Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-14 05:21:27 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add more robust php unit to detect not escaped sql. Fix not escaped sql

Browse Source
This commit is contained in:
Laurent Destailleur
2017-09-15 15:41:07 +02:00
parent 77056d9adb
commit 5e34b121dd
63 changed files with 420 additions and 438 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
htdocs/comm/action/class/actioncomm.class.php
View File

@@ -296,23 +296,23 @@ class ActionComm extends CommonObject
$sql.= "elementtype,";
$sql.= "entity";
$sql.= ") VALUES (";
$sql.= "'".$this->db->idate($now)."',";
$sql.= (strval($this->datep)!=''?"'".$this->db->idate($this->datep)."'":"null").",";
$sql.= (strval($this->datef)!=''?"'".$this->db->idate($this->datef)."'":"null").",";
$sql.= ((isset($this->durationp) && $this->durationp >= 0 && $this->durationp != '')?"'".$this->durationp."'":"null").","; // deprecated
$sql.= "'".$this->db->idate($now)."', ";
$sql.= (strval($this->datep)!=''?"'".$this->db->idate($this->datep)."'":"null").", ";
$sql.= (strval($this->datef)!=''?"'".$this->db->idate($this->datef)."'":"null").", ";
$sql.= ((isset($this->durationp) && $this->durationp >= 0 && $this->durationp != '')?"'".$this->db->escape($this->durationp)."'":"null").", "; // deprecated
$sql.= (isset($this->type_id)?$this->type_id:"null").",";
$sql.= (isset($this->type_code)?" '".$this->type_code."'":"null").",";
$sql.= ((isset($this->socid) && $this->socid > 0)?" '".$this->socid."'":"null").",";
$sql.= ((isset($this->fk_project) && $this->fk_project > 0)?" '".$this->fk_project."'":"null").",";
$sql.= " '".$this->db->escape($this->note)."',";
$sql.= ((isset($this->contactid) && $this->contactid > 0)?"'".$this->contactid."'":"null").",";
$sql.= (isset($user->id) && $user->id > 0 ? "'".$user->id."'":"null").",";
$sql.= ($userownerid>0?"'".$userownerid."'":"null").",";
$sql.= ($userdoneid>0?"'".$userdoneid."'":"null").",";
$sql.= "'".$this->db->escape($this->label)."','".$this->percentage."','".$this->priority."','".$this->fulldayevent."','".$this->db->escape($this->location)."','".$this->punctual."',";
$sql.= "'".$this->transparency."',";
$sql.= (! empty($this->fk_element)?$this->fk_element:"null").",";
$sql.= (! empty($this->elementtype)?"'".$this->elementtype."'":"null").",";
$sql.= (isset($this->type_code)?" '".$this->db->escape($this->type_code)."'":"null").", ";
$sql.= ((isset($this->socid) && $this->socid > 0) ? $this->socid:"null").", ";
$sql.= ((isset($this->fk_project) && $this->fk_project > 0) ? $this->fk_project:"null").", ";
$sql.= " '".$this->db->escape($this->note)."', ";
$sql.= ((isset($this->contactid) && $this->contactid > 0) ? $this->contactid:"null").", ";
$sql.= (isset($user->id) && $user->id > 0 ? $user->id:"null").", ";
$sql.= ($userownerid>0 ? $userownerid:"null").", ";
$sql.= ($userdoneid>0 ? $userdoneid:"null").", ";
$sql.= "'".$this->db->escape($this->label)."','".$this->db->escape($this->percentage)."','".$this->db->escape($this->priority)."','".$this->db->escape($this->fulldayevent)."','".$this->db->escape($this->location)."','".$this->db->escape($this->punctual)."', ";
$sql.= "'".$this->db->escape($this->transparency)."', ";
$sql.= (! empty($this->fk_element)?$this->fk_element:"null").", ";
$sql.= (! empty($this->elementtype)?"'".$this->db->escape($this->elementtype)."'":"null").", ";
$sql.= $conf->entity;
$sql.= ")";
@@ -758,11 +758,11 @@ class ActionComm extends CommonObject
$sql.= ", label = ".($this->label ? "'".$this->db->escape($this->label)."'":"null");
$sql.= ", datep = ".(strval($this->datep)!='' ? "'".$this->db->idate($this->datep)."'" : 'null');
$sql.= ", datep2 = ".(strval($this->datef)!='' ? "'".$this->db->idate($this->datef)."'" : 'null');
$sql.= ", durationp = ".(isset($this->durationp) && $this->durationp >= 0 && $this->durationp != ''?"'".$this->durationp."'":"null"); // deprecated
$sql.= ", durationp = ".(isset($this->durationp) && $this->durationp >= 0 && $this->durationp != ''?"'".$this->db->escape($this->durationp)."'":"null"); // deprecated
$sql.= ", note = ".($this->note ? "'".$this->db->escape($this->note)."'":"null");
$sql.= ", fk_project =". ($this->fk_project > 0 ? "'".$this->fk_project."'":"null");
$sql.= ", fk_soc =". ($socid > 0 ? "'".$socid."'":"null");
$sql.= ", fk_contact =". ($contactid > 0 ? "'".$contactid."'":"null");
$sql.= ", fk_project =". ($this->fk_project > 0 ? $this->fk_project:"null");
$sql.= ", fk_soc =". ($socid > 0 ? $socid:"null");
$sql.= ", fk_contact =". ($contactid > 0 ? $contactid:"null");
$sql.= ", priority = '".$this->db->escape($this->priority)."'";
$sql.= ", fulldayevent = '".$this->db->escape($this->fulldayevent)."'";
$sql.= ", location = ".($this->location ? "'".$this->db->escape($this->location)."'":"null");
@@ -770,8 +770,8 @@ class ActionComm extends CommonObject
$sql.= ", fk_user_mod = ".$user->id;
$sql.= ", fk_user_action=".($userownerid > 0 ? "'".$userownerid."'":"null");
$sql.= ", fk_user_done=".($userdoneid > 0 ? "'".$userdoneid."'":"null");
if (! empty($this->fk_element)) $sql.= ", fk_element=".($this->fk_element?$this->fk_element:"null");
if (! empty($this->elementtype)) $sql.= ", elementtype=".($this->elementtype?"'".$this->elementtype."'":"null");
if (! empty($this->fk_element)) $sql.= ", fk_element=".($this->fk_element?$this->db->escape($this->fk_element):"null");
if (! empty($this->elementtype)) $sql.= ", elementtype=".($this->elementtype?"'".$this->db->escape($this->elementtype)."'":"null");
$sql.= " WHERE id=".$this->id;
dol_syslog(get_class($this)."::update", LOG_DEBUG);

2
htdocs/comm/mailing/class/advtargetemailing.class.php
View File

@@ -121,7 +121,7 @@ class AdvanceTargetingMailing extends CommonObject
$sql.= " ".(! isset($this->name)?'NULL':"'".$this->db->escape($this->name)."'").",";
$sql.= " ".$conf->entity.",";
$sql.= " ".(! isset($this->fk_mailing)?'NULL':"'".$this->fk_mailing."'").",";
$sql.= " ".(! isset($this->fk_mailing)?'NULL':"'".$this->db->escape($this->fk_mailing)."'").",";
$sql.= " ".(! isset($this->filtervalue)?'NULL':"'".$this->db->escape($this->filtervalue)."'").",";
$sql.= " ".$user->id.",";
$sql.= " '".$this->db->idate(dol_now())."',";

22
htdocs/comm/propal/class/propal.class.php
View File

@@ -938,7 +938,7 @@ class Propal extends CommonObject
$sql.= ", '".$this->db->escape($this->multicurrency_code)."'";
$sql.= ", ".(double) $this->multicurrency_tx;
$sql.= ")";
dol_syslog(get_class($this)."::create", LOG_DEBUG);
$resql=$this->db->query($sql);
if ($resql)
@@ -3772,28 +3772,28 @@ class PropaleLigne extends CommonObjectLine
$sql.= ' date_start, date_end';
$sql.= ', fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc)';
$sql.= " VALUES (".$this->fk_propal.",";
$sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").",";
$sql.= " ".($this->fk_parent_line>0?"'".$this->db->escape($this->fk_parent_line)."'":"null").",";
$sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
$sql.= " '".$this->db->escape($this->desc)."',";
$sql.= " ".($this->fk_product?"'".$this->fk_product."'":"null").",";
$sql.= " '".$this->product_type."',";
$sql.= " ".($this->fk_remise_except?"'".$this->fk_remise_except."'":"null").",";
$sql.= " ".($this->fk_product?"'".$this->db->escape($this->fk_product)."'":"null").",";
$sql.= " '".$this->db->escape($this->product_type)."',";
$sql.= " ".($this->fk_remise_except?"'".$this->db->escape($this->fk_remise_except)."'":"null").",";
$sql.= " ".price2num($this->qty).",";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").",";
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").",";
$sql.= " ".price2num($this->tva_tx).",";
$sql.= " ".price2num($this->localtax1_tx).",";
$sql.= " ".price2num($this->localtax2_tx).",";
$sql.= " '".$this->localtax1_type."',";
$sql.= " '".$this->localtax2_type."',";
$sql.= " '".$this->db->escape($this->localtax1_type)."',";
$sql.= " '".$this->db->escape($this->localtax2_type)."',";
$sql.= " ".($this->subprice?price2num($this->subprice):"null").",";
$sql.= " ".price2num($this->remise_percent).",";
$sql.= " ".(isset($this->info_bits)?"'".$this->info_bits."'":"null").",";
$sql.= " ".(isset($this->info_bits)?"'".$this->db->escape($this->info_bits)."'":"null").",";
$sql.= " ".price2num($this->total_ht).",";
$sql.= " ".price2num($this->total_tva).",";
$sql.= " ".price2num($this->total_localtax1).",";
$sql.= " ".price2num($this->total_localtax2).",";
$sql.= " ".price2num($this->total_ttc).",";
$sql.= " ".(!empty($this->fk_fournprice)?"'".$this->fk_fournprice."'":"null").",";
$sql.= " ".(!empty($this->fk_fournprice)?"'".$this->db->escape($this->fk_fournprice)."'":"null").",";
$sql.= " ".(isset($this->pa_ht)?"'".price2num($this->pa_ht)."'":"null").",";
$sql.= ' '.$this->special_code.',';
$sql.= ' '.$this->rang.',';
@@ -3975,7 +3975,7 @@ class PropaleLigne extends CommonObjectLine
$sql.= ", total_localtax1=".price2num($this->total_localtax1)."";
$sql.= ", total_localtax2=".price2num($this->total_localtax2)."";
}
$sql.= ", fk_product_fournisseur_price=".(! empty($this->fk_fournprice)?"'".$this->fk_fournprice."'":"null");
$sql.= ", fk_product_fournisseur_price=".(! empty($this->fk_fournprice)?"'".$this->db->escape($this->fk_fournprice)."'":"null");
$sql.= ", buy_price_ht=".price2num($this->pa_ht);
if (strlen($this->special_code)) $sql.= ", special_code=".$this->special_code;
$sql.= ", fk_parent_line=".($this->fk_parent_line>0?$this->fk_parent_line:"null");