diff --git a/htdocs/adherents/class/api_members.class.php b/htdocs/adherents/class/api_members.class.php index 990e21dd08b..230b839f726 100644 --- a/htdocs/adherents/class/api_members.class.php +++ b/htdocs/adherents/class/api_members.class.php @@ -227,7 +227,7 @@ class Members extends DolibarrApi } // Select members of given category if ($category > 0) { - $sql .= " AND c.fk_categorie = ".$db->escape($category); + $sql .= " AND c.fk_categorie = ".$this->db->escape($category); $sql .= " AND c.fk_member = t.rowid "; } // Add sql filters @@ -239,23 +239,23 @@ class Members extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { $page = 0; } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $member = new Adherent($this->db); if ($member->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($member); @@ -263,7 +263,7 @@ class Members extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve member list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve member list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No member found'); diff --git a/htdocs/adherents/class/api_memberstypes.class.php b/htdocs/adherents/class/api_memberstypes.class.php index a5923914187..682fb9d707c 100644 --- a/htdocs/adherents/class/api_memberstypes.class.php +++ b/htdocs/adherents/class/api_memberstypes.class.php @@ -109,23 +109,23 @@ class MembersTypes extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { $page = 0; } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $membertype = new AdherentType($this->db); if ($membertype->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($membertype); @@ -133,7 +133,7 @@ class MembersTypes extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve member type list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve member type list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No member type found'); diff --git a/htdocs/adherents/class/api_subscriptions.class.php b/htdocs/adherents/class/api_subscriptions.class.php index 502a855657c..d5adbb0bc5b 100644 --- a/htdocs/adherents/class/api_subscriptions.class.php +++ b/htdocs/adherents/class/api_subscriptions.class.php @@ -107,22 +107,22 @@ class Subscriptions extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { $page = 0; } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); while ($i < min($limit, $num)) { - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $subscription = new Subscription($this->db); if ($subscription->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($subscription); @@ -130,7 +130,7 @@ class Subscriptions extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve subscription list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve subscription list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No Subscription found'); diff --git a/htdocs/admin/menus/edit.php b/htdocs/admin/menus/edit.php index fbed05a1dbe..92373d7c01e 100644 --- a/htdocs/admin/menus/edit.php +++ b/htdocs/admin/menus/edit.php @@ -233,24 +233,25 @@ if ($action == 'add') // delete if ($action == 'confirm_delete' && $_POST["confirm"] == 'yes') { - $this->db->begin(); + $db->begin(); $sql = "DELETE FROM ".MAIN_DB_PREFIX."menu WHERE rowid = ".GETPOST('menuId', 'int'); $result = $db->query($sql); if ($result == 0) { - $this->db->commit(); + $db->commit(); llxHeader(); setEventMessages($langs->trans("MenuDeleted"), null, 'mesgs'); llxFooter(); exit; } else { - $this->db->rollback(); + $db->rollback(); $reload = 0; $_GET["action"] = ''; + $action = ''; } } diff --git a/htdocs/api/class/api_access.class.php b/htdocs/api/class/api_access.class.php index a6d0d72b8de..84f7bf303e7 100644 --- a/htdocs/api/class/api_access.class.php +++ b/htdocs/api/class/api_access.class.php @@ -59,6 +59,16 @@ class DolibarrApiAccess implements iAuthenticate */ public static $user = ''; + + /** + * Constructor + */ + public function __construct() + { + global $db; + $this->db = $db; + } + // phpcs:disable PEAR.NamingConventions.ValidFunctionName /** * Check access @@ -107,15 +117,15 @@ class DolibarrApiAccess implements iAuthenticate $sql = "SELECT u.login, u.datec, u.api_key, "; $sql .= " u.tms as date_modification, u.entity"; $sql .= " FROM ".MAIN_DB_PREFIX."user as u"; - $sql .= " WHERE u.api_key = '".$db->escape($api_key)."'"; + $sql .= " WHERE u.api_key = '".$this->db->escape($api_key)."'"; // TODO Check if 2 users has same API key. - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - if ($db->num_rows($result)) + if ($this->db->num_rows($result)) { - $obj = $db->fetch_object($result); + $obj = $this->db->fetch_object($result); $login = $obj->login; $stored_key = $obj->api_key; $userentity = $obj->entity; @@ -125,11 +135,11 @@ class DolibarrApiAccess implements iAuthenticate $conf->entity = ($obj->entity ? $obj->entity : 1); // We must also reload global conf to get params from the entity dol_syslog("Entity was not set on http header with HTTP_DOLAPIENTITY (recommanded for performance purpose), so we switch now on entity of user (".$conf->entity.") and we have to reload configuration.", LOG_WARNING); - $conf->setValues($db); + $conf->setValues($this->db); } } } else { - throw new RestException(503, 'Error when fetching user api_key :'.$db->error_msg); + throw new RestException(503, 'Error when fetching user api_key :'.$this->db->error_msg); } if ($stored_key != $api_key) { // This should not happen since we did a search on api_key @@ -141,7 +151,7 @@ class DolibarrApiAccess implements iAuthenticate { throw new RestException(503, 'Error when searching login user from api key'); } - $fuser = new User($db); + $fuser = new User($this->db); $result = $fuser->fetch('', $login, '', 0, (empty($userentity) ? -1 : $conf->entity)); // If user is not entity 0, we search in working entity $conf->entity (that may have been forced to a different value than user entity) if ($result <= 0) { throw new RestException(503, 'Error when fetching user :'.$fuser->error.' (conf->entity='.$conf->entity.')'); diff --git a/htdocs/bom/class/api_boms.class.php b/htdocs/bom/class/api_boms.class.php index a6295d12589..b9123b8c226 100644 --- a/htdocs/bom/class/api_boms.class.php +++ b/htdocs/bom/class/api_boms.class.php @@ -99,7 +99,7 @@ class Boms extends DolibarrApi global $db, $conf; $obj_ret = array(); - $tmpobject = new BOM($db); + $tmpobject = new BOM($this->db); $socid = DolibarrApiAccess::$user->socid ? DolibarrApiAccess::$user->socid : ''; @@ -139,7 +139,7 @@ class Boms extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -147,18 +147,18 @@ class Boms extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $i = 0; while ($i < $num) { - $obj = $db->fetch_object($result); - $bom_static = new BOM($db); + $obj = $this->db->fetch_object($result); + $bom_static = new BOM($this->db); if ($bom_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($bom_static); } diff --git a/htdocs/categories/class/api_categories.class.php b/htdocs/categories/class/api_categories.class.php index 4a84a25e5ca..5f0a28340f9 100644 --- a/htdocs/categories/class/api_categories.class.php +++ b/htdocs/categories/class/api_categories.class.php @@ -155,7 +155,7 @@ class Categories extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -163,19 +163,19 @@ class Categories extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); - $category_static = new Categorie($db); + $obj = $this->db->fetch_object($result); + $category_static = new Categorie($this->db); if ($category_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($category_static); } @@ -183,7 +183,7 @@ class Categories extends DolibarrApi } } else { - throw new RestException(503, 'Error when retrieve category list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve category list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No category found'); diff --git a/htdocs/comm/action/class/api_agendaevents.class.php b/htdocs/comm/action/class/api_agendaevents.class.php index 43d880b3866..473c87e22a0 100644 --- a/htdocs/comm/action/class/api_agendaevents.class.php +++ b/htdocs/comm/action/class/api_agendaevents.class.php @@ -148,7 +148,7 @@ class AgendaEvents extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -156,27 +156,27 @@ class AgendaEvents extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); - $actioncomm_static = new ActionComm($db); + $obj = $this->db->fetch_object($result); + $actioncomm_static = new ActionComm($this->db); if ($actioncomm_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($actioncomm_static); } $i++; } } else { - throw new RestException(503, 'Error when retrieve Agenda Event list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve Agenda Event list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No Agenda Event found'); diff --git a/htdocs/comm/propal/class/api_proposals.class.php b/htdocs/comm/propal/class/api_proposals.class.php index 8efc4aa5c19..0f157396f35 100644 --- a/htdocs/comm/propal/class/api_proposals.class.php +++ b/htdocs/comm/propal/class/api_proposals.class.php @@ -190,7 +190,7 @@ class Proposals extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -198,21 +198,21 @@ class Proposals extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } dol_syslog("API Rest request"); - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); $i = 0; while ($i < $min) { - $obj = $db->fetch_object($result); - $proposal_static = new Propal($db); + $obj = $this->db->fetch_object($result); + $proposal_static = new Propal($this->db); if ($proposal_static->fetch($obj->rowid)) { // Add external contacts ids $proposal_static->contacts_ids = $proposal_static->liste_contact(-1, 'external', 1); @@ -221,7 +221,7 @@ class Proposals extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve propal list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve propal list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No proposal found'); diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php index d4bf2e392f3..074d00443bd 100644 --- a/htdocs/comm/propal/list.php +++ b/htdocs/comm/propal/list.php @@ -361,7 +361,7 @@ if ($search_product_category > 0) $sql .= " AND cp.fk_categorie = ".$db->escape( if ($socid > 0) $sql .= ' AND s.rowid = '.$socid; if ($search_status != '' && $search_status != '-1') { - $sql .= ' AND p.fk_statut IN ('.$this->db->sanitize($db->escape($search_status)).')'; + $sql .= ' AND p.fk_statut IN ('.$db->sanitize($db->escape($search_status)).')'; } if ($search_date_start) $sql .= " AND p.datep >= '".$db->idate($search_date_start)."'"; if ($search_date_end) $sql .= " AND p.datep <= '".$db->idate($search_date_end)."'"; diff --git a/htdocs/comm/propal/stats/index.php b/htdocs/comm/propal/stats/index.php index 6cf14e92d50..49e1141fec1 100644 --- a/htdocs/comm/propal/stats/index.php +++ b/htdocs/comm/propal/stats/index.php @@ -101,7 +101,7 @@ dol_mkdir($dir); $stats = new PropaleStats($db, $socid, ($userid > 0 ? $userid : 0), $mode, ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0)); -if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND p.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')'; +if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND p.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; // Build graphic number of object $data = $stats->getNbByMonthWithPrevYear($endyear, $startyear); diff --git a/htdocs/commande/card.php b/htdocs/commande/card.php index d48e990e7e8..b447a00c404 100644 --- a/htdocs/commande/card.php +++ b/htdocs/commande/card.php @@ -417,7 +417,7 @@ if (empty($reshook)) $originidforcontact=$srcobject->origin_id; } $sqlcontact = "SELECT code, fk_socpeople FROM ".MAIN_DB_PREFIX."element_contact as ec, ".MAIN_DB_PREFIX."c_type_contact as ctc"; - $sqlcontact.= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$originforcontact."'"; + $sqlcontact.= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$db->escape($originforcontact)."'"; $resqlcontact = $db->query($sqlcontact); if ($resqlcontact) diff --git a/htdocs/commande/class/api_orders.class.php b/htdocs/commande/class/api_orders.class.php index f62c00ee81b..2202ad5b67e 100644 --- a/htdocs/commande/class/api_orders.class.php +++ b/htdocs/commande/class/api_orders.class.php @@ -193,7 +193,7 @@ class Orders extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -201,21 +201,21 @@ class Orders extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } dol_syslog("API Rest request"); - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); $i = 0; while ($i < $min) { - $obj = $db->fetch_object($result); - $commande_static = new Commande($db); + $obj = $this->db->fetch_object($result); + $commande_static = new Commande($this->db); if ($commande_static->fetch($obj->rowid)) { // Add external contacts ids $commande_static->contacts_ids = $commande_static->liste_contact(-1, 'external', 1); @@ -224,7 +224,7 @@ class Orders extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve commande list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve commande list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No order found'); diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php index 1bd919fd470..5c314226214 100644 --- a/htdocs/commande/class/commande.class.php +++ b/htdocs/commande/class/commande.class.php @@ -1122,7 +1122,7 @@ class Commande extends CommonOrder } $sqlcontact = "SELECT ctc.code, ctc.source, ec.fk_socpeople FROM ".MAIN_DB_PREFIX."element_contact as ec, ".MAIN_DB_PREFIX."c_type_contact as ctc"; - $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$originforcontact."'"; + $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$this->db->escape($originforcontact)."'"; $resqlcontact = $this->db->query($sqlcontact); if ($resqlcontact) diff --git a/htdocs/commande/orderstoinvoice.php b/htdocs/commande/orderstoinvoice.php index 7b8e31ce7a4..a4d4ed07dee 100644 --- a/htdocs/commande/orderstoinvoice.php +++ b/htdocs/commande/orderstoinvoice.php @@ -199,9 +199,9 @@ if (($action == 'create' || $action == 'add') && !$error) $sql .= ", targettype"; $sql .= ") VALUES ("; $sql .= $origin_id; - $sql .= ", '".$object->origin."'"; + $sql .= ", '".$db->escape($object->origin)."'"; $sql .= ", ".$id; - $sql .= ", '".$object->element."'"; + $sql .= ", '".$db->escape($object->element)."'"; $sql .= ")"; if ($db->query($sql)) diff --git a/htdocs/commande/stats/index.php b/htdocs/commande/stats/index.php index 8ef736ca333..346b5549bfd 100644 --- a/htdocs/commande/stats/index.php +++ b/htdocs/commande/stats/index.php @@ -94,11 +94,11 @@ dol_mkdir($dir); $stats = new CommandeStats($db, $socid, $mode, ($userid > 0 ? $userid : 0), ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0)); if ($mode == 'customer') { - if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND c.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')'; + if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND c.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; } if ($mode == 'supplier') { - if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND c.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')'; + if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND c.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; } diff --git a/htdocs/compta/bank/class/account.class.php b/htdocs/compta/bank/class/account.class.php index 4ce4ef3bb3b..675e462047f 100644 --- a/htdocs/compta/bank/class/account.class.php +++ b/htdocs/compta/bank/class/account.class.php @@ -390,11 +390,11 @@ class Account extends CommonObject $sql .= ", label"; $sql .= ", type"; $sql .= ") VALUES ("; - $sql .= "'".$line_id."'"; - $sql .= ", '".$url_id."'"; - $sql .= ", '".$url."'"; + $sql .= " ".((int) $line_id); + $sql .= ", '".$this->db->escape($url_id)."'"; + $sql .= ", '".$this->db->escape($url)."'"; $sql .= ", '".$this->db->escape($label)."'"; - $sql .= ", '".$type."'"; + $sql .= ", '".$this->db->escape($type)."'"; $sql .= ")"; dol_syslog(get_class($this)."::add_url_line", LOG_DEBUG); @@ -434,7 +434,7 @@ class Account extends CommonObject $sql .= " FROM ".MAIN_DB_PREFIX."bank_url"; if ($fk_bank > 0) { $sql .= " WHERE fk_bank = ".$fk_bank; - } else { $sql .= " WHERE url_id = ".$url_id." AND type = '".$type."'"; + } else { $sql .= " WHERE url_id = ".$url_id." AND type = '".$this->db->escape($type)."'"; } $sql .= " ORDER BY type, label"; @@ -1315,7 +1315,7 @@ class Account extends CommonObject * * @return int Nb of account we can reconciliate */ - public static function countAccountToReconcile() + public function countAccountToReconcile() { global $db, $conf, $user; @@ -1331,12 +1331,12 @@ class Account extends CommonObject $sql .= " WHERE ba.rappro > 0 and ba.clos = 0"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; if (empty($conf->global->BANK_CAN_RECONCILIATE_CASHACCOUNT)) $sql .= " AND ba.courant != 2"; - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - $obj = $db->fetch_object($resql); + $obj = $this->db->fetch_object($resql); $nb = $obj->nb; - } else dol_print_error($db); + } else dol_print_error($this->db); return $nb; } @@ -2421,7 +2421,7 @@ class AccountLine extends CommonObject $type = 'bank'; - $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$type."' AND ab.fk_doc = ".$this->id; + $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$this->db->escape($type)."' AND ab.fk_doc = ".$this->id; $resql = $this->db->query($sql); if ($resql) { diff --git a/htdocs/compta/bank/class/paymentvarious.class.php b/htdocs/compta/bank/class/paymentvarious.class.php index bfb522b6e3a..14466915d76 100644 --- a/htdocs/compta/bank/class/paymentvarious.class.php +++ b/htdocs/compta/bank/class/paymentvarious.class.php @@ -710,7 +710,7 @@ class PaymentVarious extends CommonObject $type = 'bank'; - $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$type."' AND ab.fk_doc = ".$banklineid; + $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$this->db->escape($type)."' AND ab.fk_doc = ".$banklineid; $resql = $this->db->query($sql); if ($resql) { diff --git a/htdocs/compta/bank/graph.php b/htdocs/compta/bank/graph.php index 296211bf35c..686122f4d56 100644 --- a/htdocs/compta/bank/graph.php +++ b/htdocs/compta/bank/graph.php @@ -130,8 +130,8 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev >= '".$year."-".$month."-01 00:00:00'"; - $sql .= " AND b.datev < '".$yearnext."-".$monthnext."-01 00:00:00'"; + $sql .= " AND b.datev >= '".$db->escape($year)."-".$db->escape($month)."-01 00:00:00'"; + $sql .= " AND b.datev < '".$db->escape($yearnext)."-".$db->escape($monthnext)."-01 00:00:00'"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $sql .= " GROUP BY date_format(b.datev,'%Y%m%d')"; @@ -159,7 +159,7 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev < '".$year."-".sprintf("%02s", $month)."-01'"; + $sql .= " AND b.datev < '".$db->escape($year)."-".sprintf("%02s", $month)."-01'"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $resql = $db->query($sql); @@ -267,8 +267,8 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev >= '".$year."-01-01 00:00:00'"; - $sql .= " AND b.datev <= '".$year."-12-31 23:59:59'"; + $sql .= " AND b.datev >= '".$db->escape($year)."-01-01 00:00:00'"; + $sql .= " AND b.datev <= '".$db->escape($year)."-12-31 23:59:59'"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $sql .= " GROUP BY date_format(b.datev,'%Y%m%d')"; @@ -296,7 +296,7 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev < '".$year."-01-01'"; + $sql .= " AND b.datev < '".$db->escape($year)."-01-01'"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $resql = $db->query($sql); @@ -519,8 +519,8 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev >= '".$year."-".$month."-01 00:00:00'"; - $sql .= " AND b.datev < '".$yearnext."-".$monthnext."-01 00:00:00'"; + $sql .= " AND b.datev >= '".$db->escape($year)."-".$db->escape($month)."-01 00:00:00'"; + $sql .= " AND b.datev < '".$db->escape($yearnext)."-".$db->escape($monthnext)."-01 00:00:00'"; $sql .= " AND b.amount > 0"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $sql .= " GROUP BY date_format(b.datev,'%d')"; @@ -555,8 +555,8 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev >= '".$year."-".$month."-01 00:00:00'"; - $sql .= " AND b.datev < '".$yearnext."-".$monthnext."-01 00:00:00'"; + $sql .= " AND b.datev >= '".$db->escape($year)."-".$db->escape($month)."-01 00:00:00'"; + $sql .= " AND b.datev < '".$db->escape($yearnext)."-".$db->escape($monthnext)."-01 00:00:00'"; $sql .= " AND b.amount < 0"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $sql .= " GROUP BY date_format(b.datev,'%d')"; @@ -632,8 +632,8 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev >= '".$year."-01-01 00:00:00'"; - $sql .= " AND b.datev <= '".$year."-12-31 23:59:59'"; + $sql .= " AND b.datev >= '".$db->escape($year)."-01-01 00:00:00'"; + $sql .= " AND b.datev <= '".$db->escape($year)."-12-31 23:59:59'"; $sql .= " AND b.amount > 0"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $sql .= " GROUP BY date_format(b.datev,'%m');"; @@ -659,8 +659,8 @@ if ($result < 0) $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba"; $sql .= " WHERE b.fk_account = ba.rowid"; $sql .= " AND ba.entity IN (".getEntity('bank_account').")"; - $sql .= " AND b.datev >= '".$year."-01-01 00:00:00'"; - $sql .= " AND b.datev <= '".$year."-12-31 23:59:59'"; + $sql .= " AND b.datev >= '".$db->escape($year)."-01-01 00:00:00'"; + $sql .= " AND b.datev <= '".$db->escape($year)."-12-31 23:59:59'"; $sql .= " AND b.amount < 0"; if ($account && $_GET["option"] != 'all') $sql .= " AND b.fk_account IN (".$account.")"; $sql .= " GROUP BY date_format(b.datev,'%m')"; diff --git a/htdocs/compta/bank/line.php b/htdocs/compta/bank/line.php index 0da5a557647..2677f8d8c3f 100644 --- a/htdocs/compta/bank/line.php +++ b/htdocs/compta/bank/line.php @@ -138,15 +138,15 @@ if ($user->rights->banque->modifier && $action == "update") $sql = "UPDATE ".MAIN_DB_PREFIX."bank"; $sql .= " SET "; // Always opened - if (isset($_POST['value'])) $sql .= " fk_type='".$db->escape($_POST['value'])."',"; - if (isset($_POST['num_chq'])) $sql .= " num_chq='".$db->escape($_POST["num_chq"])."',"; - if (isset($_POST['banque'])) $sql .= " banque='".$db->escape($_POST["banque"])."',"; - if (isset($_POST['emetteur'])) $sql .= " emetteur='".$db->escape($_POST["emetteur"])."',"; + if (isset($_POST['value'])) $sql .= " fk_type='".$db->escape(GETPOST('value'))."',"; + if (isset($_POST['num_chq'])) $sql .= " num_chq='".$db->escape(GETPOST("num_chq"))."',"; + if (isset($_POST['banque'])) $sql .= " banque='".$db->escape(GETPOST("banque"))."',"; + if (isset($_POST['emetteur'])) $sql .= " emetteur='".$db->escape(GETPOST("emetteur"))."',"; // Blocked when conciliated if (!$acline->rappro) { - if (isset($_POST['label'])) $sql .= " label='".$db->escape($_POST["label"])."',"; - if (isset($_POST['amount'])) $sql .= " amount='".$amount."',"; + if (isset($_POST['label'])) $sql .= " label = '".$db->escape(GETPOST("label"))."',"; + if (isset($_POST['amount'])) $sql .= " amount= '".$db->escape($amount)."',"; if (isset($_POST['dateomonth'])) $sql .= " dateo = '".$db->idate($dateop)."',"; if (isset($_POST['datevmonth'])) $sql .= " datev = '".$db->idate($dateval)."',"; } @@ -212,7 +212,7 @@ if ($user->rights->banque->consolidate && ($action == 'num_releve' || $action == $db->begin(); $sql = "UPDATE ".MAIN_DB_PREFIX."bank"; - $sql .= " SET num_releve=".($num_rel ? "'".$num_rel."'" : "null"); + $sql .= " SET num_releve=".($num_rel ? "'".$db->escape($num_rel)."'" : "null"); if (empty($num_rel)) $sql .= ", rappro = 0"; else $sql .= ", rappro = ".$rappro; $sql .= " WHERE rowid = ".$rowid; diff --git a/htdocs/compta/cashcontrol/report.php b/htdocs/compta/cashcontrol/report.php index f2d8e38fb15..02299788794 100644 --- a/htdocs/compta/cashcontrol/report.php +++ b/htdocs/compta/cashcontrol/report.php @@ -297,8 +297,8 @@ if ($resql) /* $sql = "UPDATE ".MAIN_DB_PREFIX."pos_cash_fence "; $sql .= "SET"; - $sql .= " cash='".$cash."'"; - $sql .= ", card='".$bank."'"; + $sql .= " cash='".$db->escape($cash)."'"; + $sql .= ", card='".$db->escape($bank)."'"; $sql .= " where rowid=".$id; $db->query($sql); */ diff --git a/htdocs/compta/clients.php b/htdocs/compta/clients.php index 5632e8ebc1a..1b4e86bbb4c 100644 --- a/htdocs/compta/clients.php +++ b/htdocs/compta/clients.php @@ -66,7 +66,7 @@ $thirdpartystatic = new Societe($db); if ($action == 'note') { - $sql = "UPDATE ".MAIN_DB_PREFIX."societe SET note='".$note."' WHERE rowid=".$socid; + $sql = "UPDATE ".MAIN_DB_PREFIX."societe SET note='".$db->escape($note)."' WHERE rowid=".$socid; $result = $db->query($sql); } diff --git a/htdocs/compta/deplacement/class/deplacementstats.class.php b/htdocs/compta/deplacement/class/deplacementstats.class.php index 6fdd54095a2..953ee78a3d6 100644 --- a/htdocs/compta/deplacement/class/deplacementstats.class.php +++ b/htdocs/compta/deplacement/class/deplacementstats.class.php @@ -122,7 +122,7 @@ class DeplacementStats extends Stats { $sql = "SELECT date_format(dated,'%m') as dm, sum(".$this->field.")"; $sql .= " FROM ".$this->from; - $sql .= " WHERE date_format(dated,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(dated,'%Y') = '".$this->db->escape($year)."'"; $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); @@ -142,7 +142,7 @@ class DeplacementStats extends Stats { $sql = "SELECT date_format(dated,'%m') as dm, avg(".$this->field.")"; $sql .= " FROM ".$this->from; - $sql .= " WHERE date_format(dated,'%Y') = '".$year."'"; + $sql .= " WHERE date_format(dated,'%Y') = '".$this->db->escape($year)."'"; $sql .= " AND ".$this->where; $sql .= " GROUP BY dm"; $sql .= $this->db->order('dm', 'DESC'); diff --git a/htdocs/compta/facture/card.php b/htdocs/compta/facture/card.php index b19ee852db6..87a3a3c8be2 100644 --- a/htdocs/compta/facture/card.php +++ b/htdocs/compta/facture/card.php @@ -1664,7 +1664,7 @@ if (empty($reshook)) $originidforcontact=$srcobject->origin_id; } $sqlcontact = "SELECT code, fk_socpeople FROM ".MAIN_DB_PREFIX."element_contact as ec, ".MAIN_DB_PREFIX."c_type_contact as ctc"; - $sqlcontact.= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$originforcontact."'"; + $sqlcontact.= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$db->escape($originforcontact)."'"; $resqlcontact = $db->query($sqlcontact); if ($resqlcontact) diff --git a/htdocs/compta/facture/class/api_invoices.class.php b/htdocs/compta/facture/class/api_invoices.class.php index 1828493d89f..cc1b7fe57ed 100644 --- a/htdocs/compta/facture/class/api_invoices.class.php +++ b/htdocs/compta/facture/class/api_invoices.class.php @@ -207,7 +207,7 @@ class Invoices extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) @@ -216,19 +216,19 @@ class Invoices extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { $i = 0; - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); while ($i < $min) { - $obj = $db->fetch_object($result); - $invoice_static = new Facture($db); + $obj = $this->db->fetch_object($result); + $invoice_static = new Facture($this->db); if ($invoice_static->fetch($obj->rowid)) { // Get payment details @@ -245,7 +245,7 @@ class Invoices extends DolibarrApi $i++; } } else { - throw new RestException(503, 'Error when retrieve invoice list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve invoice list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No invoice found'); diff --git a/htdocs/compta/facture/class/facture-rec.class.php b/htdocs/compta/facture/class/facture-rec.class.php index c5e93bc41ad..67dd4e304ea 100644 --- a/htdocs/compta/facture/class/facture-rec.class.php +++ b/htdocs/compta/facture/class/facture-rec.class.php @@ -277,8 +277,8 @@ class FactureRec extends CommonInvoice $sql .= ", ".(!empty($this->note_public) ? ("'".$this->db->escape($this->note_public)."'") : "NULL"); $sql .= ", ".(!empty($this->modelpdf) ? ("'".$this->db->escape($this->modelpdf)."'") : "NULL"); $sql .= ", '".$this->db->escape($user->id)."'"; - $sql .= ", ".(!empty($facsrc->fk_project) ? "'".$facsrc->fk_project."'" : "null"); - $sql .= ", ".(!empty($facsrc->fk_account) ? "'".$facsrc->fk_account."'" : "null"); + $sql .= ", ".(!empty($facsrc->fk_project) ? "'".$this->db->escape($facsrc->fk_project)."'" : "null"); + $sql .= ", ".(!empty($facsrc->fk_account) ? "'".$this->db->escape($facsrc->fk_account)."'" : "null"); $sql .= ", ".($facsrc->cond_reglement_id > 0 ? $this->db->escape($facsrc->cond_reglement_id) : "null"); $sql .= ", ".($facsrc->mode_reglement_id > 0 ? $this->db->escape($facsrc->mode_reglement_id) : "null"); $sql .= ", ".$this->usenewprice; @@ -921,7 +921,7 @@ class FactureRec extends CommonInvoice $sql .= ", fk_unit"; $sql .= ', fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc'; $sql .= ") VALUES ("; - $sql .= "'".$facid."'"; + $sql .= " ".((int) $facid); $sql .= ", ".(!empty($label) ? "'".$this->db->escape($label)."'" : "null"); $sql .= ", '".$this->db->escape($desc)."'"; $sql .= ", ".price2num($pu_ht); @@ -932,7 +932,7 @@ class FactureRec extends CommonInvoice $sql .= ", '".$this->db->escape($localtaxes_type[0])."'"; $sql .= ", ".price2num($txlocaltax2); $sql .= ", '".$this->db->escape($localtaxes_type[2])."'"; - $sql .= ", ".(!empty($fk_product) ? "'".$fk_product."'" : "null"); + $sql .= ", ".(!empty($fk_product) ? "'".$this->db->escape($fk_product)."'" : "null"); $sql .= ", ".$product_type; $sql .= ", ".price2num($remise_percent); $sql .= ", ".price2num($pu_ht); @@ -1083,7 +1083,7 @@ class FactureRec extends CommonInvoice } $sql = "UPDATE ".MAIN_DB_PREFIX."facturedet_rec SET "; - $sql .= "fk_facture = '".$facid."'"; + $sql .= "fk_facture = ".((int) $facid); $sql .= ", label=".(!empty($label) ? "'".$this->db->escape($label)."'" : "null"); $sql .= ", description='".$this->db->escape($desc)."'"; $sql .= ", price=".price2num($pu_ht); @@ -1094,7 +1094,7 @@ class FactureRec extends CommonInvoice $sql .= ", localtax1_type='".$this->db->escape($localtaxes_type[0])."'"; $sql .= ", localtax2_tx=".$txlocaltax2; $sql .= ", localtax2_type='".$this->db->escape($localtaxes_type[2])."'"; - $sql .= ", fk_product=".(!empty($fk_product) ? "'".$fk_product."'" : "null"); + $sql .= ", fk_product=".(!empty($fk_product) ? "'".$this->db->escape($fk_product)."'" : "null"); $sql .= ", product_type=".$product_type; $sql .= ", remise_percent='".price2num($remise_percent)."'"; $sql .= ", subprice='".price2num($pu_ht)."'"; @@ -1194,13 +1194,13 @@ class FactureRec extends CommonInvoice $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.'facture_rec'; $sql .= ' WHERE frequency > 0'; // A recurring invoice is an invoice with a frequency - $sql .= " AND (date_when IS NULL OR date_when <= '".$db->idate($today)."')"; + $sql .= " AND (date_when IS NULL OR date_when <= '".$this->db->idate($today)."')"; $sql .= ' AND (nb_gen_done < nb_gen_max OR nb_gen_max = 0)'; $sql .= ' AND suspended = 0'; $sql .= ' AND entity = '.$conf->entity; // MUST STAY = $conf->entity here if ($restrictioninvoiceid > 0) $sql .= ' AND rowid = '.$restrictioninvoiceid; - $sql .= $db->order('entity', 'ASC'); + $sql .= $this->db->order('entity', 'ASC'); //print $sql;exit; $parameters = array( 'restrictioninvoiceid' => $restrictioninvoiceid, @@ -1208,11 +1208,11 @@ class FactureRec extends CommonInvoice ); $reshook = $hookmanager->executeHooks('beforeCreationOfRecurringInvoices', $parameters, $sql); // note that $sql might be modified by hooks - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { $i = 0; - $num = $db->num_rows($resql); + $num = $this->db->num_rows($resql); if ($num) $this->output .= $langs->trans("FoundXQualifiedRecurringInvoiceTemplate", $num)."\n"; @@ -1222,14 +1222,14 @@ class FactureRec extends CommonInvoice while ($i < $num) // Loop on each template invoice. If $num = 0, test is false at first pass. { - $line = $db->fetch_object($resql); + $line = $this->db->fetch_object($resql); - $db->begin(); + $this->db->begin(); $invoiceidgenerated = 0; $facture = null; - $facturerec = new FactureRec($db); + $facturerec = new FactureRec($this->db); $facturerec->fetch($line->rowid); if ($facturerec->id > 0) @@ -1239,7 +1239,7 @@ class FactureRec extends CommonInvoice dol_syslog("createRecurringInvoices Process invoice template id=".$facturerec->id.", ref=".$facturerec->ref.", entity=".$facturerec->entity); - $facture = new Facture($db); + $facture = new Facture($this->db); $facture->fac_rec = $facturerec->id; // We will create $facture from this recurring invoice $facture->fk_fac_rec_source = $facturerec->id; // We will create $facture from this recurring invoice @@ -1286,12 +1286,12 @@ class FactureRec extends CommonInvoice if (!$error && $invoiceidgenerated >= 0) { - $db->commit("createRecurringInvoices Process invoice template id=".$facturerec->id.", ref=".$facturerec->ref); + $this->db->commit("createRecurringInvoices Process invoice template id=".$facturerec->id.", ref=".$facturerec->ref); dol_syslog("createRecurringInvoices Process invoice template ".$facturerec->ref." is finished with a success generation"); $nb_create++; $this->output .= $langs->trans("InvoiceGeneratedFromTemplate", $facture->ref, $facturerec->ref)."\n"; } else { - $db->rollback("createRecurringInvoices Process invoice template id=".$facturerec->id.", ref=".$facturerec->ref); + $this->db->rollback("createRecurringInvoices Process invoice template id=".$facturerec->id.", ref=".$facturerec->ref); } $parameters = array( @@ -1308,7 +1308,7 @@ class FactureRec extends CommonInvoice } $conf->entity = $saventity; // Restore entity context - } else dol_print_error($db); + } else dol_print_error($this->db); $this->output = trim($this->output); diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php index be0888e4c79..4110e5ad26d 100644 --- a/htdocs/compta/facture/class/facture.class.php +++ b/htdocs/compta/facture/class/facture.class.php @@ -612,7 +612,7 @@ class Facture extends CommonInvoice $sql .= ", ".setEntity($this); $sql .= ", ".($this->ref_ext ? "'".$this->db->escape($this->ref_ext)."'" : "null"); $sql .= ", '".$this->db->escape($this->type)."'"; - $sql .= ", '".$socid."'"; + $sql .= ", ".((int) $socid); $sql .= ", '".$this->db->idate($now)."'"; $sql .= ", ".($this->remise_absolue > 0 ? $this->remise_absolue : 'NULL'); $sql .= ", ".($this->remise_percent > 0 ? $this->remise_percent : 'NULL'); @@ -627,7 +627,7 @@ class Facture extends CommonInvoice $sql .= ", ".($this->pos_source != '' ? "'".$this->db->escape($this->pos_source)."'" : "null"); $sql .= ", ".($this->fk_fac_rec_source ? "'".$this->db->escape($this->fk_fac_rec_source)."'" : "null"); $sql .= ", ".($this->fk_facture_source ? "'".$this->db->escape($this->fk_facture_source)."'" : "null"); - $sql .= ", ".($user->id > 0 ? "'".$user->id."'" : "null"); + $sql .= ", ".($user->id > 0 ? (int) $user->id : "null"); $sql .= ", ".($this->fk_project ? $this->fk_project : "null"); $sql .= ", ".$this->cond_reglement_id; $sql .= ", ".$this->mode_reglement_id; @@ -715,7 +715,7 @@ class Facture extends CommonInvoice } $sqlcontact = "SELECT ctc.code, ctc.source, ec.fk_socpeople FROM ".MAIN_DB_PREFIX."element_contact as ec, ".MAIN_DB_PREFIX."c_type_contact as ctc"; - $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$originforcontact."'"; + $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$this->db->escape($originforcontact)."'"; $resqlcontact = $this->db->query($sqlcontact); if ($resqlcontact) diff --git a/htdocs/compta/facture/stats/index.php b/htdocs/compta/facture/stats/index.php index 543585ddbb0..81466651856 100644 --- a/htdocs/compta/facture/stats/index.php +++ b/htdocs/compta/facture/stats/index.php @@ -94,7 +94,7 @@ dol_mkdir($dir); $stats = new FactureStats($db, $socid, $mode, ($userid > 0 ? $userid : 0), ($typent_id > 0 ? $typent_id : 0), ($categ_id > 0 ? $categ_id : 0)); if ($mode == 'customer') { - if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')'; + if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; if (is_array($custcats) && !empty($custcats)) { $stats->from .= ' LEFT JOIN '.MAIN_DB_PREFIX.'categorie_societe as cat ON (f.fk_soc = cat.fk_soc)'; $stats->where .= ' AND cat.fk_categorie IN ('.implode(',', $custcats).')'; @@ -102,7 +102,7 @@ if ($mode == 'customer') } if ($mode == 'supplier') { - if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$this->db->sanitize($db->escape($object_status)).')'; + if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$db->sanitize($db->escape($object_status)).')'; } // Build graphic number of object diff --git a/htdocs/compta/journal/purchasesjournal.php b/htdocs/compta/journal/purchasesjournal.php index 78ef32072d6..d754760dd57 100644 --- a/htdocs/compta/journal/purchasesjournal.php +++ b/htdocs/compta/journal/purchasesjournal.php @@ -106,7 +106,7 @@ $sql .= " s.rowid as socid, s.nom as name, s.code_compta_fournisseur,"; $sql .= " p.rowid as pid, p.ref as ref, p.accountancy_code_buy,"; $sql .= " ct.accountancy_code_buy as account_tva, ct.recuperableonly"; $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn_det as fd"; -$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_tva as ct ON fd.tva_tx = ct.taux AND fd.info_bits = ct.recuperableonly AND ct.fk_pays = '".$idpays."'"; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_tva as ct ON fd.tva_tx = ct.taux AND fd.info_bits = ct.recuperableonly AND ct.fk_pays = ".((int) $idpays); $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = fd.fk_product"; $sql .= " JOIN ".MAIN_DB_PREFIX."facture_fourn as f ON f.rowid = fd.fk_facture_fourn"; $sql .= " JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc"; diff --git a/htdocs/compta/journal/sellsjournal.php b/htdocs/compta/journal/sellsjournal.php index bd44f6c47cc..62e8c77a133 100644 --- a/htdocs/compta/journal/sellsjournal.php +++ b/htdocs/compta/journal/sellsjournal.php @@ -109,7 +109,7 @@ $sql .= " FROM ".MAIN_DB_PREFIX."facturedet as fd"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = fd.fk_product"; $sql .= " JOIN ".MAIN_DB_PREFIX."facture as f ON f.rowid = fd.fk_facture"; $sql .= " JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc"; -$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_tva ct ON fd.tva_tx = ct.taux AND fd.info_bits = ct.recuperableonly AND ct.fk_pays = '".$idpays."'"; +$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_tva ct ON fd.tva_tx = ct.taux AND fd.info_bits = ct.recuperableonly AND ct.fk_pays = ".((int) $idpays); $sql .= " WHERE f.entity IN (".getEntity('invoice').")"; $sql .= " AND f.fk_statut > 0"; if (!empty($conf->global->FACTURE_DEPOSITS_ARE_JUST_PAYMENTS)) { diff --git a/htdocs/compta/paiement/cheque/card.php b/htdocs/compta/paiement/cheque/card.php index 2d42fc14a37..463e95f953e 100644 --- a/htdocs/compta/paiement/cheque/card.php +++ b/htdocs/compta/paiement/cheque/card.php @@ -57,7 +57,7 @@ $offset = $limit * $page; $dir = $conf->bank->dir_output.'/checkdeposits/'; $filterdate = dol_mktime(0, 0, 0, GETPOST('fdmonth'), GETPOST('fdday'), GETPOST('fdyear')); -$filteraccountid = GETPOST('accountid'); +$filteraccountid = GETPOST('accountid', 'int'); $object = new RemiseCheque($db); @@ -394,7 +394,7 @@ if ($action == 'new') $sql .= " AND b.fk_bordereau = 0"; $sql .= " AND b.amount > 0"; if ($filterdate) $sql .= " AND b.dateo = '".$db->idate($filterdate)."'"; - if ($filteraccountid > 0) $sql .= " AND ba.rowid= '".$filteraccountid."'"; + if ($filteraccountid > 0) $sql .= " AND ba.rowid = ".((int) $filteraccountid); $sql .= $db->order("b.dateo,b.rowid", "ASC"); $resql = $db->query($sql); diff --git a/htdocs/compta/paiement/cheque/class/remisecheque.class.php b/htdocs/compta/paiement/cheque/class/remisecheque.class.php index 56d12872cd2..00815c90f7d 100644 --- a/htdocs/compta/paiement/cheque/class/remisecheque.class.php +++ b/htdocs/compta/paiement/cheque/class/remisecheque.class.php @@ -211,7 +211,7 @@ class RemiseCheque extends CommonObject $sql .= " WHERE b.fk_type = 'CHQ'"; $sql .= " AND b.amount > 0"; $sql .= " AND b.fk_bordereau = 0"; - $sql .= " AND b.fk_account='".$account_id."'"; + $sql .= " AND b.fk_account = ".((int) $account_id); if ($limit) $sql .= $this->db->plimit($limit); dol_syslog("RemiseCheque::Create", LOG_DEBUG); @@ -775,18 +775,18 @@ class RemiseCheque extends CommonObject $sql .= ' FROM '.MAIN_DB_PREFIX.'paiement_facture as pf'; $sql .= ' WHERE pf.fk_paiement = '.$payment->id; - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - $rejectedPayment = new Paiement($db); + $rejectedPayment = new Paiement($this->db); $rejectedPayment->amounts = array(); $rejectedPayment->datepaye = $rejection_date; $rejectedPayment->paiementid = dol_getIdFromCode($this->db, 'CHQ', 'c_paiement', 'code', 'id', 1); $rejectedPayment->num_payment = $payment->num_payment; - while ($obj = $db->fetch_object($resql)) + while ($obj = $this->db->fetch_object($resql)) { - $invoice = new Facture($db); + $invoice = new Facture($this->db); $invoice->fetch($obj->fk_facture); $invoice->set_unpaid($user); diff --git a/htdocs/compta/paiement/class/paiement.class.php b/htdocs/compta/paiement/class/paiement.class.php index f2dc613175f..5cb16bdcbe3 100644 --- a/htdocs/compta/paiement/class/paiement.class.php +++ b/htdocs/compta/paiement/class/paiement.class.php @@ -800,7 +800,7 @@ class Paiement extends CommonObject $sql = "UPDATE ".MAIN_DB_PREFIX.'bank'; $sql .= " SET dateo = '".$this->db->idate($date)."', datev = '".$this->db->idate($date)."'"; - $sql .= " WHERE rowid IN (SELECT fk_bank FROM ".MAIN_DB_PREFIX."bank_url WHERE type = '".$type."' AND url_id = ".$this->id.")"; + $sql .= " WHERE rowid IN (SELECT fk_bank FROM ".MAIN_DB_PREFIX."bank_url WHERE type = '".$this->db->escape($type)."' AND url_id = ".$this->id.")"; $sql .= " AND rappro = 0"; $result = $this->db->query($sql); diff --git a/htdocs/compta/prelevement/class/bonprelevement.class.php b/htdocs/compta/prelevement/class/bonprelevement.class.php index 067dd33cd81..9d3c5bef7a8 100644 --- a/htdocs/compta/prelevement/class/bonprelevement.class.php +++ b/htdocs/compta/prelevement/class/bonprelevement.class.php @@ -205,9 +205,9 @@ class BonPrelevement extends CommonObject $sql .= " FROM ".MAIN_DB_PREFIX."prelevement_lignes"; $sql .= " WHERE fk_prelevement_bons = ".$this->id; $sql .= " AND fk_soc =".$client_id; - $sql .= " AND code_banque ='".$code_banque."'"; - $sql .= " AND code_guichet ='".$code_guichet."'"; - $sql .= " AND number ='".$number."'"; + $sql .= " AND code_banque = '".$this->db->escape($code_banque)."'"; + $sql .= " AND code_guichet = '".$this->db->escape($code_guichet)."'"; + $sql .= " AND number = '".$this->db->escape($number)."'"; $resql = $this->db->query($sql); if ($resql) @@ -234,10 +234,10 @@ class BonPrelevement extends CommonObject $sql .= ", ".$client_id; $sql .= ", '".$this->db->escape($client_nom)."'"; $sql .= ", '".price2num($amount)."'"; - $sql .= ", '".$code_banque."'"; - $sql .= ", '".$code_guichet."'"; - $sql .= ", '".$number."'"; - $sql .= ", '".$number_key."'"; + $sql .= ", '".$this->db->escape($code_banque)."'"; + $sql .= ", '".$this->db->escape($code_guichet)."'"; + $sql .= ", '".$this->db->escape($number)."'"; + $sql .= ", '".$this->db->escape($number_key)."'"; $sql .= ")"; if ($this->db->query($sql)) @@ -1380,7 +1380,7 @@ class BonPrelevement extends CommonObject $result = 0; $sql = "DELETE FROM ".MAIN_DB_PREFIX."notify_def"; - $sql .= " WHERE rowid = '".$rowid."'"; + $sql .= " WHERE rowid = ".((int) $rowid); if ($this->db->query($sql)) { @@ -1404,7 +1404,7 @@ class BonPrelevement extends CommonObject $result = 0; $sql = "DELETE FROM ".MAIN_DB_PREFIX."notify_def"; - $sql .= " WHERE fk_user=".$user." AND fk_action='".$action."'"; + $sql .= " WHERE fk_user=".$user." AND fk_action='".$this->db->escape($action)."'"; if ($this->db->query($sql)) { @@ -1433,7 +1433,7 @@ class BonPrelevement extends CommonObject $now = dol_now(); $sql = "INSERT INTO ".MAIN_DB_PREFIX."notify_def (datec,fk_user, fk_soc, fk_contact, fk_action)"; - $sql .= " VALUES (".$db->idate($now).",".$user.", 'NULL', 'NULL', '".$action."')"; + $sql .= " VALUES ('".$this->db->idate($now)."', ".$user.", 'NULL', 'NULL', '".$this->db->escape($action)."')"; dol_syslog("adnotiff: ".$sql); if ($this->db->query($sql)) diff --git a/htdocs/compta/sociales/list.php b/htdocs/compta/sociales/list.php index 341799a686a..52d3b9b7fa3 100644 --- a/htdocs/compta/sociales/list.php +++ b/htdocs/compta/sociales/list.php @@ -138,8 +138,8 @@ if ($year > 0) $sql .= " AND ("; // Si period renseignee on l'utilise comme critere de date, sinon on prend date echeance, // ceci afin d'etre compatible avec les cas ou la periode n'etait pas obligatoire - $sql .= " (cs.periode IS NOT NULL AND date_format(cs.periode, '%Y') = '".$year."') "; - $sql .= "OR (cs.periode IS NULL AND date_format(cs.date_ech, '%Y') = '".$year."')"; + $sql .= " (cs.periode IS NOT NULL AND date_format(cs.periode, '%Y') = '".$db->escape($year)."') "; + $sql .= "OR (cs.periode IS NULL AND date_format(cs.date_ech, '%Y') = '".$db->escape($year)."')"; $sql .= ")"; } if ($filtre) { diff --git a/htdocs/compta/tva/class/tva.class.php b/htdocs/compta/tva/class/tva.class.php index b4201d0bc36..5f661609e52 100644 --- a/htdocs/compta/tva/class/tva.class.php +++ b/htdocs/compta/tva/class/tva.class.php @@ -384,7 +384,7 @@ class Tva extends CommonObject $sql .= " FROM ".MAIN_DB_PREFIX."facture as f WHERE f.paye = 1"; if ($year) { - $sql .= " AND f.datef >= '".$year."-01-01' AND f.datef <= '".$year."-12-31' "; + $sql .= " AND f.datef >= '".$this->db->escape($year)."-01-01' AND f.datef <= '".$this->db->escape($year)."-12-31' "; } $result = $this->db->query($sql); @@ -421,7 +421,7 @@ class Tva extends CommonObject $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn as f"; if ($year) { - $sql .= " WHERE f.datef >= '".$year."-01-01' AND f.datef <= '".$year."-12-31' "; + $sql .= " WHERE f.datef >= '".$this->db->escape($year)."-01-01' AND f.datef <= '".$this->db->escape($year)."-12-31' "; } $result = $this->db->query($sql); @@ -460,7 +460,7 @@ class Tva extends CommonObject if ($year) { - $sql .= " WHERE f.datev >= '".$year."-01-01' AND f.datev <= '".$year."-12-31' "; + $sql .= " WHERE f.datev >= '".$this->db->escape($year)."-01-01' AND f.datev <= '".$this->db->escape($year)."-12-31' "; } $result = $this->db->query($sql); diff --git a/htdocs/contact/class/contact.class.php b/htdocs/contact/class/contact.class.php index 3922dc9069f..0c2c3bf56ce 100644 --- a/htdocs/contact/class/contact.class.php +++ b/htdocs/contact/class/contact.class.php @@ -1649,7 +1649,7 @@ class Contact extends CommonObject $sql .= ", ".MAIN_DB_PREFIX."societe_contacts sc"; $sql .= " WHERE sc.fk_soc =".$this->socid; $sql .= " AND sc.fk_c_type_contact=tc.rowid"; - $sql .= " AND tc.element='".$element."'"; + $sql .= " AND tc.element='".$this->db->escape($element)."'"; $sql .= " AND tc.active=1"; dol_syslog(__METHOD__, LOG_DEBUG); diff --git a/htdocs/contrat/class/api_contracts.class.php b/htdocs/contrat/class/api_contracts.class.php index ffe66208afe..671ac1177f6 100644 --- a/htdocs/contrat/class/api_contracts.class.php +++ b/htdocs/contrat/class/api_contracts.class.php @@ -141,7 +141,7 @@ class Contracts extends DolibarrApi $sql .= " AND (".preg_replace_callback('/'.$regexstring.'/', 'DolibarrApi::_forge_criteria_callback', $sqlfilters).")"; } - $sql .= $db->order($sortfield, $sortorder); + $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { if ($page < 0) { @@ -149,28 +149,28 @@ class Contracts extends DolibarrApi } $offset = $limit * $page; - $sql .= $db->plimit($limit + 1, $offset); + $sql .= $this->db->plimit($limit + 1, $offset); } dol_syslog("API Rest request"); - $result = $db->query($sql); + $result = $this->db->query($sql); if ($result) { - $num = $db->num_rows($result); + $num = $this->db->num_rows($result); $min = min($num, ($limit <= 0 ? $num : $limit)); $i = 0; while ($i < $min) { - $obj = $db->fetch_object($result); - $contrat_static = new Contrat($db); + $obj = $this->db->fetch_object($result); + $contrat_static = new Contrat($this->db); if ($contrat_static->fetch($obj->rowid)) { $obj_ret[] = $this->_cleanObjectDatas($contrat_static); } $i++; } } else { - throw new RestException(503, 'Error when retrieve contrat list : '.$db->lasterror()); + throw new RestException(503, 'Error when retrieve contrat list : '.$this->db->lasterror()); } if (!count($obj_ret)) { throw new RestException(404, 'No contract found'); diff --git a/htdocs/contrat/class/contrat.class.php b/htdocs/contrat/class/contrat.class.php index b555917e2f3..f94b19c30b9 100644 --- a/htdocs/contrat/class/contrat.class.php +++ b/htdocs/contrat/class/contrat.class.php @@ -510,7 +510,7 @@ class Contrat extends CommonObject if ($num) { - $sql = "UPDATE ".MAIN_DB_PREFIX."contrat SET ref = '".$num."', statut = 1"; + $sql = "UPDATE ".MAIN_DB_PREFIX."contrat SET ref = '".$this->db->escape($num)."', statut = 1"; //$sql.= ", fk_user_valid = ".$user->id.", date_valid = '".$this->db->idate($now)."'"; $sql .= " WHERE rowid = ".$this->id." AND statut = 0"; @@ -1093,7 +1093,7 @@ class Contrat extends CommonObject } $sqlcontact = "SELECT ctc.code, ctc.source, ec.fk_socpeople FROM ".MAIN_DB_PREFIX."element_contact as ec, ".MAIN_DB_PREFIX."c_type_contact as ctc"; - $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$originforcontact."'"; + $sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$this->db->escape($originforcontact)."'"; $resqlcontact = $this->db->query($sqlcontact); if ($resqlcontact) @@ -1541,15 +1541,15 @@ class Contrat extends CommonObject $sql .= ($fk_product > 0 ? $fk_product : "null").","; $sql .= " ".$qty.","; $sql .= " ".$txtva.","; - $sql .= " ".($vat_src_code ? "'".$vat_src_code."'" : "null").","; + $sql .= " ".($vat_src_code ? "'".$this->db->escape($vat_src_code)."'" : "null").","; $sql .= " ".$txlocaltax1.","; $sql .= " ".$txlocaltax2.","; - $sql .= " '".$localtax1_type."',"; - $sql .= " '".$localtax2_type."',"; + $sql .= " '".$this->db->escape($localtax1_type)."',"; + $sql .= " '".$this->db->escape($localtax2_type)."',"; $sql .= " ".price2num($remise_percent).","; $sql .= " ".price2num($pu_ht).","; $sql .= " ".price2num($total_ht).",".price2num($total_tva).",".price2num($total_localtax1).",".price2num($total_localtax2).",".price2num($total_ttc).","; - $sql .= " '".$info_bits."',"; + $sql .= " '".$this->db->escape($info_bits)."',"; $sql .= " ".price2num($price).",".price2num($remise).","; if (isset($fk_fournprice)) $sql .= ' '.$fk_fournprice.','; else $sql .= ' null,'; @@ -1717,8 +1717,8 @@ class Contrat extends CommonObject $sql .= ",tva_tx='".price2num($tvatx)."'"; $sql .= ",localtax1_tx='".price2num($localtax1tx)."'"; $sql .= ",localtax2_tx='".price2num($localtax2tx)."'"; - $sql .= ",localtax1_type='".$localtax1_type."'"; - $sql .= ",localtax2_type='".$localtax2_type."'"; + $sql .= ",localtax1_type='".$this->db->escape($localtax1_type)."'"; + $sql .= ",localtax2_type='".$this->db->escape($localtax2_type)."'"; $sql .= ", total_ht='".price2num($total_ht)."'"; $sql .= ", total_tva='".price2num($total_tva)."'"; $sql .= ", total_localtax1='".price2num($total_localtax1)."'"; diff --git a/htdocs/core/class/comment.class.php b/htdocs/core/class/comment.class.php index 91fba374181..a083576aacb 100644 --- a/htdocs/core/class/comment.class.php +++ b/htdocs/core/class/comment.class.php @@ -349,25 +349,25 @@ class Comment extends CommonObject $sql .= " c.rowid"; $sql .= " FROM ".MAIN_DB_PREFIX.$this->table_element." as c"; $sql .= " WHERE c.fk_element = ".$fk_element; - $sql .= " AND c.element_type = '".$db->escape($element_type)."'"; + $sql .= " AND c.element_type = '".$this->db->escape($element_type)."'"; $sql .= " AND c.entity = ".$conf->entity; $sql .= " ORDER BY c.tms DESC"; dol_syslog(get_class($this).'::'.__METHOD__, LOG_DEBUG); - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - $num_rows = $db->num_rows($resql); + $num_rows = $this->db->num_rows($resql); if ($num_rows > 0) { - while ($obj = $db->fetch_object($resql)) + while ($obj = $this->db->fetch_object($resql)) { $comment = new self($db); $comment->fetch($obj->rowid); $this->comments[] = $comment; } } - $db->free($resql); + $this->db->free($resql); } else { $this->errors[] = "Error ".$this->db->lasterror(); return -1; diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index 601d0b6f78a..9cd56c3b29a 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -2108,9 +2108,9 @@ class Form $selectFields = " p.rowid, p.ref, p.label, p.description, p.barcode, p.fk_country, p.fk_product_type, p.price, p.price_ttc, p.price_base_type, p.tva_tx, p.duration, p.fk_price_expression"; if (count($warehouseStatusArray)) { - $selectFieldsGrouped = ", sum(".$db->ifsql("e.statut IS NULL", "0", "ps.reel").") as stock"; // e.statut is null if there is no record in stock + $selectFieldsGrouped = ", sum(".$this->db->ifsql("e.statut IS NULL", "0", "ps.reel").") as stock"; // e.statut is null if there is no record in stock } else { - $selectFieldsGrouped = ", ".$db->ifsql("p.stock IS NULL", 0, "p.stock")." AS stock"; + $selectFieldsGrouped = ", ".$this->db->ifsql("p.stock IS NULL", 0, "p.stock")." AS stock"; } $sql = "SELECT "; @@ -2226,19 +2226,19 @@ class Form foreach ($scrit as $crit) { if ($i > 0) $sql .= " AND "; - $sql .= "(p.ref LIKE '".$db->escape($prefix.$crit)."%' OR p.label LIKE '".$db->escape($prefix.$crit)."%'"; - if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " OR pl.label LIKE '".$db->escape($prefix.$crit)."%'"; + $sql .= "(p.ref LIKE '".$this->db->escape($prefix.$crit)."%' OR p.label LIKE '".$this->db->escape($prefix.$crit)."%'"; + if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " OR pl.label LIKE '".$this->db->escape($prefix.$crit)."%'"; if (!empty($conf->global->PRODUCT_AJAX_SEARCH_ON_DESCRIPTION)) { - $sql .= " OR p.description LIKE '".$db->escape($prefix.$crit)."%'"; - if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " OR pl.description LIKE '".$db->escape($prefix.$crit)."%'"; + $sql .= " OR p.description LIKE '".$this->db->escape($prefix.$crit)."%'"; + if (!empty($conf->global->MAIN_MULTILANGS)) $sql .= " OR pl.description LIKE '".$this->db->escape($prefix.$crit)."%'"; } - if (!empty($conf->global->MAIN_SEARCH_PRODUCT_BY_FOURN_REF)) $sql .= " OR pfp.ref_fourn LIKE '".$db->escape($prefix.$crit)."%'"; + if (!empty($conf->global->MAIN_SEARCH_PRODUCT_BY_FOURN_REF)) $sql .= " OR pfp.ref_fourn LIKE '".$this->db->escape($prefix.$crit)."%'"; $sql .= ")"; $i++; } if (count($scrit) > 1) $sql .= ")"; - if (!empty($conf->barcode->enabled)) $sql .= " OR p.barcode LIKE '".$db->escape($prefix.$filterkey)."%'"; + if (!empty($conf->barcode->enabled)) $sql .= " OR p.barcode LIKE '".$this->db->escape($prefix.$filterkey)."%'"; $sql .= ')'; } if (count($warehouseStatusArray)) @@ -2253,10 +2253,10 @@ class Form //ASC OR DESC order ($conf->global->PRODUCT_SORT_BY_CATEGORY == 1) ? $sql .= "ASC" : $sql .= "DESC"; } else { - $sql .= $db->order("p.ref"); + $sql .= $this->db->order("p.ref"); } - $sql .= $db->plimit($limit, 0); + $sql .= $this->db->plimit($limit, 0); // Build output string dol_syslog(get_class($this)."::select_produits_list search product", LOG_DEBUG); @@ -2770,7 +2770,7 @@ class Form $sql .= ')'; } $sql .= " ORDER BY pfp.ref_fourn DESC, pfp.quantity ASC"; - $sql .= $db->plimit($limit, 0); + $sql .= $this->db->plimit($limit, 0); // Build output string @@ -4913,10 +4913,10 @@ class Form $sql = 'SELECT code FROM '.MAIN_DB_PREFIX.'multicurrency'; $sql .= " WHERE entity IN ('".getEntity('mutlicurrency')."')"; - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - while ($obj = $db->fetch_object($resql)) $TCurrency[$obj->code] = $obj->code; + while ($obj = $this->db->fetch_object($resql)) $TCurrency[$obj->code] = $obj->code; } $out = ''; diff --git a/htdocs/core/class/html.formaccounting.class.php b/htdocs/core/class/html.formaccounting.class.php index 874bb3719e4..f48e9b8eb74 100644 --- a/htdocs/core/class/html.formaccounting.class.php +++ b/htdocs/core/class/html.formaccounting.class.php @@ -179,10 +179,10 @@ class FormAccounting extends Form } dol_syslog(get_class($this).'::'.__METHOD__, LOG_DEBUG); - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - $num = $db->num_rows($resql); + $num = $this->db->num_rows($resql); if ($num) { $out = ''; if ($showempty) print ''; - $num = $db->num_rows($resql); + $num = $this->db->num_rows($resql); $i = 0; if ($num) { while ($i < $num) { - $obj = $db->fetch_object($resql); + $obj = $this->db->fetch_object($resql); // If we ask to filter on a company and user has no permission to see all companies and project is linked to another company, we hide project. if ($socid > 0 && (empty($obj->fk_soc) || $obj->fk_soc == $socid) && !$user->rights->societe->lire) { @@ -150,7 +150,7 @@ class FormContract } } print ''; - $db->free($resql); + $this->db->free($resql); if (!empty($conf->use_javascript_ajax)) { @@ -161,7 +161,7 @@ class FormContract return $num; } else { - dol_print_error($db); + dol_print_error($this->db); return -1; } } diff --git a/htdocs/core/class/html.formintervention.class.php b/htdocs/core/class/html.formintervention.class.php index 37073e8d3a5..dccbe50333a 100644 --- a/htdocs/core/class/html.formintervention.class.php +++ b/htdocs/core/class/html.formintervention.class.php @@ -80,18 +80,18 @@ class FormIntervention } dol_syslog(get_class($this)."::select_intervention", LOG_DEBUG); - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { $out .= ''; - $db->free($resql); + $this->db->free($resql); return $out; } else { - dol_print_error($db); + dol_print_error($this->db); return ''; } } diff --git a/htdocs/core/class/html.formmargin.class.php b/htdocs/core/class/html.formmargin.class.php index 7a6c3d9c13a..cf159819764 100644 --- a/htdocs/core/class/html.formmargin.class.php +++ b/htdocs/core/class/html.formmargin.class.php @@ -87,7 +87,7 @@ class FormMargin if (empty($line->pa_ht) && isset($line->fk_fournprice) && !$force_price) { require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.product.class.php'; - $product = new ProductFournisseur($db); + $product = new ProductFournisseur($this->db); if ($product->fetch_product_fournisseur_price($line->fk_fournprice)) $line->pa_ht = $product->fourn_unitprice * (1 - $product->fourn_remise_percent / 100); } diff --git a/htdocs/core/class/html.formother.class.php b/htdocs/core/class/html.formother.class.php index 08eaa77ac3e..38d75177b90 100644 --- a/htdocs/core/class/html.formother.class.php +++ b/htdocs/core/class/html.formother.class.php @@ -1012,7 +1012,7 @@ class FormOther // $boxidactivatedforuser will be array of boxes choosed by user $selectboxlist = ''; - $boxactivated = InfoBox::listBoxes($db, 'activated', $areacode, (empty($user->conf->$confuserzone) ?null:$user), array(), 0); // Search boxes of common+user (or common only if user has no specific setup) + $boxactivated = InfoBox::listBoxes($this->db, 'activated', $areacode, (empty($user->conf->$confuserzone) ?null:$user), array(), 0); // Search boxes of common+user (or common only if user has no specific setup) $boxidactivatedforuser = array(); foreach ($boxactivated as $box) @@ -1141,7 +1141,7 @@ class FormOther // Load translation files required by the page $langs->loadLangs(array("boxes", "projects")); - $emptybox = new ModeleBoxes($db); + $emptybox = new ModeleBoxes($this->db); $boxlista .= "\n\n"; diff --git a/htdocs/core/class/html.formsocialcontrib.class.php b/htdocs/core/class/html.formsocialcontrib.class.php index b9da780f02d..b5adfdba82f 100644 --- a/htdocs/core/class/html.formsocialcontrib.class.php +++ b/htdocs/core/class/html.formsocialcontrib.class.php @@ -88,10 +88,10 @@ class FormSocialContrib } dol_syslog("Form::select_type_socialcontrib", LOG_DEBUG); - $resql = $db->query($sql); + $resql = $this->db->query($sql); if ($resql) { - $num = $db->num_rows($resql); + $num = $this->db->num_rows($resql); if ($num) { print '