diff --git a/htdocs/comm/propal/stats/index.php b/htdocs/comm/propal/stats/index.php
index add31f13f08..da3c24f6f01 100644
--- a/htdocs/comm/propal/stats/index.php
+++ b/htdocs/comm/propal/stats/index.php
@@ -37,11 +37,11 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formother.class.php';
$WIDTH = DolGraph::getDefaultGraphSizeForStats('width');
$HEIGHT = DolGraph::getDefaultGraphSizeForStats('height');
-$mode = GETPOST("mode") ?GETPOST("mode") : 'customer';
+$mode = GETPOSTISSET("mode") ? GETPOST("mode", 'aZ09') : 'customer';
if ($mode == 'customer' && !$user->rights->propale->lire) accessforbidden();
if ($mode == 'supplier' && !$user->rights->supplier_proposal->lire) accessforbidden();
-$object_status = GETPOST('object_status');
+$object_status = GETPOST('object_status', 'intcomma');
$typent_id = GETPOST('typent_id', 'int');
$categ_id = GETPOST('categ_id', 'categ_id');
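Review bot: With GETPOSTISSET on line 9, a request that sends `mode` empty, or with a value the 'aZ09' filter reduces to an empty string, no longer falls back to 'customer': $mode becomes '' and neither rights check on lines 10–11 fires, so the page continues without accessforbidden(). The old form had the same gap for any non-empty value other than the two expected ones, and that gap is not closed here either. A whitelist right after the assignment covers both cases: `if (!in_array($mode, array('customer', 'supplier'), true)) accessforbidden();`. The same GETPOSTISSET change appears in the commande/stats hunk (line 64) and the expensereport/stats hunk (line 125).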
@@ -55,7 +55,7 @@ if ($user->socid > 0)
}
$nowyear = strftime("%Y", dol_now());
-$year = GETPOST('year') > 0 ?GETPOST('year') : $nowyear;
+$year = GETPOST('year') > 0 ? GETPOST('year', 'int') : $nowyear;
//$startyear=$year-2;
$startyear = $year - 1;
$endyear = $year;
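Review bot: The condition on line 20 still reads the unfiltered `GETPOST('year')` while only the value branch uses the 'int' filter, so the decision and the value come from two different readings of the same parameter. Reading it once with the filter keeps the two consistent: `$year = GETPOST('year', 'int') > 0 ? GETPOST('year', 'int') : $nowyear;`. The same half-filtered form is in the facture/stats hunk (line 100) and the expensereport/stats hunk (line 133).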
diff --git a/htdocs/commande/card.php b/htdocs/commande/card.php
index 4175509eb28..8ba4620b108 100644
--- a/htdocs/commande/card.php
+++ b/htdocs/commande/card.php
@@ -460,26 +460,15 @@ if (empty($reshook))
if (!$error)
{
$object_id = $object->create($user);
-
- // If some invoice's lines already known
- $NBLINES = 8;
- for ($i = 1; $i <= $NBLINES; $i++) {
- if ($_POST['idprod'.$i]) {
- $xid = 'idprod'.$i;
- $xqty = 'qty'.$i;
- $xremise = 'remise_percent'.$i;
- $object->add_product($_POST[$xid], $_POST[$xqty], $_POST[$xremise]);
- }
- }
}
}
// Insert default contacts if defined
if ($object_id > 0)
{
- if (GETPOST('contactid'))
+ if (GETPOST('contactid', 'int'))
{
- $result = $object->add_contact(GETPOST('contactid'), 'CUSTOMER', 'external');
+ $result = $object->add_contact(GETPOST('contactid', 'int'), 'CUSTOMER', 'external');
if ($result < 0) {
setEventMessages($langs->trans("ErrorFailedToAddContact"), null, 'errors');
$error++;
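Review bot: After the removal, $object_id is assigned only inside `if (!$error)` on line 31 but read unconditionally on line 46; if it is not initialised earlier in the enclosing block (which starts outside this hunk), an earlier $error leaves the `$object_id > 0` test running on an undefined variable. Either confirm it is initialised above, or add `$object_id = 0;` before the `if (!$error)` on line 29. The surrounding `if (empty($reshook))` block continues outside the hunk.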
diff --git a/htdocs/commande/stats/index.php b/htdocs/commande/stats/index.php
index 4e7ed481882..d89559af113 100644
--- a/htdocs/commande/stats/index.php
+++ b/htdocs/commande/stats/index.php
@@ -38,11 +38,11 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/dolgraph.class.php';
$WIDTH = DolGraph::getDefaultGraphSizeForStats('width');
$HEIGHT = DolGraph::getDefaultGraphSizeForStats('height');
-$mode = GETPOST("mode") ?GETPOST("mode") : 'customer';
+$mode = GETPOSTISSET("mode") ? GETPOST("mode", 'aZ09') : 'customer';
if ($mode == 'customer' && !$user->rights->commande->lire) accessforbidden();
if ($mode == 'supplier' && !$user->rights->fournisseur->commande->lire) accessforbidden();
-$object_status = GETPOST('object_status');
+$object_status = GETPOST('object_status', 'intcomma');
$typent_id = GETPOST('typent_id', 'int');
$categ_id = GETPOST('categ_id', 'categ_id');
@@ -308,11 +308,11 @@ if ($mode == 'customer')
Commande::STATUS_CLOSED=>$langs->trans("StatusOrderDelivered"),
Commande::STATUS_CANCELED=>$langs->trans("StatusOrderCanceled")
);
- print $form->selectarray('object_status', $liststatus, GETPOST('object_status', 'int'), -4);
+ print $form->selectarray('object_status', $liststatus, GETPOST('object_status', 'intcomma'), -4);
}
if ($mode == 'supplier')
{
- $formorder->selectSupplierOrderStatus((strstr($object_status, ',') ?-1 : $object_status), 0, 'object_status');
+ $formorder->selectSupplierOrderStatus((strstr($object_status, ',') ? -1 : $object_status), 0, 'object_status');
}
print '';
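Review bot: Line 76 re-reads `GETPOST('object_status', 'intcomma')` even though $object_status already holds that filtered value (assigned on line 68 of this file), and the supplier branch on line 81 uses the variable; the two branches should agree on one source. Suggested: `print $form->selectarray('object_status', $liststatus, $object_status, -4);`.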
// Year
diff --git a/htdocs/compta/facture/stats/index.php b/htdocs/compta/facture/stats/index.php
index 284186b73ce..49f9be88ac6 100644
--- a/htdocs/compta/facture/stats/index.php
+++ b/htdocs/compta/facture/stats/index.php
@@ -44,7 +44,7 @@ $mode = GETPOST("mode") ?GETPOST("mode") : 'customer';
if ($mode == 'customer' && !$user->rights->facture->lire) accessforbidden();
if ($mode == 'supplier' && !$user->rights->fournisseur->facture->lire) accessforbidden();
-$object_status = GETPOST('object_status');
+$object_status = GETPOST('object_status', 'intcomma');
$typent_id = GETPOST('typent_id', 'int');
$categ_id = GETPOST('categ_id', 'categ_id');
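Review bot: The context line 89 shows `$mode = GETPOST("mode") ?GETPOST("mode") : 'customer';` left unchanged in this file, while the propal, commande and expensereport stats pages in this same commit move to `GETPOSTISSET("mode") ? GETPOST("mode", 'aZ09') : 'customer'`; the hunk filters $object_status but leaves $mode unfiltered here. Applying the same line keeps the four stats pages consistent, and in every case a value other than 'customer' or 'supplier' still bypasses both rights checks on lines 90–91, so a whitelist check on $mode is worth adding alongside it.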
@@ -59,7 +59,7 @@ if ($user->socid > 0)
}
$nowyear = strftime("%Y", dol_now());
-$year = GETPOST('year') > 0 ?GETPOST('year') : $nowyear;
+$year = GETPOST('year') > 0 ? GETPOST('year', 'int') : $nowyear;
if(!empty($conf->global->INVOICE_STATS_GRAPHS_SHOW_2_YEARS)) $startyear=$year-2;
else $startyear=$year-1;
$endyear = $year;
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 24ec5645ffd..02a78b87c92 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -4723,6 +4723,7 @@ function price2num($amount, $rounding = '', $option = 0)
// Convert value to universal number format (no thousand separator, '.' as decimal separator)
if ($option != 1) { // If not a PHP number or unknown, we change or clean format
//print 'PP'.$amount.' - '.$dec.' - '.$thousand.' - '.intval($amount).'
';
+ $amount = preg_replace('/[a-zA-Z\/\\\*\(\)\<\>\-]/', '', $amount);
if ($option == 2 && $thousand == '.' && preg_match('/\.(\d\d\d)$/', (string) $amount)) { // It means the . is used as a thousand separator and string come frominput data, so 1.123 is 1123
$amount = str_replace($thousand, '', $amount);
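Review bot: The character class added on line 113 contains `\-`, so the minus sign of a negative amount is stripped together with the letters and operator characters: '-10' reaches the separator handling below as '10', silently flipping the sign of any negative value that passes through price2num. If the intent is to neutralise formula-like or tagged input, remove the hyphen from the class, `$amount = preg_replace('/[a-zA-Z\/\\\*\(\)\<\>]/', '', $amount);`, and handle a minus that is not the leading character separately if that is also meant to be rejected. Line 114 casts `(string) $amount`, which suggests $amount may arrive as a non-string; preg_replace applied before that cast should be checked with the same inputs. price2num starts and ends outside this hunk.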
diff --git a/htdocs/expensereport/stats/index.php b/htdocs/expensereport/stats/index.php
index 3b931bd4418..5a781942095 100644
--- a/htdocs/expensereport/stats/index.php
+++ b/htdocs/expensereport/stats/index.php
@@ -34,8 +34,8 @@ $langs->loadLangs(array('trips', 'companies'));
$WIDTH = DolGraph::getDefaultGraphSizeForStats('width');
$HEIGHT = DolGraph::getDefaultGraphSizeForStats('height');
-$mode = GETPOST("mode") ?GETPOST("mode") : 'customer';
-$object_status = GETPOST('object_status');
+$mode = GETPOSTISSET("mode") ? GETPOST("mode", 'aZ09') : 'customer';
+$object_status = GETPOST('object_status', 'intcomma');
$userid = GETPOST('userid', 'int');
$socid = GETPOST('socid', 'int'); if ($socid < 0) $socid = 0;
@@ -51,7 +51,7 @@ if ($user->socid) $socid = $user->socid;
$result = restrictedArea($user, 'expensereport', $id, '');
$nowyear = strftime("%Y", dol_now());
-$year = GETPOST('year') > 0 ?GETPOST('year') : $nowyear;
+$year = GETPOST('year') > 0 ? GETPOST('year', 'int') : $nowyear;
//$startyear=$year-2;
$startyear = $year - 1;
$endyear = $year;
@@ -231,7 +231,7 @@ print '';
// Status
print '