diff --git a/htdocs/accountancy/journal/bankjournal.php b/htdocs/accountancy/journal/bankjournal.php
index 741b2c9f038..e3e2a308cf9 100644
--- a/htdocs/accountancy/journal/bankjournal.php
+++ b/htdocs/accountancy/journal/bankjournal.php
@@ -130,7 +130,7 @@ $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."bank_url as bu3 ON bu3.fk_bank = b.rowid A
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."bank_url as bu4 ON bu4.fk_bank = b.rowid AND bu4.type='payment_supplier'";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as soc on bu1.url_id=soc.rowid";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."user as u on bu2.url_id=u.rowid";
-$sql .= " WHERE ba.fk_accountancy_journal=".$id_journal;
+$sql .= " WHERE ba.fk_accountancy_journal=".((int) $id_journal);
 $sql .= ' AND b.amount != 0 AND ba.entity IN ('.getEntity('bank_account', 0).')'; // We don't share object for accountancy
 if ($date_start && $date_end) {
 $sql .= " AND b.dateo >= '".$db->idate($date_start)."' AND b.dateo <= '".$db->idate($date_end)."'";
diff --git a/htdocs/comm/action/card.php b/htdocs/comm/action/card.php
index 74ff6c6aa62..322a688bd45 100644
--- a/htdocs/comm/action/card.php
+++ b/htdocs/comm/action/card.php
@@ -1395,7 +1395,7 @@ if ($id > 0) {
 // Confirmation suppression action
 if ($action == 'delete') {
- print $form->formconfirm("card.php?id=".$id, $langs->trans("DeleteAction"), $langs->trans("ConfirmDeleteAction"), "confirm_delete", '', '', 1);
+ print $form->formconfirm("card.php?id=".urlencode($id), $langs->trans("DeleteAction"), $langs->trans("ConfirmDeleteAction"), "confirm_delete", '', '', 1);
 }
 if ($action == 'edit') {
diff --git a/htdocs/comm/mailing/card.php b/htdocs/comm/mailing/card.php
index 4958811ef4d..c3ef480d2ae 100644
--- a/htdocs/comm/mailing/card.php
+++ b/htdocs/comm/mailing/card.php
@@ -308,7 +308,7 @@ if (empty($reshook)) {
 dol_syslog("comm/mailing/card.php: ok for #".$i.($mail->error ? ' - '.$mail->error : ''), LOG_DEBUG);
 $sql = "UPDATE ".MAIN_DB_PREFIX."mailing_cibles";
- $sql .= " SET statut=1, date_envoi='".$db->idate($now)."' WHERE rowid=".$obj->rowid;
+ $sql .= " SET statut=1, date_envoi = '".$db->idate($now)."' WHERE rowid=".((int) $obj->rowid);
 $resql2 = $db->query($sql);
 if (!$resql2) {
 dol_print_error($db);
@@ -378,7 +378,7 @@ if (empty($reshook)) {
 }
 }
- $sql = "UPDATE ".MAIN_DB_PREFIX."mailing SET statut=".$statut." WHERE rowid=".$object->id;
+ $sql = "UPDATE ".MAIN_DB_PREFIX."mailing SET statut=".((int) $statut)." WHERE rowid = ".((int) $object->id);
 dol_syslog("comm/mailing/card.php: update global status", LOG_DEBUG);
 $resql2 = $db->query($sql);
 if (!$resql2) {
diff --git a/htdocs/comm/mailing/cibles.php b/htdocs/comm/mailing/cibles.php
index 27859403d96..afd6273d6c0 100644
--- a/htdocs/comm/mailing/cibles.php
+++ b/htdocs/comm/mailing/cibles.php
@@ -104,8 +104,6 @@ if ($action == 'add') {
 }
 if ($result > 0) {
 setEventMessages($langs->trans("XTargetsAdded", $result), null, 'mesgs');
- //header("Location: ".$_SERVER['PHP_SELF']."?id=".$id);
- //exit;
 $action = '';
 }
 if ($result == 0) {
diff --git a/htdocs/comm/propal/card.php b/htdocs/comm/propal/card.php
index ebca0177868..44e2ad8a4cd 100644
--- a/htdocs/comm/propal/card.php
+++ b/htdocs/comm/propal/card.php
@@ -1248,7 +1248,7 @@ if (empty($reshook)) {
 if (empty($user->rights->margins->creer)) {
 foreach ($object->lines as &$line) {
- if ($line->id == GETPOST('lineid')) {
+ if ($line->id == GETPOST('lineid', 'int')) {
 $fournprice = $line->fk_fournprice;
 $buyingprice = $line->pa_ht;
 break;
@@ -2433,7 +2433,7 @@ if ($action == 'create') {
 // Show object lines
 $result = $object->getLinesArray();
- print '
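Review bot: In the propal hunk at line 1248 the new `GETPOST('lineid', 'int')` is re-evaluated on every pass of the `foreach`, and `==` against `$line->id` (a value read back from the database, so possibly a string) is a loose comparison. Read it once and compare with explicit casts: `$lineid = GETPOST('lineid', 'int');` above the loop, then `if ((int) $line->id === $lineid) {`. The loop iterates by reference (`&$line`), so an `unset($line);` after it would avoid a dangling reference; the end of the loop is outside this hunk.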
+ print ' diff --git a/htdocs/commande/card.php b/htdocs/commande/card.php index 0665a567738..12117a5f1cb 100644 --- a/htdocs/commande/card.php +++ b/htdocs/commande/card.php @@ -1052,7 +1052,7 @@ if (empty($reshook)) { if (!$error) { if (empty($user->rights->margins->creer)) { foreach ($object->lines as &$line) { - if ($line->id == GETPOST('lineid')) { + if ($line->id == GETPOST('lineid', 'int')) { $fournprice = $line->fk_fournprice; $buyingprice = $line->pa_ht; break; @@ -2416,7 +2416,7 @@ if ($action == 'create' && $usercancreate) { */ $result = $object->getLinesArray(); - print ' + print ' diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php index c89ad9340d2..40fd3892c4c 100644 --- a/htdocs/commande/class/commande.class.php +++ b/htdocs/commande/class/commande.class.php @@ -4206,11 +4206,15 @@ class OrderLine extends CommonOrderLine $error = 0; + if (empty($this->id) && !empty($this->rowid)) { // For backward compatibility + $this->id = $this->rowid; + } + // check if order line is not in a shipment line before deleting $sqlCheckShipmentLine = "SELECT"; $sqlCheckShipmentLine .= " ed.rowid"; $sqlCheckShipmentLine .= " FROM ".MAIN_DB_PREFIX."expeditiondet ed"; - $sqlCheckShipmentLine .= " WHERE ed.fk_origin_line = ".$this->rowid; + $sqlCheckShipmentLine .= " WHERE ed.fk_origin_line = ".((int) $this->id); $resqlCheckShipmentLine = $this->db->query($sqlCheckShipmentLine); if (!$resqlCheckShipmentLine) { @@ -4235,7 +4239,7 @@ class OrderLine extends CommonOrderLine $this->db->begin(); - $sql = 'DELETE FROM '.MAIN_DB_PREFIX."commandedet WHERE rowid=".$this->rowid; + $sql = 'DELETE FROM '.MAIN_DB_PREFIX."commandedet WHERE rowid = ".((int) $this->id); dol_syslog("OrderLine::delete", LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/compta/bank/account_statement_document.php b/htdocs/compta/bank/account_statement_document.php index 6103df38f66..4f317c1a9ed 100644 
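Review bot: In the commande/card.php hunk at line 1052, `GETPOST('lineid', 'int')` on the new line is called once per iteration of the `foreach` and compared loosely (`==`) with `$line->id`, which may come back from the database as a string. Hoist it: `$lineid = GETPOST('lineid', 'int');` before the loop and `if ((int) $line->id === $lineid) {` inside it. The loop body and its closing are cut by the hunk.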
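Review bot: After the new backward-compatibility shim in `OrderLine::delete()`, `$this->id` can still be empty (neither `id` nor `rowid` set), and the shipment check then runs with `ed.fk_origin_line = 0` while the later `DELETE ... WHERE rowid = 0` silently affects nothing as the method proceeds as if it had succeeded. Add an explicit guard right after the shim: `if (empty($this->id)) { $this->error = 'ErrorBadParameters'; return -1; }`. The rest of the method (commit/rollback, triggers) lies outside these hunks, so any remaining `$this->rowid` reads there need the same `id` fallback.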
--- a/htdocs/compta/bank/account_statement_document.php
+++ b/htdocs/compta/bank/account_statement_document.php
@@ -129,7 +129,7 @@ if (!empty($numref)) {
 $object->fetch_thirdparty();
 $upload_dir = $conf->bank->dir_output."/".$id."/statement/".dol_sanitizeFileName($numref);
 }
-$backtopage = $_SERVER['PHP_SELF']."?account=".$id."&num=".$numref;
+$backtopage = $_SERVER['PHP_SELF']."?account=".urlencode($id)."&num=".urlencode($numref);
 include DOL_DOCUMENT_ROOT.'/core/actions_linkedfiles.inc.php';
diff --git a/htdocs/compta/bank/line.php b/htdocs/compta/bank/line.php
index 3aa477dfc9c..76f7f821f8a 100644
--- a/htdocs/compta/bank/line.php
+++ b/htdocs/compta/bank/line.php
@@ -291,7 +291,7 @@ if ($result) {
 // Confirmations
 if ($action == 'delete_categ') {
- print $form->formconfirm($_SERVER['PHP_SELF']."?rowid=".$rowid."&cat1=".GETPOST("fk_categ")."&orig_account=".$orig_account, $langs->trans("RemoveFromRubrique"), $langs->trans("RemoveFromRubriqueConfirm"), "confirm_delete_categ", '', 'yes', 1);
+ print $form->formconfirm($_SERVER['PHP_SELF']."?rowid=".urlencode($rowid)."&cat1=".urlencode(GETPOST("fk_categ", 'int'))."&orig_account=".urlencode($orig_account), $langs->trans("RemoveFromRubrique"), $langs->trans("RemoveFromRubriqueConfirm"), "confirm_delete_categ", '', 'yes', 1);
 }
 print '';
diff --git a/htdocs/compta/bank/various_payment/list.php b/htdocs/compta/bank/various_payment/list.php
index dcc1f4aef97..5e6d199db0a 100644
--- a/htdocs/compta/bank/various_payment/list.php
+++ b/htdocs/compta/bank/various_payment/list.php
@@ -226,7 +226,7 @@ $sql .= " WHERE v.entity IN (".getEntity('payment_various').")";
 // Search criteria
 if ($search_ref) {
- $sql .= " AND v.rowid=".$db->escape($search_ref);
+ $sql .= " AND v.rowid = ".((int) $search_ref);
 }
 if ($search_label) {
 $sql .= natural_search(array('v.label'), $search_label);
diff --git a/htdocs/compta/deplacement/card.php b/htdocs/compta/deplacement/card.php
index 3d4693f8c7b..6f390e82552 100644
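Review bot: `urlencode()` on the new `$backtopage` line only covers the URL context, while `$_SERVER['PHP_SELF']` is request-influenced (clients can append path-info to it), so wherever `actions_linkedfiles.inc.php` prints `$backtopage` into HTML or sends it as a `Location:` header it still needs escaping for that context — worth confirming in the include, which is outside this hunk. `$id` is presumably already int-filtered (it is concatenated unescaped into `$upload_dir` on the context line above), in which case `urlencode($id)` is a no-op and the meaningful part of the change is `urlencode($numref)`. A comment such as `// $backtopage is user-influenced via PHP_SELF and numref: escape again at the point of output` would stop the next reader from treating it as clean.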
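Review bot: The various_payment hunk is the one that closes a real hole: `$db->escape($search_ref)` only escapes quote characters, so in an unquoted numeric context a value like `1 OR 1=1` passed straight into `v.rowid=`, and the `(int)` cast is the correct fix. It does change behaviour, though: a non-numeric search value now becomes `v.rowid = 0` and silently matches nothing, so if users type a reference such as `VP12` into that field, either search `v.ref` with `natural_search()` the way the `$search_label` branch below does, or guard with `if ($search_ref !== '' && ctype_digit((string) $search_ref)) {`. How `$search_ref` is read is outside the hunk.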
--- a/htdocs/compta/deplacement/card.php +++ b/htdocs/compta/deplacement/card.php @@ -366,7 +366,7 @@ if ($action == 'create') { * Confirm delete trip */ if ($action == 'delete') { - print $form->formconfirm($_SERVER["PHP_SELF"]."?id=".$id, $langs->trans("DeleteTrip"), $langs->trans("ConfirmDeleteTrip"), "confirm_delete"); + print $form->formconfirm($_SERVER["PHP_SELF"]."?id=".urlencode($id), $langs->trans("DeleteTrip"), $langs->trans("ConfirmDeleteTrip"), "confirm_delete"); } $soc = new Societe($db); diff --git a/htdocs/compta/facture/card-rec.php b/htdocs/compta/facture/card-rec.php index 4f0148a05a1..1ee26e6daf3 100644 --- a/htdocs/compta/facture/card-rec.php +++ b/htdocs/compta/facture/card-rec.php @@ -770,7 +770,7 @@ if (empty($reshook)) { } /*$line = new FactureLigne($db); - $line->fetch(GETPOST('lineid')); + $line->fetch(GETPOST('lineid', 'int')); $percent = $line->get_prev_progress($object->id); if (GETPOST('progress') < $percent) @@ -823,7 +823,7 @@ if (empty($reshook)) { // Update line if (!$error) { $result = $object->updateline( - GETPOST('lineid'), + GETPOST('lineid', 'int'), $description, $pu_ht, $qty, @@ -1597,7 +1597,7 @@ if ($action == 'create') { // Lines - print ' + print ' diff --git a/htdocs/compta/facture/card.php b/htdocs/compta/facture/card.php index bde5a6e6c38..df27efe91ed 100644 --- a/htdocs/compta/facture/card.php +++ b/htdocs/compta/facture/card.php 
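Review bot: The changed `$line->fetch(GETPOST('lineid', 'int'));` in the card-rec.php hunk at line 770 sits inside a block comment — the context line just above opens it with `/*$line = new FactureLigne($db);` — so this edit has no runtime effect and only keeps dead code looking current. Either remove the commented-out block or leave it untouched; sanitizing code that never executes adds noise to a security sweep and can mislead a later audit into thinking the path is live. The closing `*/` and the live code that follows are outside this hunk.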
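Review bot: In the card-rec.php hunk at line 823, `GETPOST('lineid', 'int')` now guarantees an integer, but nothing visible ties that id to `$object`; unless `FactureRec::updateline()` itself verifies the row belongs to `$object->id`, a user allowed to edit one template invoice could update a line of another by changing `lineid`. A cheap check before the call is to fetch the line and compare its parent id with `$object->id`, setting `$error++` on mismatch. The start of the `if (!$error)` branch and the remaining `updateline` arguments are outside the hunk.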
@@ -238,13 +238,13 @@ if (empty($reshook)) { $object->fetch($id); $object->fetch_thirdparty(); - $result = $object->deleteline(GETPOST('lineid')); + $result = $object->deleteline(GETPOST('lineid', 'int')); if ($result > 0) { // Define output language $outputlangs = $langs; $newlang = ''; - if ($conf->global->MAIN_MULTILANGS && empty($newlang) && !empty($_REQUEST['lang_id'])) { - $newlang = $_REQUEST['lang_id']; + if ($conf->global->MAIN_MULTILANGS && empty($newlang) && GETPOST('lang_id')) { + $newlang = GETPOST('lang_id'); } if ($conf->global->MAIN_MULTILANGS && empty($newlang)) { $newlang = $object->thirdparty->default_lang; @@ -2416,7 +2416,7 @@ if (empty($reshook)) { if (!$error) { if (empty($usercancreatemargin)) { foreach ($object->lines as &$line) { - if ($line->id == GETPOST('lineid')) { + if ($line->id == GETPOST('lineid', 'int')) { $fournprice = $line->fk_fournprice; $buyingprice = $line->pa_ht; break; @@ -5168,7 +5168,7 @@ if ($action == 'create') { } } - print ' + print ' diff --git a/htdocs/compta/facture/class/facture-rec.class.php b/htdocs/compta/facture/class/facture-rec.class.php index 363a781538a..ee4d1a48397 100644 --- a/htdocs/compta/facture/class/facture-rec.class.php +++ b/htdocs/compta/facture/class/facture-rec.class.php @@ -765,7 +765,7 @@ class FactureRec extends CommonInvoice { $rowid = $this->id; - dol_syslog(get_class($this)."::delete rowid=".$rowid, LOG_DEBUG); + dol_syslog(get_class($this)."::delete rowid=".((int) $rowid), LOG_DEBUG); $error = 0; $this->db->begin(); diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php index 9ae760220a4..26a5d862457 100644 --- a/htdocs/compta/facture/class/facture.class.php +++ b/htdocs/compta/facture/class/facture.class.php 
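Review bot: `GETPOST('lang_id')` on the new lines in facture/card.php relies on the default filter, but a language code is only ever of the form `xx_XX` and `$newlang` goes on to select which language files are loaded, so the stricter filter is the right one: `if ($conf->global->MAIN_MULTILANGS && empty($newlang) && GETPOST('lang_id', 'aZ09')) { $newlang = GETPOST('lang_id', 'aZ09'); }`. Reading it once into a local also removes the double call. Replacing `$_REQUEST` with `GETPOST` is otherwise the right move, since it routes the value through the central sanitizer.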
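Review bot: In the facture/card.php hunk at line 2416, `GETPOST('lineid', 'int')` is re-read on every iteration of the `foreach` and compared with `==` to `$line->id`, which may be a string from the database. Hoist it above the loop as `$lineid = GETPOST('lineid', 'int');` and compare with `if ((int) $line->id === $lineid) {`. The loop is cut by the hunk on both sides.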
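Review bot: The `(int)` cast on the new `dol_syslog()` line in `FactureRec::delete()` only affects the log text; the `$rowid` that is interpolated into the DELETE statements further down the method (outside this hunk) is still the uncast `$this->id`. Cast once where the local is defined, `$rowid = (int) $this->id;`, so every later use — log and SQL alike — benefits, and drop the cast from the log call. Hardening the log while leaving the queries untouched gives a misleading impression that the method was fixed.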
@@ -3657,7 +3657,7 @@ class Facture extends CommonInvoice
 {
 global $user;
- dol_syslog(get_class($this)."::deleteline rowid=".$rowid, LOG_DEBUG);
+ dol_syslog(get_class($this)."::deleteline rowid=".((int) $rowid), LOG_DEBUG);
 if ($this->statut != self::STATUS_DRAFT) {
 $this->error = 'ErrorDeleteLineNotAllowedByObjectStatus';
diff --git a/htdocs/compta/prelevement/card.php b/htdocs/compta/prelevement/card.php
index 20a11effdad..cd3e155ae06 100644
--- a/htdocs/compta/prelevement/card.php
+++ b/htdocs/compta/prelevement/card.php
@@ -380,7 +380,7 @@ if ($id > 0 || $ref) {
 $num = $db->num_rows($result);
 $i = 0;
- $urladd = "&id=".$id;
+ $urladd = "&id=".urlencode($id);
 print ''."\n";
 print '';
diff --git a/htdocs/compta/prelevement/factures.php b/htdocs/compta/prelevement/factures.php
index 9cfeb860d33..c00c29e1c39 100644
--- a/htdocs/compta/prelevement/factures.php
+++ b/htdocs/compta/prelevement/factures.php
@@ -220,7 +220,7 @@ if ($resql) {
 $num = $db->num_rows($resql);
 $i = 0;
- $param = "&id=".$id;
+ $param = "&id=".urlencode($id);
 // Lines of title fields
 print '';
diff --git a/htdocs/compta/prelevement/line.php b/htdocs/compta/prelevement/line.php
index dce5dd39b60..a912ecdba3a 100644
--- a/htdocs/compta/prelevement/line.php
+++ b/htdocs/compta/prelevement/line.php
@@ -275,7 +275,7 @@ if ($id) {
 $num = $db->num_rows($result);
 $i = 0;
- $urladd = "&id=".$id;
+ $urladd = "&id=".urlencode($id);
 print_barre_liste($langs->trans("Bills"), $page, "factures.php", $urladd, $sortfield, $sortorder, '', $num, 0, '');
diff --git a/htdocs/contrat/card.php b/htdocs/contrat/card.php
index 1ab26b73c75..c925dea94bf 100644
--- a/htdocs/contrat/card.php
+++ b/htdocs/contrat/card.php
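Review bot: In `Facture::deleteline()` the `((int) $rowid)` on the `dol_syslog()` line hardens only the log message, while the `$rowid` used by the actual delete queries later in the method (outside this hunk) is unchanged. Normalize the parameter once at the top instead, `$rowid = (int) $rowid;` right after `global $user;`, and log the plain variable. The draft-status check that follows is the right gate; whether the method also verifies that the line's `fk_facture` matches `$this->id` is worth confirming in the part below the hunk.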
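Review bot: In prelevement/card.php, `$urladd = "&id=".urlencode($id);` is built inside `if ($id > 0 || $ref)`, so when the page was reached by `ref` alone `$id` can be empty and every link built from `$urladd` carries `&id=` with no value. The id of the fetched record — presumably `$object->id`, though the fetch is outside this hunk — is the safer source: `$urladd = "&id=".urlencode($object->id);`. `urlencode()` is a no-op if `$id` is already int-filtered; HTML-attribute escaping of `$urladd` is then up to whatever prints it.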
@@ -711,7 +711,7 @@ if (empty($reshook)) { $db->rollback(); } } elseif ($action == 'confirm_deleteline' && $confirm == 'yes' && $user->rights->contrat->creer) { - $result = $object->deleteline(GETPOST('lineid'), $user); + $result = $object->deleteline(GETPOST('lineid', 'int'), $user); if ($result >= 0) { header("Location: ".$_SERVER['PHP_SELF']."?id=".$object->id); @@ -1963,7 +1963,7 @@ if ($action == 'create') { $dateSelector = 1; print "\n"; - print ' + print ' diff --git a/htdocs/contrat/class/contrat.class.php b/htdocs/contrat/class/contrat.class.php index 33dd0e8e2f7..3bfe1a2315e 100644 --- a/htdocs/contrat/class/contrat.class.php +++ b/htdocs/contrat/class/contrat.class.php @@ -1832,7 +1832,7 @@ class Contrat extends CommonObject $this->db->begin(); $sql = "DELETE FROM ".MAIN_DB_PREFIX.$this->table_element_line; - $sql .= " WHERE rowid=".$idline; + $sql .= " WHERE rowid = ".((int) $idline); dol_syslog(get_class($this)."::deleteline", LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php index 2088263a2c2..4aa20d8f41a 100644 --- a/htdocs/core/class/commonobject.class.php +++ b/htdocs/core/class/commonobject.class.php @@ -8893,7 +8893,7 @@ abstract class CommonObject $this->db->begin(); $sql = "DELETE FROM ".MAIN_DB_PREFIX.$this->table_element_line; - $sql .= " WHERE rowid=".$idline; + $sql .= " WHERE rowid = ".((int) $idline); dol_syslog(get_class($this)."::deleteLineCommon", LOG_DEBUG); $resql = $this->db->query($sql); diff --git a/htdocs/core/lib/company.lib.php b/htdocs/core/lib/company.lib.php index 7183e24dea5..d197b687876 100644 --- a/htdocs/core/lib/company.lib.php +++ b/htdocs/core/lib/company.lib.php 
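Review bot: The DELETE on the new line in `Contrat::deleteline()` keys on `rowid` alone, so it removes any `contratdet` row whose id is passed regardless of which contract owns it; unless the caller or the part of the method above this hunk checks ownership, a user with `contrat->creer` on one contract can delete lines of another (the caller in contrat/card.php passes `GETPOST('lineid', 'int')` straight through). Scope the statement to the object: `$sql .= " WHERE rowid = ".((int) $idline)." AND fk_contrat = ".((int) $this->id);` and treat zero affected rows as an error. `fk_contrat` is the usual parent column for that table but should be confirmed against the schema.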
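Review bot: `CommonObject::deleteLineCommon()` issues `DELETE FROM <table_element_line> WHERE rowid = N` with no link back to the parent object, so every module relying on it inherits the same cross-object deletion exposure as the contract line deletion in this commit. Where the line table carries a parent key, append `." AND ".$this->fk_element." = ".((int) $this->id)` (guarded by `!empty($this->fk_element)`, if the class exposes the parent-column name that way), or state in the method's docblock that callers must verify the line belongs to `$this` before calling. How `$resql` is handled afterwards is outside this hunk.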
@@ -571,7 +571,7 @@ function getState($id, $withcode = '', $dbtouse = 0, $withregion = 0, $outputlan
 $sql = "SELECT d.rowid as id, d.code_departement as code, d.nom as name, d.active, c.label as country, c.code as country_code, r.code_region as region_code, r.nom as region_name FROM";
 $sql .= " ".MAIN_DB_PREFIX."c_departements as d, ".MAIN_DB_PREFIX."c_regions as r,".MAIN_DB_PREFIX."c_country as c";
- $sql .= " WHERE d.fk_region=r.code_region and r.fk_pays=c.rowid and d.rowid=".$id;
+ $sql .= " WHERE d.fk_region=r.code_region and r.fk_pays=c.rowid and d.rowid=".((int) $id);
 $sql .= " AND d.active = 1 AND r.active = 1 AND c.active = 1";
 $sql .= " ORDER BY c.code, d.code_departement";
diff --git a/htdocs/core/tpl/resource_view.tpl.php b/htdocs/core/tpl/resource_view.tpl.php
index 81ad11ebdc9..740590cb34a 100644
--- a/htdocs/core/tpl/resource_view.tpl.php
+++ b/htdocs/core/tpl/resource_view.tpl.php
@@ -33,7 +33,7 @@ if ((array) $linked_resources && count($linked_resources) > 0) {
 //$element_id = $linked_resource['rowid'];
- if ($mode == 'edit' && $linked_resource['rowid'] == GETPOST('lineid')) {
+ if ($mode == 'edit' && $linked_resource['rowid'] == GETPOST('lineid', 'int')) {
 print '
'; print ''; print ''; @@ -47,7 +47,7 @@ if ((array) $linked_resources && count($linked_resources) > 0) { print '
'; } else { $class = ''; - if ($linked_resource['rowid'] == GETPOST('lineid')) { + if ($linked_resource['rowid'] == GETPOST('lineid', 'int')) { $class = 'highlight'; } diff --git a/htdocs/don/card.php b/htdocs/don/card.php index 1dfade00bec..0763ff9b7e5 100644 --- a/htdocs/don/card.php +++ b/htdocs/don/card.php @@ -120,7 +120,7 @@ if ($action == 'confirm_reopen' && $confirm == 'yes' && $permissiontoadd) { if ($action == 'update') { if (!empty($cancel)) { - header("Location: ".$_SERVER['PHP_SELF']."?id=".$id); + header("Location: ".$_SERVER['PHP_SELF']."?id=".urlencode($id)); exit; } diff --git a/htdocs/expedition/class/expeditionbatch.class.php b/htdocs/expedition/class/expeditionbatch.class.php index f97d6b87a1b..736cfba6e42 100644 --- a/htdocs/expedition/class/expeditionbatch.class.php +++ b/htdocs/expedition/class/expeditionbatch.class.php @@ -151,10 +151,8 @@ class ExpeditionLineBatch extends CommonObject */ public static function deletefromexp($db, $id_expedition) { - $id_expedition = (int) $id_expedition; - $sql = "DELETE FROM ".MAIN_DB_PREFIX.self::$_table_element; - $sql .= " WHERE fk_expeditiondet in (SELECT rowid FROM ".MAIN_DB_PREFIX."expeditiondet WHERE fk_expedition=".$id_expedition.")"; + $sql .= " WHERE fk_expeditiondet in (SELECT rowid FROM ".MAIN_DB_PREFIX."expeditiondet WHERE fk_expedition=".((int) $id_expedition).")"; dol_syslog(__METHOD__, LOG_DEBUG); if ($db->query($sql)) { diff --git a/htdocs/expedition/shipment.php b/htdocs/expedition/shipment.php index cba2e14cf74..80dbaf698ef 100644 --- a/htdocs/expedition/shipment.php +++ b/htdocs/expedition/shipment.php 
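Review bot: Dropping the `$id_expedition = (int) $id_expedition;` assignment in `ExpeditionLineBatch::deletefromexp()` in favour of an inline cast is fine for the one query shown, but any other use of `$id_expedition` further down the method (outside this hunk — a log message or a second statement) now sees the raw parameter again. Keeping the normalisation at the top, `$id_expedition = (int) $id_expedition;`, and casting nowhere else is the more robust pattern for a `public static` helper that takes the id from arbitrary callers. If the query is the only use, the change is equivalent and nothing else is needed.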
@@ -258,7 +258,7 @@ if ($id > 0 || !empty($ref)) { // Confirm validation if ($action == 'cloture') { - $formconfirm = $form->formconfirm($_SERVER['PHP_SELF']."?id=".$id, $langs->trans("CloseShipment"), $langs->trans("ConfirmCloseShipment"), "confirm_cloture"); + $formconfirm = $form->formconfirm($_SERVER['PHP_SELF']."?id=".urlencode($id), $langs->trans("CloseShipment"), $langs->trans("ConfirmCloseShipment"), "confirm_cloture"); } // Call Hook formConfirm diff --git a/htdocs/fourn/class/fournisseur.facture.class.php b/htdocs/fourn/class/fournisseur.facture.class.php index fca16305047..8245e8ec1cc 100644 --- a/htdocs/fourn/class/fournisseur.facture.class.php +++ b/htdocs/fourn/class/fournisseur.facture.class.php @@ -678,7 +678,7 @@ class FactureFournisseur extends CommonInvoice $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_paiement as p ON t.fk_mode_reglement = p.id"; $sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_incoterms as i ON t.fk_incoterms = i.rowid'; if ($id) { - $sql .= " WHERE t.rowid=".$id; + $sql .= " WHERE t.rowid=".((int) $id); } if ($ref) { $sql .= " WHERE t.ref='".$this->db->escape($ref)."' AND t.entity IN (".getEntity('supplier_invoice').")"; diff --git a/htdocs/fourn/commande/card.php b/htdocs/fourn/commande/card.php index 8358b71f2c7..e33b9de48c1 100644 --- a/htdocs/fourn/commande/card.php +++ b/htdocs/fourn/commande/card.php @@ -1326,7 +1326,7 @@ if (empty($reshook)) { $_GET['socid'] = $_POST['socid']; } else { $db->commit(); - header("Location: ".$_SERVER['PHP_SELF']."?id=".$id); + header("Location: ".$_SERVER['PHP_SELF']."?id=".urlencode($id)); exit; } } @@ -2275,7 +2275,7 @@ if ($action == 'create') { //$result = $object->getLinesArray(); - print ' + print ' diff --git a/htdocs/fourn/commande/dispatch.php b/htdocs/fourn/commande/dispatch.php index c27a33f522b..b183092972e 100644 --- a/htdocs/fourn/commande/dispatch.php +++ b/htdocs/fourn/commande/dispatch.php 
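Review bot: In `FactureFournisseur::fetch()` the `$id` branch on the new line still appends a `WHERE` with no entity filter, while the `$ref` branch two lines below adds `AND t.entity IN (getEntity('supplier_invoice'))`; in a multi-company setup fetching by id therefore crosses entities where fetching by ref does not, and a call that passes both `$id` and `$ref` emits two `WHERE` clauses and a SQL error. Make the branches exclusive and symmetric: `if ($id) { $sql .= " WHERE t.rowid = ".((int) $id)." AND t.entity IN (".getEntity('supplier_invoice').")"; } elseif ($ref) {`. Whether id-fetches are meant to bypass entity scoping for supplier invoices is a project convention I cannot confirm from this hunk.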
@@ -1166,7 +1166,7 @@ if ($id > 0 || !empty($ref)) { $objp = $db->fetch_object($resql); if ($action == 'editline' && $lineid == $objp->dispatchlineid) { - print ' + print ' diff --git a/htdocs/fourn/facture/card.php b/htdocs/fourn/facture/card.php index 578c9c7e062..e59e4583e72 100644 --- a/htdocs/fourn/facture/card.php +++ b/htdocs/fourn/facture/card.php @@ -3293,7 +3293,7 @@ if ($action == 'create') { /* * Lines */ - print ''; + print ''; print ''; print ''; print ''; diff --git a/htdocs/ftp/admin/ftpclient.php b/htdocs/ftp/admin/ftpclient.php index 5094f178cea..12ee32a496f 100644 --- a/htdocs/ftp/admin/ftpclient.php +++ b/htdocs/ftp/admin/ftpclient.php @@ -237,6 +237,7 @@ if (!function_exists('ftp_connect')) { while ($i < $num) { $obj = $db->fetch_object($resql); + $reg = array(); preg_match('/([0-9]+)$/i', $obj->name, $reg); $idrss = $reg[0]; //print "x".join(',',$reg)."=".$obj->name."=".$idrss; diff --git a/htdocs/install/lib/repair.lib.php b/htdocs/install/lib/repair.lib.php index 242fbff25d4..bd54e55ebde 100644 --- a/htdocs/install/lib/repair.lib.php +++ b/htdocs/install/lib/repair.lib.php @@ -140,7 +140,7 @@ function clean_data_ecm_directories() $label = $obj->label; $newlabel = dol_sanitizeFileName($label); if ($label != $newlabel) { - $sqlupdate = "UPDATE ".MAIN_DB_PREFIX."ecm_directories set label='".$db->escape($newlabel)."' WHERE rowid=".$id; + $sqlupdate = "UPDATE ".MAIN_DB_PREFIX."ecm_directories set label = '".$db->escape($newlabel)."' WHERE rowid = ".((int) $id); print ''.$sqlupdate."\n"; $resqlupdate = $db->query($sqlupdate); if (!$resqlupdate) { diff --git a/htdocs/intracommreport/card.php b/htdocs/intracommreport/card.php index 0226848bd48..24b8797a670 100644 --- a/htdocs/intracommreport/card.php +++ b/htdocs/intracommreport/card.php 
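Review bot: In ftpclient.php, initialising `$reg = array();` only silences the undefined-variable warning; when `$obj->name` has no trailing digits, `preg_match()` leaves `$reg` empty and the next line `$idrss = $reg[0];` still reads an undefined index and yields `null`. Check the return value instead: `if (!preg_match('/([0-9]+)$/', $obj->name, $reg)) { $i++; continue; }` followed by `$idrss = (int) $reg[1];` (the `i` modifier is pointless on a digit-only pattern). How `$idrss` is consumed after this hunk decides whether a `null` id is cosmetic or feeds a query.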
@@ -203,7 +203,7 @@ if ($id > 0 && $action != 'edit') {
 );
 }
 print $form->formconfirm(
- "card.php?rowid=".$id,
+ "card.php?rowid=".urlencode($id),
 $langs->trans("DeleteReport"),
 $langs->trans("ConfirmDeleteReport"),
 "confirm_delete",
diff --git a/htdocs/margin/productMargins.php b/htdocs/margin/productMargins.php
index f18cc4ee503..ac006c042aa 100644
--- a/htdocs/margin/productMargins.php
+++ b/htdocs/margin/productMargins.php
@@ -198,7 +198,7 @@ $sql .= ' AND f.entity IN ('.getEntity('invoice').')';
 $sql .= " AND f.fk_statut NOT IN (".$db->sanitize(implode(', ', $invoice_status_except_list)).")";
 $sql .= " AND d.fk_facture = f.rowid";
 if ($id > 0) {
- $sql .= " AND d.fk_product =".$id;
+ $sql .= " AND d.fk_product =".((int) $id);
 }
 if (!empty($TSelectedCats)) {
 $sql .= ' AND cp.fk_categorie IN ('.$db->sanitize(implode(',', $TSelectedCats)).')';
diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index fbe706e93db..a1fd7a5b1dc 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
@@ -4535,8 +4535,8 @@ class Product extends CommonObject
 $sql .= " FROM ".MAIN_DB_PREFIX."product as p,";
 $sql .= " ".MAIN_DB_PREFIX."product_association as pa";
 $sql .= " WHERE p.rowid = pa.fk_product_fils";
- $sql .= " AND pa.fk_product_pere = ".$id;
- $sql .= " AND pa.fk_product_fils != ".$id; // This should not happens, it is to avoid infinite loop if it happens
+ $sql .= " AND pa.fk_product_pere = ".((int) $id);
+ $sql .= " AND pa.fk_product_fils <> ".((int) $id); // This should not happens, it is to avoid infinite loop if it happens
 dol_syslog(get_class($this).'::getChildsArbo id='.$id.' level='.$level, LOG_DEBUG);
diff --git a/htdocs/product/price.php b/htdocs/product/price.php
index a08eaa8558b..7dfb94be79f 100644
--- a/htdocs/product/price.php
+++ b/htdocs/product/price.php
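Review bot: In `Product::getChildsArbo()` the `pa.fk_product_fils <> id` guard on the new line, as its trailing comment admits, only stops a product that lists itself as its own child; a two-step cycle (A contains B, B contains A) passes it and the recursion runs until time or memory is exhausted. The bound has to come from `$level` — if the method does not already cap it (that logic is outside this hunk), add an early return such as `if ($level > 20) { return array(); }` at the top, or carry a set of visited ids through the recursion. The `(int)` casts are correct and `<>` versus `!=` is cosmetic.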
@@ -568,7 +568,7 @@ if (empty($reshook)) {
 if ($action == 'delete_customer_price' && ($user->rights->produit->supprimer || $user->rights->service->supprimer)) {
 // Delete price by customer
- $prodcustprice->id = GETPOST('lineid');
+ $prodcustprice->id = GETPOST('lineid', 'int');
 $result = $prodcustprice->delete($user);
 if ($result < 0) {
diff --git a/htdocs/product/stock/card.php b/htdocs/product/stock/card.php
index 0a77a39a0df..0d3783dc161 100644
--- a/htdocs/product/stock/card.php
+++ b/htdocs/product/stock/card.php
@@ -137,7 +137,7 @@ if (empty($reshook)) {
 header("Location: ".$backtopage);
 exit;
 } else {
- header("Location: card.php?id=".$id);
+ header("Location: card.php?id=".urlencode($id));
 exit;
 }
 } else {
diff --git a/htdocs/reception/class/reception.class.php b/htdocs/reception/class/reception.class.php
index d5e3feaa255..946990f0c7b 100644
--- a/htdocs/reception/class/reception.class.php
+++ b/htdocs/reception/class/reception.class.php
@@ -1317,7 +1317,7 @@ class Reception extends CommonObject
 $sql = "SELECT em.rowid, em.code, em.libelle, em.description, em.tracking, em.active";
 $sql .= " FROM ".MAIN_DB_PREFIX."c_shipment_mode as em";
 if ($id != '') {
- $sql .= " WHERE em.rowid=".$id;
+ $sql .= " WHERE em.rowid = ".((int) $id);
 }
 $resql = $this->db->query($sql);
diff --git a/htdocs/societe/list.php b/htdocs/societe/list.php
index 9c5d261f996..f79857d744f 100644
--- a/htdocs/societe/list.php
+++ b/htdocs/societe/list.php
@@ -292,7 +292,7 @@ if ($action == "change") { // Change customer for TakePOS
 $db->query($sql);
 }
- $sql = "UPDATE ".MAIN_DB_PREFIX."facture set fk_soc=".$idcustomer." where ref='(PROV-POS".$_SESSION["takeposterminal"]."-".$place.")'";
+ $sql = "UPDATE ".MAIN_DB_PREFIX."facture set fk_soc=".((int) $idcustomer)." where ref='(PROV-POS".$_SESSION["takeposterminal"]."-".$place.")'";
 $resql = $db->query($sql);
 ?>
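Review bot: In product/price.php, `$prodcustprice->id = GETPOST('lineid', 'int');` now yields an integer, but the delete is gated only on a product-wide `supprimer` right and nothing checks that the customer-price row belongs to the product being edited; with `lineid` absent it also calls `delete()` with id `0`. Fetch the row first, bail out unless the id is `> 0`, and compare its `fk_product` with the current product before calling `delete($user)`. Whether the price class performs such a check itself is outside this hunk.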
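Review bot: The guard `if ($id != '')` around the new line in reception.class.php is a loose comparison whose result for `$id = 0` flips between PHP versions (`0 != ''` is false on PHP 7 and true on PHP 8), so an id of `0` either fetches every shipment mode or filters on `em.rowid = 0` depending on the runtime. Make the intent explicit: `if ((int) $id > 0) {`, or `if ($id !== '' && $id !== null) {` if a zero id is meaningful. The `(int)` cast on the interpolated value is correct either way.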
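Review bot: The new UPDATE in societe/list.php casts `$idcustomer` but still interpolates `$_SESSION["takeposterminal"]` and `$place` into the quoted `ref` literal with no escaping; `$place` is presumably request-derived in the TakePOS flow (its origin is outside this hunk), so the statement stays injectable through that value. Escape both pieces: `." where ref = '(PROV-POS".$db->escape($_SESSION["takeposterminal"])."-".$db->escape($place).")'"`, or cast them with `(int)` if terminal and place ids are always numeric. Fixing one operand of a query while leaving a string operand raw does not close the injection.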