From ef56631c8083af8342d0c21a357c26d0e568c1b1 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 3 Jan 2022 18:15:19 +0100
Subject: [PATCH] FIX #yogosha8186
---
 .../class/accountingaccount.class.php | 4 ++--
 .../adherents/class/adherentstats.class.php | 2 +-
 htdocs/comm/action/index.php | 2 +-
 htdocs/contact/consumption.php | 22 ++++++++++---------
 htdocs/expedition/class/expedition.class.php | 4 ++--
 htdocs/expedition/list.php | 2 +-
 htdocs/fichinter/class/fichinter.class.php | 4 ++--
 htdocs/fichinter/class/fichinterrec.class.php | 4 ++--
 htdocs/install/step5.php | 4 ++--
 htdocs/reception/class/reception.class.php | 11 +++++-----
 htdocs/salaries/class/salariesstats.class.php | 2 +-
 htdocs/ticket/class/ticketstats.class.php | 4 ++--
 test/phpunit/CodingPhpTest.php | 8 +++----
 13 files changed, 37 insertions(+), 36 deletions(-)
diff --git a/htdocs/accountancy/class/accountingaccount.class.php b/htdocs/accountancy/class/accountingaccount.class.php
index 93809efa06a..a42439b1597 100644
--- a/htdocs/accountancy/class/accountingaccount.class.php
+++ b/htdocs/accountancy/class/accountingaccount.class.php
@@ -168,7 +168,7 @@ class AccountingAccount extends CommonObject
 global $conf;
 $this->db = $db;
- $this->next_prev_filter = "fk_pcg_version IN (SELECT pcg_version FROM ".MAIN_DB_PREFIX."accounting_system WHERE rowid=".((int) $conf->global->CHARTOFACCOUNTS).")"; // Used to add a filter in Form::showrefnav method
+ $this->next_prev_filter = "fk_pcg_version IN (SELECT pcg_version FROM ".MAIN_DB_PREFIX."accounting_system WHERE rowid = ".((int) $conf->global->CHARTOFACCOUNTS).")"; // Used to add a filter in Form::showrefnav method
 }
 /**
@@ -197,7 +197,7 @@ class AccountingAccount extends CommonObject
 $sql .= " AND a.entity = ".$conf->entity;
 }
 if (!empty($limittocurrentchart)) {
- $sql .= ' AND a.fk_pcg_version IN (SELECT pcg_version FROM '.MAIN_DB_PREFIX.'accounting_system WHERE rowid='.$this->db->escape($conf->global->CHARTOFACCOUNTS).')';
+ $sql .= ' AND a.fk_pcg_version IN (SELECT pcg_version FROM '.MAIN_DB_PREFIX.'accounting_system WHERE rowid = '.((int) $conf->global->CHARTOFACCOUNTS).')';
 }
 if (!empty($limittoachartaccount)) {
 $sql .= " AND a.fk_pcg_version = '".$this->db->escape($limittoachartaccount)."'";
diff --git a/htdocs/adherents/class/adherentstats.class.php b/htdocs/adherents/class/adherentstats.class.php
index 38ad3f037b9..9aa2fe2e8ad 100644
--- a/htdocs/adherents/class/adherentstats.class.php
+++ b/htdocs/adherents/class/adherentstats.class.php
@@ -74,7 +74,7 @@ class AdherentStats extends Stats
 if ($this->memberid) {
 $this->where .= " AND m.rowid = ".((int) $this->memberid);
 }
- //if ($this->userid > 0) $this->where.=' AND fk_user_author = '.$this->userid;
+ //if ($this->userid > 0) $this->where .= " AND fk_user_author = ".((int) $this->userid);
 }
diff --git a/htdocs/comm/action/index.php b/htdocs/comm/action/index.php
index 93b235a37da..bdbbe74697d 100644
--- a/htdocs/comm/action/index.php
+++ b/htdocs/comm/action/index.php
@@ -721,7 +721,7 @@ if (empty($user->rights->societe->client->voir) && !$socid) {
 $sql .= " AND (a.fk_soc IS NULL OR sc.fk_user = ".((int) $user->id).")";
 }
 if ($socid > 0) {
- $sql .= ' AND a.fk_soc = '.$socid;
+ $sql .= " AND a.fk_soc = ".((int) $socid);
 }
 // We must filter on assignement table
 if ($filtert > 0 || $usergroup > 0) {
diff --git a/htdocs/contact/consumption.php b/htdocs/contact/consumption.php
index bb610baa4b0..c7013d5570f 100644
--- a/htdocs/contact/consumption.php
+++ b/htdocs/contact/consumption.php
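Review bot: The context line `$sql .= " AND a.entity = ".$conf->entity;` just above the changed line in the -197 hunk still concatenates `$conf->entity` without a cast, while this same commit casts it in reception.class.php and ticketstats.class.php; for consistency use `$sql .= " AND a.entity = ".((int) $conf->entity);`. Replacing `$this->db->escape()` by an `(int)` cast on the changed line is the right fix here, because escaping only neutralises quote characters and the value is concatenated unquoted. The enclosing method starts and ends outside the hunk.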
@@ -20,7 +20,7 @@
 */
 /**
- * \file htdocs/societe/consumption.php
+ * \file htdocs/contact/consumption.php
 * \ingroup societe
 * \brief Add a tab on thirpdarty view to list all products/services bought or sells by thirdparty
 */
@@ -32,10 +32,10 @@
 require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.class.php';
 require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php';
-// Security check
+$optioncss = GETPOST('optioncss', 'aZ'); // Option for the css output (always '' except when 'print')
+
 $id = GETPOST('id', 'int');
-$result = restrictedArea($user, 'contact', $id, 'socpeople&societe');
 $object = new Contact($db);
 if ($id > 0) {
 $object->fetch($id);
@@ -86,6 +86,8 @@ $langs->loadLangs(array("companies", "bills", "orders", "suppliers", "propal", "
 // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
 $hookmanager->initHooks(array('consumptioncontact'));
+$result = restrictedArea($user, 'contact', $object->id, 'socpeople&societe');
+
 /*
 * Actions
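Review bot: `restrictedArea()` now runs after `$object->fetch($id)` (hunk -32) and after the hook initialisation, so the contact row is loaded before authorisation is checked; file lines 43–85 sit between the fetch and the check and are outside this diff, so verify nothing there outputs or acts on `$object`. When `$id` is absent or `fetch()` fails, `$object->id` is presumably empty and the check degrades to the generic contact permission; a guard such as `if ($id > 0 && empty($object->id)) { accessforbidden(); }` placed before the `restrictedArea()` call would make that explicit. The old position did the check with `$id` before any data access, and the commit does not say why it was moved; a one-line comment above the new call stating the reason would help the next reader.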
@@ -196,7 +198,7 @@ if ($type_element == 'fichinter') { // Customer : show products from invoices
 $sql_select = 'SELECT f.rowid as doc_id, f.ref as doc_number, \'1\' as doc_type, f.datec as dateprint, f.fk_statut as status, tc.libelle as type_contact_label, ';
 $tables_from = MAIN_DB_PREFIX.'fichinterdet d';
 $tables_from .= ' LEFT JOIN '.MAIN_DB_PREFIX.'fichinter as f ON d.fk_fichinter=f.rowid';
- $tables_from .= ' INNER JOIN '.MAIN_DB_PREFIX.'element_contact ec ON ec.element_id=f.rowid AND ec.fk_socpeople='.$object->id;
+ $tables_from .= ' INNER JOIN '.MAIN_DB_PREFIX.'element_contact ec ON ec.element_id=f.rowid AND ec.fk_socpeople = '.((int) $object->id);
 $tables_from .= ' INNER JOIN '.MAIN_DB_PREFIX."c_type_contact tc ON (ec.fk_c_type_contact=tc.rowid and tc.element='fichinter' and tc.source='external' and tc.active=1)";
 $where = ' WHERE f.entity IN ('.getEntity('ficheinter').')';
 $dateprint = 'f.datec';
@@ -208,7 +210,7 @@ if ($type_element == 'fichinter') { // Customer : show products from invoices
 $tables_from = MAIN_DB_PREFIX.'facturedet d';
 $tables_from .= ' LEFT JOIN '.MAIN_DB_PREFIX.'facture as f ON d.fk_facture=f.rowid';
 $tables_from .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product p ON d.fk_product=p.rowid';
- $tables_from .= ' INNER JOIN '.MAIN_DB_PREFIX.'element_contact ec ON ec.element_id=f.rowid AND ec.fk_socpeople='.$object->id;
+ $tables_from .= ' INNER JOIN '.MAIN_DB_PREFIX.'element_contact ec ON ec.element_id=f.rowid AND ec.fk_socpeople = '.((int) $object->id);
 $tables_from .= ' INNER JOIN '.MAIN_DB_PREFIX."c_type_contact tc ON (ec.fk_c_type_contact=tc.rowid and tc.element='facture' and tc.source='external' and tc.active=1)";
 $where = " WHERE f.entity IN (".getEntity('invoice').")";
 $dateprint = 'f.datef';
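Review bot: The same `((int) $object->id)` cast is repeated inline in every branch of the `$type_element` chain (this hunk and the hunks at -208, -221, -234, -247, -272 and -286); computing it once above the chain, `$contactid = (int) $object->id;`, and concatenating `$contactid` in each INNER JOIN keeps the branches identical and makes the sanitisation easy to audit. The casts themselves are the right fix, since `ec.fk_socpeople` is compared unquoted and `escape()` would not have helped there. The enclosing if/elseif chain starts and ends outside the hunk.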
@@ -221,7 +223,7 @@ if ($type_element == 'fichinter') { // Customer : show products from invoices
 $tables_from = MAIN_DB_PREFIX.'propaldet d';
 $tables_from .= ' LEFT JOIN '.MAIN_DB_PREFIX.'propal as c ON d.fk_propal=c.rowid';
 $tables_from .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product p ON d.fk_product=p.rowid';
- $tables_from .= ' INNER JOIN '.MAIN_DB_PREFIX.'element_contact ec ON ec.element_id=c.rowid AND ec.fk_socpeople='.$object->id;
+ $tables_from .= ' INNER JOIN '.MAIN_DB_PREFIX.'element_contact ec ON ec.element_id=c.rowid AND ec.fk_socpeople = '.((int) $object->id);
 $tables_from .= ' INNER JOIN '.MAIN_DB_PREFIX."c_type_contact tc ON (ec.fk_c_type_contact=tc.rowid and tc.element='propal' and tc.source='external' and tc.active=1)";
 $where = ' WHERE c.entity IN ('.getEntity('propal').')';
 $datePrint = 'c.datep';
@@ -234,7 +236,7 @@ if ($type_element == 'fichinter') { // Customer : show products from invoices
 $tables_from = MAIN_DB_PREFIX.'commandedet d';
 $tables_from .= ' LEFT JOIN '.MAIN_DB_PREFIX.'commande as c ON d.fk_commande=c.rowid';
 $tables_from .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product p ON d.fk_product=p.rowid';
- $tables_from .= ' INNER JOIN '.MAIN_DB_PREFIX.'element_contact ec ON ec.element_id=c.rowid AND ec.fk_socpeople='.$object->id;
+ $tables_from .= ' INNER JOIN '.MAIN_DB_PREFIX.'element_contact ec ON ec.element_id=c.rowid AND ec.fk_socpeople = '.((int) $object->id);
 $tables_from .= ' INNER JOIN '.MAIN_DB_PREFIX."c_type_contact tc ON (ec.fk_c_type_contact=tc.rowid and tc.element='commande' and tc.source='external' and tc.active=1)";
 $where = ' WHERE c.entity IN ('.getEntity('order').')';
 $dateprint = 'c.date_commande';
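Review bot: `$datePrint = 'c.datep';` in the propal branch of the -221 hunk differs in case from the `$dateprint` that every other branch assigns (`'f.datec'`, `'f.datef'`, `'c.date_commande'`, …); if the query later reads `$dateprint`, the propal case presumably keeps whatever value that variable held before, so this looks like a typo and should read `$dateprint = 'c.datep';`. Where `$dateprint` is consumed is outside the diff, so confirm before changing. The enclosing if/elseif chain starts and ends outside the hunk.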
@@ -247,7 +249,7 @@ if ($type_element == 'fichinter') { // Customer : show products from invoices
 $tables_from = MAIN_DB_PREFIX.'facture_fourn_det d';
 $tables_from .= ' LEFT JOIN '.MAIN_DB_PREFIX.'facture_fourn as f ON d.fk_facture_fourn=f.rowid';
 $tables_from .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product p ON d.fk_product=p.rowid';
- $tables_from .= ' INNER JOIN '.MAIN_DB_PREFIX.'element_contact ec ON ec.element_id=f.rowid AND ec.fk_socpeople='.$object->id;
+ $tables_from .= ' INNER JOIN '.MAIN_DB_PREFIX.'element_contact ec ON ec.element_id=f.rowid AND ec.fk_socpeople = '.((int) $object->id);
 $tables_from .= ' INNER JOIN '.MAIN_DB_PREFIX."c_type_contact tc ON (ec.fk_c_type_contact=tc.rowid and tc.element='invoice_supplier' and tc.source='external' and tc.active=1)";
 $where = ' WHERE f.entity IN ('.getEntity($documentstatic->element).')';
 $dateprint = 'f.datef';
@@ -272,7 +274,7 @@ if ($type_element == 'fichinter') { // Customer : show products from invoices
 $tables_from = MAIN_DB_PREFIX.'commande_fournisseurdet d';
 $tables_from .= ' LEFT JOIN '.MAIN_DB_PREFIX.'commande_fournisseur as c ON d.fk_commande=c.rowid';
 $tables_from .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product p ON d.fk_product=p.rowid';
- $tables_from .= ' INNER JOIN '.MAIN_DB_PREFIX.'element_contact ec ON ec.element_id=c.rowid AND ec.fk_socpeople='.$object->id;
+ $tables_from .= ' INNER JOIN '.MAIN_DB_PREFIX.'element_contact ec ON ec.element_id=c.rowid AND ec.fk_socpeople = '.((int) $object->id);
 $tables_from .= ' INNER JOIN '.MAIN_DB_PREFIX."c_type_contact tc ON (ec.fk_c_type_contact=tc.rowid and tc.element='order_supplier' and tc.source='external' and tc.active=1)";
 $where = ' WHERE c.entity IN ('.getEntity($documentstatic->element).')';
 $dateprint = 'c.date_valid';
@@ -286,7 +288,7 @@ if ($type_element == 'fichinter') { // Customer : show products from invoices
 $tables_from = MAIN_DB_PREFIX.'contratdet d';
 $tables_from .= ' LEFT JOIN '.MAIN_DB_PREFIX.'contrat as c ON d.fk_contrat=c.rowid';
 $tables_from .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product p ON d.fk_product=p.rowid';
- $tables_from .= ' INNER JOIN '.MAIN_DB_PREFIX.'element_contact ec ON ec.element_id=c.rowid AND ec.fk_socpeople='.$object->id;
+ $tables_from .= ' INNER JOIN '.MAIN_DB_PREFIX.'element_contact ec ON ec.element_id=c.rowid AND ec.fk_socpeople = '.((int) $object->id);
 $tables_from .= ' INNER JOIN '.MAIN_DB_PREFIX."c_type_contact tc ON (ec.fk_c_type_contact=tc.rowid and tc.element='contrat' and tc.source='external' and tc.active=1)";
 $where = ' WHERE c.entity IN ('.getEntity('contrat').')';
 $dateprint = 'c.date_valid';
diff --git a/htdocs/expedition/class/expedition.class.php b/htdocs/expedition/class/expedition.class.php
index dd0022b09dc..955724c6f9c 100644
--- a/htdocs/expedition/class/expedition.class.php
+++ b/htdocs/expedition/class/expedition.class.php
@@ -2090,7 +2090,7 @@ class Expedition extends CommonObject
 {
 // phpcs:enable
 $sql = 'UPDATE '.MAIN_DB_PREFIX.'c_shipment_mode SET active=1';
- $sql .= ' WHERE rowid='.$id;
+ $sql .= " WHERE rowid = ".((int) $id);
 $resql = $this->db->query($sql);
 }
@@ -2107,7 +2107,7 @@ class Expedition extends CommonObject
 {
 // phpcs:enable
 $sql = 'UPDATE '.MAIN_DB_PREFIX.'c_shipment_mode SET active=0';
- $sql .= ' WHERE rowid='.$id;
+ $sql .= " WHERE rowid= ".((int) $id);
 $resql = $this->db->query($sql);
 }
diff --git a/htdocs/expedition/list.php b/htdocs/expedition/list.php
index 8d0a5e40cc6..81fbdd651db 100644
--- a/htdocs/expedition/list.php
+++ b/htdocs/expedition/list.php
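Review bot: `$sql .= " WHERE rowid= ".((int) $id);` in the -2107 hunk of expedition.class.php drops the space before `=`, unlike the -2090 hunk just above it and the two matching lines in reception.class.php; write it `$sql .= " WHERE rowid = ".((int) $id);` so all four copies are identical. In both hunks `$resql` is assigned and, within the visible lines, never checked, so a failed UPDATE is silent; that is pre-existing but worth a `if (!$resql) { dol_print_error($this->db); }` or an error return. Both methods start outside the hunk.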
@@ -295,7 +295,7 @@ if ($search_product_category > 0) {
 $sql .= " AND cp.fk_categorie = ".((int) $search_product_category);
 }
 if ($socid > 0) {
- $sql .= ' AND s.rowid = '.$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 if (empty($user->rights->societe->client->voir) && !$socid) { // Internal user with no permission to see all
 $sql .= " AND e.fk_soc = sc.fk_soc";
diff --git a/htdocs/fichinter/class/fichinter.class.php b/htdocs/fichinter/class/fichinter.class.php
index 297e03fa379..7a532998b1f 100644
--- a/htdocs/fichinter/class/fichinter.class.php
+++ b/htdocs/fichinter/class/fichinter.class.php
@@ -430,9 +430,9 @@ class Fichinter extends CommonObject
 $sql .= " FROM ".MAIN_DB_PREFIX."fichinter as f";
 if ($ref) {
 $sql .= " WHERE f.entity IN (".getEntity('intervention').")";
- $sql .= " AND f.ref='".$this->db->escape($ref)."'";
+ $sql .= " AND f.ref = '".$this->db->escape($ref)."'";
 } else {
- $sql .= " WHERE f.rowid=".((int) $rowid);
+ $sql .= " WHERE f.rowid = ".((int) $rowid);
 }
 dol_syslog(get_class($this)."::fetch", LOG_DEBUG);
diff --git a/htdocs/fichinter/class/fichinterrec.class.php b/htdocs/fichinter/class/fichinterrec.class.php
index d5690265028..ee385cbc7a4 100644
--- a/htdocs/fichinter/class/fichinterrec.class.php
+++ b/htdocs/fichinter/class/fichinterrec.class.php
@@ -279,9 +279,9 @@ class FichinterRec extends Fichinter
 $sql .= ', f.note_private, f.note_public, f.fk_user_author';
 $sql .= ' FROM '.MAIN_DB_PREFIX.'fichinter_rec as f';
 if ($rowid > 0) {
- $sql .= ' WHERE f.rowid='.$rowid;
+ $sql .= " WHERE f.rowid = ".((int) $rowid);
 } elseif ($ref) {
- $sql .= " WHERE f.titre='".$this->db->escape($ref)."'";
+ $sql .= " WHERE f.titre = '".$this->db->escape($ref)."'";
 }
 dol_syslog(get_class($this)."::fetch rowid=".$rowid, LOG_DEBUG);
diff --git a/htdocs/install/step5.php b/htdocs/install/step5.php
index 6effe4316a5..5eba9856c06 100644
--- a/htdocs/install/step5.php
+++ b/htdocs/install/step5.php
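Review bot: In the fichinterrec.class.php hunk (-279), when neither `$rowid > 0` nor `$ref` holds the SELECT is assembled with no WHERE clause at all, and nothing in the visible lines stops it from running, so `fetch()` would presumably load an arbitrary row; an early `if ($rowid <= 0 && empty($ref)) { return -1; }` before the query is built closes that path. The `(int)` cast on `$rowid` is the right fix for the unquoted numeric, and the `$ref` branch is correctly quoted and escaped. The method starts and ends outside the hunk, so an existing guard at its top would make this moot — check before adding one.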
@@ -166,7 +166,7 @@ if ($action == "set" || empty($action) || preg_match('/upgrade/i', $action)) {
 $objMod = new $modName($db);
 $result = $objMod->init();
 if (!$result) {
- print 'ERROR in activating module file='.$file;
+ print "ERROR: failed to init module file = ".$file;
 }
 if ($db->connected) {
@@ -286,7 +286,7 @@ if ($action == "set" || empty($action) || preg_match('/upgrade/i', $action)) {
 $res = activateModule($modtoactivatenew, 1);
 if (!empty($res['errors'])) {
- print 'ERROR in activating module file='.$file;
+ print 'ERROR: failed to activateModule() file='.$file;
 }
 }
 }
diff --git a/htdocs/reception/class/reception.class.php b/htdocs/reception/class/reception.class.php
index 8024bac4f36..382cc5be9b6 100644
--- a/htdocs/reception/class/reception.class.php
+++ b/htdocs/reception/class/reception.class.php
@@ -658,7 +658,7 @@ class Reception extends CommonObject
 if (preg_match('/^[\(]?PROV/i', $this->ref)) {
 // Now we rename also files into index
 $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref) + 1).")), filepath = 'reception/".$this->db->escape($this->newref)."'";
- $sql .= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'reception/".$this->db->escape($this->ref)."' and entity = ".$conf->entity;
+ $sql .= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'reception/".$this->db->escape($this->ref)."' AND entity = ".((int) $conf->entity);
 $resql = $this->db->query($sql);
 if (!$resql) {
 $error++; $this->error = $this->db->lasterror();
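Review bot: The two replacement messages in step5.php differ in form — `"ERROR: failed to init module file = ".$file` in the -166 hunk versus `'ERROR: failed to activateModule() file='.$file` in the -286 hunk; pick one spacing (`file = `) for both so log greps match. Both lines print `$file` straight into the install page; it presumably comes from the module directory scan rather than the request, but wrapping it as `dol_escape_htmltag($file)` is the safer habit for any value emitted in an HTML context. The enclosing `if ($action == "set" …)` block starts and ends outside both hunks.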
@@ -869,9 +869,8 @@ class Reception extends CommonObject
 $sql .= " weight=".(($this->trueWeight != '') ? $this->trueWeight : "null").",";
 $sql .= " note_private=".(isset($this->note_private) ? "'".$this->db->escape($this->note_private)."'" : "null").",";
 $sql .= " note_public=".(isset($this->note_public) ? "'".$this->db->escape($this->note_public)."'" : "null").",";
- $sql .= " model_pdf=".(isset($this->modelpdf) ? "'".$this->db->escape($this->modelpdf)."'" : "null").",";
- $sql .= " entity=".$conf->entity;
-
+ $sql .= " model_pdf=".(isset($this->model_pdf) ? "'".$this->db->escape($this->model_pdf)."'" : "null").",";
+ $sql .= " entity = ".((int) $conf->entity);
 $sql .= " WHERE rowid=".((int) $this->id);
 $this->db->begin();
@@ -1400,7 +1399,7 @@ class Reception extends CommonObject
 {
 // phpcs:enable
 $sql = 'UPDATE '.MAIN_DB_PREFIX.'c_shipment_mode SET active=1';
- $sql .= ' WHERE rowid='.$id;
+ $sql .= " WHERE rowid = ".((int) $id);
 $resql = $this->db->query($sql);
 }
@@ -1417,7 +1416,7 @@ class Reception extends CommonObject
 {
 // phpcs:enable
 $sql = 'UPDATE '.MAIN_DB_PREFIX.'c_shipment_mode SET active=0';
- $sql .= ' WHERE rowid='.$id;
+ $sql .= " WHERE rowid = ".((int) $id);
 $resql = $this->db->query($sql);
 }
diff --git a/htdocs/salaries/class/salariesstats.class.php b/htdocs/salaries/class/salariesstats.class.php
index a1109e071e5..a1e701ed87e 100644
--- a/htdocs/salaries/class/salariesstats.class.php
+++ b/htdocs/salaries/class/salariesstats.class.php
@@ -69,7 +69,7 @@ class SalariesStats extends Stats
 if (is_array($this->userid) && count($this->userid) > 0) {
 $this->where .= ' AND fk_user IN ('.$this->db->sanitize(join(',', $this->userid)).')';
 } elseif ($this->userid > 0) {
- $this->where .= ' AND fk_user = '.$this->userid;
+ $this->where .= " AND fk_user = ".((int) $this->userid);
 }
 }
diff --git a/htdocs/ticket/class/ticketstats.class.php b/htdocs/ticket/class/ticketstats.class.php
index 9f8122b0b9a..2af0b789c3d 100644
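Review bot: The first context line of the -869 hunk, `$sql .= " weight=".(($this->trueWeight != '') ? $this->trueWeight : "null").",";`, still concatenates `$this->trueWeight` unquoted and uncast — the same pattern this commit fixes elsewhere — so it should become `$sql .= " weight=".(($this->trueWeight != '') ? ((float) $this->trueWeight) : "null").",";` (or whatever numeric normalisation the codebase prefers for decimals). Separately, the changed line now reads `$this->model_pdf` where the old code read `$this->modelpdf`; any caller outside this diff that still sets `modelpdf` will presumably now write NULL into `model_pdf`, so check that the property rename is complete. `update()` starts and ends outside the hunk.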
--- a/htdocs/ticket/class/ticketstats.class.php
+++ b/htdocs/ticket/class/ticketstats.class.php
@@ -62,14 +62,14 @@ class TicketStats extends Stats
 $this->field = 'timing';
 $this->where = " fk_statut > 0";
- $this->where .= " AND entity = ".$conf->entity;
+ $this->where .= " AND entity = ".((int) $conf->entity);
 if ($this->socid > 0) {
 $this->where .= " AND fk_soc = ".((int) $this->socid);
 }
 if (is_array($this->userid) && count($this->userid) > 0) {
 $this->where .= ' AND fk_user_create IN ('.$this->db->sanitize(join(',', $this->userid)).')';
 } elseif ($this->userid > 0) {
- $this->where .= ' AND fk_user_create = '.$this->userid;
+ $this->where .= " AND fk_user_create = ".((int) $this->userid);
 }
 }
diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php
index b069140f420..7f894fe8b29 100644
--- a/test/phpunit/CodingPhpTest.php
+++ b/test/phpunit/CodingPhpTest.php
@@ -278,15 +278,15 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
 // with xxx that is not 'thi' (for $this->db->sanitize) and 'db-' (for $db->sanitize). It means we forget a ' if string, or an (int) if int, when forging sql request.
 $ok=true; $matches=array();
- preg_match_all('/(DELETE|OR|AND|WHERE|INSERT)\s.*([^\s][^\s][^\s])\s*=\s*"\s*\.\s*\$(...)/', $filecontent, $matches, PREG_SET_ORDER);
+ preg_match_all('/(DELETE|OR|AND|WHERE|INSERT)\s.*([^\s][^\s][^\s])\s*=\s*(\'|")\s*\.\s*\$(...)/', $filecontent, $matches, PREG_SET_ORDER);
 foreach ($matches as $key => $val) {
- if ($val[2] == 'ity' && $val[3] == 'con') { // exclude entity = ".$conf->entity
+ if ($val[2] == 'ity' && $val[4] == 'con') { // exclude entity = ".$conf->entity
 continue;
 }
- if ($val[2] == 'ame' && $val[3] == 'db-' && preg_match('/WHERE name/', $val[0])) { // exclude name = ".$db->encrypt(
+ if ($val[2] == 'ame' && $val[4] == 'db-' && preg_match('/WHERE name/', $val[0])) { // exclude name = ".$db->encrypt(
 continue;
 }
- if ($val[2] == 'ame' && $val[3] == 'thi' && preg_match('/WHERE name/', $val[0])) { // exclude name = ".$this->db->encrypt(
+ if ($val[2] == 'ame' && $val[4] == 'thi' && preg_match('/WHERE name/', $val[0])) { // exclude name = ".$this->db->encrypt(
 continue;
 }
 var_dump($matches);
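Review bot: Adding `(\'|")` as a capturing group shifts every later group index, which is why the three `$val[3]` comparisons had to be renumbered to `$val[4]`; a character class accepts both quote styles without renumbering, `preg_match_all('/(DELETE|OR|AND|WHERE|INSERT)\s.*([^\s][^\s][^\s])\s*=\s*[\'"]\s*\.\s*\$(...)/', $filecontent, $matches, PREG_SET_ORDER);`, and the `$val[3]` checks then stay as they were. The `exclude entity = ".$conf->entity` exemption still lets an uncast `$conf->entity` through the coding check, while this same commit casts that value in reception.class.php and ticketstats.class.php, so the exemption could be narrowed or dropped once the remaining sites are converted. The test method starts and ends outside the hunk.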