Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-05 17:18:13 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix: compatibility with pgsql, replace all addslashes by $this->db->escape in class

Browse Source
This commit is contained in:
Regis Houssin
2011-02-24 18:11:12 +00:00
parent 0bc8173c8f
commit 3b4ea76538
49 changed files with 277 additions and 277 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
htdocs/adherents/class/adherent.class.php
View File

@@ -388,21 +388,21 @@ class Adherent extends CommonObject
$sql = "UPDATE ".MAIN_DB_PREFIX."adherent SET";
$sql.= " civilite = ".($this->civilite_id?"'".$this->civilite_id."'":"null");
$sql.= ", prenom = ".($this->prenom?"'".addslashes($this->prenom)."'":"null");
$sql.= ", nom=" .($this->nom?"'".addslashes($this->nom)."'":"null");
$sql.= ", login=" .($this->login?"'".addslashes($this->login)."'":"null");
$sql.= ", societe=" .($this->societe?"'".addslashes($this->societe)."'":"null");
$sql.= ", prenom = ".($this->prenom?"'".$this->db->escape($this->prenom)."'":"null");
$sql.= ", nom=" .($this->nom?"'".$this->db->escape($this->nom)."'":"null");
$sql.= ", login=" .($this->login?"'".$this->db->escape($this->login)."'":"null");
$sql.= ", societe=" .($this->societe?"'".$this->db->escape($this->societe)."'":"null");
$sql.= ", fk_soc=" .($this->fk_soc > 0?"'".$this->fk_soc."'":"null");
$sql.= ", adresse=" .($this->adresse?"'".addslashes($this->adresse)."'":"null");
$sql.= ", cp=" .($this->cp?"'".addslashes($this->cp)."'":"null");
$sql.= ", ville=" .($this->ville?"'".addslashes($this->ville)."'":"null");
$sql.= ", adresse=" .($this->adresse?"'".$this->db->escape($this->adresse)."'":"null");
$sql.= ", cp=" .($this->cp?"'".$this->db->escape($this->cp)."'":"null");
$sql.= ", ville=" .($this->ville?"'".$this->db->escape($this->ville)."'":"null");
$sql.= ", pays=" .($this->pays_id>0?"'".$this->pays_id."'":"null");
$sql.= ", fk_departement=".($this->fk_departement>0?"'".$this->fk_departement."'":"null");
$sql.= ", email=" ."'".$this->email."'";
$sql.= ", phone=" .($this->phone?"'".addslashes($this->phone)."'":"null");
$sql.= ", phone_perso=" .($this->phone_perso?"'".addslashes($this->phone_perso)."'":"null");
$sql.= ", phone_mobile=" .($this->phone_mobile?"'".addslashes($this->phone_mobile)."'":"null");
$sql.= ", note=" .($this->note?"'".addslashes($this->note)."'":"null");
$sql.= ", phone=" .($this->phone?"'".$this->db->escape($this->phone)."'":"null");
$sql.= ", phone_perso=" .($this->phone_perso?"'".$this->db->escape($this->phone_perso)."'":"null");
$sql.= ", phone_mobile=" .($this->phone_mobile?"'".$this->db->escape($this->phone_mobile)."'":"null");
$sql.= ", note=" .($this->note?"'".$this->db->escape($this->note)."'":"null");
$sql.= ", photo=" .($this->photo?"'".$this->photo."'":"null");
$sql.= ", public=" ."'".$this->public."'";
$sql.= ", statut=" .$this->statut;
@@ -743,7 +743,7 @@ class Adherent extends CommonObject
}
// Mise a jour
$sql = "UPDATE ".MAIN_DB_PREFIX."adherent SET pass = '".addslashes($password_indatabase)."'";
$sql = "UPDATE ".MAIN_DB_PREFIX."adherent SET pass = '".$this->db->escape($password_indatabase)."'";
$sql.= " WHERE rowid = ".$this->id;
//dol_syslog("Adherent::Password sql=hidden");

4
htdocs/adherents/class/adherent_options.class.php
View File

@@ -135,7 +135,7 @@ class AdherentOptions
{
$sql = "INSERT INTO ".MAIN_DB_PREFIX."adherent_options_label(name, label, type, pos, size, entity)";
$sql.= " VALUES('".$attrname."',";
$sql.= " '".addslashes($label)."',";
$sql.= " '".$this->db->escape($label)."',";
$sql.= " '".$type."',";
$sql.= " '".$pos."',";
$sql.= " '".$size."',";
@@ -292,7 +292,7 @@ class AdherentOptions
$sql.= ") VALUES (";
$sql.= "'".$attrname."',";
$sql.= " ".$conf->entity.",";
$sql.= " '".addslashes($label)."',";
$sql.= " '".$this->db->escape($label)."',";
$sql.= " '".$type."',";
$sql.= " '".$size."'";
$sql.= ")";

8
htdocs/adherents/class/adherent_type.class.php
View File

@@ -89,7 +89,7 @@ class AdherentType extends CommonObject
$sql.= "libelle";
$sql.= ", entity";
$sql.= ") VALUES (";
$sql.= "'".addslashes($this->libelle)."'";
$sql.= "'".$this->db->escape($this->libelle)."'";
$sql.= ", ".$conf->entity;
$sql.= ")";
@@ -119,11 +119,11 @@ class AdherentType extends CommonObject
$sql = "UPDATE ".MAIN_DB_PREFIX."adherent_type ";
$sql.= "SET ";
$sql.= "statut = ".$this->statut.",";
$sql.= "libelle = '".addslashes($this->libelle) ."',";
$sql.= "libelle = '".$this->db->escape($this->libelle) ."',";
$sql.= "cotisation = '".$this->cotisation."',";
$sql.= "note = '".addslashes($this->note)."',";
$sql.= "note = '".$this->db->escape($this->note)."',";
$sql.= "vote = '".$this->vote."',";
$sql.= "mail_valid = '".addslashes($this->mail_valid)."'";
$sql.= "mail_valid = '".$this->db->escape($this->mail_valid)."'";
$sql .= " WHERE rowid = $this->id";

4
htdocs/adherents/class/cotisation.class.php
View File

@@ -79,7 +79,7 @@ class Cotisation extends CommonObject
$sql.= " VALUES (".$this->fk_adherent.", ".$this->db->idate(mktime()).",";
$sql.= " ".$this->db->idate($this->dateh).",";
$sql.= " ".$this->db->idate($this->datef).",";
$sql.= " ".$this->amount.",'".addslashes($this->note)."')";
$sql.= " ".$this->amount.",'".$this->db->escape($this->note)."')";
dol_syslog("Cotisation::create sql=".$sql);
$resql = $this->db->query($sql);
@@ -157,7 +157,7 @@ class Cotisation extends CommonObject
$sql = "UPDATE ".MAIN_DB_PREFIX."cotisation SET ";
$sql .= " fk_adherent = ".$this->fk_adherent.",";
$sql .= " note=".($this->note ? "'".addslashes($this->note)."'" : 'null').",";
$sql .= " note=".($this->note ? "'".$this->db->escape($this->note)."'" : 'null').",";
$sql .= " cotisation = '".price2num($this->amount)."',";
$sql .= " dateadh='".$this->db->idate($this->dateh)."',";
$sql .= " datef='".$this->db->idate($this->datef)."',";

6
htdocs/bookmarks/class/bookmark.class.php
View File

@@ -111,7 +111,7 @@ class Bookmark
$sql.= ($this->fk_user > 0?"'".$this->fk_user."'":"0").",";
$sql.= " ".$this->db->idate(gmmktime()).",";
$sql.= " '".$this->url."', '".$this->target."',";
$sql.= " '".addslashes($this->title)."', '".$this->favicon."', '".$this->position."'";
$sql.= " '".$this->db->escape($this->title)."', '".$this->favicon."', '".$this->position."'";
if ($this->fk_soc) $sql.=",".$this->fk_soc;
$sql.= ")";
@@ -157,9 +157,9 @@ class Bookmark
$sql = "UPDATE ".MAIN_DB_PREFIX."bookmark";
$sql.= " SET fk_user = ".($this->fk_user > 0?"'".$this->fk_user."'":"0");
$sql.= " ,dateb = '".$this->db->idate($this->datec)."'";
$sql.= " ,url = '".addslashes($this->url)."'";
$sql.= " ,url = '".$this->db->escape($this->url)."'";
$sql.= " ,target = '".$this->target."'";
$sql.= " ,title = '".addslashes($this->title)."'";
$sql.= " ,title = '".$this->db->escape($this->title)."'";
$sql.= " ,favicon = '".$this->favicon."'";
$sql.= " ,position = '".$this->position."'";
$sql.= " WHERE rowid = ".$this->id;

8
htdocs/categories/class/categorie.class.php
View File

@@ -142,7 +142,7 @@ class Categorie
$sql.= "fk_soc,";
}
$sql.= "visible, type) ";
$sql.= "VALUES ('".addslashes($this->label)."', '".addslashes($this->description)."',";
$sql.= "VALUES ('".$this->db->escape($this->label)."', '".$this->db->escape($this->description)."',";
if ($conf->global->CATEGORY_ASSIGNED_TO_A_CUSTOMER)
{
$sql.= ($this->socid != -1 ? $this->socid : 'null').",";
@@ -230,10 +230,10 @@ class Categorie
}
$sql = "UPDATE ".MAIN_DB_PREFIX."categorie";
$sql.= " SET label = '".addslashes($this->label)."'";
$sql.= " SET label = '".$this->db->escape($this->label)."'";
if ($this->description)
{
$sql .= ", description = '".addslashes($this->description)."'";
$sql .= ", description = '".$this->db->escape($this->description)."'";
}
if ($conf->global->CATEGORY_ASSIGNED_TO_A_CUSTOMER)
{
@@ -807,7 +807,7 @@ class Categorie
{
$sql = "SELECT count(c.rowid)";
$sql.= " FROM ".MAIN_DB_PREFIX."categorie as c, ".MAIN_DB_PREFIX."categorie_association as ca";
$sql.= " WHERE c.label = '".addslashes($this -> label)."' AND type=".$this->type;
$sql.= " WHERE c.label = '".$this->db->escape($this -> label)."' AND type=".$this->type;
dol_syslog("Categorie::already_exists sql=".$sql);
$res = $this->db->query($sql);
if ($res)

10
htdocs/comm/action/class/actioncomm.class.php
View File

@@ -188,12 +188,12 @@ class ActionComm extends CommonObject
$sql.= " '".$this->type_id."',";
$sql.= ($this->societe->id>0?" '".$this->societe->id."'":"null").",";
$sql.= ($this->fk_project>0?" '".$this->fk_project."'":"null").",";
$sql.= " '".addslashes($this->note)."',";
$sql.= " '".$this->db->escape($this->note)."',";
$sql.= ($this->contact->id > 0?"'".$this->contact->id."'":"null").",";
$sql.= ($user->id > 0 ? "'".$user->id."'":"null").",";
$sql.= ($this->usertodo->id > 0?"'".$this->usertodo->id."'":"null").",";
$sql.= ($this->userdone->id > 0?"'".$this->userdone->id."'":"null").",";
$sql.= "'".addslashes($this->label)."','".$this->percentage."','".$this->priority."','".$this->fulldayevent."','".addslashes($this->location)."','".$this->punctual."',";
$sql.= "'".$this->db->escape($this->label)."','".$this->percentage."','".$this->priority."','".$this->fulldayevent."','".$this->db->escape($this->location)."','".$this->punctual."',";
$sql.= ($this->facid?$this->facid:"null").",";
$sql.= ($this->propalrowid?$this->propalrowid:"null").",";
$sql.= ($this->orderrowid?$this->orderrowid:"null").",";
@@ -383,18 +383,18 @@ class ActionComm extends CommonObject
//print 'eeea'.$this->datep.'-'.(strval($this->datep) != '').'-'.$this->db->idate($this->datep);
$sql = "UPDATE ".MAIN_DB_PREFIX."actioncomm ";
$sql.= " SET percent='".$this->percentage."'";
$sql.= ", label = ".($this->label ? "'".addslashes($this->label)."'":"null");
$sql.= ", label = ".($this->label ? "'".$this->db->escape($this->label)."'":"null");
$sql.= ", datep = ".(strval($this->datep)!='' ? "'".$this->db->idate($this->datep)."'" : 'null');
$sql.= ", datep2 = ".(strval($this->datef)!='' ? "'".$this->db->idate($this->datef)."'" : 'null');
//$sql.= ", datea = ".(strval($this->date)!='' ? "'".$this->db->idate($this->date)."'" : 'null');
//$sql.= ", datea2 = ".(strval($this->dateend)!='' ? "'".$this->db->idate($this->dateend)."'" : 'null');
$sql.= ", note = ".($this->note ? "'".addslashes($this->note)."'":"null");
$sql.= ", note = ".($this->note ? "'".$this->db->escape($this->note)."'":"null");
$sql.= ", fk_soc =". ($this->societe->id > 0 ? "'".$this->societe->id."'":"null");
$sql.= ", fk_project =". ($this->fk_project > 0 ? "'".$this->fk_project."'":"null");
$sql.= ", fk_contact =". ($this->contact->id > 0 ? "'".$this->contact->id."'":"null");
$sql.= ", priority = '".$this->priority."'";
$sql.= ", fulldayevent = '".$this->fulldayevent."'";
$sql.= ", location = ".($this->location ? "'".addslashes($this->location)."'":"null");
$sql.= ", location = ".($this->location ? "'".$this->db->escape($this->location)."'":"null");
$sql.= ", fk_user_mod = '".$user->id."'";
$sql.= ", fk_user_action=".($this->usertodo->id > 0 ? "'".$this->usertodo->id."'":"null");
$sql.= ", fk_user_done=".($this->userdone->id > 0 ? "'".$this->userdone->id."'":"null");

6
htdocs/comm/mailing/class/mailing.class.php
View File

@@ -143,9 +143,9 @@ class Mailing extends CommonObject
function update($user)
{
$sql = "UPDATE ".MAIN_DB_PREFIX."mailing ";
$sql .= " SET titre = '".addslashes($this->titre)."'";
$sql .= ", sujet = '".addslashes($this->sujet)."'";
$sql .= ", body = '".addslashes($this->body)."'";
$sql .= " SET titre = '".$this->db->escape($this->titre)."'";
$sql .= ", sujet = '".$this->db->escape($this->sujet)."'";
$sql .= ", body = '".$this->db->escape($this->body)."'";
$sql .= ", email_from = '".$this->email_from."'";
$sql .= ", email_replyto = '".$this->email_replyto."'";
$sql .= ", email_errorsto = '".$this->email_errorsto."'";

16
htdocs/comm/propal/class/propal.class.php
View File

@@ -484,7 +484,7 @@ class Propal extends CommonObject
$sql.= " , tva_tx=".price2num($txtva);
$sql.= " , localtax1_tx=".price2num($txlocaltax1);
$sql.= " , localtax2_tx=".price2num($txlocaltax2);
$sql.= " , description='".addslashes($desc)."'";
$sql.= " , description='".$this->db->escape($desc)."'";
$sql.= " , total_ht=".price2num($total_ht);
$sql.= " , total_tva=".price2num($total_tva);
$sql.= " , total_localtax1=".price2num($total_localtax1);
@@ -631,13 +631,13 @@ class Propal extends CommonObject
$sql.= ", '".$this->db->idate($now)."'";
$sql.= ", '(PROV)'";
$sql.= ", ".($user->id > 0 ? "'".$user->id."'":"null");
$sql.= ", '".addslashes($this->note)."'";
$sql.= ", '".addslashes($this->note_public)."'";
$sql.= ", '".$this->db->escape($this->note)."'";
$sql.= ", '".$this->db->escape($this->note_public)."'";
$sql.= ", '".$this->modelpdf."'";
$sql.= ", '".$this->db->idate($this->fin_validite)."'";
$sql.= ", ".$this->cond_reglement_id;
$sql.= ", ".$this->mode_reglement_id;
$sql.= ", '".addslashes($this->ref_client)."'";
$sql.= ", '".$this->db->escape($this->ref_client)."'";
$sql.= ", ".($this->date_livraison!=''?"'".$this->db->idate($this->date_livraison)."'":'null');
$sql.= ", ".$conf->entity;
$sql.= ")";
@@ -1237,7 +1237,7 @@ class Propal extends CommonObject
{
dol_syslog('Propale::set_ref_client this->id='.$this->id.', ref_client='.$ref_client);
$sql = 'UPDATE '.MAIN_DB_PREFIX.'propal SET ref_client = '.(empty($ref_client) ? 'NULL' : '\''.addslashes($ref_client).'\'');
$sql = 'UPDATE '.MAIN_DB_PREFIX.'propal SET ref_client = '.(empty($ref_client) ? 'NULL' : '\''.$this->db->escape($ref_client).'\'');
$sql.= ' WHERE rowid = '.$this->id;
if ($this->db->query($sql) )
{
@@ -1340,7 +1340,7 @@ class Propal extends CommonObject
$this->db->begin();
$sql = "UPDATE ".MAIN_DB_PREFIX."propal";
$sql.= " SET fk_statut = ".$statut.", note = '".addslashes($note)."', date_cloture=".$this->db->idate(mktime()).", fk_user_cloture=".$user->id;
$sql.= " SET fk_statut = ".$statut.", note = '".$this->db->escape($note)."', date_cloture=".$this->db->idate(mktime()).", fk_user_cloture=".$user->id;
$sql.= " WHERE rowid = ".$this->id;
$resql=$this->db->query($sql);
@@ -2315,7 +2315,7 @@ class PropaleLigne
$sql.= ' info_bits, ';
$sql.= ' total_ht, total_tva, total_localtax1, total_localtax2, total_ttc, special_code, rang, marge_tx, marque_tx)';
$sql.= " VALUES (".$this->fk_propal.",";
$sql.= " '".addslashes($this->desc)."',";
$sql.= " '".$this->db->escape($this->desc)."',";
$sql.= " ".($this->fk_product?"'".$this->fk_product."'":"null").",";
$sql.= " '".$this->product_type."',";
$sql.= " ".($this->fk_remise_except?"'".$this->fk_remise_except."'":"null").",";
@@ -2379,7 +2379,7 @@ class PropaleLigne
// Mise a jour ligne en base
$sql = "UPDATE ".MAIN_DB_PREFIX."propaldet SET";
$sql.= " description='".addslashes($this->desc)."'";
$sql.= " description='".$this->db->escape($this->desc)."'";
if ($fk_remise_except) $sql.= ",fk_remise_except=".$this->fk_remise_except;
else $sql.= ",fk_remise_except=null";
$sql.= ",tva_tx='".price2num($this->tva_tx)."'";

12
htdocs/commande/class/commande.class.php
View File

@@ -571,9 +571,9 @@ class Commande extends CommonObject
$sql.= " VALUES ('(PROV)',".$this->socid.", ".$this->db->idate(gmmktime()).", ".$user->id.", ".$this->fk_project;
$sql.= ", ".$this->db->idate($this->date_commande);
$sql.= ", ".($this->source>=0 && $this->source != '' ?$this->source:'null');
$sql.= ", '".addslashes($this->note)."'";
$sql.= ", '".addslashes($this->note_public)."'";
$sql.= ", '".addslashes($this->ref_client)."', '".$this->modelpdf."'";
$sql.= ", '".$this->db->escape($this->note)."'";
$sql.= ", '".$this->db->escape($this->note_public)."'";
$sql.= ", '".$this->db->escape($this->ref_client)."', '".$this->modelpdf."'";
$sql.= ", ".($this->cond_reglement_id>0?"'".$this->cond_reglement_id."'":"null");
$sql.= ", ".($this->mode_reglement_id>0?"'".$this->mode_reglement_id."'":"null");
$sql.= ", ".($this->date_livraison?"'".$this->db->idate($this->date_livraison)."'":"null");
@@ -1769,7 +1769,7 @@ class Commande extends CommonObject
dol_syslog('Commande::set_ref_client this->id='.$this->id.', ref_client='.$ref_client);
$sql = 'UPDATE '.MAIN_DB_PREFIX.'commande SET';
$sql.= ' ref_client = '.(empty($ref_client) ? 'NULL' : '\''.addslashes($ref_client).'\'');
$sql.= ' ref_client = '.(empty($ref_client) ? 'NULL' : '\''.$this->db->escape($ref_client).'\'');
$sql.= ' WHERE rowid = '.$this->id;
if ($this->db->query($sql) )
@@ -1886,7 +1886,7 @@ class Commande extends CommonObject
// Mise a jour ligne en base
$sql = "UPDATE ".MAIN_DB_PREFIX."commandedet SET";
$sql.= " description='".addslashes($desc)."'";
$sql.= " description='".$this->db->escape($desc)."'";
$sql.= ",price='".price2num($price)."'";
$sql.= ",subprice='".price2num($subprice)."'";
$sql.= ",remise='".price2num($remise)."'";
@@ -2620,7 +2620,7 @@ class OrderLine
$sql.= ' special_code, rang, marge_tx, marque_tx,';
$sql.= ' info_bits, total_ht, total_tva, total_localtax1, total_localtax2, total_ttc, date_start, date_end)';
$sql.= " VALUES (".$this->fk_commande.",";
$sql.= " '".addslashes($this->desc)."',";
$sql.= " '".$this->db->escape($this->desc)."',";
$sql.= " '".price2num($this->qty)."',";
$sql.= " '".price2num($this->tva_tx)."',";
$sql.= " '".price2num($this->localtax1_tx)."',";

32
htdocs/compta/bank/class/account.class.php
View File

@@ -130,7 +130,7 @@ class Account extends CommonObject
$sql.= "'".$line_id."'";
$sql.= ", '".$url_id."'";
$sql.= ", '".$url."'";
$sql.= ", '".addslashes($label)."'";
$sql.= ", '".$this->db->escape($label)."'";
$sql.= ", '".$type."'";
$sql.= ")";
@@ -258,14 +258,14 @@ class Account extends CommonObject
$sql.= "'".$this->db->idate(mktime())."'";
$sql.= ", '".$this->db->idate($date)."'";
$sql.= ", '".$this->db->idate($datev)."'";
$sql.= ", '".addslashes($label)."'";
$sql.= ", '".$this->db->escape($label)."'";
$sql.= ", ".price2num($amount);
$sql.= ", '".$user->id."'";
$sql.= ", ".($num_chq?"'".$num_chq."'":"null");
$sql.= ", '".$this->rowid."'";
$sql.= ", '".$oper."'";
$sql.= ", ".($emetteur?"'".addslashes($emetteur)."'":"null");
$sql.= ", ".($banque?"'".addslashes($banque)."'":"null");
$sql.= ", ".($emetteur?"'".$this->db->escape($emetteur)."'":"null");
$sql.= ", ".($banque?"'".$this->db->escape($banque)."'":"null");
$sql.= ")";
dol_syslog("Account::addline sql=".$sql);
@@ -347,15 +347,15 @@ class Account extends CommonObject
$sql.= ", fk_pays";
$sql.= ") VALUES (";
$sql.= "'".$this->db->idate($now)."'";
$sql.= ", '".addslashes($this->ref)."'";
$sql.= ", '".addslashes($this->label)."'";
$sql.= ", '".$this->db->escape($this->ref)."'";
$sql.= ", '".$this->db->escape($this->label)."'";
$sql.= ", ".$conf->entity;
$sql.= ", '".addslashes($this->account_number)."'";
$sql.= ", '".$this->db->escape($this->account_number)."'";
$sql.= ", '".$this->currency_code."'";
$sql.= ", ".$this->rappro;
$sql.= ", ".price2num($this->min_allowed);
$sql.= ", ".price2num($this->min_desired);
$sql.= ", '".addslashes($this->comment)."'";
$sql.= ", '".$this->db->escape($this->comment)."'";
$sql.= ", ".($this->fk_departement>0?"'".$this->fk_departement."'":"null");
$sql.= ", ".$this->fk_pays;
$sql.= ")";
@@ -438,8 +438,8 @@ class Account extends CommonObject
$sql = "UPDATE ".MAIN_DB_PREFIX."bank_account SET ";
$sql.= " ref = '".addslashes($this->ref)."'";
$sql.= ",label = '".addslashes($this->label)."'";
$sql.= " ref = '".$this->db->escape($this->ref)."'";
$sql.= ",label = '".$this->db->escape($this->label)."'";
$sql.= ",courant = ".$this->courant;
$sql.= ",clos = ".$this->clos;
@@ -451,7 +451,7 @@ class Account extends CommonObject
$sql.= ",min_allowed = '".price2num($this->min_allowed)."'";
$sql.= ",min_desired = '".price2num($this->min_desired)."'";
$sql.= ",comment = '".addslashes($this->comment)."'";
$sql.= ",comment = '".$this->db->escape($this->comment)."'";
$sql.= ",fk_departement = ".($this->fk_departement>0?"'".$this->fk_departement."'":"null");
$sql.= ",fk_pays = ".$this->fk_pays;
@@ -496,16 +496,16 @@ class Account extends CommonObject
}
$sql = "UPDATE ".MAIN_DB_PREFIX."bank_account SET ";
$sql.= " bank = '".addslashes($this->bank)."'";
$sql.= " bank = '".$this->db->escape($this->bank)."'";
$sql.= ",code_banque='".$this->code_banque."'";
$sql.= ",code_guichet='".$this->code_guichet."'";
$sql.= ",number='".$this->number."'";
$sql.= ",cle_rib='".$this->cle_rib."'";
$sql.= ",bic='".$this->bic."'";
$sql.= ",iban_prefix = '".$this->iban."'";
$sql.= ",domiciliation='".addslashes($this->domiciliation)."'";
$sql.= ",proprio = '".addslashes($this->proprio)."'";
$sql.= ",adresse_proprio = '".addslashes($this->adresse_proprio)."'";
$sql.= ",domiciliation='".$this->db->escape($this->domiciliation)."'";
$sql.= ",proprio = '".$this->db->escape($this->proprio)."'";
$sql.= ",adresse_proprio = '".$this->db->escape($this->adresse_proprio)."'";
$sql.= ",fk_departement = ".($this->fk_departement>0?"'".$this->fk_departement."'":"null");
$sql.= ",fk_pays = ".$this->fk_pays;
$sql.= " WHERE rowid = ".$this->id;
@@ -548,7 +548,7 @@ class Account extends CommonObject
$sql.= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_departements as d ON ba.fk_departement = d.rowid';
$sql.= " WHERE entity = ".$conf->entity;
if ($id) $sql.= " AND ba.rowid = ".$id;
if ($ref) $sql.= " AND ba.ref = '".addslashes($ref)."'";
if ($ref) $sql.= " AND ba.ref = '".$this->db->escape($ref)."'";
dol_syslog("Account::fetch sql=".$sql);
$result = $this->db->query($sql);

4
htdocs/compta/bank/class/bankcateg.class.php
View File

@@ -83,7 +83,7 @@ class BankCateg // extends CommonObject
$sql.= "label";
$sql.= ", entity";
$sql.= ") VALUES (";
$sql.= " ".(! isset($this->label)?'NULL':"'".addslashes($this->label)."'")."";
$sql.= " ".(! isset($this->label)?'NULL':"'".$this->db->escape($this->label)."'")."";
$sql.= ", ".$conf->entity;
$sql.= ")";
@@ -189,7 +189,7 @@ class BankCateg // extends CommonObject
// Update request
$sql = "UPDATE ".MAIN_DB_PREFIX."bank_categ SET";
$sql.= " label=".(isset($this->label)?"'".addslashes($this->label)."'":"null")."";
$sql.= " label=".(isset($this->label)?"'".$this->db->escape($this->label)."'":"null")."";
$sql.= " WHERE rowid=".$this->id;
$sql.= " AND entity = ".$conf->entity;

8
htdocs/compta/deplacement/class/deplacement.class.php
View File

@@ -103,8 +103,8 @@ class Deplacement extends CommonObject
$sql.= ", ".$user->id;
$sql.= ", ".$this->fk_user;
$sql.= ", '".$this->type."'";
$sql.= ", ".($this->note?"'".addslashes($this->note)."'":"null");
$sql.= ", ".($this->note_public?"'".addslashes($this->note_public)."'":"null");
$sql.= ", ".($this->note?"'".$this->db->escape($this->note)."'":"null");
$sql.= ", ".($this->note_public?"'".$this->db->escape($this->note_public)."'":"null");
$sql.= ", ".($this->fk_project > 0? $this->fk_project : 0);
$sql.= ", ".($this->fk_soc > 0? $this->fk_soc : "null");
$sql.= ")";
@@ -166,8 +166,8 @@ class Deplacement extends CommonObject
$sql .= " , type = '".$this->type."'";
$sql .= " , fk_user = ".$this->fk_user;
$sql .= " , fk_soc = ".($this->socid > 0?$this->socid:'null');
$sql .= " , note = ".($this->note?"'".addslashes($this->note)."'":"null");
$sql .= " , note_public = ".($this->note_public?"'".addslashes($this->note_public)."'":"null");
$sql .= " , note = ".($this->note?"'".$this->db->escape($this->note)."'":"null");
$sql .= " , note_public = ".($this->note_public?"'".$this->db->escape($this->note_public)."'":"null");
$sql .= " , fk_projet = ".($this->fk_project>0?$this->fk_project:0);
$sql .= " WHERE rowid = ".$this->id;

28
htdocs/compta/dons/class/don.class.php
View File

@@ -321,16 +321,16 @@ class Don extends CommonObject
$sql.= ", ".$conf->entity;
$sql.= ", ".price2num($this->amount);
$sql.= ", ".$this->modepaiementid;
$sql.= ", '".addslashes($this->prenom)."'";
$sql.= ", '".addslashes($this->nom)."'";
$sql.= ", '".addslashes($this->societe)."'";
$sql.= ", '".addslashes($this->adresse)."'";
$sql.= ", '".$this->db->escape($this->prenom)."'";
$sql.= ", '".$this->db->escape($this->nom)."'";
$sql.= ", '".$this->db->escape($this->societe)."'";
$sql.= ", '".$this->db->escape($this->adresse)."'";
$sql.= ", '".$this->cp."'";
$sql.= ", '".addslashes($this->ville)."'";
$sql.= ", '".addslashes($this->pays)."'"; // TODO use fk_pays
$sql.= ", '".$this->db->escape($this->ville)."'";
$sql.= ", '".$this->db->escape($this->pays)."'"; // TODO use fk_pays
$sql.= ", ".$this->public;
$sql.= ", ".($this->fk_project > 0?$this->fk_project:"null");
$sql.= ", '".addslashes($this->note)."'";
$sql.= ", '".$this->db->escape($this->note)."'";
$sql.= ", ".$user->id;
$sql.= ", null";
$sql.= ", '".$this->date."'";
@@ -363,16 +363,16 @@ class Don extends CommonObject
$sql = "UPDATE ".MAIN_DB_PREFIX."don SET ";
$sql .= "amount = " . price2num($this->amount);
$sql .= ",fk_paiement = ".$this->modepaiementid;
$sql .= ",prenom = '".addslashes($this->prenom)."'";
$sql .= ",nom='".addslashes($this->nom)."'";
$sql .= ",societe='".addslashes($this->societe)."'";
$sql .= ",adresse='".addslashes($this->adresse)."'";
$sql .= ",prenom = '".$this->db->escape($this->prenom)."'";
$sql .= ",nom='".$this->db->escape($this->nom)."'";
$sql .= ",societe='".$this->db->escape($this->societe)."'";
$sql .= ",adresse='".$this->db->escape($this->adresse)."'";
$sql .= ",cp='".$this->cp."'";
$sql .= ",ville='".addslashes($this->ville)."'";
$sql .= ",pays='".addslashes($this->pays)."'"; // TODO use fk_pays
$sql .= ",ville='".$this->db->escape($this->ville)."'";
$sql .= ",pays='".$this->db->escape($this->pays)."'"; // TODO use fk_pays
$sql .= ",public=".$this->public;
$sql .= ",fk_don_projet=".($this->fk_project>0?$this->fk_project:'null');
$sql .= ",note='".addslashes($this->note)."'";
$sql .= ",note='".$this->db->escape($this->note)."'";
$sql .= ",datedon='".$this->date."'";
$sql .= ",email='".$this->email."'";
$sql .= ",fk_statut=".$this->statut;

4
htdocs/compta/facture/class/facture-rec.class.php
View File

@@ -127,7 +127,7 @@ class FactureRec extends Facture
$sql.= ", ".$this->db->idate(mktime());
$sql.= ", '".$facsrc->amount."'";
$sql.= ", '".$facsrc->remise."'";
$sql.= ", '".addslashes($this->note)."'";
$sql.= ", '".$this->db->escape($this->note)."'";
$sql.= ", '".$user->id."'";
$sql.= ", ".($facsrc->fk_project?"'".$facsrc->fk_project."'":"null");
$sql.= ", '".$facsrc->cond_reglement_id."'";
@@ -477,7 +477,7 @@ class FactureRec extends Facture
$sql.= ", special_code";
$sql.= ") VALUES (";
$sql.= "'".$facid."'";
$sql.= ", '".addslashes($desc)."'";
$sql.= ", '".$this->db->escape($desc)."'";
$sql.= ", ".price2num($price);
$sql.= ", ".price2num($qty);
$sql.= ", ".price2num($txtva);

32
htdocs/compta/facture/class/facture.class.php
View File

@@ -860,10 +860,10 @@ class Facture extends CommonObject
// Update request
$sql = "UPDATE ".MAIN_DB_PREFIX."facture SET";
$sql.= " facnumber=".(isset($this->ref)?"'".addslashes($this->ref)."'":"null").",";
$sql.= " facnumber=".(isset($this->ref)?"'".$this->db->escape($this->ref)."'":"null").",";
$sql.= " type=".(isset($this->type)?$this->type:"null").",";
$sql.= " ref_client=".(isset($this->ref_client)?"'".addslashes($this->ref_client)."'":"null").",";
$sql.= " increment=".(isset($this->increment)?"'".addslashes($this->increment)."'":"null").",";
$sql.= " ref_client=".(isset($this->ref_client)?"'".$this->db->escape($this->ref_client)."'":"null").",";
$sql.= " increment=".(isset($this->increment)?"'".$this->db->escape($this->increment)."'":"null").",";
$sql.= " fk_soc=".(isset($this->socid)?$this->socid:"null").",";
$sql.= " datec=".(strval($this->date_creation)!='' ? "'".$this->db->idate($this->date_creation)."'" : 'null').",";
$sql.= " datef=".(strval($this->date)!='' ? "'".$this->db->idate($this->date)."'" : 'null').",";
@@ -873,8 +873,8 @@ class Facture extends CommonObject
$sql.= " remise_percent=".(isset($this->remise_percent)?$this->remise_percent:"null").",";
$sql.= " remise_absolue=".(isset($this->remise_absolue)?$this->remise_absolue:"null").",";
$sql.= " remise=".(isset($this->remise)?$this->remise:"null").",";
$sql.= " close_code=".(isset($this->close_code)?"'".addslashes($this->close_code)."'":"null").",";
$sql.= " close_note=".(isset($this->close_note)?"'".addslashes($this->close_note)."'":"null").",";
$sql.= " close_code=".(isset($this->close_code)?"'".$this->db->escape($this->close_code)."'":"null").",";
$sql.= " close_note=".(isset($this->close_note)?"'".$this->db->escape($this->close_note)."'":"null").",";
$sql.= " tva=".(isset($this->total_tva)?$this->total_tva:"null").",";
$sql.= " localtax1=".(isset($this->total_localtax1)?$this->total_localtax1:"null").",";
$sql.= " localtax2=".(isset($this->total_localtax2)?$this->total_localtax2:"null").",";
@@ -888,10 +888,10 @@ class Facture extends CommonObject
$sql.= " fk_cond_reglement=".(isset($this->cond_reglement_id)?$this->cond_reglement_id:"null").",";
$sql.= " fk_mode_reglement=".(isset($this->mode_reglement_id)?$this->mode_reglement_id:"null").",";
$sql.= " date_lim_reglement=".(strval($this->date_lim_reglement)!='' ? "'".$this->db->idate($this->date_lim_reglement)."'" : 'null').",";
$sql.= " note=".(isset($this->note)?"'".addslashes($this->note)."'":"null").",";
$sql.= " note_public=".(isset($this->note_public)?"'".addslashes($this->note_public)."'":"null").",";
$sql.= " model_pdf=".(isset($this->modelpdf)?"'".addslashes($this->modelpdf)."'":"null").",";
$sql.= " import_key=".(isset($this->import_key)?"'".addslashes($this->import_key)."'":"null")."";
$sql.= " note=".(isset($this->note)?"'".$this->db->escape($this->note)."'":"null").",";
$sql.= " note_public=".(isset($this->note_public)?"'".$this->db->escape($this->note_public)."'":"null").",";
$sql.= " model_pdf=".(isset($this->modelpdf)?"'".$this->db->escape($this->modelpdf)."'":"null").",";
$sql.= " import_key=".(isset($this->import_key)?"'".$this->db->escape($this->import_key)."'":"null")."";
$sql.= " WHERE rowid=".$this->id;
@@ -1028,7 +1028,7 @@ class Facture extends CommonObject
if (empty($ref_client))
$sql .= ' SET ref_client = NULL';
else
$sql .= ' SET ref_client = \''.addslashes($ref_client).'\'';
$sql .= ' SET ref_client = \''.$this->db->escape($ref_client).'\'';
$sql .= ' WHERE rowid = '.$this->id;
if ($this->db->query($sql))
{
@@ -1216,8 +1216,8 @@ class Facture extends CommonObject
$sql = 'UPDATE '.MAIN_DB_PREFIX.'facture SET';
$sql.= ' fk_statut=2';
if (! $close_code) $sql.= ', paye=1';
if ($close_code) $sql.= ", close_code='".addslashes($close_code)."'";
if ($close_note) $sql.= ", close_note='".addslashes($close_note)."'";
if ($close_code) $sql.= ", close_code='".$this->db->escape($close_code)."'";
if ($close_note) $sql.= ", close_note='".$this->db->escape($close_note)."'";
$sql.= ' WHERE rowid = '.$this->id;
$resql = $this->db->query($sql);
@@ -1325,8 +1325,8 @@ class Facture extends CommonObject
$sql = 'UPDATE '.MAIN_DB_PREFIX.'facture SET';
$sql.= ' fk_statut=3';
if ($close_code) $sql.= ", close_code='".addslashes($close_code)."'";
if ($close_note) $sql.= ", close_note='".addslashes($close_note)."'";
if ($close_code) $sql.= ", close_code='".$this->db->escape($close_code)."'";
if ($close_note) $sql.= ", close_note='".$this->db->escape($close_note)."'";
$sql.= ' WHERE rowid = '.$this->id;
$resql = $this->db->query($sql);
@@ -3202,7 +3202,7 @@ class FactureLigne
$sql.= ' rang, special_code,';
$sql.= ' info_bits, total_ht, total_tva, total_localtax1, total_localtax2, total_ttc)';
$sql.= " VALUES (".$this->fk_facture.",";
$sql.= " '".addslashes($this->desc)."',";
$sql.= " '".$this->db->escape($this->desc)."',";
$sql.= " ".price2num($this->qty).",";
$sql.= " ".price2num($this->tva_tx).",";
$sql.= " ".price2num($this->localtax1_tx).",";
@@ -3329,7 +3329,7 @@ class FactureLigne
// Mise a jour ligne en base
$sql = "UPDATE ".MAIN_DB_PREFIX."facturedet SET";
$sql.= " description='".addslashes($this->desc)."'";
$sql.= " description='".$this->db->escape($this->desc)."'";
$sql.= ",subprice=".price2num($this->subprice)."";
$sql.= ",price=".price2num($this->price)."";
$sql.= ",remise=".price2num($this->remise)."";

12
htdocs/compta/facture/class/paymentterm.class.php
View File

@@ -113,11 +113,11 @@ class PaymentTerm // extends CommonObject
$sql.= ") VALUES (";
$sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->rowid."'").",";
$sql.= " ".(! isset($this->code)?'NULL':"'".addslashes($this->code)."'").",";
$sql.= " ".(! isset($this->code)?'NULL':"'".$this->db->escape($this->code)."'").",";
$sql.= " ".(! isset($this->sortorder)?'NULL':"'".$this->sortorder."'").",";
$sql.= " ".(! isset($this->active)?'NULL':"'".$this->active."'").",";
$sql.= " ".(! isset($this->libelle)?'NULL':"'".addslashes($this->libelle)."'").",";
$sql.= " ".(! isset($this->libelle_facture)?'NULL':"'".addslashes($this->libelle_facture)."'").",";
$sql.= " ".(! isset($this->libelle)?'NULL':"'".$this->db->escape($this->libelle)."'").",";
$sql.= " ".(! isset($this->libelle_facture)?'NULL':"'".$this->db->escape($this->libelle_facture)."'").",";
$sql.= " ".(! isset($this->fdm)?'NULL':"'".$this->fdm."'").",";
$sql.= " ".(! isset($this->nbjour)?'NULL':"'".$this->nbjour."'").",";
$sql.= " ".(! isset($this->decalage)?'NULL':"'".$this->decalage."'")."";
@@ -292,11 +292,11 @@ class PaymentTerm // extends CommonObject
// Update request
$sql = "UPDATE ".MAIN_DB_PREFIX."c_payment_term SET";
$sql.= " code=".(isset($this->code)?"'".addslashes($this->code)."'":"null").",";
$sql.= " code=".(isset($this->code)?"'".$this->db->escape($this->code)."'":"null").",";
$sql.= " sortorder=".(isset($this->sortorder)?$this->sortorder:"null").",";
$sql.= " active=".(isset($this->active)?$this->active:"null").",";
$sql.= " libelle=".(isset($this->libelle)?"'".addslashes($this->libelle)."'":"null").",";
$sql.= " libelle_facture=".(isset($this->libelle_facture)?"'".addslashes($this->libelle_facture)."'":"null").",";
$sql.= " libelle=".(isset($this->libelle)?"'".$this->db->escape($this->libelle)."'":"null").",";
$sql.= " libelle_facture=".(isset($this->libelle_facture)?"'".$this->db->escape($this->libelle_facture)."'":"null").",";
$sql.= " fdm=".(isset($this->fdm)?$this->fdm:"null").",";
$sql.= " nbjour=".(isset($this->nbjour)?$this->nbjour:"null").",";
$sql.= " decalage=".(isset($this->decalage)?$this->decalage:"null")."";

2
htdocs/compta/paiement/cheque/class/remisecheque.class.php
View File

@@ -73,7 +73,7 @@ class RemiseCheque extends CommonObject
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."bank_account as ba ON bc.fk_bank_account = ba.rowid";
$sql.= " WHERE bc.entity = ".$conf->entity;
if ($id) $sql.= " AND bc.rowid = ".$id;
if ($ref) $sql.= " AND bc.number = '".addslashes($ref)."'";
if ($ref) $sql.= " AND bc.number = '".$this->db->escape($ref)."'";
dol_syslog("RemiseCheque::fetch sql=".$sql, LOG_DEBUG);
$resql = $this->db->query($sql);

2
htdocs/compta/paiement/class/paiement.class.php
View File

@@ -150,7 +150,7 @@ class Paiement
$this->db->begin();
$sql = "INSERT INTO ".MAIN_DB_PREFIX."paiement (datec, datep, amount, fk_paiement, num_paiement, note, fk_user_creat)";
$sql.= " VALUES ('".$this->db->idate($now)."', '".$this->db->idate($this->datepaye)."', '".$totalamount."', ".$this->paiementid.", '".$this->num_paiement."', '".addslashes($this->note)."', ".$user->id.")";
$sql.= " VALUES ('".$this->db->idate($now)."', '".$this->db->idate($this->datepaye)."', '".$totalamount."', ".$this->paiementid.", '".$this->num_paiement."', '".$this->db->escape($this->note)."', ".$user->id.")";
dol_syslog(get_class($this)."::Create insert paiement sql=".$sql);
$resql = $this->db->query($sql);

2
htdocs/compta/prelevement/class/bon-prelevement.class.php
View File

@@ -208,7 +208,7 @@ class BonPrelevement extends CommonObject
$sql.= ") VALUES (";
$sql.= $this->id;
$sql.= ", ".$client_id;
$sql.= ", '".addslashes($client_nom)."'";
$sql.= ", '".$this->db->escape($client_nom)."'";
$sql.= ", '".price2num($amount)."'";
$sql.= ", '".$code_banque."'";
$sql.= ", '".$code_guichet."'";

4
htdocs/compta/sociales/class/chargesociales.class.php
View File

@@ -123,7 +123,7 @@ class ChargeSociales extends CommonObject
$this->db->begin();
$sql = "INSERT INTO ".MAIN_DB_PREFIX."chargesociales (fk_type, libelle, date_ech, periode, amount)";
$sql.= " VALUES (".$this->type.",'".addslashes($this->lib)."',";
$sql.= " VALUES (".$this->type.",'".$this->db->escape($this->lib)."',";
$sql.= " '".$this->db->idate($this->date_ech)."','".$this->db->idate($this->periode)."',";
$sql.= " ".price2num($newamount);
$sql.= ")";
@@ -180,7 +180,7 @@ class ChargeSociales extends CommonObject
$this->db->begin();
$sql = "UPDATE ".MAIN_DB_PREFIX."chargesociales";
$sql.= " SET libelle='".addslashes($this->lib)."',";
$sql.= " SET libelle='".$this->db->escape($this->lib)."',";
$sql.= " date_ech='".$this->db->idate($this->date_ech)."',";
$sql.= " periode='".$this->db->idate($this->periode)."'";
$sql.= " WHERE rowid=".$this->id;

6
htdocs/compta/sociales/class/paymentsocialcontribution.class.php
View File

@@ -117,7 +117,7 @@ class PaymentSocialContribution extends CommonObject
$sql.= " VALUES ($this->chid, '".$this->db->idate($now)."',";
$sql.= " '".$this->db->idate($this->datepaye)."',";
$sql.= " ".$totalamount.",";
$sql.= " ".$this->paiementtype.", '".addslashes($this->num_paiement)."', '".addslashes($this->note)."', ".$user->id.",";
$sql.= " ".$this->paiementtype.", '".$this->db->escape($this->num_paiement)."', '".$this->db->escape($this->note)."', ".$user->id.",";
$sql.= " 0)";
dol_syslog(get_class($this)."::create sql=".$sql);
@@ -254,8 +254,8 @@ class PaymentSocialContribution extends CommonObject
$sql.= " datep=".(dol_strlen($this->datep)!=0 ? "'".$this->db->idate($this->datep)."'" : 'null').",";
$sql.= " amount=".(isset($this->amount)?$this->amount:"null").",";
$sql.= " fk_typepaiement=".(isset($this->fk_typepaiement)?$this->fk_typepaiement:"null").",";
$sql.= " num_paiement=".(isset($this->num_paiement)?"'".addslashes($this->num_paiement)."'":"null").",";
$sql.= " note=".(isset($this->note)?"'".addslashes($this->note)."'":"null").",";
$sql.= " num_paiement=".(isset($this->num_paiement)?"'".$this->db->escape($this->num_paiement)."'":"null").",";
$sql.= " note=".(isset($this->note)?"'".$this->db->escape($this->note)."'":"null").",";
$sql.= " fk_bank=".(isset($this->fk_bank)?$this->fk_bank:"null").",";
$sql.= " fk_user_creat=".(isset($this->fk_user_creat)?$this->fk_user_creat:"null").",";
$sql.= " fk_user_modif=".(isset($this->fk_user_modif)?$this->fk_user_modif:"null")."";

8
htdocs/compta/tva/class/tva.class.php
View File

@@ -172,8 +172,8 @@ class Tva extends CommonObject
$sql.= " datep=".$this->db->idate($this->datep).",";
$sql.= " datev=".$this->db->idate($this->datev).",";
$sql.= " amount='".$this->amount."',";
$sql.= " label='".addslashes($this->label)."',";
$sql.= " note='".addslashes($this->note)."',";
$sql.= " label='".$this->db->escape($this->label)."',";
$sql.= " note='".$this->db->escape($this->note)."',";
$sql.= " fk_bank='".$this->fk_bank."',";
$sql.= " fk_user_creat='".$this->fk_user_creat."',";
$sql.= " fk_user_modif='".$this->fk_user_modif."'";
@@ -504,8 +504,8 @@ class Tva extends CommonObject
$sql.= ") ";
$sql.= " VALUES ('".$this->db->idate($this->datep)."',";
$sql.= "'".$this->db->idate($this->datev)."'," . $this->amount;
if ($this->note) $sql.=", '".addslashes($this->note)."'";
if ($this->label) $sql.=", '".addslashes($this->label)."'";
if ($this->note) $sql.=", '".$this->db->escape($this->note)."'";
if ($this->label) $sql.=", '".$this->db->escape($this->label)."'";
$sql.=", '".$user->id."', NULL";
$sql.= ")";

34
htdocs/contact/class/contact.class.php
View File

@@ -112,7 +112,7 @@ class Contact extends CommonObject
$sql.= " VALUES ('".$this->db->idate($now)."',";
if ($this->socid > 0) $sql.= " ".$this->socid.",";
else $sql.= "null,";
$sql.= "'".addslashes($this->name)."',";
$sql.= "'".$this->db->escape($this->name)."',";
$sql.= " ".($user->id > 0 ? "'".$user->id."'":"null").",";
$sql.= " ".$this->priv.",";
$sql.= " ".($this->canvas?"'".$this->canvas."'":"null");
@@ -204,24 +204,24 @@ class Contact extends CommonObject
$this->db->begin();
$sql = "UPDATE ".MAIN_DB_PREFIX."socpeople SET ";
if ($this->socid > 0) $sql .= " fk_soc='".addslashes($this->socid)."',";
if ($this->socid > 0) $sql .= " fk_soc='".$this->db->escape($this->socid)."',";
if ($this->socid == -1) $sql .= " fk_soc=null,";
$sql .= " civilite='".addslashes($this->civilite_id)."'";
$sql .= ", name='".addslashes($this->name)."'";
$sql .= ", firstname='".addslashes($this->firstname)."'";
$sql .= ", address='".addslashes($this->address)."'";
$sql .= ", cp='".addslashes($this->cp)."'";
$sql .= ", ville='".addslashes($this->ville)."'";
$sql .= " civilite='".$this->db->escape($this->civilite_id)."'";
$sql .= ", name='".$this->db->escape($this->name)."'";
$sql .= ", firstname='".$this->db->escape($this->firstname)."'";
$sql .= ", address='".$this->db->escape($this->address)."'";
$sql .= ", cp='".$this->db->escape($this->cp)."'";
$sql .= ", ville='".$this->db->escape($this->ville)."'";
$sql .= ", fk_pays=".($this->fk_pays>0?$this->fk_pays:'NULL');
$sql .= ", fk_departement=".($this->fk_departement>0?$this->fk_departement:'NULL');
$sql .= ", poste='".addslashes($this->poste)."'";
$sql .= ", fax='".addslashes($this->fax)."'";
$sql .= ", email='".addslashes($this->email)."'";
$sql .= ", note='".addslashes($this->note)."'";
$sql .= ", phone = '".addslashes($this->phone_pro)."'";
$sql .= ", phone_perso = '".addslashes($this->phone_perso)."'";
$sql .= ", phone_mobile = '".addslashes($this->phone_mobile)."'";
$sql .= ", jabberid = '".addslashes($this->jabberid)."'";
$sql .= ", poste='".$this->db->escape($this->poste)."'";
$sql .= ", fax='".$this->db->escape($this->fax)."'";
$sql .= ", email='".$this->db->escape($this->email)."'";
$sql .= ", note='".$this->db->escape($this->note)."'";
$sql .= ", phone = '".$this->db->escape($this->phone_pro)."'";
$sql .= ", phone_perso = '".$this->db->escape($this->phone_perso)."'";
$sql .= ", phone_mobile = '".$this->db->escape($this->phone_mobile)."'";
$sql .= ", jabberid = '".$this->db->escape($this->jabberid)."'";
$sql .= ", priv = '".$this->priv."'";
$sql .= ", fk_user_modif=".($user->id > 0 ? "'".$user->id."'":"null");
$sql .= ", default_lang=".($this->default_lang?"'".$this->default_lang."'":"null");
@@ -752,7 +752,7 @@ class Contact extends CommonObject
{
$sql = "SELECT count(mc.email) as nb";
$sql.= " FROM ".MAIN_DB_PREFIX."mailing_cibles as mc";
$sql.= " WHERE mc.email = '".addslashes($this->email)."'";
$sql.= " WHERE mc.email = '".$this->db->escape($this->email)."'";
$sql.= " AND mc.statut=1"; // -1 erreur, 0 non envoye, 1 envoye avec succes
$resql=$this->db->query($sql);
if ($resql)

14
htdocs/contrat/class/contrat.class.php
View File

@@ -154,7 +154,7 @@ class Contrat extends CommonObject
$sql.= " date_fin_validite = ".(dol_strlen($date_end)!=0?"'".$this->db->idate($date_end)."'":"null").",";
$sql.= " fk_user_ouverture = ".$user->id.",";
$sql.= " date_cloture = null,";
$sql.= " commentaire = '".addslashes($comment)."'";
$sql.= " commentaire = '".$this->db->escape($comment)."'";
$sql.= " WHERE rowid = ".$line_id . " AND (statut = 0 OR statut = 3 OR statut = 5)";
dol_syslog("Contrat::active_line sql=".$sql);
@@ -200,7 +200,7 @@ class Contrat extends CommonObject
$sql = "UPDATE ".MAIN_DB_PREFIX."contratdet SET statut = 5,";
$sql.= " date_cloture = '".$this->db->idate($date_end)."',";
$sql.= " fk_user_cloture = ".$user->id.",";
$sql.= " commentaire = '".addslashes($comment)."'";
$sql.= " commentaire = '".$this->db->escape($comment)."'";
$sql.= " WHERE rowid = ".$line_id . " AND statut = 4";
$resql = $this->db->query($sql) ;
@@ -885,7 +885,7 @@ class Contrat extends CommonObject
$sql.= " price_ht, remise"; // \TODO A virer
if ($date_start > 0) { $sql.= ",date_ouverture_prevue"; }
if ($date_end > 0) { $sql.= ",date_fin_validite"; }
$sql.= ") VALUES ($this->id, '" . addslashes($label) . "','" . addslashes($desc) . "',";
$sql.= ") VALUES ($this->id, '" . $this->db->escape($label) . "','" . $this->db->escape($desc) . "',";
$sql.= ($fk_product>0 ? $fk_product : "null").",";
$sql.= " '".$qty."',";
$sql.= " '".$txtva."',";
@@ -978,7 +978,7 @@ class Contrat extends CommonObject
$this->db->begin();
$sql = "UPDATE ".MAIN_DB_PREFIX."contratdet set description='".addslashes($desc)."'";
$sql = "UPDATE ".MAIN_DB_PREFIX."contratdet set description='".$this->db->escape($desc)."'";
$sql .= ",price_ht='" . price2num($price)."'";
$sql .= ",subprice='" . price2num($subprice)."'";
$sql .= ",remise='" . price2num($remise)."'";
@@ -1794,8 +1794,8 @@ class ContratLigne
$sql.= " fk_contrat='".$this->fk_contrat."',";
$sql.= " fk_product=".($this->fk_product?"'".$this->fk_product."'":'null').",";
$sql.= " statut='".$this->statut."',";
$sql.= " label='".addslashes($this->label)."',";
$sql.= " description='".addslashes($this->description)."',";
$sql.= " label='".$this->db->escape($this->label)."',";
$sql.= " description='".$this->db->escape($this->description)."',";
$sql.= " date_commande=".($this->date_commande!=''?$this->db->idate($this->date_commande):"null").",";
$sql.= " date_ouverture_prevue=".($this->date_ouverture_prevue!=''?$this->db->idate($this->date_ouverture_prevue):"null").",";
$sql.= " date_ouverture=".($this->date_ouverture!=''?$this->db->idate($this->date_ouverture):"null").",";
@@ -1819,7 +1819,7 @@ class ContratLigne
$sql.= " fk_user_author=".($this->fk_user_author >= 0?$this->fk_user_author:"NULL").",";
$sql.= " fk_user_ouverture=".($this->fk_user_ouverture > 0?$this->fk_user_ouverture:"NULL").",";
$sql.= " fk_user_cloture=".($this->fk_user_cloture > 0?$this->fk_user_cloture:"NULL").",";
$sql.= " commentaire='".addslashes($this->commentaire)."'";
$sql.= " commentaire='".$this->db->escape($this->commentaire)."'";
$sql.= " WHERE rowid=".$this->id;
dol_syslog("ContratLigne::update sql=".$sql, LOG_DEBUG);

10
htdocs/core/class/commonobject.class.php
View File

@@ -563,7 +563,7 @@ class CommonObject
$sql.= " FROM ".MAIN_DB_PREFIX.$this->table_element." as te";
if ($this->ismultientitymanaged == 2 || ($this->element != 'societe' && !$this->isnolinkedbythird && !$user->rights->societe->client->voir)) $sql.= ", ".MAIN_DB_PREFIX."societe as s"; // If we need to link to societe to limit select to entity
if (!$this->isnolinkedbythird && !$user->rights->societe->client->voir) $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON ".$alias.".rowid = sc.fk_soc";
$sql.= " WHERE te.".$fieldid." < '".addslashes($this->ref)."'";
$sql.= " WHERE te.".$fieldid." < '".$this->db->escape($this->ref)."'";
if (!$this->isnolinkedbythird && !$user->rights->societe->client->voir) $sql.= " AND sc.fk_user = " .$user->id;
if (! empty($filter)) $sql.=" AND ".$filter;
if ($this->ismultientitymanaged == 2 || ($this->element != 'societe' && !$this->isnolinkedbythird && !$user->rights->societe->client->voir)) $sql.= ' AND te.fk_soc = s.rowid'; // If we need to link to societe to limit select to entity
@@ -584,7 +584,7 @@ class CommonObject
$sql.= " FROM ".MAIN_DB_PREFIX.$this->table_element." as te";
if ($this->ismultientitymanaged == 2 || ($this->element != 'societe' && !$this->isnolinkedbythird && !$user->rights->societe->client->voir)) $sql.= ", ".MAIN_DB_PREFIX."societe as s"; // If we need to link to societe to limit select to entity
if (!$this->isnolinkedbythird && !$user->rights->societe->client->voir) $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON ".$alias.".rowid = sc.fk_soc";
$sql.= " WHERE te.".$fieldid." > '".addslashes($this->ref)."'";
$sql.= " WHERE te.".$fieldid." > '".$this->db->escape($this->ref)."'";
if (!$this->isnolinkedbythird && !$user->rights->societe->client->voir) $sql.= " AND sc.fk_user = " .$user->id;
if (isset($filter)) $sql.=" AND ".$filter;
if ($this->ismultientitymanaged == 2 || ($this->element != 'societe' && !$this->isnolinkedbythird && !$user->rights->societe->client->voir)) $sql.= ' AND te.fk_soc = s.rowid'; // If we need to link to societe to limit select to entity
@@ -925,11 +925,11 @@ class CommonObject
// TODO uniformize fields note_private
if ($this->table_element == 'fichinter' || $this->table_element == 'projet' || $this->table_element == 'projet_task')
{
$sql.= " SET note_private = '".addslashes($note)."'";
$sql.= " SET note_private = '".$this->db->escape($note)."'";
}
else
{
$sql.= " SET note = '".addslashes($note)."'";
$sql.= " SET note = '".$this->db->escape($note)."'";
}
$sql.= " WHERE rowid =". $this->id;
@@ -961,7 +961,7 @@ class CommonObject
}
$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element;
$sql.= " SET note_public = '".addslashes($note_public)."'";
$sql.= " SET note_public = '".$this->db->escape($note_public)."'";
$sql.= " WHERE rowid =". $this->id;
dol_syslog("CommonObject::update_note_public sql=".$sql);

2
htdocs/core/class/discount.class.php
View File

@@ -152,7 +152,7 @@ class DiscountAbsolute
$sql.= " amount_ht, amount_tva, amount_ttc, tva_tx,";
$sql.= " fk_facture_source";
$sql.= ")";
$sql.= " VALUES (".$this->db->idate($this->datec!=''?$this->datec:dol_now()).", ".$this->fk_soc.", ".$user->id.", '".addslashes($this->description)."',";
$sql.= " VALUES (".$this->db->idate($this->datec!=''?$this->datec:dol_now()).", ".$this->fk_soc.", ".$user->id.", '".$this->db->escape($this->description)."',";
$sql.= " ".$this->amount_ht.", ".$this->amount_tva.", ".$this->amount_ttc.", ".$this->tva_tx.",";
$sql.= " ".($this->fk_facture_source?"'".$this->fk_facture_source."'":"null");
$sql.= ")";

4
htdocs/core/class/events.class.php
View File

@@ -98,7 +98,7 @@ class Events // extends CommonObject
$sql.= " ".($_SERVER['HTTP_USER_AGENT']?"'".dol_trunc($_SERVER['HTTP_USER_AGENT'],250)."'":'NULL').",";
$sql.= " ".$this->db->idate($this->dateevent).",";
$sql.= " ".($user->id?"'".$user->id."'":'NULL').",";
$sql.= " '".addslashes($this->description)."'";
$sql.= " '".$this->db->escape($this->description)."'";
$sql.= ")";
dol_syslog("Events::create sql=".$sql, LOG_DEBUG);
@@ -139,7 +139,7 @@ class Events // extends CommonObject
$sql = "UPDATE ".MAIN_DB_PREFIX."events SET";
$sql.= " type='".$this->type."',";
$sql.= " dateevent=".$this->db->idate($this->dateevent).",";
$sql.= " description='".addslashes($this->description)."'";
$sql.= " description='".$this->db->escape($this->description)."'";
$sql.= " WHERE rowid=".$this->id;
dol_syslog("Events::update sql=".$sql, LOG_DEBUG);

20
htdocs/core/class/menubase.class.php
View File

@@ -195,20 +195,20 @@ class Menubase
// Update request
$sql = "UPDATE ".MAIN_DB_PREFIX."menu SET";
$sql.= " menu_handler='".addslashes($this->menu_handler)."',";
$sql.= " module='".addslashes($this->module)."',";
$sql.= " menu_handler='".$this->db->escape($this->menu_handler)."',";
$sql.= " module='".$this->db->escape($this->module)."',";
$sql.= " type='".$this->type."',";
$sql.= " mainmenu='".addslashes($this->mainmenu)."',";
$sql.= " mainmenu='".$this->db->escape($this->mainmenu)."',";
$sql.= " fk_menu='".$this->fk_menu."',";
$sql.= " position='".$this->position."',";
$sql.= " url='".addslashes($this->url)."',";
$sql.= " target='".addslashes($this->target)."',";
$sql.= " titre='".addslashes($this->titre)."',";
$sql.= " langs='".addslashes($this->langs)."',";
$sql.= " url='".$this->db->escape($this->url)."',";
$sql.= " target='".$this->db->escape($this->target)."',";
$sql.= " titre='".$this->db->escape($this->titre)."',";
$sql.= " langs='".$this->db->escape($this->langs)."',";
$sql.= " level='".$this->level."',";
$sql.= " leftmenu='".addslashes($this->leftmenu)."',";
$sql.= " perms='".addslashes($this->perms)."',";
$sql.= " enabled='".addslashes($this->enabled)."',";
$sql.= " leftmenu='".$this->db->escape($this->leftmenu)."',";
$sql.= " perms='".$this->db->escape($this->perms)."',";
$sql.= " enabled='".$this->db->escape($this->enabled)."',";
$sql.= " usertype='".$this->user."'";
$sql.= " WHERE rowid=".$this->id;

2
htdocs/core/class/notify.class.php
View File

@@ -208,7 +208,7 @@ class Notify
$sendto = htmlentities($sendto);
$sql = "INSERT INTO ".MAIN_DB_PREFIX."notify (daten, fk_action, fk_contact, objet_type, objet_id, email)";
$sql.= " VALUES (".$this->db->idate(mktime()).", ".$actiondefid." ,".$obj->cid." , '".$objet_type."', ".$objet_id.", '".addslashes($obj->email)."')";
$sql.= " VALUES (".$this->db->idate(mktime()).", ".$actiondefid." ,".$obj->cid." , '".$objet_type."', ".$objet_id.", '".$this->db->escape($obj->email)."')";
dol_syslog("Notify::send sql=".$sql);
if (! $this->db->query($sql) )
{

8
htdocs/ecm/class/ecmdirectory.class.php
View File

@@ -131,10 +131,10 @@ class EcmDirectory // extends CommonObject
$sql.= "date_c,";
$sql.= "fk_user_c";
$sql.= ") VALUES (";
$sql.= " '".addslashes($this->label)."',";
$sql.= " '".$this->db->escape($this->label)."',";
$sql.= " '".$conf->entity."',";
$sql.= " '".$this->fk_parent."',";
$sql.= " '".addslashes($this->description)."',";
$sql.= " '".$this->db->escape($this->description)."',";
$sql.= " ".($this->cachenbofdoc).",";
$sql.= " '".$this->db->idate($this->date_c)."',";
$sql.= " '".$this->fk_user_c."'";
@@ -201,9 +201,9 @@ class EcmDirectory // extends CommonObject
// Update request
$sql = "UPDATE ".MAIN_DB_PREFIX."ecm_directories SET";
$sql.= " label='".addslashes($this->label)."',";
$sql.= " label='".$this->db->escape($this->label)."',";
$sql.= " fk_parent='".$this->fk_parent."',";
$sql.= " description='".addslashes($this->description)."'";
$sql.= " description='".$this->db->escape($this->description)."'";
$sql.= " WHERE rowid=".$this->id;
dol_syslog("EcmDirectories::update sql=".$sql, LOG_DEBUG);

12
htdocs/expedition/class/expedition.class.php
View File

@@ -182,7 +182,7 @@ class Expedition extends CommonObject
$sql.= ", ".$this->socid;
$sql.= ", ".($this->fk_delivery_address>0?$this->fk_delivery_address:"null");
$sql.= ", ".($this->expedition_method_id>0?$this->expedition_method_id:"null");
$sql.= ", '".addslashes($this->tracking_number)."'";
$sql.= ", '".$this->db->escape($this->tracking_number)."'";
$sql.= ", ".$this->weight;
$sql.= ", ".$this->sizeS; // TODO Should use this->trueDepth
$sql.= ", ".$this->sizeW; // TODO Should use this->trueWidth
@@ -664,8 +664,8 @@ class Expedition extends CommonObject
$sql = "UPDATE ".MAIN_DB_PREFIX."expedition SET";
$sql.= " tms=".(dol_strlen($this->tms)!=0 ? "'".$this->db->idate($this->tms)."'" : 'null').",";
$sql.= " ref=".(isset($this->ref)?"'".addslashes($this->ref)."'":"null").",";
$sql.= " ref_customer=".(isset($this->ref_customer)?"'".addslashes($this->ref_customer)."'":"null").",";
$sql.= " ref=".(isset($this->ref)?"'".$this->db->escape($this->ref)."'":"null").",";
$sql.= " ref_customer=".(isset($this->ref_customer)?"'".$this->db->escape($this->ref_customer)."'":"null").",";
$sql.= " fk_soc=".(isset($this->socid)?$this->socid:"null").",";
$sql.= " date_creation=".(dol_strlen($this->date_creation)!=0 ? "'".$this->db->idate($this->date_creation)."'" : 'null').",";
$sql.= " fk_user_author=".(isset($this->fk_user_author)?$this->fk_user_author:"null").",";
@@ -675,7 +675,7 @@ class Expedition extends CommonObject
$sql.= " date_delivery=".(dol_strlen($this->date_delivery)!=0 ? "'".$this->db->idate($this->date_delivery)."'" : 'null').",";
$sql.= " fk_address=".(isset($this->fk_adresse_livraison)?$this->fk_adresse_livraison:"null").",";
$sql.= " fk_expedition_methode=".(isset($this->expedition_method_id)?$this->expedition_method_id:"null").",";
$sql.= " tracking_number=".(isset($this->tracking_number)?"'".addslashes($this->tracking_number)."'":"null").",";
$sql.= " tracking_number=".(isset($this->tracking_number)?"'".$this->db->escape($this->tracking_number)."'":"null").",";
$sql.= " fk_statut=".(isset($this->statut)?$this->statut:"null").",";
$sql.= " height=".(isset($this->trueHeight)?$this->trueHeight:"null").",";
$sql.= " width=".(isset($this->trueWidth)?$this->trueWidth:"null").",";
@@ -683,8 +683,8 @@ class Expedition extends CommonObject
$sql.= " size=".(isset($this->trueDepth)?$this->trueDepth:"null").",";
$sql.= " weight_units=".(isset($this->weight_units)?$this->weight_units:"null").",";
$sql.= " weight=".(isset($this->trueWeight)?$this->trueWeight:"null").",";
$sql.= " note=".(isset($this->note)?"'".addslashes($this->note)."'":"null").",";
$sql.= " model_pdf=".(isset($this->model_pdf)?"'".addslashes($this->model_pdf)."'":"null").",";
$sql.= " note=".(isset($this->note)?"'".$this->db->escape($this->note)."'":"null").",";
$sql.= " model_pdf=".(isset($this->model_pdf)?"'".$this->db->escape($this->model_pdf)."'":"null").",";
$sql.= " entity=".$conf->entity;
$sql.= " WHERE rowid=".$this->id;

10
htdocs/fichinter/class/fichinter.class.php
View File

@@ -141,7 +141,7 @@ class Fichinter extends CommonObject
$sql.= ", '".$this->ref."'";
$sql.= ", ".$conf->entity;
$sql.= ", ".$this->author;
$sql.= ", ".($this->description?"'".addslashes($this->description)."'":"null");
$sql.= ", ".($this->description?"'".$this->db->escape($this->description)."'":"null");
$sql.= ", '".$this->modelpdf."'";
$sql.= ", ".($this->fk_project ? $this->fk_project : 0);
$sql.= ", ".$this->statut;
@@ -180,7 +180,7 @@ class Fichinter extends CommonObject
* Insertion dans la base
*/
$sql = "UPDATE ".MAIN_DB_PREFIX."fichinter SET ";
$sql.= ", description = '".addslashes($this->description)."'";
$sql.= ", description = '".$this->db->escape($this->description)."'";
$sql.= ", duree = ".$this->duree;
$sql.= ", fk_projet = ".$this->fk_project;
$sql.= " WHERE rowid = ".$id;
@@ -638,7 +638,7 @@ class Fichinter extends CommonObject
if ($user->rights->ficheinter->creer)
{
$sql = "UPDATE ".MAIN_DB_PREFIX."fichinter ";
$sql.= " SET description = '".addslashes($description)."'";
$sql.= " SET description = '".$this->db->escape($description)."'";
$sql.= " WHERE rowid = ".$this->id;
$sql.= " AND entity = ".$conf->entity;
$sql.= " AND fk_statut = 0";
@@ -895,7 +895,7 @@ class FichinterLigne
$sql = 'INSERT INTO '.MAIN_DB_PREFIX.'fichinterdet';
$sql.= ' (fk_fichinter, description, date, duree, rang)';
$sql.= " VALUES (".$this->fk_fichinter.",";
$sql.= " '".addslashes($this->desc)."',";
$sql.= " '".$this->db->escape($this->desc)."',";
$sql.= " ".$this->db->idate($this->datei).",";
$sql.= " ".$this->duration.",";
$sql.= ' '.$rangToUse;
@@ -938,7 +938,7 @@ class FichinterLigne
// Mise a jour ligne en base
$sql = "UPDATE ".MAIN_DB_PREFIX."fichinterdet SET";
$sql.= " description='".addslashes($this->desc)."'";
$sql.= " description='".$this->db->escape($this->desc)."'";
$sql.= ",date=".$this->db->idate($this->datei);
$sql.= ",duree=".$this->duration;
$sql.= ",rang='".$this->rang."'";

2
htdocs/fourn/class/fournisseur.class.php
View File

@@ -222,7 +222,7 @@ class Fournisseur extends Societe
{
$sql = "INSERT INTO ".MAIN_DB_PREFIX."categorie (label,visible,type)";
$sql.= " VALUES ";
$sql.= " ('".addslashes($name)."',1,1)";
$sql.= " ('".$this->db->escape($name)."',1,1)";
dol_syslog("Fournisseur::CreateCategory sql=".$sql);
$resql = $this->db->query($sql);

12
htdocs/fourn/class/fournisseur.commande.class.php
View File

@@ -232,7 +232,7 @@ class CommandeFournisseur extends Commande
$sql = "INSERT INTO ".MAIN_DB_PREFIX."commande_fournisseur_log (datelog, fk_commande, fk_statut, fk_user, comment)";
$sql.= " VALUES (".$this->db->idate($datelog).",".$this->id.", ".$statut.", ";
$sql.= $user->id.", ";
$sql.= ($comment?"'".addslashes($comment)."'":'null');
$sql.= ($comment?"'".$this->db->escape($comment)."'":'null');
$sql.= ")";
dol_syslog("FournisseurCommande::log sql=".$sql, LOG_DEBUG);
@@ -926,7 +926,7 @@ class CommandeFournisseur extends Commande
$sql.= " qty, tva_tx, localtax1_tx, localtax2_tx, remise_percent, subprice, remise, ref,";
$sql.= " total_ht, total_tva, total_localtax1, total_localtax2, total_ttc";
$sql.= ")";
$sql.= " VALUES (".$this->id.", '" . addslashes($label) . "','" . addslashes($desc) . "',";
$sql.= " VALUES (".$this->id.", '" . $this->db->escape($label) . "','" . $this->db->escape($desc) . "',";
if ($fk_product) { $sql.= $fk_product.","; }
else { $sql.= "null,"; }
$sql.= "'".$product_type."',";
@@ -1230,7 +1230,7 @@ class CommandeFournisseur extends Commande
$sql = "INSERT INTO ".MAIN_DB_PREFIX."commande_fournisseurdet";
$sql .= " (fk_commande,label,description,fk_product, price, qty, tva_tx, localtax1_tx, localtax2_tx, remise_percent, subprice, remise, ref)";
$sql .= " VALUES (".$idc.", '" . addslashes($libelle) . "','" . addslashes($comclient->lines[$i]->desc) . "'";
$sql .= " VALUES (".$idc.", '" . $this->db->escape($libelle) . "','" . $this->db->escape($comclient->lines[$i]->desc) . "'";
$sql .= ",".$comclient->lines[$i]->fk_product.",'".price2num($comclient->lines[$i]->price)."'";
$sql .= ", '".$comclient->lines[$i]->qty."', ".$comclient->lines[$i]->tva_tx.", ".$comclient->lines[$i]->localtax1_tx.", ".$comclient->lines[$i]->localtax2_tx.", ".$comclient->lines[$i]->remise_percent;
$sql .= ", '".price2num($comclient->lines[$i]->subprice)."','0','".$ref."') ;";
@@ -1257,8 +1257,8 @@ class CommandeFournisseur extends Commande
$result = 0;
$sql = "UPDATE ".MAIN_DB_PREFIX."commande_fournisseur";
$sql.= " SET note ='".addslashes($note)."',";
$sql.= " note_public ='".addslashes($note_public)."'";
$sql.= " SET note ='".$this->db->escape($note)."',";
$sql.= " note_public ='".$this->db->escape($note_public)."'";
$sql.= " WHERE rowid = ".$this->id;
dol_syslog("CommandeFournisseur::UpdateNote sql=".$sql);
@@ -1424,7 +1424,7 @@ class CommandeFournisseur extends Commande
// Mise a jour ligne en base
$sql = "UPDATE ".MAIN_DB_PREFIX."commande_fournisseurdet SET";
$sql.= " description='".addslashes($desc)."'";
$sql.= " description='".$this->db->escape($desc)."'";
$sql.= ",subprice='".price2num($subprice)."'";
$sql.= ",remise='".price2num($remise)."'";
$sql.= ",remise_percent='".price2num($remise_percent)."'";

20
htdocs/fourn/class/fournisseur.facture.class.php
View File

@@ -569,19 +569,19 @@ class FactureFournisseur extends Facture
// Update request
$sql = "UPDATE ".MAIN_DB_PREFIX."facture_fourn SET";
$sql.= " facnumber=".(isset($this->facnumber)?"'".addslashes($this->facnumber)."'":"null").",";
$sql.= " facnumber=".(isset($this->facnumber)?"'".$this->db->escape($this->facnumber)."'":"null").",";
$sql.= " entity=".(isset($this->entity)?$this->entity:"null").",";
$sql.= " type=".(isset($this->type)?$this->type:"null").",";
$sql.= " fk_soc=".(isset($this->fk_soc)?$this->fk_soc:"null").",";
$sql.= " datec=".(dol_strlen($this->datec)!=0 ? "'".$this->db->idate($this->datec)."'" : 'null').",";
$sql.= " datef=".(dol_strlen($this->date)!=0 ? "'".$this->db->idate($this->date)."'" : 'null').",";
$sql.= " tms=".(dol_strlen($this->tms)!=0 ? "'".$this->db->idate($this->tms)."'" : 'null').",";
$sql.= " libelle=".(isset($this->label)?"'".addslashes($this->label)."'":"null").",";
$sql.= " libelle=".(isset($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
$sql.= " paye=".(isset($this->paye)?$this->paye:"null").",";
$sql.= " amount=".(isset($this->amount)?$this->amount:"null").",";
$sql.= " remise=".(isset($this->remise)?$this->remise:"null").",";
$sql.= " close_code=".(isset($this->close_code)?"'".addslashes($this->close_code)."'":"null").",";
$sql.= " close_note=".(isset($this->close_note)?"'".addslashes($this->close_note)."'":"null").",";
$sql.= " close_code=".(isset($this->close_code)?"'".$this->db->escape($this->close_code)."'":"null").",";
$sql.= " close_note=".(isset($this->close_note)?"'".$this->db->escape($this->close_note)."'":"null").",";
$sql.= " tva=".(isset($this->tva)?$this->tva:"null").",";
$sql.= " localtax1=".(isset($this->localtax1)?$this->localtax1:"null").",";
$sql.= " localtax2=".(isset($this->localtax2)?$this->localtax2:"null").",";
@@ -596,10 +596,10 @@ class FactureFournisseur extends Facture
$sql.= " fk_projet=".(isset($this->fk_project)?$this->fk_project:"null").",";
$sql.= " fk_cond_reglement=".(isset($this->fk_cond_reglement)?$this->fk_cond_reglement:"null").",";
$sql.= " date_lim_reglement=".(dol_strlen($this->date_echeance)!=0 ? "'".$this->db->idate($this->date_echeance)."'" : 'null').",";
$sql.= " note=".(isset($this->note)?"'".addslashes($this->note)."'":"null").",";
$sql.= " note_public=".(isset($this->note_public)?"'".addslashes($this->note_public)."'":"null").",";
$sql.= " model_pdf=".(isset($this->model_pdf)?"'".addslashes($this->model_pdf)."'":"null").",";
$sql.= " import_key=".(isset($this->import_key)?"'".addslashes($this->import_key)."'":"null")."";
$sql.= " note=".(isset($this->note)?"'".$this->db->escape($this->note)."'":"null").",";
$sql.= " note_public=".(isset($this->note_public)?"'".$this->db->escape($this->note_public)."'":"null").",";
$sql.= " model_pdf=".(isset($this->model_pdf)?"'".$this->db->escape($this->model_pdf)."'":"null").",";
$sql.= " import_key=".(isset($this->import_key)?"'".$this->db->escape($this->import_key)."'":"null")."";
$sql.= " WHERE rowid=".$this->id;
$this->db->begin();
@@ -700,7 +700,7 @@ class FactureFournisseur extends Facture
{
if ($user->rights->fournisseur->facture->creer)
{
$sql = 'UPDATE '.MAIN_DB_PREFIX.'facture_fourn SET facnumber = '.(empty($ref_supplier) ? 'NULL' : '\''.addslashes($ref_supplier).'\'');
$sql = 'UPDATE '.MAIN_DB_PREFIX.'facture_fourn SET facnumber = '.(empty($ref_supplier) ? 'NULL' : '\''.$this->db->escape($ref_supplier).'\'');
$sql.= ' WHERE rowid = '.$this->id;
dol_syslog("FactureFournisseur::set_ref_supplier sql=".$sql);
@@ -1096,7 +1096,7 @@ class FactureFournisseur extends Facture
}
$sql = "UPDATE ".MAIN_DB_PREFIX."facture_fourn_det SET";
$sql.= " description ='".addslashes($label)."'";
$sql.= " description ='".$this->db->escape($label)."'";
$sql.= ", pu_ht = ".price2num($pu_ht);
$sql.= ", pu_ttc = ".price2num($pu_ttc);
$sql.= ", qty = ".price2num($qty);

2
htdocs/fourn/class/paiementfourn.class.php
View File

@@ -145,7 +145,7 @@ class PaiementFourn extends Paiement
$sql = 'INSERT INTO '.MAIN_DB_PREFIX.'paiementfourn (';
$sql.= 'datec, datep, amount, fk_paiement, num_paiement, note, fk_user_author, fk_bank)';
$sql.= ' VALUES ('.$this->db->idate(mktime()).',';
$sql.= " ".$this->db->idate($this->datepaye).", '".$this->total."', ".$this->paiementid.", '".$this->num_paiement."', '".addslashes($this->note)."', ".$user->id.", 0)";
$sql.= " ".$this->db->idate($this->datepaye).", '".$this->total."', ".$this->paiementid.", '".$this->num_paiement."', '".$this->db->escape($this->note)."', ".$user->id.", 0)";
dol_syslog("PaiementFourn::create sql=".$sql);
$resql = $this->db->query($sql);

2
htdocs/imports/class/import.class.php
View File

@@ -230,7 +230,7 @@ class Import
$sql = 'INSERT INTO '.MAIN_DB_PREFIX.'import_model (';
$sql.= 'label, type, field)';
$sql.= " VALUES ('".addslashes($this->model_name)."', '".$this->datatoimport."', '".$this->hexa."')";
$sql.= " VALUES ('".$this->db->escape($this->model_name)."', '".$this->datatoimport."', '".$this->hexa."')";
dol_syslog("Import::create sql=".$sql, LOG_DEBUG);
$resql=$this->db->query($sql);

6
htdocs/livraison/class/livraison.class.php
View File

@@ -125,7 +125,7 @@ class Livraison extends CommonObject
$numref = "(PROV".$this->id.")";
$sql = "UPDATE ".MAIN_DB_PREFIX."livraison ";
$sql.= "SET ref = '".addslashes($numref)."'";
$sql.= "SET ref = '".$this->db->escape($numref)."'";
$sql.= " WHERE rowid = ".$this->id;
dol_syslog("Livraison::create sql=".$sql, LOG_DEBUG);
@@ -220,7 +220,7 @@ class Livraison extends CommonObject
$sql.= " fk_product, description, qty)";
$sql.= " VALUES (".$this->id.",".$commande_ligne_id.",";
$sql.= " ".($idprod>0?$idprod:"null").",";
$sql.= " ".($description?"'".addslashes($description)."'":"null").",";
$sql.= " ".($description?"'".$this->db->escape($description)."'":"null").",";
$sql.= $qty.")";
dol_syslog("Livraison::create_line sql=".$sql, LOG_DEBUG);
@@ -365,7 +365,7 @@ class Livraison extends CommonObject
}
$sql = "UPDATE ".MAIN_DB_PREFIX."livraison SET";
$sql.= " ref='".addslashes($this->ref)."'";
$sql.= " ref='".$this->db->escape($this->ref)."'";
$sql.= ", fk_statut = 1";
$sql.= ", date_valid = ".$this->db->idate(mktime());
$sql.= ", fk_user_valid = ".$user->id;

8
htdocs/product/canvas/default/product.default.class.php
View File

@@ -207,7 +207,7 @@ class ProductDefault extends Product
{
if ($field['enabled'])
{
$sql.= $clause." ".$field['name']." LIKE '%".addslashes($sall)."%'";
$sql.= $clause." ".$field['name']." LIKE '%".$this->db->escape($sall)."%'";
if ($clause=='') $clause = ' OR';
}
}
@@ -220,17 +220,17 @@ class ProductDefault extends Product
if ($field['enabled'])
{
$fieldname = "s".$field['alias'];
if (${$fieldname}) $sql.= " AND ".$field['name']." LIKE '%".addslashes(${$fieldname})."%'";
if (${$fieldname}) $sql.= " AND ".$field['name']." LIKE '%".$this->db->escape(${$fieldname})."%'";
}
}
if (isset($_GET["tosell"]) && dol_strlen($_GET["tosell"]) > 0)
{
$sql.= " AND p.tosell = ".addslashes($_GET["tosell"]);
$sql.= " AND p.tosell = ".$this->db->escape($_GET["tosell"]);
}
if (isset($_GET["canvas"]) && dol_strlen($_GET["canvas"]) > 0)
{
$sql.= " AND p.canvas = '".addslashes($_GET["canvas"])."'";
$sql.= " AND p.canvas = '".$this->db->escape($_GET["canvas"])."'";
}
$sql.= $this->db->order($sortfield,$sortorder);
$sql.= $this->db->plimit($limit + 1 ,$offset);

10
htdocs/product/canvas/service/product.service.class.php
View File

@@ -155,18 +155,18 @@ class ProductService extends Product
if (!$user->rights->service->hidden) $sql.=' AND (p.hidden=0 OR p.fk_product_type != 1)';
if ($sall)
{
$sql.= " AND (p.ref like '%".addslashes($sall)."%' OR p.label like '%".addslashes($sall)."%' OR p.description like '%".addslashes($sall)."%' OR p.note like '%".addslashes($sall)."%')";
$sql.= " AND (p.ref like '%".$this->db->escape($sall)."%' OR p.label like '%".$this->db->escape($sall)."%' OR p.description like '%".$this->db->escape($sall)."%' OR p.note like '%".$this->db->escape($sall)."%')";
}
if ($sref) $sql.= " AND p.ref like '%".$sref."%'";
if ($sbarcode) $sql.= " AND p.barcode like '%".$sbarcode."%'";
if ($snom) $sql.= " AND p.label like '%".addslashes($snom)."%'";
if ($snom) $sql.= " AND p.label like '%".$this->db->escape($snom)."%'";
if (isset($_GET["tosell"]) && dol_strlen($_GET["tosell"]) > 0)
{
$sql.= " AND p.tosell = ".addslashes($_GET["tosell"]);
$sql.= " AND p.tosell = ".$this->db->escape($_GET["tosell"]);
}
if (isset($_GET["canvas"]) && dol_strlen($_GET["canvas"]) > 0)
{
$sql.= " AND p.canvas = '".addslashes($_GET["canvas"])."'";
$sql.= " AND p.canvas = '".$this->db->escape($_GET["canvas"])."'";
}
if($catid)
{
@@ -179,7 +179,7 @@ class ProductService extends Product
// Insert categ filter
if ($search_categ)
{
$sql .= " AND cp.fk_categorie = ".addslashes($search_categ);
$sql .= " AND cp.fk_categorie = ".$this->db->escape($search_categ);
}
$sql.= $this->db->order($sortfield,$sortorder);
$sql.= $this->db->plimit($limit + 1 ,$offset);

44
htdocs/product/class/product.class.php
View File

@@ -290,7 +290,7 @@ class Product extends CommonObject
$sql.= ", '".$this->ref."'";
$sql.= ", ".price2num($price_min_ht);
$sql.= ", ".price2num($price_min_ttc);
$sql.= ", ".($this->libelle?"'".addslashes($this->libelle)."'":"null");
$sql.= ", ".($this->libelle?"'".$this->db->escape($this->libelle)."'":"null");
$sql.= ", ".$user->id;
$sql.= ", ".$this->type;
$sql.= ", ".price2num($price_ht);
@@ -448,7 +448,7 @@ class Product extends CommonObject
$this->accountancy_code_sell= trim($this->accountancy_code_sell);
$sql = "UPDATE ".MAIN_DB_PREFIX."product";
$sql.= " SET label = '" . addslashes($this->libelle) ."'";
$sql.= " SET label = '" . $this->db->escape($this->libelle) ."'";
$sql.= ",ref = '" . $this->ref ."'";
$sql.= ",tva_tx = " . $this->tva_tx;
@@ -469,10 +469,10 @@ class Product extends CommonObject
$sql.= ",volume = " . ($this->volume!='' ? "'".$this->volume."'" : 'null');
$sql.= ",volume_units = " . ($this->volume_units!='' ? "'".$this->volume_units."'" : 'null');
$sql.= ",seuil_stock_alerte = " . ((isset($this->seuil_stock_alerte) && $this->seuil_stock_alerte != '') ? "'".$this->seuil_stock_alerte."'" : "null");
$sql.= ",description = '" . addslashes($this->description) ."'";
$sql.= ",customcode = '" . addslashes($this->customcode) ."'";
$sql.= ",description = '" . $this->db->escape($this->description) ."'";
$sql.= ",customcode = '" . $this->db->escape($this->customcode) ."'";
$sql.= ",fk_country = " . ($this->country_id > 0 ? $this->country_id : 'null');
$sql.= ",note = '" . addslashes($this->note) ."'";
$sql.= ",note = '" . $this->db->escape($this->note) ."'";
$sql.= ",duration = '" . $this->duration_value . $this->duration_unit ."'";
$sql.= ",accountancy_code_buy = '" . $this->accountancy_code_buy."'";
$sql.= ",accountancy_code_sell= '" . $this->accountancy_code_sell."'";
@@ -627,17 +627,17 @@ class Product extends CommonObject
if ($this->db->num_rows($result)) // si aucune ligne dans la base
{
$sql2 = "UPDATE ".MAIN_DB_PREFIX."product_lang";
$sql2.= " SET label='".addslashes($this->libelle)."',";
$sql2.= " description='".addslashes($this->description)."',";
$sql2.= " note='".addslashes($this->note)."'";
$sql2.= " SET label='".$this->db->escape($this->libelle)."',";
$sql2.= " description='".$this->db->escape($this->description)."',";
$sql2.= " note='".$this->db->escape($this->note)."'";
$sql2.= " WHERE fk_product=".$this->id." AND lang='".$key."'";
}
else
{
$sql2 = "INSERT INTO ".MAIN_DB_PREFIX."product_lang (fk_product, lang, label, description, note)";
$sql2.= " VALUES(".$this->id.",'".$key."','". addslashes($this->libelle);
$sql2.= "','".addslashes($this->description);
$sql2.= "','".addslashes($this->note)."')";
$sql2.= " VALUES(".$this->id.",'".$key."','". $this->db->escape($this->libelle);
$sql2.= "','".$this->db->escape($this->description);
$sql2.= "','".$this->db->escape($this->note)."')";
}
if (!$this->db->query($sql2)) return -1;
}
@@ -646,17 +646,17 @@ class Product extends CommonObject
if ($this->db->num_rows($result)) // si aucune ligne dans la base
{
$sql2 = "UPDATE ".MAIN_DB_PREFIX."product_lang";
$sql2.= " SET label='".addslashes($this->multilangs["$key"]["libelle"])."',";
$sql2.= " description='".addslashes($this->multilangs["$key"]["description"])."',";
$sql2.= " note='".addslashes($this->multilangs["$key"]["note"])."'";
$sql2.= " SET label='".$this->db->escape($this->multilangs["$key"]["libelle"])."',";
$sql2.= " description='".$this->db->escape($this->multilangs["$key"]["description"])."',";
$sql2.= " note='".$this->db->escape($this->multilangs["$key"]["note"])."'";
$sql2.= " WHERE fk_product=".$this->id." AND lang='".$key."'";
}
else
{
$sql2 = "INSERT INTO ".MAIN_DB_PREFIX."product_lang (fk_product, lang, label, description, note)";
$sql2.= " VALUES(".$this->id.",'".$key."','". addslashes($this->multilangs["$key"]["libelle"]);
$sql2.= "','".addslashes($this->multilangs["$key"]["description"]);
$sql2.= "','".addslashes($this->multilangs["$key"]["note"])."')";
$sql2.= " VALUES(".$this->id.",'".$key."','". $this->db->escape($this->multilangs["$key"]["libelle"]);
$sql2.= "','".$this->db->escape($this->multilangs["$key"]["description"]);
$sql2.= "','".$this->db->escape($this->multilangs["$key"]["note"])."')";
}
// on ne sauvegarde pas des champs vides
@@ -990,7 +990,7 @@ class Product extends CommonObject
$sql.= " import_key";
$sql.= " FROM ".MAIN_DB_PREFIX."product";
if ($id) $sql.= " WHERE rowid = '".$id."'";
if ($ref) $sql.= " WHERE ref = '".addslashes($ref)."'";
if ($ref) $sql.= " WHERE ref = '".$this->db->escape($ref)."'";
dol_syslog("Product::fetch sql=".$sql);
$result = $this->db->query($sql);
@@ -2097,7 +2097,7 @@ class Product extends CommonObject
$prods = array ();
while ($record = $this->db->fetch_array ($res))
{
$prods[addslashes($record['label'])] = array(0=>$record['id']);
$prods[$this->db->escape($record['label'])] = array(0=>$record['id']);
}
return $prods;
}
@@ -2127,12 +2127,12 @@ class Product extends CommonObject
$prods = array();
while ($rec = $this->db->fetch_array($res))
{
//$prods[addslashes($rec['label'])]= array(0=>$rec['id'],1=>$rec['qty'],2=>$rec['fk_product_type']);
$prods[addslashes($rec['label'])]= array(0=>$rec['id'],1=>$rec['qty']);
//$prods[$this->db->escape($rec['label'])]= array(0=>$rec['id'],1=>$rec['qty'],2=>$rec['fk_product_type']);
$prods[$this->db->escape($rec['label'])]= array(0=>$rec['id'],1=>$rec['qty']);
$listofchilds=$this->getChildsArbo($rec['id']);
foreach($listofchilds as $keyChild => $valueChild)
{
$prods[addslashes($rec['label'])][$keyChild] = $valueChild;
$prods[$this->db->escape($rec['label'])][$keyChild] = $valueChild;
}
}
//var_dump($prods);

12
htdocs/product/stock/class/entrepot.class.php
View File

@@ -81,7 +81,7 @@ class Entrepot extends CommonObject
$this->db->begin();
$sql = "INSERT INTO ".MAIN_DB_PREFIX."entrepot (datec, fk_user_author, label)";
$sql .= " VALUES (".$this->db->idate(mktime()).",".$user->id.",'".addslashes($this->libelle)."')";
$sql .= " VALUES (".$this->db->idate(mktime()).",".$user->id.",'".$this->db->escape($this->libelle)."')";
dol_syslog("Entrepot::create sql=".$sql);
$result=$this->db->query($sql);
@@ -127,13 +127,13 @@ class Entrepot extends CommonObject
*/
function update($id, $user)
{
$this->libelle=addslashes(trim($this->libelle));
$this->description=addslashes(trim($this->description));
$this->libelle=$this->db->escape(trim($this->libelle));
$this->description=$this->db->escape(trim($this->description));
$this->lieu=addslashes(trim($this->lieu));
$this->address=addslashes(trim($this->address));
$this->lieu=$this->db->escape(trim($this->lieu));
$this->address=$this->db->escape(trim($this->address));
$this->cp=trim($this->cp);
$this->ville=addslashes(trim($this->ville));
$this->ville=$this->db->escape(trim($this->ville));
$this->pays_id=trim($this->pays_id?$this->pays_id:0);
$sql = "UPDATE ".MAIN_DB_PREFIX."entrepot ";

2
htdocs/product/stock/class/mouvementstock.class.php
View File

@@ -75,7 +75,7 @@ class MouvementStock
$sql.= " (datem, fk_product, fk_entrepot, value, type_mouvement, fk_user_author, label, price)";
$sql.= " VALUES ('".$this->db->idate($now)."', ".$fk_product.", ".$entrepot_id.", ".$qty.", ".$type.",";
$sql.= " ".$user->id.",";
$sql.= " '".addslashes($label)."',";
$sql.= " '".$this->db->escape($label)."',";
$sql.= " '".price2num($price)."')";
dol_syslog("MouvementStock::_create sql=".$sql, LOG_DEBUG);

10
htdocs/projet/class/project.class.php
View File

@@ -103,9 +103,9 @@ class Project extends CommonObject
$sql.= ", dateo";
$sql.= ", datee";
$sql.= ") VALUES (";
$sql.= "'".addslashes($this->ref)."'";
$sql.= ", '".addslashes($this->title)."'";
$sql.= ", '".addslashes($this->description)."'";
$sql.= "'".$this->db->escape($this->ref)."'";
$sql.= ", '".$this->db->escape($this->title)."'";
$sql.= ", '".$this->db->escape($this->description)."'";
$sql.= ", ".($this->socid > 0?$this->socid:"null");
$sql.= ", ".$user->id;
$sql.= ", 0";
@@ -178,8 +178,8 @@ class Project extends CommonObject
{
$sql = "UPDATE ".MAIN_DB_PREFIX."projet SET";
$sql.= " ref='".$this->ref."'";
$sql.= ", title = '".addslashes($this->title)."'";
$sql.= ", description = '".addslashes($this->description)."'";
$sql.= ", title = '".$this->db->escape($this->title)."'";
$sql.= ", description = '".$this->db->escape($this->description)."'";
$sql.= ", fk_soc = ".($this->socid > 0?$this->socid:"null");
$sql.= ", fk_statut = ".$this->statut;
$sql.= ", public = ".($this->public?1:0);

8
htdocs/projet/class/task.class.php
View File

@@ -253,8 +253,8 @@ class Task extends CommonObject
$sql = "UPDATE ".MAIN_DB_PREFIX."projet_task SET";
$sql.= " fk_projet=".(isset($this->fk_project)?$this->fk_project:"null").",";
$sql.= " fk_task_parent=".(isset($this->fk_task_parent)?$this->fk_task_parent:"null").",";
$sql.= " label=".(isset($this->label)?"'".addslashes($this->label)."'":"null").",";
$sql.= " description=".(isset($this->description)?"'".addslashes($this->description)."'":"null").",";
$sql.= " label=".(isset($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
$sql.= " description=".(isset($this->description)?"'".$this->db->escape($this->description)."'":"null").",";
$sql.= " duration_effective=".(isset($this->duration_effective)?$this->duration_effective:"null").",";
$sql.= " dateo=".($this->date_start!=''?$this->db->idate($this->date_start):'null').",";
$sql.= " datee=".($this->date_end!=''?$this->db->idate($this->date_end):'null').",";
@@ -670,7 +670,7 @@ class Task extends CommonObject
$sql.= ", '".$this->db->idate($this->timespent_date)."'";
$sql.= ", ".$this->timespent_duration;
$sql.= ", ".$this->timespent_fk_user;
$sql.= ", ".(isset($this->timespent_note)?"'".addslashes($this->timespent_note)."'":"null");
$sql.= ", ".(isset($this->timespent_note)?"'".$this->db->escape($this->timespent_note)."'":"null");
$sql.= ")";
dol_syslog(get_class($this)."::addTimeSpent sql=".$sql, LOG_DEBUG);
@@ -777,7 +777,7 @@ class Task extends CommonObject
$sql.= " task_date = '".$this->db->idate($this->timespent_date)."',";
$sql.= " task_duration = ".$this->timespent_duration.",";
$sql.= " fk_user = ".$this->timespent_fk_user.",";
$sql.= " note = ".(isset($this->timespent_note)?"'".addslashes($this->timespent_note)."'":"null");
$sql.= " note = ".(isset($this->timespent_note)?"'".$this->db->escape($this->timespent_note)."'":"null");
$sql.= " WHERE rowid = ".$this->timespent_id;
dol_syslog(get_class($this)."::updateTimeSpent sql=".$sql, LOG_DEBUG);

12
htdocs/societe/class/address.class.php
View File

@@ -88,7 +88,7 @@ class Address
if ($result >= 0)
{
$sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_address (label, fk_soc, name, datec, fk_user_creat) ";
$sql .= " VALUES ('".addslashes($this->label)."', '".$socid."', '".addslashes($this->name)."', ".$this->db->idate(mktime()).", '".$user->id."')";
$sql .= " VALUES ('".$this->db->escape($this->label)."', '".$socid."', '".$this->db->escape($this->name)."', ".$this->db->idate(mktime()).", '".$user->id."')";
$result=$this->db->query($sql);
if ($result)
@@ -190,18 +190,18 @@ class Address
dol_syslog("Address::Update verify ok");
$sql = "UPDATE ".MAIN_DB_PREFIX."societe_address";
$sql.= " SET label = '" . addslashes($this->label) ."'"; // Champ obligatoire
$sql.= ",name = '" . addslashes($this->name) ."'"; // Champ obligatoire
$sql.= ",address = '" . addslashes($this->address) ."'";
$sql.= " SET label = '" . $this->db->escape($this->label) ."'"; // Champ obligatoire
$sql.= ",name = '" . $this->db->escape($this->name) ."'"; // Champ obligatoire
$sql.= ",address = '" . $this->db->escape($this->address) ."'";
if ($this->cp)
{ $sql .= ",cp = '" . $this->cp ."'"; }
if ($this->ville)
{ $sql .= ",ville = '" . addslashes($this->ville) ."'"; }
{ $sql .= ",ville = '" . $this->db->escape($this->ville) ."'"; }
$sql .= ",fk_pays = '" . ($this->pays_id?$this->pays_id:'0') ."'";
$sql.= ",note = '" . addslashes($this->note) ."'";
$sql.= ",note = '" . $this->db->escape($this->note) ."'";
if ($this->tel)
{ $sql .= ",tel = '" . $this->tel ."'"; }

8
htdocs/societe/class/companybankaccount.class.php
View File

@@ -107,16 +107,16 @@ class CompanyBankAccount
}
$sql = "UPDATE ".MAIN_DB_PREFIX."societe_rib SET ";
$sql .= " bank = '" .addslashes($this->bank)."'";
$sql .= " bank = '" .$this->db->escape($this->bank)."'";
$sql .= ",code_banque='".$this->code_banque."'";
$sql .= ",code_guichet='".$this->code_guichet."'";
$sql .= ",number='".$this->number."'";
$sql .= ",cle_rib='".$this->cle_rib."'";
$sql .= ",bic='".$this->bic."'";
$sql .= ",iban_prefix = '".$this->iban_prefix."'";
$sql .= ",domiciliation='".addslashes($this->domiciliation)."'";
$sql .= ",proprio = '".addslashes($this->proprio)."'";
$sql .= ",adresse_proprio = '".addslashes($this->adresse_proprio)."'";
$sql .= ",domiciliation='".$this->db->escape($this->domiciliation)."'";
$sql .= ",proprio = '".$this->db->escape($this->proprio)."'";
$sql .= ",adresse_proprio = '".$this->db->escape($this->adresse_proprio)."'";
$sql .= " WHERE fk_soc = ".$this->socid;
$result = $this->db->query($sql);

38
htdocs/societe/class/societe.class.php
View File

@@ -429,28 +429,28 @@ class Societe extends CommonObject
dol_syslog("Societe::Update verify ok");
$sql = "UPDATE ".MAIN_DB_PREFIX."societe";
$sql.= " SET nom = '" . addslashes($this->nom) ."'"; // Champ obligatoire
$sql.= " SET nom = '" . $this->db->escape($this->nom) ."'"; // Champ obligatoire
$sql.= ",datea = '".$this->db->idate(mktime())."'";
$sql.= ",address = '" . addslashes($this->address) ."'";
$sql.= ",address = '" . $this->db->escape($this->address) ."'";
$sql.= ",cp = ".($this->cp?"'".$this->cp."'":"null");
$sql.= ",ville = ".($this->ville?"'".addslashes($this->ville)."'":"null");
$sql.= ",ville = ".($this->ville?"'".$this->db->escape($this->ville)."'":"null");
$sql .= ",fk_departement = '" . ($this->departement_id?$this->departement_id:'0') ."'";
$sql .= ",fk_pays = '" . ($this->pays_id?$this->pays_id:'0') ."'";
$sql .= ",tel = ".($this->tel?"'".addslashes($this->tel)."'":"null");
$sql .= ",fax = ".($this->fax?"'".addslashes($this->fax)."'":"null");
$sql .= ",email = ".($this->email?"'".addslashes($this->email)."'":"null");
$sql .= ",url = ".($this->url?"'".addslashes($this->url)."'":"null");
$sql .= ",tel = ".($this->tel?"'".$this->db->escape($this->tel)."'":"null");
$sql .= ",fax = ".($this->fax?"'".$this->db->escape($this->fax)."'":"null");
$sql .= ",email = ".($this->email?"'".$this->db->escape($this->email)."'":"null");
$sql .= ",url = ".($this->url?"'".$this->db->escape($this->url)."'":"null");
$sql .= ",siren = '". addslashes($this->siren) ."'";
$sql .= ",siret = '". addslashes($this->siret) ."'";
$sql .= ",ape = '". addslashes($this->ape) ."'";
$sql .= ",idprof4 = '". addslashes($this->idprof4) ."'";
$sql .= ",siren = '". $this->db->escape($this->siren) ."'";
$sql .= ",siret = '". $this->db->escape($this->siret) ."'";
$sql .= ",ape = '". $this->db->escape($this->ape) ."'";
$sql .= ",idprof4 = '". $this->db->escape($this->idprof4) ."'";
$sql .= ",tva_assuj = ".($this->tva_assuj!=''?"'".$this->tva_assuj."'":"null");
$sql .= ",tva_intra = '" . addslashes($this->tva_intra) ."'";
$sql .= ",tva_intra = '" . $this->db->escape($this->tva_intra) ."'";
// Local taxes
$sql .= ",localtax1_assuj = ".($this->localtax1_assuj!=''?"'".$this->localtax1_assuj."'":"null");
@@ -458,7 +458,7 @@ class Societe extends CommonObject
$sql .= ",capital = ".$this->capital;
$sql .= ",prefix_comm = ".($this->prefix_comm?"'".addslashes($this->prefix_comm)."'":"null");
$sql .= ",prefix_comm = ".($this->prefix_comm?"'".$this->db->escape($this->prefix_comm)."'":"null");
$sql .= ",fk_effectif = ".($this->effectif_id?"'".$this->effectif_id."'":"null");
@@ -476,24 +476,24 @@ class Societe extends CommonObject
{
//$this->check_codeclient();
$sql .= ", code_client = ".($this->code_client?"'".addslashes($this->code_client)."'":"null");
$sql .= ", code_client = ".($this->code_client?"'".$this->db->escape($this->code_client)."'":"null");
// Attention get_codecompta peut modifier le code suivant le module utilise
if (empty($this->code_compta)) $this->get_codecompta('customer');
$sql .= ", code_compta = ".($this->code_compta?"'".addslashes($this->code_compta)."'":"null");
$sql .= ", code_compta = ".($this->code_compta?"'".$this->db->escape($this->code_compta)."'":"null");
}
if ($allowmodcodefournisseur)
{
//$this->check_codefournisseur();
$sql .= ", code_fournisseur = ".($this->code_fournisseur?"'".addslashes($this->code_fournisseur)."'":"null");
$sql .= ", code_fournisseur = ".($this->code_fournisseur?"'".$this->db->escape($this->code_fournisseur)."'":"null");
// Attention get_codecompta peut modifier le code suivant le module utilise
if (empty($this->code_compta_fournisseur)) $this->get_codecompta('supplier');
$sql .= ", code_compta_fournisseur = ".($this->code_compta_fournisseur?"'".addslashes($this->code_compta_fournisseur)."'":"null");
$sql .= ", code_compta_fournisseur = ".($this->code_compta_fournisseur?"'".$this->db->escape($this->code_compta_fournisseur)."'":"null");
}
$sql .= ", fk_user_modif = ".($user->id > 0 ? "'".$user->id."'":"null");
$sql .= " WHERE rowid = '" . $id ."'";
@@ -1135,7 +1135,7 @@ class Societe extends CommonObject
$sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_remise ";
$sql.= " (datec, fk_soc, remise_client, note, fk_user_author)";
$sql.= " VALUES (".$this->db->idate(mktime()).", ".$this->id.", '".$remise."',";
$sql.= " '".addslashes($note)."',";
$sql.= " '".$this->db->escape($note)."',";
$sql.= " ".$user->id;
$sql.= ")";
@@ -2147,7 +2147,7 @@ class Societe extends CommonObject
$sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_log (datel, fk_soc, fk_statut, fk_user, author, label)";
$sql.= " VALUES ('".$dateaction."', ".$socid.", ".$id_status.",";
$sql.= "'".$user->id."',";
$sql.= "'".addslashes($user->login)."',";
$sql.= "'".$this->db->escape($user->login)."',";
$sql.= "'Change statut from ".$oldstcomm." to ".$stcommid."'";
$sql.= ")";
$result = $thi->db->query($sql);