Add a more robust PHPUnit test to detect unescaped SQL. Fix unescaped SQL

This commit is contained in:
Laurent Destailleur
2017-09-15 15:41:07 +02:00
parent 77056d9adb
commit 5e34b121dd
63 changed files with 420 additions and 438 deletions


@@ -580,8 +580,8 @@ abstract class CommonObject
$sql = "SELECT tc.rowid";
$sql.= " FROM ".MAIN_DB_PREFIX."c_type_contact as tc";
$sql.= " WHERE tc.element='".$this->db->escape($this->element)."'";
$sql.= " AND tc.source='".$source."'";
$sql.= " AND tc.code='".$type_contact."' AND tc.active=1";
$sql.= " AND tc.source='".$this->db->escape($source)."'";
$sql.= " AND tc.code='".$this->db->escape($type_contact)."' AND tc.active=1";
//print $sql;
$resql=$this->db->query($sql);
if ($resql)
@@ -2475,9 +2475,9 @@ abstract class CommonObject
$sql.= ", targettype";
$sql.= ") VALUES (";
$sql.= $origin_id;
$sql.= ", '".$origin."'";
$sql.= ", '".$this->db->escape($origin)."'";
$sql.= ", ".$this->id;
$sql.= ", '".$this->element."'";
$sql.= ", '".$this->db->escape($this->element)."'";
$sql.= ")";
dol_syslog(get_class($this)."::add_object_linked", LOG_DEBUG);
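Review bot: The escaping pass in this hunk leaves the two unquoted numeric values untouched: `$origin_id` on the `$sql.= $origin_id;` line and `$this->id` on the `$sql.= ", ".$this->id;` line are concatenated into the VALUES list with neither quotes nor a cast, and `$this->db->escape()` gives no protection in an unquoted context since it only escapes quote and backslash characters for a quoted string literal. The same pattern appears in the next hunk with `$sql.= $resource_id;`. Coerce these to integers at the concatenation point, e.g. `$sql.= (int) $origin_id;` and `$sql.= ", ".((int) $this->id);`, so the SQL fragment can only ever contain a number regardless of where the value originated. The enclosing method starts before this hunk, so whether the caller already validates `$origin_id` is not visible here.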
@@ -3812,11 +3812,11 @@ abstract class CommonObject
$sql.= ", mandatory";
$sql.= ") VALUES (";
$sql.= $resource_id;
$sql.= ", '".$resource_type."'";
$sql.= ", '".$this->id."'";
$sql.= ", '".$this->element."'";
$sql.= ", '".$busy."'";
$sql.= ", '".$mandatory."'";
$sql.= ", '".$this->db->escape($resource_type)."'";
$sql.= ", '".$this->db->escape($this->id)."'";
$sql.= ", '".$this->db->escape($this->element)."'";
$sql.= ", '".$this->db->escape($busy)."'";
$sql.= ", '".$this->db->escape($mandatory)."'";
$sql.= ")";
dol_syslog(get_class($this)."::add_element_resource", LOG_DEBUG);