From e6f1d4835f785539745cf248a0e911f73063751b Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 29 Oct 2024 02:18:17 +0100
Subject: [PATCH] Clean sql code
---
.../mailing/class/advtargetemailing.class.php | 10 ++--
.../cashcontrol/class/cashcontrol.class.php | 2 +-
htdocs/contrat/class/contrat.class.php | 6 +-
htdocs/contrat/class/contratligne.class.php | 10 ++--
htdocs/core/class/cgenericdic.class.php | 4 +-
htdocs/core/class/comment.class.php | 16 +++---
htdocs/core/class/commonobject.class.php | 13 +++--
htdocs/core/class/extrafields.class.php | 14 ++---
htdocs/core/class/link.class.php | 2 +-
htdocs/core/db/mysqli.class.php | 2 +-
htdocs/core/db/pgsql.class.php | 2 +-
htdocs/delivery/class/delivery.class.php | 2 +-
htdocs/ecm/class/ecmdirectory.class.php | 2 +-
.../class/conferenceorboothattendee.class.php | 2 +-
htdocs/expedition/class/expedition.class.php | 56 +++++++++----------
.../class/expensereport.class.php | 14 ++---
htdocs/fichinter/class/fichinter.class.php | 2 +-
.../class/fournisseur.commande.class.php | 4 +-
.../fourn/class/fournisseur.facture.class.php | 2 +-
.../fourn/class/fournisseur.product.class.php | 8 +--
htdocs/holiday/class/holiday.class.php | 30 +++++-----
htdocs/install/upgrade2.php | 14 +++-
htdocs/loan/class/loan.class.php | 12 ++--
htdocs/mrp/class/mo.class.php | 4 +-
.../partnership/class/partnership.class.php | 6 --
.../class/productcustomerprice.class.php | 6 +-
.../class/productfournisseurprice.class.php | 2 +-
.../class/propalmergepdfproduct.class.php | 10 ++--
.../price_global_variable_updater.class.php | 2 +-
htdocs/projet/class/project.class.php | 2 +-
htdocs/reception/class/reception.class.php | 2 +-
.../class/recruitmentcandidature.class.php | 2 +-
.../class/recruitmentjobposition.class.php | 2 +-
htdocs/societe/class/societe.class.php | 2 +-
test/phpunit/CodingPhpTest.php | 19 +++++++
35 files changed, 151 insertions(+), 137 deletions(-)
diff --git a/htdocs/comm/mailing/class/advtargetemailing.class.php b/htdocs/comm/mailing/class/advtargetemailing.class.php index cb7ea75452b..0fd4ea09ccd 100644 --- a/htdocs/comm/mailing/class/advtargetemailing.class.php +++ b/htdocs/comm/mailing/class/advtargetemailing.class.php @@ -185,13 +185,13 @@ class AdvanceTargetingMailing extends CommonObject $sql .= "fk_user_mod"; $sql .= ") VALUES ("; $sql .= " ".(!isset($this->name) ? 'NULL' : "'".$this->db->escape($this->name)."'").","; - $sql .= " ".$conf->entity.","; + $sql .= " ".((int) $conf->entity).","; $sql .= " ".(!isset($this->fk_element) ? 'NULL' : "'".$this->db->escape($this->fk_element)."'").","; $sql .= " ".(!isset($this->type_element) ? 'NULL' : "'".$this->db->escape($this->type_element)."'").","; $sql .= " ".(!isset($this->filtervalue) ? 'NULL' : "'".$this->db->escape($this->filtervalue)."'").","; - $sql .= " ".$user->id.","; + $sql .= " ".((int) $user->id).","; $sql .= " '".$this->db->idate(dol_now())."',"; - $sql .= " ".$user->id; + $sql .= " ".((int) $user->id); $sql .= ")"; $this->db->begin(); @@ -429,11 +429,11 @@ class AdvanceTargetingMailing extends CommonObject $sql = "UPDATE ".MAIN_DB_PREFIX."mailing_advtarget SET"; $sql .= " name=".(isset($this->name) ? "'".$this->db->escape($this->name)."'" : "''").","; - $sql .= " entity=".$conf->entity.","; + $sql .= " entity=".((int) $conf->entity).","; $sql .= " fk_element=".(isset($this->fk_element) ? $this->fk_element : "null").","; $sql .= " type_element=".(isset($this->type_element) ? "'".$this->db->escape($this->type_element)."'" : "null").","; $sql .= " filtervalue=".(isset($this->filtervalue) ? "'".$this->db->escape($this->filtervalue)."'" : "null").","; - $sql .= " fk_user_mod=".$user->id; + $sql .= " fk_user_mod=".((int) $user->id); $sql .= " WHERE rowid=".((int) $this->id); diff --git a/htdocs/compta/cashcontrol/class/cashcontrol.class.php b/htdocs/compta/cashcontrol/class/cashcontrol.class.php index b575cc8678b..a8ab833cde1 100644 
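Review bot: In the update() hunk (`@@ -429`), `fk_element` is still concatenated raw (`fk_element=".(isset($this->fk_element) ? $this->fk_element : "null")`) while the same property is escaped and quoted in the create() hunk above, so the update path has no escaping at all and the two statements disagree on the column's type. If the column is an integer foreign key, as the `fk_` prefix suggests, cast it like the other ids in this commit: `$sql .= " fk_element=".(isset($this->fk_element) ? ((int) $this->fk_element) : "null").",";`; otherwise wrap it in quotes with `$this->db->escape()` as create() does. `name`, `type_element` and `filtervalue` go through escape() and are fine.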
--- a/htdocs/compta/cashcontrol/class/cashcontrol.class.php +++ b/htdocs/compta/cashcontrol/class/cashcontrol.class.php @@ -300,7 +300,7 @@ class CashControl extends CommonObject $sql = "UPDATE ".MAIN_DB_PREFIX."pos_cash_fence"; $sql .= " SET status = ".self::STATUS_VALIDATED.","; $sql .= " date_valid='".$this->db->idate($now)."',"; - $sql .= " fk_user_valid = ".$user->id; + $sql .= " fk_user_valid = ".((int) $user->id); $sql .= " WHERE rowid=".((int) $this->id); $this->db->begin(); diff --git a/htdocs/contrat/class/contrat.class.php b/htdocs/contrat/class/contrat.class.php index cd4ec1813db..81371d0556e 100644 --- a/htdocs/contrat/class/contrat.class.php +++ b/htdocs/contrat/class/contrat.class.php @@ -41,7 +41,8 @@ require_once DOL_DOCUMENT_ROOT.'/margin/lib/margins.lib.php'; require_once DOL_DOCUMENT_ROOT.'/core/class/commonsignedobject.class.php'; /** - * Class to manage contracts + * Class to manage contracts + * * @property int $signed_status * @static array $SIGNED_STATUSES */ @@ -551,7 +552,6 @@ class Contrat extends CommonObject if ($num) { $sql = "UPDATE ".MAIN_DB_PREFIX."contrat SET ref = '".$this->db->escape($num)."', statut = 1"; - //$sql.= ", fk_user_valid = ".$user->id.", date_valid = '".$this->db->idate($now)."'"; $sql .= " WHERE rowid = ".((int) $this->id)." AND statut = 0"; dol_syslog(get_class($this)."::validate", LOG_DEBUG); 
@@ -1397,7 +1397,7 @@ class Contrat extends CommonObject $sql .= " ref_customer=".(isset($this->ref_customer) ? "'".$this->db->escape($this->ref_customer)."'" : "null").","; $sql .= " ref_supplier=".(isset($this->ref_supplier) ? "'".$this->db->escape($this->ref_supplier)."'" : "null").","; $sql .= " ref_ext=".(isset($this->ref_ext) ? "'".$this->db->escape($this->ref_ext)."'" : "null").","; - $sql .= " entity=".$conf->entity.","; + $sql .= " entity=".((int) $conf->entity).","; $sql .= " date_contrat=".(dol_strlen($this->date_contrat) != 0 ? "'".$this->db->idate($this->date_contrat)."'" : 'null').","; $sql .= " statut=".(isset($this->statut) ? $this->statut : (isset($this->status) ? $this->status : "null")).","; $sql .= " fk_soc=".($this->socid > 0 ? $this->socid : "null").","; diff --git a/htdocs/contrat/class/contratligne.class.php b/htdocs/contrat/class/contratligne.class.php index a29539d1101..713497af42e 100644 --- a/htdocs/contrat/class/contratligne.class.php +++ b/htdocs/contrat/class/contratligne.class.php 
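Review bot: `entity` gets the int cast here but `statut`/`status` and `fk_soc` on the next two lines are still concatenated raw, and `$this->socid > 0` is not a numeric guard in PHP 8: a non-numeric string compared with an int is compared as a string, so the check passes for values that are not integer literals. Suggest `$sql .= " statut=".(isset($this->statut) ? ((int) $this->statut) : (isset($this->status) ? ((int) $this->status) : "null")).",";` and `$sql .= " fk_soc=".($this->socid > 0 ? ((int) $this->socid) : "null").",";`. The update() body continues outside the hunk, so other raw numeric columns may follow.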
@@ -722,11 +722,11 @@ class ContratLigne extends CommonObjectLine $sql .= " fk_remise_except = ".($this->fk_remise_except > 0 ? $this->fk_remise_except : "null").","; $sql .= " subprice = ".($this->subprice != '' ? $this->subprice : "null").","; $sql .= " price_ht = ".($this->price_ht != '' ? $this->price_ht : "null").","; - $sql .= " total_ht = ".$this->total_ht.","; - $sql .= " total_tva = ".$this->total_tva.","; - $sql .= " total_localtax1 = ".$this->total_localtax1.","; - $sql .= " total_localtax2 = ".$this->total_localtax2.","; - $sql .= " total_ttc = ".$this->total_ttc.","; + $sql .= " total_ht = ".((float) $this->total_ht).","; + $sql .= " total_tva = ".((float) $this->total_tva).","; + $sql .= " total_localtax1 = ".((float) $this->total_localtax1).","; + $sql .= " total_localtax2 = ".((float) $this->total_localtax2).","; + $sql .= " total_ttc = ".((float) $this->total_ttc).","; $sql .= " fk_product_fournisseur_price = ".(!empty($this->fk_fournprice) ? $this->fk_fournprice : "NULL").","; $sql .= " buy_price_ht = '".price2num($this->pa_ht)."',"; $sql .= " info_bits = '".$this->db->escape($this->info_bits)."',"; diff --git a/htdocs/core/class/cgenericdic.class.php b/htdocs/core/class/cgenericdic.class.php index fd4016f4dc5..9c4e3317775 100644 --- a/htdocs/core/class/cgenericdic.class.php +++ b/htdocs/core/class/cgenericdic.class.php 
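Review bot: The five totals now get a float cast, but in the same UPDATE `subprice` and `price_ht` are still concatenated with only a `!= ''` check, and `fk_remise_except`/`fk_product_fournisseur_price` with `> 0`/`!empty()` checks, none of which constrain the value to a numeric literal. For consistency with the cast you added: `$sql .= " subprice = ".($this->subprice != '' ? ((float) $this->subprice) : "null").",";`, the same for `price_ht`, and `(int)` on the two `fk_` columns. `buy_price_ht` is written as a quoted string while the other amounts are bare numerics; worth unifying in the same pass. The update() body continues outside the hunk.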
@@ -350,9 +350,9 @@ class CGenericDic extends CommonDict // Update request $sql = "UPDATE ".$this->db->prefix().$this->table_element.' SET'; $sql .= " code = ".(isset($this->code) ? "'".$this->db->escape($this->code)."'" : "null").','; - $sql .= " ".$fieldlabel." = ".(isset($this->label) ? "'".$this->db->escape($this->label)."'" : "null").','; + $sql .= " ".$this->db->sanitize($fieldlabel)." = ".(isset($this->label) ? "'".$this->db->escape($this->label)."'" : "null").','; $sql .= " active = ".(isset($this->active) ? $this->active : "null"); - $sql .= " WHERE ".$fieldrowid." = ".((int) $this->id); + $sql .= " WHERE ".$this->db->sanitize($fieldrowid)." = ".((int) $this->id); $this->db->begin(); diff --git a/htdocs/core/class/comment.class.php b/htdocs/core/class/comment.class.php index 9ffa0d60a1e..c1e3f61379d 100644 --- a/htdocs/core/class/comment.class.php +++ b/htdocs/core/class/comment.class.php 
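Review bot: `active` on the line between the two sanitized identifiers is still concatenated raw (`isset($this->active) ? $this->active : "null"`), making it the only value in this UPDATE that is neither cast, escaped nor sanitized; `$sql .= " active = ".(isset($this->active) ? ((int) $this->active) : "null");` matches the `(int)` already used on the rowid. Also, `sanitize()` now guards `$fieldlabel`/`$fieldrowid`, but its allow-list is not visible in this diff; if it strips characters rather than rejecting the identifier, a bad value silently becomes a different column name instead of an error, so confirm that behaviour in core/db. The `$this->table_element` segment of the same statement is not passed through sanitize(); presumably a class-defined constant, but it reads as an inconsistency.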
@@ -249,14 +249,14 @@ class Comment extends CommonObject // Update request $sql = "UPDATE ".$this->db->prefix().$this->table_element." SET"; - $sql .= " description=".(isset($this->description) ? "'".$this->db->escape($this->description)."'" : "null").","; - $sql .= " datec=".($this->datec != '' ? "'".$this->db->idate($this->datec)."'" : 'null').","; - $sql .= " fk_element=".(isset($this->fk_element) ? $this->fk_element : "null").","; - $sql .= " element_type='".$this->db->escape($this->element_type)."',"; - $sql .= " fk_user_modif=".$user->id.","; - $sql .= " entity=".(!empty($this->entity) ? $this->entity : '1').","; - $sql .= " import_key=".(!empty($this->import_key) ? "'".$this->db->escape($this->import_key)."'" : "null"); - $sql .= " WHERE rowid=".((int) $this->id); + $sql .= " description = ".(isset($this->description) ? "'".$this->db->escape($this->description)."'" : "null").","; + $sql .= " datec = ".($this->datec != '' ? "'".$this->db->idate($this->datec)."'" : 'null').","; + $sql .= " fk_element = ".(isset($this->fk_element) ? $this->fk_element : "null").","; + $sql .= " element_type = '".$this->db->escape($this->element_type)."',"; + $sql .= " fk_user_modif = ".((int) $user->id).","; + $sql .= " entity = ".(!empty($this->entity) ? $this->entity : '1').","; + $sql .= " import_key = ".(!empty($this->import_key) ? "'".$this->db->escape($this->import_key)."'" : "null"); + $sql .= " WHERE rowid = ".((int) $this->id); $this->db->begin(); diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php index 3f7786e758b..3eed4eb5e01 100644 --- a/htdocs/core/class/commonobject.class.php +++ b/htdocs/core/class/commonobject.class.php 
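Review bot: The restyle casts `fk_user_modif` but leaves `fk_element` and `entity` raw on the adjacent lines, guarded only by `isset()`/`!empty()`, which do not constrain the value to a number. Suggest `$sql .= " fk_element = ".(isset($this->fk_element) ? ((int) $this->fk_element) : "null").",";` and `$sql .= " entity = ".(!empty($this->entity) ? ((int) $this->entity) : '1').",";`. The `description`, `element_type` and `import_key` columns go through escape() and are fine. The update() body continues before and after this hunk.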
@@ -1369,7 +1369,7 @@ abstract class CommonObject // phpcs:enable // Insert into database $sql = "UPDATE ".$this->db->prefix()."element_contact set"; - $sql .= " statut = ".$statut; + $sql .= " statut = ".((int) $statut); if ($type_contact_id) { $sql .= ", fk_c_type_contact = ".((int) $type_contact_id); } @@ -1377,6 +1377,7 @@ abstract class CommonObject $sql .= ", fk_socpeople = ".((int) $fk_socpeople); } $sql .= " where rowid = ".((int) $rowid); + $resql = $this->db->query($sql); if ($resql) { return 0; @@ -4102,11 +4103,11 @@ abstract class CommonObject if (!$error && empty($nodatabaseupdate)) { $sql = "UPDATE ".$this->db->prefix().$this->table_element.' SET'; - $sql .= " ".$fieldht." = ".((float) price2num($this->total_ht, 'MT', 1)).","; - $sql .= " ".$fieldtva." = ".((float) price2num($this->total_tva, 'MT', 1)).","; - $sql .= " ".$fieldlocaltax1." = ".((float) price2num($this->total_localtax1, 'MT', 1)).","; - $sql .= " ".$fieldlocaltax2." = ".((float) price2num($this->total_localtax2, 'MT', 1)).","; - $sql .= " ".$fieldttc." = ".((float) price2num($this->total_ttc, 'MT', 1)); + $sql .= " ".$this->db->sanitize($fieldht)." = ".((float) price2num($this->total_ht, 'MT', 1)).","; + $sql .= " ".$this->db->sanitize($fieldtva)." = ".((float) price2num($this->total_tva, 'MT', 1)).","; + $sql .= " ".$this->db->sanitize($fieldlocaltax1)." = ".((float) price2num($this->total_localtax1, 'MT', 1)).","; + $sql .= " ".$this->db->sanitize($fieldlocaltax2)." = ".((float) price2num($this->total_localtax2, 'MT', 1)).","; + $sql .= " ".$this->db->sanitize($fieldttc)." = ".((float) price2num($this->total_ttc, 'MT', 1)); $sql .= ", multicurrency_total_ht = ".((float) price2num($this->multicurrency_total_ht, 'MT', 1)); $sql .= ", multicurrency_total_tva = ".((float) price2num($this->multicurrency_total_tva, 'MT', 1)); $sql .= ", multicurrency_total_ttc = ".((float) price2num($this->multicurrency_total_ttc, 'MT', 1)); 
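Review bot: In the second hunk (`@@ -4102`) the five column-name variables now go through `sanitize()`, but the table name from `$this->table_element` on the first line of the same statement does not, so identifiers in one query are treated differently for no visible reason. For uniformity: `$sql = "UPDATE ".$this->db->prefix().$this->db->sanitize($this->table_element).' SET';`. Presumably `table_element` is a per-class constant rather than user-controlled, so this is about consistency, not a known injection path. The enclosing method starts and ends outside the hunk.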
diff --git a/htdocs/core/class/extrafields.class.php b/htdocs/core/class/extrafields.class.php index 89cebe8a7c5..8560d1af9e3 100644 --- a/htdocs/core/class/extrafields.class.php +++ b/htdocs/core/class/extrafields.class.php @@ -360,10 +360,10 @@ class ExtraFields 'default' => $default_value ); - $result = $this->db->DDLAddField($this->db->prefix().$table, $attrname, $field_desc); + $result = $this->db->DDLAddField($this->db->prefix().$this->db->sanitize($table), $attrname, $field_desc); if ($result > 0) { if ($unique) { - $sql = "ALTER TABLE ".$this->db->prefix().$table." ADD UNIQUE INDEX uk_".$table."_".$attrname." (".$attrname.")"; + $sql = "ALTER TABLE ".$this->db->prefix().$this->db->sanitize($table)." ADD UNIQUE INDEX uk_".$this->db->sanitize($table)."_".$attrname." (".$attrname.")"; $resql = $this->db->query($sql, 1, 'dml'); } return 1; @@ -927,11 +927,11 @@ class ExtraFields $sql .= " '".$this->db->escape($type)."',"; $sql .= " '".$this->db->escape($size)."',"; $sql .= " '".$this->db->escape($elementtype)."',"; - $sql .= " ".$unique.","; - $sql .= " ".$required.","; + $sql .= " ".((int) $unique).","; + $sql .= " ".((int) $required).","; $sql .= " ".($perms ? "'".$this->db->escape($perms)."'" : "null").","; $sql .= " ".($langfile ? "'".$this->db->escape($langfile)."'" : "null").","; - $sql .= " ".$pos.","; + $sql .= " ".((int) $pos).","; $sql .= " '".$this->db->escape($alwayseditable)."',"; $sql .= " '".$this->db->escape($params)."',"; $sql .= " '".$this->db->escape($list)."',"; 
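Review bot: In the first hunk (`@@ -360`) the `ADD UNIQUE INDEX` statement now sanitizes `$table` but concatenates `$attrname` twice on the same line with no treatment, and the attribute name is the one identifier here that presumably originates from the extrafield definition form rather than from code. Unless it is validated by a strict pattern earlier in the method (outside this hunk), apply the same treatment: `$sql = "ALTER TABLE ".$this->db->prefix().$this->db->sanitize($table)." ADD UNIQUE INDEX uk_".$this->db->sanitize($table)."_".$this->db->sanitize($attrname)." (".$this->db->sanitize($attrname).")";`. The same `$attrname` is also passed to `DDLAddField()` two lines up, whose handling is not visible here. The `$resql` of the ALTER is never checked before `return 1`, so a failed unique index is reported as success; that is pre-existing.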
@@ -939,8 +939,8 @@ class ExtraFields $sql .= " ".($totalizable ? 'TRUE' : 'FALSE').","; $sql .= " ".(($default != '') ? "'".$this->db->escape($default)."'" : "null").","; $sql .= " ".($computed ? "'".$this->db->escape($computed)."'" : "null").","; - $sql .= " ".$user->id.","; - $sql .= " ".$user->id.","; + $sql .= " ".((int) $user->id).","; + $sql .= " ".((int) $user->id).","; $sql .= "'".$this->db->idate(dol_now())."',"; $sql .= "'".$this->db->escape($enabled)."',"; $sql .= " ".($help ? "'".$this->db->escape($help)."'" : "null").","; diff --git a/htdocs/core/class/link.class.php b/htdocs/core/class/link.class.php index 8ea08e7d52a..5bc16898203 100644 --- a/htdocs/core/class/link.class.php +++ b/htdocs/core/class/link.class.php @@ -177,7 +177,7 @@ class Link extends CommonObject $this->db->begin(); $sql = "UPDATE ".$this->db->prefix()."links SET "; - $sql .= "entity = ".$conf->entity; + $sql .= "entity = ".((int) $conf->entity); $sql .= ", datea = '".$this->db->idate(dol_now())."'"; $sql .= ", url = '".$this->db->escape($this->url)."'"; $sql .= ", label = '".$this->db->escape($this->label)."'"; diff --git a/htdocs/core/db/mysqli.class.php b/htdocs/core/db/mysqli.class.php index 02c768ca649..3d9ddbeae7c 100644 --- a/htdocs/core/db/mysqli.class.php +++ b/htdocs/core/db/mysqli.class.php @@ -980,7 +980,7 @@ class DoliDBMysqli extends DoliDB $sql .= " ".$this->sanitize($field_desc['attribute']); } if (isset($field_desc['null']) && preg_match("/^[^\s]/i", $field_desc['null'])) { - $sql .= " ".$field_desc['null']; + $sql .= " ".$this->sanitize($field_desc['null']); } if (isset($field_desc['default']) && preg_match("/^[^\s]/i", $field_desc['default'])) { if (in_array($field_desc['type'], array('tinyint', 'smallint', 'int', 'double'))) { diff --git a/htdocs/core/db/pgsql.class.php b/htdocs/core/db/pgsql.class.php index 7188062936b..1578e796e91 100644 --- a/htdocs/core/db/pgsql.class.php +++ b/htdocs/core/db/pgsql.class.php 
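Review bot: In the mysqli.class.php hunk, passing `$field_desc['null']` through `sanitize()` is only safe if sanitize() preserves the space in `NOT NULL`; its allow-list is not in this diff, and if it drops whitespace the emitted DDL becomes `NOTNULL` and fails at table-creation time. Since this value can only legitimately be `NULL` or `NOT NULL`, an explicit allow-list is tighter and independent of sanitize()'s rules: `$nullspec = strtoupper(trim($field_desc['null'])); if (in_array($nullspec, array('NULL', 'NOT NULL'), true)) { $sql .= " ".$nullspec; }`. The identical construct in pgsql.class.php in this commit should get the same treatment. The `$field_desc['default']` branch below is cut off by the hunk, so I can't tell whether it was handled.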
@@ -1213,7 +1213,7 @@ class DoliDBPgsql extends DoliDB $sql .= " ".$this->sanitize($field_desc['attribute']); } if (isset($field_desc['null']) && preg_match("/^[^\s]/i", $field_desc['null'])) { - $sql .= " ".$field_desc['null']; + $sql .= " ".$this->sanitize($field_desc['null']); } if (isset($field_desc['default']) && preg_match("/^[^\s]/i", $field_desc['default'])) { if (in_array($field_desc['type'], array('tinyint', 'smallint', 'int', 'double'))) { diff --git a/htdocs/delivery/class/delivery.class.php b/htdocs/delivery/class/delivery.class.php index dcc64cb67db..c921aa3d7ff 100644 --- a/htdocs/delivery/class/delivery.class.php +++ b/htdocs/delivery/class/delivery.class.php @@ -450,7 +450,7 @@ class Delivery extends CommonObject $sql .= " ref='".$this->db->escape($numref)."'"; $sql .= ", fk_statut = 1"; $sql .= ", date_valid = '".$this->db->idate($now)."'"; - $sql .= ", fk_user_valid = ".$user->id; + $sql .= ", fk_user_valid = ".((int) $user->id); $sql .= " WHERE rowid = ".((int) $this->id); $sql .= " AND fk_statut = 0"; diff --git a/htdocs/ecm/class/ecmdirectory.class.php b/htdocs/ecm/class/ecmdirectory.class.php index 940fb8ff905..7d0f3418574 100644 --- a/htdocs/ecm/class/ecmdirectory.class.php +++ b/htdocs/ecm/class/ecmdirectory.class.php @@ -303,7 +303,7 @@ class EcmDirectory extends CommonObject if (preg_match('/[0-9]+/', $value)) { $sql .= " cachenbofdoc = ".(int) $value; } else { - $sql .= " cachenbofdoc = cachenbofdoc ".$value." 1"; + $sql .= " cachenbofdoc = cachenbofdoc ".preg_replace('/[^\-\+]/', '', $value)." 1"; } $sql .= " WHERE rowid = ".((int) $this->id); diff --git a/htdocs/eventorganization/class/conferenceorboothattendee.class.php b/htdocs/eventorganization/class/conferenceorboothattendee.class.php index e7f834a623c..dead35a402c 100644 --- a/htdocs/eventorganization/class/conferenceorboothattendee.class.php +++ b/htdocs/eventorganization/class/conferenceorboothattendee.class.php 
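Review bot: In the ecmdirectory hunk, `preg_replace('/[^\-\+]/', '', $value)` keeps every `+` and `-` in `$value` rather than selecting one operator, so `'+-'` yields `cachenbofdoc +- 1` and a value with no sign at all yields `cachenbofdoc  1`, both SQL syntax errors instead of a rejected argument. The `preg_match('/[0-9]+/', $value)` branch above also matches any string containing a digit, so `'+1'` is stored as an absolute value of 1 rather than an increment; that is pre-existing. A strict check reads clearer and fails closed: `} elseif ($value === '+' || $value === '-') { $sql .= " cachenbofdoc = cachenbofdoc ".$value." 1"; } else { return -1; }` — adjust the error return to this method's convention, since its signature is outside the hunk.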
@@ -635,7 +635,7 @@ class ConferenceOrBoothAttendee extends CommonObject $sql .= ", date_validation = '".$this->db->idate($now)."'"; } if (!empty($this->fields['fk_user_valid'])) { // @phan-suppress-current-line PhanTypeMismatchProperty - $sql .= ", fk_user_valid = ".$user->id; + $sql .= ", fk_user_valid = ".((int) $user->id); } $sql .= " WHERE rowid = ".((int) $this->id); diff --git a/htdocs/expedition/class/expedition.class.php b/htdocs/expedition/class/expedition.class.php index 0ac90b12afb..5480618a842 100644 --- a/htdocs/expedition/class/expedition.class.php +++ b/htdocs/expedition/class/expedition.class.php @@ -846,7 +846,7 @@ class Expedition extends CommonObject $sql .= " ref='".$this->db->escape($numref)."'"; $sql .= ", fk_statut = 1"; $sql .= ", date_valid = '".$this->db->idate($now)."'"; - $sql .= ", fk_user_valid = ".$user->id; + $sql .= ", fk_user_valid = ".((int) $user->id); $sql .= " WHERE rowid = ".((int) $this->id); dol_syslog(get_class($this)."::valid update expedition", LOG_DEBUG); @@ -893,7 +893,7 @@ class Expedition extends CommonObject $this->error = $this->db->lasterror(); } $sql = 'UPDATE '.MAIN_DB_PREFIX."ecm_files set filepath = 'expedition/sending/".$this->db->escape($this->newref)."'"; - $sql .= " WHERE filepath = 'expedition/sending/".$this->db->escape($this->ref)."' and entity = ".$conf->entity; + $sql .= " WHERE filepath = 'expedition/sending/".$this->db->escape($this->ref)."' and entity = ".((int) $conf->entity); $resql = $this->db->query($sql); if (!$resql) { $error++; 
@@ -1212,32 +1212,32 @@ class Expedition extends CommonObject // Update request $sql = "UPDATE ".MAIN_DB_PREFIX."expedition SET"; - $sql .= " ref=".(isset($this->ref) ? "'".$this->db->escape($this->ref)."'" : "null").","; - $sql .= " ref_ext=".(isset($this->ref_ext) ? "'".$this->db->escape($this->ref_ext)."'" : "null").","; - $sql .= " ref_customer=".(isset($this->ref_customer) ? "'".$this->db->escape($this->ref_customer)."'" : "null").","; - $sql .= " fk_soc=".(isset($this->socid) ? $this->socid : "null").","; - $sql .= " date_creation=".(dol_strlen($this->date_creation) != 0 ? "'".$this->db->idate($this->date_creation)."'" : 'null').","; - $sql .= " fk_user_author=".(isset($this->fk_user_author) ? $this->fk_user_author : "null").","; - $sql .= " date_valid=".(dol_strlen($this->date_valid) != 0 ? "'".$this->db->idate($this->date_valid)."'" : 'null').","; - $sql .= " fk_user_valid=".(isset($this->fk_user_valid) ? $this->fk_user_valid : "null").","; - $sql .= " date_expedition=".(dol_strlen($this->date_expedition) != 0 ? "'".$this->db->idate($this->date_expedition)."'" : 'null').","; - $sql .= " date_delivery=".(dol_strlen($this->date_delivery) != 0 ? "'".$this->db->idate($this->date_delivery)."'" : 'null').","; - $sql .= " fk_address=".(isset($this->fk_delivery_address) ? $this->fk_delivery_address : "null").","; - $sql .= " fk_shipping_method=".((isset($this->shipping_method_id) && $this->shipping_method_id > 0) ? $this->shipping_method_id : "null").","; - $sql .= " tracking_number=".(isset($this->tracking_number) ? "'".$this->db->escape($this->tracking_number)."'" : "null").","; - $sql .= " fk_statut=".(isset($this->statut) ? $this->statut : "null").","; - $sql .= " fk_projet=".(isset($this->fk_project) ? $this->fk_project : "null").","; - $sql .= " height=".(($this->trueHeight != '') ? $this->trueHeight : "null").","; - $sql .= " width=".(($this->trueWidth != '') ? $this->trueWidth : "null").","; - $sql .= " size_units=".(isset($this->size_units) ? 
$this->size_units : "null").","; - $sql .= " size=".(($this->trueDepth != '') ? $this->trueDepth : "null").","; - $sql .= " weight_units=".(isset($this->weight_units) ? $this->weight_units : "null").","; - $sql .= " weight=".(($this->trueWeight != '') ? $this->trueWeight : "null").","; - $sql .= " note_private=".(isset($this->note_private) ? "'".$this->db->escape($this->note_private)."'" : "null").","; - $sql .= " note_public=".(isset($this->note_public) ? "'".$this->db->escape($this->note_public)."'" : "null").","; - $sql .= " model_pdf=".(isset($this->model_pdf) ? "'".$this->db->escape($this->model_pdf)."'" : "null").","; - $sql .= " entity=".$conf->entity; - $sql .= " WHERE rowid=".((int) $this->id); + $sql .= " ref = ".(isset($this->ref) ? "'".$this->db->escape($this->ref)."'" : "null").","; + $sql .= " ref_ext = ".(isset($this->ref_ext) ? "'".$this->db->escape($this->ref_ext)."'" : "null").","; + $sql .= " ref_customer = ".(isset($this->ref_customer) ? "'".$this->db->escape($this->ref_customer)."'" : "null").","; + $sql .= " fk_soc = ".(isset($this->socid) ? $this->socid : "null").","; + $sql .= " date_creation = ".(dol_strlen($this->date_creation) != 0 ? "'".$this->db->idate($this->date_creation)."'" : 'null').","; + $sql .= " fk_user_author = ".(isset($this->fk_user_author) ? $this->fk_user_author : "null").","; + $sql .= " date_valid = ".(dol_strlen($this->date_valid) != 0 ? "'".$this->db->idate($this->date_valid)."'" : 'null').","; + $sql .= " fk_user_valid = ".(isset($this->fk_user_valid) ? $this->fk_user_valid : "null").","; + $sql .= " date_expedition = ".(dol_strlen($this->date_expedition) != 0 ? "'".$this->db->idate($this->date_expedition)."'" : 'null').","; + $sql .= " date_delivery = ".(dol_strlen($this->date_delivery) != 0 ? "'".$this->db->idate($this->date_delivery)."'" : 'null').","; + $sql .= " fk_address = ".(isset($this->fk_delivery_address) ? 
$this->fk_delivery_address : "null").","; + $sql .= " fk_shipping_method = ".((isset($this->shipping_method_id) && $this->shipping_method_id > 0) ? $this->shipping_method_id : "null").","; + $sql .= " tracking_number = ".(isset($this->tracking_number) ? "'".$this->db->escape($this->tracking_number)."'" : "null").","; + $sql .= " fk_statut = ".(isset($this->statut) ? $this->statut : "null").","; + $sql .= " fk_projet = ".(isset($this->fk_project) ? $this->fk_project : "null").","; + $sql .= " height = ".(($this->trueHeight != '') ? $this->trueHeight : "null").","; + $sql .= " width = ".(($this->trueWidth != '') ? $this->trueWidth : "null").","; + $sql .= " size_units = ".(isset($this->size_units) ? $this->size_units : "null").","; + $sql .= " size = ".(($this->trueDepth != '') ? $this->trueDepth : "null").","; + $sql .= " weight_units = ".(isset($this->weight_units) ? $this->weight_units : "null").","; + $sql .= " weight = ".(($this->trueWeight != '') ? $this->trueWeight : "null").","; + $sql .= " note_private = ".(isset($this->note_private) ? "'".$this->db->escape($this->note_private)."'" : "null").","; + $sql .= " note_public = ".(isset($this->note_public) ? "'".$this->db->escape($this->note_public)."'" : "null").","; + $sql .= " model_pdf = ".(isset($this->model_pdf) ? "'".$this->db->escape($this->model_pdf)."'" : "null").","; + $sql .= " entity = ".((int) $conf->entity); + $sql .= " WHERE rowid = ".((int) $this->id); $this->db->begin(); diff --git a/htdocs/expensereport/class/expensereport.class.php b/htdocs/expensereport/class/expensereport.class.php index 3941e22a3b0..805b414bfe5 100644 --- a/htdocs/expensereport/class/expensereport.class.php +++ b/htdocs/expensereport/class/expensereport.class.php 
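Review bot: Apart from `entity`, this restyle of update() leaves every numeric column raw: `fk_soc`, `fk_user_author`, `fk_user_valid`, `fk_address`, `fk_shipping_method`, `fk_statut`, `fk_projet`, `size_units` and `weight_units` are gated only by `isset()` (or `> 0`), and `height`/`width`/`size`/`weight` only by `!= ''`, none of which guarantee a numeric literal. Since the commit's stated purpose is to clean the SQL, cast them in the same pass, e.g. `$sql .= " fk_soc = ".(isset($this->socid) ? ((int) $this->socid) : "null").",";` and `$sql .= " weight = ".(($this->trueWeight != '') ? ((float) $this->trueWeight) : "null").",";`. The `ref*`, notes and `model_pdf` columns go through escape() and are fine; the method continues outside the hunk.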
@@ -622,9 +622,9 @@ class ExpenseReport extends CommonObject $this->db->begin(); $sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element." SET"; - $sql .= " total_ht = ".$this->total_ht; - $sql .= " , total_ttc = ".$this->total_ttc; - $sql .= " , total_tva = ".$this->total_tva; + $sql .= " total_ht = ".((float) $this->total_ht); + $sql .= " , total_ttc = ".((float) $this->total_ttc); + $sql .= " , total_tva = ".((float) $this->total_tva); $sql .= " , date_debut = '".$this->db->idate($this->date_debut)."'"; $sql .= " , date_fin = '".$this->db->idate($this->date_fin)."'"; if ($userofexpensereport && is_object($userofexpensereport)) { @@ -633,7 +633,7 @@ class ExpenseReport extends CommonObject $sql .= " , fk_user_validator = ".($this->fk_user_validator > 0 ? $this->fk_user_validator : "null"); $sql .= " , fk_user_valid = ".($this->fk_user_valid > 0 ? $this->fk_user_valid : "null"); $sql .= " , fk_user_approve = ".($this->fk_user_approve > 0 ? $this->fk_user_approve : "null"); - $sql .= " , fk_user_modif = ".$user->id; + $sql .= " , fk_user_modif = ".((int) $user->id); $sql .= " , fk_statut = ".($this->fk_statut >= 0 ? $this->fk_statut : '0'); $sql .= " , fk_c_paiement = ".($this->fk_c_paiement > 0 ? $this->fk_c_paiement : "null"); $sql .= " , note_public = ".(!empty($this->note_public) ? "'".$this->db->escape($this->note_public)."'" : "''"); @@ -1906,9 +1906,9 @@ class ExpenseReport extends CommonObject $this->total_ttc += $this->total_tva; $sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element." SET"; - $sql .= " total_ht = ".$this->total_ht; - $sql .= " , total_ttc = ".$this->total_ttc; - $sql .= " , total_tva = ".$this->total_tva; + $sql .= " total_ht = ".((float) $this->total_ht); + $sql .= " , total_ttc = ".((float) $this->total_ttc); + $sql .= " , total_tva = ".((float) $this->total_tva); $sql .= " WHERE rowid = ".((int) $this->id); $result = $this->db->query($sql); 
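Review bot: In the `@@ -633` hunk, `fk_user_validator`, `fk_user_valid`, `fk_user_approve`, `fk_statut` and `fk_c_paiement` are still concatenated raw, guarded only by `> 0`/`>= 0`; in PHP 8 a non-numeric string compared with an int is compared as a string, so `'1 OR 1=1' > 0` is true and the guard does not yield a numeric literal. Cast them as the commit does for `fk_user_modif`: `$sql .= " , fk_user_valid = ".($this->fk_user_valid > 0 ? ((int) $this->fk_user_valid) : "null");` and likewise for the other four. These properties are presumably set from code rather than straight from the request, so this is hardening rather than a confirmed injection path. The update() body continues outside the hunk.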
diff --git a/htdocs/fichinter/class/fichinter.class.php b/htdocs/fichinter/class/fichinter.class.php index 29f442313ec..d8046af6f16 100644 --- a/htdocs/fichinter/class/fichinter.class.php +++ b/htdocs/fichinter/class/fichinter.class.php @@ -1237,7 +1237,7 @@ class Fichinter extends CommonObject if ($user->hasRight('ficheinter', 'creer')) { $sql = "UPDATE ".MAIN_DB_PREFIX."fichinter "; $sql .= " SET description = '".$this->db->escape($description)."',"; - $sql .= " fk_user_modif = ".$user->id; + $sql .= " fk_user_modif = ".((int) $user->id); $sql .= " WHERE rowid = ".((int) $this->id); if ($this->db->query($sql)) { diff --git a/htdocs/fourn/class/fournisseur.commande.class.php b/htdocs/fourn/class/fournisseur.commande.class.php index ca614d62b41..c8a9393c19c 100644 --- a/htdocs/fourn/class/fournisseur.commande.class.php +++ b/htdocs/fourn/class/fournisseur.commande.class.php @@ -1273,8 +1273,8 @@ class CommandeFournisseur extends CommonOrder $sql .= " SET ref='".$this->db->escape($num)."',"; if (empty($secondlevel)) { // standard or first level approval $sql .= " date_approve='".$this->db->idate($now)."',"; - $sql .= " fk_user_approve = ".$user->id; - if (getDolGlobalString('SUPPLIER_ORDER_3_STEPS_TO_BE_APPROVED') && $this->total_ht >= $conf->global->SUPPLIER_ORDER_3_STEPS_TO_BE_APPROVED) { + $sql .= " fk_user_approve = ".((int) $user->id); + if (getDolGlobalString('SUPPLIER_ORDER_3_STEPS_TO_BE_APPROVED') && $this->total_ht >= getDolGlobalFloat('SUPPLIER_ORDER_3_STEPS_TO_BE_APPROVED')) { if (empty($this->user_approve_id2)) { $movetoapprovestatus = false; // second level approval not done $comment = ' (first level)'; diff --git a/htdocs/fourn/class/fournisseur.facture.class.php b/htdocs/fourn/class/fournisseur.facture.class.php index d699dcddd1d..38d27153d41 100644 --- a/htdocs/fourn/class/fournisseur.facture.class.php +++ b/htdocs/fourn/class/fournisseur.facture.class.php 
@@ -3132,7 +3132,7 @@ class FactureFournisseur extends CommonInvoice $sql .= " WHERE sc.fk_user = ".((int) $user->id); $clause = "AND"; } - $sql .= " ".$clause." f.entity = ".$conf->entity; + $sql .= " ".$clause." f.entity = ".((int) $conf->entity); $resql = $this->db->query($sql); if ($resql) { diff --git a/htdocs/fourn/class/fournisseur.product.class.php b/htdocs/fourn/class/fournisseur.product.class.php index a7feae2dc24..484fa462c1a 100644 --- a/htdocs/fourn/class/fournisseur.product.class.php +++ b/htdocs/fourn/class/fournisseur.product.class.php @@ -537,14 +537,14 @@ class ProductFournisseur extends Product $sql .= " multicurrency_tx = ".(isset($multicurrency_tx) ? "'".$this->db->escape($multicurrency_tx)."'" : '1').","; $sql .= " fk_multicurrency = ".(isset($fk_multicurrency) ? (int) $fk_multicurrency : 'null').","; $sql .= " multicurrency_code = ".(isset($multicurrency_code) ? "'".$this->db->escape($multicurrency_code)."'" : 'null').","; - $sql .= " entity = ".$conf->entity.","; - $sql .= " tva_tx = ".price2num($tva_tx).","; + $sql .= " entity = ".((int) $conf->entity).","; + $sql .= " tva_tx = ".((float) price2num($tva_tx)).","; // TODO Add localtax1 and localtax2 //$sql.= " localtax1_tx=".($localtax1>=0?$localtax1:'NULL').","; //$sql.= " localtax2_tx=".($localtax2>=0?$localtax2:'NULL').","; //$sql.= " localtax1_type=".($localtaxtype1!=''?"'".$this->db->escape($localtaxtype1)."'":"'0'").","; //$sql.= " localtax2_type=".($localtaxtype2!=''?"'".$this->db->escape($localtaxtype2)."'":"'0'").","; - $sql .= " default_vat_code=".($newdefaultvatcode ? "'".$this->db->escape($newdefaultvatcode)."'" : "null").","; + $sql .= " default_vat_code = ".($newdefaultvatcode ? "'".$this->db->escape($newdefaultvatcode)."'" : "null").","; $sql .= " info_bits = ".((int) $newnpr).","; $sql .= " charges = ".((float) $charges).","; // deprecated $sql .= " delivery_time_days = ".($delivery_time_days != '' ? ((int) $delivery_time_days) : 'null').","; 
@@ -1524,7 +1524,7 @@ class ProductFournisseur extends Product $sql .= (isset($multicurrency_code) ? "'".$this->db->escape($multicurrency_code)."'" : 'null').","; $sql .= "'".$this->db->idate($datec)."',"; $sql .= " ".((int) $this->product_fourn_price_id).","; - $sql .= " ".$user->id.","; + $sql .= " ".((int) $user->id).","; $sql .= " ".price2num($buyprice).","; $sql .= " ".price2num($qty); $sql .= ")"; diff --git a/htdocs/holiday/class/holiday.class.php b/htdocs/holiday/class/holiday.class.php index 836f6a930d2..cf58c6d442d 100644 --- a/htdocs/holiday/class/holiday.class.php +++ b/htdocs/holiday/class/holiday.class.php @@ -1047,9 +1047,9 @@ class Holiday extends CommonObject } else { $error++; } - $sql .= " halfday = ".$this->halfday.","; + $sql .= " halfday = ".((int) $this->halfday).","; if (!empty($this->status) && is_numeric($this->status)) { - $sql .= " statut = ".$this->status.","; + $sql .= " statut = ".((int) $this->status).","; } else { $error++; } @@ -2275,13 +2275,13 @@ class Holiday extends CommonObject } /** - * Liste le log des congés payés + * List log of leaves * - * @param string $order Filtrage par ordre - * @param string $filter Filtre de séléction + * @param string $sqlorder SQL sort order + * @param string $sqlwhere SQL where * @return int -1 si erreur, 1 si OK et 2 si pas de résultat */ - public function fetchLog($order, $filter) + public function fetchLog($sqlorder, $sqlwhere) { $sql = "SELECT"; $sql .= " cpl.rowid,"; 
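Review bot: In the fournisseur.product hunk (`@@ -1524`), `price2num($buyprice)` and `price2num($qty)` are concatenated bare on the two lines after the cast you added, whereas the other hunk of this file in the same commit writes `((float) price2num($tva_tx))`. If price2num() returns an empty string for a non-numeric input (its contract is not visible here), the VALUES list becomes `..., ,` and the INSERT fails with a syntax error instead of storing 0. Suggest `$sql .= " ".((float) price2num($buyprice)).",";` and `$sql .= " ".((float) price2num($qty));` for consistency. The INSERT starts before this hunk.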
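Review bot: In the holiday `@@ -2275` hunk, renaming the parameters to `$sqlorder`/`$sqlwhere` hints that fetchLog() takes raw SQL fragments, but the docblock should say so explicitly because the body (next hunk) appends them verbatim: `@param string $sqlwhere Raw SQL filter appended after the WHERE clause; must be built by the caller from escaped/validated values, never from request input`, and the same wording for `$sqlorder`. The `@return` line was left in French when the rest was translated: `@return int -1 if error, 1 if OK, 2 if no result`. The method body continues in the following hunk.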
@@ -2295,31 +2295,31 @@ class Holiday extends CommonObject
 $sql .= " FROM ".MAIN_DB_PREFIX."holiday_logs as cpl";
 $sql .= " WHERE cpl.rowid > 0"; // To avoid error with other search and criteria
- // Filtrage de séléction
- if (!empty($filter)) {
- $sql .= " ".$filter;
+ // Filter
+ if (!empty($sqlwhere)) {
+ $sql .= " ".$sqlwhere;
 }
- // Ordre d'affichage
- if (!empty($order)) {
- $sql .= " ".$order;
+ // Order
+ if (!empty($sqlorder)) {
+ $sql .= " ".$sqlorder;
 }
 dol_syslog(get_class($this)."::fetchLog", LOG_DEBUG);
 $resql = $this->db->query($sql);
- // Si pas d'erreur SQL
+ // If no error SQL
 if ($resql) {
 $i = 0;
 $tab_result = $this->logs;
 $num = $this->db->num_rows($resql);
- // Si pas d'enregistrement
+ // If no record
 if (!$num) {
 return 2;
 }
- // On liste les résultats et on les ajoutent dans le tableau
+ // Loop on result to fill the array
 while ($i < $num) {
 $obj = $this->db->fetch_object($resql);
diff --git a/htdocs/install/upgrade2.php b/htdocs/install/upgrade2.php
index ee047d04628..4ae77d4114b 100644
--- a/htdocs/install/upgrade2.php
+++ b/htdocs/install/upgrade2.php
@@ -2529,8 +2529,9 @@ function migrate_restore_missing_links($db, $langs, $conf)
 $obj = $db->fetch_object($resql);
 print 'Line '.$obj->rowid.' in '.$table1.' is linked to record '.$obj->field.' in '.$table2.' that has no link to '.$table1.'. We fix this.
';
- $sql = "UPDATE ".MAIN_DB_PREFIX.$table2." SET";
- $sql .= " ".$field2." = '".$db->escape($obj->rowid)."'";
+
+ $sql = "UPDATE ".MAIN_DB_PREFIX.$db->sanitize($table2)." SET";
+ $sql .= " ".$db->sanitize($field2)." = '".$db->escape($obj->rowid)."'";
 $sql .= " WHERE rowid = ".((int) $obj->field);
 $resql2 = $db->query($sql);
@@ -2588,8 +2589,9 @@ function migrate_restore_missing_links($db, $langs, $conf)
 $obj = $db->fetch_object($resql);
 print 'Line '.$obj->rowid.' in '.$table1.' is linked to record '.$obj->field.' in '.$table2.' that has no link to '.$table1.'. We fix this.
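Review bot: On the new second line of the UPDATE, `$obj->rowid` is still written as a quoted, escaped string (`'".$db->escape($obj->rowid)."'`) while the WHERE clause on the next line int-casts `$obj->field`; both are row ids, so `$sql .= " ".$db->sanitize($field2)." = ".((int) $obj->rowid);` would be consistent with the rest of this commit. The same applies to the identical lines in hunk @@ -2588 below. migrate_restore_missing_links starts outside this hunk.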
';
- $sql = "UPDATE ".MAIN_DB_PREFIX.$table2." SET";
- $sql .= " ".$field2." = '".$db->escape($obj->rowid)."'";
+
+ $sql = "UPDATE ".MAIN_DB_PREFIX.$db->sanitize($table2)." SET";
+ $sql .= " ".$db->sanitize($field2)." = '".$db->escape($obj->rowid)."'";
 $sql .= " WHERE rowid = ".((int) $obj->field);
 $resql2 = $db->query($sql);
@@ -3251,8 +3253,8 @@ function migrate_actioncomm_element($db, $langs, $conf)
 $db->begin();
 $sql = "UPDATE ".MAIN_DB_PREFIX."actioncomm SET ";
- $sql .= "fk_element = ".$field.", elementtype = '".$db->escape($type)."'";
- $sql .= " WHERE ".$field." IS NOT NULL";
+ $sql .= "fk_element = ".$db->sanitize($field).", elementtype = '".$db->escape($type)."'";
+ $sql .= " WHERE ".$db->sanitize($field)." IS NOT NULL";
 $sql .= " AND fk_element IS NULL";
 $sql .= " AND elementtype IS NULL";
diff --git a/htdocs/loan/class/loan.class.php b/htdocs/loan/class/loan.class.php
index 86e236ffc92..a4e2c7ed848 100644
--- a/htdocs/loan/class/loan.class.php
+++ b/htdocs/loan/class/loan.class.php
@@ -312,10 +312,10 @@ class Loan extends CommonObject
 $sql .= " '".$this->db->escape($this->account_capital)."',";
 $sql .= " '".$this->db->escape($this->account_insurance)."',";
 $sql .= " '".$this->db->escape($this->account_interest)."',";
- $sql .= " ".$conf->entity.",";
+ $sql .= " ".((int) $conf->entity).",";
 $sql .= " '".$this->db->idate($now)."',";
 $sql .= " ".(empty($this->fk_project) ? 'NULL' : $this->fk_project).",";
- $sql .= " ".$user->id.",";
+ $sql .= " ".((int) $user->id).",";
 $sql .= " '".price2num($newinsuranceamount)."'";
 $sql .= ")";
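Review bot: In hunk @@ -312 of loan.class.php, `$this->fk_project` on the context line between the two new casts is still concatenated without a cast (`empty($this->fk_project) ? 'NULL' : $this->fk_project`), whereas hunk @@ -421 of the same file writes `((int) $this->fk_project)`; `$sql .= " ".(empty($this->fk_project) ? 'NULL' : ((int) $this->fk_project)).",";` would remove the inconsistency. The new CodingPhpTest regex does not catch this form because the expression after `.` starts with `(` rather than `$`. The enclosing method starts and ends outside the hunk.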
@@ -421,7 +421,7 @@ class Loan extends CommonObject
 $sql .= " accountancy_account_insurance = '".$this->db->escape($this->account_insurance)."',";
 $sql .= " accountancy_account_interest = '".$this->db->escape($this->account_interest)."',";
 $sql .= " fk_projet=".(empty($this->fk_project) ? 'NULL' : ((int) $this->fk_project)).",";
- $sql .= " fk_user_modif = ".$user->id.",";
+ $sql .= " fk_user_modif = ".((int) $user->id).",";
 $sql .= " insurance_amount = '".price2num($this->db->escape($this->insurance_amount))."'";
 $sql .= " WHERE rowid=".((int) $this->id);
@@ -446,7 +446,7 @@ class Loan extends CommonObject
 public function setPaid($user)
 {
 $sql = "UPDATE ".MAIN_DB_PREFIX."loan SET";
- $sql .= " paid = ".$this::STATUS_PAID;
+ $sql .= " paid = ".((int) $this::STATUS_PAID);
 $sql .= " WHERE rowid = ".((int) $this->id);
 $return = $this->db->query($sql);
@@ -485,7 +485,7 @@ class Loan extends CommonObject
 public function setStarted($user)
 {
 $sql = "UPDATE ".MAIN_DB_PREFIX."loan SET";
- $sql .= " paid = ".$this::STATUS_STARTED;
+ $sql .= " paid = ".((int) $this::STATUS_STARTED);
 $sql .= " WHERE rowid = ".((int) $this->id);
 $return = $this->db->query($sql);
@@ -508,7 +508,7 @@ class Loan extends CommonObject
 public function setUnpaid($user)
 {
 $sql = "UPDATE ".MAIN_DB_PREFIX."loan SET";
- $sql .= " paid = ".$this::STATUS_UNPAID;
+ $sql .= " paid = ".((int) $this::STATUS_UNPAID);
 $sql .= " WHERE rowid = ".((int) $this->id);
 $return = $this->db->query($sql);
diff --git a/htdocs/mrp/class/mo.class.php b/htdocs/mrp/class/mo.class.php
index 28317996858..7b3e68b7298 100644
--- a/htdocs/mrp/class/mo.class.php
+++ b/htdocs/mrp/class/mo.class.php
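Review bot: The `(int)` casts added on `$this::STATUS_PAID` (hunk @@ -446), `$this::STATUS_STARTED` (hunk @@ -485) and `$this::STATUS_UNPAID` (hunk @@ -508) cast class constants, and appear to exist only because the new CodingPhpTest regex captures `this` from `.$this::` and rejects it. `self::STATUS_PAID` is the idiomatic reference, is not matched by that regex at all, and is the form the mo.class.php hunk of this commit already uses (`self::STATUS_VALIDATED`); suggested: `$sql .= " paid = ".self::STATUS_PAID;` and likewise for the other two setters. setPaid, setStarted and setUnpaid each continue past their hunk.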
@@ -1124,8 +1124,8 @@ class Mo extends CommonObject
 $sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element;
 $sql .= " SET ref = '".$this->db->escape($num)."',";
 $sql .= " status = ".self::STATUS_VALIDATED.",";
- $sql .= " date_valid='".$this->db->idate($now)."',";
- $sql .= " fk_user_valid = ".$user->id;
+ $sql .= " date_valid = '".$this->db->idate($now)."',";
+ $sql .= " fk_user_valid = ".((int) $user->id);
 $sql .= " WHERE rowid = ".((int) $this->id);
 dol_syslog(get_class($this)."::validate()", LOG_DEBUG);
diff --git a/htdocs/partnership/class/partnership.class.php b/htdocs/partnership/class/partnership.class.php
index 0a5ba9ba95f..50ab5ce7bc3 100644
--- a/htdocs/partnership/class/partnership.class.php
+++ b/htdocs/partnership/class/partnership.class.php
@@ -804,12 +804,6 @@ class Partnership extends CommonObject
 $sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element;
 $sql .= " SET ref = '".$this->db->escape($num)."',";
 $sql .= " status = ".self::STATUS_APPROVED;
- // if (!empty($this->fields['date_validation'])) {
- // $sql .= ", date_validation = '".$this->db->idate($now)."'";
- // }
- // if (!empty($this->fields['fk_user_valid'])) {
- // $sql .= ", fk_user_valid = ".$user->id;
- // }
 $sql .= " WHERE rowid = ".((int) $this->id);
 dol_syslog(get_class($this)."::accept()", LOG_DEBUG);
diff --git a/htdocs/product/class/productcustomerprice.class.php b/htdocs/product/class/productcustomerprice.class.php
index 28316407537..559a30f5bac 100644
--- a/htdocs/product/class/productcustomerprice.class.php
+++ b/htdocs/product/class/productcustomerprice.class.php
@@ -824,7 +824,7 @@ class ProductCustomerPrice extends CommonObject
 // Update request
 $sql = "UPDATE ".$this->db->prefix()."product_customer_price SET";
- $sql .= " entity=".$conf->entity.",";
+ $sql .= " entity=".((int) $conf->entity).",";
 $sql .= " datec='".$this->db->idate(dol_now())."',";
 $sql .= " tms=".(dol_strlen((string) $this->tms) != 0 ? "'".$this->db->idate($this->tms)."'" : 'null').",";
 $sql .= " fk_product=".(isset($this->fk_product) ? $this->fk_product : "null").",";
@@ -842,7 +842,7 @@ class ProductCustomerPrice extends CommonObject
 $sql .= " localtax2_tx=".(isset($this->localtax2_tx) ? (empty($this->localtax2_tx) ? 0 : $this->localtax2_tx) : "null").",";
 $sql .= " localtax1_type=".(!empty($this->localtax1_type) ? "'".$this->db->escape($this->localtax1_type)."'" : "'0'").",";
 $sql .= " localtax2_type=".(!empty($this->localtax2_type) ? "'".$this->db->escape($this->localtax2_type)."'" : "'0'").",";
- $sql .= " fk_user=".$user->id.",";
+ $sql .= " fk_user=".((int) $user->id).",";
 $sql .= " price_label=".(isset($this->price_label) ? "'".$this->db->escape($this->price_label)."'" : "null").",";
 $sql .= " import_key=".(isset($this->import_key) ? "'".$this->db->escape($this->import_key)."'" : "null");
@@ -894,8 +894,6 @@ class ProductCustomerPrice extends CommonObject
 */
 public function setPriceOnAffiliateThirdparty($user, $forceupdateaffiliate)
 {
- global $conf;
-
 if (getDolGlobalString('PRODUCT_DISABLE_PROPAGATE_CUSTOMER_PRICES_ON_CHILD_COMPANIES')) {
 return 0;
 }
diff --git a/htdocs/product/class/productfournisseurprice.class.php b/htdocs/product/class/productfournisseurprice.class.php
index b0f9850423f..bf57ac8f7d4 100644
--- a/htdocs/product/class/productfournisseurprice.class.php
+++ b/htdocs/product/class/productfournisseurprice.class.php
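Review bot: `fk_product` on the last context line of hunk @@ -824 is still concatenated raw (`isset($this->fk_product) ? $this->fk_product : "null"`) while `entity` and `fk_user` in this file now get `(int)` casts; `$sql .= " fk_product=".(isset($this->fk_product) ? ((int) $this->fk_product) : "null").",";` would close the gap. The same uncast ternary survives in propalmergepdfproduct.class.php hunk @@ -329, where the line is touched for spacing only, and for `fk_user_close` in project.class.php hunk @@ -649. The new CodingPhpTest regex does not report any of these because the expression after the string starts with `(`, not `$`. The enclosing update method starts and ends outside the hunk.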
@@ -566,7 +566,7 @@ class ProductFournisseurPrice extends CommonObject
 $sql .= ", date_validation = '".$this->db->idate($now)."'";
 }
 if (!empty($this->fields['fk_user_valid'])) {
- $sql .= ", fk_user_valid = ".$user->id;
+ $sql .= ", fk_user_valid = ".((int) $user->id);
 }
 $sql .= " WHERE rowid = ".((int) $this->id);
diff --git a/htdocs/product/class/propalmergepdfproduct.class.php b/htdocs/product/class/propalmergepdfproduct.class.php
index 4819a0df0b8..44a0e5eaf14 100644
--- a/htdocs/product/class/propalmergepdfproduct.class.php
+++ b/htdocs/product/class/propalmergepdfproduct.class.php
@@ -329,15 +329,15 @@ class Propalmergepdfproduct extends CommonObject
 // Update request
 $sql = "UPDATE ".$this->db->prefix()."propal_merge_pdf_product SET";
- $sql .= " fk_product=".(isset($this->fk_product) ? $this->fk_product : "null").",";
- $sql .= " file_name=".(isset($this->file_name) ? "'".$this->db->escape($this->file_name)."'" : "null").",";
+ $sql .= " fk_product = ".(isset($this->fk_product) ? $this->fk_product : "null").",";
+ $sql .= " file_name = ".(isset($this->file_name) ? "'".$this->db->escape($this->file_name)."'" : "null").",";
 if (getDolGlobalInt('MAIN_MULTILANGS')) {
- $sql .= " lang=".(isset($this->lang) ? "'".$this->db->escape($this->lang)."'" : "null").",";
+ $sql .= " lang = ".(isset($this->lang) ? "'".$this->db->escape($this->lang)."'" : "null").",";
 }
- $sql .= " fk_user_mod=".$user->id;
+ $sql .= " fk_user_mod = ".((int) $user->id);
- $sql .= " WHERE rowid=".((int) $this->id);
+ $sql .= " WHERE rowid = ".((int) $this->id);
 $this->db->begin();
diff --git a/htdocs/product/dynamic_price/class/price_global_variable_updater.class.php b/htdocs/product/dynamic_price/class/price_global_variable_updater.class.php
index b6404b0b608..c303e2806c3 100644
--- a/htdocs/product/dynamic_price/class/price_global_variable_updater.class.php
+++ b/htdocs/product/dynamic_price/class/price_global_variable_updater.class.php
@@ -576,7 +576,7 @@ class PriceGlobalVariableUpdater
 // Update request
 $sql = "UPDATE ".$this->db->prefix().$this->table_element." SET";
- $sql .= " next_update = ".$this->next_update;
+ $sql .= " next_update = ".((int) $this->next_update);
 $sql .= " WHERE rowid = ".((int) $this->id);
 $this->db->begin();
diff --git a/htdocs/projet/class/project.class.php b/htdocs/projet/class/project.class.php
index 375e75df425..062b4975f87 100644
--- a/htdocs/projet/class/project.class.php
+++ b/htdocs/projet/class/project.class.php
@@ -649,7 +649,7 @@ class Project extends CommonObject
 $sql .= ", fk_user_close = ".($this->fk_user_close > 0 ? $this->fk_user_close : "null");
 $sql .= ", opp_amount = ".(strcmp($this->opp_amount, '') ? price2num($this->opp_amount) : "null");
 $sql .= ", budget_amount = ".(strcmp($this->budget_amount, '') ? price2num($this->budget_amount) : "null");
- $sql .= ", fk_user_modif = ".$user->id;
+ $sql .= ", fk_user_modif = ".((int) $user->id);
 $sql .= ", usage_opportunity = ".($this->usage_opportunity ? 1 : 0);
 $sql .= ", usage_task = ".($this->usage_task ? 1 : 0);
 $sql .= ", usage_bill_time = ".($this->usage_bill_time ? 1 : 0);
diff --git a/htdocs/reception/class/reception.class.php b/htdocs/reception/class/reception.class.php
index 3cb4dfafc5e..8bb29ddb0f6 100644
--- a/htdocs/reception/class/reception.class.php
+++ b/htdocs/reception/class/reception.class.php
@@ -596,7 +596,7 @@ class Reception extends CommonObject
 $sql .= " ref='".$this->db->escape($numref)."'";
 $sql .= ", fk_statut = 1";
 $sql .= ", date_valid = '".$this->db->idate($now)."'";
- $sql .= ", fk_user_valid = ".$user->id;
+ $sql .= ", fk_user_valid = ".((int) $user->id);
 $sql .= " WHERE rowid = ".((int) $this->id);
 dol_syslog(get_class($this)."::valid update reception", LOG_DEBUG);
 $resql = $this->db->query($sql);
diff --git a/htdocs/recruitment/class/recruitmentcandidature.class.php b/htdocs/recruitment/class/recruitmentcandidature.class.php
index 2657468598b..f5ef6554689 100644
--- a/htdocs/recruitment/class/recruitmentcandidature.class.php
+++ b/htdocs/recruitment/class/recruitmentcandidature.class.php
@@ -573,7 +573,7 @@ class RecruitmentCandidature extends CommonObject
 $sql .= ", date_validation = '".$this->db->idate($now)."',";
 }
 if (!empty($this->fields['fk_user_valid'])) { // @phan-suppress-current-line PhanTypeMismatchProperty
- $sql .= ", fk_user_valid = ".$user->id;
+ $sql .= ", fk_user_valid = ".((int) $user->id);
 }
 $sql .= " WHERE rowid = ".((int) $this->id);
diff --git a/htdocs/recruitment/class/recruitmentjobposition.class.php b/htdocs/recruitment/class/recruitmentjobposition.class.php
index 1d7d604aa4c..6eab8b522d5 100644
--- a/htdocs/recruitment/class/recruitmentjobposition.class.php
+++ b/htdocs/recruitment/class/recruitmentjobposition.class.php
@@ -581,7 +581,7 @@ class RecruitmentJobPosition extends CommonObject
 $sql .= ", date_validation = '".$this->db->idate($now)."',";
 }
 if (!empty($this->fields['fk_user_valid'])) { // @phan-suppress-current-line PhanTypeMismatchProperty
- $sql .= ", fk_user_valid = ".$user->id;
+ $sql .= ", fk_user_valid = ".((int) $user->id);
 }
 $sql .= " WHERE rowid = ".((int) $this->id);
diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php
index af72f0f539a..958cf25f7e6 100644
--- a/htdocs/societe/class/societe.class.php
+++ b/htdocs/societe/class/societe.class.php
@@ -1594,7 +1594,7 @@ class Societe extends CommonObject
 dol_syslog(get_class($this)."::update verify ok or not done");
 $sql = "UPDATE ".MAIN_DB_PREFIX."societe SET ";
- $sql .= "entity = ".$this->db->escape($this->entity);
+ $sql .= "entity = ".((int) $this->entity);
 $sql .= ",nom = '".$this->db->escape($this->name)."'"; // Required
 $sql .= ",name_alias = '".$this->db->escape($this->name_alias)."'";
 $sql .= ",ref_ext = ".(!empty($this->ref_ext) ? "'".$this->db->escape($this->ref_ext)."'" : "null");
diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php
index ea0a885e00a..6d314157d61 100644
--- a/test/phpunit/CodingPhpTest.php
+++ b/test/phpunit/CodingPhpTest.php
@@ -331,6 +331,25 @@ class CodingPhpTest extends CommonClassTest
 $this->assertTrue($ok, 'Found a forged SQL string that contains the function NOW() in file '.$file['relativename'].' Using this SQL function is forbidden. See https://wiki.dolibarr.org/index.php?title=Language_and_development_rules#SQL_Coding_rules');
 //exit;
+ // Check bad casting on forge sql
+ $ok = true;
+ $matches = array();
+ preg_match_all('/\$sql\s*\.?=\s*[\"\'][a-z\s=_]+[\'\"]\s*\.\$([a-z->_]+)/', $filecontent, $matches, PREG_SET_ORDER);
+ foreach ($matches as $key => $val) {
+ if (in_array($val[1], array('object->get', 'user', 'this->sanitize', 'this->db->sanitize', 'this->db->escape', 'this->db->encrypt', 'this->db->plimit', 'db->decrypt', 'db->sanitize', 'db->ifsql', 'this->db->prefix', 'clause', 'sqlwhere', 'sqlorder'))) { // exclude $db->escape( and $this->
+ continue;
+ }
+ //if ($val[1] != '\'"' && $val[1] != '\'\'') {
+ var_dump($matches);
+ $ok = false;
+ break;
+ //}
+ //if ($reg[0] != 'db') $ok=false;
+ }
+ //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
+ $this->assertTrue($ok, 'Found a forged SQL string that does not use escape or int cast for file '.$file['relativename']);
+ //exit;
+
 // Check that forged sql string is using ' instead of " as string PHP quotes
 $ok = true;
 $matches = array();
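Review bot: `var_dump($matches);` inside the new foreach is debug output left in the test; on a failure it prints every match of the file to stdout instead of naming the offending one. Replace it with `$badmatch = $val[0];` and extend the assertion message to `'Found a forged SQL string that does not use escape or int cast for file '.$file['relativename'].': '.$badmatch`, and pass `true` as the third argument of `in_array()` so the name comparison is strict. A comment above the allow-list should also state that it is a naming convention, not an escaping proof: a variable named `clause`, `sqlwhere` or `sqlorder` is accepted regardless of how its content was built (the holiday.class.php fetchLog hunks of this commit pass by renaming their parameters), and any concatenation whose right-hand side starts with `(` or a function call is never examined. The enclosing test method starts and ends outside the hunk.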