Fix #ygosha5698
@@ -597,12 +597,12 @@ class DiscountAbsolute
|
|||||||
$sql = 'SELECT sum(rc.amount_ttc) as amount, sum(rc.multicurrency_amount_ttc) as multicurrency_amount';
|
$sql = 'SELECT sum(rc.amount_ttc) as amount, sum(rc.multicurrency_amount_ttc) as multicurrency_amount';
|
||||||
$sql .= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc, '.MAIN_DB_PREFIX.'facture as f';
|
$sql .= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc, '.MAIN_DB_PREFIX.'facture as f';
|
||||||
$sql .= ' WHERE rc.fk_facture_source=f.rowid AND rc.fk_facture = '.$invoice->id;
|
$sql .= ' WHERE rc.fk_facture_source=f.rowid AND rc.fk_facture = '.$invoice->id;
|
||||||
$sql .= ' AND f.type IN ('.$invoice::TYPE_STANDARD.', '.$invoice::TYPE_CREDIT_NOTE.', '.$invoice::TYPE_SITUATION.')'; // Find discount coming from credit note or excess received
|
$sql .= ' AND f.type IN ('.$this->db->sanitize($invoice::TYPE_STANDARD.', '.$invoice::TYPE_CREDIT_NOTE.', '.$invoice::TYPE_SITUATION).')'; // Find discount coming from credit note or excess received
|
||||||
} elseif ($invoice->element == 'invoice_supplier') {
|
} elseif ($invoice->element == 'invoice_supplier') {
|
||||||
$sql = 'SELECT sum(rc.amount_ttc) as amount, sum(rc.multicurrency_amount_ttc) as multicurrency_amount';
|
$sql = 'SELECT sum(rc.amount_ttc) as amount, sum(rc.multicurrency_amount_ttc) as multicurrency_amount';
|
||||||
$sql .= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc, '.MAIN_DB_PREFIX.'facture_fourn as f';
|
$sql .= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc, '.MAIN_DB_PREFIX.'facture_fourn as f';
|
||||||
$sql .= ' WHERE rc.fk_invoice_supplier_source=f.rowid AND rc.fk_invoice_supplier = '.$invoice->id;
|
$sql .= ' WHERE rc.fk_invoice_supplier_source=f.rowid AND rc.fk_invoice_supplier = '.$invoice->id;
|
||||||
$sql .= ' AND f.type IN ('.$invoice::TYPE_STANDARD.', '.$invoice::TYPE_CREDIT_NOTE.')'; // Find discount coming from credit note or excess paid
|
$sql .= ' AND f.type IN ('.$this->db->sanitize($invoice::TYPE_STANDARD.', '.$invoice::TYPE_CREDIT_NOTE).')'; // Find discount coming from credit note or excess paid
|
||||||
} else {
|
} else {
|
||||||
$this->error = get_class($this)."::getSumCreditNotesUsed was called with a bad object as a first parameter";
|
$this->error = get_class($this)."::getSumCreditNotesUsed was called with a bad object as a first parameter";
|
||||||
dol_print_error($this->error);
|
dol_print_error($this->error);
|
||||||
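Review bot: The sanitize() added around `f.type IN (...)` wraps only three class constants, which cannot carry attacker input, while `$invoice->id` on the `rc.fk_facture = ` and `rc.fk_invoice_supplier = ` lines is still concatenated raw in both branches. The id normally comes from a fetched object, but the method accepts an arbitrary object as its first parameter (the error branch at the end of the hunk exists precisely because it cannot assume the type), so cast at the point of use: `$sql .= ' WHERE rc.fk_facture_source=f.rowid AND rc.fk_facture = '.((int) $invoice->id);` and the same for the supplier branch. getSumCreditNotesUsed() starts outside this hunk, so I cannot see whether the caller already guarantees an integer.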
|
|||||||
@@ -1887,7 +1887,7 @@ class Form
|
|||||||
if (!empty($conf->multicompany->enabled) && $conf->entity == 1 && $user->admin && !$user->entity) {
|
if (!empty($conf->multicompany->enabled) && $conf->entity == 1 && $user->admin && !$user->entity) {
|
||||||
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."entity as e ON e.rowid=u.entity";
|
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."entity as e ON e.rowid=u.entity";
|
||||||
if ($force_entity) {
|
if ($force_entity) {
|
||||||
$sql .= " WHERE u.entity IN (0,".$force_entity.")";
|
$sql .= " WHERE u.entity IN (0, ".$force_entity.")";
|
||||||
} else {
|
} else {
|
||||||
$sql .= " WHERE u.entity IS NOT NULL";
|
$sql .= " WHERE u.entity IS NOT NULL";
|
||||||
}
|
}
|
||||||
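Review bot: `$force_entity` is interpolated into `u.entity IN (0, ...)` with neither a cast nor sanitize(), and the only change to that line is a space after the comma, so it is the one remaining unchecked value in this hunk. It is a method parameter, and whether it is trusted depends on callers I cannot see here; giving it the same treatment the rest of the commit applies costs nothing: `$sql .= " WHERE u.entity IN (0, ".$this->db->sanitize($force_entity).")";`, or `((int) $force_entity)` if it is documented as a single entity id. The enclosing select method begins before this hunk.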
@@ -1897,7 +1897,7 @@ class Form
|
|||||||
$sql .= " ON ug.fk_user = u.rowid";
|
$sql .= " ON ug.fk_user = u.rowid";
|
||||||
$sql .= " WHERE ug.entity = ".$conf->entity;
|
$sql .= " WHERE ug.entity = ".$conf->entity;
|
||||||
} else {
|
} else {
|
||||||
$sql .= " WHERE u.entity IN (0,".$conf->entity.")";
|
$sql .= " WHERE u.entity IN (0, ".$conf->entity.")";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (!empty($user->socid)) {
|
if (!empty($user->socid)) {
|
||||||
@@ -8314,11 +8314,11 @@ class Form
|
|||||||
|
|
||||||
// Permettre l'exclusion de groupes
|
// Permettre l'exclusion de groupes
|
||||||
if (is_array($exclude)) {
|
if (is_array($exclude)) {
|
||||||
$excludeGroups = implode("','", $exclude);
|
$excludeGroups = implode(",", $exclude);
|
||||||
}
|
}
|
||||||
// Permettre l'inclusion de groupes
|
// Permettre l'inclusion de groupes
|
||||||
if (is_array($include)) {
|
if (is_array($include)) {
|
||||||
$includeGroups = implode("','", $include);
|
$includeGroups = implode(",", $include);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!is_array($selected)) {
|
if (!is_array($selected)) {
|
||||||
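Review bot: Dropping the quote characters from the implode is required for the sanitize() call in the following hunk, but sanitize()'s allowlist (in the DoliDB implementations I know, letters, digits, `_`, `-`, `.` and `,` — verify against this tree) still lets a non-numeric element such as `nom` reach the query as `ug.rowid NOT IN (nom)`, a column-to-column comparison rather than a syntax error. Since `ug.rowid` is an integer key, normalise the arrays here instead: `$excludeGroups = implode(",", array_map('intval', $exclude));` and `$includeGroups = implode(",", array_map('intval', $include));`. Note also that the later guard `if (is_array($exclude) && $excludeGroups)` treats the string `"0"` as false, so a list consisting of the single id 0 is silently dropped; harmless for group ids, but worth a one-line comment. The enclosing select method starts outside this hunk.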
@@ -8344,10 +8344,10 @@ class Form
|
|||||||
$sql .= " WHERE ug.entity IN (0, ".$conf->entity.")";
|
$sql .= " WHERE ug.entity IN (0, ".$conf->entity.")";
|
||||||
}
|
}
|
||||||
if (is_array($exclude) && $excludeGroups) {
|
if (is_array($exclude) && $excludeGroups) {
|
||||||
$sql .= " AND ug.rowid NOT IN ('".$excludeGroups."')";
|
$sql .= " AND ug.rowid NOT IN (".$this->db->sanitize($excludeGroups).")";
|
||||||
}
|
}
|
||||||
if (is_array($include) && $includeGroups) {
|
if (is_array($include) && $includeGroups) {
|
||||||
$sql .= " AND ug.rowid IN ('".$includeGroups."')";
|
$sql .= " AND ug.rowid IN (".$this->db->sanitize($includeGroups).")";
|
||||||
}
|
}
|
||||||
$sql .= " ORDER BY ug.nom ASC";
|
$sql .= " ORDER BY ug.nom ASC";
|
||||||
|
|
||||||
@@ -8709,7 +8709,7 @@ class Form
|
|||||||
$sql .= ' '.MAIN_DB_PREFIX.'facture as f';
|
$sql .= ' '.MAIN_DB_PREFIX.'facture as f';
|
||||||
$sql .= " WHERE p.entity IN (".getEntity('project').")";
|
$sql .= " WHERE p.entity IN (".getEntity('project').")";
|
||||||
$sql .= " AND f.fk_projet = p.rowid AND f.fk_statut=0"; //Brouillons seulement
|
$sql .= " AND f.fk_projet = p.rowid AND f.fk_statut=0"; //Brouillons seulement
|
||||||
//if ($projectsListId) $sql.= " AND p.rowid IN (".$projectsListId.")";
|
//if ($projectsListId) $sql.= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")";
|
||||||
//if ($socid == 0) $sql.= " AND (p.fk_soc=0 OR p.fk_soc IS NULL)";
|
//if ($socid == 0) $sql.= " AND (p.fk_soc=0 OR p.fk_soc IS NULL)";
|
||||||
//if ($socid > 0) $sql.= " AND (p.fk_soc=".$socid." OR p.fk_soc IS NULL)";
|
//if ($socid > 0) $sql.= " AND (p.fk_soc=".$socid." OR p.fk_soc IS NULL)";
|
||||||
$sql .= " GROUP BY f.ref ORDER BY p.ref, f.ref ASC";
|
$sql .= " GROUP BY f.ref ORDER BY p.ref, f.ref ASC";
|
||||||
|
|||||||
@@ -76,7 +76,7 @@ class FormContract
|
|||||||
$sql .= ' c.ref_customer, c.ref_supplier';
|
$sql .= ' c.ref_customer, c.ref_supplier';
|
||||||
$sql .= ' FROM '.MAIN_DB_PREFIX.'contrat as c';
|
$sql .= ' FROM '.MAIN_DB_PREFIX.'contrat as c';
|
||||||
$sql .= " WHERE c.entity = ".$conf->entity;
|
$sql .= " WHERE c.entity = ".$conf->entity;
|
||||||
//if ($contratListId) $sql.= " AND c.rowid IN (".$contratListId.")";
|
//if ($contratListId) $sql.= " AND c.rowid IN (".$this->db->sanitize($contratListId).")";
|
||||||
if ($socid > 0) {
|
if ($socid > 0) {
|
||||||
// CONTRACT_ALLOW_TO_LINK_FROM_OTHER_COMPANY is 'all' or a list of ids separated by coma.
|
// CONTRACT_ALLOW_TO_LINK_FROM_OTHER_COMPANY is 'all' or a list of ids separated by coma.
|
||||||
if (empty($conf->global->CONTRACT_ALLOW_TO_LINK_FROM_OTHER_COMPANY)) {
|
if (empty($conf->global->CONTRACT_ALLOW_TO_LINK_FROM_OTHER_COMPANY)) {
|
||||||
|
|||||||
@@ -175,7 +175,7 @@ class FormProjets
|
|||||||
if (empty($conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY)) {
|
if (empty($conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY)) {
|
||||||
$sql .= " AND (p.fk_soc=".((int) $socid)." OR p.fk_soc IS NULL)";
|
$sql .= " AND (p.fk_soc=".((int) $socid)." OR p.fk_soc IS NULL)";
|
||||||
} elseif ($conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY != 'all') { // PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY is 'all' or a list of ids separated by coma.
|
} elseif ($conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY != 'all') { // PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY is 'all' or a list of ids separated by coma.
|
||||||
$sql .= " AND (p.fk_soc IN (".((int) $socid).", ".((int) $conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY).") OR p.fk_soc IS NULL)";
|
$sql .= " AND (p.fk_soc IN (".$this->db->sanitize(((int) $socid).", ".$conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY).") OR p.fk_soc IS NULL)";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (!empty($filterkey)) {
|
if (!empty($filterkey)) {
|
||||||
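Review bot: The change on the `p.fk_soc IN (...)` line is a correctness fix as much as a hardening one — the old `((int) $conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY)` cast reduced a comma-separated list such as `2,5` to `2`, silently dropping every company after the first, while sanitize() keeps the list intact — and that deserves a mention in the commit message. The value is admin-controlled configuration, so the residual risk is low, but if the filter is meant to be strictly numeric the tighter form is `implode(',', array_map('intval', explode(',', $conf->global->PROJECT_ALLOW_TO_LINK_FROM_OTHER_COMPANY)))` in place of the sanitize() call. sanitize() with default arguments also strips the space after the comma, which is harmless.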
|
|||||||
@@ -79,7 +79,7 @@ class mailing_advthirdparties extends MailingTargets
|
|||||||
$sql = "SELECT s.rowid as id, s.email as email, s.nom as name, null as fk_contact";
|
$sql = "SELECT s.rowid as id, s.email as email, s.nom as name, null as fk_contact";
|
||||||
$sql .= " FROM ".MAIN_DB_PREFIX."societe as s LEFT OUTER JOIN ".MAIN_DB_PREFIX."societe_extrafields se ON se.fk_object=s.rowid";
|
$sql .= " FROM ".MAIN_DB_PREFIX."societe as s LEFT OUTER JOIN ".MAIN_DB_PREFIX."societe_extrafields se ON se.fk_object=s.rowid";
|
||||||
$sql .= " WHERE s.entity IN (".getEntity('societe').")";
|
$sql .= " WHERE s.entity IN (".getEntity('societe').")";
|
||||||
$sql .= " AND s.rowid IN (".implode(',', $socid).")";
|
$sql .= " AND s.rowid IN (".$this->db->sanitize(implode(',', $socid)).")";
|
||||||
$sql .= " ORDER BY email";
|
$sql .= " ORDER BY email";
|
||||||
|
|
||||||
// Stock recipients emails into targets table
|
// Stock recipients emails into targets table
|
||||||
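Review bot: The sanitize() around `implode(',', $socid)` does not cover the empty case: if a caller can pass an empty array, the query becomes `s.rowid IN ()`, which MySQL rejects as a syntax error, and nothing in this hunk guards against it. Since `$socid` is a list of third-party ids, normalise and guard in one step: `if (!count($socid)) { return 0; }` (or whatever this method's existing error convention is — its start is outside the hunk) before building `$sql`, and `implode(',', array_map('intval', $socid))` in the IN list, which makes the sanitize() redundant.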
|
|||||||
@@ -265,7 +265,7 @@ if ($projectid > 0) {
|
|||||||
// Define a complementary filter for search of next/prev ref.
|
// Define a complementary filter for search of next/prev ref.
|
||||||
if (!$user->rights->project->all->lire) {
|
if (!$user->rights->project->all->lire) {
|
||||||
$objectsListId = $project->getProjectsAuthorizedForUser($user, 0, 0);
|
$objectsListId = $project->getProjectsAuthorizedForUser($user, 0, 0);
|
||||||
$project->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
$project->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ? join(',', array_keys($objectsListId)) : '0').")";
|
||||||
}
|
}
|
||||||
|
|
||||||
dol_banner_tab($project, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
dol_banner_tab($project, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
||||||
|
|||||||
@@ -479,7 +479,7 @@ class Holiday extends CommonObject
|
|||||||
$sql .= " FROM ".MAIN_DB_PREFIX."holiday as cp, ".MAIN_DB_PREFIX."user as uu, ".MAIN_DB_PREFIX."user as ua";
|
$sql .= " FROM ".MAIN_DB_PREFIX."holiday as cp, ".MAIN_DB_PREFIX."user as uu, ".MAIN_DB_PREFIX."user as ua";
|
||||||
$sql .= " WHERE cp.entity IN (".getEntity('holiday').")";
|
$sql .= " WHERE cp.entity IN (".getEntity('holiday').")";
|
||||||
$sql .= " AND cp.fk_user = uu.rowid AND cp.fk_validator = ua.rowid"; // Hack pour la recherche sur le tableau
|
$sql .= " AND cp.fk_user = uu.rowid AND cp.fk_validator = ua.rowid"; // Hack pour la recherche sur le tableau
|
||||||
$sql .= " AND cp.fk_user IN (".$user_id.")";
|
$sql .= " AND cp.fk_user IN (".$this->db->sanitize($user_id).")";
|
||||||
|
|
||||||
// Selection filter
|
// Selection filter
|
||||||
if (!empty($filter)) {
|
if (!empty($filter)) {
|
||||||
|
|||||||
@@ -154,7 +154,7 @@ if (!empty($search_employee)) {
|
|||||||
$sql .= " AND cp.fk_user = '".$db->escape($search_employee)."'";
|
$sql .= " AND cp.fk_user = '".$db->escape($search_employee)."'";
|
||||||
}
|
}
|
||||||
if (!empty($search_type)) {
|
if (!empty($search_type)) {
|
||||||
$sql .= ' AND cp.fk_type IN ('.$db->escape($search_type).')';
|
$sql .= ' AND cp.fk_type IN ('.$db->sanitize($search_type).')';
|
||||||
}
|
}
|
||||||
if (!empty($search_description)) {
|
if (!empty($search_description)) {
|
||||||
$sql .= natural_search('cp.description', $search_description);
|
$sql .= natural_search('cp.description', $search_description);
|
||||||
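Review bot: Replacing `$db->escape()` with `$db->sanitize()` on the `cp.fk_type IN (...)` line is the right direction — escape() only protects a quoted literal and this list is unquoted — but sanitize()'s character allowlist still admits identifier characters, so a request with `search_type=fk_user` yields `cp.fk_type IN (fk_user)`, a valid column-to-column comparison that silently changes which rows the filter returns. Because `fk_type` is an integer key, normalise the list instead: `$sql .= ' AND cp.fk_type IN ('.implode(',', array_map('intval', explode(',', $search_type))).')';`. The `escape()` on the quoted `cp.fk_user = '...'` comparison above is fine as it stands. This assumes `$search_type` comes from GETPOST without an integer filter, which is not visible in the hunk.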
|
|||||||
@@ -182,7 +182,7 @@ if (!empty($conf->holiday->enabled) && $user->rights->holiday->read) {
|
|||||||
$sql .= " WHERE u.rowid = x.fk_user";
|
$sql .= " WHERE u.rowid = x.fk_user";
|
||||||
$sql .= " AND x.entity = ".$conf->entity;
|
$sql .= " AND x.entity = ".$conf->entity;
|
||||||
if (empty($user->rights->holiday->readall)) {
|
if (empty($user->rights->holiday->readall)) {
|
||||||
$sql .= ' AND x.fk_user IN ('.join(',', $childids).')';
|
$sql .= ' AND x.fk_user IN ('.$db->sanitize(join(',', $childids)).')';
|
||||||
}
|
}
|
||||||
//if (!$user->rights->societe->client->voir && !$user->socid) $sql.= " AND x.fk_soc = s. rowid AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
|
//if (!$user->rights->societe->client->voir && !$user->socid) $sql.= " AND x.fk_soc = s. rowid AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
|
||||||
//if (!empty($socid)) $sql.= " AND x.fk_soc = ".$socid;
|
//if (!empty($socid)) $sql.= " AND x.fk_soc = ".$socid;
|
||||||
@@ -263,7 +263,7 @@ if (!empty($conf->expensereport->enabled) && $user->rights->expensereport->lire)
|
|||||||
$sql .= " WHERE u.rowid = x.fk_user_author";
|
$sql .= " WHERE u.rowid = x.fk_user_author";
|
||||||
$sql .= " AND x.entity = ".$conf->entity;
|
$sql .= " AND x.entity = ".$conf->entity;
|
||||||
if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous)) {
|
if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous)) {
|
||||||
$sql .= ' AND x.fk_user_author IN ('.join(',', $childids).')';
|
$sql .= ' AND x.fk_user_author IN ('.$db->sanitize(join(',', $childids)).')';
|
||||||
}
|
}
|
||||||
//if (!$user->rights->societe->client->voir && !$user->socid) $sql.= " AND x.fk_soc = s. rowid AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
|
//if (!$user->rights->societe->client->voir && !$user->socid) $sql.= " AND x.fk_soc = s. rowid AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
|
||||||
//if (!empty($socid)) $sql.= " AND x.fk_soc = ".$socid;
|
//if (!empty($socid)) $sql.= " AND x.fk_soc = ".$socid;
|
||||||
|
|||||||
@@ -1175,7 +1175,7 @@ if ($ok && GETPOST('clean_perm_table', 'alpha')) {
|
|||||||
foreach ($conf->modules as $key => $val) {
|
foreach ($conf->modules as $key => $val) {
|
||||||
$listofmods .= ($listofmods ? ',' : '')."'".$val."'";
|
$listofmods .= ($listofmods ? ',' : '')."'".$val."'";
|
||||||
}
|
}
|
||||||
$sql = 'SELECT id, libelle as label, module from '.MAIN_DB_PREFIX.'rights_def WHERE module not in ('.$listofmods.') AND id > 100000';
|
$sql = 'SELECT id, libelle as label, module from '.MAIN_DB_PREFIX.'rights_def WHERE module NOT IN ('.$db->sanitize($listofmods).') AND id > 100000';
|
||||||
$resql = $db->query($sql);
|
$resql = $db->query($sql);
|
||||||
if ($resql) {
|
if ($resql) {
|
||||||
$num = $db->num_rows($resql);
|
$num = $db->num_rows($resql);
|
||||||
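Review bot: The new `$db->sanitize($listofmods)` on the `module NOT IN (...)` line is likely to break this admin action rather than harden it: `$listofmods` is built two lines above as a comma list of single-quoted names (`"'".$val."'"`), and DoliDB::sanitize() with its default arguments — not shown in this diff, so verify against this tree — strips every character outside its allowlist, quotes included, so MySQL receives `NOT IN (facture,commande)` as bare identifiers and fails with unknown columns. If sanitize() is wanted here, pass the flag that permits simple quotes, `$db->sanitize($listofmods, 1)`, or better escape each value where the list is built: `$listofmods .= ($listofmods ? ',' : '')."'".$db->escape($val)."'";`. The values come from `$conf->modules`, so this is a functional regression more than an injection risk, but it only surfaces when `clean_perm_table` is posted, so it deserves a manual run before merge.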
|
|||||||
@@ -978,7 +978,7 @@ if ($action == 'create' && $user->rights->projet->creer) {
|
|||||||
// Define a complementary filter for search of next/prev ref.
|
// Define a complementary filter for search of next/prev ref.
|
||||||
if (!$user->rights->projet->all->lire) {
|
if (!$user->rights->projet->all->lire) {
|
||||||
$objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0);
|
$objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0);
|
||||||
$object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
$object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ? join(',', array_keys($objectsListId)) : '0').")";
|
||||||
}
|
}
|
||||||
|
|
||||||
dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
||||||
|
|||||||
@@ -2055,7 +2055,7 @@ class Project extends CommonObject
|
|||||||
$sql .= " p.entity IN (".getEntity('project').")";
|
$sql .= " p.entity IN (".getEntity('project').")";
|
||||||
if (!$user->rights->projet->all->lire) {
|
if (!$user->rights->projet->all->lire) {
|
||||||
$projectsListId = $this->getProjectsAuthorizedForUser($user, 0, 1);
|
$projectsListId = $this->getProjectsAuthorizedForUser($user, 0, 1);
|
||||||
$sql .= "AND p.rowid IN (".$projectsListId.")";
|
$sql .= "AND p.rowid IN (".$this->db->sanitize($projectsListId).")";
|
||||||
}
|
}
|
||||||
|
|
||||||
$resql = $this->db->query($sql);
|
$resql = $this->db->query($sql);
|
||||||
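Review bot: The appended fragment on the changed line starts with `AND` and no leading space, so after the preceding `p.entity IN (...)` it produces `)AND p.rowid IN (`; MySQL tolerates the missing whitespace, but every other fragment in this hunk carries a leading space and the inconsistency is fragile if the preceding line is ever reordered. Make it `$sql .= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")";`. The sanitize() itself is reasonable defence in depth: `$projectsListId` is the string form returned by getProjectsAuthorizedForUser(..., 1), whose contents are outside this hunk.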
|
|||||||
@@ -868,13 +868,13 @@ class Task extends CommonObject
|
|||||||
$sql .= " AND p.fk_soc = ".$socid;
|
$sql .= " AND p.fk_soc = ".$socid;
|
||||||
}
|
}
|
||||||
if ($projectid) {
|
if ($projectid) {
|
||||||
$sql .= " AND p.rowid in (".$projectid.")";
|
$sql .= " AND p.rowid IN (".$this->db->sanitize($projectid).")";
|
||||||
}
|
}
|
||||||
if ($filteronproj) {
|
if ($filteronproj) {
|
||||||
$sql .= natural_search(array("p.ref", "p.title"), $filteronproj);
|
$sql .= natural_search(array("p.ref", "p.title"), $filteronproj);
|
||||||
}
|
}
|
||||||
if ($filteronprojstatus && $filteronprojstatus != '-1') {
|
if ($filteronprojstatus && $filteronprojstatus != '-1') {
|
||||||
$sql .= " AND p.fk_statut IN (".$filteronprojstatus.")";
|
$sql .= " AND p.fk_statut IN (".$this->db->sanitize($filteronprojstatus).")";
|
||||||
}
|
}
|
||||||
if ($morewherefilter) {
|
if ($morewherefilter) {
|
||||||
$sql .= $morewherefilter;
|
$sql .= $morewherefilter;
|
||||||
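Review bot: `$socid` is still concatenated unchecked on the first line of the hunk (`" AND p.fk_soc = ".$socid`) while the sibling `$projectid` and `$filteronprojstatus` filters a few lines below are now wrapped in sanitize(); it is a method parameter that list pages typically feed from request input, so it should get the same treatment: `$sql .= " AND p.fk_soc = ".((int) $socid);`. The guarding `if` and the rest of getTasksArray() lie outside this hunk, so I cannot tell whether a caller already casts it. `$morewherefilter` at the end of the hunk is appended verbatim by design and would need the same caller-side scrutiny.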
@@ -1062,10 +1062,10 @@ class Task extends CommonObject
|
|||||||
$sql .= " AND ctc.source = 'internal'";
|
$sql .= " AND ctc.source = 'internal'";
|
||||||
if ($projectid) {
|
if ($projectid) {
|
||||||
if ($userp) {
|
if ($userp) {
|
||||||
$sql .= " AND pt.rowid in (".$projectid.")";
|
$sql .= " AND pt.rowid IN (".$this->db->sanitize($projectid).")";
|
||||||
}
|
}
|
||||||
if ($usert) {
|
if ($usert) {
|
||||||
$sql .= " AND pt.fk_projet in (".$projectid.")";
|
$sql .= " AND pt.fk_projet IN (".$this->db->sanitize($projectid).")";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if ($taskid) {
|
if ($taskid) {
|
||||||
@@ -1073,7 +1073,7 @@ class Task extends CommonObject
|
|||||||
$sql .= " ERROR SHOULD NOT HAPPENS";
|
$sql .= " ERROR SHOULD NOT HAPPENS";
|
||||||
}
|
}
|
||||||
if ($usert) {
|
if ($usert) {
|
||||||
$sql .= " AND pt.rowid = ".$taskid;
|
$sql .= " AND pt.rowid = ".((int) $taskid);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
//print $sql;
|
//print $sql;
|
||||||
|
|||||||
@@ -112,7 +112,7 @@ $morehtmlref .= '</div>';
|
|||||||
// Define a complementary filter for search of next/prev ref.
|
// Define a complementary filter for search of next/prev ref.
|
||||||
if (!$user->rights->projet->all->lire) {
|
if (!$user->rights->projet->all->lire) {
|
||||||
$objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0);
|
$objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0);
|
||||||
$object->next_prev_filter = " rowid in (".(count($objectsListId) ? join(',', array_keys($objectsListId)) : '0').")";
|
$object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ? join(',', array_keys($objectsListId)) : '0').")";
|
||||||
}
|
}
|
||||||
|
|
||||||
dol_banner_tab($object, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
dol_banner_tab($object, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
||||||
|
|||||||
@@ -300,7 +300,7 @@ if ($id > 0 || !empty($ref)) {
|
|||||||
// Define a complementary filter for search of next/prev ref.
|
// Define a complementary filter for search of next/prev ref.
|
||||||
if (!$user->rights->projet->all->lire) {
|
if (!$user->rights->projet->all->lire) {
|
||||||
$objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0);
|
$objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0);
|
||||||
$object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
$object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
||||||
}
|
}
|
||||||
|
|
||||||
dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
||||||
|
|||||||
@@ -141,7 +141,7 @@ if ($object->id > 0) {
|
|||||||
// Define a complementary filter for search of next/prev ref.
|
// Define a complementary filter for search of next/prev ref.
|
||||||
if (!$user->rights->projet->all->lire) {
|
if (!$user->rights->projet->all->lire) {
|
||||||
$objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0);
|
$objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0);
|
||||||
$object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
$object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
||||||
}
|
}
|
||||||
|
|
||||||
dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
||||||
|
|||||||
@@ -222,7 +222,7 @@ $morehtmlref .= '</div>';
|
|||||||
// Define a complementary filter for search of next/prev ref.
|
// Define a complementary filter for search of next/prev ref.
|
||||||
if (!$user->rights->projet->all->lire) {
|
if (!$user->rights->projet->all->lire) {
|
||||||
$objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0);
|
$objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0);
|
||||||
$object->next_prev_filter = " te.rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
$object->next_prev_filter = " te.rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
||||||
}
|
}
|
||||||
|
|
||||||
dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
||||||
|
|||||||
@@ -123,7 +123,7 @@ if (($id > 0 && is_numeric($id)) || !empty($ref)) {
|
|||||||
// Define a complementary filter for search of next/prev ref.
|
// Define a complementary filter for search of next/prev ref.
|
||||||
if (!$user->rights->projet->all->lire) {
|
if (!$user->rights->projet->all->lire) {
|
||||||
$objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0);
|
$objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0);
|
||||||
$object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
$object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
||||||
}
|
}
|
||||||
|
|
||||||
dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
||||||
|
|||||||
@@ -136,7 +136,7 @@ $morehtmlref .= '</div>';
|
|||||||
// Define a complementary filter for search of next/prev ref.
|
// Define a complementary filter for search of next/prev ref.
|
||||||
if (!$user->rights->projet->all->lire) {
|
if (!$user->rights->projet->all->lire) {
|
||||||
$objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0);
|
$objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0);
|
||||||
$object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
$object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
||||||
}
|
}
|
||||||
|
|
||||||
dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
||||||
|
|||||||
@@ -414,7 +414,7 @@ if ($search_opp_status) {
|
|||||||
$sql .= " AND p.fk_opp_status IS NOT NULL AND p.fk_opp_status <> -1 AND p.fk_opp_status NOT IN (SELECT rowid FROM ".MAIN_DB_PREFIX."c_lead_status WHERE code IN ('WON','LOST'))";
|
$sql .= " AND p.fk_opp_status IS NOT NULL AND p.fk_opp_status <> -1 AND p.fk_opp_status NOT IN (SELECT rowid FROM ".MAIN_DB_PREFIX."c_lead_status WHERE code IN ('WON','LOST'))";
|
||||||
}
|
}
|
||||||
if ($search_opp_status == 'notopenedopp') {
|
if ($search_opp_status == 'notopenedopp') {
|
||||||
$sql .= " AND (p.fk_opp_status IS NULL OR p.fk_opp_status = -1 OR p.fk_opp_status IN (SELECT rowid FROM ".MAIN_DB_PREFIX."c_lead_status WHERE code IN ('WON')))";
|
$sql .= " AND (p.fk_opp_status IS NULL OR p.fk_opp_status = -1 OR p.fk_opp_status IN (SELECT rowid FROM ".MAIN_DB_PREFIX."c_lead_status WHERE code = 'WON'))";
|
||||||
}
|
}
|
||||||
if ($search_opp_status == 'none') {
|
if ($search_opp_status == 'none') {
|
||||||
$sql .= " AND (p.fk_opp_status IS NULL OR p.fk_opp_status = -1)";
|
$sql .= " AND (p.fk_opp_status IS NULL OR p.fk_opp_status = -1)";
|
||||||
@@ -431,7 +431,7 @@ if ($search_sale > 0) {
|
|||||||
// No check is done on company permission because readability is managed by public status of project and assignement.
|
// No check is done on company permission because readability is managed by public status of project and assignement.
|
||||||
//if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND ((s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id.") OR (s.rowid IS NULL))";
|
//if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND ((s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id.") OR (s.rowid IS NULL))";
|
||||||
if ($search_project_user > 0) {
|
if ($search_project_user > 0) {
|
||||||
$sql .= " AND ecp.fk_c_type_contact IN (".join(',', array_keys($listofprojectcontacttype)).") AND ecp.element_id = p.rowid AND ecp.fk_socpeople = ".$search_project_user;
|
$sql .= " AND ecp.fk_c_type_contact IN (".$db->sanitize(join(',', array_keys($listofprojectcontacttype))).") AND ecp.element_id = p.rowid AND ecp.fk_socpeople = ".$search_project_user;
|
||||||
}
|
}
|
||||||
if ($search_opp_amount != '') {
|
if ($search_opp_amount != '') {
|
||||||
$sql .= natural_search('p.opp_amount', $search_opp_amount, 1);
|
$sql .= natural_search('p.opp_amount', $search_opp_amount, 1);
|
||||||
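Review bot: The sanitize() around the contact-type list is fine (those keys come from the local `$listofprojectcontacttype` array), but the same line still concatenates `$search_project_user` raw into `ecp.fk_socpeople = ...`, and the surrounding `if ($search_project_user > 0)` does not make it numeric: in PHP a string such as `1 OR 1=1` compares greater than 0 yet is not an integer. Cast it where it is used, `... AND ecp.fk_socpeople = ".((int) $search_project_user);`, unless the GETPOST call that reads it (outside this hunk) already applies an integer filter — in which case a short comment saying so on this line would save the next reviewer the same question.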
|
|||||||
@@ -101,7 +101,7 @@ if ($id > 0 || !empty($ref)) {
|
|||||||
// Define a complementary filter for search of next/prev ref.
|
// Define a complementary filter for search of next/prev ref.
|
||||||
if (!$user->rights->projet->all->lire) {
|
if (!$user->rights->projet->all->lire) {
|
||||||
$objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0);
|
$objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0);
|
||||||
$object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
$object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
||||||
}
|
}
|
||||||
|
|
||||||
dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
||||||
|
|||||||
@@ -450,7 +450,7 @@ if ($id > 0 || !empty($ref)) {
|
|||||||
// Define a complementary filter for search of next/prev ref.
|
// Define a complementary filter for search of next/prev ref.
|
||||||
if (!$user->rights->projet->all->lire) {
|
if (!$user->rights->projet->all->lire) {
|
||||||
$objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0);
|
$objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0);
|
||||||
$object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
$object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
||||||
}
|
}
|
||||||
|
|
||||||
dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
||||||
|
|||||||
@@ -135,7 +135,7 @@ if ($id > 0 || !empty($ref)) {
|
|||||||
// Define a complementary filter for search of next/prev ref.
|
// Define a complementary filter for search of next/prev ref.
|
||||||
if (!$user->rights->projet->all->lire) {
|
if (!$user->rights->projet->all->lire) {
|
||||||
$objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0);
|
$objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0);
|
||||||
$projectstatic->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
$projectstatic->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ? join(',', array_keys($objectsListId)) : '0').")";
|
||||||
}
|
}
|
||||||
|
|
||||||
dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
||||||
@@ -289,7 +289,7 @@ if ($id > 0 || !empty($ref)) {
|
|||||||
|
|
||||||
if (!GETPOST('withproject') || empty($projectstatic->id)) {
|
if (!GETPOST('withproject') || empty($projectstatic->id)) {
|
||||||
$projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1);
|
$projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1);
|
||||||
$object->next_prev_filter = " fk_projet in (".$projectsListId.")";
|
$object->next_prev_filter = " fk_projet IN (".$db->sanitize($projectsListId).")";
|
||||||
} else {
|
} else {
|
||||||
$object->next_prev_filter = " fk_projet = ".$projectstatic->id;
|
$object->next_prev_filter = " fk_projet = ".$projectstatic->id;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -197,7 +197,7 @@ if ($id > 0 || !empty($ref)) {
|
|||||||
// Define a complementary filter for search of next/prev ref.
|
// Define a complementary filter for search of next/prev ref.
|
||||||
if (!$user->rights->projet->all->lire) {
|
if (!$user->rights->projet->all->lire) {
|
||||||
$objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0);
|
$objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0);
|
||||||
$projectstatic->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
$projectstatic->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
||||||
}
|
}
|
||||||
|
|
||||||
dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
||||||
@@ -320,7 +320,7 @@ if ($id > 0 || !empty($ref)) {
|
|||||||
|
|
||||||
if (!GETPOST('withproject') || empty($projectstatic->id)) {
|
if (!GETPOST('withproject') || empty($projectstatic->id)) {
|
||||||
$projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1);
|
$projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1);
|
||||||
$object->next_prev_filter = " fk_projet in (".$projectsListId.")";
|
$object->next_prev_filter = " fk_projet IN (".$db->sanitize($projectsListId).")";
|
||||||
} else {
|
} else {
|
||||||
$object->next_prev_filter = " fk_projet = ".$projectstatic->id;
|
$object->next_prev_filter = " fk_projet = ".$projectstatic->id;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -154,7 +154,7 @@ if ($object->id > 0) {
|
|||||||
// Define a complementary filter for search of next/prev ref.
|
// Define a complementary filter for search of next/prev ref.
|
||||||
if (!$user->rights->projet->all->lire) {
|
if (!$user->rights->projet->all->lire) {
|
||||||
$objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0);
|
$objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0);
|
||||||
$projectstatic->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
$projectstatic->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
||||||
}
|
}
|
||||||
|
|
||||||
dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
||||||
@@ -278,7 +278,7 @@ if ($object->id > 0) {
|
|||||||
|
|
||||||
if (!GETPOST('withproject') || empty($projectstatic->id)) {
|
if (!GETPOST('withproject') || empty($projectstatic->id)) {
|
||||||
$projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1);
|
$projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1);
|
||||||
$object->next_prev_filter = " fk_projet in (".$projectsListId.")";
|
$object->next_prev_filter = " fk_projet IN (".$db->sanitize($projectsListId).")";
|
||||||
} else {
|
} else {
|
||||||
$object->next_prev_filter = " fk_projet = ".$projectstatic->id;
|
$object->next_prev_filter = " fk_projet = ".$projectstatic->id;
|
||||||
}
|
}
|
@@ -129,7 +129,7 @@ if ($object->id > 0) {
|
|||||||
// Define a complementary filter for search of next/prev ref.
|
// Define a complementary filter for search of next/prev ref.
|
||||||
if (!$user->rights->projet->all->lire) {
|
if (!$user->rights->projet->all->lire) {
|
||||||
$objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0);
|
$objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0);
|
||||||
$projectstatic->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
$projectstatic->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
||||||
}
|
}
|
||||||
|
|
||||||
dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
@@ -247,7 +247,7 @@ if ($object->id > 0) {
|
|||||||
|
|
||||||
if (!GETPOST('withproject') || empty($projectstatic->id)) {
|
if (!GETPOST('withproject') || empty($projectstatic->id)) {
|
||||||
$projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1);
|
$projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1);
|
||||||
$object->next_prev_filter = " fk_projet in (".$projectsListId.")";
|
$object->next_prev_filter = " fk_projet IN (".$db->sanitize($projectsListId).")";
|
||||||
} else {
|
} else {
|
||||||
$object->next_prev_filter = " fk_projet = ".$projectstatic->id;
|
$object->next_prev_filter = " fk_projet = ".$projectstatic->id;
|
||||||
}
|
}
|
@@ -240,7 +240,7 @@ if ($id > 0 || !empty($ref)) {
|
|||||||
// Define a complementary filter for search of next/prev ref.
|
// Define a complementary filter for search of next/prev ref.
|
||||||
if (!$user->rights->projet->all->lire) {
|
if (!$user->rights->projet->all->lire) {
|
||||||
$objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0);
|
$objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0);
|
||||||
$projectstatic->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
$projectstatic->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
||||||
}
|
}
|
||||||
|
|
||||||
dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
@@ -479,7 +479,7 @@ if ($id > 0 || !empty($ref)) {
|
|||||||
|
|
||||||
if (!GETPOST('withproject') || empty($projectstatic->id)) {
|
if (!GETPOST('withproject') || empty($projectstatic->id)) {
|
||||||
$projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1);
|
$projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1);
|
||||||
$object->next_prev_filter = " fk_projet in (".$projectsListId.")";
|
$object->next_prev_filter = " fk_projet IN (".$db->sanitize($projectsListId).")";
|
||||||
} else {
|
} else {
|
||||||
$object->next_prev_filter = " fk_projet = ".$projectstatic->id;
|
$object->next_prev_filter = " fk_projet = ".$projectstatic->id;
|
||||||
}
|
}
|
@@ -429,7 +429,7 @@ if ($action == 'confirm_generateinvoice') {
|
|||||||
|
|
||||||
// Update lineid into line of timespent
|
// Update lineid into line of timespent
|
||||||
$sql = 'UPDATE '.MAIN_DB_PREFIX.'projet_task_time SET invoice_line_id = '.$lineid.', invoice_id = '.$tmpinvoice->id;
|
$sql = 'UPDATE '.MAIN_DB_PREFIX.'projet_task_time SET invoice_line_id = '.$lineid.', invoice_id = '.$tmpinvoice->id;
|
||||||
$sql .= ' WHERE rowid in ('.join(',', $toselect).') AND fk_user = '.$userid;
|
$sql .= ' WHERE rowid IN ('.$db->sanitize(join(',', $toselect)).') AND fk_user = '.((int) $userid);
|
||||||
$result = $db->query($sql);
|
$result = $db->query($sql);
|
||||||
if (!$result) {
|
if (!$result) {
|
||||||
$error++;
|
$error++;
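Review bot: `$toselect` is joined and passed through `$db->sanitize()` in the `WHERE rowid IN (...)` clause, but if this list comes from the request (the usual mass-action `toselect` parameter in this codebase) sanitize only strips disallowed characters rather than guaranteeing integers, and an empty selection would produce `IN ()`, a SQL syntax error rather than a no-op. Casting each element is tighter: `$sql .= ' WHERE rowid IN ('.$db->sanitize(implode(',', array_map('intval', $toselect))).') AND fk_user = '.((int) $userid);`, ideally behind a `count($toselect)` guard. `$lineid` and `$tmpinvoice->id` in the SET clause are also concatenated raw; they appear to be internally generated ids, but `(int)` casts would make that explicit. The `confirm_generateinvoice` action block extends beyond the hunk.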
@@ -468,7 +468,7 @@ if ($action == 'confirm_generateinvoice') {
|
|||||||
|
|
||||||
// Update lineid into line of timespent
|
// Update lineid into line of timespent
|
||||||
$sql = 'UPDATE '.MAIN_DB_PREFIX.'projet_task_time SET invoice_line_id = '.$lineid.', invoice_id = '.$tmpinvoice->id;
|
$sql = 'UPDATE '.MAIN_DB_PREFIX.'projet_task_time SET invoice_line_id = '.$lineid.', invoice_id = '.$tmpinvoice->id;
|
||||||
$sql .= ' WHERE rowid in ('.join(',', $toselect).') AND fk_user = '.$userid;
|
$sql .= ' WHERE rowid IN ('.$db->sanitize(join(',', $toselect)).') AND fk_user = '.((int) $userid);
|
||||||
$result = $db->query($sql);
|
$result = $db->query($sql);
|
||||||
if (!$result) {
|
if (!$result) {
|
||||||
$error++;
|
$error++;
@@ -504,7 +504,7 @@ if ($action == 'confirm_generateinvoice') {
|
|||||||
|
|
||||||
// Update lineid into line of timespent
|
// Update lineid into line of timespent
|
||||||
$sql = 'UPDATE '.MAIN_DB_PREFIX.'projet_task_time SET invoice_line_id = '.$lineid.', invoice_id = '.$tmpinvoice->id;
|
$sql = 'UPDATE '.MAIN_DB_PREFIX.'projet_task_time SET invoice_line_id = '.$lineid.', invoice_id = '.$tmpinvoice->id;
|
||||||
$sql .= ' WHERE rowid in ('.join(',', $toselect).')';
|
$sql .= ' WHERE rowid IN ('.$db->sanitize(join(',', $toselect)).')';
|
||||||
$result = $db->query($sql);
|
$result = $db->query($sql);
|
||||||
if (!$result) {
|
if (!$result) {
|
||||||
$error++;
|
$error++;
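Review bot: Same concern as the two earlier timespent UPDATE hunks: `$toselect` is only character-sanitized, and an empty array still yields `rowid IN ()`. Unlike those branches this statement carries no `fk_user` restriction, so whether the selected rows belong to the current user or project has to be enforced before this point; that check is not visible in the hunk and is worth confirming. Suggested form: `$sql .= ' WHERE rowid IN ('.$db->sanitize(implode(',', array_map('intval', $toselect))).')';` inside an `if (count($toselect))` guard. The action block continues outside the hunk.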
@@ -600,7 +600,7 @@ if (($id > 0 || !empty($ref)) || $projectidforalltimes > 0) {
|
|||||||
// Define a complementary filter for search of next/prev ref.
|
// Define a complementary filter for search of next/prev ref.
|
||||||
if (!$user->rights->projet->all->lire) {
|
if (!$user->rights->projet->all->lire) {
|
||||||
$objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0);
|
$objectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 0);
|
||||||
$projectstatic->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
$projectstatic->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
||||||
}
|
}
|
||||||
|
|
||||||
dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
dol_banner_tab($projectstatic, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
@@ -761,7 +761,7 @@ if (($id > 0 || !empty($ref)) || $projectidforalltimes > 0) {
|
|||||||
|
|
||||||
if (!GETPOST('withproject') || empty($projectstatic->id)) {
|
if (!GETPOST('withproject') || empty($projectstatic->id)) {
|
||||||
$projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1);
|
$projectsListId = $projectstatic->getProjectsAuthorizedForUser($user, 0, 1);
|
||||||
$object->next_prev_filter = " fk_projet in (".$projectsListId.")";
|
$object->next_prev_filter = " fk_projet IN (".$db->sanitize($projectsListId).")";
|
||||||
} else {
|
} else {
|
||||||
$object->next_prev_filter = " fk_projet = ".$projectstatic->id;
|
$object->next_prev_filter = " fk_projet = ".$projectstatic->id;
|
||||||
}
|
}
|
@@ -67,7 +67,7 @@ class SalariesStats extends Stats
|
|||||||
$this->where .= " AND fk_soc = ".$this->socid;
|
$this->where .= " AND fk_soc = ".$this->socid;
|
||||||
}
|
}
|
||||||
if (is_array($this->userid) && count($this->userid) > 0) {
|
if (is_array($this->userid) && count($this->userid) > 0) {
|
||||||
$this->where .= ' AND fk_user IN ('.$db->sanitize(join(',', $this->userid)).')';
|
$this->where .= ' AND fk_user IN ('.$this->db->sanitize(join(',', $this->userid)).')';
|
||||||
} elseif ($this->userid > 0) {
|
} elseif ($this->userid > 0) {
|
||||||
$this->where .= ' AND fk_user = '.$this->userid;
|
$this->where .= ' AND fk_user = '.$this->userid;
|
||||||
}
|
}
|
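Review bot: Switching `$db` to `$this->db` fixes a reference to an undefined variable in class scope, but the two neighbouring branches still concatenate `$this->socid` and `$this->userid` into `$this->where` without a cast (`" AND fk_soc = ".$this->socid` and `' AND fk_user = '.$this->userid`). Since `$this->userid` has already passed a `> 0` test here, `((int) $this->userid)` and `((int) $this->socid)` are behaviour-preserving and keep the class consistent with the sanitized `IN (...)` branch. The method that builds `$this->where` starts outside the hunk.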
@@ -804,7 +804,7 @@ if ($action == 'create' || $action == 'presend') {
|
|||||||
// Define a complementary filter for search of next/prev ref.
|
// Define a complementary filter for search of next/prev ref.
|
||||||
if (!$user->rights->projet->all->lire) {
|
if (!$user->rights->projet->all->lire) {
|
||||||
$objectsListId = $projectstat->getProjectsAuthorizedForUser($user, $mine, 0);
|
$objectsListId = $projectstat->getProjectsAuthorizedForUser($user, $mine, 0);
|
||||||
$projectstat->next_prev_filter = " rowid in (".(count($objectsListId) ? join(',', array_keys($objectsListId)) : '0').")";
|
$projectstat->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ? join(',', array_keys($objectsListId)) : '0').")";
|
||||||
}
|
}
|
||||||
print $form->showrefnav($projectstat, 'ref', $linkback, 1, 'ref', 'ref', '');
|
print $form->showrefnav($projectstat, 'ref', $linkback, 1, 'ref', 'ref', '');
|
||||||
print '</td></tr>';
|
print '</td></tr>';
@@ -555,7 +555,7 @@ if ($projectid > 0 || $project_ref) {
|
|||||||
// Define a complementary filter for search of next/prev ref.
|
// Define a complementary filter for search of next/prev ref.
|
||||||
if (!$user->rights->projet->all->lire) {
|
if (!$user->rights->projet->all->lire) {
|
||||||
$objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0);
|
$objectsListId = $object->getProjectsAuthorizedForUser($user, 0, 0);
|
||||||
$object->next_prev_filter = " rowid in (".(count($objectsListId) ?join(',', array_keys($objectsListId)) : '0').")";
|
$object->next_prev_filter = " rowid IN (".$db->sanitize(count($objectsListId) ? join(',', array_keys($objectsListId)) : '0').")";
|
||||||
}
|
}
|
||||||
|
|
||||||
dol_banner_tab($object, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
|
dol_banner_tab($object, 'project_ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
@@ -411,7 +411,7 @@ if ($search_categ == -2) {
|
|||||||
$sql .= " AND cu.fk_categorie IS NULL";
|
$sql .= " AND cu.fk_categorie IS NULL";
|
||||||
}
|
}
|
||||||
if ($mode == 'employee' && empty($user->rights->salaries->readall)) {
|
if ($mode == 'employee' && empty($user->rights->salaries->readall)) {
|
||||||
$sql .= " AND u.fk_user IN (".join(',', $childids).")";
|
$sql .= " AND u.fk_user IN (".$db->sanitize(join(',', $childids)).")";
|
||||||
}
|
}
|
||||||
// Add where from extra fields
|
// Add where from extra fields
|
||||||
include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_search_sql.tpl.php';
|
include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_search_sql.tpl.php';
|
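Review bot: If `$childids` is empty, the new line still emits `u.fk_user IN ()`, which is a syntax error rather than an empty result, and `$db->sanitize()` does not change that. `$childids` is built outside the hunk and may always include at least the current user's id; if that is not guaranteed, use the same fallback the `rowid IN` filters in this commit use: `" AND u.fk_user IN (".(count($childids) ? $db->sanitize(implode(',', $childids)) : '0').")"`. Keeping this restriction adjacent to the `readall` rights check is the right place for it.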
@@ -171,7 +171,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
|||||||
$db=$this->savdb;
|
$db=$this->savdb;
|
||||||
|
|
||||||
include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
|
include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
|
||||||
$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname');
|
$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname', SORT_ASC, 0, 0, '', 1);
|
||||||
//$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname');
|
//$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname');
|
||||||
|
|
||||||
foreach ($filesarray as $key => $file) {
|
foreach ($filesarray as $key => $file) {
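Review bot: The new `dol_dir_list()` call appends five positional arguments (`SORT_ASC, 0, 0, '', 1`) with nothing saying what the trailing `1` turns on, and the previous call is left commented out directly beneath it. Drop the dead line and annotate the call with the parameter's actual name from the function signature, e.g. `// <name of last flag>=1: scan every .php file under DOL_DOCUMENT_ROOT`, so the next reader does not have to look it up. The test method continues outside the hunk.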
@@ -314,7 +314,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
|
|||||||
// Check string IN (".xxx with xxx that is not '$this->db->sanitize' and not '$db->sanitize'. It means we forget a db->sanitize when forging sql request.
|
// Check string IN (".xxx with xxx that is not '$this->db->sanitize' and not '$db->sanitize'. It means we forget a db->sanitize when forging sql request.
|
||||||
preg_match_all('/ IN \([\'"]\s*\.\s*(.........)/i', $filecontent, $matches, PREG_SET_ORDER);
|
preg_match_all('/ IN \([\'"]\s*\.\s*(.........)/i', $filecontent, $matches, PREG_SET_ORDER);
|
||||||
foreach ($matches as $key => $val) {
|
foreach ($matches as $key => $val) {
|
||||||
if (!in_array($val[1], array('$db->sani', '$this->db', 'getEntity', 'self::STA', 'Commande:', 'CommandeF', 'Facture::', 'FactureFo', 'ExpenseRe', 'Societe::'))) {
|
if (!in_array($val[1], array('$db->sani', '$this->db', 'getEntity', 'WON\',\'L', 'self::STA', 'Commande:', 'CommandeF', 'Entrepot:', 'Facture::', 'FactureFo', 'ExpenseRe', 'Societe::', 'Ticket::S'))) {
|
||||||
$ok=false;
|
$ok=false;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
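Review bot: The allowlist is keyed on only the first nine characters after `IN (".`, so any expression that merely starts with an allowed prefix passes the lint even when the rest is unsanitized concatenation — `Ticket::STATUS_X.', '.$search` or `Entrepot::...'.$id` would be accepted, and the new `'WON\',\'L'` entry is a fragment of a literal list rather than a constant name. A check that enforces what the comment claims would capture the whole concatenated tail and reject it when it contains a `$` that is not `$db->sanitize(`/`$this->db->sanitize(`, e.g. `if (preg_match('/\$(?!db->sanitize\(|this->db->sanitize\()/', $val[1]))`, with the capture group widened beyond nine characters. At minimum the prefix list deserves a comment stating that it only proves the expression begins with a constant. The test method starts and ends outside the hunk.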