
Fix: Sanizite data

simnandez 13 سال پیش
والد
کامیت
2e7ce7647b
6فایلهای تغییر یافته به همراه61 افزوده شده و 47 حذف شده
  1. 7 7
      htdocs/admin/compta.php
  2. 29 16
      htdocs/admin/dons.php
  3. 17 16
      htdocs/admin/facture.php
  4. 1 1
      htdocs/admin/prelevement.php
  5. 3 3
      htdocs/admin/taxes.php
  6. 4 4
      htdocs/compta/bank/admin/bank.php

+ 7 - 7
htdocs/admin/compta.php

@@ -2,7 +2,7 @@
 /* Copyright (C) 2004      Rodolphe Quiedeville <rodolphe@quiedeville.org>
  * Copyright (C) 2004-2008 Laurent Destailleur  <eldy@users.sourceforge.net>
  * Copyright (C) 2005-2009 Regis Houssin        <regis@dolibarr.fr>
- * Copyright (C) 2011      Juanjo Menent	    <jmenent@2byte.es>
+ * Copyright (C) 2011-2012 Juanjo Menent	    <jmenent@2byte.es>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -33,13 +33,13 @@ $langs->load('compta');
 if (!$user->admin)
 accessforbidden();
 
-$action = GETPOST("action");
+$action = GETPOST('action','alpha');
 
 $compta_mode = defined('COMPTA_MODE')?COMPTA_MODE:'RECETTES-DEPENSES';
 
 if ($action == 'setcomptamode')
 {
-	$compta_mode = GETPOST("compta_mode");
+	$compta_mode = GETPOST('compta_mode','alpha');
 	
 	$res = dolibarr_set_const($db, 'COMPTA_MODE', $compta_mode,'chaine',0,'',$conf->entity);
 	
@@ -58,10 +58,10 @@ if ($action == 'setcomptamode')
 
 if ($action == 'update' || $action == 'add')
 {
-	$constname = GETPOST("constname");
-	$constvalue = GETPOST("constvalue");
-	$consttype = GETPOST("consttype");
-	$constnote = GETPOST("constnote");
+	$constname = GETPOST('constname','alpha');
+	$constvalue = GETPOST('constvalue','alpha');
+	$consttype = GETPOST('consttype','alpha');
+	$constnote = GETPOST('constnote','alpha');
 	
 	$res = dolibarr_set_const($db, $constname, $constvalue, $consttype, 0, $constnote, $conf->entity);
 	
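Review bot: `$consttype = GETPOST('consttype','alpha');` is handed straight to `dolibarr_set_const` as the stored type of the constant, so the request decides the type; the sibling admin page in this same commit (dons.php) enumerates the accepted types as `array('yesno','texte','chaine')`, and the matching whitelist test, `if (! in_array($consttype, array('yesno','texte','chaine'), true)) $consttype = 'chaine';`, belongs before the `dolibarr_set_const` call here. `$constname` likewise names an arbitrary constant to overwrite; checking it against the constants this page actually manages would keep the form from acting as a generic setter. The `update`/`add` block continues outside the hunk.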

+ 29 - 16
htdocs/admin/dons.php

@@ -1,5 +1,6 @@
 <?php
-/* Copyright (C) 2005-2010 Laurent Destailleur  <eldy@users.sourceforge.net>
+/* Copyright (C) 2005-2010  Laurent Destailleur  	<eldy@users.sourceforge.net>
+ * Copyright (C) 2012		Juanjo Menent			<jmenent@2byte.es>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -31,14 +32,16 @@ if (!$user->admin) accessforbidden();
 
 $typeconst=array('yesno','texte','chaine');
 
+$action = GETPOST('action','alpha');
+
 
 /*
  * Action
  */
 
-if ($_GET["action"] == 'specimen')
+if ($action == 'specimen')
 {
-    $modele=$_GET["module"];
+    $modele=GETPOST('module','alpha');
 
     $don = new Don($db);
     $don->initAsSpecimen();
@@ -71,25 +74,29 @@ if ($_GET["action"] == 'specimen')
     }
 }
 
-if ($_GET["action"] == 'setdoc')
+if ($action == 'setdoc')
 {
+	$value = GETPOST('value','alpha');
+	$label = GETPOST('label','alpha');
+	$scandir = GETPOST('scandir','alpha');
+	
     $db->begin();
 
-    if (dolibarr_set_const($db, "DON_ADDON_MODEL",$_GET["value"],'chaine',0,'',$conf->entity))
+    if (dolibarr_set_const($db, "DON_ADDON_MODEL",$value,'chaine',0,'',$conf->entity))
     {
-        $conf->global->DON_ADDON_MODEL = $_GET["value"];
+        $conf->global->DON_ADDON_MODEL = $value;
     }
 
     // On active le modele
     $type='donation';
     $sql_del = "DELETE FROM ".MAIN_DB_PREFIX."document_model";
-    $sql_del.= " WHERE nom = '".$db->escape($_GET["value"])."' AND type = '".$type."'";
+    $sql_del.= " WHERE nom = '".$db->escape($value)."' AND type = '".$type."'";
     $result1=$db->query($sql_del);
 
     $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)";
-    $sql.= " VALUES ('".$db->escape($_GET["value"])."', '".$type."', ".$conf->entity.", ";
-    $sql.= ($_GET["label"]?"'".$db->escape($_GET["label"])."'":'null').", ";
-    $sql.= (! empty($_GET["scandir"])?"'".$db->escape($_GET["scandir"])."'":"null");
+    $sql.= " VALUES ('".$db->escape($value)."', '".$type."', ".$conf->entity.", ";
+    $sql.= ($label?"'".$db->escape($label)."'":'null').", ";
+    $sql.= (! empty($scandir)?"'".$db->escape($scandir)."'":"null");
     $sql.= ")";
     $result2=$db->query($sql);
     if ($result1 && $result2)
@@ -102,22 +109,28 @@ if ($_GET["action"] == 'setdoc')
     }
 }
 
-if ($_GET["action"] == 'set')
+if ($action == 'set')
 {
+	$value = GETPOST('value','alpha');
+	$label = GETPOST('label','alpha');
+	$scandir = GETPOST('scandir','alpha');
+	
     $type='donation';
     $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)";
-    $sql.= " VALUES ('".$db->escape($_GET["value"])."','".$type."',".$conf->entity.", ";
-    $sql.= ($_GET["label"]?"'".$db->escape($_GET["label"])."'":'null').", ";
-    $sql.= (! empty($_GET["scandir"])?"'".$db->escape($_GET["scandir"])."'":"null");
+    $sql.= " VALUES ('".$db->escape($value)."','".$type."',".$conf->entity.", ";
+    $sql.= ($label?"'".$db->escape($label)."'":'null').", ";
+    $sql.= (! empty($scandir)?"'".$db->escape($scandir)."'":"null");
     $sql.= ")";
     $resql=$db->query($sql);
 }
 
-if ($_GET["action"] == 'del')
+if ($action == 'del')
 {
+	$value = GETPOST('value','alpha');
+	
     $type='donation';
     $sql = "DELETE FROM ".MAIN_DB_PREFIX."document_model";
-    $sql .= "  WHERE nom = '".$_GET["value"]."' AND type = '".$type."'";
+    $sql .= "  WHERE nom = '".$value."' AND type = '".$type."'";
     $resql=$db->query($sql);
 }
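Review bot: In the `del` branch the value read at the new line `$value = GETPOST('value','alpha');` is still concatenated unescaped into the DELETE statement (`WHERE nom = '".$value."'`), while the `setdoc` and `set` branches wrap the same variable in `$db->escape()`. Nothing in this diff shows the 'alpha' check rejecting single quotes, so it narrows input but does not replace escaping; the line should read `$sql .= "  WHERE nom = '".$db->escape($value)."' AND type = '".$type."'";`. The added assignment lines in the `setdoc`, `set` and `del` blocks are tab-indented while the surrounding bodies use four spaces; matching the existing indentation keeps the file consistent.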
 

+ 17 - 16
htdocs/admin/facture.php

@@ -4,6 +4,7 @@
  * Copyright (C) 2005		Eric Seigne					<eric.seigne@ryxeo.com>
  * Copyright (C) 2005-2012	Regis Houssin				<regis@dolibarr.fr>
  * Copyright (C) 2008		Raphael Bertrand (Resultic)	<raphael.bertrand@resultic.fr>
+ * Copyright (C) 2012		Juanjo Menent				<jmenent@2byte.es>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -44,10 +45,10 @@ $value = GETPOST('value','alpha');
 
 if ($action == 'updateMask')
 {
-    $maskconstinvoice=GETPOST("maskconstinvoice");
-    $maskconstcredit=GETPOST("maskconstcredit");
-    $maskinvoice=GETPOST("maskinvoice");
-    $maskcredit=GETPOST("maskcredit");
+    $maskconstinvoice=GETPOST('maskconstinvoice','alpha');
+    $maskconstcredit=GETPOST('maskconstcredit','alpha');
+    $maskinvoice=GETPOST('maskinvoice','alpha');
+    $maskcredit=GETPOST('maskcredit','alpha');
     if ($maskconstinvoice) $res = dolibarr_set_const($db,$maskconstinvoice,$maskinvoice,'chaine',0,'',$conf->entity);
     if ($maskconstcredit)  $res = dolibarr_set_const($db,$maskconstcredit,$maskcredit,'chaine',0,'',$conf->entity);
 
@@ -65,7 +66,7 @@ if ($action == 'updateMask')
 
 if ($action == 'specimen')
 {
-    $modele=GETPOST("module");
+    $modele=GETPOST('module','alpha');
 
     $facture = new Facture($db);
     $facture->initAsSpecimen();
@@ -116,8 +117,8 @@ if ($action == 'setModuleOptions')
     {
         if (array_key_exists('param'.$i,$_POST))
         {
-            $param=$_POST["param".$i];
-            $value=$_POST["value".$i];
+            $param=GETPOST("param".$i,'alpha');
+            $value=GETPOST("value".$i,'alpha');
             if ($param) $res = dolibarr_set_const($db,$param,$value,'chaine',0,'',$conf->entity);
         }
     }
@@ -135,8 +136,8 @@ if ($action == 'setModuleOptions')
 
 if ($action == 'set')
 {
-	$label = GETPOST("label");
-	$scandir = GETPOST("scandir");
+	$label = GETPOST('label','alpha');
+	$scandir = GETPOST('scandir','alpha');
 
     $type='invoice';
     $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)";
@@ -166,8 +167,8 @@ if ($action == 'del')
 
 if ($action == 'setdoc')
 {
-	$label = GETPOST("label");
-	$scandir = GETPOST("scandir");
+	$label = GETPOST('label','alpha');
+	$scandir = GETPOST('scandir','alpha');
 
     $db->begin();
 
@@ -214,8 +215,8 @@ if ($action == 'setmod')
 
 if ($action == 'setribchq')
 {
-	$rib = GETPOST("rib");
-	$chq = GETPOST("chq");
+	$rib = GETPOST('rib','alpha');
+	$chq = GETPOST('chq','alpha');
 
 	$res = dolibarr_set_const($db, "FACTURE_RIB_NUMBER",$rib,'chaine',0,'',$conf->entity);
     $res = dolibarr_set_const($db, "FACTURE_CHQ_NUMBER",$chq,'chaine',0,'',$conf->entity);
@@ -234,7 +235,7 @@ if ($action == 'setribchq')
 
 if ($action == 'set_FACTURE_DRAFT_WATERMARK')
 {
-	$draft = GETPOST("FACTURE_DRAFT_WATERMARK");
+	$draft = GETPOST('FACTURE_DRAFT_WATERMARK','alpha');
 
     $res = dolibarr_set_const($db, "FACTURE_DRAFT_WATERMARK",trim($draft),'chaine',0,'',$conf->entity);
 
@@ -252,7 +253,7 @@ if ($action == 'set_FACTURE_DRAFT_WATERMARK')
 
 if ($action == 'set_FACTURE_FREE_TEXT')
 {
-	$free = GETPOST("FACTURE_FREE_TEXT");
+	$free = GETPOST('FACTURE_FREE_TEXT','alpha');
 
     $res = dolibarr_set_const($db, "FACTURE_FREE_TEXT",$free,'chaine',0,'',$conf->entity);
 
@@ -270,7 +271,7 @@ if ($action == 'set_FACTURE_FREE_TEXT')
 
 if ($action == 'setforcedate')
 {
-	$forcedate = GETPOST("forcedate");
+	$forcedate = GETPOST('forcedate','alpha');
 
     $res = dolibarr_set_const($db, "FAC_FORCE_DATE_VALIDATION",$forcedate,'chaine',0,'',$conf->entity);
 
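Review bot: In the `setModuleOptions` loop the guard on the line above, `array_key_exists('param'.$i,$_POST)`, tests the POST body, but the replacement reads `GETPOST("param".$i,'alpha')` and `GETPOST("value".$i,'alpha')`; if GETPOST's default lookup reads `$_GET` as well as `$_POST`, a query-string parameter of the same name can now shadow the posted value the guard checked. Restrict the read to the source the guard tests (GETPOST's source-selection argument, if this version has it, or `$_POST` directly with the same check) so the two agree. Separately, `FACTURE_FREE_TEXT` and `FACTURE_DRAFT_WATERMARK` are free-text settings; if the 'alpha' check discards a value containing a character it rejects, such text would be saved as empty without feedback, which is worth confirming before relying on it for these two fields. The `setModuleOptions` block starts outside its hunk.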

+ 1 - 1
htdocs/admin/prelevement.php

@@ -35,7 +35,7 @@ $langs->load("withdrawals");
 // Security check
 if (!$user->admin) accessforbidden();
 
-$action = GETPOST("action");
+$action = GETPOST('action','alpha');
 
 
 /*

+ 3 - 3
htdocs/admin/taxes.php

@@ -2,7 +2,7 @@
 /* Copyright (C) 2004      Rodolphe Quiedeville <rodolphe@quiedeville.org>
  * Copyright (C) 2004-2008 Laurent Destailleur  <eldy@users.sourceforge.net>
  * Copyright (C) 2005-2009 Regis Houssin        <regis@dolibarr.fr>
- * Copyright (C) 2011 	   Juanjo Menent		<jmenent@2byte.es>
+ * Copyright (C) 2011-2012 Juanjo Menent		<jmenent@2byte.es>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -31,7 +31,7 @@ $langs->load('admin');
 
 if (!$user->admin) accessforbidden();
 
-$action = GETPOST("action");
+$action = GETPOST('action','alpha');
 
 /*
  * Actions
@@ -53,7 +53,7 @@ $tax_mode = empty($conf->global->TAX_MODE)?0:$conf->global->TAX_MODE;
 
 if ($action == 'settaxmode')
 {
-    $tax_mode = GETPOST("tax_mode");
+    $tax_mode = GETPOST('tax_mode','alpha');
 
     $db->begin();
 
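Review bot: `$tax_mode = GETPOST('tax_mode','alpha');` reads a setting the file treats as a number (the hunk header shows `$tax_mode = empty($conf->global->TAX_MODE)?0:$conf->global->TAX_MODE;`), so GETPOST's `'int'` check fits better than `'alpha'`: `$tax_mode = GETPOST('tax_mode','int');`. Whichever check is used, the value is persisted without being compared against the modes the page accepts; a whitelist test before `$db->begin()` would reject unexpected values instead of storing them. The `settaxmode` block continues outside the hunk.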

+ 4 - 4
htdocs/compta/bank/admin/bank.php

@@ -1,6 +1,6 @@
 <?php
 /* Copyright (C) 2009 		Laurent Destailleur            <eldy@users.sourceforge.net>
- * Copyright (C) 2010-2011  Juanjo Menent			       <jmenent@2byte.es>
+ * Copyright (C) 2010-2012  Juanjo Menent			       <jmenent@2byte.es>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -36,7 +36,7 @@ $langs->load("banks");
 if (!$user->admin)
   accessforbidden();
 
-$action = GETPOST("action");
+$action = GETPOST('action','alpha');
 
 
 /*
@@ -45,7 +45,7 @@ $action = GETPOST("action");
 
 if ($action == 'set_BANK_CHEQUERECEIPT_FREE_TEXT')
 {
-	$free = GETPOST("BANK_CHEQUERECEIPT_FREE_TEXT");
+	$free = GETPOST('BANK_CHEQUERECEIPT_FREE_TEXT','alpha');
     $res = dolibarr_set_const($db, "BANK_CHEQUERECEIPT_FREE_TEXT",$free,'chaine',0,'',$conf->entity);
 
 	if (! $res > 0) $error++;
@@ -63,7 +63,7 @@ if ($action == 'set_BANK_CHEQUERECEIPT_FREE_TEXT')
 //Order display of bank account
 if ($action == 'setbankorder')
 {
-	if (dolibarr_set_const($db, "BANK_SHOW_ORDER_OPTION",$_GET["value"],'chaine',0,'',$conf->entity) > 0)
+	if (dolibarr_set_const($db, "BANK_SHOW_ORDER_OPTION",GETPOST('value','alpha'),'chaine',0,'',$conf->entity) > 0)
 	{
 		Header("Location: ".$_SERVER["PHP_SELF"]);
 		exit;
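Review bot: The line `if (! $res > 0) $error++;` just below the new `$free = GETPOST('BANK_CHEQUERECEIPT_FREE_TEXT','alpha');` is a precedence slip: PHP parses it as `(! $res) > 0`, which is true only when `$res` is falsy, so if `dolibarr_set_const` reports failure with a negative value (as the `> 0` test in the `setbankorder` hunk suggests) `$error` is never incremented. It is a context line the commit leaves untouched, but it sits in the branch being edited; the intended form is `if ($res <= 0) $error++;`. In the `setbankorder` hunk the value is now read inline via `GETPOST('value','alpha')` inside the condition; binding it to a variable first would match the other branches in this commit. The `set_BANK_CHEQUERECEIPT_FREE_TEXT` block continues outside its hunk.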