diff --git a/htdocs/bom/class/bom.class.php b/htdocs/bom/class/bom.class.php index ea4b306ac12..e6ae5c78ae5 100644 --- a/htdocs/bom/class/bom.class.php +++ b/htdocs/bom/class/bom.class.php @@ -1299,7 +1299,7 @@ class BOMLine extends CommonObjectLine } } if (count($sqlwhere) > 0) { - $sql .= ' AND ('.implode(' '.$filtermode.' ', $sqlwhere).')'; + $sql .= ' AND ('.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere).')'; } if (!empty($sortfield)) { diff --git a/htdocs/core/class/cproductnature.class.php b/htdocs/core/class/cproductnature.class.php index 2f523d4cda7..5b343b21dbc 100644 --- a/htdocs/core/class/cproductnature.class.php +++ b/htdocs/core/class/cproductnature.class.php @@ -219,7 +219,7 @@ class CProductNature // extends CommonObject } } if (count($sqlwhere) > 0) { - $sql .= ' WHERE ('.implode(' '.$filtermode.' ', $sqlwhere).')'; + $sql .= ' WHERE ('.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere).')'; } if (!empty($sortfield)) { diff --git a/htdocs/core/class/ctyperesource.class.php b/htdocs/core/class/ctyperesource.class.php index 5b22e4e2033..891bf6bea10 100644 --- a/htdocs/core/class/ctyperesource.class.php +++ b/htdocs/core/class/ctyperesource.class.php @@ -239,12 +239,12 @@ class Ctyperesource $sqlwhere = array(); if (count($filter) > 0) { foreach ($filter as $key => $value) { - $sqlwhere [] = $key." LIKE '%".$this->db->escape($value)."%'"; + $sqlwhere[] = $key." LIKE '%".$this->db->escape($value)."%'"; } } if (count($sqlwhere) > 0) { - $sql .= ' WHERE '.implode(' '.$filtermode.' ', $sqlwhere); + $sql .= ' WHERE '.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere); } if (!empty($sortfield)) { $sql .= $this->db->order($sortfield, $sortorder); diff --git a/htdocs/core/class/cunits.class.php b/htdocs/core/class/cunits.class.php index 6fd9b7a05cf..f2a672ec1a7 100644 --- a/htdocs/core/class/cunits.class.php +++ b/htdocs/core/class/cunits.class.php @@ -262,7 +262,7 @@ class CUnits // extends CommonObject } } if (count($sqlwhere) > 0) { - $sql .= ' WHERE ('.implode(' '.$filtermode.' ', $sqlwhere).')'; + $sql .= ' WHERE ('.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere).')'; } if (!empty($sortfield)) { diff --git a/htdocs/core/class/defaultvalues.class.php b/htdocs/core/class/defaultvalues.class.php index bad30901594..ad69982357c 100644 --- a/htdocs/core/class/defaultvalues.class.php +++ b/htdocs/core/class/defaultvalues.class.php @@ -279,7 +279,7 @@ class DefaultValues extends CommonObject } } if (count($sqlwhere) > 0) { - $sql .= ' AND ('.implode(' '.$filtermode.' ', $sqlwhere).')'; + $sql .= ' AND ('.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere).')'; } if (!empty($sortfield)) { diff --git a/htdocs/ecm/class/ecmfiles.class.php b/htdocs/ecm/class/ecmfiles.class.php index 15cfba4c03e..6c2b8fc4023 100644 --- a/htdocs/ecm/class/ecmfiles.class.php +++ b/htdocs/ecm/class/ecmfiles.class.php @@ -542,7 +542,7 @@ class EcmFiles extends CommonObject $sql .= " AND entity IN (" . getEntity('ecmfiles') . ")"; }*/ if (count($sqlwhere) > 0) { - $sql .= ' AND '.implode(' '.$filtermode.' ', $sqlwhere); + $sql .= ' AND '.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere); } if (!empty($sortfield)) { $sql .= $this->db->order($sortfield, $sortorder); diff --git a/htdocs/eventorganization/class/conferenceorbooth.class.php b/htdocs/eventorganization/class/conferenceorbooth.class.php index f7369bd6166..d3e30f8e8b9 100644 --- a/htdocs/eventorganization/class/conferenceorbooth.class.php +++ b/htdocs/eventorganization/class/conferenceorbooth.class.php @@ -306,7 +306,7 @@ class ConferenceOrBooth extends ActionComm } } if (count($sqlwhere) > 0) { - $sql .= ' AND ('.implode(' '.$filtermode.' ', $sqlwhere).')'; + $sql .= ' AND ('.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere).')'; } if (!empty($sortfield)) { diff --git a/htdocs/eventorganization/class/conferenceorboothattendee.class.php b/htdocs/eventorganization/class/conferenceorboothattendee.class.php index 5169058d41c..45e241bd1c1 100644 --- a/htdocs/eventorganization/class/conferenceorboothattendee.class.php +++ b/htdocs/eventorganization/class/conferenceorboothattendee.class.php @@ -427,7 +427,7 @@ class ConferenceOrBoothAttendee extends CommonObject } } if (count($sqlwhere) > 0) { - $sql .= ' AND ('.implode(' '.$filtermode.' ', $sqlwhere).')'; + $sql .= ' AND ('.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere).')'; } if (!empty($sortfield)) { diff --git a/htdocs/fourn/class/fournisseur.commande.dispatch.class.php b/htdocs/fourn/class/fournisseur.commande.dispatch.class.php index 686583cab65..a83795996e4 100644 --- a/htdocs/fourn/class/fournisseur.commande.dispatch.class.php +++ b/htdocs/fourn/class/fournisseur.commande.dispatch.class.php @@ -677,7 +677,7 @@ class CommandeFournisseurDispatch extends CommonObjectLine } } if (count($sqlwhere) > 0) { - $sql .= ' WHERE '.implode(' '.$filtermode.' ', $sqlwhere); + $sql .= ' WHERE '.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere); } if (!empty($sortfield)) { diff --git a/htdocs/knowledgemanagement/class/knowledgerecord.class.php b/htdocs/knowledgemanagement/class/knowledgerecord.class.php index 559e6f21cf0..8182a962b50 100644 --- a/htdocs/knowledgemanagement/class/knowledgerecord.class.php +++ b/htdocs/knowledgemanagement/class/knowledgerecord.class.php @@ -400,7 +400,7 @@ class KnowledgeRecord extends CommonObject } } if (count($sqlwhere) > 0) { - $sql .= ' AND ('.implode(' '.$filtermode.' ', $sqlwhere).')'; + $sql .= ' AND ('.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere).')'; } if (!empty($sortfield)) { diff --git a/htdocs/mrp/class/mo.class.php b/htdocs/mrp/class/mo.class.php index c88f0f44b48..535cd23cfa5 100644 --- a/htdocs/mrp/class/mo.class.php +++ b/htdocs/mrp/class/mo.class.php @@ -448,7 +448,7 @@ class Mo extends CommonObject } } if (count($sqlwhere) > 0) { - $sql .= ' AND ('.implode(' '.$filtermode.' ', $sqlwhere).')'; + $sql .= ' AND ('.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere).')'; } if (!empty($sortfield)) { @@ -1557,7 +1557,7 @@ class MoLine extends CommonObjectLine } } if (count($sqlwhere) > 0) { - $sql .= ' AND ('.implode(' '.$filtermode.' ', $sqlwhere).')'; + $sql .= ' AND ('.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere).')'; } if (!empty($sortfield)) { diff --git a/htdocs/partnership/class/partnership.class.php b/htdocs/partnership/class/partnership.class.php index 121b53007df..82a5ee65171 100644 --- a/htdocs/partnership/class/partnership.class.php +++ b/htdocs/partnership/class/partnership.class.php @@ -496,7 +496,7 @@ class Partnership extends CommonObject } } if (count($sqlwhere) > 0) { - $sql .= ' AND ('.implode(' '.$filtermode.' ', $sqlwhere).')'; + $sql .= ' AND ('.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere).')'; } if (!empty($sortfield)) { diff --git a/htdocs/product/class/productfournisseurprice.class.php b/htdocs/product/class/productfournisseurprice.class.php index 7597b32f21a..550b0e5db36 100644 --- a/htdocs/product/class/productfournisseurprice.class.php +++ b/htdocs/product/class/productfournisseurprice.class.php @@ -339,7 +339,7 @@ class ProductFournisseurPrice extends CommonObject } } if (count($sqlwhere) > 0) { - $sql .= ' AND ('.implode(' '.$filtermode.' ', $sqlwhere).')'; + $sql .= ' AND ('.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere).')'; } if (!empty($sortfield)) { diff --git a/htdocs/product/stock/class/productstockentrepot.class.php b/htdocs/product/stock/class/productstockentrepot.class.php index 0a9636c0290..9b32fe1fe5e 100644 --- a/htdocs/product/stock/class/productstockentrepot.class.php +++ b/htdocs/product/stock/class/productstockentrepot.class.php @@ -277,7 +277,7 @@ class ProductStockEntrepot extends CommonObject } } if (count($sqlwhere) > 0) { - $sql .= ' AND '.implode(' '.$filtermode.' ', $sqlwhere); + $sql .= ' AND '.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere); } if (!empty($fk_product) && $fk_product > 0) { diff --git a/htdocs/recruitment/class/recruitmentcandidature.class.php b/htdocs/recruitment/class/recruitmentcandidature.class.php index e0008d1a694..37635d27048 100644 --- a/htdocs/recruitment/class/recruitmentcandidature.class.php +++ b/htdocs/recruitment/class/recruitmentcandidature.class.php @@ -388,7 +388,7 @@ class RecruitmentCandidature extends CommonObject } } if (count($sqlwhere) > 0) { - $sql .= ' AND ('.implode(' '.$filtermode.' ', $sqlwhere).')'; + $sql .= ' AND ('.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere).')'; } if (!empty($sortfield)) { diff --git a/htdocs/recruitment/class/recruitmentjobposition.class.php b/htdocs/recruitment/class/recruitmentjobposition.class.php index 94ce1f8683d..cbfd11fd431 100644 --- a/htdocs/recruitment/class/recruitmentjobposition.class.php +++ b/htdocs/recruitment/class/recruitmentjobposition.class.php @@ -397,7 +397,7 @@ class RecruitmentJobPosition extends CommonObject } } if (count($sqlwhere) > 0) { - $sql .= ' AND ('.implode(' '.$filtermode.' ', $sqlwhere).')'; + $sql .= ' AND ('.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere).')'; } if (!empty($sortfield)) { diff --git a/htdocs/ticket/class/cticketcategory.class.php b/htdocs/ticket/class/cticketcategory.class.php index 34321b5b898..efd9b84330b 100644 --- a/htdocs/ticket/class/cticketcategory.class.php +++ b/htdocs/ticket/class/cticketcategory.class.php @@ -408,7 +408,7 @@ class CTicketCategory extends CommonObject } } if (count($sqlwhere) > 0) { - $sql .= ' AND ('.implode(' '.$filtermode.' ', $sqlwhere).')'; + $sql .= ' AND ('.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere).')'; } if (!empty($sortfield)) { diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php index db2d4583177..f229cd80637 100644 --- a/htdocs/user/class/user.class.php +++ b/htdocs/user/class/user.class.php @@ -3526,7 +3526,7 @@ class User extends CommonObject } } if (count($sqlwhere) > 0) { - $sql .= ' AND ('.implode(' '.$filtermode.' ', $sqlwhere).')'; + $sql .= ' AND ('.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere).')'; } $sql .= $this->db->order($sortfield, $sortorder); if ($limit) { diff --git a/htdocs/website/class/website.class.php b/htdocs/website/class/website.class.php index ff06eff74b6..f80a705c3f2 100644 --- a/htdocs/website/class/website.class.php +++ b/htdocs/website/class/website.class.php @@ -419,7 +419,7 @@ class Website extends CommonObject } } if (count($sqlwhere) > 0) { - $sql .= ' AND '.implode(' '.$filtermode.' ', $sqlwhere); + $sql .= ' AND '.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere); } if (!empty($sortfield)) { diff --git a/htdocs/website/class/websitepage.class.php b/htdocs/website/class/websitepage.class.php index 275c3c94afe..19fa8b8d12d 100644 --- a/htdocs/website/class/websitepage.class.php +++ b/htdocs/website/class/websitepage.class.php @@ -441,7 +441,7 @@ class WebsitePage extends CommonObject } } if (count($sqlwhere) > 0) { - $sql .= " AND (".implode(' '.$filtermode.' ', $sqlwhere).')'; + $sql .= " AND (".implode(' '.$this->db->escape($filtermode).' ', $sqlwhere).')'; } if (!empty($sortfield)) { @@ -543,7 +543,7 @@ class WebsitePage extends CommonObject } } if (count($sqlwhere) > 0) { - $sql .= ' AND ('.implode(' '.$filtermode.' ', $sqlwhere).')'; + $sql .= ' AND ('.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere).')'; } $resql = $this->db->query($sql); diff --git a/htdocs/workstation/class/workstation.class.php b/htdocs/workstation/class/workstation.class.php index 8b550add124..aae74e3804c 100755 --- a/htdocs/workstation/class/workstation.class.php +++ b/htdocs/workstation/class/workstation.class.php @@ -440,7 +440,7 @@ class Workstation extends CommonObject } } if (count($sqlwhere) > 0) { - $sql .= ' AND ('.implode(' '.$filtermode.' ', $sqlwhere).')'; + $sql .= ' AND ('.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere).')'; } if (!empty($sortfield)) { diff --git a/htdocs/zapier/class/hook.class.php b/htdocs/zapier/class/hook.class.php index fc03942d978..b27959a24c6 100644 --- a/htdocs/zapier/class/hook.class.php +++ b/htdocs/zapier/class/hook.class.php @@ -430,7 +430,7 @@ class Hook extends CommonObject } } if (count($sqlwhere) > 0) { - $sql .= ' AND ('.implode(' '.$filtermode.' ', $sqlwhere).')'; + $sql .= ' AND ('.implode(' '.$this->db->escape($filtermode).' ', $sqlwhere).')'; } if (!empty($sortfield)) { diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php index 6855451d3ac..40ca07c441f 100644 --- a/test/phpunit/CodingPhpTest.php +++ b/test/phpunit/CodingPhpTest.php @@ -354,7 +354,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase // Check string sql|set...'.$yyy->xxx with xxx that is not 'escape', 'idate', .... It means we forget a db->escape when forging sql request. preg_match_all('/(\$sql|SET\s|WHERE\s|INSERT\s|VALUES\s|VALUES\().+\s*\'\s*\.\s*\$(.........)/', $filecontent, $matches, PREG_SET_ORDER); foreach ($matches as $key => $val) { - if (! in_array($val[2], array('this->db-', 'db->sanit', 'conf->ent', 'key : \'\')', 'key])."\')', 'excludefi', 'regexstri', 'filtermod'))) { + if (! in_array($val[2], array('this->db-', 'db->sanit', 'conf->ent', 'key : \'\')', 'key])."\')', 'excludefi', 'regexstri', ''))) { $ok=false; var_dump($matches); break;