Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2026-02-12 10:52:37 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix escape

Browse Source
This commit is contained in:
Laurent Destailleur
2020-09-19 23:11:38 +02:00
parent d38168f49e
commit 2c660504bb
23 changed files with 40 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
htdocs/admin/boxes.php
View File

@@ -192,12 +192,12 @@ if ($action == 'switch')
$newsecondnum = preg_replace('/[a-zA-Z]+/', '', $newsecond);
$newsecond = sprintf("%s%02d", $newsecondchar ? $newsecondchar : 'A', $newsecondnum + 1);
}
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$newfirst."' WHERE rowid=".$objfrom->rowid;
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$db->escape($newfirst)."' WHERE rowid=".$objfrom->rowid;
dol_syslog($sql);
$resultupdatefrom = $db->query($sql);
if (!$resultupdatefrom) { dol_print_error($db); }
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$newsecond."' WHERE rowid=".$objto->rowid;
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$db->escape($newsecond)."' WHERE rowid=".$objto->rowid;
dol_syslog($sql);
$resultupdateto = $db->query($sql);
if (!$resultupdateto) { dol_print_error($db); }
@@ -261,7 +261,7 @@ if ($resql)
// This occurs just after an insert.
if ($decalage)
{
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$decalage."' WHERE rowid=".$obj->rowid;
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$db->escape($decalage)."' WHERE rowid=".$obj->rowid;
$db->query($sql);
}
}
@@ -286,12 +286,12 @@ if ($resql)
if (preg_match("/[13579]{1}/", substr($record['box_order'], -1)))
{
$box_order = "A0".$record['box_order'];
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$box_order."' WHERE entity = ".$conf->entity." AND box_order = '".$record['box_order']."'";
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$db->escape($box_order)."' WHERE entity = ".$conf->entity." AND box_order = '".$db->escape($record['box_order'])."'";
$resql = $db->query($sql);
} elseif (preg_match("/[02468]{1}/", substr($record['box_order'], -1)))
{
$box_order = "B0".$record['box_order'];
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$box_order."' WHERE entity = ".$conf->entity." AND box_order = '".$record['box_order']."'";
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$db->escape($box_order)."' WHERE entity = ".$conf->entity." AND box_order = '".$db->escape($record['box_order'])."'";
$resql = $db->query($sql);
}
} elseif (dol_strlen($record['box_order']) == 2)
@@ -299,12 +299,12 @@ if ($resql)
if (preg_match("/[13579]{1}/", substr($record['box_order'], -1)))
{
$box_order = "A".$record['box_order'];
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$box_order."' WHERE entity = ".$conf->entity." AND box_order = '".$record['box_order']."'";
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$db->escape($box_order)."' WHERE entity = ".$conf->entity." AND box_order = '".$db->escape($record['box_order'])."'";
$resql = $db->query($sql);
} elseif (preg_match("/[02468]{1}/", substr($record['box_order'], -1)))
{
$box_order = "B".$record['box_order'];
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$box_order."' WHERE entity = ".$conf->entity." AND box_order = '".$record['box_order']."'";
$sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order = '".$db->escape($box_order)."' WHERE entity = ".$conf->entity." AND box_order = '".$db->escape($record['box_order'])."'";
$resql = $db->query($sql);
}
}