From 0e4d3c19ddd88d9237a119f7f3b19a1d3cd8110a Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sun, 20 Sep 2020 02:57:15 +0200
Subject: [PATCH] Fix escaping
---
 htdocs/imports/import.php | 2 +-
 htdocs/modulebuilder/template/admin/setup.php | 2 +-
 .../class/multicurrency.class.php | 12 ++++-----
 htdocs/product/admin/product.php | 2 +-
 htdocs/product/admin/product_tools.php | 2 +-
 htdocs/product/card.php | 5 ++--
 .../product/class/html.formproduct.class.php | 4 +--
 htdocs/product/class/product.class.php | 26 +++++++++----------
 .../class/propalmergepdfproduct.class.php | 4 +--
 htdocs/product/index.php | 2 +-
 htdocs/product/list.php | 2 +-
 htdocs/product/popuprop.php | 2 +-
 htdocs/product/price.php | 22 ++++++++--------
 htdocs/product/reassortlot.php | 2 +-
 htdocs/product/stock/card.php | 4 +--
 .../stock/class/mouvementstock.class.php | 2 +-
 htdocs/product/stock/movement_card.php | 2 +-
 htdocs/product/stock/movement_list.php | 4 +--
 htdocs/product/stock/product.php | 2 +-
 htdocs/product/stock/stockatdate.php | 4 +--
 test/phpunit/CodingPhpTest.php | 6 +++--
 21 files changed, 58 insertions(+), 55 deletions(-)
diff --git a/htdocs/imports/import.php b/htdocs/imports/import.php
index d886796f7b0..93d3139ca90 100644
--- a/htdocs/imports/import.php
+++ b/htdocs/imports/import.php
@@ -1147,7 +1147,7 @@ if ($step == 4 && $datatoimport)
 // List of existing import profils
 $sql = "SELECT rowid, label";
 $sql .= " FROM ".MAIN_DB_PREFIX."import_model";
- $sql .= " WHERE type = '".$datatoimport."'";
+ $sql .= " WHERE type = '".$db->escape($datatoimport)."'";
 $sql .= " ORDER BY rowid";
 $resql = $db->query($sql);
 if ($resql)
diff --git a/htdocs/modulebuilder/template/admin/setup.php b/htdocs/modulebuilder/template/admin/setup.php
index 9653f05d4b3..b0ef752707c 100644
--- a/htdocs/modulebuilder/template/admin/setup.php
+++ b/htdocs/modulebuilder/template/admin/setup.php
@@ -374,7 +374,7 @@ foreach ($myTmpObjects as $myTmpObjectKey => $myTmpObjectArray) {
 $def = array();
 $sql = "SELECT nom";
 $sql .= " FROM ".MAIN_DB_PREFIX."document_model";
- $sql .= " WHERE type = '".$type."'";
+ $sql .= " WHERE type = '".$db->escape($type)."'";
 $sql .= " AND entity = ".$conf->entity;
 $resql = $db->query($sql);
 if ($resql)
diff --git a/htdocs/multicurrency/class/multicurrency.class.php b/htdocs/multicurrency/class/multicurrency.class.php
index 3641c6abf0f..2ce3277ae89 100644
--- a/htdocs/multicurrency/class/multicurrency.class.php
+++ b/htdocs/multicurrency/class/multicurrency.class.php
@@ -427,11 +427,11 @@ class MultiCurrency extends CommonObject
 {
 global $db, $user;
- $currency = new MultiCurrency($db);
+ $currency = new MultiCurrency($this->db);
 $currency->code = $code;
 $currency->name = $code;
- $sql = 'SELECT label FROM '.MAIN_DB_PREFIX.'c_currencies WHERE code_iso = \''.$db->escape($code).'\'';
+ $sql = 'SELECT label FROM '.MAIN_DB_PREFIX."c_currencies WHERE code_iso = '".$this->db->escape($code)."'";
 dol_syslog(__METHOD__, LOG_DEBUG);
 $resql = $db->query($sql);
@@ -486,15 +486,15 @@ class MultiCurrency extends CommonObject
 * Get id of currency from code
 *
 * @param DoliDB $db object db
- * @param string $code code value search
+ * @param string $code code value search
 *
 * @return int 0 if not found, >0 if OK
 */
- public static function getIdFromCode(&$db, $code)
+ public static function getIdFromCode($db, $code)
 {
 global $conf;
- $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.'multicurrency WHERE code = \''.$db->escape($code).'\' AND entity = '.$conf->entity;
+ $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX."multicurrency WHERE code = '".$db->escape($code)."' AND entity = ".$conf->entity;
 dol_syslog(__METHOD__, LOG_DEBUG);
 $resql = $db->query($sql);
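Review bot: In the -427 hunk the MultiCurrency constructor and the escape call are moved to `$this->db`, but the query on the hunk's last line still runs on the global connection, `$resql = $db->query($sql);`, so the value is escaped by one handle and executed by another and the method keeps depending on `global $db, $user;`. Change it to `$resql = $this->db->query($sql);` and drop `$db` from the `global` list if nothing further down the method (outside the hunk) reads it. Leaving that call on the global is presumably what forces `multicurrency.class.php` onto the exclusion list in CodingPhpTest.php later in this patch.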
@@ -512,7 +512,7 @@ class MultiCurrency extends CommonObject
 * @return array [0] => id currency
 * [1] => rate
 */
- public static function getIdAndTxFromCode(&$db, $code, $date_document = '')
+ public static function getIdAndTxFromCode($db, $code, $date_document = '')
 {
 global $conf;
diff --git a/htdocs/product/admin/product.php b/htdocs/product/admin/product.php
index 905821535c1..f037dfb3d6f 100644
--- a/htdocs/product/admin/product.php
+++ b/htdocs/product/admin/product.php
@@ -378,7 +378,7 @@ print '';
 $def = array();
 $sql = "SELECT nom";
 $sql .= " FROM ".MAIN_DB_PREFIX."document_model";
-$sql .= " WHERE type = '".$type."'";
+$sql .= " WHERE type = '".$db->escape($type)."'";
 $sql .= " AND entity = ".$conf->entity;
 $resql = $db->query($sql);
 if ($resql)
diff --git a/htdocs/product/admin/product_tools.php b/htdocs/product/admin/product_tools.php
index 46a9af57153..592dd89baaa 100644
--- a/htdocs/product/admin/product_tools.php
+++ b/htdocs/product/admin/product_tools.php
@@ -184,7 +184,7 @@ if ($action == 'convert')
 $sql .= " AND tva_tx = '".$db->escape($oldvatrate)."'";
 if ($vat_src_code_old) $sql .= " AND default_vat_code = '".$db->escape($vat_src_code_old)."'";
 else " AND default_vat_code = IS NULL";
- $sql .= " AND s.fk_pays = '".$country_id."'";
+ $sql .= " AND s.fk_pays = ".((int) $country_id);
 //print $sql;
 $resql = $db->query($sql);
 if ($resql)
diff --git a/htdocs/product/card.php b/htdocs/product/card.php
index c4b46113d7f..f86b94f314e 100644
--- a/htdocs/product/card.php
+++ b/htdocs/product/card.php
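Review bot: In the product_tools.php hunk at -184 the context line just above the changed one, `else " AND default_vat_code = IS NULL";`, is a bare string expression statement: nothing is appended to `$sql`, so when `$vat_src_code_old` is empty the conversion is not restricted to rows with a NULL default code, and the literal would be invalid SQL (`= IS NULL`) even if it were appended. If the intent is to match rows without a code, it should read `else $sql .= " AND default_vat_code IS NULL";`. The `if ($action == 'convert')` block this belongs to starts and ends outside the hunk.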
@@ -234,6 +234,7 @@ if (empty($reshook))
 $npr = preg_match('/\*/', $tva_tx_txt) ? 1 : 0;
 $localtax1 = 0; $localtax2 = 0; $localtax1_type = '0'; $localtax2_type = '0';
 // If value contains the unique code of vat line (new recommanded method), we use it to find npr and local taxes
+ $reg = array();
 if (preg_match('/\((.*)\)/', $tva_tx_txt, $reg))
 {
 // We look into database using code (we can't use get_localtax() because it depends on buyer that is not known). Same in update price.
@@ -241,9 +242,9 @@ if (empty($reshook))
 // Get record from code
 $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
 $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
- $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'";
+ $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
 $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
- $sql .= " AND t.code ='".$vatratecode."'";
+ $sql .= " AND t.code = '".$db->escape($vatratecode)."'";
 $resql = $db->query($sql);
 if ($resql)
 {
diff --git a/htdocs/product/class/html.formproduct.class.php b/htdocs/product/class/html.formproduct.class.php
index 4e1a45a4c59..a0fd2bdb10c 100644
--- a/htdocs/product/class/html.formproduct.class.php
+++ b/htdocs/product/class/html.formproduct.class.php
@@ -112,10 +112,10 @@ class FormProduct
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps on ps.fk_entrepot = e.rowid";
 if (!empty($fk_product))
 {
- $sql .= " AND ps.fk_product = '".$fk_product."'";
+ $sql .= " AND ps.fk_product = ".((int) $fk_product);
 if (!empty($batch))
 {
- $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_batch as pb on pb.fk_product_stock = ps.rowid AND pb.batch = '".$batch."'";
+ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_batch as pb on pb.fk_product_stock = ps.rowid AND pb.batch = '".$this->db->escape($batch)."'";
 }
 }
 $sql .= " WHERE e.entity IN (".getEntity('stock').")";
diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index 15572e1ae73..18565347072 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
@@ -929,7 +929,7 @@ class Product extends CommonObject
 {
 if ($detail->batch == $valueforundefinedlot || $detail->batch == 'Undefined') {
 // We discard this line, we will create it later
- $sqlclean = "DELETE FROM ".MAIN_DB_PREFIX."product_batch WHERE batch in('Undefined', '".$valueforundefinedlot."') AND fk_product_stock = ".$ObjW->id;
+ $sqlclean = "DELETE FROM ".MAIN_DB_PREFIX."product_batch WHERE batch in('Undefined', '".$this->db->escape($valueforundefinedlot)."') AND fk_product_stock = ".$ObjW->id;
 $result = $this->db->query($sqlclean);
 if (!$result) {
 dol_print_error($this->db);
@@ -1612,7 +1612,7 @@ class Product extends CommonObject
 // If price per customer
 require_once DOL_DOCUMENT_ROOT.'/product/class/productcustomerprice.class.php';
- $prodcustprice = new Productcustomerprice($db);
+ $prodcustprice = new Productcustomerprice($this->db);
 $filter = array('t.fk_product' => $this->id, 't.fk_soc' => $thirdparty_buyer->id);
@@ -1749,7 +1749,7 @@ class Product extends CommonObject
 if (!empty($conf->global->PRODUCT_USE_SUPPLIER_PACKAGING)) $sql .= ", pfp.packaging";
 $sql .= " FROM ".MAIN_DB_PREFIX."product_fournisseur_price as pfp";
 $sql .= " WHERE pfp.fk_product = ".$product_id;
- if ($fourn_ref != 'none') { $sql .= " AND pfp.ref_fourn = '".$fourn_ref."'";
+ if ($fourn_ref != 'none') { $sql .= " AND pfp.ref_fourn = '".$this->db->escape($fourn_ref)."'";
 }
 if ($fk_soc > 0) { $sql .= " AND pfp.fk_soc = ".$fk_soc;
 }
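Review bot: In the -1749 hunk the escape is added for `$fourn_ref`, but the two numeric filters around it, `$sql .= " WHERE pfp.fk_product = ".$product_id;` and `$sql .= " AND pfp.fk_soc = ".$fk_soc;`, are still concatenated raw, while the same patch casts ids with `((int) …)` in the -3672 hunk; `$fk_soc > 0` guards the second one but nothing guards the first. Casting both, `((int) $product_id)` and `((int) $fk_soc)`, keeps the query shape consistent with the rest of the change. The same raw id concatenation is left in the -929 hunk (`$ObjW->id`), in propalmergepdfproduct.class.php at -232 and -398 (`$product_id`), in popuprop.php at -203 (`$prodid`) and in stockatdate.php at -124 (`$productid`).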
@@ -1922,18 +1922,18 @@ class Product extends CommonObject
 // Ne pas mettre de quote sur les numeriques decimaux.
 // Ceci provoque des stockages avec arrondis en base au lieu des valeurs exactes.
 $sql = "UPDATE ".MAIN_DB_PREFIX."product SET";
- $sql .= " price_base_type='".$newpricebase."',";
+ $sql .= " price_base_type='".$this->db->escape($newpricebase)."',";
 $sql .= " price=".$price.",";
 $sql .= " price_ttc=".$price_ttc.",";
 $sql .= " price_min=".$price_min.",";
 $sql .= " price_min_ttc=".$price_min_ttc.",";
 $sql .= " localtax1_tx=".($localtax1 >= 0 ? $localtax1 : 'NULL').",";
 $sql .= " localtax2_tx=".($localtax2 >= 0 ? $localtax2 : 'NULL').",";
- $sql .= " localtax1_type=".($localtaxtype1 != '' ? "'".$localtaxtype1."'" : "'0'").",";
- $sql .= " localtax2_type=".($localtaxtype2 != '' ? "'".$localtaxtype2."'" : "'0'").",";
+ $sql .= " localtax1_type=".($localtaxtype1 != '' ? "'".$this->db->escape($localtaxtype1)."'" : "'0'").",";
+ $sql .= " localtax2_type=".($localtaxtype2 != '' ? "'".$this->db->escape($localtaxtype2)."'" : "'0'").",";
 $sql .= " default_vat_code=".($newdefaultvatcode ? "'".$this->db->escape($newdefaultvatcode)."'" : "null").",";
 $sql .= " tva_tx='".price2num($newvat)."',";
- $sql .= " recuperableonly='".$newnpr."'";
+ $sql .= " recuperableonly='".$this->db->escape($newnpr)."'";
 $sql .= " WHERE rowid = ".$id;
 dol_syslog(get_class($this)."::update_price", LOG_DEBUG);
@@ -2942,7 +2942,7 @@ class Product extends CommonObject
 global $db, $conf, $user, $hookmanager;
 $sql = "SELECT COUNT(DISTINCT f.fk_soc) as nb_customers, COUNT(DISTINCT f.rowid) as nb,";
- $sql .= " COUNT(fd.rowid) as nb_rows, SUM(".$db->ifsql('f.type != 2', 'fd.qty', 'fd.qty * -1').") as qty";
+ $sql .= " COUNT(fd.rowid) as nb_rows, SUM(".$this->db->ifsql('f.type != 2', 'fd.qty', 'fd.qty * -1').") as qty";
 $sql .= " FROM ".MAIN_DB_PREFIX."facturedet as fd";
 $sql .= ", ".MAIN_DB_PREFIX."facture as f";
 $sql .= ", ".MAIN_DB_PREFIX."societe as s";
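Review bot: In the update_price hunk `recuperableonly='".$this->db->escape($newnpr)."'"` quotes and string-escapes a value that the card.php hunk at -234 builds as a 0/1 flag (`$npr = preg_match(...) ? 1 : 0;`), presumably the same value that reaches this method, so an int cast fits the column better than escaping, and `" WHERE rowid = ".$id` two lines below is still concatenated with no cast at all. Suggested: `$sql .= " recuperableonly=".((int) $newnpr);` and `$sql .= " WHERE rowid = ".((int) $id);`. The price columns above (`price`, `price_ttc`, `price_min`, `price_min_ttc`) are also concatenated raw; the comment says they must not be quoted, which only holds if the caller has already reduced them to plain numbers — worth confirming, since the method's head is outside the hunk.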
@@ -3672,8 +3672,8 @@ class Product extends CommonObject
 // phpcs:enable
 $sql = "SELECT fk_product_pere, qty, incdec";
 $sql .= " FROM ".MAIN_DB_PREFIX."product_association";
- $sql .= " WHERE fk_product_pere = '".$fk_parent."'";
- $sql .= " AND fk_product_fils = '".$fk_child."'";
+ $sql .= " WHERE fk_product_pere = ".((int) $fk_parent);
+ $sql .= " AND fk_product_fils = ".((int) $fk_child);
 $result = $this->db->query($sql);
 if ($result) {
@@ -5371,17 +5371,17 @@ class Product extends CommonObject
 global $conf, $db;
 $sql = "SELECT rowid, level, fk_level, var_percent, var_min_percent FROM ".MAIN_DB_PREFIX."product_pricerules";
- $query = $db->query($sql);
+ $query = $this->db->query($sql);
 $rules = array();
- while ($result = $db->fetch_object($query)) {
+ while ($result = $this->db->fetch_object($query)) {
 $rules[$result->level] = $result;
 }
 //Because prices can be based on other level's prices, we temporarily store them
 $prices = array(
- 1 => $baseprice
+ 1 => $baseprice
 );
 for ($i = 1; $i <= $conf->global->PRODUIT_MULTIPRICES_LIMIT; $i++) {
diff --git a/htdocs/product/class/propalmergepdfproduct.class.php b/htdocs/product/class/propalmergepdfproduct.class.php
index 331708ff096..30ed73d8c77 100644
--- a/htdocs/product/class/propalmergepdfproduct.class.php
+++ b/htdocs/product/class/propalmergepdfproduct.class.php
@@ -232,7 +232,7 @@ class Propalmergepdfproduct extends CommonObject
 $sql .= " FROM ".MAIN_DB_PREFIX."propal_merge_pdf_product as t";
 $sql .= " WHERE t.fk_product = ".$product_id;
 if ($conf->global->MAIN_MULTILANGS && !empty($lang)) {
- $sql .= " AND t.lang = '".$lang."'";
+ $sql .= " AND t.lang = '".$this->db->escape($lang)."'";
 }
 dol_syslog(__METHOD__, LOG_DEBUG);
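Review bot: In the -5371 hunk both database calls now go through `$this->db`, but `global $conf, $db;` on the first context line still imports `$db`; if nothing further down the method (outside the hunk) reads it, reduce it to `global $conf;` so the `$db->` check in CodingPhpTest.php has nothing left to flag here. Separately, `$query` is handed to `fetch_object` without checking that the query succeeded; the -929 hunk in this same file reports failures with `dol_print_error($this->db)`, so a guard of the form `if (!$query) { dol_print_error($this->db); return ...; }` before the `while` would be consistent — the value to return depends on the method's contract, which is outside the hunk.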
@@ -398,7 +398,7 @@ class Propalmergepdfproduct extends CommonObject
 $sql .= " WHERE fk_product=".$product_id;
 if ($conf->global->MAIN_MULTILANGS && !empty($lang_id)) {
- $sql .= " AND lang='".$lang_id."'";
+ $sql .= " AND lang='".$this->db->escape($lang_id)."'";
 }
 dol_syslog(__METHOD__, LOG_DEBUG);
diff --git a/htdocs/product/index.php b/htdocs/product/index.php
index 6dcc5799c26..53136237eca 100644
--- a/htdocs/product/index.php
+++ b/htdocs/product/index.php
@@ -327,7 +327,7 @@ if ((!empty($conf->product->enabled) || !empty($conf->service->enabled)) && ($us
 $sql = "SELECT label";
 $sql .= " FROM ".MAIN_DB_PREFIX."product_lang";
 $sql .= " WHERE fk_product=".$objp->rowid;
- $sql .= " AND lang='".$langs->getDefaultLang()."'";
+ $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'";
 $resultd = $db->query($sql);
 if ($resultd)
diff --git a/htdocs/product/list.php b/htdocs/product/list.php
index 50d59168342..7f1711b13bb 100644
--- a/htdocs/product/list.php
+++ b/htdocs/product/list.php
@@ -353,7 +353,7 @@ if (is_array($extrafields->attributes[$object->table_element]['label']) && count
 if (!empty($searchCategoryProductList) || !empty($catid)) $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX."categorie_product as cp ON p.rowid = cp.fk_product"; // We'll need this table joined to the select in order to filter by categ
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_fournisseur_price as pfp ON p.rowid = pfp.fk_product";
 // multilang
-if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lang as pl ON pl.fk_product = p.rowid AND pl.lang = '".$langs->getDefaultLang()."'";
+if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lang as pl ON pl.fk_product = p.rowid AND pl.lang = '".$db->escape($langs->getDefaultLang())."'";
 if (!empty($conf->variants->enabled) && (!empty($conf->global->PRODUIT_ATTRIBUTES_HIDECHILD) && !$show_childproducts)) {
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_attribute_combination pac ON pac.fk_product_child = p.rowid";
diff --git a/htdocs/product/popuprop.php b/htdocs/product/popuprop.php
index affd5a8b3f2..7e5015b7813 100644
--- a/htdocs/product/popuprop.php
+++ b/htdocs/product/popuprop.php
@@ -203,7 +203,7 @@ if ($mode && $mode != '-1')
 {
 $sql = "SELECT label";
 $sql .= " FROM ".MAIN_DB_PREFIX."product_lang";
 $sql .= " WHERE fk_product=".$prodid;
- $sql .= " AND lang='".$langs->getDefaultLang()."'";
+ $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'";
 $sql .= " LIMIT 1";
 $resultp = $db->query($sql);
diff --git a/htdocs/product/price.php b/htdocs/product/price.php
index 668777cb6c3..c73e43dc6f0 100644
--- a/htdocs/product/price.php
+++ b/htdocs/product/price.php
@@ -127,9 +127,9 @@ if (empty($reshook))
 // Get record from code
 $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
 $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
- $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'";
+ $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
 $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
- $sql .= " AND t.code ='".$vatratecode."'";
+ $sql .= " AND t.code ='".$db->escape($vatratecode)."'";
 $resql = $db->query($sql);
 if ($resql)
 {
@@ -243,9 +243,9 @@ if (empty($reshook))
 // Get record from code
 $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
 $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
- $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'";
+ $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
 $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
- $sql .= " AND t.code ='".$vatratecode."'";
+ $sql .= " AND t.code ='".$db->escape($vatratecode)."'";
 $resql = $db->query($sql);
 if ($resql)
 {
@@ -296,9 +296,9 @@ if (empty($reshook))
 // Get record from code
 $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
 $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
- $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'";
+ $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
 $sql .= " AND t.taux = ".$tva_tx." AND t.active = 1";
- $sql .= " AND t.code ='".$vatratecode."'";
+ $sql .= " AND t.code ='".$db->escape($vatratecode)."'";
 $resql = $db->query($sql);
 if ($resql)
 {
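Review bot: In the -296 hunk `$sql .= " AND t.taux = ".$tva_tx." AND t.active = 1";` concatenates `$tva_tx` without the `((float) $tva_tx)` cast that the -127 and -243 copies of the same query use, so escaping `$vatratecode` on the next line still leaves an uncast value in the same statement; the -525 and -625 hunks in this file have the same gap. Use `$sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";` in all three. Five near-identical copies of this lookup in price.php (and a sixth in card.php at -241) would be better served by one helper taking `$tva_tx` and `$vatratecode`, so the next fix lands once.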
@@ -436,7 +436,7 @@ if (empty($reshook))
 // Ajout / mise à jour
 if ($rowid > 0) {
 $sql = "UPDATE ".MAIN_DB_PREFIX."product_price_by_qty SET";
- $sql .= " price='".$price."',";
+ $sql .= " price='".$db->escape($price)."',";
 $sql .= " unitprice=".$unitPrice.",";
 $sql .= " quantity=".$quantity.",";
 $sql .= " remise_percent=".$remise_percent.",";
@@ -525,9 +525,9 @@ if (empty($reshook))
 // Get record from code
 $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
 $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
- $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'";
+ $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
 $sql .= " AND t.taux = ".$tva_tx." AND t.active = 1";
- $sql .= " AND t.code ='".$vatratecode."'";
+ $sql .= " AND t.code ='".$db->escape($vatratecode)."'";
 $resql = $db->query($sql);
 if ($resql)
 {
@@ -625,9 +625,9 @@ if (empty($reshook))
 // Get record from code
 $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
 $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
- $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'";
+ $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
 $sql .= " AND t.taux = ".$tva_tx." AND t.active = 1";
- $sql .= " AND t.code ='".$vatratecode."'";
+ $sql .= " AND t.code ='".$db->escape($vatratecode)."'";
 $resql = $db->query($sql);
 if ($resql)
 {
diff --git a/htdocs/product/reassortlot.php b/htdocs/product/reassortlot.php
index 2dfb423c5f8..cc37d930280 100644
--- a/htdocs/product/reassortlot.php
+++ b/htdocs/product/reassortlot.php
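Review bot: In the -436 hunk `price='".$db->escape($price)."',"` writes a quoted string into a column whose neighbours are treated as numeric (`unitprice`, `quantity` and `remise_percent` are concatenated unquoted), and those three are still interpolated with no cast or escape at all. If `$price` has already been reduced to a plain number upstream, `$sql .= " price=".((float) $price).",";` is the closer match, and the same cast belongs on the three sibling assignments. The `if ($rowid > 0)` block continues past the end of the hunk.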
@@ -335,7 +335,7 @@ if ($resql)
 $sql = "SELECT label";
 $sql .= " FROM ".MAIN_DB_PREFIX."product_lang";
 $sql .= " WHERE fk_product=".$objp->rowid;
- $sql .= " AND lang='".$langs->getDefaultLang()."'";
+ $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'";
 $sql .= " LIMIT 1";
 $result = $db->query($sql);
diff --git a/htdocs/product/stock/card.php b/htdocs/product/stock/card.php
index 21be487993f..e2cf02ce3c7 100644
--- a/htdocs/product/stock/card.php
+++ b/htdocs/product/stock/card.php
@@ -432,7 +432,7 @@ if ($action == 'create')
 if (!empty($user->rights->stock->mouvement->lire)) {
 $sql = "SELECT max(m.datem) as datem";
 $sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m";
- $sql .= " WHERE m.fk_entrepot = '".$object->id."'";
+ $sql .= " WHERE m.fk_entrepot = ".((int) $object->id);
 $resqlbis = $db->query($sql);
 if ($resqlbis) {
 $obj = $db->fetch_object($resqlbis);
@@ -555,7 +555,7 @@ if ($action == 'create')
 $sql = "SELECT label";
 $sql .= " FROM ".MAIN_DB_PREFIX."product_lang";
 $sql .= " WHERE fk_product=".$objp->rowid;
- $sql .= " AND lang='".$langs->getDefaultLang()."'";
+ $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'";
 $sql .= " LIMIT 1";
 $result = $db->query($sql);
diff --git a/htdocs/product/stock/class/mouvementstock.class.php b/htdocs/product/stock/class/mouvementstock.class.php
index bfdfb14f6e8..ca6e39c2b07 100644
--- a/htdocs/product/stock/class/mouvementstock.class.php
+++ b/htdocs/product/stock/class/mouvementstock.class.php
@@ -418,7 +418,7 @@ class MouvementStock extends CommonObject
 $sql .= " fk_entrepot, value, type_mouvement, fk_user_author, label, inventorycode, price, fk_origin, origintype, fk_projet";
 $sql .= ")";
 $sql .= " VALUES ('".$this->db->idate($now)."', ".$this->product_id.", ";
- $sql .= " ".($batch ? "'".$batch."'" : "null").", ";
+ $sql .= " ".($batch ? "'".$this->db->escape($batch)."'" : "null").", ";
 $sql .= " ".($eatby ? "'".$this->db->idate($eatby)."'" : "null").", ";
 $sql .= " ".($sellby ? "'".$this->db->idate($sellby)."'" : "null").", ";
 $sql .= " ".$this->entrepot_id.", ".$this->qty.", ".((int) $this->type).",";
diff --git a/htdocs/product/stock/movement_card.php b/htdocs/product/stock/movement_card.php
index 2000ab4cdec..6d0eb0dc24c 100644
--- a/htdocs/product/stock/movement_card.php
+++ b/htdocs/product/stock/movement_card.php
@@ -457,7 +457,7 @@ $sql .= " AND e.entity IN (".getEntity('stock').")";
 if (empty($conf->global->STOCK_SUPPORTS_SERVICES)) $sql .= " AND p.fk_product_type = 0";
 if ($id > 0) $sql .= " AND e.rowid ='".$id."'";
 $sql .= dolSqlDateFilter('m.datem', 0, $month, $year);
-if ($idproduct > 0) $sql .= " AND p.rowid = '".$idproduct."'";
+if ($idproduct > 0) $sql .= " AND p.rowid = ".((int) $idproduct);
 if (!empty($search_ref)) $sql .= natural_search('m.rowid', $search_ref, 1);
 if (!empty($search_movement)) $sql .= natural_search('m.label', $search_movement);
 if (!empty($search_inventorycode)) $sql .= natural_search('m.inventorycode', $search_inventorycode);
diff --git a/htdocs/product/stock/movement_list.php b/htdocs/product/stock/movement_list.php
index e47c0664142..b533d4407a6 100644
--- a/htdocs/product/stock/movement_list.php
+++ b/htdocs/product/stock/movement_list.php
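Review bot: In the movement_card.php hunk at -457 the changed line casts `$idproduct`, but the context line two above it, `if ($id > 0) $sql .= " AND e.rowid ='".$id."'";`, keeps the quoted, unescaped form for the warehouse id; the -483 hunk in movement_list.php has the identical pair. Change both to `if ($id > 0) $sql .= " AND e.rowid = ".((int) $id);`. In the mouvementstock.class.php hunk at -418, `$this->product_id`, `$this->entrepot_id` and `$this->qty` are likewise concatenated raw right next to the cast `((int) $this->type)`; the two ids would take the same int cast, and `qty` whatever numeric normalisation the class applies elsewhere (outside the hunk).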
@@ -483,7 +483,7 @@ $sql .= " AND e.entity IN (".getEntity('stock').")";
 if (empty($conf->global->STOCK_SUPPORTS_SERVICES)) $sql .= " AND p.fk_product_type = 0";
 if ($id > 0) $sql .= " AND e.rowid ='".$id."'";
 $sql .= dolSqlDateFilter('m.datem', 0, $month, $year);
-if ($idproduct > 0) $sql .= " AND p.rowid = '".$idproduct."'";
+if ($idproduct > 0) $sql .= " AND p.rowid = ".((int) $idproduct);
 if (!empty($search_ref)) $sql .= natural_search('m.rowid', $search_ref, 1);
 if (!empty($search_movement)) $sql .= natural_search('m.label', $search_movement);
 if (!empty($search_inventorycode)) $sql .= natural_search('m.inventorycode', $search_inventorycode);
@@ -624,7 +624,7 @@ if ($resql)
 // Last movement
 $sql = "SELECT MAX(m.datem) as datem";
 $sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m";
- $sql .= " WHERE m.fk_entrepot = '".$object->id."'";
+ $sql .= " WHERE m.fk_entrepot = ".((int) $object->id);
 $resqlbis = $db->query($sql);
 if ($resqlbis)
 {
diff --git a/htdocs/product/stock/product.php b/htdocs/product/stock/product.php
index cd83f2c19c8..858058ef684 100644
--- a/htdocs/product/stock/product.php
+++ b/htdocs/product/stock/product.php
@@ -710,7 +710,7 @@ if ($id > 0 || $ref)
 {
 $sql = "SELECT max(m.datem) as datem";
 $sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m";
- $sql .= " WHERE m.fk_product = '".$object->id."'";
+ $sql .= " WHERE m.fk_product = ".((int) $object->id);
 $resqlbis = $db->query($sql);
 if ($resqlbis) {
 $obj = $db->fetch_object($resqlbis);
diff --git a/htdocs/product/stock/stockatdate.php b/htdocs/product/stock/stockatdate.php
index b4ae04d6ae3..f581242c9f2 100644
--- a/htdocs/product/stock/stockatdate.php
+++ b/htdocs/product/stock/stockatdate.php
@@ -124,7 +124,7 @@ if ($date && $dateIsValid) { // Avoid heavy sql if mandatory date is not defined
 $sql .= " WHERE w.entity IN (".getEntity('stock').")";
 $sql .= " AND w.rowid = ps.fk_entrepot";
 if (! empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) {
- $sql .= " AND w.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")";
+ $sql .= " AND w.statut IN (".$db->sanitize($db->escape(implode(',', $warehouseStatus))).")";
 }
 if ($productid > 0) {
 $sql .= " AND ps.fk_product = ".$productid;
@@ -175,7 +175,7 @@ if ($date && $dateIsValid) {
 $sql .= " WHERE w.entity IN (".getEntity('stock').")";
 $sql .= " AND w.rowid = sm.fk_entrepot";
 if (! empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) {
- $sql .= " AND w.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")";
+ $sql .= " AND w.statut IN (".$db->sanitize($db->escape(implode(',', $warehouseStatus))).")";
 }
 if ($mode == 'future') {
 $sql .= " AND sm.datem <= '".$db->idate($dateendofday)."'";
diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php
index 1a03699c2bc..41ab46d0c9f 100644
--- a/test/phpunit/CodingPhpTest.php
+++ b/test/phpunit/CodingPhpTest.php
@@ -152,7 +152,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
 $db=$this->savdb;
 include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
- $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT.'/holiday', 'files', 1, '\.php', null, 'fullname');
+ $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT.'/product', 'files', 1, '\.php', null, 'fullname');
 //$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname');
 foreach ($filesarray as $key => $file)
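Review bot: In the CodingPhpTest.php hunk at -152 the scanned directory is switched from `/holiday` to `/product`, which removes the holiday module from the `$db->` check instead of extending the check to product; the commented-out full-tree call on the next line shows the broader run that is being held back. Scanning both directories, or driving the module list from a data provider, keeps the coverage this test already had while adding the new module. The stockatdate.php hunks at -124 and -175 are a real fix on their own (`$this` does not exist in a page script), and `$db->escape()` wrapped inside `$db->sanitize()` on the same line is redundant if `sanitize` is a character allowlist — worth checking its definition, which is outside this patch.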
@@ -186,7 +186,9 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
 'TraceableDB.php',
 'expeditionbatch.class.php',
 'expensereport_ik.class.php',
- 'expensereport_rule.class.php'
+ 'expensereport_rule.class.php',
+ 'multicurrency.class.php',
+ 'productbatch.class.php'
 ))) {
 // Must must not found $db->
 $ok=true;
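Review bot: Adding `'multicurrency.class.php'` to this exclusion list exempts from the `$db->` check a file that the same commit only partly converts to `$this->db` (its -427 hunk still executes `$db->query($sql)`), so the exemption hides the remaining occurrence instead of finishing the conversion. `'productbatch.class.php'` is not touched anywhere in this patch, so its entry reads as an open workaround; a short comment naming what still has to be converted would at least keep it visible. The final entry again has no trailing comma, which is what produced the one-line removal in this hunk and will do so again on the next addition.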