diff --git a/htdocs/adherents/type.php b/htdocs/adherents/type.php index 016fc5e0499..a0f36c409de 100644 --- a/htdocs/adherents/type.php +++ b/htdocs/adherents/type.php @@ -390,13 +390,13 @@ if ($rowid > 0) } if ($status != '') { - $sql.= " AND d.statut IN (".$status.")"; // Peut valoir un nombre ou liste de nombre separes par virgules + $sql.= " AND d.statut IN (".$db->escape($status).")"; // Peut valoir un nombre ou liste de nombre separes par virgules } if ($action == 'search') { if (GETPOST('search')) { - $sql.= natural_search(array("d.firstname","d.lastname"), GETPOST('search')); + $sql.= natural_search(array("d.firstname","d.lastname"), GETPOST('search','alpha')); } } if (! empty($search_lastname)) diff --git a/htdocs/comm/mailing/class/advtargetemailing.class.php b/htdocs/comm/mailing/class/advtargetemailing.class.php index a0744fcfa04..ce6a9cf9896 100644 --- a/htdocs/comm/mailing/class/advtargetemailing.class.php +++ b/htdocs/comm/mailing/class/advtargetemailing.class.php @@ -640,16 +640,16 @@ class AdvanceTargetingMailing extends CommonObject $sqlwhere[]=$this->transformToSQL('t.firstname',$arrayquery['contact_firstname']); } if (!empty($arrayquery['contact_country']) && count($arrayquery['contact_country'])) { - $sqlwhere[]= " (t.fk_pays IN (".implode(',',$arrayquery['contact_country'])."))"; + $sqlwhere[]= " (t.fk_pays IN (".$db->escape(implode(',',$arrayquery['contact_country']))."))"; } if (!empty($arrayquery['contact_status']) && count($arrayquery['contact_status'])>0) { - $sqlwhere[]= " (t.statut IN (".implode(',',$arrayquery['contact_status'])."))"; + $sqlwhere[]= " (t.statut IN (".$db->escape(implode(',',$arrayquery['contact_status']))."))"; } if (!empty($arrayquery['contact_civility']) && count($arrayquery['contact_civility'])>0) { - $sqlwhere[]= " (t.civility IN ('".implode("','",$arrayquery['contact_civility'])."'))"; + $sqlwhere[]= " (t.civility IN ('".$db->escape(implode("','",$arrayquery['contact_civility']))."'))"; } if ($arrayquery['contact_no_email']!='') { - $sqlwhere[]= " (t.no_email='".$arrayquery['contact_no_email']."')"; + $sqlwhere[]= " (t.no_email='".$db->escape($arrayquery['contact_no_email'])."')"; } if ($arrayquery['contact_update_st_dt']!='') { $sqlwhere[]= " (t.tms >= '".$this->db->idate($arrayquery['contact_update_st_dt'])."' AND t.tms <= '".$this->db->idate($arrayquery['contact_update_end_dt'])."')"; @@ -658,7 +658,7 @@ class AdvanceTargetingMailing extends CommonObject $sqlwhere[]= " (t.datec >= '".$this->db->idate($arrayquery['contact_create_st_dt'])."' AND t.datec <= '".$this->db->idate($arrayquery['contact_create_end_dt'])."')"; } if (!empty($arrayquery['contact_categ']) && count($arrayquery['contact_categ'])>0) { - $sqlwhere[]= " (contactcateg.fk_categorie IN (".implode(",",$arrayquery['contact_categ'])."))"; + $sqlwhere[]= " (contactcateg.fk_categorie IN (".$db->escape(implode(",",$arrayquery['contact_categ']))."))"; } //Standard Extrafield feature diff --git a/htdocs/comm/propal/stats/index.php b/htdocs/comm/propal/stats/index.php index 5c74c8374a0..273862f68bf 100644 --- a/htdocs/comm/propal/stats/index.php +++ b/htdocs/comm/propal/stats/index.php @@ -92,7 +92,7 @@ dol_mkdir($dir); $stats = new PropaleStats($db, $socid, ($userid>0?$userid:0), $mode); -if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND p.fk_statut IN ('.$object_status.')'; +if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND p.fk_statut IN ('.$db->escape($object_status).')'; // Build graphic number of object $data = $stats->getNbByMonthWithPrevYear($endyear,$startyear); @@ -299,7 +299,7 @@ foreach ($data as $val) while (! empty($year) && $oldyear > $year+1) { // If we have empty year $oldyear--; - + print ''; print '0?'&userid='.$userid:'').'">'.$oldyear.''; print '0'; diff --git a/htdocs/commande/stats/index.php b/htdocs/commande/stats/index.php index ed9f8906804..6a8b57e3707 100644 --- a/htdocs/commande/stats/index.php +++ b/htdocs/commande/stats/index.php @@ -88,11 +88,11 @@ dol_mkdir($dir); $stats = new CommandeStats($db, $socid, $mode, ($userid>0?$userid:0)); if ($mode == 'customer') { - if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND c.fk_statut IN ('.$object_status.')'; + if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND c.fk_statut IN ('.$db->escape($object_status).')'; } if ($mode == 'supplier') { - if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND c.fk_statut IN ('.$object_status.')'; + if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND c.fk_statut IN ('.$db->escape($object_status).')'; } diff --git a/htdocs/compta/facture/stats/index.php b/htdocs/compta/facture/stats/index.php index 55ff4dad6e3..bf54e4f58ab 100644 --- a/htdocs/compta/facture/stats/index.php +++ b/htdocs/compta/facture/stats/index.php @@ -84,11 +84,11 @@ dol_mkdir($dir); $stats = new FactureStats($db, $socid, $mode, ($userid>0?$userid:0)); if ($mode == 'customer') { - if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND f.fk_statut IN ('.$object_status.')'; + if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND f.fk_statut IN ('.$db->escape($object_status).')'; } if ($mode == 'supplier') { - if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$object_status.')'; + if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$db->escape($object_status).')'; } // Build graphic number of object @@ -299,7 +299,7 @@ foreach ($data as $val) while ($year && $oldyear > $year+1) { // If we have empty year $oldyear--; - + print ''; print '0?'&userid='.$userid:'').'">'.$oldyear.''; print '0'; @@ -310,7 +310,7 @@ foreach ($data as $val) print ''; print ''; } - + print ''; print '0?'&userid='.$userid:'').'">'.$year.''; print ''.$val['nb'].''; diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index b7a2b46dfc0..c8ea494ad3a 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -1918,7 +1918,7 @@ class Form $sql.= ' WHERE p.entity IN ('.getEntity('product').')'; if (count($warehouseStatusArray)) { - $sql.= ' AND (p.fk_product_type = 1 OR e.statut IN ('.implode(',',$warehouseStatusArray).'))'; + $sql.= ' AND (p.fk_product_type = 1 OR e.statut IN ('.$db->escape(implode(',',$warehouseStatusArray)).'))'; } if (!empty($conf->global->PRODUIT_ATTRIBUTES_HIDECHILD)) { diff --git a/htdocs/don/list.php b/htdocs/don/list.php index 5521b233a28..9602b69a615 100644 --- a/htdocs/don/list.php +++ b/htdocs/don/list.php @@ -92,11 +92,11 @@ $sql.= " FROM ".MAIN_DB_PREFIX."don as d LEFT JOIN ".MAIN_DB_PREFIX."projet AS p $sql.= " ON p.rowid = d.fk_projet WHERE 1 = 1"; if ($statut != '' && $statut != '-1') { - $sql .= " AND d.fk_statut IN (".$statut.")"; + $sql .= " AND d.fk_statut IN (".$db->escape($statut).")"; } if (trim($search_ref) != '') { - $sql.= natural_search('d.ref',$search_ref); + $sql.= natural_search('d.ref', $search_ref); } if (trim($search_all) != '') { diff --git a/htdocs/expensereport/stats/index.php b/htdocs/expensereport/stats/index.php index e158e4728a8..d0e3a1164bc 100644 --- a/htdocs/expensereport/stats/index.php +++ b/htdocs/expensereport/stats/index.php @@ -74,7 +74,7 @@ print load_fiche_titre($title, $mesg); dol_mkdir($dir); $stats = new ExpenseReportStats($db, $socid, $userid); -if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND e.fk_statut IN ('.$object_status.')'; +if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND e.fk_statut IN ('.$db->escape($object_status).')'; // Build graphic number of object // $data = array(array('Lib',val1,val2,val3),...) @@ -262,7 +262,7 @@ foreach ($data as $val) while ($year && $oldyear > $year+1) { // If we have empty year $oldyear--; - + print ''; print ''.$oldyear.''; print '0'; @@ -271,7 +271,7 @@ foreach ($data as $val) print ''; } - + print ''; print ''.$year.''; print ''.$val['nb'].''; diff --git a/htdocs/fichinter/stats/index.php b/htdocs/fichinter/stats/index.php index 4daa0b7e00d..1c0ba5764ed 100644 --- a/htdocs/fichinter/stats/index.php +++ b/htdocs/fichinter/stats/index.php @@ -75,7 +75,7 @@ print load_fiche_titre($title,'','title_commercial.png'); dol_mkdir($dir); $stats = new FichinterStats($db, $socid, $mode, ($userid>0?$userid:0)); -if ($object_status != '' && $object_status > -1) $stats->where .= ' AND c.fk_statut IN ('.$object_status.')'; +if ($object_status != '' && $object_status > -1) $stats->where .= ' AND c.fk_statut IN ('.$db->escape($object_status).')'; // Build graphic number of object $data = $stats->getNbByMonthWithPrevYear($endyear,$startyear); @@ -291,7 +291,7 @@ foreach ($data as $val) while (! empty($year) && $oldyear > $year+1) { // If we have empty year $oldyear--; - + print ''; print '0?'&userid='.$userid:'').'">'.$oldyear.''; @@ -304,7 +304,7 @@ foreach ($data as $val) print ''; } - + print ''; print '0?'&userid='.$userid:'').'">'.$year.''; print ''.$val['nb'].''; diff --git a/htdocs/fourn/commande/list.php b/htdocs/fourn/commande/list.php index ee9a6b3e490..ac67d256824 100644 --- a/htdocs/fourn/commande/list.php +++ b/htdocs/fourn/commande/list.php @@ -535,9 +535,9 @@ if ($search_request_author) $sql.=natural_search(array('u.lastname','u.firstname if ($billed != '' && $billed >= 0) $sql .= " AND cf.billed = ".$billed; //Required triple check because statut=0 means draft filter -if (GETPOST('statut', 'alpha') !== '') +if (GETPOST('statut', 'intcomma') !== '') { - $sql .= " AND cf.fk_statut IN (".$db->escape(GETPOST('statut', 'alpha')).")"; + $sql .= " AND cf.fk_statut IN (".$db->escape($db->escape(GETPOST('statut', 'intcomma'))).")"; } if ($search_status != '' && $search_status >= 0) { diff --git a/htdocs/product/class/html.formproduct.class.php b/htdocs/product/class/html.formproduct.class.php index 1dbfbc7662f..c526e7ae52b 100644 --- a/htdocs/product/class/html.formproduct.class.php +++ b/htdocs/product/class/html.formproduct.class.php @@ -57,7 +57,7 @@ class FormProduct * @param string $batch Add quantity of batch stock in label for product with batch name batch, batch name precedes batch_id. Nothing if ''. * @param string $status warehouse status filter, following comma separated filter options can be used * 'warehouseopen' = select products from open warehouses, - * 'warehouseclosed' = select products from closed warehouses, + * 'warehouseclosed' = select products from closed warehouses, * 'warehouseinternal' = select products from warehouses for internal correct/transfer only * @param boolean $sumStock sum total stock of a warehouse, default true * @param array $exclude warehouses ids to exclude @@ -68,28 +68,28 @@ class FormProduct global $conf, $langs; if (empty($fk_product) && count($this->cache_warehouses)) return 0; // Cache already loaded and we do not want a list with information specific to a product - + if (is_array($exclude)) $excludeGroups = implode("','",$exclude); $warehouseStatus = array(); - if (preg_match('/warehouseclosed/', $status)) + if (preg_match('/warehouseclosed/', $status)) { $warehouseStatus[] = Entrepot::STATUS_CLOSED; } - if (preg_match('/warehouseopen/', $status)) + if (preg_match('/warehouseopen/', $status)) { $warehouseStatus[] = Entrepot::STATUS_OPEN_ALL; } - if (preg_match('/warehouseinternal/', $status)) + if (preg_match('/warehouseinternal/', $status)) { $warehouseStatus[] = Entrepot::STATUS_OPEN_INTERNAL; } - + $sql = "SELECT e.rowid, e.label, e.description, e.fk_parent"; - if (!empty($fk_product)) + if (!empty($fk_product)) { - if (!empty($batch)) + if (!empty($batch)) { $sql.= ", pb.qty as stock"; } @@ -107,7 +107,7 @@ class FormProduct if (!empty($fk_product)) { $sql.= " AND ps.fk_product = '".$fk_product."'"; - if (!empty($batch)) + if (!empty($batch)) { $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."product_batch as pb on pb.fk_product_stock = ps.rowid AND pb.batch = '".$batch."'"; } @@ -115,15 +115,15 @@ class FormProduct $sql.= " WHERE e.entity IN (".getEntity('stock').")"; if (count($warehouseStatus)) { - $sql.= " AND e.statut IN (".implode(',',$warehouseStatus).")"; + $sql.= " AND e.statut IN (".$db->escape(implode(',',$warehouseStatus)).")"; } else { $sql.= " AND e.statut = 1"; } - - if(!empty($exclude)) $sql.= ' AND e.rowid NOT IN('.implode(',', $exclude).')'; - + + if(!empty($exclude)) $sql.= ' AND e.rowid NOT IN('.$db->escape(implode(',', $exclude)).')'; + if ($sumStock && empty($fk_product)) $sql.= " GROUP BY e.rowid, e.label, e.description, e.fk_parent"; $sql.= " ORDER BY e.label"; @@ -144,7 +144,7 @@ class FormProduct $this->cache_warehouses[$obj->rowid]['stock'] = $obj->stock; $i++; } - + // Full label init foreach($this->cache_warehouses as $obj_rowid=>$tab) { $this->cache_warehouses[$obj_rowid]['full_label'] = $this->get_parent_path($tab); @@ -158,18 +158,18 @@ class FormProduct return -1; } } - + /** * Return full path to current warehouse in $tab (recursive function) - * + * * @param array $tab warehouse data in $this->cache_warehouses line * @param String $final_label full label with all parents, separated by ' >> ' (completed on each call) * @return String full label with all parents, separated by ' >> ' */ private function get_parent_path($tab, $final_label='') { - + if(empty($final_label)) $final_label = $tab['label']; - + if(empty($tab['parent_id'])) return $final_label; else { if(!empty($this->cache_warehouses[$tab['parent_id']])) { @@ -177,9 +177,9 @@ class FormProduct return $this->get_parent_path($this->cache_warehouses[$tab['parent_id']], $final_label); } } - + return $final_label; - + } /** @@ -189,7 +189,7 @@ class FormProduct * @param string $htmlname Name of html select html * @param string $filterstatus warehouse status filter, following comma separated filter options can be used * 'warehouseopen' = select products from open warehouses, - * 'warehouseclosed' = select products from closed warehouses, + * 'warehouseclosed' = select products from closed warehouses, * 'warehouseinternal' = select products from warehouses for internal correct/transfer only * @param int $empty 1=Can be empty, 0 if not * @param int $disabled 1=Select is disabled @@ -208,7 +208,7 @@ class FormProduct global $conf,$langs,$user; dol_syslog(get_class($this)."::selectWarehouses $selected, $htmlname, $filterstatus, $empty, $disabled, $fk_product, $empty_label, $showstock, $forcecombo, $morecss",LOG_DEBUG); - + $out=''; if (empty($conf->global->ENTREPOT_EXTRA_STATUS)) $filterstatus = ''; $this->loadWarehouses($fk_product, '', $filterstatus, true, $exclude); @@ -221,7 +221,7 @@ class FormProduct $out.= $comboenhancement; $nodatarole=($comboenhancement?' data-role="none"':''); } - + $out.='