diff --git a/htdocs/core/boxes/box_last_modified_ticket.php b/htdocs/core/boxes/box_last_modified_ticket.php
index 33d2bab0485..57e54594255 100644
--- a/htdocs/core/boxes/box_last_modified_ticket.php
+++ b/htdocs/core/boxes/box_last_modified_ticket.php
@@ -94,14 +94,14 @@ class box_last_modified_ticket extends ModeleBoxes
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_ticket_severity as severity ON severity.code=t.severity_code";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid=t.fk_soc";
- $sql .= " WHERE t.entity = ".$conf->entity;
+ $sql .= " WHERE t.entity IN (".getEntity('ticket').')';
 // $sql.= " AND e.rowid = er.fk_event";
- //if (!$user->rights->societe->client->voir && !$user->socid) $sql.= " WHERE s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
+ //if (!$user->rights->societe->client->voir && !$user->socid) $sql.= " WHERE s.rowid = sc.fk_soc AND sc.fk_user = " .((int) $user->id);
 if ($user->socid) {
- $sql .= " AND t.fk_soc= ".$user->socid;
+ $sql .= " AND t.fk_soc = ".((int) $user->socid);
 }
- $sql .= " ORDER BY t.tms DESC, t.rowid DESC ";
+ $sql .= " ORDER BY t.tms DESC, t.rowid DESC";
 $sql .= $this->db->plimit($max, 0);
 $resql = $this->db->query($sql);
diff --git a/htdocs/core/boxes/box_last_ticket.php b/htdocs/core/boxes/box_last_ticket.php
index e08a54f1c87..39086464f73 100644
--- a/htdocs/core/boxes/box_last_ticket.php
+++ b/htdocs/core/boxes/box_last_ticket.php
@@ -93,12 +93,11 @@ class box_last_ticket extends ModeleBoxes
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_ticket_category as category ON category.code=t.category_code";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_ticket_severity as severity ON severity.code=t.severity_code";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid=t.fk_soc";
-
- $sql .= " WHERE t.entity = ".$conf->entity;
+ $sql .= " WHERE t.entity IN (".getEntity('ticket').")";
 // $sql.= " AND e.rowid = er.fk_event";
- //if (!$user->rights->societe->client->voir && !$user->socid) $sql.= " WHERE s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
+ //if (!$user->rights->societe->client->voir && !$user->socid) $sql.= " WHERE s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 if ($user->socid) {
- $sql .= " AND t.fk_soc= ".$user->socid;
+ $sql .= " AND t.fk_soc= ".((int) $user->socid);
 }
 //$sql.= " AND t.fk_statut > 9";
diff --git a/htdocs/core/boxes/box_project.php b/htdocs/core/boxes/box_project.php
index 9f1204c4dc4..f14ab699690 100644
--- a/htdocs/core/boxes/box_project.php
+++ b/htdocs/core/boxes/box_project.php
@@ -136,8 +136,9 @@ class box_project extends ModeleBoxes
 $sql = "SELECT count(*) as nb, sum(progress) as totprogress";
 $sql .= " FROM ".MAIN_DB_PREFIX."projet as p LEFT JOIN ".MAIN_DB_PREFIX."projet_task as pt on pt.fk_projet = p.rowid";
- $sql .= " WHERE p.entity IN (".getEntity('project').')';
- $sql .= " AND p.rowid = ".$objp->rowid;
+ $sql .= " WHERE p.entity IN (".getEntity('project').')';
+ $sql .= " AND p.rowid = ".((int) $objp->rowid);
+
 $resultTask = $this->db->query($sql);
 if ($resultTask) {
 $objTask = $this->db->fetch_object($resultTask);
diff --git a/htdocs/core/boxes/box_validated_projects.php b/htdocs/core/boxes/box_validated_projects.php
index 66a4f76f1b3..f1fb55878aa 100644
--- a/htdocs/core/boxes/box_validated_projects.php
+++ b/htdocs/core/boxes/box_validated_projects.php
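Review bot: The new `t.fk_soc=` line in box_last_ticket keeps the `fk_soc= ` spacing while the identical line in box_last_modified_ticket, first hunk of this same diff, was normalised to `fk_soc = `; writing it as `$sql .= " AND t.fk_soc = ".((int) $user->socid);` keeps the two boxes byte-identical and makes them easier to compare. This is a style point only; the cast itself is correct. The enclosing method continues outside the hunk.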
@@ -118,7 +118,7 @@ class box_validated_projects extends ModeleBoxes
 if ($projectsListId) {
 $sql .= ' AND p.rowid IN ('.$this->db->sanitize($projectsListId).')'; // Only project we ara allowed
 }
- $sql .= " AND t.rowid NOT IN (SELECT fk_task FROM ".MAIN_DB_PREFIX."projet_task_time WHERE fk_user =".$user->id.")";
+ $sql .= " AND t.rowid NOT IN (SELECT fk_task FROM ".MAIN_DB_PREFIX."projet_task_time WHERE fk_user = ".((int) $user->id).")";
 $sql .= " GROUP BY p.rowid, p.ref, p.fk_soc, p.dateo";
 $sql .= " ORDER BY p.dateo ASC";
diff --git a/htdocs/core/class/commoninvoice.class.php b/htdocs/core/class/commoninvoice.class.php
index 81f2b529f1d..605ffec63bd 100644
--- a/htdocs/core/class/commoninvoice.class.php
+++ b/htdocs/core/class/commoninvoice.class.php
@@ -462,7 +462,7 @@ abstract class CommonInvoice extends CommonObject
 $type = 'supplier_invoice';
 }
- $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$this->db->escape($type)."' AND ab.fk_doc = ".$this->id;
+ $sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$this->db->escape($type)."' AND ab.fk_doc = ".((int) $this->id);
 $resql = $this->db->query($sql);
 if ($resql) {
 $obj = $this->db->fetch_object($resql);
diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php
index bed73be9d46..fccbfa6ed7f 100644
--- a/htdocs/core/class/commonobject.class.php
+++ b/htdocs/core/class/commonobject.class.php
@@ -1834,7 +1834,7 @@ abstract class CommonObject
 if (!empty($element)) {
 $sql .= " AND entity IN (".getEntity($element).")";
 } else {
- $sql .= " AND entity = ".$conf->entity;
+ $sql .= " AND entity = ".((int) $conf->entity);
 }
 dol_syslog(get_class($this).'::fetchObjectFrom', LOG_DEBUG);
@@ -3886,14 +3886,14 @@ abstract class CommonObject
 $sql = "UPDATE " . MAIN_DB_PREFIX . "element_element SET ";
 if ($updatesource) {
- $sql .= "fk_source = " . $sourceid;
+ $sql .= "fk_source = " . ((int) $sourceid);
 $sql .= ", sourcetype = '" . $this->db->escape($sourcetype) . "'";
- $sql .= " WHERE fk_target = " . $this->id;
+ $sql .= " WHERE fk_target = " . ((int) $this->id);
 $sql .= " AND targettype = '" . $this->db->escape($this->element) . "'";
 } elseif ($updatetarget) {
- $sql .= "fk_target = " . $targetid;
+ $sql .= "fk_target = " . ((int) $targetid);
 $sql .= ", targettype = '" . $this->db->escape($targettype) . "'";
- $sql .= " WHERE fk_source = " . $this->id;
+ $sql .= " WHERE fk_source = " . ((int) $this->id);
 $sql .= " AND sourcetype = '" . $this->db->escape($this->element) . "'";
 }
@@ -3979,15 +3979,15 @@ abstract class CommonObject
 $sql .= " rowid = " . ((int) $rowid);
 } else {
 if ($deletesource) {
- $sql .= " fk_source = " . $sourceid . " AND sourcetype = '" . $this->db->escape($sourcetype) . "'";
- $sql .= " AND fk_target = " . $this->id . " AND targettype = '" . $this->db->escape($this->element) . "'";
+ $sql .= " fk_source = " . ((int) $sourceid) . " AND sourcetype = '" . $this->db->escape($sourcetype) . "'";
+ $sql .= " AND fk_target = " . ((int) $this->id) . " AND targettype = '" . $this->db->escape($this->element) . "'";
 } elseif ($deletetarget) {
- $sql .= " fk_target = " . $targetid . " AND targettype = '" . $this->db->escape($targettype) . "'";
- $sql .= " AND fk_source = " . $this->id . " AND sourcetype = '" . $this->db->escape($this->element) . "'";
+ $sql .= " fk_target = " . ((int) $targetid) . " AND targettype = '" . $this->db->escape($targettype) . "'";
+ $sql .= " AND fk_source = " . ((int) $this->id) . " AND sourcetype = '" . $this->db->escape($this->element) . "'";
 } else {
- $sql .= " (fk_source = " . $this->id . " AND sourcetype = '" . $this->db->escape($this->element) . "')";
+ $sql .= " (fk_source = " . ((int) $this->id) . " AND sourcetype = '" . $this->db->escape($this->element) . "')";
 $sql .= " OR";
- $sql .= " (fk_target = " . $this->id . " AND targettype = '" . $this->db->escape($this->element) . "')";
+ $sql .= " (fk_target = " . ((int) $this->id) . " AND targettype = '" . $this->db->escape($this->element) . "')";
 }
 }
@@ -5488,7 +5488,7 @@ abstract class CommonObject
 $sql = "SELECT rowid, property, lang , value";
 $sql .= " FROM ".MAIN_DB_PREFIX."object_lang";
 $sql .= " WHERE type_object = '".$this->db->escape($element)."'";
- $sql .= " AND fk_object = ".$this->id;
+ $sql .= " AND fk_object = ".((int) $this->id);
 //dol_syslog(get_class($this)."::fetch_optionals get extrafields data for ".$this->table_element, LOG_DEBUG); // Too verbose
 $resql = $this->db->query($sql);
@@ -9248,7 +9248,7 @@ abstract class CommonObject
 // Delete ecm_files extrafields
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."ecm_files_extrafields WHERE fk_object IN (";
 $sql .= " SELECT rowid FROM ".MAIN_DB_PREFIX."ecm_files WHERE filename LIKE '".$this->db->escape($this->ref)."%'";
- $sql .= " AND filepath = '".$this->db->escape($element)."/".$this->db->escape($this->ref)."' AND entity = ".$conf->entity; // No need of getEntity here
+ $sql .= " AND filepath = '".$this->db->escape($element)."/".$this->db->escape($this->ref)."' AND entity = ".((int) $conf->entity); // No need of getEntity here
 $sql .= ")";
 if (!$this->db->query($sql)) {
@@ -9260,7 +9260,7 @@ abstract class CommonObject
 // Delete ecm_files
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."ecm_files";
 $sql .= " WHERE filename LIKE '".$this->db->escape($this->ref)."%'";
- $sql .= " AND filepath = '".$this->db->escape($element)."/".$this->db->escape($this->ref)."' AND entity = ".$conf->entity; // No need of getEntity here
+ $sql .= " AND filepath = '".$this->db->escape($element)."/".$this->db->escape($this->ref)."' AND entity = ".((int) $conf->entity); // No need of getEntity here
 if (!$this->db->query($sql)) {
 $this->error = $this->db->lasterror();
@@ -9272,7 +9272,7 @@ abstract class CommonObject
 // Delete in database with mode 1
 if ($mode == 1) {
 $sql = 'DELETE FROM '.MAIN_DB_PREFIX."ecm_files_extrafields";
- $sql .= " WHERE fk_object IN (SELECT rowid FROM ".MAIN_DB_PREFIX."ecm_files WHERE src_object_type = '".$this->db->escape($this->table_element.(empty($this->module) ? '' : '@'.$this->module))."' AND src_object_id = ".$this->id.")";
+ $sql .= " WHERE fk_object IN (SELECT rowid FROM ".MAIN_DB_PREFIX."ecm_files WHERE src_object_type = '".$this->db->escape($this->table_element.(empty($this->module) ? '' : '@'.$this->module))."' AND src_object_id = ".((int) $this->id).")";
 $resql = $this->db->query($sql);
 if (!$resql) {
 $this->error = $this->db->lasterror();
diff --git a/htdocs/core/class/discount.class.php b/htdocs/core/class/discount.class.php
index 46658851179..eaf4bc511c8 100644
--- a/htdocs/core/class/discount.class.php
+++ b/htdocs/core/class/discount.class.php
@@ -144,7 +144,7 @@ class DiscountAbsolute
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."facture_fourn as fsup ON sr.fk_invoice_supplier_source = fsup.rowid";
 $sql .= " WHERE sr.entity IN (".getEntity('invoice').")";
 if ($rowid) {
- $sql .= " AND sr.rowid=".((int) $rowid);
+ $sql .= " AND sr.rowid = ".((int) $rowid);
 }
 if ($fk_facture_source) {
 $sql .= " AND sr.fk_facture_source = ".((int) $fk_facture_source);
@@ -315,7 +315,7 @@ class DiscountAbsolute
 $sql .= " FROM ".MAIN_DB_PREFIX."societe_remise_except";
 $sql .= " WHERE (fk_invoice_supplier_line IS NOT NULL"; // Not used as absolute simple discount
 $sql .= " OR fk_invoice_supplier IS NOT NULL)"; // Not used as credit note and not used as deposit
- $sql .= " AND fk_invoice_supplier_source = ".$this->fk_invoice_supplier_source;
+ $sql .= " AND fk_invoice_supplier_source = ".((int) $this->fk_invoice_supplier_source);
 //$sql.=" AND rowid != ".$this->id;
 dol_syslog(get_class($this)."::delete Check if we can remove discount", LOG_DEBUG);
@@ -355,7 +355,7 @@ class DiscountAbsolute
 if ($this->fk_facture_source) {
 $sql = "UPDATE ".MAIN_DB_PREFIX."facture";
 $sql .= " set paye=0, fk_statut=1";
- $sql .= " WHERE (type = 2 or type = 3) AND rowid=".$this->fk_facture_source;
+ $sql .= " WHERE (type = 2 or type = 3) AND rowid = ".((int) $this->fk_facture_source);
 dol_syslog(get_class($this)."::delete Update credit note or deposit invoice statut", LOG_DEBUG);
 $result = $this->db->query($sql);
@@ -370,7 +370,7 @@ class DiscountAbsolute
 } elseif ($this->fk_invoice_supplier_source) {
 $sql = "UPDATE ".MAIN_DB_PREFIX."facture_fourn";
 $sql .= " set paye=0, fk_statut=1";
- $sql .= " WHERE (type = 2 or type = 3) AND rowid=".$this->fk_invoice_supplier_source;
+ $sql .= " WHERE (type = 2 or type = 3) AND rowid = ".((int) $this->fk_invoice_supplier_source);
 dol_syslog(get_class($this)."::delete Update credit note or deposit invoice statut", LOG_DEBUG);
 $result = $this->db->query($sql);
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index 19a53921819..4ff3dacb537 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -1663,7 +1663,7 @@ class Form
 }
 $sql .= " WHERE sp.entity IN (".getEntity('socpeople').")";
 if ($socid > 0 || $socid == -1) {
- $sql .= " AND sp.fk_soc=".$socid;
+ $sql .= " AND sp.fk_soc = ".((int) $socid);
 }
 if (!empty($conf->global->CONTACT_HIDE_INACTIVE_IN_COMBOBOX)) {
 $sql .= " AND sp.statut <> 0";
@@ -2445,13 +2445,13 @@ class Form
 if (!empty($conf->global->PRODUIT_CUSTOMER_PRICES_BY_QTY) || !empty($conf->global->PRODUIT_CUSTOMER_PRICES_BY_QTY_MULTIPRICES)) {
 $sql .= ", (SELECT pp.rowid FROM ".MAIN_DB_PREFIX."product_price as pp WHERE pp.fk_product = p.rowid";
 if ($price_level >= 1 && !empty($conf->global->PRODUIT_CUSTOMER_PRICES_BY_QTY_MULTIPRICES)) {
- $sql .= " AND price_level=".$price_level;
+ $sql .= " AND price_level = ".((int) $price_level);
 }
 $sql .= " ORDER BY date_price";
 $sql .= " DESC LIMIT 1) as price_rowid";
 $sql .= ", (SELECT pp.price_by_qty FROM ".MAIN_DB_PREFIX."product_price as pp WHERE pp.fk_product = p.rowid"; // price_by_qty is 1 if some prices by qty exists in subtable
 if ($price_level >= 1 && !empty($conf->global->PRODUIT_CUSTOMER_PRICES_BY_QTY_MULTIPRICES)) {
- $sql .= " AND price_level=".$price_level;
+ $sql .= " AND price_level = ".((int) $price_level);
 }
 $sql .= " ORDER BY date_price";
 $sql .= " DESC LIMIT 1) as price_by_qty";
@@ -2471,7 +2471,7 @@ class Form
 //Price by customer
 if (!empty($conf->global->PRODUIT_CUSTOMER_PRICES) && !empty($socid)) {
- $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_customer_price as pcp ON pcp.fk_soc=".$socid." AND pcp.fk_product=p.rowid";
+ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_customer_price as pcp ON pcp.fk_soc=".((int) $socid)." AND pcp.fk_product=p.rowid";
 }
 // Units
 if (!empty($conf->global->PRODUCT_USE_UNITS)) {
@@ -3461,7 +3461,7 @@ class Form
 $sql .= " WHERE pfp.entity IN (".getEntity('productsupplierprice').")";
 $sql .= " AND p.tobuy = 1";
 $sql .= " AND s.fournisseur = 1";
- $sql .= " AND p.rowid = ".$productid;
+ $sql .= " AND p.rowid = ".((int) $productid);
 $sql .= " ORDER BY s.nom, pfp.ref_fourn DESC";
 dol_syslog(get_class($this)."::select_product_fourn_price", LOG_DEBUG);
@@ -8814,7 +8814,7 @@ class Form
 $sql .= " AND f.fk_projet = p.rowid AND f.fk_statut=0"; //Brouillons seulement
 //if ($projectsListId) $sql.= " AND p.rowid IN (".$this->db->sanitize($projectsListId).")";
 //if ($socid == 0) $sql.= " AND (p.fk_soc=0 OR p.fk_soc IS NULL)";
- //if ($socid > 0) $sql.= " AND (p.fk_soc=".$socid." OR p.fk_soc IS NULL)";
+ //if ($socid > 0) $sql.= " AND (p.fk_soc=".((int) $socid)." OR p.fk_soc IS NULL)";
 $sql .= " ORDER BY p.ref, f.ref ASC";
 $resql = $this->db->query($sql);
diff --git a/htdocs/core/class/html.formcontract.class.php b/htdocs/core/class/html.formcontract.class.php
index eb0f1baaef1..5db615f4654 100644
--- a/htdocs/core/class/html.formcontract.class.php
+++ b/htdocs/core/class/html.formcontract.class.php
@@ -80,7 +80,7 @@ class FormContract
 if ($socid > 0) {
 // CONTRACT_ALLOW_TO_LINK_FROM_OTHER_COMPANY is 'all' or a list of ids separated by coma.
 if (empty($conf->global->CONTRACT_ALLOW_TO_LINK_FROM_OTHER_COMPANY)) {
- $sql .= " AND (c.fk_soc=".$socid." OR c.fk_soc IS NULL)";
+ $sql .= " AND (c.fk_soc=".((int) $socid)." OR c.fk_soc IS NULL)";
 } elseif ($conf->global->CONTRACT_ALLOW_TO_LINK_FROM_OTHER_COMPANY != 'all') {
 $sql .= " AND (c.fk_soc IN (".$this->db->sanitize($socid.", ".$conf->global->CONTRACT_ALLOW_TO_LINK_FROM_OTHER_COMPANY).") ";
 $sql .= " OR c.fk_soc IS NULL)";
diff --git a/htdocs/core/class/html.formother.class.php b/htdocs/core/class/html.formother.class.php
index dbeef627375..038f93d34c6 100644
--- a/htdocs/core/class/html.formother.class.php
+++ b/htdocs/core/class/html.formother.class.php
@@ -494,7 +494,7 @@ class FormOther
 }
 if (empty($user->rights->user->user->lire)) {
- $sql_usr .= " AND u.rowid = ".$user->id;
+ $sql_usr .= " AND u.rowid = ".((int) $user->id);
 }
 if (!empty($user->socid)) {
 $sql_usr .= " AND u.fk_soc = ".((int) $user->socid);
@@ -521,7 +521,7 @@ class FormOther
 $sql_usr .= " WHERE u2.entity IN (".getEntity('user').")";
 }
- $sql_usr .= " AND u2.rowid = sc.fk_user AND sc.fk_soc=".$user->socid;
+ $sql_usr .= " AND u2.rowid = sc.fk_user AND sc.fk_soc = ".((int) $user->socid);
 //Add hook to filter on user (for exemple on usergroup define in custom modules)
 if (!empty($reshook)) {
diff --git a/htdocs/core/class/html.formprojet.class.php b/htdocs/core/class/html.formprojet.class.php
index 4177c4237b8..9696dca7183 100644
--- a/htdocs/core/class/html.formprojet.class.php
+++ b/htdocs/core/class/html.formprojet.class.php
@@ -350,7 +350,7 @@ class FormProjets
 $sql .= " AND (p.fk_soc=0 OR p.fk_soc IS NULL)";
 }
 if ($socid > 0) {
- $sql .= " AND (p.fk_soc=".$socid." OR p.fk_soc IS NULL)";
+ $sql .= " AND (p.fk_soc=".((int) $socid)." OR p.fk_soc IS NULL)";
 }
 $sql .= " ORDER BY p.ref, t.ref ASC";
diff --git a/htdocs/core/class/notify.class.php b/htdocs/core/class/notify.class.php
index 557d76b05f1..e865f9bd0e8 100644
--- a/htdocs/core/class/notify.class.php
+++ b/htdocs/core/class/notify.class.php
@@ -398,7 +398,7 @@ class Notify
 $sql .= " WHERE n.fk_user = c.rowid AND a.rowid = n.fk_action";
 $sql .= " AND c.statut = 1";
 if (is_numeric($notifcode)) {
- $sql .= " AND n.fk_action = ".$notifcode; // Old usage
+ $sql .= " AND n.fk_action = ".((int) $notifcode); // Old usage
 } else {
 $sql .= " AND a.code = '".$this->db->escape($notifcode)."'"; // New usage
 }
diff --git a/htdocs/core/lib/company.lib.php b/htdocs/core/lib/company.lib.php
index 7ada15bcaeb..4b536ccb2ad 100644
--- a/htdocs/core/lib/company.lib.php
+++ b/htdocs/core/lib/company.lib.php
@@ -1085,7 +1085,7 @@ function show_contacts($conf, $langs, $db, $object, $backtopage = '')
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."socpeople_extrafields as ef on (t.rowid = ef.fk_object)";
 $sql .= " WHERE t.fk_soc = ".$object->id;
 if ($search_status != '' && $search_status != '-1') {
- $sql .= " AND t.statut = ".$db->escape($search_status);
+ $sql .= " AND t.statut = ".((int) $search_status);
 }
 if ($search_name) {
 $sql .= natural_search(array('t.lastname', 't.firstname'), $search_name);
diff --git a/htdocs/core/lib/project.lib.php b/htdocs/core/lib/project.lib.php
index 93c061310a5..5432ff18095 100644
--- a/htdocs/core/lib/project.lib.php
+++ b/htdocs/core/lib/project.lib.php
@@ -100,7 +100,7 @@ function project_prepare_head(Project $project)
 //$sql .= " WHERE t.fk_user = u.rowid AND t.fk_task = pt.rowid";
 $sql .= " FROM ".MAIN_DB_PREFIX."projet_task_time as t, ".MAIN_DB_PREFIX."projet_task as pt";
 $sql .= " WHERE t.fk_task = pt.rowid";
- $sql .= " AND pt.fk_projet =".$project->id;
+ $sql .= " AND pt.fk_projet =".((int) $project->id);
 $resql = $db->query($sql);
 if ($resql) {
 $obj = $db->fetch_object($resql);
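Review bot: In the company.lib.php hunk the context line directly above the change, `$sql .= " WHERE t.fk_soc = ".$object->id;`, still concatenates `$object->id` without a cast while the commit casts `$search_status` on the very next line; for the series to be consistent it should read `$sql .= " WHERE t.fk_soc = ".((int) $object->id);`. `$object->id` presumably comes from an already-fetched record rather than from the request, so this is hygiene rather than an open hole, but leaving one bare concatenation in a hunk whose point is to remove them invites the next reader to copy it. show_contacts continues outside the hunk.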
@@ -113,7 +113,7 @@ function project_prepare_head(Project $project)
 }
 }
- $head[$h][0] = DOL_URL_ROOT.'/projet/tasks/time.php?withproject=1&projectid='.$project->id;
+ $head[$h][0] = DOL_URL_ROOT.'/projet/tasks/time.php?withproject=1&projectid='.urlencode($project->id);
 $head[$h][1] = $langs->trans("TimeSpent");
 if ($nbTimeSpent > 0) {
 $head[$h][1] .= '...';
@@ -2407,7 +2407,7 @@ function print_projecttasks_array($db, $form, $socid, $projectsListId, $mytasks
 if ($mytasks) {
 $sql .= " AND p.rowid = t.fk_projet";
 $sql .= " AND ec.element_id = t.rowid";
- $sql .= " AND ec.fk_socpeople = ".$user->id;
+ $sql .= " AND ec.fk_socpeople = ".((int) $user->id);
 $sql .= " AND ec.fk_c_type_contact = ctc.rowid"; // Replace the 2 lines with ec.fk_c_type_contact in $arrayidtypeofcontact
 $sql .= " AND ctc.element = 'project_task'";
 }
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 318cebd0249..b297c81035e 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -754,7 +754,7 @@ function checkUserAccessToObject($user, array $featuresarray, $objectid = 0, $ta
 $sql = "SELECT COUNT(dbt.".$dbt_keyfield.") as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
 $sql .= " WHERE dbt.rowid IN (".$db->sanitize($objectid, 1).")";
- $sql .= " AND dbt.".$dbt_keyfield." = ".$user->socid;
+ $sql .= " AND dbt.".$dbt_keyfield." = ".((int) $user->socid);
 } elseif (!empty($conf->societe->enabled) && !$user->rights->societe->client->voir) {
 // If internal user: Check permission for internal users that are restricted on their objects
 if ($feature != 'ticket') {
diff --git a/htdocs/core/lib/ticket.lib.php b/htdocs/core/lib/ticket.lib.php
index c7eb8ed6cb0..3aededf6a81 100644
--- a/htdocs/core/lib/ticket.lib.php
+++ b/htdocs/core/lib/ticket.lib.php
@@ -351,7 +351,7 @@ function show_ticket_messaging($conf, $langs, $db, $filterobj, $objcon = '', $no
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."element_resources as er";
 $sql .= " ON er.resource_type = 'dolresource'";
 $sql .= " AND er.element_id = a.id";
- $sql .= " AND er.resource_id = ".$filterobj->id;
+ $sql .= " AND er.resource_id = ".((int) $filterobj->id);
 } elseif (is_object($filterobj) && get_class($filterobj) == 'Adherent') {
 $sql .= ", ".MAIN_DB_PREFIX."adherent as m";
 } elseif (is_object($filterobj) && get_class($filterobj) == 'CommandeFournisseur') {
diff --git a/htdocs/core/modules/facture/doc/pdf_crabe.modules.php b/htdocs/core/modules/facture/doc/pdf_crabe.modules.php
index a01fab1dacf..b172cb3b5cf 100644
--- a/htdocs/core/modules/facture/doc/pdf_crabe.modules.php
+++ b/htdocs/core/modules/facture/doc/pdf_crabe.modules.php
@@ -854,7 +854,7 @@ class pdf_crabe extends ModelePDFFactures
 $sql .= " re.description, re.fk_facture_source,";
 $sql .= " f.type, f.datef";
 $sql .= " FROM ".MAIN_DB_PREFIX."societe_remise_except as re, ".MAIN_DB_PREFIX."facture as f";
- $sql .= " WHERE re.fk_facture_source = f.rowid AND re.fk_facture = ".$object->id;
+ $sql .= " WHERE re.fk_facture_source = f.rowid AND re.fk_facture = ".((int) $object->id);
 $resql = $this->db->query($sql);
 if ($resql) {
 $num = $this->db->num_rows($resql);
@@ -914,7 +914,7 @@ class pdf_crabe extends ModelePDFFactures
 $sql .= " cp.code";
 $sql .= " FROM ".MAIN_DB_PREFIX."paiement_facture as pf, ".MAIN_DB_PREFIX."paiement as p";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_paiement as cp ON p.fk_paiement = cp.id";
- $sql .= " WHERE pf.fk_paiement = p.rowid AND pf.fk_facture = ".$object->id;
+ $sql .= " WHERE pf.fk_paiement = p.rowid AND pf.fk_facture = ".((int) $object->id);
 //$sql.= " WHERE pf.fk_paiement = p.rowid AND pf.fk_facture = 1";
 $sql .= " ORDER BY p.datep";
diff --git a/htdocs/core/modules/facture/doc/pdf_sponge.modules.php b/htdocs/core/modules/facture/doc/pdf_sponge.modules.php
index 401309c22e5..bc4c536a2e6 100644
--- a/htdocs/core/modules/facture/doc/pdf_sponge.modules.php
+++ b/htdocs/core/modules/facture/doc/pdf_sponge.modules.php
@@ -1015,7 +1015,7 @@ class pdf_sponge extends ModelePDFFactures
 $sql .= " re.description, re.fk_facture_source,";
 $sql .= " f.type, f.datef";
 $sql .= " FROM ".MAIN_DB_PREFIX."societe_remise_except as re, ".MAIN_DB_PREFIX."facture as f";
- $sql .= " WHERE re.fk_facture_source = f.rowid AND re.fk_facture = ".$object->id;
+ $sql .= " WHERE re.fk_facture_source = f.rowid AND re.fk_facture = ".((int) $object->id);
 $resql = $this->db->query($sql);
 if ($resql) {
 $num = $this->db->num_rows($resql);
@@ -1061,7 +1061,7 @@ class pdf_sponge extends ModelePDFFactures
 $sql .= " cp.code";
 $sql .= " FROM ".MAIN_DB_PREFIX."paiement_facture as pf, ".MAIN_DB_PREFIX."paiement as p";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_paiement as cp ON p.fk_paiement = cp.id";
- $sql .= " WHERE pf.fk_paiement = p.rowid AND pf.fk_facture = ".$object->id;
+ $sql .= " WHERE pf.fk_paiement = p.rowid AND pf.fk_facture = ".((int) $object->id);
 //$sql.= " WHERE pf.fk_paiement = p.rowid AND pf.fk_facture = 1";
 $sql .= " ORDER BY p.datep";
diff --git a/htdocs/core/modules/mailings/contacts1.modules.php b/htdocs/core/modules/mailings/contacts1.modules.php
index 0ca62392c82..2d41dfd9725 100644
--- a/htdocs/core/modules/mailings/contacts1.modules.php
+++ b/htdocs/core/modules/mailings/contacts1.modules.php
@@ -395,7 +395,7 @@ class mailing_contacts1 extends MailingTargets
 $sql .= " AND (SELECT count(*) FROM ".MAIN_DB_PREFIX."mailing_unsubscribe WHERE email = sp.email) = 0"; // Exclude unsubscribed email adresses
 $sql .= " AND sp.statut = 1";
- $sql .= " AND sp.email NOT IN (SELECT email FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE fk_mailing=".$mailing_id.")";
+ $sql .= " AND sp.email NOT IN (SELECT email FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE fk_mailing=".((int) $mailing_id).")";
 // Filter on category
 if ($filter_category <> 'all') {
 $sql .= " AND cs.fk_categorie = c.rowid AND cs.fk_socpeople = sp.rowid";
diff --git a/htdocs/core/modules/mailings/fraise.modules.php b/htdocs/core/modules/mailings/fraise.modules.php
index 34a5bd34a1e..09445264dc7 100644
--- a/htdocs/core/modules/mailings/fraise.modules.php
+++ b/htdocs/core/modules/mailings/fraise.modules.php
@@ -252,7 +252,7 @@ class mailing_fraise extends MailingTargets
 }
 $sql .= " , ".MAIN_DB_PREFIX."adherent_type as ta";
 $sql .= " WHERE a.entity IN (".getEntity('member').") AND a.email <> ''"; // Note that null != '' is false
- $sql .= " AND a.email NOT IN (SELECT email FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE fk_mailing=".$this->db->escape($mailing_id).")";
+ $sql .= " AND a.email NOT IN (SELECT email FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE fk_mailing=".((int) $mailing_id).")";
 // Filter on status
 if (GETPOST("filter") == '-1') {
 $sql .= " AND a.statut=-1";
diff --git a/htdocs/core/modules/printing/printgcp.modules.php b/htdocs/core/modules/printing/printgcp.modules.php
index ace8a5da188..ec53b523336 100644
--- a/htdocs/core/modules/printing/printgcp.modules.php
+++ b/htdocs/core/modules/printing/printgcp.modules.php
@@ -334,7 +334,7 @@ class printing_printgcp extends PrintingDriver
 $fileprint .= '/'.$file;
 $mimetype = dol_mimetype($fileprint);
 // select printer uri for module order, propal,...
- $sql = "SELECT rowid, printer_id, copy FROM ".MAIN_DB_PREFIX."printing WHERE module='".$this->db->escape($module)."' AND driver='printgcp' AND userid=".$user->id;
+ $sql = "SELECT rowid, printer_id, copy FROM ".MAIN_DB_PREFIX."printing WHERE module='".$this->db->escape($module)."' AND driver='printgcp' AND userid=".((int) $user->id);
 $result = $this->db->query($sql);
 if ($result) {
 $obj = $this->db->fetch_object($result);
diff --git a/htdocs/core/modules/printing/printipp.modules.php b/htdocs/core/modules/printing/printipp.modules.php
index b4d4c89b47f..6c4403e2593 100644
--- a/htdocs/core/modules/printing/printipp.modules.php
+++ b/htdocs/core/modules/printing/printipp.modules.php
@@ -148,7 +148,7 @@ class printing_printipp extends PrintingDriver
 }
 // select printer uri for module order, propal,...
- $sql = "SELECT rowid,printer_id,copy FROM ".MAIN_DB_PREFIX."printing WHERE module = '".$this->db->escape($module)."' AND driver = 'printipp' AND userid = ".$user->id;
+ $sql = "SELECT rowid,printer_id,copy FROM ".MAIN_DB_PREFIX."printing WHERE module = '".$this->db->escape($module)."' AND driver = 'printipp' AND userid = ".((int) $user->id);
 $result = $this->db->query($sql);
 if ($result) {
 $obj = $this->db->fetch_object($result);
diff --git a/htdocs/core/modules/rapport/pdf_paiement.class.php b/htdocs/core/modules/rapport/pdf_paiement.class.php
index cfbddcd8206..5904db84398 100644
--- a/htdocs/core/modules/rapport/pdf_paiement.class.php
+++ b/htdocs/core/modules/rapport/pdf_paiement.class.php
@@ -241,13 +241,13 @@ class pdf_paiement
 if (!empty($conf->banque->enabled)) {
 $sql .= " AND p.fk_bank = b.rowid AND b.fk_account = ba.rowid ";
 }
- $sql .= " AND f.entity = ".$conf->entity;
+ $sql .= " AND f.entity IN (".getEntity('invoice').")";
 $sql .= " AND p.datep BETWEEN '".$this->db->idate(dol_get_first_day($year, $month))."' AND '".$this->db->idate(dol_get_last_day($year, $month))."'";
 if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 }
 if (!empty($socid)) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 // If global param PAYMENTS_FOURN_REPORT_GROUP_BY_MOD is set, payement fourn are ordered by paiement_code
 if (!empty($conf->global->PAYMENTS_FOURN_REPORT_GROUP_BY_MOD)) {
diff --git a/htdocs/delivery/class/delivery.class.php b/htdocs/delivery/class/delivery.class.php
index 18887a99e28..019187fca28 100644
--- a/htdocs/delivery/class/delivery.class.php
+++ b/htdocs/delivery/class/delivery.class.php
@@ -273,10 +273,10 @@ class Delivery extends CommonObject
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."deliverydet (fk_delivery, fk_origin_line,";
 $sql .= " fk_product, description, qty)";
- $sql .= " VALUES (".$this->id.",".$origin_id.",";
- $sql .= " ".($idprod > 0 ? $idprod : "null").",";
+ $sql .= " VALUES (".$this->id.",".((int) $origin_id).",";
+ $sql .= " ".($idprod > 0 ? ((int) $idprod) : "null").",";
 $sql .= " ".($description ? "'".$this->db->escape($description)."'" : "null").",";
- $sql .= $qty.")";
+ $sql .= (price2num($qty, 'MS')).")";
 dol_syslog(get_class($this)."::create_line", LOG_DEBUG);
 if (!$this->db->query($sql)) {
@@ -412,7 +412,7 @@ class Delivery extends CommonObject
 $sql .= " FROM ".MAIN_DB_PREFIX."delivery";
 $sql .= " WHERE ref = '".$this->db->escape($numref)."'";
 $sql .= " AND fk_statut <> 0";
- $sql .= " AND entity = ".$conf->entity;
+ $sql .= " AND entity = ".((int) $conf->entity);
 $resql = $this->db->query($sql);
 if ($resql) {
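Review bot: In the delivery.class.php create_line hunk the rewritten VALUES line casts `$origin_id` but leaves `$this->id` bare in the same expression, `$sql .= " VALUES (".$this->id.",".((int) $origin_id).",";`; it should become `$sql .= " VALUES (".((int) $this->id).",".((int) $origin_id).",";` so the INSERT is hardened end to end like the other hunks of this commit. The quantity is now emitted as `(price2num($qty, 'MS')).")"` without quotes, which is safe as long as price2num always returns a numeric string; the hunk does not show what it yields for a null or empty `$qty`, and an empty result would leave `VALUES (..., )` and fail at query time, so that case is worth confirming or guarding with a `(float)` cast. create_line starts and ends outside the hunk.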
@@ -453,7 +453,7 @@ class Delivery extends CommonObject
 if (preg_match('/^[\(]?PROV/i', $this->ref)) {
 // Now we rename also files into index
 $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref) + 1).")), filepath = 'expedition/receipt/".$this->db->escape($this->newref)."'";
- $sql .= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'expedition/receipt/".$this->db->escape($this->ref)."' and entity = ".$conf->entity;
+ $sql .= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'expedition/receipt/".$this->db->escape($this->ref)."' and entity = ".((int) $conf->entity);
 $resql = $this->db->query($sql);
 if (!$resql) {
 $error++; $this->error = $this->db->lasterror();
@@ -641,7 +641,7 @@ class Delivery extends CommonObject
 $error = 0;
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."deliverydet";
- $sql .= " WHERE fk_delivery = ".$this->id;
+ $sql .= " WHERE fk_delivery = ".((int) $this->id);
 if ($this->db->query($sql)) {
 // Delete linked object
 $res = $this->deleteObjectLinked();
@@ -761,7 +761,7 @@ class Delivery extends CommonObject
 $sql .= " FROM ".MAIN_DB_PREFIX."commandedet as cd, ".MAIN_DB_PREFIX."deliverydet as ld";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p on p.rowid = ld.fk_product";
 $sql .= " WHERE ld.fk_origin_line = cd.rowid";
- $sql .= " AND ld.fk_delivery = ".$this->id;
+ $sql .= " AND ld.fk_delivery = ".((int) $this->id);
 dol_syslog(get_class($this)."::fetch_lines", LOG_DEBUG);
 $resql = $this->db->query($sql);
@@ -958,8 +958,8 @@ class Delivery extends CommonObject
 $sql .= " WHERE ld.fk_delivery = l.rowid";
 $sql .= " AND ld.fk_origin_line = cd.rowid";
 $sql .= " AND cd.fk_".$this->linked_object[0]['type']." = c.rowid";
- $sql .= " AND cd.fk_".$this->linked_object[0]['type']." = ".$this->linked_object[0]['linkid'];
- $sql .= " AND ld.fk_origin_line = ".$objSourceLine->rowid;
+ $sql .= " AND cd.fk_".$this->linked_object[0]['type']." = ".((int) $this->linked_object[0]['linkid']);
+ $sql .= " AND ld.fk_origin_line = ".((int) $objSourceLine->rowid);
 $sql .= " GROUP BY ld.fk_origin_line";
 $result = $this->db->query($sql);
diff --git a/htdocs/eventorganization/eventorganizationindex.php b/htdocs/eventorganization/eventorganizationindex.php
index ebeaa11e659..d708883c249 100644
--- a/htdocs/eventorganization/eventorganizationindex.php
+++ b/htdocs/eventorganization/eventorganizationindex.php
@@ -83,7 +83,7 @@ if (! empty($conf->eventorganization->enabled) && $user->rights->eventorganizati
 $sql.= " WHERE c.fk_soc = s.rowid";
 $sql.= " AND c.fk_statut = 0";
 $sql.= " AND c.entity IN (".getEntity('commande').")";
- if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
+ if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .((int) $user->id);
 if ($socid) $sql.= " AND c.fk_soc = ".((int) $socid);
 $resql = $db->query($sql);
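Review bot: In the delivery.class.php hunk at line 958 the new line still splices `$this->linked_object[0]['type']` straight into a column name (`" AND cd.fk_".$this->linked_object[0]['type']." = "`) and only the value side, `linkid`, is cast; a cast cannot protect an identifier, so that fragment depends entirely on the stored link type being clean. The value appears to come from the object's own link records rather than from the request, so the exposure looks low, but since the file already uses `$this->db->sanitize()` for such fragments a one-line guard such as `$linktype = $this->db->sanitize($this->linked_object[0]['type']);` used in both `cd.fk_` concatenations (the context line above and the new line) would remove the assumption. The enclosing method starts and ends outside the hunk.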
@@ -158,7 +158,7 @@ if (! empty($conf->eventorganization->enabled) && $user->rights->eventorganizati
 $sql.= " FROM ".MAIN_DB_PREFIX."eventorganization_myobject as s";
 //if (! $user->rights->societe->client->voir && ! $socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc";
 $sql.= " WHERE s.entity IN (".getEntity($myobjectstatic->element).")";
- //if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
+ //if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .((int) $user->id);
 //if ($socid) $sql.= " AND s.rowid = $socid";
 $sql .= " ORDER BY s.tms DESC";
 $sql .= $db->plimit($max, 0);
diff --git a/htdocs/expedition/list.php b/htdocs/expedition/list.php
index 3661661d357..fd056a75056 100644
--- a/htdocs/expedition/list.php
+++ b/htdocs/expedition/list.php
@@ -326,7 +326,7 @@ if ($search_sale > 0) {
 }
 if ($search_user > 0) {
 // The contact on a shipment is also the contact of the order.
- $sql .= " AND ec.fk_c_type_contact = tc.rowid AND tc.element='commande' AND tc.source='internal' AND ec.element_id = eesource.fk_source AND ec.fk_socpeople = ".$db->escape($search_user);
+ $sql .= " AND ec.fk_c_type_contact = tc.rowid AND tc.element='commande' AND tc.source='internal' AND ec.element_id = eesource.fk_source AND ec.fk_socpeople = ".((int) $search_user);
 }
 if ($search_ref_exp) {
 $sql .= natural_search('e.ref', $search_ref_exp);
diff --git a/htdocs/expensereport/class/paymentexpensereport.class.php b/htdocs/expensereport/class/paymentexpensereport.class.php
index 6e3e8d34137..48adeab929d 100644
--- a/htdocs/expensereport/class/paymentexpensereport.class.php
+++ b/htdocs/expensereport/class/paymentexpensereport.class.php
@@ -359,7 +359,7 @@ class PaymentExpenseReport extends CommonObject if (!$error) { $sql = "DELETE FROM ".MAIN_DB_PREFIX."bank_url"; - $sql .= " WHERE type='payment_expensereport' AND url_id=".$this->id; + $sql .= " WHERE type='payment_expensereport' AND url_id=".((int) $this->id); dol_syslog(get_class($this)."::delete", LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/exports/class/export.class.php b/htdocs/exports/class/export.class.php index b8960572255..483935c7fdf 100644 --- a/htdocs/exports/class/export.class.php +++ b/htdocs/exports/class/export.class.php @@ -297,20 +297,23 @@ class Export * @param string $TypeField Type of Field to filter * @param string $NameField Name of the field to filter * @param string $ValueField Value of the field for filter. Must not be '' - * @return string sql string of then field ex : "field='xxx'>" + * @return string SQL string of then field ex : "field='xxx'" */ public function build_filterQuery($TypeField, $NameField, $ValueField) { // phpcs:enable + $NameField = checkVal($NameField, 'aZ09'); + $szFilterQuery = ''; + //print $TypeField." ".$NameField." ".$ValueField; $InfoFieldList = explode(":", $TypeField); // build the input field on depend of the type of file switch ($InfoFieldList[0]) { case 'Text': if (!(strpos($ValueField, '%') === false)) { - $szFilterQuery .= " ".$NameField." LIKE '".$ValueField."'"; + $szFilterQuery = " ".$NameField." LIKE '".$this->db->escape($ValueField)."'"; } else { - $szFilterQuery .= " ".$NameField." = '".$ValueField."'"; + $szFilterQuery = " ".$NameField." = '".$this->db->escape($ValueField)."'"; } break; case 'Date': 
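Review bot: In the export.class.php hunk, `$NameField = checkVal($NameField, 'aZ09');` silently drops every character outside that set, so if export field names arrive in the qualified `alias.column` form the dot is removed and the generated predicate no longer names a real column; the hunk does not show which form callers pass, so please confirm the sanitize mode against the actual keys, or replace the rewrite with a `preg_match('/^[a-z0-9_]+(\.[a-z0-9_]+)?$/i', $NameField)` check that rejects rather than mutates. A rejected name should fail loudly: if the caller treats the `''` initialised by `$szFilterQuery = '';` as "no filter", a bad name presumably turns into an unfiltered export, the opposite of the intent. The `LIKE` branch intentionally leaves `%` unescaped as the user's wildcard; a one-line comment such as `// '%' is the user's wildcard: escape quotes only, keep LIKE metacharacters` would stop a later reader from "fixing" it. The method continues past the end of the hunk.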
@@ -330,17 +333,17 @@ class Export case 'Duree': break; case 'Numeric': - // si le signe - + // if there is a signe + if (strpos($ValueField, "+") > 0) { // mode plage $ValueArray = explode("+", $ValueField); - $szFilterQuery = "(".$NameField.">=".$ValueArray[0]; - $szFilterQuery .= " AND ".$NameField."<=".$ValueArray[1].")"; + $szFilterQuery = "(".$NameField." >= ".((float) $ValueArray[0]); + $szFilterQuery .= " AND ".$NameField." <= ".((float) $ValueArray[1]).")"; } else { if (is_numeric(substr($ValueField, 0, 1))) { - $szFilterQuery = " ".$NameField."=".$ValueField; + $szFilterQuery = " ".$NameField." = ".((float) $ValueField); } else { - $szFilterQuery = " ".$NameField.substr($ValueField, 0, 1).substr($ValueField, 1); + $szFilterQuery = " ".$NameField.substr($ValueField, 0, 1).((float) substr($ValueField, 1)); } } break; @@ -350,12 +353,12 @@ class Export case 'Status': case 'List': if (is_numeric($ValueField)) { - $szFilterQuery = " ".$NameField."=".$ValueField; + $szFilterQuery = " ".$NameField." = ".((float) $ValueField); } else { if (!(strpos($ValueField, '%') === false)) { - $szFilterQuery = " ".$NameField." LIKE '".$ValueField."'"; + $szFilterQuery = " ".$NameField." LIKE '".$this->db->escape($ValueField)."'"; } else { - $szFilterQuery = " ".$NameField." = '".$ValueField."'"; + $szFilterQuery = " ".$NameField." = '".$this->db->escape($ValueField)."'"; } } break; diff --git a/htdocs/fourn/class/fournisseur.commande.class.php b/htdocs/fourn/class/fournisseur.commande.class.php index 4605510d539..94015875599 100644 --- a/htdocs/fourn/class/fournisseur.commande.class.php +++ b/htdocs/fourn/class/fournisseur.commande.class.php @@ -2236,7 +2236,7 @@ class CommandeFournisseur extends CommonOrder $sql .= " WHERE cfd.fk_commande = ".$this->id; $sql .= " AND cfd.fk_product = p.rowid"; if ($status >= 0) { - $sql .= " AND cfd.status = ".$status; + $sql .= " AND cfd.status = ".((int) $status); } $sql .= " ORDER BY cfd.rowid ASC"; 
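Review bot: In the @@ -330 hunk the comparison operator taken from `substr($ValueField, 0, 1)` is still written into the SQL unvalidated; only the operand received the `(float)` cast, so whatever single character the caller supplies ends up between the column name and the number. An allowlist closes that: `$op = substr($ValueField, 0, 1); if (!in_array($op, ['<', '>', '='], true)) { $op = '='; }` followed by `$szFilterQuery = " ".$NameField." ".$op." ".((float) substr($ValueField, 1));` (two-character operators such as `<=` already lost their second character under the old code, so that behaviour is unchanged). The `(float)` casts here, in @@ -350 and in the upgrade2.php hunks also rely on PHP's float-to-string conversion, which on PHP < 8.0 follows `LC_NUMERIC` and can emit `12,5` under a comma-decimal locale; if this codebase ever sets that locale, format the number explicitly. The method starts and ends outside this hunk.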
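Review bot: In the @@ -2236 hunk of fournisseur.commande.class.php only `$status` is cast, while the context line two above it, `$sql .= " WHERE cfd.fk_commande = ".$this->id;`, still interpolates the object id raw; for consistency with the rest of this commit it should read `$sql .= " WHERE cfd.fk_commande = ".((int) $this->id);`. The enclosing method starts and ends outside the hunk.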
@@ -2961,7 +2961,7 @@ class CommandeFournisseur extends CommonOrder $sql .= " WHERE sc.fk_user = ".((int) $user->id); $clause = "AND"; } - $sql .= " ".$clause." co.entity = ".$conf->entity; + $sql .= " ".$clause." co.entity IN (".getEntity('supplier_order').")"; $resql = $this->db->query($sql); if ($resql) { diff --git a/htdocs/fourn/commande/index.php b/htdocs/fourn/commande/index.php index 0717c0b74f4..866063382bb 100644 --- a/htdocs/fourn/commande/index.php +++ b/htdocs/fourn/commande/index.php @@ -287,7 +287,7 @@ if (!$user->rights->societe->client->voir && !$socid) { $sql .= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; } $sql .= " WHERE c.fk_soc = s.rowid"; -$sql .= " AND c.entity = ".$conf->entity; +$sql .= " AND c.entity IN (".getEntity('supplier_order').")"; //$sql.= " AND c.fk_statut > 2"; if (!empty($socid)) { $sql .= " AND c.fk_soc = ".((int) $socid); @@ -350,17 +350,17 @@ if ($resql) { /* * Orders to process -*/ + */ /* $sql = "SELECT c.rowid, c.ref, c.fk_statut, s.nom as name, s.rowid as socid"; $sql.=" FROM ".MAIN_DB_PREFIX."commande_fournisseur as c"; $sql.= ", ".MAIN_DB_PREFIX."societe as s"; if (!$user->rights->societe->client->voir && !$socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; $sql.= " WHERE c.fk_soc = s.rowid"; -$sql.= " AND c.entity = ".$conf->entity; +$sql.= " AND c.entity IN (".getEntity("supplier_order").")"; $sql.= " AND c.fk_statut = 1"; if ($socid) $sql.= " AND c.fk_soc = ".((int) $socid); -if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; +if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .((int) $user->id); $sql.= " ORDER BY c.rowid DESC"; $resql=$db->query($sql); diff --git a/htdocs/fourn/commande/list.php b/htdocs/fourn/commande/list.php index be47df4631d..5d16f779090 100644 --- a/htdocs/fourn/commande/list.php +++ b/htdocs/fourn/commande/list.php 
@@ -708,7 +708,7 @@ if ($search_sale > 0) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $search_sale);
 }
 if ($search_user > 0) {
- $sql .= " AND ec.fk_c_type_contact = tc.rowid AND tc.element='supplier_order' AND tc.source='internal' AND ec.element_id = cf.rowid AND ec.fk_socpeople = ".$db->escape($search_user);
+ $sql .= " AND ec.fk_c_type_contact = tc.rowid AND tc.element='supplier_order' AND tc.source='internal' AND ec.element_id = cf.rowid AND ec.fk_socpeople = ".((int) $search_user);
 }
 if ($search_total_ht != '') {
 $sql .= natural_search('cf.total_ht', $search_total_ht, 1);
diff --git a/htdocs/fourn/facture/list.php b/htdocs/fourn/facture/list.php
index f6052fceffe..d92cdd8ce05 100644
--- a/htdocs/fourn/facture/list.php
+++ b/htdocs/fourn/facture/list.php
@@ -594,7 +594,7 @@ if ($search_label) {
 $sql .= natural_search('f.libelle', $search_label);
 }
 if ($search_categ_sup > 0) {
- $sql .= " AND cs.fk_categorie = ".$db->escape($search_categ_sup);
+ $sql .= " AND cs.fk_categorie = ".((int) $search_categ_sup);
 }
 if ($search_categ_sup == -2) {
 $sql .= " AND cs.fk_categorie IS NULL";
@@ -606,14 +606,14 @@ if ($filter && $filter != -1) {
 $aFilter = explode(',', $filter);
 foreach ($aFilter as $fil) {
 $filt = explode(':', $fil);
- $sql .= ' AND '.$db->escape(trim($filt[0])).' = '.$db->escape(trim($filt[1]));
+ $sql .= ' AND '.$db->escape(trim($filt[0]))." = '".$db->escape(trim($filt[1]))."'";
 }
 }
 if ($search_sale > 0) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $search_sale);
 }
 if ($search_user > 0) {
- $sql .= " AND ec.fk_c_type_contact = tc.rowid AND tc.element='invoice_supplier' AND tc.source='internal' AND ec.element_id = f.rowid AND ec.fk_socpeople = ".$search_user;
+ $sql .= " AND ec.fk_c_type_contact = tc.rowid AND tc.element='invoice_supplier' AND tc.source='internal' AND ec.element_id = f.rowid AND ec.fk_socpeople = ".((int) $search_user);
 }
 // Add where from extra fields
 include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_search_sql.tpl.php';
diff --git a/htdocs/hrm/index.php b/htdocs/hrm/index.php
index ca02c1d776a..68bcd78636b 100644
--- a/htdocs/hrm/index.php
+++ b/htdocs/hrm/index.php
@@ -189,7 +189,7 @@ if (!empty($conf->holiday->enabled) && $user->rights->holiday->read) {
 if (empty($user->rights->holiday->readall)) {
 $sql .= ' AND x.fk_user IN ('.$db->sanitize(join(',', $childids)).')';
 }
- //if (!$user->rights->societe->client->voir && !$user->socid) $sql.= " AND x.fk_soc = s. rowid AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
+ //if (!$user->rights->societe->client->voir && !$user->socid) $sql.= " AND x.fk_soc = s. rowid AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 //if (!empty($socid)) $sql.= " AND x.fk_soc = ".((int) $socid);
 $sql .= $db->order("x.tms", "DESC");
 $sql .= $db->plimit($max, 0);
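Review bot: The rewritten line in the @@ -606 hunk quotes the filter value, but the left-hand side `$db->escape(trim($filt[0]))` is still used as a column identifier, and quote-escaping does nothing for an unquoted identifier position (spaces, parentheses and operators pass through unchanged). Restrict it to identifier characters instead, e.g. `$sql .= ' AND '.$db->sanitize(trim($filt[0]))." = '".$db->escape(trim($filt[1]))."'";`, provided `sanitize()` admits the dotted `alias.column` form if filters use it (otherwise a `preg_match('/^[a-z0-9_.]+$/i', ...)` guard that skips the pair). `$filt[1]` is also read without checking that the pair contained a `:`, which raises a notice and produces `= ''` for a malformed entry; `if (count($filt) < 2) { continue; }` before the append would skip it. Where `$filter` comes from is outside the hunk, so the actual exposure depends on whether it is request-controlled.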
@@ -270,7 +270,7 @@ if (!empty($conf->expensereport->enabled) && $user->rights->expensereport->lire)
 if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous)) {
 $sql .= ' AND x.fk_user_author IN ('.$db->sanitize(join(',', $childids)).')';
 }
- //if (!$user->rights->societe->client->voir && !$user->socid) $sql.= " AND x.fk_soc = s. rowid AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
+ //if (!$user->rights->societe->client->voir && !$user->socid) $sql.= " AND x.fk_soc = s. rowid AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 //if (!empty($socid)) $sql.= " AND x.fk_soc = ".((int) $socid);
 $sql .= $db->order("x.tms", "DESC");
 $sql .= $db->plimit($max, 0);
diff --git a/htdocs/install/repair.php b/htdocs/install/repair.php
index ed4fb8dab13..5cfe9f66846 100644
--- a/htdocs/install/repair.php
+++ b/htdocs/install/repair.php
@@ -366,20 +366,20 @@ if ($ok && GETPOST('standard', 'alpha')) { $sql2 = "SELECT COUNT(*) as nb"; $sql2 .= " FROM ".MAIN_DB_PREFIX."const as c"; $sql2 .= " WHERE name = 'MAIN_MODULE_".$name."'"; - $sql2 .= " AND entity = ".$obj->entity; + $sql2 .= " AND entity = ".((int) $obj->entity); $resql2 = $db->query($sql2); if ($resql2) { $obj2 = $db->fetch_object($resql2); if ($obj2 && $obj2->nb == 0) { // Module not found, so we can remove entry - $sqldelete = "DELETE FROM ".MAIN_DB_PREFIX."const WHERE name = '".$db->escape($obj->name)."' AND entity = ".$obj->entity; + $sqldelete = "DELETE FROM ".MAIN_DB_PREFIX."const WHERE name = '".$db->escape($obj->name)."' AND entity = ".((int) $obj->entity); if (GETPOST('standard', 'alpha') == 'confirmed') { $db->query($sqldelete); - print 'Widget '.$obj->name.' set in entity '.$obj->entity.' with value '.$obj->value.' -> Module '.$name.' not enabled in entity '.$obj->entity.', we delete record'; + print 'Widget '.$obj->name.' set in entity '.$obj->entity.' with value '.$obj->value.' -> Module '.$name.' not enabled in entity '.((int) $obj->entity).', we delete record'; } else { - print 'Widget '.$obj->name.' set in entity '.$obj->entity.' with value '.$obj->value.' -> Module '.$name.' not enabled in entity '.$obj->entity.', we should delete record (not done, mode test)'; + print 'Widget '.$obj->name.' set in entity '.$obj->entity.' with value '.$obj->value.' -> Module '.$name.' not enabled in entity '.((int) $obj->entity).', we should delete record (not done, mode test)'; } } else { //print 'Constant '.$obj->name.' set in entity '.$obj->entity.' with value '.$obj->value.' -> Module found in entity '.$obj->entity.', we keep record'; 
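Review bot: In the @@ -366 hunk `$name` is still concatenated raw into `" WHERE name = 'MAIN_MODULE_".$name."'"` one line above the newly cast `entity`, and the @@ -424 hunk does the same with `strtoupper($module)`; both should go through `$db->escape()` like the `$obj->name` and `$obj->file` values in the same statements, e.g. `$sql2 .= " WHERE name = 'MAIN_MODULE_".$db->escape($name)."'";`. The `print` lines cast the second `$obj->entity` but not the first, which changes nothing in PHP string context but reads as if the two values differed; either cast both or neither. Those lines also emit `$obj->name`, `$obj->value` and `$obj->file`, all read back from the database, straight into the page; wrapping them in `dol_escape_htmltag()` keeps stored data from being rendered as markup. Where `$name` and `$module` are assigned is outside both hunks.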
@@ -424,23 +424,23 @@ if ($ok && GETPOST('standard', 'alpha')) { $sql2 = "SELECT COUNT(*) as nb"; $sql2 .= " FROM ".MAIN_DB_PREFIX."const as c"; $sql2 .= " WHERE name = 'MAIN_MODULE_".strtoupper($module)."'"; - $sql2 .= " AND entity = ".$obj->entity; + $sql2 .= " AND entity = ".((int) $obj->entity); $sql2 .= " AND value <> 0"; $resql2 = $db->query($sql2); if ($resql2) { $obj2 = $db->fetch_object($resql2); if ($obj2 && $obj2->nb == 0) { // Module not found, so we canremove entry - $sqldeletea = "DELETE FROM ".MAIN_DB_PREFIX."boxes WHERE entity = ".$obj->entity." AND box_id IN (SELECT rowid FROM ".MAIN_DB_PREFIX."boxes_def WHERE file = '".$db->escape($obj->file)."' AND entity = ".$obj->entity.")"; - $sqldeleteb = "DELETE FROM ".MAIN_DB_PREFIX."boxes_def WHERE file = '".$db->escape($obj->file)."' AND entity = ".$obj->entity; + $sqldeletea = "DELETE FROM ".MAIN_DB_PREFIX."boxes WHERE entity = ".((int) $obj->entity)." AND box_id IN (SELECT rowid FROM ".MAIN_DB_PREFIX."boxes_def WHERE file = '".$db->escape($obj->file)."' AND entity = ".((int) $obj->entity).")"; + $sqldeleteb = "DELETE FROM ".MAIN_DB_PREFIX."boxes_def WHERE file = '".$db->escape($obj->file)."' AND entity = ".((int) $obj->entity); if (GETPOST('standard', 'alpha') == 'confirmed') { $db->query($sqldeletea); $db->query($sqldeleteb); - print 'Constant '.$obj->file.' set in boxes_def for entity '.$obj->entity.' but MAIN_MODULE_'.strtoupper($module).' not defined in entity '.$obj->entity.', we delete record'; + print 'Constant '.$obj->file.' set in boxes_def for entity '.$obj->entity.' but MAIN_MODULE_'.strtoupper($module).' not defined in entity '.((int) $obj->entity).', we delete record'; } else { - print 'Constant '.$obj->file.' set in boxes_def for entity '.$obj->entity.' but MAIN_MODULE_'.strtoupper($module).' not defined in entity '.$obj->entity.', we should delete record (not done, mode test)'; + print 'Constant '.$obj->file.' set in boxes_def for entity '.$obj->entity.' 
but MAIN_MODULE_'.strtoupper($module).' not defined in entity '.((int) $obj->entity).', we should delete record (not done, mode test)'; } } else { //print 'Constant '.$obj->name.' set in entity '.$obj->entity.' with value '.$obj->value.' -> Module found in entity '.$obj->entity.', we keep record'; diff --git a/htdocs/install/upgrade2.php b/htdocs/install/upgrade2.php index 6b0b9c69134..83be835b64a 100644 --- a/htdocs/install/upgrade2.php +++ b/htdocs/install/upgrade2.php @@ -790,7 +790,7 @@ function migrate_paiements_orphelins_1($db, $langs, $conf) // On cherche facture sans lien paiement et du meme montant et pour meme societe. $sql = " SELECT distinct f.rowid from ".MAIN_DB_PREFIX."facture as f"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."paiement_facture as pf ON f.rowid = pf.fk_facture"; - $sql .= " WHERE f.fk_statut in (2,3) AND fk_soc = ".((int) $row[$i]['socid'])." AND total_ttc = ".$row[$i]['pamount']; + $sql .= " WHERE f.fk_statut in (2,3) AND fk_soc = ".((int) $row[$i]['socid'])." AND total_ttc = ".((float) $row[$i]['pamount']); $sql .= " AND pf.fk_facture IS NULL"; $sql .= " ORDER BY f.fk_statut"; //print $sql.'
'; @@ -803,7 +803,7 @@ function migrate_paiements_orphelins_1($db, $langs, $conf) $facid = $obj->rowid; $sql = "INSERT INTO ".MAIN_DB_PREFIX."paiement_facture (fk_facture, fk_paiement, amount)"; - $sql .= " VALUES (".$facid.",".$row[$i]['paymentid'].",".$row[$i]['pamount'].")"; + $sql .= " VALUES (".((int) $facid).",".((int) $row[$i]['paymentid']).",".$row[$i]['pamount'].")"; $res += $db->query($sql); @@ -895,13 +895,13 @@ function migrate_paiements_orphelins_2($db, $langs, $conf) $res = 0; for ($i = 0; $i < $num; $i++) { if ($conf->global->MAIN_FEATURES_LEVEL == 2) { - print '* '.$row[$i]['datec'].' paymentid='.$row[$i]['paymentid'].' '.$row[$i]['pamount'].' fk_bank='.$row[$i]['fk_bank'].' '.$row[$i]['bamount'].' socid='.$row[$i]['socid'].'
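Review bot: In the @@ -803 hunk the INSERT still interpolates `$row[$i]['pamount']` without a cast (`" VALUES (".((int) $facid).",".((int) $row[$i]['paymentid']).",".$row[$i]['pamount'].")"`), while the SELECT a few lines earlier compares the same value as `((float) $row[$i]['pamount'])`; the @@ -914 hunk has the identical asymmetry. Casting it the same way, `.((float) $row[$i]['pamount']).")"`, keeps lookup and insert consistent. Note that on PHP < 8.0 float-to-string conversion honours `LC_NUMERIC`, so if this migration can run under a comma-decimal locale the cast yields `12,5` and breaks the statement; formatting with the column's scale, e.g. `number_format($amount, 2, '.', '')`, is locale-proof if that matters here. Both hunks sit inside migration functions whose bodies extend beyond the hunks.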
'; + print '* '.$row[$i]['datec'].' paymentid='.$row[$i]['paymentid'].' pamount='.$row[$i]['pamount'].' fk_bank='.$row[$i]['fk_bank'].' '.$row[$i]['bamount'].' socid='.$row[$i]['socid'].'
'; } // On cherche facture sans lien paiement et du meme montant et pour meme societe. $sql = " SELECT distinct f.rowid from ".MAIN_DB_PREFIX."facture as f"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."paiement_facture as pf ON f.rowid = pf.fk_facture"; - $sql .= " WHERE f.fk_statut in (2,3) AND fk_soc = ".((int) $row[$i]['socid'])." AND total_ttc = ".$row[$i]['pamount']; + $sql .= " WHERE f.fk_statut in (2,3) AND fk_soc = ".((int) $row[$i]['socid'])." AND total_ttc = ".((float) $row[$i]['pamount']); $sql .= " AND pf.fk_facture IS NULL"; $sql .= " ORDER BY f.fk_statut"; //print $sql.'
'; @@ -914,7 +914,8 @@ function migrate_paiements_orphelins_2($db, $langs, $conf) $facid = $obj->rowid; $sql = "INSERT INTO ".MAIN_DB_PREFIX."paiement_facture (fk_facture, fk_paiement, amount)"; - $sql .= " VALUES (".$facid.",".$row[$i]['paymentid'].",".$row[$i]['pamount'].")"; + $sql .= " VALUES (".((int) $facid).",".((int) $row[$i]['paymentid']).",".$row[$i]['pamount'].")"; + $res += $db->query($sql); print $langs->trans('MigrationProcessPaymentUpdate', 'facid='.$facid.'-paymentid='.$row[$i]['paymentid'].'-amount='.$row[$i]['pamount'])."
\n"; diff --git a/htdocs/knowledgemanagement/knowledgemanagementindex.php b/htdocs/knowledgemanagement/knowledgemanagementindex.php index adb7052316f..d9b1f07e6e0 100644 --- a/htdocs/knowledgemanagement/knowledgemanagementindex.php +++ b/htdocs/knowledgemanagement/knowledgemanagementindex.php @@ -84,7 +84,7 @@ if (! empty($conf->knowledgemanagement->enabled) && $user->rights->knowledgemana $sql.= " WHERE c.fk_soc = s.rowid"; $sql.= " AND c.fk_statut = 0"; $sql.= " AND c.entity IN (".getEntity('commande').")"; - if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; + if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id); if ($socid) $sql.= " AND c.fk_soc = ".((int) $socid); $resql = $db->query($sql); @@ -158,7 +158,7 @@ if (! empty($conf->knowledgemanagement->enabled) && $user->rights->knowledgemana $sql.= " FROM ".MAIN_DB_PREFIX."knowledgemanagement_myobject as s"; //if (! $user->rights->societe->client->voir && ! $socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; $sql.= " WHERE s.entity IN (".getEntity($myobjectstatic->element).")"; - //if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; + //if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id); //if ($socid) $sql.= " AND s.rowid = $socid"; $sql .= " ORDER BY s.tms DESC"; $sql .= $db->plimit($max, 0); diff --git a/htdocs/loan/class/paymentloan.class.php b/htdocs/loan/class/paymentloan.class.php index fd4dbf42081..8139e25c87c 100644 --- a/htdocs/loan/class/paymentloan.class.php +++ b/htdocs/loan/class/paymentloan.class.php 
@@ -389,7 +389,7 @@ class PaymentLoan extends CommonObject if (!$error) { $sql = "DELETE FROM ".MAIN_DB_PREFIX."bank_url"; - $sql .= " WHERE type='payment_loan' AND url_id=".$this->id; + $sql .= " WHERE type='payment_loan' AND url_id=".((int) $this->id); dol_syslog(get_class($this)."::delete", LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/modulebuilder/template/mymoduleindex.php b/htdocs/modulebuilder/template/mymoduleindex.php index 990a6d91bfa..c0c98d88e8f 100644 --- a/htdocs/modulebuilder/template/mymoduleindex.php +++ b/htdocs/modulebuilder/template/mymoduleindex.php @@ -112,7 +112,7 @@ if (! empty($conf->mymodule->enabled) && $user->rights->mymodule->read) $sql.= " WHERE c.fk_soc = s.rowid"; $sql.= " AND c.fk_statut = 0"; $sql.= " AND c.entity IN (".getEntity('commande').")"; - if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; + if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id); if ($socid) $sql.= " AND c.fk_soc = ".((int) $socid); $resql = $db->query($sql); @@ -187,7 +187,7 @@ if (! empty($conf->mymodule->enabled) && $user->rights->mymodule->read) $sql.= " FROM ".MAIN_DB_PREFIX."mymodule_myobject as s"; //if (! $user->rights->societe->client->voir && ! $socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; $sql.= " WHERE s.entity IN (".getEntity($myobjectstatic->element).")"; - //if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; + //if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id); //if ($socid) $sql.= " AND s.rowid = $socid"; $sql .= " ORDER BY s.tms DESC"; $sql .= $db->plimit($max, 0); diff --git a/htdocs/partnership/partnershipindex.php b/htdocs/partnership/partnershipindex.php index 264134c67d9..f1a9f8c507b 100644 
--- a/htdocs/partnership/partnershipindex.php +++ b/htdocs/partnership/partnershipindex.php @@ -83,7 +83,7 @@ if (! empty($conf->partnership->enabled) && $user->rights->partnership->read) { $sql.= " WHERE c.fk_soc = s.rowid"; $sql.= " AND c.fk_statut = 0"; $sql.= " AND c.entity IN (".getEntity('commande').")"; - if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; + if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id); if ($socid) $sql.= " AND c.fk_soc = ".((int) $socid); $resql = $db->query($sql); @@ -146,7 +146,7 @@ if (! empty($conf->partnership->enabled) && $user->rights->partnership->read) { $sql.= " FROM ".MAIN_DB_PREFIX."partnership_myobject as s"; //if (! $user->rights->societe->client->voir && ! $socid) $sql.= ", ".MAIN_DB_PREFIX."societe_commerciaux as sc"; $sql.= " WHERE s.entity IN (".getEntity($myobjectstatic->element).")"; - //if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id; + //if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id); //if ($socid) $sql.= " AND s.rowid = $socid"; $sql .= " ORDER BY s.tms DESC"; $sql .= $db->plimit($max, 0); diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php index ae925e8824b..bb80dcba862 100644 --- a/htdocs/product/class/product.class.php +++ b/htdocs/product/class/product.class.php 
@@ -763,7 +763,7 @@ class Product extends CommonObject // update accountancy for this entity if (!$error && !empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED)) { - $this->db->query("DELETE FROM " . MAIN_DB_PREFIX . "product_perentity WHERE fk_product = " . $this->id . " AND entity = " . $conf->entity); + $this->db->query("DELETE FROM " . MAIN_DB_PREFIX . "product_perentity WHERE fk_product = " .((int) $this->id) . " AND entity = " . ((int) $conf->entity)); $sql = "INSERT INTO " . MAIN_DB_PREFIX . "product_perentity ("; $sql .= " fk_product"; @@ -1044,7 +1044,7 @@ class Product extends CommonObject foreach ($ObjW->detail_batch as $detail) { // Each lines of detail in product_batch of the current $ObjW = product_stock if ($detail->batch == $valueforundefinedlot || $detail->batch == 'Undefined') { // We discard this line, we will create it later - $sqlclean = "DELETE FROM ".MAIN_DB_PREFIX."product_batch WHERE batch in('Undefined', '".$this->db->escape($valueforundefinedlot)."') AND fk_product_stock = ".$ObjW->id; + $sqlclean = "DELETE FROM ".MAIN_DB_PREFIX."product_batch WHERE batch in('Undefined', '".$this->db->escape($valueforundefinedlot)."') AND fk_product_stock = ".((int) $ObjW->id); $result = $this->db->query($sqlclean); if (!$result) { dol_print_error($this->db); @@ -1163,7 +1163,7 @@ class Product extends CommonObject // update accountancy for this entity if (!$error && !empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED)) { - $this->db->query("DELETE FROM " . MAIN_DB_PREFIX . "product_perentity WHERE fk_product = " . $this->id . " AND entity = " . $conf->entity); + $this->db->query("DELETE FROM " . MAIN_DB_PREFIX . "product_perentity WHERE fk_product = " . ((int) $this->id) . " AND entity = " . ((int) $conf->entity)); $sql = "INSERT INTO " . MAIN_DB_PREFIX . "product_perentity ("; $sql .= " fk_product"; 
@@ -1311,7 +1311,7 @@ class Product extends CommonObject $sql = "DELETE FROM ".MAIN_DB_PREFIX.'product_batch'; $sql .= " WHERE fk_product_stock IN ("; $sql .= "SELECT rowid FROM ".MAIN_DB_PREFIX.'product_stock'; - $sql .= " WHERE fk_product = ".(int) $this->id.")"; + $sql .= " WHERE fk_product = ".((int) $this->id).")"; $result = $this->db->query($sql); if (!$result) { @@ -2544,7 +2544,7 @@ class Product extends CommonObject $sql .= " FROM ".MAIN_DB_PREFIX."product_price"; $sql .= " WHERE entity IN (".getEntity('productprice').")"; $sql .= " AND price_level=".((int) $i); - $sql .= " AND fk_product = ".$this->id; + $sql .= " AND fk_product = ".((int) $this->id); $sql .= " ORDER BY date_price DESC, rowid DESC"; $sql .= " LIMIT 1"; $resql = $this->db->query($sql); @@ -2652,7 +2652,7 @@ class Product extends CommonObject $sql .= " WHERE "; $sql .= " c.entity IN (".getEntity('mo').")"; - $sql .= " AND mp.fk_product =".$this->id; + $sql .= " AND mp.fk_product = ".((int) $this->id); $sql .= " AND mp.role ='".$this->db->escape($role)."'"; if ($socid > 0) { $sql .= " AND c.fk_soc = ".((int) $socid); @@ -2775,7 +2775,7 @@ class Product extends CommonObject $sql .= " WHERE p.rowid = pd.fk_propal"; $sql .= " AND p.fk_soc = s.rowid"; $sql .= " AND p.entity IN (".getEntity('propal').")"; - $sql .= " AND pd.fk_product = ".$this->id; + $sql .= " AND pd.fk_product = ".((int) $this->id); if (empty($user->rights->societe->client->voir) && !$socid) { $sql .= " AND p.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id); } @@ -2850,7 +2850,7 @@ class Product extends CommonObject $sql .= " WHERE p.rowid = pd.fk_supplier_proposal"; $sql .= " AND p.fk_soc = s.rowid"; $sql .= " AND p.entity IN (".getEntity('supplier_proposal').")"; - $sql .= " AND pd.fk_product = ".$this->id; + $sql .= " AND pd.fk_product = ".((int) $this->id); if (empty($user->rights->societe->client->voir) && !$socid) { $sql .= " AND p.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id); } 
@@ -2906,7 +2906,7 @@ class Product extends CommonObject
 $sql .= " WHERE c.rowid = cd.fk_commande";
 $sql .= " AND c.fk_soc = s.rowid";
 $sql .= " AND c.entity IN (".getEntity($forVirtualStock && !empty($conf->global->STOCK_CALCULATE_VIRTUAL_STOCK_TRANSVERSE_MODE) ? 'stock' : 'commande').")";
- $sql .= " AND cd.fk_product = ".$this->id;
+ $sql .= " AND cd.fk_product = ".((int) $this->id);
 if (empty($user->rights->societe->client->voir) && !$socid && !$forVirtualStock) {
 $sql .= " AND c.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 }
@@ -3008,7 +3008,7 @@ class Product extends CommonObject
 $sql .= " WHERE c.rowid = cd.fk_commande";
 $sql .= " AND c.fk_soc = s.rowid";
 $sql .= " AND c.entity IN (".getEntity($forVirtualStock && !empty($conf->global->STOCK_CALCULATE_VIRTUAL_STOCK_TRANSVERSE_MODE) ? 'stock' : 'supplier_order').")";
- $sql .= " AND cd.fk_product = ".$this->id;
+ $sql .= " AND cd.fk_product = ".((int) $this->id);
 if (empty($user->rights->societe->client->voir) && !$socid && !$forVirtualStock) {
 $sql .= " AND c.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 }
@@ -3070,7 +3070,7 @@ class Product extends CommonObject
 $sql .= " AND e.fk_soc = s.rowid";
 $sql .= " AND e.entity IN (".getEntity($forVirtualStock && !empty($conf->global->STOCK_CALCULATE_VIRTUAL_STOCK_TRANSVERSE_MODE) ? 'stock' : 'expedition').")";
 $sql .= " AND ed.fk_origin_line = cd.rowid";
- $sql .= " AND cd.fk_product = ".$this->id;
+ $sql .= " AND cd.fk_product = ".((int) $this->id);
 if (empty($user->rights->societe->client->voir) && !$socid && !$forVirtualStock) {
 $sql .= " AND e.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 }
@@ -3151,7 +3151,7 @@ class Product extends CommonObject
 $sql .= " WHERE cf.rowid = fd.fk_commande";
 $sql .= " AND cf.fk_soc = s.rowid";
 $sql .= " AND cf.entity IN (".getEntity($forVirtualStock && !empty($conf->global->STOCK_CALCULATE_VIRTUAL_STOCK_TRANSVERSE_MODE) ? 'stock' : 'supplier_order').")";
- $sql .= " AND fd.fk_product = ".$this->id;
+ $sql .= " AND fd.fk_product = ".((int) $this->id);
 if (empty($user->rights->societe->client->voir) && !$socid && !$forVirtualStock) {
 $sql .= " AND cf.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 }
@@ -3207,7 +3207,7 @@ class Product extends CommonObject
 }
 $sql .= " WHERE m.rowid = mp.fk_mo";
 $sql .= " AND m.entity IN (".getEntity($forVirtualStock && !empty($conf->global->STOCK_CALCULATE_VIRTUAL_STOCK_TRANSVERSE_MODE) ? 'stock' : 'mrp').")";
- $sql .= " AND mp.fk_product = ".$this->id;
+ $sql .= " AND mp.fk_product = ".((int) $this->id);
 if (empty($user->rights->societe->client->voir) && !$socid && !$forVirtualStock) {
 $sql .= " AND m.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 }
@@ -3301,7 +3301,7 @@ class Product extends CommonObject
 $sql .= " WHERE c.rowid = cd.fk_contrat";
 $sql .= " AND c.fk_soc = s.rowid";
 $sql .= " AND c.entity IN (".getEntity('contract').")";
- $sql .= " AND cd.fk_product = ".$this->id;
+ $sql .= " AND cd.fk_product = ".((int) $this->id);
 if (empty($user->rights->societe->client->voir) && !$socid) {
 $sql .= " AND c.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 }
@@ -3375,7 +3375,7 @@ class Product extends CommonObject
 $sql .= " WHERE f.rowid = fd.fk_facture";
 $sql .= " AND f.fk_soc = s.rowid";
 $sql .= " AND f.entity IN (".getEntity('invoice').")";
- $sql .= " AND fd.fk_product = ".$this->id;
+ $sql .= " AND fd.fk_product = ".((int) $this->id);
 if (empty($user->rights->societe->client->voir) && !$socid) {
 $sql .= " AND f.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 }
@@ -3449,7 +3449,7 @@ class Product extends CommonObject
 $sql .= " WHERE f.rowid = fd.fk_facture_fourn";
 $sql .= " AND f.fk_soc = s.rowid";
 $sql .= " AND f.entity IN (".getEntity('facture_fourn').")";
- $sql .= " AND fd.fk_product = ".$this->id;
+ $sql .= " AND fd.fk_product = ".((int) $this->id);
 if (empty($user->rights->societe->client->voir) && !$socid) {
 $sql .= " AND f.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 }
@@ -3580,7 +3580,7 @@ class Product extends CommonObject
 }
 $sql .= " WHERE f.rowid = d.fk_facture";
 if ($this->id > 0) {
- $sql .= " AND d.fk_product =".$this->id;
+ $sql .= " AND d.fk_product = ".((int) $this->id);
 } else {
 $sql .= " AND d.fk_product > 0";
 }
@@ -3633,7 +3633,7 @@ class Product extends CommonObject
 }
 $sql .= " WHERE f.rowid = d.fk_facture_fourn";
 if ($this->id > 0) {
- $sql .= " AND d.fk_product =".$this->id;
+ $sql .= " AND d.fk_product = ".((int) $this->id);
 } else {
 $sql .= " AND d.fk_product > 0";
 }
@@ -3684,7 +3684,7 @@ class Product extends CommonObject
 }
 $sql .= " WHERE p.rowid = d.fk_propal";
 if ($this->id > 0) {
- $sql .= " AND d.fk_product =".$this->id;
+ $sql .= " AND d.fk_product = ".((int) $this->id);
 } else {
 $sql .= " AND d.fk_product > 0";
 }
@@ -3736,7 +3736,7 @@ class Product extends CommonObject
 }
 $sql .= " WHERE p.rowid = d.fk_supplier_proposal";
 if ($this->id > 0) {
- $sql .= " AND d.fk_product =".$this->id;
+ $sql .= " AND d.fk_product = ".((int) $this->id);
 } else {
 $sql .= " AND d.fk_product > 0";
 }
@@ -3787,7 +3787,7 @@ class Product extends CommonObject
 }
 $sql .= " WHERE c.rowid = d.fk_commande";
 if ($this->id > 0) {
- $sql .= " AND d.fk_product =".$this->id;
+ $sql .= " AND d.fk_product = ".((int) $this->id);
 } else {
 $sql .= " AND d.fk_product > 0";
 }
@@ -3838,7 +3838,7 @@ class Product extends CommonObject
 }
 $sql .= " WHERE c.rowid = d.fk_commande";
 if ($this->id > 0) {
- $sql .= " AND d.fk_product =".$this->id;
+ $sql .= " AND d.fk_product = ".((int) $this->id);
 } else {
 $sql .= " AND d.fk_product > 0";
 }
@@ -3892,7 +3892,7 @@ class Product extends CommonObject
 $sql .= " AND c.rowid = d.fk_contrat";
 if ($this->id > 0) {
- $sql .= " AND d.fk_product =".$this->id;
+ $sql .= " AND d.fk_product = ".((int) $this->id);
 } else {
 $sql .= " AND d.fk_product > 0";
 }
@@ -3946,7 +3946,7 @@ class Product extends CommonObject
 $sql .= " AND d.status > 0";
 if ($this->id > 0) {
- $sql .= " AND d.fk_product =".$this->id;
+ $sql .= " AND d.fk_product = ".((int) $this->id);
 } else {
 $sql .= " AND d.fk_product > 0";
 }
@@ -4246,8 +4246,8 @@ class Product extends CommonObject
 $sql = "SELECT DISTINCT p.fk_soc";
 $sql .= " FROM ".MAIN_DB_PREFIX."product_fournisseur_price as p";
- $sql .= " WHERE p.fk_product = ".$this->id;
- $sql .= " AND p.entity = ".$conf->entity;
+ $sql .= " WHERE p.fk_product = ".((int) $this->id);
+ $sql .= " AND p.entity = ".((int) $conf->entity);
 $result = $this->db->query($sql);
 if ($result) {
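Review bot: In the product_fournisseur_price hunk (@@ -4246) the entity filter is kept as `$sql .= " AND p.entity = ".((int) $conf->entity);`, i.e. current entity only, while every other entity filter on this page and the ticket-box hunks this same commit rewrites use the `IN (".getEntity('...').")` form. The cast closes the interpolation issue, but if supplier prices are meant to follow the multi-company sharing rules this query will keep excluding shared rows; presumably `getEntity('product')`, as the productbatch hunk below uses, is the intended filter, which is worth confirming rather than assuming. The enclosing method starts and ends outside the hunk.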
@@ -4530,11 +4530,11 @@ class Product extends CommonObject
 $sql = "SELECT COUNT(pa.rowid) as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX."product_association as pa";
 if ($mode == 0) {
- $sql .= " WHERE pa.fk_product_fils = ".$this->id." OR pa.fk_product_pere = ".$this->id;
+ $sql .= " WHERE pa.fk_product_fils = ".((int) $this->id)." OR pa.fk_product_pere = ".((int) $this->id);
 } elseif ($mode == -1) {
- $sql .= " WHERE pa.fk_product_fils = ".$this->id; // We are a child, so we found lines that link to parents (can have several parents)
+ $sql .= " WHERE pa.fk_product_fils = ".((int) $this->id); // We are a child, so we found lines that link to parents (can have several parents)
 } elseif ($mode == 1) {
- $sql .= " WHERE pa.fk_product_pere = ".$this->id; // We are a parent, so we found lines that link to children (can have several children)
+ $sql .= " WHERE pa.fk_product_pere = ".((int) $this->id); // We are a parent, so we found lines that link to children (can have several children)
 }
 $resql = $this->db->query($sql);
@@ -4613,7 +4613,7 @@ class Product extends CommonObject
 $sql .= " FROM ".MAIN_DB_PREFIX."product_association as pa,";
 $sql .= " ".MAIN_DB_PREFIX."product as p";
 $sql .= " WHERE p.rowid = pa.fk_product_pere";
- $sql .= " AND pa.fk_product_fils = ".$this->id;
+ $sql .= " AND pa.fk_product_fils = ".((int) $this->id);
 $res = $this->db->query($sql);
 if ($res) {
@@ -5189,7 +5189,7 @@ class Product extends CommonObject
 $sql .= ", ".MAIN_DB_PREFIX."entrepot as w";
 $sql .= " WHERE w.entity IN (".getEntity('stock').")";
 $sql .= " AND w.rowid = ps.fk_entrepot";
- $sql .= " AND ps.fk_product = ".$this->id;
+ $sql .= " AND ps.fk_product = ".((int) $this->id);
 if (count($warehouseStatus)) {
 $sql .= " AND w.statut IN (".$this->db->sanitize(implode(',', $warehouseStatus)).")";
 }
@@ -5350,7 +5350,7 @@ class Product extends CommonObject
 $result = array();
 $sql = "SELECT pb.batch, pb.eatby, pb.sellby, SUM(pb.qty) AS qty FROM ".MAIN_DB_PREFIX."product_batch as pb, ".MAIN_DB_PREFIX."product_stock as ps";
- $sql .= " WHERE pb.fk_product_stock = ps.rowid AND ps.fk_product = ".$this->id." AND pb.batch = '".$this->db->escape($batch)."'";
+ $sql .= " WHERE pb.fk_product_stock = ps.rowid AND ps.fk_product = ".((int) $this->id)." AND pb.batch = '".$this->db->escape($batch)."'";
 $sql .= " GROUP BY pb.batch, pb.eatby, pb.sellby";
 dol_syslog(get_class($this)."::loadBatchInfo load first entry found for lot/serial = ".$batch, LOG_DEBUG);
 $resql = $this->db->query($sql);
diff --git a/htdocs/product/class/productbatch.class.php b/htdocs/product/class/productbatch.class.php
index 4408afd9ff1..f7f604b5399 100644
--- a/htdocs/product/class/productbatch.class.php
+++ b/htdocs/product/class/productbatch.class.php
@@ -530,12 +530,12 @@ class Productbatch extends CommonObject
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_batch AS pb ON pl.batch = pb.batch";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock AS ps ON ps.rowid = pb.fk_product_stock";
 $sql .= " WHERE p.entity IN (".getEntity('product').")";
- $sql .= " AND pl.fk_product = ".$fk_product;
+ $sql .= " AND pl.fk_product = ".((int) $fk_product);
 if ($fk_warehouse > 0) {
- $sql .= " AND ps.fk_entrepot = ".$fk_warehouse;
+ $sql .= " AND ps.fk_entrepot = ".((int) $fk_warehouse);
 }
 if ($qty_min !== null) {
- $sql .= " AND pb.qty > ".$qty_min;
+ $sql .= " AND pb.qty > ".((float) price2num($qty_min, 'MS'));
 }
 $sql .= $db->order($sortfield, $sortorder);
diff --git a/htdocs/product/price.php b/htdocs/product/price.php
index 03867bb65e9..13f946df9a4 100644
--- a/htdocs/product/price.php
+++ b/htdocs/product/price.php
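Review bot: `((float) price2num($qty_min, 'MS'))` is a float concatenated straight into the SQL string, and float-to-string conversion in PHP before 8.0 honours the process locale, so under a comma-decimal locale the predicate is rendered as `pb.qty > 1,5`, which is either a syntax error or a different comparison. The three price.php hunks that follow (`(float) $tva_tx`) have the same exposure. A locale-independent rendering avoids it, e.g. `$sql .= " AND pb.qty > ".sprintf('%F', (float) price2num($qty_min, 'MS'));`, or keep price2num's dot-decimal string and pass it through `$db->escape()` instead of casting. Note also that rounding the threshold with `'MS'` changes the comparison compared with the raw value used before; presumably intended, but worth a line in the commit message. The enclosing method starts and ends outside the hunk.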
@@ -304,7 +304,7 @@ if (empty($reshook)) {
 $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
 $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
 $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
- $sql .= " AND t.taux = ".$tva_tx." AND t.active = 1";
+ $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
 $sql .= " AND t.code ='".$db->escape($vatratecode)."'";
 $resql = $db->query($sql);
 if ($resql) {
@@ -527,7 +527,7 @@ if (empty($reshook)) {
 $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
 $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
 $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
- $sql .= " AND t.taux = ".$tva_tx." AND t.active = 1";
+ $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
 $sql .= " AND t.code ='".$db->escape($vatratecode)."'";
 $resql = $db->query($sql);
 if ($resql) {
@@ -620,7 +620,7 @@ if (empty($reshook)) {
 $sql = "SELECT t.rowid, t.code, t.recuperableonly, t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
 $sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
 $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($mysoc->country_code)."'";
- $sql .= " AND t.taux = ".$tva_tx." AND t.active = 1";
+ $sql .= " AND t.taux = ".((float) $tva_tx)." AND t.active = 1";
 $sql .= " AND t.code ='".$db->escape($vatratecode)."'";
 $resql = $db->query($sql);
 if ($resql) {
diff --git a/htdocs/product/stock/class/api_warehouses.class.php b/htdocs/product/stock/class/api_warehouses.class.php
index 806114b73ec..3bddbaff8f9 100644
--- a/htdocs/product/stock/class/api_warehouses.class.php
+++ b/htdocs/product/stock/class/api_warehouses.class.php
@@ -111,7 +111,7 @@ class Warehouses extends DolibarrApi
 $sql .= ' WHERE t.entity IN ('.getEntity('stock').')';
 // Select warehouses of given category
 if ($category > 0) {
- $sql .= " AND c.fk_categorie = ".$this->db->escape($category);
+ $sql .= " AND c.fk_categorie = ".((int) $category);
 $sql .= " AND c.fk_warehouse = t.rowid ";
 }
 // Add sql filters
diff --git a/htdocs/product/stock/replenish.php b/htdocs/product/stock/replenish.php
index 824d667e934..935103ec2fa 100644
--- a/htdocs/product/stock/replenish.php
+++ b/htdocs/product/stock/replenish.php
@@ -229,7 +229,7 @@ if ($action == 'order' && GETPOST('valid')) {
 // Check if an order for the supplier exists
 $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."commande_fournisseur";
 $sql .= " WHERE fk_soc = ".((int) $suppliersid[$i]);
- $sql .= " AND source = ".((int) $order::SOURCE_ID_REPLENISHMENT)." AND fk_statut = ".$order::STATUS_DRAFT;
+ $sql .= " AND source = ".((int) $order::SOURCE_ID_REPLENISHMENT)." AND fk_statut = ".((int) $order::STATUS_DRAFT);
 $sql .= " AND entity IN (".getEntity('commande_fournisseur').")";
 $sql .= " ORDER BY date_creation DESC";
 $resql = $db->query($sql);
diff --git a/htdocs/projet/activity/index.php b/htdocs/projet/activity/index.php
index eb9985b4de5..bdce4353faf 100644
--- a/htdocs/projet/activity/index.php
+++ b/htdocs/projet/activity/index.php
@@ -122,7 +122,7 @@ $sql .= " FROM ".MAIN_DB_PREFIX."projet as p";
 $sql .= ", ".MAIN_DB_PREFIX."projet_task as t";
 $sql .= ", ".MAIN_DB_PREFIX."projet_task_time as tt";
 $sql .= " WHERE t.fk_projet = p.rowid";
-$sql .= " AND p.entity = ".$conf->entity;
+$sql .= " AND p.entity = ".((int) $conf->entity);
 $sql .= " AND tt.fk_task = t.rowid";
 $sql .= " AND tt.fk_user = ".((int) $user->id);
 $sql .= " AND task_date BETWEEN '".$db->idate(dol_mktime(0, 0, 0, $month, $day, $year))."' AND '".$db->idate(dol_mktime(23, 59, 59, $month, $day, $year))."'";
@@ -175,7 +175,7 @@ $sql .= " FROM ".MAIN_DB_PREFIX."projet as p";
 $sql .= ", ".MAIN_DB_PREFIX."projet_task as t";
 $sql .= ", ".MAIN_DB_PREFIX."projet_task_time as tt";
 $sql .= " WHERE t.fk_projet = p.rowid";
-$sql .= " AND p.entity = ".$conf->entity;
+$sql .= " AND p.entity = ".((int) $conf->entity);
 $sql .= " AND tt.fk_task = t.rowid";
 $sql .= " AND tt.fk_user = ".((int) $user->id);
 $sql .= " AND task_date BETWEEN '".$db->idate(dol_time_plus_duree(dol_mktime(0, 0, 0, $month, $day, $year), -1, 'd'))."' AND '".$db->idate(dol_time_plus_duree(dol_mktime(23, 59, 59, $month, $day, $year), -1, 'd'))."'";
@@ -231,7 +231,7 @@ if ($db->type != 'pgsql')
 $sql.= " , ".MAIN_DB_PREFIX."projet_task as t";
 $sql.= " , ".MAIN_DB_PREFIX."projet_task_time as tt";
 $sql.= " WHERE t.fk_projet = p.rowid";
- $sql.= " AND p.entity = ".$conf->entity;
+ $sql.= " AND p.entity = ".((int) $conf->entity);
 $sql.= " AND tt.fk_task = t.rowid";
 $sql.= " AND tt.fk_user = ".((int) $user->id);
 $sql.= " AND task_date >= '".$db->idate(dol_get_first_day($year, $month)).'" AND ...";
@@ -287,7 +287,7 @@ if (!empty($conf->global->PROJECT_TASK_TIME_MONTH)) {
 $sql .= ", ".MAIN_DB_PREFIX."projet_task as t";
 $sql .= ", ".MAIN_DB_PREFIX."projet_task_time as tt";
 $sql .= " WHERE t.fk_projet = p.rowid";
- $sql .= " AND p.entity = ".$conf->entity;
+ $sql .= " AND p.entity = ".((int) $conf->entity);
 $sql .= " AND tt.fk_task = t.rowid";
 $sql .= " AND tt.fk_user = ".((int) $user->id);
 $sql .= " AND task_date BETWEEN '".$db->idate(dol_get_first_day($year, $month))."' AND '".$db->idate(dol_get_last_day($year, $month))."'";
@@ -333,7 +333,7 @@ if (!empty($conf->global->PROJECT_TASK_TIME_YEAR)) {
 $sql .= ", ".MAIN_DB_PREFIX."projet_task as t";
 $sql .= ", ".MAIN_DB_PREFIX."projet_task_time as tt";
 $sql .= " WHERE t.fk_projet = p.rowid";
- $sql .= " AND p.entity = ".$conf->entity;
+ $sql .= " AND p.entity = ".((int) $conf->entity);
 $sql .= " AND tt.fk_task = t.rowid";
 $sql .= " AND tt.fk_user = ".((int) $user->id);
 $sql .= " AND YEAR(task_date) = '".strftime("%Y", $now)."'";
@@ -422,7 +422,7 @@ if (empty($conf->global->PROJECT_HIDE_TASKS) && !empty($conf->global->PROJECT_SH
 $sql .= " AND p.rowid IN (".$db->sanitize($projectsListId).")"; // project i have permission on
 }
 if ($mine) { // this may duplicate record if we are contact twice
- $sql .= " AND ect.fk_c_type_contact IN (".$db->sanitize(join(',', array_keys($listoftaskcontacttype))).") AND ect.element_id = t.rowid AND ect.fk_socpeople = ".$user->id;
+ $sql .= " AND ect.fk_c_type_contact IN (".$db->sanitize(join(',', array_keys($listoftaskcontacttype))).") AND ect.element_id = t.rowid AND ect.fk_socpeople = ".((int) $user->id);
 }
 if ($socid) {
 $sql .= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".((int) $socid).")";
diff --git a/htdocs/projet/class/project.class.php b/htdocs/projet/class/project.class.php
index 3d5c89b9dc7..60928ccd23f 100644
--- a/htdocs/projet/class/project.class.php
+++ b/htdocs/projet/class/project.class.php
@@ -947,7 +947,7 @@ class Project extends CommonObject
 } elseif ($type == 'expensereport') {
 $sql = "SELECT COUNT(ed.rowid) as nb FROM ".MAIN_DB_PREFIX."expensereport as e, ".MAIN_DB_PREFIX."expensereport_det as ed WHERE e.rowid = ed.fk_expensereport AND e.entity IN (".getEntity('expensereport').") AND ed.fk_projet = ".((int) $this->id);
 } elseif ($type == 'project_task') {
- $sql = "SELECT DISTINCT COUNT(pt.rowid) as nb FROM ".MAIN_DB_PREFIX."projet_task as pt WHERE pt.fk_projet = ".$this->id;
+ $sql = "SELECT DISTINCT COUNT(pt.rowid) as nb FROM ".MAIN_DB_PREFIX."projet_task as pt WHERE pt.fk_projet = ".((int) $this->id);
 } elseif ($type == 'project_task_time') { // Case we want to duplicate line foreach user
 $sql = "SELECT DISTINCT COUNT(pt.rowid) as nb FROM ".MAIN_DB_PREFIX."projet_task as pt, ".MAIN_DB_PREFIX."projet_task_time as ptt WHERE pt.rowid = ptt.fk_task AND pt.fk_projet = ".((int) $this->id);
 } elseif ($type == 'stock_mouvement') {
@@ -1027,8 +1027,8 @@ class Project extends CommonObject
 $sql = "UPDATE ".MAIN_DB_PREFIX."projet";
 $sql .= " SET fk_statut = 1";
- $sql .= " WHERE rowid = ".$this->id;
- $sql .= " AND entity = ".$conf->entity;
+ $sql .= " WHERE rowid = ".((int) $this->id);
+ $sql .= " AND entity = ".((int) $conf->entity);
 dol_syslog(get_class($this)."::setValid", LOG_DEBUG);
 $resql = $this->db->query($sql);
@@ -1432,13 +1432,13 @@ class Project extends CommonObject
 if ($mode == 0) {
 $sql .= " AND ( p.public = 1";
 $sql .= " OR ( ec.fk_c_type_contact IN (".$this->db->sanitize(join(',', array_keys($listofprojectcontacttype))).")";
- $sql .= " AND ec.fk_socpeople = ".$user->id.")";
+ $sql .= " AND ec.fk_socpeople = ".((int) $user->id).")";
 $sql .= " )";
 } elseif ($mode == 1) {
 $sql .= " AND ec.element_id = p.rowid";
 $sql .= " AND (";
 $sql .= " ( ec.fk_c_type_contact IN (".$this->db->sanitize(join(',', array_keys($listofprojectcontacttype))).")";
- $sql .= " AND ec.fk_socpeople = ".$user->id.")";
+ $sql .= " AND ec.fk_socpeople = ".((int) $user->id).")";
 $sql .= " )";
 } elseif ($mode == 2) { // No filter. Use this if user has permission to see all project
@@ -1886,7 +1886,7 @@ class Project extends CommonObject
 $sql = "SELECT ptt.rowid as taskid, ptt.task_duration, ptt.task_date, ptt.task_datehour, ptt.fk_task";
 $sql .= " FROM ".MAIN_DB_PREFIX."projet_task_time AS ptt, ".MAIN_DB_PREFIX."projet_task as pt";
 $sql .= " WHERE ptt.fk_task = pt.rowid";
- $sql .= " AND pt.fk_projet = ".$this->id;
+ $sql .= " AND pt.fk_projet = ".((int) $this->id);
 $sql .= " AND (ptt.task_date >= '".$this->db->idate($datestart)."' ";
 $sql .= " AND ptt.task_date <= '".$this->db->idate(dol_time_plus_duree($datestart, 1, 'w') - 1)."')";
 if ($taskid) {
@@ -1949,7 +1949,7 @@ class Project extends CommonObject
 $sql = "SELECT ptt.rowid as taskid, ptt.task_duration, ptt.task_date, ptt.task_datehour, ptt.fk_task";
 $sql .= " FROM ".MAIN_DB_PREFIX."projet_task_time AS ptt, ".MAIN_DB_PREFIX."projet_task as pt";
 $sql .= " WHERE ptt.fk_task = pt.rowid";
- $sql .= " AND pt.fk_projet = ".$this->id;
+ $sql .= " AND pt.fk_projet = ".((int) $this->id);
 $sql .= " AND (ptt.task_date >= '".$this->db->idate($datestart)."' ";
 $sql .= " AND ptt.task_date <= '".$this->db->idate(dol_time_plus_duree($datestart, 1, 'm') - 1)."')";
 if ($task_id) {
@@ -2027,7 +2027,7 @@ class Project extends CommonObject
 // No need to check company, as filtering of projects must be done by getProjectsAuthorizedForUser
 //if ($socid || ! $user->rights->societe->client->voir) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".((int) $socid).")";
 // For external user, no check is done on company permission because readability is managed by public status of project and assignement.
- //if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND ((s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id.") OR (s.rowid IS NULL))";
+ //if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND ((s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id).") OR (s.rowid IS NULL))";
 //print $sql;
 $resql = $this->db->query($sql);
diff --git a/htdocs/projet/class/projectstats.class.php b/htdocs/projet/class/projectstats.class.php
index 1845e303704..f437c8a5e10 100644
--- a/htdocs/projet/class/projectstats.class.php
+++ b/htdocs/projet/class/projectstats.class.php
@@ -64,13 +64,13 @@ class ProjectStats extends Stats
 $sql .= " FROM ".MAIN_DB_PREFIX."projet as t";
 // No check is done on company permission because readability is managed by public status of project and assignement.
 //if (! $user->rights->societe->client->voir && ! $user->socid)
- // $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=" . $user->id;
+ // $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user = ".((int) $user->id);
 $sql .= ", ".MAIN_DB_PREFIX."c_lead_status as cls";
 $sql .= $this->buildWhere();
 // For external user, no check is done on company permission because readability is managed by public status of project and assignement.
 //if ($socid > 0) $sql.= " AND t.fk_soc = ".((int) $socid);
 // No check is done on company permission because readability is managed by public status of project and assignement.
- //if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND ((s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id.") OR (s.rowid IS NULL))";
+ //if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND ((s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id).") OR (s.rowid IS NULL))";
 $sql .= " AND t.fk_opp_status = cls.rowid";
 $sql .= " AND t.fk_statut <> 0"; // We want historic also, so all projects not draft
 $sql .= " GROUP BY t.fk_opp_status, cls.code, cls.label";
@@ -130,12 +130,12 @@ class ProjectStats extends Stats
 $sql .= " FROM ".MAIN_DB_PREFIX."projet as t LEFT JOIN ".MAIN_DB_PREFIX."c_lead_status as cls ON cls.rowid = t.fk_opp_status";
 // No check is done on company permission because readability is managed by public status of project and assignement.
 //if (! $user->rights->societe->client->voir && ! $user->soc_id)
- // $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=" . $user->id;
+ // $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user = ".((int) $user->id);
 $sql .= $this->buildWhere();
 // For external user, no check is done on company permission because readability is managed by public status of project and assignement.
 //if ($socid > 0) $sql.= " AND t.fk_soc = ".((int) $socid);
 // No check is done on company permission because readability is managed by public status of project and assignement.
- //if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND ((s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id.") OR (s.rowid IS NULL))";
+ //if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND ((s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id).") OR (s.rowid IS NULL))";
 $sql .= " GROUP BY year";
 $sql .= $this->db->order('year', 'DESC');
@@ -211,7 +211,7 @@ class ProjectStats extends Stats
 $sql .= " FROM ".MAIN_DB_PREFIX."projet as t";
 // No check is done on company permission because readability is managed by public status of project and assignement.
 //if (! $user->rights->societe->client->voir && ! $user->soc_id)
- // $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=" . $user->id;
+ // $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user = ".((int) $user->id);
 $sql .= $this->buildWhere();
 $sql .= " GROUP BY dm";
 $sql .= $this->db->order('dm', 'DESC');
@@ -240,7 +240,7 @@ class ProjectStats extends Stats
 $sql .= " FROM ".MAIN_DB_PREFIX."projet as t";
 // No check is done on company permission because readability is managed by public status of project and assignement.
 //if (! $user->rights->societe->client->voir && ! $user->soc_id)
- // $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=" . $user->id;
+ // $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user = ".((int) $user->id);
 $sql .= $this->buildWhere();
 $sql .= " GROUP BY dm";
 $sql .= $this->db->order('dm', 'DESC');
@@ -358,7 +358,7 @@ class ProjectStats extends Stats
 $sql .= " FROM ".MAIN_DB_PREFIX."projet as t LEFT JOIN ".MAIN_DB_PREFIX.'c_lead_status as cls ON t.fk_opp_status = cls.rowid';
 // No check is done on company permission because readability is managed by public status of project and assignement.
 //if (! $user->rights->societe->client->voir && ! $user->soc_id)
- // $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=" . $user->id;
+ // $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user = ".((int) $user->id);
 $sql .= $this->buildWhere();
 $sql .= " GROUP BY dm";
 $sql .= $this->db->order('dm', 'DESC');
@@ -470,7 +470,7 @@ class ProjectStats extends Stats
 $sql .= " FROM ".MAIN_DB_PREFIX."projet as t";
 // No check is done on company permission because readability is managed by public status of project and assignement.
 //if (! $user->rights->societe->client->voir && ! $user->soc_id)
- // $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=" . $user->id;
+ // $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user = ".((int) $user->id);
 $sql .= $this->buildWhere();
 $sql .= " GROUP BY dm";
 $sql .= $this->db->order('dm', 'DESC');
@@ -483,7 +483,7 @@ class ProjectStats extends Stats
 $sql .= " FROM ".MAIN_DB_PREFIX."projet as t";
 // No check is done on company permission because readability is managed by public status of project and assignement.
 //if (! $user->rights->societe->client->voir && ! $user->soc_id)
- // $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=" . $user->id;
+ // $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user = ".((int) $user->id);
 $sql .= $this->buildWhere();
 $sql .= " GROUP BY dm";
 $sql .= $this->db->order('dm', 'DESC');
diff --git a/htdocs/projet/class/task.class.php b/htdocs/projet/class/task.class.php
index 9a80eb060e9..8ea6d0c78a3 100644
--- a/htdocs/projet/class/task.class.php
+++ b/htdocs/projet/class/task.class.php
@@ -1044,10 +1044,10 @@ class Task extends CommonObject
 $sql .= ", ".MAIN_DB_PREFIX."c_type_contact as ctc";
 $sql .= " WHERE pt.rowid = ec.element_id";
 if ($userp && $filteronprojstatus > -1) {
- $sql .= " AND pt.fk_statut = ".$filteronprojstatus;
+ $sql .= " AND pt.fk_statut = ".((int) $filteronprojstatus);
 }
 if ($usert && $filteronprojstatus > -1) {
- $sql .= " AND pt.fk_projet = p.rowid AND p.fk_statut = ".$filteronprojstatus;
+ $sql .= " AND pt.fk_projet = p.rowid AND p.fk_statut = ".((int) $filteronprojstatus);
 }
 if ($userp) {
 $sql .= " AND ctc.element = 'project'";
@@ -1057,10 +1057,10 @@ class Task extends CommonObject
 }
 $sql .= " AND ctc.rowid = ec.fk_c_type_contact";
 if ($userp) {
- $sql .= " AND ec.fk_socpeople = ".$userp->id;
+ $sql .= " AND ec.fk_socpeople = ".((int) $userp->id);
 }
 if ($usert) {
- $sql .= " AND ec.fk_socpeople = ".$usert->id;
+ $sql .= " AND ec.fk_socpeople = ".((int) $usert->id);
 }
 $sql .= " AND ec.statut = 4";
 $sql .= " AND ctc.source = 'internal'";
@@ -2028,7 +2028,7 @@ class Task extends CommonObject
 // No need to check company, as filtering of projects must be done by getProjectsAuthorizedForUser
 //if ($socid || ! $user->rights->societe->client->voir) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".((int) $socid).")";
 // No need to check company, as filtering of projects must be done by getProjectsAuthorizedForUser
- // if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND ((s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id.") OR (s.rowid IS NULL))";
+ // if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND ((s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id).") OR (s.rowid IS NULL))";
 //print $sql;
 $resql = $this->db->query($sql);
diff --git a/htdocs/projet/class/taskstats.class.php b/htdocs/projet/class/taskstats.class.php
index 8a5234b956f..d60868b5ebb 100644
--- a/htdocs/projet/class/taskstats.class.php
+++ b/htdocs/projet/class/taskstats.class.php
@@ -60,7 +60,7 @@ class TaskStats extends Stats
 $sql .= " COUNT(t.rowid), t.priority";
 $sql .= " FROM ".MAIN_DB_PREFIX."projet_task as t INNER JOIN ".MAIN_DB_PREFIX."projet as p ON p.rowid = t.fk_projet";
 if (!$user->rights->societe->client->voir && !$user->soc_id) {
- $sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=".$user->id;
+ $sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=".((int) $user->id);
 }
 $sql .= $this->buildWhere();
 //$sql .= " AND t.fk_statut <> 0"; // We want historic also, so all task not draft
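Review bot: The condition guarding the re-cast line in the TaskStats hunk (@@ -60) tests `!$user->soc_id`, whereas the live code elsewhere in this diff reads the external-user company from `$user->socid` (the ticket-box hunks and the `$socid` checks on this page); if `soc_id` is not a defined property the test is always true and the commercial-contact join is applied to external users as well. The same condition appears in the two TaskStats hunks on the next line (@@ -119 and @@ -181). It is a context line the commit does not touch, but since this pass is already hardening that branch it would be cheap to align it: `if (!$user->rights->societe->client->voir && !$user->socid) {`. The join also reads `t.fk_soc` on the projet_task alias while the other queries on this page take the company from the project alias (`p.fk_soc`), so it is worth confirming that column exists on that table. The enclosing methods start and end outside the hunks.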
@@ -119,7 +119,7 @@ class TaskStats extends Stats
 $sql = "SELECT date_format(t.datec,'%Y') as year, COUNT(t.rowid) as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX."projet_task as t INNER JOIN ".MAIN_DB_PREFIX."projet as p ON p.rowid = t.fk_projet";
 if (!$user->rights->societe->client->voir && !$user->soc_id) {
- $sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=".$user->id;
+ $sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=".((int) $user->id);
 }
 $sql .= $this->buildWhere();
 $sql .= " GROUP BY year";
@@ -181,7 +181,7 @@ class TaskStats extends Stats
 $sql = "SELECT date_format(t.datec,'%m') as dm, COUNT(t.rowid) as nb";
 $sql .= " FROM ".MAIN_DB_PREFIX."projet_task as t INNER JOIN ".MAIN_DB_PREFIX."projet as p ON p.rowid = t.fk_projet";
 if (!$user->rights->societe->client->voir && !$user->soc_id) {
- $sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=".$user->id;
+ $sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON sc.fk_soc=t.fk_soc AND sc.fk_user=".((int) $user->id);
 }
 $sql .= $this->buildWhere();
 $sql .= " GROUP BY dm";
diff --git a/htdocs/projet/list.php b/htdocs/projet/list.php
index 6d7ec7d351e..43f5bd6ff2f 100644
--- a/htdocs/projet/list.php
+++ b/htdocs/projet/list.php
@@ -444,9 +444,9 @@ if ($search_sale > 0) {
 $sql .= " AND sc.fk_user = ".((int) $search_sale);
 }
 // No check is done on company permission because readability is managed by public status of project and assignement.
-//if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND ((s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id.") OR (s.rowid IS NULL))";
+//if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND ((s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id).") OR (s.rowid IS NULL))";
 if ($search_project_user > 0) {
- $sql .= " AND ecp.fk_c_type_contact IN (".$db->sanitize(join(',', array_keys($listofprojectcontacttype))).") AND ecp.element_id = p.rowid AND ecp.fk_socpeople = ".$search_project_user;
+ $sql .= " AND ecp.fk_c_type_contact IN (".$db->sanitize(join(',', array_keys($listofprojectcontacttype))).") AND ecp.element_id = p.rowid AND ecp.fk_socpeople = ".((int) $search_project_user);
 }
 if ($search_opp_amount != '') {
 $sql .= natural_search('p.opp_amount', $search_opp_amount, 1);
diff --git a/htdocs/projet/tasks/list.php b/htdocs/projet/tasks/list.php
index d053866fd62..1963f500349 100644
--- a/htdocs/projet/tasks/list.php
+++ b/htdocs/projet/tasks/list.php
@@ -387,10 +387,10 @@ if ($search_projectstatus >= 0) {
 }
 }
 if ($search_project_user > 0) {
- $sql .= " AND ecp.fk_c_type_contact IN (".$db->sanitize(join(',', array_keys($listofprojectcontacttype))).") AND ecp.element_id = p.rowid AND ecp.fk_socpeople = ".$search_project_user;
+ $sql .= " AND ecp.fk_c_type_contact IN (".$db->sanitize(join(',', array_keys($listofprojectcontacttype))).") AND ecp.element_id = p.rowid AND ecp.fk_socpeople = ".((int) $search_project_user);
 }
 if ($search_task_user > 0) {
- $sql .= " AND ect.fk_c_type_contact IN (".$db->sanitize(join(',', array_keys($listoftaskcontacttype))).") AND ect.element_id = t.rowid AND ect.fk_socpeople = ".$search_task_user;
+ $sql .= " AND ect.fk_c_type_contact IN (".$db->sanitize(join(',', array_keys($listoftaskcontacttype))).") AND ect.element_id = t.rowid AND ect.fk_socpeople = ".((int) $search_task_user);
 }
 // Add where from extra fields
 include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_search_sql.tpl.php';
diff --git a/htdocs/recruitment/recruitmentindex.php b/htdocs/recruitment/recruitmentindex.php
index 8c3e2f236a5..5473572f842 100644
--- a/htdocs/recruitment/recruitmentindex.php
+++ b/htdocs/recruitment/recruitmentindex.php
@@ -254,7 +254,7 @@ if (! empty($conf->recruitment->enabled) && $user->rights->recruitment->read)
 $sql.= " WHERE c.fk_soc = s.rowid";
 $sql.= " AND c.fk_statut = 0";
 $sql.= " AND c.entity IN (".getEntity('commande').")";
- if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
+ if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 if ($socid) $sql.= " AND c.fk_soc = ".((int) $socid);
 $resql = $db->query($sql);
diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php
index 018585f64e6..c5eab1c4e1c 100644
--- a/test/phpunit/CodingPhpTest.php
+++ b/test/phpunit/CodingPhpTest.php
@@ -293,11 +293,12 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
 if ($val[1] == 'ity' && $val[2] == 'con') {
 continue;
 }
-// $ok=false;
+ var_dump($matches);
+ $ok=false;
 break;
 }
 //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
-// $this->assertTrue($ok, 'Found non quoted or not casted var into sql request '.$file['relativename'].' - Bad.');
+ $this->assertTrue($ok, 'Found non quoted or not casted var into sql request '.$file['relativename'].' - Bad.');
 //exit;
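Review bot: `var_dump($matches);` is added on the live failure path, so every file that trips the check dumps the whole match array to the PHPUnit output instead of reporting through the assertion that the same hunk re-enables. The offending match is more useful in the assertion message: drop the `var_dump`, keep the matched element (the `$val` being iterated, which the visible code indexes as `$val[1]`/`$val[2]`) in a local before `break;`, and append it to the `'Found non quoted or not casted var into sql request '...' - Bad.'` message so a CI log names the exact expression. Minor style point on the same line: `$ok=false;` should be spaced as `$ok = false;` like the rest of the test. The enclosing loop and method start outside the hunk.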