
Add more robust php unit to detect not escaped sql. Fix not escaped sql

This commit is contained in:
Laurent Destailleur
2017-09-15 15:41:07 +02:00
parent 77056d9adb
commit 5e34b121dd
63 changed files with 420 additions and 438 deletions


@@ -107,7 +107,7 @@ class AccountancySystem
$sql = "INSERT INTO " . MAIN_DB_PREFIX . "accounting_system";
$sql .= " (date_creation, fk_user_author, numero, label)";
$sql .= " VALUES ('" . $this->db->idate($now) . "'," . $user->id . ",'" . $this->numero . "','" . $this->label . "')";
$sql .= " VALUES ('" . $this->db->idate($now) . "'," . $user->id . ",'" . $this->db->escape($this->numero) . "','" . $this->db->escape($this->label) . "')";
dol_syslog(get_class($this) . "::create sql=" . $sql, LOG_DEBUG);
$resql = $this->db->query($sql);
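Review bot: The new VALUES line escapes `numero` and `label` but still concatenates `$user->id` into the statement unquoted and with no cast, so it is the one value on that line the change leaves unguarded. Because the column is numeric, escape() is not the right tool there anyway; an integer cast is: `$sql .= " VALUES ('" . $this->db->idate($now) . "'," . ((int) $user->id) . ",'" . $this->db->escape($this->numero) . "','" . $this->db->escape($this->label) . "')";`. The enclosing create() starts before this hunk and continues after it.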


@@ -47,7 +47,7 @@ class AccountingAccount extends CommonObject
var $fk_user_modif;
var $active; // duplicate with status
var $status;
/**
* Constructor
*
@@ -56,7 +56,7 @@ class AccountingAccount extends CommonObject
function __construct($db) {
$this->db = $db;
}
/**
* Load record in memory
*
@@ -67,7 +67,7 @@ class AccountingAccount extends CommonObject
*/
function fetch($rowid = null, $account_number = null, $limittocurrentchart = 0) {
global $conf;
if ($rowid || $account_number) {
$sql = "SELECT a.rowid as rowid, a.datec, a.tms, a.fk_pcg_version, a.pcg_type, a.pcg_subtype, a.account_number, a.account_parent, a.label, a.fk_accounting_category, a.fk_user_author, a.fk_user_modif, a.active";
$sql .= ", ca.label as category_label";
@@ -87,7 +87,7 @@ class AccountingAccount extends CommonObject
$result = $this->db->query($sql);
if ($result) {
$obj = $this->db->fetch_object($result);
if ($obj) {
$this->id = $obj->rowid;
$this->rowid = $obj->rowid;
@@ -105,7 +105,7 @@ class AccountingAccount extends CommonObject
$this->fk_user_modif = $obj->fk_user_modif;
$this->active = $obj->active;
$this->status = $obj->active;
return $this->id;
} else {
return 0;
@@ -117,7 +117,7 @@ class AccountingAccount extends CommonObject
}
return - 1;
}
/**
* Insert new accounting account in chart of accounts
*
@@ -129,7 +129,7 @@ class AccountingAccount extends CommonObject
global $conf;
$error = 0;
$now = dol_now();
// Clean parameters
if (isset($this->fk_pcg_version))
$this->fk_pcg_version = trim($this->fk_pcg_version);
@@ -149,7 +149,7 @@ class AccountingAccount extends CommonObject
$this->fk_user_author = trim($this->fk_user_author);
if (isset($this->active))
$this->active = trim($this->active);
if (empty($this->pcg_type) || $this->pcg_type == '-1')
{
$this->pcg_type = 'XXXXXX';
@@ -160,7 +160,7 @@ class AccountingAccount extends CommonObject
}
// Check parameters
// Put here code to add control on parameters values
// Insert request
$sql = "INSERT INTO " . MAIN_DB_PREFIX . "accounting_account(";
$sql .= "datec";
@@ -179,31 +179,31 @@ class AccountingAccount extends CommonObject
$sql .= ", " . $conf->entity;
$sql .= ", " . (empty($this->fk_pcg_version) ? 'NULL' : "'" . $this->db->escape($this->fk_pcg_version) . "'");
$sql .= ", " . (empty($this->pcg_type) ? 'NULL' : "'" . $this->db->escape($this->pcg_type) . "'");
$sql .= ", " . (empty($this->pcg_subtype) ? 'NULL' : "'" . $this->pcg_subtype . "'");
$sql .= ", " . (empty($this->account_number) ? 'NULL' : "'" . $this->account_number . "'");
$sql .= ", " . (empty($this->pcg_subtype) ? 'NULL' : "'" . $this->db->escape($this->pcg_subtype) . "'");
$sql .= ", " . (empty($this->account_number) ? 'NULL' : "'" . $this->db->escape($this->account_number) . "'");
$sql .= ", " . (empty($this->account_parent) ? 'NULL' : "'" . $this->db->escape($this->account_parent) . "'");
$sql .= ", " . (empty($this->label) ? 'NULL' : "'" . $this->db->escape($this->label) . "'");
$sql .= ", " . (empty($this->account_category) ? 'NULL' : "'" . $this->db->escape($this->account_category) . "'");
$sql .= ", " . $user->id;
$sql .= ", " . (! isset($this->active) ? 'NULL' : $this->db->escape($this->active));
$sql .= ")";
$this->db->begin();
dol_syslog(get_class($this) . "::create sql=" . $sql, LOG_DEBUG);
$resql = $this->db->query($sql);
if (! $resql) {
$error ++;
$this->errors[] = "Error " . $this->db->lasterror();
}
if (! $error) {
$this->id = $this->db->last_insert_id(MAIN_DB_PREFIX . "accounting_account");
// if (! $notrigger) {
// Uncomment this and change MYOBJECT to your own tag if you
// want this action calls a trigger.
// // Call triggers
// include_once DOL_DOCUMENT_ROOT . '/core/class/interfaces.class.php';
// $interface=new Interfaces($this->db);
@@ -212,7 +212,7 @@ class AccountingAccount extends CommonObject
// // End call triggers
// }
}
// Commit or rollback
if ($error) {
foreach ( $this->errors as $errmsg ) {
@@ -226,14 +226,14 @@ class AccountingAccount extends CommonObject
return $this->id;
}
}
/**
* Update record
*
* @param User $user Use making update
* @return int <0 if KO, >0 if OK
*/
function update($user)
function update($user)
{
// Check parameters
if (empty($this->pcg_type) || $this->pcg_type == '-1')
@@ -244,9 +244,9 @@ class AccountingAccount extends CommonObject
{
$this->pcg_subtype = 'XXXXXX';
}
$this->db->begin();
$sql = "UPDATE " . MAIN_DB_PREFIX . "accounting_account ";
$sql .= " SET fk_pcg_version = " . ($this->fk_pcg_version ? "'" . $this->db->escape($this->fk_pcg_version) . "'" : "null");
$sql .= " , pcg_type = " . ($this->pcg_type ? "'" . $this->db->escape($this->pcg_type) . "'" : "null");
@@ -258,7 +258,7 @@ class AccountingAccount extends CommonObject
$sql .= " , fk_user_modif = " . $user->id;
$sql .= " , active = " . $this->active;
$sql .= " WHERE rowid = " . $this->id;
dol_syslog(get_class($this) . "::update sql=" . $sql, LOG_DEBUG);
$result = $this->db->query($sql);
if ($result) {
@@ -270,7 +270,7 @@ class AccountingAccount extends CommonObject
return - 1;
}
}
/**
* Check usage of accounting code
*
@@ -278,16 +278,16 @@ class AccountingAccount extends CommonObject
*/
function checkUsage() {
global $langs;
$sql = "(SELECT fk_code_ventilation FROM " . MAIN_DB_PREFIX . "facturedet";
$sql .= " WHERE fk_code_ventilation=" . $this->id . ")";
$sql .= "UNION";
$sql .= "(SELECT fk_code_ventilation FROM " . MAIN_DB_PREFIX . "facture_fourn_det";
$sql .= " WHERE fk_code_ventilation=" . $this->id . ")";
dol_syslog(get_class($this) . "::checkUsage sql=" . $sql, LOG_DEBUG);
$resql = $this->db->query($sql);
if ($resql) {
$num = $this->db->num_rows($resql);
if ($num > 0) {
@@ -301,7 +301,7 @@ class AccountingAccount extends CommonObject
return - 1;
}
}
/**
* Delete object in database
*
@@ -311,18 +311,18 @@ class AccountingAccount extends CommonObject
*/
function delete($user, $notrigger = 0) {
$error = 0;
$result = $this->checkUsage();
if ($result > 0) {
$this->db->begin();
// if (! $error) {
// if (! $notrigger) {
// Uncomment this and change MYOBJECT to your own tag if you
// want this action calls a trigger.
// // Call triggers
// include_once DOL_DOCUMENT_ROOT . '/core/class/interfaces.class.php';
// $interface=new Interfaces($this->db);
@@ -331,11 +331,11 @@ class AccountingAccount extends CommonObject
// // End call triggers
// }
// }
if (! $error) {
$sql = "DELETE FROM " . MAIN_DB_PREFIX . "accounting_account";
$sql .= " WHERE rowid=" . $this->id;
dol_syslog(get_class($this) . "::delete sql=" . $sql);
$resql = $this->db->query($sql);
if (! $resql) {
@@ -343,7 +343,7 @@ class AccountingAccount extends CommonObject
$this->errors[] = "Error " . $this->db->lasterror();
}
}
// Commit or rollback
if ($error) {
foreach ( $this->errors as $errmsg ) {
@@ -360,7 +360,7 @@ class AccountingAccount extends CommonObject
return - 1;
}
}
/**
* Return clicable name (with picto eventually)
*
@@ -375,7 +375,7 @@ class AccountingAccount extends CommonObject
{
global $langs, $conf, $user;
require_once DOL_DOCUMENT_ROOT.'/core/lib/accounting.lib.php';
if (! empty($conf->dol_no_mouse_hover)) $notooltip=1; // Force disable tooltips
$result = '';
@@ -412,7 +412,7 @@ class AccountingAccount extends CommonObject
{
$linkstart = '';
$linkclose = '';
$linkend = '';
$linkend = '';
}
$label_link = length_accountg($this->account_number);
@@ -423,7 +423,7 @@ class AccountingAccount extends CommonObject
if ($withpicto != 2) $result.=$linkstart . $label_link . $linkend;
return $result;
}
/**
* Information on record
*
@@ -434,10 +434,10 @@ class AccountingAccount extends CommonObject
$sql = 'SELECT a.rowid, a.datec, a.fk_user_author, a.fk_user_modif, a.tms';
$sql .= ' FROM ' . MAIN_DB_PREFIX . 'accounting_account as a';
$sql .= ' WHERE a.rowid = ' . $id;
dol_syslog(get_class($this) . '::info sql=' . $sql);
$result = $this->db->query($sql);
if ($result) {
if ($this->db->num_rows($result)) {
$obj = $this->db->fetch_object($result);
@@ -460,7 +460,7 @@ class AccountingAccount extends CommonObject
dol_print_error($this->db);
}
}
/**
* Account desactivate
*
@@ -469,17 +469,17 @@ class AccountingAccount extends CommonObject
*/
function account_desactivate($id) {
$result = $this->checkUsage();
if ($result > 0) {
$this->db->begin();
$sql = "UPDATE " . MAIN_DB_PREFIX . "accounting_account ";
$sql .= "SET active = '0'";
$sql .= " WHERE rowid = " . $this->db->escape($id);
dol_syslog(get_class($this) . "::desactivate sql=" . $sql, LOG_DEBUG);
$result = $this->db->query($sql);
if ($result) {
$this->db->commit();
return 1;
@@ -492,7 +492,7 @@ class AccountingAccount extends CommonObject
return - 1;
}
}
/**
* Account activate
*
@@ -501,11 +501,11 @@ class AccountingAccount extends CommonObject
*/
function account_activate($id) {
$this->db->begin();
$sql = "UPDATE " . MAIN_DB_PREFIX . "accounting_account ";
$sql .= "SET active = '1'";
$sql .= " WHERE rowid = " . $this->db->escape($id);
dol_syslog(get_class($this) . "::activate sql=" . $sql, LOG_DEBUG);
$result = $this->db->query($sql);
if ($result) {
@@ -517,8 +517,8 @@ class AccountingAccount extends CommonObject
return - 1;
}
}
/**
* Retourne le libelle du statut d'un user (actif, inactif)
*
@@ -529,7 +529,7 @@ class AccountingAccount extends CommonObject
{
return $this->LibStatut($this->status,$mode);
}
/**
* Renvoi le libelle d'un statut donne
*
@@ -541,7 +541,7 @@ class AccountingAccount extends CommonObject
{
global $langs;
$langs->load('users');
if ($mode == 0)
{
$prefix='';
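Review bot: In account_desactivate() and account_activate(), `" WHERE rowid = " . $this->db->escape($id)` applies escape() to a value that is not wrapped in quotes; escape() only neutralises quote and backslash characters, so on an unquoted numeric column it constrains nothing and the guard should be `$sql .= " WHERE rowid = " . (int) $id;`. The create() hunk has the same shape for `active` (`$this->db->escape($this->active)` unquoted), and update() concatenates `active = " . $this->active` and `WHERE rowid = " . $this->id` raw, as does `WHERE a.rowid = ' . $id` in info() and `fk_code_ventilation=" . $this->id` in checkUsage(); this rendering does not show which of those lines are new and which are context, but they fall squarely under what the commit sets out to fix. Most hunks in this file otherwise appear to be whitespace-only. The bodies of these methods extend beyond the hunks shown.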


@@ -325,10 +325,10 @@ class Adherent extends CommonObject
$sql.= " '".$this->db->idate($this->datec)."'";
$sql.= ", ".($this->login?"'".$this->db->escape($this->login)."'":"null");
$sql.= ", ".($user->id>0?$user->id:"null"); // Can be null because member can be created by a guest or a script
$sql.= ", null, null, '".$this->morphy."'";
$sql.= ", '".$this->typeid."'";
$sql.= ", null, null, '".$this->db->escape($this->morphy)."'";
$sql.= ", ".$this->typeid;
$sql.= ", ".$conf->entity;
$sql.= ", ".(! empty($this->import_key) ? "'".$this->import_key."'":"null");
$sql.= ", ".(! empty($this->import_key) ? "'".$this->db->escape($this->import_key)."'":"null");
$sql.= ")";
dol_syslog(get_class($this)."::create", LOG_DEBUG);
@@ -447,17 +447,17 @@ class Adherent extends CommonObject
$this->db->begin();
$sql = "UPDATE ".MAIN_DB_PREFIX."adherent SET";
$sql.= " civility = ".(!is_null($this->civility_id)?"'".$this->civility_id."'":"null");
$sql.= " civility = ".(!is_null($this->civility_id)?$this->db->escape($this->civility_id):"null");
$sql.= ", firstname = ".($this->firstname?"'".$this->db->escape($this->firstname)."'":"null");
$sql.= ", lastname=" .($this->lastname?"'".$this->db->escape($this->lastname)."'":"null");
$sql.= ", login=" .($this->login?"'".$this->db->escape($this->login)."'":"null");
$sql.= ", societe=" .($this->societe?"'".$this->db->escape($this->societe)."'":"null");
$sql.= ", fk_soc=" .($this->fk_soc > 0?"'".$this->fk_soc."'":"null");
$sql.= ", fk_soc=" .($this->fk_soc > 0?$this->db->escape($this->fk_soc):"null");
$sql.= ", address=" .($this->address?"'".$this->db->escape($this->address)."'":"null");
$sql.= ", zip=" .($this->zip?"'".$this->db->escape($this->zip)."'":"null");
$sql.= ", town=" .($this->town?"'".$this->db->escape($this->town)."'":"null");
$sql.= ", country=".($this->country_id>0?"'".$this->country_id."'":"null");
$sql.= ", state_id=".($this->state_id>0?"'".$this->state_id."'":"null");
$sql.= ", country=".($this->country_id>0?$this->db->escape($this->country_id):"null");
$sql.= ", state_id=".($this->state_id>0?$this->db->escape($this->state_id):"null");
$sql.= ", email='".$this->db->escape($this->email)."'";
$sql.= ", skype='".$this->db->escape($this->skype)."'";
$sql.= ", phone=" .($this->phone?"'".$this->db->escape($this->phone)."'":"null");
@@ -465,7 +465,7 @@ class Adherent extends CommonObject
$sql.= ", phone_mobile=" .($this->phone_mobile?"'".$this->db->escape($this->phone_mobile)."'":"null");
$sql.= ", note_private=" .($this->note_private?"'".$this->db->escape($this->note_private)."'":"null");
$sql.= ", note_public=" .($this->note_public?"'".$this->db->escape($this->note_public)."'":"null");
$sql.= ", photo=" .($this->photo?"'".$this->photo."'":"null");
$sql.= ", photo=" .($this->photo?"'".$this->db->escape($this->photo)."'":"null");
$sql.= ", public='".$this->db->escape($this->public)."'";
$sql.= ", statut=" .$this->statut;
$sql.= ", fk_adherent_type=".$this->typeid;
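Review bot: In the update() hunk, `civility`, `fk_soc`, `country` and `state_id` now go into the statement unquoted with only `$this->db->escape()` around them; escape() only neutralises quote and backslash characters, so without surrounding quotes it does not constrain the value, and these numeric columns should be cast instead, e.g. `$sql.= ", fk_soc=" .($this->fk_soc > 0?(int) $this->fk_soc:"null");`. The create() hunk has the same shape with `$this->typeid`, which lost its quotes and gained neither escape() nor a cast, and `$this->statut` / `$this->typeid` at the end of the update hunk are concatenated raw as well. Both methods start before the hunks shown.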


@@ -120,11 +120,11 @@ class Bookmark extends CommonObject
$sql.= ",title,favicon,position";
$sql.= ",entity";
$sql.= ") VALUES (";
$sql.= ($this->fk_user > 0?"'".$this->fk_user."'":"0").",";
$sql.= ($this->fk_user > 0 ? $this->fk_user:"0").",";
$sql.= " '".$this->db->idate($now)."',";
$sql.= " '".$this->url."', '".$this->target."',";
$sql.= " '".$this->db->escape($this->title)."', '".$this->favicon."', '".$this->position."'";
$sql.= ", '".$conf->entity."'";
$sql.= " '".$this->db->escape($this->url)."', '".$this->db->escape($this->target)."',";
$sql.= " '".$this->db->escape($this->title)."', '".$this->db->escape($this->favicon)."', '".$this->db->escape($this->position)."'";
$sql.= ", ".$this->db->escape($conf->entity);
$sql.= ")";
dol_syslog("Bookmark::update", LOG_DEBUG);
@@ -168,7 +168,7 @@ class Bookmark extends CommonObject
if (empty($this->position)) $this->position=0;
$sql = "UPDATE ".MAIN_DB_PREFIX."bookmark";
$sql.= " SET fk_user = ".($this->fk_user > 0?"'".$this->fk_user."'":"0");
$sql.= " SET fk_user = ".($this->fk_user > 0 ? $this->fk_user :"0");
$sql.= " ,dateb = '".$this->db->idate($this->datec)."'";
$sql.= " ,url = '".$this->db->escape($this->url)."'";
$sql.= " ,target = '".$this->db->escape($this->target)."'";
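Review bot: Both hunks now write `$this->fk_user` into the statement without quotes and without a cast, and the INSERT hunk applies `$this->db->escape()` to the unquoted `$conf->entity`, which changes nothing for a value that contains no quote or backslash characters. Integer columns are better guarded with a cast: `$sql.= ($this->fk_user > 0 ? (int) $this->fk_user : "0").",";` and `$sql.= ", ".(int) $conf->entity;`. The `dol_syslog("Bookmark::update", LOG_DEBUG);` line directly under the INSERT looks like it belongs to the update method; if this first hunk is create(), the log tag is misleading. Both methods begin outside the hunks shown.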


@@ -311,7 +311,7 @@ class Categorie extends CommonObject
$sql.= " import_key,";
$sql.= " entity";
$sql.= ") VALUES (";
$sql.= $this->fk_parent.",";
$sql.= $this->db->escape($this->fk_parent).",";
$sql.= "'".$this->db->escape($this->label)."',";
$sql.= "'".$this->db->escape($this->description)."',";
$sql.= "'".$this->db->escape($this->color)."',";
@@ -319,10 +319,10 @@ class Categorie extends CommonObject
{
$sql.= ($this->socid != -1 ? $this->socid : 'null').",";
}
$sql.= "'".$this->visible."',";
$sql.= $type.",";
$sql.= "'".$this->db->escape($this->visible)."',";
$sql.= $this->db->escape($type).",";
$sql.= (! empty($this->import_key)?"'".$this->db->escape($this->import_key)."'":'null').",";
$sql.= $conf->entity;
$sql.= $this->db->escape($conf->entity);
$sql.= ")";
$res = $this->db->query($sql);
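Review bot: `$this->db->escape($this->fk_parent)`, `$this->db->escape($type)` and `$this->db->escape($conf->entity)` in this hunk are all concatenated without quotes, where escape() does nothing for a value that has no quote or backslash characters; these are integer columns and want `(int) $this->fk_parent`, `(int) $type` and `(int) $conf->entity`. `$this->socid` in the same VALUES list is still concatenated raw behind a `!= -1` check, which does not establish that it is numeric. The enclosing create() continues outside the hunk.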


@@ -296,23 +296,23 @@ class ActionComm extends CommonObject
$sql.= "elementtype,";
$sql.= "entity";
$sql.= ") VALUES (";
$sql.= "'".$this->db->idate($now)."',";
$sql.= (strval($this->datep)!=''?"'".$this->db->idate($this->datep)."'":"null").",";
$sql.= (strval($this->datef)!=''?"'".$this->db->idate($this->datef)."'":"null").",";
$sql.= ((isset($this->durationp) && $this->durationp >= 0 && $this->durationp != '')?"'".$this->durationp."'":"null").","; // deprecated
$sql.= "'".$this->db->idate($now)."', ";
$sql.= (strval($this->datep)!=''?"'".$this->db->idate($this->datep)."'":"null").", ";
$sql.= (strval($this->datef)!=''?"'".$this->db->idate($this->datef)."'":"null").", ";
$sql.= ((isset($this->durationp) && $this->durationp >= 0 && $this->durationp != '')?"'".$this->db->escape($this->durationp)."'":"null").", "; // deprecated
$sql.= (isset($this->type_id)?$this->type_id:"null").",";
$sql.= (isset($this->type_code)?" '".$this->type_code."'":"null").",";
$sql.= ((isset($this->socid) && $this->socid > 0)?" '".$this->socid."'":"null").",";
$sql.= ((isset($this->fk_project) && $this->fk_project > 0)?" '".$this->fk_project."'":"null").",";
$sql.= " '".$this->db->escape($this->note)."',";
$sql.= ((isset($this->contactid) && $this->contactid > 0)?"'".$this->contactid."'":"null").",";
$sql.= (isset($user->id) && $user->id > 0 ? "'".$user->id."'":"null").",";
$sql.= ($userownerid>0?"'".$userownerid."'":"null").",";
$sql.= ($userdoneid>0?"'".$userdoneid."'":"null").",";
$sql.= "'".$this->db->escape($this->label)."','".$this->percentage."','".$this->priority."','".$this->fulldayevent."','".$this->db->escape($this->location)."','".$this->punctual."',";
$sql.= "'".$this->transparency."',";
$sql.= (! empty($this->fk_element)?$this->fk_element:"null").",";
$sql.= (! empty($this->elementtype)?"'".$this->elementtype."'":"null").",";
$sql.= (isset($this->type_code)?" '".$this->db->escape($this->type_code)."'":"null").", ";
$sql.= ((isset($this->socid) && $this->socid > 0) ? $this->socid:"null").", ";
$sql.= ((isset($this->fk_project) && $this->fk_project > 0) ? $this->fk_project:"null").", ";
$sql.= " '".$this->db->escape($this->note)."', ";
$sql.= ((isset($this->contactid) && $this->contactid > 0) ? $this->contactid:"null").", ";
$sql.= (isset($user->id) && $user->id > 0 ? $user->id:"null").", ";
$sql.= ($userownerid>0 ? $userownerid:"null").", ";
$sql.= ($userdoneid>0 ? $userdoneid:"null").", ";
$sql.= "'".$this->db->escape($this->label)."','".$this->db->escape($this->percentage)."','".$this->db->escape($this->priority)."','".$this->db->escape($this->fulldayevent)."','".$this->db->escape($this->location)."','".$this->db->escape($this->punctual)."', ";
$sql.= "'".$this->db->escape($this->transparency)."', ";
$sql.= (! empty($this->fk_element)?$this->fk_element:"null").", ";
$sql.= (! empty($this->elementtype)?"'".$this->db->escape($this->elementtype)."'":"null").", ";
$sql.= $conf->entity;
$sql.= ")";
@@ -758,11 +758,11 @@ class ActionComm extends CommonObject
$sql.= ", label = ".($this->label ? "'".$this->db->escape($this->label)."'":"null");
$sql.= ", datep = ".(strval($this->datep)!='' ? "'".$this->db->idate($this->datep)."'" : 'null');
$sql.= ", datep2 = ".(strval($this->datef)!='' ? "'".$this->db->idate($this->datef)."'" : 'null');
$sql.= ", durationp = ".(isset($this->durationp) && $this->durationp >= 0 && $this->durationp != ''?"'".$this->durationp."'":"null"); // deprecated
$sql.= ", durationp = ".(isset($this->durationp) && $this->durationp >= 0 && $this->durationp != ''?"'".$this->db->escape($this->durationp)."'":"null"); // deprecated
$sql.= ", note = ".($this->note ? "'".$this->db->escape($this->note)."'":"null");
$sql.= ", fk_project =". ($this->fk_project > 0 ? "'".$this->fk_project."'":"null");
$sql.= ", fk_soc =". ($socid > 0 ? "'".$socid."'":"null");
$sql.= ", fk_contact =". ($contactid > 0 ? "'".$contactid."'":"null");
$sql.= ", fk_project =". ($this->fk_project > 0 ? $this->fk_project:"null");
$sql.= ", fk_soc =". ($socid > 0 ? $socid:"null");
$sql.= ", fk_contact =". ($contactid > 0 ? $contactid:"null");
$sql.= ", priority = '".$this->db->escape($this->priority)."'";
$sql.= ", fulldayevent = '".$this->db->escape($this->fulldayevent)."'";
$sql.= ", location = ".($this->location ? "'".$this->db->escape($this->location)."'":"null");
@@ -770,8 +770,8 @@ class ActionComm extends CommonObject
$sql.= ", fk_user_mod = ".$user->id;
$sql.= ", fk_user_action=".($userownerid > 0 ? "'".$userownerid."'":"null");
$sql.= ", fk_user_done=".($userdoneid > 0 ? "'".$userdoneid."'":"null");
if (! empty($this->fk_element)) $sql.= ", fk_element=".($this->fk_element?$this->fk_element:"null");
if (! empty($this->elementtype)) $sql.= ", elementtype=".($this->elementtype?"'".$this->elementtype."'":"null");
if (! empty($this->fk_element)) $sql.= ", fk_element=".($this->fk_element?$this->db->escape($this->fk_element):"null");
if (! empty($this->elementtype)) $sql.= ", elementtype=".($this->elementtype?"'".$this->db->escape($this->elementtype)."'":"null");
$sql.= " WHERE id=".$this->id;
dol_syslog(get_class($this)."::update", LOG_DEBUG);
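Review bot: In the create() hunk, `socid`, `fk_project`, `contactid`, `$user->id`, `$userownerid` and `$userdoneid` had their quotes removed but received neither escape() nor a cast, so the raw value is concatenated; the `> 0` checks guarding them are loose numeric comparisons and do not guarantee an integer. The update() hunk does the same for `fk_project`, `fk_soc` and `fk_contact`, and escapes `fk_element` without quotes, which offers no protection for an unquoted value. A cast is the right guard for these integer columns, e.g. `$sql.= ((isset($this->socid) && $this->socid > 0) ? (int) $this->socid:"null").", ";`. `$this->type_id` in the VALUES list and `WHERE id=".$this->id` in update() are concatenated raw as well. Both methods extend beyond the hunks shown.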


@@ -121,7 +121,7 @@ class AdvanceTargetingMailing extends CommonObject
$sql.= " ".(! isset($this->name)?'NULL':"'".$this->db->escape($this->name)."'").",";
$sql.= " ".$conf->entity.",";
$sql.= " ".(! isset($this->fk_mailing)?'NULL':"'".$this->fk_mailing."'").",";
$sql.= " ".(! isset($this->fk_mailing)?'NULL':"'".$this->db->escape($this->fk_mailing)."'").",";
$sql.= " ".(! isset($this->filtervalue)?'NULL':"'".$this->db->escape($this->filtervalue)."'").",";
$sql.= " ".$user->id.",";
$sql.= " '".$this->db->idate(dol_now())."',";
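Review bot: `$conf->entity` and `$user->id` in this VALUES list are still concatenated without quotes, escape() or a cast, while the changed line escapes `fk_mailing` inside quotes; for the numeric columns a cast closes the remaining gap, `$sql.= " ".(int) $conf->entity.",";` and `$sql.= " ".(int) $user->id.",";`. Since `fk_mailing` is a foreign key, `(int) $this->fk_mailing` would be the more precise guard there too. The enclosing create() starts and ends outside the hunk.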


@@ -938,7 +938,7 @@ class Propal extends CommonObject
$sql.= ", '".$this->db->escape($this->multicurrency_code)."'";
$sql.= ", ".(double) $this->multicurrency_tx;
$sql.= ")";
dol_syslog(get_class($this)."::create", LOG_DEBUG);
$resql=$this->db->query($sql);
if ($resql)
@@ -3772,28 +3772,28 @@ class PropaleLigne extends CommonObjectLine
$sql.= ' date_start, date_end';
$sql.= ', fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc)';
$sql.= " VALUES (".$this->fk_propal.",";
$sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").",";
$sql.= " ".($this->fk_parent_line>0?"'".$this->db->escape($this->fk_parent_line)."'":"null").",";
$sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
$sql.= " '".$this->db->escape($this->desc)."',";
$sql.= " ".($this->fk_product?"'".$this->fk_product."'":"null").",";
$sql.= " '".$this->product_type."',";
$sql.= " ".($this->fk_remise_except?"'".$this->fk_remise_except."'":"null").",";
$sql.= " ".($this->fk_product?"'".$this->db->escape($this->fk_product)."'":"null").",";
$sql.= " '".$this->db->escape($this->product_type)."',";
$sql.= " ".($this->fk_remise_except?"'".$this->db->escape($this->fk_remise_except)."'":"null").",";
$sql.= " ".price2num($this->qty).",";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").",";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").",";
$sql.= " ".price2num($this->tva_tx).",";
$sql.= " ".price2num($this->localtax1_tx).",";
$sql.= " ".price2num($this->localtax2_tx).",";
$sql.= " '".$this->localtax1_type."',";
$sql.= " '".$this->localtax2_type."',";
$sql.= " '".$this->db->escape($this->localtax1_type)."',";
$sql.= " '".$this->db->escape($this->localtax2_type)."',";
$sql.= " ".($this->subprice?price2num($this->subprice):"null").",";
$sql.= " ".price2num($this->remise_percent).",";
$sql.= " ".(isset($this->info_bits)?"'".$this->info_bits."'":"null").",";
$sql.= " ".(isset($this->info_bits)?"'".$this->db->escape($this->info_bits)."'":"null").",";
$sql.= " ".price2num($this->total_ht).",";
$sql.= " ".price2num($this->total_tva).",";
$sql.= " ".price2num($this->total_localtax1).",";
$sql.= " ".price2num($this->total_localtax2).",";
$sql.= " ".price2num($this->total_ttc).",";
$sql.= " ".(!empty($this->fk_fournprice)?"'".$this->fk_fournprice."'":"null").",";
$sql.= " ".(!empty($this->fk_fournprice)?"'".$this->db->escape($this->fk_fournprice)."'":"null").",";
$sql.= " ".(isset($this->pa_ht)?"'".price2num($this->pa_ht)."'":"null").",";
$sql.= ' '.$this->special_code.',';
$sql.= ' '.$this->rang.',';
@@ -3975,7 +3975,7 @@ class PropaleLigne extends CommonObjectLine
$sql.= ", total_localtax1=".price2num($this->total_localtax1)."";
$sql.= ", total_localtax2=".price2num($this->total_localtax2)."";
}
$sql.= ", fk_product_fournisseur_price=".(! empty($this->fk_fournprice)?"'".$this->fk_fournprice."'":"null");
$sql.= ", fk_product_fournisseur_price=".(! empty($this->fk_fournprice)?"'".$this->db->escape($this->fk_fournprice)."'":"null");
$sql.= ", buy_price_ht=".price2num($this->pa_ht);
if (strlen($this->special_code)) $sql.= ", special_code=".$this->special_code;
$sql.= ", fk_parent_line=".($this->fk_parent_line>0?$this->fk_parent_line:"null");
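Review bot: In the PropaleLigne insert() hunk, `$this->fk_propal`, `$this->special_code` and `$this->rang` are concatenated into the VALUES list unquoted and uncast, and the update() hunk does the same with `special_code=".$this->special_code` (guarded only by strlen()) and `fk_parent_line`. These are integer columns and a cast is the right guard, e.g. `$sql.= " VALUES (".(int) $this->fk_propal.",";` and `if (strlen($this->special_code)) $sql.= ", special_code=".(int) $this->special_code;`. The quoted `'".$this->db->escape($this->fk_parent_line)."'` form on the changed lines works, but a cast would say what the column is. The first hunk of this file appears to be whitespace-only. Both methods extend outside the hunks shown.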


@@ -775,11 +775,11 @@ class Commande extends CommonOrder
$sql.= ", ".($this->ref_client?"'".$this->db->escape($this->ref_client)."'":"null");
$sql.= ", ".($this->ref_int?"'".$this->db->escape($this->ref_int)."'":"null");
$sql.= ", '".$this->db->escape($this->modelpdf)."'";
$sql.= ", ".($this->cond_reglement_id>0?"'".$this->cond_reglement_id."'":"null");
$sql.= ", ".($this->mode_reglement_id>0?"'".$this->mode_reglement_id."'":"null");
$sql.= ", ".($this->cond_reglement_id>0?$this->cond_reglement_id:"null");
$sql.= ", ".($this->mode_reglement_id>0?$this->mode_reglement_id:"null");
$sql.= ", ".($this->fk_account>0?$this->fk_account:'NULL');
$sql.= ", ".($this->availability_id>0?"'".$this->availability_id."'":"null");
$sql.= ", ".($this->demand_reason_id>0?"'".$this->demand_reason_id."'":"null");
$sql.= ", ".($this->availability_id>0?$this->availability_id:"null");
$sql.= ", ".($this->demand_reason_id>0?$this->demand_reason_id:"null");
$sql.= ", ".($this->date_livraison?"'".$this->db->idate($this->date_livraison)."'":"null");
$sql.= ", ".($this->fk_delivery_address>0?$this->fk_delivery_address:'NULL');
$sql.= ", ".($this->shipping_method_id>0?$this->shipping_method_id:'NULL');
@@ -3995,18 +3995,18 @@ class OrderLine extends CommonOrderLine
$sql.= ', fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc';
$sql.= ')';
$sql.= " VALUES (".$this->fk_commande.",";
$sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").",";
$sql.= " ".($this->fk_parent_line>0?"'".$this->db->escape($this->fk_parent_line)."'":"null").",";
$sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
$sql.= " '".$this->db->escape($this->desc)."',";
$sql.= " '".price2num($this->qty)."',";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").",";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").",";
$sql.= " '".price2num($this->tva_tx)."',";
$sql.= " '".price2num($this->localtax1_tx)."',";
$sql.= " '".price2num($this->localtax2_tx)."',";
$sql.= " '".$this->localtax1_type."',";
$sql.= " '".$this->localtax2_type."',";
$sql.= " '".$this->db->escape($this->localtax1_type)."',";
$sql.= " '".$this->db->escape($this->localtax2_type)."',";
$sql.= ' '.(! empty($this->fk_product)?$this->fk_product:"null").',';
$sql.= " '".$this->product_type."',";
$sql.= " '".$this->db->escape($this->product_type)."',";
$sql.= " '".price2num($this->remise_percent)."',";
$sql.= " ".($this->subprice!=''?"'".price2num($this->subprice)."'":"null").",";
$sql.= " ".($this->price!=''?"'".price2num($this->price)."'":"null").",";
@@ -4016,7 +4016,7 @@ class OrderLine extends CommonOrderLine
$sql.= ' '.$this->rang.',';
$sql.= ' '.(! empty($this->fk_fournprice)?$this->fk_fournprice:"null").',';
$sql.= ' '.price2num($this->pa_ht).',';
$sql.= " '".$this->info_bits."',";
$sql.= " '".$this->db->escape($this->info_bits)."',";
$sql.= " '".price2num($this->total_ht)."',";
$sql.= " '".price2num($this->total_tva)."',";
$sql.= " '".price2num($this->total_localtax1)."',";
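Review bot: In the Commande create() hunk, `cond_reglement_id`, `mode_reglement_id`, `availability_id` and `demand_reason_id` lost their quotes without gaining a cast, so after a `> 0` check that is only a loose numeric comparison the raw value is concatenated; `(int)` is the right guard, e.g. `$sql.= ", ".($this->cond_reglement_id>0?(int) $this->cond_reglement_id:"null");`. The OrderLine insert() hunks leave `$this->fk_commande`, `fk_product`, `$this->rang` and `fk_fournprice` raw in the same way. Both methods extend outside the hunks shown.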


@@ -573,21 +573,21 @@ class Account extends CommonObject
$sql.= ", '".$this->db->escape($this->account_number)."'";
$sql.= ", ".($this->fk_accountancy_journal > 0 ? $this->db->escape($this->fk_accountancy_journal) : "null");
$sql.= ", '".$this->db->escape($this->bank)."'";
$sql.= ", '".$this->code_banque."'";
$sql.= ", '".$this->code_guichet."'";
$sql.= ", '".$this->number."'";
$sql.= ", '".$this->cle_rib."'";
$sql.= ", '".$this->bic."'";
$sql.= ", '".$this->iban."'";
$sql.= ", '".$this->db->escape($this->code_banque)."'";
$sql.= ", '".$this->db->escape($this->code_guichet)."'";
$sql.= ", '".$this->db->escape($this->number)."'";
$sql.= ", '".$this->db->escape($this->cle_rib)."'";
$sql.= ", '".$this->db->escape($this->bic)."'";
$sql.= ", '".$this->db->escape($this->iban)."'";
$sql.= ", '".$this->db->escape($this->domiciliation)."'";
$sql.= ", '".$this->db->escape($this->proprio)."'";
$sql.= ", '".$this->db->escape($this->owner_address)."'";
$sql.= ", '".$this->currency_code."'";
$sql.= ", '".$this->db->escape($this->currency_code)."'";
$sql.= ", ".$this->rappro;
$sql.= ", ".price2num($this->min_allowed);
$sql.= ", ".price2num($this->min_desired);
$sql.= ", '".$this->db->escape($this->comment)."'";
$sql.= ", ".($this->state_id>0?"'".$this->state_id."'":"null");
$sql.= ", ".($this->state_id>0?$this->state_id:"null");
$sql.= ", ".$this->country_id;
$sql.= ")";
@@ -702,7 +702,7 @@ class Account extends CommonObject
$sql.= ",courant = ".$this->courant;
$sql.= ",clos = ".$this->clos;
$sql.= ",rappro = ".$this->rappro;
$sql.= ",url = ".($this->url?"'".$this->url."'":"null");
$sql.= ",url = ".($this->url?"'".$this->db->escape($this->url)."'":"null");
$sql.= ",account_number = '".$this->db->escape($this->account_number)."'";
$sql.= ",fk_accountancy_journal = ".($this->fk_accountancy_journal > 0 ? $this->db->escape($this->fk_accountancy_journal) : "null");
$sql.= ",bank = '".$this->db->escape($this->bank)."'";
@@ -722,7 +722,7 @@ class Account extends CommonObject
$sql.= ",min_desired = ".($this->min_desired != '' ? price2num($this->min_desired) : "null");
$sql.= ",comment = '".$this->db->escape($this->comment)."'";
$sql.= ",state_id = ".($this->state_id>0?"'".$this->state_id."'":"null");
$sql.= ",state_id = ".($this->state_id>0?$this->state_id:"null");
$sql.= ",fk_pays = ".$this->country_id;
$sql.= " WHERE rowid = ".$this->id;
@@ -807,7 +807,7 @@ class Account extends CommonObject
$sql.= ",domiciliation='".$this->db->escape($this->domiciliation)."'";
$sql.= ",proprio = '".$this->db->escape($this->proprio)."'";
$sql.= ",owner_address = '".$this->db->escape($this->owner_address)."'";
$sql.= ",state_id = ".($this->state_id>0?"'".$this->state_id."'":"null");
$sql.= ",state_id = ".($this->state_id>0?$this->state_id:"null");
$sql.= ",fk_pays = ".$this->country_id;
$sql.= " WHERE rowid = ".$this->id;
$sql.= " AND entity = ".$conf->entity;
@@ -1694,9 +1694,9 @@ class AccountLine extends CommonObject
$sql .= ", '".$this->db->idate($this->datev)."'";
$sql .= ", '".$this->db->escape($this->label)."'";
$sql .= ", ".price2num($this->amount);
$sql .= ", ".($this->fk_user_author > 0 ? "'".$this->fk_user_author."'":"null");
$sql .= ", ".($this->num_chq ? "'".$this->num_chq."'" : "null");
$sql .= ", '".$this->fk_account."'";
$sql .= ", ".($this->fk_user_author > 0 ? $this->fk_user_author :"null");
$sql .= ", ".($this->num_chq ? "'".$this->db->escape($this->num_chq)."'" : "null");
$sql .= ", '".$this->db->escape($this->fk_account)."'";
$sql .= ", '".$this->db->escape($this->fk_type)."'";
$sql .= ", ".($this->emetteur ? "'".$this->db->escape($this->emetteur)."'" : "null");
$sql .= ", ".($this->bank_chq ? "'".$this->db->escape($this->bank_chq)."'" : "null");
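Review bot: The Account create() and update() hunks switch `state_id` to an unquoted, uncast value, while the neighbouring lines concatenate `$this->rappro`, `$this->country_id`, `$this->courant`, `$this->clos` and `$this->id` raw; in AccountLine::insert(), `fk_user_author` is now unquoted and uncast as well. An integer cast is the right guard for these columns, e.g. `$sql.= ", ".($this->state_id>0?(int) $this->state_id:"null");`. The quoted `$this->db->escape($this->fk_account)` on the inserted line works but treats an integer key as a string. The methods extend outside the hunks shown.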


@@ -107,7 +107,7 @@ class Deplacement extends CommonObject
$sql.= ", ".$conf->entity;
$sql.= ", ".$user->id;
$sql.= ", ".$this->fk_user;
$sql.= ", '".$this->type."'";
$sql.= ", '".$this->db->escape($this->type)."'";
$sql.= ", ".($this->note_private?"'".$this->db->escape($this->note_private)."'":"null");
$sql.= ", ".($this->note_public?"'".$this->db->escape($this->note_public)."'":"null");
$sql.= ", ".($this->fk_project > 0? $this->fk_project : 0);
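Review bot: `$this->fk_user`, `$user->id` and `$this->fk_project` in this VALUES list are concatenated without quotes, escape() or a cast, while only `type` is escaped on the changed line. For integer columns a cast is the right guard: `$sql.= ", ".(int) $this->fk_user;` and `$sql.= ", ".($this->fk_project > 0? (int) $this->fk_project : 0);`. The enclosing create() starts and ends outside the hunk.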


@@ -141,7 +141,7 @@ class FactureRec extends CommonInvoice
$sql.= ", nb_gen_max";
$sql.= ", auto_validate";
$sql.= ") VALUES (";
$sql.= "'".$this->titre."'";
$sql.= "'".$this->db->escape($this->titre)."'";
$sql.= ", ".$facsrc->socid;
$sql.= ", ".$conf->entity;
$sql.= ", '".$this->db->idate($now)."'";
@@ -149,11 +149,11 @@ class FactureRec extends CommonInvoice
$sql.= ", ".(!empty($facsrc->remise)?$this->remise:'0');
$sql.= ", ".(!empty($this->note_private)?("'".$this->db->escape($this->note_private)."'"):"NULL");
$sql.= ", ".(!empty($this->note_public)?("'".$this->db->escape($this->note_public)."'"):"NULL");
$sql.= ", '".$user->id."'";
$sql.= ", '".$this->db->escape($user->id)."'";
$sql.= ", ".(! empty($facsrc->fk_project)?"'".$facsrc->fk_project."'":"null");
$sql.= ", ".(! empty($facsrc->fk_account)?"'".$facsrc->fk_account."'":"null");
$sql.= ", '".$facsrc->cond_reglement_id."'";
$sql.= ", '".$facsrc->mode_reglement_id."'";
$sql.= ", '".$this->db->escape($facsrc->cond_reglement_id)."'";
$sql.= ", '".$this->db->escape($facsrc->mode_reglement_id)."'";
$sql.= ", ".$this->usenewprice;
$sql.= ", ".$this->frequency;
$sql.= ", '".$this->db->escape($this->unit_frequency)."'";
@@ -1504,7 +1504,7 @@ class FactureLigneRec extends CommonInvoiceLine
$sql.= ", localtax1_type='".$this->db->escape($this->localtax1_type)."'";
$sql.= ", localtax2_tx=".price2num($this->localtax2_tx);
$sql.= ", localtax2_type='".$this->db->escape($this->localtax2_type)."'";
$sql.= ", fk_product=".(! empty($this->fk_product)?"'".$this->fk_product."'":"null");
$sql.= ", fk_product=".($this->fk_product > 0 ? $this->fk_product :"null");
$sql.= ", product_type=".$this->product_type;
$sql.= ", remise_percent='".price2num($this->remise_percent)."'";
$sql.= ", subprice='".price2num($this->subprice)."'";
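Review bot: `fk_project` and `fk_account` taken from `$facsrc` are still written as quoted, unescaped literals on the two lines between the rewritten `$user->id` and `cond_reglement_id` lines, so the hunk escapes its neighbours but leaves the identical pattern in the middle. Since these are foreign keys, a cast is the cleanest fix: `$sql.= ", ".(! empty($facsrc->fk_project) ? (int) $facsrc->fk_project : "null");` and likewise for `fk_account`. The enclosing method starts and ends outside the hunk.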


@@ -4446,16 +4446,16 @@ class FactureLigne extends CommonInvoiceLine
$sql.= ' fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc';
$sql.= ')';
$sql.= " VALUES (".$this->fk_facture.",";
$sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").",";
$sql.= " ".($this->fk_parent_line>0 ? $this->fk_parent_line:"null").",";
$sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
$sql.= " '".$this->db->escape($this->desc)."',";
$sql.= " ".price2num($this->qty).",";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").",";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").",";
$sql.= " ".price2num($this->tva_tx).",";
$sql.= " ".price2num($this->localtax1_tx).",";
$sql.= " ".price2num($this->localtax2_tx).",";
$sql.= " '".$this->localtax1_type."',";
$sql.= " '".$this->localtax2_type."',";
$sql.= " '".$this->db->escape($this->localtax1_type)."',";
$sql.= " '".$this->db->escape($this->localtax2_type)."',";
$sql.= ' '.(! empty($this->fk_product)?$this->fk_product:"null").',';
$sql.= " ".$this->product_type.",";
$sql.= " ".price2num($this->remise_percent).",";
@@ -4468,7 +4468,7 @@ class FactureLigne extends CommonInvoiceLine
$sql.= ' '.$this->special_code.',';
$sql.= ' '.(! empty($this->fk_fournprice)?$this->fk_fournprice:"null").',';
$sql.= ' '.price2num($this->pa_ht).',';
$sql.= " '".$this->info_bits."',";
$sql.= " '".$this->db->escape($this->info_bits)."',";
$sql.= " ".price2num($this->total_ht).",";
$sql.= " ".price2num($this->total_tva).",";
$sql.= " ".price2num($this->total_ttc).",";


@@ -85,13 +85,11 @@ class PaymentTerm // extends CommonObject
if (isset($this->decalage)) $this->decalage=trim($this->decalage);
// Check parameters
// Put here code to add control on parameters values
// Insert request
$sql = "INSERT INTO ".MAIN_DB_PREFIX."c_payment_term(";
$sql.= "rowid,";
$sql.= "code,";
$sql.= "sortorder,";
@@ -101,21 +99,16 @@ class PaymentTerm // extends CommonObject
$sql.= "type_cdr,";
$sql.= "nbjour,";
$sql.= "decalage";
$sql.= ") VALUES (";
$sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->rowid."'").",";
$sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->db->escape($this->rowid)."'").",";
$sql.= " ".(! isset($this->code)?'NULL':"'".$this->db->escape($this->code)."'").",";
$sql.= " ".(! isset($this->sortorder)?'NULL':"'".$this->sortorder."'").",";
$sql.= " ".(! isset($this->active)?'NULL':"'".$this->active."'").",";
$sql.= " ".(! isset($this->sortorder)?'NULL':"'".$this->db->escape($this->sortorder)."'").",";
$sql.= " ".(! isset($this->active)?'NULL':"'".$this->db->escape($this->active)."'").",";
$sql.= " ".(! isset($this->libelle)?'NULL':"'".$this->db->escape($this->libelle)."'").",";
$sql.= " ".(! isset($this->libelle_facture)?'NULL':"'".$this->db->escape($this->libelle_facture)."'").",";
$sql.= " ".(! isset($this->type_cdr)?'NULL':"'".$this->type_cdr."'").",";
$sql.= " ".(! isset($this->nbjour)?'NULL':"'".$this->nbjour."'").",";
$sql.= " ".(! isset($this->decalage)?'NULL':"'".$this->decalage."'")."";
$sql.= " ".(! isset($this->type_cdr)?'NULL':"'".$this->db->escape($this->type_cdr)."'").",";
$sql.= " ".(! isset($this->nbjour)?'NULL':"'".$this->db->escape($this->nbjour)."'").",";
$sql.= " ".(! isset($this->decalage)?'NULL':"'".$this->db->escape($this->decalage)."'")."";
$sql.= ")";
$this->db->begin();
@@ -285,7 +278,6 @@ class PaymentTerm // extends CommonObject
// Update request
$sql = "UPDATE ".MAIN_DB_PREFIX."c_payment_term SET";
$sql.= " code=".(isset($this->code)?"'".$this->db->escape($this->code)."'":"null").",";
$sql.= " sortorder=".(isset($this->sortorder)?$this->sortorder:"null").",";
$sql.= " active=".(isset($this->active)?$this->active:"null").",";
@@ -294,8 +286,6 @@ class PaymentTerm // extends CommonObject
$sql.= " type_cdr=".(isset($this->type_cdr)?$this->type_cdr:"null").",";
$sql.= " nbjour=".(isset($this->nbjour)?$this->nbjour:"null").",";
$sql.= " decalage=".(isset($this->decalage)?$this->decalage:"null")."";
$sql.= " WHERE rowid=".$this->id;
$this->db->begin();
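Review bot: The UPDATE in the last two hunks still concatenates `sortorder`, `active`, `type_cdr`, `nbjour` and `decalage` bare (`isset($this->sortorder)?$this->sortorder:"null"`) as well as `WHERE rowid=".$this->id`, while the INSERT above now escapes the same fields, so the commit closes one path and leaves the other. These look like integer columns, so `(int)` casts on both paths, e.g. `$sql.= " sortorder=".(isset($this->sortorder) ? (int) $this->sortorder : "null").",";` and `$sql.= " WHERE rowid=".(int) $this->id;`, would close the gap without the quote-and-escape detour used in the INSERT. Both method bodies extend beyond the hunks shown.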


@@ -87,12 +87,12 @@ class Localtax extends CommonObject
$sql.= " '".$this->db->idate($this->tms)."',";
$sql.= " '".$this->db->idate($this->datep)."',";
$sql.= " '".$this->db->idate($this->datev)."',";
$sql.= " '".$this->amount."',";
$sql.= " '".$this->label."',";
$sql.= " '".$this->note."',";
$sql.= " ".($this->fk_bank <= 0 ? "NULL" : "'".$this->fk_bank."'").",";
$sql.= " '".$this->fk_user_creat."',";
$sql.= " '".$this->fk_user_modif."'";
$sql.= " '".$this->db->escape($this->amount)."',";
$sql.= " '".$this->db->escape($this->label)."',";
$sql.= " '".$this->db->escape($this->note)."',";
$sql.= " ".($this->fk_bank <= 0 ? "NULL" : "'".$this->db->escape($this->fk_bank)."'").",";
$sql.= " '".$this->db->escape($this->fk_user_creat)."',";
$sql.= " '".$this->db->escape($this->fk_user_modif)."'";
$sql.= ")";
dol_syslog(get_class($this)."::create", LOG_DEBUG);
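Review bot: `amount` is now wrapped in quotes and passed through `escape()`, but it is a monetary value and the rest of this commit normalises those with `price2num()` (see the AccountLine and FactureLigneRec hunks); `$sql.= " ".price2num($this->amount).",";` keeps the numeric type and the existing convention. The Tva create hunk has the identical line and the same remark applies there. `fk_bank`, `fk_user_creat` and `fk_user_modif` are foreign keys and would be better as `(int)` casts than as quoted escaped strings. The enclosing method starts and ends outside the hunk.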


@@ -108,7 +108,7 @@ class PaymentSalary extends CommonObject
$sql.= " datesp='".$this->db->idate($this->datesp)."',";
$sql.= " dateep='".$this->db->idate($this->dateep)."',";
$sql.= " note='".$this->db->escape($this->note)."',";
$sql.= " fk_bank=".($this->fk_bank > 0 ? "'".$this->fk_bank."'":"null").",";
$sql.= " fk_bank=".($this->fk_bank > 0 ? "'".$this->db->escape($this->fk_bank)."'":"null").",";
$sql.= " fk_user_author=".$this->fk_user_author.",";
$sql.= " fk_user_modif=".$this->fk_user_modif;
@@ -344,18 +344,18 @@ class PaymentSalary extends CommonObject
$sql.= ", entity";
$sql.= ") ";
$sql.= " VALUES (";
$sql.= "'".$this->fk_user."'";
$sql.= "'".$this->db->escape($this->fk_user)."'";
$sql.= ", '".$this->db->idate($this->datep)."'";
$sql.= ", '".$this->db->idate($this->datev)."'";
$sql.= ", ".$this->amount;
$sql.= ", ".($this->salary > 0 ? $this->salary : "null");
$sql.= ", '".$this->type_payment."'";
$sql.= ", '".$this->num_payment."'";
$sql.= ", '".$this->db->escape($this->type_payment)."'";
$sql.= ", '".$this->db->escape($this->num_payment)."'";
if ($this->note) $sql.= ", '".$this->db->escape($this->note)."'";
$sql.= ", '".$this->db->escape($this->label)."'";
$sql.= ", '".$this->db->idate($this->datesp)."'";
$sql.= ", '".$this->db->idate($this->dateep)."'";
$sql.= ", '".$user->id."'";
$sql.= ", '".$this->db->escape($user->id)."'";
$sql.= ", '".$this->db->idate($now)."'";
$sql.= ", NULL";
$sql.= ", ".$conf->entity;


@@ -26,7 +26,7 @@
require_once DOL_DOCUMENT_ROOT.'/core/class/commonobject.class.php';
/**
/**
* Classe permettant la gestion des paiements des charges
* La tva collectee n'est calculee que sur les factures payees.
*/
@@ -36,7 +36,7 @@ class ChargeSociales extends CommonObject
public $table='chargesociales';
public $table_element='chargesociales';
public $picto = 'bill';
/**
* {@inheritdoc}
*/
@@ -110,7 +110,7 @@ class ChargeSociales extends CommonObject
$this->paye = $obj->paye;
$this->periode = $this->db->jdate($obj->periode);
$this->import_key = $this->import_key;
$this->db->free($resql);
return 1;
@@ -171,8 +171,8 @@ class ChargeSociales extends CommonObject
$sql = "INSERT INTO ".MAIN_DB_PREFIX."chargesociales (fk_type, fk_account, fk_mode_reglement, libelle, date_ech, periode, amount, fk_projet, entity, fk_user_author, date_creation)";
$sql.= " VALUES (".$this->type;
$sql.= ", ".($this->fk_account>0?$this->fk_account:'NULL');
$sql.= ", ".($this->mode_reglement_id>0?"'".$this->mode_reglement_id."'":"NULL");
$sql.= ", ".($this->fk_account>0 ? $this->fk_account:'NULL');
$sql.= ", ".($this->mode_reglement_id>0 ? $this->mode_reglement_id:"NULL");
$sql.= ", '".$this->db->escape($this->lib)."'";
$sql.= ", '".$this->db->idate($this->date_ech)."'";
$sql.= ", '".$this->db->idate($this->periode)."'";
@@ -378,7 +378,7 @@ class ChargeSociales extends CommonObject
if ($return) return 1;
else return -1;
}
/**
* Retourne le libelle du statut d'une charge (impaye, payee)
*
@@ -445,7 +445,7 @@ class ChargeSociales extends CommonObject
if ($statut == 0 && $alreadypaid > 0) return $langs->trans("BillStatusStarted").' '.img_picto($langs->trans("BillStatusStarted"), 'statut3');
if ($statut == 1) return $langs->trans("Paid").' '.img_picto($langs->trans("Paid"), 'statut6');
}
return "Error, mode/status not found";
}
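Review bot: In the fetch hunk, `$this->import_key = $this->import_key;` assigns the property to itself, so `import_key` is never loaded from the row; presumably `$this->import_key = $obj->import_key;` was intended, provided the SELECT (outside the hunk) fetches that column. Separately, the create hunk still opens its VALUES list with a bare `$this->type` while the two lines after it were reworked; `$sql.= " VALUES (".(int) $this->type;` would match the integer treatment given to `fk_account` and `mode_reglement_id`. Neither method body is fully visible in the hunks.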


@@ -106,12 +106,12 @@ class Tva extends CommonObject
$sql.= " '".$this->db->idate($now)."',";
$sql.= " '".$this->db->idate($this->datep)."',";
$sql.= " '".$this->db->idate($this->datev)."',";
$sql.= " '".$this->amount."',";
$sql.= " '".$this->label."',";
$sql.= " '".$this->note."',";
$sql.= " ".($this->fk_bank <= 0 ? "NULL" : "'".$this->fk_bank."'").",";
$sql.= " '".$this->fk_user_creat."',";
$sql.= " '".$this->fk_user_modif."'";
$sql.= " '".$this->db->escape($this->amount)."',";
$sql.= " '".$this->db->escape($this->label)."',";
$sql.= " '".$this->db->escape($this->note)."',";
$sql.= " ".($this->fk_bank <= 0 ? "NULL" : "'".$this->db->escape($this->fk_bank)."'").",";
$sql.= " '".$this->db->escape($this->fk_user_creat)."',";
$sql.= " '".$this->db->escape($this->fk_user_modif)."'";
$sql.= ")";
@@ -535,11 +535,11 @@ class Tva extends CommonObject
$sql.= "'".$this->db->idate($this->datep)."'";
$sql.= ", '".$this->db->idate($this->datev)."'";
$sql.= ", ".$this->amount;
$sql.= ", '".$this->type_payment."'";
$sql.= ", '".$this->num_payment."'";
$sql.= ", '".$this->db->escape($this->type_payment)."'";
$sql.= ", '".$this->db->escape($this->num_payment)."'";
if ($this->note) $sql.=", '".$this->db->escape($this->note)."'";
if ($this->label) $sql.=", '".$this->db->escape($this->label)."'";
$sql.= ", '".$user->id."'";
$sql.= ", '".$this->db->escape($user->id)."'";
$sql.= ", NULL";
$sql.= ", ".$conf->entity;
$sql.= ")";


@@ -200,7 +200,7 @@ class Contact extends CommonObject
$sql.= " ".(! empty($this->canvas)?"'".$this->db->escape($this->canvas)."'":"null").",";
$sql.= " ".$conf->entity.",";
$sql.= "'".$this->db->escape($this->ref_ext)."',";
$sql.= " ".(! empty($this->import_key)?"'".$this->import_key."'":"null");
$sql.= " ".(! empty($this->import_key)?"'".$this->db->escape($this->import_key)."'":"null");
$sql.= ")";
dol_syslog(get_class($this)."::create", LOG_DEBUG);
@@ -319,9 +319,9 @@ class Contact extends CommonObject
$sql .= ", jabberid = ".(isset($this->jabberid)?"'".$this->db->escape($this->jabberid)."'":"null");
$sql .= ", priv = '".$this->db->escape($this->priv)."'";
$sql .= ", statut = ".$this->statut;
$sql .= ", fk_user_modif=".($user->id > 0 ? "'".$user->id."'":"NULL");
$sql .= ", default_lang=".($this->default_lang?"'".$this->default_lang."'":"NULL");
$sql .= ", no_email=".($this->no_email?"'".$this->no_email."'":"0");
$sql .= ", fk_user_modif=".($user->id > 0 ? "'".$this->db->escape($user->id)."'":"NULL");
$sql .= ", default_lang=".($this->default_lang?"'".$this->db->escape($this->default_lang)."'":"NULL");
$sql .= ", no_email=".($this->no_email?"'".$this->db->escape($this->no_email)."'":"0");
$sql .= " WHERE rowid=".$this->db->escape($id);
dol_syslog(get_class($this)."::update", LOG_DEBUG);
@@ -492,7 +492,7 @@ class Contact extends CommonObject
// Mis a jour contact
$sql = "UPDATE ".MAIN_DB_PREFIX."socpeople SET";
$sql.= " birthday=".($this->birthday ? "'".$this->db->idate($this->birthday)."'" : "null");
$sql.= ", photo = ".($this->photo? "'".$this->photo."'" : "null");
$sql.= ", photo = ".($this->photo? "'".$this->db->escape($this->photo)."'" : "null");
if ($user) $sql .= ", fk_user_modif=".$user->id;
$sql.= " WHERE rowid=".$this->db->escape($id);
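Review bot: `WHERE rowid=".$this->db->escape($id)` in both update hunks applies `escape()` to an unquoted value; the function only protects the interior of a string literal, so for a bare integer placeholder a cast is what actually constrains the input: `$sql .= " WHERE rowid=".(int) $id;`. The same applies to `statut = ".$this->statut` and `fk_user_modif=".$user->id` in these hunks. The enclosing update methods start and end outside the hunks.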


@@ -928,7 +928,7 @@ class Contrat extends CommonObject
$sql.= ",".($this->commercial_signature_id>0?$this->commercial_signature_id:"NULL");
$sql.= ",".($this->commercial_suivi_id>0?$this->commercial_suivi_id:"NULL");
$sql.= ",".($this->fk_project>0?$this->fk_project:"NULL");
$sql.= ", ".(dol_strlen($this->ref)<=0 ? "null" : "'".$this->ref."'");
$sql.= ", ".(dol_strlen($this->ref)<=0 ? "null" : "'".$this->db->escape($this->ref)."'");
$sql.= ", ".$conf->entity;
$sql.= ", ".(!empty($this->note_private)?("'".$this->db->escape($this->note_private)."'"):"NULL");
$sql.= ", ".(!empty($this->note_public)?("'".$this->db->escape($this->note_public)."'"):"NULL");
@@ -2872,7 +2872,7 @@ class ContratLigne extends CommonObjectLine
// Update request
$sql = "UPDATE ".MAIN_DB_PREFIX."contratdet SET";
$sql.= " fk_contrat=".$this->fk_contrat.",";
$sql.= " fk_product=".($this->fk_product?"'".$this->fk_product."'":'null').",";
$sql.= " fk_product=".($this->fk_product?"'".$this->db->escape($this->fk_product)."'":'null').",";
$sql.= " statut=".$this->statut.",";
$sql.= " label='".$this->db->escape($this->label)."',";
$sql.= " description='".$this->db->escape($this->description)."',";
@@ -3009,16 +3009,16 @@ class ContratLigne extends CommonObjectLine
if ($this->date_fin_validite > 0) { $sql.= ",date_fin_validite"; }
$sql.= ") VALUES ($this->fk_contrat, '', '" . $this->db->escape($this->description) . "',";
$sql.= ($this->fk_product>0 ? $this->fk_product : "null").",";
$sql.= " '".$this->qty."',";
$sql.= " '".$this->vat_src_code."',";
$sql.= " '".$this->tva_tx."',";
$sql.= " '".$this->localtax1_tx."',";
$sql.= " '".$this->localtax2_tx."',";
$sql.= " '".$this->localtax1_type."',";
$sql.= " '".$this->localtax2_type."',";
$sql.= " '".$this->db->escape($this->qty)."',";
$sql.= " '".$this->db->escape($this->vat_src_code)."',";
$sql.= " '".$this->db->escape($this->tva_tx)."',";
$sql.= " '".$this->db->escape($this->localtax1_tx)."',";
$sql.= " '".$this->db->escape($this->localtax2_tx)."',";
$sql.= " '".$this->db->escape($this->localtax1_type)."',";
$sql.= " '".$this->db->escape($this->localtax2_type)."',";
$sql.= " ".price2num($this->remise_percent).",".price2num($this->subprice).",";
$sql.= " ".price2num($this->total_ht).",".price2num($this->total_tva).",".price2num($this->total_localtax1).",".price2num($this->total_localtax2).",".price2num($this->total_ttc).",";
$sql.= " '".$this->info_bits."',";
$sql.= " '".$this->db->escape($this->info_bits)."',";
$sql.= " ".price2num($this->price_ht).",".price2num($this->remise).",";
if ($this->fk_fournprice > 0) $sql.= ' '.$this->fk_fournprice.',';
else $sql.= ' null,';
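Review bot: The VALUES line `VALUES ($this->fk_contrat, '', '" . ...` interpolates `fk_contrat` bare inside a double-quoted string, and `fk_fournprice` is concatenated bare at the end of the hunk; these are integer keys and a cast (`(int) $this->fk_contrat`, `' '.(int) $this->fk_fournprice.','`) is the right guard where escaping cannot apply. Also, the seven rate/quantity columns are now quoted and escaped while the sibling numeric columns directly below use `price2num()`; `price2num($this->qty)` and the same for the tax rates would keep one convention within the statement. The insert method body extends beyond the hunk.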


@@ -88,11 +88,11 @@ class Ccountry // extends CommonObject
$sql.= "label,";
$sql.= "active";
$sql.= ") VALUES (";
$sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->rowid."'").",";
$sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->db->escape($this->rowid)."'").",";
$sql.= " ".(! isset($this->code)?'NULL':"'".$this->db->escape($this->code)."'").",";
$sql.= " ".(! isset($this->code_iso)?'NULL':"'".$this->db->escape($this->code_iso)."'").",";
$sql.= " ".(! isset($this->label)?'NULL':"'".$this->db->escape($this->label)."'").",";
$sql.= " ".(! isset($this->active)?'NULL':"'".$this->active."'")."";
$sql.= " ".(! isset($this->active)?'NULL':"'".$this->db->escape($this->active)."'")."";
$sql.= ")";
$this->db->begin();


@@ -580,8 +580,8 @@ abstract class CommonObject
$sql = "SELECT tc.rowid";
$sql.= " FROM ".MAIN_DB_PREFIX."c_type_contact as tc";
$sql.= " WHERE tc.element='".$this->db->escape($this->element)."'";
$sql.= " AND tc.source='".$source."'";
$sql.= " AND tc.code='".$type_contact."' AND tc.active=1";
$sql.= " AND tc.source='".$this->db->escape($source)."'";
$sql.= " AND tc.code='".$this->db->escape($type_contact)."' AND tc.active=1";
//print $sql;
$resql=$this->db->query($sql);
if ($resql)
@@ -2475,9 +2475,9 @@ abstract class CommonObject
$sql.= ", targettype";
$sql.= ") VALUES (";
$sql.= $origin_id;
$sql.= ", '".$origin."'";
$sql.= ", '".$this->db->escape($origin)."'";
$sql.= ", ".$this->id;
$sql.= ", '".$this->element."'";
$sql.= ", '".$this->db->escape($this->element)."'";
$sql.= ")";
dol_syslog(get_class($this)."::add_object_linked", LOG_DEBUG);
@@ -3812,11 +3812,11 @@ abstract class CommonObject
$sql.= ", mandatory";
$sql.= ") VALUES (";
$sql.= $resource_id;
$sql.= ", '".$resource_type."'";
$sql.= ", '".$this->id."'";
$sql.= ", '".$this->element."'";
$sql.= ", '".$busy."'";
$sql.= ", '".$mandatory."'";
$sql.= ", '".$this->db->escape($resource_type)."'";
$sql.= ", '".$this->db->escape($this->id)."'";
$sql.= ", '".$this->db->escape($this->element)."'";
$sql.= ", '".$this->db->escape($busy)."'";
$sql.= ", '".$this->db->escape($mandatory)."'";
$sql.= ")";
dol_syslog(get_class($this)."::add_element_resource", LOG_DEBUG);


@@ -85,10 +85,10 @@ class Cstate // extends CommonObject
$sql.= "nom,";
$sql.= "active";
$sql.= ") VALUES (";
$sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->rowid."'").",";
$sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->db->escape($this->rowid)."'").",";
$sql.= " ".(! isset($this->code_departement)?'NULL':"'".$this->db->escape($this->code_departement)."'").",";
$sql.= " ".(! isset($this->nom)?'NULL':"'".$this->db->escape($this->nom)."'").",";
$sql.= " ".(! isset($this->active)?'NULL':"'".$this->active."'")."";
$sql.= " ".(! isset($this->active)?'NULL':"'".$this->db->escape($this->active)."'")."";
$sql.= ")";
$this->db->begin();


@@ -91,10 +91,10 @@ class Ctypent // extends CommonObject
$sql.= ") VALUES (";
$sql.= " ".(! isset($this->id)?'NULL':"'".$this->id."'").",";
$sql.= " ".(! isset($this->id)?'NULL':"'".$this->db->escape($this->id)."'").",";
$sql.= " ".(! isset($this->code)?'NULL':"'".$this->db->escape($this->code)."'").",";
$sql.= " ".(! isset($this->libelle)?'NULL':"'".$this->db->escape($this->libelle)."'").",";
$sql.= " ".(! isset($this->active)?'NULL':"'".$this->active."'").",";
$sql.= " ".(! isset($this->active)?'NULL':"'".$this->db->active($this->active)."'").",";
$sql.= " ".(! isset($this->module)?'NULL':"'".$this->db->escape($this->module)."'")."";
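Review bot: The rewritten `active` line calls `$this->db->active($this->active)`, which is not a method of the database handler — a typo for `escape` that fails at runtime as soon as this insert is executed. The line should read `$sql.= " ".(! isset($this->active)?'NULL':"'".$this->db->escape($this->active)."'").",";`, or simply use `(int) $this->active` since it is a flag. The enclosing method starts and ends outside the hunk.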


@@ -158,7 +158,7 @@ class DiscountAbsolute
$sql.= ")";
$sql.= " VALUES (".$conf->entity.", '".$this->db->idate($this->datec!=''?$this->datec:dol_now())."', ".$this->fk_soc.", ".$user->id.", '".$this->db->escape($this->description)."',";
$sql.= " ".$this->amount_ht.", ".$this->amount_tva.", ".$this->amount_ttc.", ".$this->tva_tx.",";
$sql.= " ".($this->fk_facture_source?"'".$this->fk_facture_source."'":"null");
$sql.= " ".($this->fk_facture_source ? "'".$this->db->escape($this->fk_facture_source)."'":"null");
$sql.= ")";
dol_syslog(get_class($this)."::create", LOG_DEBUG);


@@ -126,12 +126,12 @@ class Events // extends CommonObject
$sql.= "fk_user,";
$sql.= "description";
$sql.= ") VALUES (";
$sql.= " '".$this->type."',";
$sql.= " '".$this->db->escape($this->type)."',";
$sql.= " ".$conf->entity.",";
$sql.= " '".$_SERVER['REMOTE_ADDR']."',";
$sql.= " ".($_SERVER['HTTP_USER_AGENT']?"'".dol_trunc($_SERVER['HTTP_USER_AGENT'],250)."'":'NULL').",";
$sql.= " '".$this->db->escape($_SERVER['REMOTE_ADDR'])."',";
$sql.= " ".($_SERVER['HTTP_USER_AGENT']?"'".$this->db->escape(dol_trunc($_SERVER['HTTP_USER_AGENT'],250))."'":'NULL').",";
$sql.= " '".$this->db->idate($this->dateevent)."',";
$sql.= " ".($user->id?"'".$user->id."'":'NULL').",";
$sql.= " ".($user->id?"'".$this->db->escape($user->id)."'":'NULL').",";
$sql.= " '".$this->db->escape(dol_trunc($this->description,250))."'";
$sql.= ")";
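Review bot: Escaping `REMOTE_ADDR` and the user agent is the right call since both are request-supplied values, but `$_SERVER['HTTP_USER_AGENT']` is still read without an existence check in the ternary, which raises an undefined-index notice when the header is absent, and `REMOTE_ADDR` is unset under CLI. `(! empty($_SERVER['HTTP_USER_AGENT']) ? ... : 'NULL')` in the condition and `(isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '')` for the address avoid that. The `fk_user` value is an integer and would be cleaner as `(int) $user->id` than quoted and escaped. The enclosing method starts and ends outside the hunk.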


@@ -89,7 +89,7 @@ class Link extends CommonObject
$sql .= " VALUES ('".$conf->entity."', '".$this->db->idate($this->datea)."'";
$sql .= ", '" . $this->db->escape($this->url) . "'";
$sql .= ", '" . $this->db->escape($this->label) . "'";
$sql .= ", '" . $this->objecttype . "'";
$sql .= ", '" . $this->db->escape($this->objecttype) . "'";
$sql .= ", " . $this->objectid . ")";
dol_syslog(get_class($this)."::create", LOG_DEBUG);
@@ -100,7 +100,7 @@ class Link extends CommonObject
if ($this->id > 0) {
// Call trigger
$result=$this->call_trigger('LINK_CREATE',$user);
if ($result < 0) $error++;
if ($result < 0) $error++;
// End call triggers
} else {
$error++;
@@ -283,20 +283,20 @@ class Link extends CommonObject
public static function count($db, $objecttype, $objectid)
{
global $conf;
$sql = "SELECT COUNT(rowid) as nb FROM " . MAIN_DB_PREFIX . "links";
$sql .= " WHERE objecttype = '" . $objecttype . "' AND objectid = " . $objectid;
if ($conf->entity != 0) $sql .= " AND entity = " . $conf->entity;
$resql = $db->query($sql);
if ($resql)
{
$obj = $db->fetch_object($resql);
if ($obj) return $obj->nb;
}
}
return -1;
}
/**
* Loads a link from database
*
@@ -354,8 +354,8 @@ class Link extends CommonObject
// Call trigger
$result=$this->call_trigger('LINK_DELETE',$user);
if ($result < 0) return -1;
// End call triggers
if ($result < 0) return -1;
// End call triggers
$this->db->begin();
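Review bot: `count()` in the third hunk still builds `WHERE objecttype = '" . $objecttype . "' AND objectid = " . $objectid` without escaping or casting either parameter, even though the commit touched this hunk (whitespace only) and its stated purpose is to close exactly this pattern. As the method is static and receives the handler as `$db`, the line should become `$sql .= " WHERE objecttype = '" . $db->escape($objecttype) . "' AND objectid = " . (int) $objectid;`. The `count()` body appears complete within the hunk; the first hunk's `objectid` on the VALUES line is likewise bare and would take `(int) $this->objectid`.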


@@ -144,15 +144,15 @@ class Menubase
$sql.= "enabled,";
$sql.= "usertype";
$sql.= ") VALUES (";
$sql.= " '".$this->menu_handler."',";
$sql.= " '".$conf->entity."',";
$sql.= " '".$this->module."',";
$sql.= " '".$this->type."',";
$sql.= " ".($this->mainmenu?"'".$this->mainmenu."'":"''").","; // Can't be null
$sql.= " ".($this->leftmenu?"'".$this->leftmenu."'":"null").",";
$sql.= " '".$this->fk_menu."',";
$sql.= " ".($this->fk_mainmenu?"'".$this->fk_mainmenu."'":"null").",";
$sql.= " ".($this->fk_leftmenu?"'".$this->fk_leftmenu."'":"null").",";
$sql.= " '".$this->db->escape($this->menu_handler)."',";
$sql.= " '".$this->db->escape($conf->entity)."',";
$sql.= " '".$this->db->escape($this->module)."',";
$sql.= " '".$this->db->escape($this->type)."',";
$sql.= " ".($this->mainmenu?"'".$this->db->escape($this->mainmenu)."'":"''").","; // Can't be null
$sql.= " ".($this->leftmenu?"'".$this->db->escape($this->leftmenu)."'":"null").",";
$sql.= " '".$this->db->escape($this->fk_menu)."',";
$sql.= " ".($this->fk_mainmenu?"'".$this->db->escape($this->fk_mainmenu)."'":"null").",";
$sql.= " ".($this->fk_leftmenu?"'".$this->db->escape($this->fk_leftmenu)."'":"null").",";
$sql.= " '".(int) $this->position."',";
$sql.= " '".$this->db->escape($this->url)."',";
$sql.= " '".$this->db->escape($this->target)."',";
@@ -160,7 +160,7 @@ class Menubase
$sql.= " '".$this->db->escape($this->langs)."',";
$sql.= " '".$this->db->escape($this->perms)."',";
$sql.= " '".$this->db->escape($this->enabled)."',";
$sql.= " '".$this->user."'";
$sql.= " '".$this->db->escape($this->user)."'";
$sql.= ")";
dol_syslog(get_class($this)."::create", LOG_DEBUG);
@@ -220,8 +220,8 @@ class Menubase
$sql.= " mainmenu='".$this->db->escape($this->mainmenu)."',";
$sql.= " leftmenu='".$this->db->escape($this->leftmenu)."',";
$sql.= " fk_menu='".$this->db->escape($this->fk_menu)."',";
$sql.= " fk_mainmenu=".($this->fk_mainmenu?"'".$this->fk_mainmenu."'":"null").",";
$sql.= " fk_leftmenu=".($this->fk_leftmenu?"'".$this->fk_leftmenu."'":"null").",";
$sql.= " fk_mainmenu=".($this->fk_mainmenu?"'".$this->db->escape($this->fk_mainmenu)."'":"null").",";
$sql.= " fk_leftmenu=".($this->fk_leftmenu?"'".$this->db->escape($this->fk_leftmenu)."'":"null").",";
$sql.= " position=".($this->position > 0 ? $this->position : 0).",";
$sql.= " url='".$this->db->escape($this->url)."',";
$sql.= " target='".$this->db->escape($this->target)."',";


@@ -1426,7 +1426,7 @@ class DolibarrModules // Can not be abstract, because we need to insta
$err=0;
$sql = "DELETE FROM ".MAIN_DB_PREFIX."const";
$sql.= " WHERE ".$this->db->decrypt('name')." like '".$this->const_name."_TABS_%'";
$sql.= " WHERE ".$this->db->decrypt('name')." like '".$this->db->escape($this->const_name)."_TABS_%'";
$sql.= " AND entity = ".$conf->entity;
dol_syslog(get_class($this)."::delete_tabs", LOG_DEBUG);
@@ -2019,7 +2019,7 @@ class DolibarrModules // Can not be abstract, because we need to insta
$err=0;
$sql = "DELETE FROM ".MAIN_DB_PREFIX."const";
$sql.= " WHERE ".$this->db->decrypt('name')." LIKE '".$this->const_name."_DIR_%'";
$sql.= " WHERE ".$this->db->decrypt('name')." LIKE '".$this->db->escape($this->const_name)."_DIR_%'";
$sql.= " AND entity = ".$conf->entity;
dol_syslog(get_class($this)."::delete_dirs", LOG_DEBUG);
@@ -2128,7 +2128,7 @@ class DolibarrModules // Can not be abstract, because we need to insta
if (is_array($value) && isset($value['entity'])) $entity = $value['entity'];
$sql = "DELETE FROM ".MAIN_DB_PREFIX."const";
$sql.= " WHERE ".$this->db->decrypt('name')." LIKE '".$this->const_name."_".strtoupper($key)."'";
$sql.= " WHERE ".$this->db->decrypt('name')." LIKE '".$this->db->escape($this->const_name)."_".strtoupper($key)."'";
$sql.= " AND entity = ".$entity;
dol_syslog(get_class($this)."::delete_const_".$key."", LOG_DEBUG);
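Review bot: On the third hunk's rewritten line `const_name` is now escaped but `strtoupper($key)` on the same line is still concatenated raw; `$key` appears to come from the module's own constant list, so the exposure is low, but for the pattern to be consistent it should be `"_".$this->db->escape(strtoupper($key))."'"`. Note also that `escape()` does not treat `_` and `%` specially, so in all three LIKE patterns the underscores inside `const_name` keep acting as single-character wildcards; that is pre-existing behaviour, but it means the escape does not make the match any stricter. The enclosing methods start and end outside the hunks.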


@@ -73,7 +73,7 @@ class mod_chequereceipt_mint extends ModeleNumRefChequeReceipts
$posindice=9;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."bordereau_cheque";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -107,7 +107,7 @@ class mod_chequereceipt_mint extends ModeleNumRefChequeReceipts
$posindice=9;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."bordereau_cheque";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref like '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
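Review bot: The rewritten LIKE lines call `$this->db->escape(...)`, but two lines later the query is executed with the global `$db` (`$resql=$db->query($sql);`), which suggests these numbering classes may not carry a `$this->db` property; if it is unset, the new code fails with a call on a non-object before any query runs. Using the handler already in scope, `$sql.= " WHERE ref LIKE '".$db->escape($this->prefix)."____-%'";`, avoids that dependency; the constructors are outside the hunks, so please confirm which handler is initialised. The same `$this->db` versus `$db` mix appears in the mod_commande_marbre, mod_contract_serpis, mod_expedition_safor, mod_expensereport_jade, mod_facture_mars, mod_facture_terre, mod_pacific and mod_livraison_jade hunks.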


@@ -73,7 +73,7 @@ class mod_commande_marbre extends ModeleNumRefCommandes
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."commande";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -107,7 +107,7 @@ class mod_commande_marbre extends ModeleNumRefCommandes
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."commande";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);


@@ -72,7 +72,7 @@ class mod_contract_serpis extends ModelNumRefContracts
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."contrat";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -105,7 +105,7 @@ class mod_contract_serpis extends ModelNumRefContracts
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."contrat";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);


@@ -71,7 +71,7 @@ class mod_expedition_safor extends ModelNumRefExpedition
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."expedition";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -104,7 +104,7 @@ class mod_expedition_safor extends ModelNumRefExpedition
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."expedition";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);


@@ -72,7 +72,7 @@ class mod_expensereport_jade extends ModeleNumRefExpenseReport
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."expensereport";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -105,7 +105,7 @@ class mod_expensereport_jade extends ModeleNumRefExpenseReport
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."expensereport";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);


@@ -37,7 +37,7 @@ class mod_facture_mars extends ModeleNumRefFactures
var $prefixcreditnote='AV';
var $error='';
/**
* Constructor
*/
@@ -48,7 +48,7 @@ class mod_facture_mars extends ModeleNumRefFactures
$this->prefixinvoice = $conf->global->INVOICE_NUMBERING_MARS_FORCE_PREFIX;
}
}
/**
* Renvoi la description du modele de numerotation
*
@@ -89,7 +89,7 @@ class mod_facture_mars extends ModeleNumRefFactures
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(facnumber FROM ".$posindice.") AS SIGNED) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."facture";
$sql.= " WHERE facnumber LIKE '".$this->prefixinvoice."____-%'";
$sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixinvoice)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -111,7 +111,7 @@ class mod_facture_mars extends ModeleNumRefFactures
$posindice=8;
$sql = "SELECT MAX(SUBSTRING(facnumber FROM ".$posindice.")) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."facture";
$sql.= " WHERE facnumber LIKE '".$this->prefixcreditnote."____-%'";
$sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixcreditnote)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
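Review bot: The SELECT in the third hunk, `MAX(CAST(SUBSTRING(facnumber FROM ".$posindice.") AS SIGNED) as max`, is missing the closing parenthesis of `MAX(`; the equivalent line in the mod_facture_terre hunk reads `... AS SIGNED)) as max`. As written the statement is a SQL syntax error and invoice numbering drops into the error path regardless of the escape added below it; the line should be `$sql = "SELECT MAX(CAST(SUBSTRING(facnumber FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL`. The enclosing method starts and ends outside the hunk.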


@@ -35,7 +35,7 @@ class mod_facture_terre extends ModeleNumRefFactures
var $prefixdeposit='AC';
var $error='';
/**
* Constructor
*/
@@ -46,7 +46,7 @@ class mod_facture_terre extends ModeleNumRefFactures
$this->prefixinvoice = $conf->global->INVOICE_NUMBERING_TERRE_FORCE_PREFIX;
}
}
/**
* Renvoi la description du modele de numerotation
*
@@ -87,7 +87,7 @@ class mod_facture_terre extends ModeleNumRefFactures
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(facnumber FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."facture";
$sql.= " WHERE facnumber LIKE '".$this->prefixinvoice."____-%'";
$sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixinvoice)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -109,7 +109,7 @@ class mod_facture_terre extends ModeleNumRefFactures
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(facnumber FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."facture";
$sql.= " WHERE facnumber LIKE '".$this->prefixcreditnote."____-%'";
$sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixcreditnote)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -130,7 +130,7 @@ class mod_facture_terre extends ModeleNumRefFactures
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(facnumber FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."facture";
$sql.= " WHERE facnumber LIKE '".$this->prefixdeposit."____-%'";
$sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixdeposit)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
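Review bot: The new `$this->db->escape(...)` calls at L1385, L1393 and L1401 go through `$this->db`, while the query on the very next line is executed via `$db` and the constructor hunk (L1373-1376) only reads `$conf` without assigning `$this->db`; unless the parent class populates it, this is a method call on null and every invoice number generation fails at runtime. Use the handle the query itself uses: `$sql.= " WHERE facnumber LIKE '".$db->escape($this->prefixinvoice)."____-%'";`. Note also that `escape()` does not neutralise the LIKE wildcards `%` and `_`, so a prefix containing them still widens the match; since the prefix comes from a global configuration constant that is a correctness rather than an injection concern. The enclosing methods start and end outside the hunks.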


@@ -74,7 +74,7 @@ class mod_pacific extends ModeleNumRefFicheinter
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."fichinter";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " WHERE entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -110,7 +110,7 @@ class mod_pacific extends ModeleNumRefFicheinter
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."fichinter";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
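Review bot: The rewritten line at L1412 is immediately followed by a second `WHERE` at L1413 (`" WHERE entity = ".$conf->entity`), which is a SQL syntax error the commit leaves in place even though the parallel hunk at L1420-1421 correctly uses `AND`; it should read `$sql.= " AND entity = ".$conf->entity;`. Separately, both new lines escape through `$this->db` while the query runs through `$db` two lines later; unless the numbering base class assigns `$this->db`, that is a call on null, and `$db->escape($this->prefix)` is the safe choice. The enclosing methods start and end outside the hunks.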


@@ -80,7 +80,7 @@ class mod_livraison_jade extends ModeleNumRefDeliveryOrder
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."livraison";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -114,7 +114,7 @@ class mod_livraison_jade extends ModeleNumRefDeliveryOrder
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."livraison";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
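Review bot: The escape calls added at L1431 and L1439 use `$this->db`, but the query on the following line is issued through `$db`, and nothing in the visible hunks shows `$this->db` being set on this numbering class; if the base class does not assign it, this dereferences null. Using the same handle as the query, `$db->escape($this->prefix)`, removes the doubt. The enclosing methods start and end outside the hunks.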


@@ -73,7 +73,7 @@ class mod_payment_cicada extends ModeleNumRefPayments
$posindice=9;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."paiement";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -107,7 +107,7 @@ class mod_payment_cicada extends ModeleNumRefPayments
$posindice=9;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."paiement";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
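Review bot: L1450 and L1458 escape via `$this->db` while the query two lines later runs via `$db`; the hunks give no evidence that `$this->db` is initialised on this numbering module, so this may be a null dereference rather than a fix. Prefer `$db->escape($this->prefix)` so the escape function belongs to the same connection that executes the statement. The enclosing methods start and end outside the hunks.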


@@ -75,7 +75,7 @@ class mod_project_simple extends ModeleNumRefProjects
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."projet";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
if ($resql)
@@ -111,7 +111,7 @@ class mod_project_simple extends ModeleNumRefProjects
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."projet";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
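Review bot: The new escape at L1469 and L1478 is called on `$this->db`, yet the statement is executed with `$db` on the next line; unless the numbering base class sets `$this->db`, this will throw at runtime. Using `$db->escape($this->prefix)` matches the connection actually used for the query. The enclosing methods start and end outside the hunks.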


@@ -76,7 +76,7 @@ class mod_task_simple extends ModeleNumRefTask
$sql = "SELECT MAX(CAST(SUBSTRING(task.ref FROM " . $posindice . ") AS SIGNED)) as max";
$sql .= " FROM " . MAIN_DB_PREFIX . "projet_task AS task, ";
$sql .= MAIN_DB_PREFIX . "projet AS project WHERE task.fk_projet=project.rowid";
$sql .= " AND task.ref LIKE '" . $this->prefix . "____-%'";
$sql .= " AND task.ref LIKE '" . $this->db->escape($this->prefix) . "____-%'";
$sql .= " AND project.entity = " . $conf->entity;
$resql=$db->query($sql);
if ($resql)
@@ -112,7 +112,7 @@ class mod_task_simple extends ModeleNumRefTask
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."projet_task";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$resql=$db->query($sql);
if ($resql)
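Review bot: The second query (L1495-1498) has no entity restriction while the first one (L1486-1490) joins `projet` to filter on `project.entity`; if this installation runs multi-company, the MAX computed at L1498 may be taken across entities, and the commit touches this line without addressing it. Both escape calls (L1489, L1498) also use `$this->db` while the query runs via `$db`; if the base class does not assign `$this->db`, use `$db->escape($this->prefix)`. The enclosing methods start and end outside the hunks.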


@@ -75,7 +75,7 @@ class mod_propale_marbre extends ModeleNumRefPropales
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."propal";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -112,7 +112,7 @@ class mod_propale_marbre extends ModeleNumRefPropales
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."propal";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
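Review bot: The escape calls at L1509 and L1517 use `$this->db`, whereas the query is executed through `$db` two lines below; the hunks do not show `$this->db` being initialised for this numbering class, so this should be confirmed or replaced with `$db->escape($this->prefix)`. The enclosing methods start and end outside the hunks.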


@@ -82,7 +82,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."facture_fourn";
$sql.= " WHERE ref LIKE '".$this->prefixinvoice."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefixinvoice)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
if ($resql)
@@ -103,7 +103,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."facture_fourn";
$sql.= " WHERE ref LIKE '".$this->prefixcreditnote."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefixcreditnote)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -124,7 +124,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."facture_fourn";
$sql.= " WHERE ref LIKE '".$this->prefixdeposit."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefixdeposit)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -202,7 +202,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices
{
$date=$object->date; // This is invoice date (not creation date)
$yymm = strftime("%y%m",$date);
if ($max >= (pow(10, 4) - 1)) $num=$max+1; // If counter > 9999, we do not format on 4 chars, we take number as it is
else $num = sprintf("%04s",$max+1);
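Review bot: The three rewritten LIKE clauses (L1528, L1537, L1545) call `escape()` on `$this->db`, but each query is run via `$db`; if the numbering base class does not assign `$this->db`, every supplier invoice numbering call will fail on a null object. Align the two: `$sql.= " WHERE ref LIKE '".$db->escape($this->prefixinvoice)."____-%'";` and likewise for the credit-note and deposit prefixes. The last hunk (L1548-1553) is whitespace only. The enclosing methods start and end outside the hunks.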


@@ -85,7 +85,7 @@ class mod_commande_fournisseur_muguet extends ModeleNumRefSuppliersOrders
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."commande_fournisseur";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
if ($resql)
@@ -120,7 +120,7 @@ class mod_commande_fournisseur_muguet extends ModeleNumRefSuppliersOrders
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."commande_fournisseur";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
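Review bot: L1562 and L1571 escape through `$this->db` while the query at the next line runs through `$db`; nothing visible initialises `$this->db` here, so `$db->escape($this->prefix)` is the safer spelling. The enclosing methods start and end outside the hunks.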


@@ -73,7 +73,7 @@ class mod_supplier_payment_bronan extends ModeleNumRefSupplierPayments
$posindice=9;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."paiementfourn";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -107,7 +107,7 @@ class mod_supplier_payment_bronan extends ModeleNumRefSupplierPayments
$posindice=10;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."paiementfourn";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
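Review bot: The two hunks use different substring offsets for the same column (`$posindice=9` at L1578 versus `$posindice=10` at L1586) while matching the same `prefix + 4 chars + '-'` pattern; one of them likely extracts the counter from the wrong position, and the commit touches the adjacent line without noticing. Both escape calls (L1582, L1590) also use `$this->db` while the query runs via `$db`; if the base class does not set `$this->db`, use `$db->escape($this->prefix)`. The enclosing methods start and end outside the hunks.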


@@ -75,7 +75,7 @@ class mod_supplier_proposal_marbre extends ModeleNumRefSupplierProposal
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."supplier_proposal";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -112,7 +112,7 @@ class mod_supplier_proposal_marbre extends ModeleNumRefSupplierProposal
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."supplier_proposal";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
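Review bot: L1601 and L1609 call `escape()` on `$this->db` but the statement is executed via `$db` on the following line; unless the numbering base class assigns `$this->db`, this is a null dereference, and `$db->escape($this->prefix)` is the consistent form. The enclosing methods start and end outside the hunks.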


@@ -201,7 +201,7 @@ class Cronjob extends CommonObject
$sql.= " ".(! isset($this->lastresult)?'NULL':"'".$this->db->escape($this->lastresult)."'").",";
$sql.= " ".(! isset($this->datelastresult) || dol_strlen($this->datelastresult)==0?'NULL':"'".$this->db->idate($this->datelastresult)."'").",";
$sql.= " ".(! isset($this->lastoutput)?'NULL':"'".$this->db->escape($this->lastoutput)."'").",";
$sql.= " ".(! isset($this->unitfrequency)?'NULL':"'".$this->unitfrequency."'").",";
$sql.= " ".(! isset($this->unitfrequency)?'NULL':"'".$this->db->escape($this->unitfrequency)."'").",";
$sql.= " ".(! isset($this->frequency)?'0':$this->frequency).",";
$sql.= " ".(! isset($this->status)?'0':$this->status).",";
$sql.= " ".$user->id.",";
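Review bot: `$this->frequency` (L1621) and `$this->status` (L1622) are still concatenated unquoted and unescaped right below the line the commit fixes; in an unquoted position `escape()` would not help anyway, so they should be cast: `$sql.= " ".(! isset($this->frequency)?'0':(int) $this->frequency).",";` and the same for `status`. The enclosing create method starts and ends outside the hunk.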


@@ -134,12 +134,12 @@ class EcmDirectory // extends CommonObject
$sql.= "fk_user_c";
$sql.= ") VALUES (";
$sql.= " '".$this->db->escape($this->label)."',";
$sql.= " '".$conf->entity."',";
$sql.= " '".$this->fk_parent."',";
$sql.= " '".$this->db->escape($conf->entity)."',";
$sql.= " '".$this->db->escape($this->fk_parent)."',";
$sql.= " '".$this->db->escape($this->description)."',";
$sql.= " ".$this->cachenbofdoc.",";
$sql.= " '".$this->db->idate($this->date_c)."',";
$sql.= " '".$this->fk_user_c."'";
$sql.= " '".$this->db->escape($this->fk_user_c)."'";
$sql.= ")";
dol_syslog(get_class($this)."::create", LOG_DEBUG);
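Review bot: `$this->cachenbofdoc` at L1636 is still inserted raw and unquoted between two lines the commit escapes, and for the integer columns the commit does escape (`entity`, `fk_parent`, `fk_user_c` at L1633-1639) quoting-plus-escape only works because of implicit string-to-int conversion. A cast is the right tool for those: `$sql.= " ".(int) $conf->entity.",";`, `$sql.= " ".(int) $this->fk_parent.",";`, `$sql.= " ".(int) $this->cachenbofdoc.",";`. The enclosing create method starts and ends outside the hunk.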


@@ -1769,7 +1769,7 @@ class Expedition extends CommonObject
if ($id=='')
{
$sql = "INSERT INTO ".MAIN_DB_PREFIX."c_shipment_mode (code, libelle, description, tracking)";
$sql.=" VALUES ('".$this->update['code']."','".$this->update['libelle']."','".$this->update['description']."','".$this->update['tracking']."')";
$sql.=" VALUES ('".$this->db->escape($this->update['code'])."','".$this->db->escape($this->update['libelle'])."','".$this->db->escape($this->update['description'])."','".$this->db->escape($this->update['tracking'])."')";
$resql = $this->db->query($sql);
}
else
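Review bot: Only the INSERT branch is escaped here; the `else` branch starting at L1653 presumably builds the matching UPDATE from the same `$this->update[...]` values and is outside the hunk, so it should be checked for the same pattern. The enclosing method starts and ends outside the hunk.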


@@ -1414,7 +1414,7 @@ class CommandeFournisseur extends CommonOrder
if ($remise_percent == 0 && $prod->remise_percent !=0)
$remise_percent =$prod->remise_percent;
}
if ($result == 0) // If result == 0, we failed to found the supplier reference price
{
@@ -2678,14 +2678,14 @@ class CommandeFournisseur extends CommonOrder
if ($db->num_rows($query))
{
$obj = $db->fetch_object($query);
$string = $langs->trans($obj->code);
if ($string == $obj->code)
{
$string = $obj->label != '-' ? $obj->label : '';
}
return $string;
}
}
}
else dol_print_error($db);
}
@@ -3129,15 +3129,15 @@ class CommandeFournisseurLigne extends CommonOrderLine
$sql.= " ".($this->date_end?"'".$this->db->idate($this->date_end)."'":"null").",";
if ($this->fk_product) { $sql.= $this->fk_product.","; }
else { $sql.= "null,"; }
$sql.= "'".$this->product_type."',";
$sql.= "'".$this->qty."', ";
$sql.= "'".$this->db->escape($this->product_type)."',";
$sql.= "'".$this->db->escape($this->qty)."', ";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").",";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").",";
$sql.= " ".$this->tva_tx.", ";
$sql.= " ".$this->localtax1_tx.",";
$sql.= " ".$this->localtax2_tx.",";
$sql.= " '".$this->localtax1_type."',";
$sql.= " '".$this->localtax2_type."',";
$sql.= " '".$this->db->escape($this->localtax1_type)."',";
$sql.= " '".$this->db->escape($this->localtax2_type)."',";
$sql.= " ".$this->remise_percent.", ".price2num($this->subprice,'MU').", '".$this->db->escape($this->ref_supplier)."',";
$sql.= " ".price2num($this->total_ht).",";
$sql.= " ".price2num($this->total_tva).",";
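Review bot: `$this->tva_tx`, `$this->localtax1_tx`, `$this->localtax2_tx` (L1688-1690) and `$this->remise_percent` (L1695) are still concatenated raw and unquoted, where `escape()` would not even apply; the totals two lines down already go through `price2num()`, so these should too: `$sql.= " ".price2num($this->tva_tx).", ";`. `product_type` (L1684) is a numeric flag and would be cleaner as `(int) $this->product_type` than as an escaped quoted string. The first two hunks (L1657-1677) are whitespace only. The enclosing insert method starts and ends outside the hunk.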


@@ -105,14 +105,11 @@ class CommandeFournisseurDispatch extends CommonObject
if (isset($this->status)) $this->status=trim($this->status);
if (isset($this->batch)) $this->batch=trim($this->batch);
// Check parameters
// Put here code to add control on parameters values
// Insert request
$sql = "INSERT INTO ".MAIN_DB_PREFIX.$this->table_element."(";
$sql.= "fk_commande,";
$sql.= "fk_product,";
$sql.= "fk_commandefourndet,";
@@ -125,24 +122,19 @@ class CommandeFournisseurDispatch extends CommonObject
$sql.= "batch,";
$sql.= "eatby,";
$sql.= "sellby";
$sql.= ") VALUES (";
$sql.= " ".(! isset($this->fk_commande)?'NULL':"'".$this->fk_commande."'").",";
$sql.= " ".(! isset($this->fk_product)?'NULL':"'".$this->fk_product."'").",";
$sql.= " ".(! isset($this->fk_commandefourndet)?'NULL':"'".$this->fk_commandefourndet."'").",";
$sql.= " ".(! isset($this->qty)?'NULL':"'".$this->qty."'").",";
$sql.= " ".(! isset($this->fk_entrepot)?'NULL':"'".$this->fk_entrepot."'").",";
$sql.= " ".(! isset($this->fk_user)?'NULL':"'".$this->fk_user."'").",";
$sql.= " ".(! isset($this->fk_commande)?'NULL':"'".$this->db->escape($this->fk_commande)."'").",";
$sql.= " ".(! isset($this->fk_product)?'NULL':"'".$this->db->escape($this->fk_product)."'").",";
$sql.= " ".(! isset($this->fk_commandefourndet)?'NULL':"'".$this->db->escape($this->fk_commandefourndet)."'").",";
$sql.= " ".(! isset($this->qty)?'NULL':"'".$this->db->escape($this->qty)."'").",";
$sql.= " ".(! isset($this->fk_entrepot)?'NULL':"'".$this->db->escape($this->fk_entrepot)."'").",";
$sql.= " ".(! isset($this->fk_user)?'NULL':"'".$this->db->escape($this->fk_user)."'").",";
$sql.= " ".(! isset($this->datec) || dol_strlen($this->datec)==0?'NULL':"'".$this->db->idate($this->datec)."'").",";
$sql.= " ".(! isset($this->comment)?'NULL':"'".$this->db->escape($this->comment)."'").",";
$sql.= " ".(! isset($this->status)?'NULL':"'".$this->status."'").",";
$sql.= " ".(! isset($this->status)?'NULL':"'".$this->db->escape($this->status)."'").",";
$sql.= " ".(! isset($this->batch)?'NULL':"'".$this->db->escape($this->batch)."'").",";
$sql.= " ".(! isset($this->eatby) || dol_strlen($this->eatby)==0?'NULL':"'".$this->db->idate($this->eatby)."'").",";
$sql.= " ".(! isset($this->sellby) || dol_strlen($this->sellby)==0?'NULL':"'".$this->db->idate($this->sellby)."'")."";
$sql.= ")";
$this->db->begin();
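Review bot: Wrapping foreign keys and `qty` (L1722-1727) in quotes plus `escape()` relies on the database's implicit string-to-number conversion for integer columns; a cast is both safer and clearer, e.g. `$sql.= " ".(! isset($this->fk_commande)?'NULL':(int) $this->fk_commande).",";`. `qty` is a quantity and would better go through `price2num()`, matching how other line classes in this commit treat amounts. The enclosing create method starts and ends outside the hunk.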


@@ -2701,17 +2701,17 @@ class SupplierInvoiceLine extends CommonObjectLine
$sql.= ', fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc';
$sql.= ')';
$sql.= " VALUES (".$this->fk_facture_fourn.",";
$sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").",";
$sql.= " ".($this->fk_parent_line>0?"'".$this->db->escape($this->fk_parent_line)."'":"null").",";
$sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
$sql.= " '".$this->db->escape($this->desc)."',";
$sql.= " ".price2num($this->qty).",";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").",";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").",";
$sql.= " ".price2num($this->tva_tx).",";
$sql.= " ".price2num($this->localtax1_tx).",";
$sql.= " ".price2num($this->localtax2_tx).",";
$sql.= " '".$this->localtax1_type."',";
$sql.= " '".$this->localtax2_type."',";
$sql.= " '".$this->db->escape($this->localtax1_type)."',";
$sql.= " '".$this->db->escape($this->localtax2_type)."',";
$sql.= ' '.(! empty($this->fk_product)?$this->fk_product:"null").',';
$sql.= " ".$this->product_type.",";
$sql.= " ".price2num($this->remise_percent).",";
@@ -2722,7 +2722,7 @@ class SupplierInvoiceLine extends CommonObjectLine
$sql.= ' '.(!empty($this->fk_code_ventilation)?$this->fk_code_ventilation:0).',';
$sql.= ' '.$this->rang.',';
$sql.= ' '.$this->special_code.',';
$sql.= " '".$this->info_bits."',";
$sql.= " '".$this->db->escape($this->info_bits)."',";
$sql.= " ".price2num($this->total_ht).",";
$sql.= " ".price2num($this->total_tva).",";
$sql.= " ".price2num($this->total_ttc).",";
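Review bot: `$this->fk_facture_fourn` (L1743), `$this->product_type` (L1759), `$this->rang` and `$this->special_code` (L1763-1764) are still concatenated raw and unquoted in the same VALUES list the commit is hardening; `escape()` is not the fix for those positions, an integer cast is: `$sql.= " VALUES (".(int) $this->fk_facture_fourn.",";` and `$sql.= ' '.(int) $this->rang.',';`. The enclosing insert method starts and ends outside the hunk.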


@@ -143,14 +143,14 @@ class Holiday extends CommonObject
$sql.= "fk_user_create,";
$sql.= "entity";
$sql.= ") VALUES (";
$sql.= "'".$this->fk_user."',";
$sql.= "'".$this->db->escape($this->fk_user)."',";
$sql.= " '".$this->db->idate($now)."',";
$sql.= " '".$this->db->escape($this->description)."',";
$sql.= " '".$this->db->idate($this->date_debut)."',";
$sql.= " '".$this->db->idate($this->date_fin)."',";
$sql.= " ".$this->halfday.",";
$sql.= " '1',";
$sql.= " '".$this->fk_validator."',";
$sql.= " '".$this->db->escape($this->fk_validator)."',";
$sql.= " ".$this->fk_type.",";
$sql.= " ".$user->id.",";
$sql.= " ".$conf->entity;
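Review bot: `$this->halfday` (L1783) and `$this->fk_type` (L1787) are still inserted raw and unquoted while the neighbouring `fk_user` and `fk_validator` get escaped; since these are numeric columns the correct treatment is a cast, `$sql.= " ".(int) $this->halfday.",";` and `$sql.= " ".(int) $this->fk_type.",";`, and the same cast would be cleaner than quoted escaping for `fk_user` and `fk_validator`. The enclosing create method starts and ends outside the hunk.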


@@ -45,7 +45,7 @@ class Import
var $error;
var $errors;
/**
* Constructor
@@ -242,7 +242,7 @@ class Import
$sql = 'INSERT INTO '.MAIN_DB_PREFIX.'import_model (';
$sql.= 'fk_user, label, type, field';
$sql.= ')';
$sql.= " VALUES (".($user->id > 0 ? $user->id : 0).", '".$this->db->escape($this->model_name)."', '".$this->datatoimport."', '".$this->hexa."')";
$sql.= " VALUES (".($user->id > 0 ? $user->id : 0).", '".$this->db->escape($this->model_name)."', '".$this->db->escape($this->datatoimport)."', '".$this->db->escape($this->hexa)."')";
dol_syslog(get_class($this)."::create", LOG_DEBUG);
$resql=$this->db->query($sql);


@@ -536,12 +536,12 @@ class Product extends CommonObject
$sql.= ", ".$this->type;
$sql.= ", ".price2num($price_ht);
$sql.= ", ".price2num($price_ttc);
$sql.= ", '".$this->price_base_type."'";
$sql.= ", '".$this->db->escape($this->price_base_type)."'";
$sql.= ", ".$this->status;
$sql.= ", ".$this->status_buy;
$sql.= ", '".$this->accountancy_code_buy."'";
$sql.= ", '".$this->accountancy_code_sell."'";
$sql.= ", '".$this->canvas."'";
$sql.= ", '".$this->db->escape($this->accountancy_code_buy)."'";
$sql.= ", '".$this->db->escape($this->accountancy_code_sell)."'";
$sql.= ", '".$this->db->escape($this->canvas)."'";
$sql.= ", ".((! isset($this->finished) || $this->finished < 0 || $this->finished == '') ? 'null' : (int) $this->finished);
$sql.= ", ".((empty($this->status_batch) || $this->status_batch < 0)? '0':$this->status_batch);
$sql.= ", ".(!$this->fk_unit ? 'NULL' : $this->fk_unit);
@@ -853,8 +853,8 @@ class Product extends CommonObject
$sql.= ", recuperableonly = " . $this->tva_npr;
$sql.= ", localtax1_tx = " . $this->localtax1_tx;
$sql.= ", localtax2_tx = " . $this->localtax2_tx;
$sql.= ", localtax1_type = " . ($this->localtax1_type!=''?"'".$this->localtax1_type."'":"'0'");
$sql.= ", localtax2_type = " . ($this->localtax2_type!=''?"'".$this->localtax2_type."'":"'0'");
$sql.= ", localtax1_type = " . ($this->localtax1_type!=''?"'".$this->db->escape($this->localtax1_type)."'":"'0'");
$sql.= ", localtax2_type = " . ($this->localtax2_type!=''?"'".$this->db->escape($this->localtax2_type)."'":"'0'");
$sql.= ", barcode = ". (empty($this->barcode)?"null":"'".$this->db->escape($this->barcode)."'");
$sql.= ", fk_barcode_type = ". (empty($this->barcode_type)?"null":$this->db->escape($this->barcode_type));
@@ -863,19 +863,19 @@ class Product extends CommonObject
$sql.= ", tobuy = " . $this->status_buy;
$sql.= ", tobatch = " . ((empty($this->status_batch) || $this->status_batch < 0) ? '0' : $this->status_batch);
$sql.= ", finished = " . ((! isset($this->finished) || $this->finished < 0) ? "null" : (int) $this->finished);
$sql.= ", weight = " . ($this->weight!='' ? "'".$this->weight."'" : 'null');
$sql.= ", weight_units = " . ($this->weight_units!='' ? "'".$this->weight_units."'": 'null');
$sql.= ", length = " . ($this->length!='' ? "'".$this->length."'" : 'null');
$sql.= ", length_units = " . ($this->length_units!='' ? "'".$this->length_units."'" : 'null');
$sql.= ", width= " . ($this->width!='' ? "'".$this->width."'" : 'null');
$sql.= ", width_units = " . ($this->width_units!='' ? "'".$this->width_units."'" : 'null');
$sql.= ", height = " . ($this->height!='' ? "'".$this->height."'" : 'null');
$sql.= ", height_units = " . ($this->height_units!='' ? "'".$this->height_units."'" : 'null');
$sql.= ", surface = " . ($this->surface!='' ? "'".$this->surface."'" : 'null');
$sql.= ", surface_units = " . ($this->surface_units!='' ? "'".$this->surface_units."'" : 'null');
$sql.= ", volume = " . ($this->volume!='' ? "'".$this->volume."'" : 'null');
$sql.= ", volume_units = " . ($this->volume_units!='' ? "'".$this->volume_units."'" : 'null');
$sql.= ", seuil_stock_alerte = " . ((isset($this->seuil_stock_alerte) && $this->seuil_stock_alerte != '') ? "'".$this->seuil_stock_alerte."'" : "null");
$sql.= ", weight = " . ($this->weight!='' ? "'".$this->db->escape($this->weight)."'" : 'null');
$sql.= ", weight_units = " . ($this->weight_units!='' ? "'".$this->db->escape($this->weight_units)."'": 'null');
$sql.= ", length = " . ($this->length!='' ? "'".$this->db->escape($this->length)."'" : 'null');
$sql.= ", length_units = " . ($this->length_units!='' ? "'".$this->db->escape($this->length_units)."'" : 'null');
$sql.= ", width= " . ($this->width!='' ? "'".$this->db->escape($this->width)."'" : 'null');
$sql.= ", width_units = " . ($this->width_units!='' ? "'".$this->db->escape($this->width_units)."'" : 'null');
$sql.= ", height = " . ($this->height!='' ? "'".$this->db->escape($this->height)."'" : 'null');
$sql.= ", height_units = " . ($this->height_units!='' ? "'".$this->db->escape($this->height_units)."'" : 'null');
$sql.= ", surface = " . ($this->surface!='' ? "'".$this->db->escape($this->surface)."'" : 'null');
$sql.= ", surface_units = " . ($this->surface_units!='' ? "'".$this->db->escape($this->surface_units)."'" : 'null');
$sql.= ", volume = " . ($this->volume!='' ? "'".$this->db->escape($this->volume)."'" : 'null');
$sql.= ", volume_units = " . ($this->volume_units!='' ? "'".$this->db->escape($this->volume_units)."'" : 'null');
$sql.= ", seuil_stock_alerte = " . ((isset($this->seuil_stock_alerte) && $this->seuil_stock_alerte != '') ? "'".$this->db->escape($this->seuil_stock_alerte)."'" : "null");
$sql.= ", description = '" . $this->db->escape($this->description) ."'";
$sql.= ", url = " . ($this->url?"'".$this->db->escape($this->url)."'":'null');
$sql.= ", customcode = '" . $this->db->escape($this->customcode) ."'";
@@ -1439,8 +1439,8 @@ class Product extends CommonObject
// Add new price
$sql = "INSERT INTO ".MAIN_DB_PREFIX."product_price(price_level,date_price, fk_product, fk_user_author, price, price_ttc, price_base_type,tosell, tva_tx, default_vat_code, recuperableonly,";
$sql.= " localtax1_tx, localtax2_tx, localtax1_type, localtax2_type, price_min,price_min_ttc,price_by_qty,entity,fk_price_expression) ";
$sql.= " VALUES(".($level?$level:1).", '".$this->db->idate($now)."',".$this->id.",".$user->id.",".$this->price.",".$this->price_ttc.",'".$this->price_base_type."',".$this->status.",".$this->tva_tx.", ".($this->default_vat_code?("'".$this->default_vat_code."'"):"null").",".$this->tva_npr.",";
$sql.= " ".$this->localtax1_tx.", ".$this->localtax2_tx.", '".$this->localtax1_type."', '".$this->localtax2_type."', ".$this->price_min.",".$this->price_min_ttc.",".$this->price_by_qty.",".$conf->entity.",".($this->fk_price_expression > 0?$this->fk_price_expression:'null');
$sql.= " VALUES(".($level?$level:1).", '".$this->db->idate($now)."',".$this->id.",".$user->id.",".$this->price.",".$this->price_ttc.",'".$this->db->escape($this->price_base_type)."',".$this->status.",".$this->tva_tx.", ".($this->default_vat_code?("'".$this->db->escape($this->default_vat_code)."'"):"null").",".$this->tva_npr.",";
$sql.= " ".$this->localtax1_tx.", ".$this->localtax2_tx.", '".$this->db->escape($this->localtax1_type)."', '".$this->db->escape($this->localtax2_type)."', ".$this->price_min.",".$this->price_min_ttc.",".$this->price_by_qty.",".$conf->entity.",".($this->fk_price_expression > 0?$this->fk_price_expression:'null');
$sql.= ")";
dol_syslog(get_class($this)."::_log_price", LOG_DEBUG);
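Review bot: In the `_log_price` hunk the new lines (L1875-1876) still concatenate `$this->price`, `$this->price_ttc`, `$this->tva_tx`, `$this->localtax1_tx`, `$this->localtax2_tx`, `$this->price_min`, `$this->price_min_ttc` and `$this->price_by_qty` raw and unquoted, so the commit only covers the string columns of this statement; those should go through `price2num()` as the update hunk already does for totals. Note also L1835, `fk_barcode_type = ".$this->db->escape($this->barcode_type)`: `escape()` in an unquoted position does not prevent injection since no quote is needed to break out, so that should be `(int) $this->barcode_type`. The enclosing methods start and end outside the hunks.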


@@ -161,19 +161,19 @@ class Productcustomerprice extends CommonObject
$sql .= ") VALUES (";
$sql .= " " . $conf->entity . ",";
$sql .= " '" . $this->db->idate(dol_now()) . "',";
$sql .= " " . (! isset($this->fk_product) ? 'NULL' : "'" . $this->fk_product . "'") . ",";
$sql .= " " . (! isset($this->fk_soc) ? 'NULL' : "'" . $this->fk_soc . "'") . ",";
$sql .= " " . (empty($this->price) ? '0' : "'" . $this->price . "'") . ",";
$sql .= " " . (empty($this->price_ttc) ? '0' : "'" . $this->price_ttc . "'") . ",";
$sql .= " " . (empty($this->price_min) ? '0' : "'" . $this->price_min . "'") . ",";
$sql .= " " . (empty($this->price_min_ttc) ? '0' : "'" . $this->price_min_ttc . "'") . ",";
$sql .= " " . (! isset($this->fk_product) ? 'NULL' : "'" . $this->db->escape($this->fk_product) . "'") . ",";
$sql .= " " . (! isset($this->fk_soc) ? 'NULL' : "'" . $this->db->escape($this->fk_soc) . "'") . ",";
$sql .= " " . (empty($this->price) ? '0' : "'" . $this->db->escape($this->price) . "'") . ",";
$sql .= " " . (empty($this->price_ttc) ? '0' : "'" . $this->db->escape($this->price_ttc) . "'") . ",";
$sql .= " " . (empty($this->price_min) ? '0' : "'" . $this->db->escape($this->price_min) . "'") . ",";
$sql .= " " . (empty($this->price_min_ttc) ? '0' : "'" . $this->db->escape($this->price_min_ttc) . "'") . ",";
$sql .= " " . (! isset($this->price_base_type) ? 'NULL' : "'" . $this->db->escape($this->price_base_type) . "'") . ",";
$sql .= " ".($this->default_vat_code ? "'".$this->db->escape($this->default_vat_code)."'" : "null").",";
$sql .= " " . (! isset($this->tva_tx) ? 'NULL' : (empty($this->tva_tx)?0:$this->tva_tx)) . ",";
$sql .= " " . (! isset($this->recuperableonly) ? 'NULL' : "'" . $this->recuperableonly . "'") . ",";
$sql .= " " . (empty($this->localtax1_type) ? "'0'" : "'" . $this->localtax1_type . "'") . ",";
$sql .= " " . (! isset($this->recuperableonly) ? 'NULL' : "'" . $this->db->escape($this->recuperableonly) . "'") . ",";
$sql .= " " . (empty($this->localtax1_type) ? "'0'" : "'" . $this->db->escape($this->localtax1_type) . "'") . ",";
$sql .= " " . (! isset($this->localtax1_tx) ? 'NULL' : (empty($this->localtax1_tx)?0:$this->localtax1_tx)) . ",";
$sql .= " " . (empty($this->localtax2_type) ? "'0'" : "'" . $this->localtax2_type . "'") . ",";
$sql .= " " . (empty($this->localtax2_type) ? "'0'" : "'" . $this->db->escape($this->localtax2_type) . "'") . ",";
$sql .= " " . (! isset($this->localtax2_tx) ? 'NULL' : (empty($this->localtax2_tx)?0:$this->localtax2_tx)) . ",";
$sql .= " " . $user->id . ",";
$sql .= " " . (! isset($this->import_key) ? 'NULL' : "'" . $this->db->escape($this->import_key) . "'") . "";
@@ -660,8 +660,8 @@ class Productcustomerprice extends CommonObject
$sql .= " recuperableonly=" . (isset($this->recuperableonly) ? $this->recuperableonly : "null") . ",";
$sql .= " localtax1_tx=" . (isset($this->localtax1_tx) ? (empty($this->localtax1_tx)?0:$this->localtax1_tx) : "null") . ",";
$sql .= " localtax2_tx=" . (isset($this->localtax2_tx) ? (empty($this->localtax2_tx)?0:$this->localtax2_tx) : "null") . ",";
$sql .= " localtax1_type=" . (! empty($this->localtax1_type) ? "'".$this->localtax1_type."'": "'0'") . ",";
$sql .= " localtax2_type=" . (! empty($this->localtax2_type) ? "'".$this->localtax2_type."'": "'0'") . ",";
$sql .= " localtax1_type=" . (! empty($this->localtax1_type) ? "'".$this->db->escape($this->localtax1_type)."'": "'0'") . ",";
$sql .= " localtax2_type=" . (! empty($this->localtax2_type) ? "'".$this->db->escape($this->localtax2_type)."'": "'0'") . ",";
$sql .= " fk_user=" . $user->id . ",";
$sql .= " import_key=" . (isset($this->import_key) ? "'" . $this->db->escape($this->import_key) . "'" : "null") . "";
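Review bot: `$this->tva_tx`, `$this->localtax1_tx` and `$this->localtax2_tx` (L1900, L1905, L1908, L1912-1914) are still emitted unquoted through an `empty(...) ? 0 : $x` expression that does not sanitise the non-empty branch, and `recuperableonly` at L1912 is concatenated raw; these need `price2num()` or a cast, e.g. `(! isset($this->tva_tx) ? 'NULL' : price2num($this->tva_tx))`. The enclosing create and update methods start and end outside the hunks.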


@@ -33,7 +33,7 @@ class Propalmergepdfproduct extends CommonObject
{
var $element='propal_merge_pdf_product'; //!< Id that identify managed objects
var $table_element='propal_merge_pdf_product'; //!< Name of table without prefix where object is stored
var $fk_product;
var $file_name;
var $fk_user_author;
@@ -41,10 +41,10 @@ class Propalmergepdfproduct extends CommonObject
var $datec='';
var $tms='';
var $lang;
var $lines=array();
/**
@@ -72,7 +72,7 @@ class Propalmergepdfproduct extends CommonObject
$error=0;
// Clean parameters
if (isset($this->fk_product)) $this->fk_product=trim($this->fk_product);
if (isset($this->file_name)) $this->file_name=trim($this->file_name);
if (isset($this->fk_user_author)) $this->fk_user_author=trim($this->fk_user_author);
@@ -80,14 +80,14 @@ class Propalmergepdfproduct extends CommonObject
if (isset($this->lang)) $this->lang=trim($this->lang);
if (isset($this->import_key)) $this->import_key=trim($this->import_key);
// Check parameters
// Put here code to add control on parameters values
// Insert request
$sql = "INSERT INTO ".MAIN_DB_PREFIX."propal_merge_pdf_product(";
$sql.= "fk_product,";
$sql.= "file_name,";
if ($conf->global->MAIN_MULTILANGS) {
@@ -97,10 +97,10 @@ class Propalmergepdfproduct extends CommonObject
$sql.= "fk_user_mod,";
$sql.= "datec";
$sql.= ") VALUES (";
$sql.= " ".(! isset($this->fk_product)?'NULL':"'".$this->fk_product."'").",";
$sql.= " ".(! isset($this->fk_product)?'NULL':"'".$this->db->escape($this->fk_product)."'").",";
$sql.= " ".(! isset($this->file_name)?'NULL':"'".$this->db->escape($this->file_name)."'").",";
if ($conf->global->MAIN_MULTILANGS) {
$sql.= " ".(! isset($this->lang)?'NULL':"'".$this->db->escape($this->lang)."'").",";
@@ -109,7 +109,7 @@ class Propalmergepdfproduct extends CommonObject
$sql.= " ".$user->id.",";
$sql.= " '".$this->db->idate(dol_now())."'";
$sql.= ")";
$this->db->begin();
@@ -164,10 +164,10 @@ class Propalmergepdfproduct extends CommonObject
function fetch($id)
{
global $langs,$conf;
$sql = "SELECT";
$sql.= " t.rowid,";
$sql.= " t.fk_product,";
$sql.= " t.file_name,";
$sql.= " t.lang,";
@@ -177,7 +177,7 @@ class Propalmergepdfproduct extends CommonObject
$sql.= " t.tms,";
$sql.= " t.import_key";
$sql.= " FROM ".MAIN_DB_PREFIX."propal_merge_pdf_product as t";
$sql.= " WHERE t.rowid = ".$id;
@@ -190,7 +190,7 @@ class Propalmergepdfproduct extends CommonObject
$obj = $this->db->fetch_object($resql);
$this->id = $obj->rowid;
$this->fk_product = $obj->fk_product;
$this->file_name = $obj->file_name;
if ($conf->global->MAIN_MULTILANGS) {
@@ -202,7 +202,7 @@ class Propalmergepdfproduct extends CommonObject
$this->tms = $this->db->jdate($obj->tms);
$this->import_key = $obj->import_key;
}
$this->db->free($resql);
@@ -215,7 +215,7 @@ class Propalmergepdfproduct extends CommonObject
return -1;
}
}
/**
* Load object in memory from the database
*
@@ -226,10 +226,10 @@ class Propalmergepdfproduct extends CommonObject
function fetch_by_product($product_id, $lang='')
{
global $langs,$conf;
$sql = "SELECT";
$sql.= " t.rowid,";
$sql.= " t.fk_product,";
$sql.= " t.file_name,";
$sql.= " t.lang,";
@@ -238,14 +238,14 @@ class Propalmergepdfproduct extends CommonObject
$sql.= " t.datec,";
$sql.= " t.tms,";
$sql.= " t.import_key";
$sql.= " FROM ".MAIN_DB_PREFIX."propal_merge_pdf_product as t";
$sql.= " WHERE t.fk_product = ".$product_id;
if ($conf->global->MAIN_MULTILANGS && !empty($lang)) {
$sql.= " AND t.lang = '".$lang."'";
}
dol_syslog(get_class($this)."::".__METHOD__, LOG_DEBUG);
$resql=$this->db->query($sql);
if ($resql)
@@ -253,11 +253,11 @@ class Propalmergepdfproduct extends CommonObject
if ($this->db->num_rows($resql))
{
while($obj = $this->db->fetch_object($resql)) {
$line = new PropalmergepdfproductLine();
$line->id = $obj->rowid;
$line->fk_product = $obj->fk_product;
$line->file_name = $obj->file_name;
if ($conf->global->MAIN_MULTILANGS) {
@@ -268,21 +268,21 @@ class Propalmergepdfproduct extends CommonObject
$line->datec = $this->db->jdate($obj->datec);
$line->tms = $this->db->jdate($obj->tms);
$line->import_key = $obj->import_key;
if ($conf->global->MAIN_MULTILANGS) {
$this->lines[$obj->file_name.'_'.$obj->lang]=$line;
}else {
$this->lines[$obj->file_name]=$line;
}
}
}
$this->db->free($resql);
return 1;
}
else
@@ -307,21 +307,21 @@ class Propalmergepdfproduct extends CommonObject
$error=0;
// Clean parameters
if (isset($this->fk_product)) $this->fk_product=trim($this->fk_product);
if (isset($this->file_name)) $this->file_name=trim($this->file_name);
if (isset($this->fk_user_mod)) $this->fk_user_mod=trim($this->fk_user_mod);
if (isset($this->lang)) $this->lang=trim($this->lang);
// Check parameters
// Put here code to add a control on parameters values
// Update request
$sql = "UPDATE ".MAIN_DB_PREFIX."propal_merge_pdf_product SET";
$sql.= " fk_product=".(isset($this->fk_product)?$this->fk_product:"null").",";
$sql.= " file_name=".(isset($this->file_name)?"'".$this->db->escape($this->file_name)."'":"null").",";
if ($conf->global->MAIN_MULTILANGS) {
@@ -329,7 +329,7 @@ class Propalmergepdfproduct extends CommonObject
}
$sql.= " fk_user_mod=".$user->id;
$sql.= " WHERE rowid=".$this->id;
$this->db->begin();
@@ -430,7 +430,7 @@ class Propalmergepdfproduct extends CommonObject
return 1;
}
}
/**
* Delete object in database
*
@@ -444,16 +444,16 @@ class Propalmergepdfproduct extends CommonObject
{
global $conf, $langs;
$error=0;
$this->db->begin();
if (! $error)
{
if (! $notrigger)
{
// Uncomment this and change MYOBJECT to your own tag if you
// want this action calls a trigger.
//// Call triggers
//include_once DOL_DOCUMENT_ROOT . '/core/class/interfaces.class.php';
//$interface=new Interfaces($this->db);
@@ -462,21 +462,21 @@ class Propalmergepdfproduct extends CommonObject
//// End call triggers
}
}
if (! $error)
{
$sql = "DELETE FROM ".MAIN_DB_PREFIX."propal_merge_pdf_product";
$sql.= " WHERE fk_product=".$product_id;
if ($conf->global->MAIN_MULTILANGS && !empty($lang_id)) {
$sql.= " AND lang='".$lang_id."'";
}
dol_syslog(get_class($this)."::".__METHOD__, LOG_DEBUG);
$resql = $this->db->query($sql);
if (! $resql) { $error++; $this->errors[]="Error ".$this->db->lasterror(); }
}
// Commit or rollback
if ($error)
{
@@ -494,7 +494,7 @@ class Propalmergepdfproduct extends CommonObject
return 1;
}
}
/**
* Delete object in database
*
@@ -505,16 +505,16 @@ class Propalmergepdfproduct extends CommonObject
{
global $conf, $langs;
$error=0;
$this->db->begin();
if (! $error)
{
if (! $notrigger)
{
// Uncomment this and change MYOBJECT to your own tag if you
// want this action calls a trigger.
//// Call triggers
//include_once DOL_DOCUMENT_ROOT . '/core/class/interfaces.class.php';
//$interface=new Interfaces($this->db);
@@ -523,17 +523,17 @@ class Propalmergepdfproduct extends CommonObject
//// End call triggers
}
}
if (! $error)
{
$sql = "DELETE FROM ".MAIN_DB_PREFIX."propal_merge_pdf_product";
$sql.= " WHERE fk_product=".$this->fk_product." AND file_name='".$this->db->escape($this->file_name)."'";
dol_syslog(get_class($this)."::".__METHOD__, LOG_DEBUG);
$resql = $this->db->query($sql);
if (! $resql) { $error++; $this->errors[]="Error ".$this->db->lasterror(); }
}
// Commit or rollback
if ($error)
{
@@ -617,7 +617,7 @@ class Propalmergepdfproduct extends CommonObject
function initAsSpecimen()
{
$this->id=0;
$this->fk_product='';
$this->file_name='';
$this->fk_user_author='';
@@ -626,7 +626,7 @@ class Propalmergepdfproduct extends CommonObject
$this->tms='';
$this->import_key='';
}
}
@@ -637,7 +637,7 @@ class Propalmergepdfproduct extends CommonObject
class PropalmergepdfproductLine
{
var $id;
var $fk_product;
var $file_name;
var $lang;


@@ -301,7 +301,7 @@ class Task extends CommonObject
// Update request
$sql = "UPDATE ".MAIN_DB_PREFIX."projet_task SET";
$sql.= " fk_projet=".(isset($this->fk_project)?$this->fk_project:"null").",";
$sql.= " ref=".(isset($this->ref)?"'".$this->db->escape($this->ref)."'":"'".$this->id."'").",";
$sql.= " ref=".(isset($this->ref)?"'".$this->db->escape($this->ref)."'":"'".$this->db->escape($this->id)."'").",";
$sql.= " fk_task_parent=".(isset($this->fk_task_parent)?$this->fk_task_parent:"null").",";
$sql.= " label=".(isset($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
$sql.= " description=".(isset($this->description)?"'".$this->db->escape($this->description)."'":"null").",";
@@ -1251,7 +1251,7 @@ class Task extends CommonObject
$newDuration = $this->timespent_duration - $this->timespent_old_duration;
$sql = "UPDATE ".MAIN_DB_PREFIX."projet_task";
$sql.= " SET duration_effective = (SELECT SUM(task_duration) FROM ".MAIN_DB_PREFIX."projet_task_time as ptt where ptt.fk_task = ".$this->id.")";
$sql.= " SET duration_effective = (SELECT SUM(task_duration) FROM ".MAIN_DB_PREFIX."projet_task_time as ptt where ptt.fk_task = ".$this->db->escape($this->id).")";
$sql.= " WHERE rowid = ".$this->id;
dol_syslog(get_class($this)."::updateTimeSpent", LOG_DEBUG);
@@ -1303,7 +1303,7 @@ class Task extends CommonObject
if (! $error)
{
$sql = "UPDATE ".MAIN_DB_PREFIX."projet_task";
$sql.= " SET duration_effective = duration_effective - '".$this->timespent_duration."'";
$sql.= " SET duration_effective = duration_effective - ".$this->db->escape($this->timespent_duration?$this->timespent_duration:0);
$sql.= " WHERE rowid = ".$this->id;
dol_syslog(get_class($this)."::delTimeSpent", LOG_DEBUG);
@@ -1899,7 +1899,7 @@ class TaskComment extends CommonObject
$sql.= ", '".(isset($this->fk_task)?$this->fk_task:"null")."'";
$sql.= ", '".(isset($this->fk_user)?$this->fk_user:"null")."'";
$sql.= ", ".(!empty($this->entity)?$this->entity:'1');
$sql.= ", ".(!empty($this->import_key)?"'".$this->import_key."'":"null");
$sql.= ", ".(!empty($this->import_key)?"'".$this->db->escape($this->import_key)."'":"null");
$sql.= ")";
//var_dump($this->db);
@@ -2024,7 +2024,7 @@ class TaskComment extends CommonObject
$sql.= " fk_task=".(isset($this->fk_task)?$this->fk_task:"null").",";
$sql.= " fk_user=".(isset($this->fk_user)?$this->fk_user:"null").",";
$sql.= " entity=".(!empty($this->entity)?$this->entity:'1').",";
$sql.= " import_key=".(!empty($this->import_key)?"'".$this->import_key."'":"null");
$sql.= " import_key=".(!empty($this->import_key)?"'".$this->db->escape($this->import_key)."'":"null");
$sql.= " WHERE rowid=".$this->id;
$this->db->begin();


@@ -33,7 +33,7 @@ class Dolresource extends CommonObject
public $element='dolresource'; //!< Id that identify managed objects
public $table_element='resource'; //!< Name of table without prefix where object is stored
public $picto = 'resource';
public $resource_id;
public $resource_type;
public $element_id;
@@ -843,7 +843,7 @@ class Dolresource extends CommonObject
// Update request
$sql = "UPDATE ".MAIN_DB_PREFIX."element_resources SET";
$sql.= " resource_id=".(isset($this->resource_id)?"'".$this->db->escape($this->resource_id)."'":"null").",";
$sql.= " resource_type=".(isset($this->resource_type)?"'".$this->resource_type."'":"null").",";
$sql.= " resource_type=".(isset($this->resource_type)?"'".$this->db->escape($this->resource_type)."'":"null").",";
$sql.= " element_id=".(isset($this->element_id)?$this->element_id:"null").",";
$sql.= " element_type=".(isset($this->element_type)?"'".$this->db->escape($this->element_type)."'":"null").",";
$sql.= " busy=".(isset($this->busy)?$this->busy:"null").",";
@@ -1019,8 +1019,8 @@ class Dolresource extends CommonObject
$result.=$link.$this->ref.$linkend;
return $result;
}
/**
* Retourne le libelle du status d'un user (actif, inactif)
*
@@ -1031,7 +1031,7 @@ class Dolresource extends CommonObject
{
return $this->LibStatut($this->status,$mode);
}
/**
* Return the status
*
@@ -1042,7 +1042,7 @@ class Dolresource extends CommonObject
static function LibStatut($status,$mode=0)
{
global $langs;
return '';
}
}
}
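Review bot: In the update hunk the escape added for `resource_type` leaves the neighbouring unquoted interpolations untouched: `element_id=".(isset($this->element_id)?$this->element_id:"null")` and `busy=".(isset($this->busy)?$this->busy:"null")` go into the statement without quoting, escaping or casting, and the new CodingPhpTest pattern only looks for quoted `'".$this->` fragments, so it will not flag them. A cast keeps the NULL fallback and removes the ambiguity: `element_id=".(isset($this->element_id)?(int) $this->element_id:"null").","` and likewise for busy. The update function's body begins and ends outside the hunk.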


@@ -859,13 +859,13 @@ class Societe extends CommonObject
$sql .= ",idprof5 = '". $this->db->escape($this->idprof5) ."'";
$sql .= ",idprof6 = '". $this->db->escape($this->idprof6) ."'";
$sql .= ",tva_assuj = ".($this->tva_assuj!=''?"'".$this->tva_assuj."'":"null");
$sql .= ",tva_assuj = ".($this->tva_assuj!=''?"'".$this->db->escape($this->tva_assuj)."'":"null");
$sql .= ",tva_intra = '" . $this->db->escape($this->tva_intra) ."'";
$sql .= ",status = " .$this->status;
// Local taxes
$sql .= ",localtax1_assuj = ".($this->localtax1_assuj!=''?"'".$this->localtax1_assuj."'":"null");
$sql .= ",localtax2_assuj = ".($this->localtax2_assuj!=''?"'".$this->localtax2_assuj."'":"null");
$sql .= ",localtax1_assuj = ".($this->localtax1_assuj!=''?"'".$this->db->escape($this->localtax1_assuj)."'":"null");
$sql .= ",localtax2_assuj = ".($this->localtax2_assuj!=''?"'".$this->db->escape($this->localtax2_assuj)."'":"null");
if($this->localtax1_assuj==1)
{
if($this->localtax1_value!='')
@@ -1565,7 +1565,7 @@ class Societe extends CommonObject
// Positionne remise courante
$sql = "UPDATE ".MAIN_DB_PREFIX."societe ";
$sql.= " SET remise_client = '".$this->db->escape($remise)."'";
$sql.= " WHERE rowid = " . $this->id .";";
$sql.= " WHERE rowid = " . $this->id;
$resql=$this->db->query($sql);
if (! $resql)
{
@@ -1698,7 +1698,7 @@ class Societe extends CommonObject
else
$sql.= " WHERE entity in (0, ".$conf->entity.")";
$sql.= " AND u.rowid = sc.fk_user AND sc.fk_soc =".$this->id;
$sql.= " AND u.rowid = sc.fk_user AND sc.fk_soc = ".$this->id;
$resql = $this->db->query($sql);
if ($resql)
@@ -1751,7 +1751,7 @@ class Societe extends CommonObject
$sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_prices";
$sql .= " (datec, fk_soc, price_level, fk_user_author)";
$sql .= " VALUES ('".$this->db->idate($now)."',".$this->id.",'".$this->db->escape($price_level)."',".$user->id.")";
$sql .= " VALUES ('".$this->db->idate($now)."', ".$this->id.", '".$this->db->escape($price_level)."', ".$user->id.")";
if (! $this->db->query($sql))
{
@@ -2947,17 +2947,17 @@ class Societe extends CommonObject
}
/**
* Charge la liste des categories fournisseurs
* Insert link supplier - category
*
* @param int $categorie_id Id of category
* @return int 0 if success, <> 0 if error
*/
function AddFournisseurInCategory($categorie_id)
{
if ($categorie_id > 0)
if ($categorie_id > 0 && $this->id > 0)
{
$sql = "INSERT INTO ".MAIN_DB_PREFIX."categorie_fournisseur (fk_categorie, fk_soc) ";
$sql.= " VALUES ('".$categorie_id."','".$this->id."');";
$sql.= " VALUES (".$categorie_id.", ".$this->id.")";
if ($resql=$this->db->query($sql)) return 0;
}
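Review bot: In AddFournisseurInCategory the new `$this->id > 0` guard and the switch to unquoted values still concatenate `$categorie_id` and `$this->id` straight into the INSERT; `> 0` is a loose comparison that a string merely beginning with a digit can satisfy, so it does not sanitise. Since both values are ids, a cast is enough and keeps the guard meaningful: `$sql.= " VALUES (".((int) $categorie_id).", ".((int) $this->id).")";`. Where `$categorie_id` comes from is not visible here, so the practical exposure depends on the callers. The rest of the function, including the error path after the query, is outside the hunk.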


@@ -2829,27 +2829,27 @@ class SupplierProposalLine extends CommonObjectLine
$sql.= ' ref_fourn,';
$sql.= ' fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc, fk_unit)';
$sql.= " VALUES (".$this->fk_supplier_proposal.",";
$sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").",";
$sql.= " ".($this->fk_parent_line>0?"'".$this->db->escape($this->fk_parent_line)."'":"null").",";
$sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
$sql.= " '".$this->db->escape($this->desc)."',";
$sql.= " ".($this->fk_product?"'".$this->fk_product."'":"null").",";
$sql.= " '".$this->product_type."',";
$sql.= " ".($this->fk_remise_except?"'".$this->fk_remise_except."'":"null").",";
$sql.= " ".($this->fk_product?"'".$this->db->escape($this->fk_product)."'":"null").",";
$sql.= " '".$this->db->escape($this->product_type)."',";
$sql.= " ".($this->fk_remise_except?"'".$this->db->escape($this->fk_remise_except)."'":"null").",";
$sql.= " ".price2num($this->qty).",";
$sql.= " ".price2num($this->tva_tx).",";
$sql.= " ".price2num($this->localtax1_tx).",";
$sql.= " ".price2num($this->localtax2_tx).",";
$sql.= " '".$this->localtax1_type."',";
$sql.= " '".$this->localtax2_type."',";
$sql.= " '".$this->db->escape($this->localtax1_type)."',";
$sql.= " '".$this->db->escape($this->localtax2_type)."',";
$sql.= " ".(!empty($this->subprice)?price2num($this->subprice):"null").",";
$sql.= " ".price2num($this->remise_percent).",";
$sql.= " ".(isset($this->info_bits)?"'".$this->info_bits."'":"null").",";
$sql.= " ".(isset($this->info_bits)?"'".$this->db->escape($this->info_bits)."'":"null").",";
$sql.= " ".price2num($this->total_ht).",";
$sql.= " ".price2num($this->total_tva).",";
$sql.= " ".price2num($this->total_localtax1).",";
$sql.= " ".price2num($this->total_localtax2).",";
$sql.= " ".price2num($this->total_ttc).",";
$sql.= " ".(!empty($this->fk_fournprice)?"'".$this->fk_fournprice."'":"null").",";
$sql.= " ".(!empty($this->fk_fournprice)?"'".$this->db->escape($this->fk_fournprice)."'":"null").",";
$sql.= " ".(isset($this->pa_ht)?"'".price2num($this->pa_ht)."'":"null").",";
$sql.= ' '.$this->special_code.',';
$sql.= ' '.$this->rang.',';
@@ -3025,7 +3025,7 @@ class SupplierProposalLine extends CommonObjectLine
$sql.= " , total_localtax1=".price2num($this->total_localtax1)."";
$sql.= " , total_localtax2=".price2num($this->total_localtax2)."";
}
$sql.= " , fk_product_fournisseur_price=".(! empty($this->fk_fournprice)?"'".$this->fk_fournprice."'":"null");
$sql.= " , fk_product_fournisseur_price=".(! empty($this->fk_fournprice)?"'".$this->db->escape($this->fk_fournprice)."'":"null");
$sql.= " , buy_price_ht=".price2num($this->pa_ht);
if (strlen($this->special_code)) $sql.= " , special_code=".$this->special_code;
$sql.= " , fk_parent_line=".($this->fk_parent_line>0?$this->fk_parent_line:"null");
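Review bot: The escape calls added on the integer foreign keys (fk_parent_line, fk_product, fk_remise_except, fk_fournprice, info_bits) only work because those values stay wrapped in single quotes; the sibling integer fields `' '.$this->special_code.','` and `' '.$this->rang.','` in the insert hunk, and `special_code=".$this->special_code` / `fk_parent_line=".(...$this->fk_parent_line...)` in the update hunk, are interpolated unquoted with neither escape nor cast, so they end up with less protection than the newly escaped fields. For integer columns a cast is both clearer and uniform, e.g. `$sql.= ' '.((int) $this->special_code).',';` and `$sql.= ' '.((int) $this->rang).',';`. The insert and update bodies begin and end outside the hunks.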


@@ -140,7 +140,7 @@ class Website extends CommonObject
$sql .= ' '.(! isset($this->description)?'NULL':"'".$this->db->escape($this->description)."'").',';
$sql .= ' '.(! isset($this->status)?'NULL':$this->status).',';
$sql .= ' '.(! isset($this->fk_default_home)?'NULL':$this->fk_default_home).',';
$sql .= ' '.(! isset($this->virtualhost)?'NULL':"'".$this->virtualhost)."',";
$sql .= ' '.(! isset($this->virtualhost)?'NULL':"'".$this->db->escape($this->virtualhost)."'").",";
$sql .= ' '.(! isset($this->fk_user_create)?$user->id:$this->fk_user_create).',';
$sql .= ' '.(! isset($this->date_creation) || dol_strlen($this->date_creation)==0?'NULL':"'".$this->db->idate($this->date_creation)."'").",";
$sql .= ' '.(! isset($this->date_modification) || dol_strlen($this->date_modification)==0?'NULL':"'".$this->db->idate($this->date_creation)."'");
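Review bot: The last line of the hunk fills the date_modification column from `$this->date_creation` (`"'".$this->db->idate($this->date_creation)."'"` inside the date_modification ternary), which looks like a copy/paste slip the commit leaves in place; it should presumably read `"'".$this->db->idate($this->date_modification)."'"`. The virtualhost fix itself is right: the old line closed the quote and the comma outside the ternary, so the NULL branch produced `NULL',`. The status and fk_default_home values two lines above are still interpolated unquoted with no cast. The create function's body continues outside the hunk.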


@@ -177,10 +177,10 @@ class CodingPhpTest extends PHPUnit_Framework_TestCase
$ok=true;
$matches=array();
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
preg_match_all('/=\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER);
preg_match_all('/(=|sql.+)\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER);
foreach($matches as $key => $val)
{
if ($val[1] != 'db->' && $val[1] != 'esca')
if ($val[2] != 'db->' && $val[2] != 'esca')
{
$ok=false;
break;
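Review bot: The new `(=|sql.+)` alternative is greedy, so on a `$sql` line holding several `'".$this->` fragments only the last one is captured (and `preg_match_all` resumes after it), which means an unescaped property earlier on the same line, e.g. `"'".$this->label."','".$this->db->escape($x)."'"`, passes the test. Checking every occurrence is simpler and stricter: drop the prefix alternative and run `preg_match_all('/\'"\s*\.\s*\$this->(....)/', $line, $matches, PREG_SET_ORDER)` on each line that builds `$sql`. The check also only covers quoted string contexts; the unquoted `= ".$this->id` form, where `escape()` gives no protection anyway, is not detected, and that is where most of the remaining concatenations touched by this commit sit. The enclosing test method begins before the hunk.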