diff --git a/htdocs/comm/action/index.php b/htdocs/comm/action/index.php
index cba76d72e6c..09fe25adce3 100644
--- a/htdocs/comm/action/index.php
+++ b/htdocs/comm/action/index.php
@@ -40,7 +40,7 @@ $showbirthday = GETPOST("showbirthday","int")?GETPOST("showbirthday","int"):0;
 $sortfield = GETPOST("sortfield");
 $sortorder = GETPOST("sortorder");
-$page = GETPOST("page");
+$page = GETPOST("page","int");
 if ($page == -1) { $page = 0 ; }
 $limit = $conf->liste_limit;
 $offset = $limit * $page ;
@@ -48,14 +48,14 @@ if (! $sortorder) $sortorder="ASC";
 if (! $sortfield) $sortfield="a.datec";
 // Security check
-$socid = isset($_GET["socid"])?$_GET["socid"]:'';
+$socid = GETPOST("socid","int",1);
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'agenda', 0, '', 'myactions');
 $canedit=1;
 if (! $user->rights->agenda->myactions->read) accessforbidden();
 if (! $user->rights->agenda->allactions->read) $canedit=0;
-if (! $user->rights->agenda->allactions->read || $_GET["filter"]=='mine') // If no permission to see all, we show only affected to me
+if (! $user->rights->agenda->allactions->read || GETPOST("filter","",1)=='mine') // If no permission to see all, we show only affected to me
 {
 $filtera=$user->id;
 $filtert=$user->id;
diff --git a/htdocs/compta/commande/liste.php b/htdocs/compta/commande/liste.php
index dc41aba5062..be0ea37cd3e 100644
--- a/htdocs/compta/commande/liste.php
+++ b/htdocs/compta/commande/liste.php
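Review bot: In the second hunk `$socid` is still an empty string when the parameter is absent, because GETPOST falls back to `''` (as its own hunk in functions.lib.php shows) and no cast is applied here, so any later use of `$socid` that expects an integer sees `''` rather than `0` unless the "int" check converts it, and that check's implementation is outside this diff. Casting at the boundary, `$socid = (int) GETPOST("socid","int",1);`, pins the type regardless of what the check does and keeps the `if ($user->societe_id)` override intact. The `GETPOST("filter","",1)=='mine'` comparison on the same hunk could use `===`, since GETPOST returns a string and the loose form invites type-juggling surprises.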
@@ -38,14 +38,22 @@ $orderid = isset($_GET["orderid"])?$_GET["orderid"]:'';
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'commande',$orderid,'');
-$begin=$_GET["begin"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
+// Assign and check variable
+$year=GETPOST('year','int',1);
+$month=GETPOST('month','int',1);
+$status=GETPOST('status','int',1);
+$onbill=GETPOST('afacturer','int',1);
+$page=GETPOST('page','int',1);
+$sf_ref=GETPOST('sf_ref','',2);
+
+$begin=GETPOST('begin','',1); // TODO used ?
+$sortorder=GETPOST('sortorder','',1);
+$sortfield=GETPOST('sortfield','',1);
 if (! $sortfield) $sortfield="c.rowid";
 if (! $sortorder) $sortorder="DESC";
 $limit = $conf->liste_limit;
-$offset = $limit * $_GET["page"] ;
+$offset = $limit * $page ;
 $html = new Form($db);
 $formfile = new FormFile($db);
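Review bot: `$sortfield`, `$sortorder` and `$sf_ref` are read with an empty `$check` argument, so they arrive unfiltered, and the next hunk concatenates them straight into the query (`ORDER BY $sortfield $sortorder` and `c.ref like '%".$sf_ref . "%'`), which leaves open the SQL injection surface this commit otherwise narrows. Restrict `$sortfield` and `$sortorder` to an allow-list of column names and `ASC`/`DESC` before they reach the query, and pass `$sf_ref` through `$db->escape()` where it is concatenated, escaping `%` and `_` as well if they are not meant to act as wildcards. `$begin` is read the same way; if the `// TODO used ?` on its line resolves to "yes", it needs the same treatment.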
@@ -69,25 +77,25 @@ $sql.= " WHERE c.fk_soc = s.rowid";
 $sql.= " AND s.entity = ".$conf->entity;
 if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
 if ($socid) $sql.= " AND s.rowid = ".$socid;
-if ($_GET["month"] > 0)
+if ($month > 0)
 {
- $sql.= " AND date_format(c.date_commande, '%Y-%m') = '".$_GET["year"]."-".$_GET["month"]."'";
+ $sql.= " AND date_format(c.date_commande, '%Y-%m') = '".$year."-".$month."'";
 }
-if ($_GET["year"] > 0)
+if ($year > 0)
 {
- $sql.= " AND date_format(c.date_commande, '%Y') = '".$_GET["year"]."'";
+ $sql.= " AND date_format(c.date_commande, '%Y') = '".$year."'";
 }
-if (isset($_GET["status"]))
+if ($status)
 {
- $sql.= " AND fk_statut = ".$_GET["status"];
+ $sql.= " AND fk_statut = ".$status;
 }
-if (isset($_GET["afacturer"]) && $_GET['afacturer'] == 1)
+if ($onbill == 1)
 {
 $sql.= " AND fk_statut >=1 AND c.facture = 0";
 }
-if (dol_strlen($_POST["sf_ref"]) > 0)
+if (dol_strlen($sf_ref) > 0)
 {
- $sql.= " AND c.ref like '%".$_POST["sf_ref"] . "%'";
+ $sql.= " AND c.ref like '%".$sf_ref . "%'";
 }
 $sql.= " ORDER BY $sortfield $sortorder";
 $sql.= $db->plimit($limit + 1,$offset);
@@ -109,10 +117,10 @@ if ($resql)
 // Si page des commandes a facturer
 $link=DOL_URL_ROOT."/compta/commande/fiche.php";
 $title.=" - ".$langs->trans("StatusOrderToBill");
-$param="&socid=".$socid."&year=".$_GET["year"]."&month=".$_GET["month"];
+$param="&socid=".$socid."&year=".$year."&month=".$month;
 $num = $db->num_rows($resql);
-print_barre_liste($title, $_GET["page"], "liste.php",$param,$sortfield,$sortorder,'',$num);
+print_barre_liste($title, $page, "liste.php",$param,$sortfield,$sortorder,'',$num);
 $i = 0;
 print '';
diff --git a/htdocs/lib/functions.lib.php b/htdocs/lib/functions.lib.php
index 388988198fb..0aa1a131d2f 100644
--- a/htdocs/lib/functions.lib.php
+++ b/htdocs/lib/functions.lib.php
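Review bot: Replacing `isset($_GET["status"])` with `if ($status)` drops the ability to filter on status 0: a request carrying `status=0` used to append `fk_statut = 0`, but `'0'` is falsy in PHP so that clause is now never generated. If GETPOST returns `''` for an absent parameter (as the fallback in its own hunk suggests), `if ($status !== '')` keeps the old semantics while still skipping the filter when the parameter is missing, and casting with `" AND fk_statut = ".(int) $status` guarantees the query only ever sees a number whatever the "int" check does. The query build starts before this hunk and the result handling continues after it.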
@@ -41,11 +41,16 @@ if (! defined('ADODB_DATE_VERSION')) include_once(DOL_DOCUMENT_ROOT."/includes/a
 * Return value of a param into get or post variable
 * @param paramname Name of parameter to found
 * @param check Type of check (security)
+ * @param type Type of variable (0 = get or post, 1 = only get, 2 = only post)
 * @return string Value found
 */
-function GETPOST($paramname,$check='')
+function GETPOST($paramname,$check='',$type=0)
 {
- $out = isset($_GET[$paramname])?$_GET[$paramname]:(isset($_POST[$paramname])?$_POST[$paramname]:'');
+ if ($type=1) $out = isset($_GET[$paramname])?$_GET[$paramname]:'';
+ else if ($type=2) isset($_POST[$paramname])?$_POST[$paramname]:'';
+ else $out = isset($_GET[$paramname])?$_GET[$paramname]:(isset($_POST[$paramname])?$_POST[$paramname]:'');
+
+ // Clean value
 $out = trim($out);
 if (!empty($check))
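Review bot: Both new branches in GETPOST use assignment where a comparison is intended: `if ($type=1)` is always true, so every call — including the default `$type=0` used by all existing callers — now reads `$_GET` only and silently ignores POSTed values, and the `$type=2` branch is unreachable and would not set `$out` even if reached, because it discards the ternary's result. The lines should read `if ($type == 1) $out = isset($_GET[$paramname])?$_GET[$paramname]:'';` and `else if ($type == 2) $out = isset($_POST[$paramname])?$_POST[$paramname]:'';`, with the existing `else` line unchanged. GETPOST's body continues past the hunk, so what the `$check` argument does to the raw value is not visible here.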