diff --git a/htdocs/accountancy/admin/accountmodel.php b/htdocs/accountancy/admin/accountmodel.php index 0f4d538cfac..6aacda28677 100644 --- a/htdocs/accountancy/admin/accountmodel.php +++ b/htdocs/accountancy/admin/accountmodel.php @@ -553,16 +553,16 @@ if ($id) { $num = $db->num_rows($resql); $i = 0; - $param = '&id='.$id; + $param = '&id='.urlencode($id); if ($search_country_id > 0) { - $param .= '&search_country_id='.$search_country_id; + $param .= '&search_country_id='.urlencode($search_country_id); } $paramwithsearch = $param; if ($sortorder) { - $paramwithsearch .= '&sortorder='.$sortorder; + $paramwithsearch .= '&sortorder='.urlencode($sortorder); } if ($sortfield) { - $paramwithsearch .= '&sortfield='.$sortfield; + $paramwithsearch .= '&sortfield='.urlencode($sortfield); } // There is several pages diff --git a/htdocs/accountancy/admin/categories_list.php b/htdocs/accountancy/admin/categories_list.php index 9a8a84893fe..53a1d75129b 100644 --- a/htdocs/accountancy/admin/categories_list.php +++ b/htdocs/accountancy/admin/categories_list.php @@ -580,7 +580,7 @@ if ($resql) { $param = '&id='.$id; if ($search_country_id > 0) { - $param .= '&search_country_id='.$search_country_id; + $param .= '&search_country_id='.urlencode($search_country_id); } $paramwithsearch = $param; if ($sortorder) { diff --git a/htdocs/accountancy/admin/journals_list.php b/htdocs/accountancy/admin/journals_list.php index 9ba9d8a6e20..49103716387 100644 --- a/htdocs/accountancy/admin/journals_list.php +++ b/htdocs/accountancy/admin/journals_list.php @@ -512,7 +512,7 @@ if ($id) { $param = '&id='.$id; if ($search_country_id > 0) { - $param .= '&search_country_id='.$search_country_id; + $param .= '&search_country_id='.urlencode($search_country_id); } $paramwithsearch = $param; if ($sortorder) { diff --git a/htdocs/accountancy/bookkeeping/balance.php b/htdocs/accountancy/bookkeeping/balance.php index b84fe255760..126f61e272c 100644 --- a/htdocs/accountancy/bookkeeping/balance.php +++ b/htdocs/accountancy/bookkeeping/balance.php @@ -40,6 +40,7 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/html.formother.class.php'; $langs->loadLangs(array("accountancy", "compta")); $action = GETPOST('action', 'aZ09'); +$contextpage = GETPOST('contextpage', 'aZ09'); // Load variable for pagination $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit; @@ -120,19 +121,19 @@ if ($limit > 0 && $limit != $conf->liste_limit) { $filter = array(); if (!empty($search_date_start)) { $filter['t.doc_date>='] = $search_date_start; - $param .= '&date_startmonth='.GETPOST('date_startmonth', 'int').'&date_startday='.GETPOST('date_startday', 'int').'&date_startyear='.GETPOST('date_startyear', 'int'); + $param .= '&date_startmonth='.GETPOST('date_startmonth', 'int').'&date_startday='.GETPOST('date_startday', 'int').'&date_startyear='.GETPOST('date_startyear', 'int'); } if (!empty($search_date_end)) { $filter['t.doc_date<='] = $search_date_end; - $param .= '&date_endmonth='.GETPOST('date_endmonth', 'int').'&date_endday='.GETPOST('date_endday', 'int').'&date_endyear='.GETPOST('date_endyear', 'int'); + $param .= '&date_endmonth='.GETPOST('date_endmonth', 'int').'&date_endday='.GETPOST('date_endday', 'int').'&date_endyear='.GETPOST('date_endyear', 'int'); } if (!empty($search_accountancy_code_start)) { $filter['t.numero_compte>='] = $search_accountancy_code_start; - $param .= '&search_accountancy_code_start='.$search_accountancy_code_start; + $param .= '&search_accountancy_code_start='.urlencode($search_accountancy_code_start); } if (!empty($search_accountancy_code_end)) { $filter['t.numero_compte<='] = $search_accountancy_code_end; - $param .= '&search_accountancy_code_end='.$search_accountancy_code_end; + $param .= '&search_accountancy_code_end='.urlencode($search_accountancy_code_end); } if (!empty($search_ledger_code)) { $filter['t.code_journal'] = $search_ledger_code; diff --git a/htdocs/adherents/ldap.php b/htdocs/adherents/ldap.php index 44d5ee5399b..d714e3d9a32 100644 --- a/htdocs/adherents/ldap.php +++ b/htdocs/adherents/ldap.php @@ -204,7 +204,7 @@ if ($result > 0) { $result = show_ldap_content($records, 0, $records['count'], true); } } else { - print ''.$langs->trans("LDAPRecordNotFound").' (dn='.$dn.' - search='.$search.')'; + print ''.$langs->trans("LDAPRecordNotFound").' (dn='.dol_escape_htmltag($dn).' - search='.dol_escape_htmltag($search).')'; } } diff --git a/htdocs/adherents/type_ldap.php b/htdocs/adherents/type_ldap.php index 87a952a68b4..a695f84bb81 100644 --- a/htdocs/adherents/type_ldap.php +++ b/htdocs/adherents/type_ldap.php @@ -166,7 +166,7 @@ if ($result > 0) { $result = show_ldap_content($records, 0, $records['count'], true); } } else { - print ''.$langs->trans("LDAPRecordNotFound").' (dn='.$dn.' - search='.$search.')'; + print ''.$langs->trans("LDAPRecordNotFound").' (dn='.dol_escape_htmltag($dn).' - search='.dol_escape_htmltag($search).')'; } $ldap->unbind(); diff --git a/htdocs/admin/modules.php b/htdocs/admin/modules.php index 77c070ad573..e3448d19702 100644 --- a/htdocs/admin/modules.php +++ b/htdocs/admin/modules.php @@ -789,16 +789,16 @@ if ($mode == 'common' || $mode == 'commonkanban') { if (!empty($objMod->config_page_url) && !$disableSetup) { $backtourlparam = ''; if ($search_keyword != '') { - $backtourlparam .= ($backtourlparam ? '&' : '?').'search_keyword='.$search_keyword; // No urlencode here, done later + $backtourlparam .= ($backtourlparam ? '&' : '?').'search_keyword='.urlencode($search_keyword); // No urlencode here, done later } if ($search_nature > -1) { - $backtourlparam .= ($backtourlparam ? '&' : '?').'search_nature='.$search_nature; // No urlencode here, done later + $backtourlparam .= ($backtourlparam ? '&' : '?').'search_nature='.urlencode($search_nature); // No urlencode here, done later } if ($search_version > -1) { - $backtourlparam .= ($backtourlparam ? '&' : '?').'search_version='.$search_version; // No urlencode here, done later + $backtourlparam .= ($backtourlparam ? '&' : '?').'search_version='.urlencode($search_version); // No urlencode here, done later } if ($search_status > -1) { - $backtourlparam .= ($backtourlparam ? '&' : '?').'search_status='.$search_status; // No urlencode here, done later + $backtourlparam .= ($backtourlparam ? '&' : '?').'search_status='.urlencode($search_status); // No urlencode here, done later } $backtourl = $_SERVER["PHP_SELF"].$backtourlparam; diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php index 2d304f9b1a8..d92638d7347 100644 --- a/htdocs/comm/propal/class/propal.class.php +++ b/htdocs/comm/propal/class/propal.class.php @@ -2284,8 +2284,8 @@ class Propal extends CommonObject $this->db->begin(); - $sql = 'UPDATE '.MAIN_DB_PREFIX.'propal SET ref_client = '.(empty($ref_client) ? 'NULL' : '\''.$this->db->escape($ref_client).'\''); - $sql .= ' WHERE rowid = '.$this->id; + $sql = "UPDATE ".MAIN_DB_PREFIX."propal SET ref_client = ".(empty($ref_client) ? 'NULL' : "'".$this->db->escape($ref_client)."'"); + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(__METHOD__.' $this->id='.$this->id.', ref_client='.$ref_client, LOG_DEBUG); $resql = $this->db->query($sql); @@ -2627,8 +2627,8 @@ class Propal extends CommonObject $newprivatenote = dol_concatdesc($this->note_private, $note); $sql = 'UPDATE '.MAIN_DB_PREFIX.'propal SET fk_statut = '.self::STATUS_BILLED.", "; - $sql .= " note_private = '".$this->db->escape($newprivatenote)."', date_cloture='".$this->db->idate($now)."', fk_user_cloture=".$user->id; - $sql .= ' WHERE rowid = '.$this->id.' AND fk_statut = '.self::STATUS_SIGNED; + $sql .= " note_private = '".$this->db->escape($newprivatenote)."', date_cloture='".$this->db->idate($now)."', fk_user_cloture=".((int) $user->id); + $sql .= ' WHERE rowid = '.((int) $this->id).' AND fk_statut = '.((int) self::STATUS_SIGNED); dol_syslog(__METHOD__, LOG_DEBUG); $resql = $this->db->query($sql); @@ -4087,7 +4087,7 @@ class PropaleLigne extends CommonObjectLine $sql .= " ".price2num($this->localtax2_tx).","; $sql .= " '".$this->db->escape($this->localtax1_type)."',"; $sql .= " '".$this->db->escape($this->localtax2_type)."',"; - $sql .= " ".(price2num($this->subprice) !== '' ?price2num($this->subprice) : "null").","; + $sql .= " ".(price2num($this->subprice) !== '' ? price2num($this->subprice) : "null").","; $sql .= " ".price2num($this->remise_percent).","; $sql .= " ".(isset($this->info_bits) ? "'".$this->db->escape($this->info_bits)."'" : "null").","; $sql .= " ".price2num($this->total_ht).","; @@ -4097,12 +4097,12 @@ class PropaleLigne extends CommonObjectLine $sql .= " ".price2num($this->total_ttc).","; $sql .= " ".(!empty($this->fk_fournprice) ? "'".$this->db->escape($this->fk_fournprice)."'" : "null").","; $sql .= " ".(isset($this->pa_ht) ? "'".price2num($this->pa_ht)."'" : "null").","; - $sql .= ' '.$this->special_code.','; - $sql .= ' '.$this->rang.','; - $sql .= ' '.(!$this->fk_unit ? 'NULL' : $this->fk_unit).','; + $sql .= ' '.((int) $this->special_code).','; + $sql .= ' '.((int) $this->rang).','; + $sql .= ' '.(empty($this->fk_unit) ? 'NULL' : ((int) $this->fk_unit)).','; $sql .= " ".(!empty($this->date_start) ? "'".$this->db->idate($this->date_start)."'" : "null").','; $sql .= " ".(!empty($this->date_end) ? "'".$this->db->idate($this->date_end)."'" : "null"); - $sql .= ", ".($this->fk_multicurrency > 0 ? $this->fk_multicurrency : 'null'); + $sql .= ", ".($this->fk_multicurrency > 0 ? ((int) $this->fk_multicurrency) : 'null'); $sql .= ", '".$this->db->escape($this->multicurrency_code)."'"; $sql .= ", ".$this->multicurrency_subprice; $sql .= ", ".$this->multicurrency_total_ht; diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php index bf06a27e620..095b6770fe7 100644 --- a/htdocs/comm/propal/list.php +++ b/htdocs/comm/propal/list.php @@ -581,7 +581,7 @@ if ($search_warehouse != '' && $search_warehouse > 0) { $sql .= natural_search("p.fk_warehouse", $search_warehouse, 1); } if ($search_multicurrency_code != '') { - $sql .= ' AND p.multicurrency_code = "'.$db->escape($search_multicurrency_code).'"'; + $sql .= " AND p.multicurrency_code = '".$db->escape($search_multicurrency_code)."'"; } if ($search_multicurrency_tx != '') { $sql .= natural_search('p.multicurrency_tx', $search_multicurrency_tx, 1); diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php index 837683c3800..daf55e81605 100644 --- a/htdocs/commande/class/commande.class.php +++ b/htdocs/commande/class/commande.class.php @@ -698,7 +698,7 @@ class Commande extends CommonOrder $sql = 'UPDATE '.MAIN_DB_PREFIX.'commande'; $sql .= ' SET fk_statut='.self::STATUS_VALIDATED.', facture=0'; - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(get_class($this)."::set_reopen", LOG_DEBUG); $resql = $this->db->query($sql); @@ -757,9 +757,9 @@ class Commande extends CommonOrder $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element; $sql .= ' SET fk_statut = '.self::STATUS_CLOSED.','; - $sql .= ' fk_user_cloture = '.$user->id.','; + $sql .= ' fk_user_cloture = '.((int) $user->id).','; $sql .= " date_cloture = '".$this->db->idate($now)."'"; - $sql .= ' WHERE rowid = '.$this->id.' AND fk_statut > '.self::STATUS_DRAFT; + $sql .= " WHERE rowid = ".((int) $this->id).' AND fk_statut > '.self::STATUS_DRAFT; if ($this->db->query($sql)) { if (!$notrigger) { @@ -2026,7 +2026,7 @@ class Commande extends CommonOrder $sql .= ' p.weight, p.weight_units, p.volume, p.volume_units'; $sql .= ' FROM '.MAIN_DB_PREFIX.'commandedet as l'; $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product as p ON (p.rowid = l.fk_product)'; - $sql .= ' WHERE l.fk_commande = '.$this->id; + $sql .= ' WHERE l.fk_commande = '.((int) $this->id); if ($only_product) { $sql .= ' AND p.fk_product_type = 0'; } @@ -2180,7 +2180,7 @@ class Commande extends CommonOrder $sql .= ' '.MAIN_DB_PREFIX.'commandedet as cd'; $sql .= ' WHERE'; $sql .= ' ed.fk_origin_line = cd.rowid'; - $sql .= ' AND cd.fk_commande ='.$this->id; + $sql .= ' AND cd.fk_commande = '.((int) $this->id); //print $sql; dol_syslog(get_class($this)."::getNbOfShipments", LOG_DEBUG); @@ -2222,12 +2222,12 @@ class Commande extends CommonOrder $sql .= ' ed.fk_expedition = e.rowid AND'; } $sql .= ' ed.fk_origin_line = cd.rowid'; - $sql .= ' AND cd.fk_commande ='.$this->id; + $sql .= ' AND cd.fk_commande = '.((int) $this->id); if ($this->fk_product > 0) { - $sql .= ' AND cd.fk_product = '.$this->fk_product; + $sql .= ' AND cd.fk_product = '.((int) $this->fk_product); } if ($filtre_statut >= 0) { - $sql .= ' AND e.fk_statut >= '.$filtre_statut; + $sql .= ' AND e.fk_statut >= '.((int) $filtre_statut); } $sql .= ' GROUP BY cd.rowid, cd.fk_product'; //print $sql; @@ -2264,7 +2264,7 @@ class Commande extends CommonOrder $sql = 'SELECT count(*)'; $sql .= ' FROM '.MAIN_DB_PREFIX.'expedition as e'; $sql .= ', '.MAIN_DB_PREFIX.'element_element as el'; - $sql .= ' WHERE el.fk_source = '.$this->id; + $sql .= ' WHERE el.fk_source = '.((int) $this->id); $sql .= " AND el.sourcetype = 'commande'"; $sql .= " AND el.fk_target = e.rowid"; $sql .= " AND el.targettype = 'shipping'"; @@ -2421,7 +2421,7 @@ class Commande extends CommonOrder $sql = 'UPDATE '.MAIN_DB_PREFIX.'commande'; $sql .= ' SET remise_percent = '.((float) $remise); - $sql .= ' WHERE rowid = '.$this->id.' AND fk_statut = '.self::STATUS_DRAFT; + $sql .= ' WHERE rowid = '.((int) $this->id).' AND fk_statut = '.((int) self::STATUS_DRAFT); dol_syslog(__METHOD__, LOG_DEBUG); $resql = $this->db->query($sql); @@ -2485,7 +2485,7 @@ class Commande extends CommonOrder $sql = 'UPDATE '.MAIN_DB_PREFIX.'commande'; $sql .= ' SET remise_absolue = '.((float) $remise); - $sql .= ' WHERE rowid = '.$this->id.' AND fk_statut = '.self::STATUS_DRAFT; + $sql .= ' WHERE rowid = '.((int) $this->id).' AND fk_statut = '.self::STATUS_DRAFT; dol_syslog(__METHOD__, LOG_DEBUG); $resql = $this->db->query($sql); @@ -2874,7 +2874,7 @@ class Commande extends CommonOrder $sql = 'UPDATE '.MAIN_DB_PREFIX.'commande SET'; $sql .= ' ref_client = '.(empty($ref_client) ? 'NULL' : "'".$this->db->escape($ref_client)."'"); - $sql .= ' WHERE rowid = '.$this->id; + $sql .= ' WHERE rowid = '.((int) $this->id); dol_syslog(__METHOD__.' this->id='.$this->id.', ref_client='.$ref_client, LOG_DEBUG); $resql = $this->db->query($sql); @@ -2930,7 +2930,7 @@ class Commande extends CommonOrder $this->db->begin(); $sql = 'UPDATE '.MAIN_DB_PREFIX.'commande SET facture = 1'; - $sql .= ' WHERE rowid = '.$this->id.' AND fk_statut > '.self::STATUS_DRAFT; + $sql .= " WHERE rowid = ".((int) $this->id).' AND fk_statut > '.self::STATUS_DRAFT; dol_syslog(get_class($this)."::classifyBilled", LOG_DEBUG); if ($this->db->query($sql)) { @@ -2980,7 +2980,7 @@ class Commande extends CommonOrder $this->db->begin(); $sql = 'UPDATE '.MAIN_DB_PREFIX.'commande SET facture = 0'; - $sql .= ' WHERE rowid = '.$this->id.' AND fk_statut > '.self::STATUS_DRAFT; + $sql .= " WHERE rowid = ".((int) $this->id).' AND fk_statut > '.self::STATUS_DRAFT; dol_syslog(get_class($this)."::classifyUnBilled", LOG_DEBUG); if ($this->db->query($sql)) { @@ -4396,8 +4396,8 @@ class OrderLine extends CommonOrderLine $sql .= " ".($this->price != '' ? "'".price2num($this->price)."'" : "null").","; $sql .= " '".price2num($this->remise)."',"; $sql .= ' '.(!empty($this->fk_remise_except) ? $this->fk_remise_except : "null").','; - $sql .= ' '.$this->special_code.','; - $sql .= ' '.$this->rang.','; + $sql .= ' '.((int) $this->special_code).','; + $sql .= ' '.((int) $this->rang).','; $sql .= ' '.(!empty($this->fk_fournprice) ? $this->fk_fournprice : "null").','; $sql .= ' '.price2num($this->pa_ht).','; $sql .= " '".$this->db->escape($this->info_bits)."',"; diff --git a/htdocs/commande/list.php b/htdocs/commande/list.php index 6f6643336f6..5f3568701e5 100644 --- a/htdocs/commande/list.php +++ b/htdocs/commande/list.php @@ -505,7 +505,7 @@ if ($search_status <> '') { if ($search_status == 1 && empty($conf->expedition->enabled)) { $sql .= ' AND c.fk_statut IN (1,2)'; // If module expedition disabled, we include order with status 'sending in process' into 'validated' } else { - $sql .= ' AND c.fk_statut = '.$search_status; // brouillon, validee, en cours, annulee + $sql .= ' AND c.fk_statut = '.((int) $search_status); // brouillon, validee, en cours, annulee } } if ($search_status == 4) { @@ -585,7 +585,7 @@ if ($search_warehouse != '' && $search_warehouse > 0) { $sql .= natural_search('c.fk_warehouse', $search_warehouse, 1); } if ($search_multicurrency_code != '') { - $sql .= ' AND c.multicurrency_code = "'.$db->escape($search_multicurrency_code).'"'; + $sql .= " AND c.multicurrency_code = '".$db->escape($search_multicurrency_code)."'"; } if ($search_multicurrency_tx != '') { $sql .= natural_search('c.multicurrency_tx', $search_multicurrency_tx, 1); diff --git a/htdocs/compta/bank/bankentries_list.php b/htdocs/compta/bank/bankentries_list.php index 51ff5a5b5c4..e5e264a12f5 100644 --- a/htdocs/compta/bank/bankentries_list.php +++ b/htdocs/compta/bank/bankentries_list.php @@ -929,7 +929,7 @@ if ($resql) { if ($action != 'addline' && $action != 'reconcile') { if (empty($conf->global->BANK_DISABLE_DIRECT_INPUT)) { if (empty($conf->global->BANK_USE_OLD_VARIOUS_PAYMENT)) { // Default is to record miscellaneous direct entries using miscellaneous payments - $newcardbutton = dolGetButtonTitle($langs->trans('AddBankRecord'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/compta/bank/various_payment/card.php?action=create&accountid='.$search_account.'&backtopage='.urlencode($_SERVER['PHP_SELF'].'?id='.urlencode($search_account)), '', $user->rights->banque->modifier); + $newcardbutton = dolGetButtonTitle($langs->trans('AddBankRecord'), '', 'fa fa-plus-circle', DOL_URL_ROOT.'/compta/bank/various_payment/card.php?action=create&accountid='.urlencode($search_account).'&backtopage='.urlencode($_SERVER['PHP_SELF'].'?id='.urlencode($search_account)), '', $user->rights->banque->modifier); } else // If direct entries is not done using miscellaneous payments { $newcardbutton = dolGetButtonTitle($langs->trans('AddBankRecord'), '', 'fa fa-plus-circle', $_SERVER["PHP_SELF"].'?action=addline&page='.$page.$param, '', $user->rights->banque->modifier); diff --git a/htdocs/compta/bank/class/paymentvarious.class.php b/htdocs/compta/bank/class/paymentvarious.class.php index cdb2c0596f5..5a6aa81d663 100644 --- a/htdocs/compta/bank/class/paymentvarious.class.php +++ b/htdocs/compta/bank/class/paymentvarious.class.php @@ -573,7 +573,7 @@ class PaymentVarious extends CommonObject { // phpcs:enable $sql = 'UPDATE '.MAIN_DB_PREFIX.'payment_various SET fk_bank = '.((int) $id_bank); - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); $result = $this->db->query($sql); if ($result) { return 1; diff --git a/htdocs/compta/facture/card.php b/htdocs/compta/facture/card.php index 374de5cca4d..4a693977263 100644 --- a/htdocs/compta/facture/card.php +++ b/htdocs/compta/facture/card.php @@ -708,7 +708,7 @@ if (empty($reshook)) { // On verifie si la facture a des paiements $sql = 'SELECT pf.amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.'paiement_facture as pf'; - $sql .= ' WHERE pf.fk_facture = '.$object->id; + $sql .= ' WHERE pf.fk_facture = '.((int) $object->id); $result = $db->query($sql); if ($result) { @@ -873,7 +873,7 @@ if (empty($reshook)) { $sql = 'SELECT SUM(pf.amount) as total_paiements'; $sql .= ' FROM '.MAIN_DB_PREFIX.'paiement_facture as pf, '.MAIN_DB_PREFIX.'paiement as p'; $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_paiement as c ON p.fk_paiement = c.id'; - $sql .= ' WHERE pf.fk_facture = '.$object->id; + $sql .= ' WHERE pf.fk_facture = '.((int) $object->id); $sql .= ' AND pf.fk_paiement = p.rowid'; $sql .= ' AND p.entity IN ('.getEntity('invoice').')'; $resql = $db->query($sql); @@ -2596,10 +2596,10 @@ if (empty($reshook)) { $errors = 0; if (count($linkedCreditNotesList) > 0) { // now, credit note must follow - $sql = 'UPDATE '.MAIN_DB_PREFIX.'facture '; - $sql .= ' SET situation_cycle_ref='.$newCycle; + $sql = 'UPDATE '.MAIN_DB_PREFIX.'facture'; + $sql .= ' SET situation_cycle_ref = '.((int) $newCycle); $sql .= ' , situation_final=0'; - $sql .= ' , situation_counter='.$object->situation_counter; + $sql .= ' , situation_counter='.((int) $object->situation_counter); $sql .= ' WHERE rowid IN ('.$db->sanitize(implode(',', $linkedCreditNotesList)).')'; $resql = $db->query($sql); @@ -4884,7 +4884,7 @@ if ($action == 'create') { $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_paiement as c ON p.fk_paiement = c.id'; $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'bank as b ON p.fk_bank = b.rowid'; $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'bank_account as ba ON b.fk_account = ba.rowid'; - $sql .= ' WHERE pf.fk_facture = '.$object->id.' AND pf.fk_paiement = p.rowid'; + $sql .= ' WHERE pf.fk_facture = '.((int) $object->id).' AND pf.fk_paiement = p.rowid'; $sql .= ' AND p.entity IN ('.getEntity('invoice').')'; $sql .= ' ORDER BY p.datep, p.tms'; diff --git a/htdocs/compta/facture/class/api_invoices.class.php b/htdocs/compta/facture/class/api_invoices.class.php index 3dfa5f70603..2708c9e8386 100644 --- a/htdocs/compta/facture/class/api_invoices.class.php +++ b/htdocs/compta/facture/class/api_invoices.class.php @@ -1138,7 +1138,7 @@ class Invoices extends DolibarrApi $sql = 'SELECT SUM(pf.amount) as total_payments'; $sql .= ' FROM '.MAIN_DB_PREFIX.'paiement_facture as pf, '.MAIN_DB_PREFIX.'paiement as p'; $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_paiement as c ON p.fk_paiement = c.id'; - $sql .= ' WHERE pf.fk_facture = '.$this->invoice->id; + $sql .= ' WHERE pf.fk_facture = '.((int) $this->invoice->id); $sql .= ' AND pf.fk_paiement = p.rowid'; $sql .= ' AND p.entity IN ('.getEntity('invoice').')'; $resql = $this->db->query($sql); diff --git a/htdocs/compta/facture/class/facture-rec.class.php b/htdocs/compta/facture/class/facture-rec.class.php index 6b9837e77bd..a0509774998 100644 --- a/htdocs/compta/facture/class/facture-rec.class.php +++ b/htdocs/compta/facture/class/facture-rec.class.php @@ -665,7 +665,7 @@ class FactureRec extends CommonInvoice $sql .= ' p.ref as product_ref, p.fk_product_type as fk_product_type, p.label as product_label, p.description as product_desc'; $sql .= ' FROM '.MAIN_DB_PREFIX.'facturedet_rec as l'; $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product as p ON l.fk_product = p.rowid'; - $sql .= ' WHERE l.fk_facture = '.$this->id; + $sql .= ' WHERE l.fk_facture = '.((int) $this->id); $sql .= ' ORDER BY l.rang'; dol_syslog('FactureRec::fetch_lines', LOG_DEBUG); @@ -1752,7 +1752,7 @@ class FactureRec extends CommonInvoice if (!empty($unit)) { $sql .= ', unit_frequency = \''.$this->db->escape($unit).'\''; } - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(get_class($this)."::setFrequencyAndUnit", LOG_DEBUG); if ($this->db->query($sql)) { @@ -1785,7 +1785,7 @@ class FactureRec extends CommonInvoice if ($increment_nb_gen_done > 0) { $sql .= ', nb_gen_done = nb_gen_done + 1'; } - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(get_class($this)."::setNextDate", LOG_DEBUG); if ($this->db->query($sql)) { @@ -1819,7 +1819,7 @@ class FactureRec extends CommonInvoice $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element; $sql .= ' SET nb_gen_max = '.((int) $nb); - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(get_class($this)."::setMaxPeriod", LOG_DEBUG); if ($this->db->query($sql)) { @@ -1846,7 +1846,7 @@ class FactureRec extends CommonInvoice $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element; $sql .= ' SET auto_validate = '.((int) $validate); - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(get_class($this)."::setAutoValidate", LOG_DEBUG); if ($this->db->query($sql)) { @@ -1873,7 +1873,7 @@ class FactureRec extends CommonInvoice $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element; $sql .= ' SET generate_pdf = '.((int) $validate); - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(get_class($this)."::setGeneratePdf", LOG_DEBUG); if ($this->db->query($sql)) { @@ -1899,8 +1899,8 @@ class FactureRec extends CommonInvoice } $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element; - $sql .= ' SET modelpdf = "'.$model.'"'; - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " SET modelpdf = '".$this->db->escape($model)."'"; + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(get_class($this)."::setModelPdf", LOG_DEBUG); if ($this->db->query($sql)) { diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php index 67d59ceb531..abb52560d24 100644 --- a/htdocs/compta/facture/class/facture.class.php +++ b/htdocs/compta/facture/class/facture.class.php @@ -1769,7 +1769,7 @@ class Facture extends CommonInvoice $sql .= ' p.ref as product_ref, p.fk_product_type as fk_product_type, p.label as product_label, p.description as product_desc'; $sql .= ' FROM '.MAIN_DB_PREFIX.'facturedet as l'; $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product as p ON l.fk_product = p.rowid'; - $sql .= ' WHERE l.fk_facture = '.$this->id; + $sql .= ' WHERE l.fk_facture = '.((int) $this->id); $sql .= ' ORDER BY l.rang, l.rowid'; dol_syslog(get_class($this).'::fetch_lines', LOG_DEBUG); @@ -1876,8 +1876,8 @@ class Facture extends CommonInvoice $this->tab_next_situation_invoice = array(); $sql = 'SELECT rowid, type, situation_cycle_ref, situation_counter FROM '.MAIN_DB_PREFIX.'facture'; - $sql .= ' WHERE rowid <> '.$this->id; - $sql .= ' AND entity = '.$this->entity; + $sql .= " WHERE rowid <> ".((int) $this->id); + $sql .= ' AND entity = '.((int) $this->entity); $sql .= ' AND situation_cycle_ref = '.(int) $this->situation_cycle_ref; $sql .= ' ORDER BY situation_counter ASC'; @@ -2152,7 +2152,7 @@ class Facture extends CommonInvoice } else { $sql .= ' SET ref_client = \''.$this->db->escape($ref_client).'\''; } - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(__METHOD__.' this->id='.$this->id.', ref_client='.$ref_client, LOG_DEBUG); $resql = $this->db->query($sql); @@ -2408,9 +2408,9 @@ class Facture extends CommonInvoice if ($close_note) { $sql .= ", close_note='".$this->db->escape($close_note)."'"; } - $sql .= ', fk_user_closing = '.$user->id; + $sql .= ', fk_user_closing = '.((int) $user->id); $sql .= ", date_closing = '".$this->db->idate($now)."'"; - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); $resql = $this->db->query($sql); if ($resql) { @@ -2474,7 +2474,7 @@ class Facture extends CommonInvoice $sql .= ' SET paye=0, fk_statut='.self::STATUS_VALIDATED.', close_code=null, close_note=null,'; $sql .= ' date_closing=null,'; $sql .= ' fk_user_closing=null'; - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(get_class($this)."::set_unpaid", LOG_DEBUG); $resql = $this->db->query($sql); @@ -2545,7 +2545,7 @@ class Facture extends CommonInvoice if ($close_note) { $sql .= ", close_note='".$this->db->escape($close_note)."'"; } - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); $resql = $this->db->query($sql); if ($resql) { @@ -2553,7 +2553,7 @@ class Facture extends CommonInvoice // as they have not been used since the invoice is abandoned. $sql = 'UPDATE '.MAIN_DB_PREFIX.'societe_remise_except'; $sql .= ' SET fk_facture = NULL'; - $sql .= ' WHERE fk_facture = '.$this->id; + $sql .= ' WHERE fk_facture = '.((int) $this->id); $resql = $this->db->query($sql); if ($resql) { @@ -2693,7 +2693,7 @@ class Facture extends CommonInvoice $sql .= ", datef='".$this->db->idate($this->date)."'"; $sql .= ", date_lim_reglement='".$this->db->idate($this->date_lim_reglement)."'"; } - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(get_class($this)."::validate", LOG_DEBUG); $resql = $this->db->query($sql); @@ -3755,7 +3755,7 @@ class Facture extends CommonInvoice $sql = 'UPDATE '.MAIN_DB_PREFIX.'facture'; $sql .= ' SET remise_percent = '.((float) $remise); - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); $sql .= ' AND fk_statut = '.self::STATUS_DRAFT; dol_syslog(__METHOD__, LOG_DEBUG); @@ -3817,7 +3817,7 @@ class Facture extends CommonInvoice $sql = 'UPDATE '.MAIN_DB_PREFIX.'facture'; $sql .= ' SET remise_absolue = '.((float) $remise); - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); $sql .= ' AND fk_statut = '.self::STATUS_DRAFT; dol_syslog(__METHOD__, LOG_DEBUG); @@ -4598,7 +4598,7 @@ class Facture extends CommonInvoice $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.'facture'; $sql .= ' WHERE situation_cycle_ref = '.((int) $this->situation_cycle_ref); - $sql .= ' AND situation_counter < '.$this->situation_counter; + $sql .= ' AND situation_counter < '.((int) $this->situation_counter); $sql .= ' AND entity = '.($this->entity > 0 ? $this->entity : $conf->entity); $resql = $this->db->query($sql); $res = array(); @@ -4631,7 +4631,7 @@ class Facture extends CommonInvoice $this->db->begin(); - $sql = 'UPDATE '.MAIN_DB_PREFIX.'facture SET situation_final = '.$this->situation_final.' where rowid = '.((int) $this->id); + $sql = 'UPDATE '.MAIN_DB_PREFIX.'facture SET situation_final = '.((int) $this->situation_final).' WHERE rowid = '.((int) $this->id); dol_syslog(__METHOD__, LOG_DEBUG); $resql = $this->db->query($sql); @@ -4849,10 +4849,11 @@ class Facture extends CommonInvoice public function setRetainedWarranty($value) { dol_syslog(get_class($this).'::setRetainedWarranty('.$value.')'); + if ($this->statut >= 0) { $fieldname = 'retained_warranty'; $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element; - $sql .= ' SET '.$fieldname.' = '.floatval($value); + $sql .= " SET ".$fieldname." = ".((float) $value); $sql .= ' WHERE rowid='.((int) $this->id); if ($this->db->query($sql)) { @@ -5385,9 +5386,9 @@ class FactureLigne extends CommonInvoiceLine $sql .= ' '.(!empty($this->fk_remise_except) ? $this->fk_remise_except : "null").','; $sql .= " ".(!empty($this->date_start) ? "'".$this->db->idate($this->date_start)."'" : "null").","; $sql .= " ".(!empty($this->date_end) ? "'".$this->db->idate($this->date_end)."'" : "null").","; - $sql .= ' '.$this->fk_code_ventilation.','; - $sql .= ' '.$this->rang.','; - $sql .= ' '.$this->special_code.','; + $sql .= ' '.((int) $this->fk_code_ventilation).','; + $sql .= ' '.((int) $this->rang).','; + $sql .= ' '.((int) $this->special_code).','; $sql .= ' '.(!empty($this->fk_fournprice) ? $this->fk_fournprice : "null").','; $sql .= ' '.price2num($this->pa_ht).','; $sql .= " '".$this->db->escape($this->info_bits)."',"; @@ -5396,11 +5397,11 @@ class FactureLigne extends CommonInvoiceLine $sql .= " ".price2num($this->total_ttc).","; $sql .= " ".price2num($this->total_localtax1).","; $sql .= " ".price2num($this->total_localtax2); - $sql .= ", ".$this->situation_percent; + $sql .= ", ".((float) $this->situation_percent); $sql .= ", ".(!empty($this->fk_prev_id) ? $this->fk_prev_id : "null"); $sql .= ", ".(!$this->fk_unit ? 'NULL' : $this->fk_unit); - $sql .= ", ".$user->id; - $sql .= ", ".$user->id; + $sql .= ", ".((int) $user->id); + $sql .= ", ".((int) $user->id); $sql .= ", ".(int) $this->fk_multicurrency; $sql .= ", '".$this->db->escape($this->multicurrency_code)."'"; $sql .= ", ".price2num($this->multicurrency_subprice); @@ -5759,7 +5760,7 @@ class FactureLigne extends CommonInvoiceLine return 0; } - $sql = 'SELECT situation_percent FROM '.MAIN_DB_PREFIX.'facturedet WHERE rowid='.$this->fk_prev_id; + $sql = 'SELECT situation_percent FROM '.MAIN_DB_PREFIX.'facturedet WHERE rowid='.((int) $this->fk_prev_id); $resql = $this->db->query($sql); if ($resql && $resql->num_rows > 0) { $res = $this->db->fetch_array($resql); diff --git a/htdocs/compta/facture/list.php b/htdocs/compta/facture/list.php index 76cddb2d909..2b8a65445ba 100644 --- a/htdocs/compta/facture/list.php +++ b/htdocs/compta/facture/list.php @@ -680,7 +680,7 @@ if ($search_montant_ttc != '') { $sql .= natural_search('f.total_ttc', $search_montant_ttc, 1); } if ($search_multicurrency_code != '') { - $sql .= ' AND f.multicurrency_code = "'.$db->escape($search_multicurrency_code).'"'; + $sql .= " AND f.multicurrency_code = '".$db->escape($search_multicurrency_code)."'"; } if ($search_multicurrency_tx != '') { $sql .= natural_search('f.multicurrency_tx', $search_multicurrency_tx, 1); @@ -803,7 +803,7 @@ if (!$sall) { // Add HAVING from hooks $parameters = array(); $reshook = $hookmanager->executeHooks('printFieldListHaving', $parameters, $object); // Note that $action and $object may have been modified by hook -$sql .= !empty($hookmanager->resPrint) ? (' HAVING 1=1 ' . $hookmanager->resPrint) : ''; +$sql .= !empty($hookmanager->resPrint) ? (" HAVING 1=1 " . $hookmanager->resPrint) : ""; $sql .= ' ORDER BY '; $listfield = explode(',', $sortfield); diff --git a/htdocs/compta/paiement.php b/htdocs/compta/paiement.php index 03acd9d88eb..0f49b8d5823 100644 --- a/htdocs/compta/paiement.php +++ b/htdocs/compta/paiement.php @@ -529,14 +529,14 @@ if ($action == 'create' || $action == 'confirm_paiement' || $action == 'add_paie $sql .= ' f.datef as df, f.fk_soc as socid, f.date_lim_reglement as dlr'; $sql .= ' FROM '.MAIN_DB_PREFIX.'facture as f'; $sql .= ' WHERE f.entity IN ('.getEntity('facture').')'; - $sql .= ' AND (f.fk_soc = '.$facture->socid; + $sql .= ' AND (f.fk_soc = '.((int) $facture->socid); // Can pay invoices of all child of parent company if (!empty($conf->global->FACTURE_PAYMENTS_ON_DIFFERENT_THIRDPARTIES_BILLS) && !empty($facture->thirdparty->parent)) { - $sql .= ' OR f.fk_soc IN (SELECT rowid FROM '.MAIN_DB_PREFIX.'societe WHERE parent = '.$facture->thirdparty->parent.')'; + $sql .= ' OR f.fk_soc IN (SELECT rowid FROM '.MAIN_DB_PREFIX.'societe WHERE parent = '.((int) $facture->thirdparty->parent).')'; } // Can pay invoices of all child of myself if (!empty($conf->global->FACTURE_PAYMENTS_ON_SUBSIDIARY_COMPANIES)) { - $sql .= ' OR f.fk_soc IN (SELECT rowid FROM '.MAIN_DB_PREFIX.'societe WHERE parent = '.$facture->thirdparty->id.')'; + $sql .= ' OR f.fk_soc IN (SELECT rowid FROM '.MAIN_DB_PREFIX.'societe WHERE parent = '.((int) $facture->thirdparty->id).')'; } $sql .= ') AND f.paye = 0'; $sql .= ' AND f.fk_statut = 1'; // Statut=0 => not validated, Statut=2 => canceled @@ -875,7 +875,7 @@ if (!GETPOST('action', 'aZ09')) { $sql .= ' AND f.fk_soc = '.((int) $socid); } - $sql .= ' ORDER BY '.$sortfield.' '.$sortorder; + $sql .= $db->order($sortfield, $sortorder); $sql .= $db->plimit($limit + 1, $offset); $resql = $db->query($sql); diff --git a/htdocs/compta/paiement/card.php b/htdocs/compta/paiement/card.php index 2b65ad4a84a..ed8ec522aea 100644 --- a/htdocs/compta/paiement/card.php +++ b/htdocs/compta/paiement/card.php @@ -126,7 +126,7 @@ if ($action == 'confirm_validate' && $confirm == 'yes' && $user->rights->facture $sql .= ' WHERE pf.fk_facture = f.rowid'; $sql .= ' AND f.fk_soc = s.rowid'; $sql .= ' AND f.entity IN ('.getEntity('invoice').')'; - $sql .= ' AND pf.fk_paiement = '.$object->id; + $sql .= ' AND pf.fk_paiement = '.((int) $object->id); $resql = $db->query($sql); if ($resql) { $i = 0; @@ -342,7 +342,7 @@ $sql .= ' FROM '.MAIN_DB_PREFIX.'paiement_facture as pf,'.MAIN_DB_PREFIX.'factur $sql .= ' WHERE pf.fk_facture = f.rowid'; $sql .= ' AND f.fk_soc = s.rowid'; $sql .= ' AND f.entity IN ('.getEntity('invoice').')'; -$sql .= ' AND pf.fk_paiement = '.$object->id; +$sql .= ' AND pf.fk_paiement = '.((int) $object->id); $resql = $db->query($sql); if ($resql) { $num = $db->num_rows($resql); diff --git a/htdocs/compta/paiement/class/cpaiement.class.php b/htdocs/compta/paiement/class/cpaiement.class.php index e9623f55c11..1c7abf71c3b 100644 --- a/htdocs/compta/paiement/class/cpaiement.class.php +++ b/htdocs/compta/paiement/class/cpaiement.class.php @@ -273,7 +273,7 @@ class Cpaiement $sql .= ' active = '.(isset($this->active) ? $this->active : "null").','; $sql .= ' accountancy_code = '.(isset($this->accountancy_code) ? "'".$this->db->escape($this->accountancy_code)."'" : "null").','; $sql .= ' module = '.(isset($this->module) ? "'".$this->db->escape($this->module)."'" : "null"); - $sql .= ' WHERE id='.$this->id; + $sql .= ' WHERE id = '.((int) $this->id); $this->db->begin(); @@ -334,7 +334,7 @@ class Cpaiement if (!$error) { $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element; - $sql .= ' WHERE id='.$this->id; + $sql .= ' WHERE id = '.((int) $this->id); $resql = $this->db->query($sql); if (!$resql) { diff --git a/htdocs/compta/paiement/class/paiement.class.php b/htdocs/compta/paiement/class/paiement.class.php index 8c8a563f418..3e1dc59a52e 100644 --- a/htdocs/compta/paiement/class/paiement.class.php +++ b/htdocs/compta/paiement/class/paiement.class.php @@ -533,12 +533,12 @@ class Paiement extends CommonObject // Delete payment (into paiement_facture and paiement) $sql = 'DELETE FROM '.MAIN_DB_PREFIX.'paiement_facture'; - $sql .= ' WHERE fk_paiement = '.$this->id; + $sql .= ' WHERE fk_paiement = '.((int) $this->id); dol_syslog($sql); $result = $this->db->query($sql); if ($result) { $sql = 'DELETE FROM '.MAIN_DB_PREFIX.'paiement'; - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog($sql); $result = $this->db->query($sql); if (!$result) { @@ -756,7 +756,7 @@ class Paiement extends CommonObject { // phpcs:enable $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element.' set fk_bank = '.((int) $id_bank); - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(get_class($this).'::update_fk_bank', LOG_DEBUG); $result = $this->db->query($sql); @@ -956,7 +956,7 @@ class Paiement extends CommonObject { $sql = 'SELECT pf.fk_facture'; $sql .= ' FROM '.MAIN_DB_PREFIX.'paiement_facture as pf, '.MAIN_DB_PREFIX.'facture as f'; // We keep link on invoice to allow use of some filters on invoice - $sql .= ' WHERE pf.fk_facture = f.rowid AND pf.fk_paiement = '.$this->id; + $sql .= ' WHERE pf.fk_facture = f.rowid AND pf.fk_paiement = '.((int) $this->id); if ($filter) { $sql .= ' AND '.$filter; } @@ -989,7 +989,7 @@ class Paiement extends CommonObject { $sql = 'SELECT pf.fk_facture, pf.amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.'paiement_facture as pf'; - $sql .= ' WHERE pf.fk_paiement = '.$this->id; + $sql .= ' WHERE pf.fk_paiement = '.((int) $this->id); $resql = $this->db->query($sql); if ($resql) { $i = 0; diff --git a/htdocs/compta/payment_sc/card.php b/htdocs/compta/payment_sc/card.php index c75974077c3..27a35e83352 100644 --- a/htdocs/compta/payment_sc/card.php +++ b/htdocs/compta/payment_sc/card.php @@ -170,7 +170,7 @@ $sql = 'SELECT f.rowid as scid, f.libelle as label, f.paye, f.amount as sc_amoun $sql .= ' FROM '.MAIN_DB_PREFIX.'paiementcharge as pf,'.MAIN_DB_PREFIX.'chargesociales as f, '.MAIN_DB_PREFIX.'c_chargesociales as pc'; $sql .= ' WHERE pf.fk_charge = f.rowid AND f.fk_type = pc.id'; $sql .= ' AND f.entity = '.$conf->entity; -$sql .= ' AND pf.rowid = '.$object->id; +$sql .= ' AND pf.rowid = '.((int) $object->id); dol_syslog("compta/payment_sc/card.php", LOG_DEBUG); $resql = $db->query($sql); diff --git a/htdocs/compta/payment_vat/card.php b/htdocs/compta/payment_vat/card.php index 1b615bcbb8d..bfa14009380 100644 --- a/htdocs/compta/payment_vat/card.php +++ b/htdocs/compta/payment_vat/card.php @@ -227,7 +227,7 @@ $sql .= ' FROM '.MAIN_DB_PREFIX.'payment_vat as pf,'.MAIN_DB_PREFIX.'tva as f'; $sql .= ' WHERE pf.fk_tva = f.rowid'; //$sql .= ' AND f.fk_type = pc.id'; $sql .= ' AND f.entity = '.$conf->entity; -$sql .= ' AND pf.rowid = '.$object->id; +$sql .= ' AND pf.rowid = '.((int) $object->id); dol_syslog("compta/payment_vat/card.php", LOG_DEBUG); $resql = $db->query($sql); diff --git a/htdocs/compta/sociales/class/cchargesociales.class.php b/htdocs/compta/sociales/class/cchargesociales.class.php index ee9a270b283..d03132b04f7 100644 --- a/htdocs/compta/sociales/class/cchargesociales.class.php +++ b/htdocs/compta/sociales/class/cchargesociales.class.php @@ -329,7 +329,7 @@ class Cchargesociales if (!$error) { $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$this->table_element; - $sql .= ' WHERE id='.$this->id; + $sql .= ' WHERE id = '.((int) $this->id); $resql = $this->db->query($sql); if (!$resql) { diff --git a/htdocs/compta/sociales/class/chargesociales.class.php b/htdocs/compta/sociales/class/chargesociales.class.php index 2b80e1bb4f4..a7c6ab2c593 100644 --- a/htdocs/compta/sociales/class/chargesociales.class.php +++ b/htdocs/compta/sociales/class/chargesociales.class.php @@ -642,7 +642,7 @@ class ChargeSociales extends CommonObject $sql = 'SELECT sum(amount) as amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.$table; - $sql .= ' WHERE '.$field.' = '.$this->id; + $sql .= " WHERE ".$field." = ".((int) $this->id); dol_syslog(get_class($this)."::getSommePaiement", LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/compta/sociales/list.php b/htdocs/compta/sociales/list.php index a4deec56715..388d0f5a7bf 100644 --- a/htdocs/compta/sociales/list.php +++ b/htdocs/compta/sociales/list.php @@ -209,10 +209,10 @@ if (!empty($search_users)) { $sql .= ' AND cs.fk_user IN('.implode(', ', $search_users).')'; } if (!empty($search_type) && $search_type > 0) { - $sql .= ' AND cs.fk_mode_reglement='.$search_type; + $sql .= ' AND cs.fk_mode_reglement='.((int) $search_type); } if (!empty($search_account) && $search_account > 0) { - $sql .= ' AND cs.fk_account='.$search_account; + $sql .= ' AND cs.fk_account='.((int) $search_account); } if ($search_amount) { $sql .= natural_search("cs.amount", $search_amount, 1); diff --git a/htdocs/compta/tva/class/tva.class.php b/htdocs/compta/tva/class/tva.class.php index c412072ec89..25fcee08e57 100644 --- a/htdocs/compta/tva/class/tva.class.php +++ b/htdocs/compta/tva/class/tva.class.php @@ -768,7 +768,7 @@ class Tva extends CommonObject $sql = 'SELECT sum(amount) as amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.$table; - $sql .= ' WHERE '.$field.' = '.$this->id; + $sql .= ' WHERE '.$field.' = '.((int) $this->id); dol_syslog(get_class($this)."::getSommePaiement", LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/contact/ldap.php b/htdocs/contact/ldap.php index 6677a7b17d7..79696d12997 100644 --- a/htdocs/contact/ldap.php +++ b/htdocs/contact/ldap.php @@ -178,7 +178,7 @@ if ($result > 0) { $result = show_ldap_content($records, 0, $records['count'], true); } } else { - print ''.$langs->trans("LDAPRecordNotFound").' (dn='.$dn.' - search='.$search.')'; + print ''.$langs->trans("LDAPRecordNotFound").' (dn='.dol_escape_htmltag($dn).' - search='.dol_escape_htmltag($search).')'; } $ldap->unbind(); diff --git a/htdocs/core/ajax/ajaxdirpreview.php b/htdocs/core/ajax/ajaxdirpreview.php index 09292dd4991..810a23957fd 100644 --- a/htdocs/core/ajax/ajaxdirpreview.php +++ b/htdocs/core/ajax/ajaxdirpreview.php @@ -328,7 +328,7 @@ if ($type == 'directory') { if ($section) { $param .= '§ion='.$section; if (isset($search_doc_ref) && $search_doc_ref != '') { - $param .= '&search_doc_ref='.$search_doc_ref; + $param .= '&search_doc_ref='.urlencode($search_doc_ref); } $textifempty = $langs->trans('NoFileFound'); diff --git a/htdocs/core/class/commoninvoice.class.php b/htdocs/core/class/commoninvoice.class.php index 605ffec63bd..65988c9cdf0 100644 --- a/htdocs/core/class/commoninvoice.class.php +++ b/htdocs/core/class/commoninvoice.class.php @@ -132,7 +132,7 @@ abstract class CommonInvoice extends CommonObject $sql = 'SELECT sum(amount) as amount, sum(multicurrency_amount) as multicurrency_amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.$table; - $sql .= ' WHERE '.$field.' = '.$this->id; + $sql .= ' WHERE '.$field.' = '.((int) $this->id); dol_syslog(get_class($this)."::getSommePaiement", LOG_DEBUG); $resql = $this->db->query($sql); @@ -227,7 +227,7 @@ abstract class CommonInvoice extends CommonObject $sql = 'SELECT rowid'; $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element; - $sql .= ' WHERE fk_facture_source = '.$this->id; + $sql .= ' WHERE fk_facture_source = '.((int) $this->id); $sql .= ' AND type = 2'; $resql = $this->db->query($sql); if ($resql) { @@ -254,7 +254,7 @@ abstract class CommonInvoice extends CommonObject { $sql = 'SELECT rowid'; $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element; - $sql .= ' WHERE fk_facture_source = '.$this->id; + $sql .= ' WHERE fk_facture_source = '.((int) $this->id); $sql .= ' AND type < 2'; if ($option == 'validated') { $sql .= ' AND fk_statut = 1'; @@ -308,7 +308,7 @@ abstract class CommonInvoice extends CommonObject $sql = 'SELECT p.ref, pf.amount, pf.multicurrency_amount, p.fk_paiement, p.datep, p.num_paiement as num, t.code'.$field3; $sql .= ' FROM '.MAIN_DB_PREFIX.$table.' as pf, '.MAIN_DB_PREFIX.$table2.' as p, '.MAIN_DB_PREFIX.'c_paiement as t'; - $sql .= ' WHERE pf.'.$field.' = '.$this->id; + $sql .= ' WHERE pf.'.$field.' = '.((int) $this->id); //$sql.= ' WHERE pf.'.$field.' = 1'; $sql .= ' AND pf.'.$field2.' = p.rowid'; $sql .= ' AND p.fk_paiement = t.id'; @@ -338,12 +338,12 @@ abstract class CommonInvoice extends CommonObject if ($this->element == 'facture' || $this->element == 'invoice') { $sql = 'SELECT rc.amount_ttc as amount, rc.multicurrency_amount_ttc as multicurrency_amount, rc.datec as date, f.ref as ref, rc.description as type'; $sql .= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc, '.MAIN_DB_PREFIX.'facture as f'; - $sql .= ' WHERE rc.fk_facture_source=f.rowid AND rc.fk_facture = '.$this->id; + $sql .= ' WHERE rc.fk_facture_source=f.rowid AND rc.fk_facture = '.((int) $this->id); $sql .= ' AND (f.type = 2 OR f.type = 0 OR f.type = 3)'; // Find discount coming from credit note or excess received or deposits (payments from deposits are always null except if FACTURE_DEPOSITS_ARE_JUST_PAYMENTS is set) } elseif ($this->element == 'facture_fourn' || $this->element == 'invoice_supplier') { $sql = 'SELECT rc.amount_ttc as amount, rc.multicurrency_amount_ttc as multicurrency_amount, rc.datec as date, f.ref as ref, rc.description as type'; $sql .= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc, '.MAIN_DB_PREFIX.'facture_fourn as f'; - $sql .= ' WHERE rc.fk_invoice_supplier_source=f.rowid AND rc.fk_invoice_supplier = '.$this->id; + $sql .= ' WHERE rc.fk_invoice_supplier_source=f.rowid AND rc.fk_invoice_supplier = '.((int) $this->id); $sql .= ' AND (f.type = 2 OR f.type = 0 OR f.type = 3)'; // Find discount coming from credit note or excess received or deposits (payments from deposits are always null except if FACTURE_DEPOSITS_ARE_JUST_PAYMENTS is set) } @@ -700,9 +700,9 @@ abstract class CommonInvoice extends CommonObject $sql = 'SELECT count(*)'; $sql .= ' FROM '.MAIN_DB_PREFIX.'prelevement_facture_demande'; if ($type == 'bank-transfer') { - $sql .= ' WHERE fk_facture_fourn = '.$this->id; + $sql .= ' WHERE fk_facture_fourn = '.((int) $this->id); } else { - $sql .= ' WHERE fk_facture = '.$this->id; + $sql .= ' WHERE fk_facture = '.((int) $this->id); } $sql .= ' AND ext_payment_id IS NULL'; // To exclude record done for some online payments $sql .= ' AND traite = 0'; @@ -735,16 +735,16 @@ abstract class CommonInvoice extends CommonObject $sql .= 'fk_facture, '; } $sql .= ' amount, date_demande, fk_user_demande, code_banque, code_guichet, number, cle_rib, sourcetype, entity)'; - $sql .= ' VALUES ('.$this->id; - $sql .= ",'".price2num($amount)."'"; - $sql .= ",'".$this->db->idate($now)."'"; - $sql .= ",".$fuser->id; - $sql .= ",'".$this->db->escape($bac->code_banque)."'"; - $sql .= ",'".$this->db->escape($bac->code_guichet)."'"; - $sql .= ",'".$this->db->escape($bac->number)."'"; - $sql .= ",'".$this->db->escape($bac->cle_rib)."'"; - $sql .= ",'".$this->db->escape($sourcetype)."'"; - $sql .= ",".$conf->entity; + $sql .= ' VALUES ('.((int) $this->id); + $sql .= ", ".((float) price2num($amount)); + $sql .= ", '".$this->db->idate($now)."'"; + $sql .= ", ".((int) $fuser->id); + $sql .= ", '".$this->db->escape($bac->code_banque)."'"; + $sql .= ", '".$this->db->escape($bac->code_guichet)."'"; + $sql .= ", '".$this->db->escape($bac->number)."'"; + $sql .= ", '".$this->db->escape($bac->cle_rib)."'"; + $sql .= ", '".$this->db->escape($sourcetype)."'"; + $sql .= ", ".((int) $conf->entity); $sql .= ")"; dol_syslog(get_class($this)."::demande_prelevement", LOG_DEBUG); diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php index a60e0680536..a4a98da9690 100644 --- a/htdocs/core/class/commonobject.class.php +++ b/htdocs/core/class/commonobject.class.php @@ -2228,7 +2228,7 @@ abstract class CommonObject } else { $sql .= ' SET fk_projet = NULL'; } - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); } dol_syslog(get_class($this)."::setProject", LOG_DEBUG); @@ -2884,7 +2884,7 @@ abstract class CommonObject // Count number of lines to reorder (according to choice $renum) $nl = 0; $sql = 'SELECT count(rowid) FROM '.MAIN_DB_PREFIX.$this->table_element_line; - $sql .= ' WHERE '.$this->fk_element.'='.$this->id; + $sql .= ' WHERE '.$this->fk_element.'='.((int) $this->id); if (!$renum) { $sql .= ' AND rang = 0'; } @@ -2906,11 +2906,11 @@ abstract class CommonObject // We first search all lines that are parent lines (for multilevel details lines) $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.$this->table_element_line; - $sql .= ' WHERE '.$this->fk_element.' = '.$this->id; + $sql .= ' WHERE '.$this->fk_element.' = '.((int) $this->id); if ($fk_parent_line) { $sql .= ' AND fk_parent_line IS NULL'; } - $sql .= ' ORDER BY rang ASC, rowid '.$rowidorder; + $sql .= " ORDER BY rang ASC, rowid ".$rowidorder; dol_syslog(get_class($this)."::line_order search all parent lines", LOG_DEBUG); $resql = $this->db->query($sql); @@ -2954,11 +2954,11 @@ abstract class CommonObject $rows = array(); $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.$this->table_element_line; - $sql .= ' WHERE '.$this->fk_element.' = '.$this->id; - $sql .= ' AND fk_parent_line = '.$id; + $sql .= ' WHERE '.$this->fk_element.' = '.((int) $this->id); + $sql .= ' AND fk_parent_line = '.((int) $id); $sql .= ' ORDER BY rang ASC'; - dol_syslog(get_class($this)."::getChildrenOfLine search children lines for line ".$id."", LOG_DEBUG); + dol_syslog(get_class($this)."::getChildrenOfLine search children lines for line ".$id, LOG_DEBUG); $resql = $this->db->query($sql); if ($resql) { if ($this->db->num_rows($resql) > 0) { @@ -3075,8 +3075,8 @@ abstract class CommonObject } $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element_line.' SET '.$fieldposition.' = '.((int) $rang); - $sql .= ' WHERE '.$this->fk_element.' = '.$this->id; - $sql .= ' AND rang = '.($rang - 1); + $sql .= ' WHERE '.$this->fk_element.' = '.((int) $this->id); + $sql .= ' AND rang = '.((int) ($rang - 1)); if ($this->db->query($sql)) { $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element_line.' SET '.$fieldposition.' = '.((int) ($rang - 1)); $sql .= ' WHERE rowid = '.((int) $rowid); @@ -3106,7 +3106,7 @@ abstract class CommonObject } $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element_line.' SET '.$fieldposition.' = '.((int) $rang); - $sql .= ' WHERE '.$this->fk_element.' = '.$this->id; + $sql .= ' WHERE '.$this->fk_element.' = '.((int) $this->id); $sql .= ' AND rang = '.((int) ($rang + 1)); if ($this->db->query($sql)) { $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element_line.' SET '.$fieldposition.' = '.((int) ($rang + 1)); @@ -3148,7 +3148,7 @@ abstract class CommonObject public function getIdOfLine($rang) { $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.$this->table_element_line; - $sql .= ' WHERE '.$this->fk_element.' = '.$this->id; + $sql .= ' WHERE '.$this->fk_element.' = '.((int) $this->id); $sql .= ' AND rang = '.((int) $rang); $resql = $this->db->query($sql); if ($resql) { @@ -3175,8 +3175,8 @@ abstract class CommonObject // Search the last rang with fk_parent_line if ($fk_parent_line) { $sql = 'SELECT max('.$positionfield.') FROM '.MAIN_DB_PREFIX.$this->table_element_line; - $sql .= ' WHERE '.$this->fk_element.' = '.$this->id; - $sql .= ' AND fk_parent_line = '.$fk_parent_line; + $sql .= ' WHERE '.$this->fk_element.' = '.((int) $this->id); + $sql .= ' AND fk_parent_line = '.((int) $fk_parent_line); dol_syslog(get_class($this)."::line_max", LOG_DEBUG); $resql = $this->db->query($sql); @@ -3393,7 +3393,7 @@ abstract class CommonObject } $sql .= ', multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc'; $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element_line; - $sql .= ' WHERE '.$this->fk_element.' = '.$this->id; + $sql .= ' WHERE '.$this->fk_element.' = '.((int) $this->id); if ($exclspec) { $product_field = 'product_type'; if ($this->table_element_line == 'contratdet') { @@ -3561,7 +3561,7 @@ abstract class CommonObject $sql .= ", multicurrency_total_ht = ".price2num($this->multicurrency_total_ht, 'MT', 1); $sql .= ", multicurrency_total_tva = ".price2num($this->multicurrency_total_tva, 'MT', 1); $sql .= ", multicurrency_total_ttc = ".price2num($this->multicurrency_total_ttc, 'MT', 1); - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(get_class($this)."::update_price", LOG_DEBUG); $resql = $this->db->query($sql); @@ -5318,7 +5318,7 @@ abstract class CommonObject } if ($update_main_doc_field && !empty($this->table_element)) { $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element." SET last_main_doc = '".$this->db->escape($ecmfile->filepath.'/'.$ecmfile->filename)."'"; - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); $resql = $this->db->query($sql); if (!$resql) { @@ -8827,7 +8827,7 @@ abstract class CommonObject $sql = 'SELECT '.$objectline->getFieldList('l'); $sql .= ' FROM '.MAIN_DB_PREFIX.$objectline->table_element.' as l'; - $sql .= ' WHERE l.fk_'.$this->element.' = '.$this->id; + $sql .= ' WHERE l.fk_'.$this->element.' = '.((int) $this->id); if ($morewhere) { $sql .= $morewhere; } @@ -8973,7 +8973,7 @@ abstract class CommonObject if ($forcechilddeletion) { // Force also delete of childtables that should lock deletion in standard case when option force is off foreach ($this->childtables as $table) { - $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$table.' WHERE '.$this->fk_element.' = '.$this->id; + $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$table.' WHERE '.$this->fk_element.' = '.((int) $this->id); $resql = $this->db->query($sql); if (!$resql) { $this->error = $this->db->lasterror(); @@ -9022,7 +9022,7 @@ abstract class CommonObject } } else { // Delete record in child table - $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$table.' WHERE '.$this->fk_element.' = '.$this->id; + $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$table.' WHERE '.$this->fk_element.' = '.((int) $this->id); $resql = $this->db->query($sql); if (!$resql) { diff --git a/htdocs/core/class/coreobject.class.php b/htdocs/core/class/coreobject.class.php index 45018cb1d8f..150ace90875 100644 --- a/htdocs/core/class/coreobject.class.php +++ b/htdocs/core/class/coreobject.class.php @@ -183,7 +183,7 @@ class CoreObject extends CommonObject $this->{$className} = array(); - $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.$childTable.' WHERE '.$this->fk_element.' = '.$this->id; + $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.$childTable.' WHERE '.$this->fk_element.' = '.((int) $this->id); $res = $this->db->query($sql); if ($res) { diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index ddfad586e7c..ea245e82487 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -5274,8 +5274,9 @@ function price($amount, $form = 0, $outlangs = '', $trunc = 1, $rounding = -1, $ * Put 2 if you know that number is a user input (so we know we don't have to fix decimal separator). * @return string Amount with universal numeric format (Example: '99.99999'). * If conversion fails to return a numeric, it returns: - * text unchanged or partial if ($rounding = ''): price2num('W9ç', '', 0) => '9ç', price2num('W9ç', '', 1) => 'W9ç', price2num('W9ç', '', 2) => '9ç' - * '0' if ($rounding is defined): price2num('W9ç', 'MT', 0) => '9', price2num('W9ç', 'MT', 1) => '0', price2num('W9ç', 'MT', 2) => '9' + * - text unchanged or partial if ($rounding = ''): price2num('W9ç', '', 0) => '9ç', price2num('W9ç', '', 1) => 'W9ç', price2num('W9ç', '', 2) => '9ç' + * - '0' if ($rounding is defined): price2num('W9ç', 'MT', 0) => '9', price2num('W9ç', 'MT', 1) => '0', price2num('W9ç', 'MT', 2) => '9' + * Note: The best way to guarantee a numeric value is to add a cast (float) before the price2num(). * If amount is null or '', it returns '' if $rounding = '' or '0' if $rounding is defined. * * @see price() Opposite function of price2num diff --git a/htdocs/core/lib/ticket.lib.php b/htdocs/core/lib/ticket.lib.php index 3aededf6a81..ac3f80e00bc 100644 --- a/htdocs/core/lib/ticket.lib.php +++ b/htdocs/core/lib/ticket.lib.php @@ -959,7 +959,7 @@ function getTicketActionCommEcmList($object) $sql = 'SELECT ecm.rowid as id, ecm.src_object_type, ecm.src_object_id, ecm.filepath, ecm.filename'; $sql .= ' FROM '.MAIN_DB_PREFIX.'ecm_files ecm'; $sql .= ' WHERE ecm.filepath = \'agenda/'.$object->id.'\''; - //$sql.= ' ecm.src_object_type = \''.$object->element.'\' AND ecm.src_object_id = '.$object->id; // Actually upload file doesn't add type + //$sql.= ' ecm.src_object_type = \''.$object->element.'\' AND ecm.src_object_id = '.((int) $object->id); // Actually upload file doesn't add type $sql .= ' ORDER BY ecm.position ASC'; $resql = $db->query($sql); diff --git a/htdocs/don/class/don.class.php b/htdocs/don/class/don.class.php index 6bb4c99b86d..85a95905073 100644 --- a/htdocs/don/class/don.class.php +++ b/htdocs/don/class/don.class.php @@ -1116,7 +1116,7 @@ class Don extends CommonObject return -1; } - $sql = 'SELECT SUM(amount) as sum_amount FROM '.MAIN_DB_PREFIX.'payment_donation WHERE fk_donation = '.$this->id; + $sql = 'SELECT SUM(amount) as sum_amount FROM '.MAIN_DB_PREFIX.'payment_donation WHERE fk_donation = '.((int) $this->id); $resql = $this->db->query($sql); if (!$resql) { dol_print_error($this->db); diff --git a/htdocs/emailcollector/class/emailcollector.class.php b/htdocs/emailcollector/class/emailcollector.class.php index 16df7774470..2a062dcb1f1 100644 --- a/htdocs/emailcollector/class/emailcollector.class.php +++ b/htdocs/emailcollector/class/emailcollector.class.php @@ -675,7 +675,7 @@ class EmailCollector extends CommonObject $sql = 'SELECT rowid, type, rulevalue, status'; $sql .= ' FROM '.MAIN_DB_PREFIX.'emailcollector_emailcollectorfilter'; - $sql .= ' WHERE fk_emailcollector = '.$this->id; + $sql .= ' WHERE fk_emailcollector = '.((int) $this->id); //$sql.= ' ORDER BY position'; $resql = $this->db->query($sql); @@ -707,7 +707,7 @@ class EmailCollector extends CommonObject $sql = 'SELECT rowid, type, actionparam, status'; $sql .= ' FROM '.MAIN_DB_PREFIX.'emailcollector_emailcollectoraction'; - $sql .= ' WHERE fk_emailcollector = '.$this->id; + $sql .= ' WHERE fk_emailcollector = '.((int) $this->id); $sql .= ' ORDER BY position'; $resql = $this->db->query($sql); diff --git a/htdocs/expedition/class/expedition.class.php b/htdocs/expedition/class/expedition.class.php index 42d290aa02f..049ef7832b0 100644 --- a/htdocs/expedition/class/expedition.class.php +++ b/htdocs/expedition/class/expedition.class.php @@ -2162,7 +2162,7 @@ class Expedition extends CommonObject $this->db->begin(); $sql = 'UPDATE '.MAIN_DB_PREFIX.'expedition SET fk_statut='.self::STATUS_CLOSED; - $sql .= ' WHERE rowid = '.$this->id.' AND fk_statut > 0'; + $sql .= " WHERE rowid = ".((int) $this->id).' AND fk_statut > 0'; $resql = $this->db->query($sql); if ($resql) { @@ -2307,7 +2307,7 @@ class Expedition extends CommonObject $this->db->begin(); $sql = 'UPDATE '.MAIN_DB_PREFIX.'expedition SET fk_statut=2, billed=1'; // TODO Update only billed - $sql .= ' WHERE rowid = '.$this->id.' AND fk_statut > 0'; + $sql .= " WHERE rowid = ".((int) $this->id).' AND fk_statut > 0'; $resql = $this->db->query($sql); if ($resql) { @@ -2356,7 +2356,7 @@ class Expedition extends CommonObject $oldbilled = $this->billed; $sql = 'UPDATE '.MAIN_DB_PREFIX.'expedition SET fk_statut=1'; - $sql .= ' WHERE rowid = '.$this->id.' AND fk_statut > 0'; + $sql .= " WHERE rowid = ".((int) $this->id).' AND fk_statut > 0'; $resql = $this->db->query($sql); if ($resql) { diff --git a/htdocs/expensereport/class/expensereport.class.php b/htdocs/expensereport/class/expensereport.class.php index c2b63f9393e..22f29bb1d9e 100644 --- a/htdocs/expensereport/class/expensereport.class.php +++ b/htdocs/expensereport/class/expensereport.class.php @@ -1031,7 +1031,7 @@ class ExpenseReport extends CommonObject $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element_line.' as de'; $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_type_fees as ctf ON de.fk_c_type_fees = ctf.id'; $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'projet as p ON de.fk_projet = p.rowid'; - $sql .= ' WHERE de.'.$this->fk_element.' = '.$this->id; + $sql .= ' WHERE de.'.$this->fk_element.' = '.((int) $this->id); if (!empty($conf->global->EXPENSEREPORT_LINES_SORTED_BY_ROWID)) { $sql .= ' ORDER BY de.rang ASC, de.rowid ASC'; } else { @@ -1340,7 +1340,7 @@ class ExpenseReport extends CommonObject // Sélection de la date de début de la NDF $sql = 'SELECT date_debut'; $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element; - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); $result = $this->db->query($sql); @@ -1351,7 +1351,7 @@ class ExpenseReport extends CommonObject if ($this->status != self::STATUS_VALIDATED) { $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element; $sql .= " SET fk_statut = ".self::STATUS_VALIDATED; - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(get_class($this)."::set_save_from_refuse", LOG_DEBUG); @@ -1386,7 +1386,7 @@ class ExpenseReport extends CommonObject $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element; $sql .= " SET ref = '".$this->db->escape($this->ref)."', fk_statut = ".self::STATUS_APPROVED.", fk_user_approve = ".((int) $fuser->id).","; $sql .= " date_approve='".$this->db->idate($this->date_approve)."'"; - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); if ($this->db->query($sql)) { if (!$notrigger) { // Call trigger @@ -1438,7 +1438,7 @@ class ExpenseReport extends CommonObject $sql .= " date_refuse='".$this->db->idate($now)."',"; $sql .= " detail_refuse='".$this->db->escape($details)."',"; $sql .= " fk_user_approve = NULL"; - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); if ($this->db->query($sql)) { $this->fk_statut = 99; // deprecated $this->status = 99; @@ -1507,7 +1507,7 @@ class ExpenseReport extends CommonObject $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element; $sql .= " SET paid = 0, fk_statut = ".self::STATUS_APPROVED; - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(get_class($this)."::set_unpaid", LOG_DEBUG); @@ -1561,7 +1561,7 @@ class ExpenseReport extends CommonObject $sql .= " SET fk_statut = ".self::STATUS_CANCELED.", fk_user_cancel = ".((int) $fuser->id); $sql .= ", date_cancel='".$this->db->idate($this->date_cancel)."'"; $sql .= " ,detail_cancel='".$this->db->escape($detail)."'"; - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(get_class($this)."::set_cancel", LOG_DEBUG); @@ -2525,7 +2525,7 @@ class ExpenseReport extends CommonObject $sql = 'SELECT sum(amount) as amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.$table; - $sql .= ' WHERE '.$field.' = '.$this->id; + $sql .= ' WHERE '.$field.' = '.((int) $this->id); dol_syslog(get_class($this)."::getSumPayments", LOG_DEBUG); $resql = $this->db->query($sql); @@ -2759,15 +2759,15 @@ class ExpenseReportLine $sql .= ' INNER JOIN '.MAIN_DB_PREFIX.'expensereport e ON (d.fk_expensereport = e.rowid)'; $sql .= ' WHERE e.fk_user_author = '.((int) $fk_user); if (!empty($this->id)) { - $sql .= ' AND d.rowid <> '.$this->id; + $sql .= ' AND d.rowid <> '.((int) $this->id); } $sql .= ' AND d.fk_c_type_fees = '.((int) $rule->fk_c_type_fees); if ($mode == 'day' || $mode == 'EX_DAY') { $sql .= " AND d.date = '".dol_print_date($this->date, '%Y-%m-%d')."'"; } elseif ($mode == 'mon' || $mode == 'EX_MON') { - $sql .= ' AND DATE_FORMAT(d.date, \'%Y-%m\') = \''.dol_print_date($this->date, '%Y-%m').'\''; // @todo DATE_FORMAT is forbidden + $sql .= " AND DATE_FORMAT(d.date, '%Y-%m') = '".dol_print_date($this->date, '%Y-%m')."'"; // @todo DATE_FORMAT is forbidden } elseif ($mode == 'year' || $mode == 'EX_YEA') { - $sql .= ' AND DATE_FORMAT(d.date, \'%Y\') = \''.dol_print_date($this->date, '%Y').'\''; // @todo DATE_FORMAT is forbidden + $sql .= " AND DATE_FORMAT(d.date, '%Y') = '".dol_print_date($this->date, '%Y')."'"; // @todo DATE_FORMAT is forbidden } dol_syslog('ExpenseReportLine::getExpAmount'); diff --git a/htdocs/fichinter/card.php b/htdocs/fichinter/card.php index 1b647af00a6..243545dd14b 100644 --- a/htdocs/fichinter/card.php +++ b/htdocs/fichinter/card.php @@ -1279,7 +1279,7 @@ if ($action == 'create') { $sql = 'SELECT ft.rowid, ft.description, ft.fk_fichinter, ft.duree, ft.rang,'; $sql .= ' ft.date as date_intervention'; $sql .= ' FROM '.MAIN_DB_PREFIX.'fichinterdet as ft'; - $sql .= ' WHERE ft.fk_fichinter = '.$object->id; + $sql .= ' WHERE ft.fk_fichinter = '.((int) $object->id); if (!empty($conf->global->FICHINTER_HIDE_EMPTY_DURATION)) { $sql .= ' AND ft.duree <> 0'; } diff --git a/htdocs/fichinter/class/fichinterrec.class.php b/htdocs/fichinter/class/fichinterrec.class.php index 9aec232cf0a..d23c25253ac 100644 --- a/htdocs/fichinter/class/fichinterrec.class.php +++ b/htdocs/fichinter/class/fichinterrec.class.php @@ -356,7 +356,7 @@ class FichinterRec extends Fichinter $sql .= ' p.label as product_label, p.description as product_desc'; $sql .= ' FROM '.MAIN_DB_PREFIX.'fichinterdet_rec as l'; $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product as p ON l.fk_product = p.rowid'; - $sql .= ' WHERE l.fk_fichinter = '.$this->id; + $sql .= ' WHERE l.fk_fichinter = '.((int) $this->id); dol_syslog('FichInter-rec::fetch_lines', LOG_DEBUG); $result = $this->db->query($sql); @@ -718,7 +718,7 @@ class FichinterRec extends Fichinter if (!empty($unit)) { $sql .= ', unit_frequency = "'.$this->db->escape($unit).'"'; } - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(get_class($this)."::setFrequencyAndUnit", LOG_DEBUG); if ($this->db->query($sql)) { @@ -751,7 +751,7 @@ class FichinterRec extends Fichinter if ($increment_nb_gen_done > 0) { $sql .= ', nb_gen_done = nb_gen_done + 1'; } - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(get_class($this)."::setNextDate", LOG_DEBUG); if ($this->db->query($sql)) { @@ -844,7 +844,7 @@ class FichinterRec extends Fichinter $sql .= ' , statut = 1'; } - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(get_class($this)."::setAutoValidate", LOG_DEBUG); if ($this->db->query($sql)) { diff --git a/htdocs/fourn/card.php b/htdocs/fourn/card.php index f37e96ba602..599242375d2 100644 --- a/htdocs/fourn/card.php +++ b/htdocs/fourn/card.php @@ -519,7 +519,7 @@ if ($object->id > 0) { $sql .= ' FROM '.MAIN_DB_PREFIX.'product_fournisseur_price as pfp'; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = pfp.fk_product"; $sql .= ' WHERE p.entity IN ('.getEntity('product').')'; - $sql .= ' AND pfp.fk_soc = '.$object->id; + $sql .= ' AND pfp.fk_soc = '.((int) $object->id); $sql .= $db->order('pfp.tms', 'desc'); $sql .= $db->plimit($MAXLIST); @@ -658,7 +658,7 @@ if ($object->id > 0) { $sql2 .= ', '.MAIN_DB_PREFIX.'commande_fournisseur as c'; $sql2 .= ' WHERE c.fk_soc = s.rowid'; $sql2 .= " AND c.entity IN (".getEntity('commande_fournisseur').")"; - $sql2 .= ' AND s.rowid = '.$object->id; + $sql2 .= ' AND s.rowid = '.((int) $object->id); // Show orders we can bill if (empty($conf->global->SUPPLIER_ORDER_TO_INVOICE_STATUS)) { $sql2 .= " AND c.fk_statut IN (".$db->sanitize(CommandeFournisseur::STATUS_RECEIVED_COMPLETELY).")"; // Must match filter in htdocs/fourn/commande/list.php @@ -758,7 +758,7 @@ if ($object->id > 0) { $sql .= ' SUM(pf.amount) as am'; $sql .= ' FROM '.MAIN_DB_PREFIX.'facture_fourn as f'; $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'paiementfourn_facturefourn as pf ON f.rowid=pf.fk_facturefourn'; - $sql .= ' WHERE f.fk_soc = '.$object->id; + $sql .= ' WHERE f.fk_soc = '.((int) $object->id); $sql .= " AND f.entity IN (".getEntity('facture_fourn').")"; $sql .= ' GROUP BY f.rowid,f.libelle,f.ref,f.ref_supplier,f.fk_statut,f.datef,f.total_ht,f.total_tva,f.total_ttc,f.paye'; $sql .= ' ORDER BY f.datef DESC'; diff --git a/htdocs/fourn/class/fournisseur.commande.class.php b/htdocs/fourn/class/fournisseur.commande.class.php index 4b74b596be5..9d965ee034e 100644 --- a/htdocs/fourn/class/fournisseur.commande.class.php +++ b/htdocs/fourn/class/fournisseur.commande.class.php @@ -930,7 +930,7 @@ class CommandeFournisseur extends CommonOrder $this->db->begin(); $sql = 'UPDATE '.MAIN_DB_PREFIX.'commande_fournisseur SET billed = 1'; - $sql .= ' WHERE rowid = '.$this->id.' AND fk_statut > '.self::STATUS_DRAFT; + $sql .= " WHERE rowid = ".((int) $this->id).' AND fk_statut > '.self::STATUS_DRAFT; if ($this->db->query($sql)) { if (!$error) { @@ -3399,12 +3399,12 @@ class CommandeFournisseur extends CommonOrder $sql .= ' cfd.fk_reception = e.rowid AND'; } $sql .= ' cfd.fk_commandefourndet = cd.rowid'; - $sql .= ' AND cd.fk_commande ='.$this->id; + $sql .= ' AND cd.fk_commande ='.((int) $this->id); if ($this->fk_product > 0) { - $sql .= ' AND cd.fk_product = '.$this->fk_product; + $sql .= ' AND cd.fk_product = '.((int) $this->fk_product); } if ($filtre_statut >= 0) { - $sql .= ' AND e.fk_statut >= '.$filtre_statut; + $sql .= ' AND e.fk_statut >= '.((int) $filtre_statut); } $sql .= ' GROUP BY cd.rowid, cd.fk_product'; diff --git a/htdocs/fourn/class/fournisseur.facture.class.php b/htdocs/fourn/class/fournisseur.facture.class.php index e8ec417edd7..b97bf5485fa 100644 --- a/htdocs/fourn/class/fournisseur.facture.class.php +++ b/htdocs/fourn/class/fournisseur.facture.class.php @@ -818,7 +818,7 @@ class FactureFournisseur extends CommonInvoice $sql .= ', f.fk_code_ventilation, f.fk_multicurrency, f.multicurrency_code, f.multicurrency_subprice, f.multicurrency_total_ht, f.multicurrency_total_tva, f.multicurrency_total_ttc'; $sql .= ' FROM '.MAIN_DB_PREFIX.'facture_fourn_det as f'; $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product as p ON f.fk_product = p.rowid'; - $sql .= ' WHERE fk_facture_fourn='.$this->id; + $sql .= ' WHERE fk_facture_fourn='.((int) $this->id); $sql .= ' ORDER BY f.rang, f.rowid'; dol_syslog(get_class($this)."::fetch_lines", LOG_DEBUG); @@ -1491,7 +1491,7 @@ class FactureFournisseur extends CommonInvoice if ($close_note) { $sql .= ", close_note='".$this->db->escape($close_note)."'"; } - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); $resql = $this->db->query($sql); if ($resql) { @@ -1499,7 +1499,7 @@ class FactureFournisseur extends CommonInvoice // as they have not been used since the invoice is abandoned. $sql = 'UPDATE '.MAIN_DB_PREFIX.'societe_remise_except'; $sql .= ' SET fk_invoice_supplier = NULL'; - $sql .= ' WHERE fk_invoice_supplier = '.$this->id; + $sql .= ' WHERE fk_invoice_supplier = '.((int) $this->id); $resql = $this->db->query($sql); if ($resql) { @@ -3317,7 +3317,7 @@ class SupplierInvoiceLine extends CommonObjectLine if (!$error) { // Supprime ligne $sql = 'DELETE FROM '.MAIN_DB_PREFIX.'facture_fourn_det '; - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(get_class($this)."::delete", LOG_DEBUG); $resql = $this->db->query($sql); if (!$resql) { diff --git a/htdocs/fourn/class/paiementfourn.class.php b/htdocs/fourn/class/paiementfourn.class.php index 28ef8025a98..2227e2b8c0a 100644 --- a/htdocs/fourn/class/paiementfourn.class.php +++ b/htdocs/fourn/class/paiementfourn.class.php @@ -398,11 +398,11 @@ class PaiementFourn extends Paiement // Efface la ligne de paiement (dans paiement_facture et paiement) $sql = 'DELETE FROM '.MAIN_DB_PREFIX.'paiementfourn_facturefourn'; - $sql .= ' WHERE fk_paiementfourn = '.$this->id; + $sql .= ' WHERE fk_paiementfourn = '.((int) $this->id); $resql = $this->db->query($sql); if ($resql) { $sql = 'DELETE FROM '.MAIN_DB_PREFIX.'paiementfourn'; - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); $result = $this->db->query($sql); if (!$result) { $this->error = $this->db->error(); @@ -484,16 +484,16 @@ class PaiementFourn extends Paiement /** * Return list of supplier invoices the payment point to * - * @param string $filter SQL filter + * @param string $filter SQL filter. Warning: This value must not come from a user input. * @return array Array of supplier invoice id */ public function getBillsArray($filter = '') { $sql = 'SELECT fk_facturefourn'; $sql .= ' FROM '.MAIN_DB_PREFIX.'paiementfourn_facturefourn as pf, '.MAIN_DB_PREFIX.'facture_fourn as f'; - $sql .= ' WHERE pf.fk_facturefourn = f.rowid AND fk_paiementfourn = '.$this->id; + $sql .= ' WHERE pf.fk_facturefourn = f.rowid AND fk_paiementfourn = '.((int) $this->id); if ($filter) { - $sql .= ' AND '.$filter; + $sql .= " AND ".$filter; } dol_syslog(get_class($this).'::getBillsArray', LOG_DEBUG); diff --git a/htdocs/fourn/commande/card.php b/htdocs/fourn/commande/card.php index 6ea356e189e..b981d46b764 100644 --- a/htdocs/fourn/commande/card.php +++ b/htdocs/fourn/commande/card.php @@ -337,14 +337,14 @@ if (empty($reshook)) { // Currently the "Re-open" also remove the billed flag because there is no button "Set unpaid" yet. $sql = 'UPDATE '.MAIN_DB_PREFIX.'commande_fournisseur'; $sql .= ' SET billed = 0'; - $sql .= ' WHERE rowid = '.$object->id; + $sql .= ' WHERE rowid = '.((int) $object->id); $resql = $db->query($sql); if ($newstatus == 0) { $sql = 'UPDATE '.MAIN_DB_PREFIX.'commande_fournisseur'; $sql .= ' SET fk_user_approve = null, fk_user_approve2 = null, date_approve = null, date_approve2 = null'; - $sql .= ' WHERE rowid = '.$object->id; + $sql .= ' WHERE rowid = '.((int) $object->id); $resql = $db->query($sql); } diff --git a/htdocs/fourn/facture/card.php b/htdocs/fourn/facture/card.php index 2f3fb2b0078..4912419d979 100644 --- a/htdocs/fourn/facture/card.php +++ b/htdocs/fourn/facture/card.php @@ -578,7 +578,7 @@ if (empty($reshook)) { $sql = 'SELECT SUM(pf.amount) as total_paiements'; $sql .= ' FROM '.MAIN_DB_PREFIX.'paiementfourn_facturefourn as pf, '.MAIN_DB_PREFIX.'paiementfourn as p'; $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_paiement as c ON p.fk_paiement = c.id AND c.entity IN ('.getEntity('c_paiement').')'; - $sql .= ' WHERE pf.fk_facturefourn = '.$object->id; + $sql .= ' WHERE pf.fk_facturefourn = '.((int) $object->id); $sql .= ' AND pf.fk_paiementfourn = p.rowid'; $sql .= ' AND p.entity IN ('.getEntity('invoice').')'; @@ -3018,7 +3018,7 @@ if ($action == 'create') { $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'bank_account as ba ON b.fk_account = ba.rowid'; $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_paiement as c ON p.fk_paiement = c.id'; $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'paiementfourn_facturefourn as pf ON pf.fk_paiementfourn = p.rowid'; - $sql .= ' WHERE pf.fk_facturefourn = '.$object->id; + $sql .= ' WHERE pf.fk_facturefourn = '.((int) $object->id); $sql .= ' ORDER BY p.datep, p.tms'; $result = $db->query($sql); diff --git a/htdocs/fourn/facture/list.php b/htdocs/fourn/facture/list.php index d6f07426a04..527cd851709 100644 --- a/htdocs/fourn/facture/list.php +++ b/htdocs/fourn/facture/list.php @@ -549,7 +549,7 @@ if ($search_montant_ttc != '') { $sql .= natural_search('f.total_ttc', $search_montant_ttc, 1); } if ($search_multicurrency_code != '') { - $sql .= ' AND f.multicurrency_code = "'.$db->escape($search_multicurrency_code).'"'; + $sql .= " AND f.multicurrency_code = '".$db->escape($search_multicurrency_code)."'"; } if ($search_multicurrency_tx != '') { $sql .= natural_search('f.multicurrency_tx', $search_multicurrency_tx, 1); diff --git a/htdocs/fourn/paiement/card.php b/htdocs/fourn/paiement/card.php index ccc29105e4f..708fa266f0a 100644 --- a/htdocs/fourn/paiement/card.php +++ b/htdocs/fourn/paiement/card.php @@ -259,7 +259,7 @@ if ($result > 0) { $sql .= ' pf.amount, s.nom as name, s.rowid as socid'; $sql .= ' FROM '.MAIN_DB_PREFIX.'paiementfourn_facturefourn as pf,'.MAIN_DB_PREFIX.'facture_fourn as f,'.MAIN_DB_PREFIX.'societe as s'; $sql .= ' WHERE pf.fk_facturefourn = f.rowid AND f.fk_soc = s.rowid'; - $sql .= ' AND pf.fk_paiementfourn = '.$object->id; + $sql .= ' AND pf.fk_paiementfourn = '.((int) $object->id); $resql = $db->query($sql); if ($resql) { $num = $db->num_rows($resql); diff --git a/htdocs/loan/class/loan.class.php b/htdocs/loan/class/loan.class.php index 2e51b3871a9..ffd745e263f 100644 --- a/htdocs/loan/class/loan.class.php +++ b/htdocs/loan/class/loan.class.php @@ -651,7 +651,7 @@ class Loan extends CommonObject $sql = 'SELECT sum(amount_capital) as amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.$table; - $sql .= ' WHERE '.$field.' = '.$this->id; + $sql .= ' WHERE '.$field.' = '.((int) $this->id); dol_syslog(get_class($this)."::getSumPayment", LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/modulebuilder/template/myobject_list.php b/htdocs/modulebuilder/template/myobject_list.php index 2eee13fd879..3319ca1909d 100644 --- a/htdocs/modulebuilder/template/myobject_list.php +++ b/htdocs/modulebuilder/template/myobject_list.php @@ -345,6 +345,13 @@ $sql .= $hookmanager->resPrint; $sql = preg_replace('/,\s*$/', '', $sql); */ +// Add HAVING from hooks +/* +$parameters = array(); +$reshook = $hookmanager->executeHooks('printFieldListHaving', $parameters, $object); // Note that $action and $object may have been modified by hook +$sql .= !empty($hookmanager->resPrint) ? (" HAVING 1=1 " . $hookmanager->resPrint) : ""; +*/ + // Count total nb of records $nbtotalofrecords = ''; if (empty($conf->global->MAIN_DISABLE_FULL_SCANLIST)) { diff --git a/htdocs/mrp/class/mo.class.php b/htdocs/mrp/class/mo.class.php index bc5e8eca58a..7176d574dab 100644 --- a/htdocs/mrp/class/mo.class.php +++ b/htdocs/mrp/class/mo.class.php @@ -502,7 +502,7 @@ class Mo extends CommonObject if ($lineid > 0) { $sql .= ' AND t.fk_mrp_production = '.((int) $lineid); } else { - $sql .= 'AND t.fk_mo = '.$this->id; + $sql .= 'AND t.fk_mo = '.((int) $this->id); } $resql = $this->db->query($sql); @@ -627,7 +627,7 @@ class Mo extends CommonObject if (!$error) { // TODO Check that production has not started. If yes, we stop here. - $sql = 'DELETE FROM '.MAIN_DB_PREFIX.'mrp_production WHERE fk_mo = '.$this->id; + $sql = 'DELETE FROM '.MAIN_DB_PREFIX.'mrp_production WHERE fk_mo = '.((int) $this->id); $this->db->query($sql); $moline = new MoLine($this->db); diff --git a/htdocs/multicurrency/class/multicurrency.class.php b/htdocs/multicurrency/class/multicurrency.class.php index 5067a6e91d5..8c2e01f9ceb 100644 --- a/htdocs/multicurrency/class/multicurrency.class.php +++ b/htdocs/multicurrency/class/multicurrency.class.php @@ -245,7 +245,7 @@ class MultiCurrency extends CommonObject { $sql = 'SELECT cr.rowid'; $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element_line.' as cr'; - $sql .= ' WHERE cr.fk_multicurrency = '.$this->id; + $sql .= ' WHERE cr.fk_multicurrency = '.((int) $this->id); $sql .= ' ORDER BY cr.date_sync DESC'; $this->rates = array(); @@ -479,8 +479,8 @@ class MultiCurrency extends CommonObject { $sql = 'SELECT cr.rowid'; $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element_line.' as cr'; - $sql .= ' WHERE cr.fk_multicurrency = '.$this->id; - $sql .= ' AND cr.date_sync = (SELECT MAX(cr2.date_sync) FROM '.MAIN_DB_PREFIX.$this->table_element_line.' AS cr2 WHERE cr2.fk_multicurrency = '.$this->id.')'; + $sql .= ' WHERE cr.fk_multicurrency = '.((int) $this->id); + $sql .= ' AND cr.date_sync = (SELECT MAX(cr2.date_sync) FROM '.MAIN_DB_PREFIX.$this->table_element_line.' AS cr2 WHERE cr2.fk_multicurrency = '.((int) $this->id).')'; dol_syslog(__METHOD__, LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/product/inventory/class/inventory.class.php b/htdocs/product/inventory/class/inventory.class.php index 9fb74c96f83..e17a1fd418f 100644 --- a/htdocs/product/inventory/class/inventory.class.php +++ b/htdocs/product/inventory/class/inventory.class.php @@ -266,7 +266,7 @@ class Inventory extends CommonObject if ($this->status == self::STATUS_DRAFT) { // Delete inventory - $sql = 'DELETE FROM '.MAIN_DB_PREFIX.'inventorydet WHERE fk_inventory = '.$this->id; + $sql = 'DELETE FROM '.MAIN_DB_PREFIX.'inventorydet WHERE fk_inventory = '.((int) $this->id); $resql = $this->db->query($sql); if (!$resql) { $this->error = $this->db->lasterror(); @@ -349,7 +349,7 @@ class Inventory extends CommonObject $this->db->begin(); // Delete inventory - $sql = 'DELETE FROM '.MAIN_DB_PREFIX.'inventorydet WHERE fk_inventory = '.$this->id; + $sql = 'DELETE FROM '.MAIN_DB_PREFIX.'inventorydet WHERE fk_inventory = '.((int) $this->id); $resql = $this->db->query($sql); if (!$resql) { $this->error = $this->db->lasterror(); diff --git a/htdocs/product/inventory/inventory.php b/htdocs/product/inventory/inventory.php index 01968855836..1147869a716 100644 --- a/htdocs/product/inventory/inventory.php +++ b/htdocs/product/inventory/inventory.php @@ -116,7 +116,7 @@ if ($action == 'update' && !empty($user->rights->stock->mouvement->creer)) { $sql = 'SELECT id.rowid, id.datec as date_creation, id.tms as date_modification, id.fk_inventory, id.fk_warehouse,'; $sql .= ' id.fk_product, id.batch, id.qty_stock, id.qty_view, id.qty_regulated'; $sql .= ' FROM '.MAIN_DB_PREFIX.'inventorydet as id'; - $sql .= ' WHERE id.fk_inventory = '.$object->id; + $sql .= ' WHERE id.fk_inventory = '.((int) $object->id); $resql = $db->query($sql); if ($resql) { $num = $db->num_rows($resql); @@ -168,7 +168,7 @@ if ($action =='updateinventorylines' && $permissiontoadd) { $sql = 'SELECT id.rowid, id.datec as date_creation, id.tms as date_modification, id.fk_inventory, id.fk_warehouse,'; $sql .= ' id.fk_product, id.batch, id.qty_stock, id.qty_view, id.qty_regulated'; $sql .= ' FROM '.MAIN_DB_PREFIX.'inventorydet as id'; - $sql .= ' WHERE id.fk_inventory = '.$object->id; + $sql .= ' WHERE id.fk_inventory = '.((int) $object->id); $db->begin(); diff --git a/htdocs/projet/activity/perday.php b/htdocs/projet/activity/perday.php index 8897f9550a3..29a3c40209c 100644 --- a/htdocs/projet/activity/perday.php +++ b/htdocs/projet/activity/perday.php @@ -310,7 +310,7 @@ if ($action == 'addtime' && $user->rights->projet->lire && GETPOST('formfilterac setEventMessages($langs->trans("RecordSaved"), null, 'mesgs'); // Redirect to avoid submit twice on back - header('Location: '.$_SERVER["PHP_SELF"].'?'.($projectid ? 'id='.$projectid : '').($search_usertoprocessid ? '&search_usertoprocessid='.$search_usertoprocessid : '').($mode ? '&mode='.$mode : '').'&year='.$yearofday.'&month='.$monthofday.'&day='.$dayofday); + header('Location: '.$_SERVER["PHP_SELF"].'?'.($projectid ? 'id='.$projectid : '').($search_usertoprocessid ? '&search_usertoprocessid='.urlencode($search_usertoprocessid) : '').($mode ? '&mode='.$mode : '').'&year='.$yearofday.'&month='.$monthofday.'&day='.$dayofday); exit; } } else { diff --git a/htdocs/projet/activity/permonth.php b/htdocs/projet/activity/permonth.php index 97c54b73675..1fae2fe0300 100644 --- a/htdocs/projet/activity/permonth.php +++ b/htdocs/projet/activity/permonth.php @@ -334,12 +334,12 @@ llxHeader("", $title, "", '', '', '', array('/core/js/timesheet.js')); //print_barre_liste($title, $page, $_SERVER["PHP_SELF"], "", $sortfield, $sortorder, "", $num, '', 'title_project'); $param = ''; -$param .= ($mode ? '&mode='.$mode : ''); -$param .= ($search_project_ref ? '&search_project_ref='.$search_project_ref : ''); -$param .= ($search_usertoprocessid > 0 ? '&search_usertoprocessid='.$search_usertoprocessid : ''); -$param .= ($search_thirdparty ? '&search_thirdparty='.$search_thirdparty : ''); -$param .= ($search_task_ref ? '&search_task_ref='.$search_task_ref : ''); -$param .= ($search_task_label ? '&search_task_label='.$search_task_label : ''); +$param .= ($mode ? '&mode='.urlencode($mode) : ''); +$param .= ($search_project_ref ? '&search_project_ref='.urlencode($search_project_ref) : ''); +$param .= ($search_usertoprocessid > 0 ? '&search_usertoprocessid='.urlencode($search_usertoprocessid) : ''); +$param .= ($search_thirdparty ? '&search_thirdparty='.urlencode($search_thirdparty) : ''); +$param .= ($search_task_ref ? '&search_task_ref='.urlencode($search_task_ref) : ''); +$param .= ($search_task_label ? '&search_task_label='.urlencode($search_task_label) : ''); // Show navigation bar $nav = ''.img_previous($langs->trans("Previous"))."\n"; diff --git a/htdocs/reception/class/reception.class.php b/htdocs/reception/class/reception.class.php index 948822c1983..6a4301d86df 100644 --- a/htdocs/reception/class/reception.class.php +++ b/htdocs/reception/class/reception.class.php @@ -1034,7 +1034,7 @@ class Reception extends CommonObject { // phpcs:enable dol_include_once('/fourn/class/fournisseur.commande.dispatch.class.php'); - $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.'commande_fournisseur_dispatch WHERE fk_reception='.$this->id; + $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.'commande_fournisseur_dispatch WHERE fk_reception='.((int) $this->id); $resql = $this->db->query($sql); if (!empty($resql)) { @@ -1445,7 +1445,7 @@ class Reception extends CommonObject $this->db->begin(); $sql = 'UPDATE '.MAIN_DB_PREFIX.'reception SET fk_statut='.self::STATUS_CLOSED; - $sql .= ' WHERE rowid = '.$this->id.' AND fk_statut > 0'; + $sql .= " WHERE rowid = ".((int) $this->id).' AND fk_statut > 0'; $resql = $this->db->query($sql); if ($resql) { @@ -1590,7 +1590,7 @@ class Reception extends CommonObject $this->setClosed(); $sql = 'UPDATE '.MAIN_DB_PREFIX.'reception SET billed=1'; - $sql .= ' WHERE rowid = '.$this->id.' AND fk_statut > 0'; + $sql .= " WHERE rowid = ".((int) $this->id).' AND fk_statut > 0'; $resql = $this->db->query($sql); if ($resql) { @@ -1630,7 +1630,7 @@ class Reception extends CommonObject $this->db->begin(); $sql = 'UPDATE '.MAIN_DB_PREFIX.'reception SET fk_statut=1, billed=0'; - $sql .= ' WHERE rowid = '.$this->id.' AND fk_statut > 0'; + $sql .= " WHERE rowid = ".((int) $this->id).' AND fk_statut > 0'; $resql = $this->db->query($sql); if ($resql) { diff --git a/htdocs/salaries/class/salary.class.php b/htdocs/salaries/class/salary.class.php index 17274813ef5..c434e73ec08 100644 --- a/htdocs/salaries/class/salary.class.php +++ b/htdocs/salaries/class/salary.class.php @@ -468,7 +468,7 @@ class Salary extends CommonObject { // phpcs:enable $sql = 'UPDATE '.MAIN_DB_PREFIX.'salary SET fk_bank = '.((int) $id_bank); - $sql .= ' WHERE rowid = '.$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); $result = $this->db->query($sql); if ($result) { return 1; @@ -570,7 +570,7 @@ class Salary extends CommonObject $sql = 'SELECT sum(amount) as amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.$table; - $sql .= ' WHERE '.$field.' = '.$this->id; + $sql .= ' WHERE '.$field.' = '.((int) $this->id); dol_syslog(get_class($this)."::getSommePaiement", LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/salaries/payment_salary/card.php b/htdocs/salaries/payment_salary/card.php index 5f05c1d98b7..e4364f6727f 100644 --- a/htdocs/salaries/payment_salary/card.php +++ b/htdocs/salaries/payment_salary/card.php @@ -180,7 +180,7 @@ $sql = 'SELECT f.rowid as scid, f.label, f.paye, f.amount as sc_amount, ps.amoun $sql .= ' FROM '.MAIN_DB_PREFIX.'payment_salary as ps,'.MAIN_DB_PREFIX.'salary as f'; $sql .= ' WHERE ps.fk_salary = f.rowid'; $sql .= ' AND f.entity = '.$conf->entity; -$sql .= ' AND ps.rowid = '.$object->id; +$sql .= ' AND ps.rowid = '.((int) $object->id); dol_syslog("payment_salary/card.php", LOG_DEBUG); $resql = $db->query($sql); diff --git a/htdocs/stripe/class/actions_stripe.class.php b/htdocs/stripe/class/actions_stripe.class.php index e44f3480042..f1a7a5c7877 100644 --- a/htdocs/stripe/class/actions_stripe.class.php +++ b/htdocs/stripe/class/actions_stripe.class.php @@ -173,7 +173,7 @@ class ActionsStripeconnect // On verifie si la facture a des paiements $sql = 'SELECT pf.amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.'paiement_facture as pf'; - $sql .= ' WHERE pf.fk_facture = '.$object->id; + $sql .= ' WHERE pf.fk_facture = '.((int) $object->id); $result = $this->db->query($sql); if ($result) { diff --git a/htdocs/supplier_proposal/class/supplier_proposal.class.php b/htdocs/supplier_proposal/class/supplier_proposal.class.php index 6b76cf23af6..e35051829cb 100644 --- a/htdocs/supplier_proposal/class/supplier_proposal.class.php +++ b/htdocs/supplier_proposal/class/supplier_proposal.class.php @@ -2565,7 +2565,7 @@ class SupplierProposal extends CommonObject $sql .= ' pt.fk_multicurrency, pt.multicurrency_code, pt.multicurrency_subprice, pt.multicurrency_total_ht, pt.multicurrency_total_tva, pt.multicurrency_total_ttc, pt.fk_unit'; $sql .= ' FROM '.MAIN_DB_PREFIX.'supplier_proposaldet as pt'; $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product as p ON pt.fk_product=p.rowid'; - $sql .= ' WHERE pt.fk_supplier_proposal = '.$this->id; + $sql .= ' WHERE pt.fk_supplier_proposal = '.((int) $this->id); $sql .= ' ORDER BY pt.rang ASC, pt.rowid'; dol_syslog(get_class($this).'::getLinesArray', LOG_DEBUG); @@ -3045,8 +3045,8 @@ class SupplierProposalLine extends CommonObjectLine $sql .= " ".price2num($this->total_ttc).","; $sql .= " ".(!empty($this->fk_fournprice) ? "'".$this->db->escape($this->fk_fournprice)."'" : "null").","; $sql .= " ".(isset($this->pa_ht) ? "'".price2num($this->pa_ht)."'" : "null").","; - $sql .= ' '.$this->special_code.','; - $sql .= ' '.$this->rang.','; + $sql .= ' '.((int) $this->special_code).','; + $sql .= ' '.((int) $this->rang).','; $sql .= " '".$this->db->escape($this->ref_fourn)."'"; $sql .= ", ".($this->fk_multicurrency > 0 ? $this->fk_multicurrency : 'null'); $sql .= ", '".$this->db->escape($this->multicurrency_code)."'"; diff --git a/htdocs/user/group/ldap.php b/htdocs/user/group/ldap.php index 458978d25ea..e02eb3e25d0 100644 --- a/htdocs/user/group/ldap.php +++ b/htdocs/user/group/ldap.php @@ -189,7 +189,7 @@ if ($result > 0) { $result = show_ldap_content($records, 0, $records['count'], true); } } else { - print ''.$langs->trans("LDAPRecordNotFound").' (dn='.$dn.' - search='.$search.')'; + print ''.$langs->trans("LDAPRecordNotFound").' (dn='.dol_escape_htmltag($dn).' - search='.dol_escape_htmltag($search).')'; } $ldap->unbind(); $ldap->close(); diff --git a/htdocs/user/ldap.php b/htdocs/user/ldap.php index e6cee6f6f73..e8ceef77b0a 100644 --- a/htdocs/user/ldap.php +++ b/htdocs/user/ldap.php @@ -194,7 +194,7 @@ if ($result > 0) { $result = show_ldap_content($records, 0, $records['count'], true); } } else { - print ''.$langs->trans("LDAPRecordNotFound").' (dn='.$dn.' - search='.$search.')'; + print ''.$langs->trans("LDAPRecordNotFound").' (dn='.dol_escape_htmltag($dn).' - search='.dol_escape_htmltag($search).')'; } $ldap->unbind(); diff --git a/htdocs/website/class/website.class.php b/htdocs/website/class/website.class.php index 4e19c057fd0..0c9ced5e68f 100644 --- a/htdocs/website/class/website.class.php +++ b/htdocs/website/class/website.class.php @@ -1252,7 +1252,7 @@ class Website extends CommonObject // Read record of website that has been updated by the run_sql function previously called so we can get the // value of fk_default_home that is ID of home page - $sql = 'SELECT fk_default_home FROM '.MAIN_DB_PREFIX.'website WHERE rowid = '.$object->id; + $sql = 'SELECT fk_default_home FROM '.MAIN_DB_PREFIX.'website WHERE rowid = '.((int) $object->id); $resql = $this->db->query($sql); if ($resql) { $obj = $this->db->fetch_object($resql); diff --git a/htdocs/website/index.php b/htdocs/website/index.php index 23be98a3b8c..ffda0802c51 100644 --- a/htdocs/website/index.php +++ b/htdocs/website/index.php @@ -2857,7 +2857,7 @@ if (!GETPOST('hide_websitemenu')) { $pagepreviousid = 0; $pagenextid = 0; if ($pageid) { - $sql = 'SELECT MAX(rowid) as pagepreviousid FROM '.MAIN_DB_PREFIX.'website_page WHERE rowid < '.$pageid.' AND fk_website = '.$object->id; + $sql = 'SELECT MAX(rowid) as pagepreviousid FROM '.MAIN_DB_PREFIX.'website_page WHERE rowid < '.$pageid.' AND fk_website = '.((int) $object->id); $resql = $db->query($sql); if ($resql) { $obj = $db->fetch_object($resql); @@ -2867,7 +2867,7 @@ if (!GETPOST('hide_websitemenu')) { } else { dol_print_error($db); } - $sql = 'SELECT MIN(rowid) as pagenextid FROM '.MAIN_DB_PREFIX.'website_page WHERE rowid > '.$pageid.' AND fk_website = '.$object->id; + $sql = 'SELECT MIN(rowid) as pagenextid FROM '.MAIN_DB_PREFIX.'website_page WHERE rowid > '.$pageid.' AND fk_website = '.((int) $object->id); $resql = $db->query($sql); if ($resql) { $obj = $db->fetch_object($resql);