mirror of
https://github.com/Dolibarr/dolibarr.git
synced 2025-12-15 14:01:22 +01:00
Add more robust php unit to detect not escaped sql. Fix not escaped sql
This commit is contained in:
Laurent Destailleur
@@ -573,21 +573,21 @@ class Account extends CommonObject
|
||||
$sql.= ", '".$this->db->escape($this->account_number)."'";
|
||||
$sql.= ", ".($this->fk_accountancy_journal > 0 ? $this->db->escape($this->fk_accountancy_journal) : "null");
|
||||
$sql.= ", '".$this->db->escape($this->bank)."'";
|
||||
$sql.= ", '".$this->code_banque."'";
|
||||
$sql.= ", '".$this->code_guichet."'";
|
||||
$sql.= ", '".$this->number."'";
|
||||
$sql.= ", '".$this->cle_rib."'";
|
||||
$sql.= ", '".$this->bic."'";
|
||||
$sql.= ", '".$this->iban."'";
|
||||
$sql.= ", '".$this->db->escape($this->code_banque)."'";
|
||||
$sql.= ", '".$this->db->escape($this->code_guichet)."'";
|
||||
$sql.= ", '".$this->db->escape($this->number)."'";
|
||||
$sql.= ", '".$this->db->escape($this->cle_rib)."'";
|
||||
$sql.= ", '".$this->db->escape($this->bic)."'";
|
||||
$sql.= ", '".$this->db->escape($this->iban)."'";
|
||||
$sql.= ", '".$this->db->escape($this->domiciliation)."'";
|
||||
$sql.= ", '".$this->db->escape($this->proprio)."'";
|
||||
$sql.= ", '".$this->db->escape($this->owner_address)."'";
|
||||
$sql.= ", '".$this->currency_code."'";
|
||||
$sql.= ", '".$this->db->escape($this->currency_code)."'";
|
||||
$sql.= ", ".$this->rappro;
|
||||
$sql.= ", ".price2num($this->min_allowed);
|
||||
$sql.= ", ".price2num($this->min_desired);
|
||||
$sql.= ", '".$this->db->escape($this->comment)."'";
|
||||
$sql.= ", ".($this->state_id>0?"'".$this->state_id."'":"null");
|
||||
$sql.= ", ".($this->state_id>0?$this->state_id:"null");
|
||||
$sql.= ", ".$this->country_id;
|
||||
$sql.= ")";
|
||||
|
||||
@@ -702,7 +702,7 @@ class Account extends CommonObject
|
||||
$sql.= ",courant = ".$this->courant;
|
||||
$sql.= ",clos = ".$this->clos;
|
||||
$sql.= ",rappro = ".$this->rappro;
|
||||
$sql.= ",url = ".($this->url?"'".$this->url."'":"null");
|
||||
$sql.= ",url = ".($this->url?"'".$this->db->escape($this->url)."'":"null");
|
||||
$sql.= ",account_number = '".$this->db->escape($this->account_number)."'";
|
||||
$sql.= ",fk_accountancy_journal = ".($this->fk_accountancy_journal > 0 ? $this->db->escape($this->fk_accountancy_journal) : "null");
|
||||
$sql.= ",bank = '".$this->db->escape($this->bank)."'";
|
||||
@@ -722,7 +722,7 @@ class Account extends CommonObject
|
||||
$sql.= ",min_desired = ".($this->min_desired != '' ? price2num($this->min_desired) : "null");
|
||||
$sql.= ",comment = '".$this->db->escape($this->comment)."'";
|
||||
|
||||
$sql.= ",state_id = ".($this->state_id>0?"'".$this->state_id."'":"null");
|
||||
$sql.= ",state_id = ".($this->state_id>0?$this->state_id:"null");
|
||||
$sql.= ",fk_pays = ".$this->country_id;
|
||||
|
||||
$sql.= " WHERE rowid = ".$this->id;
|
||||
@@ -807,7 +807,7 @@ class Account extends CommonObject
|
||||
$sql.= ",domiciliation='".$this->db->escape($this->domiciliation)."'";
|
||||
$sql.= ",proprio = '".$this->db->escape($this->proprio)."'";
|
||||
$sql.= ",owner_address = '".$this->db->escape($this->owner_address)."'";
|
||||
$sql.= ",state_id = ".($this->state_id>0?"'".$this->state_id."'":"null");
|
||||
$sql.= ",state_id = ".($this->state_id>0?$this->state_id:"null");
|
||||
$sql.= ",fk_pays = ".$this->country_id;
|
||||
$sql.= " WHERE rowid = ".$this->id;
|
||||
$sql.= " AND entity = ".$conf->entity;
|
||||
@@ -1694,9 +1694,9 @@ class AccountLine extends CommonObject
|
||||
$sql .= ", '".$this->db->idate($this->datev)."'";
|
||||
$sql .= ", '".$this->db->escape($this->label)."'";
|
||||
$sql .= ", ".price2num($this->amount);
|
||||
$sql .= ", ".($this->fk_user_author > 0 ? "'".$this->fk_user_author."'":"null");
|
||||
$sql .= ", ".($this->num_chq ? "'".$this->num_chq."'" : "null");
|
||||
$sql .= ", '".$this->fk_account."'";
|
||||
$sql .= ", ".($this->fk_user_author > 0 ? $this->fk_user_author :"null");
|
||||
$sql .= ", ".($this->num_chq ? "'".$this->db->escape($this->num_chq)."'" : "null");
|
||||
$sql .= ", '".$this->db->escape($this->fk_account)."'";
|
||||
$sql .= ", '".$this->db->escape($this->fk_type)."'";
|
||||
$sql .= ", ".($this->emetteur ? "'".$this->db->escape($this->emetteur)."'" : "null");
|
||||
$sql .= ", ".($this->bank_chq ? "'".$this->db->escape($this->bank_chq)."'" : "null");
|
||||
|
||||
@@ -107,7 +107,7 @@ class Deplacement extends CommonObject
|
||||
$sql.= ", ".$conf->entity;
|
||||
$sql.= ", ".$user->id;
|
||||
$sql.= ", ".$this->fk_user;
|
||||
$sql.= ", '".$this->type."'";
|
||||
$sql.= ", '".$this->db->escape($this->type)."'";
|
||||
$sql.= ", ".($this->note_private?"'".$this->db->escape($this->note_private)."'":"null");
|
||||
$sql.= ", ".($this->note_public?"'".$this->db->escape($this->note_public)."'":"null");
|
||||
$sql.= ", ".($this->fk_project > 0? $this->fk_project : 0);
|
||||
|
||||
@@ -141,7 +141,7 @@ class FactureRec extends CommonInvoice
|
||||
$sql.= ", nb_gen_max";
|
||||
$sql.= ", auto_validate";
|
||||
$sql.= ") VALUES (";
|
||||
$sql.= "'".$this->titre."'";
|
||||
$sql.= "'".$this->db->escape($this->titre)."'";
|
||||
$sql.= ", ".$facsrc->socid;
|
||||
$sql.= ", ".$conf->entity;
|
||||
$sql.= ", '".$this->db->idate($now)."'";
|
||||
@@ -149,11 +149,11 @@ class FactureRec extends CommonInvoice
|
||||
$sql.= ", ".(!empty($facsrc->remise)?$this->remise:'0');
|
||||
$sql.= ", ".(!empty($this->note_private)?("'".$this->db->escape($this->note_private)."'"):"NULL");
|
||||
$sql.= ", ".(!empty($this->note_public)?("'".$this->db->escape($this->note_public)."'"):"NULL");
|
||||
$sql.= ", '".$user->id."'";
|
||||
$sql.= ", '".$this->db->escape($user->id)."'";
|
||||
$sql.= ", ".(! empty($facsrc->fk_project)?"'".$facsrc->fk_project."'":"null");
|
||||
$sql.= ", ".(! empty($facsrc->fk_account)?"'".$facsrc->fk_account."'":"null");
|
||||
$sql.= ", '".$facsrc->cond_reglement_id."'";
|
||||
$sql.= ", '".$facsrc->mode_reglement_id."'";
|
||||
$sql.= ", '".$this->db->escape($facsrc->cond_reglement_id)."'";
|
||||
$sql.= ", '".$this->db->escape($facsrc->mode_reglement_id)."'";
|
||||
$sql.= ", ".$this->usenewprice;
|
||||
$sql.= ", ".$this->frequency;
|
||||
$sql.= ", '".$this->db->escape($this->unit_frequency)."'";
|
||||
@@ -1504,7 +1504,7 @@ class FactureLigneRec extends CommonInvoiceLine
|
||||
$sql.= ", localtax1_type='".$this->db->escape($this->localtax1_type)."'";
|
||||
$sql.= ", localtax2_tx=".price2num($this->localtax2_tx);
|
||||
$sql.= ", localtax2_type='".$this->db->escape($this->localtax2_type)."'";
|
||||
$sql.= ", fk_product=".(! empty($this->fk_product)?"'".$this->fk_product."'":"null");
|
||||
$sql.= ", fk_product=".($this->fk_product > 0 ? $this->fk_product :"null");
|
||||
$sql.= ", product_type=".$this->product_type;
|
||||
$sql.= ", remise_percent='".price2num($this->remise_percent)."'";
|
||||
$sql.= ", subprice='".price2num($this->subprice)."'";
|
||||
|
||||
@@ -4446,16 +4446,16 @@ class FactureLigne extends CommonInvoiceLine
|
||||
$sql.= ' fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc';
|
||||
$sql.= ')';
|
||||
$sql.= " VALUES (".$this->fk_facture.",";
|
||||
$sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").",";
|
||||
$sql.= " ".($this->fk_parent_line>0 ? $this->fk_parent_line:"null").",";
|
||||
$sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
|
||||
$sql.= " '".$this->db->escape($this->desc)."',";
|
||||
$sql.= " ".price2num($this->qty).",";
|
||||
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").",";
|
||||
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").",";
|
||||
$sql.= " ".price2num($this->tva_tx).",";
|
||||
$sql.= " ".price2num($this->localtax1_tx).",";
|
||||
$sql.= " ".price2num($this->localtax2_tx).",";
|
||||
$sql.= " '".$this->localtax1_type."',";
|
||||
$sql.= " '".$this->localtax2_type."',";
|
||||
$sql.= " '".$this->db->escape($this->localtax1_type)."',";
|
||||
$sql.= " '".$this->db->escape($this->localtax2_type)."',";
|
||||
$sql.= ' '.(! empty($this->fk_product)?$this->fk_product:"null").',';
|
||||
$sql.= " ".$this->product_type.",";
|
||||
$sql.= " ".price2num($this->remise_percent).",";
|
||||
@@ -4468,7 +4468,7 @@ class FactureLigne extends CommonInvoiceLine
|
||||
$sql.= ' '.$this->special_code.',';
|
||||
$sql.= ' '.(! empty($this->fk_fournprice)?$this->fk_fournprice:"null").',';
|
||||
$sql.= ' '.price2num($this->pa_ht).',';
|
||||
$sql.= " '".$this->info_bits."',";
|
||||
$sql.= " '".$this->db->escape($this->info_bits)."',";
|
||||
$sql.= " ".price2num($this->total_ht).",";
|
||||
$sql.= " ".price2num($this->total_tva).",";
|
||||
$sql.= " ".price2num($this->total_ttc).",";
|
||||
|
||||
@@ -85,13 +85,11 @@ class PaymentTerm // extends CommonObject
|
||||
if (isset($this->decalage)) $this->decalage=trim($this->decalage);
|
||||
|
||||
|
||||
|
||||
// Check parameters
|
||||
// Put here code to add control on parameters values
|
||||
|
||||
// Insert request
|
||||
$sql = "INSERT INTO ".MAIN_DB_PREFIX."c_payment_term(";
|
||||
|
||||
$sql.= "rowid,";
|
||||
$sql.= "code,";
|
||||
$sql.= "sortorder,";
|
||||
@@ -101,21 +99,16 @@ class PaymentTerm // extends CommonObject
|
||||
$sql.= "type_cdr,";
|
||||
$sql.= "nbjour,";
|
||||
$sql.= "decalage";
|
||||
|
||||
|
||||
$sql.= ") VALUES (";
|
||||
|
||||
$sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->rowid."'").",";
|
||||
$sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->db->escape($this->rowid)."'").",";
|
||||
$sql.= " ".(! isset($this->code)?'NULL':"'".$this->db->escape($this->code)."'").",";
|
||||
$sql.= " ".(! isset($this->sortorder)?'NULL':"'".$this->sortorder."'").",";
|
||||
$sql.= " ".(! isset($this->active)?'NULL':"'".$this->active."'").",";
|
||||
$sql.= " ".(! isset($this->sortorder)?'NULL':"'".$this->db->escape($this->sortorder)."'").",";
|
||||
$sql.= " ".(! isset($this->active)?'NULL':"'".$this->db->escape($this->active)."'").",";
|
||||
$sql.= " ".(! isset($this->libelle)?'NULL':"'".$this->db->escape($this->libelle)."'").",";
|
||||
$sql.= " ".(! isset($this->libelle_facture)?'NULL':"'".$this->db->escape($this->libelle_facture)."'").",";
|
||||
$sql.= " ".(! isset($this->type_cdr)?'NULL':"'".$this->type_cdr."'").",";
|
||||
$sql.= " ".(! isset($this->nbjour)?'NULL':"'".$this->nbjour."'").",";
|
||||
$sql.= " ".(! isset($this->decalage)?'NULL':"'".$this->decalage."'")."";
|
||||
|
||||
|
||||
$sql.= " ".(! isset($this->type_cdr)?'NULL':"'".$this->db->escape($this->type_cdr)."'").",";
|
||||
$sql.= " ".(! isset($this->nbjour)?'NULL':"'".$this->db->escape($this->nbjour)."'").",";
|
||||
$sql.= " ".(! isset($this->decalage)?'NULL':"'".$this->db->escape($this->decalage)."'")."";
|
||||
$sql.= ")";
|
||||
|
||||
$this->db->begin();
|
||||
@@ -285,7 +278,6 @@ class PaymentTerm // extends CommonObject
|
||||
|
||||
// Update request
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."c_payment_term SET";
|
||||
|
||||
$sql.= " code=".(isset($this->code)?"'".$this->db->escape($this->code)."'":"null").",";
|
||||
$sql.= " sortorder=".(isset($this->sortorder)?$this->sortorder:"null").",";
|
||||
$sql.= " active=".(isset($this->active)?$this->active:"null").",";
|
||||
@@ -294,8 +286,6 @@ class PaymentTerm // extends CommonObject
|
||||
$sql.= " type_cdr=".(isset($this->type_cdr)?$this->type_cdr:"null").",";
|
||||
$sql.= " nbjour=".(isset($this->nbjour)?$this->nbjour:"null").",";
|
||||
$sql.= " decalage=".(isset($this->decalage)?$this->decalage:"null")."";
|
||||
|
||||
|
||||
$sql.= " WHERE rowid=".$this->id;
|
||||
|
||||
$this->db->begin();
|
||||
|
||||
@@ -87,12 +87,12 @@ class Localtax extends CommonObject
|
||||
$sql.= " '".$this->db->idate($this->tms)."',";
|
||||
$sql.= " '".$this->db->idate($this->datep)."',";
|
||||
$sql.= " '".$this->db->idate($this->datev)."',";
|
||||
$sql.= " '".$this->amount."',";
|
||||
$sql.= " '".$this->label."',";
|
||||
$sql.= " '".$this->note."',";
|
||||
$sql.= " ".($this->fk_bank <= 0 ? "NULL" : "'".$this->fk_bank."'").",";
|
||||
$sql.= " '".$this->fk_user_creat."',";
|
||||
$sql.= " '".$this->fk_user_modif."'";
|
||||
$sql.= " '".$this->db->escape($this->amount)."',";
|
||||
$sql.= " '".$this->db->escape($this->label)."',";
|
||||
$sql.= " '".$this->db->escape($this->note)."',";
|
||||
$sql.= " ".($this->fk_bank <= 0 ? "NULL" : "'".$this->db->escape($this->fk_bank)."'").",";
|
||||
$sql.= " '".$this->db->escape($this->fk_user_creat)."',";
|
||||
$sql.= " '".$this->db->escape($this->fk_user_modif)."'";
|
||||
$sql.= ")";
|
||||
|
||||
dol_syslog(get_class($this)."::create", LOG_DEBUG);
|
||||
|
||||
@@ -108,7 +108,7 @@ class PaymentSalary extends CommonObject
|
||||
$sql.= " datesp='".$this->db->idate($this->datesp)."',";
|
||||
$sql.= " dateep='".$this->db->idate($this->dateep)."',";
|
||||
$sql.= " note='".$this->db->escape($this->note)."',";
|
||||
$sql.= " fk_bank=".($this->fk_bank > 0 ? "'".$this->fk_bank."'":"null").",";
|
||||
$sql.= " fk_bank=".($this->fk_bank > 0 ? "'".$this->db->escape($this->fk_bank)."'":"null").",";
|
||||
$sql.= " fk_user_author=".$this->fk_user_author.",";
|
||||
$sql.= " fk_user_modif=".$this->fk_user_modif;
|
||||
|
||||
@@ -344,18 +344,18 @@ class PaymentSalary extends CommonObject
|
||||
$sql.= ", entity";
|
||||
$sql.= ") ";
|
||||
$sql.= " VALUES (";
|
||||
$sql.= "'".$this->fk_user."'";
|
||||
$sql.= "'".$this->db->escape($this->fk_user)."'";
|
||||
$sql.= ", '".$this->db->idate($this->datep)."'";
|
||||
$sql.= ", '".$this->db->idate($this->datev)."'";
|
||||
$sql.= ", ".$this->amount;
|
||||
$sql.= ", ".($this->salary > 0 ? $this->salary : "null");
|
||||
$sql.= ", '".$this->type_payment."'";
|
||||
$sql.= ", '".$this->num_payment."'";
|
||||
$sql.= ", '".$this->db->escape($this->type_payment)."'";
|
||||
$sql.= ", '".$this->db->escape($this->num_payment)."'";
|
||||
if ($this->note) $sql.= ", '".$this->db->escape($this->note)."'";
|
||||
$sql.= ", '".$this->db->escape($this->label)."'";
|
||||
$sql.= ", '".$this->db->idate($this->datesp)."'";
|
||||
$sql.= ", '".$this->db->idate($this->dateep)."'";
|
||||
$sql.= ", '".$user->id."'";
|
||||
$sql.= ", '".$this->db->escape($user->id)."'";
|
||||
$sql.= ", '".$this->db->idate($now)."'";
|
||||
$sql.= ", NULL";
|
||||
$sql.= ", ".$conf->entity;
|
||||
|
||||
@@ -26,7 +26,7 @@
|
||||
require_once DOL_DOCUMENT_ROOT.'/core/class/commonobject.class.php';
|
||||
|
||||
|
||||
/**
|
||||
/**
|
||||
* Classe permettant la gestion des paiements des charges
|
||||
* La tva collectee n'est calculee que sur les factures payees.
|
||||
*/
|
||||
@@ -36,7 +36,7 @@ class ChargeSociales extends CommonObject
|
||||
public $table='chargesociales';
|
||||
public $table_element='chargesociales';
|
||||
public $picto = 'bill';
|
||||
|
||||
|
||||
/**
|
||||
* {@inheritdoc}
|
||||
*/
|
||||
@@ -110,7 +110,7 @@ class ChargeSociales extends CommonObject
|
||||
$this->paye = $obj->paye;
|
||||
$this->periode = $this->db->jdate($obj->periode);
|
||||
$this->import_key = $this->import_key;
|
||||
|
||||
|
||||
$this->db->free($resql);
|
||||
|
||||
return 1;
|
||||
@@ -171,8 +171,8 @@ class ChargeSociales extends CommonObject
|
||||
|
||||
$sql = "INSERT INTO ".MAIN_DB_PREFIX."chargesociales (fk_type, fk_account, fk_mode_reglement, libelle, date_ech, periode, amount, fk_projet, entity, fk_user_author, date_creation)";
|
||||
$sql.= " VALUES (".$this->type;
|
||||
$sql.= ", ".($this->fk_account>0?$this->fk_account:'NULL');
|
||||
$sql.= ", ".($this->mode_reglement_id>0?"'".$this->mode_reglement_id."'":"NULL");
|
||||
$sql.= ", ".($this->fk_account>0 ? $this->fk_account:'NULL');
|
||||
$sql.= ", ".($this->mode_reglement_id>0 ? $this->mode_reglement_id:"NULL");
|
||||
$sql.= ", '".$this->db->escape($this->lib)."'";
|
||||
$sql.= ", '".$this->db->idate($this->date_ech)."'";
|
||||
$sql.= ", '".$this->db->idate($this->periode)."'";
|
||||
@@ -378,7 +378,7 @@ class ChargeSociales extends CommonObject
|
||||
if ($return) return 1;
|
||||
else return -1;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Retourne le libelle du statut d'une charge (impaye, payee)
|
||||
*
|
||||
@@ -445,7 +445,7 @@ class ChargeSociales extends CommonObject
|
||||
if ($statut == 0 && $alreadypaid > 0) return $langs->trans("BillStatusStarted").' '.img_picto($langs->trans("BillStatusStarted"), 'statut3');
|
||||
if ($statut == 1) return $langs->trans("Paid").' '.img_picto($langs->trans("Paid"), 'statut6');
|
||||
}
|
||||
|
||||
|
||||
return "Error, mode/status not found";
|
||||
}
|
||||
|
||||
|
||||
@@ -106,12 +106,12 @@ class Tva extends CommonObject
|
||||
$sql.= " '".$this->db->idate($now)."',";
|
||||
$sql.= " '".$this->db->idate($this->datep)."',";
|
||||
$sql.= " '".$this->db->idate($this->datev)."',";
|
||||
$sql.= " '".$this->amount."',";
|
||||
$sql.= " '".$this->label."',";
|
||||
$sql.= " '".$this->note."',";
|
||||
$sql.= " ".($this->fk_bank <= 0 ? "NULL" : "'".$this->fk_bank."'").",";
|
||||
$sql.= " '".$this->fk_user_creat."',";
|
||||
$sql.= " '".$this->fk_user_modif."'";
|
||||
$sql.= " '".$this->db->escape($this->amount)."',";
|
||||
$sql.= " '".$this->db->escape($this->label)."',";
|
||||
$sql.= " '".$this->db->escape($this->note)."',";
|
||||
$sql.= " ".($this->fk_bank <= 0 ? "NULL" : "'".$this->db->escape($this->fk_bank)."'").",";
|
||||
$sql.= " '".$this->db->escape($this->fk_user_creat)."',";
|
||||
$sql.= " '".$this->db->escape($this->fk_user_modif)."'";
|
||||
|
||||
$sql.= ")";
|
||||
|
||||
@@ -535,11 +535,11 @@ class Tva extends CommonObject
|
||||
$sql.= "'".$this->db->idate($this->datep)."'";
|
||||
$sql.= ", '".$this->db->idate($this->datev)."'";
|
||||
$sql.= ", ".$this->amount;
|
||||
$sql.= ", '".$this->type_payment."'";
|
||||
$sql.= ", '".$this->num_payment."'";
|
||||
$sql.= ", '".$this->db->escape($this->type_payment)."'";
|
||||
$sql.= ", '".$this->db->escape($this->num_payment)."'";
|
||||
if ($this->note) $sql.=", '".$this->db->escape($this->note)."'";
|
||||
if ($this->label) $sql.=", '".$this->db->escape($this->label)."'";
|
||||
$sql.= ", '".$user->id."'";
|
||||
$sql.= ", '".$this->db->escape($user->id)."'";
|
||||
$sql.= ", NULL";
|
||||
$sql.= ", ".$conf->entity;
|
||||
$sql.= ")";
|
||||
|
||||
Reference in New Issue
Block a user