Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-06 17:48:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add more robust php unit to detect not escaped sql. Fix not escaped sql

Browse Source
This commit is contained in:
Laurent Destailleur
2017-09-15 15:41:07 +02:00
parent 77056d9adb
commit 5e34b121dd
63 changed files with 420 additions and 438 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
htdocs/core/modules/project/mod_project_simple.php
View File

@@ -75,7 +75,7 @@ class mod_project_simple extends ModeleNumRefProjects
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."projet";
$sql.= " WHERE ref LIKE '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);
if ($resql)
@@ -111,7 +111,7 @@ class mod_project_simple extends ModeleNumRefProjects
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."projet";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$sql.= " AND entity = ".$conf->entity;
$resql=$db->query($sql);

4
htdocs/core/modules/project/task/mod_task_simple.php
View File

@@ -76,7 +76,7 @@ class mod_task_simple extends ModeleNumRefTask
$sql = "SELECT MAX(CAST(SUBSTRING(task.ref FROM " . $posindice . ") AS SIGNED)) as max";
$sql .= " FROM " . MAIN_DB_PREFIX . "projet_task AS task, ";
$sql .= MAIN_DB_PREFIX . "projet AS project WHERE task.fk_projet=project.rowid";
$sql .= " AND task.ref LIKE '" . $this->prefix . "____-%'";
$sql .= " AND task.ref LIKE '" . $this->db->escape($this->prefix) . "____-%'";
$sql .= " AND project.entity = " . $conf->entity;
$resql=$db->query($sql);
if ($resql)
@@ -112,7 +112,7 @@ class mod_task_simple extends ModeleNumRefTask
$posindice=8;
$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
$sql.= " FROM ".MAIN_DB_PREFIX."projet_task";
$sql.= " WHERE ref like '".$this->prefix."____-%'";
$sql.= " WHERE ref LIKE '".$this->db->escape($this->prefix)."____-%'";
$resql=$db->query($sql);
if ($resql)