Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Add more robust php unit to detect not escaped sql. Fix not escaped sql

Browse Source
This commit is contained in:
Laurent Destailleur
2017-09-15 15:41:07 +02:00
parent 77056d9adb
commit 5e34b121dd
63 changed files with 420 additions and 438 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
htdocs/commande/class/commande.class.php
View File

@@ -775,11 +775,11 @@ class Commande extends CommonOrder
$sql.= ", ".($this->ref_client?"'".$this->db->escape($this->ref_client)."'":"null");
$sql.= ", ".($this->ref_int?"'".$this->db->escape($this->ref_int)."'":"null");
$sql.= ", '".$this->db->escape($this->modelpdf)."'";
$sql.= ", ".($this->cond_reglement_id>0?"'".$this->cond_reglement_id."'":"null");
$sql.= ", ".($this->mode_reglement_id>0?"'".$this->mode_reglement_id."'":"null");
$sql.= ", ".($this->cond_reglement_id>0?$this->cond_reglement_id:"null");
$sql.= ", ".($this->mode_reglement_id>0?$this->mode_reglement_id:"null");
$sql.= ", ".($this->fk_account>0?$this->fk_account:'NULL');
$sql.= ", ".($this->availability_id>0?"'".$this->availability_id."'":"null");
$sql.= ", ".($this->demand_reason_id>0?"'".$this->demand_reason_id."'":"null");
$sql.= ", ".($this->availability_id>0?$this->availability_id:"null");
$sql.= ", ".($this->demand_reason_id>0?$this->demand_reason_id:"null");
$sql.= ", ".($this->date_livraison?"'".$this->db->idate($this->date_livraison)."'":"null");
$sql.= ", ".($this->fk_delivery_address>0?$this->fk_delivery_address:'NULL');
$sql.= ", ".($this->shipping_method_id>0?$this->shipping_method_id:'NULL');
@@ -3995,18 +3995,18 @@ class OrderLine extends CommonOrderLine
$sql.= ', fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc';
$sql.= ')';
$sql.= " VALUES (".$this->fk_commande.",";
$sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").",";
$sql.= " ".($this->fk_parent_line>0?"'".$this->db->escape($this->fk_parent_line)."'":"null").",";
$sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
$sql.= " '".$this->db->escape($this->desc)."',";
$sql.= " '".price2num($this->qty)."',";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").",";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").",";
$sql.= " '".price2num($this->tva_tx)."',";
$sql.= " '".price2num($this->localtax1_tx)."',";
$sql.= " '".price2num($this->localtax2_tx)."',";
$sql.= " '".$this->localtax1_type."',";
$sql.= " '".$this->localtax2_type."',";
$sql.= " '".$this->db->escape($this->localtax1_type)."',";
$sql.= " '".$this->db->escape($this->localtax2_type)."',";
$sql.= ' '.(! empty($this->fk_product)?$this->fk_product:"null").',';
$sql.= " '".$this->product_type."',";
$sql.= " '".$this->db->escape($this->product_type)."',";
$sql.= " '".price2num($this->remise_percent)."',";
$sql.= " ".($this->subprice!=''?"'".price2num($this->subprice)."'":"null").",";
$sql.= " ".($this->price!=''?"'".price2num($this->price)."'":"null").",";
@@ -4016,7 +4016,7 @@ class OrderLine extends CommonOrderLine
$sql.= ' '.$this->rang.',';
$sql.= ' '.(! empty($this->fk_fournprice)?$this->fk_fournprice:"null").',';
$sql.= ' '.price2num($this->pa_ht).',';
$sql.= " '".$this->info_bits."',";
$sql.= " '".$this->db->escape($this->info_bits)."',";
$sql.= " '".price2num($this->total_ht)."',";
$sql.= " '".price2num($this->total_tva)."',";
$sql.= " '".price2num($this->total_localtax1)."',";