diff --git a/htdocs/accountancy/admin/accountmodel.php b/htdocs/accountancy/admin/accountmodel.php
index f3924f73a76..df4f5d7c3f5 100644
--- a/htdocs/accountancy/admin/accountmodel.php
+++ b/htdocs/accountancy/admin/accountmodel.php
@@ -45,7 +45,7 @@ $langs->loadLangs(array("errors","admin","companies","resource","holiday","compt
$action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view';
$confirm=GETPOST('confirm','alpha');
-$id=GETPOST('id','int');
+$id=31;
$rowid=GETPOST('rowid','alpha');
$code=GETPOST('code','alpha');
@@ -58,8 +58,8 @@ $listoffset=GETPOST('listoffset');
$listlimit=GETPOST('listlimit')>0?GETPOST('listlimit'):1000;
$active = 1;
-$sortfield = GETPOST("sortfield",'alpha');
-$sortorder = GETPOST("sortorder",'alpha');
+$sortfield = GETPOST("sortfield",'aZ09comma');
+$sortorder = GETPOST("sortorder",'aZ09comma');
$page = GETPOST("page",'int');
if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
$offset = $listlimit * $page ;
@@ -84,59 +84,48 @@ $hookmanager->initHooks(array('admin'));
$tabname=array();
$tabname[31]= MAIN_DB_PREFIX."accounting_system";
-$tabname[32]= MAIN_DB_PREFIX."c_accounting_category";
// Dictionary labels
$tablib=array();
$tablib[31]= "Pcg_version";
-$tablib[32]= "DictionaryAccountancyCategory";
// Requests to extract data
$tabsql=array();
$tabsql[31]= "SELECT s.rowid as rowid, pcg_version, s.label, s.fk_country as country_id, c.code as country_code, c.label as country, s.active FROM ".MAIN_DB_PREFIX."accounting_system as s, ".MAIN_DB_PREFIX."c_country as c WHERE s.fk_country=c.rowid and c.active=1";
-$tabsql[32]= "SELECT a.rowid as rowid, a.code as code, a.label, a.range_account, a.sens, a.category_type, a.formula, a.position as position, a.fk_country as country_id, c.code as country_code, c.label as country, a.active FROM ".MAIN_DB_PREFIX."c_accounting_category as a, ".MAIN_DB_PREFIX."c_country as c WHERE a.fk_country=c.rowid and c.active=1";
// Criteria to sort dictionaries
$tabsqlsort=array();
$tabsqlsort[31]="pcg_version ASC";
-$tabsqlsort[32]="position ASC";
// Nom des champs en resultat de select pour affichage du dictionnaire
$tabfield=array();
$tabfield[31]= "pcg_version,label,country_id,country";
-$tabfield[32]= "code,label,range_account,sens,category_type,formula,position,country_id,country";
// Nom des champs d'edition pour modification d'un enregistrement
$tabfieldvalue=array();
$tabfieldvalue[31]= "pcg_version,label,country";
-$tabfieldvalue[32]= "code,label,range_account,sens,category_type,formula,position,country";
// Nom des champs dans la table pour insertion d'un enregistrement
$tabfieldinsert=array();
$tabfieldinsert[31]= "pcg_version,label,fk_country";
-$tabfieldinsert[32]= "code,label,range_account,sens,category_type,formula,position,fk_country";
// Nom du rowid si le champ n'est pas de type autoincrement
// Example: "" if id field is "rowid" and has autoincrement on
// "nameoffield" if id field is not "rowid" or has not autoincrement on
$tabrowid=array();
$tabrowid[31]= "";
-$tabrowid[32]= "";
// Condition to show dictionary in setup page
$tabcond=array();
$tabcond[31]= ! empty($conf->accounting->enabled);
-$tabcond[32]= ! empty($conf->accounting->enabled);
// List of help for fields
$tabhelp=array();
$tabhelp[31] = array('pcg_version'=>$langs->trans("EnterAnyCode"));
-$tabhelp[32] = array('code'=>$langs->trans("EnterAnyCode"));
// List of check for fields (NOT USED YET)
$tabfieldcheck=array();
$tabfieldcheck[31] = array();
-$tabfieldcheck[32] = array();
// Define elementList and sourceList (used for dictionary type of contacts "llx_c_type_contact")
@@ -484,7 +473,7 @@ print "
\n";
// Confirmation de la suppression de la ligne
if ($action == 'delete')
{
- print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.$rowid.'&code='.$code.'&id='.$id, $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
+ print $form->formconfirm($_SERVER["PHP_SELF"].'?'.($page?'page='.urlencode($page).'&':'').'sortfield='.urlencode($sortfield).'&sortorder='.urlencode($sortorder).'&rowid='.urlencode($rowid).'&code='.urlencode($code).'&id='.urlencode($id), $langs->trans('DeleteLine'), $langs->trans('ConfirmDeleteLine'), 'confirm_delete','',0,1);
}
//var_dump($elementList);
@@ -503,24 +492,9 @@ if ($id)
$sql.= " c.rowid = ".$search_country_id;
}
- if ($sortfield)
- {
- // If sort order is "country", we use country_code instead
- if ($sortfield == 'country') $sortfield='country_code';
- $sql.= " ORDER BY ".$sortfield;
- if ($sortorder)
- {
- $sql.=" ".strtoupper($sortorder);
- }
- $sql.=", ";
- // Clear the required sort criteria for the tabsqlsort to be able to force it with selected value
- $tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.' '.$sortorder.',/i','',$tabsqlsort[$id]);
- $tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.',/i','',$tabsqlsort[$id]);
- }
- else {
- $sql.=" ORDER BY ";
- }
- $sql.=$tabsqlsort[$id];
+ // If sort order is "country", we use country_code instead
+ if ($sortfield == 'country') $sortfield='country_code';
+ $sql.=$db->order($sortfield,$sortorder);
$sql.=$db->plimit($listlimit+1,$offset);
//print $sql;
diff --git a/htdocs/accountancy/admin/categories.php b/htdocs/accountancy/admin/categories.php
index 7ab463e3179..9c40802c925 100644
--- a/htdocs/accountancy/admin/categories.php
+++ b/htdocs/accountancy/admin/categories.php
@@ -88,7 +88,7 @@ $formaccounting = new FormAccounting($db);
llxheader('', $langs->trans('AccountingCategory'));
-$linkback = ''.$langs->trans("BackToList").'';
+$linkback = ''.$langs->trans("BackToList").'';
print load_fiche_titre($langs->trans('AccountingCategory'), $linkback);
diff --git a/htdocs/accountancy/admin/categories_list.php b/htdocs/accountancy/admin/categories_list.php
index fb7561dda94..40ea103a12f 100644
--- a/htdocs/accountancy/admin/categories_list.php
+++ b/htdocs/accountancy/admin/categories_list.php
@@ -54,8 +54,8 @@ $listoffset=GETPOST('listoffset');
$listlimit=GETPOST('listlimit')>0?GETPOST('listlimit'):1000;
$active = 1;
-$sortfield = GETPOST("sortfield",'alpha');
-$sortorder = GETPOST("sortorder",'alpha');
+$sortfield = GETPOST("sortfield",'aZ09comma');
+$sortorder = GETPOST("sortorder",'aZ09comma');
$page = GETPOST("page",'int');
if (empty($page) || $page == -1) { $page = 0; } // If $page is not defined, or '' or -1
$offset = $listlimit * $page ;
@@ -300,7 +300,7 @@ if ($action == 'confirm_delete' && $confirm == 'yes') // delete
if ($tabrowid[$id]) { $rowidcol=$tabrowid[$id]; }
else { $rowidcol="rowid"; }
- $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = '".$this->db->escape($rowid)."'";
+ $sql = "DELETE from ".$tabname[$id]." WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
dol_syslog("delete", LOG_DEBUG);
$result = $db->query($sql);
@@ -324,10 +324,10 @@ if ($action == $acts[0])
else { $rowidcol="rowid"; }
if ($rowid) {
- $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = '".$this->db->escape($rowid)."'";
+ $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
}
elseif ($code) {
- $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code = '".$this->db->escape($code)."'";
+ $sql = "UPDATE ".$tabname[$id]." SET active = 1 WHERE code = '".$db->escape($code)."'";
}
$result = $db->query($sql);
@@ -344,10 +344,10 @@ if ($action == $acts[1])
else { $rowidcol="rowid"; }
if ($rowid) {
- $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = '".$this->db->escape($rowid)."'";
+ $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
}
elseif ($code) {
- $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code = '".$this->db->escape($code)."'";
+ $sql = "UPDATE ".$tabname[$id]." SET active = 0 WHERE code = '".$db->escape($code)."'";
}
$result = $db->query($sql);
@@ -364,10 +364,10 @@ if ($action == 'activate_favorite')
else { $rowidcol="rowid"; }
if ($rowid) {
- $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = '".$this->db->escape($rowid)."'";
+ $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
}
elseif ($code) {
- $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code = '".$this->db->escape($code)."'";
+ $sql = "UPDATE ".$tabname[$id]." SET favorite = 1 WHERE code = '".$db->escape($code)."'";
}
$result = $db->query($sql);
@@ -384,10 +384,10 @@ if ($action == 'disable_favorite')
else { $rowidcol="rowid"; }
if ($rowid) {
- $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = '".$this->db->escape($rowid)."'";
+ $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE ".$rowidcol." = '".$db->escape($rowid)."'";
}
elseif ($code) {
- $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code = '".$this->db->escape($code)."'";
+ $sql = "UPDATE ".$tabname[$id]." SET favorite = 0 WHERE code = '".$db->escape($code)."'";
}
$result = $db->query($sql);
@@ -437,24 +437,9 @@ if ($id)
$sql.= " (a.fk_country = ".$search_country_id." OR a.fk_country = 0)";
}
- if ($sortfield)
- {
- // If sort order is "country", we use country_code instead
- if ($sortfield == 'country') $sortfield='country_code';
- $sql.= " ORDER BY ".$sortfield;
- if ($sortorder)
- {
- $sql.=" ".strtoupper($sortorder);
- }
- $sql.=", ";
- // Clear the required sort criteria for the tabsqlsort to be able to force it with selected value
- $tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.' '.$sortorder.',/i','',$tabsqlsort[$id]);
- $tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.',/i','',$tabsqlsort[$id]);
- }
- else {
- $sql.=" ORDER BY ";
- }
- $sql.=$tabsqlsort[$id];
+ // If sort order is "country", we use country_code instead
+ if ($sortfield == 'country') $sortfield='country_code';
+ $sql.=$db->order($sortfield,$sortorder);
$sql.=$db->plimit($listlimit+1,$offset);
//print $sql;
@@ -793,7 +778,7 @@ if ($id)
print '';
if (empty($obj->formula))
{
- print '';
+ print '';
print $langs->trans("ListOfAccounts");
print '';
}
diff --git a/htdocs/accountancy/admin/journals_list.php b/htdocs/accountancy/admin/journals_list.php
index 7612e7b261a..971fdc20811 100644
--- a/htdocs/accountancy/admin/journals_list.php
+++ b/htdocs/accountancy/admin/journals_list.php
@@ -36,7 +36,7 @@ $langs->load("accountancy");
$action=GETPOST('action','alpha')?GETPOST('action','alpha'):'view';
$confirm=GETPOST('confirm','alpha');
-$id=GETPOST('id','int');
+$id=35;
$rowid=GETPOST('rowid','alpha');
$code=GETPOST('code','alpha');
@@ -400,24 +400,9 @@ if ($id)
$sql=$tabsql[$id];
$sql.= " WHERE a.entity = ".$conf->entity;
- if ($sortfield)
- {
- // If sort order is "country", we use country_code instead
- if ($sortfield == 'country') $sortfield='country_code';
- $sql.= " ORDER BY ".$sortfield;
- if ($sortorder)
- {
- $sql.=" ".strtoupper($sortorder);
- }
- $sql.=", ";
- // Clear the required sort criteria for the tabsqlsort to be able to force it with selected value
- $tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.' '.$sortorder.',/i','',$tabsqlsort[$id]);
- $tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.',/i','',$tabsqlsort[$id]);
- }
- else {
- $sql.=" ORDER BY ";
- }
- $sql.=$tabsqlsort[$id];
+ // If sort order is "country", we use country_code instead
+ if ($sortfield == 'country') $sortfield='country_code';
+ $sql.=$db->order($sortfield,$sortorder);
$sql.=$db->plimit($listlimit+1,$offset);
$fieldlist=explode(',',$tabfield[$id]);
diff --git a/htdocs/admin/dict.php b/htdocs/admin/dict.php
index 438c7cd5227..72ac51e1799 100644
--- a/htdocs/admin/dict.php
+++ b/htdocs/admin/dict.php
@@ -965,14 +965,14 @@ if (empty($id))
print "
\n";
-$param = '&id='.$id;
-if ($search_country_id > 0) $param.= '&search_country_id='.$search_country_id;
+$param = '&id='.urlencode($id);
+if ($search_country_id > 0) $param.= '&search_country_id='.urlencode($search_country_id);
if ($search_code != '') $param.= '&search_code='.urlencode($search_country_id);
if ($entity != '') $param.= '&entity=' . (int) $entity;
$paramwithsearch = $param;
-if ($sortorder) $paramwithsearch.= '&sortorder='.$sortorder;
-if ($sortfield) $paramwithsearch.= '&sortfield='.$sortfield;
-if (GETPOST('from')) $paramwithsearch.= '&from='.GETPOST('from','alpha');
+if ($sortorder) $paramwithsearch.= '&sortorder='.urlencode($sortorder);
+if ($sortfield) $paramwithsearch.= '&sortfield='.urlencode($sortfield);
+if (GETPOST('from')) $paramwithsearch.= '&from='.urlencode(GETPOST('from','alpha'));
// Confirmation de la suppression de la ligne
@@ -999,10 +999,10 @@ if ($id)
{
// If sort order is "country", we use country_code instead
if ($sortfield == 'country') $sortfield='country_code';
- $sql.= " ORDER BY ".$sortfield;
+ $sql.= " ORDER BY ".$db->escape($sortfield);
if ($sortorder)
{
- $sql.=" ".strtoupper($sortorder);
+ $sql.=" ".strtoupper($db->escape($sortorder));
}
$sql.=", ";
// Clear the required sort criteria for the tabsqlsort to be able to force it with selected value
diff --git a/htdocs/admin/mails_templates.php b/htdocs/admin/mails_templates.php
index fb2729bb77b..24bd6a7b8fe 100644
--- a/htdocs/admin/mails_templates.php
+++ b/htdocs/admin/mails_templates.php
@@ -430,24 +430,9 @@ if ($search_type_template != '' && $search_type_template != '-1') $sql.=natural_
if ($search_lang) $sql.=natural_search('lang', $search_lang);
if ($search_fk_user != '' && $search_fk_user != '-1') $sql.=natural_search('fk_user', $search_fk_user, 2);
if ($search_topic) $sql.=natural_search('topic', $search_topic);
-if ($sortfield)
-{
- // If sort order is "country", we use country_code instead
- if ($sortfield == 'country') $sortfield='country_code';
- $sql.= " ORDER BY ".$sortfield;
- if ($sortorder)
- {
- $sql.=" ".strtoupper($sortorder);
- }
- $sql.=", ";
- // Clear the required sort criteria for the tabsqlsort to be able to force it with selected value
- $tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.' '.$sortorder.',/i','',$tabsqlsort[$id]);
- $tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.',/i','',$tabsqlsort[$id]);
-}
-else {
- $sql.=" ORDER BY ";
-}
-$sql.=$tabsqlsort[$id];
+// If sort order is "country", we use country_code instead
+if ($sortfield == 'country') $sortfield='country_code';
+$sql.=$db->order($sortfield,$sortorder);
$sql.=$db->plimit($listlimit+1,$offset);
//print $sql;
diff --git a/htdocs/admin/website.php b/htdocs/admin/website.php
index 9811052509a..e13bd4a2312 100644
--- a/htdocs/admin/website.php
+++ b/htdocs/admin/website.php
@@ -419,24 +419,7 @@ if ($id)
{
// Complete requete recherche valeurs avec critere de tri
$sql=$tabsql[$id];
-
- if ($sortfield)
- {
- // If sort order is "country", we use country_code instead
- $sql.= " ORDER BY ".$sortfield;
- if ($sortorder)
- {
- $sql.=" ".strtoupper($sortorder);
- }
- $sql.=", ";
- // Clear the required sort criteria for the tabsqlsort to be able to force it with selected value
- $tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.' '.$sortorder.',/i','',$tabsqlsort[$id]);
- $tabsqlsort[$id]=preg_replace('/([a-z]+\.)?'.$sortfield.',/i','',$tabsqlsort[$id]);
- }
- else {
- $sql.=" ORDER BY ";
- }
- $sql.=$tabsqlsort[$id];
+ $sql.=$db->order($sortfield,$sortorder);
$sql.=$db->plimit($limit+1, $offset);
//print $sql;
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 37e957c868c..a22a9675ff6 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -578,12 +578,12 @@ function GETPOST($paramname, $check='none', $method=0, $filter=NULL, $options=NU
{
//var_dump($paramname.' - '.$out.' '.$user->default_values[$relativepathstring]['filters'][$paramname]);
- // We save search key only if:
- // - not empty, or
- // - if value is empty and a default value exists that is not empty (it means we did a filter to an empty value when default was not).
+ // We save search key only if $out not empty that means:
+ // - posted value not empty, or
+ // - if posted value is empty and a default value exists that is not empty (it means we did a filter to an empty value when default was not).
//if (! empty($out) || ! empty($user->default_values[$relativepathstring]['filters'][$paramname]))
- if (! empty($out))
+ if ($out != '') // $out = '0' like 'abc' is a search criteria to keep
{
$user->lastsearch_values_tmp[$relativepathstring][$paramname]=$out;
}
|