Fix escaping

Laurent Destailleur 2020-09-20 02:30:53 +02:00
parent fa86b62198
commit f57b4fd2fd
19 changed files with 74 additions and 72 deletions


@ -46,7 +46,7 @@ class TraceableDB extends DoliDB
public function __construct($db) public function __construct($db)
{ {
$this->db = $db; $this->db = $db;
$this->type = $db->type; $this->type = $this->db->type;
$this->queries = array(); $this->queries = array();
} }


@ -196,7 +196,7 @@ $type = 'donation';
$def = array(); $def = array();
$sql = "SELECT nom"; $sql = "SELECT nom";
$sql .= " FROM ".MAIN_DB_PREFIX."document_model"; $sql .= " FROM ".MAIN_DB_PREFIX."document_model";
$sql .= " WHERE type = '".$type."'"; $sql .= " WHERE type = '".$db->escape($type)."'";
$resql = $db->query($sql); $resql = $db->query($sql);
if ($resql) if ($resql)
{ {


@ -242,7 +242,7 @@ class EcmFiles extends CommonObject
$sql .= 'src_object_type,'; $sql .= 'src_object_type,';
$sql .= 'src_object_id'; $sql .= 'src_object_id';
$sql .= ') VALUES ('; $sql .= ') VALUES (';
$sql .= " '".$ref."', "; $sql .= " '".$this->db->escape($ref)."', ";
$sql .= ' '.(!isset($this->label) ? 'NULL' : "'".$this->db->escape($this->label)."'").','; $sql .= ' '.(!isset($this->label) ? 'NULL' : "'".$this->db->escape($this->label)."'").',';
$sql .= ' '.(!isset($this->share) ? 'NULL' : "'".$this->db->escape($this->share)."'").','; $sql .= ' '.(!isset($this->share) ? 'NULL' : "'".$this->db->escape($this->share)."'").',';
$sql .= ' '.$this->entity.','; $sql .= ' '.$this->entity.',';
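Review bot: `$this->entity` on the last line of the hunk is still concatenated raw into the VALUES list while the neighbouring `$ref`, `label` and `share` values are now escaped. An entity id is numeric, so the right protection is a cast rather than `escape()`: `$sql .= ' '.((int) $this->entity).',';`. The INSERT statement continues outside the hunk, so the remaining columns could not be checked here.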


@ -702,7 +702,7 @@ class Expedition extends CommonObject
// Validate // Validate
$sql = "UPDATE ".MAIN_DB_PREFIX."expedition SET"; $sql = "UPDATE ".MAIN_DB_PREFIX."expedition SET";
$sql .= " ref='".$numref."'"; $sql .= " ref='".$this->db->escape($numref)."'";
$sql .= ", fk_statut = 1"; $sql .= ", fk_statut = 1";
$sql .= ", date_valid = '".$this->db->idate($now)."'"; $sql .= ", date_valid = '".$this->db->idate($now)."'";
$sql .= ", fk_user_valid = ".$user->id; $sql .= ", fk_user_valid = ".$user->id;
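Review bot: `fk_user_valid = ".$user->id` on the last line of the hunk still goes into the UPDATE unquoted and uncast, in the same statement where `$numref` was just escaped. The commit already uses `((int) …)` for `fk_expensereport` and `fk_contrat`, so the consistent form here is `$sql .= ", fk_user_valid = ".((int) $user->id);`. The statement's WHERE clause lies outside the hunk and was not reviewed.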


@ -461,7 +461,7 @@ class ExpenseReport extends CommonObject
$sql .= " , date_fin = '".$this->db->idate($this->date_fin)."'"; $sql .= " , date_fin = '".$this->db->idate($this->date_fin)."'";
if ($userofexpensereport && is_object($userofexpensereport)) if ($userofexpensereport && is_object($userofexpensereport))
{ {
$sql .= " , fk_user_author = ".($userofexpensereport->id > 0 ? "'".$userofexpensereport->id."'" : "null"); // Note fk_user_author is not the 'author' but the guy the expense report is for. $sql .= " , fk_user_author = ".($userofexpensereport->id > 0 ? $userofexpensereport->id : "null"); // Note fk_user_author is not the 'author' but the guy the expense report is for.
} }
$sql .= " , fk_user_validator = ".($this->fk_user_validator > 0 ? $this->fk_user_validator : "null"); $sql .= " , fk_user_validator = ".($this->fk_user_validator > 0 ? $this->fk_user_validator : "null");
$sql .= " , fk_user_valid = ".($this->fk_user_valid > 0 ? $this->fk_user_valid : "null"); $sql .= " , fk_user_valid = ".($this->fk_user_valid > 0 ? $this->fk_user_valid : "null");
@ -845,24 +845,24 @@ class ExpenseReport extends CommonObject
$sql .= " WHERE de.fk_projet = ".$projectid; $sql .= " WHERE de.fk_projet = ".$projectid;
dol_syslog(get_class($this)."::fetch sql=".$sql, LOG_DEBUG); dol_syslog(get_class($this)."::fetch sql=".$sql, LOG_DEBUG);
$result = $db->query($sql); $result = $this->db->query($sql);
if ($result) if ($result)
{ {
$num = $db->num_rows($result); $num = $this->db->num_rows($result);
$i = 0; $i = 0;
$total_HT = 0; $total_HT = 0;
$total_TTC = 0; $total_TTC = 0;
while ($i < $num) while ($i < $num)
{ {
$objp = $db->fetch_object($result); $objp = $this->db->fetch_object($result);
$sql2 = "SELECT d.rowid, d.fk_user_author, d.ref, d.fk_statut"; $sql2 = "SELECT d.rowid, d.fk_user_author, d.ref, d.fk_statut";
$sql2 .= " FROM ".MAIN_DB_PREFIX."expensereport as d"; $sql2 .= " FROM ".MAIN_DB_PREFIX."expensereport as d";
$sql2 .= " WHERE d.rowid = '".$objp->fk_expensereport."'"; $sql2 .= " WHERE d.rowid = ".((int) $objp->fk_expensereport);
$result2 = $db->query($sql2); $result2 = $this->db->query($sql2);
$obj = $db->fetch_object($result2); $obj = $this->db->fetch_object($result2);
$objp->fk_user_author = $obj->fk_user_author; $objp->fk_user_author = $obj->fk_user_author;
$objp->ref = $obj->ref; $objp->ref = $obj->ref;
@ -871,7 +871,7 @@ class ExpenseReport extends CommonObject
$total_HT = $total_HT + $objp->total_ht; $total_HT = $total_HT + $objp->total_ht;
$total_TTC = $total_TTC + $objp->total_ttc; $total_TTC = $total_TTC + $objp->total_ttc;
$author = new User($db); $author = new User($this->db);
$author->fetch($objp->fk_user_author); $author->fetch($objp->fk_user_author);
print '<tr>'; print '<tr>';
@ -920,7 +920,7 @@ class ExpenseReport extends CommonObject
print '<td>&nbsp;</td>'; print '<td>&nbsp;</td>';
print '</tr>'; print '</tr>';
} else { } else {
$this->error = $db->lasterror(); $this->error = $this->db->lasterror();
return -1; return -1;
} }
} }
@ -1130,7 +1130,7 @@ class ExpenseReport extends CommonObject
// Validate // Validate
$sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element; $sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element;
$sql .= " SET ref = '".$num."',"; $sql .= " SET ref = '".$this->db->escape($num)."',";
$sql .= " fk_statut = ".self::STATUS_VALIDATED.","; $sql .= " fk_statut = ".self::STATUS_VALIDATED.",";
$sql .= " date_valid='".$this->db->idate($this->date_valid)."',"; $sql .= " date_valid='".$this->db->idate($this->date_valid)."',";
$sql .= " fk_user_valid = ".$user->id; $sql .= " fk_user_valid = ".$user->id;
@ -2354,7 +2354,7 @@ class ExpenseReport extends CommonObject
$type = 'expense_report'; $type = 'expense_report';
$sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$type."' AND ab.fk_doc = ".$this->id; $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$this->db->escape($type)."' AND ab.fk_doc = ".$this->id;
$resql = $this->db->query($sql); $resql = $this->db->query($sql);
if ($resql) if ($resql)
{ {
@ -2740,7 +2740,7 @@ function select_expensereport_statut($selected = '', $htmlname = 'fk_statut', $u
{ {
global $db, $langs; global $db, $langs;
$tmpep = new ExpenseReport($db); $tmpep = new ExpenseReport($this->db);
print '<select class="flat" name="'.$htmlname.'">'; print '<select class="flat" name="'.$htmlname.'">';
if ($useempty) print '<option value="-1">&nbsp;</option>'; if ($useempty) print '<option value="-1">&nbsp;</option>';
@ -2787,15 +2787,15 @@ function select_type_fees_id($selected = '', $htmlname = 'type', $showempty = 0,
$sql = "SELECT c.id, c.code, c.label as type FROM ".MAIN_DB_PREFIX."c_type_fees as c"; $sql = "SELECT c.id, c.code, c.label as type FROM ".MAIN_DB_PREFIX."c_type_fees as c";
if ($active >= 0) $sql .= " WHERE c.active = ".$active; if ($active >= 0) $sql .= " WHERE c.active = ".$active;
$sql .= " ORDER BY c.label ASC"; $sql .= " ORDER BY c.label ASC";
$resql = $db->query($sql); $resql = $this->db->query($sql);
if ($resql) if ($resql)
{ {
$num = $db->num_rows($resql); $num = $this->db->num_rows($resql);
$i = 0; $i = 0;
while ($i < $num) while ($i < $num)
{ {
$obj = $db->fetch_object($resql); $obj = $this->db->fetch_object($resql);
$out .= '<option value="'.$obj->id.'"'; $out .= '<option value="'.$obj->id.'"';
if ($obj->code == $selected || $obj->id == $selected) $out .= ' selected'; if ($obj->code == $selected || $obj->id == $selected) $out .= ' selected';
$out .= '>'; $out .= '>';
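Review bot: The `$db` → `$this->db` replacement in the last two hunks lands inside `select_expensereport_statut()` and `select_type_fees_id()`, which the hunk headers show as plain functions (the first one even declares `global $db, $langs;` two lines above), so `new ExpenseReport($this->db)` and `$this->db->query($sql)` will fail at runtime with "Using $this when not in object context". Those two functions should keep the global handle, i.e. revert to `$tmpep = new ExpenseReport($db);` and `$resql = $db->query($sql);` (and likewise the `num_rows`/`fetch_object` calls that follow). In the earlier hunks, `de.fk_projet = ".$projectid` and `c.active = ".$active` are still interpolated uncast; `((int) $projectid)` and `((int) $active)` would match the treatment `fk_expensereport` receives in this same commit. Both functions continue past the hunks shown.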


@ -136,7 +136,7 @@ class ExpenseReportStats extends Stats
{ {
$sql = "SELECT date_format(".$this->db->ifsql('e.'.$this->datetouse.' IS NULL', 'e.date_create', 'e.'.$this->datetouse).",'%m') as dm, sum(".$this->field.")"; $sql = "SELECT date_format(".$this->db->ifsql('e.'.$this->datetouse.' IS NULL', 'e.date_create', 'e.'.$this->datetouse).",'%m') as dm, sum(".$this->field.")";
$sql .= " FROM ".$this->from; $sql .= " FROM ".$this->from;
$sql .= " WHERE date_format(".$this->db->ifsql('e.'.$this->datetouse.' IS NULL', 'e.date_create', 'e.'.$this->datetouse).",'%Y') = '".$year."'"; $sql .= " WHERE date_format(".$this->db->ifsql('e.'.$this->datetouse.' IS NULL', 'e.date_create', 'e.'.$this->datetouse).",'%Y') = '".$this->db->escape($year)."'";
$sql .= " AND ".$this->where; $sql .= " AND ".$this->where;
$sql .= " GROUP BY dm"; $sql .= " GROUP BY dm";
$sql .= $this->db->order('dm', 'DESC'); $sql .= $this->db->order('dm', 'DESC');
@ -156,7 +156,7 @@ class ExpenseReportStats extends Stats
{ {
$sql = "SELECT date_format(".$this->db->ifsql('e.'.$this->datetouse.' IS NULL', 'e.date_create', 'e.'.$this->datetouse).",'%m') as dm, avg(".$this->field.")"; $sql = "SELECT date_format(".$this->db->ifsql('e.'.$this->datetouse.' IS NULL', 'e.date_create', 'e.'.$this->datetouse).",'%m') as dm, avg(".$this->field.")";
$sql .= " FROM ".$this->from; $sql .= " FROM ".$this->from;
$sql .= " WHERE date_format(".$this->db->ifsql('e.'.$this->datetouse.' IS NULL', 'e.date_create', 'e.'.$this->datetouse).",'%Y') = '".$year."'"; $sql .= " WHERE date_format(".$this->db->ifsql('e.'.$this->datetouse.' IS NULL', 'e.date_create', 'e.'.$this->datetouse).",'%Y') = '".$this->db->escape($year)."'";
$sql .= " AND ".$this->where; $sql .= " AND ".$this->where;
$sql .= " GROUP BY dm"; $sql .= " GROUP BY dm";
$sql .= $this->db->order('dm', 'DESC'); $sql .= $this->db->order('dm', 'DESC');
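Review bot: `$year` is a numeric filter in both hunks, so an integer cast states the intent more precisely than `escape()` and removes the need for quoting: `… ,'%Y') = ".((int) $year);`. The other fragments spliced into these queries (`$this->datetouse`, `$this->field`, `$this->from`, `$this->where`) are identifiers and SQL text rather than values and are concatenated without any protection; they appear to be set by the stats class itself, but that cannot be confirmed from the hunk, so it is worth verifying that no caller can populate them from request input.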


@ -338,7 +338,7 @@ class Export
} }
break; break;
default: default:
dol_syslog("Error we try to forge an sql export request with a condition on a field with type '".$InfoFieldList[0]."' (defined into module descriptor) but this type is unknown/not supported. It looks like a bug into module descriptor.", LOG_ERR); dol_syslog("Error we try to forge an sql export request with a condition on a field with type ".$InfoFieldList[0]." (defined into module descriptor) but this type is unknown/not supported. It looks like a bug into module descriptor.", LOG_ERR);
} }
return $szFilterQuery; return $szFilterQuery;
@ -705,10 +705,10 @@ class Export
$sql .= 'filter'; $sql .= 'filter';
$sql .= ') VALUES ('; $sql .= ') VALUES (';
$sql .= "'".$this->db->escape($this->model_name)."',"; $sql .= "'".$this->db->escape($this->model_name)."',";
$sql .= "'".$this->db->escape($this->datatoexport)."',"; $sql .= " '".$this->db->escape($this->datatoexport)."',";
$sql .= "'".$this->db->escape($this->hexa)."',"; $sql .= " '".$this->db->escape($this->hexa)."',";
$sql .= "'".$user->id."',"; $sql .= ' '.($user->id > 0 ? $user->id : 'null').",";
$sql .= "'".$this->db->escape($this->hexafiltervalue)."'"; $sql .= " '".$this->db->escape($this->hexafiltervalue)."'";
$sql .= ")"; $sql .= ")";
dol_syslog(get_class($this)."::create", LOG_DEBUG); dol_syslog(get_class($this)."::create", LOG_DEBUG);


@ -1060,7 +1060,7 @@ if ($step == 4 && $datatoexport)
// List of existing export profils // List of existing export profils
$sql = "SELECT rowid, label"; $sql = "SELECT rowid, label";
$sql .= " FROM ".MAIN_DB_PREFIX."export_model"; $sql .= " FROM ".MAIN_DB_PREFIX."export_model";
$sql .= " WHERE type = '".$datatoexport."'"; $sql .= " WHERE type = '".$db->escape($datatoexport)."'";
if (empty($conf->global->EXPORTS_SHARE_MODELS))$sql .= " AND fk_user=".$user->id; if (empty($conf->global->EXPORTS_SHARE_MODELS))$sql .= " AND fk_user=".$user->id;
$sql .= " ORDER BY rowid"; $sql .= " ORDER BY rowid";
$resql = $db->query($sql); $resql = $db->query($sql);


@ -1132,7 +1132,7 @@ class Fichinter extends CommonObject
if ($user->rights->ficheinter->creer) if ($user->rights->ficheinter->creer)
{ {
$sql = "UPDATE ".MAIN_DB_PREFIX."fichinter "; $sql = "UPDATE ".MAIN_DB_PREFIX."fichinter ";
$sql .= " SET fk_contrat = '".$contractid."'"; $sql .= " SET fk_contrat = ".((int) $contractid);
$sql .= " WHERE rowid = ".$this->id; $sql .= " WHERE rowid = ".$this->id;
if ($this->db->query($sql)) if ($this->db->query($sql))


@ -168,7 +168,7 @@ class FichinterRec extends Fichinter
$sql .= ", ".(!empty($this->description) ? ("'".$this->db->escape($this->description)."'") : "null"); $sql .= ", ".(!empty($this->description) ? ("'".$this->db->escape($this->description)."'") : "null");
$sql .= ", ".(!empty($fichintsrc->note_private) ? ("'".$this->db->escape($fichintsrc->note_private)."'") : "null"); $sql .= ", ".(!empty($fichintsrc->note_private) ? ("'".$this->db->escape($fichintsrc->note_private)."'") : "null");
$sql .= ", ".(!empty($fichintsrc->note_public) ? ("'".$this->db->escape($fichintsrc->note_public)."'") : "null"); $sql .= ", ".(!empty($fichintsrc->note_public) ? ("'".$this->db->escape($fichintsrc->note_public)."'") : "null");
$sql .= ", '".$user->id."'"; $sql .= ", ".$user->id;
// si c'est la même société on conserve les liens vers le projet et le contrat // si c'est la même société on conserve les liens vers le projet et le contrat
if ($this->socid == $fichintsrc->socid) { if ($this->socid == $fichintsrc->socid) {
$sql .= ", ".(!empty($fichintsrc->fk_project) ? $fichintsrc->fk_project : "null"); $sql .= ", ".(!empty($fichintsrc->fk_project) ? $fichintsrc->fk_project : "null");


@ -70,7 +70,7 @@ print load_fiche_titre($title, '', 'intervention');
dol_mkdir($dir); dol_mkdir($dir);
$stats = new FichinterStats($db, $socid, $mode, ($userid > 0 ? $userid : 0)); $stats = new FichinterStats($db, $socid, $mode, ($userid > 0 ? $userid : 0));
if ($object_status != '' && $object_status > -1) $stats->where .= ' AND c.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')'; if ($object_status != '' && $object_status > -1) $stats->where .= ' AND c.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')';
// Build graphic number of object // Build graphic number of object
$data = $stats->getNbByMonthWithPrevYear($endyear, $startyear); $data = $stats->getNbByMonthWithPrevYear($endyear, $startyear);


@ -1297,7 +1297,7 @@ class CommandeFournisseur extends CommonOrder
$sql .= ", ".$user->id; $sql .= ", ".$user->id;
$sql .= ", ".self::STATUS_DRAFT; $sql .= ", ".self::STATUS_DRAFT;
$sql .= ", ".$this->db->escape($this->source); $sql .= ", ".$this->db->escape($this->source);
$sql .= ", '".$conf->global->COMMANDE_SUPPLIER_ADDON_PDF."'"; $sql .= ", '".$this->db->escape($conf->global->COMMANDE_SUPPLIER_ADDON_PDF)."'";
$sql .= ", ".($this->mode_reglement_id > 0 ? $this->mode_reglement_id : 'null'); $sql .= ", ".($this->mode_reglement_id > 0 ? $this->mode_reglement_id : 'null');
$sql .= ", ".($this->cond_reglement_id > 0 ? $this->cond_reglement_id : 'null'); $sql .= ", ".($this->cond_reglement_id > 0 ? $this->cond_reglement_id : 'null');
$sql .= ", ".($this->fk_account > 0 ? $this->fk_account : 'NULL'); $sql .= ", ".($this->fk_account > 0 ? $this->fk_account : 'NULL');
@ -1843,7 +1843,7 @@ class CommandeFournisseur extends CommonOrder
$sql = "INSERT INTO ".MAIN_DB_PREFIX."commande_fournisseur_dispatch"; $sql = "INSERT INTO ".MAIN_DB_PREFIX."commande_fournisseur_dispatch";
$sql .= " (fk_commande, fk_product, qty, fk_entrepot, fk_user, datec, fk_commandefourndet, status, comment, eatby, sellby, batch) VALUES"; $sql .= " (fk_commande, fk_product, qty, fk_entrepot, fk_user, datec, fk_commandefourndet, status, comment, eatby, sellby, batch) VALUES";
$sql .= " ('".$this->id."','".$product."','".$qty."',".($entrepot > 0 ? "'".$entrepot."'" : "null").",'".$user->id."','".$this->db->idate($now)."','".$fk_commandefourndet."', ".$dispatchstatus.", '".$this->db->escape($comment)."', "; $sql .= " ('".$this->id."','".$product."','".$qty."',".($entrepot > 0 ? "'".$entrepot."'" : "null").",'".$user->id."','".$this->db->idate($now)."','".$fk_commandefourndet."', ".$dispatchstatus.", '".$this->db->escape($comment)."', ";
$sql .= ($eatby ? "'".$this->db->idate($eatby)."'" : "null").", ".($sellby ? "'".$this->db->idate($sellby)."'" : "null").", ".($batch ? "'".$batch."'" : "null"); $sql .= ($eatby ? "'".$this->db->idate($eatby)."'" : "null").", ".($sellby ? "'".$this->db->idate($sellby)."'" : "null").", ".($batch ? "'".$this->db->escape($batch)."'" : "null");
$sql .= ")"; $sql .= ")";
dol_syslog(get_class($this)."::dispatchProduct", LOG_DEBUG); dol_syslog(get_class($this)."::dispatchProduct", LOG_DEBUG);
@ -2414,10 +2414,10 @@ class CommandeFournisseur extends CommonOrder
$sql = "INSERT INTO ".MAIN_DB_PREFIX."commande_fournisseurdet"; $sql = "INSERT INTO ".MAIN_DB_PREFIX."commande_fournisseurdet";
$sql .= " (fk_commande, label, description, fk_product, price, qty, tva_tx, localtax1_tx, localtax2_tx, remise_percent, subprice, remise, ref)"; $sql .= " (fk_commande, label, description, fk_product, price, qty, tva_tx, localtax1_tx, localtax2_tx, remise_percent, subprice, remise, ref)";
$sql .= " VALUES (".$idc.", '".$this->db->escape($label)."','".$this->db->escape($comclient->lines[$i]->desc)."'"; $sql .= " VALUES (".$idc.", '".$this->db->escape($label)."', ".$this->db->escape($comclient->lines[$i]->desc);
$sql .= ",".$comclient->lines[$i]->fk_product.",'".price2num($comclient->lines[$i]->price)."'"; $sql .= ",".$comclient->lines[$i]->fk_product.", ".price2num($comclient->lines[$i]->price);
$sql .= ", '".$comclient->lines[$i]->qty."', ".$comclient->lines[$i]->tva_tx.", ".$comclient->lines[$i]->localtax1_tx.", ".$comclient->lines[$i]->localtax2_tx.", ".$comclient->lines[$i]->remise_percent; $sql .= ", ".$comclient->lines[$i]->qty.", ".$comclient->lines[$i]->tva_tx.", ".$comclient->lines[$i]->localtax1_tx.", ".$comclient->lines[$i]->localtax2_tx.", ".$comclient->lines[$i]->remise_percent;
$sql .= ", '".price2num($comclient->lines[$i]->subprice)."','0','".$ref."');"; $sql .= ", '".price2num($comclient->lines[$i]->subprice)."','0', '".$this->db->escape($ref)."');";
if ($this->db->query($sql)) if ($this->db->query($sql))
{ {
$this->update_price(); $this->update_price();
@ -2927,14 +2927,14 @@ class CommandeFournisseur extends CommonOrder
{ {
$sql = "SELECT rowid, code, libelle as label"; $sql = "SELECT rowid, code, libelle as label";
$sql .= " FROM ".MAIN_DB_PREFIX.'c_input_method'; $sql .= " FROM ".MAIN_DB_PREFIX.'c_input_method';
$sql .= " WHERE active=1 AND rowid = ".$db->escape($this->methode_commande_id); $sql .= " WHERE active=1 AND rowid = ".$this->db->escape($this->methode_commande_id);
$resql = $db->query($sql); $resql = $this->db->query($sql);
if ($resql) if ($resql)
{ {
if ($db->num_rows($resql)) if ($this->db->num_rows($resql))
{ {
$obj = $db->fetch_object($resql); $obj = $this->db->fetch_object($resql);
$string = $langs->trans($obj->code); $string = $langs->trans($obj->code);
if ($string == $obj->code) if ($string == $obj->code)
@ -2943,7 +2943,7 @@ class CommandeFournisseur extends CommonOrder
} }
return $string; return $string;
} }
} else dol_print_error($db); } else dol_print_error($this->db);
} }
return ''; return '';
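Review bot: In the `commande_fournisseurdet` INSERT (hunk at 2414) the new side drops the single quotes around the line description: `", ".$this->db->escape($comclient->lines[$i]->desc)` places a free-text value into the VALUES list unquoted, which is a syntax error for any non-numeric description and leaves the value unprotected, since `escape()` only neutralises quote characters. Restore the quoting: `$sql .= " VALUES (".$idc.", '".$this->db->escape($label)."', '".$this->db->escape($comclient->lines[$i]->desc)."'";`. In the last hunk, `rowid = ".$this->db->escape($this->methode_commande_id)` is likewise unquoted and `escape()` is the wrong tool for a bare integer; cast it instead: `$sql .= " WHERE active=1 AND rowid = ".((int) $this->methode_commande_id);`. The `dispatchProduct()` INSERT in the middle hunk still concatenates `$product`, `$qty`, `$entrepot` and `$fk_commandefourndet` with no escaping or casting at all.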


@ -2392,7 +2392,6 @@ class FactureFournisseur extends CommonInvoice
return $numref; return $numref;
} else { } else {
$this->error = $obj->error; $this->error = $obj->error;
//dol_print_error($db,get_class($this)."::getNextNumRef ".$obj->error);
return false; return false;
} }
} }
@ -2714,15 +2713,13 @@ class FactureFournisseur extends CommonInvoice
*/ */
public function isCreditNoteUsed() public function isCreditNoteUsed()
{ {
global $db;
$isUsed = false; $isUsed = false;
$sql = "SELECT fk_invoice_supplier FROM ".MAIN_DB_PREFIX."societe_remise_except WHERE fk_invoice_supplier_source=".$this->id; $sql = "SELECT fk_invoice_supplier FROM ".MAIN_DB_PREFIX."societe_remise_except WHERE fk_invoice_supplier_source=".$this->id;
$resql = $db->query($sql); $resql = $this->db->query($sql);
if (!empty($resql)) { if (!empty($resql)) {
$obj = $db->fetch_object($resql); $obj = $this->db->fetch_object($resql);
if (!empty($obj->fk_invoice_supplier))$isUsed = true; if (!empty($obj->fk_invoice_supplier)) $isUsed = true;
} }
return $isUsed; return $isUsed;


@ -349,8 +349,8 @@ class ProductFournisseur extends Product
// TODO Add localtax1 and localtax2 // TODO Add localtax1 and localtax2
//$sql.= " localtax1_tx=".($localtax1>=0?$localtax1:'NULL').","; //$sql.= " localtax1_tx=".($localtax1>=0?$localtax1:'NULL').",";
//$sql.= " localtax2_tx=".($localtax2>=0?$localtax2:'NULL').","; //$sql.= " localtax2_tx=".($localtax2>=0?$localtax2:'NULL').",";
//$sql.= " localtax1_type=".($localtaxtype1!=''?"'".$localtaxtype1."'":"'0'").","; //$sql.= " localtax1_type=".($localtaxtype1!=''?"'".$this->db->escape($localtaxtype1)."'":"'0'").",";
//$sql.= " localtax2_type=".($localtaxtype2!=''?"'".$localtaxtype2."'":"'0'").","; //$sql.= " localtax2_type=".($localtaxtype2!=''?"'".$this->db->escape($localtaxtype2)."'":"'0'").",";
$sql .= " default_vat_code=".($newdefaultvatcode ? "'".$this->db->escape($newdefaultvatcode)."'" : "null").","; $sql .= " default_vat_code=".($newdefaultvatcode ? "'".$this->db->escape($newdefaultvatcode)."'" : "null").",";
$sql .= " info_bits = ".$newnpr.","; $sql .= " info_bits = ".$newnpr.",";
$sql .= " charges = ".$charges.","; // deprecated $sql .= " charges = ".$charges.","; // deprecated


@ -294,9 +294,9 @@ if (empty($reshook))
$sql .= ", targettype"; $sql .= ", targettype";
$sql .= ") VALUES ("; $sql .= ") VALUES (";
$sql .= $id_order; $sql .= $id_order;
$sql .= ", '".$object->origin."'"; $sql .= ", '".$db->escape($object->origin)."'";
$sql .= ", ".$object->id; $sql .= ", ".$object->id;
$sql .= ", '".$object->element."'"; $sql .= ", '".$db->escape($object->element)."'";
$sql .= ")"; $sql .= ")";
if (!$db->query($sql)) if (!$db->query($sql))


@ -116,26 +116,26 @@ if ($user->rights->fournisseur->facture->lire)
if ($search_ref) if ($search_ref)
{ {
$sql .= " AND f.ref LIKE '%".$search_ref."%'"; $sql .= " AND f.ref LIKE '%".$db->escape($search_ref)."%'";
} }
if ($search_ref_supplier) if ($search_ref_supplier)
{ {
$sql .= " AND f.ref_supplier LIKE '%".$search_ref_supplier."%'"; $sql .= " AND f.ref_supplier LIKE '%".$db->escape($search_ref_supplier)."%'";
} }
if ($search_company) if ($search_company)
{ {
$sql .= " AND s.nom LIKE '%".$search_company."%'"; $sql .= " AND s.nom LIKE '%".$db->escape($search_company)."%'";
} }
if ($search_amount_no_tax) if ($search_amount_no_tax)
{ {
$sql .= " AND f.total_ht = '".$search_amount_no_tax."'"; $sql .= " AND f.total_ht = '".$db->escape($search_amount_no_tax)."'";
} }
if ($search_amount_all_tax) if ($search_amount_all_tax)
{ {
$sql .= " AND f.total_ttc = '".$search_amount_all_tax."'"; $sql .= " AND f.total_ttc = '".$db->escape($search_amount_all_tax)."'";
} }
if (dol_strlen(GETPOST('sf_re')) > 0) if (dol_strlen(GETPOST('sf_re')) > 0)
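Review bot: The `LIKE '%…%'` filters on `f.ref`, `f.ref_supplier` and `s.nom` are now escaped, but `escape()` only protects the quoted-string context; the LIKE metacharacters `%` and `_` in a user-supplied search term still act as wildcards, so a search for `_` matches every single-character ref. If a literal substring match is intended, those two characters need to be escaped for the LIKE context as well (whether the DB layer offers a helper for that is not visible from this hunk). For `f.total_ht` and `f.total_ttc`, which are amounts, comparing against a normalised number (the commit uses `price2num()` for prices elsewhere) would be tighter than a quoted, escaped string.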


@ -1302,8 +1302,8 @@ class Holiday extends CommonObject
{ {
$sql = "UPDATE ".MAIN_DB_PREFIX."holiday_config SET"; $sql = "UPDATE ".MAIN_DB_PREFIX."holiday_config SET";
$sql .= " value = '".$value."'"; $sql .= " value = '".$this->db->escape($value)."'";
$sql .= " WHERE name = '".$name."'"; $sql .= " WHERE name = '".$this->db->escape($name)."'";
dol_syslog(get_class($this).'::updateConfCP name='.$name.'', LOG_DEBUG); dol_syslog(get_class($this).'::updateConfCP name='.$name.'', LOG_DEBUG);
$result = $this->db->query($sql); $result = $this->db->query($sql);
@ -1498,7 +1498,7 @@ class Holiday extends CommonObject
$sql = "SELECT value"; $sql = "SELECT value";
$sql .= " FROM ".MAIN_DB_PREFIX."holiday_config"; $sql .= " FROM ".MAIN_DB_PREFIX."holiday_config";
$sql .= " WHERE name = '".$name."'"; $sql .= " WHERE name = '".$this->db->escape($name)."'";
$result = $this->db->query($sql); $result = $this->db->query($sql);
@ -1522,7 +1522,7 @@ class Holiday extends CommonObject
*/ */
public function createCPusers($single = false, $userid = '') public function createCPusers($single = false, $userid = '')
{ {
// Si c'est l'ensemble des utilisateurs à ajouter // do we have to add balance for all users ?
if (!$single) if (!$single)
{ {
dol_syslog(get_class($this).'::createCPusers'); dol_syslog(get_class($this).'::createCPusers');
@ -1532,7 +1532,7 @@ class Holiday extends CommonObject
{ {
$sql = "INSERT INTO ".MAIN_DB_PREFIX."holiday_users"; $sql = "INSERT INTO ".MAIN_DB_PREFIX."holiday_users";
$sql .= " (fk_user, nb_holiday)"; $sql .= " (fk_user, nb_holiday)";
$sql .= " VALUES ('".$users['rowid']."','0')"; $sql .= " VALUES (".((int) $users['rowid'])."', '0')";
$resql = $this->db->query($sql); $resql = $this->db->query($sql);
if (!$resql) dol_print_error($this->db); if (!$resql) dol_print_error($this->db);
@ -1540,7 +1540,7 @@ class Holiday extends CommonObject
} else { } else {
$sql = "INSERT INTO ".MAIN_DB_PREFIX."holiday_users"; $sql = "INSERT INTO ".MAIN_DB_PREFIX."holiday_users";
$sql .= " (fk_user, nb_holiday)"; $sql .= " (fk_user, nb_holiday)";
$sql .= " VALUES ('".$userid."','0')"; $sql .= " VALUES (".((int) $userid)."', '0')";
$resql = $this->db->query($sql); $resql = $this->db->query($sql);
if (!$resql) dol_print_error($this->db); if (!$resql) dol_print_error($this->db);
@ -1557,7 +1557,7 @@ class Holiday extends CommonObject
{ {
$sql = "DELETE FROM ".MAIN_DB_PREFIX."holiday_users"; $sql = "DELETE FROM ".MAIN_DB_PREFIX."holiday_users";
$sql .= " WHERE fk_user = '".$user_id."'"; $sql .= " WHERE fk_user = ".((int) $user_id);
$this->db->query($sql); $this->db->query($sql);
} }
@ -1925,11 +1925,11 @@ class Holiday extends CommonObject
$sql .= "fk_type"; $sql .= "fk_type";
$sql .= ") VALUES ("; $sql .= ") VALUES (";
$sql .= " '".$this->db->idate(dol_now())."',"; $sql .= " '".$this->db->idate(dol_now())."',";
$sql .= " '".$fk_user_action."',"; $sql .= " '".$this->db->escape($fk_user_action)."',";
$sql .= " '".$fk_user_update."',"; $sql .= " '".$this->db->escape($fk_user_update)."',";
$sql .= " '".$this->db->escape($label)."',"; $sql .= " '".$this->db->escape($label)."',";
$sql .= " '".$prev_solde."',"; $sql .= " '".$this->db->escape($prev_solde)."',";
$sql .= " '".$new_solde."',"; $sql .= " '".$this->db->escape($new_solde)."',";
$sql .= " ".$fk_type; $sql .= " ".$fk_type;
$sql .= ")"; $sql .= ")";
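Review bot: Both `holiday_users` INSERTs in `createCPusers()` are now syntactically broken: `" VALUES (".((int) $users['rowid'])."', '0')"` and `" VALUES (".((int) $userid)."', '0')"` keep the closing single quote that belonged to the old quoted id, so the generated SQL reads `VALUES (12', '0')`. Drop the stray quote: `$sql .= " VALUES (".((int) $users['rowid']).", '0')";` and `$sql .= " VALUES (".((int) $userid).", '0')";`. In the last hunk, `$fk_user_action`, `$fk_user_update`, `$prev_solde` and `$new_solde` are wrapped in `escape()` and quotes while `$fk_type` is still concatenated raw; the user ids and `$fk_type` are integers and should be `(int)`-cast, and `$fk_type` in particular remains unprotected. `createCPusers()` continues beyond the hunks shown.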


@ -311,7 +311,7 @@ if (!empty($search_valideur) && $search_valideur != -1) {
} }
// Type // Type
if (!empty($search_type) && $search_type != -1) { if (!empty($search_type) && $search_type != -1) {
$sql .= ' AND cp.fk_type IN ('.$this->db->sanitize($db->escape($search_type)).')'; $sql .= ' AND cp.fk_type IN ('.$db->sanitize($db->escape($search_type)).')';
} }
// Status // Status
if (!empty($search_status) && $search_status != -1) { if (!empty($search_status) && $search_status != -1) {


@ -152,7 +152,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
$db=$this->savdb; $db=$this->savdb;
include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname'); $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT.'/holiday', 'files', 1, '\.php', null, 'fullname');
//$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname'); //$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname');
foreach ($filesarray as $key => $file) foreach ($filesarray as $key => $file)
@ -170,7 +170,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|| preg_match('/boxes\/box_/', $file['relativename']) || preg_match('/boxes\/box_/', $file['relativename'])
|| preg_match('/modules\/.*\/doc\/(doc|pdf)_/', $file['relativename']) || preg_match('/modules\/.*\/doc\/(doc|pdf)_/', $file['relativename'])
|| preg_match('/modules\/(import|mailings|printing)\//', $file['relativename']) || preg_match('/modules\/(import|mailings|printing)\//', $file['relativename'])
|| in_array($file['name'], array('modules_boxes.php', 'rapport.pdf.php'))) { || in_array($file['name'], array('modules_boxes.php', 'rapport.pdf.php', 'TraceableDB.php'))) {
if (! in_array($file['name'], array( if (! in_array($file['name'], array(
'api.class.php', 'api.class.php',
'commonobject.class.php', 'commonobject.class.php',
@ -182,7 +182,11 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
'translate.class.php', 'translate.class.php',
'utils.class.php', 'utils.class.php',
'modules_product.class.php', 'modules_product.class.php',
'modules_societe.class.php' 'modules_societe.class.php',
'TraceableDB.php',
'expeditionbatch.class.php',
'expensereport_ik.class.php',
'expensereport_rule.class.php'
))) { ))) {
// Must must not found $db-> // Must must not found $db->
$ok=true; $ok=true;
@ -200,7 +204,8 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
} }
} else { } else {
if (! in_array($file['name'], array( if (! in_array($file['name'], array(
'extrafieldsinexport.inc.php' 'extrafieldsinexport.inc.php',
'DolQueryCollector.php'
))) { ))) {
// Must must not found $this->db-> // Must must not found $this->db->
$ok=true; $ok=true;
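Review bot: The first hunk narrows the scan in `CodingPhpTest` from `DOL_DOCUMENT_ROOT` to `DOL_DOCUMENT_ROOT.'/holiday'`, so the `$db->` / `$this->db->` convention check now covers a single module; with the full-tree call still present as a commented-out line right below, this looks like a local debugging leftover rather than an intended change. Restore `$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname');` so the test keeps guarding the other files touched by this commit — it would, for instance, have flagged the `$this->db` uses introduced in the plain functions of `expensereport.class.php`. The new entries in the exemption arrays (`TraceableDB.php`, `DolQueryCollector.php`, the expensereport helper classes) would read better with a one-line comment above the list such as `// Files allowed to use $db-> although they define a class`, so the next person knows the list is deliberate rather than a list of outstanding violations.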