diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php index abb52560d24..bab9be7670c 100644 --- a/htdocs/compta/facture/class/facture.class.php +++ b/htdocs/compta/facture/class/facture.class.php @@ -4890,8 +4890,8 @@ class Facture extends CommonInvoice if ($this->statut >= 0) { $fieldname = 'retained_warranty_date_limit'; $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element; - $sql .= ' SET '.$fieldname.' = '.(strval($timestamp) != '' ? '\''.$this->db->idate($timestamp).'\'' : 'null'); - $sql .= ' WHERE rowid='.((int) $this->id); + $sql .= " SET ".$fieldname." = ".(strval($timestamp) != '' ? "'".$this->db->idate($timestamp)."'" : 'null'); + $sql .= ' WHERE rowid = '.((int) $this->id); if ($this->db->query($sql)) { $this->retained_warranty_date_limit = $timestamp; diff --git a/htdocs/compta/stats/byratecountry.php b/htdocs/compta/stats/byratecountry.php index 9a9ba40b56a..afc56532fdf 100644 --- a/htdocs/compta/stats/byratecountry.php +++ b/htdocs/compta/stats/byratecountry.php @@ -306,7 +306,7 @@ if ($modecompta == 'CREANCES-DETTES') { $sql .= " fd.product_type AS product_type,"; $sql .= " cc.code, cc.label AS country,"; for ($i = 1; $i <= 12; $i++) { - $sql .= " SUM(".$db->ifsql('MONTH(f.datef)='.$i, 'fd.total_ht', '0').") AS month".str_pad($i, 2, '0', STR_PAD_LEFT).","; + $sql .= " SUM(".$db->ifsql("MONTH(f.datef)=".$i, "fd.total_ht", "0").") AS month".str_pad($i, 2, "0", STR_PAD_LEFT).","; } $sql .= " SUM(fd.total_ht) as total"; $sql .= " FROM ".MAIN_DB_PREFIX."facturedet as fd"; @@ -393,7 +393,7 @@ if ($modecompta == 'CREANCES-DETTES') { $sql2 .= " ffd.product_type AS product_type,"; $sql2 .= " cc.code, cc.label AS country,"; for ($i = 1; $i <= 12; $i++) { - $sql2 .= " SUM(".$db->ifsql('MONTH(ff.datef)='.$i, 'ffd.total_ht', '0').") AS month".str_pad($i, 2, '0', STR_PAD_LEFT).","; + $sql2 .= " SUM(".$db->ifsql("MONTH(ff.datef)=".$i, "ffd.total_ht", "0").") AS month".str_pad($i, 2, "0", STR_PAD_LEFT).","; } $sql2 .= " SUM(ffd.total_ht) as total"; $sql2 .= " FROM ".MAIN_DB_PREFIX."facture_fourn_det as ffd"; diff --git a/htdocs/compta/tva/class/tva.class.php b/htdocs/compta/tva/class/tva.class.php index 25fcee08e57..38da3c21eae 100644 --- a/htdocs/compta/tva/class/tva.class.php +++ b/htdocs/compta/tva/class/tva.class.php @@ -768,7 +768,7 @@ class Tva extends CommonObject $sql = 'SELECT sum(amount) as amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.$table; - $sql .= ' WHERE '.$field.' = '.((int) $this->id); + $sql .= " WHERE ".$field." = ".((int) $this->id); dol_syslog(get_class($this)."::getSommePaiement", LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/compta/tva/list.php b/htdocs/compta/tva/list.php index 1dc0180bd60..8c12dbfd704 100644 --- a/htdocs/compta/tva/list.php +++ b/htdocs/compta/tva/list.php @@ -161,16 +161,16 @@ if (!empty($search_label)) { $sql .= natural_search('t.label', $search_label); } if (!empty($search_dateend_start)) { - $sql .= ' AND t.datev >= "'.$db->idate($search_dateend_start).'"'; + $sql .= " AND t.datev >= '".$db->idate($search_dateend_start)."'"; } if (!empty($search_dateend_end)) { - $sql .= ' AND t.datev <= "'.$db->idate($search_dateend_end).'"'; + $sql .= " AND t.datev <= '".$db->idate($search_dateend_end)."'"; } if (!empty($search_datepayment_start)) { - $sql .= ' AND t.datep >= "'.$db->idate($search_datepayment_start).'"'; + $sql .= " AND t.datep >= '".$db->idate($search_datepayment_start)."'"; } if (!empty($search_datepayment_end)) { - $sql .= ' AND t.datep <= "'.$db->idate($search_datepayment_end).'"'; + $sql .= " AND t.datep <= '".$db->idate($search_datepayment_end)."'"; } if (!empty($search_type) && $search_type > 0) { $sql .= ' AND t.fk_typepayment = '.((int) $search_type); diff --git a/htdocs/contact/class/contact.class.php b/htdocs/contact/class/contact.class.php index fd9830f36ca..066ee681f7a 100644 --- a/htdocs/contact/class/contact.class.php +++ b/htdocs/contact/class/contact.class.php @@ -388,8 +388,8 @@ class Contact extends CommonObject $sql .= " WHERE sp.fk_soc = s.rowid AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id); $clause = "AND"; } - $sql .= ' '.$clause.' sp.entity IN ('.getEntity($this->element).')'; - $sql .= " AND (sp.priv='0' OR (sp.priv='1' AND sp.fk_user_creat=".((int) $user->id)."))"; + $sql .= " ".$clause." sp.entity IN (".getEntity($this->element).")"; + $sql .= " AND (sp.priv='0' OR (sp.priv='1' AND sp.fk_user_creat = ".((int) $user->id)."))"; if ($user->socid > 0) { $sql .= " AND sp.fk_soc = ".((int) $user->socid); } diff --git a/htdocs/contact/list.php b/htdocs/contact/list.php index 3f98f556cb7..7a9bfefb11f 100644 --- a/htdocs/contact/list.php +++ b/htdocs/contact/list.php @@ -478,7 +478,7 @@ if (strlen($search_fax)) { if (!empty($conf->socialnetworks->enabled)) { foreach ($socialnetworks as $key => $value) { if ($value['active'] && strlen($search_[$key])) { - $sql .= ' AND p.socialnetworks LIKE \'%"'.$key.'":"'.$search_[$key].'%\''; + $sql .= " AND p.socialnetworks LIKE '%\"".$key."\":\"".$search_[$key]."%'"; } } } diff --git a/htdocs/contrat/class/contrat.class.php b/htdocs/contrat/class/contrat.class.php index 1ce51af2d90..a7a42ca7350 100644 --- a/htdocs/contrat/class/contrat.class.php +++ b/htdocs/contrat/class/contrat.class.php @@ -1222,7 +1222,7 @@ class Contrat extends CommonObject // Delete llx_ecm_files if (!$error) { - $sql = 'DELETE FROM '.MAIN_DB_PREFIX."ecm_files WHERE src_object_type = '".$this->db->escape($this->table_element.(empty($this->module) ? '' : '@'.$this->module))."' AND src_object_id = ".((int) $this->id); + $sql = 'DELETE FROM '.MAIN_DB_PREFIX."ecm_files WHERE src_object_type = '".$this->db->escape($this->table_element.(empty($this->module) ? "" : "@".$this->module))."' AND src_object_id = ".((int) $this->id); $resql = $this->db->query($sql); if (!$resql) { $this->error = $this->db->lasterror(); @@ -3257,12 +3257,12 @@ class ContratLigne extends CommonObjectLine $sql .= " '".$this->db->escape($this->info_bits)."',"; $sql .= " ".price2num($this->price_ht).",".price2num($this->remise).","; if ($this->fk_fournprice > 0) { - $sql .= ' '.$this->fk_fournprice.','; + $sql .= ' '.((int) $this->fk_fournprice).','; } else { $sql .= ' null,'; } if ($this->pa_ht > 0) { - $sql .= ' '.price2num($this->pa_ht); + $sql .= ' '.((float) price2num($this->pa_ht)); } else { $sql .= ' null'; } diff --git a/htdocs/contrat/index.php b/htdocs/contrat/index.php index cc3bc87ca54..b85cda094f3 100644 --- a/htdocs/contrat/index.php +++ b/htdocs/contrat/index.php @@ -99,7 +99,7 @@ $sql .= " WHERE cd.fk_contrat = c.rowid AND c.fk_soc = s.rowid"; $sql .= " AND (cd.statut != 4 OR (cd.statut = 4 AND (cd.date_fin_validite is null or cd.date_fin_validite >= '".$db->idate($now)."')))"; $sql .= " AND c.entity IN (".getEntity('contract', 0).")"; if ($user->socid) { - $sql .= ' AND c.fk_soc = '.$user->socid; + $sql .= ' AND c.fk_soc = '.((int) $user->socid); } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id); @@ -136,7 +136,7 @@ $sql .= " WHERE cd.fk_contrat = c.rowid AND c.fk_soc = s.rowid"; $sql .= " AND (cd.statut = 4 AND cd.date_fin_validite < '".$db->idate($now)."')"; $sql .= " AND c.entity IN (".getEntity('contract', 0).")"; if ($user->socid) { - $sql .= ' AND c.fk_soc = '.$user->socid; + $sql .= ' AND c.fk_soc = '.((int) $user->socid); } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id); @@ -304,11 +304,11 @@ print '
'; // Last modified contracts $max = 5; $sql = 'SELECT '; -$sql .= ' sum('.$db->ifsql("cd.statut=0", 1, 0).') as nb_initial,'; -$sql .= ' sum('.$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NULL OR cd.date_fin_validite >= '".$db->idate($now)."')", 1, 0).') as nb_running,'; -$sql .= ' sum('.$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NOT NULL AND cd.date_fin_validite < '".$db->idate($now)."')", 1, 0).') as nb_expired,'; -$sql .= ' sum('.$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NOT NULL AND cd.date_fin_validite < '".$db->idate($now - $conf->contrat->services->expires->warning_delay)."')", 1, 0).') as nb_late,'; -$sql .= ' sum('.$db->ifsql("cd.statut=5", 1, 0).') as nb_closed,'; +$sql .= " sum(".$db->ifsql("cd.statut=0", 1, 0).') as nb_initial,'; +$sql .= " sum(".$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NULL OR cd.date_fin_validite >= '".$db->idate($now)."')", 1, 0).') as nb_running,'; +$sql .= " sum(".$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NOT NULL AND cd.date_fin_validite < '".$db->idate($now)."')", 1, 0).') as nb_expired,'; +$sql .= " sum(".$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NOT NULL AND cd.date_fin_validite < '".$db->idate($now - $conf->contrat->services->expires->warning_delay)."')", 1, 0).') as nb_late,'; +$sql .= " sum(".$db->ifsql("cd.statut=5", 1, 0).') as nb_closed,'; $sql .= " c.rowid as cid, c.ref, c.datec, c.tms, c.statut, s.nom as name, s.rowid as socid"; $sql .= " FROM ".MAIN_DB_PREFIX."societe as s,"; if (!$user->rights->societe->client->voir && !$socid) { diff --git a/htdocs/contrat/list.php b/htdocs/contrat/list.php index 596e86df53e..66d84874d76 100644 --- a/htdocs/contrat/list.php +++ b/htdocs/contrat/list.php @@ -236,11 +236,11 @@ $sql .= ' s.rowid as socid, s.nom as name, s.name_alias, s.email, s.town, s.zip, $sql .= " typent.code as typent_code,"; $sql .= " state.code_departement as state_code, state.nom as state_name,"; $sql .= " MIN(".$db->ifsql("cd.statut=4", "cd.date_fin_validite", "null").") as lower_planned_end_date,"; -$sql .= ' SUM('.$db->ifsql("cd.statut=0", 1, 0).') as nb_initial,'; -$sql .= ' SUM('.$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NULL OR cd.date_fin_validite >= '".$db->idate($now)."')", 1, 0).') as nb_running,'; -$sql .= ' SUM('.$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NOT NULL AND cd.date_fin_validite < '".$db->idate($now)."')", 1, 0).') as nb_expired,'; -$sql .= ' SUM('.$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NOT NULL AND cd.date_fin_validite < '".$db->idate($now - $conf->contrat->services->expires->warning_delay)."')", 1, 0).') as nb_late,'; -$sql .= ' SUM('.$db->ifsql("cd.statut=5", 1, 0).') as nb_closed'; +$sql .= " SUM(".$db->ifsql("cd.statut=0", 1, 0).') as nb_initial,'; +$sql .= " SUM(".$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NULL OR cd.date_fin_validite >= '".$db->idate($now)."')", 1, 0).') as nb_running,'; +$sql .= " SUM(".$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NOT NULL AND cd.date_fin_validite < '".$db->idate($now)."')", 1, 0).') as nb_expired,'; +$sql .= " SUM(".$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NOT NULL AND cd.date_fin_validite < '".$db->idate($now - $conf->contrat->services->expires->warning_delay)."')", 1, 0).') as nb_late,'; +$sql .= " SUM(".$db->ifsql("cd.statut=5", 1, 0).') as nb_closed'; // Add fields from extrafields if (!empty($extrafields->attributes[$object->table_element]['label'])) { foreach ($extrafields->attributes[$object->table_element]['label'] as $key => $val) { diff --git a/htdocs/core/ajax/check_notifications.php b/htdocs/core/ajax/check_notifications.php index 35d10af49b6..bbbc95a19c5 100644 --- a/htdocs/core/ajax/check_notifications.php +++ b/htdocs/core/ajax/check_notifications.php @@ -75,12 +75,9 @@ if ($action == 'stopreminder') { $listofreminderid = GETPOST('listofreminderids', 'intcomma'); // Set the reminder as done - //foreach ($listofreminderidsarray as $listofreminderid) { - // if (empty($listofreminderid)) continue; - //$sql = 'DELETE FROM '.MAIN_DB_PREFIX.'action_reminder WHERE rowid = '.$listofreminderid.' AND fk_user = '.$user->id; $sql = 'UPDATE '.MAIN_DB_PREFIX.'actioncomm_reminder SET status = 1'; $sql .= ' WHERE status = 0 AND rowid IN ('.$db->sanitize($db->escape($listofreminderid)).')'; - $sql .= ' AND fk_user = '.$user->id.' AND entity = '.$conf->entity; + $sql .= ' AND fk_user = '.((int) $user->id).' AND entity = '.((int) $conf->entity); $resql = $db->query($sql); if (!$resql) { dol_print_error($db); @@ -149,13 +146,13 @@ if (empty($_SESSION['auto_check_events_not_before']) || $time >= $_SESSION['auto $sql = 'SELECT a.id as id_agenda, a.code, a.datep, a.label, a.location, ar.rowid as id_reminder, ar.dateremind, ar.fk_user as id_user_reminder'; $sql .= ' FROM '.MAIN_DB_PREFIX.'actioncomm as a'; if (!empty($user->conf->MAIN_USER_WANT_ALL_EVENTS_NOTIFICATIONS)) { - $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'actioncomm_reminder as ar ON a.id = ar.fk_actioncomm AND ar.fk_user = '.$user->id; + $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'actioncomm_reminder as ar ON a.id = ar.fk_actioncomm AND ar.fk_user = '.((int) $user->id); $sql .= ' WHERE a.code <> "AC_OTH_AUTO"'; $sql .= ' AND ('; $sql .= " (ar.typeremind = 'browser' AND ar.dateremind < '".$db->idate(dol_now())."' AND ar.status = 0 AND ar.entity = ".$conf->entity; $sql .= ' )'; } else { - $sql .= ' JOIN '.MAIN_DB_PREFIX.'actioncomm_reminder as ar ON a.id = ar.fk_actioncomm AND ar.fk_user = '.$user->id; + $sql .= ' JOIN '.MAIN_DB_PREFIX.'actioncomm_reminder as ar ON a.id = ar.fk_actioncomm AND ar.fk_user = '.((int) $user->id); $sql .= " AND ar.typeremind = 'browser' AND ar.dateremind < '".$db->idate(dol_now())."' AND ar.status = 0 AND ar.entity = ".$conf->entity; } $sql .= $db->order('datep', 'ASC'); diff --git a/htdocs/core/boxes/box_services_expired.php b/htdocs/core/boxes/box_services_expired.php index 95086cdf2a3..433c566ad31 100644 --- a/htdocs/core/boxes/box_services_expired.php +++ b/htdocs/core/boxes/box_services_expired.php @@ -93,7 +93,7 @@ class box_services_expired extends ModeleBoxes $sql .= " AND c.entity = ".$conf->entity; $sql .= " AND c.fk_soc=s.rowid AND cd.fk_contrat=c.rowid AND c.statut > 0"; if ($user->socid) { - $sql .= ' AND c.fk_soc = '.$user->socid; + $sql .= ' AND c.fk_soc = '.((int) $user->socid); } if (!$user->rights->societe->client->voir && !$user->socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id); diff --git a/htdocs/core/boxes/box_validated_projects.php b/htdocs/core/boxes/box_validated_projects.php index f1fb55878aa..0c4155da6c7 100644 --- a/htdocs/core/boxes/box_validated_projects.php +++ b/htdocs/core/boxes/box_validated_projects.php @@ -157,7 +157,7 @@ class box_validated_projects extends ModeleBoxes ); if ($objp->fk_soc > 0) { - $sql = 'SELECT rowid, nom as name FROM '.MAIN_DB_PREFIX.'societe WHERE rowid ='.$objp->fk_soc; + $sql = 'SELECT rowid, nom as name FROM '.MAIN_DB_PREFIX.'societe WHERE rowid = '.((int) $objp->fk_soc); $resql = $this->db->query($sql); //$socstatic = new Societe($this->db); $obj2 = $this->db->fetch_object($resql); @@ -165,7 +165,7 @@ class box_validated_projects extends ModeleBoxes 'td' => 'class="tdoverflowmax150 maxwidth200onsmartphone"', 'text' => $obj2->name, 'asis' => 1, - 'url' => DOL_URL_ROOT.'/societe/card.php?socid='.$obj2->rowid + 'url' => DOL_URL_ROOT.'/societe/card.php?socid='.urlencode($obj2->rowid) ); } else { $this->info_box_contents[$i][] = array( diff --git a/htdocs/core/class/commoninvoice.class.php b/htdocs/core/class/commoninvoice.class.php index 65988c9cdf0..dfabfd24ebe 100644 --- a/htdocs/core/class/commoninvoice.class.php +++ b/htdocs/core/class/commoninvoice.class.php @@ -132,7 +132,7 @@ abstract class CommonInvoice extends CommonObject $sql = 'SELECT sum(amount) as amount, sum(multicurrency_amount) as multicurrency_amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.$table; - $sql .= ' WHERE '.$field.' = '.((int) $this->id); + $sql .= " WHERE ".$field." = ".((int) $this->id); dol_syslog(get_class($this)."::getSommePaiement", LOG_DEBUG); $resql = $this->db->query($sql); @@ -308,9 +308,8 @@ abstract class CommonInvoice extends CommonObject $sql = 'SELECT p.ref, pf.amount, pf.multicurrency_amount, p.fk_paiement, p.datep, p.num_paiement as num, t.code'.$field3; $sql .= ' FROM '.MAIN_DB_PREFIX.$table.' as pf, '.MAIN_DB_PREFIX.$table2.' as p, '.MAIN_DB_PREFIX.'c_paiement as t'; - $sql .= ' WHERE pf.'.$field.' = '.((int) $this->id); - //$sql.= ' WHERE pf.'.$field.' = 1'; - $sql .= ' AND pf.'.$field2.' = p.rowid'; + $sql .= " WHERE pf.".$field." = ".((int) $this->id); + $sql .= " AND pf.".$field2." = p.rowid"; $sql .= ' AND p.fk_paiement = t.id'; $sql .= ' AND p.entity IN ('.getEntity($sharedentity).')'; if ($filtertype) { diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php index a4a98da9690..fce86b080bd 100644 --- a/htdocs/core/class/commonobject.class.php +++ b/htdocs/core/class/commonobject.class.php @@ -2054,7 +2054,7 @@ abstract class CommonObject } if (isset($this->ismultientitymanaged) && !is_numeric($this->ismultientitymanaged)) { $tmparray = explode('@', $this->ismultientitymanaged); - $sql .= ' AND te.'.$tmparray[0].' = '.($tmparray[1] == 'societe' ? 's' : 'parenttable').'.rowid'; // If we need to link to this table to limit select to entity + $sql .= " AND te.".$tmparray[0]." = ".($tmparray[1] == "societe" ? "s" : "parenttable").".rowid"; // If we need to link to this table to limit select to entity } elseif ($restrictiononfksoc == 1 && $this->element != 'societe' && !$user->rights->societe->client->voir && !$socid) { $sql .= ' AND te.fk_soc = s.rowid'; // If we need to link to societe to limit select to socid } @@ -2075,13 +2075,13 @@ abstract class CommonObject $sql .= ' AND parenttable.entity IN ('.getEntity($tmparray[1]).')'; } if ($restrictiononfksoc == 1 && $socid && $this->element != 'societe') { - $sql .= ' AND te.fk_soc = '.$socid; + $sql .= ' AND te.fk_soc = '.((int) $socid); } if ($restrictiononfksoc == 2 && $socid && $this->element != 'societe') { - $sql .= ' AND (te.fk_soc = '.$socid.' OR te.fk_soc IS NULL)'; + $sql .= ' AND (te.fk_soc = '.((int) $socid).' OR te.fk_soc IS NULL)'; } if ($restrictiononfksoc && $socid && $this->element == 'societe') { - $sql .= ' AND te.rowid = '.$socid; + $sql .= ' AND te.rowid = '.((int) $socid); } //print 'socid='.$socid.' restrictiononfksoc='.$restrictiononfksoc.' ismultientitymanaged = '.$this->ismultientitymanaged.' filter = '.$filter.' -> '.$sql."
"; @@ -2124,7 +2124,7 @@ abstract class CommonObject } if (isset($this->ismultientitymanaged) && !is_numeric($this->ismultientitymanaged)) { $tmparray = explode('@', $this->ismultientitymanaged); - $sql .= ' AND te.'.$tmparray[0].' = '.($tmparray[1] == 'societe' ? 's' : 'parenttable').'.rowid'; // If we need to link to this table to limit select to entity + $sql .= " AND te.".$tmparray[0]." = ".($tmparray[1] == "societe" ? "s" : "parenttable").".rowid"; // If we need to link to this table to limit select to entity } elseif ($restrictiononfksoc == 1 && $this->element != 'societe' && !$user->rights->societe->client->voir && !$socid) { $sql .= ' AND te.fk_soc = s.rowid'; // If we need to link to societe to limit select to socid } @@ -2145,13 +2145,13 @@ abstract class CommonObject $sql .= ' AND parenttable.entity IN ('.getEntity($tmparray[1]).')'; } if ($restrictiononfksoc == 1 && $socid && $this->element != 'societe') { - $sql .= ' AND te.fk_soc = '.$socid; + $sql .= ' AND te.fk_soc = '.((int) $socid); } if ($restrictiononfksoc == 2 && $socid && $this->element != 'societe') { - $sql .= ' AND (te.fk_soc = '.$socid.' OR te.fk_soc IS NULL)'; + $sql .= ' AND (te.fk_soc = '.((int) $socid).' OR te.fk_soc IS NULL)'; } if ($restrictiononfksoc && $socid && $this->element == 'societe') { - $sql .= ' AND te.rowid = '.$socid; + $sql .= ' AND te.rowid = '.((int) $socid); } //print 'socid='.$socid.' restrictiononfksoc='.$restrictiononfksoc.' ismultientitymanaged = '.$this->ismultientitymanaged.' filter = '.$filter.' -> '.$sql."
"; // Rem: Bug in some mysql version: SELECT MIN(rowid) FROM llx_socpeople WHERE rowid > 1 when one row in database with rowid=1, returns 1 instead of null @@ -2206,19 +2206,19 @@ abstract class CommonObject return -1; } - $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element; + $sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element; if (!empty($this->fields['fk_project'])) { // Common case if ($projectid) { - $sql .= ' SET fk_project = '.((int) $projectid); + $sql .= " SET fk_project = ".((int) $projectid); } else { - $sql .= ' SET fk_project = NULL'; + $sql .= " SET fk_project = NULL"; } $sql .= ' WHERE rowid = '.((int) $this->id); } elseif ($this->table_element == 'actioncomm') { // Special case for actioncomm if ($projectid) { - $sql .= ' SET fk_project = '.((int) $projectid); + $sql .= " SET fk_project = ".((int) $projectid); } else { - $sql .= ' SET fk_project = NULL'; + $sql .= " SET fk_project = NULL"; } $sql .= ' WHERE id = '.((int) $this->id); } else // Special case for old architecture objects @@ -2266,8 +2266,8 @@ abstract class CommonObject $fieldname = 'fk_typepayment'; } - $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element; - $sql .= ' SET '.$fieldname.' = '.(($id > 0 || $id == '0') ? $id : 'NULL'); + $sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element; + $sql .= " SET ".$fieldname." = ".(($id > 0 || $id == '0') ? ((int) $id) : 'NULL'); $sql .= ' WHERE rowid='.((int) $this->id); if ($this->db->query($sql)) { @@ -2278,7 +2278,7 @@ abstract class CommonObject } return 1; } else { - dol_syslog(get_class($this).'::setPaymentMethods Error '.$sql.' - '.$this->db->error()); + dol_syslog(get_class($this).'::setPaymentMethods Error '.$this->db->error()); $this->error = $this->db->error(); return -1; } @@ -2302,7 +2302,7 @@ abstract class CommonObject $fieldname = 'multicurrency_code'; $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element; - $sql .= ' SET '.$fieldname." = '".$this->db->escape($code)."'"; + $sql .= " SET ".$fieldname." = '".$this->db->escape($code)."'"; $sql .= ' WHERE rowid='.((int) $this->id); if ($this->db->query($sql)) { @@ -2340,7 +2340,7 @@ abstract class CommonObject $fieldname = 'multicurrency_tx'; $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element; - $sql .= ' SET '.$fieldname.' = '.((float) $rate); + $sql .= " SET ".$fieldname." = ".((float) $rate); $sql .= ' WHERE rowid='.((int) $this->id); if ($this->db->query($sql)) { @@ -2548,7 +2548,7 @@ abstract class CommonObject } $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element; - $sql .= ' SET '.$fieldname.' = '.(($id > 0 || $id == '0') ? $id : 'NULL'); + $sql .= " SET ".$fieldname." = ".(($id > 0 || $id == '0') ? ((int) $id) : 'NULL'); $sql .= ' WHERE rowid='.((int) $this->id); if ($this->db->query($sql)) { @@ -2590,7 +2590,7 @@ abstract class CommonObject } $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element; - $sql .= ' SET '.$fieldname.' = '.(($id > 0 || $id == '0') ? $id : 'NULL'); + $sql .= " SET ".$fieldname." = ".(($id > 0 || $id == '0') ? ((int) $id) : 'NULL'); $sql .= ' WHERE rowid='.((int) $this->id); if ($this->db->query($sql)) { @@ -2625,7 +2625,7 @@ abstract class CommonObject $fieldname = 'retained_warranty_fk_cond_reglement'; $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element; - $sql .= ' SET '.$fieldname.' = '.((int) $id); + $sql .= " SET ".$fieldname." = ".((int) $id); $sql .= ' WHERE rowid='.((int) $this->id); if ($this->db->query($sql)) { @@ -2665,7 +2665,7 @@ abstract class CommonObject return 1; } else { $this->error = $this->db->error(); - dol_syslog(get_class($this).'::setDeliveryAddress Error '.$sql.' - '.$this->error); + dol_syslog(get_class($this).'::setDeliveryAddress Error '.$this->error); return -1; } } @@ -2884,7 +2884,7 @@ abstract class CommonObject // Count number of lines to reorder (according to choice $renum) $nl = 0; $sql = 'SELECT count(rowid) FROM '.MAIN_DB_PREFIX.$this->table_element_line; - $sql .= ' WHERE '.$this->fk_element.'='.((int) $this->id); + $sql .= " WHERE ".$this->fk_element." = ".((int) $this->id); if (!$renum) { $sql .= ' AND rang = 0'; } @@ -2906,7 +2906,7 @@ abstract class CommonObject // We first search all lines that are parent lines (for multilevel details lines) $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.$this->table_element_line; - $sql .= ' WHERE '.$this->fk_element.' = '.((int) $this->id); + $sql .= " WHERE ".$this->fk_element." = ".((int) $this->id); if ($fk_parent_line) { $sql .= ' AND fk_parent_line IS NULL'; } @@ -2954,7 +2954,7 @@ abstract class CommonObject $rows = array(); $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.$this->table_element_line; - $sql .= ' WHERE '.$this->fk_element.' = '.((int) $this->id); + $sql .= " WHERE ".$this->fk_element." = ".((int) $this->id); $sql .= ' AND fk_parent_line = '.((int) $id); $sql .= ' ORDER BY rang ASC'; @@ -3031,7 +3031,7 @@ abstract class CommonObject $fieldposition = 'position'; } - $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element_line.' SET '.$fieldposition.' = '.((int) $rang); + $sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element_line." SET ".$fieldposition." = ".((int) $rang); $sql .= ' WHERE rowid = '.((int) $rowid); dol_syslog(get_class($this)."::updateRangOfLine", LOG_DEBUG); @@ -3074,11 +3074,11 @@ abstract class CommonObject $fieldposition = 'position'; } - $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element_line.' SET '.$fieldposition.' = '.((int) $rang); - $sql .= ' WHERE '.$this->fk_element.' = '.((int) $this->id); + $sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element_line." SET ".$fieldposition." = ".((int) $rang); + $sql .= " WHERE ".$this->fk_element." = ".((int) $this->id); $sql .= ' AND rang = '.((int) ($rang - 1)); if ($this->db->query($sql)) { - $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element_line.' SET '.$fieldposition.' = '.((int) ($rang - 1)); + $sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element_line." SET ".$fieldposition." = ".((int) ($rang - 1)); $sql .= ' WHERE rowid = '.((int) $rowid); if (!$this->db->query($sql)) { dol_print_error($this->db); @@ -3105,11 +3105,11 @@ abstract class CommonObject $fieldposition = 'position'; } - $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element_line.' SET '.$fieldposition.' = '.((int) $rang); - $sql .= ' WHERE '.$this->fk_element.' = '.((int) $this->id); + $sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element_line." SET ".$fieldposition." = ".((int) $rang); + $sql .= " WHERE ".$this->fk_element." = ".((int) $this->id); $sql .= ' AND rang = '.((int) ($rang + 1)); if ($this->db->query($sql)) { - $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element_line.' SET '.$fieldposition.' = '.((int) ($rang + 1)); + $sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element_line." SET ".$fieldposition." = ".((int) ($rang + 1)); $sql .= ' WHERE rowid = '.((int) $rowid); if (!$this->db->query($sql)) { dol_print_error($this->db); @@ -3148,7 +3148,7 @@ abstract class CommonObject public function getIdOfLine($rang) { $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.$this->table_element_line; - $sql .= ' WHERE '.$this->fk_element.' = '.((int) $this->id); + $sql .= " WHERE ".$this->fk_element." = ".((int) $this->id); $sql .= ' AND rang = '.((int) $rang); $resql = $this->db->query($sql); if ($resql) { @@ -3174,8 +3174,8 @@ abstract class CommonObject // Search the last rang with fk_parent_line if ($fk_parent_line) { - $sql = 'SELECT max('.$positionfield.') FROM '.MAIN_DB_PREFIX.$this->table_element_line; - $sql .= ' WHERE '.$this->fk_element.' = '.((int) $this->id); + $sql = "SELECT max(".$positionfield.") FROM ".MAIN_DB_PREFIX.$this->table_element_line; + $sql .= " WHERE ".$this->fk_element." = ".((int) $this->id); $sql .= ' AND fk_parent_line = '.((int) $fk_parent_line); dol_syslog(get_class($this)."::line_max", LOG_DEBUG); @@ -3190,8 +3190,8 @@ abstract class CommonObject } } else { // If not, search the last rang of element - $sql = 'SELECT max('.$positionfield.') FROM '.MAIN_DB_PREFIX.$this->table_element_line; - $sql .= ' WHERE '.$this->fk_element.' = '.$this->id; + $sql = "SELECT max(".$positionfield.") FROM ".MAIN_DB_PREFIX.$this->table_element_line; + $sql .= " WHERE ".$this->fk_element." = ".((int) $this->id); dol_syslog(get_class($this)."::line_max", LOG_DEBUG); $resql = $this->db->query($sql); @@ -3217,7 +3217,7 @@ abstract class CommonObject return -1; } - $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element; + $sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element; $sql .= " SET ref_ext = '".$this->db->escape($ref_ext)."'"; $sql .= " WHERE ".(isset($this->table_rowid) ? $this->table_rowid : 'rowid')." = ".((int) $this->id); @@ -3268,7 +3268,7 @@ abstract class CommonObject } else { $fieldusermod = "fk_user_modif"; } - $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element; + $sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element; $sql .= " SET note".$newsuffix." = ".(!empty($note) ? ("'".$this->db->escape($note)."'") : "NULL"); $sql .= ", ".$fieldusermod." = ".((int) $user->id); $sql .= " WHERE rowid = ".((int) $this->id); @@ -3386,21 +3386,21 @@ abstract class CommonObject $fieldup = 'value_unit'; } - $sql = 'SELECT rowid, qty, '.$fieldup.' as up, remise_percent, total_ht, '.$fieldtva.' as total_tva, total_ttc, '.$fieldlocaltax1.' as total_localtax1, '.$fieldlocaltax2.' as total_localtax2,'; + $sql = "SELECT rowid, qty, ".$fieldup." as up, remise_percent, total_ht, ".$fieldtva." as total_tva, total_ttc, ".$fieldlocaltax1." as total_localtax1, ".$fieldlocaltax2." as total_localtax2,"; $sql .= ' tva_tx as vatrate, localtax1_tx, localtax2_tx, localtax1_type, localtax2_type, info_bits, product_type'; if ($this->table_element_line == 'facturedet') { $sql .= ', situation_percent'; } $sql .= ', multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc'; $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element_line; - $sql .= ' WHERE '.$this->fk_element.' = '.((int) $this->id); + $sql .= " WHERE ".$this->fk_element." = ".((int) $this->id); if ($exclspec) { $product_field = 'product_type'; if ($this->table_element_line == 'contratdet') { $product_field = ''; // contratdet table has no product_type field } if ($product_field) { - $sql .= ' AND '.$product_field.' <> 9'; + $sql .= " AND ".$product_field." <> 9"; } } $sql .= ' ORDER by rowid'; // We want to be sure to always use same order of line to not change lines differently when option MAIN_ROUNDOFTOTAL_NOT_TOTALOFROUND is used @@ -3553,14 +3553,14 @@ abstract class CommonObject if (empty($nodatabaseupdate)) { $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element.' SET'; - $sql .= " ".$fieldht." = ".price2num($this->total_ht).","; - $sql .= " ".$fieldtva." = ".price2num($this->total_tva).","; - $sql .= " ".$fieldlocaltax1." = ".price2num($this->total_localtax1).","; - $sql .= " ".$fieldlocaltax2." = ".price2num($this->total_localtax2).","; - $sql .= " ".$fieldttc." = ".price2num($this->total_ttc); - $sql .= ", multicurrency_total_ht = ".price2num($this->multicurrency_total_ht, 'MT', 1); - $sql .= ", multicurrency_total_tva = ".price2num($this->multicurrency_total_tva, 'MT', 1); - $sql .= ", multicurrency_total_ttc = ".price2num($this->multicurrency_total_ttc, 'MT', 1); + $sql .= " ".$fieldht." = ".((float) price2num($this->total_ht)).","; + $sql .= " ".$fieldtva." = ".((float) price2num($this->total_tva)).","; + $sql .= " ".$fieldlocaltax1." = ".((float) price2num($this->total_localtax1)).","; + $sql .= " ".$fieldlocaltax2." = ".((float) price2num($this->total_localtax2)).","; + $sql .= " ".$fieldttc." = ".((float) price2num($this->total_ttc)); + $sql .= ", multicurrency_total_ht = ".((float) price2num($this->multicurrency_total_ht, 'MT', 1)); + $sql .= ", multicurrency_total_tva = ".((float) price2num($this->multicurrency_total_tva, 'MT', 1)); + $sql .= ", multicurrency_total_ttc = ".((float) price2num($this->multicurrency_total_ttc, 'MT', 1)); $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(get_class($this)."::update_price", LOG_DEBUG); @@ -4038,7 +4038,7 @@ abstract class CommonObject global $db; - $sql = 'SELECT '.$field_select.' FROM '.MAIN_DB_PREFIX.$table_element.' WHERE '.$field_where.' = '.((int) $fk_object_where); + $sql = "SELECT ".$field_select." FROM ".MAIN_DB_PREFIX.$table_element." WHERE ".$field_where." = ".((int) $fk_object_where); $resql = $db->query($sql); $TRes = array(); @@ -4067,7 +4067,7 @@ abstract class CommonObject global $db; - $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$table_element.' WHERE '.$field_where.' = '.((int) $fk_object_where); + $sql = "DELETE FROM ".MAIN_DB_PREFIX.$table_element." WHERE ".$field_where." = ".((int) $fk_object_where); $resql = $db->query($sql); if (empty($resql)) { @@ -5317,7 +5317,7 @@ abstract class CommonObject $update_main_doc_field = 1; } if ($update_main_doc_field && !empty($this->table_element)) { - $sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element." SET last_main_doc = '".$this->db->escape($ecmfile->filepath.'/'.$ecmfile->filename)."'"; + $sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element." SET last_main_doc = '".$this->db->escape($ecmfile->filepath."/".$ecmfile->filename)."'"; $sql .= " WHERE rowid = ".((int) $this->id); $resql = $this->db->query($sql); @@ -6677,17 +6677,17 @@ abstract class CommonObject //We have to join on extrafield table if (strpos($InfoFieldList[4], 'extra') !== false) { - $sql .= ' as main, '.MAIN_DB_PREFIX.$InfoFieldList[0].'_extrafields as extra'; - $sqlwhere .= ' WHERE extra.fk_object=main.'.$InfoFieldList[2].' AND '.$InfoFieldList[4]; + $sql .= " as main, ".MAIN_DB_PREFIX.$InfoFieldList[0]."_extrafields as extra"; + $sqlwhere .= " WHERE extra.fk_object=main.".$InfoFieldList[2]." AND ".$InfoFieldList[4]; } else { - $sqlwhere .= ' WHERE '.$InfoFieldList[4]; + $sqlwhere .= " WHERE ".$InfoFieldList[4]; } } else { $sqlwhere .= ' WHERE 1=1'; } // Some tables may have field, some other not. For the moment we disable it. if (in_array($InfoFieldList[0], array('tablewithentity'))) { - $sqlwhere .= ' AND entity = '.$conf->entity; + $sqlwhere .= " AND entity = ".((int) $conf->entity); } $sql .= $sqlwhere; //print $sql; @@ -6830,16 +6830,16 @@ abstract class CommonObject // We have to join on extrafield table if (strpos($InfoFieldList[4], 'extra') !== false) { $sql .= ' as main, '.MAIN_DB_PREFIX.$InfoFieldList[0].'_extrafields as extra'; - $sqlwhere .= ' WHERE extra.fk_object=main.'.$InfoFieldList[2].' AND '.$InfoFieldList[4]; + $sqlwhere .= " WHERE extra.fk_object=main.".$InfoFieldList[2]." AND ".$InfoFieldList[4]; } else { - $sqlwhere .= ' WHERE '.$InfoFieldList[4]; + $sqlwhere .= " WHERE ".$InfoFieldList[4]; } } else { $sqlwhere .= ' WHERE 1=1'; } // Some tables may have field, some other not. For the moment we disable it. if (in_array($InfoFieldList[0], array('tablewithentity'))) { - $sqlwhere .= ' AND entity = '.$conf->entity; + $sqlwhere .= " AND entity = ".((int) $conf->entity); } // $sql.=preg_replace('/^ AND /','',$sqlwhere); // print $sql; @@ -8770,8 +8770,8 @@ abstract class CommonObject return 0; } - $sql = 'SELECT '.$fieldlist; - $sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.' as t'; + $sql = "SELECT ".$fieldlist; + $sql .= " FROM ".MAIN_DB_PREFIX.$this->table_element.' as t'; if (!empty($id)) { $sql .= ' WHERE t.rowid = '.((int) $id); @@ -8825,9 +8825,9 @@ abstract class CommonObject $objectline = new $objectlineclassname($this->db); - $sql = 'SELECT '.$objectline->getFieldList('l'); - $sql .= ' FROM '.MAIN_DB_PREFIX.$objectline->table_element.' as l'; - $sql .= ' WHERE l.fk_'.$this->element.' = '.((int) $this->id); + $sql = "SELECT ".$objectline->getFieldList('l'); + $sql .= " FROM ".MAIN_DB_PREFIX.$objectline->table_element." as l"; + $sql .= " WHERE l.fk_".$this->element." = ".((int) $this->id); if ($morewhere) { $sql .= $morewhere; } @@ -8973,7 +8973,7 @@ abstract class CommonObject if ($forcechilddeletion) { // Force also delete of childtables that should lock deletion in standard case when option force is off foreach ($this->childtables as $table) { - $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$table.' WHERE '.$this->fk_element.' = '.((int) $this->id); + $sql = "DELETE FROM ".MAIN_DB_PREFIX.$table." WHERE ".$this->fk_element." = ".((int) $this->id); $resql = $this->db->query($sql); if (!$resql) { $this->error = $this->db->lasterror(); @@ -9022,7 +9022,7 @@ abstract class CommonObject } } else { // Delete record in child table - $sql = 'DELETE FROM '.MAIN_DB_PREFIX.$table.' WHERE '.$this->fk_element.' = '.((int) $this->id); + $sql = "DELETE FROM ".MAIN_DB_PREFIX.$table." WHERE ".$this->fk_element." = ".((int) $this->id); $resql = $this->db->query($sql); if (!$resql) { @@ -9100,7 +9100,7 @@ abstract class CommonObject $this->db->begin(); $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX.$this->table_element; - $sql .= ' WHERE '.$parentField.' = '.(int) $parentId; + $sql .= " WHERE ".$parentField." = ".(int) $parentId; $resql = $this->db->query($sql); if (!$resql) { @@ -9533,7 +9533,7 @@ abstract class CommonObject // Delete in database with mode 1 if ($mode == 1) { $sql = 'DELETE FROM '.MAIN_DB_PREFIX."ecm_files_extrafields"; - $sql .= " WHERE fk_object IN (SELECT rowid FROM ".MAIN_DB_PREFIX."ecm_files WHERE src_object_type = '".$this->db->escape($this->table_element.(empty($this->module) ? '' : '@'.$this->module))."' AND src_object_id = ".((int) $this->id).")"; + $sql .= " WHERE fk_object IN (SELECT rowid FROM ".MAIN_DB_PREFIX."ecm_files WHERE src_object_type = '".$this->db->escape($this->table_element.(empty($this->module) ? "" : "@".$this->module))."' AND src_object_id = ".((int) $this->id).")"; $resql = $this->db->query($sql); if (!$resql) { $this->error = $this->db->lasterror(); @@ -9542,7 +9542,7 @@ abstract class CommonObject } $sql = 'DELETE FROM '.MAIN_DB_PREFIX."ecm_files"; - $sql .= " WHERE src_object_type = '".$this->db->escape($this->table_element.(empty($this->module) ? '' : '@'.$this->module))."' AND src_object_id = ".((int) $this->id); + $sql .= " WHERE src_object_type = '".$this->db->escape($this->table_element.(empty($this->module) ? "" : "@".$this->module))."' AND src_object_id = ".((int) $this->id); $resql = $this->db->query($sql); if (!$resql) { $this->error = $this->db->lasterror(); diff --git a/htdocs/core/class/commonobjectline.class.php b/htdocs/core/class/commonobjectline.class.php index f821e5050b1..6d5573b9d76 100644 --- a/htdocs/core/class/commonobjectline.class.php +++ b/htdocs/core/class/commonobjectline.class.php @@ -86,7 +86,7 @@ abstract class CommonObjectLine extends CommonObject $label_type = 'code'; } - $sql = 'select '.$label_type.', code from '.MAIN_DB_PREFIX.'c_units where rowid='.$this->fk_unit; + $sql = "SELECT ".$label_type.", code from ".MAIN_DB_PREFIX."c_units where rowid = ".((int) $this->fk_unit); $resql = $this->db->query($sql); if ($resql && $this->db->num_rows($resql) > 0) { $res = $this->db->fetch_array($resql); @@ -98,7 +98,7 @@ abstract class CommonObjectLine extends CommonObject $this->db->free($resql); return $label; } else { - $this->error = $this->db->error().' sql='.$sql; + $this->error = $this->db->lasterror(); dol_syslog(get_class($this)."::getLabelOfUnit Error ".$this->error, LOG_ERR); return -1; } diff --git a/htdocs/core/class/coreobject.class.php b/htdocs/core/class/coreobject.class.php index 150ace90875..33510186646 100644 --- a/htdocs/core/class/coreobject.class.php +++ b/htdocs/core/class/coreobject.class.php @@ -183,7 +183,7 @@ class CoreObject extends CommonObject $this->{$className} = array(); - $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.$childTable.' WHERE '.$this->fk_element.' = '.((int) $this->id); + $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX.$childTable." WHERE ".$this->fk_element." = ".((int) $this->id); $res = $this->db->query($sql); if ($res) { diff --git a/htdocs/core/class/discount.class.php b/htdocs/core/class/discount.class.php index 07c6a509815..46789352bd7 100644 --- a/htdocs/core/class/discount.class.php +++ b/htdocs/core/class/discount.class.php @@ -516,10 +516,10 @@ class DiscountAbsolute $sql .= " AND rc.fk_user = ".((int) $user->id); } if ($filter) { - $sql .= ' AND ('.$filter.')'; + $sql .= " AND (".$filter.")"; } if ($maxvalue) { - $sql .= ' AND rc.amount_ttc <= '.price2num($maxvalue); + $sql .= ' AND rc.amount_ttc <= '.((float) price2num($maxvalue)); } $resql = $this->db->query($sql); @@ -555,12 +555,12 @@ class DiscountAbsolute if ($invoice->element == 'facture' || $invoice->element == 'invoice') { $sql = 'SELECT sum(rc.amount_ttc) as amount, sum(rc.multicurrency_amount_ttc) as multicurrency_amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc, '.MAIN_DB_PREFIX.'facture as f'; - $sql .= ' WHERE rc.fk_facture_source=f.rowid AND rc.fk_facture = '.$invoice->id; + $sql .= ' WHERE rc.fk_facture_source=f.rowid AND rc.fk_facture = '.((int) $invoice->id); $sql .= ' AND f.type = 3'; } elseif ($invoice->element == 'invoice_supplier') { $sql = 'SELECT sum(rc.amount_ttc) as amount, sum(rc.multicurrency_amount_ttc) as multicurrency_amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc, '.MAIN_DB_PREFIX.'facture_fourn as f'; - $sql .= ' WHERE rc.fk_invoice_supplier_source=f.rowid AND rc.fk_invoice_supplier = '.$invoice->id; + $sql .= ' WHERE rc.fk_invoice_supplier_source=f.rowid AND rc.fk_invoice_supplier = '.((int) $invoice->id); $sql .= ' AND f.type = 3'; } else { $this->error = get_class($this)."::getSumDepositsUsed was called with a bad object as a first parameter"; @@ -596,13 +596,13 @@ class DiscountAbsolute if ($invoice->element == 'facture' || $invoice->element == 'invoice') { $sql = 'SELECT sum(rc.amount_ttc) as amount, sum(rc.multicurrency_amount_ttc) as multicurrency_amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc, '.MAIN_DB_PREFIX.'facture as f'; - $sql .= ' WHERE rc.fk_facture_source=f.rowid AND rc.fk_facture = '.$invoice->id; - $sql .= ' AND f.type IN ('.$this->db->sanitize($invoice::TYPE_STANDARD.', '.$invoice::TYPE_CREDIT_NOTE.', '.$invoice::TYPE_SITUATION).')'; // Find discount coming from credit note or excess received + $sql .= ' WHERE rc.fk_facture_source=f.rowid AND rc.fk_facture = '.((int) $invoice->id); + $sql .= " AND f.type IN (".$this->db->sanitize($invoice::TYPE_STANDARD.", ".$invoice::TYPE_CREDIT_NOTE.", ".$invoice::TYPE_SITUATION).')'; // Find discount coming from credit note or excess received } elseif ($invoice->element == 'invoice_supplier') { $sql = 'SELECT sum(rc.amount_ttc) as amount, sum(rc.multicurrency_amount_ttc) as multicurrency_amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc, '.MAIN_DB_PREFIX.'facture_fourn as f'; - $sql .= ' WHERE rc.fk_invoice_supplier_source=f.rowid AND rc.fk_invoice_supplier = '.$invoice->id; - $sql .= ' AND f.type IN ('.$this->db->sanitize($invoice::TYPE_STANDARD.', '.$invoice::TYPE_CREDIT_NOTE).')'; // Find discount coming from credit note or excess paid + $sql .= ' WHERE rc.fk_invoice_supplier_source=f.rowid AND rc.fk_invoice_supplier = '.((int) $invoice->id); + $sql .= " AND f.type IN (".$this->db->sanitize($invoice::TYPE_STANDARD.", ".$invoice::TYPE_CREDIT_NOTE).')'; // Find discount coming from credit note or excess paid } else { $this->error = get_class($this)."::getSumCreditNotesUsed was called with a bad object as a first parameter"; dol_print_error($this->error); @@ -636,11 +636,11 @@ class DiscountAbsolute if ($invoice->element == 'facture' || $invoice->element == 'invoice') { $sql = 'SELECT sum(rc.amount_ttc) as amount, sum(rc.multicurrency_amount_ttc) as multicurrency_amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc'; - $sql .= ' WHERE rc.fk_facture IS NULL AND rc.fk_facture_source = '.$invoice->id; + $sql .= ' WHERE rc.fk_facture IS NULL AND rc.fk_facture_source = '.((int) $invoice->id); } elseif ($invoice->element == 'invoice_supplier') { $sql = 'SELECT sum(rc.amount_ttc) as amount, sum(rc.multicurrency_amount_ttc) as multicurrency_amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc'; - $sql .= ' WHERE rc.fk_invoice_supplier IS NULL AND rc.fk_invoice_supplier_source = '.$invoice->id; + $sql .= ' WHERE rc.fk_invoice_supplier IS NULL AND rc.fk_invoice_supplier_source = '.((int) $invoice->id); } else { $this->error = get_class($this)."::getSumCreditNotesUsed was called with a bad object as a first parameter"; dol_print_error($this->error); diff --git a/htdocs/core/class/dolreceiptprinter.class.php b/htdocs/core/class/dolreceiptprinter.class.php index a3ddb3d7c7f..9813876c031 100644 --- a/htdocs/core/class/dolreceiptprinter.class.php +++ b/htdocs/core/class/dolreceiptprinter.class.php @@ -867,7 +867,7 @@ class dolReceiptPrinter extends Printer $error = 0; $sql = 'SELECT template'; $sql .= ' FROM '.MAIN_DB_PREFIX.'printer_receipt_template'; - $sql .= ' WHERE rowid='.$templateid; + $sql .= ' WHERE rowid = '.((int) $templateid); $sql .= ' AND entity = '.$conf->entity; $resql = $this->db->query($sql); if ($resql) { @@ -905,7 +905,7 @@ class dolReceiptPrinter extends Printer $sql = 'SELECT rowid, name, fk_type, fk_profile, parameter'; $sql .= ' FROM '.MAIN_DB_PREFIX.'printer_receipt'; $sql .= ' WHERE rowid = '.((int) $printerid); - $sql .= ' AND entity = '.$conf->entity; + $sql .= ' AND entity = '.((int) $conf->entity); $resql = $this->db->query($sql); if ($resql) { $obj = $this->db->fetch_array($resql); diff --git a/htdocs/core/class/extrafields.class.php b/htdocs/core/class/extrafields.class.php index f6a5ba93d61..4e4a199600f 100644 --- a/htdocs/core/class/extrafields.class.php +++ b/htdocs/core/class/extrafields.class.php @@ -1273,16 +1273,16 @@ class ExtraFields //We have to join on extrafield table if (strpos($InfoFieldList[4], 'extra') !== false) { $sql .= ' as main, '.MAIN_DB_PREFIX.$InfoFieldList[0].'_extrafields as extra'; - $sqlwhere .= ' WHERE extra.fk_object=main.'.$InfoFieldList[2].' AND '.$InfoFieldList[4]; + $sqlwhere .= " WHERE extra.fk_object=main.".$InfoFieldList[2]." AND ".$InfoFieldList[4]; } else { - $sqlwhere .= ' WHERE '.$InfoFieldList[4]; + $sqlwhere .= " WHERE ".$InfoFieldList[4]; } } else { $sqlwhere .= ' WHERE 1=1'; } // Some tables may have field, some other not. For the moment we disable it. if (in_array($InfoFieldList[0], array('tablewithentity'))) { - $sqlwhere .= ' AND entity = '.$conf->entity; + $sqlwhere .= ' AND entity = '.((int) $conf->entity); } $sql .= $sqlwhere; //print $sql; @@ -1485,16 +1485,16 @@ class ExtraFields // We have to join on extrafield table if (strpos($InfoFieldList[4], 'extra.') !== false) { $sql .= ' as main, '.MAIN_DB_PREFIX.$InfoFieldList[0].'_extrafields as extra'; - $sqlwhere .= ' WHERE extra.fk_object=main.'.$InfoFieldList[2].' AND '.$InfoFieldList[4]; + $sqlwhere .= " WHERE extra.fk_object=main.".$InfoFieldList[2]." AND ".$InfoFieldList[4]; } else { - $sqlwhere .= ' WHERE '.$InfoFieldList[4]; + $sqlwhere .= " WHERE ".$InfoFieldList[4]; } } else { $sqlwhere .= ' WHERE 1=1'; } // Some tables may have field, some other not. For the moment we disable it. if (in_array($InfoFieldList[0], array('tablewithentity'))) { - $sqlwhere .= ' AND entity = '.$conf->entity; + $sqlwhere .= " AND entity = ".((int) $conf->entity); } // $sql.=preg_replace('/^ AND /','',$sqlwhere); // print $sql; diff --git a/htdocs/core/class/hookmanager.class.php b/htdocs/core/class/hookmanager.class.php index 345de3f5be5..d243e67697b 100644 --- a/htdocs/core/class/hookmanager.class.php +++ b/htdocs/core/class/hookmanager.class.php @@ -172,6 +172,7 @@ class HookManager 'addSearchEntry', 'addStatisticLine', 'addSectionECMAuto', + 'checkSecureAccess', 'createDictionaryFieldlist', 'editDictionaryFieldlist', 'getFormMail', diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index 8f3c92a3c43..74f6ed83ee2 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -2565,7 +2565,7 @@ class Form $sql .= ')'; } if (count($warehouseStatusArray)) { - $sql .= ' GROUP BY'.$selectFields; + $sql .= " GROUP BY ".$selectFields; } //Sort by category @@ -6988,7 +6988,7 @@ class Form if (isset($objecttmp->ismultientitymanaged)) { if (!is_numeric($objecttmp->ismultientitymanaged)) { $tmparray = explode('@', $objecttmp->ismultientitymanaged); - $sql .= ' INNER JOIN '.MAIN_DB_PREFIX.$tmparray[1].' as parenttable ON parenttable.rowid = t.'.$tmparray[0]; + $sql .= " INNER JOIN ".MAIN_DB_PREFIX.$tmparray[1]." as parenttable ON parenttable.rowid = t.".$tmparray[0]; } if ($objecttmp->ismultientitymanaged == 'fk_soc@societe') { if (!$user->rights->societe->client->voir && !$user->socid) { @@ -7009,7 +7009,7 @@ class Form $sql .= " AND t.entity IN (".getEntity($objecttmp->table_element).")"; } if (!is_numeric($objecttmp->ismultientitymanaged)) { - $sql .= ' AND parenttable.entity = t.'.$tmparray[0]; + $sql .= " AND parenttable.entity = t.".$tmparray[0]; } if ($objecttmp->ismultientitymanaged == 1 && !empty($user->socid)) { if ($objecttmp->element == 'societe') { diff --git a/htdocs/core/class/html.formmail.class.php b/htdocs/core/class/html.formmail.class.php index 3dc2743adf1..f5b13671a44 100644 --- a/htdocs/core/class/html.formmail.class.php +++ b/htdocs/core/class/html.formmail.class.php @@ -601,7 +601,7 @@ class FormMail extends Form // Add also email aliases from the c_email_senderprofile table $sql = 'SELECT rowid, label, email FROM '.MAIN_DB_PREFIX.'c_email_senderprofile'; - $sql .= ' WHERE active = 1 AND (private = 0 OR private = '.$user->id.')'; + $sql .= ' WHERE active = 1 AND (private = 0 OR private = '.((int) $user->id).')'; $sql .= ' ORDER BY position'; $resql = $this->db->query($sql); if ($resql) { diff --git a/htdocs/core/class/utils.class.php b/htdocs/core/class/utils.class.php index 5371d917022..fd89a00a810 100644 --- a/htdocs/core/class/utils.class.php +++ b/htdocs/core/class/utils.class.php @@ -1088,11 +1088,11 @@ class Utils fwrite($handle, "/*!40000 ALTER TABLE `".$table."` DISABLE KEYS */;\n"); } - $sql = 'SELECT * FROM '.$table; // Here SELECT * is allowed because we don't have definition of columns to take + $sql = "SELECT * FROM ".$table; // Here SELECT * is allowed because we don't have definition of columns to take $result = $db->query($sql); while ($row = $db->fetch_row($result)) { // For each row of data we print a line of INSERT - fwrite($handle, 'INSERT '.$delayed.$ignore.'INTO `'.$table.'` VALUES ('); + fwrite($handle, "INSERT ".$delayed.$ignore."INTO ".$table." VALUES ("); $columns = count($row); for ($j = 0; $j < $columns; $j++) { // Processing each columns of the row to ensure that we correctly save the value (eg: add quotes for string - in fact we add quotes for everything, it's easier) diff --git a/htdocs/core/class/validate.class.php b/htdocs/core/class/validate.class.php index 1738034545d..61b8931179e 100644 --- a/htdocs/core/class/validate.class.php +++ b/htdocs/core/class/validate.class.php @@ -263,7 +263,7 @@ class Validate } foreach ($value_arr as $val) { - $sql = 'SELECT ' . $col . ' FROM ' . MAIN_DB_PREFIX . $table . " WHERE " . $col ." = '" . $this->db->escape($val) . "'"; // nore quick than count(*) to check existing of a row + $sql = "SELECT ".$col." FROM ".MAIN_DB_PREFIX.$table." WHERE ".$col." = '".$this->db->escape($val)."'"; // nore quick than count(*) to check existing of a row $resql = $this->db->getRow($sql); if ($resql) { continue; diff --git a/htdocs/core/customreports.php b/htdocs/core/customreports.php index ca6e61e3b1c..3693b52cc74 100644 --- a/htdocs/core/customreports.php +++ b/htdocs/core/customreports.php @@ -239,13 +239,14 @@ if (is_array($search_groupby) && count($search_groupby)) { $fieldtocount = $search_groupby[$gkey]; } - $sql = 'SELECT DISTINCT '.$fieldtocount.' as val'; + $sql = "SELECT DISTINCT ".$fieldtocount." as val"; if (strpos($fieldtocount, 'te.') === 0) { $sql .= ' FROM '.MAIN_DB_PREFIX.$object->table_element.'_extrafields as te'; } else { $sql .= ' FROM '.MAIN_DB_PREFIX.$object->table_element.' as t'; } // TODO Add the where here + // ... $sql .= ' LIMIT '.($MAXUNIQUEVALFORGROUP + 1); @@ -469,60 +470,60 @@ if (!empty($search_measures) && !empty($search_xaxis)) { foreach ($search_xaxis as $key => $val) { if (preg_match('/\-year$/', $val)) { $tmpval = preg_replace('/\-year$/', '', $val); - $sql .= 'DATE_FORMAT('.$tmpval.", '%Y') as x_".$key.', '; + $sql .= "DATE_FORMAT(".$tmpval.", '%Y') as x_".$key.', '; } elseif (preg_match('/\-month$/', $val)) { $tmpval = preg_replace('/\-month$/', '', $val); - $sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m') as x_".$key.', '; + $sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m') as x_".$key.', '; } elseif (preg_match('/\-day$/', $val)) { $tmpval = preg_replace('/\-day$/', '', $val); - $sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m-%d') as x_".$key.', '; + $sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m-%d') as x_".$key.', '; } else { - $sql .= $val.' as x_'.$key.', '; + $sql .= $val." as x_".$key.", "; } } foreach ($search_groupby as $key => $val) { if (preg_match('/\-year$/', $val)) { $tmpval = preg_replace('/\-year$/', '', $val); - $sql .= 'DATE_FORMAT('.$tmpval.", '%Y') as g_".$key.', '; + $sql .= "DATE_FORMAT(".$tmpval.", '%Y') as g_".$key.', '; } elseif (preg_match('/\-month$/', $val)) { $tmpval = preg_replace('/\-month$/', '', $val); - $sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m') as g_".$key.', '; + $sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m') as g_".$key.', '; } elseif (preg_match('/\-day$/', $val)) { $tmpval = preg_replace('/\-day$/', '', $val); - $sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m-%d') as g_".$key.', '; + $sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m-%d') as g_".$key.', '; } else { - $sql .= $val.' as g_'.$key.', '; + $sql .= $val." as g_".$key.", "; } } foreach ($search_measures as $key => $val) { if ($val == 't.count') { - $sql .= 'COUNT(t.'.$fieldid.') as y_'.$key.', '; + $sql .= "COUNT(t.".$fieldid.") as y_".$key.', '; } elseif (preg_match('/\-sum$/', $val)) { $tmpval = preg_replace('/\-sum$/', '', $val); - $sql .= 'SUM('.$db->ifsql($tmpval.' IS NULL', '0', $tmpval).') as y_'.$key.', '; + $sql .= "SUM(".$db->ifsql($tmpval.' IS NULL', '0', $tmpval).") as y_".$key.", "; } elseif (preg_match('/\-average$/', $val)) { $tmpval = preg_replace('/\-average$/', '', $val); - $sql .= 'AVG('.$db->ifsql($tmpval.' IS NULL', '0', $tmpval).') as y_'.$key.', '; + $sql .= "AVG(".$db->ifsql($tmpval.' IS NULL', '0', $tmpval).") as y_".$key.", "; } elseif (preg_match('/\-min$/', $val)) { $tmpval = preg_replace('/\-min$/', '', $val); - $sql .= 'MIN('.$db->ifsql($tmpval.' IS NULL', '0', $tmpval).') as y_'.$key.', '; + $sql .= "MIN(".$db->ifsql($tmpval.' IS NULL', '0', $tmpval).") as y_".$key.", "; } elseif (preg_match('/\-max$/', $val)) { $tmpval = preg_replace('/\-max$/', '', $val); - $sql .= 'MAX('.$db->ifsql($tmpval.' IS NULL', '0', $tmpval).') as y_'.$key.', '; + $sql .= "MAX(".$db->ifsql($tmpval.' IS NULL', '0', $tmpval).") as y_".$key.", "; } } $sql = preg_replace('/,\s*$/', '', $sql); $sql .= ' FROM '.MAIN_DB_PREFIX.$object->table_element.' as t'; // Add measure from extrafields if ($object->isextrafieldmanaged) { - $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.$object->table_element.'_extrafields as te ON te.fk_object = t.'.$fieldid; + $sql .= " LEFT JOIN ".MAIN_DB_PREFIX.$object->table_element."_extrafields as te ON te.fk_object = t.".$fieldid; } if ($object->ismultientitymanaged) { if ($object->ismultientitymanaged == 1) { // Nothing here } else { $tmparray = explode('@', $object->ismultientitymanaged); - $sql .= ' INNER JOIN '.MAIN_DB_PREFIX.$tmparray[1].' as parenttable ON t.'.$tmparray[0].' = parenttable.rowid'; + $sql .= " INNER JOIN ".MAIN_DB_PREFIX.$tmparray[1]." as parenttable ON t.".$tmparray[0]." = parenttable.rowid"; $sql .= ' AND parenttable.entity IN ('.getEntity($tmparray[1]).')'; } } @@ -537,27 +538,27 @@ if (!empty($search_measures) && !empty($search_xaxis)) { foreach ($search_xaxis as $key => $val) { if (preg_match('/\-year$/', $val)) { $tmpval = preg_replace('/\-year$/', '', $val); - $sql .= 'DATE_FORMAT('.$tmpval.", '%Y'), "; + $sql .= "DATE_FORMAT(".$tmpval.", '%Y'), "; } elseif (preg_match('/\-month$/', $val)) { $tmpval = preg_replace('/\-month$/', '', $val); - $sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m'), "; + $sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m'), "; } elseif (preg_match('/\-day$/', $val)) { $tmpval = preg_replace('/\-day$/', '', $val); - $sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m-%d'), "; + $sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m-%d'), "; } else { - $sql .= $val.', '; + $sql .= $val.", "; } } foreach ($search_groupby as $key => $val) { if (preg_match('/\-year$/', $val)) { $tmpval = preg_replace('/\-year$/', '', $val); - $sql .= 'DATE_FORMAT('.$tmpval.", '%Y'), "; + $sql .= "DATE_FORMAT(".$tmpval.", '%Y'), "; } elseif (preg_match('/\-month$/', $val)) { $tmpval = preg_replace('/\-month$/', '', $val); - $sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m'), "; + $sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m'), "; } elseif (preg_match('/\-day$/', $val)) { $tmpval = preg_replace('/\-day$/', '', $val); - $sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m-%d'), "; + $sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m-%d'), "; } else { $sql .= $val.', '; } @@ -567,13 +568,13 @@ if (!empty($search_measures) && !empty($search_xaxis)) { foreach ($search_xaxis as $key => $val) { if (preg_match('/\-year$/', $val)) { $tmpval = preg_replace('/\-year$/', '', $val); - $sql .= 'DATE_FORMAT('.$tmpval.", '%Y'), "; + $sql .= "DATE_FORMAT(".$tmpval.", '%Y'), "; } elseif (preg_match('/\-month$/', $val)) { $tmpval = preg_replace('/\-month$/', '', $val); - $sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m'), "; + $sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m'), "; } elseif (preg_match('/\-day$/', $val)) { $tmpval = preg_replace('/\-day$/', '', $val); - $sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m-%d'), "; + $sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m-%d'), "; } else { $sql .= $val.', '; } @@ -581,13 +582,13 @@ if (!empty($search_measures) && !empty($search_xaxis)) { foreach ($search_groupby as $key => $val) { if (preg_match('/\-year$/', $val)) { $tmpval = preg_replace('/\-year$/', '', $val); - $sql .= 'DATE_FORMAT('.$tmpval.", '%Y'), "; + $sql .= "DATE_FORMAT(".$tmpval.", '%Y'), "; } elseif (preg_match('/\-month$/', $val)) { $tmpval = preg_replace('/\-month$/', '', $val); - $sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m'), "; + $sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m'), "; } elseif (preg_match('/\-day$/', $val)) { $tmpval = preg_replace('/\-day$/', '', $val); - $sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m-%d'), "; + $sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m-%d'), "; } else { $sql .= $val.', '; } diff --git a/htdocs/core/db/pgsql.class.php b/htdocs/core/db/pgsql.class.php index 6e9a4f54db6..55d5f18dd00 100644 --- a/htdocs/core/db/pgsql.class.php +++ b/htdocs/core/db/pgsql.class.php @@ -905,7 +905,7 @@ class DoliDBPgsql extends DoliDB // Test charset match LC_TYPE (pgsql error otherwise) //print $charset.' '.setlocale(LC_CTYPE,'0'); exit; - $sql = 'CREATE DATABASE "'.$database.'" OWNER "'.$owner.'" ENCODING \''.$charset.'\''; + $sql = "CREATE DATABASE '".$this->escape($database)."' OWNER '".$this->escape($owner)."' ENCODING '".$this->escape($charset)."'"; dol_syslog($sql, LOG_DEBUG); $ret = $this->query($sql); return $ret; diff --git a/htdocs/core/db/sqlite3.class.php b/htdocs/core/db/sqlite3.class.php index 53bcb6806dc..072d5f0c4b3 100644 --- a/htdocs/core/db/sqlite3.class.php +++ b/htdocs/core/db/sqlite3.class.php @@ -421,7 +421,7 @@ class DoliDBSqlite3 extends DoliDB $descTable = $this->db->querySingle("SELECT sql FROM sqlite_master WHERE name='".$this->escape($tablename)."'"); // 1- Renommer la table avec un nom temporaire - $this->query('ALTER TABLE '.$tablename.' RENAME TO tmp_'.$tablename); + $this->query("ALTER TABLE ".$tablename." RENAME TO tmp_".$tablename); // 2- Recréer la table avec la contrainte ajoutée @@ -436,10 +436,10 @@ class DoliDBSqlite3 extends DoliDB $this->query($descTable); // 3- Transférer les données - $this->query('INSERT INTO '.$tablename.' SELECT * FROM tmp_'.$tablename); + $this->query("INSERT INTO ".$tablename." SELECT * FROM tmp_".$tablename); // 4- Supprimer la table temporaire - $this->query('DROP TABLE tmp_'.$tablename); + $this->query("DROP TABLE tmp_".$tablename); // dummy statement $query = "SELECT 0"; @@ -840,17 +840,12 @@ class DoliDBSqlite3 extends DoliDB } // ALTER DATABASE dolibarr_db DEFAULT CHARACTER SET latin DEFAULT COLLATE latin1_swedish_ci - $sql = 'CREATE DATABASE '.$database; - $sql .= ' DEFAULT CHARACTER SET '.$charset.' DEFAULT COLLATE '.$collation; + $sql = "CREATE DATABASE ".$this->escape($database); + $sql .= " DEFAULT CHARACTER SET ".$this->escape($charset)." DEFAULT COLLATE ".$this->escape($collation); dol_syslog($sql, LOG_DEBUG); $ret = $this->query($sql); - if (!$ret) { - // We try again for compatibility with Mysql < 4.1.1 - $sql = 'CREATE DATABASE '.$database; - $ret = $this->query($sql); - dol_syslog($sql, LOG_DEBUG); - } + return $ret; } diff --git a/htdocs/core/lib/admin.lib.php b/htdocs/core/lib/admin.lib.php index 3df3e7ee182..531af9017b3 100644 --- a/htdocs/core/lib/admin.lib.php +++ b/htdocs/core/lib/admin.lib.php @@ -306,8 +306,8 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle // with // 'INSERT INTO llx_accounting_account (entity, rowid, fk_pcg_version, pcg_type, account_number, account_parent, label, active) VALUES (__ENTITY__, 1401 + 200100000, 'PCG99-ABREGE','CAPIT', '1234', 1400 + 200100000,...' // Note: string with 'PCG99-ABREGE','CAPIT', 1234 instead of 'PCG99-ABREGE','CAPIT', '1234' is also supported - $newsql = preg_replace('/VALUES\s*\(__ENTITY__, \s*(\d+)\s*,(\s*\'[^\',]*\'\s*,\s*\'[^\',]*\'\s*,\s*\'?[^\',]*\'?\s*),\s*\'?([^\',]*)\'?/ims', 'VALUES (__ENTITY__, \1 + '.$offsetforchartofaccount.', \2, \3 + '.$offsetforchartofaccount, $newsql); - $newsql = preg_replace('/([,\s])0 \+ '.$offsetforchartofaccount.'/ims', '\1 0', $newsql); + $newsql = preg_replace('/VALUES\s*\(__ENTITY__, \s*(\d+)\s*,(\s*\'[^\',]*\'\s*,\s*\'[^\',]*\'\s*,\s*\'?[^\',]*\'?\s*),\s*\'?([^\',]*)\'?/ims', 'VALUES (__ENTITY__, \1 + '.((int) $offsetforchartofaccount).', \2, \3 + '.((int) $offsetforchartofaccount), $newsql); + $newsql = preg_replace('/([,\s])0 \+ '.((int) $offsetforchartofaccount).'/ims', '\1 0', $newsql); //var_dump($newsql); $arraysql[$i] = $newsql; diff --git a/htdocs/core/lib/company.lib.php b/htdocs/core/lib/company.lib.php index 8806bcc8b92..7a10d2d4ff8 100644 --- a/htdocs/core/lib/company.lib.php +++ b/htdocs/core/lib/company.lib.php @@ -1526,7 +1526,7 @@ function show_actions_done($conf, $langs, $db, $filterobj, $objcon = '', $noprin } } elseif (is_object($filterobj) && is_array($filterobj->fields) && is_array($filterobj->fields['rowid']) && is_array($filterobj->fields['ref']) && $filterobj->table_element && $filterobj->element) { // Generic case - $sql .= " AND a.fk_element = o.rowid AND a.elementtype = '".$db->escape($filterobj->element).($module ? '@'.$module : '')."'"; + $sql .= " AND a.fk_element = o.rowid AND a.elementtype = '".$db->escape($filterobj->element).($module ? "@".$module : "")."'"; if ($filterobj->id) { $sql .= " AND a.fk_element = ".((int) $filterobj->id); } diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php index ba4b115e830..350c2334915 100644 --- a/htdocs/core/lib/files.lib.php +++ b/htdocs/core/lib/files.lib.php @@ -2945,25 +2945,6 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity, $sqlprotectagainstexternals = $hookmanager->resArray['sqlprotectagainstexternals']; } } - - /* - // For modules who wants to manage different levels of permissions for documents - $subPermCategoryConstName = strtoupper($modulepart).'_SUBPERMCATEGORY_FOR_DOCUMENTS'; - if (!empty($conf->global->$subPermCategoryConstName)) { - $subPermCategory = $conf->global->$subPermCategoryConstName; - if (!empty($subPermCategory) && (($fuser->rights->$modulepart->$subPermCategory->{$lire}) || ($fuser->rights->$modulepart->$subPermCategory->{$read}) || ($fuser->rights->$modulepart->$subPermCategory->{$download}))) { - $accessallowed = 1; - } - } - - // Define $sqlprotectagainstexternals for modules who want to protect access using a SQL query. - $sqlProtectConstName = strtoupper($modulepart).'_SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS'; - if (!empty($conf->global->$sqlProtectConstName)) { // If module want to define its own $sqlprotectagainstexternals - // Example: mymodule_SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS = "SELECT fk_soc FROM ".MAIN_DB_PREFIX.$modulepart." WHERE ref='".$db->escape($refname)."' AND entity=".$conf->entity; - // TODO Replace this with a hook - eval('$sqlprotectagainstexternals = "'.$conf->global->$sqlProtectConstName.'";'); - } - */ } $ret = array( diff --git a/htdocs/core/lib/invoice.lib.php b/htdocs/core/lib/invoice.lib.php index 1f797c67d1b..e3337c4266f 100644 --- a/htdocs/core/lib/invoice.lib.php +++ b/htdocs/core/lib/invoice.lib.php @@ -239,7 +239,7 @@ function getCustomerInvoicePieChart($socid = 0) $sql .= " WHERE f.fk_soc = s.rowid"; $sql .= " AND f.entity IN (".getEntity('facture').")"; if ($user->socid) { - $sql .= ' AND f.fk_soc = '.$user->socid; + $sql .= ' AND f.fk_soc = '.((int) $user->socid); } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id); @@ -359,7 +359,7 @@ function getPurchaseInvoicePieChart($socid = 0) $sql .= " WHERE f.fk_soc = s.rowid"; $sql .= " AND f.entity IN (".getEntity('facture_fourn').")"; if ($user->socid) { - $sql .= ' AND f.fk_soc = '.$user->socid; + $sql .= ' AND f.fk_soc = '.((int) $user->socid); } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id); diff --git a/htdocs/core/lib/order.lib.php b/htdocs/core/lib/order.lib.php index 6dcb40e1cc7..f264eadaf58 100644 --- a/htdocs/core/lib/order.lib.php +++ b/htdocs/core/lib/order.lib.php @@ -205,7 +205,7 @@ function getCustomerOrderPieChart($socid = 0) $sql .= " WHERE c.fk_soc = s.rowid"; $sql .= " AND c.entity IN (".getEntity('societe').")"; if ($user->socid) { - $sql .= ' AND c.fk_soc = '.$user->socid; + $sql .= ' AND c.fk_soc = '.((int) $user->socid); } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id); diff --git a/htdocs/core/lib/propal.lib.php b/htdocs/core/lib/propal.lib.php index f7dc3970dcb..038ab2a7911 100644 --- a/htdocs/core/lib/propal.lib.php +++ b/htdocs/core/lib/propal.lib.php @@ -184,7 +184,7 @@ function getCustomerProposalPieChart($socid = 0) $sql .= " WHERE p.entity IN (".getEntity($propalstatic->element).")"; $sql .= " AND p.fk_soc = s.rowid"; if ($user->socid) { - $sql .= ' AND p.fk_soc = '.$user->socid; + $sql .= ' AND p.fk_soc = '.((int) $user->socid); } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id); diff --git a/htdocs/core/modules/modFournisseur.class.php b/htdocs/core/modules/modFournisseur.class.php index baa983fc7cf..a36f219007b 100644 --- a/htdocs/core/modules/modFournisseur.class.php +++ b/htdocs/core/modules/modFournisseur.class.php @@ -353,7 +353,7 @@ class modFournisseur extends DolibarrModules $this->export_sql_end[$r] .= ' WHERE f.fk_soc = s.rowid AND f.rowid = fd.fk_facture_fourn'; $this->export_sql_end[$r] .= ' AND f.entity IN ('.getEntity('supplier_invoice').')'; if (is_object($user) && empty($user->rights->societe->client->voir)) { - $this->export_sql_end[$r] .= ' AND sc.fk_user = '.$user->id; + $this->export_sql_end[$r] .= ' AND sc.fk_user = '.((int) $user->id); } $r++; @@ -417,7 +417,7 @@ class modFournisseur extends DolibarrModules $this->export_sql_end[$r] .= ' WHERE f.fk_soc = s.rowid'; $this->export_sql_end[$r] .= ' AND f.entity IN ('.getEntity('supplier_invoice').')'; if (is_object($user) && empty($user->rights->societe->client->voir)) { - $this->export_sql_end[$r] .= ' AND sc.fk_user = '.$user->id; + $this->export_sql_end[$r] .= ' AND sc.fk_user = '.((int) $user->id); } // Order @@ -493,7 +493,7 @@ class modFournisseur extends DolibarrModules $this->export_sql_end[$r] .= ' WHERE f.fk_soc = s.rowid AND f.rowid = fd.fk_commande'; $this->export_sql_end[$r] .= ' AND f.entity IN ('.getEntity('supplier_order').')'; if (is_object($user) && empty($user->rights->societe->client->voir)) { - $this->export_sql_end[$r] .= ' AND sc.fk_user = '.$user->id; + $this->export_sql_end[$r] .= ' AND sc.fk_user = '.((int) $user->id); } //Import Supplier Invoice diff --git a/htdocs/core/modules/modSociete.class.php b/htdocs/core/modules/modSociete.class.php index af4fb9e64b8..eed6871c465 100644 --- a/htdocs/core/modules/modSociete.class.php +++ b/htdocs/core/modules/modSociete.class.php @@ -340,7 +340,7 @@ class modSociete extends DolibarrModules $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_incoterms as incoterm ON s.fk_incoterms = incoterm.rowid'; $this->export_sql_end[$r] .= ' WHERE s.entity IN ('.getEntity('societe').')'; if (is_object($user) && empty($user->rights->societe->client->voir)) { - $this->export_sql_end[$r] .= ' AND (sc.fk_user = '.$user->id.' '; + $this->export_sql_end[$r] .= ' AND (sc.fk_user = '.((int) $user->id).' '; if (!empty($conf->global->SOCIETE_EXPORT_SUBORDINATES_CHILDS)) { $subordinatesids = $user->getAllChildIds(); $this->export_sql_end[$r] .= count($subordinatesids) > 0 ? ' OR (sc.fk_user IN ('.$this->db->sanitize(implode(',', $subordinatesids)).')' : ''; @@ -410,7 +410,7 @@ class modSociete extends DolibarrModules $this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_typent as t ON s.fk_typent = t.id'; $this->export_sql_end[$r] .= ' WHERE c.entity IN ('.getEntity('socpeople').')'; if (is_object($user) && empty($user->rights->societe->client->voir)) { - $this->export_sql_end[$r] .= ' AND (sc.fk_user = '.$user->id.' '; + $this->export_sql_end[$r] .= ' AND (sc.fk_user = '.((int) $user->id).' '; if (!empty($conf->global->SOCIETE_EXPORT_SUBORDINATES_CHILDS)) { $subordinatesids = $user->getAllChildIds(); $this->export_sql_end[$r] .= count($subordinatesids) > 0 ? ' OR (sc.fk_user IN ('.$this->db->sanitize(implode(',', $subordinatesids)).')' : ''; diff --git a/htdocs/expensereport/class/expensereport.class.php b/htdocs/expensereport/class/expensereport.class.php index 22f29bb1d9e..fdbd1e5ab55 100644 --- a/htdocs/expensereport/class/expensereport.class.php +++ b/htdocs/expensereport/class/expensereport.class.php @@ -2525,7 +2525,7 @@ class ExpenseReport extends CommonObject $sql = 'SELECT sum(amount) as amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.$table; - $sql .= ' WHERE '.$field.' = '.((int) $this->id); + $sql .= " WHERE ".$field." = ".((int) $this->id); dol_syslog(get_class($this)."::getSumPayments", LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/fichinter/index.php b/htdocs/fichinter/index.php index 8513238b385..8eca043ef40 100644 --- a/htdocs/fichinter/index.php +++ b/htdocs/fichinter/index.php @@ -80,7 +80,7 @@ if (!$user->rights->societe->client->voir && !$socid) { $sql .= " WHERE f.entity IN (".getEntity('intervention').")"; $sql .= " AND f.fk_soc = s.rowid"; if ($user->socid) { - $sql .= ' AND f.fk_soc = '.$user->socid; + $sql .= ' AND f.fk_soc = '.((int) $user->socid); } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id); diff --git a/htdocs/fourn/class/fournisseur.facture.class.php b/htdocs/fourn/class/fournisseur.facture.class.php index b97bf5485fa..eab1d445558 100644 --- a/htdocs/fourn/class/fournisseur.facture.class.php +++ b/htdocs/fourn/class/fournisseur.facture.class.php @@ -2411,7 +2411,7 @@ class FactureFournisseur extends CommonInvoice $sql .= ' AND ff.fk_statut > 0'; $sql .= " AND ff.entity = ".$conf->entity; if ($user->socid) { - $sql .= ' AND ff.fk_soc = '.$user->socid; + $sql .= ' AND ff.fk_soc = '.((int) $user->socid); } if (!$user->rights->societe->client->voir && !$user->socid) { $sql .= " AND ff.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id); diff --git a/htdocs/fourn/commande/index.php b/htdocs/fourn/commande/index.php index 866063382bb..b4956ea706f 100644 --- a/htdocs/fourn/commande/index.php +++ b/htdocs/fourn/commande/index.php @@ -73,7 +73,7 @@ if (!$user->rights->societe->client->voir && !$socid) { $sql .= " WHERE cf.fk_soc = s.rowid"; $sql .= " AND cf.entity IN (".getEntity('supplier_order').")"; if ($user->socid) { - $sql .= ' AND cf.fk_soc = '.$user->socid; + $sql .= ' AND cf.fk_soc = '.((int) $user->socid); } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id); diff --git a/htdocs/fourn/paiement/list.php b/htdocs/fourn/paiement/list.php index f02c872fb0e..8534ad8bac1 100644 --- a/htdocs/fourn/paiement/list.php +++ b/htdocs/fourn/paiement/list.php @@ -192,7 +192,7 @@ if (!$user->rights->societe->client->voir) { $sql .= ' WHERE f.entity = '.$conf->entity; if (!$user->rights->societe->client->voir) { - $sql .= ' AND s.rowid = sc.fk_soc AND sc.fk_user = '.$user->id; + $sql .= ' AND s.rowid = sc.fk_soc AND sc.fk_user = '.((int) $user->id); } if ($socid > 0) { $sql .= ' AND f.fk_soc = '.((int) $socid); diff --git a/htdocs/loan/class/loan.class.php b/htdocs/loan/class/loan.class.php index ffd745e263f..0ec7786fc20 100644 --- a/htdocs/loan/class/loan.class.php +++ b/htdocs/loan/class/loan.class.php @@ -651,7 +651,7 @@ class Loan extends CommonObject $sql = 'SELECT sum(amount_capital) as amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.$table; - $sql .= ' WHERE '.$field.' = '.((int) $this->id); + $sql .= " WHERE ".$field." = ".((int) $this->id); dol_syslog(get_class($this)."::getSumPayment", LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/product/stock/replenishorders.php b/htdocs/product/stock/replenishorders.php index 17490e330bb..01a7e2dd1a3 100644 --- a/htdocs/product/stock/replenishorders.php +++ b/htdocs/product/stock/replenishorders.php @@ -135,7 +135,7 @@ if ($conf->global->STOCK_CALCULATE_ON_SUPPLIER_VALIDATE_ORDER) { $sql .= ' AND cf.fk_statut < 5'; } if (!$user->rights->societe->client->voir && !$socid) { - $sql .= ' AND s.rowid = sc.fk_soc AND sc.fk_user = '.$user->id; + $sql .= ' AND s.rowid = sc.fk_soc AND sc.fk_user = '.((int) $user->id); } if ($sref) { $sql .= natural_search('cf.ref', $sref); diff --git a/htdocs/salaries/class/salary.class.php b/htdocs/salaries/class/salary.class.php index c434e73ec08..8fdd741efee 100644 --- a/htdocs/salaries/class/salary.class.php +++ b/htdocs/salaries/class/salary.class.php @@ -570,7 +570,7 @@ class Salary extends CommonObject $sql = 'SELECT sum(amount) as amount'; $sql .= ' FROM '.MAIN_DB_PREFIX.$table; - $sql .= ' WHERE '.$field.' = '.((int) $this->id); + $sql .= " WHERE ".$field." = ".((int) $this->id); dol_syslog(get_class($this)."::getSommePaiement", LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/supplier_proposal/index.php b/htdocs/supplier_proposal/index.php index 45501ed9b2b..ac937fe480d 100644 --- a/htdocs/supplier_proposal/index.php +++ b/htdocs/supplier_proposal/index.php @@ -72,7 +72,7 @@ if (!$user->rights->societe->client->voir && !$socid) { $sql .= " WHERE p.fk_soc = s.rowid"; $sql .= " AND p.entity IN (".getEntity('supplier_proposal').")"; if ($user->socid) { - $sql .= ' AND p.fk_soc = '.$user->socid; + $sql .= ' AND p.fk_soc = '.((int) $user->socid); } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);