Fix sql injection
This commit is contained in:
Laurent Destailleur
parent
8debefa8ad
commit
f3a5975cf8
@ -161,7 +161,7 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab
|
||||
}
|
||||
}
|
||||
|
||||
$object = new Propal($db); // To be passed as parameter of executeHooks that need
|
||||
$object = new Propal($db); // To be passed as parameter of executeHooks that need
|
||||
|
||||
|
||||
/*
|
||||
@ -273,25 +273,25 @@ if (! $user->rights->societe->client->voir && ! $socid) //restriction
|
||||
$sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
|
||||
}
|
||||
if ($search_town) $sql.= natural_search('s.town', $search_town);
|
||||
if ($search_zip) $sql.= natural_search("s.zip",$search_zip);
|
||||
if ($search_state) $sql.= natural_search("state.nom",$search_state);
|
||||
if ($search_country) $sql .= " AND s.fk_pays IN (".$search_country.')';
|
||||
if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$search_type_thirdparty.')';
|
||||
if ($search_ref) $sql .= natural_search('p.ref', $search_ref);
|
||||
if ($search_zip) $sql.= natural_search("s.zip", $search_zip);
|
||||
if ($search_state) $sql.= natural_search("state.nom", $search_state);
|
||||
if ($search_country) $sql .= " AND s.fk_pays IN (".$db->escape($search_country).')';
|
||||
if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->escape($search_type_thirdparty).')';
|
||||
if ($search_ref) $sql .= natural_search('p.ref', $search_ref);
|
||||
if ($search_refcustomer) $sql .= natural_search('p.ref_client', $search_refcustomer);
|
||||
if ($search_societe) $sql .= natural_search('s.nom', $search_societe);
|
||||
if ($search_login) $sql.= " AND u.login LIKE '%".$db->escape(trim($search_login))."%'";
|
||||
if ($search_societe) $sql .= natural_search('s.nom', $search_societe);
|
||||
if ($search_login) $sql .= natural_search("u.login", $search_login);
|
||||
if ($search_montant_ht != '') $sql.= natural_search("p.total_ht", $search_montant_ht, 1);
|
||||
if ($search_montant_vat != '') $sql.= natural_search("p.tva", $search_montant_vat, 1);
|
||||
if ($search_montant_ttc != '') $sql.= natural_search("p.total", $search_montant_ttc, 1);
|
||||
if ($sall) {
|
||||
$sql .= natural_search(array_keys($fieldstosearchall), $sall);
|
||||
}
|
||||
if ($search_product_category > 0) $sql.=" AND cp.fk_categorie = ".$search_product_category;
|
||||
if ($search_product_category > 0) $sql.=" AND cp.fk_categorie = ".$db->escape($search_product_category);
|
||||
if ($socid > 0) $sql.= ' AND s.rowid = '.$socid;
|
||||
if ($viewstatut != '' && $viewstatut != '-1')
|
||||
{
|
||||
$sql.= ' AND p.fk_statut IN ('.$viewstatut.')';
|
||||
$sql.= ' AND p.fk_statut IN ('.$db->escape($viewstatut).')';
|
||||
}
|
||||
if ($month > 0)
|
||||
{
|
||||
@ -300,16 +300,16 @@ if ($month > 0)
|
||||
else if ($year > 0 && ! empty($day))
|
||||
$sql.= " AND p.datep BETWEEN '".$db->idate(dol_mktime(0, 0, 0, $month, $day, $year))."' AND '".$db->idate(dol_mktime(23, 59, 59, $month, $day, $year))."'";
|
||||
else
|
||||
$sql.= " AND date_format(p.datep, '%m') = '".$month."'";
|
||||
$sql.= " AND date_format(p.datep, '%m') = '".$db->escape($month)."'";
|
||||
}
|
||||
else if ($year > 0)
|
||||
{
|
||||
$sql.= " AND p.datep BETWEEN '".$db->idate(dol_get_first_day($year,1,false))."' AND '".$db->idate(dol_get_last_day($year,12,false))."'";
|
||||
}
|
||||
if ($search_sale > 0) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$search_sale;
|
||||
if ($search_sale > 0) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$db->escape($search_sale);
|
||||
if ($search_user > 0)
|
||||
{
|
||||
$sql.= " AND c.fk_c_type_contact = tc.rowid AND tc.element='propal' AND tc.source='internal' AND c.element_id = p.rowid AND c.fk_socpeople = ".$search_user;
|
||||
$sql.= " AND c.fk_c_type_contact = tc.rowid AND tc.element='propal' AND tc.source='internal' AND c.element_id = p.rowid AND c.fk_socpeople = ".$db->escape($search_user);
|
||||
}
|
||||
// Add where from extra fields
|
||||
foreach ($search_array_options as $key => $val)
|
||||
@ -357,12 +357,12 @@ if ($resql)
|
||||
else
|
||||
{
|
||||
$title = $langs->trans('ListOfProposals');
|
||||
}
|
||||
}
|
||||
|
||||
$num = $db->num_rows($resql);
|
||||
|
||||
|
||||
$arrayofselected=is_array($toselect)?$toselect:array();
|
||||
|
||||
|
||||
$param='&viewstatut='.$viewstatut;
|
||||
if (! empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param.='&contextpage='.$contextpage;
|
||||
if ($limit > 0 && $limit != $conf->liste_limit) $param.='&limit='.$limit;
|
||||
@ -386,7 +386,7 @@ if ($resql)
|
||||
$tmpkey=preg_replace('/search_options_/','',$key);
|
||||
if ($val != '') $param.='&search_options_'.$tmpkey.'='.urlencode($val);
|
||||
}
|
||||
|
||||
|
||||
// List of mass actions available
|
||||
$arrayofmassactions = array(
|
||||
'presend'=>$langs->trans("SendByMail"),
|
||||
@ -395,7 +395,7 @@ if ($resql)
|
||||
if ($user->rights->propal->supprimer) $arrayofmassactions['delete']=$langs->trans("Delete");
|
||||
if ($massaction == 'presend') $arrayofmassactions=array();
|
||||
$massactionbutton=$form->selectMassAction('', $arrayofmassactions);
|
||||
|
||||
|
||||
// Lignes des champs de filtre
|
||||
print '<form method="POST" id="searchFormList" action="'.$_SERVER["PHP_SELF"].'">';
|
||||
if ($optioncss != '') print '<input type="hidden" name="optioncss" value="'.$optioncss.'">';
|
||||
@ -406,11 +406,11 @@ if ($resql)
|
||||
print '<input type="hidden" name="sortorder" value="'.$sortorder.'">';
|
||||
|
||||
print_barre_liste($title, $page, $_SERVER["PHP_SELF"], $param, $sortfield, $sortorder, $massactionbutton, $num, $nbtotalofrecords, 'title_commercial.png', 0, '', '', $limit);
|
||||
|
||||
|
||||
if ($massaction == 'presend')
|
||||
{
|
||||
$langs->load("mails");
|
||||
|
||||
|
||||
if (! GETPOST('cancel'))
|
||||
{
|
||||
$objecttmp=new Propal($db);
|
||||
@ -429,17 +429,17 @@ if ($resql)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
print '<input type="hidden" name="massaction" value="confirm_presend">';
|
||||
|
||||
|
||||
include_once DOL_DOCUMENT_ROOT.'/core/class/html.formmail.class.php';
|
||||
$formmail = new FormMail($db);
|
||||
|
||||
|
||||
dol_fiche_head(null, '', '');
|
||||
|
||||
|
||||
$topicmail="SendSupplierProposalRef";
|
||||
$modelmail="supplier_proposal_send";
|
||||
|
||||
|
||||
// Cree l'objet formulaire mail
|
||||
include_once DOL_DOCUMENT_ROOT.'/core/class/html.formmail.class.php';
|
||||
$formmail = new FormMail($db);
|
||||
@ -492,25 +492,25 @@ if ($resql)
|
||||
$formmail->substit['__REFCLIENT__']='__REFCLIENT__'; // We want to keep the tag
|
||||
$formmail->substit['__PERSONALIZED__']='';
|
||||
$formmail->substit['__CONTACTCIVNAME__']='';
|
||||
|
||||
|
||||
// Tableau des parametres complementaires du post
|
||||
$formmail->param['action']=$action;
|
||||
$formmail->param['models']=$modelmail;
|
||||
$formmail->param['models_id']=GETPOST('modelmailselected','int');
|
||||
$formmail->param['id']=join(',',$arrayofselected);
|
||||
//$formmail->param['returnurl']=$_SERVER["PHP_SELF"].'?id='.$object->id;
|
||||
|
||||
|
||||
print $formmail->get_form();
|
||||
|
||||
|
||||
dol_fiche_end();
|
||||
}
|
||||
|
||||
|
||||
if ($sall)
|
||||
{
|
||||
foreach($fieldstosearchall as $key => $val) $fieldstosearchall[$key]=$langs->trans($val);
|
||||
print $langs->trans("FilterOnInto", $sall) . join(', ',$fieldstosearchall);
|
||||
}
|
||||
|
||||
|
||||
$i = 0;
|
||||
|
||||
$moreforfilter='';
|
||||
@ -546,7 +546,7 @@ if ($resql)
|
||||
$reshook=$hookmanager->executeHooks('printFieldPreListTitle',$parameters); // Note that $action and $object may have been modified by hook
|
||||
if (empty($reshook)) $moreforfilter .= $hookmanager->resPrint;
|
||||
else $moreforfilter = $hookmanager->resPrint;
|
||||
|
||||
|
||||
if (! empty($moreforfilter))
|
||||
{
|
||||
print '<div class="liste_titre liste_titre_bydiv centpercent">';
|
||||
@ -556,10 +556,10 @@ if ($resql)
|
||||
|
||||
$varpage=empty($contextpage)?$_SERVER["PHP_SELF"]:$contextpage;
|
||||
$selectedfields=$form->multiSelectArrayWithCheckbox('selectedfields', $arrayfields, $varpage); // This also change content of $arrayfields
|
||||
|
||||
|
||||
print '<div class="div-table-responsive">';
|
||||
print '<table class="tagtable liste'.($moreforfilter?" listwithfilterbefore":"").'">'."\n";
|
||||
|
||||
|
||||
// Fields title
|
||||
print '<tr class="liste_titre">';
|
||||
if (! empty($arrayfields['p.ref']['checked'])) print_liste_field_titre($arrayfields['p.ref']['label'],$_SERVER["PHP_SELF"],'p.ref','',$param,'',$sortfield,$sortorder);
|
||||
@ -579,9 +579,9 @@ if ($resql)
|
||||
// Extra fields
|
||||
if (is_array($extrafields->attribute_label) && count($extrafields->attribute_label))
|
||||
{
|
||||
foreach($extrafields->attribute_label as $key => $val)
|
||||
foreach($extrafields->attribute_label as $key => $val)
|
||||
{
|
||||
if (! empty($arrayfields["ef.".$key]['checked']))
|
||||
if (! empty($arrayfields["ef.".$key]['checked']))
|
||||
{
|
||||
$align=$extrafields->getAlignFlag($key);
|
||||
print_liste_field_titre($extralabels[$key],$_SERVER["PHP_SELF"],"ef.".$key,"",$param,($align?'align="'.$align.'"':''),$sortfield,$sortorder);
|
||||
@ -597,9 +597,9 @@ if ($resql)
|
||||
if (! empty($arrayfields['p.fk_statut']['checked'])) print_liste_field_titre($arrayfields['p.fk_statut']['label'],$_SERVER["PHP_SELF"],"p.fk_statut","",$param,'align="right"',$sortfield,$sortorder);
|
||||
print_liste_field_titre($selectedfields, $_SERVER["PHP_SELF"],"",'','','align="right"',$sortfield,$sortorder,'maxwidthsearch ');
|
||||
print '</tr>'."\n";
|
||||
|
||||
|
||||
print '<tr class="liste_titre">';
|
||||
if (! empty($arrayfields['p.ref']['checked']))
|
||||
if (! empty($arrayfields['p.ref']['checked']))
|
||||
{
|
||||
print '<td class="liste_titre">';
|
||||
print '<input class="flat" size="6" type="text" name="search_ref" value="'.$search_ref.'">';
|
||||
@ -641,7 +641,7 @@ if ($resql)
|
||||
print '</td>';
|
||||
}
|
||||
// Date
|
||||
if (! empty($arrayfields['p.date']['checked']))
|
||||
if (! empty($arrayfields['p.date']['checked']))
|
||||
{
|
||||
print '<td class="liste_titre" colspan="1" align="center">';
|
||||
//print $langs->trans('Month').': ';
|
||||
@ -653,7 +653,7 @@ if ($resql)
|
||||
print '</td>';
|
||||
}
|
||||
// Date end
|
||||
if (! empty($arrayfields['p.fin_validite']['checked']))
|
||||
if (! empty($arrayfields['p.fin_validite']['checked']))
|
||||
{
|
||||
print '<td class="liste_titre" colspan="1"> </td>';
|
||||
}
|
||||
@ -736,7 +736,7 @@ if ($resql)
|
||||
$searchpitco=$form->showFilterAndCheckAddButtons($massactionbutton?1:0, 'checkforselect', 1);
|
||||
print $searchpitco;
|
||||
print '</td>';
|
||||
|
||||
|
||||
print "</tr>\n";
|
||||
|
||||
$now = dol_now();
|
||||
@ -747,16 +747,16 @@ if ($resql)
|
||||
{
|
||||
$obj = $db->fetch_object($resql);
|
||||
$var=!$var;
|
||||
|
||||
|
||||
$objectstatic->id=$obj->rowid;
|
||||
$objectstatic->ref=$obj->ref;
|
||||
|
||||
|
||||
print '<tr '.$bc[$var].'>';
|
||||
|
||||
|
||||
if (! empty($arrayfields['p.ref']['checked']))
|
||||
{
|
||||
print '<td class="nowrap">';
|
||||
|
||||
|
||||
print '<table class="nobordernopadding"><tr class="nocellnopadd">';
|
||||
// Picto + Ref
|
||||
print '<td class="nobordernopadding nowrap">';
|
||||
@ -785,11 +785,11 @@ if ($resql)
|
||||
$urlsource=$_SERVER['PHP_SELF'].'?id='.$obj->rowid;
|
||||
print $formfile->getDocumentsLink($objectstatic->element, $filename, $filedir);
|
||||
print '</td></tr></table>';
|
||||
|
||||
|
||||
print "</td>\n";
|
||||
if (! $i) $totalarray['nbfield']++;
|
||||
}
|
||||
|
||||
|
||||
if (! empty($arrayfields['p.ref_client']['checked']))
|
||||
{
|
||||
// Customer ref
|
||||
@ -798,12 +798,12 @@ if ($resql)
|
||||
print '</td>';
|
||||
if (! $i) $totalarray['nbfield']++;
|
||||
}
|
||||
|
||||
|
||||
$companystatic->id=$obj->socid;
|
||||
$companystatic->name=$obj->name;
|
||||
$companystatic->client=$obj->client;
|
||||
$companystatic->code_client=$obj->code_client;
|
||||
|
||||
|
||||
// Thirdparty
|
||||
if (! empty($arrayfields['s.nom']['checked']))
|
||||
{
|
||||
@ -812,7 +812,7 @@ if ($resql)
|
||||
print '</td>';
|
||||
if (! $i) $totalarray['nbfield']++;
|
||||
}
|
||||
|
||||
|
||||
// Town
|
||||
if (! empty($arrayfields['s.town']['checked']))
|
||||
{
|
||||
@ -853,7 +853,7 @@ if ($resql)
|
||||
print '</td>';
|
||||
if (! $i) $totalarray['nbfield']++;
|
||||
}
|
||||
|
||||
|
||||
// Date proposal
|
||||
if (! empty($arrayfields['p.date']['checked']))
|
||||
{
|
||||
@ -862,7 +862,7 @@ if ($resql)
|
||||
print "</td>\n";
|
||||
if (! $i) $totalarray['nbfield']++;
|
||||
}
|
||||
|
||||
|
||||
// Date end validity
|
||||
if (! empty($arrayfields['p.fin_validite']['checked']))
|
||||
{
|
||||
@ -877,7 +877,7 @@ if ($resql)
|
||||
}
|
||||
if (! $i) $totalarray['nbfield']++;
|
||||
}
|
||||
|
||||
|
||||
// Amount HT
|
||||
if (! empty($arrayfields['p.total_ht']['checked']))
|
||||
{
|
||||
@ -902,7 +902,7 @@ if ($resql)
|
||||
if (! $i) $totalarray['totalttcfield']=$totalarray['nbfield'];
|
||||
$totalarray['totalttc'] += $obj->total_ttc;
|
||||
}
|
||||
|
||||
|
||||
$userstatic->id=$obj->fk_user_author;
|
||||
$userstatic->login=$obj->login;
|
||||
|
||||
@ -915,7 +915,7 @@ if ($resql)
|
||||
print "</td>\n";
|
||||
if (! $i) $totalarray['nbfield']++;
|
||||
}
|
||||
|
||||
|
||||
// Extra fields
|
||||
if (is_array($extrafields->attribute_label) && count($extrafields->attribute_label))
|
||||
{
|
||||
@ -1000,20 +1000,20 @@ if ($resql)
|
||||
else print '<td></td>';
|
||||
}
|
||||
print '</tr>';
|
||||
|
||||
|
||||
}
|
||||
|
||||
$db->free($resql);
|
||||
|
||||
|
||||
$parameters=array('arrayfields'=>$arrayfields, 'sql'=>$sql);
|
||||
$reshook=$hookmanager->executeHooks('printFieldListFooter',$parameters); // Note that $action and $object may have been modified by hook
|
||||
print $hookmanager->resPrint;
|
||||
|
||||
|
||||
print '</table>'."\n";
|
||||
print '</div>'."\n";
|
||||
|
||||
print '</form>'."\n";
|
||||
|
||||
|
||||
if ($massaction == 'builddoc' || $action == 'remove_file' || $show_files)
|
||||
{
|
||||
/*
|
||||
@ -1021,18 +1021,18 @@ if ($resql)
|
||||
*/
|
||||
$urlsource=$_SERVER['PHP_SELF'].'?sortfield='.$sortfield.'&sortorder='.$sortorder;
|
||||
$urlsource.=str_replace('&','&',$param);
|
||||
|
||||
|
||||
$filedir=$diroutputmassaction;
|
||||
$genallowed=$user->rights->propal->lire;
|
||||
$delallowed=$user->rights->propal->lire;
|
||||
|
||||
|
||||
print $formfile->showdocuments('massfilesarea_proposals','',$filedir,$urlsource,0,$delallowed,'',1,1,0,48,1,$param,'','');
|
||||
}
|
||||
else
|
||||
{
|
||||
print '<br><a name="show_files"></a><a href="'.$_SERVER["PHP_SELF"].'?show_files=1'.$param.'#show_files">'.$langs->trans("ShowTempMassFilesArea").'</a>';
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
else
|
||||
{
|
||||
|
||||
Loading…
Reference in New Issue
Block a user