Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-09 02:58:23 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add more robust php unit to detect not escaped sql. Fix not escaped sql

Browse Source
This commit is contained in:
Laurent Destailleur
2017-09-15 15:41:07 +02:00
parent 77056d9adb
commit 5e34b121dd
63 changed files with 420 additions and 438 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
htdocs/core/modules/facture/mod_facture_mars.php
View File

@@ -37,7 +37,7 @@ class mod_facture_mars extends ModeleNumRefFactures
var $prefixcreditnote='AV';
var $error='';
/**
* Constructor
*/
@@ -48,7 +48,7 @@ class mod_facture_mars extends ModeleNumRefFactures
$this->prefixinvoice = $conf->global->INVOICE_NUMBERING_MARS_FORCE_PREFIX;
}
}
/**
* Renvoi la description du modele de numerotation
*
@@ -89,7 +89,7 @@ class mod_facture_mars extends ModeleNumRefFactures
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(facnumber FROM ".$posindice.") AS SIGNED) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."facture";
$sql.= " WHERE facnumber LIKE '".$this->prefixinvoice."____-%'";
$sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixinvoice)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -111,7 +111,7 @@ class mod_facture_mars extends ModeleNumRefFactures
$posindice=8;
$sql = "SELECT MAX(SUBSTRING(facnumber FROM ".$posindice.")) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."facture";
$sql.= " WHERE facnumber LIKE '".$this->prefixcreditnote."____-%'";
$sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixcreditnote)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);

10
htdocs/core/modules/facture/mod_facture_terre.php
View File

@@ -35,7 +35,7 @@ class mod_facture_terre extends ModeleNumRefFactures
var $prefixdeposit='AC';
var $error='';
/**
* Constructor
*/
@@ -46,7 +46,7 @@ class mod_facture_terre extends ModeleNumRefFactures
$this->prefixinvoice = $conf->global->INVOICE_NUMBERING_TERRE_FORCE_PREFIX;
}
}
/**
* Renvoi la description du modele de numerotation
*
@@ -87,7 +87,7 @@ class mod_facture_terre extends ModeleNumRefFactures
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(facnumber FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."facture";
$sql.= " WHERE facnumber LIKE '".$this->prefixinvoice."____-%'";
$sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixinvoice)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -109,7 +109,7 @@ class mod_facture_terre extends ModeleNumRefFactures
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(facnumber FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."facture";
$sql.= " WHERE facnumber LIKE '".$this->prefixcreditnote."____-%'";
$sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixcreditnote)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
@@ -130,7 +130,7 @@ class mod_facture_terre extends ModeleNumRefFactures
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(facnumber FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
$sql.= " FROM ".MAIN_DB_PREFIX."facture";
$sql.= " WHERE facnumber LIKE '".$this->prefixdeposit."____-%'";
$sql.= " WHERE facnumber LIKE '".$this->db->escape($this->prefixdeposit)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);