Fix Sqli
This commit is contained in:
parent
c3b9c91200
commit
f0f6f71161
@ -1101,7 +1101,7 @@ class BookKeeping extends CommonObject
|
||||
$this->db->begin();
|
||||
|
||||
$sql = "UPDATE " . MAIN_DB_PREFIX . $this->table_element . $mode . " as ab";
|
||||
$sql .= ' SET ab.' . $field . '=' . (is_numeric($value)?$value:"'".$value."'");
|
||||
$sql .= ' SET ab.' . $field . '=' . (is_numeric($value)?$value:"'".$this->db->escape($value)."'");
|
||||
$sql .= ' WHERE ab.piece_num=' . $piece_num ;
|
||||
$resql = $this->db->query($sql);
|
||||
|
||||
@ -1184,7 +1184,7 @@ class BookKeeping extends CommonObject
|
||||
// first check if line not yet in bookkeeping
|
||||
$sql = "DELETE";
|
||||
$sql .= " FROM " . MAIN_DB_PREFIX . $this->table_element;
|
||||
$sql .= " WHERE import_key = '" . $importkey . "'";
|
||||
$sql .= " WHERE import_key = '" . $this->db->escape($importkey) . "'";
|
||||
|
||||
$resql = $this->db->query($sql);
|
||||
|
||||
@ -1222,7 +1222,7 @@ class BookKeeping extends CommonObject
|
||||
$sql.= " FROM " . MAIN_DB_PREFIX . $this->table_element.$mode;
|
||||
$sql.= " WHERE 1 = 1";
|
||||
if (! empty($delyear)) $sql.= " AND YEAR(doc_date) = " . $delyear; // FIXME Must use between
|
||||
if (! empty($journal)) $sql.= " AND code_journal = '".$journal."'";
|
||||
if (! empty($journal)) $sql.= " AND code_journal = '".$this->db->escape($journal)."'";
|
||||
$sql .= " AND entity IN (" . getEntity('accountancy') . ")";
|
||||
$resql = $this->db->query($sql);
|
||||
|
||||
|
||||
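Review bot: In the third hunk (`@ -1222`), `$delyear` is still concatenated raw in `" AND YEAR(doc_date) = " . $delyear` while `$journal` on the very next line now goes through `escape()`; only an integer makes sense there, so cast it the way the Societe hunk casts `$id`: `if (! empty($delyear)) $sql.= " AND YEAR(doc_date) = " . (int) $delyear;`. The first hunk (`@ -1101`) has the same gap: `' WHERE ab.piece_num=' . $piece_num` is unescaped, and the `$field` and `$mode` fragments are spliced in as identifiers, which `escape()` cannot protect, so `$piece_num` should be cast to int and `$field` checked against a fixed list of column names before the statement is built. The `is_numeric($value)` shortcut also lets strings such as `" 1"` or `"1e3"` bypass quoting; harmless for a numeric column but worth a comment stating that intent. The enclosing methods start and end outside these hunks.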
@ -222,8 +222,8 @@ class FormCompany
|
||||
$sql .= " ".MAIN_DB_PREFIX ."c_departements as d, ".MAIN_DB_PREFIX."c_regions as r,".MAIN_DB_PREFIX."c_country as c";
|
||||
$sql .= " WHERE d.fk_region=r.code_region and r.fk_pays=c.rowid";
|
||||
$sql .= " AND d.active = 1 AND r.active = 1 AND c.active = 1";
|
||||
if ($country_codeid && is_numeric($country_codeid)) $sql .= " AND c.rowid = '".$country_codeid."'";
|
||||
if ($country_codeid && ! is_numeric($country_codeid)) $sql .= " AND c.code = '".$country_codeid."'";
|
||||
if ($country_codeid && is_numeric($country_codeid)) $sql .= " AND c.rowid = '".$this->db->escape($country_codeid)."'";
|
||||
if ($country_codeid && ! is_numeric($country_codeid)) $sql .= " AND c.code = '".$this->db->escape($country_codeid)."'";
|
||||
$sql .= " ORDER BY c.code, d.code_departement";
|
||||
|
||||
dol_syslog(get_class($this)."::select_departement", LOG_DEBUG);
|
||||
|
||||
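Review bot: The numeric branch, `c.rowid = '" . $this->db->escape($country_codeid) . "'"`, runs a value `is_numeric()` already accepted through `escape()` and still quotes it as a string; a cast states the contract more clearly and matches what the Societe hunk does for `rowid`: `if ($country_codeid && is_numeric($country_codeid)) $sql .= " AND c.rowid = " . (int) $country_codeid;`. The non-numeric `c.code` branch with `escape()` is the right fix for a string column and needs no change. `select_departement` starts and ends outside this hunk.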
@ -895,7 +895,7 @@ class Translate
|
||||
|
||||
$sql = "SELECT ".$fieldlabel." as label";
|
||||
$sql.= " FROM ".MAIN_DB_PREFIX.$tablename;
|
||||
$sql.= " WHERE ".$fieldkey." = '".($keyforselect?$keyforselect:$key)."'";
|
||||
$sql.= " WHERE ".$fieldkey." = '".$this->db->escape($keyforselect?$keyforselect:$key)."'";
|
||||
if ($filteronentity) $sql.= " AND entity IN (" . getEntity($tablename). ')';
|
||||
dol_syslog(get_class($this).'::getLabelFromKey', LOG_DEBUG);
|
||||
$resql = $db->query($sql);
|
||||
@ -977,7 +977,7 @@ class Translate
|
||||
$sql = "SELECT code_iso, label, unicode";
|
||||
$sql.= " FROM ".MAIN_DB_PREFIX."c_currencies";
|
||||
$sql.= " WHERE active = 1";
|
||||
if (! empty($currency_code)) $sql.=" AND code_iso = '".$currency_code."'";
|
||||
if (! empty($currency_code)) $sql.=" AND code_iso = '".$this->db->escape($currency_code)."'";
|
||||
//$sql.= " ORDER BY code_iso ASC"; // Not required, a sort is done later
|
||||
|
||||
dol_syslog(get_class($this).'::loadCacheCurrencies', LOG_DEBUG);
|
||||
|
||||
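Review bot: `$this->db->escape(...)` on the rewritten `WHERE` line uses a property while the query a few lines later runs on a plain `$db` (`$resql = $db->query($sql);`); if `Translate` does not hold a `db` property — the query line suggests the connection is passed in rather than held on the object — this line fails on a null object before the statement is built, so it should use the same handle: `$sql.= " WHERE ".$fieldkey." = '".$db->escape($keyforselect?$keyforselect:$key)."'";`. The second hunk (`loadCacheCurrencies`) also introduces `$this->db->escape`, and its query line is outside the hunk, so the same check applies there. Separately, `$fieldlabel`, `$tablename` and `$fieldkey` are spliced in as identifiers, which `escape()` cannot protect; if any caller derives them from request data they need a whitelist, otherwise a comment such as `// $fieldkey/$fieldlabel/$tablename must be code constants, never request data` would document the assumption. Both methods start and end outside the hunks.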
@ -1002,7 +1002,7 @@ class Societe extends CommonObject
|
||||
$sql .= ", fk_user_modif = ".($user->id > 0 ? $user->id:"null");
|
||||
$sql .= ", fk_multicurrency = ".(int) $this->fk_multicurrency;
|
||||
$sql .= ", multicurrency_code = '".$this->db->escape($this->multicurrency_code)."'";
|
||||
$sql .= " WHERE rowid = '" . $id ."'";
|
||||
$sql .= " WHERE rowid = " . (int) $id;
|
||||
|
||||
$resql=$this->db->query($sql);
|
||||
if ($resql)
|
||||
|
||||
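Review bot: `fk_user_modif = ".($user->id > 0 ? $user->id:"null")` still inserts `$user->id` without a cast, while the new `WHERE rowid = " . (int) $id` line casts; for consistency, and so that a non-numeric id can never reach the statement, write `($user->id > 0 ? (int) $user->id : "null")`. The `(int)` cast on `$id` is the right fix for a rowid column and is preferable to `escape()` plus quotes, which the other hunks in this commit still use for numeric ids. The enclosing method starts and ends outside this hunk.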