.php +++ b/htdocs/product/stats/card.php @@ -217,18 +217,20 @@ if ($result || empty($id)) // Choice of stats mode (byunit or bynumber) if (!empty($conf->dol_use_jmobile)) print "\n".''; else print '
'; diff --git a/htdocs/product/stats/commande_fournisseur.php b/htdocs/product/stats/commande_fournisseur.php index c111e075972..162a108029e 100644 --- a/htdocs/product/stats/commande_fournisseur.php +++ b/htdocs/product/stats/commande_fournisseur.php @@ -50,8 +50,8 @@ $mesg = ''; // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/product/stats/propal.php b/htdocs/product/stats/propal.php index f5b097d0655..6766864b042 100644 --- a/htdocs/product/stats/propal.php +++ b/htdocs/product/stats/propal.php @@ -50,8 +50,8 @@ $mesg = ''; // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/product/stats/supplier_proposal.php b/htdocs/product/stats/supplier_proposal.php index 5a59cbb9c83..f4d2a5d4644 100644 --- a/htdocs/product/stats/supplier_proposal.php +++ b/htdocs/product/stats/supplier_proposal.php 
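Review bot: Switching `sortfield`/`sortorder` to the `aZ09comma` filter narrows the character set but does not restrict `$sortfield` to the columns the page exposes or `$sortorder` to ASC/DESC; whether `$db->order()` performs that validation is outside the hunk. If it does not, a whitelist check next to these reads (against the field list the page already builds) is the complementary control. The same change appears in propal.php, supplier_proposal.php, stock/list.php, massstockmove.php, productlot_list.php, replenish.php and stockatdate.php, so one shared note applies to all of them.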
@@ -50,8 +50,8 @@ $mesg = ''; // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/product/stock/card.php b/htdocs/product/stock/card.php index 82ec490bb74..11aa5e860ae 100644 --- a/htdocs/product/stock/card.php +++ b/htdocs/product/stock/card.php @@ -197,7 +197,7 @@ if (empty($reshook)) $object->oldcopy = dol_clone($object); // Fill array 'array_options' with data from update form - $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'none')); + $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'restricthtml')); if ($ret < 0) $error++; if (!$error) { $result = $object->insertExtraFields(); @@ -258,7 +258,7 @@ if ($action == 'create') // Parent entrepot print ''; // Description @@ -432,7 +432,7 @@ if ($action == 'create') if (!empty($user->rights->stock->mouvement->lire)) { $sql = "SELECT max(m.datem) as datem"; $sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m"; - $sql .= " WHERE m.fk_entrepot = '".$object->id."'"; + $sql .= " WHERE m.fk_entrepot = ".((int) $object->id); $resqlbis = $db->query($sql); if ($resqlbis) { $obj = $db->fetch_object($resqlbis); @@ -555,7 +555,7 @@ if ($action == 'create') $sql = "SELECT label"; $sql .= " FROM ".MAIN_DB_PREFIX."product_lang"; $sql .= " WHERE fk_product=".$objp->rowid; - $sql .= " AND lang='".$langs->getDefaultLang()."'"; + $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'"; $sql .= " LIMIT 1"; $result = $db->query($sql); 
diff --git a/htdocs/product/stock/class/api_stockmovements.class.php b/htdocs/product/stock/class/api_stockmovements.class.php index 1efa81bc0a8..71f687a1b03 100644 --- a/htdocs/product/stock/class/api_stockmovements.class.php +++ b/htdocs/product/stock/class/api_stockmovements.class.php @@ -118,7 +118,7 @@ class StockMovements extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -126,26 +126,26 @@ class StockMovements extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); - $stockmovement_static = new MouvementStock($db); + $obj = $this->db->fetch_object($result); + $stockmovement_static = new MouvementStock($this->db); if ($stockmovement_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($stockmovement_static); } $i++; } } else { - throw new RestException(503, 'Error when retrieve stock movement list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve stock movement list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No stock movement found'); diff --git a/htdocs/product/stock/class/api_warehouses.class.php b/htdocs/product/stock/class/api_warehouses.class.php index e84b017ed93..1c31bbbc2af 100644 --- a/htdocs/product/stock/class/api_warehouses.class.php +++ b/htdocs/product/stock/class/api_warehouses.class.php 
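Review bot: The corrected `throw new RestException(503, 'Error when retrieve stock movement list : '.$this->db->lasterror());` in the hunk at line 126 still returns the raw database error text to the API caller. Recording `$this->db->lasterror()` with `dol_syslog()` and throwing a generic message avoids exposing SQL and driver details to remote clients; the equivalent line in the api_warehouses.class.php hunk at line 133 has the same shape. The `$db` → `$this->db` replacement itself is correct — `$db` appears to have been an undefined local inside the method.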
@@ -111,7 +111,7 @@ class Warehouses extends DolibarrApi $sql .= ' WHERE t.entity IN ('.getEntity('stock').')'; // Select warehouses of given category if ($category > 0) { - $sql .= " AND c.fk_categorie = ".$db->escape($category); + $sql .= " AND c.fk_categorie = ".$this->db->escape($category); $sql .= " AND c.fk_warehouse = t.rowid "; } // Add sql filters @@ -125,7 +125,7 @@ class Warehouses extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -133,26 +133,26 @@ class Warehouses extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); - $warehouse_static = new Entrepot($db); + $obj = $this->db->fetch_object($result); + $warehouse_static = new Entrepot($this->db); if ($warehouse_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($warehouse_static); } $i++; } } else { - throw new RestException(503, 'Error when retrieve warehouse list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve warehouse list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No warehouse found'); diff --git a/htdocs/product/stock/class/mouvementstock.class.php b/htdocs/product/stock/class/mouvementstock.class.php index bfdfb14f6e8..534b9300158 100644 --- a/htdocs/product/stock/class/mouvementstock.class.php +++ b/htdocs/product/stock/class/mouvementstock.class.php 
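Review bot: `$this->db->escape($category)` is applied to a value concatenated without quotes (`c.fk_categorie = ...`); string escaping does not neutralise input in an unquoted numeric position. Since the branch already requires `$category > 0`, `$sql .= " AND c.fk_categorie = ".((int) $category);` is the appropriate form and matches the `((int) ...)` casts used elsewhere in this commit. The method signature declaring `$category` is outside the hunk.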
@@ -211,6 +211,7 @@ class MouvementStock extends CommonObject { if (empty($batch)) { + $langs->load("errors"); $this->errors[] = $langs->transnoentitiesnoconv("ErrorTryToMakeMoveOnProductRequiringBatchData", $product->ref); dol_syslog("Try to make a movement of a product with status_batch on without any batch data"); @@ -418,7 +419,7 @@ class MouvementStock extends CommonObject $sql .= " fk_entrepot, value, type_mouvement, fk_user_author, label, inventorycode, price, fk_origin, origintype, fk_projet"; $sql .= ")"; $sql .= " VALUES ('".$this->db->idate($now)."', ".$this->product_id.", "; - $sql .= " ".($batch ? "'".$batch."'" : "null").", "; + $sql .= " ".($batch ? "'".$this->db->escape($batch)."'" : "null").", "; $sql .= " ".($eatby ? "'".$this->db->idate($eatby)."'" : "null").", "; $sql .= " ".($sellby ? "'".$this->db->idate($sellby)."'" : "null").", "; $sql .= " ".$this->entrepot_id.", ".$this->qty.", ".((int) $this->type).","; diff --git a/htdocs/product/stock/list.php b/htdocs/product/stock/list.php index 3a5aac6ab35..b0f593f82d9 100644 --- a/htdocs/product/stock/list.php +++ b/htdocs/product/stock/list.php @@ -59,8 +59,8 @@ if (!empty($conf->categorie->enabled)) // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action $offset = $limit * $page; 
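Review bot: In the hunk at line 418, `$batch` is now escaped, but the same INSERT still concatenates `$this->product_id`, `$this->entrepot_id` and `$this->qty` raw while `$this->type` already gets `((int) ...)`. Casting the id fields — `$sql .= " VALUES ('".$this->db->idate($now)."', ".((int) $this->product_id).", ";` and `$sql .= " ".((int) $this->entrepot_id).", ".$this->qty.", ".((int) $this->type).",";` — makes the statement consistent and independent of how callers populate the object. The `$langs->load("errors");` added in the hunk at line 211 is fine provided `$langs` is declared global in that method, which is outside the hunk.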
diff --git a/htdocs/product/stock/massstockmove.php b/htdocs/product/stock/massstockmove.php index bc7949f5a1b..86458966b34 100644 --- a/htdocs/product/stock/massstockmove.php +++ b/htdocs/product/stock/massstockmove.php @@ -45,7 +45,7 @@ $result = restrictedArea($user, 'produit|service'); //checks if a product has been ordered -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $id_product = GETPOST('productid', 'int'); $id_sw = GETPOST('id_sw', 'int'); $id_tw = GETPOST('id_tw', 'int'); @@ -53,8 +53,8 @@ $batch = GETPOST('batch'); $qty = GETPOST('qty'); $idline = GETPOST('idline'); -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 diff --git a/htdocs/product/stock/movement_card.php b/htdocs/product/stock/movement_card.php index 2000ab4cdec..6d0eb0dc24c 100644 --- a/htdocs/product/stock/movement_card.php +++ b/htdocs/product/stock/movement_card.php @@ -457,7 +457,7 @@ $sql .= " AND e.entity IN (".getEntity('stock').")"; if (empty($conf->global->STOCK_SUPPORTS_SERVICES)) $sql .= " AND p.fk_product_type = 0"; if ($id > 0) $sql .= " AND e.rowid ='".$id."'"; $sql .= dolSqlDateFilter('m.datem', 0, $month, $year); -if ($idproduct > 0) $sql .= " AND p.rowid = '".$idproduct."'"; +if ($idproduct > 0) $sql .= " AND p.rowid = ".((int) $idproduct); if (!empty($search_ref)) $sql .= natural_search('m.rowid', $search_ref, 1); if (!empty($search_movement)) $sql .= natural_search('m.label', $search_movement); if (!empty($search_inventorycode)) $sql .= natural_search('m.inventorycode', $search_inventorycode); diff --git a/htdocs/product/stock/movement_list.php b/htdocs/product/stock/movement_list.php index fd4c57ca4cc..b533d4407a6 100644 
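Review bot: The cast to `((int) $idproduct)` in the movement_card.php hunk at line 457 is right, but the context line directly above it, `if ($id > 0) $sql .= " AND e.rowid ='".$id."'";`, keeps the quoted-and-unescaped pattern this change removes; the identical pair appears in the movement_list.php hunk at line 483. Changing it to `if ($id > 0) $sql .= " AND e.rowid = ".((int) $id);` in both files finishes the cleanup the commit starts.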
--- a/htdocs/product/stock/movement_list.php +++ b/htdocs/product/stock/movement_list.php @@ -193,7 +193,7 @@ if ($action == 'update_extras') { $tmpwarehouse->oldcopy = dol_clone($tmpwarehouse); // Fill array 'array_options' with data from update form - $ret = $extrafields->setOptionalsFromPost(null, $tmpwarehouse, GETPOST('attribute', 'none')); + $ret = $extrafields->setOptionalsFromPost(null, $tmpwarehouse, GETPOST('attribute', 'restricthtml')); if ($ret < 0) $error++; if (!$error) { $result = $tmpwarehouse->insertExtraFields(); @@ -483,7 +483,7 @@ $sql .= " AND e.entity IN (".getEntity('stock').")"; if (empty($conf->global->STOCK_SUPPORTS_SERVICES)) $sql .= " AND p.fk_product_type = 0"; if ($id > 0) $sql .= " AND e.rowid ='".$id."'"; $sql .= dolSqlDateFilter('m.datem', 0, $month, $year); -if ($idproduct > 0) $sql .= " AND p.rowid = '".$idproduct."'"; +if ($idproduct > 0) $sql .= " AND p.rowid = ".((int) $idproduct); if (!empty($search_ref)) $sql .= natural_search('m.rowid', $search_ref, 1); if (!empty($search_movement)) $sql .= natural_search('m.label', $search_movement); if (!empty($search_inventorycode)) $sql .= natural_search('m.inventorycode', $search_inventorycode); @@ -624,7 +624,7 @@ if ($resql) // Last movement $sql = "SELECT MAX(m.datem) as datem"; $sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m"; - $sql .= " WHERE m.fk_entrepot = '".$object->id."'"; + $sql .= " WHERE m.fk_entrepot = ".((int) $object->id); $resqlbis = $db->query($sql); if ($resqlbis) { diff --git a/htdocs/product/stock/product.php b/htdocs/product/stock/product.php index cd83f2c19c8..54d57bf5d75 100644 --- a/htdocs/product/stock/product.php +++ b/htdocs/product/stock/product.php 
@@ -195,7 +195,7 @@ if ($action == 'setdesiredstock' && !empty($user->rights->produit->creer)) // Correct stock if ($action == "correct_stock" && !$cancel) { - if (!(GETPOST("id_entrepot") > 0)) + if (!(GETPOST("id_entrepot", 'int') > 0)) { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("Warehouse")), null, 'errors'); $error++; @@ -710,7 +710,7 @@ if ($id > 0 || $ref) { $sql = "SELECT max(m.datem) as datem"; $sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m"; - $sql .= " WHERE m.fk_product = '".$object->id."'"; + $sql .= " WHERE m.fk_product = ".((int) $object->id); $resqlbis = $db->query($sql); if ($resqlbis) { $obj = $db->fetch_object($resqlbis); diff --git a/htdocs/product/stock/productlot_card.php b/htdocs/product/stock/productlot_card.php index 0f706c3ccae..bdc68f5c3e5 100644 --- a/htdocs/product/stock/productlot_card.php +++ b/htdocs/product/stock/productlot_card.php @@ -122,7 +122,7 @@ if (empty($reshook)) $object->oldcopy = dol_clone($object); // Fill array 'array_options' with data from update form - $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'none')); + $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'restricthtml')); if ($ret < 0) $error++; if (!$error) diff --git a/htdocs/product/stock/productlot_document.php b/htdocs/product/stock/productlot_document.php index 6a28f595f86..59ab61fb86a 100644 --- a/htdocs/product/stock/productlot_document.php +++ b/htdocs/product/stock/productlot_document.php @@ -42,7 +42,7 @@ $langs->loadLangs(array('other', 'products')); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); // Security check diff --git a/htdocs/product/stock/productlot_list.php b/htdocs/product/stock/productlot_list.php index c7d9facf74d..33d49c0c5e5 100644 --- a/htdocs/product/stock/productlot_list.php 
+++ b/htdocs/product/stock/productlot_list.php @@ -36,7 +36,7 @@ $langs->loadLangs(array('stocks', 'productbatch', 'other', 'users')); // Get parameters $id = GETPOST('id', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); $toselect = GETPOST('toselect', 'array'); // Array of ids of elements selected into a list $contextpage = GETPOST('contextpage', 'aZ') ? GETPOST('contextpage', 'aZ') : 'myobjectlist'; // To manage different context of search @@ -51,8 +51,8 @@ $search_import_key = GETPOST('search_import_key', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $offset = $limit * $page; diff --git a/htdocs/product/stock/replenish.php b/htdocs/product/stock/replenish.php index ff71f5f605c..98b9f54b2ff 100644 --- a/htdocs/product/stock/replenish.php +++ b/htdocs/product/stock/replenish.php @@ -48,7 +48,7 @@ $hookmanager->initHooks(array('stockreplenishlist')); //checks if a product has been ordered -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $search_ref = GETPOST('search_ref', 'alpha'); $search_label = GETPOST('search_label', 'alpha'); $sall = trim((GETPOST('search_all', 'alphanohtml') != '') ?GETPOST('search_all', 'alphanohtml') : GETPOST('sall', 'alphanohtml')); 
@@ -65,8 +65,8 @@ $fk_supplier = GETPOST('fk_supplier', 'int'); $fk_entrepot = GETPOST('fk_entrepot', 'int'); $texte = ''; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; @@ -312,6 +312,9 @@ if (!empty($conf->global->STOCK_ALLOW_ADD_LIMIT_STOCK_BY_WAREHOUSE) && $fk_entre $sql .= ' '.$sqldesiredtock.' as desiredstockcombined, '.$sqlalertstock.' as seuil_stock_alertecombined,'; $sql .= ' s.fk_product,'; $sql .= ' SUM('.$db->ifsql("s.reel IS NULL", "0", "s.reel").') as stock_physique'; +if (!empty($conf->global->STOCK_ALLOW_ADD_LIMIT_STOCK_BY_WAREHOUSE) && $fk_entrepot > 0) { + $sql .= ', SUM('.$db->ifsql("s.reel IS NULL OR s.fk_entrepot <> ".$fk_entrepot, "0", "s.reel").') as stock_real_warehouse'; +} // Add fields from hooks $parameters = array(); @@ -530,18 +533,20 @@ if (empty($fk_warhouse) && !empty($conf->global->STOCK_ALLOW_ADD_LIMIT_STOCK_BY_ if ($usevirtualstock == 1) { print $langs->trans("CurentSelectionMode").': '; - print $langs->trans("CurentlyUsingVirtualStock").' - '; - print ''.$langs->trans("UsePhysicalStock").'
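Review bot: The new SUM expression in the hunk at line 312 concatenates `$fk_entrepot` into the `ifsql()` condition string; the hunk at line 65 shows it is read with `GETPOST('fk_entrepot', 'int')` and the branch requires `$fk_entrepot > 0`, so the value is numeric today. Writing it as `"s.reel IS NULL OR s.fk_entrepot <> ".((int) $fk_entrepot)` at the point of use matches the commit's other hunks and does not depend on the reader staying an 'int' GETPOST.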
'; + print $langs->trans("CurentlyUsingVirtualStock"); + print ' ('.$langs->trans("UsePhysicalStock").')'; + print '
'; } if ($usevirtualstock == 0) { print $langs->trans("CurentSelectionMode").': '; - print $langs->trans("CurentlyUsingPhysicalStock").' - '; - print ''.$langs->trans("UseVirtualStock").'
'; + print $langs->trans("CurentlyUsingPhysicalStock"); + print ' ('.$langs->trans("UseVirtualStock").')'; + print '
'; } print '
'."\n"; -print ''; +print ''; print ''; print ''; print ''; @@ -636,11 +641,13 @@ $param .= '&fk_supplier='.$fk_supplier; $param .= '&fk_entrepot='.$fk_entrepot; $stocklabel = $langs->trans('Stock'); +$stocklabelbis = $langs->trans('Stock'); if ($usevirtualstock == 1) $stocklabel = $langs->trans('VirtualStock'); if ($usevirtualstock == 0) $stocklabel = $langs->trans('PhysicalStock'); if (!empty($conf->global->STOCK_ALLOW_ADD_LIMIT_STOCK_BY_WAREHOUSE) && $fk_entrepot > 0) { - $stocklabel .= ' ('.$langs->trans("AllWarehouses").')'; + $stocklabelbis = $stocklabel.' (Selected warehouse)'; + $stocklabel .= ' ('.$langs->trans("AllWarehouses").')'; } $texte = $langs->trans('Replenishment'); 
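Review bot: `$stocklabelbis = $stocklabel.' (Selected warehouse)';` in the hunk at line 636 hard-codes an English label, while the line right after it uses `$langs->trans("AllWarehouses")` for the sibling header. Using a translation key instead — e.g. `$stocklabelbis = $stocklabel.' ('.$langs->trans("SelectedWarehouse").')';` with `SelectedWarehouse` as a constructed key name to be added to the language file — keeps that column header localized like its neighbour.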
@@ -689,6 +696,10 @@ if (!empty($conf->service->enabled) && $type == 1) print ''; print ''; print ''; +if (!empty($conf->global->STOCK_ALLOW_ADD_LIMIT_STOCK_BY_WAREHOUSE) && $fk_entrepot > 0) +{ + print ''; +} print ''; + $variants = $prod->hasVariants(); + if (!$variants || !empty($conf->global->VARIANT_ALLOW_STOCK_MOVEMENT_ON_VARIANT_PARENT)) { + print ''; - // Select field - print ''; + // Select field + print ''; - print ''; + print ''; - print ''; + print ''; - if (!empty($conf->service->enabled) && $type == 1) - { - if (preg_match('/([0-9]+)y/i', $objp->duration, $regs)) { - $duration = $regs[1].' '.$langs->trans('DurationYear'); - } elseif (preg_match('/([0-9]+)m/i', $objp->duration, $regs)) { - $duration = $regs[1].' '.$langs->trans('DurationMonth'); - } elseif (preg_match('/([0-9]+)d/i', $objp->duration, $regs)) { - $duration = $regs[1].' '.$langs->trans('DurationDay'); - } else { - $duration = $objp->duration; + if (!empty($conf->service->enabled) && $type == 1) + { + $regs = array(); + if (preg_match('/([0-9]+)y/i', $objp->duration, $regs)) { + $duration = $regs[1].' '.$langs->trans('DurationYear'); + } elseif (preg_match('/([0-9]+)m/i', $objp->duration, $regs)) { + $duration = $regs[1].' '.$langs->trans('DurationMonth'); + } elseif (preg_match('/([0-9]+)d/i', $objp->duration, $regs)) { + $duration = $regs[1].' 
'.$langs->trans('DurationDay'); + } else { + $duration = $objp->duration; + } + print ''; } - print ''; + + // Desired stock + print ''; + + // Limit stock for alert + print ''; + + // Current stock (all warehouses) + print ''; + + // Current stock (warehouse selected only) + if (!empty($conf->global->STOCK_ALLOW_ADD_LIMIT_STOCK_BY_WAREHOUSE) && $fk_entrepot > 0) + { + print ''; + } + + // Already ordered + print ''; + + // To order + print ''; + + // Supplier + print ''; + + // Fields from hook + $parameters = array('objp'=>$objp); + $reshook = $hookmanager->executeHooks('printFieldListValue', $parameters); // Note that $action and $object may have been modified by hook + print $hookmanager->resPrint; + + print ''; } - - // Desired stock - print ''; - - // Limit stock for alert - print ''; - - // Current stock (all warehouses) - print ''; - - // Already ordered - print ''; - - // To order - print ''; - - // Supplier - print ''; - - // Fields from hook - $parameters = array('objp'=>$objp); - $reshook = $hookmanager->executeHooks('printFieldListValue', $parameters); // Note that $action and $object may have been modified by hook - print $hookmanager->resPrint; - - print ''; } $i++; } diff --git a/htdocs/product/stock/stockatdate.php b/htdocs/product/stock/stockatdate.php index 9b03d5ecfc4..f581242c9f2 100644 --- a/htdocs/product/stock/stockatdate.php +++ b/htdocs/product/stock/stockatdate.php @@ -49,7 +49,7 @@ $hookmanager->initHooks(array('stockreplenishlist')); //checks if a product has been ordered -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $type = GETPOST('type', 'int'); $mode = GETPOST('mode', 'alpha'); $date = ''; 
@@ -64,8 +64,8 @@ $now = dol_now(); $productid = GETPOST('productid', 'int'); $fk_warehouse = GETPOST('fk_warehouse', 'int'); -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1 $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit; @@ -124,7 +124,7 @@ if ($date && $dateIsValid) { // Avoid heavy sql if mandatory date is not defined $sql .= " WHERE w.entity IN (".getEntity('stock').")"; $sql .= " AND w.rowid = ps.fk_entrepot"; if (! empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) { - $sql .= " AND w.statut IN (".$this->db->escape(implode(',', $warehouseStatus)).")"; + $sql .= " AND w.statut IN (".$db->sanitize($db->escape(implode(',', $warehouseStatus))).")"; } if ($productid > 0) { $sql .= " AND ps.fk_product = ".$productid; @@ -175,7 +175,7 @@ if ($date && $dateIsValid) { $sql .= " WHERE w.entity IN (".getEntity('stock').")"; $sql .= " AND w.rowid = sm.fk_entrepot"; if (! empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) { - $sql .= " AND w.statut IN (".$this->db->escape(implode(',', $warehouseStatus)).")"; + $sql .= " AND w.statut IN (".$db->sanitize($db->escape(implode(',', $warehouseStatus))).")"; } if ($mode == 'future') { $sql .= " AND sm.datem <= '".$db->idate($dateendofday)."'"; diff --git a/htdocs/product/traduction.php b/htdocs/product/traduction.php index 055e3cbefc7..502a15cd04e 100644 --- a/htdocs/product/traduction.php +++ b/htdocs/product/traduction.php 
@@ -36,7 +36,7 @@ $langs->loadLangs(array('products', 'languages')); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); // Security check diff --git a/htdocs/projet/activity/index.php b/htdocs/projet/activity/index.php index da8a6dc9c0c..295f96370f3 100644 --- a/htdocs/projet/activity/index.php +++ b/htdocs/projet/activity/index.php @@ -145,7 +145,7 @@ $sql .= " AND p.entity = ".$conf->entity; $sql .= " AND tt.fk_task = t.rowid"; $sql .= " AND tt.fk_user = ".$user->id; $sql .= " AND task_date BETWEEN '".$db->idate(dol_mktime(0, 0, 0, $month, $day, $year))."' AND '".$db->idate(dol_mktime(23, 59, 59, $month, $day, $year))."'"; -$sql .= " AND p.rowid in (".$projectsListId.")"; +$sql .= " AND p.rowid in (".$db->sanitize($projectsListId).")"; $sql .= " GROUP BY p.rowid, p.ref, p.title, p.public"; $resql = $db->query($sql); @@ -200,7 +200,7 @@ $sql .= " AND p.entity = ".$conf->entity; $sql .= " AND tt.fk_task = t.rowid"; $sql .= " AND tt.fk_user = ".$user->id; $sql .= " AND task_date BETWEEN '".$db->idate(dol_time_plus_duree(dol_mktime(0, 0, 0, $month, $day, $year), -1, 'd'))."' AND '".$db->idate(dol_time_plus_duree(dol_mktime(23, 59, 59, $month, $day, $year), -1, 'd'))."'"; -$sql .= " AND p.rowid in (".$projectsListId.")"; +$sql .= " AND p.rowid in (".$db->sanitize($projectsListId).")"; $sql .= " GROUP BY p.rowid, p.ref, p.title, p.public"; $resql = $db->query($sql); @@ -258,7 +258,7 @@ if ($db->type != 'pgsql') $sql.= " AND tt.fk_task = t.rowid"; $sql.= " AND tt.fk_user = ".$user->id; $sql.= " AND task_date >= '".$db->idate(dol_get_first_day($year, $month)).'" AND ..."; - $sql.= " AND p.rowid in (".$projectsListId.")"; + $sql.= " AND p.rowid in (".$db->sanitize($projectsListId).")"; $sql.= " GROUP BY p.rowid, p.ref, p.title"; $resql = $db->query($sql); 
@@ -315,7 +315,7 @@ if (!empty($conf->global->PROJECT_TASK_TIME_MONTH)) $sql .= " AND tt.fk_task = t.rowid"; $sql .= " AND tt.fk_user = ".$user->id; $sql .= " AND task_date BETWEEN '".$db->idate(dol_get_first_day($year, $month))."' AND '".$db->idate(dol_get_last_day($year, $month))."'"; - $sql .= " AND p.rowid in (".$projectsListId.")"; + $sql .= " AND p.rowid in (".$db->sanitize($projectsListId).")"; $sql .= " GROUP BY p.rowid, p.ref, p.title, p.public"; $resql = $db->query($sql); @@ -364,7 +364,7 @@ if (!empty($conf->global->PROJECT_TASK_TIME_YEAR)) $sql .= " AND tt.fk_task = t.rowid"; $sql .= " AND tt.fk_user = ".$user->id; $sql .= " AND YEAR(task_date) = '".strftime("%Y", $now)."'"; - $sql .= " AND p.rowid in (".$projectsListId.")"; + $sql .= " AND p.rowid in (".$db->sanitize($projectsListId).")"; $sql .= " GROUP BY p.rowid, p.ref, p.title, p.public"; $resql = $db->query($sql); @@ -400,7 +400,7 @@ if (empty($conf->global->PROJECT_HIDE_TASKS) && !empty($conf->global->PROJECT_SH // Get id of types of contacts for projects (This list never contains a lot of elements) $listofprojectcontacttype = array(); $sql = "SELECT ctc.rowid, ctc.code FROM ".MAIN_DB_PREFIX."c_type_contact as ctc"; - $sql .= " WHERE ctc.element = '".$projectstatic->element."'"; + $sql .= " WHERE ctc.element = '".$db->escape($projectstatic->element)."'"; $sql .= " AND ctc.source = 'internal'"; $resql = $db->query($sql); if ($resql) @@ -414,7 +414,7 @@ if (empty($conf->global->PROJECT_HIDE_TASKS) && !empty($conf->global->PROJECT_SH // Get id of types of contacts for tasks (This list never contains a lot of elements) $listoftaskcontacttype = array(); $sql = "SELECT ctc.rowid, ctc.code FROM ".MAIN_DB_PREFIX."c_type_contact as ctc"; - $sql .= " WHERE ctc.element = '".$taskstatic->element."'"; + $sql .= " WHERE ctc.element = '".$db->escape($taskstatic->element)."'"; $sql .= " AND ctc.source = 'internal'"; $resql = $db->query($sql); if ($resql) 
@@ -445,7 +445,7 @@ if (empty($conf->global->PROJECT_HIDE_TASKS) && !empty($conf->global->PROJECT_SH $sql .= ", ".MAIN_DB_PREFIX."element_contact as ect"; } $sql .= " WHERE p.entity IN (".getEntity('project').")"; - if ($mine || empty($user->rights->projet->all->lire)) $sql .= " AND p.rowid IN (".$projectsListId.")"; // project i have permission on + if ($mine || empty($user->rights->projet->all->lire)) $sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")"; // project i have permission on if ($mine) // this may duplicate record if we are contact twice { $sql .= " AND ect.fk_c_type_contact IN (".join(',', array_keys($listoftaskcontacttype)).") AND ect.element_id = t.rowid AND ect.fk_socpeople = ".$user->id; diff --git a/htdocs/projet/activity/permonth.php b/htdocs/projet/activity/permonth.php index 576f580db6a..72128b5e052 100644 --- a/htdocs/projet/activity/permonth.php +++ b/htdocs/projet/activity/permonth.php @@ -365,7 +365,7 @@ $nav .= ' '; + print ''; // Usage (opp, task, bill time, ...) print ''; print ''; @@ -971,7 +971,7 @@ if ($action == 'create' && $user->rights->projet->creer) $morehtmlref = '
'; // Title - $morehtmlref .= $object->title; + $morehtmlref .= dol_escape_htmltag($object->title); // Thirdparty $morehtmlref .= '
'.$langs->trans('ThirdParty').' : '; if ($object->thirdparty->id > 0) diff --git a/htdocs/projet/class/api_projects.class.php b/htdocs/projet/class/api_projects.class.php index 5ef21879c7f..214cbe96154 100644 --- a/htdocs/projet/class/api_projects.class.php +++ b/htdocs/projet/class/api_projects.class.php @@ -131,7 +131,7 @@ class Projects extends DolibarrApi } // Select projects of given category if ($category > 0) { - $sql .= " AND c.fk_categorie = ".$db->escape($category)." AND c.fk_project = t.rowid "; + $sql .= " AND c.fk_categorie = ".$this->db->escape($category)." AND c.fk_project = t.rowid "; } // Add sql filters if ($sqlfilters) @@ -144,7 +144,7 @@ class Projects extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -152,27 +152,27 @@ class Projects extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } dol_syslog("API Rest request"); - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); - $project_static = new Project($db); + $obj = $this->db->fetch_object($result); + $project_static = new Project($this->db); if ($project_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($project_static); } $i++; } } else { - throw new RestException(503, 'Error when retrieve project list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve project list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No project found'); 
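Review bot: `$this->db->escape($category)` on the `c.fk_categorie = ...` line only escapes quote characters, which does nothing for a value concatenated into an unquoted numeric comparison; `$category` is a request parameter and the guard `if ($category > 0)` is a loose numeric comparison, so a cast is the right check here: `$sql .= " AND c.fk_categorie = ".((int) $category)." AND c.fk_project = t.rowid ";`. Switching from `$db` to `$this->db` fixes the undefined-variable problem but does not change what `escape()` protects against. The enclosing method starts outside the hunk, so whether `$category` is already cast by the caller cannot be confirmed from here.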
diff --git a/htdocs/projet/class/api_tasks.class.php b/htdocs/projet/class/api_tasks.class.php index d5ad064f84f..5181beb3707 100644 --- a/htdocs/projet/class/api_tasks.class.php +++ b/htdocs/projet/class/api_tasks.class.php @@ -146,7 +146,7 @@ class Tasks extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -154,28 +154,28 @@ class Tasks extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } dol_syslog("API Rest request"); - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); $i = 0; while ($i < $min) { - $obj = $db->fetch_object($result); - $task_static = new Task($db); + $obj = $this->db->fetch_object($result); + $task_static = new Task($this->db); if ($task_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($task_static); } $i++; } } else { - throw new RestException(503, 'Error when retrieve task list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve task list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No task found'); diff --git a/htdocs/projet/comment.php b/htdocs/projet/comment.php index 04e306f9dfb..905b57e875f 100644 --- a/htdocs/projet/comment.php +++ b/htdocs/projet/comment.php 
@@ -41,7 +41,7 @@ $id = GETPOST('id', 'int'); $idcomment = GETPOST('idcomment', 'int'); $ref = GETPOST("ref", 'alpha', 1); // task ref $objectref = GETPOST("taskref", 'alpha'); // task ref -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $withproject = GETPOST('withproject', 'int'); $project_ref = GETPOST('project_ref', 'alpha'); diff --git a/htdocs/projet/contact.php b/htdocs/projet/contact.php index b8f1a24013d..8bbdbed9e6a 100644 --- a/htdocs/projet/contact.php +++ b/htdocs/projet/contact.php @@ -36,7 +36,7 @@ $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); $lineid = GETPOST('lineid', 'int'); $socid = GETPOST('socid', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $mine = GETPOST('mode') == 'mine' ? 1 : 0; //if (! $user->rights->projet->all->lire) $mine=1; // Special for projects diff --git a/htdocs/projet/element.php b/htdocs/projet/element.php index acfa8297df6..026aeae32d9 100644 --- a/htdocs/projet/element.php +++ b/htdocs/projet/element.php @@ -72,7 +72,7 @@ if (!empty($conf->mrp->enabled)) $langs->load("mrp"); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $datesrfc = GETPOST('datesrfc'); $dateerfc = GETPOST('dateerfc'); $dates = dol_mktime(0, 0, 0, GETPOST('datesmonth'), GETPOST('datesday'), GETPOST('datesyear')); diff --git a/htdocs/projet/index.php b/htdocs/projet/index.php index 3d485793fb6..847d7b03d47 100644 --- a/htdocs/projet/index.php +++ b/htdocs/projet/index.php 
@@ -39,7 +39,7 @@ $hookmanager->initHooks(array('projectsindex')); // Load translation files required by the page $langs->loadLangs(array('projects', 'companies')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $search_project_user = GETPOST('search_project_user', 'int'); $mine = GETPOST('mode', 'aZ09') == 'mine' ? 1 : 0; if ($mine == 0 && $search_project_user === '') $search_project_user = $user->conf->MAIN_SEARCH_PROJECT_USER_PROJECTSINDEX; @@ -53,7 +53,7 @@ if (!$user->rights->projet->lire) accessforbidden(); $sortfield = GETPOST("sortfield", 'alpha'); $sortorder = GETPOST("sortorder", 'alpha'); -$max = 3; +$max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT; /* @@ -362,7 +362,7 @@ if ($resql) if ($othernb) { print '
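Review bot: `$max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT;` drops the previous hard-coded default of 3 without a fallback, so on an instance where that constant is not set `$max` becomes empty and whatever limit or loop consumes it below the hunk presumably behaves differently; keep the old value as the default: `$max = !empty($conf->global->MAIN_SIZE_SHORTLIST_LIMIT) ? $conf->global->MAIN_SIZE_SHORTLIST_LIMIT : 3;`. In the same hunk `$sortfield` and `$sortorder` are still read with `'alpha'` while stockatdate.php and reception/list.php in this commit move them to `'aZ09comma'`; aligning them here keeps the sort parameters restricted to column-name characters before they reach the query builder.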
'; print ''; print ''; if (!empty($arrayfields['p.ref']['checked'])) print_liste_field_titre($arrayfields['p.ref']['label'], $_SERVER["PHP_SELF"], "p.ref", "", $param, "", $sortfield, $sortorder); if (!empty($arrayfields['p.title']['checked'])) print_liste_field_titre($arrayfields['p.title']['label'], $_SERVER["PHP_SELF"], "p.title", "", $param, "", $sortfield, $sortorder); if (!empty($arrayfields['s.nom']['checked'])) print_liste_field_titre($arrayfields['s.nom']['label'], $_SERVER["PHP_SELF"], "s.nom", "", $param, "", $sortfield, $sortorder); -if (!empty($arrayfields['commercial']['checked'])) print_liste_field_titre($arrayfields['commercial']['label'], $_SERVER["PHP_SELF"], "", "", $param, "", $sortfield, $sortorder); +if (!empty($arrayfields['commercial']['checked'])) print_liste_field_titre($arrayfields['commercial']['label'], $_SERVER["PHP_SELF"], "", "", $param, "", $sortfield, $sortorder, 'tdoverflowmax100imp '); if (!empty($arrayfields['p.dateo']['checked'])) print_liste_field_titre($arrayfields['p.dateo']['label'], $_SERVER["PHP_SELF"], "p.dateo", "", $param, '', $sortfield, $sortorder, 'center '); if (!empty($arrayfields['p.datee']['checked'])) print_liste_field_titre($arrayfields['p.datee']['label'], $_SERVER["PHP_SELF"], "p.datee", "", $param, '', $sortfield, $sortorder, 'center '); if (!empty($arrayfields['p.public']['checked'])) print_liste_field_titre($arrayfields['p.public']['label'], $_SERVER["PHP_SELF"], "p.public", "", $param, "", $sortfield, $sortorder); diff --git a/htdocs/projet/tasks.php b/htdocs/projet/tasks.php index c11ffcd8d6f..522468257e0 100644 --- a/htdocs/projet/tasks.php +++ b/htdocs/projet/tasks.php 
@@ -36,7 +36,7 @@ if ($conf->categorie->enabled) { require_once DOL_DOCUMENT_ROOT.'/categories/cla // Load translation files required by the page $langs->loadLangs(array('projects', 'users', 'companies')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $show_files = GETPOST('show_files', 'int'); $confirm = GETPOST('confirm', 'alpha'); @@ -95,7 +95,7 @@ $hookmanager->initHooks(array('projecttaskscard', 'globalcard')); $progress = GETPOST('progress', 'int'); $label = GETPOST('label', 'alpha'); -$description = GETPOST('description', 'none'); +$description = GETPOST('description', 'restricthtml'); $planned_workloadhour = (GETPOST('planned_workloadhour', 'int') ?GETPOST('planned_workloadhour', 'int') : 0); $planned_workloadmin = (GETPOST('planned_workloadmin', 'int') ?GETPOST('planned_workloadmin', 'int') : 0); $planned_workload = $planned_workloadhour * 3600 + $planned_workloadmin * 60; diff --git a/htdocs/projet/tasks/comment.php b/htdocs/projet/tasks/comment.php index e8a4ae93168..0549710ff25 100644 --- a/htdocs/projet/tasks/comment.php +++ b/htdocs/projet/tasks/comment.php @@ -41,7 +41,7 @@ $id = GETPOST('id', 'int'); $idcomment = GETPOST('idcomment', 'int'); $ref = GETPOST("ref", 'alpha', 1); // task ref $objectref = GETPOST("taskref", 'alpha'); // task ref -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $withproject = GETPOST('withproject', 'int'); $project_ref = GETPOST('project_ref', 'alpha'); diff --git a/htdocs/projet/tasks/contact.php b/htdocs/projet/tasks/contact.php index 2c3737c6788..72e3a1bae32 100644 --- a/htdocs/projet/tasks/contact.php +++ b/htdocs/projet/tasks/contact.php 
@@ -35,7 +35,7 @@ $langs->loadLangs(array('projects', 'companies')); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $withproject = GETPOST('withproject', 'int'); $project_ref = GETPOST('project_ref', 'alpha'); diff --git a/htdocs/projet/tasks/document.php b/htdocs/projet/tasks/document.php index 1493542c5ed..2a8e3cdd944 100644 --- a/htdocs/projet/tasks/document.php +++ b/htdocs/projet/tasks/document.php @@ -35,7 +35,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; // Load translation files required by the page $langs->loadLangs(array('projects', 'other')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $mine = $_REQUEST['mode'] == 'mine' ? 1 : 0; //if (! $user->rights->projet->all->lire) $mine=1; // Special for projects diff --git a/htdocs/projet/tasks/list.php b/htdocs/projet/tasks/list.php index 1ffd3541344..7d1a8354bb3 100644 --- a/htdocs/projet/tasks/list.php +++ b/htdocs/projet/tasks/list.php @@ -34,7 +34,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formother.class.php'; // Load translation files required by the page $langs->loadLangs(array('projects', 'users', 'companies')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $show_files = GETPOST('show_files', 'int'); $confirm = GETPOST('confirm', 'alpha'); 
@@ -239,7 +239,7 @@ if (!$user->rights->projet->all->lire) $projectsListId = $projectstatic->getProj // Get id of types of contacts for projects (This list never contains a lot of elements) $listofprojectcontacttype = array(); $sql = "SELECT ctc.rowid, ctc.code FROM ".MAIN_DB_PREFIX."c_type_contact as ctc"; -$sql .= " WHERE ctc.element = '".$projectstatic->element."'"; +$sql .= " WHERE ctc.element = '".$db->escape($projectstatic->element)."'"; $sql .= " AND ctc.source = 'internal'"; $resql = $db->query($sql); if ($resql) @@ -253,7 +253,7 @@ if (count($listofprojectcontacttype) == 0) $listofprojectcontacttype[0] = '0'; / // Get id of types of contacts for tasks (This list never contains a lot of elements) $listoftaskcontacttype = array(); $sql = "SELECT ctc.rowid, ctc.code FROM ".MAIN_DB_PREFIX."c_type_contact as ctc"; -$sql .= " WHERE ctc.element = '".$object->element."'"; +$sql .= " WHERE ctc.element = '".$db->escape($object->element)."'"; $sql .= " AND ctc.source = 'internal'"; $resql = $db->query($sql); if ($resql) @@ -421,11 +421,7 @@ if ($user->rights->societe->supprimer) $arrayofmassactions['predelete'] = 'selectMassAction('', $arrayofmassactions); -$newcardbutton = ''; -if ($user->rights->projet->creer) -{ - $newcardbutton .= dolGetButtonTitle($langs->trans('NewTask'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/projet/tasks.php?action=create'); -} +$newcardbutton = dolGetButtonTitle($langs->trans('NewTask'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/projet/tasks.php?action=create', '', $user->rights->projet->creer); print ''; if ($optioncss != '') print ''; diff --git a/htdocs/projet/tasks/note.php b/htdocs/projet/tasks/note.php index 7af9bbbacef..c281da3b877 100644 --- a/htdocs/projet/tasks/note.php +++ b/htdocs/projet/tasks/note.php 
@@ -29,7 +29,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/project.lib.php'; // Load translation files required by the page $langs->load('projects'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $mine = $_REQUEST['mode'] == 'mine' ? 1 : 0; //if (! $user->rights->projet->all->lire) $mine=1; // Special for projects diff --git a/htdocs/projet/tasks/task.php b/htdocs/projet/tasks/task.php index 0a432351f60..49e1a3e6866 100644 --- a/htdocs/projet/tasks/task.php +++ b/htdocs/projet/tasks/task.php @@ -40,7 +40,7 @@ $langs->loadlangs(array('projects', 'companies')); $id = GETPOST('id', 'int'); $ref = GETPOST("ref", 'alpha', 1); // task ref $taskref = GETPOST("taskref", 'alpha'); // task ref -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $withproject = GETPOST('withproject', 'int'); $project_ref = GETPOST('project_ref', 'alpha'); diff --git a/htdocs/public/members/new.php b/htdocs/public/members/new.php index 501fccc6ed3..eea293504d2 100644 --- a/htdocs/public/members/new.php +++ b/htdocs/public/members/new.php @@ -59,7 +59,7 @@ $errmsg = ''; $num = 0; $error = 0; $backtopage = GETPOST('backtopage', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Load translation files $langs->loadLangs(array("main", "members", "companies", "install", "other")); @@ -580,7 +580,7 @@ print ''; print ''."\n"; // Address print ''."\n"; +print ''."\n"; // Zip / Town print ''; print ''; -print ''; +print ''; print ''."\n"; // Add specific fields used by Dolibarr foundation for example diff --git a/htdocs/public/opensurvey/studs.php b/htdocs/public/opensurvey/studs.php index 292f91f873f..8b2e8663dac 100644 --- a/htdocs/public/opensurvey/studs.php +++ b/htdocs/public/opensurvey/studs.php 
@@ -66,7 +66,7 @@ if (GETPOST('ajoutcomment', 'alpha')) $error = 0; - $comment = GETPOST("comment", 'none'); + $comment = GETPOST("comment", 'restricthtml'); $comment_user = GETPOST('commentuser', 'nohtml'); if (!$comment) @@ -390,7 +390,7 @@ if ($object->format == "D") for ($i = 0; isset($toutsujet[$i]); $i++) { $tmp = explode('@', $toutsujet[$i]); - print ''."\n"; + print ''."\n"; } print ''."\n"; @@ -733,7 +733,7 @@ if ($comments) if ($object->allow_comments) { print '
'.$langs->trans("AddACommentForPoll")."
\n"; - print '
'."\n"; + print '
'."\n"; print $langs->trans("Name").': '; print '   '."\n"; print '
'."\n"; diff --git a/htdocs/public/payment/newpayment.php b/htdocs/public/payment/newpayment.php index f7f632459d4..d880025259b 100644 --- a/htdocs/public/payment/newpayment.php +++ b/htdocs/public/payment/newpayment.php @@ -68,8 +68,8 @@ $action = GETPOST('action', 'aZ09'); $suffix = GETPOST("suffix", 'aZ09'); $amount = price2num(GETPOST("amount", 'alpha')); if (!GETPOST("currency", 'alpha')) $currency = $conf->currency; -else $currency = GETPOST("currency", 'alpha'); -$source = GETPOST("s", 'alpha') ?GETPOST("s", 'alpha') : GETPOST("source", 'alpha'); +else $currency = GETPOST("currency", 'aZ09'); +$source = GETPOST("s", 'aZ09') ?GETPOST("s", 'aZ09') : GETPOST("source", 'aZ09'); $download = GETPOST('d', 'int') ?GETPOST('d', 'int') : GETPOST('download', 'int'); if (!$action) @@ -964,8 +964,8 @@ if ($source == 'order') // Tag print '
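Review bot: The `$currency` fallback is checked with one filter and read with another: `if (!GETPOST("currency", 'alpha'))` accepts any non-empty value, but the `else` branch now reads it with `'aZ09'`, which presumably returns an empty string for a value containing characters outside that set, so such a request ends with an empty `$currency` instead of falling back to `$conf->currency`. Read the parameter once with the stricter filter and then apply the fallback: `$currency = GETPOST("currency", 'aZ09'); if (!$currency) $currency = $conf->currency;`. The same read-once shape would also simplify the `$source` line that follows it.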
'."\n"; // Shipping address @@ -979,20 +979,20 @@ if ($source == 'order') $phoneNum = $order->thirdparty->phone; if ($shipToName && $shipToStreet && $shipToCity && $shipToCountryCode && $shipToZip) { - print ''."\n"; - print ''."\n"; - print ''."\n"; - print ''."\n"; - print ''."\n"; - print ''."\n"; - print ''."\n"; - print ''."\n"; + print ''."\n"; + print ''."\n"; + print ''."\n"; + print ''."\n"; + print ''."\n"; + print ''."\n"; + print ''."\n"; + print ''."\n"; } else { print ''."\n"; } if (is_object($order->thirdparty)) print ''."\n"; print ''."\n"; - print ''."\n"; + print ''."\n"; $labeldesc = $langs->trans("Order").' '.$order->ref; if (GETPOST('desc', 'alpha')) $labeldesc = GETPOST('desc', 'alpha'); print ''."\n"; @@ -1065,8 +1065,9 @@ if ($source == 'invoice') print ''."\n"; // Tag diff --git a/htdocs/public/payment/paymentko.php b/htdocs/public/payment/paymentko.php index 6fdae36803a..b3833bd14b5 100644 --- a/htdocs/public/payment/paymentko.php +++ b/htdocs/public/payment/paymentko.php @@ -251,7 +251,7 @@ $key = 'ONLINE_PAYMENT_MESSAGE_KO'; if (!empty($conf->global->$key)) print $conf->global->$key; $type = GETPOST('s', 'alpha'); -$ref = GETPOST('ref', 'none'); +$ref = GETPOST('ref', 'alphanohtml'); $tag = GETPOST('tag', 'alpha'); require_once DOL_DOCUMENT_ROOT.'/core/lib/payments.lib.php'; if ($type || $tag) diff --git a/htdocs/public/ticket/create_ticket.php b/htdocs/public/ticket/create_ticket.php index bc91273816b..ed26c881fd7 100644 --- a/htdocs/public/ticket/create_ticket.php +++ b/htdocs/public/ticket/create_ticket.php @@ -47,7 +47,7 @@ $langs->loadLangs(array('companies', 'other', 'mails', 'ticket')); $id = GETPOST('id', 'int'); $msg_id = GETPOST('msg_id', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $object = new Ticket($db); $extrafields = new ExtraFields($db); 
@@ -114,11 +114,11 @@ if ($action == 'create_ticket' && GETPOST('add', 'alpha')) { } } - if (!GETPOST("subject", "none")) { + if (!GETPOST("subject", "restricthtml")) { $error++; array_push($object->errors, $langs->trans("ErrorFieldRequired", $langs->transnoentities("Subject"))); $action = ''; - } elseif (!GETPOST("message", "none")) { + } elseif (!GETPOST("message", "restricthtml")) { $error++; array_push($object->errors, $langs->trans("ErrorFieldRequired", $langs->transnoentities("message"))); $action = ''; @@ -136,8 +136,8 @@ if ($action == 'create_ticket' && GETPOST('add', 'alpha')) { $object->track_id = generate_random_id(16); - $object->subject = GETPOST("subject", "none"); - $object->message = GETPOST("message", "none"); + $object->subject = GETPOST("subject", "restricthtml"); + $object->message = GETPOST("message", "restricthtml"); $object->origin_email = $origin_email; $object->type_code = GETPOST("type_code", 'aZ09'); diff --git a/htdocs/public/ticket/index.php b/htdocs/public/ticket/index.php index d150d4c2f41..be7c44580cd 100644 --- a/htdocs/public/ticket/index.php +++ b/htdocs/public/ticket/index.php @@ -46,7 +46,7 @@ $langs->loadLangs(array('companies', 'other', 'ticket', 'errors')); // Get parameters $track_id = GETPOST('track_id', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); /* diff --git a/htdocs/reception/card.php b/htdocs/reception/card.php index 98d35d1e14e..0758e1456ce 100644 --- a/htdocs/reception/card.php +++ b/htdocs/reception/card.php @@ -189,7 +189,7 @@ if (empty($reshook)) $object->oldcopy = dol_clone($object); // Fill array 'array_options' with data from update form - $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'none')); + $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'restricthtml')); if ($ret < 0) $error++; if (!$error) 
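Review bot: `restricthtml` on the `subject` lines, in both the validation hunk (`@@ -114`) and the assignment hunk (`@@ -136`), still lets this public, unauthenticated form store the allowed HTML tags in the ticket subject, which is a single-line field; unless subjects are meant to carry markup, `$object->subject = GETPOST("subject", "alphanohtml");` together with the matching `if (!GETPOST("subject", "alphanohtml"))` check is the tighter filter, leaving `restricthtml` for the message body. The enclosing `if ($action == 'create_ticket' ...)` block starts outside the hunk.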
@@ -246,9 +246,8 @@ if (empty($reshook)) $object->fk_delivery_address = $objectsrc->fk_delivery_address; $object->shipping_method_id = GETPOST('shipping_method_id', 'int'); $object->tracking_number = GETPOST('tracking_number', 'alpha'); - $object->ref_int = GETPOST('ref_int', 'alpha'); - $object->note_private = GETPOST('note_private', 'none'); - $object->note_public = GETPOST('note_public', 'none'); + $object->note_private = GETPOST('note_private', 'restricthtml'); + $object->note_public = GETPOST('note_public', 'restricthtml'); $object->fk_incoterms = GETPOST('incoterm_id', 'int'); $object->location_incoterms = GETPOST('location_incoterms', 'alpha'); diff --git a/htdocs/reception/class/reception.class.php b/htdocs/reception/class/reception.class.php index 7b2f4927a22..8ea45ccd1c8 100644 --- a/htdocs/reception/class/reception.class.php +++ b/htdocs/reception/class/reception.class.php @@ -34,6 +34,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/commonobject.class.php'; require_once DOL_DOCUMENT_ROOT."/core/class/commonobjectline.class.php"; +require_once DOL_DOCUMENT_ROOT.'/core/class/commonincoterm.class.php'; if (!empty($conf->propal->enabled)) require_once DOL_DOCUMENT_ROOT.'/comm/propal/class/propal.class.php'; if (!empty($conf->commande->enabled)) require_once DOL_DOCUMENT_ROOT.'/commande/class/commande.class.php'; @@ -43,6 +44,8 @@ if (!empty($conf->commande->enabled)) require_once DOL_DOCUMENT_ROOT.'/commande/ */ class Reception extends CommonObject { + use CommonIncoterm; + public $element = "reception"; public $fk_element = "fk_reception"; public $table_element = "reception"; 
@@ -1009,21 +1012,20 @@ class Reception extends CommonObject public function fetch_lines() { // phpcs:enable - global $db; dol_include_once('/fourn/class/fournisseur.commande.dispatch.class.php'); $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.'commande_fournisseur_dispatch WHERE fk_reception='.$this->id; - $resql = $db->query($sql); + $resql = $this->db->query($sql); if (!empty($resql)) { $this->lines = array(); while ($obj = $resql->fetch_object()) { - $line = new CommandeFournisseurDispatch($db); + $line = new CommandeFournisseurDispatch($this->db); $line->fetch($obj->rowid); $line->fetch_product(); $sql_commfourndet = 'SELECT qty, ref, label, tva_tx, vat_src_code, subprice, multicurrency_subprice, remise_percent FROM llx_commande_fournisseurdet WHERE rowid='.$line->fk_commandefourndet; $resql_commfourndet = $db->query($sql_commfourndet); if (!empty($resql_commfourndet)) { - $obj = $db->fetch_object($resql_commfourndet); + $obj = $this->db->fetch_object($resql_commfourndet); $line->qty_asked = $obj->qty; $line->description = $line->comment; $line->desc = $line->comment; diff --git a/htdocs/reception/contact.php b/htdocs/reception/contact.php index 4e8605ac74a..0492c0db1b8 100644 --- a/htdocs/reception/contact.php +++ b/htdocs/reception/contact.php @@ -41,7 +41,7 @@ $langs->load("companies"); $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Security check if ($user->socid) $socid = $user->socid; diff --git a/htdocs/reception/list.php b/htdocs/reception/list.php index 53b15dacb70..891a5630c7f 100644 --- a/htdocs/reception/list.php +++ b/htdocs/reception/list.php 
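Review bot: Removing `global $db;` leaves one call on the old variable: `$resql_commfourndet = $db->query($sql_commfourndet);` now dereferences an undefined local, so fetch_lines() fails as soon as the first dispatch row is processed; it should read `$resql_commfourndet = $this->db->query($sql_commfourndet);` like the other calls converted in this hunk. While here, the ids concatenated into both queries (`'.$this->id` and `'.$line->fk_commandefourndet`) are unquoted and uncast; `(int)` casts would match how the rest of this commit hardens numeric SQL fragments, and the second query hard-codes the `llx_` prefix instead of MAIN_DB_PREFIX. The method body continues outside the hunk.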
@@ -61,8 +61,8 @@ $sall = GETPOST('sall', 'alphanohtml'); $optioncss = GETPOST('optioncss', 'alpha'); $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (!$sortfield) $sortfield = "e.ref"; if (!$sortorder) $sortorder = "DESC"; diff --git a/htdocs/reception/note.php b/htdocs/reception/note.php index 9e9b6c20f92..ade403ab39b 100644 --- a/htdocs/reception/note.php +++ b/htdocs/reception/note.php @@ -44,7 +44,7 @@ $langs->load('propal'); $id = (GETPOST('id', 'int') ?GETPOST('id', 'int') : GETPOST('facid', 'int')); // For backward compatibility $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Security check $socid = ''; diff --git a/htdocs/reception/stats/month.php b/htdocs/reception/stats/month.php index d2cf628e605..dab1a806406 100644 --- a/htdocs/reception/stats/month.php +++ b/htdocs/reception/stats/month.php @@ -27,6 +27,8 @@ require_once DOL_DOCUMENT_ROOT.'/reception/class/reception.class.php'; require_once DOL_DOCUMENT_ROOT.'/reception/class/receptionstats.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/dolgraph.class.php'; +$year = GETPOST("year", 'int'); + /* * View @@ -39,10 +41,10 @@ $HEIGHT = DolGraph::getDefaultGraphSizeForStats('height'); $mesg = ''; -print load_fiche_titre($langs->trans("StatisticsOfReceptions").' '.$_GET["year"], $mesg); +print load_fiche_titre($langs->trans("StatisticsOfReceptions").' '.GETPOST("year", 'int'), $mesg); $stats = new ReceptionStats($db); -$data = $stats->getNbReceptionByMonth($_GET["year"]); +$data = $stats->getNbReceptionByMonth(GETPOST("year", 'int')); dol_mkdir($conf->reception->dir_temp); 
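Review bot: The new `$year = GETPOST("year", 'int');` is not used by the two lines rewritten in the `@@ -39` hunk, which call `GETPOST("year", 'int')` again inline; use the variable so the value is read and validated in one place: `print load_fiche_titre($langs->trans("StatisticsOfReceptions").' '.$year, $mesg);` and `$data = $stats->getNbReceptionByMonth($year);`. Whether `$year` is consumed further down the file is outside the hunk, so I cannot tell if the assignment is otherwise dead.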
diff --git a/htdocs/recruitment/admin/candidature_extrafields.php b/htdocs/recruitment/admin/candidature_extrafields.php index 953f2186e1c..b81668d6337 100644 --- a/htdocs/recruitment/admin/candidature_extrafields.php +++ b/htdocs/recruitment/admin/candidature_extrafields.php @@ -36,7 +36,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'recruitment_recruitmentcandidature'; diff --git a/htdocs/recruitment/admin/jobposition_extrafields.php b/htdocs/recruitment/admin/jobposition_extrafields.php index 0dcf840cd00..62d6b8418c2 100644 --- a/htdocs/recruitment/admin/jobposition_extrafields.php +++ b/htdocs/recruitment/admin/jobposition_extrafields.php @@ -36,7 +36,7 @@ $tmptype2label = ExtraFields::$type2label; $type2label = array(''); foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $attrname = GETPOST('attrname', 'alpha'); $elementtype = 'recruitment_recruitmentjobposition'; diff --git a/htdocs/recruitment/admin/public_interface.php b/htdocs/recruitment/admin/public_interface.php index f8985507081..8f80a7ef48d 100644 --- a/htdocs/recruitment/admin/public_interface.php +++ b/htdocs/recruitment/admin/public_interface.php @@ -31,7 +31,7 @@ require_once DOL_DOCUMENT_ROOT.'/recruitment/lib/recruitment.lib.php'; // Load translation files required by the page $langs->loadLangs(array("admin", "recruitment")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); if (!$user->admin) accessforbidden(); diff --git a/htdocs/recruitment/admin/setup.php b/htdocs/recruitment/admin/setup.php index 562531262f9..72d455d7a14 100644 --- a/htdocs/recruitment/admin/setup.php 
+++ b/htdocs/recruitment/admin/setup.php @@ -50,7 +50,7 @@ $langs->loadLangs(array("admin", "recruitment")); if (!$user->admin) accessforbidden(); // Parameters -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); $value = GETPOST('value', 'alpha'); @@ -372,7 +372,7 @@ foreach ($myTmpObjects as $myTmpObjectKey => $myTmpObjectArray) { $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; - $sql .= " WHERE type = '".$type."'"; + $sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/recruitment/admin/setup_candidatures.php b/htdocs/recruitment/admin/setup_candidatures.php index c49ee158db3..e3738f57564 100644 --- a/htdocs/recruitment/admin/setup_candidatures.php +++ b/htdocs/recruitment/admin/setup_candidatures.php @@ -50,7 +50,7 @@ $langs->loadLangs(array("admin", "recruitment")); if (!$user->admin) accessforbidden(); // Parameters -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); $value = GETPOST('value', 'alpha'); @@ -372,7 +372,7 @@ foreach ($myTmpObjects as $myTmpObjectKey => $myTmpObjectArray) { $def = array(); $sql = "SELECT nom"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model"; - $sql .= " WHERE type = '".$type."'"; + $sql .= " WHERE type = '".$db->escape($type)."'"; $sql .= " AND entity = ".$conf->entity; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/recruitment/class/recruitmentcandidature.class.php b/htdocs/recruitment/class/recruitmentcandidature.class.php index 036d6bb1610..df96744526b 100644 --- a/htdocs/recruitment/class/recruitmentcandidature.class.php +++ b/htdocs/recruitment/class/recruitmentcandidature.class.php 
@@ -116,6 +116,7 @@ class RecruitmentCandidature extends CommonObject
 'firstname' => array('type'=>'varchar(128)', 'label'=>'Firstname', 'enabled'=>'1', 'position'=>21, 'notnull'=>0, 'visible'=>1,),
 'email' => array('type'=>'varchar(255)', 'label'=>'EMail', 'enabled'=>'1', 'position'=>30, 'notnull'=>1, 'visible'=>1,),
 'phone' => array('type'=>'varchar(64)', 'label'=>'Phone', 'enabled'=>'1', 'position'=>31, 'notnull'=>0, 'visible'=>1,),
+ 'date_birth' => array('type'=>'date', 'label'=>'DateOfBirth', 'enabled'=>'1', 'position'=>70, 'visible'=>-1,),
 'email_msgid' => array('type'=>'varchar(255)', 'label'=>'EmailMsgID', 'visible'=>-2, 'enabled'=>1, 'position'=>540, 'notnull'=>-1, 'help'=>'EmailMsgIDDesc'),
 //'fk_recruitment_origin' => array('type'=>'integer:CRecruitmentOrigin:recruitment/class/crecruitmentorigin.class.php', 'label'=>'Origin', 'enabled'=>'1', 'position'=>45, 'visible'=>1, 'index'=>1),
 'remuneration_requested' => array('type'=>'integer', 'label'=>'RequestedRemuneration', 'enabled'=>'1', 'position'=>80, 'notnull'=>0, 'visible'=>-1,),
@@ -140,9 +141,10 @@ class RecruitmentCandidature extends CommonObject
 public $firstname;
 public $email;
 public $phone;
+ public $date_birth;
+ public $email_msgid;
 public $remuneration_requested;
 public $remuneration_proposed;
- public $email_msgid;
 public $fk_recruitment_origin;
 public $import_key;
 public $model_pdf;
@@ -401,7 +403,7 @@ class RecruitmentCandidature extends CommonObject
 } elseif ($key == 'customsql') {
 $sqlwhere[] = $value;
 } elseif (strpos($value, '%') === false) {
- $sqlwhere[] = $key.' IN ('.$this->db->escape($value).')';
+ $sqlwhere[] = $key.' IN ('.$this->db->sanitize($this->db->escape($value)).')';
 } else {
 $sqlwhere[] = $key.' LIKE \'%'.$this->db->escape($value).'%\'';
 }
diff --git a/htdocs/recruitment/class/recruitmentjobposition.class.php b/htdocs/recruitment/class/recruitmentjobposition.class.php
index 0f28b34be6a..355cae49c89 100644
--- a/htdocs/recruitment/class/recruitmentjobposition.class.php
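Review bot: The new `'date_birth'` field definition omits the `'notnull'` key that every neighbouring entry carries, so the generated schema and form validation for this column will take whatever default the field loader applies rather than an explicit choice; add `'notnull'=>0,` (the value used by the other optional fields here) to keep the definitions uniform. The reordering of `public $email_msgid` in the second hunk is harmless but unrelated to the new field and would be easier to review as its own change. The `$fields` array and the property list both start and end outside these hunks.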
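Review bot: The rewritten `IN (...)` line still concatenates `$key` straight into the WHERE clause, so the column name is only as safe as every caller that builds this filter array; a check of `$key` against the field definition array at the top of the class (or a `preg_match('/^[a-z0-9_.]+$/i', $key)` guard) before the concatenation would close that off independently of the value handling. Applying `sanitize()` on top of `escape()` also deserves a comment, because if `sanitize()` strips quote characters a quoted string list such as `'a','b'` is mangled after escaping; either state that only numeric lists are expected here or validate per element. The `customsql` branch two lines above still injects `$value` verbatim, which this commit leaves untouched. The identical line appears in recruitmentjobposition.class.php in the hunk at @@ -396 on the next page line. The enclosing method starts and ends outside the hunk.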
+++ b/htdocs/recruitment/class/recruitmentjobposition.class.php
@@ -396,7 +396,7 @@ class RecruitmentJobPosition extends CommonObject
 } elseif ($key == 'customsql') {
 $sqlwhere[] = $value;
 } elseif (strpos($value, '%') === false) {
- $sqlwhere[] = $key.' IN ('.$this->db->escape($value).')';
+ $sqlwhere[] = $key.' IN ('.$this->db->sanitize($this->db->escape($value)).')';
 } else {
 $sqlwhere[] = $key.' LIKE \'%'.$this->db->escape($value).'%\'';
 }
diff --git a/htdocs/recruitment/core/modules/recruitment/doc/pdf_standard_recruitmentjobposition.modules.php b/htdocs/recruitment/core/modules/recruitment/doc/pdf_standard_recruitmentjobposition.modules.php
index 42b536c4bd6..ee0f63f6c4f 100644
--- a/htdocs/recruitment/core/modules/recruitment/doc/pdf_standard_recruitmentjobposition.modules.php
+++ b/htdocs/recruitment/core/modules/recruitment/doc/pdf_standard_recruitmentjobposition.modules.php
@@ -1051,7 +1051,7 @@ class pdf_standard_recruitmentjobposition extends ModelePDFRecruitmentJobPositio
 /**
 * Show footer of page. Need this->emetteur object
 *
- * @param PDF $pdf PDF
+ * @param TCPDF $pdf PDF
 * @param Object $object Object to show
 * @param Translate $outputlangs Object lang for output
 * @param int $hidefreetext 1=Hide free text
diff --git a/htdocs/recruitment/recruitmentcandidature_agenda.php b/htdocs/recruitment/recruitmentcandidature_agenda.php
index 876a1220735..f8aff07c352 100644
--- a/htdocs/recruitment/recruitmentcandidature_agenda.php
+++ b/htdocs/recruitment/recruitmentcandidature_agenda.php
@@ -50,7 +50,7 @@ $langs->loadLangs(array("recruitment", "other"));
 // Get parameters
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $cancel = GETPOST('cancel', 'aZ09');
 $backtopage = GETPOST('backtopage', 'alpha');
diff --git a/htdocs/recruitment/recruitmentcandidature_list.php b/htdocs/recruitment/recruitmentcandidature_list.php
index 2bc5ce3e015..1db036f6878 100644
--- a/htdocs/recruitment/recruitmentcandidature_list.php
+++ b/htdocs/recruitment/recruitmentcandidature_list.php
@@ -83,8 +83,8 @@ $id = GETPOST('id', 'int');
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
-$sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page < 0 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters
 $offset = $limit * $page;
diff --git a/htdocs/recruitment/recruitmentcandidature_note.php b/htdocs/recruitment/recruitmentcandidature_note.php
index f6b710821ce..81d227c5da6 100644
--- a/htdocs/recruitment/recruitmentcandidature_note.php
+++ b/htdocs/recruitment/recruitmentcandidature_note.php
@@ -46,7 +46,7 @@ $langs->loadLangs(array("recruitment", "companies"));
 // Get parameters
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $cancel = GETPOST('cancel', 'aZ09');
 $backtopage = GETPOST('backtopage', 'alpha');
diff --git a/htdocs/recruitment/recruitmentindex.php b/htdocs/recruitment/recruitmentindex.php
index 4087ae25bd7..93e4c53eb7c 100644
--- a/htdocs/recruitment/recruitmentindex.php
+++ b/htdocs/recruitment/recruitmentindex.php
@@ -32,7 +32,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php';
 // Load translation files required by the page
 $langs->loadLangs(array("recruitment", "boxes"));
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 // Security check
@@ -317,8 +317,8 @@ END MODULEBUILDER DRAFT MYOBJECT */
 print '
';
-$NBMAX = 3;
-$max = 3;
+$NBMAX = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT;
+$max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT;
 // Last modified job position
 if (!empty($conf->recruitment->enabled) && $user->rights->recruitment->recruitmentjobposition->read)
diff --git a/htdocs/recruitment/recruitmentjobposition_agenda.php b/htdocs/recruitment/recruitmentjobposition_agenda.php
index a96455a33ff..2984deb0443 100644
--- a/htdocs/recruitment/recruitmentjobposition_agenda.php
+++ b/htdocs/recruitment/recruitmentjobposition_agenda.php
@@ -50,7 +50,7 @@ $langs->loadLangs(array("recruitment", "other"));
 // Get parameters
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $cancel = GETPOST('cancel', 'aZ09');
 $backtopage = GETPOST('backtopage', 'alpha');
diff --git a/htdocs/recruitment/recruitmentjobposition_card.php b/htdocs/recruitment/recruitmentjobposition_card.php
index 638bc9e4cef..ee09413905d 100644
--- a/htdocs/recruitment/recruitmentjobposition_card.php
+++ b/htdocs/recruitment/recruitmentjobposition_card.php
@@ -175,7 +175,7 @@ if (empty($reshook))
 {
 $db->begin();
- $result = $object->cloture($user, GETPOST('status', 'int'), GETPOST('note_private', 'none'));
+ $result = $object->cloture($user, GETPOST('status', 'int'), GETPOST('note_private', 'restricthtml'));
 if ($result < 0)
 {
 setEventMessages($object->error, $object->errors, 'errors');
diff --git a/htdocs/recruitment/recruitmentjobposition_list.php b/htdocs/recruitment/recruitmentjobposition_list.php
index 38657db557b..24c98a3fbb9 100644
--- a/htdocs/recruitment/recruitmentjobposition_list.php
+++ b/htdocs/recruitment/recruitmentjobposition_list.php
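Review bot: `$conf->global->MAIN_SIZE_SHORTLIST_LIMIT` replaces the literal 3 without a fallback, so on an instance where that constant is not defined `$NBMAX` and `$max` become null and the short lists below are either empty or unbounded depending on how the consuming queries treat a null limit. Keep the previous default and force an integer: `$NBMAX = empty($conf->global->MAIN_SIZE_SHORTLIST_LIMIT) ? 3 : (int) $conf->global->MAIN_SIZE_SHORTLIST_LIMIT;` with the same expression for `$max`. The code that consumes these two values lies outside the hunk.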
@@ -83,8 +83,8 @@ $id = GETPOST('id', 'int');
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
-$sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page < 0 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha')) { $page = 0; } // If $page is not defined, or '' or -1 or if we click on clear filters
 $offset = $limit * $page;
diff --git a/htdocs/recruitment/recruitmentjobposition_note.php b/htdocs/recruitment/recruitmentjobposition_note.php
index b8f873309d7..12de0611cdf 100644
--- a/htdocs/recruitment/recruitmentjobposition_note.php
+++ b/htdocs/recruitment/recruitmentjobposition_note.php
@@ -46,7 +46,7 @@ $langs->loadLangs(array("recruitment", "companies"));
 // Get parameters
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $cancel = GETPOST('cancel', 'aZ09');
 $backtopage = GETPOST('backtopage', 'alpha');
diff --git a/htdocs/resource/agenda.php b/htdocs/resource/agenda.php
index 72d055da41d..aaf9b451414 100644
--- a/htdocs/resource/agenda.php
+++ b/htdocs/resource/agenda.php
@@ -40,7 +40,7 @@ $langs->load("companies");
 // Get parameters
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $cancel = GETPOST('cancel', 'aZ09');
 $backtopage = GETPOST('backtopage', 'alpha');
diff --git a/htdocs/resource/card.php b/htdocs/resource/card.php
index 8d965c69c2c..b1fec3058c0 100644
--- a/htdocs/resource/card.php
+++ b/htdocs/resource/card.php
@@ -35,12 +35,12 @@ $langs->loadLangs(array('resource', 'companies', 'other', 'main'));
 // Get parameters
 $id = GETPOST('id', 'int');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $cancel = GETPOST('cancel', 'alpha');
 $ref = GETPOST('ref', 'alpha');
-$description = GETPOST('description');
-$confirm = GETPOST('confirm');
-$fk_code_type_resource = GETPOST('fk_code_type_resource', 'alpha');
+$description = GETPOST('description', 'restricthtml');
+$confirm = GETPOST('confirm', 'aZ09');
+$fk_code_type_resource = GETPOST('fk_code_type_resource', 'alpha');
 $country_id = GETPOST('country_id', 'int');
 // Protection if external user
diff --git a/htdocs/resource/class/dolresource.class.php b/htdocs/resource/class/dolresource.class.php
index 0fc5d256541..43756f84405 100644
--- a/htdocs/resource/class/dolresource.class.php
+++ b/htdocs/resource/class/dolresource.class.php
@@ -922,7 +922,7 @@ class Dolresource extends CommonObject
 global $conf, $langs;
 $result = '';
- $label = img_picto('', $this->picto).' '.$langs->trans("ShowResource").'';
+ $label = img_picto('', $this->picto).' '.$langs->trans("Resource").'';
 $label .= '
';
 $label .= ''.$langs->trans('Ref').': '.$this->ref;
 /*if (isset($this->status)) {
diff --git a/htdocs/resource/contact.php b/htdocs/resource/contact.php
index ee20d918648..de4d0ad3e3f 100644
--- a/htdocs/resource/contact.php
+++ b/htdocs/resource/contact.php
@@ -36,7 +36,7 @@ $langs->loadLangs(array('resource', 'sendings', 'companies'));
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 // Security check
 if ($user->socid) $socid = $user->socid;
diff --git a/htdocs/resource/document.php b/htdocs/resource/document.php
index 077430cf4bb..0e1e6ba5cc1 100644
--- a/htdocs/resource/document.php
+++ b/htdocs/resource/document.php
@@ -40,7 +40,7 @@ $langs->loadLangs(array('other', 'resource', 'companies'));
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
 // Security check
@@ -50,8 +50,8 @@ $result = restrictedArea($user, 'resource', $id, 'resource');
 // Get parameters
 $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
-$sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
 $offset = $limit * $page;
diff --git a/htdocs/resource/list.php b/htdocs/resource/list.php
index 4dca64b47a6..e2d10ffceef 100644
--- a/htdocs/resource/list.php
+++ b/htdocs/resource/list.php
@@ -39,7 +39,7 @@ $element_id = GETPOST('element_id', 'int');
 $resource_id = GETPOST('resource_id', 'int');
 $sortorder = GETPOST('sortorder', 'alpha');
-$sortfield = GETPOST('sortfield', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
 // Initialize context for list
 $contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'resourcelist';
diff --git a/htdocs/resource/note.php b/htdocs/resource/note.php
index 1162909114e..26038c74d96 100644
--- a/htdocs/resource/note.php
+++ b/htdocs/resource/note.php
@@ -34,7 +34,7 @@ $langs->loadLangs(array('companies', 'interventions'));
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 // Security check
 if ($user->socid) $socid = $user->socid;
diff --git a/htdocs/salaries/admin/salaries.php b/htdocs/salaries/admin/salaries.php
index a824a7d8eee..01c2b5c8be6 100644
--- a/htdocs/salaries/admin/salaries.php
+++ b/htdocs/salaries/admin/salaries.php
@@ -36,7 +36,7 @@ $langs->loadLangs(array('admin', 'salaries'));
 if (!$user->admin) accessforbidden();
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 // Other parameters SALARIES_*
 $list = array(
diff --git a/htdocs/salaries/admin/salaries_extrafields.php b/htdocs/salaries/admin/salaries_extrafields.php
index 48f574557ec..bac3824db53 100644
--- a/htdocs/salaries/admin/salaries_extrafields.php
+++ b/htdocs/salaries/admin/salaries_extrafields.php
@@ -38,7 +38,7 @@ $tmptype2label = ExtraFields::$type2label;
 $type2label = array('');
 foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val);
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $attrname = GETPOST('attrname', 'alpha');
 $elementtype = 'payment_salary'; //Must be the $table_element of the class that manage extrafield
diff --git a/htdocs/salaries/card.php b/htdocs/salaries/card.php
index 94add08291c..6a696aa4132 100644
--- a/htdocs/salaries/card.php
+++ b/htdocs/salaries/card.php
@@ -100,7 +100,7 @@ if ($action == 'add' && empty($cancel))
 $object->label = GETPOST("label", 'alphanohtml');
 $object->datesp = $datesp;
 $object->dateep = $dateep;
- $object->note = GETPOST("note", 'none');
+ $object->note = GETPOST("note", 'restricthtml');
 $object->type_payment = ($type_payment > 0 ? $type_payment : 0);
 $object->num_payment = GETPOST("num_payment", 'alphanohtml');
 $object->fk_user_author = $user->id;
diff --git a/htdocs/salaries/class/salariesstats.class.php b/htdocs/salaries/class/salariesstats.class.php
index 3601e14bcdc..f20bde818a1 100644
--- a/htdocs/salaries/class/salariesstats.class.php
+++ b/htdocs/salaries/class/salariesstats.class.php
@@ -119,7 +119,7 @@ class SalariesStats extends Stats
 {
 $sql = "SELECT date_format(datep,'%m') as dm, sum(".$this->field.")";
 $sql .= " FROM ".$this->from;
- $sql .= " WHERE date_format(datep,'%Y') = '".$year."'";
+ $sql .= " WHERE date_format(datep,'%Y') = '".$this->db->escape($year)."'";
 $sql .= " AND ".$this->where;
 $sql .= " GROUP BY dm";
 $sql .= $this->db->order('dm', 'DESC');
@@ -140,7 +140,7 @@ class SalariesStats extends Stats
 {
 $sql = "SELECT date_format(datep,'%m') as dm, avg(".$this->field.")";
 $sql .= " FROM ".$this->from;
- $sql .= " WHERE date_format(datep,'%Y') = '".$year."'";
+ $sql .= " WHERE date_format(datep,'%Y') = '".$this->db->escape($year)."'";
 $sql .= " AND ".$this->where;
 $sql .= " GROUP BY dm";
 $sql .= $this->db->order('dm', 'DESC');
diff --git a/htdocs/salaries/document.php b/htdocs/salaries/document.php
index 69680df6a2a..403a5b3af3b 100644
--- a/htdocs/salaries/document.php
+++ b/htdocs/salaries/document.php
@@ -40,7 +40,7 @@ $langs->loadLangs(array("compta", "bills", "users", "salaries", "hrm"));
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $confirm = GETPOST('confirm', 'alpha');
 // Security check
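Review bot: In both SalariesStats hunks the year is compared as a quoted string after `escape()`, which is correct for quote handling, but `$year` is a numeric value by contract of these methods and a cast documents that more plainly: `$sql .= " WHERE date_format(datep,'%Y') = '".((int) $year)."'";`. Either form is acceptable; if you keep `escape()`, a one-line comment such as `// $year may arrive as a string from the caller; escape defensively` would tell the next reader why a number is being escaped. Both methods start and end outside their hunks.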
@@ -51,8 +51,8 @@ $result = restrictedArea($user, 'salaries', '', '', '');
 // Get parameters
 $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
-$sortfield = GETPOST('sortfield', 'alpha');
-$sortorder = GETPOST('sortorder', 'alpha');
+$sortfield = GETPOST('sortfield', 'aZ09comma');
+$sortorder = GETPOST('sortorder', 'aZ09comma');
 $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int');
 if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
 $offset = $limit * $page;
diff --git a/htdocs/salaries/list.php b/htdocs/salaries/list.php
index 6c4ee37a979..9341599ba70 100644
--- a/htdocs/salaries/list.php
+++ b/htdocs/salaries/list.php
@@ -56,7 +56,7 @@ if (!$sortfield) $sortfield = "s.datep,s.rowid";
 if (!$sortorder) $sortorder = "DESC,DESC";
 $optioncss = GETPOST('optioncss', 'alpha');
-$filtre = GETPOST("filtre", 'none');
+$filtre = GETPOST("filtre", 'restricthtml');
 if (!GETPOST('typeid', 'int'))
 {
@@ -153,11 +153,9 @@ if ($result)
 if ($typeid) $param .= '&typeid='.$typeid;
 if ($optioncss != '') $param .= '&optioncss='.$optioncss;
- $newcardbutton = '';
- if (!empty($user->rights->salaries->write))
- {
- $newcardbutton .= dolGetButtonTitle($langs->trans('NewSalaryPayment'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/salaries/card.php?action=create');
- }
+ $url = DOL_URL_ROOT.'/salaries/card.php?action=create';
+ if (!empty($socid)) $url .= '&socid='.$socid;
+ $newcardbutton = dolGetButtonTitle($langs->trans('NewSalaryPayment'), '', 'fa fa-plus-circle', $url, '', $user->rights->salaries->write);
 print '';
 if ($optioncss != '') print '';
@@ -186,12 +184,10 @@ if ($result)
 // Date
 print '
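Review bot: `$url .= '&socid='.$socid;` appends `$socid` to a link without a cast or encoding; presumably `$socid` is set from an 'int'-filtered GETPOST or from `$user->socid` above the hunk, but `'&socid='.((int) $socid)` makes the URL safe regardless of where it was assigned. The last argument of `dolGetButtonTitle()` now carries `$user->rights->salaries->write`, so a user without the right sees a disabled button instead of no button as with the removed `if` block; a short comment stating that this change in rendering is intended would stop it being reported as a regression. The `$filtre` value read with 'restricthtml' in the earlier hunk is used outside this view, so whether that filter is strict enough for its consumer cannot be judged here.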
'; // Type
diff --git a/htdocs/societe/admin/contact_extrafields.php b/htdocs/societe/admin/contact_extrafields.php
index 2e657805b96..d8a2ec15c52 100644
--- a/htdocs/societe/admin/contact_extrafields.php
+++ b/htdocs/societe/admin/contact_extrafields.php
@@ -38,7 +38,7 @@ $tmptype2label = ExtraFields::$type2label;
 $type2label = array('');
 foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val);
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $attrname = GETPOST('attrname', 'alpha');
 $elementtype = 'socpeople'; //Must be the $element of the class that manage extrafield
diff --git a/htdocs/societe/admin/societe.php b/htdocs/societe/admin/societe.php
index 21ee679292a..a66f17ca915 100644
--- a/htdocs/societe/admin/societe.php
+++ b/htdocs/societe/admin/societe.php
@@ -32,7 +32,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php';
 $langs->loadLangs(array("admin", "companies", "other"));
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $value = GETPOST('value', 'alpha');
 if (!$user->admin) accessforbidden();
@@ -119,7 +119,7 @@ if ($action == 'set')
 $type = 'company';
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)";
- $sql .= " VALUES ('".$db->escape($value)."','".$type."',".$conf->entity.", ";
+ $sql .= " VALUES ('".$db->escape($value)."','".$db->escape($type)."',".$conf->entity.", ";
 $sql .= ($label ? "'".$db->escape($label)."'" : 'null').", ";
 $sql .= (!empty($scandir) ? "'".$db->escape($scandir)."'" : "null");
 $sql .= ")";
@@ -133,7 +133,7 @@ if ($action == 'del')
 {
 $type = 'company';
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."document_model";
- $sql .= " WHERE nom='".$db->escape($value)."' AND type='".$type."' AND entity=".$conf->entity;
+ $sql .= " WHERE nom='".$db->escape($value)."' AND type='".$db->escape($type)."' AND entity=".$conf->entity;
 $resql = $db->query($sql);
 if (!$resql) dol_print_error($db);
 }
@@ -152,13 +152,13 @@ if ($action == 'setdoc')
 $type = 'company';
 $sql_del = "DELETE FROM ".MAIN_DB_PREFIX."document_model";
 $sql_del .= " WHERE nom = '".$db->escape(GETPOST('value', 'alpha'))."'";
- $sql_del .= " AND type = '".$type."'";
+ $sql_del .= " AND type = '".$db->escape($type)."'";
 $sql_del .= " AND entity = ".$conf->entity;
 dol_syslog("societe.php ".$sql);
 $result1 = $db->query($sql_del);
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)";
- $sql .= " VALUES ('".$db->escape($value)."', '".$type."', ".$conf->entity.", ";
+ $sql .= " VALUES ('".$db->escape($value)."', '".$db->escape($type)."', ".$conf->entity.", ";
 $sql .= ($label ? "'".$db->escape($label)."'" : 'null').", ";
 $sql .= (!empty($scandir) ? "'".$db->escape($scandir)."'" : "null");
 $sql .= ")";
diff --git a/htdocs/societe/admin/societe_extrafields.php b/htdocs/societe/admin/societe_extrafields.php
index f0812485211..02c7dc51231 100644
--- a/htdocs/societe/admin/societe_extrafields.php
+++ b/htdocs/societe/admin/societe_extrafields.php
@@ -38,7 +38,7 @@ $tmptype2label = ExtraFields::$type2label;
 $type2label = array('');
 foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val);
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $attrname = GETPOST('attrname', 'alpha');
 $elementtype = 'societe'; //Must be the $element of the class that manage extrafield
diff --git a/htdocs/societe/ajax/company.php b/htdocs/societe/ajax/company.php
index dc2d60df5e6..a56fa0d9f81 100644
--- a/htdocs/societe/ajax/company.php
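Review bot: The `setdoc` hunk logs `dol_syslog("societe.php ".$sql);` before `$sql` has been assigned in this block (it is built only after `$sql_del` is executed), so the log line records either an empty string or a value left over from earlier in the script; it should read `dol_syslog("societe.php ".$sql_del);`. This is a context line the commit does not touch but sits between the two changed lines. The `$db->escape($type)` calls in all three hunks wrap a constant `'company'` string, which is harmless and keeps the pattern uniform for static analysis, though a comment saying so would avoid a reader assuming `$type` is user input.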
+++ b/htdocs/societe/ajax/company.php
@@ -34,7 +34,7 @@ require '../../main.inc.php';
 $htmlname = GETPOST('htmlname', 'alpha');
 $filter = GETPOST('filter', 'alpha');
 $outjson = (GETPOST('outjson', 'int') ? GETPOST('outjson', 'int') : 0);
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $id = GETPOST('id', 'int');
 $showtype = GETPOST('showtype', 'int');
diff --git a/htdocs/societe/card.php b/htdocs/societe/card.php
index 4218dcd7872..42de4d74b39 100644
--- a/htdocs/societe/card.php
+++ b/htdocs/societe/card.php
@@ -85,7 +85,6 @@ if (!($object->id > 0) && $action == 'view')
 }
 // Get object canvas (By default, this is not defined, so standard usage of dolibarr)
-$object->getCanvas($socid);
 $canvas = $object->canvas ? $object->canvas : GETPOST("canvas");
 $objcanvas = null;
 if (!empty($canvas))
@@ -96,7 +95,7 @@ if (!empty($canvas))
 }
 // Security check
-$result = restrictedArea($user, 'societe', $socid, '&societe', '', 'fk_soc', 'rowid', $objcanvas);
+$result = restrictedArea($user, 'societe', $socid, '&societe', '', 'fk_soc', 'rowid', 0);
 $permissiontoread = $user->rights->societe->lire;
 $permissiontoadd = $user->rights->societe->creer; // Used by the include of actions_addupdatedelete.inc.php and actions_lineupdown.inc.php
@@ -343,7 +342,7 @@ if (empty($reshook))
 // Fill array 'array_options' with data from update form
 $extrafields->fetch_name_optionals_label($object->table_element);
- $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'none'));
+ $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'restricthtml'));
 if ($ret < 0) $error++;
 if (!$error)
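Review bot: With `$object->getCanvas($socid)` removed, `$canvas` now comes from the request via `GETPOST("canvas")` whenever the loaded object carries no canvas, and that call passes no check type; since `$canvas` gates the `if (!empty($canvas))` block that instantiates the canvas object, pass a restrictive filter, `$canvas = $object->canvas ? $object->canvas : GETPOST("canvas", "alphanohtml");`, so a request-controlled canvas name stays within a known character set. The second hunk replaces `$objcanvas` with `0` in `restrictedArea()`, which takes the canvas object out of the permission check entirely; a one-line comment stating why that is now safe (for example that the canvas no longer influences which record is checked) would help the next reader, as the reason is not visible here. The `if (!empty($canvas))` block continues outside the hunk.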
@@ -1182,12 +1181,12 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) print ''.$form->editfieldkey('ThirdPartyName', 'name', '', $object, 0).''; } print 'global->SOCIETE_USEPREFIX) ? ' colspan="3"' : '').'>'; - print ''; + print ''; print $form->widgetForTranslation("name", $object, $permissiontoadd, 'string', 'alpahnohtml', 'minwidth300'); print ''; if (!empty($conf->global->SOCIETE_USEPREFIX)) // Old not used prefix field { - print ''; + print ''; } print ''; @@ -1198,7 +1197,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) { // Firstname print ''; - print ''; + print ''; print ''; // Title @@ -1210,7 +1209,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) // Alias names (commercial, trademark or alias names) print ''; - print ''; + print ''; // Prospect/Customer print ''; @@ -1275,7 +1274,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) if (!empty($conf->barcode->enabled)) { print ''; - print ''; } @@ -1285,7 +1284,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) print ''; print ''; @@ -1858,7 +1857,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) print ''; } elseif ($object->codefournisseur_modifiable()) { - print ''; + print ''; } else { print $object->code_fournisseur; print ''; @@ -1874,7 +1873,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) if (!empty($conf->barcode->enabled)) { print ''; - print ''; } @@ -1886,7 +1885,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) // Address print ''; print ''; @@ -2281,7 +2280,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action)) if (!empty($conf->barcode->enabled)) { print ''; print ''; } 
@@ -2419,7 +2418,7 @@ if (is_object($objcanvas) && $objcanvas->displayCanvasExists($action))
 if ($object->tva_intra)
 {
 $s = '';
- $s .= $object->tva_intra;
+ $s .= dol_escape_htmltag($object->tva_intra);
 $s .= '';
 if (empty($conf->global->MAIN_DISABLEVATCHECK) && isInEEC($object))
diff --git a/htdocs/societe/class/api_contacts.class.php b/htdocs/societe/class/api_contacts.class.php
index 37d9239265f..d5280ee80dd 100644
--- a/htdocs/societe/class/api_contacts.class.php
+++ b/htdocs/societe/class/api_contacts.class.php
@@ -98,6 +98,48 @@ class Contacts extends DolibarrApi
 return $this->_cleanObjectDatas($this->contact);
 }
+ /**
+ * Get properties of a contact object by Email
+ *
+ * @param string $email Email of contact
+ * @param int $includecount Count and return also number of elements the contact is used as a link for
+ * @return array|mixed data without useless information
+ *
+ * @url GET email/{email}
+ *
+ * @throws RestException 401 Insufficient rights
+ * @throws RestException 404 User or group not found
+ */
+ public function getByEmail($email, $includecount = 0)
+ {
+ if (!DolibarrApiAccess::$user->rights->societe->contact->lire)
+ {
+ throw new RestException(401, 'No permission to read contacts');
+ }
+ if (empty($email)) {
+ $result = $this->contact->initAsSpecimen();
+ } else {
+ $result = $this->contact->fetch('', '', '', $email);
+ }
+
+ if (!$result)
+ {
+ throw new RestException(404, 'Contact not found');
+ }
+
+ if (!DolibarrApi::_checkAccessToResource('contact', $this->contact->id, 'socpeople&societe'))
+ {
+ throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
+ }
+
+ if ($includecount)
+ {
+ $this->contact->load_ref_elements();
+ }
+
+ return $this->_cleanObjectDatas($this->contact);
+ }
+
 /**
 * List contacts
 *
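Review bot: `if (!$result)` in the new `getByEmail()` only catches a not-found return of 0; Dolibarr `fetch()` methods conventionally return a negative value on a database error, and that case would fall through to the access check and return whatever `$this->contact` currently holds, so test `if ($result <= 0)` (keeping 404 for the zero case and raising a 500 for a negative one if the API distinguishes them). The docblock's `@throws RestException 404 User or group not found` looks copied from another endpoint and should read `Contact not found`. The `empty($email)` branch answers a GET on `email/{email}` with a specimen object; if that is intended for client discovery, a comment saying so would stop it being read as a bug, otherwise a 400 is the clearer response.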
@@ -160,7 +202,7 @@ class Contacts extends DolibarrApi
 // Select contacts of given category
 if ($category > 0) {
- $sql .= " AND c.fk_categorie = ".$db->escape($category);
+ $sql .= " AND c.fk_categorie = ".$this->db->escape($category);
 $sql .= " AND c.fk_socpeople = t.rowid ";
 }
@@ -175,7 +217,7 @@ class Contacts extends DolibarrApi
 $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")";
 }
- $sql .= $db->order($sortfield, $sortorder);
+ $sql .= $this->db->order($sortfield, $sortorder);
 if ($limit) {
@@ -185,18 +227,18 @@ class Contacts extends DolibarrApi
 }
 $offset = $limit * $page;
- $sql .= $db->plimit($limit + 1, $offset);
+ $sql .= $this->db->plimit($limit + 1, $offset);
 }
- $result = $db->query($sql);
+ $result = $this->db->query($sql);
 if ($result) {
- $num = $db->num_rows($result);
+ $num = $this->db->num_rows($result);
 $min = min($num, ($limit <= 0 ? $num : $limit));
 $i = 0;
 while ($i < $min) {
- $obj = $db->fetch_object($result);
- $contact_static = new Contact($db);
+ $obj = $this->db->fetch_object($result);
+ $contact_static = new Contact($this->db);
 if ($contact_static->fetch($obj->rowid)) {
 if ($includecount)
diff --git a/htdocs/societe/class/api_thirdparties.class.php b/htdocs/societe/class/api_thirdparties.class.php
index 48b6f989408..8551cb61f10 100644
--- a/htdocs/societe/class/api_thirdparties.class.php
+++ b/htdocs/societe/class/api_thirdparties.class.php
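Review bot: `$this->db->escape($category)` is spliced into an unquoted numeric comparison (`c.fk_categorie = ...`), and escaping only neutralises quote characters, so a string with a numeric prefix passes the `$category > 0` guard under PHP's loose comparison and reaches the query with its suffix intact; cast instead: `$sql .= " AND c.fk_categorie = ".((int) $category);`. The same construction occurs three times in the api_thirdparties.class.php hunk at @@ -160 on the next page line. Replacing the undefined `$db` with `$this->db` is the right fix for these methods; `$sortfield`/`$sortorder` passed to `order()` are request parameters whose validation happens outside the hunk, so that cannot be judged here.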
@@ -160,7 +160,9 @@ class Thirdparties extends DolibarrApi
 // Select thirdparties of given category
 if ($category > 0) {
- if (!empty($mode) && $mode != 4) { $sql .= " AND c.fk_categorie = ".$db->escape($category)." AND c.fk_soc = t.rowid"; } elseif (!empty($mode) && $mode == 4) { $sql .= " AND cc.fk_categorie = ".$db->escape($category)." AND cc.fk_soc = t.rowid"; } else { $sql .= " AND ((c.fk_categorie = ".$db->escape($category)." AND c.fk_soc = t.rowid) OR (cc.fk_categorie = ".$db->escape($category)." AND cc.fk_soc = t.rowid))"; }
+ if (!empty($mode) && $mode != 4) { $sql .= " AND c.fk_categorie = ".$this->db->escape($category)." AND c.fk_soc = t.rowid"; }
+ elseif (!empty($mode) && $mode == 4) { $sql .= " AND cc.fk_categorie = ".$this->db->escape($category)." AND cc.fk_soc = t.rowid"; }
+ else { $sql .= " AND ((c.fk_categorie = ".$this->db->escape($category)." AND c.fk_soc = t.rowid) OR (cc.fk_categorie = ".$this->db->escape($category)." AND cc.fk_soc = t.rowid))"; }
 }
 if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socids) || $search_sale > 0) $sql .= " AND t.rowid = sc.fk_soc";
@@ -183,7 +185,7 @@ class Thirdparties extends DolibarrApi
 $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")";
 }
- $sql .= $db->order($sortfield, $sortorder);
+ $sql .= $this->db->order($sortfield, $sortorder);
 if ($limit) {
 if ($page < 0)
@@ -192,26 +194,26 @@ class Thirdparties extends DolibarrApi
 }
 $offset = $limit * $page;
- $sql .= $db->plimit($limit + 1, $offset);
+ $sql .= $this->db->plimit($limit + 1, $offset);
 }
- $result = $db->query($sql);
+ $result = $this->db->query($sql);
 if ($result) {
- $num = $db->num_rows($result);
+ $num = $this->db->num_rows($result);
 $min = min($num, ($limit <= 0 ? $num : $limit));
 $i = 0;
 while ($i < $min) {
- $obj = $db->fetch_object($result);
- $soc_static = new Societe($db);
+ $obj = $this->db->fetch_object($result);
+ $soc_static = new Societe($this->db);
 if ($soc_static->fetch($obj->rowid)) {
 $obj_ret[] = $this->_cleanObjectDatas($soc_static);
 }
 $i++;
 }
 } else {
- throw new RestException(503, 'Error when retrieve thirdparties : '.$db->lasterror());
+ throw new RestException(503, 'Error when retrieve thirdparties : '.$this->db->lasterror());
 }
 if (!count($obj_ret)) {
 throw new RestException(404, 'Thirdparties not found');
@@ -313,7 +315,7 @@ class Thirdparties extends DolibarrApi
 throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
 }
- $this->companytoremove = new Societe($db);
+ $this->companytoremove = new Societe($this->db);
 $result = $this->companytoremove->fetch($idtodelete); // include the fetch of extra fields
 if (!$result) {
@@ -332,7 +334,7 @@ class Thirdparties extends DolibarrApi
 // Call same code than into action 'confirm_merge'
- $db->begin();
+ $this->db->begin();
 // Recopy some data
 $object->client = $object->client | $soc_origin->client;
@@ -369,7 +371,7 @@ class Thirdparties extends DolibarrApi
 }
 // Merge categories
- $static_cat = new Categorie($db);
+ $static_cat = new Categorie($this->db);
 $custcats = $static_cat->containing($soc_origin->id, 'customer', 'id');
 $object->setCategories($custcats, 'customer');
 $suppcats = $static_cat->containing($soc_origin->id, 'supplier', 'id');
@@ -426,10 +428,10 @@ class Thirdparties extends DolibarrApi
 {
 require_once DOL_DOCUMENT_ROOT.$object_file;
- if (!$errors && !$object_name::replaceThirdparty($db, $soc_origin->id, $object->id))
+ if (!$errors && !$object_name::replaceThirdparty($this->db, $soc_origin->id, $object->id))
 {
 $errors++;
- //setEventMessages($db->lasterror(), null, 'errors');
+ //setEventMessages($this->db->lasterror(), null, 'errors');
 }
 }
 }
@@ -477,11 +479,11 @@ class Thirdparties extends DolibarrApi
 if ($error)
 {
- $db->rollback();
+ $this->db->rollback();
 throw new RestException(500, 'Error failed to merged thirdparty '.$this->companytoremove->id.' into '.$id.'. Enable and read log file for more information.');
 } else {
- $db->commit();
+ $this->db->commit();
 }
 return $this->get($id);
@@ -1155,7 +1157,7 @@ class Thirdparties extends DolibarrApi
 if ($id) $sql .= " WHERE fk_soc = ".$id." ";
- $result = $db->query($sql);
+ $result = $this->db->query($sql);
 if ($result->num_rows == 0) {
 throw new RestException(404, 'Account not found');
@@ -1167,11 +1169,11 @@ class Thirdparties extends DolibarrApi
 if ($result) {
- $num = $db->num_rows($result);
+ $num = $this->db->num_rows($result);
 while ($i < $num) {
- $obj = $db->fetch_object($result);
- $account = new CompanyBankAccount($db);
+ $obj = $this->db->fetch_object($result);
+ $account = new CompanyBankAccount($this->db);
 if ($account->fetch($obj->rowid)) {
 $accounts[] = $account;
 }
@@ -1435,7 +1437,7 @@ class Thirdparties extends DolibarrApi
 $sql .= " WHERE fk_soc = $id";
 if ($site) $sql .= " AND site ='$site'";
- $result = $db->query($sql);
+ $result = $this->db->query($sql);
 if ($result->num_rows == 0) {
 throw new RestException(404, 'This thirdparty does not have any gateway attached or does not exist.');
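Review bot: The hunk at @@ -1435 repairs the `$db` reference but leaves the adjacent context line `if ($site) $sql .= " AND site ='$site'";` interpolating `$site` unescaped, while the two hunks on the next page line escape the same value; change it to `if ($site) $sql .= " AND site ='".$this->db->escape($site)."'";`. In the same hunk and in the one at @@ -1155, `$id` is concatenated into `fk_soc = ...` with no cast; it presumably arrives as a route parameter, and `((int) $id)` would make that assumption explicit. Both places read `$result->num_rows` without checking that `query()` returned an object, so a failed query produces a PHP warning followed by a misleading 404 instead of a 500; the rest of these methods is outside the hunks.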
@@ -1445,11 +1447,11 @@ class Thirdparties extends DolibarrApi $accounts = array(); - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); while ($i < $num) { - $obj = $db->fetch_object($result); - $account = new SocieteAccount($db); + $obj = $this->db->fetch_object($result); + $account = new SocieteAccount($this->db); if ($account->fetch($obj->rowid)) { $accounts[] = $account; @@ -1505,8 +1507,8 @@ class Thirdparties extends DolibarrApi throw new RestException(422, 'Unprocessable Entity: You must pass the site attribute in your request data !'); } - $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = ".$id." AND site = '".$request_data['site']."' "; - $result = $db->query($sql); + $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = ".$id." AND site = '".$this->db->escape($request_data['site'])."'"; + $result = $this->db->query($sql); if ($result->num_rows == 0) { $account = new SocieteAccount($this->db); @@ -1560,8 +1562,8 @@ class Thirdparties extends DolibarrApi throw new RestException(401); } - $sql = "SELECT rowid, fk_user_creat, date_creation FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = $id AND site = '$site' "; - $result = $db->query($sql); + $sql = "SELECT rowid, fk_user_creat, date_creation FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = $id AND site = '".$this->db->escape($site)."'"; + $result = $this->db->query($sql); // We do not found an existing SocieteAccount entity for this fk_soc and site ; we then create a new one. if ($result->num_rows == 0) { 
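Review bot: `$id` is still concatenated without a cast in the rewritten SQL of both `@@ -1505` (`fk_soc = ".$id."`) and `@@ -1560` (`fk_soc = $id`) even though the `site` value on the same lines is now escaped; unless Restler's parameter validation is known to guarantee an integer here, `fk_soc = ".((int) $id)` closes the gap at no cost. The `@@ -1445` loop reads the row count through `$this->db->num_rows($result)` while `@@ -1505` and `@@ -1560` read the driver property `$result->num_rows` directly; using the wrapper everywhere keeps the class independent of the driver's result type. The enclosing methods start and end outside these hunks.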
@@ -1586,15 +1588,15 @@ class Thirdparties extends DolibarrApi // We found an existing SocieteAccount entity, we are replacing it } else { if (isset($request_data['site']) && $request_data['site'] !== $site) { - $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = ".$id." AND site = '".$request_data['site']."' "; - $result = $db->query($sql); + $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = ".$id." AND site = '".$this->db->escape($request_data['site'])."' "; + $result = $this->db->query($sql); if ($result->num_rows !== 0) { throw new RestException(409, "You are trying to update this thirdparty SocieteAccount (gateway record) from $site to ".$request_data['site']." but another SocieteAccount entity already exists with this site key."); } } - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $account = new SocieteAccount($this->db); $account->id = $obj->rowid; 
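Review bot: In the `@@ -1586` hunk, when the caller changes the site key and no conflicting record exists, `$result` has already been reassigned to the zero-row conflict query, so the following `$obj = $this->db->fetch_object($result);` reads from the wrong result set and `$account->id = $obj->rowid` dereferences an empty object instead of the record found by the first query. Use a separate variable for the conflict check: `$resqlconflict = $this->db->query($sql);` and `if ($resqlconflict->num_rows !== 0) {`. The `@@ -1644` hunk has the identical pattern and needs the same change. The enclosing methods start and end outside these hunks.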
@@ -1644,21 +1646,21 @@ class Thirdparties extends DolibarrApi } $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = $id AND site = '$site' "; - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result->num_rows == 0) { throw new RestException(404, "This thirdparty does not have $site gateway attached or does not exist."); } else { // If the user tries to edit the site member, we check first if if (isset($request_data['site']) && $request_data['site'] !== $site) { - $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = ".$id." AND site = '".$request_data['site']."' "; - $result = $db->query($sql); + $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = ".$id." AND site = '".$this->db->escape($request_data['site'])."' "; + $result = $this->db->query($sql); if ($result->num_rows !== 0) throw new RestException(409, "You are trying to update this thirdparty SocieteAccount (gateway record) site member from $site to ".$request_data['site']." but another SocieteAccount entity already exists for this thirdparty with this site key."); } - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $account = new SocieteAccount($this->db); $account->fetch($obj->rowid); 
@@ -1690,20 +1692,19 @@ class Thirdparties extends DolibarrApi */ public function deleteSocieteAccount($id, $site) { - global /** @var Database $db */ - $db; + global $db; if (!DolibarrApiAccess::$user->rights->societe->creer) { throw new RestException(401); } - $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = $id AND site = '$site' "; - $result = $db->query($sql); + $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = $id AND site = '".$this->db->escape($site)."'"; + $result = $this->db->query($sql); if ($result->num_rows == 0) { throw new RestException(404); } else { - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $account = new SocieteAccount($this->db); $account->fetch($obj->rowid); @@ -1727,8 +1728,7 @@ class Thirdparties extends DolibarrApi */ public function deleteSocieteAccounts($id) { - global /** @var Database $db */ - $db; + global $db; if (!DolibarrApiAccess::$user->rights->societe->creer) { throw new RestException(401); @@ -1739,20 +1739,20 @@ class Thirdparties extends DolibarrApi */ $sql = "SELECT rowid, fk_soc, key_account, site, date_creation, tms"; - $sql .= " FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = $id "; + $sql .= " FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = ".$id; - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result->num_rows == 0) { throw new RestException(404, 'This third party does not have any gateway attached or does not exist.'); } else { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); while ($i < $num) { - $obj = $db->fetch_object($result); - $account = new SocieteAccount($db); + $obj = $this->db->fetch_object($result); + $account = new SocieteAccount($this->db); $account->fetch($obj->rowid); if ($account->delete(DolibarrApiAccess::$user) < 0) { diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php index a5a489f014b..f28c6953d82 100644 
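Review bot: `global $db;` is kept in `deleteSocieteAccount` (`@@ -1690`) and `deleteSocieteAccounts` (`@@ -1727`) although every use of `$db` visible in their bodies was rewritten to `$this->db`; unless the part of each body beyond the hunk still reads it, the declaration is dead and invites a return to the global, so drop the line in both. In `@@ -1739` `$id` is concatenated raw, `" WHERE fk_soc = ".$id`; `((int) $id)` matches the escaping the commit adds elsewhere. As in the earlier hunks, `$result->num_rows` is read before checking that `query()` succeeded. The bodies of both methods continue past the hunks.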
--- a/htdocs/societe/class/societe.class.php +++ b/htdocs/societe/class/societe.class.php @@ -38,6 +38,7 @@ * \brief File for third party class */ require_once DOL_DOCUMENT_ROOT.'/core/class/commonobject.class.php'; +require_once DOL_DOCUMENT_ROOT.'/core/class/commonincoterm.class.php'; require_once DOL_DOCUMENT_ROOT.'/multicurrency/class/multicurrency.class.php'; /** @@ -45,6 +46,8 @@ require_once DOL_DOCUMENT_ROOT.'/multicurrency/class/multicurrency.class.php'; */ class Societe extends CommonObject { + use CommonIncoterm; + /** * @var string ID to identify managed object */ @@ -692,20 +695,6 @@ class Societe extends CommonObject */ public $logo_squarred_mini; - /** - * @var int ID Incoterms - */ - public $fk_incoterms; - - /** - * @var string Incoterms Location - */ - public $location_incoterms; - - /** - * @var string Incoterm label - */ - public $label_incoterms; //Used into tooltip // Multicurrency /** @@ -724,6 +713,35 @@ class Societe extends CommonObject */ public $bank_account; + /** + * Third party is no customer + */ + const NO_CUSTOMER = 0; + + /** + * Third party is a customer + */ + const CUSTOMER = 1; + + /** + * Third party is a prospect + */ + const PROSPECT = 2; + + /** + * Third party is a customer and a prospect + */ + const CUSTOMER_AND_PROSPECT = 3; + + /** + * Third party is no supplier + */ + const NO_SUPPLIER = 0; + + /** + * Third party is a supplier + */ + const SUPPLIER = 1; /** * Constructor 
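Review bot: The `@@ -692` hunk removes the `fk_incoterms`, `location_incoterms` and `label_incoterms` declarations while `create()` in the next file hunk still writes `$this->fk_incoterms`; presumably the `CommonIncoterm` trait added in `@@ -45` declares them, but that is not visible here, and a comment next to the use statement such as `use CommonIncoterm; // provides fk_incoterms, location_incoterms, label_incoterms and the incoterm helpers` would make the dependency explicit. For the constants added in `@@ -724`, the customer and supplier groups share the values 0 and 1; a comment stating which column each group maps to (presumably `client` and `fournisseur`, the columns societe/list.php filters on) would keep them from being mixed.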
@@ -802,12 +820,11 @@ class Societe extends CommonObject { $this->entity = ((isset($this->entity) && is_numeric($this->entity)) ? $this->entity : $conf->entity); - $sql = "INSERT INTO ".MAIN_DB_PREFIX."societe (nom, name_alias, entity, datec, fk_user_creat, canvas, status, ref_int, ref_ext, fk_stcomm, fk_incoterms, location_incoterms ,import_key, fk_multicurrency, multicurrency_code)"; + $sql = "INSERT INTO ".MAIN_DB_PREFIX."societe (nom, name_alias, entity, datec, fk_user_creat, canvas, status, ref_ext, fk_stcomm, fk_incoterms, location_incoterms ,import_key, fk_multicurrency, multicurrency_code)"; $sql .= " VALUES ('".$this->db->escape($this->name)."', '".$this->db->escape($this->name_alias)."', ".$this->db->escape($this->entity).", '".$this->db->idate($now)."'"; - $sql .= ", ".(!empty($user->id) ? "'".$user->id."'" : "null"); + $sql .= ", ".(!empty($user->id) ? ((int) $user->id) : "null"); $sql .= ", ".(!empty($this->canvas) ? "'".$this->db->escape($this->canvas)."'" : "null"); $sql .= ", ".$this->status; - $sql .= ", ".(!empty($this->ref_int) ? "'".$this->db->escape($this->ref_int)."'" : "null"); $sql .= ", ".(!empty($this->ref_ext) ? "'".$this->db->escape($this->ref_ext)."'" : "null"); $sql .= ", 0"; $sql .= ", ".(int) $this->fk_incoterms; @@ -2724,7 +2741,7 @@ class Societe extends CommonObject $sql = "SELECT rowid, email, phone_mobile, lastname, firstname"; $sql .= " FROM ".MAIN_DB_PREFIX."socpeople"; - $sql .= " WHERE rowid = '".$rowid."'"; + $sql .= " WHERE rowid = ".((int) $rowid); $resql = $this->db->query($sql); if ($resql) 
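Review bot: In the `@@ -802` hunk the `fk_user_creat` value is now cast with `(int)`, but the neighbouring context line `$sql .= ", ".$this->status;` still concatenates `status` raw into the INSERT; `$sql .= ", ".((int) $this->status);` keeps the statement consistent with the new cast. The `@@ -2724` change to `((int) $rowid)` is the right form. create() starts and ends outside this hunk.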
@@ -3168,7 +3185,7 @@ class Societe extends CommonObject } //Verify duplicate entries - $sql = "SELECT COUNT(*) as idprof FROM ".MAIN_DB_PREFIX."societe WHERE ".$field." = '".$value."' AND entity IN (".getEntity('societe').")"; + $sql = "SELECT COUNT(*) as idprof FROM ".MAIN_DB_PREFIX."societe WHERE ".$field." = '".$this->db->escape($value)."' AND entity IN (".getEntity('societe').")"; if ($socid) $sql .= " AND rowid <> ".$socid; $resql = $this->db->query($sql); if ($resql) diff --git a/htdocs/societe/contact.php b/htdocs/societe/contact.php index 2b362268c4b..c1761c7f601 100644 --- a/htdocs/societe/contact.php +++ b/htdocs/societe/contact.php @@ -68,7 +68,7 @@ $extrafields->fetch_name_optionals_label($object->table_element); // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context $hookmanager->initHooks(array('thirdpartycontact', 'globalcard')); -if ($action == 'view' && $object->fetch($socid) <= 0) +if ($object->fetch($socid) <= 0 && $action == 'view') { $langs->load("errors"); print($langs->trans('ErrorRecordNotFound')); @@ -76,7 +76,6 @@ if ($action == 'view' && $object->fetch($socid) <= 0) } // Get object canvas (By default, this is not defined, so standard usage of dolibarr) -$object->getCanvas($socid); $canvas = $object->canvas ? $object->canvas : GETPOST("canvas"); $objcanvas = null; if (!empty($canvas)) @@ -87,12 +86,10 @@ if (!empty($canvas)) } // Security check -$result = restrictedArea($user, 'societe', $socid, '&societe', '', 'fk_soc', 'rowid', $objcanvas); +$result = restrictedArea($user, 'societe', $socid, '&societe', '', 'fk_soc', 'rowid', 0); if (empty($user->rights->societe->contact->lire)) accessforbidden(); - - /* * Actions */ diff --git a/htdocs/societe/list.php b/htdocs/societe/list.php index 96b50a34bf8..ea0b3a55d8e 100644 --- a/htdocs/societe/list.php +++ b/htdocs/societe/list.php 
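Review bot: In the `@@ -3168` hunk `$value` is now escaped, but `$field` is still spliced into the query as a column name and `$socid` is concatenated without a cast (`" AND rowid <> ".$socid`); escaping cannot protect an identifier, so this is only safe if `$field` comes from a fixed list above the hunk, which deserves a comment such as `// $field comes from the fixed idprof column list; only $value is user-supplied`, and `((int) $socid)` closes the other gap. In contact.php `@@ -87`, the last argument of `restrictedArea()` changes from `$objcanvas` to `0`; if that parameter still carries the canvas object in this tree, the canvas-specific access check is silently dropped, so the rationale belongs in a comment on that line. The enclosing method of `@@ -3168` starts outside the hunk.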
@@ -43,7 +43,7 @@ require_once DOL_DOCUMENT_ROOT.'/societe/class/client.class.php'; $langs->loadLangs(array("companies", "commercial", "customers", "suppliers", "bills", "compta", "categories", "cashdesk")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $show_files = GETPOST('show_files', 'int'); $confirm = GETPOST('confirm', 'alpha'); @@ -64,9 +64,9 @@ $search_all = trim(GETPOST('search_all', 'alphanohtml') ?GETPOST('search_all', ' $search_cti = preg_replace('/^0+/', '', preg_replace('/[^0-9]/', '', GETPOST('search_cti', 'alphanohtml'))); // Phone number without any special chars $search_id = trim(GETPOST("search_id", "int")); -$search_nom = trim(GETPOST("search_nom", 'none')); -$search_alias = trim(GETPOST("search_alias", 'none')); -$search_nom_only = trim(GETPOST("search_nom_only", 'none')); +$search_nom = trim(GETPOST("search_nom", 'restricthtml')); +$search_alias = trim(GETPOST("search_alias", 'restricthtml')); +$search_nom_only = trim(GETPOST("search_nom_only", 'restricthtml')); $search_barcode = trim(GETPOST("search_barcode", 'alpha')); $search_customer_code = trim(GETPOST('search_customer_code', 'alpha')); $search_supplier_code = trim(GETPOST('search_supplier_code', 'alpha')); 
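Review bot: The `@@ -64` hunk moves `search_nom`, `search_alias` and `search_nom_only` from `'none'` to `'restricthtml'`, which still lets a subset of HTML tags through; a name search filter has no reason to carry markup, and the `search_all` line just above in the same hunk already uses `'alphanohtml'`. Using `trim(GETPOST("search_nom", 'alphanohtml'))` for the three keeps the page's filters uniform and removes the reliance on later output escaping. The `'aZ09'` change for `action` in `@@ -43` is the right call.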
@@ -457,7 +457,7 @@ if ($search_town) $sql .= natural_search("s.town", $search_town); if (strlen($search_zip)) $sql .= natural_search("s.zip", $search_zip); if ($search_state) $sql .= natural_search("state.nom", $search_state); if ($search_region) $sql .= natural_search("region.nom", $search_region); -if ($search_country && $search_country != '-1') $sql .= " AND s.fk_pays IN (".$db->escape($search_country).')'; +if ($search_country && $search_country != '-1') $sql .= " AND s.fk_pays IN (".$db->sanitize($db->escape($search_country)).')'; if ($search_email) $sql .= natural_search("s.email", $search_email); if (strlen($search_phone)) $sql .= natural_search("s.phone", $search_phone); if (strlen($search_fax)) $sql .= natural_search("s.fax", $search_fax); @@ -470,7 +470,7 @@ if (strlen($search_idprof5)) $sql .= natural_search("s.idprof5", $search_idprof5 if (strlen($search_idprof6)) $sql .= natural_search("s.idprof6", $search_idprof6); if (strlen($search_vat)) $sql .= natural_search("s.tva_intra", $search_vat); // Filter on type of thirdparty -if ($search_type > 0 && in_array($search_type, array('1,3', '2,3'))) $sql .= " AND s.client IN (".$db->escape($search_type).")"; +if ($search_type > 0 && in_array($search_type, array('1,3', '2,3'))) $sql .= " AND s.client IN (".$db->sanitize($db->escape($search_type)).")"; if ($search_type > 0 && in_array($search_type, array('4'))) $sql .= " AND s.fournisseur = 1"; if ($search_type == '0') $sql .= " AND s.client = 0 AND s.fournisseur = 0"; if ($search_status != '' && $search_status >= 0) $sql .= natural_search("s.status", $search_status, 2); 
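Review bot: In `@@ -470` the value of `$search_type` has already been restricted to the literals `'1,3'` or `'2,3'` by the `in_array()` test on the same line, so wrapping it in `$db->sanitize($db->escape(...))` adds nothing and makes the allow-list look insufficient; either drop the wrapper there or add `// value already allow-listed above; sanitize kept for uniformity` on that line. For `@@ -457`, `$search_country` is not allow-listed, so `sanitize()` is the meaningful step for an `IN (...)` list; if it reduces the value to digits and commas the inner `escape()` is redundant, but that cannot be confirmed from here.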
@@ -598,21 +598,28 @@ if ($user->rights->societe->supprimer) $arrayofmassactions['predelete'] = 'selectMassAction('', $arrayofmassactions); -$newcardbutton = ''; -if ($user->rights->societe->creer && $contextpage != 'poslist') +$typefilter = ''; +$label = 'MenuNewThirdParty'; + +if (!empty($type)) { - $typefilter = ''; - $label = 'MenuNewThirdParty'; + $typefilter = '&type='.$type; + if ($type == 'p') $label = 'MenuNewProspect'; + if ($type == 'c') $label = 'MenuNewCustomer'; + if ($type == 'f') $label = 'NewSupplier'; +} - if (!empty($type)) - { - $typefilter = '&type='.$type; - if ($type == 'p') $label = 'MenuNewProspect'; - if ($type == 'c') $label = 'MenuNewCustomer'; - if ($type == 'f') $label = 'NewSupplier'; - } - - $newcardbutton .= dolGetButtonTitle($langs->trans($label), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/societe/card.php?action=create'.$typefilter); +// Show the new button only when this page is not opend from the Extended POS (pop-up window) +// but allow it too, when a user has the rights to create a new customer +if ($contextpage != 'poslist') +{ + $url = DOL_URL_ROOT.'/societe/card.php?action=create'.$typefilter; + if (!empty($socid)) $url .= '&socid='.$socid; + $newcardbutton = dolGetButtonTitle($langs->trans($label), '', 'fa fa-plus-circle', $url, '', $user->rights->societe->creer); +} elseif ($user->rights->societe->creer) { + $url = DOL_URL_ROOT.'/societe/card.php?action=create&type=c&contextpage=poslist&optioncss=print&backtopage='.$_SERVER["PHP_SELF"].'?contextpage=poslist&nomassaction=1&optioncss=print&place='.urlencode($place); + $label = 'MenuNewCustomer'; + $newcardbutton .= dolGetButtonTitle($langs->trans($label), '', 'fa fa-plus-circle', $url); } print ''; 
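Review bot: The `@@ -598` hunk removes the `$newcardbutton = '';` initialisation, but the `elseif` branch still appends with `.=`, and when `$contextpage == 'poslist'` and the user lacks `societe->creer` neither branch assigns the variable, so the later use of `$newcardbutton` (outside the hunk) reads an undefined variable. Restore `$newcardbutton = '';` above `$typefilter = '';` and use plain assignment in the POS branch, `$newcardbutton = dolGetButtonTitle($langs->trans($label), '', 'fa fa-plus-circle', $url);`. The new comment misspells "opened" as "opend", here and in the `@@ -696` and `@@ -1303` comments. The POS URL also embeds `$_SERVER["PHP_SELF"]` unencoded as `backtopage`; if dolGetButtonTitle escapes its URL argument that is fine, otherwise apply `urlencode()` as is done for `$place`.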
@@ -696,6 +703,7 @@ if ($moreforfilter) $varpage = empty($contextpage) ? $_SERVER["PHP_SELF"] : $contextpage; $selectedfields = $form->multiSelectArrayWithCheckbox('selectedfields', $arrayfields, $varpage); // This also change content of $arrayfields +// Show the massaction checkboxes only when this page is not opend from the Extended POS if ($massactionbutton && $contextpage != 'poslist') $selectedfields .= $form->showCheckAddButtons('checkforselect', 1); if (empty($arrayfields['customerorsupplier']['checked'])) print ''; @@ -1303,7 +1311,7 @@ while ($i < min($num, $limit)) if (!$i) $totalarray['nbfield']++; } - // Action column + // Action column (Show the massaction button only when this page is not opend from the Extended POS) print ''; print ''; // Payment token for URL print ''; print '
'.$langs->trans("CustomCode").'
'.$langs->trans("CustomCode").'
'.$langs->trans("CountryOrigin").''; + print ''.$langs->trans("CountryOrigin").''; + print img_picto('', 'globe-americas', 'class="paddingrightonly"'); print $form->select_country($object->country_id, 'country_id', '', 0, 'minwidth100 maxwidthonsmartphone'); if ($user->admin) print info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionarySetup"), 1); - print '
'.$form->editfieldkey('Region-StateOrigine', 'state_id', '', $object, 0).''; + } else { + print ''.$form->editfieldkey('StateOrigin', 'state_id', '', $object, 0).''; + } + + print $formcompany->select_state($object->state_id, $object->country_code); + print '
'.$langs->trans("CustomCode").''.$object->customcode.'
'.$langs->trans("CountryOrigin").''.getCountry($object->country_id, 0, $db).'
'.$langs->trans("Origin").''.getCountry($object->country_id, 0, $db); + if (!empty($object->state_id)) print ' - '.getState($object->state_id, 0, $db); + print '  '.$form->selectyesno($search_tobatch, '', '', '', 1).''.$form->select_country($search_country, 'search_country', '', 0).''.$formcompany->select_state($search_state, $search_country).''.getCountry($obj->fk_country, 0, $db).''; + if (!empty($obj->fk_state)) print getState($obj->fk_state, 0, $db); + print ''; if ($objp->seuil_stock_alerte != '' && ($product->stock_theorique < $objp->seuil_stock_alerte)) print img_warning($langs->trans("StockTooLow")).' '; - print $product->stock_theorique; + print price2num($product->stock_theorique, 'MS'); print '
'.$langs->trans("AddIn").''; - print $formproduct->selectWarehouses('', 'fk_parent', '', 1); + print $formproduct->selectWarehouses('ifone', 'fk_parent', '', 1); print '
'.$form->textwithpicto($langs->trans('IncludeEmptyDesiredStock'), $langs->trans('IncludeProductWithUndefinedAlerts')).' '.$langs->trans('AlertOnly').'  '; if (! empty($conf->global->STOCK_REPLENISH_ADD_CHECKBOX_INCLUDE_DRAFT_ORDER)) { print $langs->trans('IncludeAlsoDraftOrders').' '; @@ -715,6 +726,10 @@ if (!empty($conf->service->enabled) && $type == 1) print_liste_field_titre('Dura print_liste_field_titre('DesiredStock', $_SERVER["PHP_SELF"], 'p.desiredstock', $param, '', '', $sortfield, $sortorder, 'right '); print_liste_field_titre('StockLimitShort', $_SERVER["PHP_SELF"], 'p.seuil_stock_alerte', $param, '', '', $sortfield, $sortorder, 'right '); print_liste_field_titre($stocklabel, $_SERVER["PHP_SELF"], 'stock_physique', $param, '', '', $sortfield, $sortorder, 'right '); +if (!empty($conf->global->STOCK_ALLOW_ADD_LIMIT_STOCK_BY_WAREHOUSE) && $fk_entrepot > 0) +{ + print_liste_field_titre($stocklabelbis, $_SERVER["PHP_SELF"], 'stock_real_warehouse', $param, '', '', $sortfield, $sortorder, 'right '); +} print_liste_field_titre('Ordered', $_SERVER["PHP_SELF"], '', $param, '', '', $sortfield, $sortorder, 'right '); print_liste_field_titre('StockToBuy', $_SERVER["PHP_SELF"], '', $param, '', '', $sortfield, $sortorder, 'right '); print_liste_field_titre('SupplierRef', $_SERVER["PHP_SELF"], '', $param, '', '', $sortfield, $sortorder, 'right '); @@ -757,8 +772,10 @@ while ($i < ($limit ? min($num, $limit) : $num)) { // If option to increase/decrease is not on an object validation, virtual stock may differs from physical stock. $stock = $prod->stock_theorique; + //TODO $stockwarehouse = $prod->stock_warehouse[$fk_entrepot]->; } else { $stock = $prod->stock_reel; + $stockwarehouse = $prod->stock_warehouse[$fk_entrepot]->real; } // Force call prod->load_stats_xxx to choose status to count (otherwise it is loaded by load_stock function) 
@@ -774,20 +791,29 @@ while ($i < ($limit ? min($num, $limit) : $num)) //print $prod->stats_reception['qty']; $ordered = $prod->stats_commande_fournisseur['qty'] - $prod->stats_reception['qty']; - $desiredstock = ($objp->desiredstockpse ? $objp->desiredstockpse : $objp->desiredstock); - $alertstock = ($objp->seuil_stock_alertepse ? $objp->seuil_stock_alertepse : $objp->seuil_stock_alerte); + $desiredstock = $objp->desiredstock; + $alertstock = $objp->seuil_stock_alerte; + $desiredstockwarehouse = ($objp->desiredstockpse ? $objp->desiredstockpse : ''); + $alertstockwarehouse = ($objp->seuil_stock_alertepse ? $objp->seuil_stock_alertepse : ''); $warning = ''; if ($alertstock && ($stock < $alertstock)) { $warning = img_warning($langs->trans('StockTooLow')).' '; } + $warningwarehouse = ''; + if ($alertstockwarehouse && ($stockwarehouse < $alertstockwarehouse)) + { + $warningwarehouse = img_warning($langs->trans('StockTooLow')).' '; + } //depending on conf, use either physical stock or //virtual stock to compute the stock to buy value if (empty($usevirtualstock)) $stocktobuy = max(max($desiredstock, $alertstock) - $stock - $ordered, 0); else $stocktobuy = max(max($desiredstock, $alertstock) - $stock, 0); //ordered is already in $stock in virtual mode + if (empty($usevirtualstock)) $stocktobuywarehouse = max(max($desiredstockwarehouse, $alertstockwarehouse) - $stockwarehouse - $ordered, 0); + else $stocktobuywarehouse = max(max($desiredstockwarehouse, $alertstockwarehouse) - $stockwarehouse, 0); //ordered is already in $stock in virtual mode $picto = ''; if ($ordered > 0) @@ -803,57 +829,67 @@ while ($i < ($limit ? min($num, $limit) : $num)) $picto = img_picto($langs->trans("NoPendingReceptionOnSupplierOrder"), 'help'); } - print '
'.$prod->getNomUrl(1, '').''.$prod->getNomUrl(1, 'stock').''.$objp->label; - print ''; // TODO Remove this and make a fetch to get description when creating order instead of a GETPOST - print ''.$objp->label; + print ''; // TODO Remove this and make a fetch to get description when creating order instead of a GETPOST + print ''.$duration.''.$duration.''.($fk_entrepot > 0 ? $desiredstockwarehouse : $desiredstock).''.($fk_entrepot > 0 ? $alertstockwarehouse : $alertstock).''.$warning.$stock.''.$warningwarehouse.$stockwarehouse.''.$ordered.' '.$picto.''; + print $form->select_product_fourn_price($prod->id, 'fourn'.$i, $fk_supplier); + print '
'.$desiredstock.''.$alertstock.''.$warning.$stock.''.$ordered.' '.$picto.''; - print $form->select_product_fourn_price($prod->id, 'fourn'.$i, $fk_supplier); - print '
'.$langs->trans("Label").'
'.$langs->trans("Label").'
'; @@ -653,7 +653,7 @@ if ($action == 'create' && $user->rights->projet->creer) // Description print '
'.$langs->trans("Description").''; - $doleditor = new DolEditor('description', GETPOST("description", 'none'), '', 90, 'dolibarr_notes', '', false, true, $conf->global->FCKEDITOR_ENABLE_SOCIETE, ROWS_3, '90%'); + $doleditor = new DolEditor('description', GETPOST("description", 'restricthtml'), '', 90, 'dolibarr_notes', '', false, true, $conf->global->FCKEDITOR_ENABLE_SOCIETE, ROWS_3, '90%'); $doleditor->Create(); print '
'; - print '...'; + print '...'; print ''; print $othernb; diff --git a/htdocs/projet/list.php b/htdocs/projet/list.php index a682d7ef383..c73a68b98ee 100644 --- a/htdocs/projet/list.php +++ b/htdocs/projet/list.php @@ -44,7 +44,7 @@ if (!empty($conf->categorie->enabled)) // Load translation files required by the page $langs->loadLangs(array('projects', 'companies', 'commercial')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $show_files = GETPOST('show_files', 'int'); $confirm = GETPOST('confirm', 'alpha'); @@ -132,10 +132,10 @@ $fieldstosearchall = array( if (empty($user->socid)) $fieldstosearchall["p.note_private"] = "NotePrivate"; $arrayfields = array( - 'p.ref'=>array('label'=>$langs->trans("Ref"), 'checked'=>1), - 'p.title'=>array('label'=>$langs->trans("Label"), 'checked'=>1), - 's.nom'=>array('label'=>$langs->trans("ThirdParty"), 'checked'=>1, 'enabled'=>(empty($conf->societe->enabled) ? 0 : 1)), - 'commercial'=>array('label'=>$langs->trans("SaleRepresentativesOfThirdParty"), 'checked'=>0), + 'p.ref'=>array('label'=>$langs->trans("Ref"), 'checked'=>1, 'position'=>10), + 'p.title'=>array('label'=>$langs->trans("Label"), 'checked'=>1, 'position'=>11), + 's.nom'=>array('label'=>$langs->trans("ThirdParty"), 'checked'=>1, 'enabled'=>(empty($conf->societe->enabled) ? 0 : 1), 'position'=>20), + 'commercial'=>array('label'=>$langs->trans("SaleRepresentativesOfThirdParty"), 'checked'=>0, 'css'=>'tdoverflowmax100', 'position'=>21), 'p.dateo'=>array('label'=>$langs->trans("DateStart"), 'checked'=>1, 'position'=>100), 'p.datee'=>array('label'=>$langs->trans("DateEnd"), 'checked'=>1, 'position'=>101), 'p.public'=>array('label'=>$langs->trans("Visibility"), 'checked'=>1, 'position'=>102), 
@@ -282,7 +282,7 @@ if (!$user->rights->projet->all->lire) $projectsListId = $object->getProjectsAut // Get id of types of contacts for projects (This list never contains a lot of elements) $listofprojectcontacttype = array(); $sql = "SELECT ctc.rowid, ctc.code FROM ".MAIN_DB_PREFIX."c_type_contact as ctc"; -$sql .= " WHERE ctc.element = '".$object->element."'"; +$sql .= " WHERE ctc.element = '".$db->escape($object->element)."'"; $sql .= " AND ctc.source = 'internal'"; $resql = $db->query($sql); if ($resql) @@ -448,11 +448,9 @@ if (in_array($massaction, array('presend', 'predelete'))) $arrayofmassactions = $massactionbutton = $form->selectMassAction('', $arrayofmassactions); -$newcardbutton = ''; -if ($user->rights->projet->creer) -{ - $newcardbutton .= dolGetButtonTitle($langs->trans('NewProject'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/projet/card.php?action=create'); -} +$url = DOL_URL_ROOT.'/projet/card.php?action=create'; +if (!empty($socid)) $url .= '&socid='.$socid; +$newcardbutton = dolGetButtonTitle($langs->trans('NewProject'), '', 'fa fa-plus-circle', $url, '', $user->rights->projet->creer); print ''; if ($optioncss != '') print ''; @@ -461,7 +459,6 @@ print ''; print ''; print ''; -print ''; print ''; // Show description of content @@ -679,7 +676,7 @@ print '
'.$langs->trans("Company").'
'.$langs->trans("Address").''."\n"; -print '
'.$langs->trans('Zip').' / '.$langs->trans('Town').''; print $formcompany->select_ziptown(GETPOST('zipcode'), 'zipcode', array('town', 'selectcountry_id', 'state_id'), 6, 1); @@ -636,7 +636,7 @@ include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_add.tpl.php'; // Comments print '
'.$langs->trans("Comments").'
'.$tmp[0].''.dol_escape_htmltag($tmp[0]).'
'.$langs->trans("PaymentCode"); print ''.$fulltag.''; - print ''; - print ''; + print ''; + print ''; print '
'.$langs->trans("PaymentAmount"); if (empty($amount) && empty($object->paye)) print ' ('.$langs->trans("ToComplete").')'; print ''; - if (empty($object->paye)) - { + if ($object->type == $object::TYPE_CREDIT_NOTE) { + print ''.$langs->trans("CreditNote").''; + } elseif (empty($object->paye)) { if (empty($amount) || !is_numeric($amount)) { print ''; @@ -1076,12 +1077,13 @@ if ($source == 'invoice') print ''; print ''; } + print ' '.$langs->trans("Currency".$currency).''; + print ''; } else { print ''.price($object->total_ttc, 1, $langs).''; + print ' '.$langs->trans("Currency".$currency).''; + print ''; } - // Currency - print ' '.$langs->trans("Currency".$currency).''; - print ''; print '
'; print '
'; - print $langs->trans('From').' '; - print $form->selectDate($search_date_start ? $search_date_start : -1, 'search_date_start', 0, 0, 1); + print $form->selectDate($search_date_start ? $search_date_start : -1, 'search_date_start', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('From')); print '
'; print '
'; - print $langs->trans('to').' '; - print $form->selectDate($search_date_end ? $search_date_end : -1, 'search_date_end', 0, 0, 1); + print $form->selectDate($search_date_end ? $search_date_end : -1, 'search_date_end', 0, 0, 1, '', 1, 0, 0, '', '', '', '', 1, '', $langs->trans('to')); print '
'; print '
'.$langs->trans('Prefix').''.$langs->trans('Prefix').'
'.$form->editfieldkey('FirstName', 'firstname', '', $object, 0).'
'.$form->editfieldkey('ProspectCustomer', 'customerprospect', '', $object, 0, 'string', '', 1).'
'.$form->editfieldkey('Gencod', 'barcode', '', $object, 0).''; + print ''; print '
'; print ''; print $form->widgetForTranslation("address", $object, $permissiontoadd, 'textarea', 'alphanohtml', 'quatrevingtpercent'); print '
'.$form->editfieldkey('Gencod', 'barcode', '', $object, 0).''; + print ''; print '
'.$form->editfieldkey('Address', 'address', '', $object, 0).''; print $form->widgetForTranslation("address", $object, $permissiontoadd, 'textarea', 'alphanohtml', 'quatrevingtpercent'); print '
'; - print $langs->trans('Gencod').''.$object->barcode; + print $langs->trans('Gencod').''.dol_escape_htmltag($object->barcode); print '
'; if (($massactionbutton || $massaction) && $contextpage != 'poslist') // If we are in select mode (massactionbutton defined) or if we have already selected and sent an action ($massaction) defined { diff --git a/htdocs/societe/paymentmodes.php b/htdocs/societe/paymentmodes.php index 739c4456a78..26828773753 100644 --- a/htdocs/societe/paymentmodes.php +++ b/htdocs/societe/paymentmodes.php @@ -551,10 +551,10 @@ if (empty($reshook)) $db->begin(); if (empty($newcu)) { - $sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_account WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$site_account."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; + $sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_account WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; } else { $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX."societe_account"; - $sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$site_account."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified ! + $sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified ! } $resql = $db->query($sql); 
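Review bot: The `@@ -551` hunk escapes `$site_account` but leaves `$object->id`, `$servicestatus` and `$conf->entity` concatenated raw into both the DELETE and the SELECT; the last two are presumably integers from configuration, yet `((int) $object->id)` and `((int) $servicestatus)` would make that explicit and match the casts the commit adds in societe.class.php. The surrounding action block starts and ends outside the hunk.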
@@ -577,8 +577,8 @@ if (empty($reshook)) } } else { $sql = 'UPDATE '.MAIN_DB_PREFIX."societe_account"; - $sql .= " SET key_account = '".$db->escape(GETPOST('key_account', 'alpha'))."', site_account = '".$site_account."'"; - $sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$site_account."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified ! + $sql .= " SET key_account = '".$db->escape(GETPOST('key_account', 'alpha'))."', site_account = '".$db->escape($site_account)."'"; + $sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified ! $resql = $db->query($sql); } } @@ -602,9 +602,9 @@ if (empty($reshook)) $db->begin(); if (empty($newsup)) { - $sql = "DELETE FROM ".MAIN_DB_PREFIX."oauth_token WHERE fk_soc = ".$object->id." AND service = '".$service."' AND entity = ".$conf->entity; + $sql = "DELETE FROM ".MAIN_DB_PREFIX."oauth_token WHERE fk_soc = ".$object->id." AND service = '".$db->escape($service)."' AND entity = ".$conf->entity; // TODO Add site and site_account on oauth_token table - //$sql = "DELETE FROM ".MAIN_DB_PREFIX."oauth_token WHERE site = 'stripe' AND (site_account IS NULL or site_account = '".$site_account."') AND fk_soc = ".$object->id." AND service = '".$service."' AND entity = ".$conf->entity; + //$sql = "DELETE FROM ".MAIN_DB_PREFIX."oauth_token WHERE site = 'stripe' AND (site_account IS NULL or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND service = '".$db->escape($service)."' AND entity = ".$conf->entity; } else { try { $stripesup = \Stripe\Account::retrieve($db->escape(GETPOST('key_account_supplier', 'alpha'))); 
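Review bot: In `@@ -602` the context line `\Stripe\Account::retrieve($db->escape(GETPOST('key_account_supplier', 'alpha')))` applies the SQL escaper to a value handed to the Stripe client, not to the database; that is the wrong layer and can only mangle an id containing a quote, so validate the id's format instead and pass it unescaped. The `@@ -577` and `@@ -602` escapes of `$site_account` and `$service` are right. The action block continues outside these hunks.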
@@ -612,9 +612,9 @@ if (empty($reshook))
 $tokenstring['type'] = $stripesup->type;
 $sql = "UPDATE ".MAIN_DB_PREFIX."oauth_token";
 $sql .= " SET tokenstring = '".dol_json_encode($tokenstring)."'";
- $sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '".$site_account."') AND fk_soc = ".$object->id." AND service = '".$service."' AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified !
+ $sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND service = '".$db->escape($service)."' AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified !
 // TODO Add site and site_account on oauth_token table
- $sql .= " WHERE fk_soc = ".$object->id." AND service = '".$service."' AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified !
+ $sql .= " WHERE fk_soc = ".$object->id." AND service = '".$db->escape($service)."' AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified !
 } catch (Exception $e) {
 $error++;
 setEventMessages($e->getMessage(), null, 'errors');
@@ -630,7 +630,7 @@ if (empty($reshook))
 $tokenstring['stripe_user_id'] = $stripesup->id;
 $tokenstring['type'] = $stripesup->type;
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."oauth_token (service, fk_soc, entity, tokenstring)";
- $sql .= " VALUES ('".$service."', ".$object->id.", ".$conf->entity.", '".dol_json_encode($tokenstring)."')";
+ $sql .= " VALUES ('".$db->escape($service)."', ".$object->id.", ".$conf->entity.", '".dol_json_encode($tokenstring)."')";
 // TODO Add site and site_account on oauth_token table
 } catch (Exception $e) {
 $error++;
diff --git a/htdocs/societe/price.php b/htdocs/societe/price.php
index 118d85e0fbb..8fb17a59e3f 100644
--- a/htdocs/societe/price.php
+++ b/htdocs/societe/price.php
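Review bot: The UPDATE in the -612 hunk still appends two WHERE clauses on the new side — the `WHERE site = 'stripe' AND (site_account IS NULL ...)` line and, after the TODO comment, `WHERE fk_soc = ...` — so the statement sent to the database is syntactically invalid and the token update cannot succeed; the -602 hunk keeps the `site`/`site_account` variant commented out until the columns exist, and the same should be done here: `//$sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '".$db->escape($site_account)."') AND fk_soc = ...";`. Separately, `dol_json_encode($tokenstring)` is inserted into the SET clause here and into the VALUES clause of the -630 hunk without `$db->escape()`, although `$tokenstring` carries values returned by the Stripe API (`$stripesup->id`, `$stripesup->type`); `'".$db->escape(dol_json_encode($tokenstring))."'` keeps the query well-formed regardless of the content. The surrounding try block starts outside the hunk.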
@@ -40,7 +40,7 @@ if (!empty($conf->global->PRODUIT_CUSTOMER_PRICES)) {
 $langs->loadLangs(array("products", "companies", "bills"));
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $search_prod = GETPOST('search_prod', 'alpha');
 $cancel = GETPOST('cancel', 'alpha');
@@ -105,9 +105,9 @@ if (empty($reshook))
 // Get record from code
 $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
 $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
- $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'";
+ $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
 $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
- $sql .= " AND t.code ='".$vatratecode."'";
+ $sql .= " AND t.code ='".$db->escape($vatratecode)."'";
 $resql = $db->query($sql);
 if ($resql) {
diff --git a/htdocs/societe/societecontact.php b/htdocs/societe/societecontact.php
index 1369f29a185..20ddbfa4cf7 100644
--- a/htdocs/societe/societecontact.php
+++ b/htdocs/societe/societecontact.php
@@ -36,7 +36,7 @@ $langs->loadLangs(array("orders", "companies"));
 $id = GETPOST('id', 'int') ?GETPOST('id', 'int') : GETPOST('socid', 'int');
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $massaction = GETPOST('massaction', 'alpha');
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
diff --git a/htdocs/societe/tpl/linesalesrepresentative.tpl.php b/htdocs/societe/tpl/linesalesrepresentative.tpl.php
index 9c6e485e97d..039379be8c7 100644
--- a/htdocs/societe/tpl/linesalesrepresentative.tpl.php
+++ b/htdocs/societe/tpl/linesalesrepresentative.tpl.php
@@ -49,7 +49,7 @@ if ($action == 'editsalesrepresentatives') {
 } else {
 $listsalesrepresentatives = $object->getSalesRepresentatives($user);
 $nbofsalesrepresentative = count($listsalesrepresentatives);
- if ($nbofsalesrepresentative > 0) {
+ if ($nbofsalesrepresentative > 0 && is_array($listsalesrepresentatives)) {
 $userstatic = new User($db);
 foreach ($listsalesrepresentatives as $val) {
 $userstatic->id = $val['id'];
diff --git a/htdocs/stripe/admin/stripe.php b/htdocs/stripe/admin/stripe.php
index 693f02b480c..46f59039c36 100644
--- a/htdocs/stripe/admin/stripe.php
+++ b/htdocs/stripe/admin/stripe.php
@@ -39,7 +39,7 @@ $langs->loadLangs(array('admin', 'other', 'paypal', 'paybox', 'stripe'));
 if (!$user->admin) accessforbidden();
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 /*
@@ -433,16 +433,21 @@ print '
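Review bot: `$nbofsalesrepresentative = count($listsalesrepresentatives);` on the line above the change still runs before the new `is_array()` guard, so when `getSalesRepresentatives()` returns a non-array the `count()` call has already happened — a warning on PHP 7.2+ and a TypeError on PHP 8 — before the condition can protect anything. Putting the type check first avoids that: `if (is_array($listsalesrepresentatives) && count($listsalesrepresentatives) > 0) {`, with the `count()` assignment moved inside the branch or guarded the same way. The enclosing else branch continues past the hunk.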
'; print $langs->trans("ONLINE_PAYMENT_SENDEMAIL").''; -print ''; +print ''; print '   '.$langs->trans("Example").': myemail@myserver.com, Payment service <myemail2@myserver2.com>'; print '
'; print $langs->trans("SecurityToken").''; -print ''; -if (!empty($conf->use_javascript_ajax)) +print ''; +if (!empty($conf->use_javascript_ajax)) { print ' '.img_picto($langs->trans('Generate'), 'refresh', 'id="generate_token" class="linkobject"'); +} +if (! empty($conf->global->PAYMENT_SECURITY_ACCEPT_ANY_TOKEN)) { + $langs->load("errors"); + print img_warning($langs->trans("WarningTheHiddenOptionIsOn", 'PAYMENT_SECURITY_ACCEPT_ANY_TOKEN'), '', 'pictowarning marginleftonly'); +} print '
'; diff --git a/htdocs/stripe/class/actions_stripe.class.php b/htdocs/stripe/class/actions_stripe.class.php index 2fafe09a693..a7a868f7e4a 100644 --- a/htdocs/stripe/class/actions_stripe.class.php +++ b/htdocs/stripe/class/actions_stripe.class.php @@ -98,7 +98,7 @@ class ActionsStripeconnect $this->resprints .= '
';
 $this->resprints .= '';
 $this->resprints .= '';
- $stripe = new Stripe($db);
+ $stripe = new Stripe($this->db);
 if ($stripe->getStripeAccount($service) && $object->client != 0) {
 $customer = $stripe->customerStripe($object, $stripe->getStripeAccount($service));
 $this->resprints .= $customer->id;
@@ -114,7 +114,7 @@ class ActionsStripeconnect
 $this->resprints .= '';
 $this->resprints .= '';
 $this->resprints .= '';
- $stripe = new Stripe($db);
+ $stripe = new Stripe($this->db);
 if ($stripe->getStripeAccount($service) && $object->fk_soc > 0) {
 $object->fetch_thirdparty();
 $customer = $stripe->customerStripe($object->thirdparty, $stripe->getStripeAccount($service));
@@ -131,7 +131,7 @@ class ActionsStripeconnect
 $this->resprints .= '';
 $this->resprints .= '';
 $this->resprints .= '';
- $stripe = new Stripe($db);
+ $stripe = new Stripe($this->db);
 if (7 == 4) {
 $object->fetch_thirdparty();
 $customer = $stripe->customerStripe($object, $stripe->getStripeAccount($service));
@@ -149,7 +149,7 @@ class ActionsStripeconnect
 $this->resprints .= '';
 $this->resprints .= '';
 $this->resprints .= '';
- $stripe = new Stripe($db);
+ $stripe = new Stripe($this->db);
 if (7 == 4) {
 $object->fetch_thirdparty();
 $customer = $stripe->customerStripe($object, $stripe->getStripeAccount($service));
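Review bot: In the -131 and -149 hunks the changed `$stripe = new Stripe($this->db);` line is immediately followed by `if (7 == 4) {`, a constant-false condition, so the customer lookup in those branches is dead code and the `$this->db` change there can never be exercised. The -98 and -114 hunks use real conditions (`$stripe->getStripeAccount($service) && $object->client != 0` and `... && $object->fk_soc > 0`); the two dead branches should either get their intended condition back or be removed, and until then a comment such as `// Disabled: condition is intentionally always false` would at least stop readers from treating the block as live code. The enclosing method starts and ends outside these hunks.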
@@ -179,25 +179,25 @@ class ActionsStripeconnect
 $sql .= ' FROM '.MAIN_DB_PREFIX.'paiement_facture as pf';
 $sql .= ' WHERE pf.fk_facture = '.$object->id;
- $result = $db->query($sql);
+ $result = $this->db->query($sql);
 if ($result) {
 $i = 0;
- $num = $db->num_rows($result);
+ $num = $this->db->num_rows($result);
 while ($i < $num) {
- $objp = $db->fetch_object($result);
+ $objp = $this->db->fetch_object($result);
 $totalpaye += $objp->amount;
 $i++;
 }
 } else {
- dol_print_error($db, '');
+ dol_print_error($this->db, '');
 }
 $resteapayer = $object->total_ttc - $totalpaye;
 // Request a direct debit order
 if ($object->statut > Facture::STATUS_DRAFT && $object->statut < Facture::STATUS_ABANDONED && $object->paye == 0) {
- $stripe = new Stripe($db);
+ $stripe = new Stripe($this->db);
 if ($resteapayer > 0) {
 if ($stripe->getStripeAccount($conf->entity)) // a modifier avec droit stripe
diff --git a/htdocs/stripe/class/stripe.class.php b/htdocs/stripe/class/stripe.class.php
index 961011b51e0..a3199917f53 100644
--- a/htdocs/stripe/class/stripe.class.php
+++ b/htdocs/stripe/class/stripe.class.php
@@ -92,7 +92,7 @@ class Stripe extends CommonObject
 $sql = "SELECT tokenstring";
 $sql .= " FROM ".MAIN_DB_PREFIX."oauth_token";
 $sql .= " WHERE entity = ".$conf->entity;
- $sql .= " AND service = '".$mode."'";
+ $sql .= " AND service = '".$this->db->escape($mode)."'";
 if ($fk_soc > 0) {
 $sql .= " AND fk_soc = ".$fk_soc;
 } else {
@@ -356,9 +356,9 @@ class Stripe extends CommonObject
 $sql = "SELECT pi.ext_payment_id, pi.entity, pi.fk_facture, pi.sourcetype, pi.ext_payment_site";
 $sql .= " FROM ".MAIN_DB_PREFIX."prelevement_facture_demande as pi";
 $sql .= " WHERE pi.fk_facture = ".$object->id;
- $sql .= " AND pi.sourcetype = '".$object->element."'";
+ $sql .= " AND pi.sourcetype = '".$this->db->escape($object->element)."'";
 $sql .= " AND pi.entity IN (".getEntity('societe').")";
- $sql .= " AND pi.ext_payment_site = '".$service."'";
+ $sql .= " AND pi.ext_payment_site = '".$this->db->escape($service)."'";
 dol_syslog(get_class($this)."::getPaymentIntent search stripe payment intent for object id = ".$object->id, LOG_DEBUG);
 $resql = $this->db->query($sql);
@@ -465,7 +465,7 @@ class Stripe extends CommonObject
 $sql = "SELECT pi.rowid";
 $sql .= " FROM ".MAIN_DB_PREFIX."prelevement_facture_demande as pi";
 $sql .= " WHERE pi.entity IN (".getEntity('societe').")";
- $sql .= " AND pi.ext_payment_site = '".$service."'";
+ $sql .= " AND pi.ext_payment_site = '".$this->db->escape($service)."'";
 $sql .= " AND pi.ext_payment_id = '".$this->db->escape($paymentintent->id)."'";
 dol_syslog(get_class($this)."::getPaymentIntent search if payment intent already in prelevement_facture_demande", LOG_DEBUG);
@@ -484,7 +484,7 @@ class Stripe extends CommonObject
 {
 $now = dol_now();
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."prelevement_facture_demande (date_demande, fk_user_demande, ext_payment_id, fk_facture, sourcetype, entity, ext_payment_site, amount)";
- $sql .= " VALUES ('".$this->db->idate($now)."', ".$user->id.", '".$this->db->escape($paymentintent->id)."', ".$object->id.", '".$this->db->escape($object->element)."', ".$conf->entity.", '".$service."', ".$amount.")";
+ $sql .= " VALUES ('".$this->db->idate($now)."', ".$user->id.", '".$this->db->escape($paymentintent->id)."', ".$object->id.", '".$this->db->escape($object->element)."', ".$conf->entity.", '".$this->db->escape($service)."', ".$amount.")";
 $resql = $this->db->query($sql);
 if (!$resql) {
@@ -617,7 +617,7 @@ class Stripe extends CommonObject
 $sql = "SELECT pi.rowid";
 $sql.= " FROM " . MAIN_DB_PREFIX . "prelevement_facture_demande as pi";
 $sql.= " WHERE pi.entity IN (".getEntity('societe').")";
- $sql.= " AND pi.ext_payment_site = '" . $service . "'";
+ $sql.= " AND pi.ext_payment_site = '" . $this->db->escape($service) . "'";
 $sql.= " AND pi.ext_payment_id = '".$this->db->escape($setupintent->id)."'";
 dol_syslog(get_class($this) . "::getPaymentIntent search if payment intent already in prelevement_facture_demande", LOG_DEBUG);
@@ -637,7 +637,7 @@ class Stripe extends CommonObject
 {
 $now=dol_now();
 $sql = "INSERT INTO " . MAIN_DB_PREFIX . "prelevement_facture_demande (date_demande, fk_user_demande, ext_payment_id, fk_facture, sourcetype, entity, ext_payment_site)";
- $sql .= " VALUES ('".$this->db->idate($now)."', ".$user->id.", '".$this->db->escape($setupintent->id)."', ".$object->id.", '".$this->db->escape($object->element)."', " . $conf->entity . ", '" . $service . "', ".$amount.")";
+ $sql .= " VALUES ('".$this->db->idate($now)."', ".$user->id.", '".$this->db->escape($setupintent->id)."', ".$object->id.", '".$this->db->escape($object->element)."', " . $conf->entity . ", '" . $this->db->escape($service) . "', ".$amount.")";
 $resql = $this->db->query($sql);
 if (! $resql) {
diff --git a/htdocs/supplier_proposal/admin/supplier_proposal_extrafields.php b/htdocs/supplier_proposal/admin/supplier_proposal_extrafields.php
index 132820e8e09..61077e2c5bd 100644
--- a/htdocs/supplier_proposal/admin/supplier_proposal_extrafields.php
+++ b/htdocs/supplier_proposal/admin/supplier_proposal_extrafields.php
@@ -33,7 +33,7 @@ $tmptype2label = ExtraFields::$type2label;
 $type2label = array('');
 foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val);
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $attrname = GETPOST('attrname', 'alpha');
 $elementtype = 'supplier_proposal'; //Must be the $table_element of the class that manage extrafield
diff --git a/htdocs/supplier_proposal/admin/supplier_proposaldet_extrafields.php b/htdocs/supplier_proposal/admin/supplier_proposaldet_extrafields.php
index 73ba689f47a..08f17504de9 100644
--- a/htdocs/supplier_proposal/admin/supplier_proposaldet_extrafields.php
+++ b/htdocs/supplier_proposal/admin/supplier_proposaldet_extrafields.php
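Review bot: The INSERT in the -637 hunk lists seven columns (`date_demande, fk_user_demande, ext_payment_id, fk_facture, sourcetype, entity, ext_payment_site`) while the rewritten VALUES line supplies eight values, ending in `".$amount.")"`, so the database rejects the statement with a column/value count mismatch and the setupintent is never recorded. The -484 hunk above builds the same INSERT with `, amount` at the end of the column list; this one should either add `, amount)` to its column list or drop the trailing `, ".$amount."` value, whichever the setupintent path intends. The enclosing if block starts outside the hunk.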
@@ -40,7 +40,7 @@ $tmptype2label = ExtraFields::$type2label;
 $type2label = array('');
 foreach ($tmptype2label as $key => $val) $type2label[$key] = $langs->transnoentitiesnoconv($val);
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $attrname = GETPOST('attrname', 'alpha');
 $elementtype = 'supplier_proposaldet'; //Must be the $table_element of the class that manage extrafield
diff --git a/htdocs/supplier_proposal/card.php b/htdocs/supplier_proposal/card.php
index 0c4e53da2b9..1e884629791 100644
--- a/htdocs/supplier_proposal/card.php
+++ b/htdocs/supplier_proposal/card.php
@@ -58,7 +58,7 @@ $error = 0;
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
 $socid = GETPOST('socid', 'int');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $origin = GETPOST('origin', 'alpha');
 $originid = GETPOST('originid', 'int');
 $confirm = GETPOST('confirm', 'alpha');
@@ -268,7 +268,8 @@ if (empty($reshook))
 $object->fk_project = GETPOST('projectid', 'int');
 $object->model_pdf = GETPOST('model');
 $object->author = $user->id; // deprecated
- $object->note = GETPOST('note', 'none');
+ $object->note = GETPOST('note', 'restricthtml');
+ $object->note_private = GETPOST('note', 'restricthtml');
 $object->statut = SupplierProposal::STATUS_DRAFT;
 $id = $object->create_from($user);
@@ -286,7 +287,8 @@ if (empty($reshook))
 $object->fk_project = GETPOST('projectid', 'int');
 $object->model_pdf = GETPOST('model');
 $object->author = $user->id; // deprecated
- $object->note = GETPOST('note', 'none');
+ $object->note = GETPOST('note', 'restricthtml');
+ $object->note_private = GETPOST('note', 'restricthtml');
 $object->origin = GETPOST('origin');
 $object->origin_id = GETPOST('originid');
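Review bot: `$object->model_pdf = GETPOST('model')` in the -268 and -286 hunks, and `$object->origin = GETPOST('origin')` / `$object->origin_id = GETPOST('originid')` in -286, still read the request with no explicit check type while the commit tightens the neighbouring `note` reads; the -58 hunk of this file already has `$origin = GETPOST('origin', 'alpha')` and `$originid = GETPOST('originid', 'int')`, so these lines can simply assign `$object->origin = $origin; $object->origin_id = $originid;`, and `model` can use `'alpha'`. `GETPOST('statut')` passed to `cloture()` in the -482 hunk has the same shape and presumably takes `'int'` — worth confirming against `cloture()`'s signature. Both `note` and `note_private` are now filled from the same `note` field; if `$object->note` is kept only for backward compatibility, a short comment saying so on the first line of the pair would help the next reader. The enclosing `if (empty($reshook))` block starts and ends outside these hunks.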
@@ -482,7 +484,7 @@ if (empty($reshook))
 } else {
 // prevent browser refresh from closing proposal several times
 if ($object->statut == SupplierProposal::STATUS_VALIDATED) {
- $object->cloture($user, GETPOST('statut'), GETPOST('note', 'none'));
+ $object->cloture($user, GETPOST('statut'), GETPOST('note', 'restricthtml'));
 }
 }
 }
@@ -841,7 +843,7 @@ if (empty($reshook))
 $info_bits |= 0x01;
 // Clean parameters
- $description = dol_htmlcleanlastbr(GETPOST('product_desc', 'none'));
+ $description = dol_htmlcleanlastbr(GETPOST('product_desc', 'restricthtml'));
 // Define vat_rate
 $vat_rate = str_replace('*', '', $vat_rate);
@@ -1039,7 +1041,7 @@ if (empty($reshook))
 $object->oldcopy = dol_clone($object);
 // Fill array 'array_options' with data from update form
- $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'none'));
+ $ret = $extrafields->setOptionalsFromPost(null, $object, GETPOST('attribute', 'restricthtml'));
 if ($ret < 0) $error++;
 if (!$error)
diff --git a/htdocs/supplier_proposal/class/api_supplier_proposals.class.php b/htdocs/supplier_proposal/class/api_supplier_proposals.class.php
index 3eea10bdf13..ba2fa37e1b9 100644
--- a/htdocs/supplier_proposal/class/api_supplier_proposals.class.php
+++ b/htdocs/supplier_proposal/class/api_supplier_proposals.class.php
@@ -133,7 +133,7 @@ class Supplierproposals extends DolibarrApi
 $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")";
 }
- $sql .= $db->order($sortfield, $sortorder);
+ $sql .= $this->db->order($sortfield, $sortorder);
 if ($limit) {
 if ($page < 0) {
@@ -141,27 +141,27 @@ class Supplierproposals extends DolibarrApi
 }
 $offset = $limit * $page;
- $sql .= $db->plimit($limit + 1, $offset);
+ $sql .= $this->db->plimit($limit + 1, $offset);
 }
- $result = $db->query($sql);
+ $result = $this->db->query($sql);
 if ($result) {
- $num = $db->num_rows($result);
+ $num = $this->db->num_rows($result);
 $min = min($num, ($limit <= 0 ? $num : $limit));
 $i = 0;
 while ($i < $min) {
- $obj = $db->fetch_object($result);
- $propal_static = new SupplierProposal($db);
+ $obj = $this->db->fetch_object($result);
+ $propal_static = new SupplierProposal($this->db);
 if ($propal_static->fetch($obj->rowid)) {
 $obj_ret[] = $this->_cleanObjectDatas($propal_static);
 }
 $i++;
 }
 } else {
- throw new RestException(503, 'Error when retrieving supplier proposal list : '.$db->lasterror());
+ throw new RestException(503, 'Error when retrieving supplier proposal list : '.$this->db->lasterror());
 }
 if (!count($obj_ret)) {
 throw new RestException(404, 'No supplier proposal found');
diff --git a/htdocs/supplier_proposal/class/supplier_proposal.class.php b/htdocs/supplier_proposal/class/supplier_proposal.class.php
index 79b50071a18..92759515ba4 100644
--- a/htdocs/supplier_proposal/class/supplier_proposal.class.php
+++ b/htdocs/supplier_proposal/class/supplier_proposal.class.php
@@ -41,12 +41,15 @@ require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php';
 require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php';
 require_once DOL_DOCUMENT_ROOT.'/margin/lib/margins.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/multicurrency/class/multicurrency.class.php';
+require_once DOL_DOCUMENT_ROOT.'/core/class/commonincoterm.class.php';
 /**
 * Class to manage price ask supplier
 */
 class SupplierProposal extends CommonObject
 {
+ use CommonIncoterm;
+
 /**
 * @var string ID to identify managed object
 */
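Review bot: The 503 thrown in the `} else {` branch embeds `$this->db->lasterror()` in the message sent to the REST client, so the raw database error text reaches anyone who can call this endpoint. Writing the driver error to the log with `dol_syslog()` and returning a generic message, `throw new RestException(503, 'Error when retrieving supplier proposal list');`, keeps that detail server-side; if the `lasterror()` pattern is a deliberate project-wide convention it is better changed globally than in this one method. The enclosing method starts and ends outside the hunk.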
@@ -915,7 +918,7 @@ class SupplierProposal extends CommonObject
 $sql .= ", 0";
 $sql .= ", '".$this->db->idate($now)."'";
 $sql .= ", '(PROV)'";
- $sql .= ", ".($user->id > 0 ? "'".$user->id."'" : "null");
+ $sql .= ", ".($user->id > 0 ? ((int) $user->id) : "null");
 $sql .= ", '".$this->db->escape($this->note_private)."'";
 $sql .= ", '".$this->db->escape($this->note_public)."'";
 $sql .= ", '".$this->db->escape($this->model_pdf)."'";
diff --git a/htdocs/supplier_proposal/contact.php b/htdocs/supplier_proposal/contact.php
index 4bd027299fa..f0d6a62d9c9 100644
--- a/htdocs/supplier_proposal/contact.php
+++ b/htdocs/supplier_proposal/contact.php
@@ -36,7 +36,7 @@ $langs->loadLangs(array("propal", "facture", "orders", "sendings", "companies"))
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 // Security check
 if ($user->socid) $socid = $user->socid;
diff --git a/htdocs/supplier_proposal/list.php b/htdocs/supplier_proposal/list.php
index 008a81542ec..b0f8bf40609 100644
--- a/htdocs/supplier_proposal/list.php
+++ b/htdocs/supplier_proposal/list.php
@@ -48,7 +48,7 @@ $langs->loadLangs(array('companies', 'propal', 'supplier_proposal', 'compta', 'b
 $socid = GETPOST('socid', 'int');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $massaction = GETPOST('massaction', 'alpha');
 $show_files = GETPOST('show_files', 'int');
 $confirm = GETPOST('confirm', 'alpha');
@@ -314,7 +314,7 @@ if ($search_multicurrency_montant_vat != '') $sql .= natural_search('sp.multicur
 if ($search_multicurrency_montant_ttc != '') $sql .= natural_search('sp.multicurrency_total_ttc', $search_multicurrency_montant_ttc, 1);
 if ($sall) $sql .= natural_search(array_keys($fieldstosearchall), $sall);
 if ($socid) $sql .= ' AND s.rowid = '.$socid;
-if ($search_status >= 0 && $search_status != '') $sql .= ' AND sp.fk_statut IN ('.$db->escape($search_status).')';
+if ($search_status >= 0 && $search_status != '') $sql .= ' AND sp.fk_statut IN ('.$db->sanitize($db->escape($search_status)).')';
 $sql .= dolSqlDateFilter("sp.date_livraison", $day, $month, $year);
 $sql .= dolSqlDateFilter("sp.date_valid", $dayvalid, $monthvalid, $yearvalid);
 if ($search_sale > 0) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$search_sale;
@@ -414,11 +414,9 @@ if ($resql)
 if (in_array($massaction, array('presend', 'predelete'))) $arrayofmassactions = array();
 $massactionbutton = $form->selectMassAction('', $arrayofmassactions);
- $newcardbutton = '';
- if ($user->rights->supplier_proposal->creer)
- {
- $newcardbutton .= dolGetButtonTitle($langs->trans('NewAskPrice'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/supplier_proposal/card.php?action=create');
- }
+ $url = DOL_URL_ROOT.'/supplier_proposal/card.php?action=create';
+ if (!empty($socid)) $url .= '&socid='.$socid;
+ $newcardbutton = dolGetButtonTitle($langs->trans('NewAskPrice'), '', 'fa fa-plus-circle', $url, '', $user->rights->supplier_proposal->creer);
 // Fields title search
 print '';
diff --git a/htdocs/supplier_proposal/note.php b/htdocs/supplier_proposal/note.php
index aaf40288e15..16e3d192547 100644
--- a/htdocs/supplier_proposal/note.php
+++ b/htdocs/supplier_proposal/note.php
@@ -37,7 +37,7 @@ $langs->loadLangs(array('supplier_proposal', 'compta', 'bills'));
 $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 // Security check
 if ($user->socid) $socid = $user->socid;
diff --git a/htdocs/takepos/admin/orderprinters.php b/htdocs/takepos/admin/orderprinters.php
index 79a16d77861..b396655dea4 100644
--- a/htdocs/takepos/admin/orderprinters.php
+++ b/htdocs/takepos/admin/orderprinters.php
@@ -39,7 +39,7 @@ if (!$user->rights->categorie->lire) accessforbidden();
 $id = GETPOST('id', 'int');
 $type = (GETPOST('type', 'aZ09') ? GETPOST('type', 'aZ09') : Categorie::TYPE_PRODUCT);
 $catname = GETPOST('catname', 'alpha');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $printer1 = GETPOST('printer1', 'alpha');
 $printer2 = GETPOST('printer2', 'alpha');
diff --git a/htdocs/takepos/admin/setup.php b/htdocs/takepos/admin/setup.php
index 148976cc778..48c713f4b66 100644
--- a/htdocs/takepos/admin/setup.php
+++ b/htdocs/takepos/admin/setup.php
@@ -57,7 +57,7 @@ if ($resql) {
 }
 }
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 /*
diff --git a/htdocs/takepos/admin/terminal.php b/htdocs/takepos/admin/terminal.php
index fb43af6356a..384be4f8f13 100644
--- a/htdocs/takepos/admin/terminal.php
+++ b/htdocs/takepos/admin/terminal.php
@@ -202,11 +202,11 @@ if (!empty($conf->stock->enabled)) print ''.$langs->trans("CashDeskIdWareHouse").''; // Force warehouse (this is not a default value) - print ''; + print ''; if (!$disabled) { - print $formproduct->selectWarehouses($conf->global->{'CASHDESK_ID_WAREHOUSE'.$terminal}, 'CASHDESK_ID_WAREHOUSE'.$terminal, '', 1, $disabled); - print ' '; + print $formproduct->selectWarehouses($conf->global->{'CASHDESK_ID_WAREHOUSE'.$terminal}, 'CASHDESK_ID_WAREHOUSE'.$terminal, '', 1, $disabled, 0, '', 0, 0, array(), 'maxwidth250'); + print ' '; } else { print ''.$langs->trans("StockDecreaseForPointOfSaleDisabled").''; } diff --git a/htdocs/takepos/ajax/ajax.php b/htdocs/takepos/ajax/ajax.php index 7f9555c3226..531598668a7 100644 --- a/htdocs/takepos/ajax/ajax.php +++ b/htdocs/takepos/ajax/ajax.php @@ -35,7 +35,7 @@ require '../../main.inc.php'; // Load $user and permissions require_once DOL_DOCUMENT_ROOT.'/categories/class/categorie.class.php'; $category = GETPOST('category', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $term = GETPOST('term', 'alpha'); $id = GETPOST('id', 'int'); diff --git a/htdocs/takepos/css/pos.css.php b/htdocs/takepos/css/pos.css.php index f4c9cf3a88a..4666de59a8e 100644 --- a/htdocs/takepos/css/pos.css.php +++ b/htdocs/takepos/css/pos.css.php @@ -141,6 +141,27 @@ button.calcbutton3 { border-radius: 3px; } +button.productbutton { + display: inline-block; + position: relative; + padding: 0; + line-height: normal; + cursor: pointer; + vertical-align: middle; + text-align: center; + overflow: visible; /* removes extra width in IE */ + width: calc(100% - 2px); + height: calc(100% - 2px); + font-weight: bold; + background-color: #a3a6a3; + color: #fff; + /* border-color: unset; */ + border-width: 0; + margin: 1px; + font-size: 14pt; + border-radius: 3px; +} + button.actionbutton { background: #EABCA6; border: 2px solid #EEE; 
diff --git a/htdocs/takepos/floors.php b/htdocs/takepos/floors.php
index 5af2eb1d238..257c8db7fa0 100644
--- a/htdocs/takepos/floors.php
+++ b/htdocs/takepos/floors.php
@@ -38,7 +38,7 @@ $langs->loadLangs(array("bills", "orders", "commercial", "cashdesk"));
 $floor = GETPOST('floor', 'int');
 if ($floor == "") $floor = 1;
 $id = GETPOST('id', 'int');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 $left = GETPOST('left', 'alpha');
 $top = GETPOST('top', 'alpha');
diff --git a/htdocs/takepos/freezone.php b/htdocs/takepos/freezone.php
index c6dc094ca28..79a638456f2 100644
--- a/htdocs/takepos/freezone.php
+++ b/htdocs/takepos/freezone.php
@@ -44,7 +44,7 @@ $langs->loadLangs(array("bills", "cashdesk"));
 $place = (GETPOST('place', 'aZ09') ? GETPOST('place', 'aZ09') : '0'); // $place is id of table for Bar or Restaurant
 $idline = GETPOST('idline', 'int');
-$action = GETPOST('action', 'alpha');
+$action = GETPOST('action', 'aZ09');
 if (empty($user->rights->takepos->run)) {
 accessforbidden();
diff --git a/htdocs/takepos/index.php b/htdocs/takepos/index.php
index 390f71491ba..73b039d97e9 100644
--- a/htdocs/takepos/index.php
+++ b/htdocs/takepos/index.php
@@ -42,13 +42,13 @@ require_once DOL_DOCUMENT_ROOT.'/compta/facture/class/facture.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/hookmanager.class.php'; $place = (GETPOST('place', 'aZ09') ? GETPOST('place', 'aZ09') : 0); // $place is id of table for Bar or Restaurant or multiple sales -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $setterminal = GETPOST('setterminal', 'int'); if ($_SESSION["takeposterminal"] == "") { if ($conf->global->TAKEPOS_NUM_TERMINALS == "1") $_SESSION["takeposterminal"] = 1; // Use terminal 1 if there is only 1 terminal - elseif (!empty($_COOKIE["takeposterminal"])) $_SESSION["takeposterminal"] = $_COOKIE["takeposterminal"]; // Restore takeposterminal from previous session + elseif (!empty($_COOKIE["takeposterminal"])) $_SESSION["takeposterminal"] = preg_replace('/[^a-zA-Z0-9_\-]/', '', $_COOKIE["takeposterminal"]); // Restore takeposterminal from previous session } if ($setterminal > 0) @@ -291,12 +291,18 @@ function LoadProducts(position, issubcat) { //console.log("ishow"+ishow+" idata="+idata); console.log(data[idata]); if (typeof (data[idata]) == "undefined") { - $("#prodivdesc"+ishow).hide(); - $("#prodesc"+ishow).text(""); + global->TAKEPOS_HIDE_PRODUCT_IMAGES) + { + echo '$("#prodivdesc"+ishow).hide();'; + echo '$("#prodesc"+ishow).text("");'; + echo '$("#proimg"+ishow).attr("title","");'; + echo '$("#proimg"+ishow).attr("src","genimg/empty.png");'; + } else { + echo '$("#probutton"+ishow).hide();'; + echo '$("#probutton"+ishow).text("");'; + }?> $("#proprice"+ishow).attr("class", "hidden"); $("#proprice"+ishow).html(""); - $("#proimg"+ishow).attr("title",""); - $("#proimg"+ishow).attr("src","genimg/empty.png"); $("#prodiv"+ishow).data("rowid",""); $("#prodiv"+ishow).attr("class","wrapper2 divempty"); $("#prowatermark"+ishow).hide(); 
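Review bot: The cookie value restored into `$_SESSION["takeposterminal"]` on the changed line of the -42 hunk is character-filtered but never validated as a terminal number, even though the line above stores the integer `1` and the following block tests `$setterminal > 0`; a stale cookie such as `abc` passes the `[^a-zA-Z0-9_\-]` filter and becomes the session's terminal. Since the value identifies a terminal, an integer cast plus a range check is stricter than the character whitelist, e.g. `$tmp = (int) $_COOKIE["takeposterminal"]; if ($tmp > 0 && $tmp <= $conf->global->TAKEPOS_NUM_TERMINALS) $_SESSION["takeposterminal"] = $tmp;`. That assumes terminals are numbered from 1 upward, which the `== "1"` comparison suggests but this hunk does not prove.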
@@ -308,14 +314,22 @@ function LoadProducts(position, issubcat) { $titlestring .= " + ' - ".dol_escape_js($langs->trans("Barcode").': ')."' + data[idata]['barcode']"; ?> var titlestring = ; - $("#prodivdesc"+ishow).show(); - $("#prodesc"+ishow).text(data[parseInt(idata)]['label']); + global->TAKEPOS_HIDE_PRODUCT_IMAGES) + { + echo '$("#prodivdesc"+ishow).show();'; + echo '$("#prodesc"+ishow).text(data[parseInt(idata)][\'label\']);'; + echo '$("#proimg"+ishow).attr("title", titlestring);'; + echo '$("#proimg"+ishow).attr("src", "genimg/index.php?query=pro&id="+data[idata][\'id\']);'; + } + else { + echo '$("#probutton"+ishow).show();'; + echo '$("#probutton"+ishow).text(data[parseInt(idata)][\'label\']);'; + } + ?> if (data[parseInt(idata)]['price_formated']) { $("#proprice"+ishow).attr("class", "productprice"); $("#proprice"+ishow).html(data[parseInt(idata)]['price_formated']); } - $("#proimg"+ishow).attr("title", titlestring); - $("#proimg"+ishow).attr("src", "genimg/index.php?query=pro&id="+data[idata]['id']); $("#prodiv"+ishow).data("rowid", data[idata]['id']); $("#prodiv"+ishow).data("iscat", 0); $("#prodiv"+ishow).attr("class","wrapper2"); @@ -544,7 +558,7 @@ function Search2(keyCodeForEnter) { if ($('#search').val() == data[0]['barcode'] && 'thirdparty' == data[0]['object']) { console.log("There is only 1 answer with barcode matching the search, so we change the thirdparty "+data[0]['rowid']); ChangeThirdparty(data[0]['rowid']); - } + } else if ($('#search').val() == data[0]['barcode'] && 'product' == data[0]['object']) { console.log("There is only 1 answer with barcode matching the search, so we add the product in basket"); ClickProduct(0); @@ -562,7 +576,7 @@ function Search2(keyCodeForEnter) { } }); } - + } function Edit(number) { 
@@ -751,7 +765,7 @@ function WeighingScale(){ console.log("Weighing Scale"); $.ajax({ type: "POST", - url: 'global->TAKEPOS_PRINT_SERVER; ?>/scale', + url: 'global->TAKEPOS_PRINT_SERVER; ?>/scale/index.php', }) .done(function( editnumber ) { $("#poslines").load("invoice.php?action=updateqty&place="+place+"&idline="+selectedline+"&number="+editnumber, function() { @@ -822,7 +836,7 @@ if (empty($conf->global->TAKEPOS_HIDE_HEAD_BAR)) {
';
diff --git a/htdocs/user/card.php b/htdocs/user/card.php
index 94f801fed6d..96b9d55af6a 100644
--- a/htdocs/user/card.php
+++ b/htdocs/user/card.php
@@ -1,7 +1,7 @@
 * Copyright (C) 2002-2003 Jean-Louis Bergamo
- * Copyright (C) 2004-2015 Laurent Destailleur
+ * Copyright (C) 2004-2020 Laurent Destailleur
 * Copyright (C) 2004 Eric Seigne
 * Copyright (C) 2005-2018 Regis Houssin
 * Copyright (C) 2005 Lionel Cousteix
@@ -61,6 +61,12 @@ $group = GETPOST("group", "int", 3);
 $cancel = GETPOST('cancel', 'alpha');
 $contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'useracard'; // To manage different context of search
+$dateemployment = dol_mktime(0, 0, 0, GETPOST('dateemploymentmonth', 'int'), GETPOST('dateemploymentday', 'int'), GETPOST('dateemploymentyear', 'int'));
+$dateemploymentend = dol_mktime(0, 0, 0, GETPOST('dateemploymentendmonth', 'int'), GETPOST('dateemploymentendday', 'int'), GETPOST('dateemploymentendyear', 'int'));
+$datestartvalidity = dol_mktime(0, 0, 0, GETPOST('datestartvaliditymonth', 'int'), GETPOST('datestartvalidityday', 'int'), GETPOST('datestartvalidityyear', 'int'));
+$dateendvalidity = dol_mktime(0, 0, 0, GETPOST('dateendvaliditymonth', 'int'), GETPOST('dateendvalidityday', 'int'), GETPOST('dateendvalidityyear', 'int'));
+$dateofbirth = dol_mktime(0, 0, 0, GETPOST('dateofbirthmonth', 'int'), GETPOST('dateofbirthday', 'int'), GETPOST('dateofbirthyear', 'int'));
+
 // Define value to know what current user can do on users
 $canadduser = (!empty($user->admin) || $user->rights->user->user->creer);
 $canreaduser = (!empty($user->admin) || $user->rights->user->user->lire);
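Review bot: The new top-level `$dateofbirth` is built from `dateofbirthmonth`/`dateofbirthday`/`dateofbirthyear`, whereas the lines removed in the -202 and -363 hunks read `birthmonth`/`birthday`/`birthyear`; unless the form inputs were renamed in the same commit (the form part of this file is not in view), `$object->birth = $dateofbirth` in the -246 and -408 hunks will store an empty date on every add and update. The five `dol_mktime()` calls also now run on every request to the page rather than only on add/update, which is presumably harmless but deserves a one-line comment such as `// Dates posted by the create/update forms; empty when those fields are absent`. The enclosing if block for the add/update actions starts outside these hunks.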
@@ -202,8 +208,6 @@ if (empty($reshook)) {
 $object->login = GETPOST("login", 'alphanohtml');
 $object->api_key = GETPOST("api_key", 'alphanohtml');
 $object->gender = GETPOST("gender", 'aZ09');
- $birth = dol_mktime(0, 0, 0, GETPOST('birthmonth', 'int'), GETPOST('birthday', 'int'), GETPOST('birthyear', 'int'));
- $object->birth = $birth;
 $object->admin = GETPOST("admin", 'int');
 $object->address = GETPOST('address', 'alphanohtml');
 $object->zip = GETPOST('zipcode', 'alphanohtml');
@@ -226,10 +230,11 @@ if (empty($reshook)) {
 }
 $object->email = preg_replace('/\s+/', '', GETPOST("email", 'alphanohtml'));
- $object->job = GETPOST("job", 'nohtml');
- $object->signature = GETPOST("signature", 'none');
+ $object->job = GETPOST("job", 'alphanohtml');
+ $object->signature = GETPOST("signature", 'restricthtml');
 $object->accountancy_code = GETPOST("accountancy_code", 'alphanohtml');
- $object->note = GETPOST("note", 'none');
+ $object->note = GETPOST("note", 'restricthtml');
+ $object->note_private = GETPOST("note", 'restricthtml');
 $object->ldap_sid = GETPOST("ldap_sid", 'alphanohtml');
 $object->fk_user = GETPOST("fk_user", 'int') > 0 ? GETPOST("fk_user", 'int') : 0;
 $object->fk_user_expense_validator = GETPOST("fk_user_expense_validator", 'int') > 0 ? GETPOST("fk_user_expense_validator", 'int') : 0;
@@ -246,11 +251,12 @@ if (empty($reshook)) { $object->weeklyhours = GETPOST("weeklyhours", 'alphanohtml') != '' ? GETPOST("weeklyhours", 'alphanohtml') : ''; $object->color = GETPOST("color", 'alphanohtml') != '' ? GETPOST("color", 'alphanohtml') : ''; - $dateemployment = dol_mktime(0, 0, 0, GETPOST('dateemploymentmonth', 'int'), GETPOST('dateemploymentday', 'int'), GETPOST('dateemploymentyear', 'int')); - $object->dateemployment = $dateemployment; - $dateemploymentend = dol_mktime(0, 0, 0, GETPOST('dateemploymentendmonth', 'int'), GETPOST('dateemploymentendday', 'int'), GETPOST('dateemploymentendyear', 'int')); + $object->dateemployment = $dateemployment; $object->dateemploymentend = $dateemploymentend; + $object->datestartvalidity = $datestartvalidity; + $object->dateendvalidity = $dateendvalidity; + $object->birth = $dateofbirth; $object->fk_warehouse = GETPOST('fk_warehouse', 'int'); @@ -363,8 +369,6 @@ if (empty($reshook)) { $object->firstname = GETPOST("firstname", 'alphanohtml'); $object->login = GETPOST("login", 'alphanohtml'); $object->gender = GETPOST("gender", 'aZ09'); - $birth = dol_mktime(0, 0, 0, GETPOST('birthmonth', 'int'), GETPOST('birthday', 'int'), GETPOST('birthyear', 'int')); - $object->birth = $birth; $object->pass = GETPOST("password", 'none'); $object->api_key = (GETPOST("api_key", 'alphanohtml')) ? GETPOST("api_key", 'alphanohtml') : $object->api_key; if (!empty($user->admin)) $object->admin = GETPOST("admin", "int"); // admin flag can only be set/unset by an admin user. A test is also done later when forging sql request 
@@ -387,8 +391,8 @@ if (empty($reshook)) { } } $object->email = preg_replace('/\s+/', '', GETPOST("email", 'alphanohtml')); - $object->job = GETPOST("job", 'nohtml'); - $object->signature = GETPOST("signature", 'none'); + $object->job = GETPOST("job", 'alphanohtml'); + $object->signature = GETPOST("signature", 'restricthtml'); $object->accountancy_code = GETPOST("accountancy_code", 'alphanohtml'); $object->openid = GETPOST("openid", 'alphanohtml'); $object->fk_user = GETPOST("fk_user", 'int') > 0 ? GETPOST("fk_user", 'int') : 0; @@ -408,10 +412,11 @@ if (empty($reshook)) { $object->weeklyhours = price2num($object->weeklyhours); $object->color = GETPOST("color", 'alphanohtml') != '' ? GETPOST("color", 'alphanohtml') : ''; - $dateemployment = dol_mktime(0, 0, 0, GETPOST('dateemploymentmonth', 'int'), GETPOST('dateemploymentday', 'int'), GETPOST('dateemploymentyear', 'int')); $object->dateemployment = $dateemployment; - $dateemploymentend = dol_mktime(0, 0, 0, GETPOST('dateemploymentendmonth', 'int'), GETPOST('dateemploymentendday', 'int'), GETPOST('dateemploymentendyear', 'int')); $object->dateemploymentend = $dateemploymentend; + $object->datestartvalidity = $datestartvalidity; + $object->dateendvalidity = $dateendvalidity; + $object->birth = $dateofbirth; if (!empty($conf->stock->enabled)) { @@ -943,7 +948,7 @@ if ($action == 'create' || $action == 'adduserldap') // Gender print ''.$langs->trans("Gender").''; print ''; - $arraygender = array('man'=>$langs->trans("Genderman"), 'woman'=>$langs->trans("Genderwoman")); + $arraygender = array('man'=>$langs->trans("Genderman"), 'woman'=>$langs->trans("Genderwoman"), 'other'=>$langs->trans("Genderother")); print $form->selectarray('gender', $arraygender, GETPOST('gender'), 1); print ''; 
@@ -1153,7 +1158,7 @@ if ($action == 'create' || $action == 'adduserldap') print $langs->trans("Note"); print ''; require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php'; - $doleditor = new DolEditor('note', GETPOSTISSET('note') ?GETPOST('note', 'none') : '', '', 120, 'dolibarr_notes', '', false, true, $conf->global->FCKEDITOR_ENABLE_SOCIETE, ROWS_3, '90%'); + $doleditor = new DolEditor('note', GETPOSTISSET('note') ? GETPOST('note', 'restricthtml') : '', '', 120, 'dolibarr_notes', '', false, true, $conf->global->FCKEDITOR_ENABLE_SOCIETE, ROWS_3, '90%'); $doleditor->Create(); print "\n"; @@ -1161,7 +1166,7 @@ if ($action == 'create' || $action == 'adduserldap') print ''.$langs->trans("Signature").''; print ''; require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php'; - $doleditor = new DolEditor('signature', GETPOST('signature'), '', 138, 'dolibarr_notes', 'In', true, true, empty($conf->global->FCKEDITOR_ENABLE_USERSIGN) ? 0 : 1, ROWS_4, '90%'); + $doleditor = new DolEditor('signature', GETPOST('signature', 'restricthtml'), '', 138, 'dolibarr_notes', 'In', true, true, empty($conf->global->FCKEDITOR_ENABLE_USERSIGN) ? 0 : 1, ROWS_4, '90%'); print $doleditor->Create(1); print ''; @@ -1182,7 +1187,7 @@ if ($action == 'create' || $action == 'adduserldap') // Position/Job print ''.$langs->trans("PostOrFunction").''; print ''; - print ''; + print ''; print ''; if ((!empty($conf->salaries->enabled) && !empty($user->rights->salaries->read)) 
@@ -1228,21 +1233,29 @@ if ($action == 'create' || $action == 'adduserldap') // Date employment print ''.$langs->trans("DateEmployment").''; print ''; - print $form->selectDate(GETPOST('dateemployment'), 'dateemployment', 0, 0, 1, 'formdateemployment', 1, 0); + print $form->selectDate($dateemployment, 'dateemployment', 0, 0, 1, 'formdateemployment', 1, 1); + + print ' - '; + + print $form->selectDate($dateemploymentend, 'dateemploymentend', 0, 0, 1, 'formdateemploymentend', 1, 0); print ''; print "\n"; - // Date employment END - print ''.$langs->trans("DateEmploymentEnd").''; + // Date validity + print ''.$langs->trans("RangeOfLoginValidity").''; print ''; - print $form->selectDate(GETPOST('dateemploymentend'), 'dateemploymentend', 0, 0, 1, 'formdateemploymentend', 1, 0); + print $form->selectDate($datestartvalidity, 'datestartvalidity', 0, 0, 1, 'formdatestartvalidity', 1, 1); + + print ' - '; + + print $form->selectDate($dateendvalidity, 'dateendvalidity', 0, 0, 1, 'formdateendvalidity', 1, 0); print ''; print "\n"; // Date birth - print ''.$langs->trans("DateToBirth").''; + print ''.$langs->trans("DateOfBirth").''; print ''; - print $form->selectDate(GETPOST('birth'), 'birth', 0, 0, 1, 'createuser', 1, 0); + print $form->selectDate($dateofbirth, 'dateofbirth', 0, 0, 1, 'createuser', 1, 0); print ''; print "\n"; 
@@ -1434,7 +1447,13 @@ if ($action == 'create' || $action == 'adduserldap') { if ($object->pass) $valuetoshow .= ($valuetoshow ? (' '.$langs->trans("or").' ') : '').preg_replace('/./i', '*', $object->pass); else { - if ($user->admin) $valuetoshow .= ($valuetoshow ? (' '.$langs->trans("or").' ') : '').$langs->trans("Crypted").': '.$object->pass_indatabase_crypted; + if ($user->admin && $user->id == $object->id) { + $valuetoshow .= ($valuetoshow ? (' '.$langs->trans("or").' ') : ''); + //$valuetoshow .= ''.$langs->trans("Crypted").' - '; + $valuetoshow .= ''.$langs->trans("Hidden").''; + // TODO Add a feature to reveal the hash + $valuetoshow .= ''; + } else $valuetoshow .= ($valuetoshow ? (' '.$langs->trans("or").' ') : '').''.$langs->trans("Hidden").''; } } @@ -1453,7 +1472,10 @@ if ($action == 'create' || $action == 'adduserldap') if (!empty($conf->api->enabled) && $user->admin) { print ''.$langs->trans("ApiKey").''; print ''; - if (!empty($object->api_key)) print preg_replace('/./', '*', $object->api_key); + if (!empty($object->api_key)) print ''.preg_replace('/./', '*', $object->api_key).''; + if ($user->admin || $user->id == $object->id) { + // TODO Add a feature to reveal the hash + } print ''; } @@ -1560,7 +1582,7 @@ if ($action == 'create' || $action == 'adduserldap') // Position/Job print ''.$langs->trans("PostOrFunction").''; - print ''.$object->job.''; + print ''.dol_escape_htmltag($object->job).''; print ''."\n"; //$childids = $user->getAllChildIds(1); 
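Review bot: The new `if ($user->admin || $user->id == $object->id) { // TODO Add a feature to reveal the hash }` in the ApiKey hunk is an empty block that does nothing; either drop it or keep only the TODO comment, so the condition is not mistaken for an access check that is actually enforced. In the password hunk above it the admin-and-self branch and the else branch both end up printing the `Hidden` label, so that branch currently adds no behaviour beyond the commented-out line and deserves the same treatment. Note also that `preg_replace('/./', '*', $object->api_key)` masks one character per character, so the rendered length still reveals the length of the key; a fixed-width placeholder would not. Both blocks sit inside the create/adduserldap branch that starts outside the hunk.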
@@ -1611,24 +1633,32 @@ if ($action == 'create' || $action == 'adduserldap') print ''.$langs->trans("DateOfEmployment").''; print ''; if ($object->dateemployment) { - print ''.$langs->trans("FromDate ").''; + print ''.$langs->trans("FromDate").' '; print dol_print_date($object->dateemployment, 'day'); } - //print ''; - //print "\n"; - - // Date employment - //print ''.$langs->trans("DateEmploymentEnd").''; - //print ''; if ($object->dateemploymentend) { - print ' - '.$langs->trans("To ").''; + print ' - '.$langs->trans("To").' '; print dol_print_date($object->dateemploymentend, 'day'); } print ''; print "\n"; + // Date login validity + print ''.$langs->trans("RangeOfLoginValidity").''; + print ''; + if ($object->datestartvalidity) { + print ''.$langs->trans("FromDate").' '; + print dol_print_date($object->datestartvalidity, 'day'); + } + if ($object->dateendvalidity) { + print ' - '.$langs->trans("To").' '; + print dol_print_date($object->dateendvalidity, 'day'); + } + print ''; + print "\n"; + // Date of birth - print ''.$langs->trans("DateToBirth").''; + print ''.$langs->trans("DateOfBirth").''; print ''; print dol_print_date($object->birth, 'day'); print ''; @@ -2200,7 +2230,7 @@ if ($action == 'create' || $action == 'adduserldap') // Gender print ''.$langs->trans("Gender").''; print ''; - $arraygender = array('man'=>$langs->trans("Genderman"), 'woman'=>$langs->trans("Genderwoman")); + $arraygender = array('man'=>$langs->trans("Genderman"), 'woman'=>$langs->trans("Genderwoman"), 'other'=>$langs->trans("Genderother")); if ($caneditfield) { print $form->selectarray('gender', $arraygender, GETPOSTISSET('gender') ?GETPOST('gender') : $object->gender, 1); } else { @@ -2596,10 +2626,10 @@ if ($action == 'create' || $action == 'adduserldap') print ''; if ($caneditfield) { - print ''; + print ''; } else { - print ''; - print $object->job; + print ''; + print dol_escape_htmltag($object->job); } print ''; 
@@ -2662,19 +2692,16 @@ if ($action == 'create' || $action == 'adduserldap') print ''; if ($caneditfield) { - print $form->selectDate(GETPOST('dateemployment') ?GETPOST('dateemployment') : $object->dateemployment, 'dateemployment', 0, 0, 1, 'formdateemployment', 1, 0); + print $form->selectDate($dateemployment ? $dateemployment : $object->dateemployment, 'dateemployment', 0, 0, 1, 'formdateemployment', 1, 1); } else { print dol_print_date($object->dateemployment, 'day'); } - print ''; - print "\n"; - // Date employmentEnd - print ''.$langs->trans("DateEmploymentEnd").''; - print ''; + if ($dateemployment && $dateemploymentend) print ' - '; + if ($caneditfield) { - print $form->selectDate(GETPOST('dateemploymentend') ?GETPOST('dateemploymentend') : $object->dateemploymentend, 'dateemploymentend', 0, 0, 1, 'formdateemploymentend', 1, 0); + print $form->selectDate($dateemploymentend ? $dateemploymentend : $object->dateemploymentend, 'dateemploymentend', 0, 0, 1, 'formdateemploymentend', 1, 0); } else { print dol_print_date($object->dateemploymentend, 'day'); } 
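Review bot: `if ($dateemployment && $dateemploymentend) print ' - ';` tests only the values re-posted on this request, so on the first display of the edit form (no POST) both are empty and the two date pickers render with no separator even when `$object->dateemployment` and `$object->dateemploymentend` are set. The condition should fall back to the object values the pickers themselves use, e.g. `if (($dateemployment ? $dateemployment : $object->dateemployment) && ($dateemploymentend ? $dateemploymentend : $object->dateemploymentend)) print ' - ';`. The same pattern appears in the login-validity block of the next hunk. This assumes dol_mktime() yields an empty value when its day/month/year arguments are absent, which the hunk does not show.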
@@ -2682,12 +2709,33 @@ if ($action == 'create' || $action == 'adduserldap') print "\n"; - // Date birth - print ''.$langs->trans("DateToBirth").''; + // Date login validity + print ''.$langs->trans("RangeOfLoginValidity").''; print ''; if ($caneditfield) { - echo $form->selectDate(GETPOST('birth') ?GETPOST('birth') : $object->birth, 'birth', 0, 0, 1, 'updateuser', 1, 0); + print $form->selectDate($datestartvalidity ? $datestartvalidity : $object->datestartvalidity, 'datestartvalidity', 0, 0, 1, 'formdatestartvalidity', 1, 1); + } else { + print dol_print_date($object->datestartvalidity, 'day'); + } + + if ($datestartvalidity && $dateendvalidity) print ' - '; + + if ($caneditfield) + { + print $form->selectDate($dateendvalidity ? $datendevalidity : $object->dateendvalidity, 'dateendvalidity', 0, 0, 1, 'formdateendvalidity', 1, 0); + } else { + print dol_print_date($object->dateendvalidity, 'day'); + } + print ''; + print "\n"; + + + // Date birth + print ''.$langs->trans("DateOfBirth").''; + print ''; + if ($caneditfield) { + echo $form->selectDate($dateofbirth ? $dateofbirth : $object->birth, 'dateofbirth', 0, 0, 1, 'updateuser', 1, 0); } else { print dol_print_date($object->birth, 'day'); } diff --git a/htdocs/user/class/api_users.class.php b/htdocs/user/class/api_users.class.php index cab2b56f5d9..5245ff0b961 100644 --- a/htdocs/user/class/api_users.class.php +++ b/htdocs/user/class/api_users.class.php @@ -90,7 +90,7 @@ class Users extends DolibarrApi // Select products of given category if ($category > 0) { - $sql .= " AND c.fk_categorie = ".$db->escape($category); + $sql .= " AND c.fk_categorie = ".$this->db->escape($category); $sql .= " AND c.fk_user = t.rowid "; } 
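Review bot: `$dateendvalidity ? $datendevalidity : $object->dateendvalidity` in the login-validity block references `$datendevalidity`, a misspelling of `$dateendvalidity` that is never defined, so whenever an end date is posted the picker is fed an undefined variable instead of the submitted value and the user's input is silently dropped on redisplay. Change it to `print $form->selectDate($dateendvalidity ? $dateendvalidity : $object->dateendvalidity, 'dateendvalidity', 0, 0, 1, 'formdateendvalidity', 1, 0);`. The start-validity line just above already uses the correct name, so this is the only occurrence in the hunk.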
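Review bot: `$sql .= " AND c.fk_categorie = ".$this->db->escape($category);` interpolates the value unquoted, and escape() only handles quote characters, so the numeric comparison `$category > 0` is the only check between the request parameter and the SQL text, and that comparison does not guarantee the value is an integer. Cast it instead, `$sql .= " AND c.fk_categorie = ".((int) $category);`, which is the pattern this same commit applies to `$rowid` in user.class.php and `$userid` in userbankaccount.class.php. The surrounding method starts and ends outside the hunk.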
@@ -105,7 +105,7 @@ class Users extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -113,27 +113,27 @@ class Users extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); - $user_static = new User($db); + $obj = $this->db->fetch_object($result); + $user_static = new User($this->db); if ($user_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($user_static); } $i++; } } else { - throw new RestException(503, 'Error when retrieve User list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve User list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No User found'); @@ -490,7 +490,7 @@ class Users extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { 
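Review bot: `throw new RestException(503, 'Error when retrieve User list : '.$this->db->lasterror());` returns the raw database error text to the API client; the hunk only repairs the `$db`/`$this->db` reference and keeps that disclosure. Record `$this->db->lasterror()` with dol_syslog() and hand the caller a generic message instead. The same construct is in the group-list hunk at @@ -518 on the next line. The enclosing method starts outside the hunk.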
@@ -498,19 +498,19 @@ class Users extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $group_static = new UserGroup($this->db); if ($group_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($group_static); @@ -518,7 +518,7 @@ class Users extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve Group list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve Group list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No Group found'); diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php index 3672462fe0f..786af8c81d1 100644 --- a/htdocs/user/class/user.class.php +++ b/htdocs/user/class/user.class.php @@ -154,7 +154,7 @@ class User extends CommonObject public $datelastlogin; public $datepreviouslogin; public $datestartvalidity; - public $dateedvalidity; + public $dateendvalidity; public $photo; public $lang; @@ -1038,6 +1038,14 @@ class User extends CommonObject $this->error = $this->db->lasterror(); } + // Remove params + $sql = "DELETE FROM ".MAIN_DB_PREFIX."user_param WHERE fk_user = ".$this->id; + if (!$error && !$this->db->query($sql)) + { + $error++; + $this->error = $this->db->lasterror(); + } + // If contact, remove link if ($this->contact_id > 0) { 
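Review bot: `$sql = "DELETE FROM ".MAIN_DB_PREFIX."user_param WHERE fk_user = ".$this->id;` concatenates the id without a cast, whereas this same commit changes comparable statements in user.class.php and userbankaccount.class.php to `((int) $rowid)` / `((int) $userid)`. Use `"DELETE FROM ".MAIN_DB_PREFIX."user_param WHERE fk_user = ".((int) $this->id)` here for consistency; it also turns an empty `$this->id` into a harmless `fk_user = 0` rather than a malformed statement. The enclosing method (presumably the delete routine) starts and ends outside the hunk.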
@@ -1459,7 +1467,6 @@ class User extends CommonObject $this->employee = $this->employee ? $this->employee : 0; $this->login = trim($this->login); $this->gender = trim($this->gender); - $this->birth = trim($this->birth); $this->pass = trim($this->pass); $this->api_key = trim($this->api_key); $this->address = $this->address ?trim($this->address) : trim($this->address); @@ -1487,6 +1494,9 @@ class User extends CommonObject $this->color = empty($this->color) ? '' : $this->color; $this->dateemployment = empty($this->dateemployment) ? '' : $this->dateemployment; $this->dateemploymentend = empty($this->dateemploymentend) ? '' : $this->dateemploymentend; + $this->datestartvalidity = empty($this->datestartvalidity) ? '' : $this->datestartvalidity; + $this->dateendvalidity = empty($this->dateendvalidity) ? '' : $this->dateendvalidity; + $this->birth = trim($this->birth); $this->fk_warehouse = trim(empty($this->fk_warehouse) ? '' : $this->fk_warehouse); // Check parameters @@ -1499,7 +1509,7 @@ class User extends CommonObject if (empty($this->login)) { $langs->load("errors"); - $this->error = $langs->trans("ErrorFieldRequired", $this->login); + $this->error = $langs->trans("ErrorFieldRequired", 'Login'); return -1; } 
@@ -1533,6 +1543,8 @@ class User extends CommonObject $sql .= ", color = '".$this->db->escape($this->color)."'"; $sql .= ", dateemployment=".(strval($this->dateemployment) != '' ? "'".$this->db->idate($this->dateemployment)."'" : 'null'); $sql .= ", dateemploymentend=".(strval($this->dateemploymentend) != '' ? "'".$this->db->idate($this->dateemploymentend)."'" : 'null'); + $sql .= ", datestartvalidity=".(strval($this->datestartvalidity) != '' ? "'".$this->db->idate($this->datestartvalidity)."'" : 'null'); + $sql .= ", dateendvalidity=".(strval($this->dateendvalidity) != '' ? "'".$this->db->idate($this->dateendvalidity)."'" : 'null'); $sql .= ", note = '".$this->db->escape($this->note_private)."'"; $sql .= ", note_public = '".$this->db->escape($this->note_public)."'"; $sql .= ", photo = ".($this->photo ? "'".$this->db->escape($this->photo)."'" : "null"); @@ -1550,7 +1562,6 @@ class User extends CommonObject $sql .= ", default_c_exp_tax_cat = ".($this->default_c_exp_tax_cat > 0 ? $this->default_c_exp_tax_cat : 'null'); $sql .= ", fk_warehouse = ".($this->fk_warehouse ? "'".$this->db->escape($this->fk_warehouse)."'" : "null"); $sql .= ", lang = ".($this->lang ? "'".$this->db->escape($this->lang)."'" : "null"); - $sql .= " WHERE rowid = ".$this->id; dol_syslog(get_class($this)."::update", LOG_DEBUG); @@ -2392,9 +2403,9 @@ class User extends CommonObject } /** - * Return label of status of user (active, inactive) + * Return the label of the status of user (active, inactive) * - * @param int $mode 0=libelle long, 1=libelle court, 2=Picto + Libelle court, 3=Picto, 4=Picto + Libelle long, 5=Libelle court + Picto + * @param int $mode 0=long label, 1=short label, 2=Picto + short label, 3=Picto, 4=Picto + long label, 5=Short label + Picto, 6=Long label + Picto * @return string Label of status */ public function getLibStatut($mode = 0) 
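Review bot: The @@ -1550 hunk removes `$sql .= " WHERE rowid = ".$this->id;` from the UPDATE statement assembled in update() (the dol_syslog() line names the method), and no hunk in this file re-adds a row filter; unless the clause is appended on a line outside these hunks, the statement now has no WHERE and would update every row of the user table. Please confirm that `$sql .= " WHERE rowid = ".((int) $this->id);` still precedes `$this->db->query($sql)`, and keep the int cast this commit uses elsewhere. The update() method starts and ends outside the hunk.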
@@ -2404,7 +2415,7 @@ class User extends CommonObject // phpcs:disable PEAR.NamingConventions.ValidFunctionName.ScopeNotCamelCaps /** - * Return label of a status of user (active, inactive) + * Return the label of a status of user (active, inactive) * * @param int $status Id status * @param int $mode 0=long label, 1=short label, 2=Picto + short label, 3=Picto, 4=Picto + long label, 5=Short label + Picto, 6=Long label + Picto @@ -3133,7 +3144,7 @@ class User extends CommonObject $sql = "SELECT rowid, email, user_mobile, civility, lastname, firstname"; $sql .= " FROM ".MAIN_DB_PREFIX."user"; - $sql .= " WHERE rowid = '".$rowid."'"; + $sql .= " WHERE rowid = ".((int) $rowid); $resql = $this->db->query($sql); if ($resql) diff --git a/htdocs/user/class/userbankaccount.class.php b/htdocs/user/class/userbankaccount.class.php index 325753fc773..25c751b4cb9 100644 --- a/htdocs/user/class/userbankaccount.class.php +++ b/htdocs/user/class/userbankaccount.class.php @@ -170,7 +170,7 @@ class UserBankAccount extends Account $sql .= " FROM ".MAIN_DB_PREFIX."user_rib"; if ($id) $sql .= " WHERE rowid = ".$id; if ($ref) $sql .= " WHERE label = '".$this->db->escape($ref)."'"; - if ($userid) $sql .= " WHERE fk_user = '".$userid."'"; + if ($userid) $sql .= " WHERE fk_user = ".((int) $userid); $resql = $this->db->query($sql); if ($resql) diff --git a/htdocs/user/clicktodial.php b/htdocs/user/clicktodial.php index b3dc8a0bfa9..cebb7824303 100644 --- a/htdocs/user/clicktodial.php +++ b/htdocs/user/clicktodial.php @@ -28,7 +28,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/usergroups.lib.php'; // Load translation files required by page $langs->loadLangs(array('users', 'admin')); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $id = GETPOST('id', 'int'); // Security check diff --git a/htdocs/user/group/card.php b/htdocs/user/group/card.php index 462ba32e7ba..febdf3373fe 100644 --- a/htdocs/user/group/card.php +++ b/htdocs/user/group/card.php 
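Review bot: `if ($id) $sql .= " WHERE rowid = ".$id;` on the line above the change still concatenates `$id` uncast while the hunk casts `$userid`; apply `((int) $id)` there too so the whole fetch is consistent. Separately, each of the three `if` lines appends its own `WHERE`, so a call that passes more than one of `$id`, `$ref`, `$userid` builds a statement with two WHERE clauses that the database will reject; chaining the later conditions with `AND`, or using elseif, would fix it. The enclosing method starts and ends outside the hunk.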
@@ -50,7 +50,7 @@ if (!empty($conf->global->MAIN_USE_ADVANCED_PERMS)) $langs->loadLangs(array('users', 'other')); $id = GETPOST('id', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'groupcard'; // To manage different context of search @@ -130,7 +130,7 @@ if (empty($reshook)) { $action = "create"; // Go back to create page } else { $object->name = GETPOST("nom", 'nohtml'); - $object->note = dol_htmlcleanlastbr(trim(GETPOST("note", 'none'))); + $object->note = dol_htmlcleanlastbr(trim(GETPOST("note", 'restricthtml'))); // Fill array 'array_options' with data from add form $ret = $extrafields->setOptionalsFromPost(null, $object); @@ -204,7 +204,7 @@ if (empty($reshook)) { $object->oldcopy = clone $object; $object->name = GETPOST("nom", 'nohtml'); - $object->note = dol_htmlcleanlastbr(trim(GETPOST("note", 'none'))); + $object->note = dol_htmlcleanlastbr(trim(GETPOST("note", 'restricthtml'))); // Fill array 'array_options' with data from add form $ret = $extrafields->setOptionalsFromPost(null, $object); diff --git a/htdocs/user/group/ldap.php b/htdocs/user/group/ldap.php index 8e69101b44d..d280fe37701 100644 --- a/htdocs/user/group/ldap.php +++ b/htdocs/user/group/ldap.php @@ -46,7 +46,7 @@ if (!empty($conf->global->MAIN_USE_ADVANCED_PERMS)) } $id = GETPOST('id', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $socid = 0; if ($user->socid > 0) $socid = $user->socid; diff --git a/htdocs/user/group/list.php b/htdocs/user/group/list.php index ace4e863c01..0b6cdf23d47 100644 --- a/htdocs/user/group/list.php +++ b/htdocs/user/group/list.php 
@@ -57,8 +57,8 @@ if (!empty($conf->global->MAIN_USE_ADVANCED_PERMS)) // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } $offset = $limit * $page; diff --git a/htdocs/user/group/perms.php b/htdocs/user/group/perms.php index b22dafce758..af81542d99a 100644 --- a/htdocs/user/group/perms.php +++ b/htdocs/user/group/perms.php @@ -35,7 +35,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; $langs->loadLangs(array('users', 'admin')); $id = GETPOST('id', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $module = GETPOST('module', 'alpha'); $rights = GETPOST('rights', 'int'); diff --git a/htdocs/user/hierarchy.php b/htdocs/user/hierarchy.php index 5278835be3c..6918d1638e4 100644 --- a/htdocs/user/hierarchy.php +++ b/htdocs/user/hierarchy.php @@ -126,11 +126,13 @@ if (!is_array($user_arbo) && $user_arbo < 0) } $li .= ' ('.$val['login'].($entitystring ? ' - '.$entitystring : '').')'; + $entry = '
'.$li.''.$userstatic->getLibStatut(2).'
'; + $data[] = array( 'rowid'=>$val['rowid'], 'fk_menu'=>$val['fk_user'], 'statut'=>$val['statut'], - 'entry'=>'
'.$li.''.$userstatic->getLibStatut(3).'
' + 'entry'=>$entry ); } @@ -146,7 +148,9 @@ if (!is_array($user_arbo) && $user_arbo < 0) $newcardbutton .= dolGetButtonTitle($langs->trans('NewUser'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/user/card.php?action=create'.($mode == 'employee' ? '&employee=1' : '').'&leftmenu='); } - $morehtmlright .= dolGetButtonTitle($langs->trans('ViewList'), '', 'fa fa-list paddingleft', DOL_URL_ROOT.'/user/list.php'.(($search_statut != '' && $search_statut >= 0) ? '?search_statut='.$search_statut : '')); + $morehtmlright .= dolGetButtonTitle($langs->trans("List"), '', 'fa fa-list paddingleft imgforviewmode', DOL_URL_ROOT.'/user/list.php'.(($search_statut != '' && $search_statut >= 0) ? '?search_statut='.$search_statut : '')); + $param = array('morecss'=>'marginleftonly btnTitleSelected'); + $morehtmlright .= dolGetButtonTitle($langs->trans("HierarchicView"), '', 'fa fa-stream paddingleft imgforviewmode', DOL_URL_ROOT.'/user/hierarchy.php'.(($search_statut != '' && $search_statut >= 0) ? '?search_statut='.$search_statut : ''), '', 1, $param); print load_fiche_titre($title, $morehtmlright.' '.$newcardbutton, 'user'); @@ -186,13 +190,13 @@ if (!is_array($user_arbo) && $user_arbo < 0) if ($nbofentries > 0) { - print ''; + print ''; tree_recur($data, $data[0], 0); print ''; print ''; print ''; } else { - print ''; + print ''; print ''; print ''; print ''; } diff --git a/htdocs/user/note.php b/htdocs/user/note.php index beece592a3b..955c1f14599 100644 --- a/htdocs/user/note.php +++ b/htdocs/user/note.php @@ -64,7 +64,7 @@ if (empty($reshook)) { if ($action == 'update' && $user->rights->user->user->creer && !$_POST["cancel"]) { $db->begin(); - $res = $object->update_note(dol_html_entity_decode(GETPOST('note_private', 'none'), ENT_QUOTES)); + $res = $object->update_note(dol_html_entity_decode(GETPOST('note_private', 'restricthtml'), ENT_QUOTES)); if ($res < 0) { $mesg = '
'.$adh->error.'
'; $db->rollback(); diff --git a/htdocs/user/param_ihm.php b/htdocs/user/param_ihm.php index 7a27bb9b466..b331e6c1cc2 100644 --- a/htdocs/user/param_ihm.php +++ b/htdocs/user/param_ihm.php @@ -35,7 +35,7 @@ $langs->loadLangs(array('companies', 'products', 'admin', 'users', 'languages', $canreaduser = ($user->admin || $user->rights->user->user->lire); $id = GETPOST('id', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $contextpage = GETPOST('contextpage', 'aZ') ?GETPOST('contextpage', 'aZ') : 'userihm'; // To manage different context of search if ($id) diff --git a/htdocs/user/passwordforgotten.php b/htdocs/user/passwordforgotten.php index 74512718cb3..96497492a15 100644 --- a/htdocs/user/passwordforgotten.php +++ b/htdocs/user/passwordforgotten.php @@ -41,11 +41,11 @@ if (!empty($conf->global->MAIN_SECURITY_DISABLEFORGETPASSLINK)) exit; } -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $mode = $dolibarr_main_authentication; if (!$mode) $mode = 'http'; -$username = GETPOST('username', 'alpha'); +$username = GETPOST('username', 'alphanohtml'); $passwordhash = GETPOST('passwordhash', 'alpha'); $conf->entity = (GETPOST('entity', 'int') ? GETPOST('entity', 'int') : 1); @@ -100,16 +100,24 @@ if ($action == 'buildnewpassword' && $username) { $message = '
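Review bot: `dol_html_entity_decode(GETPOST('note_private', 'restricthtml'), ENT_QUOTES)` sanitises first and decodes entities afterwards, so any markup that the 'restricthtml' filter neutralises by entity-encoding rather than by removal would be restored by the decode before update_note() stores it. Whether that happens depends on what 'restricthtml' does, which is not visible here; if it encodes, apply the filter to the decoded value or drop the decode. On the unchanged context line, `$mesg = '...'.$adh->error.'...'` reads `$adh` while the rest of the page works with `$object`, so the failure message is probably empty; worth fixing while here. The enclosing if block starts outside the hunk.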
'.$langs->trans("ErrorBadValueForCode").'
'; } else { + $isanemail = preg_match('/@/', $username); + $edituser = new User($db); $result = $edituser->fetch('', $username, '', 1); - if ($result == 0 && preg_match('/@/', $username)) + if ($result == 0 && $isanemail) { $result = $edituser->fetch('', '', '', 1, -1, $username); } if ($result <= 0 && $edituser->error == 'USERNOTFOUND') { - $message = '
'.$langs->trans("ErrorLoginDoesNotExists", $username).'
'; + $message = ''; $username = ''; } else { if (!$edituser->email) @@ -125,7 +133,14 @@ if ($action == 'buildnewpassword' && $username) // Success if ($edituser->send_password($user, $newpassword, 1) > 0) { - $message = ''; + $message = ''; $username = ''; } else { $message .= '
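Review bot: The USERNOTFOUND branch now sets `$message = '';` (as rendered here; any markup in the literal may have been stripped) where it previously echoed ErrorLoginDoesNotExists with the submitted username, so the page no longer states which logins exist. That is the right call, but it only holds if the success path at @@ -125 produces an equivalent neutral message, otherwise the two outcomes remain distinguishable; a comment such as `// Intentionally no error: do not reveal whether the login exists` would keep a later cleanup from restoring the old text. The enclosing if block starts outside the hunk.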
'.$edituser->error.'
'; diff --git a/htdocs/user/perms.php b/htdocs/user/perms.php index f87785da31f..97cf6007327 100644 --- a/htdocs/user/perms.php +++ b/htdocs/user/perms.php @@ -23,9 +23,11 @@ /** * \file htdocs/user/perms.php - * \brief Onglet user et permissions de la fiche utilisateur + * \brief Page to set permission of a user record */ +if (! defined('CSRFCHECK_WITH_TOKEN')) define('CSRFCHECK_WITH_TOKEN', '1'); // Force use of CSRF protection with tokens even for GET + require '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/usergroups.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php'; @@ -35,7 +37,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; $langs->loadLangs(array('users', 'admin')); $id = GETPOST('id', 'int'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $module = GETPOST('module', 'alpha'); $rights = GETPOST('rights', 'int'); @@ -87,7 +89,7 @@ $reshook = $hookmanager->executeHooks('doActions', $parameters, $object, $action if ($reshook < 0) setEventMessages($hookmanager->error, $hookmanager->errors, 'errors'); if (empty($reshook)) { - if ($action == 'addrights' && $caneditperms) { + if ($action == 'addrights' && $caneditperms && $confirm == 'yes') { $edituser = new User($db); $edituser->fetch($object->id); $result = $edituser->addrights($rights, $module, '', $entity); @@ -107,7 +109,7 @@ if (empty($reshook)) { $object->getrights(); } - if ($action == 'delrights' && $caneditperms) { + if ($action == 'delrights' && $caneditperms && $confirm == 'yes') { $edituser = new User($db); $edituser->fetch($object->id); $result = $edituser->delrights($rights, $module, '', $entity); @@ -278,9 +280,9 @@ if (($caneditperms && empty($objMod->rights_admin_allowed)) || empty($object->ad if ($caneditperms) { print ''; } print ''; @@ -349,9 +351,9 @@ if ($result) if ($caneditperms) { print ''; } print ''; 
@@ -365,7 +367,7 @@ if ($result) print ''; // Module Id - if ($user->admin) print ''; + print ''; print ''."\n"; } @@ -392,7 +394,7 @@ if ($result) { if ($caneditperms) { - print ''; + print ''; } print ''; + print ''; } print ''; } @@ -422,7 +424,7 @@ if ($result) // Do not own permission if ($caneditperms) { - print ''; + print ''; } print ''; } diff --git a/htdocs/variants/card.php b/htdocs/variants/card.php index 6d077e85ad1..13b7408fc93 100644 --- a/htdocs/variants/card.php +++ b/htdocs/variants/card.php @@ -22,7 +22,7 @@ require 'class/ProductAttributeValue.class.php'; $id = GETPOST('id', 'int'); $valueid = GETPOST('valueid', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $label = GETPOST('label', 'alpha'); $ref = GETPOST('ref', 'alpha'); $confirm = GETPOST('confirm', 'alpha'); diff --git a/htdocs/variants/class/ProductAttribute.class.php b/htdocs/variants/class/ProductAttribute.class.php index 52ee3153108..bbc3a188137 100644 --- a/htdocs/variants/class/ProductAttribute.class.php +++ b/htdocs/variants/class/ProductAttribute.class.php @@ -41,6 +41,12 @@ class ProductAttribute extends CommonObject */ public $ref; + /** + * External ref of the product attribute + * @var string + */ + public $ref_ext; + /** * Label of the product attribute * @var string @@ -79,7 +85,7 @@ class ProductAttribute extends CommonObject return -1; } - $sql = "SELECT rowid, ref, label, rang FROM ".MAIN_DB_PREFIX."product_attribute WHERE rowid = ".(int) $id." AND entity IN (".getEntity('product').")"; + $sql = "SELECT rowid, ref, ref_ext, label, rang FROM ".MAIN_DB_PREFIX."product_attribute WHERE rowid = ".(int) $id." AND entity IN (".getEntity('product').")"; $query = $this->db->query($sql); @@ -91,6 +97,7 @@ class ProductAttribute extends CommonObject $this->id = $obj->rowid; $this->ref = $obj->ref; + $this->ref_ext = $obj->ref_ext; $this->label = $obj->label; $this->rang = $obj->rang; 
@@ -106,7 +113,7 @@ class ProductAttribute extends CommonObject { $return = array(); - $sql = 'SELECT rowid, ref, label, rang FROM '.MAIN_DB_PREFIX."product_attribute WHERE entity IN (".getEntity('product').')'; + $sql = 'SELECT rowid, ref, ref_ext, label, rang FROM '.MAIN_DB_PREFIX."product_attribute WHERE entity IN (".getEntity('product').')'; $sql .= $this->db->order('rang', 'asc'); $query = $this->db->query($sql); if ($query) @@ -115,6 +122,7 @@ class ProductAttribute extends CommonObject $tmp = new ProductAttribute($this->db); $tmp->id = $result->rowid; $tmp->ref = $result->ref; + $tmp->ref_ext = $result->ref_ext; $tmp->label = $result->label; $tmp->rang = $result->rang; @@ -147,8 +155,8 @@ class ProductAttribute extends CommonObject //Ref must be uppercase $this->ref = strtoupper($this->ref); - $sql = "INSERT INTO ".MAIN_DB_PREFIX."product_attribute (ref, label, entity, rang) - VALUES ('".$this->db->escape($this->ref)."', '".$this->db->escape($this->label)."', ".(int) $this->entity.", ".(int) $this->rang.")"; + $sql = "INSERT INTO ".MAIN_DB_PREFIX."product_attribute (ref, ref_ext, label, entity, rang) + VALUES ('".$this->db->escape($this->ref)."', '".$this->db->escape($this->ref_ext)."', '".$this->db->escape($this->label)."', ".(int) $this->entity.", ".(int) $this->rang.")"; $query = $this->db->query($sql); if ($query) @@ -183,7 +191,7 @@ class ProductAttribute extends CommonObject $this->ref = trim(strtoupper($this->ref)); $this->label = trim($this->label); - $sql = "UPDATE ".MAIN_DB_PREFIX."product_attribute SET ref = '".$this->db->escape($this->ref)."', label = '".$this->db->escape($this->label)."', rang = ".(int) $this->rang." WHERE rowid = ".(int) $this->id; + $sql = "UPDATE ".MAIN_DB_PREFIX."product_attribute SET ref = '".$this->db->escape($this->ref)."', ref_ext = '".$this->db->escape($this->ref_ext)."', label = '".$this->db->escape($this->label)."', rang = ".(int) $this->rang." WHERE rowid = ".(int) $this->id; if ($this->db->query($sql)) { return 1; 
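Review bot: `update()` trims `ref` and `label` before writing but writes `ref_ext` untrimmed, and the property is declared with no default in the earlier hunk (`public $ref_ext;`), so a caller that never sets it hands null to `escape()`. Normalise it like the other fields, `$this->ref_ext = trim((string) $this->ref_ext);` at the top of update() and create(), and declare it as `public $ref_ext = '';` to match `$variation_ref_ext = ''` in ProductCombination. Both create() and update() begin outside their hunks.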
diff --git a/htdocs/variants/class/ProductCombination.class.php b/htdocs/variants/class/ProductCombination.class.php index b4dac8475c0..721d31ef3ca 100644 --- a/htdocs/variants/class/ProductCombination.class.php +++ b/htdocs/variants/class/ProductCombination.class.php @@ -27,7 +27,7 @@ class ProductCombination * Database handler * @var DoliDB */ - private $db; + public $db; /** * Rowid of combination @@ -77,6 +77,12 @@ class ProductCombination */ public $combination_price_levels; + /** + * External ref + * @var string + */ + public $variation_ref_ext = ''; + /** * Constructor * @@ -100,7 +106,7 @@ class ProductCombination { global $conf; - $sql = "SELECT rowid, fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE rowid = ".(int) $rowid." AND entity IN (".getEntity('product').")"; + $sql = "SELECT rowid, fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight, variation_ref_ext FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE rowid = ".(int) $rowid." AND entity IN (".getEntity('product').")"; $query = $this->db->query($sql); @@ -120,6 +126,7 @@ class ProductCombination $this->variation_price = $obj->variation_price; $this->variation_price_percentage = $obj->variation_price_percentage; $this->variation_weight = $obj->variation_weight; + $this->variation_ref_ext = $obj->variation_ref_ext; if (!empty($conf->global->PRODUIT_MULTIPRICES)) { $this->fetchCombinationPriceLevels(); @@ -226,7 +233,6 @@ class ProductCombination } } - /** * Retrieves information of a variant product and ID of its parent product. * 
@@ -295,6 +301,7 @@ class ProductCombination $tmp->variation_price = $result->variation_price; $tmp->variation_price_percentage = $result->variation_price_percentage; $tmp->variation_weight = $result->variation_weight; + $tmp->variation_ref_ext = $result->variation_ref_ext; if (!empty($conf->global->PRODUIT_MULTIPRICES)) { $tmp->fetchCombinationPriceLevels(); @@ -339,10 +346,10 @@ class ProductCombination /* $this->fk_product_child may be empty and will be filled later after subproduct has been created */ $sql = "INSERT INTO ".MAIN_DB_PREFIX."product_attribute_combination"; - $sql .= " (fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight, entity)"; + $sql .= " (fk_product_parent, fk_product_child, variation_price, variation_price_percentage, variation_weight, variation_ref_ext, entity)"; $sql .= " VALUES (".((int) $this->fk_product_parent).", ".((int) $this->fk_product_child).","; $sql .= (float) $this->variation_price.", ".(int) $this->variation_price_percentage.","; - $sql .= (float) $this->variation_weight.", ".(int) $this->entity.")"; + $sql .= (float) $this->variation_weight.", '".$this->db->escape($this->variation_ref_ext)."', ".(int) $this->entity.")"; $resql = $this->db->query($sql); if ($resql) { @@ -375,7 +382,8 @@ class ProductCombination $sql = "UPDATE ".MAIN_DB_PREFIX."product_attribute_combination"; $sql .= " SET fk_product_parent = ".(int) $this->fk_product_parent.", fk_product_child = ".(int) $this->fk_product_child.","; $sql .= " variation_price = ".(float) $this->variation_price.", variation_price_percentage = ".(int) $this->variation_price_percentage.","; - $sql .= " variation_weight = ".(float) $this->variation_weight." WHERE rowid = ".((int) $this->id); + $sql .= " variation_ref_ext = '".$this->db->escape($this->variation_ref_ext)."',"; + $sql .= " variation_weight = ".(float) $this->variation_weight." WHERE rowid = ".((int) $this->id); $resql = $this->db->query($sql); if (!$resql) { 
@@ -663,23 +671,24 @@ class ProductCombination * @param bool|float $forced_pricevar If the price variation is forced * @param bool|float $forced_weightvar If the weight variation is forced * @param bool|string $forced_refvar If the reference is forced + * @param string $ref_ext External reference * @return int <0 KO, >0 OK */ - public function createProductCombination(User $user, Product $product, array $combinations, array $variations, $price_var_percent = false, $forced_pricevar = false, $forced_weightvar = false, $forced_refvar = false) + public function createProductCombination(User $user, Product $product, array $combinations, array $variations, $price_var_percent = false, $forced_pricevar = false, $forced_weightvar = false, $forced_refvar = false, $ref_ext = '') { - global $db, $conf; + global $conf; require_once DOL_DOCUMENT_ROOT.'/variants/class/ProductAttribute.class.php'; require_once DOL_DOCUMENT_ROOT.'/variants/class/ProductAttributeValue.class.php'; - $db->begin(); + $this->db->begin(); $price_impact = array(1=>0); // init level price impact $forced_refvar = trim($forced_refvar); if (!empty($forced_refvar) && $forced_refvar != $product->ref) { - $existingProduct = new Product($db); + $existingProduct = new Product($this->db); $result = $existingProduct->fetch('', $forced_refvar); if ($result > 0) { $newproduct = $existingProduct; @@ -705,7 +714,7 @@ class ProductCombination $price_impact = $forced_pricevar; } - $newcomb = new ProductCombination($db); + $newcomb = new ProductCombination($this->db); $existingCombination = $newcomb->fetchByProductCombination2ValuePairs($product->id, $combinations); if ($existingCombination) { 
@@ -718,13 +727,13 @@ class ProductCombination if ($result < 0) { $this->error = $newcomb->error; $this->errors = $newcomb->errors; - $db->rollback(); + $this->db->rollback(); return -1; } } - $prodattr = new ProductAttribute($db); - $prodattrval = new ProductAttributeValue($db); + $prodattr = new ProductAttribute($this->db); + $prodattrval = new ProductAttributeValue($this->db); // $combination contains list of attributes pairs key->value. Example: array('id Color'=>id Blue, 'id Size'=>id Small, 'id Option'=>id val a, ...) //var_dump($combinations); @@ -735,7 +744,7 @@ class ProductCombination //If there is an existing combination, there is no need to duplicate the valuepair if (!$existingCombination) { - $tmp = new ProductCombination2ValuePair($db); + $tmp = new ProductCombination2ValuePair($this->db); $tmp->fk_prod_attr = $currcombattr; $tmp->fk_prod_attr_val = $currcombval; $tmp->fk_prod_combination = $newcomb->id; @@ -743,7 +752,7 @@ class ProductCombination if ($tmp->create($user) < 0) { // Create 1 entry into product_attribute_combination2val $this->error = $tmp->error; $this->errors = $tmp->errors; - $db->rollback(); + $this->db->rollback(); return -1; } } @@ -781,6 +790,7 @@ class ProductCombination $newcomb->variation_price_percentage = $price_var_percent; $newcomb->variation_price = $price_impact[1]; $newcomb->variation_weight = $weight_impact; + $newcomb->variation_ref_ext = $this->db->escape($ref_ext); // Init price level if ($conf->global->PRODUIT_MULTIPRICES) { @@ -822,7 +832,7 @@ class ProductCombination if ($newproduct->error != 'ErrorProductAlreadyExists') { $this->error[] = $newproduct->error; $this->errors = $newproduct->errors; - $db->rollback(); + $this->db->rollback(); return -1; } @@ -851,7 +861,7 @@ class ProductCombination } if ($res < 0) { - $db->rollback(); + $this->db->rollback(); return -1; } } 
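Review bot: `$newcomb->variation_ref_ext = $this->db->escape($ref_ext);` escapes the value at assignment time, but `ProductCombination::create()` and `update()` (earlier hunks in this file) escape `$this->variation_ref_ext` again when they build the INSERT/UPDATE, so a reference containing a quote or backslash is stored with doubled escape characters — data corruption rather than injection. Escape only at the SQL boundary and assign the raw value: `$newcomb->variation_ref_ext = $ref_ext;`. createProductCombination begins and ends outside this hunk.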
@@ -859,7 +869,7 @@ class ProductCombination $result = $newproduct->update($newproduct->id, $user); if ($result < 0) { - $db->rollback(); + $this->db->rollback(); return -1; } } @@ -870,11 +880,11 @@ class ProductCombination { $this->error = $newcomb->error; $this->errors = $newcomb->errors; - $db->rollback(); + $this->db->rollback(); return -1; } - $db->commit(); + $this->db->commit(); return $newproduct->id; } @@ -971,7 +981,7 @@ class ProductCombinationLevel * Database handler * @var DoliDB */ - private $db; + public $db; /** * @var string Name of table without prefix where object is stored diff --git a/htdocs/variants/combinations.php b/htdocs/variants/combinations.php index d218b762fef..31dc07b6bad 100644 --- a/htdocs/variants/combinations.php +++ b/htdocs/variants/combinations.php @@ -40,7 +40,7 @@ $level_price_impact_percent = GETPOST('level_price_impact_percent', 'array'); $reference = GETPOST('reference', 'alpha'); $form = new Form($db); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $massaction = GETPOST('massaction', 'alpha'); $show_files = GETPOST('show_files', 'int'); $confirm = GETPOST('confirm', 'alpha'); diff --git a/htdocs/variants/create_val.php b/htdocs/variants/create_val.php index e724b5693c4..b5a57d514ae 100644 --- a/htdocs/variants/create_val.php +++ b/htdocs/variants/create_val.php @@ -24,7 +24,7 @@ $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); $value = GETPOST('value', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'alpha'); $backtopage = GETPOST('backtopage', 'alpha'); diff --git a/htdocs/viewimage.php b/htdocs/viewimage.php index c2856848dc5..f13b786082a 100644 --- a/htdocs/viewimage.php +++ b/htdocs/viewimage.php 
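Review bot: Widening `$db` from private to public on ProductCombinationLevel (and on ProductCombination in the earlier hunk) makes the connection handle part of the class API; if the goal is only to let related code in this file reach it, `protected $db;` gives the same reach with less surface. I cannot see from the hunks which outside code now reads `->db`, so this is a hedged style remark, but the doc block should at least say why the handle is exposed, e.g. `@var DoliDB Database handler (public so callers can reuse the same connection)` — adjust to the real reason.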
@@ -93,7 +93,7 @@ function llxFooter() require 'main.inc.php'; // Load $user and permissions require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $original_file = GETPOST('file', 'alphanohtml'); // Do not use urldecode here ($_GET are already decoded by PHP). $hashp = GETPOST('hashp', 'aZ09'); $modulepart = GETPOST('modulepart', 'alpha'); @@ -236,7 +236,7 @@ if (!$accessallowed) if (preg_match('/\.\./', $fullpath_original_file) || preg_match('/[<>|]/', $fullpath_original_file)) { dol_syslog("Refused to deliver file ".$fullpath_original_file); - print "ErrorFileNameInvalid: ".$original_file; + print "ErrorFileNameInvalid: ".dol_escape_htmltag($original_file); exit; } diff --git a/htdocs/webservices/server_productorservice.php b/htdocs/webservices/server_productorservice.php index ae5f1f285a4..bf29795f0de 100644 --- a/htdocs/webservices/server_productorservice.php +++ b/htdocs/webservices/server_productorservice.php @@ -503,7 +503,7 @@ function createProductOrService($authentication, $product) if ($product['barcode'] && !$product['barcode_type']) { - $errror++; $errorcode = 'KO'; $errorlabel = "You must set a barcode type when setting a barcode."; + $error++; $errorcode = 'KO'; $errorlabel = "You must set a barcode type when setting a barcode."; } @@ -593,7 +593,7 @@ function createProductOrService($authentication, $product) if ($savstockreal != $getstockreal) { - $warehouse = new Entrepot($this->db); + $warehouse = new Entrepot($db); $warehouse->fetch(0, $product['warehouse_ref']); if ($warehouse->id > 0) { @@ -675,7 +675,7 @@ function updateProductOrService($authentication, $product) if ($product['barcode'] && !$product['barcode_type']) { - $errror++; $errorcode = 'KO'; $errorlabel = "You must set a barcode type when setting a barcode."; + $error++; $errorcode = 'KO'; $errorlabel = "You must set a barcode type when setting a barcode."; } if (!$error) 
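Review bot: The refused-path branch logs, prints `ErrorFileNameInvalid: …` and exits, but still answers with HTTP 200, so browsers and proxies treat a refused request as a normal, cacheable response; set a status before printing, e.g. `http_response_code(403);` ahead of the `print`. Escaping `$original_file` with `dol_escape_htmltag` here is right, since the rejected name is echoed back into the page. The surrounding access-control block starts outside the hunk.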
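Review bot: Replacing `$errror++` with `$error++` is more than a typo fix: the old line incremented an undefined variable, so a product with a barcode but no `barcode_type` passed validation and reached the create/update path, and SOAP clients that relied on that will now receive `KO`. That behaviour change deserves a ChangeLog line. A more specific code than the generic `$errorcode = 'KO'`, such as `'ErrorBarcodeTypeRequired'`, would also help callers, if the server's error-code convention allows it. The enclosing functions start outside their hunks.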
@@ -762,7 +762,7 @@ function updateProductOrService($authentication, $product) if ($savstockreal != $getstockreal) { - $warehouse = new Entrepot($this->db); + $warehouse = new Entrepot($db); $warehouse->fetch(0, $product['warehouse_ref']); if ($warehouse->id > 0) { @@ -841,8 +841,6 @@ function deleteProductOrService($authentication, $listofidstring) { global $db, $conf, $langs; - $now = dol_now(); - dol_syslog("Function: deleteProductOrService login=".$authentication['login']); if ($authentication['entity']) $conf->entity = $authentication['entity']; @@ -936,8 +934,6 @@ function getListOfProductsOrServices($authentication, $filterproduct) { global $db, $conf, $langs; - $now = dol_now(); - dol_syslog("Function: getListOfProductsOrServices login=".$authentication['login']); if ($authentication['entity']) $conf->entity = $authentication['entity']; diff --git a/htdocs/webservices/server_user.php b/htdocs/webservices/server_user.php index bc43c4ab6d4..000bad4b563 100644 --- a/htdocs/webservices/server_user.php +++ b/htdocs/webservices/server_user.php @@ -540,7 +540,7 @@ function createUserFromThirdparty($authentication, $thirdpartywithuser) $sql = "SELECT rowid"; $sql .= " FROM ".MAIN_DB_PREFIX."c_country"; $sql .= " WHERE active = 1"; - $sql .= " AND code='".$thirdparty->country_code."'"; + $sql .= " AND code='".$db->escape($thirdparty->country_code)."'"; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/website/class/websitepage.class.php b/htdocs/website/class/websitepage.class.php index 2ed4b9a75a3..b5e29e04176 100644 --- a/htdocs/website/class/websitepage.class.php +++ b/htdocs/website/class/websitepage.class.php 
@@ -382,9 +382,9 @@ class WebsitePage extends CommonObject if (count($filter) > 0) { foreach ($filter as $key => $value) { if ($key == 't.rowid' || $key == 't.fk_website' || $key == 'status') { - $sqlwhere[] = $key.'='.$value; + $sqlwhere[] = $key.' = '.$value; } elseif ($key == 'type_container') { - $sqlwhere[] = $key."='".$value."'"; + $sqlwhere[] = $key." = '".$this->db->escape($value)."'"; } elseif ($key == 'lang' || $key == 't.lang') { $listoflang = array(); $foundnull = 0; diff --git a/htdocs/website/index.php b/htdocs/website/index.php index e0afd583ea2..a36f33ee682 100644 --- a/htdocs/website/index.php +++ b/htdocs/website/index.php @@ -108,7 +108,7 @@ $objectpage = new WebsitePage($db); $object->fetchAll('ASC', 'position'); // Init $object->records with list of websites // If website not defined, we take first found -if (!($websiteid > 0) && empty($websitekey)) +if (!($websiteid > 0) && empty($websitekey) && $action != 'createsite') { foreach ($object->records as $key => $valwebsite) { @@ -278,7 +278,7 @@ if (empty($sortfield)) { } } -$searchkey = GETPOST('searchstring', 'none'); +$searchkey = GETPOST('searchstring', 'restricthtml'); if ($action == 'replacesiteconfirm') { $containertype = GETPOST('optioncontainertype', 'aZ09') != '-1' ? GETPOST('optioncontainertype', 'aZ09') : ''; @@ -395,7 +395,7 @@ if ($massaction == 'setcategory' && GETPOST('confirmmassaction', 'alpha') && $us $db->begin(); - $categoryid = GETPOST('setcategory', 'none'); + $categoryid = GETPOST('setcategory', 'restricthtml'); if ($categoryid > 0) { $tmpwebsitepage = new WebsitePage($db); $category = new Categorie($db); 
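Review bot: `$sqlwhere[] = $key.' = '.$value;` for the t.rowid / t.fk_website / status keys still concatenates `$value` raw, while the type_container branch right below it now escapes its value; these are numeric filters, so cast them at the SQL boundary: `$sqlwhere[] = $key.' = '.((int) $value);` (the same `(int)` idiom this patch applies to `$catid` in user/list.php). Whether every caller of this method only ever passes integers here I cannot tell from the hunk; the cast makes that assumption explicit. The foreach and the enclosing method continue outside the hunk.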
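Review bot: `$categoryid = GETPOST('setcategory', 'restricthtml');` is compared with `> 0` and then used as a category id, so the right filter is the numeric one: `$categoryid = GETPOST('setcategory', 'int');`. `restricthtml` still lets arbitrary non-numeric text through and relies on whatever `Categorie::fetch()` does with it, which I cannot see here. The mass-action block continues outside the hunk.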
@@ -1420,7 +1420,7 @@ if ($action == 'updatecss') $robotcontent.= "header('Content-type: text/css');\n"; $robotcontent.= "// END PHP ?>\n";*/ - $robotcontent .= trim(GETPOST('WEBSITE_ROBOT', 'none'))."\n"; + $robotcontent .= trim(GETPOST('WEBSITE_ROBOT', 'restricthtml'))."\n"; /*$robotcontent.= "\n".'\n";*/ - $readmecontent .= trim(GETPOST('WEBSITE_README', 'none'))."\n"; + $readmecontent .= trim(GETPOST('WEBSITE_README', 'restricthtml'))."\n"; /*$readmecontent.= ''."\n"; $moreheadjs .= 'var indicatorBlockUI = \''.DOL_URL_ROOT."/theme/".$conf->theme."/img/working.gif".'\';'."\n"; $moreheadjs .= ''."\n"; -llxHeader($moreheadcss.$moreheadjs, $langs->trans("WebsiteSetup"), $help_url, '', 0, 0, $arrayofjs, $arrayofcss, '', '', ''."\n".'
'); +llxHeader($moreheadcss.$moreheadjs, $langs->trans("WebsiteSetup"), $helpurl, '', 0, 0, $arrayofjs, $arrayofcss, '', '', ''."\n".'
'); print "\n"; print ''; @@ -2276,45 +2276,6 @@ if (!GETPOST('hide_websitemenu')) $disabled = ''; if (empty($user->rights->website->write)) $disabled = ' disabled="disabled"'; - //var_dump($objectpage);exit; - print '
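Review bot: `llxHeader(... $helpurl ...)` replaces `$help_url`, but nothing in the hunk shows `$helpurl` being assigned, so please confirm it is defined above this call — an undefined variable here only raises a notice and silently produces an empty help link. If the old name is still assigned elsewhere in the file, the rename needs to be applied there as well.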
'; - - - // ***** Part for web sites - print ''; - print ''; - print $langs->trans("Website").' : '; - print ''; - - print ''; - print 'ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("AddWebsite")).'">'; - print ''; - - // List of website - print ''; - $out = ''; - $out .= ''; - $out .= ajax_combobox('website'); - print $out; - //print ''; - print ''; - - if ($websitekey) { $virtualurl = ''; @@ -2331,70 +2292,146 @@ if (!GETPOST('hide_websitemenu')) if (!is_array($array) && $array < 0) dol_print_error('', $objectpage->error, $objectpage->errors); $atleastonepage = (is_array($array) && count($array) > 0); - if ($websitekey && $websitekey != '-1' && ($action == 'preview' || $action == 'createfromclone' || $action == 'createpagefromclone' || $action == 'deletesite')) - { - print '   '; - print ''; + //var_dump($objectpage);exit; + print '
'; - $importlabel = $langs->trans("ImportSite"); - $exportlabel = $langs->trans("ExportSite"); - if (! empty($conf->dol_optimize_smallscreen)) { - $importlabel = $langs->trans("Import"); - $exportlabel = $langs->trans("Export"); + // + // Toolbar for websites + // + + print ''; + if ($action != 'file_manager') { + print ''; + print $langs->trans("Website").' : '; + print ''; + + $urltocreatenewwebsite = $_SERVER["PHP_SEFL"].'?action=createsite'; + if (empty($conf->use_javascript_ajax)) { + print ''; + print ''; + print ''; } - if ($atleastonepage) + // List of website + print ''; + $out = ''; + $out .= ''; + if (empty($websitekey)) { + if ($action != 'createsite') $websitekey = $valwebsite->ref; + } + + $out .= ''; + $i++; } - else { - print ''; + $out .= ''; + $out .= ajax_combobox('website'); + + if (!empty($conf->use_javascript_ajax)) { + $out .= ''; + } + print $out; + + if (empty($conf->use_javascript_ajax)) { + print ''; } - //print ''; - print ''; - print ''; + if ($websitekey && $websitekey != '-1' && ($action == 'preview' || $action == 'createfromclone' || $action == 'createpagefromclone' || $action == 'deletesite')) + { + print '   '; - print ''; + print ''; - print '   '; + $importlabel = $langs->trans("ImportSite"); + $exportlabel = $langs->trans("ExportSite"); + if (! empty($conf->dol_optimize_smallscreen)) { + $importlabel = $langs->trans("Import"); + $exportlabel = $langs->trans("Export"); + } - print 'ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("MediaFiles")).'">'; - //print ''; - /*print ''.dol_escape_htmltag($langs->trans("MediaFiles")).''; - print ''; - */ + if ($atleastonepage) + { + print ''; + } + else { + print ''; + } - print 'ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("ReplaceWebsiteContent")).'">'; + //print ''; + print ''; + print ''; - if (! 
empty($conf->categorie->enabled)) { - print ''; - } + print ''; + + print '   '; + + print 'ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("ReplaceWebsiteContent")).'">'; - if (! empty($conf->global->WEBSITE_ADD_REGENERATE_BUTTON)) { print 'ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("RegenerateWebsiteContent")).'">'; } + + print ''; + + if ($websitekey && $websitekey != '-1' && ($action == 'preview' || $action == 'createfromclone' || $action == 'createpagefromclone' || $action == 'deletesite')) + { + print ''; + print 'ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("MediaFiles")).'">'; + + if (! empty($conf->categorie->enabled)) { + //print ''; + + //print ''; + print ''; + print ''; + } + + print ''; + } + } else { + print ''; } - print ''; - - - // Toolbar for websites print ''; @@ -2405,7 +2442,7 @@ if (!GETPOST('hide_websitemenu')) print ''; $linktotestonwebserver = ''; - $linktotestonwebserver .= ''.$langs->trans("TestDeployOnWeb", $virtualurl).' '.img_picto('', 'globe'); + $linktotestonwebserver .= ''.$langs->trans("TestDeployOnWeb", $virtualurl).''.img_picto('', 'globe'); $linktotestonwebserver .= ''; $htmltext = ''; if (empty($object->fk_default_home)) @@ -2469,8 +2506,10 @@ if (!GETPOST('hide_websitemenu')) print ''; - + // // Toolbar for pages + // + if ($websitekey && $websitekey != '-1' && !in_array($action, array('editcss', 'editmenu', 'importsite', 'file_manager', 'replacesite', 'replacesiteconfirm')) && !$file_manager) { print '
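Review bot: `$urltocreatenewwebsite = $_SERVER["PHP_SEFL"].'?action=createsite';` misspells `PHP_SELF`, so the URL is built from an undefined index: a PHP notice, and a value that is just `?action=createsite`, which only works because the browser resolves it against the current page. Fix: `$urltocreatenewwebsite = $_SERVER["PHP_SELF"].'?action=createsite';`. The non-JS fallback branch that also uses this URL is in the same hunk, so one fix covers both. The enclosing `if (!GETPOST('hide_websitemenu'))` block starts and ends outside this hunk.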
'; // Close current websitebar to open a new one @@ -2483,7 +2522,6 @@ if (!GETPOST('hide_websitemenu')) print '
'; print ''; - //print ''; print 'ref.'" class="button bordertransp"'.$disabled.' title="'.dol_escape_htmltag($langs->trans("AddPage")).'">'; print ''; @@ -2491,7 +2529,28 @@ if (!GETPOST('hide_websitemenu')) if ($action != 'addcontainer') { - print ''.$formwebsite->selectContainer($website, 'pageid', $pageid, 0, $action, 'maxwidth200onsmartphone').''; + print ''; + print $formwebsite->selectContainer($website, 'pageid', $pageid, 0, $action, 'maxwidth200onsmartphone'); + print ''; + + $urltocreatenewpage = $_SERVER["PHP_SEFL"].'?action=createcontainer&website='.$website->ref; + + $out = ''; + if (!empty($conf->use_javascript_ajax)) { + $out .= ''; + } + print $out; } else { print $langs->trans("New"); @@ -2939,7 +2998,7 @@ if ($action == 'editcss') $manifestjsoncontent = preg_replace('/<\?php \/\/ BEGIN PHP[^\?]*END PHP \?>\n*/ims', '', $manifestjsoncontent); } else { - $manifestjsoncontent = GETPOST('WEBSITE_MANIFEST_JSON', 'none'); + $manifestjsoncontent = GETPOST('WEBSITE_MANIFEST_JSON', 'restricthtml'); } if (!trim($manifestjsoncontent)) { @@ -3142,7 +3201,7 @@ if ($action == 'createsite') if (GETPOST('WEBSITE_OTHERLANG')) $siteotherlang = GETPOST('WEBSITE_OTHERLANG', 'aZ09comma'); print '
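Review bot: Same misspelling as in the site toolbar: `$urltocreatenewpage = $_SERVER["PHP_SEFL"].'?action=createcontainer&website='.$website->ref;` reads an undefined index. Use `$_SERVER["PHP_SELF"]`, and since `$website->ref` is being placed in a query string, wrap it: `'&website='.urlencode($website->ref)` — harmless if refs are already restricted to safe characters, which I cannot confirm from here. The pages toolbar block continues outside the hunk.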
'; diff --git a/htdocs/website/samples/wrapper.php b/htdocs/website/samples/wrapper.php index a04ff14882c..24b804058ea 100644 --- a/htdocs/website/samples/wrapper.php +++ b/htdocs/website/samples/wrapper.php @@ -61,7 +61,7 @@ if (!empty($hashp)) // Define attachment (attachment=true to force choice popup 'open'/'save as') $attachment = true; if (preg_match('/\.(html|htm)$/i', $original_file)) $attachment = false; -if (isset($_GET["attachment"])) $attachment = GETPOST("attachment", 'none') ?true:false; +if (isset($_GET["attachment"])) $attachment = (GETPOST("attachment", 'alphanohtml') ? true : false); if (!empty($conf->global->MAIN_DISABLE_FORCE_SAVEAS_WEBSITE)) $attachment = false; // Define mime type @@ -73,7 +73,7 @@ else $type = dol_mimetype($original_file); $original_file = str_replace("../", "/", $original_file); // Cache or not -if (GETPOST("cache", 'none') || image_format_supported($original_file) >= 0) +if (GETPOST("cache", 'aZ09') || image_format_supported($original_file) >= 0) { // Important: Following code is to avoid page request by browser and PHP CPU at // each Dolibarr page access. diff --git a/htdocs/website/websiteaccount_card.php b/htdocs/website/websiteaccount_card.php index d2b592477fd..c1057935e31 100644 --- a/htdocs/website/websiteaccount_card.php +++ b/htdocs/website/websiteaccount_card.php @@ -34,7 +34,7 @@ $langs->loadLangs(array("website", "other")); // Get parameters $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $confirm = GETPOST('confirm', 'alpha'); $cancel = GETPOST('cancel', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); diff --git a/htdocs/zapier/admin/about.php b/htdocs/zapier/admin/about.php index 43eded7ab7c..31d54c35893 100644 --- a/htdocs/zapier/admin/about.php +++ b/htdocs/zapier/admin/about.php 
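Review bot: `$original_file = str_replace("../", "/", $original_file);`, the context line just above the changed `cache` check, is a single-pass rewrite, not a rejection: str_replace scans once left to right, so an input like `..../` becomes `../` after it runs. Unless a later check I cannot see refuses the result, prefer the pattern viewimage.php uses in this same patch — refuse and exit when `..` is present: `if (preg_match('/\.\./', $original_file)) { http_response_code(403); exit; }`. Tightening `cache` to `'aZ09'` is fine since the value is only tested for truthiness.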
@@ -37,7 +37,7 @@ $langs->loadLangs(array("errors", "admin", "zapier@zapier")); if (!$user->admin) accessforbidden(); // Parameters -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); diff --git a/htdocs/zapier/admin/setup.php b/htdocs/zapier/admin/setup.php index 8a74b525c2b..7077551749e 100644 --- a/htdocs/zapier/admin/setup.php +++ b/htdocs/zapier/admin/setup.php @@ -36,7 +36,7 @@ $langs->loadLangs(array("admin", "zapier@zapier")); if (!$user->admin) accessforbidden(); // Parameters -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); $arrayofparameters = array( diff --git a/htdocs/zapier/class/api_zapier.class.php b/htdocs/zapier/class/api_zapier.class.php index 082ca5a5490..9fbaf56c303 100644 --- a/htdocs/zapier/class/api_zapier.class.php +++ b/htdocs/zapier/class/api_zapier.class.php @@ -174,7 +174,7 @@ class ZapierApi extends DolibarrApi //if ($mode == 1) $sql.= " AND s.client IN (1, 3)"; //if ($mode == 2) $sql.= " AND s.client IN (2, 3)"; - $tmpobject = new Hook($db); + $tmpobject = new Hook($this->db); if ($tmpobject->ismultientitymanaged) { $sql .= ' AND t.entity IN ('.getEntity('hook').')'; } 
@@ -200,23 +200,23 @@ class ZapierApi extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { $page = 0; } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); $i = 0; if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); while ($i < $num) { - $obj = $db->fetch_object($result); - $hook_static = new Hook($db); + $obj = $this->db->fetch_object($result); + $hook_static = new Hook($this->db); if ($hook_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($hook_static); } diff --git a/htdocs/zapier/hook_agenda.php b/htdocs/zapier/hook_agenda.php index a9b44fbd089..89f2415ad05 100644 --- a/htdocs/zapier/hook_agenda.php +++ b/htdocs/zapier/hook_agenda.php @@ -37,7 +37,7 @@ $langs->loadLangs(array("mymodule@mymodule", "other")); // Get parameters $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); diff --git a/htdocs/zapier/hook_list.php b/htdocs/zapier/hook_list.php index 8b2a8d70bc4..ac90713f13c 100644 --- a/htdocs/zapier/hook_list.php +++ b/htdocs/zapier/hook_list.php 
@@ -49,8 +49,8 @@ $id = GETPOST('id', 'int'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1 || GETPOST('button_search', 'alpha') || GETPOST('button_removefilter', 'alpha') || (empty($toselect) && $massaction === '0')) { // If $page is not defined, or '' or -1 or if we click on clear filters or if we select empty mass action diff --git a/htdocs/zapier/hook_note.php b/htdocs/zapier/hook_note.php index 151c762be56..d8a5404fd3c 100644 --- a/htdocs/zapier/hook_note.php +++ b/htdocs/zapier/hook_note.php @@ -33,7 +33,7 @@ $langs->loadLangs(array("mymodule@mymodule", "companies")); // Get parameters $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); $cancel = GETPOST('cancel', 'aZ09'); $backtopage = GETPOST('backtopage', 'alpha'); diff --git a/htdocs/zapier/zapierindex.php b/htdocs/zapier/zapierindex.php index 760bd85322a..5ecdf24e6cd 100644 --- a/htdocs/zapier/zapierindex.php +++ b/htdocs/zapier/zapierindex.php @@ -31,7 +31,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php'; // Load translation files required by the page $langs->loadLangs(array("zapier@zapier")); -$action = GETPOST('action', 'alpha'); +$action = GETPOST('action', 'aZ09'); // Securite acces client @@ -67,156 +67,9 @@ print load_fiche_titre($langs->trans("ZapierForDolibarrArea"), '', 'zapier.png@z print '
'; -/* BEGIN MODULEBUILDER DRAFT MYOBJECT -// Draft MyObject -if (! empty($conf->zapier->enabled) && $user->rights->zapier->read) -{ - $langs->load("orders"); - - $sql = "SELECT c.rowid, c.ref, c.ref_client, c.total_ht, c.tva as total_tva, c.total_ttc, s.rowid as socid, s.nom as name, s.client, s.canvas"; - $sql.= ", s.code_client"; - $sql.= " FROM ".MAIN_DB_PREFIX."commande as c"; - $sql.= ", ".MAIN_DB_PREFIX."societe as s"; - if (! $user->rights->societe->client->voir && ! $socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql.= " WHERE c.fk_soc = s.rowid"; - $sql.= " AND c.fk_statut = 0"; - $sql.= " AND c.entity IN (".getEntity('commande').")"; - if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; - if ($socid) $sql.= " AND c.fk_soc = ".$socid; - - $resql = $db->query($sql); - if ($resql) - { - $total = 0; - $num = $db->num_rows($resql); - - print '
'.img_picto_common('', 'treemenu/branchbottom.gif').''; diff --git a/htdocs/user/list.php b/htdocs/user/list.php index 84447ea9781..406401bdf38 100644 --- a/htdocs/user/list.php +++ b/htdocs/user/list.php @@ -51,8 +51,8 @@ $mode = GETPOST("mode", 'alpha'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; -$sortfield = GETPOST('sortfield', 'alpha'); -$sortorder = GETPOST('sortorder', 'alpha'); +$sortfield = GETPOST('sortfield', 'aZ09comma'); +$sortorder = GETPOST('sortorder', 'aZ09comma'); $page = GETPOSTISSET('pageplusone') ? (GETPOST('pageplusone') - 1) : GETPOST("page", 'int'); if (empty($page) || $page == -1) { $page = 0; } $offset = $limit * $page; @@ -195,8 +195,6 @@ $htmlother = new FormOther($db); $user2 = new User($db); -$buttonviewhierarchy = '
'; - $sql = "SELECT DISTINCT u.rowid, u.lastname, u.firstname, u.admin, u.fk_soc, u.login, u.email, u.api_key, u.accountancy_code, u.gender, u.employee, u.photo,"; $sql .= " u.datelastlogin, u.datepreviouslogin,"; $sql .= " u.ldap_sid, u.statut, u.entity,"; 
@@ -226,21 +224,21 @@ if ($reshook > 0) { } if ($socid > 0) $sql .= " AND u.fk_soc = ".$socid; //if ($search_user != '') $sql.=natural_search(array('u.login', 'u.lastname', 'u.firstname'), $search_user); -if ($search_supervisor > 0) $sql .= " AND u.fk_user IN (".$db->escape($search_supervisor).")"; +if ($search_supervisor > 0) $sql .= " AND u.fk_user IN (".$db->sanitize($db->escape($search_supervisor)).")"; if ($search_thirdparty != '') $sql .= natural_search(array('s.nom'), $search_thirdparty); if ($search_login != '') $sql .= natural_search("u.login", $search_login); if ($search_lastname != '') $sql .= natural_search("u.lastname", $search_lastname); if ($search_firstname != '') $sql .= natural_search("u.firstname", $search_firstname); -if ($search_gender != '' && $search_gender != '-1') $sql .= " AND u.gender = '".$search_gender."'"; +if ($search_gender != '' && $search_gender != '-1') $sql .= natural_search("u.gender", $search_gender); if (is_numeric($search_employee) && $search_employee >= 0) { $sql .= ' AND u.employee = '.(int) $search_employee; } if ($search_accountancy_code != '') $sql .= natural_search("u.accountancy_code", $search_accountancy_code); if ($search_email != '') $sql .= natural_search("u.email", $search_email); if ($search_api_key != '') $sql .= natural_search("u.api_key", $search_api_key); -if ($search_statut != '' && $search_statut >= 0) $sql .= " AND u.statut IN (".$db->escape($search_statut).")"; +if ($search_statut != '' && $search_statut >= 0) $sql .= " AND u.statut IN (".$db->sanitize($db->escape($search_statut)).")"; if ($sall) $sql .= natural_search(array_keys($fieldstosearchall), $sall); -if ($catid > 0) $sql .= " AND cu.fk_categorie = ".$catid; +if ($catid > 0) $sql .= " AND cu.fk_categorie = ".((int) $catid); if ($catid == -2) $sql .= " AND cu.fk_categorie IS NULL"; if ($search_categ > 0) $sql .= " AND cu.fk_categorie = ".$db->escape($search_categ); if ($search_categ == -2) $sql .= " AND cu.fk_categorie IS NULL"; 
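Review bot: `if ($search_categ > 0) $sql .= " AND cu.fk_categorie = ".$db->escape($search_categ);`, a context line in this hunk, still relies on string escaping for a bare numeric comparison, while the line just above it was changed to `((int) $catid)`; use the same cast, `" AND cu.fk_categorie = ".((int) $search_categ)`. `$search_supervisor` and `$search_statut` are guarded by `> 0` / `>= 0` yet fed to `IN (...)` through `sanitize(escape())`; if a single id is intended an `(int)` cast is simpler, and if a comma list is intended the guard should say so in a comment. The query assembly continues outside the hunk.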
@@ -303,11 +301,9 @@ include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_search_param.tpl.php'; $text = $langs->trans("ListOfUsers"); -$newcardbutton = ''; -if ($canadduser) -{ - $newcardbutton .= dolGetButtonTitle($langs->trans('NewUser'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/user/card.php?action=create'.($mode == 'employee' ? '&employee=1' : '').'&leftmenu='); -} +$url = DOL_URL_ROOT.'/user/card.php?action=create'.($mode == 'employee' ? '&employee=1' : '').'&leftmenu='; +if (!empty($socid)) $url .= '&socid='.$socid; +$newcardbutton = dolGetButtonTitle($langs->trans('NewUser'), '', 'fa fa-plus-circle', $url, '', $canadduser); print '
'."\n"; if ($optioncss != '') print ''; @@ -318,7 +314,10 @@ print ''; print ''; print ''; -$morehtmlright .= dolGetButtonTitle($langs->trans("HierarchicView"), '', 'fa fa-sitemap paddingleft', DOL_URL_ROOT.'/user/hierarchy.php'.(($search_statut != '' && $search_statut >= 0) ? '?search_statut='.$search_statut : '')); +$param = array('morecss'=>'btnTitleSelected'); +$morehtmlright .= dolGetButtonTitle($langs->trans("List"), '', 'fa fa-list paddingleft imgforviewmode', DOL_URL_ROOT.'/user/list.php'.(($search_statut != '' && $search_statut >= 0) ? '?search_statut='.$search_statut : ''), '', 1, $param); +$param = array('morecss'=>'marginleftonly'); +$morehtmlright .= dolGetButtonTitle($langs->trans("HierarchicView"), '', 'fa fa-stream paddingleft imgforviewmode', DOL_URL_ROOT.'/user/hierarchy.php'.(($search_statut != '' && $search_statut >= 0) ? '?search_statut='.$search_statut : ''), '', 1, $param); print_barre_liste($text, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, "", $num, $nbtotalofrecords, 'user', 0, $morehtmlright.' '.$newcardbutton, '', $limit, 0, 0, 1); @@ -385,7 +384,7 @@ if (!empty($arrayfields['u.firstname']['checked'])) if (!empty($arrayfields['u.gender']['checked'])) { print '
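Review bot: `if (!empty($socid)) $url .= '&socid='.$socid;` appends $socid to the create-user link without a cast, while the neighbouring hunk of the same file casts $catid with `((int) $catid)` before use. The same treatment here, `if (!empty($socid)) $url .= '&socid='.((int) $socid);`, keeps the href integer-only regardless of how $socid was read earlier in the file, which is outside this hunk.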
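Review bot: `$param = array('morecss'=>'marginleftonly');` overwrites the `$param` that the unchanged `print_barre_liste($text, $page, $_SERVER["PHP_SELF"], $param, ...)` call on the next line receives, and that argument appears to be the list's URL-parameter string rather than button options; unless $param is rebuilt between those lines, the pagination and sort links lose their query string. Use a separate variable for the button options — `$btnparam = array('morecss'=>'btnTitleSelected');` and `$btnparam = array('morecss'=>'marginleftonly');` — and pass `$btnparam` as the last argument of the two dolGetButtonTitle() calls.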
'; - $arraygender = array('man'=>$langs->trans("Genderman"), 'woman'=>$langs->trans("Genderwoman")); + $arraygender = array('man'=>$langs->trans("Genderman"), 'woman'=>$langs->trans("Genderwoman"), 'other'=>$langs->trans("Genderother")); print $form->selectarray('search_gender', $arraygender, $search_gender, 1); print ''; - print ''.$langs->trans("All").""; + print ''.$langs->trans("All").""; print ' / '; - print ''.$langs->trans("None").""; + print ''.$langs->trans("None").""; print ' '; - print 'module.'">'.$langs->trans("All").""; + print 'module.'&confirm=yes&token='.newToken().'">'.$langs->trans("All").""; print ' / '; - print 'module.'">'.$langs->trans("None").""; + print 'module.'&confirm=yes&token='.newToken().'">'.$langs->trans("None").""; print '  '.$objMod->numero.'
id.'">'.img_edit_remove($langs->trans("Remove")).'id.'&confirm=yes&token='.newToken().'">'.img_edit_remove($langs->trans("Remove")).''; print img_picto($langs->trans("Active"), 'tick'); @@ -414,7 +416,7 @@ if ($result) // Do not own permission if ($caneditperms) { - print 'id.'">'.img_edit_add($langs->trans("Add")).'id.'&confirm=yes&token='.newToken().'">'.img_edit_add($langs->trans("Add")).' id.'">'.img_edit_add($langs->trans("Add")).'id.'&confirm=yes&token='.newToken().'">'.img_edit_add($langs->trans("Add")).' 
'; - print $langs->trans('Ref'); + print $form->textwithpicto($langs->trans('WebSite'), $langs->trans("Example").': www.mywebsite.com, myportal, ...'); print ''; print ''; print '
'; - print ''; - print ''; - - $var = true; - if ($num > 0) - { - $i = 0; - while ($i < $num) - { - - $obj = $db->fetch_object($resql); - print ''; - print ''; - print ''; - $i++; - $total += $obj->total_ttc; - } - if ($total>0) - { - - print '"; - } - } - else - { - - print ''; - } - print "
'.$langs->trans("DraftOrders").($num?''.$num.'':'').'
'; - $orderstatic->id=$obj->rowid; - $orderstatic->ref=$obj->ref; - $orderstatic->ref_client=$obj->ref_client; - $orderstatic->total_ht = $obj->total_ht; - $orderstatic->total_tva = $obj->total_tva; - $orderstatic->total_ttc = $obj->total_ttc; - print $orderstatic->getNomUrl(1); - print ''; - $companystatic->id=$obj->socid; - $companystatic->name=$obj->name; - $companystatic->client=$obj->client; - $companystatic->code_client = $obj->code_client; - $companystatic->code_fournisseur = $obj->code_fournisseur; - $companystatic->canvas=$obj->canvas; - print $companystatic->getNomUrl(1,'customer',16); - print ''.price($obj->total_ttc).'
'.$langs->trans("Total").''.price($total)."
'.$langs->trans("NoOrder").'

"; - - $db->free($resql); - } - else - { - dol_print_error($db); - } -} -END MODULEBUILDER DRAFT MYOBJECT */ - - print '
'; -$NBMAX = 3; -$max = 3; - -/* BEGIN MODULEBUILDER LASTMODIFIED MYOBJECT -// Last modified myobject -if (! empty($conf->zapier->enabled) && $user->rights->zapier->read) -{ - $sql = "SELECT s.rowid, s.nom as name, s.client, s.datec, s.tms, s.canvas"; - $sql.= ", s.code_client"; - $sql.= " FROM ".MAIN_DB_PREFIX."societe as s"; - if (! $user->rights->societe->client->voir && ! $socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; - $sql.= " WHERE s.client IN (1, 2, 3)"; - $sql.= " AND s.entity IN (".getEntity($companystatic->element).")"; - if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; - if ($socid) $sql.= " AND s.rowid = $socid"; - $sql .= " ORDER BY s.tms DESC"; - $sql .= $db->plimit($max, 0); - - $resql = $db->query($sql); - if ($resql) - { - $num = $db->num_rows($resql); - $i = 0; - - print ''; - print ''; - print ''; - print ''; - print ''; - if ($num) - { - while ($i < $num) - { - $objp = $db->fetch_object($resql); - $companystatic->id=$objp->rowid; - $companystatic->name=$objp->name; - $companystatic->client=$objp->client; - $companystatic->code_client = $objp->code_client; - $companystatic->code_fournisseur = $objp->code_fournisseur; - $companystatic->canvas=$objp->canvas; - print ''; - print ''; - print '"; - print '"; - print ''; - $i++; - - - } - - $db->free($resql); - } - else - { - print ''; - } - print "
'; - if (empty($conf->global->SOCIETE_DISABLE_PROSPECTS) && empty($conf->global->SOCIETE_DISABLE_CUSTOMERS)) print $langs->trans("BoxTitleLastCustomersOrProspects",$max); - else if (! empty($conf->global->SOCIETE_DISABLE_CUSTOMERS)) print $langs->trans("BoxTitleLastModifiedProspects",$max); - else print $langs->trans("BoxTitleLastModifiedCustomers",$max); - print ''.$langs->trans("DateModificationShort").'
'.$companystatic->getNomUrl(1,'customer',48).''; - print $companystatic->getLibCustProspStatut(); - print "'.dol_print_date($db->jdate($objp->tms),'day')."
'.$langs->trans("None").'

"; - } -} -*/ - print '
'; // End of page diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php index c28021a6957..b819671578c 100644 --- a/test/phpunit/CodingPhpTest.php +++ b/test/phpunit/CodingPhpTest.php @@ -153,6 +153,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname'); + //$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname'); foreach ($filesarray as $key => $file) { 
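Review bot: The added line `//$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname');` is a commented-out copy of the live statement directly above it and carries no information. If it is meant as a hook for narrowing the scan while debugging, a comment saying so, `// To debug, narrow the list here (e.g. to one directory) instead of scanning DOL_DOCUMENT_ROOT`, is clearer than dead code; otherwise drop it. The enclosing test method starts and ends outside the hunk.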
@@ -165,10 +166,71 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase print 'Check php file '.$file['fullname']."\n"; $filecontent=file_get_contents($file['fullname']); + if (preg_match('/\.class\.php/', $file['relativename']) + || preg_match('/boxes\/box_/', $file['relativename']) + || preg_match('/modules\/.*\/doc\/(doc|pdf)_/', $file['relativename']) + || preg_match('/modules\/(import|mailings|printing)\//', $file['relativename']) + || in_array($file['name'], array('modules_boxes.php', 'rapport.pdf.php', 'TraceableDB.php'))) { + if (! in_array($file['name'], array( + 'api.class.php', + 'actioncomm.class.php', + 'commonobject.class.php', + 'conf.class.php', + 'html.form.class.php', + 'html.formmail.class.php', + 'infobox.class.php', + 'link.class.php', + 'translate.class.php', + 'utils.class.php', + 'modules_product.class.php', + 'modules_societe.class.php', + 'TraceableDB.php', + 'expeditionbatch.class.php', + 'expensereport_ik.class.php', + 'expensereport_rule.class.php', + 'multicurrency.class.php', + 'productbatch.class.php', + 'reception.class.php', + 'societe.class.php' + ))) { + // Must must not found $db-> + $ok=true; + $matches=array(); + // Check string get_class... + preg_match_all('/'.preg_quote('$db->', '/').'/', $filecontent, $matches, PREG_SET_ORDER); + foreach ($matches as $key => $val) + { + $ok=false; + break; + } + //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; + $this->assertTrue($ok, 'Found string $db-> into a .class.php file in '.$file['relativename']); + //exit; + } + } else { + if (! in_array($file['name'], array( + 'extrafieldsinexport.inc.php', + 'DolQueryCollector.php' + ))) { + // Must must not found $this->db-> + $ok=true; + $matches=array(); + // Check string get_class... + preg_match_all('/'.preg_quote('$this->db->', '/').'/', $filecontent, $matches, PREG_SET_ORDER); + foreach ($matches as $key => $val) + { + $ok=false; + break; + } + //print __METHOD__." 
Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; + $this->assertTrue($ok, 'Found string $this->db-> in '.$file['relativename']); + //exit; + } + } $ok=true; $matches=array(); - // Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request. + // Check string get_class... preg_match_all('/'.preg_quote('get_class($this)."::".__METHOD__', '/').'/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { @@ -176,12 +238,12 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase break; } //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; - $this->assertTrue($ok, 'Found string get_class($this)."::".__METHOD__ that must be replaced with __METHOD__ only in '.$file['fullname']); + $this->assertTrue($ok, 'Found string get_class($this)."::".__METHOD__ that must be replaced with __METHOD__ only in '.$file['relativename']); //exit; $ok=true; $matches=array(); - // Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request. + // Check string $this->db->idate without quotes preg_match_all('/(..)\s*\.\s*\$this->db->idate\(/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { 
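Review bot: The comment `// Check string get_class...` placed above each of the two new preg_match_all() calls is copied from the get_class check further down and does not describe what they search for; write `// A .class.php file must not contain the string $db->` above the first and `// A non-class file must not contain the string $this->db->` above the second, and fix `// Must must not found` to `// Must not find`. The two `foreach ($matches as $key => $val) { $ok=false; break; }` loops only test whether the array is non-empty and read more simply as `$ok = empty($matches);`. The enclosing test method starts and ends outside the hunk.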
@@ -193,17 +255,18 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase //if ($reg[0] != 'db') $ok=false; } //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; - $this->assertTrue($ok, 'Found a $this->db->idate to forge a sql request without quotes around this date field '.$file['fullname'].' :: '.$val[0]); + $this->assertTrue($ok, 'Found a $this->db->idate to forge a sql request without quotes around this date field '.$file['relativename'].' :: '.$val[0]); //exit; $ok=true; $matches=array(); + // Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request. - preg_match_all('/(=|sql.+)\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER); + preg_match_all('/=\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { - if ($val[2] != 'db->' && $val[2] != 'esca') + if ($val[1] != 'db->' && $val[1] != 'esca') { $ok=false; break; 
@@ -211,7 +274,21 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase //if ($reg[0] != 'db') $ok=false; } //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; - $this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['fullname'].' ('.$val[0].'). Bad.'); + $this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['relativename'].': '.$val[0].' - Bad.'); + //exit; + + // Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request. + preg_match_all('/sql.+\s*\'"\s*\.\s*\$(.........)/', $filecontent, $matches, PREG_SET_ORDER); + foreach ($matches as $key => $val) + { + if (! in_array($val[1], array('this->db-', 'this->esc', 'db->escap', 'db->idate', 'excludeGr', 'includeGr'))) { + $ok=false; + break; + } + //if ($reg[0] != 'db') $ok=false; + } + //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n"; + $this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['relativename'].': '.$val[0].' - Bad.'); //exit; @@ -228,7 +305,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase break; } } - $this->assertTrue($ok, 'Found a $_SERVER[\'QUERY_STRING\'] without dol_escape_htmltag neither dol_string_nohtmltag around it, in file '.$file['fullname'].' ('.$val[1].'$_SERVER[\'QUERY_STRING\']). Bad.'); + $this->assertTrue($ok, 'Found a $_SERVER[\'QUERY_STRING\'] without dol_escape_htmltag neither dol_string_nohtmltag around it, in file '.$file['relativename'].' ('.$val[1].'$_SERVER[\'QUERY_STRING\']). Bad.'); // Test that first param of print_liste_field_titre is a translation key and not the translated value 
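Review bot: The new check compares a fixed nine-character capture `(.........)` against literal prefixes, so it is tied to exact spelling and length: a safe helper of another length, such as the `$db->sanitize(` calls this same commit introduces in the list page, captures as `db->sanit` and would be reported as an unescaped string if it ever follows the `'"` . `$` sequence the regex requires. Capturing the helper name instead, `preg_match_all('/sql.+\s*\'"\s*\.\s*\$([A-Za-z_>-]+)/', ...)` and testing it with `if (! preg_match('/^(this->)?(db->(escape|idate|sanitize)|escape|excludeGr|includeGr)/', $val[1]))`, keeps the allow-list readable and length-independent. The comment above this block is a verbatim copy of the one above the previous check although this regex matches any `$xxx` after `sql`, not only `$this->`; `// Check string sql..."'".$xxx with xxx that is not an escape helper` describes it better. The enclosing test method starts and ends outside the hunk.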
@@ -241,7 +318,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase $ok=false; break; } - $this->assertTrue($ok, 'Found a use of print_liste_field_titre with first parameter that is a translated value instead of just the translation key in file '.$file['fullname'].'. Bad.'); + $this->assertTrue($ok, 'Found a use of print_liste_field_titre with first parameter that is a translated value instead of just the translation key in file '.$file['relativename'].'. Bad.'); // Test we don't have
@@ -257,7 +334,23 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase break; } } - $this->assertTrue($ok, 'Found a tag
that is for xml in file '.$file['fullname'].'. You may use html syntax
instead.'); + $this->assertTrue($ok, 'Found a tag
that is for xml in file '.$file['relativename'].'. You must use html syntax
instead.'); + + + // Test we don't have name="token" value="'.$_SESSION['newtoken'], we must use name="token" value="'.newToken() instead. + $ok=true; + $matches=array(); + // Check string name="token" value="'.$_SESSINON + preg_match_all('/name="token" value="\'\.\$_SESSION/', $filecontent, $matches, PREG_SET_ORDER); + foreach ($matches as $key => $val) + { + if ($file['name'] != 'excludefile.php') + { + $ok=false; + break; + } + } + $this->assertTrue($ok, 'Found a forbidden string sequence into '.$file['relativename'].' : name="token" value="\'.$_SESSION[..., you must use a newToken() instead of $_SESSION[\'newtoken\'].'); // Test we don't have @var array( @@ -270,7 +363,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase $ok=false; break; } - $this->assertTrue($ok, 'Found a declaration @var array() instead of @var array in file '.$file['fullname'].'.'); + $this->assertTrue($ok, 'Found a declaration @var array() instead of @var array in file '.$file['relativename'].'.'); } return; diff --git a/test/phpunit/FunctionsLibTest.php b/test/phpunit/FunctionsLibTest.php index e3dabff6df9..d113cde8035 100644 --- a/test/phpunit/FunctionsLibTest.php +++ b/test/phpunit/FunctionsLibTest.php @@ -1312,4 +1312,32 @@ class FunctionsLibTest extends PHPUnit\Framework\TestCase return true; } + + + /** + * testGetUserRemoteIP + * + * @return boolean + */ + public function testGetUserRemoteIP() + { + global $conf, $langs; + + $_SERVER['HTTP_X_FORWARDED_FOR']='1.2.3.4'; + $_SERVER['HTTP_CLIENT_IP']='5.6.7.8'; + $result = getUserRemoteIP(); + $this->assertEquals($result, '1.2.3.4'); + + $_SERVER['HTTP_X_FORWARDED_FOR']='1.2.3.4'; + $_SERVER['HTTP_CLIENT_IP']='5.6.7.8'; + $result = getUserRemoteIP(); + $this->assertEquals($result, '5.6.7.8'); + + $_SERVER['HTTP_X_FORWARDED_FOR']='[1:2:3:4]'; + $_SERVER['HTTP_CLIENT_IP']='5.6.7.8'; + $result = getUserRemoteIP(); + $this->assertEquals($result, '[1:2:3:4]'); + + return true; + } } 
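Review bot: The exclusion `if ($file['name'] != 'excludefile.php')` inside the new token check names a file that appears in none of the exception lists used by the other checks, so it reads as a placeholder; either drop the condition or replace it with an in_array() over real exceptions like the lists above. The comment `// Check string name="token" value="'.$_SESSINON` has a typo; make it `// Check string name="token" value="'.$_SESSION` and say why the pattern is forbidden, `// Pages must build the CSRF token with newToken() rather than reading $_SESSION['newtoken'] directly`. The enclosing test method starts and ends outside the hunk.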
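Review bot: The second case of testGetUserRemoteIP sets HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP to exactly the same values as the first case but expects '5.6.7.8' instead of '1.2.3.4', so the two assertions cannot both hold unless getUserRemoteIP() is non-deterministic; presumably the second case was meant to exercise the path where X-Forwarded-For is absent, e.g. `unset($_SERVER['HTTP_X_FORWARDED_FOR']);` before the second call. The new assertEquals calls also pass the actual value first, while the SecurityTest hunk in this same commit switches to the (expected, actual) order; these assertions should follow it, e.g. `$this->assertEquals('1.2.3.4', $result);`. A one-line docblock note that the test checks header precedence only, not whether the headers can be trusted, would help readers.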
diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php index 50ae74e5031..6c4d2270d1a 100644 --- a/test/phpunit/SecurityTest.php +++ b/test/phpunit/SecurityTest.php @@ -173,9 +173,12 @@ class SecurityTest extends PHPUnit\Framework\TestCase $_GET["param1"]="222"; $_POST["param1"]="333"; $_GET["param2"]='a/b#e(pr)qq-rr\cc'; - $_GET["param3"]='"a/b#e(pr)qq-rr\cc'; // Same than param2 + " + $_GET["param3"]='"na/b#e(pr)qq-rr\cc'; // Same than param2 + " and n $_GET["param4"]='../dir'; $_GET["param5"]="a_1-b"; + $_POST["param6"]="">assertEquals($result, 'a/b#e(pr)qq-rr\cc'); + $this->assertEquals($result, 'na/b#e(pr)qq-rr\cc'); $result=GETPOST("param4", 'alpha'); // Must return string sanitized from ../ print __METHOD__." result=".$result."\n"; @@ -218,11 +221,25 @@ class SecurityTest extends PHPUnit\Framework\TestCase $result=GETPOST("param4", 'aZ09'); // Must return '' as string contains car not in aZ09 definition print __METHOD__." result=".$result."\n"; - $this->assertEquals($result, ''); + $this->assertEquals('', $result); $result=GETPOST("param5", 'aZ09'); print __METHOD__." result=".$result."\n"; - $this->assertEquals($result, $_GET["param5"]); + $this->assertEquals($_GET["param5"], $result); + + $result=GETPOST("param6", 'nohtml'); + print __METHOD__." result=".$result."\n"; + $this->assertEquals('">', $result); + + // With restricthtml we must remove html open/close tag and content but not htmlentities like n + $result=GETPOST("param7", 'restricthtml'); + print __METHOD__." result=".$result."\n"; + $this->assertEquals('"c:\this is a path~1\aaan" abcdef', $result); + + // With alphanohtml, we must convert the html entities like n + $result=GETPOST("param8", 'alphanohtml'); + print __METHOD__." result=".$result."\n"; + $this->assertEquals("Hacker + + diff --git a/test/sqlmap/README b/test/sqlmap/README new file mode 100644 index 00000000000..da3a1ae6daf --- /dev/null +++ b/test/sqlmap/README 
@@ -0,0 +1,70 @@ +To test there is no SQL injection, we can use: + +-- Installation of sqlmap +------------------------- + +git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap + +cd sqlmap + +./sqlmap.py --update + +./sqlmap.py --purge + + +Add, into file ~/git/sqlmap/data/xml/payloads/boolean_blind.xml, the custom rule: + + + + Our_ORDERBY_Payload + 1 + 1 + 1 + 1 + 1 + ,(select * from(select (CASE WHEN ([INFERENCE]) THEN 1 ELSE exp(710) END))a) + + ,(select * from(select (CASE WHEN (1=1) THEN 1 ELSE exp(710) END))a) + + + ,(select * from(select (CASE WHEN (1=2) THEN 1 ELSE exp(710) END))a) + +
+ mysql + linux +
+
+ + + + +-- Launch sqlmap on a given url/parameter +----------------------------------------- + +Introduce a vulnerability by changing the GETPOST on parameter search_status into GETPOST('search_status', 'none') and removing $db->sanitize when parameter is used; + +./sqlmap.py -A "securitytest" --threads=4 -u "http://localhostdev/comm/propal/list.php?search_status=*" --dbms=mysql --os=linux --technique=B --batch --skip-waf \ + --cookie="DOLSESSID_xxxxxx=yyyyyyyy;" --prefix='1' -v 4 > sqlmap.txt + +Check vulnerability is found into sqlmap.txt. Scanner is working. + + + +-- Launch sqlmap on all the application +--------------------------------------- + +Set $dolibarr_nocsrfcheck='1' into conf.php file to make access easier. + +With prefix (required to have some rules working) + +./sqlmap.py -A "securitytest" --threads=4 -u "http://localhostdev/" --crawl=2 --crawl-exclude="logout|user\/card|custom\/" \ + --skip=sortorder --skip=sortfield --dbms=mysql --os=linux --technique=B --batch --skip-waf \ + --cookie="DOLSESSID_xxxxxxxxx=yyyyyyyyyyyyyyyy;" --prefix='1' -v + +Without prefix + +./sqlmap.py -A "securitytest" --threads=4 -u "http://localhostdev/" --crawl=2 --crawl-exclude="logout|user\/card|custom\/" \ + --skip=sortorder --skip=sortfield --dbms=mysql --os=linux --technique=B --batch --skip-waf \ + --cookie="DOLSESSID_xxxxxxxxx=yyyyyyyyyyyyyyyy;" -v + +