Fight against $_POST

This commit is contained in:
Laurent Destailleur 2020-02-16 19:33:58 +01:00
parent 52aebce789
commit f4f3efec62
41 changed files with 117 additions and 129 deletions


@ -15,6 +15,9 @@ WARNING:
Following changes may create regressions for some external modules, but were necessary to make Dolibarr better:
* PHP 5.5 is no more supported. Minimum PHP is now 5.6+.
* Default mode for GETPOST function is now 'alphanohtml' instead of 'none'. So check when you make POST or GET requests
with HTML content that you make a GETPOST('myparam', 'restricthtml') or GETPOST('myparam', 'none') if you really need posted content without sanitizing
the HTML into content (in such a case, sanitize data later)


@ -157,7 +157,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha'))
foreach ($listfield as $f => $value)
{
if ($value == 'country_id' && in_array($tablib[$id], array('Pcg_version'))) continue; // For some pages, country is not mandatory
if ((! isset($_POST[$value]) || $_POST[$value]==''))
if ((! GETPOSTISSET($value)) || GETPOST($value) == '')
{
$ok=0;
$fieldnamekey=$listfield[$f];
@ -170,13 +170,13 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha'))
}
}
// Other checks
if ($tabname[$id] == MAIN_DB_PREFIX."c_actioncomm" && isset($_POST["type"]) && in_array($_POST["type"], array('system','systemauto'))) {
if ($tabname[$id] == MAIN_DB_PREFIX."c_actioncomm" && GETPOSTISSET("type") && in_array($_POST["type"], array('system','systemauto'))) {
$ok=0;
setEventMessages($langs->transnoentities('ErrorReservedTypeSystemSystemAuto'), null, 'errors');
}
if (isset($_POST["pcg_version"]))
if (GETPOSTISSET("pcg_version"))
{
if ($_POST["pcg_version"]=='0')
if (GETPOST("pcg_version") == '0')
{
$ok=0;
setEventMessages($langs->transnoentities('ErrorCodeCantContainZero'), null, 'errors');
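Review bot: The `c_actioncomm` check is only half converted: the `isset` became `GETPOSTISSET("type")` but the value tested is still the raw `$_POST["type"]`, so it never goes through the sanitizing this commit introduces; write it as `in_array(GETPOST("type", 'alpha'), array('system','systemauto'), true)`. The same pattern — `GETPOSTISSET()` guarding a raw `$_POST[...]` read — is left in place at the `$_POST["country"] == '0'` test (L115) and at the `price2num($_POST["price_".$i], 'MU')` / `$_POST["multiprices_base_type_".$i]` assignments (L682-L683); those should read through `GETPOST()` with an explicit check as well. Since the whole point of the commit is to route request data through one entry point, a follow-up grep for `$_POST[` next to `GETPOSTISSET(` would catch the remaining ones.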


@ -153,7 +153,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha'))
if ($value == 'formula' && empty($_POST['formula'])) continue;
if ($value == 'range_account' && empty($_POST['range_account'])) continue;
if ($value == 'country' || $value == 'country_id') continue;
if (!isset($_POST[$value]) || $_POST[$value] == '')
if (! GETPOSTISSET($value) || GETPOST($value) == '')
{
$ok = 0;
$fieldnamekey = $listfield[$f];


@ -165,9 +165,9 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha'))
if ($fieldnamekey == 'nature') $fieldnamekey = 'NatureOfJournal';
}
// Other checks
if (isset($_POST["code"]))
if (GETPOSTISSET("code"))
{
if ($_POST["code"] == '0')
if (GETPOST("code") == '0')
{
$ok = 0;
setEventMessages($langs->transnoentities('ErrorCodeCantContainZero'), null, 'errors');


@ -214,7 +214,7 @@ if ($user->rights->adherent->cotisation->creer && $action == 'edit')
// Type
print '<tr>';
print '<td>'.$langs->trans("Type").'</td><td class="valeur" colspan="3">';
print $form->selectarray("typeid", $adht->liste_array(), (isset($_POST["typeid"]) ? $_POST["typeid"] : $object->fk_type));
print $form->selectarray("typeid", $adht->liste_array(), (GETPOSTISSET("typeid") ? GETPOST("typeid") : $object->fk_type));
print'</td></tr>';
// Date start subscription
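Review bot: `typeid` is the id of a subscription type, yet it is read with `GETPOST("typeid")`, which now applies the string check 'alphanohtml' rather than the numeric one; `GETPOST("typeid", 'int')` documents the expected shape and rejects anything that is not a number. The same applies to `GETPOST('fk_account')` (L411) and `GETPOST("accountid")` (L509), which are bank-account ids. If a non-numeric value is meaningful for one of them (an empty string meaning "none", for instance), a short comment on that line should say so.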


@ -792,7 +792,7 @@ if ($rowid > 0)
$morphys["phy"] = $langs->trans("Physical");
$morphys["mor"] = $langs->trans("Moral");
print '<tr><td><span>'.$langs->trans("MemberNature").'</span></td><td>';
print $form->selectarray("morphy", $morphys, isset($_POST["morphy"]) ? $_POST["morphy"] : $object->morphy);
print $form->selectarray("morphy", $morphys, GETPOSTISSET("morphy") ? GETPOST("morphy") : $object->morphy);
print "</td></tr>";
print '<tr><td>'.$langs->trans("SubscriptionRequired").'</td><td>';


@ -678,9 +678,9 @@ if (GETPOST('actionadd') || GETPOST('actionmodify'))
$ok = 0;
setEventMessages($langs->transnoentities('ErrorReservedTypeSystemSystemAuto'), null, 'errors');
}
if (isset($_POST["code"]))
if (GETPOSTISSET("code"))
{
if ($_POST["code"] == '0')
if (GETPOST("code") == '0')
{
$ok = 0;
setEventMessages($langs->transnoentities('ErrorCodeCantContainZero'), null, 'errors');
@ -691,7 +691,7 @@ if (GETPOST('actionadd') || GETPOST('actionmodify'))
$msg .= $langs->transnoentities('ErrorFieldFormat', $langs->transnoentities('Code')).'<br>';
}*/
}
if (isset($_POST["country"]) && ($_POST["country"] == '0') && ($id != 2))
if (GETPOSTISSET("country") && ($_POST["country"] == '0') && ($id != 2))
{
if (in_array($tablib[$id], array('DictionaryCompanyType', 'DictionaryHolidayTypes'))) // Field country is no mandatory for such dictionaries
{


@ -53,8 +53,7 @@ if ($action == "save")
foreach ($eventstolog as $key => $arr)
{
$param='MAIN_LOGEVENTS_'.$arr['id'];
//print "param=".$param." - ".$_POST[$param];
if (! empty($_POST[$param])) dolibarr_set_const($db, $param, $_POST[$param], 'chaine', 0, '', $conf->entity);
if (GETPOST($param, 'alphanohtml')) dolibarr_set_const($db, $param, GETPOST($param, 'alphanohtml'), 'chaine', 0, '', $conf->entity);
else dolibarr_del_const($db, $param, $conf->entity);
}


@ -239,13 +239,6 @@ else
jsdump(CKEDITOR.env, "divforlog");
</script>';
}
/*
print '<!-- Result -->';
print $_POST["formtestfield"];
print '<!-- Result -->';
print $conf->global->FCKEDITOR_TEST;
*/
}
// End of page


@ -51,14 +51,14 @@ if ($action == 'setvalue' && $user->admin)
$error = 0;
$db->begin();
if (!dolibarr_set_const($db, 'LDAP_GROUP_DN', GETPOST("group"), 'chaine', 0, '', $conf->entity)) $error++;
if (!dolibarr_set_const($db, 'LDAP_GROUP_OBJECT_CLASS', GETPOST("objectclass"), 'chaine', 0, '', $conf->entity)) $error++;
if (!dolibarr_set_const($db, 'LDAP_GROUP_DN', GETPOST("group", 'alphanohtml'), 'chaine', 0, '', $conf->entity)) $error++;
if (!dolibarr_set_const($db, 'LDAP_GROUP_OBJECT_CLASS', GETPOST("objectclass", 'alphanohtml'), 'chaine', 0, '', $conf->entity)) $error++;
if (!dolibarr_set_const($db, 'LDAP_GROUP_FIELD_FULLNAME', GETPOST("fieldfullname"), 'chaine', 0, '', $conf->entity)) $error++;
//if (! dolibarr_set_const($db, 'LDAP_GROUP_FIELD_NAME',$_POST["fieldname"],'chaine',0,'',$conf->entity)) $error++;
if (!dolibarr_set_const($db, 'LDAP_GROUP_FIELD_DESCRIPTION', GETPOST("fielddescription"), 'chaine', 0, '', $conf->entity)) $error++;
if (!dolibarr_set_const($db, 'LDAP_GROUP_FIELD_GROUPMEMBERS', GETPOST("fieldgroupmembers"), 'chaine', 0, '', $conf->entity)) $error++;
if (!dolibarr_set_const($db, 'LDAP_GROUP_FIELD_GROUPID', GETPOST("fieldgroupid"), 'chaine', 0, '', $conf->entity)) $error++;
if (!dolibarr_set_const($db, 'LDAP_GROUP_FIELD_FULLNAME', GETPOST("fieldfullname", 'alphanohtml'), 'chaine', 0, '', $conf->entity)) $error++;
//if (! dolibarr_set_const($db, 'LDAP_GROUP_FIELD_NAME',GETPOST("fieldname", 'alphanohtml'),'chaine',0,'',$conf->entity)) $error++;
if (!dolibarr_set_const($db, 'LDAP_GROUP_FIELD_DESCRIPTION', GETPOST("fielddescription", 'alphanohtml'), 'chaine', 0, '', $conf->entity)) $error++;
if (!dolibarr_set_const($db, 'LDAP_GROUP_FIELD_GROUPMEMBERS', GETPOST("fieldgroupmembers", 'alphanohtml'), 'chaine', 0, '', $conf->entity)) $error++;
if (!dolibarr_set_const($db, 'LDAP_GROUP_FIELD_GROUPID', GETPOST("fieldgroupid", 'alphanohtml'), 'chaine', 0, '', $conf->entity)) $error++;
// This one must be after the others
$valkey = '';


@ -31,6 +31,8 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/menubase.class.php';
// Load translation files required by the page
$langs->loadLangs(array("other", "admin"));
$cancel = GETPOST('cancel', 'alpha'); // We click on a Cancel button
if (!$user->admin) accessforbidden();
$dirstandard = array();
@ -64,12 +66,12 @@ if (GETPOST("menu_handler")) $menu_handler = GETPOST("menu_handler");
if ($action == 'update')
{
if (!$_POST['cancel'])
if (! $cancel)
{
$leftmenu = ''; $mainmenu = '';
if (!empty($_POST['menuIdParent']) && !is_numeric($_POST['menuIdParent']))
if (GETPOST('menuIdParent', 'alpha') && !is_numeric(GETPOST('menuIdParent', 'alpha')))
{
$tmp = explode('&', $_POST['menuIdParent']);
$tmp = explode('&', GETPOST('menuIdParent', 'alpha'));
foreach ($tmp as $s)
{
if (preg_match('/fk_mainmenu=/', $s))
@ -138,7 +140,7 @@ if ($action == 'update')
if ($action == 'add')
{
if ($_POST['cancel'])
if ($cancel)
{
header("Location: ".DOL_URL_ROOT."/admin/menus/index.php?menu_handler=".$menu_handler);
exit;
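Review bot: In the `menuIdParent` hunk, `GETPOST('menuIdParent', 'alpha')` is evaluated three times in a row (condition, `is_numeric`, `explode`); reading it once, `$menuIdParent = GETPOST('menuIdParent', 'alpha');`, keeps the three uses consistent and avoids repeating the filter. The `explode('&', ...)` that follows relies on `&` surviving the 'alpha' check — it appears to today, but a one-line comment such as `// value is of the form fk_mainmenu=xxx&fk_leftmenu=yyy` would stop a later tightening of 'alpha' from silently breaking the parse. Note also that `$cancel` is now read with the default method, so a `cancel` query-string parameter is honoured where only a posted field was before; presumably harmless for a cancel button, but it is a behaviour change the description does not mention.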


@ -59,9 +59,18 @@ if ($action == 'setconst' && $user->admin)
{
$error = 0;
$db->begin();
foreach ($_POST['setupdriver'] as $setupconst) {
$setupconstarray = GETPOST('setupdriver', 'array');
foreach ($setupconstarray as $setupconst) {
//print '<pre>'.print_r($setupconst, true).'</pre>';
$result = dolibarr_set_const($db, $setupconst['varname'], $setupconst['value'], 'chaine', 0, '', $conf->entity);
$constname = dol_escape_htmltag($setupconst['varname']);
$constvalue = dol_escape_htmltag($setupconst['value']);
$consttype = dol_escape_htmltag($setupconst['type']);
$constnote = dol_escape_htmltag($setupconst['note']);
$result = dolibarr_set_const($db, $constname, $constvalue, $consttype, 0, $constnote, $conf->entity);
if (!$result > 0) $error++;
}
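Review bot: Lines L212-L215 run `dol_escape_htmltag()` on the posted values before storing them, but that function is an HTML output encoder, not an input filter: a value containing `&`, `'` or `"` is persisted entity-encoded and comes back wrong wherever the constant is used outside an HTML context. Strip markup instead (`dol_string_nohtmltag()`, which the commit already uses in CoreObject, or per-element 'alphanohtml' checks) and escape at output time. The rewrite also replaces the previously fixed `'chaine'` type and empty note with `$setupconst['type']` and `$setupconst['note']` taken from the request, so the constant type is now client-controlled and the keys may be absent from a posted element (notice on undefined index); either keep the fixed type or validate `$consttype` against the accepted type names before the `dolibarr_set_const()` call. The same `dol_escape_htmltag()`-as-sanitizer pattern is repeated at L301-L304 in the constants admin page, where `$type[$consttype]` is additionally looked up with a request-supplied key that should be checked with `isset()` first.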


@ -70,8 +70,8 @@ if (preg_match('/set_([a-z0-9_\-]+)/i', $action, $reg))
elseif ($action == 'updateform')
{
$res1=dolibarr_set_const($db, "MAIN_APPLICATION_TITLE", $_POST["MAIN_APPLICATION_TITLE"], 'chaine', 0, '', $conf->entity);
$res2=dolibarr_set_const($db, "MAIN_SESSION_TIMEOUT", $_POST["MAIN_SESSION_TIMEOUT"], 'chaine', 0, '', $conf->entity);
$res1=dolibarr_set_const($db, "MAIN_APPLICATION_TITLE", GETPOST("MAIN_APPLICATION_TITLE", 'alphanohtml'), 'chaine', 0, '', $conf->entity);
$res2=dolibarr_set_const($db, "MAIN_SESSION_TIMEOUT", GETPOST("MAIN_SESSION_TIMEOUT", 'alphanohtml'), 'chaine', 0, '', $conf->entity);
if ($res1 && $res2) setEventMessages($langs->trans("RecordModifiedSuccessfully"), null, 'mesgs');
}
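Review bot: `MAIN_SESSION_TIMEOUT` is a number of seconds, so `GETPOST("MAIN_SESSION_TIMEOUT", 'int')` is the right check here rather than 'alphanohtml', which still lets arbitrary text reach the session configuration. 'alphanohtml' for `MAIN_APPLICATION_TITLE` is appropriate since that value is rendered as text. `$res1`/`$res2` are only checked for success; a failure produces no message, which is pre-existing but worth an `else setEventMessages(..., 'errors')` while this block is being touched.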


@ -28,6 +28,8 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php';
// Load translation files required by the page
$langs->loadLangs(array("companies", "admin", "products", "sms", "other", "errors"));
$cancel = GETPOST('cancel', 'alpha'); // We click on a Cancel button
if (!$user->admin)
accessforbidden();
@ -46,14 +48,13 @@ $action = GETPOST('action', 'aZ09');
* Actions
*/
if ($action == 'update' && empty($_POST["cancel"]))
if ($action == 'update' && !$cancel)
{
dolibarr_set_const($db, "MAIN_DISABLE_ALL_SMS", $_POST["MAIN_DISABLE_ALL_SMS"], 'chaine', 0, '', $conf->entity);
dolibarr_set_const($db, "MAIN_DISABLE_ALL_SMS", GETPOST("MAIN_DISABLE_ALL_SMS", 'alphanohtml'), 'chaine', 0, '', $conf->entity);
dolibarr_set_const($db, "MAIN_SMS_SENDMODE", $_POST["MAIN_SMS_SENDMODE"], 'chaine', 0, '', $conf->entity);
dolibarr_set_const($db, "MAIN_SMS_SENDMODE", GETPOST("MAIN_SMS_SENDMODE", 'alphahtml'), 'chaine', 0, '', $conf->entity);
dolibarr_set_const($db, "MAIN_MAIL_SMS_FROM", $_POST["MAIN_MAIL_SMS_FROM"], 'chaine', 0, '', $conf->entity);
//dolibarr_set_const($db, "MAIN_MAIL_AUTOCOPY_TO", $_POST["MAIN_MAIL_AUTOCOPY_TO"], 'chaine', 0, '', $conf->entity);
dolibarr_set_const($db, "MAIN_MAIL_SMS_FROM", GETPOST("MAIN_MAIL_SMS_FROM", 'alphanohtml'), 'chaine', 0, '', $conf->entity);
header("Location: ".$_SERVER["PHP_SELF"]."?mainmenu=home&leftmenu=setup");
exit;
@ -68,15 +69,15 @@ if ($action == 'send' && !$_POST['cancel'])
$error = 0;
$smsfrom = '';
if (!empty($_POST["fromsms"])) $smsfrom = GETPOST("fromsms");
if (empty($smsfrom)) $smsfrom = GETPOST("fromname");
$sendto = GETPOST("sendto");
$body = GETPOST('message');
$deliveryreceipt = GETPOST("deliveryreceipt");
$deferred = GETPOST('deferred');
$priority = GETPOST('priority');
$class = GETPOST('class');
$errors_to = GETPOST("errorstosms");
if (!empty($_POST["fromsms"])) $smsfrom = GETPOST("fromsms", 'alphanohtml');
if (empty($smsfrom)) $smsfrom = GETPOST("fromname", 'alphanohtml');
$sendto = GETPOST("sendto", 'alphanohtml');
$body = GETPOST('message', 'alphanohtml');
$deliveryreceipt = GETPOST("deliveryreceipt", 'alphanohtml');
$deferred = GETPOST('deferred', 'alphanohtml');
$priority = GETPOST('priority', 'alphanohtml');
$class = GETPOST('class', 'alphanohtml');
$errors_to = GETPOST("errorstosms", 'alphanohtml');
// Create form object
include_once DOL_DOCUMENT_ROOT.'/core/class/html.formsms.class.php';
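Review bot: `'alphahtml'` on the `MAIN_SMS_SENDMODE` line (L249) is not among the check names visible in the GETPOST docblock this commit edits ('array', 'san_alpha', 'nohtml', 'alphanohtml', 'restricthtml', 'custom'), and I don't know it from elsewhere; if GETPOST has no matching case the value presumably passes through unfiltered, which is the opposite of what the line intends. The send mode is a short identifier, so `GETPOST("MAIN_SMS_SENDMODE", 'alpha')` (or 'aZ09') is the fitting check. In the second hunk, `!empty($_POST["fromsms"])` on L267 is still a raw `$_POST` read beside the converted `GETPOST("fromsms", 'alphanohtml')`; `if (GETPOST("fromsms", 'alphanohtml')) $smsfrom = GETPOST("fromsms", 'alphanohtml');` expresses the same condition through the single entry point.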


@ -50,18 +50,20 @@ $action = GETPOST('action', 'aZ09');
// Action mise a jour ou ajout d'une constante
if ($action == 'update' || $action == 'add')
{
$constname=GETPOST("constname");
$constvalue=GETPOST("constvalue");
$constnamearray = GETPOST("constname", 'array');
$constvaluearray = GETPOST("constvalue", 'array');
$consttypearray = GETPOST("consttype", 'array');
$constnotearray = GETPOST("constnote", 'array');
// Action mise a jour ou ajout d'une constante
if ($action == 'update' || $action == 'add')
{
foreach($_POST['constname'] as $key => $val)
foreach($constnamearray as $key => $val)
{
$constname=$_POST["constname"][$key];
$constvalue=$_POST["constvalue"][$key];
$consttype=$_POST["consttype"][$key];
$constnote=$_POST["constnote"][$key];
$constname = dol_escape_htmltag($constnamearray[$key]);
$constvalue = dol_escape_htmltag($constvaluearray[$key]);
$consttype = dol_escape_htmltag($consttypearray[$key]);
$constnote = dol_escape_htmltag($constnotearray[$key]);
$res=dolibarr_set_const($db, $constname, $constvalue, $type[$consttype], 0, $constnote, $conf->entity);


@ -171,7 +171,7 @@ if ($action == 'setmod')
if ($action == 'addcat')
{
$fourn = new Fournisseur($db);
$fourn->CreateCategory($user, $_POST["cat"]);
$fourn->CreateCategory($user, GETPOST('cat', 'alphanohtml'));
}
if ($action == 'set_SUPPLIER_INVOICE_FREE_TEXT')


@ -165,7 +165,7 @@ elseif ($action == 'setmod')
elseif ($action == 'addcat')
{
$fourn = new Fournisseur($db);
$fourn->CreateCategory($user, $_POST["cat"]);
$fourn->CreateCategory($user, GETPOST('cat', 'alphanohtml'));
}
elseif ($action == 'set_SUPPLIER_ORDER_OTHER')


@ -132,7 +132,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha'))
$ok=1;
foreach ($listfield as $f => $value)
{
if ($value == 'ref' && (! isset($_POST[$value]) || $_POST[$value]==''))
if ($value == 'ref' && (! GETPOSTISSET($value) || GETPOST($value) == ''))
{
$ok=0;
$fieldnamekey=$listfield[$f];


@ -609,37 +609,15 @@ if ($rowid > 0)
print $object->showOptionals($extrafields, 'edit', $parameters);
}
print '</table>';
// Other attributes
include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_edit.tpl.php';
// Extra field
if (empty($reshook))
{
print '<br><br><table class="border centpercent">';
foreach ($extrafields->attributes[$object->element]['label'] as $key=>$label)
{
if (isset($_POST["options_".$key])) {
if (is_array($_POST["options_".$key])) {
// $_POST["options"] is an array but following code expects a comma separated string
$value = implode(",", $_POST["options_".$key]);
} else {
$value = $_POST["options_".$key];
}
} else {
$value = $adht->array_options["options_".$key];
}
print '<tr><td width="30%">'.$label.'</td><td>';
print $extrafields->showInputField($key, $value);
print "</td></tr>\n";
}
print '</table><br><br>';
}
print '</table>';
dol_fiche_end();
print '<div class="center">';
print '<input type="submit" class="button" value="'.$langs->trans("Save").'">';
print '&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;';
print '<input type="submit" name="cancel" class="button" value="'.$langs->trans("Cancel").'">';
print '<div class="center"><input type="submit" class="button" name="save" value="'.$langs->trans("Save").'">';
print ' &nbsp; <input type="submit" class="button" name="cancel" value="'.$langs->trans("Cancel").'">';
print '</div>';
print "</form>";


@ -109,7 +109,7 @@ if (!empty($conf->product->enabled) || !empty($conf->service->enabled))
}
$coldisplay++;
print '<td class="bordertop nobottom linecolqty right"><input type="text" size="2" name="qty" id="qty" class="flat right" value="'.(isset($_POST["qty"]) ?GETPOST("qty", 'alpha', 2) : 1).'">';
print '<td class="bordertop nobottom linecolqty right"><input type="text" size="2" name="qty" id="qty" class="flat right" value="'.(GETPOSTISSET("qty") ? GETPOST("qty", 'alpha', 2) : 1).'">';
print '</td>';
if ($conf->global->PRODUCT_USE_UNITS)


@ -117,7 +117,7 @@ for ($i = 0; $i < $nbtoshow; $i++)
$buyer = new Societe($db);
if ($_SESSION["CASHDESK_ID_THIRDPARTY"] > 0) $buyer->fetch($_SESSION["CASHDESK_ID_THIRDPARTY"]);
echo $form->load_tva('selTva', (isset($_POST["selTva"])?GETPOST("selTva", 'alpha', 2):$vatrate), $mysoc, $buyer, 0, 0, '', false, -1);
echo $form->load_tva('selTva', (GETPOSTISSET("selTva") ? GETPOST("selTva", 'alpha', 2) : $vatrate), $mysoc, $buyer, 0, 0, '', false, -1);
?>
</td>
<td></td>


@ -3351,8 +3351,8 @@ if ($action == 'create')
print '</td></tr>';
// Bank Account
if (isset($_POST['fk_account'])) {
$fk_account = $_POST['fk_account'];
if (GETPOSTISSET('fk_account')) {
$fk_account = GETPOST('fk_account');
}
print '<tr><td>'.$langs->trans('BankAccount').'</td><td colspan="2">';


@ -4967,7 +4967,7 @@ abstract class CommonObject
global $conf, $_POST;
// If param here has been posted, we use this value first.
if (isset($_POST[$fieldname])) return GETPOST($fieldname, 2);
if (GETPOSTISSET($fieldname)) return GETPOST($fieldname, 'alphanohtml', 3);
if (isset($alternatevalue)) return $alternatevalue;
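Review bot: The replacement line changes `$method` from 2 (POST only) to 3 (POST then GET), so a value that was previously taken only from the submitted form can now be supplied in the query string; if that is intended, say so in the comment above, e.g. `// If param has been posted (or passed in the URL), we use this value first.`, otherwise keep method `2`. The old call `GETPOST($fieldname, 2)` passed 2 in the `$check` position rather than `$method`, so the explicit `'alphanohtml'` is an improvement in itself. With no `$_POST` reference left, `$_POST` in `global $conf, $_POST;` is dead (superglobals never need `global`) and can be dropped. The enclosing method starts before the hunk.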


@ -416,24 +416,20 @@ class CoreObject extends CommonObject
{
foreach ($Tab as $key => $value)
{
if($this->checkFieldType($key, 'date'))
if ($this->checkFieldType($key, 'date'))
{
$this->setDate($key, $value);
}
elseif( $this->checkFieldType($key, 'array'))
{
$this->{$key} = $value;
}
elseif( $this->checkFieldType($key, 'float') )
elseif ($this->checkFieldType($key, 'float'))
{
$this->{$key} = (double) price2num($value);
}
elseif( $this->checkFieldType($key, 'int') ) {
elseif ($this->checkFieldType($key, 'int')) {
$this->{$key} = (int) price2num($value);
}
else
{
$this->{$key} = $value;
$this->{$key} = dol_string_nohtmltag($value);
}
}
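Review bot: Removing the `checkFieldType($key, 'array')` branch sends array-typed fields into the final `else`, where `dol_string_nohtmltag($value)` is now applied to an array; unless that helper accepts arrays, this will emit an "Array to string conversion" notice or fail, and the array value is lost either way. Either keep the branch — `elseif ($this->checkFieldType($key, 'array')) { $this->{$key} = $value; }`, mapping the filter over the elements if they should be cleaned too — or guard the call with `is_array($value)`. The enclosing method and its `foreach` begin before the hunk, so I can't see whether `$Tab` can carry arrays here; please confirm against the `$fields` declarations of the subclasses before dropping the branch.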


@ -291,6 +291,7 @@ function GETPOSTISSET($paramname)
* 'array'=check it's array
* 'san_alpha'=Use filter_var with FILTER_SANITIZE_STRING (do not use this for free text string)
* 'nohtml', 'alphanohtml'=check there is no html content
* 'restricthtml'=check html content is restricted to some tags only
* 'custom'= custom filter specify $filter and $options)
* @param int $method Type of method (0 = get then post, 1 = only get, 2 = only post, 3 = post then get)
* @param int $filter Filter to apply when $check is set to 'custom'. (See http://php.net/manual/en/filter.filters.php for détails)
@ -298,7 +299,7 @@ function GETPOSTISSET($paramname)
* @param string $noreplace Force disable of replacement of __xxx__ strings.
* @return string|string[] Value found (string or array), or '' if check fails
*/
function GETPOST($paramname, $check = 'none', $method = 0, $filter = null, $options = null, $noreplace = 0)
function GETPOST($paramname, $check = 'alphanohtml', $method = 0, $filter = null, $options = null, $noreplace = 0)
{
global $mysoc, $user, $conf;
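Review bot: The default for `$check` becomes 'alphanohtml', but the `@param string $check` entry (which starts before the hunk) should state the new default and its consequence, e.g. `Default is 'alphanohtml'; pass 'none' or 'restricthtml' explicitly when the raw or HTML value is really needed (and sanitize it yourself).`, so callers that relied on the old pass-through see it in the signature doc rather than only in the ChangeLog. The `@return` line ("'' if check fails") still holds. The `@param int $method` line could also mention that with the default 0 a GET value wins over a POST value, which matters now that many former `$_POST` reads go through this function.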


@ -48,7 +48,7 @@ function check_user_password_googleoauth($usertotest, $passwordtotest, $entityto
$login = '';
// Get identity from user and redirect browser to Google OAuth Server
if (isset($_POST['username']))
if (GETPOSTISSET('username'))
{
/*$openid = new SimpleOpenID();
$openid->SetIdentity($_POST['username']);


@ -43,7 +43,7 @@ function check_user_password_openid($usertotest, $passwordtotest, $entitytotest)
$login='';
// Get identity from user and redirect browser to OpenID Server
if (isset($_POST['username']))
if (GETPOSISSET('username'))
{
$openid = new SimpleOpenID();
$openid->SetIdentity($_POST['username']);
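Review bot: `GETPOSISSET('username')` on L491 is a typo of `GETPOSTISSET` (the "T" is missing); calling an undefined function is a fatal error, so the OpenID login path will crash as soon as it is exercised. Fix to `if (GETPOSTISSET('username'))`. The next line, `$openid->SetIdentity($_POST['username']);`, still reads the raw value; `GETPOST('username', 'alpha')` (or whichever check suits an OpenID identifier URL) would complete the conversion. The function continues past the hunk.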


@ -197,14 +197,14 @@ if ($action == 'create')
print '</tr>';
print '<tr><td class="fieldrequired">'.$langs->trans("PaymentMode").'</td><td colspan="2">';
$form->select_types_paiements(isset($_POST["paymenttype"])?$_POST["paymenttype"]:$object->paymenttype, "paymenttype");
$form->select_types_paiements(GETPOSTISSET("paymenttype") ? GETPOST("paymenttype") : $object->paymenttype, "paymenttype");
print "</td>\n";
print '</tr>';
print '<tr>';
print '<td class="fieldrequired">'.$langs->trans('AccountToCredit').'</td>';
print '<td colspan="2">';
$form->select_comptes(isset($_POST["accountid"])?$_POST["accountid"]:$object->accountid, "accountid", 0, '', 1); // Show open bank account list
$form->select_comptes(GETPOSTISSET("accountid") ? GETPOST("accountid") : $object->accountid, "accountid", 0, '', 1); // Show open bank account list
print '</td></tr>';
// Number


@ -241,11 +241,11 @@ if (empty($reshook))
if ($objectsrc->lines[$i]->product_tobatch) // If product need a batch number
{
if (isset($_POST[$batch]))
if (GETPOSTISSET($batch))
{
//shipment line with batch-enable product
$qty .= '_'.$j;
while (isset($_POST[$batch]))
while (GETPOSTISSET($batch))
{
// save line of detail into sub_qty
$sub_qty[$j]['q'] = GETPOST($qty, 'int'); // the qty we want to move for this stock record
@ -277,11 +277,11 @@ if (empty($reshook))
}
}
}
elseif (isset($_POST[$stockLocation]))
elseif (GETPOSTISSET($stockLocation))
{
//shipment line from multiple stock locations
$qty .= '_'.$j;
while (isset($_POST[$stockLocation]))
while (GETPOSTISSET($stockLocation))
{
// save sub line of warehouse
$stockLine[$i][$j]['qty'] = GETPOST($qty, 'int');


@ -72,7 +72,7 @@ class ExpenseReportIk extends CoreObject
* Attribute object linked with database
* @var array
*/
protected $fields=array(
public $fields=array(
'rowid'=>array('type'=>'integer','index'=>true)
,'fk_c_exp_tax_cat'=>array('type'=>'integer','index'=>true)
,'fk_range'=>array('type'=>'integer','index'=>true)
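Review bot: Widening `$fields` from `protected` to `public` makes the database field map part of the class API; if the only reader is the parent `CoreObject` (which can already access a protected property through `$this`), `protected` suffices and the change needs a comment naming the external consumer that requires it. The same widening is applied to `ExpenseReportRule::$fields` (L562). A short line in the docblock above, such as `Public because it is read by … outside the class hierarchy`, would make the intent clear; I can't tell the reason from the hunk.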


@ -111,7 +111,7 @@ class ExpenseReportRule extends CoreObject
* Attribute object linked with database
* @var array
*/
protected $fields=array(
public $fields=array(
'rowid'=>array('type'=>'integer','index'=>true)
,'dates'=>array('type'=>'date')
,'datee'=>array('type'=>'date')


@ -411,12 +411,12 @@ if ($step == 4 && $action == 'submitFormField')
$newcode = (string) preg_replace('/\./', '_', $code);
//print 'xxx'.$code."=".$newcode."=".$type."=".$_POST[$newcode]."\n<br>";
$filterqualified = 1;
if (!isset($_POST[$newcode]) || $_POST[$newcode] == '') $filterqualified = 0;
elseif (preg_match('/^List/', $type) && (is_numeric($_POST[$newcode]) && $_POST[$newcode] <= 0)) $filterqualified = 0;
if (! GETPOSTISSET($newcode) || GETPOST($newcode, 'restricthtml') == '') $filterqualified = 0;
elseif (preg_match('/^List/', $type) && (is_numeric(GETPOST($newcode, 'restricthtml')) && GETPOST($newcode, 'restricthtml') <= 0)) $filterqualified = 0;
if ($filterqualified)
{
//print 'Filter on '.$newcode.' type='.$type.' value='.$_POST[$newcode]."\n";
$objexport->array_export_FilterValue[0][$code] = $_POST[$newcode];
$objexport->array_export_FilterValue[0][$code] = GETPOST($newcode, 'restricthtml');
}
}
$array_filtervalue = (!empty($objexport->array_export_FilterValue[0]) ? $objexport->array_export_FilterValue[0] : '');
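Review bot: `GETPOST($newcode, 'restricthtml')` is evaluated four times across L575-L581; read it once, `$filtervalue = GETPOST($newcode, 'restricthtml');`, and reuse it in the two tests and the assignment. 'restricthtml' keeps a whitelist of HTML tags in what is a filter value that is then compared numerically and stored in `array_export_FilterValue`, presumably to build the export's WHERE clause; if no markup is expected in a filter value, 'alphanohtml' is the tighter choice, and if the export code does rely on markup here a comment should say so.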


@ -273,7 +273,7 @@ if ($action == 'dispatch' && $user->rights->fournisseur->commande->receptionner)
if (empty($conf->multicurrency->enabled) && empty($conf->dynamicprices->enabled)) {
$dto = GETPOST("dto_".$reg[1].'_'.$reg[2]);
//update supplier price
if (isset($_POST[$saveprice])) {
if (GETPOSTISSET($saveprice)) {
// TODO Use class
$sql = "UPDATE ".MAIN_DB_PREFIX."product_fournisseur_price";
$sql .= " SET unitprice='".GETPOST($pu)."'";
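Review bot: The context line `$sql .= " SET unitprice='".GETPOST($pu)."'";` interpolates the request value straight into SQL; with the new default check it is now HTML-stripped, but that is not SQL escaping, and a quote in the value still alters the statement. Since it is a price, `price2num(GETPOST($pu))` gives a clean numeric, or at minimum wrap it in `$db->escape(...)`; the `// TODO Use class` above already points at moving this into the product price class. The block starts and ends outside the hunk.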


@ -28,3 +28,5 @@ OAUTH_GITHUB_NAME=OAuth GitHub service
OAUTH_GITHUB_ID=OAuth GitHub Id
OAUTH_GITHUB_SECRET=OAuth GitHub Secret
OAUTH_GITHUB_DESC=Go to <a class="notasortlink" href="https://github.com/settings/developers" target="_blank">this page</a> then "Register a new application" to create OAuth credentials
OAUTH_STRIPE_TEST_NAME=OAuth Stripe Test
OAUTH_STRIPE_LIVE_NAME=OAuth Stripe Live


@ -565,6 +565,7 @@ if (!defined('NOLOGIN'))
$dol_tz_string = preg_replace('/,/', '/', $dol_tz_string);
$dol_tz_string = preg_replace('/\s/', '_', $dol_tz_string);
$dol_dst = 0;
// Keep $_POST here. Do not use GETPOSTISSET
if (isset($_POST["dst_first"]) && isset($_POST["dst_second"]))
{
include_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';
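Review bot: The added comment says to keep `$_POST` here but not why, which is exactly what the next person sweeping `$_POST` reads will need; state the reason, e.g. `// Keep $_POST here (not GETPOSTISSET): <reason — function not yet loaded at this point / value must come from POST only>` — I can't tell from the hunk which applies. Without it the comment reads as an arbitrary exception to the rule this commit establishes.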


@ -170,7 +170,7 @@ elseif (!empty($_ENV["dol_entity"])) // Entity inside a CLI script
{
$conf->entity = $_ENV["dol_entity"];
}
elseif (isset($_POST["loginfunction"]) && GETPOST("entity", 'int')) // Just after a login page
elseif (GETPOSTISSET("loginfunction") && GETPOST("entity", 'int')) // Just after a login page
{
$conf->entity = GETPOST("entity", 'int');
}


@ -112,7 +112,7 @@ class mailing_mailinglist_mymodule_myobject extends MailingTargets
$sql = " select rowid as id, email, firstname, lastname, plan, partner";
$sql.= " from ".MAIN_DB_PREFIX."myobject";
$sql.= " where email IS NOT NULL AND email != ''";
if (! empty($_POST['filter']) && $_POST['filter'] != 'none') $sql.= " AND status = '".$this->db->escape($_POST['filter'])."'";
if (GETPOSTISSET('filter') && GETPOST('filter', 'alphanohtml') != 'none') $sql.= " AND status = '".$this->db->escape(GETPOST('filter', 'alphanohtml'))."'";
$sql.= " ORDER BY email";
// Stocke destinataires dans target
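Review bot: Replacing `!empty($_POST['filter'])` with `GETPOSTISSET('filter')` changes the behaviour for an empty filter: an empty string is now "set", so `AND status = ''` is appended where the clause was previously skipped. `$filter = GETPOST('filter', 'alphanohtml'); if ($filter && $filter != 'none') $sql .= " AND status = '".$this->db->escape($filter)."'";` restores the old semantics and reads the value once. The `$this->db->escape()` around the interpolated value is the right thing to keep.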


@ -63,9 +63,9 @@ if ($action == 'edit_updater') {
if (!empty($action) && empty($cancel)) {
//Global variable actions
if ($action == 'create_variable' || $action == 'edit_variable') {
$price_globals->code = isset($_POST['code'])?GETPOST('code', 'alpha'):$price_globals->code;
$price_globals->description = isset($_POST['description'])?GETPOST('description', 'alpha'):$price_globals->description;
$price_globals->value = isset($_POST['value'])?GETPOST('value', 'int'):$price_globals->value;
$price_globals->code = GETPOSTISSET('code')?GETPOST('code', 'alpha'):$price_globals->code;
$price_globals->description = GETPOSTISSET('description')?GETPOST('description', 'alpha'):$price_globals->description;
$price_globals->value = GETPOSTISSET('value')?GETPOST('value', 'int'):$price_globals->value;
//Check if record already exists only when saving
if (!empty($save)) {
foreach ($price_globals->listGlobalVariables() as $entry) {
@ -101,11 +101,11 @@ if (!empty($action) && empty($cancel)) {
//Updaters actions
if ($action == 'create_updater' || $action == 'edit_updater') {
$price_updaters->type = isset($_POST['type'])?GETPOST('type', 'int'):$price_updaters->type;
$price_updaters->description = isset($_POST['description'])?GETPOST('description', 'alpha'):$price_updaters->description;
$price_updaters->parameters = isset($_POST['parameters'])?GETPOST('parameters'):$price_updaters->parameters;
$price_updaters->fk_variable = isset($_POST['fk_variable'])?GETPOST('fk_variable', 'int'):$price_updaters->fk_variable;
$price_updaters->update_interval = isset($_POST['update_interval'])?GETPOST('update_interval', 'int'):$price_updaters->update_interval;
$price_updaters->type = GETPOSTISSET('type')?GETPOST('type', 'int'):$price_updaters->type;
$price_updaters->description = GETPOSTISSET('description')?GETPOST('description', 'alpha'):$price_updaters->description;
$price_updaters->parameters = GETPOSTISSET('parameters')?GETPOST('parameters'):$price_updaters->parameters;
$price_updaters->fk_variable = GETPOSTISSET('fk_variable')?GETPOST('fk_variable', 'int'):$price_updaters->fk_variable;
$price_updaters->update_interval = GETPOSTISSET('update_interval')?GETPOST('update_interval', 'int'):$price_updaters->update_interval;
}
if ($action == 'create_updater' && !empty($save)) {
//Verify if process() works
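Review bot: `GETPOST('parameters')` on L666 now runs with the 'alphanohtml' default instead of the previous 'none', so tag-like text in an updater's parameters is presumably stripped before being stored; if parameters can hold URLs or expressions that legitimately contain `<` or `>`, this silently corrupts them. Make the choice explicit on that line: `GETPOST('parameters', 'restricthtml')` or `'none'` with a comment explaining why raw input is accepted there, or keep 'alphanohtml' and say so. The other assignments in both hunks already pass an explicit check and look right.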


@ -331,7 +331,7 @@ if (empty($reshook))
{
for ($i = 2; $i <= $conf->global->PRODUIT_MULTIPRICES_LIMIT; $i++)
{
if (isset($_POST["price_".$i]))
if (GETPOSTISSET("price_".$i))
{
$object->multiprices["$i"] = price2num($_POST["price_".$i], 'MU');
$object->multiprices_base_type["$i"] = $_POST["multiprices_base_type_".$i];


@ -1874,7 +1874,7 @@ if ($socid && $action == 'create' && $user->rights->societe->creer)
print '<tr><td>'.$langs->trans("WithdrawMode").'</td><td>';
$tblArraychoice = array("FRST" => $langs->trans("FRST"), "RECUR" => $langs->trans("RECUR"));
print $form->selectarray("frstrecur", $tblArraychoice, (isset($_POST['frstrecur']) ?GETPOST('frstrecur') : 'FRST'), 0);
print $form->selectarray("frstrecur", $tblArraychoice, (GETPOSTISSET('frstrecur') ? GETPOST('frstrecur') : 'FRST'), 0);
print '</td></tr>';
print '</table>';


@ -33,13 +33,14 @@ require '../../main.inc.php';
top_httphead();
// Registering the location of boxes
if (isset($_POST['roworder'])) {
if (GETPOSTISSET('roworder')) {
$roworder=GETPOST('roworder', 'alpha', 2);
dol_syslog("AjaxOrderAttribute roworder=".$roworder, LOG_DEBUG);
$rowordertab = explode(',', $roworder);
$newrowordertab = array();
foreach ($rowordertab as $value) {
if (!empty($value)) {
$newrowordertab[] = $value;