diff --git a/htdocs/admin/company.php b/htdocs/admin/company.php index 0021cac68b4..59fa9eeae2f 100644 --- a/htdocs/admin/company.php +++ b/htdocs/admin/company.php @@ -80,7 +80,7 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha')) dolibarr_set_const($db, "MAIN_INFO_SOCIETE_ZIP", GETPOST("zipcode",'alpha'),'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_STATE", GETPOST("state_id",'alpha'),'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_REGION", GETPOST("region_code",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_MONNAIE", GETPOST("currency",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_MONNAIE", GETPOST("currency",'aZ09'),'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_TEL", GETPOST("tel",'alpha'),'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FAX", GETPOST("fax",'alpha'),'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MAIL", GETPOST("mail",'alpha'),'chaine',0,'',$conf->entity); @@ -156,26 +156,26 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha')) } } - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MANAGERS", GETPOST("MAIN_INFO_SOCIETE_MANAGERS",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_CAPITAL", GETPOST("capital",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FORME_JURIDIQUE", GETPOST("forme_juridique_code",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SIREN", GETPOST("siren",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_SIRET", GETPOST("siret",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_APE", GETPOST("ape",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_RCS", GETPOST("rcs",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_PROFID5", GETPOST("MAIN_INFO_PROFID5",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_PROFID6", GETPOST("MAIN_INFO_PROFID6",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_MANAGERS", GETPOST("MAIN_INFO_SOCIETE_MANAGERS",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_CAPITAL", GETPOST("capital",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SOCIETE_FORME_JURIDIQUE", GETPOST("forme_juridique_code",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SIREN", GETPOST("siren",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_SIRET", GETPOST("siret",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_APE", GETPOST("ape",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_RCS", GETPOST("rcs",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_PROFID5", GETPOST("MAIN_INFO_PROFID5",'nohtml'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_PROFID6", GETPOST("MAIN_INFO_PROFID6",'nohtml'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "MAIN_INFO_TVAINTRA", GETPOST("tva",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_TVAINTRA", GETPOST("tva",'nohtml'),'chaine',0,'',$conf->entity); dolibarr_set_const($db, "MAIN_INFO_SOCIETE_OBJECT", GETPOST("object",'nohtml'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "SOCIETE_FISCAL_MONTH_START", GETPOST("SOCIETE_FISCAL_MONTH_START",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "SOCIETE_FISCAL_MONTH_START", GETPOST("SOCIETE_FISCAL_MONTH_START",'int'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "FACTURE_TVAOPTION", GETPOST("optiontva",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "FACTURE_TVAOPTION", GETPOST("optiontva",'aZ09'),'chaine',0,'',$conf->entity); // Local taxes - dolibarr_set_const($db, "FACTURE_LOCAL_TAX1_OPTION", GETPOST("optionlocaltax1",'alpha'),'chaine',0,'',$conf->entity); - dolibarr_set_const($db, "FACTURE_LOCAL_TAX2_OPTION", GETPOST("optionlocaltax2",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "FACTURE_LOCAL_TAX1_OPTION", GETPOST("optionlocaltax1",'aZ09'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "FACTURE_LOCAL_TAX2_OPTION", GETPOST("optionlocaltax2",'aZ09'),'chaine',0,'',$conf->entity); if($_POST["optionlocaltax1"]=="localtax1on") { @@ -185,9 +185,9 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha')) } else { - dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX1", GETPOST('lt1','alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX1", GETPOST('lt1','aZ09'),'chaine',0,'',$conf->entity); } - dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC1", GETPOST("clt1",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC1", GETPOST("clt1",'aZ09'),'chaine',0,'',$conf->entity); } if($_POST["optionlocaltax2"]=="localtax2on") { @@ -197,9 +197,9 @@ if ( ($action == 'update' && ! GETPOST("cancel",'alpha')) } else { - dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX2", GETPOST('lt2','alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db, "MAIN_INFO_VALUE_LOCALTAX2", GETPOST('lt2','aZ09'),'chaine',0,'',$conf->entity); } - dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC2", GETPOST("clt2",'alpha'),'chaine',0,'',$conf->entity); + dolibarr_set_const($db,"MAIN_INFO_LOCALTAX_CALC2", GETPOST("clt2",'aZ09'),'chaine',0,'',$conf->entity); } if ($action != 'updateedit' && ! $error) @@ -415,7 +415,7 @@ if ($action == 'edit' || $action == 'updateedit') // IDs of the company (country-specific) print ''; - print ''; + print ''; $langs->load("companies"); @@ -568,7 +568,7 @@ if ($action == 'edit' || $action == 'updateedit') print '
'; print '
'.$langs->trans("CompanyIds").''.$langs->trans("Value").'
'.$langs->trans("CompanyIds").''.$langs->trans("Value").'
'; print ''; - print ''; + print ''; print ''; print "\n"; @@ -601,7 +601,7 @@ if ($action == 'edit' || $action == 'updateedit') print '
'; print '
'.$langs->trans("VATManagement").''.$langs->trans("Description").''.$langs->trans("VATManagement").''.$langs->trans("Description").' 
'; print ''; - print ''; + print ''; print ''; print "\n"; diff --git a/htdocs/comm/action/class/api_agendaevents.class.php b/htdocs/comm/action/class/api_agendaevents.class.php index 7fd76b5d1a9..b507d9c72b9 100644 --- a/htdocs/comm/action/class/api_agendaevents.class.php +++ b/htdocs/comm/action/class/api_agendaevents.class.php @@ -115,13 +115,17 @@ class AgendaEvents extends DolibarrApi // If the internal user must only see his customers, force searching by him $search_sale = 0; if (! DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) $search_sale = DolibarrApiAccess::$user->id; + if (empty($conf->societe->enabled)) $search_sale = 0; // If module thirdparty not enabled, sale representative is something that does not exists $sql = "SELECT t.id as rowid"; - if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql .= ", sc.fk_soc, sc.fk_user"; // We need these fields in order to filter by sale (including the case where the user can only see his prospects) + if (! empty($conf->societe->enabled)) + if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql .= ", sc.fk_soc, sc.fk_user"; // We need these fields in order to filter by sale (including the case where the user can only see his prospects) $sql.= " FROM ".MAIN_DB_PREFIX."actioncomm as t"; - if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; // We need this table joined to the select in order to filter by sale + if (! empty($conf->societe->enabled)) + if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; // We need this table joined to the select in order to filter by sale $sql.= ' WHERE t.entity IN ('.getEntity('agenda').')'; - if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql.= " AND t.fk_soc = sc.fk_soc"; + if (! empty($conf->societe->enabled)) + if ((!DolibarrApiAccess::$user->rights->societe->client->voir && !$socid) || $search_sale > 0) $sql.= " AND t.fk_soc = sc.fk_soc"; if ($user_ids) $sql.=" AND t.fk_user_action IN (".$user_ids.")"; if ($socid > 0) $sql.= " AND t.fk_soc = ".$socid; // Insert sale filter diff --git a/htdocs/comm/action/list.php b/htdocs/comm/action/list.php index a200c6571b2..9221c7d2ede 100644 --- a/htdocs/comm/action/list.php +++ b/htdocs/comm/action/list.php @@ -234,7 +234,7 @@ $sql.= ' a.fk_user_author,a.fk_user_action,'; $sql.= " a.fk_contact, a.note, a.percent as percent,"; $sql.= " a.fk_element, a.elementtype,"; $sql.= " c.code as type_code, c.libelle as type_label,"; -$sql.= " sp.lastname, sp.firstname"; +$sql.= " sp.lastname, sp.firstname, sp.email, sp.phone, sp.address, sp.phone as phone_pro, sp.phone_mobile, sp.phone_perso, sp.fk_pays as country_id"; // Add fields from extrafields foreach ($extrafields->attribute_label as $key => $val) $sql.=($extrafields->attribute_type[$key] != 'separate' ? ",ef.".$key.' as options_'.$key : ''); $sql.= " FROM ".MAIN_DB_PREFIX."actioncomm as a"; @@ -602,9 +602,14 @@ if ($resql) print '\n"; print "\n"; -print ''; -print ''; -print ''; +print ''; +print ''; +print ''; print "
'.$langs->transcountry("LocalTax1Management",$mysoc->country_code).''.$langs->trans("Description").''.$langs->transcountry("LocalTax1Management",$mysoc->country_code).''.$langs->trans("Description").' 
'; if ($obj->fk_contact > 0) { + $contactstatic->id=$obj->fk_contact; + $contactstatic->email=$obj->email; $contactstatic->lastname=$obj->lastname; $contactstatic->firstname=$obj->firstname; - $contactstatic->id=$obj->fk_contact; + $contactstatic->phone_pro=$obj->phone_pro; + $contactstatic->phone_mobile=$obj->phone_mobile; + $contactstatic->phone_perso=$obj->phone_perso; + $contactstatic->country_id=$obj->country_id; print $contactstatic->getNomUrl(1,'',28); } else diff --git a/htdocs/compta/bank/transfer.php b/htdocs/compta/bank/transfer.php index 61a4f524a1a..e50d4822da7 100644 --- a/htdocs/compta/bank/transfer.php +++ b/htdocs/compta/bank/transfer.php @@ -49,8 +49,8 @@ if ($action == 'add') $dateo = dol_mktime(12,0,0,GETPOST('remonth','int'),GETPOST('reday','int'),GETPOST('reyear','int')); $label = GETPOST('label','alpha'); - $amount= GETPOST('amount'); - $amountto= GETPOST('amountto'); + $amount= GETPOST('amount','alpha'); + $amountto= GETPOST('amountto','alpha'); if (! $label) { @@ -125,7 +125,7 @@ if ($action == 'add') if (! $error) { - $mesgs = $langs->trans("TransferFromToDone",''.$accountfrom->label."",''.$accountto->label."",$amount,$langs->transnoentities("Currency".$conf->currency)); + $mesgs = $langs->trans("TransferFromToDone", ''.$accountfrom->label."", ''.$accountto->label."", $amount, $langs->transnoentities("Currency".$conf->currency)); setEventMessages($mesgs, null, 'mesgs'); $db->commit(); } @@ -153,6 +153,12 @@ llxHeader(); print ' '; @@ -210,12 +218,12 @@ $account_to=''; $label=''; $amount=''; -if($error) +if ($error) { $account_from = GETPOST('account_from','int'); $account_to = GETPOST('account_to','int'); $label = GETPOST('label','alpha'); - $amount = GETPOST('amount','int'); + $amount = GETPOST('amount','alpha'); } print load_fiche_titre($langs->trans("MenuBankInternalTransfer"), '', 'title_bank.png'); @@ -246,9 +254,9 @@ print ""; $form->select_date((! empty($dateo)?$dateo:''),'','','','','add'); print "
"; diff --git a/htdocs/contact/card.php b/htdocs/contact/card.php index 7d024e6f096..560acabaee9 100644 --- a/htdocs/contact/card.php +++ b/htdocs/contact/card.php @@ -176,26 +176,26 @@ if (empty($reshook)) $object->entity = (GETPOSTISSET('entity')?GETPOST('entity', 'int'):$conf->entity); $object->socid = GETPOST("socid",'int'); - $object->lastname = GETPOST("lastname"); - $object->firstname = GETPOST("firstname"); - $object->civility_id = GETPOST("civility_id",'alpha'); - $object->poste = GETPOST("poste"); - $object->address = GETPOST("address"); - $object->zip = GETPOST("zipcode"); - $object->town = GETPOST("town"); + $object->lastname = GETPOST("lastname",'alpha'); + $object->firstname = GETPOST("firstname",'alpha'); + $object->civility_id = GETPOST("civility_id",'alpha'); + $object->poste = GETPOST("poste",'alpha'); + $object->address = GETPOST("address",'alpha'); + $object->zip = GETPOST("zipcode",'alpha'); + $object->town = GETPOST("town",'alpha'); $object->country_id = GETPOST("country_id",'int'); $object->state_id = GETPOST("state_id",'int'); - $object->skype = GETPOST("skype"); + $object->skype = GETPOST("skype",'alpha'); $object->email = GETPOST("email",'alpha'); - $object->phone_pro = GETPOST("phone_pro"); - $object->phone_perso = GETPOST("phone_perso"); - $object->phone_mobile = GETPOST("phone_mobile"); - $object->fax = GETPOST("fax"); + $object->phone_pro = GETPOST("phone_pro",'alpha'); + $object->phone_perso = GETPOST("phone_perso",'alpha'); + $object->phone_mobile = GETPOST("phone_mobile",'alpha'); + $object->fax = GETPOST("fax",'alpha'); $object->jabberid = GETPOST("jabberid",'alpha'); $object->no_email = GETPOST("no_email",'int'); $object->priv = GETPOST("priv",'int'); - $object->note_public = GETPOST("note_public"); - $object->note_private = GETPOST("note_private"); + $object->note_public = GETPOST("note_public",'none'); + $object->note_private = GETPOST("note_private",'none'); $object->statut = 1; //Defult status to Actif // Note: Correct date should be completed with location to have exact GM time of birth. @@ -340,33 +340,33 @@ if (empty($reshook)) $object->oldcopy = clone $object; - $object->old_lastname = GETPOST("old_lastname"); - $object->old_firstname = GETPOST("old_firstname"); + $object->old_lastname = GETPOST("old_lastname",'alpha'); + $object->old_firstname = GETPOST("old_firstname",'alpha'); $object->socid = GETPOST("socid",'int'); - $object->lastname = GETPOST("lastname"); - $object->firstname = GETPOST("firstname"); - $object->civility_id = GETPOST("civility_id",'alpha'); - $object->poste = GETPOST("poste"); + $object->lastname = GETPOST("lastname",'alpha'); + $object->firstname = GETPOST("firstname",'alpha'); + $object->civility_id = GETPOST("civility_id",'alpha'); + $object->poste = GETPOST("poste",'alpha'); - $object->address = GETPOST("address"); - $object->zip = GETPOST("zipcode"); - $object->town = GETPOST("town"); - $object->state_id = GETPOST("state_id",'int'); + $object->address = GETPOST("address",'alpha'); + $object->zip = GETPOST("zipcode",'alpha'); + $object->town = GETPOST("town",'alpha'); + $object->state_id = GETPOST("state_id",'int'); $object->fk_departement = GETPOST("state_id",'int'); // For backward compatibility $object->country_id = GETPOST("country_id",'int'); $object->email = GETPOST("email",'alpha'); $object->skype = GETPOST("skype",'alpha'); - $object->phone_pro = GETPOST("phone_pro"); - $object->phone_perso = GETPOST("phone_perso"); - $object->phone_mobile = GETPOST("phone_mobile"); - $object->fax = GETPOST("fax"); + $object->phone_pro = GETPOST("phone_pro",'alpha'); + $object->phone_perso = GETPOST("phone_perso",'alpha'); + $object->phone_mobile = GETPOST("phone_mobile",'alpha'); + $object->fax = GETPOST("fax",'alpha'); $object->jabberid = GETPOST("jabberid",'alpha'); $object->no_email = GETPOST("no_email",'int'); $object->priv = GETPOST("priv",'int'); - $object->note_public = GETPOST("note_public"); - $object->note_private = GETPOST("note_private"); + $object->note_public = GETPOST("note_public",'none'); + $object->note_private = GETPOST("note_private",'none'); // Fill array 'array_options' with data from add form $ret = $extrafields->setOptionalsFromPost($extralabels,$object); @@ -541,9 +541,9 @@ else // Name print ''; - print 'lastname).'" autofocus="autofocus">'; + print 'lastname).'" autofocus="autofocus">'; print ''; - print 'firstname).'">'; + print 'firstname).'">'; // Company if (empty($conf->global->SOCIETE_DISABLE_CONTACTS)) @@ -595,8 +595,8 @@ else if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->zip)) == 0) $object->zip = $objsoc->zip; // Predefined with third party if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->town)) == 0) $object->town = $objsoc->town; // Predefined with third party print ' / '; - print $formcompany->select_ziptown((GETPOST("zipcode")?GETPOST("zipcode"):$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6).' '; - print $formcompany->select_ziptown((GETPOST("town")?GETPOST("town"):$object->town),'town',array('zipcode','selectcountry_id','state_id')); + print $formcompany->select_ziptown((GETPOST("zipcode",'alpha')?GETPOST("zipcode",'alpha'):$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6).' '; + print $formcompany->select_ziptown((GETPOST("town",'alpha')?GETPOST("town",'alpha'):$object->town),'town',array('zipcode','selectcountry_id','state_id')); print ''; // Country @@ -644,7 +644,7 @@ else // EMail if (($objsoc->typent_code == 'TE_PRIVATE' || ! empty($conf->global->CONTACT_USE_COMPANY_ADDRESS)) && dol_strlen(trim($object->email)) == 0) $object->email = $objsoc->email; // Predefined with third party print ''; - print 'email).'">'; + print 'email).'">'; if (! empty($conf->mailing->enabled)) { print ''; @@ -658,13 +658,13 @@ else // Instant message and no email print ''; - print 'jabberid).'">'; + print 'jabberid).'">'; // Skype if (! empty($conf->skype->enabled)) { print ''; - print 'skype).'">'; + print 'skype).'">'; } // Visibility diff --git a/htdocs/core/actions_linkedfiles.inc.php b/htdocs/core/actions_linkedfiles.inc.php index 6e5ac327e9b..297f7821599 100644 --- a/htdocs/core/actions_linkedfiles.inc.php +++ b/htdocs/core/actions_linkedfiles.inc.php @@ -27,7 +27,7 @@ // Submit file/link -if (GETPOST('sendit','none') && ! empty($conf->global->MAIN_UPLOAD_DOC)) +if (GETPOST('sendit','alpha') && ! empty($conf->global->MAIN_UPLOAD_DOC)) { if (! empty($_FILES)) { diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index 538fa9defa6..a1b9c2d2c2c 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -545,10 +545,10 @@ function GETPOST($paramname, $check='none', $method=0, $filter=NULL, $options=NU case 'array': if (! is_array($out) || empty($out)) $out=array(); break; - case 'nohtml': + case 'nohtml': // Recommended for most scalar parameters $out=dol_string_nohtmltag($out, 0); break; - case 'alphanohtml': // Recommended for search params + case 'alphanohtml': // Recommended for search parameters if (! is_array($out)) { $out=trim($out); diff --git a/htdocs/expensereport/list.php b/htdocs/expensereport/list.php index 54565932521..2944220458d 100644 --- a/htdocs/expensereport/list.php +++ b/htdocs/expensereport/list.php @@ -73,7 +73,7 @@ $search_user = GETPOST('search_user','int'); $search_amount_ht = GETPOST('search_amount_ht','alpha'); $search_amount_vat = GETPOST('search_amount_vat','alpha'); $search_amount_ttc = GETPOST('search_amount_ttc','alpha'); -$search_status = (GETPOST('search_status','alpha')!=''?GETPOST('search_status','alpha'):GETPOST('statut','alpha')); +$search_status = (GETPOST('search_status','intcomma')!=''?GETPOST('search_status','intcomma'):GETPOST('statut','intcomma')); $month_start = GETPOST("month_start","int"); $year_start = GETPOST("year_start","int"); $month_end = GETPOST("month_end","int"); @@ -304,11 +304,7 @@ if ($search_amount_ttc != '') $sql.= natural_search('d.total_ttc', $search_amoun // User if ($search_user != '' && $search_user >= 0) $sql.= " AND u.rowid = '".$db->escape($search_user)."'"; // Status -if ($search_status != '' && $search_status >= 0) -{ - if (strstr($search_status, ',')) $sql.=" AND d.fk_statut IN (".$db->escape($search_status).")"; - else $sql.=" AND d.fk_statut = ".$search_status; -} +if ($search_status != '' && $search_status >= 0) $sql.=" AND d.fk_statut IN (".$db->escape($search_status).")"; // RESTRICT RIGHTS if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous) && (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || empty($user->rights->expensereport->writeall_advance))) diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php index 0637afe8ff1..3ba0089070c 100644 --- a/htdocs/filefunc.inc.php +++ b/htdocs/filefunc.inc.php @@ -151,13 +151,23 @@ if (empty($dolibarr_strict_mode)) $dolibarr_strict_mode=0; // For debug in php s // Note about $_SERVER[HTTP_HOST/SERVER_NAME]: http://shiflett.org/blog/2006/mar/server-name-versus-http-host if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck)) { - if (! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST']) - && (empty($_SERVER['HTTP_REFERER']) || ! preg_match('/'.preg_quote($_SERVER['HTTP_HOST'],'/').'/i', $_SERVER['HTTP_REFERER']))) + if (! empty($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] != 'GET' && ! empty($_SERVER['HTTP_HOST'])) { - //print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_POST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER']; - print "Access refused by CSRF protection in main.inc.php. Referer of form is outside server that serve the POST.\n"; - print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n"; - die; + $csrfattack=false; + if (empty($_SERVER['HTTP_REFERER'])) $csrfattack=true; // An evil browser was used + else + { + $tmpa=parse_url($_SERVER['HTTP_HOST']); + $tmpb=parse_url($_SERVER['HTTP_REFERER']); + if ((empty($tmpa['host'])?$tmpa['path']:$tmpa['host']) != (empty($tmpb['host'])?$tmpb['path']:$tmpb['host'])) $csrfattack=true; + } + if ($csrfattack) + { + //print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_HOST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER']; + print "Access refused by CSRF protection in main.inc.php. Referer of form is outside server that serve the POST.\n"; + print "If you access your server behind a proxy using url rewriting, you might check that all HTTP header is propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file).\n"; + die; + } } // Another test is done later on token if option MAIN_SECURITY_CSRF_WITH_TOKEN is on. } diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php index cc5bb9bb55b..3397e6fced8 100644 --- a/htdocs/holiday/list.php +++ b/htdocs/holiday/list.php @@ -85,7 +85,7 @@ if (! $sortorder) $sortorder="DESC"; $sall = trim((GETPOST('search_all', 'alphanohtml')!='')?GETPOST('search_all', 'alphanohtml'):GETPOST('sall', 'alphanohtml')); -$search_ref = GETPOST('search_ref','alpha'); +$search_ref = GETPOST('search_ref','alphanohtml'); $search_day_create = GETPOST('search_day_create','int'); $search_month_create = GETPOST('search_month_create','int'); $search_year_create = GETPOST('search_year_create','int'); @@ -185,7 +185,7 @@ $order = $db->order($sortfield,$sortorder).$db->plimit($limit + 1, $offset); // Ref if(!empty($search_ref)) { - $filter.= " AND cp.rowid = ".$db->escape($search_ref); + $filter.= " AND cp.rowid = ".(int) $db->escape($search_ref); } // Start date diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 0289fed4e14..168de0c8f57 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -73,7 +73,7 @@ if (function_exists('get_magic_quotes_gpc')) // magic_quotes_* deprecated in PHP * * @param string $val Value * @param string $type 1=GET, 0=POST, 2=PHP_SELF - * @return int >0 if there is an injection + * @return int >0 if there is an injection, 0 if none */ function test_sql_and_script_inject($val, $type) { @@ -101,6 +101,7 @@ function test_sql_and_script_inject($val, $type) // More on https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet $inj += preg_match('/