Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Add more robust php unit to detect not escaped sql. Fix not escaped sql

Browse Source
This commit is contained in:
Laurent Destailleur
2017-09-15 15:41:07 +02:00
parent 77056d9adb
commit 5e34b121dd
63 changed files with 420 additions and 438 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
htdocs/accountancy/class/accountancysystem.class.php
View File

@@ -107,7 +107,7 @@ class AccountancySystem
$sql = "INSERT INTO " . MAIN_DB_PREFIX . "accounting_system";
$sql .= " (date_creation, fk_user_author, numero, label)";
$sql .= " VALUES ('" . $this->db->idate($now) . "'," . $user->id . ",'" . $this->numero . "','" . $this->label . "')";
$sql .= " VALUES ('" . $this->db->idate($now) . "'," . $user->id . ",'" . $this->db->escape($this->numero) . "','" . $this->db->escape($this->label) . "')";
dol_syslog(get_class($this) . "::create sql=" . $sql, LOG_DEBUG);
$resql = $this->db->query($sql);

4
htdocs/accountancy/class/accountingaccount.class.php
View File

@@ -179,8 +179,8 @@ class AccountingAccount extends CommonObject
$sql .= ", " . $conf->entity;
$sql .= ", " . (empty($this->fk_pcg_version) ? 'NULL' : "'" . $this->db->escape($this->fk_pcg_version) . "'");
$sql .= ", " . (empty($this->pcg_type) ? 'NULL' : "'" . $this->db->escape($this->pcg_type) . "'");
$sql .= ", " . (empty($this->pcg_subtype) ? 'NULL' : "'" . $this->pcg_subtype . "'");
$sql .= ", " . (empty($this->account_number) ? 'NULL' : "'" . $this->account_number . "'");
$sql .= ", " . (empty($this->pcg_subtype) ? 'NULL' : "'" . $this->db->escape($this->pcg_subtype) . "'");
$sql .= ", " . (empty($this->account_number) ? 'NULL' : "'" . $this->db->escape($this->account_number) . "'");
$sql .= ", " . (empty($this->account_parent) ? 'NULL' : "'" . $this->db->escape($this->account_parent) . "'");
$sql .= ", " . (empty($this->label) ? 'NULL' : "'" . $this->db->escape($this->label) . "'");
$sql .= ", " . (empty($this->account_category) ? 'NULL' : "'" . $this->db->escape($this->account_category) . "'");

16
htdocs/adherents/class/adherent.class.php
View File

@@ -325,10 +325,10 @@ class Adherent extends CommonObject
$sql.= " '".$this->db->idate($this->datec)."'";
$sql.= ", ".($this->login?"'".$this->db->escape($this->login)."'":"null");
$sql.= ", ".($user->id>0?$user->id:"null"); // Can be null because member can be created by a guest or a script
$sql.= ", null, null, '".$this->morphy."'";
$sql.= ", '".$this->typeid."'";
$sql.= ", null, null, '".$this->db->escape($this->morphy)."'";
$sql.= ", ".$this->typeid;
$sql.= ", ".$conf->entity;
$sql.= ", ".(! empty($this->import_key) ? "'".$this->import_key."'":"null");
$sql.= ", ".(! empty($this->import_key) ? "'".$this->db->escape($this->import_key)."'":"null");
$sql.= ")";
dol_syslog(get_class($this)."::create", LOG_DEBUG);
@@ -447,17 +447,17 @@ class Adherent extends CommonObject
$this->db->begin();
$sql = "UPDATE ".MAIN_DB_PREFIX."adherent SET";
$sql.= " civility = ".(!is_null($this->civility_id)?"'".$this->civility_id."'":"null");
$sql.= " civility = ".(!is_null($this->civility_id)?$this->db->escape($this->civility_id):"null");
$sql.= ", firstname = ".($this->firstname?"'".$this->db->escape($this->firstname)."'":"null");
$sql.= ", lastname=" .($this->lastname?"'".$this->db->escape($this->lastname)."'":"null");
$sql.= ", login=" .($this->login?"'".$this->db->escape($this->login)."'":"null");
$sql.= ", societe=" .($this->societe?"'".$this->db->escape($this->societe)."'":"null");
$sql.= ", fk_soc=" .($this->fk_soc > 0?"'".$this->fk_soc."'":"null");
$sql.= ", fk_soc=" .($this->fk_soc > 0?$this->db->escape($this->fk_soc):"null");
$sql.= ", address=" .($this->address?"'".$this->db->escape($this->address)."'":"null");
$sql.= ", zip=" .($this->zip?"'".$this->db->escape($this->zip)."'":"null");
$sql.= ", town=" .($this->town?"'".$this->db->escape($this->town)."'":"null");
$sql.= ", country=".($this->country_id>0?"'".$this->country_id."'":"null");
$sql.= ", state_id=".($this->state_id>0?"'".$this->state_id."'":"null");
$sql.= ", country=".($this->country_id>0?$this->db->escape($this->country_id):"null");
$sql.= ", state_id=".($this->state_id>0?$this->db->escape($this->state_id):"null");
$sql.= ", email='".$this->db->escape($this->email)."'";
$sql.= ", skype='".$this->db->escape($this->skype)."'";
$sql.= ", phone=" .($this->phone?"'".$this->db->escape($this->phone)."'":"null");
@@ -465,7 +465,7 @@ class Adherent extends CommonObject
$sql.= ", phone_mobile=" .($this->phone_mobile?"'".$this->db->escape($this->phone_mobile)."'":"null");
$sql.= ", note_private=" .($this->note_private?"'".$this->db->escape($this->note_private)."'":"null");
$sql.= ", note_public=" .($this->note_public?"'".$this->db->escape($this->note_public)."'":"null");
$sql.= ", photo=" .($this->photo?"'".$this->photo."'":"null");
$sql.= ", photo=" .($this->photo?"'".$this->db->escape($this->photo)."'":"null");
$sql.= ", public='".$this->db->escape($this->public)."'";
$sql.= ", statut=" .$this->statut;
$sql.= ", fk_adherent_type=".$this->typeid;

10
htdocs/bookmarks/class/bookmark.class.php
View File

@@ -120,11 +120,11 @@ class Bookmark extends CommonObject
$sql.= ",title,favicon,position";
$sql.= ",entity";
$sql.= ") VALUES (";
$sql.= ($this->fk_user > 0?"'".$this->fk_user."'":"0").",";
$sql.= ($this->fk_user > 0 ? $this->fk_user:"0").",";
$sql.= " '".$this->db->idate($now)."',";
$sql.= " '".$this->url."', '".$this->target."',";
$sql.= " '".$this->db->escape($this->title)."', '".$this->favicon."', '".$this->position."'";
$sql.= ", '".$conf->entity."'";
$sql.= " '".$this->db->escape($this->url)."', '".$this->db->escape($this->target)."',";
$sql.= " '".$this->db->escape($this->title)."', '".$this->db->escape($this->favicon)."', '".$this->db->escape($this->position)."'";
$sql.= ", ".$this->db->escape($conf->entity);
$sql.= ")";
dol_syslog("Bookmark::update", LOG_DEBUG);
@@ -168,7 +168,7 @@ class Bookmark extends CommonObject
if (empty($this->position)) $this->position=0;
$sql = "UPDATE ".MAIN_DB_PREFIX."bookmark";
$sql.= " SET fk_user = ".($this->fk_user > 0?"'".$this->fk_user."'":"0");
$sql.= " SET fk_user = ".($this->fk_user > 0 ? $this->fk_user :"0");
$sql.= " ,dateb = '".$this->db->idate($this->datec)."'";
$sql.= " ,url = '".$this->db->escape($this->url)."'";
$sql.= " ,target = '".$this->db->escape($this->target)."'";

8
htdocs/categories/class/categorie.class.php
View File

@@ -311,7 +311,7 @@ class Categorie extends CommonObject
$sql.= " import_key,";
$sql.= " entity";
$sql.= ") VALUES (";
$sql.= $this->fk_parent.",";
$sql.= $this->db->escape($this->fk_parent).",";
$sql.= "'".$this->db->escape($this->label)."',";
$sql.= "'".$this->db->escape($this->description)."',";
$sql.= "'".$this->db->escape($this->color)."',";
@@ -319,10 +319,10 @@ class Categorie extends CommonObject
{
$sql.= ($this->socid != -1 ? $this->socid : 'null').",";
}
$sql.= "'".$this->visible."',";
$sql.= $type.",";
$sql.= "'".$this->db->escape($this->visible)."',";
$sql.= $this->db->escape($type).",";
$sql.= (! empty($this->import_key)?"'".$this->db->escape($this->import_key)."'":'null').",";
$sql.= $conf->entity;
$sql.= $this->db->escape($conf->entity);
$sql.= ")";
$res = $this->db->query($sql);

44
htdocs/comm/action/class/actioncomm.class.php
View File

@@ -296,23 +296,23 @@ class ActionComm extends CommonObject
$sql.= "elementtype,";
$sql.= "entity";
$sql.= ") VALUES (";
$sql.= "'".$this->db->idate($now)."',";
$sql.= (strval($this->datep)!=''?"'".$this->db->idate($this->datep)."'":"null").",";
$sql.= (strval($this->datef)!=''?"'".$this->db->idate($this->datef)."'":"null").",";
$sql.= ((isset($this->durationp) && $this->durationp >= 0 && $this->durationp != '')?"'".$this->durationp."'":"null").","; // deprecated
$sql.= "'".$this->db->idate($now)."', ";
$sql.= (strval($this->datep)!=''?"'".$this->db->idate($this->datep)."'":"null").", ";
$sql.= (strval($this->datef)!=''?"'".$this->db->idate($this->datef)."'":"null").", ";
$sql.= ((isset($this->durationp) && $this->durationp >= 0 && $this->durationp != '')?"'".$this->db->escape($this->durationp)."'":"null").", "; // deprecated
$sql.= (isset($this->type_id)?$this->type_id:"null").",";
$sql.= (isset($this->type_code)?" '".$this->type_code."'":"null").",";
$sql.= ((isset($this->socid) && $this->socid > 0)?" '".$this->socid."'":"null").",";
$sql.= ((isset($this->fk_project) && $this->fk_project > 0)?" '".$this->fk_project."'":"null").",";
$sql.= " '".$this->db->escape($this->note)."',";
$sql.= ((isset($this->contactid) && $this->contactid > 0)?"'".$this->contactid."'":"null").",";
$sql.= (isset($user->id) && $user->id > 0 ? "'".$user->id."'":"null").",";
$sql.= ($userownerid>0?"'".$userownerid."'":"null").",";
$sql.= ($userdoneid>0?"'".$userdoneid."'":"null").",";
$sql.= "'".$this->db->escape($this->label)."','".$this->percentage."','".$this->priority."','".$this->fulldayevent."','".$this->db->escape($this->location)."','".$this->punctual."',";
$sql.= "'".$this->transparency."',";
$sql.= (! empty($this->fk_element)?$this->fk_element:"null").",";
$sql.= (! empty($this->elementtype)?"'".$this->elementtype."'":"null").",";
$sql.= (isset($this->type_code)?" '".$this->db->escape($this->type_code)."'":"null").", ";
$sql.= ((isset($this->socid) && $this->socid > 0) ? $this->socid:"null").", ";
$sql.= ((isset($this->fk_project) && $this->fk_project > 0) ? $this->fk_project:"null").", ";
$sql.= " '".$this->db->escape($this->note)."', ";
$sql.= ((isset($this->contactid) && $this->contactid > 0) ? $this->contactid:"null").", ";
$sql.= (isset($user->id) && $user->id > 0 ? $user->id:"null").", ";
$sql.= ($userownerid>0 ? $userownerid:"null").", ";
$sql.= ($userdoneid>0 ? $userdoneid:"null").", ";
$sql.= "'".$this->db->escape($this->label)."','".$this->db->escape($this->percentage)."','".$this->db->escape($this->priority)."','".$this->db->escape($this->fulldayevent)."','".$this->db->escape($this->location)."','".$this->db->escape($this->punctual)."', ";
$sql.= "'".$this->db->escape($this->transparency)."', ";
$sql.= (! empty($this->fk_element)?$this->fk_element:"null").", ";
$sql.= (! empty($this->elementtype)?"'".$this->db->escape($this->elementtype)."'":"null").", ";
$sql.= $conf->entity;
$sql.= ")";
@@ -758,11 +758,11 @@ class ActionComm extends CommonObject
$sql.= ", label = ".($this->label ? "'".$this->db->escape($this->label)."'":"null");
$sql.= ", datep = ".(strval($this->datep)!='' ? "'".$this->db->idate($this->datep)."'" : 'null');
$sql.= ", datep2 = ".(strval($this->datef)!='' ? "'".$this->db->idate($this->datef)."'" : 'null');
$sql.= ", durationp = ".(isset($this->durationp) && $this->durationp >= 0 && $this->durationp != ''?"'".$this->durationp."'":"null"); // deprecated
$sql.= ", durationp = ".(isset($this->durationp) && $this->durationp >= 0 && $this->durationp != ''?"'".$this->db->escape($this->durationp)."'":"null"); // deprecated
$sql.= ", note = ".($this->note ? "'".$this->db->escape($this->note)."'":"null");
$sql.= ", fk_project =". ($this->fk_project > 0 ? "'".$this->fk_project."'":"null");
$sql.= ", fk_soc =". ($socid > 0 ? "'".$socid."'":"null");
$sql.= ", fk_contact =". ($contactid > 0 ? "'".$contactid."'":"null");
$sql.= ", fk_project =". ($this->fk_project > 0 ? $this->fk_project:"null");
$sql.= ", fk_soc =". ($socid > 0 ? $socid:"null");
$sql.= ", fk_contact =". ($contactid > 0 ? $contactid:"null");
$sql.= ", priority = '".$this->db->escape($this->priority)."'";
$sql.= ", fulldayevent = '".$this->db->escape($this->fulldayevent)."'";
$sql.= ", location = ".($this->location ? "'".$this->db->escape($this->location)."'":"null");
@@ -770,8 +770,8 @@ class ActionComm extends CommonObject
$sql.= ", fk_user_mod = ".$user->id;
$sql.= ", fk_user_action=".($userownerid > 0 ? "'".$userownerid."'":"null");
$sql.= ", fk_user_done=".($userdoneid > 0 ? "'".$userdoneid."'":"null");
if (! empty($this->fk_element)) $sql.= ", fk_element=".($this->fk_element?$this->fk_element:"null");
if (! empty($this->elementtype)) $sql.= ", elementtype=".($this->elementtype?"'".$this->elementtype."'":"null");
if (! empty($this->fk_element)) $sql.= ", fk_element=".($this->fk_element?$this->db->escape($this->fk_element):"null");
if (! empty($this->elementtype)) $sql.= ", elementtype=".($this->elementtype?"'".$this->db->escape($this->elementtype)."'":"null");
$sql.= " WHERE id=".$this->id;
dol_syslog(get_class($this)."::update", LOG_DEBUG);

2
htdocs/comm/mailing/class/advtargetemailing.class.php
View File

@@ -121,7 +121,7 @@ class AdvanceTargetingMailing extends CommonObject
$sql.= " ".(! isset($this->name)?'NULL':"'".$this->db->escape($this->name)."'").",";
$sql.= " ".$conf->entity.",";
$sql.= " ".(! isset($this->fk_mailing)?'NULL':"'".$this->fk_mailing."'").",";
$sql.= " ".(! isset($this->fk_mailing)?'NULL':"'".$this->db->escape($this->fk_mailing)."'").",";
$sql.= " ".(! isset($this->filtervalue)?'NULL':"'".$this->db->escape($this->filtervalue)."'").",";
$sql.= " ".$user->id.",";
$sql.= " '".$this->db->idate(dol_now())."',";

20
htdocs/comm/propal/class/propal.class.php
View File

@@ -3772,28 +3772,28 @@ class PropaleLigne extends CommonObjectLine
$sql.= ' date_start, date_end';
$sql.= ', fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc)';
$sql.= " VALUES (".$this->fk_propal.",";
$sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").",";
$sql.= " ".($this->fk_parent_line>0?"'".$this->db->escape($this->fk_parent_line)."'":"null").",";
$sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
$sql.= " '".$this->db->escape($this->desc)."',";
$sql.= " ".($this->fk_product?"'".$this->fk_product."'":"null").",";
$sql.= " '".$this->product_type."',";
$sql.= " ".($this->fk_remise_except?"'".$this->fk_remise_except."'":"null").",";
$sql.= " ".($this->fk_product?"'".$this->db->escape($this->fk_product)."'":"null").",";
$sql.= " '".$this->db->escape($this->product_type)."',";
$sql.= " ".($this->fk_remise_except?"'".$this->db->escape($this->fk_remise_except)."'":"null").",";
$sql.= " ".price2num($this->qty).",";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").",";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").",";
$sql.= " ".price2num($this->tva_tx).",";
$sql.= " ".price2num($this->localtax1_tx).",";
$sql.= " ".price2num($this->localtax2_tx).",";
$sql.= " '".$this->localtax1_type."',";
$sql.= " '".$this->localtax2_type."',";
$sql.= " '".$this->db->escape($this->localtax1_type)."',";
$sql.= " '".$this->db->escape($this->localtax2_type)."',";
$sql.= " ".($this->subprice?price2num($this->subprice):"null").",";
$sql.= " ".price2num($this->remise_percent).",";
$sql.= " ".(isset($this->info_bits)?"'".$this->info_bits."'":"null").",";
$sql.= " ".(isset($this->info_bits)?"'".$this->db->escape($this->info_bits)."'":"null").",";
$sql.= " ".price2num($this->total_ht).",";
$sql.= " ".price2num($this->total_tva).",";
$sql.= " ".price2num($this->total_localtax1).",";
$sql.= " ".price2num($this->total_localtax2).",";
$sql.= " ".price2num($this->total_ttc).",";
$sql.= " ".(!empty($this->fk_fournprice)?"'".$this->fk_fournprice."'":"null").",";
$sql.= " ".(!empty($this->fk_fournprice)?"'".$this->db->escape($this->fk_fournprice)."'":"null").",";
$sql.= " ".(isset($this->pa_ht)?"'".price2num($this->pa_ht)."'":"null").",";
$sql.= ' '.$this->special_code.',';
$sql.= ' '.$this->rang.',';
@@ -3975,7 +3975,7 @@ class PropaleLigne extends CommonObjectLine
$sql.= ", total_localtax1=".price2num($this->total_localtax1)."";
$sql.= ", total_localtax2=".price2num($this->total_localtax2)."";
}
$sql.= ", fk_product_fournisseur_price=".(! empty($this->fk_fournprice)?"'".$this->fk_fournprice."'":"null");
$sql.= ", fk_product_fournisseur_price=".(! empty($this->fk_fournprice)?"'".$this->db->escape($this->fk_fournprice)."'":"null");
$sql.= ", buy_price_ht=".price2num($this->pa_ht);
if (strlen($this->special_code)) $sql.= ", special_code=".$this->special_code;
$sql.= ", fk_parent_line=".($this->fk_parent_line>0?$this->fk_parent_line:"null");

20
htdocs/commande/class/commande.class.php
View File

@@ -775,11 +775,11 @@ class Commande extends CommonOrder
$sql.= ", ".($this->ref_client?"'".$this->db->escape($this->ref_client)."'":"null");
$sql.= ", ".($this->ref_int?"'".$this->db->escape($this->ref_int)."'":"null");
$sql.= ", '".$this->db->escape($this->modelpdf)."'";
$sql.= ", ".($this->cond_reglement_id>0?"'".$this->cond_reglement_id."'":"null");
$sql.= ", ".($this->mode_reglement_id>0?"'".$this->mode_reglement_id."'":"null");
$sql.= ", ".($this->cond_reglement_id>0?$this->cond_reglement_id:"null");
$sql.= ", ".($this->mode_reglement_id>0?$this->mode_reglement_id:"null");
$sql.= ", ".($this->fk_account>0?$this->fk_account:'NULL');
$sql.= ", ".($this->availability_id>0?"'".$this->availability_id."'":"null");
$sql.= ", ".($this->demand_reason_id>0?"'".$this->demand_reason_id."'":"null");
$sql.= ", ".($this->availability_id>0?$this->availability_id:"null");
$sql.= ", ".($this->demand_reason_id>0?$this->demand_reason_id:"null");
$sql.= ", ".($this->date_livraison?"'".$this->db->idate($this->date_livraison)."'":"null");
$sql.= ", ".($this->fk_delivery_address>0?$this->fk_delivery_address:'NULL');
$sql.= ", ".($this->shipping_method_id>0?$this->shipping_method_id:'NULL');
@@ -3995,18 +3995,18 @@ class OrderLine extends CommonOrderLine
$sql.= ', fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc';
$sql.= ')';
$sql.= " VALUES (".$this->fk_commande.",";
$sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").",";
$sql.= " ".($this->fk_parent_line>0?"'".$this->db->escape($this->fk_parent_line)."'":"null").",";
$sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
$sql.= " '".$this->db->escape($this->desc)."',";
$sql.= " '".price2num($this->qty)."',";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").",";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").",";
$sql.= " '".price2num($this->tva_tx)."',";
$sql.= " '".price2num($this->localtax1_tx)."',";
$sql.= " '".price2num($this->localtax2_tx)."',";
$sql.= " '".$this->localtax1_type."',";
$sql.= " '".$this->localtax2_type."',";
$sql.= " '".$this->db->escape($this->localtax1_type)."',";
$sql.= " '".$this->db->escape($this->localtax2_type)."',";
$sql.= ' '.(! empty($this->fk_product)?$this->fk_product:"null").',';
$sql.= " '".$this->product_type."',";
$sql.= " '".$this->db->escape($this->product_type)."',";
$sql.= " '".price2num($this->remise_percent)."',";
$sql.= " ".($this->subprice!=''?"'".price2num($this->subprice)."'":"null").",";
$sql.= " ".($this->price!=''?"'".price2num($this->price)."'":"null").",";
@@ -4016,7 +4016,7 @@ class OrderLine extends CommonOrderLine
$sql.= ' '.$this->rang.',';
$sql.= ' '.(! empty($this->fk_fournprice)?$this->fk_fournprice:"null").',';
$sql.= ' '.price2num($this->pa_ht).',';
$sql.= " '".$this->info_bits."',";
$sql.= " '".$this->db->escape($this->info_bits)."',";
$sql.= " '".price2num($this->total_ht)."',";
$sql.= " '".price2num($this->total_tva)."',";
$sql.= " '".price2num($this->total_localtax1)."',";

28
htdocs/compta/bank/class/account.class.php
View File

@@ -573,21 +573,21 @@ class Account extends CommonObject
$sql.= ", '".$this->db->escape($this->account_number)."'";
$sql.= ", ".($this->fk_accountancy_journal > 0 ? $this->db->escape($this->fk_accountancy_journal) : "null");
$sql.= ", '".$this->db->escape($this->bank)."'";
$sql.= ", '".$this->code_banque."'";
$sql.= ", '".$this->code_guichet."'";
$sql.= ", '".$this->number."'";
$sql.= ", '".$this->cle_rib."'";
$sql.= ", '".$this->bic."'";
$sql.= ", '".$this->iban."'";
$sql.= ", '".$this->db->escape($this->code_banque)."'";
$sql.= ", '".$this->db->escape($this->code_guichet)."'";
$sql.= ", '".$this->db->escape($this->number)."'";
$sql.= ", '".$this->db->escape($this->cle_rib)."'";
$sql.= ", '".$this->db->escape($this->bic)."'";
$sql.= ", '".$this->db->escape($this->iban)."'";
$sql.= ", '".$this->db->escape($this->domiciliation)."'";
$sql.= ", '".$this->db->escape($this->proprio)."'";
$sql.= ", '".$this->db->escape($this->owner_address)."'";
$sql.= ", '".$this->currency_code."'";
$sql.= ", '".$this->db->escape($this->currency_code)."'";
$sql.= ", ".$this->rappro;
$sql.= ", ".price2num($this->min_allowed);
$sql.= ", ".price2num($this->min_desired);
$sql.= ", '".$this->db->escape($this->comment)."'";
$sql.= ", ".($this->state_id>0?"'".$this->state_id."'":"null");
$sql.= ", ".($this->state_id>0?$this->state_id:"null");
$sql.= ", ".$this->country_id;
$sql.= ")";
@@ -702,7 +702,7 @@ class Account extends CommonObject
$sql.= ",courant = ".$this->courant;
$sql.= ",clos = ".$this->clos;
$sql.= ",rappro = ".$this->rappro;
$sql.= ",url = ".($this->url?"'".$this->url."'":"null");
$sql.= ",url = ".($this->url?"'".$this->db->escape($this->url)."'":"null");
$sql.= ",account_number = '".$this->db->escape($this->account_number)."'";
$sql.= ",fk_accountancy_journal = ".($this->fk_accountancy_journal > 0 ? $this->db->escape($this->fk_accountancy_journal) : "null");
$sql.= ",bank = '".$this->db->escape($this->bank)."'";
@@ -722,7 +722,7 @@ class Account extends CommonObject
$sql.= ",min_desired = ".($this->min_desired != '' ? price2num($this->min_desired) : "null");
$sql.= ",comment = '".$this->db->escape($this->comment)."'";
$sql.= ",state_id = ".($this->state_id>0?"'".$this->state_id."'":"null");
$sql.= ",state_id = ".($this->state_id>0?$this->state_id:"null");
$sql.= ",fk_pays = ".$this->country_id;
$sql.= " WHERE rowid = ".$this->id;
@@ -807,7 +807,7 @@ class Account extends CommonObject
$sql.= ",domiciliation='".$this->db->escape($this->domiciliation)."'";
$sql.= ",proprio = '".$this->db->escape($this->proprio)."'";
$sql.= ",owner_address = '".$this->db->escape($this->owner_address)."'";
$sql.= ",state_id = ".($this->state_id>0?"'".$this->state_id."'":"null");
$sql.= ",state_id = ".($this->state_id>0?$this->state_id:"null");
$sql.= ",fk_pays = ".$this->country_id;
$sql.= " WHERE rowid = ".$this->id;
$sql.= " AND entity = ".$conf->entity;
@@ -1694,9 +1694,9 @@ class AccountLine extends CommonObject
$sql .= ", '".$this->db->idate($this->datev)."'";
$sql .= ", '".$this->db->escape($this->label)."'";
$sql .= ", ".price2num($this->amount);
$sql .= ", ".($this->fk_user_author > 0 ? "'".$this->fk_user_author."'":"null");
$sql .= ", ".($this->num_chq ? "'".$this->num_chq."'" : "null");
$sql .= ", '".$this->fk_account."'";
$sql .= ", ".($this->fk_user_author > 0 ? $this->fk_user_author :"null");
$sql .= ", ".($this->num_chq ? "'".$this->db->escape($this->num_chq)."'" : "null");
$sql .= ", '".$this->db->escape($this->fk_account)."'";
$sql .= ", '".$this->db->escape($this->fk_type)."'";
$sql .= ", ".($this->emetteur ? "'".$this->db->escape($this->emetteur)."'" : "null");
$sql .= ", ".($this->bank_chq ? "'".$this->db->escape($this->bank_chq)."'" : "null");

2
htdocs/compta/deplacement/class/deplacement.class.php
View File

@@ -107,7 +107,7 @@ class Deplacement extends CommonObject
$sql.= ", ".$conf->entity;
$sql.= ", ".$user->id;
$sql.= ", ".$this->fk_user;
$sql.= ", '".$this->type."'";
$sql.= ", '".$this->db->escape($this->type)."'";
$sql.= ", ".($this->note_private?"'".$this->db->escape($this->note_private)."'":"null");
$sql.= ", ".($this->note_public?"'".$this->db->escape($this->note_public)."'":"null");
$sql.= ", ".($this->fk_project > 0? $this->fk_project : 0);

10
htdocs/compta/facture/class/facture-rec.class.php
View File

@@ -141,7 +141,7 @@ class FactureRec extends CommonInvoice
$sql.= ", nb_gen_max";
$sql.= ", auto_validate";
$sql.= ") VALUES (";
$sql.= "'".$this->titre."'";
$sql.= "'".$this->db->escape($this->titre)."'";
$sql.= ", ".$facsrc->socid;
$sql.= ", ".$conf->entity;
$sql.= ", '".$this->db->idate($now)."'";
@@ -149,11 +149,11 @@ class FactureRec extends CommonInvoice
$sql.= ", ".(!empty($facsrc->remise)?$this->remise:'0');
$sql.= ", ".(!empty($this->note_private)?("'".$this->db->escape($this->note_private)."'"):"NULL");
$sql.= ", ".(!empty($this->note_public)?("'".$this->db->escape($this->note_public)."'"):"NULL");
$sql.= ", '".$user->id."'";
$sql.= ", '".$this->db->escape($user->id)."'";
$sql.= ", ".(! empty($facsrc->fk_project)?"'".$facsrc->fk_project."'":"null");
$sql.= ", ".(! empty($facsrc->fk_account)?"'".$facsrc->fk_account."'":"null");
$sql.= ", '".$facsrc->cond_reglement_id."'";
$sql.= ", '".$facsrc->mode_reglement_id."'";
$sql.= ", '".$this->db->escape($facsrc->cond_reglement_id)."'";
$sql.= ", '".$this->db->escape($facsrc->mode_reglement_id)."'";
$sql.= ", ".$this->usenewprice;
$sql.= ", ".$this->frequency;
$sql.= ", '".$this->db->escape($this->unit_frequency)."'";
@@ -1504,7 +1504,7 @@ class FactureLigneRec extends CommonInvoiceLine
$sql.= ", localtax1_type='".$this->db->escape($this->localtax1_type)."'";
$sql.= ", localtax2_tx=".price2num($this->localtax2_tx);
$sql.= ", localtax2_type='".$this->db->escape($this->localtax2_type)."'";
$sql.= ", fk_product=".(! empty($this->fk_product)?"'".$this->fk_product."'":"null");
$sql.= ", fk_product=".($this->fk_product > 0 ? $this->fk_product :"null");
$sql.= ", product_type=".$this->product_type;
$sql.= ", remise_percent='".price2num($this->remise_percent)."'";
$sql.= ", subprice='".price2num($this->subprice)."'";

10
htdocs/compta/facture/class/facture.class.php
View File

@@ -4446,16 +4446,16 @@ class FactureLigne extends CommonInvoiceLine
$sql.= ' fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc';
$sql.= ')';
$sql.= " VALUES (".$this->fk_facture.",";
$sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").",";
$sql.= " ".($this->fk_parent_line>0 ? $this->fk_parent_line:"null").",";
$sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
$sql.= " '".$this->db->escape($this->desc)."',";
$sql.= " ".price2num($this->qty).",";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").",";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").",";
$sql.= " ".price2num($this->tva_tx).",";
$sql.= " ".price2num($this->localtax1_tx).",";
$sql.= " ".price2num($this->localtax2_tx).",";
$sql.= " '".$this->localtax1_type."',";
$sql.= " '".$this->localtax2_type."',";
$sql.= " '".$this->db->escape($this->localtax1_type)."',";
$sql.= " '".$this->db->escape($this->localtax2_type)."',";
$sql.= ' '.(! empty($this->fk_product)?$this->fk_product:"null").',';
$sql.= " ".$this->product_type.",";
$sql.= " ".price2num($this->remise_percent).",";
@@ -4468,7 +4468,7 @@ class FactureLigne extends CommonInvoiceLine
$sql.= ' '.$this->special_code.',';
$sql.= ' '.(! empty($this->fk_fournprice)?$this->fk_fournprice:"null").',';
$sql.= ' '.price2num($this->pa_ht).',';
$sql.= " '".$this->info_bits."',";
$sql.= " '".$this->db->escape($this->info_bits)."',";
$sql.= " ".price2num($this->total_ht).",";
$sql.= " ".price2num($this->total_tva).",";
$sql.= " ".price2num($this->total_ttc).",";

22
htdocs/compta/facture/class/paymentterm.class.php
View File

@@ -85,13 +85,11 @@ class PaymentTerm // extends CommonObject
if (isset($this->decalage)) $this->decalage=trim($this->decalage);
// Check parameters
// Put here code to add control on parameters values
// Insert request
$sql = "INSERT INTO ".MAIN_DB_PREFIX."c_payment_term(";
$sql.= "rowid,";
$sql.= "code,";
$sql.= "sortorder,";
@@ -101,21 +99,16 @@ class PaymentTerm // extends CommonObject
$sql.= "type_cdr,";
$sql.= "nbjour,";
$sql.= "decalage";
$sql.= ") VALUES (";
$sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->rowid."'").",";
$sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->db->escape($this->rowid)."'").",";
$sql.= " ".(! isset($this->code)?'NULL':"'".$this->db->escape($this->code)."'").",";
$sql.= " ".(! isset($this->sortorder)?'NULL':"'".$this->sortorder."'").",";
$sql.= " ".(! isset($this->active)?'NULL':"'".$this->active."'").",";
$sql.= " ".(! isset($this->sortorder)?'NULL':"'".$this->db->escape($this->sortorder)."'").",";
$sql.= " ".(! isset($this->active)?'NULL':"'".$this->db->escape($this->active)."'").",";
$sql.= " ".(! isset($this->libelle)?'NULL':"'".$this->db->escape($this->libelle)."'").",";
$sql.= " ".(! isset($this->libelle_facture)?'NULL':"'".$this->db->escape($this->libelle_facture)."'").",";
$sql.= " ".(! isset($this->type_cdr)?'NULL':"'".$this->type_cdr."'").",";
$sql.= " ".(! isset($this->nbjour)?'NULL':"'".$this->nbjour."'").",";
$sql.= " ".(! isset($this->decalage)?'NULL':"'".$this->decalage."'")."";
$sql.= " ".(! isset($this->type_cdr)?'NULL':"'".$this->db->escape($this->type_cdr)."'").",";
$sql.= " ".(! isset($this->nbjour)?'NULL':"'".$this->db->escape($this->nbjour)."'").",";
$sql.= " ".(! isset($this->decalage)?'NULL':"'".$this->db->escape($this->decalage)."'")."";
$sql.= ")";
$this->db->begin();
@@ -285,7 +278,6 @@ class PaymentTerm // extends CommonObject
// Update request
$sql = "UPDATE ".MAIN_DB_PREFIX."c_payment_term SET";
$sql.= " code=".(isset($this->code)?"'".$this->db->escape($this->code)."'":"null").",";
$sql.= " sortorder=".(isset($this->sortorder)?$this->sortorder:"null").",";
$sql.= " active=".(isset($this->active)?$this->active:"null").",";
@@ -294,8 +286,6 @@ class PaymentTerm // extends CommonObject
$sql.= " type_cdr=".(isset($this->type_cdr)?$this->type_cdr:"null").",";
$sql.= " nbjour=".(isset($this->nbjour)?$this->nbjour:"null").",";
$sql.= " decalage=".(isset($this->decalage)?$this->decalage:"null")."";
$sql.= " WHERE rowid=".$this->id;
$this->db->begin();

12
htdocs/compta/localtax/class/localtax.class.php
View File

@@ -87,12 +87,12 @@ class Localtax extends CommonObject
$sql.= " '".$this->db->idate($this->tms)."',";
$sql.= " '".$this->db->idate($this->datep)."',";
$sql.= " '".$this->db->idate($this->datev)."',";
$sql.= " '".$this->amount."',";
$sql.= " '".$this->label."',";
$sql.= " '".$this->note."',";
$sql.= " ".($this->fk_bank <= 0 ? "NULL" : "'".$this->fk_bank."'").",";
$sql.= " '".$this->fk_user_creat."',";
$sql.= " '".$this->fk_user_modif."'";
$sql.= " '".$this->db->escape($this->amount)."',";
$sql.= " '".$this->db->escape($this->label)."',";
$sql.= " '".$this->db->escape($this->note)."',";
$sql.= " ".($this->fk_bank <= 0 ? "NULL" : "'".$this->db->escape($this->fk_bank)."'").",";
$sql.= " '".$this->db->escape($this->fk_user_creat)."',";
$sql.= " '".$this->db->escape($this->fk_user_modif)."'";
$sql.= ")";
dol_syslog(get_class($this)."::create", LOG_DEBUG);

10
htdocs/compta/salaries/class/paymentsalary.class.php
View File

@@ -108,7 +108,7 @@ class PaymentSalary extends CommonObject
$sql.= " datesp='".$this->db->idate($this->datesp)."',";
$sql.= " dateep='".$this->db->idate($this->dateep)."',";
$sql.= " note='".$this->db->escape($this->note)."',";
$sql.= " fk_bank=".($this->fk_bank > 0 ? "'".$this->fk_bank."'":"null").",";
$sql.= " fk_bank=".($this->fk_bank > 0 ? "'".$this->db->escape($this->fk_bank)."'":"null").",";
$sql.= " fk_user_author=".$this->fk_user_author.",";
$sql.= " fk_user_modif=".$this->fk_user_modif;
@@ -344,18 +344,18 @@ class PaymentSalary extends CommonObject
$sql.= ", entity";
$sql.= ") ";
$sql.= " VALUES (";
$sql.= "'".$this->fk_user."'";
$sql.= "'".$this->db->escape($this->fk_user)."'";
$sql.= ", '".$this->db->idate($this->datep)."'";
$sql.= ", '".$this->db->idate($this->datev)."'";
$sql.= ", ".$this->amount;
$sql.= ", ".($this->salary > 0 ? $this->salary : "null");
$sql.= ", '".$this->type_payment."'";
$sql.= ", '".$this->num_payment."'";
$sql.= ", '".$this->db->escape($this->type_payment)."'";
$sql.= ", '".$this->db->escape($this->num_payment)."'";
if ($this->note) $sql.= ", '".$this->db->escape($this->note)."'";
$sql.= ", '".$this->db->escape($this->label)."'";
$sql.= ", '".$this->db->idate($this->datesp)."'";
$sql.= ", '".$this->db->idate($this->dateep)."'";
$sql.= ", '".$user->id."'";
$sql.= ", '".$this->db->escape($user->id)."'";
$sql.= ", '".$this->db->idate($now)."'";
$sql.= ", NULL";
$sql.= ", ".$conf->entity;

4
htdocs/compta/sociales/class/chargesociales.class.php
View File

@@ -171,8 +171,8 @@ class ChargeSociales extends CommonObject
$sql = "INSERT INTO ".MAIN_DB_PREFIX."chargesociales (fk_type, fk_account, fk_mode_reglement, libelle, date_ech, periode, amount, fk_projet, entity, fk_user_author, date_creation)";
$sql.= " VALUES (".$this->type;
$sql.= ", ".($this->fk_account>0?$this->fk_account:'NULL');
$sql.= ", ".($this->mode_reglement_id>0?"'".$this->mode_reglement_id."'":"NULL");
$sql.= ", ".($this->fk_account>0 ? $this->fk_account:'NULL');
$sql.= ", ".($this->mode_reglement_id>0 ? $this->mode_reglement_id:"NULL");
$sql.= ", '".$this->db->escape($this->lib)."'";
$sql.= ", '".$this->db->idate($this->date_ech)."'";
$sql.= ", '".$this->db->idate($this->periode)."'";

18
htdocs/compta/tva/class/tva.class.php
View File

@@ -106,12 +106,12 @@ class Tva extends CommonObject
$sql.= " '".$this->db->idate($now)."',";
$sql.= " '".$this->db->idate($this->datep)."',";
$sql.= " '".$this->db->idate($this->datev)."',";
$sql.= " '".$this->amount."',";
$sql.= " '".$this->label."',";
$sql.= " '".$this->note."',";
$sql.= " ".($this->fk_bank <= 0 ? "NULL" : "'".$this->fk_bank."'").",";
$sql.= " '".$this->fk_user_creat."',";
$sql.= " '".$this->fk_user_modif."'";
$sql.= " '".$this->db->escape($this->amount)."',";
$sql.= " '".$this->db->escape($this->label)."',";
$sql.= " '".$this->db->escape($this->note)."',";
$sql.= " ".($this->fk_bank <= 0 ? "NULL" : "'".$this->db->escape($this->fk_bank)."'").",";
$sql.= " '".$this->db->escape($this->fk_user_creat)."',";
$sql.= " '".$this->db->escape($this->fk_user_modif)."'";
$sql.= ")";
@@ -535,11 +535,11 @@ class Tva extends CommonObject
$sql.= "'".$this->db->idate($this->datep)."'";
$sql.= ", '".$this->db->idate($this->datev)."'";
$sql.= ", ".$this->amount;
$sql.= ", '".$this->type_payment."'";
$sql.= ", '".$this->num_payment."'";
$sql.= ", '".$this->db->escape($this->type_payment)."'";
$sql.= ", '".$this->db->escape($this->num_payment)."'";
if ($this->note) $sql.=", '".$this->db->escape($this->note)."'";
if ($this->label) $sql.=", '".$this->db->escape($this->label)."'";
$sql.= ", '".$user->id."'";
$sql.= ", '".$this->db->escape($user->id)."'";
$sql.= ", NULL";
$sql.= ", ".$conf->entity;
$sql.= ")";

10
htdocs/contact/class/contact.class.php
View File

@@ -200,7 +200,7 @@ class Contact extends CommonObject
$sql.= " ".(! empty($this->canvas)?"'".$this->db->escape($this->canvas)."'":"null").",";
$sql.= " ".$conf->entity.",";
$sql.= "'".$this->db->escape($this->ref_ext)."',";
$sql.= " ".(! empty($this->import_key)?"'".$this->import_key."'":"null");
$sql.= " ".(! empty($this->import_key)?"'".$this->db->escape($this->import_key)."'":"null");
$sql.= ")";
dol_syslog(get_class($this)."::create", LOG_DEBUG);
@@ -319,9 +319,9 @@ class Contact extends CommonObject
$sql .= ", jabberid = ".(isset($this->jabberid)?"'".$this->db->escape($this->jabberid)."'":"null");
$sql .= ", priv = '".$this->db->escape($this->priv)."'";
$sql .= ", statut = ".$this->statut;
$sql .= ", fk_user_modif=".($user->id > 0 ? "'".$user->id."'":"NULL");
$sql .= ", default_lang=".($this->default_lang?"'".$this->default_lang."'":"NULL");
$sql .= ", no_email=".($this->no_email?"'".$this->no_email."'":"0");
$sql .= ", fk_user_modif=".($user->id > 0 ? "'".$this->db->escape($user->id)."'":"NULL");
$sql .= ", default_lang=".($this->default_lang?"'".$this->db->escape($this->default_lang)."'":"NULL");
$sql .= ", no_email=".($this->no_email?"'".$this->db->escape($this->no_email)."'":"0");
$sql .= " WHERE rowid=".$this->db->escape($id);
dol_syslog(get_class($this)."::update", LOG_DEBUG);
@@ -492,7 +492,7 @@ class Contact extends CommonObject
// Mis a jour contact
$sql = "UPDATE ".MAIN_DB_PREFIX."socpeople SET";
$sql.= " birthday=".($this->birthday ? "'".$this->db->idate($this->birthday)."'" : "null");
$sql.= ", photo = ".($this->photo? "'".$this->photo."'" : "null");
$sql.= ", photo = ".($this->photo? "'".$this->db->escape($this->photo)."'" : "null");
if ($user) $sql .= ", fk_user_modif=".$user->id;
$sql.= " WHERE rowid=".$this->db->escape($id);

20
htdocs/contrat/class/contrat.class.php
View File

@@ -928,7 +928,7 @@ class Contrat extends CommonObject
$sql.= ",".($this->commercial_signature_id>0?$this->commercial_signature_id:"NULL");
$sql.= ",".($this->commercial_suivi_id>0?$this->commercial_suivi_id:"NULL");
$sql.= ",".($this->fk_project>0?$this->fk_project:"NULL");
$sql.= ", ".(dol_strlen($this->ref)<=0 ? "null" : "'".$this->ref."'");
$sql.= ", ".(dol_strlen($this->ref)<=0 ? "null" : "'".$this->db->escape($this->ref)."'");
$sql.= ", ".$conf->entity;
$sql.= ", ".(!empty($this->note_private)?("'".$this->db->escape($this->note_private)."'"):"NULL");
$sql.= ", ".(!empty($this->note_public)?("'".$this->db->escape($this->note_public)."'"):"NULL");
@@ -2872,7 +2872,7 @@ class ContratLigne extends CommonObjectLine
// Update request
$sql = "UPDATE ".MAIN_DB_PREFIX."contratdet SET";
$sql.= " fk_contrat=".$this->fk_contrat.",";
$sql.= " fk_product=".($this->fk_product?"'".$this->fk_product."'":'null').",";
$sql.= " fk_product=".($this->fk_product?"'".$this->db->escape($this->fk_product)."'":'null').",";
$sql.= " statut=".$this->statut.",";
$sql.= " label='".$this->db->escape($this->label)."',";
$sql.= " description='".$this->db->escape($this->description)."',";
@@ -3009,16 +3009,16 @@ class ContratLigne extends CommonObjectLine
if ($this->date_fin_validite > 0) { $sql.= ",date_fin_validite"; }
$sql.= ") VALUES ($this->fk_contrat, '', '" . $this->db->escape($this->description) . "',";
$sql.= ($this->fk_product>0 ? $this->fk_product : "null").",";
$sql.= " '".$this->qty."',";
$sql.= " '".$this->vat_src_code."',";
$sql.= " '".$this->tva_tx."',";
$sql.= " '".$this->localtax1_tx."',";
$sql.= " '".$this->localtax2_tx."',";
$sql.= " '".$this->localtax1_type."',";
$sql.= " '".$this->localtax2_type."',";
$sql.= " '".$this->db->escape($this->qty)."',";
$sql.= " '".$this->db->escape($this->vat_src_code)."',";
$sql.= " '".$this->db->escape($this->tva_tx)."',";
$sql.= " '".$this->db->escape($this->localtax1_tx)."',";
$sql.= " '".$this->db->escape($this->localtax2_tx)."',";
$sql.= " '".$this->db->escape($this->localtax1_type)."',";
$sql.= " '".$this->db->escape($this->localtax2_type)."',";
$sql.= " ".price2num($this->remise_percent).",".price2num($this->subprice).",";
$sql.= " ".price2num($this->total_ht).",".price2num($this->total_tva).",".price2num($this->total_localtax1).",".price2num($this->total_localtax2).",".price2num($this->total_ttc).",";
$sql.= " '".$this->info_bits."',";
$sql.= " '".$this->db->escape($this->info_bits)."',";
$sql.= " ".price2num($this->price_ht).",".price2num($this->remise).",";
if ($this->fk_fournprice > 0) $sql.= ' '.$this->fk_fournprice.',';
else $sql.= ' null,';

4
htdocs/core/class/ccountry.class.php
View File

@@ -88,11 +88,11 @@ class Ccountry // extends CommonObject
$sql.= "label,";
$sql.= "active";
$sql.= ") VALUES (";
$sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->rowid."'").",";
$sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->db->escape($this->rowid)."'").",";
$sql.= " ".(! isset($this->code)?'NULL':"'".$this->db->escape($this->code)."'").",";
$sql.= " ".(! isset($this->code_iso)?'NULL':"'".$this->db->escape($this->code_iso)."'").",";
$sql.= " ".(! isset($this->label)?'NULL':"'".$this->db->escape($this->label)."'").",";
$sql.= " ".(! isset($this->active)?'NULL':"'".$this->active."'")."";
$sql.= " ".(! isset($this->active)?'NULL':"'".$this->db->escape($this->active)."'")."";
$sql.= ")";
$this->db->begin();

18
htdocs/core/class/commonobject.class.php
View File

@@ -580,8 +580,8 @@ abstract class CommonObject
$sql = "SELECT tc.rowid";
$sql.= " FROM ".MAIN_DB_PREFIX."c_type_contact as tc";
$sql.= " WHERE tc.element='".$this->db->escape($this->element)."'";
$sql.= " AND tc.source='".$source."'";
$sql.= " AND tc.code='".$type_contact."' AND tc.active=1";
$sql.= " AND tc.source='".$this->db->escape($source)."'";
$sql.= " AND tc.code='".$this->db->escape($type_contact)."' AND tc.active=1";
//print $sql;
$resql=$this->db->query($sql);
if ($resql)
@@ -2475,9 +2475,9 @@ abstract class CommonObject
$sql.= ", targettype";
$sql.= ") VALUES (";
$sql.= $origin_id;
$sql.= ", '".$origin."'";
$sql.= ", '".$this->db->escape($origin)."'";
$sql.= ", ".$this->id;
$sql.= ", '".$this->element."'";
$sql.= ", '".$this->db->escape($this->element)."'";
$sql.= ")";
dol_syslog(get_class($this)."::add_object_linked", LOG_DEBUG);
@@ -3812,11 +3812,11 @@ abstract class CommonObject
$sql.= ", mandatory";
$sql.= ") VALUES (";
$sql.= $resource_id;
$sql.= ", '".$resource_type."'";
$sql.= ", '".$this->id."'";
$sql.= ", '".$this->element."'";
$sql.= ", '".$busy."'";
$sql.= ", '".$mandatory."'";
$sql.= ", '".$this->db->escape($resource_type)."'";
$sql.= ", '".$this->db->escape($this->id)."'";
$sql.= ", '".$this->db->escape($this->element)."'";
$sql.= ", '".$this->db->escape($busy)."'";
$sql.= ", '".$this->db->escape($mandatory)."'";
$sql.= ")";
dol_syslog(get_class($this)."::add_element_resource", LOG_DEBUG);

4
htdocs/core/class/cstate.class.php
View File

@@ -85,10 +85,10 @@ class Cstate // extends CommonObject
$sql.= "nom,";
$sql.= "active";
$sql.= ") VALUES (";
$sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->rowid."'").",";
$sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->db->escape($this->rowid)."'").",";
$sql.= " ".(! isset($this->code_departement)?'NULL':"'".$this->db->escape($this->code_departement)."'").",";
$sql.= " ".(! isset($this->nom)?'NULL':"'".$this->db->escape($this->nom)."'").",";
$sql.= " ".(! isset($this->active)?'NULL':"'".$this->active."'")."";
$sql.= " ".(! isset($this->active)?'NULL':"'".$this->db->escape($this->active)."'")."";
$sql.= ")";
$this->db->begin();

4
htdocs/core/class/ctypent.class.php
View File

@@ -91,10 +91,10 @@ class Ctypent // extends CommonObject
$sql.= ") VALUES (";
$sql.= " ".(! isset($this->id)?'NULL':"'".$this->id."'").",";
$sql.= " ".(! isset($this->id)?'NULL':"'".$this->db->escape($this->id)."'").",";
$sql.= " ".(! isset($this->code)?'NULL':"'".$this->db->escape($this->code)."'").",";
$sql.= " ".(! isset($this->libelle)?'NULL':"'".$this->db->escape($this->libelle)."'").",";
$sql.= " ".(! isset($this->active)?'NULL':"'".$this->active."'").",";
$sql.= " ".(! isset($this->active)?'NULL':"'".$this->db->active($this->active)."'").",";
$sql.= " ".(! isset($this->module)?'NULL':"'".$this->db->escape($this->module)."'")."";

2
htdocs/core/class/discount.class.php
View File

@@ -158,7 +158,7 @@ class DiscountAbsolute
$sql.= ")";
$sql.= " VALUES (".$conf->entity.", '".$this->db->idate($this->datec!=''?$this->datec:dol_now())."', ".$this->fk_soc.", ".$user->id.", '".$this->db->escape($this->description)."',";
$sql.= " ".$this->amount_ht.", ".$this->amount_tva.", ".$this->amount_ttc.", ".$this->tva_tx.",";
$sql.= " ".($this->fk_facture_source?"'".$this->fk_facture_source."'":"null");
$sql.= " ".($this->fk_facture_source ? "'".$this->db->escape($this->fk_facture_source)."'":"null");
$sql.= ")";
dol_syslog(get_class($this)."::create", LOG_DEBUG);

8
htdocs/core/class/events.class.php
View File

@@ -126,12 +126,12 @@ class Events // extends CommonObject
$sql.= "fk_user,";
$sql.= "description";
$sql.= ") VALUES (";
$sql.= " '".$this->type."',";
$sql.= " '".$this->db->escape($this->type)."',";
$sql.= " ".$conf->entity.",";
$sql.= " '".$_SERVER['REMOTE_ADDR']."',";
$sql.= " ".($_SERVER['HTTP_USER_AGENT']?"'".dol_trunc($_SERVER['HTTP_USER_AGENT'],250)."'":'NULL').",";
$sql.= " '".$this->db->escape($_SERVER['REMOTE_ADDR'])."',";
$sql.= " ".($_SERVER['HTTP_USER_AGENT']?"'".$this->db->escape(dol_trunc($_SERVER['HTTP_USER_AGENT'],250))."'":'NULL').",";
$sql.= " '".$this->db->idate($this->dateevent)."',";
$sql.= " ".($user->id?"'".$user->id."'":'NULL').",";
$sql.= " ".($user->id?"'".$this->db->escape($user->id)."'":'NULL').",";
$sql.= " '".$this->db->escape(dol_trunc($this->description,250))."'";
$sql.= ")";

2
htdocs/core/class/link.class.php
View File

@@ -89,7 +89,7 @@ class Link extends CommonObject
$sql .= " VALUES ('".$conf->entity."', '".$this->db->idate($this->datea)."'";
$sql .= ", '" . $this->db->escape($this->url) . "'";
$sql .= ", '" . $this->db->escape($this->label) . "'";
$sql .= ", '" . $this->objecttype . "'";
$sql .= ", '" . $this->db->escape($this->objecttype) . "'";
$sql .= ", " . $this->objectid . ")";
dol_syslog(get_class($this)."::create", LOG_DEBUG);

24
htdocs/core/class/menubase.class.php
View File

@@ -144,15 +144,15 @@ class Menubase
$sql.= "enabled,";
$sql.= "usertype";
$sql.= ") VALUES (";
$sql.= " '".$this->menu_handler."',";
$sql.= " '".$conf->entity."',";
$sql.= " '".$this->module."',";
$sql.= " '".$this->type."',";
$sql.= " ".($this->mainmenu?"'".$this->mainmenu."'":"''").","; // Can't be null
$sql.= " ".($this->leftmenu?"'".$this->leftmenu."'":"null").",";
$sql.= " '".$this->fk_menu."',";
$sql.= " ".($this->fk_mainmenu?"'".$this->fk_mainmenu."'":"null").",";
$sql.= " ".($this->fk_leftmenu?"'".$this->fk_leftmenu."'":"null").",";
$sql.= " '".$this->db->escape($this->menu_handler)."',";
$sql.= " '".$this->db->escape($conf->entity)."',";
$sql.= " '".$this->db->escape($this->module)."',";
$sql.= " '".$this->db->escape($this->type)."',";
$sql.= " ".($this->mainmenu?"'".$this->db->escape($this->mainmenu)."'":"''").","; // Can't be null
$sql.= " ".($this->leftmenu?"'".$this->db->escape($this->leftmenu)."'":"null").",";
$sql.= " '".$this->db->escape($this->fk_menu)."',";
$sql.= " ".($this->fk_mainmenu?"'".$this->db->escape($this->fk_mainmenu)."'":"null").",";
$sql.= " ".($this->fk_leftmenu?"'".$this->db->escape($this->fk_leftmenu)."'":"null").",";
$sql.= " '".(int) $this->position."',";
$sql.= " '".$this->db->escape($this->url)."',";
$sql.= " '".$this->db->escape($this->target)."',";
@@ -160,7 +160,7 @@ class Menubase
$sql.= " '".$this->db->escape($this->langs)."',";
$sql.= " '".$this->db->escape($this->perms)."',";
$sql.= " '".$this->db->escape($this->enabled)."',";
$sql.= " '".$this->user."'";
$sql.= " '".$this->db->escape($this->user)."'";
$sql.= ")";
dol_syslog(get_class($this)."::create", LOG_DEBUG);
@@ -220,8 +220,8 @@ class Menubase
$sql.= " mainmenu='".$this->db->escape($this->mainmenu)."',";
$sql.= " leftmenu='".$this->db->escape($this->leftmenu)."',";
$sql.= " fk_menu='".$this->db->escape($this->fk_menu)."',";
$sql.= " fk_mainmenu=".($this->fk_mainmenu?"'".$this->fk_mainmenu."'":"null").",";
$sql.= " fk_leftmenu=".($this->fk_leftmenu?"'".$this->fk_leftmenu."'":"null").",";
$sql.= " fk_mainmenu=".($this->fk_mainmenu?"'".$this->db->escape($this->fk_mainmenu)."'":"null").",";
$sql.= " fk_leftmenu=".($this->fk_leftmenu?"'".$this->db->escape($this->fk_leftmenu)."'":"null").",";
$sql.= " position=".($this->position > 0 ? $this->position : 0).",";
$sql.= " url='".$this->db->escape($this->url)."',";
$sql.= " target='".$this->db->escape($this->target)."',";

6
htdocs/core/modules/DolibarrModules.class.php
View File

@@ -1426,7 +1426,7 @@ class DolibarrModules // Can not be abstract, because we need to insta
$err=0;
$sql = "DELETE FROM ".MAIN_DB_PREFIX."const";
$sql.= " WHERE ".$this->db->decrypt('name')." like '".$this->const_name."_TABS_%'";
$sql.= " WHERE ".$this->db->decrypt('name')." like '".$this->db->escape($this->const_name)."_TABS_%'";
$sql.= " AND entity = ".$conf->entity;
dol_syslog(get_class($this)."::delete_tabs", LOG_DEBUG);
@@ -2019,7 +2019,7 @@ class DolibarrModules // Can not be abstract, because we need to insta
$err=0;
$sql = "DELETE FROM ".MAIN_DB_PREFIX."const";
$sql.= " WHERE ".$this->db->decrypt('name')." LIKE '".$this->const_name."_DIR_%'";
$sql.= " WHERE ".$this->db->decrypt('name')." LIKE '".$this->db->escape($this->const_name)."_DIR_%'";
$sql.= " AND entity = ".$conf->entity;
dol_syslog(get_class($this)."::delete_dirs", LOG_DEBUG);
@@ -2128,7 +2128,7 @@ class DolibarrModules // Can not be abstract, because we need to insta
if (is_array($value) && isset($value['entity'])) $entity = $value['entity'];
$sql = "DELETE FROM ".MAIN_DB_PREFIX."const";
$sql.= " WHERE ".$this->db->decrypt('name')." LIKE '".$this->const_name."_".strtoupper($key)."'";
$sql.= " WHERE ".$this->db->decrypt('name')." LIKE '".$this->db->escape($this->const_name)."_".strtoupper($key)."'";
$sql.= " AND entity = ".$entity;
dol_syslog(get_class($this)."::delete_const_".$key."", LOG_DEBUG);

4
htdocs/core/modules/cheque/mod_chequereceipt_mint.php
View File

@@ -73,7 +73,7 @@ class mod_chequereceipt_mint extends ModeleNumRefChequeReceipts
$posindice=9;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."bordereau_cheque";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -107,7 +107,7 @@ class mod_chequereceipt_mint extends ModeleNumRefChequeReceipts
$posindice=9;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."bordereau_cheque";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref like '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);

4
htdocs/core/modules/commande/mod_commande_marbre.php
View File

@@ -73,7 +73,7 @@ class mod_commande_marbre extends ModeleNumRefCommandes
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."commande";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -107,7 +107,7 @@ class mod_commande_marbre extends ModeleNumRefCommandes
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."commande";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);

4
htdocs/core/modules/contract/mod_contract_serpis.php
View File

@@ -72,7 +72,7 @@ class mod_contract_serpis extends ModelNumRefContracts
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."contrat";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -105,7 +105,7 @@ class mod_contract_serpis extends ModelNumRefContracts
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."contrat";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);

4
htdocs/core/modules/expedition/mod_expedition_safor.php
View File

@@ -71,7 +71,7 @@ class mod_expedition_safor extends ModelNumRefExpedition
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."expedition";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -104,7 +104,7 @@ class mod_expedition_safor extends ModelNumRefExpedition
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."expedition";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);

4
htdocs/core/modules/expensereport/mod_expensereport_jade.php
View File

@@ -72,7 +72,7 @@ class mod_expensereport_jade extends ModeleNumRefExpenseReport
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."expensereport";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -105,7 +105,7 @@ class mod_expensereport_jade extends ModeleNumRefExpenseReport
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."expensereport";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);

4
htdocs/core/modules/facture/mod_facture_mars.php
View File

@@ -89,7 +89,7 @@ class mod_facture_mars extends ModeleNumRefFactures
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(facnumber FROM ".$posindice.") AS SIGNED) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."facture";
$sql.= " WHERE facnumber LIKE '".$this->prefixinvoice."____-%'";
$sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixinvoice)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -111,7 +111,7 @@ class mod_facture_mars extends ModeleNumRefFactures
$posindice=8;
$sql = "SELECT MAX(SUBSTRING(facnumber FROM ".$posindice.")) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."facture";
$sql.= " WHERE facnumber LIKE '".$this->prefixcreditnote."____-%'";
$sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixcreditnote)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);

6
htdocs/core/modules/facture/mod_facture_terre.php
View File

@@ -87,7 +87,7 @@ class mod_facture_terre extends ModeleNumRefFactures
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(facnumber FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."facture";
$sql.= " WHERE facnumber LIKE '".$this->prefixinvoice."____-%'";
$sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixinvoice)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -109,7 +109,7 @@ class mod_facture_terre extends ModeleNumRefFactures
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(facnumber FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."facture";
$sql.= " WHERE facnumber LIKE '".$this->prefixcreditnote."____-%'";
$sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixcreditnote)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -130,7 +130,7 @@ class mod_facture_terre extends ModeleNumRefFactures
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(facnumber FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."facture";
$sql.= " WHERE facnumber LIKE '".$this->prefixdeposit."____-%'";
$sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixdeposit)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);

4
htdocs/core/modules/fichinter/mod_pacific.php
View File

@@ -74,7 +74,7 @@ class mod_pacific extends ModeleNumRefFicheinter
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."fichinter";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " WHERE entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -110,7 +110,7 @@ class mod_pacific extends ModeleNumRefFicheinter
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."fichinter";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);

4
htdocs/core/modules/livraison/mod_livraison_jade.php
View File

@@ -80,7 +80,7 @@ class mod_livraison_jade extends ModeleNumRefDeliveryOrder
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."livraison";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -114,7 +114,7 @@ class mod_livraison_jade extends ModeleNumRefDeliveryOrder
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."livraison";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);

4
htdocs/core/modules/payment/mod_payment_cicada.php
View File

@@ -73,7 +73,7 @@ class mod_payment_cicada extends ModeleNumRefPayments
$posindice=9;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."paiement";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -107,7 +107,7 @@ class mod_payment_cicada extends ModeleNumRefPayments
$posindice=9;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."paiement";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);

4
htdocs/core/modules/project/mod_project_simple.php
View File

@@ -75,7 +75,7 @@ class mod_project_simple extends ModeleNumRefProjects
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."projet";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
if ($resql)
@@ -111,7 +111,7 @@ class mod_project_simple extends ModeleNumRefProjects
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."projet";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);

4
htdocs/core/modules/project/task/mod_task_simple.php
View File

@@ -76,7 +76,7 @@ class mod_task_simple extends ModeleNumRefTask
$sql = "SELECT MAX(CAST(SUBSTRING(task.ref FROM " . $posindice . ") AS SIGNED)) as max";
$sql .= " FROM " . MAIN_DB_PREFIX . "projet_task AS task, ";
$sql .= MAIN_DB_PREFIX . "projet AS project WHERE task.fk_projet=project.rowid";
$sql .= " AND task.ref LIKE '" . $this->prefix . "____-%'";
$sql .= " AND task.ref LIKE '" . $this->db->escape($this->prefix) . "____-%'";
$sql .= " AND project.entity = " . $conf->entity;
$resql=$db->query($sql);
if ($resql)
@@ -112,7 +112,7 @@ class mod_task_simple extends ModeleNumRefTask
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."projet_task";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$resql=$db->query($sql);
if ($resql)

4
htdocs/core/modules/propale/mod_propale_marbre.php
View File

@@ -75,7 +75,7 @@ class mod_propale_marbre extends ModeleNumRefPropales
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."propal";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -112,7 +112,7 @@ class mod_propale_marbre extends ModeleNumRefPropales
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."propal";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);

6
htdocs/core/modules/supplier_invoice/mod_facture_fournisseur_cactus.php
View File

@@ -82,7 +82,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."facture_fourn";
$sql.= " WHERE ref LIKE '".$this->prefixinvoice."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefixinvoice)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
if ($resql)
@@ -103,7 +103,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."facture_fourn";
$sql.= " WHERE ref LIKE '".$this->prefixcreditnote."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefixcreditnote)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -124,7 +124,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."facture_fourn";
$sql.= " WHERE ref LIKE '".$this->prefixdeposit."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefixdeposit)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);

4
htdocs/core/modules/supplier_order/mod_commande_fournisseur_muguet.php
View File

@@ -85,7 +85,7 @@ class mod_commande_fournisseur_muguet extends ModeleNumRefSuppliersOrders
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."commande_fournisseur";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
if ($resql)
@@ -120,7 +120,7 @@ class mod_commande_fournisseur_muguet extends ModeleNumRefSuppliersOrders
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."commande_fournisseur";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);

4
htdocs/core/modules/supplier_payment/mod_supplier_payment_bronan.php
View File

@@ -73,7 +73,7 @@ class mod_supplier_payment_bronan extends ModeleNumRefSupplierPayments
$posindice=9;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."paiementfourn";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -107,7 +107,7 @@ class mod_supplier_payment_bronan extends ModeleNumRefSupplierPayments
$posindice=10;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."paiementfourn";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);

4
htdocs/core/modules/supplier_proposal/mod_supplier_proposal_marbre.php
View File

@@ -75,7 +75,7 @@ class mod_supplier_proposal_marbre extends ModeleNumRefSupplierProposal
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."supplier_proposal";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -112,7 +112,7 @@ class mod_supplier_proposal_marbre extends ModeleNumRefSupplierProposal
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."supplier_proposal";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);

2
htdocs/cron/class/cronjob.class.php
View File

@@ -201,7 +201,7 @@ class Cronjob extends CommonObject
$sql.= " ".(! isset($this->lastresult)?'NULL':"'".$this->db->escape($this->lastresult)."'").",";
$sql.= " ".(! isset($this->datelastresult) || dol_strlen($this->datelastresult)==0?'NULL':"'".$this->db->idate($this->datelastresult)."'").",";
$sql.= " ".(! isset($this->lastoutput)?'NULL':"'".$this->db->escape($this->lastoutput)."'").",";
$sql.= " ".(! isset($this->unitfrequency)?'NULL':"'".$this->unitfrequency."'").",";
$sql.= " ".(! isset($this->unitfrequency)?'NULL':"'".$this->db->escape($this->unitfrequency)."'").",";
$sql.= " ".(! isset($this->frequency)?'0':$this->frequency).",";
$sql.= " ".(! isset($this->status)?'0':$this->status).",";
$sql.= " ".$user->id.",";

6
htdocs/ecm/class/ecmdirectory.class.php
View File

@@ -134,12 +134,12 @@ class EcmDirectory // extends CommonObject
$sql.= "fk_user_c";
$sql.= ") VALUES (";
$sql.= " '".$this->db->escape($this->label)."',";
$sql.= " '".$conf->entity."',";
$sql.= " '".$this->fk_parent."',";
$sql.= " '".$this->db->escape($conf->entity)."',";
$sql.= " '".$this->db->escape($this->fk_parent)."',";
$sql.= " '".$this->db->escape($this->description)."',";
$sql.= " ".$this->cachenbofdoc.",";
$sql.= " '".$this->db->idate($this->date_c)."',";
$sql.= " '".$this->fk_user_c."'";
$sql.= " '".$this->db->escape($this->fk_user_c)."'";
$sql.= ")";
dol_syslog(get_class($this)."::create", LOG_DEBUG);

2
htdocs/expedition/class/expedition.class.php
View File

@@ -1769,7 +1769,7 @@ class Expedition extends CommonObject
if ($id=='')
{
$sql = "INSERT INTO ".MAIN_DB_PREFIX."c_shipment_mode (code, libelle, description, tracking)";
$sql.=" VALUES ('".$this->update['code']."','".$this->update['libelle']."','".$this->update['description']."','".$this->update['tracking']."')";
$sql.=" VALUES ('".$this->db->escape($this->update['code'])."','".$this->db->escape($this->update['libelle'])."','".$this->db->escape($this->update['description'])."','".$this->db->escape($this->update['tracking'])."')";
$resql = $this->db->query($sql);
}
else

10
htdocs/fourn/class/fournisseur.commande.class.php
View File

@@ -3129,15 +3129,15 @@ class CommandeFournisseurLigne extends CommonOrderLine
$sql.= " ".($this->date_end?"'".$this->db->idate($this->date_end)."'":"null").",";
if ($this->fk_product) { $sql.= $this->fk_product.","; }
else { $sql.= "null,"; }
$sql.= "'".$this->product_type."',";
$sql.= "'".$this->qty."', ";
$sql.= "'".$this->db->escape($this->product_type)."',";
$sql.= "'".$this->db->escape($this->qty)."', ";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").",";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").",";
$sql.= " ".$this->tva_tx.", ";
$sql.= " ".$this->localtax1_tx.",";
$sql.= " ".$this->localtax2_tx.",";
$sql.= " '".$this->localtax1_type."',";
$sql.= " '".$this->localtax2_type."',";
$sql.= " '".$this->db->escape($this->localtax1_type)."',";
$sql.= " '".$this->db->escape($this->localtax2_type)."',";
$sql.= " ".$this->remise_percent.", ".price2num($this->subprice,'MU').", '".$this->db->escape($this->ref_supplier)."',";
$sql.= " ".price2num($this->total_ht).",";
$sql.= " ".price2num($this->total_tva).",";

22
htdocs/fourn/class/fournisseur.commande.dispatch.class.php
View File

@@ -105,14 +105,11 @@ class CommandeFournisseurDispatch extends CommonObject
if (isset($this->status)) $this->status=trim($this->status);
if (isset($this->batch)) $this->batch=trim($this->batch);
// Check parameters
// Put here code to add control on parameters values
// Insert request
$sql = "INSERT INTO ".MAIN_DB_PREFIX.$this->table_element."(";
$sql.= "fk_commande,";
$sql.= "fk_product,";
$sql.= "fk_commandefourndet,";
@@ -125,24 +122,19 @@ class CommandeFournisseurDispatch extends CommonObject
$sql.= "batch,";
$sql.= "eatby,";
$sql.= "sellby";
$sql.= ") VALUES (";
$sql.= " ".(! isset($this->fk_commande)?'NULL':"'".$this->fk_commande."'").",";
$sql.= " ".(! isset($this->fk_product)?'NULL':"'".$this->fk_product."'").",";
$sql.= " ".(! isset($this->fk_commandefourndet)?'NULL':"'".$this->fk_commandefourndet."'").",";
$sql.= " ".(! isset($this->qty)?'NULL':"'".$this->qty."'").",";
$sql.= " ".(! isset($this->fk_entrepot)?'NULL':"'".$this->fk_entrepot."'").",";
$sql.= " ".(! isset($this->fk_user)?'NULL':"'".$this->fk_user."'").",";
$sql.= " ".(! isset($this->fk_commande)?'NULL':"'".$this->db->escape($this->fk_commande)."'").",";
$sql.= " ".(! isset($this->fk_product)?'NULL':"'".$this->db->escape($this->fk_product)."'").",";
$sql.= " ".(! isset($this->fk_commandefourndet)?'NULL':"'".$this->db->escape($this->fk_commandefourndet)."'").",";
$sql.= " ".(! isset($this->qty)?'NULL':"'".$this->db->escape($this->qty)."'").",";
$sql.= " ".(! isset($this->fk_entrepot)?'NULL':"'".$this->db->escape($this->fk_entrepot)."'").",";
$sql.= " ".(! isset($this->fk_user)?'NULL':"'".$this->db->escape($this->fk_user)."'").",";
$sql.= " ".(! isset($this->datec) || dol_strlen($this->datec)==0?'NULL':"'".$this->db->idate($this->datec)."'").",";
$sql.= " ".(! isset($this->comment)?'NULL':"'".$this->db->escape($this->comment)."'").",";
$sql.= " ".(! isset($this->status)?'NULL':"'".$this->status."'").",";
$sql.= " ".(! isset($this->status)?'NULL':"'".$this->db->escape($this->status)."'").",";
$sql.= " ".(! isset($this->batch)?'NULL':"'".$this->db->escape($this->batch)."'").",";
$sql.= " ".(! isset($this->eatby) || dol_strlen($this->eatby)==0?'NULL':"'".$this->db->idate($this->eatby)."'").",";
$sql.= " ".(! isset($this->sellby) || dol_strlen($this->sellby)==0?'NULL':"'".$this->db->idate($this->sellby)."'")."";
$sql.= ")";
$this->db->begin();

10
htdocs/fourn/class/fournisseur.facture.class.php
View File

@@ -2701,17 +2701,17 @@ class SupplierInvoiceLine extends CommonObjectLine
$sql.= ', fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc';
$sql.= ')';
$sql.= " VALUES (".$this->fk_facture_fourn.",";
$sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").",";
$sql.= " ".($this->fk_parent_line>0?"'".$this->db->escape($this->fk_parent_line)."'":"null").",";
$sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
$sql.= " '".$this->db->escape($this->desc)."',";
$sql.= " ".price2num($this->qty).",";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").",";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").",";
$sql.= " ".price2num($this->tva_tx).",";
$sql.= " ".price2num($this->localtax1_tx).",";
$sql.= " ".price2num($this->localtax2_tx).",";
$sql.= " '".$this->localtax1_type."',";
$sql.= " '".$this->localtax2_type."',";
$sql.= " '".$this->db->escape($this->localtax1_type)."',";
$sql.= " '".$this->db->escape($this->localtax2_type)."',";
$sql.= ' '.(! empty($this->fk_product)?$this->fk_product:"null").',';
$sql.= " ".$this->product_type.",";
$sql.= " ".price2num($this->remise_percent).",";
@@ -2722,7 +2722,7 @@ class SupplierInvoiceLine extends CommonObjectLine
$sql.= ' '.(!empty($this->fk_code_ventilation)?$this->fk_code_ventilation:0).',';
$sql.= ' '.$this->rang.',';
$sql.= ' '.$this->special_code.',';
$sql.= " '".$this->info_bits."',";
$sql.= " '".$this->db->escape($this->info_bits)."',";
$sql.= " ".price2num($this->total_ht).",";
$sql.= " ".price2num($this->total_tva).",";
$sql.= " ".price2num($this->total_ttc).",";

4
htdocs/holiday/class/holiday.class.php
View File

@@ -143,14 +143,14 @@ class Holiday extends CommonObject
$sql.= "fk_user_create,";
$sql.= "entity";
$sql.= ") VALUES (";
$sql.= "'".$this->fk_user."',";
$sql.= "'".$this->db->escape($this->fk_user)."',";
$sql.= " '".$this->db->idate($now)."',";
$sql.= " '".$this->db->escape($this->description)."',";
$sql.= " '".$this->db->idate($this->date_debut)."',";
$sql.= " '".$this->db->idate($this->date_fin)."',";
$sql.= " ".$this->halfday.",";
$sql.= " '1',";
$sql.= " '".$this->fk_validator."',";
$sql.= " '".$this->db->escape($this->fk_validator)."',";
$sql.= " ".$this->fk_type.",";
$sql.= " ".$user->id.",";
$sql.= " ".$conf->entity;

2
htdocs/imports/class/import.class.php
View File

@@ -242,7 +242,7 @@ class Import
$sql = 'INSERT INTO '.MAIN_DB_PREFIX.'import_model (';
$sql.= 'fk_user, label, type, field';
$sql.= ')';
$sql.= " VALUES (".($user->id > 0 ? $user->id : 0).", '".$this->db->escape($this->model_name)."', '".$this->datatoimport."', '".$this->hexa."')";
$sql.= " VALUES (".($user->id > 0 ? $user->id : 0).", '".$this->db->escape($this->model_name)."', '".$this->db->escape($this->datatoimport)."', '".$this->db->escape($this->hexa)."')";
dol_syslog(get_class($this)."::create", LOG_DEBUG);
$resql=$this->db->query($sql);

42
htdocs/product/class/product.class.php
View File

@@ -536,12 +536,12 @@ class Product extends CommonObject
$sql.= ", ".$this->type;
$sql.= ", ".price2num($price_ht);
$sql.= ", ".price2num($price_ttc);
$sql.= ", '".$this->price_base_type."'";
$sql.= ", '".$this->db->escape($this->price_base_type)."'";
$sql.= ", ".$this->status;
$sql.= ", ".$this->status_buy;
$sql.= ", '".$this->accountancy_code_buy."'";
$sql.= ", '".$this->accountancy_code_sell."'";
$sql.= ", '".$this->canvas."'";
$sql.= ", '".$this->db->escape($this->accountancy_code_buy)."'";
$sql.= ", '".$this->db->escape($this->accountancy_code_sell)."'";
$sql.= ", '".$this->db->escape($this->canvas)."'";
$sql.= ", ".((! isset($this->finished) || $this->finished < 0 || $this->finished == '') ? 'null' : (int) $this->finished);
$sql.= ", ".((empty($this->status_batch) || $this->status_batch < 0)? '0':$this->status_batch);
$sql.= ", ".(!$this->fk_unit ? 'NULL' : $this->fk_unit);
@@ -853,8 +853,8 @@ class Product extends CommonObject
$sql.= ", recuperableonly = " . $this->tva_npr;
$sql.= ", localtax1_tx = " . $this->localtax1_tx;
$sql.= ", localtax2_tx = " . $this->localtax2_tx;
$sql.= ", localtax1_type = " . ($this->localtax1_type!=''?"'".$this->localtax1_type."'":"'0'");
$sql.= ", localtax2_type = " . ($this->localtax2_type!=''?"'".$this->localtax2_type."'":"'0'");
$sql.= ", localtax1_type = " . ($this->localtax1_type!=''?"'".$this->db->escape($this->localtax1_type)."'":"'0'");
$sql.= ", localtax2_type = " . ($this->localtax2_type!=''?"'".$this->db->escape($this->localtax2_type)."'":"'0'");
$sql.= ", barcode = ". (empty($this->barcode)?"null":"'".$this->db->escape($this->barcode)."'");
$sql.= ", fk_barcode_type = ". (empty($this->barcode_type)?"null":$this->db->escape($this->barcode_type));
@@ -863,19 +863,19 @@ class Product extends CommonObject
$sql.= ", tobuy = " . $this->status_buy;
$sql.= ", tobatch = " . ((empty($this->status_batch) || $this->status_batch < 0) ? '0' : $this->status_batch);
$sql.= ", finished = " . ((! isset($this->finished) || $this->finished < 0) ? "null" : (int) $this->finished);
$sql.= ", weight = " . ($this->weight!='' ? "'".$this->weight."'" : 'null');
$sql.= ", weight_units = " . ($this->weight_units!='' ? "'".$this->weight_units."'": 'null');
$sql.= ", length = " . ($this->length!='' ? "'".$this->length."'" : 'null');
$sql.= ", length_units = " . ($this->length_units!='' ? "'".$this->length_units."'" : 'null');
$sql.= ", width= " . ($this->width!='' ? "'".$this->width."'" : 'null');
$sql.= ", width_units = " . ($this->width_units!='' ? "'".$this->width_units."'" : 'null');
$sql.= ", height = " . ($this->height!='' ? "'".$this->height."'" : 'null');
$sql.= ", height_units = " . ($this->height_units!='' ? "'".$this->height_units."'" : 'null');
$sql.= ", surface = " . ($this->surface!='' ? "'".$this->surface."'" : 'null');
$sql.= ", surface_units = " . ($this->surface_units!='' ? "'".$this->surface_units."'" : 'null');
$sql.= ", volume = " . ($this->volume!='' ? "'".$this->volume."'" : 'null');
$sql.= ", volume_units = " . ($this->volume_units!='' ? "'".$this->volume_units."'" : 'null');
$sql.= ", seuil_stock_alerte = " . ((isset($this->seuil_stock_alerte) && $this->seuil_stock_alerte != '') ? "'".$this->seuil_stock_alerte."'" : "null");
$sql.= ", weight = " . ($this->weight!='' ? "'".$this->db->escape($this->weight)."'" : 'null');
$sql.= ", weight_units = " . ($this->weight_units!='' ? "'".$this->db->escape($this->weight_units)."'": 'null');
$sql.= ", length = " . ($this->length!='' ? "'".$this->db->escape($this->length)."'" : 'null');
$sql.= ", length_units = " . ($this->length_units!='' ? "'".$this->db->escape($this->length_units)."'" : 'null');
$sql.= ", width= " . ($this->width!='' ? "'".$this->db->escape($this->width)."'" : 'null');
$sql.= ", width_units = " . ($this->width_units!='' ? "'".$this->db->escape($this->width_units)."'" : 'null');
$sql.= ", height = " . ($this->height!='' ? "'".$this->db->escape($this->height)."'" : 'null');
$sql.= ", height_units = " . ($this->height_units!='' ? "'".$this->db->escape($this->height_units)."'" : 'null');
$sql.= ", surface = " . ($this->surface!='' ? "'".$this->db->escape($this->surface)."'" : 'null');
$sql.= ", surface_units = " . ($this->surface_units!='' ? "'".$this->db->escape($this->surface_units)."'" : 'null');
$sql.= ", volume = " . ($this->volume!='' ? "'".$this->db->escape($this->volume)."'" : 'null');
$sql.= ", volume_units = " . ($this->volume_units!='' ? "'".$this->db->escape($this->volume_units)."'" : 'null');
$sql.= ", seuil_stock_alerte = " . ((isset($this->seuil_stock_alerte) && $this->seuil_stock_alerte != '') ? "'".$this->db->escape($this->seuil_stock_alerte)."'" : "null");
$sql.= ", description = '" . $this->db->escape($this->description) ."'";
$sql.= ", url = " . ($this->url?"'".$this->db->escape($this->url)."'":'null');
$sql.= ", customcode = '" . $this->db->escape($this->customcode) ."'";
@@ -1439,8 +1439,8 @@ class Product extends CommonObject
// Add new price
$sql = "INSERT INTO ".MAIN_DB_PREFIX."product_price(price_level,date_price, fk_product, fk_user_author, price, price_ttc, price_base_type,tosell, tva_tx, default_vat_code, recuperableonly,";
$sql.= " localtax1_tx, localtax2_tx, localtax1_type, localtax2_type, price_min,price_min_ttc,price_by_qty,entity,fk_price_expression) ";
$sql.= " VALUES(".($level?$level:1).", '".$this->db->idate($now)."',".$this->id.",".$user->id.",".$this->price.",".$this->price_ttc.",'".$this->price_base_type."',".$this->status.",".$this->tva_tx.", ".($this->default_vat_code?("'".$this->default_vat_code."'"):"null").",".$this->tva_npr.",";
$sql.= " ".$this->localtax1_tx.", ".$this->localtax2_tx.", '".$this->localtax1_type."', '".$this->localtax2_type."', ".$this->price_min.",".$this->price_min_ttc.",".$this->price_by_qty.",".$conf->entity.",".($this->fk_price_expression > 0?$this->fk_price_expression:'null');
$sql.= " VALUES(".($level?$level:1).", '".$this->db->idate($now)."',".$this->id.",".$user->id.",".$this->price.",".$this->price_ttc.",'".$this->db->escape($this->price_base_type)."',".$this->status.",".$this->tva_tx.", ".($this->default_vat_code?("'".$this->db->escape($this->default_vat_code)."'"):"null").",".$this->tva_npr.",";
$sql.= " ".$this->localtax1_tx.", ".$this->localtax2_tx.", '".$this->db->escape($this->localtax1_type)."', '".$this->db->escape($this->localtax2_type)."', ".$this->price_min.",".$this->price_min_ttc.",".$this->price_by_qty.",".$conf->entity.",".($this->fk_price_expression > 0?$this->fk_price_expression:'null');
$sql.= ")";
dol_syslog(get_class($this)."::_log_price", LOG_DEBUG);

22
htdocs/product/class/productcustomerprice.class.php
View File

@@ -161,19 +161,19 @@ class Productcustomerprice extends CommonObject
$sql .= ") VALUES (";
$sql .= " " . $conf->entity . ",";
$sql .= " '" . $this->db->idate(dol_now()) . "',";
$sql .= " " . (! isset($this->fk_product) ? 'NULL' : "'" . $this->fk_product . "'") . ",";
$sql .= " " . (! isset($this->fk_soc) ? 'NULL' : "'" . $this->fk_soc . "'") . ",";
$sql .= " " . (empty($this->price) ? '0' : "'" . $this->price . "'") . ",";
$sql .= " " . (empty($this->price_ttc) ? '0' : "'" . $this->price_ttc . "'") . ",";
$sql .= " " . (empty($this->price_min) ? '0' : "'" . $this->price_min . "'") . ",";
$sql .= " " . (empty($this->price_min_ttc) ? '0' : "'" . $this->price_min_ttc . "'") . ",";
$sql .= " " . (! isset($this->fk_product) ? 'NULL' : "'" . $this->db->escape($this->fk_product) . "'") . ",";
$sql .= " " . (! isset($this->fk_soc) ? 'NULL' : "'" . $this->db->escape($this->fk_soc) . "'") . ",";
$sql .= " " . (empty($this->price) ? '0' : "'" . $this->db->escape($this->price) . "'") . ",";
$sql .= " " . (empty($this->price_ttc) ? '0' : "'" . $this->db->escape($this->price_ttc) . "'") . ",";
$sql .= " " . (empty($this->price_min) ? '0' : "'" . $this->db->escape($this->price_min) . "'") . ",";
$sql .= " " . (empty($this->price_min_ttc) ? '0' : "'" . $this->db->escape($this->price_min_ttc) . "'") . ",";
$sql .= " " . (! isset($this->price_base_type) ? 'NULL' : "'" . $this->db->escape($this->price_base_type) . "'") . ",";
$sql .= " ".($this->default_vat_code ? "'".$this->db->escape($this->default_vat_code)."'" : "null").",";
$sql .= " " . (! isset($this->tva_tx) ? 'NULL' : (empty($this->tva_tx)?0:$this->tva_tx)) . ",";
$sql .= " " . (! isset($this->recuperableonly) ? 'NULL' : "'" . $this->recuperableonly . "'") . ",";
$sql .= " " . (empty($this->localtax1_type) ? "'0'" : "'" . $this->localtax1_type . "'") . ",";
$sql .= " " . (! isset($this->recuperableonly) ? 'NULL' : "'" . $this->db->escape($this->recuperableonly) . "'") . ",";
$sql .= " " . (empty($this->localtax1_type) ? "'0'" : "'" . $this->db->escape($this->localtax1_type) . "'") . ",";
$sql .= " " . (! isset($this->localtax1_tx) ? 'NULL' : (empty($this->localtax1_tx)?0:$this->localtax1_tx)) . ",";
$sql .= " " . (empty($this->localtax2_type) ? "'0'" : "'" . $this->localtax2_type . "'") . ",";
$sql .= " " . (empty($this->localtax2_type) ? "'0'" : "'" . $this->db->escape($this->localtax2_type) . "'") . ",";
$sql .= " " . (! isset($this->localtax2_tx) ? 'NULL' : (empty($this->localtax2_tx)?0:$this->localtax2_tx)) . ",";
$sql .= " " . $user->id . ",";
$sql .= " " . (! isset($this->import_key) ? 'NULL' : "'" . $this->db->escape($this->import_key) . "'") . "";
@@ -660,8 +660,8 @@ class Productcustomerprice extends CommonObject
$sql .= " recuperableonly=" . (isset($this->recuperableonly) ? $this->recuperableonly : "null") . ",";
$sql .= " localtax1_tx=" . (isset($this->localtax1_tx) ? (empty($this->localtax1_tx)?0:$this->localtax1_tx) : "null") . ",";
$sql .= " localtax2_tx=" . (isset($this->localtax2_tx) ? (empty($this->localtax2_tx)?0:$this->localtax2_tx) : "null") . ",";
$sql .= " localtax1_type=" . (! empty($this->localtax1_type) ? "'".$this->localtax1_type."'": "'0'") . ",";
$sql .= " localtax2_type=" . (! empty($this->localtax2_type) ? "'".$this->localtax2_type."'": "'0'") . ",";
$sql .= " localtax1_type=" . (! empty($this->localtax1_type) ? "'".$this->db->escape($this->localtax1_type)."'": "'0'") . ",";
$sql .= " localtax2_type=" . (! empty($this->localtax2_type) ? "'".$this->db->escape($this->localtax2_type)."'": "'0'") . ",";
$sql .= " fk_user=" . $user->id . ",";
$sql .= " import_key=" . (isset($this->import_key) ? "'" . $this->db->escape($this->import_key) . "'" : "null") . "";

2
htdocs/product/class/propalmergepdfproduct.class.php
View File

@@ -100,7 +100,7 @@ class Propalmergepdfproduct extends CommonObject
$sql.= ") VALUES (";
$sql.= " ".(! isset($this->fk_product)?'NULL':"'".$this->fk_product."'").",";
$sql.= " ".(! isset($this->fk_product)?'NULL':"'".$this->db->escape($this->fk_product)."'").",";
$sql.= " ".(! isset($this->file_name)?'NULL':"'".$this->db->escape($this->file_name)."'").",";
if ($conf->global->MAIN_MULTILANGS) {
$sql.= " ".(! isset($this->lang)?'NULL':"'".$this->db->escape($this->lang)."'").",";

10
htdocs/projet/class/task.class.php
View File

@@ -301,7 +301,7 @@ class Task extends CommonObject
// Update request
$sql = "UPDATE ".MAIN_DB_PREFIX."projet_task SET";
$sql.= " fk_projet=".(isset($this->fk_project)?$this->fk_project:"null").",";
$sql.= " ref=".(isset($this->ref)?"'".$this->db->escape($this->ref)."'":"'".$this->id."'").",";
$sql.= " ref=".(isset($this->ref)?"'".$this->db->escape($this->ref)."'":"'".$this->db->escape($this->id)."'").",";
$sql.= " fk_task_parent=".(isset($this->fk_task_parent)?$this->fk_task_parent:"null").",";
$sql.= " label=".(isset($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
$sql.= " description=".(isset($this->description)?"'".$this->db->escape($this->description)."'":"null").",";
@@ -1251,7 +1251,7 @@ class Task extends CommonObject
$newDuration = $this->timespent_duration - $this->timespent_old_duration;
$sql = "UPDATE ".MAIN_DB_PREFIX."projet_task";
$sql.= " SET duration_effective = (SELECT SUM(task_duration) FROM ".MAIN_DB_PREFIX."projet_task_time as ptt where ptt.fk_task = ".$this->id.")";
$sql.= " SET duration_effective = (SELECT SUM(task_duration) FROM ".MAIN_DB_PREFIX."projet_task_time as ptt where ptt.fk_task = ".$this->db->escape($this->id).")";
$sql.= " WHERE rowid = ".$this->id;
dol_syslog(get_class($this)."::updateTimeSpent", LOG_DEBUG);
@@ -1303,7 +1303,7 @@ class Task extends CommonObject
if (! $error)
{
$sql = "UPDATE ".MAIN_DB_PREFIX."projet_task";
$sql.= " SET duration_effective = duration_effective - '".$this->timespent_duration."'";
$sql.= " SET duration_effective = duration_effective - ".$this->db->escape($this->timespent_duration?$this->timespent_duration:0);
$sql.= " WHERE rowid = ".$this->id;
dol_syslog(get_class($this)."::delTimeSpent", LOG_DEBUG);
@@ -1899,7 +1899,7 @@ class TaskComment extends CommonObject
$sql.= ", '".(isset($this->fk_task)?$this->fk_task:"null")."'";
$sql.= ", '".(isset($this->fk_user)?$this->fk_user:"null")."'";
$sql.= ", ".(!empty($this->entity)?$this->entity:'1');
$sql.= ", ".(!empty($this->import_key)?"'".$this->import_key."'":"null");
$sql.= ", ".(!empty($this->import_key)?"'".$this->db->escape($this->import_key)."'":"null");
$sql.= ")";
//var_dump($this->db);
@@ -2024,7 +2024,7 @@ class TaskComment extends CommonObject
$sql.= " fk_task=".(isset($this->fk_task)?$this->fk_task:"null").",";
$sql.= " fk_user=".(isset($this->fk_user)?$this->fk_user:"null").",";
$sql.= " entity=".(!empty($this->entity)?$this->entity:'1').",";
$sql.= " import_key=".(!empty($this->import_key)?"'".$this->import_key."'":"null");
$sql.= " import_key=".(!empty($this->import_key)?"'".$this->db->escape($this->import_key)."'":"null");
$sql.= " WHERE rowid=".$this->id;
$this->db->begin();

2
htdocs/resource/class/dolresource.class.php
View File

@@ -843,7 +843,7 @@ class Dolresource extends CommonObject
// Update request
$sql = "UPDATE ".MAIN_DB_PREFIX."element_resources SET";
$sql.= " resource_id=".(isset($this->resource_id)?"'".$this->db->escape($this->resource_id)."'":"null").",";
$sql.= " resource_type=".(isset($this->resource_type)?"'".$this->resource_type."'":"null").",";
$sql.= " resource_type=".(isset($this->resource_type)?"'".$this->db->escape($this->resource_type)."'":"null").",";
$sql.= " element_id=".(isset($this->element_id)?$this->element_id:"null").",";
$sql.= " element_type=".(isset($this->element_type)?"'".$this->db->escape($this->element_type)."'":"null").",";
$sql.= " busy=".(isset($this->busy)?$this->busy:"null").",";

18
htdocs/societe/class/societe.class.php
View File

@@ -859,13 +859,13 @@ class Societe extends CommonObject
$sql .= ",idprof5 = '". $this->db->escape($this->idprof5) ."'";
$sql .= ",idprof6 = '". $this->db->escape($this->idprof6) ."'";
$sql .= ",tva_assuj = ".($this->tva_assuj!=''?"'".$this->tva_assuj."'":"null");
$sql .= ",tva_assuj = ".($this->tva_assuj!=''?"'".$this->db->escape($this->tva_assuj)."'":"null");
$sql .= ",tva_intra = '" . $this->db->escape($this->tva_intra) ."'";
$sql .= ",status = " .$this->status;
// Local taxes
$sql .= ",localtax1_assuj = ".($this->localtax1_assuj!=''?"'".$this->localtax1_assuj."'":"null");
$sql .= ",localtax2_assuj = ".($this->localtax2_assuj!=''?"'".$this->localtax2_assuj."'":"null");
$sql .= ",localtax1_assuj = ".($this->localtax1_assuj!=''?"'".$this->db->escape($this->localtax1_assuj)."'":"null");
$sql .= ",localtax2_assuj = ".($this->localtax2_assuj!=''?"'".$this->db->escape($this->localtax2_assuj)."'":"null");
if($this->localtax1_assuj==1)
{
if($this->localtax1_value!='')
@@ -1565,7 +1565,7 @@ class Societe extends CommonObject
// Positionne remise courante
$sql = "UPDATE ".MAIN_DB_PREFIX."societe ";
$sql.= " SET remise_client = '".$this->db->escape($remise)."'";
$sql.= " WHERE rowid = " . $this->id .";";
$sql.= " WHERE rowid = " . $this->id;
$resql=$this->db->query($sql);
if (! $resql)
{
@@ -1698,7 +1698,7 @@ class Societe extends CommonObject
else
$sql.= " WHERE entity in (0, ".$conf->entity.")";
$sql.= " AND u.rowid = sc.fk_user AND sc.fk_soc =".$this->id;
$sql.= " AND u.rowid = sc.fk_user AND sc.fk_soc = ".$this->id;
$resql = $this->db->query($sql);
if ($resql)
@@ -1751,7 +1751,7 @@ class Societe extends CommonObject
$sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_prices";
$sql .= " (datec, fk_soc, price_level, fk_user_author)";
$sql .= " VALUES ('".$this->db->idate($now)."',".$this->id.",'".$this->db->escape($price_level)."',".$user->id.")";
$sql .= " VALUES ('".$this->db->idate($now)."', ".$this->id.", '".$this->db->escape($price_level)."', ".$user->id.")";
if (! $this->db->query($sql))
{
@@ -2947,17 +2947,17 @@ class Societe extends CommonObject
}
/**
* Charge la liste des categories fournisseurs
* Insert link supplier - category
*
* @param int $categorie_id Id of category
* @return int 0 if success, <> 0 if error
*/
function AddFournisseurInCategory($categorie_id)
{
if ($categorie_id > 0)
if ($categorie_id > 0 && $this->id > 0)
{
$sql = "INSERT INTO ".MAIN_DB_PREFIX."categorie_fournisseur (fk_categorie, fk_soc) ";
$sql.= " VALUES ('".$categorie_id."','".$this->id."');";
$sql.= " VALUES (".$categorie_id.", ".$this->id.")";
if ($resql=$this->db->query($sql)) return 0;
}

18
htdocs/supplier_proposal/class/supplier_proposal.class.php
View File

@@ -2829,27 +2829,27 @@ class SupplierProposalLine extends CommonObjectLine
$sql.= ' ref_fourn,';
$sql.= ' fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc, fk_unit)';
$sql.= " VALUES (".$this->fk_supplier_proposal.",";
$sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").",";
$sql.= " ".($this->fk_parent_line>0?"'".$this->db->escape($this->fk_parent_line)."'":"null").",";
$sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
$sql.= " '".$this->db->escape($this->desc)."',";
$sql.= " ".($this->fk_product?"'".$this->fk_product."'":"null").",";
$sql.= " '".$this->product_type."',";
$sql.= " ".($this->fk_remise_except?"'".$this->fk_remise_except."'":"null").",";
$sql.= " ".($this->fk_product?"'".$this->db->escape($this->fk_product)."'":"null").",";
$sql.= " '".$this->db->escape($this->product_type)."',";
$sql.= " ".($this->fk_remise_except?"'".$this->db->escape($this->fk_remise_except)."'":"null").",";
$sql.= " ".price2num($this->qty).",";
$sql.= " ".price2num($this->tva_tx).",";
$sql.= " ".price2num($this->localtax1_tx).",";
$sql.= " ".price2num($this->localtax2_tx).",";
$sql.= " '".$this->localtax1_type."',";
$sql.= " '".$this->localtax2_type."',";
$sql.= " '".$this->db->escape($this->localtax1_type)."',";
$sql.= " '".$this->db->escape($this->localtax2_type)."',";
$sql.= " ".(!empty($this->subprice)?price2num($this->subprice):"null").",";
$sql.= " ".price2num($this->remise_percent).",";
$sql.= " ".(isset($this->info_bits)?"'".$this->info_bits."'":"null").",";
$sql.= " ".(isset($this->info_bits)?"'".$this->db->escape($this->info_bits)."'":"null").",";
$sql.= " ".price2num($this->total_ht).",";
$sql.= " ".price2num($this->total_tva).",";
$sql.= " ".price2num($this->total_localtax1).",";
$sql.= " ".price2num($this->total_localtax2).",";
$sql.= " ".price2num($this->total_ttc).",";
$sql.= " ".(!empty($this->fk_fournprice)?"'".$this->fk_fournprice."'":"null").",";
$sql.= " ".(!empty($this->fk_fournprice)?"'".$this->db->escape($this->fk_fournprice)."'":"null").",";
$sql.= " ".(isset($this->pa_ht)?"'".price2num($this->pa_ht)."'":"null").",";
$sql.= ' '.$this->special_code.',';
$sql.= ' '.$this->rang.',';
@@ -3025,7 +3025,7 @@ class SupplierProposalLine extends CommonObjectLine
$sql.= " , total_localtax1=".price2num($this->total_localtax1)."";
$sql.= " , total_localtax2=".price2num($this->total_localtax2)."";
}
$sql.= " , fk_product_fournisseur_price=".(! empty($this->fk_fournprice)?"'".$this->fk_fournprice."'":"null");
$sql.= " , fk_product_fournisseur_price=".(! empty($this->fk_fournprice)?"'".$this->db->escape($this->fk_fournprice)."'":"null");
$sql.= " , buy_price_ht=".price2num($this->pa_ht);
if (strlen($this->special_code)) $sql.= " , special_code=".$this->special_code;
$sql.= " , fk_parent_line=".($this->fk_parent_line>0?$this->fk_parent_line:"null");

2
htdocs/websites/class/website.class.php
View File

@@ -140,7 +140,7 @@ class Website extends CommonObject
$sql .= ' '.(! isset($this->description)?'NULL':"'".$this->db->escape($this->description)."'").',';
$sql .= ' '.(! isset($this->status)?'NULL':$this->status).',';
$sql .= ' '.(! isset($this->fk_default_home)?'NULL':$this->fk_default_home).',';
$sql .= ' '.(! isset($this->virtualhost)?'NULL':"'".$this->virtualhost)."',";
$sql .= ' '.(! isset($this->virtualhost)?'NULL':"'".$this->db->escape($this->virtualhost)."'").",";
$sql .= ' '.(! isset($this->fk_user_create)?$user->id:$this->fk_user_create).',';
$sql .= ' '.(! isset($this->date_creation) || dol_strlen($this->date_creation)==0?'NULL':"'".$this->db->idate($this->date_creation)."'").",";
$sql .= ' '.(! isset($this->date_modification) || dol_strlen($this->date_modification)==0?'NULL':"'".$this->db->idate($this->date_creation)."'");

4
test/phpunit/CodingPhpTest.php
View File

@@ -177,10 +177,10 @@ class CodingPhpTest extends PHPUnit_Framework_TestCase
$ok=true;
$matches=array();
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
preg_match_all('/=\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER);
preg_match_all('/(=|sql.+)\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER);
foreach($matches as $key => $val)
{
if ($val[1] != 'db->' && $val[1] != 'esca')
if ($val[2] != 'db->' && $val[2] != 'esca')
{
$ok=false;
break;