Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2026-02-08 00:52:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix sql injection

Browse Source
This commit is contained in:
Laurent Destailleur
2021-07-05 18:46:27 +02:00
parent 3ac72fe73c
commit abb1ad6bf0
4 changed files with 11 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
htdocs/compta/bank/class/account.class.php
View File

@@ -829,8 +829,8 @@ class Account extends CommonObject
$sql .= ",min_desired = ".($this->min_desired != '' ? price2num($this->min_desired) : "null");
$sql .= ",comment = '".$this->db->escape($this->comment)."'";
$sql .= ",state_id = ".($this->state_id > 0 ? $this->state_id : "null");
$sql .= ",fk_pays = ".($this->country_id > 0 ? $this->country_id : "null");
$sql .= ",state_id = ".($this->state_id > 0 ? ((int) $this->state_id) : "null");
$sql .= ",fk_pays = ".($this->country_id > 0 ? ((int) $this->country_id) : "null");
$sql .= ",ics = '".$this->db->escape($this->ics)."'";
$sql .= ",ics_transfer = '".$this->db->escape($this->ics_transfer)."'";

8
htdocs/compta/sociales/class/cchargesociales.class.php
View File

@@ -260,13 +260,13 @@ class Cchargesociales
// Update request
$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element.' SET';
$sql .= ' libelle = '.(isset($this->libelle) ? "'".$this->db->escape($this->libelle)."'" : "null").',';
$sql .= ' deductible = '.(isset($this->deductible) ? $this->deductible : "null").',';
$sql .= ' active = '.(isset($this->active) ? $this->active : "null").',';
$sql .= ' deductible = '.(isset($this->deductible) ? ((int) $this->deductible) : "null").',';
$sql .= ' active = '.(isset($this->active) ? ((int) $this->active) : "null").',';
$sql .= ' code = '.(isset($this->code) ? "'".$this->db->escape($this->code)."'" : "null").',';
$sql .= ' fk_pays = '.(isset($this->fk_pays) ? $this->fk_pays : "null").',';
$sql .= ' fk_pays = '.((isset($this->fk_pays) && $this->fk_pays > 0) ? ((int) $this->fk_pays) : "null").',';
$sql .= ' module = '.(isset($this->module) ? "'".$this->db->escape($this->module)."'" : "null").',';
$sql .= ' accountancy_code = '.(isset($this->accountancy_code) ? "'".$this->db->escape($this->accountancy_code)."'" : "null");
$sql .= ' WHERE id='.$this->id;
$sql .= ' WHERE id='.((int) $this->id);
$this->db->begin();

2
htdocs/societe/card.php
View File

@@ -554,7 +554,7 @@ if (empty($reshook)) {
}
// We set country_id, country_code and country for the selected country
$object->country_id = GETPOST('country_id') != '' ?GETPOST('country_id') : $mysoc->country_id;
$object->country_id = GETPOST('country_id', 'int') != '' ? GETPOST('country_id', 'int') : $mysoc->country_id;
if ($object->country_id) {
$tmparray = getCountry($object->country_id, 'all');
$object->country_code = $tmparray['code'];

8
htdocs/societe/class/societe.class.php
View File

@@ -894,7 +894,7 @@ class Societe extends CommonObject
$sql .= ", ".(!empty($user->id) ? ((int) $user->id) : "null");
$sql .= ", ".(!empty($this->typent_id) ? ((int) $this->typent_id) : "null");
$sql .= ", ".(!empty($this->canvas) ? "'".$this->db->escape($this->canvas)."'" : "null");
$sql .= ", ".$this->status;
$sql .= ", ".((int) $this->status);
$sql .= ", ".(!empty($this->ref_ext) ? "'".$this->db->escape($this->ref_ext)."'" : "null");
$sql .= ", 0";
$sql .= ", ".(int) $this->fk_incoterms;
@@ -1369,13 +1369,13 @@ class Societe extends CommonObject
$sql .= ",zip = ".(!empty($this->zip) ? "'".$this->db->escape($this->zip)."'" : "null");
$sql .= ",town = ".(!empty($this->town) ? "'".$this->db->escape($this->town)."'" : "null");
$sql .= ",fk_departement = '".(!empty($this->state_id) ? $this->state_id : '0')."'";
$sql .= ",fk_pays = '".(!empty($this->country_id) ? $this->country_id : '0')."'";
$sql .= ",fk_departement = ".((!empty($this->state_id) && $this->state_id > 0) ? ((int) $this->state_id) : 'null');
$sql .= ",fk_pays = ".((!empty($this->country_id) && $this->country_id > 0) ? ((int) $this->country_id) : 'null');
$sql .= ",phone = ".(!empty($this->phone) ? "'".$this->db->escape($this->phone)."'" : "null");
$sql .= ",fax = ".(!empty($this->fax) ? "'".$this->db->escape($this->fax)."'" : "null");
$sql .= ",email = ".(!empty($this->email) ? "'".$this->db->escape($this->email)."'" : "null");
$sql .= ", socialnetworks = '".$this->db->escape(json_encode($this->socialnetworks))."'";
$sql .= ",socialnetworks = '".$this->db->escape(json_encode($this->socialnetworks))."'";
$sql .= ",url = ".(!empty($this->url) ? "'".$this->db->escape($this->url)."'" : "null");
$sql .= ",parent = ".($this->parent > 0 ? $this->parent : "null");