Code is using the Universal Filter Syntax
This commit is contained in:
parent
3065b9ca6a
commit
f44c97d3c6
@ -590,7 +590,7 @@ if ($type == Categorie::TYPE_CUSTOMER) {
|
||||
print '<table class="noborder centpercent">';
|
||||
print '<tr class="liste_titre"><td>';
|
||||
print $langs->trans("AddCustomerIntoCategory").' ';
|
||||
$filter = 's.client IN (1,3)';
|
||||
$filter = '(s.client:IN:1,3)';
|
||||
print $form->select_company('', 'elemid', $filter);
|
||||
print '<input type="submit" class="button buttongen" value="'.$langs->trans("ClassifyInCategory").'"></td>';
|
||||
print '</tr>';
|
||||
@ -671,7 +671,7 @@ if ($type == Categorie::TYPE_SUPPLIER) {
|
||||
print '<table class="noborder centpercent">';
|
||||
print '<tr class="liste_titre"><td>';
|
||||
print $langs->trans("AddSupplierIntoCategory").' ';
|
||||
$filter ='s.fournisseur = 1';
|
||||
$filter ='(s.fournisseur:=:1)';
|
||||
print $form->select_company('', 'elemid', $filter);
|
||||
print '<input type="submit" class="button buttongen" value="'.$langs->trans("ClassifyInCategory").'"></td>';
|
||||
print '</tr>';
|
||||
|
||||
@ -1810,7 +1810,7 @@ if ($action == 'create') {
|
||||
//$warehouse_id = $soc->warehouse_id;
|
||||
} else {
|
||||
print '<td class="valuefieldcreate">';
|
||||
$filter = '((s.client = 1 OR s.client = 2 OR s.client = 3) AND status=1)';
|
||||
$filter = '((s.client:IN:1,2,3) AND (s.status:=:1))';
|
||||
print img_picto('', 'company', 'class="pictofixedwidth"').$form->select_company('', 'socid', $filter, 'SelectThirdParty', 1, 0, null, 0, 'minwidth300 maxwidth500 widthcentpercentminusxx');
|
||||
// reload page to retrieve customer informations
|
||||
if (empty($conf->global->RELOAD_PAGE_ON_CUSTOMER_CHANGE_DISABLED)) {
|
||||
@ -2134,7 +2134,7 @@ if ($action == 'create') {
|
||||
// Clone confirmation
|
||||
if ($action == 'clone') {
|
||||
// Create an array for form
|
||||
$filter = '(s.client=1 OR s.client=2 OR s.client=3)';
|
||||
$filter = '(s.client:IN:1,2,3)';
|
||||
$formquestion = array(
|
||||
// 'text' => $langs->trans("ConfirmClone"),
|
||||
// array('type' => 'checkbox', 'name' => 'clone_content', 'label' => $langs->trans("CloneMainAttributes"), 'value' => 1),
|
||||
|
||||
@ -264,7 +264,7 @@ print '<tr class="liste_titre"><td class="liste_titre" colspan="2">'.$langs->tra
|
||||
// Company
|
||||
print '<tr><td class="left">'.$langs->trans("ThirdParty").'</td><td class="left">';
|
||||
print img_picto('', 'company', 'class="pictofixedwidth"');
|
||||
$filter = 's.client IN (1,2,3)';
|
||||
$filter = '(s.client:IN:1,2,3)';
|
||||
print $form->select_company($socid, 'socid', $filter, 1, 0, 0, array(), 0, 'widthcentpercentminusx maxwidth300', '');
|
||||
print '</td></tr>';
|
||||
// ThirdParty Type
|
||||
|
||||
@ -1787,8 +1787,8 @@ if ($action == 'create' && $usercancreate) {
|
||||
print '<input type="hidden" name="socid" value="'.$soc->id.'">';
|
||||
print '</td>';
|
||||
} else {
|
||||
print '<td>';
|
||||
$filter = '((s.client = 1 OR s.client = 2 OR s.client = 3) AND s.status=1)';
|
||||
print '<td class="valuefieldcreate">';
|
||||
$filter = '((s.client:IN:1,2,3) AND (s.status:=:1))';
|
||||
print img_picto('', 'company', 'class="pictofixedwidth"').$form->select_company('', 'socid', $filter, 'SelectThirdParty', 1, 0, null, 0, 'minwidth175 maxwidth500 widthcentpercentminusxx');
|
||||
// reload page to retrieve customer informations
|
||||
if (empty($conf->global->RELOAD_PAGE_ON_CUSTOMER_CHANGE_DISABLED)) {
|
||||
@ -2338,7 +2338,7 @@ if ($action == 'create' && $usercancreate) {
|
||||
|
||||
// Clone confirmation
|
||||
if ($action == 'clone') {
|
||||
$filter = '(s.client=1 OR s.client = 2 OR s.client=3)';
|
||||
$filter = '(s.client:IN:1,2,3)';
|
||||
// Create an array for form
|
||||
$formquestion = array(
|
||||
array('type' => 'other', 'name' => 'socid', 'label' => $langs->trans("SelectThirdParty"), 'value' => $form->select_company(GETPOST('socid', 'int'), 'socid', $filter, '', 0, 0, null, 0, 'maxwidth300'))
|
||||
|
||||
@ -297,10 +297,10 @@ print '<tr class="liste_titre"><td class="liste_titre" colspan="2">'.$langs->tra
|
||||
print '<tr><td class="left">'.$langs->trans("ThirdParty").'</td><td class="left">';
|
||||
$filter = '';
|
||||
if ($mode == 'customer') {
|
||||
$filter = 's.client IN (1,2,3)';
|
||||
$filter = '(s.client:IN:1,2,3)';
|
||||
}
|
||||
if ($mode == 'supplier') {
|
||||
$filter = 's.fournisseur = 1';
|
||||
$filter = '(s.fournisseur:=:1)';
|
||||
}
|
||||
print img_picto('', 'company', 'class="pictofixedwidth"');
|
||||
print $form->select_company($socid, 'socid', $filter, 1, 0, 0, array(), 0, 'widthcentpercentminusx maxwidth300');
|
||||
|
||||
@ -3205,7 +3205,7 @@ if ($action == 'create') {
|
||||
} else {
|
||||
print '<tr><td class="fieldrequired">'.$langs->trans('Customer').'</td>';
|
||||
print '<td colspan="2">';
|
||||
$filter = '((s.client = 1 OR s.client = 3) AND s.status = 1)';
|
||||
$filter = '((s.client:=:1,3) AND (s.status:=:1))';
|
||||
print img_picto('', 'company', 'class="pictofixedwidth"').$form->select_company($soc->id, 'socid', $filter, 'SelectThirdParty', 1, 0, null, 0, 'minwidth300 widthcentpercentminusxx maxwidth500');
|
||||
// Option to reload page to retrieve customer informations.
|
||||
if (empty($conf->global->RELOAD_PAGE_ON_CUSTOMER_CHANGE_DISABLED)) {
|
||||
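Review bot: `$filter = '((s.client:=:1,3) AND (s.status:=:1))'` pairs the `=` operator with a two-value list, which does not express the removed `(s.client = 1 OR s.client = 3)`; every other site in this commit writes that condition as `(s.client:IN:1,3)`. Change the line to `$filter = '((s.client:IN:1,3) AND (s.status:=:1))';`. How `=` with the value `1,3` is rendered depends on dolForgeCriteriaCallback, which is not on the page, but at best it silently narrows the customer list and at worst it produces invalid SQL for this select.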
@ -4320,7 +4320,7 @@ if ($action == 'create') {
|
||||
|
||||
// Clone confirmation
|
||||
if ($action == 'clone') {
|
||||
$filter = '(s.client=1 OR s.client=2 OR s.client=3)';
|
||||
$filter = '(s.client:IN:1,2,3)';
|
||||
// Create an array for form
|
||||
$formquestion = array(
|
||||
array('type' => 'other', 'name' => 'socid', 'label' => $langs->trans("SelectThirdParty"), 'value' => $form->select_company($object->socid, 'socid', $filter, 1)),
|
||||
|
||||
@ -279,10 +279,10 @@ print '<tr class="liste_titre"><td class="liste_titre" colspan="2">'.$langs->tra
|
||||
print '<tr><td>'.$langs->trans("ThirdParty").'</td><td>';
|
||||
$filter = '';
|
||||
if ($mode == 'customer') {
|
||||
$filter = 's.client in (1,2,3)';
|
||||
$filter = '(s.client:IN:1,2,3)';
|
||||
}
|
||||
if ($mode == 'supplier') {
|
||||
$filter = 's.fournisseur = 1';
|
||||
$filter = '(s.fournisseur:=:1)';
|
||||
}
|
||||
print img_picto('', 'company', 'class="pictofixedwidth"');
|
||||
print $form->select_company($socid, 'socid', $filter, 1, 0, 0, array(), 0, 'widthcentpercentminusx maxwidth300');
|
||||
|
||||
@ -1332,7 +1332,7 @@ if ($action == 'create') {
|
||||
);
|
||||
$formconfirm = $form->formconfirm($_SERVER['PHP_SELF']."?id=".$object->id, $langs->trans("ActivateAllOnContract"), $langs->trans("ConfirmActivateAllOnContract"), "confirm_activate", $formquestion, 'yes', 1, 280);
|
||||
} elseif ($action == 'clone') {
|
||||
$filter = '(s.client=1 OR s.client=2 OR s.client=3)';
|
||||
$filter = '(s.client:IN:1,2,3)';
|
||||
// Clone confirmation
|
||||
$formquestion = array(array('type' => 'other', 'name' => 'socid', 'label' => $langs->trans("SelectThirdParty"), 'value' => $form->select_company(GETPOST('socid', 'int'), 'socid', $filter)));
|
||||
$formconfirm = $form->formconfirm($_SERVER["PHP_SELF"].'?id='.$object->id, $langs->trans('ToClone'), $langs->trans('ConfirmCloneContract', $object->ref), 'confirm_clone', $formquestion, 'yes', 1);
|
||||
|
||||
@ -1368,7 +1368,9 @@ class Form
|
||||
*
|
||||
* @param string $selected Preselected type
|
||||
* @param string $htmlname Name of field in form
|
||||
* @param string $filter Optional filters criteras. WARNING: To avoid SQL injection, only few chars [.a-z0-9 =<>()] are allowed here (example: 's.rowid <> x', 's.client IN (1,3)'). Do not use a filter coming from input of users.
|
||||
* @param string $filter Optional filters criteras. WARNING: To avoid SQL injection, only few chars [.a-z0-9 =<>] are allowed here, example: 's.rowid <> x'
|
||||
* If you need parenthesis, use the Universal Filter Syntax, example: '(s.client:in:(1,3))'
|
||||
* Do not use a filter coming from input of users.
|
||||
* @param string $showempty Add an empty field (Can be '1' or text to use on empty line like 'SelectThirdParty')
|
||||
* @param int $showtype Show third party type in combolist (customer, prospect or supplier)
|
||||
* @param int $forcecombo Force to use standard HTML select component without beautification
|
||||
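Review bot: The new docblock example `'(s.client:in:(1,3))'` on the `@param string $filter` line cannot be parsed: the value part of `$regexstring` in forgeSQLFromUniversalSearchCriteria is `[^\(\)]+`, so a parenthesised value never matches and the filter would end on the 'Filter syntax error' path, whereas every call site changed in this commit uses the list form. Replace the example with `'(s.client:IN:1,3)'`. It would also help external callers to state that a legacy filter containing parentheses (the old `'s.client IN (1,3)'` example) is now handed to the Universal Filter parser and rejected, since the later `preg_match('/[\(\)]/', $filter)` in the same method uses a parenthesis as the only syntax switch. The documented method starts outside this hunk.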
@ -1407,8 +1409,23 @@ class Form
|
||||
}
|
||||
}
|
||||
|
||||
//$errormsg = '';
|
||||
//$filter = forgeSQLFromUniversalSearchCriteria($filter, $errormsg);
|
||||
if (preg_match('/[\(\)]/', $filter)) {
|
||||
// If there is one parenthesis inside the criteria, we assume it is an Universal Filter Syntax.
|
||||
$errormsg = '';
|
||||
$filter = forgeSQLFromUniversalSearchCriteria($filter, $errormsg, 1);
|
||||
|
||||
// Redo clean $filter that may contains sql conditions so sql code
|
||||
if (function_exists('testSqlAndScriptInject')) {
|
||||
if (testSqlAndScriptInject($filter, 3) > 0) {
|
||||
$filter = '';
|
||||
return 'SQLInjectionTryDetected';
|
||||
}
|
||||
}
|
||||
} else {
|
||||
// If not, we do nothing. We already no that there is no parenthesis
|
||||
// TODO Disallow this case in a future.
|
||||
dol_syslog("Warning, select_thirdparty_list was called with a filter criteria not using the Universal Search Syntax.", LOG_WARNING);
|
||||
}
|
||||
|
||||
// We search companies
|
||||
$sql = "SELECT s.rowid, s.nom as name, s.name_alias, s.tva_intra, s.client, s.fournisseur, s.code_client, s.code_fournisseur";
|
||||
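Review bot: The result of `forgeSQLFromUniversalSearchCriteria($filter, $errormsg, 1)` is used without looking at `$errormsg`, so on bad syntax the literal 'Filter syntax error' string the helper returns becomes `$filter`, passes testSqlAndScriptInject(), and is concatenated into the query as `AND (Filter syntax error)`, which only fails later at SQL execution time. Add `if (!empty($errormsg)) { return 'Filter syntax error'; }` directly after the call, in the style of the existing `return 'SQLInjectionTryDetected';` (this assumes the helper fills `$error` on its failure path, which lies outside this hunk; if it does not, compare the return value instead). The `$filter = '';` just before `return 'SQLInjectionTryDetected';` is dead and can be dropped. The else-branch comment should read `// If not, we do nothing. We already know that there is no parenthesis`. The enclosing method select_thirdparty_list starts outside the hunk.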
@ -1428,6 +1445,8 @@ class Form
|
||||
$sql .= " AND s.rowid = " . ((int) $user->socid);
|
||||
}
|
||||
if ($filter) {
|
||||
// $filter is safe because, if it contains '(' or ')', it has been sanitized by testSqlAndScriptInject() and forgeSQLFromUniversalSearchCriteria()
|
||||
// if not, by testSqlAndScriptInject() only.
|
||||
$sql .= " AND (" . $filter . ")";
|
||||
}
|
||||
if (empty($user->rights->societe->client->voir) && !$user->socid) {
|
||||
|
||||
@ -11789,9 +11789,10 @@ function jsonOrUnserialize($stringtodecode)
|
||||
* aaa is a field name (with alias or not) and
|
||||
* bbb is one of this operator '=', '<', '>', '<=', '>=', '!=', 'in', 'notin', 'like', 'notlike', 'is', 'isnot'.
|
||||
* @param string $error Error message
|
||||
* @param int $noand 0=Default, 1=Do not add the AND before the condition string.
|
||||
* @return string Return forged SQL string
|
||||
*/
|
||||
function forgeSQLFromUniversalSearchCriteria($filter, &$error = '')
|
||||
function forgeSQLFromUniversalSearchCriteria($filter, &$error = '', $noand = 0)
|
||||
{
|
||||
$regexstring = '\(([a-zA-Z0-9_\.]+:[<>!=insotlke]+:[^\(\)]+)\)'; // Must be (aaa:bbb:...) with aaa is a field name (with alias or not) and bbb is one of this operator '=', '<', '>', '<=', '>=', '!=', 'in', 'notin', 'like', 'notlike', 'is', 'isnot'
|
||||
|
||||
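Review bot: The operator list in the docblock (`'in', 'notin', 'like', ...`) is lowercase while every caller updated in this commit writes `:IN:`; the pattern is applied with the `i` modifier (`'/'.$regexstring.'/i'` in the return statement of the next hunk), so both spellings work, but the docblock should say so, e.g. `* bbb is one of these operators (case-insensitive): '=', '<', '>', '<=', '>=', '!=', 'in', 'notin', 'like', 'notlike', 'is', 'isnot'.` The new `$noand` parameter is documented as 0/1 but only tested for truthiness in `($noand ? "" : " AND ")`; documenting it as `@param int $noand 0=Default, 1=Do not add the AND before the condition string (any non-zero value is treated as 1).` keeps the docblock honest about what the code does. The rest of the function body is outside this hunk.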
@ -11808,7 +11809,7 @@ function forgeSQLFromUniversalSearchCriteria($filter, &$error = '')
|
||||
return 'Filter syntax error'; // Bad syntax of the search string, we force a SQL not found
|
||||
}
|
||||
|
||||
return " AND (".preg_replace_callback('/'.$regexstring.'/i', 'dolForgeCriteriaCallback', $filter).")";
|
||||
return ($noand ? "" : " AND ")."(".preg_replace_callback('/'.$regexstring.'/i', 'dolForgeCriteriaCallback', $filter).")";
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@ -440,7 +440,7 @@ if ($action == 'create') {
|
||||
} else {
|
||||
print '<td class="fieldrequired">'.$langs->trans('ThirdParty').'</td>';
|
||||
print '<td>';
|
||||
$filter = '(s.client = 1 OR s.client = 3) AND status=1';
|
||||
$filter = '((s.client:IN:1,3) AND (status:=:1))';
|
||||
print $form->select_company($soc->id, 'socid', $filter, 'SelectThirdParty', 0, 0, null, 0, 'minwidth300');
|
||||
// Option to reload page to retrieve customer informations. Note, this clear other input
|
||||
if (!empty($conf->global->RELOAD_PAGE_ON_CUSTOMER_CHANGE_DISABLED)) {
|
||||
|
||||
@ -220,7 +220,7 @@ print '<table class="noborder centpercent">';
|
||||
print '<tr class="liste_titre"><td class="liste_titre" colspan="2">'.$langs->trans("Filter").'</td></tr>';
|
||||
// Company
|
||||
print '<tr><td class="left">'.$langs->trans("ThirdParty").'</td><td class="left">';
|
||||
$filter = 's.client IN (1,2,3)';
|
||||
$filter = '(s.client:IN:1,2,3)';
|
||||
print img_picto('', 'company', 'class="pictofixedwidth"');
|
||||
print $form->select_company($socid, 'socid', $filter, 1, 0, 0, array(), 0, 'widthcentpercentminusx maxwidth300', '');
|
||||
print '</td></tr>';
|
||||
|
||||
@ -1694,7 +1694,7 @@ if ($action == 'create') {
|
||||
print $societe->getNomUrl(1, 'supplier');
|
||||
print '<input type="hidden" name="socid" value="'.$societe->id.'">';
|
||||
} else {
|
||||
$filter = '(s.fournisseur=1 AND s.status=1)';
|
||||
$filter = '((s.fournisseur:=:1) AND (s.status:=:1))';
|
||||
print img_picto('', 'company', 'class="pictofixedwidth"').$form->select_company((empty($socid) ? '' : $socid), 'socid', $filter, 'SelectThirdParty', 1, 0, null, 0, 'minwidth175 maxwidth500 widthcentpercentminusxx');
|
||||
// reload page to retrieve customer informations
|
||||
if (empty($conf->global->RELOAD_PAGE_ON_SUPPLIER_CHANGE_DISABLED)) {
|
||||
@ -1899,7 +1899,7 @@ if ($action == 'create') {
|
||||
|
||||
// Clone confirmation
|
||||
if ($action == 'clone') {
|
||||
$filter = '(s.fournisseur=1)';
|
||||
$filter = '(s.fournisseur:=:1)';
|
||||
// Create an array for form
|
||||
$formquestion = array(
|
||||
array('type' => 'other', 'name' => 'socid', 'label' => $langs->trans("SelectThirdParty"), 'value' => $form->select_company(GETPOST('socid', 'int'), 'socid', $filter))
|
||||
@ -2036,7 +2036,7 @@ if ($action == 'create') {
|
||||
$morehtmlref .= '<form method="post" action="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'">';
|
||||
$morehtmlref .= '<input type="hidden" name="action" value="set_thirdparty">';
|
||||
$morehtmlref .= '<input type="hidden" name="token" value="'.newToken().'">';
|
||||
$filter = 's.fournisseur=1';
|
||||
$filter = '(s.fournisseur:=:1)';
|
||||
$morehtmlref .= $form->select_company($object->thirdparty->id, 'new_socid', $filter, '', 0, 0, array(), 0, 'minwidth300');
|
||||
$morehtmlref .= '<input type="submit" class="button valignmiddle" value="'.$langs->trans("Modify").'">';
|
||||
$morehtmlref .= '</form>';
|
||||
|
||||
@ -2199,7 +2199,7 @@ if ($action == 'create') {
|
||||
print $societe->getNomUrl(1, 'supplier');
|
||||
print '<input type="hidden" name="socid" value="'.$societe->id.'">';
|
||||
} else {
|
||||
$filter = '(s.fournisseur = 1 AND s.status = 1)';
|
||||
$filter = '((s.fournisseur:=:1) AND (s.status:=:1))';
|
||||
print img_picto('', 'company', 'class="pictofixedwidth"').$form->select_company(empty($societe->id) ? 0 : $societe->id, 'socid', $filter, 'SelectThirdParty', 1, 0, null, 0, 'minwidth175 widthcentpercentminusxx maxwidth500');
|
||||
// reload page to retrieve supplier informations
|
||||
if (empty($conf->global->RELOAD_PAGE_ON_SUPPLIER_CHANGE_DISABLED)) {
|
||||
|
||||
@ -110,7 +110,7 @@ if ($socid > 0) {
|
||||
if ($soc->client) {
|
||||
print '<tr><td class="titlefield">'.$langs->trans('ThirdPartyName').'</td>';
|
||||
print '<td class="maxwidthonsmartphone" colspan="4">';
|
||||
$filter = '(client=1 OR client=3)';
|
||||
$filter = '(client:IN:1,3)';
|
||||
print img_picto('', 'company').$form->select_company($socid, 'socid', $filter, 1, 0, 0);
|
||||
print '</td></tr>';
|
||||
|
||||
|
||||
@ -501,7 +501,7 @@ if ($id > 0 || $ref) {
|
||||
} else {
|
||||
$events = array();
|
||||
$events[] = array('method' => 'getVatRates', 'url' => dol_buildpath('/core/ajax/vatrates.php', 1), 'htmlname' => 'tva_tx', 'params' => array());
|
||||
$filter = 'fournisseur=1';
|
||||
$filter = '(fournisseur:=:1)';
|
||||
print img_picto('', 'company', 'class="pictofixedwidth"').$form->select_company(GETPOST("id_fourn", 'alpha'), 'id_fourn', $filter, 'SelectThirdParty', 0, 0, $events);
|
||||
|
||||
$parameters = array('filtre'=>"fournisseur=1", 'html_name'=>'id_fourn', 'selected'=>GETPOST("id_fourn"), 'showempty'=>1, 'prod_id'=>$object->id);
|
||||
|
||||
@ -1944,7 +1944,7 @@ if (!empty($conf->global->PRODUIT_CUSTOMER_PRICES)) {
|
||||
print '<tr>';
|
||||
print '<td class="fieldrequired">'.$langs->trans('ThirdParty').'</td>';
|
||||
print '<td>';
|
||||
$filter = 's.client IN (1,2,3)';
|
||||
$filter = '(s.client:IN:1,2,3)';
|
||||
print img_picto('', 'company').$form->select_company('', 'socid', $filter, 'SelectThirdParty', 0, 0, array(), 0, 'minwidth300');
|
||||
print '</td>';
|
||||
print '</tr>';
|
||||
|
||||
@ -615,7 +615,7 @@ if (!empty($conf->global->STOCK_ALLOW_ADD_LIMIT_STOCK_BY_WAREHOUSE)) {
|
||||
print '</div>';
|
||||
}
|
||||
print '<div class="inline-block valignmiddle" style="padding-right: 20px;">';
|
||||
$filter = 'fournisseur=1';
|
||||
$filter = '(fournisseur:=:1)';
|
||||
print $langs->trans('Supplier').' '.$form->select_company($fk_supplier, 'fk_supplier', $filter, 1);
|
||||
print '</div>';
|
||||
|
||||
|
||||
@ -1273,7 +1273,7 @@ if ($action == 'create') {
|
||||
print '</td>';
|
||||
} else {
|
||||
print '<td colspan="2">';
|
||||
$filter = 's.fournisseur=1';
|
||||
$filter = '(s.fournisseur:=:1)';
|
||||
print img_picto('', 'company', 'class="pictofixedwidth"').$form->select_company('', 'socid', $filter, 'SelectThirdParty', 0, 0, null, 0, 'minwidth300');
|
||||
// reload page to retrieve customer informations
|
||||
if (!empty($conf->global->RELOAD_PAGE_ON_SUPPLIER_CHANGE)) {
|
||||
@ -1526,7 +1526,7 @@ if ($action == 'create') {
|
||||
|
||||
// Clone confirmation
|
||||
if ($action == 'clone') {
|
||||
$filter = 's.fournisseur=1';
|
||||
$filter = '(s.fournisseur:=:1)';
|
||||
// Create an array for form
|
||||
$formquestion = array(
|
||||
// 'text' => $langs->trans("ConfirmClone"),
|
||||
|
||||
@ -159,7 +159,7 @@ print '</td></tr>';
|
||||
|
||||
print '<tr class="oddeven"><td class="fieldrequired">'.$langs->trans("CashDeskThirdPartyForSell").'</td>';
|
||||
print '<td>';
|
||||
$filter = '(s.client IN (1, 3) AND s.status = 1)';
|
||||
$filter = '((s.client:IN:1,3) AND (s.status:=:1))';
|
||||
print $form->select_company(getDolGlobalInt('CASHDESK_ID_THIRDPARTY'.$terminaltouse), 'socid', $filter, 1, 0, 0, array(), 0);
|
||||
print '</td></tr>';
|
||||
|
||||
|
||||