Commit dda17f40 authored by Cédric Gross, committed by Juanjo Menent

Security fix

parent 2031cdfd
...@@ -39,6 +39,7 @@ $action=GETPOST('action'); ...@@ -39,6 +39,7 @@ $action=GETPOST('action');
$sortfield = GETPOST("sortfield",'alpha'); $sortfield = GETPOST("sortfield",'alpha');
$sortorder = GETPOST("sortorder",'alpha'); $sortorder = GETPOST("sortorder",'alpha');
$id = GETPOST("id",'int');
if (! $sortfield) $sortfield="p.ref"; if (! $sortfield) $sortfield="p.ref";
if (! $sortorder) $sortorder="DESC"; if (! $sortorder) $sortorder="DESC";
...@@ -109,7 +110,7 @@ if ($action == 'confirm_delete' && $_REQUEST["confirm"] == 'yes' && $user->right ...@@ -109,7 +110,7 @@ if ($action == 'confirm_delete' && $_REQUEST["confirm"] == 'yes' && $user->right
if ($action == 'update' && $_POST["cancel"] <> $langs->trans("Cancel")) if ($action == 'update' && $_POST["cancel"] <> $langs->trans("Cancel"))
{ {
$object = new Entrepot($db); $object = new Entrepot($db);
if ($object->fetch($_POST["id"])) if ($object->fetch($id))
{ {
$object->libelle = $_POST["libelle"]; $object->libelle = $_POST["libelle"];
$object->description = $_POST["desc"]; $object->description = $_POST["desc"];
...@@ -120,23 +121,20 @@ if ($action == 'update' && $_POST["cancel"] <> $langs->trans("Cancel")) ...@@ -120,23 +121,20 @@ if ($action == 'update' && $_POST["cancel"] <> $langs->trans("Cancel"))
$object->town = $_POST["town"]; $object->town = $_POST["town"];
$object->country_id = $_POST["country_id"]; $object->country_id = $_POST["country_id"];
if ( $object->update($_POST["id"], $user) > 0) if ( $object->update($id, $user) > 0)
{ {
$action = ''; $action = '';
$_GET["id"] = $_POST["id"];
//$mesg = '<div class="ok">Fiche mise a jour</div>'; //$mesg = '<div class="ok">Fiche mise a jour</div>';
} }
else else
{ {
$action = 'edit'; $action = 'edit';
$_GET["id"] = $_POST["id"];
$mesg = '<div class="error">'.$object->error.'</div>'; $mesg = '<div class="error">'.$object->error.'</div>';
} }
} }
else else
{ {
$action = 'edit'; $action = 'edit';
$_GET["id"] = $_POST["id"];
$mesg = '<div class="error">'.$object->error.'</div>'; $mesg = '<div class="error">'.$object->error.'</div>';
} }
} }
...@@ -144,7 +142,6 @@ if ($action == 'update' && $_POST["cancel"] <> $langs->trans("Cancel")) ...@@ -144,7 +142,6 @@ if ($action == 'update' && $_POST["cancel"] <> $langs->trans("Cancel"))
if ($_POST["cancel"] == $langs->trans("Cancel")) if ($_POST["cancel"] == $langs->trans("Cancel"))
{ {
$action = ''; $action = '';
$_GET["id"] = $_POST["id"];
} }
...@@ -219,12 +216,13 @@ if ($action == 'create') ...@@ -219,12 +216,13 @@ if ($action == 'create')
} }
else else
{ {
if ($_GET["id"]) $id=GETPOST("id",'int');
if ($id)
{ {
dol_htmloutput_mesg($mesg); dol_htmloutput_mesg($mesg);
$object = new Entrepot($db); $object = new Entrepot($db);
$result = $object->fetch($_GET["id"]); $result = $object->fetch($id);
if ($result < 0) if ($result < 0)
{ {
dol_print_error($db); dol_print_error($db);
...@@ -368,13 +366,13 @@ else ...@@ -368,13 +366,13 @@ else
print '<table class="noborder" width="100%">'; print '<table class="noborder" width="100%">';
print "<tr class=\"liste_titre\">"; print "<tr class=\"liste_titre\">";
print_liste_field_titre($langs->trans("Product"),"", "p.ref","&amp;id=".$_GET['id'],"","",$sortfield,$sortorder); print_liste_field_titre($langs->trans("Product"),"", "p.ref","&amp;id=".$id,"","",$sortfield,$sortorder);
print_liste_field_titre($langs->trans("Label"),"", "p.label","&amp;id=".$_GET['id'],"","",$sortfield,$sortorder); print_liste_field_titre($langs->trans("Label"),"", "p.label","&amp;id=".$id,"","",$sortfield,$sortorder);
print_liste_field_titre($langs->trans("Units"),"", "ps.reel","&amp;id=".$_GET['id'],"",'align="right"',$sortfield,$sortorder); print_liste_field_titre($langs->trans("Units"),"", "ps.reel","&amp;id=".$id,"",'align="right"',$sortfield,$sortorder);
print_liste_field_titre($langs->trans("AverageUnitPricePMPShort"),"", "ps.pmp","&amp;id=".$_GET['id'],"",'align="right"',$sortfield,$sortorder); print_liste_field_titre($langs->trans("AverageUnitPricePMPShort"),"", "ps.pmp","&amp;id=".$id,"",'align="right"',$sortfield,$sortorder);
print_liste_field_titre($langs->trans("EstimatedStockValueShort"),"", "","&amp;id=".$_GET['id'],"",'align="right"',$sortfield,$sortorder); print_liste_field_titre($langs->trans("EstimatedStockValueShort"),"", "","&amp;id=".$id,"",'align="right"',$sortfield,$sortorder);
if (empty($conf->global->PRODUIT_MULTIPRICES)) print_liste_field_titre($langs->trans("SellPriceMin"),"", "p.price","&amp;id=".$_GET['id'],"",'align="right"',$sortfield,$sortorder); if (empty($conf->global->PRODUIT_MULTIPRICES)) print_liste_field_titre($langs->trans("SellPriceMin"),"", "p.price","&amp;id=".$id,"",'align="right"',$sortfield,$sortorder);
if (empty($conf->global->PRODUIT_MULTIPRICES)) print_liste_field_titre($langs->trans("EstimatedStockValueSellShort"),"", "","&amp;id=".$_GET['id'],"",'align="right"',$sortfield,$sortorder); if (empty($conf->global->PRODUIT_MULTIPRICES)) print_liste_field_titre($langs->trans("EstimatedStockValueSellShort"),"", "","&amp;id=".$id,"",'align="right"',$sortfield,$sortorder);
if ($user->rights->stock->mouvement->creer) print '<td>&nbsp;</td>'; if ($user->rights->stock->mouvement->creer) print '<td>&nbsp;</td>';
if ($user->rights->stock->creer) print '<td>&nbsp;</td>'; if ($user->rights->stock->creer) print '<td>&nbsp;</td>';
print "</tr>"; print "</tr>";
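Review bot: The `$action == 'update'` handler still reaches `$object->update($id, $user)` with no permission check in its condition, while the neighbouring delete handler visible in the `@@ -109,7 +110,7 @@` header does test `$user->right…`; unless a `restrictedArea()` call earlier in the file (outside these hunks) already enforces it, any logged-in user can rewrite a warehouse by posting `action=update`. I would extend the guard to `if ($action == 'update' && $_POST["cancel"] <> $langs->trans("Cancel") && $user->rights->stock->creer)`, reusing the right the page already checks when printing the last column. Switching to `GETPOST("id",'int')` narrows the id, but the branch still does not verify `$id > 0` before `fetch($id)`, so a missing or zero id falls into the error path with whatever `$object->error` happens to hold; a `if ($id > 0 && $object->fetch($id))` would make the failure explicit. The other fields in the same block (`$_POST["libelle"]`, `$_POST["desc"]`, `$_POST["town"]`, `$_POST["country_id"]`) still bypass GETPOST entirely and deserve the same treatment in a follow-up.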