FIX pgsql compatibility. Add PHPUnit to avoid using dates without quotes
@@ -107,7 +107,7 @@ class AccountancySystem
|
|||||||
|
|
||||||
$sql = "INSERT INTO " . MAIN_DB_PREFIX . "accounting_system";
|
$sql = "INSERT INTO " . MAIN_DB_PREFIX . "accounting_system";
|
||||||
$sql .= " (date_creation, fk_user_author, numero, label)";
|
$sql .= " (date_creation, fk_user_author, numero, label)";
|
||||||
$sql .= " VALUES (" . $this->db->idate($now) . "," . $user->id . ",'" . $this->numero . "','" . $this->label . "')";
|
$sql .= " VALUES ('" . $this->db->idate($now) . "'," . $user->id . ",'" . $this->numero . "','" . $this->label . "')";
|
||||||
|
|
||||||
dol_syslog(get_class($this) . "::create sql=" . $sql, LOG_DEBUG);
|
dol_syslog(get_class($this) . "::create sql=" . $sql, LOG_DEBUG);
|
||||||
$resql = $this->db->query($sql);
|
$resql = $this->db->query($sql);
|
||||||
|
|||||||
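Review bot: The rewritten VALUES line still concatenates `$this->numero` and `$this->label` into the INSERT as raw strings, so a label containing a single quote breaks the statement even after the date is quoted; only the date quoting changed here. The two string columns should go through the same escape helper the other hunks use, and the user id should be cast: `$sql .= " VALUES ('" . $this->db->idate($now) . "'," . ((int) $user->id) . ",'" . $this->db->escape($this->numero) . "','" . $this->db->escape($this->label) . "')";`. The enclosing create() method starts and ends outside the hunk.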
@@ -124,7 +124,7 @@ class AdvanceTargetingMailing extends CommonObject
|
|||||||
$sql.= " ".(! isset($this->fk_mailing)?'NULL':"'".$this->fk_mailing."'").",";
|
$sql.= " ".(! isset($this->fk_mailing)?'NULL':"'".$this->fk_mailing."'").",";
|
||||||
$sql.= " ".(! isset($this->filtervalue)?'NULL':"'".$this->db->escape($this->filtervalue)."'").",";
|
$sql.= " ".(! isset($this->filtervalue)?'NULL':"'".$this->db->escape($this->filtervalue)."'").",";
|
||||||
$sql.= " ".$user->id.",";
|
$sql.= " ".$user->id.",";
|
||||||
$sql.= " ".$this->db->idate(dol_now()).",";
|
$sql.= " '".$this->db->idate(dol_now())."',";
|
||||||
$sql.= " ".$user->id;
|
$sql.= " ".$user->id;
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
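Review bot: The `fk_mailing` fragment two lines above the changed date line emits `$this->fk_mailing` as a quoted string with neither escaping nor a cast, unlike `$user->id` which is at least numeric by origin; a foreign key should be forced to an integer rather than quoted. Suggested: `$sql.= " ".(! isset($this->fk_mailing) ? 'NULL' : (int) $this->fk_mailing).",";`. The enclosing method starts and ends outside the hunk, so I cannot see whether fk_mailing is validated before this point.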
@@ -86,9 +86,9 @@ class PaymentVarious extends CommonObject
|
|||||||
// Update request
|
// Update request
|
||||||
$sql = "UPDATE ".MAIN_DB_PREFIX."payment_various SET";
|
$sql = "UPDATE ".MAIN_DB_PREFIX."payment_various SET";
|
||||||
|
|
||||||
$sql.= " tms=".$this->db->idate($this->tms).",";
|
$sql.= " tms='".$this->db->idate($this->tms)."',";
|
||||||
$sql.= " datep=".$this->db->idate($this->datep).",";
|
$sql.= " datep='".$this->db->idate($this->datep)."',";
|
||||||
$sql.= " datev=".$this->db->idate($this->datev).",";
|
$sql.= " datev='".$this->db->idate($this->datev)."',";
|
||||||
$sql.= " sens=".$this->sens.",";
|
$sql.= " sens=".$this->sens.",";
|
||||||
$sql.= " amount=".price2num($this->amount).",";
|
$sql.= " amount=".price2num($this->amount).",";
|
||||||
$sql.= " fk_typepayment=".$this->fk_typepayment."',";
|
$sql.= " fk_typepayment=".$this->fk_typepayment."',";
|
||||||
|
|||||||
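Review bot: The `fk_typepayment` context line at the end of this hunk ends with a stray single quote, `...$this->fk_typepayment."',"`, which produces `fk_typepayment=3',` with no opening quote inside the hunk, so the UPDATE is a syntax error on every backend regardless of the date quoting this commit fixes. The same line appears unchanged in the PaymentSalary hunk. Suggested: `$sql.= " fk_typepayment=".((int) $this->fk_typepayment).",";`. The enclosing update() method continues outside the hunk, so if the statement is only ever reached in a code path that is never executed that would explain why it went unnoticed, but it should still be fixed alongside this change.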
@@ -151,9 +151,9 @@ class Localtax extends CommonObject
|
|||||||
// Update request
|
// Update request
|
||||||
$sql = "UPDATE ".MAIN_DB_PREFIX."localtax SET";
|
$sql = "UPDATE ".MAIN_DB_PREFIX."localtax SET";
|
||||||
$sql.= " localtaxtype=".$this->ltt.",";
|
$sql.= " localtaxtype=".$this->ltt.",";
|
||||||
$sql.= " tms=".$this->db->idate($this->tms).",";
|
$sql.= " tms='".$this->db->idate($this->tms)."',";
|
||||||
$sql.= " datep=".$this->db->idate($this->datep).",";
|
$sql.= " datep='".$this->db->idate($this->datep)."',";
|
||||||
$sql.= " datev=".$this->db->idate($this->datev).",";
|
$sql.= " datev='".$this->db->idate($this->datev)."',";
|
||||||
$sql.= " amount=".price2num($this->amount).",";
|
$sql.= " amount=".price2num($this->amount).",";
|
||||||
$sql.= " label='".$this->db->escape($this->label)."',";
|
$sql.= " label='".$this->db->escape($this->label)."',";
|
||||||
$sql.= " note='".$this->db->escape($this->note)."',";
|
$sql.= " note='".$this->db->escape($this->note)."',";
|
||||||
|
|||||||
@@ -97,16 +97,16 @@ class PaymentSalary extends CommonObject
|
|||||||
// Update request
|
// Update request
|
||||||
$sql = "UPDATE ".MAIN_DB_PREFIX."payment_salary SET";
|
$sql = "UPDATE ".MAIN_DB_PREFIX."payment_salary SET";
|
||||||
|
|
||||||
$sql.= " tms=".$this->db->idate($this->tms).",";
|
$sql.= " tms='".$this->db->idate($this->tms)."',";
|
||||||
$sql.= " fk_user=".$this->fk_user.",";
|
$sql.= " fk_user=".$this->fk_user.",";
|
||||||
$sql.= " datep=".$this->db->idate($this->datep).",";
|
$sql.= " datep='".$this->db->idate($this->datep)."',";
|
||||||
$sql.= " datev=".$this->db->idate($this->datev).",";
|
$sql.= " datev='".$this->db->idate($this->datev)."',";
|
||||||
$sql.= " amount=".price2num($this->amount).",";
|
$sql.= " amount=".price2num($this->amount).",";
|
||||||
$sql.= " fk_typepayment=".$this->fk_typepayment."',";
|
$sql.= " fk_typepayment=".$this->fk_typepayment."',";
|
||||||
$sql.= " num_payment='".$this->db->escape($this->num_payment)."',";
|
$sql.= " num_payment='".$this->db->escape($this->num_payment)."',";
|
||||||
$sql.= " label='".$this->db->escape($this->label)."',";
|
$sql.= " label='".$this->db->escape($this->label)."',";
|
||||||
$sql.= " datesp=".$this->db->idate($this->datesp).",";
|
$sql.= " datesp='".$this->db->idate($this->datesp)."',";
|
||||||
$sql.= " dateep=".$this->db->idate($this->dateep).",";
|
$sql.= " dateep='".$this->db->idate($this->dateep)."',";
|
||||||
$sql.= " note='".$this->db->escape($this->note)."',";
|
$sql.= " note='".$this->db->escape($this->note)."',";
|
||||||
$sql.= " fk_bank=".($this->fk_bank > 0 ? "'".$this->fk_bank."'":"null").",";
|
$sql.= " fk_bank=".($this->fk_bank > 0 ? "'".$this->fk_bank."'":"null").",";
|
||||||
$sql.= " fk_user_author=".$this->fk_user_author.",";
|
$sql.= " fk_user_author=".$this->fk_user_author.",";
|
||||||
|
|||||||
@@ -173,9 +173,9 @@ class Tva extends CommonObject
|
|||||||
|
|
||||||
// Update request
|
// Update request
|
||||||
$sql = "UPDATE ".MAIN_DB_PREFIX."tva SET";
|
$sql = "UPDATE ".MAIN_DB_PREFIX."tva SET";
|
||||||
$sql.= " tms=".$this->db->idate($this->tms).",";
|
$sql.= " tms='".$this->db->idate($this->tms)."',";
|
||||||
$sql.= " datep=".$this->db->idate($this->datep).",";
|
$sql.= " datep='".$this->db->idate($this->datep)."',";
|
||||||
$sql.= " datev=".$this->db->idate($this->datev).",";
|
$sql.= " datev='".$this->db->idate($this->datev)."',";
|
||||||
$sql.= " amount=".price2num($this->amount).",";
|
$sql.= " amount=".price2num($this->amount).",";
|
||||||
$sql.= " label='".$this->db->escape($this->label)."',";
|
$sql.= " label='".$this->db->escape($this->label)."',";
|
||||||
$sql.= " note='".$this->db->escape($this->note)."',";
|
$sql.= " note='".$this->db->escape($this->note)."',";
|
||||||
|
|||||||
@@ -172,7 +172,7 @@ class Events // extends CommonObject
|
|||||||
// Update request
|
// Update request
|
||||||
$sql = "UPDATE ".MAIN_DB_PREFIX."events SET";
|
$sql = "UPDATE ".MAIN_DB_PREFIX."events SET";
|
||||||
$sql.= " type='".$this->db->escape($this->type)."',";
|
$sql.= " type='".$this->db->escape($this->type)."',";
|
||||||
$sql.= " dateevent=".$this->db->idate($this->dateevent).",";
|
$sql.= " dateevent='".$this->db->idate($this->dateevent)."',";
|
||||||
$sql.= " description='".$this->db->escape($this->description)."'";
|
$sql.= " description='".$this->db->escape($this->description)."'";
|
||||||
$sql.= " WHERE rowid=".$this->id;
|
$sql.= " WHERE rowid=".$this->id;
|
||||||
|
|
||||||
|
|||||||
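Review bot: The `WHERE rowid=".$this->id` line at the bottom of the hunk interpolates the row id without a cast, so whatever was assigned to `$this->id` is placed directly into the UPDATE's WHERE clause; the other id fields in this commit are treated the same way, but an UPDATE predicate is the place where it matters most. Suggested: `$sql.= " WHERE rowid=".((int) $this->id);`. The enclosing update() method starts and ends outside the hunk.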
@@ -155,6 +155,25 @@ class CodingPhpTest extends PHPUnit_Framework_TestCase
|
|||||||
print 'Check php file '.$file['fullname']."\n";
|
print 'Check php file '.$file['fullname']."\n";
|
||||||
$filecontent=file_get_contents($file['fullname']);
|
$filecontent=file_get_contents($file['fullname']);
|
||||||
|
|
||||||
|
|
||||||
|
$ok=true;
|
||||||
|
$matches=array();
|
||||||
|
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
|
||||||
|
preg_match_all('/(..)\s*\.\s*\$this->db->idate\(/', $filecontent, $matches, PREG_SET_ORDER);
|
||||||
|
foreach($matches as $key => $val)
|
||||||
|
{
|
||||||
|
if ($val[1] != '\'"' && $val[1] != '\'\'')
|
||||||
|
{
|
||||||
|
$ok=false;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
//if ($reg[0] != 'db') $ok=false;
|
||||||
|
}
|
||||||
|
//print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
|
||||||
|
$this->assertTrue($ok, 'Found a $this->db->idate to forge a sql request without quotes around this date field '.$file['fullname'].' :: '.$val[0]);
|
||||||
|
//exit;
|
||||||
|
|
||||||
|
|
||||||
$ok=true;
|
$ok=true;
|
||||||
$matches=array();
|
$matches=array();
|
||||||
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
|
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
|
||||||
@@ -172,6 +191,7 @@ class CodingPhpTest extends PHPUnit_Framework_TestCase
|
|||||||
$this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['fullname'].' ('.$val[0].'). Bad.');
|
$this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['fullname'].' ('.$val[0].'). Bad.');
|
||||||
//exit;
|
//exit;
|
||||||
|
|
||||||
|
|
||||||
// Test that output of $_SERVER\[\'QUERY_STRING\'\] is escaped.
|
// Test that output of $_SERVER\[\'QUERY_STRING\'\] is escaped.
|
||||||
$ok=true;
|
$ok=true;
|
||||||
$matches=array();
|
$matches=array();
|
||||||
|
|||||||