From d0cc64479d6986e62e29013dde7c42acae472eeb Mon Sep 17 00:00:00 2001 
From: Laurent Destailleur Date: Sat, 24 Apr 2021 20:18:11 +0200 Subject: [PATCH] Fix protect sql --- htdocs/accountancy/admin/accountmodel.php | 2 +- htdocs/accountancy/bookkeeping/card.php | 2 +- .../class/accountancycategory.class.php | 10 +++++----- .../class/accountingaccount.class.php | 4 ++-- htdocs/accountancy/class/bookkeeping.class.php | 4 ++-- htdocs/accountancy/customer/index.php | 4 ++-- htdocs/accountancy/expensereport/index.php | 4 ++-- htdocs/accountancy/journal/bankjournal.php | 16 ++++++++-------- htdocs/accountancy/supplier/index.php | 4 ++-- htdocs/adherents/class/adherent.class.php | 4 ++-- htdocs/adherents/class/adherent_type.class.php | 2 +- htdocs/adherents/class/subscription.class.php | 2 +- htdocs/adherents/list.php | 2 +- htdocs/adherents/subscription.php | 2 +- htdocs/adherents/subscription/list.php | 2 +- htdocs/adherents/type.php | 2 +- htdocs/admin/boxes.php | 4 ++-- htdocs/admin/dict.php | 2 +- htdocs/admin/external_rss.php | 2 +- htdocs/admin/security.php | 2 +- htdocs/asset/class/asset_type.class.php | 2 +- htdocs/blockedlog/class/authority.class.php | 2 +- htdocs/bookmarks/class/bookmark.class.php | 2 +- htdocs/categories/class/categorie.class.php | 2 +- htdocs/comm/action/class/actioncomm.class.php | 2 +- htdocs/comm/action/index.php | 2 +- htdocs/comm/action/pertype.php | 2 +- htdocs/comm/action/peruser.php | 2 +- htdocs/comm/index.php | 10 +++++----- htdocs/comm/mailing/advtargetemailing.php | 2 +- htdocs/comm/mailing/cibles.php | 2 +- htdocs/comm/propal/class/propal.class.php | 2 +- htdocs/comm/prospect/index.php | 2 +- htdocs/commande/class/commande.class.php | 4 ++-- htdocs/commande/customer.php | 2 +- htdocs/compta/bank/class/account.class.php | 7 ++++--- htdocs/compta/bank/line.php | 2 +- htdocs/compta/cashcontrol/report.php | 2 +- htdocs/compta/clients.php | 2 +- htdocs/compta/facture/class/facture.class.php | 2 +- .../prelevement/class/bonprelevement.class.php | 2 +- .../prelevement/class/ligneprelevement.class.php | 2 +- 
htdocs/compta/prelevement/list.php | 2 +- htdocs/compta/prelevement/rejets.php | 2 +- .../sociales/class/chargesociales.class.php | 2 +- htdocs/compta/sociales/list.php | 2 +- htdocs/contact/list.php | 2 +- htdocs/contrat/index.php | 10 +++++----- htdocs/contrat/services_list.php | 2 +- htdocs/core/class/commoninvoice.class.php | 4 ++-- htdocs/core/class/commonobject.class.php | 4 ++-- htdocs/core/lib/company.lib.php | 6 +++--- .../movement/doc/pdf_standard.modules.php | 2 +- htdocs/core/website.inc.php | 2 +- htdocs/don/class/don.class.php | 2 +- htdocs/expedition/class/expedition.class.php | 8 ++++---- htdocs/fichinter/card-rec.php | 2 +- htdocs/fichinter/class/fichinter.class.php | 2 +- htdocs/fichinter/list.php | 2 +- .../fourn/class/fournisseur.commande.class.php | 2 +- htdocs/loan/list.php | 2 +- htdocs/mrp/mo_movements.php | 2 +- htdocs/product/class/product.class.php | 4 ++-- htdocs/product/stock/stockatdate.php | 2 +- htdocs/projet/list.php | 2 +- htdocs/reception/class/reception.class.php | 4 ++-- htdocs/societe/index.php | 2 +- .../class/supplier_proposal.class.php | 2 +- htdocs/supplier_proposal/index.php | 2 +- htdocs/user/class/usergroup.class.php | 2 +- 70 files changed, 109 insertions(+), 108 deletions(-) diff --git a/htdocs/accountancy/admin/accountmodel.php b/htdocs/accountancy/admin/accountmodel.php index 7c05a9a0da4..f0fd9702009 100644 --- a/htdocs/accountancy/admin/accountmodel.php +++ b/htdocs/accountancy/admin/accountmodel.php @@ -442,7 +442,7 @@ if ($id) { } else { $sql .= " WHERE "; } - $sql .= " c.rowid = ".$search_country_id; + $sql .= " c.rowid = ".((int) $search_country_id); } // If sort order is "country", we use country_code instead diff --git a/htdocs/accountancy/bookkeeping/card.php b/htdocs/accountancy/bookkeeping/card.php index e3cac139c08..f91b1821df4 100644 --- a/htdocs/accountancy/bookkeeping/card.php +++ b/htdocs/accountancy/bookkeeping/card.php 
@@ -563,7 +563,7 @@ if ($action == 'create') { { $sqlmid = 'SELECT rowid as ref'; $sqlmid .= " FROM ".MAIN_DB_PREFIX."facture as fac"; - $sqlmid .= " WHERE fac.rowid=" . $object->fk_doc; + $sqlmid .= " WHERE fac.rowid=" . ((int) $object->fk_doc); dol_syslog("accountancy/bookkeeping/card.php::sqlmid=" . $sqlmid, LOG_DEBUG); $resultmid = $db->query($sqlmid); if ($resultmid) { diff --git a/htdocs/accountancy/class/accountancycategory.class.php b/htdocs/accountancy/class/accountancycategory.class.php index 9550933f2d8..d8e1598d1ac 100644 --- a/htdocs/accountancy/class/accountancycategory.class.php +++ b/htdocs/accountancy/class/accountancycategory.class.php @@ -473,7 +473,7 @@ class AccountancyCategory // extends CommonObject $sql .= " SELECT DISTINCT aa.account_number"; $sql .= " FROM ".MAIN_DB_PREFIX."accounting_account as aa"; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_system as asy ON aa.fk_pcg_version = asy.pcg_version"; - $sql .= " AND asy.rowid = ".$conf->global->CHARTOFACCOUNTS; + $sql .= " AND asy.rowid = ".((int) $conf->global->CHARTOFACCOUNTS); $sql .= " AND aa.active = 1"; $sql .= " AND aa.entity = ".$conf->entity.")"; $sql .= " GROUP BY t.numero_compte, t.label_operation, t.doc_ref"; @@ -562,7 +562,7 @@ class AccountancyCategory // extends CommonObject $sql = "SELECT aa.rowid, aa.account_number"; $sql .= " FROM ".MAIN_DB_PREFIX."accounting_account as aa"; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_system as asy ON aa.fk_pcg_version = asy.pcg_version"; - $sql .= " AND asy.rowid = ".$conf->global->CHARTOFACCOUNTS; + $sql .= " AND asy.rowid = ".((int) $conf->global->CHARTOFACCOUNTS); $sql .= " AND aa.active = 1"; $sql .= " AND aa.entity = ".$conf->entity; $sql .= " ORDER BY LENGTH(aa.account_number) DESC;"; // LENGTH is ok with mysql and postgresql 
@@ -589,8 +589,8 @@ class AccountancyCategory // extends CommonObject $accountincptsadded[$account_number_formated] = 1; // We found an account number that is in list $cpts of account to add $sql = "UPDATE ".MAIN_DB_PREFIX."accounting_account"; - $sql .= " SET fk_accounting_category=".$id_cat; - $sql .= " WHERE rowid=".$obj->rowid; + $sql .= " SET fk_accounting_category=".((int) $id_cat); + $sql .= " WHERE rowid=".((int) $obj->rowid); dol_syslog(__METHOD__, LOG_DEBUG); $resqlupdate = $this->db->query($sql); if (!$resqlupdate) { @@ -629,7 +629,7 @@ class AccountancyCategory // extends CommonObject $sql = "UPDATE ".MAIN_DB_PREFIX."accounting_account as aa"; $sql .= " SET fk_accounting_category= 0"; - $sql .= " WHERE aa.rowid= ".$cpt_id; + $sql .= " WHERE aa.rowid = ".((int) $cpt_id); $this->db->begin(); dol_syslog(__METHOD__." sql=".$sql, LOG_DEBUG); diff --git a/htdocs/accountancy/class/accountingaccount.class.php b/htdocs/accountancy/class/accountingaccount.class.php index a7d89c45294..28601380ac1 100644 --- a/htdocs/accountancy/class/accountingaccount.class.php +++ b/htdocs/accountancy/class/accountingaccount.class.php @@ -347,10 +347,10 @@ class AccountingAccount extends CommonObject $sql .= " , label = ".($this->label ? "'".$this->db->escape($this->label)."'" : "''"); $sql .= " , labelshort = ".($this->labelshort ? "'".$this->db->escape($this->labelshort)."'" : "''"); $sql .= " , fk_accounting_category = ".(empty($this->account_category) ? 0 : (int) $this->account_category); - $sql .= " , fk_user_modif = ".$user->id; + $sql .= " , fk_user_modif = ".((int) $user->id); $sql .= " , active = ".(int) $this->active; $sql .= " , reconcilable = ".(int) $this->reconcilable; - $sql .= " WHERE rowid = ".$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(get_class($this)."::update sql=".$sql, LOG_DEBUG); $result = $this->db->query($sql); 
diff --git a/htdocs/accountancy/class/bookkeeping.class.php b/htdocs/accountancy/class/bookkeeping.class.php index 6220904dbe8..00ed8879076 100644 --- a/htdocs/accountancy/class/bookkeeping.class.php +++ b/htdocs/accountancy/class/bookkeeping.class.php @@ -1860,7 +1860,7 @@ class BookKeeping extends CommonObject $sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "accounting_account as aa ON aa.account_number = ab.numero_compte"; $sql .= " AND aa.active = 1"; $sql .= " INNER JOIN " . MAIN_DB_PREFIX . "accounting_system as asy ON aa.fk_pcg_version = asy.pcg_version"; - $sql .= " AND asy.rowid = " . $pcgver; + $sql .= " AND asy.rowid = " . ((int) $pcgver); $sql .= " AND ab.entity IN (" . getEntity('accountancy') . ")"; $sql .= " ORDER BY account_number ASC"; */ @@ -1893,7 +1893,7 @@ class BookKeeping extends CommonObject $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON aa.account_number = ab.numero_compte"; $sql .= " AND aa.active = 1"; $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_system as asy ON aa.fk_pcg_version = asy.pcg_version"; - $sql .= " AND asy.rowid = ".$pcgver; + $sql .= " AND asy.rowid = ".((int) $pcgver); $sql .= " AND ab.entity IN (".getEntity('accountancy').")"; $sql .= " ORDER BY account_number ASC"; diff --git a/htdocs/accountancy/customer/index.php b/htdocs/accountancy/customer/index.php index 0b32e2802c4..43daa2efa88 100644 --- a/htdocs/accountancy/customer/index.php +++ b/htdocs/accountancy/customer/index.php 
@@ -110,13 +110,13 @@ if ($action == 'validatehistory') { $sql1 = "UPDATE " . MAIN_DB_PREFIX . "facturedet"; $sql1 .= " SET fk_code_ventilation = accnt.rowid"; $sql1 .= " FROM " . MAIN_DB_PREFIX . "product as p, " . MAIN_DB_PREFIX . "accounting_account as accnt , " . MAIN_DB_PREFIX . "accounting_system as syst"; - $sql1 .= " WHERE " . MAIN_DB_PREFIX . "facturedet.fk_product = p.rowid AND accnt.fk_pcg_version = syst.pcg_version AND syst.rowid=" . $conf->global->CHARTOFACCOUNTS.' AND accnt.entity = '.$conf->entity; + $sql1 .= " WHERE " . MAIN_DB_PREFIX . "facturedet.fk_product = p.rowid AND accnt.fk_pcg_version = syst.pcg_version AND syst.rowid=" . ((int) $conf->global->CHARTOFACCOUNTS).' AND accnt.entity = '.$conf->entity; $sql1 .= " AND accnt.active = 1 AND p.accountancy_code_sell=accnt.account_number"; $sql1 .= " AND " . MAIN_DB_PREFIX . "facturedet.fk_code_ventilation = 0"; } else { $sql1 = "UPDATE " . MAIN_DB_PREFIX . "facturedet as fd, " . MAIN_DB_PREFIX . "product as p, " . MAIN_DB_PREFIX . "accounting_account as accnt , " . MAIN_DB_PREFIX . "accounting_system as syst"; $sql1 .= " SET fk_code_ventilation = accnt.rowid"; - $sql1 .= " WHERE fd.fk_product = p.rowid AND accnt.fk_pcg_version = syst.pcg_version AND syst.rowid=" . $conf->global->CHARTOFACCOUNTS.' AND accnt.entity = '.$conf->entity; + $sql1 .= " WHERE fd.fk_product = p.rowid AND accnt.fk_pcg_version = syst.pcg_version AND syst.rowid=" . ((int) $conf->global->CHARTOFACCOUNTS).' AND accnt.entity = '.$conf->entity; $sql1 .= " AND accnt.active = 1 AND p.accountancy_code_sell=accnt.account_number"; $sql1 .= " AND fd.fk_code_ventilation = 0"; }*/ diff --git a/htdocs/accountancy/expensereport/index.php b/htdocs/accountancy/expensereport/index.php index 38f7f596932..b4e85fd517a 100644 --- a/htdocs/accountancy/expensereport/index.php +++ b/htdocs/accountancy/expensereport/index.php 
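Review bot: Both edited lines sit inside a block that is commented out (the hunk closes with `}*/`), so the `(int)` cast on `$conf->global->CHARTOFACCOUNTS` here has no runtime effect. It is worth confirming that the live form of this `validatehistory` UPDATE elsewhere in the file, outside the hunk, received the same cast, otherwise the protection exists only in dead code. On the same two lines `' AND accnt.entity = '.$conf->entity` is still concatenated raw; `' AND accnt.entity = '.((int) $conf->entity)` keeps the whole predicate integer-safe if this code is ever restored.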
@@ -103,13 +103,13 @@ if ($action == 'validatehistory') { $sql1 = "UPDATE ".MAIN_DB_PREFIX."expensereport_det"; $sql1 .= " SET fk_code_ventilation = accnt.rowid"; $sql1 .= " FROM ".MAIN_DB_PREFIX."c_type_fees as t, ".MAIN_DB_PREFIX."accounting_account as accnt , ".MAIN_DB_PREFIX."accounting_system as syst"; - $sql1 .= " WHERE ".MAIN_DB_PREFIX."expensereport_det.fk_c_type_fees = t.id AND accnt.fk_pcg_version = syst.pcg_version AND syst.rowid=".$conf->global->CHARTOFACCOUNTS.' AND accnt.entity = '.$conf->entity; + $sql1 .= " WHERE ".MAIN_DB_PREFIX."expensereport_det.fk_c_type_fees = t.id AND accnt.fk_pcg_version = syst.pcg_version AND syst.rowid = ".((int) $conf->global->CHARTOFACCOUNTS).' AND accnt.entity = '.$conf->entity; $sql1 .= " AND accnt.active = 1 AND t.accountancy_code = accnt.account_number"; $sql1 .= " AND ".MAIN_DB_PREFIX."expensereport_det.fk_code_ventilation = 0"; } else { $sql1 = "UPDATE ".MAIN_DB_PREFIX."expensereport_det as erd, ".MAIN_DB_PREFIX."c_type_fees as t, ".MAIN_DB_PREFIX."accounting_account as accnt , ".MAIN_DB_PREFIX."accounting_system as syst"; $sql1 .= " SET erd.fk_code_ventilation = accnt.rowid"; - $sql1 .= " WHERE erd.fk_c_type_fees = t.id AND accnt.fk_pcg_version = syst.pcg_version AND syst.rowid=".$conf->global->CHARTOFACCOUNTS.' AND accnt.entity = '.$conf->entity; + $sql1 .= " WHERE erd.fk_c_type_fees = t.id AND accnt.fk_pcg_version = syst.pcg_version AND syst.rowid = ".((int) $conf->global->CHARTOFACCOUNTS).' AND accnt.entity = '.$conf->entity; $sql1 .= " AND accnt.active = 1 AND t.accountancy_code=accnt.account_number"; $sql1 .= " AND erd.fk_code_ventilation = 0"; } diff --git a/htdocs/accountancy/journal/bankjournal.php b/htdocs/accountancy/journal/bankjournal.php index 27b37c74932..741b2c9f038 100644 --- a/htdocs/accountancy/journal/bankjournal.php +++ b/htdocs/accountancy/journal/bankjournal.php 
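Review bot: In both branches of this live UPDATE the new cast covers `syst.rowid` but the same line still appends `' AND accnt.entity = '.$conf->entity` without one. `$conf->entity` is configuration-derived rather than request input, so the exposure is low, but the commit's stated rule is to integer-cast every numeric concatenation and this line is the one exception left in the statement; `' AND accnt.entity = '.((int) $conf->entity)` closes it. The `$sql1` execution and error handling follow outside the hunk.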
@@ -1323,42 +1323,42 @@ function getSourceDocRef($val, $typerecord) } elseif ($typerecord == 'payment_supplier') { $sqlmid = 'SELECT payfac.fk_facturefourn as id, f.ref'; $sqlmid .= " FROM ".MAIN_DB_PREFIX."paiementfourn_facturefourn as payfac, ".MAIN_DB_PREFIX."facture_fourn as f"; - $sqlmid .= " WHERE payfac.fk_facturefourn = f.rowid AND payfac.fk_paiementfourn=".$val["paymentsupplierid"]; + $sqlmid .= " WHERE payfac.fk_facturefourn = f.rowid AND payfac.fk_paiementfourn=".((int) $val["paymentsupplierid"]); $ref = $langs->transnoentitiesnoconv("SupplierInvoice"); } elseif ($typerecord == 'payment_expensereport') { $sqlmid = 'SELECT e.rowid as id, e.ref'; $sqlmid .= " FROM ".MAIN_DB_PREFIX."payment_expensereport as pe, ".MAIN_DB_PREFIX."expensereport as e"; - $sqlmid .= " WHERE pe.rowid=".$val["paymentexpensereport"]." AND pe.fk_expensereport = e.rowid"; + $sqlmid .= " WHERE pe.rowid=".((int) $val["paymentexpensereport"])." AND pe.fk_expensereport = e.rowid"; $ref = $langs->transnoentitiesnoconv("ExpenseReport"); } elseif ($typerecord == 'payment_salary') { $sqlmid = 'SELECT s.rowid as ref'; $sqlmid .= " FROM ".MAIN_DB_PREFIX."payment_salary as s"; - $sqlmid .= " WHERE s.rowid=".$val["paymentsalid"]; + $sqlmid .= " WHERE s.rowid=".((int) $val["paymentsalid"]); $ref = $langs->transnoentitiesnoconv("SalaryPayment"); } elseif ($typerecord == 'sc') { $sqlmid = 'SELECT sc.rowid as ref'; $sqlmid .= " FROM ".MAIN_DB_PREFIX."paiementcharge as sc"; - $sqlmid .= " WHERE sc.rowid=".$val["paymentscid"]; + $sqlmid .= " WHERE sc.rowid=".((int) $val["paymentscid"]); $ref = $langs->transnoentitiesnoconv("SocialContribution"); } elseif ($typerecord == 'payment_vat') { $sqlmid = 'SELECT v.rowid as ref'; $sqlmid .= " FROM ".MAIN_DB_PREFIX."tva as v"; - $sqlmid .= " WHERE v.rowid=".$val["paymentvatid"]; + $sqlmid .= " WHERE v.rowid=".((int) $val["paymentvatid"]); $ref = $langs->transnoentitiesnoconv("PaymentVat"); } elseif ($typerecord == 'payment_donation') { $sqlmid = 'SELECT 
payd.fk_donation as ref'; $sqlmid .= " FROM ".MAIN_DB_PREFIX."payment_donation as payd"; - $sqlmid .= " WHERE payd.fk_donation=".$val["paymentdonationid"]; + $sqlmid .= " WHERE payd.fk_donation=".((int) $val["paymentdonationid"]); $ref = $langs->transnoentitiesnoconv("Donation"); } elseif ($typerecord == 'payment_loan') { $sqlmid = 'SELECT l.rowid as ref'; $sqlmid .= " FROM ".MAIN_DB_PREFIX."payment_loan as l"; - $sqlmid .= " WHERE l.rowid=".$val["paymentloanid"]; + $sqlmid .= " WHERE l.rowid=".((int) $val["paymentloanid"]); $ref = $langs->transnoentitiesnoconv("LoanPayment"); } elseif ($typerecord == 'payment_various') { $sqlmid = 'SELECT v.rowid as ref'; $sqlmid .= " FROM ".MAIN_DB_PREFIX."payment_various as v"; - $sqlmid .= " WHERE v.rowid=".$val["paymentvariousid"]; + $sqlmid .= " WHERE v.rowid=".((int) $val["paymentvariousid"]); $ref = $langs->transnoentitiesnoconv("VariousPayment"); } // Add warning diff --git a/htdocs/accountancy/supplier/index.php b/htdocs/accountancy/supplier/index.php index 392551708de..91dd921f1fa 100644 --- a/htdocs/accountancy/supplier/index.php +++ b/htdocs/accountancy/supplier/index.php 
@@ -118,13 +118,13 @@ if ($action == 'validatehistory') { $sql1 = "UPDATE " . MAIN_DB_PREFIX . "facture_fourn_det"; $sql1 .= " SET fk_code_ventilation = accnt.rowid"; $sql1 .= " FROM " . MAIN_DB_PREFIX . "product as p, " . MAIN_DB_PREFIX . "accounting_account as accnt , " . MAIN_DB_PREFIX . "accounting_system as syst"; - $sql1 .= " WHERE " . MAIN_DB_PREFIX . "facture_fourn_det.fk_product = p.rowid AND accnt.fk_pcg_version = syst.pcg_version AND syst.rowid=" . $conf->global->CHARTOFACCOUNTS.' AND accnt.entity = '.$conf->entity; + $sql1 .= " WHERE " . MAIN_DB_PREFIX . "facture_fourn_det.fk_product = p.rowid AND accnt.fk_pcg_version = syst.pcg_version AND syst.rowid=" . ((int) $conf->global->CHARTOFACCOUNTS).' AND accnt.entity = '.$conf->entity; $sql1 .= " AND accnt.active = 1 AND p.accountancy_code_buy=accnt.account_number"; $sql1 .= " AND " . MAIN_DB_PREFIX . "facture_fourn_det.fk_code_ventilation = 0"; } else { $sql1 = "UPDATE " . MAIN_DB_PREFIX . "facture_fourn_det as fd, " . MAIN_DB_PREFIX . "product as p, " . MAIN_DB_PREFIX . "accounting_account as accnt , " . MAIN_DB_PREFIX . "accounting_system as syst"; $sql1 .= " SET fk_code_ventilation = accnt.rowid"; - $sql1 .= " WHERE fd.fk_product = p.rowid AND accnt.fk_pcg_version = syst.pcg_version AND syst.rowid=" . $conf->global->CHARTOFACCOUNTS.' AND accnt.entity = '.$conf->entity; + $sql1 .= " WHERE fd.fk_product = p.rowid AND accnt.fk_pcg_version = syst.pcg_version AND syst.rowid=" . ((int) $conf->global->CHARTOFACCOUNTS).' AND accnt.entity = '.$conf->entity; $sql1 .= " AND accnt.active = 1 AND p.accountancy_code_buy=accnt.account_number"; $sql1 .= " AND fd.fk_code_ventilation = 0"; }*/ diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php index 0299b32663c..d7dbeb9eb13 100644 --- a/htdocs/adherents/class/adherent.class.php +++ b/htdocs/adherents/class/adherent.class.php 
@@ -1597,8 +1597,8 @@ class Adherent extends CommonObject $inserturlid = $acct->add_url_line($insertid, $this->id, DOL_URL_ROOT.'/adherents/card.php?rowid=', $this->getFullname($langs), 'member'); if ($inserturlid > 0) { // Update table subscription - $sql = "UPDATE ".MAIN_DB_PREFIX."subscription SET fk_bank=".$insertid; - $sql .= " WHERE rowid=".$subscriptionid; + $sql = "UPDATE ".MAIN_DB_PREFIX."subscription SET fk_bank=".((int) $insertid); + $sql .= " WHERE rowid=".((int) $subscriptionid); dol_syslog("subscription::subscription", LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/adherents/class/adherent_type.class.php b/htdocs/adherents/class/adherent_type.class.php index b2f181e59be..d051c40810b 100644 --- a/htdocs/adherents/class/adherent_type.class.php +++ b/htdocs/adherents/class/adherent_type.class.php @@ -365,7 +365,7 @@ class AdherentType extends CommonObject $sql .= "note = '".$this->db->escape($this->note)."',"; $sql .= "vote = ".(integer) $this->db->escape($this->vote).","; $sql .= "mail_valid = '".$this->db->escape($this->mail_valid)."'"; - $sql .= " WHERE rowid =".$this->id; + $sql .= " WHERE rowid =".((int) $this->id); $result = $this->db->query($sql); if ($result) { diff --git a/htdocs/adherents/class/subscription.class.php b/htdocs/adherents/class/subscription.class.php index 65b01991100..95bbe79804f 100644 --- a/htdocs/adherents/class/subscription.class.php +++ b/htdocs/adherents/class/subscription.class.php @@ -217,7 +217,7 @@ class Subscription extends CommonObject $sql .= " datef,"; $sql .= " subscription, note, fk_bank"; $sql .= " FROM ".MAIN_DB_PREFIX."subscription"; - $sql .= " WHERE rowid=".$rowid; + $sql .= " WHERE rowid=".((int) $rowid); dol_syslog(get_class($this)."::fetch", LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/adherents/list.php b/htdocs/adherents/list.php index 9560a284e2a..b713362912e 100644 --- a/htdocs/adherents/list.php +++ b/htdocs/adherents/list.php 
@@ -318,7 +318,7 @@ if ($sall) { $sql .= natural_search(array_keys($fieldstosearchall), $sall); } if ($search_type > 0) { - $sql .= " AND t.rowid=".$db->escape($search_type); + $sql .= " AND t.rowid=".((int) $search_type); } if ($search_filter == 'withoutsubscription') { $sql .= " AND (datefin IS NULL OR t.subscription = 0)"; diff --git a/htdocs/adherents/subscription.php b/htdocs/adherents/subscription.php index 54729e5ba8a..ec9b2c3a65e 100644 --- a/htdocs/adherents/subscription.php +++ b/htdocs/adherents/subscription.php @@ -677,7 +677,7 @@ if ($rowid > 0) { $sql .= " FROM ".MAIN_DB_PREFIX."adherent as d, ".MAIN_DB_PREFIX."subscription as c"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."bank as b ON c.fk_bank = b.rowid"; $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."bank_account as ba ON b.fk_account = ba.rowid"; - $sql .= " WHERE d.rowid = c.fk_adherent AND d.rowid=".$rowid; + $sql .= " WHERE d.rowid = c.fk_adherent AND d.rowid=".((int) $rowid); $sql .= $db->order($sortfield, $sortorder); $result = $db->query($sql); diff --git a/htdocs/adherents/subscription/list.php b/htdocs/adherents/subscription/list.php index 7322f92fccd..55cafade309 100644 --- a/htdocs/adherents/subscription/list.php +++ b/htdocs/adherents/subscription/list.php @@ -170,7 +170,7 @@ if (isset($date_select) && $date_select != '') { } if ($search_ref) { if (is_numeric($search_ref)) { - $sql .= " AND (c.rowid = ".$db->escape($search_ref).")"; + $sql .= " AND c.rowid = ".((int) $search_ref); } else { $sql .= " AND 1 = 2"; // Always wrong } diff --git a/htdocs/adherents/type.php b/htdocs/adherents/type.php index 25c44baa7db..c9b98784142 100644 --- a/htdocs/adherents/type.php +++ b/htdocs/adherents/type.php 
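Review bot: The guard `is_numeric($search_ref)` still admits decimal and exponent forms, so with the new cast a search for `12.5` or `1e1` silently becomes `c.rowid = 12` / `c.rowid = 10` (PHP 7.1+ semantics) and matches an unrelated subscription instead of falling through to the `AND 1 = 2` branch. Since the value is cast anyway, a stricter guard keeps the two branches honest: `if (ctype_digit((string) $search_ref)) {`. Where `$search_ref` is read from the request is outside the hunk, so if GETPOST already restricts it to an integer this is moot.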
@@ -500,7 +500,7 @@ if ($rowid > 0) { $sql .= " FROM ".MAIN_DB_PREFIX."adherent as d, ".MAIN_DB_PREFIX."adherent_type as t"; $sql .= " WHERE d.fk_adherent_type = t.rowid "; $sql .= " AND d.entity IN (".getEntity('adherent').")"; - $sql .= " AND t.rowid = ".$object->id; + $sql .= " AND t.rowid = ".((int) $object->id); if ($sall) { $sql .= natural_search(array("f.firstname", "d.lastname", "d.societe", "d.email", "d.login", "d.address", "d.town", "d.note_public", "d.note_private"), $sall); } diff --git a/htdocs/admin/boxes.php b/htdocs/admin/boxes.php index e8793ca3c30..fc3e30a484b 100644 --- a/htdocs/admin/boxes.php +++ b/htdocs/admin/boxes.php @@ -156,7 +156,7 @@ if ($action == 'delete') { $sql = "DELETE FROM ".MAIN_DB_PREFIX."boxes"; $sql .= " WHERE entity = ".$conf->entity; - $sql .= " AND box_id=".$obj->box_id; + $sql .= " AND box_id=".((int) $obj->box_id); $resql = $db->query($sql); @@ -255,7 +255,7 @@ if ($resql) { // We renumber the order of the boxes if one of them is in '' // This occurs just after an insert. if ($decalage) { - $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$db->escape($decalage)."' WHERE rowid=".$obj->rowid; + $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$db->escape($decalage)."' WHERE rowid=".((int) $obj->rowid); $db->query($sql); } } diff --git a/htdocs/admin/dict.php b/htdocs/admin/dict.php index 636278dd6fb..455c01d0337 100644 --- a/htdocs/admin/dict.php +++ b/htdocs/admin/dict.php @@ -1151,7 +1151,7 @@ if ($id) { $sql .= " WHERE 1 = 1"; } if ($search_country_id > 0) { - $sql .= " AND c.rowid = ".$search_country_id; + $sql .= " AND c.rowid = ".((int) $search_country_id); } if ($search_code != '' && $id == 9) { $sql .= natural_search("code_iso", $search_code); diff --git a/htdocs/admin/external_rss.php b/htdocs/admin/external_rss.php index b8b412ad6f8..71086096e4f 100644 --- a/htdocs/admin/external_rss.php +++ b/htdocs/admin/external_rss.php 
@@ -136,7 +136,7 @@ if (GETPOST("delete")) { $sql = "DELETE FROM ".MAIN_DB_PREFIX."boxes"; $sql .= " WHERE entity = ".$conf->entity; - $sql .= " AND box_id = ".$obj->rowid; + $sql .= " AND box_id = ".((int) $obj->rowid); $resql = $db->query($sql); $sql = "DELETE FROM ".MAIN_DB_PREFIX."boxes_def"; diff --git a/htdocs/admin/security.php b/htdocs/admin/security.php index 9ce22b7c08e..e3521f1d0af 100644 --- a/htdocs/admin/security.php +++ b/htdocs/admin/security.php @@ -71,7 +71,7 @@ if ($action == 'activate_encrypt') { if (dol_hash($obj->pass)) { $sql = "UPDATE ".MAIN_DB_PREFIX."user"; $sql .= " SET pass_crypted = '".dol_hash($obj->pass)."', pass = NULL"; - $sql .= " WHERE rowid=".$obj->rowid; + $sql .= " WHERE rowid=".((int) $obj->rowid); //print $sql; $resql2 = $db->query($sql); diff --git a/htdocs/asset/class/asset_type.class.php b/htdocs/asset/class/asset_type.class.php index 99205d2b3f3..36c654c28ba 100644 --- a/htdocs/asset/class/asset_type.class.php +++ b/htdocs/asset/class/asset_type.class.php @@ -188,7 +188,7 @@ class AssetType extends CommonObject $sql .= "accountancy_code_depreciation_asset = '".$this->db->escape($this->accountancy_code_depreciation_asset)."',"; $sql .= "accountancy_code_depreciation_expense = '".$this->db->escape($this->accountancy_code_depreciation_expense)."',"; $sql .= "note = '".$this->db->escape($this->note)."'"; - $sql .= " WHERE rowid =".$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); $result = $this->db->query($sql); if ($result) { diff --git a/htdocs/blockedlog/class/authority.class.php b/htdocs/blockedlog/class/authority.class.php index 9fc10fdc59e..2071eb03c47 100644 --- a/htdocs/blockedlog/class/authority.class.php +++ b/htdocs/blockedlog/class/authority.class.php 
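Review bot: The UPDATE that the new `WHERE rowid=".((int) $obj->rowid)` belongs to still builds `pass_crypted` from `dol_hash($obj->pass)` unescaped, and computes that hash twice (once in the `if`, once in the statement). Hashing once and escaping keeps the statement safe for whatever string format `dol_hash` is configured to return: `$hashed = $db->escape(dol_hash($obj->pass));` then `$sql .= " SET pass_crypted = '".$hashed."', pass = NULL";` with `if ($hashed)` as the guard. The loop that produces `$obj` is outside the hunk.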
@@ -148,7 +148,7 @@ class BlockedLogAuthority global $langs; - dol_syslog(get_class($this)."::fetch id=".$id, LOG_DEBUG); + dol_syslog(get_class($this)."::fetch id=".((int) $id), LOG_DEBUG); if (empty($id) && empty($signature)) { $this->error = 'BadParameter'; diff --git a/htdocs/bookmarks/class/bookmark.class.php b/htdocs/bookmarks/class/bookmark.class.php index 4fe8c3cee83..9a5b3a53c20 100644 --- a/htdocs/bookmarks/class/bookmark.class.php +++ b/htdocs/bookmarks/class/bookmark.class.php @@ -219,7 +219,7 @@ class Bookmark extends CommonObject $sql .= " ,title = '".$this->db->escape($this->title)."'"; $sql .= " ,favicon = '".$this->db->escape($this->favicon)."'"; $sql .= " ,position = ".(int) $this->position; - $sql .= " WHERE rowid = ".$this->id; + $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog("Bookmark::update", LOG_DEBUG); if ($this->db->query($sql)) { diff --git a/htdocs/categories/class/categorie.class.php b/htdocs/categories/class/categorie.class.php index 1f467b507d1..51079636d4f 100644 --- a/htdocs/categories/class/categorie.class.php +++ b/htdocs/categories/class/categorie.class.php @@ -1470,7 +1470,7 @@ class Categorie extends CommonObject // Load bank categories $sql = "SELECT c.label, c.rowid"; $sql .= " FROM ".MAIN_DB_PREFIX."bank_class as a, ".MAIN_DB_PREFIX."bank_categ as c"; - $sql .= " WHERE a.lineid=".$id." AND a.fk_categ = c.rowid"; + $sql .= " WHERE a.lineid=".((int) $id)." AND a.fk_categ = c.rowid"; $sql .= " AND c.entity IN (".getEntity('category').")"; $sql .= " ORDER BY c.label"; diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php index f7ceea4743d..d8bcd0efb1b 100644 --- a/htdocs/comm/action/class/actioncomm.class.php +++ b/htdocs/comm/action/class/actioncomm.class.php 
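Review bot: The cast on this line only changes the debug log text, `dol_syslog(get_class($this)."::fetch id=".((int) $id), LOG_DEBUG)`; it does not reach the SQL that `fetch()` builds further down, outside the hunk, and it makes the log print `0` for a non-numeric `$id`, hiding the value actually passed in. The protective cast belongs on the query's `WHERE` clause below; if that line still concatenates `$id` raw it should read `" WHERE rowid = ".((int) $id)` (or whichever column the lookup uses), and the log line can keep `$id` as is. The `fetch` body starts before and continues after this hunk.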
@@ -2436,7 +2436,7 @@ class ActionComm extends CommonObject $sql = "UPDATE ".MAIN_DB_PREFIX."actioncomm "; $sql .= " SET percent = ".(int) $percent; - $sql .= " WHERE id=".$id; + $sql .= " WHERE id = ".((int) $id); if ($this->db->query($sql)) { $this->db->commit(); diff --git a/htdocs/comm/action/index.php b/htdocs/comm/action/index.php index 33e4fabe2aa..be0884a5556 100644 --- a/htdocs/comm/action/index.php +++ b/htdocs/comm/action/index.php @@ -720,7 +720,7 @@ if ($action == 'show_day') { $sql .= ')'; } if ($type) { - $sql .= " AND ca.id = ".$type; + $sql .= " AND ca.id = ".((int) $type); } if ($status == '0') { $sql .= " AND a.percent = 0"; diff --git a/htdocs/comm/action/pertype.php b/htdocs/comm/action/pertype.php index 8d436f0e0f6..19f8a8ce31c 100644 --- a/htdocs/comm/action/pertype.php +++ b/htdocs/comm/action/pertype.php @@ -592,7 +592,7 @@ if ($action == 'show_day') { $sql .= ')'; } if ($type) { - $sql .= " AND ca.id = ".$type; + $sql .= " AND ca.id = ".((int) $type); } if ($status == '0') { $sql .= " AND a.percent = 0"; diff --git a/htdocs/comm/action/peruser.php b/htdocs/comm/action/peruser.php index 3ad2d31b353..62af33b34ee 100644 --- a/htdocs/comm/action/peruser.php +++ b/htdocs/comm/action/peruser.php @@ -613,7 +613,7 @@ if ($action == 'show_day') { $sql .= ')'; } if ($type) { - $sql .= " AND ca.id = ".$type; + $sql .= " AND ca.id = ".((int) $type); } if ($status == '0') { $sql .= " AND a.percent = 0"; diff --git a/htdocs/comm/index.php b/htdocs/comm/index.php index 60a6bd5974b..5c2360624a4 100644 --- a/htdocs/comm/index.php +++ b/htdocs/comm/index.php @@ -219,7 +219,7 @@ if (!empty($conf->supplier_proposal->enabled) && $user->rights->supplier_proposa $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } if ($socid) { - $sql .= " AND s.rowid = ".$socid; + $sql .= " AND s.rowid = ".((int) $socid); } $resql = $db->query($sql); 
@@ -605,7 +605,7 @@ if (((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_S $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } if ($socid) { - $sql .= " AND s.rowid = ".$socid; + $sql .= " AND s.rowid = ".((int) $socid); } $sql .= " ORDER BY s.datec DESC"; $sql .= $db->plimit($max, 0); @@ -711,7 +711,7 @@ if (!empty($conf->contrat->enabled) && $user->rights->contrat->lire && 0) { // T $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } if ($socid) { - $sql .= " AND s.rowid = ".$socid; + $sql .= " AND s.rowid = ".((int) $socid); } $sql .= " ORDER BY c.tms DESC"; $sql .= $db->plimit($max + 1, 0); @@ -786,7 +786,7 @@ if (!empty($conf->propal->enabled) && $user->rights->propal->lire) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } if ($socid) { - $sql .= " AND s.rowid = ".$socid; + $sql .= " AND s.rowid = ".((int) $socid); } $sql .= " ORDER BY p.rowid DESC"; @@ -902,7 +902,7 @@ if (!empty($conf->commande->enabled) && $user->rights->commande->lire) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } if ($socid) { - $sql .= " AND s.rowid = ".$socid; + $sql .= " AND s.rowid = ".((int) $socid); } $sql .= " ORDER BY c.rowid DESC"; diff --git a/htdocs/comm/mailing/advtargetemailing.php b/htdocs/comm/mailing/advtargetemailing.php index 2487e772373..bd052f4161e 100644 --- a/htdocs/comm/mailing/advtargetemailing.php +++ b/htdocs/comm/mailing/advtargetemailing.php @@ -379,7 +379,7 @@ if ($action == 'deletefilter') { if ($action == 'delete') { // Ici, rowid indique le destinataire et id le mailing - $sql = "DELETE FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE rowid=".$rowid; + $sql = "DELETE FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE rowid = ".((int) $rowid); $resql = $db->query($sql); if ($resql) { if (!empty($id)) { diff --git a/htdocs/comm/mailing/cibles.php b/htdocs/comm/mailing/cibles.php index d9557845492..27859403d96 100644 --- a/htdocs/comm/mailing/cibles.php 
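Review bot: `$socid` is now cast on the `s.rowid` predicate, but the line immediately above it in the same hunk, `" AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id`, still concatenates `$user->id` raw, and the same pairing repeats in every hunk of this file. `$user->id` comes from the session rather than the request, so the practical exposure is low, but casting it keeps the rule uniform: `" AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id)`. The SELECT and FROM parts of the query are outside the hunk.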
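Review bot: The `DELETE FROM ...mailing_cibles WHERE rowid = ".((int) $rowid)` is now cast-safe but is still keyed on `$rowid` alone; the comment above it says `$id` is the mailing and `$rowid` the recipient, yet `$id` is not part of the predicate, so anyone who can reach this action on one mailing can delete a target row of any other mailing by guessing its rowid. If `mailing_cibles` carries a foreign key to the mailing (I cannot see the schema from here), scoping the delete closes that: `... WHERE rowid = ".((int) $rowid)." AND fk_mailing = ".((int) $id);`. The permission check gating `$action == 'delete'` is outside the hunk, so I cannot confirm what it verifies.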
+++ b/htdocs/comm/mailing/cibles.php @@ -167,7 +167,7 @@ if (GETPOST('exportcsv', 'int')) { if ($action == 'delete') { // Ici, rowid indique le destinataire et id le mailing - $sql = "DELETE FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE rowid=".$rowid; + $sql = "DELETE FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE rowid = ".((int) $rowid); $resql = $db->query($sql); if ($resql) { if (!empty($id)) { diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php index ffee98ffbba..441020c9b5d 100644 --- a/htdocs/comm/propal/class/propal.class.php +++ b/htdocs/comm/propal/class/propal.class.php @@ -1477,7 +1477,7 @@ class Propal extends CommonObject $sql .= " WHERE p.entity IN (".getEntity('propal').")"; // Dont't use entity if you use rowid $sql .= " AND p.ref='".$this->db->escape($ref)."'"; } else { - $sql .= " WHERE p.rowid=".$rowid; + $sql .= " WHERE p.rowid = ".((int) $rowid); } dol_syslog(get_class($this)."::fetch", LOG_DEBUG); diff --git a/htdocs/comm/prospect/index.php b/htdocs/comm/prospect/index.php index 3aacd070ae4..8883e0af6f3 100644 --- a/htdocs/comm/prospect/index.php +++ b/htdocs/comm/prospect/index.php @@ -194,7 +194,7 @@ if (!empty($conf->propal->enabled) && $user->rights->propale->lire) { $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id; } if ($socid) { - $sql .= " AND s.rowid = ".$socid; + $sql .= " AND s.rowid = ".((int) $socid); } $sql .= " ORDER BY p.rowid DESC"; $sql .= $db->plimit(5, 0); diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php index 635e561eaef..c89ad9340d2 100644 --- a/htdocs/commande/class/commande.class.php +++ b/htdocs/commande/class/commande.class.php 
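Review bot: Same delete as in advtargetemailing.php: `DELETE FROM ...mailing_cibles WHERE rowid = ".((int) $rowid)` is no longer injectable but is not scoped to the mailing `$id` that the comment says identifies it, so the row of a different mailing can be removed by rowid. Assuming the table has a mailing foreign key, `... WHERE rowid = ".((int) $rowid)." AND fk_mailing = ".((int) $id);` ties the delete to the mailing the user is actually editing. The permission check preceding this action is outside the hunk.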
@@ -1807,7 +1807,7 @@ class Commande extends CommonOrder
 $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_incoterms as i ON c.fk_incoterms = i.rowid';
 if ($id) {
- $sql .= " WHERE c.rowid=".$id;
+ $sql .= " WHERE c.rowid=".((int) $id);
 } else {
 $sql .= " WHERE c.entity IN (".getEntity('commande').")"; // Dont't use entity if you use rowid
 }
@@ -2687,7 +2687,7 @@ class Commande extends CommonOrder
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 if ($draft) {
 $sql .= " AND c.fk_statut = ".self::STATUS_DRAFT;
diff --git a/htdocs/commande/customer.php b/htdocs/commande/customer.php
index 4f75ca3d4c5..6dfa898a024 100644
--- a/htdocs/commande/customer.php
+++ b/htdocs/commande/customer.php
@@ -105,7 +105,7 @@ if (dol_strlen($begin)) {
 $sql .= " AND s.nom like '".$db->escape($begin)."'";
 }
 if ($socid > 0) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= " AND c.fk_statut in (1, 2) AND c.facture = 0";
 $sql .= " GROUP BY s.nom";
diff --git a/htdocs/compta/bank/class/account.class.php b/htdocs/compta/bank/class/account.class.php
index 943fef0c32a..13c2bdba4ce 100644
--- a/htdocs/compta/bank/class/account.class.php
+++ b/htdocs/compta/bank/class/account.class.php
@@ -509,6 +509,7 @@ class Account extends CommonObject
 }
 // Clean parameters
+ $label = $emetteur = trim($emetteur);
 $banque = trim($banque);
@@ -516,7 +517,7 @@ class Account extends CommonObject
 if (is_numeric($oper)) { // Clean operation to have a code instead of a rowid
 $sql = "SELECT code FROM ".MAIN_DB_PREFIX."c_paiement";
- $sql .= " WHERE id=".$oper;
+ $sql .= " WHERE id = ".((int) $oper);
 $sql .= " AND entity IN (".getEntity('c_paiement').")";
 $resql = $this->db->query($sql);
 if ($resql) {
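Review bot: As rendered here, the line added in the 509 hunk of account.class.php reads `$label = $emetteur = trim($emetteur);`, which would overwrite `$label` with the trimmed emitter value instead of cleaning the label itself; if trimming the label was the intent, it should be `$label = trim($label);` on its own line. If the diff rendering merely lost a line break between `$label = …` and `$emetteur = trim($emetteur);`, disregard this. The enclosing method's signature is above the hunk, so whether `$label` is a parameter here cannot be confirmed from this view.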
@@ -1223,7 +1224,7 @@ class Account extends CommonObject
 $sql .= " AND (ba.rappro = 1 AND ba.courant != 2)"; // Compte rapprochable
 $sql .= " AND clos = 0";
 if ($filteraccountid) {
- $sql .= " AND ba.rowid = ".$filteraccountid;
+ $sql .= " AND ba.rowid = ".((int) $filteraccountid);
 }
 $resql = $this->db->query($sql);
@@ -1278,7 +1279,7 @@ class Account extends CommonObject
 $sql .= " AND (ba.rappro = 1 AND ba.courant != 2)"; // Compte rapprochable
 $sql .= " AND clos = 0";
 if ($filteraccountid) {
- $sql .= " AND ba.rowid = ".$filteraccountid;
+ $sql .= " AND ba.rowid = ".((int) $filteraccountid);
 }
 $resql = $this->db->query($sql);
diff --git a/htdocs/compta/bank/line.php b/htdocs/compta/bank/line.php
index bfea7c74b60..3aa477dfc9c 100644
--- a/htdocs/compta/bank/line.php
+++ b/htdocs/compta/bank/line.php
@@ -268,7 +268,7 @@ $sql = "SELECT b.rowid,b.dateo as do,b.datev as dv, b.amount, b.label, b.rappro,
 $sql .= " b.num_releve, b.fk_user_author, b.num_chq, b.fk_type, b.fk_account, b.fk_bordereau as receiptid,";
 $sql .= " b.emetteur,b.banque";
 $sql .= " FROM ".MAIN_DB_PREFIX."bank as b";
-$sql .= " WHERE rowid=".$rowid;
+$sql .= " WHERE rowid=".((int) $rowid);
 $sql .= " ORDER BY dateo ASC";
 $result = $db->query($sql);
 if ($result) {
diff --git a/htdocs/compta/cashcontrol/report.php b/htdocs/compta/cashcontrol/report.php
index add61ac086c..653161ca3bc 100644
--- a/htdocs/compta/cashcontrol/report.php
+++ b/htdocs/compta/cashcontrol/report.php
@@ -342,7 +342,7 @@ if ($resql) {
 $sql .= "SET";
 $sql .= " cash='".$db->escape($cash)."'";
 $sql .= ", card='".$db->escape($bank)."'";
- $sql .= " where rowid=".$id;
+ $sql .= " where rowid = ".((int) $id);
 $db->query($sql);
 */
diff --git a/htdocs/compta/clients.php b/htdocs/compta/clients.php
index 191038ed28a..60924dae644 100644
--- a/htdocs/compta/clients.php
+++ b/htdocs/compta/clients.php
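Review bot: The 342 hunk of cashcontrol/report.php edits a line inside a commented-out block — the closing `*/` is visible two lines below — so the change has no runtime effect. Dead SQL-building code is a maintenance hazard because it tends to be resurrected verbatim later, so removing the block would be the cleaner option than hardening it. Whether the opening `/*` sits above the hunk cannot be seen from here.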
@@ -127,7 +127,7 @@ if (dol_strlen($begin)) {
 $sql .= natural_search("s.nom", $begin);
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= " ORDER BY $sortfield $sortorder ";
 $sql .= $db->plimit($conf->liste_limit + 1, $offset);
diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php
index b949877dc82..9ae760220a4 100644
--- a/htdocs/compta/facture/class/facture.class.php
+++ b/htdocs/compta/facture/class/facture.class.php
@@ -1604,7 +1604,7 @@ class Facture extends CommonInvoice
 $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_incoterms as i ON f.fk_incoterms = i.rowid';
 if ($rowid) {
- $sql .= " WHERE f.rowid=".$rowid;
+ $sql .= " WHERE f.rowid=".((int) $rowid);
 } else {
 $sql .= ' WHERE f.entity IN ('.getEntity('invoice').')'; // Dont't use entity if you use rowid
 if ($ref) {
diff --git a/htdocs/compta/prelevement/class/bonprelevement.class.php b/htdocs/compta/prelevement/class/bonprelevement.class.php
index 087911ce140..ea44a75899d 100644
--- a/htdocs/compta/prelevement/class/bonprelevement.class.php
+++ b/htdocs/compta/prelevement/class/bonprelevement.class.php
@@ -290,7 +290,7 @@ class BonPrelevement extends CommonObject
 $sql .= " FROM ".MAIN_DB_PREFIX."prelevement_bons as p";
 $sql .= " WHERE p.entity IN (".getEntity('invoice').")";
 if ($rowid > 0) {
- $sql .= " AND p.rowid = ".$rowid;
+ $sql .= " AND p.rowid = ".((int) $rowid);
 } else {
 $sql .= " AND p.ref = '".$this->db->escape($ref)."'";
 }
diff --git a/htdocs/compta/prelevement/class/ligneprelevement.class.php b/htdocs/compta/prelevement/class/ligneprelevement.class.php
index 6fa9b94b637..1c57feca37e 100644
--- a/htdocs/compta/prelevement/class/ligneprelevement.class.php
+++ b/htdocs/compta/prelevement/class/ligneprelevement.class.php
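Review bot: The context line right after the fix in compta/clients.php, `$sql .= " ORDER BY $sortfield $sortorder ";`, interpolates the sort column and direction straight into the query, which is the same class of unparameterised concatenation this commit is removing. Unless both values are whitelisted before this point (not visible in the hunk), the safe and portable form already used elsewhere in this patch is `$sql .= $db->order($sortfield, $sortorder);`, as the compta/prelevement/rejets.php hunk does.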
@@ -79,7 +79,7 @@ class LignePrelevement
 $sql .= ", pl.statut, pl.fk_soc";
 $sql .= " FROM ".MAIN_DB_PREFIX."prelevement_lignes as pl";
 $sql .= ", ".MAIN_DB_PREFIX."prelevement_bons as p";
- $sql .= " WHERE pl.rowid=".$rowid;
+ $sql .= " WHERE pl.rowid=".((int) $rowid);
 $sql .= " AND p.rowid = pl.fk_prelevement_bons";
 $sql .= " AND p.entity = ".$conf->entity;
diff --git a/htdocs/compta/prelevement/list.php b/htdocs/compta/prelevement/list.php
index 0818dbb61d1..feb69bdc7fb 100644
--- a/htdocs/compta/prelevement/list.php
+++ b/htdocs/compta/prelevement/list.php
@@ -125,7 +125,7 @@ if ($type == 'bank-transfer') {
 $sql .= " AND f.fk_soc = s.rowid";
 $sql .= " AND f.entity IN (".getEntity('invoice').")";
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 if ($search_line) {
 $sql .= " AND pl.rowid = '".$db->escape($search_line)."'";
diff --git a/htdocs/compta/prelevement/rejets.php b/htdocs/compta/prelevement/rejets.php
index fb03f2a6c6c..5aec35cf504 100644
--- a/htdocs/compta/prelevement/rejets.php
+++ b/htdocs/compta/prelevement/rejets.php
@@ -99,7 +99,7 @@ if ($type == 'bank-transfer') {
 $sql .= " AND p.type = 'debit-order'";
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= $db->order($sortfield, $sortorder);
 $sql .= $db->plimit($limit + 1, $offset);
diff --git a/htdocs/compta/sociales/class/chargesociales.class.php b/htdocs/compta/sociales/class/chargesociales.class.php
index 20cc2c82b0c..1977ac9791b 100644
--- a/htdocs/compta/sociales/class/chargesociales.class.php
+++ b/htdocs/compta/sociales/class/chargesociales.class.php
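Review bot: In the prelevement/list.php 125 hunk the context line `pl.rowid = '".$db->escape($search_line)."'` compares an integer column against a quoted, escaped string; that is injection-safe, but it relies on implicit string-to-integer coercion in the database and differs from the `((int) …)` idiom the fixed line just above now uses. `$sql .= " AND pl.rowid = ".((int) $search_line);` would make the two rowid filters in this hunk consistent and keep the column typed.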
@@ -147,7 +147,7 @@ class ChargeSociales extends CommonObject
 $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_paiement as p ON cs.fk_mode_reglement = p.id';
 $sql .= ' WHERE cs.entity IN ('.getEntity('tax').')';
 if ($ref) {
- $sql .= " AND cs.rowid = ".$ref;
+ $sql .= " AND cs.ref = '".$this->db->escape($ref)."'";
 } else {
 $sql .= " AND cs.rowid = ".((int) $id);
 }
diff --git a/htdocs/compta/sociales/list.php b/htdocs/compta/sociales/list.php
index ffebc7dcc73..2b0c3961759 100644
--- a/htdocs/compta/sociales/list.php
+++ b/htdocs/compta/sociales/list.php
@@ -195,7 +195,7 @@ $sql .= " WHERE cs.fk_type = c.id";
 $sql .= " AND cs.entity = ".$conf->entity;
 // Search criteria
 if ($search_ref) {
- $sql .= " AND cs.rowid=".$db->escape($search_ref);
+ $sql .= " AND cs.ref = '".$db->escape($search_ref)."'";
 }
 if ($search_label) {
 $sql .= natural_search("cs.libelle", $search_label);
diff --git a/htdocs/contact/list.php b/htdocs/contact/list.php
index b02856ceb3b..c7386c260ed 100644
--- a/htdocs/contact/list.php
+++ b/htdocs/contact/list.php
@@ -513,7 +513,7 @@ if ($type == "o") { // filtre sur type
 $sql .= " AND s.client IN (2, 3)";
 }
 if (!empty($socid)) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 // Add where from extra fields
 include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_search_sql.tpl.php';
diff --git a/htdocs/contrat/index.php b/htdocs/contrat/index.php
index 8ab94ca6793..aed4cba2fe1 100644
--- a/htdocs/contrat/index.php
+++ b/htdocs/contrat/index.php
@@ -323,11 +323,11 @@ if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= " GROUP BY c.rowid, c.ref, c.datec, c.tms, c.statut, s.nom, s.rowid";
 $sql .= " ORDER BY c.tms DESC";
-$sql .= " LIMIT ".$max;
+$sql .= $db->plimit($max);
 dol_syslog("contrat/index.php", LOG_DEBUG);
 $result = $db->query($sql);
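Review bot: The 147 hunk of chargesociales.class.php changes behaviour, not just escaping: the `$ref` branch previously compared `cs.rowid` with `$ref` and now compares `cs.ref` with the escaped string, so a caller that passed a numeric id through `$ref` will stop finding its row. If this corrects a latent bug, the commit message (currently only "Fix protect sql") should say so and the call sites of this fetch should be checked; if `$ref` is genuinely a reference string, the new line is the right one. The same semantic shift appears in the compta/sociales/list.php hunk, where `cs.rowid=` became `cs.ref = '…'`.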
@@ -398,7 +398,7 @@ if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= " ORDER BY cd.tms DESC";
@@ -480,7 +480,7 @@ if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= " ORDER BY cd.tms DESC";
@@ -562,7 +562,7 @@ if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= " ORDER BY cd.tms DESC";
diff --git a/htdocs/contrat/services_list.php b/htdocs/contrat/services_list.php
index 7247dc02c83..a0ecc6b4be8 100644
--- a/htdocs/contrat/services_list.php
+++ b/htdocs/contrat/services_list.php
@@ -288,7 +288,7 @@ if ($search_service) {
 $sql .= " AND (p.ref LIKE '%".$db->escape($search_service)."%' OR p.description LIKE '%".$db->escape($search_service)."%' OR cd.description LIKE '%".$db->escape($search_service)."%')";
 }
 if ($socid > 0) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $filter_dateouvertureprevue_start = dol_mktime(0, 0, 0, $opouvertureprevuemonth, $opouvertureprevueday, $opouvertureprevueyear);
diff --git a/htdocs/core/class/commoninvoice.class.php b/htdocs/core/class/commoninvoice.class.php
index 50d94da8531..81f2b529f1d 100644
--- a/htdocs/core/class/commoninvoice.class.php
+++ b/htdocs/core/class/commoninvoice.class.php
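Review bot: In the services_list.php 288 hunk the context line builds `LIKE '%".$db->escape($search_service)."%'` three times; `escape()` neutralises quote characters but, as far as this hunk shows, not the LIKE metacharacters `%` and `_`, so a search term containing them silently widens the match. That is not an injection, but if an exact-substring search is intended the term should also have those two characters escaped before it is spliced into the pattern. The hunk's own change is consistent with the rest of the patch.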
@@ -604,10 +604,10 @@ abstract class CommonInvoice extends CommonObject
 $sqltemp = 'SELECT c.type_cdr, c.nbjour, c.decalage';
 $sqltemp .= ' FROM '.MAIN_DB_PREFIX.'c_payment_term as c';
 if (is_numeric($cond_reglement)) {
- $sqltemp .= " WHERE c.rowid=".$cond_reglement;
+ $sqltemp .= " WHERE c.rowid=".((int) $cond_reglement);
 } else {
 $sqltemp .= " WHERE c.entity IN (".getEntity('c_payment_term').")";
- $sqltemp .= " AND c.code='".$this->db->escape($cond_reglement)."'";
+ $sqltemp .= " AND c.code = '".$this->db->escape($cond_reglement)."'";
 }
 dol_syslog(get_class($this).'::calculate_date_lim_reglement', LOG_DEBUG);
diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php
index a93acda2a17..2088263a2c2 100644
--- a/htdocs/core/class/commonobject.class.php
+++ b/htdocs/core/class/commonobject.class.php
@@ -3969,7 +3969,7 @@ abstract class CommonObject
 $sql = "DELETE FROM " . MAIN_DB_PREFIX . "element_element";
 $sql .= " WHERE";
 if ($rowid > 0) {
- $sql .= " rowid = " . $rowid;
+ $sql .= " rowid = " . ((int) $rowid);
 } else {
 if ($deletesource) {
 $sql .= " fk_source = " . $sourceid . " AND sourcetype = '" . $this->db->escape($sourcetype) . "'";
@@ -5012,7 +5012,7 @@ abstract class CommonObject
 $this->db->begin();
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."element_resources";
- $sql .= " WHERE rowid=".$rowid;
+ $sql .= " WHERE rowid = ".((int) $rowid);
 dol_syslog(get_class($this)."::delete_resource", LOG_DEBUG);
diff --git a/htdocs/core/lib/company.lib.php b/htdocs/core/lib/company.lib.php
index fb97d2e5361..7183e24dea5 100644
--- a/htdocs/core/lib/company.lib.php
+++ b/htdocs/core/lib/company.lib.php
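Review bot: The else branch of the commonobject.class.php 3969 hunk still concatenates `$sourceid` raw in `" fk_source = " . $sourceid . "`, while the `$rowid` branch two lines above is now cast. Presumably `$sourceid` is also an integer id, in which case `((int) $sourceid)` closes the same gap in the same DELETE statement; any target-side branch that follows is outside the hunk and should be checked the same way. The enclosing method starts above the hunk.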
@@ -504,11 +504,11 @@ function getCountry($searchkey, $withcode = '', $dbtouse = 0, $outputlangs = '',
 $sql = "SELECT rowid, code, label FROM ".MAIN_DB_PREFIX."c_country";
 if (is_numeric($searchkey)) {
- $sql .= " WHERE rowid=".$searchkey;
+ $sql .= " WHERE rowid = ".((int) $searchkey);
 } elseif (!empty($searchkey)) {
- $sql .= " WHERE code='".$db->escape($searchkey)."'";
+ $sql .= " WHERE code = '".$db->escape($searchkey)."'";
 } else {
- $sql .= " WHERE label='".$db->escape($searchlabel)."'";
+ $sql .= " WHERE label = '".$db->escape($searchlabel)."'";
 }
 $resql = $dbtouse->query($sql);
diff --git a/htdocs/core/modules/movement/doc/pdf_standard.modules.php b/htdocs/core/modules/movement/doc/pdf_standard.modules.php
index c8a0c50862b..c2817fb50f6 100644
--- a/htdocs/core/modules/movement/doc/pdf_standard.modules.php
+++ b/htdocs/core/modules/movement/doc/pdf_standard.modules.php
@@ -295,7 +295,7 @@ class pdf_stdandard extends ModelePDFMovement
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lot as pl ON m.batch = pl.batch AND m.fk_product = pl.fk_product";
 $sql .= " WHERE m.fk_product = p.rowid";
 if ($msid > 0) {
- $sql .= " AND m.rowid = ".$msid;
+ $sql .= " AND m.rowid = ".((int) $msid);
 }
 $sql .= " AND m.fk_entrepot = e.rowid";
 $sql .= " AND e.entity IN (".getEntity('stock').")";
diff --git a/htdocs/core/website.inc.php b/htdocs/core/website.inc.php
index 30ffee00248..8ffa69e31ac 100644
--- a/htdocs/core/website.inc.php
+++ b/htdocs/core/website.inc.php
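Review bot: The getCountry hunk escapes with `$db->escape(...)` but executes the statement with `$dbtouse->query($sql)`; when a caller passes a distinct `$dbtouse` (the parameter defaults to 0 and its fallback to the global handle, if any, is outside the hunk), the value is escaped against a different connection than the one running the query. Escaping and execution should use the same handle, i.e. `$dbtouse->escape($searchkey)` and `$dbtouse->escape($searchlabel)`, so the quoting rules match the driver actually used.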
@@ -94,7 +94,7 @@ if ($_SERVER['PHP_SELF'] != DOL_URL_ROOT.'/website/index.php') { // If we browsi
 $sql = "SELECT wp.rowid, wp.lang, wp.pageurl, wp.fk_page";
 $sql .= " FROM ".MAIN_DB_PREFIX."website_page as wp";
 $sql .= " WHERE wp.fk_website = ".((int) $website->id);
- $sql .= " AND (wp.fk_page = ".$pageid." OR wp.rowid = ".$pageid;
+ $sql .= " AND (wp.fk_page = ".((int) $pageid)." OR wp.rowid = ".((int) $pageid);
 if (is_object($websitepage) && $websitepage->fk_page > 0) {
 $sql .= " OR wp.fk_page = ".$websitepage->fk_page." OR wp.rowid = ".$websitepage->fk_page;
 }
diff --git a/htdocs/don/class/don.class.php b/htdocs/don/class/don.class.php
index 1ec3ebe1cc5..a925cdb4ba4 100644
--- a/htdocs/don/class/don.class.php
+++ b/htdocs/don/class/don.class.php
@@ -612,7 +612,7 @@ class Don extends CommonObject
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as c ON d.fk_country = c.rowid";
 $sql .= " WHERE d.entity IN (".getEntity('donation').")";
 if (!empty($id)) {
- $sql .= " AND d.rowid=".$id;
+ $sql .= " AND d.rowid=".((int) $id);
 } elseif (!empty($ref)) {
 $sql .= " AND d.ref='".$this->db->escape($ref)."'";
 }
diff --git a/htdocs/expedition/class/expedition.class.php b/htdocs/expedition/class/expedition.class.php
index ed6f7a25eaf..f7c5a1d32a8 100644
--- a/htdocs/expedition/class/expedition.class.php
+++ b/htdocs/expedition/class/expedition.class.php
@@ -545,7 +545,7 @@ class Expedition extends CommonObject
 $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_shipment_mode as s ON e.fk_shipping_method = s.rowid';
 $sql .= " WHERE e.entity IN (".getEntity('expedition').")";
 if ($id) {
- $sql .= " AND e.rowid=".$id;
+ $sql .= " AND e.rowid = ".((int) $id);
 }
 if ($ref) {
 $sql .= " AND e.ref='".$this->db->escape($ref)."'";
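Review bot: The fixed line in the website.inc.php 94 hunk casts `$pageid` twice, but the context line that extends the same parenthesised OR-group, `OR wp.fk_page = ".$websitepage->fk_page." OR wp.rowid = ".$websitepage->fk_page`, is still concatenated without a cast. It is guarded by `$websitepage->fk_page > 0`, so the exposure is small, but `((int) $websitepage->fk_page)` on both occurrences would make the whole predicate uniformly typed, matching the line just fixed.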
@@ -2033,7 +2033,7 @@ class Expedition extends CommonObject
 $sql = "SELECT em.rowid, em.code, em.libelle as label, em.description, em.tracking, em.active";
 $sql .= " FROM ".MAIN_DB_PREFIX."c_shipment_mode as em";
 if ($id != '') {
- $sql .= " WHERE em.rowid=".$id;
+ $sql .= " WHERE em.rowid=".((int) $id);
 }
 $resql = $this->db->query($sql);
@@ -2072,7 +2072,7 @@ class Expedition extends CommonObject
 $sql .= ",libelle='".$this->db->escape($this->update['libelle'])."'";
 $sql .= ",description='".$this->db->escape($this->update['description'])."'";
 $sql .= ",tracking='".$this->db->escape($this->update['tracking'])."'";
- $sql .= " WHERE rowid=".$id;
+ $sql .= " WHERE rowid=".((int) $id);
 $resql = $this->db->query($sql);
 }
 if ($resql < 0) {
@@ -2952,7 +2952,7 @@ class ExpeditionLigne extends CommonObjectLine
 // delete lot expedition line
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."expeditiondet_batch";
 $sql .= " WHERE fk_expeditiondet = ".$this->id;
- $sql .= " AND rowid = ".$expedition_batch_id;
+ $sql .= " AND rowid = ".((int) $expedition_batch_id);
 if (!$this->db->query($sql)) {
 $this->errors[] = $this->db->lasterror()." - sql=$sql";
diff --git a/htdocs/fichinter/card-rec.php b/htdocs/fichinter/card-rec.php
index b7280c2f4a4..26ea2cfaaa8 100644
--- a/htdocs/fichinter/card-rec.php
+++ b/htdocs/fichinter/card-rec.php
@@ -771,7 +771,7 @@ if ($action == 'create') {
 $sql .= " WHERE f.fk_soc = s.rowid";
 $sql .= " AND f.entity = ".$conf->entity;
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
diff --git a/htdocs/fichinter/class/fichinter.class.php b/htdocs/fichinter/class/fichinter.class.php
index 1fef1ed7c03..1c1c1ab37be 100644
--- a/htdocs/fichinter/class/fichinter.class.php
+++ b/htdocs/fichinter/class/fichinter.class.php
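Review bot: The guard `if ($id != '')` in the 2033 hunk uses loose comparison, and `0 != ''` evaluates to false on PHP 7 but true on PHP 8, so an `$id` of 0 yields no WHERE clause on one runtime and `WHERE em.rowid=0` on the other. Since the value is now cast to int anyway, `if ((int) $id > 0)` expresses the intent and behaves the same on both; the enclosing method starts above the hunk.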
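Review bot: The DELETE in the ExpeditionLigne 2952 hunk now casts `$expedition_batch_id`, but the line above it still concatenates `$this->id` raw in `" WHERE fk_expeditiondet = ".$this->id`. Object ids are normally populated from a fetch rather than from the request, so the exposure is low, yet `((int) $this->id)` would keep both predicates of this statement typed, as the patch does elsewhere. The method's start is above the hunk.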
@@ -432,7 +432,7 @@ class Fichinter extends CommonObject
 $sql .= " WHERE f.entity IN (".getEntity('intervention').")";
 $sql .= " AND f.ref='".$this->db->escape($ref)."'";
 } else {
- $sql .= " WHERE f.rowid=".$rowid;
+ $sql .= " WHERE f.rowid=".((int) $rowid);
 }
 dol_syslog(get_class($this)."::fetch", LOG_DEBUG);
diff --git a/htdocs/fichinter/list.php b/htdocs/fichinter/list.php
index ee9edc6694b..86c1cccef95 100644
--- a/htdocs/fichinter/list.php
+++ b/htdocs/fichinter/list.php
@@ -282,7 +282,7 @@ if (!$user->rights->societe->client->voir && empty($socid)) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 if ($sall) {
 $sql .= natural_search(array_keys($fieldstosearchall), $sall);
diff --git a/htdocs/fourn/class/fournisseur.commande.class.php b/htdocs/fourn/class/fournisseur.commande.class.php
index c999f204749..331e211e5ac 100644
--- a/htdocs/fourn/class/fournisseur.commande.class.php
+++ b/htdocs/fourn/class/fournisseur.commande.class.php
@@ -331,7 +331,7 @@ class CommandeFournisseur extends CommonOrder
 if (empty($id)) {
 $sql .= " WHERE c.entity IN (".getEntity('supplier_order').")";
 } else {
- $sql .= " WHERE c.rowid=".$id;
+ $sql .= " WHERE c.rowid=".((int) $id);
 }
 if ($ref) {
diff --git a/htdocs/loan/list.php b/htdocs/loan/list.php
index fa1de74b0cc..f9b08a63a48 100644
--- a/htdocs/loan/list.php
+++ b/htdocs/loan/list.php
@@ -113,7 +113,7 @@ if ($search_amount) {
 $sql .= natural_search("l.capital", $search_amount, 1);
 }
 if ($search_ref) {
- $sql .= " AND l.rowid = ".$db->escape($search_ref);
+ $sql .= " AND l.rowid = ".((int) $search_ref);
 }
 if ($search_label) {
 $sql .= natural_search("l.label", $search_label);
diff --git a/htdocs/mrp/mo_movements.php b/htdocs/mrp/mo_movements.php
index b4b777f7b49..7b9c0662e53 100644
--- a/htdocs/mrp/mo_movements.php
+++ b/htdocs/mrp/mo_movements.php
@@ -441,7 +441,7 @@ if ($object->id > 0 && (empty($action) || ($action != 'edit' && $action != 'crea
 $sql .= " WHERE m.fk_product = p.rowid";
 $sql .= " AND m.origintype = 'mo' AND m.fk_origin = ".(int) $object->id;
 if ($msid > 0) {
- $sql .= " AND m.rowid = ".$msid;
+ $sql .= " AND m.rowid = ".((int) $msid);
 }
 $sql .= " AND m.fk_entrepot = e.rowid";
 $sql .= " AND e.entity IN (".getEntity('stock').")";
diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index 6ed0b4266a8..fbe706e93db 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
@@ -1679,11 +1679,11 @@ class Product extends CommonObject
 {
 // phpcs:enable
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."product_price_by_qty";
- $sql .= " WHERE fk_product_price=".$rowid;
+ $sql .= " WHERE fk_product_price=".((int) $rowid);
 $resql = $this->db->query($sql);
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."product_price";
- $sql .= " WHERE rowid=".$rowid;
+ $sql .= " WHERE rowid=".((int) $rowid);
 $resql = $this->db->query($sql);
 if ($resql) {
 return 1;
diff --git a/htdocs/product/stock/stockatdate.php b/htdocs/product/stock/stockatdate.php
index d9a9be0cd70..e5eb2751109 100644
--- a/htdocs/product/stock/stockatdate.php
+++ b/htdocs/product/stock/stockatdate.php
@@ -266,7 +266,7 @@ $reshook = $hookmanager->executeHooks('printFieldListJoin', $parameters); // Not
 $sql .= $hookmanager->resPrint;
 $sql .= ' WHERE p.entity IN ('.getEntity('product').')';
 if ($productid > 0) {
- $sql .= " AND p.rowid = ".$productid;
+ $sql .= " AND p.rowid = ".((int) $productid);
 }
 if (empty($conf->global->STOCK_SUPPORTS_SERVICES)) {
 $sql .= " AND p.fk_product_type = 0";
diff --git a/htdocs/projet/list.php b/htdocs/projet/list.php
index a0888daee2a..a9f17f5439b 100644
--- a/htdocs/projet/list.php
+++ b/htdocs/projet/list.php
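Review bot: In the product.class.php 1679 hunk the result of the first DELETE on `product_price_by_qty` is stored in `$resql` and then overwritten by the second query, so a failure of the first is never reported: the method returns 1 whenever only the `product_price` DELETE succeeds, leaving orphaned per-quantity rows. Checking the first result before issuing the second (`if (!$resql) { return -1; }`), or wrapping both statements in `$this->db->begin()` / commit / rollback as the commonobject.class.php 5012 hunk does, would prevent a half-deleted price. The method's signature is above the hunk; only its opening brace is visible.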
@@ -424,7 +424,7 @@ if ($search_public != '') {
 $sql .= " AND p.public = ".$db->escape($search_public);
 }
 // For external user, no check is done on company permission because readability is managed by public status of project and assignement.
-//if ($socid > 0) $sql.= " AND s.rowid = ".$socid;
+//if ($socid > 0) $sql.= " AND s.rowid = ".((int) $socid);
 if ($search_sale > 0) {
 $sql .= " AND sc.fk_user = ".((int) $search_sale);
 }
diff --git a/htdocs/reception/class/reception.class.php b/htdocs/reception/class/reception.class.php
index b2f31505c44..d5e3feaa255 100644
--- a/htdocs/reception/class/reception.class.php
+++ b/htdocs/reception/class/reception.class.php
@@ -384,7 +384,7 @@ class Reception extends CommonObject
 $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_incoterms as i ON e.fk_incoterms = i.rowid';
 $sql .= " WHERE e.entity IN (".getEntity('reception').")";
 if ($id) {
- $sql .= " AND e.rowid=".$id;
+ $sql .= " AND e.rowid=".((int) $id);
 }
 if ($ref) {
 $sql .= " AND e.ref='".$this->db->escape($ref)."'";
@@ -1356,7 +1356,7 @@ class Reception extends CommonObject
 $sql .= ",libelle='".$this->db->escape($this->update['libelle'])."'";
 $sql .= ",description='".$this->db->escape($this->update['description'])."'";
 $sql .= ",tracking='".$this->db->escape($this->update['tracking'])."'";
- $sql .= " WHERE rowid=".$id;
+ $sql .= " WHERE rowid=".((int) $id);
 $resql = $this->db->query($sql);
 }
 if ($resql < 0) {
diff --git a/htdocs/societe/index.php b/htdocs/societe/index.php
index a8a4c454c2c..f56beedb64e 100644
--- a/htdocs/societe/index.php
+++ b/htdocs/societe/index.php
@@ -274,7 +274,7 @@ if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 if (!$user->rights->fournisseur->lire) {
 $sql .= " AND (s.fournisseur != 1 OR s.client != 0)";
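Review bot: The context line `$sql .= " AND p.public = ".$db->escape($search_public);` in the projet/list.php 424 hunk is exactly the pattern this commit fixes in htdocs/loan/list.php: `escape()` only handles quote characters, so an unquoted value in a numeric comparison gains no protection from it. `$search_public` appears to be a 0/1 flag (it is only checked against `''` in the hunk header), so `$sql .= " AND p.public = ".((int) $search_public);` is the matching fix; the hunk's own change touches a commented-out line and has no runtime effect.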
diff --git a/htdocs/supplier_proposal/class/supplier_proposal.class.php b/htdocs/supplier_proposal/class/supplier_proposal.class.php
index 0320a663ea8..728bf8f0fd9 100644
--- a/htdocs/supplier_proposal/class/supplier_proposal.class.php
+++ b/htdocs/supplier_proposal/class/supplier_proposal.class.php
@@ -1938,7 +1938,7 @@ class SupplierProposal extends CommonObject
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 if ($draft) {
 $sql .= " AND p.fk_statut = 0";
diff --git a/htdocs/supplier_proposal/index.php b/htdocs/supplier_proposal/index.php
index 0cfdc5a09b6..75eba410d0f 100644
--- a/htdocs/supplier_proposal/index.php
+++ b/htdocs/supplier_proposal/index.php
@@ -315,7 +315,7 @@ if (!empty($conf->supplier_proposal->enabled) && $user->rights->supplier_proposa
 $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
- $sql .= " AND s.rowid = ".$socid;
+ $sql .= " AND s.rowid = ".((int) $socid);
 }
 $sql .= " ORDER BY p.rowid DESC";
diff --git a/htdocs/user/class/usergroup.class.php b/htdocs/user/class/usergroup.class.php
index f0b6bcdfe87..3738c63b435 100644
--- a/htdocs/user/class/usergroup.class.php
+++ b/htdocs/user/class/usergroup.class.php
@@ -504,7 +504,7 @@ class UserGroup extends CommonObject
 }
 $sql = "DELETE FROM ".MAIN_DB_PREFIX."usergroup_rights";
- $sql .= " WHERE fk_usergroup = $this->id AND fk_id=".$nid;
+ $sql .= " WHERE fk_usergroup = $this->id AND fk_id=".((int) $nid);
 $sql .= " AND entity = ".$entity;
 if (!$this->db->query($sql)) {
 $error++;
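Review bot: The fixed line in the usergroup.class.php 504 hunk still interpolates `$this->id` inside the double-quoted string (`fk_usergroup = $this->id`) and the next line appends `$entity` raw in `" AND entity = ".$entity`, so two of the three ids in this DELETE remain uncast. `$sql .= " WHERE fk_usergroup = ".((int) $this->id)." AND fk_id=".((int) $nid);` followed by `$sql .= " AND entity = ".((int) $entity);` would finish hardening the statement in the same style as the rest of the patch. The method's start is above the hunk.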