diff --git a/htdocs/admin/index.php b/htdocs/admin/index.php
index d18218b9960..cbcf5559245 100644
--- a/htdocs/admin/index.php
+++ b/htdocs/admin/index.php
@@ -37,19 +37,19 @@ if (!$user->admin)
 if ( (isset($_POST["action"]) && $_POST["action"] == 'update') || (isset($_POST["action"]) && $_POST["action"] == 'updateedit') ) {
- dolibarr_set_const($db, "MAIN_INFO_SOCIETE_NOM",$_POST["nom"]);
- dolibarr_set_const($db, "MAIN_INFO_SOCIETE_ADRESSE",$_POST["address"]);
- dolibarr_set_const($db, "MAIN_INFO_SOCIETE_PAYS",$_POST["pays_id"]);
- dolibarr_set_const($db, "MAIN_MONNAIE",$_POST["currency"]);
+ dolibarr_set_const($db, "MAIN_INFO_SOCIETE_NOM",stripslashes($_POST["nom"]));
+ dolibarr_set_const($db, "MAIN_INFO_SOCIETE_ADRESSE",stripslashes($_POST["address"]));
+ dolibarr_set_const($db, "MAIN_INFO_SOCIETE_PAYS",stripslashes($_POST["pays_id"]));
+ dolibarr_set_const($db, "MAIN_MONNAIE",stripslashes($_POST["currency"]));
- dolibarr_set_const($db, "MAIN_INFO_CAPITAL",$_POST["capital"]);
- dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FORME_JURIDIQUE",$_POST["forme_juridique_code"]);
- dolibarr_set_const($db, "MAIN_INFO_SIREN",$_POST["siren"]);
- dolibarr_set_const($db, "MAIN_INFO_SIRET",$_POST["siret"]);
- dolibarr_set_const($db, "MAIN_INFO_APE",$_POST["ape"]);
- dolibarr_set_const($db, "MAIN_INFO_RCS",$_POST["rcs"]);
- dolibarr_set_const($db, "MAIN_INFO_TVAINTRA",$_POST["tva"]);
- dolibarr_set_const($db, "FACTURE_TVAOPTION",$_POST["optiontva"]);
+ dolibarr_set_const($db, "MAIN_INFO_CAPITAL",stripslashes($_POST["capital"]));
+ dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FORME_JURIDIQUE",stripslashes($_POST["forme_juridique_code"]));
+ dolibarr_set_const($db, "MAIN_INFO_SIREN",stripslashes($_POST["siren"]));
+ dolibarr_set_const($db, "MAIN_INFO_SIRET",stripslashes($_POST["siret"]));
+ dolibarr_set_const($db, "MAIN_INFO_APE",stripslashes($_POST["ape"]));
+ dolibarr_set_const($db, "MAIN_INFO_RCS",stripslashes($_POST["rcs"]));
+ dolibarr_set_const($db, "MAIN_INFO_TVAINTRA",stripslashes($_POST["tva"]));
+ dolibarr_set_const($db, "FACTURE_TVAOPTION",stripslashes($_POST["optiontva"]));
 if ($_POST['action'] != 'updateedit') {
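Review bot: `$_POST["pays_id"]` is stored as a raw string on the `MAIN_INFO_SOCIETE_PAYS` line, and the second hunk of this file concatenates that constant unescaped into `" WHERE rowid = ".$conf->global->MAIN_INFO_SOCIETE_PAYS`, so a non-numeric submission ends up inside an SQL statement; coerce it at the boundary with `dolibarr_set_const($db, "MAIN_INFO_SOCIETE_PAYS", (int) $_POST["pays_id"]);`, and treat `capital` the same way since it is numeric by nature. The `stripslashes()` wrappers run unconditionally, so when magic_quotes_gpc is off a legitimate backslash in the company name or address is silently removed; guard the stripping with `get_magic_quotes_gpc()` (or strip once in a shared request-input helper) rather than repeating it at every call site. Exposure is limited to administrators by the `if (!$user->admin)` check named in the hunk header, but nothing visible in the hunk ties the write to a form token, so the page-level protection, if any, lives above line 37. The enclosing `if` block continues past the end of the hunk.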
@@ -131,9 +131,9 @@ if ((isset($_GET["action"]) && $_GET["action"] == 'edit') {
 $sql = "SELECT code from ".MAIN_DB_PREFIX."c_pays";
 $sql .= " WHERE rowid = ".$conf->global->MAIN_INFO_SOCIETE_PAYS;
- $result=$db->query($sql);
- if ($result) {
- $obj = $db->fetch_object();
+ $resql=$db->query($sql);
+ if ($resql) {
+ $obj = $db->fetch_object($resql);
 if ($obj->code) $code_pays=$obj->code;
 } else {
diff --git a/htdocs/lib/functions.inc.php b/htdocs/lib/functions.inc.php
index 122a2cc8915..5e3f5590b32 100644
--- a/htdocs/lib/functions.inc.php
+++ b/htdocs/lib/functions.inc.php
@@ -227,7 +227,7 @@ function dolibarr_get_const($db, $name)
 if ($resql) {
 $obj=$db->fetch_object($resql);
- $value=$obj->value;
+ $value=stripslashes($obj->value);
 }
 return $value;
 }
@@ -278,11 +278,12 @@ function dolibarr_set_const($db, $name, $value, $type='chaine', $visible=0, $not
 $db->begin();
+ //dolibarr_syslog("dolibarr_set_const name=$name, value=$value");
 $sql = "DELETE FROM llx_const WHERE name = '$name';";
 $resql=$db->query($sql);
 $sql = "INSERT INTO llx_const(name,value,type,visible,note)";
- $sql.= " VALUES ('$name','".addslashes($value)."','$type',$visible,'$note');";
+ $sql.= " VALUES ('$name','".addslashes($value)."','$type',$visible,'".addslashes($note)."');";
 $resql=$db->query($sql);
 if ($resql)
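Review bot: `$conf->global->MAIN_INFO_SOCIETE_PAYS` is concatenated unescaped into the `" WHERE rowid = "` line, and it originates from the `pays_id` form field stored by the first hunk of this file, so the lookup should pin it to an integer: `$sql .= " WHERE rowid = ".(int) $conf->global->MAIN_INFO_SOCIETE_PAYS;`. Passing `$resql` to `fetch_object` fixes the call, but a query that succeeds with no matching row presumably leaves `$obj` empty before `if ($obj->code)`; guard it with `if ($obj && $obj->code) $code_pays=$obj->code;`. The `'edit'` block this hunk belongs to starts before the hunk and its `else` branch continues after it.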
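Review bot: `$value=stripslashes($obj->value);` in `dolibarr_get_const` strips backslashes from a value that `dolibarr_set_const` below writes through `addslashes($value)`, but that `addslashes` only escapes the SQL literal and is undone by the database when the row is stored, so a configuration value containing a literal backslash now comes back altered on every read. If the intent is to compensate for magic_quotes_runtime adding slashes to fetched data, make it conditional — `$value = get_magic_quotes_runtime() ? stripslashes($obj->value) : $obj->value;` — otherwise `$value=$obj->value;` is the correct inverse of the write path. `$obj->value` is also dereferenced without checking that `fetch_object` returned a row; whether `$value` has a default in that case depends on lines above the hunk. The function's opening lines are outside the hunk.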