Fix: compatibility with pgsql, replace all addslashes by $this->db->escape in class

htdocs/adherents/class/adherent.class.php

@@ -388,21 +388,21 @@ class Adherent extends CommonObject
 
         $sql = "UPDATE ".MAIN_DB_PREFIX."adherent SET";
         $sql.= " civilite = ".($this->civilite_id?"'".$this->civilite_id."'":"null");
-        $sql.= ", prenom = ".($this->prenom?"'".addslashes($this->prenom)."'":"null");
+        $sql.= ", prenom = ".($this->prenom?"'".$this->db->escape($this->prenom)."'":"null");
-        $sql.= ", nom="     .($this->nom?"'".addslashes($this->nom)."'":"null");
+        $sql.= ", nom="     .($this->nom?"'".$this->db->escape($this->nom)."'":"null");
-        $sql.= ", login="   .($this->login?"'".addslashes($this->login)."'":"null");
+        $sql.= ", login="   .($this->login?"'".$this->db->escape($this->login)."'":"null");
-        $sql.= ", societe=" .($this->societe?"'".addslashes($this->societe)."'":"null");
+        $sql.= ", societe=" .($this->societe?"'".$this->db->escape($this->societe)."'":"null");
         $sql.= ", fk_soc="  .($this->fk_soc > 0?"'".$this->fk_soc."'":"null");
-        $sql.= ", adresse=" .($this->adresse?"'".addslashes($this->adresse)."'":"null");
+        $sql.= ", adresse=" .($this->adresse?"'".$this->db->escape($this->adresse)."'":"null");
-        $sql.= ", cp="      .($this->cp?"'".addslashes($this->cp)."'":"null");
+        $sql.= ", cp="      .($this->cp?"'".$this->db->escape($this->cp)."'":"null");
-        $sql.= ", ville="   .($this->ville?"'".addslashes($this->ville)."'":"null");
+        $sql.= ", ville="   .($this->ville?"'".$this->db->escape($this->ville)."'":"null");
         $sql.= ", pays="          .($this->pays_id>0?"'".$this->pays_id."'":"null");
         $sql.= ", fk_departement=".($this->fk_departement>0?"'".$this->fk_departement."'":"null");
         $sql.= ", email="   ."'".$this->email."'";
-        $sql.= ", phone="   .($this->phone?"'".addslashes($this->phone)."'":"null");
+        $sql.= ", phone="   .($this->phone?"'".$this->db->escape($this->phone)."'":"null");
-        $sql.= ", phone_perso="  .($this->phone_perso?"'".addslashes($this->phone_perso)."'":"null");
+        $sql.= ", phone_perso="  .($this->phone_perso?"'".$this->db->escape($this->phone_perso)."'":"null");
-        $sql.= ", phone_mobile=" .($this->phone_mobile?"'".addslashes($this->phone_mobile)."'":"null");
+        $sql.= ", phone_mobile=" .($this->phone_mobile?"'".$this->db->escape($this->phone_mobile)."'":"null");
-        $sql.= ", note="    .($this->note?"'".addslashes($this->note)."'":"null");
+        $sql.= ", note="    .($this->note?"'".$this->db->escape($this->note)."'":"null");
         $sql.= ", photo="   .($this->photo?"'".$this->photo."'":"null");
         $sql.= ", public="  ."'".$this->public."'";
         $sql.= ", statut="  .$this->statut;
@@ -743,7 +743,7 @@ class Adherent extends CommonObject
         }
 
         // Mise a jour
-        $sql = "UPDATE ".MAIN_DB_PREFIX."adherent SET pass = '".addslashes($password_indatabase)."'";
+        $sql = "UPDATE ".MAIN_DB_PREFIX."adherent SET pass = '".$this->db->escape($password_indatabase)."'";
         $sql.= " WHERE rowid = ".$this->id;
 
         //dol_syslog("Adherent::Password sql=hidden");

htdocs/adherents/class/adherent_options.class.php

@@ -135,7 +135,7 @@ class AdherentOptions
 		{
 			$sql = "INSERT INTO ".MAIN_DB_PREFIX."adherent_options_label(name, label, type, pos, size, entity)";
 			$sql.= " VALUES('".$attrname."',";
-			$sql.= " '".addslashes($label)."',";
+			$sql.= " '".$this->db->escape($label)."',";
 			$sql.= " '".$type."',";
 			$sql.= " '".$pos."',";
 			$sql.= " '".$size."',";
@@ -292,7 +292,7 @@ class AdherentOptions
 			$sql.= ") VALUES (";
 			$sql.= "'".$attrname."',";
 			$sql.= " ".$conf->entity.",";
-			$sql.= " '".addslashes($label)."',";
+			$sql.= " '".$this->db->escape($label)."',";
 			$sql.= " '".$type."',";
 			$sql.= " '".$size."'";
 			$sql.= ")";

htdocs/adherents/class/adherent_type.class.php

@@ -89,7 +89,7 @@ class AdherentType extends CommonObject
         $sql.= "libelle";
         $sql.= ", entity";
         $sql.= ") VALUES (";
-        $sql.= "'".addslashes($this->libelle)."'";
+        $sql.= "'".$this->db->escape($this->libelle)."'";
         $sql.= ", ".$conf->entity;
         $sql.= ")";
 
@@ -119,11 +119,11 @@ class AdherentType extends CommonObject
         $sql = "UPDATE ".MAIN_DB_PREFIX."adherent_type ";
         $sql.= "SET ";
         $sql.= "statut = ".$this->statut.",";
-        $sql.= "libelle = '".addslashes($this->libelle) ."',";
+        $sql.= "libelle = '".$this->db->escape($this->libelle) ."',";
         $sql.= "cotisation = '".$this->cotisation."',";
-        $sql.= "note = '".addslashes($this->note)."',";
+        $sql.= "note = '".$this->db->escape($this->note)."',";
         $sql.= "vote = '".$this->vote."',";
-        $sql.= "mail_valid = '".addslashes($this->mail_valid)."'";
+        $sql.= "mail_valid = '".$this->db->escape($this->mail_valid)."'";
 
         $sql .= " WHERE rowid = $this->id";
 

htdocs/adherents/class/cotisation.class.php

@@ -79,7 +79,7 @@ class Cotisation extends CommonObject
         $sql.= " VALUES (".$this->fk_adherent.", ".$this->db->idate(mktime()).",";
 		$sql.= " ".$this->db->idate($this->dateh).",";
 		$sql.= " ".$this->db->idate($this->datef).",";
-		$sql.= " ".$this->amount.",'".addslashes($this->note)."')";
+		$sql.= " ".$this->amount.",'".$this->db->escape($this->note)."')";
 
 		dol_syslog("Cotisation::create sql=".$sql);
 		$resql = $this->db->query($sql);
@@ -157,7 +157,7 @@ class Cotisation extends CommonObject
 
 		$sql = "UPDATE ".MAIN_DB_PREFIX."cotisation SET ";
 		$sql .= " fk_adherent = ".$this->fk_adherent.",";
-		$sql .= " note=".($this->note ? "'".addslashes($this->note)."'" : 'null').",";
+		$sql .= " note=".($this->note ? "'".$this->db->escape($this->note)."'" : 'null').",";
 		$sql .= " cotisation = '".price2num($this->amount)."',";
 		$sql .= " dateadh='".$this->db->idate($this->dateh)."',";
 		$sql .= " datef='".$this->db->idate($this->datef)."',";

htdocs/bookmarks/class/bookmark.class.php

@@ -111,7 +111,7 @@ class Bookmark
         $sql.= ($this->fk_user > 0?"'".$this->fk_user."'":"0").",";
         $sql.= " ".$this->db->idate(gmmktime()).",";
         $sql.= " '".$this->url."', '".$this->target."',";
-        $sql.= " '".addslashes($this->title)."', '".$this->favicon."', '".$this->position."'";
+        $sql.= " '".$this->db->escape($this->title)."', '".$this->favicon."', '".$this->position."'";
         if ($this->fk_soc) $sql.=",".$this->fk_soc;
         $sql.= ")";
 
@@ -157,9 +157,9 @@ class Bookmark
     	$sql = "UPDATE ".MAIN_DB_PREFIX."bookmark";
         $sql.= " SET fk_user = ".($this->fk_user > 0?"'".$this->fk_user."'":"0");
         $sql.= " ,dateb = '".$this->db->idate($this->datec)."'";
-        $sql.= " ,url = '".addslashes($this->url)."'";
+        $sql.= " ,url = '".$this->db->escape($this->url)."'";
         $sql.= " ,target = '".$this->target."'";
-        $sql.= " ,title = '".addslashes($this->title)."'";
+        $sql.= " ,title = '".$this->db->escape($this->title)."'";
         $sql.= " ,favicon = '".$this->favicon."'";
         $sql.= " ,position = '".$this->position."'";
         $sql.= " WHERE rowid = ".$this->id;

htdocs/categories/class/categorie.class.php

@@ -142,7 +142,7 @@ class Categorie
 			$sql.= "fk_soc,";
 		}
 		$sql.=  "visible, type) ";
-		$sql.= "VALUES ('".addslashes($this->label)."', '".addslashes($this->description)."',";
+		$sql.= "VALUES ('".$this->db->escape($this->label)."', '".$this->db->escape($this->description)."',";
 		if ($conf->global->CATEGORY_ASSIGNED_TO_A_CUSTOMER)
 		{
 			$sql.= ($this->socid != -1 ? $this->socid : 'null').",";
@@ -230,10 +230,10 @@ class Categorie
 		}
 
 		$sql = "UPDATE ".MAIN_DB_PREFIX."categorie";
-		$sql.= " SET label = '".addslashes($this->label)."'";
+		$sql.= " SET label = '".$this->db->escape($this->label)."'";
 		if ($this->description)
 		{
-			$sql .= ", description = '".addslashes($this->description)."'";
+			$sql .= ", description = '".$this->db->escape($this->description)."'";
 		}
 		if ($conf->global->CATEGORY_ASSIGNED_TO_A_CUSTOMER)
 		{
@@ -807,7 +807,7 @@ class Categorie
 	{
 		$sql = "SELECT count(c.rowid)";
 		$sql.= " FROM ".MAIN_DB_PREFIX."categorie as c, ".MAIN_DB_PREFIX."categorie_association as ca";
-		$sql.= " WHERE c.label = '".addslashes($this -> label)."' AND type=".$this->type;
+		$sql.= " WHERE c.label = '".$this->db->escape($this -> label)."' AND type=".$this->type;
 		dol_syslog("Categorie::already_exists sql=".$sql);
 		$res  = $this->db->query($sql);
 		if ($res)

htdocs/comm/action/class/actioncomm.class.php

@@ -188,12 +188,12 @@ class ActionComm extends CommonObject
         $sql.= " '".$this->type_id."',";
         $sql.= ($this->societe->id>0?" '".$this->societe->id."'":"null").",";
         $sql.= ($this->fk_project>0?" '".$this->fk_project."'":"null").",";
-        $sql.= " '".addslashes($this->note)."',";
+        $sql.= " '".$this->db->escape($this->note)."',";
         $sql.= ($this->contact->id > 0?"'".$this->contact->id."'":"null").",";
         $sql.= ($user->id > 0 ? "'".$user->id."'":"null").",";
 		$sql.= ($this->usertodo->id > 0?"'".$this->usertodo->id."'":"null").",";
 		$sql.= ($this->userdone->id > 0?"'".$this->userdone->id."'":"null").",";
-		$sql.= "'".addslashes($this->label)."','".$this->percentage."','".$this->priority."','".$this->fulldayevent."','".addslashes($this->location)."','".$this->punctual."',";
+		$sql.= "'".$this->db->escape($this->label)."','".$this->percentage."','".$this->priority."','".$this->fulldayevent."','".$this->db->escape($this->location)."','".$this->punctual."',";
         $sql.= ($this->facid?$this->facid:"null").",";
         $sql.= ($this->propalrowid?$this->propalrowid:"null").",";
         $sql.= ($this->orderrowid?$this->orderrowid:"null").",";
@@ -383,18 +383,18 @@ class ActionComm extends CommonObject
 		//print 'eeea'.$this->datep.'-'.(strval($this->datep) != '').'-'.$this->db->idate($this->datep);
 		$sql = "UPDATE ".MAIN_DB_PREFIX."actioncomm ";
         $sql.= " SET percent='".$this->percentage."'";
-        $sql.= ", label = ".($this->label ? "'".addslashes($this->label)."'":"null");
+        $sql.= ", label = ".($this->label ? "'".$this->db->escape($this->label)."'":"null");
         $sql.= ", datep = ".(strval($this->datep)!='' ? "'".$this->db->idate($this->datep)."'" : 'null');
         $sql.= ", datep2 = ".(strval($this->datef)!='' ? "'".$this->db->idate($this->datef)."'" : 'null');
         //$sql.= ", datea = ".(strval($this->date)!='' ? "'".$this->db->idate($this->date)."'" : 'null');
         //$sql.= ", datea2 = ".(strval($this->dateend)!='' ? "'".$this->db->idate($this->dateend)."'" : 'null');
-        $sql.= ", note = ".($this->note ? "'".addslashes($this->note)."'":"null");
+        $sql.= ", note = ".($this->note ? "'".$this->db->escape($this->note)."'":"null");
         $sql.= ", fk_soc =". ($this->societe->id > 0 ? "'".$this->societe->id."'":"null");
         $sql.= ", fk_project =". ($this->fk_project > 0 ? "'".$this->fk_project."'":"null");
         $sql.= ", fk_contact =". ($this->contact->id > 0 ? "'".$this->contact->id."'":"null");
         $sql.= ", priority = '".$this->priority."'";
         $sql.= ", fulldayevent = '".$this->fulldayevent."'";
-        $sql.= ", location = ".($this->location ? "'".addslashes($this->location)."'":"null");
+        $sql.= ", location = ".($this->location ? "'".$this->db->escape($this->location)."'":"null");
         $sql.= ", fk_user_mod = '".$user->id."'";
 		$sql.= ", fk_user_action=".($this->usertodo->id > 0 ? "'".$this->usertodo->id."'":"null");
 		$sql.= ", fk_user_done=".($this->userdone->id > 0 ? "'".$this->userdone->id."'":"null");

htdocs/comm/mailing/class/mailing.class.php

@@ -143,9 +143,9 @@ class Mailing extends CommonObject
 	function update($user)
 	{
 		$sql = "UPDATE ".MAIN_DB_PREFIX."mailing ";
-		$sql .= " SET titre = '".addslashes($this->titre)."'";
+		$sql .= " SET titre = '".$this->db->escape($this->titre)."'";
-		$sql .= ", sujet = '".addslashes($this->sujet)."'";
+		$sql .= ", sujet = '".$this->db->escape($this->sujet)."'";
-		$sql .= ", body = '".addslashes($this->body)."'";
+		$sql .= ", body = '".$this->db->escape($this->body)."'";
 		$sql .= ", email_from = '".$this->email_from."'";
 		$sql .= ", email_replyto = '".$this->email_replyto."'";
 		$sql .= ", email_errorsto = '".$this->email_errorsto."'";

htdocs/comm/propal/class/propal.class.php

@@ -484,7 +484,7 @@ class Propal extends CommonObject
 			$sql.= " , tva_tx=".price2num($txtva);
 			$sql.= " , localtax1_tx=".price2num($txlocaltax1);
 			$sql.= " , localtax2_tx=".price2num($txlocaltax2);
-			$sql.= " , description='".addslashes($desc)."'";
+			$sql.= " , description='".$this->db->escape($desc)."'";
 			$sql.= " , total_ht=".price2num($total_ht);
 			$sql.= " , total_tva=".price2num($total_tva);
 			$sql.= " , total_localtax1=".price2num($total_localtax1);
@@ -631,13 +631,13 @@ class Propal extends CommonObject
 		$sql.= ", '".$this->db->idate($now)."'";
 		$sql.= ", '(PROV)'";
 		$sql.= ", ".($user->id > 0 ? "'".$user->id."'":"null");
-		$sql.= ", '".addslashes($this->note)."'";
+		$sql.= ", '".$this->db->escape($this->note)."'";
-		$sql.= ", '".addslashes($this->note_public)."'";
+		$sql.= ", '".$this->db->escape($this->note_public)."'";
 		$sql.= ", '".$this->modelpdf."'";
 		$sql.= ", '".$this->db->idate($this->fin_validite)."'";
 		$sql.= ", ".$this->cond_reglement_id;
 		$sql.= ", ".$this->mode_reglement_id;
-		$sql.= ", '".addslashes($this->ref_client)."'";
+		$sql.= ", '".$this->db->escape($this->ref_client)."'";
 		$sql.= ", ".($this->date_livraison!=''?"'".$this->db->idate($this->date_livraison)."'":'null');
 		$sql.= ", ".$conf->entity;
 		$sql.= ")";
@@ -1237,7 +1237,7 @@ class Propal extends CommonObject
 		{
 			dol_syslog('Propale::set_ref_client this->id='.$this->id.', ref_client='.$ref_client);
 
-			$sql = 'UPDATE '.MAIN_DB_PREFIX.'propal SET ref_client = '.(empty($ref_client) ? 'NULL' : '\''.addslashes($ref_client).'\'');
+			$sql = 'UPDATE '.MAIN_DB_PREFIX.'propal SET ref_client = '.(empty($ref_client) ? 'NULL' : '\''.$this->db->escape($ref_client).'\'');
 			$sql.= ' WHERE rowid = '.$this->id;
 			if ($this->db->query($sql) )
 			{
@@ -1340,7 +1340,7 @@ class Propal extends CommonObject
 		$this->db->begin();
 
 		$sql = "UPDATE ".MAIN_DB_PREFIX."propal";
-		$sql.= " SET fk_statut = ".$statut.", note = '".addslashes($note)."', date_cloture=".$this->db->idate(mktime()).", fk_user_cloture=".$user->id;
+		$sql.= " SET fk_statut = ".$statut.", note = '".$this->db->escape($note)."', date_cloture=".$this->db->idate(mktime()).", fk_user_cloture=".$user->id;
 		$sql.= " WHERE rowid = ".$this->id;
 
 		$resql=$this->db->query($sql);
@@ -2315,7 +2315,7 @@ class PropaleLigne
 		$sql.= ' info_bits, ';
 		$sql.= ' total_ht, total_tva, total_localtax1, total_localtax2, total_ttc, special_code, rang, marge_tx, marque_tx)';
 		$sql.= " VALUES (".$this->fk_propal.",";
-		$sql.= " '".addslashes($this->desc)."',";
+		$sql.= " '".$this->db->escape($this->desc)."',";
 		$sql.= " ".($this->fk_product?"'".$this->fk_product."'":"null").",";
 		$sql.= " '".$this->product_type."',";
 		$sql.= " ".($this->fk_remise_except?"'".$this->fk_remise_except."'":"null").",";
@@ -2379,7 +2379,7 @@ class PropaleLigne
 
 		// Mise a jour ligne en base
 		$sql = "UPDATE ".MAIN_DB_PREFIX."propaldet SET";
-		$sql.= " description='".addslashes($this->desc)."'";
+		$sql.= " description='".$this->db->escape($this->desc)."'";
 		if ($fk_remise_except) $sql.= ",fk_remise_except=".$this->fk_remise_except;
 		else $sql.= ",fk_remise_except=null";
 		$sql.= ",tva_tx='".price2num($this->tva_tx)."'";

htdocs/commande/class/commande.class.php

@@ -571,9 +571,9 @@ class Commande extends CommonObject
 		$sql.= " VALUES ('(PROV)',".$this->socid.", ".$this->db->idate(gmmktime()).", ".$user->id.", ".$this->fk_project;
 		$sql.= ", ".$this->db->idate($this->date_commande);
 		$sql.= ", ".($this->source>=0 && $this->source != '' ?$this->source:'null');
-		$sql.= ", '".addslashes($this->note)."'";
+		$sql.= ", '".$this->db->escape($this->note)."'";
-		$sql.= ", '".addslashes($this->note_public)."'";
+		$sql.= ", '".$this->db->escape($this->note_public)."'";
-		$sql.= ", '".addslashes($this->ref_client)."', '".$this->modelpdf."'";
+		$sql.= ", '".$this->db->escape($this->ref_client)."', '".$this->modelpdf."'";
 		$sql.= ", ".($this->cond_reglement_id>0?"'".$this->cond_reglement_id."'":"null");
 		$sql.= ", ".($this->mode_reglement_id>0?"'".$this->mode_reglement_id."'":"null");
 		$sql.= ", ".($this->date_livraison?"'".$this->db->idate($this->date_livraison)."'":"null");
@@ -1769,7 +1769,7 @@ class Commande extends CommonObject
 			dol_syslog('Commande::set_ref_client this->id='.$this->id.', ref_client='.$ref_client);
 
 			$sql = 'UPDATE '.MAIN_DB_PREFIX.'commande SET';
-			$sql.= ' ref_client = '.(empty($ref_client) ? 'NULL' : '\''.addslashes($ref_client).'\'');
+			$sql.= ' ref_client = '.(empty($ref_client) ? 'NULL' : '\''.$this->db->escape($ref_client).'\'');
 			$sql.= ' WHERE rowid = '.$this->id;
 
 			if ($this->db->query($sql) )
@@ -1886,7 +1886,7 @@ class Commande extends CommonObject
 
 			// Mise a jour ligne en base
 			$sql = "UPDATE ".MAIN_DB_PREFIX."commandedet SET";
-			$sql.= " description='".addslashes($desc)."'";
+			$sql.= " description='".$this->db->escape($desc)."'";
 			$sql.= ",price='".price2num($price)."'";
 			$sql.= ",subprice='".price2num($subprice)."'";
 			$sql.= ",remise='".price2num($remise)."'";
@@ -2620,7 +2620,7 @@ class OrderLine
 		$sql.= ' special_code, rang, marge_tx, marque_tx,';
 		$sql.= ' info_bits, total_ht, total_tva, total_localtax1, total_localtax2, total_ttc, date_start, date_end)';
 		$sql.= " VALUES (".$this->fk_commande.",";
-		$sql.= " '".addslashes($this->desc)."',";
+		$sql.= " '".$this->db->escape($this->desc)."',";
 		$sql.= " '".price2num($this->qty)."',";
 		$sql.= " '".price2num($this->tva_tx)."',";
 		$sql.= " '".price2num($this->localtax1_tx)."',";

htdocs/compta/bank/class/account.class.php

@@ -130,7 +130,7 @@ class Account extends CommonObject
         $sql.= "'".$line_id."'";
         $sql.= ", '".$url_id."'";
         $sql.= ", '".$url."'";
-        $sql.= ", '".addslashes($label)."'";
+        $sql.= ", '".$this->db->escape($label)."'";
         $sql.= ", '".$type."'";
         $sql.= ")";
 
@@ -258,14 +258,14 @@ class Account extends CommonObject
         $sql.= "'".$this->db->idate(mktime())."'";
         $sql.= ", '".$this->db->idate($date)."'";
         $sql.= ", '".$this->db->idate($datev)."'";
-        $sql.= ", '".addslashes($label)."'";
+        $sql.= ", '".$this->db->escape($label)."'";
         $sql.= ", ".price2num($amount);
         $sql.= ", '".$user->id."'";
         $sql.= ", ".($num_chq?"'".$num_chq."'":"null");
         $sql.= ", '".$this->rowid."'";
         $sql.= ", '".$oper."'";
-        $sql.= ", ".($emetteur?"'".addslashes($emetteur)."'":"null");
+        $sql.= ", ".($emetteur?"'".$this->db->escape($emetteur)."'":"null");
-        $sql.= ", ".($banque?"'".addslashes($banque)."'":"null");
+        $sql.= ", ".($banque?"'".$this->db->escape($banque)."'":"null");
         $sql.= ")";
 
         dol_syslog("Account::addline sql=".$sql);
@@ -347,15 +347,15 @@ class Account extends CommonObject
         $sql.= ", fk_pays";
         $sql.= ") VALUES (";
         $sql.= "'".$this->db->idate($now)."'";
-        $sql.= ", '".addslashes($this->ref)."'";
+        $sql.= ", '".$this->db->escape($this->ref)."'";
-        $sql.= ", '".addslashes($this->label)."'";
+        $sql.= ", '".$this->db->escape($this->label)."'";
         $sql.= ", ".$conf->entity;
-        $sql.= ", '".addslashes($this->account_number)."'";
+        $sql.= ", '".$this->db->escape($this->account_number)."'";
         $sql.= ", '".$this->currency_code."'";
         $sql.= ", ".$this->rappro;
         $sql.= ", ".price2num($this->min_allowed);
         $sql.= ", ".price2num($this->min_desired);
-        $sql.= ", '".addslashes($this->comment)."'";
+        $sql.= ", '".$this->db->escape($this->comment)."'";
         $sql.= ", ".($this->fk_departement>0?"'".$this->fk_departement."'":"null");
         $sql.= ", ".$this->fk_pays;
         $sql.= ")";
@@ -438,8 +438,8 @@ class Account extends CommonObject
 
         $sql = "UPDATE ".MAIN_DB_PREFIX."bank_account SET ";
 
-        $sql.= " ref   = '".addslashes($this->ref)."'";
+        $sql.= " ref   = '".$this->db->escape($this->ref)."'";
-        $sql.= ",label = '".addslashes($this->label)."'";
+        $sql.= ",label = '".$this->db->escape($this->label)."'";
 
         $sql.= ",courant = ".$this->courant;
         $sql.= ",clos = ".$this->clos;
@@ -451,7 +451,7 @@ class Account extends CommonObject
 
         $sql.= ",min_allowed = '".price2num($this->min_allowed)."'";
         $sql.= ",min_desired = '".price2num($this->min_desired)."'";
-        $sql.= ",comment     = '".addslashes($this->comment)."'";
+        $sql.= ",comment     = '".$this->db->escape($this->comment)."'";
 
         $sql.= ",fk_departement = ".($this->fk_departement>0?"'".$this->fk_departement."'":"null");
         $sql.= ",fk_pays = ".$this->fk_pays;
@@ -496,16 +496,16 @@ class Account extends CommonObject
         }
 
         $sql = "UPDATE ".MAIN_DB_PREFIX."bank_account SET ";
-        $sql.= " bank  = '".addslashes($this->bank)."'";
+        $sql.= " bank  = '".$this->db->escape($this->bank)."'";
         $sql.= ",code_banque='".$this->code_banque."'";
         $sql.= ",code_guichet='".$this->code_guichet."'";
         $sql.= ",number='".$this->number."'";
         $sql.= ",cle_rib='".$this->cle_rib."'";
         $sql.= ",bic='".$this->bic."'";
         $sql.= ",iban_prefix = '".$this->iban."'";
-        $sql.= ",domiciliation='".addslashes($this->domiciliation)."'";
+        $sql.= ",domiciliation='".$this->db->escape($this->domiciliation)."'";
-        $sql.= ",proprio = '".addslashes($this->proprio)."'";
+        $sql.= ",proprio = '".$this->db->escape($this->proprio)."'";
-        $sql.= ",adresse_proprio = '".addslashes($this->adresse_proprio)."'";
+        $sql.= ",adresse_proprio = '".$this->db->escape($this->adresse_proprio)."'";
         $sql.= ",fk_departement = ".($this->fk_departement>0?"'".$this->fk_departement."'":"null");
         $sql.= ",fk_pays = ".$this->fk_pays;
         $sql.= " WHERE rowid = ".$this->id;
@@ -548,7 +548,7 @@ class Account extends CommonObject
         $sql.= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_departements as d ON ba.fk_departement = d.rowid';
         $sql.= " WHERE entity = ".$conf->entity;
         if ($id)  $sql.= " AND ba.rowid  = ".$id;
-        if ($ref) $sql.= " AND ba.ref = '".addslashes($ref)."'";
+        if ($ref) $sql.= " AND ba.ref = '".$this->db->escape($ref)."'";
 
         dol_syslog("Account::fetch sql=".$sql);
         $result = $this->db->query($sql);

htdocs/compta/bank/class/bankcateg.class.php

@@ -83,7 +83,7 @@ class BankCateg // extends CommonObject
     	$sql.= "label";
     	$sql.= ", entity";
     	$sql.= ") VALUES (";
-    	$sql.= " ".(! isset($this->label)?'NULL':"'".addslashes($this->label)."'")."";
+    	$sql.= " ".(! isset($this->label)?'NULL':"'".$this->db->escape($this->label)."'")."";
     	$sql.= ", ".$conf->entity;
     	$sql.= ")";
 
@@ -189,7 +189,7 @@ class BankCateg // extends CommonObject
 
       // Update request
       $sql = "UPDATE ".MAIN_DB_PREFIX."bank_categ SET";
-      $sql.= " label=".(isset($this->label)?"'".addslashes($this->label)."'":"null")."";
+      $sql.= " label=".(isset($this->label)?"'".$this->db->escape($this->label)."'":"null")."";
       $sql.= " WHERE rowid=".$this->id;
       $sql.= " AND entity = ".$conf->entity;
 

htdocs/compta/deplacement/class/deplacement.class.php

@@ -103,8 +103,8 @@ class Deplacement extends CommonObject
 		$sql.= ", ".$user->id;
 		$sql.= ", ".$this->fk_user;
 		$sql.= ", '".$this->type."'";
-		$sql.= ", ".($this->note?"'".addslashes($this->note)."'":"null");
+		$sql.= ", ".($this->note?"'".$this->db->escape($this->note)."'":"null");
-		$sql.= ", ".($this->note_public?"'".addslashes($this->note_public)."'":"null");
+		$sql.= ", ".($this->note_public?"'".$this->db->escape($this->note_public)."'":"null");
 		$sql.= ", ".($this->fk_project > 0? $this->fk_project : 0);
 		$sql.= ", ".($this->fk_soc > 0? $this->fk_soc : "null");
 		$sql.= ")";
@@ -166,8 +166,8 @@ class Deplacement extends CommonObject
 		$sql .= " , type = '".$this->type."'";
 		$sql .= " , fk_user = ".$this->fk_user;
 		$sql .= " , fk_soc = ".($this->socid > 0?$this->socid:'null');
-		$sql .= " , note = ".($this->note?"'".addslashes($this->note)."'":"null");
+		$sql .= " , note = ".($this->note?"'".$this->db->escape($this->note)."'":"null");
-		$sql .= " , note_public = ".($this->note_public?"'".addslashes($this->note_public)."'":"null");
+		$sql .= " , note_public = ".($this->note_public?"'".$this->db->escape($this->note_public)."'":"null");
 		$sql .= " , fk_projet = ".($this->fk_project>0?$this->fk_project:0);
 		$sql .= " WHERE rowid = ".$this->id;
 

htdocs/compta/dons/class/don.class.php

@@ -321,16 +321,16 @@ class Don extends CommonObject
 		$sql.= ", ".$conf->entity;
 		$sql.= ", ".price2num($this->amount);
 		$sql.= ", ".$this->modepaiementid;
-		$sql.= ", '".addslashes($this->prenom)."'";
+		$sql.= ", '".$this->db->escape($this->prenom)."'";
-		$sql.= ", '".addslashes($this->nom)."'";
+		$sql.= ", '".$this->db->escape($this->nom)."'";
-		$sql.= ", '".addslashes($this->societe)."'";
+		$sql.= ", '".$this->db->escape($this->societe)."'";
-		$sql.= ", '".addslashes($this->adresse)."'";
+		$sql.= ", '".$this->db->escape($this->adresse)."'";
 		$sql.= ", '".$this->cp."'";
-		$sql.= ", '".addslashes($this->ville)."'";
+		$sql.= ", '".$this->db->escape($this->ville)."'";
-		$sql.= ", '".addslashes($this->pays)."'"; // TODO use fk_pays
+		$sql.= ", '".$this->db->escape($this->pays)."'"; // TODO use fk_pays
 		$sql.= ", ".$this->public;
 		$sql.= ", ".($this->fk_project > 0?$this->fk_project:"null");
-		$sql.= ", '".addslashes($this->note)."'";
+		$sql.= ", '".$this->db->escape($this->note)."'";
 		$sql.= ", ".$user->id;
 		$sql.= ", null";
 		$sql.= ", '".$this->date."'";
@@ -363,16 +363,16 @@ class Don extends CommonObject
 		$sql = "UPDATE ".MAIN_DB_PREFIX."don SET ";
 		$sql .= "amount = " . price2num($this->amount);
 		$sql .= ",fk_paiement = ".$this->modepaiementid;
-		$sql .= ",prenom = '".addslashes($this->prenom)."'";
+		$sql .= ",prenom = '".$this->db->escape($this->prenom)."'";
-		$sql .= ",nom='".addslashes($this->nom)."'";
+		$sql .= ",nom='".$this->db->escape($this->nom)."'";
-		$sql .= ",societe='".addslashes($this->societe)."'";
+		$sql .= ",societe='".$this->db->escape($this->societe)."'";
-		$sql .= ",adresse='".addslashes($this->adresse)."'";
+		$sql .= ",adresse='".$this->db->escape($this->adresse)."'";
 		$sql .= ",cp='".$this->cp."'";
-		$sql .= ",ville='".addslashes($this->ville)."'";
+		$sql .= ",ville='".$this->db->escape($this->ville)."'";
-		$sql .= ",pays='".addslashes($this->pays)."'"; // TODO use fk_pays
+		$sql .= ",pays='".$this->db->escape($this->pays)."'"; // TODO use fk_pays
 		$sql .= ",public=".$this->public;
 		$sql .= ",fk_don_projet=".($this->fk_project>0?$this->fk_project:'null');
-		$sql .= ",note='".addslashes($this->note)."'";
+		$sql .= ",note='".$this->db->escape($this->note)."'";
 		$sql .= ",datedon='".$this->date."'";
 		$sql .= ",email='".$this->email."'";
 		$sql .= ",fk_statut=".$this->statut;

htdocs/compta/facture/class/facture-rec.class.php

@@ -127,7 +127,7 @@ class FactureRec extends Facture
 			$sql.= ", ".$this->db->idate(mktime());
 			$sql.= ", '".$facsrc->amount."'";
 			$sql.= ", '".$facsrc->remise."'";
-			$sql.= ", '".addslashes($this->note)."'";
+			$sql.= ", '".$this->db->escape($this->note)."'";
 			$sql.= ", '".$user->id."'";
 			$sql.= ", ".($facsrc->fk_project?"'".$facsrc->fk_project."'":"null");
 			$sql.= ", '".$facsrc->cond_reglement_id."'";
@@ -477,7 +477,7 @@ class FactureRec extends Facture
 			$sql.= ", special_code";
 			$sql.= ") VALUES (";
 			$sql.= "'".$facid."'";
-			$sql.= ", '".addslashes($desc)."'";
+			$sql.= ", '".$this->db->escape($desc)."'";
 			$sql.= ", ".price2num($price);
 			$sql.= ", ".price2num($qty);
 			$sql.= ", ".price2num($txtva);

htdocs/compta/facture/class/facture.class.php

@@ -860,10 +860,10 @@ class Facture extends CommonObject
         // Update request
         $sql = "UPDATE ".MAIN_DB_PREFIX."facture SET";
 
-        $sql.= " facnumber=".(isset($this->ref)?"'".addslashes($this->ref)."'":"null").",";
+        $sql.= " facnumber=".(isset($this->ref)?"'".$this->db->escape($this->ref)."'":"null").",";
         $sql.= " type=".(isset($this->type)?$this->type:"null").",";
-        $sql.= " ref_client=".(isset($this->ref_client)?"'".addslashes($this->ref_client)."'":"null").",";
+        $sql.= " ref_client=".(isset($this->ref_client)?"'".$this->db->escape($this->ref_client)."'":"null").",";
-        $sql.= " increment=".(isset($this->increment)?"'".addslashes($this->increment)."'":"null").",";
+        $sql.= " increment=".(isset($this->increment)?"'".$this->db->escape($this->increment)."'":"null").",";
         $sql.= " fk_soc=".(isset($this->socid)?$this->socid:"null").",";
         $sql.= " datec=".(strval($this->date_creation)!='' ? "'".$this->db->idate($this->date_creation)."'" : 'null').",";
         $sql.= " datef=".(strval($this->date)!='' ? "'".$this->db->idate($this->date)."'" : 'null').",";
@@ -873,8 +873,8 @@ class Facture extends CommonObject
         $sql.= " remise_percent=".(isset($this->remise_percent)?$this->remise_percent:"null").",";
         $sql.= " remise_absolue=".(isset($this->remise_absolue)?$this->remise_absolue:"null").",";
         $sql.= " remise=".(isset($this->remise)?$this->remise:"null").",";
-        $sql.= " close_code=".(isset($this->close_code)?"'".addslashes($this->close_code)."'":"null").",";
+        $sql.= " close_code=".(isset($this->close_code)?"'".$this->db->escape($this->close_code)."'":"null").",";
-        $sql.= " close_note=".(isset($this->close_note)?"'".addslashes($this->close_note)."'":"null").",";
+        $sql.= " close_note=".(isset($this->close_note)?"'".$this->db->escape($this->close_note)."'":"null").",";
         $sql.= " tva=".(isset($this->total_tva)?$this->total_tva:"null").",";
         $sql.= " localtax1=".(isset($this->total_localtax1)?$this->total_localtax1:"null").",";
         $sql.= " localtax2=".(isset($this->total_localtax2)?$this->total_localtax2:"null").",";
@@ -888,10 +888,10 @@ class Facture extends CommonObject
         $sql.= " fk_cond_reglement=".(isset($this->cond_reglement_id)?$this->cond_reglement_id:"null").",";
         $sql.= " fk_mode_reglement=".(isset($this->mode_reglement_id)?$this->mode_reglement_id:"null").",";
         $sql.= " date_lim_reglement=".(strval($this->date_lim_reglement)!='' ? "'".$this->db->idate($this->date_lim_reglement)."'" : 'null').",";
-        $sql.= " note=".(isset($this->note)?"'".addslashes($this->note)."'":"null").",";
+        $sql.= " note=".(isset($this->note)?"'".$this->db->escape($this->note)."'":"null").",";
-        $sql.= " note_public=".(isset($this->note_public)?"'".addslashes($this->note_public)."'":"null").",";
+        $sql.= " note_public=".(isset($this->note_public)?"'".$this->db->escape($this->note_public)."'":"null").",";
-        $sql.= " model_pdf=".(isset($this->modelpdf)?"'".addslashes($this->modelpdf)."'":"null").",";
+        $sql.= " model_pdf=".(isset($this->modelpdf)?"'".$this->db->escape($this->modelpdf)."'":"null").",";
-        $sql.= " import_key=".(isset($this->import_key)?"'".addslashes($this->import_key)."'":"null")."";
+        $sql.= " import_key=".(isset($this->import_key)?"'".$this->db->escape($this->import_key)."'":"null")."";
 
         $sql.= " WHERE rowid=".$this->id;
 
@@ -1028,7 +1028,7 @@ class Facture extends CommonObject
         if (empty($ref_client))
         $sql .= ' SET ref_client = NULL';
         else
-        $sql .= ' SET ref_client = \''.addslashes($ref_client).'\'';
+        $sql .= ' SET ref_client = \''.$this->db->escape($ref_client).'\'';
         $sql .= ' WHERE rowid = '.$this->id;
         if ($this->db->query($sql))
         {
@@ -1216,8 +1216,8 @@ class Facture extends CommonObject
             $sql = 'UPDATE '.MAIN_DB_PREFIX.'facture SET';
             $sql.= ' fk_statut=2';
             if (! $close_code) $sql.= ', paye=1';
-            if ($close_code) $sql.= ", close_code='".addslashes($close_code)."'";
+            if ($close_code) $sql.= ", close_code='".$this->db->escape($close_code)."'";
-            if ($close_note) $sql.= ", close_note='".addslashes($close_note)."'";
+            if ($close_note) $sql.= ", close_note='".$this->db->escape($close_note)."'";
             $sql.= ' WHERE rowid = '.$this->id;
 
             $resql = $this->db->query($sql);
@@ -1325,8 +1325,8 @@ class Facture extends CommonObject
 
         $sql = 'UPDATE '.MAIN_DB_PREFIX.'facture SET';
         $sql.= ' fk_statut=3';
-        if ($close_code) $sql.= ", close_code='".addslashes($close_code)."'";
+        if ($close_code) $sql.= ", close_code='".$this->db->escape($close_code)."'";
-        if ($close_note) $sql.= ", close_note='".addslashes($close_note)."'";
+        if ($close_note) $sql.= ", close_note='".$this->db->escape($close_note)."'";
         $sql.= ' WHERE rowid = '.$this->id;
 
         $resql = $this->db->query($sql);
@@ -3202,7 +3202,7 @@ class FactureLigne
         $sql.= ' rang, special_code,';
         $sql.= ' info_bits, total_ht, total_tva, total_localtax1, total_localtax2, total_ttc)';
         $sql.= " VALUES (".$this->fk_facture.",";
-        $sql.= " '".addslashes($this->desc)."',";
+        $sql.= " '".$this->db->escape($this->desc)."',";
         $sql.= " ".price2num($this->qty).",";
         $sql.= " ".price2num($this->tva_tx).",";
         $sql.= " ".price2num($this->localtax1_tx).",";
@@ -3329,7 +3329,7 @@ class FactureLigne
 
         // Mise a jour ligne en base
         $sql = "UPDATE ".MAIN_DB_PREFIX."facturedet SET";
-        $sql.= " description='".addslashes($this->desc)."'";
+        $sql.= " description='".$this->db->escape($this->desc)."'";
         $sql.= ",subprice=".price2num($this->subprice)."";
         $sql.= ",price=".price2num($this->price)."";
         $sql.= ",remise=".price2num($this->remise)."";

htdocs/compta/facture/class/paymentterm.class.php

@@ -113,11 +113,11 @@ class PaymentTerm // extends CommonObject
         $sql.= ") VALUES (";
 
 		$sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->rowid."'").",";
-		$sql.= " ".(! isset($this->code)?'NULL':"'".addslashes($this->code)."'").",";
+		$sql.= " ".(! isset($this->code)?'NULL':"'".$this->db->escape($this->code)."'").",";
 		$sql.= " ".(! isset($this->sortorder)?'NULL':"'".$this->sortorder."'").",";
 		$sql.= " ".(! isset($this->active)?'NULL':"'".$this->active."'").",";
-		$sql.= " ".(! isset($this->libelle)?'NULL':"'".addslashes($this->libelle)."'").",";
+		$sql.= " ".(! isset($this->libelle)?'NULL':"'".$this->db->escape($this->libelle)."'").",";
-		$sql.= " ".(! isset($this->libelle_facture)?'NULL':"'".addslashes($this->libelle_facture)."'").",";
+		$sql.= " ".(! isset($this->libelle_facture)?'NULL':"'".$this->db->escape($this->libelle_facture)."'").",";
 		$sql.= " ".(! isset($this->fdm)?'NULL':"'".$this->fdm."'").",";
 		$sql.= " ".(! isset($this->nbjour)?'NULL':"'".$this->nbjour."'").",";
 		$sql.= " ".(! isset($this->decalage)?'NULL':"'".$this->decalage."'")."";
@@ -292,11 +292,11 @@ class PaymentTerm // extends CommonObject
         // Update request
         $sql = "UPDATE ".MAIN_DB_PREFIX."c_payment_term SET";
 
-		$sql.= " code=".(isset($this->code)?"'".addslashes($this->code)."'":"null").",";
+		$sql.= " code=".(isset($this->code)?"'".$this->db->escape($this->code)."'":"null").",";
 		$sql.= " sortorder=".(isset($this->sortorder)?$this->sortorder:"null").",";
 		$sql.= " active=".(isset($this->active)?$this->active:"null").",";
-		$sql.= " libelle=".(isset($this->libelle)?"'".addslashes($this->libelle)."'":"null").",";
+		$sql.= " libelle=".(isset($this->libelle)?"'".$this->db->escape($this->libelle)."'":"null").",";
-		$sql.= " libelle_facture=".(isset($this->libelle_facture)?"'".addslashes($this->libelle_facture)."'":"null").",";
+		$sql.= " libelle_facture=".(isset($this->libelle_facture)?"'".$this->db->escape($this->libelle_facture)."'":"null").",";
 		$sql.= " fdm=".(isset($this->fdm)?$this->fdm:"null").",";
 		$sql.= " nbjour=".(isset($this->nbjour)?$this->nbjour:"null").",";
 		$sql.= " decalage=".(isset($this->decalage)?$this->decalage:"null")."";

htdocs/compta/paiement/cheque/class/remisecheque.class.php

@@ -73,7 +73,7 @@ class RemiseCheque extends CommonObject
 		$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."bank_account as ba ON bc.fk_bank_account = ba.rowid";
 		$sql.= " WHERE bc.entity = ".$conf->entity;
 		if ($id)  $sql.= " AND bc.rowid = ".$id;
-		if ($ref) $sql.= " AND bc.number = '".addslashes($ref)."'";
+		if ($ref) $sql.= " AND bc.number = '".$this->db->escape($ref)."'";
 
 		dol_syslog("RemiseCheque::fetch sql=".$sql, LOG_DEBUG);
 		$resql = $this->db->query($sql);

htdocs/compta/paiement/class/paiement.class.php

@@ -150,7 +150,7 @@ class Paiement
 		$this->db->begin();
 
 		$sql = "INSERT INTO ".MAIN_DB_PREFIX."paiement (datec, datep, amount, fk_paiement, num_paiement, note, fk_user_creat)";
-		$sql.= " VALUES ('".$this->db->idate($now)."', '".$this->db->idate($this->datepaye)."', '".$totalamount."', ".$this->paiementid.", '".$this->num_paiement."', '".addslashes($this->note)."', ".$user->id.")";
+		$sql.= " VALUES ('".$this->db->idate($now)."', '".$this->db->idate($this->datepaye)."', '".$totalamount."', ".$this->paiementid.", '".$this->num_paiement."', '".$this->db->escape($this->note)."', ".$user->id.")";
 
 		dol_syslog(get_class($this)."::Create insert paiement sql=".$sql);
 		$resql = $this->db->query($sql);

htdocs/compta/prelevement/class/bon-prelevement.class.php

@@ -208,7 +208,7 @@ class BonPrelevement extends CommonObject
             $sql.= ") VALUES (";
             $sql.= $this->id;
             $sql.= ", ".$client_id;
-            $sql.= ", '".addslashes($client_nom)."'";
+            $sql.= ", '".$this->db->escape($client_nom)."'";
             $sql.= ", '".price2num($amount)."'";
             $sql.= ", '".$code_banque."'";
             $sql.= ", '".$code_guichet."'";

htdocs/compta/sociales/class/chargesociales.class.php

@@ -123,7 +123,7 @@ class ChargeSociales extends CommonObject
 		$this->db->begin();
 
 		$sql = "INSERT INTO ".MAIN_DB_PREFIX."chargesociales (fk_type, libelle, date_ech, periode, amount)";
-		$sql.= " VALUES (".$this->type.",'".addslashes($this->lib)."',";
+		$sql.= " VALUES (".$this->type.",'".$this->db->escape($this->lib)."',";
 		$sql.= " '".$this->db->idate($this->date_ech)."','".$this->db->idate($this->periode)."',";
 		$sql.= " ".price2num($newamount);
 		$sql.= ")";
@@ -180,7 +180,7 @@ class ChargeSociales extends CommonObject
 		$this->db->begin();
 
 		$sql = "UPDATE ".MAIN_DB_PREFIX."chargesociales";
-		$sql.= " SET libelle='".addslashes($this->lib)."',";
+		$sql.= " SET libelle='".$this->db->escape($this->lib)."',";
 		$sql.= " date_ech='".$this->db->idate($this->date_ech)."',";
 		$sql.= " periode='".$this->db->idate($this->periode)."'";
 		$sql.= " WHERE rowid=".$this->id;

htdocs/compta/sociales/class/paymentsocialcontribution.class.php

@@ -117,7 +117,7 @@ class PaymentSocialContribution extends CommonObject
 			$sql.= " VALUES ($this->chid, '".$this->db->idate($now)."',";
 			$sql.= " '".$this->db->idate($this->datepaye)."',";
 			$sql.= " ".$totalamount.",";
-			$sql.= " ".$this->paiementtype.", '".addslashes($this->num_paiement)."', '".addslashes($this->note)."', ".$user->id.",";
+			$sql.= " ".$this->paiementtype.", '".$this->db->escape($this->num_paiement)."', '".$this->db->escape($this->note)."', ".$user->id.",";
 			$sql.= " 0)";
 
 			dol_syslog(get_class($this)."::create sql=".$sql);
@@ -254,8 +254,8 @@ class PaymentSocialContribution extends CommonObject
 		$sql.= " datep=".(dol_strlen($this->datep)!=0 ? "'".$this->db->idate($this->datep)."'" : 'null').",";
 		$sql.= " amount=".(isset($this->amount)?$this->amount:"null").",";
 		$sql.= " fk_typepaiement=".(isset($this->fk_typepaiement)?$this->fk_typepaiement:"null").",";
-		$sql.= " num_paiement=".(isset($this->num_paiement)?"'".addslashes($this->num_paiement)."'":"null").",";
+		$sql.= " num_paiement=".(isset($this->num_paiement)?"'".$this->db->escape($this->num_paiement)."'":"null").",";
-		$sql.= " note=".(isset($this->note)?"'".addslashes($this->note)."'":"null").",";
+		$sql.= " note=".(isset($this->note)?"'".$this->db->escape($this->note)."'":"null").",";
 		$sql.= " fk_bank=".(isset($this->fk_bank)?$this->fk_bank:"null").",";
 		$sql.= " fk_user_creat=".(isset($this->fk_user_creat)?$this->fk_user_creat:"null").",";
 		$sql.= " fk_user_modif=".(isset($this->fk_user_modif)?$this->fk_user_modif:"null")."";

htdocs/compta/tva/class/tva.class.php

@@ -172,8 +172,8 @@ class Tva extends CommonObject
 		$sql.= " datep=".$this->db->idate($this->datep).",";
 		$sql.= " datev=".$this->db->idate($this->datev).",";
 		$sql.= " amount='".$this->amount."',";
-		$sql.= " label='".addslashes($this->label)."',";
+		$sql.= " label='".$this->db->escape($this->label)."',";
-		$sql.= " note='".addslashes($this->note)."',";
+		$sql.= " note='".$this->db->escape($this->note)."',";
 		$sql.= " fk_bank='".$this->fk_bank."',";
 		$sql.= " fk_user_creat='".$this->fk_user_creat."',";
 		$sql.= " fk_user_modif='".$this->fk_user_modif."'";
@@ -504,8 +504,8 @@ class Tva extends CommonObject
 		$sql.= ") ";
         $sql.= " VALUES ('".$this->db->idate($this->datep)."',";
         $sql.= "'".$this->db->idate($this->datev)."'," . $this->amount;
-        if ($this->note)  $sql.=", '".addslashes($this->note)."'";
+        if ($this->note)  $sql.=", '".$this->db->escape($this->note)."'";
-        if ($this->label) $sql.=", '".addslashes($this->label)."'";
+        if ($this->label) $sql.=", '".$this->db->escape($this->label)."'";
         $sql.=", '".$user->id."', NULL";
         $sql.= ")";
 

htdocs/contact/class/contact.class.php

@@ -112,7 +112,7 @@ class Contact extends CommonObject
 		$sql.= " VALUES ('".$this->db->idate($now)."',";
 		if ($this->socid > 0) $sql.= " ".$this->socid.",";
 		else $sql.= "null,";
-		$sql.= "'".addslashes($this->name)."',";
+		$sql.= "'".$this->db->escape($this->name)."',";
 		$sql.= " ".($user->id > 0 ? "'".$user->id."'":"null").",";
 		$sql.= " ".$this->priv.",";
         $sql.= " ".($this->canvas?"'".$this->canvas."'":"null");
@@ -204,24 +204,24 @@ class Contact extends CommonObject
 		$this->db->begin();
 
 		$sql = "UPDATE ".MAIN_DB_PREFIX."socpeople SET ";
-		if ($this->socid > 0) $sql .= " fk_soc='".addslashes($this->socid)."',";
+		if ($this->socid > 0) $sql .= " fk_soc='".$this->db->escape($this->socid)."',";
 		if ($this->socid == -1) $sql .= " fk_soc=null,";
-		$sql .= "  civilite='".addslashes($this->civilite_id)."'";
+		$sql .= "  civilite='".$this->db->escape($this->civilite_id)."'";
-		$sql .= ", name='".addslashes($this->name)."'";
+		$sql .= ", name='".$this->db->escape($this->name)."'";
-		$sql .= ", firstname='".addslashes($this->firstname)."'";
+		$sql .= ", firstname='".$this->db->escape($this->firstname)."'";
-		$sql .= ", address='".addslashes($this->address)."'";
+		$sql .= ", address='".$this->db->escape($this->address)."'";
-		$sql .= ", cp='".addslashes($this->cp)."'";
+		$sql .= ", cp='".$this->db->escape($this->cp)."'";
-		$sql .= ", ville='".addslashes($this->ville)."'";
+		$sql .= ", ville='".$this->db->escape($this->ville)."'";
 		$sql .= ", fk_pays=".($this->fk_pays>0?$this->fk_pays:'NULL');
 		$sql .= ", fk_departement=".($this->fk_departement>0?$this->fk_departement:'NULL');
-		$sql .= ", poste='".addslashes($this->poste)."'";
+		$sql .= ", poste='".$this->db->escape($this->poste)."'";
-		$sql .= ", fax='".addslashes($this->fax)."'";
+		$sql .= ", fax='".$this->db->escape($this->fax)."'";
-		$sql .= ", email='".addslashes($this->email)."'";
+		$sql .= ", email='".$this->db->escape($this->email)."'";
-		$sql .= ", note='".addslashes($this->note)."'";
+		$sql .= ", note='".$this->db->escape($this->note)."'";
-		$sql .= ", phone = '".addslashes($this->phone_pro)."'";
+		$sql .= ", phone = '".$this->db->escape($this->phone_pro)."'";
-		$sql .= ", phone_perso = '".addslashes($this->phone_perso)."'";
+		$sql .= ", phone_perso = '".$this->db->escape($this->phone_perso)."'";
-		$sql .= ", phone_mobile = '".addslashes($this->phone_mobile)."'";
+		$sql .= ", phone_mobile = '".$this->db->escape($this->phone_mobile)."'";
-		$sql .= ", jabberid = '".addslashes($this->jabberid)."'";
+		$sql .= ", jabberid = '".$this->db->escape($this->jabberid)."'";
 		$sql .= ", priv = '".$this->priv."'";
 		$sql .= ", fk_user_modif=".($user->id > 0 ? "'".$user->id."'":"null");
 		$sql .= ", default_lang=".($this->default_lang?"'".$this->default_lang."'":"null");
@@ -752,7 +752,7 @@ class Contact extends CommonObject
 	{
 		$sql = "SELECT count(mc.email) as nb";
 		$sql.= " FROM ".MAIN_DB_PREFIX."mailing_cibles as mc";
-		$sql.= " WHERE mc.email = '".addslashes($this->email)."'";
+		$sql.= " WHERE mc.email = '".$this->db->escape($this->email)."'";
 		$sql.= " AND mc.statut=1";      // -1 erreur, 0 non envoye, 1 envoye avec succes
 		$resql=$this->db->query($sql);
 		if ($resql)

htdocs/contrat/class/contrat.class.php

@@ -154,7 +154,7 @@ class Contrat extends CommonObject
 		$sql.= " date_fin_validite = ".(dol_strlen($date_end)!=0?"'".$this->db->idate($date_end)."'":"null").",";
 		$sql.= " fk_user_ouverture = ".$user->id.",";
 		$sql.= " date_cloture = null,";
-		$sql.= " commentaire = '".addslashes($comment)."'";
+		$sql.= " commentaire = '".$this->db->escape($comment)."'";
 		$sql.= " WHERE rowid = ".$line_id . " AND (statut = 0 OR statut = 3 OR statut = 5)";
 
 		dol_syslog("Contrat::active_line sql=".$sql);
@@ -200,7 +200,7 @@ class Contrat extends CommonObject
 		$sql = "UPDATE ".MAIN_DB_PREFIX."contratdet SET statut = 5,";
 		$sql.= " date_cloture = '".$this->db->idate($date_end)."',";
 		$sql.= " fk_user_cloture = ".$user->id.",";
-		$sql.= " commentaire = '".addslashes($comment)."'";
+		$sql.= " commentaire = '".$this->db->escape($comment)."'";
 		$sql.= " WHERE rowid = ".$line_id . " AND statut = 4";
 
 		$resql = $this->db->query($sql) ;
@@ -885,7 +885,7 @@ class Contrat extends CommonObject
 			$sql.= " price_ht, remise";								// \TODO A virer
 			if ($date_start > 0) { $sql.= ",date_ouverture_prevue"; }
 			if ($date_end > 0)  { $sql.= ",date_fin_validite"; }
-			$sql.= ") VALUES ($this->id, '" . addslashes($label) . "','" . addslashes($desc) . "',";
+			$sql.= ") VALUES ($this->id, '" . $this->db->escape($label) . "','" . $this->db->escape($desc) . "',";
 			$sql.= ($fk_product>0 ? $fk_product : "null").",";
 			$sql.= " '".$qty."',";
 			$sql.= " '".$txtva."',";
@@ -978,7 +978,7 @@ class Contrat extends CommonObject
 
 		$this->db->begin();
 
-		$sql = "UPDATE ".MAIN_DB_PREFIX."contratdet set description='".addslashes($desc)."'";
+		$sql = "UPDATE ".MAIN_DB_PREFIX."contratdet set description='".$this->db->escape($desc)."'";
 		$sql .= ",price_ht='" .     price2num($price)."'";
 		$sql .= ",subprice='" .     price2num($subprice)."'";
 		$sql .= ",remise='" .       price2num($remise)."'";
@@ -1794,8 +1794,8 @@ class ContratLigne
 		$sql.= " fk_contrat='".$this->fk_contrat."',";
 		$sql.= " fk_product=".($this->fk_product?"'".$this->fk_product."'":'null').",";
 		$sql.= " statut='".$this->statut."',";
-		$sql.= " label='".addslashes($this->label)."',";
+		$sql.= " label='".$this->db->escape($this->label)."',";
-		$sql.= " description='".addslashes($this->description)."',";
+		$sql.= " description='".$this->db->escape($this->description)."',";
 		$sql.= " date_commande=".($this->date_commande!=''?$this->db->idate($this->date_commande):"null").",";
 		$sql.= " date_ouverture_prevue=".($this->date_ouverture_prevue!=''?$this->db->idate($this->date_ouverture_prevue):"null").",";
 		$sql.= " date_ouverture=".($this->date_ouverture!=''?$this->db->idate($this->date_ouverture):"null").",";
@@ -1819,7 +1819,7 @@ class ContratLigne
 		$sql.= " fk_user_author=".($this->fk_user_author >= 0?$this->fk_user_author:"NULL").",";
 		$sql.= " fk_user_ouverture=".($this->fk_user_ouverture > 0?$this->fk_user_ouverture:"NULL").",";
 		$sql.= " fk_user_cloture=".($this->fk_user_cloture > 0?$this->fk_user_cloture:"NULL").",";
-		$sql.= " commentaire='".addslashes($this->commentaire)."'";
+		$sql.= " commentaire='".$this->db->escape($this->commentaire)."'";
 		$sql.= " WHERE rowid=".$this->id;
 
 		dol_syslog("ContratLigne::update sql=".$sql, LOG_DEBUG);

htdocs/core/class/commonobject.class.php

@@ -563,7 +563,7 @@ class CommonObject
 		$sql.= " FROM ".MAIN_DB_PREFIX.$this->table_element." as te";
 		if ($this->ismultientitymanaged == 2 || ($this->element != 'societe' && !$this->isnolinkedbythird && !$user->rights->societe->client->voir)) $sql.= ", ".MAIN_DB_PREFIX."societe as s";	// If we need to link to societe to limit select to entity
 		if (!$this->isnolinkedbythird && !$user->rights->societe->client->voir) $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON ".$alias.".rowid = sc.fk_soc";
-		$sql.= " WHERE te.".$fieldid." < '".addslashes($this->ref)."'";
+		$sql.= " WHERE te.".$fieldid." < '".$this->db->escape($this->ref)."'";
 		if (!$this->isnolinkedbythird && !$user->rights->societe->client->voir) $sql.= " AND sc.fk_user = " .$user->id;
 		if (! empty($filter)) $sql.=" AND ".$filter;
 		if ($this->ismultientitymanaged == 2 || ($this->element != 'societe' && !$this->isnolinkedbythird && !$user->rights->societe->client->voir)) $sql.= ' AND te.fk_soc = s.rowid';			// If we need to link to societe to limit select to entity
@@ -584,7 +584,7 @@ class CommonObject
 		$sql.= " FROM ".MAIN_DB_PREFIX.$this->table_element." as te";
 		if ($this->ismultientitymanaged == 2 || ($this->element != 'societe' && !$this->isnolinkedbythird && !$user->rights->societe->client->voir)) $sql.= ", ".MAIN_DB_PREFIX."societe as s";	// If we need to link to societe to limit select to entity
 		if (!$this->isnolinkedbythird && !$user->rights->societe->client->voir) $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON ".$alias.".rowid = sc.fk_soc";
-		$sql.= " WHERE te.".$fieldid." > '".addslashes($this->ref)."'";
+		$sql.= " WHERE te.".$fieldid." > '".$this->db->escape($this->ref)."'";
 		if (!$this->isnolinkedbythird && !$user->rights->societe->client->voir) $sql.= " AND sc.fk_user = " .$user->id;
 		if (isset($filter)) $sql.=" AND ".$filter;
 		if ($this->ismultientitymanaged == 2 || ($this->element != 'societe' && !$this->isnolinkedbythird && !$user->rights->societe->client->voir)) $sql.= ' AND te.fk_soc = s.rowid';			// If we need to link to societe to limit select to entity
@@ -925,11 +925,11 @@ class CommonObject
 		// TODO uniformize fields note_private
 		if ($this->table_element == 'fichinter' || $this->table_element == 'projet' || $this->table_element == 'projet_task')
 		{
-			$sql.= " SET note_private = '".addslashes($note)."'";
+			$sql.= " SET note_private = '".$this->db->escape($note)."'";
 		}
 		else
 		{
-			$sql.= " SET note = '".addslashes($note)."'";
+			$sql.= " SET note = '".$this->db->escape($note)."'";
 		}
 		$sql.= " WHERE rowid =". $this->id;
 
@@ -961,7 +961,7 @@ class CommonObject
 		}
 
 		$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element;
-		$sql.= " SET note_public = '".addslashes($note_public)."'";
+		$sql.= " SET note_public = '".$this->db->escape($note_public)."'";
 		$sql.= " WHERE rowid =". $this->id;
 
 		dol_syslog("CommonObject::update_note_public sql=".$sql);

htdocs/core/class/discount.class.php

@@ -152,7 +152,7 @@ class DiscountAbsolute
 		$sql.= " amount_ht, amount_tva, amount_ttc, tva_tx,";
 		$sql.= " fk_facture_source";
 		$sql.= ")";
-		$sql.= " VALUES (".$this->db->idate($this->datec!=''?$this->datec:dol_now()).", ".$this->fk_soc.", ".$user->id.", '".addslashes($this->description)."',";
+		$sql.= " VALUES (".$this->db->idate($this->datec!=''?$this->datec:dol_now()).", ".$this->fk_soc.", ".$user->id.", '".$this->db->escape($this->description)."',";
 		$sql.= " ".$this->amount_ht.", ".$this->amount_tva.", ".$this->amount_ttc.", ".$this->tva_tx.",";
 		$sql.= " ".($this->fk_facture_source?"'".$this->fk_facture_source."'":"null");
 		$sql.= ")";

htdocs/core/class/events.class.php

@@ -98,7 +98,7 @@ class Events // extends CommonObject
 		$sql.= " ".($_SERVER['HTTP_USER_AGENT']?"'".dol_trunc($_SERVER['HTTP_USER_AGENT'],250)."'":'NULL').",";
 		$sql.= " ".$this->db->idate($this->dateevent).",";
 		$sql.= " ".($user->id?"'".$user->id."'":'NULL').",";
-		$sql.= " '".addslashes($this->description)."'";
+		$sql.= " '".$this->db->escape($this->description)."'";
 		$sql.= ")";
 
 		dol_syslog("Events::create sql=".$sql, LOG_DEBUG);
@@ -139,7 +139,7 @@ class Events // extends CommonObject
 		$sql = "UPDATE ".MAIN_DB_PREFIX."events SET";
 		$sql.= " type='".$this->type."',";
 		$sql.= " dateevent=".$this->db->idate($this->dateevent).",";
-		$sql.= " description='".addslashes($this->description)."'";
+		$sql.= " description='".$this->db->escape($this->description)."'";
 		$sql.= " WHERE rowid=".$this->id;
 
 		dol_syslog("Events::update sql=".$sql, LOG_DEBUG);

htdocs/core/class/menubase.class.php

@@ -195,20 +195,20 @@ class Menubase
 
         // Update request
         $sql = "UPDATE ".MAIN_DB_PREFIX."menu SET";
-        $sql.= " menu_handler='".addslashes($this->menu_handler)."',";
+        $sql.= " menu_handler='".$this->db->escape($this->menu_handler)."',";
-        $sql.= " module='".addslashes($this->module)."',";
+        $sql.= " module='".$this->db->escape($this->module)."',";
         $sql.= " type='".$this->type."',";
-        $sql.= " mainmenu='".addslashes($this->mainmenu)."',";
+        $sql.= " mainmenu='".$this->db->escape($this->mainmenu)."',";
         $sql.= " fk_menu='".$this->fk_menu."',";
         $sql.= " position='".$this->position."',";
-        $sql.= " url='".addslashes($this->url)."',";
+        $sql.= " url='".$this->db->escape($this->url)."',";
-        $sql.= " target='".addslashes($this->target)."',";
+        $sql.= " target='".$this->db->escape($this->target)."',";
-        $sql.= " titre='".addslashes($this->titre)."',";
+        $sql.= " titre='".$this->db->escape($this->titre)."',";
-        $sql.= " langs='".addslashes($this->langs)."',";
+        $sql.= " langs='".$this->db->escape($this->langs)."',";
         $sql.= " level='".$this->level."',";
-        $sql.= " leftmenu='".addslashes($this->leftmenu)."',";
+        $sql.= " leftmenu='".$this->db->escape($this->leftmenu)."',";
-        $sql.= " perms='".addslashes($this->perms)."',";
+        $sql.= " perms='".$this->db->escape($this->perms)."',";
-        $sql.= " enabled='".addslashes($this->enabled)."',";
+        $sql.= " enabled='".$this->db->escape($this->enabled)."',";
         $sql.= " usertype='".$this->user."'";
         $sql.= " WHERE rowid=".$this->id;
 

htdocs/core/class/notify.class.php

@@ -208,7 +208,7 @@ class Notify
                         $sendto = htmlentities($sendto);
 
                         $sql = "INSERT INTO ".MAIN_DB_PREFIX."notify (daten, fk_action, fk_contact, objet_type, objet_id, email)";
-                        $sql.= " VALUES (".$this->db->idate(mktime()).", ".$actiondefid." ,".$obj->cid." , '".$objet_type."', ".$objet_id.", '".addslashes($obj->email)."')";
+                        $sql.= " VALUES (".$this->db->idate(mktime()).", ".$actiondefid." ,".$obj->cid." , '".$objet_type."', ".$objet_id.", '".$this->db->escape($obj->email)."')";
                         dol_syslog("Notify::send sql=".$sql);
                         if (! $this->db->query($sql) )
                         {

htdocs/ecm/class/ecmdirectory.class.php

@@ -131,10 +131,10 @@ class EcmDirectory // extends CommonObject
 			$sql.= "date_c,";
 			$sql.= "fk_user_c";
 			$sql.= ") VALUES (";
-			$sql.= " '".addslashes($this->label)."',";
+			$sql.= " '".$this->db->escape($this->label)."',";
 			$sql.= " '".$conf->entity."',";
 			$sql.= " '".$this->fk_parent."',";
-			$sql.= " '".addslashes($this->description)."',";
+			$sql.= " '".$this->db->escape($this->description)."',";
 			$sql.= " ".($this->cachenbofdoc).",";
 			$sql.= " '".$this->db->idate($this->date_c)."',";
 			$sql.= " '".$this->fk_user_c."'";
@@ -201,9 +201,9 @@ class EcmDirectory // extends CommonObject
 
 		// Update request
 		$sql = "UPDATE ".MAIN_DB_PREFIX."ecm_directories SET";
-		$sql.= " label='".addslashes($this->label)."',";
+		$sql.= " label='".$this->db->escape($this->label)."',";
 		$sql.= " fk_parent='".$this->fk_parent."',";
-		$sql.= " description='".addslashes($this->description)."'";
+		$sql.= " description='".$this->db->escape($this->description)."'";
 		$sql.= " WHERE rowid=".$this->id;
 
 		dol_syslog("EcmDirectories::update sql=".$sql, LOG_DEBUG);

htdocs/expedition/class/expedition.class.php

@@ -182,7 +182,7 @@ class Expedition extends CommonObject
 		$sql.= ", ".$this->socid;
 		$sql.= ", ".($this->fk_delivery_address>0?$this->fk_delivery_address:"null");
 		$sql.= ", ".($this->expedition_method_id>0?$this->expedition_method_id:"null");
-		$sql.= ", '".addslashes($this->tracking_number)."'";
+		$sql.= ", '".$this->db->escape($this->tracking_number)."'";
 		$sql.= ", ".$this->weight;
 		$sql.= ", ".$this->sizeS;	// TODO Should use this->trueDepth
 		$sql.= ", ".$this->sizeW;	// TODO Should use this->trueWidth
@@ -664,8 +664,8 @@ class Expedition extends CommonObject
         $sql = "UPDATE ".MAIN_DB_PREFIX."expedition SET";
 
 		$sql.= " tms=".(dol_strlen($this->tms)!=0 ? "'".$this->db->idate($this->tms)."'" : 'null').",";
-		$sql.= " ref=".(isset($this->ref)?"'".addslashes($this->ref)."'":"null").",";
+		$sql.= " ref=".(isset($this->ref)?"'".$this->db->escape($this->ref)."'":"null").",";
-		$sql.= " ref_customer=".(isset($this->ref_customer)?"'".addslashes($this->ref_customer)."'":"null").",";
+		$sql.= " ref_customer=".(isset($this->ref_customer)?"'".$this->db->escape($this->ref_customer)."'":"null").",";
 		$sql.= " fk_soc=".(isset($this->socid)?$this->socid:"null").",";
 		$sql.= " date_creation=".(dol_strlen($this->date_creation)!=0 ? "'".$this->db->idate($this->date_creation)."'" : 'null').",";
 		$sql.= " fk_user_author=".(isset($this->fk_user_author)?$this->fk_user_author:"null").",";
@@ -675,7 +675,7 @@ class Expedition extends CommonObject
 		$sql.= " date_delivery=".(dol_strlen($this->date_delivery)!=0 ? "'".$this->db->idate($this->date_delivery)."'" : 'null').",";
 		$sql.= " fk_address=".(isset($this->fk_adresse_livraison)?$this->fk_adresse_livraison:"null").",";
 		$sql.= " fk_expedition_methode=".(isset($this->expedition_method_id)?$this->expedition_method_id:"null").",";
-		$sql.= " tracking_number=".(isset($this->tracking_number)?"'".addslashes($this->tracking_number)."'":"null").",";
+		$sql.= " tracking_number=".(isset($this->tracking_number)?"'".$this->db->escape($this->tracking_number)."'":"null").",";
 		$sql.= " fk_statut=".(isset($this->statut)?$this->statut:"null").",";
 		$sql.= " height=".(isset($this->trueHeight)?$this->trueHeight:"null").",";
 		$sql.= " width=".(isset($this->trueWidth)?$this->trueWidth:"null").",";
@@ -683,8 +683,8 @@ class Expedition extends CommonObject
 		$sql.= " size=".(isset($this->trueDepth)?$this->trueDepth:"null").",";
 		$sql.= " weight_units=".(isset($this->weight_units)?$this->weight_units:"null").",";
 		$sql.= " weight=".(isset($this->trueWeight)?$this->trueWeight:"null").",";
-		$sql.= " note=".(isset($this->note)?"'".addslashes($this->note)."'":"null").",";
+		$sql.= " note=".(isset($this->note)?"'".$this->db->escape($this->note)."'":"null").",";
-		$sql.= " model_pdf=".(isset($this->model_pdf)?"'".addslashes($this->model_pdf)."'":"null").",";
+		$sql.= " model_pdf=".(isset($this->model_pdf)?"'".$this->db->escape($this->model_pdf)."'":"null").",";
 		$sql.= " entity=".$conf->entity;
 
         $sql.= " WHERE rowid=".$this->id;

htdocs/fichinter/class/fichinter.class.php

@@ -141,7 +141,7 @@ class Fichinter extends CommonObject
 		$sql.= ", '".$this->ref."'";
 		$sql.= ", ".$conf->entity;
 		$sql.= ", ".$this->author;
-		$sql.= ", ".($this->description?"'".addslashes($this->description)."'":"null");
+		$sql.= ", ".($this->description?"'".$this->db->escape($this->description)."'":"null");
 		$sql.= ", '".$this->modelpdf."'";
 		$sql.= ", ".($this->fk_project ? $this->fk_project : 0);
 		$sql.= ", ".$this->statut;
@@ -180,7 +180,7 @@ class Fichinter extends CommonObject
 		 *  Insertion dans la base
 		 */
 		$sql = "UPDATE ".MAIN_DB_PREFIX."fichinter SET ";
-		$sql.= ", description  = '".addslashes($this->description)."'";
+		$sql.= ", description  = '".$this->db->escape($this->description)."'";
 		$sql.= ", duree = ".$this->duree;
 		$sql.= ", fk_projet = ".$this->fk_project;
 		$sql.= " WHERE rowid = ".$id;
@@ -638,7 +638,7 @@ class Fichinter extends CommonObject
 		if ($user->rights->ficheinter->creer)
 		{
 			$sql = "UPDATE ".MAIN_DB_PREFIX."fichinter ";
-			$sql.= " SET description = '".addslashes($description)."'";
+			$sql.= " SET description = '".$this->db->escape($description)."'";
 			$sql.= " WHERE rowid = ".$this->id;
 			$sql.= " AND entity = ".$conf->entity;
 			$sql.= " AND fk_statut = 0";
@@ -895,7 +895,7 @@ class FichinterLigne
 		$sql = 'INSERT INTO '.MAIN_DB_PREFIX.'fichinterdet';
 		$sql.= ' (fk_fichinter, description, date, duree, rang)';
 		$sql.= " VALUES (".$this->fk_fichinter.",";
-		$sql.= " '".addslashes($this->desc)."',";
+		$sql.= " '".$this->db->escape($this->desc)."',";
 		$sql.= " ".$this->db->idate($this->datei).",";
 		$sql.= " ".$this->duration.",";
 		$sql.= ' '.$rangToUse;
@@ -938,7 +938,7 @@ class FichinterLigne
 
 		// Mise a jour ligne en base
 		$sql = "UPDATE ".MAIN_DB_PREFIX."fichinterdet SET";
-		$sql.= " description='".addslashes($this->desc)."'";
+		$sql.= " description='".$this->db->escape($this->desc)."'";
 		$sql.= ",date=".$this->db->idate($this->datei);
 		$sql.= ",duree=".$this->duration;
 		$sql.= ",rang='".$this->rang."'";

htdocs/fourn/class/fournisseur.class.php

@@ -222,7 +222,7 @@ class Fournisseur extends Societe
 	{
 		$sql = "INSERT INTO ".MAIN_DB_PREFIX."categorie (label,visible,type)";
 		$sql.= " VALUES ";
-		$sql.= " ('".addslashes($name)."',1,1)";
+		$sql.= " ('".$this->db->escape($name)."',1,1)";
 
 		dol_syslog("Fournisseur::CreateCategory sql=".$sql);
 		$resql = $this->db->query($sql);

htdocs/fourn/class/fournisseur.commande.class.php

@@ -232,7 +232,7 @@ class CommandeFournisseur extends Commande
 		$sql = "INSERT INTO ".MAIN_DB_PREFIX."commande_fournisseur_log (datelog, fk_commande, fk_statut, fk_user, comment)";
 		$sql.= " VALUES (".$this->db->idate($datelog).",".$this->id.", ".$statut.", ";
 		$sql.= $user->id.", ";
-		$sql.= ($comment?"'".addslashes($comment)."'":'null');
+		$sql.= ($comment?"'".$this->db->escape($comment)."'":'null');
 		$sql.= ")";
 
 		dol_syslog("FournisseurCommande::log sql=".$sql, LOG_DEBUG);
@@ -926,7 +926,7 @@ class CommandeFournisseur extends Commande
 			$sql.= " qty, tva_tx, localtax1_tx, localtax2_tx, remise_percent, subprice, remise, ref,";
 			$sql.= " total_ht, total_tva, total_localtax1, total_localtax2, total_ttc";
 			$sql.= ")";
-			$sql.= " VALUES (".$this->id.", '" . addslashes($label) . "','" . addslashes($desc) . "',";
+			$sql.= " VALUES (".$this->id.", '" . $this->db->escape($label) . "','" . $this->db->escape($desc) . "',";
 			if ($fk_product) { $sql.= $fk_product.","; }
 			else { $sql.= "null,"; }
 			$sql.= "'".$product_type."',";
@@ -1230,7 +1230,7 @@ class CommandeFournisseur extends Commande
 
 	  $sql = "INSERT INTO ".MAIN_DB_PREFIX."commande_fournisseurdet";
 	  $sql .= " (fk_commande,label,description,fk_product, price, qty, tva_tx, localtax1_tx, localtax2_tx, remise_percent, subprice, remise, ref)";
-	  $sql .= " VALUES (".$idc.", '" . addslashes($libelle) . "','" . addslashes($comclient->lines[$i]->desc) . "'";
+	  $sql .= " VALUES (".$idc.", '" . $this->db->escape($libelle) . "','" . $this->db->escape($comclient->lines[$i]->desc) . "'";
 	  $sql .= ",".$comclient->lines[$i]->fk_product.",'".price2num($comclient->lines[$i]->price)."'";
 	  $sql .= ", '".$comclient->lines[$i]->qty."', ".$comclient->lines[$i]->tva_tx.", ".$comclient->lines[$i]->localtax1_tx.", ".$comclient->lines[$i]->localtax2_tx.", ".$comclient->lines[$i]->remise_percent;
 	  $sql .= ", '".price2num($comclient->lines[$i]->subprice)."','0','".$ref."') ;";
@@ -1257,8 +1257,8 @@ class CommandeFournisseur extends Commande
 		$result = 0;
 
 		$sql = "UPDATE ".MAIN_DB_PREFIX."commande_fournisseur";
-		$sql.= " SET note  ='".addslashes($note)."',";
+		$sql.= " SET note  ='".$this->db->escape($note)."',";
-		$sql.= " note_public  ='".addslashes($note_public)."'";
+		$sql.= " note_public  ='".$this->db->escape($note_public)."'";
 		$sql.= " WHERE rowid = ".$this->id;
 
 		dol_syslog("CommandeFournisseur::UpdateNote sql=".$sql);
@@ -1424,7 +1424,7 @@ class CommandeFournisseur extends Commande
 
 			// Mise a jour ligne en base
 			$sql = "UPDATE ".MAIN_DB_PREFIX."commande_fournisseurdet SET";
-			$sql.= " description='".addslashes($desc)."'";
+			$sql.= " description='".$this->db->escape($desc)."'";
 			$sql.= ",subprice='".price2num($subprice)."'";
 			$sql.= ",remise='".price2num($remise)."'";
 			$sql.= ",remise_percent='".price2num($remise_percent)."'";

htdocs/fourn/class/fournisseur.facture.class.php

@@ -569,19 +569,19 @@ class FactureFournisseur extends Facture
 
         // Update request
         $sql = "UPDATE ".MAIN_DB_PREFIX."facture_fourn SET";
-        $sql.= " facnumber=".(isset($this->facnumber)?"'".addslashes($this->facnumber)."'":"null").",";
+        $sql.= " facnumber=".(isset($this->facnumber)?"'".$this->db->escape($this->facnumber)."'":"null").",";
         $sql.= " entity=".(isset($this->entity)?$this->entity:"null").",";
         $sql.= " type=".(isset($this->type)?$this->type:"null").",";
         $sql.= " fk_soc=".(isset($this->fk_soc)?$this->fk_soc:"null").",";
         $sql.= " datec=".(dol_strlen($this->datec)!=0 ? "'".$this->db->idate($this->datec)."'" : 'null').",";
         $sql.= " datef=".(dol_strlen($this->date)!=0 ? "'".$this->db->idate($this->date)."'" : 'null').",";
         $sql.= " tms=".(dol_strlen($this->tms)!=0 ? "'".$this->db->idate($this->tms)."'" : 'null').",";
-        $sql.= " libelle=".(isset($this->label)?"'".addslashes($this->label)."'":"null").",";
+        $sql.= " libelle=".(isset($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
         $sql.= " paye=".(isset($this->paye)?$this->paye:"null").",";
         $sql.= " amount=".(isset($this->amount)?$this->amount:"null").",";
         $sql.= " remise=".(isset($this->remise)?$this->remise:"null").",";
-        $sql.= " close_code=".(isset($this->close_code)?"'".addslashes($this->close_code)."'":"null").",";
+        $sql.= " close_code=".(isset($this->close_code)?"'".$this->db->escape($this->close_code)."'":"null").",";
-        $sql.= " close_note=".(isset($this->close_note)?"'".addslashes($this->close_note)."'":"null").",";
+        $sql.= " close_note=".(isset($this->close_note)?"'".$this->db->escape($this->close_note)."'":"null").",";
         $sql.= " tva=".(isset($this->tva)?$this->tva:"null").",";
         $sql.= " localtax1=".(isset($this->localtax1)?$this->localtax1:"null").",";
         $sql.= " localtax2=".(isset($this->localtax2)?$this->localtax2:"null").",";
@@ -596,10 +596,10 @@ class FactureFournisseur extends Facture
         $sql.= " fk_projet=".(isset($this->fk_project)?$this->fk_project:"null").",";
         $sql.= " fk_cond_reglement=".(isset($this->fk_cond_reglement)?$this->fk_cond_reglement:"null").",";
         $sql.= " date_lim_reglement=".(dol_strlen($this->date_echeance)!=0 ? "'".$this->db->idate($this->date_echeance)."'" : 'null').",";
-        $sql.= " note=".(isset($this->note)?"'".addslashes($this->note)."'":"null").",";
+        $sql.= " note=".(isset($this->note)?"'".$this->db->escape($this->note)."'":"null").",";
-        $sql.= " note_public=".(isset($this->note_public)?"'".addslashes($this->note_public)."'":"null").",";
+        $sql.= " note_public=".(isset($this->note_public)?"'".$this->db->escape($this->note_public)."'":"null").",";
-        $sql.= " model_pdf=".(isset($this->model_pdf)?"'".addslashes($this->model_pdf)."'":"null").",";
+        $sql.= " model_pdf=".(isset($this->model_pdf)?"'".$this->db->escape($this->model_pdf)."'":"null").",";
-        $sql.= " import_key=".(isset($this->import_key)?"'".addslashes($this->import_key)."'":"null")."";
+        $sql.= " import_key=".(isset($this->import_key)?"'".$this->db->escape($this->import_key)."'":"null")."";
         $sql.= " WHERE rowid=".$this->id;
 
         $this->db->begin();
@@ -700,7 +700,7 @@ class FactureFournisseur extends Facture
 	{
 		if ($user->rights->fournisseur->facture->creer)
 		{
-			$sql = 'UPDATE '.MAIN_DB_PREFIX.'facture_fourn SET facnumber = '.(empty($ref_supplier) ? 'NULL' : '\''.addslashes($ref_supplier).'\'');
+			$sql = 'UPDATE '.MAIN_DB_PREFIX.'facture_fourn SET facnumber = '.(empty($ref_supplier) ? 'NULL' : '\''.$this->db->escape($ref_supplier).'\'');
 			$sql.= ' WHERE rowid = '.$this->id;
 
 			dol_syslog("FactureFournisseur::set_ref_supplier sql=".$sql);
@@ -1096,7 +1096,7 @@ class FactureFournisseur extends Facture
 		}
 
 		$sql = "UPDATE ".MAIN_DB_PREFIX."facture_fourn_det SET";
-		$sql.= " description ='".addslashes($label)."'";
+		$sql.= " description ='".$this->db->escape($label)."'";
 		$sql.= ", pu_ht = ".price2num($pu_ht);
 		$sql.= ", pu_ttc = ".price2num($pu_ttc);
 		$sql.= ", qty = ".price2num($qty);

htdocs/fourn/class/paiementfourn.class.php

@@ -145,7 +145,7 @@ class PaiementFourn extends Paiement
 			$sql = 'INSERT INTO '.MAIN_DB_PREFIX.'paiementfourn (';
 			$sql.= 'datec, datep, amount, fk_paiement, num_paiement, note, fk_user_author, fk_bank)';
 			$sql.= ' VALUES ('.$this->db->idate(mktime()).',';
-			$sql.= " ".$this->db->idate($this->datepaye).", '".$this->total."', ".$this->paiementid.", '".$this->num_paiement."', '".addslashes($this->note)."', ".$user->id.", 0)";
+			$sql.= " ".$this->db->idate($this->datepaye).", '".$this->total."', ".$this->paiementid.", '".$this->num_paiement."', '".$this->db->escape($this->note)."', ".$user->id.", 0)";
 
 			dol_syslog("PaiementFourn::create sql=".$sql);
 			$resql = $this->db->query($sql);

htdocs/imports/class/import.class.php

@@ -230,7 +230,7 @@ class Import
 
 		$sql = 'INSERT INTO '.MAIN_DB_PREFIX.'import_model (';
 		$sql.= 'label, type, field)';
-		$sql.= " VALUES ('".addslashes($this->model_name)."', '".$this->datatoimport."', '".$this->hexa."')";
+		$sql.= " VALUES ('".$this->db->escape($this->model_name)."', '".$this->datatoimport."', '".$this->hexa."')";
 
 		dol_syslog("Import::create sql=".$sql, LOG_DEBUG);
 		$resql=$this->db->query($sql);

htdocs/livraison/class/livraison.class.php

@@ -125,7 +125,7 @@ class Livraison extends CommonObject
 			$numref = "(PROV".$this->id.")";
 
 			$sql = "UPDATE ".MAIN_DB_PREFIX."livraison ";
-			$sql.= "SET ref = '".addslashes($numref)."'";
+			$sql.= "SET ref = '".$this->db->escape($numref)."'";
 			$sql.= " WHERE rowid = ".$this->id;
 
 			dol_syslog("Livraison::create sql=".$sql, LOG_DEBUG);
@@ -220,7 +220,7 @@ class Livraison extends CommonObject
 		$sql.= " fk_product, description, qty)";
 		$sql.= " VALUES (".$this->id.",".$commande_ligne_id.",";
 		$sql.= " ".($idprod>0?$idprod:"null").",";
-		$sql.= " ".($description?"'".addslashes($description)."'":"null").",";
+		$sql.= " ".($description?"'".$this->db->escape($description)."'":"null").",";
 		$sql.= $qty.")";
 
 		dol_syslog("Livraison::create_line sql=".$sql, LOG_DEBUG);
@@ -365,7 +365,7 @@ class Livraison extends CommonObject
 					}
 
 					$sql = "UPDATE ".MAIN_DB_PREFIX."livraison SET";
-					$sql.= " ref='".addslashes($this->ref)."'";
+					$sql.= " ref='".$this->db->escape($this->ref)."'";
 					$sql.= ", fk_statut = 1";
 					$sql.= ", date_valid = ".$this->db->idate(mktime());
 					$sql.= ", fk_user_valid = ".$user->id;

htdocs/product/canvas/default/product.default.class.php

@@ -207,7 +207,7 @@ class ProductDefault extends Product
 			{
 				if ($field['enabled'])
 				{
-					$sql.= $clause." ".$field['name']." LIKE '%".addslashes($sall)."%'";
+					$sql.= $clause." ".$field['name']." LIKE '%".$this->db->escape($sall)."%'";
 					if ($clause=='') $clause = ' OR';
 				}
 			}
@@ -220,17 +220,17 @@ class ProductDefault extends Product
 			if ($field['enabled'])
 			{
 				$fieldname = "s".$field['alias'];
-				if (${$fieldname}) $sql.= " AND ".$field['name']." LIKE '%".addslashes(${$fieldname})."%'";
+				if (${$fieldname}) $sql.= " AND ".$field['name']." LIKE '%".$this->db->escape(${$fieldname})."%'";
 			}
 		}
 
 		if (isset($_GET["tosell"]) && dol_strlen($_GET["tosell"]) > 0)
 		{
-			$sql.= " AND p.tosell = ".addslashes($_GET["tosell"]);
+			$sql.= " AND p.tosell = ".$this->db->escape($_GET["tosell"]);
 		}
 		if (isset($_GET["canvas"]) && dol_strlen($_GET["canvas"]) > 0)
 		{
-			$sql.= " AND p.canvas = '".addslashes($_GET["canvas"])."'";
+			$sql.= " AND p.canvas = '".$this->db->escape($_GET["canvas"])."'";
 		}
 		$sql.= $this->db->order($sortfield,$sortorder);
 		$sql.= $this->db->plimit($limit + 1 ,$offset);

htdocs/product/canvas/service/product.service.class.php

@@ -155,18 +155,18 @@ class ProductService extends Product
 		if (!$user->rights->service->hidden) $sql.=' AND (p.hidden=0 OR p.fk_product_type != 1)';
 		if ($sall)
 		{
-			$sql.= " AND (p.ref like '%".addslashes($sall)."%' OR p.label like '%".addslashes($sall)."%' OR p.description like '%".addslashes($sall)."%' OR p.note like '%".addslashes($sall)."%')";
+			$sql.= " AND (p.ref like '%".$this->db->escape($sall)."%' OR p.label like '%".$this->db->escape($sall)."%' OR p.description like '%".$this->db->escape($sall)."%' OR p.note like '%".$this->db->escape($sall)."%')";
 		}
 		if ($sref)     $sql.= " AND p.ref like '%".$sref."%'";
 		if ($sbarcode) $sql.= " AND p.barcode like '%".$sbarcode."%'";
-		if ($snom)     $sql.= " AND p.label like '%".addslashes($snom)."%'";
+		if ($snom)     $sql.= " AND p.label like '%".$this->db->escape($snom)."%'";
 		if (isset($_GET["tosell"]) && dol_strlen($_GET["tosell"]) > 0)
 		{
-			$sql.= " AND p.tosell = ".addslashes($_GET["tosell"]);
+			$sql.= " AND p.tosell = ".$this->db->escape($_GET["tosell"]);
 		}
 		if (isset($_GET["canvas"]) && dol_strlen($_GET["canvas"]) > 0)
 		{
-			$sql.= " AND p.canvas = '".addslashes($_GET["canvas"])."'";
+			$sql.= " AND p.canvas = '".$this->db->escape($_GET["canvas"])."'";
 		}
 		if($catid)
 		{
@@ -179,7 +179,7 @@ class ProductService extends Product
 		// Insert categ filter
 		if ($search_categ)
 		{
-			$sql .= " AND cp.fk_categorie = ".addslashes($search_categ);
+			$sql .= " AND cp.fk_categorie = ".$this->db->escape($search_categ);
 		}
 		$sql.= $this->db->order($sortfield,$sortorder);
 		$sql.= $this->db->plimit($limit + 1 ,$offset);

htdocs/product/class/product.class.php

@@ -290,7 +290,7 @@ class Product extends CommonObject
 					$sql.= ", '".$this->ref."'";
 					$sql.= ", ".price2num($price_min_ht);
 					$sql.= ", ".price2num($price_min_ttc);
-					$sql.= ", ".($this->libelle?"'".addslashes($this->libelle)."'":"null");
+					$sql.= ", ".($this->libelle?"'".$this->db->escape($this->libelle)."'":"null");
 					$sql.= ", ".$user->id;
 					$sql.= ", ".$this->type;
 					$sql.= ", ".price2num($price_ht);
@@ -448,7 +448,7 @@ class Product extends CommonObject
 		$this->accountancy_code_sell= trim($this->accountancy_code_sell);
 
 		$sql = "UPDATE ".MAIN_DB_PREFIX."product";
-		$sql.= " SET label = '" . addslashes($this->libelle) ."'";
+		$sql.= " SET label = '" . $this->db->escape($this->libelle) ."'";
 		$sql.= ",ref = '" . $this->ref ."'";
 		$sql.= ",tva_tx = " . $this->tva_tx;
 
@@ -469,10 +469,10 @@ class Product extends CommonObject
 		$sql.= ",volume = " . ($this->volume!='' ? "'".$this->volume."'" : 'null');
 		$sql.= ",volume_units = " . ($this->volume_units!='' ? "'".$this->volume_units."'" : 'null');
 		$sql.= ",seuil_stock_alerte = " . ((isset($this->seuil_stock_alerte) && $this->seuil_stock_alerte != '') ? "'".$this->seuil_stock_alerte."'" : "null");
-		$sql.= ",description = '" . addslashes($this->description) ."'";
+		$sql.= ",description = '" . $this->db->escape($this->description) ."'";
-        $sql.= ",customcode = '" .        addslashes($this->customcode) ."'";
+        $sql.= ",customcode = '" .        $this->db->escape($this->customcode) ."'";
         $sql.= ",fk_country = " . ($this->country_id > 0 ? $this->country_id : 'null');
-        $sql.= ",note = '" .        addslashes($this->note) ."'";
+        $sql.= ",note = '" .        $this->db->escape($this->note) ."'";
 		$sql.= ",duration = '" . $this->duration_value . $this->duration_unit ."'";
 		$sql.= ",accountancy_code_buy = '" . $this->accountancy_code_buy."'";
 		$sql.= ",accountancy_code_sell= '" . $this->accountancy_code_sell."'";
@@ -627,17 +627,17 @@ class Product extends CommonObject
 				if ($this->db->num_rows($result)) // si aucune ligne dans la base
 				{
 					$sql2 = "UPDATE ".MAIN_DB_PREFIX."product_lang";
-					$sql2.= " SET label='".addslashes($this->libelle)."',";
+					$sql2.= " SET label='".$this->db->escape($this->libelle)."',";
-					$sql2.= " description='".addslashes($this->description)."',";
+					$sql2.= " description='".$this->db->escape($this->description)."',";
-					$sql2.= " note='".addslashes($this->note)."'";
+					$sql2.= " note='".$this->db->escape($this->note)."'";
 					$sql2.= " WHERE fk_product=".$this->id." AND lang='".$key."'";
 				}
 				else
 				{
 					$sql2 = "INSERT INTO ".MAIN_DB_PREFIX."product_lang (fk_product, lang, label, description, note)";
-					$sql2.= " VALUES(".$this->id.",'".$key."','". addslashes($this->libelle);
+					$sql2.= " VALUES(".$this->id.",'".$key."','". $this->db->escape($this->libelle);
-					$sql2.= "','".addslashes($this->description);
+					$sql2.= "','".$this->db->escape($this->description);
-					$sql2.= "','".addslashes($this->note)."')";
+					$sql2.= "','".$this->db->escape($this->note)."')";
 				}
 				if (!$this->db->query($sql2)) return -1;
 			}
@@ -646,17 +646,17 @@ class Product extends CommonObject
 				if ($this->db->num_rows($result)) // si aucune ligne dans la base
 				{
 					$sql2 = "UPDATE ".MAIN_DB_PREFIX."product_lang";
-					$sql2.= " SET label='".addslashes($this->multilangs["$key"]["libelle"])."',";
+					$sql2.= " SET label='".$this->db->escape($this->multilangs["$key"]["libelle"])."',";
-					$sql2.= " description='".addslashes($this->multilangs["$key"]["description"])."',";
+					$sql2.= " description='".$this->db->escape($this->multilangs["$key"]["description"])."',";
-					$sql2.= " note='".addslashes($this->multilangs["$key"]["note"])."'";
+					$sql2.= " note='".$this->db->escape($this->multilangs["$key"]["note"])."'";
 					$sql2.= " WHERE fk_product=".$this->id." AND lang='".$key."'";
 				}
 				else
 				{
 					$sql2 = "INSERT INTO ".MAIN_DB_PREFIX."product_lang (fk_product, lang, label, description, note)";
-					$sql2.= " VALUES(".$this->id.",'".$key."','". addslashes($this->multilangs["$key"]["libelle"]);
+					$sql2.= " VALUES(".$this->id.",'".$key."','". $this->db->escape($this->multilangs["$key"]["libelle"]);
-					$sql2.= "','".addslashes($this->multilangs["$key"]["description"]);
+					$sql2.= "','".$this->db->escape($this->multilangs["$key"]["description"]);
-					$sql2.= "','".addslashes($this->multilangs["$key"]["note"])."')";
+					$sql2.= "','".$this->db->escape($this->multilangs["$key"]["note"])."')";
 				}
 
 				// on ne sauvegarde pas des champs vides
@@ -990,7 +990,7 @@ class Product extends CommonObject
 		$sql.= " import_key";
 		$sql.= " FROM ".MAIN_DB_PREFIX."product";
 		if ($id) $sql.= " WHERE rowid = '".$id."'";
-		if ($ref) $sql.= " WHERE ref = '".addslashes($ref)."'";
+		if ($ref) $sql.= " WHERE ref = '".$this->db->escape($ref)."'";
 
 		dol_syslog("Product::fetch sql=".$sql);
 		$result = $this->db->query($sql);
@@ -2097,7 +2097,7 @@ class Product extends CommonObject
 			$prods = array ();
 			while ($record = $this->db->fetch_array ($res))
 			{
-				$prods[addslashes($record['label'])] = array(0=>$record['id']);
+				$prods[$this->db->escape($record['label'])] = array(0=>$record['id']);
 			}
 			return $prods;
 		}
@@ -2127,12 +2127,12 @@ class Product extends CommonObject
 			$prods = array();
 			while ($rec = $this->db->fetch_array($res))
 			{
-				//$prods[addslashes($rec['label'])]= array(0=>$rec['id'],1=>$rec['qty'],2=>$rec['fk_product_type']);
+				//$prods[$this->db->escape($rec['label'])]= array(0=>$rec['id'],1=>$rec['qty'],2=>$rec['fk_product_type']);
-				$prods[addslashes($rec['label'])]= array(0=>$rec['id'],1=>$rec['qty']);
+				$prods[$this->db->escape($rec['label'])]= array(0=>$rec['id'],1=>$rec['qty']);
 				$listofchilds=$this->getChildsArbo($rec['id']);
 				foreach($listofchilds as $keyChild => $valueChild)
 				{
-					$prods[addslashes($rec['label'])][$keyChild] = $valueChild;
+					$prods[$this->db->escape($rec['label'])][$keyChild] = $valueChild;
 				}
 			}
 			//var_dump($prods);

htdocs/product/stock/class/entrepot.class.php

@@ -81,7 +81,7 @@ class Entrepot extends CommonObject
 		$this->db->begin();
 
 		$sql = "INSERT INTO ".MAIN_DB_PREFIX."entrepot (datec, fk_user_author, label)";
-		$sql .= " VALUES (".$this->db->idate(mktime()).",".$user->id.",'".addslashes($this->libelle)."')";
+		$sql .= " VALUES (".$this->db->idate(mktime()).",".$user->id.",'".$this->db->escape($this->libelle)."')";
 
 		dol_syslog("Entrepot::create sql=".$sql);
 		$result=$this->db->query($sql);
@@ -127,13 +127,13 @@ class Entrepot extends CommonObject
 	 */
 	function update($id, $user)
 	{
-		$this->libelle=addslashes(trim($this->libelle));
+		$this->libelle=$this->db->escape(trim($this->libelle));
-		$this->description=addslashes(trim($this->description));
+		$this->description=$this->db->escape(trim($this->description));
 
-		$this->lieu=addslashes(trim($this->lieu));
+		$this->lieu=$this->db->escape(trim($this->lieu));
-		$this->address=addslashes(trim($this->address));
+		$this->address=$this->db->escape(trim($this->address));
 		$this->cp=trim($this->cp);
-		$this->ville=addslashes(trim($this->ville));
+		$this->ville=$this->db->escape(trim($this->ville));
 		$this->pays_id=trim($this->pays_id?$this->pays_id:0);
 
 		$sql = "UPDATE ".MAIN_DB_PREFIX."entrepot ";

htdocs/product/stock/class/mouvementstock.class.php

@@ -75,7 +75,7 @@ class MouvementStock
 			$sql.= " (datem, fk_product, fk_entrepot, value, type_mouvement, fk_user_author, label, price)";
 			$sql.= " VALUES ('".$this->db->idate($now)."', ".$fk_product.", ".$entrepot_id.", ".$qty.", ".$type.",";
 			$sql.= " ".$user->id.",";
-			$sql.= " '".addslashes($label)."',";
+			$sql.= " '".$this->db->escape($label)."',";
 			$sql.= " '".price2num($price)."')";
 
 			dol_syslog("MouvementStock::_create sql=".$sql, LOG_DEBUG);

htdocs/projet/class/project.class.php

@@ -103,9 +103,9 @@ class Project extends CommonObject
 		$sql.= ", dateo";
 		$sql.= ", datee";
 		$sql.= ") VALUES (";
-		$sql.= "'".addslashes($this->ref)."'";
+		$sql.= "'".$this->db->escape($this->ref)."'";
-		$sql.= ", '".addslashes($this->title)."'";
+		$sql.= ", '".$this->db->escape($this->title)."'";
-		$sql.= ", '".addslashes($this->description)."'";
+		$sql.= ", '".$this->db->escape($this->description)."'";
 		$sql.= ", ".($this->socid > 0?$this->socid:"null");
 		$sql.= ", ".$user->id;
         $sql.= ", 0";
@@ -178,8 +178,8 @@ class Project extends CommonObject
 		{
 			$sql = "UPDATE ".MAIN_DB_PREFIX."projet SET";
 			$sql.= " ref='".$this->ref."'";
-			$sql.= ", title = '".addslashes($this->title)."'";
+			$sql.= ", title = '".$this->db->escape($this->title)."'";
-			$sql.= ", description = '".addslashes($this->description)."'";
+			$sql.= ", description = '".$this->db->escape($this->description)."'";
 			$sql.= ", fk_soc = ".($this->socid > 0?$this->socid:"null");
 			$sql.= ", fk_statut = ".$this->statut;
 			$sql.= ", public = ".($this->public?1:0);

htdocs/projet/class/task.class.php

@@ -253,8 +253,8 @@ class Task extends CommonObject
         $sql = "UPDATE ".MAIN_DB_PREFIX."projet_task SET";
 		$sql.= " fk_projet=".(isset($this->fk_project)?$this->fk_project:"null").",";
 		$sql.= " fk_task_parent=".(isset($this->fk_task_parent)?$this->fk_task_parent:"null").",";
-		$sql.= " label=".(isset($this->label)?"'".addslashes($this->label)."'":"null").",";
+		$sql.= " label=".(isset($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
-		$sql.= " description=".(isset($this->description)?"'".addslashes($this->description)."'":"null").",";
+		$sql.= " description=".(isset($this->description)?"'".$this->db->escape($this->description)."'":"null").",";
 		$sql.= " duration_effective=".(isset($this->duration_effective)?$this->duration_effective:"null").",";
 		$sql.= " dateo=".($this->date_start!=''?$this->db->idate($this->date_start):'null').",";
 		$sql.= " datee=".($this->date_end!=''?$this->db->idate($this->date_end):'null').",";
@@ -670,7 +670,7 @@ class Task extends CommonObject
 		$sql.= ", '".$this->db->idate($this->timespent_date)."'";
 		$sql.= ", ".$this->timespent_duration;
 		$sql.= ", ".$this->timespent_fk_user;
-		$sql.= ", ".(isset($this->timespent_note)?"'".addslashes($this->timespent_note)."'":"null");
+		$sql.= ", ".(isset($this->timespent_note)?"'".$this->db->escape($this->timespent_note)."'":"null");
 		$sql.= ")";
 
 		dol_syslog(get_class($this)."::addTimeSpent sql=".$sql, LOG_DEBUG);
@@ -777,7 +777,7 @@ class Task extends CommonObject
 		$sql.= " task_date = '".$this->db->idate($this->timespent_date)."',";
 		$sql.= " task_duration = ".$this->timespent_duration.",";
 		$sql.= " fk_user = ".$this->timespent_fk_user.",";
-		$sql.= " note = ".(isset($this->timespent_note)?"'".addslashes($this->timespent_note)."'":"null");
+		$sql.= " note = ".(isset($this->timespent_note)?"'".$this->db->escape($this->timespent_note)."'":"null");
 		$sql.= " WHERE rowid = ".$this->timespent_id;
 
 		dol_syslog(get_class($this)."::updateTimeSpent sql=".$sql, LOG_DEBUG);

htdocs/societe/class/address.class.php

@@ -88,7 +88,7 @@ class Address
 		if ($result >= 0)
 		{
 			$sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_address (label, fk_soc, name, datec, fk_user_creat) ";
-			$sql .= " VALUES ('".addslashes($this->label)."', '".$socid."', '".addslashes($this->name)."', ".$this->db->idate(mktime()).", '".$user->id."')";
+			$sql .= " VALUES ('".$this->db->escape($this->label)."', '".$socid."', '".$this->db->escape($this->name)."', ".$this->db->idate(mktime()).", '".$user->id."')";
 
 			$result=$this->db->query($sql);
 			if ($result)
@@ -190,18 +190,18 @@ class Address
 			dol_syslog("Address::Update verify ok");
 
 			$sql = "UPDATE ".MAIN_DB_PREFIX."societe_address";
-			$sql.= " SET label = '" . addslashes($this->label) ."'"; // Champ obligatoire
+			$sql.= " SET label = '" . $this->db->escape($this->label) ."'"; // Champ obligatoire
-			$sql.= ",name = '" . addslashes($this->name) ."'"; // Champ obligatoire
+			$sql.= ",name = '" . $this->db->escape($this->name) ."'"; // Champ obligatoire
-			$sql.= ",address = '" . addslashes($this->address) ."'";
+			$sql.= ",address = '" . $this->db->escape($this->address) ."'";
 
 			if ($this->cp)
 			{ $sql .= ",cp = '" . $this->cp ."'"; }
 
 			if ($this->ville)
-			{ $sql .= ",ville = '" . addslashes($this->ville) ."'"; }
+			{ $sql .= ",ville = '" . $this->db->escape($this->ville) ."'"; }
 
 			$sql .= ",fk_pays = '" . ($this->pays_id?$this->pays_id:'0') ."'";
-			$sql.= ",note = '" . addslashes($this->note) ."'";
+			$sql.= ",note = '" . $this->db->escape($this->note) ."'";
 
 			if ($this->tel)
 			{ $sql .= ",tel = '" . $this->tel ."'"; }

htdocs/societe/class/companybankaccount.class.php

@@ -107,16 +107,16 @@ class CompanyBankAccount
 		}
 
 		$sql = "UPDATE ".MAIN_DB_PREFIX."societe_rib SET ";
-		$sql .= " bank = '" .addslashes($this->bank)."'";
+		$sql .= " bank = '" .$this->db->escape($this->bank)."'";
 		$sql .= ",code_banque='".$this->code_banque."'";
 		$sql .= ",code_guichet='".$this->code_guichet."'";
 		$sql .= ",number='".$this->number."'";
 		$sql .= ",cle_rib='".$this->cle_rib."'";
 		$sql .= ",bic='".$this->bic."'";
 		$sql .= ",iban_prefix = '".$this->iban_prefix."'";
-		$sql .= ",domiciliation='".addslashes($this->domiciliation)."'";
+		$sql .= ",domiciliation='".$this->db->escape($this->domiciliation)."'";
-		$sql .= ",proprio = '".addslashes($this->proprio)."'";
+		$sql .= ",proprio = '".$this->db->escape($this->proprio)."'";
-		$sql .= ",adresse_proprio = '".addslashes($this->adresse_proprio)."'";
+		$sql .= ",adresse_proprio = '".$this->db->escape($this->adresse_proprio)."'";
 		$sql .= " WHERE fk_soc = ".$this->socid;
 
 		$result = $this->db->query($sql);

htdocs/societe/class/societe.class.php

@@ -429,28 +429,28 @@ class Societe extends CommonObject
             dol_syslog("Societe::Update verify ok");
 
             $sql = "UPDATE ".MAIN_DB_PREFIX."societe";
-            $sql.= " SET nom = '" . addslashes($this->nom) ."'"; // Champ obligatoire
+            $sql.= " SET nom = '" . $this->db->escape($this->nom) ."'"; // Champ obligatoire
             $sql.= ",datea = '".$this->db->idate(mktime())."'";
-            $sql.= ",address = '" . addslashes($this->address) ."'";
+            $sql.= ",address = '" . $this->db->escape($this->address) ."'";
 
             $sql.= ",cp = ".($this->cp?"'".$this->cp."'":"null");
-            $sql.= ",ville = ".($this->ville?"'".addslashes($this->ville)."'":"null");
+            $sql.= ",ville = ".($this->ville?"'".$this->db->escape($this->ville)."'":"null");
 
             $sql .= ",fk_departement = '" . ($this->departement_id?$this->departement_id:'0') ."'";
             $sql .= ",fk_pays = '" . ($this->pays_id?$this->pays_id:'0') ."'";
 
-            $sql .= ",tel = ".($this->tel?"'".addslashes($this->tel)."'":"null");
+            $sql .= ",tel = ".($this->tel?"'".$this->db->escape($this->tel)."'":"null");
-            $sql .= ",fax = ".($this->fax?"'".addslashes($this->fax)."'":"null");
+            $sql .= ",fax = ".($this->fax?"'".$this->db->escape($this->fax)."'":"null");
-            $sql .= ",email = ".($this->email?"'".addslashes($this->email)."'":"null");
+            $sql .= ",email = ".($this->email?"'".$this->db->escape($this->email)."'":"null");
-            $sql .= ",url = ".($this->url?"'".addslashes($this->url)."'":"null");
+            $sql .= ",url = ".($this->url?"'".$this->db->escape($this->url)."'":"null");
 
-            $sql .= ",siren   = '". addslashes($this->siren)   ."'";
+            $sql .= ",siren   = '". $this->db->escape($this->siren)   ."'";
-            $sql .= ",siret   = '". addslashes($this->siret)   ."'";
+            $sql .= ",siret   = '". $this->db->escape($this->siret)   ."'";
-            $sql .= ",ape     = '". addslashes($this->ape)     ."'";
+            $sql .= ",ape     = '". $this->db->escape($this->ape)     ."'";
-            $sql .= ",idprof4 = '". addslashes($this->idprof4) ."'";
+            $sql .= ",idprof4 = '". $this->db->escape($this->idprof4) ."'";
 
             $sql .= ",tva_assuj = ".($this->tva_assuj!=''?"'".$this->tva_assuj."'":"null");
-            $sql .= ",tva_intra = '" . addslashes($this->tva_intra) ."'";
+            $sql .= ",tva_intra = '" . $this->db->escape($this->tva_intra) ."'";
 
             // Local taxes
             $sql .= ",localtax1_assuj = ".($this->localtax1_assuj!=''?"'".$this->localtax1_assuj."'":"null");
@@ -458,7 +458,7 @@ class Societe extends CommonObject
 
             $sql .= ",capital = ".$this->capital;
 
-            $sql .= ",prefix_comm = ".($this->prefix_comm?"'".addslashes($this->prefix_comm)."'":"null");
+            $sql .= ",prefix_comm = ".($this->prefix_comm?"'".$this->db->escape($this->prefix_comm)."'":"null");
 
             $sql .= ",fk_effectif = ".($this->effectif_id?"'".$this->effectif_id."'":"null");
 
@@ -476,24 +476,24 @@ class Societe extends CommonObject
             {
                 //$this->check_codeclient();
 
-                $sql .= ", code_client = ".($this->code_client?"'".addslashes($this->code_client)."'":"null");
+                $sql .= ", code_client = ".($this->code_client?"'".$this->db->escape($this->code_client)."'":"null");
 
                 // Attention get_codecompta peut modifier le code suivant le module utilise
                 if (empty($this->code_compta)) $this->get_codecompta('customer');
 
-                $sql .= ", code_compta = ".($this->code_compta?"'".addslashes($this->code_compta)."'":"null");
+                $sql .= ", code_compta = ".($this->code_compta?"'".$this->db->escape($this->code_compta)."'":"null");
             }
 
             if ($allowmodcodefournisseur)
             {
                 //$this->check_codefournisseur();
 
-                $sql .= ", code_fournisseur = ".($this->code_fournisseur?"'".addslashes($this->code_fournisseur)."'":"null");
+                $sql .= ", code_fournisseur = ".($this->code_fournisseur?"'".$this->db->escape($this->code_fournisseur)."'":"null");
 
                 // Attention get_codecompta peut modifier le code suivant le module utilise
                 if (empty($this->code_compta_fournisseur)) $this->get_codecompta('supplier');
 
-                $sql .= ", code_compta_fournisseur = ".($this->code_compta_fournisseur?"'".addslashes($this->code_compta_fournisseur)."'":"null");
+                $sql .= ", code_compta_fournisseur = ".($this->code_compta_fournisseur?"'".$this->db->escape($this->code_compta_fournisseur)."'":"null");
             }
             $sql .= ", fk_user_modif = ".($user->id > 0 ? "'".$user->id."'":"null");
             $sql .= " WHERE rowid = '" . $id ."'";
@@ -1135,7 +1135,7 @@ class Societe extends CommonObject
             $sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_remise ";
             $sql.= " (datec, fk_soc, remise_client, note, fk_user_author)";
             $sql.= " VALUES (".$this->db->idate(mktime()).", ".$this->id.", '".$remise."',";
-            $sql.= " '".addslashes($note)."',";
+            $sql.= " '".$this->db->escape($note)."',";
             $sql.= " ".$user->id;
             $sql.= ")";
 
@@ -2147,7 +2147,7 @@ class Societe extends CommonObject
         $sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_log (datel, fk_soc, fk_statut, fk_user, author, label)";
         $sql.= " VALUES ('".$dateaction."', ".$socid.", ".$id_status.",";
         $sql.= "'".$user->id."',";
-        $sql.= "'".addslashes($user->login)."',";
+        $sql.= "'".$this->db->escape($user->login)."',";
         $sql.= "'Change statut from ".$oldstcomm." to ".$stcommid."'";
         $sql.= ")";
         $result = $thi->db->query($sql);