Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Fix SQL injections #3300

Browse Source
This commit is contained in:
Laurent Destailleur
2015-09-12 11:23:44 +02:00
parent 75eae394f1
commit 36632593c0
9 changed files with 38 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
htdocs/commande/class/commande.class.php
View File

@@ -745,13 +745,13 @@ class Commande extends CommonOrder
$sql.= " VALUES ('(PROV)',".$this->socid.", '".$this->db->idate($now)."', ".$user->id;
$sql.= ", ".($this->fk_project>0?$this->fk_project:"null");
$sql.= ", '".$this->db->idate($date)."'";
$sql.= ", ".($this->source>=0 && $this->source != '' ?$this->source:'null');
$sql.= ", ".($this->source>=0 && $this->source != '' ?$this->db->escape($this->source):'null');
$sql.= ", '".$this->db->escape($this->note_private)."'";
$sql.= ", '".$this->db->escape($this->note_public)."'";
$sql.= ", ".($this->ref_ext?"'".$this->db->escape($this->ref_ext)."'":"null");
$sql.= ", ".($this->ref_client?"'".$this->db->escape($this->ref_client)."'":"null");
$sql.= ", ".($this->ref_int?"'".$this->db->escape($this->ref_int)."'":"null");
$sql.= ", '".$this->modelpdf."'";
$sql.= ", '".$this->db->escape($this->modelpdf)."'";
$sql.= ", ".($this->cond_reglement_id>0?"'".$this->cond_reglement_id."'":"null");
$sql.= ", ".($this->mode_reglement_id>0?"'".$this->mode_reglement_id."'":"null");
$sql.= ", ".($this->fk_account>0?$this->fk_account:'NULL');
@@ -760,8 +760,8 @@ class Commande extends CommonOrder
$sql.= ", ".($this->date_livraison?"'".$this->db->idate($this->date_livraison)."'":"null");
$sql.= ", ".($this->fk_delivery_address>0?$this->fk_delivery_address:'NULL');
$sql.= ", ".($this->shipping_method_id>0?$this->shipping_method_id:'NULL');
$sql.= ", ".($this->remise_absolue>0?$this->remise_absolue:'NULL');
$sql.= ", ".($this->remise_percent>0?$this->remise_percent:0);
$sql.= ", ".($this->remise_absolue>0?$this->db->escape($this->remise_absolue):'NULL');
$sql.= ", ".($this->remise_percent>0?$this->db->escape($this->remise_percent):0);
$sql.= ", ".(int) $this->fk_incoterms;
$sql.= ", '".$this->db->escape($this->location_incoterms)."'";
$sql.= ", ".$conf->entity;