diff --git a/htdocs/admin/mails.php b/htdocs/admin/mails.php index 0252f149d10..8fcbc898844 100644 --- a/htdocs/admin/mails.php +++ b/htdocs/admin/mails.php @@ -719,7 +719,7 @@ if ($action == 'edit') { $liste['user'] = $langs->trans('UserEmail'); $liste['company'] = $langs->trans('CompanyEmail').' ('.(empty($conf->global->MAIN_INFO_SOCIETE_MAIL) ? $langs->trans("NotDefined") : $conf->global->MAIN_INFO_SOCIETE_MAIL).')'; $sql = 'SELECT rowid, label, email FROM '.MAIN_DB_PREFIX.'c_email_senderprofile'; - $sql .= ' WHERE active = 1 AND (private = 0 OR private = '.$user->id.')'; + $sql .= ' WHERE active = 1 AND (private = 0 OR private = '.((int) $user->id).')'; $resql = $db->query($sql); if ($resql) { $num = $db->num_rows($resql); diff --git a/htdocs/admin/system/filecheck.php b/htdocs/admin/system/filecheck.php index 0f77b9d9d41..b506231a59b 100644 --- a/htdocs/admin/system/filecheck.php +++ b/htdocs/admin/system/filecheck.php @@ -124,7 +124,7 @@ if ($enableremotecheck) { print ' = '; print '
'; } else { - print ' '.$langs->trans("RemoteSignature").' = '.$xmlremote; + print ' '.$langs->trans("RemoteSignature").' = '.dol_escape_htmltag($xmlremote); if (!GETPOST('xmlremote')) { print ' ('.$langs->trans("FeatureAvailableOnlyOnStable").')'; } diff --git a/htdocs/categories/class/categorie.class.php b/htdocs/categories/class/categorie.class.php index 51079636d4f..5f30a96c9c1 100644 --- a/htdocs/categories/class/categorie.class.php +++ b/htdocs/categories/class/categorie.class.php @@ -897,6 +897,8 @@ class Categorie extends CommonObject $categories = array(); + $type = checkVal($type, 'aZ09'); + $sub_type = $type; $subcol_name = "fk_".$type; if ($type == "customer") { @@ -917,9 +919,9 @@ class Categorie extends CommonObject $sql .= " FROM ".MAIN_DB_PREFIX."categorie as s"; $sql .= " , ".MAIN_DB_PREFIX."categorie_".$sub_type." as sub "; $sql .= ' WHERE s.entity IN ('.getEntity('category').')'; - $sql .= ' AND s.type='.$idoftype; + $sql .= ' AND s.type='.((int) $idoftype); $sql .= ' AND s.rowid = sub.fk_categorie'; - $sql .= ' AND sub.'.$subcol_name.' = '.$id; + $sql .= ' AND sub.'.$subcol_name.' = '.((int) $id); $sql .= $this->db->order($sortfield, $sortorder); diff --git a/htdocs/comm/action/index.php b/htdocs/comm/action/index.php index be0884a5556..d5457447100 100644 --- a/htdocs/comm/action/index.php +++ b/htdocs/comm/action/index.php @@ -874,10 +874,10 @@ if ($showbirthday) { $sql .= ' WHERE (priv=0 OR (priv=1 AND fk_user_creat='.$user->id.'))'; $sql .= " AND sp.entity IN (".getEntity('socpeople').")"; if ($action == 'show_day') { - $sql .= ' AND MONTH(birthday) = '.$month; - $sql .= ' AND DAY(birthday) = '.$day; + $sql .= ' AND MONTH(birthday) = '.((int) $month); + $sql .= ' AND DAY(birthday) = '.((int) $day); } else { - $sql .= ' AND MONTH(birthday) = '.$month; + $sql .= ' AND MONTH(birthday) = '.((int) $month); } $sql .= ' ORDER BY birthday'; diff --git a/htdocs/commande/list.php b/htdocs/commande/list.php index db6bba130b1..d59983925ce 100644 
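Review bot: `checkVal($type, 'aZ09')` on the added line restricts `$type` to alphanumerics, but `$type` still picks the table (`categorie_".$sub_type`) and the column (`"fk_".$type`) of the query in the second hunk, so any alphanumeric name a caller passes reaches the FROM clause. The `if ($type == "customer")` chain that follows presumably maps a closed set of type names to `$sub_type` (its end lies outside the hunk), so an explicit whitelist would be tighter than a character filter, e.g. `if (!in_array($type, $allowedtypes, true)) { return $categories; }` ahead of the cast, with `$allowedtypes` listing exactly the names that chain handles and the return value adjusted to whatever this method uses for errors. The `(int)` casts on `$idoftype` and `$id` in the second hunk look right.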
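Review bot: Both branches of `if ($action == 'show_day')` now append the same `MONTH(birthday) = ` clause, so the conditional only needs to decide whether the `DAY(...)` filter is added: `$sql .= ' AND MONTH(birthday) = '.((int) $month);` unconditionally, followed by `if ($action == 'show_day') { $sql .= ' AND DAY(birthday) = '.((int) $day); }`. The context line at the top of the hunk, `fk_user_creat='.$user->id.'`, is then the only value in this WHERE clause still concatenated without a cast; `((int) $user->id)` would make the query uniformly typed. The enclosing block starts before the hunk.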
--- a/htdocs/commande/list.php +++ b/htdocs/commande/list.php @@ -359,7 +359,7 @@ if ($search_product_category > 0) { $sql .= " AND cp.fk_categorie = ".$search_product_category; } if ($socid > 0) { - $sql .= ' AND s.rowid = '.$socid; + $sql .= ' AND s.rowid = '.((int) $socid); } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; @@ -374,7 +374,7 @@ if ($sall) { $sql .= natural_search(array_keys($fieldstosearchall), $sall); } if ($search_billed != '' && $search_billed >= 0) { - $sql .= ' AND c.facture = '.$search_billed; + $sql .= ' AND c.facture = '.((int) $search_billed); } if ($search_status <> '') { if ($search_status < 4 && $search_status > -3) { diff --git a/htdocs/compta/facture/class/facture-rec.class.php b/htdocs/compta/facture/class/facture-rec.class.php index ee4d1a48397..367523084e2 100644 --- a/htdocs/compta/facture/class/facture-rec.class.php +++ b/htdocs/compta/facture/class/facture-rec.class.php 
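Review bot: The context line directly above the change, `$sql .= " AND cp.fk_categorie = ".$search_product_category;`, still concatenates a bare numeric without the cast this commit applies to `$socid`, and its only guard is `$search_product_category > 0`, which a non-numeric string can also satisfy under PHP's loose comparison; `((int) $search_product_category)` closes that (the value's origin is outside the hunk, but the name suggests a request filter). The same pattern — a sibling filter inside the hunk left uncast while its neighbour is fixed — appears in expedition/list.php (`e.fk_soc = ".$socid`), reception/list.php (`e.fk_statut = ".$search_status`) and supplier_proposal/list.php @@ -379 (`c.fk_socpeople = ".$search_user`). The second hunk in this file (`$search_billed`) is fine.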
@@ -1153,14 +1153,14 @@ class FactureRec extends CommonInvoice $sql .= ", date_end_fill=".((int) $date_end_fill); $sql .= ", fk_product_fournisseur_price=".($fk_fournprice > 0 ? $fk_fournprice : 'null'); $sql .= ", buy_price_ht=".($pa_ht ? price2num($pa_ht) : 0); - $sql .= ", info_bits=".$info_bits; - $sql .= ", rang=".$rang; - $sql .= ", special_code=".$special_code; + $sql .= ", info_bits=".((int) $info_bits); + $sql .= ", rang=".((int) $rang); + $sql .= ", special_code=".((int) $special_code); $sql .= ", fk_unit=".($fk_unit ? "'".$this->db->escape($fk_unit)."'" : "null"); - $sql .= ', multicurrency_subprice = '.$pu_ht_devise; - $sql .= ', multicurrency_total_ht = '.$multicurrency_total_ht; - $sql .= ', multicurrency_total_tva = '.$multicurrency_total_tva; - $sql .= ', multicurrency_total_ttc = '.$multicurrency_total_ttc; + $sql .= ', multicurrency_subprice = '.price2num($pu_ht_devise); + $sql .= ', multicurrency_total_ht = '.price2num($multicurrency_total_ht); + $sql .= ', multicurrency_total_tva = '.price2num($multicurrency_total_tva); + $sql .= ', multicurrency_total_ttc = '.price2num($multicurrency_total_ttc); $sql .= " WHERE rowid = ".((int) $rowid); dol_syslog(get_class($this)."::updateline", LOG_DEBUG); @@ -1248,7 +1248,7 @@ class FactureRec extends CommonInvoice $sql .= ' AND suspended = 0'; $sql .= ' AND entity = '.$conf->entity; // MUST STAY = $conf->entity here if ($restrictioninvoiceid > 0) { - $sql .= ' AND rowid = '.$restrictioninvoiceid; + $sql .= ' AND rowid = '.((int) $restrictioninvoiceid); } $sql .= $this->db->order('entity', 'ASC'); //print $sql;exit; diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php index 26a5d862457..dfb2d5a3b52 100644 --- a/htdocs/compta/facture/class/facture.class.php +++ b/htdocs/compta/facture/class/facture.class.php 
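Review bot: `price2num()` on the four new multicurrency lines passes an empty input through as an empty string rather than `0` (as far as I recall its behaviour), which would leave `multicurrency_subprice = ` with nothing after it and break the UPDATE; the `buy_price_ht` line two rows up already guards this with `($pa_ht ? price2num($pa_ht) : 0)`, so the new lines should take the same form, e.g. `$sql .= ', multicurrency_subprice = '.($pu_ht_devise ? price2num($pu_ht_devise) : 0);`. Whether callers can actually pass an empty value here is not visible in the hunk. The context line `fk_product_fournisseur_price=".($fk_fournprice > 0 ? $fk_fournprice : 'null')` is the one remaining bare numeric in this SET list; `((int) $fk_fournprice)` would match the rest. The second hunk in this file (`$restrictioninvoiceid`) is fine.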
@@ -5739,8 +5739,8 @@ class FactureLigne extends CommonInvoiceLine if ($include_credit_note) { $sql = 'SELECT fd.situation_percent FROM '.MAIN_DB_PREFIX.'facturedet fd'; $sql .= ' JOIN '.MAIN_DB_PREFIX.'facture f ON (f.rowid = fd.fk_facture) '; - $sql .= ' WHERE fd.fk_prev_id ='.$this->fk_prev_id; - $sql .= ' AND f.situation_cycle_ref = '.$invoicecache[$invoiceid]->situation_cycle_ref; // Prevent cycle outed + $sql .= ' WHERE fd.fk_prev_id = '.((int) $this->fk_prev_id); + $sql .= ' AND f.situation_cycle_ref = '.((int) $invoicecache[$invoiceid]->situation_cycle_ref); // Prevent cycle outed $sql .= ' AND f.type = '.Facture::TYPE_CREDIT_NOTE; $res = $this->db->query($sql); diff --git a/htdocs/compta/facture/list.php b/htdocs/compta/facture/list.php index db666d1b1ae..14b0383fa8d 100644 --- a/htdocs/compta/facture/list.php +++ b/htdocs/compta/facture/list.php @@ -550,7 +550,7 @@ if ($search_product_category > 0) { $sql .= " AND cp.fk_categorie = ".$db->escape($search_product_category); } if ($socid > 0) { - $sql .= ' AND s.rowid = '.$socid; + $sql .= ' AND s.rowid = '.((int) $socid); } if ($userid) { if ($userid == -1) { diff --git a/htdocs/compta/paiement.php b/htdocs/compta/paiement.php index 94b114c03d8..12a6eb97d13 100644 --- a/htdocs/compta/paiement.php +++ b/htdocs/compta/paiement.php @@ -873,7 +873,7 @@ if (!GETPOST('action', 'aZ09')) { $sql .= ' WHERE p.fk_facture = f.rowid'; $sql .= ' AND f.entity IN ('.getEntity('invoice').')'; if ($socid) { - $sql .= ' AND f.fk_soc = '.$socid; + $sql .= ' AND f.fk_soc = '.((int) $socid); } $sql .= ' ORDER BY '.$sortfield.' '.$sortorder; diff --git a/htdocs/compta/stats/supplier_turnover_by_thirdparty.php b/htdocs/compta/stats/supplier_turnover_by_thirdparty.php index 32b85b9aea9..b1b1f219f53 100644 --- a/htdocs/compta/stats/supplier_turnover_by_thirdparty.php +++ b/htdocs/compta/stats/supplier_turnover_by_thirdparty.php 
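Review bot: The cast on `$this->fk_prev_id` changes what happens when the property is unset or empty: the old concatenation produced a malformed `fk_prev_id =` and a failed query, while `((int) ...)` now silently queries `fk_prev_id = 0`; the same applies to `$invoicecache[$invoiceid]->situation_cycle_ref` when the cache entry is missing. If those states are reachable here (the method starts before the hunk, so I cannot tell), an early return guarded by `if (empty($this->fk_prev_id))` before the query is built, or a comment stating why `0` is an acceptable fallback, would make the intent explicit.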
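Review bot: The context line above the change, `cp.fk_categorie = ".$db->escape($search_product_category)`, relies on `escape()` for a value inserted bare into the expression; escaping only neutralises quote characters, so for an unquoted numeric it is the cast the commit applies to `$socid` that is needed: `$sql .= " AND cp.fk_categorie = ".((int) $search_product_category);`. The same escape-on-bare-number pattern is left on the context line of ecm/class/ecmfiles.class.php (`t.src_object_id = ".$this->db->escape($src_object_id)`), while that hunk's own change already moves `t.rowid` to `(int)`.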
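Review bot: The context line `$sql .= ' ORDER BY '.$sortfield.' '.$sortorder;` at the end of this hunk concatenates the sort parameters raw, while the categorie and facture-rec hunks of this same commit go through `$this->db->order($sortfield, $sortorder)`; `$sql .= $db->order($sortfield, $sortorder);` would bring this query in line. Where `$sortfield` and `$sortorder` come from is outside the hunk, but in list pages they are usually request parameters, which is the case that helper exists for.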
@@ -296,7 +296,7 @@ if (!empty($search_town)) { $sql .= natural_search('s.town', $search_town); } if ($search_country > 0) { - $sql .= ' AND s.fk_pays = '.$search_country.''; + $sql .= ' AND s.fk_pays = '.((int) $search_country); } $sql .= " AND f.entity IN (".getEntity('supplier_invoice').")"; if ($socid) { diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php index 4aa20d8f41a..3f189a43943 100644 --- a/htdocs/core/class/commonobject.class.php +++ b/htdocs/core/class/commonobject.class.php @@ -3117,7 +3117,7 @@ abstract class CommonObject public function getRangOfLine($rowid) { $sql = 'SELECT rang FROM '.MAIN_DB_PREFIX.$this->table_element_line; - $sql .= ' WHERE rowid ='.$rowid; + $sql .= ' WHERE rowid ='.((int) $rowid); dol_syslog(get_class($this)."::getRangOfLine", LOG_DEBUG); $resql = $this->db->query($sql); @@ -3137,7 +3137,7 @@ abstract class CommonObject { $sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.$this->table_element_line; $sql .= ' WHERE '.$this->fk_element.' = '.$this->id; - $sql .= ' AND rang = '.$rang; + $sql .= ' AND rang = '.((int) $rang); $resql = $this->db->query($sql); if ($resql) { $row = $this->db->fetch_row($resql); diff --git a/htdocs/core/modules/supplier_payment/doc/pdf_standard.modules.php b/htdocs/core/modules/supplier_payment/doc/pdf_standard.modules.php index 138a6210904..a0191a3dd08 100644 --- a/htdocs/core/modules/supplier_payment/doc/pdf_standard.modules.php +++ b/htdocs/core/modules/supplier_payment/doc/pdf_standard.modules.php 
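Review bot: In the second commonobject hunk, the context line `$sql .= ' WHERE '.$this->fk_element.' = '.$this->id;` still concatenates `$this->id` bare, right above the `$rang` line that receives the cast; `((int) $this->id)` would make the two conditions consistent. The first hunk (`getRangOfLine`) is fine as changed; its docblock lies above the hunk, so I cannot tell whether `$rowid` is documented as an int there.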
@@ -220,7 +220,7 @@ class pdf_standard extends ModelePDFSuppliersPayments $sql .= ', f.fk_statut, s.nom as name, s.rowid as socid'; $sql .= ' FROM '.MAIN_DB_PREFIX.'paiementfourn_facturefourn as pf,'.MAIN_DB_PREFIX.'facture_fourn as f,'.MAIN_DB_PREFIX.'societe as s'; $sql .= ' WHERE pf.fk_facturefourn = f.rowid AND f.fk_soc = s.rowid'; - $sql .= ' AND pf.fk_paiementfourn = '.$object->id; + $sql .= ' AND pf.fk_paiementfourn = '.((int) $object->id); $resql = $this->db->query($sql); if ($resql) { if ($this->db->num_rows($resql) > 0) { diff --git a/htdocs/cron/class/cronjob.class.php b/htdocs/cron/class/cronjob.class.php index 2af3b39789e..f54f7c40c4c 100644 --- a/htdocs/cron/class/cronjob.class.php +++ b/htdocs/cron/class/cronjob.class.php @@ -553,11 +553,11 @@ class Cronjob extends CommonObject } elseif ($status == 2) { $sql .= " AND t.status = 2"; } - //Manage filter + // Manage filter if (is_array($filter) && count($filter) > 0) { foreach ($filter as $key => $value) { if ($key == 't.rowid') { - $sql .= ' AND '.$key.' = '.$this->db->escape($value); + $sql .= ' AND '.$key.' = '.((int) $value); } else { $sql .= ' AND '.$key.' LIKE \'%'.$this->db->escape($value).'%\''; } diff --git a/htdocs/ecm/class/ecmfiles.class.php b/htdocs/ecm/class/ecmfiles.class.php index e5e7ce8549b..485551cbe13 100644 --- a/htdocs/ecm/class/ecmfiles.class.php +++ b/htdocs/ecm/class/ecmfiles.class.php @@ -428,7 +428,7 @@ class EcmFiles extends CommonObject $sql .= " AND t.src_object_type ='".$this->db->escape($src_object_type)."' AND t.src_object_id = ".$this->db->escape($src_object_id); $sql .= " AND t.entity = ".$conf->entity; } else { - $sql .= ' AND t.rowid = '.$this->db->escape($id); // rowid already unique + $sql .= ' AND t.rowid = '.((int) $id); // rowid already unique } $this->db->plimit(1); // When we search on src or on hash of content (hashforfile) to solve hash conflict when several files has same content, we take first one only 
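Review bot: In the cronjob hunk, `$key` is concatenated into the WHERE clause unmodified in both branches (`' AND '.$key.' = '` and `' AND '.$key.' LIKE '`), so the new cast on `$value` covers only half of each expression; if `$filter` keys can be supplied from outside the class (not visible here), passing them through `$this->db->sanitize($key)` before concatenation — the helper this commit already uses for the `IN (...)` lists — closes that, e.g. `$sql .= ' AND '.$this->db->sanitize($key).' = '.((int) $value);`. In the `LIKE` branch, `escape()` neutralises quotes but leaves `%` and `_` meaningful, so the value acts as a pattern rather than a literal; a short comment saying that is intended would help. The same raw `$key` concatenation is present in the hunks of public/recruitment/index.php, public/ticket/list.php and ticket/class/ticket.class.php.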
diff --git a/htdocs/expedition/list.php b/htdocs/expedition/list.php index 427efb02475..49675c263f9 100644 --- a/htdocs/expedition/list.php +++ b/htdocs/expedition/list.php @@ -295,13 +295,13 @@ if ($socid) { $sql .= " AND e.fk_soc = ".$socid; } if ($search_status <> '' && $search_status >= 0) { - $sql .= " AND e.fk_statut = ".$search_status; + $sql .= " AND e.fk_statut = ".((int) $search_status); } if ($search_ref_customer != '') { $sql .= natural_search('e.ref_customer', $search_ref_customer); } if ($search_billed != '' && $search_billed >= 0) { - $sql .= ' AND e.billed = '.$search_billed; + $sql .= ' AND e.billed = '.((int) $search_billed); } if ($search_town) { $sql .= natural_search('s.town', $search_town); diff --git a/htdocs/expensereport/class/expensereport.class.php b/htdocs/expensereport/class/expensereport.class.php index 8ec99aa1007..be09b670d84 100644 --- a/htdocs/expensereport/class/expensereport.class.php +++ b/htdocs/expensereport/class/expensereport.class.php @@ -2761,9 +2761,9 @@ class ExpenseReportLine if (!empty($this->id)) { $sql .= ' AND d.rowid <> '.$this->id; } - $sql .= ' AND d.fk_c_type_fees = '.$rule->fk_c_type_fees; + $sql .= ' AND d.fk_c_type_fees = '.((int) $rule->fk_c_type_fees); if ($mode == 'day' || $mode == 'EX_DAY') { - $sql .= ' AND d.date = \''.dol_print_date($this->date, '%Y-%m-%d').'\''; + $sql .= " AND d.date = '".dol_print_date($this->date, '%Y-%m-%d')."'"; } elseif ($mode == 'mon' || $mode == 'EX_MON') { $sql .= ' AND DATE_FORMAT(d.date, \'%Y-%m\') = \''.dol_print_date($this->date, '%Y-%m').'\''; // @todo DATE_FORMAT is forbidden } elseif ($mode == 'year' || $mode == 'EX_YEA') { diff --git a/htdocs/expensereport/class/expensereport_ik.class.php b/htdocs/expensereport/class/expensereport_ik.class.php index 6c6623c30c7..358a2fe06ca 100644 --- a/htdocs/expensereport/class/expensereport_ik.class.php +++ b/htdocs/expensereport/class/expensereport_ik.class.php 
@@ -248,7 +248,7 @@ class ExpenseReportIk extends CoreObject $sql .= ' FROM '.MAIN_DB_PREFIX.'c_exp_tax_range r'; $sql .= ' WHERE r.entity IN (0, '.$conf->entity.')'; if ($default_c_exp_tax_cat > 0) { - $sql .= ' AND r.fk_c_exp_tax_cat = '.$default_c_exp_tax_cat; + $sql .= ' AND r.fk_c_exp_tax_cat = '.((int) $default_c_exp_tax_cat); } $sql .= ' GROUP BY r.fk_c_exp_tax_cat'; $sql .= ') as counts'; diff --git a/htdocs/expensereport/class/expensereport_rule.class.php b/htdocs/expensereport/class/expensereport_rule.class.php index 653f030b6d2..03ecab10f6a 100644 --- a/htdocs/expensereport/class/expensereport_rule.class.php +++ b/htdocs/expensereport/class/expensereport_rule.class.php @@ -160,13 +160,12 @@ class ExpenseReportRule extends CoreObject $sql .= ' AND er.fk_c_type_fees IN (-1, '.$fk_c_type_fees.')'; } if (!empty($date)) { - $date = dol_print_date($date, '%Y-%m-%d'); - $sql .= ' AND er.dates <= \''.$date.'\''; - $sql .= ' AND er.datee >= \''.$date.'\''; + $sql .= " AND er.dates <= '".dol_print_date($date, '%Y-%m-%d')."'"; + $sql .= " AND er.datee >= '".dol_print_date($date, '%Y-%m-%d')."'"; } if ($fk_user > 0) { $sql .= ' AND (er.is_for_all = 1'; - $sql .= ' OR er.fk_user = '.$fk_user; + $sql .= ' OR er.fk_user = '.((int) $fk_user); $sql .= ' OR er.fk_usergroup IN (SELECT ugu.fk_usergroup FROM '.MAIN_DB_PREFIX.'usergroup_user ugu WHERE ugu.fk_user = '.((int) $fk_user).') )'; } $sql .= ' ORDER BY er.is_for_all, er.fk_usergroup, er.fk_user'; diff --git a/htdocs/fourn/facture/paiement.php b/htdocs/fourn/facture/paiement.php index 1efb8fce26b..c7a2149c441 100644 --- a/htdocs/fourn/facture/paiement.php +++ b/htdocs/fourn/facture/paiement.php 
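Review bot: In the expensereport_rule hunk, `dol_print_date($date, '%Y-%m-%d')` is now evaluated twice for the two bounds; the removed code computed it once but clobbered the `$date` parameter, and a fresh local keeps both benefits: `$datesql = dol_print_date($date, '%Y-%m-%d');` followed by `$sql .= " AND er.dates <= '".$datesql."'";` and `$sql .= " AND er.datee >= '".$datesql."'";`. The context line above, `er.fk_c_type_fees IN (-1, '.$fk_c_type_fees.')'`, is the one bare numeric in this block left without the cast that `$fk_user` receives twice further down.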
@@ -369,7 +369,7 @@ if ($action == 'create' || $action == 'confirm_paiement' || $action == 'add_paie $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; } $sql .= ' WHERE f.fk_soc = s.rowid'; - $sql .= ' AND f.rowid = '.$facid; + $sql .= ' AND f.rowid = '.((int) $facid); if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } diff --git a/htdocs/fourn/paiement/list.php b/htdocs/fourn/paiement/list.php index ecd572e1046..6a38ae2033d 100644 --- a/htdocs/fourn/paiement/list.php +++ b/htdocs/fourn/paiement/list.php @@ -182,7 +182,7 @@ if (!$user->rights->societe->client->voir) { $sql .= ' AND s.rowid = sc.fk_soc AND sc.fk_user = '.$user->id; } if ($socid > 0) { - $sql .= ' AND f.fk_soc = '.$socid; + $sql .= ' AND f.fk_soc = '.((int) $socid); } if ($search_ref) { $sql .= natural_search('p.ref', $search_ref); diff --git a/htdocs/includes/restler/framework/Luracast/Restler/explorer/explorer.html b/htdocs/includes/restler/framework/Luracast/Restler/explorer/explorer.html new file mode 100644 index 00000000000..7fedb694c17 --- /dev/null +++ b/htdocs/includes/restler/framework/Luracast/Restler/explorer/explorer.html @@ -0,0 +1,144 @@ + + + + + + Swagger UI + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
 
+
+ + diff --git a/htdocs/margin/customerMargins.php b/htdocs/margin/customerMargins.php index 67639acb745..7fed219ffcd 100644 --- a/htdocs/margin/customerMargins.php +++ b/htdocs/margin/customerMargins.php @@ -234,7 +234,7 @@ if (!$user->rights->societe->client->voir && !$socid) { } $sql .= " WHERE f.fk_soc = s.rowid"; if ($socid > 0) { - $sql .= ' AND s.rowid = '.$socid; + $sql .= ' AND s.rowid = '.((int) $socid); } if (!$user->rights->societe->client->voir && !$socid) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; diff --git a/htdocs/mrp/class/mo.class.php b/htdocs/mrp/class/mo.class.php index d7635b9a78e..b357fd8a5b5 100644 --- a/htdocs/mrp/class/mo.class.php +++ b/htdocs/mrp/class/mo.class.php @@ -500,7 +500,7 @@ class Mo extends CommonObject $sql .= ' FROM '.MAIN_DB_PREFIX.$mostatic->table_element.' as t'; $sql .= " WHERE t.role = '".$this->db->escape($role)."'"; if ($lineid > 0) { - $sql .= ' AND t.fk_mrp_production = '.$lineid; + $sql .= ' AND t.fk_mrp_production = '.((int) $lineid); } else { $sql .= 'AND t.fk_mo = '.$this->id; } diff --git a/htdocs/product/stock/lib/replenishment.lib.php b/htdocs/product/stock/lib/replenishment.lib.php index 1faa67ad860..a7354c1d001 100644 --- a/htdocs/product/stock/lib/replenishment.lib.php +++ b/htdocs/product/stock/lib/replenishment.lib.php @@ -126,7 +126,7 @@ function ordered($product_id) } else { $sql .= ' cf.fk_statut < 5'; } - $sql .= ' AND cfd.fk_product = '.$product_id; + $sql .= ' AND cfd.fk_product = '.((int) $product_id); $sql .= ' GROUP BY cfd.fk_product'; $resql = $db->query($sql); diff --git a/htdocs/product/stock/replenishorders.php b/htdocs/product/stock/replenishorders.php index f5978313a1e..17490e330bb 100644 --- a/htdocs/product/stock/replenishorders.php +++ b/htdocs/product/stock/replenishorders.php 
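Review bot: In the mo.class.php hunk, the else branch kept as context, `$sql .= 'AND t.fk_mo = '.$this->id;`, lacks the leading space every other fragment of this builder has, so the generated text runs `role = '...'AND t.fk_mo = ...` straight after the closing quote of the `role` literal; whether the database tokenises that is engine-dependent, and `$this->id` is also the only bare numeric in the query. `$sql .= ' AND t.fk_mo = '.((int) $this->id);` would match the changed line in the other branch.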
@@ -154,7 +154,7 @@ if ($sall) { $sql .= natural_search(array('cf.ref', 'cf.note'), $sall); } if (!empty($socid)) { - $sql .= ' AND s.rowid = '.$socid; + $sql .= ' AND s.rowid = '.((int) $socid); } if (GETPOST('statut', 'int')) { $sql .= ' AND fk_statut = '.GETPOST('statut', 'int'); diff --git a/htdocs/product/stock/stockatdate.php b/htdocs/product/stock/stockatdate.php index e5eb2751109..788c75f1141 100644 --- a/htdocs/product/stock/stockatdate.php +++ b/htdocs/product/stock/stockatdate.php @@ -258,7 +258,7 @@ $sql .= $hookmanager->resPrint; $sql .= ' FROM '.MAIN_DB_PREFIX.'product as p'; if ($fk_warehouse > 0) { - $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '.$fk_warehouse; + $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '.((int) $fk_warehouse); } // Add fields from hooks $parameters = array(); diff --git a/htdocs/projet/activity/perday.php b/htdocs/projet/activity/perday.php index 5b238d96b92..3c67673ad49 100644 --- a/htdocs/projet/activity/perday.php +++ b/htdocs/projet/activity/perday.php 
@@ -201,7 +201,7 @@ if ($action == 'addtime' && $user->rights->projet->lire && GETPOST('assigntask') if ($result >= 0 || $result == -2) { // Contact add ok or already contact of task // Test if we are already contact of the project (should be rare but sometimes we can add as task contact without being contact of project, like when admin user has been removed from contact of project) $sql = 'SELECT ec.rowid FROM '.MAIN_DB_PREFIX.'element_contact as ec, '.MAIN_DB_PREFIX.'c_type_contact as tc WHERE tc.rowid = ec.fk_c_type_contact'; - $sql .= ' AND ec.fk_socpeople = '.$idfortaskuser." AND ec.element_id = '.$object->fk_project.' AND tc.element = 'project' AND source = 'internal'"; + $sql .= ' AND ec.fk_socpeople = '.((int) $idfortaskuser)." AND ec.element_id = '.$object->fk_project.' AND tc.element = 'project' AND source = 'internal'"; $resql = $db->query($sql); if ($resql) { $obj = $db->fetch_object($resql); diff --git a/htdocs/projet/activity/permonth.php b/htdocs/projet/activity/permonth.php index 43cdfa863f5..087fe5b8f0b 100644 --- a/htdocs/projet/activity/permonth.php +++ b/htdocs/projet/activity/permonth.php 
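Review bot: The rewritten line still carries a real bug in its second half: `." AND ec.element_id = '.$object->fk_project.' AND tc.element = 'project' AND source = 'internal'"` is one double-quoted string, so PHP interpolates `$object->fk_project` but the surrounding `'.` and `.'` are literal characters, and the SQL sent reads `ec.element_id = '.42.'` (e.g. for project id 42) — a string literal that no integer `element_id` will equal, so the "already a contact of the project" check cannot succeed. The cast added for `$idfortaskuser` should be extended and the quoting fixed: `$sql .= ' AND ec.fk_socpeople = '.((int) $idfortaskuser).' AND ec.element_id = '.((int) $object->fk_project)." AND tc.element = 'project' AND source = 'internal'";`. The identical line is changed the same way in projet/activity/permonth.php and projet/activity/perweek.php and needs the same fix. The enclosing `if ($result >= 0 || $result == -2)` block starts before the hunk.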
@@ -156,7 +156,7 @@ if ($action == 'addtime' && $user->rights->projet->lire && GETPOST('assigntask') if ($result >= 0 || $result == -2) { // Contact add ok or already contact of task // Test if we are already contact of the project (should be rare but sometimes we can add as task contact without being contact of project, like when admin user has been removed from contact of project) $sql = 'SELECT ec.rowid FROM '.MAIN_DB_PREFIX.'element_contact as ec, '.MAIN_DB_PREFIX.'c_type_contact as tc WHERE tc.rowid = ec.fk_c_type_contact'; - $sql .= ' AND ec.fk_socpeople = '.$idfortaskuser." AND ec.element_id = '.$object->fk_project.' AND tc.element = 'project' AND source = 'internal'"; + $sql .= ' AND ec.fk_socpeople = '.((int) $idfortaskuser)." AND ec.element_id = '.$object->fk_project.' AND tc.element = 'project' AND source = 'internal'"; $resql = $db->query($sql); if ($resql) { $obj = $db->fetch_object($resql); diff --git a/htdocs/projet/activity/perweek.php b/htdocs/projet/activity/perweek.php index 62f26a881b7..3d380ab7f4e 100644 --- a/htdocs/projet/activity/perweek.php +++ b/htdocs/projet/activity/perweek.php 
@@ -214,7 +214,7 @@ if ($action == 'addtime' && $user->rights->projet->lire && GETPOST('assigntask') if ($result >= 0 || $result == -2) { // Contact add ok or already contact of task // Test if we are already contact of the project (should be rare but sometimes we can add as task contact without being contact of project, like when admin user has been removed from contact of project) $sql = 'SELECT ec.rowid FROM '.MAIN_DB_PREFIX.'element_contact as ec, '.MAIN_DB_PREFIX.'c_type_contact as tc WHERE tc.rowid = ec.fk_c_type_contact'; - $sql .= ' AND ec.fk_socpeople = '.$idfortaskuser." AND ec.element_id = '.$object->fk_project.' AND tc.element = 'project' AND source = 'internal'"; + $sql .= ' AND ec.fk_socpeople = '.((int) $idfortaskuser)." AND ec.element_id = '.$object->fk_project.' AND tc.element = 'project' AND source = 'internal'"; $resql = $db->query($sql); if ($resql) { $obj = $db->fetch_object($resql); diff --git a/htdocs/public/payment/newpayment.php b/htdocs/public/payment/newpayment.php index 40c742d562a..7f9835069bf 100644 --- a/htdocs/public/payment/newpayment.php +++ b/htdocs/public/payment/newpayment.php @@ -802,7 +802,7 @@ if ($urllogo) { print ''."\n"; -print ''."\n"; +print ''."\n"; // Additionnal information for each payment system if (!empty($conf->paypal->enabled)) { print ''."\n"; diff --git a/htdocs/public/recruitment/index.php b/htdocs/public/recruitment/index.php index 5118f7ebfc0..7d4ec0223f1 100644 --- a/htdocs/public/recruitment/index.php +++ b/htdocs/public/recruitment/index.php 
@@ -258,15 +258,15 @@ if ($display_ticket_list) { if (!empty($filter)) { foreach ($filter as $key => $value) { if (strpos($key, 'date')) { // To allow $filter['YEAR(s.dated)']=>$year - $sql .= ' AND '.$key.' = \''.$value.'\''; + $sql .= ' AND '.$key.' = \''.$db->escape($value).'\''; } elseif ($key == 't.fk_statut') { if (is_array($value) && count($value) > 0) { $sql .= 'AND '.$key.' IN ('.$db->sanitize(implode(',', $value)).')'; } else { - $sql .= ' AND '.$key.' = '.$db->escape($value); + $sql .= ' AND '.$key.' = '.((int) $value); } } else { - $sql .= ' AND '.$key.' LIKE \'%'.$value.'%\''; + $sql .= ' AND '.$key.' LIKE \'%'.$db->escape($value).'%\''; } } } diff --git a/htdocs/public/ticket/list.php b/htdocs/public/ticket/list.php index 92962732a68..1e1eb08dd5e 100644 --- a/htdocs/public/ticket/list.php +++ b/htdocs/public/ticket/list.php @@ -359,17 +359,17 @@ if ($action == "view_ticketlist") { if (!empty($filter)) { foreach ($filter as $key => $value) { if (strpos($key, 'date')) { // To allow $filter['YEAR(s.dated)']=>$year - $sql .= ' AND '.$key.' = \''.$value.'\''; + $sql .= ' AND '.$key.' = \''.$db->escape($value).'\''; } elseif (($key == 't.fk_user_assign') || ($key == 't.type_code') || ($key == 't.category_code') || ($key == 't.severity_code')) { $sql .= " AND ".$key." = '".$db->escape($value)."'"; } elseif ($key == 't.fk_statut') { if (is_array($value) && count($value) > 0) { $sql .= 'AND '.$key.' IN ('.$db->sanitize(implode(',', $value)).')'; } else { - $sql .= ' AND '.$key.' = '.$db->escape($value); + $sql .= ' AND '.$key.' = '.((int) $value); } } else { - $sql .= ' AND '.$key.' LIKE \'%'.$value.'%\''; + $sql .= ' AND '.$key.' LIKE \'%'.$db->escape($value).'%\''; } } } diff --git a/htdocs/reception/list.php b/htdocs/reception/list.php index 44d4cf32a5c..7295b3df75a 100644 --- a/htdocs/reception/list.php +++ b/htdocs/reception/list.php 
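Review bot: In the recruitment hunk, `strpos($key, 'date')` on the context line of the first branch is used as a plain truth test, so a key that begins with `date` yields position `0`, counts as false and falls through to the final `LIKE` branch, where the value is wrapped in wildcards instead of compared as a date; `strpos($key, 'date') !== false` expresses the intent (the in-code comment only mentions keys like `YEAR(s.dated)`, so this may be latent rather than hit today). public/ticket/list.php carries the identical test in its hunk. The enclosing block starts before the hunk.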
@@ -460,7 +460,7 @@ if ($search_status <> '' && $search_status >= 0) { $sql .= " AND e.fk_statut = ".$search_status; } if ($search_billed != '' && $search_billed >= 0) { - $sql .= ' AND e.billed = '.$search_billed; + $sql .= ' AND e.billed = '.((int) $search_billed); } if ($search_town) { $sql .= natural_search('s.town', $search_town); diff --git a/htdocs/supplier_proposal/list.php b/htdocs/supplier_proposal/list.php index 2c7ba7694dd..3b9a7892310 100644 --- a/htdocs/supplier_proposal/list.php +++ b/htdocs/supplier_proposal/list.php @@ -371,7 +371,7 @@ if ($sall) { $sql .= natural_search(array_keys($fieldstosearchall), $sall); } if ($socid) { - $sql .= ' AND s.rowid = '.$socid; + $sql .= ' AND s.rowid = '.((int) $socid); } if ($search_status >= 0 && $search_status != '') { $sql .= ' AND sp.fk_statut IN ('.$db->sanitize($db->escape($search_status)).')'; @@ -379,7 +379,7 @@ if ($search_status >= 0 && $search_status != '') { $sql .= dolSqlDateFilter("sp.date_livraison", $day, $month, $year); $sql .= dolSqlDateFilter("sp.date_valid", $dayvalid, $monthvalid, $yearvalid); if ($search_sale > 0) { - $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$search_sale; + $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $search_sale); } if ($search_user > 0) { $sql .= " AND c.fk_c_type_contact = tc.rowid AND tc.element='supplier_proposal' AND tc.source='internal' AND c.element_id = sp.rowid AND c.fk_socpeople = ".$search_user; diff --git a/htdocs/ticket/class/ticket.class.php b/htdocs/ticket/class/ticket.class.php index c16817ad7a5..6d5f7022a41 100644 --- a/htdocs/ticket/class/ticket.class.php +++ b/htdocs/ticket/class/ticket.class.php 
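Review bot: In the first supplier_proposal hunk, `$db->sanitize($db->escape($search_status))` on the context line after the change stacks two helpers that serve different purposes: `escape()` prepares a value for a quoted literal, while `sanitize()` strips everything outside its allowed character set, so for this bare `IN (...)` list the inner `escape()` adds nothing and the expression reads more clearly as `$db->sanitize($search_status)`. The `(int)` cast on `$socid` is fine.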
@@ -719,10 +719,10 @@ class Ticket extends CommonObject if (is_array($value) && count($value) > 0) { $sql .= 'AND '.$key.' IN ('.$this->db->sanitize(implode(',', $value)).')'; } else { - $sql .= ' AND '.$key.' = '.$this->db->escape($value); + $sql .= ' AND '.$key.' = '.((int) $value); } } else { - $sql .= ' AND '.$key.' LIKE \'%'.$value.'%\''; + $sql .= ' AND '.$key.' LIKE \'%'.$this->db->escape($value).'%\''; } } } diff --git a/htdocs/website/class/websitepage.class.php b/htdocs/website/class/websitepage.class.php index f22a5200148..2fd363c7965 100644 --- a/htdocs/website/class/websitepage.class.php +++ b/htdocs/website/class/websitepage.class.php @@ -413,7 +413,7 @@ class WebsitePage extends CommonObject if (count($filter) > 0) { foreach ($filter as $key => $value) { if ($key == 't.rowid' || $key == 't.fk_website' || $key == 'status') { - $sqlwhere[] = $key.' = '.$value; + $sqlwhere[] = $key.' = '.((int) $value); } elseif ($key == 'type_container') { $sqlwhere[] = $key." = '".$this->db->escape($value)."'"; } elseif ($key == 'lang' || $key == 't.lang') { @@ -515,7 +515,7 @@ class WebsitePage extends CommonObject if (count($filter) > 0) { foreach ($filter as $key => $value) { if ($key == 't.rowid' || $key == 't.fk_website' || $key == 'status') { - $sqlwhere[] = $key.' = '.$value; + $sqlwhere[] = $key.' = '.((int) $value); } elseif ($key == 'type_container') { $sqlwhere[] = $key." = '".$this->db->escape($value)."'"; } elseif ($key == 'lang' || $key == 't.lang') { @@ -528,7 +528,7 @@ class WebsitePage extends CommonObject } $listoflang[] = "'".$this->db->escape(substr(str_replace("'", '', $tmpvalue), 0, 2))."'"; } - $stringtouse = $key." IN (".$this->db->sanitize(join(',', $listoflang)).")"; + $stringtouse = $key." IN (".$this->db->sanitize(join(',', $listoflang), 1).")"; if ($foundnull) { $stringtouse = '('.$stringtouse.' OR '.$key.' IS NULL)'; } 
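Review bot: In the third websitepage hunk, the new second argument to `sanitize()` is a bare `1` whose meaning (allow simple quotes, needed because `$listoflang` holds quoted, escaped two-letter codes) has to be looked up; a trailing comment such as `// 1 = keep the single quotes around the already-escaped language codes` on that line would save the next reader the trip. `join()` is only an alias of `implode()`; `implode(',', $listoflang)` matches the name the rest of this commit uses (`implode(',', $value)` in the ticket hunks). The two `(int)` hunks earlier in this file are fine.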
diff --git a/htdocs/website/websiteaccount_card.php b/htdocs/website/websiteaccount_card.php index 957173335c0..2074873a031 100644 --- a/htdocs/website/websiteaccount_card.php +++ b/htdocs/website/websiteaccount_card.php @@ -281,7 +281,7 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea $morehtmlref .= ''; if ($socid > 0) { - $object->next_prev_filter = 'te.fk_soc = '.$socid; + $object->next_prev_filter = 'te.fk_soc = '.((int) $socid); } dol_banner_tab($object, 'id', $linkback, 1, 'rowid', 'rowid', $morehtmlref);