diff --git a/htdocs/compta/prelevement/class/rejetprelevement.class.php b/htdocs/compta/prelevement/class/rejetprelevement.class.php
index db92da8ce90..4a515357495 100644
--- a/htdocs/compta/prelevement/class/rejetprelevement.class.php
+++ b/htdocs/compta/prelevement/class/rejetprelevement.class.php
@@ -222,8 +222,8 @@ class RejetPrelevement
$sql = "SELECT fk_user_demande";
$sql .= " FROM ".MAIN_DB_PREFIX."prelevement_facture_demande as pfd";
- $sql .= " WHERE pfd.fk_prelevement_bons = ".$this->bon_id;
- $sql .= " AND pfd.fk_facture".($this->type == 'bank-transfer' ? '_fourn=' : '=').$fac->id;
+ $sql .= " WHERE pfd.fk_prelevement_bons = ".((int) $this->bon_id);
+ $sql .= " AND pfd.fk_facture".($this->type == 'bank-transfer' ? '_fourn' : '').' = '.((int) $fac->id);
$resql = $this->db->query($sql);
if ($resql) {
@@ -296,7 +296,7 @@ class RejetPrelevement
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."facture as f ON (pf.fk_facture = f.rowid)";
}
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."prelevement_lignes as pl ON (pf.fk_prelevement_lignes = pl.rowid)";
- $sql .= " WHERE pf.fk_prelevement_lignes = ".$this->id;
+ $sql .= " WHERE pf.fk_prelevement_lignes = ".((int) $this->id);
$sql .= " AND f.entity IN (".getEntity('invoice').")";
$resql = $this->db->query($sql);
diff --git a/htdocs/compta/tva/class/paymentvat.class.php b/htdocs/compta/tva/class/paymentvat.class.php
index bc234b4516e..8eaf141b06c 100644
--- a/htdocs/compta/tva/class/paymentvat.class.php
+++ b/htdocs/compta/tva/class/paymentvat.class.php
@@ -620,7 +620,7 @@ class PaymentVAT extends CommonObject
public function update_fk_bank($id_bank)
{
// phpcs:enable
- $sql = "UPDATE ".MAIN_DB_PREFIX."payment_vat SET fk_bank = ".((int) $id_bank)." WHERE rowid = ".$this->id;
+ $sql = "UPDATE ".MAIN_DB_PREFIX."payment_vat SET fk_bank = ".((int) $id_bank)." WHERE rowid = ".((int) $this->id);
dol_syslog(get_class($this)."::update_fk_bank", LOG_DEBUG);
$result = $this->db->query($sql);
diff --git a/htdocs/contact/class/contact.class.php b/htdocs/contact/class/contact.class.php
index 83bc4202b9d..fd9830f36ca 100644
--- a/htdocs/contact/class/contact.class.php
+++ b/htdocs/contact/class/contact.class.php
@@ -595,7 +595,7 @@ class Contact extends CommonObject
$sql .= ", fk_user_modif=".($user->id > 0 ? "'".$this->db->escape($user->id)."'" : "NULL");
$sql .= ", default_lang=".($this->default_lang ? "'".$this->db->escape($this->default_lang)."'" : "NULL");
$sql .= ", entity = ".((int) $this->entity);
- $sql .= " WHERE rowid=".((int) $id);
+ $sql .= " WHERE rowid = ".((int) $id);
dol_syslog(get_class($this)."::update", LOG_DEBUG);
$result = $this->db->query($sql);
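Review bot: The `fk_user_modif` assignment two lines above the changed `WHERE rowid` line still wraps the user id in quotes through `escape()`, which is the very pattern the rest of this commit replaces with an integer cast, so the hunk normalises the spacing of one line while leaving the adjacent one in the old style. `$sql .= ", fk_user_modif=".($user->id > 0 ? ((int) $user->id) : "NULL");` keeps the statement consistent and stops sending a quoted string for an integer column. The enclosing update() starts and ends outside the hunk.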
@@ -871,12 +871,12 @@ class Contact extends CommonObject
// Mis a jour contact
$sql = "UPDATE ".MAIN_DB_PREFIX."socpeople SET";
- $sql .= " birthday=".($this->birthday ? "'".$this->db->idate($this->birthday)."'" : "null");
+ $sql .= " birthday = ".($this->birthday ? "'".$this->db->idate($this->birthday)."'" : "null");
$sql .= ", photo = ".($this->photo ? "'".$this->db->escape($this->photo)."'" : "null");
if ($user) {
- $sql .= ", fk_user_modif=".$user->id;
+ $sql .= ", fk_user_modif = ".((int) $user->id);
}
- $sql .= " WHERE rowid=".$this->db->escape($id);
+ $sql .= " WHERE rowid = ".((int) $id);
dol_syslog(get_class($this)."::update_perso this->birthday=".$this->birthday." -", LOG_DEBUG);
$resql = $this->db->query($sql);
@@ -1278,7 +1278,7 @@ class Contact extends CommonObject
if (!$error) {
$sql = "DELETE FROM ".MAIN_DB_PREFIX."socpeople";
- $sql .= " WHERE rowid=".((int) $this->id);
+ $sql .= " WHERE rowid = ".((int) $this->id);
dol_syslog(__METHOD__, LOG_DEBUG);
$result = $this->db->query($sql);
if (!$result) {
diff --git a/htdocs/contrat/card.php b/htdocs/contrat/card.php
index 470895a2c22..56e3d797086 100644
--- a/htdocs/contrat/card.php
+++ b/htdocs/contrat/card.php
@@ -1433,7 +1433,7 @@ if ($action == 'create') {
$sql .= " p.rowid as pid, p.ref as pref, p.label as plabel, p.fk_product_type as ptype, p.entity as pentity, p.tosell, p.tobuy, p.tobatch";
$sql .= " FROM ".MAIN_DB_PREFIX."contratdet as cd";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON cd.fk_product = p.rowid";
- $sql .= " WHERE cd.rowid = ".$object->lines[$cursorline - 1]->id;
+ $sql .= " WHERE cd.rowid = ".((int) $object->lines[$cursorline - 1]->id);
$result = $db->query($sql);
if ($result) {
diff --git a/htdocs/contrat/class/contrat.class.php b/htdocs/contrat/class/contrat.class.php
index 9b2364f7233..65ffcb7e99a 100644
--- a/htdocs/contrat/class/contrat.class.php
+++ b/htdocs/contrat/class/contrat.class.php
@@ -507,7 +507,7 @@ class Contrat extends CommonObject
if ($num) {
$sql = "UPDATE ".MAIN_DB_PREFIX."contrat SET ref = '".$this->db->escape($num)."', statut = 1";
//$sql.= ", fk_user_valid = ".$user->id.", date_valid = '".$this->db->idate($now)."'";
- $sql .= " WHERE rowid = ".$this->id." AND statut = 0";
+ $sql .= " WHERE rowid = ".((int) $this->id)." AND statut = 0";
dol_syslog(get_class($this)."::validate", LOG_DEBUG);
$resql = $this->db->query($sql);
@@ -607,7 +607,7 @@ class Contrat extends CommonObject
$sql = "UPDATE ".MAIN_DB_PREFIX."contrat SET statut = 0";
//$sql.= ", fk_user_valid = null, date_valid = null";
- $sql .= " WHERE rowid = ".$this->id." AND statut = 1";
+ $sql .= " WHERE rowid = ".((int) $this->id)." AND statut = 1";
dol_syslog(get_class($this)."::validate", LOG_DEBUG);
$resql = $this->db->query($sql);
@@ -1197,7 +1197,7 @@ class Contrat extends CommonObject
// Delete contratdet extrafields
$main = MAIN_DB_PREFIX.'contratdet';
$ef = $main."_extrafields";
- $sql = "DELETE FROM $ef WHERE fk_object IN (SELECT rowid FROM $main WHERE fk_contrat = ".((int) $this->id).")";
+ $sql = "DELETE FROM ".$ef." WHERE fk_object IN (SELECT rowid FROM ".$main." WHERE fk_contrat = ".((int) $this->id).")";
dol_syslog(get_class($this)."::delete contratdet_extrafields", LOG_DEBUG);
$resql = $this->db->query($sql);
@@ -2112,7 +2112,7 @@ class Contrat extends CommonObject
$sql = "SELECT cd.rowid";
$sql .= " FROM ".MAIN_DB_PREFIX."contratdet as cd";
- $sql .= " WHERE fk_contrat =".$this->id;
+ $sql .= " WHERE fk_contrat =".((int) $this->id);
if ($status >= 0) {
$sql .= " AND statut = ".((int) $status);
}
@@ -2146,9 +2146,9 @@ class Contrat extends CommonObject
$sql = "SELECT c.rowid, c.ref";
$sql .= " FROM ".MAIN_DB_PREFIX."contrat as c";
- $sql .= " WHERE fk_soc =".$this->socid;
+ $sql .= " WHERE fk_soc =".((int) $this->socid);
if ($option == 'others') {
- $sql .= " AND c.rowid != ".$this->id;
+ $sql .= " AND c.rowid <> ".((int) $this->id);
}
dol_syslog(get_class($this)."::getOtherContracts()", LOG_DEBUG);
@@ -3332,10 +3332,10 @@ class ContratLigne extends CommonObjectLine
if ($date_end >= 0) {
$sql .= " date_fin_validite = ".(dol_strlen($date_end) != 0 ? "'".$this->db->idate($date_end)."'" : "null").",";
}
- $sql .= " fk_user_ouverture = ".$user->id.",";
+ $sql .= " fk_user_ouverture = ".((int) $user->id).",";
$sql .= " date_cloture = null,";
$sql .= " commentaire = '".$this->db->escape($comment)."'";
- $sql .= " WHERE rowid = ".$this->id." AND (statut = ".ContratLigne::STATUS_INITIAL." OR statut = ".ContratLigne::STATUS_CLOSED.")";
+ $sql .= " WHERE rowid = ".((int) $this->id)." AND (statut = ".ContratLigne::STATUS_INITIAL." OR statut = ".ContratLigne::STATUS_CLOSED.")";
dol_syslog(get_class($this)."::active_line", LOG_DEBUG);
$resql = $this->db->query($sql);
@@ -3396,9 +3396,9 @@ class ContratLigne extends CommonObjectLine
$sql = "UPDATE ".MAIN_DB_PREFIX."contratdet SET statut = ".((int) ContratLigne::STATUS_CLOSED).",";
$sql .= " date_cloture = '".$this->db->idate($date_end)."',";
- $sql .= " fk_user_cloture = ".$user->id.",";
+ $sql .= " fk_user_cloture = ".((int) $user->id).",";
$sql .= " commentaire = '".$this->db->escape($comment)."'";
- $sql .= " WHERE rowid = ".$this->id." AND statut = ".((int) ContratLigne::STATUS_OPEN);
+ $sql .= " WHERE rowid = ".((int) $this->id)." AND statut = ".((int) ContratLigne::STATUS_OPEN);
$resql = $this->db->query($sql);
if ($resql) {
diff --git a/htdocs/core/boxes/box_produits.php b/htdocs/core/boxes/box_produits.php
index dde3b685d25..d039881445e 100644
--- a/htdocs/core/boxes/box_produits.php
+++ b/htdocs/core/boxes/box_produits.php
@@ -122,8 +122,8 @@ class box_produits extends ModeleBoxes
if (!empty($conf->global->MAIN_MULTILANGS)) { // si l'option est active
$sqld = "SELECT label";
$sqld .= " FROM ".MAIN_DB_PREFIX."product_lang";
- $sqld .= " WHERE fk_product=".$objp->rowid;
- $sqld .= " AND lang='".$this->db->escape($langs->getDefaultLang())."'";
+ $sqld .= " WHERE fk_product = ".((int) $objp->rowid);
+ $sqld .= " AND lang = '".$this->db->escape($langs->getDefaultLang())."'";
$sqld .= " LIMIT 1";
$resultd = $this->db->query($sqld);
diff --git a/htdocs/core/boxes/box_produits_alerte_stock.php b/htdocs/core/boxes/box_produits_alerte_stock.php
index d7ae1566a44..5e7ec72d0e1 100644
--- a/htdocs/core/boxes/box_produits_alerte_stock.php
+++ b/htdocs/core/boxes/box_produits_alerte_stock.php
@@ -129,8 +129,8 @@ class box_produits_alerte_stock extends ModeleBoxes
if (!empty($conf->global->MAIN_MULTILANGS)) { // si l'option est active
$sqld = "SELECT label";
$sqld .= " FROM ".MAIN_DB_PREFIX."product_lang";
- $sqld .= " WHERE fk_product=".$objp->rowid;
- $sqld .= " AND lang='".$this->db->escape($langs->getDefaultLang())."'";
+ $sqld .= " WHERE fk_product = ".((int) $objp->rowid);
+ $sqld .= " AND lang = '".$this->db->escape($langs->getDefaultLang())."'";
$sqld .= " LIMIT 1";
$resultd = $this->db->query($sqld);
diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php
index 89d7cb1c7d0..a60e0680536 100644
--- a/htdocs/core/class/commonobject.class.php
+++ b/htdocs/core/class/commonobject.class.php
@@ -1224,7 +1224,7 @@ abstract class CommonObject
$listId = implode(",", $temp);
$sql = "DELETE FROM ".MAIN_DB_PREFIX."element_contact";
- $sql .= " WHERE element_id = ".$this->id;
+ $sql .= " WHERE element_id = ".((int) $this->id);
if ($listId) {
$sql .= " AND fk_c_type_contact IN (".$this->db->sanitize($listId).")";
}
@@ -1272,9 +1272,9 @@ abstract class CommonObject
if ($source == 'external' || $source == 'thirdparty') {
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."socpeople t on ec.fk_socpeople = t.rowid";
}
- $sql .= " WHERE ec.element_id =".$this->id;
+ $sql .= " WHERE ec.element_id = ".((int) $this->id);
$sql .= " AND ec.fk_c_type_contact=tc.rowid";
- $sql .= " AND tc.element='".$this->db->escape($this->element)."'";
+ $sql .= " AND tc.element = '".$this->db->escape($this->element)."'";
if ($code) {
$sql .= " AND tc.code = '".$this->db->escape($code)."'";
}
@@ -2658,7 +2658,7 @@ abstract class CommonObject
}
$sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element." SET ".$fieldname." = ".((int) $id);
- $sql .= " WHERE rowid = ".$this->id." AND fk_statut = 0";
+ $sql .= " WHERE rowid = ".((int) $this->id)." AND fk_statut = 0";
if ($this->db->query($sql)) {
$this->fk_delivery_address = $id;
@@ -3219,7 +3219,7 @@ abstract class CommonObject
$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element;
$sql .= " SET ref_ext = '".$this->db->escape($ref_ext)."'";
- $sql .= " WHERE ".(isset($this->table_rowid) ? $this->table_rowid : 'rowid')." = ".$this->id;
+ $sql .= " WHERE ".(isset($this->table_rowid) ? $this->table_rowid : 'rowid')." = ".((int) $this->id);
dol_syslog(get_class($this)."::update_ref_ext", LOG_DEBUG);
if ($this->db->query($sql)) {
@@ -3270,8 +3270,8 @@ abstract class CommonObject
}
$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element;
$sql .= " SET note".$newsuffix." = ".(!empty($note) ? ("'".$this->db->escape($note)."'") : "NULL");
- $sql .= " ,".$fieldusermod." = ".$user->id;
- $sql .= " WHERE rowid =".$this->id;
+ $sql .= ", ".$fieldusermod." = ".((int) $user->id);
+ $sql .= " WHERE rowid = ".((int) $this->id);
dol_syslog(get_class($this)."::update_note", LOG_DEBUG);
if ($this->db->query($sql)) {
@@ -3440,7 +3440,7 @@ abstract class CommonObject
//var_dump($diff_when_using_price_ht.' '.$diff_on_current_total);
if ($diff_when_using_price_ht && $diff_on_current_total) {
- $sqlfix = "UPDATE ".MAIN_DB_PREFIX.$this->table_element_line." SET ".$fieldtva." = ".$tmpcal[1].", total_ttc = ".$tmpcal[2]." WHERE rowid = ".$obj->rowid;
+ $sqlfix = "UPDATE ".MAIN_DB_PREFIX.$this->table_element_line." SET ".$fieldtva." = ".price2num((float) $tmpcal[1]).", total_ttc = ".price2num((float) $tmpcal[2])." WHERE rowid = ".((int) $obj->rowid);
dol_syslog('We found unconsistent data into detailed line (diff_when_using_price_ht = '.$diff_when_using_price_ht.' and diff_on_current_total = '.$diff_on_current_total.') for line rowid = '.$obj->rowid." (total vat of line calculated=".$tmpcal[1].", database=".$obj->total_tva."). We fix the total_vat and total_ttc of line by running sqlfix = ".$sqlfix, LOG_WARNING);
$resqlfix = $this->db->query($sqlfix);
if (!$resqlfix) {
@@ -3484,7 +3484,7 @@ abstract class CommonObject
dol_print_error('', $errmsg);
exit;
}
- $sqlfix = "UPDATE ".MAIN_DB_PREFIX.$this->table_element_line." SET ".$fieldtva." = ".($obj->total_tva - $diff).", total_ttc = ".($obj->total_ttc - $diff)." WHERE rowid = ".$obj->rowid;
+ $sqlfix = "UPDATE ".MAIN_DB_PREFIX.$this->table_element_line." SET ".$fieldtva." = ".price2num($obj->total_tva - $diff).", total_ttc = ".price2num($obj->total_ttc - $diff)." WHERE rowid = ".((int) $obj->rowid);
dol_syslog('We found a difference of '.$diff.' for line rowid = '.$obj->rowid.". We fix the total_vat and total_ttc of line by running sqlfix = ".$sqlfix);
$resqlfix = $this->db->query($sqlfix);
if (!$resqlfix) {
@@ -4359,7 +4359,7 @@ abstract class CommonObject
$sql = "SELECT subprice as pu_ht, qty, remise_percent, total_ht";
$sql .= " FROM ".MAIN_DB_PREFIX.$this->table_element_line;
- $sql .= " WHERE ".$this->fk_element." = ".$this->id;
+ $sql .= " WHERE ".$this->fk_element." = ".((int) $this->id);
dol_syslog(get_class($this).'::getTotalDiscount', LOG_DEBUG);
$resql = $this->db->query($sql);
@@ -6135,7 +6135,7 @@ abstract class CommonObject
foreach ($new_array_languages as $key => $langcodearray) { // $key = 'name', 'town', ...
foreach ($langcodearray as $langcode => $value) {
$sql_del = "DELETE FROM ".MAIN_DB_PREFIX."object_lang";
- $sql_del .= " WHERE fk_object = ".$this->id." AND property = '".$this->db->escape($key)."' AND type_object = '".$this->db->escape($table_element)."'";
+ $sql_del .= " WHERE fk_object = ".((int) $this->id)." AND property = '".$this->db->escape($key)."' AND type_object = '".$this->db->escape($table_element)."'";
$sql_del .= " AND lang = '".$this->db->escape($langcode)."'";
$this->db->query($sql_del);
@@ -6319,7 +6319,7 @@ abstract class CommonObject
$linealreadyfound = 0;
// Check if there is already a line for this object (in most cases, it is, but sometimes it is not, for example when extra field has been created after), so we must keep this overload)
- $sql = "SELECT COUNT(rowid) as nb FROM ".MAIN_DB_PREFIX.$this->table_element."_extrafields WHERE fk_object = ".$this->id;
+ $sql = "SELECT COUNT(rowid) as nb FROM ".MAIN_DB_PREFIX.$this->table_element."_extrafields WHERE fk_object = ".((int) $this->id);
$resql = $this->db->query($sql);
if ($resql) {
$tmpobj = $this->db->fetch_object($resql);
@@ -6334,7 +6334,7 @@ abstract class CommonObject
} else {
$sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element."_extrafields SET ".$key." = '".$this->db->escape($this->array_options["options_".$key])."'";
}
- $sql .= " WHERE fk_object = ".$this->id;
+ $sql .= " WHERE fk_object = ".((int) $this->id);
} else {
$result = $this->insertExtraFields('', $user);
if ($result < 0) {
@@ -8576,7 +8576,7 @@ abstract class CommonObject
if (is_null($value)) {
return 'NULL';
} elseif (preg_match('/^(int|double|real|price)/i', $fieldsentry['type'])) {
- return $this->db->escape("$value");
+ return price2num("$value");
} elseif ($fieldsentry['type'] == 'boolean') {
if ($value) {
return 'true';
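Review bot: `price2num("$value")` on the changed line is returned for int/double/real/price fields, and the updated price2num docblock in functions.lib.php in this same commit states that without a `$rounding` argument a non-numeric input comes back "unchanged or partial" (its own example is `price2num('W9ç', '', 1) => 'W9ç'`), so a non-numeric value still leaves this function as raw text; the return value appears to be spliced straight into SQL by callers (the removed line of the hunk at 8776 shows `$this->quote()` used that way), and the previous `escape()` call had the same gap. Guard the result before returning it, e.g. `$num = price2num("$value");` followed by `return is_numeric($num) ? $num : '0';`, or reject the value with an error if that matches how the other branches of this function handle bad input. The enclosing function starts and ends outside the hunk.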
@@ -8776,7 +8776,7 @@ abstract class CommonObject
if (!empty($id)) {
$sql .= ' WHERE t.rowid = '.((int) $id);
} elseif (!empty($ref)) {
- $sql .= " WHERE t.ref = ".$this->quote($ref, $this->fields['ref']);
+ $sql .= " WHERE t.ref = '".$this->db->escape($ref)."'";
} else {
$sql .= ' WHERE 1 = 1'; // usage with empty id and empty ref is very rare
}
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index 8c1550bcb4c..8f3c92a3c43 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -2625,7 +2625,7 @@ class Form
if ((!empty($conf->global->PRODUIT_CUSTOMER_PRICES_BY_QTY) || !empty($conf->global->PRODUIT_CUSTOMER_PRICES_BY_QTY_MULTIPRICES)) && !empty($objp->price_by_qty) && $objp->price_by_qty == 1) { // Price by quantity will return many prices for the same product
$sql = "SELECT rowid, quantity, price, unitprice, remise_percent, remise, price_base_type";
$sql .= " FROM ".MAIN_DB_PREFIX."product_price_by_qty";
- $sql .= " WHERE fk_product_price=".$objp->price_rowid;
+ $sql .= " WHERE fk_product_price = ".((int) $objp->price_rowid);
$sql .= " ORDER BY quantity ASC";
dol_syslog(get_class($this)."::select_produits_list search prices by qty", LOG_DEBUG);
diff --git a/htdocs/core/db/pgsql.class.php b/htdocs/core/db/pgsql.class.php
index 5245a9dac3c..6e9a4f54db6 100644
--- a/htdocs/core/db/pgsql.class.php
+++ b/htdocs/core/db/pgsql.class.php
@@ -924,11 +924,11 @@ class DoliDBPgsql extends DoliDB
// phpcs:enable
$listtables = array();
- $like = '';
+ $escapedlike = '';
if ($table) {
- $like = " AND table_name LIKE '".$this->escape($table)."'";
+ $escapedlike = " AND table_name LIKE '".$this->escape($table)."'";
}
- $result = pg_query($this->db, "SELECT table_name FROM information_schema.tables WHERE table_schema = 'public'".$like." ORDER BY table_name");
+ $result = pg_query($this->db, "SELECT table_name FROM information_schema.tables WHERE table_schema = 'public'".$escapedlike." ORDER BY table_name");
if ($result) {
while ($row = $this->fetch_row($result)) {
$listtables[] = $row[0];
diff --git a/htdocs/core/lib/admin.lib.php b/htdocs/core/lib/admin.lib.php
index ec12e397052..6361860e392 100644
--- a/htdocs/core/lib/admin.lib.php
+++ b/htdocs/core/lib/admin.lib.php
@@ -536,7 +536,7 @@ function dolibarr_get_const($db, $name, $entity = 1)
$sql = "SELECT ".$db->decrypt('value')." as value";
$sql .= " FROM ".MAIN_DB_PREFIX."const";
- $sql .= " WHERE name = ".$db->encrypt($name, 1);
+ $sql .= " WHERE name = '".$db->escape($db->encrypt($name))."'";
$sql .= " AND entity = ".((int) $entity);
dol_syslog("admin.lib::dolibarr_get_const", LOG_DEBUG);
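Review bot: The changed line now quotes and escapes the output of `$db->encrypt($name)` instead of asking encrypt() for the quoted form with `$db->encrypt($name, 1)`; if encrypt() can return an SQL expression rather than a plain value (the way `$db->decrypt('value')` two lines above is spliced directly into the SELECT list), wrapping it in `'...'` turns that expression into a string literal and the lookup silently matches nothing whenever database-level encryption is configured — worth confirming against encrypt()'s implementation before merging. If the goal is escaping, the safer place for it is inside encrypt() (which the `withQuotes` form suggests already handles quoting), keeping `$sql .= " WHERE name = ".$db->encrypt($name, 1);` here. The same rewrite appears in the dolibarr_set_const hunk below; both enclosing functions start and end outside their hunks.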
@@ -583,7 +583,7 @@ function dolibarr_set_const($db, $name, $value, $type = 'chaine', $visible = 0,
$db->begin();
$sql = "DELETE FROM ".MAIN_DB_PREFIX."const";
- $sql .= " WHERE name = ".$db->encrypt($name, 1);
+ $sql .= " WHERE name = '".$db->escape($db->encrypt($name))."'";
if ($entity >= 0) {
$sql .= " AND entity = ".((int) $entity);
}
diff --git a/htdocs/core/lib/company.lib.php b/htdocs/core/lib/company.lib.php
index 4b536ccb2ad..8806bcc8b92 100644
--- a/htdocs/core/lib/company.lib.php
+++ b/htdocs/core/lib/company.lib.php
@@ -64,7 +64,7 @@ function societe_prepare_head(Societe $object)
} else {
$sql = "SELECT COUNT(p.rowid) as nb";
$sql .= " FROM ".MAIN_DB_PREFIX."socpeople as p";
- $sql .= " WHERE p.fk_soc = ".$object->id;
+ $sql .= " WHERE p.fk_soc = ".((int) $object->id);
$resql = $db->query($sql);
if ($resql) {
$obj = $db->fetch_object($resql);
@@ -140,7 +140,7 @@ function societe_prepare_head(Societe $object)
} else {
$sql = "SELECT COUNT(n.rowid) as nb";
$sql .= " FROM ".MAIN_DB_PREFIX."projet as n";
- $sql .= " WHERE fk_soc = ".$object->id;
+ $sql .= " WHERE fk_soc = ".((int) $object->id);
$sql .= " AND entity IN (".getEntity('project').")";
$resql = $db->query($sql);
if ($resql) {
@@ -223,7 +223,7 @@ function societe_prepare_head(Societe $object)
$sql = "SELECT COUNT(n.rowid) as nb";
$sql .= " FROM ".MAIN_DB_PREFIX."societe_rib as n";
- $sql .= " WHERE n.fk_soc = ".$object->id;
+ $sql .= " WHERE n.fk_soc = ".((int) $object->id);
if (empty($conf->stripe->enabled)) {
$sql .= " AND n.stripe_card_ref IS NULL";
} else {
@@ -240,7 +240,7 @@ function societe_prepare_head(Societe $object)
//if (! empty($conf->stripe->enabled) && $nbBankAccount > 0) $nbBankAccount = '...'; // No way to know exact number
- $head[$h][0] = DOL_URL_ROOT.'/societe/paymentmodes.php?socid='.$object->id;
+ $head[$h][0] = DOL_URL_ROOT.'/societe/paymentmodes.php?socid='.urlencode($object->id);
$head[$h][1] = $title;
if ($foundonexternalonlinesystem) {
$head[$h][1] .= '...';
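Review bot: `urlencode($object->id)` on the changed line is applied to a value that every SQL line in this file's hunks treats as an integer via `((int) $object->id)`; `'/societe/paymentmodes.php?socid='.((int) $object->id)` states that contract directly and matches the casts used in the same function, whereas urlencode() on a non-string would be a TypeError should this file ever adopt strict_types. The same pattern appears at the other urlencode() sites added in this file, in facture_prepare_head in invoice.lib.php, and in task_prepare_head in project.lib.php. The enclosing societe_prepare_head() starts and ends outside the hunk.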
@@ -252,12 +252,12 @@ function societe_prepare_head(Societe $object)
}
if (!empty($conf->website->enabled) && (!empty($conf->global->WEBSITE_USE_WEBSITE_ACCOUNTS)) && (!empty($user->rights->societe->lire))) {
- $head[$h][0] = DOL_URL_ROOT.'/societe/website.php?id='.$object->id;
+ $head[$h][0] = DOL_URL_ROOT.'/societe/website.php?id='.urlencode($object->id);
$head[$h][1] = $langs->trans("WebSiteAccounts");
$nbNote = 0;
$sql = "SELECT COUNT(n.rowid) as nb";
$sql .= " FROM ".MAIN_DB_PREFIX."societe_account as n";
- $sql .= " WHERE fk_soc = ".$object->id.' AND fk_website > 0';
+ $sql .= " WHERE fk_soc = ".((int) $object->id).' AND fk_website > 0';
$resql = $db->query($sql);
if ($resql) {
$obj = $db->fetch_object($resql);
@@ -304,7 +304,7 @@ function societe_prepare_head(Societe $object)
} else {
$sql = "SELECT COUNT(n.rowid) as nb";
$sql .= " FROM ".MAIN_DB_PREFIX."notify_def as n";
- $sql .= " WHERE fk_soc = ".$object->id;
+ $sql .= " WHERE fk_soc = ".((int) $object->id);
$resql = $db->query($sql);
if ($resql) {
$obj = $db->fetch_object($resql);
@@ -315,7 +315,7 @@ function societe_prepare_head(Societe $object)
dol_setcache($cachekey, $nbNotif, 120); // If setting cache fails, this is not a problem, so we do not test result.
}
- $head[$h][0] = DOL_URL_ROOT.'/societe/notify/card.php?socid='.$object->id;
+ $head[$h][0] = DOL_URL_ROOT.'/societe/notify/card.php?socid='.urlencode($object->id);
$head[$h][1] = $langs->trans("Notifications");
if ($nbNotif > 0) {
$head[$h][1] .= ''.$nbNotif.'';
@@ -332,7 +332,7 @@ function societe_prepare_head(Societe $object)
if (!empty($object->note_public)) {
$nbNote++;
}
- $head[$h][0] = DOL_URL_ROOT.'/societe/note.php?id='.$object->id;
+ $head[$h][0] = DOL_URL_ROOT.'/societe/note.php?id='.urlencode($object->id);
$head[$h][1] = $langs->trans("Notes");
if ($nbNote > 0) {
$head[$h][1] .= ''.$nbNote.'';
@@ -380,7 +380,7 @@ function societe_prepare_head(Societe $object)
} else {
$sql = "SELECT COUNT(id) as nb";
$sql .= " FROM ".MAIN_DB_PREFIX."actioncomm";
- $sql .= " WHERE fk_soc = ".$object->id;
+ $sql .= " WHERE fk_soc = ".((int) $object->id);
$resql = $db->query($sql);
if ($resql) {
$obj = $db->fetch_object($resql);
@@ -806,7 +806,7 @@ function show_projects($conf, $langs, $db, $object, $backtopage = '', $nocreatel
$sql .= ", cls.code as opp_status_code";
$sql .= " FROM ".MAIN_DB_PREFIX."projet as p";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_lead_status as cls on p.fk_opp_status = cls.rowid";
- $sql .= " WHERE p.fk_soc = ".$object->id;
+ $sql .= " WHERE p.fk_soc = ".((int) $object->id);
$sql .= " AND p.entity IN (".getEntity('project').")";
$sql .= " ORDER BY p.dateo DESC";
@@ -1083,7 +1083,7 @@ function show_contacts($conf, $langs, $db, $object, $backtopage = '')
$sql .= " t.civility as civility_id, t.address, t.zip, t.town";
$sql .= " FROM ".MAIN_DB_PREFIX."socpeople as t";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."socpeople_extrafields as ef on (t.rowid = ef.fk_object)";
- $sql .= " WHERE t.fk_soc = ".$object->id;
+ $sql .= " WHERE t.fk_soc = ".((int) $object->id);
if ($search_status != '' && $search_status != '-1') {
$sql .= " AND t.statut = ".((int) $search_status);
}
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index ee353269e29..ddfad586e7c 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -5273,8 +5273,10 @@ function price($amount, $form = 0, $outlangs = '', $trunc = 1, $rounding = -1, $
* @param int $option Put 1 if you know that content is already universal format number (so no correction on decimal will be done)
* Put 2 if you know that number is a user input (so we know we don't have to fix decimal separator).
* @return string Amount with universal numeric format (Example: '99.99999').
- * If conversion fails, it return text unchanged if ($rounding = '' and $option = 1) or '0' if ($rounding is defined and $option = 1).
- * If amount is null or '', it returns '' if $rounding = '' or '0' if $rounding is defined..
+ * If conversion fails to return a numeric, it returns:
+ * text unchanged or partial if ($rounding = ''): price2num('W9ç', '', 0) => '9ç', price2num('W9ç', '', 1) => 'W9ç', price2num('W9ç', '', 2) => '9ç'
+ * '0' if ($rounding is defined): price2num('W9ç', 'MT', 0) => '9', price2num('W9ç', 'MT', 1) => '0', price2num('W9ç', 'MT', 2) => '9'
+ * If amount is null or '', it returns '' if $rounding = '' or '0' if $rounding is defined.
*
* @see price() Opposite function of price2num
*/
diff --git a/htdocs/core/lib/functions2.lib.php b/htdocs/core/lib/functions2.lib.php
index d79f688391d..ae7acf44861 100644
--- a/htdocs/core/lib/functions2.lib.php
+++ b/htdocs/core/lib/functions2.lib.php
@@ -1790,8 +1790,8 @@ function dol_set_user_param($db, $conf, &$user, $tab)
// We remove old parameters for all keys in $tab
$sql = "DELETE FROM ".MAIN_DB_PREFIX."user_param";
- $sql .= " WHERE fk_user = ".$user->id;
- $sql .= " AND entity = ".$conf->entity;
+ $sql .= " WHERE fk_user = ".((int) $user->id);
+ $sql .= " AND entity = ".((int) $conf->entity);
$sql .= " AND param in (";
$i = 0;
foreach ($tab as $key => $value) {
@@ -1815,7 +1815,7 @@ function dol_set_user_param($db, $conf, &$user, $tab)
// Set new parameters
if ($value) {
$sql = "INSERT INTO ".MAIN_DB_PREFIX."user_param(fk_user,entity,param,value)";
- $sql .= " VALUES (".$user->id.",".$conf->entity.",";
+ $sql .= " VALUES (".((int) $user->id).",".$conf->entity.",";
$sql .= " '".$db->escape($key)."','".$db->escape($value)."')";
dol_syslog("functions2.lib::dol_set_user_param", LOG_DEBUG);
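Review bot: `$conf->entity` on the changed INSERT line is still concatenated without a cast while the DELETE in the previous hunk of this file casts the same value with `((int) $conf->entity)`, so the hardening is incomplete on this statement. `$sql .= " VALUES (".((int) $user->id).",".((int) $conf->entity).",";` brings it in line with the rest of the commit. The enclosing dol_set_user_param() starts and ends outside the hunk.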
diff --git a/htdocs/core/lib/invoice.lib.php b/htdocs/core/lib/invoice.lib.php
index 8f6a97894b9..1f797c67d1b 100644
--- a/htdocs/core/lib/invoice.lib.php
+++ b/htdocs/core/lib/invoice.lib.php
@@ -47,7 +47,7 @@ function facture_prepare_head($object)
if (empty($conf->global->MAIN_DISABLE_CONTACTS_TAB)) {
$nbContact = count($object->liste_contact(-1, 'internal')) + count($object->liste_contact(-1, 'external'));
- $head[$h][0] = DOL_URL_ROOT.'/compta/facture/contact.php?facid='.$object->id;
+ $head[$h][0] = DOL_URL_ROOT.'/compta/facture/contact.php?facid='.urlencode($object->id);
$head[$h][1] = $langs->trans('ContactsAddresses');
if ($nbContact > 0) {
$head[$h][1] .= ''.$nbContact.'';
@@ -60,7 +60,7 @@ function facture_prepare_head($object)
$nbStandingOrders = 0;
$sql = "SELECT COUNT(pfd.rowid) as nb";
$sql .= " FROM ".MAIN_DB_PREFIX."prelevement_facture_demande as pfd";
- $sql .= " WHERE pfd.fk_facture = ".$object->id;
+ $sql .= " WHERE pfd.fk_facture = ".((int) $object->id);
$sql .= " AND pfd.ext_payment_id IS NULL";
$resql = $db->query($sql);
if ($resql) {
@@ -71,7 +71,7 @@ function facture_prepare_head($object)
} else {
dol_print_error($db);
}
- $head[$h][0] = DOL_URL_ROOT.'/compta/facture/prelevement.php?facid='.$object->id;
+ $head[$h][0] = DOL_URL_ROOT.'/compta/facture/prelevement.php?facid='.urlencode($object->id);
$head[$h][1] = $langs->trans('StandingOrders');
if ($nbStandingOrders > 0) {
$head[$h][1] .= ''.$nbStandingOrders.'';
diff --git a/htdocs/core/lib/project.lib.php b/htdocs/core/lib/project.lib.php
index ddf3aa64382..73fc5295a99 100644
--- a/htdocs/core/lib/project.lib.php
+++ b/htdocs/core/lib/project.lib.php
@@ -353,7 +353,7 @@ function task_prepare_head($object)
//$sql .= " FROM ".MAIN_DB_PREFIX."projet_task_time as t, ".MAIN_DB_PREFIX."projet_task as pt, ".MAIN_DB_PREFIX."user as u";
//$sql .= " WHERE t.fk_user = u.rowid AND t.fk_task = pt.rowid";
$sql .= " FROM ".MAIN_DB_PREFIX."projet_task_time as t";
- $sql .= " WHERE t.fk_task =".$object->id;
+ $sql .= " WHERE t.fk_task = ".((int) $object->id);
$resql = $db->query($sql);
if ($resql) {
$obj = $db->fetch_object($resql);
@@ -364,7 +364,7 @@ function task_prepare_head($object)
dol_print_error($db);
}
- $head[$h][0] = DOL_URL_ROOT.'/projet/tasks/time.php?id='.$object->id.(GETPOST('withproject') ? '&withproject=1' : '');
+ $head[$h][0] = DOL_URL_ROOT.'/projet/tasks/time.php?id='.urlencode($object->id).(GETPOST('withproject') ? '&withproject=1' : '');
$head[$h][1] = $langs->trans("TimeSpent");
if ($nbTimeSpent > 0) {
$head[$h][1] .= '...';
@@ -386,7 +386,7 @@ function task_prepare_head($object)
if (!empty($object->note_public)) {
$nbNote++;
}
- $head[$h][0] = DOL_URL_ROOT.'/projet/tasks/note.php?id='.$object->id.(GETPOST('withproject') ? '&withproject=1' : '');
+ $head[$h][0] = DOL_URL_ROOT.'/projet/tasks/note.php?id='.urlencode($object->id).(GETPOST('withproject') ? '&withproject=1' : '');
$head[$h][1] = $langs->trans('Notes');
if ($nbNote > 0) {
$head[$h][1] .= ''.$nbNote.'';
diff --git a/htdocs/core/modules/mailings/modules_mailings.php b/htdocs/core/modules/mailings/modules_mailings.php
index 7c0aa2b19b5..de5feb233ad 100644
--- a/htdocs/core/modules/mailings/modules_mailings.php
+++ b/htdocs/core/modules/mailings/modules_mailings.php
@@ -208,7 +208,7 @@ class MailingTargets // This can't be abstract as it is used for some method
//Update the status to show thirdparty mail that don't want to be contacted anymore'
$sql = "UPDATE ".MAIN_DB_PREFIX."mailing_cibles";
$sql .= " SET statut=3";
- $sql .= " WHERE fk_mailing=".$mailing_id." AND email in (SELECT email FROM ".MAIN_DB_PREFIX."societe where fk_stcomm=-1)";
+ $sql .= " WHERE fk_mailing = ".((int) $mailing_id)." AND email in (SELECT email FROM ".MAIN_DB_PREFIX."societe where fk_stcomm=-1)";
$sql .= " AND source_type='thirdparty'";
dol_syslog(__METHOD__.": mailing update status to display thirdparty mail that do not want to be contacted");
$result=$this->db->query($sql);
@@ -216,7 +216,7 @@ class MailingTargets // This can't be abstract as it is used for some method
//Update the status to show contact mail that don't want to be contacted anymore'
$sql = "UPDATE ".MAIN_DB_PREFIX."mailing_cibles";
$sql .= " SET statut=3";
- $sql .= " WHERE fk_mailing=".$mailing_id." AND source_type='contact' AND (email in (SELECT sc.email FROM ".MAIN_DB_PREFIX."socpeople AS sc ";
+ $sql .= " WHERE fk_mailing = ".((int) $mailing_id)." AND source_type='contact' AND (email in (SELECT sc.email FROM ".MAIN_DB_PREFIX."socpeople AS sc ";
$sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe s ON s.rowid=sc.fk_soc WHERE s.fk_stcomm=-1 OR no_email=1))";
dol_syslog(__METHOD__.": mailing update status to display contact mail that do not want to be contacted",LOG_DEBUG);
$result=$this->db->query($sql);
@@ -224,7 +224,7 @@ class MailingTargets // This can't be abstract as it is used for some method
$sql = "UPDATE ".MAIN_DB_PREFIX."mailing_cibles";
$sql .= " SET statut=3";
- $sql .= " WHERE fk_mailing=".$mailing_id." AND email IN (SELECT mu.email FROM ".MAIN_DB_PREFIX."mailing_unsubscribe AS mu WHERE mu.entity IN ('".getEntity('mailing')."'))";
+ $sql .= " WHERE fk_mailing =" .((int) $mailing_id)." AND email IN (SELECT mu.email FROM ".MAIN_DB_PREFIX."mailing_unsubscribe AS mu WHERE mu.entity IN ('".getEntity('mailing')."'))";
dol_syslog(__METHOD__.":mailing update status to display emails that do not want to be contacted anymore", LOG_DEBUG);
$result = $this->db->query($sql);
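Review bot: The third UPDATE's `" WHERE fk_mailing =" .((int) $mailing_id)` puts the space on the wrong side of the closing quote, unlike the two statements above it which read `fk_mailing = ".((int) $mailing_id)`, so the generated SQL lacks the space after `=`; `$sql .= " WHERE fk_mailing = ".((int) $mailing_id)." AND email IN (SELECT mu.email FROM ".MAIN_DB_PREFIX."mailing_unsubscribe AS mu WHERE mu.entity IN (".getEntity('mailing')."))";` matches them. On the same line, `mu.entity IN ('".getEntity('mailing')."')` wraps the entity list in single quotes, whereas the other hunks in this commit splice getEntity() output bare (`entity IN (".getEntity('invoice').")"`); if getEntity() can return a comma-separated list of several entities, the quoted form compares against one string and the subselect matches nothing in a multi-entity setup — worth confirming. The enclosing method starts and ends outside the hunk.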
diff --git a/htdocs/core/modules/modReceiptPrinter.class.php b/htdocs/core/modules/modReceiptPrinter.class.php
index ee87f4c57ba..1e26de93bcb 100644
--- a/htdocs/core/modules/modReceiptPrinter.class.php
+++ b/htdocs/core/modules/modReceiptPrinter.class.php
@@ -133,6 +133,7 @@ class modReceiptPrinter extends DolibarrModules
public function init($options = '')
{
global $conf, $langs;
+
// Clean before activation
$this->remove($options);
@@ -140,8 +141,8 @@ class modReceiptPrinter extends DolibarrModules
$sql = array(
"CREATE TABLE IF NOT EXISTS ".MAIN_DB_PREFIX."printer_receipt (rowid integer AUTO_INCREMENT PRIMARY KEY, name varchar(128), fk_type integer, fk_profile integer, parameter varchar(128), entity integer) ENGINE=innodb;",
"CREATE TABLE IF NOT EXISTS ".MAIN_DB_PREFIX."printer_receipt_template (rowid integer AUTO_INCREMENT PRIMARY KEY, name varchar(128), template text, entity integer) ENGINE=innodb;",
- "DELETE FROM ".MAIN_DB_PREFIX."printer_receipt_template WHERE name = '".$langs->trans('Example')."';",
- "INSERT INTO ".MAIN_DB_PREFIX."printer_receipt_template (name,template,entity) VALUES ('".$langs->trans('Example')."', '".$templateexample."', 1);",
+ "DELETE FROM ".MAIN_DB_PREFIX."printer_receipt_template WHERE name = '".$this->db->escape($langs->trans('Example'))."';",
+ "INSERT INTO ".MAIN_DB_PREFIX."printer_receipt_template (name,template,entity) VALUES ('".$this->db->escape($langs->trans('Example'))."', '".$this->db->escape($templateexample)."', 1);",
);
return $this->_init($sql, $options);
}
diff --git a/htdocs/core/modules/stock/doc/pdf_standard.modules.php b/htdocs/core/modules/stock/doc/pdf_standard.modules.php
index ebc109151d6..5374245cea4 100644
--- a/htdocs/core/modules/stock/doc/pdf_standard.modules.php
+++ b/htdocs/core/modules/stock/doc/pdf_standard.modules.php
@@ -337,8 +337,8 @@ class pdf_standard extends ModelePDFStock
if (!empty($conf->global->MAIN_MULTILANGS)) { // si l'option est active
$sql = "SELECT label";
$sql .= " FROM ".MAIN_DB_PREFIX."product_lang";
- $sql .= " WHERE fk_product=".$objp->rowid;
- $sql .= " AND lang='".$this->db->escape($langs->getDefaultLang())."'";
+ $sql .= " WHERE fk_product = ".((int) $objp->rowid);
+ $sql .= " AND lang = '".$this->db->escape($langs->getDefaultLang())."'";
$sql .= " LIMIT 1";
$result = $this->db->query($sql);
diff --git a/htdocs/don/class/don.class.php b/htdocs/don/class/don.class.php
index 181b3fc0ca3..6bb4c99b86d 100644
--- a/htdocs/don/class/don.class.php
+++ b/htdocs/don/class/don.class.php
@@ -555,7 +555,7 @@ class Don extends CommonObject
// Delete donation
if (!$error) {
$sql = "DELETE FROM ".MAIN_DB_PREFIX."don_extrafields";
- $sql .= " WHERE fk_object=".$this->id;
+ $sql .= " WHERE fk_object = ".((int) $this->id);
$resql = $this->db->query($sql);
if (!$resql) {
diff --git a/htdocs/expedition/class/expedition.class.php b/htdocs/expedition/class/expedition.class.php
index a60f3c88c6a..42d290aa02f 100644
--- a/htdocs/expedition/class/expedition.class.php
+++ b/htdocs/expedition/class/expedition.class.php
@@ -2805,7 +2805,7 @@ class ExpeditionLigne extends CommonObjectLine
// delete batch expedition line
if ($conf->productbatch->enabled) {
$sql = "DELETE FROM ".MAIN_DB_PREFIX."expeditiondet_batch";
- $sql .= " WHERE fk_expeditiondet = ".$this->id;
+ $sql .= " WHERE fk_expeditiondet = ".((int) $this->id);
if (!$this->db->query($sql)) {
$this->errors[] = $this->db->lasterror()." - sql=$sql";
@@ -2951,7 +2951,7 @@ class ExpeditionLigne extends CommonObjectLine
if (!$error && !empty($expedition_batch_id)) {
// delete lot expedition line
$sql = "DELETE FROM ".MAIN_DB_PREFIX."expeditiondet_batch";
- $sql .= " WHERE fk_expeditiondet = ".$this->id;
+ $sql .= " WHERE fk_expeditiondet = ".((int) $this->id);
$sql .= " AND rowid = ".((int) $expedition_batch_id);
if (!$this->db->query($sql)) {
diff --git a/htdocs/fourn/card.php b/htdocs/fourn/card.php
index 866fd31318e..f37e96ba602 100644
--- a/htdocs/fourn/card.php
+++ b/htdocs/fourn/card.php
@@ -589,7 +589,7 @@ if ($object->id > 0) {
$sql = "SELECT p.rowid, p.ref, p.date_valid as dc, p.fk_statut, p.total_ht, p.total_tva, p.total_ttc";
$sql .= " FROM ".MAIN_DB_PREFIX."supplier_proposal as p ";
- $sql .= " WHERE p.fk_soc =".$object->id;
+ $sql .= " WHERE p.fk_soc = ".((int) $object->id);
$sql .= " AND p.entity IN (".getEntity('supplier_proposal').")";
$sql .= " ORDER BY p.date_valid DESC";
$sql .= $db->plimit($MAXLIST);
@@ -681,7 +681,7 @@ if ($object->id > 0) {
// TODO move to DAO class
$sql = "SELECT count(p.rowid) as total";
$sql .= " FROM ".MAIN_DB_PREFIX."commande_fournisseur as p";
- $sql .= " WHERE p.fk_soc =".$object->id;
+ $sql .= " WHERE p.fk_soc = ".((int) $object->id);
$sql .= " AND p.entity IN (".getEntity('commande_fournisseur').")";
$resql = $db->query($sql);
if ($resql) {
@@ -691,7 +691,7 @@ if ($object->id > 0) {
$sql = "SELECT p.rowid,p.ref, p.date_commande as dc, p.fk_statut, p.total_ht, p.total_tva, p.total_ttc";
$sql .= " FROM ".MAIN_DB_PREFIX."commande_fournisseur as p";
- $sql .= " WHERE p.fk_soc =".$object->id;
+ $sql .= " WHERE p.fk_soc = ".((int) $object->id);
$sql .= " AND p.entity IN (".getEntity('commande_fournisseur').")";
$sql .= " ORDER BY p.date_commande DESC";
$sql .= $db->plimit($MAXLIST);
diff --git a/htdocs/fourn/class/fournisseur.class.php b/htdocs/fourn/class/fournisseur.class.php
index 121e699757c..805ed7c1ba6 100644
--- a/htdocs/fourn/class/fournisseur.class.php
+++ b/htdocs/fourn/class/fournisseur.class.php
@@ -59,7 +59,7 @@ class Fournisseur extends Societe
{
$sql = "SELECT rowid";
$sql .= " FROM ".MAIN_DB_PREFIX."commande_fournisseur as cf";
- $sql .= " WHERE cf.fk_soc = ".$this->id;
+ $sql .= " WHERE cf.fk_soc = ".((int) $this->id);
$resql = $this->db->query($sql);
if ($resql) {
diff --git a/htdocs/fourn/class/fournisseur.commande.class.php b/htdocs/fourn/class/fournisseur.commande.class.php
index 3d71fd46b11..d248ed44321 100644
--- a/htdocs/fourn/class/fournisseur.commande.class.php
+++ b/htdocs/fourn/class/fournisseur.commande.class.php
@@ -473,7 +473,7 @@ class CommandeFournisseur extends CommonOrder
if (!empty($conf->global->PRODUCT_USE_SUPPLIER_PACKAGING)) {
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_fournisseur_price as pfp ON l.fk_product = pfp.fk_product and l.ref = pfp.ref_fourn AND pfp.fk_soc = ".((int) $this->socid);
}
- $sql .= " WHERE l.fk_commande = ".$this->id;
+ $sql .= " WHERE l.fk_commande = ".((int) $this->id);
if ($only_product) {
$sql .= ' AND p.fk_product_type = 0';
}
@@ -627,7 +627,7 @@ class CommandeFournisseur extends CommonOrder
if (preg_match('/^[\(]?PROV/i', $this->ref)) {
// Now we rename also files into index
$sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filename = CONCAT('".$this->db->escape($this->newref)."', SUBSTR(filename, ".(strlen($this->ref) + 1).")), filepath = 'fournisseur/commande/".$this->db->escape($this->newref)."'";
- $sql .= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'fournisseur/commande/".$this->db->escape($this->ref)."' and entity = ".$conf->entity;
+ $sql .= " WHERE filename LIKE '".$this->db->escape($this->ref)."%' AND filepath = 'fournisseur/commande/".$this->db->escape($this->ref)."' and entity = ".((int) $conf->entity);
$resql = $this->db->query($sql);
if (!$resql) {
$error++; $this->error = $this->db->lasterror();
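Review bot: The new line still builds `filename LIKE '".$this->db->escape($this->ref)."%'` from the order ref, and escape() handles quoting, not the LIKE metacharacters `%` and `_`; a ref containing either widens the match (an `_` matches any single character in that position) and the UPDATE then rewrites index rows belonging to other documents. Unless escape() is known to neutralise LIKE wildcards, escape them explicitly before interpolation, e.g. `$reflike = str_replace(array('_', '%'), array('\_', '\%'), $this->db->escape($this->ref));`, and use `$reflike` in the LIKE clause only (verify the escape form against the supported database drivers). The surrounding method starts and ends outside the hunk.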
@@ -2236,7 +2236,7 @@ class CommandeFournisseur extends CommonOrder
$sql .= " FROM ".MAIN_DB_PREFIX."product as p,";
$sql .= " ".MAIN_DB_PREFIX."commande_fournisseur_dispatch as cfd";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."entrepot as e ON cfd.fk_entrepot = e.rowid";
- $sql .= " WHERE cfd.fk_commande = ".$this->id;
+ $sql .= " WHERE cfd.fk_commande = ".((int) $this->id);
$sql .= " AND cfd.fk_product = p.rowid";
if ($status >= 0) {
$sql .= " AND cfd.status = ".((int) $status);
diff --git a/htdocs/fourn/class/fournisseur.facture.class.php b/htdocs/fourn/class/fournisseur.facture.class.php
index f7c7ee26e1c..e8ec417edd7 100644
--- a/htdocs/fourn/class/fournisseur.facture.class.php
+++ b/htdocs/fourn/class/fournisseur.facture.class.php
@@ -2946,7 +2946,7 @@ class FactureFournisseur extends CommonInvoice
{
$isUsed = false;
- $sql = "SELECT fk_invoice_supplier FROM ".MAIN_DB_PREFIX."societe_remise_except WHERE fk_invoice_supplier_source=".$this->id;
+ $sql = "SELECT fk_invoice_supplier FROM ".MAIN_DB_PREFIX."societe_remise_except WHERE fk_invoice_supplier_source = ".((int) $this->id);
$resql = $this->db->query($sql);
if (!empty($resql)) {
$obj = $this->db->fetch_object($resql);
@@ -3701,12 +3701,12 @@ class SupplierInvoiceLine extends CommonObjectLine
// Mise a jour ligne en base
$sql = "UPDATE ".MAIN_DB_PREFIX."facture_fourn_det SET";
- $sql .= " total_ht='".price2num($this->total_ht)."'";
- $sql .= ", tva='".price2num($this->total_tva)."'";
- $sql .= ", total_localtax1='".price2num($this->total_localtax1)."'";
- $sql .= ", total_localtax2='".price2num($this->total_localtax2)."'";
- $sql .= ", total_ttc='".price2num($this->total_ttc)."'";
- $sql .= " WHERE rowid = ".$this->rowid;
+ $sql .= " total_ht = ".price2num($this->total_ht);
+ $sql .= ", tva= ".price2num($this->total_tva);
+ $sql .= ", total_localtax1 = ".price2num($this->total_localtax1);
+ $sql .= ", total_localtax2 = ".price2num($this->total_localtax2);
+ $sql .= ", total_ttc = ".price2num($this->total_ttc);
+ $sql .= " WHERE rowid = ".((int) $this->rowid);
dol_syslog("FactureFournisseurLigne.class.php::update_total", LOG_DEBUG);
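Review bot: The totals at `total_ht = ".price2num($this->total_ht)` through `total_ttc = ".price2num($this->total_ttc)` are now interpolated unquoted but without a rounding argument, unlike `price2num($total_ht, 'MT')` later in this diff. If price2num() returns its input unchanged when it is empty or null (which the old quoted form tolerated as `''`), an unset total now yields `total_ht = , tva= ...` and the UPDATE fails with a syntax error instead of writing zero. Passing the rounding mode, e.g. `$sql .= " total_ht = ".price2num($this->total_ht, 'MT');`, forces a numeric result on every field; the same applies to the `subprice` and `total_ht` lines in the migrate_detail_livraison hunk of upgrade2.php. The enclosing update_total() starts outside the hunk.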
diff --git a/htdocs/fourn/class/fournisseur.product.class.php b/htdocs/fourn/class/fournisseur.product.class.php
index 3eaed8d27b8..b08d9237c63 100644
--- a/htdocs/fourn/class/fournisseur.product.class.php
+++ b/htdocs/fourn/class/fournisseur.product.class.php
@@ -164,7 +164,7 @@ class ProductFournisseur extends Product
$this->db->begin();
$sql = "DELETE FROM ".MAIN_DB_PREFIX."product_fournisseur_price";
- $sql .= " WHERE fk_product = ".$this->id." AND fk_soc = ".((int) $id_fourn);
+ $sql .= " WHERE fk_product = ".((int) $this->id)." AND fk_soc = ".((int) $id_fourn);
dol_syslog(get_class($this)."::remove_fournisseur", LOG_DEBUG);
$resql2 = $this->db->query($sql);
@@ -438,7 +438,7 @@ class ProductFournisseur extends Product
// Delete price for this quantity
$sql = "DELETE FROM ".MAIN_DB_PREFIX."product_fournisseur_price";
- $sql .= " WHERE fk_soc = ".$fourn->id." AND ref_fourn = '".$this->db->escape($ref_fourn)."' AND quantity = ".((float) $qty)." AND entity = ".$conf->entity;
+ $sql .= " WHERE fk_soc = ".((int) $fourn->id)." AND ref_fourn = '".$this->db->escape($ref_fourn)."' AND quantity = ".((float) $qty)." AND entity = ".((int) $conf->entity);
$resql = $this->db->query($sql);
if ($resql) {
// Add price for this quantity to supplier
@@ -459,7 +459,7 @@ class ProductFournisseur extends Product
$sql .= " ".((int) $fourn->id).",";
$sql .= " '".$this->db->escape($ref_fourn)."',";
$sql .= " '".$this->db->escape($desc_fourn)."',";
- $sql .= " ".$user->id.",";
+ $sql .= " ".((int) $user->id).",";
$sql .= " ".price2num($buyprice).",";
$sql .= " ".((float) $qty).",";
$sql .= " ".((float) $remise_percent).",";
diff --git a/htdocs/fourn/commande/dispatch.php b/htdocs/fourn/commande/dispatch.php
index 09588389cb1..ead05251920 100644
--- a/htdocs/fourn/commande/dispatch.php
+++ b/htdocs/fourn/commande/dispatch.php
@@ -341,11 +341,11 @@ if ($action == 'dispatch' && $user->rights->fournisseur->commande->receptionner)
if (GETPOSTISSET($saveprice)) {
// TODO Use class
$sql = "UPDATE ".MAIN_DB_PREFIX."product_fournisseur_price";
- $sql .= " SET unitprice='".GETPOST($pu)."'";
- $sql .= ", price=".GETPOST($pu)."*quantity";
- $sql .= ", remise_percent='".(!empty($dto) ? $dto : 0)."'";
- $sql .= " WHERE fk_soc=".$object->socid;
- $sql .= " AND fk_product=".GETPOST($prod, 'int');
+ $sql .= " SET unitprice = ".price2num(GETPOST($pu), 'MU', 2);
+ $sql .= ", price = ".price2num(GETPOST($pu), 'MU', 2)." * quantity";
+ $sql .= ", remise_percent = ".price2num((empty($dto) ? 0 : $dto), 3, 2)."'";
+ $sql .= " WHERE fk_soc = ".((int) $object->socid);
+ $sql .= " AND fk_product=".((int) GETPOST($prod, 'int'));
$resql = $db->query($sql);
}
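Review bot: The rewritten remise_percent line keeps a stray closing quote, `", remise_percent = ".price2num((empty($dto) ? 0 : $dto), 3, 2)."'"`, left over from the old quoted form, so the statement becomes `remise_percent = 0' WHERE fk_soc = ...` and the UPDATE always fails with a syntax error. Drop the trailing quote: `$sql .= ", remise_percent = ".price2num((empty($dto) ? 0 : $dto), 3, 2);`. The `fk_product=` line could also take the ` = ` spacing its neighbours now use. The enclosing `if ($action == 'dispatch' ...)` block starts outside the hunk.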
@@ -653,7 +653,7 @@ if ($id > 0 || !empty($ref)) {
$sql = "SELECT l.rowid, cfd.fk_product, sum(cfd.qty) as qty";
$sql .= " FROM ".MAIN_DB_PREFIX."commande_fournisseur_dispatch as cfd";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."commande_fournisseurdet as l on l.rowid = cfd.fk_commandefourndet";
- $sql .= " WHERE cfd.fk_commande = ".$object->id;
+ $sql .= " WHERE cfd.fk_commande = ".((int) $object->id);
$sql .= " GROUP BY l.rowid, cfd.fk_product";
$resql = $db->query($sql);
@@ -689,7 +689,7 @@ if ($id > 0 || !empty($ref)) {
$sql .= " FROM ".MAIN_DB_PREFIX."commande_fournisseurdet as l";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON l.fk_product=p.rowid";
- $sql .= " WHERE l.fk_commande = ".$object->id;
+ $sql .= " WHERE l.fk_commande = ".((int) $object->id);
if (empty($conf->global->STOCK_SUPPORTS_SERVICES)) {
$sql .= " AND l.product_type = 0";
}
@@ -1113,7 +1113,7 @@ if ($id > 0 || !empty($ref)) {
if ($conf->reception->enabled) {
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."reception as r ON cfd.fk_reception = r.rowid";
}
- $sql .= " WHERE cfd.fk_commande = ".$object->id;
+ $sql .= " WHERE cfd.fk_commande = ".((int) $object->id);
$sql .= " AND cfd.fk_product = p.rowid";
$sql .= " ORDER BY cfd.rowid ASC";
diff --git a/htdocs/fourn/facture/card.php b/htdocs/fourn/facture/card.php
index ae0d306b2cd..2f3fb2b0078 100644
--- a/htdocs/fourn/facture/card.php
+++ b/htdocs/fourn/facture/card.php
@@ -595,7 +595,7 @@ if (empty($reshook)) {
$sql = "SELECT re.rowid, re.amount_ht, re.amount_tva, re.amount_ttc,";
$sql .= " re.description, re.fk_invoice_supplier_source";
$sql .= " FROM ".MAIN_DB_PREFIX."societe_remise_except as re";
- $sql .= " WHERE fk_invoice_supplier = ".$object->id;
+ $sql .= " WHERE fk_invoice_supplier = ".((int) $object->id);
$resql = $db->query($sql);
if (!empty($resql)) {
while ($obj = $db->fetch_object($resql)) {
@@ -3132,11 +3132,10 @@ if ($action == 'create') {
$creditnoteamount = 0;
$depositamount = 0;
-
$sql = "SELECT re.rowid, re.amount_ht, re.amount_tva, re.amount_ttc,";
$sql .= " re.description, re.fk_invoice_supplier_source";
$sql .= " FROM ".MAIN_DB_PREFIX."societe_remise_except as re";
- $sql .= " WHERE fk_invoice_supplier = ".$object->id;
+ $sql .= " WHERE fk_invoice_supplier = ".((int) $object->id);
$resql = $db->query($sql);
if ($resql) {
$num = $db->num_rows($resql);
diff --git a/htdocs/fourn/facture/list.php b/htdocs/fourn/facture/list.php
index 0d34a3790df..8f2aaadb8ea 100644
--- a/htdocs/fourn/facture/list.php
+++ b/htdocs/fourn/facture/list.php
@@ -344,7 +344,7 @@ if (empty($reshook)) {
$rsql .= " , u.rowid as user_id, u.lastname, u.firstname, u.login";
$rsql .= " FROM ".MAIN_DB_PREFIX."prelevement_facture_demande as pfd";
$rsql .= " , ".MAIN_DB_PREFIX."user as u";
- $rsql .= " WHERE fk_facture_fourn = ".$objecttmp->id;
+ $rsql .= " WHERE fk_facture_fourn = ".((int) $objecttmp->id);
$rsql .= " AND pfd.fk_user_demande = u.rowid";
$rsql .= " AND pfd.traite = 0";
$rsql .= " ORDER BY pfd.date_demande DESC";
diff --git a/htdocs/holiday/class/holiday.class.php b/htdocs/holiday/class/holiday.class.php
index 41af59a751b..ec7b4c463b6 100644
--- a/htdocs/holiday/class/holiday.class.php
+++ b/htdocs/holiday/class/holiday.class.php
@@ -719,7 +719,7 @@ class Holiday extends CommonObject
$error++;
}
$sql .= " ref = '".$this->db->escape($num)."'";
- $sql .= " WHERE rowid= ".$this->id;
+ $sql .= " WHERE rowid = ".((int) $this->id);
$this->db->begin();
@@ -828,7 +828,7 @@ class Holiday extends CommonObject
} else {
$sql .= " detail_refuse = NULL";
}
- $sql .= " WHERE rowid= ".$this->id;
+ $sql .= " WHERE rowid = ".((int) $this->id);
$this->db->begin();
@@ -937,7 +937,7 @@ class Holiday extends CommonObject
$sql .= " detail_refuse = NULL";
}
- $sql .= " WHERE rowid= ".$this->id;
+ $sql .= " WHERE rowid = ".((int) $this->id);
$this->db->begin();
diff --git a/htdocs/install/repair.php b/htdocs/install/repair.php
index 5cfe9f66846..037c7ee4b82 100644
--- a/htdocs/install/repair.php
+++ b/htdocs/install/repair.php
@@ -929,7 +929,7 @@ if ($ok && GETPOST('clean_product_stock_batch', 'alpha')) {
// TODO If it fails, we must make update
//$sql2 ="UPDATE ".MAIN_DB_PREFIX."product_batch";
//$sql2.=" SET ".$obj->psrowid.", '000000', ".($obj->reel - $obj->reelbatch).")";
- //$sql2.=" WHERE fk_product_stock = ".$obj->psrowid"
+ //$sql2.=" WHERE fk_product_stock = ".((int) $obj->psrowid)
}
}
}
diff --git a/htdocs/install/upgrade2.php b/htdocs/install/upgrade2.php
index de34a38e82c..974dd4c8324 100644
--- a/htdocs/install/upgrade2.php
+++ b/htdocs/install/upgrade2.php
@@ -2097,7 +2097,7 @@ function migrate_commande_livraison($db, $langs, $conf)
$sqlu = "UPDATE ".MAIN_DB_PREFIX."livraison SET";
$sqlu .= " ref_client='".$db->escape($obj->ref_client)."'";
$sqlu .= ", date_livraison='".$db->idate($delivery_date)."'";
- $sqlu .= " WHERE rowid = ".$obj->rowid;
+ $sqlu .= " WHERE rowid = ".((int) $obj->rowid);
$resql3 = $db->query($sqlu);
if (!$resql3) {
$error++;
@@ -2170,11 +2170,11 @@ function migrate_detail_livraison($db, $langs, $conf)
$obj = $db->fetch_object($resql);
$sql = "UPDATE ".MAIN_DB_PREFIX."livraisondet SET";
- $sql .= " fk_product=".$obj->fk_product;
- $sql .= ",description='".$db->escape($obj->description)."'";
- $sql .= ",subprice='".$db->escape($obj->subprice)."'";
- $sql .= ",total_ht='".$db->escape($obj->total_ht)."'";
- $sql .= " WHERE fk_commande_ligne = ".$obj->rowid;
+ $sql .= " fk_product = ".((int) $obj->fk_product);
+ $sql .= ",description = '".$db->escape($obj->description)."'";
+ $sql .= ",subprice = ".price2num($obj->subprice);
+ $sql .= ",total_ht = ".price2num($obj->total_ht);
+ $sql .= " WHERE fk_commande_ligne = ".((int) $obj->rowid);
$resql2 = $db->query($sql);
if ($resql2) {
@@ -2188,8 +2188,8 @@ function migrate_detail_livraison($db, $langs, $conf)
$total_ht = $obju->total_ht + $obj->total_ht;
$sqlu = "UPDATE ".MAIN_DB_PREFIX."livraison SET";
- $sqlu .= " total_ht='".$db->escape($total_ht)."'";
- $sqlu .= " WHERE rowid=".$obj->fk_livraison;
+ $sqlu .= " total_ht = ".price2num($total_ht, 'MT');
+ $sqlu .= " WHERE rowid = ".((int) $obj->fk_livraison);
$resql4 = $db->query($sqlu);
if (!$resql4) {
$error++;
@@ -2266,8 +2266,8 @@ function migrate_stocks($db, $langs, $conf)
$obj = $db->fetch_object($resql);
$sql = "UPDATE ".MAIN_DB_PREFIX."product SET";
- $sql .= " stock = '".$db->escape($obj->total)."'";
- $sql .= " WHERE rowid=".$obj->fk_product;
+ $sql .= " stock = ".price2num($obj->total, 'MS');
+ $sql .= " WHERE rowid = ".((int) $obj->fk_product);
$resql2 = $db->query($sql);
if ($resql2) {
@@ -2330,7 +2330,7 @@ function migrate_menus($db, $langs, $conf)
$sql = "UPDATE ".MAIN_DB_PREFIX."menu SET";
$sql .= " enabled = '".$db->escape($obj->action)."'";
- $sql .= " WHERE rowid=".$obj->rowid;
+ $sql .= " WHERE rowid = ".((int) $obj->rowid);
$sql .= " AND enabled = '1'";
$resql2 = $db->query($sql);
@@ -2400,7 +2400,7 @@ function migrate_commande_deliveryaddress($db, $langs, $conf)
$sql = "UPDATE ".MAIN_DB_PREFIX."expedition SET";
$sql .= " fk_adresse_livraison = '".$db->escape($obj->fk_adresse_livraison)."'";
- $sql .= " WHERE rowid=".$obj->fk_expedition;
+ $sql .= " WHERE rowid = ".((int) $obj->fk_expedition);
$resql2 = $db->query($sql);
if (!$resql2) {
@@ -3049,7 +3049,7 @@ function migrate_shipping_delivery($db, $langs, $conf)
$result = $db->query($sqlInsert);
if ($result) {
$sqlUpdate = "UPDATE ".MAIN_DB_PREFIX."livraison SET fk_expedition = NULL";
- $sqlUpdate .= " WHERE rowid = ".$obj->rowid;
+ $sqlUpdate .= " WHERE rowid = ".((int) $obj->rowid);
$result = $db->query($sqlUpdate);
if (!$result) {
@@ -3137,7 +3137,7 @@ function migrate_shipping_delivery2($db, $langs, $conf)
$sqlUpdate = "UPDATE ".MAIN_DB_PREFIX."livraison SET";
$sqlUpdate .= " ref_customer = '".$db->escape($obj->ref_customer)."',";
$sqlUpdate .= " date_delivery = ".($obj->date_delivery ? "'".$db->escape($obj->date_delivery)."'" : 'null');
- $sqlUpdate .= " WHERE rowid = ".$obj->delivery_id;
+ $sqlUpdate .= " WHERE rowid = ".((int) $obj->delivery_id);
$result = $db->query($sqlUpdate);
if (!$result) {
@@ -3629,7 +3629,7 @@ function migrate_reset_blocked_log($db, $langs, $conf)
print 'Process entity '.$obj->entity;
- $sqlSearch = "SELECT count(rowid) as nb FROM ".MAIN_DB_PREFIX."blockedlog WHERE action = 'MODULE_SET' and entity = ".$obj->entity;
+ $sqlSearch = "SELECT count(rowid) as nb FROM ".MAIN_DB_PREFIX."blockedlog WHERE action = 'MODULE_SET' and entity = ".((int) $obj->entity);
$resqlSearch = $db->query($sqlSearch);
if ($resqlSearch) {
$objSearch = $db->fetch_object($resqlSearch);
@@ -3638,7 +3638,7 @@ function migrate_reset_blocked_log($db, $langs, $conf)
print ' - Record for entity must be reset...';
$sqlUpdate = "DELETE FROM ".MAIN_DB_PREFIX."blockedlog";
- $sqlUpdate .= " WHERE entity = ".$obj->entity;
+ $sqlUpdate .= " WHERE entity = ".((int) $obj->entity);
$resqlUpdate = $db->query($sqlUpdate);
if (!$resqlUpdate) {
$error++;
@@ -3725,7 +3725,7 @@ function migrate_remise_entity($db, $langs, $conf)
$sqlUpdate = "UPDATE ".MAIN_DB_PREFIX."societe_remise SET";
$sqlUpdate .= " entity = ".$obj->entity;
- $sqlUpdate .= " WHERE rowid = ".$obj->rowid;
+ $sqlUpdate .= " WHERE rowid = ".((int) $obj->rowid);
$result = $db->query($sqlUpdate);
if (!$result) {
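Review bot: The context line directly above the changed one, `$sqlUpdate .= " entity = ".$obj->entity;`, still interpolates the entity uncast while the same statement now casts rowid, whereas the sibling hunks in migrate_remise_except_entity, migrate_user_rights_entity and migrate_usergroup_rights_entity cast both values. For consistency with the rest of this commit, change it to `$sqlUpdate .= " entity = ".((int) $obj->entity);`. The value presumably comes from a fetched row, so this is about uniform handling rather than an injection path; the enclosing migrate_remise_entity() starts outside the hunk.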
@@ -3810,8 +3810,8 @@ function migrate_remise_except_entity($db, $langs, $conf)
$obj2 = $db->fetch_object($resql2);
$sqlUpdate = "UPDATE ".MAIN_DB_PREFIX."societe_remise_except SET";
- $sqlUpdate .= " entity = ".$obj2->entity;
- $sqlUpdate .= " WHERE rowid = ".$obj->rowid;
+ $sqlUpdate .= " entity = ".((int) $obj2->entity);
+ $sqlUpdate .= " WHERE rowid = ".((int) $obj->rowid);
$result = $db->query($sqlUpdate);
if (!$result) {
@@ -3880,8 +3880,8 @@ function migrate_user_rights_entity($db, $langs, $conf)
$obj = $db->fetch_object($resql);
$sqlUpdate = "UPDATE ".MAIN_DB_PREFIX."user_rights SET";
- $sqlUpdate .= " entity = ".$obj->entity;
- $sqlUpdate .= " WHERE fk_user = ".$obj->rowid;
+ $sqlUpdate .= " entity = ".((int) $obj->entity);
+ $sqlUpdate .= " WHERE fk_user = ".((int) $obj->rowid);
$result = $db->query($sqlUpdate);
if (!$result) {
@@ -3945,8 +3945,8 @@ function migrate_usergroup_rights_entity($db, $langs, $conf)
$obj = $db->fetch_object($resql);
$sqlUpdate = "UPDATE ".MAIN_DB_PREFIX."usergroup_rights SET";
- $sqlUpdate .= " entity = ".$obj->entity;
- $sqlUpdate .= " WHERE fk_usergroup = ".$obj->rowid;
+ $sqlUpdate .= " entity = ".((int) $obj->entity);
+ $sqlUpdate .= " WHERE fk_usergroup = ".((int) $obj->rowid);
$result = $db->query($sqlUpdate);
if (!$result) {
diff --git a/htdocs/loan/class/loanschedule.class.php b/htdocs/loan/class/loanschedule.class.php
index 126002eb47a..9beff9dd22e 100644
--- a/htdocs/loan/class/loanschedule.class.php
+++ b/htdocs/loan/class/loanschedule.class.php
@@ -498,7 +498,7 @@ class LoanSchedule extends CommonObject
$toinsert = array();
$sql = "SELECT l.rowid";
- $sql .= " FROM ".MAIN_DB_PREFIX."loan as l ";
+ $sql .= " FROM ".MAIN_DB_PREFIX."loan as l";
$sql .= " WHERE l.paid = 0";
$resql = $this->db->query($sql);
@@ -511,7 +511,8 @@ class LoanSchedule extends CommonObject
$this->db->begin();
$sql = "INSERT INTO ".MAIN_DB_PREFIX."payment_loan ";
$sql .= "(fk_loan,datec,tms,datep,amount_capital,amount_insurance,amount_interest,fk_typepayment,num_payment,note_private,note_public,fk_bank,fk_user_creat,fk_user_modif) ";
- $sql .= "SELECT fk_loan,datec,tms,datep,amount_capital,amount_insurance,amount_interest,fk_typepayment,num_payment,note_private,note_public,fk_bank,fk_user_creat,fk_user_modif FROM ".MAIN_DB_PREFIX."loan_schedule WHERE rowid =".$echid;
+ $sql .= "SELECT fk_loan,datec,tms,datep,amount_capital,amount_insurance,amount_interest,fk_typepayment,num_payment,note_private,note_public,fk_bank,fk_user_creat,fk_user_modif";
+ $sql .= " FROM ".MAIN_DB_PREFIX."loan_schedule WHERE rowid =".((int) $echid);
$res = $this->db->query($sql);
if ($res) {
$this->db->commit();
diff --git a/htdocs/mailmanspip/class/mailmanspip.class.php b/htdocs/mailmanspip/class/mailmanspip.class.php
index d08f6f65094..c5ce2292f6a 100644
--- a/htdocs/mailmanspip/class/mailmanspip.class.php
+++ b/htdocs/mailmanspip/class/mailmanspip.class.php
@@ -232,7 +232,7 @@ class MailmanSpip
$mydb = $this->connectSpip();
if ($mydb) {
- $query = "DELETE FROM spip_auteurs WHERE login='".$object->login."'";
+ $query = "DELETE FROM spip_auteurs WHERE login = '".$mydb->escape($object->login)."'";
$result = $mydb->query($query);
@@ -271,7 +271,7 @@ class MailmanSpip
$mydb = $this->connectSpip();
if ($mydb) {
- $query = "SELECT login FROM spip_auteurs WHERE login='".$object->login."'";
+ $query = "SELECT login FROM spip_auteurs WHERE login = '".$mydb->escape($object->login)."'";
$result = $mydb->query($query);
diff --git a/htdocs/mrp/class/mo.class.php b/htdocs/mrp/class/mo.class.php
index b00aa6e8b91..a0bc74bc4ad 100644
--- a/htdocs/mrp/class/mo.class.php
+++ b/htdocs/mrp/class/mo.class.php
@@ -546,7 +546,7 @@ class Mo extends CommonObject
$result = 0;
$sql = 'SELECT COUNT(rowid) as nb FROM '.MAIN_DB_PREFIX.'stock_mouvement as sm';
- $sql .= " WHERE sm.origintype = 'mo' and sm.fk_origin = ".$this->id;
+ $sql .= " WHERE sm.origintype = 'mo' and sm.fk_origin = ".((int) $this->id);
$resql = $this->db->query($sql);
if ($resql) {
diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index fc8f5cc4720..ae2aca9fbc9 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
@@ -1446,8 +1446,8 @@ class Product extends CommonObject
if ($key == $current_lang) {
$sql = "SELECT rowid";
$sql .= " FROM ".MAIN_DB_PREFIX."product_lang";
- $sql .= " WHERE fk_product=".$this->id;
- $sql .= " AND lang='".$this->db->escape($key)."'";
+ $sql .= " WHERE fk_product = ".((int) $this->id);
+ $sql .= " AND lang = '".$this->db->escape($key)."'";
$result = $this->db->query($sql);
@@ -1459,7 +1459,7 @@ class Product extends CommonObject
if (!empty($conf->global->PRODUCT_USE_OTHER_FIELD_IN_TRANSLATION)) {
$sql2 .= ", note='".$this->db->escape($this->other)."'";
}
- $sql2 .= " WHERE fk_product=".$this->id." AND lang='".$this->db->escape($key)."'";
+ $sql2 .= " WHERE fk_product = ".((int) $this->id)." AND lang = '".$this->db->escape($key)."'";
} else {
$sql2 = "INSERT INTO ".MAIN_DB_PREFIX."product_lang (fk_product, lang, label, description";
if (!empty($conf->global->PRODUCT_USE_OTHER_FIELD_IN_TRANSLATION)) {
@@ -1486,20 +1486,20 @@ class Product extends CommonObject
$sql = "SELECT rowid";
$sql .= " FROM ".MAIN_DB_PREFIX."product_lang";
- $sql .= " WHERE fk_product=".$this->id;
- $sql .= " AND lang='".$this->db->escape($key)."'";
+ $sql .= " WHERE fk_product = ".((int) $this->id);
+ $sql .= " AND lang = '".$this->db->escape($key)."'";
$result = $this->db->query($sql);
if ($this->db->num_rows($result)) { // if there is already a description line for this language
$sql2 = "UPDATE ".MAIN_DB_PREFIX."product_lang";
$sql2 .= " SET ";
- $sql2 .= " label='".$this->db->escape($this->multilangs["$key"]["label"])."',";
- $sql2 .= " description='".$this->db->escape($this->multilangs["$key"]["description"])."'";
+ $sql2 .= " label = '".$this->db->escape($this->multilangs["$key"]["label"])."',";
+ $sql2 .= " description = '".$this->db->escape($this->multilangs["$key"]["description"])."'";
if (!empty($conf->global->PRODUCT_USE_OTHER_FIELD_IN_TRANSLATION)) {
- $sql2 .= ", note='".$this->db->escape($this->multilangs["$key"]["other"])."'";
+ $sql2 .= ", note = '".$this->db->escape($this->multilangs["$key"]["other"])."'";
}
- $sql2 .= " WHERE fk_product=".$this->id." AND lang='".$this->db->escape($key)."'";
+ $sql2 .= " WHERE fk_product = ".((int) $this->id)." AND lang = '".$this->db->escape($key)."'";
} else {
$sql2 = "INSERT INTO ".MAIN_DB_PREFIX."product_lang (fk_product, lang, label, description";
if (!empty($conf->global->PRODUCT_USE_OTHER_FIELD_IN_TRANSLATION)) {
@@ -1548,7 +1548,7 @@ class Product extends CommonObject
public function delMultiLangs($langtodelete, $user)
{
$sql = "DELETE FROM ".MAIN_DB_PREFIX."product_lang";
- $sql .= " WHERE fk_product=".$this->id." AND lang='".$this->db->escape($langtodelete)."'";
+ $sql .= " WHERE fk_product = ".((int) $this->id)." AND lang = '".$this->db->escape($langtodelete)."'";
dol_syslog(get_class($this).'::delMultiLangs', LOG_DEBUG);
$result = $this->db->query($sql);
@@ -1645,7 +1645,7 @@ class Product extends CommonObject
$sql = "SELECT lang, label, description, note as other";
$sql .= " FROM ".MAIN_DB_PREFIX."product_lang";
- $sql .= " WHERE fk_product=".$this->id;
+ $sql .= " WHERE fk_product = ".((int) $this->id);
$result = $this->db->query($sql);
if ($result) {
@@ -1750,7 +1750,7 @@ class Product extends CommonObject
{
// phpcs:enable
$sql = "DELETE FROM ".MAIN_DB_PREFIX."product_price_by_qty";
- $sql .= " WHERE fk_product_price=".((int) $rowid);
+ $sql .= " WHERE fk_product_price = ".((int) $rowid);
$resql = $this->db->query($sql);
$sql = "DELETE FROM ".MAIN_DB_PREFIX."product_price";
@@ -2265,7 +2265,7 @@ class Product extends CommonObject
$separatedStock = false; // Set to true will count stock from subtable llx_product_stock. It is slower than using denormalized field 'stock', but it is required when using multientity and shared warehouses.
if (!empty($conf->global->MULTICOMPANY_PRODUCT_SHARING_ENABLED)) {
if (!empty($conf->global->MULTICOMPANY_PMP_PER_ENTITY_ENABLED)) {
- $checkPMPPerEntity = $this->db->query("SELECT pmp FROM " . MAIN_DB_PREFIX . "product_perentity WHERE fk_product = ".((int) $id)." AND entity = ".(int) $conf->entity);
+ $checkPMPPerEntity = $this->db->query("SELECT pmp FROM " . MAIN_DB_PREFIX . "product_perentity WHERE fk_product = ".((int) $id)." AND entity = ".(int) $conf->entity);
if ($this->db->num_rows($checkPMPPerEntity)>0) {
$separatedEntityPMP = true;
}
@@ -2470,7 +2470,7 @@ class Product extends CommonObject
{
$sql = "SELECT rowid, price, unitprice, quantity, remise_percent, remise, price_base_type";
$sql.= " FROM ".MAIN_DB_PREFIX."product_price_by_qty";
- $sql.= " WHERE fk_product_price = ".$this->prices_by_qty_id[$i];
+ $sql.= " WHERE fk_product_price = ".((int) $this->prices_by_qty_id[$i]);
$sql.= " ORDER BY quantity ASC";
$resultat=array();
$resql = $this->db->query($sql);
@@ -2578,7 +2578,7 @@ class Product extends CommonObject
if ($this->prices_by_qty[$i] == 1) {
$sql = "SELECT rowid, price, unitprice, quantity, remise_percent, remise, price_base_type";
$sql .= " FROM ".MAIN_DB_PREFIX."product_price_by_qty";
- $sql .= " WHERE fk_product_price = ".$this->prices_by_qty_id[$i];
+ $sql .= " WHERE fk_product_price = ".((int) $this->prices_by_qty_id[$i]);
$sql .= " ORDER BY quantity ASC";
$resultat = array();
$resql = $this->db->query($sql);
@@ -4062,9 +4062,9 @@ class Product extends CommonObject
}
$sql = 'UPDATE '.MAIN_DB_PREFIX.'product_association SET ';
- $sql .= 'qty='.$qty;
- $sql .= ',incdec='.$incdec;
- $sql .= ' WHERE fk_product_pere='.$id_pere.' AND fk_product_fils='.$id_fils;
+ $sql .= 'qty = '.price2num($qty, 'MS');
+ $sql .= ',incdec = '.price2num($incdec, 'MS');
+ $sql .= ' WHERE fk_product_pere = '.((int) $id_pere).' AND fk_product_fils = '.((int) $id_fils);
if (!$this->db->query($sql)) {
dol_print_error($this->db);
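Review bot: `',incdec = '.price2num($incdec, 'MS')` rounds what looks like a 0/1 flag with the stock-decimals setting; if incdec is indeed a flag, `((int) $incdec)` states the intent directly and cannot emit a fractional value for a column that presumably stores an integer, e.g. `$sql .= ',incdec = '.((int) $incdec);`. The qty and id casts on the neighbouring lines are fine as written. The enclosing method starts and ends outside the hunk.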
@@ -4569,7 +4569,7 @@ class Product extends CommonObject
public function hasVariants()
{
$nb = 0;
- $sql = "SELECT count(rowid) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE fk_product_parent = ".$this->id;
+ $sql = "SELECT count(rowid) as nb FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE fk_product_parent = ".((int) $this->id);
$sql .= " AND entity IN (".getEntity('product').")";
$resql = $this->db->query($sql);
@@ -4593,7 +4593,7 @@ class Product extends CommonObject
{
global $conf;
if (!empty($conf->variants->enabled)) {
- $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE fk_product_child = ".$this->id." AND entity IN (".getEntity('product').")";
+ $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."product_attribute_combination WHERE fk_product_child = ".((int) $this->id)." AND entity IN (".getEntity('product').")";
$query = $this->db->query($sql);
diff --git a/htdocs/product/class/productcustomerprice.class.php b/htdocs/product/class/productcustomerprice.class.php
index 0683732d6cb..07590099571 100644
--- a/htdocs/product/class/productcustomerprice.class.php
+++ b/htdocs/product/class/productcustomerprice.class.php
@@ -721,7 +721,7 @@ class Productcustomerprice extends CommonObject
$sql .= " t.import_key";
$sql .= " FROM ".MAIN_DB_PREFIX."product_customer_price as t";
- $sql .= " WHERE t.rowid = ".$this->id;
+ $sql .= " WHERE t.rowid = ".((int) $this->id);
$this->db->begin();
dol_syslog(get_class($this)."::update", LOG_DEBUG);
diff --git a/htdocs/product/class/propalmergepdfproduct.class.php b/htdocs/product/class/propalmergepdfproduct.class.php
index 67c24ac37c8..99b7e7e188b 100644
--- a/htdocs/product/class/propalmergepdfproduct.class.php
+++ b/htdocs/product/class/propalmergepdfproduct.class.php
@@ -445,7 +445,7 @@ class Propalmergepdfproduct extends CommonObject
if (!$error) {
$sql = "DELETE FROM ".MAIN_DB_PREFIX."propal_merge_pdf_product";
- $sql .= " WHERE fk_product=".$this->fk_product." AND file_name='".$this->db->escape($this->file_name)."'";
+ $sql .= " WHERE fk_product = ".((int) $this->fk_product)." AND file_name = '".$this->db->escape($this->file_name)."'";
dol_syslog(__METHOD__, LOG_DEBUG);
$resql = $this->db->query($sql);
diff --git a/htdocs/product/fournisseurs.php b/htdocs/product/fournisseurs.php
index 97f29de72f6..9451fec435e 100644
--- a/htdocs/product/fournisseurs.php
+++ b/htdocs/product/fournisseurs.php
@@ -272,7 +272,7 @@ if (empty($reshook)) {
$extralabels = $extrafields->fetch_name_optionals_label("product_fournisseur_price");
$extrafield_values = $extrafields->getOptionalsFromPost("product_fournisseur_price");
if (!empty($extrafield_values)) {
- $resql = $db->query("SELECT fk_object FROM ".MAIN_DB_PREFIX."product_fournisseur_price_extrafields WHERE fk_object = ".$object->product_fourn_price_id);
+ $resql = $db->query("SELECT fk_object FROM ".MAIN_DB_PREFIX."product_fournisseur_price_extrafields WHERE fk_object = ".((int) $object->product_fourn_price_id));
// Insert a new extrafields row, if none exists
if ($db->num_rows($resql) != 1) {
$sql = "INSERT INTO ".MAIN_DB_PREFIX."product_fournisseur_price_extrafields (fk_object, ";
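Review bot: `$db->num_rows($resql)` on the line after the changed query runs without checking that `$resql` is not `false`, so a failed SELECT is treated as "no existing row" and execution falls through to the INSERT. Checking the result first, e.g. `if (!$resql) { dol_print_error($db); } elseif ($db->num_rows($resql) != 1) {`, surfaces the failure instead of masking it. The enclosing `if (!empty($extrafield_values))` block continues outside the hunk.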
diff --git a/htdocs/product/list.php b/htdocs/product/list.php
index a975dc2c21b..ff21caf96f9 100644
--- a/htdocs/product/list.php
+++ b/htdocs/product/list.php
@@ -1253,8 +1253,8 @@ if ($resql) {
if (!empty($conf->global->MAIN_MULTILANGS)) { // If multilang is enabled
$sql = "SELECT label";
$sql .= " FROM ".MAIN_DB_PREFIX."product_lang";
- $sql .= " WHERE fk_product=".$obj->rowid;
- $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'";
+ $sql .= " WHERE fk_product = ".((int) $obj->rowid);
+ $sql .= " AND lang = '".$db->escape($langs->getDefaultLang())."'";
$sql .= " LIMIT 1";
$result = $db->query($sql);
diff --git a/htdocs/product/reassortlot.php b/htdocs/product/reassortlot.php
index 65e69b91384..2380b4103a2 100644
--- a/htdocs/product/reassortlot.php
+++ b/htdocs/product/reassortlot.php
@@ -393,8 +393,8 @@ if ($resql) {
if (!empty($conf->global->MAIN_MULTILANGS)) { // si l'option est active
$sql = "SELECT label";
$sql .= " FROM ".MAIN_DB_PREFIX."product_lang";
- $sql .= " WHERE fk_product=".$objp->rowid;
- $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'";
+ $sql .= " WHERE fk_product = ".((int) $objp->rowid);
+ $sql .= " AND lang = '".$db->escape($langs->getDefaultLang())."'";
$sql .= " LIMIT 1";
$result = $db->query($sql);
@@ -406,7 +406,6 @@ if ($resql) {
}
}
-
$product_static->ref = $objp->ref;
$product_static->id = $objp->rowid;
$product_static->label = $objp->label;
diff --git a/htdocs/product/stock/card.php b/htdocs/product/stock/card.php
index 6760da10cb0..7defecb7c62 100644
--- a/htdocs/product/stock/card.php
+++ b/htdocs/product/stock/card.php
@@ -662,8 +662,8 @@ if ($action == 'create') {
if (!empty($conf->global->MAIN_MULTILANGS)) { // si l'option est active
$sql = "SELECT label";
$sql .= " FROM ".MAIN_DB_PREFIX."product_lang";
- $sql .= " WHERE fk_product=".$objp->rowid;
- $sql .= " AND lang='".$db->escape($langs->getDefaultLang())."'";
+ $sql .= " WHERE fk_product = ".((int) $objp->rowid);
+ $sql .= " AND lang = '".$db->escape($langs->getDefaultLang())."'";
$sql .= " LIMIT 1";
$result = $db->query($sql);
diff --git a/htdocs/product/stock/class/entrepot.class.php b/htdocs/product/stock/class/entrepot.class.php
index 55ee6abf8fa..04dcddb8fab 100644
--- a/htdocs/product/stock/class/entrepot.class.php
+++ b/htdocs/product/stock/class/entrepot.class.php
@@ -366,7 +366,7 @@ class Entrepot extends CommonObject
foreach ($elements as $table) {
if (!$error) {
$sql = "DELETE FROM ".MAIN_DB_PREFIX.$table;
- $sql .= " WHERE fk_entrepot = ".$this->id;
+ $sql .= " WHERE fk_entrepot = ".((int) $this->id);
$result = $this->db->query($sql);
if (!$result) {
@@ -585,7 +585,7 @@ class Entrepot extends CommonObject
$sql = "SELECT count(distinct p.rowid) as nb";
$sql .= " FROM ".MAIN_DB_PREFIX."product_stock as ps";
$sql .= ", ".MAIN_DB_PREFIX."product as p";
- $sql .= " WHERE ps.fk_entrepot = ".$this->id;
+ $sql .= " WHERE ps.fk_entrepot = ".((int) $this->id);
$sql .= " AND ps.fk_product = p.rowid";
//print $sql;
@@ -630,7 +630,7 @@ class Entrepot extends CommonObject
if ($separatedPMP) {
$sql .= ", ".MAIN_DB_PREFIX."product_perentity as pa";
}
- $sql .= " WHERE ps.fk_entrepot = ".$this->id;
+ $sql .= " WHERE ps.fk_entrepot = ".((int) $this->id);
if ($separatedPMP) {
$sql .= " AND pa.fk_product = p.rowid AND pa.entity = ". (int) $conf->entity;
}
diff --git a/htdocs/projet/class/project.class.php b/htdocs/projet/class/project.class.php
index 16501940949..02939ead090 100644
--- a/htdocs/projet/class/project.class.php
+++ b/htdocs/projet/class/project.class.php
@@ -867,7 +867,7 @@ class Project extends CommonObject
if (!$error) {
$sql = "DELETE FROM ".MAIN_DB_PREFIX."projet_extrafields";
- $sql .= " WHERE fk_object=".$this->id;
+ $sql .= " WHERE fk_object = ".((int) $this->id);
$resql = $this->db->query($sql);
if (!$resql) {
@@ -944,7 +944,7 @@ class Project extends CommonObject
}
if ($type == 'agenda') {
- $sql = "SELECT COUNT(id) as nb FROM ".MAIN_DB_PREFIX."actioncomm WHERE fk_project = ".$this->id." AND entity IN (".getEntity('agenda').")";
+ $sql = "SELECT COUNT(id) as nb FROM ".MAIN_DB_PREFIX."actioncomm WHERE fk_project = ".((int) $this->id)." AND entity IN (".getEntity('agenda').")";
} elseif ($type == 'expensereport') {
$sql = "SELECT COUNT(ed.rowid) as nb FROM ".MAIN_DB_PREFIX."expensereport as e, ".MAIN_DB_PREFIX."expensereport_det as ed WHERE e.rowid = ed.fk_expensereport AND e.entity IN (".getEntity('expensereport').") AND ed.fk_projet = ".((int) $this->id);
} elseif ($type == 'project_task') {
diff --git a/htdocs/projet/class/task.class.php b/htdocs/projet/class/task.class.php
index 70a38a6818b..53973f7672e 100644
--- a/htdocs/projet/class/task.class.php
+++ b/htdocs/projet/class/task.class.php
@@ -519,7 +519,7 @@ class Task extends CommonObject
if (!$error) {
$sql = "DELETE FROM ".MAIN_DB_PREFIX."projet_task_time";
- $sql .= " WHERE fk_task=".$this->id;
+ $sql .= " WHERE fk_task = ".((int) $this->id);
$resql = $this->db->query($sql);
if (!$resql) {
@@ -529,7 +529,7 @@ class Task extends CommonObject
if (!$error) {
$sql = "DELETE FROM ".MAIN_DB_PREFIX."projet_task_extrafields";
- $sql .= " WHERE fk_object=".$this->id;
+ $sql .= " WHERE fk_object = ".((int) $this->id);
$resql = $this->db->query($sql);
if (!$resql) {
@@ -603,7 +603,7 @@ class Task extends CommonObject
$sql = "SELECT COUNT(*) as nb";
$sql .= " FROM ".MAIN_DB_PREFIX."projet_task";
- $sql .= " WHERE fk_task_parent=".$this->id;
+ $sql .= " WHERE fk_task_parent = ".((int) $this->id);
dol_syslog(get_class($this)."::hasChildren", LOG_DEBUG);
$resql = $this->db->query($sql);
@@ -636,7 +636,7 @@ class Task extends CommonObject
$sql = "SELECT COUNT(*) as nb";
$sql .= " FROM ".MAIN_DB_PREFIX."projet_task_time";
- $sql .= " WHERE fk_task=".$this->id;
+ $sql .= " WHERE fk_task = ".((int) $this->id);
dol_syslog(get_class($this)."::hasTimeSpent", LOG_DEBUG);
$resql = $this->db->query($sql);
@@ -1639,7 +1639,7 @@ class Task extends CommonObject
$this->db->begin();
$sql = "DELETE FROM ".MAIN_DB_PREFIX."projet_task_time";
- $sql .= " WHERE rowid = ".$this->timespent_id;
+ $sql .= " WHERE rowid = ".((int) $this->timespent_id);
dol_syslog(get_class($this)."::delTimeSpent", LOG_DEBUG);
$resql = $this->db->query($sql);
diff --git a/htdocs/resource/class/dolresource.class.php b/htdocs/resource/class/dolresource.class.php
index 91f68951842..b7f16a9ff9d 100644
--- a/htdocs/resource/class/dolresource.class.php
+++ b/htdocs/resource/class/dolresource.class.php
@@ -360,7 +360,7 @@ class Dolresource extends CommonObject
$sql .= " t.fk_user_create,";
$sql .= " t.tms";
$sql .= " FROM ".MAIN_DB_PREFIX."element_resources as t";
- $sql .= " WHERE t.rowid = ".$this->db->escape($id);
+ $sql .= " WHERE t.rowid = ".((int) $id);
dol_syslog(get_class($this)."::fetch", LOG_DEBUG);
$resql = $this->db->query($sql);
diff --git a/htdocs/salaries/class/salary.class.php b/htdocs/salaries/class/salary.class.php
index ab1e06f3b34..17274813ef5 100644
--- a/htdocs/salaries/class/salary.class.php
+++ b/htdocs/salaries/class/salary.class.php
@@ -286,7 +286,7 @@ class Salary extends CommonObject
/*if (!$error)
{
$sql = "DELETE FROM ".MAIN_DB_PREFIX."salary_extrafields";
- $sql .= " WHERE fk_object=".$this->id;
+ $sql .= " WHERE fk_object = ".((int) $this->id);
$resql = $this->db->query($sql);
if (!$resql)
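Review bot: The cast on the new line sits inside a `/* ... */` block that begins on the hunk's first line, so this edit keeps dead, commented-out code up to date. If the `salary_extrafields` delete is still wanted it should be uncommented and wired into `$error`; otherwise the block should be removed rather than maintained. The end of the comment block is outside the hunk.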
diff --git a/htdocs/societe/class/companybankaccount.class.php b/htdocs/societe/class/companybankaccount.class.php
index f4e871fce83..24e8c40165b 100644
--- a/htdocs/societe/class/companybankaccount.class.php
+++ b/htdocs/societe/class/companybankaccount.class.php
@@ -292,7 +292,7 @@ class CompanyBankAccount extends Account
if (!$error) {
$sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_rib";
- $sql .= " WHERE rowid = ".$this->id;
+ $sql .= " WHERE rowid = ".((int) $this->id);
if (!$this->db->query($sql)) {
$error++;
diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php
index 0dd3e31da01..555fa3b05e1 100644
--- a/htdocs/societe/class/societe.class.php
+++ b/htdocs/societe/class/societe.class.php
@@ -917,7 +917,7 @@ class Societe extends CommonObject
// update accountancy for this entity
if (!$error && !empty($conf->global->MAIN_COMPANY_PERENTITY_SHARED)) {
- $this->db->query("DELETE FROM " . MAIN_DB_PREFIX . "societe_perentity WHERE fk_soc = " . $this->id . " AND entity = " . $conf->entity);
+ $this->db->query("DELETE FROM " . MAIN_DB_PREFIX . "societe_perentity WHERE fk_soc = " . ((int) $this->id) . " AND entity = " . ((int) $conf->entity));
$sql = "INSERT INTO " . MAIN_DB_PREFIX . "societe_perentity (";
$sql .= " fk_soc";
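Review bot: The return value of the DELETE on the new line is discarded, so if it fails the INSERT into `societe_perentity` that follows still runs and may leave a stale row next to the new one; the hunk at `@@ -1535,7` in this file has the same pattern. Folding the result into the method's error accounting, `if (!$this->db->query(...)) { $error++; $this->error = $this->db->lasterror(); }`, keeps it consistent with the surrounding `if (!$error && ...)` guards. The enclosing method starts outside the hunk.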
@@ -1535,7 +1535,7 @@ class Societe extends CommonObject
// update accountancy for this entity
if (!$error && !empty($conf->global->MAIN_COMPANY_PERENTITY_SHARED)) {
- $this->db->query("DELETE FROM " . MAIN_DB_PREFIX . "societe_perentity WHERE fk_soc = " . $this->id . " AND entity = " . $conf->entity);
+ $this->db->query("DELETE FROM " . MAIN_DB_PREFIX . "societe_perentity WHERE fk_soc = " . ((int) $this->id) . " AND entity = " . ((int) $conf->entity));
$sql = "INSERT INTO " . MAIN_DB_PREFIX . "societe_perentity (";
$sql .= " fk_soc";
@@ -2401,7 +2401,7 @@ class Societe extends CommonObject
if (!$error) {
$sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_commerciaux";
- $sql .= " WHERE fk_soc = ".$this->id." AND fk_user = ".((int) $commid);
+ $sql .= " WHERE fk_soc = ".((int) $this->id)." AND fk_user = ".((int) $commid);
$resql = $this->db->query($sql);
if (!$resql) {
@@ -2413,7 +2413,7 @@ class Societe extends CommonObject
if (!$error) {
$sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_commerciaux";
$sql .= " (fk_soc, fk_user)";
- $sql .= " VALUES (".$this->id.", ".$commid.")";
+ $sql .= " VALUES (".((int) $this->id).", ".((int) $commid).")";
$resql = $this->db->query($sql);
if (!$resql) {
@@ -2423,7 +2423,7 @@ class Societe extends CommonObject
}
if (!$error) {
- $this->context = array('commercial_modified'=>$commid);
+ $this->context = array('commercial_modified' => $commid);
$result = $this->call_trigger('COMPANY_LINK_SALE_REPRESENTATIVE', $user);
if ($result < 0) {
@@ -2464,7 +2464,7 @@ class Societe extends CommonObject
if ($this->id > 0 && $commid > 0) {
$sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_commerciaux ";
- $sql .= " WHERE fk_soc = ".$this->id." AND fk_user = ".((int) $commid);
+ $sql .= " WHERE fk_soc = ".((int) $this->id)." AND fk_user = ".((int) $commid);
if (!$this->db->query($sql)) {
dol_syslog(get_class($this)."::del_commercial Erreur");
@@ -2837,7 +2837,7 @@ class Societe extends CommonObject
$sql = "SELECT rowid, email, statut as status, phone_mobile, lastname, poste, firstname";
$sql .= " FROM ".MAIN_DB_PREFIX."socpeople";
- $sql .= " WHERE fk_soc = ".$this->id;
+ $sql .= " WHERE fk_soc = ".((int) $this->id);
$sql .= " ORDER BY lastname, firstname";
$resql = $this->db->query($sql);
@@ -2897,7 +2897,7 @@ class Societe extends CommonObject
// phpcs:enable
$contacts = array();
- $sql = "SELECT rowid, lastname, firstname FROM ".MAIN_DB_PREFIX."socpeople WHERE fk_soc = ".$this->id;
+ $sql = "SELECT rowid, lastname, firstname FROM ".MAIN_DB_PREFIX."socpeople WHERE fk_soc = ".((int) $this->id);
$resql = $this->db->query($sql);
if ($resql) {
$nump = $this->db->num_rows($resql);
@@ -2927,7 +2927,7 @@ class Societe extends CommonObject
require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php';
$contacts = array();
- $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."socpeople WHERE fk_soc = ".$this->id;
+ $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."socpeople WHERE fk_soc = ".((int) $this->id);
$resql = $this->db->query($sql);
if ($resql) {
$nump = $this->db->num_rows($resql);
@@ -3743,7 +3743,7 @@ class Societe extends CommonObject
public function has_projects()
{
// phpcs:enable
- $sql = 'SELECT COUNT(*) as numproj FROM '.MAIN_DB_PREFIX.'projet WHERE fk_soc = '.$this->id;
+ $sql = 'SELECT COUNT(*) as numproj FROM '.MAIN_DB_PREFIX.'projet WHERE fk_soc = '.((int) $this->id);
$resql = $this->db->query($sql);
if ($resql) {
$obj = $this->db->fetch_object($resql);
@@ -4761,6 +4761,7 @@ class Societe extends CommonObject
$this->db->begin();
+ $field = 'accountancy_code_sell';
if ($type == 'buy') {
$field = 'accountancy_code_buy';
} elseif ($type == 'sell') {
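Review bot: Pre-setting `$field = 'accountancy_code_sell'` means any `$type` that is neither `'buy'` nor `'sell'` now falls through to updating the sell column; unless the `elseif` chain has an `else` that rejects other values (its end is outside the hunk), an unexpected type silently writes the wrong field instead of failing. Rejecting early, `if ($type != 'buy' && $type != 'sell') { return -1; }`, or selecting the column with a `match` over the two literals so an unhandled value throws, makes the contract explicit. The enclosing method starts outside the hunk.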
@@ -4770,8 +4771,8 @@ class Societe extends CommonObject
}
$sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element." SET ";
- $sql.= "$field = '".$this->db->escape($value)."'";
- $sql.= " WHERE rowid = ".$this->id;
+ $sql.= $field." = '".$this->db->escape($value)."'";
+ $sql.= " WHERE rowid = ".((int) $this->id);
dol_syslog(get_class($this)."::".__FUNCTION__." sql=".$sql, LOG_DEBUG);
$resql = $this->db->query($sql);
diff --git a/htdocs/stripe/class/stripe.class.php b/htdocs/stripe/class/stripe.class.php
index 5614b3c6138..c671ac9c396 100644
--- a/htdocs/stripe/class/stripe.class.php
+++ b/htdocs/stripe/class/stripe.class.php
@@ -170,7 +170,7 @@ class Stripe extends CommonObject
$sql = "SELECT sa.key_account as key_account, sa.entity"; // key_account is cus_....
$sql .= " FROM ".MAIN_DB_PREFIX."societe_account as sa";
- $sql .= " WHERE sa.fk_soc = ".$object->id;
+ $sql .= " WHERE sa.fk_soc = ".((int) $object->id);
$sql .= " AND sa.entity IN (".getEntity('societe').")";
$sql .= " AND sa.site = 'stripe' AND sa.status = ".((int) $status);
$sql .= " AND (sa.site_account IS NULL OR sa.site_account = '' OR sa.site_account = '".$this->db->escape($stripearrayofkeysbyenv[$status]['publishable_key'])."')";
@@ -359,7 +359,7 @@ class Stripe extends CommonObject
$sql = "SELECT pi.ext_payment_id, pi.entity, pi.fk_facture, pi.sourcetype, pi.ext_payment_site";
$sql .= " FROM ".MAIN_DB_PREFIX."prelevement_facture_demande as pi";
- $sql .= " WHERE pi.fk_facture = ".$object->id;
+ $sql .= " WHERE pi.fk_facture = ".((int) $object->id);
$sql .= " AND pi.sourcetype = '".$this->db->escape($object->element)."'";
$sql .= " AND pi.entity IN (".getEntity('societe').")";
$sql .= " AND pi.ext_payment_site = '".$this->db->escape($service)."'";
@@ -728,7 +728,7 @@ class Stripe extends CommonObject
$sql = "SELECT sa.stripe_card_ref, sa.proprio, sa.exp_date_month, sa.exp_date_year, sa.number, sa.cvn"; // stripe_card_ref is card_....
$sql .= " FROM ".MAIN_DB_PREFIX."societe_rib as sa";
- $sql .= " WHERE sa.rowid = ".$object->id; // We get record from ID, no need for filter on entity
+ $sql .= " WHERE sa.rowid = ".((int) $object->id); // We get record from ID, no need for filter on entity
$sql .= " AND sa.type = 'card'";
dol_syslog(get_class($this)."::fetch search stripe card id for paymentmode id=".$object->id.", stripeacc=".$stripeacc.", status=".$status.", createifnotlinkedtostripe=".$createifnotlinkedtostripe, LOG_DEBUG);
@@ -826,7 +826,7 @@ class Stripe extends CommonObject
$sql .= " SET stripe_card_ref = '".$this->db->escape($card->id)."', card_type = '".$this->db->escape($card->brand)."',";
$sql .= " country_code = '".$this->db->escape($card->country)."',";
$sql .= " approved = ".($card->cvc_check == 'pass' ? 1 : 0);
- $sql .= " WHERE rowid = ".$object->id;
+ $sql .= " WHERE rowid = ".((int) $object->id);
$sql .= " AND type = 'card'";
$resql = $this->db->query($sql);
if (!$resql) {
diff --git a/htdocs/takepos/floors.php b/htdocs/takepos/floors.php
index 508d6e670b3..b3ba955f4e8 100644
--- a/htdocs/takepos/floors.php
+++ b/htdocs/takepos/floors.php
@@ -93,9 +93,9 @@ if ($action == "update") {
$top = 95;
}
if ($left > 3 or $top > 4) {
- $db->query("UPDATE ".MAIN_DB_PREFIX."takepos_floor_tables set leftpos=".$left.", toppos=".$top." WHERE rowid='".$place."'");
+ $db->query("UPDATE ".MAIN_DB_PREFIX."takepos_floor_tables set leftpos = ".((int) $left).", toppos = ".((int) $top)." WHERE rowid = ".((int) $place));
} else {
- $db->query("DELETE from ".MAIN_DB_PREFIX."takepos_floor_tables where rowid='".$place."'");
+ $db->query("DELETE from ".MAIN_DB_PREFIX."takepos_floor_tables where rowid = ".((int) $place));
}
}
@@ -104,11 +104,11 @@ if ($action == "updatename") {
if (strlen($newname) > 3) {
$newname = substr($newname, 0, 3); // Only 3 chars
}
- $db->query("UPDATE ".MAIN_DB_PREFIX."takepos_floor_tables set label='".$db->escape($newname)."' WHERE rowid='".$place."'");
+ $db->query("UPDATE ".MAIN_DB_PREFIX."takepos_floor_tables set label='".$db->escape($newname)."' WHERE rowid = ".((int) $place));
}
if ($action == "add") {
- $sql = "INSERT INTO ".MAIN_DB_PREFIX."takepos_floor_tables(entity, label, leftpos, toppos, floor) VALUES (".$conf->entity.", '', '45', '45', ".$floor.")";
+ $sql = "INSERT INTO ".MAIN_DB_PREFIX."takepos_floor_tables(entity, label, leftpos, toppos, floor) VALUES (".$conf->entity.", '', '45', '45', ".((int) $floor).")";
$asdf = $db->query($sql);
$db->query("update ".MAIN_DB_PREFIX."takepos_floor_tables set label=rowid where label=''"); // No empty table names
}
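Review bot: `$conf->entity` on the new INSERT line is the only value in the VALUES list still left uncast while `$floor` now gets `(int)`; elsewhere in this commit the same value is written as `((int) $conf->entity)` (user/bank.php, societe.class.php), and the `ity`/`con` exemption in CodingPhpTest means the checker will not flag this one. Casting it here too, `VALUES (".((int) $conf->entity).", '', '45', '45', ".((int) $floor).")`, keeps the diff consistent. The `$asdf = $db->query($sql)` result on the following line is never checked, so a failed insert goes unnoticed before the label fix-up UPDATE runs.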
diff --git a/htdocs/ticket/class/ticket.class.php b/htdocs/ticket/class/ticket.class.php
index 1ffec54ed22..bf08e2fdf01 100644
--- a/htdocs/ticket/class/ticket.class.php
+++ b/htdocs/ticket/class/ticket.class.php
@@ -2296,7 +2296,7 @@ class Ticket extends CommonObject
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."socpeople t on ec.fk_socpeople = t.rowid";
}
- $sql .= " WHERE ec.element_id =".$this->id;
+ $sql .= " WHERE ec.element_id = ".((int) $this->id);
$sql .= " AND ec.fk_c_type_contact=tc.rowid";
$sql .= " AND tc.element='".$this->db->escape($this->element)."'";
if ($source == 'internal') {
diff --git a/htdocs/user/bank.php b/htdocs/user/bank.php
index aa6f97a6c05..00b85dc23a6 100644
--- a/htdocs/user/bank.php
+++ b/htdocs/user/bank.php
@@ -369,7 +369,7 @@ if ($action != 'edit' && $action != 'create') { // If not bank account yet, $ac
$sql = "SELECT s.rowid as sid, s.ref as sref, s.label, s.datesp, s.dateep, s.paye, s.amount, SUM(ps.amount) as alreadypaid";
$sql .= " FROM ".MAIN_DB_PREFIX."salary as s";
$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."payment_salary as ps ON (s.rowid = ps.fk_salary)";
- $sql .= " WHERE s.fk_user = ".$object->id;
+ $sql .= " WHERE s.fk_user = ".((int) $object->id);
$sql .= " AND s.entity IN (".getEntity('salary').")";
$sql .= " GROUP BY s.rowid, s.ref, s.label, s.datesp, s.dateep, s.paye, s.amount";
$sql .= " ORDER BY s.dateep DESC";
@@ -433,7 +433,7 @@ if ($action != 'edit' && $action != 'create') { // If not bank account yet, $ac
$sql = "SELECT h.rowid, h.statut as status, h.fk_type, h.date_debut, h.date_fin, h.halfday";
$sql .= " FROM ".MAIN_DB_PREFIX."holiday as h";
- $sql .= " WHERE h.fk_user = ".$object->id;
+ $sql .= " WHERE h.fk_user = ".((int) $object->id);
$sql .= " AND h.entity IN (".getEntity('holiday').")";
$sql .= " ORDER BY h.date_debut DESC";
@@ -485,8 +485,8 @@ if ($action != 'edit' && $action != 'create') { // If not bank account yet, $ac
$sql = "SELECT e.rowid, e.ref, e.fk_statut as status, e.date_debut, e.total_ttc";
$sql .= " FROM ".MAIN_DB_PREFIX."expensereport as e";
- $sql .= " WHERE e.fk_user_author = ".$object->id;
- $sql .= " AND e.entity = ".$conf->entity;
+ $sql .= " WHERE e.fk_user_author = ".((int) $object->id);
+ $sql .= " AND e.entity = ".((int) $conf->entity);
$sql .= " ORDER BY e.date_debut DESC";
$resql = $db->query($sql);
diff --git a/htdocs/user/card.php b/htdocs/user/card.php
index ad1007f3c52..be91f302b97 100644
--- a/htdocs/user/card.php
+++ b/htdocs/user/card.php
@@ -512,15 +512,15 @@ if (empty($reshook)) {
if (!empty($contact->socid)) {
$sql .= ", fk_soc=".((int) $contact->socid);
}
- $sql .= " WHERE rowid=".$object->id;
+ $sql .= " WHERE rowid = ".((int) $object->id);
} elseif ($socid > 0) {
$sql = "UPDATE ".MAIN_DB_PREFIX."user";
$sql .= " SET fk_socpeople=NULL, fk_soc=".((int) $socid);
- $sql .= " WHERE rowid=".$object->id;
+ $sql .= " WHERE rowid = ".((int) $object->id);
} else {
$sql = "UPDATE ".MAIN_DB_PREFIX."user";
$sql .= " SET fk_socpeople=NULL, fk_soc=NULL";
- $sql .= " WHERE rowid=".$object->id;
+ $sql .= " WHERE rowid = ".((int) $object->id);
}
dol_syslog("usercard::update", LOG_DEBUG);
$resql = $db->query($sql);
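Review bot: All three branches end with the identical `$sql .= " WHERE rowid = ".((int) $object->id);`, so the filter is repeated three times where it could be appended once after the `if/elseif/else` chain. Hoisting that single line to just before `dol_syslog("usercard::update", LOG_DEBUG);` removes the duplication and makes a future change to the WHERE clause a one-place edit. The first branch's `$sql` assignment and the enclosing block start outside the hunk.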
diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php
index 5ba74969107..e4a0e015fe8 100644
--- a/test/phpunit/CodingPhpTest.php
+++ b/test/phpunit/CodingPhpTest.php
@@ -143,7 +143,6 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
$user=$this->savuser;
$langs=$this->savlangs;
$db=$this->savdb;
-
print __METHOD__."\n";
}
@@ -290,7 +289,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
// with xxx that is not 'thi' (for $this->db->sanitize) and 'db-' (for $db->sanitize). It means we forget a ' if string or an (int) if int when forging sql request.
preg_match_all('/(DELETE|OR|AND|WHERE|INSERT)\s.*([^\s][^\s][^\s])\s*=\s*"\s*\.\s*\$(...)/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
- if ($val[2] == 'ity' && $val[3] == 'con') {
+ if ($val[2] == 'ity' && $val[3] == 'con') { // exclude entity = $conf->entity
continue;
}
var_dump($matches);
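Review bot: The new comment documents the `ity`/`con` exemption as "exclude entity = $conf->entity", but this same commit casts that value as `((int) $conf->entity)` in most places, so the exemption now mainly hides the remaining uncast occurrence (takepos/floors.php in this diff). Dropping the `continue` would let the test enforce the cast uniformly; if the exemption is kept, the comment should say why `$conf->entity` is considered safe without a cast. The regex only samples three characters of the variable name, so the exemption also covers any other `$con...` variable, which is worth stating. The enclosing test method starts outside the hunk.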
@@ -316,7 +315,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
// Check string sql|set...'".$yyy->xxx with xxx that is not 'escape', 'idate', .... It means we forget a db->escape when forging sql request.
preg_match_all('/(sql|SET|WHERE).+\s*\'"\s*\.\s*\$(.........)/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
- if (! in_array($val[2], array('this->db-', 'this->esc', 'db->escap', 'dbsession', 'db->idate', 'excludeGr', 'includeGr'))) {
+ if (! in_array($val[2], array('this->db-', 'this->esc', 'db->escap', 'mydb->esc', 'dbsession', 'db->idate', 'escapedli', 'excludeGr', 'includeGr'))) {
$ok=false;
break;
}
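Review bot: The two new allow-list entries `'mydb->esc'` and `'escapedli'` are nine-character name prefixes (the regex captures `\$(.........)`), so `'escapedli'` exempts any `$escapedli...` variable purely on its name and relies on the author having escaped it before the assignment. A short comment next to the list naming which variable the entry is meant to cover, e.g. `// 'escapedli': $escapedli<...> is escaped by the caller before use`, would help the next person extend the list without widening it by accident. The enclosing test method starts outside the hunk.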