mirror of
https://github.com/Dolibarr/dolibarr.git
synced 2025-12-17 06:51:23 +01:00
Add more robust php unit to detect not escaped sql. Fix not escaped sql
This commit is contained in:
Laurent Destailleur
@@ -141,7 +141,7 @@ class FactureRec extends CommonInvoice
|
||||
$sql.= ", nb_gen_max";
|
||||
$sql.= ", auto_validate";
|
||||
$sql.= ") VALUES (";
|
||||
$sql.= "'".$this->titre."'";
|
||||
$sql.= "'".$this->db->escape($this->titre)."'";
|
||||
$sql.= ", ".$facsrc->socid;
|
||||
$sql.= ", ".$conf->entity;
|
||||
$sql.= ", '".$this->db->idate($now)."'";
|
||||
@@ -149,11 +149,11 @@ class FactureRec extends CommonInvoice
|
||||
$sql.= ", ".(!empty($facsrc->remise)?$this->remise:'0');
|
||||
$sql.= ", ".(!empty($this->note_private)?("'".$this->db->escape($this->note_private)."'"):"NULL");
|
||||
$sql.= ", ".(!empty($this->note_public)?("'".$this->db->escape($this->note_public)."'"):"NULL");
|
||||
$sql.= ", '".$user->id."'";
|
||||
$sql.= ", '".$this->db->escape($user->id)."'";
|
||||
$sql.= ", ".(! empty($facsrc->fk_project)?"'".$facsrc->fk_project."'":"null");
|
||||
$sql.= ", ".(! empty($facsrc->fk_account)?"'".$facsrc->fk_account."'":"null");
|
||||
$sql.= ", '".$facsrc->cond_reglement_id."'";
|
||||
$sql.= ", '".$facsrc->mode_reglement_id."'";
|
||||
$sql.= ", '".$this->db->escape($facsrc->cond_reglement_id)."'";
|
||||
$sql.= ", '".$this->db->escape($facsrc->mode_reglement_id)."'";
|
||||
$sql.= ", ".$this->usenewprice;
|
||||
$sql.= ", ".$this->frequency;
|
||||
$sql.= ", '".$this->db->escape($this->unit_frequency)."'";
|
||||
@@ -1504,7 +1504,7 @@ class FactureLigneRec extends CommonInvoiceLine
|
||||
$sql.= ", localtax1_type='".$this->db->escape($this->localtax1_type)."'";
|
||||
$sql.= ", localtax2_tx=".price2num($this->localtax2_tx);
|
||||
$sql.= ", localtax2_type='".$this->db->escape($this->localtax2_type)."'";
|
||||
$sql.= ", fk_product=".(! empty($this->fk_product)?"'".$this->fk_product."'":"null");
|
||||
$sql.= ", fk_product=".($this->fk_product > 0 ? $this->fk_product :"null");
|
||||
$sql.= ", product_type=".$this->product_type;
|
||||
$sql.= ", remise_percent='".price2num($this->remise_percent)."'";
|
||||
$sql.= ", subprice='".price2num($this->subprice)."'";
|
||||
|
||||
@@ -4446,16 +4446,16 @@ class FactureLigne extends CommonInvoiceLine
|
||||
$sql.= ' fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc';
|
||||
$sql.= ')';
|
||||
$sql.= " VALUES (".$this->fk_facture.",";
|
||||
$sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").",";
|
||||
$sql.= " ".($this->fk_parent_line>0 ? $this->fk_parent_line:"null").",";
|
||||
$sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
|
||||
$sql.= " '".$this->db->escape($this->desc)."',";
|
||||
$sql.= " ".price2num($this->qty).",";
|
||||
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").",";
|
||||
$sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").",";
|
||||
$sql.= " ".price2num($this->tva_tx).",";
|
||||
$sql.= " ".price2num($this->localtax1_tx).",";
|
||||
$sql.= " ".price2num($this->localtax2_tx).",";
|
||||
$sql.= " '".$this->localtax1_type."',";
|
||||
$sql.= " '".$this->localtax2_type."',";
|
||||
$sql.= " '".$this->db->escape($this->localtax1_type)."',";
|
||||
$sql.= " '".$this->db->escape($this->localtax2_type)."',";
|
||||
$sql.= ' '.(! empty($this->fk_product)?$this->fk_product:"null").',';
|
||||
$sql.= " ".$this->product_type.",";
|
||||
$sql.= " ".price2num($this->remise_percent).",";
|
||||
@@ -4468,7 +4468,7 @@ class FactureLigne extends CommonInvoiceLine
|
||||
$sql.= ' '.$this->special_code.',';
|
||||
$sql.= ' '.(! empty($this->fk_fournprice)?$this->fk_fournprice:"null").',';
|
||||
$sql.= ' '.price2num($this->pa_ht).',';
|
||||
$sql.= " '".$this->info_bits."',";
|
||||
$sql.= " '".$this->db->escape($this->info_bits)."',";
|
||||
$sql.= " ".price2num($this->total_ht).",";
|
||||
$sql.= " ".price2num($this->total_tva).",";
|
||||
$sql.= " ".price2num($this->total_ttc).",";
|
||||
|
||||
@@ -85,13 +85,11 @@ class PaymentTerm // extends CommonObject
|
||||
if (isset($this->decalage)) $this->decalage=trim($this->decalage);
|
||||
|
||||
|
||||
|
||||
// Check parameters
|
||||
// Put here code to add control on parameters values
|
||||
|
||||
// Insert request
|
||||
$sql = "INSERT INTO ".MAIN_DB_PREFIX."c_payment_term(";
|
||||
|
||||
$sql.= "rowid,";
|
||||
$sql.= "code,";
|
||||
$sql.= "sortorder,";
|
||||
@@ -101,21 +99,16 @@ class PaymentTerm // extends CommonObject
|
||||
$sql.= "type_cdr,";
|
||||
$sql.= "nbjour,";
|
||||
$sql.= "decalage";
|
||||
|
||||
|
||||
$sql.= ") VALUES (";
|
||||
|
||||
$sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->rowid."'").",";
|
||||
$sql.= " ".(! isset($this->rowid)?'NULL':"'".$this->db->escape($this->rowid)."'").",";
|
||||
$sql.= " ".(! isset($this->code)?'NULL':"'".$this->db->escape($this->code)."'").",";
|
||||
$sql.= " ".(! isset($this->sortorder)?'NULL':"'".$this->sortorder."'").",";
|
||||
$sql.= " ".(! isset($this->active)?'NULL':"'".$this->active."'").",";
|
||||
$sql.= " ".(! isset($this->sortorder)?'NULL':"'".$this->db->escape($this->sortorder)."'").",";
|
||||
$sql.= " ".(! isset($this->active)?'NULL':"'".$this->db->escape($this->active)."'").",";
|
||||
$sql.= " ".(! isset($this->libelle)?'NULL':"'".$this->db->escape($this->libelle)."'").",";
|
||||
$sql.= " ".(! isset($this->libelle_facture)?'NULL':"'".$this->db->escape($this->libelle_facture)."'").",";
|
||||
$sql.= " ".(! isset($this->type_cdr)?'NULL':"'".$this->type_cdr."'").",";
|
||||
$sql.= " ".(! isset($this->nbjour)?'NULL':"'".$this->nbjour."'").",";
|
||||
$sql.= " ".(! isset($this->decalage)?'NULL':"'".$this->decalage."'")."";
|
||||
|
||||
|
||||
$sql.= " ".(! isset($this->type_cdr)?'NULL':"'".$this->db->escape($this->type_cdr)."'").",";
|
||||
$sql.= " ".(! isset($this->nbjour)?'NULL':"'".$this->db->escape($this->nbjour)."'").",";
|
||||
$sql.= " ".(! isset($this->decalage)?'NULL':"'".$this->db->escape($this->decalage)."'")."";
|
||||
$sql.= ")";
|
||||
|
||||
$this->db->begin();
|
||||
@@ -285,7 +278,6 @@ class PaymentTerm // extends CommonObject
|
||||
|
||||
// Update request
|
||||
$sql = "UPDATE ".MAIN_DB_PREFIX."c_payment_term SET";
|
||||
|
||||
$sql.= " code=".(isset($this->code)?"'".$this->db->escape($this->code)."'":"null").",";
|
||||
$sql.= " sortorder=".(isset($this->sortorder)?$this->sortorder:"null").",";
|
||||
$sql.= " active=".(isset($this->active)?$this->active:"null").",";
|
||||
@@ -294,8 +286,6 @@ class PaymentTerm // extends CommonObject
|
||||
$sql.= " type_cdr=".(isset($this->type_cdr)?$this->type_cdr:"null").",";
|
||||
$sql.= " nbjour=".(isset($this->nbjour)?$this->nbjour:"null").",";
|
||||
$sql.= " decalage=".(isset($this->decalage)?$this->decalage:"null")."";
|
||||
|
||||
|
||||
$sql.= " WHERE rowid=".$this->id;
|
||||
|
||||
$this->db->begin();
|
||||
|
||||
Reference in New Issue
Block a user