Add more robust php unit to detect not escaped sql. Fix not escaped sql

2025-12-09 11:08:34 +01:00 · 2017-09-15 15:41:07 +02:00
parent 77056d9adb
commit 5e34b121dd
63 changed files with 420 additions and 438 deletions
--- a/htdocs/fourn/class/fournisseur.commande.class.php
+++ b/htdocs/fourn/class/fournisseur.commande.class.php
@@ -1414,7 +1414,7 @@ class CommandeFournisseur extends CommonOrder
                            if ($remise_percent == 0 && $prod->remise_percent !=0)
                            	$remise_percent =$prod->remise_percent;

-				
+
                        }
                        if ($result == 0)                   // If result == 0, we failed to found the supplier reference price
                        {
@@ -2678,14 +2678,14 @@ class CommandeFournisseur extends CommonOrder
                if ($db->num_rows($query))
                {
                    $obj = $db->fetch_object($query);
-    
+
                    $string = $langs->trans($obj->code);
                    if ($string == $obj->code)
                    {
                        $string = $obj->label != '-' ? $obj->label : '';
                    }
                    return $string;
-                }    
+                }
            }
            else dol_print_error($db);
        }
@@ -3129,15 +3129,15 @@ class CommandeFournisseurLigne extends CommonOrderLine
        $sql.= " ".($this->date_end?"'".$this->db->idate($this->date_end)."'":"null").",";
        if ($this->fk_product) { $sql.= $this->fk_product.","; }
        else { $sql.= "null,"; }
-        $sql.= "'".$this->product_type."',";
-        $sql.= "'".$this->qty."', ";
+        $sql.= "'".$this->db->escape($this->product_type)."',";
+        $sql.= "'".$this->db->escape($this->qty)."', ";

-        $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").",";
+        $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").",";
        $sql.= " ".$this->tva_tx.", ";
        $sql.= " ".$this->localtax1_tx.",";
        $sql.= " ".$this->localtax2_tx.",";
-        $sql.= " '".$this->localtax1_type."',";
-        $sql.= " '".$this->localtax2_type."',";
+        $sql.= " '".$this->db->escape($this->localtax1_type)."',";
+        $sql.= " '".$this->db->escape($this->localtax2_type)."',";
        $sql.= " ".$this->remise_percent.", ".price2num($this->subprice,'MU').", '".$this->db->escape($this->ref_supplier)."',";
        $sql.= " ".price2num($this->total_ht).",";
        $sql.= " ".price2num($this->total_tva).",";
--- a/htdocs/fourn/class/fournisseur.commande.dispatch.class.php
+++ b/htdocs/fourn/class/fournisseur.commande.dispatch.class.php
@@ -105,14 +105,11 @@ class CommandeFournisseurDispatch extends CommonObject
 		if (isset($this->status)) $this->status=trim($this->status);
 		if (isset($this->batch)) $this->batch=trim($this->batch);

-
-
 		// Check parameters
 		// Put here code to add control on parameters values

        // Insert request
 		$sql = "INSERT INTO ".MAIN_DB_PREFIX.$this->table_element."(";
-
 		$sql.= "fk_commande,";
 		$sql.= "fk_product,";
 		$sql.= "fk_commandefourndet,";
@@ -125,24 +122,19 @@ class CommandeFournisseurDispatch extends CommonObject
 		$sql.= "batch,";
 		$sql.= "eatby,";
 		$sql.= "sellby";
-
-
        $sql.= ") VALUES (";
-
-		$sql.= " ".(! isset($this->fk_commande)?'NULL':"'".$this->fk_commande."'").",";
-		$sql.= " ".(! isset($this->fk_product)?'NULL':"'".$this->fk_product."'").",";
-		$sql.= " ".(! isset($this->fk_commandefourndet)?'NULL':"'".$this->fk_commandefourndet."'").",";
-		$sql.= " ".(! isset($this->qty)?'NULL':"'".$this->qty."'").",";
-		$sql.= " ".(! isset($this->fk_entrepot)?'NULL':"'".$this->fk_entrepot."'").",";
-		$sql.= " ".(! isset($this->fk_user)?'NULL':"'".$this->fk_user."'").",";
+		$sql.= " ".(! isset($this->fk_commande)?'NULL':"'".$this->db->escape($this->fk_commande)."'").",";
+		$sql.= " ".(! isset($this->fk_product)?'NULL':"'".$this->db->escape($this->fk_product)."'").",";
+		$sql.= " ".(! isset($this->fk_commandefourndet)?'NULL':"'".$this->db->escape($this->fk_commandefourndet)."'").",";
+		$sql.= " ".(! isset($this->qty)?'NULL':"'".$this->db->escape($this->qty)."'").",";
+		$sql.= " ".(! isset($this->fk_entrepot)?'NULL':"'".$this->db->escape($this->fk_entrepot)."'").",";
+		$sql.= " ".(! isset($this->fk_user)?'NULL':"'".$this->db->escape($this->fk_user)."'").",";
 		$sql.= " ".(! isset($this->datec) || dol_strlen($this->datec)==0?'NULL':"'".$this->db->idate($this->datec)."'").",";
 		$sql.= " ".(! isset($this->comment)?'NULL':"'".$this->db->escape($this->comment)."'").",";
-		$sql.= " ".(! isset($this->status)?'NULL':"'".$this->status."'").",";
+		$sql.= " ".(! isset($this->status)?'NULL':"'".$this->db->escape($this->status)."'").",";
 		$sql.= " ".(! isset($this->batch)?'NULL':"'".$this->db->escape($this->batch)."'").",";
 		$sql.= " ".(! isset($this->eatby) || dol_strlen($this->eatby)==0?'NULL':"'".$this->db->idate($this->eatby)."'").",";
 		$sql.= " ".(! isset($this->sellby) || dol_strlen($this->sellby)==0?'NULL':"'".$this->db->idate($this->sellby)."'")."";
-
-
 		$sql.= ")";

 		$this->db->begin();
--- a/htdocs/fourn/class/fournisseur.facture.class.php
+++ b/htdocs/fourn/class/fournisseur.facture.class.php
@@ -2701,17 +2701,17 @@ class SupplierInvoiceLine extends CommonObjectLine
        $sql.= ', fk_multicurrency, multicurrency_code, multicurrency_subprice, multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc';
        $sql.= ')';
        $sql.= " VALUES (".$this->fk_facture_fourn.",";
-        $sql.= " ".($this->fk_parent_line>0?"'".$this->fk_parent_line."'":"null").",";
+        $sql.= " ".($this->fk_parent_line>0?"'".$this->db->escape($this->fk_parent_line)."'":"null").",";
        $sql.= " ".(! empty($this->label)?"'".$this->db->escape($this->label)."'":"null").",";
        $sql.= " '".$this->db->escape($this->desc)."',";
        $sql.= " ".price2num($this->qty).",";

-        $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->vat_src_code."'").",";
+        $sql.= " ".(empty($this->vat_src_code)?"''":"'".$this->db->escape($this->vat_src_code)."'").",";
        $sql.= " ".price2num($this->tva_tx).",";
        $sql.= " ".price2num($this->localtax1_tx).",";
        $sql.= " ".price2num($this->localtax2_tx).",";
-        $sql.= " '".$this->localtax1_type."',";
-        $sql.= " '".$this->localtax2_type."',";
+        $sql.= " '".$this->db->escape($this->localtax1_type)."',";
+        $sql.= " '".$this->db->escape($this->localtax2_type)."',";
        $sql.= ' '.(! empty($this->fk_product)?$this->fk_product:"null").',';
        $sql.= " ".$this->product_type.",";
        $sql.= " ".price2num($this->remise_percent).",";
@@ -2722,7 +2722,7 @@ class SupplierInvoiceLine extends CommonObjectLine
        $sql.= ' '.(!empty($this->fk_code_ventilation)?$this->fk_code_ventilation:0).',';
        $sql.= ' '.$this->rang.',';
        $sql.= ' '.$this->special_code.',';
-        $sql.= " '".$this->info_bits."',";
+        $sql.= " '".$this->db->escape($this->info_bits)."',";
        $sql.= " ".price2num($this->total_ht).",";
        $sql.= " ".price2num($this->total_tva).",";
        $sql.= " ".price2num($this->total_ttc).",";