diff --git a/htdocs/core/class/conf.class.php b/htdocs/core/class/conf.class.php
index 60ee78bbff5..ec145f89f43 100644
--- a/htdocs/core/class/conf.class.php
+++ b/htdocs/core/class/conf.class.php
@@ -215,26 +215,33 @@ class Conf
 // modules_parts['login'], modules_parts['menus'], modules_parts['substitutions'], modules_parts['triggers'], modules_parts['tpl'],
 // modules_parts['models'], modules_parts['theme']
 // modules_parts['sms'],
- // modules_parts['css'], ...
+ // modules_parts['css'], modules_parts['js'],...
 $modulename = strtolower($reg[1]);
 $partname = strtolower($reg[2]);
 if (!isset($this->modules_parts[$partname]) || !is_array($this->modules_parts[$partname])) {
 $this->modules_parts[$partname] = array();
 }
+
 $arrValue = json_decode($value, true);
- if (is_array($arrValue) && !empty($arrValue)) {
- $value = $arrValue;
+
+ if (is_array($arrValue)) {
+ $newvalue = $arrValue;
 } elseif (in_array($partname, array('login', 'menus', 'substitutions', 'triggers', 'tpl'))) {
- $value = '/'.$modulename.'/core/'.$partname.'/';
+ $newvalue = '/'.$modulename.'/core/'.$partname.'/';
 } elseif (in_array($partname, array('models', 'theme'))) {
- $value = '/'.$modulename.'/';
+ $newvalue = '/'.$modulename.'/';
 } elseif (in_array($partname, array('sms'))) {
- $value = '/'.$modulename.'/';
+ $newvalue = '/'.$modulename.'/';
 } elseif ($value == 1) {
- $value = '/'.$modulename.'/core/modules/'.$partname.'/'; // ex: partname = societe
+ $newvalue = '/'.$modulename.'/core/modules/'.$partname.'/'; // ex: partname = societe
+ } else {
+ $newvalue = $value;
+ }
+
+ if (!empty($newvalue)) {
+ $this->modules_parts[$partname] = array_merge($this->modules_parts[$partname], array($modulename => $newvalue)); // $value may be a string or an array
 }
- $this->modules_parts[$partname] = array_merge($this->modules_parts[$partname], array($modulename => $value)); // $value may be a string or an array
 } elseif (preg_match('/^MAIN_MODULE_([0-9A-Z_]+)$/i', $key, $reg)) { // If this is a module constant (must be at end)
 $modulename = strtolower($reg[1]);
diff --git a/htdocs/core/db/Database.interface.php b/htdocs/core/db/Database.interface.php
index 50e013ce8b7..9b812df8dc2 100644
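Review bot: The new `if (!empty($newvalue))` guard silently drops module-part values equal to `'0'` or to an empty JSON array (`'[]'`), both of which the removed code registered (an empty decoded array previously fell through to the path-building branches, and any non-empty string was merged as is). If that is intended, say so on the guard, e.g. `// nothing to register: empty array, '' or '0' means the part is declared but unused`; otherwise test `$newvalue !== '' && $newvalue !== array()` instead of `!empty()`. The unchanged `} elseif ($value == 1)` still relies on a loose comparison; `$value === 1 || $value === '1'` would make the intent explicit. The enclosing loop starts before and ends after this hunk.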
--- a/htdocs/core/db/Database.interface.php
+++ b/htdocs/core/db/Database.interface.php
@@ -432,13 +432,13 @@ interface Database
 /**
 * Encrypt sensitive data in database
- * Warning: This function includes the escape, so it must use direct value
+ * Warning: This function includes the escape and add the SQL simple quotes on strings.
 *
- * @param string $fieldorvalue Field name or value to encrypt
- * @param int $withQuotes Return string with quotes
- * @return string XXX(field) or XXX('value') or field or 'value'
+ * @param string $fieldorvalue Field name or value to encrypt
+ * @param int $withQuotes Return string including the SQL simple quotes. This param must always be 1 (Value 0 is bugged and deprecated).
+ * @return string XXX(field) or XXX('value') or field or 'value'
 */
- public function encrypt($fieldorvalue, $withQuotes = 0);
+ public function encrypt($fieldorvalue, $withQuotes = 1);
 /**
 * Validate a database transaction
diff --git a/htdocs/core/db/mysqli.class.php b/htdocs/core/db/mysqli.class.php
index bef1209dd84..02a1e5d13d3 100644
--- a/htdocs/core/db/mysqli.class.php
+++ b/htdocs/core/db/mysqli.class.php
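Review bot: Flipping the interface default from 0 to 1 changes the return value of every existing `encrypt($x)` call that omitted the argument, including external module code written against the old pattern `'".$db->escape($db->encrypt($x))."'` (the very pattern this commit removes from core); those callers now get an escaped, already-quoted literal wrapped in a second pair of quotes, i.e. wrong SQL rather than a clean error. That deserves a line in the docblock, e.g. `Callers must not add their own quotes or escape() around the result any more`, and a note for module authors in the changelog. Since the docblock itself calls value 0 "bugged and deprecated", marking it `@deprecated` for that value would let static analysis surface the remaining callers.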
@@ -522,15 +522,14 @@ class DoliDBMysqli extends DoliDB
 }
 /**
- * Encrypt sensitive data in database
- * Warning: This function includes the escape, so it must use direct value
- *
- * @param string $fieldorvalue Field name or value to encrypt
- * @param int $withQuotes Return string with quotes
- * @return string XXX(field) or XXX('value') or field or 'value'
+ * Encrypt sensitive data in database
+ * Warning: This function includes the escape and add the SQL simple quotes on strings.
 *
+ * @param string $fieldorvalue Field name or value to encrypt
+ * @param int $withQuotes Return string including the SQL simple quotes. This param must always be 1 (Value 0 is bugged and deprecated).
+ * @return string XXX(field) or XXX('value') or field or 'value'
 */
- public function encrypt($fieldorvalue, $withQuotes = 0)
+ public function encrypt($fieldorvalue, $withQuotes = 1)
 {
 global $conf;
@@ -540,17 +539,17 @@ class DoliDBMysqli extends DoliDB
 //Encryption key
 $cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey) ? $conf->db->dolibarr_main_db_cryptkey : '');
- $return = ($withQuotes ? "'" : "").$this->escape($fieldorvalue).($withQuotes ? "'" : "");
+ $escapedstringwithquotes = ($withQuotes ? "'" : "").$this->escape($fieldorvalue).($withQuotes ? "'" : "");
 if ($cryptType && !empty($cryptKey)) {
 if ($cryptType == 2) {
- $return = 'AES_ENCRYPT('.$return.',\''.$cryptKey.'\')';
+ $escapedstringwithquotes = "AES_ENCRYPT(".$escapedstringwithquotes.", '".$this->escape($cryptKey)."')";
 } elseif ($cryptType == 1) {
- $return = 'DES_ENCRYPT('.$return.',\''.$cryptKey.'\')';
+ $escapedstringwithquotes = "DES_ENCRYPT(".$escapedstringwithquotes.", '".$this->escape($cryptKey)."')";
 }
 }
- return $return;
+ return $escapedstringwithquotes;
 }
 /**
diff --git a/htdocs/core/db/pgsql.class.php b/htdocs/core/db/pgsql.class.php
index 55d5f18dd00..9d17d4b9099 100644
--- a/htdocs/core/db/pgsql.class.php
+++ b/htdocs/core/db/pgsql.class.php
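Review bot: `$this->escape($cryptKey)` correctly stops a quote inside the key from breaking the statement, but the key is still inlined as a literal into every statement that goes through `encrypt()`, so any query logging layer (debug syslog of SQL, server-side general or slow-query logs, a tracing wrapper such as the debugbar `TraceableDB` touched in this commit) will capture it; this is worth a docblock line, e.g. `Note: the encryption key is embedded in the returned SQL fragment; never log or display statements built with it`. The `$withQuotes = 0` path is described as bugged and deprecated yet is still honoured silently; logging it, e.g. `dol_syslog(get_class($this)."::encrypt called with withQuotes=0 (deprecated)", LOG_WARNING);` at the top of the body (if `dol_syslog` is loaded when this driver is, as it is elsewhere in the codebase), would make remaining callers findable. The same two points apply to the sqlite3 hunk below.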
@@ -823,22 +823,22 @@ class DoliDBPgsql extends DoliDB
 }
 /**
- * Encrypt sensitive data in database
- * Warning: This function includes the escape, so it must use direct value
+ * Encrypt sensitive data in database
+ * Warning: This function includes the escape and add the SQL simple quotes on strings.
 *
- * @param string $fieldorvalue Field name or value to encrypt
- * @param int $withQuotes Return string with quotes
- * @return string XXX(field) or XXX('value') or field or 'value'
+ * @param string $fieldorvalue Field name or value to encrypt
+ * @param int $withQuotes Return string including the SQL simple quotes. This param must always be 1 (Value 0 is bugged and deprecated).
+ * @return string XXX(field) or XXX('value') or field or 'value'
 */
- public function encrypt($fieldorvalue, $withQuotes = 0)
+ public function encrypt($fieldorvalue, $withQuotes = 1)
 {
 global $conf;
 // Type of encryption (2: AES (recommended), 1: DES , 0: no encryption)
- $cryptType = ($conf->db->dolibarr_main_db_encryption ? $conf->db->dolibarr_main_db_encryption : 0);
+ //$cryptType = ($conf->db->dolibarr_main_db_encryption ? $conf->db->dolibarr_main_db_encryption : 0);
 //Encryption key
- $cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey) ? $conf->db->dolibarr_main_db_cryptkey : '');
+ //$cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey) ? $conf->db->dolibarr_main_db_cryptkey : '');
 $return = $fieldorvalue;
 return ($withQuotes ? "'" : "").$this->escape($return).($withQuotes ? "'" : "");
diff --git a/htdocs/core/db/sqlite3.class.php b/htdocs/core/db/sqlite3.class.php
index 072d5f0c4b3..e2a2c124737 100644
--- a/htdocs/core/db/sqlite3.class.php
+++ b/htdocs/core/db/sqlite3.class.php
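Review bot: With `$cryptType` and `$cryptKey` commented out, this driver now ignores `dolibarr_main_db_encryption` entirely and returns the escaped value in clear, while the docblock just above still promises "Encrypt sensitive data in database"; an operator who enables encryption on PostgreSQL gets plaintext in the table and no warning. State it in the docblock, e.g. `Note: no column encryption is implemented for PostgreSQL; the value is only escaped and quoted, whatever dolibarr_main_db_encryption is set to`. Delete the two commented-out assignments and the now-unused `global $conf;` rather than keeping dead code, and `$return = $fieldorvalue;` can go too since the value is used once.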
@@ -744,34 +744,34 @@ class DoliDBSqlite3 extends DoliDB
 }
 /**
- * Encrypt sensitive data in database
- * Warning: This function includes the escape, so it must use direct value
+ * Encrypt sensitive data in database
+ * Warning: This function includes the escape and add the SQL simple quotes on strings.
 *
- * @param string $fieldorvalue Field name or value to encrypt
- * @param int $withQuotes Return string with quotes
- * @return string XXX(field) or XXX('value') or field or 'value'
+ * @param string $fieldorvalue Field name or value to encrypt
+ * @param int $withQuotes Return string including the SQL simple quotes. This param must always be 1 (Value 0 is bugged and deprecated).
+ * @return string XXX(field) or XXX('value') or field or 'value'
 */
- public function encrypt($fieldorvalue, $withQuotes = 0)
+ public function encrypt($fieldorvalue, $withQuotes = 1)
 {
 global $conf;
 // Type of encryption (2: AES (recommended), 1: DES , 0: no encryption)
- $cryptType = ($conf->db->dolibarr_main_db_encryption ? $conf->db->dolibarr_main_db_encryption : 0);
+ $cryptType = (!empty($conf->db->dolibarr_main_db_encryption) ? $conf->db->dolibarr_main_db_encryption : 0);
 //Encryption key
 $cryptKey = (!empty($conf->db->dolibarr_main_db_cryptkey) ? $conf->db->dolibarr_main_db_cryptkey : '');
- $return = ($withQuotes ? "'" : "").$this->escape($fieldorvalue).($withQuotes ? "'" : "");
+ $escapedstringwithquotes = ($withQuotes ? "'" : "").$this->escape($fieldorvalue).($withQuotes ? "'" : "");
 if ($cryptType && !empty($cryptKey)) {
 if ($cryptType == 2) {
- $return = 'AES_ENCRYPT('.$return.',\''.$cryptKey.'\')';
+ $escapedstringwithquotes = "AES_ENCRYPT(".$escapedstringwithquotes.", '".$this->escape($cryptKey)."')";
 } elseif ($cryptType == 1) {
- $return = 'DES_ENCRYPT('.$return.',\''.$cryptKey.'\')';
+ $escapedstringwithquotes = "DES_ENCRYPT(".$escapedstringwithquotes.", '".$this->escape($cryptKey)."')";
 }
 }
- return $return;
+ return $escapedstringwithquotes;
 }
 /**
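Review bot: `AES_ENCRYPT` and `DES_ENCRYPT` are MySQL functions with no built-in SQLite equivalent, so with `dolibarr_main_db_encryption` set this driver emits statements that fail at execution unless the application registers functions of those names on the SQLite3 connection (nothing in this hunk shows that). Either drop the branch, as the pgsql driver does in this same commit, or document the dependency in the docblock, e.g. `Note: relies on AES_ENCRYPT/DES_ENCRYPT being registered as user-defined functions on the SQLite3 connection`. The key-in-statement and deprecated `$withQuotes = 0` remarks made on the mysqli hunk apply here unchanged.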
diff --git a/htdocs/core/lib/admin.lib.php b/htdocs/core/lib/admin.lib.php
index 531af9017b3..45b7e3b2096 100644
--- a/htdocs/core/lib/admin.lib.php
+++ b/htdocs/core/lib/admin.lib.php
@@ -345,7 +345,7 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle
 for ($j = 0; $j < $num; $j++) {
 $from = $reg[0][$j];
- $to = $db->encrypt($reg[1][$j], 1);
+ $to = $db->encrypt($reg[1][$j]);
 $newsql = str_replace($from, $to, $newsql);
 }
 $sqlmodified++;
@@ -481,10 +481,10 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle
 /**
- * Effacement d'une constante dans la base de donnees
+ * Delete a constant
 *
 * @param DoliDB $db Database handler
- * @param string $name Name of constant or rowid of line
+ * @param string|int $name Name of constant or rowid of line
 * @param int $entity Multi company id, -1 for all entities
 * @return int <0 if KO, >0 if OK
 *
@@ -502,7 +502,7 @@ function dolibarr_del_const($db, $name, $entity = 1)
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."const";
 $sql .= " WHERE (".$db->decrypt('name')." = '".$db->escape($name)."'";
 if (is_numeric($name)) {
- $sql .= " OR rowid = '".$db->escape($name)."'";
+ $sql .= " OR rowid = ".((int) $name);
 }
 $sql .= ")";
 if ($entity >= 0) {
@@ -536,7 +536,7 @@ function dolibarr_get_const($db, $name, $entity = 1)
 $sql = "SELECT ".$db->decrypt('value')." as value";
 $sql .= " FROM ".MAIN_DB_PREFIX."const";
- $sql .= " WHERE name = '".$db->escape($db->encrypt($name))."'";
+ $sql .= " WHERE name = ".$db->encrypt($name);
 $sql .= " AND entity = ".((int) $entity);
 dol_syslog("admin.lib::dolibarr_get_const", LOG_DEBUG);
@@ -583,7 +583,7 @@ function dolibarr_set_const($db, $name, $value, $type = 'chaine', $visible = 0,
 $db->begin();
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."const";
- $sql .= " WHERE name = '".$db->escape($db->encrypt($name))."'";
+ $sql .= " WHERE name = ".$db->encrypt($name);
 if ($entity >= 0) {
 $sql .= " AND entity = ".((int) $entity);
 }
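Review bot: In `dolibarr_del_const`, `is_numeric($name)` also accepts `'1.9'`, `'1e2'` and leading-whitespace forms, which the new `(int)` cast then silently maps to a rowid other than the string the caller passed (`'1.9'` becomes 1), so a constant with an odd name could delete the wrong row; since the branch is meant for a rowid, gate it on an integer string instead: `if (ctype_digit((string) $name)) {`. The `(int)` cast itself is the right replacement for the quoted escape and matches the `((int) $entity)` style used below. The rest of the function continues outside the hunk.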
@@ -594,8 +594,8 @@ function dolibarr_set_const($db, $name, $value, $type = 'chaine', $visible = 0,
 if (strcmp($value, '')) { // true if different. Must work for $value='0' or $value=0
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity)";
 $sql .= " VALUES (";
- $sql .= $db->encrypt($name, 1);
- $sql .= ", ".$db->encrypt($value, 1);
+ $sql .= $db->encrypt($name);
+ $sql .= ", ".$db->encrypt($value);
 $sql .= ",'".$db->escape($type)."',".((int) $visible).",'".$db->escape($note)."',".((int) $entity).")";
 //print "sql".$value."-".pg_escape_string($value)."-".$sql;exit;
@@ -753,7 +753,7 @@ function security_prepare_head()
 $sql = "SELECT COUNT(r.id) as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX."rights_def as r";
 $sql .= " WHERE r.libelle NOT LIKE 'tou%'"; // On ignore droits "tous"
- $sql .= " AND entity = ".$conf->entity;
+ $sql .= " AND entity = ".((int) $conf->entity);
 $sql .= " AND bydefault = 1";
 if (empty($conf->global->MAIN_USE_ADVANCED_PERMS)) {
 $sql .= " AND r.perms NOT LIKE '%_advance'"; // Hide advanced perms if option is not enabled
@@ -1839,7 +1839,7 @@ function delDocumentModel($name, $type)
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."document_model";
 $sql .= " WHERE nom = '".$db->escape($name)."'";
 $sql .= " AND type = '".$db->escape($type)."'";
- $sql .= " AND entity = ".$conf->entity;
+ $sql .= " AND entity = ".((int) $conf->entity);
 dol_syslog("admin.lib::delDocumentModel", LOG_DEBUG);
 $resql = $db->query($sql);
diff --git a/htdocs/core/modules/DolibarrModules.class.php b/htdocs/core/modules/DolibarrModules.class.php
index e9688daf28e..4191a3492ca 100644
--- a/htdocs/core/modules/DolibarrModules.class.php
+++ b/htdocs/core/modules/DolibarrModules.class.php
@@ -994,9 +994,9 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
 $note = json_encode(array('authorid'=>(is_object($user) ? $user->id : 0), 'ip'=>(empty($_SERVER['REMOTE_ADDR']) ? '' : $_SERVER['REMOTE_ADDR'])));
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."const (name, value, visible, entity, note) VALUES";
- $sql .= " (".$this->db->encrypt($this->const_name, 1);
- $sql .= ", ".$this->db->encrypt('1', 1);
- $sql .= ", 0, ".$entity;
+ $sql .= " (".$this->db->encrypt($this->const_name);
+ $sql .= ", ".$this->db->encrypt('1');
+ $sql .= ", 0, ".((int) $entity);
 $sql .= ", '".$this->db->escape($note)."')";
 dol_syslog(get_class($this)."::_active insert activation constant", LOG_DEBUG);
@@ -1555,9 +1555,9 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
 $sql .= ", entity";
 $sql .= ")";
 $sql .= " VALUES (";
- $sql .= $this->db->encrypt($this->const_name."_TABS_".$i, 1);
+ $sql .= $this->db->encrypt($this->const_name."_TABS_".$i);
 $sql .= ", 'chaine'";
- $sql .= ", ".$this->db->encrypt($newvalue, 1);
+ $sql .= ", ".$this->db->encrypt($newvalue);
 $sql .= ", null";
 $sql .= ", '0'";
 $sql .= ", ".$entity;
@@ -1627,9 +1627,9 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
 if ($row[0] == 0) { // If not found
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."const (name,type,value,note,visible,entity)";
 $sql .= " VALUES (";
- $sql .= $this->db->encrypt($name, 1);
+ $sql .= $this->db->encrypt($name);
 $sql .= ",'".$this->db->escape($type)."'";
- $sql .= ",".(($val != '') ? $this->db->encrypt($val, 1) : "''");
+ $sql .= ",".(($val != '') ? $this->db->encrypt($val) : "''");
 $sql .= ",".($note ? "'".$this->db->escape($note)."'" : "null");
 $sql .= ",'".$this->db->escape($visible)."'";
 $sql .= ",".$entity;
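Review bot: The `_active` hunk casts the entity with `((int) $entity)`, but the two later hunks in this file still concatenate it raw — `$sql .= ", ".$entity;` in the `_TABS_` insert and `$sql .= ",".$entity;` in the `insert_const` insert — so the same value is treated as trusted in one statement and not in the others; apply the same cast there, `$sql .= ", ".((int) $entity);` and `$sql .= ",".((int) $entity);`. This matters because `$entity` in this class can be overridden from module-supplied arrays (the `$entity = $value['entity'];` context visible in the `insert_module_parts` hunk below), so the cast is not cosmetic. The enclosing methods start and end outside these hunks.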
@@ -2064,8 +2064,8 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
 $row = $this->db->fetch_row($result);
 if ($row[0] == 0) {
- $sql = "INSERT INTO ".MAIN_DB_PREFIX."const (name,type,value,note,visible,entity)";
- $sql .= " VALUES ('".$this->db->escape($this->db->encrypt($name))."', 'chaine', '".$this->db->escape($this->db->encrypt($dir))."', 'Directory for module ".$this->name."', '0', ".((int) $conf->entity).")";
+ $sql = "INSERT INTO ".MAIN_DB_PREFIX."const (name, type, value, note, visible, entity)";
+ $sql .= " VALUES (".$this->db->encrypt($name).", 'chaine', ".$this->db->encrypt($dir).", '".$this->db->escape("Directory for module ".$this->name)."', '0', ".((int) $conf->entity).")";
 dol_syslog(get_class($this)."::insert_dirs", LOG_DEBUG);
 $this->db->query($sql);
@@ -2126,7 +2126,7 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
 $entity = $conf->entity; // Reset the current entity
 $newvalue = $value;
-
+ var_dump($newvalue);
 // Serialize array parameters
 if (is_array($value)) {
 // Can defined other parameters
@@ -2141,11 +2141,12 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
 if (isset($value['entity'])) {
 $entity = $value['entity'];
 }
- } else // when hook is declared with syntax 'hook'=>array('hookcontext1','hookcontext2',...)
- {
+ } else { // when hook is declared with syntax 'hook'=>array('hookcontext1','hookcontext2',...)
 $newvalue = json_encode($value);
 }
 }
+ var_dump($newvalue);
+ var_dump($this->db->escape($newvalue));
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."const (";
 $sql .= "name";
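Review bot: The two `var_dump($newvalue);` lines and `var_dump($this->db->escape($newvalue));` added in `insert_module_parts`, together with `print $sql;` in the next hunk of this file, are debugging leftovers that write module configuration and the raw INSERT statement into the HTTP response on every module activation; all four lines should be removed before merge. The brace fix on `} else { // when hook ...` and the now-escaped `'Directory for module ...'` note in the `insert_dirs` hunk are fine as they are. The enclosing method continues outside these hunks.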
@@ -2156,14 +2157,14 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
 $sql .= ", entity";
 $sql .= ")";
 $sql .= " VALUES (";
- $sql .= "'".$this->db->escape($this->db->encrypt($this->const_name."_".strtoupper($key)))."'";
+ $sql .= " ".$this->db->encrypt($this->const_name."_".strtoupper($key));
 $sql .= ", 'chaine'";
- $sql .= ", '".$this->db->escape($this->db->encrypt($newvalue))."'";
+ $sql .= ", ".$this->db->encrypt($newvalue);
 $sql .= ", null";
 $sql .= ", '0'";
 $sql .= ", ".((int) $entity);
 $sql .= ")";
-
+ print $sql;
 dol_syslog(get_class($this)."::insert_module_parts for key=".$this->const_name."_".strtoupper($key), LOG_DEBUG);
 $resql = $this->db->query($sql, 1);
diff --git a/htdocs/core/modules/modApi.class.php b/htdocs/core/modules/modApi.class.php
index bf7fc2777ae..ffd274c7096 100644
--- a/htdocs/core/modules/modApi.class.php
+++ b/htdocs/core/modules/modApi.class.php
@@ -245,8 +245,8 @@ class modApi extends DolibarrModules
 {
 // Remove old constants with entity fields different of 0
 $sql = array(
- "DELETE FROM ".MAIN_DB_PREFIX."const WHERE name = '".$this->db->escape($this->db->encrypt('MAIN_MODULE_API'))."'",
- "DELETE FROM ".MAIN_DB_PREFIX."const WHERE name = '".$this->db->escape($this->db->encrypt('API_PRODUCTION_MODE'))."'"
+ "DELETE FROM ".MAIN_DB_PREFIX."const WHERE name = ".$this->db->encrypt('MAIN_MODULE_API'), // API can't be enabled per environment. Why ?
+ "DELETE FROM ".MAIN_DB_PREFIX."const WHERE name = ".$this->db->encrypt('API_PRODUCTION_MODE') // Not in production mode by default at activation
 );
 return $this->_remove($sql, $options);
diff --git a/htdocs/debugbar/class/TraceableDB.php b/htdocs/debugbar/class/TraceableDB.php
index 85dd3080512..267c79ab08e 100644
--- a/htdocs/debugbar/class/TraceableDB.php
+++ b/htdocs/debugbar/class/TraceableDB.php
@@ -596,13 +596,13 @@ class TraceableDB extends DoliDB
 /**
 * Encrypt sensitive data in database
- * Warning: This function includes the escape, so it must use direct value
+ * Warning: This function includes the escape and add the SQL simple quotes on strings.
 *
- * @param string $fieldorvalue Field name or value to encrypt
- * @param int $withQuotes Return string with quotes
- * @return string XXX(field) or XXX('value') or field or 'value'
+ * @param string $fieldorvalue Field name or value to encrypt
+ * @param int $withQuotes Return string including the SQL simple quotes. This param must always be 1 (Value 0 is bugged and deprecated).
+ * @return string XXX(field) or XXX('value') or field or 'value'
 */
- public function encrypt($fieldorvalue, $withQuotes = 0)
+ public function encrypt($fieldorvalue, $withQuotes = 1)
 {
 return $this->db->encrypt($fieldorvalue, $withQuotes);
 }
diff --git a/htdocs/install/step5.php b/htdocs/install/step5.php
index b434612afcd..f9424f51a32 100644
--- a/htdocs/install/step5.php
+++ b/htdocs/install/step5.php
@@ -234,7 +234,7 @@ if ($action == "set" || empty($action) || preg_match('/upgrade/i', $action)) {
 // Insert MAIN_VERSION_FIRST_INSTALL in a dedicated transaction. So if it fails (when first install was already done), we can do other following requests.
 $db->begin();
 dolibarr_install_syslog('step5: set MAIN_VERSION_FIRST_INSTALL const to '.$targetversion, LOG_DEBUG);
- $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name, value, type, visible, note, entity) values('".$db->escape($db->encrypt('MAIN_VERSION_FIRST_INSTALL'))."', '".$db->escape($db->encrypt($targetversion))."', 'chaine', 0, 'Dolibarr version when first install', 0)");
+ $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name, value, type, visible, note, entity) values(".$db->encrypt('MAIN_VERSION_FIRST_INSTALL').", ".$db->encrypt($targetversion).", 'chaine', 0, 'Dolibarr version when first install', 0)");
 if ($resql) {
 $conf->global->MAIN_VERSION_FIRST_INSTALL = $targetversion;
 $db->commit();
@@ -250,7 +250,7 @@ if ($action == "set" || empty($action) || preg_match('/upgrade/i', $action)) {
 if (!$resql) {
 dol_print_error($db, 'Error in setup program');
 }
- $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity) values('".$db->escape($db->encrypt('MAIN_VERSION_LAST_INSTALL'))."', '".$db->escape($db->encrypt($targetversion))."', 'chaine', 0, 'Dolibarr version when last install', 0)");
+ $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity) values(".$db->encrypt('MAIN_VERSION_LAST_INSTALL').", ".$db->encrypt($targetversion).", 'chaine', 0, 'Dolibarr version when last install', 0)");
 if (!$resql) {
 dol_print_error($db, 'Error in setup program');
 }
@@ -262,7 +262,7 @@ if ($action == "set" || empty($action) || preg_match('/upgrade/i', $action)) {
 if (!$resql) {
 dol_print_error($db, 'Error in setup program');
 }
- $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity) values('".$db->escape($db->encrypt('MAIN_REMOVE_INSTALL_WARNING'))."', '".$db->escape($db->encrypt(1))."', 'chaine', 1, 'Disable install warnings', 0)");
+ $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity) values(".$db->encrypt('MAIN_REMOVE_INSTALL_WARNING').", ".$db->encrypt(1).", 'chaine', 1, 'Disable install warnings', 0)");
 if (!$resql) {
 dol_print_error($db, 'Error in setup program');
 }
@@ -330,7 +330,7 @@ if ($action == "set" || empty($action) || preg_match('/upgrade/i', $action)) {
 if (!$resql) {
 dol_print_error($db, 'Error in setup program');
 }
- $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name, value, type, visible, note, entity) VALUES ('".$db->escape($db->encrypt('MAIN_VERSION_LAST_UPGRADE'))."', '".$db->escape($db->encrypt($targetversion))."', 'chaine', 0, 'Dolibarr version for last upgrade', 0)");
+ $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name, value, type, visible, note, entity) VALUES (".$db->encrypt('MAIN_VERSION_LAST_UPGRADE').", ".$db->encrypt($targetversion).", 'chaine', 0, 'Dolibarr version for last upgrade', 0)");
 if (!$resql) {
 dol_print_error($db, 'Error in setup program');
 }
@@ -346,7 +346,7 @@ if ($action == "set" || empty($action) || preg_match('/upgrade/i', $action)) {
 }
 // May fail if parameter already defined
- $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity) VALUES ('".$db->escape($db->encrypt('MAIN_LANG_DEFAULT'))."', '".$db->escape($db->encrypt($setuplang))."', 'chaine', 0, 'Default language', 1)");
+ $resql = $db->query("INSERT INTO ".MAIN_DB_PREFIX."const(name,value,type,visible,note,entity) VALUES (".$db->encrypt('MAIN_LANG_DEFAULT').", ".$db->encrypt($setuplang).", 'chaine', 0, 'Default language', 1)");
 //if (! $resql) dol_print_error($db,'Error in setup program');
 $db->close();
diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php
index a9f6221ea58..6855451d3ac 100644
--- a/test/phpunit/CodingPhpTest.php
+++ b/test/phpunit/CodingPhpTest.php
@@ -290,7 +290,13 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
 // with xxx that is not 'thi' (for $this->db->sanitize) and 'db-' (for $db->sanitize). It means we forget a ' if string, or an (int) if int, when forging sql request.
 preg_match_all('/(DELETE|OR|AND|WHERE|INSERT)\s.*([^\s][^\s][^\s])\s*=\s*"\s*\.\s*\$(...)/', $filecontent, $matches, PREG_SET_ORDER);
 foreach ($matches as $key => $val) {
- if ($val[2] == 'ity' && $val[3] == 'con') { // exclude entity = $conf->entity
+ if ($val[2] == 'ity' && $val[3] == 'con') { // exclude entity = ".$conf->entity
+ continue;
+ }
+ if ($val[2] == 'ame' && $val[3] == 'db-' && preg_match('/WHERE name/', $val[0])) { // exclude name = ".$db->encrypt(
+ continue;
+ }
+ if ($val[2] == 'ame' && $val[3] == 'thi' && preg_match('/WHERE name/', $val[0])) { // exclude name = ".$this->db->encrypt(
 continue;
 }
 var_dump($matches);
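Review bot: The new `db-` exclusion in the CodingPhpTest hunk only checks `$val[3] == 'db-'` plus `preg_match('/WHERE name/', $val[0])`, so it also whitelists `WHERE name = ".$db->escape(...)` — an unquoted escape, which is exactly the pattern this lint test exists to catch — and the `thi` variant has the same gap for `$this->db->escape(`. Anchor both exclusions on the call that is actually safe, e.g. `preg_match('/db->encrypt\(/', $val[0])` in place of `preg_match('/WHERE name/', $val[0])`, as the second hunk of this file already does with `/this->db->encrypt/`. The test method starts before and ends after this hunk.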
@@ -305,7 +311,10 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
 // with xxx that is not 'db-' (for $db->escape). It means we forget a ' if string, or an (int) if int, when forging sql request.
 preg_match_all('/(VALUES).*,\s*"\s*\.\s*\$(...)/', $filecontent, $matches, PREG_SET_ORDER);
 foreach ($matches as $key => $val) {
- if ($val[2] == 'VALUES' && $val[3] == 'db-') { // exclude $db->escape(
+ if ($val[1] == 'VALUES' && $val[2] == 'db-') { // exclude $db->escape(
+ continue;
+ }
+ if ($val[1] == 'VALUES' && $val[2] == 'thi' && preg_match('/this->db->encrypt/', $val[0])) { // exclude ".$this->db->encrypt(
 continue;
 }
 var_dump($matches);