From 419c15ee8efd6b7554ff084c3e4f5acb3c62f324 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Fri, 12 May 2017 15:28:10 +0200
Subject: [PATCH] Fix escaping class

---
 htdocs/adherents/class/adherent.class.php     | 10 +++----
 htdocs/comm/propal/class/propal.class.php     |  8 +++---
 htdocs/commande/class/commande.class.php      |  6 ++---
 htdocs/compta/bank/class/account.class.php    | 26 +++++++++----------
 htdocs/compta/facture/class/facture.class.php | 10 +++----
 .../compta/localtax/class/localtax.class.php  |  8 +++---
 .../cheque/class/remisecheque.class.php       |  2 +-
 .../salaries/class/paymentsalary.class.php    | 10 +++----
 .../sociales/class/chargesociales.class.php   |  4 +--
 htdocs/compta/tva/class/tva.class.php         |  8 +++---
 htdocs/contrat/class/contrat.class.php        | 26 +++++++++----------
 htdocs/theme/eldy/style.css.php               |  4 +--
 12 files changed, 61 insertions(+), 61 deletions(-)

diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php
index e12c49732dd..5a4c6ad08a0 100644
--- a/htdocs/adherents/class/adherent.class.php
+++ b/htdocs/adherents/class/adherent.class.php
@@ -433,18 +433,18 @@ class Adherent extends CommonObject
         $sql.= ", town="   .($this->town?"'".$this->db->escape($this->town)."'":"null");
         $sql.= ", country=".($this->country_id>0?"'".$this->country_id."'":"null");
         $sql.= ", state_id=".($this->state_id>0?"'".$this->state_id."'":"null");
-        $sql.= ", email='".$this->email."'";
-        $sql.= ", skype='".$this->skype."'";
+        $sql.= ", email='".$this->db->escape($this->email)."'";
+        $sql.= ", skype='".$this->db->escape($this->skype)."'";
         $sql.= ", phone="   .($this->phone?"'".$this->db->escape($this->phone)."'":"null");
         $sql.= ", phone_perso=" .($this->phone_perso?"'".$this->db->escape($this->phone_perso)."'":"null");
         $sql.= ", phone_mobile=" .($this->phone_mobile?"'".$this->db->escape($this->phone_mobile)."'":"null");
         $sql.= ", note_private=" .($this->note_private?"'".$this->db->escape($this->note_private)."'":"null");
         $sql.= ", note_public=" .($this->note_private?"'".$this->db->escape($this->note_public)."'":"null");
         $sql.= ", photo="   .($this->photo?"'".$this->photo."'":"null");
-        $sql.= ", public='".$this->public."'";
+        $sql.= ", public='".$this->db->escape($this->public)."'";
         $sql.= ", statut="  .$this->statut;
         $sql.= ", fk_adherent_type=".$this->typeid;
-        $sql.= ", morphy='".$this->morphy."'";
+        $sql.= ", morphy='".$this->db->escape($this->morphy)."'";
         $sql.= ", birth="   .($this->birth?"'".$this->db->idate($this->birth)."'":"null");
         if ($this->datefin)   $sql.= ", datefin='".$this->db->idate($this->datefin)."'";		// Ne doit etre modifie que par effacement cotisation
         if ($this->datevalid) $sql.= ", datevalid='".$this->db->idate($this->datevalid)."'";	// Ne doit etre modifie que par validation adherent
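Review bot: `photo` on the line `$sql.= ", photo=" .($this->photo?"'".$this->photo."'":"null");` is still concatenated raw inside a quoted literal while the neighbouring string columns in this hunk now go through `$this->db->escape()`; it should become `"'".$this->db->escape($this->photo)."'"`. Two lines further, `statut` and `fk_adherent_type` are appended bare with no cast, so an empty or non-numeric property would produce a malformed or unintended statement; `(int) $this->statut` and `(int) $this->typeid` would pin them to integers. The `note_public` line also tests `$this->note_private` in its guard, which looks like a copy-paste slip and should test `$this->note_public`. The enclosing method starts and ends outside the hunk.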
@@ -643,7 +643,7 @@ class Adherent extends CommonObject
         // Search for last subscription id and end date
         $sql = "SELECT rowid, datec as dateop, dateadh as datedeb, datef as datefin";
         $sql.= " FROM ".MAIN_DB_PREFIX."cotisation";
-        $sql.= " WHERE fk_adherent='".$this->id."'";
+        $sql.= " WHERE fk_adherent=".$this->id;
         $sql.= " ORDER by dateadh DESC";	// Sort by start subscription date
 
         dol_syslog(get_class($this)."::update_end_date", LOG_DEBUG);
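Review bot: Dropping the quotes around `$this->id` on the `fk_adherent=` line is right for an integer column, but without a cast the property is now concatenated as raw SQL: an empty value yields `fk_adherent=` (a syntax error) and a non-integer value is no longer contained inside a quoted literal. Use `$sql.= " WHERE fk_adherent=".((int) $this->id);`. The same pattern appears elsewhere in this commit at commande.class.php (`rowid=".$this->rowid`), localtax.class.php and tva.class.php (`fk_bank`, `fk_user_creat`, `fk_user_modif`), remisecheque.class.php (`rowid=".$this->id.""`, where the trailing `.""` is also a no-op), paymentsalary.class.php (`fk_user`, `fk_user_author`, `fk_user_modif`), chargesociales.class.php (both `DELETE` statements) and contrat.class.php (`fk_contrat`, `statut`); each should take an `(int)` cast. The enclosing method starts outside the hunk.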
diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php
index f272120477f..5dbb8541838 100644
--- a/htdocs/comm/propal/class/propal.class.php
+++ b/htdocs/comm/propal/class/propal.class.php
@@ -911,7 +911,7 @@ class Propal extends CommonObject
             if ($this->id)
             {
                 $this->ref='(PROV'.$this->id.')';
-                $sql = 'UPDATE '.MAIN_DB_PREFIX."propal SET ref='".$this->ref."' WHERE rowid=".$this->id;
+                $sql = 'UPDATE '.MAIN_DB_PREFIX."propal SET ref='".$this->db->escape($this->ref)."' WHERE rowid=".$this->id;
 
                 dol_syslog(get_class($this)."::create", LOG_DEBUG);
                 $resql=$this->db->query($sql);
@@ -3443,14 +3443,14 @@ class PropaleLigne  extends CommonObjectLine
         $sql.= " , tva_tx='".price2num($this->tva_tx)."'";
         $sql.= " , localtax1_tx=".price2num($this->localtax1_tx);
         $sql.= " , localtax2_tx=".price2num($this->localtax2_tx);
-		$sql.= " , localtax1_type='".$this->localtax1_type."'";
-		$sql.= " , localtax2_type='".$this->localtax2_type."'";
+		$sql.= " , localtax1_type='".$this->db->escape($this->localtax1_type)."'";
+		$sql.= " , localtax2_type='".$this->db->escape($this->localtax2_type)."'";
         $sql.= " , qty='".price2num($this->qty)."'";
         $sql.= " , subprice=".price2num($this->subprice)."";
         $sql.= " , remise_percent=".price2num($this->remise_percent)."";
         $sql.= " , price=".price2num($this->price)."";					// TODO A virer
         $sql.= " , remise=".price2num($this->remise)."";				// TODO A virer
-        $sql.= " , info_bits='".$this->info_bits."'";
+        $sql.= " , info_bits='".$this->db->escape($this->info_bits)."'";
         if (empty($this->skip_update_total))
         {
             $sql.= " , total_ht=".price2num($this->total_ht)."";
diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php
index cd97a6295f7..4aee6ae057d 100644
--- a/htdocs/commande/class/commande.class.php
+++ b/htdocs/commande/class/commande.class.php
@@ -3633,7 +3633,7 @@ class OrderLine extends CommonOrderLine
 
 	    $this->db->begin();
 
-        $sql = 'DELETE FROM '.MAIN_DB_PREFIX."commandedet WHERE rowid='".$this->rowid."';";
+        $sql = 'DELETE FROM '.MAIN_DB_PREFIX."commandedet WHERE rowid=".$this->rowid;
 
         dol_syslog("OrderLine::delete", LOG_DEBUG);
         $resql=$this->db->query($sql);
@@ -3874,8 +3874,8 @@ class OrderLine extends CommonOrderLine
 		$sql.= " , tva_tx=".price2num($this->tva_tx);
 		$sql.= " , localtax1_tx=".price2num($this->localtax1_tx);
 		$sql.= " , localtax2_tx=".price2num($this->localtax2_tx);
-		$sql.= " , localtax1_type='".$this->localtax1_type."'";
-		$sql.= " , localtax2_type='".$this->localtax2_type."'";
+		$sql.= " , localtax1_type='".$this->db->escape($this->localtax1_type)."'";
+		$sql.= " , localtax2_type='".$this->db->escape($this->localtax2_type)."'";
 		$sql.= " , qty=".price2num($this->qty);
 		$sql.= " , subprice=".price2num($this->subprice)."";
 		$sql.= " , remise_percent=".price2num($this->remise_percent)."";
diff --git a/htdocs/compta/bank/class/account.class.php b/htdocs/compta/bank/class/account.class.php
index 96661f4074a..01c683285f5 100644
--- a/htdocs/compta/bank/class/account.class.php
+++ b/htdocs/compta/bank/class/account.class.php
@@ -683,17 +683,17 @@ class Account extends CommonObject
 		$sql.= ",accountancy_journal = '".$this->accountancy_journal."'";
 
 		$sql.= ",bank  = '".$this->db->escape($this->bank)."'";
-        $sql.= ",code_banque='".$this->code_banque."'";
-        $sql.= ",code_guichet='".$this->code_guichet."'";
-        $sql.= ",number='".$this->number."'";
-        $sql.= ",cle_rib='".$this->cle_rib."'";
-        $sql.= ",bic='".$this->bic."'";
-        $sql.= ",iban_prefix = '".$this->iban."'";
+        $sql.= ",code_banque='".$this->db->escape($this->code_banque)."'";
+        $sql.= ",code_guichet='".$this->db->escape($this->code_guichet)."'";
+        $sql.= ",number='".$this->db->escape($this->number)."'";
+        $sql.= ",cle_rib='".$this->db->escape($this->cle_rib)."'";
+        $sql.= ",bic='".$this->db->escape($this->bic)."'";
+        $sql.= ",iban_prefix = '".$this->db->escape($this->iban)."'";
         $sql.= ",domiciliation='".$this->db->escape($this->domiciliation)."'";
         $sql.= ",proprio = '".$this->db->escape($this->proprio)."'";
         $sql.= ",owner_address = '".$this->db->escape($this->owner_address)."'";
 
-        $sql.= ",currency_code = '".$this->currency_code."'";
+        $sql.= ",currency_code = '".$this->db->escape($this->currency_code)."'";
 
         $sql.= ",min_allowed = ".($this->min_allowed != '' ? price2num($this->min_allowed) : "null");
         $sql.= ",min_desired = ".($this->min_desired != '' ? price2num($this->min_desired) : "null");
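Review bot: `accountancy_journal` on the first line of the hunk is still interpolated raw into a quoted literal while every neighbouring string column here now goes through `$this->db->escape()`; it should read `$sql.= ",accountancy_journal = '".$this->db->escape($this->accountancy_journal)."'";`. If the update path in this file's second hunk also writes that column, the line is outside the visible hunk and would need the same treatment. The enclosing method starts and ends outside the hunk.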
@@ -767,12 +767,12 @@ class Account extends CommonObject
 
         $sql = "UPDATE ".MAIN_DB_PREFIX."bank_account SET ";
         $sql.= " bank  = '".$this->db->escape($this->bank)."'";
-        $sql.= ",code_banque='".$this->code_banque."'";
-        $sql.= ",code_guichet='".$this->code_guichet."'";
-        $sql.= ",number='".$this->number."'";
-        $sql.= ",cle_rib='".$this->cle_rib."'";
-        $sql.= ",bic='".$this->bic."'";
-        $sql.= ",iban_prefix = '".$this->iban."'";
+        $sql.= ",code_banque='".$this->db->escape($this->code_banque)."'";
+        $sql.= ",code_guichet='".$this->db->escape($this->code_guichet)."'";
+        $sql.= ",number='".$this->db->escape($this->number)."'";
+        $sql.= ",cle_rib='".$this->db->escape($this->cle_rib)."'";
+        $sql.= ",bic='".$this->db->escape($this->bic)."'";
+        $sql.= ",iban_prefix = '".$this->db->escape($this->iban)."'";
         $sql.= ",domiciliation='".$this->db->escape($this->domiciliation)."'";
         $sql.= ",proprio = '".$this->db->escape($this->proprio)."'";
         $sql.= ",owner_address = '".$this->db->escape($this->owner_address)."'";
diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php
index ba834856fab..a1364702d52 100644
--- a/htdocs/compta/facture/class/facture.class.php
+++ b/htdocs/compta/facture/class/facture.class.php
@@ -392,7 +392,7 @@ class Facture extends CommonInvoice
 
 			// Update ref with new one
 			$this->ref='(PROV'.$this->id.')';
-			$sql = 'UPDATE '.MAIN_DB_PREFIX."facture SET facnumber='".$this->ref."' WHERE rowid=".$this->id;
+			$sql = 'UPDATE '.MAIN_DB_PREFIX."facture SET facnumber='".$this->db->escape($this->ref)."' WHERE rowid=".$this->id;
 
 			dol_syslog(get_class($this)."::create", LOG_DEBUG);
 			$resql=$this->db->query($sql);
@@ -4375,14 +4375,14 @@ class FactureLigne extends CommonInvoiceLine
         $sql.= ",tva_tx=".price2num($this->tva_tx)."";
         $sql.= ",localtax1_tx=".price2num($this->localtax1_tx)."";
         $sql.= ",localtax2_tx=".price2num($this->localtax2_tx)."";
-		$sql.= ",localtax1_type='".$this->localtax1_type."'";
-		$sql.= ",localtax2_type='".$this->localtax2_type."'";
+		$sql.= ",localtax1_type='".$this->db->escape($this->localtax1_type)."'";
+		$sql.= ",localtax2_type='".$this->db->escape($this->localtax2_type)."'";
         $sql.= ",qty=".price2num($this->qty)."";
         $sql.= ",date_start=".(! empty($this->date_start)?"'".$this->db->idate($this->date_start)."'":"null");
         $sql.= ",date_end=".(! empty($this->date_end)?"'".$this->db->idate($this->date_end)."'":"null");
         $sql.= ",product_type=".$this->product_type;
-        $sql.= ",info_bits='".$this->info_bits."'";
-        $sql.= ",special_code='".$this->special_code."'";
+        $sql.= ",info_bits='".$this->db->escape($this->info_bits)."'";
+        $sql.= ",special_code='".$this->db->escape($this->special_code)."'";
         if (empty($this->skip_update_total))
         {
         	$sql.= ",total_ht=".price2num($this->total_ht)."";
diff --git a/htdocs/compta/localtax/class/localtax.class.php b/htdocs/compta/localtax/class/localtax.class.php
index 067c8dc9cbe..e59b2c6ce2b 100644
--- a/htdocs/compta/localtax/class/localtax.class.php
+++ b/htdocs/compta/localtax/class/localtax.class.php
@@ -154,12 +154,12 @@ class Localtax extends CommonObject
 		$sql.= " tms=".$this->db->idate($this->tms).",";
 		$sql.= " datep=".$this->db->idate($this->datep).",";
 		$sql.= " datev=".$this->db->idate($this->datev).",";
-		$sql.= " amount='".$this->amount."',";
+		$sql.= " amount=".price2num($this->amount).",";
 		$sql.= " label='".$this->db->escape($this->label)."',";
 		$sql.= " note='".$this->db->escape($this->note)."',";
-		$sql.= " fk_bank='".$this->fk_bank."',";
-		$sql.= " fk_user_creat='".$this->fk_user_creat."',";
-		$sql.= " fk_user_modif='".$this->fk_user_modif."'";
+		$sql.= " fk_bank=".$this->fk_bank.",";
+		$sql.= " fk_user_creat=".$this->fk_user_creat.",";
+		$sql.= " fk_user_modif=".$this->fk_user_modif;
         $sql.= " WHERE rowid=".$this->id;
 
         dol_syslog(get_class($this)."::update", LOG_DEBUG);
diff --git a/htdocs/compta/paiement/cheque/class/remisecheque.class.php b/htdocs/compta/paiement/cheque/class/remisecheque.class.php
index 6ab43a277c0..0d327e2832f 100644
--- a/htdocs/compta/paiement/cheque/class/remisecheque.class.php
+++ b/htdocs/compta/paiement/cheque/class/remisecheque.class.php
@@ -177,7 +177,7 @@ class RemiseCheque extends CommonObject
 			{
 				$sql = "UPDATE ".MAIN_DB_PREFIX."bordereau_cheque";
 				$sql.= " SET ref='(PROV".$this->id.")'";
-				$sql.= " WHERE rowid='".$this->id."';";
+				$sql.= " WHERE rowid=".$this->id."";
 
 				dol_syslog("RemiseCheque::Create", LOG_DEBUG);
 				$resql = $this->db->query($sql);
diff --git a/htdocs/compta/salaries/class/paymentsalary.class.php b/htdocs/compta/salaries/class/paymentsalary.class.php
index a4bee09d7de..871a938a9c9 100644
--- a/htdocs/compta/salaries/class/paymentsalary.class.php
+++ b/htdocs/compta/salaries/class/paymentsalary.class.php
@@ -97,19 +97,19 @@ class PaymentSalary extends CommonObject
 		$sql = "UPDATE ".MAIN_DB_PREFIX."payment_salary SET";
 
 		$sql.= " tms=".$this->db->idate($this->tms).",";
-		$sql.= " fk_user='".$this->fk_user."',";
+		$sql.= " fk_user=".$this->fk_user.",";
 		$sql.= " datep=".$this->db->idate($this->datep).",";
 		$sql.= " datev=".$this->db->idate($this->datev).",";
-		$sql.= " amount='".$this->amount."',";
+		$sql.= " amount=".price2num($this->amount).",";
 		$sql.= " fk_typepayment=".$this->fk_typepayment."',";
-		$sql.= " num_payment='".$this->num_payment."',";
+		$sql.= " num_payment='".$this->db->escape($this->num_payment)."',";
 		$sql.= " label='".$this->db->escape($this->label)."',";
 		$sql.= " datesp=".$this->db->idate($this->datesp).",";
 		$sql.= " dateep=".$this->db->idate($this->dateep).",";
 		$sql.= " note='".$this->db->escape($this->note)."',";
 		$sql.= " fk_bank=".($this->fk_bank > 0 ? "'".$this->fk_bank."'":"null").",";
-		$sql.= " fk_user_author='".$this->fk_user_author."',";
-		$sql.= " fk_user_modif='".$this->fk_user_modif."'";
+		$sql.= " fk_user_author=".$this->fk_user_author.",";
+		$sql.= " fk_user_modif=".$this->fk_user_modif;
 
 		$sql.= " WHERE rowid=".$this->id;
 
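Review bot: The untouched `fk_typepayment` line between the changed `amount` and `num_payment` lines emits `fk_typepayment=<value>',` — the closing quote was kept after the opening one was dropped, so the generated UPDATE carries an unbalanced quote. It should be `$sql.= " fk_typepayment=".((int) $this->fk_typepayment).",";`, matching the integer style this hunk adopts for `fk_user`. Separately, `amount=".price2num($this->amount).","` will produce `amount=,` if price2num returns an empty string for an unset amount (the localtax and tva hunks have the same shape); the `fk_bank` line two below shows the null-fallback form that would avoid it. The enclosing method starts and ends outside the hunk.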
diff --git a/htdocs/compta/sociales/class/chargesociales.class.php b/htdocs/compta/sociales/class/chargesociales.class.php
index e5653ba2ee3..da79bbffb75 100644
--- a/htdocs/compta/sociales/class/chargesociales.class.php
+++ b/htdocs/compta/sociales/class/chargesociales.class.php
@@ -216,7 +216,7 @@ class ChargeSociales extends CommonObject
         // Delete payments
         if (! $error)
         {
-            $sql = "DELETE FROM ".MAIN_DB_PREFIX."paiementcharge where fk_charge='".$this->id."'";
+            $sql = "DELETE FROM ".MAIN_DB_PREFIX."paiementcharge where fk_charge=".$this->id;
             dol_syslog(get_class($this)."::delete", LOG_DEBUG);
             $resql=$this->db->query($sql);
             if (! $resql)
@@ -228,7 +228,7 @@ class ChargeSociales extends CommonObject
 
         if (! $error)
         {
-            $sql = "DELETE FROM ".MAIN_DB_PREFIX."chargesociales where rowid='".$this->id."'";
+            $sql = "DELETE FROM ".MAIN_DB_PREFIX."chargesociales where rowid=".$this->id;
             dol_syslog(get_class($this)."::delete", LOG_DEBUG);
             $resql=$this->db->query($sql);
             if (! $resql)
diff --git a/htdocs/compta/tva/class/tva.class.php b/htdocs/compta/tva/class/tva.class.php
index eb4ee3a2408..d7ba51d6dc8 100644
--- a/htdocs/compta/tva/class/tva.class.php
+++ b/htdocs/compta/tva/class/tva.class.php
@@ -175,12 +175,12 @@ class Tva extends CommonObject
 		$sql.= " tms=".$this->db->idate($this->tms).",";
 		$sql.= " datep=".$this->db->idate($this->datep).",";
 		$sql.= " datev=".$this->db->idate($this->datev).",";
-		$sql.= " amount='".$this->amount."',";
+		$sql.= " amount=".price2num($this->amount).",";
 		$sql.= " label='".$this->db->escape($this->label)."',";
 		$sql.= " note='".$this->db->escape($this->note)."',";
-		$sql.= " fk_bank='".$this->fk_bank."',";
-		$sql.= " fk_user_creat='".$this->fk_user_creat."',";
-		$sql.= " fk_user_modif='".$this->fk_user_modif."'";
+		$sql.= " fk_bank=".$this->fk_bank.",";
+		$sql.= " fk_user_creat=".$this->fk_user_creat.",";
+		$sql.= " fk_user_modif=".$this->fk_user_modif."";
 
 
         $sql.= " WHERE rowid=".$this->id;
diff --git a/htdocs/contrat/class/contrat.class.php b/htdocs/contrat/class/contrat.class.php
index 6ad972a11eb..d9addfff113 100644
--- a/htdocs/contrat/class/contrat.class.php
+++ b/htdocs/contrat/class/contrat.class.php
@@ -2606,9 +2606,9 @@ class ContratLigne extends CommonObjectLine
 
 		// Update request
 		$sql = "UPDATE ".MAIN_DB_PREFIX."contratdet SET";
-		$sql.= " fk_contrat='".$this->fk_contrat."',";
+		$sql.= " fk_contrat=".$this->fk_contrat.",";
 		$sql.= " fk_product=".($this->fk_product?"'".$this->fk_product."'":'null').",";
-		$sql.= " statut='".$this->statut."',";
+		$sql.= " statut=".$this->statut.",";
 		$sql.= " label='".$this->db->escape($this->label)."',";
 		$sql.= " description='".$this->db->escape($this->description)."',";
 		$sql.= " date_commande=".($this->date_commande!=''?"'".$this->db->idate($this->date_commande)."'":"null").",";
@@ -2616,23 +2616,23 @@ class ContratLigne extends CommonObjectLine
 		$sql.= " date_ouverture=".($this->date_ouverture!=''?"'".$this->db->idate($this->date_ouverture)."'":"null").",";
 		$sql.= " date_fin_validite=".($this->date_fin_validite!=''?"'".$this->db->idate($this->date_fin_validite)."'":"null").",";
 		$sql.= " date_cloture=".($this->date_cloture!=''?"'".$this->db->idate($this->date_cloture)."'":"null").",";
-		$sql.= " tva_tx='".$this->tva_tx."',";
-		$sql.= " localtax1_tx='".$this->localtax1_tx."',";
-		$sql.= " localtax2_tx='".$this->localtax2_tx."',";
-		$sql.= " qty='".$this->qty."',";
-		$sql.= " remise_percent='".$this->remise_percent."',";
+		$sql.= " tva_tx=".$this->tva_tx.",";
+		$sql.= " localtax1_tx=".$this->localtax1_tx.",";
+		$sql.= " localtax2_tx=".$this->localtax2_tx.",";
+		$sql.= " qty=".$this->qty.",";
+		$sql.= " remise_percent=".$this->remise_percent.",";
 		$sql.= " remise=".($this->remise?"'".$this->remise."'":"null").",";
 		$sql.= " fk_remise_except=".($this->fk_remise_except?"'".$this->fk_remise_except."'":"null").",";
 		$sql.= " subprice=".($this->subprice != '' ? $this->subprice : "null").",";
 		$sql.= " price_ht=".($this->price_ht != '' ? $this->price_ht : "null").",";
-		$sql.= " total_ht='".$this->total_ht."',";
-		$sql.= " total_tva='".$this->total_tva."',";
-		$sql.= " total_localtax1='".$this->total_localtax1."',";
-		$sql.= " total_localtax2='".$this->total_localtax2."',";
-		$sql.= " total_ttc='".$this->total_ttc."',";
+		$sql.= " total_ht=".$this->total_ht.",";
+		$sql.= " total_tva=".$this->total_tva.",";
+		$sql.= " total_localtax1=".$this->total_localtax1.",";
+		$sql.= " total_localtax2=".$this->total_localtax2.",";
+		$sql.= " total_ttc=".$this->total_ttc.",";
 		$sql.= " fk_product_fournisseur_price=".(!empty($this->fk_fournprice)?$this->fk_fournprice:"NULL").",";
 		$sql.= " buy_price_ht='".price2num($this->pa_ht)."',";
-		$sql.= " info_bits='".$this->info_bits."',";
+		$sql.= " info_bits='".$this->db->escape($this->info_bits)."',";
 		$sql.= " fk_user_author=".($this->fk_user_author >= 0?$this->fk_user_author:"NULL").",";
 		$sql.= " fk_user_ouverture=".($this->fk_user_ouverture > 0?$this->fk_user_ouverture:"NULL").",";
 		$sql.= " fk_user_cloture=".($this->fk_user_cloture > 0?$this->fk_user_cloture:"NULL").",";
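Review bot: The numeric columns rewritten without quotes in this hunk (`tva_tx`, `localtax1_tx`, `localtax2_tx`, `qty`, `remise_percent`, and `total_ht` through `total_ttc`) are concatenated bare, while `buy_price_ht` two lines below and the propal, commande and facture line classes in this same commit normalise such values through `price2num()`. An empty property now yields `qty=,` (a syntax error) and a value not already in SQL numeric form lands unquoted in the statement; `$sql.= " qty=".price2num($this->qty).",";` and the same form for the other numeric lines would keep the statement well-formed. The enclosing method starts and ends outside the hunk.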
diff --git a/htdocs/theme/eldy/style.css.php b/htdocs/theme/eldy/style.css.php
index d03ff95a50f..fef5f3d1e64 100644
--- a/htdocs/theme/eldy/style.css.php
+++ b/htdocs/theme/eldy/style.css.php
@@ -53,8 +53,8 @@ else header('Cache-Control: no-cache');
 // On the fly GZIP compression for all pages (if browser support it). Must set the bit 3 of constant to 1.
 if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x04)) { ob_start("ob_gzhandler"); }
 
-if (GETPOST('lang')) $langs->setDefaultLang(GETPOST('lang'));	// If language was forced on URL
-if (GETPOST('theme')) $conf->theme=GETPOST('theme');  // If theme was forced on URL
+if (GETPOST('lang')) $langs->setDefaultLang(GETPOST('lang', 'alpha'));	// If language was forced on URL
+if (GETPOST('theme')) $conf->theme=GETPOST('theme', 'alpha');  // If theme was forced on URL
 $langs->load("main",0,1);
 $right=($langs->trans("DIRECTION")=='rtl'?'left':'right');
 $left=($langs->trans("DIRECTION")=='rtl'?'right':'left');
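Review bot: The `if (GETPOST('lang'))` and `if (GETPOST('theme'))` guards still read the unfiltered parameter while only the assignment applies the `'alpha'` filter, so the two reads can disagree: a value that is non-empty but reduced to empty by the filter passes the guard and assigns an empty string. Read once with the filter and test that: `$lang = GETPOST('lang', 'alpha'); if ($lang) $langs->setDefaultLang($lang);` and likewise `$theme = GETPOST('theme', 'alpha'); if ($theme) $conf->theme = $theme;`. Whether `'alpha'` is a sufficient restriction for how `$conf->theme` is used later in this file cannot be judged from the hunk.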
-- 
GitLab