diff --git a/htdocs/adherents/liste.php b/htdocs/adherents/liste.php
index 4b221c6d40a2d1aec9004e798b75f45be5af5d47..7b1890aa228fc46b798bc348873a95d301e95226 100644
--- a/htdocs/adherents/liste.php
+++ b/htdocs/adherents/liste.php
@@ -134,7 +134,7 @@ if ($filter == 'outofdate')
// Insert categ filter
if ($search_categ)
{
- $sql.= " AND cf.fk_categorie = ".addslashes($search_categ);
+ $sql.= " AND cf.fk_categorie = ".$db->escape($search_categ);
}
// Count total nb of records with no order and no limits
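Review bot: `$db->escape($search_categ)` on the changed line is not sufficient for an unquoted numeric comparison: the escape only neutralises quote and backslash characters, and `cf.fk_categorie = ` takes the value bare, so anything that is not a number still lands in the query as SQL text. For an integer key column a cast is the right guard: `$sql.= " AND cf.fk_categorie = ".(int) $search_categ;`. The same bare-numeric use of `$db->escape` is in comm/action/index.php and comm/action/listactions.php (`a.fk_project`), comm/prospect/prospects.php (`sc.fk_user`, `cs.fk_categorie`) and fourn/liste.php (`cf.fk_categorie`).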
diff --git a/htdocs/admin/dict.php b/htdocs/admin/dict.php
index 91c154051a06d317bcbbadf4e99c32e9fe5757bf..d59be620015b02cd08754ef994fb681eac657ade 100644
--- a/htdocs/admin/dict.php
+++ b/htdocs/admin/dict.php
@@ -387,7 +387,7 @@ if ($_POST["actionadd"] || $_POST["actionmodify"])
if ($tabrowid[$_POST["id"]] && !in_array($tabrowid[$_POST["id"]],$listfieldmodify))
{
$sql.= $tabrowid[$_POST["id"]]."=";
- $sql.= "'".addslashes($_POST["rowid"])."', ";
+ $sql.= "'".$db->escape($_POST["rowid"])."', ";
}
$i = 0;
foreach ($listfieldmodify as $field)
diff --git a/htdocs/admin/external_rss.php b/htdocs/admin/external_rss.php
index 3ca9949a494f9a318d788637d306d733b56c6c63..6f69d08ef78a2117aed0c7512464ea0da32dc102 100644
--- a/htdocs/admin/external_rss.php
+++ b/htdocs/admin/external_rss.php
@@ -86,7 +86,7 @@ if ($_POST["action"] == 'add' || $_POST["modify"])
{
// Ajoute boite box_external_rss dans definition des boites
$sql = "INSERT INTO ".MAIN_DB_PREFIX."boxes_def (file, note)";
- $sql.= " VALUES ('box_external_rss.php','".addslashes($_POST["norss"].' ('.$_POST[$external_rss_title]).")')";
+ $sql.= " VALUES ('box_external_rss.php','".$db->escape($_POST["norss"].' ('.$_POST[$external_rss_title]).")')";
if (! $db->query($sql))
{
dol_print_error($db);
diff --git a/htdocs/admin/facture.php b/htdocs/admin/facture.php
index 7f108e565af558e16a34c9c6cba6b165c840c8f1..3e44bdf946f0adee805c6a7208d470d5ed8bb4c4 100644
--- a/htdocs/admin/facture.php
+++ b/htdocs/admin/facture.php
@@ -156,7 +156,7 @@ if ($_GET["action"] == 'setdoc')
$sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)";
$sql.= " VALUES ('".$_GET["value"]."', '".$type."', ".$conf->entity.", ";
- $sql.= ($_GET["label"]?"'".addslashes($_GET["label"])."'":'null').", ";
+ $sql.= ($_GET["label"]?"'".$db->escape($_GET["label"])."'":'null').", ";
$sql.= (! empty($_GET["scandir"])?"'".$_GET["scandir"]."'":"null");
$sql.= ")";
dol_syslog("facture.php ".$sql);
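Review bot: The escape on the changed line covers only `label`, while `$_GET["value"]` one line above and `$_GET["scandir"]` one line below are still concatenated raw into the same INSERT, so the statement remains injectable through those two parameters. Apply the same treatment to both: `$sql.= " VALUES ('".$db->escape($_GET["value"])."', '".$type."', ".$conf->entity.", ";` and `$sql.= (! empty($_GET["scandir"])?"'".$db->escape($_GET["scandir"])."'":"null");`. The `dol_syslog` call on the last line then also records exactly the text that was executed.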
diff --git a/htdocs/admin/societe.php b/htdocs/admin/societe.php
index 39601b559aaa0eac4a2bf70cac45423cead2a546..2b312f76127e05e9d964148a2992bd5dcf521b45 100644
--- a/htdocs/admin/societe.php
+++ b/htdocs/admin/societe.php
@@ -112,7 +112,7 @@ if ($_GET["action"] == 'del')
{
$type='company';
$sql = "DELETE FROM ".MAIN_DB_PREFIX."document_model";
- $sql.= " WHERE nom='".addslashes($_GET["value"])."' AND type='".$type."' AND entity=".$conf->entity;
+ $sql.= " WHERE nom='".$db->escape($_GET["value"])."' AND type='".$type."' AND entity=".$conf->entity;
if ($db->query($sql))
{
diff --git a/htdocs/asterisk/cidlookup.php b/htdocs/asterisk/cidlookup.php
index 5156a3fd27d6e9faf0a5841fe3ea050427f5d6c4..aa9548f8b9bc45e874563dc38792d5bda83cc8c5 100644
--- a/htdocs/asterisk/cidlookup.php
+++ b/htdocs/asterisk/cidlookup.php
@@ -44,10 +44,10 @@ if (empty($phone))
$sql = "SELECT nom FROM ".MAIN_DB_PREFIX."societe as s";
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."socpeople as sp ON sp.fk_soc = s.rowid";
$sql.= " WHERE s.entity=".$conf->entity;
-$sql.= " AND (s.tel='".addslashes($phone)."'";
-$sql.= " OR sp.phone='".addslashes($phone)."'";
-$sql.= " OR sp.phone_perso='".addslashes($phone)."'";
-$sql.= " OR sp.phone_mobile='".addslashes($phone)."')";
+$sql.= " AND (s.tel='".$db->escape($phone)."'";
+$sql.= " OR sp.phone='".$db->escape($phone)."'";
+$sql.= " OR sp.phone_perso='".$db->escape($phone)."'";
+$sql.= " OR sp.phone_mobile='".$db->escape($phone)."')";
$sql.= $db->plimit(1);
dol_syslog('cidlookup search information with phone '.$phone, LOG_DEBUG);
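Review bot: The four changed lines each call `$db->escape($phone)` on the same value; escaping once into a local makes it visible that all four predicates compare the same literal and removes the repeated driver call. For example `$phone_escaped = $db->escape($phone);` before the WHERE clause, then `$sql.= " AND (s.tel='".$phone_escaped."'";` and likewise on the three OR terms.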
diff --git a/htdocs/comm/action/index.php b/htdocs/comm/action/index.php
index 0f4ea9faf9ce01b25aa918eaacc98499aedc8f0d..139fd4b878afe66be43e602e4ccba33b5f6abd41 100644
--- a/htdocs/comm/action/index.php
+++ b/htdocs/comm/action/index.php
@@ -224,7 +224,7 @@ $sql.= ' WHERE a.fk_action = ca.id';
$sql.= ' AND a.fk_user_author = u.rowid';
$sql.= ' AND u.entity in (0,'.$conf->entity.')'; // To limit to entity
if ($user->societe_id) $sql.= ' AND a.fk_soc = '.$user->societe_id; // To limit to external user company
-if ($pid) $sql.=" AND a.fk_project=".addslashes($pid);
+if ($pid) $sql.=" AND a.fk_project=".$db->escape($pid);
if ($action == 'show_day')
{
$sql.= " AND (";
diff --git a/htdocs/comm/action/listactions.php b/htdocs/comm/action/listactions.php
index 0957413bee71e4010656439d5e06b6d25b32f10d..6d8ec2ac9a8db8a40eae4306a50583e03ce0a2cc 100644
--- a/htdocs/comm/action/listactions.php
+++ b/htdocs/comm/action/listactions.php
@@ -141,7 +141,7 @@ $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."user as ud ON a.fk_user_done = ud.rowid";
$sql.= " WHERE c.id = a.fk_action";
$sql.= ' AND a.fk_user_author = u.rowid'; // To limit to entity
$sql.= ' AND u.entity in (0,'.$conf->entity.')'; // To limit to entity
-if ($pid) $sql.=" AND a.fk_project=".addslashes($pid);
+if ($pid) $sql.=" AND a.fk_project=".$db->escape($pid);
if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
if ($socid) $sql.= " AND s.rowid = ".$socid;
if ($_GET["type"]) $sql.= " AND c.id = ".$_GET["type"];
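Review bot: `$_GET["type"]` on the last line of the hunk is concatenated bare into `c.id = ` with no escaping or cast, which leaves open the same path that the changed line closes for `$pid`. Since `c.id` is an integer key, `if ($_GET["type"]) $sql.= " AND c.id = ".(int) $_GET["type"];` is the appropriate guard. `$socid` on the line above is used the same way; whether it is already cast depends on code outside the hunk.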
diff --git a/htdocs/comm/mailing/cibles.php b/htdocs/comm/mailing/cibles.php
index abf06b6e66f8b912f0722859b9e39af129c6d8ff..97d22cad6886751131746a75abf571b06ec2176a 100644
--- a/htdocs/comm/mailing/cibles.php
+++ b/htdocs/comm/mailing/cibles.php
@@ -357,9 +357,9 @@ if ($mil->fetch($_REQUEST["id"]) >= 0)
$sql = "SELECT mc.rowid, mc.nom, mc.prenom, mc.email, mc.other, mc.statut, mc.date_envoi, mc.source_url, mc.source_id, mc.source_type";
$sql .= " FROM ".MAIN_DB_PREFIX."mailing_cibles as mc";
$sql .= " WHERE mc.fk_mailing=".$mil->id;
- if ($search_nom) $sql.= " AND mc.nom like '%".addslashes($search_nom)."%'";
- if ($search_prenom) $sql.= " AND mc.prenom like '%".addslashes($search_prenom)."%'";
- if ($search_email) $sql.= " AND mc.email like '%".addslashes($search_email)."%'";
+ if ($search_nom) $sql.= " AND mc.nom like '%".$db->escape($search_nom)."%'";
+ if ($search_prenom) $sql.= " AND mc.prenom like '%".$db->escape($search_prenom)."%'";
+ if ($search_email) $sql.= " AND mc.email like '%".$db->escape($search_email)."%'";
$sql .= $db->order($sortfield,$sortorder);
$sql .= $db->plimit($conf->liste_limit+1, $offset);
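Review bot: `$db->escape` on the three changed lines neutralises quotes and backslashes but not the LIKE metacharacters `%` and `_`, so a search value containing them is still interpreted as a pattern rather than matched literally. That is not a regression from `addslashes`, but if literal matching is intended the pattern characters should be escaped first, e.g. `$db->escape(addcslashes($search_nom, '%_'))`. The same applies to every LIKE filter touched by this commit.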
diff --git a/htdocs/comm/mailing/liste.php b/htdocs/comm/mailing/liste.php
index 6183dafb72c377901983f4ddd74909503af8caaa..92ab366dd3be630c64e2d3deeb3c6b1d5be59a39 100644
--- a/htdocs/comm/mailing/liste.php
+++ b/htdocs/comm/mailing/liste.php
@@ -67,7 +67,7 @@ if ($filteremail)
$sql.= " mc.statut as sendstatut";
$sql.= " FROM ".MAIN_DB_PREFIX."mailing as m, ".MAIN_DB_PREFIX."mailing_cibles as mc";
$sql.= " WHERE m.rowid = mc.fk_mailing AND m.entity = ".$conf->entity;
- $sql.= " AND mc.email = '".addslashes($filteremail)."'";
+ $sql.= " AND mc.email = '".$db->escape($filteremail)."'";
if ($sref) $sql.= " AND m.rowid = '".$sref."'";
if ($sall) $sql.= " AND (m.titre like '%".$sall."%' OR m.sujet like '%".$sall."%' OR m.body like '%".$sall."%')";
if (! $sortorder) $sortorder="ASC";
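Review bot: The two lines after the change still concatenate `$sref` and `$sall` raw into the same WHERE clause, so the query stays injectable through them while only `$filteremail` is escaped. `m.rowid` is an integer key, so `if ($sref) $sql.= " AND m.rowid = ".(int) $sref;`, and the three LIKE terms on the next line should wrap `$sall` in `$db->escape(...)` as the changed line does. Where `$sref` and `$sall` are read is outside the hunk, so whether they are already sanitised cannot be confirmed here.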
diff --git a/htdocs/comm/prospect/prospects.php b/htdocs/comm/prospect/prospects.php
index f3d0d14210d79986c51a7dc3190de79ffd890092..a664d1927d4bedc84faf2fb17cb2e102b85b9448 100644
--- a/htdocs/comm/prospect/prospects.php
+++ b/htdocs/comm/prospect/prospects.php
@@ -181,8 +181,8 @@ if ($search_sale) $sql.= " AND s.rowid = sc.fk_soc"; // Join for the needed tab
if ($search_categ) $sql.= " AND s.rowid = cs.fk_societe"; // Join for the needed table to filter by categ
if (isset($stcomm) && $stcomm != '') $sql.= " AND s.fk_stcomm=".$stcomm;
-if ($_GET["search_nom"]) $sql .= " AND s.nom like '%".addslashes(strtolower($_GET["search_nom"]))."%'";
-if ($_GET["search_ville"]) $sql .= " AND s.ville like '%".addslashes(strtolower($_GET["search_ville"]))."%'";
+if ($_GET["search_nom"]) $sql .= " AND s.nom like '%".$db->escape(strtolower($_GET["search_nom"]))."%'";
+if ($_GET["search_ville"]) $sql .= " AND s.ville like '%".$db->escape(strtolower($_GET["search_ville"]))."%'";
// Insert levels filters
if ($search_levels)
{
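Review bot: `$stcomm` on the line directly above the changed lines is interpolated bare into `s.fk_stcomm=` with no escape or cast; the `!= ''` check only excludes the empty string. As it is compared to an integer status column, `if (isset($stcomm) && $stcomm != '') $sql.= " AND s.fk_stcomm=".(int) $stcomm;` closes that path. The `$search_levels` block opened on the hunk's last line continues outside the hunk.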
@@ -191,16 +191,16 @@ if ($search_levels)
// Insert sale filter
if ($search_sale)
{
- $sql .= " AND sc.fk_user = ".addslashes($search_sale);
+ $sql .= " AND sc.fk_user = ".$db->escape($search_sale);
}
// Insert categ filter
if ($search_categ)
{
- $sql .= " AND cs.fk_categorie = ".addslashes($search_categ);
+ $sql .= " AND cs.fk_categorie = ".$db->escape($search_categ);
}
if ($socname)
{
- $sql .= " AND s.nom like '%".addslashes($socname)."%'";
+ $sql .= " AND s.nom like '%".$db->escape($socname)."%'";
$sortfield = "s.nom";
$sortorder = "ASC";
}
diff --git a/htdocs/commande/liste.php b/htdocs/commande/liste.php
index a5c100e4bf15c2a71af0af591019a3b5374074c8..907a9e91f1a4b687485c88268149dbf2988158c0 100644
--- a/htdocs/commande/liste.php
+++ b/htdocs/commande/liste.php
@@ -88,11 +88,11 @@ if ($socid) $sql.= ' AND s.rowid = '.$socid;
if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
if ($sref)
{
- $sql.= " AND c.ref LIKE '%".addslashes($sref)."%'";
+ $sql.= " AND c.ref LIKE '%".$db->escape($sref)."%'";
}
if ($sall)
{
- $sql.= " AND (c.ref LIKE '%".addslashes($sall)."%' OR c.note LIKE '%".addslashes($sall)."%')";
+ $sql.= " AND (c.ref LIKE '%".$db->escape($sall)."%' OR c.note LIKE '%".$db->escape($sall)."%')";
}
if ($viewstatut <> '')
{
@@ -131,11 +131,11 @@ if ($_GET['deliveryyear'] > 0)
}
if (!empty($snom))
{
- $sql.= ' AND s.nom LIKE \'%'.addslashes($snom).'%\'';
+ $sql.= ' AND s.nom LIKE \'%'.$db->escape($snom).'%\'';
}
if (!empty($sref_client))
{
- $sql.= ' AND c.ref_client LIKE \'%'.addslashes($sref_client).'%\'';
+ $sql.= ' AND c.ref_client LIKE \'%'.$db->escape($sref_client).'%\'';
}
$sql.= ' ORDER BY '.$sortfield.' '.$sortorder;
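Review bot: `$sortfield` and `$sortorder` are concatenated raw into ORDER BY on the last line of the hunk, so if they are taken from the request (not visible here) the escaping added to the filters above leaves the sort clause as an open injection path. Other files in this same commit route them through `$db->order($sortfield,$sortorder)`; doing the same here, `$sql.= $db->order($sortfield,$sortorder);`, keeps the list pages consistent. The same raw ORDER BY appears in compta/propal.php, contrat/liste.php and fichinter/index.php.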
diff --git a/htdocs/compta/bank/account.php b/htdocs/compta/bank/account.php
index e68d8edc5f9ae0e228565bb764dcab1e9e64f3ae..4913321216e0b93b4f39a124f4a33aca0534cc28 100644
--- a/htdocs/compta/bank/account.php
+++ b/htdocs/compta/bank/account.php
@@ -186,13 +186,13 @@ if ($account || $_GET["ref"])
$mode_search = 0;
if ($_REQUEST["req_nb"])
{
- $sql_rech.= " AND b.num_chq like '%".addslashes($_REQUEST["req_nb"])."%'";
+ $sql_rech.= " AND b.num_chq like '%".$db->escape($_REQUEST["req_nb"])."%'";
$param.='&req_nb='.urlencode($_REQUEST["req_nb"]);
$mode_search = 1;
}
if ($_REQUEST["req_desc"])
{
- $sql_rech.= " AND b.label like '%".addslashes($_REQUEST["req_desc"])."%'";
+ $sql_rech.= " AND b.label like '%".$db->escape($_REQUEST["req_desc"])."%'";
$param.='&req_desc='.urlencode($_REQUEST["req_desc"]);
$mode_search = 1;
}
@@ -210,7 +210,7 @@ if ($account || $_GET["ref"])
}
if ($_REQUEST["thirdparty"])
{
- $sql_rech.=" AND (COALESCE(s.nom,'') LIKE '%".addslashes($_REQUEST["thirdparty"])."%')";
+ $sql_rech.=" AND (COALESCE(s.nom,'') LIKE '%".$db->escape($_REQUEST["thirdparty"])."%')";
$param.='&thirdparty='.urlencode($_REQUEST["thirdparty"]);
$mode_search = 1;
}
diff --git a/htdocs/compta/bank/categ.php b/htdocs/compta/bank/categ.php
index 0c1f82495bbd38f08f8d1bbcc0b6deb813749f73..804b4deb094887527fc508ec10daf3d4c2d041af 100644
--- a/htdocs/compta/bank/categ.php
+++ b/htdocs/compta/bank/categ.php
@@ -43,7 +43,7 @@ if ($_POST["action"] == 'add')
$sql.= "label";
$sql.= ", entity";
$sql.= ") VALUES (";
- $sql.= "'".addslashes($_POST["label"])."'";
+ $sql.= "'".$db->escape($_POST["label"])."'";
$sql.= ", ".$conf->entity;
$sql.= ")";
diff --git a/htdocs/compta/bank/ligne.php b/htdocs/compta/bank/ligne.php
index 769b7de07ef15de3018b18ff8224a481cb6954af..c449861aa3cdb51c0784d37f11cd4cdc33a82b1d 100644
--- a/htdocs/compta/bank/ligne.php
+++ b/htdocs/compta/bank/ligne.php
@@ -101,7 +101,7 @@ if ($_POST["action"] == "update")
$dateop = dol_mktime(12,0,0,$_POST["dateomonth"],$_POST["dateoday"],$_POST["dateoyear"]);
$dateval= dol_mktime(12,0,0,$_POST["datevmonth"],$_POST["datevday"],$_POST["datevyear"]);
$sql = "UPDATE ".MAIN_DB_PREFIX."bank";
- $sql.= " SET label='".addslashes($_POST["label"])."',";
+ $sql.= " SET label='".$db->escape($_POST["label"])."',";
if (isset($_POST['amount'])) $sql.=" amount='$amount',";
$sql.= " dateo = '".$db->idate($dateop)."', datev = '".$db->idate($dateval)."',";
$sql.= " fk_account = ".$_POST['accountid'];
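Review bot: `$_POST['accountid']` on the last line of the hunk is concatenated bare into `fk_account = ` with no cast, and `$amount` two lines above is interpolated into a quoted literal without `$db->escape`, so the UPDATE stays injectable even though `label` is now escaped. Use `$sql.= " fk_account = ".(int) $_POST['accountid'];` and `if (isset($_POST['amount'])) $sql.=" amount='".$db->escape($amount)."',";`. Where `$amount` is derived is outside the hunk, so it may already be numeric-validated; the cast on `accountid` is needed regardless.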
@@ -127,13 +127,13 @@ if ($_POST["action"] == 'type')
if ($_POST["action"] == 'banque')
{
- $sql = "UPDATE ".MAIN_DB_PREFIX."bank set banque='".addslashes($_POST["banque"])."' WHERE rowid = $rowid;";
+ $sql = "UPDATE ".MAIN_DB_PREFIX."bank set banque='".$db->escape($_POST["banque"])."' WHERE rowid = $rowid;";
$result = $db->query($sql);
}
if ($_POST["action"] == 'emetteur')
{
- $sql = "UPDATE ".MAIN_DB_PREFIX."bank set emetteur='".addslashes($_POST["emetteur"])."' WHERE rowid = $rowid;";
+ $sql = "UPDATE ".MAIN_DB_PREFIX."bank set emetteur='".$db->escape($_POST["emetteur"])."' WHERE rowid = $rowid;";
$result = $db->query($sql);
}
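Review bot: `$rowid` is interpolated raw into `WHERE rowid = $rowid;` on both changed lines, so escaping `banque` and `emetteur` still leaves the row selector unguarded. Since it addresses an integer primary key, `" WHERE rowid = ".(int) $rowid` is the right guard on each of the two statements. The assignment of `$rowid` is outside the hunk, so it may already be cast; the trailing `;` inside the query text is also unlike the other statements in this commit, which omit it.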
diff --git a/htdocs/compta/clients.php b/htdocs/compta/clients.php
index 1ee0afc4cfbf0e371b2606880bcd329627d46713..e32310f0354c321cd99d2dffee5423bff61a327d 100644
--- a/htdocs/compta/clients.php
+++ b/htdocs/compta/clients.php
@@ -76,7 +76,7 @@ if ($action == 'note')
if ($mode == 'search') {
if ($mode-search == 'soc') {
$sql = "SELECT s.rowid FROM ".MAIN_DB_PREFIX."societe as s ";
- $sql.= " WHERE lower(s.nom) like '%".addslashes(strtolower($socname))."%'";
+ $sql.= " WHERE lower(s.nom) like '%".$db->escape(strtolower($socname))."%'";
$sql.= " AND s.entity = ".$conf->entity;
}
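Review bot: The changed line sits inside `if ($mode-search == 'soc')`, which PHP parses as the arithmetic expression `$mode - search` (an undefined constant) compared to `'soc'`, not as a lookup of a `mode-search` parameter; on older PHP it can evaluate true by accident (`0 == 'soc'`), which hides the defect rather than fixing it. The supplier counterpart in this same commit (fourn/facture/index.php) reads `$_POST["mode-search"] == 'soc'`; the condition here should match it, e.g. `if ($_POST["mode-search"] == 'soc') {`. Which request array the page normally reads from is outside the hunk.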
@@ -113,29 +113,29 @@ if (dol_strlen($stcomm))
if ($socname)
{
- $sql.= " AND s.nom like '%".addslashes(strtolower($socname))."%'";
+ $sql.= " AND s.nom like '%".$db->escape(strtolower($socname))."%'";
$sortfield = "s.nom";
$sortorder = "ASC";
}
if ($_GET["search_nom"])
{
- $sql.= " AND s.nom like '%".addslashes(strtolower($_GET["search_nom"]))."%'";
+ $sql.= " AND s.nom like '%".$db->escape(strtolower($_GET["search_nom"]))."%'";
}
if ($_GET["search_compta"])
{
- $sql.= " AND s.code_compta like '%".addslashes($_GET["search_compta"])."%'";
+ $sql.= " AND s.code_compta like '%".$db->escape($_GET["search_compta"])."%'";
}
if ($_GET["search_code_client"])
{
- $sql.= " AND s.code_client like '%".addslashes($_GET["search_code_client"])."%'";
+ $sql.= " AND s.code_client like '%".$db->escape($_GET["search_code_client"])."%'";
}
if (dol_strlen($begin))
{
- $sql.= " AND s.nom like '".addslashes($begin)."'";
+ $sql.= " AND s.nom like '".$db->escape($begin)."'";
}
if ($socid)
diff --git a/htdocs/compta/facture.php b/htdocs/compta/facture.php
index af4678ff3c502113299711913252ccf6237ac4d2..b0e26a914bb2726deb55fe4c7e3d01173b710841 100644
--- a/htdocs/compta/facture.php
+++ b/htdocs/compta/facture.php
@@ -2930,19 +2930,19 @@ else
}
if ($_GET['search_ref'])
{
- $sql.= ' AND f.facnumber LIKE \'%'.addslashes(trim($_GET['search_ref'])).'%\'';
+ $sql.= ' AND f.facnumber LIKE \'%'.$db->escape(trim($_GET['search_ref'])).'%\'';
}
if ($_GET['search_societe'])
{
- $sql.= ' AND s.nom LIKE \'%'.addslashes(trim($_GET['search_societe'])).'%\'';
+ $sql.= ' AND s.nom LIKE \'%'.$db->escape(trim($_GET['search_societe'])).'%\'';
}
if ($_GET['search_montant_ht'])
{
- $sql.= ' AND f.total = \''.addslashes(trim($_GET['search_montant_ht'])).'\'';
+ $sql.= ' AND f.total = \''.$db->escape(trim($_GET['search_montant_ht'])).'\'';
}
if ($_GET['search_montant_ttc'])
{
- $sql.= ' AND f.total_ttc = \''.addslashes(trim($_GET['search_montant_ttc'])).'\'';
+ $sql.= ' AND f.total_ttc = \''.$db->escape(trim($_GET['search_montant_ttc'])).'\'';
}
if ($month > 0)
{
@@ -2957,11 +2957,11 @@ else
}
if ($_POST['sf_ref'])
{
- $sql.= ' AND f.facnumber LIKE \'%'.addslashes(trim($_POST['sf_ref'])) . '%\'';
+ $sql.= ' AND f.facnumber LIKE \'%'.$db->escape(trim($_POST['sf_ref'])) . '%\'';
}
if ($sall)
{
- $sql.= ' AND (s.nom LIKE \'%'.addslashes($sall).'%\' OR f.facnumber LIKE \'%'.addslashes($sall).'%\' OR f.note LIKE \'%'.addslashes($sall).'%\' OR fd.description LIKE \'%'.addslashes($sall).'%\')';
+ $sql.= ' AND (s.nom LIKE \'%'.$db->escape($sall).'%\' OR f.facnumber LIKE \'%'.$db->escape($sall).'%\' OR f.note LIKE \'%'.$db->escape($sall).'%\' OR fd.description LIKE \'%'.$db->escape($sall).'%\')';
}
if (! $sall)
{
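Review bot: The `$sall` line escapes the same value four times; computing `$db->escape($sall)` once into a local before building the OR group reads more clearly and removes the repeated driver call. For example `$sall_escaped = $db->escape($sall);` followed by the four LIKE terms using `$sall_escaped`. The same repeated-escape pattern is in contact/index.php, contrat/liste.php and fourn/commande/liste.php.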
diff --git a/htdocs/compta/paiement/liste.php b/htdocs/compta/paiement/liste.php
index b560624867ecc193c7692ccc2667a07c8240ca93..0731ab9e7752affa2cd34e90c18f1cd4dbddfc77 100644
--- a/htdocs/compta/paiement/liste.php
+++ b/htdocs/compta/paiement/liste.php
@@ -108,7 +108,7 @@ if ($_REQUEST["search_amount"])
}
if ($_REQUEST["search_company"])
{
- $sql .=" AND s.nom LIKE '%".addslashes($_REQUEST["search_company"])."%'";
+ $sql .=" AND s.nom LIKE '%".$db->escape($_REQUEST["search_company"])."%'";
}
if ($_GET["orphelins"]) // Option for debugging purpose only
diff --git a/htdocs/compta/propal.php b/htdocs/compta/propal.php
index c1414dae0399f3d6caba5144f373d7754831cd6d..470862e58b8551225f1e68b6e3d57170f50c8b09 100644
--- a/htdocs/compta/propal.php
+++ b/htdocs/compta/propal.php
@@ -576,15 +576,15 @@ else
if ($year > 0) $sql .= " AND date_format(p.datep, '%Y') = $year";
if (!empty($_GET['search_ref']))
{
- $sql.= " AND p.ref LIKE '%".addslashes($_GET['search_ref'])."%'";
+ $sql.= " AND p.ref LIKE '%".$db->escape($_GET['search_ref'])."%'";
}
if (!empty($_GET['search_societe']))
{
- $sql.= " AND s.nom LIKE '%".addslashes($_GET['search_societe'])."%'";
+ $sql.= " AND s.nom LIKE '%".$db->escape($_GET['search_societe'])."%'";
}
if (!empty($_GET['search_montant_ht']))
{
- $sql.= " AND p.price='".addslashes($_GET['search_montant_ht'])."'";
+ $sql.= " AND p.price='".$db->escape($_GET['search_montant_ht'])."'";
}
$sql.= " ORDER BY $sortfield $sortorder, p.rowid DESC ";
$sql.= $db->plimit($limit + 1,$offset);
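Review bot: `$year` is interpolated raw into `date_format(p.datep, '%Y') = $year` on the hunk's first line, and the `$year > 0` guard is not a type check (a string beginning with a digit passes the comparison and is then interpolated whole), so the escaping added on the changed lines leaves that term open. `if ($year > 0) $sql .= " AND date_format(p.datep, '%Y') = ".(int) $year;` closes it. `$sortfield $sortorder` on the ORDER BY line is likewise unescaped; `$db->order($sortfield,$sortorder)`, as used by other list pages in this commit, is the consistent fix.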
diff --git a/htdocs/contact/index.php b/htdocs/contact/index.php
index 1015553c7b9348889d7af9ecfec263b214b8c587..97b5c4306d765466b930a0f17c27631f2b0abfce 100644
--- a/htdocs/contact/index.php
+++ b/htdocs/contact/index.php
@@ -136,19 +136,19 @@ else
if ($search_nom) // filtre sur le nom
{
- $sql .= " AND p.name like '%".addslashes($search_nom)."%'";
+ $sql .= " AND p.name like '%".$db->escape($search_nom)."%'";
}
if ($search_prenom) // filtre sur le prenom
{
- $sql .= " AND p.firstname like '%".addslashes($search_prenom)."%'";
+ $sql .= " AND p.firstname like '%".$db->escape($search_prenom)."%'";
}
if ($search_societe) // filtre sur la societe
{
- $sql .= " AND s.nom like '%".addslashes($search_societe)."%'";
+ $sql .= " AND s.nom like '%".$db->escape($search_societe)."%'";
}
if ($search_email) // filtre sur l'email
{
- $sql .= " AND p.email like '%".addslashes($search_email)."%'";
+ $sql .= " AND p.email like '%".$db->escape($search_email)."%'";
}
if ($type == "o") // filtre sur type
{
@@ -168,7 +168,7 @@ if ($type == "p") // filtre sur type
}
if ($sall)
{
- $sql .= " AND (p.name like '%".addslashes($sall)."%' OR p.firstname like '%".addslashes($sall)."%' OR p.email like '%".addslashes($sall)."%') ";
+ $sql .= " AND (p.name like '%".$db->escape($sall)."%' OR p.firstname like '%".$db->escape($sall)."%' OR p.email like '%".$db->escape($sall)."%') ";
}
if ($socid)
{
diff --git a/htdocs/contrat/liste.php b/htdocs/contrat/liste.php
index 86f753549337c6832e8eb02d06b4cb3e33cc0c96..0966858a014942438433a5be3786b0a3cd8e86a8 100644
--- a/htdocs/contrat/liste.php
+++ b/htdocs/contrat/liste.php
@@ -81,9 +81,9 @@ $sql.= " WHERE c.fk_soc = s.rowid ";
$sql.= " AND s.entity = ".$conf->entity;
if ($socid) $sql.= " AND s.rowid = ".$socid;
if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
-if ($search_nom) $sql.= " AND s.nom like '%".addslashes($search_nom)."%'";
-if ($search_contract) $sql.= " AND c.rowid = '".addslashes($search_contract)."'";
-if ($sall) $sql.= " AND (s.nom like '%".addslashes($sall)."%' OR cd.label like '%".addslashes($sall)."%' OR cd.description like '%".addslashes($sall)."%')";
+if ($search_nom) $sql.= " AND s.nom like '%".$db->escape($search_nom)."%'";
+if ($search_contract) $sql.= " AND c.rowid = '".$db->escape($search_contract)."'";
+if ($sall) $sql.= " AND (s.nom like '%".$db->escape($sall)."%' OR cd.label like '%".$db->escape($sall)."%' OR cd.description like '%".$db->escape($sall)."%')";
$sql.= " GROUP BY c.rowid, c.ref, c.datec, c.date_contrat, c.statut,";
$sql.= " s.nom, s.rowid";
$sql.= " ORDER BY $sortfield $sortorder";
diff --git a/htdocs/contrat/services.php b/htdocs/contrat/services.php
index 11a57ae87ab298a116e0440a41d620e5678d7982..e8659d536194f4010c196a69c3c2a133d0cf3fee 100644
--- a/htdocs/contrat/services.php
+++ b/htdocs/contrat/services.php
@@ -94,9 +94,9 @@ if ($mode == "0") $sql.= " AND cd.statut = 0";
if ($mode == "4") $sql.= " AND cd.statut = 4";
if ($mode == "5") $sql.= " AND cd.statut = 5";
if ($filter == "expired") $sql.= " AND date_fin_validite < ".$db->idate($now);
-if ($search_nom) $sql.= " AND s.nom like '%".addslashes($search_nom)."%'";
-if ($search_contract) $sql.= " AND c.rowid = '".addslashes($search_contract)."'";
-if ($search_service) $sql.= " AND (p.ref like '%".addslashes($search_service)."%' OR p.description like '%".addslashes($search_service)."%')";
+if ($search_nom) $sql.= " AND s.nom like '%".$db->escape($search_nom)."%'";
+if ($search_contract) $sql.= " AND c.rowid = '".$db->escape($search_contract)."'";
+if ($search_service) $sql.= " AND (p.ref like '%".$db->escape($search_service)."%' OR p.description like '%".$db->escape($search_service)."%')";
if ($socid > 0) $sql.= " AND s.rowid = ".$socid;
$filter_date1=dol_mktime(0,0,0,$_REQUEST['op1month'],$_REQUEST['op1day'],$_REQUEST['op1year']);
$filter_date2=dol_mktime(0,0,0,$_REQUEST['op2month'],$_REQUEST['op2day'],$_REQUEST['op2year']);
diff --git a/htdocs/expedition/liste.php b/htdocs/expedition/liste.php
index 10d95c63123814f15930fb7af5f144cf70ce2b90..b2d8752f5349daae62f030c1f635c082ba1dc58f 100644
--- a/htdocs/expedition/liste.php
+++ b/htdocs/expedition/liste.php
@@ -81,7 +81,7 @@ if ($socid)
}
if ($_POST["sf_ref"])
{
- $sql.= " AND e.ref like '%".addslashes($_POST["sf_ref"])."%'";
+ $sql.= " AND e.ref like '%".$db->escape($_POST["sf_ref"])."%'";
}
$sql.= $db->order($sortfield,$sortorder);
diff --git a/htdocs/fichinter/index.php b/htdocs/fichinter/index.php
index c3eba98e93770693bbec702dace5d9ef28569e46..200fffb153e51fe996fca1286bdbc769e9a9fb22 100644
--- a/htdocs/fichinter/index.php
+++ b/htdocs/fichinter/index.php
@@ -80,9 +80,9 @@ $sql.= ", ".MAIN_DB_PREFIX."fichinter as f)";
$sql.= " LEFT JOIN ".MAIN_DB_PREFIX."fichinterdet as fd ON fd.fk_fichinter = f.rowid";
$sql.= " WHERE f.fk_soc = s.rowid ";
$sql.= " AND f.entity = ".$conf->entity;
-if ($search_ref) $sql .= " AND f.ref like '%".addslashes($search_ref)."%'";
-if ($search_company) $sql .= " AND s.nom like '%".addslashes($search_company)."%'";
-if ($search_desc) $sql .= " AND (f.description like '%".addslashes($search_desc)."%' OR fd.description like '%".addslashes($search_desc)."%')";
+if ($search_ref) $sql .= " AND f.ref like '%".$db->escape($search_ref)."%'";
+if ($search_company) $sql .= " AND s.nom like '%".$db->escape($search_company)."%'";
+if ($search_desc) $sql .= " AND (f.description like '%".$db->escape($search_desc)."%' OR fd.description like '%".$db->escape($search_desc)."%')";
if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
if ($socid) $sql.= " AND s.rowid = " . $socid;
$sql.= " ORDER BY ".$sortfield." ".$sortorder;
diff --git a/htdocs/fourn/commande/liste.php b/htdocs/fourn/commande/liste.php
index 2865c71d2bb684688ef6f6c40d23898e0539671e..3d4b4bacf9fd5748712c2905d2cd2883a93b276f 100644
--- a/htdocs/fourn/commande/liste.php
+++ b/htdocs/fourn/commande/liste.php
@@ -87,15 +87,15 @@ $sql.= " AND s.entity = ".$conf->entity;
if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
if ($sref)
{
- $sql.= " AND cf.ref LIKE '%".addslashes($sref)."%'";
+ $sql.= " AND cf.ref LIKE '%".$db->escape($sref)."%'";
}
if ($snom)
{
- $sql.= " AND s.nom LIKE '%".addslashes($snom)."%'";
+ $sql.= " AND s.nom LIKE '%".$db->escape($snom)."%'";
}
if ($suser)
{
- $sql.= " AND u.login LIKE '%".addslashes($suser)."%'";
+ $sql.= " AND u.login LIKE '%".$db->escape($suser)."%'";
}
if ($sttc)
{
@@ -103,7 +103,7 @@ if ($sttc)
}
if ($sall)
{
- $sql.= " AND (cf.ref like '%".addslashes($sall)."%' OR cf.note like '%".addslashes($sall)."%')";
+ $sql.= " AND (cf.ref like '%".$db->escape($sall)."%' OR cf.note like '%".$db->escape($sall)."%')";
}
if ($socid) $sql.= " AND s.rowid = ".$socid;
diff --git a/htdocs/fourn/facture/index.php b/htdocs/fourn/facture/index.php
index f5b5a816c825cd450fae9abc828eda4fc615ef96..99655e4f7777682a033268c6e74ff7d16ae55018 100644
--- a/htdocs/fourn/facture/index.php
+++ b/htdocs/fourn/facture/index.php
@@ -69,7 +69,7 @@ if ($_POST["mode"] == 'search')
if ($_POST["mode-search"] == 'soc')
{
$sql = "SELECT s.rowid FROM ".MAIN_DB_PREFIX."societe as s ";
- $sql.= " WHERE s.nom like '%".addslashes(strtolower($socname))."%'";
+ $sql.= " WHERE s.nom like '%".$db->escape(strtolower($socname))."%'";
}
$resql=$db->query($sql);
@@ -120,11 +120,11 @@ if ($_GET["filtre"])
if ($_REQUEST["search_ref"])
{
- $sql .= " AND fac.rowid like '%".addslashes($_REQUEST["search_ref"])."%'";
+ $sql .= " AND fac.rowid like '%".$db->escape($_REQUEST["search_ref"])."%'";
}
if ($_REQUEST["search_ref_supplier"])
{
- $sql .= " AND fac.facnumber like '%".addslashes($_REQUEST["search_ref_supplier"])."%'";
+ $sql .= " AND fac.facnumber like '%".$db->escape($_REQUEST["search_ref_supplier"])."%'";
}
if ($month > 0)
{
@@ -139,22 +139,22 @@ else if ($year > 0)
}
if ($_GET["search_libelle"])
{
- $sql .= " AND fac.libelle like '%".addslashes($_GET["search_libelle"])."%'";
+ $sql .= " AND fac.libelle like '%".$db->escape($_GET["search_libelle"])."%'";
}
if ($_GET["search_societe"])
{
- $sql .= " AND s.nom like '%".addslashes($_GET["search_societe"])."%'";
+ $sql .= " AND s.nom like '%".$db->escape($_GET["search_societe"])."%'";
}
if ($_GET["search_montant_ht"])
{
- $sql .= " AND fac.total_ht = '".addslashes($_GET["search_montant_ht"])."'";
+ $sql .= " AND fac.total_ht = '".$db->escape($_GET["search_montant_ht"])."'";
}
if ($_GET["search_montant_ttc"])
{
- $sql .= " AND fac.total_ttc = '".addslashes($_GET["search_montant_ttc"])."'";
+ $sql .= " AND fac.total_ttc = '".$db->escape($_GET["search_montant_ttc"])."'";
}
$sql.= $db->order($sortfield,$sortorder);
diff --git a/htdocs/fourn/facture/paiement.php b/htdocs/fourn/facture/paiement.php
index 48f535b66129489341493f32d3cba54613492e66..58dcf976252c6dfa22883076066681eaaf8896bc 100644
--- a/htdocs/fourn/facture/paiement.php
+++ b/htdocs/fourn/facture/paiement.php
@@ -383,7 +383,7 @@ if (! $_GET['action'] && ! $_POST['action'])
}
if ($_REQUEST["search_company"])
{
- $sql .=" AND s.nom LIKE '%".addslashes($_REQUEST["search_company"])."%'";
+ $sql .=" AND s.nom LIKE '%".$db->escape($_REQUEST["search_company"])."%'";
}
$sql.= $db->order($sortfield,$sortorder);
$sql.= $db->plimit($limit + 1 ,$offset);
diff --git a/htdocs/fourn/liste.php b/htdocs/fourn/liste.php
index ce7882dfa7c8ff23b6139e51493865ea4b6da6a6..661cd130b672c95e8190c103107e6146688b9b17 100644
--- a/htdocs/fourn/liste.php
+++ b/htdocs/fourn/liste.php
@@ -78,22 +78,22 @@ if ($search_categ) $sql.= " AND s.rowid = cf.fk_societe"; // Join for the needed
if (!$user->rights->societe->client->voir && !$socid) $sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
if ($socid) $sql .= " AND s.rowid = ".$socid;
if ($socname) {
- $sql .= " AND s.nom like '%".addslashes($socname)."%'";
+ $sql .= " AND s.nom like '%".$db->escape($socname)."%'";
$sortfield = "s.nom";
$sortorder = "ASC";
}
if ($search_nom)
{
- $sql .= " AND s.nom LIKE '%".addslashes($search_nom)."%'";
+ $sql .= " AND s.nom LIKE '%".$db->escape($search_nom)."%'";
}
if ($search_ville)
{
- $sql .= " AND s.ville LIKE '%".addslashes($search_ville)."%'";
+ $sql .= " AND s.ville LIKE '%".$db->escape($search_ville)."%'";
}
// Insert categ filter
if ($search_categ)
{
- $sql .= " AND cf.fk_categorie = ".addslashes($search_categ);
+ $sql .= " AND cf.fk_categorie = ".$db->escape($search_categ);
}
// Count total nb of records
$nbtotalofrecords = 0;
diff --git a/htdocs/includes/login/functions_dolibarr.php b/htdocs/includes/login/functions_dolibarr.php
index a5458cfcd0ad8563624764ea3cb582233830a3f3..6ef452e32e84be19c937983fe0cbfbcf647c337d 100644
--- a/htdocs/includes/login/functions_dolibarr.php
+++ b/htdocs/includes/login/functions_dolibarr.php
@@ -48,7 +48,7 @@ function check_user_password_dolibarr($usertotest,$passwordtotest)
$sql ='SELECT pass, pass_crypted';
$sql.=' FROM '.$table;
- $sql.=' WHERE '.$usernamecol." = '".addslashes($_POST["username"])."'";
+ $sql.=' WHERE '.$usernamecol." = '".$db->escape($_POST["username"])."'";
$sql.=' AND '.$entitycol." IN (0," . ($_POST["entity"] ? $_POST["entity"] : 1) . ")";
dol_syslog("functions_dolibarr::check_user_password_dolibarr sql=".$sql);
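Review bot: `$_POST["entity"]` on the line after the change is concatenated raw into the login query's `IN (0,...)` list, so the authentication statement remains injectable even though `username` is now escaped; `(int) $_POST["entity"]` with the fallback to 1 kept is the minimal guard. The function takes `$usertotest` yet queries `$_POST["username"]` directly, which makes it unusable for any caller passing a different value and bypasses whatever the caller validated; using the parameter is the consistent choice. The function header is outside the hunk, so whether `$db` is brought in with `global $db` cannot be confirmed here — `$db->escape` on an undefined `$db` is a fatal error rather than a failed query.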
diff --git a/htdocs/includes/login/functions_myopenid.php b/htdocs/includes/login/functions_myopenid.php
index 17baa87a7a1cd285ab9d1d753db6c09633950a86..e1a67e824037804fe3460a6eb6fea35cc9aeac02 100644
--- a/htdocs/includes/login/functions_myopenid.php
+++ b/htdocs/includes/login/functions_myopenid.php
@@ -69,7 +69,7 @@ function check_user_password_myopenid($usertotest,$passwordtotest)
$sql ="SELECT login";
$sql.=" FROM ".MAIN_DB_PREFIX."user";
- $sql.=" WHERE openid = '".addslashes($_GET['openid_identity'])."'";
+ $sql.=" WHERE openid = '".$db->escape($_GET['openid_identity'])."'";
$sql.=" AND entity IN (0," . ($_SESSION["dol_entity"] ? $_SESSION["dol_entity"] : 1) . ")";
dol_syslog("functions_dolibarr::check_user_password_myopenid sql=".$sql);
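Review bot: As in functions_dolibarr.php, the changed line queries `$_GET['openid_identity']` directly instead of the `$usertotest` parameter the function receives, so the escaping is applied to a value the caller never sees or validates. The session entity on the next line is concatenated bare; a cast there, `(int) ($_SESSION["dol_entity"] ? $_SESSION["dol_entity"] : 1)`, keeps the statement's shape fixed regardless of what was stored. The function body starts outside the hunk, so the `$db` scope cannot be confirmed from here.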
diff --git a/htdocs/install/inc.php b/htdocs/install/inc.php
index 57cd16177ce00875170750121eb6205a0d8930c0..b009b9e18bd1d3f26ba8230e72d1039c6b85a08e 100644
--- a/htdocs/install/inc.php
+++ b/htdocs/install/inc.php
@@ -191,7 +191,7 @@ if (! defined('SYSLOG_FILE_NO_ERROR'))
// Forcage du parametrage PHP magic_quotes_gpc et nettoyage des parametres
// (Sinon il faudrait a chaque POST, conditionner
// la lecture de variable par stripslashes selon etat de get_magic_quotes).
-// En mode off (recommande il faut juste faire addslashes au moment d'un insert/update.
+// En mode off (recommande il faut juste faire $db->escape au moment d'un insert/update.
function stripslashes_deep($value)
{
return (is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value));
diff --git a/htdocs/install/upgrade2.php b/htdocs/install/upgrade2.php
index 9c50e9cdf4adce9cd21788b6efbbe9f30045650a..52f390aa19f9995b2aab6f40c48829636e11f8f0 100644
--- a/htdocs/install/upgrade2.php
+++ b/htdocs/install/upgrade2.php
@@ -748,7 +748,7 @@ function migrate_contracts_det($db,$langs,$conf)
$sql.= " VALUES (";
$sql.= $obj->cref.",".($obj->fk_product?$obj->fk_product:0).",";
$sql.= ($obj->mise_en_service?"4":"0").",";
- $sql.= "'".addslashes($obj->label)."', null,";
+ $sql.= "'".$db->escape($obj->label)."', null,";
$sql.= ($obj->mise_en_service?"'".$obj->mise_en_service."'":($obj->date_contrat?"'".$obj->date_contrat."'":"null")).",";
$sql.= ($obj->mise_en_service?"'".$obj->mise_en_service."'":"null").",";
$sql.= ($obj->fin_validite?"'".$obj->fin_validite."'":"null").",";
@@ -1953,7 +1953,7 @@ function migrate_detail_livraison($db,$langs,$conf)
$sql = "UPDATE ".MAIN_DB_PREFIX."livraisondet SET";
$sql.= " fk_product=".$obj->fk_product;
- $sql.= ",description='".addslashes($obj->description)."'";
+ $sql.= ",description='".$db->escape($obj->description)."'";
$sql.= ",subprice='".$obj->subprice."'";
$sql.= ",total_ht='".$obj->total_ht."'";
$sql.= " WHERE fk_commande_ligne = ".$obj->rowid;
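Review bot: `$obj->fk_product` on L658 is concatenated unquoted, so a NULL or empty value produces `SET fk_product=,description=...`, a syntax error that would abort the migration for that row; the SELECT that fills `$obj` is outside the hunk, so if the column is nullable guard it, e.g. `$sql.= " fk_product=".($obj->fk_product ? (int) $obj->fk_product : "null");`. `subprice`/`total_ht` on L661-L662 and `rowid` on L663 are likewise raw; numeric columns are better cast than escaped. The function starts outside the hunk.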
diff --git a/htdocs/lib/company.lib.php b/htdocs/lib/company.lib.php
index 11831e080b6f2e83aeff4836a6d189959c2dcae8..f62ebd6431fc50f7008108e307d28d64c631dd80 100644
--- a/htdocs/lib/company.lib.php
+++ b/htdocs/lib/company.lib.php
@@ -720,7 +720,7 @@ function show_actions_done($conf,$langs,$db,$object,$objcon='')
$sql.= " 'AC_EMAILING' as acode,";
$sql.= " u.rowid as user_id, u.login"; // User that valid action
$sql.= " FROM ".MAIN_DB_PREFIX."mailing as m, ".MAIN_DB_PREFIX."mailing_cibles as mc, ".MAIN_DB_PREFIX."user as u";
- $sql.= " WHERE mc.email = '".addslashes($objcon->email)."'"; // Search is done on email.
+ $sql.= " WHERE mc.email = '".$db->escape($objcon->email)."'"; // Search is done on email.
$sql.= " AND mc.statut = 1";
$sql.= " AND u.rowid = m.fk_user_valid";
$sql.= " AND mc.fk_mailing=m.rowid";
diff --git a/htdocs/lib/functions2.lib.php b/htdocs/lib/functions2.lib.php
index 64a973133ecce093309e3601acade7b1c2c8a232..0da839cb59ab388972ee3f2e1a592da57ba95b3e 100644
--- a/htdocs/lib/functions2.lib.php
+++ b/htdocs/lib/functions2.lib.php
@@ -900,7 +900,7 @@ function dol_set_user_param($db, $conf, &$user, $tab)
{
$sql = "INSERT INTO ".MAIN_DB_PREFIX."user_param(fk_user,entity,param,value)";
$sql.= " VALUES (".$user->id.",".$conf->entity.",";
- $sql.= " '".$key."','".addslashes($value)."');";
+ $sql.= " '".$key."','".$db->escape($value)."');";
dol_syslog("functions2.lib::dol_set_user_param sql=".$sql, LOG_DEBUG);
$result=$db->query($sql);
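Review bot: `$key` on L686 is still concatenated raw into the quoted `param` column while `$value` beside it is escaped; the keys of `$tab` come from the caller, so they should pass through the same escape: `$sql.= " '".$db->escape($key)."','".$db->escape($value)."');";`. Some drivers also reject a trailing `;` inside the statement string, so dropping it is cheap. The function begins and ends outside the hunk.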
diff --git a/htdocs/product/composition/fiche.php b/htdocs/product/composition/fiche.php
index 9378c982314f7f39dd4b7fd4f8ae4aec06f3c013..4c24114a6f390c93052e26473c521a5783ae8082 100644
--- a/htdocs/product/composition/fiche.php
+++ b/htdocs/product/composition/fiche.php
@@ -121,7 +121,7 @@ if($action == 'search' )
}
if ($conf->categorie->enabled && $catMere != -1 and $catMere)
{
- $sql.= " AND cp.fk_categorie ='".addslashes($catMere)."'";
+ $sql.= " AND cp.fk_categorie ='".$db->escape($catMere)."'";
}
$sql.= " ORDER BY p.ref ASC";
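Review bot: `cp.fk_categorie` is an integer foreign key, so the quoted `$db->escape($catMere)` on L698 relies on the driver coercing a string to an int; a cast is stricter and driver-independent: `$sql.= " AND cp.fk_categorie = ".(int) $catMere;`. The surrounding `if` chain and the start of the query are outside the hunk.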
diff --git a/htdocs/product/liste.php b/htdocs/product/liste.php
index b4fb84569ec55ea2c710ddf6288e35ba59f131ab..b034364b4b9438fea58f131fb225307937e55856 100644
--- a/htdocs/product/liste.php
+++ b/htdocs/product/liste.php
@@ -143,7 +143,7 @@ else
}
if ($sall)
{
- $sql.= " AND (p.ref like '%".addslashes($sall)."%' OR p.label like '%".addslashes($sall)."%' OR p.description like '%".addslashes($sall)."%' OR p.note like '%".addslashes($sall)."%')";
+ $sql.= " AND (p.ref like '%".$db->escape($sall)."%' OR p.label like '%".$db->escape($sall)."%' OR p.description like '%".$db->escape($sall)."%' OR p.note like '%".$db->escape($sall)."%')";
}
# if the type is not 1, we show all products (type = 0,2,3)
if (dol_strlen($type))
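Review bot: `$db->escape()` on L710 neutralises quotes but not the LIKE metacharacters `%` and `_`, so a search string can still widen the match beyond its literal text; if that is not intended, escape them once (the escape character depends on the backend, `\` for MySQL), e.g. `$s = str_replace(array('%','_'), array('\%','\_'), $db->escape($sall));`, and reuse `$s` in the four clauses. Computing the escaped value once would also shorten the line considerably.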
@@ -156,10 +156,10 @@ if (dol_strlen($type))
}
if ($sref) $sql.= " AND p.ref like '%".$sref."%'";
if ($sbarcode) $sql.= " AND p.barcode like '%".$sbarcode."%'";
-if ($snom) $sql.= " AND p.label like '%".addslashes($snom)."%'";
+if ($snom) $sql.= " AND p.label like '%".$db->escape($snom)."%'";
if (isset($_GET["tosell"]) && dol_strlen($_GET["tosell"]) > 0)
{
- $sql.= " AND p.tosell = ".addslashes($_GET["tosell"]);
+ $sql.= " AND p.tosell = ".$db->escape($_GET["tosell"]);
}
if (isset($_GET["tobuy"]) && dol_strlen($_GET["tobuy"]) > 0)
{
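Review bot: `$sref` and `$sbarcode` on L716-L717 are still concatenated into LIKE patterns with no escaping at all, so this hunk leaves two injection points right beside the one it fixes; they need the same `$db->escape()` treatment. The `tosell` filter on L723 is unquoted, and `$db->escape()` only handles quote characters, so a value such as `1 OR 1=1` passes through untouched — use `$sql.= " AND p.tosell = ".(int) $_GET["tosell"];` (and the same for `tobuy`, whose line is outside the hunk).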
@@ -167,7 +167,7 @@ if (isset($_GET["tobuy"]) && dol_strlen($_GET["tobuy"]) > 0)
}
if (dol_strlen($canvas) > 0)
{
- $sql.= " AND p.canvas = '".addslashes($canvas)."'";
+ $sql.= " AND p.canvas = '".$db->escape($canvas)."'";
}
if($catid)
{
@@ -180,7 +180,7 @@ if ($fourn_id > 0)
// Insert categ filter
if ($search_categ)
{
- $sql .= " AND cp.fk_categorie = ".addslashes($search_categ);
+ $sql .= " AND cp.fk_categorie = ".$db->escape($search_categ);
}
$sql.= " GROUP BY p.rowid, p.ref, p.label, p.barcode, p.price, p.price_ttc, p.price_base_type,";
$sql.= " p.fk_product_type, p.tms,";
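Review bot: `$search_categ` on L741 is concatenated unquoted, so `$db->escape()` does not constrain it — the escape only addresses quote characters, and a payload without quotes still alters the query; since `cp.fk_categorie` is an integer column, cast instead: `$sql .= " AND cp.fk_categorie = ".(int) $search_categ;`.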
diff --git a/htdocs/product/reassort.php b/htdocs/product/reassort.php
index 3896b7a0a02d81b2eb72a22f0cf73aa1097de7b5..d3a39056440963bdfe17f5123c6221a5639793c2 100644
--- a/htdocs/product/reassort.php
+++ b/htdocs/product/reassort.php
@@ -118,7 +118,7 @@ else
}
if ($sall)
{
- $sql.= " AND (p.ref like '%".addslashes($sall)."%' OR p.label like '%".addslashes($sall)."%' OR p.description like '%".addslashes($sall)."%' OR p.note like '%".addslashes($sall)."%')";
+ $sql.= " AND (p.ref like '%".$db->escape($sall)."%' OR p.label like '%".$db->escape($sall)."%' OR p.description like '%".$db->escape($sall)."%' OR p.note like '%".$db->escape($sall)."%')";
}
# if the type is not 1, we show all products (type = 0,2,3)
if (dol_strlen($type))
@@ -131,7 +131,7 @@ if (dol_strlen($type))
}
if ($sref) $sql.= " AND p.ref like '%".$sref."%'";
if ($sbarcode) $sql.= " AND p.barcode like '%".$sbarcode."%'";
-if ($snom) $sql.= " AND p.label like '%".addslashes($snom)."%'";
+if ($snom) $sql.= " AND p.label like '%".$db->escape($snom)."%'";
if (isset($_GET["tosell"]) && dol_strlen($_GET["tosell"]) > 0)
{
$sql.= " AND p.tosell = ".$_GET["tosell"];
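Review bot: `$_GET["tosell"]` on L766 is concatenated into the query with no escaping or cast at all — the sibling line in product/liste.php gets `$db->escape()` in this same patch, but here it is untouched, and as an unquoted numeric it needs `$sql.= " AND p.tosell = ".(int) $_GET["tosell"];`. `$sref` and `$sbarcode` on L760-L761 are likewise still raw inside LIKE patterns and need `$db->escape()`.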
@@ -142,7 +142,7 @@ if (isset($_GET["tobuy"]) && dol_strlen($_GET["tobuy"]) > 0)
}
if (dol_strlen($canvas) > 0)
{
- $sql.= " AND p.canvas = '".addslashes($canvas)."'";
+ $sql.= " AND p.canvas = '".$db->escape($canvas)."'";
}
if($catid)
{
@@ -155,7 +155,7 @@ if ($fourn_id > 0)
// Insert categ filter
if ($search_categ)
{
- $sql .= " AND cp.fk_categorie = ".addslashes($search_categ);
+ $sql .= " AND cp.fk_categorie = ".$db->escape($search_categ);
}
$sql.= " GROUP BY p.rowid, p.ref, p.label, p.barcode, p.price, p.price_ttc, p.price_base_type,";
$sql.= " p.fk_product_type, p.tms,";
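Review bot: `$search_categ` on L781 is unquoted, so `$db->escape()` leaves any quote-free payload intact and the filter stays injectable; `cp.fk_categorie` is an integer column, so cast it: `$sql .= " AND cp.fk_categorie = ".(int) $search_categ;`.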
diff --git a/htdocs/product/stock/mouvement.php b/htdocs/product/stock/mouvement.php
index 01bf675e822db922cd986b9fefcca3f206fb230c..1353eb699d50889a086d09021b691b878823b410 100644
--- a/htdocs/product/stock/mouvement.php
+++ b/htdocs/product/stock/mouvement.php
@@ -105,19 +105,19 @@ else if ($year > 0)
}
if (! empty($search_movement))
{
- $sql.= " AND m.label LIKE '%".addslashes($search_movement)."%'";
+ $sql.= " AND m.label LIKE '%".$db->escape($search_movement)."%'";
}
if (! empty($search_product))
{
- $sql.= " AND p.label LIKE '%".addslashes($search_product)."%'";
+ $sql.= " AND p.label LIKE '%".$db->escape($search_product)."%'";
}
if (! empty($search_warehouse))
{
- $sql.= " AND s.label LIKE '%".addslashes($search_warehouse)."%'";
+ $sql.= " AND s.label LIKE '%".$db->escape($search_warehouse)."%'";
}
if (! empty($search_user))
{
- $sql.= " AND u.login LIKE '%".addslashes($search_user)."%'";
+ $sql.= " AND u.login LIKE '%".$db->escape($search_user)."%'";
}
if (! empty($_GET['idproduct']))
{
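Review bot: The four LIKE filters on L794-L809 now escape quotes, but `$db->escape()` leaves the `%` and `_` wildcards alone, so a search term can still match far more than its literal text; if literal substring search is the intent, escape those characters as well (for MySQL `str_replace(array('%','_'), array('\%','\_'), ...)`). A tiny local helper would avoid repeating the same expression four times. The `idproduct` branch opened on L811 continues outside the hunk.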
diff --git a/htdocs/product/stock/valo.php b/htdocs/product/stock/valo.php
index e4201dcc85cdc6997f0a9f647615c3efc67909a1..533d7cadd43c9749cdb76bd543f6942f94f49807 100644
--- a/htdocs/product/stock/valo.php
+++ b/htdocs/product/stock/valo.php
@@ -65,11 +65,11 @@ if ($sref)
}
if ($sall)
{
- $sql.= " AND (e.label LIKE '%".addslashes($sall)."%'";
- $sql.= " OR e.description LIKE '%".addslashes($sall)."%'";
- $sql.= " OR e.lieu LIKE '%".addslashes($sall)."%'";
- $sql.= " OR e.address LIKE '%".addslashes($sall)."%'";
- $sql.= " OR e.ville LIKE '%".addslashes($sall)."%')";
+ $sql.= " AND (e.label LIKE '%".$db->escape($sall)."%'";
+ $sql.= " OR e.description LIKE '%".$db->escape($sall)."%'";
+ $sql.= " OR e.lieu LIKE '%".$db->escape($sall)."%'";
+ $sql.= " OR e.address LIKE '%".$db->escape($sall)."%'";
+ $sql.= " OR e.ville LIKE '%".$db->escape($sall)."%')";
}
$sql.= " GROUP BY e.rowid, e.label, e.statut, e.lieu";
$sql.= " ORDER BY $sortfield $sortorder ";
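Review bot: `$sortfield` and `$sortorder` on L833 are interpolated straight into `ORDER BY`; `$db->escape()` cannot protect an identifier position, and these values usually come from the request (their origin is outside the hunk). Either validate them against the set of sortable columns or route them through the helper that projet/liste.php already uses in this same patch: `$sql.= $db->order($sortfield,$sortorder);`.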
diff --git a/htdocs/projet/liste.php b/htdocs/projet/liste.php
index b23eeec9eea9fc9702e4fb870f52fe5e1f8d7797..65fbd0df786ef8b8e5348787542208a0ce9a62aa 100644
--- a/htdocs/projet/liste.php
+++ b/htdocs/projet/liste.php
@@ -81,15 +81,15 @@ if (! $user->rights->projet->all->lire) $sql.= " AND p.rowid IN (".$projectsList
if ($socid) $sql.= " AND (p.fk_soc IS NULL OR p.fk_soc = 0 OR p.fk_soc = ".$socid.")";
if ($_GET["search_ref"])
{
- $sql.= " AND p.ref LIKE '%".addslashes($_GET["search_ref"])."%'";
+ $sql.= " AND p.ref LIKE '%".$db->escape($_GET["search_ref"])."%'";
}
if ($_GET["search_label"])
{
- $sql.= " AND p.title LIKE '%".addslashes($_GET["search_label"])."%'";
+ $sql.= " AND p.title LIKE '%".$db->escape($_GET["search_label"])."%'";
}
if ($_GET["search_societe"])
{
- $sql.= " AND s.nom LIKE '%".addslashes($_GET["search_societe"])."%'";
+ $sql.= " AND s.nom LIKE '%".$db->escape($_GET["search_societe"])."%'";
}
$sql.= $db->order($sortfield,$sortorder);
$sql.= $db->plimit($conf->liste_limit+1, $offset);
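Review bot: `$socid` on L839 is concatenated unquoted into `p.fk_soc = ...` with neither escape nor cast, and its origin is outside the hunk; if it can come from the request, `(int) $socid` is the fix, since `$db->escape()` would not help in an unquoted numeric position anyway. `$projectsList` on L838 is interpolated the same way and is presumably an id list, but confirming it is built from integers only would close the last raw value in this WHERE clause.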
diff --git a/htdocs/societe/socnote.php b/htdocs/societe/socnote.php
index cbaa87cef6c997e2bbdbcc10fce90fe165c1ee5b..f901dca092dbfa0174674034d0a91083dbecbed1 100644
--- a/htdocs/societe/socnote.php
+++ b/htdocs/societe/socnote.php
@@ -46,7 +46,7 @@ $result = restrictedArea($user, 'societe', $socid);
if ($action == 'add')
{
- $sql = "UPDATE ".MAIN_DB_PREFIX."societe SET note='".addslashes($_POST["note"])."' WHERE rowid=".$_POST["socid"];
+ $sql = "UPDATE ".MAIN_DB_PREFIX."societe SET note='".$db->escape($_POST["note"])."' WHERE rowid=".$_POST["socid"];
$result = $db->query($sql);
$_GET["socid"]=$_POST["socid"]; // Pour retour sur fiche
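Review bot: `$_POST["socid"]` on L865 is concatenated unquoted into `WHERE rowid=` with no cast, so the note value is now escaped while the row selector stays injectable; the hunk header also shows restrictedArea() being checked against `$socid`, not `$_POST["socid"]`, so if the two can differ the UPDATE may land on a company the user was never authorised for. Use the authorised id, cast: `... SET note='".$db->escape($_POST["note"])."' WHERE rowid=".(int) $socid;` (or reject the request when `(int) $_POST["socid"] !== (int) $socid`).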
diff --git a/htdocs/support/inc.php b/htdocs/support/inc.php
index bf0ce03347130ca86f47d318bcc8fa9b8cafe33e..74e0c3ddb9bb9201aed9ebea8d6ba5dcf2433b97 100644
--- a/htdocs/support/inc.php
+++ b/htdocs/support/inc.php
@@ -126,7 +126,7 @@ if (empty($conf->db->user)) $conf->db->user='';
// Forcage du parametrage PHP magic_quotes_gpc et nettoyage des parametres
// (Sinon il faudrait a chaque POST, conditionner
// la lecture de variable par stripslashes selon etat de get_magic_quotes).
-// En mode off (recommande il faut juste faire addslashes au moment d'un insert/update.
+// En mode off (recommande il faut juste faire $db->escape au moment d'un insert/update.
function stripslashes_deep($value)
{
return (is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value));
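Review bot: The rewritten comment on L877 still claims escaping is only needed "au moment d'un insert/update", while this same patch escapes SELECT/WHERE filter values, so the guidance is narrower than the code it describes (and the parenthesis after "mode off" is left open). Suggest `// With magic_quotes off (recommended), every value concatenated into SQL — SELECT filters included — must go through $db->escape() or an (int) cast.`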