FIX pgsql compatibility. Add PHPUnit to avoid using dates without quotes

2017-07-26 21:22:53 +02:00
parent 7e0a165131
commit bdfb0b7561
8 changed files with 57 additions and 37 deletions
--- a/htdocs/accountancy/class/accountancysystem.class.php
+++ b/htdocs/accountancy/class/accountancysystem.class.php
@@ -107,7 +107,7 @@ class AccountancySystem

 		$sql = "INSERT INTO " . MAIN_DB_PREFIX . "accounting_system";
 		$sql .= " (date_creation, fk_user_author, numero, label)";
-		$sql .= " VALUES (" . $this->db->idate($now) . "," . $user->id . ",'" . $this->numero . "','" . $this->label . "')";
+		$sql .= " VALUES ('" . $this->db->idate($now) . "'," . $user->id . ",'" . $this->numero . "','" . $this->label . "')";

 		dol_syslog(get_class($this) . "::create sql=" . $sql, LOG_DEBUG);
 		$resql = $this->db->query($sql);
--- a/htdocs/comm/mailing/class/advtargetemailing.class.php
+++ b/htdocs/comm/mailing/class/advtargetemailing.class.php
@@ -124,7 +124,7 @@ class AdvanceTargetingMailing extends CommonObject
 		$sql.= " ".(! isset($this->fk_mailing)?'NULL':"'".$this->fk_mailing."'").",";
 		$sql.= " ".(! isset($this->filtervalue)?'NULL':"'".$this->db->escape($this->filtervalue)."'").",";
 		$sql.= " ".$user->id.",";
-		$sql.= " ".$this->db->idate(dol_now()).",";
+		$sql.= " '".$this->db->idate(dol_now())."',";
 		$sql.= " ".$user->id;


--- a/htdocs/compta/bank/class/paymentvarious.class.php
+++ b/htdocs/compta/bank/class/paymentvarious.class.php
@@ -86,9 +86,9 @@ class PaymentVarious extends CommonObject
 		// Update request
 		$sql = "UPDATE ".MAIN_DB_PREFIX."payment_various SET";

-		$sql.= " tms=".$this->db->idate($this->tms).",";
-		$sql.= " datep=".$this->db->idate($this->datep).",";
-		$sql.= " datev=".$this->db->idate($this->datev).",";
+		$sql.= " tms='".$this->db->idate($this->tms)."',";
+		$sql.= " datep='".$this->db->idate($this->datep)."',";
+		$sql.= " datev='".$this->db->idate($this->datev)."',";
 		$sql.= " sens=".$this->sens.",";
 		$sql.= " amount=".price2num($this->amount).",";
 		$sql.= " fk_typepayment=".$this->fk_typepayment."',";
--- a/htdocs/compta/localtax/class/localtax.class.php
+++ b/htdocs/compta/localtax/class/localtax.class.php
@@ -151,9 +151,9 @@ class Localtax extends CommonObject
 		// Update request
        $sql = "UPDATE ".MAIN_DB_PREFIX."localtax SET";
        $sql.= " localtaxtype=".$this->ltt.",";
-		$sql.= " tms=".$this->db->idate($this->tms).",";
-		$sql.= " datep=".$this->db->idate($this->datep).",";
-		$sql.= " datev=".$this->db->idate($this->datev).",";
+		$sql.= " tms='".$this->db->idate($this->tms)."',";
+		$sql.= " datep='".$this->db->idate($this->datep)."',";
+		$sql.= " datev='".$this->db->idate($this->datev)."',";
 		$sql.= " amount=".price2num($this->amount).",";
 		$sql.= " label='".$this->db->escape($this->label)."',";
 		$sql.= " note='".$this->db->escape($this->note)."',";
--- a/htdocs/compta/salaries/class/paymentsalary.class.php
+++ b/htdocs/compta/salaries/class/paymentsalary.class.php
@@ -97,16 +97,16 @@ class PaymentSalary extends CommonObject
 		// Update request
 		$sql = "UPDATE ".MAIN_DB_PREFIX."payment_salary SET";

-		$sql.= " tms=".$this->db->idate($this->tms).",";
+		$sql.= " tms='".$this->db->idate($this->tms)."',";
 		$sql.= " fk_user=".$this->fk_user.",";
-		$sql.= " datep=".$this->db->idate($this->datep).",";
-		$sql.= " datev=".$this->db->idate($this->datev).",";
+		$sql.= " datep='".$this->db->idate($this->datep)."',";
+		$sql.= " datev='".$this->db->idate($this->datev)."',";
 		$sql.= " amount=".price2num($this->amount).",";
 		$sql.= " fk_typepayment=".$this->fk_typepayment."',";
 		$sql.= " num_payment='".$this->db->escape($this->num_payment)."',";
 		$sql.= " label='".$this->db->escape($this->label)."',";
-		$sql.= " datesp=".$this->db->idate($this->datesp).",";
-		$sql.= " dateep=".$this->db->idate($this->dateep).",";
+		$sql.= " datesp='".$this->db->idate($this->datesp)."',";
+		$sql.= " dateep='".$this->db->idate($this->dateep)."',";
 		$sql.= " note='".$this->db->escape($this->note)."',";
 		$sql.= " fk_bank=".($this->fk_bank > 0 ? "'".$this->fk_bank."'":"null").",";
 		$sql.= " fk_user_author=".$this->fk_user_author.",";
--- a/htdocs/compta/tva/class/tva.class.php
+++ b/htdocs/compta/tva/class/tva.class.php
@@ -173,9 +173,9 @@ class Tva extends CommonObject

 		// Update request
        $sql = "UPDATE ".MAIN_DB_PREFIX."tva SET";
-		$sql.= " tms=".$this->db->idate($this->tms).",";
-		$sql.= " datep=".$this->db->idate($this->datep).",";
-		$sql.= " datev=".$this->db->idate($this->datev).",";
+		$sql.= " tms='".$this->db->idate($this->tms)."',";
+		$sql.= " datep='".$this->db->idate($this->datep)."',";
+		$sql.= " datev='".$this->db->idate($this->datev)."',";
 		$sql.= " amount=".price2num($this->amount).",";
 		$sql.= " label='".$this->db->escape($this->label)."',";
 		$sql.= " note='".$this->db->escape($this->note)."',";
--- a/htdocs/core/class/events.class.php
+++ b/htdocs/core/class/events.class.php
@@ -172,7 +172,7 @@ class Events // extends CommonObject
 		// Update request
 		$sql = "UPDATE ".MAIN_DB_PREFIX."events SET";
 		$sql.= " type='".$this->db->escape($this->type)."',";
-		$sql.= " dateevent=".$this->db->idate($this->dateevent).",";
+		$sql.= " dateevent='".$this->db->idate($this->dateevent)."',";
 		$sql.= " description='".$this->db->escape($this->description)."'";
 		$sql.= " WHERE rowid=".$this->id;

--- a/test/phpunit/CodingPhpTest.php
+++ b/test/phpunit/CodingPhpTest.php
@@ -155,6 +155,25 @@ class CodingPhpTest extends PHPUnit_Framework_TestCase
            print 'Check php file '.$file['fullname']."\n";
            $filecontent=file_get_contents($file['fullname']);

+
+            $ok=true;
+            $matches=array();
+            // Check string   ='".$this->xxx   with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
+            preg_match_all('/(..)\s*\.\s*\$this->db->idate\(/', $filecontent, $matches, PREG_SET_ORDER);
+            foreach($matches as $key => $val)
+            {
+            	if ($val[1] != '\'"' && $val[1] != '\'\'')
+            	{
+            		$ok=false;
+            		break;
+            	}
+            	//if ($reg[0] != 'db') $ok=false;
+            }
+            //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
+            $this->assertTrue($ok, 'Found a $this->db->idate to forge a sql request without quotes around this date field '.$file['fullname'].' :: '.$val[0]);
+            //exit;
+
+
            $ok=true;
            $matches=array();
            // Check string   ='".$this->xxx   with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
@@ -172,6 +191,7 @@ class CodingPhpTest extends PHPUnit_Framework_TestCase
            $this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['fullname'].' ('.$val[0].'). Bad.');
            //exit;

+
            // Test that output of $_SERVER\[\'QUERY_STRING\'\] is escaped.
            $ok=true;
            $matches=array();