Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Fix escape sql params.

Browse Source
This commit is contained in:
Laurent Destailleur
2021-10-25 18:48:44 +02:00
parent dc1226b116
commit 20c874d441
5 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/don/card.php
View File

@@ -787,7 +787,7 @@ if (!empty($id) && $action != 'edit') {
$sql .= " FROM ".MAIN_DB_PREFIX."payment_donation as p";
$sql .= ", ".MAIN_DB_PREFIX."c_paiement as c ";
$sql .= ", ".MAIN_DB_PREFIX."don as d";
$sql .= " WHERE d.rowid = '".$id."'";
$sql .= " WHERE d.rowid = ".((int) $id);
$sql .= " AND p.fk_donation = d.rowid";
$sql .= " AND d.entity IN (".getEntity('donation').")";
$sql .= " AND p.fk_typepayment = c.id";

2
htdocs/expensereport/card.php
View File

@@ -1924,7 +1924,7 @@ if ($action == 'create') {
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_paiement as c ON p.fk_typepayment = c.id";
$sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'bank as b ON p.fk_bank = b.rowid';
$sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'bank_account as ba ON b.fk_account = ba.rowid';
$sql .= " WHERE e.rowid = '".$id."'";
$sql .= " WHERE e.rowid = ".((int) $id);
$sql .= " AND p.fk_expensereport = e.rowid";
$sql .= ' AND e.entity IN ('.getEntity('expensereport').')';
$sql .= " ORDER BY dp";

2
htdocs/product/ajax/products.php
View File

@@ -144,7 +144,7 @@ if (!empty($action) && $action == 'fetch' && !empty($id)) {
if (!$found && isset($price_level) && $price_level >= 1 && (!empty($conf->global->PRODUIT_MULTIPRICES) || !empty($conf->global->PRODUIT_CUSTOMER_PRICES_BY_QTY_MULTIPRICES))) { // If we need a particular price level (from 1 to 6)
$sql = "SELECT price, price_ttc, price_base_type, tva_tx";
$sql .= " FROM ".MAIN_DB_PREFIX."product_price ";
$sql .= " WHERE fk_product = '".$id."'";
$sql .= " WHERE fk_product = ".((int) $id);
$sql .= " AND entity IN (".getEntity('productprice').")";
$sql .= " AND price_level = ".((int) $price_level);
$sql .= " ORDER BY date_price";

4
test/phpunit/CodingPhpTest.php
View File

@@ -363,9 +363,9 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
// Check string sql|set|WHERE|...'".$yyy->xxx with xxx that is not 'escape', 'idate', .... It means we forget a db->escape when forging sql request.
$ok=true;
$matches=array();
preg_match_all('/(sql|SET|WHERE|INSERT|VALUES).+\s*\'"\s*\.\s*\$(........)/', $filecontent, $matches, PREG_SET_ORDER);
preg_match_all('/(sql|SET|WHERE|INSERT|VALUES).+\s*\'"\s*\.\s*\$(.......)/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
if (! in_array($val[2], array('this->db', 'this->es', 'db->esca', 'dbs->esc', 'mydb->es', 'dbsessio', 'db->idat', 'escapedl', 'excludeG', 'includeG'))) {
if (! in_array($val[2], array('this->d', 'this->e', 'db->esc', 'dbs->es', 'mydb->e', 'dbsessi', 'db->ida', 'escaped', 'exclude', 'include'))) {
$ok=false; // This will generate error
break;
}