forked from Wavyzz/dolibarr
Fix sql injection when forging requests with IN
This commit is contained in:
Laurent Destailleur
@@ -664,13 +664,13 @@ class AdvanceTargetingMailing extends CommonObject
|
||||
$sqlwhere[] = $this->transformToSQL('t.firstname', $arrayquery['contact_firstname']);
|
||||
}
|
||||
if (!empty($arrayquery['contact_country']) && count($arrayquery['contact_country'])) {
|
||||
$sqlwhere[] = " (t.fk_pays IN (".$this->db->escape(implode(',', $arrayquery['contact_country']))."))";
|
||||
$sqlwhere[] = " (t.fk_pays IN (".$this->db->sanitize($this->db->escape(implode(',', $arrayquery['contact_country'])))."))";
|
||||
}
|
||||
if (!empty($arrayquery['contact_status']) && count($arrayquery['contact_status']) > 0) {
|
||||
$sqlwhere[] = " (t.statut IN (".$this->db->escape(implode(',', $arrayquery['contact_status']))."))";
|
||||
$sqlwhere[] = " (t.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $arrayquery['contact_status'])))."))";
|
||||
}
|
||||
if (!empty($arrayquery['contact_civility']) && count($arrayquery['contact_civility']) > 0) {
|
||||
$sqlwhere[] = " (t.civility IN ('".$this->db->escape(implode("','", $arrayquery['contact_civility']))."'))";
|
||||
$sqlwhere[] = " (t.civility IN ('".$this->db->sanitize($this->db->escape(implode("','", $arrayquery['contact_civility'])))."'))";
|
||||
}
|
||||
if ($arrayquery['contact_no_email'] != '') {
|
||||
$tmpwhere = '';
|
||||
|
||||
@@ -333,13 +333,13 @@ if (!$user->rights->societe->client->voir && !$socid) //restriction
|
||||
if ($search_town) $sql .= natural_search('s.town', $search_town);
|
||||
if ($search_zip) $sql .= natural_search("s.zip", $search_zip);
|
||||
if ($search_state) $sql .= natural_search("state.nom", $search_state);
|
||||
if ($search_country) $sql .= " AND s.fk_pays IN (".$db->escape($search_country).')';
|
||||
if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->escape($search_type_thirdparty).')';
|
||||
if ($search_country) $sql .= " AND s.fk_pays IN (".$db->sanitize($db->escape($search_country)).')';
|
||||
if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->sanitize($db->escape($search_type_thirdparty)).')';
|
||||
if ($search_ref) $sql .= natural_search('p.ref', $search_ref);
|
||||
if ($search_refcustomer) $sql .= natural_search('p.ref_client', $search_refcustomer);
|
||||
if ($search_refproject) $sql .= natural_search('pr.ref', $search_refproject);
|
||||
if ($search_project) $sql .= natural_search('pr.title', $search_project);
|
||||
if ($search_availability) $sql .= " AND p.fk_availability IN (".$db->escape($search_availability).')';
|
||||
if ($search_availability) $sql .= " AND p.fk_availability IN (".$db->sanitize($db->escape($search_availability)).')';
|
||||
|
||||
if ($search_societe) $sql .= natural_search('s.nom', $search_societe);
|
||||
if ($search_login) $sql .= natural_search("u.login", $search_login);
|
||||
|
||||
@@ -91,7 +91,7 @@ $sql .= " WHERE b.fk_account = ba.rowid";
|
||||
$sql .= " AND ba.entity IN (".getEntity('bank_account').")";
|
||||
$sql .= " AND b.amount >= 0";
|
||||
if (!empty($id))
|
||||
$sql .= " AND b.fk_account IN (".$db->escape($id).")";
|
||||
$sql .= " AND b.fk_account IN (".$db->sanitize($db->escape($id)).")";
|
||||
$sql .= " GROUP BY dm";
|
||||
|
||||
$resql = $db->query($sql);
|
||||
@@ -117,7 +117,7 @@ $sql .= " WHERE b.fk_account = ba.rowid";
|
||||
$sql .= " AND ba.entity IN (".getEntity('bank_account').")";
|
||||
$sql .= " AND b.amount <= 0";
|
||||
if (!empty($id))
|
||||
$sql .= " AND b.fk_account IN (".$db->escape($id).")";
|
||||
$sql .= " AND b.fk_account IN (".$db->sanitize($db->escape($id)).")";
|
||||
$sql .= " GROUP BY dm";
|
||||
|
||||
$resql = $db->query($sql);
|
||||
@@ -240,7 +240,7 @@ $sql .= ", ".MAIN_DB_PREFIX."bank_account as ba";
|
||||
$sql .= " WHERE b.fk_account = ba.rowid";
|
||||
$sql .= " AND ba.entity IN (".getEntity('bank_account').")";
|
||||
if (!empty($id))
|
||||
$sql .= " AND b.fk_account IN (".$db->escape($id).")";
|
||||
$sql .= " AND b.fk_account IN (".$db->sanitize($db->escape($id)).")";
|
||||
|
||||
$resql = $db->query($sql);
|
||||
if ($resql)
|
||||
|
||||
@@ -478,15 +478,15 @@ if ($filtre)
|
||||
}
|
||||
if ($search_ref) $sql .= natural_search('f.ref', $search_ref);
|
||||
if ($search_refcustomer) $sql .= natural_search('f.ref_client', $search_refcustomer);
|
||||
if ($search_type != '' && $search_type != '-1') $sql .= " AND f.type IN (".$db->escape($search_type).")";
|
||||
if ($search_type != '' && $search_type != '-1') $sql .= " AND f.type IN (".$db->sanitize($db->escape($search_type)).")";
|
||||
if ($search_project_ref) $sql .= natural_search('p.ref', $search_project_ref);
|
||||
if ($search_project) $sql .= natural_search('p.title', $search_project);
|
||||
if ($search_societe) $sql .= natural_search('s.nom', $search_societe);
|
||||
if ($search_town) $sql .= natural_search('s.town', $search_town);
|
||||
if ($search_zip) $sql .= natural_search("s.zip", $search_zip);
|
||||
if ($search_state) $sql .= natural_search("state.nom", $search_state);
|
||||
if ($search_country) $sql .= " AND s.fk_pays IN (".$db->escape($search_country).')';
|
||||
if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->escape($search_type_thirdparty).')';
|
||||
if ($search_country) $sql .= " AND s.fk_pays IN (".$db->sanitize($db->escape($search_country)).')';
|
||||
if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->sanitize($db->escape($search_type_thirdparty)).')';
|
||||
if ($search_company) $sql .= natural_search('s.nom', $search_company);
|
||||
if ($search_montant_ht != '') $sql .= natural_search('f.total', $search_montant_ht, 1);
|
||||
if ($search_montant_vat != '') $sql .= natural_search('f.tva', $search_montant_vat, 1);
|
||||
@@ -510,7 +510,7 @@ if ($search_status != '-1' && $search_status != '')
|
||||
if ($search_status == '2') $sql .= " AND f.fk_statut = 2"; // payed Not that some corrupted data may contains f.fk_statut = 1 AND f.paye = 1 (it means payed too but should not happend. If yes, reopen and reclassify billed)
|
||||
if ($search_status == '3') $sql .= " AND f.fk_statut = 3"; // abandonned
|
||||
} else {
|
||||
$sql .= " AND f.fk_statut IN (".$db->escape($search_status).")"; // When search_status is '1,2' for example
|
||||
$sql .= " AND f.fk_statut IN (".$db->sanitize($db->escape($search_status)).")"; // When search_status is '1,2' for example
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -95,7 +95,7 @@ function getEntity($element, $shared = 1, $currentobject = null)
|
||||
$out = '';
|
||||
$addzero = array('user', 'usergroup', 'c_email_templates', 'email_template', 'default_values');
|
||||
if (in_array($element, $addzero)) $out .= '0,';
|
||||
$out .= $conf->entity;
|
||||
$out .= ((int) $conf->entity);
|
||||
return $out;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -96,7 +96,7 @@ $sql .= " FROM ".MAIN_DB_PREFIX."don as d LEFT JOIN ".MAIN_DB_PREFIX."projet AS
|
||||
$sql .= " ON p.rowid = d.fk_projet WHERE d.entity IN (".getEntity('donation').")";
|
||||
if ($search_status != '' && $search_status != '-4')
|
||||
{
|
||||
$sql .= " AND d.fk_statut IN (".$db->escape($search_status).")";
|
||||
$sql .= " AND d.fk_statut IN (".$db->sanitize($db->escape($search_status)).")";
|
||||
}
|
||||
if (trim($search_ref) != '')
|
||||
{
|
||||
|
||||
@@ -302,7 +302,7 @@ if ($search_amount_ttc != '') $sql .= natural_search('d.total_ttc', $search_amou
|
||||
// User
|
||||
if ($search_user != '' && $search_user >= 0) $sql .= " AND u.rowid = '".$db->escape($search_user)."'";
|
||||
// Status
|
||||
if ($search_status != '' && $search_status >= 0) $sql .= " AND d.fk_statut IN (".$db->escape($search_status).")";
|
||||
if ($search_status != '' && $search_status >= 0) $sql .= " AND d.fk_statut IN (".$db->sanitize($db->escape($search_status)).")";
|
||||
// RESTRICT RIGHTS
|
||||
if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous)
|
||||
&& (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || empty($user->rights->expensereport->writeall_advance)))
|
||||
|
||||
@@ -595,10 +595,10 @@ if ($object->id > 0)
|
||||
// Show orders we can bill
|
||||
if (empty($conf->global->SUPPLIER_ORDER_TO_INVOICE_STATUS))
|
||||
{
|
||||
$sql2 .= " AND c.fk_statut IN (".CommandeFournisseur::STATUS_RECEIVED_COMPLETELY.")"; // Must match filter in htdocs/fourn/orderstoinvoice.php
|
||||
$sql2 .= " AND c.fk_statut IN (".$db->sanitize(CommandeFournisseur::STATUS_RECEIVED_COMPLETELY)).")"; // Must match filter in htdocs/fourn/orderstoinvoice.php
|
||||
} else {
|
||||
// CommandeFournisseur::STATUS_ORDERSENT.", ".CommandeFournisseur::STATUS_RECEIVED_PARTIALLY.", ".CommandeFournisseur::STATUS_RECEIVED_COMPLETELY
|
||||
$sql2 .= " AND c.fk_statut IN (".$db->escape($conf->global->SUPPLIER_ORDER_TO_INVOICE_STATUS).")";
|
||||
$sql2 .= " AND c.fk_statut IN (".$db->sanitize($db->escape($conf->global->SUPPLIER_ORDER_TO_INVOICE_STATUS)).")";
|
||||
}
|
||||
$sql2 .= " AND c.billed = 0";
|
||||
// Find order that are not already invoiced
|
||||
|
||||
@@ -535,16 +535,16 @@ if ($search_billed != '' && $search_billed >= 0) $sql .= " AND cf.billed = ".$db
|
||||
if ($search_product_category > 0) $sql .= " AND cp.fk_categorie = ".$search_product_category;
|
||||
//Required triple check because statut=0 means draft filter
|
||||
if (GETPOST('statut', 'intcomma') !== '')
|
||||
$sql .= " AND cf.fk_statut IN (".$db->escape($db->escape(GETPOST('statut', 'intcomma'))).")";
|
||||
$sql .= " AND cf.fk_statut IN (".$db->sanitize($db->escape(GETPOST('statut', 'intcomma'))).")";
|
||||
if ($search_status != '' && $search_status >= 0)
|
||||
$sql .= " AND cf.fk_statut IN (".$db->escape($search_status).")";
|
||||
$sql .= " AND cf.fk_statut IN (".$db->sanitize($db->escape($search_status)).")";
|
||||
$sql .= dolSqlDateFilter("cf.date_commande", $search_orderday, $search_ordermonth, $search_orderyear);
|
||||
$sql .= dolSqlDateFilter("cf.date_livraison", $search_deliveryday, $search_deliverymonth, $search_deliveryyear);
|
||||
if ($search_town) $sql .= natural_search('s.town', $search_town);
|
||||
if ($search_zip) $sql .= natural_search("s.zip", $search_zip);
|
||||
if ($search_state) $sql .= natural_search("state.nom", $search_state);
|
||||
if ($search_country) $sql .= " AND s.fk_pays IN (".$db->escape($search_country).')';
|
||||
if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->escape($search_type_thirdparty).')';
|
||||
if ($search_country) $sql .= " AND s.fk_pays IN (".$db->sanitize($db->escape($search_country)).')';
|
||||
if ($search_type_thirdparty) $sql .= " AND s.fk_typent IN (".$db->sanitize($db->escape($search_type_thirdparty)).')';
|
||||
if ($search_company) $sql .= natural_search('s.nom', $search_company);
|
||||
if ($search_sale > 0) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$db->escape($search_sale);
|
||||
if ($search_user > 0) $sql .= " AND ec.fk_c_type_contact = tc.rowid AND tc.element='supplier_order' AND tc.source='internal' AND ec.element_id = cf.rowid AND ec.fk_socpeople = ".$db->escape($search_user);
|
||||
|
||||
@@ -445,10 +445,10 @@ if (($action != 'create' && $action != 'add') && !$error) {
|
||||
// Show orders we can bill
|
||||
if (empty($conf->global->SUPPLIER_ORDER_TO_INVOICE_STATUS))
|
||||
{
|
||||
$sql .= " AND c.fk_statut IN (".CommandeFournisseur::STATUS_RECEIVED_COMPLETELY.")"; // Must match filter in htdocs/fourn/card.php
|
||||
$sql .= " AND c.fk_statut IN (".$db->sanitize($db->escape(CommandeFournisseur::STATUS_RECEIVED_COMPLETELY)).")"; // Must match filter in htdocs/fourn/card.php
|
||||
} else {
|
||||
// CommandeFournisseur::STATUS_ORDERSENT.", ".CommandeFournisseur::STATUS_RECEIVED_PARTIALLY.", ".CommandeFournisseur::STATUS_RECEIVED_COMPLETELY
|
||||
$sql .= " AND c.fk_statut IN (".$db->escape($conf->global->SUPPLIER_ORDER_TO_INVOICE_STATUS).")";
|
||||
$sql .= " AND c.fk_statut IN (".$db->sanitize($db->escape($conf->global->SUPPLIER_ORDER_TO_INVOICE_STATUS)).")";
|
||||
}
|
||||
|
||||
$sql .= " AND c.billed = 0";
|
||||
|
||||
@@ -1122,7 +1122,7 @@ class Holiday extends CommonObject
|
||||
$sql .= " WHERE cp.entity IN (".getEntity('holiday').")";
|
||||
$sql .= " AND cp.fk_user = ".(int) $fk_user;
|
||||
$sql .= " AND cp.date_debut <= '".$this->db->idate($timestamp)."' AND cp.date_fin >= '".$this->db->idate($timestamp)."'";
|
||||
if ($status != '-1') $sql .= " AND cp.statut IN (".$this->db->escape($status).")";
|
||||
if ($status != '-1') $sql .= " AND cp.statut IN (".$this->db->sanitize($this->db->escape($status)).")";
|
||||
|
||||
$resql = $this->db->query($sql);
|
||||
if ($resql)
|
||||
|
||||
@@ -121,7 +121,7 @@ class FormProduct
|
||||
$sql .= " WHERE e.entity IN (".getEntity('stock').")";
|
||||
if (count($warehouseStatus))
|
||||
{
|
||||
$sql .= " AND e.statut IN (".$this->db->escape(implode(',', $warehouseStatus)).")";
|
||||
$sql .= " AND e.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")";
|
||||
} else {
|
||||
$sql .= " AND e.statut = 1";
|
||||
}
|
||||
|
||||
@@ -4698,7 +4698,7 @@ class Product extends CommonObject
|
||||
$sql .= " AND w.rowid = ps.fk_entrepot";
|
||||
$sql .= " AND ps.fk_product = ".$this->id;
|
||||
if ($conf->global->ENTREPOT_EXTRA_STATUS && count($warehouseStatus)) {
|
||||
$sql .= " AND w.statut IN (".$this->db->escape(implode(',', $warehouseStatus)).")";
|
||||
$sql .= " AND w.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")";
|
||||
}
|
||||
|
||||
dol_syslog(get_class($this)."::load_stock", LOG_DEBUG);
|
||||
|
||||
@@ -124,7 +124,7 @@ if ($date && $dateIsValid) { // Avoid heavy sql if mandatory date is not defined
|
||||
$sql .= " WHERE w.entity IN (".getEntity('stock').")";
|
||||
$sql .= " AND w.rowid = ps.fk_entrepot";
|
||||
if (! empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) {
|
||||
$sql .= " AND w.statut IN (".$this->db->escape(implode(',', $warehouseStatus)).")";
|
||||
$sql .= " AND w.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")";
|
||||
}
|
||||
if ($productid > 0) {
|
||||
$sql .= " AND ps.fk_product = ".$productid;
|
||||
@@ -175,7 +175,7 @@ if ($date && $dateIsValid) {
|
||||
$sql .= " WHERE w.entity IN (".getEntity('stock').")";
|
||||
$sql .= " AND w.rowid = sm.fk_entrepot";
|
||||
if (! empty($conf->global->ENTREPOT_EXTRA_STATUS) && count($warehouseStatus)) {
|
||||
$sql .= " AND w.statut IN (".$this->db->escape(implode(',', $warehouseStatus)).")";
|
||||
$sql .= " AND w.statut IN (".$this->db->sanitize($this->db->escape(implode(',', $warehouseStatus))).")";
|
||||
}
|
||||
if ($mode == 'future') {
|
||||
$sql .= " AND sm.datem <= '".$db->idate($dateendofday)."'";
|
||||
|
||||
@@ -457,7 +457,7 @@ if ($search_town) $sql .= natural_search("s.town", $search_town);
|
||||
if (strlen($search_zip)) $sql .= natural_search("s.zip", $search_zip);
|
||||
if ($search_state) $sql .= natural_search("state.nom", $search_state);
|
||||
if ($search_region) $sql .= natural_search("region.nom", $search_region);
|
||||
if ($search_country && $search_country != '-1') $sql .= " AND s.fk_pays IN (".$db->escape($search_country).')';
|
||||
if ($search_country && $search_country != '-1') $sql .= " AND s.fk_pays IN (".$db->sanitize($db->escape($search_country)).')';
|
||||
if ($search_email) $sql .= natural_search("s.email", $search_email);
|
||||
if (strlen($search_phone)) $sql .= natural_search("s.phone", $search_phone);
|
||||
if (strlen($search_fax)) $sql .= natural_search("s.fax", $search_fax);
|
||||
@@ -470,7 +470,7 @@ if (strlen($search_idprof5)) $sql .= natural_search("s.idprof5", $search_idprof5
|
||||
if (strlen($search_idprof6)) $sql .= natural_search("s.idprof6", $search_idprof6);
|
||||
if (strlen($search_vat)) $sql .= natural_search("s.tva_intra", $search_vat);
|
||||
// Filter on type of thirdparty
|
||||
if ($search_type > 0 && in_array($search_type, array('1,3', '2,3'))) $sql .= " AND s.client IN (".$db->escape($search_type).")";
|
||||
if ($search_type > 0 && in_array($search_type, array('1,3', '2,3'))) $sql .= " AND s.client IN (".$db->sanitize($db->escape($search_type)).")";
|
||||
if ($search_type > 0 && in_array($search_type, array('4'))) $sql .= " AND s.fournisseur = 1";
|
||||
if ($search_type == '0') $sql .= " AND s.client = 0 AND s.fournisseur = 0";
|
||||
if ($search_status != '' && $search_status >= 0) $sql .= natural_search("s.status", $search_status, 2);
|
||||
|
||||
@@ -224,7 +224,7 @@ if ($reshook > 0) {
|
||||
}
|
||||
if ($socid > 0) $sql .= " AND u.fk_soc = ".$socid;
|
||||
//if ($search_user != '') $sql.=natural_search(array('u.login', 'u.lastname', 'u.firstname'), $search_user);
|
||||
if ($search_supervisor > 0) $sql .= " AND u.fk_user IN (".$db->escape($search_supervisor).")";
|
||||
if ($search_supervisor > 0) $sql .= " AND u.fk_user IN (".$db->sanitize($db->escape($search_supervisor)).")";
|
||||
if ($search_thirdparty != '') $sql .= natural_search(array('s.nom'), $search_thirdparty);
|
||||
if ($search_login != '') $sql .= natural_search("u.login", $search_login);
|
||||
if ($search_lastname != '') $sql .= natural_search("u.lastname", $search_lastname);
|
||||
@@ -236,9 +236,9 @@ if (is_numeric($search_employee) && $search_employee >= 0) {
|
||||
if ($search_accountancy_code != '') $sql .= natural_search("u.accountancy_code", $search_accountancy_code);
|
||||
if ($search_email != '') $sql .= natural_search("u.email", $search_email);
|
||||
if ($search_api_key != '') $sql .= natural_search("u.api_key", $search_api_key);
|
||||
if ($search_statut != '' && $search_statut >= 0) $sql .= " AND u.statut IN (".$db->escape($search_statut).")";
|
||||
if ($search_statut != '' && $search_statut >= 0) $sql .= " AND u.statut IN (".$db->sanitize($db->escape($search_statut)).")";
|
||||
if ($sall) $sql .= natural_search(array_keys($fieldstosearchall), $sall);
|
||||
if ($catid > 0) $sql .= " AND cu.fk_categorie = ".$catid;
|
||||
if ($catid > 0) $sql .= " AND cu.fk_categorie = ".((int) $catid);
|
||||
if ($catid == -2) $sql .= " AND cu.fk_categorie IS NULL";
|
||||
if ($search_categ > 0) $sql .= " AND cu.fk_categorie = ".$db->escape($search_categ);
|
||||
if ($search_categ == -2) $sql .= " AND cu.fk_categorie IS NULL";
|
||||
|
||||
Reference in New Issue
Block a user