Fix escape

This commit is contained in:
Laurent Destailleur 2020-09-19 20:11:04 +02:00
parent 14aa9c01da
commit 7dd69a2b2b
25 changed files with 111 additions and 109 deletions


@ -230,8 +230,8 @@ if (strlen(trim($search_account))) {
$search_account_tmp_clean = preg_replace('/^\^/', '', $search_account_tmp);
$search_account_clean = preg_replace('/^\^/', '', $search_account);
}
$sql .= " AND (aa.account_number LIKE '".$startchar.$search_account_tmp_clean."'";
$sql .= " OR aa.account_number LIKE '".$startchar.$search_account_clean."%')";
$sql .= " AND (aa.account_number LIKE '".$db->escape($startchar.$search_account_tmp_clean)."'";
$sql .= " OR aa.account_number LIKE '".$db->escape($startchar.$search_account_clean)."%')";
} else $sql .= natural_search("aa.account_number", $search_account_tmp);
}
}
@ -264,14 +264,14 @@ if ($resql)
$num = $db->num_rows($resql);
$param = '';
if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param .= '&contextpage='.$contextpage;
if ($limit > 0 && $limit != $conf->liste_limit) $param .= '&limit='.$limit;
if (!empty($contextpage) && $contextpage != $_SERVER["PHP_SELF"]) $param .= '&contextpage='.urlencode($contextpage);
if ($limit > 0 && $limit != $conf->liste_limit) $param .= '&limit='.urlencode($limit);
if ($search_account) $param .= '&search_account='.urlencode($search_account);
if ($search_label) $param .= '&search_label='.urlencode($search_label);
if ($search_labelshort) $param .= '&search_labelshort='.urlencode($search_labelshort);
if ($search_accountparent > 0 || $search_accountparent == '0') $param .= '&search_accountparent='.urlencode($search_accountparent);
if ($search_pcgtype) $param .= '&search_pcgtype='.urlencode($search_pcgtype);
if ($optioncss != '') $param .= '&optioncss='.$optioncss;
if ($optioncss != '') $param .= '&optioncss='.urlencode($optioncss);
if (!empty($conf->use_javascript_ajax))
{
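Review bot: The `$db->escape()` calls added on the two `LIKE` lines of the first hunk neutralise quotes but, if the helper is the usual real_escape_string wrapper, leave the LIKE metacharacters `%` and `_` untouched, so an underscore or percent typed into `$search_account` still widens the pattern — and the first branch builds `LIKE '...'` with no trailing `%`, which reads as an intended exact match. Escaping `%` and `_` with a backslash after `$db->escape()` (and before concatenation) would keep that semantics; if the project already has a LIKE-specific escaping helper, use it there. The enclosing `if (strlen(trim($search_account)))` block starts outside the hunk, so I cannot see how `$startchar` is derived. The `urlencode()` additions in the second hunk are consistent with the other `$param` lines.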


@ -280,7 +280,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha'))
else $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'";
$i++;
}
$sql .= " WHERE ".$rowidcol." = '".$rowid."'";
$sql .= " WHERE ".$rowidcol." = ".((int) $rowid);
dol_syslog("actionmodify", LOG_DEBUG);
//print $sql;
@ -302,7 +302,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete
{
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
$sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol."='".$rowid."'";
$sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = ".((int) $rowid);
dol_syslog("delete", LOG_DEBUG);
$result = $db->query($sql);
@ -323,9 +323,9 @@ if ($action == $acts[0])
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'";
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = ".((int) $rowid);
} elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'";
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$db->escape($code)."'";
}
$result = $db->query($sql);
@ -341,9 +341,9 @@ if ($action == $acts[1])
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'";
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = ".((int) $rowid);
} elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'";
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$db->escape($code)."'";
}
$result = $db->query($sql);
@ -359,9 +359,9 @@ if ($action == 'activate_favorite')
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol."='".$rowid."'";
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = ".((int) $rowid);
} elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$code."'";
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code='".$db->escape($code)."'";
}
$result = $db->query($sql);
@ -377,9 +377,9 @@ if ($action == 'disable_favorite')
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol."='".$rowid."'";
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = ".((int) $rowid);
} elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$code."'";
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code='".$db->escape($code)."'";
}
$result = $db->query($sql);
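Review bot: The `confirm_delete` hunk issues `DELETE ... WHERE rowid = 0` when `$rowid` is empty or non-numeric, because `(int)` maps both to 0 and, unlike the four activate/disable hunks below it, there is no `if ($rowid)` guard before the statement; an explicit positive-id check such as `if ((int) $rowid <= 0) { $error++; }` ahead of the DELETE would state the intent instead of relying on no row having id 0. `$tabname[$id]` and `$rowidcol` are interpolated raw in every hunk, which is only safe if `$id` has been validated against the known dictionary list earlier in the file, outside these hunks — worth confirming. The two following dictionary-style file sections have the same shape and the same missing guard on their delete hunks.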


@ -271,7 +271,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha'))
else $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'";
$i++;
}
$sql .= " WHERE ".$rowidcol." = '".$rowid."'";
$sql .= " WHERE ".$rowidcol." = ".((int) $rowid);
dol_syslog("actionmodify", LOG_DEBUG);
//print $sql;
@ -293,7 +293,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete
{
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
$sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
$sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = ".((int) $rowid);
dol_syslog("delete", LOG_DEBUG);
$result = $db->query($sql);
@ -314,7 +314,7 @@ if ($action == $acts[0])
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = ".((int) $rowid);
} elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code = '".$db->escape($code)."'";
}
@ -332,7 +332,7 @@ if ($action == $acts[1])
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = ".((int) $rowid);
} elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code = '".$db->escape($code)."'";
}
@ -350,7 +350,7 @@ if ($action == 'activate_favorite')
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = ".((int) $rowid);
} elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code = '".$db->escape($code)."'";
}
@ -368,7 +368,7 @@ if ($action == 'disable_favorite')
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = ".((int) $rowid);
} elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code = '".$db->escape($code)."'";
}


@ -274,7 +274,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha'))
else $sql .= "'".$db->escape($_POST[$listfieldvalue[$i]])."'";
$i++;
}
$sql .= " WHERE ".$rowidcol." = '".$rowid."'";
$sql .= " WHERE ".$rowidcol." = ".((int) $rowid);
$sql .= " AND entity = ".$conf->entity;
dol_syslog("actionmodify", LOG_DEBUG);
@ -297,7 +297,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete
{
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
$sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol."='".$rowid."'";
$sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = ".((int) $rowid);
$sql .= " AND entity = ".$conf->entity;
dol_syslog("delete", LOG_DEBUG);
@ -319,9 +319,9 @@ if ($action == $acts[0])
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol."='".$rowid."'";
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = ".((int) $rowid);
} elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$code."'";
$sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code='".$db->escape($code)."'";
}
$sql .= " AND entity = ".$conf->entity;
@ -338,9 +338,9 @@ if ($action == $acts[1])
if ($tabrowid[$id]) { $rowidcol = $tabrowid[$id]; } else { $rowidcol = "rowid"; }
if ($rowid) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol."='".$rowid."'";
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = ".((int) $rowid);
} elseif ($code) {
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$code."'";
$sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code='".$db->escape($code)."'";
}
$sql .= " AND entity = ".$conf->entity;
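Review bot: In the activate and disable hunks the `AND entity = ...` suffix is appended unconditionally after an `if ($rowid) { ... } elseif ($code) { ... }` with no else, so when both are empty the suffix is concatenated onto whatever `$sql` held before (or onto an undefined variable) and a malformed statement reaches `$db->query()`; adding an `else { $error++; }` branch, or only running the query inside the two branches, closes that path. For consistency with the `((int) $rowid)` casts this commit introduces, `" AND entity = ".((int) $conf->entity)` would also make the entity interpolation obviously numeric. The surrounding `if ($action == ...)` blocks start before and end after each hunk.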


@ -176,7 +176,7 @@ if ($action == 'update') {
if ($accounting_product_mode == 'ACCOUNTANCY_SELL_EXPORT') {
$sql .= " SET accountancy_code_sell_export = ".$accounting->account_number;
}
$sql .= " WHERE rowid = ".$productid;
$sql .= " WHERE rowid = ".((int) $productid);
dol_syslog("/accountancy/admin/productaccount.php sql=".$sql, LOG_DEBUG);
if ($db->query($sql))
@ -251,21 +251,21 @@ $sql .= " aa.rowid as aaid";
$sql .= " FROM ".MAIN_DB_PREFIX."product as p";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON";
if ($accounting_product_mode == 'ACCOUNTANCY_BUY') {
$sql .= " p.accountancy_code_buy = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'";
$sql .= " p.accountancy_code_buy = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'";
} elseif ($accounting_product_mode == 'ACCOUNTANCY_BUY_INTRA')
{
$sql .= " p.accountancy_code_buy_intra = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'";
$sql .= " p.accountancy_code_buy_intra = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'";
} elseif ($accounting_product_mode == 'ACCOUNTANCY_BUY_EXPORT')
{
$sql .= " p.accountancy_code_buy_export = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'";
$sql .= " p.accountancy_code_buy_export = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'";
} elseif ($accounting_product_mode == 'ACCOUNTANCY_SELL')
{
$sql .= " p.accountancy_code_sell = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'";
$sql .= " p.accountancy_code_sell = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'";
} elseif ($accounting_product_mode == 'ACCOUNTANCY_SELL_INTRA')
{
$sql .= " p.accountancy_code_sell_intra = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'";
$sql .= " p.accountancy_code_sell_intra = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'";
} else {
$sql .= " p.accountancy_code_sell_export = aa.account_number AND aa.fk_pcg_version = '".$pcgvercode."'";
$sql .= " p.accountancy_code_sell_export = aa.account_number AND aa.fk_pcg_version = '".$db->escape($pcgvercode)."'";
}
$sql .= ' WHERE p.entity IN ('.getEntity('product').')';
if ($accounting_product_mode == 'ACCOUNTANCY_BUY') {
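Review bot: The unchanged line `$sql .= " SET accountancy_code_sell_export = ".$accounting->account_number;` in the first hunk interpolates an account number unquoted and unescaped, which is inconsistent with the `$db->escape($pcgvercode)` treatment the commit applies a few lines later and will break as soon as an account number is not a plain integer; it should read `$sql .= " SET accountancy_code_sell_export = '".$db->escape($accounting->account_number)."'";`, and presumably the sibling `SET` branches above the hunk need the same. The six near-identical `LEFT JOIN ... ON` branches in the second hunk differ only in the product column name and could be driven from a small mode-to-column map, which would have made this escape fix a one-line change.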


@ -147,7 +147,7 @@ $sql = "SELECT bk.rowid, bk.doc_date, bk.doc_type, bk.doc_ref, ";
$sql .= " bk.subledger_account, bk.numero_compte , bk.label_compte, bk.debit, ";
$sql .= " bk.credit, bk.montant , bk.sens , bk.code_journal , bk.piece_num, bk.lettering_code ";
$sql .= " FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as bk";
$sql .= " WHERE (bk.subledger_account = '".$object->code_compta."' AND bk.numero_compte = '".$conf->global->ACCOUNTING_ACCOUNT_CUSTOMER."' )";
$sql .= " WHERE (bk.subledger_account = '".$db->escape($object->code_compta)."' AND bk.numero_compte = '".$db->escape($conf->global->ACCOUNTING_ACCOUNT_CUSTOMER)."' )";
/*
if (dol_strlen($search_date_start) || dol_strlen($search_date_end)) {
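Review bot: The date-range filter that follows the rewritten `WHERE` line is commented out here (`/*` on the line after the hunk's last change) while the supplier-side counterpart in the next file section has the same filter live; either re-enable it or delete the dead block rather than leaving the two pages diverge silently. The escaping of `$object->code_compta` and the `ACCOUNTING_ACCOUNT_CUSTOMER` setting is correct as written.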


@ -146,7 +146,7 @@ $sql = "SELECT bk.rowid, bk.doc_date, bk.doc_type, bk.doc_ref, ";
$sql .= " bk.subledger_account, bk.numero_compte , bk.label_compte, bk.debit, ";
$sql .= " bk.credit, bk.montant , bk.sens , bk.code_journal , bk.piece_num, bk.lettering_code, bk.date_validated ";
$sql .= " FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as bk";
$sql .= " WHERE (bk.subledger_account = '".$object->code_compta_fournisseur."' AND bk.numero_compte = '".$conf->global->ACCOUNTING_ACCOUNT_SUPPLIER."' )";
$sql .= " WHERE (bk.subledger_account = '".$db->escape($object->code_compta_fournisseur)."' AND bk.numero_compte = '".$db->escape($conf->global->ACCOUNTING_ACCOUNT_SUPPLIER)."' )";
if (dol_strlen($search_date_start) || dol_strlen($search_date_end)) {
$sql .= " AND (bk.doc_date BETWEEN '".$db->idate($search_date_start)."' AND '".$db->idate($search_date_end)."' )";
}
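Review bot: The date filter right after the changed line is entered when either bound is set (`dol_strlen($search_date_start) || dol_strlen($search_date_end)`) but always emits `BETWEEN '".$db->idate($search_date_start)."' AND '".$db->idate($search_date_end)."'`, so with only one bound supplied the other side of the BETWEEN is whatever `idate()` returns for an empty value — presumably a zero or epoch date that excludes every row, worth confirming. Emitting `bk.doc_date >= ...` and `bk.doc_date <= ...` as two independent conditions, each guarded by its own `dol_strlen()` check, avoids that.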


@ -1160,7 +1160,8 @@ class AccountancyExport
// TYPE C
if ($last_codeinvoice != $line->doc_ref) {
//recherche societe en fonction de son code client
$sql = "SELECT code_client, fk_forme_juridique, nom, address, zip, town, fk_pays, phone, siret FROM ".MAIN_DB_PREFIX."societe WHERE code_client = '".$line->thirdparty_code."'";
$sql = "SELECT code_client, fk_forme_juridique, nom, address, zip, town, fk_pays, phone, siret FROM ".MAIN_DB_PREFIX."societe";
$sql .= " WHERE code_client = '".$this->db->escape($line->thirdparty_code)."'";
$resql = $this->db->query($sql);
if ($resql && $this->db->num_rows($resql) > 0)
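Review bot: A failed thirdparty lookup on the line after the rewritten query is indistinguishable from "no thirdparty with this code", because only `$resql && $this->db->num_rows($resql) > 0` is tested; adding an `else` that logs `$this->db->lasterror()` via `dol_syslog(..., LOG_ERR)` would make a silently incomplete export diagnosable. The enclosing `if ($last_codeinvoice != $line->doc_ref)` block continues past the hunk.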


@ -101,7 +101,7 @@ class AccountancySystem
$sql .= " FROM ".MAIN_DB_PREFIX."accounting_system as a";
$sql .= " WHERE";
if ($rowid) {
$sql .= " a.rowid = '".$rowid."'";
$sql .= " a.rowid = ".((int) $rowid);
} elseif ($ref) {
$sql .= " a.pcg_version = '".$this->db->escape($ref)."'";
}
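Review bot: When both `$rowid` and `$ref` are empty the `if ($rowid) { ... } elseif ($ref) { ... }` chain appends nothing after `" WHERE"`, so a syntactically invalid statement is sent to the database instead of the method failing fast; a guard such as `if (empty($rowid) && empty($ref)) { return -1; }` before the query is built (or an `else` branch setting an error) makes the contract explicit. The `AccountingJournal::fetch` hunk in the second file section after this one has the same `WHERE` + `if/elseif` shape. The method's signature and return handling lie outside the hunk.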


@ -108,7 +108,7 @@ class AccountingJournal extends CommonObject
$sql .= " FROM ".MAIN_DB_PREFIX."accounting_journal";
$sql .= " WHERE";
if ($rowid) {
$sql .= " rowid = ".(int) $rowid;
$sql .= " rowid = ".((int) $rowid);
} elseif ($journal_code)
{
$sql .= " code = '".$this->db->escape($journal_code)."'";


@ -1755,14 +1755,14 @@ class BookKeeping extends CommonObject
$sql .= ' doc_ref, fk_doc, fk_docdet, entity, thirdparty_code, subledger_account, subledger_label,';
$sql .= ' numero_compte, label_compte, label_operation, debit, credit,';
$sql .= ' montant, sens, fk_user_author, import_key, code_journal, journal_label, '.$next_piecenum.", '".$this->db->idate($now)."'";
$sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.$this->db->escape($piece_num);
$sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.((int) $piece_num);
$resql = $this->db->query($sql);
if (!$resql) {
$error++;
$this->errors[] = 'Error '.$this->db->lasterror();
dol_syslog(__METHOD__.' '.join(',', $this->errors), LOG_ERR);
}
$sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.$this->db->escape($piece_num);
$sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.((int) $piece_num);
$resql = $this->db->query($sql);
if (!$resql) {
$error++;
@ -1770,7 +1770,7 @@ class BookKeeping extends CommonObject
dol_syslog(__METHOD__.' '.join(',', $this->errors), LOG_ERR);
}
} elseif ($direction == 1) {
$sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.$piece_num;
$sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.((int) $piece_num);
$resql = $this->db->query($sql);
if (!$resql) {
$error++;
@ -1785,14 +1785,14 @@ class BookKeeping extends CommonObject
$sql .= ' doc_ref, fk_doc, fk_docdet, thirdparty_code, subledger_account, subledger_label,';
$sql .= ' numero_compte, label_compte, label_operation, debit, credit,';
$sql .= ' montant, sens, fk_user_author, import_key, code_journal, journal_label, piece_num';
$sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.' WHERE piece_num = '.$piece_num;
$sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.' WHERE piece_num = '.((int) $piece_num);
$resql = $this->db->query($sql);
if (!$resql) {
$error++;
$this->errors[] = 'Error '.$this->db->lasterror();
dol_syslog(__METHOD__.' '.join(',', $this->errors), LOG_ERR);
}
$sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.$piece_num;
$sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element.'_tmp WHERE piece_num = '.((int) $piece_num);
$resql = $this->db->query($sql);
if (!$resql) {
$error++;
@ -1910,7 +1910,7 @@ class BookKeeping extends CommonObject
$sql .= " AND asy.rowid = ".$pcgver;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as parent ON aa.account_parent = parent.rowid";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as root ON parent.account_parent = root.rowid";
$sql .= " WHERE aa.account_number = '".$account."'";
$sql .= " WHERE aa.account_number = '".$this->db->escape($account)."'";
$sql .= " AND parent.active = 1";
$sql .= " AND root.active = 1";
$sql .= " AND aa.entity IN (".getEntity('accountancy').")";
@ -1948,8 +1948,8 @@ class BookKeeping extends CommonObject
$sql = "SELECT aa.account_number, aa.label, aa.rowid, aa.fk_pcg_version, cat.label as category";
$sql .= " FROM ".MAIN_DB_PREFIX."accounting_account as aa ";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_system as asy ON aa.fk_pcg_version = asy.pcg_version";
$sql .= " AND aa.account_number = '".$account."'";
$sql .= " AND asy.rowid = ".$pcgver;
$sql .= " AND aa.account_number = '".$this->db->escape($account)."'";
$sql .= " AND asy.rowid = ".((int) $pcgver);
$sql .= " AND aa.active = 1";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_accounting_category as cat ON aa.fk_accounting_category = cat.rowid";
$sql .= " WHERE aa.entity IN (".getEntity('accountancy').")";
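Review bot: The unchanged first line of the `@@ -1910` hunk still reads `$sql .= " AND asy.rowid = ".$pcgver;`, while the `@@ -1948` hunk below casts the same variable with `((int) $pcgver)`; the earlier occurrence should be changed to `$sql .= " AND asy.rowid = ".((int) $pcgver);` so both lookups are covered. In the two transfer hunks (`@@ -1755` and `@@ -1785`) the `DELETE FROM ..._tmp` still runs after a failed `INSERT ... SELECT` only increments `$error`, so unless a `begin()`/`rollback()` pair outside the hunk wraps both statements — which I cannot see from here — the temporary rows are lost on failure; skipping the DELETE when `$error` is set would be the conservative fix.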


@ -68,11 +68,11 @@ class Lettering extends BookKeeping
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."bank_url as bu ON(bk.fk_doc = bu.fk_bank AND bu.type IN ('payment', 'payment_supplier') ) ";
$sql .= " WHERE ( ";
if ($object->code_compta != "")
$sql .= " bk.subledger_account = '".$object->code_compta."' ";
$sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' ";
if ($object->code_compta != "" && $object->code_compta_fournisseur != "")
$sql .= " OR ";
if ($object->code_compta_fournisseur != "")
$sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' ";
$sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' ";
$sql .= " ) AND (bk.date_lettering ='' OR bk.date_lettering IS NULL) ";
$sql .= " AND (bk.lettering_code != '' OR bk.lettering_code IS NULL) ";
@ -95,19 +95,19 @@ class Lettering extends BookKeeping
$sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn facf ";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."paiementfourn_facturefourn as payfacf ON payfacf.fk_facturefourn=facf.rowid";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."paiementfourn as payf ON payfacf.fk_paiementfourn=payf.rowid";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON (bk.fk_doc = payf.fk_bank AND bk.code_journal='".$obj->code_journal."')";
$sql .= " WHERE payfacf.fk_paiementfourn = '".$obj->url_id."' ";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON (bk.fk_doc = payf.fk_bank AND bk.code_journal='".$this->db->escape($obj->code_journal)."')";
$sql .= " WHERE payfacf.fk_paiementfourn = '".$this->db->escape($obj->url_id)."' ";
$sql .= " AND facf.entity = ".$conf->entity;
$sql .= " AND code_journal IN (SELECT code FROM ".MAIN_DB_PREFIX."accounting_journal WHERE nature=4 AND entity=".$conf->entity.") ";
$sql .= " AND ( ";
if ($object->code_compta != "") {
$sql .= " bk.subledger_account = '".$object->code_compta."' ";
$sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' ";
}
if ($object->code_compta != "" && $object->code_compta_fournisseur != "") {
$sql .= " OR ";
}
if ($object->code_compta_fournisseur != "") {
$sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' ";
$sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' ";
}
$sql .= " ) ";
@ -129,13 +129,13 @@ class Lettering extends BookKeeping
$sql .= " AND facf.entity = ".$conf->entity;
$sql .= " AND ( ";
if ($object->code_compta != "") {
$sql .= " bk.subledger_account = '".$object->code_compta."' ";
$sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' ";
}
if ($object->code_compta != "" && $object->code_compta_fournisseur != "") {
$sql .= " OR ";
}
if ($object->code_compta_fournisseur != "") {
$sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' ";
$sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' ";
}
$sql .= ") ";
@ -154,19 +154,19 @@ class Lettering extends BookKeeping
$sql .= " FROM ".MAIN_DB_PREFIX."facture fac ";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."paiement_facture as payfac ON payfac.fk_facture=fac.rowid";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."paiement as pay ON payfac.fk_paiement=pay.rowid";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON (bk.fk_doc = pay.fk_bank AND bk.code_journal='".$obj->code_journal."')";
$sql .= " WHERE payfac.fk_paiement = '".$obj->url_id."' ";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_bookkeeping as bk ON (bk.fk_doc = pay.fk_bank AND bk.code_journal='".$this->db->escape($obj->code_journal)."')";
$sql .= " WHERE payfac.fk_paiement = '".$this->db->escape($obj->url_id)."' ";
$sql .= " AND bk.code_journal IN (SELECT code FROM ".MAIN_DB_PREFIX."accounting_journal WHERE nature=4 AND entity=".$conf->entity.") ";
$sql .= " AND fac.entity IN (".getEntity('invoice', 0).")"; // We don't share object for accountancy
$sql .= " AND ( ";
if ($object->code_compta != "") {
$sql .= " bk.subledger_account = '".$object->code_compta."' ";
$sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' ";
}
if ($object->code_compta != "" && $object->code_compta_fournisseur != "") {
$sql .= " OR ";
}
if ($object->code_compta_fournisseur != "") {
$sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' ";
$sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' ";
}
$sql .= " )";
@ -188,13 +188,13 @@ class Lettering extends BookKeeping
$sql .= " AND fac.entity IN (".getEntity('invoice', 0).")"; // We don't share object for accountancy
$sql .= " AND ( ";
if ($object->code_compta != "") {
$sql .= " bk.subledger_account = '".$object->code_compta."' ";
$sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta)."' ";
}
if ($object->code_compta != "" && $object->code_compta_fournisseur != "") {
$sql .= " OR ";
}
if ($object->code_compta_fournisseur != "") {
$sql .= " bk.subledger_account = '".$object->code_compta_fournisseur."' ";
$sql .= " bk.subledger_account = '".$this->db->escape($object->code_compta_fournisseur)."' ";
}
$sql .= " ) ";
@ -238,7 +238,7 @@ class Lettering extends BookKeeping
$lettre = 'AAA';
$sql = "SELECT DISTINCT lettering_code FROM ".MAIN_DB_PREFIX."accounting_bookkeeping WHERE ";
$sql .= " lettering_code != '' ORDER BY lettering_code DESC limit 1; ";
$sql .= " lettering_code != '' ORDER BY lettering_code DESC limit 1";
$result = $this->db->query($sql);
if ($result) {
@ -252,7 +252,7 @@ class Lettering extends BookKeeping
}
$sql = "SELECT SUM(ABS(debit)) as deb, SUM(ABS(credit)) as cred FROM ".MAIN_DB_PREFIX."accounting_bookkeeping WHERE ";
$sql .= " rowid IN (".implode(',', $ids).") AND date_validated IS NULL ";
$sql .= " rowid IN (".implode(',', $ids).") AND date_validated IS NULL";
$result = $this->db->query($sql);
if ($result) {
$obj = $this->db->fetch_object($result);
@ -272,7 +272,7 @@ class Lettering extends BookKeeping
if (!$error)
{
$sql = "UPDATE ".MAIN_DB_PREFIX."accounting_bookkeeping SET";
$sql .= " lettering_code='".$lettre."'";
$sql .= " lettering_code='".$this->db->escape($lettre)."'";
$sql .= " , date_lettering = '".$this->db->idate($now)."'"; // todo correct date it's false
$sql .= " WHERE rowid IN (".implode(',', $ids).") AND date_validated IS NULL ";
$this->db->begin();
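Review bot: The `@@ -252` and `@@ -272` hunks build `rowid IN (".implode(',', $ids).")` from the raw array while this commit is otherwise moving every id to an explicit integer cast; unless `$ids` is already validated where it is produced (outside the hunk), `implode(',', array_map('intval', $ids))` keeps the IN-list numeric. The `@@ -95` and `@@ -154` hunks wrap `$obj->url_id` in quotes and `escape()` even though it is joined against an integer foreign key; `((int) $obj->url_id)` would match the rowid treatment used elsewhere in the change. The brace-less single-statement `if` bodies in the `@@ -68` hunk differ from the braced style of the later hunks in the same method.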


@ -131,9 +131,9 @@ if ($action == 'validatehistory') {
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = s.fk_pays ";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."facturedet as l ON f.rowid = l.fk_facture";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_sell = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_sell_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$chartaccountcode."' AND aa2.entity = ".$conf->entity;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$chartaccountcode."' AND aa3.entity = ".$conf->entity;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_sell = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_sell_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity;
$sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0";
$sql .= " AND l.product_type <= 2";
@ -402,7 +402,7 @@ if ($conf->global->MAIN_FEATURES_LEVEL > 0) // This part of code looks strange.
}
print '<td width="60" class="right"><b>'.$langs->trans("Total").'</b></td></tr>';
$sql = "SELECT '".$langs->trans("TotalVente")."' AS total,";
$sql = "SELECT '".$db->escape($langs->trans("TotalVente"))."' AS total,";
for ($i = 1; $i <= 12; $i++) {
$j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1;
if ($j > 12) $j -= 12;
@ -459,7 +459,7 @@ if ($conf->global->MAIN_FEATURES_LEVEL > 0) // This part of code looks strange.
}
print '<td width="60" class="right"><b>'.$langs->trans("Total").'</b></td></tr>';
$sql = "SELECT '".$langs->trans("Vide")."' AS marge,";
$sql = "SELECT '".$db->escape($langs->trans("Vide"))."' AS marge,";
for ($i = 1; $i <= 12; $i++) {
$j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1;
if ($j > 12) $j -= 12;
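Review bot: The three rewritten `LEFT JOIN ... accounting_account` lines filter with `aa.entity = ".$conf->entity` while the BookKeeping class in this same commit filters the same table with `aa.entity IN (".getEntity('accountancy').")"`; if accounting accounts are meant to be shareable across entities, these binding pages will silently miss shared accounts, so aligning on one of the two forms (and casting with `((int) $conf->entity)` if the direct form is kept) is worth deciding here. The same pattern appears in the next three file sections (the customer list, expense-report and supplier binding pages). The fiscal-month offset expression `($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1)` is recomputed on every loop iteration in both `for` hunks and could be hoisted into one local above the loops.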


@ -161,8 +161,8 @@ if ($massaction == 'ventil') {
$ko++;
} else {
$sql = " UPDATE ".MAIN_DB_PREFIX."facturedet";
$sql .= " SET fk_code_ventilation = ".$monCompte;
$sql .= " WHERE rowid = ".$monId;
$sql .= " SET fk_code_ventilation = ".((int) $monCompte);
$sql .= " WHERE rowid = ".((int) $monId);
$accountventilated = new AccountingAccount($db);
$accountventilated->fetch($monCompte, '');
@ -222,9 +222,9 @@ $sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = s.fk_pays ";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."facturedet as l ON f.rowid = l.fk_facture";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_sell = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_sell_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$chartaccountcode."' AND aa2.entity = ".$conf->entity;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$chartaccountcode."' AND aa3.entity = ".$conf->entity;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_sell = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_sell_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity;
$sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0";
$sql .= " AND l.product_type <= 2";
// Define begin binding date


@ -161,7 +161,7 @@ for ($i = 1; $i <= 12; $i++) {
}
print '<td width="60" class="right"><b>'.$langs->trans("Total").'</b></td></tr>';
$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,";
$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,";
$sql .= " ".$db->ifsql('aa.label IS NULL', "'tobind'", 'aa.label')." AS intitule,";
for ($i = 1; $i <= 12; $i++) {
$j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1;
@ -234,7 +234,7 @@ for ($i = 1; $i <= 12; $i++) {
}
print '<td width="60" class="right"><b>'.$langs->trans("Total").'</b></td></tr>';
$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,";
$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,";
$sql .= " ".$db->ifsql('aa.label IS NULL', "'tobind'", 'aa.label')." AS intitule,";
for ($i = 1; $i <= 12; $i++) {
$j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1;
@ -309,7 +309,7 @@ if ($conf->global->MAIN_FEATURES_LEVEL > 0) // This part of code looks strange.
}
print '<td width="60" class="right"><b>'.$langs->trans("Total").'</b></td></tr>';
$sql = "SELECT '".$langs->trans("TotalExpenseReport")."' AS label,";
$sql = "SELECT '".$db->escape($langs->trans("TotalExpenseReport"))."' AS label,";
for ($i = 1; $i <= 12; $i++) {
$j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1;
if ($j > 12) $j -= 12;
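Review bot: The first two hunks show the `SELECT ... ifsql(...)` line printed twice with identical text, so the change there appears to be whitespace only and is trivial; the substantive change is the `$db->escape($langs->trans("TotalExpenseReport"))` on the third hunk, which is correct because a translated label may contain an apostrophe. The `$j = $i + (SOCIETE_FISCAL_MONTH_START ? ... : 1) - 1;` line is repeated in all three loops of this section; one `$fiscalStart = ...` local computed once above them would remove the duplication.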


@ -196,7 +196,7 @@ $sql .= " FROM ".MAIN_DB_PREFIX."expensereport as er";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."expensereport_det as erd ON er.rowid = erd.fk_expensereport";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_type_fees as f ON f.id = erd.fk_c_type_fees";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."user as u ON u.rowid = er.fk_user_author";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON f.accountancy_code = aa.account_number AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON f.accountancy_code = aa.account_number AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity;
$sql .= " WHERE er.fk_statut IN (".ExpenseReport::STATUS_APPROVED.", ".ExpenseReport::STATUS_CLOSED.") AND erd.fk_code_ventilation <= 0";
// Define begin binding date
if (!empty($conf->global->ACCOUNTING_DATE_START_BINDING)) {


@ -128,9 +128,9 @@ if ($action == 'validatehistory') {
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = s.fk_pays ";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."facture_fourn_det as l ON f.rowid = l.fk_facture_fourn";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_buy = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_buy_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$chartaccountcode."' AND aa2.entity = ".$conf->entity;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_buy_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$chartaccountcode."' AND aa3.entity = ".$conf->entity;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_buy = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_buy_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_buy_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity;
$sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0";
$sql .= " AND l.product_type <= 2";
@ -232,7 +232,7 @@ for ($i = 1; $i <= 12; $i++) {
}
print '<td width="60" class="right"><b>'.$langs->trans("Total").'</b></td></tr>';
$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,";
$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,";
$sql .= " ".$db->ifsql('aa.label IS NULL', "'tobind'", 'aa.label')." AS intitule,";
for ($i = 1; $i <= 12; $i++) {
$j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1;
@ -305,7 +305,7 @@ for ($i = 1; $i <= 12; $i++) {
}
print '<td width="60" class="right"><b>'.$langs->trans("Total").'</b></td></tr>';
$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,";
$sql = "SELECT ".$db->ifsql('aa.account_number IS NULL', "'tobind'", 'aa.account_number')." AS codecomptable,";
$sql .= " ".$db->ifsql('aa.label IS NULL', "'tobind'", 'aa.label')." AS intitule,";
for ($i = 1; $i <= 12; $i++) {
$j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1;
@ -380,7 +380,7 @@ if ($conf->global->MAIN_FEATURES_LEVEL > 0) // This part of code looks strange.
}
print '<td width="60" class="right"><b>'.$langs->trans("Total").'</b></td></tr>';
$sql = "SELECT '".$langs->trans("CAHTF")."' AS label,";
$sql = "SELECT '".$db->escape($langs->trans("CAHTF"))."' AS label,";
for ($i = 1; $i <= 12; $i++) {
$j = $i + ($conf->global->SOCIETE_FISCAL_MONTH_START ? $conf->global->SOCIETE_FISCAL_MONTH_START : 1) - 1;
if ($j > 12) $j -= 12;


@ -226,9 +226,9 @@ $sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = s.fk_pays ";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."facture_fourn_det as l ON f.rowid = l.fk_facture_fourn";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_buy = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$chartaccountcode."' AND aa.entity = ".$conf->entity;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_buy_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$chartaccountcode."' AND aa2.entity = ".$conf->entity;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_buy_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$chartaccountcode."' AND aa3.entity = ".$conf->entity;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON p.accountancy_code_buy = aa.account_number AND aa.active = 1 AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON p.accountancy_code_buy_intra = aa2.account_number AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity;
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON p.accountancy_code_buy_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity;
$sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0";
$sql .= " AND l.product_type <= 2";
// Define begin binding date


@ -152,7 +152,7 @@ if (empty($reshook)) {
if (!$error) {
if ($socid != $object->socid) { // If link differs from currently in database
$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."adherent";
$sql .= " WHERE socid = '".$socid."'";
$sql .= " WHERE socid = ".((int) $socid);
$sql .= " AND entity = ".$conf->entity;
$resql = $db->query($sql);
if ($resql) {


@ -1117,7 +1117,7 @@ class Adherent extends CommonObject
// Remove link to third party onto any other members
if ($thirdpartyid > 0) {
$sql = "UPDATE ".MAIN_DB_PREFIX."adherent SET fk_soc = null";
$sql .= " WHERE fk_soc = '".$thirdpartyid."'";
$sql .= " WHERE fk_soc = ".((int) $thirdpartyid);
$sql .= " AND entity = ".$conf->entity;
dol_syslog(get_class($this)."::setThirdPartyId", LOG_DEBUG);
$resql = $this->db->query($sql);


@ -92,7 +92,7 @@ class AdherentStats extends Stats
$sql = "SELECT date_format(p.dateadh,'%m') as dm, count(*)";
$sql .= " FROM ".$this->from;
//if (!$user->rights->societe->client->voir && !$user->socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
$sql .= " WHERE date_format(p.dateadh,'%Y') = '".$year."'";
$sql .= " WHERE date_format(p.dateadh,'%Y') = ".((int) $year);
$sql .= " AND ".$this->where;
$sql .= " GROUP BY dm";
$sql .= $this->db->order('dm', 'DESC');
@ -133,7 +133,7 @@ class AdherentStats extends Stats
$sql = "SELECT date_format(p.dateadh,'%m') as dm, sum(p.".$this->field.")";
$sql .= " FROM ".$this->from;
//if (!$user->rights->societe->client->voir && !$user->socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
$sql .= " WHERE date_format(p.dateadh,'%Y') = '".$year."'";
$sql .= " WHERE date_format(p.dateadh,'%Y') = ".((int) $year);
$sql .= " AND ".$this->where;
$sql .= " GROUP BY dm";
$sql .= $this->db->order('dm', 'DESC');
@ -154,7 +154,7 @@ class AdherentStats extends Stats
$sql = "SELECT date_format(p.dateadh,'%m') as dm, avg(p.".$this->field.")";
$sql .= " FROM ".$this->from;
//if (!$user->rights->societe->client->voir && !$this->socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
$sql .= " WHERE date_format(p.dateadh,'%Y') = '".$year."'";
$sql .= " WHERE date_format(p.dateadh,'%Y') = ".((int) $year);
$sql .= " AND ".$this->where;
$sql .= " GROUP BY dm";
$sql .= $this->db->order('dm', 'DESC');
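Review bot: Replacing the quoted `'".$year."'` with the bare `((int) $year)` turns the comparison into a string-versus-integer one on the SQL side, because `date_format(p.dateadh,'%Y')` yields text; MySQL coerces this silently, but if the PostgreSQL driver rewrites date_format to a text-returning expression the comparison may be rejected as a type mismatch. Keeping both the cast and the quotes, `" WHERE date_format(p.dateadh,'%Y') = '".((int) $year)."'"`, preserves the injection fix without relying on implicit coercion. The same line is changed in the hunks at @ -133 and @ -154 of this file, and the enclosing methods start and end outside the hunks.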


@ -281,7 +281,7 @@ if ($search_ref) {
if ($search_civility) $sql .= natural_search("d.civility", $search_civility);
if ($search_firstname) $sql .= natural_search("d.firstname", $search_firstname);
if ($search_lastname) $sql .= natural_search(array("d.firstname", "d.lastname", "d.societe"), $search_lastname);
if ($search_gender != '' && $search_gender != '-1') $sql .= " AND d.gender = '".$search_gender."'";
if ($search_gender != '' && $search_gender != '-1') $sql .= natural_search("d.gender", $search_gender);
if ($search_login) $sql .= natural_search("d.login", $search_login);
if ($search_company) $sql .= natural_search("s.nom", $search_company);
if ($search_email) $sql .= natural_search("d.email", $search_email);
@ -502,16 +502,16 @@ if (!empty($arrayfields['t.libelle']['checked'])) {
if (!empty($arrayfields['d.address']['checked'])) {
print '<td class="liste_titre left">';
print '<input class="flat maxwidth75imp" type="text" name="search_address" value="'.$search_address.'"></td>';
print '<input class="flat maxwidth75imp" type="text" name="search_address" value="'.dol_escape_htmltag($search_address).'"></td>';
}
if (!empty($arrayfields['d.zip']['checked'])) {
print '<td class="liste_titre left">';
print '<input class="flat maxwidth50imp" type="text" name="search_zip" value="'.$search_zip.'"></td>';
print '<input class="flat maxwidth50imp" type="text" name="search_zip" value="'.dol_escape_htmltag($search_zip).'"></td>';
}
if (!empty($arrayfields['d.town']['checked'])) {
print '<td class="liste_titre left">';
print '<input class="flat maxwidth75imp" type="text" name="search_town" value="'.$search_town.'"></td>';
print '<input class="flat maxwidth75imp" type="text" name="search_town" value="'.dol_escape_htmltag($search_town).'"></td>';
}
// State
if (!empty($arrayfields['state.nom']['checked'])) {
@ -528,22 +528,22 @@ if (!empty($arrayfields['country.code_iso']['checked'])) {
// Phone pro
if (!empty($arrayfields['d.phone']['checked'])) {
print '<td class="liste_titre left">';
print '<input class="flat maxwidth75imp" type="text" name="search_phone" value="'.$search_phone.'"></td>';
print '<input class="flat maxwidth75imp" type="text" name="search_phone" value="'.dol_escape_htmltag($search_phone).'"></td>';
}
// Phone perso
if (!empty($arrayfields['d.phone_perso']['checked'])) {
print '<td class="liste_titre left">';
print '<input class="flat maxwidth50" type="text" name="search_phone_perso" value="'.$search_phone_perso.'"></td>';
print '<input class="flat maxwidth50" type="text" name="search_phone_perso" value="'.dol_escape_htmltag($search_phone_perso).'"></td>';
}
// Phone mobile
if (!empty($arrayfields['d.phone_mobile']['checked'])) {
print '<td class="liste_titre left">';
print '<input class="flat maxwidth75imp" type="text" name="search_phone_mobile" value="'.$search_phone_mobile.'"></td>';
print '<input class="flat maxwidth75imp" type="text" name="search_phone_mobile" value="'.dol_escape_htmltag($search_phone_mobile).'"></td>';
}
// Email
if (!empty($arrayfields['d.email']['checked'])) {
print '<td class="liste_titre left">';
print '<input class="flat maxwidth75imp" type="text" name="search_email" value="'.$search_email.'"></td>';
print '<input class="flat maxwidth75imp" type="text" name="search_email" value="'.dol_escape_htmltag($search_email).'"></td>';
}
if (!empty($arrayfields['d.datefin']['checked'])) {
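Review bot: Switching the gender filter to `natural_search("d.gender", $search_gender)` changes the query from an exact equality to natural_search's default LIKE-style matching, so a value such as `man` would presumably also match rows whose gender is `woman`. If exact matching is intended, `" AND d.gender = '".$db->escape($search_gender)."'"` fixes the escape without widening the filter, or natural_search could be used in an exact-match mode if the helper offers one. The value is compared against `'-1'` just before, which suggests it comes from a select list rather than free text, so the exact form is likely the expected one. The enclosing statement run continues outside the hunk.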


@ -154,8 +154,8 @@ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."bank as b ON c.fk_bank=b.rowid";
$sql .= " WHERE d.entity IN (".getEntity('adherent').")";
if (isset($date_select) && $date_select != '')
{
$sql .= " AND c.dateadh >= '".$date_select."-01-01 00:00:00'";
$sql .= " AND c.dateadh < '".($date_select + 1)."-01-01 00:00:00'";
$sql .= " AND c.dateadh >= '".((int) $date_select)."-01-01 00:00:00'";
$sql .= " AND c.dateadh < '".((int) $date_select + 1)."-01-01 00:00:00'";
}
if ($search_ref) {
if (is_numeric($search_ref)) $sql .= " AND (c.rowid = ".$db->escape($search_ref).")";
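Review bot: The `c.rowid = ".$db->escape($search_ref)` line kept as context directly below the rewritten date clause places an unquoted value into a numeric comparison guarded only by `is_numeric()`, which also accepts forms such as `1e3` or leading whitespace; `$db->escape()` is designed for quoted string literals and does not constrain the token here. Applying the same treatment the hunk gives `$date_select`, `" AND (c.rowid = ".((int) $search_ref).")"`, would make the two adjacent lines consistent. The enclosing block starts before this hunk.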


@ -152,10 +152,10 @@ if ($action == 'create' && $_POST["accountid"] > 0 && $user->rights->banque->che
}
}
if ($action == 'remove' && $id > 0 && $_GET["lineid"] > 0 && $user->rights->banque->cheque)
if ($action == 'remove' && $id > 0 && GETPOST("lineid", 'int') > 0 && $user->rights->banque->cheque)
{
$object->id = $id;
$result = $object->removeCheck($_GET["lineid"]);
$result = $object->removeCheck(GETPOST("lineid", "int"));
if ($result === 0)
{
header("Location: ".$_SERVER["PHP_SELF"]."?id=".$object->id);
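Review bot: The remove branch now reads `lineid` through `GETPOST("lineid", 'int')`, but the hunk header shows the sibling create branch still testing the raw superglobal with `$_POST["accountid"] > 0`; the same `GETPOST('accountid', 'int') > 0` treatment would make both entry checks consistent. The `Location:` redirect that follows builds on `$object->id`, which is assigned from the already checked `$id` and so needs no further change. The create branch itself lies outside this hunk.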


@ -358,7 +358,7 @@ class RemiseCheque extends CommonObject
if ($this->errno == 0 && $numref)
{
$sql = "UPDATE ".MAIN_DB_PREFIX."bordereau_cheque";
$sql .= " SET statut = 1, ref = '".$numref."'";
$sql .= " SET statut = 1, ref = '".$this->db->escape($numref)."'";
$sql .= " WHERE rowid = ".$this->id;
$sql .= " AND entity = ".$conf->entity;
$sql .= " AND statut = 0";
@ -662,6 +662,7 @@ class RemiseCheque extends CommonObject
global $conf;
$this->errno = 0;
$this->db->begin();
$total = 0;
$nb = 0;
@ -681,8 +682,8 @@ class RemiseCheque extends CommonObject
$this->db->free($resql);
$sql = "UPDATE ".MAIN_DB_PREFIX."bordereau_cheque";
$sql .= " SET amount = '".price2num($total)."'";
$sql .= ", nbcheque = ".$nb;
$sql .= " SET amount = ".price2num($total);
$sql .= ", nbcheque = ".((int) $nb);
$sql .= " WHERE rowid = ".$this->id;
$sql .= " AND entity = ".$conf->entity;
@ -722,8 +723,8 @@ class RemiseCheque extends CommonObject
{
$sql = "UPDATE ".MAIN_DB_PREFIX."bank";
$sql .= " SET fk_bordereau = 0";
$sql .= " WHERE rowid = '".$account_id."'";
$sql .= " AND fk_bordereau = ".$this->id;
$sql .= " WHERE rowid = ".((int) $account_id);
$sql .= " AND fk_bordereau = ".((int) $this->id);
$resql = $this->db->query($sql);
if ($resql)
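Review bot: `$sql .= " WHERE rowid = ".$this->id;` in the first hunk (@ -358) and in the amount-update hunk (@ -681) still concatenates `$this->id` bare, while the last hunk (@ -722) casts the same property with `((int) $this->id)`; applying `" WHERE rowid = ".((int) $this->id)` in the two earlier spots would make the class consistent with itself. In the amount update, `SET amount = ".price2num($total)` now emits the value unquoted, so if price2num ever returned an empty string the statement would read `SET amount = , nbcheque` and fail, where the former quoted form yielded `''`; worth confirming what price2num returns for the zero and empty cases, noting the newly added `$total = 0;` initialisation. The enclosing methods start outside the hunks.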