Fix escape
This commit is contained in:
parent
d38168f49e
commit
2c660504bb
|
|
@ -192,12 +192,12 @@ if ($action == 'switch')
|
|||
$newsecondnum = preg_replace('/[a-zA-Z]+/', '', $newsecond);
|
||||
$newsecond = sprintf("%s%02d", $newsecondchar ? $newsecondchar : 'A', $newsecondnum + 1);
|
||||
}
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$newfirst."' WHERE rowid=".$objfrom->rowid;
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$db->escape($newfirst)."' WHERE rowid=".$objfrom->rowid;
|
||||
dol_syslog($sql);
|
||||
$resultupdatefrom = $db->query($sql);
|
||||
if (!$resultupdatefrom) { dol_print_error($db); }
|
||||
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$newsecond."' WHERE rowid=".$objto->rowid;
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$db->escape($newsecond)."' WHERE rowid=".$objto->rowid;
|
||||
dol_syslog($sql);
|
||||
$resultupdateto = $db->query($sql);
|
||||
if (!$resultupdateto) { dol_print_error($db); }
|
||||
|
|
@ -261,7 +261,7 @@ if ($resql)
|
|||
// This occurs just after an insert.
|
||||
if ($decalage)
|
||||
{
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$decalage."' WHERE rowid=".$obj->rowid;
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$db->escape($decalage)."' WHERE rowid=".$obj->rowid;
|
||||
$db->query($sql);
|
||||
}
|
||||
}
|
||||
|
|
@ -286,12 +286,12 @@ if ($resql)
|
|||
if (preg_match("/[13579]{1}/", substr($record['box_order'], -1)))
|
||||
{
|
||||
$box_order = "A0".$record['box_order'];
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$box_order."' WHERE entity = ".$conf->entity." AND box_order = '".$record['box_order']."'";
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$db->escape($box_order)."' WHERE entity = ".$conf->entity." AND box_order = '".$db->escape($record['box_order'])."'";
|
||||
$resql = $db->query($sql);
|
||||
} elseif (preg_match("/[02468]{1}/", substr($record['box_order'], -1)))
|
||||
{
|
||||
$box_order = "B0".$record['box_order'];
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$box_order."' WHERE entity = ".$conf->entity." AND box_order = '".$record['box_order']."'";
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$db->escape($box_order)."' WHERE entity = ".$conf->entity." AND box_order = '".$db->escape($record['box_order'])."'";
|
||||
$resql = $db->query($sql);
|
||||
}
|
||||
} elseif (dol_strlen($record['box_order']) == 2)
|
||||
|
|
@ -299,12 +299,12 @@ if ($resql)
|
|||
if (preg_match("/[13579]{1}/", substr($record['box_order'], -1)))
|
||||
{
|
||||
$box_order = "A".$record['box_order'];
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$box_order."' WHERE entity = ".$conf->entity." AND box_order = '".$record['box_order']."'";
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$db->escape($box_order)."' WHERE entity = ".$conf->entity." AND box_order = '".$db->escape($record['box_order'])."'";
|
||||
$resql = $db->query($sql);
|
||||
} elseif (preg_match("/[02468]{1}/", substr($record['box_order'], -1)))
|
||||
{
|
||||
$box_order = "B".$record['box_order'];
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$box_order."' WHERE entity = ".$conf->entity." AND box_order = '".$record['box_order']."'";
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$db->escape($box_order)."' WHERE entity = ".$conf->entity." AND box_order = '".$db->escape($record['box_order'])."'";
|
||||
$resql = $db->query($sql);
|
||||
}
|
||||
}
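Review bot: The `WHERE rowid=".$objfrom->rowid` and `WHERE rowid=".$objto->rowid` tails of the `switch` hunk, and `WHERE entity = ".$conf->entity` in the two box_order hunks below it, are still concatenated raw while the same commit casts `$rowid` with `((int) $rowid)` in the other admin pages; for consistency write `WHERE rowid = ".((int) $objfrom->rowid)` and `WHERE entity = ".((int) $conf->entity)`. Those values appear to come from database rows and configuration rather than the request, so this is hardening rather than a live injection. `$newfirst` and `$newsecond` are derived through `preg_replace` and `sprintf("%s%02d", ...)` on the visible lines, so the added `$db->escape()` there is likewise defence in depth. The `if ($action == 'switch')` block enclosing the first hunk starts before it.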
|
||||
|
|
|
|||
|
|
@ -357,7 +357,7 @@ print load_fiche_titre($langs->trans("OrdersModelModule"), '', '');
|
|||
$def = array();
|
||||
$sql = "SELECT nom";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."document_model";
|
||||
$sql .= " WHERE type = '".$type."'";
|
||||
$sql .= " WHERE type = '".$db->escape($type)."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
$resql = $db->query($sql);
|
||||
if ($resql)
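Review bot: `$sql .= " AND entity = ".$conf->entity;` on the line after the newly escaped `type` filter is still concatenated raw, so the hunk hardens the one value that is a constant and leaves the one that is not. `$type` is assigned from a string literal in the sibling hunks of this commit (`$type = 'invoice';`, `$type = 'expensereport';`), so `$db->escape($type)` is defence in depth only. Suggest `$sql .= " AND entity = ".((int) $conf->entity);`, matching the `((int) $rowid)` casts the same commit applies in the dictionary and website pages. The identical `document_model` query appears in every other admin page touched by this commit, and the same note applies to each of them.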
|
||||
|
|
|
|||
|
|
@ -287,7 +287,7 @@ print load_fiche_titre($langs->trans("TemplatePDFContracts"), '', '');
|
|||
$def = array();
|
||||
$sql = "SELECT nom";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."document_model";
|
||||
$sql .= " WHERE type = '".$type."'";
|
||||
$sql .= " WHERE type = '".$db->escape($type)."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
$resql = $db->query($sql);
|
||||
if ($resql)
|
||||
|
|
|
|||
|
|
@ -296,7 +296,7 @@ $def = array();
|
|||
|
||||
$sql = "SELECT nom";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."document_model";
|
||||
$sql .= " WHERE type = '".$type."'";
|
||||
$sql .= " WHERE type = '".$db->escape($type)."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
|
||||
$resql = $db->query($sql);
|
||||
|
|
|
|||
|
|
@ -297,7 +297,7 @@ $type = 'expensereport';
|
|||
$def = array();
|
||||
$sql = "SELECT nom";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."document_model";
|
||||
$sql .= " WHERE type = '".$type."'";
|
||||
$sql .= " WHERE type = '".$db->escape($type)."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
$resql = $db->query($sql);
|
||||
if ($resql)
|
||||
|
|
|
|||
|
|
@ -80,8 +80,8 @@ if ($action == 'add' || GETPOST("modify"))
|
|||
{
|
||||
// Supprime boite box_external_rss de definition des boites
|
||||
/* $sql = "UPDATE ".MAIN_DB_PREFIX."boxes_def";
|
||||
$sql.= " SET name = '".$boxlabel."'";
|
||||
$sql.= " WHERE file ='box_external_rss.php' AND note like '".$_POST["norss"]." %'";
|
||||
$sql.= " SET name = '".$db->escape($boxlabel)."'";
|
||||
$sql.= " WHERE file ='box_external_rss.php' AND note like '".$db->escape($_POST["norss"])." %'";
|
||||
|
||||
$resql=$db->query($sql);
|
||||
if (! $resql)
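Review bot: Both changed lines sit inside the `/* ... */` block opened at `$sql = "UPDATE ".MAIN_DB_PREFIX."boxes_def";`, so this hunk has no runtime effect; dead code is better deleted than patched. If it is ever revived, `$_POST["norss"]` is read raw instead of through `GETPOST()`, and `$db->escape()` presumably neutralises quote characters but not the `%`/`_` wildcards that are significant inside the `LIKE '... %'` pattern it feeds — confirm against the DoliDB implementation before relying on it. The enclosing `if ($action == 'add' || GETPOST("modify"))` block starts before the hunk.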
|
||||
|
|
|
|||
|
|
@ -421,7 +421,7 @@ $type = 'invoice';
|
|||
$def = array();
|
||||
$sql = "SELECT nom";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."document_model";
|
||||
$sql .= " WHERE type = '".$type."'";
|
||||
$sql .= " WHERE type = '".$db->escape($type)."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
$resql = $db->query($sql);
|
||||
if ($resql)
|
||||
|
|
|
|||
|
|
@ -349,7 +349,7 @@ $type = 'ficheinter';
|
|||
$def = array();
|
||||
$sql = "SELECT nom";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."document_model";
|
||||
$sql .= " WHERE type = '".$type."'";
|
||||
$sql .= " WHERE type = '".$db->escape($type)."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
$resql = $db->query($sql);
|
||||
if ($resql)
|
||||
|
|
|
|||
|
|
@ -299,7 +299,7 @@ print load_fiche_titre($langs->trans("TemplatePDFHolidays"), '', '');
|
|||
$def = array();
|
||||
$sql = "SELECT nom";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."document_model";
|
||||
$sql .= " WHERE type = '".$type."'";
|
||||
$sql .= " WHERE type = '".$db->escape($type)."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
$resql = $db->query($sql);
|
||||
if ($resql)
|
||||
|
|
|
|||
|
|
@ -243,7 +243,7 @@ if (empty($mysoc->country_code))
|
|||
|
||||
$sql = "SELECT taux as vat_rate, t.code as vat_code, t.localtax1 as localtax_rate1, t.localtax2 as localtax_rate2";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
|
||||
$sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$mysoc->country_code."' AND (t.taux <> 0 OR t.localtax1 <>0 OR t.localtax2 <>0)";
|
||||
$sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$db->escape($mysoc->country_code)."' AND (t.taux <> 0 OR t.localtax1 <>0 OR t.localtax2 <>0)";
|
||||
$sql .= " ORDER BY t.taux ASC";
|
||||
$resql = $db->query($sql);
|
||||
if ($resql)
|
||||
|
|
|
|||
|
|
@ -291,7 +291,7 @@ $def = array();
|
|||
|
||||
$sql = "SELECT nom";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."document_model";
|
||||
$sql .= " WHERE type = '".$type."'";
|
||||
$sql .= " WHERE type = '".$db->escape($type)."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
|
||||
$resql = $db->query($sql);
|
||||
|
|
|
|||
|
|
@ -341,7 +341,7 @@ if (empty($reshook))
|
|||
$i++;
|
||||
}
|
||||
|
||||
$sql .= " WHERE ".$rowidcol." = '".$rowid."'";
|
||||
$sql .= " WHERE ".$rowidcol." = ".((int) $rowid);
|
||||
//print $sql;exit;
|
||||
dol_syslog("actionmodify", LOG_DEBUG);
|
||||
//print $sql;
|
||||
|
|
@ -359,7 +359,7 @@ if (empty($reshook))
|
|||
{
|
||||
$rowidcol = "rowid";
|
||||
|
||||
$sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol."='".$rowid."'";
|
||||
$sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol."=".((int) $rowid);
|
||||
|
||||
dol_syslog("delete", LOG_DEBUG);
|
||||
$result = $db->query($sql);
|
||||
|
|
@ -379,7 +379,7 @@ if (empty($reshook))
|
|||
{
|
||||
$rowidcol = "rowid";
|
||||
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'";
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."=".((int) $rowid);
|
||||
|
||||
$result = $db->query($sql);
|
||||
if (!$result)
|
||||
|
|
@ -393,7 +393,7 @@ if (empty($reshook))
|
|||
{
|
||||
$rowidcol = "rowid";
|
||||
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'";
|
||||
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."=".((int) $rowid);
|
||||
|
||||
$result = $db->query($sql);
|
||||
if (!$result)
|
||||
|
|
@ -443,7 +443,7 @@ if (!$user->admin)
|
|||
}
|
||||
if (empty($conf->global->MAIN_MULTILANGS))
|
||||
{
|
||||
$sql .= " AND (lang = '".$langs->defaultlang."' OR lang IS NULL OR lang = '')";
|
||||
$sql .= " AND (lang = '".$db->escape($langs->defaultlang)."' OR lang IS NULL OR lang = '')";
|
||||
}
|
||||
if ($search_label) $sql .= natural_search('label', $search_label);
|
||||
if ($search_type_template != '' && $search_type_template != '-1') $sql .= natural_search('type_template', $search_type_template);
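Review bot: `$sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol."=".((int) $rowid);` turns an empty or non-numeric `$rowid` into `rowid=0`, which deletes nothing and then reports success through `$result`; the two `SET active = 1/0` updates behave the same way. Guard each statement with `if ($rowid > 0)`, as the website page in this commit does with `if ($rowid) { ... }`, so a bad id is reported rather than silently ignored. `$tabname[$id]` and `$rowidcol` are also concatenated unescaped; they look like values taken from fixed arrays keyed by `$id`, but whether `$id` is validated against those arrays is outside the hunk. The `if (empty($reshook))` block enclosing the first four hunks starts before them.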
|
||||
|
|
|
|||
|
|
@ -293,7 +293,7 @@ print load_fiche_titre($langs->trans("MOsModelModule"), '', '');
|
|||
$def = array();
|
||||
$sql = "SELECT nom";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."document_model";
|
||||
$sql .= " WHERE type = '".$type."'";
|
||||
$sql .= " WHERE type = '".$db->escape($type)."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
$resql = $db->query($sql);
|
||||
if ($resql)
|
||||
|
|
|
|||
|
|
@ -210,7 +210,7 @@ print load_fiche_titre($langs->trans("OrdersModelModule"),'','');
|
|||
$def = array();
|
||||
$sql = "SELECT nom";
|
||||
$sql.= " FROM ".MAIN_DB_PREFIX."document_model";
|
||||
$sql.= " WHERE type = '".$type."'";
|
||||
$sql.= " WHERE type = '".$db->escape($type)."'";
|
||||
$sql.= " AND entity = ".$conf->entity;
|
||||
$resql=$db->query($sql);
|
||||
if ($resql)
|
||||
|
|
|
|||
|
|
@ -217,7 +217,7 @@ print load_fiche_titre($langs->trans("OrdersModelModule"),'','');
|
|||
$def = array();
|
||||
$sql = "SELECT nom";
|
||||
$sql.= " FROM ".MAIN_DB_PREFIX."document_model";
|
||||
$sql.= " WHERE type = '".$type."'";
|
||||
$sql.= " WHERE type = '".$db->escape($type)."'";
|
||||
$sql.= " AND entity = ".$conf->entity;
|
||||
$resql=$db->query($sql);
|
||||
if ($resql)
|
||||
|
|
|
|||
|
|
@ -316,7 +316,7 @@ print load_fiche_titre($langs->trans("ProposalsPDFModules"), '', '');
|
|||
$def = array();
|
||||
$sql = "SELECT nom";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."document_model";
|
||||
$sql .= " WHERE type = '".$type."'";
|
||||
$sql .= " WHERE type = '".$db->escape($type)."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
$resql = $db->query($sql);
|
||||
if ($resql)
|
||||
|
|
|
|||
|
|
@ -301,7 +301,7 @@ $def = array();
|
|||
|
||||
$sql = "SELECT nom";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."document_model";
|
||||
$sql .= " WHERE type = '".$type."'";
|
||||
$sql .= " WHERE type = '".$db->escape($type)."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
|
||||
$resql = $db->query($sql);
|
||||
|
|
|
|||
|
|
@ -516,7 +516,7 @@ print load_fiche_titre($langs->trans("WarehouseModelModules"), '', '');
|
|||
$def = array();
|
||||
$sql = "SELECT nom";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."document_model";
|
||||
$sql .= " WHERE type = '".$type."'";
|
||||
$sql .= " WHERE type = '".$db->escape($type)."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
$resql = $db->query($sql);
|
||||
if ($resql)
|
||||
|
|
|
|||
|
|
@ -179,7 +179,7 @@ print load_fiche_titre($langs->trans("PaymentsNumberingModule"), '', '');
|
|||
$def = array();
|
||||
$sql = "SELECT nom";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."document_model";
|
||||
$sql .= " WHERE type = '".$type."'";
|
||||
$sql .= " WHERE type = '".$db->escape($type)."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
$resql = $db->query($sql);
|
||||
if ($resql)
|
||||
|
|
|
|||
|
|
@ -310,7 +310,7 @@ print load_fiche_titre($langs->trans("SupplierProposalPDFModules"), '', '');
|
|||
$def = array();
|
||||
$sql = "SELECT nom";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."document_model";
|
||||
$sql .= " WHERE type = '".$type."'";
|
||||
$sql .= " WHERE type = '".$db->escape($type)."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
$resql = $db->query($sql);
|
||||
if ($resql)
|
||||
|
|
|
|||
|
|
@ -192,7 +192,7 @@ $dirmodels = array_merge(array('/'), (array) $conf->modules_parts['models']);
|
|||
$def = array();
|
||||
$sql = "SELECT nom";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."document_model";
|
||||
$sql .= " WHERE type = '".$type."'";
|
||||
$sql .= " WHERE type = '".$db->escape($type)."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
$resql = $db->query($sql);
|
||||
if ($resql)
|
||||
|
|
|
|||
|
|
@ -124,7 +124,7 @@ $form = new Form($db);
|
|||
$def = array();
|
||||
$sql = "SELECT nom";
|
||||
$sql .= " FROM ".MAIN_DB_PREFIX."document_model";
|
||||
$sql .= " WHERE type = '".$type."'";
|
||||
$sql .= " WHERE type = '".$db->escape($type)."'";
|
||||
$sql .= " AND entity = ".$conf->entity;
|
||||
$resql = $db->query($sql);
|
||||
if ($resql)
|
||||
|
|
|
|||
|
|
@ -252,7 +252,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha'))
|
|||
else $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'";
|
||||
$i++;
|
||||
}
|
||||
$sql .= " WHERE ".$rowidcol." = '".$rowid."'";
|
||||
$sql .= " WHERE ".$rowidcol." = ".((int) $rowid);
|
||||
|
||||
dol_syslog("actionmodify", LOG_DEBUG);
|
||||
//print $sql;
|
||||
|
|
@ -310,16 +310,16 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete
|
|||
|
||||
if ($website->id > 0)
|
||||
{
|
||||
$sql = "DELETE from ".MAIN_DB_PREFIX."website_account WHERE fk_website ='".$rowid."'";
|
||||
$sql = "DELETE from ".MAIN_DB_PREFIX."website_account WHERE fk_website = ".((int) $rowid);
|
||||
$result = $db->query($sql);
|
||||
|
||||
$sql = "DELETE from ".MAIN_DB_PREFIX."website_page WHERE fk_website ='".$rowid."'";
|
||||
$sql = "DELETE from ".MAIN_DB_PREFIX."website_page WHERE fk_website = ".((int) $rowid);
|
||||
$result = $db->query($sql);
|
||||
|
||||
$sql = "DELETE from ".MAIN_DB_PREFIX."website_extrafields WHERE fk_object ='".$rowid."'";
|
||||
$sql = "DELETE from ".MAIN_DB_PREFIX."website_extrafields WHERE fk_object = ".((int) $rowid);
|
||||
$result = $db->query($sql);
|
||||
|
||||
$sql = "DELETE from ".MAIN_DB_PREFIX."website WHERE rowid ='".$rowid."'";
|
||||
$sql = "DELETE from ".MAIN_DB_PREFIX."website WHERE rowid = ".((int) $rowid);
|
||||
$result = $db->query($sql);
|
||||
if (!$result)
|
||||
{
|
||||
|
|
@ -346,7 +346,7 @@ if ($action == $acts[0])
|
|||
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
|
||||
|
||||
if ($rowid) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET status = 1 WHERE rowid ='".$rowid."'";
|
||||
$sql = "UPDATE ".$tabname[$id]." SET status = 1 WHERE rowid = ".((int) $rowid);
|
||||
}
|
||||
|
||||
$result = $db->query($sql);
|
||||
|
|
@ -362,7 +362,7 @@ if ($action == $acts[1])
|
|||
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
|
||||
|
||||
if ($rowid) {
|
||||
$sql = "UPDATE ".$tabname[$id]." SET status = 0 WHERE rowid ='".$rowid."'";
|
||||
$sql = "UPDATE ".$tabname[$id]." SET status = 0 WHERE rowid = ".((int) $rowid);
|
||||
}
|
||||
|
||||
$result = $db->query($sql);
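Review bot: In the `confirm_delete` hunk the `$result` of the `website_account`, `website_page` and `website_extrafields` DELETEs is overwritten by the next statement before `if (!$result)` is reached, so a failure on any of the first three is never reported and the final `DELETE from ... website WHERE rowid = ...` still runs, leaving orphaned rows. The guard above is `if ($website->id > 0)` while the statements delete by `$rowid`; if those are meant to be the same value, deleting by `((int) $website->id)` would tie the guard to the rows actually removed — confirm from where `$rowid` is set. Checking each result and stopping at the first failure is the minimal fix; wrapping the four statements in a transaction, if this page has one available, would be better still.
```php
// … unchanged: if ($website->id > 0) guard …
$sqls = array(
    "DELETE from ".MAIN_DB_PREFIX."website_account WHERE fk_website = ".((int) $rowid),
    "DELETE from ".MAIN_DB_PREFIX."website_page WHERE fk_website = ".((int) $rowid),
    "DELETE from ".MAIN_DB_PREFIX."website_extrafields WHERE fk_object = ".((int) $rowid),
    "DELETE from ".MAIN_DB_PREFIX."website WHERE rowid = ".((int) $rowid),
);
foreach ($sqls as $sql) {
    $result = $db->query($sql);
    if (!$result) {
        break; // stop at the first failure so the site row is not dropped on top of a half-deleted set
    }
}
if (!$result)
// … unchanged: existing error branch …
```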
|
||||
|
|
|
|||