From da8e71b2c52c6970825571ee936ee3469167f09c Mon Sep 17 00:00:00 2001 From: Laurent Destailleur <eldy@destailleur.fr> Date: Thu, 20 Aug 2015 16:05:29 +0200 Subject: [PATCH] Fix #3309 --- htdocs/societe/class/societe.class.php | 2 +- htdocs/user/card.php | 2 +- htdocs/user/class/user.class.php | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/htdocs/societe/class/societe.class.php b/htdocs/societe/class/societe.class.php index 0869f46c575..fb99c05728c 100644 --- a/htdocs/societe/class/societe.class.php +++ b/htdocs/societe/class/societe.class.php @@ -672,7 +672,7 @@ class Societe extends CommonObject $this->localtax2_value=trim($this->localtax2_value); $this->capital=price2num(trim($this->capital),'MT'); - if (empty($this->capital)) $this->capital = 0; + if (empty($this->capital) || ! is_numeric($this->capital)) $this->capital = 0; $this->effectif_id=trim($this->effectif_id); $this->forme_juridique_code=trim($this->forme_juridique_code); diff --git a/htdocs/user/card.php b/htdocs/user/card.php index 737af4baa27..6693544f78d 100644 --- a/htdocs/user/card.php +++ b/htdocs/user/card.php @@ -709,7 +709,7 @@ if (($action == 'create') || ($action == 'adduserldap')) print '<form action="'.$_SERVER['PHP_SELF'].'" method="POST" name="createuser">'; print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">'; print '<input type="hidden" name="action" value="add">'; - if (! empty($ldap_sid)) print '<input type="hidden" name="ldap_sid" value="'.$ldap_sid.'">'; + if (! empty($ldap_sid)) print '<input type="hidden" name="ldap_sid" value="'.dol_escape_htmltag($ldap_sid).'">'; print '<input type="hidden" name="entity" value="'.$conf->entity.'">'; print '<table class="border" width="100%">'; diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php index 280e6491f17..dce4dbcf720 100644 --- a/htdocs/user/class/user.class.php +++ b/htdocs/user/class/user.class.php @@ -182,7 +182,7 @@ class User extends CommonObject if ($sid) // permet une recherche du user par son SID ActiveDirectory ou Samba { - $sql.= " AND (u.ldap_sid = '".$sid."' OR u.login = '".$this->db->escape($login)."') LIMIT 1"; + $sql.= " AND (u.ldap_sid = '".$this->db->escape($sid)."' OR u.login = '".$this->db->escape($login)."') LIMIT 1"; } else if ($login) { @@ -845,7 +845,7 @@ class User extends CommonObject else { $sql = "INSERT INTO ".MAIN_DB_PREFIX."user (datec,login,ldap_sid,entity)"; - $sql.= " VALUES('".$this->db->idate($this->datec)."','".$this->db->escape($this->login)."','".$this->ldap_sid."',".$this->db->escape($this->entity).")"; + $sql.= " VALUES('".$this->db->idate($this->datec)."','".$this->db->escape($this->login)."','".$this->db->escape($this->ldap_sid)."',".$this->db->escape($this->entity).")"; $result=$this->db->query($sql); dol_syslog(get_class($this)."::create", LOG_DEBUG); -- GitLab