forked from Wavyzz/dolibarr
FIX pgsql compatibility. Add PHPUnit to avoid using dates without quotes
This commit is contained in:
Laurent Destailleur
@@ -37,7 +37,7 @@ class AccountancySystem
|
|||||||
var $label;
|
var $label;
|
||||||
var $account_number;
|
var $account_number;
|
||||||
var $account_parent;
|
var $account_parent;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Constructor
|
* Constructor
|
||||||
*
|
*
|
||||||
@@ -46,8 +46,8 @@ class AccountancySystem
|
|||||||
function __construct($db) {
|
function __construct($db) {
|
||||||
$this->db = $db;
|
$this->db = $db;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Load record in memory
|
* Load record in memory
|
||||||
*
|
*
|
||||||
@@ -55,11 +55,11 @@ class AccountancySystem
|
|||||||
* @param string $ref ref
|
* @param string $ref ref
|
||||||
* @return int <0 if KO, Id of record if OK and found
|
* @return int <0 if KO, Id of record if OK and found
|
||||||
*/
|
*/
|
||||||
function fetch($rowid = 0, $ref = '')
|
function fetch($rowid = 0, $ref = '')
|
||||||
{
|
{
|
||||||
global $conf;
|
global $conf;
|
||||||
|
|
||||||
if ($rowid > 0 || $ref)
|
if ($rowid > 0 || $ref)
|
||||||
{
|
{
|
||||||
$sql = "SELECT a.pcg_version, a.label, a.active";
|
$sql = "SELECT a.pcg_version, a.label, a.active";
|
||||||
$sql .= " FROM " . MAIN_DB_PREFIX . "accounting_system as a";
|
$sql .= " FROM " . MAIN_DB_PREFIX . "accounting_system as a";
|
||||||
@@ -69,12 +69,12 @@ class AccountancySystem
|
|||||||
} elseif ($ref) {
|
} elseif ($ref) {
|
||||||
$sql .= " a.pcg_version = '" . $ref . "'";
|
$sql .= " a.pcg_version = '" . $ref . "'";
|
||||||
}
|
}
|
||||||
|
|
||||||
dol_syslog(get_class($this) . "::fetch sql=" . $sql, LOG_DEBUG);
|
dol_syslog(get_class($this) . "::fetch sql=" . $sql, LOG_DEBUG);
|
||||||
$result = $this->db->query($sql);
|
$result = $this->db->query($sql);
|
||||||
if ($result) {
|
if ($result) {
|
||||||
$obj = $this->db->fetch_object($result);
|
$obj = $this->db->fetch_object($result);
|
||||||
|
|
||||||
if ($obj) {
|
if ($obj) {
|
||||||
$this->id = $obj->rowid;
|
$this->id = $obj->rowid;
|
||||||
$this->rowid = $obj->rowid;
|
$this->rowid = $obj->rowid;
|
||||||
@@ -82,7 +82,7 @@ class AccountancySystem
|
|||||||
$this->ref = $obj->pcg_version;
|
$this->ref = $obj->pcg_version;
|
||||||
$this->label = $obj->label;
|
$this->label = $obj->label;
|
||||||
$this->active = $obj->active;
|
$this->active = $obj->active;
|
||||||
|
|
||||||
return $this->id;
|
return $this->id;
|
||||||
} else {
|
} else {
|
||||||
return 0;
|
return 0;
|
||||||
@@ -94,8 +94,8 @@ class AccountancySystem
|
|||||||
}
|
}
|
||||||
return - 1;
|
return - 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Insert accountancy system name into database
|
* Insert accountancy system name into database
|
||||||
*
|
*
|
||||||
@@ -104,16 +104,16 @@ class AccountancySystem
|
|||||||
*/
|
*/
|
||||||
function create($user) {
|
function create($user) {
|
||||||
$now = dol_now();
|
$now = dol_now();
|
||||||
|
|
||||||
$sql = "INSERT INTO " . MAIN_DB_PREFIX . "accounting_system";
|
$sql = "INSERT INTO " . MAIN_DB_PREFIX . "accounting_system";
|
||||||
$sql .= " (date_creation, fk_user_author, numero, label)";
|
$sql .= " (date_creation, fk_user_author, numero, label)";
|
||||||
$sql .= " VALUES (" . $this->db->idate($now) . "," . $user->id . ",'" . $this->numero . "','" . $this->label . "')";
|
$sql .= " VALUES ('" . $this->db->idate($now) . "'," . $user->id . ",'" . $this->numero . "','" . $this->label . "')";
|
||||||
|
|
||||||
dol_syslog(get_class($this) . "::create sql=" . $sql, LOG_DEBUG);
|
dol_syslog(get_class($this) . "::create sql=" . $sql, LOG_DEBUG);
|
||||||
$resql = $this->db->query($sql);
|
$resql = $this->db->query($sql);
|
||||||
if ($resql) {
|
if ($resql) {
|
||||||
$id = $this->db->last_insert_id(MAIN_DB_PREFIX . "accounting_system");
|
$id = $this->db->last_insert_id(MAIN_DB_PREFIX . "accounting_system");
|
||||||
|
|
||||||
if ($id > 0) {
|
if ($id > 0) {
|
||||||
$this->rowid = $id;
|
$this->rowid = $id;
|
||||||
$result = $this->rowid;
|
$result = $this->rowid;
|
||||||
@@ -127,7 +127,7 @@ class AccountancySystem
|
|||||||
$this->error = "AccountancySystem::Create Erreur $result";
|
$this->error = "AccountancySystem::Create Erreur $result";
|
||||||
dol_syslog($this->error, LOG_ERR);
|
dol_syslog($this->error, LOG_ERR);
|
||||||
}
|
}
|
||||||
|
|
||||||
return $result;
|
return $result;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -124,7 +124,7 @@ class AdvanceTargetingMailing extends CommonObject
|
|||||||
$sql.= " ".(! isset($this->fk_mailing)?'NULL':"'".$this->fk_mailing."'").",";
|
$sql.= " ".(! isset($this->fk_mailing)?'NULL':"'".$this->fk_mailing."'").",";
|
||||||
$sql.= " ".(! isset($this->filtervalue)?'NULL':"'".$this->db->escape($this->filtervalue)."'").",";
|
$sql.= " ".(! isset($this->filtervalue)?'NULL':"'".$this->db->escape($this->filtervalue)."'").",";
|
||||||
$sql.= " ".$user->id.",";
|
$sql.= " ".$user->id.",";
|
||||||
$sql.= " ".$this->db->idate(dol_now()).",";
|
$sql.= " '".$this->db->idate(dol_now())."',";
|
||||||
$sql.= " ".$user->id;
|
$sql.= " ".$user->id;
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -86,9 +86,9 @@ class PaymentVarious extends CommonObject
|
|||||||
// Update request
|
// Update request
|
||||||
$sql = "UPDATE ".MAIN_DB_PREFIX."payment_various SET";
|
$sql = "UPDATE ".MAIN_DB_PREFIX."payment_various SET";
|
||||||
|
|
||||||
$sql.= " tms=".$this->db->idate($this->tms).",";
|
$sql.= " tms='".$this->db->idate($this->tms)."',";
|
||||||
$sql.= " datep=".$this->db->idate($this->datep).",";
|
$sql.= " datep='".$this->db->idate($this->datep)."',";
|
||||||
$sql.= " datev=".$this->db->idate($this->datev).",";
|
$sql.= " datev='".$this->db->idate($this->datev)."',";
|
||||||
$sql.= " sens=".$this->sens.",";
|
$sql.= " sens=".$this->sens.",";
|
||||||
$sql.= " amount=".price2num($this->amount).",";
|
$sql.= " amount=".price2num($this->amount).",";
|
||||||
$sql.= " fk_typepayment=".$this->fk_typepayment."',";
|
$sql.= " fk_typepayment=".$this->fk_typepayment."',";
|
||||||
|
|||||||
@@ -151,9 +151,9 @@ class Localtax extends CommonObject
|
|||||||
// Update request
|
// Update request
|
||||||
$sql = "UPDATE ".MAIN_DB_PREFIX."localtax SET";
|
$sql = "UPDATE ".MAIN_DB_PREFIX."localtax SET";
|
||||||
$sql.= " localtaxtype=".$this->ltt.",";
|
$sql.= " localtaxtype=".$this->ltt.",";
|
||||||
$sql.= " tms=".$this->db->idate($this->tms).",";
|
$sql.= " tms='".$this->db->idate($this->tms)."',";
|
||||||
$sql.= " datep=".$this->db->idate($this->datep).",";
|
$sql.= " datep='".$this->db->idate($this->datep)."',";
|
||||||
$sql.= " datev=".$this->db->idate($this->datev).",";
|
$sql.= " datev='".$this->db->idate($this->datev)."',";
|
||||||
$sql.= " amount=".price2num($this->amount).",";
|
$sql.= " amount=".price2num($this->amount).",";
|
||||||
$sql.= " label='".$this->db->escape($this->label)."',";
|
$sql.= " label='".$this->db->escape($this->label)."',";
|
||||||
$sql.= " note='".$this->db->escape($this->note)."',";
|
$sql.= " note='".$this->db->escape($this->note)."',";
|
||||||
|
|||||||
@@ -34,7 +34,7 @@ class PaymentSalary extends CommonObject
|
|||||||
//public $element='payment_salary'; //!< Id that identify managed objects
|
//public $element='payment_salary'; //!< Id that identify managed objects
|
||||||
//public $table_element='payment_salary'; //!< Name of table without prefix where object is stored
|
//public $table_element='payment_salary'; //!< Name of table without prefix where object is stored
|
||||||
public $picto='payment';
|
public $picto='payment';
|
||||||
|
|
||||||
public $tms;
|
public $tms;
|
||||||
public $fk_user;
|
public $fk_user;
|
||||||
public $datep;
|
public $datep;
|
||||||
@@ -97,16 +97,16 @@ class PaymentSalary extends CommonObject
|
|||||||
// Update request
|
// Update request
|
||||||
$sql = "UPDATE ".MAIN_DB_PREFIX."payment_salary SET";
|
$sql = "UPDATE ".MAIN_DB_PREFIX."payment_salary SET";
|
||||||
|
|
||||||
$sql.= " tms=".$this->db->idate($this->tms).",";
|
$sql.= " tms='".$this->db->idate($this->tms)."',";
|
||||||
$sql.= " fk_user=".$this->fk_user.",";
|
$sql.= " fk_user=".$this->fk_user.",";
|
||||||
$sql.= " datep=".$this->db->idate($this->datep).",";
|
$sql.= " datep='".$this->db->idate($this->datep)."',";
|
||||||
$sql.= " datev=".$this->db->idate($this->datev).",";
|
$sql.= " datev='".$this->db->idate($this->datev)."',";
|
||||||
$sql.= " amount=".price2num($this->amount).",";
|
$sql.= " amount=".price2num($this->amount).",";
|
||||||
$sql.= " fk_typepayment=".$this->fk_typepayment."',";
|
$sql.= " fk_typepayment=".$this->fk_typepayment."',";
|
||||||
$sql.= " num_payment='".$this->db->escape($this->num_payment)."',";
|
$sql.= " num_payment='".$this->db->escape($this->num_payment)."',";
|
||||||
$sql.= " label='".$this->db->escape($this->label)."',";
|
$sql.= " label='".$this->db->escape($this->label)."',";
|
||||||
$sql.= " datesp=".$this->db->idate($this->datesp).",";
|
$sql.= " datesp='".$this->db->idate($this->datesp)."',";
|
||||||
$sql.= " dateep=".$this->db->idate($this->dateep).",";
|
$sql.= " dateep='".$this->db->idate($this->dateep)."',";
|
||||||
$sql.= " note='".$this->db->escape($this->note)."',";
|
$sql.= " note='".$this->db->escape($this->note)."',";
|
||||||
$sql.= " fk_bank=".($this->fk_bank > 0 ? "'".$this->fk_bank."'":"null").",";
|
$sql.= " fk_bank=".($this->fk_bank > 0 ? "'".$this->fk_bank."'":"null").",";
|
||||||
$sql.= " fk_user_author=".$this->fk_user_author.",";
|
$sql.= " fk_user_author=".$this->fk_user_author.",";
|
||||||
@@ -548,7 +548,7 @@ class PaymentSalary extends CommonObject
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Retourne le libelle du statut d'une facture (brouillon, validee, abandonnee, payee)
|
* Retourne le libelle du statut d'une facture (brouillon, validee, abandonnee, payee)
|
||||||
*
|
*
|
||||||
@@ -559,7 +559,7 @@ class PaymentSalary extends CommonObject
|
|||||||
{
|
{
|
||||||
return $this->LibStatut($this->statut,$mode);
|
return $this->LibStatut($this->statut,$mode);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Renvoi le libelle d'un statut donne
|
* Renvoi le libelle d'un statut donne
|
||||||
*
|
*
|
||||||
@@ -570,7 +570,7 @@ class PaymentSalary extends CommonObject
|
|||||||
function LibStatut($status,$mode=0)
|
function LibStatut($status,$mode=0)
|
||||||
{
|
{
|
||||||
global $langs; // TODO Renvoyer le libelle anglais et faire traduction a affichage
|
global $langs; // TODO Renvoyer le libelle anglais et faire traduction a affichage
|
||||||
|
|
||||||
$langs->load('compta');
|
$langs->load('compta');
|
||||||
/*if ($mode == 0)
|
/*if ($mode == 0)
|
||||||
{
|
{
|
||||||
@@ -609,5 +609,5 @@ class PaymentSalary extends CommonObject
|
|||||||
}*/
|
}*/
|
||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -173,9 +173,9 @@ class Tva extends CommonObject
|
|||||||
|
|
||||||
// Update request
|
// Update request
|
||||||
$sql = "UPDATE ".MAIN_DB_PREFIX."tva SET";
|
$sql = "UPDATE ".MAIN_DB_PREFIX."tva SET";
|
||||||
$sql.= " tms=".$this->db->idate($this->tms).",";
|
$sql.= " tms='".$this->db->idate($this->tms)."',";
|
||||||
$sql.= " datep=".$this->db->idate($this->datep).",";
|
$sql.= " datep='".$this->db->idate($this->datep)."',";
|
||||||
$sql.= " datev=".$this->db->idate($this->datev).",";
|
$sql.= " datev='".$this->db->idate($this->datev)."',";
|
||||||
$sql.= " amount=".price2num($this->amount).",";
|
$sql.= " amount=".price2num($this->amount).",";
|
||||||
$sql.= " label='".$this->db->escape($this->label)."',";
|
$sql.= " label='".$this->db->escape($this->label)."',";
|
||||||
$sql.= " note='".$this->db->escape($this->note)."',";
|
$sql.= " note='".$this->db->escape($this->note)."',";
|
||||||
|
|||||||
@@ -172,7 +172,7 @@ class Events // extends CommonObject
|
|||||||
// Update request
|
// Update request
|
||||||
$sql = "UPDATE ".MAIN_DB_PREFIX."events SET";
|
$sql = "UPDATE ".MAIN_DB_PREFIX."events SET";
|
||||||
$sql.= " type='".$this->db->escape($this->type)."',";
|
$sql.= " type='".$this->db->escape($this->type)."',";
|
||||||
$sql.= " dateevent=".$this->db->idate($this->dateevent).",";
|
$sql.= " dateevent='".$this->db->idate($this->dateevent)."',";
|
||||||
$sql.= " description='".$this->db->escape($this->description)."'";
|
$sql.= " description='".$this->db->escape($this->description)."'";
|
||||||
$sql.= " WHERE rowid=".$this->id;
|
$sql.= " WHERE rowid=".$this->id;
|
||||||
|
|
||||||
|
|||||||
@@ -155,6 +155,25 @@ class CodingPhpTest extends PHPUnit_Framework_TestCase
|
|||||||
print 'Check php file '.$file['fullname']."\n";
|
print 'Check php file '.$file['fullname']."\n";
|
||||||
$filecontent=file_get_contents($file['fullname']);
|
$filecontent=file_get_contents($file['fullname']);
|
||||||
|
|
||||||
|
|
||||||
|
$ok=true;
|
||||||
|
$matches=array();
|
||||||
|
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
|
||||||
|
preg_match_all('/(..)\s*\.\s*\$this->db->idate\(/', $filecontent, $matches, PREG_SET_ORDER);
|
||||||
|
foreach($matches as $key => $val)
|
||||||
|
{
|
||||||
|
if ($val[1] != '\'"' && $val[1] != '\'\'')
|
||||||
|
{
|
||||||
|
$ok=false;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
//if ($reg[0] != 'db') $ok=false;
|
||||||
|
}
|
||||||
|
//print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
|
||||||
|
$this->assertTrue($ok, 'Found a $this->db->idate to forge a sql request without quotes around this date field '.$file['fullname'].' :: '.$val[0]);
|
||||||
|
//exit;
|
||||||
|
|
||||||
|
|
||||||
$ok=true;
|
$ok=true;
|
||||||
$matches=array();
|
$matches=array();
|
||||||
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
|
// Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
|
||||||
@@ -172,6 +191,7 @@ class CodingPhpTest extends PHPUnit_Framework_TestCase
|
|||||||
$this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['fullname'].' ('.$val[0].'). Bad.');
|
$this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['fullname'].' ('.$val[0].'). Bad.');
|
||||||
//exit;
|
//exit;
|
||||||
|
|
||||||
|
|
||||||
// Test that output of $_SERVER\[\'QUERY_STRING\'\] is escaped.
|
// Test that output of $_SERVER\[\'QUERY_STRING\'\] is escaped.
|
||||||
$ok=true;
|
$ok=true;
|
||||||
$matches=array();
|
$matches=array();
|
||||||
|
|||||||
Reference in New Issue
Block a user