diff --git a/htdocs/adherents/class/adherent_type.class.php b/htdocs/adherents/class/adherent_type.class.php
index c4402a157bd..b4347277b5d 100644
--- a/htdocs/adherents/class/adherent_type.class.php
+++ b/htdocs/adherents/class/adherent_type.class.php
@@ -176,7 +176,7 @@ class AdherentType extends CommonObject
 $sql = "SELECT rowid";
 $sql .= " FROM ".MAIN_DB_PREFIX."adherent_type_lang";
 $sql .= " WHERE fk_type=".$this->id;
- $sql .= " AND lang='".$key."'";
+ $sql .= " AND lang = '".$this->db->escape($key)."'";
 $result = $this->db->query($sql);
@@ -202,7 +202,7 @@ class AdherentType extends CommonObject
 $sql = "SELECT rowid";
 $sql .= " FROM ".MAIN_DB_PREFIX."adherent_type_lang";
 $sql .= " WHERE fk_type=".$this->id;
- $sql .= " AND lang='".$key."'";
+ $sql .= " AND lang = '".$this->db->escape($key)."'";
 $result = $this->db->query($sql);
@@ -552,7 +552,7 @@ class AdherentType extends CommonObject
 $sql = "SELECT a.rowid";
 $sql .= " FROM ".MAIN_DB_PREFIX."adherent as a";
 $sql .= " WHERE a.entity IN (".getEntity('member').")";
- $sql .= " AND a.fk_adherent_type = ".$this->id;
+ $sql .= " AND a.fk_adherent_type = ".((int) $this->id);
 if (!empty($excludefilter)) {
 $sql .= ' AND ('.$excludefilter.')';
 }
diff --git a/htdocs/adherents/list.php b/htdocs/adherents/list.php
index f2bcf690a48..b06a7538aae 100644
--- a/htdocs/adherents/list.php
+++ b/htdocs/adherents/list.php
@@ -302,13 +302,13 @@ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s on (s.rowid = d.fk_soc)";
 $sql .= ", ".MAIN_DB_PREFIX."adherent_type as t";
 $sql .= " WHERE d.fk_adherent_type = t.rowid ";
 if ($catid > 0) {
- $sql .= " AND cm.fk_categorie = ".$db->escape($catid);
+ $sql .= " AND cm.fk_categorie = ".((int) $catid);
 }
 if ($catid == -2) {
 $sql .= " AND cm.fk_categorie IS NULL";
 }
 if ($search_categ > 0) {
- $sql .= " AND cm.fk_categorie = ".$db->escape($search_categ);
+ $sql .= " AND cm.fk_categorie = ".((int) $search_categ);
 }
 if ($search_categ == -2) {
 $sql .= " AND cm.fk_categorie IS NULL";
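Review bot: In the third AdherentType hunk `$sql .= ' AND ('.$excludefilter.')';` still splices `$excludefilter` into the WHERE clause verbatim, while this commit adds the "must not be provided by input of users" caveat only to the equivalent parameter of AssetType; the AdherentType docblock sits outside the hunk, so the same sentence should be added there, and likewise for `$morewherefilter` in Task::getSummaryOfTimeSpent (the task.class.php hunk appends it the same way), so callers know the value has to come from trusted code rather than from a request. The first two hunks also keep `" WHERE fk_type=".$this->id` uncast directly above the line that now escapes `$key`; for consistency with the third hunk write `$sql .= " WHERE fk_type = ".((int) $this->id);` in both. The enclosing methods start and end outside these hunks.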
diff --git a/htdocs/adherents/subscription/list.php b/htdocs/adherents/subscription/list.php
index a69962e84b6..27c3dd247c7 100644
--- a/htdocs/adherents/subscription/list.php
+++ b/htdocs/adherents/subscription/list.php
@@ -191,7 +191,7 @@ if ($search_note) {
 $sql .= natural_search('c.note', $search_note);
 }
 if ($search_account > 0) {
- $sql .= " AND b.fk_account = ".urldecode($search_account);
+ $sql .= " AND b.fk_account = ".((int) $search_account);
 }
 if ($search_amount) {
 $sql .= natural_search('c.subscription', $search_amount, 1);
diff --git a/htdocs/admin/perms.php b/htdocs/admin/perms.php
index e60f2118f2c..31304c85819 100644
--- a/htdocs/admin/perms.php
+++ b/htdocs/admin/perms.php
@@ -132,7 +132,7 @@ print ''."\n";
 $sql = "SELECT r.id, r.libelle as label, r.module, r.module_position, r.perms, r.subperms, r.bydefault";
 $sql .= " FROM ".MAIN_DB_PREFIX."rights_def as r";
 $sql .= " WHERE r.libelle NOT LIKE 'tou%'"; // On ignore droits "tous"
-$sql .= " AND r.entity = ".$entity;
+$sql .= " AND r.entity = ".((int) $entity);
 if (empty($conf->global->MAIN_USE_ADVANCED_PERMS)) {
 $sql .= " AND r.perms NOT LIKE '%_advance'"; // Hide advanced perms if option is not enabled
 }
diff --git a/htdocs/asset/class/asset_type.class.php b/htdocs/asset/class/asset_type.class.php
index 6b345aaef68..17943f4dfd4 100644
--- a/htdocs/asset/class/asset_type.class.php
+++ b/htdocs/asset/class/asset_type.class.php
@@ -332,7 +332,7 @@ class AssetType extends CommonObject
 /**
 * Return array of Asset objects for asset type this->id (or all if this->id not defined)
 *
- * @param string $excludefilter Filter to exclude
+ * @param string $excludefilter Filter to exclude. This parameter must not be provided by input of users
 * @param int $mode 0=Return array of asset instance
 * 1=Return array of asset instance without extra data
 * 2=Return array of asset id only
diff --git a/htdocs/bom/class/api_boms.class.php b/htdocs/bom/class/api_boms.class.php
index 24ec68d0e2f..b0f536140dd 100644
--- a/htdocs/bom/class/api_boms.class.php
+++ b/htdocs/bom/class/api_boms.class.php
@@ -134,14 +134,14 @@ class Boms extends DolibarrApi
 $sql .= " AND t.fk_soc = sc.fk_soc";
 }
 if ($restrictonsocid && $socid) {
- $sql .= " AND t.fk_soc = ".$socid;
+ $sql .= " AND t.fk_soc = ".((int) $socid);
 }
 if ($restrictonsocid && $search_sale > 0) {
 $sql .= " AND t.rowid = sc.fk_soc"; // Join for the needed table to filter by sale
 }
 // Insert sale filter
 if ($restrictonsocid && $search_sale > 0) {
- $sql .= " AND sc.fk_user = ".$search_sale;
+ $sql .= " AND sc.fk_user = ".((int) $search_sale);
 }
 if ($sqlfilters) {
 if (!DolibarrApi::_checkFilters($sqlfilters)) {
diff --git a/htdocs/categories/class/categorie.class.php b/htdocs/categories/class/categorie.class.php
index ba8ffe0e89f..880b0cc69df 100644
--- a/htdocs/categories/class/categorie.class.php
+++ b/htdocs/categories/class/categorie.class.php
@@ -1300,7 +1300,7 @@ class Categorie extends CommonObject
 $sql = "SELECT c.rowid";
 $sql .= " FROM ".MAIN_DB_PREFIX."categorie as c ";
 $sql .= " WHERE c.entity IN (".getEntity('category').")";
- $sql .= " AND c.type = ".$type;
+ $sql .= " AND c.type = ".((int) $type);
 $sql .= " AND c.fk_parent = ".$this->fk_parent;
 $sql .= " AND c.label = '".$this->db->escape($this->label)."'";
@@ -1792,7 +1792,7 @@ class Categorie extends CommonObject
 $sql = "SELECT rowid";
 $sql .= " FROM ".MAIN_DB_PREFIX."categorie_lang";
 $sql .= " WHERE fk_category=".$this->id;
- $sql .= " AND lang='".$key."'";
+ $sql .= " AND lang = '".$this->db->escape($key)."'";
 $result = $this->db->query($sql);
diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php
index 21c130cafac..4bef5ddcd16 100644
--- a/htdocs/comm/action/class/actioncomm.class.php
+++ b/htdocs/comm/action/class/actioncomm.class.php
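Review bot: In the Categorie hunk at line 1300, `$sql .= " AND c.fk_parent = ".$this->fk_parent;` is left as a raw concatenation directly under the newly cast `$type`, and the hunk at 1792 keeps `" WHERE fk_category=".$this->id`; both deserve the same treatment, e.g. `$sql .= " AND c.fk_parent = ".((int) $this->fk_parent);` and `$sql .= " WHERE fk_category = ".((int) $this->id);`. The same unquoted-integer concatenation also survives as context in the deletion-only hunks of various_payment/list.php (`v.fk_typepayment=".$typeid`), sociales/list.php (`cs.fk_type=".$db->escape($search_typeid)`) and salaries/list.php (`s.paye`, `s.fk_typepayment`); `$db->escape()` only escapes quote-like characters, so it does not make an unquoted numeric comparison safe, and the `(int)` cast this commit applies elsewhere is the right tool there too. Both Categorie methods begin and end outside the hunks.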
@@ -1227,17 +1227,17 @@ class ActionComm extends CommonObject
 $sql .= " FROM ".MAIN_DB_PREFIX."actioncomm as a";
 $sql .= " WHERE a.entity IN (".getEntity('agenda').")";
 if (!empty($socid)) {
- $sql .= " AND a.fk_soc = ".$socid;
+ $sql .= " AND a.fk_soc = ".((int) $socid);
 }
 if (!empty($elementtype)) {
 if ($elementtype == 'project') {
- $sql .= ' AND a.fk_project = '.$fk_element;
+ $sql .= ' AND a.fk_project = '.((int) $fk_element);
 } elseif ($elementtype == 'contact') {
 $sql .= ' AND a.id IN';
 $sql .= " (SELECT fk_actioncomm FROM ".MAIN_DB_PREFIX."actioncomm_resources WHERE";
- $sql .= " element_type = 'socpeople' AND fk_element = ".$fk_element.')';
+ $sql .= " element_type = 'socpeople' AND fk_element = ".((int) $fk_element).')';
 } else {
- $sql .= " AND a.fk_element = ".(int) $fk_element." AND a.elementtype = '".$db->escape($elementtype)."'";
+ $sql .= " AND a.fk_element = ".((int) $fk_element)." AND a.elementtype = '".$db->escape($elementtype)."'";
 }
 }
 if (!empty($filter)) {
diff --git a/htdocs/comm/contact.php b/htdocs/comm/contact.php
index b1e8b3c3768..8a921e1c358 100644
--- a/htdocs/comm/contact.php
+++ b/htdocs/comm/contact.php
@@ -101,7 +101,7 @@ if ($type == "f") {
 $sql .= " AND s.fournisseur = 1";
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 if (dol_strlen($stcomm)) {
diff --git a/htdocs/comm/index.php b/htdocs/comm/index.php
index b720ff638c9..b727a18b76f 100644
--- a/htdocs/comm/index.php
+++ b/htdocs/comm/index.php
@@ -169,7 +169,7 @@ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $resql = $db->query($sql);
diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php
index 3a03254099d..3674356af20 100644
--- a/htdocs/comm/propal/class/propal.class.php
+++ b/htdocs/comm/propal/class/propal.class.php
@@ -2734,7 +2734,7 @@ class Propal extends CommonObject
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 if ($draft) {
 $sql .= " AND p.fk_statut = ".self::STATUS_DRAFT;
diff --git a/htdocs/comm/propal/index.php b/htdocs/comm/propal/index.php
index 156dbafbf2a..2005e51571b 100644
--- a/htdocs/comm/propal/index.php
+++ b/htdocs/comm/propal/index.php
@@ -372,7 +372,7 @@ if (!empty($conf->propal->enabled) && $user->rights->propale->lire) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= " ORDER BY p.rowid DESC";
diff --git a/htdocs/commande/class/api_orders.class.php b/htdocs/commande/class/api_orders.class.php
index d839cf38924..17b7d4285b4 100644
--- a/htdocs/commande/class/api_orders.class.php
+++ b/htdocs/commande/class/api_orders.class.php
@@ -191,7 +191,7 @@ class Orders extends DolibarrApi
 }
 // Insert sale filter
 if ($search_sale > 0) {
- $sql .= " AND sc.fk_user = ".$search_sale;
+ $sql .= " AND sc.fk_user = ".((int) $search_sale);
 }
 // Add sql filters
 if ($sqlfilters) {
diff --git a/htdocs/commande/index.php b/htdocs/commande/index.php
index 4b6fcc7d8aa..66798c94157 100644
--- a/htdocs/commande/index.php
+++ b/htdocs/commande/index.php
@@ -209,7 +209,7 @@ if (!empty($conf->commande->enabled)) {
 $sql .= " AND c.entity IN (".getEntity('commande').")";
 $sql .= " AND c.fk_statut = 0";
 if ($socid) {
- $sql .= " AND c.fk_soc = ".$socid;
+ $sql .= " AND c.fk_soc = ".((int) $socid);
 }
 if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
diff --git a/htdocs/compta/bank/account_statement_document.php b/htdocs/compta/bank/account_statement_document.php
index ea4911e7050..e144f6acbe0 100644
--- a/htdocs/compta/bank/account_statement_document.php
+++ b/htdocs/compta/bank/account_statement_document.php
@@ -79,12 +79,12 @@ $result = restrictedArea($user, 'banque', $object->id, 'bank_account', '', '');
 // Define number of receipt to show (current, previous or next one ?)
 $found = false;
-if ($_GET["rel"] == 'prev') {
+if (GETPOST("rel") == 'prev') {
 // Recherche valeur pour num = numero releve precedent
 $sql = "SELECT DISTINCT(b.num_releve) as num";
 $sql .= " FROM ".MAIN_DB_PREFIX."bank as b";
 $sql .= " WHERE b.num_releve < '".$db->escape($numref)."'";
- $sql .= " AND b.fk_account = ".$id;
+ $sql .= " AND b.fk_account = ".((int) $id);
 $sql .= " ORDER BY b.num_releve DESC";
 dol_syslog("htdocs/compta/bank/releve.php", LOG_DEBUG);
@@ -97,12 +97,12 @@ if ($_GET["rel"] == 'prev') {
 $found = true;
 }
 }
-} elseif ($_GET["rel"] == 'next') {
+} elseif (GETPOST("rel") == 'next') {
 // Recherche valeur pour num = numero releve precedent
 $sql = "SELECT DISTINCT(b.num_releve) as num";
 $sql .= " FROM ".MAIN_DB_PREFIX."bank as b";
 $sql .= " WHERE b.num_releve > '".$db->escape($numref)."'";
- $sql .= " AND b.fk_account = ".$id;
+ $sql .= " AND b.fk_account = ".((int) $id);
 $sql .= " ORDER BY b.num_releve ASC";
 dol_syslog("htdocs/compta/bank/releve.php", LOG_DEBUG);
diff --git a/htdocs/compta/bank/bankentries_list.php b/htdocs/compta/bank/bankentries_list.php
index 37ef8a5da76..f07b38045f2 100644
--- a/htdocs/compta/bank/bankentries_list.php
+++ b/htdocs/compta/bank/bankentries_list.php
@@ -581,7 +581,7 @@ if (is_array($extrafields->attributes[$object->table_element]['label']) && count
 $sql .= " WHERE b.fk_account = ba.rowid";
 $sql .= " AND ba.entity IN (".getEntity('bank_account').")";
 if ($search_account > 0) {
- $sql .= " AND b.fk_account = ".$search_account;
+ $sql .= " AND b.fk_account = ".((int) $search_account);
 }
 // Search period criteria
 if (dol_strlen($search_dt_start) > 0) {
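Review bot: `GETPOST("rel")` in both replaced conditions of account_statement_document.php is called without a check type, whereas the form used elsewhere in this diff passes one explicitly (`GETPOST("orphelins", "alpha")` in paiement/list.php). The value is only compared against 'prev' and 'next' here, so nothing is echoed or queried with it, but the explicit type keeps the call consistent with the file's other request reads and with the project's expectation that every GETPOST names its sanitisation. Suggested: `if (GETPOST('rel', 'alpha') == 'prev') {` and `} elseif (GETPOST('rel', 'alpha') == 'next') {`.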
@@ -607,7 +607,7 @@ if ($search_num_releve) {
 $sql .= natural_search("b.num_releve", $search_num_releve);
 }
 if ($search_conciliated != '' && $search_conciliated != '-1') {
- $sql .= " AND b.rappro = ".urlencode($search_conciliated);
+ $sql .= " AND b.rappro = ".((int) $search_conciliated);
 }
 if ($search_thirdparty_user) {
 $sql.= " AND (b.rowid IN ";
diff --git a/htdocs/compta/bank/various_payment/list.php b/htdocs/compta/bank/various_payment/list.php
index 39cbb91fde1..65542598351 100644
--- a/htdocs/compta/bank/various_payment/list.php
+++ b/htdocs/compta/bank/various_payment/list.php
@@ -264,10 +264,6 @@ if ($search_accountancy_subledger > 0) {
 if ($typeid > 0) {
 $sql .= " AND v.fk_typepayment=".$typeid;
 }
-if ($filtre) {
- $filtre = str_replace(":", "=", $filtre);
- $sql .= " AND ".$filtre;
-}
 if ($search_all) {
 $sql .= natural_search(array_keys($fieldstosearchall), $search_all);
 }
diff --git a/htdocs/compta/deplacement/index.php b/htdocs/compta/deplacement/index.php
index 659eada708b..547f0676b7b 100644
--- a/htdocs/compta/deplacement/index.php
+++ b/htdocs/compta/deplacement/index.php
@@ -162,7 +162,7 @@ if (!$user->rights->societe->client->voir && !$user->socid) {
 $sql .= " AND d.fk_soc = s. rowid AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND d.fk_soc = ".$socid;
+ $sql .= " AND d.fk_soc = ".((int) $socid);
 }
 $sql .= $db->order("d.tms", "DESC");
 $sql .= $db->plimit($max, 0);
diff --git a/htdocs/compta/deplacement/list.php b/htdocs/compta/deplacement/list.php
index a36d7867716..61d30ea1345 100644
--- a/htdocs/compta/deplacement/list.php
+++ b/htdocs/compta/deplacement/list.php
@@ -108,11 +108,11 @@ if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND (sc.fk_user = ".$user->id." OR d.fk_soc IS NULL) ";
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 if ($search_ref) {
- $sql .= " AND d.rowid=".$search_ref;
+ $sql .= " AND d.rowid = ".((int) $search_ref);
 }
 if ($search_name) {
 $sql .= natural_search('u.lastname', $search_name);
diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php
index 84f97d61ef0..1afa9347f67 100644
--- a/htdocs/compta/facture/class/facture.class.php
+++ b/htdocs/compta/facture/class/facture.class.php
@@ -4033,7 +4033,7 @@ class Facture extends CommonInvoice
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 if ($draft) {
 $sql .= " AND f.fk_statut = ".self::STATUS_DRAFT;
diff --git a/htdocs/compta/facture/index.php b/htdocs/compta/facture/index.php
index 4939fbb6a95..a4d6dd6fec7 100644
--- a/htdocs/compta/facture/index.php
+++ b/htdocs/compta/facture/index.php
@@ -232,7 +232,7 @@ function getDraftTable($maxCount = 500, $socid = 0)
 $sql .= " AND f.entity IN (".getEntity('facture').")";
 $sql .= " AND f.fk_statut = ".Facture::STATUS_DRAFT;
 if ($socid) {
- $sql .= " AND f.fk_soc = ".$socid;
+ $sql .= " AND f.fk_soc = ".((int) $socid);
 }
 if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
@@ -329,7 +329,7 @@ function getLatestEditTable($maxCount = 5, $socid = 0)
 $sql .= " WHERE f.fk_soc = s.rowid";
 $sql .= " AND f.entity IN (".getEntity('facture').")";
 if ($socid) {
- $sql .= " AND f.fk_soc = ".$socid;
+ $sql .= " AND f.fk_soc = ".((int) $socid);
 }
 if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
@@ -432,7 +432,7 @@ function getOpenTable($maxCount = 500, $socid = 0)
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= " ORDER BY f.rowid DESC";
 $sql .= $db->plimit($maxCount, 0);
diff --git a/htdocs/compta/facture/list.php b/htdocs/compta/facture/list.php
index 31365b33b58..6cf770cb79c 100644
--- a/htdocs/compta/facture/list.php
+++ b/htdocs/compta/facture/list.php
@@ -513,14 +513,7 @@ if ($userid) {
 if ($userid == -1) {
 $sql .= ' AND f.fk_user_author IS NULL';
 } else {
- $sql .= ' AND f.fk_user_author = '.$userid;
- }
-}
-if ($filtre) {
- $aFilter = explode(',', $filtre);
- foreach ($aFilter as $filter) {
- $filt = explode(':', $filter);
- $sql .= ' AND '.$db->escape(trim($filt[0])).' = '.$db->escape(trim($filt[1]));
+ $sql .= ' AND f.fk_user_author = '.((int) $userid);
 }
 }
 if ($search_ref) {
diff --git a/htdocs/compta/paiement/class/paiement.class.php b/htdocs/compta/paiement/class/paiement.class.php
index 42b05f39263..73962cabaca 100644
--- a/htdocs/compta/paiement/class/paiement.class.php
+++ b/htdocs/compta/paiement/class/paiement.class.php
@@ -171,9 +171,9 @@ class Paiement extends CommonObject
 if ($id > 0) {
 $sql .= ' AND p.rowid = '.((int) $id);
 } elseif ($ref) {
- $sql .= " AND p.ref = '".$ref."'";
+ $sql .= " AND p.ref = '".$this->db->escape($ref)."'";
 } elseif ($fk_bank) {
- $sql .= ' AND p.fk_bank = '.$fk_bank;
+ $sql .= ' AND p.fk_bank = '.((int) $fk_bank);
 }
 $resql = $this->db->query($sql);
diff --git a/htdocs/compta/paiement/list.php b/htdocs/compta/paiement/list.php
index 269acd29600..75c63620b0b 100644
--- a/htdocs/compta/paiement/list.php
+++ b/htdocs/compta/paiement/list.php
@@ -200,13 +200,13 @@ if (GETPOST("orphelins", "alpha")) {
 $sql .= " AND sc.fk_user = ".$user->id;
 }
 if ($socid > 0) {
- $sql .= " AND f.fk_soc = ".$socid;
+ $sql .= " AND f.fk_soc = ".((int) $socid);
 }
 if ($userid) {
 if ($userid == -1) {
 $sql .= " AND f.fk_user_author IS NULL";
 } else {
- $sql .= " AND f.fk_user_author = ".$userid;
+ $sql .= " AND f.fk_user_author = ".((int) $userid);
 }
 }
@@ -216,7 +216,7 @@ if (GETPOST("orphelins", "alpha")) {
 $sql .= natural_search('p.ref', $search_ref);
 }
 if ($search_account > 0) {
- $sql .= " AND b.fk_account=".$search_account;
+ $sql .= " AND b.fk_account=".((int) $search_account);
 }
 if ($search_paymenttype != '') {
 $sql .= " AND c.code='".$db->escape($search_paymenttype)."'";
diff --git a/htdocs/compta/paymentbybanktransfer/index.php b/htdocs/compta/paymentbybanktransfer/index.php
index 92bc7ec6ff8..a705353112c 100644
--- a/htdocs/compta/paymentbybanktransfer/index.php
+++ b/htdocs/compta/paymentbybanktransfer/index.php
@@ -115,7 +115,7 @@ if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND f.fk_soc = ".$socid;
+ $sql .= " AND f.fk_soc = ".((int) $socid);
 }
 $resql = $db->query($sql);
diff --git a/htdocs/compta/prelevement/card.php b/htdocs/compta/prelevement/card.php
index 24ea982f01b..d04e7131edc 100644
--- a/htdocs/compta/prelevement/card.php
+++ b/htdocs/compta/prelevement/card.php
@@ -351,12 +351,12 @@ if ($id > 0 || $ref) {
 $sql .= " FROM ".MAIN_DB_PREFIX."prelevement_lignes as pl";
 $sql .= ", ".MAIN_DB_PREFIX."prelevement_bons as pb";
 $sql .= ", ".MAIN_DB_PREFIX."societe as s";
- $sql .= " WHERE pl.fk_prelevement_bons = ".$id;
+ $sql .= " WHERE pl.fk_prelevement_bons = ".((int) $id);
 $sql .= " AND pl.fk_prelevement_bons = pb.rowid";
 $sql .= " AND pb.entity = ".$conf->entity;
 $sql .= " AND pl.fk_soc = s.rowid";
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= $db->order($sortfield, $sortorder);
diff --git a/htdocs/compta/prelevement/create.php b/htdocs/compta/prelevement/create.php
index deb5fe2fcd5..e12c50b75f5 100644
--- a/htdocs/compta/prelevement/create.php
+++ b/htdocs/compta/prelevement/create.php
@@ -319,7 +319,7 @@ if ($type == 'bank-transfer') {
 $sql .= " AND pfd.fk_facture = f.rowid";
 }
 if ($socid > 0) {
- $sql .= " AND f.fk_soc = ".$socid;
+ $sql .= " AND f.fk_soc = ".((int) $socid);
 }
 $nbtotalofrecords = '';
diff --git a/htdocs/compta/prelevement/demandes.php b/htdocs/compta/prelevement/demandes.php
index 9d0fa17d246..266097f7a2d 100644
--- a/htdocs/compta/prelevement/demandes.php
+++ b/htdocs/compta/prelevement/demandes.php
@@ -141,14 +141,14 @@ if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND f.fk_soc = ".$socid;
+ $sql .= " AND f.fk_soc = ".((int) $socid);
 }
 if (!$status) {
 $sql .= " AND pfd.traite = 0";
 }
 $sql .= " AND pfd.ext_payment_id IS NULL";
 if ($status) {
- $sql .= " AND pfd.traite = ".$status;
+ $sql .= " AND pfd.traite = ".((int) $status);
 }
 $sql .= " AND f.total_ttc > 0";
 if (empty($conf->global->WITHDRAWAL_ALLOW_ANY_INVOICE_STATUS)) {
diff --git a/htdocs/compta/prelevement/factures.php b/htdocs/compta/prelevement/factures.php
index 301a5c7808c..23511a4a00a 100644
--- a/htdocs/compta/prelevement/factures.php
+++ b/htdocs/compta/prelevement/factures.php
@@ -195,10 +195,10 @@ if ($object->type != 'bank-transfer') {
 $sql .= " AND f.entity IN (".getEntity('supplier_invoice').")";
 }
 if ($object->id > 0) {
- $sql .= " AND p.rowid=".$object->id;
+ $sql .= " AND p.rowid = ".((int) $object->id);
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= $db->order($sortfield, $sortorder);
diff --git a/htdocs/compta/prelevement/fiche-rejet.php b/htdocs/compta/prelevement/fiche-rejet.php
index 62c3c4849f8..9a4f209e134 100644
--- a/htdocs/compta/prelevement/fiche-rejet.php
+++ b/htdocs/compta/prelevement/fiche-rejet.php
@@ -177,7 +177,7 @@ $sql .= " AND pl.fk_soc = s.rowid";
 $sql .= " AND pl.statut = 3 ";
 $sql .= " AND pr.fk_prelevement_lignes = pl.rowid";
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= " ORDER BY pl.amount DESC";
diff --git a/htdocs/compta/prelevement/index.php b/htdocs/compta/prelevement/index.php
index 2da8e1f0812..6e537159721 100644
--- a/htdocs/compta/prelevement/index.php
+++ b/htdocs/compta/prelevement/index.php
@@ -115,7 +115,7 @@ if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND f.fk_soc = ".$socid;
+ $sql .= " AND f.fk_soc = ".((int) $socid);
 }
 $resql = $db->query($sql);
diff --git a/htdocs/compta/prelevement/line.php b/htdocs/compta/prelevement/line.php
index 68ca3795fe3..73c985355b1 100644
--- a/htdocs/compta/prelevement/line.php
+++ b/htdocs/compta/prelevement/line.php
@@ -262,9 +262,9 @@ if ($id) {
 $sql .= " AND f.fk_soc = s.rowid";
 $sql .= " AND pf.fk_facture = f.rowid";
 $sql .= " AND f.entity IN (".getEntity('invoice').")";
- $sql .= " AND pl.rowid=".$id;
+ $sql .= " AND pl.rowid = ".((int) $id);
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= " ORDER BY $sortfield $sortorder ";
 $sql .= $db->plimit($conf->liste_limit + 1, $offset);
diff --git a/htdocs/compta/resultat/index.php b/htdocs/compta/resultat/index.php
index e5b86ba762e..272d6808b32 100644
--- a/htdocs/compta/resultat/index.php
+++ b/htdocs/compta/resultat/index.php
@@ -347,7 +347,7 @@ if (!empty($conf->facture->enabled) && ($modecompta == 'CREANCES-DETTES' || $mod
 $sql .= " AND f.entity = ".$conf->entity;
 if ($socid) {
- $sql .= " AND f.fk_soc = ".$socid;
+ $sql .= " AND f.fk_soc = ".((int) $socid);
 }
 $sql .= " GROUP BY dm";
diff --git a/htdocs/compta/resultat/result.php b/htdocs/compta/resultat/result.php
index 91932100565..8ef75bf5846 100644
--- a/htdocs/compta/resultat/result.php
+++ b/htdocs/compta/resultat/result.php
@@ -281,7 +281,7 @@ if ($modecompta == 'CREANCES-DETTES') {
 if (! empty($date_start) && ! empty($date_end)) $sql.= " AND t.doc_date >= '".$db->idate($date_start)."' AND t.doc_date <= '".$db->idate($date_end)."'";
 if (! empty($month)) {
- $sql .= " AND MONTH(t.doc_date) = " . $month;
+ $sql .= " AND MONTH(t.doc_date) = " . ((int) $month);
 }
 $resql = $db->query($sql);
 if ($resql)
diff --git a/htdocs/compta/sociales/list.php b/htdocs/compta/sociales/list.php
index dff6a887f0f..48c6936a225 100644
--- a/htdocs/compta/sociales/list.php
+++ b/htdocs/compta/sociales/list.php
@@ -209,10 +209,6 @@ if ($year > 0) {
 $sql .= "OR (cs.periode IS NULL AND date_format(cs.date_ech, '%Y') = '".$db->escape($year)."')";
 $sql .= ")";
 }
-if ($filtre) {
- $filtre = str_replace(":", "=", $filtre);
- $sql .= " AND ".$filtre;
-}
 if ($search_typeid) {
 $sql .= " AND cs.fk_type=".$db->escape($search_typeid);
 }
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index 021ca10ebb9..309ebba3062 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -4129,7 +4129,7 @@ class Form
 *
 * @param string $selected Id shipping mode pre-selected
 * @param string $htmlname Name of select zone
- * @param string $filtre To filter list
+ * @param string $filtre To filter list. This parameter must not come from input of users
 * @param int $useempty 1=Add an empty value in list, 2=Add an empty value in list only if there is more than 2 entries.
 * @param string $moreattrib To add more attribute on select
 * @param int $noinfoadmin 0=Add admin info, 1=Disable admin info
@@ -4324,7 +4324,7 @@ class Form
 * @param string $selected Id account pre-selected
 * @param string $htmlname Name of select zone
 * @param int $status Status of searched accounts (0=open, 1=closed, 2=both)
- * @param string $filtre To filter list
+ * @param string $filtre To filter list. This parameter must not come from input of users
 * @param int $useempty 1=Add an empty value in list, 2=Add an empty value in list only if there is more than 2 entries.
 * @param string $moreattrib To add more attribute on select
 * @param int $showcurrency Show currency in label
@@ -4410,7 +4410,7 @@ class Form
 * @param string $selected Id establishment pre-selected
 * @param string $htmlname Name of select zone
 * @param int $status Status of searched establishment (0=open, 1=closed, 2=both)
- * @param string $filtre To filter list
+ * @param string $filtre To filter list. This parameter must not come from input of users
 * @param int $useempty 1=Add an empty value in list, 2=Add an empty value in list only if there is more than 2 entries.
 * @param string $moreattrib To add more attribute on select
 * @return int <0 if error, Num of establishment found if OK (0, 1, 2, ...)
diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index 71b74a8a1db..76adb4a3485 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
@@ -3543,7 +3543,7 @@ class Product extends CommonObject
 $sql .= " AND p.fk_soc = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid > 0) {
- $sql .= " AND p.fk_soc = ".$socid;
+ $sql .= " AND p.fk_soc = ".((int) $socid);
 }
 $sql .= $morefilter;
 $sql .= " GROUP BY date_format(p.date_valid,'%Y%m')";
diff --git a/htdocs/product/list.php b/htdocs/product/list.php
index 32d36d2d6f6..dfd15249585 100644
--- a/htdocs/product/list.php
+++ b/htdocs/product/list.php
@@ -475,13 +475,13 @@ if ($fourn_id > 0) {
 $sql .= " AND pfp.fk_soc = ".((int) $fourn_id);
 }
 if ($search_country) {
- $sql .= " AND p.fk_country = ".$search_country;
+ $sql .= " AND p.fk_country = ".((int) $search_country);
 }
 if ($search_state) {
- $sql .= " AND p.fk_state = ".$search_state;
+ $sql .= " AND p.fk_state = ".((int) $search_state);
 }
 if ($search_finished >= 0 && $search_finished !== '') {
- $sql .= " AND p.finished = ".$search_finished;
+ $sql .= " AND p.finished = ".((int) $search_finished);
 }
 if ($search_accountancy_code_sell) {
 $sql .= natural_search('p.accountancy_code_sell', $search_accountancy_code_sell);
diff --git a/htdocs/product/popuprop.php b/htdocs/product/popuprop.php
index 001635be24b..2b84f11ac66 100644
--- a/htdocs/product/popuprop.php
+++ b/htdocs/product/popuprop.php
@@ -140,7 +140,7 @@ $sql .= ", ".MAIN_DB_PREFIX."product as p";
 $sql .= ' WHERE p.entity IN ('.getEntity('product').')';
 $sql .= " AND p.rowid = pd.fk_product";
 if ($type !== '') {
- $sql .= " AND fk_product_type = ".$type;
+ $sql .= " AND fk_product_type = ".((int) $type);
 }
 $sql .= " GROUP BY p.rowid, p.label, p.ref, p.fk_product_type";
diff --git a/htdocs/product/reassort.php b/htdocs/product/reassort.php
index e0d1d7447a0..815b49911dd 100644
--- a/htdocs/product/reassort.php
+++ b/htdocs/product/reassort.php
@@ -177,19 +177,19 @@ if ($snom) {
 $sql .= natural_search('p.label', $snom);
 }
 if (!empty($tosell)) {
- $sql .= " AND p.tosell = ".$tosell;
+ $sql .= " AND p.tosell = ".((int) $tosell);
 }
 if (!empty($tobuy)) {
- $sql .= " AND p.tobuy = ".$tobuy;
+ $sql .= " AND p.tobuy = ".((int) $tobuy);
 }
 if (!empty($canvas)) {
 $sql .= " AND p.canvas = '".$db->escape($canvas)."'";
 }
-if ($catid) {
- $sql .= " AND cp.fk_categorie = ".$catid;
+if ($catid > 0) {
+ $sql .= " AND cp.fk_categorie = ".((int) $catid);
 }
 if ($fourn_id > 0) {
- $sql .= " AND p.rowid = pf.fk_product AND pf.fk_soc = ".$fourn_id;
+ $sql .= " AND p.rowid = pf.fk_product AND pf.fk_soc = ".((int) $fourn_id);
 }
 // Insert categ filter
 if ($search_categ) {
diff --git a/htdocs/product/reassortlot.php b/htdocs/product/reassortlot.php
index 5983d5e6b4e..8a5da81ca5b 100644
--- a/htdocs/product/reassortlot.php
+++ b/htdocs/product/reassortlot.php
@@ -165,19 +165,19 @@ if ($snom) {
 $sql .= natural_search("p.label", $snom);
 }
 if (!empty($tosell)) {
- $sql .= " AND p.tosell = ".$tosell;
+ $sql .= " AND p.tosell = ".((int) $tosell);
 }
 if (!empty($tobuy)) {
- $sql .= " AND p.tobuy = ".$tobuy;
+ $sql .= " AND p.tobuy = ".((int) $tobuy);
 }
 if (!empty($canvas)) {
 $sql .= " AND p.canvas = '".$db->escape($canvas)."'";
 }
-if ($catid) {
- $sql .= " AND cp.fk_categorie = ".$catid;
+if ($catid > 0) {
+ $sql .= " AND cp.fk_categorie = ".((int) $catid);
 }
 if ($fourn_id > 0) {
- $sql .= " AND p.rowid = pf.fk_product AND pf.fk_soc = ".$fourn_id;
+ $sql .= " AND p.rowid = pf.fk_product AND pf.fk_soc = ".((int) $fourn_id);
 }
 // Insert categ filter
 if ($search_categ) {
diff --git a/htdocs/product/stats/commande.php b/htdocs/product/stats/commande.php
index 4eaa0a3b3b8..fe8016f362a 100644
--- a/htdocs/product/stats/commande.php
+++ b/htdocs/product/stats/commande.php
@@ -162,7 +162,7 @@ if ($id > 0 || !empty($ref)) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND c.fk_soc = ".$socid;
+ $sql .= " AND c.fk_soc = ".((int) $socid);
 }
 $sql .= $db->order($sortfield, $sortorder);
diff --git a/htdocs/product/stats/commande_fournisseur.php b/htdocs/product/stats/commande_fournisseur.php
index dcc2b9c0cee..bc8346e39b1 100644
--- a/htdocs/product/stats/commande_fournisseur.php
+++ b/htdocs/product/stats/commande_fournisseur.php
@@ -162,7 +162,7 @@ if ($id > 0 || !empty($ref)) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND c.fk_soc = ".$socid;
+ $sql .= " AND c.fk_soc = ".((int) $socid);
 }
 $sql .= $db->order($sortfield, $sortorder);
diff --git a/htdocs/product/stats/contrat.php b/htdocs/product/stats/contrat.php
index 93778a19047..e419593208c 100644
--- a/htdocs/product/stats/contrat.php
+++ b/htdocs/product/stats/contrat.php
@@ -148,7 +148,7 @@ if ($id > 0 || !empty($ref)) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= " GROUP BY c.rowid, c.ref, c.ref_customer, c.ref_supplier, c.date_contrat, c.statut, s.nom, s.rowid, s.code_client";
 $sql .= $db->order($sortfield, $sortorder);
diff --git a/htdocs/product/stats/facture.php b/htdocs/product/stats/facture.php
index e0d262ee1fb..fa7d4fae24f 100644
--- a/htdocs/product/stats/facture.php
+++ b/htdocs/product/stats/facture.php
@@ -179,7 +179,7 @@ if ($id > 0 || !empty($ref)) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND f.fk_soc = ".$socid;
+ $sql .= " AND f.fk_soc = ".((int) $socid);
 }
 $sql .= $db->order($sortfield, $sortorder);
diff --git a/htdocs/product/stats/facture_fournisseur.php b/htdocs/product/stats/facture_fournisseur.php
index 497aa3574bf..018f1c28f02 100644
--- a/htdocs/product/stats/facture_fournisseur.php
+++ b/htdocs/product/stats/facture_fournisseur.php
@@ -162,7 +162,7 @@ if ($id > 0 || !empty($ref)) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND f.fk_soc = ".$socid;
+ $sql .= " AND f.fk_soc = ".((int) $socid);
 }
 $sql .= " ORDER BY $sortfield $sortorder ";
diff --git a/htdocs/product/stats/mo.php b/htdocs/product/stats/mo.php
index 479dbdd1a17..1cabfd9ef85 100644
--- a/htdocs/product/stats/mo.php
+++ b/htdocs/product/stats/mo.php
@@ -140,7 +140,7 @@ if ($id > 0 || !empty($ref)) {
 $sql .= " AND c.entity IN (".getEntity('mo').")";
 $sql .= " AND cd.fk_product =".$product->id;
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= " GROUP BY c.rowid, c.ref, c.date_valid, c.status";
 //$sql .= ", s.nom, s.rowid, s.code_client";
diff --git a/htdocs/product/stats/propal.php b/htdocs/product/stats/propal.php
index 95f2884c7b5..7dfc8b6d1db 100644
--- a/htdocs/product/stats/propal.php
+++ b/htdocs/product/stats/propal.php
@@ -163,7 +163,7 @@ if ($id > 0 || !empty($ref)) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND p.fk_soc = ".$socid;
+ $sql .= " AND p.fk_soc = ".((int) $socid);
 }
 $sql .= $db->order($sortfield, $sortorder);
diff --git a/htdocs/product/stats/supplier_proposal.php b/htdocs/product/stats/supplier_proposal.php
index d918ce7c7d2..86689786b2d 100644
--- a/htdocs/product/stats/supplier_proposal.php
+++ b/htdocs/product/stats/supplier_proposal.php
@@ -163,7 +163,7 @@ if ($id > 0 || !empty($ref)) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND p.fk_soc = ".$socid;
+ $sql .= " AND p.fk_soc = ".((int) $socid);
 }
 $sql .= $db->order($sortfield, $sortorder);
diff --git a/htdocs/product/stock/class/entrepot.class.php b/htdocs/product/stock/class/entrepot.class.php
index 9d601dc9687..30dba05e417 100644
--- a/htdocs/product/stock/class/entrepot.class.php
+++ b/htdocs/product/stock/class/entrepot.class.php
@@ -547,7 +547,7 @@ class Entrepot extends CommonObject
 $sql = "SELECT rowid, ref as label";
 $sql .= " FROM ".MAIN_DB_PREFIX."entrepot";
 $sql .= " WHERE entity IN (".getEntity('stock').")";
- $sql .= " AND statut = ".$status;
+ $sql .= " AND statut = ".((int) $status);
 $result = $this->db->query($sql);
 $i = 0;
diff --git a/htdocs/product/stock/movement_card.php b/htdocs/product/stock/movement_card.php
index 6dc3c665e15..31c71d9e2bd 100644
--- a/htdocs/product/stock/movement_card.php
+++ b/htdocs/product/stock/movement_card.php
@@ -456,7 +456,7 @@ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."user as u ON m.fk_user_author = u.rowid";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lot as pl ON m.batch = pl.batch AND m.fk_product = pl.fk_product";
 $sql .= " WHERE m.fk_product = p.rowid";
 if ($msid > 0) {
- $sql .= " AND m.rowid = ".$msid;
+ $sql .= " AND m.rowid = ".((int) $msid);
 }
 $sql .= " AND m.fk_entrepot = e.rowid";
 $sql .= " AND e.entity IN (".getEntity('stock').")";
@@ -464,7 +464,7 @@ if (empty($conf->global->STOCK_SUPPORTS_SERVICES)) {
 $sql .= " AND p.fk_product_type = 0";
 }
 if ($id > 0) {
- $sql .= " AND e.rowid ='".$id."'";
+ $sql .= " AND e.rowid = ".((int) $id);
 }
 $sql .= dolSqlDateFilter('m.datem', 0, $month, $year);
 if ($idproduct > 0) {
diff --git a/htdocs/product/stock/movement_list.php b/htdocs/product/stock/movement_list.php
index 62cbe7f8620..65192df842f 100644
--- a/htdocs/product/stock/movement_list.php
+++ b/htdocs/product/stock/movement_list.php
@@ -503,7 +503,7 @@ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."user as u ON m.fk_user_author = u.rowid";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lot as pl ON m.batch = pl.batch AND m.fk_product = pl.fk_product";
 $sql .= " WHERE m.fk_product = p.rowid";
 if ($msid > 0) {
- $sql .= " AND m.rowid = ".$msid;
+ $sql .= " AND m.rowid = ".((int) $msid);
 }
 $sql .= " AND m.fk_entrepot = e.rowid";
 $sql .= " AND e.entity IN (".getEntity('stock').")";
@@ -511,7 +511,7 @@ if (empty($conf->global->STOCK_SUPPORTS_SERVICES)) {
 $sql .= " AND p.fk_product_type = 0";
 }
 if ($id > 0) {
- $sql .= " AND e.rowid ='".$id."'";
+ $sql .= " AND e.rowid = ".((int) $id);
 }
 if (!empty($search_date_start)) {
 $sql .= " AND m.datem >= '" . $db->idate($search_date_start) . "'";
diff --git a/htdocs/projet/class/task.class.php b/htdocs/projet/class/task.class.php
index 44638c00f46..091409539a8 100644
--- a/htdocs/projet/class/task.class.php
+++ b/htdocs/projet/class/task.class.php
@@ -1266,10 +1266,10 @@ class Task extends CommonObject
 $sql .= $morewherefilter;
 }
 if ($id > 0) {
- $sql .= " AND t.fk_task = ".$id;
+ $sql .= " AND t.fk_task = ".((int) $id);
 }
 if ($userid > 0) {
- $sql .= " AND t.fk_user = ".$userid;
+ $sql .= " AND t.fk_user = ".((int) $userid);
 }
 dol_syslog(get_class($this)."::getSummaryOfTimeSpent", LOG_DEBUG);
diff --git a/htdocs/projet/list.php b/htdocs/projet/list.php
index a9849ef9f20..e907ab3b06e 100644
--- a/htdocs/projet/list.php
+++ b/htdocs/projet/list.php
@@ -426,7 +426,7 @@ if ($search_public != '') {
 // For external user, no check is done on company permission because readability is managed by public status of project and assignement.
 //if ($socid > 0) $sql.= " AND s.rowid = ".$socid;
 if ($search_sale > 0) {
- $sql .= " AND sc.fk_user = ".$search_sale;
+ $sql .= " AND sc.fk_user = ".((int) $search_sale);
 }
 // No check is done on company permission because readability is managed by public status of project and assignement.
 //if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND ((s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id.") OR (s.rowid IS NULL))";
diff --git a/htdocs/salaries/list.php b/htdocs/salaries/list.php
index 907f16f21bc..c007c160a86 100644
--- a/htdocs/salaries/list.php
+++ b/htdocs/salaries/list.php
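Review bot: In the task.class.php hunk, `$sql .= $morewherefilter;` on the first context line appends a caller-supplied SQL fragment unchanged, and the casts now added to `$id` and `$userid` do not cover it. This commit documents exactly that situation for `$filter` in the `get_full_tree` docblock later on the page, so the docblock of getSummaryOfTimeSpent (which starts outside the hunk) should carry the same caveat, e.g. `@param string $morewherefilter Additional SQL filter. Must not be built from user input.`. Where callers obtain that value is not visible here, so this is a documentation request rather than a claim that it is currently reachable from a request.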
@@ -275,10 +275,6 @@ if ($search_account > 0) {
 if ($search_status != '' && $search_status >= 0) {
 $sql .= " AND s.paye = ".$db->escape($search_status);
 }
-if ($filtre) {
- $filtre = str_replace(":", "=", $filtre);
- $sql .= " AND ".$filtre;
-}
 if ($search_type_id) {
 $sql .= " AND s.fk_typepayment=".$search_type_id;
 }
diff --git a/htdocs/societe/class/api_thirdparties.class.php b/htdocs/societe/class/api_thirdparties.class.php
index cd356d2e2a2..f0cf3fa595a 100644
--- a/htdocs/societe/class/api_thirdparties.class.php
+++ b/htdocs/societe/class/api_thirdparties.class.php
@@ -1364,10 +1364,10 @@ class Thirdparties extends DolibarrApi
 $sql = "SELECT rowid";
 $sql .= " FROM ".MAIN_DB_PREFIX."societe_rib";
 if ($id) {
- $sql .= " WHERE fk_soc = ".$id." ";
+ $sql .= " WHERE fk_soc = ".((int) $id);
 }
 if ($companybankid) {
- $sql .= " AND rowid = ".$companybankid."";
+ $sql .= " AND rowid = ".((int) $companybankid);
 }
 $i = 0;
@@ -1433,9 +1433,9 @@ class Thirdparties extends DolibarrApi
 * We select all the records that match the socid
 */
 $sql = "SELECT rowid, fk_soc, key_account, site, date_creation, tms FROM ".MAIN_DB_PREFIX."societe_account";
- $sql .= " WHERE fk_soc = $id";
+ $sql .= " WHERE fk_soc = ".((int) $id);
 if ($site) {
- $sql .= " AND site ='$site'";
+ $sql .= " AND site ='".$this->db-escape($site)."'";
 }
 $result = $this->db->query($sql);
diff --git a/htdocs/societe/index.php b/htdocs/societe/index.php
index b76a80e1148..c87d260f23e 100644
--- a/htdocs/societe/index.php
+++ b/htdocs/societe/index.php
@@ -101,8 +101,8 @@ $sql .= ' WHERE s.entity IN ('.getEntity('societe').')';
 if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
-if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+if ($socid > 0) {
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 if (!$user->rights->fournisseur->lire) {
 $sql .= " AND (s.fournisseur <> 1 OR s.client <> 0)"; // client=0, fournisseur=0 must be visible
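Review bot: In the first api_thirdparties.class.php hunk the WHERE keyword is only emitted inside `if ($id)`, so a call with an empty `$id` and a non-empty `$companybankid` produces `FROM ...societe_rib AND rowid = N`, which is not valid SQL; the new casts leave that shape untouched. Emitting `$sql .= " WHERE 1 = 1";` right after the FROM line and changing the first condition to `$sql .= " AND fk_soc = ".((int) $id);` keeps both filters optional, the same pattern societe/website.php uses in this commit. Whether an empty `$id` can reach this code depends on the method's argument validation, which starts outside the hunk.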
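Review bot: The added line `$sql .= " AND site ='".$this->db-escape($site)."'";` in the second api_thirdparties.class.php hunk uses `-` where `->` was intended, so PHP parses it as `$this->db - escape($site)`; no function named `escape` is defined here, so any call with `$site` set fails with an undefined-function error before the query runs, and the escaping this hunk sets out to add never happens. It should read `$sql .= " AND site = '".$this->db->escape($site)."'";`. The enclosing method begins before the hunk, so I cannot see whether `$site` is validated earlier.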
diff --git a/htdocs/societe/website.php b/htdocs/societe/website.php
index e7a1e086228..e34672bfd1d 100644
--- a/htdocs/societe/website.php
+++ b/htdocs/societe/website.php
@@ -283,7 +283,7 @@ if ($objectwebsiteaccount->ismultientitymanaged == 1) {
 } else {
 $sql .= " WHERE 1 = 1";
 }
-$sql .= " AND fk_soc = ".$object->id;
+$sql .= " AND fk_soc = ".((int) $object->id);
 foreach ($search as $key => $val) {
 $mode_search = (($objectwebsiteaccount->isInt($objectwebsiteaccount->fields[$key]) || $objectwebsiteaccount->isFloat($objectwebsiteaccount->fields[$key])) ? 1 : 0);
 if ($search[$key] != '') {
diff --git a/htdocs/stripe/class/stripe.class.php b/htdocs/stripe/class/stripe.class.php
index 9caf72c20e1..7f325090b5e 100644
--- a/htdocs/stripe/class/stripe.class.php
+++ b/htdocs/stripe/class/stripe.class.php
@@ -100,7 +100,7 @@ class Stripe extends CommonObject
 $sql .= " WHERE service = '".$this->db->escape($mode)."'";
 $sql .= " AND entity = ".((int) $entity);
 if ($fk_soc > 0) {
- $sql .= " AND fk_soc = ".$fk_soc;
+ $sql .= " AND fk_soc = ".((int) $fk_soc);
 } else {
 $sql .= " AND fk_soc IS NULL";
 }
diff --git a/htdocs/supplier_proposal/class/supplier_proposal.class.php b/htdocs/supplier_proposal/class/supplier_proposal.class.php
index 78b1df5f6a4..158829ea425 100644
--- a/htdocs/supplier_proposal/class/supplier_proposal.class.php
+++ b/htdocs/supplier_proposal/class/supplier_proposal.class.php
@@ -1209,9 +1209,9 @@ class SupplierProposal extends CommonObject
 $sql .= " WHERE p.fk_statut = c.id";
 $sql .= " AND p.entity IN (".getEntity('supplier_proposal').")";
 if ($ref) {
- $sql .= " AND p.ref='".$ref."'";
+ $sql .= " AND p.ref = '".$this->db->escape($ref)."'";
 } else {
- $sql .= " AND p.rowid=".$rowid;
+ $sql .= " AND p.rowid = ".((int) $rowid);
 }
 dol_syslog(get_class($this)."::fetch", LOG_DEBUG);
diff --git a/htdocs/takepos/invoice.php b/htdocs/takepos/invoice.php
index 7fd162c5fbd..669b37bf806 100644
--- a/htdocs/takepos/invoice.php
+++ b/htdocs/takepos/invoice.php
@@ -1419,7 +1419,7 @@ if ($placeid > 0) {
 $sql .= " ".MAIN_DB_PREFIX."product_stock as ps";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = ps.fk_product";
 $sql .= " WHERE ps.reel != 0";
- $sql .= " AND ps.fk_entrepot = ".$conf->global->$constantforkey;
+ $sql .= " AND ps.fk_entrepot = ".((int) $conf->global->$constantforkey);
 $sql .= " AND e.entity IN (".getEntity('stock').")";
 $sql .= " AND ps.fk_product = ".$line->fk_product;
 $resql = $db->query($sql);
diff --git a/htdocs/ticket/list.php b/htdocs/ticket/list.php
index b774f659d0c..4137680b0f7 100644
--- a/htdocs/ticket/list.php
+++ b/htdocs/ticket/list.php
@@ -346,7 +346,7 @@ if (is_array($extrafields->attributes[$object->table_element]['label']) && count
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON (t.fk_soc = s.rowid)";
 $sql .= " WHERE t.entity IN (".getEntity($object->element).")";
 if ($socid > 0) {
- $sql .= " AND t.fk_soc = ".$socid;
+ $sql .= " AND t.fk_soc = ".((int) $socid);
 }
 foreach ($search as $key => $val) {
diff --git a/htdocs/user/class/api_users.class.php b/htdocs/user/class/api_users.class.php
index 2f8972ceafe..803b517a354 100644
--- a/htdocs/user/class/api_users.class.php
+++ b/htdocs/user/class/api_users.class.php
@@ -93,7 +93,7 @@ class Users extends DolibarrApi
 // Select products of given category
 if ($category > 0) {
 $sql .= " AND c.fk_categorie = ".$this->db->escape($category);
- $sql .= " AND c.fk_user = t.rowid ";
+ $sql .= " AND c.fk_user = t.rowid";
 }
 // Add sql filters
diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php
index 2ac519b0a26..c1224285c7c 100644
--- a/htdocs/user/class/user.class.php
+++ b/htdocs/user/class/user.class.php
@@ -2229,7 +2229,7 @@ class User extends CommonObject
 /**
 * Add user into a group
 *
- * @param int $group Id of group
+ * @param int $group Id of group
 * @param int $entity Entity
 * @param int $notrigger Disable triggers
 * @return int <0 if KO, >0 if OK
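Review bot: In the takepos/invoice.php hunk, `$sql .= " AND ps.fk_product = ".$line->fk_product;` on the line after the change is the remaining uncast concatenation in this statement; `$sql .= " AND ps.fk_product = ".((int) $line->fk_product);` would finish what the cast on `$conf->global->$constantforkey` starts. `$line` is populated outside the hunk, so whether its fk_product is always numeric cannot be confirmed here; the cast is cheap either way.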
@@ -2245,7 +2245,7 @@ class User extends CommonObject
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."usergroup_user";
 $sql .= " WHERE fk_user = ".$this->id;
- $sql .= " AND fk_usergroup = ".$group;
+ $sql .= " AND fk_usergroup = ".((int) $group);
 $sql .= " AND entity = ".$entity;
 $result = $this->db->query($sql);
@@ -2286,7 +2286,7 @@ class User extends CommonObject
 /**
 * Remove a user from a group
 *
- * @param int $group Id of group
+ * @param int $group Id of group
 * @param int $entity Entity
 * @param int $notrigger Disable triggers
 * @return int <0 if KO, >0 if OK
@@ -2302,7 +2302,7 @@ class User extends CommonObject
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."usergroup_user";
 $sql .= " WHERE fk_user = ".$this->id;
- $sql .= " AND fk_usergroup = ".$group;
+ $sql .= " AND fk_usergroup = ".((int) $group);
 $sql .= " AND entity = ".$entity;
 $result = $this->db->query($sql);
@@ -3065,7 +3065,7 @@ class User extends CommonObject
 * fullpath = chemin complet compose des id: "_grandparentid_parentid_id"
 *
 * @param int $deleteafterid Removed all users including the leaf $deleteafterid (and all its child) in user tree.
- * @param string $filter SQL filter on users
+ * @param string $filter SQL filter on users. This parameter must not come from user intput.
 * @return array Array of users $this->users. Note: $this->parentof is also set.
 */
 public function get_full_tree($deleteafterid = 0, $filter = '')
diff --git a/htdocs/user/home.php b/htdocs/user/home.php
index dfb201bc441..4a41b3fd899 100644
--- a/htdocs/user/home.php
+++ b/htdocs/user/home.php
@@ -128,7 +128,7 @@ if ($reshook > 0) {
 $sql .= " WHERE u.entity IN (".getEntity('user').")";
 }
 if (!empty($socid)) {
- $sql .= " AND u.fk_soc = ".$socid;
+ $sql .= " AND u.fk_soc = ".((int) $socid);
 }
 $sql .= $db->order("u.datec", "DESC");
 $sql .= $db->plimit($max);
diff --git a/htdocs/user/list.php b/htdocs/user/list.php
index 75cea8b604d..eeb7118bb2e 100644
--- a/htdocs/user/list.php
+++ b/htdocs/user/list.php
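Review bot: In the user.class.php hunk at `@@ -2245`, `$sql .= " AND entity = ".$entity;` immediately after the changed line is still concatenated raw, so the DELETE is hardened for `$group` but not for `$entity`; the same pair appears unchanged in the second DELETE at `@@ -2302`. `$sql .= " AND entity = ".((int) $entity);` in both places would match how the Stripe hunk in this commit already handles `$entity`. Both methods start outside their hunks, so I cannot see whether `$entity` is validated at their entry.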
@@ -353,7 +353,7 @@ if ($reshook > 0) {
 $sql .= " WHERE u.entity IN (".getEntity('user').")";
 }
 if ($socid > 0) {
- $sql .= " AND u.fk_soc = ".$socid;
+ $sql .= " AND u.fk_soc = ".((int) $socid);
 }
 //if ($search_user != '') $sql.=natural_search(array('u.login', 'u.lastname', 'u.firstname'), $search_user);
 if ($search_supervisor > 0) {
diff --git a/htdocs/user/perms.php b/htdocs/user/perms.php
index f14fcee2e0f..48b44d2fc57 100644
--- a/htdocs/user/perms.php
+++ b/htdocs/user/perms.php
@@ -194,7 +194,7 @@ $permsuser = array();
 $sql = "SELECT DISTINCT ur.fk_id";
 $sql .= " FROM ".MAIN_DB_PREFIX."user_rights as ur";
 $sql .= " WHERE ur.entity = ".$entity;
-$sql .= " AND ur.fk_user = ".$object->id;
+$sql .= " AND ur.fk_user = ".((int) $object->id);
 dol_syslog("get user perms", LOG_DEBUG);
 $result = $db->query($sql);
diff --git a/htdocs/website/class/website.class.php b/htdocs/website/class/website.class.php
index 1d30b71ad0a..27ede3cd0ef 100644
--- a/htdocs/website/class/website.class.php
+++ b/htdocs/website/class/website.class.php
@@ -1415,7 +1415,7 @@ class Website extends CommonObject
 $sql = "SELECT wp.rowid, wp.lang, wp.pageurl, wp.fk_page";
 $sql .= " FROM ".MAIN_DB_PREFIX."website_page as wp";
 $sql .= " WHERE wp.fk_website = ".$website->id;
- $sql .= " AND (wp.fk_page = ".$pageid." OR wp.rowid = ".$pageid;
+ $sql .= " AND (wp.fk_page = ".((int) $pageid)." OR wp.rowid = ".((int) $pageid);
 if ($tmppage->fk_page > 0) {
 $sql .= " OR wp.fk_page = ".$tmppage->fk_page." OR wp.rowid = ".$tmppage->fk_page;
 }
diff --git a/htdocs/zapier/class/api_zapier.class.php b/htdocs/zapier/class/api_zapier.class.php
index f5447bfa804..ebf62d115ab 100644
--- a/htdocs/zapier/class/api_zapier.class.php
+++ b/htdocs/zapier/class/api_zapier.class.php
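Review bot: In the user/perms.php hunk, `$sql .= " WHERE ur.entity = ".$entity;` on the line before the change is left uncast while `$object->id` right after it now is; `$sql .= " WHERE ur.entity = ".((int) $entity);` would close that gap in the same query. Where `$entity` is assigned is outside the hunk, so this is raised as a consistency point with the rest of the commit rather than a confirmed injection path.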
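Review bot: In the website.class.php hunk, `$pageid` is now cast twice, but `$website->id` on the preceding line and both uses of `$tmppage->fk_page` on the following one are still concatenated raw into the same statement. `$sql .= " WHERE wp.fk_website = ".((int) $website->id);` and `$sql .= " OR wp.fk_page = ".((int) $tmppage->fk_page)." OR wp.rowid = ".((int) $tmppage->fk_page);` would make the query uniformly typed. Where `$website` and `$tmppage` come from is outside the hunk, so I cannot say whether those values are ever non-numeric; the casts cost nothing and remove the question.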
@@ -180,7 +180,7 @@ class ZapierApi extends DolibarrApi
 $sql .= " AND t.fk_soc = sc.fk_soc";
 }
 if ($restrictonsocid && $socid) {
- $sql .= " AND t.fk_soc = ".$socid;
+ $sql .= " AND t.fk_soc = ".((int) $socid);
 }
 if ($restrictonsocid && $search_sale > 0) {
 // Join for the needed table to filter by sale
@@ -188,7 +188,7 @@ class ZapierApi extends DolibarrApi
 }
 // Insert sale filter
 if ($restrictonsocid && $search_sale > 0) {
- $sql .= " AND sc.fk_user = ".$search_sale;
+ $sql .= " AND sc.fk_user = ".((int) $search_sale);
 }
 if ($sqlfilters) {
 if (!DolibarrApi::_checkFilters($sqlfilters)) {