diff --git a/htdocs/adherents/type.php b/htdocs/adherents/type.php
index 016fc5e049943d4b21920a27ed08e676b85aed35..a0f36c409def33584ea5b949f4c29a397c92278b 100644
--- a/htdocs/adherents/type.php
+++ b/htdocs/adherents/type.php
@@ -390,13 +390,13 @@ if ($rowid > 0)
 		}
 		if ($status != '')
 		{
-		    $sql.= " AND d.statut IN (".$status.")";     // Peut valoir un nombre ou liste de nombre separes par virgules
+		    $sql.= " AND d.statut IN (".$db->escape($status).")";     // Peut valoir un nombre ou liste de nombre separes par virgules
 		}
 		if ($action == 'search')
 		{
 			if (GETPOST('search'))
 			{
-		  		$sql.= natural_search(array("d.firstname","d.lastname"), GETPOST('search'));
+		  		$sql.= natural_search(array("d.firstname","d.lastname"), GETPOST('search','alpha'));
 		  	}
 		}
 		if (! empty($search_lastname))
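Review bot: `$db->escape($status)` on L10 does not make the unquoted `IN (...)` list safe: escape() only neutralises quote and backslash characters, and a value such as `1) OR (1=1` contains neither, so it reaches the SQL unchanged. The comment on the same line says the value is a number or a comma-separated list of numbers, so validate that shape instead, e.g. `if ($status != '' && preg_match('/^-?\d+(,-?\d+)*$/', $status))` before appending, or read the value with the `intcomma` GETPOST filter where it is first assigned (above the hunk). The `alpha` filter added on L17 is adequate only because natural_search is expected to quote and escape its argument, as it does elsewhere in this codebase.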
diff --git a/htdocs/comm/mailing/class/advtargetemailing.class.php b/htdocs/comm/mailing/class/advtargetemailing.class.php
index a0744fcfa04145ae81418309e1b6beac2ecfd6cb..ce6a9cf9896218f2c1bacb7a9a6a203b909a079c 100644
--- a/htdocs/comm/mailing/class/advtargetemailing.class.php
+++ b/htdocs/comm/mailing/class/advtargetemailing.class.php
@@ -640,16 +640,16 @@ class AdvanceTargetingMailing extends CommonObject
 				$sqlwhere[]=$this->transformToSQL('t.firstname',$arrayquery['contact_firstname']);
 			}
 			if (!empty($arrayquery['contact_country']) && count($arrayquery['contact_country'])) {
-				$sqlwhere[]= " (t.fk_pays IN (".implode(',',$arrayquery['contact_country'])."))";
+				$sqlwhere[]= " (t.fk_pays IN (".$db->escape(implode(',',$arrayquery['contact_country']))."))";
 			}
 			if (!empty($arrayquery['contact_status']) && count($arrayquery['contact_status'])>0) {
-				$sqlwhere[]= " (t.statut IN (".implode(',',$arrayquery['contact_status'])."))";
+				$sqlwhere[]= " (t.statut IN (".$db->escape(implode(',',$arrayquery['contact_status']))."))";
 			}
 			if (!empty($arrayquery['contact_civility']) && count($arrayquery['contact_civility'])>0) {
-				$sqlwhere[]= " (t.civility IN ('".implode("','",$arrayquery['contact_civility'])."'))";
+				$sqlwhere[]= " (t.civility IN ('".$db->escape(implode("','",$arrayquery['contact_civility']))."'))";
 			}
 			if ($arrayquery['contact_no_email']!='') {
-				$sqlwhere[]= " (t.no_email='".$arrayquery['contact_no_email']."')";
+				$sqlwhere[]= " (t.no_email='".$db->escape($arrayquery['contact_no_email'])."')";
 			}
 			if ($arrayquery['contact_update_st_dt']!='') {
 				$sqlwhere[]= " (t.tms >= '".$this->db->idate($arrayquery['contact_update_st_dt'])."' AND t.tms <= '".$this->db->idate($arrayquery['contact_update_end_dt'])."')";
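Review bot: The new calls on L30–L42 use a bare `$db`, while the same method reaches the connection through `$this->db` on L45, so unless a `global $db` is declared above the hunk `$db` is undefined here and `$db->escape()` fails at runtime; use `$this->db->escape(...)` as the surrounding code does. On L38 the escape is applied after the values have been joined with `','`, so the separator's quotes are escaped too and the list collapses into a single literal (`IN ('a\',\'b')`); escape each element before joining: `implode("','", array_map(array($this->db, 'escape'), $arrayquery['contact_civility']))`. For the integer lists on L30 and L34, `implode(',', array_map('intval', ...))` is the effective guard, since escaping does nothing for an unquoted `IN`. The enclosing method starts and ends outside the hunk.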
@@ -658,7 +658,7 @@ class AdvanceTargetingMailing extends CommonObject
 				$sqlwhere[]= " (t.datec >= '".$this->db->idate($arrayquery['contact_create_st_dt'])."' AND t.datec <= '".$this->db->idate($arrayquery['contact_create_end_dt'])."')";
 			}
 			if (!empty($arrayquery['contact_categ']) && count($arrayquery['contact_categ'])>0) {
-				$sqlwhere[]= " (contactcateg.fk_categorie IN (".implode(",",$arrayquery['contact_categ'])."))";
+				$sqlwhere[]= " (contactcateg.fk_categorie IN (".$db->escape(implode(",",$arrayquery['contact_categ']))."))";
 			}
 
 			//Standard Extrafield feature
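Review bot: Escaping the joined list on L51 does not protect an unquoted `IN (...)`: escape() only handles quotes and backslashes, so an element like `1) OR (1=1` survives intact. Category ids are integers, so coerce them instead of escaping: `$sqlwhere[]= " (contactcateg.fk_categorie IN (".implode(',', array_map('intval', $arrayquery['contact_categ'])).")";`. The enclosing method continues beyond the hunk.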
diff --git a/htdocs/comm/propal/stats/index.php b/htdocs/comm/propal/stats/index.php
index 5c74c8374a01edc24e36848df109c5af3b1aa62f..273862f68bff43e33d39d7d9d564fa77e33a38ea 100644
--- a/htdocs/comm/propal/stats/index.php
+++ b/htdocs/comm/propal/stats/index.php
@@ -92,7 +92,7 @@ dol_mkdir($dir);
 
 
 $stats = new PropaleStats($db, $socid, ($userid>0?$userid:0), $mode);
-if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND p.fk_statut IN ('.$object_status.')';
+if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND p.fk_statut IN ('.$db->escape($object_status).')';
 
 // Build graphic number of object
 $data = $stats->getNbByMonthWithPrevYear($endyear,$startyear);
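Review bot: `$db->escape($object_status)` on L64 is not an effective guard for the unquoted `IN (...)`: escape() only neutralises quote/backslash characters, and the `>= 0` test on the same line is a loose comparison that a leading-digit string such as `1) OR (1=1` still satisfies. Validate the expected shape instead, e.g. `if ($object_status != '' && preg_match('/^-?\d+(,-?\d+)*$/', $object_status))`, or sanitise `$object_status` where it is read from the request (above the hunk) with the `intcomma` GETPOST filter. The `$stats->where` fragment is consumed by PropaleStats outside this file, so nothing downstream re-checks it.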
@@ -299,7 +299,7 @@ foreach ($data as $val)
     while (! empty($year) && $oldyear > $year+1)
     {	// If we have empty year
         $oldyear--;
-        
+
         print '<tr class="oddeven" height="24">';
         print '<td align="center"><a href="'.$_SERVER["PHP_SELF"].'?year='.$oldyear.'&amp;mode='.$mode.($socid>0?'&socid='.$socid:'').($userid>0?'&userid='.$userid:'').'">'.$oldyear.'</a></td>';
         print '<td align="right">0</td>';
diff --git a/htdocs/commande/stats/index.php b/htdocs/commande/stats/index.php
index ed9f890680449467f835ec6348482439a6015a64..6a8b57e3707e94c3d70b215c8d14c220b076c40d 100644
--- a/htdocs/commande/stats/index.php
+++ b/htdocs/commande/stats/index.php
@@ -88,11 +88,11 @@ dol_mkdir($dir);
 $stats = new CommandeStats($db, $socid, $mode, ($userid>0?$userid:0));
 if ($mode == 'customer')
 {
-    if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND c.fk_statut IN ('.$object_status.')';
+    if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND c.fk_statut IN ('.$db->escape($object_status).')';
 }
 if ($mode == 'supplier')
 {
-    if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND c.fk_statut IN ('.$object_status.')';
+    if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND c.fk_statut IN ('.$db->escape($object_status).')';
 }
 
 
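Review bot: On L86 and L91 `$db->escape()` is applied to a value that is spliced into an unquoted `IN (...)`, where escaping quotes changes nothing and `1) OR (1=1` still passes both the `>= -1`/`>= 0` comparisons because of its leading digit. Since the two branches only differ in the lower bound, derive one validated value once and reuse it: `$statuslist = preg_match('/^-?\d+(,-?\d+)*$/', $object_status) ? $object_status : '';` and then `if ($statuslist !== '') $stats->where .= ' AND c.fk_statut IN ('.$statuslist.')';`. Where `$object_status` is read from the request (above the hunk), the `intcomma` GETPOST filter would achieve the same.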
diff --git a/htdocs/compta/facture/stats/index.php b/htdocs/compta/facture/stats/index.php
index 55ff4dad6e3f705ff6bfbb1dbcb3f2b96d1894e8..bf54e4f58abaea5a911babf988612b76de571bdf 100644
--- a/htdocs/compta/facture/stats/index.php
+++ b/htdocs/compta/facture/stats/index.php
@@ -84,11 +84,11 @@ dol_mkdir($dir);
 $stats = new FactureStats($db, $socid, $mode, ($userid>0?$userid:0));
 if ($mode == 'customer')
 {
-    if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND f.fk_statut IN ('.$object_status.')';
+    if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND f.fk_statut IN ('.$db->escape($object_status).')';
 }
 if ($mode == 'supplier')
 {
-    if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$object_status.')';
+    if ($object_status != '' && $object_status >= 0) $stats->where .= ' AND f.fk_statut IN ('.$db->escape($object_status).')';
 }
 
 // Build graphic number of object
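Review bot: L104 and L109 wrap `$object_status` in `$db->escape()` before an unquoted `IN (...)`, but escaping quotes does not constrain a value with no quotes in it, so the splice is as open as before. The intent is a list of integer statuses; enforce that shape, e.g. `if ($object_status != '' && preg_match('/^-?\d+(,-?\d+)*$/', $object_status))`, or read the value with the `intcomma` GETPOST filter at its assignment above the hunk. Both branches could share that single validated variable instead of repeating the check.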
@@ -299,7 +299,7 @@ foreach ($data as $val)
 	while ($year && $oldyear > $year+1)
 	{	// If we have empty year
 		$oldyear--;
-		
+
 		print '<tr class="oddeven" height="24">';
 		print '<td align="center"><a href="'.$_SERVER["PHP_SELF"].'?year='.$oldyear.'&amp;mode='.$mode.($socid>0?'&socid='.$socid:'').($userid>0?'&userid='.$userid:'').'">'.$oldyear.'</a></td>';
 		print '<td align="right">0</td>';
@@ -310,7 +310,7 @@ foreach ($data as $val)
 		print '<td align="right"></td>';
 		print '</tr>';
 	}
-	
+
 	print '<tr class="oddeven" height="24">';
 	print '<td align="center"><a href="'.$_SERVER["PHP_SELF"].'?year='.$year.'&amp;mode='.$mode.($socid>0?'&socid='.$socid:'').($userid>0?'&userid='.$userid:'').'">'.$year.'</a></td>';
 	print '<td align="right">'.$val['nb'].'</td>';
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index b7a2b46dfc01545b48fadcab9ce196489b7b2b25..c8ea494ad3a39155236aa2dd9f549db668ac855d 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -1918,7 +1918,7 @@ class Form
         $sql.= ' WHERE p.entity IN ('.getEntity('product').')';
         if (count($warehouseStatusArray))
         {
-            $sql.= ' AND (p.fk_product_type = 1 OR e.statut IN ('.implode(',',$warehouseStatusArray).'))';
+            $sql.= ' AND (p.fk_product_type = 1 OR e.statut IN ('.$db->escape(implode(',',$warehouseStatusArray)).'))';
         }
 
         if (!empty($conf->global->PRODUIT_ATTRIBUTES_HIDECHILD)) {
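Review bot: L140 calls `$db->escape()` inside a Form method; unless a `global $db` appears above the hunk, `$db` is undefined here and the call fails, so this should go through the object's own connection as `$this->db->escape(...)`. Independently, escaping a comma-joined list that is placed unquoted inside `IN (...)` adds no protection; if `$warehouseStatusArray` holds numeric status codes, `implode(',', array_map('intval', $warehouseStatusArray))` is the guard that actually constrains the SQL. The enclosing method starts and ends outside the hunk.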
diff --git a/htdocs/don/list.php b/htdocs/don/list.php
index 5521b233a28ab97fe97e9035487789eb4a33aa8f..9602b69a6154b7cf2ff6a660d3ccadc316b4e520 100644
--- a/htdocs/don/list.php
+++ b/htdocs/don/list.php
@@ -92,11 +92,11 @@ $sql.= " FROM ".MAIN_DB_PREFIX."don as d LEFT JOIN ".MAIN_DB_PREFIX."projet AS p
 $sql.= " ON p.rowid = d.fk_projet WHERE 1 = 1";
 if ($statut != '' && $statut != '-1')
 {
-	$sql .= " AND d.fk_statut IN (".$statut.")";
+	$sql .= " AND d.fk_statut IN (".$db->escape($statut).")";
 }
 if (trim($search_ref) != '')
 {
-    $sql.= natural_search('d.ref',$search_ref);
+    $sql.= natural_search('d.ref', $search_ref);
 }
 if (trim($search_all) != '')
 {
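Review bot: `$db->escape($statut)` on L153 does not secure the unquoted `IN (...)`: escape() only touches quote and backslash characters, so a value such as `1) OR (1=1` is inserted verbatim, and the `!= '-1'` check on L150 does not constrain it either. Validate the comma-separated integer shape instead: `if ($statut != '' && $statut != '-1' && preg_match('/^-?\d+(,-?\d+)*$/', $statut))`, or read `$statut` with the `intcomma` GETPOST filter where it is assigned above the hunk.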
diff --git a/htdocs/expensereport/stats/index.php b/htdocs/expensereport/stats/index.php
index e158e4728a877b96ee9ddd019058e98176e9355b..d0e3a1164bc0087e2a35a982dfd9838645e9a0dd 100644
--- a/htdocs/expensereport/stats/index.php
+++ b/htdocs/expensereport/stats/index.php
@@ -74,7 +74,7 @@ print load_fiche_titre($title, $mesg);
 dol_mkdir($dir);
 
 $stats = new ExpenseReportStats($db, $socid, $userid);
-if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND e.fk_statut IN ('.$object_status.')';
+if ($object_status != '' && $object_status >= -1) $stats->where .= ' AND e.fk_statut IN ('.$db->escape($object_status).')';
 
 // Build graphic number of object
 // $data = array(array('Lib',val1,val2,val3),...)
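Review bot: The escape added on L171 is applied to an unquoted numeric context, where it neutralises nothing a payload needs; `1) OR (1=1` has no quotes and still satisfies the `>= -1` comparison because of its leading digit. Constrain the value to a list of integers before splicing it, e.g. `if ($object_status != '' && preg_match('/^-?\d+(,-?\d+)*$/', $object_status))`, or apply the `intcomma` GETPOST filter where `$object_status` is read above the hunk.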
@@ -262,7 +262,7 @@ foreach ($data as $val)
 	while ($year && $oldyear > $year+1)
 	{	// If we have empty year
 		$oldyear--;
-		
+
 		print '<tr '.$bc[$var].' height="24">';
 		print '<td align="center"><a href="'.$_SERVER["PHP_SELF"].'?year='.$oldyear.'&amp;mode='.$mode.'">'.$oldyear.'</a></td>';
 		print '<td align="right">0</td>';
@@ -271,7 +271,7 @@ foreach ($data as $val)
 		print '</tr>';
 	}
 
-	
+
 	print '<tr '.$bc[$var].' height="24">';
 	print '<td align="center"><a href="'.$_SERVER["PHP_SELF"].'?year='.$year.'&amp;mode='.$mode.'">'.$year.'</a></td>';
 	print '<td align="right">'.$val['nb'].'</td>';
diff --git a/htdocs/fichinter/stats/index.php b/htdocs/fichinter/stats/index.php
index 4daa0b7e00d0a6654771a784111313de87e7667c..1c0ba5764edfc1429d9e5bdb51618cc789de70ed 100644
--- a/htdocs/fichinter/stats/index.php
+++ b/htdocs/fichinter/stats/index.php
@@ -75,7 +75,7 @@ print load_fiche_titre($title,'','title_commercial.png');
 dol_mkdir($dir);
 
 $stats = new FichinterStats($db, $socid, $mode, ($userid>0?$userid:0));
-if ($object_status != '' && $object_status > -1) $stats->where .= ' AND c.fk_statut IN ('.$object_status.')';
+if ($object_status != '' && $object_status > -1) $stats->where .= ' AND c.fk_statut IN ('.$db->escape($object_status).')';
 
 // Build graphic number of object
 $data = $stats->getNbByMonthWithPrevYear($endyear,$startyear);
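Review bot: `$db->escape($object_status)` on L202 leaves the unquoted `IN (...)` as exposed as before, because escape() only rewrites quotes and backslashes and the `> -1` comparison accepts any leading-digit string. Check the expected shape instead, `if ($object_status != '' && preg_match('/^-?\d+(,-?\d+)*$/', $object_status))`, or sanitise at the request read (above the hunk) with the `intcomma` GETPOST filter.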
@@ -291,7 +291,7 @@ foreach ($data as $val)
 	while (! empty($year) && $oldyear > $year+1)
 	{ // If we have empty year
 		$oldyear--;
-		
+
 		print '<tr '.$bc[$var].' height="24">';
 		print '<td align="center"><a href="'.$_SERVER["PHP_SELF"].'?year='.$oldyear.'&amp;mode='.$mode.($socid>0?'&socid='.$socid:'').($userid>0?'&userid='.$userid:'').'">'.$oldyear.'</a></td>';
 
@@ -304,7 +304,7 @@ foreach ($data as $val)
 		print '</tr>';
 	}
 
-	
+
 	print '<tr '.$bc[$var].' height="24">';
 	print '<td align="center"><a href="'.$_SERVER["PHP_SELF"].'?year='.$year.'&amp;mode='.$mode.($socid>0?'&socid='.$socid:'').($userid>0?'&userid='.$userid:'').'">'.$year.'</a></td>';
 	print '<td align="right">'.$val['nb'].'</td>';
diff --git a/htdocs/fourn/commande/list.php b/htdocs/fourn/commande/list.php
index ee9a6b3e49002005241c54f37a52aff4a3d696da..ac67d25682418322ec5a8e8788ffd790ae29f07c 100644
--- a/htdocs/fourn/commande/list.php
+++ b/htdocs/fourn/commande/list.php
@@ -535,9 +535,9 @@ if ($search_request_author) $sql.=natural_search(array('u.lastname','u.firstname
 if ($billed != '' && $billed >= 0) $sql .= " AND cf.billed = ".$billed;
 
 //Required triple check because statut=0 means draft filter
-if (GETPOST('statut', 'alpha') !== '')
+if (GETPOST('statut', 'intcomma') !== '')
 {
-	$sql .= " AND cf.fk_statut IN (".$db->escape(GETPOST('statut', 'alpha')).")";
+	$sql .= " AND cf.fk_statut IN (".$db->escape($db->escape(GETPOST('statut', 'intcomma'))).")";
 }
 if ($search_status != '' && $search_status >= 0)
 {
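Review bot: L236 escapes the same value twice (`$db->escape($db->escape(...))`); a single escape is the intent, and the double call is at best redundant and would double-escape any quote the value contained. GETPOST is also evaluated twice with the same arguments on L233 and L236; read it once: `$statutlist = GETPOST('statut', 'intcomma');` then `if ($statutlist !== '') $sql .= " AND cf.fk_statut IN (".$db->escape($statutlist).")";`. If the `intcomma` filter strips everything but digits, commas and signs, as its name suggests, it is what actually makes the unquoted `IN` safe here, and the escape is harmless but not the guard.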
diff --git a/htdocs/product/class/html.formproduct.class.php b/htdocs/product/class/html.formproduct.class.php
index 1dbfbc7662f6506ba28e60f6f9255d4e7ee51ba8..c526e7ae52bf5688d6680b6eddb9bf2fe2ced475 100644
--- a/htdocs/product/class/html.formproduct.class.php
+++ b/htdocs/product/class/html.formproduct.class.php
@@ -57,7 +57,7 @@ class FormProduct
 	 * @param	string	$batch			    Add quantity of batch stock in label for product with batch name batch, batch name precedes batch_id. Nothing if ''.
 	 * @param	string	$status		      	warehouse status filter, following comma separated filter options can be used
      *										'warehouseopen' = select products from open warehouses,
-	 *										'warehouseclosed' = select products from closed warehouses, 
+	 *										'warehouseclosed' = select products from closed warehouses,
 	 *										'warehouseinternal' = select products from warehouses for internal correct/transfer only
 	 * @param	boolean	$sumStock		    sum total stock of a warehouse, default true
 	 * @param	array	$exclude		    warehouses ids to exclude
@@ -68,28 +68,28 @@ class FormProduct
 		global $conf, $langs;
 
 		if (empty($fk_product) && count($this->cache_warehouses)) return 0;    // Cache already loaded and we do not want a list with information specific to a product
-		
+
 		if (is_array($exclude))	$excludeGroups = implode("','",$exclude);
 
 		$warehouseStatus = array();
 
-		if (preg_match('/warehouseclosed/', $status)) 
+		if (preg_match('/warehouseclosed/', $status))
 		{
 			$warehouseStatus[] = Entrepot::STATUS_CLOSED;
 		}
-		if (preg_match('/warehouseopen/', $status)) 
+		if (preg_match('/warehouseopen/', $status))
 		{
 			$warehouseStatus[] = Entrepot::STATUS_OPEN_ALL;
 		}
-		if (preg_match('/warehouseinternal/', $status)) 
+		if (preg_match('/warehouseinternal/', $status))
 		{
 			$warehouseStatus[] = Entrepot::STATUS_OPEN_INTERNAL;
 		}
-		
+
 		$sql = "SELECT e.rowid, e.label, e.description, e.fk_parent";
-		if (!empty($fk_product)) 
+		if (!empty($fk_product))
 		{
-			if (!empty($batch)) 
+			if (!empty($batch))
 			{
 				$sql.= ", pb.qty as stock";
 			}
@@ -107,7 +107,7 @@ class FormProduct
 		if (!empty($fk_product))
 		{
 			$sql.= " AND ps.fk_product = '".$fk_product."'";
-			if (!empty($batch)) 
+			if (!empty($batch))
             {
                 $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."product_batch as pb on pb.fk_product_stock = ps.rowid AND pb.batch = '".$batch."'";
             }
@@ -115,15 +115,15 @@ class FormProduct
 		$sql.= " WHERE e.entity IN (".getEntity('stock').")";
 		if (count($warehouseStatus))
 		{
-			$sql.= " AND e.statut IN (".implode(',',$warehouseStatus).")";
+			$sql.= " AND e.statut IN (".$db->escape(implode(',',$warehouseStatus)).")";
 		}
 		else
 		{
 			$sql.= " AND e.statut = 1";
 		}
-		
-		if(!empty($exclude)) $sql.= ' AND e.rowid NOT IN('.implode(',', $exclude).')';
-		
+
+		if(!empty($exclude)) $sql.= ' AND e.rowid NOT IN('.$db->escape(implode(',', $exclude)).')';
+
 		if ($sumStock && empty($fk_product)) $sql.= " GROUP BY e.rowid, e.label, e.description, e.fk_parent";
 		$sql.= " ORDER BY e.label";
 
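Review bot: `$db->escape()` on L303 and L313 is called inside loadWarehouses, whose only imported globals are `$conf, $langs` (L254 in the earlier hunk), so `$db` is undefined here and the call will fail at runtime; use `$this->db->escape(...)`. Escaping also does not constrain an unquoted `IN (...)` / `NOT IN(...)`: for the id list on L313, `implode(',', array_map('intval', $exclude))` is the effective guard, and `$warehouseStatus` on L303 is built from Entrepot constants, so an int cast suffices there as well. The `$excludeGroups` string built on L259 in the earlier hunk appears to be unused by this query. The enclosing method ends outside the hunk.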
@@ -144,7 +144,7 @@ class FormProduct
 				$this->cache_warehouses[$obj->rowid]['stock'] = $obj->stock;
 				$i++;
 			}
-			
+
 			// Full label init
 			foreach($this->cache_warehouses as $obj_rowid=>$tab) {
 				$this->cache_warehouses[$obj_rowid]['full_label'] = $this->get_parent_path($tab);
@@ -158,18 +158,18 @@ class FormProduct
 			return -1;
 		}
 	}
-	
+
 	/**
 	 * Return full path to current warehouse in $tab (recursive function)
-	 * 
+	 *
 	 * @param	array	$tab			warehouse data in $this->cache_warehouses line
 	 * @param	String	$final_label	full label with all parents, separated by ' >> ' (completed on each call)
 	 * @return	String					full label with all parents, separated by ' >> '
 	 */
 	private function get_parent_path($tab, $final_label='') {
-		
+
 		if(empty($final_label)) $final_label = $tab['label'];
-		
+
 		if(empty($tab['parent_id'])) return $final_label;
 		else {
 			if(!empty($this->cache_warehouses[$tab['parent_id']])) {
@@ -177,9 +177,9 @@ class FormProduct
 				return $this->get_parent_path($this->cache_warehouses[$tab['parent_id']], $final_label);
 			}
 		}
-		
+
 		return $final_label;
-		
+
 	}
 
 	/**
@@ -189,7 +189,7 @@ class FormProduct
 	 *  @param  string	$htmlname       Name of html select html
 	 *  @param  string	$filterstatus   warehouse status filter, following comma separated filter options can be used
      *									'warehouseopen' = select products from open warehouses,
-	 *									'warehouseclosed' = select products from closed warehouses, 
+	 *									'warehouseclosed' = select products from closed warehouses,
 	 *									'warehouseinternal' = select products from warehouses for internal correct/transfer only
 	 *  @param  int		$empty			1=Can be empty, 0 if not
 	 * 	@param	int		$disabled		1=Select is disabled
@@ -208,7 +208,7 @@ class FormProduct
 		global $conf,$langs,$user;
 
 		dol_syslog(get_class($this)."::selectWarehouses $selected, $htmlname, $filterstatus, $empty, $disabled, $fk_product, $empty_label, $showstock, $forcecombo, $morecss",LOG_DEBUG);
-		
+
 		$out='';
 		if (empty($conf->global->ENTREPOT_EXTRA_STATUS)) $filterstatus = '';
 		$this->loadWarehouses($fk_product, '', $filterstatus, true, $exclude);
@@ -221,7 +221,7 @@ class FormProduct
 			$out.= $comboenhancement;
 			$nodatarole=($comboenhancement?' data-role="none"':'');
 		}
-		
+
 		$out.='<select class="flat'.($morecss?' '.$morecss:'').'"'.($disabled?' disabled':'').' id="'.$htmlname.'" name="'.($htmlname.($disabled?'_disabled':'')).'"'.$nodatarole.'>';
 		if ($empty) $out.='<option value="-1">'.($empty_label?$empty_label:'&nbsp;').'</option>';
 		foreach($this->cache_warehouses as $id => $arraytypes)
diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index 14b6047368793551fcab41c6d25c6c5ddd924630..06afce94c89e6dbb9629dfb0fc66a7f3c0308f53 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
@@ -3750,7 +3750,7 @@ class Product extends CommonObject
 		$sql.= " WHERE w.entity IN (".getEntity('stock').")";
 		$sql.= " AND w.rowid = ps.fk_entrepot";
 		$sql.= " AND ps.fk_product = ".$this->id;
-		if ($conf->global->ENTREPOT_EXTRA_STATUS && count($warehouseStatus)) $sql.= " AND w.statut IN (".implode(',',$warehouseStatus).")";
+		if ($conf->global->ENTREPOT_EXTRA_STATUS && count($warehouseStatus)) $sql.= " AND w.statut IN (".$db->escape(implode(',',$warehouseStatus)).")";
 
 		dol_syslog(get_class($this)."::load_stock", LOG_DEBUG);
 		$result = $this->db->query($sql);
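Review bot: L398 uses a bare `$db` while the rest of this method goes through `$this->db` (L401), so unless a `global $db` is declared above the hunk the new escape call operates on an undefined variable; write `$this->db->escape(...)`. Escaping is in any case not what protects an unquoted `IN (...)`; if `$warehouseStatus` holds numeric status codes, `implode(',', array_map('intval', $warehouseStatus))` constrains the SQL, while escape() leaves a quote-free payload untouched. The enclosing method starts and ends outside the hunk.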
diff --git a/htdocs/supplier_proposal/list.php b/htdocs/supplier_proposal/list.php
index 6a8a0884ce2ae80cffcbc894d7643ecb2dfc3550..e6e205def8a8466859c635626e78ecacaf4998ff 100644
--- a/htdocs/supplier_proposal/list.php
+++ b/htdocs/supplier_proposal/list.php
@@ -284,7 +284,7 @@ if ($search_montant_vat != '') $sql.= natural_search("sp.tva", $search_montant_v
 if ($search_montant_ttc != '') $sql.= natural_search("sp.total", $search_montant_ttc, 1);
 if ($sall) $sql .= natural_search(array_keys($fieldstosearchall), $sall);
 if ($socid) $sql.= ' AND s.rowid = '.$socid;
-if ($search_status >= 0 && $search_status != '') $sql.= ' AND sp.fk_statut IN ('.$search_status.')';
+if ($search_status >= 0 && $search_status != '') $sql.= ' AND sp.fk_statut IN ('.$db->escape($search_status).')';
 if ($month > 0)
 {
     if ($year > 0 && empty($day))
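Review bot: `$db->escape($search_status)` on L411 does not make the unquoted `IN (...)` safe: escape() only handles quotes and backslashes, and the `>= 0` comparison on the same line accepts a leading-digit string such as `1) OR (1=1`. Validate the comma-separated integer shape before splicing, `if ($search_status != '' && preg_match('/^-?\d+(,-?\d+)*$/', $search_status))`, or read `$search_status` with the `intcomma` GETPOST filter where it is assigned above the hunk. The neighbouring `$socid` splice on L409 is context, not part of this change.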