diff --git a/htdocs/comm/askpricesupplier/class/askpricesupplier.class.php b/htdocs/comm/askpricesupplier/class/askpricesupplier.class.php
index 2854a0a0d4b4806dc60bdff2d49eaf08f485f9ef..bee62cb384dd680f52d32be56192cfe873cb5cbc 100644
--- a/htdocs/comm/askpricesupplier/class/askpricesupplier.class.php
+++ b/htdocs/comm/askpricesupplier/class/askpricesupplier.class.php
@@ -757,8 +757,8 @@ class AskPriceSupplier extends CommonObject
$sql.= $this->socid;
$sql.= ", 0";
$sql.= ", ".$this->remise;
- $sql.= ", ".($this->remise_percent?$this->remise_percent:'null');
- $sql.= ", ".($this->remise_absolue?$this->remise_absolue:'null');
+ $sql.= ", ".($this->remise_percent?$this->db->escape($this->remise_percent):'null');
+ $sql.= ", ".($this->remise_absolue?$this->db->escape($this->remise_absolue):'null');
$sql.= ", 0";
$sql.= ", 0";
$sql.= ", '".$this->db->idate($now)."'";
@@ -766,7 +766,7 @@ class AskPriceSupplier extends CommonObject
$sql.= ", ".($user->id > 0 ? "'".$user->id."'":"null");
$sql.= ", '".$this->db->escape($this->note_private)."'";
$sql.= ", '".$this->db->escape($this->note_public)."'";
- $sql.= ", '".$this->modelpdf."'";
+ $sql.= ", '".$this->db->escape($this->modelpdf)."'";
$sql.= ", ".$this->cond_reglement_id;
$sql.= ", ".$this->mode_reglement_id;
$sql.= ", ".($this->fk_account>0?$this->fk_account:'NULL');
diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php
index 77c4e5c6f76435b9223af605471d4e9598351504..421b2506e7388ffc82cb8d126062c4a39146cb98 100644
--- a/htdocs/comm/propal/class/propal.class.php
+++ b/htdocs/comm/propal/class/propal.class.php
@@ -858,8 +858,8 @@ class Propal extends CommonObject
$sql.= $this->socid;
$sql.= ", 0";
$sql.= ", ".$this->remise;
- $sql.= ", ".($this->remise_percent?$this->remise_percent:'null');
- $sql.= ", ".($this->remise_absolue?$this->remise_absolue:'null');
+ $sql.= ", ".($this->remise_percent?$this->db->escape($this->remise_percent):'null');
+ $sql.= ", ".($this->remise_absolue?$this->db->escape($this->remise_absolue):'null');
$sql.= ", 0";
$sql.= ", 0";
$sql.= ", '".$this->db->idate($this->date)."'";
@@ -868,7 +868,7 @@ class Propal extends CommonObject
$sql.= ", ".($user->id > 0 ? "'".$user->id."'":"null");
$sql.= ", '".$this->db->escape($this->note_private)."'";
$sql.= ", '".$this->db->escape($this->note_public)."'";
- $sql.= ", '".$this->modelpdf."'";
+ $sql.= ", '".$this->db->escape($this->modelpdf)."'";
$sql.= ", ".($this->fin_validite!=''?"'".$this->db->idate($this->fin_validite)."'":"null");
$sql.= ", ".$this->cond_reglement_id;
$sql.= ", ".$this->mode_reglement_id;
diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php
index d6d93c17bd8eb8bc6ceeea5e3f9eb488f8abf2f2..32fe2d52726a3f920da6778f9123a44a3ca0dc02 100644
--- a/htdocs/commande/class/commande.class.php
+++ b/htdocs/commande/class/commande.class.php
@@ -745,13 +745,13 @@ class Commande extends CommonOrder
$sql.= " VALUES ('(PROV)',".$this->socid.", '".$this->db->idate($now)."', ".$user->id;
$sql.= ", ".($this->fk_project>0?$this->fk_project:"null");
$sql.= ", '".$this->db->idate($date)."'";
- $sql.= ", ".($this->source>=0 && $this->source != '' ?$this->source:'null');
+ $sql.= ", ".($this->source>=0 && $this->source != '' ?$this->db->escape($this->source):'null');
$sql.= ", '".$this->db->escape($this->note_private)."'";
$sql.= ", '".$this->db->escape($this->note_public)."'";
$sql.= ", ".($this->ref_ext?"'".$this->db->escape($this->ref_ext)."'":"null");
$sql.= ", ".($this->ref_client?"'".$this->db->escape($this->ref_client)."'":"null");
$sql.= ", ".($this->ref_int?"'".$this->db->escape($this->ref_int)."'":"null");
- $sql.= ", '".$this->modelpdf."'";
+ $sql.= ", '".$this->db->escape($this->modelpdf)."'";
$sql.= ", ".($this->cond_reglement_id>0?"'".$this->cond_reglement_id."'":"null");
$sql.= ", ".($this->mode_reglement_id>0?"'".$this->mode_reglement_id."'":"null");
$sql.= ", ".($this->fk_account>0?$this->fk_account:'NULL');
@@ -760,8 +760,8 @@ class Commande extends CommonOrder
$sql.= ", ".($this->date_livraison?"'".$this->db->idate($this->date_livraison)."'":"null");
$sql.= ", ".($this->fk_delivery_address>0?$this->fk_delivery_address:'NULL');
$sql.= ", ".($this->shipping_method_id>0?$this->shipping_method_id:'NULL');
- $sql.= ", ".($this->remise_absolue>0?$this->remise_absolue:'NULL');
- $sql.= ", ".($this->remise_percent>0?$this->remise_percent:0);
+ $sql.= ", ".($this->remise_absolue>0?$this->db->escape($this->remise_absolue):'NULL');
+ $sql.= ", ".($this->remise_percent>0?$this->db->escape($this->remise_percent):0);
$sql.= ", ".(int) $this->fk_incoterms;
$sql.= ", '".$this->db->escape($this->location_incoterms)."'";
$sql.= ", ".$conf->entity;
diff --git a/htdocs/compta/facture/class/facture.class.php b/htdocs/compta/facture/class/facture.class.php
index 98afb750fd680c640c36ebc1836501354e3a7a9b..73da2cfce2f90096d83137babe37821661ce82c3 100644
--- a/htdocs/compta/facture/class/facture.class.php
+++ b/htdocs/compta/facture/class/facture.class.php
@@ -332,7 +332,7 @@ class Facture extends CommonInvoice
$sql.= "'(PROV)'";
$sql.= ", ".$conf->entity;
$sql.= ", ".($this->ref_ext?"'".$this->db->escape($this->ref_ext)."'":"null");
- $sql.= ", '".$this->type."'";
+ $sql.= ", '".$this->db->escape($this->type)."'";
$sql.= ", '".$socid."'";
$sql.= ", '".$this->db->idate($now)."'";
$sql.= ", ".($this->remise_absolue>0?$this->remise_absolue:'NULL');
@@ -348,7 +348,7 @@ class Facture extends CommonInvoice
$sql.= ", ".($this->fk_project?$this->fk_project:"null");
$sql.= ", ".$this->cond_reglement_id;
$sql.= ", ".$this->mode_reglement_id;
- $sql.= ", '".$this->db->idate($datelim)."', '".$this->modelpdf."'";
+ $sql.= ", '".$this->db->idate($datelim)."', '".$this->db->escape($this->modelpdf)."'";
$sql.= ", ".($this->situation_cycle_ref?"'".$this->db->escape($this->situation_cycle_ref)."'":"null");
$sql.= ", ".($this->situation_counter?"'".$this->db->escape($this->situation_counter)."'":"null");
$sql.= ", ".($this->situation_final?$this->situation_final:0);
diff --git a/htdocs/contact/class/contact.class.php b/htdocs/contact/class/contact.class.php
index dc3c7fc36405f295c94007c11836cb150e58df9c..f3c0b9bd3f5ff4011b3a53b3c863105752f74f34 100644
--- a/htdocs/contact/class/contact.class.php
+++ b/htdocs/contact/class/contact.class.php
@@ -168,9 +168,9 @@ class Contact extends CommonObject
$sql.= " ".($user->id > 0 ? "'".$user->id."'":"null").",";
$sql.= " ".$this->priv.",";
$sql.= " ".$this->statut.",";
- $sql.= " ".(! empty($this->canvas)?"'".$this->canvas."'":"null").",";
+ $sql.= " ".(! empty($this->canvas)?"'".$this->db->escape($this->canvas)."'":"null").",";
$sql.= " ".$conf->entity.",";
- $sql.= "'".$this->db->escape($this->ref_ext)."',";
+ $sql.= "'".$this->db->escape($this->ref_ext)."',";
$sql.= " ".(! empty($this->import_key)?"'".$this->import_key."'":"null");
$sql.= ")";
diff --git a/htdocs/fichinter/class/fichinter.class.php b/htdocs/fichinter/class/fichinter.class.php
index 5e88cc94243cea0d7e612765c352e7f434469ed9..d0bcee286d0a127194809f4c05d98c1144361953 100644
--- a/htdocs/fichinter/class/fichinter.class.php
+++ b/htdocs/fichinter/class/fichinter.class.php
@@ -149,11 +149,11 @@ class Fichinter extends CommonObject
$sql.= " VALUES (";
$sql.= $this->socid;
$sql.= ", '".$this->db->idate($now)."'";
- $sql.= ", '".$this->ref."'";
+ $sql.= ", '".$this->db->escape($this->ref)."'";
$sql.= ", ".$conf->entity;
$sql.= ", ".$user->id;
$sql.= ", ".($this->description?"'".$this->db->escape($this->description)."'":"null");
- $sql.= ", '".$this->modelpdf."'";
+ $sql.= ", '".$this->db->escape($this->modelpdf)."'";
$sql.= ", ".($this->fk_project ? $this->fk_project : 0);
$sql.= ", ".($this->fk_contrat ? $this->fk_contrat : 0);
$sql.= ", ".$this->statut;
diff --git a/htdocs/fourn/class/fournisseur.commande.class.php b/htdocs/fourn/class/fournisseur.commande.class.php
index 5e207f0b4b613de1ed4ff5d62f20b713beaa1622..233c0510b3a19cebe334c1605f9fcdfdb73bebd1 100644
--- a/htdocs/fourn/class/fournisseur.commande.class.php
+++ b/htdocs/fourn/class/fournisseur.commande.class.php
@@ -1002,7 +1002,7 @@ class CommandeFournisseur extends CommonOrder
$sql.= ") ";
$sql.= " VALUES (";
$sql.= "''";
- $sql.= ", '".$this->ref_supplier."'";
+ $sql.= ", '".$this->db->escape($this->ref_supplier)."'";
$sql.= ", '".$this->db->escape($this->note_private)."'";
$sql.= ", '".$this->db->escape($this->note_public)."'";
$sql.= ", ".$conf->entity;
@@ -1011,7 +1011,7 @@ class CommandeFournisseur extends CommonOrder
$sql.= ", ".($this->date_livraison?"'".$this->db->idate($this->date_livraison)."'":"null");
$sql.= ", ".$user->id;
$sql.= ", 0";
- $sql.= ", " . $this->source;
+ $sql.= ", ".$this->db->escape($this->source);
$sql.= ", '".$conf->global->COMMANDE_SUPPLIER_ADDON_PDF."'";
$sql.= ", ".($this->mode_reglement_id > 0 ? $this->mode_reglement_id : 'null');
$sql.= ", ".($this->cond_reglement_id > 0 ? $this->cond_reglement_id : 'null');
diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index 13368f652a9616e87115d60cf838705fbfec098b..7c2d089960a3e870c9736ca844326c592d83e801 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
@@ -694,7 +694,7 @@ class Product extends CommonObject
$sql = "UPDATE ".MAIN_DB_PREFIX."product";
$sql.= " SET label = '" . $this->db->escape($this->label) ."'";
- $sql.= ", ref = '" . $this->ref ."'";
+ $sql.= ", ref = '" . $this->db->escape($this->ref) ."'";
$sql.= ", ref_ext = ".(! empty($this->ref_ext)?"'".$this->db->escape($this->ref_ext)."'":"null");
$sql.= ", tva_tx = " . $this->tva_tx;
$sql.= ", recuperableonly = " . $this->tva_npr;
@@ -722,9 +722,9 @@ class Product extends CommonObject
$sql.= ", customcode = '" . $this->db->escape($this->customcode) ."'";
$sql.= ", fk_country = " . ($this->country_id > 0 ? $this->country_id : 'null');
$sql.= ", note = ".(isset($this->note) ? "'" .$this->db->escape($this->note)."'" : 'null');
- $sql.= ", duration = '" . $this->duration_value . $this->duration_unit ."'";
- $sql.= ", accountancy_code_buy = '" . $this->accountancy_code_buy."'";
- $sql.= ", accountancy_code_sell= '" . $this->accountancy_code_sell."'";
+ $sql.= ", duration = '" . $this->db->escape($this->duration_value . $this->duration_unit) ."'";
+ $sql.= ", accountancy_code_buy = '" . $this->db->escape($this->accountancy_code_buy)."'";
+ $sql.= ", accountancy_code_sell= '" . $this->db->escape($this->accountancy_code_sell)."'";
$sql.= ", desiredstock = " . ((isset($this->desiredstock) && $this->desiredstock != '') ? $this->desiredstock : "null");
$sql.= ", fk_unit= " . (!$this->fk_unit ? 'NULL' : $this->fk_unit);
$sql.= " WHERE rowid = " . $id;
diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php
index c3dfeb7b2263d4e83cad6add05d8a1c22dfe9402..81698196f205adc8ed25ef18a37cea5f76ca58e6 100644
--- a/htdocs/societe/class/societe.class.php
+++ b/htdocs/societe/class/societe.class.php
@@ -461,14 +461,14 @@ class Societe extends CommonObject
$sql = "INSERT INTO ".MAIN_DB_PREFIX."societe (nom, name_alias, entity, datec, fk_user_creat, canvas, status, ref_int, ref_ext, fk_stcomm, fk_incoterms, location_incoterms ,import_key)";
$sql.= " VALUES ('".$this->db->escape($this->name)."', '".$this->db->escape($this->name_alias)."', ".$conf->entity.", '".$this->db->idate($now)."'";
$sql.= ", ".(! empty($user->id) ? "'".$user->id."'":"null");
- $sql.= ", ".(! empty($this->canvas) ? "'".$this->canvas."'":"null");
+ $sql.= ", ".(! empty($this->canvas) ? "'".$this->db->escape($this->canvas)."'":"null");
$sql.= ", ".$this->status;
- $sql.= ", ".(! empty($this->ref_int) ? "'".$this->ref_int."'":"null");
- $sql.= ", ".(! empty($this->ref_ext) ? "'".$this->ref_ext."'":"null");
+ $sql.= ", ".(! empty($this->ref_int) ? "'".$this->db->escape($this->ref_int)."'":"null");
+ $sql.= ", ".(! empty($this->ref_ext) ? "'".$this->db->escape($this->ref_ext)."'":"null");
$sql.= ", 0";
$sql.= ", ".(int) $this->fk_incoterms;
$sql.= ", '".$this->db->escape($this->location_incoterms)."'";
- $sql.= ", ".(! empty($this->import_key) ? "'".$this->import_key."'":"null").")";
+ $sql.= ", ".(! empty($this->import_key) ? "'".$this->db->escape($this->import_key)."'":"null").")";
dol_syslog(get_class($this)."::create", LOG_DEBUG);
$result=$this->db->query($sql);
@@ -789,7 +789,7 @@ class Societe extends CommonObject
$sql .= ",ref_ext = " .(! empty($this->ref_ext)?"'".$this->db->escape($this->ref_ext) ."'":"null");
$sql .= ",address = '" . $this->db->escape($this->address) ."'";
- $sql .= ",zip = ".(! empty($this->zip)?"'".$this->zip."'":"null");
+ $sql .= ",zip = ".(! empty($this->zip)?"'".$this->db->escape($this->zip)."'":"null");
$sql .= ",town = ".(! empty($this->town)?"'".$this->db->escape($this->town)."'":"null");
$sql .= ",fk_departement = '" . (! empty($this->state_id)?$this->state_id:'0') ."'";
@@ -841,17 +841,17 @@ class Societe extends CommonObject
$sql .= ",prefix_comm = ".(! empty($this->prefix_comm)?"'".$this->db->escape($this->prefix_comm)."'":"null");
- $sql .= ",fk_effectif = ".(! empty($this->effectif_id)?"'".$this->effectif_id."'":"null");
+ $sql .= ",fk_effectif = ".(! empty($this->effectif_id)?"'".$this->db->escape($this->effectif_id)."'":"null");
- $sql .= ",fk_typent = ".(! empty($this->typent_id)?"'".$this->typent_id."'":"0");
+ $sql .= ",fk_typent = ".(! empty($this->typent_id)?"'".$this->db->escape($this->typent_id)."'":"0");
- $sql .= ",fk_forme_juridique = ".(! empty($this->forme_juridique_code)?"'".$this->forme_juridique_code."'":"null");
+ $sql .= ",fk_forme_juridique = ".(! empty($this->forme_juridique_code)?"'".$this->db->escape($this->forme_juridique_code)."'":"null");
$sql .= ",client = " . (! empty($this->client)?$this->client:0);
$sql .= ",fournisseur = " . (! empty($this->fournisseur)?$this->fournisseur:0);
- $sql .= ",barcode = ".(! empty($this->barcode)?"'".$this->barcode."'":"null");
- $sql .= ",default_lang = ".(! empty($this->default_lang)?"'".$this->default_lang."'":"null");
- $sql .= ",logo = ".(! empty($this->logo)?"'".$this->logo."'":"null");
+ $sql .= ",barcode = ".(! empty($this->barcode)?"'".$this->db->escape($this->barcode)."'":"null");
+ $sql .= ",default_lang = ".(! empty($this->default_lang)?"'".$this->db->escape($this->default_lang)."'":"null");
+ $sql .= ",logo = ".(! empty($this->logo)?"'".$this->db->escape($this->logo)."'":"null");
$sql .= ",webservices_url = ".(! empty($this->webservices_url)?"'".$this->db->escape($this->webservices_url)."'":"null");
$sql .= ",webservices_key = ".(! empty($this->webservices_key)?"'".$this->db->escape($this->webservices_key)."'":"null");
@@ -1531,7 +1531,7 @@ class Societe extends CommonObject
// Positionne remise courante
$sql = "UPDATE ".MAIN_DB_PREFIX."societe ";
- $sql.= " SET remise_client = '".$remise."'";
+ $sql.= " SET remise_client = '".$this->db->escape($remise)."'";
$sql.= " WHERE rowid = " . $this->id .";";
$resql=$this->db->query($sql);
if (! $resql)
@@ -1544,7 +1544,7 @@ class Societe extends CommonObject
// Ecrit trace dans historique des remises
$sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_remise";
$sql.= " (datec, fk_soc, remise_client, note, fk_user_author)";
- $sql.= " VALUES ('".$this->db->idate($now)."', ".$this->id.", '".$remise."',";
+ $sql.= " VALUES ('".$this->db->idate($now)."', ".$this->id.", '".$this->db->escape($remise)."',";
$sql.= " '".$this->db->escape($note)."',";
$sql.= " ".$user->id;
$sql.= ")";
@@ -1694,7 +1694,7 @@ class Societe extends CommonObject
$now=dol_now();
$sql = "UPDATE ".MAIN_DB_PREFIX."societe";
- $sql .= " SET price_level = '".$price_level."'";
+ $sql .= " SET price_level = '".$this->db->escape($price_level)."'";
$sql .= " WHERE rowid = " . $this->id;
if (! $this->db->query($sql))
@@ -1705,7 +1705,7 @@ class Societe extends CommonObject
$sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_prices";
$sql .= " (datec, fk_soc, price_level, fk_user_author)";
- $sql .= " VALUES ('".$this->db->idate($now)."',".$this->id.",'".$price_level."',".$user->id.")";
+ $sql .= " VALUES ('".$this->db->idate($now)."',".$this->id.",'".$this->db->escape($price_level)."',".$user->id.")";
if (! $this->db->query($sql))
{
@@ -3242,7 +3242,7 @@ class Societe extends CommonObject
* @param User $user User making change
* @return int <0 if KO, >0 if OK
*/
- function set_OutstandingBill (User $user)
+ function set_OutstandingBill(User $user)
{
if ($this->id)
{