Fix escaping

This commit is contained in:
Laurent Destailleur 2020-09-20 03:32:43 +02:00
parent 0e4d3c19dd
commit e5cca13ea0
25 changed files with 79 additions and 79 deletions


@ -1825,7 +1825,7 @@ class AccountLine extends CommonObject
$sql .= " AND ba.entity IN (".getEntity('bank_account').")";
if ($num) $sql .= " AND b.num_chq='".$this->db->escape($num)."'";
elseif ($ref) $sql .= " AND b.rowid='".$this->db->escape($ref)."'";
else $sql .= " AND b.rowid=".$rowid;
else $sql .= " AND b.rowid = ".((int) $rowid);
dol_syslog(get_class($this)."::fetch", LOG_DEBUG);
$result = $this->db->query($sql);
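Review bot: The `$ref` branch still compares the integer column `b.rowid` with a quoted, escaped string while the `$rowid` branch on the next line now casts to int; if `$ref` is meant to be a numeric rowid, as the column suggests, `elseif ($ref) $sql .= " AND b.rowid = ".((int) $ref);` makes the two branches consistent and stops relying on the database's implicit string-to-int conversion. The `$num` branch targets a real string column (`b.num_chq`), so its escape is the right treatment. The enclosing fetch() method begins and ends outside the hunk.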


@ -206,7 +206,7 @@ if ($action == 'confirm_valide' && $confirm == 'yes' && $user->rights->banque->c
if ($action == 'confirm_reject_check' && $confirm == 'yes' && $user->rights->banque->cheque)
{
$reject_date = dol_mktime(0, 0, 0, GETPOST('rejectdate_month'), GETPOST('rejectdate_day'), GETPOST('rejectdate_year'));
$rejected_check = GETPOST('bankid');
$rejected_check = GETPOST('bankid', 'int');
$object->fetch($id);
$paiement_id = $object->rejectCheck($rejected_check, $reject_date);
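Review bot: The three `GETPOST('rejectdate_*')` reads on the first line of the hunk still have no `'int'` filter, while the same hunk adds it to `bankid`; for consistency pass `GETPOST('rejectdate_month', 'int')`, `GETPOST('rejectdate_day', 'int')` and `GETPOST('rejectdate_year', 'int')` so dol_mktime() only ever receives integers. `$id` passed to `$object->fetch($id)` is read outside the hunk, so its filtering cannot be checked here.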


@ -145,7 +145,7 @@ $sql .= " AND p.entity = ".$conf->entity;
$sql .= " AND tt.fk_task = t.rowid";
$sql .= " AND tt.fk_user = ".$user->id;
$sql .= " AND task_date BETWEEN '".$db->idate(dol_mktime(0, 0, 0, $month, $day, $year))."' AND '".$db->idate(dol_mktime(23, 59, 59, $month, $day, $year))."'";
$sql .= " AND p.rowid in (".$projectsListId.")";
$sql .= " AND p.rowid in (".$db->sanitize($projectsListId).")";
$sql .= " GROUP BY p.rowid, p.ref, p.title, p.public";
$resql = $db->query($sql);
@ -200,7 +200,7 @@ $sql .= " AND p.entity = ".$conf->entity;
$sql .= " AND tt.fk_task = t.rowid";
$sql .= " AND tt.fk_user = ".$user->id;
$sql .= " AND task_date BETWEEN '".$db->idate(dol_time_plus_duree(dol_mktime(0, 0, 0, $month, $day, $year), -1, 'd'))."' AND '".$db->idate(dol_time_plus_duree(dol_mktime(23, 59, 59, $month, $day, $year), -1, 'd'))."'";
$sql .= " AND p.rowid in (".$projectsListId.")";
$sql .= " AND p.rowid in (".$db->sanitize($projectsListId).")";
$sql .= " GROUP BY p.rowid, p.ref, p.title, p.public";
$resql = $db->query($sql);
@ -258,7 +258,7 @@ if ($db->type != 'pgsql')
$sql.= " AND tt.fk_task = t.rowid";
$sql.= " AND tt.fk_user = ".$user->id;
$sql.= " AND task_date >= '".$db->idate(dol_get_first_day($year, $month)).'" AND ...";
$sql.= " AND p.rowid in (".$projectsListId.")";
$sql.= " AND p.rowid in (".$db->sanitize($projectsListId).")";
$sql.= " GROUP BY p.rowid, p.ref, p.title";
$resql = $db->query($sql);
@ -315,7 +315,7 @@ if (!empty($conf->global->PROJECT_TASK_TIME_MONTH))
$sql .= " AND tt.fk_task = t.rowid";
$sql .= " AND tt.fk_user = ".$user->id;
$sql .= " AND task_date BETWEEN '".$db->idate(dol_get_first_day($year, $month))."' AND '".$db->idate(dol_get_last_day($year, $month))."'";
$sql .= " AND p.rowid in (".$projectsListId.")";
$sql .= " AND p.rowid in (".$db->sanitize($projectsListId).")";
$sql .= " GROUP BY p.rowid, p.ref, p.title, p.public";
$resql = $db->query($sql);
@ -364,7 +364,7 @@ if (!empty($conf->global->PROJECT_TASK_TIME_YEAR))
$sql .= " AND tt.fk_task = t.rowid";
$sql .= " AND tt.fk_user = ".$user->id;
$sql .= " AND YEAR(task_date) = '".strftime("%Y", $now)."'";
$sql .= " AND p.rowid in (".$projectsListId.")";
$sql .= " AND p.rowid in (".$db->sanitize($projectsListId).")";
$sql .= " GROUP BY p.rowid, p.ref, p.title, p.public";
$resql = $db->query($sql);
@ -400,7 +400,7 @@ if (empty($conf->global->PROJECT_HIDE_TASKS) && !empty($conf->global->PROJECT_SH
// Get id of types of contacts for projects (This list never contains a lot of elements)
$listofprojectcontacttype = array();
$sql = "SELECT ctc.rowid, ctc.code FROM ".MAIN_DB_PREFIX."c_type_contact as ctc";
$sql .= " WHERE ctc.element = '".$projectstatic->element."'";
$sql .= " WHERE ctc.element = '".$db->escape($projectstatic->element)."'";
$sql .= " AND ctc.source = 'internal'";
$resql = $db->query($sql);
if ($resql)
@ -414,7 +414,7 @@ if (empty($conf->global->PROJECT_HIDE_TASKS) && !empty($conf->global->PROJECT_SH
// Get id of types of contacts for tasks (This list never contains a lot of elements)
$listoftaskcontacttype = array();
$sql = "SELECT ctc.rowid, ctc.code FROM ".MAIN_DB_PREFIX."c_type_contact as ctc";
$sql .= " WHERE ctc.element = '".$taskstatic->element."'";
$sql .= " WHERE ctc.element = '".$db->escape($taskstatic->element)."'";
$sql .= " AND ctc.source = 'internal'";
$resql = $db->query($sql);
if ($resql)
@ -445,7 +445,7 @@ if (empty($conf->global->PROJECT_HIDE_TASKS) && !empty($conf->global->PROJECT_SH
$sql .= ", ".MAIN_DB_PREFIX."element_contact as ect";
}
$sql .= " WHERE p.entity IN (".getEntity('project').")";
if ($mine || empty($user->rights->projet->all->lire)) $sql .= " AND p.rowid IN (".$projectsListId.")"; // project i have permission on
if ($mine || empty($user->rights->projet->all->lire)) $sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")"; // project i have permission on
if ($mine) // this may duplicate record if we are contact twice
{
$sql .= " AND ect.fk_c_type_contact IN (".join(',', array_keys($listoftaskcontacttype)).") AND ect.element_id = t.rowid AND ect.fk_socpeople = ".$user->id;
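Review bot: `$user->id` is concatenated unquoted and uncast into every query of this file (`" AND tt.fk_user = ".$user->id` in the first five hunks, `ect.fk_socpeople = ".$user->id` on the last line), while this commit casts `$user->id` with `(int)` in societe.class.php and supplier_proposal.class.php; `" AND tt.fk_user = ".((int) $user->id)` would make the treatment uniform. The value comes from the session object rather than the request, so as far as these lines show this is a consistency point rather than an injection path. The `join(',', array_keys($listoftaskcontacttype))` list on the last line is built from rowids read from the database a few lines earlier in the same file; passing it through `$db->sanitize()` like `$projectsListId` applies the same defensive rule to every IN-list.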


@ -508,7 +508,7 @@ $def = array();
$sql = "SELECT nom";
$sql .= " FROM ".MAIN_DB_PREFIX."document_model";
$sql .= " WHERE type = '".$type."'";
$sql .= " WHERE type = '".$db->escape($type)."'";
$sql .= " AND entity = ".$conf->entity;
$resql = $db->query($sql);
@ -657,7 +657,7 @@ if (empty($conf->global->PROJECT_HIDE_TASKS))
$sql = "SELECT nom";
$sql .= " FROM ".MAIN_DB_PREFIX."document_model";
$sql .= " WHERE type = '".$type."'";
$sql .= " WHERE type = '".$db->escape($type)."'";
$sql .= " AND entity = ".$conf->entity;
$resql = $db->query($sql);


@ -282,7 +282,7 @@ if (!$user->rights->projet->all->lire) $projectsListId = $object->getProjectsAut
// Get id of types of contacts for projects (This list never contains a lot of elements)
$listofprojectcontacttype = array();
$sql = "SELECT ctc.rowid, ctc.code FROM ".MAIN_DB_PREFIX."c_type_contact as ctc";
$sql .= " WHERE ctc.element = '".$object->element."'";
$sql .= " WHERE ctc.element = '".$db->escape($object->element)."'";
$sql .= " AND ctc.source = 'internal'";
$resql = $db->query($sql);
if ($resql)


@ -239,7 +239,7 @@ if (!$user->rights->projet->all->lire) $projectsListId = $projectstatic->getProj
// Get id of types of contacts for projects (This list never contains a lot of elements)
$listofprojectcontacttype = array();
$sql = "SELECT ctc.rowid, ctc.code FROM ".MAIN_DB_PREFIX."c_type_contact as ctc";
$sql .= " WHERE ctc.element = '".$projectstatic->element."'";
$sql .= " WHERE ctc.element = '".$db->escape($projectstatic->element)."'";
$sql .= " AND ctc.source = 'internal'";
$resql = $db->query($sql);
if ($resql)
@ -253,7 +253,7 @@ if (count($listofprojectcontacttype) == 0) $listofprojectcontacttype[0] = '0'; /
// Get id of types of contacts for tasks (This list never contains a lot of elements)
$listoftaskcontacttype = array();
$sql = "SELECT ctc.rowid, ctc.code FROM ".MAIN_DB_PREFIX."c_type_contact as ctc";
$sql .= " WHERE ctc.element = '".$object->element."'";
$sql .= " WHERE ctc.element = '".$db->escape($object->element)."'";
$sql .= " AND ctc.source = 'internal'";
$resql = $db->query($sql);
if ($resql)


@ -1012,21 +1012,20 @@ class Reception extends CommonObject
public function fetch_lines()
{
// phpcs:enable
global $db;
dol_include_once('/fourn/class/fournisseur.commande.dispatch.class.php');
$sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.'commande_fournisseur_dispatch WHERE fk_reception='.$this->id;
$resql = $db->query($sql);
$resql = $this->db->query($sql);
if (!empty($resql)) {
$this->lines = array();
while ($obj = $resql->fetch_object()) {
$line = new CommandeFournisseurDispatch($db);
$line = new CommandeFournisseurDispatch($this->db);
$line->fetch($obj->rowid);
$line->fetch_product();
$sql_commfourndet = 'SELECT qty, ref, label, tva_tx, vat_src_code, subprice, multicurrency_subprice, remise_percent FROM llx_commande_fournisseurdet WHERE rowid='.$line->fk_commandefourndet;
$resql_commfourndet = $db->query($sql_commfourndet);
if (!empty($resql_commfourndet)) {
$obj = $db->fetch_object($resql_commfourndet);
$obj = $this->db->fetch_object($resql_commfourndet);
$line->qty_asked = $obj->qty;
$line->description = $line->comment;
$line->desc = $line->comment;
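Review bot: `$resql_commfourndet = $db->query($sql_commfourndet);` still goes through the global `$db` while the surrounding calls were switched to `$this->db`; the hunk's line counts show one net deletion, and if that deletion is the `global $db;` line, `$db` is undefined at that point and the call fails. Change it to `$resql_commfourndet = $this->db->query($sql_commfourndet);` so the method uses a single handle, which is also what the new coding test entry for reception.class.php appears to expect. Two further points on unchanged lines: `WHERE fk_reception='.$this->id` and `WHERE rowid='.$line->fk_commandefourndet` concatenate ids without the `(int)` cast used elsewhere in this commit, and the second query hard-codes the `llx_` prefix instead of `MAIN_DB_PREFIX`. fetch_lines() continues past the hunk.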


@ -372,7 +372,7 @@ foreach ($myTmpObjects as $myTmpObjectKey => $myTmpObjectArray) {
$def = array();
$sql = "SELECT nom";
$sql .= " FROM ".MAIN_DB_PREFIX."document_model";
$sql .= " WHERE type = '".$type."'";
$sql .= " WHERE type = '".$db->escape($type)."'";
$sql .= " AND entity = ".$conf->entity;
$resql = $db->query($sql);
if ($resql)


@ -372,7 +372,7 @@ foreach ($myTmpObjects as $myTmpObjectKey => $myTmpObjectArray) {
$def = array();
$sql = "SELECT nom";
$sql .= " FROM ".MAIN_DB_PREFIX."document_model";
$sql .= " WHERE type = '".$type."'";
$sql .= " WHERE type = '".$db->escape($type)."'";
$sql .= " AND entity = ".$conf->entity;
$resql = $db->query($sql);
if ($resql)


@ -119,7 +119,7 @@ class SalariesStats extends Stats
{
$sql = "SELECT date_format(datep,'%m') as dm, sum(".$this->field.")";
$sql .= " FROM ".$this->from;
$sql .= " WHERE date_format(datep,'%Y') = '".$year."'";
$sql .= " WHERE date_format(datep,'%Y') = '".$this->db->escape($year)."'";
$sql .= " AND ".$this->where;
$sql .= " GROUP BY dm";
$sql .= $this->db->order('dm', 'DESC');
@ -140,7 +140,7 @@ class SalariesStats extends Stats
{
$sql = "SELECT date_format(datep,'%m') as dm, avg(".$this->field.")";
$sql .= " FROM ".$this->from;
$sql .= " WHERE date_format(datep,'%Y') = '".$year."'";
$sql .= " WHERE date_format(datep,'%Y') = '".$this->db->escape($year)."'";
$sql .= " AND ".$this->where;
$sql .= " GROUP BY dm";
$sql .= $this->db->order('dm', 'DESC');
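Review bot: `$year` is escaped as a string in both hunks although it is compared with the output of `date_format(...,'%Y')` and the rest of this commit casts numeric inputs; if `$year` is always a number, `" WHERE date_format(datep,'%Y') = '".((int) $year)."'"` rejects anything else instead of merely quoting it. The same pattern appears in the two TicketStats hunks (`date_format(datec,'%Y')`) and would benefit from the same cast. `$this->field`, `$this->from` and `$this->where` are concatenated raw; they look like class-internal SQL fragments rather than request input, but their origin is not visible here.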


@ -119,7 +119,7 @@ if ($action == 'set')
$type = 'company';
$sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)";
$sql .= " VALUES ('".$db->escape($value)."','".$type."',".$conf->entity.", ";
$sql .= " VALUES ('".$db->escape($value)."','".$db->escape($type)."',".$conf->entity.", ";
$sql .= ($label ? "'".$db->escape($label)."'" : 'null').", ";
$sql .= (!empty($scandir) ? "'".$db->escape($scandir)."'" : "null");
$sql .= ")";
@ -133,7 +133,7 @@ if ($action == 'del')
{
$type = 'company';
$sql = "DELETE FROM ".MAIN_DB_PREFIX."document_model";
$sql .= " WHERE nom='".$db->escape($value)."' AND type='".$type."' AND entity=".$conf->entity;
$sql .= " WHERE nom='".$db->escape($value)."' AND type='".$db->escape($type)."' AND entity=".$conf->entity;
$resql = $db->query($sql);
if (!$resql) dol_print_error($db);
}
@ -152,13 +152,13 @@ if ($action == 'setdoc')
$type = 'company';
$sql_del = "DELETE FROM ".MAIN_DB_PREFIX."document_model";
$sql_del .= " WHERE nom = '".$db->escape(GETPOST('value', 'alpha'))."'";
$sql_del .= " AND type = '".$type."'";
$sql_del .= " AND type = '".$db->escape($type)."'";
$sql_del .= " AND entity = ".$conf->entity;
dol_syslog("societe.php ".$sql);
$result1 = $db->query($sql_del);
$sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)";
$sql .= " VALUES ('".$db->escape($value)."', '".$type."', ".$conf->entity.", ";
$sql .= " VALUES ('".$db->escape($value)."', '".$db->escape($type)."', ".$conf->entity.", ";
$sql .= ($label ? "'".$db->escape($label)."'" : 'null').", ";
$sql .= (!empty($scandir) ? "'".$db->escape($scandir)."'" : "null");
$sql .= ")";


@ -1588,7 +1588,7 @@ class Thirdparties extends DolibarrApi
// We found an existing SocieteAccount entity, we are replacing it
} else {
if (isset($request_data['site']) && $request_data['site'] !== $site) {
$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = ".$id." AND site = '".$request_data['site']."' ";
$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = ".$id." AND site = '".$this->db->escape($request_data['site'])."' ";
$result = $this->db->query($sql);
if ($result->num_rows !== 0) {
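Review bot: `fk_soc = ".$id."` on the rewritten line is still concatenated without a cast while `site` is now escaped; `$id` appears to be the thirdparty id this API method receives, so `" WHERE fk_soc = ".((int) $id)." AND site = '"` closes the remaining gap in the same statement. `$result->num_rows` on the next line reads a property of the driver result directly rather than going through `$this->db->num_rows($result)` as the other rewritten code in this commit does; whether that property exists on every supported driver is not visible here. The enclosing method starts and ends outside the hunk.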


@ -820,12 +820,11 @@ class Societe extends CommonObject
{
$this->entity = ((isset($this->entity) && is_numeric($this->entity)) ? $this->entity : $conf->entity);
$sql = "INSERT INTO ".MAIN_DB_PREFIX."societe (nom, name_alias, entity, datec, fk_user_creat, canvas, status, ref_int, ref_ext, fk_stcomm, fk_incoterms, location_incoterms ,import_key, fk_multicurrency, multicurrency_code)";
$sql = "INSERT INTO ".MAIN_DB_PREFIX."societe (nom, name_alias, entity, datec, fk_user_creat, canvas, status, ref_ext, fk_stcomm, fk_incoterms, location_incoterms ,import_key, fk_multicurrency, multicurrency_code)";
$sql .= " VALUES ('".$this->db->escape($this->name)."', '".$this->db->escape($this->name_alias)."', ".$this->db->escape($this->entity).", '".$this->db->idate($now)."'";
$sql .= ", ".(!empty($user->id) ? "'".$user->id."'" : "null");
$sql .= ", ".(!empty($user->id) ? ((int) $user->id) : "null");
$sql .= ", ".(!empty($this->canvas) ? "'".$this->db->escape($this->canvas)."'" : "null");
$sql .= ", ".$this->status;
$sql .= ", ".(!empty($this->ref_int) ? "'".$this->db->escape($this->ref_int)."'" : "null");
$sql .= ", ".(!empty($this->ref_ext) ? "'".$this->db->escape($this->ref_ext)."'" : "null");
$sql .= ", 0";
$sql .= ", ".(int) $this->fk_incoterms;
@ -2742,7 +2741,7 @@ class Societe extends CommonObject
$sql = "SELECT rowid, email, phone_mobile, lastname, firstname";
$sql .= " FROM ".MAIN_DB_PREFIX."socpeople";
$sql .= " WHERE rowid = '".$rowid."'";
$sql .= " WHERE rowid = ".((int) $rowid);
$resql = $this->db->query($sql);
if ($resql)
@ -3186,7 +3185,7 @@ class Societe extends CommonObject
}
//Verify duplicate entries
$sql = "SELECT COUNT(*) as idprof FROM ".MAIN_DB_PREFIX."societe WHERE ".$field." = '".$value."' AND entity IN (".getEntity('societe').")";
$sql = "SELECT COUNT(*) as idprof FROM ".MAIN_DB_PREFIX."societe WHERE ".$field." = '".$this->db->escape($value)."' AND entity IN (".getEntity('societe').")";
if ($socid) $sql .= " AND rowid <> ".$socid;
$resql = $this->db->query($sql);
if ($resql)
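Review bot: In the third hunk `$field` is still interpolated as a raw column name (`WHERE ".$field." = '...'`), which the new `escape()` on `$value` cannot protect; an identifier needs a whitelist check (for example `in_array($field, $allowedfields, true)`) before the query is built, unless the caller already guarantees it, and any such check is outside the hunk. `AND rowid <> ".$socid` on the line after the rewritten one is also uncast, so `((int) $socid)` would match the `rowid` cast the commit makes in the second hunk. In the first hunk `$this->db->escape($this->entity)` is emitted unquoted into a numeric column; after the `is_numeric` guard two lines earlier, `((int) $this->entity)` says what is meant. Societe::create() and the verify method both extend beyond their hunks.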


@ -551,10 +551,10 @@ if (empty($reshook))
$db->begin();
if (empty($newcu)) {
$sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_account WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$site_account."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity;
$sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_account WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity;
} else {
$sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX."societe_account";
$sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$site_account."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified !
$sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified !
}
$resql = $db->query($sql);
@ -577,8 +577,8 @@ if (empty($reshook))
}
} else {
$sql = 'UPDATE '.MAIN_DB_PREFIX."societe_account";
$sql .= " SET key_account = '".$db->escape(GETPOST('key_account', 'alpha'))."', site_account = '".$site_account."'";
$sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$site_account."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified !
$sql .= " SET key_account = '".$db->escape(GETPOST('key_account', 'alpha'))."', site_account = '".$db->escape($site_account)."'";
$sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified !
$resql = $db->query($sql);
}
}
@ -602,9 +602,9 @@ if (empty($reshook))
$db->begin();
if (empty($newsup)) {
$sql = "DELETE FROM ".MAIN_DB_PREFIX."oauth_token WHERE fk_soc = ".$object->id." AND service = '".$service."' AND entity = ".$conf->entity;
$sql = "DELETE FROM ".MAIN_DB_PREFIX."oauth_token WHERE fk_soc = ".$object->id." AND service = '".$db->escape($service)."' AND entity = ".$conf->entity;
// TODO Add site and site_account on oauth_token table
//$sql = "DELETE FROM ".MAIN_DB_PREFIX."oauth_token WHERE site = 'stripe' AND (site_account IS NULL or site_account = '".$site_account."') AND fk_soc = ".$object->id." AND service = '".$service."' AND entity = ".$conf->entity;
//$sql = "DELETE FROM ".MAIN_DB_PREFIX."oauth_token WHERE site = 'stripe' AND (site_account IS NULL or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND service = '".$db->escape($service)."' AND entity = ".$conf->entity;
} else {
try {
$stripesup = \Stripe\Account::retrieve($db->escape(GETPOST('key_account_supplier', 'alpha')));
@ -612,9 +612,9 @@ if (empty($reshook))
$tokenstring['type'] = $stripesup->type;
$sql = "UPDATE ".MAIN_DB_PREFIX."oauth_token";
$sql .= " SET tokenstring = '".dol_json_encode($tokenstring)."'";
$sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '".$site_account."') AND fk_soc = ".$object->id." AND service = '".$service."' AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified !
$sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND service = '".$db->escape($service)."' AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified !
// TODO Add site and site_account on oauth_token table
$sql .= " WHERE fk_soc = ".$object->id." AND service = '".$service."' AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified !
$sql .= " WHERE fk_soc = ".$object->id." AND service = '".$db->escape($service)."' AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified !
} catch (Exception $e) {
$error++;
setEventMessages($e->getMessage(), null, 'errors');
@ -630,7 +630,7 @@ if (empty($reshook))
$tokenstring['stripe_user_id'] = $stripesup->id;
$tokenstring['type'] = $stripesup->type;
$sql = "INSERT INTO ".MAIN_DB_PREFIX."oauth_token (service, fk_soc, entity, tokenstring)";
$sql .= " VALUES ('".$service."', ".$object->id.", ".$conf->entity.", '".dol_json_encode($tokenstring)."')";
$sql .= " VALUES ('".$db->escape($service)."', ".$object->id.", ".$conf->entity.", '".dol_json_encode($tokenstring)."')";
// TODO Add site and site_account on oauth_token table
} catch (Exception $e) {
$error++;
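Review bot: `'".dol_json_encode($tokenstring)."'` in the UPDATE and INSERT hunks is still written into the SQL string without `$db->escape()`, although `$tokenstring` is built from fields of a Stripe API response (`$stripesup->id`, `$stripesup->type`); JSON encoding does not escape single quotes, so `"'".$db->escape(dol_json_encode($tokenstring))."'"` is the consistent treatment. In the UPDATE hunk two `WHERE` clauses are appended in sequence (`" WHERE site = 'stripe' ..."` followed by `" WHERE fk_soc = ..."`); if the first one is not commented out in the file, the statement is invalid SQL and one of them has to go. `$object->id` and `$servicestatus` remain concatenated uncast in every hunk here; they are not request values as far as these lines show.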


@ -105,9 +105,9 @@ if (empty($reshook))
// Get record from code
$sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$mysoc->country_code."'";
$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
$sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
$sql .= " AND t.code ='".$vatratecode."'";
$sql .= " AND t.code ='".$db->escape($vatratecode)."'";
$resql = $db->query($sql);
if ($resql)
{


@ -98,7 +98,7 @@ class ActionsStripeconnect
$this->resprints .= '</td></tr></table>';
$this->resprints .= '</td>';
$this->resprints .= '<td colspan="3">';
$stripe = new Stripe($db);
$stripe = new Stripe($this->db);
if ($stripe->getStripeAccount($service) && $object->client != 0) {
$customer = $stripe->customerStripe($object, $stripe->getStripeAccount($service));
$this->resprints .= $customer->id;
@ -114,7 +114,7 @@ class ActionsStripeconnect
$this->resprints .= '</td></tr></table>';
$this->resprints .= '</td>';
$this->resprints .= '<td colspan="3">';
$stripe = new Stripe($db);
$stripe = new Stripe($this->db);
if ($stripe->getStripeAccount($service) && $object->fk_soc > 0) {
$object->fetch_thirdparty();
$customer = $stripe->customerStripe($object->thirdparty, $stripe->getStripeAccount($service));
@ -131,7 +131,7 @@ class ActionsStripeconnect
$this->resprints .= '</td></tr></table>';
$this->resprints .= '</td>';
$this->resprints .= '<td colspan="3">';
$stripe = new Stripe($db);
$stripe = new Stripe($this->db);
if (7 == 4) {
$object->fetch_thirdparty();
$customer = $stripe->customerStripe($object, $stripe->getStripeAccount($service));
@ -149,7 +149,7 @@ class ActionsStripeconnect
$this->resprints .= '</td></tr></table>';
$this->resprints .= '</td>';
$this->resprints .= '<td colspan="3">';
$stripe = new Stripe($db);
$stripe = new Stripe($this->db);
if (7 == 4) {
$object->fetch_thirdparty();
$customer = $stripe->customerStripe($object, $stripe->getStripeAccount($service));
@ -179,25 +179,25 @@ class ActionsStripeconnect
$sql .= ' FROM '.MAIN_DB_PREFIX.'paiement_facture as pf';
$sql .= ' WHERE pf.fk_facture = '.$object->id;
$result = $db->query($sql);
$result = $this->db->query($sql);
if ($result) {
$i = 0;
$num = $db->num_rows($result);
$num = $this->db->num_rows($result);
while ($i < $num) {
$objp = $db->fetch_object($result);
$objp = $this->db->fetch_object($result);
$totalpaye += $objp->amount;
$i++;
}
} else {
dol_print_error($db, '');
dol_print_error($this->db, '');
}
$resteapayer = $object->total_ttc - $totalpaye;
// Request a direct debit order
if ($object->statut > Facture::STATUS_DRAFT && $object->statut < Facture::STATUS_ABANDONED && $object->paye == 0)
{
$stripe = new Stripe($db);
$stripe = new Stripe($this->db);
if ($resteapayer > 0)
{
if ($stripe->getStripeAccount($conf->entity)) // a modifier avec droit stripe
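Review bot: `if (7 == 4) {` guards two of the rewritten `$stripe = new Stripe($this->db);` blocks, so those blocks are unreachable; either delete the dead branches or replace the constant with the named condition that was meant (the `$object->client != 0` / `fk_soc > 0` tests used by the first two hooks, or a feature flag). `WHERE pf.fk_facture = '.$object->id` in the last hunk is concatenated without the `(int)` cast used elsewhere in this commit. `getStripeAccount($conf->entity)` on the last line passes an entity where every other call in this file passes `$service`; that may be intended, but it deserves a comment. The hook methods start and end outside their hunks.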


@ -92,7 +92,7 @@ class Stripe extends CommonObject
$sql = "SELECT tokenstring";
$sql .= " FROM ".MAIN_DB_PREFIX."oauth_token";
$sql .= " WHERE entity = ".$conf->entity;
$sql .= " AND service = '".$mode."'";
$sql .= " AND service = '".$this->db->escape($mode)."'";
if ($fk_soc > 0) {
$sql .= " AND fk_soc = ".$fk_soc;
} else {
@ -356,9 +356,9 @@ class Stripe extends CommonObject
$sql = "SELECT pi.ext_payment_id, pi.entity, pi.fk_facture, pi.sourcetype, pi.ext_payment_site";
$sql .= " FROM ".MAIN_DB_PREFIX."prelevement_facture_demande as pi";
$sql .= " WHERE pi.fk_facture = ".$object->id;
$sql .= " AND pi.sourcetype = '".$object->element."'";
$sql .= " AND pi.sourcetype = '".$this->db->escape($object->element)."'";
$sql .= " AND pi.entity IN (".getEntity('societe').")";
$sql .= " AND pi.ext_payment_site = '".$service."'";
$sql .= " AND pi.ext_payment_site = '".$this->db->escape($service)."'";
dol_syslog(get_class($this)."::getPaymentIntent search stripe payment intent for object id = ".$object->id, LOG_DEBUG);
$resql = $this->db->query($sql);
@ -465,7 +465,7 @@ class Stripe extends CommonObject
$sql = "SELECT pi.rowid";
$sql .= " FROM ".MAIN_DB_PREFIX."prelevement_facture_demande as pi";
$sql .= " WHERE pi.entity IN (".getEntity('societe').")";
$sql .= " AND pi.ext_payment_site = '".$service."'";
$sql .= " AND pi.ext_payment_site = '".$this->db->escape($service)."'";
$sql .= " AND pi.ext_payment_id = '".$this->db->escape($paymentintent->id)."'";
dol_syslog(get_class($this)."::getPaymentIntent search if payment intent already in prelevement_facture_demande", LOG_DEBUG);
@ -484,7 +484,7 @@ class Stripe extends CommonObject
{
$now = dol_now();
$sql = "INSERT INTO ".MAIN_DB_PREFIX."prelevement_facture_demande (date_demande, fk_user_demande, ext_payment_id, fk_facture, sourcetype, entity, ext_payment_site, amount)";
$sql .= " VALUES ('".$this->db->idate($now)."', ".$user->id.", '".$this->db->escape($paymentintent->id)."', ".$object->id.", '".$this->db->escape($object->element)."', ".$conf->entity.", '".$service."', ".$amount.")";
$sql .= " VALUES ('".$this->db->idate($now)."', ".$user->id.", '".$this->db->escape($paymentintent->id)."', ".$object->id.", '".$this->db->escape($object->element)."', ".$conf->entity.", '".$this->db->escape($service)."', ".$amount.")";
$resql = $this->db->query($sql);
if (!$resql)
{
@ -617,7 +617,7 @@ class Stripe extends CommonObject
$sql = "SELECT pi.rowid";
$sql.= " FROM " . MAIN_DB_PREFIX . "prelevement_facture_demande as pi";
$sql.= " WHERE pi.entity IN (".getEntity('societe').")";
$sql.= " AND pi.ext_payment_site = '" . $service . "'";
$sql.= " AND pi.ext_payment_site = '" . $this->db->escape($service) . "'";
$sql.= " AND pi.ext_payment_id = '".$this->db->escape($setupintent->id)."'";
dol_syslog(get_class($this) . "::getPaymentIntent search if payment intent already in prelevement_facture_demande", LOG_DEBUG);
@ -637,7 +637,7 @@ class Stripe extends CommonObject
{
$now=dol_now();
$sql = "INSERT INTO " . MAIN_DB_PREFIX . "prelevement_facture_demande (date_demande, fk_user_demande, ext_payment_id, fk_facture, sourcetype, entity, ext_payment_site)";
$sql .= " VALUES ('".$this->db->idate($now)."', ".$user->id.", '".$this->db->escape($setupintent->id)."', ".$object->id.", '".$this->db->escape($object->element)."', " . $conf->entity . ", '" . $service . "', ".$amount.")";
$sql .= " VALUES ('".$this->db->idate($now)."', ".$user->id.", '".$this->db->escape($setupintent->id)."', ".$object->id.", '".$this->db->escape($object->element)."', " . $conf->entity . ", '" . $this->db->escape($service) . "', ".$amount.")";
$resql = $this->db->query($sql);
if (! $resql)
{
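Review bot: The rewritten INSERT in the last hunk lists seven columns (`date_demande, fk_user_demande, ext_payment_id, fk_facture, sourcetype, entity, ext_payment_site`) but its VALUES clause supplies eight values, ending with `".$amount.")"`; the database will reject the statement. Compare the earlier INSERT in this file, whose column list ends with `, amount)`; either add `amount` to this column list or drop the trailing value. `$amount` and `$user->id` are concatenated uncast in both INSERTs; a `(float)` / `(int)` cast would match the treatment this commit applies to other numeric values. The method around the second INSERT extends beyond the hunk.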


@ -918,7 +918,7 @@ class SupplierProposal extends CommonObject
$sql .= ", 0";
$sql .= ", '".$this->db->idate($now)."'";
$sql .= ", '(PROV)'";
$sql .= ", ".($user->id > 0 ? "'".$user->id."'" : "null");
$sql .= ", ".($user->id > 0 ? ((int) $user->id) : "null");
$sql .= ", '".$this->db->escape($this->note_private)."'";
$sql .= ", '".$this->db->escape($this->note_public)."'";
$sql .= ", '".$this->db->escape($this->model_pdf)."'";


@ -314,7 +314,7 @@ if ($search_multicurrency_montant_vat != '') $sql .= natural_search('sp.multicur
if ($search_multicurrency_montant_ttc != '') $sql .= natural_search('sp.multicurrency_total_ttc', $search_multicurrency_montant_ttc, 1);
if ($sall) $sql .= natural_search(array_keys($fieldstosearchall), $sall);
if ($socid) $sql .= ' AND s.rowid = '.$socid;
if ($search_status >= 0 && $search_status != '') $sql .= ' AND sp.fk_statut IN ('.$this->db->sanitize($db->escape($search_status)).')';
if ($search_status >= 0 && $search_status != '') $sql .= ' AND sp.fk_statut IN ('.$db->sanitize($db->escape($search_status)).')';
$sql .= dolSqlDateFilter("sp.date_livraison", $day, $month, $year);
$sql .= dolSqlDateFilter("sp.date_valid", $dayvalid, $monthvalid, $yearvalid);
if ($search_sale > 0) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$search_sale;
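Review bot: `$db->sanitize($db->escape($search_status))` applies both an escape and a sanitize to the same value; `sanitize()` is what this commit uses for IN-lists elsewhere (`$db->sanitize($projectsListId)`), and `escape()` adds nothing for a list that should contain only integers, so `' AND sp.fk_statut IN ('.$db->sanitize($search_status).')'` is the clearer form. The same double call is kept in the ticket stats hunk (`fk_statut IN ('.$db->sanitize($db->escape($object_status)).')`). `' AND s.rowid = '.$socid` and `sc.fk_user = ".$search_sale` on the neighbouring lines appear to be search parameters and remain uncast; `((int) $socid)` and `((int) $search_sale)` would match the rest of the commit.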


@ -169,11 +169,11 @@ if ($action == 'valid' && $user->rights->facture->creer)
if ($invoice->total_ttc < 0) {
$invoice->type = $invoice::TYPE_CREDIT_NOTE;
$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."facture WHERE ";
$sql .= "fk_soc = '".$invoice->socid."' ";
$sql .= "AND type <> ".Facture::TYPE_CREDIT_NOTE." ";
$sql .= "AND fk_statut >= ".$invoice::STATUS_VALIDATED." ";
$sql .= "ORDER BY rowid DESC";
$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."facture WHERE";
$sql .= " fk_soc = ".((int) $invoice->socid);
$sql .= " AND type <> ".Facture::TYPE_CREDIT_NOTE;
$sql .= " AND fk_statut >= ".$invoice::STATUS_VALIDATED;
$sql .= " ORDER BY rowid DESC";
$resql = $db->query($sql);
if ($resql) {
$obj = $db->fetch_object($resql);
@ -394,7 +394,7 @@ if ($action == "deleteline") {
$invoice->deleteline($idline);
$invoice->fetch($placeid);
} elseif ($placeid > 0) { // If invoice exists but no line selected, proceed to delete last line.
$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."facturedet where fk_facture='".$placeid."' order by rowid DESC";
$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."facturedet where fk_facture = ".((int) $placeid)." ORDER BY rowid DESC";
$resql = $db->query($sql);
$row = $db->fetch_array($resql);
$deletelineid = $row[0];
@ -427,7 +427,7 @@ if ($action == "delete") {
$sql = "DELETE FROM ".MAIN_DB_PREFIX."facturedet where fk_facture = ".$placeid;
$resql2 = $db->query($sql);
$sql = "UPDATE ".MAIN_DB_PREFIX."facture set fk_soc=".$conf->global->{'CASHDESK_ID_THIRDPARTY'.$_SESSION["takeposterminal"]};
$sql .= " WHERE ref='(PROV-POS".$_SESSION["takeposterminal"]."-".$place.")'";
$sql .= " WHERE ref='(PROV-POS".$db->escape($_SESSION["takeposterminal"])."-".$db->escape($place).")'";
$resql3 = $db->query($sql);
$invoice->update_price(1);
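Review bot: `WHERE fk_facture = ".$placeid` in the `delete` hunk is left uncast while the `deleteline` hunk just above changes the same comparison to `((int) $placeid)`; use `" WHERE fk_facture = ".((int) $placeid)` there too. The `fk_soc=` value on the next line is read from a configuration key built with `$_SESSION["takeposterminal"]` and concatenated as-is; `((int) $conf->global->{...})` would keep it numeric regardless of what the setting holds. The `ref='(PROV-POS...)'` line now escapes both the session value and `$place`, which is the right treatment for a quoted string.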


@ -664,7 +664,7 @@ class Ticket extends CommonObject
if (!empty($filter)) {
foreach ($filter as $key => $value) {
if (strpos($key, 'date')) { // To allow $filter['YEAR(s.dated)']=>$year
$sql .= ' AND '.$key.' = \''.$value.'\'';
$sql .= ' AND '.$key." = '".$this->db->scape($value)."'";
} elseif (($key == 't.fk_user_assign') || ($key == 't.type_code') || ($key == 't.category_code') || ($key == 't.severity_code') || ($key == 't.fk_soc')) {
$sql .= " AND ".$key." = '".$this->db->escape($value)."'";
} elseif ($key == 't.fk_statut') {
@ -2242,7 +2242,7 @@ class Ticket extends CommonObject
$sql .= " AND tc.active=1";
if ($status >= 0) {
$sql .= " AND ec.statut = '".$status."'";
$sql .= " AND ec.statut = ".((int) $status);
}
$sql .= " ORDER BY t.lastname ASC";


@ -118,7 +118,7 @@ class TicketStats extends Stats
{
$sql = "SELECT date_format(datec,'%m') as dm, sum(".$this->field.")";
$sql .= " FROM ".$this->from;
$sql .= " WHERE date_format(datec,'%Y') = '".$year."'";
$sql .= " WHERE date_format(datec,'%Y') = '".$this->db->escape($year)."'";
$sql .= " AND ".$this->where;
$sql .= " GROUP BY dm";
$sql .= $this->db->order('dm', 'DESC');
@ -138,7 +138,7 @@ class TicketStats extends Stats
{
$sql = "SELECT date_format(datec,'%m') as dm, avg(".$this->field.")";
$sql .= " FROM ".$this->from;
$sql .= " WHERE date_format(datec,'%Y') = '".$year."'";
$sql .= " WHERE date_format(datec,'%Y') = '".$this->db->escape($year)."'";
$sql .= " AND ".$this->where;
$sql .= " GROUP BY dm";
$sql .= $this->db->order('dm', 'DESC');


@ -142,11 +142,11 @@ if (!$user->rights->societe->client->voir && !$socid) {
// External users restriction
if ($user->socid > 0) {
$sql .= " AND t.fk_soc='".$user->socid."'";
$sql .= " AND t.fk_soc= ".((int) $user->socid);
} else {
// For internals users,
if (!empty($conf->global->TICKET_LIMIT_VIEW_ASSIGNED_ONLY) && !$user->rights->ticket->manage) {
$sql .= " AND t.fk_user_assign=".$user->id;
$sql .= " AND t.fk_user_assign = ".$user->id;
}
}
$sql .= " GROUP BY t.fk_statut";
@ -305,7 +305,7 @@ if (!$user->rights->societe->client->voir && !$socid) {
}
if ($user->socid > 0) {
$sql .= " AND t.fk_soc='".$user->socid."'";
$sql .= " AND t.fk_soc= ".((int) $user->socid);
} else {
// Restricted to assigned user only
if ($conf->global->TICKET_LIMIT_VIEW_ASSIGNED_ONLY && !$user->rights->ticket->manage) {
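Review bot: The two rewritten lines read `" AND t.fk_soc= ".((int) $user->socid)` with no space before `=`, while the hunk's other rewritten line normalises to `" AND t.fk_user_assign = ".$user->id`; write `" AND t.fk_soc = ".((int) $user->socid)` in both hunks for the same spacing. `$user->id` on that line stays uncast; `((int) $user->id)` would match the cast just applied to `$user->socid`. The enclosing condition blocks continue outside the hunks.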


@ -70,7 +70,7 @@ print load_fiche_titre($title, '', 'ticket');
dol_mkdir($dir);
$stats = new TicketStats($db, $socid, ($userid > 0 ? $userid : 0));
if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')';
if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND fk_statut IN ('.$db->sanitize($db->escape($object_status)).')';
// Build graphic number of object


@ -152,7 +152,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
$db=$this->savdb;
include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT.'/product', 'files', 1, '\.php', null, 'fullname');
$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT.'/ticket', 'files', 1, '\.php', null, 'fullname');
//$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname');
foreach ($filesarray as $key => $file)
@ -188,7 +188,9 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
'expensereport_ik.class.php',
'expensereport_rule.class.php',
'multicurrency.class.php',
'productbatch.class.php'
'productbatch.class.php',
'reception.class.php',
'societe.class.php'
))) {
// Must must not found $db->
$ok=true;
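Review bot: The first hunk switches the scanned directory from `/product` to `/ticket`, so the test checks one module per run and the files added to the exclusion list in the second hunk (`reception.class.php`, `societe.class.php`, presumably located outside `/ticket`) are only reached when the path is edited again; the commented-out `DOL_DOCUMENT_ROOT` scan suggests the whole tree is the intended target. A data provider over the module directories, or a loop over an array of them, would let the check cover every module without touching the path. The second hunk's closing `'societe.class.php'` has no trailing comma, so the next addition is again a two-line diff. The test method continues outside both hunks.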