From d38168f49ead681f89257e8bda6c1d67cea4f978 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 19 Sep 2020 22:59:04 +0200 Subject: [PATCH] Fix escape --- htdocs/install/lib/repair.lib.php | 2 +- htdocs/install/repair.php | 7 ++- htdocs/install/upgrade2.php | 52 ++++++++++++---------- htdocs/webservices/server_user.php | 2 +- htdocs/website/class/websitepage.class.php | 4 +- test/phpunit/CodingPhpTest.php | 2 +- 6 files changed, 36 insertions(+), 33 deletions(-) diff --git a/htdocs/install/lib/repair.lib.php b/htdocs/install/lib/repair.lib.php index 19b91bb0a26..1a05dad1b77 100644 --- a/htdocs/install/lib/repair.lib.php +++ b/htdocs/install/lib/repair.lib.php @@ -130,7 +130,7 @@ function clean_data_ecm_directories() $newlabel = dol_sanitizeFileName($label); if ($label != $newlabel) { - $sqlupdate = "UPDATE ".MAIN_DB_PREFIX."ecm_directories set label='".$newlabel."' WHERE rowid=".$id; + $sqlupdate = "UPDATE ".MAIN_DB_PREFIX."ecm_directories set label='".$db->escape($newlabel)."' WHERE rowid=".$id; print ''.$sqlupdate."\n"; $resqlupdate = $db->query($sqlupdate); if (!$resqlupdate) dol_print_error($db, 'Failed to update'); diff --git a/htdocs/install/repair.php b/htdocs/install/repair.php index b4fe656bbac..e8965adedb3 100644 --- a/htdocs/install/repair.php +++ b/htdocs/install/repair.php @@ -30,7 +30,6 @@ include_once $dolibarr_main_document_root.'/core/lib/images.lib.php'; require_once $dolibarr_main_document_root.'/core/class/extrafields.class.php'; require_once 'lib/repair.lib.php'; -$grant_query = ''; $step = 2; $ok = 0; 
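Review bot: The rebuilt UPDATE in clean_data_ecm_directories() still concatenates `$id` bare in `WHERE rowid=".$id` while the commit only escapes the label; rowid is an integer column, so `WHERE rowid = ".((int) $id)` closes that gap in the same statement. The following `print` line also writes the raw SQL text, label included, into the page without HTML escaping, so a label containing markup would be rendered as-is — `print htmlspecialchars($sqlupdate, ENT_QUOTES, 'UTF-8')."\n";` (or the project's HTML escaping helper) is safer. Both values appear to come from rows read earlier in the function, which starts before this hunk, so this is second-order hardening rather than a directly reachable injection.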
@@ -445,8 +444,8 @@ if ($ok && GETPOST('standard', 'alpha')) if ($obj2 && $obj2->nb == 0) { // Module not found, so we canremove entry - $sqldeletea = "DELETE FROM ".MAIN_DB_PREFIX."boxes WHERE entity = ".$obj->entity." AND box_id IN (SELECT rowid FROM ".MAIN_DB_PREFIX."boxes_def WHERE file = '".$obj->file."' AND entity = ".$obj->entity.")"; - $sqldeleteb = "DELETE FROM ".MAIN_DB_PREFIX."boxes_def WHERE file = '".$obj->file."' AND entity = ".$obj->entity; + $sqldeletea = "DELETE FROM ".MAIN_DB_PREFIX."boxes WHERE entity = ".$obj->entity." AND box_id IN (SELECT rowid FROM ".MAIN_DB_PREFIX."boxes_def WHERE file = '".$db->escape($obj->file)."' AND entity = ".$obj->entity.")"; + $sqldeleteb = "DELETE FROM ".MAIN_DB_PREFIX."boxes_def WHERE file = '".$db->escape($obj->file)."' AND entity = ".$obj->entity; if (GETPOST('standard', 'alpha') == 'confirmed') { @@ -782,7 +781,7 @@ if ($ok && GETPOST('clean_menus', 'alpha')) print ' - Module condition '.$modulecond.' seems ko, we delete menu entry.'; if (GETPOST('clean_menus') == 'confirmed') { - $sql2 = "DELETE FROM ".MAIN_DB_PREFIX."menu WHERE module = '".$modulecond."'"; + $sql2 = "DELETE FROM ".MAIN_DB_PREFIX."menu WHERE module = '".$db->escape($modulecond)."'"; $resql2 = $db->query($sql2); if (!$resql2) { diff --git a/htdocs/install/upgrade2.php b/htdocs/install/upgrade2.php index 90ac30058e0..6c154ca062a 100644 --- a/htdocs/install/upgrade2.php +++ b/htdocs/install/upgrade2.php 
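Review bot: In the two DELETE statements for boxes/boxes_def, `$obj->entity` is still concatenated bare in three places (`entity = ".$obj->entity`) while only `$obj->file` gets `$db->escape()`; entity is numeric, so `entity = ".((int) $obj->entity)` makes the statements uniformly safe. `$db->escape()` on `$obj->file` is the right call for the quoted context, and both values come from a row fetched earlier in this branch, which begins outside the hunk. Since the data is read back from the database, the change is defensive rather than fixing an externally reachable injection, which would be worth stating in the commit message.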
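Review bot: The `print ' - Module condition '.$modulecond.' seems ko, we delete menu entry.';` line just above the changed DELETE still emits `$modulecond` into the HTML response unescaped, so the SQL side is now escaped but the output side is not; `htmlspecialchars($modulecond, ENT_QUOTES, 'UTF-8')` (or the project's HTML escaping helper) keeps the page from rendering whatever is stored in the menu row. The new `module = '".$db->escape($modulecond)."'` is correct for the quoted SQL context. `$modulecond` is computed before this hunk, so its origin is not visible here.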
@@ -978,11 +978,11 @@ function migrate_contracts_det($db, $langs, $conf) $sql .= $obj->cref.", ".($obj->fk_product ? $obj->fk_product : 0).", "; $sql .= "0, "; $sql .= "'".$db->escape($obj->label)."', null, "; - $sql .= ($obj->date_contrat ? "'".$obj->date_contrat."'" : "null").", "; + $sql .= ($obj->date_contrat ? "'".$db->escape($obj->date_contrat)."'" : "null").", "; $sql .= "null, "; $sql .= "null, "; - $sql .= "'".$obj->tva_tx."' , 1, "; - $sql .= "'".$obj->price."', '".$obj->price."', ".$obj->fk_user_author.","; + $sql .= "'".$db->escape($obj->tva_tx)."' , 1, "; + $sql .= "'".$db->escape($obj->price)."', '".$db->escape($obj->price)."', ".$obj->fk_user_author.","; $sql .= "null"; $sql .= ")"; @@ -1171,9 +1171,11 @@ function migrate_contracts_date2($db, $langs, $conf) $obj = $db->fetch_object($resql); if ($obj->date_contrat > $obj->datemin) { + $datemin = $db->jdate($obj->datemin); + print $langs->trans('MigrationContractsInvalidDateFix', $obj->cref, $obj->date_contrat, $obj->datemin)."
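Review bot: The INSERT built in migrate_contracts_det() still concatenates `$obj->cref`, `$obj->fk_product` and `$obj->fk_user_author` bare while the commit escapes the quoted columns around them; these are integer keys, so `((int) $obj->fk_user_author)` and the same cast on the other two would make the statement uniformly safe. Quoting `tva_tx` and `price` as strings (`'".$db->escape($obj->tva_tx)."'`) relies on the database coercing them back to numbers; an explicit `(float)` cast without quotes would say what is meant, although behaviour is unchanged. The SELECT and loop feeding `$obj` begin before the hunk, so the values are assumed to be the contract rows being migrated.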
\n"; $sql = "UPDATE ".MAIN_DB_PREFIX."contrat"; - $sql .= " SET date_contrat='".$obj->datemin."'"; + $sql .= " SET date_contrat='".$db->idate($datemin)."'"; $sql .= " WHERE rowid=".$obj->cref; $resql2 = $db->query($sql); if (!$resql2) dol_print_error($db); @@ -2088,9 +2090,11 @@ function migrate_commande_livraison($db, $langs, $conf) if ($resql2) { + $date_livraison = $db->jdate($obj->date_livraison); + $sqlu = "UPDATE ".MAIN_DB_PREFIX."livraison SET"; - $sqlu .= " ref_client='".$obj->ref_client."'"; - $sqlu .= ", date_livraison='".$obj->date_livraison."'"; + $sqlu .= " ref_client='".$db->escape($obj->ref_client)."'"; + $sqlu .= ", date_livraison='".$db->idate($date_livraison)."'"; $sqlu .= " WHERE rowid = ".$obj->rowid; $resql3 = $db->query($sqlu); if (!$resql3) @@ -2172,8 +2176,8 @@ function migrate_detail_livraison($db, $langs, $conf) $sql = "UPDATE ".MAIN_DB_PREFIX."livraisondet SET"; $sql .= " fk_product=".$obj->fk_product; $sql .= ",description='".$db->escape($obj->description)."'"; - $sql .= ",subprice='".$obj->subprice."'"; - $sql .= ",total_ht='".$obj->total_ht."'"; + $sql .= ",subprice='".$db->escape($obj->subprice)."'"; + $sql .= ",total_ht='".$db->escape($obj->total_ht)."'"; $sql .= " WHERE fk_commande_ligne = ".$obj->rowid; $resql2 = $db->query($sql); @@ -2190,7 +2194,7 @@ function migrate_detail_livraison($db, $langs, $conf) $total_ht = $obju->total_ht + $obj->total_ht; $sqlu = "UPDATE ".MAIN_DB_PREFIX."livraison SET"; - $sqlu .= " total_ht='".$total_ht."'"; + $sqlu .= " total_ht='".$db->escape($total_ht)."'"; $sqlu .= " WHERE rowid=".$obj->fk_livraison; $resql4 = $db->query($sqlu); if (!$resql4) @@ -2274,7 +2278,7 @@ function migrate_stocks($db, $langs, $conf) $obj = $db->fetch_object($resql); $sql = "UPDATE ".MAIN_DB_PREFIX."product SET"; - $sql .= " stock = '".$obj->total."'"; + $sql .= " stock = '".$db->escape($obj->total)."'"; $sql .= " WHERE rowid=".$obj->fk_product; $resql2 = $db->query($sql); 
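Review bot: The new `date_contrat='".$db->idate($datemin)."'` has no NULL path: `$obj->datemin` goes through `$db->jdate()` then `$db->idate()`, and what `idate()` emits for an empty value is not visible here, so a guard such as `if ($datemin)` around the UPDATE, or writing SQL `NULL` explicitly, would avoid storing a bogus date. Note that the enclosing `if ($obj->date_contrat > $obj->datemin)` compares raw strings, and `'2020-01-01' > ''` is true in PHP, so a NULL datemin does reach this branch. `WHERE rowid=".$obj->cref` is still a bare concatenation and should be `((int) $obj->cref)`; the loop starts before the hunk.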
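Review bot: `date_livraison='".$db->idate($date_livraison)."'` in migrate_commande_livraison() writes whatever `idate()` produces for a NULL `$obj->date_livraison` instead of SQL NULL (the removed line wrote an empty string literal, which was already wrong). The hunk at line 3210 of the same file shows the intended pattern, `($obj->date_delivery ? "'".$db->escape($obj->date_delivery)."'" : 'null')`; the equivalent here is `", date_livraison=".($date_livraison ? "'".$db->idate($date_livraison)."'" : 'null')`. `WHERE rowid = ".$obj->rowid` should likewise become `((int) $obj->rowid)`.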
@@ -2343,7 +2347,7 @@ function migrate_menus($db, $langs, $conf) $obj = $db->fetch_object($resql); $sql = "UPDATE ".MAIN_DB_PREFIX."menu SET"; - $sql .= " enabled = '".$obj->action."'"; + $sql .= " enabled = '".$db->escape($obj->action)."'"; $sql .= " WHERE rowid=".$obj->rowid; $sql .= " AND enabled = '1'"; @@ -2419,7 +2423,7 @@ function migrate_commande_deliveryaddress($db, $langs, $conf) $obj = $db->fetch_object($resql); $sql = "UPDATE ".MAIN_DB_PREFIX."expedition SET"; - $sql .= " fk_adresse_livraison = '".$obj->fk_adresse_livraison."'"; + $sql .= " fk_adresse_livraison = '".$db->escape($obj->fk_adresse_livraison)."'"; $sql .= " WHERE rowid=".$obj->fk_expedition; $resql2 = $db->query($sql); @@ -2508,7 +2512,7 @@ function migrate_restore_missing_links($db, $langs, $conf) print 'Line '.$obj->rowid.' in '.$table1.' is linked to record '.$obj->field.' in '.$table2.' that has no link to '.$table1.'. We fix this.
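Review bot: `fk_adresse_livraison = '".$db->escape($obj->fk_adresse_livraison)."'` stores a foreign key as a quoted string; an integer cast expresses the intent and needs no escaping at all, `" fk_adresse_livraison = ".((int) $obj->fk_adresse_livraison)`, and the same applies to the untouched `WHERE rowid=".$obj->fk_expedition`. If the source column can legitimately be NULL, the cast would write 0 where the current code writes an empty string, so check the SELECT that starts before this hunk before switching.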
'; $sql = "UPDATE ".MAIN_DB_PREFIX.$table2." SET"; - $sql .= " ".$field2." = '".$obj->rowid."'"; + $sql .= " ".$field2." = '".$db->escape($obj->rowid)."'"; $sql .= " WHERE rowid=".$obj->field; $resql2 = $db->query($sql); @@ -2568,7 +2572,7 @@ function migrate_restore_missing_links($db, $langs, $conf) print 'Line '.$obj->rowid.' in '.$table1.' is linked to record '.$obj->field.' in '.$table2.' that has no link to '.$table1.'. We fix this.
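Review bot: `" ".$field2." = '".$db->escape($obj->rowid)."'"` escapes an integer rowid into a quoted string while the identifiers `$table2`/`$field2` and the `WHERE rowid=".$obj->field` value remain bare; `$db->escape()` gives no protection for identifiers, so `$table2`/`$field2` must come from a fixed list, which cannot be confirmed here because migrate_restore_missing_links() begins before the hunk. For the values, `((int) $obj->rowid)` and `((int) $obj->field)` without quotes are the clearer form. The identical statement appears again later in the same function, so a small private helper taking (table, field, rowid, target id) would remove the duplication.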
'; $sql = "UPDATE ".MAIN_DB_PREFIX.$table2." SET"; - $sql .= " ".$field2." = '".$obj->rowid."'"; + $sql .= " ".$field2." = '".$db->escape($obj->rowid)."'"; $sql .= " WHERE rowid=".$obj->field; $resql2 = $db->query($sql); @@ -2821,9 +2825,9 @@ function migrate_relationship_tables($db, $langs, $conf, $table, $fk_source, $so $sqlInsert .= ", targettype"; $sqlInsert .= ") VALUES ("; $sqlInsert .= $obj->$fk_source; - $sqlInsert .= ", '".$sourcetype."'"; + $sqlInsert .= ", '".$db->escape($sourcetype)."'"; $sqlInsert .= ", ".$obj->$fk_target; - $sqlInsert .= ", '".$targettype."'"; + $sqlInsert .= ", '".$db->escape($targettype)."'"; $sqlInsert .= ")"; $result = $db->query($sqlInsert); @@ -3023,8 +3027,8 @@ function migrate_customerorder_shipping($db, $langs, $conf) $obj = $db->fetch_object($resql); $sqlUpdate = "UPDATE ".MAIN_DB_PREFIX."expedition SET"; - $sqlUpdate .= " ref_customer = '".$obj->ref_client."'"; - $sqlUpdate .= ", date_delivery = '".($obj->date_livraison ? $obj->date_livraison : 'null')."'"; + $sqlUpdate .= " ref_customer = '".$db->escape($obj->ref_client)."'"; + $sqlUpdate .= ", date_delivery = '".$db->escape($obj->date_livraison ? $obj->date_livraison : 'null')."'"; $sqlUpdate .= " WHERE rowid = ".$obj->shipping_id; $result = $db->query($sqlUpdate); @@ -3210,8 +3214,8 @@ function migrate_shipping_delivery2($db, $langs, $conf) $obj = $db->fetch_object($resql); $sqlUpdate = "UPDATE ".MAIN_DB_PREFIX."livraison SET"; - $sqlUpdate .= " ref_customer = '".$obj->ref_customer."',"; - $sqlUpdate .= " date_delivery = ".($obj->date_delivery ? "'".$obj->date_delivery."'" : 'null'); + $sqlUpdate .= " ref_customer = '".$db->escape($obj->ref_customer)."',"; + $sqlUpdate .= " date_delivery = ".($obj->date_delivery ? "'".$db->escape($obj->date_delivery)."'" : 'null'); $sqlUpdate .= " WHERE rowid = ".$obj->delivery_id; $result = $db->query($sqlUpdate); 
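Review bot: `$sqlInsert .= $obj->$fk_source;` and `$sqlInsert .= ", ".$obj->$fk_target;` still concatenate the two foreign keys bare in the same VALUES list where `$sourcetype`/`$targettype` are now escaped; `((int) $obj->$fk_source)` and `((int) $obj->$fk_target)` complete the hardening. `$fk_source`/`$fk_target` are also used as column names (they are parameters of migrate_relationship_tables(), per the hunk header) and escape() would not protect them, so callers must pass literals — a one-line comment on the parameters saying so would help. The loop and SELECT start before the hunk.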
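Review bot: `", date_delivery = '".$db->escape($obj->date_livraison ? $obj->date_livraison : 'null')."'"` in migrate_customerorder_shipping() quotes the fallback, so a missing date is written as the string literal `'null'` rather than SQL NULL; on a DATETIME column that yields a zero date or a strict-mode error depending on the server. The sibling hunk for migrate_shipping_delivery2() already does it right — move the quotes inside the ternary: `", date_delivery = ".($obj->date_livraison ? "'".$db->escape($obj->date_livraison)."'" : 'null')`. `WHERE rowid = ".$obj->shipping_id` could take `((int) $obj->shipping_id)` at the same time.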
@@ -3277,7 +3281,7 @@ function migrate_actioncomm_element($db, $langs, $conf) $db->begin(); $sql = "UPDATE ".MAIN_DB_PREFIX."actioncomm SET "; - $sql .= "fk_element = ".$field.", elementtype = '".$type."'"; + $sql .= "fk_element = ".$field.", elementtype = '".$db->escape($type)."'"; $sql .= " WHERE ".$field." IS NOT NULL"; $sql .= " AND fk_element IS NULL"; $sql .= " AND elementtype IS NULL"; @@ -3336,7 +3340,7 @@ function migrate_mode_reglement($db, $langs, $conf) $sqlSelect = "SELECT id"; $sqlSelect .= " FROM ".MAIN_DB_PREFIX."c_paiement"; $sqlSelect .= " WHERE id = ".$old_id; - $sqlSelect .= " AND code = '".$elements['code'][$key]."'"; + $sqlSelect .= " AND code = '".$db->escape($elements['code'][$key])."'"; $resql = $db->query($sqlSelect); if ($resql) @@ -3351,13 +3355,13 @@ function migrate_mode_reglement($db, $langs, $conf) $sqla = "UPDATE ".MAIN_DB_PREFIX."paiement SET "; $sqla .= "fk_paiement = ".$elements['new_id'][$key]; $sqla .= " WHERE fk_paiement = ".$old_id; - $sqla .= " AND fk_paiement IN (SELECT id FROM ".MAIN_DB_PREFIX."c_paiement WHERE id = ".$old_id." AND code = '".$elements['code'][$key]."')"; + $sqla .= " AND fk_paiement IN (SELECT id FROM ".MAIN_DB_PREFIX."c_paiement WHERE id = ".$old_id." AND code = '".$db->escape($elements['code'][$key])."')"; $resqla = $db->query($sqla); $sql = "UPDATE ".MAIN_DB_PREFIX."c_paiement SET "; $sql .= "id = ".$elements['new_id'][$key]; $sql .= " WHERE id = ".$old_id; - $sql .= " AND code = '".$elements['code'][$key]."'"; + $sql .= " AND code = '".$db->escape($elements['code'][$key])."'"; $resql = $db->query($sql); if ($resqla && $resql) diff --git a/htdocs/webservices/server_user.php b/htdocs/webservices/server_user.php index bc43c4ab6d4..000bad4b563 100644 --- a/htdocs/webservices/server_user.php +++ b/htdocs/webservices/server_user.php 
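Review bot: `"fk_element = ".$field.", elementtype = '".$db->escape($type)."'"` and the following `" WHERE ".$field." IS NOT NULL"` use `$field` as a column identifier, which `$db->escape()` cannot protect, so escaping `$type` only helps if `$field` is guaranteed to be a literal; both appear to be loop variables set earlier in migrate_actioncomm_element(), before this hunk, presumably from a hard-coded map. A comment on that loop such as `// $field/$type come from a fixed array, never from input` would record the assumption for future readers.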
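Review bot: Escaping `$elements['code'][$key]` in the two statements leaves `$elements['new_id'][$key]` and `$old_id` interpolated bare as `fk_paiement = ...` / `id = ...`; `((int) $elements['new_id'][$key])` and `((int) $old_id)` would make the whole UPDATE consistent. The `$elements` array is built before the hunk in migrate_mode_reglement(), so if it is a literal table the cast is documentation only; if it is derived from data, the cast matters.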
@@ -540,7 +540,7 @@ function createUserFromThirdparty($authentication, $thirdpartywithuser) $sql = "SELECT rowid"; $sql .= " FROM ".MAIN_DB_PREFIX."c_country"; $sql .= " WHERE active = 1"; - $sql .= " AND code='".$thirdparty->country_code."'"; + $sql .= " AND code='".$db->escape($thirdparty->country_code)."'"; $resql = $db->query($sql); if ($resql) diff --git a/htdocs/website/class/websitepage.class.php b/htdocs/website/class/websitepage.class.php index 2ed4b9a75a3..b5e29e04176 100644 --- a/htdocs/website/class/websitepage.class.php +++ b/htdocs/website/class/websitepage.class.php @@ -382,9 +382,9 @@ class WebsitePage extends CommonObject if (count($filter) > 0) { foreach ($filter as $key => $value) { if ($key == 't.rowid' || $key == 't.fk_website' || $key == 'status') { - $sqlwhere[] = $key.'='.$value; + $sqlwhere[] = $key.' = '.$value; } elseif ($key == 'type_container') { - $sqlwhere[] = $key."='".$value."'"; + $sqlwhere[] = $key." = '".$this->db->escape($value)."'"; } elseif ($key == 'lang' || $key == 't.lang') { $listoflang = array(); $foundnull = 0; diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php index 60ba1ae4bbe..00af206c552 100644 --- a/test/phpunit/CodingPhpTest.php +++ b/test/phpunit/CodingPhpTest.php @@ -152,7 +152,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase $db=$this->savdb; include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; - $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT.'/core', 'files', 1, '\.php', null, 'fullname'); + $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT.'/bom', 'files', 1, '\.php', null, 'fullname'); //$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname'); foreach ($filesarray as $key => $file)
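Review bot: This is the one hunk where the escaped value is externally supplied — `$thirdparty->country_code` appears to derive from the `$thirdpartywithuser` SOAP parameter of createUserFromThirdparty(), whose body starts before the hunk — so the new `code='".$db->escape($thirdparty->country_code)."'` is the part of this commit that closes a reachable injection and deserves a regression test. If c_country.code values are short ISO codes, a whitelist check before the query, e.g. `if (!preg_match('/^[A-Za-z]{2,3}$/', $thirdparty->country_code))` → reject, would limit the lookup to plausible values independently of the escape layer.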
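Review bot: The branch `if ($key == 't.rowid' || $key == 't.fk_website' || $key == 'status')` still emits `$key.' = '.$value` with `$value` unescaped; the commit only inserted spaces there. These are integer columns, so `$sqlwhere[] = $key.' = '.((int) $value);` closes the gap the same way the `type_container` branch now uses `$this->db->escape($value)`. Whether `$filter` can carry caller-supplied values is not visible here (the method's signature is before the hunk), so the cast is cheap insurance either way.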