Laurent Destailleur 3 vuotta sitten
vanhempi
commit
51a4d7630f
44 muutettua tiedostoa jossa 193 lisäystä ja 219 poistoa
  1. 2 2
      htdocs/compta/facture/class/facture.class.php
  2. 2 2
      htdocs/compta/stats/byratecountry.php
  3. 1 1
      htdocs/compta/tva/class/tva.class.php
  4. 4 4
      htdocs/compta/tva/list.php
  5. 2 2
      htdocs/contact/class/contact.class.php
  6. 1 1
      htdocs/contact/list.php
  7. 3 3
      htdocs/contrat/class/contrat.class.php
  8. 7 7
      htdocs/contrat/index.php
  9. 5 5
      htdocs/contrat/list.php
  10. 3 6
      htdocs/core/ajax/check_notifications.php
  11. 1 1
      htdocs/core/boxes/box_services_expired.php
  12. 2 2
      htdocs/core/boxes/box_validated_projects.php
  13. 3 4
      htdocs/core/class/commoninvoice.class.php
  14. 70 70
      htdocs/core/class/commonobject.class.php
  15. 2 2
      htdocs/core/class/commonobjectline.class.php
  16. 1 1
      htdocs/core/class/coreobject.class.php
  17. 10 10
      htdocs/core/class/discount.class.php
  18. 2 2
      htdocs/core/class/dolreceiptprinter.class.php
  19. 6 6
      htdocs/core/class/extrafields.class.php
  20. 1 0
      htdocs/core/class/hookmanager.class.php
  21. 3 3
      htdocs/core/class/html.form.class.php
  22. 1 1
      htdocs/core/class/html.formmail.class.php
  23. 2 2
      htdocs/core/class/utils.class.php
  24. 1 1
      htdocs/core/class/validate.class.php
  25. 30 29
      htdocs/core/customreports.php
  26. 1 1
      htdocs/core/db/pgsql.class.php
  27. 6 11
      htdocs/core/db/sqlite3.class.php
  28. 2 2
      htdocs/core/lib/admin.lib.php
  29. 1 1
      htdocs/core/lib/company.lib.php
  30. 0 19
      htdocs/core/lib/files.lib.php
  31. 2 2
      htdocs/core/lib/invoice.lib.php
  32. 1 1
      htdocs/core/lib/order.lib.php
  33. 1 1
      htdocs/core/lib/propal.lib.php
  34. 3 3
      htdocs/core/modules/modFournisseur.class.php
  35. 2 2
      htdocs/core/modules/modSociete.class.php
  36. 1 1
      htdocs/expensereport/class/expensereport.class.php
  37. 1 1
      htdocs/fichinter/index.php
  38. 1 1
      htdocs/fourn/class/fournisseur.facture.class.php
  39. 1 1
      htdocs/fourn/commande/index.php
  40. 1 1
      htdocs/fourn/paiement/list.php
  41. 1 1
      htdocs/loan/class/loan.class.php
  42. 1 1
      htdocs/product/stock/replenishorders.php
  43. 1 1
      htdocs/salaries/class/salary.class.php
  44. 1 1
      htdocs/supplier_proposal/index.php

+ 2 - 2
htdocs/compta/facture/class/facture.class.php

@@ -4890,8 +4890,8 @@ class Facture extends CommonInvoice
 		if ($this->statut >= 0) {
 			$fieldname = 'retained_warranty_date_limit';
 			$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element;
-			$sql .= ' SET '.$fieldname.' = '.(strval($timestamp) != '' ? '\''.$this->db->idate($timestamp).'\'' : 'null');
-			$sql .= ' WHERE rowid='.((int) $this->id);
+			$sql .= " SET ".$fieldname." = ".(strval($timestamp) != '' ? "'".$this->db->idate($timestamp)."'" : 'null');
+			$sql .= ' WHERE rowid = '.((int) $this->id);
 
 			if ($this->db->query($sql)) {
 				$this->retained_warranty_date_limit = $timestamp;

+ 2 - 2
htdocs/compta/stats/byratecountry.php

@@ -306,7 +306,7 @@ if ($modecompta == 'CREANCES-DETTES') {
 	$sql .= " fd.product_type AS product_type,";
 	$sql .= " cc.code, cc.label AS country,";
 	for ($i = 1; $i <= 12; $i++) {
-		$sql .= " SUM(".$db->ifsql('MONTH(f.datef)='.$i, 'fd.total_ht', '0').") AS month".str_pad($i, 2, '0', STR_PAD_LEFT).",";
+		$sql .= " SUM(".$db->ifsql("MONTH(f.datef)=".$i, "fd.total_ht", "0").") AS month".str_pad($i, 2, "0", STR_PAD_LEFT).",";
 	}
 	$sql .= "  SUM(fd.total_ht) as total";
 	$sql .= " FROM ".MAIN_DB_PREFIX."facturedet as fd";
@@ -393,7 +393,7 @@ if ($modecompta == 'CREANCES-DETTES') {
 	$sql2 .= " ffd.product_type AS product_type,";
 	$sql2 .= " cc.code, cc.label AS country,";
 	for ($i = 1; $i <= 12; $i++) {
-		$sql2 .= " SUM(".$db->ifsql('MONTH(ff.datef)='.$i, 'ffd.total_ht', '0').") AS month".str_pad($i, 2, '0', STR_PAD_LEFT).",";
+		$sql2 .= " SUM(".$db->ifsql("MONTH(ff.datef)=".$i, "ffd.total_ht", "0").") AS month".str_pad($i, 2, "0", STR_PAD_LEFT).",";
 	}
 	$sql2 .= "  SUM(ffd.total_ht) as total";
 	$sql2 .= " FROM ".MAIN_DB_PREFIX."facture_fourn_det as ffd";

+ 1 - 1
htdocs/compta/tva/class/tva.class.php

@@ -768,7 +768,7 @@ class Tva extends CommonObject
 
 		$sql = 'SELECT sum(amount) as amount';
 		$sql .= ' FROM '.MAIN_DB_PREFIX.$table;
-		$sql .= ' WHERE '.$field.' = '.((int) $this->id);
+		$sql .= " WHERE ".$field." = ".((int) $this->id);
 
 		dol_syslog(get_class($this)."::getSommePaiement", LOG_DEBUG);
 		$resql = $this->db->query($sql);

+ 4 - 4
htdocs/compta/tva/list.php

@@ -161,16 +161,16 @@ if (!empty($search_label)) {
 	$sql .= natural_search('t.label', $search_label);
 }
 if (!empty($search_dateend_start)) {
-	$sql .= ' AND t.datev >= "'.$db->idate($search_dateend_start).'"';
+	$sql .= " AND t.datev >= '".$db->idate($search_dateend_start)."'";
 }
 if (!empty($search_dateend_end)) {
-	$sql .= ' AND t.datev <= "'.$db->idate($search_dateend_end).'"';
+	$sql .= " AND t.datev <= '".$db->idate($search_dateend_end)."'";
 }
 if (!empty($search_datepayment_start)) {
-	$sql .= ' AND t.datep >= "'.$db->idate($search_datepayment_start).'"';
+	$sql .= " AND t.datep >= '".$db->idate($search_datepayment_start)."'";
 }
 if (!empty($search_datepayment_end)) {
-	$sql .= ' AND t.datep <= "'.$db->idate($search_datepayment_end).'"';
+	$sql .= " AND t.datep <= '".$db->idate($search_datepayment_end)."'";
 }
 if (!empty($search_type) && $search_type > 0) {
 	$sql .= ' AND t.fk_typepayment = '.((int) $search_type);

+ 2 - 2
htdocs/contact/class/contact.class.php

@@ -388,8 +388,8 @@ class Contact extends CommonObject
 			$sql .= " WHERE sp.fk_soc = s.rowid AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 			$clause = "AND";
 		}
-		$sql .= ' '.$clause.' sp.entity IN ('.getEntity($this->element).')';
-		$sql .= " AND (sp.priv='0' OR (sp.priv='1' AND sp.fk_user_creat=".((int) $user->id)."))";
+		$sql .= " ".$clause." sp.entity IN (".getEntity($this->element).")";
+		$sql .= " AND (sp.priv='0' OR (sp.priv='1' AND sp.fk_user_creat = ".((int) $user->id)."))";
 		if ($user->socid > 0) {
 			$sql .= " AND sp.fk_soc = ".((int) $user->socid);
 		}

+ 1 - 1
htdocs/contact/list.php

@@ -478,7 +478,7 @@ if (strlen($search_fax)) {
 if (!empty($conf->socialnetworks->enabled)) {
 	foreach ($socialnetworks as $key => $value) {
 		if ($value['active'] && strlen($search_[$key])) {
-			$sql .= ' AND p.socialnetworks LIKE \'%"'.$key.'":"'.$search_[$key].'%\'';
+			$sql .= " AND p.socialnetworks LIKE '%\"".$key."\":\"".$search_[$key]."%'";
 		}
 	}
 }
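Review bot: `$search_[$key]` is concatenated into the LIKE pattern on the changed line without `$db->escape()`, so a quote character in the search value ends the SQL string literal. The hunk does not show where `$search_` is filled, but the name suggests request input. Escape both the literal and the LIKE wildcards, e.g. `$sql .= " AND p.socialnetworks LIKE '%\"".$db->escape($key)."\":\"".$db->escape($db->escapeforlike($search_[$key]))."%'";`. `$key` comes from `$socialnetworks`, which is also defined outside the hunk, so escaping it as well costs nothing.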

+ 3 - 3
htdocs/contrat/class/contrat.class.php

@@ -1222,7 +1222,7 @@ class Contrat extends CommonObject
 
 		// Delete llx_ecm_files
 		if (!$error) {
-			$sql = 'DELETE FROM '.MAIN_DB_PREFIX."ecm_files WHERE src_object_type = '".$this->db->escape($this->table_element.(empty($this->module) ? '' : '@'.$this->module))."' AND src_object_id = ".((int) $this->id);
+			$sql = 'DELETE FROM '.MAIN_DB_PREFIX."ecm_files WHERE src_object_type = '".$this->db->escape($this->table_element.(empty($this->module) ? "" : "@".$this->module))."' AND src_object_id = ".((int) $this->id);
 			$resql = $this->db->query($sql);
 			if (!$resql) {
 				$this->error = $this->db->lasterror();
@@ -3257,12 +3257,12 @@ class ContratLigne extends CommonObjectLine
 		$sql .= " '".$this->db->escape($this->info_bits)."',";
 		$sql .= " ".price2num($this->price_ht).",".price2num($this->remise).",";
 		if ($this->fk_fournprice > 0) {
-			$sql .= ' '.$this->fk_fournprice.',';
+			$sql .= ' '.((int) $this->fk_fournprice).',';
 		} else {
 			$sql .= ' null,';
 		}
 		if ($this->pa_ht > 0) {
-			$sql .= ' '.price2num($this->pa_ht);
+			$sql .= ' '.((float) price2num($this->pa_ht));
 		} else {
 			$sql .= ' null';
 		}
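Review bot: The `(float)` cast on `price2num($this->pa_ht)` makes the value safe to concatenate, but PHP then converts the float back to a string. On PHP versions before 8.0 that conversion follows the LC_NUMERIC locale, and it can switch to exponent notation or round for very small or very large amounts. Formatting explicitly keeps the hardening without that dependency, e.g. `$sql .= ' '.number_format((float) price2num($this->pa_ht), 8, '.', '');` (the 8 is a placeholder for the project's chosen precision). The same round trip is introduced in the `update_price` hunk of htdocs/core/class/commonobject.class.php. Two lines above, `price2num($this->price_ht)` and `price2num($this->remise)` are still concatenated with no cast; the INSERT statement starts and ends outside this hunk.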

+ 7 - 7
htdocs/contrat/index.php

@@ -99,7 +99,7 @@ $sql .= " WHERE cd.fk_contrat = c.rowid AND c.fk_soc = s.rowid";
 $sql .= " AND (cd.statut != 4 OR (cd.statut = 4 AND (cd.date_fin_validite is null or cd.date_fin_validite >= '".$db->idate($now)."')))";
 $sql .= " AND c.entity IN (".getEntity('contract', 0).")";
 if ($user->socid) {
-	$sql .= ' AND c.fk_soc = '.$user->socid;
+	$sql .= ' AND c.fk_soc = '.((int) $user->socid);
 }
 if (!$user->rights->societe->client->voir && !$socid) {
 	$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
@@ -136,7 +136,7 @@ $sql .= " WHERE cd.fk_contrat = c.rowid AND c.fk_soc = s.rowid";
 $sql .= " AND (cd.statut = 4 AND cd.date_fin_validite < '".$db->idate($now)."')";
 $sql .= " AND c.entity IN (".getEntity('contract', 0).")";
 if ($user->socid) {
-	$sql .= ' AND c.fk_soc = '.$user->socid;
+	$sql .= ' AND c.fk_soc = '.((int) $user->socid);
 }
 if (!$user->rights->societe->client->voir && !$socid) {
 	$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
@@ -304,11 +304,11 @@ print '</div><div class="fichetwothirdright"><div class="ficheaddleft">';
 // Last modified contracts
 $max = 5;
 $sql = 'SELECT ';
-$sql .= ' sum('.$db->ifsql("cd.statut=0", 1, 0).') as nb_initial,';
-$sql .= ' sum('.$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NULL OR cd.date_fin_validite >= '".$db->idate($now)."')", 1, 0).') as nb_running,';
-$sql .= ' sum('.$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NOT NULL AND cd.date_fin_validite < '".$db->idate($now)."')", 1, 0).') as nb_expired,';
-$sql .= ' sum('.$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NOT NULL AND cd.date_fin_validite < '".$db->idate($now - $conf->contrat->services->expires->warning_delay)."')", 1, 0).') as nb_late,';
-$sql .= ' sum('.$db->ifsql("cd.statut=5", 1, 0).') as nb_closed,';
+$sql .= " sum(".$db->ifsql("cd.statut=0", 1, 0).') as nb_initial,';
+$sql .= " sum(".$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NULL OR cd.date_fin_validite >= '".$db->idate($now)."')", 1, 0).') as nb_running,';
+$sql .= " sum(".$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NOT NULL AND cd.date_fin_validite < '".$db->idate($now)."')", 1, 0).') as nb_expired,';
+$sql .= " sum(".$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NOT NULL AND cd.date_fin_validite < '".$db->idate($now - $conf->contrat->services->expires->warning_delay)."')", 1, 0).') as nb_late,';
+$sql .= " sum(".$db->ifsql("cd.statut=5", 1, 0).') as nb_closed,';
 $sql .= " c.rowid as cid, c.ref, c.datec, c.tms, c.statut, s.nom as name, s.rowid as socid";
 $sql .= " FROM ".MAIN_DB_PREFIX."societe as s,";
 if (!$user->rights->societe->client->voir && !$socid) {

+ 5 - 5
htdocs/contrat/list.php

@@ -236,11 +236,11 @@ $sql .= ' s.rowid as socid, s.nom as name, s.name_alias, s.email, s.town, s.zip,
 $sql .= " typent.code as typent_code,";
 $sql .= " state.code_departement as state_code, state.nom as state_name,";
 $sql .= " MIN(".$db->ifsql("cd.statut=4", "cd.date_fin_validite", "null").") as lower_planned_end_date,";
-$sql .= ' SUM('.$db->ifsql("cd.statut=0", 1, 0).') as nb_initial,';
-$sql .= ' SUM('.$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NULL OR cd.date_fin_validite >= '".$db->idate($now)."')", 1, 0).') as nb_running,';
-$sql .= ' SUM('.$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NOT NULL AND cd.date_fin_validite < '".$db->idate($now)."')", 1, 0).') as nb_expired,';
-$sql .= ' SUM('.$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NOT NULL AND cd.date_fin_validite < '".$db->idate($now - $conf->contrat->services->expires->warning_delay)."')", 1, 0).') as nb_late,';
-$sql .= ' SUM('.$db->ifsql("cd.statut=5", 1, 0).') as nb_closed';
+$sql .= " SUM(".$db->ifsql("cd.statut=0", 1, 0).') as nb_initial,';
+$sql .= " SUM(".$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NULL OR cd.date_fin_validite >= '".$db->idate($now)."')", 1, 0).') as nb_running,';
+$sql .= " SUM(".$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NOT NULL AND cd.date_fin_validite < '".$db->idate($now)."')", 1, 0).') as nb_expired,';
+$sql .= " SUM(".$db->ifsql("cd.statut=4 AND (cd.date_fin_validite IS NOT NULL AND cd.date_fin_validite < '".$db->idate($now - $conf->contrat->services->expires->warning_delay)."')", 1, 0).') as nb_late,';
+$sql .= " SUM(".$db->ifsql("cd.statut=5", 1, 0).') as nb_closed';
 // Add fields from extrafields
 if (!empty($extrafields->attributes[$object->table_element]['label'])) {
 	foreach ($extrafields->attributes[$object->table_element]['label'] as $key => $val) {

+ 3 - 6
htdocs/core/ajax/check_notifications.php

@@ -75,12 +75,9 @@ if ($action == 'stopreminder') {
 	$listofreminderid = GETPOST('listofreminderids', 'intcomma');
 
 	// Set the reminder as done
-	//foreach ($listofreminderidsarray as $listofreminderid) {
-	//	if (empty($listofreminderid)) continue;
-	//$sql = 'DELETE FROM '.MAIN_DB_PREFIX.'action_reminder WHERE rowid = '.$listofreminderid.' AND fk_user = '.$user->id;
 	$sql = 'UPDATE '.MAIN_DB_PREFIX.'actioncomm_reminder SET status = 1';
 	$sql .= ' WHERE status = 0 AND rowid IN ('.$db->sanitize($db->escape($listofreminderid)).')';
-	$sql .= ' AND fk_user = '.$user->id.' AND entity = '.$conf->entity;
+	$sql .= ' AND fk_user = '.((int) $user->id).' AND entity = '.((int) $conf->entity);
 	$resql = $db->query($sql);
 	if (!$resql) {
 		dol_print_error($db);
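Review bot: An empty `listofreminderids` value (presumably what `GETPOST` returns when the parameter is missing) produces `rowid IN ()`, which MySQL and PostgreSQL reject, and the failure branch then calls `dol_print_error($db)`. A guard before the statement is built keeps a request-controlled value from producing a malformed query, e.g. `if ($listofreminderid !== '') { ... }` around the UPDATE. The `if ($action == 'stopreminder')` block continues outside the hunk.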
@@ -149,13 +146,13 @@ if (empty($_SESSION['auto_check_events_not_before']) || $time >= $_SESSION['auto
 	$sql = 'SELECT a.id as id_agenda, a.code, a.datep, a.label, a.location, ar.rowid as id_reminder, ar.dateremind, ar.fk_user as id_user_reminder';
 	$sql .= ' FROM '.MAIN_DB_PREFIX.'actioncomm as a';
 	if (!empty($user->conf->MAIN_USER_WANT_ALL_EVENTS_NOTIFICATIONS)) {
-		$sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'actioncomm_reminder as ar ON a.id = ar.fk_actioncomm AND ar.fk_user = '.$user->id;
+		$sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'actioncomm_reminder as ar ON a.id = ar.fk_actioncomm AND ar.fk_user = '.((int) $user->id);
 		$sql .= ' WHERE a.code <> "AC_OTH_AUTO"';
 		$sql .= ' AND (';
 		$sql .= " (ar.typeremind = 'browser' AND ar.dateremind < '".$db->idate(dol_now())."' AND ar.status = 0 AND ar.entity = ".$conf->entity;
 		$sql .= ' )';
 	} else {
-		$sql .= ' JOIN '.MAIN_DB_PREFIX.'actioncomm_reminder as ar ON a.id = ar.fk_actioncomm AND ar.fk_user = '.$user->id;
+		$sql .= ' JOIN '.MAIN_DB_PREFIX.'actioncomm_reminder as ar ON a.id = ar.fk_actioncomm AND ar.fk_user = '.((int) $user->id);
 		$sql .= " AND ar.typeremind = 'browser' AND ar.dateremind < '".$db->idate(dol_now())."' AND ar.status = 0 AND ar.entity = ".$conf->entity;
 	}
 	$sql .= $db->order('datep', 'ASC');
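Review bot: `ar.entity = ".$conf->entity` is still concatenated on both branches without the `(int)` cast that this commit adds to `$conf->entity` in the stopreminder query of the same file; `ar.entity = ".((int) $conf->entity)` would make them consistent. The same uncast `$conf->entity` remains in the context line `c.entity = ".$conf->entity` of htdocs/core/boxes/box_services_expired.php. Separately, `' WHERE a.code <> "AC_OTH_AUTO"'` puts a string literal in double quotes, which PostgreSQL and MySQL in ANSI_QUOTES mode read as an identifier. `" WHERE a.code <> 'AC_OTH_AUTO'"` would match the quoting fix this commit applies in htdocs/compta/tva/list.php.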

+ 1 - 1
htdocs/core/boxes/box_services_expired.php

@@ -93,7 +93,7 @@ class box_services_expired extends ModeleBoxes
 			$sql .= " AND c.entity = ".$conf->entity;
 			$sql .= " AND c.fk_soc=s.rowid AND cd.fk_contrat=c.rowid AND c.statut > 0";
 			if ($user->socid) {
-				$sql .= ' AND c.fk_soc = '.$user->socid;
+				$sql .= ' AND c.fk_soc = '.((int) $user->socid);
 			}
 			if (!$user->rights->societe->client->voir && !$user->socid) {
 				$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);

+ 2 - 2
htdocs/core/boxes/box_validated_projects.php

@@ -157,7 +157,7 @@ class box_validated_projects extends ModeleBoxes
 					);
 
 					if ($objp->fk_soc > 0) {
-						$sql = 'SELECT rowid, nom as name FROM '.MAIN_DB_PREFIX.'societe WHERE rowid ='.$objp->fk_soc;
+						$sql = 'SELECT rowid, nom as name FROM '.MAIN_DB_PREFIX.'societe WHERE rowid = '.((int) $objp->fk_soc);
 						$resql = $this->db->query($sql);
 						//$socstatic = new Societe($this->db);
 						$obj2 = $this->db->fetch_object($resql);
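Review bot: The result of `$this->db->query($sql)` is passed to `fetch_object()` without a check, and `$obj2->name` and `$obj2->rowid` are read in the next hunk. A failed query or a missing `societe` row therefore ends in a property read on a non-object. Guard it, e.g. `$obj2 = $resql ? $this->db->fetch_object($resql) : null;`, and skip the company cell when `$obj2` is empty. The enclosing loop starts and ends outside the hunk.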
@@ -165,7 +165,7 @@ class box_validated_projects extends ModeleBoxes
 							'td' => 'class="tdoverflowmax150 maxwidth200onsmartphone"',
 							'text' => $obj2->name,
 							'asis' => 1,
-							'url' => DOL_URL_ROOT.'/societe/card.php?socid='.$obj2->rowid
+							'url' => DOL_URL_ROOT.'/societe/card.php?socid='.urlencode($obj2->rowid)
 						);
 					} else {
 						$this->info_box_contents[$i][] = array(

+ 3 - 4
htdocs/core/class/commoninvoice.class.php

@@ -132,7 +132,7 @@ abstract class CommonInvoice extends CommonObject
 
 		$sql = 'SELECT sum(amount) as amount, sum(multicurrency_amount) as multicurrency_amount';
 		$sql .= ' FROM '.MAIN_DB_PREFIX.$table;
-		$sql .= ' WHERE '.$field.' = '.((int) $this->id);
+		$sql .= " WHERE ".$field." = ".((int) $this->id);
 
 		dol_syslog(get_class($this)."::getSommePaiement", LOG_DEBUG);
 		$resql = $this->db->query($sql);
@@ -308,9 +308,8 @@ abstract class CommonInvoice extends CommonObject
 
 		$sql = 'SELECT p.ref, pf.amount, pf.multicurrency_amount, p.fk_paiement, p.datep, p.num_paiement as num, t.code'.$field3;
 		$sql .= ' FROM '.MAIN_DB_PREFIX.$table.' as pf, '.MAIN_DB_PREFIX.$table2.' as p, '.MAIN_DB_PREFIX.'c_paiement as t';
-		$sql .= ' WHERE pf.'.$field.' = '.((int) $this->id);
-		//$sql.= ' WHERE pf.'.$field.' = 1';
-		$sql .= ' AND pf.'.$field2.' = p.rowid';
+		$sql .= " WHERE pf.".$field." = ".((int) $this->id);
+		$sql .= " AND pf.".$field2." = p.rowid";
 		$sql .= ' AND p.fk_paiement = t.id';
 		$sql .= ' AND p.entity IN ('.getEntity($sharedentity).')';
 		if ($filtertype) {

+ 70 - 70
htdocs/core/class/commonobject.class.php

@@ -2054,7 +2054,7 @@ abstract class CommonObject
 		}
 		if (isset($this->ismultientitymanaged) && !is_numeric($this->ismultientitymanaged)) {
 			$tmparray = explode('@', $this->ismultientitymanaged);
-			$sql .= ' AND te.'.$tmparray[0].' = '.($tmparray[1] == 'societe' ? 's' : 'parenttable').'.rowid'; // If we need to link to this table to limit select to entity
+			$sql .= " AND te.".$tmparray[0]." = ".($tmparray[1] == "societe" ? "s" : "parenttable").".rowid"; // If we need to link to this table to limit select to entity
 		} elseif ($restrictiononfksoc == 1 && $this->element != 'societe' && !$user->rights->societe->client->voir && !$socid) {
 			$sql .= ' AND te.fk_soc = s.rowid'; // If we need to link to societe to limit select to socid
 		}
@@ -2075,13 +2075,13 @@ abstract class CommonObject
 			$sql .= ' AND parenttable.entity IN ('.getEntity($tmparray[1]).')';
 		}
 		if ($restrictiononfksoc == 1 && $socid && $this->element != 'societe') {
-			$sql .= ' AND te.fk_soc = '.$socid;
+			$sql .= ' AND te.fk_soc = '.((int) $socid);
 		}
 		if ($restrictiononfksoc == 2 && $socid && $this->element != 'societe') {
-			$sql .= ' AND (te.fk_soc = '.$socid.' OR te.fk_soc IS NULL)';
+			$sql .= ' AND (te.fk_soc = '.((int) $socid).' OR te.fk_soc IS NULL)';
 		}
 		if ($restrictiononfksoc && $socid && $this->element == 'societe') {
-			$sql .= ' AND te.rowid = '.$socid;
+			$sql .= ' AND te.rowid = '.((int) $socid);
 		}
 		//print 'socid='.$socid.' restrictiononfksoc='.$restrictiononfksoc.' ismultientitymanaged = '.$this->ismultientitymanaged.' filter = '.$filter.' -> '.$sql."<br>";
 
@@ -2124,7 +2124,7 @@ abstract class CommonObject
 		}
 		if (isset($this->ismultientitymanaged) && !is_numeric($this->ismultientitymanaged)) {
 			$tmparray = explode('@', $this->ismultientitymanaged);
-			$sql .= ' AND te.'.$tmparray[0].' = '.($tmparray[1] == 'societe' ? 's' : 'parenttable').'.rowid'; // If we need to link to this table to limit select to entity
+			$sql .= " AND te.".$tmparray[0]." = ".($tmparray[1] == "societe" ? "s" : "parenttable").".rowid"; // If we need to link to this table to limit select to entity
 		} elseif ($restrictiononfksoc == 1 && $this->element != 'societe' && !$user->rights->societe->client->voir && !$socid) {
 			$sql .= ' AND te.fk_soc = s.rowid'; // If we need to link to societe to limit select to socid
 		}
@@ -2145,13 +2145,13 @@ abstract class CommonObject
 			$sql .= ' AND parenttable.entity IN ('.getEntity($tmparray[1]).')';
 		}
 		if ($restrictiononfksoc == 1 && $socid && $this->element != 'societe') {
-			$sql .= ' AND te.fk_soc = '.$socid;
+			$sql .= ' AND te.fk_soc = '.((int) $socid);
 		}
 		if ($restrictiononfksoc == 2 && $socid && $this->element != 'societe') {
-			$sql .= ' AND (te.fk_soc = '.$socid.' OR te.fk_soc IS NULL)';
+			$sql .= ' AND (te.fk_soc = '.((int) $socid).' OR te.fk_soc IS NULL)';
 		}
 		if ($restrictiononfksoc && $socid && $this->element == 'societe') {
-			$sql .= ' AND te.rowid = '.$socid;
+			$sql .= ' AND te.rowid = '.((int) $socid);
 		}
 		//print 'socid='.$socid.' restrictiononfksoc='.$restrictiononfksoc.' ismultientitymanaged = '.$this->ismultientitymanaged.' filter = '.$filter.' -> '.$sql."<br>";
 		// Rem: Bug in some mysql version: SELECT MIN(rowid) FROM llx_socpeople WHERE rowid > 1 when one row in database with rowid=1, returns 1 instead of null
@@ -2206,19 +2206,19 @@ abstract class CommonObject
 			return -1;
 		}
 
-		$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element;
+		$sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element;
 		if (!empty($this->fields['fk_project'])) {		// Common case
 			if ($projectid) {
-				$sql .= ' SET fk_project = '.((int) $projectid);
+				$sql .= " SET fk_project = ".((int) $projectid);
 			} else {
-				$sql .= ' SET fk_project = NULL';
+				$sql .= " SET fk_project = NULL";
 			}
 			$sql .= ' WHERE rowid = '.((int) $this->id);
 		} elseif ($this->table_element == 'actioncomm') {	// Special case for actioncomm
 			if ($projectid) {
-				$sql .= ' SET fk_project = '.((int) $projectid);
+				$sql .= " SET fk_project = ".((int) $projectid);
 			} else {
-				$sql .= ' SET fk_project = NULL';
+				$sql .= " SET fk_project = NULL";
 			}
 			$sql .= ' WHERE id = '.((int) $this->id);
 		} else // Special case for old architecture objects
@@ -2266,8 +2266,8 @@ abstract class CommonObject
 				$fieldname = 'fk_typepayment';
 			}
 
-			$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element;
-			$sql .= ' SET '.$fieldname.' = '.(($id > 0 || $id == '0') ? $id : 'NULL');
+			$sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element;
+			$sql .= " SET ".$fieldname." = ".(($id > 0 || $id == '0') ? ((int) $id) : 'NULL');
 			$sql .= ' WHERE rowid='.((int) $this->id);
 
 			if ($this->db->query($sql)) {
@@ -2278,7 +2278,7 @@ abstract class CommonObject
 				}
 				return 1;
 			} else {
-				dol_syslog(get_class($this).'::setPaymentMethods Error '.$sql.' - '.$this->db->error());
+				dol_syslog(get_class($this).'::setPaymentMethods Error '.$this->db->error());
 				$this->error = $this->db->error();
 				return -1;
 			}
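Review bot: `$this->db->error()` is called twice in this failure branch, once for the log line and once for `$this->error`, whereas `setDeliveryAddress`, changed the same way further down, assigns `$this->error` first and logs that value. Using the same order here, `$this->error = $this->db->error();` followed by `dol_syslog(get_class($this).'::setPaymentMethods Error '.$this->error, LOG_ERR);`, keeps the logged and stored messages identical. Passing `LOG_ERR` also stops the failure being recorded at the default level. The method body starts outside the hunk.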
@@ -2302,7 +2302,7 @@ abstract class CommonObject
 			$fieldname = 'multicurrency_code';
 
 			$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element;
-			$sql .= ' SET '.$fieldname." = '".$this->db->escape($code)."'";
+			$sql .= " SET ".$fieldname." = '".$this->db->escape($code)."'";
 			$sql .= ' WHERE rowid='.((int) $this->id);
 
 			if ($this->db->query($sql)) {
@@ -2340,7 +2340,7 @@ abstract class CommonObject
 			$fieldname = 'multicurrency_tx';
 
 			$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element;
-			$sql .= ' SET '.$fieldname.' = '.((float) $rate);
+			$sql .= " SET ".$fieldname." = ".((float) $rate);
 			$sql .= ' WHERE rowid='.((int) $this->id);
 
 			if ($this->db->query($sql)) {
@@ -2548,7 +2548,7 @@ abstract class CommonObject
 			}
 
 			$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element;
-			$sql .= ' SET '.$fieldname.' = '.(($id > 0 || $id == '0') ? $id : 'NULL');
+			$sql .= " SET ".$fieldname." = ".(($id > 0 || $id == '0') ? ((int) $id) : 'NULL');
 			$sql .= ' WHERE rowid='.((int) $this->id);
 
 			if ($this->db->query($sql)) {
@@ -2590,7 +2590,7 @@ abstract class CommonObject
 			}
 
 			$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element;
-			$sql .= ' SET '.$fieldname.' = '.(($id > 0 || $id == '0') ? $id : 'NULL');
+			$sql .= " SET ".$fieldname." = ".(($id > 0 || $id == '0') ? ((int) $id) : 'NULL');
 			$sql .= ' WHERE rowid='.((int) $this->id);
 
 			if ($this->db->query($sql)) {
@@ -2625,7 +2625,7 @@ abstract class CommonObject
 			$fieldname = 'retained_warranty_fk_cond_reglement';
 
 			$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element;
-			$sql .= ' SET '.$fieldname.' = '.((int) $id);
+			$sql .= " SET ".$fieldname." = ".((int) $id);
 			$sql .= ' WHERE rowid='.((int) $this->id);
 
 			if ($this->db->query($sql)) {
@@ -2665,7 +2665,7 @@ abstract class CommonObject
 			return 1;
 		} else {
 			$this->error = $this->db->error();
-			dol_syslog(get_class($this).'::setDeliveryAddress Error '.$sql.' - '.$this->error);
+			dol_syslog(get_class($this).'::setDeliveryAddress Error '.$this->error);
 			return -1;
 		}
 	}
@@ -2884,7 +2884,7 @@ abstract class CommonObject
 		// Count number of lines to reorder (according to choice $renum)
 		$nl = 0;
 		$sql = 'SELECT count(rowid) FROM '.MAIN_DB_PREFIX.$this->table_element_line;
-		$sql .= ' WHERE '.$this->fk_element.'='.((int) $this->id);
+		$sql .= " WHERE ".$this->fk_element." = ".((int) $this->id);
 		if (!$renum) {
 			$sql .= ' AND rang = 0';
 		}
@@ -2906,7 +2906,7 @@ abstract class CommonObject
 
 			// We first search all lines that are parent lines (for multilevel details lines)
 			$sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.$this->table_element_line;
-			$sql .= ' WHERE '.$this->fk_element.' = '.((int) $this->id);
+			$sql .= " WHERE ".$this->fk_element." = ".((int) $this->id);
 			if ($fk_parent_line) {
 				$sql .= ' AND fk_parent_line IS NULL';
 			}
@@ -2954,7 +2954,7 @@ abstract class CommonObject
 		$rows = array();
 
 		$sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.$this->table_element_line;
-		$sql .= ' WHERE '.$this->fk_element.' = '.((int) $this->id);
+		$sql .= " WHERE ".$this->fk_element." = ".((int) $this->id);
 		$sql .= ' AND fk_parent_line = '.((int) $id);
 		$sql .= ' ORDER BY rang ASC';
 
@@ -3031,7 +3031,7 @@ abstract class CommonObject
 			$fieldposition = 'position';
 		}
 
-		$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element_line.' SET '.$fieldposition.' = '.((int) $rang);
+		$sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element_line." SET ".$fieldposition." = ".((int) $rang);
 		$sql .= ' WHERE rowid = '.((int) $rowid);
 
 		dol_syslog(get_class($this)."::updateRangOfLine", LOG_DEBUG);
@@ -3074,11 +3074,11 @@ abstract class CommonObject
 				$fieldposition = 'position';
 			}
 
-			$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element_line.' SET '.$fieldposition.' = '.((int) $rang);
-			$sql .= ' WHERE '.$this->fk_element.' = '.((int) $this->id);
+			$sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element_line." SET ".$fieldposition." = ".((int) $rang);
+			$sql .= " WHERE ".$this->fk_element." = ".((int) $this->id);
 			$sql .= ' AND rang = '.((int) ($rang - 1));
 			if ($this->db->query($sql)) {
-				$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element_line.' SET '.$fieldposition.' = '.((int) ($rang - 1));
+				$sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element_line." SET ".$fieldposition." = ".((int) ($rang - 1));
 				$sql .= ' WHERE rowid = '.((int) $rowid);
 				if (!$this->db->query($sql)) {
 					dol_print_error($this->db);
@@ -3105,11 +3105,11 @@ abstract class CommonObject
 				$fieldposition = 'position';
 			}
 
-			$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element_line.' SET '.$fieldposition.' = '.((int) $rang);
-			$sql .= ' WHERE '.$this->fk_element.' = '.((int) $this->id);
+			$sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element_line." SET ".$fieldposition." = ".((int) $rang);
+			$sql .= " WHERE ".$this->fk_element." = ".((int) $this->id);
 			$sql .= ' AND rang = '.((int) ($rang + 1));
 			if ($this->db->query($sql)) {
-				$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element_line.' SET '.$fieldposition.' = '.((int) ($rang + 1));
+				$sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element_line." SET ".$fieldposition." = ".((int) ($rang + 1));
 				$sql .= ' WHERE rowid = '.((int) $rowid);
 				if (!$this->db->query($sql)) {
 					dol_print_error($this->db);
@@ -3148,7 +3148,7 @@ abstract class CommonObject
 	public function getIdOfLine($rang)
 	{
 		$sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.$this->table_element_line;
-		$sql .= ' WHERE '.$this->fk_element.' = '.((int) $this->id);
+		$sql .= " WHERE ".$this->fk_element." = ".((int) $this->id);
 		$sql .= ' AND rang = '.((int) $rang);
 		$resql = $this->db->query($sql);
 		if ($resql) {
@@ -3174,8 +3174,8 @@ abstract class CommonObject
 
 		// Search the last rang with fk_parent_line
 		if ($fk_parent_line) {
-			$sql = 'SELECT max('.$positionfield.') FROM '.MAIN_DB_PREFIX.$this->table_element_line;
-			$sql .= ' WHERE '.$this->fk_element.' = '.((int) $this->id);
+			$sql = "SELECT max(".$positionfield.") FROM ".MAIN_DB_PREFIX.$this->table_element_line;
+			$sql .= " WHERE ".$this->fk_element." = ".((int) $this->id);
 			$sql .= ' AND fk_parent_line = '.((int) $fk_parent_line);
 
 			dol_syslog(get_class($this)."::line_max", LOG_DEBUG);
@@ -3190,8 +3190,8 @@ abstract class CommonObject
 			}
 		} else {
 			// If not, search the last rang of element
-			$sql = 'SELECT max('.$positionfield.') FROM '.MAIN_DB_PREFIX.$this->table_element_line;
-			$sql .= ' WHERE '.$this->fk_element.' = '.$this->id;
+			$sql = "SELECT max(".$positionfield.") FROM ".MAIN_DB_PREFIX.$this->table_element_line;
+			$sql .= " WHERE ".$this->fk_element." = ".((int) $this->id);
 
 			dol_syslog(get_class($this)."::line_max", LOG_DEBUG);
 			$resql = $this->db->query($sql);
@@ -3217,7 +3217,7 @@ abstract class CommonObject
 			return -1;
 		}
 
-		$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element;
+		$sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element;
 		$sql .= " SET ref_ext = '".$this->db->escape($ref_ext)."'";
 		$sql .= " WHERE ".(isset($this->table_rowid) ? $this->table_rowid : 'rowid')." = ".((int) $this->id);
 
@@ -3268,7 +3268,7 @@ abstract class CommonObject
 		} else {
 			$fieldusermod = "fk_user_modif";
 		}
-		$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element;
+		$sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element;
 		$sql .= " SET note".$newsuffix." = ".(!empty($note) ? ("'".$this->db->escape($note)."'") : "NULL");
 		$sql .= ", ".$fieldusermod." = ".((int) $user->id);
 		$sql .= " WHERE rowid = ".((int) $this->id);
@@ -3386,21 +3386,21 @@ abstract class CommonObject
 			$fieldup = 'value_unit';
 		}
 
-		$sql = 'SELECT rowid, qty, '.$fieldup.' as up, remise_percent, total_ht, '.$fieldtva.' as total_tva, total_ttc, '.$fieldlocaltax1.' as total_localtax1, '.$fieldlocaltax2.' as total_localtax2,';
+		$sql = "SELECT rowid, qty, ".$fieldup." as up, remise_percent, total_ht, ".$fieldtva." as total_tva, total_ttc, ".$fieldlocaltax1." as total_localtax1, ".$fieldlocaltax2." as total_localtax2,";
 		$sql .= ' tva_tx as vatrate, localtax1_tx, localtax2_tx, localtax1_type, localtax2_type, info_bits, product_type';
 		if ($this->table_element_line == 'facturedet') {
 			$sql .= ', situation_percent';
 		}
 		$sql .= ', multicurrency_total_ht, multicurrency_total_tva, multicurrency_total_ttc';
 		$sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element_line;
-		$sql .= ' WHERE '.$this->fk_element.' = '.((int) $this->id);
+		$sql .= " WHERE ".$this->fk_element." = ".((int) $this->id);
 		if ($exclspec) {
 			$product_field = 'product_type';
 			if ($this->table_element_line == 'contratdet') {
 				$product_field = ''; // contratdet table has no product_type field
 			}
 			if ($product_field) {
-				$sql .= ' AND '.$product_field.' <> 9';
+				$sql .= " AND ".$product_field." <> 9";
 			}
 		}
 		$sql .= ' ORDER by rowid'; // We want to be sure to always use same order of line to not change lines differently when option MAIN_ROUNDOFTOTAL_NOT_TOTALOFROUND is used
@@ -3553,14 +3553,14 @@ abstract class CommonObject
 
 			if (empty($nodatabaseupdate)) {
 				$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element.' SET';
-				$sql .= " ".$fieldht." = ".price2num($this->total_ht).",";
-				$sql .= " ".$fieldtva." = ".price2num($this->total_tva).",";
-				$sql .= " ".$fieldlocaltax1." = ".price2num($this->total_localtax1).",";
-				$sql .= " ".$fieldlocaltax2." = ".price2num($this->total_localtax2).",";
-				$sql .= " ".$fieldttc." = ".price2num($this->total_ttc);
-				$sql .= ", multicurrency_total_ht = ".price2num($this->multicurrency_total_ht, 'MT', 1);
-				$sql .= ", multicurrency_total_tva = ".price2num($this->multicurrency_total_tva, 'MT', 1);
-				$sql .= ", multicurrency_total_ttc = ".price2num($this->multicurrency_total_ttc, 'MT', 1);
+				$sql .= " ".$fieldht." = ".((float) price2num($this->total_ht)).",";
+				$sql .= " ".$fieldtva." = ".((float) price2num($this->total_tva)).",";
+				$sql .= " ".$fieldlocaltax1." = ".((float) price2num($this->total_localtax1)).",";
+				$sql .= " ".$fieldlocaltax2." = ".((float) price2num($this->total_localtax2)).",";
+				$sql .= " ".$fieldttc." = ".((float) price2num($this->total_ttc));
+				$sql .= ", multicurrency_total_ht = ".((float) price2num($this->multicurrency_total_ht, 'MT', 1));
+				$sql .= ", multicurrency_total_tva = ".((float) price2num($this->multicurrency_total_tva, 'MT', 1));
+				$sql .= ", multicurrency_total_ttc = ".((float) price2num($this->multicurrency_total_ttc, 'MT', 1));
 				$sql .= " WHERE rowid = ".((int) $this->id);
 
 				dol_syslog(get_class($this)."::update_price", LOG_DEBUG);
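Review bot: The `(float)` casts on the `price2num()` results in this UPDATE are turned straight back into strings by the concatenation, and before PHP 8.0 that conversion follows the active numeric locale. On such a version a comma-decimal locale would emit `1,5` here, so the cast closes the injection path but can yield a malformed or silently wrong statement. If older PHP versions are still supported, a comment such as `// (float) blocks injection; relies on '.' as decimal separator (PHP >= 8 or LC_NUMERIC=C)` would record the assumption. The same pattern is added for `$maxvalue` in discount.class.php. The enclosing method starts and ends outside this hunk.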
@@ -4038,7 +4038,7 @@ abstract class CommonObject
 
 		global $db;
 
-		$sql = 'SELECT '.$field_select.' FROM '.MAIN_DB_PREFIX.$table_element.' WHERE '.$field_where.' = '.((int) $fk_object_where);
+		$sql = "SELECT ".$field_select." FROM ".MAIN_DB_PREFIX.$table_element." WHERE ".$field_where." = ".((int) $fk_object_where);
 		$resql = $db->query($sql);
 
 		$TRes = array();
@@ -4067,7 +4067,7 @@ abstract class CommonObject
 
 		global $db;
 
-		$sql = 'DELETE FROM '.MAIN_DB_PREFIX.$table_element.' WHERE '.$field_where.' = '.((int) $fk_object_where);
+		$sql = "DELETE FROM ".MAIN_DB_PREFIX.$table_element." WHERE ".$field_where." = ".((int) $fk_object_where);
 		$resql = $db->query($sql);
 
 		if (empty($resql)) {
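Review bot: Only the value `$fk_object_where` is cast in this DELETE; `$table_element` and `$field_where` still reach the statement as raw identifiers, and the commit changes nothing but the quote style around them. The same holds for `$field_select`, `$table_element` and `$field_where` in the SELECT of the previous hunk. Whether callers can pass request-derived names is not visible here, so a guard such as `if (!preg_match('/^[a-z0-9_]+$/i', $table_element.$field_where)) { return false; }` would make the helpers safe by construction; `return false` is a placeholder to align with the function's existing failure value. The function bodies start outside both hunks.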
@@ -5317,7 +5317,7 @@ abstract class CommonObject
 								$update_main_doc_field = 1;
 							}
 							if ($update_main_doc_field && !empty($this->table_element)) {
-								$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element." SET last_main_doc = '".$this->db->escape($ecmfile->filepath.'/'.$ecmfile->filename)."'";
+								$sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element." SET last_main_doc = '".$this->db->escape($ecmfile->filepath."/".$ecmfile->filename)."'";
 								$sql .= " WHERE rowid = ".((int) $this->id);
 
 								$resql = $this->db->query($sql);
@@ -6677,17 +6677,17 @@ abstract class CommonObject
 
 					//We have to join on extrafield table
 					if (strpos($InfoFieldList[4], 'extra') !== false) {
-						$sql .= ' as main, '.MAIN_DB_PREFIX.$InfoFieldList[0].'_extrafields as extra';
-						$sqlwhere .= ' WHERE extra.fk_object=main.'.$InfoFieldList[2].' AND '.$InfoFieldList[4];
+						$sql .= " as main, ".MAIN_DB_PREFIX.$InfoFieldList[0]."_extrafields as extra";
+						$sqlwhere .= " WHERE extra.fk_object=main.".$InfoFieldList[2]." AND ".$InfoFieldList[4];
 					} else {
-						$sqlwhere .= ' WHERE '.$InfoFieldList[4];
+						$sqlwhere .= " WHERE ".$InfoFieldList[4];
 					}
 				} else {
 					$sqlwhere .= ' WHERE 1=1';
 				}
 				// Some tables may have field, some other not. For the moment we disable it.
 				if (in_array($InfoFieldList[0], array('tablewithentity'))) {
-					$sqlwhere .= ' AND entity = '.$conf->entity;
+					$sqlwhere .= " AND entity = ".((int) $conf->entity);
 				}
 				$sql .= $sqlwhere;
 				//print $sql;
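Review bot: `$InfoFieldList[4]` is still appended verbatim as a complete WHERE condition, while the commit hardens only the `entity` value next to it. Where that element comes from is not shown in the hunk; if it is the filter part of a field definition, anyone able to edit such definitions controls a SQL fragment here. The identical construction appears in the next hunk of this file and in both hunks of extrafields.class.php. At minimum a comment such as `// $InfoFieldList[4] is a raw SQL condition: must come from trusted configuration only` belongs above the `strpos()` test. The block starts and continues outside the hunk.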
@@ -6830,16 +6830,16 @@ abstract class CommonObject
 					// We have to join on extrafield table
 					if (strpos($InfoFieldList[4], 'extra') !== false) {
 						$sql .= ' as main, '.MAIN_DB_PREFIX.$InfoFieldList[0].'_extrafields as extra';
-						$sqlwhere .= ' WHERE extra.fk_object=main.'.$InfoFieldList[2].' AND '.$InfoFieldList[4];
+						$sqlwhere .= " WHERE extra.fk_object=main.".$InfoFieldList[2]." AND ".$InfoFieldList[4];
 					} else {
-						$sqlwhere .= ' WHERE '.$InfoFieldList[4];
+						$sqlwhere .= " WHERE ".$InfoFieldList[4];
 					}
 				} else {
 					$sqlwhere .= ' WHERE 1=1';
 				}
 				// Some tables may have field, some other not. For the moment we disable it.
 				if (in_array($InfoFieldList[0], array('tablewithentity'))) {
-					$sqlwhere .= ' AND entity = '.$conf->entity;
+					$sqlwhere .= " AND entity = ".((int) $conf->entity);
 				}
 				// $sql.=preg_replace('/^ AND /','',$sqlwhere);
 				// print $sql;
@@ -8770,8 +8770,8 @@ abstract class CommonObject
 			return 0;
 		}
 
-		$sql = 'SELECT '.$fieldlist;
-		$sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.' as t';
+		$sql = "SELECT ".$fieldlist;
+		$sql .= " FROM ".MAIN_DB_PREFIX.$this->table_element.' as t';
 
 		if (!empty($id)) {
 			$sql .= ' WHERE t.rowid = '.((int) $id);
@@ -8825,9 +8825,9 @@ abstract class CommonObject
 
 		$objectline = new $objectlineclassname($this->db);
 
-		$sql = 'SELECT '.$objectline->getFieldList('l');
-		$sql .= ' FROM '.MAIN_DB_PREFIX.$objectline->table_element.' as l';
-		$sql .= ' WHERE l.fk_'.$this->element.' = '.((int) $this->id);
+		$sql = "SELECT ".$objectline->getFieldList('l');
+		$sql .= " FROM ".MAIN_DB_PREFIX.$objectline->table_element." as l";
+		$sql .= " WHERE l.fk_".$this->element." = ".((int) $this->id);
 		if ($morewhere) {
 			$sql .= $morewhere;
 		}
@@ -8973,7 +8973,7 @@ abstract class CommonObject
 
 		if ($forcechilddeletion) {	// Force also delete of childtables that should lock deletion in standard case when option force is off
 			foreach ($this->childtables as $table) {
-				$sql = 'DELETE FROM '.MAIN_DB_PREFIX.$table.' WHERE '.$this->fk_element.' = '.((int) $this->id);
+				$sql = "DELETE FROM ".MAIN_DB_PREFIX.$table." WHERE ".$this->fk_element." = ".((int) $this->id);
 				$resql = $this->db->query($sql);
 				if (!$resql) {
 					$this->error = $this->db->lasterror();
@@ -9022,7 +9022,7 @@ abstract class CommonObject
 					}
 				} else {
 					// Delete record in child table
-					$sql = 'DELETE FROM '.MAIN_DB_PREFIX.$table.' WHERE '.$this->fk_element.' = '.((int) $this->id);
+					$sql = "DELETE FROM ".MAIN_DB_PREFIX.$table." WHERE ".$this->fk_element." = ".((int) $this->id);
 
 					$resql = $this->db->query($sql);
 					if (!$resql) {
@@ -9100,7 +9100,7 @@ abstract class CommonObject
 			$this->db->begin();
 
 			$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX.$this->table_element;
-			$sql .= ' WHERE '.$parentField.' = '.(int) $parentId;
+			$sql .= " WHERE ".$parentField." = ".(int) $parentId;
 
 			$resql = $this->db->query($sql);
 			if (!$resql) {
@@ -9533,7 +9533,7 @@ abstract class CommonObject
 		// Delete in database with mode 1
 		if ($mode == 1) {
 			$sql = 'DELETE FROM '.MAIN_DB_PREFIX."ecm_files_extrafields";
-			$sql .= " WHERE fk_object IN (SELECT rowid FROM ".MAIN_DB_PREFIX."ecm_files WHERE src_object_type = '".$this->db->escape($this->table_element.(empty($this->module) ? '' : '@'.$this->module))."' AND src_object_id = ".((int) $this->id).")";
+			$sql .= " WHERE fk_object IN (SELECT rowid FROM ".MAIN_DB_PREFIX."ecm_files WHERE src_object_type = '".$this->db->escape($this->table_element.(empty($this->module) ? "" : "@".$this->module))."' AND src_object_id = ".((int) $this->id).")";
 			$resql = $this->db->query($sql);
 			if (!$resql) {
 				$this->error = $this->db->lasterror();
@@ -9542,7 +9542,7 @@ abstract class CommonObject
 			}
 
 			$sql = 'DELETE FROM '.MAIN_DB_PREFIX."ecm_files";
-			$sql .= " WHERE src_object_type = '".$this->db->escape($this->table_element.(empty($this->module) ? '' : '@'.$this->module))."' AND src_object_id = ".((int) $this->id);
+			$sql .= " WHERE src_object_type = '".$this->db->escape($this->table_element.(empty($this->module) ? "" : "@".$this->module))."' AND src_object_id = ".((int) $this->id);
 			$resql = $this->db->query($sql);
 			if (!$resql) {
 				$this->error = $this->db->lasterror();

+ 2 - 2
htdocs/core/class/commonobjectline.class.php

@@ -86,7 +86,7 @@ abstract class CommonObjectLine extends CommonObject
 			$label_type = 'code';
 		}
 
-		$sql = 'select '.$label_type.', code from '.MAIN_DB_PREFIX.'c_units where rowid='.$this->fk_unit;
+		$sql = "SELECT ".$label_type.", code from ".MAIN_DB_PREFIX."c_units where rowid = ".((int) $this->fk_unit);
 		$resql = $this->db->query($sql);
 		if ($resql && $this->db->num_rows($resql) > 0) {
 			$res = $this->db->fetch_array($resql);
@@ -98,7 +98,7 @@ abstract class CommonObjectLine extends CommonObject
 			$this->db->free($resql);
 			return $label;
 		} else {
-			$this->error = $this->db->error().' sql='.$sql;
+			$this->error = $this->db->lasterror();
 			dol_syslog(get_class($this)."::getLabelOfUnit Error ".$this->error, LOG_ERR);
 			return -1;
 		}

+ 1 - 1
htdocs/core/class/coreobject.class.php

@@ -183,7 +183,7 @@ class CoreObject extends CommonObject
 
 				$this->{$className} = array();
 
-				$sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX.$childTable.' WHERE '.$this->fk_element.' = '.((int) $this->id);
+				$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX.$childTable." WHERE ".$this->fk_element." = ".((int) $this->id);
 				$res = $this->db->query($sql);
 
 				if ($res) {

+ 10 - 10
htdocs/core/class/discount.class.php

@@ -516,10 +516,10 @@ class DiscountAbsolute
 			$sql .= " AND rc.fk_user = ".((int) $user->id);
 		}
 		if ($filter) {
-			$sql .= ' AND ('.$filter.')';
+			$sql .= " AND (".$filter.")";
 		}
 		if ($maxvalue) {
-			$sql .= ' AND rc.amount_ttc <= '.price2num($maxvalue);
+			$sql .= ' AND rc.amount_ttc <= '.((float) price2num($maxvalue));
 		}
 
 		$resql = $this->db->query($sql);
@@ -555,12 +555,12 @@ class DiscountAbsolute
 		if ($invoice->element == 'facture' || $invoice->element == 'invoice') {
 			$sql = 'SELECT sum(rc.amount_ttc) as amount, sum(rc.multicurrency_amount_ttc) as multicurrency_amount';
 			$sql .= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc, '.MAIN_DB_PREFIX.'facture as f';
-			$sql .= ' WHERE rc.fk_facture_source=f.rowid AND rc.fk_facture = '.$invoice->id;
+			$sql .= ' WHERE rc.fk_facture_source=f.rowid AND rc.fk_facture = '.((int) $invoice->id);
 			$sql .= ' AND f.type = 3';
 		} elseif ($invoice->element == 'invoice_supplier') {
 			$sql = 'SELECT sum(rc.amount_ttc) as amount, sum(rc.multicurrency_amount_ttc) as multicurrency_amount';
 			$sql .= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc, '.MAIN_DB_PREFIX.'facture_fourn as f';
-			$sql .= ' WHERE rc.fk_invoice_supplier_source=f.rowid AND rc.fk_invoice_supplier = '.$invoice->id;
+			$sql .= ' WHERE rc.fk_invoice_supplier_source=f.rowid AND rc.fk_invoice_supplier = '.((int) $invoice->id);
 			$sql .= ' AND f.type = 3';
 		} else {
 			$this->error = get_class($this)."::getSumDepositsUsed was called with a bad object as a first parameter";
@@ -596,13 +596,13 @@ class DiscountAbsolute
 		if ($invoice->element == 'facture' || $invoice->element == 'invoice') {
 			$sql = 'SELECT sum(rc.amount_ttc) as amount, sum(rc.multicurrency_amount_ttc) as multicurrency_amount';
 			$sql .= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc, '.MAIN_DB_PREFIX.'facture as f';
-			$sql .= ' WHERE rc.fk_facture_source=f.rowid AND rc.fk_facture = '.$invoice->id;
-			$sql .= ' AND f.type IN ('.$this->db->sanitize($invoice::TYPE_STANDARD.', '.$invoice::TYPE_CREDIT_NOTE.', '.$invoice::TYPE_SITUATION).')'; // Find discount coming from credit note or excess received
+			$sql .= ' WHERE rc.fk_facture_source=f.rowid AND rc.fk_facture = '.((int) $invoice->id);
+			$sql .= " AND f.type IN (".$this->db->sanitize($invoice::TYPE_STANDARD.", ".$invoice::TYPE_CREDIT_NOTE.", ".$invoice::TYPE_SITUATION).')'; // Find discount coming from credit note or excess received
 		} elseif ($invoice->element == 'invoice_supplier') {
 			$sql = 'SELECT sum(rc.amount_ttc) as amount, sum(rc.multicurrency_amount_ttc) as multicurrency_amount';
 			$sql .= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc, '.MAIN_DB_PREFIX.'facture_fourn as f';
-			$sql .= ' WHERE rc.fk_invoice_supplier_source=f.rowid AND rc.fk_invoice_supplier = '.$invoice->id;
-			$sql .= ' AND f.type IN ('.$this->db->sanitize($invoice::TYPE_STANDARD.', '.$invoice::TYPE_CREDIT_NOTE).')'; // Find discount coming from credit note or excess paid
+			$sql .= ' WHERE rc.fk_invoice_supplier_source=f.rowid AND rc.fk_invoice_supplier = '.((int) $invoice->id);
+			$sql .= " AND f.type IN (".$this->db->sanitize($invoice::TYPE_STANDARD.", ".$invoice::TYPE_CREDIT_NOTE).')'; // Find discount coming from credit note or excess paid
 		} else {
 			$this->error = get_class($this)."::getSumCreditNotesUsed was called with a bad object as a first parameter";
 			dol_print_error($this->error);
@@ -636,11 +636,11 @@ class DiscountAbsolute
 		if ($invoice->element == 'facture' || $invoice->element == 'invoice') {
 			$sql = 'SELECT sum(rc.amount_ttc) as amount, sum(rc.multicurrency_amount_ttc) as multicurrency_amount';
 			$sql .= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc';
-			$sql .= ' WHERE rc.fk_facture IS NULL AND rc.fk_facture_source = '.$invoice->id;
+			$sql .= ' WHERE rc.fk_facture IS NULL AND rc.fk_facture_source = '.((int) $invoice->id);
 		} elseif ($invoice->element == 'invoice_supplier') {
 			$sql = 'SELECT sum(rc.amount_ttc) as amount, sum(rc.multicurrency_amount_ttc) as multicurrency_amount';
 			$sql .= ' FROM '.MAIN_DB_PREFIX.'societe_remise_except as rc';
-			$sql .= ' WHERE rc.fk_invoice_supplier IS NULL AND rc.fk_invoice_supplier_source = '.$invoice->id;
+			$sql .= ' WHERE rc.fk_invoice_supplier IS NULL AND rc.fk_invoice_supplier_source = '.((int) $invoice->id);
 		} else {
 			$this->error = get_class($this)."::getSumCreditNotesUsed was called with a bad object as a first parameter";
 			dol_print_error($this->error);

+ 2 - 2
htdocs/core/class/dolreceiptprinter.class.php

@@ -867,7 +867,7 @@ class dolReceiptPrinter extends Printer
 		$error = 0;
 		$sql = 'SELECT template';
 		$sql .= ' FROM '.MAIN_DB_PREFIX.'printer_receipt_template';
-		$sql .= ' WHERE rowid='.$templateid;
+		$sql .= ' WHERE rowid = '.((int) $templateid);
 		$sql .= ' AND entity = '.$conf->entity;
 		$resql = $this->db->query($sql);
 		if ($resql) {
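Review bot: The context line `$sql .= ' AND entity = '.$conf->entity;` directly below the changed line is left without the cast that this commit applies to the same expression in the next hunk of this file. For consistency it should read `$sql .= ' AND entity = '.((int) $conf->entity);`. The method body continues outside the hunk.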
@@ -905,7 +905,7 @@ class dolReceiptPrinter extends Printer
 		$sql = 'SELECT rowid, name, fk_type, fk_profile, parameter';
 		$sql .= ' FROM '.MAIN_DB_PREFIX.'printer_receipt';
 		$sql .= ' WHERE rowid = '.((int) $printerid);
-		$sql .= ' AND entity = '.$conf->entity;
+		$sql .= ' AND entity = '.((int) $conf->entity);
 		$resql = $this->db->query($sql);
 		if ($resql) {
 			$obj = $this->db->fetch_array($resql);

+ 6 - 6
htdocs/core/class/extrafields.class.php

@@ -1273,16 +1273,16 @@ class ExtraFields
 						//We have to join on extrafield table
 						if (strpos($InfoFieldList[4], 'extra') !== false) {
 							$sql .= ' as main, '.MAIN_DB_PREFIX.$InfoFieldList[0].'_extrafields as extra';
-							$sqlwhere .= ' WHERE extra.fk_object=main.'.$InfoFieldList[2].' AND '.$InfoFieldList[4];
+							$sqlwhere .= " WHERE extra.fk_object=main.".$InfoFieldList[2]." AND ".$InfoFieldList[4];
 						} else {
-							$sqlwhere .= ' WHERE '.$InfoFieldList[4];
+							$sqlwhere .= " WHERE ".$InfoFieldList[4];
 						}
 					} else {
 						$sqlwhere .= ' WHERE 1=1';
 					}
 					// Some tables may have field, some other not. For the moment we disable it.
 					if (in_array($InfoFieldList[0], array('tablewithentity'))) {
-						$sqlwhere .= ' AND entity = '.$conf->entity;
+						$sqlwhere .= ' AND entity = '.((int) $conf->entity);
 					}
 					$sql .= $sqlwhere;
 					//print $sql;
@@ -1485,16 +1485,16 @@ class ExtraFields
 						// We have to join on extrafield table
 						if (strpos($InfoFieldList[4], 'extra.') !== false) {
 							$sql .= ' as main, '.MAIN_DB_PREFIX.$InfoFieldList[0].'_extrafields as extra';
-							$sqlwhere .= ' WHERE extra.fk_object=main.'.$InfoFieldList[2].' AND '.$InfoFieldList[4];
+							$sqlwhere .= " WHERE extra.fk_object=main.".$InfoFieldList[2]." AND ".$InfoFieldList[4];
 						} else {
-							$sqlwhere .= ' WHERE '.$InfoFieldList[4];
+							$sqlwhere .= " WHERE ".$InfoFieldList[4];
 						}
 					} else {
 						$sqlwhere .= ' WHERE 1=1';
 					}
 					// Some tables may have field, some other not. For the moment we disable it.
 					if (in_array($InfoFieldList[0], array('tablewithentity'))) {
-						$sqlwhere .= ' AND entity = '.$conf->entity;
+						$sqlwhere .= " AND entity = ".((int) $conf->entity);
 					}
 					// $sql.=preg_replace('/^ AND /','',$sqlwhere);
 					// print $sql;

+ 1 - 0
htdocs/core/class/hookmanager.class.php

@@ -172,6 +172,7 @@ class HookManager
 				'addSearchEntry',
 				'addStatisticLine',
 				'addSectionECMAuto',
+				'checkSecureAccess',
 				'createDictionaryFieldlist',
 				'editDictionaryFieldlist',
 				'getFormMail',

+ 3 - 3
htdocs/core/class/html.form.class.php

@@ -2565,7 +2565,7 @@ class Form
 			$sql .= ')';
 		}
 		if (count($warehouseStatusArray)) {
-			$sql .= ' GROUP BY'.$selectFields;
+			$sql .= " GROUP BY ".$selectFields;
 		}
 
 		//Sort by category
@@ -6988,7 +6988,7 @@ class Form
 		if (isset($objecttmp->ismultientitymanaged)) {
 			if (!is_numeric($objecttmp->ismultientitymanaged)) {
 				$tmparray = explode('@', $objecttmp->ismultientitymanaged);
-				$sql .= ' INNER JOIN '.MAIN_DB_PREFIX.$tmparray[1].' as parenttable ON parenttable.rowid = t.'.$tmparray[0];
+				$sql .= " INNER JOIN ".MAIN_DB_PREFIX.$tmparray[1]." as parenttable ON parenttable.rowid = t.".$tmparray[0];
 			}
 			if ($objecttmp->ismultientitymanaged == 'fk_soc@societe') {
 				if (!$user->rights->societe->client->voir && !$user->socid) {
@@ -7009,7 +7009,7 @@ class Form
 					$sql .= " AND t.entity IN (".getEntity($objecttmp->table_element).")";
 				}
 				if (!is_numeric($objecttmp->ismultientitymanaged)) {
-					$sql .= ' AND parenttable.entity = t.'.$tmparray[0];
+					$sql .= " AND parenttable.entity = t.".$tmparray[0];
 				}
 				if ($objecttmp->ismultientitymanaged == 1 && !empty($user->socid)) {
 					if ($objecttmp->element == 'societe') {

+ 1 - 1
htdocs/core/class/html.formmail.class.php

@@ -601,7 +601,7 @@ class FormMail extends Form
 
 						// Add also email aliases from the c_email_senderprofile table
 						$sql = 'SELECT rowid, label, email FROM '.MAIN_DB_PREFIX.'c_email_senderprofile';
-						$sql .= ' WHERE active = 1 AND (private = 0 OR private = '.$user->id.')';
+						$sql .= ' WHERE active = 1 AND (private = 0 OR private = '.((int) $user->id).')';
 						$sql .= ' ORDER BY position';
 						$resql = $this->db->query($sql);
 						if ($resql) {

+ 2 - 2
htdocs/core/class/utils.class.php

@@ -1088,11 +1088,11 @@ class Utils
 					fwrite($handle, "/*!40000 ALTER TABLE `".$table."` DISABLE KEYS */;\n");
 				}
 
-				$sql = 'SELECT * FROM '.$table; // Here SELECT * is allowed because we don't have definition of columns to take
+				$sql = "SELECT * FROM ".$table; // Here SELECT * is allowed because we don't have definition of columns to take
 				$result = $db->query($sql);
 				while ($row = $db->fetch_row($result)) {
 					// For each row of data we print a line of INSERT
-					fwrite($handle, 'INSERT '.$delayed.$ignore.'INTO `'.$table.'` VALUES (');
+					fwrite($handle, "INSERT ".$delayed.$ignore."INTO ".$table." VALUES (");
 					$columns = count($row);
 					for ($j = 0; $j < $columns; $j++) {
 						// Processing each columns of the row to ensure that we correctly save the value (eg: add quotes for string - in fact we add quotes for everything, it's easier)
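Review bot: The rewritten `fwrite()` for the INSERT line drops the backticks that previously surrounded `$table`, so this is not a pure quote-style change. The generated dump now contains an unquoted table name, which breaks on names that are reserved words or contain special characters. It is also inconsistent with the `ALTER TABLE ... DISABLE KEYS` line above, which still quotes the name. The backtick quoting around `$table` should be restored inside the double-quoted string. The loop continues outside the hunk.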

+ 1 - 1
htdocs/core/class/validate.class.php

@@ -263,7 +263,7 @@ class Validate
 		}
 
 		foreach ($value_arr as $val) {
-			$sql = 'SELECT ' . $col . ' FROM ' . MAIN_DB_PREFIX . $table . " WHERE " . $col ." = '" . $this->db->escape($val) . "'"; // nore quick than count(*) to check existing of a row
+			$sql = "SELECT ".$col." FROM ".MAIN_DB_PREFIX.$table." WHERE ".$col." = '".$this->db->escape($val)."'"; // nore quick than count(*) to check existing of a row
 			$resql = $this->db->getRow($sql);
 			if ($resql) {
 				continue;

+ 30 - 29
htdocs/core/customreports.php

@@ -239,13 +239,14 @@ if (is_array($search_groupby) && count($search_groupby)) {
 			$fieldtocount = $search_groupby[$gkey];
 		}
 
-		$sql = 'SELECT DISTINCT '.$fieldtocount.' as val';
+		$sql = "SELECT DISTINCT ".$fieldtocount." as val";
 		if (strpos($fieldtocount, 'te.') === 0) {
 			$sql .= ' FROM '.MAIN_DB_PREFIX.$object->table_element.'_extrafields as te';
 		} else {
 			$sql .= ' FROM '.MAIN_DB_PREFIX.$object->table_element.' as t';
 		}
 		// TODO Add the where here
+		// ...
 
 		$sql .= ' LIMIT '.($MAXUNIQUEVALFORGROUP + 1);
 
@@ -469,60 +470,60 @@ if (!empty($search_measures) && !empty($search_xaxis)) {
 	foreach ($search_xaxis as $key => $val) {
 		if (preg_match('/\-year$/', $val)) {
 			$tmpval = preg_replace('/\-year$/', '', $val);
-			$sql .= 'DATE_FORMAT('.$tmpval.", '%Y') as x_".$key.', ';
+			$sql .= "DATE_FORMAT(".$tmpval.", '%Y') as x_".$key.', ';
 		} elseif (preg_match('/\-month$/', $val)) {
 			$tmpval = preg_replace('/\-month$/', '', $val);
-			$sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m') as x_".$key.', ';
+			$sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m') as x_".$key.', ';
 		} elseif (preg_match('/\-day$/', $val)) {
 			$tmpval = preg_replace('/\-day$/', '', $val);
-			$sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m-%d') as x_".$key.', ';
+			$sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m-%d') as x_".$key.', ';
 		} else {
-			$sql .= $val.' as x_'.$key.', ';
+			$sql .= $val." as x_".$key.", ";
 		}
 	}
 	foreach ($search_groupby as $key => $val) {
 		if (preg_match('/\-year$/', $val)) {
 			$tmpval = preg_replace('/\-year$/', '', $val);
-			$sql .= 'DATE_FORMAT('.$tmpval.", '%Y') as g_".$key.', ';
+			$sql .= "DATE_FORMAT(".$tmpval.", '%Y') as g_".$key.', ';
 		} elseif (preg_match('/\-month$/', $val)) {
 			$tmpval = preg_replace('/\-month$/', '', $val);
-			$sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m') as g_".$key.', ';
+			$sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m') as g_".$key.', ';
 		} elseif (preg_match('/\-day$/', $val)) {
 			$tmpval = preg_replace('/\-day$/', '', $val);
-			$sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m-%d') as g_".$key.', ';
+			$sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m-%d') as g_".$key.', ';
 		} else {
-			$sql .= $val.' as g_'.$key.', ';
+			$sql .= $val." as g_".$key.", ";
 		}
 	}
 	foreach ($search_measures as $key => $val) {
 		if ($val == 't.count') {
-			$sql .= 'COUNT(t.'.$fieldid.') as y_'.$key.', ';
+			$sql .= "COUNT(t.".$fieldid.") as y_".$key.', ';
 		} elseif (preg_match('/\-sum$/', $val)) {
 			$tmpval = preg_replace('/\-sum$/', '', $val);
-			$sql .= 'SUM('.$db->ifsql($tmpval.' IS NULL', '0', $tmpval).') as y_'.$key.', ';
+			$sql .= "SUM(".$db->ifsql($tmpval.' IS NULL', '0', $tmpval).") as y_".$key.", ";
 		} elseif (preg_match('/\-average$/', $val)) {
 			$tmpval = preg_replace('/\-average$/', '', $val);
-			$sql .= 'AVG('.$db->ifsql($tmpval.' IS NULL', '0', $tmpval).') as y_'.$key.', ';
+			$sql .= "AVG(".$db->ifsql($tmpval.' IS NULL', '0', $tmpval).") as y_".$key.", ";
 		} elseif (preg_match('/\-min$/', $val)) {
 			$tmpval = preg_replace('/\-min$/', '', $val);
-			$sql .= 'MIN('.$db->ifsql($tmpval.' IS NULL', '0', $tmpval).') as y_'.$key.', ';
+			$sql .= "MIN(".$db->ifsql($tmpval.' IS NULL', '0', $tmpval).") as y_".$key.", ";
 		} elseif (preg_match('/\-max$/', $val)) {
 			$tmpval = preg_replace('/\-max$/', '', $val);
-			$sql .= 'MAX('.$db->ifsql($tmpval.' IS NULL', '0', $tmpval).') as y_'.$key.', ';
+			$sql .= "MAX(".$db->ifsql($tmpval.' IS NULL', '0', $tmpval).") as y_".$key.", ";
 		}
 	}
 	$sql = preg_replace('/,\s*$/', '', $sql);
 	$sql .= ' FROM '.MAIN_DB_PREFIX.$object->table_element.' as t';
 	// Add measure from extrafields
 	if ($object->isextrafieldmanaged) {
-		$sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.$object->table_element.'_extrafields as te ON te.fk_object = t.'.$fieldid;
+		$sql .= " LEFT JOIN ".MAIN_DB_PREFIX.$object->table_element."_extrafields as te ON te.fk_object = t.".$fieldid;
 	}
 	if ($object->ismultientitymanaged) {
 		if ($object->ismultientitymanaged == 1) {
 			// Nothing here
 		} else {
 			$tmparray = explode('@', $object->ismultientitymanaged);
-			$sql .= ' INNER JOIN '.MAIN_DB_PREFIX.$tmparray[1].' as parenttable ON t.'.$tmparray[0].' = parenttable.rowid';
+			$sql .= " INNER JOIN ".MAIN_DB_PREFIX.$tmparray[1]." as parenttable ON t.".$tmparray[0]." = parenttable.rowid";
 			$sql .= ' AND parenttable.entity IN ('.getEntity($tmparray[1]).')';
 		}
 	}
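Review bot: The entries of `$search_xaxis`, `$search_groupby` and `$search_measures` are concatenated into the SELECT list as column expressions (`$val`, `$tmpval`), and the commit only switches the surrounding quotes. How these arrays are filled is outside the hunk, but the `search_` prefix suggests request parameters; if so, they are the actual injection surface of this report. Every entry should be checked once, before any SQL is built, against the keys of the known field list, or at least rejected unless it matches `/^[a-z0-9_.\-]+$/i`. This also applies to `$fieldtocount` in the first hunk and to the GROUP BY / ORDER BY loops in the following hunks. The `// ...` line added in the first hunk carries no information and can be dropped.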
@@ -537,27 +538,27 @@ if (!empty($search_measures) && !empty($search_xaxis)) {
 	foreach ($search_xaxis as $key => $val) {
 		if (preg_match('/\-year$/', $val)) {
 			$tmpval = preg_replace('/\-year$/', '', $val);
-			$sql .= 'DATE_FORMAT('.$tmpval.", '%Y'), ";
+			$sql .= "DATE_FORMAT(".$tmpval.", '%Y'), ";
 		} elseif (preg_match('/\-month$/', $val)) {
 			$tmpval = preg_replace('/\-month$/', '', $val);
-			$sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m'), ";
+			$sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m'), ";
 		} elseif (preg_match('/\-day$/', $val)) {
 			$tmpval = preg_replace('/\-day$/', '', $val);
-			$sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m-%d'), ";
+			$sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m-%d'), ";
 		} else {
-			$sql .= $val.', ';
+			$sql .= $val.", ";
 		}
 	}
 	foreach ($search_groupby as $key => $val) {
 		if (preg_match('/\-year$/', $val)) {
 			$tmpval = preg_replace('/\-year$/', '', $val);
-			$sql .= 'DATE_FORMAT('.$tmpval.", '%Y'), ";
+			$sql .= "DATE_FORMAT(".$tmpval.", '%Y'), ";
 		} elseif (preg_match('/\-month$/', $val)) {
 			$tmpval = preg_replace('/\-month$/', '', $val);
-			$sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m'), ";
+			$sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m'), ";
 		} elseif (preg_match('/\-day$/', $val)) {
 			$tmpval = preg_replace('/\-day$/', '', $val);
-			$sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m-%d'), ";
+			$sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m-%d'), ";
 		} else {
 			$sql .= $val.', ';
 		}
@@ -567,13 +568,13 @@ if (!empty($search_measures) && !empty($search_xaxis)) {
 	foreach ($search_xaxis as $key => $val) {
 		if (preg_match('/\-year$/', $val)) {
 			$tmpval = preg_replace('/\-year$/', '', $val);
-			$sql .= 'DATE_FORMAT('.$tmpval.", '%Y'), ";
+			$sql .= "DATE_FORMAT(".$tmpval.", '%Y'), ";
 		} elseif (preg_match('/\-month$/', $val)) {
 			$tmpval = preg_replace('/\-month$/', '', $val);
-			$sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m'), ";
+			$sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m'), ";
 		} elseif (preg_match('/\-day$/', $val)) {
 			$tmpval = preg_replace('/\-day$/', '', $val);
-			$sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m-%d'), ";
+			$sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m-%d'), ";
 		} else {
 			$sql .= $val.', ';
 		}
@@ -581,13 +582,13 @@ if (!empty($search_measures) && !empty($search_xaxis)) {
 	foreach ($search_groupby as $key => $val) {
 		if (preg_match('/\-year$/', $val)) {
 			$tmpval = preg_replace('/\-year$/', '', $val);
-			$sql .= 'DATE_FORMAT('.$tmpval.", '%Y'), ";
+			$sql .= "DATE_FORMAT(".$tmpval.", '%Y'), ";
 		} elseif (preg_match('/\-month$/', $val)) {
 			$tmpval = preg_replace('/\-month$/', '', $val);
-			$sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m'), ";
+			$sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m'), ";
 		} elseif (preg_match('/\-day$/', $val)) {
 			$tmpval = preg_replace('/\-day$/', '', $val);
-			$sql .= 'DATE_FORMAT('.$tmpval.", '%Y-%m-%d'), ";
+			$sql .= "DATE_FORMAT(".$tmpval.", '%Y-%m-%d'), ";
 		} else {
 			$sql .= $val.', ';
 		}

+ 1 - 1
htdocs/core/db/pgsql.class.php

@@ -905,7 +905,7 @@ class DoliDBPgsql extends DoliDB
 		// Test charset match LC_TYPE (pgsql error otherwise)
 		//print $charset.' '.setlocale(LC_CTYPE,'0'); exit;
 
-		$sql = 'CREATE DATABASE "'.$database.'" OWNER "'.$owner.'" ENCODING \''.$charset.'\'';
+		$sql = "CREATE DATABASE '".$this->escape($database)."' OWNER '".$this->escape($owner)."' ENCODING '".$this->escape($charset)."'";
 		dol_syslog($sql, LOG_DEBUG);
 		$ret = $this->query($sql);
 		return $ret;
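Review bot: The new statement puts the database name and owner in single quotes, but PostgreSQL treats single-quoted text as a string literal, and `CREATE DATABASE` / `OWNER` expect identifiers. The rewritten query would therefore most likely fail with a syntax error. `escape()` is also a string-literal escaper, not an identifier escaper. Keep the double quotes and double any embedded ones, escaping only the encoding value as a literal: `$sql = 'CREATE DATABASE "'.str_replace('"', '""', $database).'" OWNER "'.str_replace('"', '""', $owner).'" ENCODING \''.$this->escape($charset).'\'';`. The method starts outside the hunk.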

+ 6 - 11
htdocs/core/db/sqlite3.class.php

@@ -421,7 +421,7 @@ class DoliDBSqlite3 extends DoliDB
 			$descTable = $this->db->querySingle("SELECT sql FROM sqlite_master WHERE name='".$this->escape($tablename)."'");
 
 			// 1- Renommer la table avec un nom temporaire
-			$this->query('ALTER TABLE '.$tablename.' RENAME TO tmp_'.$tablename);
+			$this->query("ALTER TABLE ".$tablename." RENAME TO tmp_".$tablename);
 
 			// 2- Recréer la table avec la contrainte ajoutée
 
@@ -436,10 +436,10 @@ class DoliDBSqlite3 extends DoliDB
 			$this->query($descTable);
 
 			// 3- Transférer les données
-			$this->query('INSERT INTO '.$tablename.' SELECT * FROM tmp_'.$tablename);
+			$this->query("INSERT INTO ".$tablename." SELECT * FROM tmp_".$tablename);
 
 			// 4- Supprimer la table temporaire
-			$this->query('DROP TABLE tmp_'.$tablename);
+			$this->query("DROP TABLE tmp_".$tablename);
 
 			// dummy statement
 			$query = "SELECT 0";
@@ -840,17 +840,12 @@ class DoliDBSqlite3 extends DoliDB
 		}
 
 		// ALTER DATABASE dolibarr_db DEFAULT CHARACTER SET latin DEFAULT COLLATE latin1_swedish_ci
-		$sql = 'CREATE DATABASE '.$database;
-		$sql .= ' DEFAULT CHARACTER SET '.$charset.' DEFAULT COLLATE '.$collation;
+		$sql = "CREATE DATABASE ".$this->escape($database);
+		$sql .= " DEFAULT CHARACTER SET ".$this->escape($charset)." DEFAULT COLLATE ".$this->escape($collation);
 
 		dol_syslog($sql, LOG_DEBUG);
 		$ret = $this->query($sql);
-		if (!$ret) {
-			// We try again for compatibility with Mysql < 4.1.1
-			$sql = 'CREATE DATABASE '.$database;
-			$ret = $this->query($sql);
-			dol_syslog($sql, LOG_DEBUG);
-		}
+
 		return $ret;
 	}
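Review bot: `$this->escape()` is applied to `$database`, `$charset` and `$collation` although all three are placed unquoted in the statement. Assuming `escape()` only neutralises quote characters for use inside a string literal, it gives no protection in identifier or keyword position, where spaces and other SQL syntax pass through unchanged. An allowlist check before building the query would be more effective, for example `if (!preg_match('/^[A-Za-z0-9_]+$/', $database.$charset.$collation)) { return false; }`, with the return value aligned to what callers expect. The hunk also removes the plain `CREATE DATABASE` retry; if that is intentional it deserves a line in the commit message. The method starts outside the hunk.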
 

+ 2 - 2
htdocs/core/lib/admin.lib.php

@@ -306,8 +306,8 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle
 			// with
 			// 'INSERT INTO llx_accounting_account (entity, rowid, fk_pcg_version, pcg_type, account_number, account_parent, label, active) VALUES (__ENTITY__, 1401 + 200100000, 'PCG99-ABREGE','CAPIT', '1234', 1400 + 200100000,...'
 			// Note: string with 'PCG99-ABREGE','CAPIT', 1234  instead of  'PCG99-ABREGE','CAPIT', '1234' is also supported
-			$newsql = preg_replace('/VALUES\s*\(__ENTITY__, \s*(\d+)\s*,(\s*\'[^\',]*\'\s*,\s*\'[^\',]*\'\s*,\s*\'?[^\',]*\'?\s*),\s*\'?([^\',]*)\'?/ims', 'VALUES (__ENTITY__, \1 + '.$offsetforchartofaccount.', \2, \3 + '.$offsetforchartofaccount, $newsql);
-			$newsql = preg_replace('/([,\s])0 \+ '.$offsetforchartofaccount.'/ims', '\1 0', $newsql);
+			$newsql = preg_replace('/VALUES\s*\(__ENTITY__, \s*(\d+)\s*,(\s*\'[^\',]*\'\s*,\s*\'[^\',]*\'\s*,\s*\'?[^\',]*\'?\s*),\s*\'?([^\',]*)\'?/ims', 'VALUES (__ENTITY__, \1 + '.((int) $offsetforchartofaccount).', \2, \3 + '.((int) $offsetforchartofaccount), $newsql);
+			$newsql = preg_replace('/([,\s])0 \+ '.((int) $offsetforchartofaccount).'/ims', '\1 0', $newsql);
 			//var_dump($newsql);
 			$arraysql[$i] = $newsql;
 

+ 1 - 1
htdocs/core/lib/company.lib.php

@@ -1526,7 +1526,7 @@ function show_actions_done($conf, $langs, $db, $filterobj, $objcon = '', $noprin
 				}
 			} elseif (is_object($filterobj) && is_array($filterobj->fields) && is_array($filterobj->fields['rowid']) && is_array($filterobj->fields['ref']) && $filterobj->table_element && $filterobj->element) {
 				// Generic case
-				$sql .= " AND a.fk_element = o.rowid AND a.elementtype = '".$db->escape($filterobj->element).($module ? '@'.$module : '')."'";
+				$sql .= " AND a.fk_element = o.rowid AND a.elementtype = '".$db->escape($filterobj->element).($module ? "@".$module : "")."'";
 				if ($filterobj->id) {
 					$sql .= " AND a.fk_element = ".((int) $filterobj->id);
 				}
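Review bot: In the changed `a.elementtype` condition only `$filterobj->element` goes through `$db->escape()`; the `"@".$module` suffix is appended after the call and lands inside the quoted literal unescaped. The whole value should be escaped as one string, as this commit already does for `src_object_type` in commonobject.class.php: `$sql .= " AND a.fk_element = o.rowid AND a.elementtype = '".$db->escape($filterobj->element.($module ? "@".$module : ""))."'";`. Where `$module` is set is outside the hunk.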

+ 0 - 19
htdocs/core/lib/files.lib.php

@@ -2945,25 +2945,6 @@ function dol_check_secure_access_document($modulepart, $original_file, $entity,
 				$sqlprotectagainstexternals = $hookmanager->resArray['sqlprotectagainstexternals'];
 			}
 		}
-
-		/*
-		// For modules who wants to manage different levels of permissions for documents
-		$subPermCategoryConstName = strtoupper($modulepart).'_SUBPERMCATEGORY_FOR_DOCUMENTS';
-		if (!empty($conf->global->$subPermCategoryConstName)) {
-			$subPermCategory = $conf->global->$subPermCategoryConstName;
-			if (!empty($subPermCategory) && (($fuser->rights->$modulepart->$subPermCategory->{$lire}) || ($fuser->rights->$modulepart->$subPermCategory->{$read}) || ($fuser->rights->$modulepart->$subPermCategory->{$download}))) {
-				$accessallowed = 1;
-			}
-		}
-
-		// Define $sqlprotectagainstexternals for modules who want to protect access using a SQL query.
-		$sqlProtectConstName = strtoupper($modulepart).'_SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS';
-		if (!empty($conf->global->$sqlProtectConstName)) {	// If module want to define its own $sqlprotectagainstexternals
-			// Example: mymodule_SQLPROTECTAGAINSTEXTERNALS_FOR_DOCUMENTS = "SELECT fk_soc FROM ".MAIN_DB_PREFIX.$modulepart." WHERE ref='".$db->escape($refname)."' AND entity=".$conf->entity;
-			// TODO Replace this with a hook
-			eval('$sqlprotectagainstexternals = "'.$conf->global->$sqlProtectConstName.'";');
-		}
-		*/
 	}
 
 	$ret = array(

+ 2 - 2
htdocs/core/lib/invoice.lib.php

@@ -239,7 +239,7 @@ function getCustomerInvoicePieChart($socid = 0)
 	$sql .= " WHERE f.fk_soc = s.rowid";
 	$sql .= " AND f.entity IN (".getEntity('facture').")";
 	if ($user->socid) {
-		$sql .= ' AND f.fk_soc = '.$user->socid;
+		$sql .= ' AND f.fk_soc = '.((int) $user->socid);
 	}
 	if (!$user->rights->societe->client->voir && !$socid) {
 		$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
@@ -359,7 +359,7 @@ function getPurchaseInvoicePieChart($socid = 0)
 	$sql .= " WHERE f.fk_soc = s.rowid";
 	$sql .= " AND f.entity IN (".getEntity('facture_fourn').")";
 	if ($user->socid) {
-		$sql .= ' AND f.fk_soc = '.$user->socid;
+		$sql .= ' AND f.fk_soc = '.((int) $user->socid);
 	}
 	if (!$user->rights->societe->client->voir && !$socid) {
 		$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);

+ 1 - 1
htdocs/core/lib/order.lib.php

@@ -205,7 +205,7 @@ function getCustomerOrderPieChart($socid = 0)
 	$sql .= " WHERE c.fk_soc = s.rowid";
 	$sql .= " AND c.entity IN (".getEntity('societe').")";
 	if ($user->socid) {
-		$sql .= ' AND c.fk_soc = '.$user->socid;
+		$sql .= ' AND c.fk_soc = '.((int) $user->socid);
 	}
 	if (!$user->rights->societe->client->voir && !$socid) {
 		$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);

+ 1 - 1
htdocs/core/lib/propal.lib.php

@@ -184,7 +184,7 @@ function getCustomerProposalPieChart($socid = 0)
 	$sql .= " WHERE p.entity IN (".getEntity($propalstatic->element).")";
 	$sql .= " AND p.fk_soc = s.rowid";
 	if ($user->socid) {
-		$sql .= ' AND p.fk_soc = '.$user->socid;
+		$sql .= ' AND p.fk_soc = '.((int) $user->socid);
 	}
 	if (!$user->rights->societe->client->voir && !$socid) {
 		$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);

+ 3 - 3
htdocs/core/modules/modFournisseur.class.php

@@ -353,7 +353,7 @@ class modFournisseur extends DolibarrModules
 		$this->export_sql_end[$r] .= ' WHERE f.fk_soc = s.rowid AND f.rowid = fd.fk_facture_fourn';
 		$this->export_sql_end[$r] .= ' AND f.entity IN ('.getEntity('supplier_invoice').')';
 		if (is_object($user) && empty($user->rights->societe->client->voir)) {
-			$this->export_sql_end[$r] .= ' AND sc.fk_user = '.$user->id;
+			$this->export_sql_end[$r] .= ' AND sc.fk_user = '.((int) $user->id);
 		}
 
 		$r++;
@@ -417,7 +417,7 @@ class modFournisseur extends DolibarrModules
 		$this->export_sql_end[$r] .= ' WHERE f.fk_soc = s.rowid';
 		$this->export_sql_end[$r] .= ' AND f.entity IN ('.getEntity('supplier_invoice').')';
 		if (is_object($user) && empty($user->rights->societe->client->voir)) {
-			$this->export_sql_end[$r] .= ' AND sc.fk_user = '.$user->id;
+			$this->export_sql_end[$r] .= ' AND sc.fk_user = '.((int) $user->id);
 		}
 
 		// Order
@@ -493,7 +493,7 @@ class modFournisseur extends DolibarrModules
 		$this->export_sql_end[$r] .= ' WHERE f.fk_soc = s.rowid AND f.rowid = fd.fk_commande';
 		$this->export_sql_end[$r] .= ' AND f.entity IN ('.getEntity('supplier_order').')';
 		if (is_object($user) && empty($user->rights->societe->client->voir)) {
-			$this->export_sql_end[$r] .= ' AND sc.fk_user = '.$user->id;
+			$this->export_sql_end[$r] .= ' AND sc.fk_user = '.((int) $user->id);
 		}
 
 		//Import Supplier Invoice
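Review bot: The `sc.fk_user` restriction in all three hunks is appended only when `is_object($user)` holds, so a descriptor built without a user object yields an export query with no per-user filter. Whether such a query can ever be executed is not visible from these hunks. If it cannot, a short comment above the condition stating that the profile is never run without a logged-in user would record the assumption; if it can, the missing-user case should be the restrictive one. The two hunks in htdocs/core/modules/modSociete.class.php follow the same pattern, and the enclosing method runs beyond every hunk shown.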

+ 2 - 2
htdocs/core/modules/modSociete.class.php

@@ -340,7 +340,7 @@ class modSociete extends DolibarrModules
 		$this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_incoterms as incoterm ON s.fk_incoterms = incoterm.rowid';
 		$this->export_sql_end[$r] .= ' WHERE s.entity IN ('.getEntity('societe').')';
 		if (is_object($user) && empty($user->rights->societe->client->voir)) {
-			$this->export_sql_end[$r] .= ' AND (sc.fk_user = '.$user->id.' ';
+			$this->export_sql_end[$r] .= ' AND (sc.fk_user = '.((int) $user->id).' ';
 			if (!empty($conf->global->SOCIETE_EXPORT_SUBORDINATES_CHILDS)) {
 				$subordinatesids = $user->getAllChildIds();
 				$this->export_sql_end[$r] .= count($subordinatesids) > 0 ? ' OR (sc.fk_user IN ('.$this->db->sanitize(implode(',', $subordinatesids)).')' : '';
@@ -410,7 +410,7 @@ class modSociete extends DolibarrModules
 		$this->export_sql_end[$r] .= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_typent as t ON s.fk_typent = t.id';
 		$this->export_sql_end[$r] .= ' WHERE c.entity IN ('.getEntity('socpeople').')';
 		if (is_object($user) && empty($user->rights->societe->client->voir)) {
-			$this->export_sql_end[$r] .= ' AND (sc.fk_user = '.$user->id.' ';
+			$this->export_sql_end[$r] .= ' AND (sc.fk_user = '.((int) $user->id).' ';
 			if (!empty($conf->global->SOCIETE_EXPORT_SUBORDINATES_CHILDS)) {
 				$subordinatesids = $user->getAllChildIds();
 				$this->export_sql_end[$r] .= count($subordinatesids) > 0 ? ' OR (sc.fk_user IN ('.$this->db->sanitize(implode(',', $subordinatesids)).')' : '';

+ 1 - 1
htdocs/expensereport/class/expensereport.class.php

@@ -2525,7 +2525,7 @@ class ExpenseReport extends CommonObject
 
 		$sql = 'SELECT sum(amount) as amount';
 		$sql .= ' FROM '.MAIN_DB_PREFIX.$table;
-		$sql .= ' WHERE '.$field.' = '.((int) $this->id);
+		$sql .= " WHERE ".$field." = ".((int) $this->id);
 
 		dol_syslog(get_class($this)."::getSumPayments", LOG_DEBUG);
 		$resql = $this->db->query($sql);
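Review bot: `$table` and `$field` are spliced into the statement as bare identifiers on the lines around the changed `WHERE`, and neither the `(int)` cast nor `$db->escape()` can protect an identifier. Their assignments are outside the hunk, so they may already be fixed strings, but a comment would pin the requirement: `// $table and $field must be hard-coded literals, never request data: they are concatenated as SQL identifiers`. The same applies to the matching hunks in htdocs/loan/class/loan.class.php and htdocs/salaries/class/salary.class.php.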

+ 1 - 1
htdocs/fichinter/index.php

@@ -80,7 +80,7 @@ if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " WHERE f.entity IN (".getEntity('intervention').")";
 $sql .= " AND f.fk_soc = s.rowid";
 if ($user->socid) {
-	$sql .= ' AND f.fk_soc = '.$user->socid;
+	$sql .= ' AND f.fk_soc = '.((int) $user->socid);
 }
 if (!$user->rights->societe->client->voir && !$socid) {
 	$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);

+ 1 - 1
htdocs/fourn/class/fournisseur.facture.class.php

@@ -2411,7 +2411,7 @@ class FactureFournisseur extends CommonInvoice
 		$sql .= ' AND ff.fk_statut > 0';
 		$sql .= " AND ff.entity = ".$conf->entity;
 		if ($user->socid) {
-			$sql .= ' AND ff.fk_soc = '.$user->socid;
+			$sql .= ' AND ff.fk_soc = '.((int) $user->socid);
 		}
 		if (!$user->rights->societe->client->voir && !$user->socid) {
 			$sql .= " AND ff.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
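Review bot: `$conf->entity` is still concatenated uncast two lines above the changed line, while every id around it now goes through `(int)`. It is presumably a server-side value rather than request input, but casting it keeps the query uniformly typed and matches what this commit does elsewhere: `$sql .= " AND ff.entity = ".((int) $conf->entity);`. The hunk in htdocs/fourn/paiement/list.php has the same pattern in `' WHERE f.entity = '.$conf->entity`. The enclosing method starts and ends outside the hunk.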

+ 1 - 1
htdocs/fourn/commande/index.php

@@ -73,7 +73,7 @@ if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " WHERE cf.fk_soc = s.rowid";
 $sql .= " AND cf.entity IN (".getEntity('supplier_order').")";
 if ($user->socid) {
-	$sql .= ' AND cf.fk_soc = '.$user->socid;
+	$sql .= ' AND cf.fk_soc = '.((int) $user->socid);
 }
 if (!$user->rights->societe->client->voir && !$socid) {
 	$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);

+ 1 - 1
htdocs/fourn/paiement/list.php

@@ -192,7 +192,7 @@ if (!$user->rights->societe->client->voir) {
 
 $sql .= ' WHERE f.entity = '.$conf->entity;
 if (!$user->rights->societe->client->voir) {
-	$sql .= ' AND s.rowid = sc.fk_soc AND sc.fk_user = '.$user->id;
+	$sql .= ' AND s.rowid = sc.fk_soc AND sc.fk_user = '.((int) $user->id);
 }
 if ($socid > 0) {
 	$sql .= ' AND f.fk_soc = '.((int) $socid);

+ 1 - 1
htdocs/loan/class/loan.class.php

@@ -651,7 +651,7 @@ class Loan extends CommonObject
 
 		$sql = 'SELECT sum(amount_capital) as amount';
 		$sql .= ' FROM '.MAIN_DB_PREFIX.$table;
-		$sql .= ' WHERE '.$field.' = '.((int) $this->id);
+		$sql .= " WHERE ".$field." = ".((int) $this->id);
 
 		dol_syslog(get_class($this)."::getSumPayment", LOG_DEBUG);
 		$resql = $this->db->query($sql);

+ 1 - 1
htdocs/product/stock/replenishorders.php

@@ -135,7 +135,7 @@ if ($conf->global->STOCK_CALCULATE_ON_SUPPLIER_VALIDATE_ORDER) {
 	$sql .= ' AND cf.fk_statut < 5';
 }
 if (!$user->rights->societe->client->voir && !$socid) {
-	$sql .= ' AND s.rowid = sc.fk_soc AND sc.fk_user = '.$user->id;
+	$sql .= ' AND s.rowid = sc.fk_soc AND sc.fk_user = '.((int) $user->id);
 }
 if ($sref) {
 	$sql .= natural_search('cf.ref', $sref);

+ 1 - 1
htdocs/salaries/class/salary.class.php

@@ -570,7 +570,7 @@ class Salary extends CommonObject
 
 		$sql = 'SELECT sum(amount) as amount';
 		$sql .= ' FROM '.MAIN_DB_PREFIX.$table;
-		$sql .= ' WHERE '.$field.' = '.((int) $this->id);
+		$sql .= " WHERE ".$field." = ".((int) $this->id);
 
 		dol_syslog(get_class($this)."::getSommePaiement", LOG_DEBUG);
 		$resql = $this->db->query($sql);

+ 1 - 1
htdocs/supplier_proposal/index.php

@@ -72,7 +72,7 @@ if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " WHERE p.fk_soc = s.rowid";
 $sql .= " AND p.entity IN (".getEntity('supplier_proposal').")";
 if ($user->socid) {
-	$sql .= ' AND p.fk_soc = '.$user->socid;
+	$sql .= ' AND p.fk_soc = '.((int) $user->socid);
 }
 if (!$user->rights->societe->client->voir && !$socid) {
 	$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);