diff --git a/htdocs/bom/class/bom.class.php b/htdocs/bom/class/bom.class.php
index dd861d5dc47..40b4e89dfc5 100644
--- a/htdocs/bom/class/bom.class.php
+++ b/htdocs/bom/class/bom.class.php
@@ -584,8 +584,8 @@ class BOM extends CommonObject
 if (preg_match('/^[\(]?PROV/i', $this->ref)) {
 // Now we rename also files into index
- $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'bom/".$this->newref."'";
- $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'bom/".$this->ref."' and entity = ".$conf->entity;
+ $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'bom/".$this->db->escape($this->newref)."'";
+ $sql.= " WHERE filename LIKE '".$this->db->escape($this-ref)."%' AND filepath = 'bom/".$this->db->escape($this->ref)."' and entity = ".$conf->entity;
 $resql = $this->db->query($sql);
 if (! $resql) { $error++; $this->error = $this->db->lasterror(); }
diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php
index 5de2c9b23f5..d957235d967 100644
--- a/htdocs/comm/propal/class/propal.class.php
+++ b/htdocs/comm/propal/class/propal.class.php
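Review bot: The new WHERE line passes `$this-ref` instead of `$this->ref` to `$this->db->escape(...)`, so PHP parses it as `$this - ref` (object minus an undefined constant) rather than a property read; depending on the PHP version this either throws or, with notices, collapses to an integer, so the LIKE pattern is never the real ref and the ecm_files index rows are silently left unrenamed for every PROV document. The same typo appears in both escaped `ref` occurrences of the propal, commande, facture, contrat, expedition, expensereport, fichinter, fournisseur.commande, fournisseur.facture, livraison, reception and supplier_proposal hunks; in this BOM hunk only the LIKE operand is affected, the `filepath` operand is already correct. The line should read `$sql.= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'bom/".$this->db->escape($this->ref)."' and entity = ".$conf->entity;`. Two smaller points in the same lines: `$conf->entity` is still concatenated unescaped (an `(int)` cast would pin it), and `escape()` does not neutralise the LIKE wildcards `%` and `_`, so a ref containing `_` would match more filenames than intended and be renamed along with them — a LIKE-specific escaping of the pattern is needed if the db layer provides one. The enclosing method starts and ends outside the hunk.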
@@ -1809,8 +1809,8 @@ class Propal extends CommonObject
 if (preg_match('/^[\(]?PROV/i', $this->ref)) {
 // Now we rename also files into index
- $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'propale/".$this->newref."'";
- $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'propale/".$this->ref."' and entity = ".$conf->entity;
+ $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'propale/".$this->db->escape($this->newref)."'";
+ $sql.= " WHERE filename LIKE '".$this->db->escape($this-ref)."%' AND filepath = 'propale/".$this->db->escape($this-ref)."' and entity = ".$conf->entity;
 $resql = $this->db->query($sql);
 if (! $resql) { $error++; $this->error = $this->db->lasterror(); }
diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php
index d0e0addbc94..15156688603 100644
--- a/htdocs/commande/class/commande.class.php
+++ b/htdocs/commande/class/commande.class.php
@@ -425,8 +425,8 @@ class Commande extends CommonOrder
 if (preg_match('/^[\(]?PROV/i', $this->ref)) {
 // Now we rename also files into index
- $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'commande/".$this->newref."'";
- $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'commande/".$this->ref."' and entity = ".$conf->entity;
+ $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'commande/".$this->db->escape($this->newref)."'";
+ $sql.= " WHERE filename LIKE '".$this->db->escape($this-ref)."%' AND filepath = 'commande/".$this->db->escape($this-ref)."' and entity = ".$conf->entity;
 $resql = $this->db->query($sql);
 if (! $resql) { $error++; $this->error = $this->db->lasterror(); }
diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php
index 2a9a4f5686d..216282d369e 100644
--- a/htdocs/compta/facture/class/facture.class.php
+++ b/htdocs/compta/facture/class/facture.class.php
@@ -2419,8 +2419,8 @@ class Facture extends CommonInvoice
 if (preg_match('/^[\(]?PROV/i', $this->ref)) {
 // Now we rename also files into index
- $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'facture/".$this->newref."'";
- $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'facture/".$this->ref."' and entity = ".$conf->entity;
+ $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'facture/".$this->db->escape($this->newref)."'";
+ $sql.= " WHERE filename LIKE '".$this->db->escape($this-ref)."%' AND filepath = 'facture/".$this->db->escape($this-ref)."' and entity = ".$conf->entity;
 $resql = $this->db->query($sql);
 if (! $resql) { $error++; $this->error = $this->db->lasterror(); }
diff --git a/htdocs/contrat/class/contrat.class.php b/htdocs/contrat/class/contrat.class.php
index 0b08d3723da..bfc18faf123 100644
--- a/htdocs/contrat/class/contrat.class.php
+++ b/htdocs/contrat/class/contrat.class.php
@@ -487,8 +487,8 @@ class Contrat extends CommonObject
 if (preg_match('/^[\(]?PROV/i', $this->ref)) {
 // Now we rename also files into index
- $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'contract/".$this->newref."'";
- $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'contract/".$this->ref."' and entity = ".$conf->entity;
+ $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'contract/".$this->db->escape($this->newref)."'";
+ $sql.= " WHERE filename LIKE '".$this->db->escape($this-ref)."%' AND filepath = 'contract/".$this->db->escape($this-ref)."' and entity = ".$conf->entity;
 $resql = $this->db->query($sql);
 if (! $resql) { $error++; $this->error = $this->db->lasterror(); }
diff --git a/htdocs/expedition/class/expedition.class.php b/htdocs/expedition/class/expedition.class.php
index 37f191a0ab0..3205a245285 100644
--- a/htdocs/expedition/class/expedition.class.php
+++ b/htdocs/expedition/class/expedition.class.php
@@ -814,8 +814,8 @@ class Expedition extends CommonObject
 if (preg_match('/^[\(]?PROV/i', $this->ref)) {
 // Now we rename also files into index
- $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'expedition/sending/".$this->newref."'";
- $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'expedition/sending/".$this->ref."' and entity = ".$conf->entity;
+ $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'expedition/sending/".$this->db->escape($this->newref)."'";
+ $sql.= " WHERE filename LIKE '".$this->db->escape($this-ref)."%' AND filepath = 'expedition/sending/".$this->db->escape($this-ref)."' and entity = ".$conf->entity;
 $resql = $this->db->query($sql);
 if (! $resql) { $error++; $this->error = $this->db->lasterror(); }
diff --git a/htdocs/expensereport/class/expensereport.class.php b/htdocs/expensereport/class/expensereport.class.php
index 2d9795e6f59..63b0b798a29 100644
--- a/htdocs/expensereport/class/expensereport.class.php
+++ b/htdocs/expensereport/class/expensereport.class.php
@@ -1152,8 +1152,8 @@ class ExpenseReport extends CommonObject
 require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
 // Now we rename also files into index
- $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'expensereport/".$this->newref."'";
- $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'expensereport/".$this->ref."' and entity = ".$conf->entity;
+ $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'expensereport/".$this->db->escape($this->newref)."'";
+ $sql.= " WHERE filename LIKE '".$this->db->escape($this-ref)."%' AND filepath = 'expensereport/".$this->db->escape($this-ref)."' and entity = ".$conf->entity;
 $resql = $this->db->query($sql);
 if (! $resql) { $error++; $this->error = $this->db->lasterror(); }
diff --git a/htdocs/fichinter/class/fichinter.class.php b/htdocs/fichinter/class/fichinter.class.php
index ce066fc8c11..c987e6ffc58 100644
--- a/htdocs/fichinter/class/fichinter.class.php
+++ b/htdocs/fichinter/class/fichinter.class.php
@@ -577,8 +577,8 @@ class Fichinter extends CommonObject
 require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
 // Now we rename also files into index
- $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'ficheinter/".$this->newref."'";
- $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'ficheinter/".$this->ref."' and entity = ".$conf->entity;
+ $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'ficheinter/".$this->db->escape($this->newref)."'";
+ $sql.= " WHERE filename LIKE '".$this->db->escape($this-ref)."%' AND filepath = 'ficheinter/".$this->db->escape($this-ref)."' and entity = ".$conf->entity;
 $resql = $this->db->query($sql);
 if (! $resql) { $error++; $this->error = $this->db->lasterror(); }
diff --git a/htdocs/fourn/class/fournisseur.commande.class.php b/htdocs/fourn/class/fournisseur.commande.class.php
index b32e90c311d..c85bfaaf2d3 100644
--- a/htdocs/fourn/class/fournisseur.commande.class.php
+++ b/htdocs/fourn/class/fournisseur.commande.class.php
@@ -552,8 +552,8 @@ class CommandeFournisseur extends CommonOrder
 if (preg_match('/^[\(]?PROV/i', $this->ref)) {
 // Now we rename also files into index
- $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'fournisseur/commande/".$this->newref."'";
- $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'fournisseur/commande/".$this->ref."' and entity = ".$conf->entity;
+ $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'fournisseur/commande/".$this->db->escape($this->newref)."'";
+ $sql.= " WHERE filename LIKE '".$this->db->escape($this-ref)."%' AND filepath = 'fournisseur/commande/".$this->db->escape($this-ref)."' and entity = ".$conf->entity;
 $resql = $this->db->query($sql);
 if (! $resql) { $error++; $this->error = $this->db->lasterror(); }
diff --git a/htdocs/fourn/class/fournisseur.facture.class.php b/htdocs/fourn/class/fournisseur.facture.class.php
index b13925bf29d..31780d33ed5 100644
--- a/htdocs/fourn/class/fournisseur.facture.class.php
+++ b/htdocs/fourn/class/fournisseur.facture.class.php
@@ -1420,8 +1420,8 @@ class FactureFournisseur extends CommonInvoice
 if (preg_match('/^[\(]?PROV/i', $this->ref)) {
 // Now we rename also files into index
- $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'fournisseur/facture/".get_exdir($this->id, 2, 0, 0, $this, 'invoice_supplier').$this->newref."'";
- $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'fournisseur/facture/".get_exdir($this->id, 2, 0, 0, $this, 'invoice_supplier').$this->ref."' and entity = ".$conf->entity;
+ $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'fournisseur/facture/".get_exdir($this->id, 2, 0, 0, $this, 'invoice_supplier').$this->db->escape($this->newref)."'";
+ $sql.= " WHERE filename LIKE '".$this->db->escape($this-ref)."%' AND filepath = 'fournisseur/facture/".get_exdir($this->id, 2, 0, 0, $this, 'invoice_supplier').$this->db->escape($this-ref)."' and entity = ".$conf->entity;
 $resql = $this->db->query($sql);
 if (! $resql) { $error++; $this->error = $this->db->lasterror(); }
diff --git a/htdocs/livraison/class/livraison.class.php b/htdocs/livraison/class/livraison.class.php
index f24a2aee713..88cf4e1355a 100644
--- a/htdocs/livraison/class/livraison.class.php
+++ b/htdocs/livraison/class/livraison.class.php
@@ -442,8 +442,8 @@ class Livraison extends CommonObject
 if (preg_match('/^[\(]?PROV/i', $this->ref)) {
 // Now we rename also files into index
- $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'expedition/receipt/".$this->newref."'";
- $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'expedition/receipt/".$this->ref."' and entity = ".$conf->entity;
+ $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'expedition/receipt/".$this->db->escape($this->newref)."'";
+ $sql.= " WHERE filename LIKE '".$this->db->escape($this-ref)."%' AND filepath = 'expedition/receipt/".$this->db->escape($this-ref)."' and entity = ".$conf->entity;
 $resql = $this->db->query($sql);
 if (! $resql) { $error++; $this->error = $this->db->lasterror(); }
diff --git a/htdocs/reception/class/reception.class.php b/htdocs/reception/class/reception.class.php
index 84f95e40b9a..e89eb2c595b 100644
--- a/htdocs/reception/class/reception.class.php
+++ b/htdocs/reception/class/reception.class.php
@@ -644,8 +644,8 @@ class Reception extends CommonObject
 if (preg_match('/^[\(]?PROV/i', $this->ref)) {
 // Now we rename also files into index
- $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'reception/".$this->newref."'";
- $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'reception/".$this->ref."' and entity = ".$conf->entity;
+ $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'reception/".$this->db->escape($this->newref)."'";
+ $sql.= " WHERE filename LIKE '".$this->db->escape($this-ref)."%' AND filepath = 'reception/".$this->db->escape($this-ref)."' and entity = ".$conf->entity;
 $resql = $this->db->query($sql);
 if (! $resql) { $error++; $this->error = $this->db->lasterror(); }
diff --git a/htdocs/supplier_proposal/class/supplier_proposal.class.php b/htdocs/supplier_proposal/class/supplier_proposal.class.php
index 786485ad6dd..cb4f774a951 100644
--- a/htdocs/supplier_proposal/class/supplier_proposal.class.php
+++ b/htdocs/supplier_proposal/class/supplier_proposal.class.php
@@ -1485,8 +1485,8 @@ class SupplierProposal extends CommonObject
 if (preg_match('/^[\(]?PROV/i', $this->ref)) {
 // Now we rename also files into index
- $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->newref."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'supplier_proposal/".$this->newref."'";
- $sql.= " WHERE filename LIKE '".$this->ref."%' AND filepath = 'supplier_proposal/".$this->ref."' and entity = ".$conf->entity;
+ $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref)+1).")), filepath = 'supplier_proposal/".$this->db->escape($this->newref)."'";
+ $sql.= " WHERE filename LIKE '".$this->db->escape($this-ref)."%' AND filepath = 'supplier_proposal/".$this->db->escape($this-ref)."' and entity = ".$conf->entity;
 $resql = $this->db->query($sql);
 if (! $resql) { $error++; $this->error = $this->db->lasterror(); }