diff --git a/ChangeLog b/ChangeLog index c64bec0d881..69005b0c492 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,10 @@ English Dolibarr ChangeLog ***** ChangeLog for 7.0.0 compared to 6.0.* ***** +For developers: +NEW: Add hook addAdminLdapOptions and doAction in ldap admin page +NEW: complete_head_from_modules() in ldap_prepare_head() + WARNING: Following changes may create regression for some external modules, but were necessary to make Dolibarr better: diff --git a/htdocs/accountancy/admin/account.php b/htdocs/accountancy/admin/account.php index acd9eba2c9d..5c4e836986e 100644 --- a/htdocs/accountancy/admin/account.php +++ b/htdocs/accountancy/admin/account.php @@ -37,7 +37,7 @@ $langs->load("salaries"); $mesg = ''; $action = GETPOST('action','aZ09'); -$cancel = GETPOST('cancel'); +$cancel = GETPOST('cancel','alpha'); $id = GETPOST('id', 'int'); $rowid = GETPOST('rowid', 'int'); @@ -84,8 +84,8 @@ $contextpage=GETPOST('contextpage','aZ')?GETPOST('contextpage','aZ'):'accounting * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction')) { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha')) { $massaction=''; } $parameters=array(); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/accountancy/admin/card.php b/htdocs/accountancy/admin/card.php index ef707bbc43a..79a8a531ec9 100644 --- a/htdocs/accountancy/admin/card.php +++ b/htdocs/accountancy/admin/card.php @@ -37,10 +37,10 @@ $langs->load("accountancy"); $mesg = ''; $action = GETPOST('action','aZ09'); -$backtopage = GETPOST('backtopage'); +$backtopage = GETPOST('backtopage','alpha'); $id = GETPOST('id', 'int'); $rowid = GETPOST('rowid', 'int'); -$cancel = GETPOST('cancel'); +$cancel = GETPOST('cancel','alpha'); // Security check @@ -52,7 +52,7 @@ $object = new AccountingAccount($db); * Action */ -if (GETPOST('cancel')) +if (GETPOST('cancel','alpha')) { $urltogo=$backtopage?$backtopage:dol_buildpath('/accountancy/admin/account.php',1); header("Location: ".$urltogo); diff --git a/htdocs/accountancy/admin/categories.php b/htdocs/accountancy/admin/categories.php index ec2602568fb..b281078a6bf 100644 --- a/htdocs/accountancy/admin/categories.php +++ b/htdocs/accountancy/admin/categories.php @@ -35,7 +35,7 @@ $langs->load("accountancy"); $mesg = ''; $id = GETPOST('id', 'int'); $rowid = GETPOST('rowid', 'int'); -$cancel = GETPOST('cancel'); +$cancel = GETPOST('cancel','alpha'); $action = GETPOST('action','aZ09'); $cat_id = GETPOST('account_category'); $selectcpt = GETPOST('cpt_bk', 'array'); diff --git a/htdocs/accountancy/admin/fiscalyear_card.php b/htdocs/accountancy/admin/fiscalyear_card.php index 420246411c8..78c6510469b 100644 --- a/htdocs/accountancy/admin/fiscalyear_card.php +++ b/htdocs/accountancy/admin/fiscalyear_card.php @@ -20,6 +20,7 @@ * \ingroup Advanced accountancy * \brief Page to show a fiscal year */ + require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT . '/core/lib/fiscalyear.lib.php'; diff --git a/htdocs/accountancy/admin/productaccount.php b/htdocs/accountancy/admin/productaccount.php index ec77bde58b1..bebca87404c 100644 --- a/htdocs/accountancy/admin/productaccount.php +++ b/htdocs/accountancy/admin/productaccount.php @@ -90,8 +90,8 @@ $arrayfields=array(); * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } $parameters=array(); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/accountancy/bookkeeping/list.php b/htdocs/accountancy/bookkeeping/list.php index 0bb24f116d3..c87b906f45e 100644 --- a/htdocs/accountancy/bookkeeping/list.php +++ b/htdocs/accountancy/bookkeeping/list.php @@ -108,8 +108,8 @@ if ($action != 'export_file' && ! isset($_POST['begin']) && ! isset($_GET['begin * Action */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } if (GETPOST('button_removefilter_x','alpha') || GETPOST('button_removefilter.x','alpha') || GETPOST('button_removefilter','alpha')) // All tests are required to be compatible with all browsers { diff --git a/htdocs/accountancy/class/accountancysystem.class.php b/htdocs/accountancy/class/accountancysystem.class.php index 68beff8d043..f14a3e7f761 100644 --- a/htdocs/accountancy/class/accountancysystem.class.php +++ b/htdocs/accountancy/class/accountancysystem.class.php @@ -107,7 +107,7 @@ class AccountancySystem $sql = "INSERT INTO " . MAIN_DB_PREFIX . "accounting_system"; $sql .= " (date_creation, fk_user_author, numero, label)"; - $sql .= " VALUES ('" . $this->db->idate($now) . "'," . $user->id . ",'" . $this->numero . "','" . $this->label . "')"; + $sql .= " VALUES ('" . $this->db->idate($now) . "'," . $user->id . ",'" . $this->db->escape($this->numero) . "','" . $this->db->escape($this->label) . "')"; dol_syslog(get_class($this) . "::create sql=" . $sql, LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/accountancy/class/accountingaccount.class.php b/htdocs/accountancy/class/accountingaccount.class.php index 1dad83512e3..137c4f5fe37 100644 --- a/htdocs/accountancy/class/accountingaccount.class.php +++ b/htdocs/accountancy/class/accountingaccount.class.php @@ -47,7 +47,7 @@ class AccountingAccount extends CommonObject var $fk_user_modif; var $active; // duplicate with status var $status; - + /** * Constructor * @@ -56,7 +56,7 @@ class AccountingAccount extends CommonObject function __construct($db) { $this->db = $db; } - + /** * Load record in memory * @@ -67,7 +67,7 @@ class AccountingAccount extends CommonObject */ function fetch($rowid = null, $account_number = null, $limittocurrentchart = 0) { global $conf; - + if ($rowid || $account_number) { $sql = "SELECT a.rowid as rowid, a.datec, a.tms, a.fk_pcg_version, a.pcg_type, a.pcg_subtype, a.account_number, a.account_parent, a.label, a.fk_accounting_category, a.fk_user_author, a.fk_user_modif, a.active"; $sql .= ", ca.label as category_label"; @@ -87,7 +87,7 @@ class AccountingAccount extends CommonObject $result = $this->db->query($sql); if ($result) { $obj = $this->db->fetch_object($result); - + if ($obj) { $this->id = $obj->rowid; $this->rowid = $obj->rowid; @@ -105,7 +105,7 @@ class AccountingAccount extends CommonObject $this->fk_user_modif = $obj->fk_user_modif; $this->active = $obj->active; $this->status = $obj->active; - + return $this->id; } else { return 0; @@ -117,7 +117,7 @@ class AccountingAccount extends CommonObject } return - 1; } - + /** * Insert new accounting account in chart of accounts * @@ -129,7 +129,7 @@ class AccountingAccount extends CommonObject global $conf; $error = 0; $now = dol_now(); - + // Clean parameters if (isset($this->fk_pcg_version)) $this->fk_pcg_version = trim($this->fk_pcg_version); @@ -149,7 +149,7 @@ class AccountingAccount extends CommonObject $this->fk_user_author = trim($this->fk_user_author); if (isset($this->active)) $this->active = trim($this->active); - + if (empty($this->pcg_type) || $this->pcg_type == '-1') { $this->pcg_type = 'XXXXXX'; @@ -160,7 +160,7 @@ class AccountingAccount extends CommonObject } // Check parameters // Put here code to add control on parameters values - + // Insert request $sql = "INSERT INTO " . MAIN_DB_PREFIX . "accounting_account("; $sql .= "datec"; @@ -179,31 +179,31 @@ class AccountingAccount extends CommonObject $sql .= ", " . $conf->entity; $sql .= ", " . (empty($this->fk_pcg_version) ? 'NULL' : "'" . $this->db->escape($this->fk_pcg_version) . "'"); $sql .= ", " . (empty($this->pcg_type) ? 'NULL' : "'" . $this->db->escape($this->pcg_type) . "'"); - $sql .= ", " . (empty($this->pcg_subtype) ? 'NULL' : "'" . $this->pcg_subtype . "'"); - $sql .= ", " . (empty($this->account_number) ? 'NULL' : "'" . $this->account_number . "'"); + $sql .= ", " . (empty($this->pcg_subtype) ? 'NULL' : "'" . $this->db->escape($this->pcg_subtype) . "'"); + $sql .= ", " . (empty($this->account_number) ? 'NULL' : "'" . $this->db->escape($this->account_number) . "'"); $sql .= ", " . (empty($this->account_parent) ? 'NULL' : "'" . $this->db->escape($this->account_parent) . "'"); $sql .= ", " . (empty($this->label) ? 'NULL' : "'" . $this->db->escape($this->label) . "'"); $sql .= ", " . (empty($this->account_category) ? 'NULL' : "'" . $this->db->escape($this->account_category) . "'"); $sql .= ", " . $user->id; $sql .= ", " . (! isset($this->active) ? 'NULL' : $this->db->escape($this->active)); $sql .= ")"; - + $this->db->begin(); - + dol_syslog(get_class($this) . "::create sql=" . $sql, LOG_DEBUG); $resql = $this->db->query($sql); if (! $resql) { $error ++; $this->errors[] = "Error " . $this->db->lasterror(); } - + if (! $error) { $this->id = $this->db->last_insert_id(MAIN_DB_PREFIX . "accounting_account"); - + // if (! $notrigger) { // Uncomment this and change MYOBJECT to your own tag if you // want this action calls a trigger. - + // // Call triggers // include_once DOL_DOCUMENT_ROOT . '/core/class/interfaces.class.php'; // $interface=new Interfaces($this->db); @@ -212,7 +212,7 @@ class AccountingAccount extends CommonObject // // End call triggers // } } - + // Commit or rollback if ($error) { foreach ( $this->errors as $errmsg ) { @@ -226,14 +226,14 @@ class AccountingAccount extends CommonObject return $this->id; } } - + /** * Update record * * @param User $user Use making update * @return int <0 if KO, >0 if OK */ - function update($user) + function update($user) { // Check parameters if (empty($this->pcg_type) || $this->pcg_type == '-1') @@ -244,9 +244,9 @@ class AccountingAccount extends CommonObject { $this->pcg_subtype = 'XXXXXX'; } - + $this->db->begin(); - + $sql = "UPDATE " . MAIN_DB_PREFIX . "accounting_account "; $sql .= " SET fk_pcg_version = " . ($this->fk_pcg_version ? "'" . $this->db->escape($this->fk_pcg_version) . "'" : "null"); $sql .= " , pcg_type = " . ($this->pcg_type ? "'" . $this->db->escape($this->pcg_type) . "'" : "null"); @@ -258,7 +258,7 @@ class AccountingAccount extends CommonObject $sql .= " , fk_user_modif = " . $user->id; $sql .= " , active = " . $this->active; $sql .= " WHERE rowid = " . $this->id; - + dol_syslog(get_class($this) . "::update sql=" . $sql, LOG_DEBUG); $result = $this->db->query($sql); if ($result) { @@ -270,7 +270,7 @@ class AccountingAccount extends CommonObject return - 1; } } - + /** * Check usage of accounting code * @@ -278,16 +278,16 @@ class AccountingAccount extends CommonObject */ function checkUsage() { global $langs; - + $sql = "(SELECT fk_code_ventilation FROM " . MAIN_DB_PREFIX . "facturedet"; $sql .= " WHERE fk_code_ventilation=" . $this->id . ")"; $sql .= "UNION"; $sql .= "(SELECT fk_code_ventilation FROM " . MAIN_DB_PREFIX . "facture_fourn_det"; $sql .= " WHERE fk_code_ventilation=" . $this->id . ")"; - + dol_syslog(get_class($this) . "::checkUsage sql=" . $sql, LOG_DEBUG); $resql = $this->db->query($sql); - + if ($resql) { $num = $this->db->num_rows($resql); if ($num > 0) { @@ -301,7 +301,7 @@ class AccountingAccount extends CommonObject return - 1; } } - + /** * Delete object in database * @@ -311,18 +311,18 @@ class AccountingAccount extends CommonObject */ function delete($user, $notrigger = 0) { $error = 0; - + $result = $this->checkUsage(); - + if ($result > 0) { - + $this->db->begin(); - + // if (! $error) { // if (! $notrigger) { // Uncomment this and change MYOBJECT to your own tag if you // want this action calls a trigger. - + // // Call triggers // include_once DOL_DOCUMENT_ROOT . '/core/class/interfaces.class.php'; // $interface=new Interfaces($this->db); @@ -331,11 +331,11 @@ class AccountingAccount extends CommonObject // // End call triggers // } // } - + if (! $error) { $sql = "DELETE FROM " . MAIN_DB_PREFIX . "accounting_account"; $sql .= " WHERE rowid=" . $this->id; - + dol_syslog(get_class($this) . "::delete sql=" . $sql); $resql = $this->db->query($sql); if (! $resql) { @@ -343,7 +343,7 @@ class AccountingAccount extends CommonObject $this->errors[] = "Error " . $this->db->lasterror(); } } - + // Commit or rollback if ($error) { foreach ( $this->errors as $errmsg ) { @@ -360,7 +360,7 @@ class AccountingAccount extends CommonObject return - 1; } } - + /** * Return clicable name (with picto eventually) * @@ -375,7 +375,7 @@ class AccountingAccount extends CommonObject { global $langs, $conf, $user; require_once DOL_DOCUMENT_ROOT.'/core/lib/accounting.lib.php'; - + if (! empty($conf->dol_no_mouse_hover)) $notooltip=1; // Force disable tooltips $result = ''; @@ -412,7 +412,7 @@ class AccountingAccount extends CommonObject { $linkstart = ''; $linkclose = ''; - $linkend = ''; + $linkend = ''; } $label_link = length_accountg($this->account_number); @@ -423,7 +423,7 @@ class AccountingAccount extends CommonObject if ($withpicto != 2) $result.=$linkstart . $label_link . $linkend; return $result; } - + /** * Information on record * @@ -434,10 +434,10 @@ class AccountingAccount extends CommonObject $sql = 'SELECT a.rowid, a.datec, a.fk_user_author, a.fk_user_modif, a.tms'; $sql .= ' FROM ' . MAIN_DB_PREFIX . 'accounting_account as a'; $sql .= ' WHERE a.rowid = ' . $id; - + dol_syslog(get_class($this) . '::info sql=' . $sql); $result = $this->db->query($sql); - + if ($result) { if ($this->db->num_rows($result)) { $obj = $this->db->fetch_object($result); @@ -460,7 +460,7 @@ class AccountingAccount extends CommonObject dol_print_error($this->db); } } - + /** * Account desactivate * @@ -469,17 +469,17 @@ class AccountingAccount extends CommonObject */ function account_desactivate($id) { $result = $this->checkUsage(); - + if ($result > 0) { $this->db->begin(); - + $sql = "UPDATE " . MAIN_DB_PREFIX . "accounting_account "; $sql .= "SET active = '0'"; $sql .= " WHERE rowid = " . $this->db->escape($id); - + dol_syslog(get_class($this) . "::desactivate sql=" . $sql, LOG_DEBUG); $result = $this->db->query($sql); - + if ($result) { $this->db->commit(); return 1; @@ -492,7 +492,7 @@ class AccountingAccount extends CommonObject return - 1; } } - + /** * Account activate * @@ -501,11 +501,11 @@ class AccountingAccount extends CommonObject */ function account_activate($id) { $this->db->begin(); - + $sql = "UPDATE " . MAIN_DB_PREFIX . "accounting_account "; $sql .= "SET active = '1'"; $sql .= " WHERE rowid = " . $this->db->escape($id); - + dol_syslog(get_class($this) . "::activate sql=" . $sql, LOG_DEBUG); $result = $this->db->query($sql); if ($result) { @@ -517,8 +517,8 @@ class AccountingAccount extends CommonObject return - 1; } } - - + + /** * Retourne le libelle du statut d'un user (actif, inactif) * @@ -529,7 +529,7 @@ class AccountingAccount extends CommonObject { return $this->LibStatut($this->status,$mode); } - + /** * Renvoi le libelle d'un statut donne * @@ -541,7 +541,7 @@ class AccountingAccount extends CommonObject { global $langs; $langs->load('users'); - + if ($mode == 0) { $prefix=''; diff --git a/htdocs/accountancy/customer/list.php b/htdocs/accountancy/customer/list.php index 0288ee872d7..51f62ecabf6 100644 --- a/htdocs/accountancy/customer/list.php +++ b/htdocs/accountancy/customer/list.php @@ -101,8 +101,8 @@ $aarowid_p = $accounting->fetch('', $conf->global->ACCOUNTING_PRODUCT_SOLD_ACCOU * Action */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } // Purge search criteria if (GETPOST('button_removefilter_x','alpha') || GETPOST('button_removefilter.x','alpha') || GETPOST('button_removefilter','alpha')) // All test are required to be compatible with all browsers diff --git a/htdocs/accountancy/expensereport/list.php b/htdocs/accountancy/expensereport/list.php index 6bf18f0da20..ee17976ca30 100644 --- a/htdocs/accountancy/expensereport/list.php +++ b/htdocs/accountancy/expensereport/list.php @@ -97,8 +97,8 @@ $accounting = new AccountingAccount($db); * Action */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } // Purge search criteria if (GETPOST('button_removefilter_x','alpha') || GETPOST('button_removefilter.x','alpha') || GETPOST('button_removefilter','alpha')) // All test are required to be compatible with all browsers diff --git a/htdocs/accountancy/index.php b/htdocs/accountancy/index.php index 304fbdc1af1..86026f69f09 100644 --- a/htdocs/accountancy/index.php +++ b/htdocs/accountancy/index.php @@ -87,8 +87,13 @@ print "
\n"; print "
\n"; $step++; -print img_picto('', 'puce').' '.$langs->trans("AccountancyAreaDescMisc", $step, ''.$langs->transnoentitiesnoconv("MenuAccountancy").'-'.$langs->transnoentitiesnoconv("Setup")."-".$langs->transnoentitiesnoconv("MenuDefaultAccounts").'')."\n"; +print img_picto('', 'puce').' '.$langs->trans("AccountancyAreaDescProd", $step, ''.$langs->transnoentitiesnoconv("MenuAccountancy").'-'.$langs->transnoentitiesnoconv("Setup")."-".$langs->transnoentitiesnoconv("MenuDefaultAccounts").''); print "
\n"; + +$step++; +print img_picto('', 'puce').' '.$langs->trans("AccountancyAreaDescBank", $step, ''.$langs->transnoentitiesnoconv("MenuAccountancy").'-'.$langs->transnoentitiesnoconv("Setup")."-".$langs->transnoentitiesnoconv("MenuBankAccounts").'')."\n"; +print "
\n"; + $step++; $textlink = ''.$langs->transnoentitiesnoconv("MenuAccountancy").'-'.$langs->transnoentitiesnoconv("Setup").'-'.$langs->transnoentitiesnoconv("MenuVatAccounts").''; print img_picto('', 'puce').' '.$langs->trans("AccountancyAreaDescVat", $step, $textlink); @@ -132,11 +137,6 @@ $step++; print img_picto('', 'puce').' '.$langs->trans("AccountancyAreaDescProd", $step, ''.$langs->transnoentitiesnoconv("MenuAccountancy").'-'.$langs->transnoentitiesnoconv("Setup")."-".$langs->transnoentitiesnoconv("ProductsBinding").''); print "
\n"; -$step++; -$textlink=''.$langs->transnoentitiesnoconv("MenuBankCash").''; -print img_picto('', 'puce').' '.$langs->trans("AccountancyAreaDescBank", $step, $textlink); -print "
\n"; - print '
'; diff --git a/htdocs/accountancy/supplier/list.php b/htdocs/accountancy/supplier/list.php index ba5ecfe6bb7..0ebf66f1215 100644 --- a/htdocs/accountancy/supplier/list.php +++ b/htdocs/accountancy/supplier/list.php @@ -102,8 +102,8 @@ $aarowid_p = $accounting->fetch('', $conf->global->ACCOUNTING_PRODUCT_BUY_ACCOUN * Action */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } // Purge search criteria if (GETPOST('button_removefilter_x','alpha') || GETPOST('button_removefilter.x','alpha') || GETPOST('button_removefilter','alpha')) // All test are required to be compatible with all browsers diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php index a7ffafcbb79..85665280275 100644 --- a/htdocs/adherents/class/adherent.class.php +++ b/htdocs/adherents/class/adherent.class.php @@ -325,10 +325,10 @@ class Adherent extends CommonObject $sql.= " '".$this->db->idate($this->datec)."'"; $sql.= ", ".($this->login?"'".$this->db->escape($this->login)."'":"null"); $sql.= ", ".($user->id>0?$user->id:"null"); // Can be null because member can be created by a guest or a script - $sql.= ", null, null, '".$this->morphy."'"; - $sql.= ", '".$this->typeid."'"; + $sql.= ", null, null, '".$this->db->escape($this->morphy)."'"; + $sql.= ", ".$this->typeid; $sql.= ", ".$conf->entity; - $sql.= ", ".(! empty($this->import_key) ? "'".$this->import_key."'":"null"); + $sql.= ", ".(! empty($this->import_key) ? "'".$this->db->escape($this->import_key)."'":"null"); $sql.= ")"; dol_syslog(get_class($this)."::create", LOG_DEBUG); @@ -447,17 +447,17 @@ class Adherent extends CommonObject $this->db->begin(); $sql = "UPDATE ".MAIN_DB_PREFIX."adherent SET"; - $sql.= " civility = ".(!is_null($this->civility_id)?"'".$this->civility_id."'":"null"); + $sql.= " civility = ".(!is_null($this->civility_id)?$this->db->escape($this->civility_id):"null"); $sql.= ", firstname = ".($this->firstname?"'".$this->db->escape($this->firstname)."'":"null"); $sql.= ", lastname=" .($this->lastname?"'".$this->db->escape($this->lastname)."'":"null"); $sql.= ", login=" .($this->login?"'".$this->db->escape($this->login)."'":"null"); $sql.= ", societe=" .($this->societe?"'".$this->db->escape($this->societe)."'":"null"); - $sql.= ", fk_soc=" .($this->fk_soc > 0?"'".$this->fk_soc."'":"null"); + $sql.= ", fk_soc=" .($this->fk_soc > 0?$this->db->escape($this->fk_soc):"null"); $sql.= ", address=" .($this->address?"'".$this->db->escape($this->address)."'":"null"); $sql.= ", zip=" .($this->zip?"'".$this->db->escape($this->zip)."'":"null"); $sql.= ", town=" .($this->town?"'".$this->db->escape($this->town)."'":"null"); - $sql.= ", country=".($this->country_id>0?"'".$this->country_id."'":"null"); - $sql.= ", state_id=".($this->state_id>0?"'".$this->state_id."'":"null"); + $sql.= ", country=".($this->country_id>0?$this->db->escape($this->country_id):"null"); + $sql.= ", state_id=".($this->state_id>0?$this->db->escape($this->state_id):"null"); $sql.= ", email='".$this->db->escape($this->email)."'"; $sql.= ", skype='".$this->db->escape($this->skype)."'"; $sql.= ", phone=" .($this->phone?"'".$this->db->escape($this->phone)."'":"null"); @@ -465,7 +465,7 @@ class Adherent extends CommonObject $sql.= ", phone_mobile=" .($this->phone_mobile?"'".$this->db->escape($this->phone_mobile)."'":"null"); $sql.= ", note_private=" .($this->note_private?"'".$this->db->escape($this->note_private)."'":"null"); $sql.= ", note_public=" .($this->note_public?"'".$this->db->escape($this->note_public)."'":"null"); - $sql.= ", photo=" .($this->photo?"'".$this->photo."'":"null"); + $sql.= ", photo=" .($this->photo?"'".$this->db->escape($this->photo)."'":"null"); $sql.= ", public='".$this->db->escape($this->public)."'"; $sql.= ", statut=" .$this->statut; $sql.= ", fk_adherent_type=".$this->typeid; diff --git a/htdocs/adherents/list.php b/htdocs/adherents/list.php index cf98099fb7a..3dc5439f47f 100644 --- a/htdocs/adherents/list.php +++ b/htdocs/adherents/list.php @@ -138,8 +138,8 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend' && $massaction != 'confirm_createbills') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend' && $massaction != 'confirm_createbills') { $massaction=''; } $parameters=array('socid'=>$socid); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/adherents/subscription/card.php b/htdocs/adherents/subscription/card.php index 5cd4704ae37..f86da6d8fcc 100644 --- a/htdocs/adherents/subscription/card.php +++ b/htdocs/adherents/subscription/card.php @@ -39,7 +39,7 @@ $errmsg=''; $action=GETPOST("action",'alpha'); $rowid=GETPOST("rowid","int")?GETPOST("rowid","int"):GETPOST("id","int"); $typeid=GETPOST("typeid","int"); -$cancel=GETPOST('cancel'); +$cancel=GETPOST('cancel','alpha'); $confirm=GETPOST('confirm'); if (! $user->rights->adherent->cotisation->lire) diff --git a/htdocs/adherents/subscription/list.php b/htdocs/adherents/subscription/list.php index 1fee5ac545c..4d22ec1f6a6 100644 --- a/htdocs/adherents/subscription/list.php +++ b/htdocs/adherents/subscription/list.php @@ -75,8 +75,8 @@ $result=restrictedArea($user,'adherent','','','cotisation'); * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend' && $massaction != 'confirm_createbills') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend' && $massaction != 'confirm_createbills') { $massaction=''; } $parameters=array('socid'=>$socid); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/admin/defaultvalues.php b/htdocs/admin/defaultvalues.php index 3565a2f5f20..b758506f8b5 100644 --- a/htdocs/admin/defaultvalues.php +++ b/htdocs/admin/defaultvalues.php @@ -69,8 +69,8 @@ $hookmanager->initHooks(array('admindefaultvalues','globaladmin')); * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } $parameters=array('socid'=>$socid); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/admin/dolistore/class/PSWebServiceLibrary.class.php b/htdocs/admin/dolistore/class/PSWebServiceLibrary.class.php index 4b8978462fb..85783ae197d 100644 --- a/htdocs/admin/dolistore/class/PSWebServiceLibrary.class.php +++ b/htdocs/admin/dolistore/class/PSWebServiceLibrary.class.php @@ -387,48 +387,6 @@ class PrestaShopWebservice self::checkStatusCode($request['status_code']);// check the response validity return self::parseXML($request['response']); } - - /** - * Delete (DELETE) a resource. - * Unique parameter must take :

- * 'resource' => Resource name
- * 'id' => ID or array which contains IDs of a resource(s) you want to delete

- * - * delete(array('resource' => 'orders', 'id' => 1)); - * // Following code will not be executed if an exception is thrown. - * echo 'Successfully deleted.'; - * } - * catch (PrestaShopWebserviceException $ex) - * { - * echo 'Error : '.$ex->getMessage(); - * } - * ?> - * - * @param array $options Array representing resource to delete. - * @return boolean true - */ - public function delete($options) - { - if (isset($options['url'])) - $url = $options['url']; - elseif (isset($options['resource']) && isset($options['id'])) - if (is_array($options['id'])) - $url = $this->url.'/api/'.$options['resource'].'/?id=['.implode(',', $options['id']).']'; - else - $url = $this->url.'/api/'.$options['resource'].'/'.$options['id']; - if (isset($options['id_shop'])) - $url .= '&id_shop='.$options['id_shop']; - if (isset($options['id_group_shop'])) - $url .= '&id_group_shop='.$options['id_group_shop']; - $request = self::executeRequest($url, array(CURLOPT_CUSTOMREQUEST => 'DELETE')); - self::checkStatusCode($request['status_code']);// check the response validity - return true; - } } /** diff --git a/htdocs/admin/ihm.php b/htdocs/admin/ihm.php index f764f40c054..56efe2b5d7d 100644 --- a/htdocs/admin/ihm.php +++ b/htdocs/admin/ihm.php @@ -55,7 +55,7 @@ if (! defined("MAIN_MOTD")) define("MAIN_MOTD",""); * Action */ -if (GETPOST('cancel')) +if (GETPOST('cancel','alpha')) { $action=''; } diff --git a/htdocs/admin/ldap.php b/htdocs/admin/ldap.php index dd084894b3d..d5720835f3c 100644 --- a/htdocs/admin/ldap.php +++ b/htdocs/admin/ldap.php @@ -1,10 +1,10 @@ - * Copyright (C) 2004 Sebastien Di Cintio - * Copyright (C) 2004 Benoit Mortier - * Copyright (C) 2005 Regis Houssin - * Copyright (C) 2006-2011 Laurent Destailleur - * Copyright (C) 2011-2013 Juanjo Menent +/* Copyright (C) 2004 Rodolphe Quiedeville + * Copyright (C) 2004 Sebastien Di Cintio + * Copyright (C) 2004 Benoit Mortier + * Copyright (C) 2005-2017 Regis Houssin + * Copyright (C) 2006-2011 Laurent Destailleur + * Copyright (C) 2011-2013 Juanjo Menent * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -34,46 +34,54 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/ldap.lib.php'; $langs->load("admin"); if (!$user->admin) - accessforbidden(); + accessforbidden(); - $action = GETPOST('action','aZ09'); +$action = GETPOST('action','aZ09'); + +// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context +$hookmanager->initHooks(array('adminldap','globaladmin')); /* * Actions */ -if ($action == 'setvalue' && $user->admin) +$parameters=array(); +$reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks +if ($reshook < 0) setEventMessages($hookmanager->error, $hookmanager->errors, 'errors'); + +if (empty($reshook)) { - $error=0; + if ($action == 'setvalue' && $user->admin) + { + $error=0; - $db->begin(); - if (! dolibarr_set_const($db, 'LDAP_SERVER_TYPE',GETPOST("type"),'chaine',0,'',$conf->entity)) $error++; - if (! dolibarr_set_const($db, 'LDAP_SERVER_PROTOCOLVERSION',GETPOST("LDAP_SERVER_PROTOCOLVERSION"),'chaine',0,'',$conf->entity)) $error++; - if (! dolibarr_set_const($db, 'LDAP_SERVER_HOST',GETPOST("host"),'chaine',0,'',$conf->entity)) $error++; - if (! dolibarr_set_const($db, 'LDAP_SERVER_HOST_SLAVE',GETPOST("slave"),'chaine',0,'',$conf->entity)) $error++; - if (! dolibarr_set_const($db, 'LDAP_SERVER_PORT',GETPOST("port"),'chaine',0,'',$conf->entity)) $error++; - if (! dolibarr_set_const($db, 'LDAP_SERVER_DN',GETPOST("dn"),'chaine',0,'',$conf->entity)) $error++; - if (! dolibarr_set_const($db, 'LDAP_ADMIN_DN',GETPOST("admin"),'chaine',0,'',$conf->entity)) $error++; - if (! dolibarr_set_const($db, 'LDAP_ADMIN_PASS',GETPOST("pass"),'chaine',0,'',$conf->entity)) $error++; - if (! dolibarr_set_const($db, 'LDAP_SERVER_USE_TLS',GETPOST("usetls"),'chaine',0,'',$conf->entity)) $error++; - if (! dolibarr_set_const($db, 'LDAP_SYNCHRO_ACTIVE',GETPOST("activesynchro"),'chaine',0,'',$conf->entity)) $error++; - if (! dolibarr_set_const($db, 'LDAP_CONTACT_ACTIVE',GETPOST("activecontact"),'chaine',0,'',$conf->entity)) $error++; - if (! dolibarr_set_const($db, 'LDAP_MEMBER_ACTIVE',GETPOST("activemembers"),'chaine',0,'',$conf->entity)) $error++; + $db->begin(); + if (! dolibarr_set_const($db, 'LDAP_SERVER_TYPE',GETPOST("type"),'chaine',0,'',$conf->entity)) $error++; + if (! dolibarr_set_const($db, 'LDAP_SERVER_PROTOCOLVERSION',GETPOST("LDAP_SERVER_PROTOCOLVERSION"),'chaine',0,'',$conf->entity)) $error++; + if (! dolibarr_set_const($db, 'LDAP_SERVER_HOST',GETPOST("host"),'chaine',0,'',$conf->entity)) $error++; + if (! dolibarr_set_const($db, 'LDAP_SERVER_HOST_SLAVE',GETPOST("slave"),'chaine',0,'',$conf->entity)) $error++; + if (! dolibarr_set_const($db, 'LDAP_SERVER_PORT',GETPOST("port"),'chaine',0,'',$conf->entity)) $error++; + if (! dolibarr_set_const($db, 'LDAP_SERVER_DN',GETPOST("dn"),'chaine',0,'',$conf->entity)) $error++; + if (! dolibarr_set_const($db, 'LDAP_ADMIN_DN',GETPOST("admin"),'chaine',0,'',$conf->entity)) $error++; + if (! dolibarr_set_const($db, 'LDAP_ADMIN_PASS',GETPOST("pass"),'chaine',0,'',$conf->entity)) $error++; + if (! dolibarr_set_const($db, 'LDAP_SERVER_USE_TLS',GETPOST("usetls"),'chaine',0,'',$conf->entity)) $error++; + if (! dolibarr_set_const($db, 'LDAP_SYNCHRO_ACTIVE',GETPOST("activesynchro"),'chaine',0,'',$conf->entity)) $error++; + if (! dolibarr_set_const($db, 'LDAP_CONTACT_ACTIVE',GETPOST("activecontact"),'chaine',0,'',$conf->entity)) $error++; + if (! dolibarr_set_const($db, 'LDAP_MEMBER_ACTIVE',GETPOST("activemembers"),'chaine',0,'',$conf->entity)) $error++; - if (! $error) - { - $db->commit(); - setEventMessages($langs->trans("SetupSaved"), null, 'mesgs'); - } - else - { - $db->rollback(); - dol_print_error($db); - } + if (! $error) + { + $db->commit(); + setEventMessages($langs->trans("SetupSaved"), null, 'mesgs'); + } + else + { + $db->rollback(); + dol_print_error($db); + } + } } - - /* * View */ @@ -149,6 +157,11 @@ if (! empty($conf->adherent->enabled)) print ''.$langs->trans("LDAPDnMemberActiveExample").''; } +// Fields from hook +$parameters=array(); +$reshook=$hookmanager->executeHooks('addAdminLdapOptions',$parameters); // Note that $action and $object may have been modified by hook +print $hookmanager->resPrint; + print ''; print ''.$langs->trans("Parameter").''; print ''.$langs->trans("Value").''; @@ -193,11 +206,11 @@ print ''.$langs->trans("LDAPServerExample").''; print ''.$langs->trans("LDAPServerPort").''; if (! empty($conf->global->LDAP_SERVER_PORT)) { - print ''; + print ''; } else { - print ''; + print ''; } print ''.$langs->trans("LDAPServerPortExample").''; diff --git a/htdocs/admin/mails_templates.php b/htdocs/admin/mails_templates.php index d4862e2a7b3..c9b8120bd0f 100644 --- a/htdocs/admin/mails_templates.php +++ b/htdocs/admin/mails_templates.php @@ -179,8 +179,8 @@ $id = 25; * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } $parameters=array(); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/admin/modules.php b/htdocs/admin/modules.php index 53c497c74fe..ce67595a0f7 100644 --- a/htdocs/admin/modules.php +++ b/htdocs/admin/modules.php @@ -51,9 +51,9 @@ $search_version=GETPOST('search_version','alpha'); // For dolistore search $options = array(); $options['per_page'] = 20; -$options['categorie'] = GETPOST('categorie', 'int') + 0; -$options['start'] = GETPOST('start', 'int') + 0; -$options['end'] = GETPOST('end', 'int') + 0; +$options['categorie'] = ((GETPOST('categorie', 'int')?GETPOST('categorie', 'int'):0) + 0); +$options['start'] = ((GETPOST('start', 'int')?GETPOST('start', 'int'):0) + 0); +$options['end'] = ((GETPOST('end', 'int')?GETPOST('end', 'int'):0) + 0); $options['search'] = GETPOST('search_keyword', 'alpha'); $dolistore = new Dolistore($options); diff --git a/htdocs/admin/translation.php b/htdocs/admin/translation.php index bffa9be01b6..e2d2db9e659 100644 --- a/htdocs/admin/translation.php +++ b/htdocs/admin/translation.php @@ -64,8 +64,8 @@ $hookmanager->initHooks(array('admintranslation','globaladmin')); * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } $parameters=array('socid'=>$socid); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/bookmarks/card.php b/htdocs/bookmarks/card.php index e9722669e7d..2c3b200b4e4 100644 --- a/htdocs/bookmarks/card.php +++ b/htdocs/bookmarks/card.php @@ -63,7 +63,7 @@ if ($action == 'add' || $action == 'addproduct' || $action == 'update') $error = 0; - if (GETPOST("cancel")) + if (GETPOST('cancel','alpha')) { if (empty($backtopage)) $backtopage=($urlsource?$urlsource:((! empty($url))?$url:DOL_URL_ROOT.'/bookmarks/list.php')); header("Location: ".$backtopage); diff --git a/htdocs/bookmarks/class/bookmark.class.php b/htdocs/bookmarks/class/bookmark.class.php index 55302e103f7..b72089e61b8 100644 --- a/htdocs/bookmarks/class/bookmark.class.php +++ b/htdocs/bookmarks/class/bookmark.class.php @@ -120,11 +120,11 @@ class Bookmark extends CommonObject $sql.= ",title,favicon,position"; $sql.= ",entity"; $sql.= ") VALUES ("; - $sql.= ($this->fk_user > 0?"'".$this->fk_user."'":"0").","; + $sql.= ($this->fk_user > 0 ? $this->fk_user:"0").","; $sql.= " '".$this->db->idate($now)."',"; - $sql.= " '".$this->url."', '".$this->target."',"; - $sql.= " '".$this->db->escape($this->title)."', '".$this->favicon."', '".$this->position."'"; - $sql.= ", '".$conf->entity."'"; + $sql.= " '".$this->db->escape($this->url)."', '".$this->db->escape($this->target)."',"; + $sql.= " '".$this->db->escape($this->title)."', '".$this->db->escape($this->favicon)."', '".$this->db->escape($this->position)."'"; + $sql.= ", ".$this->db->escape($conf->entity); $sql.= ")"; dol_syslog("Bookmark::update", LOG_DEBUG); @@ -168,7 +168,7 @@ class Bookmark extends CommonObject if (empty($this->position)) $this->position=0; $sql = "UPDATE ".MAIN_DB_PREFIX."bookmark"; - $sql.= " SET fk_user = ".($this->fk_user > 0?"'".$this->fk_user."'":"0"); + $sql.= " SET fk_user = ".($this->fk_user > 0 ? $this->fk_user :"0"); $sql.= " ,dateb = '".$this->db->idate($this->datec)."'"; $sql.= " ,url = '".$this->db->escape($this->url)."'"; $sql.= " ,target = '".$this->db->escape($this->target)."'"; diff --git a/htdocs/categories/class/categorie.class.php b/htdocs/categories/class/categorie.class.php index 7a1a3985dd9..5cbe56554dd 100644 --- a/htdocs/categories/class/categorie.class.php +++ b/htdocs/categories/class/categorie.class.php @@ -311,7 +311,7 @@ class Categorie extends CommonObject $sql.= " import_key,"; $sql.= " entity"; $sql.= ") VALUES ("; - $sql.= $this->fk_parent.","; + $sql.= $this->db->escape($this->fk_parent).","; $sql.= "'".$this->db->escape($this->label)."',"; $sql.= "'".$this->db->escape($this->description)."',"; $sql.= "'".$this->db->escape($this->color)."',"; @@ -319,10 +319,10 @@ class Categorie extends CommonObject { $sql.= ($this->socid != -1 ? $this->socid : 'null').","; } - $sql.= "'".$this->visible."',"; - $sql.= $type.","; + $sql.= "'".$this->db->escape($this->visible)."',"; + $sql.= $this->db->escape($type).","; $sql.= (! empty($this->import_key)?"'".$this->db->escape($this->import_key)."'":'null').","; - $sql.= $conf->entity; + $sql.= $this->db->escape($conf->entity); $sql.= ")"; $res = $this->db->query($sql); diff --git a/htdocs/categories/edit.php b/htdocs/categories/edit.php index 59bee88b75b..4ccd9116d74 100644 --- a/htdocs/categories/edit.php +++ b/htdocs/categories/edit.php @@ -36,7 +36,7 @@ $ref=GETPOST('ref'); $type=GETPOST('type'); $action=GETPOST('action','aZ09'); $confirm=GETPOST('confirm'); -$cancel=GETPOST('cancel'); +$cancel=GETPOST('cancel','alpha'); $socid=GETPOST('socid','int'); $label=GETPOST('label'); diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php index c337616ed41..b59d47adb9e 100644 --- a/htdocs/comm/action/class/actioncomm.class.php +++ b/htdocs/comm/action/class/actioncomm.class.php @@ -296,23 +296,23 @@ class ActionComm extends CommonObject $sql.= "elementtype,"; $sql.= "entity"; $sql.= ") VALUES ("; - $sql.= "'".$this->db->idate($now)."',"; - $sql.= (strval($this->datep)!=''?"'".$this->db->idate($this->datep)."'":"null").","; - $sql.= (strval($this->datef)!=''?"'".$this->db->idate($this->datef)."'":"null").","; - $sql.= ((isset($this->durationp) && $this->durationp >= 0 && $this->durationp != '')?"'".$this->durationp."'":"null").","; // deprecated + $sql.= "'".$this->db->idate($now)."', "; + $sql.= (strval($this->datep)!=''?"'".$this->db->idate($this->datep)."'":"null").", "; + $sql.= (strval($this->datef)!=''?"'".$this->db->idate($this->datef)."'":"null").", "; + $sql.= ((isset($this->durationp) && $this->durationp >= 0 && $this->durationp != '')?"'".$this->db->escape($this->durationp)."'":"null").", "; // deprecated $sql.= (isset($this->type_id)?$this->type_id:"null").","; - $sql.= (isset($this->type_code)?" '".$this->type_code."'":"null").","; - $sql.= ((isset($this->socid) && $this->socid > 0)?" '".$this->socid."'":"null").","; - $sql.= ((isset($this->fk_project) && $this->fk_project > 0)?" '".$this->fk_project."'":"null").","; - $sql.= " '".$this->db->escape($this->note)."',"; - $sql.= ((isset($this->contactid) && $this->contactid > 0)?"'".$this->contactid."'":"null").","; - $sql.= (isset($user->id) && $user->id > 0 ? "'".$user->id."'":"null").","; - $sql.= ($userownerid>0?"'".$userownerid."'":"null").","; - $sql.= ($userdoneid>0?"'".$userdoneid."'":"null").","; - $sql.= "'".$this->db->escape($this->label)."','".$this->percentage."','".$this->priority."','".$this->fulldayevent."','".$this->db->escape($this->location)."','".$this->punctual."',"; - $sql.= "'".$this->transparency."',"; - $sql.= (! empty($this->fk_element)?$this->fk_element:"null").","; - $sql.= (! empty($this->elementtype)?"'".$this->elementtype."'":"null").","; + $sql.= (isset($this->type_code)?" '".$this->db->escape($this->type_code)."'":"null").", "; + $sql.= ((isset($this->socid) && $this->socid > 0) ? $this->socid:"null").", "; + $sql.= ((isset($this->fk_project) && $this->fk_project > 0) ? $this->fk_project:"null").", "; + $sql.= " '".$this->db->escape($this->note)."', "; + $sql.= ((isset($this->contactid) && $this->contactid > 0) ? $this->contactid:"null").", "; + $sql.= (isset($user->id) && $user->id > 0 ? $user->id:"null").", "; + $sql.= ($userownerid>0 ? $userownerid:"null").", "; + $sql.= ($userdoneid>0 ? $userdoneid:"null").", "; + $sql.= "'".$this->db->escape($this->label)."','".$this->db->escape($this->percentage)."','".$this->db->escape($this->priority)."','".$this->db->escape($this->fulldayevent)."','".$this->db->escape($this->location)."','".$this->db->escape($this->punctual)."', "; + $sql.= "'".$this->db->escape($this->transparency)."', "; + $sql.= (! empty($this->fk_element)?$this->fk_element:"null").", "; + $sql.= (! empty($this->elementtype)?"'".$this->db->escape($this->elementtype)."'":"null").", "; $sql.= $conf->entity; $sql.= ")"; @@ -758,11 +758,11 @@ class ActionComm extends CommonObject $sql.= ", label = ".($this->label ? "'".$this->db->escape($this->label)."'":"null"); $sql.= ", datep = ".(strval($this->datep)!='' ? "'".$this->db->idate($this->datep)."'" : 'null'); $sql.= ", datep2 = ".(strval($this->datef)!='' ? "'".$this->db->idate($this->datef)."'" : 'null'); - $sql.= ", durationp = ".(isset($this->durationp) && $this->durationp >= 0 && $this->durationp != ''?"'".$this->durationp."'":"null"); // deprecated + $sql.= ", durationp = ".(isset($this->durationp) && $this->durationp >= 0 && $this->durationp != ''?"'".$this->db->escape($this->durationp)."'":"null"); // deprecated $sql.= ", note = ".($this->note ? "'".$this->db->escape($this->note)."'":"null"); - $sql.= ", fk_project =". ($this->fk_project > 0 ? "'".$this->fk_project."'":"null"); - $sql.= ", fk_soc =". ($socid > 0 ? "'".$socid."'":"null"); - $sql.= ", fk_contact =". ($contactid > 0 ? "'".$contactid."'":"null"); + $sql.= ", fk_project =". ($this->fk_project > 0 ? $this->fk_project:"null"); + $sql.= ", fk_soc =". ($socid > 0 ? $socid:"null"); + $sql.= ", fk_contact =". ($contactid > 0 ? $contactid:"null"); $sql.= ", priority = '".$this->db->escape($this->priority)."'"; $sql.= ", fulldayevent = '".$this->db->escape($this->fulldayevent)."'"; $sql.= ", location = ".($this->location ? "'".$this->db->escape($this->location)."'":"null"); @@ -770,8 +770,8 @@ class ActionComm extends CommonObject $sql.= ", fk_user_mod = ".$user->id; $sql.= ", fk_user_action=".($userownerid > 0 ? "'".$userownerid."'":"null"); $sql.= ", fk_user_done=".($userdoneid > 0 ? "'".$userdoneid."'":"null"); - if (! empty($this->fk_element)) $sql.= ", fk_element=".($this->fk_element?$this->fk_element:"null"); - if (! empty($this->elementtype)) $sql.= ", elementtype=".($this->elementtype?"'".$this->elementtype."'":"null"); + if (! empty($this->fk_element)) $sql.= ", fk_element=".($this->fk_element?$this->db->escape($this->fk_element):"null"); + if (! empty($this->elementtype)) $sql.= ", elementtype=".($this->elementtype?"'".$this->db->escape($this->elementtype)."'":"null"); $sql.= " WHERE id=".$this->id; dol_syslog(get_class($this)."::update", LOG_DEBUG); diff --git a/htdocs/comm/address.php b/htdocs/comm/address.php index 72e2dbadff4..6547f453b21 100644 --- a/htdocs/comm/address.php +++ b/htdocs/comm/address.php @@ -52,7 +52,7 @@ $object = new Address($db); */ // Cancel -if (GETPOST("cancel") && ! empty($backtopage)) +if (GETPOST('cancel','alpha') && ! empty($backtopage)) { header("Location: ".$backtopage); exit; diff --git a/htdocs/comm/card.php b/htdocs/comm/card.php index 376745c3d55..1b3d231382c 100644 --- a/htdocs/comm/card.php +++ b/htdocs/comm/card.php @@ -73,7 +73,7 @@ $pageprev = $page - 1; $pagenext = $page + 1; if (! $sortorder) $sortorder="ASC"; if (! $sortfield) $sortfield="nom"; -$cancelbutton = GETPOST('cancel'); +$cancelbutton = GETPOST('cancel','alpha'); $object = new Client($db); $extrafields = new ExtraFields($db); @@ -331,25 +331,27 @@ if ($id > 0) print ""; print ''; - // Compte bancaire par défaut - print ''; - print ''; - print '
'; - print $langs->trans('PaymentBankAccount'); - print ''; - if (($action != 'editbankaccount') && $user->rights->societe->creer) print 'id.'">'.img_edit($langs->trans('SetBankAccount'),1).'
'; - print ''; - if ($action == 'editbankaccount') + if (! empty($conf->banque->enabled)) { - $form->formSelectAccount($_SERVER['PHP_SELF'].'?socid='.$object->id,$object->fk_account,'fk_account',1); + // Compte bancaire par défaut + print ''; + print ''; + print '
'; + print $langs->trans('PaymentBankAccount'); + print ''; + if (($action != 'editbankaccount') && $user->rights->societe->creer) print 'id.'">'.img_edit($langs->trans('SetBankAccount'),1).'
'; + print ''; + if ($action == 'editbankaccount') + { + $form->formSelectAccount($_SERVER['PHP_SELF'].'?socid='.$object->id,$object->fk_account,'fk_account',1); + } + else + { + $form->formSelectAccount($_SERVER['PHP_SELF'].'?socid='.$object->id,$object->fk_account,'none'); + } + print ""; + print ''; } - else - { - $form->formSelectAccount($_SERVER['PHP_SELF'].'?socid='.$object->id,$object->fk_account,'none'); - } - print ""; - print ''; - // Relative discounts (Discounts-Drawbacks-Rebates) print ''; diff --git a/htdocs/comm/mailing/card.php b/htdocs/comm/mailing/card.php index 86a5504d409..b2b7e9cf5cf 100644 --- a/htdocs/comm/mailing/card.php +++ b/htdocs/comm/mailing/card.php @@ -189,8 +189,9 @@ if (empty($reshook)) while ($i < $num && $i < $conf->global->MAILING_LIMIT_SENDBYWEB) { - + // Here code is common with same loop ino mailing-send.php $res=1; + $now=dol_now(); $obj = $db->fetch_object($resql); @@ -222,6 +223,27 @@ if (empty($reshook)) '__CHECK_READ__' => '', '__UNSUBSCRIBE__' => ''.$langs->trans("MailUnsubcribe").'' ); + $onlinepaymentenabled = 0; + if (! empty($conf->paypal->enabled)) $onlinepaymentenabled++; + if (! empty($conf->paybox->enabled)) $onlinepaymentenabled++; + if (! empty($conf->stripe->enabled)) $onlinepaymentenabled++; + if ($onlinepaymentenabled && ! empty($conf->global->PAYMENT_SECURITY_TOKEN)) + { + $substitutionarray['__SECUREKEYPAYMENT__']=dol_hash($conf->global->PAYMENT_SECURITY_TOKEN, 2); + + if (empty($conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE)) $substitutionarray['__SECUREKEYPAYMENT_MEMBER__']=dol_hash($conf->global->PAYMENT_SECURITY_TOKEN, 2); + else $substitutionarray['__SECUREKEYPAYMENT_MEMBER__']=dol_hash($conf->global->PAYMENT_SECURITY_TOKEN . 'membersubscription' . $obj->source_id, 2); + + if (empty($conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE)) $substitutionarray['__SECUREKEYPAYMENT_ORDER__']=dol_hash($conf->global->PAYMENT_SECURITY_TOKEN, 2); + else $substitutionarray['__SECUREKEYPAYMENT_ORDER__']=dol_hash($conf->global->PAYMENT_SECURITY_TOKEN . 'order' . $obj->source_id, 2); + + if (empty($conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE)) $substitutionarray['__SECUREKEYPAYMENT_INVOICE__']=dol_hash($conf->global->PAYMENT_SECURITY_TOKEN, 2); + else $substitutionarray['__SECUREKEYPAYMENT_INVOICE__']=dol_hash($conf->global->PAYMENT_SECURITY_TOKEN . 'invoice' . $obj->source_id, 2); + + if (empty($conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE)) $substitutionarray['__SECUREKEYPAYMENT_CONTRACTLINE__']=dol_hash($conf->global->PAYMENT_SECURITY_TOKEN, 2); + else $substitutionarray['__SECUREKEYPAYMENT_CONTRACTLINE__']=dol_hash($conf->global->PAYMENT_SECURITY_TOKEN . 'contractline' . $obj->source_id, 2); + } + /* For backward compatibility */ if (! empty($conf->paypal->enabled) && ! empty($conf->global->PAYPAL_SECURITY_TOKEN)) { $substitutionarray['__SECUREKEYPAYPAL__']=dol_hash($conf->global->PAYPAL_SECURITY_TOKEN, 2); @@ -738,7 +760,7 @@ if ($action == 'create') print ''; print ''; print ''; print '
'.$langs->trans("MailTopic").'
'.$langs->trans("BackgroundColorByDefault").''; - print $htmlother->selectColor($_POST['bgcolor'],'bgcolor','new_mailing',0); + print $htmlother->selectColor($_POST['bgcolor'],'bgcolor','',0); print '
'; @@ -930,7 +952,7 @@ else * Boutons d'action */ - if (GETPOST("cancel") || $confirm=='no' || $action == '' || in_array($action,array('settodraft', 'valid','delete','sendall','clone'))) + if (GETPOST('cancel','alpha') || $confirm=='no' || $action == '' || in_array($action,array('settodraft', 'valid','delete','sendall','clone'))) { print "\n\n
\n"; @@ -941,7 +963,14 @@ else if (($object->statut == 0 || $object->statut == 1) && $user->rights->mailing->creer) { - print ''.$langs->trans("EditWithEditor").''; + if (! empty($conf->fckeditor->enabled) && ! empty($conf->global->FCKEDITOR_ENABLE_MAILING)) + { + print ''.$langs->trans("EditWithEditor").''; + } + else + { + print ''.$langs->trans("EditWithTextEditor").''; + } if (! empty($conf->use_javascript_ajax)) print ''.$langs->trans("EditHTMLSource").''; } @@ -1091,19 +1120,19 @@ else // Background color /*print ''.$langs->trans("BackgroundColorByDefault").''; - print $htmlother->selectColor($object->bgcolor,'bgcolor','edit_mailing',0); + print $htmlother->selectColor($object->bgcolor,'bgcolor','',0); print '';*/ print ''; // Message - print '
'; - if (empty($object->bgcolor) || strtolower($object->bgcolor) == 'ffffff') + print '
'; + if (empty($object->bgcolor) || strtolower($object->bgcolor) == 'ffffff') // CKEditor does not apply the color of the div into its content area { $readonly=1; // Editeur wysiwyg require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php'; - $doleditor=new DolEditor('bodyemail',$object->body,'',600,'dolibarr_mailings','',false,true,empty($conf->global->FCKEDITOR_ENABLE_MAILING)?0:1,20,120,$readonly); + $doleditor=new DolEditor('bodyemail',$object->body,'',600,'dolibarr_mailings','',false,true,empty($conf->global->FCKEDITOR_ENABLE_MAILING)?0:1,20,'90%',$readonly); $doleditor->Create(); } else print dol_htmlentitiesbr($object->body); @@ -1245,7 +1274,7 @@ else // Background color print ''.$langs->trans("BackgroundColorByDefault").''; - print $htmlother->selectColor($object->bgcolor,'bgcolor','edit_mailing',0); + print $htmlother->selectColor($object->bgcolor,'bgcolor','',0); print ''; print ''; diff --git a/htdocs/comm/mailing/class/advtargetemailing.class.php b/htdocs/comm/mailing/class/advtargetemailing.class.php index ea2569b863e..b8f5bddc4e3 100644 --- a/htdocs/comm/mailing/class/advtargetemailing.class.php +++ b/htdocs/comm/mailing/class/advtargetemailing.class.php @@ -121,7 +121,7 @@ class AdvanceTargetingMailing extends CommonObject $sql.= " ".(! isset($this->name)?'NULL':"'".$this->db->escape($this->name)."'").","; $sql.= " ".$conf->entity.","; - $sql.= " ".(! isset($this->fk_mailing)?'NULL':"'".$this->fk_mailing."'").","; + $sql.= " ".(! isset($this->fk_mailing)?'NULL':"'".$this->db->escape($this->fk_mailing)."'").","; $sql.= " ".(! isset($this->filtervalue)?'NULL':"'".$this->db->escape($this->filtervalue)."'").","; $sql.= " ".$user->id.","; $sql.= " '".$this->db->idate(dol_now())."',"; @@ -658,7 +658,7 @@ class AdvanceTargetingMailing extends CommonObject $sqlwhere[]= " (t.datec >= '".$this->db->idate($arrayquery['contact_create_st_dt'])."' AND t.datec <= '".$this->db->idate($arrayquery['contact_create_end_dt'])."')"; } if (!empty($arrayquery['contact_categ']) && count($arrayquery['contact_categ'])>0) { - $sqlwhere[]= " (contactcateg.fk_categorie IN (".$db->escape(implode(",",$arrayquery['contact_categ']))."))"; + $sqlwhere[]= " (contactcateg.fk_categorie IN (".$this->db->escape(implode(",",$arrayquery['contact_categ']))."))"; } //Standard Extrafield feature diff --git a/htdocs/comm/propal/card.php b/htdocs/comm/propal/card.php index 49bab4faa71..7987555e569 100644 --- a/htdocs/comm/propal/card.php +++ b/htdocs/comm/propal/card.php @@ -602,7 +602,7 @@ if (empty($reshook)) } // Close proposal - else if ($action == 'setstatut' && $user->rights->propal->cloturer && ! GETPOST('cancel')) + else if ($action == 'setstatut' && $user->rights->propal->cloturer && ! GETPOST('cancel','alpha')) { if (! GETPOST('statut')) { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentitiesnoconv("CloseAs")), null, 'errors'); @@ -622,7 +622,7 @@ if (empty($reshook)) } // Reopen proposal - else if ($action == 'confirm_reopen' && $user->rights->propal->cloturer && ! GETPOST('cancel')) + else if ($action == 'confirm_reopen' && $user->rights->propal->cloturer && ! GETPOST('cancel','alpha')) { // prevent browser refresh from reopening proposal several times if ($object->statut == Propal::STATUS_SIGNED || $object->statut == Propal::STATUS_NOTSIGNED || $object->statut == Propal::STATUS_BILLED) @@ -1106,7 +1106,7 @@ if (empty($reshook)) } } - else if ($action == 'updateligne' && $user->rights->propal->creer && GETPOST('cancel')) + else if ($action == 'updateligne' && $user->rights->propal->creer && GETPOST('cancel','alpha')) { header('Location: ' . $_SERVER['PHP_SELF'] . '?id=' . $object->id); // Pour reaffichage de la fiche en cours d'edition exit(); diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php index 1e992649531..cd51b0f9fa6 100644 --- a/htdocs/comm/propal/class/propal.class.php +++ b/htdocs/comm/propal/class/propal.class.php @@ -938,7 +938,7 @@ class Propal extends CommonObject $sql.= ", '".$this->db->escape($this->multicurrency_code)."'"; $sql.= ", ".(double) $this->multicurrency_tx; $sql.= ")"; - + dol_syslog(get_class($this)."::create", LOG_DEBUG); $resql=$this->db->query($sql); if ($resql) @@ -3772,28 +3772,28 @@ class PropaleLigne extends CommonObjectLine $sql.= ' date_start, date_end'; $sql.= ', fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc)'; $sql.= " VALUES (".$this->fk_propal.","; - $sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").","; + $sql.= " ".($this->fk_parent_line>0?"'".$this->db->escape($this->fk_parent_line)."'":"null").","; $sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").","; $sql.= " '".$this->db->escape($this->desc)."',"; - $sql.= " ".($this->fk_product?"'".$this->fk_product."'":"null").","; - $sql.= " '".$this->product_type."',"; - $sql.= " ".($this->fk_remise_except?"'".$this->fk_remise_except."'":"null").","; + $sql.= " ".($this->fk_product?"'".$this->db->escape($this->fk_product)."'":"null").","; + $sql.= " '".$this->db->escape($this->product_type)."',"; + $sql.= " ".($this->fk_remise_except?"'".$this->db->escape($this->fk_remise_except)."'":"null").","; $sql.= " ".price2num($this->qty).","; - $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").","; + $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").","; $sql.= " ".price2num($this->tva_tx).","; $sql.= " ".price2num($this->localtax1_tx).","; $sql.= " ".price2num($this->localtax2_tx).","; - $sql.= " '".$this->localtax1_type."',"; - $sql.= " '".$this->localtax2_type."',"; + $sql.= " '".$this->db->escape($this->localtax1_type)."',"; + $sql.= " '".$this->db->escape($this->localtax2_type)."',"; $sql.= " ".($this->subprice?price2num($this->subprice):"null").","; $sql.= " ".price2num($this->remise_percent).","; - $sql.= " ".(isset($this->info_bits)?"'".$this->info_bits."'":"null").","; + $sql.= " ".(isset($this->info_bits)?"'".$this->db->escape($this->info_bits)."'":"null").","; $sql.= " ".price2num($this->total_ht).","; $sql.= " ".price2num($this->total_tva).","; $sql.= " ".price2num($this->total_localtax1).","; $sql.= " ".price2num($this->total_localtax2).","; $sql.= " ".price2num($this->total_ttc).","; - $sql.= " ".(!empty($this->fk_fournprice)?"'".$this->fk_fournprice."'":"null").","; + $sql.= " ".(!empty($this->fk_fournprice)?"'".$this->db->escape($this->fk_fournprice)."'":"null").","; $sql.= " ".(isset($this->pa_ht)?"'".price2num($this->pa_ht)."'":"null").","; $sql.= ' '.$this->special_code.','; $sql.= ' '.$this->rang.','; @@ -3975,7 +3975,7 @@ class PropaleLigne extends CommonObjectLine $sql.= ", total_localtax1=".price2num($this->total_localtax1).""; $sql.= ", total_localtax2=".price2num($this->total_localtax2).""; } - $sql.= ", fk_product_fournisseur_price=".(! empty($this->fk_fournprice)?"'".$this->fk_fournprice."'":"null"); + $sql.= ", fk_product_fournisseur_price=".(! empty($this->fk_fournprice)?"'".$this->db->escape($this->fk_fournprice)."'":"null"); $sql.= ", buy_price_ht=".price2num($this->pa_ht); if (strlen($this->special_code)) $sql.= ", special_code=".$this->special_code; $sql.= ", fk_parent_line=".($this->fk_parent_line>0?$this->fk_parent_line:"null"); diff --git a/htdocs/comm/propal/list.php b/htdocs/comm/propal/list.php index 4939d7e83f7..909b0f3ebc8 100644 --- a/htdocs/comm/propal/list.php +++ b/htdocs/comm/propal/list.php @@ -169,8 +169,8 @@ $object = new Propal($db); // To be passed as parameter of executeHooks that nee * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } $parameters=array('socid'=>$socid); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks @@ -420,7 +420,7 @@ if ($resql) { $langs->load("mails"); - if (! GETPOST('cancel')) + if (! GETPOST('cancel','alpha')) { $objecttmp=new Propal($db); $listofselectedid=array(); diff --git a/htdocs/comm/remise.php b/htdocs/comm/remise.php index bca371977a7..1ad4612d879 100644 --- a/htdocs/comm/remise.php +++ b/htdocs/comm/remise.php @@ -46,7 +46,7 @@ $backtopage = GETPOST('backtopage','alpha'); * Actions */ -if (GETPOST('cancel') && ! empty($backtopage)) +if (GETPOST('cancel','alpha') && ! empty($backtopage)) { header("Location: ".$backtopage); exit; diff --git a/htdocs/comm/remx.php b/htdocs/comm/remx.php index 9964db9ecde..04eb2583fb5 100644 --- a/htdocs/comm/remx.php +++ b/htdocs/comm/remx.php @@ -49,7 +49,7 @@ if ($user->societe_id > 0) * Actions */ -if (GETPOST('cancel') && ! empty($backtopage)) +if (GETPOST('cancel','alpha') && ! empty($backtopage)) { header("Location: ".$backtopage); exit; diff --git a/htdocs/commande/card.php b/htdocs/commande/card.php index 1a9f4997ec4..040b1e200d8 100644 --- a/htdocs/commande/card.php +++ b/htdocs/commande/card.php @@ -1061,7 +1061,7 @@ if (empty($reshook)) } } - else if ($action == 'updateline' && $user->rights->commande->creer && GETPOST('cancel') == $langs->trans('Cancel')) { + else if ($action == 'updateline' && $user->rights->commande->creer && GETPOST('cancel','alpha') == $langs->trans('Cancel')) { header('Location: ' . $_SERVER['PHP_SELF'] . '?id=' . $object->id); // Pour reaffichage de la fiche en cours d'edition exit(); } @@ -1441,7 +1441,6 @@ if ($action == 'create' && $user->rights->commande->creer) $note_private = $object->getDefaultCreateValueFor('note_private'); $note_public = $object->getDefaultCreateValueFor('note_public'); } - $absolute_discount=$soc->getAvailableDiscounts(); print '
'; @@ -1478,7 +1477,7 @@ if ($action == 'create' && $user->rights->commande->creer) print ''; } else { print ''; - print $form->select_company('', 'socid', 's.client = 1 OR s.client = 3', 'SelectThirdParty', 0, 0, null, 0, 'minwidth300'); + print $form->select_company('', 'socid', '(s.client = 1 OR s.client = 3)', 'SelectThirdParty', 0, 0, null, 0, 'minwidth300'); // reload page to retrieve customer informations if (!empty($conf->global->RELOAD_PAGE_ON_CUSTOMER_CHANGE)) { diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php index 78c53904202..3104ec7f975 100644 --- a/htdocs/commande/class/commande.class.php +++ b/htdocs/commande/class/commande.class.php @@ -775,11 +775,11 @@ class Commande extends CommonOrder $sql.= ", ".($this->ref_client?"'".$this->db->escape($this->ref_client)."'":"null"); $sql.= ", ".($this->ref_int?"'".$this->db->escape($this->ref_int)."'":"null"); $sql.= ", '".$this->db->escape($this->modelpdf)."'"; - $sql.= ", ".($this->cond_reglement_id>0?"'".$this->cond_reglement_id."'":"null"); - $sql.= ", ".($this->mode_reglement_id>0?"'".$this->mode_reglement_id."'":"null"); + $sql.= ", ".($this->cond_reglement_id>0?$this->cond_reglement_id:"null"); + $sql.= ", ".($this->mode_reglement_id>0?$this->mode_reglement_id:"null"); $sql.= ", ".($this->fk_account>0?$this->fk_account:'NULL'); - $sql.= ", ".($this->availability_id>0?"'".$this->availability_id."'":"null"); - $sql.= ", ".($this->demand_reason_id>0?"'".$this->demand_reason_id."'":"null"); + $sql.= ", ".($this->availability_id>0?$this->availability_id:"null"); + $sql.= ", ".($this->demand_reason_id>0?$this->demand_reason_id:"null"); $sql.= ", ".($this->date_livraison?"'".$this->db->idate($this->date_livraison)."'":"null"); $sql.= ", ".($this->fk_delivery_address>0?$this->fk_delivery_address:'NULL'); $sql.= ", ".($this->shipping_method_id>0?$this->shipping_method_id:'NULL'); @@ -2234,7 +2234,7 @@ class Commande extends CommonOrder $this->db->begin(); $sql = "UPDATE ".MAIN_DB_PREFIX."commande"; - $sql.= " SET date_commande = ".($date ? $this->db->idate($date) : 'null'); + $sql.= " SET date_commande = ".($date ? "'".$this->db->idate($date)."'" : 'null'); $sql.= " WHERE rowid = ".$this->id." AND fk_statut = ".self::STATUS_DRAFT; dol_syslog(__METHOD__, LOG_DEBUG); @@ -3995,18 +3995,18 @@ class OrderLine extends CommonOrderLine $sql.= ', fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc'; $sql.= ')'; $sql.= " VALUES (".$this->fk_commande.","; - $sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").","; + $sql.= " ".($this->fk_parent_line>0?"'".$this->db->escape($this->fk_parent_line)."'":"null").","; $sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").","; $sql.= " '".$this->db->escape($this->desc)."',"; $sql.= " '".price2num($this->qty)."',"; - $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").","; + $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").","; $sql.= " '".price2num($this->tva_tx)."',"; $sql.= " '".price2num($this->localtax1_tx)."',"; $sql.= " '".price2num($this->localtax2_tx)."',"; - $sql.= " '".$this->localtax1_type."',"; - $sql.= " '".$this->localtax2_type."',"; + $sql.= " '".$this->db->escape($this->localtax1_type)."',"; + $sql.= " '".$this->db->escape($this->localtax2_type)."',"; $sql.= ' '.(! empty($this->fk_product)?$this->fk_product:"null").','; - $sql.= " '".$this->product_type."',"; + $sql.= " '".$this->db->escape($this->product_type)."',"; $sql.= " '".price2num($this->remise_percent)."',"; $sql.= " ".($this->subprice!=''?"'".price2num($this->subprice)."'":"null").","; $sql.= " ".($this->price!=''?"'".price2num($this->price)."'":"null").","; @@ -4016,7 +4016,7 @@ class OrderLine extends CommonOrderLine $sql.= ' '.$this->rang.','; $sql.= ' '.(! empty($this->fk_fournprice)?$this->fk_fournprice:"null").','; $sql.= ' '.price2num($this->pa_ht).','; - $sql.= " '".$this->info_bits."',"; + $sql.= " '".$this->db->escape($this->info_bits)."',"; $sql.= " '".price2num($this->total_ht)."',"; $sql.= " '".price2num($this->total_tva)."',"; $sql.= " '".price2num($this->total_localtax1)."',"; diff --git a/htdocs/commande/list.php b/htdocs/commande/list.php index 8810a1be986..13841b108d9 100644 --- a/htdocs/commande/list.php +++ b/htdocs/commande/list.php @@ -149,8 +149,8 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend' && $massaction != 'confirm_createbills') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend' && $massaction != 'confirm_createbills') { $massaction=''; } $parameters=array('socid'=>$socid); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks @@ -666,7 +666,7 @@ if ($resql) { $langs->load("mails"); - if (! GETPOST('cancel')) + if (! GETPOST('cancel','alpha')) { $objecttmp=new Commande($db); $listofselectedid=array(); diff --git a/htdocs/compta/bank/bankentries.php b/htdocs/compta/bank/bankentries.php index 3d4ee78e73c..5a96f4d52ae 100644 --- a/htdocs/compta/bank/bankentries.php +++ b/htdocs/compta/bank/bankentries.php @@ -161,8 +161,8 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } $parameters=array(); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/compta/bank/class/account.class.php b/htdocs/compta/bank/class/account.class.php index bc0fca719d6..56fb9c90278 100644 --- a/htdocs/compta/bank/class/account.class.php +++ b/htdocs/compta/bank/class/account.class.php @@ -574,21 +574,21 @@ class Account extends CommonObject $sql.= ", '".$this->db->escape($this->account_number)."'"; $sql.= ", ".($this->fk_accountancy_journal > 0 ? $this->db->escape($this->fk_accountancy_journal) : "null"); $sql.= ", '".$this->db->escape($this->bank)."'"; - $sql.= ", '".$this->code_banque."'"; - $sql.= ", '".$this->code_guichet."'"; - $sql.= ", '".$this->number."'"; - $sql.= ", '".$this->cle_rib."'"; - $sql.= ", '".$this->bic."'"; - $sql.= ", '".$this->iban."'"; + $sql.= ", '".$this->db->escape($this->code_banque)."'"; + $sql.= ", '".$this->db->escape($this->code_guichet)."'"; + $sql.= ", '".$this->db->escape($this->number)."'"; + $sql.= ", '".$this->db->escape($this->cle_rib)."'"; + $sql.= ", '".$this->db->escape($this->bic)."'"; + $sql.= ", '".$this->db->escape($this->iban)."'"; $sql.= ", '".$this->db->escape($this->domiciliation)."'"; $sql.= ", '".$this->db->escape($this->proprio)."'"; $sql.= ", '".$this->db->escape($this->owner_address)."'"; - $sql.= ", '".$this->currency_code."'"; + $sql.= ", '".$this->db->escape($this->currency_code)."'"; $sql.= ", ".$this->rappro; $sql.= ", ".price2num($this->min_allowed); $sql.= ", ".price2num($this->min_desired); $sql.= ", '".$this->db->escape($this->comment)."'"; - $sql.= ", ".($this->state_id>0?"'".$this->state_id."'":"null"); + $sql.= ", ".($this->state_id>0?$this->state_id:"null"); $sql.= ", ".$this->country_id; $sql.= ")"; @@ -703,7 +703,7 @@ class Account extends CommonObject $sql.= ",courant = ".$this->courant; $sql.= ",clos = ".$this->clos; $sql.= ",rappro = ".$this->rappro; - $sql.= ",url = ".($this->url?"'".$this->url."'":"null"); + $sql.= ",url = ".($this->url?"'".$this->db->escape($this->url)."'":"null"); $sql.= ",account_number = '".$this->db->escape($this->account_number)."'"; $sql.= ",fk_accountancy_journal = ".($this->fk_accountancy_journal > 0 ? $this->db->escape($this->fk_accountancy_journal) : "null"); $sql.= ",bank = '".$this->db->escape($this->bank)."'"; @@ -723,7 +723,7 @@ class Account extends CommonObject $sql.= ",min_desired = ".($this->min_desired != '' ? price2num($this->min_desired) : "null"); $sql.= ",comment = '".$this->db->escape($this->comment)."'"; - $sql.= ",state_id = ".($this->state_id>0?"'".$this->state_id."'":"null"); + $sql.= ",state_id = ".($this->state_id>0?$this->state_id:"null"); $sql.= ",fk_pays = ".$this->country_id; $sql.= " WHERE rowid = ".$this->id; @@ -808,7 +808,7 @@ class Account extends CommonObject $sql.= ",domiciliation='".$this->db->escape($this->domiciliation)."'"; $sql.= ",proprio = '".$this->db->escape($this->proprio)."'"; $sql.= ",owner_address = '".$this->db->escape($this->owner_address)."'"; - $sql.= ",state_id = ".($this->state_id>0?"'".$this->state_id."'":"null"); + $sql.= ",state_id = ".($this->state_id>0?$this->state_id:"null"); $sql.= ",fk_pays = ".$this->country_id; $sql.= " WHERE rowid = ".$this->id; $sql.= " AND entity = ".$conf->entity; @@ -1695,9 +1695,9 @@ class AccountLine extends CommonObject $sql .= ", '".$this->db->idate($this->datev)."'"; $sql .= ", '".$this->db->escape($this->label)."'"; $sql .= ", ".price2num($this->amount); - $sql .= ", ".($this->fk_user_author > 0 ? "'".$this->fk_user_author."'":"null"); - $sql .= ", ".($this->num_chq ? "'".$this->num_chq."'" : "null"); - $sql .= ", '".$this->fk_account."'"; + $sql .= ", ".($this->fk_user_author > 0 ? $this->fk_user_author :"null"); + $sql .= ", ".($this->num_chq ? "'".$this->db->escape($this->num_chq)."'" : "null"); + $sql .= ", '".$this->db->escape($this->fk_account)."'"; $sql .= ", '".$this->db->escape($this->fk_type)."'"; $sql .= ", ".($this->emetteur ? "'".$this->db->escape($this->emetteur)."'" : "null"); $sql .= ", ".($this->bank_chq ? "'".$this->db->escape($this->bank_chq)."'" : "null"); diff --git a/htdocs/compta/bank/index.php b/htdocs/compta/bank/index.php index 177e576b5d7..80bf9d6f50c 100644 --- a/htdocs/compta/bank/index.php +++ b/htdocs/compta/bank/index.php @@ -111,8 +111,8 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } $parameters=array('socid'=>$socid); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/compta/bank/ligne.php b/htdocs/compta/bank/ligne.php index 525b7a72e12..c88220192ab 100644 --- a/htdocs/compta/bank/ligne.php +++ b/htdocs/compta/bank/ligne.php @@ -48,8 +48,8 @@ $action=GETPOST('action','alpha'); $confirm=GETPOST('confirm','alpha'); $rowid=GETPOST("rowid",'int'); $orig_account=GETPOST("orig_account"); -$backtopage=GETPOST('backtopage'); -$cancel=GETPOST('cancel'); +$backtopage=GETPOST('backtopage','alpha'); +$cancel=GETPOST('cancel','alpha'); // Security check $fieldvalue = (! empty($id) ? $id : (! empty($ref) ? $ref :'')); diff --git a/htdocs/compta/deplacement/class/deplacement.class.php b/htdocs/compta/deplacement/class/deplacement.class.php index ea8b85c55af..c0a4ef94613 100644 --- a/htdocs/compta/deplacement/class/deplacement.class.php +++ b/htdocs/compta/deplacement/class/deplacement.class.php @@ -107,7 +107,7 @@ class Deplacement extends CommonObject $sql.= ", ".$conf->entity; $sql.= ", ".$user->id; $sql.= ", ".$this->fk_user; - $sql.= ", '".$this->type."'"; + $sql.= ", '".$this->db->escape($this->type)."'"; $sql.= ", ".($this->note_private?"'".$this->db->escape($this->note_private)."'":"null"); $sql.= ", ".($this->note_public?"'".$this->db->escape($this->note_public)."'":"null"); $sql.= ", ".($this->fk_project > 0? $this->fk_project : 0); diff --git a/htdocs/compta/facture/card.php b/htdocs/compta/facture/card.php index 72fbb507921..db8c2a0f071 100644 --- a/htdocs/compta/facture/card.php +++ b/htdocs/compta/facture/card.php @@ -1766,7 +1766,7 @@ if (empty($reshook)) } } - elseif ($action == 'updateligne' && $user->rights->facture->creer && ! GETPOST('cancel')) + elseif ($action == 'updateligne' && $user->rights->facture->creer && ! GETPOST('cancel','alpha')) { if (! $object->fetch($id) > 0) dol_print_error($db); $object->fetch_thirdparty(); diff --git a/htdocs/compta/facture/class/facture-rec.class.php b/htdocs/compta/facture/class/facture-rec.class.php index 60c5f591a26..2bd5e9750b3 100644 --- a/htdocs/compta/facture/class/facture-rec.class.php +++ b/htdocs/compta/facture/class/facture-rec.class.php @@ -141,7 +141,7 @@ class FactureRec extends CommonInvoice $sql.= ", nb_gen_max"; $sql.= ", auto_validate"; $sql.= ") VALUES ("; - $sql.= "'".$this->titre."'"; + $sql.= "'".$this->db->escape($this->titre)."'"; $sql.= ", ".$facsrc->socid; $sql.= ", ".$conf->entity; $sql.= ", '".$this->db->idate($now)."'"; @@ -149,11 +149,11 @@ class FactureRec extends CommonInvoice $sql.= ", ".(!empty($facsrc->remise)?$this->remise:'0'); $sql.= ", ".(!empty($this->note_private)?("'".$this->db->escape($this->note_private)."'"):"NULL"); $sql.= ", ".(!empty($this->note_public)?("'".$this->db->escape($this->note_public)."'"):"NULL"); - $sql.= ", '".$user->id."'"; + $sql.= ", '".$this->db->escape($user->id)."'"; $sql.= ", ".(! empty($facsrc->fk_project)?"'".$facsrc->fk_project."'":"null"); $sql.= ", ".(! empty($facsrc->fk_account)?"'".$facsrc->fk_account."'":"null"); - $sql.= ", '".$facsrc->cond_reglement_id."'"; - $sql.= ", '".$facsrc->mode_reglement_id."'"; + $sql.= ", '".$this->db->escape($facsrc->cond_reglement_id)."'"; + $sql.= ", '".$this->db->escape($facsrc->mode_reglement_id)."'"; $sql.= ", ".$this->usenewprice; $sql.= ", ".$this->frequency; $sql.= ", '".$this->db->escape($this->unit_frequency)."'"; @@ -1504,7 +1504,7 @@ class FactureLigneRec extends CommonInvoiceLine $sql.= ", localtax1_type='".$this->db->escape($this->localtax1_type)."'"; $sql.= ", localtax2_tx=".price2num($this->localtax2_tx); $sql.= ", localtax2_type='".$this->db->escape($this->localtax2_type)."'"; - $sql.= ", fk_product=".(! empty($this->fk_product)?"'".$this->fk_product."'":"null"); + $sql.= ", fk_product=".($this->fk_product > 0 ? $this->fk_product :"null"); $sql.= ", product_type=".$this->product_type; $sql.= ", remise_percent='".price2num($this->remise_percent)."'"; $sql.= ", subprice='".price2num($this->subprice)."'"; diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php index 6ce3914d996..22d47de44b3 100644 --- a/htdocs/compta/facture/class/facture.class.php +++ b/htdocs/compta/facture/class/facture.class.php @@ -4447,16 +4447,16 @@ class FactureLigne extends CommonInvoiceLine $sql.= ' fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc'; $sql.= ')'; $sql.= " VALUES (".$this->fk_facture.","; - $sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").","; + $sql.= " ".($this->fk_parent_line>0 ? $this->fk_parent_line:"null").","; $sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").","; $sql.= " '".$this->db->escape($this->desc)."',"; $sql.= " ".price2num($this->qty).","; - $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").","; + $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").","; $sql.= " ".price2num($this->tva_tx).","; $sql.= " ".price2num($this->localtax1_tx).","; $sql.= " ".price2num($this->localtax2_tx).","; - $sql.= " '".$this->localtax1_type."',"; - $sql.= " '".$this->localtax2_type."',"; + $sql.= " '".$this->db->escape($this->localtax1_type)."',"; + $sql.= " '".$this->db->escape($this->localtax2_type)."',"; $sql.= ' '.(! empty($this->fk_product)?$this->fk_product:"null").','; $sql.= " ".$this->product_type.","; $sql.= " ".price2num($this->remise_percent).","; @@ -4469,7 +4469,7 @@ class FactureLigne extends CommonInvoiceLine $sql.= ' '.$this->special_code.','; $sql.= ' '.(! empty($this->fk_fournprice)?$this->fk_fournprice:"null").','; $sql.= ' '.price2num($this->pa_ht).','; - $sql.= " '".$this->info_bits."',"; + $sql.= " '".$this->db->escape($this->info_bits)."',"; $sql.= " ".price2num($this->total_ht).","; $sql.= " ".price2num($this->total_tva).","; $sql.= " ".price2num($this->total_ttc).","; diff --git a/htdocs/compta/facture/class/paymentterm.class.php b/htdocs/compta/facture/class/paymentterm.class.php index 3f0c2bcf732..b08594fd09a 100644 --- a/htdocs/compta/facture/class/paymentterm.class.php +++ b/htdocs/compta/facture/class/paymentterm.class.php @@ -85,13 +85,11 @@ class PaymentTerm // extends CommonObject if (isset($this->decalage)) $this->decalage=trim($this->decalage); - // Check parameters // Put here code to add control on parameters values // Insert request $sql = "INSERT INTO ".MAIN_DB_PREFIX."c_payment_term("; - $sql.= "rowid,"; $sql.= "entity,"; $sql.= "code,"; @@ -102,22 +100,17 @@ class PaymentTerm // extends CommonObject $sql.= "type_cdr,"; $sql.= "nbjour,"; $sql.= "decalage"; - - $sql.= ") VALUES ("; - - $sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->rowid."'").","; - $sql.= " ".(! isset($this->entity)?getEntity('c_payment_term', 2):"'".$this->entity."'").","; + $sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->db->escape($this->rowid)."'").","; + $sql.= " ".(! isset($this->entity)?getEntity('c_payment_term', 2):"'".$this->db->escape($this->entity)."'").","; $sql.= " ".(! isset($this->code)?'NULL':"'".$this->db->escape($this->code)."'").","; - $sql.= " ".(! isset($this->sortorder)?'NULL':"'".$this->sortorder."'").","; - $sql.= " ".(! isset($this->active)?'NULL':"'".$this->active."'").","; + $sql.= " ".(! isset($this->sortorder)?'NULL':"'".$this->db->escape($this->sortorder)."'").","; + $sql.= " ".(! isset($this->active)?'NULL':"'".$this->db->escape($this->active)."'").","; $sql.= " ".(! isset($this->libelle)?'NULL':"'".$this->db->escape($this->libelle)."'").","; $sql.= " ".(! isset($this->libelle_facture)?'NULL':"'".$this->db->escape($this->libelle_facture)."'").","; - $sql.= " ".(! isset($this->type_cdr)?'NULL':"'".$this->type_cdr."'").","; - $sql.= " ".(! isset($this->nbjour)?'NULL':"'".$this->nbjour."'").","; - $sql.= " ".(! isset($this->decalage)?'NULL':"'".$this->decalage."'").""; - - + $sql.= " ".(! isset($this->type_cdr)?'NULL':"'".$this->db->escape($this->type_cdr)."'").","; + $sql.= " ".(! isset($this->nbjour)?'NULL':"'".$this->db->escape($this->nbjour)."'").","; + $sql.= " ".(! isset($this->decalage)?'NULL':"'".$this->db->escape($this->decalage)."'").""; $sql.= ")"; $this->db->begin(); @@ -290,7 +283,6 @@ class PaymentTerm // extends CommonObject // Update request $sql = "UPDATE ".MAIN_DB_PREFIX."c_payment_term SET"; - $sql.= " code=".(isset($this->code)?"'".$this->db->escape($this->code)."'":"null").","; $sql.= " sortorder=".(isset($this->sortorder)?$this->sortorder:"null").","; $sql.= " active=".(isset($this->active)?$this->active:"null").","; @@ -299,10 +291,14 @@ class PaymentTerm // extends CommonObject $sql.= " type_cdr=".(isset($this->type_cdr)?$this->type_cdr:"null").","; $sql.= " nbjour=".(isset($this->nbjour)?$this->nbjour:"null").","; $sql.= " decalage=".(isset($this->decalage)?$this->decalage:"null").""; +<<<<<<< HEAD $sql.= " WHERE rowid = " . $this->id; $sql.= " AND entity = " . getEntity('c_payment_term', 2); +======= + $sql.= " WHERE rowid=".$this->id; +>>>>>>> branch 'develop' of https://github.com/Dolibarr/dolibarr.git $this->db->begin(); diff --git a/htdocs/compta/facture/fiche-rec.php b/htdocs/compta/facture/fiche-rec.php index 80ffffdfb39..98fc2cd2f62 100644 --- a/htdocs/compta/facture/fiche-rec.php +++ b/htdocs/compta/facture/fiche-rec.php @@ -139,8 +139,8 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } $parameters = array('socid' => $socid); $reshook = $hookmanager->executeHooks('doActions', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks @@ -148,7 +148,7 @@ if ($reshook < 0) setEventMessages($hookmanager->error, $hookmanager->errors, 'e if (empty($reshook)) { - if (GETPOST('cancel')) $action=''; + if (GETPOST('cancel','alpha')) $action=''; // Selection of new fields include DOL_DOCUMENT_ROOT.'/core/actions_changeselectedfields.inc.php'; @@ -728,7 +728,7 @@ if (empty($reshook)) } } - elseif ($action == 'updateligne' && $user->rights->facture->creer && ! GETPOST('cancel')) + elseif ($action == 'updateligne' && $user->rights->facture->creer && ! GETPOST('cancel','alpha')) { if (! $object->fetch($id) > 0) dol_print_error($db); $object->fetch_thirdparty(); diff --git a/htdocs/compta/facture/list.php b/htdocs/compta/facture/list.php index 3ffd0af9cd3..15a79d7fdd9 100644 --- a/htdocs/compta/facture/list.php +++ b/htdocs/compta/facture/list.php @@ -181,8 +181,8 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } $parameters=array('socid'=>$socid); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks @@ -612,7 +612,7 @@ if ($resql) { $langs->load("mails"); - if (! GETPOST('cancel')) + if (! GETPOST('cancel','alpha')) { $objecttmp=new Facture($db); $listofselectedid=array(); diff --git a/htdocs/compta/localtax/class/localtax.class.php b/htdocs/compta/localtax/class/localtax.class.php index 870c123b468..570942590c2 100644 --- a/htdocs/compta/localtax/class/localtax.class.php +++ b/htdocs/compta/localtax/class/localtax.class.php @@ -87,12 +87,12 @@ class Localtax extends CommonObject $sql.= " '".$this->db->idate($this->tms)."',"; $sql.= " '".$this->db->idate($this->datep)."',"; $sql.= " '".$this->db->idate($this->datev)."',"; - $sql.= " '".$this->amount."',"; - $sql.= " '".$this->label."',"; - $sql.= " '".$this->note."',"; - $sql.= " ".($this->fk_bank <= 0 ? "NULL" : "'".$this->fk_bank."'").","; - $sql.= " '".$this->fk_user_creat."',"; - $sql.= " '".$this->fk_user_modif."'"; + $sql.= " '".$this->db->escape($this->amount)."',"; + $sql.= " '".$this->db->escape($this->label)."',"; + $sql.= " '".$this->db->escape($this->note)."',"; + $sql.= " ".($this->fk_bank <= 0 ? "NULL" : "'".$this->db->escape($this->fk_bank)."'").","; + $sql.= " '".$this->db->escape($this->fk_user_creat)."',"; + $sql.= " '".$this->db->escape($this->fk_user_modif)."'"; $sql.= ")"; dol_syslog(get_class($this)."::create", LOG_DEBUG); diff --git a/htdocs/compta/paiement/cheque/class/remisecheque.class.php b/htdocs/compta/paiement/cheque/class/remisecheque.class.php index 45d64cf547e..46e50fba56e 100644 --- a/htdocs/compta/paiement/cheque/class/remisecheque.class.php +++ b/htdocs/compta/paiement/cheque/class/remisecheque.class.php @@ -861,7 +861,7 @@ class RemiseCheque extends CommonObject if ($user->rights->banque->cheque) { $sql = "UPDATE ".MAIN_DB_PREFIX."bordereau_cheque"; - $sql.= " SET date_bordereau = ".($date ? $this->db->idate($date) : 'null'); + $sql.= " SET date_bordereau = ".($date ? "'".$this->db->idate($date)."'" : 'null'); $sql.= " WHERE rowid = ".$this->id; dol_syslog("RemiseCheque::set_date", LOG_DEBUG); diff --git a/htdocs/compta/salaries/class/paymentsalary.class.php b/htdocs/compta/salaries/class/paymentsalary.class.php index ee2832cb08e..7fbbaf43d48 100644 --- a/htdocs/compta/salaries/class/paymentsalary.class.php +++ b/htdocs/compta/salaries/class/paymentsalary.class.php @@ -108,7 +108,7 @@ class PaymentSalary extends CommonObject $sql.= " datesp='".$this->db->idate($this->datesp)."',"; $sql.= " dateep='".$this->db->idate($this->dateep)."',"; $sql.= " note='".$this->db->escape($this->note)."',"; - $sql.= " fk_bank=".($this->fk_bank > 0 ? "'".$this->fk_bank."'":"null").","; + $sql.= " fk_bank=".($this->fk_bank > 0 ? "'".$this->db->escape($this->fk_bank)."'":"null").","; $sql.= " fk_user_author=".$this->fk_user_author.","; $sql.= " fk_user_modif=".$this->fk_user_modif; @@ -344,18 +344,18 @@ class PaymentSalary extends CommonObject $sql.= ", entity"; $sql.= ") "; $sql.= " VALUES ("; - $sql.= "'".$this->fk_user."'"; + $sql.= "'".$this->db->escape($this->fk_user)."'"; $sql.= ", '".$this->db->idate($this->datep)."'"; $sql.= ", '".$this->db->idate($this->datev)."'"; $sql.= ", ".$this->amount; $sql.= ", ".($this->salary > 0 ? $this->salary : "null"); - $sql.= ", '".$this->type_payment."'"; - $sql.= ", '".$this->num_payment."'"; + $sql.= ", '".$this->db->escape($this->type_payment)."'"; + $sql.= ", '".$this->db->escape($this->num_payment)."'"; if ($this->note) $sql.= ", '".$this->db->escape($this->note)."'"; $sql.= ", '".$this->db->escape($this->label)."'"; $sql.= ", '".$this->db->idate($this->datesp)."'"; $sql.= ", '".$this->db->idate($this->dateep)."'"; - $sql.= ", '".$user->id."'"; + $sql.= ", '".$this->db->escape($user->id)."'"; $sql.= ", '".$this->db->idate($now)."'"; $sql.= ", NULL"; $sql.= ", ".$conf->entity; diff --git a/htdocs/compta/sociales/class/chargesociales.class.php b/htdocs/compta/sociales/class/chargesociales.class.php index 9d1205c1cb0..15774c04ed3 100644 --- a/htdocs/compta/sociales/class/chargesociales.class.php +++ b/htdocs/compta/sociales/class/chargesociales.class.php @@ -171,8 +171,8 @@ class ChargeSociales extends CommonObject $sql = "INSERT INTO ".MAIN_DB_PREFIX."chargesociales (fk_type, fk_account, fk_mode_reglement, libelle, date_ech, periode, amount, fk_projet, entity, fk_user_author, date_creation)"; $sql.= " VALUES (".$this->type; - $sql.= ", ".($this->fk_account>0?$this->fk_account:'NULL'); - $sql.= ", ".($this->mode_reglement_id>0?"'".$this->mode_reglement_id."'":"NULL"); + $sql.= ", ".($this->fk_account>0 ? $this->fk_account:'NULL'); + $sql.= ", ".($this->mode_reglement_id>0 ? $this->mode_reglement_id:"NULL"); $sql.= ", '".$this->db->escape($this->lib)."'"; $sql.= ", '".$this->db->idate($this->date_ech)."'"; $sql.= ", '".$this->db->idate($this->periode)."'"; diff --git a/htdocs/compta/tva/class/tva.class.php b/htdocs/compta/tva/class/tva.class.php index df1bc8c03cf..5d170faf67e 100644 --- a/htdocs/compta/tva/class/tva.class.php +++ b/htdocs/compta/tva/class/tva.class.php @@ -106,12 +106,12 @@ class Tva extends CommonObject $sql.= " '".$this->db->idate($now)."',"; $sql.= " '".$this->db->idate($this->datep)."',"; $sql.= " '".$this->db->idate($this->datev)."',"; - $sql.= " '".$this->amount."',"; - $sql.= " '".$this->label."',"; - $sql.= " '".$this->note."',"; - $sql.= " ".($this->fk_bank <= 0 ? "NULL" : "'".$this->fk_bank."'").","; - $sql.= " '".$this->fk_user_creat."',"; - $sql.= " '".$this->fk_user_modif."'"; + $sql.= " '".$this->db->escape($this->amount)."',"; + $sql.= " '".$this->db->escape($this->label)."',"; + $sql.= " '".$this->db->escape($this->note)."',"; + $sql.= " ".($this->fk_bank <= 0 ? "NULL" : "'".$this->db->escape($this->fk_bank)."'").","; + $sql.= " '".$this->db->escape($this->fk_user_creat)."',"; + $sql.= " '".$this->db->escape($this->fk_user_modif)."'"; $sql.= ")"; @@ -535,11 +535,11 @@ class Tva extends CommonObject $sql.= "'".$this->db->idate($this->datep)."'"; $sql.= ", '".$this->db->idate($this->datev)."'"; $sql.= ", ".$this->amount; - $sql.= ", '".$this->type_payment."'"; - $sql.= ", '".$this->num_payment."'"; + $sql.= ", '".$this->db->escape($this->type_payment)."'"; + $sql.= ", '".$this->db->escape($this->num_payment)."'"; if ($this->note) $sql.=", '".$this->db->escape($this->note)."'"; if ($this->label) $sql.=", '".$this->db->escape($this->label)."'"; - $sql.= ", '".$user->id."'"; + $sql.= ", '".$this->db->escape($user->id)."'"; $sql.= ", NULL"; $sql.= ", ".$conf->entity; $sql.= ")"; diff --git a/htdocs/contact/agenda.php b/htdocs/contact/agenda.php index cc7f36261cc..04c62107e83 100644 --- a/htdocs/contact/agenda.php +++ b/htdocs/contact/agenda.php @@ -115,7 +115,7 @@ if ($reshook < 0) setEventMessages($hookmanager->error, $hookmanager->errors, 'e if (empty($reshook)) { // Cancel - if (GETPOST("cancel") && ! empty($backtopage)) + if (GETPOST('cancel','alpha') && ! empty($backtopage)) { header("Location: ".$backtopage); exit; diff --git a/htdocs/contact/card.php b/htdocs/contact/card.php index d5854297f43..7dffd99f8bf 100644 --- a/htdocs/contact/card.php +++ b/htdocs/contact/card.php @@ -91,7 +91,7 @@ if ($reshook < 0) setEventMessages($hookmanager->error, $hookmanager->errors, 'e if (empty($reshook)) { // Cancel - if (GETPOST("cancel") && ! empty($backtopage)) + if (GETPOST('cancel','alpha') && ! empty($backtopage)) { header("Location: ".$backtopage); exit; diff --git a/htdocs/contact/class/contact.class.php b/htdocs/contact/class/contact.class.php index 3b7ce848731..2329ae63685 100644 --- a/htdocs/contact/class/contact.class.php +++ b/htdocs/contact/class/contact.class.php @@ -200,7 +200,7 @@ class Contact extends CommonObject $sql.= " ".(! empty($this->canvas)?"'".$this->db->escape($this->canvas)."'":"null").","; $sql.= " ".$conf->entity.","; $sql.= "'".$this->db->escape($this->ref_ext)."',"; - $sql.= " ".(! empty($this->import_key)?"'".$this->import_key."'":"null"); + $sql.= " ".(! empty($this->import_key)?"'".$this->db->escape($this->import_key)."'":"null"); $sql.= ")"; dol_syslog(get_class($this)."::create", LOG_DEBUG); @@ -319,9 +319,9 @@ class Contact extends CommonObject $sql .= ", jabberid = ".(isset($this->jabberid)?"'".$this->db->escape($this->jabberid)."'":"null"); $sql .= ", priv = '".$this->db->escape($this->priv)."'"; $sql .= ", statut = ".$this->statut; - $sql .= ", fk_user_modif=".($user->id > 0 ? "'".$user->id."'":"NULL"); - $sql .= ", default_lang=".($this->default_lang?"'".$this->default_lang."'":"NULL"); - $sql .= ", no_email=".($this->no_email?"'".$this->no_email."'":"0"); + $sql .= ", fk_user_modif=".($user->id > 0 ? "'".$this->db->escape($user->id)."'":"NULL"); + $sql .= ", default_lang=".($this->default_lang?"'".$this->db->escape($this->default_lang)."'":"NULL"); + $sql .= ", no_email=".($this->no_email?"'".$this->db->escape($this->no_email)."'":"0"); $sql .= " WHERE rowid=".$this->db->escape($id); dol_syslog(get_class($this)."::update", LOG_DEBUG); @@ -492,7 +492,7 @@ class Contact extends CommonObject // Mis a jour contact $sql = "UPDATE ".MAIN_DB_PREFIX."socpeople SET"; $sql.= " birthday=".($this->birthday ? "'".$this->db->idate($this->birthday)."'" : "null"); - $sql.= ", photo = ".($this->photo? "'".$this->photo."'" : "null"); + $sql.= ", photo = ".($this->photo? "'".$this->db->escape($this->photo)."'" : "null"); if ($user) $sql .= ", fk_user_modif=".$user->id; $sql.= " WHERE rowid=".$this->db->escape($id); diff --git a/htdocs/contact/list.php b/htdocs/contact/list.php index 6d89cd07cd4..ebf7bc611f9 100644 --- a/htdocs/contact/list.php +++ b/htdocs/contact/list.php @@ -176,8 +176,8 @@ if (($id > 0 || ! empty($ref)) && $action != 'add') * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } $parameters=array(); $reshook=$hookmanager->executeHooks('doActions',$parameters, $object, $action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/contrat/card.php b/htdocs/contrat/card.php index 26f9d0f6eae..5b109c7b0d7 100644 --- a/htdocs/contrat/card.php +++ b/htdocs/contrat/card.php @@ -636,7 +636,7 @@ if (empty($reshook)) } } - else if ($action == 'updateline' && $user->rights->contrat->creer && ! GETPOST('cancel')) + else if ($action == 'updateline' && $user->rights->contrat->creer && ! GETPOST('cancel','alpha')) { $objectline = new ContratLigne($db); if ($objectline->fetch(GETPOST('elrowid'))) @@ -822,7 +822,7 @@ if (empty($reshook)) } elseif ($action=='setref_supplier') { - $cancelbutton = GETPOST('cancel'); + $cancelbutton = GETPOST('cancel','alpha'); if (!$cancelbutton) { $result = $object->fetch($id); @@ -846,7 +846,7 @@ if (empty($reshook)) } elseif ($action=='setref_customer') { - $cancelbutton = GETPOST('cancel'); + $cancelbutton = GETPOST('cancel','alpha'); if (!$cancelbutton) { @@ -871,7 +871,7 @@ if (empty($reshook)) } elseif ($action=='setref') { - $cancelbutton = GETPOST('cancel'); + $cancelbutton = GETPOST('cancel','alpha'); if (!$cancelbutton) { $result = $object->fetch($id); @@ -895,7 +895,7 @@ if (empty($reshook)) } elseif ($action=='setdate_contrat') { - $cancelbutton = GETPOST('cancel'); + $cancelbutton = GETPOST('cancel','alpha'); if (!$cancelbutton) { $result = $object->fetch($id); diff --git a/htdocs/contrat/class/contrat.class.php b/htdocs/contrat/class/contrat.class.php index cb9466e26f6..6e9fc443e03 100644 --- a/htdocs/contrat/class/contrat.class.php +++ b/htdocs/contrat/class/contrat.class.php @@ -928,7 +928,7 @@ class Contrat extends CommonObject $sql.= ",".($this->commercial_signature_id>0?$this->commercial_signature_id:"NULL"); $sql.= ",".($this->commercial_suivi_id>0?$this->commercial_suivi_id:"NULL"); $sql.= ",".($this->fk_project>0?$this->fk_project:"NULL"); - $sql.= ", ".(dol_strlen($this->ref)<=0 ? "null" : "'".$this->ref."'"); + $sql.= ", ".(dol_strlen($this->ref)<=0 ? "null" : "'".$this->db->escape($this->ref)."'"); $sql.= ", ".$conf->entity; $sql.= ", ".(!empty($this->note_private)?("'".$this->db->escape($this->note_private)."'"):"NULL"); $sql.= ", ".(!empty($this->note_public)?("'".$this->db->escape($this->note_public)."'"):"NULL"); @@ -2872,7 +2872,7 @@ class ContratLigne extends CommonObjectLine // Update request $sql = "UPDATE ".MAIN_DB_PREFIX."contratdet SET"; $sql.= " fk_contrat=".$this->fk_contrat.","; - $sql.= " fk_product=".($this->fk_product?"'".$this->fk_product."'":'null').","; + $sql.= " fk_product=".($this->fk_product?"'".$this->db->escape($this->fk_product)."'":'null').","; $sql.= " statut=".$this->statut.","; $sql.= " label='".$this->db->escape($this->label)."',"; $sql.= " description='".$this->db->escape($this->description)."',"; @@ -3009,16 +3009,16 @@ class ContratLigne extends CommonObjectLine if ($this->date_fin_validite > 0) { $sql.= ",date_fin_validite"; } $sql.= ") VALUES ($this->fk_contrat, '', '" . $this->db->escape($this->description) . "',"; $sql.= ($this->fk_product>0 ? $this->fk_product : "null").","; - $sql.= " '".$this->qty."',"; - $sql.= " '".$this->vat_src_code."',"; - $sql.= " '".$this->tva_tx."',"; - $sql.= " '".$this->localtax1_tx."',"; - $sql.= " '".$this->localtax2_tx."',"; - $sql.= " '".$this->localtax1_type."',"; - $sql.= " '".$this->localtax2_type."',"; + $sql.= " '".$this->db->escape($this->qty)."',"; + $sql.= " '".$this->db->escape($this->vat_src_code)."',"; + $sql.= " '".$this->db->escape($this->tva_tx)."',"; + $sql.= " '".$this->db->escape($this->localtax1_tx)."',"; + $sql.= " '".$this->db->escape($this->localtax2_tx)."',"; + $sql.= " '".$this->db->escape($this->localtax1_type)."',"; + $sql.= " '".$this->db->escape($this->localtax2_type)."',"; $sql.= " ".price2num($this->remise_percent).",".price2num($this->subprice).","; $sql.= " ".price2num($this->total_ht).",".price2num($this->total_tva).",".price2num($this->total_localtax1).",".price2num($this->total_localtax2).",".price2num($this->total_ttc).","; - $sql.= " '".$this->info_bits."',"; + $sql.= " '".$this->db->escape($this->info_bits)."',"; $sql.= " ".price2num($this->price_ht).",".price2num($this->remise).","; if ($this->fk_fournprice > 0) $sql.= ' '.$this->fk_fournprice.','; else $sql.= ' null,'; diff --git a/htdocs/contrat/list.php b/htdocs/contrat/list.php index 17246751600..beba40103af 100644 --- a/htdocs/contrat/list.php +++ b/htdocs/contrat/list.php @@ -136,8 +136,8 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab * Action */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } $parameters=array('socid'=>$socid); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/contrat/services.php b/htdocs/contrat/services.php index aaf0d0cd796..e5a5c21c00b 100644 --- a/htdocs/contrat/services.php +++ b/htdocs/contrat/services.php @@ -140,8 +140,8 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend' && $massaction != 'confirm_createbills') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend' && $massaction != 'confirm_createbills') { $massaction=''; } $parameters=array('socid'=>$socid); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks @@ -237,6 +237,20 @@ if (! empty($filter_opouvertureprevue) && $filter_opouvertureprevue != -1 && $fi if (! empty($filter_op1) && $filter_op1 != -1 && $filter_date1 != '') $sql.= " AND cd.date_ouverture ".$filter_op1." '".$db->idate($filter_date1)."'"; if (! empty($filter_op2) && $filter_op2 != -1 && $filter_date2 != '') $sql.= " AND cd.date_fin_validite ".$filter_op2." '".$db->idate($filter_date2)."'"; if (! empty($filter_opcloture) && $filter_opcloture != -1 && $filter_datecloture != '') $sql.= " AND cd.date_cloture ".$filter_opcloture." '".$db->idate($filter_datecloture)."'"; +// Add where from extra fields +foreach ($search_array_options as $key => $val) +{ + $crit=$val; + $tmpkey=preg_replace('/search_options_/','',$key); + $typ=$extrafields->attribute_type[$tmpkey]; + $mode_search=0; + if (in_array($typ, array('int','double','real'))) $mode_search=1; // Search on a numeric + if (in_array($typ, array('sellist')) && $crit != '0' && $crit != '-1') $mode_search=2; // Search on a foreign key int + if ($crit != '' && (! in_array($typ, array('select','sellist')) || $crit != '0')) + { + $sql .= natural_search('ef.'.$tmpkey, $crit, $mode_search); + } +} $sql .= $db->order($sortfield,$sortorder); $nbtotalofrecords = ''; @@ -464,7 +478,7 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab $align=$extrafields->getAlignFlag($key); $typeofextrafield=$extrafields->attribute_type[$key]; print ''; - if (in_array($typeofextrafield, array('varchar', 'int', 'double', 'select'))) + if (in_array($typeofextrafield, array('varchar', 'int', 'double', 'select')) && empty($extrafields->attribute_computed[$key])) { $crit=$val; $tmpkey=preg_replace('/search_options_/','',$key); @@ -473,6 +487,11 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab if (in_array($typeofextrafield, array('int', 'double'))) $searchclass='searchnum'; print ''; } + else + { + // for the type as 'checkbox', 'chkbxlst', 'sellist' we should use code instead of id (example: I declare a 'chkbxlst' to have a link with dictionnairy, I have to extend it with the 'code' instead 'rowid') + echo $extrafields->showInputField($key, $search_array_options['search_options_'.$key], '', '', 'search_'); + } print ''; } } diff --git a/htdocs/core/actions_setnotes.inc.php b/htdocs/core/actions_setnotes.inc.php index 3fa76891124..39f63683575 100644 --- a/htdocs/core/actions_setnotes.inc.php +++ b/htdocs/core/actions_setnotes.inc.php @@ -28,7 +28,7 @@ // $id must be defined (object is loaded in this file with fetch) // Set public note -if ($action == 'setnote_public' && ! empty($permissionnote) && ! GETPOST('cancel')) +if ($action == 'setnote_public' && ! empty($permissionnote) && ! GETPOST('cancel','alpha')) { if (empty($action) || ! is_object($object) || empty($id)) dol_print_error('','Include of actions_setnotes.inc.php was done but required variable was not set before'); if (empty($object->id)) $object->fetch($id); // Fetch may not be already done @@ -36,7 +36,7 @@ if ($action == 'setnote_public' && ! empty($permissionnote) && ! GETPOST('cancel if ($result < 0) setEventMessages($object->error, $object->errors, 'errors'); } // Set public note -else if ($action == 'setnote_private' && ! empty($permissionnote) && ! GETPOST('cancel')) +else if ($action == 'setnote_private' && ! empty($permissionnote) && ! GETPOST('cancel','alpha')) { if (empty($action) || ! is_object($object) || empty($id)) dol_print_error('','Include of actions_setnotes.inc.php was done but required variable was not set before'); if (empty($object->id)) $object->fetch($id); // Fetch may not be already done diff --git a/htdocs/core/class/ccountry.class.php b/htdocs/core/class/ccountry.class.php index d0e6dfe190a..7964510c91c 100644 --- a/htdocs/core/class/ccountry.class.php +++ b/htdocs/core/class/ccountry.class.php @@ -88,11 +88,11 @@ class Ccountry // extends CommonObject $sql.= "label,"; $sql.= "active"; $sql.= ") VALUES ("; - $sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->rowid."'").","; + $sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->db->escape($this->rowid)."'").","; $sql.= " ".(! isset($this->code)?'NULL':"'".$this->db->escape($this->code)."'").","; $sql.= " ".(! isset($this->code_iso)?'NULL':"'".$this->db->escape($this->code_iso)."'").","; $sql.= " ".(! isset($this->label)?'NULL':"'".$this->db->escape($this->label)."'").","; - $sql.= " ".(! isset($this->active)?'NULL':"'".$this->active."'").""; + $sql.= " ".(! isset($this->active)?'NULL':"'".$this->db->escape($this->active)."'").""; $sql.= ")"; $this->db->begin(); diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php index 1dc910d373f..54a907a3c0f 100644 --- a/htdocs/core/class/commonobject.class.php +++ b/htdocs/core/class/commonobject.class.php @@ -580,8 +580,8 @@ abstract class CommonObject $sql = "SELECT tc.rowid"; $sql.= " FROM ".MAIN_DB_PREFIX."c_type_contact as tc"; $sql.= " WHERE tc.element='".$this->db->escape($this->element)."'"; - $sql.= " AND tc.source='".$source."'"; - $sql.= " AND tc.code='".$type_contact."' AND tc.active=1"; + $sql.= " AND tc.source='".$this->db->escape($source)."'"; + $sql.= " AND tc.code='".$this->db->escape($type_contact)."' AND tc.active=1"; //print $sql; $resql=$this->db->query($sql); if ($resql) @@ -2475,9 +2475,9 @@ abstract class CommonObject $sql.= ", targettype"; $sql.= ") VALUES ("; $sql.= $origin_id; - $sql.= ", '".$origin."'"; + $sql.= ", '".$this->db->escape($origin)."'"; $sql.= ", ".$this->id; - $sql.= ", '".$this->element."'"; + $sql.= ", '".$this->db->escape($this->element)."'"; $sql.= ")"; dol_syslog(get_class($this)."::add_object_linked", LOG_DEBUG); @@ -3812,11 +3812,11 @@ abstract class CommonObject $sql.= ", mandatory"; $sql.= ") VALUES ("; $sql.= $resource_id; - $sql.= ", '".$resource_type."'"; - $sql.= ", '".$this->id."'"; - $sql.= ", '".$this->element."'"; - $sql.= ", '".$busy."'"; - $sql.= ", '".$mandatory."'"; + $sql.= ", '".$this->db->escape($resource_type)."'"; + $sql.= ", '".$this->db->escape($this->id)."'"; + $sql.= ", '".$this->db->escape($this->element)."'"; + $sql.= ", '".$this->db->escape($busy)."'"; + $sql.= ", '".$this->db->escape($mandatory)."'"; $sql.= ")"; dol_syslog(get_class($this)."::add_element_resource", LOG_DEBUG); diff --git a/htdocs/core/class/cstate.class.php b/htdocs/core/class/cstate.class.php index a2a84d3b9ed..ae2adde87d4 100644 --- a/htdocs/core/class/cstate.class.php +++ b/htdocs/core/class/cstate.class.php @@ -85,10 +85,10 @@ class Cstate // extends CommonObject $sql.= "nom,"; $sql.= "active"; $sql.= ") VALUES ("; - $sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->rowid."'").","; + $sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->db->escape($this->rowid)."'").","; $sql.= " ".(! isset($this->code_departement)?'NULL':"'".$this->db->escape($this->code_departement)."'").","; $sql.= " ".(! isset($this->nom)?'NULL':"'".$this->db->escape($this->nom)."'").","; - $sql.= " ".(! isset($this->active)?'NULL':"'".$this->active."'").""; + $sql.= " ".(! isset($this->active)?'NULL':"'".$this->db->escape($this->active)."'").""; $sql.= ")"; $this->db->begin(); diff --git a/htdocs/core/class/ctypent.class.php b/htdocs/core/class/ctypent.class.php index c7894c7c848..b3bb750bd80 100644 --- a/htdocs/core/class/ctypent.class.php +++ b/htdocs/core/class/ctypent.class.php @@ -91,10 +91,10 @@ class Ctypent // extends CommonObject $sql.= ") VALUES ("; - $sql.= " ".(! isset($this->id)?'NULL':"'".$this->id."'").","; + $sql.= " ".(! isset($this->id)?'NULL':"'".$this->db->escape($this->id)."'").","; $sql.= " ".(! isset($this->code)?'NULL':"'".$this->db->escape($this->code)."'").","; $sql.= " ".(! isset($this->libelle)?'NULL':"'".$this->db->escape($this->libelle)."'").","; - $sql.= " ".(! isset($this->active)?'NULL':"'".$this->active."'").","; + $sql.= " ".(! isset($this->active)?'NULL':"'".$this->db->active($this->active)."'").","; $sql.= " ".(! isset($this->module)?'NULL':"'".$this->db->escape($this->module)."'").""; diff --git a/htdocs/core/class/discount.class.php b/htdocs/core/class/discount.class.php index 443534eb1b3..16cb219f718 100644 --- a/htdocs/core/class/discount.class.php +++ b/htdocs/core/class/discount.class.php @@ -158,7 +158,7 @@ class DiscountAbsolute $sql.= ")"; $sql.= " VALUES (".$conf->entity.", '".$this->db->idate($this->datec!=''?$this->datec:dol_now())."', ".$this->fk_soc.", ".$user->id.", '".$this->db->escape($this->description)."',"; $sql.= " ".$this->amount_ht.", ".$this->amount_tva.", ".$this->amount_ttc.", ".$this->tva_tx.","; - $sql.= " ".($this->fk_facture_source?"'".$this->fk_facture_source."'":"null"); + $sql.= " ".($this->fk_facture_source ? "'".$this->db->escape($this->fk_facture_source)."'":"null"); $sql.= ")"; dol_syslog(get_class($this)."::create", LOG_DEBUG); diff --git a/htdocs/core/class/doleditor.class.php b/htdocs/core/class/doleditor.class.php index 918956d7b32..723ae0d47b1 100644 --- a/htdocs/core/class/doleditor.class.php +++ b/htdocs/core/class/doleditor.class.php @@ -170,7 +170,8 @@ class DolEditor if (in_array($this->tool,array('textarea','ckeditor'))) { $found=1; - //$out.= ''; diff --git a/htdocs/core/class/events.class.php b/htdocs/core/class/events.class.php index 68f033870c2..5a88956e5bc 100644 --- a/htdocs/core/class/events.class.php +++ b/htdocs/core/class/events.class.php @@ -126,12 +126,12 @@ class Events // extends CommonObject $sql.= "fk_user,"; $sql.= "description"; $sql.= ") VALUES ("; - $sql.= " '".$this->type."',"; + $sql.= " '".$this->db->escape($this->type)."',"; $sql.= " ".$conf->entity.","; - $sql.= " '".$_SERVER['REMOTE_ADDR']."',"; - $sql.= " ".($_SERVER['HTTP_USER_AGENT']?"'".dol_trunc($_SERVER['HTTP_USER_AGENT'],250)."'":'NULL').","; + $sql.= " '".$this->db->escape($_SERVER['REMOTE_ADDR'])."',"; + $sql.= " ".($_SERVER['HTTP_USER_AGENT']?"'".$this->db->escape(dol_trunc($_SERVER['HTTP_USER_AGENT'],250))."'":'NULL').","; $sql.= " '".$this->db->idate($this->dateevent)."',"; - $sql.= " ".($user->id?"'".$user->id."'":'NULL').","; + $sql.= " ".($user->id?"'".$this->db->escape($user->id)."'":'NULL').","; $sql.= " '".$this->db->escape(dol_trunc($this->description,250))."'"; $sql.= ")"; diff --git a/htdocs/core/class/fiscalyear.class.php b/htdocs/core/class/fiscalyear.class.php index a273443ef7c..38804442033 100644 --- a/htdocs/core/class/fiscalyear.class.php +++ b/htdocs/core/class/fiscalyear.class.php @@ -86,7 +86,7 @@ class Fiscalyear extends CommonObject $sql.= ", datec"; $sql.= ", fk_user_author"; $sql.= ") VALUES ("; - $sql.= " '".$this->label."'"; + $sql.= " '".$this->db->escape($this->label)."'"; $sql.= ", '".$this->db->idate($this->date_start)."'"; $sql.= ", ".($this->date_end ? "'".$this->db->idate($this->date_end)."'":"null"); $sql.= ", 0"; diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index fd0a3f7dab1..6089c9a11ff 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -1919,7 +1919,7 @@ class Form $sql.= ' WHERE p.entity IN ('.getEntity('product').')'; if (count($warehouseStatusArray)) { - $sql.= ' AND (p.fk_product_type = 1 OR e.statut IN ('.$db->escape(implode(',',$warehouseStatusArray)).'))'; + $sql.= ' AND (p.fk_product_type = 1 OR e.statut IN ('.$this->db->escape(implode(',',$warehouseStatusArray)).'))'; } if (!empty($conf->global->PRODUIT_ATTRIBUTES_HIDECHILD)) { @@ -4299,7 +4299,7 @@ class Form */ function select_currency($selected='',$htmlname='currency_id') { - print $this->selectcurrency($selected,$htmlname); + print $this->selectCurrency($selected,$htmlname); } /** @@ -4309,35 +4309,40 @@ class Form * @param string $htmlname name of HTML select list * @return string */ - function selectCurrency($selected='',$htmlname='currency_id') - { - global $conf,$langs,$user; + function selectCurrency($selected='',$htmlname='currency_id') + { + global $conf,$langs,$user; - $langs->loadCacheCurrencies(''); + $langs->loadCacheCurrencies(''); - $out=''; + $out=''; - if ($selected=='euro' || $selected=='euros') $selected='EUR'; // Pour compatibilite + if ($selected=='euro' || $selected=='euros') $selected='EUR'; // Pour compatibilite - $out.= ''; - if ($user->admin) $out.= info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionarySetup"),1); - return $out; - } + $out.= ''; + if ($user->admin) $out.= info_admin($langs->trans("YouCanChangeValuesForThisListFromDictionarySetup"),1); + + // Make select dynamic + include_once DOL_DOCUMENT_ROOT . '/core/lib/ajax.lib.php'; + $out .= ajax_combobox($htmlname); + + return $out; + } /** * Return array of currencies in user language diff --git a/htdocs/core/class/html.formmail.class.php b/htdocs/core/class/html.formmail.class.php index 26ad86fc845..932cc211d12 100644 --- a/htdocs/core/class/html.formmail.class.php +++ b/htdocs/core/class/html.formmail.class.php @@ -1131,6 +1131,35 @@ class FormMail extends Form '__UNSUBSCRIBE__' => 'TagUnsubscribe' //,'__PERSONALIZED__' => 'Personalized' // Hidden because not used yet in mass emailing ); + + $onlinepaymentenabled = 0; + if (! empty($conf->paypal->enabled)) $onlinepaymentenabled++; + if (! empty($conf->paybox->enabled)) $onlinepaymentenabled++; + if (! empty($conf->stripe->enabled)) $onlinepaymentenabled++; + if ($onlinepaymentenabled && ! empty($conf->global->PAYMENT_SECURITY_TOKEN)) + { + $vars['__SECUREKEYPAYMENT__']=$conf->global->PAYMENT_SECURITY_TOKEN; + if (! empty($conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE)) + { + if ($conf->adherent->enabled) $vars['__SECUREKEYPAYMENT_MEMBER__']='SecureKeyPAYMENTUniquePerMember'; + if ($conf->facture->enabled) $vars['__SECUREKEYPAYMENT_INVOICE__']='SecureKeyPAYMENTUniquePerInvoice'; + if ($conf->commande->enabled) $vars['__SECUREKEYPAYMENT_ORDER__']='SecureKeyPAYMENTUniquePerOrder'; + if ($conf->contrat->enabled) $vars['__SECUREKEYPAYMENT_CONTRACTLINE__']='SecureKeyPAYMENTUniquePerContractLine'; + } + } + else + { + /* No need to show into tooltip help, option is not enabled + $vars['__SECUREKEYPAYMENT__']=''; + $vars['__SECUREKEYPAYMENT_MEMBER__']=''; + $vars['__SECUREKEYPAYMENT_INVOICE__']=''; + $vars['__SECUREKEYPAYMENT_ORDER__']=''; + $vars['__SECUREKEYPAYMENT_CONTRACTLINE__']=''; + */ + } + + // Old vars removed from doc + /* if (! empty($conf->paypal->enabled) && ! empty($conf->global->PAYPAL_SECURITY_TOKEN)) { $vars['__SECUREKEYPAYPAL__']='SecureKeyPaypal'; @@ -1146,7 +1175,7 @@ class FormMail extends Form { $vars['__SECUREKEYPAYPAL__']=''; $vars['__SECUREKEYPAYPAL_MEMBER__']=''; - } + }*/ } $parameters=array('mode'=>$mode); diff --git a/htdocs/core/class/html.formother.class.php b/htdocs/core/class/html.formother.class.php index 1908d04c312..049ec0c5d75 100644 --- a/htdocs/core/class/html.formother.class.php +++ b/htdocs/core/class/html.formother.class.php @@ -601,29 +601,9 @@ class FormOther static function showColor($color, $textifnotdefined='') { $textcolor='FFF'; - if ($color) - { - $tmp=explode(',', $color); - if (count($tmp) > 1) // This is a comma RGB ('255','255','255') - { - $r = $tmp[0]; - $g = $tmp[1]; - $b = $tmp[2]; - } - else - { - $hexr=$color[0].$color[1]; - $hexg=$color[2].$color[3]; - $hexb=$color[4].$color[5]; - $r = hexdec($hexr); - $g = hexdec($hexg); - $b = hexdec($hexb); - } - $bright = (max($r, $g, $b) + min($r, $g, $b)) / 510.0; // HSL algorithm - if ($bright > 0.6) $textcolor='000'; - } - include_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php'; + if(colorIsLight($color)) $textcolor='000'; + $color = colorArrayToHex(colorStringToArray($color,array()),''); if ($color) print ''; diff --git a/htdocs/core/class/link.class.php b/htdocs/core/class/link.class.php index f604e85e11d..0441c04a86e 100644 --- a/htdocs/core/class/link.class.php +++ b/htdocs/core/class/link.class.php @@ -89,7 +89,7 @@ class Link extends CommonObject $sql .= " VALUES ('".$conf->entity."', '".$this->db->idate($this->datea)."'"; $sql .= ", '" . $this->db->escape($this->url) . "'"; $sql .= ", '" . $this->db->escape($this->label) . "'"; - $sql .= ", '" . $this->objecttype . "'"; + $sql .= ", '" . $this->db->escape($this->objecttype) . "'"; $sql .= ", " . $this->objectid . ")"; dol_syslog(get_class($this)."::create", LOG_DEBUG); @@ -100,7 +100,7 @@ class Link extends CommonObject if ($this->id > 0) { // Call trigger $result=$this->call_trigger('LINK_CREATE',$user); - if ($result < 0) $error++; + if ($result < 0) $error++; // End call triggers } else { $error++; @@ -283,20 +283,20 @@ class Link extends CommonObject public static function count($db, $objecttype, $objectid) { global $conf; - + $sql = "SELECT COUNT(rowid) as nb FROM " . MAIN_DB_PREFIX . "links"; $sql .= " WHERE objecttype = '" . $objecttype . "' AND objectid = " . $objectid; if ($conf->entity != 0) $sql .= " AND entity = " . $conf->entity; - + $resql = $db->query($sql); if ($resql) { $obj = $db->fetch_object($resql); if ($obj) return $obj->nb; - } + } return -1; } - + /** * Loads a link from database * @@ -354,8 +354,8 @@ class Link extends CommonObject // Call trigger $result=$this->call_trigger('LINK_DELETE',$user); - if ($result < 0) return -1; - // End call triggers + if ($result < 0) return -1; + // End call triggers $this->db->begin(); diff --git a/htdocs/core/class/menubase.class.php b/htdocs/core/class/menubase.class.php index 431c5d19eeb..f011119e08e 100644 --- a/htdocs/core/class/menubase.class.php +++ b/htdocs/core/class/menubase.class.php @@ -144,15 +144,15 @@ class Menubase $sql.= "enabled,"; $sql.= "usertype"; $sql.= ") VALUES ("; - $sql.= " '".$this->menu_handler."',"; - $sql.= " '".$conf->entity."',"; - $sql.= " '".$this->module."',"; - $sql.= " '".$this->type."',"; - $sql.= " ".($this->mainmenu?"'".$this->mainmenu."'":"''").","; // Can't be null - $sql.= " ".($this->leftmenu?"'".$this->leftmenu."'":"null").","; - $sql.= " '".$this->fk_menu."',"; - $sql.= " ".($this->fk_mainmenu?"'".$this->fk_mainmenu."'":"null").","; - $sql.= " ".($this->fk_leftmenu?"'".$this->fk_leftmenu."'":"null").","; + $sql.= " '".$this->db->escape($this->menu_handler)."',"; + $sql.= " '".$this->db->escape($conf->entity)."',"; + $sql.= " '".$this->db->escape($this->module)."',"; + $sql.= " '".$this->db->escape($this->type)."',"; + $sql.= " ".($this->mainmenu?"'".$this->db->escape($this->mainmenu)."'":"''").","; // Can't be null + $sql.= " ".($this->leftmenu?"'".$this->db->escape($this->leftmenu)."'":"null").","; + $sql.= " '".$this->db->escape($this->fk_menu)."',"; + $sql.= " ".($this->fk_mainmenu?"'".$this->db->escape($this->fk_mainmenu)."'":"null").","; + $sql.= " ".($this->fk_leftmenu?"'".$this->db->escape($this->fk_leftmenu)."'":"null").","; $sql.= " '".(int) $this->position."',"; $sql.= " '".$this->db->escape($this->url)."',"; $sql.= " '".$this->db->escape($this->target)."',"; @@ -160,7 +160,7 @@ class Menubase $sql.= " '".$this->db->escape($this->langs)."',"; $sql.= " '".$this->db->escape($this->perms)."',"; $sql.= " '".$this->db->escape($this->enabled)."',"; - $sql.= " '".$this->user."'"; + $sql.= " '".$this->db->escape($this->user)."'"; $sql.= ")"; dol_syslog(get_class($this)."::create", LOG_DEBUG); @@ -220,8 +220,8 @@ class Menubase $sql.= " mainmenu='".$this->db->escape($this->mainmenu)."',"; $sql.= " leftmenu='".$this->db->escape($this->leftmenu)."',"; $sql.= " fk_menu='".$this->db->escape($this->fk_menu)."',"; - $sql.= " fk_mainmenu=".($this->fk_mainmenu?"'".$this->fk_mainmenu."'":"null").","; - $sql.= " fk_leftmenu=".($this->fk_leftmenu?"'".$this->fk_leftmenu."'":"null").","; + $sql.= " fk_mainmenu=".($this->fk_mainmenu?"'".$this->db->escape($this->fk_mainmenu)."'":"null").","; + $sql.= " fk_leftmenu=".($this->fk_leftmenu?"'".$this->db->escape($this->fk_leftmenu)."'":"null").","; $sql.= " position=".($this->position > 0 ? $this->position : 0).","; $sql.= " url='".$this->db->escape($this->url)."',"; $sql.= " target='".$this->db->escape($this->target)."',"; diff --git a/htdocs/core/lib/agenda.lib.php b/htdocs/core/lib/agenda.lib.php index 0a4ad9ffcc9..d50e9f572ad 100644 --- a/htdocs/core/lib/agenda.lib.php +++ b/htdocs/core/lib/agenda.lib.php @@ -221,8 +221,8 @@ function show_array_actions_to_do($max=5) $sql = "SELECT a.id, a.label, a.datep as dp, a.datep2 as dp2, a.fk_user_author, a.percent,"; $sql.= " c.code, c.libelle as type_label,"; $sql.= " s.nom as sname, s.rowid, s.client"; - $sql.= " FROM ".MAIN_DB_PREFIX."c_actioncomm as c LEFT JOIN "; - $sql.= " ".MAIN_DB_PREFIX."actioncomm as a ON c.id = a.fk_action"; + $sql.= " FROM ".MAIN_DB_PREFIX."actioncomm as a LEFT JOIN "; + $sql.= " ".MAIN_DB_PREFIX."c_actioncomm as c ON c.id = a.fk_action"; $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON a.fk_soc = s.rowid"; if (!$user->rights->societe->client->voir && !$socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; $sql.= " WHERE a.entity = ".$conf->entity; @@ -318,8 +318,8 @@ function show_array_last_actions_done($max=5) $sql = "SELECT a.id, a.percent, a.datep as da, a.datep2 as da2, a.fk_user_author, a.label,"; $sql.= " c.code, c.libelle,"; $sql.= " s.rowid, s.nom as sname, s.client"; - $sql.= " FROM ".MAIN_DB_PREFIX."c_actioncomm as c LEFT JOIN "; - $sql.= " ".MAIN_DB_PREFIX."actioncomm as a ON c.id = a.fk_action "; + $sql.= " FROM ".MAIN_DB_PREFIX."actioncomm as a LEFT JOIN "; + $sql.= " ".MAIN_DB_PREFIX."c_actioncomm as c ON c.id = a.fk_action "; $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON a.fk_soc = s.rowid"; if (!$user->rights->societe->client->voir && !$socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; $sql.= " WHERE a.entity = ".$conf->entity; diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php index fbb4e9523c8..a50c62e9c0e 100644 --- a/htdocs/core/lib/functions.lib.php +++ b/htdocs/core/lib/functions.lib.php @@ -262,14 +262,18 @@ function dol_shutdown() * @param int $filter Filter to apply when $check is set to 'custom'. (See http://php.net/manual/en/filter.filters.php for détails) * @param mixed $options Options to pass to filter_var when $check is set to 'custom'. * @return string|string[] Value found (string or array), or '' if check fails - * - * @TODO Set default value for check to alpha. Check all WYSIWYG edition (email and description...) is still ok with rich text. */ -function GETPOST($paramname, $check='', $method=0, $filter=NULL, $options=NULL) +function GETPOST($paramname, $check='alpha', $method=0, $filter=NULL, $options=NULL) { global $mysoc,$user,$conf; if (empty($paramname)) return 'BadFirstParameterForGETPOST'; + if (empty($check)) + { + dol_syslog("Deprecated use of GETPOST, called with 1st param = ".$paramname." and 2nd param is '', when calling page ".$_SERVER["PHP_SELF"], LOG_WARNING); + // Enable this line to know who call the GETPOST with '' $check parameter. + //var_dump(debug_backtrace()[0]); + } if (empty($method)) $out = isset($_GET[$paramname])?$_GET[$paramname]:(isset($_POST[$paramname])?$_POST[$paramname]:''); elseif ($method==1) $out = isset($_GET[$paramname])?$_GET[$paramname]:''; @@ -423,15 +427,6 @@ function GETPOST($paramname, $check='', $method=0, $filter=NULL, $options=NULL) } - if (empty($check) && ! empty($conf->global->MAIN_FEATURES_LEVEL) && $conf->global->MAIN_FEATURES_LEVEL >= 2) - { - dol_syslog("Deprecated use of GETPOST, called with 1st param = ".$paramname." and 2nd param not defined, when calling page ".$_SERVER["PHP_SELF"], LOG_WARNING); - // Enable this line to know who call the GETPOST with empty $check parameter. - //var_dump(debug_backtrace()[0]); - } - - if (! empty($check)) - { // Substitution variables for GETPOST (used to get final url with variable parameters or final default value with variable paramaters) // Example of variables: __DAY__, __MONTH__, __YEAR__, __MYCOUNTRYID__, __USERID__, __ENTITYID__, ... // We do this only if var is a GET. If it is a POST, may be we want to post the text with vars as the setup text. @@ -521,7 +516,6 @@ function GETPOST($paramname, $check='', $method=0, $filter=NULL, $options=NULL) $out=filter_var($out, $filter, $options); break; } - } // Code for search criteria persistence. // Save data into session if key start with 'search_' or is 'smonth', 'syear', 'month', 'year' @@ -6343,29 +6337,39 @@ function natural_search($fields, $value, $mode=0, $nofirstand=0) $i3 = 0; foreach($tmpcrits as $tmpcrit) { - $newres .= (($i2 > 0 || $i3 > 0) ? ' OR ' : '') . $field . " LIKE '"; + $newres .= (($i2 > 0 || $i3 > 0) ? ' OR ' : ''); + + if (preg_match('/\.(id|rowid)$/', $field)) // Special cas for rowid that is sometimes a ref so used as a search field + { + $newres .= $field . " = " . (is_numeric(trim($tmpcrit))?trim($tmpcrit):'0'); + } + else + { + $newres .= $field . " LIKE '"; + + $tmpcrit=trim($tmpcrit); + $tmpcrit2=$tmpcrit; + $tmpbefore='%'; $tmpafter='%'; + if (preg_match('/^[\^\$]/', $tmpcrit)) + { + $tmpbefore=''; + $tmpcrit2 = preg_replace('/^[\^\$]/', '', $tmpcrit2); + } + if (preg_match('/[\^\$]$/', $tmpcrit)) + { + $tmpafter=''; + $tmpcrit2 = preg_replace('/[\^\$]$/', '', $tmpcrit2); + } + $newres .= $tmpbefore; + $newres .= $db->escape($tmpcrit2); + $newres .= $tmpafter; + $newres .= "'"; + if ($tmpcrit2 == '') + { + $newres .= ' OR ' . $field . " IS NULL"; + } + } - $tmpcrit=trim($tmpcrit); - $tmpcrit2=$tmpcrit; - $tmpbefore='%'; $tmpafter='%'; - if (preg_match('/^[\^\$]/', $tmpcrit)) - { - $tmpbefore=''; - $tmpcrit2 = preg_replace('/^[\^\$]/', '', $tmpcrit2); - } - if (preg_match('/[\^\$]$/', $tmpcrit)) - { - $tmpafter=''; - $tmpcrit2 = preg_replace('/[\^\$]$/', '', $tmpcrit2); - } - $newres .= $tmpbefore; - $newres .= $db->escape($tmpcrit2); - $newres .= $tmpafter; - $newres .= "'"; - if ($tmpcrit2 == '') - { - $newres .= ' OR ' . $field . " IS NULL"; - } $i3++; } $i2++; // a criteria was added to string diff --git a/htdocs/core/lib/functions2.lib.php b/htdocs/core/lib/functions2.lib.php index 483e3e5b46e..3d4b7352dc3 100644 --- a/htdocs/core/lib/functions2.lib.php +++ b/htdocs/core/lib/functions2.lib.php @@ -2150,6 +2150,40 @@ function colorStringToArray($stringcolor,$colorifnotfound=array(88,88,88)) return array(hexdec($reg[1]),hexdec($reg[2]),hexdec($reg[3])); } +/** + * Return true if the color is light + * + * @param string $stringcolor String with hex (FFFFFF) or comma RGB ('255,255,255') + * @return int -1 : Error with argument passed |0 : color is dark | 1 : color is light + */ +function colorIsLight($stringcolor) +{ + $res = -1; + if (!empty($stringcolor)) + { + $res = 0; + $tmp=explode(',', $stringcolor); + if (count($tmp) > 1) // This is a comma RGB ('255','255','255') + { + $r = $tmp[0]; + $g = $tmp[1]; + $b = $tmp[2]; + } + else + { + $hexr=$stringcolor[0].$stringcolor[1]; + $hexg=$stringcolor[2].$stringcolor[3]; + $hexb=$stringcolor[4].$stringcolor[5]; + $r = hexdec($hexr); + $g = hexdec($hexg); + $b = hexdec($hexb); + } + $bright = (max($r, $g, $b) + min($r, $g, $b)) / 510.0; // HSL algorithm + if ($bright > 0.6) $res = 1; + } + return $res; +} + /** * Applies the Cartesian product algorithm to an array * Source: http://stackoverflow.com/a/15973172 diff --git a/htdocs/core/lib/ldap.lib.php b/htdocs/core/lib/ldap.lib.php index d4ef7a2ed7a..f684af594e5 100644 --- a/htdocs/core/lib/ldap.lib.php +++ b/htdocs/core/lib/ldap.lib.php @@ -1,5 +1,6 @@ +/* Copyright (C) 2006 Laurent Destailleur + * Copyright (C) 2006-2017 Regis Houssin * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -30,6 +31,7 @@ function ldap_prepare_head() { global $langs, $conf, $user; + $langs->load("ldap"); // Onglets @@ -73,6 +75,12 @@ function ldap_prepare_head() $h++; } + // Show more tabs from modules + // Entries must be declared in modules descriptor with line + // $this->tabs = array('entity:+tabname:Title:@mymodule:/mymodule/mypage.php?id=__ID__'); to add new tab + // $this->tabs = array('entity:-tabname); to remove a tab + complete_head_from_modules($conf,$langs,'',$head,$h,'ldap'); + return $head; } @@ -147,7 +155,7 @@ function show_ldap_content($result,$level,$count,$var,$hide=0,$subcount=0) $hide=0; if (! is_numeric($key)) { - + print ''; print ''; print $key; diff --git a/htdocs/core/lib/security2.lib.php b/htdocs/core/lib/security2.lib.php index d0def9d5627..3876dc0e2cd 100644 --- a/htdocs/core/lib/security2.lib.php +++ b/htdocs/core/lib/security2.lib.php @@ -189,7 +189,7 @@ function dol_loginfunction($langs,$conf,$mysoc) if (GETPOST('urlfrom','alpha')) $_SESSION["urlfrom"]=GETPOST('urlfrom','alpha'); else unset($_SESSION["urlfrom"]); - if (! GETPOST("username")) $focus_element='username'; + if (! GETPOST("username",'alpha')) $focus_element='username'; else $focus_element='password'; $demologin=''; diff --git a/htdocs/core/menus/init_menu_auguria.sql b/htdocs/core/menus/init_menu_auguria.sql index e51e6469fe6..47ec0741127 100644 --- a/htdocs/core/menus/init_menu_auguria.sql +++ b/htdocs/core/menus/init_menu_auguria.sql @@ -222,10 +222,13 @@ insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, left insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->accounting->enabled && $leftmenu=="accountancy_admin"', __HANDLER__, 'left', 2456__+MAX_llx_menu__, 'accountancy', 'accountancy_admin_chart', 2451__+MAX_llx_menu__, '/accountancy/admin/account.php?mainmenu=accountancy&leftmenu=accountancy_admin', 'Chartofaccounts', 2, 'accountancy', '$user->rights->accounting->chartofaccount', '', 0, 30, __ENTITY__); insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->accounting->enabled && $leftmenu=="accountancy_admin"', __HANDLER__, 'left', 2457__+MAX_llx_menu__, 'accountancy', 'accountancy_admin_chart_group', 2451__+MAX_llx_menu__, '/accountancy/admin/categories_list.php?id=32&mainmenu=accountancy&leftmenu=accountancy_admin', 'AccountingCategory', 2, 'accountancy', '$user->rights->accounting->chartofaccount', '', 0, 40, __ENTITY__); insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->accounting->enabled && $leftmenu=="accountancy_admin"', __HANDLER__, 'left', 2458__+MAX_llx_menu__, 'accountancy', 'accountancy_admin_default', 2451__+MAX_llx_menu__, '/accountancy/admin/defaultaccounts.php?mainmenu=accountancy&leftmenu=accountancy_admin', 'MenuDefaultAccounts', 2, 'accountancy', '$user->rights->accounting->chartofaccount', '', 0, 50, __ENTITY__); - insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->accounting->enabled && $leftmenu=="accountancy_admin"', __HANDLER__, 'left', 2459__+MAX_llx_menu__, 'accountancy', 'accountancy_admin_vat', 2451__+MAX_llx_menu__, '/admin/dict.php?id=10&from=accountancy&search_country_id=__MYCOUNTRYID__&mainmenu=accountancy&leftmenu=accountancy_admin', 'MenuVatAccounts', 2, 'accountancy', '$user->rights->accounting->chartofaccount', '', 0, 60, __ENTITY__); - insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->accounting->enabled && $leftmenu=="accountancy_admin"', __HANDLER__, 'left', 2460__+MAX_llx_menu__, 'accountancy', 'accountancy_admin_tax', 2451__+MAX_llx_menu__, '/admin/dict.php?id=7&from=accountancy&search_country_id=__MYCOUNTRYID__&mainmenu=accountancy&leftmenu=accountancy_admin', 'MenuTaxAccounts', 2, 'accountancy', '$user->rights->accounting->chartofaccount', '', 0, 70, __ENTITY__); - insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->accounting->enabled && $conf->expensereport->enabled && $leftmenu=="accountancy_admin"', __HANDLER__, 'left', 2461__+MAX_llx_menu__, 'accountancy', 'accountancy_admin_expensereport', 2451__+MAX_llx_menu__, '/admin/dict.php?id=17&from=accountancy&mainmenu=accountancy&leftmenu=accountancy_admin', 'MenuExpenseReportAccounts', 2, 'accountancy', '$user->rights->accounting->chartofaccount', '', 0, 80, __ENTITY__); - insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->accounting->enabled && $leftmenu=="accountancy_admin"', __HANDLER__, 'left', 2462__+MAX_llx_menu__, 'accountancy', 'accountancy_admin_product', 2451__+MAX_llx_menu__, '/accountancy/admin/productaccount.php?mainmenu=accountancy&leftmenu=accountancy_admin', 'MenuProductsAccounts', 2, 'accountancy', '$user->rights->accounting->chartofaccount', '', 0, 90, __ENTITY__); + + insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->accounting->enabled && $leftmenu=="accountancy_admin"', __HANDLER__, 'left', 2459__+MAX_llx_menu__, 'accountancy', 'accountancy_admin_vat', 2451__+MAX_llx_menu__, '/compta/bank/index.php?mainmenu=accountancy&leftmenu=accountancy_admin', 'MenuBankAccounts', 2, 'accountancy', '$user->rights->accounting->chartofaccount', '', 0, 52, __ENTITY__); + + insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->accounting->enabled && $leftmenu=="accountancy_admin"', __HANDLER__, 'left', 2460__+MAX_llx_menu__, 'accountancy', 'accountancy_admin_vat', 2451__+MAX_llx_menu__, '/admin/dict.php?id=10&from=accountancy&search_country_id=__MYCOUNTRYID__&mainmenu=accountancy&leftmenu=accountancy_admin', 'MenuVatAccounts', 2, 'accountancy', '$user->rights->accounting->chartofaccount', '', 0, 60, __ENTITY__); + insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->accounting->enabled && $leftmenu=="accountancy_admin"', __HANDLER__, 'left', 2461__+MAX_llx_menu__, 'accountancy', 'accountancy_admin_tax', 2451__+MAX_llx_menu__, '/admin/dict.php?id=7&from=accountancy&search_country_id=__MYCOUNTRYID__&mainmenu=accountancy&leftmenu=accountancy_admin', 'MenuTaxAccounts', 2, 'accountancy', '$user->rights->accounting->chartofaccount', '', 0, 70, __ENTITY__); + insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->accounting->enabled && $conf->expensereport->enabled && $leftmenu=="accountancy_admin"', __HANDLER__, 'left', 2462__+MAX_llx_menu__, 'accountancy', 'accountancy_admin_expensereport', 2451__+MAX_llx_menu__, '/admin/dict.php?id=17&from=accountancy&mainmenu=accountancy&leftmenu=accountancy_admin', 'MenuExpenseReportAccounts', 2, 'accountancy', '$user->rights->accounting->chartofaccount', '', 0, 80, __ENTITY__); + insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->accounting->enabled && $leftmenu=="accountancy_admin"', __HANDLER__, 'left', 2463__+MAX_llx_menu__, 'accountancy', 'accountancy_admin_product', 2451__+MAX_llx_menu__, '/accountancy/admin/productaccount.php?mainmenu=accountancy&leftmenu=accountancy_admin', 'MenuProductsAccounts', 2, 'accountancy', '$user->rights->accounting->chartofaccount', '', 0, 90, __ENTITY__); -- Accounting period insert into llx_menu (module, enabled, menu_handler, type, rowid, mainmenu, leftmenu, fk_menu, url, titre, level, langs, perms, target, usertype, position, entity) values ('', '$conf->accounting->enabled && $leftmenu=="accountancy_admin" && $conf->global->MAIN_FEATURES_LEVEL > 0', __HANDLER__, 'left', 2450__+MAX_llx_menu__, 'accountancy', 'accountancy_admin_period', 2451__+MAX_llx_menu__, '/accountancy/admin/fiscalyear.php?mainmenu=accountancy&leftmenu=accountancy_admin', 'FiscalPeriod', 1, 'admin', '', '', 2, 80, __ENTITY__); -- Binding diff --git a/htdocs/core/menus/standard/eldy.lib.php b/htdocs/core/menus/standard/eldy.lib.php index 5bb5385d142..26047336644 100644 --- a/htdocs/core/menus/standard/eldy.lib.php +++ b/htdocs/core/menus/standard/eldy.lib.php @@ -974,6 +974,10 @@ function print_left_eldy_menu($db,$menu_array_before,$menu_array_after,&$tabMenu if ($usemenuhider || empty($leftmenu) || preg_match('/accountancy_admin/',$leftmenu)) $newmenu->add("/accountancy/admin/account.php?mainmenu=accountancy&leftmenu=accountancy_admin", $langs->trans("Chartofaccounts"),2, $user->rights->accounting->chartofaccount, '', $mainmenu, 'accountancy_admin_chart', 30); if ($usemenuhider || empty($leftmenu) || preg_match('/accountancy_admin/',$leftmenu)) $newmenu->add("/accountancy/admin/categories_list.php?id=32&search_country_id=".$mysoc->country_id."&mainmenu=accountancy&leftmenu=accountancy_admin", $langs->trans("AccountingCategory"),2, $user->rights->accounting->chartofaccount, '', $mainmenu, 'accountancy_admin_chart', 31); if ($usemenuhider || empty($leftmenu) || preg_match('/accountancy_admin/',$leftmenu)) $newmenu->add("/accountancy/admin/defaultaccounts.php?mainmenu=accountancy&leftmenu=accountancy_admin", $langs->trans("MenuDefaultAccounts"),2, $user->rights->accounting->chartofaccount, '', $mainmenu, 'accountancy_admin_default', 40); + if (! empty($conf->banque->enabled)) + { + if ($usemenuhider || empty($leftmenu) || preg_match('/accountancy_admin/',$leftmenu)) $newmenu->add("/compta/bank/index.php?mainmenu=accountancy&leftmenu=accountancy_admin", $langs->trans("MenuBankAccounts"),2, $user->rights->accounting->chartofaccount, '', $mainmenu, 'accountancy_admin_bank', 42); + } if (! empty($conf->facture->enabled) || ! empty($conf->fournisseur->enabled)) { if ($usemenuhider || empty($leftmenu) || preg_match('/accountancy_admin/',$leftmenu)) $newmenu->add("/admin/dict.php?id=10&from=accountancy&search_country_id=".$mysoc->country_id."&mainmenu=accountancy&leftmenu=accountancy_admin", $langs->trans("MenuVatAccounts"),2, $user->rights->accounting->chartofaccount, '', $mainmenu, 'accountancy_admin_default', 50); diff --git a/htdocs/core/modules/DolibarrModules.class.php b/htdocs/core/modules/DolibarrModules.class.php index c41a889d10e..bdf8effe23c 100644 --- a/htdocs/core/modules/DolibarrModules.class.php +++ b/htdocs/core/modules/DolibarrModules.class.php @@ -1426,7 +1426,7 @@ class DolibarrModules // Can not be abstract, because we need to insta $err=0; $sql = "DELETE FROM ".MAIN_DB_PREFIX."const"; - $sql.= " WHERE ".$this->db->decrypt('name')." like '".$this->const_name."_TABS_%'"; + $sql.= " WHERE ".$this->db->decrypt('name')." like '".$this->db->escape($this->const_name)."_TABS_%'"; $sql.= " AND entity = ".$conf->entity; dol_syslog(get_class($this)."::delete_tabs", LOG_DEBUG); @@ -2019,7 +2019,7 @@ class DolibarrModules // Can not be abstract, because we need to insta $err=0; $sql = "DELETE FROM ".MAIN_DB_PREFIX."const"; - $sql.= " WHERE ".$this->db->decrypt('name')." LIKE '".$this->const_name."_DIR_%'"; + $sql.= " WHERE ".$this->db->decrypt('name')." LIKE '".$this->db->escape($this->const_name)."_DIR_%'"; $sql.= " AND entity = ".$conf->entity; dol_syslog(get_class($this)."::delete_dirs", LOG_DEBUG); @@ -2128,7 +2128,7 @@ class DolibarrModules // Can not be abstract, because we need to insta if (is_array($value) && isset($value['entity'])) $entity = $value['entity']; $sql = "DELETE FROM ".MAIN_DB_PREFIX."const"; - $sql.= " WHERE ".$this->db->decrypt('name')." LIKE '".$this->const_name."_".strtoupper($key)."'"; + $sql.= " WHERE ".$this->db->decrypt('name')." LIKE '".$this->db->escape($this->const_name)."_".strtoupper($key)."'"; $sql.= " AND entity = ".$entity; dol_syslog(get_class($this)."::delete_const_".$key."", LOG_DEBUG); diff --git a/htdocs/core/modules/cheque/mod_chequereceipt_mint.php b/htdocs/core/modules/cheque/mod_chequereceipt_mint.php index 2656ffa23d5..1c028559ddc 100644 --- a/htdocs/core/modules/cheque/mod_chequereceipt_mint.php +++ b/htdocs/core/modules/cheque/mod_chequereceipt_mint.php @@ -73,7 +73,7 @@ class mod_chequereceipt_mint extends ModeleNumRefChequeReceipts $posindice=9; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."bordereau_cheque"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -107,7 +107,7 @@ class mod_chequereceipt_mint extends ModeleNumRefChequeReceipts $posindice=9; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."bordereau_cheque"; - $sql.= " WHERE ref like '".$this->prefix."____-%'"; + $sql.= " WHERE ref like '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/commande/mod_commande_marbre.php b/htdocs/core/modules/commande/mod_commande_marbre.php index 92c8f55581c..fdea573f584 100644 --- a/htdocs/core/modules/commande/mod_commande_marbre.php +++ b/htdocs/core/modules/commande/mod_commande_marbre.php @@ -73,7 +73,7 @@ class mod_commande_marbre extends ModeleNumRefCommandes $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."commande"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -107,7 +107,7 @@ class mod_commande_marbre extends ModeleNumRefCommandes $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."commande"; - $sql.= " WHERE ref like '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/contract/mod_contract_serpis.php b/htdocs/core/modules/contract/mod_contract_serpis.php index b909b762541..a76d61a04ae 100644 --- a/htdocs/core/modules/contract/mod_contract_serpis.php +++ b/htdocs/core/modules/contract/mod_contract_serpis.php @@ -72,7 +72,7 @@ class mod_contract_serpis extends ModelNumRefContracts $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."contrat"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -105,7 +105,7 @@ class mod_contract_serpis extends ModelNumRefContracts $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."contrat"; - $sql.= " WHERE ref like '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/expedition/mod_expedition_safor.php b/htdocs/core/modules/expedition/mod_expedition_safor.php index 581657c6547..6d2b115d6b3 100644 --- a/htdocs/core/modules/expedition/mod_expedition_safor.php +++ b/htdocs/core/modules/expedition/mod_expedition_safor.php @@ -71,7 +71,7 @@ class mod_expedition_safor extends ModelNumRefExpedition $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."expedition"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -104,7 +104,7 @@ class mod_expedition_safor extends ModelNumRefExpedition $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."expedition"; - $sql.= " WHERE ref like '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/expensereport/mod_expensereport_jade.php b/htdocs/core/modules/expensereport/mod_expensereport_jade.php index ae70a60dbf3..e6da5fab7eb 100644 --- a/htdocs/core/modules/expensereport/mod_expensereport_jade.php +++ b/htdocs/core/modules/expensereport/mod_expensereport_jade.php @@ -72,7 +72,7 @@ class mod_expensereport_jade extends ModeleNumRefExpenseReport $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."expensereport"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -105,7 +105,7 @@ class mod_expensereport_jade extends ModeleNumRefExpenseReport $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."expensereport"; - $sql.= " WHERE ref like '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/facture/mod_facture_mars.php b/htdocs/core/modules/facture/mod_facture_mars.php index 15d3ce53fa8..f31d5a7f451 100644 --- a/htdocs/core/modules/facture/mod_facture_mars.php +++ b/htdocs/core/modules/facture/mod_facture_mars.php @@ -37,7 +37,7 @@ class mod_facture_mars extends ModeleNumRefFactures var $prefixcreditnote='AV'; var $error=''; - + /** * Constructor */ @@ -48,7 +48,7 @@ class mod_facture_mars extends ModeleNumRefFactures $this->prefixinvoice = $conf->global->INVOICE_NUMBERING_MARS_FORCE_PREFIX; } } - + /** * Renvoi la description du modele de numerotation * @@ -89,7 +89,7 @@ class mod_facture_mars extends ModeleNumRefFactures $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(facnumber FROM ".$posindice.") AS SIGNED) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."facture"; - $sql.= " WHERE facnumber LIKE '".$this->prefixinvoice."____-%'"; + $sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixinvoice)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -111,7 +111,7 @@ class mod_facture_mars extends ModeleNumRefFactures $posindice=8; $sql = "SELECT MAX(SUBSTRING(facnumber FROM ".$posindice.")) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."facture"; - $sql.= " WHERE facnumber LIKE '".$this->prefixcreditnote."____-%'"; + $sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixcreditnote)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/facture/mod_facture_terre.php b/htdocs/core/modules/facture/mod_facture_terre.php index b2a2f22cd12..cf2ea28f162 100644 --- a/htdocs/core/modules/facture/mod_facture_terre.php +++ b/htdocs/core/modules/facture/mod_facture_terre.php @@ -35,7 +35,7 @@ class mod_facture_terre extends ModeleNumRefFactures var $prefixdeposit='AC'; var $error=''; - + /** * Constructor */ @@ -46,7 +46,7 @@ class mod_facture_terre extends ModeleNumRefFactures $this->prefixinvoice = $conf->global->INVOICE_NUMBERING_TERRE_FORCE_PREFIX; } } - + /** * Renvoi la description du modele de numerotation * @@ -87,7 +87,7 @@ class mod_facture_terre extends ModeleNumRefFactures $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(facnumber FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."facture"; - $sql.= " WHERE facnumber LIKE '".$this->prefixinvoice."____-%'"; + $sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixinvoice)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -109,7 +109,7 @@ class mod_facture_terre extends ModeleNumRefFactures $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(facnumber FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."facture"; - $sql.= " WHERE facnumber LIKE '".$this->prefixcreditnote."____-%'"; + $sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixcreditnote)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -130,7 +130,7 @@ class mod_facture_terre extends ModeleNumRefFactures $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(facnumber FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."facture"; - $sql.= " WHERE facnumber LIKE '".$this->prefixdeposit."____-%'"; + $sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixdeposit)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/fichinter/doc/pdf_soleil.modules.php b/htdocs/core/modules/fichinter/doc/pdf_soleil.modules.php index c4f930a0db7..93e5aa11182 100644 --- a/htdocs/core/modules/fichinter/doc/pdf_soleil.modules.php +++ b/htdocs/core/modules/fichinter/doc/pdf_soleil.modules.php @@ -302,7 +302,7 @@ class pdf_soleil extends ModelePDFFicheinter $pageposafter=$pageposbefore; //print $pageposafter.'-'.$pageposbefore;exit; $pdf->setPageOrientation('', 1, $heightforfooter); // The only function to edit the bottom margin of current page to set it. - $pdf->writeHTMLCell(0, 0, $curX, $curY, $txt.'
'.$desc, LR, 1, 0); + $pdf->writeHTMLCell(0, 0, $curX, $curY, dol_concatdesc($txt,$desc), 0, 1, 0); $pageposafter=$pdf->getPage(); $posyafter=$pdf->GetY(); //var_dump($posyafter); var_dump(($this->page_hauteur - ($heightforfooter+$heightforfreetext+$heightforinfotot))); exit; diff --git a/htdocs/core/modules/fichinter/mod_pacific.php b/htdocs/core/modules/fichinter/mod_pacific.php index 65e5aa979b9..c9f42f12949 100644 --- a/htdocs/core/modules/fichinter/mod_pacific.php +++ b/htdocs/core/modules/fichinter/mod_pacific.php @@ -74,7 +74,7 @@ class mod_pacific extends ModeleNumRefFicheinter $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."fichinter"; - $sql.= " WHERE ref like '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " WHERE entity = ".$conf->entity; $resql=$db->query($sql); @@ -110,7 +110,7 @@ class mod_pacific extends ModeleNumRefFicheinter $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."fichinter"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/livraison/mod_livraison_jade.php b/htdocs/core/modules/livraison/mod_livraison_jade.php index 3480bb6d609..cbb630543c7 100644 --- a/htdocs/core/modules/livraison/mod_livraison_jade.php +++ b/htdocs/core/modules/livraison/mod_livraison_jade.php @@ -80,7 +80,7 @@ class mod_livraison_jade extends ModeleNumRefDeliveryOrder $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."livraison"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -114,7 +114,7 @@ class mod_livraison_jade extends ModeleNumRefDeliveryOrder $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."livraison"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/payment/mod_payment_cicada.php b/htdocs/core/modules/payment/mod_payment_cicada.php index 482261e9fe1..6c75557864b 100644 --- a/htdocs/core/modules/payment/mod_payment_cicada.php +++ b/htdocs/core/modules/payment/mod_payment_cicada.php @@ -73,7 +73,7 @@ class mod_payment_cicada extends ModeleNumRefPayments $posindice=9; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."paiement"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -107,7 +107,7 @@ class mod_payment_cicada extends ModeleNumRefPayments $posindice=9; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."paiement"; - $sql.= " WHERE ref like '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/project/mod_project_simple.php b/htdocs/core/modules/project/mod_project_simple.php index 49e4586d07b..fca1954c48a 100644 --- a/htdocs/core/modules/project/mod_project_simple.php +++ b/htdocs/core/modules/project/mod_project_simple.php @@ -75,7 +75,7 @@ class mod_project_simple extends ModeleNumRefProjects $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."projet"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); if ($resql) @@ -111,7 +111,7 @@ class mod_project_simple extends ModeleNumRefProjects $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."projet"; - $sql.= " WHERE ref like '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/project/task/mod_task_simple.php b/htdocs/core/modules/project/task/mod_task_simple.php index 97203d402d5..fe4087cbd15 100644 --- a/htdocs/core/modules/project/task/mod_task_simple.php +++ b/htdocs/core/modules/project/task/mod_task_simple.php @@ -76,7 +76,7 @@ class mod_task_simple extends ModeleNumRefTask $sql = "SELECT MAX(CAST(SUBSTRING(task.ref FROM " . $posindice . ") AS SIGNED)) as max"; $sql .= " FROM " . MAIN_DB_PREFIX . "projet_task AS task, "; $sql .= MAIN_DB_PREFIX . "projet AS project WHERE task.fk_projet=project.rowid"; - $sql .= " AND task.ref LIKE '" . $this->prefix . "____-%'"; + $sql .= " AND task.ref LIKE '" . $this->db->escape($this->prefix) . "____-%'"; $sql .= " AND project.entity = " . $conf->entity; $resql=$db->query($sql); if ($resql) @@ -112,7 +112,7 @@ class mod_task_simple extends ModeleNumRefTask $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."projet_task"; - $sql.= " WHERE ref like '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $resql=$db->query($sql); if ($resql) diff --git a/htdocs/core/modules/propale/mod_propale_marbre.php b/htdocs/core/modules/propale/mod_propale_marbre.php index 28260de97d8..0e434fb1e38 100644 --- a/htdocs/core/modules/propale/mod_propale_marbre.php +++ b/htdocs/core/modules/propale/mod_propale_marbre.php @@ -75,7 +75,7 @@ class mod_propale_marbre extends ModeleNumRefPropales $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."propal"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -112,7 +112,7 @@ class mod_propale_marbre extends ModeleNumRefPropales $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."propal"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/supplier_invoice/mod_facture_fournisseur_cactus.php b/htdocs/core/modules/supplier_invoice/mod_facture_fournisseur_cactus.php index 6e875af78f2..fafde547659 100644 --- a/htdocs/core/modules/supplier_invoice/mod_facture_fournisseur_cactus.php +++ b/htdocs/core/modules/supplier_invoice/mod_facture_fournisseur_cactus.php @@ -82,7 +82,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."facture_fourn"; - $sql.= " WHERE ref LIKE '".$this->prefixinvoice."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefixinvoice)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); if ($resql) @@ -103,7 +103,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."facture_fourn"; - $sql.= " WHERE ref LIKE '".$this->prefixcreditnote."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefixcreditnote)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -124,7 +124,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."facture_fourn"; - $sql.= " WHERE ref LIKE '".$this->prefixdeposit."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefixdeposit)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -202,7 +202,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices { $date=$object->date; // This is invoice date (not creation date) $yymm = strftime("%y%m",$date); - + if ($max >= (pow(10, 4) - 1)) $num=$max+1; // If counter > 9999, we do not format on 4 chars, we take number as it is else $num = sprintf("%04s",$max+1); diff --git a/htdocs/core/modules/supplier_order/mod_commande_fournisseur_muguet.php b/htdocs/core/modules/supplier_order/mod_commande_fournisseur_muguet.php index 0a017e3bc51..9788ac4c887 100644 --- a/htdocs/core/modules/supplier_order/mod_commande_fournisseur_muguet.php +++ b/htdocs/core/modules/supplier_order/mod_commande_fournisseur_muguet.php @@ -85,7 +85,7 @@ class mod_commande_fournisseur_muguet extends ModeleNumRefSuppliersOrders $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."commande_fournisseur"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); if ($resql) @@ -120,7 +120,7 @@ class mod_commande_fournisseur_muguet extends ModeleNumRefSuppliersOrders $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."commande_fournisseur"; - $sql.= " WHERE ref like '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/supplier_payment/mod_supplier_payment_bronan.php b/htdocs/core/modules/supplier_payment/mod_supplier_payment_bronan.php index c94ef4296c0..b7eee9a3544 100644 --- a/htdocs/core/modules/supplier_payment/mod_supplier_payment_bronan.php +++ b/htdocs/core/modules/supplier_payment/mod_supplier_payment_bronan.php @@ -73,7 +73,7 @@ class mod_supplier_payment_bronan extends ModeleNumRefSupplierPayments $posindice=9; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."paiementfourn"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -107,7 +107,7 @@ class mod_supplier_payment_bronan extends ModeleNumRefSupplierPayments $posindice=10; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."paiementfourn"; - $sql.= " WHERE ref like '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/modules/supplier_proposal/mod_supplier_proposal_marbre.php b/htdocs/core/modules/supplier_proposal/mod_supplier_proposal_marbre.php index 07d027a68dd..26ccb038dda 100644 --- a/htdocs/core/modules/supplier_proposal/mod_supplier_proposal_marbre.php +++ b/htdocs/core/modules/supplier_proposal/mod_supplier_proposal_marbre.php @@ -75,7 +75,7 @@ class mod_supplier_proposal_marbre extends ModeleNumRefSupplierProposal $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; $sql.= " FROM ".MAIN_DB_PREFIX."supplier_proposal"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); @@ -112,7 +112,7 @@ class mod_supplier_proposal_marbre extends ModeleNumRefSupplierProposal $posindice=8; $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL $sql.= " FROM ".MAIN_DB_PREFIX."supplier_proposal"; - $sql.= " WHERE ref LIKE '".$this->prefix."____-%'"; + $sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'"; $sql.= " AND entity = ".$conf->entity; $resql=$db->query($sql); diff --git a/htdocs/core/photos_resize.php b/htdocs/core/photos_resize.php index 5b29d25202e..69056ff02be 100644 --- a/htdocs/core/photos_resize.php +++ b/htdocs/core/photos_resize.php @@ -36,7 +36,7 @@ $action=GETPOST('action','alpha'); $modulepart=GETPOST('modulepart','alpha')?GETPOST('modulepart','alpha'):'produit|service'; $original_file = GETPOST("file"); $backtourl=GETPOST('backtourl'); -$cancel=GETPOST("cancel"); +$cancel=GETPOST('cancel','alpha'); // Security check if (empty($modulepart)) accessforbidden('Bad value for modulepart'); diff --git a/htdocs/core/tpl/onlinepaymentlinks.tpl.php b/htdocs/core/tpl/onlinepaymentlinks.tpl.php new file mode 100644 index 00000000000..8650ab4110d --- /dev/null +++ b/htdocs/core/tpl/onlinepaymentlinks.tpl.php @@ -0,0 +1,135 @@ + + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +require_once DOL_DOCUMENT_ROOT.'/core/lib/payments.lib.php'; + +print ''; + +// Url list +print ''.$langs->trans("FollowingUrlAreAvailableToMakePayments").':

'; +print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnFreeAmount",$servicename).':
'; +print ''.getOnlinePaymentUrl(1,'free')."

\n"; +if (! empty($conf->commande->enabled)) +{ + print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnOrder",$servicename).':
'; + print ''.getOnlinePaymentUrl(1,'order')."
\n"; + if (! empty($conf->global->PAYMENT_SECURITY_TOKEN) && ! empty($conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE)) + { + $langs->load("orders"); + print ''; + print $langs->trans("EnterRefToBuildUrl",$langs->transnoentitiesnoconv("Order")).': '; + print ''; + print ''; + if (GETPOST('generate_order_ref','alpha')) + { + print '
-> '; + $url=getOnlinePaymentUrl(0,'order',GETPOST('generate_order_ref','alpha')); + print $url; + print "
\n"; + } + print ''; + } + print '
'; +} +if (! empty($conf->facture->enabled)) +{ + print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnInvoice",$servicename).':
'; + print ''.getOnlinePaymentUrl(1,'invoice')."
\n"; + if (! empty($conf->global->PAYMENT_SECURITY_TOKEN) && ! empty($conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE)) + { + $langs->load("bills"); + print '
'; + print $langs->trans("EnterRefToBuildUrl",$langs->transnoentitiesnoconv("Invoice")).': '; + print ''; + print ''; + if (GETPOST('generate_invoice_ref','alpha')) + { + print '
-> '; + $url=getOnlinePaymentUrl(0,'invoice',GETPOST('generate_invoice_ref','alpha')); + print $url; + print "
\n"; + } + print '
'; + } + print '
'; +} +if (! empty($conf->contrat->enabled)) +{ + print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnContractLine",$servicename).':
'; + print ''.getOnlinePaymentUrl(1,'contractline')."
\n"; + if (! empty($conf->global->PAYMENT_SECURITY_TOKEN) && ! empty($conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE)) + { + $langs->load("contract"); + print '
'; + print $langs->trans("EnterRefToBuildUrl",$langs->transnoentitiesnoconv("Contract")).': '; + print ''; + print ''; + if (GETPOST('generate_contract_ref')) + { + print '
-> '; + $url=getOnlinePaymentUrl(0,'contractline',GETPOST('generate_contract_ref','alpha')); + print $url; + print "
\n"; + } + print '
'; + } + print '
'; +} +if (! empty($conf->adherent->enabled)) +{ + print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnMemberSubscription",$servicename).':
'; + print ''.getOnlinePaymentUrl(1,'membersubscription')."
\n"; + if (! empty($conf->global->PAYMENT_SECURITY_TOKEN) && ! empty($conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE)) + { + $langs->load("members"); + print '
'; + print $langs->trans("EnterRefToBuildUrl",$langs->transnoentitiesnoconv("Member")).': '; + print ''; + print ''; + if (GETPOST('generate_member_ref')) + { + print '
-> '; + $url=getOnlinePaymentUrl(0,'membersubscription',GETPOST('generate_member_ref','alpha')); + print $url; + print "
\n"; + } + print '
'; + } + print '
'; +} + +if (! empty($conf->use_javascript_ajax)) +{ + print "\n".''; +} + +print info_admin($langs->trans("YouCanAddTagOnUrl")); + +print ''; + diff --git a/htdocs/cron/card.php b/htdocs/cron/card.php index dce56ff5468..a1255954014 100644 --- a/htdocs/cron/card.php +++ b/htdocs/cron/card.php @@ -41,7 +41,7 @@ if (!$user->rights->cron->create) accessforbidden(); $id=GETPOST('id','int'); $action=GETPOST('action','alpha'); $confirm=GETPOST('confirm','alpha'); -$cancel=GETPOST('cancel'); +$cancel=GETPOST('cancel','alpha'); $backtourl=GETPOST('backtourl','alpha'); $securitykey = GETPOST('securitykey','alpha'); diff --git a/htdocs/cron/class/cronjob.class.php b/htdocs/cron/class/cronjob.class.php index 00f8d5d6ae0..5ba542c6945 100644 --- a/htdocs/cron/class/cronjob.class.php +++ b/htdocs/cron/class/cronjob.class.php @@ -201,7 +201,7 @@ class Cronjob extends CommonObject $sql.= " ".(! isset($this->lastresult)?'NULL':"'".$this->db->escape($this->lastresult)."'").","; $sql.= " ".(! isset($this->datelastresult) || dol_strlen($this->datelastresult)==0?'NULL':"'".$this->db->idate($this->datelastresult)."'").","; $sql.= " ".(! isset($this->lastoutput)?'NULL':"'".$this->db->escape($this->lastoutput)."'").","; - $sql.= " ".(! isset($this->unitfrequency)?'NULL':"'".$this->unitfrequency."'").","; + $sql.= " ".(! isset($this->unitfrequency)?'NULL':"'".$this->db->escape($this->unitfrequency)."'").","; $sql.= " ".(! isset($this->frequency)?'0':$this->frequency).","; $sql.= " ".(! isset($this->status)?'0':$this->status).","; $sql.= " ".$user->id.","; diff --git a/htdocs/don/card.php b/htdocs/don/card.php index 90f5c328ffc..c711aad8397 100644 --- a/htdocs/don/card.php +++ b/htdocs/don/card.php @@ -46,7 +46,7 @@ $langs->load("bills"); $id=GETPOST('rowid')?GETPOST('rowid','int'):GETPOST('id','int'); $action=GETPOST('action','alpha'); -$cancel=GETPOST('cancel'); +$cancel=GETPOST('cancel','alpha'); $amount=GETPOST('amount'); $donation_date=dol_mktime(12, 0, 0, GETPOST('remonth'), GETPOST('reday'), GETPOST('reyear')); $projectid = (GETPOST('projectid') ? GETPOST('projectid', 'int') : 0); diff --git a/htdocs/ecm/class/ecmdirectory.class.php b/htdocs/ecm/class/ecmdirectory.class.php index 5f713bdab91..07c8b0aff00 100644 --- a/htdocs/ecm/class/ecmdirectory.class.php +++ b/htdocs/ecm/class/ecmdirectory.class.php @@ -134,12 +134,12 @@ class EcmDirectory // extends CommonObject $sql.= "fk_user_c"; $sql.= ") VALUES ("; $sql.= " '".$this->db->escape($this->label)."',"; - $sql.= " '".$conf->entity."',"; - $sql.= " '".$this->fk_parent."',"; + $sql.= " '".$this->db->escape($conf->entity)."',"; + $sql.= " '".$this->db->escape($this->fk_parent)."',"; $sql.= " '".$this->db->escape($this->description)."',"; $sql.= " ".$this->cachenbofdoc.","; $sql.= " '".$this->db->idate($this->date_c)."',"; - $sql.= " '".$this->fk_user_c."'"; + $sql.= " '".$this->db->escape($this->fk_user_c)."'"; $sql.= ")"; dol_syslog(get_class($this)."::create", LOG_DEBUG); diff --git a/htdocs/ecm/docfile.php b/htdocs/ecm/docfile.php index 61cce03cc1d..192240b4943 100644 --- a/htdocs/ecm/docfile.php +++ b/htdocs/ecm/docfile.php @@ -61,7 +61,7 @@ $pagenext = $page + 1; if (! $sortorder) $sortorder="ASC"; if (! $sortfield) $sortfield="label"; -$cancel=GETPOST('cancel'); +$cancel=GETPOST('cancel','alpha'); $action=GETPOST('action','aZ09'); $section=GETPOST("section"); if (! $section) diff --git a/htdocs/ecm/docmine.php b/htdocs/ecm/docmine.php index f418627d1be..c722ba9a208 100644 --- a/htdocs/ecm/docmine.php +++ b/htdocs/ecm/docmine.php @@ -138,7 +138,7 @@ if ($action == 'confirm_deletedir' && $confirm == 'yes') } // Update description -if ($action == 'update' && ! GETPOST('cancel')) +if ($action == 'update' && ! GETPOST('cancel','alpha')) { $error=0; diff --git a/htdocs/expedition/class/expedition.class.php b/htdocs/expedition/class/expedition.class.php index 9e057106dd8..6c54c2e6615 100644 --- a/htdocs/expedition/class/expedition.class.php +++ b/htdocs/expedition/class/expedition.class.php @@ -1769,7 +1769,7 @@ class Expedition extends CommonObject if ($id=='') { $sql = "INSERT INTO ".MAIN_DB_PREFIX."c_shipment_mode (code, libelle, description, tracking)"; - $sql.=" VALUES ('".$this->update['code']."','".$this->update['libelle']."','".$this->update['description']."','".$this->update['tracking']."')"; + $sql.=" VALUES ('".$this->db->escape($this->update['code'])."','".$this->db->escape($this->update['libelle'])."','".$this->db->escape($this->update['description'])."','".$this->db->escape($this->update['tracking'])."')"; $resql = $this->db->query($sql); } else diff --git a/htdocs/expedition/list.php b/htdocs/expedition/list.php index ab5fa27b13f..a5b693aa3f9 100644 --- a/htdocs/expedition/list.php +++ b/htdocs/expedition/list.php @@ -119,8 +119,8 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction')) { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha')) { $massaction=''; } $parameters=array('socid'=>$socid); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/expensereport/card.php b/htdocs/expensereport/card.php index 3043ee3d592..df6c188a030 100644 --- a/htdocs/expensereport/card.php +++ b/htdocs/expensereport/card.php @@ -49,7 +49,7 @@ $langs->load("bills"); $langs->load("mails"); $action=GETPOST('action','aZ09'); -$cancel=GETPOST('cancel'); +$cancel=GETPOST('cancel','alpha'); $confirm = GETPOST('confirm', 'alpha'); $date_start = dol_mktime(0, 0, 0, GETPOST('date_debutmonth'), GETPOST('date_debutday'), GETPOST('date_debutyear')); diff --git a/htdocs/expensereport/list.php b/htdocs/expensereport/list.php index 28fcdefcf62..a02e23c3123 100644 --- a/htdocs/expensereport/list.php +++ b/htdocs/expensereport/list.php @@ -130,8 +130,8 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } $parameters=array('socid'=>$socid); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/fichinter/list.php b/htdocs/fichinter/list.php index 866d8cab17c..9dca5d1badb 100644 --- a/htdocs/fichinter/list.php +++ b/htdocs/fichinter/list.php @@ -128,8 +128,8 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend' && $massaction != 'confirm_createbills') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend' && $massaction != 'confirm_createbills') { $massaction=''; } $parameters=array('socid'=>$socid); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/fourn/card.php b/htdocs/fourn/card.php index a413820cbe0..02e0749d8c5 100644 --- a/htdocs/fourn/card.php +++ b/htdocs/fourn/card.php @@ -45,7 +45,7 @@ $langs->load('orders'); $langs->load('commercial'); $action = GETPOST('action','aZ09'); -$cancelbutton = GETPOST('cancel'); +$cancelbutton = GETPOST('cancel','alpha'); // Security check $id = (GETPOST('socid','int') ? GETPOST('socid','int') : GETPOST('id','int')); @@ -707,27 +707,58 @@ if ($object->id > 0) print '
'.$langs->trans("ThirdPartyIsClosed").'
'; } - if ($conf->supplier_proposal->enabled && $user->rights->supplier_proposal->creer && $object->status==1) + if ($conf->supplier_proposal->enabled && $user->rights->supplier_proposal->creer) { $langs->load("supplier_proposal"); - print ''.$langs->trans("AddSupplierProposal").''; + if ($object->status == 1) + { + print ''.$langs->trans("AddSupplierProposal").''; + } + else + { + print ''.$langs->trans("AddSupplierProposal").''; + } } - if ($user->rights->fournisseur->commande->creer && $object->status==1) + if ($user->rights->fournisseur->commande->creer) { $langs->load("orders"); - print ''.$langs->trans("AddOrder").''; + if ($object->status == 1) + { + print ''.$langs->trans("AddOrder").''; + } + else + { + print ''.$langs->trans("AddOrder").''; + } } - if ($user->rights->fournisseur->facture->creer && $object->status==1) + if ($user->rights->fournisseur->facture->creer) { $langs->load("bills"); - print ''.$langs->trans("AddBill").''; + if ($object->status == 1) + { + print ''.$langs->trans("AddBill").''; + } + else + { + print ''.$langs->trans("AddBill").''; + } } - if ($user->rights->fournisseur->facture->creer && $object->status==1) + if ($user->rights->fournisseur->facture->creer) { - if (! empty($orders2invoice) && $orders2invoice > 0) print '
'.$langs->trans("CreateInvoiceForThisCustomer").'
'; + if (! empty($orders2invoice) && $orders2invoice > 0) + { + if ($object->status == 1) + { + print '
'.$langs->trans("CreateInvoiceForThisCustomer").'
'; + } + else + { + print '
'.$langs->trans("CreateInvoiceForThisCustomer").'
'; + } + } else print '
'.$langs->trans("CreateInvoiceForThisCustomer").'
'; } diff --git a/htdocs/fourn/class/api_supplier_invoices.class.php b/htdocs/fourn/class/api_supplier_invoices.class.php index 26ae936d5a0..92792428a38 100644 --- a/htdocs/fourn/class/api_supplier_invoices.class.php +++ b/htdocs/fourn/class/api_supplier_invoices.class.php @@ -351,7 +351,7 @@ class SupplierInvoices extends DolibarrApi function _validate($data) { $invoice = array(); - foreach (Invoices::$FIELDS as $field) { + foreach (SupplierInvoices::$FIELDS as $field) { if (!isset($data[$field])) throw new RestException(400, "$field field missing"); $invoice[$field] = $data[$field]; diff --git a/htdocs/fourn/class/fournisseur.commande.class.php b/htdocs/fourn/class/fournisseur.commande.class.php index 6ca854bf319..95f573530bf 100644 --- a/htdocs/fourn/class/fournisseur.commande.class.php +++ b/htdocs/fourn/class/fournisseur.commande.class.php @@ -3129,15 +3129,15 @@ class CommandeFournisseurLigne extends CommonOrderLine $sql.= " ".($this->date_end?"'".$this->db->idate($this->date_end)."'":"null").","; if ($this->fk_product) { $sql.= $this->fk_product.","; } else { $sql.= "null,"; } - $sql.= "'".$this->product_type."',"; - $sql.= "'".$this->qty."', "; + $sql.= "'".$this->db->escape($this->product_type)."',"; + $sql.= "'".$this->db->escape($this->qty)."', "; - $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").","; + $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").","; $sql.= " ".$this->tva_tx.", "; $sql.= " ".$this->localtax1_tx.","; $sql.= " ".$this->localtax2_tx.","; - $sql.= " '".$this->localtax1_type."',"; - $sql.= " '".$this->localtax2_type."',"; + $sql.= " '".$this->db->escape($this->localtax1_type)."',"; + $sql.= " '".$this->db->escape($this->localtax2_type)."',"; $sql.= " ".$this->remise_percent.", ".price2num($this->subprice,'MU').", '".$this->db->escape($this->ref_supplier)."',"; $sql.= " ".price2num($this->total_ht).","; $sql.= " ".price2num($this->total_tva).","; diff --git a/htdocs/fourn/class/fournisseur.commande.dispatch.class.php b/htdocs/fourn/class/fournisseur.commande.dispatch.class.php index 7fd56f81aac..a72e225b535 100644 --- a/htdocs/fourn/class/fournisseur.commande.dispatch.class.php +++ b/htdocs/fourn/class/fournisseur.commande.dispatch.class.php @@ -105,14 +105,11 @@ class CommandeFournisseurDispatch extends CommonObject if (isset($this->status)) $this->status=trim($this->status); if (isset($this->batch)) $this->batch=trim($this->batch); - - // Check parameters // Put here code to add control on parameters values // Insert request $sql = "INSERT INTO ".MAIN_DB_PREFIX.$this->table_element."("; - $sql.= "fk_commande,"; $sql.= "fk_product,"; $sql.= "fk_commandefourndet,"; @@ -125,24 +122,19 @@ class CommandeFournisseurDispatch extends CommonObject $sql.= "batch,"; $sql.= "eatby,"; $sql.= "sellby"; - - $sql.= ") VALUES ("; - - $sql.= " ".(! isset($this->fk_commande)?'NULL':"'".$this->fk_commande."'").","; - $sql.= " ".(! isset($this->fk_product)?'NULL':"'".$this->fk_product."'").","; - $sql.= " ".(! isset($this->fk_commandefourndet)?'NULL':"'".$this->fk_commandefourndet."'").","; - $sql.= " ".(! isset($this->qty)?'NULL':"'".$this->qty."'").","; - $sql.= " ".(! isset($this->fk_entrepot)?'NULL':"'".$this->fk_entrepot."'").","; - $sql.= " ".(! isset($this->fk_user)?'NULL':"'".$this->fk_user."'").","; + $sql.= " ".(! isset($this->fk_commande)?'NULL':"'".$this->db->escape($this->fk_commande)."'").","; + $sql.= " ".(! isset($this->fk_product)?'NULL':"'".$this->db->escape($this->fk_product)."'").","; + $sql.= " ".(! isset($this->fk_commandefourndet)?'NULL':"'".$this->db->escape($this->fk_commandefourndet)."'").","; + $sql.= " ".(! isset($this->qty)?'NULL':"'".$this->db->escape($this->qty)."'").","; + $sql.= " ".(! isset($this->fk_entrepot)?'NULL':"'".$this->db->escape($this->fk_entrepot)."'").","; + $sql.= " ".(! isset($this->fk_user)?'NULL':"'".$this->db->escape($this->fk_user)."'").","; $sql.= " ".(! isset($this->datec) || dol_strlen($this->datec)==0?'NULL':"'".$this->db->idate($this->datec)."'").","; $sql.= " ".(! isset($this->comment)?'NULL':"'".$this->db->escape($this->comment)."'").","; - $sql.= " ".(! isset($this->status)?'NULL':"'".$this->status."'").","; + $sql.= " ".(! isset($this->status)?'NULL':"'".$this->db->escape($this->status)."'").","; $sql.= " ".(! isset($this->batch)?'NULL':"'".$this->db->escape($this->batch)."'").","; $sql.= " ".(! isset($this->eatby) || dol_strlen($this->eatby)==0?'NULL':"'".$this->db->idate($this->eatby)."'").","; $sql.= " ".(! isset($this->sellby) || dol_strlen($this->sellby)==0?'NULL':"'".$this->db->idate($this->sellby)."'").""; - - $sql.= ")"; $this->db->begin(); diff --git a/htdocs/fourn/class/fournisseur.facture.class.php b/htdocs/fourn/class/fournisseur.facture.class.php index 4d24d2f920b..78c08478321 100644 --- a/htdocs/fourn/class/fournisseur.facture.class.php +++ b/htdocs/fourn/class/fournisseur.facture.class.php @@ -2701,17 +2701,17 @@ class SupplierInvoiceLine extends CommonObjectLine $sql.= ', fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc'; $sql.= ')'; $sql.= " VALUES (".$this->fk_facture_fourn.","; - $sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").","; + $sql.= " ".($this->fk_parent_line>0?"'".$this->db->escape($this->fk_parent_line)."'":"null").","; $sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").","; $sql.= " '".$this->db->escape($this->desc)."',"; $sql.= " ".price2num($this->qty).","; - $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").","; + $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").","; $sql.= " ".price2num($this->tva_tx).","; $sql.= " ".price2num($this->localtax1_tx).","; $sql.= " ".price2num($this->localtax2_tx).","; - $sql.= " '".$this->localtax1_type."',"; - $sql.= " '".$this->localtax2_type."',"; + $sql.= " '".$this->db->escape($this->localtax1_type)."',"; + $sql.= " '".$this->db->escape($this->localtax2_type)."',"; $sql.= ' '.(! empty($this->fk_product)?$this->fk_product:"null").','; $sql.= " ".$this->product_type.","; $sql.= " ".price2num($this->remise_percent).","; @@ -2722,7 +2722,7 @@ class SupplierInvoiceLine extends CommonObjectLine $sql.= ' '.(!empty($this->fk_code_ventilation)?$this->fk_code_ventilation:0).','; $sql.= ' '.$this->rang.','; $sql.= ' '.$this->special_code.','; - $sql.= " '".$this->info_bits."',"; + $sql.= " '".$this->db->escape($this->info_bits)."',"; $sql.= " ".price2num($this->total_ht).","; $sql.= " ".price2num($this->total_tva).","; $sql.= " ".price2num($this->total_ttc).","; diff --git a/htdocs/fourn/commande/card.php b/htdocs/fourn/commande/card.php index 754e34e0d97..e92a7c25de3 100644 --- a/htdocs/fourn/commande/card.php +++ b/htdocs/fourn/commande/card.php @@ -542,7 +542,7 @@ if (empty($reshook)) /* * Updating a line in the order */ - if ($action == 'updateline' && $user->rights->fournisseur->commande->creer && ! GETPOST('cancel')) + if ($action == 'updateline' && $user->rights->fournisseur->commande->creer && ! GETPOST('cancel','alpha')) { $tva_tx = GETPOST('tva_tx'); @@ -1170,7 +1170,7 @@ if (empty($reshook)) include DOL_DOCUMENT_ROOT.'/core/actions_sendmails.inc.php'; - if ($action == 'webservice' && GETPOST('mode', 'alpha') == "send" && ! GETPOST('cancel')) + if ($action == 'webservice' && GETPOST('mode', 'alpha') == "send" && ! GETPOST('cancel','alpha')) { $ws_url = $object->thirdparty->webservices_url; $ws_key = $object->thirdparty->webservices_key; @@ -2269,7 +2269,7 @@ elseif (! empty($object->id)) /* * Action webservice */ - elseif ($action == 'webservice' && GETPOST('mode', 'alpha') != "send" && ! GETPOST('cancel')) + elseif ($action == 'webservice' && GETPOST('mode', 'alpha') != "send" && ! GETPOST('cancel','alpha')) { $mode = GETPOST('mode', 'alpha'); $ws_url = $object->thirdparty->webservices_url; diff --git a/htdocs/fourn/commande/list.php b/htdocs/fourn/commande/list.php index ac67d256824..4794d72da6a 100644 --- a/htdocs/fourn/commande/list.php +++ b/htdocs/fourn/commande/list.php @@ -172,8 +172,8 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction')) { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha')) { $massaction=''; } $parameters=array('socid'=>$socid); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks @@ -689,7 +689,7 @@ if ($resql) { $langs->load("mails"); - if (! GETPOST('cancel')) + if (! GETPOST('cancel','alpha')) { $objecttmp=new CommandeFournisseur($db); $listofselectedid=array(); diff --git a/htdocs/fourn/facture/list.php b/htdocs/fourn/facture/list.php index ec785c5e206..96473dd6e6e 100644 --- a/htdocs/fourn/facture/list.php +++ b/htdocs/fourn/facture/list.php @@ -183,8 +183,8 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend' && $massaction != 'confirm_createbills') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend' && $massaction != 'confirm_createbills') { $massaction=''; } $parameters=array('socid'=>$socid); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks @@ -493,7 +493,7 @@ if ($resql) { $langs->load("mails"); - if (! GETPOST('cancel')) + if (! GETPOST('cancel','alpha')) { $objecttmp=new FactureFournisseur($db); $listofselectedid=array(); diff --git a/htdocs/fourn/product/list.php b/htdocs/fourn/product/list.php index 5707c0bff30..c6a8f24f98f 100644 --- a/htdocs/fourn/product/list.php +++ b/htdocs/fourn/product/list.php @@ -69,8 +69,8 @@ $extrafields = new ExtraFields($db); * Put here all code to do according to value of "action" parameter */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } $parameters=array(); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/holiday/class/holiday.class.php b/htdocs/holiday/class/holiday.class.php index 4815bee4b00..ad9ead401dd 100644 --- a/htdocs/holiday/class/holiday.class.php +++ b/htdocs/holiday/class/holiday.class.php @@ -143,14 +143,14 @@ class Holiday extends CommonObject $sql.= "fk_user_create,"; $sql.= "entity"; $sql.= ") VALUES ("; - $sql.= "'".$this->fk_user."',"; + $sql.= "'".$this->db->escape($this->fk_user)."',"; $sql.= " '".$this->db->idate($now)."',"; $sql.= " '".$this->db->escape($this->description)."',"; $sql.= " '".$this->db->idate($this->date_debut)."',"; $sql.= " '".$this->db->idate($this->date_fin)."',"; $sql.= " ".$this->halfday.","; $sql.= " '1',"; - $sql.= " '".$this->fk_validator."',"; + $sql.= " '".$this->db->escape($this->fk_validator)."',"; $sql.= " ".$this->fk_type.","; $sql.= " ".$user->id.","; $sql.= " ".$conf->entity; diff --git a/htdocs/holiday/define_holiday.php b/htdocs/holiday/define_holiday.php index 66e490ae420..de8a7147267 100644 --- a/htdocs/holiday/define_holiday.php +++ b/htdocs/holiday/define_holiday.php @@ -71,8 +71,8 @@ $holiday = new Holiday($db); * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } $parameters=array(); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/imports/class/import.class.php b/htdocs/imports/class/import.class.php index 828e0f53719..2235812bae8 100644 --- a/htdocs/imports/class/import.class.php +++ b/htdocs/imports/class/import.class.php @@ -45,7 +45,7 @@ class Import var $error; var $errors; - + /** * Constructor @@ -242,7 +242,7 @@ class Import $sql = 'INSERT INTO '.MAIN_DB_PREFIX.'import_model ('; $sql.= 'fk_user, label, type, field'; $sql.= ')'; - $sql.= " VALUES (".($user->id > 0 ? $user->id : 0).", '".$this->db->escape($this->model_name)."', '".$this->datatoimport."', '".$this->hexa."')"; + $sql.= " VALUES (".($user->id > 0 ? $user->id : 0).", '".$this->db->escape($this->model_name)."', '".$this->db->escape($this->datatoimport)."', '".$this->db->escape($this->hexa)."')"; dol_syslog(get_class($this)."::create", LOG_DEBUG); $resql=$this->db->query($sql); diff --git a/htdocs/install/check.php b/htdocs/install/check.php index ebf1de7f552..2b09d1c9813 100644 --- a/htdocs/install/check.php +++ b/htdocs/install/check.php @@ -306,7 +306,19 @@ else } else { - require_once $dolibarr_main_document_root.'/core/lib/admin.lib.php'; + require_once $dolibarr_main_document_root.'/core/lib/admin.lib.php'; + + // If password is encoded, we decode it + if (preg_match('/crypted:/i',$dolibarr_main_db_pass) || ! empty($dolibarr_main_db_encrypted_pass)) + { + require_once $dolibarr_main_document_root.'/core/lib/security.lib.php'; + if (preg_match('/crypted:/i',$dolibarr_main_db_pass)) + { + $dolibarr_main_db_encrypted_pass = preg_replace('/crypted:/i', '', $dolibarr_main_db_pass); // We need to set this as it is used to know the password was initially crypted + $dolibarr_main_db_pass = dol_decode($dolibarr_main_db_encrypted_pass); + } + else $dolibarr_main_db_pass = dol_decode($dolibarr_main_db_encrypted_pass); + } // $conf is already instancied inside inc.php $conf->db->type = $dolibarr_main_db_type; @@ -315,12 +327,12 @@ else $conf->db->name = $dolibarr_main_db_name; $conf->db->user = $dolibarr_main_db_user; $conf->db->pass = $dolibarr_main_db_pass; - $db=getDoliDBInstance($conf->db->type,$conf->db->host,$conf->db->user,$conf->db->pass,$conf->db->name,$conf->db->port); + $db=getDoliDBInstance($conf->db->type,$conf->db->host,$conf->db->user,$conf->db->pass,$conf->db->name,$conf->db->port); if ($db->connected && $db->database_selected) { $ok=true; } - } + } } } diff --git a/htdocs/install/mysql/migration/4.0.0-5.0.0.sql b/htdocs/install/mysql/migration/4.0.0-5.0.0.sql index 86421894fec..25a92f1e265 100644 --- a/htdocs/install/mysql/migration/4.0.0-5.0.0.sql +++ b/htdocs/install/mysql/migration/4.0.0-5.0.0.sql @@ -61,6 +61,8 @@ ALTER TABLE llx_user DROP COLUMN phenix_login; ALTER TABLE llx_user DROP COLUMN phenix_pass; ALTER TABLE llx_user ADD COLUMN dateemployment datetime; +ALTER TABLE llx_user MODIFY login varchar(50) NOT NULL; + ALTER TABLE llx_societe ADD COLUMN fk_account integer; ALTER TABLE llx_commandedet ADD COLUMN fk_commandefourndet integer DEFAULT NULL after import_key; -- link to detail line of commande fourn (resplenish) diff --git a/htdocs/install/mysql/migration/6.0.0-7.0.0.sql b/htdocs/install/mysql/migration/6.0.0-7.0.0.sql index 75462abe6b5..53400d9806b 100644 --- a/htdocs/install/mysql/migration/6.0.0-7.0.0.sql +++ b/htdocs/install/mysql/migration/6.0.0-7.0.0.sql @@ -25,6 +25,9 @@ -- -- VMYSQL4.1 DELETE FROM llx_usergroup_user WHERE fk_usergroup NOT IN (SELECT rowid from llx_usergroup); +-- Missing in 5.0 +ALTER TABLE llx_user MODIFY login varchar(50) NOT NULL; + -- Missing in 6.0 ? ALTER TABLE llx_product_price ADD COLUMN fk_multicurrency integer; ALTER TABLE llx_product_price ADD COLUMN multicurrency_code varchar(255); diff --git a/htdocs/langs/en_US/accountancy.lang b/htdocs/langs/en_US/accountancy.lang index f81e689260c..9e1efae59bb 100644 --- a/htdocs/langs/en_US/accountancy.lang +++ b/htdocs/langs/en_US/accountancy.lang @@ -57,7 +57,7 @@ AccountancyAreaDescContrib=STEP %s: Define default accounting accounts for speci AccountancyAreaDescDonation=STEP %s: Define default accounting accounts for donation. For this, use the menu entry %s. AccountancyAreaDescMisc=STEP %s: Define mandatory default account and default accounting accounts for miscellaneous transactions. For this, use the menu entry %s. AccountancyAreaDescLoan=STEP %s: Define default accounting accounts for loans. For this, use the menu entry %s. -AccountancyAreaDescBank=STEP %s: Define accounting accounts and journal code for each bank and financial accounts. For this, go on the card of each financial account. You can start from page %s. +AccountancyAreaDescBank=STEP %s: Define accounting accounts and journal code for each bank and financial accounts. For this, use the menu entry %s. AccountancyAreaDescProd=STEP %s: Define accounting accounts on your products/services. For this, use the menu entry %s. AccountancyAreaDescBind=STEP %s: Check the binding between existing %s lines and accounting account is done, so application will be able to journalize transactions in Ledger in one click. Complete missing bindings. For this, use the menu entry %s. @@ -78,6 +78,7 @@ ShowAccountingAccount=Show accounting account ShowAccountingJournal=Show accounting journal AccountAccountingSuggest=Accounting account suggested MenuDefaultAccounts=Default accounts +MenuBankAccounts=Bank accounts MenuVatAccounts=Vat accounts MenuTaxAccounts=Tax accounts MenuExpenseReportAccounts=Expense report accounts diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang index f1aa542d7ae..0fe1040b389 100644 --- a/htdocs/langs/en_US/admin.lang +++ b/htdocs/langs/en_US/admin.lang @@ -1,6 +1,7 @@ # Dolibarr language file - Source file is en_US - admin Foundation=Foundation Version=Version +Publisher=Publisher VersionProgram=Version program VersionLastInstall=Initial install version VersionLastUpgrade=Latest version upgrade diff --git a/htdocs/langs/en_US/main.lang b/htdocs/langs/en_US/main.lang index e7171fb94b1..0cea69200dc 100644 --- a/htdocs/langs/en_US/main.lang +++ b/htdocs/langs/en_US/main.lang @@ -714,6 +714,7 @@ CreateDraft=Create draft SetToDraft=Back to draft ClickToEdit=Click to edit EditWithEditor=Edit with CKEditor +EditWithTextEditor=Edit with Text editor EditHTMLSource=Edit HTML Source ObjectDeleted=Object %s deleted ByCountry=By country diff --git a/htdocs/langs/en_US/projects.lang b/htdocs/langs/en_US/projects.lang index e6f38971e01..408c3db5e7a 100644 --- a/htdocs/langs/en_US/projects.lang +++ b/htdocs/langs/en_US/projects.lang @@ -213,3 +213,5 @@ AllowCommentOnTask=Allow user comments on tasks TaskCommentLinks=Comments TaskNbComments=Number of comments TaskComment=Task's comments space +CommentAdded=Comment added +CommentDeleted=Comment deleted diff --git a/htdocs/langs/fr_FR/projects.lang b/htdocs/langs/fr_FR/projects.lang index ece3272c743..154c1138ab9 100644 --- a/htdocs/langs/fr_FR/projects.lang +++ b/htdocs/langs/fr_FR/projects.lang @@ -212,3 +212,5 @@ AllowCommentOnTask=Autoriser les commentaires entre utilisateurs sur les tâches TaskCommentLinks=Commentaires TaskNbComments=Nombre de commentaires TaskComment=Tâches espace commentaires +CommentAdded=Commentaire ajouté avec succès +CommentDeleted=Commentaire supprimé avec succès diff --git a/htdocs/livraison/card.php b/htdocs/livraison/card.php index 02b126306f2..81237d39782 100644 --- a/htdocs/livraison/card.php +++ b/htdocs/livraison/card.php @@ -54,7 +54,7 @@ if (!empty($conf->incoterm->enabled)) $langs->load('incoterm'); $action=GETPOST('action', 'alpha'); $confirm=GETPOST('confirm', 'alpha'); -$backtopage=GETPOST('backtopage'); +$backtopage=GETPOST('backtopage','alpha'); // Security check $id = GETPOST('id', 'int'); diff --git a/htdocs/margin/checkMargins.php b/htdocs/margin/checkMargins.php index df44c6e6399..9b043766c78 100644 --- a/htdocs/margin/checkMargins.php +++ b/htdocs/margin/checkMargins.php @@ -38,7 +38,7 @@ $action = GETPOST('action','alpha'); $massaction = GETPOST('massaction','alpha'); $toselect = GETPOST('toselect', 'array'); $contextpage= GETPOST('contextpage','aZ')?GETPOST('contextpage','aZ'):'margindetail'; // To manage different context of search -$backtopage = GETPOST('backtopage'); +$backtopage = GETPOST('backtopage','alpha'); $optioncss = GETPOST('optioncss','alpha'); // Load variable for pagination @@ -75,8 +75,8 @@ if (GETPOST("button_search_x") || GETPOST("button_search")) { * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } $parameters=array(); $reshook=$hookmanager->executeHooks('doActions',$parameters, $object, $action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/master.inc.php b/htdocs/master.inc.php index a8d068cfd7d..ce3080e32e4 100644 --- a/htdocs/master.inc.php +++ b/htdocs/master.inc.php @@ -152,7 +152,7 @@ else if (! empty($_ENV["dol_entity"])) // Entity inside a CLI script { $conf->entity = $_ENV["dol_entity"]; } -else if (isset($_POST["loginfunction"]) && GETPOST("entity")) // Just after a login page +else if (isset($_POST["loginfunction"]) && GETPOST("entity",'int')) // Just after a login page { $conf->entity = GETPOST("entity",'int'); } diff --git a/htdocs/modulebuilder/template/myobject_agenda.php b/htdocs/modulebuilder/template/myobject_agenda.php index 8db9f0877c2..d6ccb79eea8 100644 --- a/htdocs/modulebuilder/template/myobject_agenda.php +++ b/htdocs/modulebuilder/template/myobject_agenda.php @@ -106,7 +106,7 @@ if ($reshook < 0) setEventMessages($hookmanager->error, $hookmanager->errors, 'e if (empty($reshook)) { // Cancel - if (GETPOST("cancel") && ! empty($backtopage)) + if (GETPOST('cancel','alpha') && ! empty($backtopage)) { header("Location: ".$backtopage); exit; diff --git a/htdocs/modulebuilder/template/myobject_list.php b/htdocs/modulebuilder/template/myobject_list.php index b89491b5d48..a605e765290 100644 --- a/htdocs/modulebuilder/template/myobject_list.php +++ b/htdocs/modulebuilder/template/myobject_list.php @@ -143,8 +143,8 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab * Put here all code to do according to value of "$action" parameter */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } $parameters=array(); $reshook=$hookmanager->executeHooks('doActions', $parameters, $object, $action); // Note that $action and $object may have been modified by some hooks @@ -216,8 +216,8 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab $sql.= " WHERE t.entity IN (".getEntity('myobject').")"; foreach($search as $key => $val) { - $mode=(($object->isInt($object->fields[$key]) || $object->isFloat($object->fields[$key]))?1:0); - if ($search[$key] != '') $sql.=natural_search($key, $search[$key], (($key == 'status')?2:$mode)); + $mode_search=(($object->isInt($object->fields[$key]) || $object->isFloat($object->fields[$key]))?1:0); + if ($search[$key] != '') $sql.=natural_search($key, $search[$key], (($key == 'status')?2:$mode_search)); } if ($search_all) $sql.= natural_search(array_keys($fieldstosearchall), $search_all); // Add where from extra fields @@ -226,12 +226,12 @@ foreach ($search_array_options as $key => $val) $crit=$val; $tmpkey=preg_replace('/search_options_/','',$key); $typ=$extrafields->attribute_type[$tmpkey]; - $mode=0; - if (in_array($typ, array('int','double','real'))) $mode=1; // Search on a numeric - if (in_array($typ, array('sellist')) && $crit != '0' && $crit != '-1') $mode=2; // Search on a foreign key int + $mode_search=0; + if (in_array($typ, array('int','double','real'))) $mode_search=1; // Search on a numeric + if (in_array($typ, array('sellist')) && $crit != '0' && $crit != '-1') $mode_search=2; // Search on a foreign key int if ($crit != '' && (! in_array($typ, array('select','sellist')) || $crit != '0')) { - $sql .= natural_search('ef.'.$tmpkey, $crit, $mode); + $sql .= natural_search('ef.'.$tmpkey, $crit, $mode_search); } } // Add where from hooks diff --git a/htdocs/opensurvey/card.php b/htdocs/opensurvey/card.php index c634ca1ceaa..4d71efe6395 100644 --- a/htdocs/opensurvey/card.php +++ b/htdocs/opensurvey/card.php @@ -35,7 +35,7 @@ if (!$user->rights->opensurvey->read) accessforbidden(); // Initialisation des variables $action=GETPOST('action','aZ09'); -$cancel=GETPOST('cancel'); +$cancel=GETPOST('cancel','alpha'); $numsondage = ''; diff --git a/htdocs/opensurvey/results.php b/htdocs/opensurvey/results.php index 9bfb15b2c24..2ce78a2f8c7 100644 --- a/htdocs/opensurvey/results.php +++ b/htdocs/opensurvey/results.php @@ -520,7 +520,7 @@ if (GETPOST('ajoutsujet')) if (!$user->rights->opensurvey->write) accessforbidden(); print '
'."\n"; - print ''; + print ''; print '
'."\n"; print "

"."\n"; diff --git a/htdocs/paybox/admin/paybox.php b/htdocs/paybox/admin/paybox.php index 991c1511694..b5049becbdb 100644 --- a/htdocs/paybox/admin/paybox.php +++ b/htdocs/paybox/admin/paybox.php @@ -32,6 +32,7 @@ $servicename='PayBox'; $langs->load("admin"); $langs->load("other"); $langs->load("paybox"); +$langs->load("paypal"); if (!$user->admin) accessforbidden(); @@ -65,6 +66,11 @@ if ($action == 'setvalue' && $user->admin) if (! $result > 0) $error++; $result=dolibarr_set_const($db, "ONLINE_PAYMENT_SENDEMAIL",GETPOST('ONLINE_PAYMENT_SENDEMAIL'),'chaine',0,'',$conf->entity); if (! $result > 0) $error++; + // Payment token for URL + $result=dolibarr_set_const($db, "PAYMENT_SECURITY_TOKEN",GETPOST('PAYMENT_SECURITY_TOKEN','alpha'),'chaine',0,'',$conf->entity); + if (! $result > 0) $error++; + $result=dolibarr_set_const($db, "PAYMENT_SECURITY_TOKEN_UNIQUE",GETPOST('PAYMENT_SECURITY_TOKEN_UNIQUE','alpha'),'chaine',0,'',$conf->entity); + if (! $result > 0) $error++; if (! $error) { @@ -210,6 +216,19 @@ print ''; +// Payment token for URL +print ''; +print $langs->trans("SecurityToken").''; +print ''; +if (! empty($conf->use_javascript_ajax)) + print ' '.img_picto($langs->trans('Generate'), 'refresh', 'id="generate_token" class="linkobject"'); +print ''; + +print ''; +print $langs->trans("SecurityTokenIsUnique").''; +print $form->selectyesno("PAYMENT_SECURITY_TOKEN_UNIQUE",(empty($conf->global->PAYMENT_SECURITY_TOKEN)?0:$conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE),1); +print ''; + print ''; dol_fiche_end(); @@ -220,33 +239,7 @@ print ''; print '

'; -print ''.$langs->trans("FollowingUrlAreAvailableToMakePayments").':

'; -print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnFreeAmount",$servicename).':
'; -print ''.DOL_MAIN_URL_ROOT.'/public/paybox/newpayment.php?amount=9.99&tag=your_free_tag'."
\n"; -if (! empty($conf->commande->enabled)) -{ - print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnOrder",$servicename).':
'; - print ''.DOL_MAIN_URL_ROOT.'/public/paybox/newpayment.php?source=order&ref=order_ref'."
\n"; -} -if (! empty($conf->facture->enabled)) -{ - print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnInvoice",$servicename).':
'; - print ''.DOL_MAIN_URL_ROOT.'/public/paybox/newpayment.php?source=invoice&ref=invoice_ref'."
\n"; -// print $langs->trans("SetupPayBoxToHavePaymentCreatedAutomatically",$langs->transnoentitiesnoconv("FeatureNotYetAvailable"))."
\n"; -} -if (! empty($conf->contrat->enabled)) -{ - print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnContractLine",$servicename).':
'; - print ''.DOL_MAIN_URL_ROOT.'/public/paybox/newpayment.php?source=contractline&ref=contractline_ref'."
\n"; -} -if (! empty($conf->adherent->enabled)) -{ - print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnMemberSubscription",$servicename).':
'; - print ''.DOL_MAIN_URL_ROOT.'/public/paybox/newpayment.php?source=membersubscription&ref=member_ref'."
\n"; -} - -print info_admin($langs->trans("YouCanAddTagOnUrl")); +include DOL_DOCUMENT_ROOT.'/core/tpl/onlinepaymentlinks.tpl.php'; llxFooter(); - $db->close(); diff --git a/htdocs/paypal/admin/paypal.php b/htdocs/paypal/admin/paypal.php index 0b11b34c872..3647ea7a4d5 100644 --- a/htdocs/paypal/admin/paypal.php +++ b/htdocs/paypal/admin/paypal.php @@ -26,6 +26,7 @@ require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/paypal/lib/paypal.lib.php'; +require_once DOL_DOCUMENT_ROOT.'/core/lib/payments.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/doleditor.class.php'; @@ -58,10 +59,6 @@ if ($action == 'setvalue' && $user->admin) if (! $result > 0) $error++; $result=dolibarr_set_const($db, "ONLINE_PAYMENT_CSS_URL",GETPOST('ONLINE_PAYMENT_CSS_URL','alpha'),'chaine',0,'',$conf->entity); if (! $result > 0) $error++; - $result=dolibarr_set_const($db, "PAYPAL_SECURITY_TOKEN",GETPOST('PAYPAL_SECURITY_TOKEN','alpha'),'chaine',0,'',$conf->entity); - if (! $result > 0) $error++; - $result=dolibarr_set_const($db, "PAYPAL_SECURITY_TOKEN_UNIQUE",GETPOST('PAYPAL_SECURITY_TOKEN_UNIQUE','alpha'),'chaine',0,'',$conf->entity); - if (! $result > 0) $error++; $result=dolibarr_set_const($db, "PAYPAL_ADD_PAYMENT_URL",GETPOST('PAYPAL_ADD_PAYMENT_URL','alpha'),'chaine',0,'',$conf->entity); if (! $result > 0) $error++; $result=dolibarr_set_const($db, "ONLINE_PAYMENT_MESSAGE_FORM",GETPOST('ONLINE_PAYMENT_MESSAGE_FORM'),'chaine',0,'',$conf->entity); @@ -72,6 +69,11 @@ if ($action == 'setvalue' && $user->admin) if (! $result > 0) $error++; $result=dolibarr_set_const($db, "ONLINE_PAYMENT_SENDEMAIL",GETPOST('ONLINE_PAYMENT_SENDEMAIL'),'chaine',0,'',$conf->entity); if (! $result > 0) $error++; + // Payment token for URL + $result=dolibarr_set_const($db, "PAYMENT_SECURITY_TOKEN",GETPOST('PAYMENT_SECURITY_TOKEN','alpha'),'chaine',0,'',$conf->entity); + if (! $result > 0) $error++; + $result=dolibarr_set_const($db, "PAYMENT_SECURITY_TOKEN_UNIQUE",GETPOST('PAYMENT_SECURITY_TOKEN_UNIQUE','alpha'),'chaine',0,'',$conf->entity); + if (! $result > 0) $error++; if (! $error) { @@ -254,19 +256,18 @@ print ''.$langs->trans("UrlGenerationParameters").''; print ''.$langs->trans("Value").''; print "\n"; - +// Payment token for URL print ''; print $langs->trans("SecurityToken").''; -print ''; +print ''; if (! empty($conf->use_javascript_ajax)) print ' '.img_picto($langs->trans('Generate'), 'refresh', 'id="generate_token" class="linkobject"'); -print ''; + print ''; - -print ''; -print $langs->trans("SecurityTokenIsUnique").''; -print $form->selectyesno("PAYPAL_SECURITY_TOKEN_UNIQUE",(empty($conf->global->PAYPAL_SECURITY_TOKEN)?0:$conf->global->PAYPAL_SECURITY_TOKEN_UNIQUE),1); -print ''; + print ''; + print $langs->trans("SecurityTokenIsUnique").''; + print $form->selectyesno("PAYMENT_SECURITY_TOKEN_UNIQUE",(empty($conf->global->PAYMENT_SECURITY_TOKEN)?0:$conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE),1); + print ''; print ''; @@ -281,7 +282,7 @@ print '

'; // Help doc print ''.$langs->trans("InformationToFindParameters","Paypal").':
'; if (! empty($conf->use_javascript_ajax)) - print ''.$langs->trans("ClickHere").'...'; + print ''.$langs->trans("ClickHere").'...'; $realpaypalurl='www.paypal.com'; $sandboxpaypalurl='developer.paypal.com'; @@ -299,128 +300,24 @@ print 'Your API authentication information can be found with following steps. We '; print '
'; -print '

'; - -$token=''; - - -// Url list -print ''.$langs->trans("FollowingUrlAreAvailableToMakePayments").':

'; -print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnFreeAmount",$servicename).':
'; -print ''.getPaypalPaymentUrl(1,'free')."

\n"; -if (! empty($conf->commande->enabled)) -{ - print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnOrder",$servicename).':
'; - print ''.getPaypalPaymentUrl(1,'order')."
\n"; - if (! empty($conf->global->PAYPAL_SECURITY_TOKEN) && ! empty($conf->global->PAYPAL_SECURITY_TOKEN_UNIQUE)) - { - $langs->load("orders"); - print '
'; - print $langs->trans("EnterRefToBuildUrl",$langs->transnoentitiesnoconv("Order")).': '; - print ''; - print ''; - if (GETPOST('generate_order_ref','alpha')) - { - print '
-> '; - $url=getPaypalPaymentUrl(0,'order',GETPOST('generate_order_ref','alpha')); - print $url; - print "
\n"; - } - print '
'; - } - print '
'; -} -if (! empty($conf->facture->enabled)) -{ - print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnInvoice",$servicename).':
'; - print ''.getPaypalPaymentUrl(1,'invoice')."
\n"; - if (! empty($conf->global->PAYPAL_SECURITY_TOKEN) && ! empty($conf->global->PAYPAL_SECURITY_TOKEN_UNIQUE)) - { - $langs->load("bills"); - print '
'; - print $langs->trans("EnterRefToBuildUrl",$langs->transnoentitiesnoconv("Invoice")).': '; - print ''; - print ''; - if (GETPOST('generate_invoice_ref','alpha')) - { - print '
-> '; - $url=getPaypalPaymentUrl(0,'invoice',GETPOST('generate_invoice_ref','alpha')); - print $url; - print "
\n"; - } - print '
'; - } - print '
'; -} -if (! empty($conf->contrat->enabled)) -{ - print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnContractLine",$servicename).':
'; - print ''.getPaypalPaymentUrl(1,'contractline')."
\n"; - if (! empty($conf->global->PAYPAL_SECURITY_TOKEN) && ! empty($conf->global->PAYPAL_SECURITY_TOKEN_UNIQUE)) - { - $langs->load("contract"); - print '
'; - print $langs->trans("EnterRefToBuildUrl",$langs->transnoentitiesnoconv("Contract")).': '; - print ''; - print ''; - if (GETPOST('generate_contract_ref')) - { - print '
-> '; - $url=getPaypalPaymentUrl(0,'contractline',GETPOST('generate_contract_ref','alpha')); - print $url; - print "
\n"; - } - print '
'; - } - print '
'; -} -if (! empty($conf->adherent->enabled)) -{ - print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnMemberSubscription",$servicename).':
'; - print ''.getPaypalPaymentUrl(1,'membersubscription')."
\n"; - if (! empty($conf->global->PAYPAL_SECURITY_TOKEN) && ! empty($conf->global->PAYPAL_SECURITY_TOKEN_UNIQUE)) - { - $langs->load("members"); - print '
'; - print $langs->trans("EnterRefToBuildUrl",$langs->transnoentitiesnoconv("Member")).': '; - print ''; - print ''; - if (GETPOST('generate_member_ref')) - { - print '
-> '; - $url=getPaypalPaymentUrl(0,'membersubscription',GETPOST('generate_member_ref','alpha')); - print $url; - print "
\n"; - } - print '
'; - } - print '
'; -} - -print info_admin($langs->trans("YouCanAddTagOnUrl")); - if (! empty($conf->use_javascript_ajax)) { print "\n".''; } +print '

'; + +$token=''; + +include DOL_DOCUMENT_ROOT.'/core/tpl/onlinepaymentlinks.tpl.php'; + llxFooter(); $db->close(); diff --git a/htdocs/product/card.php b/htdocs/product/card.php index 53d553aca16..54afc80691f 100644 --- a/htdocs/product/card.php +++ b/htdocs/product/card.php @@ -69,7 +69,7 @@ $id=GETPOST('id', 'int'); $ref=GETPOST('ref', 'alpha'); $type=GETPOST('type','int'); $action=(GETPOST('action','alpha') ? GETPOST('action','alpha') : 'view'); -$cancel=GETPOST('cancel'); +$cancel=GETPOST('cancel','alpha'); $confirm=GETPOST('confirm','alpha'); $socid=GETPOST('socid','int'); $duration_value = GETPOST('duration_value'); @@ -358,7 +358,7 @@ if (empty($reshook)) // Update a product or service if ($action == 'update' && ($user->rights->produit->creer || $user->rights->service->creer)) { - if (GETPOST('cancel')) + if (GETPOST('cancel','alpha')) { $action = ''; } diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php index 7aecf127fea..d3347557332 100644 --- a/htdocs/product/class/product.class.php +++ b/htdocs/product/class/product.class.php @@ -536,12 +536,12 @@ class Product extends CommonObject $sql.= ", ".$this->type; $sql.= ", ".price2num($price_ht); $sql.= ", ".price2num($price_ttc); - $sql.= ", '".$this->price_base_type."'"; + $sql.= ", '".$this->db->escape($this->price_base_type)."'"; $sql.= ", ".$this->status; $sql.= ", ".$this->status_buy; - $sql.= ", '".$this->accountancy_code_buy."'"; - $sql.= ", '".$this->accountancy_code_sell."'"; - $sql.= ", '".$this->canvas."'"; + $sql.= ", '".$this->db->escape($this->accountancy_code_buy)."'"; + $sql.= ", '".$this->db->escape($this->accountancy_code_sell)."'"; + $sql.= ", '".$this->db->escape($this->canvas)."'"; $sql.= ", ".((! isset($this->finished) || $this->finished < 0 || $this->finished == '') ? 'null' : (int) $this->finished); $sql.= ", ".((empty($this->status_batch) || $this->status_batch < 0)? '0':$this->status_batch); $sql.= ", ".(!$this->fk_unit ? 'NULL' : $this->fk_unit); @@ -853,8 +853,8 @@ class Product extends CommonObject $sql.= ", recuperableonly = " . $this->tva_npr; $sql.= ", localtax1_tx = " . $this->localtax1_tx; $sql.= ", localtax2_tx = " . $this->localtax2_tx; - $sql.= ", localtax1_type = " . ($this->localtax1_type!=''?"'".$this->localtax1_type."'":"'0'"); - $sql.= ", localtax2_type = " . ($this->localtax2_type!=''?"'".$this->localtax2_type."'":"'0'"); + $sql.= ", localtax1_type = " . ($this->localtax1_type!=''?"'".$this->db->escape($this->localtax1_type)."'":"'0'"); + $sql.= ", localtax2_type = " . ($this->localtax2_type!=''?"'".$this->db->escape($this->localtax2_type)."'":"'0'"); $sql.= ", barcode = ". (empty($this->barcode)?"null":"'".$this->db->escape($this->barcode)."'"); $sql.= ", fk_barcode_type = ". (empty($this->barcode_type)?"null":$this->db->escape($this->barcode_type)); @@ -863,19 +863,19 @@ class Product extends CommonObject $sql.= ", tobuy = " . $this->status_buy; $sql.= ", tobatch = " . ((empty($this->status_batch) || $this->status_batch < 0) ? '0' : $this->status_batch); $sql.= ", finished = " . ((! isset($this->finished) || $this->finished < 0) ? "null" : (int) $this->finished); - $sql.= ", weight = " . ($this->weight!='' ? "'".$this->weight."'" : 'null'); - $sql.= ", weight_units = " . ($this->weight_units!='' ? "'".$this->weight_units."'": 'null'); - $sql.= ", length = " . ($this->length!='' ? "'".$this->length."'" : 'null'); - $sql.= ", length_units = " . ($this->length_units!='' ? "'".$this->length_units."'" : 'null'); - $sql.= ", width= " . ($this->width!='' ? "'".$this->width."'" : 'null'); - $sql.= ", width_units = " . ($this->width_units!='' ? "'".$this->width_units."'" : 'null'); - $sql.= ", height = " . ($this->height!='' ? "'".$this->height."'" : 'null'); - $sql.= ", height_units = " . ($this->height_units!='' ? "'".$this->height_units."'" : 'null'); - $sql.= ", surface = " . ($this->surface!='' ? "'".$this->surface."'" : 'null'); - $sql.= ", surface_units = " . ($this->surface_units!='' ? "'".$this->surface_units."'" : 'null'); - $sql.= ", volume = " . ($this->volume!='' ? "'".$this->volume."'" : 'null'); - $sql.= ", volume_units = " . ($this->volume_units!='' ? "'".$this->volume_units."'" : 'null'); - $sql.= ", seuil_stock_alerte = " . ((isset($this->seuil_stock_alerte) && $this->seuil_stock_alerte != '') ? "'".$this->seuil_stock_alerte."'" : "null"); + $sql.= ", weight = " . ($this->weight!='' ? "'".$this->db->escape($this->weight)."'" : 'null'); + $sql.= ", weight_units = " . ($this->weight_units!='' ? "'".$this->db->escape($this->weight_units)."'": 'null'); + $sql.= ", length = " . ($this->length!='' ? "'".$this->db->escape($this->length)."'" : 'null'); + $sql.= ", length_units = " . ($this->length_units!='' ? "'".$this->db->escape($this->length_units)."'" : 'null'); + $sql.= ", width= " . ($this->width!='' ? "'".$this->db->escape($this->width)."'" : 'null'); + $sql.= ", width_units = " . ($this->width_units!='' ? "'".$this->db->escape($this->width_units)."'" : 'null'); + $sql.= ", height = " . ($this->height!='' ? "'".$this->db->escape($this->height)."'" : 'null'); + $sql.= ", height_units = " . ($this->height_units!='' ? "'".$this->db->escape($this->height_units)."'" : 'null'); + $sql.= ", surface = " . ($this->surface!='' ? "'".$this->db->escape($this->surface)."'" : 'null'); + $sql.= ", surface_units = " . ($this->surface_units!='' ? "'".$this->db->escape($this->surface_units)."'" : 'null'); + $sql.= ", volume = " . ($this->volume!='' ? "'".$this->db->escape($this->volume)."'" : 'null'); + $sql.= ", volume_units = " . ($this->volume_units!='' ? "'".$this->db->escape($this->volume_units)."'" : 'null'); + $sql.= ", seuil_stock_alerte = " . ((isset($this->seuil_stock_alerte) && $this->seuil_stock_alerte != '') ? "'".$this->db->escape($this->seuil_stock_alerte)."'" : "null"); $sql.= ", description = '" . $this->db->escape($this->description) ."'"; $sql.= ", url = " . ($this->url?"'".$this->db->escape($this->url)."'":'null'); $sql.= ", customcode = '" . $this->db->escape($this->customcode) ."'"; @@ -1439,8 +1439,8 @@ class Product extends CommonObject // Add new price $sql = "INSERT INTO ".MAIN_DB_PREFIX."product_price(price_level,date_price, fk_product, fk_user_author, price, price_ttc, price_base_type,tosell, tva_tx, default_vat_code, recuperableonly,"; $sql.= " localtax1_tx, localtax2_tx, localtax1_type, localtax2_type, price_min,price_min_ttc,price_by_qty,entity,fk_price_expression) "; - $sql.= " VALUES(".($level?$level:1).", '".$this->db->idate($now)."',".$this->id.",".$user->id.",".$this->price.",".$this->price_ttc.",'".$this->price_base_type."',".$this->status.",".$this->tva_tx.", ".($this->default_vat_code?("'".$this->default_vat_code."'"):"null").",".$this->tva_npr.","; - $sql.= " ".$this->localtax1_tx.", ".$this->localtax2_tx.", '".$this->localtax1_type."', '".$this->localtax2_type."', ".$this->price_min.",".$this->price_min_ttc.",".$this->price_by_qty.",".$conf->entity.",".($this->fk_price_expression > 0?$this->fk_price_expression:'null'); + $sql.= " VALUES(".($level?$level:1).", '".$this->db->idate($now)."',".$this->id.",".$user->id.",".$this->price.",".$this->price_ttc.",'".$this->db->escape($this->price_base_type)."',".$this->status.",".$this->tva_tx.", ".($this->default_vat_code?("'".$this->db->escape($this->default_vat_code)."'"):"null").",".$this->tva_npr.","; + $sql.= " ".$this->localtax1_tx.", ".$this->localtax2_tx.", '".$this->db->escape($this->localtax1_type)."', '".$this->db->escape($this->localtax2_type)."', ".$this->price_min.",".$this->price_min_ttc.",".$this->price_by_qty.",".$conf->entity.",".($this->fk_price_expression > 0?$this->fk_price_expression:'null'); $sql.= ")"; dol_syslog(get_class($this)."::_log_price", LOG_DEBUG); diff --git a/htdocs/product/class/productbatch.class.php b/htdocs/product/class/productbatch.class.php index 5ab70506693..64a43485604 100644 --- a/htdocs/product/class/productbatch.class.php +++ b/htdocs/product/class/productbatch.class.php @@ -154,7 +154,7 @@ class Productbatch extends CommonObject $sql.= " pl.sellby"; $sql.= " FROM ".MAIN_DB_PREFIX."product_batch as t INNER JOIN ".MAIN_DB_PREFIX."product_stock w on t.fk_product_stock = w.rowid"; - $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."product_lot as pl on pl.fk_product = w.fk_product and pl.batch = t.batch"; + $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."product_lot as pl on pl.fk_product = w.fk_product and pl.batch = t.batch"; $sql.= " WHERE t.rowid = ".$id; dol_syslog(get_class($this)."::fetch", LOG_DEBUG); @@ -205,9 +205,9 @@ class Productbatch extends CommonObject // TODO Check qty is ok for stock move. Negative may not be allowed. if ($this->qty < 0) { - + } - + // Update request $sql = "UPDATE ".MAIN_DB_PREFIX.self::$_table_element." SET"; $sql.= " fk_product_stock=".(isset($this->fk_product_stock)?$this->fk_product_stock:"null").","; @@ -435,7 +435,7 @@ class Productbatch extends CommonObject if (! empty($eatby)) array_push($where," eatby = '".$this->db->idate($eatby)."'"); // deprecated if (! empty($sellby)) array_push($where," sellby = '".$this->db->idate($sellby)."'"); // deprecated - + if (! empty($batch_number)) $sql.= " AND batch = '".$this->db->escape($batch_number)."'"; if (! empty($where)) $sql.= " AND (".implode(" OR ",$where).")"; @@ -493,7 +493,7 @@ class Productbatch extends CommonObject $sql.= " t.import_key"; if ($fk_product > 0) { - $sql.= ", pl.eatby as eatby, pl.sellby as sellby"; + $sql.= ", pl.rowid as lotid, pl.eatby as eatby, pl.sellby as sellby"; // TODO May add extrafields to ? } $sql.= " FROM ".MAIN_DB_PREFIX."product_batch as t"; @@ -517,6 +517,7 @@ class Productbatch extends CommonObject $tmp = new Productbatch($db); $tmp->id = $obj->rowid; + $tmp->lotid = $obj->lotid; $tmp->tms = $db->jdate($obj->tms); $tmp->fk_product_stock = $obj->fk_product_stock; $tmp->sellby = $db->jdate($obj->sellby ? $obj->sellby : $obj->oldsellby); diff --git a/htdocs/product/class/productcustomerprice.class.php b/htdocs/product/class/productcustomerprice.class.php index f8ca6366ddc..3b83ae6b858 100644 --- a/htdocs/product/class/productcustomerprice.class.php +++ b/htdocs/product/class/productcustomerprice.class.php @@ -161,19 +161,19 @@ class Productcustomerprice extends CommonObject $sql .= ") VALUES ("; $sql .= " " . $conf->entity . ","; $sql .= " '" . $this->db->idate(dol_now()) . "',"; - $sql .= " " . (! isset($this->fk_product) ? 'NULL' : "'" . $this->fk_product . "'") . ","; - $sql .= " " . (! isset($this->fk_soc) ? 'NULL' : "'" . $this->fk_soc . "'") . ","; - $sql .= " " . (empty($this->price) ? '0' : "'" . $this->price . "'") . ","; - $sql .= " " . (empty($this->price_ttc) ? '0' : "'" . $this->price_ttc . "'") . ","; - $sql .= " " . (empty($this->price_min) ? '0' : "'" . $this->price_min . "'") . ","; - $sql .= " " . (empty($this->price_min_ttc) ? '0' : "'" . $this->price_min_ttc . "'") . ","; + $sql .= " " . (! isset($this->fk_product) ? 'NULL' : "'" . $this->db->escape($this->fk_product) . "'") . ","; + $sql .= " " . (! isset($this->fk_soc) ? 'NULL' : "'" . $this->db->escape($this->fk_soc) . "'") . ","; + $sql .= " " . (empty($this->price) ? '0' : "'" . $this->db->escape($this->price) . "'") . ","; + $sql .= " " . (empty($this->price_ttc) ? '0' : "'" . $this->db->escape($this->price_ttc) . "'") . ","; + $sql .= " " . (empty($this->price_min) ? '0' : "'" . $this->db->escape($this->price_min) . "'") . ","; + $sql .= " " . (empty($this->price_min_ttc) ? '0' : "'" . $this->db->escape($this->price_min_ttc) . "'") . ","; $sql .= " " . (! isset($this->price_base_type) ? 'NULL' : "'" . $this->db->escape($this->price_base_type) . "'") . ","; $sql .= " ".($this->default_vat_code ? "'".$this->db->escape($this->default_vat_code)."'" : "null").","; $sql .= " " . (! isset($this->tva_tx) ? 'NULL' : (empty($this->tva_tx)?0:$this->tva_tx)) . ","; - $sql .= " " . (! isset($this->recuperableonly) ? 'NULL' : "'" . $this->recuperableonly . "'") . ","; - $sql .= " " . (empty($this->localtax1_type) ? "'0'" : "'" . $this->localtax1_type . "'") . ","; + $sql .= " " . (! isset($this->recuperableonly) ? 'NULL' : "'" . $this->db->escape($this->recuperableonly) . "'") . ","; + $sql .= " " . (empty($this->localtax1_type) ? "'0'" : "'" . $this->db->escape($this->localtax1_type) . "'") . ","; $sql .= " " . (! isset($this->localtax1_tx) ? 'NULL' : (empty($this->localtax1_tx)?0:$this->localtax1_tx)) . ","; - $sql .= " " . (empty($this->localtax2_type) ? "'0'" : "'" . $this->localtax2_type . "'") . ","; + $sql .= " " . (empty($this->localtax2_type) ? "'0'" : "'" . $this->db->escape($this->localtax2_type) . "'") . ","; $sql .= " " . (! isset($this->localtax2_tx) ? 'NULL' : (empty($this->localtax2_tx)?0:$this->localtax2_tx)) . ","; $sql .= " " . $user->id . ","; $sql .= " " . (! isset($this->import_key) ? 'NULL' : "'" . $this->db->escape($this->import_key) . "'") . ""; @@ -660,8 +660,8 @@ class Productcustomerprice extends CommonObject $sql .= " recuperableonly=" . (isset($this->recuperableonly) ? $this->recuperableonly : "null") . ","; $sql .= " localtax1_tx=" . (isset($this->localtax1_tx) ? (empty($this->localtax1_tx)?0:$this->localtax1_tx) : "null") . ","; $sql .= " localtax2_tx=" . (isset($this->localtax2_tx) ? (empty($this->localtax2_tx)?0:$this->localtax2_tx) : "null") . ","; - $sql .= " localtax1_type=" . (! empty($this->localtax1_type) ? "'".$this->localtax1_type."'": "'0'") . ","; - $sql .= " localtax2_type=" . (! empty($this->localtax2_type) ? "'".$this->localtax2_type."'": "'0'") . ","; + $sql .= " localtax1_type=" . (! empty($this->localtax1_type) ? "'".$this->db->escape($this->localtax1_type)."'": "'0'") . ","; + $sql .= " localtax2_type=" . (! empty($this->localtax2_type) ? "'".$this->db->escape($this->localtax2_type)."'": "'0'") . ","; $sql .= " fk_user=" . $user->id . ","; $sql .= " import_key=" . (isset($this->import_key) ? "'" . $this->db->escape($this->import_key) . "'" : "null") . ""; diff --git a/htdocs/product/class/propalmergepdfproduct.class.php b/htdocs/product/class/propalmergepdfproduct.class.php index 865589692fb..87fdd132878 100644 --- a/htdocs/product/class/propalmergepdfproduct.class.php +++ b/htdocs/product/class/propalmergepdfproduct.class.php @@ -33,7 +33,7 @@ class Propalmergepdfproduct extends CommonObject { var $element='propal_merge_pdf_product'; //!< Id that identify managed objects var $table_element='propal_merge_pdf_product'; //!< Name of table without prefix where object is stored - + var $fk_product; var $file_name; var $fk_user_author; @@ -41,10 +41,10 @@ class Propalmergepdfproduct extends CommonObject var $datec=''; var $tms=''; var $lang; - + var $lines=array(); - + /** @@ -72,7 +72,7 @@ class Propalmergepdfproduct extends CommonObject $error=0; // Clean parameters - + if (isset($this->fk_product)) $this->fk_product=trim($this->fk_product); if (isset($this->file_name)) $this->file_name=trim($this->file_name); if (isset($this->fk_user_author)) $this->fk_user_author=trim($this->fk_user_author); @@ -80,14 +80,14 @@ class Propalmergepdfproduct extends CommonObject if (isset($this->lang)) $this->lang=trim($this->lang); if (isset($this->import_key)) $this->import_key=trim($this->import_key); - + // Check parameters // Put here code to add control on parameters values // Insert request $sql = "INSERT INTO ".MAIN_DB_PREFIX."propal_merge_pdf_product("; - + $sql.= "fk_product,"; $sql.= "file_name,"; if ($conf->global->MAIN_MULTILANGS) { @@ -97,10 +97,10 @@ class Propalmergepdfproduct extends CommonObject $sql.= "fk_user_mod,"; $sql.= "datec"; - + $sql.= ") VALUES ("; - - $sql.= " ".(! isset($this->fk_product)?'NULL':"'".$this->fk_product."'").","; + + $sql.= " ".(! isset($this->fk_product)?'NULL':"'".$this->db->escape($this->fk_product)."'").","; $sql.= " ".(! isset($this->file_name)?'NULL':"'".$this->db->escape($this->file_name)."'").","; if ($conf->global->MAIN_MULTILANGS) { $sql.= " ".(! isset($this->lang)?'NULL':"'".$this->db->escape($this->lang)."'").","; @@ -109,7 +109,7 @@ class Propalmergepdfproduct extends CommonObject $sql.= " ".$user->id.","; $sql.= " '".$this->db->idate(dol_now())."'"; - + $sql.= ")"; $this->db->begin(); @@ -164,10 +164,10 @@ class Propalmergepdfproduct extends CommonObject function fetch($id) { global $langs,$conf; - + $sql = "SELECT"; $sql.= " t.rowid,"; - + $sql.= " t.fk_product,"; $sql.= " t.file_name,"; $sql.= " t.lang,"; @@ -177,7 +177,7 @@ class Propalmergepdfproduct extends CommonObject $sql.= " t.tms,"; $sql.= " t.import_key"; - + $sql.= " FROM ".MAIN_DB_PREFIX."propal_merge_pdf_product as t"; $sql.= " WHERE t.rowid = ".$id; @@ -190,7 +190,7 @@ class Propalmergepdfproduct extends CommonObject $obj = $this->db->fetch_object($resql); $this->id = $obj->rowid; - + $this->fk_product = $obj->fk_product; $this->file_name = $obj->file_name; if ($conf->global->MAIN_MULTILANGS) { @@ -202,7 +202,7 @@ class Propalmergepdfproduct extends CommonObject $this->tms = $this->db->jdate($obj->tms); $this->import_key = $obj->import_key; - + } $this->db->free($resql); @@ -215,7 +215,7 @@ class Propalmergepdfproduct extends CommonObject return -1; } } - + /** * Load object in memory from the database * @@ -226,10 +226,10 @@ class Propalmergepdfproduct extends CommonObject function fetch_by_product($product_id, $lang='') { global $langs,$conf; - + $sql = "SELECT"; $sql.= " t.rowid,"; - + $sql.= " t.fk_product,"; $sql.= " t.file_name,"; $sql.= " t.lang,"; @@ -238,14 +238,14 @@ class Propalmergepdfproduct extends CommonObject $sql.= " t.datec,"; $sql.= " t.tms,"; $sql.= " t.import_key"; - - + + $sql.= " FROM ".MAIN_DB_PREFIX."propal_merge_pdf_product as t"; $sql.= " WHERE t.fk_product = ".$product_id; if ($conf->global->MAIN_MULTILANGS && !empty($lang)) { $sql.= " AND t.lang = '".$lang."'"; } - + dol_syslog(get_class($this)."::".__METHOD__, LOG_DEBUG); $resql=$this->db->query($sql); if ($resql) @@ -253,11 +253,11 @@ class Propalmergepdfproduct extends CommonObject if ($this->db->num_rows($resql)) { while($obj = $this->db->fetch_object($resql)) { - + $line = new PropalmergepdfproductLine(); - + $line->id = $obj->rowid; - + $line->fk_product = $obj->fk_product; $line->file_name = $obj->file_name; if ($conf->global->MAIN_MULTILANGS) { @@ -268,21 +268,21 @@ class Propalmergepdfproduct extends CommonObject $line->datec = $this->db->jdate($obj->datec); $line->tms = $this->db->jdate($obj->tms); $line->import_key = $obj->import_key; - - + + if ($conf->global->MAIN_MULTILANGS) { $this->lines[$obj->file_name.'_'.$obj->lang]=$line; }else { $this->lines[$obj->file_name]=$line; } - - + + } - - + + } $this->db->free($resql); - + return 1; } else @@ -307,21 +307,21 @@ class Propalmergepdfproduct extends CommonObject $error=0; // Clean parameters - + if (isset($this->fk_product)) $this->fk_product=trim($this->fk_product); if (isset($this->file_name)) $this->file_name=trim($this->file_name); if (isset($this->fk_user_mod)) $this->fk_user_mod=trim($this->fk_user_mod); if (isset($this->lang)) $this->lang=trim($this->lang); - - + + // Check parameters // Put here code to add a control on parameters values // Update request $sql = "UPDATE ".MAIN_DB_PREFIX."propal_merge_pdf_product SET"; - + $sql.= " fk_product=".(isset($this->fk_product)?$this->fk_product:"null").","; $sql.= " file_name=".(isset($this->file_name)?"'".$this->db->escape($this->file_name)."'":"null").","; if ($conf->global->MAIN_MULTILANGS) { @@ -329,7 +329,7 @@ class Propalmergepdfproduct extends CommonObject } $sql.= " fk_user_mod=".$user->id; - + $sql.= " WHERE rowid=".$this->id; $this->db->begin(); @@ -430,7 +430,7 @@ class Propalmergepdfproduct extends CommonObject return 1; } } - + /** * Delete object in database * @@ -444,16 +444,16 @@ class Propalmergepdfproduct extends CommonObject { global $conf, $langs; $error=0; - + $this->db->begin(); - + if (! $error) { if (! $notrigger) { // Uncomment this and change MYOBJECT to your own tag if you // want this action calls a trigger. - + //// Call triggers //include_once DOL_DOCUMENT_ROOT . '/core/class/interfaces.class.php'; //$interface=new Interfaces($this->db); @@ -462,21 +462,21 @@ class Propalmergepdfproduct extends CommonObject //// End call triggers } } - + if (! $error) { $sql = "DELETE FROM ".MAIN_DB_PREFIX."propal_merge_pdf_product"; $sql.= " WHERE fk_product=".$product_id; - + if ($conf->global->MAIN_MULTILANGS && !empty($lang_id)) { $sql.= " AND lang='".$lang_id."'"; } - + dol_syslog(get_class($this)."::".__METHOD__, LOG_DEBUG); $resql = $this->db->query($sql); if (! $resql) { $error++; $this->errors[]="Error ".$this->db->lasterror(); } } - + // Commit or rollback if ($error) { @@ -494,7 +494,7 @@ class Propalmergepdfproduct extends CommonObject return 1; } } - + /** * Delete object in database * @@ -505,16 +505,16 @@ class Propalmergepdfproduct extends CommonObject { global $conf, $langs; $error=0; - + $this->db->begin(); - + if (! $error) { if (! $notrigger) { // Uncomment this and change MYOBJECT to your own tag if you // want this action calls a trigger. - + //// Call triggers //include_once DOL_DOCUMENT_ROOT . '/core/class/interfaces.class.php'; //$interface=new Interfaces($this->db); @@ -523,17 +523,17 @@ class Propalmergepdfproduct extends CommonObject //// End call triggers } } - + if (! $error) { $sql = "DELETE FROM ".MAIN_DB_PREFIX."propal_merge_pdf_product"; $sql.= " WHERE fk_product=".$this->fk_product." AND file_name='".$this->db->escape($this->file_name)."'"; - + dol_syslog(get_class($this)."::".__METHOD__, LOG_DEBUG); $resql = $this->db->query($sql); if (! $resql) { $error++; $this->errors[]="Error ".$this->db->lasterror(); } } - + // Commit or rollback if ($error) { @@ -617,7 +617,7 @@ class Propalmergepdfproduct extends CommonObject function initAsSpecimen() { $this->id=0; - + $this->fk_product=''; $this->file_name=''; $this->fk_user_author=''; @@ -626,7 +626,7 @@ class Propalmergepdfproduct extends CommonObject $this->tms=''; $this->import_key=''; - + } } @@ -637,7 +637,7 @@ class Propalmergepdfproduct extends CommonObject class PropalmergepdfproductLine { var $id; - + var $fk_product; var $file_name; var $lang; diff --git a/htdocs/product/inventory/list.php b/htdocs/product/inventory/list.php index 162567878d1..6f443324f6b 100644 --- a/htdocs/product/inventory/list.php +++ b/htdocs/product/inventory/list.php @@ -69,7 +69,7 @@ $toselect = GETPOST('toselect', 'array'); $contextpage= GETPOST('contextpage','aZ')?GETPOST('contextpage','aZ'):'inventorylist'; // To manage different context of search $id = GETPOST('id','int'); -$backtopage = GETPOST('backtopage'); +$backtopage = GETPOST('backtopage','alpha'); $optioncss = GETPOST('optioncss','alpha'); // Load variable for pagination @@ -143,8 +143,8 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab * Put here all code to do according to value of "$action" parameter */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } $parameters=array(); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/product/list.php b/htdocs/product/list.php index 4f994660052..7d2b1a22b68 100644 --- a/htdocs/product/list.php +++ b/htdocs/product/list.php @@ -193,8 +193,8 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } $parameters=array(); $reshook=$hookmanager->executeHooks('doActions',$parameters, $object, $action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/product/reassortlot.php b/htdocs/product/reassortlot.php index 5c89aa4845f..cf4e889e89e 100644 --- a/htdocs/product/reassortlot.php +++ b/htdocs/product/reassortlot.php @@ -28,6 +28,7 @@ require '../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php'; +require_once DOL_DOCUMENT_ROOT.'/product/stock/class/productlot.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/html.formother.class.php'; require_once DOL_DOCUMENT_ROOT.'/categories/class/categorie.class.php'; require_once DOL_DOCUMENT_ROOT.'/product/stock/class/entrepot.class.php'; @@ -115,7 +116,7 @@ $sql.= ' p.duration, p.tosell as statut, p.tobuy, p.seuil_stock_alerte, p.desire $sql.= ' ps.fk_entrepot,'; $sql.= ' e.label as warehouse_ref, e.lieu as warehouse_lieu, e.fk_parent as warehouse_parent,'; $sql.= ' pb.batch, pb.eatby as oldeatby, pb.sellby as oldsellby,'; -$sql.= ' pl.eatby, pl.sellby,'; +$sql.= ' pl.rowid as lotid, pl.eatby, pl.sellby,'; $sql.= ' SUM(pb.qty) as stock_physique, COUNT(pb.rowid) as nbinbatchtable'; $sql.= ' FROM '.MAIN_DB_PREFIX.'product as p'; $sql.= ' LEFT JOIN '.MAIN_DB_PREFIX.'product_stock as ps on p.rowid = ps.fk_product'; // Detail for each warehouse @@ -157,7 +158,7 @@ $sql.= " p.duration, p.tosell, p.tobuy, p.seuil_stock_alerte, p.desiredstock, p. $sql.= " ps.fk_entrepot,"; $sql.= " e.label, e.lieu, e.fk_parent,"; $sql.= " pb.batch, pb.eatby, pb.sellby,"; -$sql.= " pl.eatby, pl.sellby"; +$sql.= " pl.rowid, pl.eatby, pl.sellby"; if ($toolowstock) $sql.= " HAVING SUM(".$db->ifsql('ps.reel IS NULL', '0', 'ps.reel').") < p.seuil_stock_alerte"; // Not used yet $sql.= $db->order($sortfield,$sortorder); @@ -306,6 +307,7 @@ if ($resql) print "\n"; $product_static=new Product($db); + $product_lot_static=new Productlot($db); $warehousetmp=new Entrepot($db); while ($i < min($num,$limit)) @@ -336,6 +338,13 @@ if ($resql) $product_static->type=$objp->fk_product_type; $product_static->entity=$objp->entity; + $product_lot_static->batch=$objp->batch; + $product_lot_static->product_id=$objp->rowid; + $product_lot_static->id=$objp->lotid; + $product_lot_static->eatby=$objp->eatby; + $product_lot_static->sellby=$objp->sellby; + + $warehousetmp->id=$objp->fk_entrepot; $warehousetmp->ref=$objp->warehouse_ref; $warehousetmp->label=$objp->warehouse_ref; @@ -372,7 +381,15 @@ if ($resql) print $warehousetmp->getNomUrl(1); } print ''; - print ''.$objp->batch.''; + + // Lot + print ''; + if ($product_lot_static->batch) + { + print $product_lot_static->getNomUrl(1); + } + print ''; + print ''.dol_print_date($db->jdate($objp->eatby), 'day').''; print ''.dol_print_date($db->jdate($objp->sellby), 'day').''; print ''; diff --git a/htdocs/product/stock/card.php b/htdocs/product/stock/card.php index 0f843e97b61..c95e805c3f5 100644 --- a/htdocs/product/stock/card.php +++ b/htdocs/product/stock/card.php @@ -39,7 +39,7 @@ $langs->load("companies"); $langs->load("categories"); $action=GETPOST('action','aZ09'); -$cancel=GETPOST('cancel'); +$cancel=GETPOST('cancel','alpha'); $confirm=GETPOST('confirm'); $sortfield = GETPOST("sortfield",'alpha'); @@ -48,7 +48,7 @@ $id = GETPOST("id",'int'); if (! $sortfield) $sortfield="p.ref"; if (! $sortorder) $sortorder="DESC"; -$backtopage=GETPOST("backtopage"); +$backtopage=GETPOST('backtopage','alpha'); // Security check $result=restrictedArea($user,'stock'); diff --git a/htdocs/product/stock/mouvement.php b/htdocs/product/stock/mouvement.php index 8659dfe8461..4b878c03260 100644 --- a/htdocs/product/stock/mouvement.php +++ b/htdocs/product/stock/mouvement.php @@ -51,7 +51,7 @@ $id=GETPOST('id','int'); $msid=GETPOST('msid','int'); $product_id=GETPOST("product_id"); $action=GETPOST('action','aZ09'); -$cancel=GETPOST('cancel'); +$cancel=GETPOST('cancel','alpha'); $idproduct = GETPOST('idproduct','int'); $year = GETPOST("year"); $month = GETPOST("month"); @@ -112,8 +112,8 @@ $object = new MouvementStock($db); // To be passed as parameter of executeHooks * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } $parameters=array(); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/product/stock/product.php b/htdocs/product/stock/product.php index 87a218bb672..01df409361c 100644 --- a/htdocs/product/stock/product.php +++ b/htdocs/product/stock/product.php @@ -32,6 +32,7 @@ require '../../main.inc.php'; require_once DOL_DOCUMENT_ROOT.'/product/stock/class/entrepot.class.php'; require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php'; +require_once DOL_DOCUMENT_ROOT.'/product/stock/class/productlot.class.php'; require_once DOL_DOCUMENT_ROOT.'/fourn/class/fournisseur.product.class.php'; require_once DOL_DOCUMENT_ROOT.'/core/lib/product.lib.php'; require_once DOL_DOCUMENT_ROOT.'/product/class/html.formproduct.class.php'; @@ -50,15 +51,15 @@ $langs->load("stocks"); $langs->load("sendings"); if (! empty($conf->productbatch->enabled)) $langs->load("productbatch"); -$backtopage=GETPOST('backtopage'); +$backtopage=GETPOST('backtopage','alpha'); $action=GETPOST('action','aZ09'); -$cancel=GETPOST('cancel'); +$cancel=GETPOST('cancel','alpha'); $id=GETPOST('id', 'int'); $ref=GETPOST('ref', 'alpha'); $stocklimit = GETPOST('seuil_stock_alerte'); $desiredstock = GETPOST('desiredstock'); -$cancel = GETPOST('cancel'); +$cancel = GETPOST('cancel','alpha'); $fieldid = isset($_GET["ref"])?'ref':'rowid'; $d_eatby=dol_mktime(0, 0, 0, $_POST['eatbymonth'], $_POST['eatbyday'], $_POST['eatbyyear']); $d_sellby=dol_mktime(0, 0, 0, $_POST['sellbymonth'], $_POST['sellbyday'], $_POST['sellbyyear']); @@ -823,6 +824,8 @@ $sql.= " AND ps.fk_product = ".$object->id; $sql.= " ORDER BY e.label"; $entrepotstatic=new Entrepot($db); +$product_lot_static=new Productlot($db); + $total=0; $totalvalue=$totalvaluesell=0; @@ -867,6 +870,11 @@ if ($resql) if ($details<0) dol_print_error($db); foreach ($details as $pdluo) { + $product_lot_static->id = $pdluo->lotid; + $product_lot_static->batch = $pdluo->batch; + $product_lot_static->eatby = $pdluo->eatby; + $product_lot_static->sellby = $pdluo->sellby; + if ($action == 'editline' && GETPOST('lineid','int') == $pdluo->id) { //Current line edit print "\n".''; @@ -896,7 +904,9 @@ if ($resql) // Do not use this, or data will be wrong (bad tracking of movement label, inventory code, ... //print 'id.'#'.$pdluo->id.'">'; //print img_edit().''; - print ''.$pdluo->batch.''; + print ''; + print $product_lot_static->getNomUrl(1); + print ''; print ''. dol_print_date($pdluo->eatby,'day') .''; print ''. dol_print_date($pdluo->sellby,'day') .''; print ''.$pdluo->qty.($pdluo->qty<0?' '.img_warning():'').''; diff --git a/htdocs/product/stock/productlot_card.php b/htdocs/product/stock/productlot_card.php index 77466ead2c8..70d907ae5e9 100644 --- a/htdocs/product/stock/productlot_card.php +++ b/htdocs/product/stock/productlot_card.php @@ -45,7 +45,7 @@ $langs->load("productbatch"); // Get parameters $id = GETPOST('id','int'); $action = GETPOST('action','alpha'); -$backtopage = GETPOST('backtopage'); +$backtopage = GETPOST('backtopage','alpha'); $batch = GETPOST('batch','alpha'); $productid = GETPOST('productid','int'); $ref = GETPOST('ref','alpha'); // ref is productid_batch @@ -150,7 +150,7 @@ if (empty($reshook)) // Action to add record if ($action == 'add') { - if (GETPOST('cancel')) + if (GETPOST('cancel','alpha')) { $urltogo=$backtopage?$backtopage:dol_buildpath('/stock/list.php',1); header("Location: ".$urltogo); @@ -198,10 +198,10 @@ if (empty($reshook)) } // Cancel - if ($action == 'update' && GETPOST('cancel')) $action='view'; + if ($action == 'update' && GETPOST('cancel','alpha')) $action='view'; // Action to update record - if ($action == 'update' && ! GETPOST('cancel')) + if ($action == 'update' && ! GETPOST('cancel','alpha')) { $error=0; @@ -284,7 +284,6 @@ if ($action == 'create') print ''."\n"; // print ''; // - print ''; print ''; print ''; print ''; diff --git a/htdocs/product/stock/productlot_list.php b/htdocs/product/stock/productlot_list.php index 3cf1e022e7f..567d60911ae 100644 --- a/htdocs/product/stock/productlot_list.php +++ b/htdocs/product/stock/productlot_list.php @@ -45,7 +45,7 @@ $langs->load("users"); // Get parameters $id = GETPOST('id','int'); $action = GETPOST('action','alpha'); -$backtopage = GETPOST('backtopage'); +$backtopage = GETPOST('backtopage','alpha'); $myparam = GETPOST('myparam','alpha'); @@ -132,8 +132,8 @@ if (($id > 0 || ! empty($ref)) && $action != 'add') * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'confirm_presend') { $massaction=''; } $parameters=array(); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/projet/class/task.class.php b/htdocs/projet/class/task.class.php index 910583782b9..10a78e017c8 100644 --- a/htdocs/projet/class/task.class.php +++ b/htdocs/projet/class/task.class.php @@ -301,7 +301,7 @@ class Task extends CommonObject // Update request $sql = "UPDATE ".MAIN_DB_PREFIX."projet_task SET"; $sql.= " fk_projet=".(isset($this->fk_project)?$this->fk_project:"null").","; - $sql.= " ref=".(isset($this->ref)?"'".$this->db->escape($this->ref)."'":"'".$this->id."'").","; + $sql.= " ref=".(isset($this->ref)?"'".$this->db->escape($this->ref)."'":"'".$this->db->escape($this->id)."'").","; $sql.= " fk_task_parent=".(isset($this->fk_task_parent)?$this->fk_task_parent:"null").","; $sql.= " label=".(isset($this->label)?"'".$this->db->escape($this->label)."'":"null").","; $sql.= " description=".(isset($this->description)?"'".$this->db->escape($this->description)."'":"null").","; @@ -1251,7 +1251,7 @@ class Task extends CommonObject $newDuration = $this->timespent_duration - $this->timespent_old_duration; $sql = "UPDATE ".MAIN_DB_PREFIX."projet_task"; - $sql.= " SET duration_effective = (SELECT SUM(task_duration) FROM ".MAIN_DB_PREFIX."projet_task_time as ptt where ptt.fk_task = ".$this->id.")"; + $sql.= " SET duration_effective = (SELECT SUM(task_duration) FROM ".MAIN_DB_PREFIX."projet_task_time as ptt where ptt.fk_task = ".$this->db->escape($this->id).")"; $sql.= " WHERE rowid = ".$this->id; dol_syslog(get_class($this)."::updateTimeSpent", LOG_DEBUG); @@ -1303,7 +1303,7 @@ class Task extends CommonObject if (! $error) { $sql = "UPDATE ".MAIN_DB_PREFIX."projet_task"; - $sql.= " SET duration_effective = duration_effective - '".$this->timespent_duration."'"; + $sql.= " SET duration_effective = duration_effective - ".$this->db->escape($this->timespent_duration?$this->timespent_duration:0); $sql.= " WHERE rowid = ".$this->id; dol_syslog(get_class($this)."::delTimeSpent", LOG_DEBUG); @@ -1899,7 +1899,7 @@ class TaskComment extends CommonObject $sql.= ", '".(isset($this->fk_task)?$this->fk_task:"null")."'"; $sql.= ", '".(isset($this->fk_user)?$this->fk_user:"null")."'"; $sql.= ", ".(!empty($this->entity)?$this->entity:'1'); - $sql.= ", ".(!empty($this->import_key)?"'".$this->import_key."'":"null"); + $sql.= ", ".(!empty($this->import_key)?"'".$this->db->escape($this->import_key)."'":"null"); $sql.= ")"; //var_dump($this->db); @@ -2024,7 +2024,7 @@ class TaskComment extends CommonObject $sql.= " fk_task=".(isset($this->fk_task)?$this->fk_task:"null").","; $sql.= " fk_user=".(isset($this->fk_user)?$this->fk_user:"null").","; $sql.= " entity=".(!empty($this->entity)?$this->entity:'1').","; - $sql.= " import_key=".(!empty($this->import_key)?"'".$this->import_key."'":"null"); + $sql.= " import_key=".(!empty($this->import_key)?"'".$this->db->escape($this->import_key)."'":"null"); $sql.= " WHERE rowid=".$this->id; $this->db->begin(); diff --git a/htdocs/projet/list.php b/htdocs/projet/list.php index 5d0af329952..657e6d610d3 100644 --- a/htdocs/projet/list.php +++ b/htdocs/projet/list.php @@ -148,8 +148,8 @@ $object = new Project($db); * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend' && $massaction != 'confirm_createbills') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend' && $massaction != 'confirm_createbills') { $massaction=''; } $parameters=array('socid'=>$socid); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/projet/tasks.php b/htdocs/projet/tasks.php index c00e93e239f..41413645906 100644 --- a/htdocs/projet/tasks.php +++ b/htdocs/projet/tasks.php @@ -39,7 +39,7 @@ $id = GETPOST('id', 'int'); $ref = GETPOST('ref', 'alpha'); $taskref = GETPOST('taskref', 'alpha'); $backtopage=GETPOST('backtopage','alpha'); -$cancel=GETPOST('cancel'); +$cancel=GETPOST('cancel','alpha'); $search_user_id = GETPOST('search_user_id', 'int'); diff --git a/htdocs/projet/tasks/comment.php b/htdocs/projet/tasks/comment.php index 3f0cbe0bf47..3ee3cf2593b 100644 --- a/htdocs/projet/tasks/comment.php +++ b/htdocs/projet/tasks/comment.php @@ -81,6 +81,7 @@ if ($action == 'addcomment') $object->entity = $conf->entity; if ($object->create($user) > 0) { + setEventMessages($langs->trans("CommentAdded"), null, 'mesgs'); header('Location: '.DOL_URL_ROOT.'/projet/tasks/comment.php?id='.$id.($withproject?'&withproject=1':'')); exit; } @@ -97,6 +98,7 @@ if ($action == 'deletecomment') { if ($object->delete($user) > 0) { + setEventMessages($langs->trans("CommentDeleted"), null, 'mesgs'); header('Location: '.DOL_URL_ROOT.'/projet/tasks/comment.php?id='.$id.($withproject?'&withproject=1':'')); exit; } @@ -348,35 +350,53 @@ if ($id > 0 || ! empty($ref)) // List of comments if(!empty($task->comments)) { // Default color for current user - $TColors = array($user->id => 'efefef'); + $TColors = array($user->id => array('bgcolor'=>'efefef','color'=>'555')); $first = true; foreach($task->comments as $comment) { $fk_user = $comment->fk_user; $userstatic->fetch($fk_user); if(empty($TColors[$fk_user])) { - $TColors[$fk_user] = random_color(180,240); + $bgcolor = random_color(180,240); + if(!empty($userstatic->color)) { + $bgcolor = $userstatic->color; + } + $color = (colorIsLight($bgcolor))?'555':'fff'; + $TColors[$fk_user] = array('bgcolor'=>$bgcolor,'color'=>$color); } - print '
'; + print '
'; if($comment->fk_user == $user->id) { print '
 
'; } - print '
'; - print '
'; - print $comment->description; - print '
'; - print '
'; + print '
'; + print '
'; + if (! empty($user->photo)) + { + print Form::showphoto('userphoto', $userstatic, 80, 0, 0, '', 'small', 0, 1).'
'; + } print $langs->trans('User').' : '.$userstatic->getNomUrl().'
'; print $langs->trans('Date').' : '.dol_print_date($comment->datec,'dayhoursec'); + print '
'; // End comment-info + + print '
'; + print '
'; + print '
'; + print $comment->description; + print '
'; // End comment-description if(($first && $fk_user == $user->id) || $user->admin == 1) { - print '
'.$langs->trans('Delete').''; + print ''; + print img_picto('', 'delete.png'); + print ''; } - print '
'; - print '
'; + print '
'; // End comment-table + print '
'; // End comment-right + print '
'; // End comment if($comment->fk_user != $user->id) { print '
 
'; } + print '
'; + print '
'; // end 100p $first = false; } diff --git a/htdocs/projet/tasks/list.php b/htdocs/projet/tasks/list.php index 3d239921c60..c730fd074d5 100644 --- a/htdocs/projet/tasks/list.php +++ b/htdocs/projet/tasks/list.php @@ -138,8 +138,8 @@ $object = new Task($db); * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend' && $massaction != 'confirm_createbills') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend' && $massaction != 'confirm_createbills') { $massaction=''; } $parameters=array('socid'=>$socid); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/public/members/new.php b/htdocs/public/members/new.php index 03c44514b01..2869d2254e7 100644 --- a/htdocs/public/members/new.php +++ b/htdocs/public/members/new.php @@ -546,13 +546,13 @@ if (empty($conf->global->SOCIETE_DISABLE_STATE)) print ''; } // EMail -print '
'."\n"; +print ''."\n"; // Login if (empty($conf->global->ADHERENT_LOGIN_NOT_REQUIRED)) { - print ''."\n"; - print ''."\n"; - print ''."\n"; + print ''."\n"; + print ''."\n"; + print ''."\n"; } // Birthday print ''; +// Payment token for URL +print ''; + +print ''; + print '
'.$langs->trans("Label").'
'.$langs->trans("Fieldentity").'
'.$langs->trans("Fieldfk_product").'
'.$langs->trans("Fieldbatch").'
'.$langs->trans("Fieldfk_user_creat").'
'.$langs->trans("Email").' *
'.$langs->trans("Email").' *
'.$langs->trans("Login").' *
'.$langs->trans("Password").' *
'.$langs->trans("PasswordAgain").' *
'.$langs->trans("Login").' *
'.$langs->trans("Password").' *
'.$langs->trans("PasswordAgain").' *
'.$langs->trans("DateToBirth").''; diff --git a/htdocs/public/payment/newpayment.php b/htdocs/public/payment/newpayment.php index 1a1d36f9fb1..72ad0390cce 100644 --- a/htdocs/public/payment/newpayment.php +++ b/htdocs/public/payment/newpayment.php @@ -1164,14 +1164,29 @@ if ($source == 'membersubscription') print '
'.$langs->trans("Amount"); if (empty($amount)) { - print ' ('.$langs->trans("ToComplete"); + if (empty($conf->global->MEMBER_NEWFORM_AMOUNT)) print ' ('.$langs->trans("ToComplete"); if (! empty($conf->global->MEMBER_EXT_URL_SUBSCRIPTION_INFO)) print ' - '.$langs->trans("SeeHere").''; - print ')'; + if (empty($conf->global->MEMBER_NEWFORM_AMOUNT)) print ')'; } print ''; if (empty($amount) || ! is_numeric($amount)) { - $valtoshow=GETPOST("newamount",'int'); + $valtoshow=GETPOST("newamount",'int'); + // force default subscription amount to value defined into constant... + if (! empty($conf->global->MEMBER_NEWFORM_EDITAMOUNT)) { + if (! empty($conf->global->MEMBER_NEWFORM_AMOUNT)) { + $valtoshow = $conf->global->MEMBER_NEWFORM_AMOUNT; + } + } + else { + if (! empty($conf->global->MEMBER_NEWFORM_AMOUNT)) { + $amount = $conf->global->MEMBER_NEWFORM_AMOUNT; + } + } + } + if (empty($amount) || ! is_numeric($amount)) + { + //$valtoshow=GETPOST("newamount",'int'); if (! empty($conf->global->MEMBER_MIN_AMOUNT) && $valtoshow) $valtoshow=max($conf->global->MEMBER_MIN_AMOUNT,$valtoshow); print ''; print ''; diff --git a/htdocs/resource/class/dolresource.class.php b/htdocs/resource/class/dolresource.class.php index 10485dda4be..6dc093f6142 100644 --- a/htdocs/resource/class/dolresource.class.php +++ b/htdocs/resource/class/dolresource.class.php @@ -33,7 +33,7 @@ class Dolresource extends CommonObject public $element='dolresource'; //!< Id that identify managed objects public $table_element='resource'; //!< Name of table without prefix where object is stored public $picto = 'resource'; - + public $resource_id; public $resource_type; public $element_id; @@ -843,7 +843,7 @@ class Dolresource extends CommonObject // Update request $sql = "UPDATE ".MAIN_DB_PREFIX."element_resources SET"; $sql.= " resource_id=".(isset($this->resource_id)?"'".$this->db->escape($this->resource_id)."'":"null").","; - $sql.= " resource_type=".(isset($this->resource_type)?"'".$this->resource_type."'":"null").","; + $sql.= " resource_type=".(isset($this->resource_type)?"'".$this->db->escape($this->resource_type)."'":"null").","; $sql.= " element_id=".(isset($this->element_id)?$this->element_id:"null").","; $sql.= " element_type=".(isset($this->element_type)?"'".$this->db->escape($this->element_type)."'":"null").","; $sql.= " busy=".(isset($this->busy)?$this->busy:"null").","; @@ -1019,8 +1019,8 @@ class Dolresource extends CommonObject $result.=$link.$this->ref.$linkend; return $result; } - - + + /** * Retourne le libelle du status d'un user (actif, inactif) * @@ -1031,7 +1031,7 @@ class Dolresource extends CommonObject { return $this->LibStatut($this->status,$mode); } - + /** * Return the status * @@ -1042,7 +1042,7 @@ class Dolresource extends CommonObject static function LibStatut($status,$mode=0) { global $langs; - + return ''; - } + } } diff --git a/htdocs/resource/element_resource.php b/htdocs/resource/element_resource.php index a886dcf475b..9c89b516eff 100644 --- a/htdocs/resource/element_resource.php +++ b/htdocs/resource/element_resource.php @@ -108,7 +108,7 @@ if ($action == 'add_element_resource' && ! $cancel) } // Update ressource -if ($action == 'update_linked_resource' && $user->rights->resource->write && !GETPOST('cancel') ) +if ($action == 'update_linked_resource' && $user->rights->resource->write && !GETPOST('cancel','alpha') ) { $res = $object->fetch_element_resource($lineid); if($res) diff --git a/htdocs/societe/agenda.php b/htdocs/societe/agenda.php index 497b9593142..0dea66946ec 100644 --- a/htdocs/societe/agenda.php +++ b/htdocs/societe/agenda.php @@ -76,7 +76,7 @@ if ($reshook < 0) setEventMessages($hookmanager->error, $hookmanager->errors, 'e if (empty($reshook)) { // Cancel - if (GETPOST("cancel") && ! empty($backtopage)) + if (GETPOST('cancel','alpha') && ! empty($backtopage)) { header("Location: ".$backtopage); exit; diff --git a/htdocs/societe/card.php b/htdocs/societe/card.php index bc51fb39375..45101a79d45 100644 --- a/htdocs/societe/card.php +++ b/htdocs/societe/card.php @@ -56,7 +56,7 @@ if (! empty($conf->notification->enabled)) $langs->load("mails"); $mesg=''; $error=0; $errors=array(); $action = (GETPOST('action','aZ09') ? GETPOST('action','aZ09') : 'view'); -$cancel = GETPOST('cancel'); +$cancel = GETPOST('cancel','alpha'); $backtopage = GETPOST('backtopage','alpha'); $confirm = GETPOST('confirm'); $socid = GETPOST('socid','int'); @@ -421,7 +421,7 @@ if (empty($reshook)) else if (! empty($_FILES['photo']['name'])) $object->logo = dol_sanitizeFileName($_FILES['photo']['name']); // Check parameters - if (! GETPOST("cancel")) + if (! GETPOST('cancel','alpha')) { if (! empty($object->email) && ! isValidEMail($object->email)) { @@ -580,7 +580,7 @@ if (empty($reshook)) if ($action == 'update') { - if (GETPOST("cancel")) + if (GETPOST('cancel','alpha')) { if (! empty($backtopage)) { diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php index d702e4beb14..8fa7081acad 100644 --- a/htdocs/societe/class/societe.class.php +++ b/htdocs/societe/class/societe.class.php @@ -859,13 +859,13 @@ class Societe extends CommonObject $sql .= ",idprof5 = '". $this->db->escape($this->idprof5) ."'"; $sql .= ",idprof6 = '". $this->db->escape($this->idprof6) ."'"; - $sql .= ",tva_assuj = ".($this->tva_assuj!=''?"'".$this->tva_assuj."'":"null"); + $sql .= ",tva_assuj = ".($this->tva_assuj!=''?"'".$this->db->escape($this->tva_assuj)."'":"null"); $sql .= ",tva_intra = '" . $this->db->escape($this->tva_intra) ."'"; $sql .= ",status = " .$this->status; // Local taxes - $sql .= ",localtax1_assuj = ".($this->localtax1_assuj!=''?"'".$this->localtax1_assuj."'":"null"); - $sql .= ",localtax2_assuj = ".($this->localtax2_assuj!=''?"'".$this->localtax2_assuj."'":"null"); + $sql .= ",localtax1_assuj = ".($this->localtax1_assuj!=''?"'".$this->db->escape($this->localtax1_assuj)."'":"null"); + $sql .= ",localtax2_assuj = ".($this->localtax2_assuj!=''?"'".$this->db->escape($this->localtax2_assuj)."'":"null"); if($this->localtax1_assuj==1) { if($this->localtax1_value!='') @@ -1565,7 +1565,7 @@ class Societe extends CommonObject // Positionne remise courante $sql = "UPDATE ".MAIN_DB_PREFIX."societe "; $sql.= " SET remise_client = '".$this->db->escape($remise)."'"; - $sql.= " WHERE rowid = " . $this->id .";"; + $sql.= " WHERE rowid = " . $this->id; $resql=$this->db->query($sql); if (! $resql) { @@ -1698,7 +1698,7 @@ class Societe extends CommonObject else $sql.= " WHERE entity in (0, ".$conf->entity.")"; - $sql.= " AND u.rowid = sc.fk_user AND sc.fk_soc =".$this->id; + $sql.= " AND u.rowid = sc.fk_user AND sc.fk_soc = ".$this->id; $resql = $this->db->query($sql); if ($resql) @@ -1751,7 +1751,7 @@ class Societe extends CommonObject $sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_prices"; $sql .= " (datec, fk_soc, price_level, fk_user_author)"; - $sql .= " VALUES ('".$this->db->idate($now)."',".$this->id.",'".$this->db->escape($price_level)."',".$user->id.")"; + $sql .= " VALUES ('".$this->db->idate($now)."', ".$this->id.", '".$this->db->escape($price_level)."', ".$user->id.")"; if (! $this->db->query($sql)) { @@ -2947,17 +2947,17 @@ class Societe extends CommonObject } /** - * Charge la liste des categories fournisseurs + * Insert link supplier - category * * @param int $categorie_id Id of category * @return int 0 if success, <> 0 if error */ function AddFournisseurInCategory($categorie_id) { - if ($categorie_id > 0) + if ($categorie_id > 0 && $this->id > 0) { $sql = "INSERT INTO ".MAIN_DB_PREFIX."categorie_fournisseur (fk_categorie, fk_soc) "; - $sql.= " VALUES ('".$categorie_id."','".$this->id."');"; + $sql.= " VALUES (".$categorie_id.", ".$this->id.")"; if ($resql=$this->db->query($sql)) return 0; } diff --git a/htdocs/societe/list.php b/htdocs/societe/list.php index 02b717feb9b..e23a457cea5 100644 --- a/htdocs/societe/list.php +++ b/htdocs/societe/list.php @@ -208,8 +208,8 @@ $object = new Societe($db); * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } $parameters=array(); $reshook=$hookmanager->executeHooks('doActions',$parameters, $object, $action); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/stripe/admin/stripe.php b/htdocs/stripe/admin/stripe.php index 4abf52fe0e0..de3c4db8987 100644 --- a/htdocs/stripe/admin/stripe.php +++ b/htdocs/stripe/admin/stripe.php @@ -67,6 +67,11 @@ if ($action == 'setvalue' && $user->admin) if (! $result > 0) $error++; $result=dolibarr_set_const($db, "ONLINE_PAYMENT_SENDEMAIL",GETPOST('ONLINE_PAYMENT_SENDEMAIL'),'chaine',0,'',$conf->entity); if (! $result > 0) $error++; + // Payment token for URL + $result=dolibarr_set_const($db, "PAYMENT_SECURITY_TOKEN",GETPOST('PAYMENT_SECURITY_TOKEN','alpha'),'chaine',0,'',$conf->entity); + if (! $result > 0) $error++; + $result=dolibarr_set_const($db, "PAYMENT_SECURITY_TOKEN_UNIQUE",GETPOST('PAYMENT_SECURITY_TOKEN_UNIQUE','alpha'),'chaine',0,'',$conf->entity); + if (! $result > 0) $error++; if (! $error) { @@ -220,6 +225,19 @@ print '
'; +print $langs->trans("SecurityToken").''; +print ''; +if (! empty($conf->use_javascript_ajax)) + print ' '.img_picto($langs->trans('Generate'), 'refresh', 'id="generate_token" class="linkobject"'); +print '
'; +print $langs->trans("SecurityTokenIsUnique").''; +print $form->selectyesno("PAYMENT_SECURITY_TOKEN_UNIQUE",(empty($conf->global->PAYMENT_SECURITY_TOKEN)?0:$conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE),1); +print '
'; dol_fiche_end(); @@ -233,121 +251,17 @@ print '

'; $token=''; - -// Url list -print ''.$langs->trans("FollowingUrlAreAvailableToMakePayments").':

'; -print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnFreeAmount",$servicename).':
'; -print ''.getStripePaymentUrl(1,'free')."

\n"; -if (! empty($conf->commande->enabled)) -{ - print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnOrder",$servicename).':
'; - print ''.getStripePaymentUrl(1,'order')."
\n"; - if (! empty($conf->global->STRIPE_SECURITY_TOKEN) && ! empty($conf->global->STRIPE_SECURITY_TOKEN_UNIQUE)) - { - $langs->load("orders"); - print '
'; - print $langs->trans("EnterRefToBuildUrl",$langs->transnoentitiesnoconv("Order")).': '; - print ''; - print ''; - if (GETPOST('generate_order_ref','alpha')) - { - print '
-> '; - $url=getStripePaymentUrl(0,'order',GETPOST('generate_order_ref','alpha')); - print $url; - print "
\n"; - } - print '
'; - } - print '
'; -} -if (! empty($conf->facture->enabled)) -{ - print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnInvoice",$servicename).':
'; - print ''.getStripePaymentUrl(1,'invoice')."
\n"; - if (! empty($conf->global->STRIPE_SECURITY_TOKEN) && ! empty($conf->global->STRIPE_SECURITY_TOKEN_UNIQUE)) - { - $langs->load("bills"); - print '
'; - print $langs->trans("EnterRefToBuildUrl",$langs->transnoentitiesnoconv("Invoice")).': '; - print ''; - print ''; - if (GETPOST('generate_invoice_ref','alpha')) - { - print '
-> '; - $url=getPaypalPaymentUrl(0,'invoice',GETPOST('generate_invoice_ref','alpha')); - print $url; - print "
\n"; - } - print '
'; - } - print '
'; -} -if (! empty($conf->contrat->enabled)) -{ - print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnContractLine",$servicename).':
'; - print ''.getStripePaymentUrl(1,'contractline')."
\n"; - if (! empty($conf->global->STRIPE_SECURITY_TOKEN) && ! empty($conf->global->STRIPE_SECURITY_TOKEN_UNIQUE)) - { - $langs->load("contract"); - print '
'; - print $langs->trans("EnterRefToBuildUrl",$langs->transnoentitiesnoconv("Contract")).': '; - print ''; - print ''; - if (GETPOST('generate_contract_ref')) - { - print '
-> '; - $url=getPaypalPaymentUrl(0,'contractline',GETPOST('generate_contract_ref','alpha')); - print $url; - print "
\n"; - } - print '
'; - } - print '
'; -} -if (! empty($conf->adherent->enabled)) -{ - print img_picto('','object_globe.png').' '.$langs->trans("ToOfferALinkForOnlinePaymentOnMemberSubscription",$servicename).':
'; - print ''.getStripePaymentUrl(1,'membersubscription')."
\n"; - if (! empty($conf->global->STRIPE_SECURITY_TOKEN) && ! empty($conf->global->STRIPE_SECURITY_TOKEN_UNIQUE)) - { - $langs->load("members"); - print '
'; - print $langs->trans("EnterRefToBuildUrl",$langs->transnoentitiesnoconv("Member")).': '; - print ''; - print ''; - if (GETPOST('generate_member_ref')) - { - print '
-> '; - $url=getPaypalPaymentUrl(0,'membersubscription',GETPOST('generate_member_ref','alpha')); - print $url; - print "
\n"; - } - print '
'; - } - print '
'; -} - -print info_admin($langs->trans("YouCanAddTagOnUrl")); +include DOL_DOCUMENT_ROOT.'/core/tpl/onlinepaymentlinks.tpl.php'; if (! empty($conf->use_javascript_ajax)) { print "\n".''; } diff --git a/htdocs/supplier_proposal/card.php b/htdocs/supplier_proposal/card.php index 04d0a09a804..fda4eea65ea 100644 --- a/htdocs/supplier_proposal/card.php +++ b/htdocs/supplier_proposal/card.php @@ -434,7 +434,7 @@ if (empty($reshook)) } // Reopen proposal - else if ($action == 'confirm_reopen' && $user->rights->supplier_proposal->cloturer && ! GETPOST('cancel')) { + else if ($action == 'confirm_reopen' && $user->rights->supplier_proposal->cloturer && ! GETPOST('cancel','alpha')) { // prevent browser refresh from reopening proposal several times if ($object->statut == SupplierProposal::STATUS_SIGNED || $object->statut == SupplierProposal::STATUS_NOTSIGNED || $object->statut == SupplierProposal::STATUS_CLOSE) { $object->reopen($user, SupplierProposal::STATUS_VALIDATED); @@ -442,7 +442,7 @@ if (empty($reshook)) } // Close proposal - else if ($action == 'close' && $user->rights->supplier_proposal->cloturer && ! GETPOST('cancel')) { + else if ($action == 'close' && $user->rights->supplier_proposal->cloturer && ! GETPOST('cancel','alpha')) { // prevent browser refresh from reopening proposal several times if ($object->statut == SupplierProposal::STATUS_SIGNED) { $object->setStatut(SupplierProposal::STATUS_CLOSE); @@ -450,7 +450,7 @@ if (empty($reshook)) } // Set accepted/refused - else if ($action == 'setstatut' && $user->rights->supplier_proposal->cloturer && ! GETPOST('cancel')) { + else if ($action == 'setstatut' && $user->rights->supplier_proposal->cloturer && ! GETPOST('cancel','alpha')) { if (! GETPOST('statut')) { setEventMessages($langs->trans("ErrorFieldRequired", $langs->transnoentities("CloseAs")), null, 'errors'); $action = 'statut'; @@ -871,7 +871,7 @@ if (empty($reshook)) } } - else if ($action == 'updateligne' && $user->rights->supplier_proposal->creer && GETPOST('cancel') == $langs->trans('Cancel')) { + else if ($action == 'updateligne' && $user->rights->supplier_proposal->creer && GETPOST('cancel','alpha') == $langs->trans('Cancel')) { header('Location: ' . $_SERVER['PHP_SELF'] . '?id=' . $object->id); // Pour reaffichage de la fiche en cours d'edition exit(); } diff --git a/htdocs/supplier_proposal/class/supplier_proposal.class.php b/htdocs/supplier_proposal/class/supplier_proposal.class.php index 142fcc413e5..b6166124af0 100644 --- a/htdocs/supplier_proposal/class/supplier_proposal.class.php +++ b/htdocs/supplier_proposal/class/supplier_proposal.class.php @@ -2829,27 +2829,27 @@ class SupplierProposalLine extends CommonObjectLine $sql.= ' ref_fourn,'; $sql.= ' fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc, fk_unit)'; $sql.= " VALUES (".$this->fk_supplier_proposal.","; - $sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").","; + $sql.= " ".($this->fk_parent_line>0?"'".$this->db->escape($this->fk_parent_line)."'":"null").","; $sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").","; $sql.= " '".$this->db->escape($this->desc)."',"; - $sql.= " ".($this->fk_product?"'".$this->fk_product."'":"null").","; - $sql.= " '".$this->product_type."',"; - $sql.= " ".($this->fk_remise_except?"'".$this->fk_remise_except."'":"null").","; + $sql.= " ".($this->fk_product?"'".$this->db->escape($this->fk_product)."'":"null").","; + $sql.= " '".$this->db->escape($this->product_type)."',"; + $sql.= " ".($this->fk_remise_except?"'".$this->db->escape($this->fk_remise_except)."'":"null").","; $sql.= " ".price2num($this->qty).","; $sql.= " ".price2num($this->tva_tx).","; $sql.= " ".price2num($this->localtax1_tx).","; $sql.= " ".price2num($this->localtax2_tx).","; - $sql.= " '".$this->localtax1_type."',"; - $sql.= " '".$this->localtax2_type."',"; + $sql.= " '".$this->db->escape($this->localtax1_type)."',"; + $sql.= " '".$this->db->escape($this->localtax2_type)."',"; $sql.= " ".(!empty($this->subprice)?price2num($this->subprice):"null").","; $sql.= " ".price2num($this->remise_percent).","; - $sql.= " ".(isset($this->info_bits)?"'".$this->info_bits."'":"null").","; + $sql.= " ".(isset($this->info_bits)?"'".$this->db->escape($this->info_bits)."'":"null").","; $sql.= " ".price2num($this->total_ht).","; $sql.= " ".price2num($this->total_tva).","; $sql.= " ".price2num($this->total_localtax1).","; $sql.= " ".price2num($this->total_localtax2).","; $sql.= " ".price2num($this->total_ttc).","; - $sql.= " ".(!empty($this->fk_fournprice)?"'".$this->fk_fournprice."'":"null").","; + $sql.= " ".(!empty($this->fk_fournprice)?"'".$this->db->escape($this->fk_fournprice)."'":"null").","; $sql.= " ".(isset($this->pa_ht)?"'".price2num($this->pa_ht)."'":"null").","; $sql.= ' '.$this->special_code.','; $sql.= ' '.$this->rang.','; @@ -3025,7 +3025,7 @@ class SupplierProposalLine extends CommonObjectLine $sql.= " , total_localtax1=".price2num($this->total_localtax1).""; $sql.= " , total_localtax2=".price2num($this->total_localtax2).""; } - $sql.= " , fk_product_fournisseur_price=".(! empty($this->fk_fournprice)?"'".$this->fk_fournprice."'":"null"); + $sql.= " , fk_product_fournisseur_price=".(! empty($this->fk_fournprice)?"'".$this->db->escape($this->fk_fournprice)."'":"null"); $sql.= " , buy_price_ht=".price2num($this->pa_ht); if (strlen($this->special_code)) $sql.= " , special_code=".$this->special_code; $sql.= " , fk_parent_line=".($this->fk_parent_line>0?$this->fk_parent_line:"null"); diff --git a/htdocs/supplier_proposal/list.php b/htdocs/supplier_proposal/list.php index f92c0e6305d..96d1079b92a 100644 --- a/htdocs/supplier_proposal/list.php +++ b/htdocs/supplier_proposal/list.php @@ -168,8 +168,8 @@ if (is_array($extrafields->attribute_label) && count($extrafields->attribute_lab * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend') { $massaction=''; } $parameters=array('socid'=>$socid); $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); // Note that $action and $object may have been modified by some hooks @@ -420,7 +420,7 @@ if ($resql) { $langs->load("mails"); - if (! GETPOST('cancel')) + if (! GETPOST('cancel','alpha')) { $objecttmp=new SupplierProposal($db); $listofselectedid=array(); diff --git a/htdocs/theme/eldy/style.css.php b/htdocs/theme/eldy/style.css.php index f89dc060489..3d58211fbde 100644 --- a/htdocs/theme/eldy/style.css.php +++ b/htdocs/theme/eldy/style.css.php @@ -3818,16 +3818,45 @@ pre#editfilecontentaceeditorid { #comment div { box-sizing:border-box; } - #comment .comment { border-radius:7px; - padding:7px 10px; margin-bottom:10px; + overflow:hidden; +} +#comment .comment-table { + display:table; + height:100%; +} +#comment .comment-cell { + display:table-cell; } #comment .comment-info { font-size:0.8em; - color:#555; - margin-top:5px; + border-right:1px solid #dedede; + margin-right:10px; + width:160px; + text-align:center; + background:rgba(255,255,255,0.5); + vertical-align:middle; + padding:10px 2px; +} +#comment .comment-info a { + color:inherit; +} +#comment .comment-right { + vertical-align:top; +} +#comment .comment-description { + padding:10px; + vertical-align:top; +} +#comment .comment-delete { + width: 100px; + text-align:center; + vertical-align:middle; +} +#comment .comment-delete:hover { + background:rgba(250,20,20,0.8); } #comment textarea { width: 100%; diff --git a/htdocs/user/card.php b/htdocs/user/card.php index 0eac875046b..a495290f47a 100644 --- a/htdocs/user/card.php +++ b/htdocs/user/card.php @@ -55,7 +55,7 @@ $mode = GETPOST('mode','alpha'); $confirm = GETPOST('confirm','alpha'); $subaction = GETPOST('subaction','alpha'); $group = GETPOST("group","int",3); -$cancel = GETPOST('cancel'); +$cancel = GETPOST('cancel','alpha'); // Users/Groups management only in master entity if transverse mode if (($action == 'create' || $action == 'adduserldap') && ! empty($conf->multicompany->enabled) && $conf->entity > 1 && $conf->global->MULTICOMPANY_TRANSVERSE_MODE) diff --git a/htdocs/user/class/usergroup.class.php b/htdocs/user/class/usergroup.class.php index 5240605c25c..1dac2e1672b 100644 --- a/htdocs/user/class/usergroup.class.php +++ b/htdocs/user/class/usergroup.class.php @@ -75,7 +75,7 @@ class UserGroup extends CommonObject * @param string $groupname name du groupe a charger * @return int <0 if KO, >0 if OK */ - function fetch($id='', $groupname='') + function fetch($id='', $groupname='', $load_members = true) { global $conf; @@ -107,7 +107,8 @@ class UserGroup extends CommonObject $this->datec = $obj->datec; $this->datem = $obj->datem; - $this->members=$this->listUsersForGroup(); + if($load_members) + $this->members=$this->listUsersForGroup(); // Retreive all extrafield for group @@ -138,7 +139,7 @@ class UserGroup extends CommonObject * @param int $userid User id to search * @return array Array of groups objects */ - function listGroupsForUser($userid) + function listGroupsForUser($userid, $load_members = true) { global $conf, $user; @@ -168,7 +169,7 @@ class UserGroup extends CommonObject if (! array_key_exists($obj->rowid, $ret)) { $newgroup=new UserGroup($this->db); - $newgroup->fetch($obj->rowid); + $newgroup->fetch($obj->rowid, '', $load_members); $ret[$obj->rowid]=$newgroup; } diff --git a/htdocs/user/clicktodial.php b/htdocs/user/clicktodial.php index 2ba3c67d0b4..64919029536 100644 --- a/htdocs/user/clicktodial.php +++ b/htdocs/user/clicktodial.php @@ -53,7 +53,7 @@ $reshook=$hookmanager->executeHooks('doActions',$parameters,$object,$action); if ($reshook < 0) setEventMessages($hookmanager->error, $hookmanager->errors, 'errors'); if (empty($reshook)) { - if ($action == 'update' && !GETPOST('cancel')) { + if ($action == 'update' && !GETPOST('cancel','alpha')) { $edituser = new User($db); $edituser->fetch($id); diff --git a/htdocs/user/group/index.php b/htdocs/user/group/index.php index 9624e462a71..f4b962fb86f 100644 --- a/htdocs/user/group/index.php +++ b/htdocs/user/group/index.php @@ -68,8 +68,8 @@ $fieldstosearchall = array( * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend' && $massaction != 'confirm_createbills') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend' && $massaction != 'confirm_createbills') { $massaction=''; } $parameters=array(); $reshook=$hookmanager->executeHooks('doActions',$parameters); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/user/index.php b/htdocs/user/index.php index f9989827021..04bbbcf8b81 100644 --- a/htdocs/user/index.php +++ b/htdocs/user/index.php @@ -135,8 +135,8 @@ if ($mode == 'employee') $search_employee=1; * Actions */ -if (GETPOST('cancel')) { $action='list'; $massaction=''; } -if (! GETPOST('confirmmassaction') && $massaction != 'presend' && $massaction != 'confirm_presend' && $massaction != 'confirm_createbills') { $massaction=''; } +if (GETPOST('cancel','alpha')) { $action='list'; $massaction=''; } +if (! GETPOST('confirmmassaction','alpha') && $massaction != 'presend' && $massaction != 'confirm_presend' && $massaction != 'confirm_createbills') { $massaction=''; } $parameters=array(); $reshook=$hookmanager->executeHooks('doActions',$parameters); // Note that $action and $object may have been modified by some hooks diff --git a/htdocs/user/passwordforgotten.php b/htdocs/user/passwordforgotten.php index 9c2aabd3654..43cb5097bba 100644 --- a/htdocs/user/passwordforgotten.php +++ b/htdocs/user/passwordforgotten.php @@ -48,19 +48,19 @@ $action=GETPOST('action', 'alpha'); $mode=$dolibarr_main_authentication; if (! $mode) $mode='http'; -$username = GETPOST('username'); -$passwordhash = GETPOST('passwordhash'); -$conf->entity = (GETPOST('entity') ? GETPOST('entity') : 1); +$username = GETPOST('username','alpha'); +$passwordhash = GETPOST('passwordhash','alpha'); +$conf->entity = (GETPOST('entity','int') ? GETPOST('entity','int') : 1); // Instantiate hooks of thirdparty module only if not already define $hookmanager->initHooks(array('passwordforgottenpage')); -if (GETPOST('dol_hide_leftmenu') || ! empty($_SESSION['dol_hide_leftmenu'])) $conf->dol_hide_leftmenu=1; -if (GETPOST('dol_hide_topmenu') || ! empty($_SESSION['dol_hide_topmenu'])) $conf->dol_hide_topmenu=1; -if (GETPOST('dol_optimize_smallscreen') || ! empty($_SESSION['dol_optimize_smallscreen'])) $conf->dol_optimize_smallscreen=1; -if (GETPOST('dol_no_mouse_hover') || ! empty($_SESSION['dol_no_mouse_hover'])) $conf->dol_no_mouse_hover=1; -if (GETPOST('dol_use_jmobile') || ! empty($_SESSION['dol_use_jmobile'])) $conf->dol_use_jmobile=1; +if (GETPOST('dol_hide_leftmenu','alpha') || ! empty($_SESSION['dol_hide_leftmenu'])) $conf->dol_hide_leftmenu=1; +if (GETPOST('dol_hide_topmenu','alpha') || ! empty($_SESSION['dol_hide_topmenu'])) $conf->dol_hide_topmenu=1; +if (GETPOST('dol_optimize_smallscreen','alpha') || ! empty($_SESSION['dol_optimize_smallscreen'])) $conf->dol_optimize_smallscreen=1; +if (GETPOST('dol_no_mouse_hover','alpha') || ! empty($_SESSION['dol_no_mouse_hover'])) $conf->dol_no_mouse_hover=1; +if (GETPOST('dol_use_jmobile','alpha') || ! empty($_SESSION['dol_use_jmobile'])) $conf->dol_use_jmobile=1; /** diff --git a/htdocs/variants/combinations.php b/htdocs/variants/combinations.php index 0ec1bf07b68..f5feba2e606 100644 --- a/htdocs/variants/combinations.php +++ b/htdocs/variants/combinations.php @@ -41,7 +41,7 @@ $massaction=GETPOST('massaction','alpha'); $show_files=GETPOST('show_files','int'); $confirm=GETPOST('confirm','alpha'); $toselect = GETPOST('toselect', 'array'); -$cancel = GETPOST('cancel'); +$cancel = GETPOST('cancel','alpha'); // Security check $fieldvalue = (! empty($id) ? $id : $ref); diff --git a/htdocs/websites/class/website.class.php b/htdocs/websites/class/website.class.php index 2fd86208934..8a1b30d936d 100644 --- a/htdocs/websites/class/website.class.php +++ b/htdocs/websites/class/website.class.php @@ -140,7 +140,7 @@ class Website extends CommonObject $sql .= ' '.(! isset($this->description)?'NULL':"'".$this->db->escape($this->description)."'").','; $sql .= ' '.(! isset($this->status)?'NULL':$this->status).','; $sql .= ' '.(! isset($this->fk_default_home)?'NULL':$this->fk_default_home).','; - $sql .= ' '.(! isset($this->virtualhost)?'NULL':"'".$this->virtualhost)."',"; + $sql .= ' '.(! isset($this->virtualhost)?'NULL':"'".$this->db->escape($this->virtualhost)."'").","; $sql .= ' '.(! isset($this->fk_user_create)?$user->id:$this->fk_user_create).','; $sql .= ' '.(! isset($this->date_creation) || dol_strlen($this->date_creation)==0?'NULL':"'".$this->db->idate($this->date_creation)."'").","; $sql .= ' '.(! isset($this->date_modification) || dol_strlen($this->date_modification)==0?'NULL':"'".$this->db->idate($this->date_creation)."'"); diff --git a/scripts/emailings/mailing-send.php b/scripts/emailings/mailing-send.php index 6465e765cfe..0de6ca4f5fd 100755 --- a/scripts/emailings/mailing-send.php +++ b/scripts/emailings/mailing-send.php @@ -64,7 +64,7 @@ print "***** ".$script_file." (".$version.") pid=".dol_getmypid()." *****\n"; if ($conf->global->MAILING_LIMIT_SENDBYCLI == '-1') { - + } $user = new User($db); @@ -98,7 +98,7 @@ if ($resql) $emailing = new Mailing($db); $emailing->fetch($obj->rowid); - + $id = $emailing->id; $subject = $emailing->sujet; $message = $emailing->body; @@ -120,7 +120,7 @@ if ($resql) { $sql2.= " LIMIT ".$conf->global->MAILING_LIMIT_SENDBYCLI; } - + $resql2=$db->query($sql2); if ($resql2) { @@ -145,6 +145,7 @@ if ($resql) $i = 0; while ($i < $num2) { + // Here code is common with same loop ino card.php $res=1; $now=dol_now(); @@ -178,13 +179,43 @@ if ($resql) '__CHECK_READ__' => '', '__UNSUBSCRIBE__' => ''.$langs->trans("MailUnsubcribe").'' ); + $onlinepaymentenabled = 0; + if (! empty($conf->paypal->enabled)) $onlinepaymentenabled++; + if (! empty($conf->paybox->enabled)) $onlinepaymentenabled++; + if (! empty($conf->stripe->enabled)) $onlinepaymentenabled++; + if ($onlinepaymentenabled && ! empty($conf->global->PAYMENT_SECURITY_TOKEN)) + { + $substitutionarray['__SECUREKEYPAYMENT__']=dol_hash($conf->global->PAYMENT_SECURITY_TOKEN, 2); + + if (empty($conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE)) $substitutionarray['__SECUREKEYPAYMENT_MEMBER__']=dol_hash($conf->global->PAYMENT_SECURITY_TOKEN, 2); + else $substitutionarray['__SECUREKEYPAYMENT_MEMBER__']=dol_hash($conf->global->PAYMENT_SECURITY_TOKEN . 'membersubscription' . $obj->source_id, 2); + + if (empty($conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE)) $substitutionarray['__SECUREKEYPAYMENT_ORDER__']=dol_hash($conf->global->PAYMENT_SECURITY_TOKEN, 2); + else $substitutionarray['__SECUREKEYPAYMENT_ORDER__']=dol_hash($conf->global->PAYMENT_SECURITY_TOKEN . 'order' . $obj->source_id, 2); + + if (empty($conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE)) $substitutionarray['__SECUREKEYPAYMENT_INVOICE__']=dol_hash($conf->global->PAYMENT_SECURITY_TOKEN, 2); + else $substitutionarray['__SECUREKEYPAYMENT_INVOICE__']=dol_hash($conf->global->PAYMENT_SECURITY_TOKEN . 'invoice' . $obj->source_id, 2); + + if (empty($conf->global->PAYMENT_SECURITY_TOKEN_UNIQUE)) $substitutionarray['__SECUREKEYPAYMENT_CONTRACTLINE__']=dol_hash($conf->global->PAYMENT_SECURITY_TOKEN, 2); + else $substitutionarray['__SECUREKEYPAYMENT_CONTRACTLINE__']=dol_hash($conf->global->PAYMENT_SECURITY_TOKEN . 'contractline' . $obj->source_id, 2); + } + /* For backward compatibility */ if (! empty($conf->paypal->enabled) && ! empty($conf->global->PAYPAL_SECURITY_TOKEN)) { $substitutionarray['__SECUREKEYPAYPAL__']=dol_hash($conf->global->PAYPAL_SECURITY_TOKEN, 2); + if (empty($conf->global->PAYPAL_SECURITY_TOKEN_UNIQUE)) $substitutionarray['__SECUREKEYPAYPAL_MEMBER__']=dol_hash($conf->global->PAYPAL_SECURITY_TOKEN, 2); else $substitutionarray['__SECUREKEYPAYPAL_MEMBER__']=dol_hash($conf->global->PAYPAL_SECURITY_TOKEN . 'membersubscription' . $obj->source_id, 2); - } + if (empty($conf->global->PAYPAL_SECURITY_TOKEN_UNIQUE)) $substitutionarray['__SECUREKEYPAYPAL_ORDER__']=dol_hash($conf->global->PAYPAL_SECURITY_TOKEN, 2); + else $substitutionarray['__SECUREKEYPAYPAL_ORDER__']=dol_hash($conf->global->PAYPAL_SECURITY_TOKEN . 'order' . $obj->source_id, 2); + + if (empty($conf->global->PAYPAL_SECURITY_TOKEN_UNIQUE)) $substitutionarray['__SECUREKEYPAYPAL_INVOICE__']=dol_hash($conf->global->PAYPAL_SECURITY_TOKEN, 2); + else $substitutionarray['__SECUREKEYPAYPAL_INVOICE__']=dol_hash($conf->global->PAYPAL_SECURITY_TOKEN . 'invoice' . $obj->source_id, 2); + + if (empty($conf->global->PAYPAL_SECURITY_TOKEN_UNIQUE)) $substitutionarray['__SECUREKEYPAYPAL_CONTRACTLINE__']=dol_hash($conf->global->PAYPAL_SECURITY_TOKEN, 2); + else $substitutionarray['__SECUREKEYPAYPAL_CONTRACTLINE__']=dol_hash($conf->global->PAYPAL_SECURITY_TOKEN . 'contractline' . $obj->source_id, 2); + } complete_substitutions_array($substitutionarray,$langs); $newsubject=make_substitutions($subject,$substitutionarray); $newmessage=make_substitutions($message,$substitutionarray); @@ -252,7 +283,7 @@ if ($resql) if ($result < 0) $error++; // End call triggers */ - + $sqlok ="UPDATE ".MAIN_DB_PREFIX."mailing_cibles"; $sqlok.=" SET statut=1, date_envoi='".$db->idate($now)."' WHERE rowid=".$obj2->rowid; $resqlok=$db->query($sqlok); diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php index 7deb7f9e655..073adc8ef9a 100644 --- a/test/phpunit/CodingPhpTest.php +++ b/test/phpunit/CodingPhpTest.php @@ -177,10 +177,10 @@ class CodingPhpTest extends PHPUnit_Framework_TestCase $ok=true; $matches=array(); // Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request. - preg_match_all('/=\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER); + preg_match_all('/(=|sql.+)\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER); foreach($matches as $key => $val) { - if ($val[1] != 'db->' && $val[1] != 'esca') + if ($val[2] != 'db->' && $val[2] != 'esca') { $ok=false; break;