Fix: sql error with combobox and uniformize code

htdocs/comm/contact.php

@@ -2,7 +2,7 @@
 /* Copyright (C) 2001-2005 Rodolphe Quiedeville	<rodolphe@quiedeville.org>
  * Copyright (C) 2003      Eric Seigne			<erics@rycks.com>
  * Copyright (C) 2004-2009 Laurent Destailleur	<eldy@users.sourceforge.net>
- * Copyright (C) 2005-2011 Regis Houssin		<regis@dolibarr.fr>
+ * Copyright (C) 2005-2012 Regis Houssin		<regis@dolibarr.fr>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -28,19 +28,19 @@ require("../main.inc.php");
 
 $langs->load("companies");
 
-$sortfield=isset($_GET["sortfield"])?$_GET["sortfield"]:$_POST["sortfield"];
-$sortorder=isset($_GET["sortorder"])?$_GET["sortorder"]:$_POST["sortorder"];
-$page=$_GET["page"];
+$sortfield=GETPOST('sortfield', 'alpha');
+$sortorder=GETPOST('sortorder', 'alpha');
+$page=GETPOST('page', 'int');
 if (! $sortorder) $sortorder="ASC";
 if (! $sortfield) $sortfield="p.name";
-if ($page < 0) { $page = 0 ; }
+if ($page < 0) { $page = 0; }
 $limit = $conf->liste_limit;
 $offset = $limit * $page ;
 
 $type=$_GET["type"];
 
 // Security check
-$socid = isset($_GET["socid"])?$_GET["socid"]:'';
+$socid = GETPOST('socid');
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'societe',$socid,'');
 
@@ -75,12 +75,12 @@ if ($type == "f")
 $sql = "SELECT s.rowid, s.nom,  st.libelle as stcomm";
 $sql.= ", p.rowid as cidp, p.name, p.firstname, p.email, p.phone";
 $sql.= " FROM ".MAIN_DB_PREFIX."c_stcomm as st,";
-if (!$user->rights->societe->client->voir && !$socid) $sql .= " ".MAIN_DB_PREFIX."societe_commerciaux as sc,";
+if (! $user->rights->societe->client->voir && ! $socid) $sql .= " ".MAIN_DB_PREFIX."societe_commerciaux as sc,";
 $sql.= " ".MAIN_DB_PREFIX."socpeople as p";
 $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = p.fk_soc";
 $sql.= " WHERE s.fk_stcomm = st.id";
-$sql.= " AND p.entity = ".$conf->entity;
-if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
+$sql.= " AND p.entity IN (".getEntity('societe', 1).")";
+if (! $user->rights->societe->client->voir && ! $socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
 if ($type == "c") $sql.= " AND s.client IN (1, 3)";
 if ($type == "p") $sql.= " AND s.client IN (2, 3)";
 if ($type == "f") $sql.= " AND s.fournisseur = 1";
@@ -93,27 +93,27 @@ if (dol_strlen($stcomm))
 
 if (dol_strlen($begin)) // filtre sur la premiere lettre du nom
 {
-  $sql.= " AND upper(p.name) like '$begin%'";
+  $sql.= " AND upper(p.name) LIKE '".$begin."%'";
 }
 
 if (trim($_GET["search_nom"]))
 {
-  $sql.= " AND p.name like '%".trim($_GET["search_nom"])."%'";
+  $sql.= " AND p.name LIKE '%".trim($_GET["search_nom"])."%'";
 }
 
 if (trim($_GET["search_prenom"]))
 {
-  $sql.= " AND p.firstname like '%".trim($_GET["search_prenom"])."%'";
+  $sql.= " AND p.firstname LIKE '%".trim($_GET["search_prenom"])."%'";
 }
 
 if (trim($_GET["search_societe"]))
 {
-  $sql.= " AND s.nom like '%".trim($_GET["search_societe"])."%'";
+  $sql.= " AND s.nom LIKE '%".trim($_GET["search_societe"])."%'";
 }
 
 if ($_GET["contactname"]) // acces a partir du module de recherche
 {
-  $sql.= " AND ( p.name like '%".strtolower($_GET["contactname"])."%' OR lower(p.firstname) like '%".strtolower($_GET["contactname"])."%') ";
+  $sql.= " AND (p.name LIKE '%".strtolower($_GET["contactname"])."%' OR lower(p.firstname) LIKE '%".strtolower($_GET["contactname"])."%') ";
   $sortfield = "p.name";
   $sortorder = "ASC";
 }
@@ -178,7 +178,8 @@ else
     dol_print_error($db);
 }
 
+llxFooter();
+
 $db->close();
 
-llxFooter();
 ?>

htdocs/comm/propal/contact.php

 <?php
 /* Copyright (C) 2005      Patrick Rouillon     <patrick@rouillon.net>
  * Copyright (C) 2005-2009 Destailleur Laurent  <eldy@users.sourceforge.net>
+ * Copyright (C) 2005-2012 Regis Houssin		<regis@dolibarr.fr>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -33,12 +34,10 @@ $langs->load("orders");
 $langs->load("sendings");
 $langs->load("companies");
 
-$id=GETPOST('id');
-$ligne=GETPOST('ligne');
-$lineid=GETPOST('lineid');
-$action=GETPOST('action');
-
-$id = isset($id)?$id:'';
+$id=GETPOST('id', 'int');
+$ref= GETPOST('ref', 'alpha');
+$lineid=GETPOST('lineid', 'int');
+$action=GETPOST('action', 'alpha');
 
 // Security check
 if ($user->societe_id) $socid=$user->societe_id;
@@ -49,7 +48,7 @@ $result = restrictedArea($user, 'propale', $id, 'propal');
  * Ajout d'un nouveau contact
  */
 
-if ($_POST["action"] == 'addcontact' && $user->rights->propale->creer)
+if ($action == 'addcontact' && $user->rights->propale->creer)
 {
 
 	$result = 0;
@@ -63,7 +62,7 @@ if ($_POST["action"] == 'addcontact' && $user->rights->propale->creer)
 
 	if ($result >= 0)
 	{
-		Header("Location: contact.php?id=".$propal->id);
+		Header("Location: ".$_SERVER['PHP_SELF']."?id=".$propal->id);
 		exit;
 	}
 	else
@@ -103,10 +102,11 @@ if ($action == 'deleteline' && $user->rights->propale->creer)
 
 	if ($result >= 0)
 	{
-		Header("Location: contact.php?id=".$propal->id);
+		Header("Location: ".$_SERVER['PHP_SELF']."?id=".$propal->id);
 		exit;
 	}
-	else {
+	else
+	{
 		dol_print_error($db);
 	}
 }
@@ -131,27 +131,23 @@ $userstatic=new User($db);
 /* *************************************************************************** */
 dol_htmloutput_mesg($mesg);
 
-$id = $id;
-$ref= GETPOST('ref');
 if ($id > 0 || ! empty($ref))
 {
 	$propal = New Propal($db);
-	if ( $propal->fetch($id,$ref) > 0)
+	if ($propal->fetch($id,$ref) > 0)
 	{
 		$soc = new Societe($db);
 		$soc->fetch($propal->socid);
 
-
 		$head = propal_prepare_head($propal);
 		dol_fiche_head($head, 'contact', $langs->trans("Proposal"), 0, 'propal');
 
-
 		/*
-		*   Propal synthese pour rappel
-		*/
+		 * Propal synthese pour rappel
+		 */
 		print '<table class="border" width="100%">';
 
-		$linkback="<a href=\"".DOL_URL_ROOT.'/comm/propal.php'."?page=$page&socid=$socid&viewstatut=$viewstatut&sortfield=$sortfield&$sortorder\">".$langs->trans("BackToList")."</a>";
+		$linkback='<a href="'.DOL_URL_ROOT.'/comm/propal.php?page='.$page.'&socid='.$socid.'&viewstatut='.$viewstatut.'&sortfield='.$sortfield.'&sortorder='.$sortorder.'">'.$langs->trans("BackToList").'</a>';
 
 		// Ref
 		print '<tr><td width="25%">'.$langs->trans('Ref').'</td><td colspan="3">';
@@ -179,17 +175,15 @@ if ($id > 0 || ! empty($ref))
 
 		print '</div>';
 
-
-
 		/*
-		* Lignes de contacts
-		*/
-		echo '<br><table class="noborder" width="100%">';
+		 * Lignes de contacts
+		 */
+		print '<br><table class="noborder" width="100%">';
 
 		/*
-		* Ajouter une ligne de contact
-		* Non affiche en mode modification de ligne
-		*/
+		 * Ajouter une ligne de contact
+		 * Non affiche en mode modification de ligne
+		 */
 		if ($action != 'editline' && $user->rights->propale->creer)
 		{
 			print '<tr class="liste_titre">';
@@ -351,7 +345,7 @@ if ($id > 0 || ! empty($ref))
 				if ($user->rights->propale->creer)
 				{
 					print '&nbsp;';
-					print '<a href="contact.php?id='.$propal->id.'&amp;action=deleteline&amp;lineid='.$tab[$i]['rowid'].'">';
+					print '<a href="'.$_SERVER["PHP_SELF"].'?id='.$propal->id.'&amp;action=deleteline&amp;lineid='.$tab[$i]['rowid'].'">';
 					print img_delete();
 					print '</a>';
 				}
@@ -370,7 +364,8 @@ if ($id > 0 || ! empty($ref))
 	}
 }
 
+llxFooter();
+
 $db->close();
 
-llxFooter();
 ?>
\ No newline at end of file

htdocs/core/class/html.formcompany.class.php

@@ -516,20 +516,19 @@ class FormCompany
 		// On recherche les societes
 		$sql = "SELECT s.rowid, s.nom FROM";
 		$sql.= " ".MAIN_DB_PREFIX."societe as s";
-		if ($selected && $conf->use_javascript_ajax && $conf->global->COMPANY_USE_SEARCH_TO_SELECT) $sql.= " WHERE rowid = ".$selected;
+		$sql.= " WHERE s.entity IN (".getEntity('societe', 1).")";
+		if ($selected && $conf->use_javascript_ajax && $conf->global->COMPANY_USE_SEARCH_TO_SELECT) $sql.= " AND rowid = ".$selected;
 		else
 		{
 			// For ajax search we limit here. For combo list, we limit later
 			if ($conf->use_javascript_ajax && $conf->global->COMPANY_USE_SEARCH_TO_SELECT
 			&& is_array($limitto) && count($limitto))
 			{
-				$sql.= " WHERE rowid IN (".join(',',$limitto).")";
+				$sql.= " AND rowid IN (".join(',',$limitto).")";
 			}
 		}
-		$sql.= " AND s.entity IN (".getEntity('societe', 1).")";
 		$sql.= " ORDER BY nom ASC";
-
-		//print $sql;
+		
 		$resql = $this->db->query($sql);
 		if ($resql)
 		{