Fix path to copyrighted files

FIX bad calculation for stock value

ChangeLog

@@ -3,10 +3,33 @@ English Dolibarr ChangeLog
 --------------------------------------------------------------
 
 ***** ChangeLog for 3.5.7 compared to 3.5.6 *****
-Fix: Paypal link were broken dur to SSL v3 closed.
+Fix: Paypal link were broken due to SSL v3 closed.
 Fix: [ bug #1769 ] Error when installing to a PostgreSQL DB that contains numbers
 Fix: [ bug #1752 ] Date filter of margins module, filters since 12H instead of 00H
 Fix: [ bug #1757 ] Sorting breaks product/service statistics
+Fix: [ bug #1797 ] Tulip supplier invoice module takes creation date instead of invoice date
+Fix: [ bug #1792 ] Users are not allowed to see margins module index page when no product view permission is enabled
+Fix: [ bug #1846 ] Browser IE11 not detected
+Fix: [ bug #1906 ] Deplacement does not allow translated decimal format
+Fix: [ bug #1905 ] Custom deplacement types do not get translated in deplacement card
+Fix: [ bug #2583 ] Unable to create a bank transfer with localized numbers
+Fix: [ bug #2577 ] Incorrect invoice status in "Linked objects" page of a project
+Fix: [ bug #2576 ] Unable to edit a dictionary entry that has # in its ref
+Fix: [ bug #2758 ] Product::update sets product note to "null" when $prod->note is null
+Fix: [ bug #2757 ] Deleting product category photo gives "Forbidden access" error
+Fix: [ bug #2976 ] "Report" tab is the current tab but it is not marked as selected by the UI
+Fix: [ bug #2861 ] Undefined variable $res when migrating
+Fix: [ bug #2837 ] Product list table column header does not match column body
+Fix: [ bug #2835 ] Customer prices of a product shows incorrect history order
+Fix: [ bug #2814 ] JPEG photos are not displayed in Product photos page
+Fix: [ bug #2715 ] Statistics page has broken layout with long thirdparty names
+Fix: [ bug #2570 ] [Contacts] Page should not process if ID is invalid
+Fix: [ bug #3268 ] SQL error when accessing thirdparty log page without a socid parameter
+Fix: [ bug #3180 ] formObjectOptions hook when editing thirdparty card does not print result
+Fix: [ bug #1791 ] Margin menu not available if any Finance module is not enabled
+Fix: [ bug #3310 ] OrderLine::fetch, FactureLigne::fetch and PropaleLigne::fetch do not return anything
+Fix: [ bug #3206 ] PropaleLigne, OrderLine and FactureLigne given to triggers through update function does not contain all the information
+Fix: [ bug #3313 ] Error enabling module with PostgreSQL database
 
 ***** ChangeLog for 3.5.6 compared to 3.5.5 *****
 Fix: Avoid missing class error for fetch_thirdparty method #1973

build/debian/changelog

@@ -1,3 +1,10 @@
+dolibarr (3.5.7-3) unstable; urgency=low
+
+  [ Laurent Destailleur (eldy) ]
+  * New upstream release.
+    
+ -- Laurent Destailleur (eldy) <eldy@users.sourceforge.net>  Tue, 12 May 2015 12:00:00 +0100     
+
 dolibarr (3.5.6-3) unstable; urgency=low
 
   [ Laurent Destailleur (eldy) ]

build/debian/copyright

@@ -159,7 +159,7 @@ Comments:
  Those files are not shipped in the binary package as we
  configure Dolibarr to use Dejavu fonts from "fonts-dejavu-core".
   
-Files: docs/images/*
+Files: doc/images/*
 Copyright: Laurent Destailleur 
 License: CC-BY-SA-3.0
  You are free:
@@ -176,7 +176,7 @@ License: CC-BY-SA-3.0
  .
  For more information, see http://creativecommons.org/licenses/by-sa/3.0/
 
-Files: htdocs/includes/fpdi/*
+Files: htdocs/includes/fpdfi/*
 Copyright: 2004-2011 Setasign - Jan Slabon
 License: GPL-2+
  This program is free software; you can redistribute it

build/exe/doliwamp/doliwamp.iss

@@ -17,9 +17,9 @@
 ; ----- Change this -----
 AppName=DoliWamp
 ; DoliWamp-x.x.x or DoliWamp-x.x.x-alpha or DoliWamp-x.x.x-beta or DoliWamp-x.x.x-rc or DoliWamp-x.x.x
-AppVerName=DoliWamp-3.5.6
+AppVerName=__FILENAMEEXEDOLIWAMP__
 ; DoliWamp-x.x x or DoliWamp-x.x.x-alpha or DoliWamp-x.x.x-beta or DoliWamp-x.x.x-rc or DoliWamp-x.x.x
-OutputBaseFilename=DoliWamp-3.5.6
+OutputBaseFilename=__FILENAMEEXEDOLIWAMP__
 ; ----- End of change
 ;OutputManifestFile=build\doliwampbuild.log
 ; Define full path from which all relative path are defined
@@ -32,7 +32,7 @@ AppPublisherURL=http://www.nltechno.com
 AppSupportURL=http://www.dolibarr.org
 AppUpdatesURL=http://www.dolibarr.org
 AppComments=DoliWamp includes Dolibarr, Apache, PHP and Mysql softwares.
-AppCopyright=Copyright (C) 2008-2013 Laurent Destailleur, NLTechno
+AppCopyright=Copyright (C) 2008-2015 Laurent Destailleur, NLTechno
 DefaultDirName=c:\dolibarr
 DefaultGroupName=Dolibarr
 ;LicenseFile=COPYING
@@ -109,7 +109,7 @@ Source: "C:\Program Files\Wamp\bin\mysql\mysql5.0.45\*.*"; DestDir: "{app}\bin\m
 Source: "build\exe\doliwamp\mysql\*.*"; DestDir: "{app}\bin\mysql\data\mysql"; Flags: onlyifdoesntexist ignoreversion recursesubdirs; Excludes: ".gitignore,.project,CVS\*,Thumbs.db"
 ; Dolibarr
 Source: "htdocs\*.*"; DestDir: "{app}\www\dolibarr\htdocs"; Flags: ignoreversion recursesubdirs; Excludes: ".gitignore,.project,CVS\*,Thumbs.db,custom\*,custom2\*,documents\*,includes\ckeditor\_source\*,includes\savant\*,includes\phpmailer\*,jquery\plugins\template\*,nltechno*,PHPExcel\Shared\PDF\*,PHPExcel\Shared\PCLZip\*,tcpdf\fonts\dejavu-fonts-ttf-2.33\*,tcpdf\fonts\freefont-20100919\*,tcpdf\fonts\utils\*,*\conf.php,*\conf.php.mysql,*\conf.php.old,*\conf.php.postgres,*\conf.php.sav,*\install.forced.php"
-Source: "dev\*.*"; DestDir: "{app}\www\dolibarr\dev"; Flags: ignoreversion recursesubdirs; Excludes: ".gitignore,.project,CVS\*,Thumbs.db,dbmodel\*,fpdf\*,initdata\*,iso-normes\*,licence\*,phpcheckstyle\*,phpunit\*,samples\*,test\*,uml\*,xdebug\*"
+Source: "dev\*.*"; DestDir: "{app}\www\dolibarr\dev"; Flags: ignoreversion recursesubdirs; Excludes: ".gitignore,.project,CVS\*,Thumbs.db,dbmodel\*,fpdf\*,initdata\*,iso-normes\*,licence\*,phpcheckstyle\*,phpunit\*,samples\*,test\*,uml\*,vagrant\*,xdebug\*"
 Source: "doc\*.*"; DestDir: "{app}\www\dolibarr\doc"; Flags: ignoreversion recursesubdirs; Excludes: ".gitignore,.project,CVS\*,Thumbs.db,wiki\*,plaquette\*,dev\*,images\dolibarr_screenshot2.png,images\dolibarr_screenshot3.png,images\dolibarr_screenshot4.png,images\dolibarr_screenshot5.png,images\dolibarr_screenshot6.png,images\dolibarr_screenshot7.png,images\dolibarr_screenshot8.png,images\dolibarr_screenshot9.png,images\dolibarr_screenshot10.png,images\dolibarr_screenshot11.png,images\dolibarr_screenshot12.png"
 Source: "scripts\*.*"; DestDir: "{app}\www\dolibarr\scripts"; Flags: ignoreversion recursesubdirs; Excludes: ".gitignore,.project,CVS\*,Thumbs.db,product\materiel.net.php,product\import-product.php"
 Source: "*.*"; DestDir: "{app}\www\dolibarr"; Flags: ignoreversion; Excludes: ".gitignore,.project,CVS\*,Thumbs.db,default.properties,install.lock"

build/makepack-howto.txt

@@ -12,7 +12,6 @@ beta version of Dolibarr, step by step.
 - Update version number with x.y.z-w in htdocs/filefunc.inc.php
 - Update version number with x.y.z-w in build/debian/changelog
 - Update version number with x.y.z-w in build/exe/doliwamp/doliwamp.iss
-- Update version number with x.y.z-w in build/rpm/*.spec
 - Commit all changes.
 - Add a Tag (x.y.betaz_YYYYMMDD) and push it: git push --tags
 - Create a branch (x.y).
@@ -34,7 +33,6 @@ complete release of Dolibarr, step by step.
 - Update version number with x.y.z in htdocs/filefunc.inc.php
 - Update version number with x.y.z in build/debian/changelog
 - Update version number with x.y.z in build/exe/doliwamp/doliwamp.iss
-- Update version number with x.y.z in build/rpm/*.spec
 - Commit all changes.
 - Add a Tag (x.y.z)
 

build/rpm/dolibarr_fedora.spec

@@ -331,23 +331,4 @@ fi
 
 # version x.y.z-0.1.a for alpha, x.y.z-0.2.b for beta, x.y.z-0.3 for release
 %changelog
-* Tue Dec 2 2014 Laurent Destailleur 3.5.6-0.3
-- Upstream release
-
-* Tue Jul 8 2014 Laurent Destailleur 3.5.5-0.3
-- Upstream release
-
-* Tue Jul 1 2014 Laurent Destailleur 3.5.4-0.3
-- Upstream release
-
-* Fri May 2 2014 Laurent Destailleur 3.5.3-0.3
-- Upstream release
-
-* Fri Feb 14 2014 Laurent Destailleur 3.5.2-0.3
-- Upstream release
-
-* Fri Feb 7 2014 Laurent Destailleur 3.5.1-0.3
-- Upstream release
-
-* Mon Dec 30 2013 Laurent Destailleur 3.5.0-0.3
-- Initial version (#723326)
+__CHANGELOGSTRING__

build/rpm/dolibarr_generic.spec

@@ -567,23 +567,4 @@ fi
 
 # version x.y.z-0.1.a for alpha, x.y.z-0.2.b for beta, x.y.z-0.3 for release
 %changelog
-* Tue Dec 2 2014 Laurent Destailleur 3.5.6-0.3
-- Upstream release
-
-* Tue Jul 8 2014 Laurent Destailleur 3.5.5-0.3
-- Upstream release
-
-* Tue Jul 1 2014 Laurent Destailleur 3.5.4-0.3
-- Upstream release
-
-* Fri May 2 2014 Laurent Destailleur 3.5.3-0.3
-- Upstream release
-
-* Fri Feb 14 2014 Laurent Destailleur 3.5.2-0.3
-- Upstream release
-
-* Fri Feb 7 2014 Laurent Destailleur 3.5.1-0.3
-- Upstream release
-
-* Mon Dec 30 2013 Laurent Destailleur 3.5.0-0.3
-- Initial version (#723326)
+__CHANGELOGSTRING__

build/rpm/dolibarr_mandriva.spec

@@ -336,23 +336,4 @@ fi
 
 # version x.y.z-0.1.a for alpha, x.y.z-0.2.b for beta, x.y.z-0.3 for release
 %changelog
-* Tue Dec 2 2014 Laurent Destailleur 3.5.6-0.3
-- Upstream release
-
-* Tue Jul 8 2014 Laurent Destailleur 3.5.5-0.3
-- Upstream release
-
-* Tue Jul 1 2014 Laurent Destailleur 3.5.4-0.3
-- Upstream release
-
-* Fri May 2 2014 Laurent Destailleur 3.5.3-0.3
-- Upstream release
-
-* Fri Feb 14 2014 Laurent Destailleur 3.5.2-0.3
-- Upstream release
-
-* Fri Feb 7 2014 Laurent Destailleur 3.5.1-0.3
-- Upstream release
-
-* Mon Dec 30 2013 Laurent Destailleur 3.5.0-0.3
-- Initial version (#723326)
+__CHANGELOGSTRING__

build/rpm/dolibarr_opensuse.spec

@@ -347,23 +347,4 @@ fi
 
 # version x.y.z-0.1.a for alpha, x.y.z-0.2.b for beta, x.y.z-0.3 for release
 %changelog
-* Tue Dec 2 2014 Laurent Destailleur 3.5.6-0.3
-- Upstream release
-
-* Tue Jul 8 2014 Laurent Destailleur 3.5.5-0.3
-- Upstream release
-
-* Tue Jul 1 2014 Laurent Destailleur 3.5.4-0.3
-- Upstream release
-
-* Fri May 2 2014 Laurent Destailleur 3.5.3-0.3
-- Upstream release
-
-* Fri Feb 14 2014 Laurent Destailleur 3.5.2-0.3
-- Upstream release
-
-* Fri Feb 7 2014 Laurent Destailleur 3.5.1-0.3
-- Upstream release
-
-* Mon Dec 30 2013 Laurent Destailleur 3.5.0-0.3
-- Initial version (#723326)
+__CHANGELOGSTRING__

htdocs/adherents/liste.php

@@ -2,7 +2,7 @@
 /* Copyright (C) 2001-2003 Rodolphe Quiedeville <rodolphe@quiedeville.org>
  * Copyright (C) 2002-2003 Jean-Louis Bergamo   <jlb@j1b.org>
  * Copyright (C) 2004-2014 Laurent Destailleur  <eldy@users.sourceforge.net>
- * Copyright (C) 2013      Raphaël Doursenaud   <rdoursenaud@gpcsolutions.fr>
+ * Copyright (C) 2013-2015 Raphaël Doursenaud   <rdoursenaud@gpcsolutions.fr>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -97,7 +97,7 @@ $sql.= ", ".MAIN_DB_PREFIX."adherent_type as t";
 $sql.= " WHERE d.fk_adherent_type = t.rowid ";
 if ($catid > 0)    $sql.= " AND cm.fk_categorie = ".$catid;
 if ($catid == -2)  $sql.= " AND cm.fk_categorie IS NULL";
-if ($search_categ > 0)   $sql.= " AND cm.fk_categorie = ".$search_categ;
+if ($search_categ > 0)   $sql.= " AND cm.fk_categorie = ".$db->escape($search_categ);
 if ($search_categ == -2) $sql.= " AND cm.fk_categorie IS NULL";
 $sql.= " AND d.entity = ".$conf->entity;
 if ($sall)
@@ -106,15 +106,15 @@ if ($sall)
         $scrit = explode(' ', $sall);
         foreach ($scrit as $crit) {
             $sql.=" AND (";
-            if (is_numeric($sall)) $sql.= "d.rowid = ".$sall." OR ";
-            $sql.=" d.firstname LIKE '%".$sall."%' OR d.lastname LIKE '%".$sall."%' OR d.societe LIKE '%".$sall."%'";
-            $sql.=" OR d.email LIKE '%".$sall."%' OR d.login LIKE '%".$sall."%' OR d.address LIKE '%".$sall."%'";
-            $sql.=" OR d.town LIKE '%".$sall."%' OR d.note LIKE '%".$sall."%')";
+            if (is_numeric($sall)) $sql.= "d.rowid = ".$db->escape($sall)." OR ";
+            $sql.=" d.firstname LIKE '%".$db->escape($sall)."%' OR d.lastname LIKE '%".$db->escape($sall)."%' OR d.societe LIKE '%".$db->escape($sall)."%'";
+            $sql.=" OR d.email LIKE '%".$db->escape($sall)."%' OR d.login LIKE '%".$db->escape($sall)."%' OR d.address LIKE '%".$db->escape($sall)."%'";
+            $sql.=" OR d.town LIKE '%".$db->escape($sall)."%' OR d.note LIKE '%".$db->escape($sall)."%')";
         }
 }
 if ($type > 0)
 {
-	$sql.=" AND t.rowid=".$type;
+	$sql.=" AND t.rowid=".$db->escape($type);
 }
 if (isset($_GET["statut"]) || isset($_POST["statut"]))
 {
@@ -188,17 +188,17 @@ if ($resql)
 	}
 
 	$param="";
-	if ($statut != "") $param.="&statut=".$statut;
-	if ($search_nom)   $param.="&search_nom=".$search_nom;
-	if ($search_login) $param.="&search_login=".$search_login;
-	if ($search_email) $param.="&search_email=".$search_email;
-	if ($filter)       $param.="&filter=".$filter;
-	if ($type > 0)     $param.="&type=".$type;
+	if ($statut != "") $param.="&statut=".htmlspecialchars($statut);
+	if ($search_nom)   $param.="&search_nom=".htmlspecialchars($search_nom);
+	if ($search_login) $param.="&search_login=".htmlspecialchars($search_login);
+	if ($search_email) $param.="&search_email=".htmlspecialchars($search_email);
+	if ($filter)       $param.="&filter=".htmlspecialchars($filter);
+	if ($type > 0)     $param.="&type=".htmlspecialchars($type);
 	print_barre_liste($titre,$page,$_SERVER["PHP_SELF"],$param,$sortfield,$sortorder,'',$num,$nbtotalofrecords);
 
 	if ($sall)
 	{
-		print $langs->trans("Filter")." (".$langs->trans("Ref").", ".$langs->trans("Lastname").", ".$langs->trans("Firstname").", ".$langs->trans("EMail").", ".$langs->trans("Address")." ".$langs->trans("or")." ".$langs->trans("Town")."): ".$sall;
+		print $langs->trans("Filter")." (".$langs->trans("Ref").", ".$langs->trans("Lastname").", ".$langs->trans("Firstname").", ".$langs->trans("EMail").", ".$langs->trans("Address")." ".$langs->trans("or")." ".$langs->trans("Town")."): ".htmlspecialchars($sall);
 	}
 
 	print '<form method="POST" action="'.$_SERVER["PHP_SELF"].($param?'?'.$param:'').'">';
@@ -236,13 +236,13 @@ if ($resql)
 	print '<tr class="liste_titre">';
 
 	print '<td class="liste_titre" align="left">';
-	print '<input class="flat" type="text" name="search_ref" value="'.$search_ref.'" size="4"></td>';
+	print '<input class="flat" type="text" name="search_ref" value="'.htmlspecialchars($search_ref).'" size="4"></td>';
 
 	print '<td class="liste_titre" align="left">';
-	print '<input class="flat" type="text" name="search_lastname" value="'.$search_lastname.'" size="12"></td>';
+	print '<input class="flat" type="text" name="search_lastname" value="'.htmlspecialchars($search_lastname).'" size="12"></td>';
 
 	print '<td class="liste_titre" align="left">';
-	print '<input class="flat" type="text" name="search_login" value="'.$search_login.'" size="7"></td>';
+	print '<input class="flat" type="text" name="search_login" value="'.htmlspecialchars($search_login).'" size="7"></td>';
 
 	print '<td class="liste_titre">';
 	$listetype=$membertypestatic->liste_array();
@@ -252,7 +252,7 @@ if ($resql)
 	print '<td class="liste_titre">&nbsp;</td>';
 
 	print '<td class="liste_titre" align="left">';
-	print '<input class="flat" type="text" name="search_email" value="'.$search_email.'" size="12"></td>';
+	print '<input class="flat" type="text" name="search_email" value="'.htmlspecialchars($search_email).'" size="12"></td>';
 
 	print '<td class="liste_titre">&nbsp;</td>';
 

htdocs/admin/agenda_extsites.php

@@ -1,6 +1,7 @@
 <?php
-/* Copyright (C) 2008-2011 Laurent Destailleur  <eldy@users.sourceforge.net>
- * Copyright (C) 2011-2014 Juanjo Menent        <jmenent@2byte.es>
+/* Copyright (C) 2008-2011  Laurent Destailleur <eldy@users.sourceforge.net>
+ * Copyright (C) 2011-2014  Juanjo Menent       <jmenent@2byte.es>
+ * Copyright (C) 2016       Raphaël Doursenaud  <rdoursenaud@gpcsolutions.fr>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -88,7 +89,7 @@ if ($actionsave)
 	// Save nb of agenda
 	if (! $error)
 	{
-		$res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','alpha')),'chaine',0,'',$conf->entity);
+		$res=dolibarr_set_const($db,'AGENDA_EXT_NB',trim(GETPOST('AGENDA_EXT_NB','int')),'chaine',0,'',$conf->entity);
 		if (! $res > 0) $error++;
 		if (empty($conf->global->AGENDA_EXT_NB)) $conf->global->AGENDA_EXT_NB=5;
 		$MAXAGENDA=empty($conf->global->AGENDA_EXT_NB)?5:$conf->global->AGENDA_EXT_NB;
@@ -201,9 +202,9 @@ while ($i <= $MAXAGENDA)
 	// Nb
 	print '<td width="180" class="nowrap">'.$langs->trans("AgendaExtNb",$key)."</td>";
 	// Name
-	print '<td><input type="text" class="flat hideifnotset" name="agenda_ext_name'.$key.'" value="'. (GETPOST('agenda_ext_name'.$key)?GETPOST('agenda_ext_name'.$key):$conf->global->$name) . '" size="28"></td>';
+	print '<td><input type="text" class="flat hideifnotset" name="agenda_ext_name'.$key.'" value="'. (GETPOST('agenda_ext_name'.$key)?GETPOST('agenda_ext_name'.$key, 'alpha'):$conf->global->$name) . '" size="28"></td>';
 	// URL
-	print '<td><input type="url" class="flat hideifnotset" name="agenda_ext_src'.$key.'" value="'. (GETPOST('agenda_ext_src'.$key)?GETPOST('agenda_ext_src'.$key):$conf->global->$src) . '" size="60"></td>';
+	print '<td><input type="url" class="flat hideifnotset" name="agenda_ext_src'.$key.'" value="'. (GETPOST('agenda_ext_src'.$key)?GETPOST('agenda_ext_src'.$key, 'alpha'):$conf->global->$src) . '" size="60"></td>';
 	// Color (Possible colors are limited by Google)
 	print '<td class="nowrap" align="right">';
 	//print $formadmin->selectColor($conf->global->$color, "google_agenda_color".$key, $colorlist);

htdocs/admin/dict.php

@@ -6,7 +6,7 @@
  * Copyright (C) 2010-2013 Juanjo Menent        <jmenent@2byte.es>
  * Copyright (C) 2011      Philippe Grand       <philippe.grand@atoo-net.com>
  * Copyright (C) 2011      Remy Younes          <ryounes@gmail.com>
- * Copyright (C) 2012-2013 Marcos García        <marcosgdf@gmail.com>
+ * Copyright (C) 2012-2015 Marcos García        <marcosgdf@gmail.com>
  * Copyright (C) 2012      Christophe Battarel	<christophe.battarel@ltairis.fr>
  * Copyright (C) 2011-2012 Alexandre Spangaro	<alexandre.spangaro@gmail.com>
  *
@@ -1104,7 +1104,7 @@ if ($id)
 
                     if (isset($obj->type) && in_array($obj->type, array('system', 'systemauto'))) $iserasable=0;
 
-                    $url = $_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.(! empty($obj->rowid)?$obj->rowid:(! empty($obj->code)?$obj->code:'')).'&amp;code='.(! empty($obj->code)?$obj->code:'').'&amp;id='.$id.'&amp;';
+                    $url = $_SERVER["PHP_SELF"].'?'.($page?'page='.$page.'&':'').'sortfield='.$sortfield.'&sortorder='.$sortorder.'&rowid='.(! empty($obj->rowid)?$obj->rowid:(! empty($obj->code)?$obj->code:'')).'&amp;code='.(! empty($obj->code)?urlencode($obj->code):'').'&amp;id='.$id.'&amp;';
 
                     // Active
                     print '<td align="center" class="nowrap">';

htdocs/categories/photos.php

@@ -264,11 +264,11 @@ if ($object->id)
 			// On propose la generation de la vignette si elle n'existe pas et si la taille est superieure aux limites
 			if (!$obj['photo_vignette'] && preg_match('/(\.bmp|\.gif|\.jpg|\.jpeg|\.png)$/i',$obj['photo']) && ($object->imgWidth > $maxWidth || $object->imgHeight > $maxHeight))
 			{
-				print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->entity.'&amp;action=addthumb&amp;type='.$type.'&amp;file='.urlencode($pdir.$viewfilename).'">'.img_picto($langs->trans('GenerateThumb'),'refresh').'&nbsp;&nbsp;</a>';
+				print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=addthumb&amp;type='.$type.'&amp;file='.urlencode($pdir.$viewfilename).'">'.img_picto($langs->trans('GenerateThumb'),'refresh').'&nbsp;&nbsp;</a>';
 			}
 			if ($user->rights->categorie->creer)
 			{
-				print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->entity.'&amp;action=delete&amp;type='.$type.'&amp;file='.urlencode($pdir.$viewfilename).'">';
+				print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&amp;action=delete&amp;type='.$type.'&amp;file='.urlencode($pdir.$viewfilename).'">';
 				print img_delete().'</a>';
 			}
 			if ($nbbyrow) print '</td>';

htdocs/comm/propal.php

@@ -494,6 +494,27 @@ if ($action == 'send' && ! GETPOST('addfile') && ! GETPOST('removedfile') && ! G
 			}
 		}
 
+		if ($_POST['sendtocc'])
+		{
+			// Le destinataire a ete fourni via le champ libre
+			$sendtocc = $_POST['sendtocc'];
+			$sendtoccid = 0;
+		}
+		elseif ($_POST['receivercc'] != '-1')
+		{
+			// Recipient was provided from combo list
+			if ($_POST['receivercc'] == 'thirdparty') // Id of third party
+			{
+				$sendtocc = $object->client->email;
+				$sendtoccid = 0;
+			}
+			else    // Id du contact
+			{
+				$sendtocc = $object->client->contact_get_property($_POST['receivercc'],'email');
+				$sendtoccid = $_POST['receivercc'];
+			}
+		}
+
 		if (dol_strlen($sendto))
 		{
 			$langs->load("commercial");
@@ -501,7 +522,6 @@ if ($action == 'send' && ! GETPOST('addfile') && ! GETPOST('removedfile') && ! G
 			$from = $_POST['fromname'] . ' <' . $_POST['frommail'] .'>';
 			$replyto = $_POST['replytoname']. ' <' . $_POST['replytomail'].'>';
 			$message = $_POST['message'];
-			$sendtocc = $_POST['sendtocc'];
 			$deliveryreceipt = $_POST['deliveryreceipt'];
 
 			if (dol_strlen($_POST['subject'])) $subject = $_POST['subject'];

htdocs/comm/propal/class/propal.class.php

@@ -528,13 +528,14 @@ class Propal extends CommonObject
                 $price = $pu - $remise;
             }
 
-            // Update line
-            $this->line=new PropaleLigne($this->db);
+            //Fetch current line from the database and then clone the object and set it in $oldline property
+            $line = new PropaleLigne($this->db);
+            $line->fetch($rowid);
 
-            // Stock previous line records
-            $staticline=new PropaleLigne($this->db);
-            $staticline->fetch($rowid);
-            $this->line->oldline = $staticline;
+            $staticline = clone $line;
+
+            $line->oldline = $staticline;
+            $this->line = $line;
 
             // Reorder if fk_parent_line change
             if (! empty($fk_parent_line) && ! empty($staticline->fk_parent_line) && $fk_parent_line != $staticline->fk_parent_line)
@@ -2845,10 +2846,12 @@ class PropaleLigne  extends CommonObject
             $this->date_end         = $this->db->jdate($objp->date_end);
 
 			$this->db->free($result);
+
+            return 1;
 		}
 		else
 		{
-			dol_print_error($this->db);
+			return -1;
 		}
 	}
 
@@ -2876,11 +2879,12 @@ class PropaleLigne  extends CommonObject
         if (empty($this->total_localtax2)) $this->total_localtax2=0;
         if (empty($this->rang)) $this->rang=0;
         if (empty($this->remise)) $this->remise=0;
-        if (empty($this->remise_percent)) $this->remise_percent=0;
+        if (empty($this->remise_percent) || ! is_numeric($this->remise_percent)) $this->remise_percent=0;
         if (empty($this->info_bits)) $this->info_bits=0;
         if (empty($this->special_code)) $this->special_code=0;
         if (empty($this->fk_parent_line)) $this->fk_parent_line=0;
         if (empty($this->fk_fournprice)) $this->fk_fournprice=0;
+		if (! is_numeric($this->qty)) $this->qty = 0;
 
         if (empty($this->pa_ht)) $this->pa_ht=0;
 

htdocs/comm/propal/list.php

@@ -141,7 +141,9 @@ if (! $sortorder) $sortorder='DESC';
 $limit = $conf->liste_limit;
 
 
-$sql = 'SELECT s.rowid, s.nom, s.town, s.client, s.code_client,';
+if (! $sall) $sql = 'SELECT';
+else $sql = 'SELECT DISTINCT';
+$sql.= ' s.rowid, s.nom, s.town, s.client, s.code_client,';
 $sql.= ' p.rowid as propalid, p.note_private, p.total_ht, p.ref, p.ref_client, p.fk_statut, p.fk_user_author, p.datep as dp, p.fin_validite as dfv,';
 if (! $user->rights->societe->client->voir && ! $socid) $sql .= " sc.fk_soc, sc.fk_user,";
 $sql.= ' u.login';

htdocs/commande/class/commande.class.php

@@ -367,7 +367,7 @@ class Commande extends CommonOrder
                     {
                         $mouvP = new MouvementStock($this->db);
                         // We increment stock of product (and sub-products)
-                        $result=$mouvP->reception($user, $this->lines[$i]->fk_product, $idwarehouse, $this->lines[$i]->qty, $this->lines[$i]->subprice, $langs->trans("OrderBackToDraftInDolibarr",$this->ref));
+                        $result=$mouvP->reception($user, $this->lines[$i]->fk_product, $idwarehouse, $this->lines[$i]->qty, 0, $langs->trans("OrderBackToDraftInDolibarr",$this->ref));
                         if ($result < 0) { $error++; }
                     }
                 }
@@ -555,7 +555,7 @@ class Commande extends CommonOrder
 					{
 						$mouvP = new MouvementStock($this->db);
 						// We increment stock of product (and sub-products)
-						$result=$mouvP->reception($user, $this->lines[$i]->fk_product, $idwarehouse, $this->lines[$i]->qty, $this->lines[$i]->subprice, $langs->trans("OrderCanceledInDolibarr",$this->ref));
+						$result=$mouvP->reception($user, $this->lines[$i]->fk_product, $idwarehouse, $this->lines[$i]->qty, 0, $langs->trans("OrderCanceledInDolibarr",$this->ref));
 						if ($result < 0) {
 							$error++;
 						}
@@ -881,6 +881,7 @@ class Commande extends CommonOrder
         // Clear fields
         $this->user_author_id     = $user->id;
         $this->user_valid         = '';
+        $this->date				  = dol_now();
         $this->date_creation      = '';
         $this->date_validation    = '';
         $this->ref_client         = '';
@@ -2349,13 +2350,14 @@ class Commande extends CommonOrder
                 $price = ($pu - $remise);
             }
 
-            // Update line
-            $this->line=new OrderLine($this->db);
+            //Fetch current line from the database and then clone the object and set it in $oldline property
+            $line = new OrderLine($this->db);
+            $line->fetch($rowid);
 
-            // Stock previous line records
-            $staticline=new OrderLine($this->db);
-            $staticline->fetch($rowid);
-            $this->line->oldline = $staticline;
+            $staticline = clone $line;
+
+            $line->oldline = $staticline;
+            $this->line = $line;
 
             // Reorder if fk_parent_line change
             if (! empty($fk_parent_line) && ! empty($staticline->fk_parent_line) && $fk_parent_line != $staticline->fk_parent_line)
@@ -3156,10 +3158,12 @@ class OrderLine extends CommonOrderLine
             $this->date_end         = $this->db->jdate($objp->date_end);
 
             $this->db->free($result);
+
+            return 1;
         }
         else
         {
-            dol_print_error($this->db);
+            return -1;
         }
     }
 

htdocs/compta/bank/class/account.class.php

@@ -1133,7 +1133,6 @@ class AccountLine extends CommonObject
         }
         else
         {
-            dol_print_error($this->db);
             return -1;
         }
     }

htdocs/compta/bank/virement.php

@@ -1,8 +1,9 @@
 <?php
 /* Copyright (C) 2001-2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
  * Copyright (C) 2004-2008 Laurent Destailleur  <eldy@users.sourceforge.net>
- * Copytight (C) 2005-2009 Regis Houssin        <regis.houssin@capnetworks.com>
+ * Copytight (C) 2005-2015 Regis Houssin        <regis.houssin@capnetworks.com>
  * Copytight (C) 2012	   Juanjo Menent        <jmenent@2byte.es>
+ * Copyright (C) 2015      Marcos García        <marcosgdf@gmail.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -48,7 +49,7 @@ if ($action == 'add')
 	$mesg='';
 	$dateo = dol_mktime(12,0,0,GETPOST('remonth','int'),GETPOST('reday','int'),GETPOST('reyear','int'));
 	$label = GETPOST('label','alpha');
-	$amount= GETPOST('amount','int');
+	$amount= GETPOST('amount');
 
 	if (! $label)
 	{
@@ -179,7 +180,7 @@ print $form->select_comptes($account_to,'account_to',0,'',1);
 print "</td>\n";
 
 print "<td>";
-$form->select_date($dateo,'','','','','add');
+$form->select_date((! empty($dateo)?$dateo:''),'','','','','add');
 print "</td>\n";
 print '<td><input name="label" class="flat" type="text" size="40" value="'.$label.'"></td>';
 print '<td><input name="amount" class="flat" type="text" size="8" value="'.$amount.'"></td>';

htdocs/compta/deplacement/fiche.php

@@ -4,6 +4,7 @@
  * Copyright (C) 2005-2012	Regis Houssin        <regis.houssin@capnetworks.com>
  * Copyright (C) 2012		Juanjo Menent        <jmenent@2byte.es>
  * Copyright (C) 2013       Florian Henry		  	<florian.henry@open-concept.pro>
+ * Copyright (C) 2015       Marcos García        <marcosgdf@gmail.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -123,8 +124,14 @@ else if ($action == 'add' && $user->rights->deplacement->creer)
     {
         $error=0;
 
+	    $km = GETPOST('km');
+
+	    if ($km) {
+		    $km = price2num($km);
+	    }
+
         $object->date			= dol_mktime(12, 0, 0, GETPOST('remonth','int'), GETPOST('reday','int'), GETPOST('reyear','int'));
-        $object->km				= GETPOST('km','int');
+        $object->km				= $km;
         $object->type			= GETPOST('type','alpha');
         $object->socid			= GETPOST('socid','int');
         $object->fk_user		= GETPOST('fk_user','int');
@@ -182,8 +189,14 @@ else if ($action == 'update' && $user->rights->deplacement->creer)
     {
         $result = $object->fetch($id);
 
+	    $km = GETPOST('km');
+
+	    if ($km) {
+		    $km = price2num($km);
+	    }
+
         $object->date			= dol_mktime(12, 0, 0, GETPOST('remonth','int'), GETPOST('reday','int'), GETPOST('reyear','int'));
-        $object->km				= GETPOST('km','int');
+        $object->km				= $km;
         $object->type			= GETPOST('type','alpha');
         $object->socid			= GETPOST('socid','int');
         $object->fk_user		= GETPOST('fk_user','int');
@@ -225,12 +238,6 @@ else if ($action == 'setdated' && $user->rights->deplacement->creer)
     $result=$object->setValueFrom('dated',$dated,'','','date');
     if ($result < 0) dol_print_error($db, $object->error);
 }
-else if ($action == 'setkm' && $user->rights->deplacement->creer)
-{
-    $object->fetch($id);
-    $result=$object->setValueFrom('km',GETPOST('km','int'));
-    if ($result < 0) dol_print_error($db, $object->error);
-}
 else if ($action == 'setnote_public' && $user->rights->deplacement->creer)
 {
     $object->fetch($id);
@@ -385,7 +392,7 @@ else if ($id)
 
             // Km
             print '<tr><td class="fieldrequired">'.$langs->trans("FeesKilometersOrAmout").'</td><td>';
-            print '<input name="km" class="flat" size="10" value="'.$object->km.'">';
+            print '<input name="km" class="flat" size="10" value="'.price($object->km).'">';
             print '</td></tr>';
 
             // Where
@@ -453,10 +460,12 @@ else if ($id)
             print '</td></tr>';
 
             // Type
+	        $form->load_cache_types_fees();
+
             print '<tr><td>';
             print $form->editfieldkey("Type",'type',$langs->trans($object->type),$object,$conf->global->MAIN_EDIT_ALSO_INLINE && $user->rights->deplacement->creer,'select:types_fees');
             print '</td><td>';
-            print $form->editfieldval("Type",'type',$langs->trans($object->type),$object,$conf->global->MAIN_EDIT_ALSO_INLINE && $user->rights->deplacement->creer,'select:types_fees');
+            print $form->editfieldval("Type",'type', $form->cache_types_fees[$object->type],$object,$conf->global->MAIN_EDIT_ALSO_INLINE && $user->rights->deplacement->creer,'select:types_fees');
             print '</td></tr>';
 
             // Who
@@ -477,7 +486,7 @@ else if ($id)
             print '<tr><td valign="top">';
             print $form->editfieldkey("FeesKilometersOrAmout",'km',$object->km,$object,$conf->global->MAIN_EDIT_ALSO_INLINE && $user->rights->deplacement->creer,'numeric:6');
             print '</td><td>';
-            print $form->editfieldval("FeesKilometersOrAmout",'km',$object->km,$object,$conf->global->MAIN_EDIT_ALSO_INLINE && $user->rights->deplacement->creer,'numeric:6');
+            print $form->editfieldval("FeesKilometersOrAmout",'km',price($object->km),$object,$conf->global->MAIN_EDIT_ALSO_INLINE && $user->rights->deplacement->creer,'numeric:6');
             print "</td></tr>";
 
             // Where

htdocs/compta/facture.php

@@ -283,12 +283,12 @@ else if ($action == 'setinvoicedate' && $user->rights->facture->creer)
 	$object->fetch($id);
 	$old_date_lim_reglement=$object->date_lim_reglement;
 	$date=dol_mktime(12,0,0,$_POST['invoicedatemonth'],$_POST['invoicedateday'],$_POST['invoicedateyear']);
-	if (empty($date)) 
+	if (empty($date))
 	{
 	    setEventMessage($langs->trans("ErrorFieldRequired",$langs->transnoentitiesnoconv("Date")),'errors');
 	    header('Location: '.$_SERVER["PHP_SELF"].'?facid='.$id.'&action=editinvoicedate');
 	    exit;
-	     
+
 	}
     $object->date=$date;
 	$new_date_lim_reglement=$object->calculate_date_lim_reglement();
@@ -1712,6 +1712,27 @@ if (($action == 'send' || $action == 'relance') && ! $_POST['addfile'] && ! $_PO
 			}
 		}
 
+		if ($_POST['sendtocc'])
+		{
+		        // Le destinataire a ete fourni via le champ libre
+		        $sendtocc = $_POST['sendtocc'];
+		        $sendtoccid = 0;
+		}
+		elseif ($_POST['receivercc'] != '-1')
+		{
+		        // Recipient was provided from combo list
+		        if ($_POST['receivercc'] == 'thirdparty') // Id of third party
+		        {
+		                $sendtocc = $object->client->email;
+		                $sendtoccid = 0;
+		        }
+		        else    // Id du contact
+		        {
+		                $sendtocc = $object->client->contact_get_property($_POST['receivercc'],'email');
+		                $sendtoccid = $_POST['receivercc'];
+		        }
+		}
+
 		if (dol_strlen($sendto))
 		{
 			$langs->load("commercial");
@@ -1719,7 +1740,6 @@ if (($action == 'send' || $action == 'relance') && ! $_POST['addfile'] && ! $_PO
 			$from = $_POST['fromname'] . ' <' . $_POST['frommail'] .'>';
 			$replyto = $_POST['replytoname']. ' <' . $_POST['replytomail'].'>';
 			$message = $_POST['message'];
-			$sendtocc = $_POST['sendtocc'];
 			$deliveryreceipt = $_POST['deliveryreceipt'];
 
 			if ($action == 'send')
@@ -3810,7 +3830,7 @@ else if ($id > 0 || ! empty($ref))
 		// Linked object block
 		$somethingshown=$object->showLinkedObjectBlock();
 
-		if (empty($somethingshown) && ! empty($conf->commande->enabled)) 
+		if (empty($somethingshown) && ! empty($conf->commande->enabled))
 		{
 			print '<br><a href="#" id="linktoorder">' . $langs->trans('LinkedOrder') . '</a>';
 

htdocs/compta/facture/class/facture.class.php

@@ -1796,7 +1796,7 @@ class Facture extends CommonInvoice
 						{
 							$mouvP = new MouvementStock($this->db);
 							// We decrease stock for product
-							if ($this->type == 2) $result=$mouvP->reception($user, $this->lines[$i]->fk_product, $idwarehouse, $this->lines[$i]->qty, $this->lines[$i]->subprice, $langs->trans("InvoiceValidatedInDolibarr",$num));
+							if ($this->type == 2) $result=$mouvP->reception($user, $this->lines[$i]->fk_product, $idwarehouse, $this->lines[$i]->qty, 0, $langs->trans("InvoiceValidatedInDolibarr",$num));
 							else $result=$mouvP->livraison($user, $this->lines[$i]->fk_product, $idwarehouse, $this->lines[$i]->qty, $this->lines[$i]->subprice, $langs->trans("InvoiceValidatedInDolibarr",$num));
 							if ($result < 0) {
 								$error++;
@@ -2224,13 +2224,14 @@ class Facture extends CommonInvoice
 			}
 			$price    = price2num($price);
 
-			// Update line into database
-			$this->line=new FactureLigne($this->db);
+			//Fetch current line from the database and then clone the object and set it in $oldline property
+			$line = new FactureLigne($this->db);
+			$line->fetch($rowid);
 
-			// Stock previous line records
-			$staticline=new FactureLigne($this->db);
-			$staticline->fetch($rowid);
-			$this->line->oldline = $staticline;
+			$staticline = clone $line;
+
+			$line->oldline = $staticline;
+			$this->line = $line;
 
 			// Reorder if fk_parent_line change
 			if (! empty($fk_parent_line) && ! empty($staticline->fk_parent_line) && $fk_parent_line != $staticline->fk_parent_line)
@@ -3471,10 +3472,12 @@ class FactureLigne  extends CommonInvoiceLine
 			$this->product_desc			= $objp->product_desc;
 
 			$this->db->free($result);
+
+			return 1;
 		}
 		else
 		{
-			dol_print_error($this->db);
+			return -1;
 		}
 	}
 

htdocs/compta/facture/stats/index.php

@@ -217,6 +217,13 @@ complete_head_from_modules($conf,$langs,null,$head,$h,$type);
 
 dol_fiche_head($head,'byyear',$langs->trans("Statistics"));
 
+$tmp_companies = $form->select_thirdparty_list($socid,'socid',$filter,1, 0, 0, array(), '', 1);
+//Array passed as an argument to Form::selectarray to build a proper select input
+$companies = array();
+
+foreach ($tmp_companies as $value) {
+	$companies[$value['value']] = $value['label'];
+}
 
 print '<div class="fichecenter"><div class="fichethirdleft">';
 
@@ -232,7 +239,7 @@ print '<div class="fichecenter"><div class="fichethirdleft">';
 	print '<tr><td>'.$langs->trans("ThirdParty").'</td><td>';
 	if ($mode == 'customer') $filter='s.client in (1,2,3)';
 	if ($mode == 'supplier') $filter='s.fournisseur = 1';
-	print $form->select_company($socid,'socid',$filter,1);
+	print $form->selectarray('socid', $companies, $socid, 1, 0, 0, 'style="width: 100%"');
 	print '</td></tr>';
 	// User
 	print '<tr><td>'.$langs->trans("CreatedBy").'</td><td>';

htdocs/compta/index.php

@@ -1,7 +1,8 @@
 <?php
-/* Copyright (C) 2001-2005 Rodolphe Quiedeville <rodolphe@quiedeville.org>
- * Copyright (C) 2004-2013 Laurent Destailleur  <eldy@users.sourceforge.net>
- * Copyright (C) 2005-2012 Regis Houssin        <regis.houssin@capnetworks.com>
+/* Copyright (C) 2001-2005  Rodolphe Quiedeville    <rodolphe@quiedeville.org>
+ * Copyright (C) 2004-2013  Laurent Destailleur     <eldy@users.sourceforge.net>
+ * Copyright (C) 2005-2012  Regis Houssin           <regis.houssin@capnetworks.com>
+ * Copyright (C) 2015       Raphaël Doursenaud      <rdoursenaud@gpcsolutions.fr>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -685,7 +686,7 @@ if (! empty($conf->tax->enabled) && $user->rights->tax->charges->lire)
 					$chargestatic->lib=$obj->libelle;
 					$chargestatic->paye=$obj->paye;
 					print '<td>'.$chargestatic->getNomUrl(1).'</td>';
-					print '<td align="center">'.dol_print_date($obj->date_ech,'day').'</td>';
+					print '<td align="center">'.dol_print_date($db->jdate($obj->date_ech),'day').'</td>';
 					print '<td align="right">'.price($obj->amount).'</td>';
 					print '<td align="right">'.price($obj->sumpaid).'</td>';
 					print '<td align="center">'.$chargestatic->getLibStatut(3).'</td>';
@@ -1026,7 +1027,7 @@ if ($resql)
 		$obj = $db->fetch_object($resql);
 		$var=!$var;
 
-		print "<tr ".$bc[$var]."><td>".dol_print_date($obj->da,"day")."</td>";
+		print "<tr ".$bc[$var]."><td>".dol_print_date($db->jdate($obj->da),"day")."</td>";
 		print "<td><a href=\"action/fiche.php\">$obj->libelle $obj->label</a></td></tr>";
 		$i++;
 	}

htdocs/compta/prelevement/class/rejetprelevement.class.php

@@ -87,7 +87,7 @@ class RejetPrelevement
 
 		dol_syslog("RejetPrelevement::Create id $id");
 		$bankaccount = $conf->global->PRELEVEMENT_ID_BANKACCOUNT;
-		$facs = $this->getListInvoices();
+		$facs = $this->getListInvoices(1);
 
 		$this->db->begin();
 
@@ -132,7 +132,7 @@ class RejetPrelevement
 		for ($i = 0; $i < $num; $i++)
 		{
 			$fac = new Facture($this->db);
-			$fac->fetch($facs[$i]);
+			$fac->fetch($facs[$i][0]);
 
 			// Make a negative payment
 			$pai = new Paiement($this->db);
@@ -144,7 +144,7 @@ class RejetPrelevement
 			 * PHP installs sends only the part integer negative
 			*/
 
-			$pai->amounts[$facs[$i]] = price2num($fac->total_ttc * -1);
+			$pai->amounts[$facs[$i][0]] = price2num($facs[$i][1] * -1);
 			$pai->datepaye = $date_rejet;
 			$pai->paiementid = 3; // type of payment: withdrawal
 			$pai->num_paiement = $fac->ref;
@@ -152,7 +152,7 @@ class RejetPrelevement
 			if ($pai->create($this->user) < 0)  // we call with no_commit
 			{
 				$error++;
-				dol_syslog("RejetPrelevement::Create Error creation payment invoice ".$facs[$i]);
+				dol_syslog("RejetPrelevement::Create Error creation payment invoice ".$facs[$i][0]);
 			}
 			else
 			{
@@ -269,22 +269,24 @@ class RejetPrelevement
 	}
 
 	/**
-	 *    Retrieve the list of invoices
+	 * Retrieve the list of invoices
+	 * @param 	int		$amounts 	If you want to get the amount of the order for each invoice
 	 *
-	 *    @return	void
+	 * @return	Array List of invoices related to the withdrawal line
+	 * @TODO	A withdrawal line is today linked to one and only one invoice. So the function should return only one object ?
 	 */
-	private function getListInvoices()
+	private function getListInvoices($amounts=0)
 	{
 		global $conf;
 
 		$arr = array();
 
 		 //Returns all invoices of a withdrawal
-		$sql = "SELECT f.rowid as facid";
+		$sql = "SELECT f.rowid as facid, pl.amount";
 		$sql.= " FROM ".MAIN_DB_PREFIX."prelevement_facture as pf";
-		$sql.= ", ".MAIN_DB_PREFIX."facture as f";
+		$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."facture as f ON (pf.fk_facture = f.rowid)";
+		$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."prelevement_lignes as pl ON (pf.fk_prelevement_lignes = pl.rowid)";
 		$sql.= " WHERE pf.fk_prelevement_lignes = ".$this->id;
-		$sql.= " AND pf.fk_facture = f.rowid";
 		$sql.= " AND f.entity = ".$conf->entity;
 
 		$resql=$this->db->query($sql);
@@ -298,7 +300,14 @@ class RejetPrelevement
 				while ($i < $num)
 				{
 					$row = $this->db->fetch_row($resql);
-					$arr[$i] = $row[0];
+					if (!$amounts) $arr[$i] = $row[0];
+					else
+					{
+						$arr[$i] = array(
+							$row[0],
+							$row[1]
+						);
+					}
 					$i++;
 				}
 			}

htdocs/contact/exportimport.php

@@ -33,81 +33,80 @@ $id = GETPOST('id', 'int');
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'contact', $id, 'socpeople&societe');
 
+$contact = new Contact($db);
+
 
 /*
  *	View
  */
 
+$form = new Form($db);
+
 $title = (! empty($conf->global->SOCIETE_ADDRESSES_MANAGEMENT) ? $langs->trans("Contacts") : $langs->trans("ContactsAddresses"));
 
 llxHeader('',$title,'EN:Module_Third_Parties|FR:Module_Tiers|ES:Módulo_Empresas');
 
-$form = new Form($db);
-
-$contact = new Contact($db);
-$contact->fetch($id, $user);
-
-
-$head = contact_prepare_head($contact);
-
-dol_fiche_head($head, 'exportimport', $title, 0, 'contact');
-
-
-/*
- * Fiche en mode visu
- */
-print '<table class="border" width="100%">';
-
-$linkback = '<a href="'.DOL_URL_ROOT.'/contact/list.php">'.$langs->trans("BackToList").'</a>';
-
-// Ref
-print '<tr><td>'.$langs->trans("Ref").'</td><td colspan="3">';
-print $form->showrefnav($contact, 'id', $linkback);
-print '</td></tr>';
-
-// Name
-print '<tr><td width="20%">'.$langs->trans("Lastname").' / '.$langs->trans("Label").'</td><td>'.$contact->lastname.'</td>';
-print '<td width="20%">'.$langs->trans("Firstname").'</td><td width="25%">'.$contact->firstname.'</td></tr>';
-
-// Company
-if (empty($conf->global->SOCIETE_DISABLE_CONTACTS))
+if ($id > 0)
 {
-    if ($contact->socid > 0)
-    {
-    	$objsoc = new Societe($db);
-    	$objsoc->fetch($contact->socid);
+	$contact->fetch($id, $user);
 
-    	print '<tr><td width="15%">'.$langs->trans("Company").'</td><td colspan="3">'.$objsoc->getNomUrl(1).'</td></tr>';
-    }
-    else
-    {
-    	print '<tr><td width="15%">'.$langs->trans("Company").'</td><td colspan="3">';
-    	print $langs->trans("ContactNotLinkedToCompany");
-    	print '</td></tr>';
-    }
+	$head = contact_prepare_head($contact);
+
+	dol_fiche_head($head, 'exportimport', $title, 0, 'contact');
+
+
+	/*
+	 * Fiche en mode visu
+	 */
+	print '<table class="border" width="100%">';
+
+	$linkback = '<a href="'.DOL_URL_ROOT.'/contact/list.php">'.$langs->trans("BackToList").'</a>';
+
+	// Ref
+	print '<tr><td>'.$langs->trans("Ref").'</td><td colspan="3">';
+	print $form->showrefnav($contact, 'id', $linkback);
+	print '</td></tr>';
+
+	// Name
+	print '<tr><td width="20%">'.$langs->trans("Lastname").' / '.$langs->trans("Label").'</td><td>'.$contact->lastname.'</td>';
+	print '<td width="20%">'.$langs->trans("Firstname").'</td><td width="25%">'.$contact->firstname.'</td></tr>';
+
+	// Company
+	if (empty($conf->global->SOCIETE_DISABLE_CONTACTS))
+	{
+	    if ($contact->socid > 0)
+	    {
+	        $objsoc = new Societe($db);
+	        $objsoc->fetch($contact->socid);
+
+	        print '<tr><td width="15%">'.$langs->trans("Company").'</td><td colspan="3">'.$objsoc->getNomUrl(1).'</td></tr>';
+	    }
+	    else
+	    {
+	        print '<tr><td width="15%">'.$langs->trans("Company").'</td><td colspan="3">';
+	        print $langs->trans("ContactNotLinkedToCompany");
+	        print '</td></tr>';
+	    }
+	}
+
+	// Civility
+	print '<tr><td>'.$langs->trans("UserTitle").'</td><td colspan="3">';
+	print $contact->getCivilityLabel();
+	print '</td></tr>';
+
+	print '</table>';
+
+	print '</div>';
+
+	print '<br>';
+
+	print $langs->trans("ExportCardToFormat").': ';
+	print '<a href="'.DOL_URL_ROOT.'/contact/vcard.php?id='.$contact->id.'">';
+	print img_picto($langs->trans("VCard"),'vcard.png').' ';
+	print $langs->trans("VCard");
+	print '</a>';
 }
 
-// Civility
-print '<tr><td>'.$langs->trans("UserTitle").'</td><td colspan="3">';
-print $contact->getCivilityLabel();
-print '</td></tr>';
-
-print '</table>';
-
-print '</div>';
-
-print '<br>';
-
-print $langs->trans("ExportCardToFormat").': ';
-print '<a href="'.DOL_URL_ROOT.'/contact/vcard.php?id='.$contact->id.'">';
-print img_picto($langs->trans("VCard"),'vcard.png').' ';
-print $langs->trans("VCard");
-print '</a>';
-
-
-
-
 $db->close();
 
 llxFooter();
-?>

htdocs/contact/info.php

@@ -35,6 +35,8 @@ $contactid = GETPOST("id",'int');
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'contact', $contactid, 'socpeople&societe');
 
+$contact = new Contact($db);
+
 
 
 /*
@@ -43,25 +45,26 @@ $result = restrictedArea($user, 'contact', $contactid, 'socpeople&societe');
 
 llxHeader('',$langs->trans("ContactsAddresses"),'EN:Module_Third_Parties|FR:Module_Tiers|ES:Módulo_Empresas');
 
+if ($contactid > 0)
+{
+	$result = $contact->fetch($contactid, $user);
 
-$contact = new Contact($db);
-$contact->fetch($contactid, $user);
-$contact->info($contactid);
+	$contact->info($contactid);
 
 
-$head = contact_prepare_head($contact);
+	$head = contact_prepare_head($contact);
 
-dol_fiche_head($head, 'info', $langs->trans("ContactsAddresses"), 0, 'contact');
+	dol_fiche_head($head, 'info', $langs->trans("ContactsAddresses"), 0, 'contact');
 
 
-print '<table width="100%"><tr><td>';
-print '</td></tr></table>';
+	print '<table width="100%"><tr><td>';
+	print '</td></tr></table>';
 
-dol_print_object_info($contact);
+	dol_print_object_info($contact);
 
-print "</div>";
+	print "</div>";
+}
 
 llxFooter();
 
 $db->close();
-?>

htdocs/contact/ldap.php

@@ -40,37 +40,40 @@ if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'contact', $id, 'socpeople&societe');
 
 $contact = new Contact($db);
-$contact->fetch($id, $user);
 
-
-/*
- * Actions
- */
-
-if ($action == 'dolibarr2ldap')
+if ($id > 0)
 {
-	$message="";
+	$contact->fetch($id, $user);
 
-	$db->begin();
+	/*
+	 * Actions
+	 */
 
-	$ldap=new Ldap();
-	$result=$ldap->connect_bind();
-
-	$info=$contact->_load_ldap_info();
-	$dn=$contact->_load_ldap_dn($info);
-	$olddn=$dn;	// We can say that old dn = dn as we force synchro
-
-	$result=$ldap->update($dn,$info,$user,$olddn);
-
-	if ($result >= 0)
+	if ($action == 'dolibarr2ldap')
 	{
-		$message.='<div class="ok">'.$langs->trans("ContactSynchronized").'</div>';
-		$db->commit();
-	}
-	else
-	{
-		$message.='<div class="error">'.$ldap->error.'</div>';
-		$db->rollback();
+		$message="";
+
+		$db->begin();
+
+		$ldap=new Ldap();
+		$result=$ldap->connect_bind();
+
+		$info=$contact->_load_ldap_info();
+		$dn=$contact->_load_ldap_dn($info);
+		$olddn=$dn;	// We can say that old dn = dn as we force synchro
+
+		$result=$ldap->update($dn,$info,$user,$olddn);
+
+		if ($result >= 0)
+		{
+			$message.='<div class="ok">'.$langs->trans("ContactSynchronized").'</div>';
+			$db->commit();
+		}
+		else
+		{
+			$message.='<div class="error">'.$ldap->error.'</div>';
+			$db->rollback();
+		}
 	}
 }
 
@@ -79,138 +82,139 @@ if ($action == 'dolibarr2ldap')
  *	View
  */
 
+$form = new Form($db);
+
 $title = (! empty($conf->global->SOCIETE_ADDRESSES_MANAGEMENT) ? $langs->trans("Contacts") : $langs->trans("ContactsAddresses"));
 
 llxHeader('',$title,'EN:Module_Third_Parties|FR:Module_Tiers|ES:M&oacute;dulo_Empresas');
 
-$form = new Form($db);
-
-$head = contact_prepare_head($contact);
-
-dol_fiche_head($head, 'ldap', $title, 0, 'contact');
-
-
-print '<table class="border" width="100%">';
-
-// Ref
-print '<tr><td width="20%">'.$langs->trans("Ref").'</td><td colspan="3">';
-print $form->showrefnav($contact,'id');
-print '</td></tr>';
-
-// Name
-print '<tr><td>'.$langs->trans("Lastname").' / '.$langs->trans("Label").'</td><td>'.$contact->lastname.'</td>';
-print '<td>'.$langs->trans("Firstname").'</td><td width="25%">'.$contact->firstname.'</td></tr>';
-
-// Company
-if ($contact->socid > 0)
+if ($id > 0)
 {
-	$objsoc = new Societe($db);
-	$objsoc->fetch($contact->socid);
+	$head = contact_prepare_head($contact);
 
-	print '<tr><td width="20%">'.$langs->trans("Company").'</td><td colspan="3">'.$objsoc->getNomUrl(1).'</td></tr>';
-}
-else
-{
-	print '<tr><td width="20%">'.$langs->trans("Company").'</td><td colspan="3">';
-	print $langs->trans("ContactNotLinkedToCompany");
+	dol_fiche_head($head, 'ldap', $title, 0, 'contact');
+
+
+	print '<table class="border" width="100%">';
+
+	// Ref
+	print '<tr><td width="20%">'.$langs->trans("Ref").'</td><td colspan="3">';
+	print $form->showrefnav($contact,'id');
 	print '</td></tr>';
-}
 
-// Civility
-print '<tr><td>'.$langs->trans("UserTitle").'</td><td colspan="3">';
-print $contact->getCivilityLabel();
-print '</td></tr>';
+	// Name
+	print '<tr><td>'.$langs->trans("Lastname").' / '.$langs->trans("Label").'</td><td>'.$contact->lastname.'</td>';
+	print '<td>'.$langs->trans("Firstname").'</td><td width="25%">'.$contact->firstname.'</td></tr>';
 
-// LDAP DN
-print '<tr><td>LDAP '.$langs->trans("LDAPContactDn").'</td><td class="valeur" colspan="3">'.$conf->global->LDAP_CONTACT_DN."</td></tr>\n";
-
-// LDAP Cle
-print '<tr><td>LDAP '.$langs->trans("LDAPNamingAttribute").'</td><td class="valeur" colspan="3">'.$conf->global->LDAP_KEY_CONTACTS."</td></tr>\n";
-
-// LDAP Server
-print '<tr><td>LDAP '.$langs->trans("LDAPPrimaryServer").'</td><td class="valeur" colspan="3">'.$conf->global->LDAP_SERVER_HOST."</td></tr>\n";
-print '<tr><td>LDAP '.$langs->trans("LDAPSecondaryServer").'</td><td class="valeur" colspan="3">'.$conf->global->LDAP_SERVER_HOST_SLAVE."</td></tr>\n";
-print '<tr><td>LDAP '.$langs->trans("LDAPServerPort").'</td><td class="valeur" colspan="3">'.$conf->global->LDAP_SERVER_PORT."</td></tr>\n";
-
-print '</table>';
-
-print '</div>';
-
-
-dol_htmloutput_mesg($message);
-
-
-/*
- * Barre d'actions
- */
-
-print '<div class="tabsAction">';
-
-if (! empty($conf->global->LDAP_CONTACT_ACTIVE) && $conf->global->LDAP_CONTACT_ACTIVE != 'ldap2dolibarr')
-{
-	print '<a class="butAction" href="'.$_SERVER["PHP_SELF"].'?id='.$contact->id.'&amp;action=dolibarr2ldap">'.$langs->trans("ForceSynchronize").'</a>';
-}
-
-print "</div>\n";
-
-if (! empty($conf->global->LDAP_CONTACT_ACTIVE) && $conf->global->LDAP_CONTACT_ACTIVE != 'ldap2dolibarr') print "<br>\n";
-
-
-
-// Affichage attributs LDAP
-print_titre($langs->trans("LDAPInformationsForThisContact"));
-
-print '<table width="100%" class="noborder">';
-
-print '<tr class="liste_titre">';
-print '<td>'.$langs->trans("LDAPAttributes").'</td>';
-print '<td>'.$langs->trans("Value").'</td>';
-print '</tr>';
-
-// Lecture LDAP
-$ldap=new Ldap();
-$result=$ldap->connect_bind();
-if ($result > 0)
-{
-	$info=$contact->_load_ldap_info();
-	$dn=$contact->_load_ldap_dn($info,1);
-	$search = "(".$contact->_load_ldap_dn($info,2).")";
-	$records=$ldap->getAttribute($dn,$search);
-
-	//var_dump($records);
-
-	// Affichage arbre
-	if (count($records) && $records != false && (! isset($records['count']) || $records['count'] > 0))
+	// Company
+	if ($contact->socid > 0)
 	{
-		if (! is_array($records))
-		{
-			print '<tr '.$bc[false].'><td colspan="2"><font class="error">'.$langs->trans("ErrorFailedToReadLDAP").'</font></td></tr>';
-		}
-		else
-		{
-			$result=show_ldap_content($records,0,$records['count'],true);
-		}
+		$objsoc = new Societe($db);
+		$objsoc->fetch($contact->socid);
+
+		print '<tr><td width="20%">'.$langs->trans("Company").'</td><td colspan="3">'.$objsoc->getNomUrl(1).'</td></tr>';
 	}
 	else
 	{
-		print '<tr '.$bc[false].'><td colspan="2">'.$langs->trans("LDAPRecordNotFound").' (dn='.$dn.' - search='.$search.')</td></tr>';
+		print '<tr><td width="20%">'.$langs->trans("Company").'</td><td colspan="3">';
+		print $langs->trans("ContactNotLinkedToCompany");
+		print '</td></tr>';
 	}
 
-	$ldap->unbind();
-	$ldap->close();
+	// Civility
+	print '<tr><td>'.$langs->trans("UserTitle").'</td><td colspan="3">';
+	print $contact->getCivilityLabel();
+	print '</td></tr>';
+
+	// LDAP DN
+	print '<tr><td>LDAP '.$langs->trans("LDAPContactDn").'</td><td class="valeur" colspan="3">'.$conf->global->LDAP_CONTACT_DN."</td></tr>\n";
+
+	// LDAP Cle
+	print '<tr><td>LDAP '.$langs->trans("LDAPNamingAttribute").'</td><td class="valeur" colspan="3">'.$conf->global->LDAP_KEY_CONTACTS."</td></tr>\n";
+
+	// LDAP Server
+	print '<tr><td>LDAP '.$langs->trans("LDAPPrimaryServer").'</td><td class="valeur" colspan="3">'.$conf->global->LDAP_SERVER_HOST."</td></tr>\n";
+	print '<tr><td>LDAP '.$langs->trans("LDAPSecondaryServer").'</td><td class="valeur" colspan="3">'.$conf->global->LDAP_SERVER_HOST_SLAVE."</td></tr>\n";
+	print '<tr><td>LDAP '.$langs->trans("LDAPServerPort").'</td><td class="valeur" colspan="3">'.$conf->global->LDAP_SERVER_PORT."</td></tr>\n";
+
+	print '</table>';
+
+	print '</div>';
+
+
+	dol_htmloutput_mesg($message);
+
+
+	/*
+	 * Barre d'actions
+	 */
+
+	print '<div class="tabsAction">';
+
+	if (! empty($conf->global->LDAP_CONTACT_ACTIVE) && $conf->global->LDAP_CONTACT_ACTIVE != 'ldap2dolibarr')
+	{
+		print '<a class="butAction" href="'.$_SERVER["PHP_SELF"].'?id='.$contact->id.'&amp;action=dolibarr2ldap">'.$langs->trans("ForceSynchronize").'</a>';
+	}
+
+	print "</div>\n";
+
+	if (! empty($conf->global->LDAP_CONTACT_ACTIVE) && $conf->global->LDAP_CONTACT_ACTIVE != 'ldap2dolibarr') print "<br>\n";
+
+
+
+	// Affichage attributs LDAP
+	print_titre($langs->trans("LDAPInformationsForThisContact"));
+
+	print '<table width="100%" class="noborder">';
+
+	print '<tr class="liste_titre">';
+	print '<td>'.$langs->trans("LDAPAttributes").'</td>';
+	print '<td>'.$langs->trans("Value").'</td>';
+	print '</tr>';
+
+	// Lecture LDAP
+	$ldap=new Ldap();
+	$result=$ldap->connect_bind();
+	if ($result > 0)
+	{
+		$info=$contact->_load_ldap_info();
+		$dn=$contact->_load_ldap_dn($info,1);
+		$search = "(".$contact->_load_ldap_dn($info,2).")";
+		$records=$ldap->getAttribute($dn,$search);
+
+		//var_dump($records);
+
+		// Affichage arbre
+		if (count($records) && $records != false && (! isset($records['count']) || $records['count'] > 0))
+		{
+			if (! is_array($records))
+			{
+				print '<tr '.$bc[false].'><td colspan="2"><font class="error">'.$langs->trans("ErrorFailedToReadLDAP").'</font></td></tr>';
+			}
+			else
+			{
+				$result=show_ldap_content($records,0,$records['count'],true);
+			}
+		}
+		else
+		{
+			print '<tr '.$bc[false].'><td colspan="2">'.$langs->trans("LDAPRecordNotFound").' (dn='.$dn.' - search='.$search.')</td></tr>';
+		}
+
+		$ldap->unbind();
+		$ldap->close();
+	}
+	else
+	{
+		dol_print_error('',$ldap->error);
+	}
+
+
+	print '</table>';
+
 }
-else
-{
-	dol_print_error('',$ldap->error);
-}
-
-
-print '</table>';
-
-
 
 
 $db->close();
 
 llxFooter();
-?>

htdocs/contact/list.php

@@ -3,7 +3,7 @@
  * Copyright (C) 2003      Eric Seigne          <erics@rycks.com>
  * Copyright (C) 2004-2012 Laurent Destailleur  <eldy@users.sourceforge.net>
  * Copyright (C) 2005-2012 Regis Houssin        <regis.houssin@capnetworks.com>
- * Copyright (C) 2013      Raphaël Doursenaud   <rdoursenaud@gpcsolutions.fr>
+ * Copyright (C) 2013-2015 Raphaël Doursenaud   <rdoursenaud@gpcsolutions.fr>
  * Copyright (C) 2013      Cédric Salvador      <csalvador@gpcsolutions.fr>
  * Copyright (C) 2013      Alexandre Spangaro   <alexandre.spangaro@gmail.com> 
  *
@@ -151,7 +151,7 @@ else
 	if ($search_priv == '1') $sql .= " AND (p.priv='1' AND p.fk_user_creat=".$user->id.")";
 }
 
-if ($search_categ > 0)   $sql.= " AND cs.fk_categorie = ".$search_categ;
+if ($search_categ > 0)   $sql.= " AND cs.fk_categorie = ".$db->escape($search_categ);
 if ($search_categ == -2) $sql.= " AND cs.fk_categorie IS NULL";
 
 if ($search_lastname) {      // filter on lastname
@@ -245,11 +245,11 @@ if ($result)
 {
 	$contactstatic=new Contact($db);
 
-    $param ='&begin='.urlencode($begin).'&view='.urlencode($view).'&userid='.urlencode($userid).'&contactname='.urlencode($sall);
-    $param.='&type='.urlencode($type).'&view='.urlencode($view).'&search_lastname='.urlencode($search_lastname).'&search_firstname='.urlencode($search_firstname).'&search_societe='.urlencode($search_societe).'&search_email='.urlencode($search_email);
-    if (!empty($search_categ)) $param.='&search_categ='.$search_categ;
-    if ($search_status != '') $param.='&amp;search_status='.$search_status;
-    if ($search_priv == '0' || $search_priv == '1') $param.="&search_priv=".urlencode($search_priv);
+    $param ='&begin='.htmlspecialchars($begin).'&view='.htmlspecialchars($view).'&userid='.htmlspecialchars($userid).'&contactname='.htmlspecialchars($sall);
+    $param.='&type='.htmlspecialchars($type).'&view='.htmlspecialchars($view).'&search_lastname='.htmlspecialchars($search_lastname).'&search_firstname='.htmlspecialchars($search_firstname).'&search_societe='.htmlspecialchars($search_societe).'&search_email='.htmlspecialchars($search_email);
+    if (!empty($search_categ)) $param.='&search_categ='.htmlspecialchars($search_categ);
+    if ($search_status != '') $param.='&amp;search_status='.htmlspecialchars($search_status);
+    if ($search_priv == '0' || $search_priv == '1') $param.="&search_priv=".htmlspecialchars($search_priv);
 
 	$num = $db->num_rows($result);
     $i = 0;
@@ -258,7 +258,7 @@ if ($result)
 
     print '<form method="post" action="'.$_SERVER["PHP_SELF"].'">';
     print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
-    print '<input type="hidden" name="view" value="'.$view.'">';
+    print '<input type="hidden" name="view" value="'.htmlspecialchars($view).'">';
     print '<input type="hidden" name="sortfield" value="'.$sortfield.'">';
     print '<input type="hidden" name="sortorder" value="'.$sortorder.'">';
 
@@ -277,7 +277,7 @@ if ($result)
     
     if ($sall)
     {
-        print $langs->trans("Filter")." (".$langs->trans("Lastname").", ".$langs->trans("Firstname")." ".$langs->trans("or")." ".$langs->trans("EMail")."): ".$sall;
+        print $langs->trans("Filter")." (".$langs->trans("Lastname").", ".$langs->trans("Firstname")." ".$langs->trans("or")." ".$langs->trans("EMail")."): ".htmlspecialchars($sall);
     }
 
     print '<table class="liste" width="100%">';
@@ -302,36 +302,36 @@ if ($result)
     // Ligne des champs de filtres
     print '<tr class="liste_titre">';
     print '<td class="liste_titre">';
-    print '<input class="flat" type="text" name="search_lastname" size="9" value="'.$search_lastname.'">';
+    print '<input class="flat" type="text" name="search_lastname" size="9" value="'.htmlspecialchars($search_lastname).'">';
     print '</td>';
     print '<td class="liste_titre">';
-    print '<input class="flat" type="text" name="search_firstname" size="9" value="'.$search_firstname.'">';
+    print '<input class="flat" type="text" name="search_firstname" size="9" value="'.htmlspecialchars($search_firstname).'">';
     print '</td>';
     print '<td class="liste_titre">';
-    print '<input class="flat" type="text" name="search_poste" size="9" value="'.$search_poste.'">';
+    print '<input class="flat" type="text" name="search_poste" size="9" value="'.htmlspecialchars($search_poste).'">';
     print '</td>';
     if (empty($conf->global->SOCIETE_DISABLE_CONTACTS))
     {
         print '<td class="liste_titre">';
-        print '<input class="flat" type="text" name="search_societe" size="9" value="'.$search_societe.'">';
+        print '<input class="flat" type="text" name="search_societe" size="9" value="'.htmlspecialchars($search_societe).'">';
         print '</td>';
     }
     print '<td class="liste_titre">';
-    print '<input class="flat" type="text" name="search_phonepro" size="8" value="'.$search_phonepro.'">';
+    print '<input class="flat" type="text" name="search_phonepro" size="8" value="'.htmlspecialchars($search_phonepro).'">';
     print '</td>';
     print '<td class="liste_titre">';
-    print '<input class="flat" type="text" name="search_phonemob" size="8" value="'.$search_phonemob.'">';
+    print '<input class="flat" type="text" name="search_phonemob" size="8" value="'.htmlspecialchars($search_phonemob).'">';
     print '</td>';
     print '<td class="liste_titre">';
-    print '<input class="flat" type="text" name="search_fax" size="8" value="'.$search_fax.'">';
+    print '<input class="flat" type="text" name="search_fax" size="8" value="'.htmlspecialchars($search_fax).'">';
     print '</td>';
     print '<td class="liste_titre">';
-    print '<input class="flat" type="text" name="search_email" size="8" value="'.$search_email.'">';
+    print '<input class="flat" type="text" name="search_email" size="8" value="'.htmlspecialchars($search_email).'">';
     print '</td>';
     if (! empty($conf->skype->enabled))
     {
         print '<td class="liste_titre">';
-        print '<input class="flat" type="text" name="search_skype" size="8" value="'.$search_skype.'">';
+        print '<input class="flat" type="text" name="search_skype" size="8" value="'.htmlspecialchars($search_skype).'">';
         print '</td>';
     }    
 	print '<td class="liste_titre">&nbsp;</td>';

htdocs/contact/perso.php

@@ -38,210 +38,213 @@ if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'contact', $id, 'socpeople&societe');
 $object = new Contact($db);
 
-/*
- * Action
- */
+$result = $object->fetch($id, $user);
 
-if ($action == 'update' && ! $_POST["cancel"] && $user->rights->societe->contact->creer)
+if ($id > 0)
 {
-	$ret = $object->fetch($id);
+    /*
+     * Action
+     */
 
-	// Note: Correct date should be completed with location to have exact GM time of birth.
-	$object->birthday = dol_mktime(0,0,0,$_POST["birthdaymonth"],$_POST["birthdayday"],$_POST["birthdayyear"]);
-	$object->birthday_alert = $_POST["birthday_alert"];
+    if ($action == 'update' && ! $_POST["cancel"] && $user->rights->societe->contact->creer)
+    {
+        // Note: Correct date should be completed with location to have exact GM time of birth.
+        $object->birthday = dol_mktime(0,0,0,$_POST["birthdaymonth"],$_POST["birthdayday"],$_POST["birthdayyear"]);
+        $object->birthday_alert = $_POST["birthday_alert"];
 
-	$result = $object->update_perso($id, $user);
-	if ($result > 0)
-	{
-		$object->old_name='';
-		$object->old_firstname='';
-	}
-	else
-	{
-		$error = $object->error;
-	}
+        $result = $object->update_perso($id, $user);
+        if ($result > 0)
+        {
+            $object->old_name='';
+            $object->old_firstname='';
+        }
+        else
+        {
+            $error = $object->error;
+        }
+    }
 }
 
-
 /*
  *	View
  */
 
+$form = new Form($db);
+
 $now=dol_now();
 
 $title = (! empty($conf->global->SOCIETE_ADDRESSES_MANAGEMENT) ? $langs->trans("Contacts") : $langs->trans("ContactsAddresses"));
 
 llxHeader('',$title,'EN:Module_Third_Parties|FR:Module_Tiers|ES:Módulo_Empresas');
 
-$form = new Form($db);
-
-$object->fetch($id, $user);
-
-$head = contact_prepare_head($object);
-
-dol_fiche_head($head, 'perso', $title, 0, 'contact');
-
-if ($action == 'edit')
+if ($id > 0)
 {
-	/*
-	 * Fiche en mode edition
-	 */
+    $head = contact_prepare_head($object);
 
-    print '<form name="perso" method="POST" action="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'">';
-    print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
-    print '<input type="hidden" name="action" value="update">';
-    print '<input type="hidden" name="id" value="'.$object->id.'">';
+    dol_fiche_head($head, 'perso', $title, 0, 'contact');
 
-    print '<table class="border" width="100%">';
-
-    // Ref
-    print '<tr><td width="20%">'.$langs->trans("Ref").'</td><td colspan="3">';
-    print $object->id;
-    print '</td></tr>';
-
-    // Name
-    print '<tr><td width="20%">'.$langs->trans("Lastname").' / '.$langs->trans("Label").'</td><td width="30%">'.$object->lastname.'</td>';
-    print '<td width="20%">'.$langs->trans("Firstname").'</td><td width="30%">'.$object->firstname.'</td>';
-
-    // Company
-    if (empty($conf->global->SOCIETE_DISABLE_CONTACTS))
+    if ($action == 'edit')
     {
-        if ($object->socid > 0)
+        /*
+         * Fiche en mode edition
+         */
+
+        print '<form name="perso" method="POST" action="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'">';
+        print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
+        print '<input type="hidden" name="action" value="update">';
+        print '<input type="hidden" name="id" value="'.$object->id.'">';
+
+        print '<table class="border" width="100%">';
+
+        // Ref
+        print '<tr><td width="20%">'.$langs->trans("Ref").'</td><td colspan="3">';
+        print $object->id;
+        print '</td></tr>';
+
+        // Name
+        print '<tr><td width="20%">'.$langs->trans("Lastname").' / '.$langs->trans("Label").'</td><td width="30%">'.$object->lastname.'</td>';
+        print '<td width="20%">'.$langs->trans("Firstname").'</td><td width="30%">'.$object->firstname.'</td>';
+
+        // Company
+        if (empty($conf->global->SOCIETE_DISABLE_CONTACTS))
         {
-            $objsoc = new Societe($db);
-            $objsoc->fetch($object->socid);
+            if ($object->socid > 0)
+            {
+                $objsoc = new Societe($db);
+                $objsoc->fetch($object->socid);
 
-            print '<tr><td>'.$langs->trans("Company").'</td><td colspan="3">'.$objsoc->getNomUrl(1).'</td>';
-        }
-        else
-        {
-            print '<tr><td>'.$langs->trans("Company").'</td><td colspan="3">';
-            print $langs->trans("ContactNotLinkedToCompany");
-            print '</td></tr>';
-        }
-    }
-
-    // Civility
-    print '<tr><td>'.$langs->trans("UserTitle").'</td><td colspan="3">';
-    print $object->getCivilityLabel();
-    print '</td></tr>';
-
-    // Date To Birth
-    print '<tr><td>'.$langs->trans("DateToBirth").'</td><td>';
-    $form=new Form($db);
-    print $form->select_date($object->birthday,'birthday',0,0,1,"perso");
-    print '</td>';
-
-    print '<td colspan="2">'.$langs->trans("Alert").': ';
-    if (! empty($object->birthday_alert))
-    {
-        print '<input type="checkbox" name="birthday_alert" checked="checked"></td>';
-    }
-    else
-    {
-        print '<input type="checkbox" name="birthday_alert"></td>';
-    }
-    print '</tr>';
-
-    print "</table><br>";
-
-    print '<center>';
-    print '<input type="submit" class="button" name="save" value="'.$langs->trans("Save").'">';
-    print ' &nbsp; ';
-    print '<input type="submit" class="button" name="cancel" value="'.$langs->trans("Cancel").'">';
-    print '</center>';
-
-    print "</form>";
-}
-else
-{
-    /*
-     * Fiche en mode visu
-     */
-    print '<table class="border" width="100%">';
-
-    $linkback = '<a href="'.DOL_URL_ROOT.'/contact/list.php">'.$langs->trans("BackToList").'</a>';
-
-    // Ref
-    print '<tr><td width="20%">'.$langs->trans("Ref").'</td><td colspan="3">';
-    print $form->showrefnav($object, 'id', $linkback);
-    print '</td></tr>';
-
-    // Name
-    print '<tr><td width="20%">'.$langs->trans("Lastname").' / '.$langs->trans("Label").'</td><td width="30%">'.$object->lastname.'</td>';
-    print '<td width="20%">'.$langs->trans("Firstname").'</td><td width="30%">'.$object->firstname.'</td></tr>';
-
-    // Company
-    if (empty($conf->global->SOCIETE_DISABLE_CONTACTS))
-    {
-        if ($object->socid > 0)
-        {
-            $objsoc = new Societe($db);
-            $objsoc->fetch($object->socid);
-
-            print '<tr><td>'.$langs->trans("Company").'</td><td colspan="3">'.$objsoc->getNomUrl(1).'</td></tr>';
+                print '<tr><td>'.$langs->trans("Company").'</td><td colspan="3">'.$objsoc->getNomUrl(1).'</td>';
+            }
+            else
+            {
+                print '<tr><td>'.$langs->trans("Company").'</td><td colspan="3">';
+                print $langs->trans("ContactNotLinkedToCompany");
+                print '</td></tr>';
+            }
         }
 
-        else
-        {
-            print '<tr><td>'.$langs->trans("Company").'</td><td colspan="3">';
-            print $langs->trans("ContactNotLinkedToCompany");
-            print '</td></tr>';
-        }
-    }
+        // Civility
+        print '<tr><td>'.$langs->trans("UserTitle").'</td><td colspan="3">';
+        print $object->getCivilityLabel();
+        print '</td></tr>';
 
-    // Civility
-    print '<tr><td>'.$langs->trans("UserTitle").'</td><td colspan="3">';
-    print $object->getCivilityLabel();
-    print '</td></tr>';
-
-    // Date To Birth
-    print '<tr>';
-    if (! empty($object->birthday))
-    {
-        include_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';
-
-        print '<td>'.$langs->trans("DateToBirth").'</td><td colspan="3">'.dol_print_date($object->birthday,"day");
-
-        print ' &nbsp; ';
-        //var_dump($birthdatearray);
-        $ageyear=convertSecondToTime($now-$object->birthday,'year')-1970;
-        $agemonth=convertSecondToTime($now-$object->birthday,'month')-1;
-        if ($ageyear >= 2) print '('.$ageyear.' '.$langs->trans("DurationYears").')';
-        else if ($agemonth >= 2) print '('.$agemonth.' '.$langs->trans("DurationMonths").')';
-        else print '('.$agemonth.' '.$langs->trans("DurationMonth").')';
-
-
-        print ' &nbsp; - &nbsp; ';
-        if ($object->birthday_alert) print $langs->trans("BirthdayAlertOn");
-        else print $langs->trans("BirthdayAlertOff");
+        // Date To Birth
+        print '<tr><td>'.$langs->trans("DateToBirth").'</td><td>';
+        $form=new Form($db);
+        print $form->select_date($object->birthday,'birthday',0,0,1,"perso");
         print '</td>';
+
+        print '<td colspan="2">'.$langs->trans("Alert").': ';
+        if (! empty($object->birthday_alert))
+        {
+            print '<input type="checkbox" name="birthday_alert" checked="checked"></td>';
+        }
+        else
+        {
+            print '<input type="checkbox" name="birthday_alert"></td>';
+        }
+        print '</tr>';
+
+        print "</table><br>";
+
+        print '<center>';
+        print '<input type="submit" class="button" name="save" value="'.$langs->trans("Save").'">';
+        print ' &nbsp; ';
+        print '<input type="submit" class="button" name="cancel" value="'.$langs->trans("Cancel").'">';
+        print '</center>';
+
+        print "</form>";
     }
     else
     {
-        print '<td>'.$langs->trans("DateToBirth").'</td><td colspan="3">'.$langs->trans("Unknown")."</td>";
-    }
-    print "</tr>";
+        /*
+         * Fiche en mode visu
+         */
+        print '<table class="border" width="100%">';
 
-    print "</table>";
+        $linkback = '<a href="'.DOL_URL_ROOT.'/contact/list.php">'.$langs->trans("BackToList").'</a>';
 
-}
+        // Ref
+        print '<tr><td width="20%">'.$langs->trans("Ref").'</td><td colspan="3">';
+        print $form->showrefnav($object, 'id', $linkback);
+        print '</td></tr>';
 
-dol_fiche_end();
+        // Name
+        print '<tr><td width="20%">'.$langs->trans("Lastname").' / '.$langs->trans("Label").'</td><td width="30%">'.$object->lastname.'</td>';
+        print '<td width="20%">'.$langs->trans("Firstname").'</td><td width="30%">'.$object->firstname.'</td></tr>';
 
-if ($action != 'edit')
-{
-    // Barre d'actions
-    if ($user->societe_id == 0)
-    {
-        print '<div class="tabsAction">';
-
-        if ($user->rights->societe->contact->creer)
+        // Company
+        if (empty($conf->global->SOCIETE_DISABLE_CONTACTS))
         {
-            print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&amp;action=edit">'.$langs->trans('Modify').'</a>';
+            if ($object->socid > 0)
+            {
+                $objsoc = new Societe($db);
+                $objsoc->fetch($object->socid);
+
+                print '<tr><td>'.$langs->trans("Company").'</td><td colspan="3">'.$objsoc->getNomUrl(1).'</td></tr>';
+            }
+
+            else
+            {
+                print '<tr><td>'.$langs->trans("Company").'</td><td colspan="3">';
+                print $langs->trans("ContactNotLinkedToCompany");
+                print '</td></tr>';
+            }
         }
 
-        print "</div>";
+        // Civility
+        print '<tr><td>'.$langs->trans("UserTitle").'</td><td colspan="3">';
+        print $object->getCivilityLabel();
+        print '</td></tr>';
+
+        // Date To Birth
+        print '<tr>';
+        if (! empty($object->birthday))
+        {
+            include_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';
+
+            print '<td>'.$langs->trans("DateToBirth").'</td><td colspan="3">'.dol_print_date($object->birthday,"day");
+
+            print ' &nbsp; ';
+            //var_dump($birthdatearray);
+            $ageyear=convertSecondToTime($now-$object->birthday,'year')-1970;
+            $agemonth=convertSecondToTime($now-$object->birthday,'month')-1;
+            if ($ageyear >= 2) print '('.$ageyear.' '.$langs->trans("DurationYears").')';
+            else if ($agemonth >= 2) print '('.$agemonth.' '.$langs->trans("DurationMonths").')';
+            else print '('.$agemonth.' '.$langs->trans("DurationMonth").')';
+
+
+            print ' &nbsp; - &nbsp; ';
+            if ($object->birthday_alert) print $langs->trans("BirthdayAlertOn");
+            else print $langs->trans("BirthdayAlertOff");
+            print '</td>';
+        }
+        else
+        {
+            print '<td>'.$langs->trans("DateToBirth").'</td><td colspan="3">'.$langs->trans("Unknown")."</td>";
+        }
+        print "</tr>";
+
+        print "</table>";
+
+    }
+
+    dol_fiche_end();
+
+    if ($action != 'edit')
+    {
+        // Barre d'actions
+        if ($user->societe_id == 0)
+        {
+            print '<div class="tabsAction">';
+
+            if ($user->rights->societe->contact->creer)
+            {
+                print '<a class="butAction" href="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'&amp;action=edit">'.$langs->trans('Modify').'</a>';
+            }
+
+            print "</div>";
+        }
     }
 }
 
@@ -249,4 +252,3 @@ if ($action != 'edit')
 llxFooter();
 
 $db->close();
-?>

htdocs/contact/vcard.php

@@ -35,70 +35,72 @@ $id = GETPOST('id', 'int');
 $result = restrictedArea($user, 'contact', $id, 'socpeople&societe');
 
 $contact = new Contact($db);
-$result=$contact->fetch($id);
 
-$physicalperson=1;
-
-$company = new Societe($db);
-if ($contact->socid)
+if ($id > 0)
 {
-	$result=$company->fetch($contact->socid);
-	//print "ee";
+	$result=$contact->fetch($id);
+
+	$physicalperson=1;
+
+	$company = new Societe($db);
+	if ($contact->socid)
+	{
+		$result=$company->fetch($contact->socid);
+		//print "ee";
+	}
+
+	// We create VCard
+	$v = new vCard();
+	$v->setProdId('Dolibarr '.DOL_VERSION);
+
+	$v->setUid('DOLIBARR-CONTACTID-'.$contact->id);
+	$v->setName($contact->lastname, $contact->firstname, "", "", "");
+	$v->setFormattedName($contact->getFullName($langs));
+
+	// By default, all informations are for work (except phone_perso and phone_mobile)
+	$v->setPhoneNumber($contact->phone_pro, "PREF;WORK;VOICE");
+	$v->setPhoneNumber($contact->phone_mobile, "CELL;VOICE");
+	$v->setPhoneNumber($contact->fax, "WORK;FAX");
+
+	$v->setAddress("", "", $contact->address, $contact->town, "", $contact->zip, ($contact->country_code?$contact->country_id:''), "WORK;POSTAL");
+	$v->setLabel("", "", $contact->address, $contact->town, "", $contact->zip, ($contact->country_code?$contact->country_id:''), "WORK");
+	$v->setEmail($contact->email,'internet,pref');
+	$v->setNote($contact->note);
+
+	$v->setTitle($contact->poste);
+
+	// Data from linked company
+	if ($company->id)
+	{
+		$v->setURL($company->url, "WORK");
+		if (! $contact->phone_pro) $v->setPhoneNumber($company->phone, "WORK;VOICE");
+		if (! $contact->fax)       $v->setPhoneNumber($company->fax, "WORK;FAX");
+		if (! $contact->zip)        $v->setAddress("", "", $company->address, $company->town, "", $company->zip, $company->country_code, "WORK;POSTAL");
+		if ($company->email != $contact->email) $v->setEmail($company->email,'internet');
+		// Si contact lie a un tiers non de type "particulier"
+		if ($contact->typent_code != 'TE_PRIVATE') $v->setOrg($company->nom);
+	}
+
+	// Personal informations
+	$v->setPhoneNumber($contact->phone_perso, "HOME;VOICE");
+	if ($contact->birthday) $v->setBirthday($contact->birthday);
+
+	$db->close();
+
+
+	// Renvoi la VCard au navigateur
+
+	$output = $v->getVCard();
+
+	$filename =trim(urldecode($v->getFileName()));      // "Nom prenom.vcf"
+	$filenameurlencoded = dol_sanitizeFileName(urlencode($filename));
+	//$filename = dol_sanitizeFileName($filename);
+
+
+	header("Content-Disposition: attachment; filename=\"".$filename."\"");
+	header("Content-Length: ".dol_strlen($output));
+	header("Connection: close");
+	header("Content-Type: text/x-vcard; name=\"".$filename."\"");
+
+	print $output;
 }
-
-// We create VCard
-$v = new vCard();
-$v->setProdId('Dolibarr '.DOL_VERSION);
-
-$v->setUid('DOLIBARR-CONTACTID-'.$contact->id);
-$v->setName($contact->lastname, $contact->firstname, "", "", "");
-$v->setFormattedName($contact->getFullName($langs));
-
-// By default, all informations are for work (except phone_perso and phone_mobile)
-$v->setPhoneNumber($contact->phone_pro, "PREF;WORK;VOICE");
-$v->setPhoneNumber($contact->phone_mobile, "CELL;VOICE");
-$v->setPhoneNumber($contact->fax, "WORK;FAX");
-
-$v->setAddress("", "", $contact->address, $contact->town, "", $contact->zip, ($contact->country_code?$contact->country_id:''), "WORK;POSTAL");
-$v->setLabel("", "", $contact->address, $contact->town, "", $contact->zip, ($contact->country_code?$contact->country_id:''), "WORK");
-$v->setEmail($contact->email,'internet,pref');
-$v->setNote($contact->note);
-
-$v->setTitle($contact->poste);
-
-// Data from linked company
-if ($company->id)
-{
-	$v->setURL($company->url, "WORK");
-	if (! $contact->phone_pro) $v->setPhoneNumber($company->phone, "WORK;VOICE");
-	if (! $contact->fax)       $v->setPhoneNumber($company->fax, "WORK;FAX");
-	if (! $contact->zip)        $v->setAddress("", "", $company->address, $company->town, "", $company->zip, $company->country_code, "WORK;POSTAL");
-	if ($company->email != $contact->email) $v->setEmail($company->email,'internet');
-	// Si contact lie a un tiers non de type "particulier"
-	if ($contact->typent_code != 'TE_PRIVATE') $v->setOrg($company->nom);
-}
-
-// Personal informations
-$v->setPhoneNumber($contact->phone_perso, "HOME;VOICE");
-if ($contact->birthday) $v->setBirthday($contact->birthday);
-
-$db->close();
-
-
-// Renvoi la VCard au navigateur
-
-$output = $v->getVCard();
-
-$filename =trim(urldecode($v->getFileName()));      // "Nom prenom.vcf"
-$filenameurlencoded = dol_sanitizeFileName(urlencode($filename));
-//$filename = dol_sanitizeFileName($filename);
-
-
-header("Content-Disposition: attachment; filename=\"".$filename."\"");
-header("Content-Length: ".dol_strlen($output));
-header("Connection: close");
-header("Content-Type: text/x-vcard; name=\"".$filename."\"");
-
-print $output;
-
-?>

htdocs/contrat/liste.php

@@ -78,7 +78,7 @@ $sql.= ", ".MAIN_DB_PREFIX."contrat as c";
 $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."contratdet as cd ON c.rowid = cd.fk_contrat";
 $sql.= " WHERE c.fk_soc = s.rowid ";
 $sql.= " AND c.entity = ".$conf->entity;
-if ($socid) $sql.= " AND s.rowid = ".$socid;
+if ($socid) $sql.= " AND s.rowid = ".$db->escape($socid);
 if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
 if ($search_nom) {
     $sql .= natural_search('s.nom', $search_nom);
@@ -100,13 +100,13 @@ if ($resql)
     $num = $db->num_rows($resql);
     $i = 0;
 
-    print_barre_liste($langs->trans("ListOfContracts"), $page, $_SERVER["PHP_SELF"], '&search_contract='.$search_contract.'&search_nom='.$search_nom, $sortfield, $sortorder,'',$num);
+    print_barre_liste($langs->trans("ListOfContracts"), $page, $_SERVER["PHP_SELF"], '&search_contract='.htmlspecialchars($search_contract).'&search_nom='.htmlspecialchars($search_nom), $sortfield, $sortorder,'',$num);
 
     print '<table class="liste" width="100%">';
 
     print '<tr class="liste_titre">';
-    $param='&amp;search_contract='.$search_contract;
-    $param.='&amp;search_nom='.$search_nom;
+    $param='&amp;search_contract='.htmlspecialchars($search_contract);
+    $param.='&amp;search_nom='.htmlspecialchars($search_nom);
     print_liste_field_titre($langs->trans("Ref"), $_SERVER["PHP_SELF"], "c.rowid","","$param",'',$sortfield,$sortorder);
     print_liste_field_titre($langs->trans("Company"), $_SERVER["PHP_SELF"], "s.nom","","$param",'',$sortfield,$sortorder);
     //print_liste_field_titre($langs->trans("DateCreation"), $_SERVER["PHP_SELF"], "c.datec","","$param",'align="center"',$sortfield,$sortorder);
@@ -122,10 +122,10 @@ if ($resql)
     print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
     print '<tr class="liste_titre">';
     print '<td class="liste_titre">';
-    print '<input type="text" class="flat" size="3" name="search_contract" value="'.$search_contract.'">';
+    print '<input type="text" class="flat" size="3" name="search_contract" value="'.htmlspecialchars($search_contract).'">';
     print '</td>';
     print '<td class="liste_titre">';
-    print '<input type="text" class="flat" size="24" name="search_nom" value="'.$search_nom.'">';
+    print '<input type="text" class="flat" size="24" name="search_nom" value="'.htmlspecialchars($search_nom).'">';
     print '</td>';
     print '<td class="liste_titre">&nbsp;</td>';
     //print '<td class="liste_titre">&nbsp;</td>';

htdocs/core/boxes/box_prospect.php

@@ -119,7 +119,6 @@ class box_prospect extends ModeleBoxes
 			}
 		}
 		else {
-			dol_syslog("box_prospect::loadBox not allowed de read this box content",LOG_ERR);
 			$this->info_box_contents[0][0] = array('td' => 'align="left"',
         'text' => $langs->trans("ReadPermissionNotAllowed"));
 		}

htdocs/core/class/html.form.class.php

@@ -836,7 +836,7 @@ class Form
                         $out.= '<option value="'.$obj->rowid.'">'.$label.'</option>';
                     }
 
-                    array_push($outarray, array('key'=>$obj->rowid, 'value'=>$obj->name, 'label'=>$obj->name));
+                    array_push($outarray, array('key'=>$obj->rowid, 'value'=>$obj->rowid, 'label'=>$label));
 
                     $i++;
                     if (($i % 10) == 0) $out.="\n";
@@ -4110,7 +4110,7 @@ class Form
                 {
                     global $dolibarr_main_url_root;
                     $ret.='<!-- Put link to gravatar -->';
-                    $ret.='<img alt="Photo found on Gravatar" title="Photo Gravatar.com - email '.$email.'" border="0" width="'.$width.'" src="http://www.gravatar.com/avatar/'.dol_hash($email).'?s='.$width.'&d='.urlencode(dol_buildpath('/theme/common/nophoto.jpg',2)).'">';
+                    $ret.='<img alt="Photo found on Gravatar" title="Photo Gravatar.com - email '.$email.'" border="0" width="'.$width.'" src="https://www.gravatar.com/avatar/'.dol_hash($email).'?s='.$width.'&d='.urlencode(dol_buildpath('/theme/common/nophoto.jpg',2)).'">';
                 }
                 else
                 {

htdocs/core/class/menubase.class.php

@@ -152,7 +152,7 @@ class Menubase
         $sql.= " '".$this->fk_menu."',";
         $sql.= " ".($this->fk_mainmenu?"'".$this->fk_mainmenu."'":"null").",";
         $sql.= " ".($this->fk_leftmenu?"'".$this->fk_leftmenu."'":"null").",";
-        $sql.= " '".$this->position."',";
+        $sql.= " '".(int) $this->position."',";
         $sql.= " '".$this->db->escape($this->url)."',";
         $sql.= " '".$this->db->escape($this->target)."',";
         $sql.= " '".$this->db->escape($this->titre)."',";

htdocs/core/lib/functions.lib.php

@@ -10,6 +10,7 @@
  * Copyright (C) 2010-2011 Juanjo Menent        <jmenent@2byte.es>
  * Copyright (C) 2013      Cédric Salvador      <csalvador@gpcsolutions.fr>
  * Copyright (C) 2013      Alexandre Spangaro   <alexandre.spangaro@gmail.com>
+ * Copyright (C) 2014-2015 Marcos García        <marcosgdf@gmail.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -146,7 +147,7 @@ function getBrowserInfo()
 	elseif (preg_match('/epiphany/i',$_SERVER["HTTP_USER_AGENT"]))                       { $name='epiphany';  $version=$reg[2]; }
 	elseif ((empty($phone) || preg_match('/iphone/i',$_SERVER["HTTP_USER_AGENT"])) && preg_match('/safari(\/|\s)([\d\.]*)/i',$_SERVER["HTTP_USER_AGENT"], $reg)) { $name='safari'; $version=$reg[2]; }	// Safari is often present in string for mobile but its not.
 	elseif (preg_match('/opera(\/|\s)([\d\.]*)/i',  $_SERVER["HTTP_USER_AGENT"], $reg))  { $name='opera';     $version=$reg[2]; }
-	elseif (preg_match('/msie(\/|\s)([\d\.]*)/i',   $_SERVER["HTTP_USER_AGENT"], $reg))  { $name='ie';        $version=$reg[2]; }    // MS products at end
+	elseif (preg_match('/(MSIE\s([0-9]+\.[0-9]))|.*(Trident\/[0-9]+.[0-9];\srv:([0-9]+\.[0-9]+))/i',   $_SERVER["HTTP_USER_AGENT"], $reg))  { $name='ie';        $version= end($reg); }    // MS products at end
 	// Other
 	$firefox=0;
 	if (in_array($name,array('firefox','iceweasel'))) $firefox=1;
@@ -2515,7 +2516,7 @@ function load_fiche_titre($titre, $mesg='', $picto='title.png', $pictoisfullpath
 	$return='';
 
 	if ($picto == 'setup') $picto='title.png';
-	if (!empty($conf->browser->ie) && $picto=='title.png') $picto='title.gif';
+	if (($conf->browser->name == 'ie') && $picto=='title.png') $picto='title.gif';
 
 	$return.= "\n";
 	$return.= '<table '.($id?'id="'.$id.'" ':'').'summary="" width="100%" border="0" class="notopnoleftnoright" style="margin-bottom: 2px;"><tr>';
@@ -2553,7 +2554,7 @@ function print_barre_liste($titre, $page, $file, $options='', $sortfield='', $so
 	global $conf,$langs;
 
 	if ($picto == 'setup') $picto='title.png';
-	if (!empty($conf->browser->ie) && $picto=='title.png') $picto='title.gif';
+	if (($conf->browser->name == 'ie') && $picto=='title.png') $picto='title.gif';
 
 	if (($num > $conf->liste_limit) || ($num == -1))
 	{

htdocs/core/lib/report.lib.php

@@ -39,7 +39,7 @@
 */
 function report_header($nom,$variante,$period,$periodlink,$description,$builddate,$exportlink='',$moreparam=array(),$calcmode='')
 {
-	global $langs, $hselected;
+	global $langs;
 
 	print "\n\n<!-- debut cartouche rapport -->\n";
 
@@ -48,7 +48,7 @@ function report_header($nom,$variante,$period,$periodlink,$description,$builddat
 	$head[$h][1] = $langs->trans("Report");
 	$head[$h][2] = 'report';
 
-	dol_fiche_head($head, $hselected);
+	dol_fiche_head($head, 'report');
 
 	print '<form method="POST" action="'.$_SERVER["PHP_SELF"].'">';
 	foreach($moreparam as $key => $value)

htdocs/core/menus/standard/eldy.lib.php

@@ -134,9 +134,11 @@ function print_eldy_menu($db,$atarget,$type_user,&$tabMenu,&$menu,$noout=0)
 	}
 
 	// Financial
-	$tmpentry=array('enabled'=>(! empty($conf->comptabilite->enabled) || ! empty($conf->accounting->enabled) || ! empty($conf->facture->enabled) || ! empty($conf->deplacement->enabled) || ! empty($conf->don->enabled) || ! empty($conf->tax->enabled)),
-	'perms'=>(! empty($user->rights->compta->resultat->lire) || ! empty($user->rights->accounting->plancompte->lire) || ! empty($user->rights->facture->lire) || ! empty($user->rights->deplacement->lire) || ! empty($user->rights->don->lire) || ! empty($user->rights->tax->charges->lire)),
-	'module'=>'comptabilite|accounting|facture|deplacement|don|tax');
+	$tmpentry = array(
+		'enabled' => (!empty($conf->comptabilite->enabled) || !empty($conf->accounting->enabled) || !empty($conf->facture->enabled) || !empty($conf->deplacement->enabled) || !empty($conf->don->enabled) || !empty($conf->tax->enabled) || !empty($conf->margin->enabled)),
+		'perms' => (!empty($user->rights->compta->resultat->lire) || !empty($user->rights->accounting->plancompte->lire) || !empty($user->rights->facture->lire) || !empty($user->rights->deplacement->lire) || !empty($user->rights->don->lire) || !empty($user->rights->tax->charges->lire) || !empty($user->rights->margins->liretous)),
+		'module' => 'comptabilite|accounting|facture|deplacement|don|tax'
+	);
 	$showmode=dol_eldy_showmenu($type_user, $tmpentry, $listofmodulesforexternal);
 	if ($showmode)
 	{

htdocs/core/modules/DolibarrModules.class.php

@@ -1009,7 +1009,6 @@ abstract class DolibarrModules
 
         $this->db->begin();
 
-        //var_dump($this->menu); exit;
         foreach ($this->menu as $key => $value)
         {
             $menu = new Menubase($this->db);
@@ -1018,11 +1017,9 @@ abstract class DolibarrModules
             if (! $this->menu[$key]['fk_menu'])
             {
                 $menu->fk_menu=0;
-                //print 'aaa'.$this->menu[$key]['fk_menu'];
             }
             else
             {
-                //print 'xxx'.$this->menu[$key]['fk_menu'];exit;
                 $foundparent=0;
                 $fk_parent=$this->menu[$key]['fk_menu'];
                 if (preg_match('/^r=/',$fk_parent))	// old deprecated method

htdocs/core/modules/modProjet.class.php

@@ -280,11 +280,9 @@ class modProjet extends DolibarrModules
         $this->export_sql_end[$r] .=' LEFT JOIN '.MAIN_DB_PREFIX.'projet_extrafields as extra ON p.rowid = extra.fk_object';
 		$this->export_sql_end[$r] .=' LEFT JOIN '.MAIN_DB_PREFIX."projet_task as pt ON p.rowid = pt.fk_projet";
         $this->export_sql_end[$r] .=' LEFT JOIN '.MAIN_DB_PREFIX.'projet_task_extrafields as extra2 ON pt.rowid = extra2.fk_object';
-		$this->export_sql_end[$r] .=' LEFT JOIN '.MAIN_DB_PREFIX."projet_task_time as ptt ON pt.rowid = ptt.fk_task,";
-		$this->export_sql_end[$r] .=' '.MAIN_DB_PREFIX.'societe as s';
-		$this->export_sql_end[$r] .=' WHERE p.fk_soc = s.rowid';
-		$this->export_sql_end[$r] .=' AND p.entity = '.$conf->entity;
-
+		$this->export_sql_end[$r] .=' LEFT JOIN '.MAIN_DB_PREFIX."projet_task_time as ptt ON pt.rowid = ptt.fk_task";
+		$this->export_sql_end[$r] .=' LEFT JOIN '.MAIN_DB_PREFIX.'societe as s ON p.fk_soc = s.rowid';
+		$this->export_sql_end[$r] .=' WHERE p.entity = '.$conf->entity;
 	}
 
 

htdocs/core/modules/societe/mod_codecompta_aquarium.php

@@ -44,8 +44,8 @@ class mod_codecompta_aquarium extends ModeleAccountancyCode
 	function __construct()
 	{
 	    global $conf;
-		if (empty($conf->global->COMPANY_AQUARIUM_MASK_CUSTOMER)) $conf->global->COMPANY_AQUARIUM_MASK_CUSTOMER='411';
-        if (empty($conf->global->COMPANY_AQUARIUM_MASK_SUPPLIER)) $conf->global->COMPANY_AQUARIUM_MASK_SUPPLIER='401';
+		if (! isset($conf->global->COMPANY_AQUARIUM_MASK_CUSTOMER) || trim($conf->global->COMPANY_AQUARIUM_MASK_CUSTOMER) == '') $conf->global->COMPANY_AQUARIUM_MASK_CUSTOMER='411';
+        if (! isset($conf->global->COMPANY_AQUARIUM_MASK_SUPPLIER) || trim($conf->global->COMPANY_AQUARIUM_MASK_SUPPLIER) == '') $conf->global->COMPANY_AQUARIUM_MASK_SUPPLIER='401';
 		$this->prefixcustomeraccountancycode=$conf->global->COMPANY_AQUARIUM_MASK_CUSTOMER;
 	    $this->prefixsupplieraccountancycode=$conf->global->COMPANY_AQUARIUM_MASK_SUPPLIER;
 	}

htdocs/core/modules/supplier_invoice/mod_facture_fournisseur_tulip.php

@@ -125,7 +125,8 @@ class mod_facture_fournisseur_tulip extends ModeleNumRefSuppliersInvoices
 			return 0;
 		}
 
-		$numFinal=get_next_value($db,$mask,'facture_fourn','ref','',$objsoc->code_fournisseur,$object->datef);
+	    //Supplier invoices take invoice date instead of creation date for the mask
+		$numFinal=get_next_value($db,$mask,'facture_fourn','ref','',$objsoc->code_fournisseur,$object->date);
 
 		return  $numFinal;
 	}

htdocs/core/tpl/objectline_edit.tpl.php

@@ -128,7 +128,7 @@ $coldisplay=-1; // We remove first td
 
 	<?php if (! empty($conf->margin->enabled)) { ?>
 		<td align="right"><?php $coldisplay++; ?>
-			<select id="fournprice" name="fournprice" class="hideobject"></select>
+			<select id="fournprice" name="fournprice"></select>
 			<input type="text" size="5" id="buying_price" name="buying_price" class="hideobject" value="<?php echo price($line->pa_ht,0,'',0); ?>">
 		</td>
 	    <?php if ($user->rights->margins->creer) {

htdocs/expedition/class/expedition.class.php

@@ -164,8 +164,6 @@ class Expedition extends CommonObject
 
 		$now=dol_now();
 
-		if (empty($this->model_pdf)) $this->model_pdf=$conf->global->EXPEDITION_ADDON_PDF;
-
 		require_once DOL_DOCUMENT_ROOT .'/product/stock/class/mouvementstock.class.php';
 		$error = 0;
 
@@ -849,7 +847,7 @@ class Expedition extends CommonObject
 					$mouvS = new MouvementStock($this->db);
 					// We decrement stock of product (and sub-products)
 					// We use warehouse selected for each line
-					$result=$mouvS->reception($user, $obj->fk_product, $obj->fk_entrepot, $obj->qty, $obj->subprice, $langs->trans("ShipmentDeletedInDolibarr",$this->ref));
+					$result=$mouvS->reception($user, $obj->fk_product, $obj->fk_entrepot, $obj->qty, 0, $langs->trans("ShipmentDeletedInDolibarr",$this->ref));
 					if ($result < 0)
 					{
 						$error++;

htdocs/expedition/fiche.php

@@ -113,6 +113,7 @@ if ($action == 'add')
 
     $object->socid					= $objectsrc->socid;
     $object->ref_customer			= $objectsrc->ref_client;
+	$object->model_pdf				= GETPOST('model');
     $object->date_delivery			= $date_delivery;	// Date delivery planed
     $object->fk_delivery_address	= $objectsrc->fk_delivery_address;
     $object->shipping_method_id		= GETPOST('shipping_method_id','int');
@@ -662,6 +663,14 @@ if ($action == 'create')
             print '<td colspan="3">';
             print '<input name="tracking_number" size="20" value="'.GETPOST('tracking_number','alpha').'">';
             print "</td></tr>\n";
+            
+            // Document model
+            print "<tr><td>".$langs->trans("Model")."</td>";
+            print '<td colspan="3">';
+			include_once DOL_DOCUMENT_ROOT . '/core/modules/expedition/modules_expedition.php';
+			$liste = ModelePdfExpedition::liste_modeles($db);
+			print $form->selectarray('model', $liste, $conf->global->EXPEDITION_ADDON_PDF);
+            print "</td></tr>\n";
 
             // Other attributes
             $parameters=array('colspan' => ' colspan="3"');

htdocs/filefunc.inc.php

@@ -29,7 +29,7 @@
  *  \brief      File that include conf.php file and commons lib like functions.lib.php
  */
 
-if (! defined('DOL_VERSION')) define('DOL_VERSION','3.5.6');
+if (! defined('DOL_VERSION')) define('DOL_VERSION','3.5.8');
 if (! defined('EURO')) define('EURO',chr(128));
 
 // Define syslog constants

htdocs/fourn/commande/dispatch.php

@@ -229,9 +229,17 @@ if ($id > 0 || ! empty($ref))
 			$resql = $db->query($sql);
 			if ($resql)
 			{
-				while ( $row = $db->fetch_row($resql) )
+				$num = $db->num_rows($resql);
+				$i = 0;
+				
+				if ($num)
 				{
-					$products_dispatched[$row[0]] = $row[1];
+					while ($i < $num)
+					{
+						$objd = $db->fetch_object($resql);
+						$products_dispatched[$objd->fk_product] = price2num($objd->qty, 5);
+						$i++;
+					}
 				}
 				$db->free($resql);
 			}
@@ -277,7 +285,7 @@ if ($id > 0 || ! empty($ref))
 					}
 					else
 					{
-						$remaintodispatch=($objp->qty - $products_dispatched[$objp->fk_product]);	// Calculation of dispatched
+						$remaintodispatch=(price2num($objp->qty, 5) - $products_dispatched[$objp->fk_product]);	// Calculation of dispatched
 						if ($remaintodispatch < 0) $remaintodispatch=0;
 						if ($remaintodispatch)
 						{

htdocs/install/upgrade.php

@@ -19,7 +19,7 @@
  * Upgrade scripts can be ran from command line with syntax:
  *
  * cd htdocs/install
- * php upgrade.php 3.4.0 3.5.0
+ * php upgrade.php 3.4.0 3.5.0 [dirmodule|ignoredbversion]
  * php upgrade2.php 3.4.0 3.5.0
  *
  * Return code is 0 if OK, >0 if error
@@ -54,7 +54,8 @@ $setuplang=GETPOST("selectlang",'',3)?GETPOST("selectlang",'',3):'auto';
 $langs->setDefaultLang($setuplang);
 $versionfrom=GETPOST("versionfrom",'',3)?GETPOST("versionfrom",'',3):(empty($argv[1])?'':$argv[1]);
 $versionto=GETPOST("versionto",'',3)?GETPOST("versionto",'',3):(empty($argv[2])?'':$argv[2]);
-$versionmodule=GETPOST("versionmodule",'',3)?GETPOST("versionmodule",'',3):(empty($argv[3])?'':$argv[3]);
+$versionmodule=(GETPOST("versionmodule",'',3) && GETPOST("versionmodule",'',3) != 'ignoredbversion')?GETPOST("versionmodule",'',3):((empty($argv[3]) || $argv[3] == 'ignoredbversion')?'':$argv[3]);
+$ignoredbversion=(GETPOST('ignoredbversion','',3)=='ignoredbversion')?GETPOST('ignoredbversion','',3):((empty($argv[3]) || $argv[3] != 'ignoredbversion')?'':$argv[3]);
 
 $langs->load("admin");
 $langs->load("install");

htdocs/install/upgrade2.php

@@ -3661,8 +3661,8 @@ function migrate_reload_modules($db,$langs,$conf)
     if (! empty($conf->global->MAIN_MODULE_SERVICE))    // Permission has changed into 2.7
     {
         dolibarr_install_syslog("upgrade2::migrate_reload_modules Reactivate module Service");
-        if ($res) {
-            $res=@include_once DOL_DOCUMENT_ROOT.'/core/modules/modService.class.php';
+	    $res=@include_once DOL_DOCUMENT_ROOT.'/core/modules/modService.class.php';
+	    if ($res) {
             $mod=new modService($db);
             //$mod->remove('noboxes');
             $mod->init('newboxdefonly');
@@ -3671,8 +3671,8 @@ function migrate_reload_modules($db,$langs,$conf)
     if (! empty($conf->global->MAIN_MODULE_COMMANDE))   // Permission has changed into 2.9
     {
         dolibarr_install_syslog("upgrade2::migrate_reload_modules Reactivate module Commande");
-        if ($res) {
-            $res=@include_once DOL_DOCUMENT_ROOT.'/core/modules/modCommande.class.php';
+	    $res=@include_once DOL_DOCUMENT_ROOT.'/core/modules/modCommande.class.php';
+	    if ($res) {
             $mod=new modCommande($db);
             //$mod->remove('noboxes');
             $mod->init('newboxdefonly');
@@ -3681,8 +3681,8 @@ function migrate_reload_modules($db,$langs,$conf)
     if (! empty($conf->global->MAIN_MODULE_FACTURE))    // Permission has changed into 2.9
     {
         dolibarr_install_syslog("upgrade2::migrate_reload_modules Reactivate module Facture");
-        if ($res) {
-            $res=@include_once DOL_DOCUMENT_ROOT.'/core/modules/modFacture.class.php';
+	    $res=@include_once DOL_DOCUMENT_ROOT.'/core/modules/modFacture.class.php';
+	    if ($res) {
             $mod=new modFacture($db);
             //$mod->remove('noboxes');
             $mod->init('newboxdefonly');
@@ -3732,8 +3732,8 @@ function migrate_reload_modules($db,$langs,$conf)
     if (! empty($conf->global->MAIN_MODULE_ECM))    // Permission has changed into 3.0 and 3.1
     {
         dolibarr_install_syslog("upgrade2::migrate_reload_modules Reactivate module ECM");
-        if ($res) {
-            $res=@include_once DOL_DOCUMENT_ROOT.'/core/modules/modECM.class.php';
+	    $res=@include_once DOL_DOCUMENT_ROOT.'/core/modules/modECM.class.php';
+	    if ($res) {
             $mod=new modECM($db);
             $mod->remove('noboxes');	// We need to remove because a permission id has been removed
             $mod->init('newboxdefonly');

htdocs/main.inc.php

@@ -80,13 +80,15 @@ function test_sql_and_script_inject($val, $type)
     // For SQL Injection (only GET and POST are used to be included into bad escaped SQL requests)
     if ($type != 2)
     {
-        $sql_inj += preg_match('/delete[\s]+from/i', $val);
-        $sql_inj += preg_match('/create[\s]+table/i', $val);
-        $sql_inj += preg_match('/update.+set.+=/i', $val);
-        $sql_inj += preg_match('/insert[\s]+into/i', $val);
-        $sql_inj += preg_match('/select.+from/i', $val);
-        $sql_inj += preg_match('/union.+select/i', $val);
-        $sql_inj += preg_match('/(\.\.%2f)+/i', $val);
+        $sql_inj += preg_match('/delete\s+from/i',	 $val);
+        $sql_inj += preg_match('/create\s+table/i',	 $val);
+        $sql_inj += preg_match('/update.+set.+=/i',  $val);
+        $sql_inj += preg_match('/insert\s+into/i', 	 $val);
+        $sql_inj += preg_match('/select.+from/i', 	 $val);
+        $sql_inj += preg_match('/union.+select/i', 	 $val);
+        $sql_inj += preg_match('/into\s+(outfile|dumpfile)/i',  $val);
+        $sql_inj += preg_match('/(\.\.%2f)+/i',		 $val);
+        $sql_inj += preg_match('/onerror=/i', 	     $val);
     }
     // For XSS Injection done by adding javascript with script
     // This is all cases a browser consider text is javascript:
@@ -94,7 +96,8 @@ function test_sql_and_script_inject($val, $type)
     // All examples on page: http://ha.ckers.org/xss.html#XSScalc
     $sql_inj += preg_match('/<script/i', $val);
     if (! defined('NOSTYLECHECK')) $sql_inj += preg_match('/<style/i', $val);
-    $sql_inj += preg_match('/base[\s]+href/i', $val);
+    $sql_inj += preg_match('/base[\s]+href/si', $val);
+    $sql_inj += preg_match('/<.*onmouse/si', $val);       // onmouseover can be set on img or any html tag like <img title='>' onmouseover=alert(1)>
     if ($type == 1)
     {
         $sql_inj += preg_match('/javascript:/i', $val);

htdocs/margin/customerMargins.php

@@ -50,9 +50,9 @@ $pagenext = $page + 1;
 $startdate=$enddate='';
 
 if (!empty($_POST['startdatemonth']))
-  $startdate  = dol_mktime(12, 0, 0, $_POST['startdatemonth'],  $_POST['startdateday'],  $_POST['startdateyear']);
+  $startdate  = dol_mktime(0, 0, 0, $_POST['startdatemonth'],  $_POST['startdateday'],  $_POST['startdateyear']);
 if (!empty($_POST['enddatemonth']))
-  $enddate  = dol_mktime(12, 0, 0, $_POST['enddatemonth'],  $_POST['enddateday'],  $_POST['enddateyear']);
+  $enddate  = dol_mktime(23, 59, 59, $_POST['enddatemonth'],  $_POST['enddateday'],  $_POST['enddateyear']);
 
 /*
  * View

htdocs/margin/index.php

@@ -1,5 +1,6 @@
 <?php
 /* Copyright (C) 2012	Christophe Battarel	<christophe.battarel@altairis.fr>
+ * Copyright (C) 2014   Marcos García       <marcosgdf@gmail.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -21,6 +22,16 @@
  *	\brief      Page d'index du module margin
  */
 
-require 'productMargins.php';
+require '../main.inc.php';
+
+if ($user->rights->produit->lire) {
+	$page = 'productMargins';
+} elseif ($user->rights->societe->lire) {
+	$page = 'customerMargins';
+} else {
+	$page = 'agentMargins';
+}
+
+header('Location: '.dol_buildpath('/margin/'.$page.'.php', 1));
 
 ?>

htdocs/margin/lib/margins.lib.php

@@ -1,5 +1,6 @@
 <?php
 /* Copyright (C) 2012	Christophe Battarel	<christophe.battarel@altairis.fr>
+ * Copyright (C) 2014   Marcos García       <marcosgdf@gmail.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -56,21 +57,25 @@ function marges_admin_prepare_head()
  */
 function marges_prepare_head()
 {
-	global $langs, $conf;
+	global $langs, $conf, $user;
 	$langs->load("marges@marges");
 
 	$h = 0;
 	$head = array();
 
-	$head[$h][0] = DOL_URL_ROOT."/margin/productMargins.php";
-	$head[$h][1] = $langs->trans("ProductMargins");
-	$head[$h][2] = 'productMargins';
-	$h++;
+	if ($user->rights->produit->lire) {
+		$head[$h][0] = DOL_URL_ROOT."/margin/productMargins.php";
+		$head[$h][1] = $langs->trans("ProductMargins");
+		$head[$h][2] = 'productMargins';
+		$h++;
+	}
 
-	$head[$h][0] = DOL_URL_ROOT."/margin/customerMargins.php";
-	$head[$h][1] = $langs->trans("CustomerMargins");
-	$head[$h][2] = 'customerMargins';
-	$h++;
+	if ($user->rights->societe->lire) {
+		$head[$h][0] = DOL_URL_ROOT."/margin/customerMargins.php";
+		$head[$h][1] = $langs->trans("CustomerMargins");
+		$head[$h][2] = 'customerMargins';
+		$h++;
+	}
 
 	$head[$h][0] = DOL_URL_ROOT."/margin/agentMargins.php";
 	$head[$h][1] = $langs->trans("AgentMargins");

htdocs/margin/productMargins.php

@@ -72,9 +72,9 @@ $pagenext = $page + 1;
 $startdate=$enddate='';
 
 if (!empty($_POST['startdatemonth']))
-  $startdate  = dol_mktime(12, 0, 0, $_POST['startdatemonth'], $_POST['startdateday'], $_POST['startdateyear']);
+  $startdate  = dol_mktime(0, 0, 0, $_POST['startdatemonth'], $_POST['startdateday'], $_POST['startdateyear']);
 if (!empty($_POST['enddatemonth']))
-  $enddate  = dol_mktime(12, 0, 0, $_POST['enddatemonth'], $_POST['enddateday'], $_POST['enddateyear']);
+  $enddate  = dol_mktime(23, 59, 59, $_POST['enddatemonth'], $_POST['enddateday'], $_POST['enddateyear']);
 
 
 /*

htdocs/product/class/product.class.php

@@ -442,7 +442,7 @@ class Product extends CommonObject
 		$this->ref = dol_string_nospecial(trim($this->ref));
 		$this->libelle = trim($this->libelle);
 		$this->description = trim($this->description);
-		$this->note = (isset($this->note)? trim($this->note):"null");
+		$this->note = (isset($this->note)? trim($this->note):null);
 		$this->weight = price2num($this->weight);
 		$this->weight_units = trim($this->weight_units);
 		$this->length = price2num($this->length);
@@ -2662,7 +2662,7 @@ class Product extends CommonObject
 		$sql = "SELECT ps.reel, ps.fk_entrepot, ps.pmp";
 		$sql.= " FROM ".MAIN_DB_PREFIX."product_stock as ps";
 		$sql.= ", ".MAIN_DB_PREFIX."entrepot as w";
-		$sql.= " WHERE w.entity IN (".getEntity('warehouse', 1).")";
+		$sql.= " WHERE w.entity IN (".getEntity('stock', 1).")";
 		$sql.= " AND w.rowid = ps.fk_entrepot";
 		$sql.= " AND ps.fk_product = ".$this->id;
 
@@ -2856,7 +2856,7 @@ class Product extends CommonObject
 
     				if (! utf8_check($file)) $file=utf8_encode($file);	// To be sure file is stored in UTF8 in memory
 
-    				if (dol_is_file($dir.$file) && preg_match('/(\.jpg|\.bmp|\.gif|\.png|\.tiff)$/i', $dir.$file))
+    				if (dol_is_file($dir.$file) && preg_match('/(\.jp(e?)g|\.bmp|\.gif|\.png|\.tiff)$/i', $dir.$file))
     				{
     					$nbphoto++;
     					$photo = $file;

htdocs/product/liste.php

@@ -4,7 +4,7 @@
  * Copyright (C) 2005-2012 Regis Houssin        <regis.houssin@capnetworks.com>
  * Copyright (C) 2012-2013 Marcos García        <marcosgdf@gmail.com>
  * Copyright (C) 2013      Juanjo Menent        <jmenent@2byte.es>
- * Copyright (C) 2013      Raphaël Doursenaud   <rdoursenaud@gpcsolutions.fr>
+ * Copyright (C) 2013-2015 Raphaël Doursenaud   <rdoursenaud@gpcsolutions.fr>
  * Copyright (C) 2013      Jean Heimburger   	<jean@tiaris.info>
  * Copyright (C) 2013      Cédric Salvador      <csalvador@gpcsolutions.fr>
  * Copyright (C) 2013      Florian Henry        <florian.henry@open-concept.pro>
@@ -181,7 +181,7 @@ else
     if (dol_strlen($canvas) > 0)                    $sql.= " AND p.canvas = '".$db->escape($canvas)."'";
     if ($catid > 0)    $sql.= " AND cp.fk_categorie = ".$catid;
     if ($catid == -2)  $sql.= " AND cp.fk_categorie IS NULL";
-    if ($search_categ > 0)   $sql.= " AND cp.fk_categorie = ".$search_categ;
+    if ($search_categ > 0)   $sql.= " AND cp.fk_categorie = ".$db->escape($search_categ);
     if ($search_categ == -2) $sql.= " AND cp.fk_categorie IS NULL";
     if ($fourn_id > 0) $sql.= " AND pfp.fk_soc = ".$fourn_id;
     $sql.= " GROUP BY p.rowid, p.ref, p.label, p.barcode, p.price, p.price_ttc, p.price_base_type,";
@@ -233,9 +233,9 @@ else
     	// Displays product removal confirmation
     	if (GETPOST('delprod'))	dol_htmloutput_mesg($langs->trans("ProductDeleted",GETPOST('delprod')));
 
-    	$param="&amp;sref=".$sref.($sbarcode?"&amp;sbarcode=".$sbarcode:"")."&amp;snom=".$snom."&amp;sall=".$sall."&amp;tosell=".$tosell."&amp;tobuy=".$tobuy;
+    	$param="&amp;sref=".htmlspecialchars($sref).($sbarcode?"&amp;sbarcode=".htmlspecialchars($sbarcode):"")."&amp;snom=".htmlspecialchars($snom)."&amp;sall=".htmlspecialchars($sall)."&amp;tosell=".htmlspecialchars($tosell)."&amp;tobuy=".htmlspecialchars($tobuy);
     	$param.=($fourn_id?"&amp;fourn_id=".$fourn_id:"");
-    	$param.=($search_categ?"&amp;search_categ=".$search_categ:"");
+    	$param.=($search_categ?"&amp;search_categ=".htmlspecialchars($search_categ):"");
     	$param.=isset($type)?"&amp;type=".$type:"";
 
     	print_barre_liste($texte, $page, "liste.php", $param, $sortfield, $sortorder, '', $num, $nbtotalofrecords);
@@ -320,15 +320,15 @@ else
     		// Lignes des champs de filtre
     		print '<tr class="liste_titre">';
     		print '<td class="liste_titre" align="left">';
-    		print '<input class="flat" type="text" name="sref" size="8" value="'.$sref.'">';
+    		print '<input class="flat" type="text" name="sref" size="8" value="'.htmlspecialchars($sref).'">';
     		print '</td>';
     		print '<td class="liste_titre" align="left">';
-    		print '<input class="flat" type="text" name="snom" size="12" value="'.$snom.'">';
+    		print '<input class="flat" type="text" name="snom" size="12" value="'.htmlspecialchars($snom).'">';
     		print '</td>';
     		if (! empty($conf->barcode->enabled))
     		{
     			print '<td class="liste_titre">';
-    			print '<input class="flat" type="text" name="sbarcode" size="6" value="'.$sbarcode.'">';
+    			print '<input class="flat" type="text" name="sbarcode" size="6" value="'.htmlspecialchars($sbarcode).'">';
     			print '</td>';
     		}
     		print '<td class="liste_titre">';
@@ -459,7 +459,7 @@ else
     			}
 
     			// Better buy price
-    			if ($user->rights->produit->creer) {
+    			if ($user->rights->fournisseur->lire) {
         			print  '<td align="right">';
         			if ($objp->minsellprice != '')
         			{
@@ -510,9 +510,9 @@ else
     			$i++;
     		}
 
-    		$param="&amp;sref=".$sref.($sbarcode?"&amp;sbarcode=".$sbarcode:"")."&amp;snom=".$snom."&amp;sall=".$sall."&amp;tosell=".$tosell."&amp;tobuy=".$tobuy;
+    		$param="&amp;sref=".htmlspecialchars($sref).($sbarcode?"&amp;sbarcode=".htmlspecialchars($sbarcode):"")."&amp;snom=".htmlspecialchars($snom)."&amp;sall=".htmlspecialchars($sall)."&amp;tosell=".htmlspecialchars($tosell)."&amp;tobuy=".htmlspecialchars($tobuy);
     		$param.=($fourn_id?"&amp;fourn_id=".$fourn_id:"");
-    		$param.=($search_categ?"&amp;search_categ=".$search_categ:"");
+    		$param.=($search_categ?"&amp;search_categ=".htmlspecialchars($search_categ):"");
     		$param.=isset($type)?"&amp;type=".$type:"";
     		print_barre_liste('', $page, "liste.php", $param, $sortfield, $sortorder,'',$num,$nbtotalofrecords);
 

htdocs/product/price.php

@@ -670,7 +670,7 @@ $sql.= " WHERE fk_product = ".$object->id;
 $sql.= " AND p.entity IN (".getEntity('productprice', 1).")";
 $sql.= " AND p.fk_user_author = u.rowid";
 if (! empty($socid) && ! empty($conf->global->PRODUIT_MULTIPRICES)) $sql.= " AND p.price_level = ".$soc->price_level;
-$sql.= " ORDER BY p.date_price DESC, p.price_level ASC";
+$sql.= " ORDER BY p.date_price DESC, p.price_level ASC, p.rowid DESC";
 
 dol_syslog("sql=".$sql);
 $result = $db->query($sql);

htdocs/product/stock/class/entrepot.class.php

@@ -358,7 +358,7 @@ class Entrepot extends CommonObject
 
 		$sql = "SELECT rowid, label";
 		$sql.= " FROM ".MAIN_DB_PREFIX."entrepot";
-		$sql.= " WHERE entity IN (".getEntity('warehouse', 1).")";
+		$sql.= " WHERE entity IN (".getEntity('stock', 1).")";
 		$sql.= " AND statut = ".$status;
 
 		$result = $this->db->query($sql);
@@ -418,7 +418,7 @@ class Entrepot extends CommonObject
 	{
 		$ret=array();
 
-		$sql = "SELECT sum(ps.reel) as nb, sum(ps.reel * ps.pmp) as value";
+		$sql = "SELECT sum(ps.reel) as nb, sum(ps.reel * p.pmp) as value";
 		$sql.= " FROM ".MAIN_DB_PREFIX."product_stock as ps";
 		$sql.= ", ".MAIN_DB_PREFIX."product as p";
 		$sql.= " WHERE ps.fk_entrepot = ".$this->id;

htdocs/product/stock/fiche.php

@@ -364,7 +364,7 @@ else
 			print_liste_field_titre($langs->trans("Product"),"", "p.ref","&id=".$_GET['id'],"","",$sortfield,$sortorder);
 			print_liste_field_titre($langs->trans("Label"),"", "p.label","&id=".$_GET['id'],"","",$sortfield,$sortorder);
             print_liste_field_titre($langs->trans("Units"),"", "ps.reel","&id=".$_GET['id'],"",'align="right"',$sortfield,$sortorder);
-            print_liste_field_titre($langs->trans("AverageUnitPricePMPShort"),"", "ps.pmp","&id=".$_GET['id'],"",'align="right"',$sortfield,$sortorder);
+            print_liste_field_titre($langs->trans("AverageUnitPricePMPShort"),"", "p.pmp","&id=".$_GET['id'],"",'align="right"',$sortfield,$sortorder);
 			print_liste_field_titre($langs->trans("EstimatedStockValueShort"),"", "","&id=".$_GET['id'],"",'align="right"',$sortfield,$sortorder);
             if (empty($conf->global->PRODUIT_MULTIPRICES)) print_liste_field_titre($langs->trans("SellPriceMin"),"", "p.price","&id=".$_GET['id'],"",'align="right"',$sortfield,$sortorder);
             if (empty($conf->global->PRODUIT_MULTIPRICES)) print_liste_field_titre($langs->trans("EstimatedStockValueSellShort"),"", "","&id=".$_GET['id'],"",'align="right"',$sortfield,$sortorder);
@@ -426,10 +426,10 @@ else
 					$totalunit+=$objp->value;
 
                     // Price buy PMP
-					print '<td align="right">'.price(price2num($objp->pmp,'MU')).'</td>';
+					print '<td align="right">'.price(price2num($objp->ppmp,'MU')).'</td>';
                     // Total PMP
-					print '<td align="right">'.price(price2num($objp->pmp*$objp->value,'MT')).'</td>';
-					$totalvalue+=price2num($objp->pmp*$objp->value,'MT');
+					print '<td align="right">'.price(price2num($objp->ppmp*$objp->value,'MT')).'</td>';
+					$totalvalue+=price2num($objp->ppmp*$objp->value,'MT');
 
                     // Price sell min
                     if (empty($conf->global->PRODUIT_MULTIPRICES))

htdocs/product/stock/product.php

@@ -528,9 +528,10 @@ print '<td align="right">'.$langs->trans("SellPriceMin").'</td>';
 print '<td align="right">'.$langs->trans("EstimatedStockValueSellShort").'</td>';
 print '</tr>';
 
-$sql = "SELECT e.rowid, e.label, ps.reel, ps.pmp";
+$sql = "SELECT e.rowid, e.label, ps.reel, p.pmp";
 $sql.= " FROM ".MAIN_DB_PREFIX."entrepot as e,";
 $sql.= " ".MAIN_DB_PREFIX."product_stock as ps";
+$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = ps.fk_product";
 $sql.= " WHERE ps.reel != 0";
 $sql.= " AND ps.fk_entrepot = e.rowid";
 $sql.= " AND e.entity = ".$conf->entity;

htdocs/product/stock/valo.php

@@ -53,7 +53,7 @@ $year = strftime("%Y",time());
 
 // Affichage valorisation par entrepot
 $sql = "SELECT e.rowid as ref, e.label, e.statut, e.lieu,";
-$sql.= " SUM(ps.pmp * ps.reel) as estimatedvalue, SUM(p.price * ps.reel) as sellvalue";
+$sql.= " SUM(p.pmp * ps.reel) as estimatedvalue, SUM(p.price * ps.reel) as sellvalue";
 $sql.= " FROM ".MAIN_DB_PREFIX."entrepot as e";
 $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON e.rowid = ps.fk_entrepot";
 $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON ps.fk_product = p.rowid";

htdocs/projet/element.php

@@ -3,6 +3,7 @@
  * Copyright (C) 2004-2010 Laurent Destailleur  <eldy@users.sourceforge.net>
  * Copyright (C) 2005-2010 Regis Houssin        <regis.houssin@capnetworks.com>
  * Copyright (C) 2012	   Juanjo Menent        <jmenent@2byte.es>
+ * Copyright (C) 2015      Marcos García        <marcosgdf@gmail.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -281,7 +282,14 @@ foreach ($listofreferent as $key => $value)
 				if (empty($value['disableamount'])) print '<td align="right">'.(isset($element->total_ttc)?price($element->total_ttc):'&nbsp;').'</td>';
 
 				// Status
-				print '<td align="right">'.$element->getLibStatut(5).'</td>';
+				print '<td align="right">';
+				if ($element instanceof CommonInvoice) {
+					//This applies for Facture and FactureFournisseur
+					print $element->getLibStatut(5, $element->getSommePaiement());
+				} else {
+					print $element->getLibStatut(5);
+				}
+				print '</td>';
 
 				print '</tr>';
 

htdocs/societe/consumption.php

@@ -180,7 +180,7 @@ if ($type_element == 'order')
 	$where = " WHERE c.fk_soc = s.rowid AND s.rowid = ".$socid;
 	$where.= " AND d.fk_commande = c.rowid";
 	$where.= " AND c.entity = ".$conf->entity;
-	$datePrint = 'c.datef';
+	$datePrint = 'c.date_commande';
 	$doc_number='c.ref';
 	$thirdTypeSelect='customer';
 }

htdocs/societe/info.php

@@ -40,6 +40,7 @@ $result = restrictedArea($user, 'societe', $socid, '&societe');
 // Initialize technical object to manage hooks of thirdparties. Note that conf->hooks_modules contains array array
 $hookmanager->initHooks(array('infothirdparty'));
 
+$soc = new Societe($db);
 
 
 /*
@@ -59,27 +60,27 @@ $error=$hookmanager->error; $errors=array_merge($errors, (array) $hookmanager->e
 $help_url='EN:Module_Third_Parties|FR:Module_Tiers|ES:Empresas';
 llxHeader('',$langs->trans("ThirdParty"),$help_url);
 
-$soc = new Societe($db);
-$soc->fetch($socid);
-$soc->info($socid);
+if ($socid > 0)
+{
+	$result = $soc->fetch($socid);
 
-/*
- * Affichage onglets
- */
-$head = societe_prepare_head($soc);
+	$soc->info($socid);
 
-dol_fiche_head($head, 'info', $langs->trans("ThirdParty"),0,'company');
+	/*
+	 * Affichage onglets
+	 */
+	$head = societe_prepare_head($soc);
+
+	dol_fiche_head($head, 'info', $langs->trans("ThirdParty"), 0, 'company');
 
 
+	print '<table width="100%"><tr><td>';
+	dol_print_object_info($soc);
+	print '</td></tr></table>';
 
-print '<table width="100%"><tr><td>';
-dol_print_object_info($soc);
-print '</td></tr></table>';
-
-print '</div>';
-
+	dol_fiche_end();
+}
 
 llxFooter();
 
 $db->close();
-?>

htdocs/societe/soc.php

@@ -999,6 +999,7 @@ else
         // Other attributes
         $parameters=array('colspan' => ' colspan="3"', 'colspanvalue' => '3');
         $reshook=$hookmanager->executeHooks('formObjectOptions',$parameters,$object,$action);    // Note that $action and $object may have been modified by hook
+        print $hookmanager->resPrint;
         if (empty($reshook) && ! empty($extrafields->attribute_label))
         {
         	print $object->showOptionals($extrafields,'edit');
@@ -1407,6 +1408,7 @@ else
             // Other attributes
             $parameters=array('colspan' => ' colspan="3"', 'colspanvalue' => '3');
             $reshook=$hookmanager->executeHooks('formObjectOptions',$parameters,$object,$action);    // Note that $action and $object may have been modified by hook
+            print $hookmanager->resPrint;
             if (empty($reshook) && ! empty($extrafields->attribute_label))
             {
             	print $object->showOptionals($extrafields,'edit');

htdocs/societe/societe.php

@@ -3,7 +3,7 @@
  * Copyright (C) 2004-2013 Laurent Destailleur  <eldy@users.sourceforge.net>
  * Copyright (C) 2005-2012 Regis Houssin        <regis.houssin@capnetworks.com>
  * Copyright (C) 2012      Marcos García        <marcosgdf@gmail.com>
- * Copyright (C) 2013      Raphaël Doursenaud   <rdoursenaud@gpcsolutions.fr>
+ * Copyright (C) 2013-2015 Raphaël Doursenaud   <rdoursenaud@gpcsolutions.fr>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -210,12 +210,12 @@ if (! $user->rights->fournisseur->lire) $sql.=" AND (s.fournisseur <> 1 OR s.cli
 // Insert sale filter
 if ($search_sale)
 {
-    $sql .= " AND sc.fk_user = ".$search_sale;
+    $sql .= " AND sc.fk_user = ".$db->escape($search_sale);
 }
 // Insert categ filter
 if ($search_categ)
 {
-    $sql .= " AND cs.fk_categorie = ".$search_categ;
+    $sql .= " AND cs.fk_categorie = ".$db->escape($search_categ);
 }
 if ($search_nom_only)
 {
@@ -272,12 +272,12 @@ if ($resql)
 	$num = $db->num_rows($resql);
 	$i = 0;
 
-	$params = "&amp;socname=".$socname."&amp;search_nom=".$search_nom."&amp;search_town=".$search_town;
-	$params.= ($sbarcode?"&amp;sbarcode=".$sbarcode:"");
-	$params.= '&amp;search_idprof1='.$search_idprof1;
-	$params.= '&amp;search_idprof2='.$search_idprof2;
-	$params.= '&amp;search_idprof3='.$search_idprof3;
-	$params.= '&amp;search_idprof4='.$search_idprof4;
+	$params = "&amp;socname=".htmlspecialchars($socname)."&amp;search_nom=".htmlspecialchars($search_nom)."&amp;search_town=".htmlspecialchars($search_town);
+	$params.= ($sbarcode?"&amp;sbarcode=".htmlspecialchars($sbarcode):"");
+	$params.= '&amp;search_idprof1='.htmlspecialchars($search_idprof1);
+	$params.= '&amp;search_idprof2='.htmlspecialchars($search_idprof2);
+	$params.= '&amp;search_idprof3='.htmlspecialchars($search_idprof3);
+	$params.= '&amp;search_idprof4='.htmlspecialchars($search_idprof4);
 
 	print_barre_liste($title, $page, $_SERVER["PHP_SELF"],$params,$sortfield,$sortorder,'',$num,$nbtotalofrecords);
 
@@ -348,34 +348,34 @@ if ($resql)
 	print '<input type="hidden" name="sortfield" value="'.$sortfield.'">';
 	print '<input type="hidden" name="sortorder" value="'.$sortorder.'">';
 	if (! empty($search_nom_only) && empty($search_nom)) $search_nom=$search_nom_only;
-	print '<input class="flat" type="text" name="search_nom" value="'.$search_nom.'">';
+	print '<input class="flat" type="text" name="search_nom" value="'.htmlspecialchars($search_nom).'">';
 	print '</td>';
 	// Barcode
 	if (! empty($conf->barcode->enabled))
 	{
-    	print '<td class="liste_titre">';
-    	print '<input class="flat" type="text" name="sbarcode" size="6" value="'.$sbarcode.'">';
-    	print '</td>';
+		print '<td class="liste_titre">';
+		print '<input class="flat" type="text" name="sbarcode" size="6" value="'.htmlspecialchars($sbarcode).'">';
+		print '</td>';
     }
 	// Town
 	print '<td class="liste_titre">';
-	print '<input class="flat" size="10" type="text" name="search_town" value="'.$search_town.'">';
+	print '<input class="flat" size="10" type="text" name="search_town" value="'.htmlspecialchars($search_town).'">';
 	print '</td>';
 	// IdProf1
 	print '<td class="liste_titre">';
-	print '<input class="flat" size="4" type="text" name="search_idprof1" value="'.$search_idprof1.'">';
+	print '<input class="flat" size="4" type="text" name="search_idprof1" value="'.htmlspecialchars($search_idprof1).'">';
 	print '</td>';
 	// IdProf2
 	print '<td class="liste_titre">';
-	print '<input class="flat" size="4" type="text" name="search_idprof2" value="'.$search_idprof2.'">';
+	print '<input class="flat" size="4" type="text" name="search_idprof2" value="'.htmlspecialchars($search_idprof2).'">';
 	print '</td>';
 	// IdProf3
 	print '<td class="liste_titre">';
-	print '<input class="flat" size="4" type="text" name="search_idprof3" value="'.$search_idprof3.'">';
+	print '<input class="flat" size="4" type="text" name="search_idprof3" value="'.htmlspecialchars($search_idprof3).'">';
 	print '</td>';
 	// IdProf4
 	print '<td class="liste_titre">';
-	print '<input class="flat" size="4" type="text" name="search_idprof4" value="'.$search_idprof4.'">';
+	print '<input class="flat" size="4" type="text" name="search_idprof4" value="'.htmlspecialchars($search_idprof4).'">';
 	print '</td>';
 	// Type (customer/prospect/supplier)
 	print '<td class="liste_titre" align="middle">';