From adfb9ea34175e5e60d5c22c7e34f87daef5f96df Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@users.sourceforge.net>
Date: Sat, 20 Nov 2010 13:08:44 +0000
Subject: [PATCH] Sec: Removed security holes

---
 htdocs/adherents/cotisations.php              | 10 +++---
 htdocs/adherents/document.php                 | 13 +++-----
 htdocs/adherents/liste.php                    | 17 +++++-----
 htdocs/admin/dict.php                         |  9 ++++--
 htdocs/admin/tools/listevents.php             | 11 +++----
 htdocs/admin/tools/listsessions.php           | 11 +++----
 htdocs/bookmarks/liste.php                    | 15 ++++-----
 htdocs/cashdesk/index.php                     |  4 ++-
 htdocs/comm/action/document.php               | 15 ++++-----
 htdocs/comm/action/index.php                  |  3 +-
 htdocs/comm/action/listactions.php            | 32 +++++++++----------
 htdocs/comm/action/rapport/index.php          | 10 +++---
 htdocs/comm/bookmark.php                      | 24 +++++++-------
 htdocs/comm/fiche.php                         |  9 ++++--
 htdocs/comm/mailing/cibles.php                | 14 ++++----
 htdocs/comm/mailing/liste.php                 | 15 ++++-----
 htdocs/comm/propal.php                        | 14 ++++----
 htdocs/comm/propal/document.php               | 15 ++++-----
 htdocs/comm/prospect/prospects.php            | 18 +++++------
 htdocs/commande/document.php                  | 17 +++++-----
 htdocs/commande/liste.php                     | 21 ++++++------
 htdocs/compta/bank/search.php                 | 11 ++++---
 htdocs/compta/clients.php                     | 15 ++++-----
 htdocs/compta/commande/liste.php              | 23 +++++++------
 htdocs/compta/deplacement/index.php           | 18 ++++-------
 htdocs/compta/dons/liste.php                  | 16 +++++-----
 htdocs/compta/facture.php                     | 18 +++++++----
 htdocs/compta/facture/document.php            | 15 ++++-----
 htdocs/compta/facture/impayees.php            | 11 ++++---
 htdocs/compta/paiement/avalider.php           | 12 ++++---
 htdocs/compta/paiement/cheque/liste.php       | 12 ++++---
 htdocs/compta/paiement/liste.php              | 12 ++++---
 htdocs/compta/propal.php                      | 12 ++++---
 htdocs/compta/sociales/index.php              | 17 ++++------
 htdocs/compta/ventilation/liste.php           | 12 ++++---
 htdocs/contrat/document.php                   | 15 ++++-----
 htdocs/ecm/docdir.php                         | 13 ++++----
 htdocs/ecm/docfile.php                        | 13 ++++----
 htdocs/ecm/docmine.php                        | 15 ++++-----
 htdocs/ecm/index.php                          | 13 ++++----
 htdocs/ecm/search.php                         | 13 ++++----
 htdocs/expedition/liste.php                   | 12 ++++---
 htdocs/fichinter/document.php                 | 15 ++++-----
 htdocs/fichinter/index.php                    | 10 ++++--
 htdocs/fourn/commande/document.php            | 15 ++++-----
 htdocs/fourn/contact.php                      | 13 ++++----
 htdocs/fourn/facture/document.php             | 15 ++++-----
 htdocs/fourn/facture/impayees.php             | 16 +++++-----
 htdocs/fourn/facture/paiement.php             | 12 ++++---
 htdocs/ftp/index.php                          | 13 ++++----
 htdocs/lib/functions.lib.php                  | 15 ++++-----
 htdocs/main.inc.php                           | 20 +++++++-----
 htdocs/product/composition/fiche.php          |  1 -
 htdocs/product/document.php                   | 15 ++++-----
 htdocs/product/liste.php                      | 14 +++++---
 htdocs/product/stats/commande.php             | 14 ++++----
 htdocs/product/stats/commande_fournisseur.php | 14 ++++----
 htdocs/product/stats/contrat.php              | 14 ++++----
 htdocs/product/stats/facture.php              | 14 ++++----
 htdocs/product/stats/facture_fournisseur.php  | 14 ++++----
 htdocs/product/stats/propal.php               | 14 ++++----
 htdocs/product/stock/fiche.php                |  1 -
 htdocs/product/stock/user.php                 |  3 --
 htdocs/projet/document.php                    | 15 ++++-----
 htdocs/projet/tasks/document.php              | 15 ++++-----
 htdocs/public/members/public_list.php         | 14 ++++----
 htdocs/societe/document.php                   | 16 +++-------
 htdocs/societe/notify/fiche.php               |  9 ++++--
 htdocs/user/group/index.php                   | 14 ++++----
 htdocs/user/index.php                         | 14 ++++----
 70 files changed, 493 insertions(+), 461 deletions(-)

diff --git a/htdocs/adherents/cotisations.php b/htdocs/adherents/cotisations.php
index 38049cd4cd3..3c18c0edfcc 100644
--- a/htdocs/adherents/cotisations.php
+++ b/htdocs/adherents/cotisations.php
@@ -32,18 +32,18 @@ require_once(DOL_DOCUMENT_ROOT."/compta/bank/class/account.class.php");
 
 $langs->load("members");
 
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-$page=$_GET["page"];
 $filter=$_GET["filter"];
 $statut=isset($_GET["statut"])?$_GET["statut"]:1;
 
-if (! $sortorder) {  $sortorder="DESC"; }
-if (! $sortfield) {  $sortfield="c.dateadh"; }
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
 if ($page == -1) { $page = 0 ; }
 $offset = $conf->liste_limit * $page ;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
+if (! $sortorder) {  $sortorder="DESC"; }
+if (! $sortfield) {  $sortfield="c.dateadh"; }
 
 $msg='';
 $date_select=isset($_GET["date_select"])?$_GET["date_select"]:$_POST["date_select"];
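Review bot: The conversion of this file is only partial: `$filter` on the context line just above the new GETPOST block, `$statut` below it, and `$date_select` on the hunk's last line are still read raw from `$_GET`/`$_POST`. If they reach the SQL or the HTML like the sort parameters do, they carry the same risk the commit is closing; `$filter = GETPOST("filter",'alpha');`, `$statut = (GETPOST("statut",'int') !== '') ? GETPOST("statut",'int') : 1;` and `$date_select = GETPOST("date_select",'alpha');` would finish the job while keeping the `1` default for `statut`. Note that an 'alpha' check (its implementation lives in functions.lib.php, outside this view) is an input filter, not a SQL escape, so the query site must still escape any of these that are used as string literals.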
diff --git a/htdocs/adherents/document.php b/htdocs/adherents/document.php
index 14a65528517..aaf62c657ce 100644
--- a/htdocs/adherents/document.php
+++ b/htdocs/adherents/document.php
@@ -47,22 +47,17 @@ if ($user->societe_id > 0)
 //$result = restrictedArea($user, 'societe', $id);
 
 // Get parameters
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-if (! $sortorder) $sortorder="ASC";
-if (! $sortfield) $sortfield="name";
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
 if ($page == -1) { $page = 0 ; }
 $offset = $conf->liste_limit * $page ;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
-
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
 if (! $sortorder) $sortorder="ASC";
 if (! $sortfield) $sortfield="name";
 
+
 $upload_dir = $conf->adherent->dir_output . "/" . get_exdir($id,2,0,1) . '/' . $id;
 
 
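Review bot: The only access check visible for this page is the commented-out `//$result = restrictedArea($user, 'societe', $id);` in the context above the hunk, yet the hunk's last non-blank line builds `$upload_dir` from `$id` via `get_exdir()`, i.e. a filesystem path selected by a request parameter. Unless `$id` is validated and authorised somewhere before line 47 (not visible here), any logged-in user can point the page at another member's document directory by changing the id; re-enable the check with the member module, along the lines of `$result = restrictedArea($user, 'adherent', $id);` (confirm the module name the rights system expects). `$id` itself is read outside the hunk and should come through `GETPOST('id','int')` given that it ends up in a path.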
diff --git a/htdocs/adherents/liste.php b/htdocs/adherents/liste.php
index e66a1ab00c4..c92247726bf 100644
--- a/htdocs/adherents/liste.php
+++ b/htdocs/adherents/liste.php
@@ -35,18 +35,19 @@ $langs->load("companies");
 
 $sall=isset($_GET["sall"])?$_GET["sall"]:$_POST["sall"];
 
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-$page=$_GET["page"];
-$filter=$_GET["filter"];
-$statut=isset($_GET["statut"])?$_GET["statut"]:'';
-
-if (! $sortorder) {  $sortorder="ASC"; }
-if (! $sortfield) {  $sortfield="d.nom"; }
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
 if ($page == -1) { $page = 0 ; }
 $offset = $conf->liste_limit * $page ;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
+if (! $sortorder) {  $sortorder="ASC"; }
+if (! $sortfield) {  $sortfield="d.nom"; }
+
+$filter=$_GET["filter"];
+$statut=isset($_GET["statut"])?$_GET["statut"]:'';
+
 
 if ($_REQUEST["button_removefilter"])
 {
diff --git a/htdocs/admin/dict.php b/htdocs/admin/dict.php
index ac1b8ae9a58..60a1ad7fa25 100644
--- a/htdocs/admin/dict.php
+++ b/htdocs/admin/dict.php
@@ -244,9 +244,14 @@ $tabcond[19]= $conf->societe->enabled;
 
 $msg='';
 
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0 ; }
+$offset = $conf->liste_limit * $page ;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 
-$sortfield=$_GET["sortfield"];
-$sortorder=$_GET["sortorder"];
 
 /*
  * Actions ajout ou modification d'une entree dans un dictionnaire de donnee
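Review bot: `$page`, `$offset`, `$pageprev` and `$pagenext` are introduced into a page whose old code read no `page` parameter at all; if dict.php does not paginate its dictionaries (nothing in the hunk uses them), these four lines are template code copied from the list pages and should be dropped, keeping only the two `GETPOST` reads. If `$sortfield` is later spliced into an ORDER BY for the selected dictionary table, the 'alpha' check still lets through arbitrary column expressions, so validating it against the column list declared for that dictionary would be the stronger check.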
diff --git a/htdocs/admin/tools/listevents.php b/htdocs/admin/tools/listevents.php
index 5ca35e13ac1..3fb1e240e66 100644
--- a/htdocs/admin/tools/listevents.php
+++ b/htdocs/admin/tools/listevents.php
@@ -41,16 +41,15 @@ $langs->load("companies");
 $langs->load("users");
 $langs->load("other");
 
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-if (! $sortorder) $sortorder="DESC";
-if (! $sortfield) $sortfield="dateevent";
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
 if ($page == -1) { $page = 0 ; }
 $offset = $conf->liste_limit * $page ;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
+if (! $sortorder) $sortorder="DESC";
+if (! $sortfield) $sortfield="dateevent";
 
 
 /*
diff --git a/htdocs/admin/tools/listsessions.php b/htdocs/admin/tools/listsessions.php
index 9c4f37f9f61..8543dc49277 100644
--- a/htdocs/admin/tools/listsessions.php
+++ b/htdocs/admin/tools/listsessions.php
@@ -41,16 +41,15 @@ $langs->load("companies");
 $langs->load("users");
 $langs->load("other");
 
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-if (! $sortorder) $sortorder="DESC";
-if (! $sortfield) $sortfield="dateevent";
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
 if ($page == -1) { $page = 0 ; }
 $offset = $conf->liste_limit * $page ;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
+if (! $sortorder) $sortorder="DESC";
+if (! $sortfield) $sortfield="dateevent";
 
 
 /*
diff --git a/htdocs/bookmarks/liste.php b/htdocs/bookmarks/liste.php
index b0e1e2965b9..883de99eb2d 100644
--- a/htdocs/bookmarks/liste.php
+++ b/htdocs/bookmarks/liste.php
@@ -27,17 +27,16 @@ require("../main.inc.php");
 require_once(DOL_DOCUMENT_ROOT."/bookmarks/class/bookmark.class.php");
 
 
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-if (! $sortorder) $sortorder="ASC";
-if (! $sortfield) $sortfield="position";
-
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
 if ($page == -1) { $page = 0 ; }
-$limit = 26;
-$offset = $limit * $page ;
+$offset = $conf->liste_limit * $page ;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
+if (! $sortorder) $sortorder="ASC";
+if (! $sortfield) $sortfield="position";
+$limit=$conf->liste_limit;
 
 
 /*
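Review bot: Replacing the hard-coded `$limit = 26;` with `$conf->liste_limit` changes the bookmark list's page size, a functional change that the "Removed security holes" message does not announce; call it out in the message or split it into its own commit. Since `$offset` is computed from `$conf->liste_limit` while `$limit` is only assigned on the hunk's last line, it is cleaner to set `$limit = $conf->liste_limit;` first and derive `$offset = $limit * $page;` from it so the two cannot drift apart.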
diff --git a/htdocs/cashdesk/index.php b/htdocs/cashdesk/index.php
index 059d7b74191..5df22e0b4d9 100644
--- a/htdocs/cashdesk/index.php
+++ b/htdocs/cashdesk/index.php
@@ -38,6 +38,8 @@ if ( $_SESSION['uid'] > 0 )
 	exit;
 }
 
+$usertxt=GETPOST('user','',1);
+
 
 /*
  * View
@@ -71,7 +73,7 @@ top_htmlhead('','',0,0,'',$arrayofcss);
 
 	<tr>
 		<td class="label1"><?php echo $langs->trans("Login"); ?></td>
-		<td><input name="txtUsername" class="texte_login" type="text"	value="<?php echo $_GET['user']; ?>" /></td>
+		<td><input name="txtUsername" class="texte_login" type="text" value="<?php echo $usertxt; ?>" /></td>
 	</tr>
 	<tr>
 		<td class="label1"><?php echo $langs->trans("Password"); ?></td>
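Review bot: `$usertxt` is echoed into the double-quoted `value="…"` attribute without HTML escaping, and it is read with an empty check argument (`GETPOST('user','',1)`), so as far as this hunk shows the reflected injection is still open: a `user` parameter containing `"` or `<` breaks out of the attribute (whatever filtering an empty check performs inside GETPOST is not visible here and should not be relied on for output). Escape at the output site, `value="<?php echo htmlspecialchars($usertxt, ENT_QUOTES); ?>"` (or the project's HTML-escaping helper), and read the value with `GETPOST('user','alpha',1)` so the input side is filtered as in the rest of the commit.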
diff --git a/htdocs/comm/action/document.php b/htdocs/comm/action/document.php
index 59d5e0c0b0e..80e976644a4 100755
--- a/htdocs/comm/action/document.php
+++ b/htdocs/comm/action/document.php
@@ -52,16 +52,15 @@ if ($user->societe_id > 0)
 }
 
 // Get parameters
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-if (! $sortorder) $sortorder="ASC";
-if (! $sortfield) $sortfield="name";
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $page ;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
+if (! $sortorder) $sortorder="ASC";
+if (! $sortfield) $sortfield="name";
 
 
 /*
diff --git a/htdocs/comm/action/index.php b/htdocs/comm/action/index.php
index ab438e83053..0d5639a9ba6 100644
--- a/htdocs/comm/action/index.php
+++ b/htdocs/comm/action/index.php
@@ -64,7 +64,8 @@ if (! $user->rights->agenda->allactions->read || $filter =='mine')	// If no perm
 	$filterd=$user->id;
 }
 
-$action=GETPOST('action');
+$action=GETPOST('action','alpha');
+//$year=GETPOST("year");
 $year=GETPOST("year","int")?GETPOST("year","int"):date("Y");
 $month=GETPOST("month","int")?GETPOST("month","int"):date("m");
 $day=GETPOST("day","int")?GETPOST("day","int"):0;
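Review bot: The new `//$year=GETPOST("year");` line is commented-out code sitting next to its replacement on the following line; it carries no information the live line does not and should be deleted rather than committed. The rest of the hunk is consistent with the other conversions.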
diff --git a/htdocs/comm/action/listactions.php b/htdocs/comm/action/listactions.php
index 3fc760d5fbe..3cc9c05d748 100644
--- a/htdocs/comm/action/listactions.php
+++ b/htdocs/comm/action/listactions.php
@@ -36,22 +36,20 @@ if ($conf->projet->enabled) require_once(DOL_DOCUMENT_ROOT."/lib/project.lib.php
 $langs->load("companies");
 $langs->load("agenda");
 
-$action=isset($_REQUEST['action'])?$_REQUEST['action']:'';
-$year=isset($_REQUEST["year"])?$_REQUEST["year"]:'';
-$month=isset($_REQUEST["month"])?$_REQUEST["month"]:'';
-$day=isset($_REQUEST["day"])?$_REQUEST["day"]:0;
-$pid=isset($_REQUEST["projectid"])?$_REQUEST["projectid"]:0;
-$status=isset($_GET["status"])?$_GET["status"]:$_POST["status"];
-
-$filtera = isset($_REQUEST["userasked"])?$_REQUEST["userasked"]:(isset($_REQUEST["filtera"])?$_REQUEST["filtera"]:'');
-$filtert = isset($_REQUEST["usertodo"])?$_REQUEST["usertodo"]:(isset($_REQUEST["filtert"])?$_REQUEST["filtert"]:'');
-$filterd = isset($_REQUEST["userdone"])?$_REQUEST["userdone"]:(isset($_REQUEST["filterd"])?$_REQUEST["filterd"]:'');
-
-$socid = isset($_GET["socid"])?$_GET["socid"]:$_POST["socid"];
-
-$sortfield = isset($_GET["sortfield"])?$_GET["sortfield"]:$_POST["sortfield"];
-$sortorder = isset($_GET["sortorder"])?$_GET["sortorder"]:$_POST["sortorder"];
-$page = isset($_GET["page"])?$_GET["page"]:$_POST["page"];
+$action=GETPOST('action','alpha');
+$year=GETPOST("year",'int');
+$month=GETPOST("month",'int');
+$day=GETPOST("day",'int');
+$pid=GETPOST("projectid",'int');
+$status=GETPOST("status",'alpha');
+
+$filtera = GETPOST("userasked","int")?GETPOST("userasked","int"):GETPOST("filtera","int");
+$filtert = GETPOST("usertodo","int")?GETPOST("usertodo","int"):GETPOST("filtert","int");
+$filterd = GETPOST("userdone","int")?GETPOST("userdone","int"):GETPOST("filterd","int");
+
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
 if ($page == -1) { $page = 0 ; }
 $limit = $conf->liste_limit;
 $offset = $limit * $page ;
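Review bot: The `$filtera`/`$filtert`/`$filterd` rewrites change semantics: the old code tested `isset()`, so an explicit `userasked=0` was honoured, whereas `GETPOST("userasked","int")?…:GETPOST("filtera","int")` tests truthiness and lets `0` (and the `''` GETPOST returns for absent or non-numeric input) fall through to the legacy parameter. Similarly `$day` and `$pid` used to default to `0` and now default to `''`; if code below compares them with `== 0` or builds SQL from them unconditionally, confirm the empty string is handled, or restore the defaults with `$day = GETPOST("day",'int') ? GETPOST("day",'int') : 0;` and the same for `$pid`. The sort defaults this hunk relies on (`if (! $sortfield)`) continue past its end.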
@@ -69,7 +67,7 @@ if (! $sortfield)
 }
 
 // Security check
-$socid = isset($_GET["socid"])?$_GET["socid"]:'';
+$socid = GETPOST("socid",'int');
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'agenda', 0, '', 'myactions');
 
diff --git a/htdocs/comm/action/rapport/index.php b/htdocs/comm/action/rapport/index.php
index 127de0cbba2..564a39f9a24 100644
--- a/htdocs/comm/action/rapport/index.php
+++ b/htdocs/comm/action/rapport/index.php
@@ -22,7 +22,7 @@
 /**
  *	    \file       htdocs/comm/action/rapport/index.php
  *      \ingroup    commercial
- *		\brief      Page accueil des rapports des actions
+ *		\brief      Page with reports of actions
  *		\version    $Id$
  */
 
@@ -32,9 +32,9 @@ require_once(DOL_DOCUMENT_ROOT."/contact/class/contact.class.php");
 require_once(DOL_DOCUMENT_ROOT."/comm/action/class/actioncomm.class.php");
 require_once(DOL_DOCUMENT_ROOT."/includes/modules/action/rapport.pdf.php");
 
-$page = $_GET["page"];
-$sortfield=$_GET["sortfield"];
-$sortorder=$_GET["sortorder"];
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
 if ($page == -1) { $page = 0 ; }
 $limit = $conf->liste_limit;
 $offset = $limit * $page ;
@@ -42,7 +42,7 @@ if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="a.datep";
 
 // Security check
-$socid = isset($_GET["socid"])?$_GET["socid"]:'';
+$socid = GETPOST("socid");
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'agenda', $socid, '', 'myactions');
 
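Review bot: `$socid = GETPOST("socid");` is read without a check, unlike the sibling conversions in this commit (`GETPOST("socid",'int')` in prospects.php and listactions.php), and it is then handed to `restrictedArea()` and presumably to the SQL filter of the report. Make it `$socid = GETPOST("socid",'int');` so a non-numeric value is rejected before it reaches either.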
diff --git a/htdocs/comm/bookmark.php b/htdocs/comm/bookmark.php
index 5b159aca806..a2564deceec 100644
--- a/htdocs/comm/bookmark.php
+++ b/htdocs/comm/bookmark.php
@@ -26,20 +26,20 @@
 require("../main.inc.php");
 
 
-
-llxHeader();
-
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="bid";
+$limit = $conf->liste_limit;
+
+
+llxHeader();
 
-if ($page == -1) { $page = 0 ; }
-$limit = 26;
-$offset = $limit * $page ;
-$pageprev = $page - 1;
-$pagenext = $page + 1;
 
 /*
  * Actions
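Review bot: `$sortfield` and `$sortorder` are passed straight to `$db->order()` later in this file (visible in the next hunk), i.e. into an ORDER BY, and the 'alpha' check is a character blacklist rather than a column allowlist, so a crafted `sortfield` can still inject arbitrary SQL expressions into the clause. Validate against the columns this list actually sorts on, e.g. `if (! in_array($sortfield, array('bid','s.nom','u.login'))) $sortfield = 'bid';` (pick the set from the SELECT), and the same for `$sortorder` against `ASC`/`DESC`. Separately, moving `llxHeader()` below the parsing is fine, but the page-size change from `26` to `$conf->liste_limit` is a functional change the commit message does not mention.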
@@ -94,7 +94,7 @@ $sql.= " FROM ".MAIN_DB_PREFIX."bookmark as b, ".MAIN_DB_PREFIX."societe as s, "
 $sql.= " WHERE b.fk_soc = s.rowid AND b.fk_user=u.rowid";
 if (! $user->admin) $sql.= " AND b.fk_user = ".$user->id;
 $sql.= $db->order($sortfield,$sortorder);
-$sql.= $db->plimit( $limit, $offset);
+$sql.= $db->plimit($limit, $offset);
 
 $resql=$db->query($sql);
 if ($resql)
diff --git a/htdocs/comm/fiche.php b/htdocs/comm/fiche.php
index 81260e0fe9f..0a12de52313 100644
--- a/htdocs/comm/fiche.php
+++ b/htdocs/comm/fiche.php
@@ -52,8 +52,13 @@ $socid = isset($_GET["socid"])?$_GET["socid"]:'';
 if ($user->societe_id > 0) $socid=$user->societe_id;
 $result = restrictedArea($user,'societe',$socid,'');
 
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortorder) $sortorder="ASC";
 if (! $sortfield) $sortfield="nom";
 
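Review bot: The hunk header shows `$socid = isset($_GET["socid"])?$_GET["socid"]:'';` still reading the company id raw just above the new block, while sibling files in this commit switched to `GETPOST("socid",'int')`; since `$socid` goes to `restrictedArea()` and, on a company card, into SQL, change it to `$socid = GETPOST("socid",'int');`. The new `$page`/`$offset`/`$pageprev`/`$pagenext` lines land on a card page that the old code did not paginate; if nothing below uses them they are dead code copied from the list template.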
diff --git a/htdocs/comm/mailing/cibles.php b/htdocs/comm/mailing/cibles.php
index 30cb894d4be..6bdbae8d46c 100644
--- a/htdocs/comm/mailing/cibles.php
+++ b/htdocs/comm/mailing/cibles.php
@@ -44,13 +44,13 @@ $dirmod=DOL_DOCUMENT_ROOT."/includes/modules/mailings";
 $mesg = '';
 
 
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $_GET["page"] ;
-$pageprev = $_GET["page"] - 1;
-$pagenext = $_GET["page"] + 1;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortorder) $sortorder="ASC";
 if (! $sortfield) $sortfield="email";
 
diff --git a/htdocs/comm/mailing/liste.php b/htdocs/comm/mailing/liste.php
index 564f575e6eb..827d7e4a6eb 100644
--- a/htdocs/comm/mailing/liste.php
+++ b/htdocs/comm/mailing/liste.php
@@ -36,14 +36,13 @@ if ($user->societe_id > 0)
 	$socid = $user->societe_id;
 }
 
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $_GET["page"] ;
-$pageprev = $_GET["page"] - 1;
-$pagenext = $_GET["page"] + 1;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="m.date_creat";
 
diff --git a/htdocs/comm/propal.php b/htdocs/comm/propal.php
index d7be10b9033..4da6686c778 100644
--- a/htdocs/comm/propal.php
+++ b/htdocs/comm/propal.php
@@ -1631,9 +1631,14 @@ else
 
 	$now=dol_now();
 
-	$sortorder=$_GET['sortorder'];
-	$sortfield=$_GET['sortfield'];
-	$page=$_GET['page'];
+	$sortfield = GETPOST("sortfield",'alpha');
+	$sortorder = GETPOST("sortorder",'alpha');
+	$page = GETPOST("page",'int');
+	if ($page == -1) { $page = 0; }
+	$offset = $conf->liste_limit * $page;
+	$pageprev = $page - 1;
+	$pagenext = $page + 1;
+
 	$viewstatut=addslashes($_GET['viewstatut']);
 	$object_statut = addslashes($_GET['propal_statut']);
 	if($object_statut != '')
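Review bot: The two lines at the end of the hunk still take `viewstatut` and `propal_statut` from `$_GET` through `addslashes()`, which is neither a type check nor a proper SQL escape for the configured driver. Both are status codes, so `$viewstatut = GETPOST('viewstatut','int');` and `$object_statut = GETPOST('propal_statut','int');` would match the rest of the commit while keeping the `!= ''` test that follows; if they must stay strings, escape them with `$db->escape()` at the SQL site instead. The enclosing `else` branch and its SQL continue past the hunk.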
@@ -1642,9 +1647,6 @@ else
 	if (! $sortfield) $sortfield='p.datep';
 	if (! $sortorder) $sortorder='DESC';
 	$limit = $conf->liste_limit;
-	$offset = $limit * $page ;
-	$pageprev = $page - 1;
-	$pagenext = $page + 1;
 
 	$sql = 'SELECT s.nom, s.rowid, s.client, ';
 	$sql.= 'p.rowid as propalid, p.total_ht, p.ref, p.fk_statut, p.fk_user_author, p.datep as dp, p.fin_validite as dfv,';
diff --git a/htdocs/comm/propal/document.php b/htdocs/comm/propal/document.php
index 66c715e9f7f..25bd527d841 100644
--- a/htdocs/comm/propal/document.php
+++ b/htdocs/comm/propal/document.php
@@ -49,16 +49,15 @@ if ($user->societe_id)
 $result = restrictedArea($user, 'propale', $id, 'propal');
 
 // Get parameters
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-if (! $sortorder) $sortorder="ASC";
-if (! $sortfield) $sortfield="name";
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $page ;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
+if (! $sortorder) $sortorder="ASC";
+if (! $sortfield) $sortfield="name";
 
 
 /*
diff --git a/htdocs/comm/prospect/prospects.php b/htdocs/comm/prospect/prospects.php
index 741bc4ef7be..28f0b281712 100644
--- a/htdocs/comm/prospect/prospects.php
+++ b/htdocs/comm/prospect/prospects.php
@@ -33,16 +33,16 @@ $langs->load("propal");
 $langs->load("companies");
 
 // Security check
-$socid = isset($_GET["socid"])?$_GET["socid"]:'';
+$socid = GETPOST("socid",'int');
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'societe',$socid,'');
 
-$socname=isset($_GET["socname"])?$_GET["socname"]:$_POST["socname"];
-$stcomm=isset($_GET["stcomm"])?$_GET["stcomm"]:$_POST["stcomm"];
+$socname=GETPOST("socname",'alpha');
+$stcomm=GETPOST("stcomm",'int');
 
-$sortfield = isset($_GET["sortfield"])?$_GET["sortfield"]:$_POST["sortfield"];
-$sortorder = isset($_GET["sortorder"])?$_GET["sortorder"]:$_POST["sortorder"];
-$page=isset($_GET["page"])?$_GET["page"]:$_POST["page"];
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
 if ($page == -1) { $page = 0; }
 $offset = $conf->liste_limit * $page;
 $pageprev = $page - 1;
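Review bot: `$socname` is now filtered with the 'alpha' check, but that is an input filter (its behaviour is defined in functions.lib.php, outside this view), not a SQL escape; company names legitimately contain apostrophes, so the query that builds the name filter from `$socname` must still wrap it in `$db->escape()`, and whether it does is not visible from this hunk. `$stcomm` and `$socid` as 'int' are the right choices.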
@@ -50,10 +50,8 @@ $pagenext = $page + 1;
 if (! $sortorder) $sortorder="ASC";
 if (! $sortfield) $sortfield="s.nom";
 
-// Added by Matelli (see http://matelli.fr/showcases/patchs-dolibarr/enhance-prospect-searching.html)
-// Load potentiels filters
-$search_level_from = isset($_GET["search_level_from"])?$_GET["search_level_from"]:(isSet($_POST["search_level_from"])?$_POST["search_level_from"]:'');
-$search_level_to = isset($_GET["search_level_to"])?$_GET["search_level_to"]:(isSet($_POST["search_level_to"])?$_POST["search_level_to"]:'');
+$search_level_from = GETPOST("search_level_from","alpha");
+$search_level_to = GETPOST("search_level_to","alpha");
 
 // If both parameters are set, search for everything BETWEEN them
 if ($search_level_from != '' && $search_level_to != '')
diff --git a/htdocs/commande/document.php b/htdocs/commande/document.php
index abe08c4701a..1db72e2fff4 100644
--- a/htdocs/commande/document.php
+++ b/htdocs/commande/document.php
@@ -48,19 +48,18 @@ if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'commande',$comid,'');
 
 // Get parameters
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-if (! $sortorder) $sortorder="ASC";
-if (! $sortfield) $sortfield="name";
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $page ;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
+if (! $sortorder) $sortorder="ASC";
+if (! $sortfield) $sortfield="name";
 
 
-$id = $_GET['id'];
+$id = GETPOST('id','int');
 $ref= $_GET['ref'];
 $commande = new Commande($db);
 if (! $commande->fetch($_GET['id'],$_GET['ref']) > 0)
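Review bot: The sanitized `$id = GETPOST('id','int');` is never used: the `fetch()` call on the hunk's last line still passes raw `$_GET['id']` and `$_GET['ref']`, and `$ref` is read raw as well. Change to `$ref = GETPOST('ref','alpha');` and `if ($commande->fetch($id,$ref) <= 0)`; the existing `! $commande->fetch(...) > 0` is parsed by PHP as `(! fetch()) > 0`, so a negative return from `fetch()` is treated as success, and the `<= 0` form fixes that at the same time. The `if` body continues past the hunk.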
diff --git a/htdocs/commande/liste.php b/htdocs/commande/liste.php
index 15e952943fa..49bfe93747c 100644
--- a/htdocs/commande/liste.php
+++ b/htdocs/commande/liste.php
@@ -50,12 +50,23 @@ $orderid = isset($_GET["orderid"])?$_GET["orderid"]:'';
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'commande', $orderid,'');
 
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
+if (! $sortfield) $sortfield='c.rowid';
+if (! $sortorder) $sortorder='DESC';
+$limit = $conf->liste_limit;
+
 
 /*
  * View
  */
 
-$now=gmmktime();
+$now=dol_now();
 
 $html = new Form($db);
 $formfile = new FormFile($db);
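Review bot: `$orderid`, shown in the hunk header, is still read raw (`isset($_GET["orderid"])?$_GET["orderid"]:''`) and passed to `restrictedArea()`, whereas compta/commande/liste.php in this same commit converts the identical line to `$orderid = GETPOST("orderid",'int');`; apply the same here. The `gmmktime()` to `dol_now()` swap is an unrelated behavioural change that the commit message does not mention.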
@@ -63,16 +74,8 @@ $companystatic = new Societe($db);
 
 llxHeader();
 
-$begin=$_GET['begin'];
-$sortorder=$_GET['sortorder'];
-$sortfield=$_GET['sortfield'];
 $viewstatut=$_GET['viewstatut'];
 
-if (! $sortfield) $sortfield='c.rowid';
-if (! $sortorder) $sortorder='DESC';
-
-$limit = $conf->liste_limit;
-$offset = $limit * $_GET['page'] ;
 
 $sql = 'SELECT s.nom, s.rowid as socid, s.client, c.rowid, c.ref, c.total_ht, c.ref_client,';
 $sql.= ' c.date_commande, c.date_livraison, c.fk_statut, c.facture as facturee';
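Review bot: `$viewstatut=$_GET['viewstatut'];` survives the hunk as a raw read; it is a status selector and, if it feeds the `fk_statut` filter of the SELECT that starts right below (the query continues past the hunk), it should become `$viewstatut = GETPOST('viewstatut','int');` like the other status parameters converted in this commit. Removing `$begin` is fine as nothing visible used it.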
diff --git a/htdocs/compta/bank/search.php b/htdocs/compta/bank/search.php
index 5d46b566f4a..213007a89af 100644
--- a/htdocs/compta/bank/search.php
+++ b/htdocs/compta/bank/search.php
@@ -49,11 +49,14 @@ if (! empty($_REQUEST["credit"])) $param.='&credit='.$_REQUEST["credit"];
 if (! empty($_REQUEST["account"])) $param.='&account='.$_REQUEST["account"];
 if (! empty($_REQUEST["bid"]))  $param.='&bid='.$_REQUEST["bid"];
 
-$page     =$_GET['page'];
-$sortorder=$_GET['sortorder'];
-$sortfield=$_GET['sortfield'];
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 $limit = $conf->liste_limit;
-$offset = $limit * $page ;
 if (! $sortorder) $sortorder='DESC';
 if (! $sortfield) $sortfield='b.dateo';
 
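Review bot: The three `$param.='&…='.$_REQUEST[…]` lines above the new block concatenate raw request values into `$param`, which on these list pages is typically re-emitted inside the pagination and sort links; without `urlencode()` or HTML escaping at that point, a crafted `account`, `bid` or `credit` value can inject into the generated hrefs. Build it from checked values, e.g. `if (GETPOST("account",'int')) $param.='&account='.urlencode(GETPOST("account",'int'));` (same for `bid`; `credit` as 'alpha' if it can be a decimal amount), or escape `$param` wherever it is printed.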
diff --git a/htdocs/compta/clients.php b/htdocs/compta/clients.php
index 9f342f500fa..6a34816ccf9 100644
--- a/htdocs/compta/clients.php
+++ b/htdocs/compta/clients.php
@@ -42,16 +42,15 @@ accessforbidden();
 
 $langs->load("companies");
 
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-if (! $sortorder) $sortorder="ASC";
-if (! $sortfield) $sortfield="nom";
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $page ;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
+if (! $sortorder) $sortorder="ASC";
+if (! $sortfield) $sortfield="nom";
 
 
 /*
diff --git a/htdocs/compta/commande/liste.php b/htdocs/compta/commande/liste.php
index 7eeead1d754..e8bd998fc09 100644
--- a/htdocs/compta/commande/liste.php
+++ b/htdocs/compta/commande/liste.php
@@ -34,26 +34,29 @@ require_once(DOL_DOCUMENT_ROOT."/commande/class/commande.class.php");
 $langs->load('companies');
 
 // Security check
-$orderid = isset($_GET["orderid"])?$_GET["orderid"]:'';
+$orderid = GETPOST("orderid",'int');
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'commande',$orderid,'');
 
 // Assign and check variable
-$year=GETPOST('year','int',1);
-$month=GETPOST('month','int',1);
-$status=GETPOST('status','int',1);
-$onbill=GETPOST('afacturer','int',1);
-$page=GETPOST('page','int',1);
+$year=GETPOST('year','int');
+$month=GETPOST('month','int');
+$status=GETPOST('status','int');
+$onbill=GETPOST('afacturer','int');
+$page=GETPOST('page','int');
 $sf_ref=GETPOST('sf_ref','',2);
 
-$begin=GETPOST('begin','',1);  // TODO used ?
-$sortorder=GETPOST('sortorder','',1);
-$sortfield=GETPOST('sortfield','',1);
+$sortorder=GETPOST('sortorder','alpha');
+$sortfield=GETPOST('sortfield','alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortfield) $sortfield="c.rowid";
 if (! $sortorder) $sortorder="DESC";
 
 $limit = $conf->liste_limit;
-$offset = $limit * $page ;
 
 $html = new Form($db);
 $formfile = new FormFile($db);
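Review bot: `$page` is read twice in this hunk (`$page=GETPOST('page','int');` in the first group and `$page = GETPOST("page",'int');` again below); drop the first. `$sf_ref=GETPOST('sf_ref','',2)` is the only parameter here left without a check — it is a reference search that presumably ends up in a LIKE clause, so `GETPOST('sf_ref','alpha',2)` plus `$db->escape()` at the SQL site would be consistent with the rest of the conversion. Dropping the third argument `1` on the other reads also changes where they are accepted from (if that argument selects GET-only versus GET-or-POST), which is harmless for list filters but is a behaviour change worth noting.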
diff --git a/htdocs/compta/deplacement/index.php b/htdocs/compta/deplacement/index.php
index e4184dddf0b..24c9d37b862 100644
--- a/htdocs/compta/deplacement/index.php
+++ b/htdocs/compta/deplacement/index.php
@@ -40,20 +40,16 @@ $result = restrictedArea($user, 'deplacement','','');
 
 llxHeader();
 
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-$page=$_GET["page"];
-
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="d.dated";
-
-
-if ($page == -1) { $page = 0 ; }
-
 $limit = $conf->liste_limit;
-$offset = $limit * $page ;
-$pageprev = $page - 1;
-$pagenext = $page + 1;
 
 
 $sql = "SELECT s.nom, s.rowid as socid,";								// Ou
diff --git a/htdocs/compta/dons/liste.php b/htdocs/compta/dons/liste.php
index 8641faafdea..343ddc8c606 100644
--- a/htdocs/compta/dons/liste.php
+++ b/htdocs/compta/dons/liste.php
@@ -31,18 +31,18 @@ if ($conf->projet->enabled) require_once(DOL_DOCUMENT_ROOT."/projet/class/projec
 $langs->load("companies");
 $langs->load("donations");
 
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
+
 $statut=isset($_GET["statut"])?$_GET["statut"]:"-1";
-$page=$_GET["page"];
 
 if (! $sortorder) {  $sortorder="DESC"; }
 if (! $sortfield) {  $sortfield="d.datedon"; }
-if ($page == -1) { $page = 0 ; }
-
-$offset = $conf->liste_limit * $page ;
-$pageprev = $page - 1;
-$pagenext = $page + 1;
 
 
 /*
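Review bot: `$statut=isset($_GET["statut"])?$_GET["statut"]:"-1";` stays a raw read in the middle of the converted block; it is a numeric status, so `$statut = (GETPOST("statut",'int') !== '') ? GETPOST("statut",'int') : "-1";` keeps the `-1` default while rejecting non-numeric input before it reaches the donation query.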
diff --git a/htdocs/compta/facture.php b/htdocs/compta/facture.php
index 86ef099895a..2c778448a9b 100644
--- a/htdocs/compta/facture.php
+++ b/htdocs/compta/facture.php
@@ -3031,14 +3031,18 @@ else
 			***************************************************************************/
 		$now=dol_now();
 
-		$page     =$_GET['page'];
-		$sortorder=$_GET['sortorder'];
-		$sortfield=$_GET['sortfield'];
-		$month    =$_GET['month'];
-		$year     =$_GET['year'];
-		$limit = $conf->liste_limit;
-		$offset = $limit * $page ;
+		$sortfield = GETPOST("sortfield",'alpha');
+		$sortorder = GETPOST("sortorder",'alpha');
+		$page = GETPOST("page",'int');
+		if ($page == -1) { $page = 0; }
+		$offset = $conf->liste_limit * $page;
+		$pageprev = $page - 1;
+		$pagenext = $page + 1;
+
+		$month    =GETPOST('month','int');
+		$year     =GETPOST('year','int');
 
+		$limit = $conf->liste_limit;
 		if (! $sortorder) $sortorder='DESC';
 		if (! $sortfield) $sortfield='f.datef';
 
diff --git a/htdocs/compta/facture/document.php b/htdocs/compta/facture/document.php
index 06887448d30..f7716c40b8b 100644
--- a/htdocs/compta/facture/document.php
+++ b/htdocs/compta/facture/document.php
@@ -53,16 +53,15 @@ if ($user->societe_id > 0)
 }
 
 // Get parameters
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-if (! $sortorder) $sortorder="ASC";
-if (! $sortfield) $sortfield="name";
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $page ;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
+if (! $sortorder) $sortorder="ASC";
+if (! $sortfield) $sortfield="name";
 
 
 /*
diff --git a/htdocs/compta/facture/impayees.php b/htdocs/compta/facture/impayees.php
index e25b48d736a..3b19b37b4e6 100644
--- a/htdocs/compta/facture/impayees.php
+++ b/htdocs/compta/facture/impayees.php
@@ -159,14 +159,17 @@ jQuery(document).ready(function() {
 
 $now=dol_now();
 
-$page = $_GET["page"];
-$sortfield=$_GET["sortfield"];
-$sortorder=$_GET["sortorder"];
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortfield) $sortfield="f.date_lim_reglement";
 if (! $sortorder) $sortorder="ASC";
 
 $limit = $conf->liste_limit;
-$offset = $limit * $page ;
 
 $sql = "SELECT s.nom, s.rowid as socid";
 $sql.= ", f.facnumber,f.increment,f.total as total_ht,f.total_ttc";
diff --git a/htdocs/compta/paiement/avalider.php b/htdocs/compta/paiement/avalider.php
index b5fcfa5a4c9..3c4f1c6b5d3 100644
--- a/htdocs/compta/paiement/avalider.php
+++ b/htdocs/compta/paiement/avalider.php
@@ -46,14 +46,16 @@ if ($user->societe_id > 0)
 
 llxHeader();
 
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="p.rowid";
-if ($page == -1) $page = 0 ;
 $limit = $conf->liste_limit;
-$offset = $limit * $page ;
 
 $sql = "SELECT p.rowid, p.datep as dp, p.amount, p.statut";
 $sql .=", c.libelle as paiement_type, p.num_paiement";
diff --git a/htdocs/compta/paiement/cheque/liste.php b/htdocs/compta/paiement/cheque/liste.php
index 8ab21804061..24cbe6ad5fd 100644
--- a/htdocs/compta/paiement/cheque/liste.php
+++ b/htdocs/compta/paiement/cheque/liste.php
@@ -35,12 +35,14 @@ $langs->load("bills");
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'banque', '','');
 
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 $limit = $conf->liste_limit;
-$offset = $limit * $page ;
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="bc.number";
 
diff --git a/htdocs/compta/paiement/liste.php b/htdocs/compta/paiement/liste.php
index 2c62831c980..18954b60456 100644
--- a/htdocs/compta/paiement/liste.php
+++ b/htdocs/compta/paiement/liste.php
@@ -40,12 +40,14 @@ $paymentstatic=new Paiement($db);
 $accountstatic=new Account($db);
 $companystatic=new Societe($db);
 
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 $limit = $conf->liste_limit;
-$offset = $limit * $page ;
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="p.rowid";
 
diff --git a/htdocs/compta/propal.php b/htdocs/compta/propal.php
index ef1b91ed9a6..a159d3cc523 100644
--- a/htdocs/compta/propal.php
+++ b/htdocs/compta/propal.php
@@ -40,9 +40,14 @@ $langs->load('compta');
 $langs->load('orders');
 $langs->load('bills');
 
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
+
 $viewstatut=$_GET['viewstatut'];
 $propal_statut = $_GET['propal_statut'];
 if($propal_statut != '')
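Review bot: `$viewstatut` and `$propal_statut` are still taken directly from `$_GET` two lines below the new GETPOST block, so this hunk validates the sort parameters but not the status filters read in the same place. If their values are numeric status codes, `$viewstatut=GETPOST('viewstatut','int');` and `$propal_statut = GETPOST('propal_statut','int');` leave the rest of the logic unchanged; otherwise the 'alpha' check applies. The `$_GET["socid"]` read in this file's second hunk is the same pattern.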
@@ -50,7 +55,6 @@ $viewstatut=$propal_statut;
 
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="p.datep";
-if ($page == -1) { $page = 0 ; }
 
 $module='propale';
 if (! empty($_GET["socid"]))
diff --git a/htdocs/compta/sociales/index.php b/htdocs/compta/sociales/index.php
index 2b3fb933323..fa3230f86b8 100644
--- a/htdocs/compta/sociales/index.php
+++ b/htdocs/compta/sociales/index.php
@@ -34,22 +34,19 @@ if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'tax', '', '', 'charges');
 
 
-$sortfield = isset($_GET["sortfield"])?$_GET["sortfield"]:$_POST["sortfield"];
-$sortorder = isset($_GET["sortorder"])?$_GET["sortorder"]:$_POST["sortorder"];
-$page = $_GET["page"];
-if ($page < 0) $page = 0;
-
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 $limit = $conf->liste_limit;
-$offset = $limit * $page ;
-
 if (! $sortfield) $sortfield="s.date_ech";
 if (! $sortorder) $sortorder="DESC";
 
 $year=$_GET["year"];
 $filtre=$_GET["filtre"];
-$limit = $conf->liste_limit;
-$offset = $limit * $page ;
-//if (! $year) { $year=date("Y", time()); }
 
 if (empty($_REQUEST['typeid']))
 {
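Review bot: The previous `if ($page < 0) $page = 0;` is replaced by `if ($page == -1) { $page = 0; }`, which is narrower: a page of -2 now reaches `$offset` as a negative number where it was clamped before, so keeping the `< 0` form loses nothing. `$year` and `$filtre` a few lines further down are still read from `$_GET` unvalidated; `$year=GETPOST("year",'int');` matches what compta/facture.php does in this same patch, and `$filtre` should get whichever check its values allow.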
diff --git a/htdocs/compta/ventilation/liste.php b/htdocs/compta/ventilation/liste.php
index 65dd91bea56..7e0a85c4dbc 100644
--- a/htdocs/compta/ventilation/liste.php
+++ b/htdocs/compta/ventilation/liste.php
@@ -46,12 +46,16 @@ llxHeader('','Ventilation');
 
 /*
 * Lignes de factures
-*
 */
-$page = $_GET["page"];
-if ($page < 0) $page = 0;
+
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 $limit = $conf->liste_limit;
-$offset = $limit * $page ;
 
 $sql = "SELECT f.facnumber, f.rowid as facid, l.fk_product, l.description, l.price, l.rowid, l.fk_code_ventilation,";
 $sql.= " p.rowid as product_id, p.ref as product_ref, p.label as product_label, p.fk_product_type as type";
diff --git a/htdocs/contrat/document.php b/htdocs/contrat/document.php
index 369f9272b35..cb475acad15 100644
--- a/htdocs/contrat/document.php
+++ b/htdocs/contrat/document.php
@@ -48,16 +48,15 @@ if ($user->societe_id > 0)
 }
 
 // Get parameters
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-if (! $sortorder) $sortorder="ASC";
-if (! $sortfield) $sortfield="name";
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $page ;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
+if (! $sortorder) $sortorder="ASC";
+if (! $sortfield) $sortfield="name";
 
 
 $contrat = new Contrat($db);
diff --git a/htdocs/ecm/docdir.php b/htdocs/ecm/docdir.php
index a1f81eb1938..de2511b4cac 100644
--- a/htdocs/ecm/docdir.php
+++ b/htdocs/ecm/docdir.php
@@ -53,12 +53,13 @@ $section=$_GET["section"];
 if (! $section) $section='misc';
 $upload_dir = $conf->ecm->dir_output.'/'.$section;
 
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-$limit = $conf->liste_limit;
-$offset = $limit * $page ;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortorder) $sortorder="ASC";
 if (! $sortfield) $sortfield="label";
 
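Review bot: `$section` comes straight from `$_GET["section"]` on the hunk header line and is concatenated into `$upload_dir = $conf->ecm->dir_output.'/'.$section;` without normalisation, while only the sort parameters in this hunk were moved to GETPOST. A request value that ends up in a filesystem path should be compared against the known section names (an allow-list) rather than a character class, since a character class still admits names such as `..`; at minimum `$section=GETPOST("section",'alpha');` removes separators. ecm/index.php and ecm/search.php build the same `$upload_dir` from `$section`, and ecm/docmine.php calls `GETPOST("section")` with no check, so they likely warrant the same treatment, though their `$section` assignments sit outside the visible hunks.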
diff --git a/htdocs/ecm/docfile.php b/htdocs/ecm/docfile.php
index 5ce624f94a8..7f80ebeb1f1 100644
--- a/htdocs/ecm/docfile.php
+++ b/htdocs/ecm/docfile.php
@@ -50,12 +50,13 @@ if (!$user->rights->ecm->setup) accessforbidden();
 $socid = isset($_GET["socid"])?$_GET["socid"]:'';
 
 
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-$limit = $conf->liste_limit;
-$offset = $limit * $page ;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortorder) $sortorder="ASC";
 if (! $sortfield) $sortfield="label";
 
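Review bot: `$socid` on the line above the new block is still assigned from `$_GET["socid"]` unchecked while the sort and page parameters just below it were moved to GETPOST. Since it is an id, `$socid = GETPOST("socid",'int');` fits the pattern the rest of the hunk adopts, and GETPOST returns '' when the parameter is absent, which matches the old default.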
diff --git a/htdocs/ecm/docmine.php b/htdocs/ecm/docmine.php
index 12500b66aed..6736c954810 100644
--- a/htdocs/ecm/docmine.php
+++ b/htdocs/ecm/docmine.php
@@ -45,16 +45,15 @@ $user->getrights('ecm');
 if ($user->societe_id > 0) $socid = $user->societe_id;
 
 // Get parameters
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-if (! $sortorder) $sortorder="ASC";
-if (! $sortfield) $sortfield="name";
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $page ;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
+if (! $sortorder) $sortorder="ASC";
+if (! $sortfield) $sortfield="name";
 
 $section=GETPOST("section");
 if (! $section)
diff --git a/htdocs/ecm/index.php b/htdocs/ecm/index.php
index 6be444e387c..a635c8f76fa 100644
--- a/htdocs/ecm/index.php
+++ b/htdocs/ecm/index.php
@@ -59,12 +59,13 @@ if (! $section) $section=0;
 
 $upload_dir = $conf->ecm->dir_output.'/'.$section;
 
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-$limit = $conf->liste_limit;
-$offset = $limit * $page ;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortorder) $sortorder="ASC";
 if (! $sortfield) $sortfield="label";
 
diff --git a/htdocs/ecm/search.php b/htdocs/ecm/search.php
index 4e0f299c2a6..989a17a3e46 100644
--- a/htdocs/ecm/search.php
+++ b/htdocs/ecm/search.php
@@ -57,12 +57,13 @@ if (! $section) $section=0;
 
 $upload_dir = $conf->ecm->dir_output.'/'.$section;
 
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-$limit = $conf->liste_limit;
-$offset = $limit * $page ;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortorder) $sortorder="ASC";
 if (! $sortfield) $sortfield="label";
 
diff --git a/htdocs/expedition/liste.php b/htdocs/expedition/liste.php
index cd4677f984d..10d95c63123 100644
--- a/htdocs/expedition/liste.php
+++ b/htdocs/expedition/liste.php
@@ -37,13 +37,17 @@ if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'expedition',$expeditionid,'');
 
 
-$sortfield=isset($_GET["sortfield"])?$_GET["sortfield"]:"";
-$sortorder=isset($_GET["sortorder"])?$_GET["sortorder"]:"";
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
+$limit = $conf->liste_limit;
 if (! $sortfield) $sortfield="e.ref";
 if (! $sortorder) $sortorder="DESC";
-
 $limit = $conf->liste_limit;
-$offset = $limit * $_GET["page"] ;
 
 
 /*
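Review bot: `$limit = $conf->liste_limit;` is now assigned twice in this hunk, once at the end of the new block and again three lines later after the sort defaults; one of the two should go. Either is harmless on its own, but the duplicate suggests the block was pasted over code that was not fully removed, which is worth re-checking in the other list pages of this patch where `$limit` is kept after the block.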
diff --git a/htdocs/fichinter/document.php b/htdocs/fichinter/document.php
index d3a3b0bba3c..2ce6bbdf10d 100644
--- a/htdocs/fichinter/document.php
+++ b/htdocs/fichinter/document.php
@@ -45,16 +45,15 @@ $result = restrictedArea($user, 'ficheinter', $fichinterid, 'fichinter');
 
 
 // Get parameters
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-if (! $sortorder) $sortorder="ASC";
-if (! $sortfield) $sortfield="name";
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $page ;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
+if (! $sortorder) $sortorder="ASC";
+if (! $sortfield) $sortfield="name";
 
 
 $object = new Fichinter($db);
diff --git a/htdocs/fichinter/index.php b/htdocs/fichinter/index.php
index 3517ad688a3..aca2231cc76 100644
--- a/htdocs/fichinter/index.php
+++ b/htdocs/fichinter/index.php
@@ -33,8 +33,14 @@ require_once(DOL_DOCUMENT_ROOT."/lib/date.lib.php");
 $langs->load("companies");
 $langs->load("interventions");
 
-$sortorder=$_GET["sortorder"]?$_GET["sortorder"]:$_POST["sortorder"];
-$sortfield=$_GET["sortfield"]?$_GET["sortfield"]:$_POST["sortfield"];
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
+
 $socid=$_GET["socid"]?$_GET["socid"]:$_POST["socid"];
 $page=$_GET["page"]?$_GET["page"]:$_POST["page"];
 
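Review bot: `$page=$_GET["page"]?$_GET["page"]:$_POST["page"];` on the last line of the hunk overwrites the validated `$page` from `GETPOST("page",'int')` with the raw request value, so `$offset`, `$pageprev` and `$pagenext` are derived from the checked value but `$page` itself is not. That line should be deleted. `$socid` on the line before it is also still read raw and, being an id, can use `$socid=GETPOST("socid",'int');`, which keeps the GET-then-POST precedence of the old ternary.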
diff --git a/htdocs/fourn/commande/document.php b/htdocs/fourn/commande/document.php
index 777e9aa2822..6894dc82760 100644
--- a/htdocs/fourn/commande/document.php
+++ b/htdocs/fourn/commande/document.php
@@ -49,16 +49,15 @@ if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'commande_fournisseur', $id,'');
 
 // Get parameters
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-if (! $sortorder) $sortorder="ASC";
-if (! $sortfield) $sortfield="name";
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $page ;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
+if (! $sortorder) $sortorder="ASC";
+if (! $sortfield) $sortfield="name";
 
 
 $commande = new CommandeFournisseur($db);
diff --git a/htdocs/fourn/contact.php b/htdocs/fourn/contact.php
index 9cef3874718..3e5e3c9ad1e 100644
--- a/htdocs/fourn/contact.php
+++ b/htdocs/fourn/contact.php
@@ -45,15 +45,16 @@ if ($user->societe_id > 0)
   $socid = $user->societe_id;
 }
 
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortorder) $sortorder="ASC";
 if (! $sortfield) $sortfield="p.name";
-if ($page == -1) { $page = 0 ; }
 $limit = $conf->liste_limit;
-$offset = $limit * $page ;
 
 
 /*
diff --git a/htdocs/fourn/facture/document.php b/htdocs/fourn/facture/document.php
index 11c5f87f0c3..53a2ce32755 100644
--- a/htdocs/fourn/facture/document.php
+++ b/htdocs/fourn/facture/document.php
@@ -45,16 +45,15 @@ if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'fournisseur', $facid, 'facture_fourn', 'facture');
 
 // Get parameters
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-if (! $sortorder) $sortorder="ASC";
-if (! $sortfield) $sortfield="name";
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $page ;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
+if (! $sortorder) $sortorder="ASC";
+if (! $sortfield) $sortfield="name";
 
 
 
diff --git a/htdocs/fourn/facture/impayees.php b/htdocs/fourn/facture/impayees.php
index 64dbff428e7..2effbbf87df 100644
--- a/htdocs/fourn/facture/impayees.php
+++ b/htdocs/fourn/facture/impayees.php
@@ -65,17 +65,19 @@ $companystatic=new Societe($db);
 *                      Mode Liste                                         *
 *                                                                         *
 ***************************************************************************/
-$page = $_GET["page"];
-$sortfield=$_GET["sortfield"];
-$sortorder=$_GET["sortorder"];
+
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortfield) $sortfield="f.date_lim_reglement";
 if (! $sortorder) $sortorder="ASC";
 
 if ($user->rights->fournisseur->facture->lire)
 {
-	$limit = $conf->liste_limit;
-	$offset = $limit * $page ;
-
 	$sql = "SELECT s.nom, s.rowid as socid,";
 	$sql.= " f.rowid as ref, f.facnumber, f.total_ht, f.total_ttc,";
 	$sql.= " f.datef as df, f.date_lim_reglement as datelimite, ";
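Review bot: `$limit` is no longer assigned anywhere in this hunk: the `$limit = $conf->liste_limit;` inside the `if` was removed together with the old `$offset` line, but unlike the other list pages in this patch no replacement was added outside the `if`. If the listing loop further down (outside the hunk) still reads `$limit`, it is now undefined; `$limit = $conf->liste_limit;` directly after the new block restores it.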
@@ -136,8 +138,6 @@ if ($user->rights->fournisseur->facture->lire)
 	foreach ($listfield as $key => $value) $sql.=$listfield[$key]." ".$sortorder.",";
 	$sql.= " f.facnumber DESC";
 
-	//$sql .= $db->plimit($limit+1,$offset);
-
 	$result = $db->query($sql);
 
 	if ($result)
diff --git a/htdocs/fourn/facture/paiement.php b/htdocs/fourn/facture/paiement.php
index 7cdb22af9b7..f6339e301e4 100644
--- a/htdocs/fourn/facture/paiement.php
+++ b/htdocs/fourn/facture/paiement.php
@@ -39,12 +39,14 @@ $langs->load('banks');
 $facid=isset($_GET['facid'])?$_GET['facid']:$_POST['facid'];
 $action=isset($_GET['action'])?$_GET['action']:$_POST['action'];
 
-$sortfield = isset($_GET['sortfield'])?$_GET['sortfield']:$_POST['sortfield'];
-$sortorder = isset($_GET['sortorder'])?$_GET['sortorder']:$_POST['sortorder'];
-$page=isset($_GET['page'])?$_GET['page']:$_POST['page'];
-
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 $limit = $conf->liste_limit;
-$offset = $limit * $page ;
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="p.rowid";
 
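Review bot: `$facid` and `$action` on the hunk's first two lines are still read from `$_GET`/`$_POST` directly while the sort and page parameters just below them were moved to GETPOST. `$facid=GETPOST('facid','int');` and `$action=GETPOST('action','alpha');` preserve the GET-then-POST precedence of the old ternaries, since GETPOST with method 0 consults `$_GET` first.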
diff --git a/htdocs/ftp/index.php b/htdocs/ftp/index.php
index 75c198560f8..06cdce2b82c 100644
--- a/htdocs/ftp/index.php
+++ b/htdocs/ftp/index.php
@@ -53,12 +53,13 @@ $file=isset($_GET["file"])?$_GET["file"]:$_POST['file'];
 $upload_dir = $conf->ftp->dir_temp;
 $download_dir = $conf->ftp->dir_temp;
 
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-$limit = $conf->liste_limit;
-$offset = $limit * $page ;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortorder) $sortorder="ASC";
 if (! $sortfield) $sortfield="label";
 
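Review bot: `$file` on the hunk header line is taken from the request untouched and, given the `$upload_dir`/`$download_dir` assignments next to it, presumably ends up in a filesystem or FTP path further down, outside this hunk. A file name taken from a request should be reduced to a plain name before use — reject values containing path separators or equal to `..`, or compare it against the listing this page itself produced — rather than relying on the generic request filter in main.inc.php, which does not look at path characters.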
diff --git a/htdocs/lib/functions.lib.php b/htdocs/lib/functions.lib.php
index e5c50f0219f..332cc45fe0f 100644
--- a/htdocs/lib/functions.lib.php
+++ b/htdocs/lib/functions.lib.php
@@ -38,11 +38,11 @@ if (! defined('ADODB_DATE_VERSION')) include_once(DOL_DOCUMENT_ROOT."/includes/a
 
 
 /**
- *  Return value of a param into get or post variable
+ *  Return value of a param into GET or POST supervariable
  *  @param          paramname   Name of parameter to found
- *  @param			check		Type of check ('' or 'int')
+ *  @param			check		Type of check (''=no check,  'int'=check it's numeric, 'alpha'=check it's alpha only)
  *  @param			method		Type of method (0 = get or post, 1 = only get, 2 = only post)
- *  @return         string      Value found
+ *  @return         string      Value found or '' if check fails
  */
 function GETPOST($paramname,$check='',$method=0)
 {
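Review bot: The new 'alpha' description says "check it's alpha only", but the regex in the body below also accepts digits and the characters `#`, `(`, `)`, `-`, `.` and `_`; the docblock should state the real accepted set so callers do not assume a letters-only guarantee, e.g. `'alpha'=letters, digits and #()-._ only`. It is also worth documenting that the check is a character-class filter, not a guarantee that the value is a valid column name or sort direction: callers that place `$sortfield`/`$sortorder` into SQL still need an allow-list (ASC/DESC for the order, known column names for the field).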
@@ -50,13 +50,12 @@ function GETPOST($paramname,$check='',$method=0)
     else if ($method==2) isset($_POST[$paramname])?$_POST[$paramname]:'';
     else $out = isset($_GET[$paramname])?$_GET[$paramname]:(isset($_POST[$paramname])?$_POST[$paramname]:'');
 
-    // Clean value
-    $out = trim($out);
-
     if (!empty($check))
     {
     	// Check if integer
-        if ($check == 'int' && ! is_numeric($out)) $out='';
+        if ($check == 'int' && ! is_numeric(trim($out))) $out='';
+    	// Check if alpha
+        if ($check == 'alpha' && ! preg_match('/^[#\(\)\-\._a-z0-9]+$/i',trim($out))) $out='';
     }
 
     return $out;
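Review bot: `trim($out)` is now applied only to the copy that is checked, so a value with surrounding whitespace passes the 'int' test but is returned untrimmed, and `is_numeric` also accepts decimals and exponent notation, so `$page` can be a non-integer string that then flows into `$offset` arithmetic and the SQL LIMIT. A stricter test such as `if ($check == 'int' && ! preg_match('/^-?[0-9]+$/', trim($out))) $out='';` keeps the string return type while rejecting those forms. Separately, the `$method==2` branch on the hunk's first context line evaluates the ternary without assigning it, so `$out` is never set for POST-only lookups; it should read `else if ($method==2) $out = isset($_POST[$paramname])?$_POST[$paramname]:'';`.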
@@ -1526,7 +1525,7 @@ function img_allow($allow,$alt='default')
 function img_mime($file,$alt='')
 {
 	require_once(DOL_DOCUMENT_ROOT.'/lib/files.lib.php');
-	
+
     $mimetype=dol_mimetype($file,'',1);
     $mimeimg=dol_mimetype($file,'',2);
 
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index f403db23783..d6b97d0a079 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -59,39 +59,43 @@ if (function_exists('get_magic_quotes_gpc'))	// magic_quotes_* removed in PHP6
 		$_POST    = array_map('stripslashes_deep', $_POST);
 //		$_REQUEST = array_map('stripslashes_deep', $_REQUEST);
 		$_COOKIE  = array_map('stripslashes_deep', $_COOKIE);
+		@set_magic_quotes_runtime(0);
 	}
-	@set_magic_quotes_runtime(0);
 }
 
 
 // Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST)
-function test_sql_and_script_inject($val)
+function test_sql_and_script_inject($val,$get)
 {
 	$sql_inj = 0;
+	// For SQL Injection
 	$sql_inj += preg_match('/delete[\s]+from/i', $val);
 	$sql_inj += preg_match('/create[\s]+table/i', $val);
 	$sql_inj += preg_match('/update.+set.+=/i', $val);
 	$sql_inj += preg_match('/insert[\s]+into/i', $val);
 	$sql_inj += preg_match('/select.+from/i', $val);
 	$sql_inj += preg_match('/union.+select/i', $val);
+	// For XSS Injection done by adding javascript with script
 	$sql_inj += preg_match('/<script/i', $val);
+	// For XSS Injection done by adding javascript with onmousemove, etc... (closing a src or href tag with not cleaned param)
+	if ($get) $sql_inj += preg_match('/"/i', $val);	// We refused " in GET parameters value
 	return $sql_inj;
 }
-function analyse_sql_and_script(&$var)
+function analyse_sql_and_script(&$var,$get)
 {
 	if (is_array($var))
 	{
 		$result = array();
 		foreach ($var as $key => $value)
 		{
-			if (test_sql_and_script_inject($key) > 0)
+			if (test_sql_and_script_inject($key,$get) > 0)
 			{
 				print 'Access refused by SQL/Script injection protection in main.inc.php';
 				exit;
 			}
 			else
 			{
-				if (analyse_sql_and_script($value))
+				if (analyse_sql_and_script($value,$get))
 				{
 					$var[$key] = $value;
 				}
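Review bot: `@set_magic_quotes_runtime(0);` has been moved inside the inner block that strips slashes, which from its indentation looks to be the `get_magic_quotes_gpc()` branch (the enclosing `if` starts outside the hunk). `magic_quotes_runtime` is an ini setting independent of `magic_quotes_gpc`, so after this change it is only switched off when GPC quoting happens to be on; unless that is intended, the call belongs where it was, directly under the `function_exists` check. In `test_sql_and_script_inject` the `i` modifier on `/"/i` has no effect on a literal quote and can be dropped, and a comment should make clear that these patterns are a coarse heuristic — the protection for values reaching SQL or HTML remains escaping at the point of use in each page, not this filter.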
@@ -106,11 +110,11 @@ function analyse_sql_and_script(&$var)
 	}
 	else
 	{
-		return (test_sql_and_script_inject($var) <= 0);
+		return (test_sql_and_script_inject($var,$get) <= 0);
 	}
 }
-analyse_sql_and_script($_GET);
-analyse_sql_and_script($_POST);
+analyse_sql_and_script($_GET,1);
+analyse_sql_and_script($_POST,0);
 
 // This is to make Dolibarr working with Plesk
 set_include_path($_SERVER['DOCUMENT_ROOT'].'/htdocs');
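Review bot: The `1`/`0` passed as the new second argument are bare literals whose meaning is only recoverable by reading `test_sql_and_script_inject`; a comment on these two lines such as `// 2nd arg: 1 = GET (double quotes refused), 0 = POST`, or a named constant, would make the call sites self-explanatory. Note also that `$_COOKIE` is run through the magic-quotes handling in the first hunk but not through `analyse_sql_and_script` here; if cookie values reach SQL or HTML output anywhere, they deserve the same pass.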
diff --git a/htdocs/product/composition/fiche.php b/htdocs/product/composition/fiche.php
index 2def135a32b..9378c982314 100644
--- a/htdocs/product/composition/fiche.php
+++ b/htdocs/product/composition/fiche.php
@@ -124,7 +124,6 @@ if($action == 'search' )
 		$sql.= " AND cp.fk_categorie ='".addslashes($catMere)."'";
 	}
 	$sql.= " ORDER BY p.ref ASC";
-	// $sql.= $db->plimit($limit + 1 ,$offset);
 
 	$resql = $db->query($sql) ;
 }
diff --git a/htdocs/product/document.php b/htdocs/product/document.php
index 5b5c19e683d..38aac4c135b 100755
--- a/htdocs/product/document.php
+++ b/htdocs/product/document.php
@@ -48,16 +48,15 @@ if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'produit|service',$id,'product','','',$fieldid);
 
 // Get parameters
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-if (! $sortorder) $sortorder="ASC";
-if (! $sortfield) $sortfield="name";
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $page ;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
+if (! $sortorder) $sortorder="ASC";
+if (! $sortfield) $sortfield="name";
 
 
 $product = new Product($db);
diff --git a/htdocs/product/liste.php b/htdocs/product/liste.php
index 533cfb61660..8836e74527b 100644
--- a/htdocs/product/liste.php
+++ b/htdocs/product/liste.php
@@ -33,7 +33,7 @@ if ($conf->categorie->enabled) require_once(DOL_DOCUMENT_ROOT."/categories/class
 $langs->load("products");
 $langs->load("stocks");
 
-$canvas=GETPOST('canvas','',1);
+$canvas=GETPOST('canvas','alpha');
 
 $sref=GETPOST("sref");
 $sbarcode=GETPOST("sbarcode");
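Review bot: `GETPOST('canvas','',1)` became `GETPOST('canvas','alpha')`, which adds the character check but also drops the `method=1` argument, so `canvas` is now accepted from POST as well as GET (GETPOST's method 0 reads both). If restricting it to the query string was deliberate, keep the third argument: `$canvas=GETPOST('canvas','alpha',1);`.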
@@ -41,13 +41,17 @@ $snom=GETPOST("snom");
 $sall=GETPOST("sall");
 $type=GETPOST("type","int");
 
-$sortfield = GETPOST("sortfield");
-$sortorder = GETPOST("sortorder");
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortfield) $sortfield="p.ref";
 if (! $sortorder) $sortorder="ASC";
-$page = $_GET["page"];
+
 $limit = $conf->liste_limit;
-$offset = $limit * $page ;
 
 // Security check
 if ($type=='0') $result=restrictedArea($user,'produit',$id,'product','','',$fieldid);
diff --git a/htdocs/product/stats/commande.php b/htdocs/product/stats/commande.php
index 2377f8daa9e..05f03cd398f 100644
--- a/htdocs/product/stats/commande.php
+++ b/htdocs/product/stats/commande.php
@@ -45,13 +45,13 @@ $result=restrictedArea($user,'produit|service',$id,'product','','',$fieldid);
 
 $mesg = '';
 
-$page = $_GET["page"];
-$sortfield=$_GET["sortfield"];
-$sortorder=$_GET["sortorder"];
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $_GET["page"] ;
-$pageprev = $_GET["page"] - 1;
-$pagenext = $_GET["page"] + 1;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="c.date_commande";
 
diff --git a/htdocs/product/stats/commande_fournisseur.php b/htdocs/product/stats/commande_fournisseur.php
index 561754dac3c..5720d45f891 100644
--- a/htdocs/product/stats/commande_fournisseur.php
+++ b/htdocs/product/stats/commande_fournisseur.php
@@ -45,13 +45,13 @@ $result=restrictedArea($user,'produit|service',$id,'product','','',$fieldid);
 
 $mesg = '';
 
-$page = $_GET["page"];
-$sortfield=$_GET["sortfield"];
-$sortorder=$_GET["sortorder"];
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $_GET["page"] ;
-$pageprev = $_GET["page"] - 1;
-$pagenext = $_GET["page"] + 1;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="c.date_commande";
 
diff --git a/htdocs/product/stats/contrat.php b/htdocs/product/stats/contrat.php
index e2ea1510be1..cc2bf0ec89e 100644
--- a/htdocs/product/stats/contrat.php
+++ b/htdocs/product/stats/contrat.php
@@ -45,13 +45,13 @@ $result=restrictedArea($user,'produit|service',$id,'product','','',$fieldid);
 
 $mesg = '';
 
-$page = $_GET["page"];
-$sortfield=$_GET["sortfield"];
-$sortorder=$_GET["sortorder"];
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $_GET["page"] ;
-$pageprev = $_GET["page"] - 1;
-$pagenext = $_GET["page"] + 1;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="c.date_contrat";
 
diff --git a/htdocs/product/stats/facture.php b/htdocs/product/stats/facture.php
index f69ba4e4df8..3c758e5a8f7 100644
--- a/htdocs/product/stats/facture.php
+++ b/htdocs/product/stats/facture.php
@@ -45,13 +45,13 @@ $result=restrictedArea($user,'produit|service',$id,'product','','',$fieldid);
 
 $mesg = '';
 
-$page = $_GET["page"];
-$sortfield=$_GET["sortfield"];
-$sortorder=$_GET["sortorder"];
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $_GET["page"] ;
-$pageprev = $_GET["page"] - 1;
-$pagenext = $_GET["page"] + 1;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="f.datef";
 
diff --git a/htdocs/product/stats/facture_fournisseur.php b/htdocs/product/stats/facture_fournisseur.php
index 5b6b939b014..1441cd5b44e 100644
--- a/htdocs/product/stats/facture_fournisseur.php
+++ b/htdocs/product/stats/facture_fournisseur.php
@@ -46,13 +46,13 @@ $result=restrictedArea($user,'produit|service',$id,'product','','',$fieldid);
 
 $mesg = '';
 
-$page = $_GET["page"];
-$sortfield=$_GET["sortfield"];
-$sortorder=$_GET["sortorder"];
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $_GET["page"] ;
-$pageprev = $_GET["page"] - 1;
-$pagenext = $_GET["page"] + 1;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="f.datef";
 
diff --git a/htdocs/product/stats/propal.php b/htdocs/product/stats/propal.php
index 26e3ed8db97..c88bba5e693 100644
--- a/htdocs/product/stats/propal.php
+++ b/htdocs/product/stats/propal.php
@@ -45,13 +45,13 @@ $result=restrictedArea($user,'produit|service',$id,'product','','',$fieldid);
 
 $mesg = '';
 
-$page = $_GET["page"];
-$sortfield=$_GET["sortfield"];
-$sortorder=$_GET["sortorder"];
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $_GET["page"] ;
-$pageprev = $_GET["page"] - 1;
-$pagenext = $_GET["page"] + 1;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="p.datep";
 
diff --git a/htdocs/product/stock/fiche.php b/htdocs/product/stock/fiche.php
index 6e330fae629..2165ac76d61 100644
--- a/htdocs/product/stock/fiche.php
+++ b/htdocs/product/stock/fiche.php
@@ -364,7 +364,6 @@ else
 				if (!$user->rights->service->hidden) $sql.=' AND (p.hidden=0 OR p.fk_product_type != 1)';
 			}
 			$sql.= $db->order($sortfield,$sortorder);
-			//$sql .= $db->plimit($limit + 1 ,$offset);
 
 			dol_syslog('List products sql='.$sql);
 			$resql = $db->query($sql) ;
diff --git a/htdocs/product/stock/user.php b/htdocs/product/stock/user.php
index f9289916b16..654d564b462 100644
--- a/htdocs/product/stock/user.php
+++ b/htdocs/product/stock/user.php
@@ -143,9 +143,6 @@ if ($_GET["id"])
 		$sql .= " WHERE ue.fk_user = u.rowid ";
 		$sql .= " AND ue.fk_entrepot = ".$entrepot->id;
 
-		//$sql .= $db->order($sortfield,$sortorder);
-		//$sql .= $db->plimit($limit + 1 ,$offset);
-
 		$resql = $db->query($sql) ;
 		if ($resql)
 		{
diff --git a/htdocs/projet/document.php b/htdocs/projet/document.php
index 763c204acb5..93d57366962 100644
--- a/htdocs/projet/document.php
+++ b/htdocs/projet/document.php
@@ -43,16 +43,15 @@ if ($user->societe_id > 0) $socid=$user->societe_id;
 $result=restrictedArea($user,'projet',$id,'');
 
 // Get parameters
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-if (! $sortorder) $sortorder="ASC";
-if (! $sortfield) $sortfield="name";
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $page ;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
+if (! $sortorder) $sortorder="ASC";
+if (! $sortfield) $sortfield="name";
 
 
 $id = $_GET['id'];
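Review bot: `$id = $_GET['id'];` at the end of this hunk is still read unfiltered, and it is assigned after `restrictedArea($user,'projet',$id,'')` on the line above the hunk has already run, so the permission check sees whatever `$id` held before this point (set outside the hunk, presumably) while the code below uses the raw GET value. Reading it once, before the check, with the same filter the commit applies elsewhere keeps both consistent: `$id = GETPOST('id','int');` above `restrictedArea`, and drop the trailing raw reassignment. If `$id` is in fact already initialised from `GETPOST` higher up (not visible here), the trailing line is simply redundant and can be removed.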
diff --git a/htdocs/projet/tasks/document.php b/htdocs/projet/tasks/document.php
index a9869e30e5a..71a040aa46d 100644
--- a/htdocs/projet/tasks/document.php
+++ b/htdocs/projet/tasks/document.php
@@ -48,16 +48,15 @@ if ($user->societe_id > 0) $socid = $user->societe_id;
 if (!$user->rights->projet->lire) accessforbidden();
 
 // Get parameters
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-if (! $sortorder) $sortorder="ASC";
-if (! $sortfield) $sortfield="name";
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $page ;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
+if (! $sortorder) $sortorder="ASC";
+if (! $sortfield) $sortfield="name";
 
 
 $id = $_GET['id'];
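Review bot: `$id = $_GET['id'];` on the hunk's last line is the one input this file still reads without the `GETPOST` filter the commit introduces for `sortfield`, `sortorder` and `page`, and it is taken after the `accessforbidden()` gate, which only checks the global `projet->lire` right rather than the specific task. `$id = GETPOST('id','int');` would keep a non-numeric id from reaching whatever query consumes it further down (outside the hunk). If a per-object check such as `restrictedArea` exists later in the file, it should take this filtered value.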
diff --git a/htdocs/public/members/public_list.php b/htdocs/public/members/public_list.php
index f50f5d3b60f..979db4cd3aa 100644
--- a/htdocs/public/members/public_list.php
+++ b/htdocs/public/members/public_list.php
@@ -59,19 +59,19 @@ function llxFooterVierge()
 }
 
 
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-$page=$_GET["page"];
 $filter=$_GET["filter"];
 $statut=isset($_GET["statut"])?$_GET["statut"]:'';
 
 if (! $sortorder) {  $sortorder="ASC"; }
 if (! $sortfield) {  $sortfield="nom"; }
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $page ;
-$pageprev = $page - 1;
-$pagenext = $page + 1;
 
 
 /*
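Review bot: `$filter=$_GET["filter"];` and the `$statut` read that follow the new block are still raw, and on a public, unauthenticated members list they are the inputs most likely to be attacker-controlled; the commit filters only the sort/pagination trio. Unless the filter value legitimately needs arbitrary characters, `$filter = GETPOST('filter','alpha');` and `$statut = GETPOST('statut','int');` would bring them in line (confirm `statut` is numeric here — its consumer is outside the hunk). The unguarded `$_GET["filter"]` also differs from the `isset` form used for `statut` one line later, so an absent parameter is handled inconsistently.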
diff --git a/htdocs/societe/document.php b/htdocs/societe/document.php
index e7f5becfad0..6ef3aa61869 100644
--- a/htdocs/societe/document.php
+++ b/htdocs/societe/document.php
@@ -47,19 +47,13 @@ if ($user->societe_id > 0)
 $result = restrictedArea($user, 'societe', $socid);
 
 // Get parameters
-$page=$_GET["page"];
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
-
-if (! $sortorder) $sortorder="ASC";
-if (! $sortfield) $sortfield="name";
-if ($page == -1) { $page = 0 ; }
-$offset = $conf->liste_limit * $page ;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
-
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
 if (! $sortorder) $sortorder="ASC";
 if (! $sortfield) $sortfield="name";
 
diff --git a/htdocs/societe/notify/fiche.php b/htdocs/societe/notify/fiche.php
index 4e8800ce6bb..b913a8fad1d 100644
--- a/htdocs/societe/notify/fiche.php
+++ b/htdocs/societe/notify/fiche.php
@@ -38,8 +38,13 @@ $socid = isset($_GET["socid"])?$_GET["socid"]:'';
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'societe','','');
 
-$sortorder=$_GET["sortorder"];
-$sortfield=$_GET["sortfield"];
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 if (! $sortorder) $sortorder="ASC";
 if (! $sortfield) $sortfield="c.name";
 
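Review bot: This hunk introduces `$page`, `$offset`, `$pageprev` and `$pagenext` into a file that previously read only `sortorder` and `sortfield`; nothing in the visible context shows the notification card paginating, so unless a `plimit()` or navigation call elsewhere in the file consumes them, this block was copied from the list pages and is dead code here. Either drop the four pagination lines or confirm the consumer exists. `$socid` on the hunk's context line is still taken raw from `$_GET` before being passed toward `restrictedArea`; `$socid = GETPOST('socid','int');` would match the treatment the commit applies to the other parameters.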
diff --git a/htdocs/user/group/index.php b/htdocs/user/group/index.php
index 36aab9bef62..697df76d0f6 100644
--- a/htdocs/user/group/index.php
+++ b/htdocs/user/group/index.php
@@ -36,13 +36,13 @@ $langs->load("users");
 
 $sall=isset($_GET["sall"])?$_GET["sall"]:$_POST["sall"];
 
-$sortfield = isset($_GET["sortfield"])?$_GET["sortfield"]:$_POST["sortfield"];
-$sortorder = isset($_GET["sortorder"])?$_GET["sortorder"]:$_POST["sortorder"];
-$page=isset($_GET["page"])?$_GET["page"]:$_POST["page"];
-if ($page < 0) $page = 0;
-
-$limit = $conf->liste_limit;
-$offset = $limit * $page ;
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 
 if (! $sortfield) $sortfield="g.nom";
 if (! $sortorder) $sortorder="ASC";
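Review bot: The removed `$limit = $conf->liste_limit;` is not reinstated on the new side, so any later `plimit($limit + 1, $offset)` or similar in this file (outside the hunk) now reads an undefined `$limit`; the sibling change to `user/index.php` keeps that assignment, which makes this look like an accidental drop. Reinstate `$limit = $conf->liste_limit;` after the new block. The guard also narrowed from `if ($page < 0) $page = 0;` to `== -1`, which lets every other negative page through to `$offset`; keeping the `< 0` form preserves the previous behaviour.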
diff --git a/htdocs/user/index.php b/htdocs/user/index.php
index 68d40be2016..6bd0ab4607d 100644
--- a/htdocs/user/index.php
+++ b/htdocs/user/index.php
@@ -38,14 +38,14 @@ if ($user->societe_id > 0) $socid = $user->societe_id;
 
 $sall=isset($_GET["sall"])?$_GET["sall"]:$_POST["sall"];
 
-$sortfield = isset($_GET["sortfield"])?$_GET["sortfield"]:$_POST["sortfield"];
-$sortorder = isset($_GET["sortorder"])?$_GET["sortorder"]:$_POST["sortorder"];
-$page=isset($_GET["page"])?$_GET["page"]:$_POST["page"];
-if ($page < 0) $page = 0;
-
+$sortfield = GETPOST("sortfield",'alpha');
+$sortorder = GETPOST("sortorder",'alpha');
+$page = GETPOST("page",'int');
+if ($page == -1) { $page = 0; }
+$offset = $conf->liste_limit * $page;
+$pageprev = $page - 1;
+$pagenext = $page + 1;
 $limit = $conf->liste_limit;
-$offset = $limit * $page ;
-
 if (! $sortfield) $sortfield="u.login";
 if (! $sortorder) $sortorder="ASC";
 
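Review bot: `$sall` on the line above the new block is still read raw from `$_GET`/`$_POST`, and a free-text search term is the parameter most likely to be interpolated into a `LIKE` clause further down (not visible here); `$sall = GETPOST('sall','alpha');` would apply the same treatment the commit gives the sort and page parameters, provided 'alpha' does not strip characters the search legitimately needs. The page guard also changed from `< 0` to `== -1`, so negative pages other than -1 now reach `$offset`; `if ($page < 0) $page = 0;` keeps the old clamp.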
-- 
GitLab