Laurent Destailleur 4 éve
54c0f742b1
32 módosított fájl, 118 hozzáadás és 94 törlés
  1. 1 1
      htdocs/admin/bank.php
  2. 5 5
      htdocs/admin/barcode.php
  3. 1 1
      htdocs/admin/bom.php
  4. 2 2
      htdocs/core/actions_massactions.inc.php
  5. 1 1
      htdocs/core/boxes/box_produits.php
  6. 1 1
      htdocs/core/boxes/box_produits_alerte_stock.php
  7. 2 2
      htdocs/core/boxes/box_task.php
  8. 1 1
      htdocs/core/class/commondocgenerator.class.php
  9. 1 1
      htdocs/core/class/commoninvoice.class.php
  10. 14 14
      htdocs/core/class/commonobject.class.php
  11. 11 11
      htdocs/core/class/extrafields.class.php
  12. 6 6
      htdocs/core/class/html.form.class.php
  13. 1 1
      htdocs/core/class/html.formaccounting.class.php
  14. 1 1
      htdocs/core/class/html.formcompany.class.php
  15. 2 2
      htdocs/core/class/html.formmail.class.php
  16. 1 1
      htdocs/core/class/html.formother.class.php
  17. 1 1
      htdocs/core/class/html.formsocialcontrib.class.php
  18. 2 1
      htdocs/core/class/infobox.class.php
  19. 4 4
      htdocs/core/class/link.class.php
  20. 1 1
      htdocs/core/class/menubase.class.php
  21. 3 3
      htdocs/core/class/notify.class.php
  22. 3 3
      htdocs/core/db/mysqli.class.php
  23. 7 7
      htdocs/core/db/pgsql.class.php
  24. 4 4
      htdocs/core/db/sqlite3.class.php
  25. 3 3
      htdocs/core/lib/admin.lib.php
  26. 2 2
      htdocs/core/lib/company.lib.php
  27. 1 0
      htdocs/core/lib/files.lib.php
  28. 3 3
      htdocs/core/lib/functions.lib.php
  29. 2 2
      htdocs/core/modules/societe/mod_codeclient_elephant.php
  30. 2 2
      htdocs/core/modules/societe/mod_codeclient_monkey.php
  31. 1 1
      htdocs/core/modules/societe/mod_codecompta_digitaria.php
  32. 28 6
      test/phpunit/CodingPhpTest.php

+ 1 - 1
htdocs/admin/bank.php

@@ -283,7 +283,7 @@ print load_fiche_titre($langs->trans("BankAccountModelModule"), '', '');
 $def = array();
 $sql = "SELECT nom";
 $sql .= " FROM ".MAIN_DB_PREFIX."document_model";
-$sql .= " WHERE type = '".$type."'";
+$sql .= " WHERE type = '".$db->escape($type)."'";
 $sql .= " AND entity = ".$conf->entity;
 $resql = $db->query($sql);
 if ($resql) {
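Review bot: `$sql .= " AND entity = ".$conf->entity;` still concatenates the entity raw on the line right after the newly escaped `$type`; for a numeric column the consistent guard is an integer cast, `$sql .= " AND entity = ".((int) $conf->entity);`. The same uncast `$conf->entity` concatenation is left in bom.php, barcode.php, extrafields.class.php, the ecm_files DELETE in commonobject.class.php, link.class.php, menubase.class.php and admin.lib.php, so one sweep would cover them all. The value comes from configuration rather than the request, so this is hardening for consistency rather than a live injection path. This is top-level script code and the `if ($resql)` branch continues outside the hunk.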

+ 5 - 5
htdocs/admin/barcode.php

@@ -58,10 +58,10 @@ if ($action == 'setbarcodeproducton')
 if ($action == 'setcoder')
 {
 	$coder = GETPOST('coder', 'alpha');
-	$code_id = GETPOST('code_id', 'alpha');
+	$code_id = GETPOST('code_id', 'int');
 	$sqlp = "UPDATE ".MAIN_DB_PREFIX."c_barcode_type";
-	$sqlp .= " SET coder = '".$coder."'";
-	$sqlp .= " WHERE rowid = ".$code_id;
+	$sqlp .= " SET coder = '".$db->escape($coder)."'";
+	$sqlp .= " WHERE rowid = ".((int) $code_id);
 	$sqlp .= " AND entity = ".$conf->entity;
 
 	$resql = $db->query($sqlp);
@@ -104,8 +104,8 @@ if ($action == 'setcoder')
 	            $code_id = $obj->rowid;
 
 	            $sqlp = "UPDATE ".MAIN_DB_PREFIX."c_barcode_type";
-	            $sqlp .= " SET coder = '".$coder."'";
-	            $sqlp .= " WHERE rowid = ".$code_id;
+	            $sqlp .= " SET coder = '".$db->escape($coder)."'";
+	            $sqlp .= " WHERE rowid = ".((int) $code_id);
 	            $sqlp .= " AND entity = ".$conf->entity;
 
 	            $upsql = $db->query($sqlp);

+ 1 - 1
htdocs/admin/bom.php

@@ -292,7 +292,7 @@ print load_fiche_titre($langs->trans("BOMsModelModule"), '', '');
 $def = array();
 $sql = "SELECT nom";
 $sql .= " FROM ".MAIN_DB_PREFIX."document_model";
-$sql .= " WHERE type = '".$type."'";
+$sql .= " WHERE type = '".$db->escape($type)."'";
 $sql .= " AND entity = ".$conf->entity;
 $resql = $db->query($sql);
 if ($resql)

+ 2 - 2
htdocs/core/actions_massactions.inc.php

@@ -648,9 +648,9 @@ if ($massaction == 'confirm_createbills')   // Create bills from orders
 			$sql .= ", targettype";
 			$sql .= ") VALUES (";
 			$sql .= $id_order;
-			$sql .= ", '".$objecttmp->origin."'";
+			$sql .= ", '".$db->escape($objecttmp->origin)."'";
 			$sql .= ", ".$objecttmp->id;
-			$sql .= ", '".$objecttmp->element."'";
+			$sql .= ", '".$db->escape($objecttmp->element)."'";
 			$sql .= ")";
 
 			if (!$db->query($sql))
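Review bot: `$id_order` and `$objecttmp->id` are still concatenated into the VALUES list without a cast, while the two string columns on either side of them now go through `$db->escape()`; `$sql .= ((int) $id_order);` and `$sql .= ", ".((int) $objecttmp->id);` would guard every value in the INSERT the same way. The surrounding `if ($massaction == 'confirm_createbills')` block starts and ends outside the hunk, so where `$id_order` is taken from is not visible here.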

+ 1 - 1
htdocs/core/boxes/box_produits.php

@@ -117,7 +117,7 @@ class box_produits extends ModeleBoxes
 						$sqld = "SELECT label";
 						$sqld .= " FROM ".MAIN_DB_PREFIX."product_lang";
 						$sqld .= " WHERE fk_product=".$objp->rowid;
-						$sqld .= " AND lang='".$langs->getDefaultLang()."'";
+						$sqld .= " AND lang='".$this->db->escape($langs->getDefaultLang())."'";
 						$sqld .= " LIMIT 1";
 
 						$resultd = $this->db->query($sqld);
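Review bot: `$sqld .= " WHERE fk_product=".$objp->rowid;` concatenates the id raw one line above the newly escaped `lang` filter; an integer cast, `$sqld .= " WHERE fk_product = ".((int) $objp->rowid);`, keeps the whole query guarded. The identical three lines appear in box_produits_alerte_stock.php, where the same cast applies. Both hunks sit inside a loop whose start and end are outside the hunk, so the origin of `$objp` is only inferred from the `rowid` access.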

+ 1 - 1
htdocs/core/boxes/box_produits_alerte_stock.php

@@ -130,7 +130,7 @@ class box_produits_alerte_stock extends ModeleBoxes
 						$sqld = "SELECT label";
 						$sqld .= " FROM ".MAIN_DB_PREFIX."product_lang";
 						$sqld .= " WHERE fk_product=".$objp->rowid;
-						$sqld .= " AND lang='".$langs->getDefaultLang()."'";
+						$sqld .= " AND lang='".$this->db->escape($langs->getDefaultLang())."'";
 						$sqld .= " LIMIT 1";
 
 						$resultd = $this->db->query($sqld);

+ 2 - 2
htdocs/core/boxes/box_task.php

@@ -154,10 +154,10 @@ class box_task extends ModeleBoxes
 			$sql .= " JOIN ".MAIN_DB_PREFIX."projet as p ON (pt.fk_projet = p.rowid)";
 
             if ($filterValue === 'im_task_contact') {
-                $sql .= " JOIN ".MAIN_DB_PREFIX."element_contact as ec ON (ec.element_id = pt.rowid AND ec.fk_socpeople = '".$user->id."' )";
+                $sql .= " JOIN ".MAIN_DB_PREFIX."element_contact as ec ON (ec.element_id = pt.rowid AND ec.fk_socpeople = ".((int) $user->id).")";
                 $sql .= " JOIN ".MAIN_DB_PREFIX."c_type_contact  as tc ON (ec.fk_c_type_contact = tc.rowid AND tc.element = 'project_task' AND tc.source = 'internal' )";
             } elseif ($filterValue === 'im_project_contact') {
-                $sql .= " JOIN ".MAIN_DB_PREFIX."element_contact as ec ON (ec.element_id = p.rowid AND ec.fk_socpeople = '".$user->id."' )";
+                $sql .= " JOIN ".MAIN_DB_PREFIX."element_contact as ec ON (ec.element_id = p.rowid AND ec.fk_socpeople = ".((int) $user->id).")";
                 $sql .= " JOIN ".MAIN_DB_PREFIX."c_type_contact  as tc ON (ec.fk_c_type_contact = tc.rowid AND tc.element = 'project' AND tc.source = 'internal' )";
             }
 

+ 1 - 1
htdocs/core/class/commondocgenerator.class.php

@@ -604,7 +604,7 @@ abstract class CommonDocGenerator
 				if ($columns != "")
 				{
 					$columns = substr($columns, 0, strlen($columns) - 2);
-					$resql = $this->db->query("SELECT $columns FROM ".MAIN_DB_PREFIX."product_fournisseur_price_extrafields AS ex INNER JOIN ".MAIN_DB_PREFIX."product_fournisseur_price AS f ON ex.fk_object = f.rowid WHERE f.ref_fourn = '".$line->ref_supplier."'");
+					$resql = $this->db->query("SELECT ".$columns." FROM ".MAIN_DB_PREFIX."product_fournisseur_price_extrafields AS ex INNER JOIN ".MAIN_DB_PREFIX."product_fournisseur_price AS f ON ex.fk_object = f.rowid WHERE f.ref_fourn = '".$this->db->escape($line->ref_supplier)."'");
 
 					if ($this->db->num_rows($resql) > 0)
 					{
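Review bot: `$this->db->num_rows($resql)` runs without checking that the query succeeded, so a failed query, which escaping `ref_supplier` does not rule out, hands `false` to `num_rows()`; guard it with `if ($resql && $this->db->num_rows($resql) > 0)`. `$columns` is still interpolated as a raw column list; it is built above the hunk, so whether it can ever carry non-constant extrafield names cannot be checked here and is worth confirming. The enclosing method starts and ends outside the hunk.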

+ 1 - 1
htdocs/core/class/commoninvoice.class.php

@@ -462,7 +462,7 @@ abstract class CommonInvoice extends CommonObject
 		$type = 'customer_invoice';
 		if ($this->element == 'invoice_supplier') $type = 'supplier_invoice';
 
-		$sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$type."' AND ab.fk_doc = ".$this->id;
+		$sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$this->db->escape($type)."' AND ab.fk_doc = ".$this->id;
 		$resql = $this->db->query($sql);
 		if ($resql)
 		{
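Review bot: `AND ab.fk_doc = ".$this->id` concatenates the id raw, while `$type`, which can only be one of the two literal strings assigned two lines above, is the value that got escaped; `((int) $this->id)` is the guard that actually matters on this line. The enclosing method starts and ends outside the hunk.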

+ 14 - 14
htdocs/core/class/commonobject.class.php

@@ -1028,8 +1028,8 @@ abstract class CommonObject
 		// Insert into database
 		$sql = "UPDATE ".MAIN_DB_PREFIX."element_contact set";
 		$sql .= " statut = ".$statut;
-		if ($type_contact_id) $sql .= ", fk_c_type_contact = '".$type_contact_id."'";
-		if ($fk_socpeople) $sql .= ", fk_socpeople = '".$fk_socpeople."'";
+		if ($type_contact_id) $sql .= ", fk_c_type_contact = ".((int) $type_contact_id);
+		if ($fk_socpeople) $sql .= ", fk_socpeople = ".((int) $fk_socpeople);
 		$sql .= " where rowid = ".$rowid;
 		$resql = $this->db->query($sql);
 		if ($resql)
@@ -1389,9 +1389,9 @@ abstract class CommonObject
 		if ($source == 'internal') $sql .= " AND c.entity IN (".getEntity('user').")";
 		if ($source == 'external') $sql .= " AND c.entity IN (".getEntity('societe').")";
 		$sql .= " AND ec.fk_c_type_contact = tc.rowid";
-		$sql .= " AND tc.element = '".$element."'";
-		$sql .= " AND tc.source = '".$source."'";
-		if ($code) $sql .= " AND tc.code = '".$code."'";
+		$sql .= " AND tc.element = '".$this->db->escape($element)."'";
+		$sql .= " AND tc.source = '".$this->db->escape($source)."'";
+		if ($code) $sql .= " AND tc.code = '".$this->db->escape($code)."'";
 		$sql .= " AND tc.active = 1";
 		if ($status) $sql .= " AND ec.statut = ".$status;
 
@@ -3243,16 +3243,16 @@ abstract class CommonObject
 		{
 			if ($justsource)
 			{
-				$sql .= "fk_source = ".$sourceid." AND sourcetype = '".$sourcetype."'";
-				if ($withtargettype) $sql .= " AND targettype = '".$targettype."'";
+				$sql .= "fk_source = ".$sourceid." AND sourcetype = '".$this->db->escape($sourcetype)."'";
+				if ($withtargettype) $sql .= " AND targettype = '".$this->db->escape($targettype)."'";
 			} elseif ($justtarget)
 			{
-				$sql .= "fk_target = ".$targetid." AND targettype = '".$targettype."'";
-				if ($withsourcetype) $sql .= " AND sourcetype = '".$sourcetype."'";
+				$sql .= "fk_target = ".$targetid." AND targettype = '".$this->db->escape($targettype)."'";
+				if ($withsourcetype) $sql .= " AND sourcetype = '".$this->db->escape($sourcetype)."'";
 			}
 		} else {
-			$sql .= "(fk_source = ".$sourceid." AND sourcetype = '".$sourcetype."')";
-			$sql .= " ".$clause." (fk_target = ".$targetid." AND targettype = '".$targettype."')";
+			$sql .= "(fk_source = ".$sourceid." AND sourcetype = '".$this->db->escape($sourcetype)."')";
+			$sql .= " ".$clause." (fk_target = ".$targetid." AND targettype = '".$this->db->escape($targettype)."')";
 		}
 		$sql .= ' ORDER BY '.$orderby;
 
@@ -4841,7 +4841,7 @@ abstract class CommonObject
 		// Request to get translation values for object
 		$sql = "SELECT rowid, property, lang , value";
 		$sql .= " FROM ".MAIN_DB_PREFIX."object_lang";
-		$sql .= " WHERE type_object = '".$element."'";
+		$sql .= " WHERE type_object = '".$this->db->escape($element)."'";
 		$sql .= " AND fk_object = ".$this->id;
 
 		//dol_syslog(get_class($this)."::fetch_optionals get extrafields data for ".$this->table_element, LOG_DEBUG);		// Too verbose
@@ -8295,7 +8295,7 @@ abstract class CommonObject
 
 		$sql = "INSERT INTO ".MAIN_DB_PREFIX."categorie_".(empty($categorystatic->MAP_CAT_TABLE[$type]) ? $type : $categorystatic->MAP_CAT_TABLE[$type])." (fk_categorie, fk_product)";
 		$sql .= " SELECT fk_categorie, $toId FROM ".MAIN_DB_PREFIX."categorie_".(empty($categorystatic->MAP_CAT_TABLE[$type]) ? $type : $categorystatic->MAP_CAT_TABLE[$type]);
-		$sql .= " WHERE fk_product = '".$fromId."'";
+		$sql .= " WHERE fk_product = ".((int) $fromId);
 
 		if (!$this->db->query($sql))
 		{
@@ -8341,7 +8341,7 @@ abstract class CommonObject
 
 		$sql = "DELETE FROM ".MAIN_DB_PREFIX."ecm_files";
 		$sql.= " WHERE filename LIKE '".$this->db->escape($this->ref)."%'";
-		$sql.= " AND filepath = '".$element."/".$this->db->escape($this->ref)."' AND entity = ".$conf->entity;
+		$sql.= " AND filepath = '".$this->db->escape($element)."/".$this->db->escape($this->ref)."' AND entity = ".$conf->entity;
 
 		if (!$this->db->query($sql)) {
 			$this->error = $this->db->lasterror();
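Review bot: `$toId` is interpolated raw in the `" SELECT fk_categorie, $toId FROM "` line of the category-copy hunk while `$fromId` on the next line now gets an `(int)` cast; the two are the same kind of value, so `$toId` should be cast as well, e.g. `$sql .= " SELECT fk_categorie, ".((int) $toId)." FROM ".MAIN_DB_PREFIX."categorie_"...`. The same uncast integer concatenation remains for `$statut` and `$rowid` in the element_contact UPDATE, `$status` in the contact lookup, and `$sourceid`/`$targetid` in the element_element query, where `$clause` and `$orderby` are also appended as raw SQL; those two are parameters whose callers are outside the hunk, so whether they can carry request data is not visible here. Every hunk in this section is inside a method that starts and ends outside it.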

+ 11 - 11
htdocs/core/class/extrafields.class.php

@@ -426,7 +426,7 @@ class ExtraFields
 			$sql .= " help,";
 			$sql .= " totalizable";
 			$sql .= " )";
-			$sql .= " VALUES('".$attrname."',";
+			$sql .= " VALUES('".$this->db->escape($attrname)."',";
 			$sql .= " '".$this->db->escape($label)."',";
 			$sql .= " '".$this->db->escape($type)."',";
 			$sql .= " ".$pos.",";
@@ -494,8 +494,8 @@ class ExtraFields
 			{
 				$sql = "SELECT COUNT(rowid) as nb";
 				$sql .= " FROM ".MAIN_DB_PREFIX."extrafields";
-				$sql .= " WHERE elementtype = '".$elementtype."'";
-				$sql .= " AND name = '".$attrname."'";
+				$sql .= " WHERE elementtype = '".$this->db->escape($elementtype)."'";
+				$sql .= " AND name = '".$this->db->escape($attrname)."'";
 				//$sql.= " AND entity IN (0,".$conf->entity.")";      Do not test on entity here. We want to see if there is still on field remaning in other entities before deleting field in table
 				$resql = $this->db->query($sql);
 				if ($resql)
@@ -539,9 +539,9 @@ class ExtraFields
 		if (isset($attrname) && $attrname != '' && preg_match("/^\w[a-zA-Z0-9-_]*$/", $attrname))
 		{
 			$sql = "DELETE FROM ".MAIN_DB_PREFIX."extrafields";
-			$sql .= " WHERE name = '".$attrname."'";
+			$sql .= " WHERE name = '".$this->db->escape($attrname)."'";
 			$sql .= " AND entity IN  (0,".$conf->entity.')';
-			$sql .= " AND elementtype = '".$elementtype."'";
+			$sql .= " AND elementtype = '".$this->db->escape($elementtype)."'";
 
 			dol_syslog(get_class($this)."::delete_label", LOG_DEBUG);
 			$resql = $this->db->query($sql);
@@ -724,15 +724,15 @@ class ExtraFields
 			{
 				// We dont want on all entities, we delete all and current
 				$sql_del = "DELETE FROM ".MAIN_DB_PREFIX."extrafields";
-				$sql_del .= " WHERE name = '".$attrname."'";
+				$sql_del .= " WHERE name = '".$this->db->escape($attrname)."'";
 				$sql_del .= " AND entity IN (0, ".($entity === '' ? $conf->entity : $entity).")";
-				$sql_del .= " AND elementtype = '".$elementtype."'";
+				$sql_del .= " AND elementtype = '".$this->db->escape($elementtype)."'";
 			} else {
 				// We want on all entities ($entities = '0'), we delete on all only (we keep setup specific to each entity)
 				$sql_del = "DELETE FROM ".MAIN_DB_PREFIX."extrafields";
-				$sql_del .= " WHERE name = '".$attrname."'";
+				$sql_del .= " WHERE name = '".$this->db->escape($attrname)."'";
 				$sql_del .= " AND entity = 0";
-				$sql_del .= " AND elementtype = '".$elementtype."'";
+				$sql_del .= " AND elementtype = '".$this->db->escape($elementtype)."'";
 			}
 			$resql1 = $this->db->query($sql_del);
 
@@ -761,7 +761,7 @@ class ExtraFields
 			$sql .= " enabled,";
 			$sql .= " help";
 			$sql .= ") VALUES (";
-			$sql .= "'".$attrname."',";
+			$sql .= "'".$this->db->escape($attrname)."',";
 			$sql .= " ".($entity === '' ? $conf->entity : $entity).",";
 			$sql .= " '".$this->db->escape($label)."',";
 			$sql .= " '".$this->db->escape($type)."',";
@@ -829,7 +829,7 @@ class ExtraFields
 		$sql = "SELECT rowid,name,label,type,size,elementtype,fieldunique,fieldrequired,param,pos,alwayseditable,perms,langs,list,printable,totalizable,fielddefault,fieldcomputed,entity,enabled,help";
 		$sql .= " FROM ".MAIN_DB_PREFIX."extrafields";
 		//$sql.= " WHERE entity IN (0,".$conf->entity.")";    // Filter is done later
-		if ($elementtype) $sql .= " WHERE elementtype = '".$elementtype."'"; // Filed with object->table_element
+		if ($elementtype) $sql .= " WHERE elementtype = '".$this->db->escape($elementtype)."'"; // Filed with object->table_element
 		$sql .= " ORDER BY pos";
 
 		$resql = $this->db->query($sql);
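Review bot: the `$entity` parameter is concatenated uncast in `" AND entity IN (0, ".($entity === '' ? $conf->entity : $entity).")"` and again in the INSERT's `" ".($entity === '' ? $conf->entity : $entity).","`, while the string values around them are now escaped; casting the non-empty branch, `(int) $entity`, makes both statements only ever see an integer. `$attrname` is already validated by `preg_match("/^\w[a-zA-Z0-9-_]*$/", $attrname)` in the delete hunk, so the escape there is belt-and-braces, whereas the insert and update paths show no such check inside the hunk and the escape is the only visible guard. Each hunk is inside a method whose start and end are outside the hunk.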

+ 6 - 6
htdocs/core/class/html.form.class.php

@@ -2183,7 +2183,7 @@ class Form
 		// Multilang : we add translation
 		if (!empty($conf->global->MAIN_MULTILANGS))
 		{
-			$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lang as pl ON pl.fk_product = p.rowid AND pl.lang='".$langs->getDefaultLang()."'";
+			$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lang as pl ON pl.fk_product = p.rowid AND pl.lang='".$this->db->escape($langs->getDefaultLang())."'";
 		}
 
 		if (!empty($conf->global->PRODUIT_ATTRIBUTES_HIDECHILD)) {
@@ -2503,9 +2503,9 @@ class Form
 		{
 			$sql = "SELECT price, price_ttc, price_base_type, tva_tx";
 			$sql .= " FROM ".MAIN_DB_PREFIX."product_price";
-			$sql .= " WHERE fk_product='".$objp->rowid."'";
+			$sql .= " WHERE fk_product = ".((int) $objp->rowid);
 			$sql .= " AND entity IN (".getEntity('productprice').")";
-			$sql .= " AND price_level=".$price_level;
+			$sql .= " AND price_level = ".((int) $price_level);
 			$sql .= " ORDER BY date_price DESC, rowid DESC"; // Warning DESC must be both on date_price and rowid.
 			$sql .= " LIMIT 1";
 
@@ -7016,7 +7016,7 @@ class Form
 		// phpcs:enable
 		$sql = "SELECT rowid, label";
 		$sql .= " FROM ".MAIN_DB_PREFIX."export_model";
-		$sql .= " WHERE type = '".$type."'";
+		$sql .= " WHERE type = '".$this->db->escape($type)."'";
 		$sql .= " ORDER BY rowid";
 		$result = $this->db->query($sql);
 		if ($result)
@@ -7460,10 +7460,10 @@ class Form
 		if (!empty($conf->multicompany->enabled) && $conf->entity == 1 && $user->admin && !$user->entity)
 		{
 			$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."entity as e ON e.rowid=ug.entity";
-			if ($force_entity) $sql .= " WHERE ug.entity IN (0,".$force_entity.")";
+			if ($force_entity) $sql .= " WHERE ug.entity IN (0, ".$force_entity.")";
 			else $sql .= " WHERE ug.entity IS NOT NULL";
 		} else {
-			$sql .= " WHERE ug.entity IN (0,".$conf->entity.")";
+			$sql .= " WHERE ug.entity IN (0, ".$conf->entity.")";
 		}
 		if (is_array($exclude) && $excludeGroups) $sql .= " AND ug.rowid NOT IN ('".$excludeGroups."')";
 		if (is_array($include) && $includeGroups) $sql .= " AND ug.rowid IN ('".$includeGroups."')";
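Review bot: `" AND ug.rowid NOT IN ('".$excludeGroups."')"` and the `IN` line below it wrap the whole group list in a single pair of quotes, so a multi-id list is compared as one string, and the values are neither escaped nor cast. If `$excludeGroups` is an imploded list of ids from `$exclude`, building it as `implode(',', array_map('intval', $exclude))` and dropping the quotes gives `ug.rowid NOT IN (1,2,3)`; how it is built is above the hunk, so this is inferred from the `is_array($exclude)` guard. `$force_entity` on the `WHERE ug.entity IN (0, ...)` line is likewise concatenated without a cast. The method starts and ends outside the hunk.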

+ 1 - 1
htdocs/core/class/html.formaccounting.class.php

@@ -174,7 +174,7 @@ class FormAccounting extends Form
             $sql .= " WHERE c.active = 1";
 			$sql .= " AND c.category_type = 0";
 			$sql .= " AND c.fk_country = co.rowid";
-            if (empty($allcountries)) $sql .= " AND co.code = '".$mysoc->country_code."'";
+            if (empty($allcountries)) $sql .= " AND co.code = '".$this->db->escape($mysoc->country_code)."'";
             $sql .= " ORDER BY c.label ASC";
         }
 

+ 1 - 1
htdocs/core/class/html.formcompany.class.php

@@ -516,7 +516,7 @@ class FormCompany extends Form
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_forme_juridique as f, ".MAIN_DB_PREFIX."c_country as c";
 		$sql .= " WHERE f.fk_pays=c.rowid";
 		$sql .= " AND f.active = 1 AND c.active = 1";
-		if ($country_codeid) $sql .= " AND c.code = '".$country_codeid."'";
+		if ($country_codeid) $sql .= " AND c.code = '".$this->db->escape($country_codeid)."'";
 		if ($filter) $sql .= " ".$filter;
 		$sql .= " ORDER BY c.code";
 
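Review bot: `if ($filter) $sql .= " ".$filter;` appends the `$filter` parameter as raw SQL directly after the newly escaped `c.code` condition, so escaping `$country_codeid` narrows the surface only if no caller passes request data into `$filter`. The callers and the method signature are outside the hunk, so this cannot be confirmed here; at minimum a docblock line such as `@param string $filter Raw SQL fragment appended verbatim; must never contain user input` would make the contract explicit. The method starts and ends outside the hunk.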

+ 2 - 2
htdocs/core/class/html.formmail.class.php

@@ -1296,7 +1296,7 @@ class FormMail extends Form
 		$sql .= " WHERE type_template='".$this->db->escape($type_template)."'";
 		$sql .= " AND entity IN (".getEntity('c_email_templates').")";
 		$sql .= " AND (fk_user is NULL or fk_user = 0 or fk_user = ".$user->id.")";
-		if (is_object($outputlangs)) $sql .= " AND (lang = '".$outputlangs->defaultlang."' OR lang IS NULL OR lang = '')";
+		if (is_object($outputlangs)) $sql .= " AND (lang = '".$this->db->escape($outputlangs->defaultlang)."' OR lang IS NULL OR lang = '')";
 		$sql .= $this->db->order("lang,label", "ASC");
 		//print $sql;
 
@@ -1330,7 +1330,7 @@ class FormMail extends Form
 		$sql .= " AND entity IN (".getEntity('c_email_templates').")";
 		$sql .= " AND (private = 0 OR fk_user = ".$user->id.")"; // See all public templates or templates I own.
 		if ($active >= 0) $sql .= " AND active = ".$active;
-		//if (is_object($outputlangs)) $sql.= " AND (lang = '".$outputlangs->defaultlang."' OR lang IS NULL OR lang = '')";	// Return all languages
+		//if (is_object($outputlangs)) $sql.= " AND (lang = '".$this->db->escape($outputlangs->defaultlang)."' OR lang IS NULL OR lang = '')";	// Return all languages
 		$sql .= $this->db->order("position,lang,label", "ASC");
 		//print $sql;
 
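Review bot: `if ($active >= 0) $sql .= " AND active = ".$active;` concatenates the `$active` parameter without a cast, as do the `fk_user = ".$user->id` conditions in both hunks, while only the language string was escaped; `((int) $active)` and `((int) $user->id)` close those. The second hunk's only change is to a commented-out line, `//if (is_object($outputlangs)) $sql.= ...`, which has no runtime effect; the dead line is better deleted than maintained. Both hunks are inside methods that start and end outside them.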

+ 1 - 1
htdocs/core/class/html.formother.class.php

@@ -256,7 +256,7 @@ class FormOther
     	$sql = "SELECT r.taux, r.revenuestamp_type";
     	$sql .= " FROM ".MAIN_DB_PREFIX."c_revenuestamp as r,".MAIN_DB_PREFIX."c_country as c";
     	$sql .= " WHERE r.active = 1 AND r.fk_pays = c.rowid";
-    	$sql .= " AND c.code = '".$country_code."'";
+    	$sql .= " AND c.code = '".$this->db->escape($country_code)."'";
 
     	dol_syslog(get_class($this).'::select_revenue_stamp', LOG_DEBUG);
     	$resql = $this->db->query($sql);

+ 1 - 1
htdocs/core/class/html.formsocialcontrib.class.php

@@ -83,7 +83,7 @@ class FormSocialContrib
             $sql = "SELECT c.id, c.libelle as type";
             $sql .= " FROM ".MAIN_DB_PREFIX."c_chargesociales as c, ".MAIN_DB_PREFIX."c_country as co";
             $sql .= " WHERE c.active = 1 AND c.fk_pays = co.rowid";
-            $sql .= " AND co.code = '".$mysoc->country_code."'";
+            $sql .= " AND co.code = '".$this->db->escape($mysoc->country_code)."'";
             $sql .= " ORDER BY c.libelle ASC";
         }
 

+ 2 - 1
htdocs/core/class/infobox.class.php

@@ -273,12 +273,13 @@ class InfoBox
                         //dol_syslog("aaaaa".count($listarray));
                         $i++;
                         $ii = sprintf('%02d', $i);
+
                         $sql = "INSERT INTO ".MAIN_DB_PREFIX."boxes";
                         $sql .= "(box_id, position, box_order, fk_user, entity)";
                         $sql .= " values (";
                         $sql .= " ".$id.",";
                         $sql .= " ".$zone.",";
-                        $sql .= " '".$colonne.$ii."',";
+                        $sql .= " '".$this->db->escape($colonne.$ii)."',";
                         $sql .= " ".$userid.",";
                         $sql .= " ".$conf->entity;
                         $sql .= ")";
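Review bot: `$id`, `$zone` and `$userid` are concatenated into the boxes INSERT without a cast on the lines around the newly escaped `box_order` value; for these integer columns `((int) $id)`, `((int) $zone)` and `((int) $userid)` keep the whole VALUES list guarded. Where these variables are assigned is outside the hunk, as are the start and end of the enclosing loop and method.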

+ 4 - 4
htdocs/core/class/link.class.php

@@ -98,7 +98,7 @@ class Link extends CommonObject
         $this->db->begin();
 
         $sql = "INSERT INTO ".MAIN_DB_PREFIX."links (entity, datea, url, label, objecttype, objectid)";
-        $sql .= " VALUES ('".$conf->entity."', '".$this->db->idate($this->datea)."'";
+        $sql .= " VALUES (".$conf->entity.", '".$this->db->idate($this->datea)."'";
         $sql .= ", '".$this->db->escape($this->url)."'";
         $sql .= ", '".$this->db->escape($this->label)."'";
         $sql .= ", '".$this->db->escape($this->objecttype)."'";
@@ -175,7 +175,7 @@ class Link extends CommonObject
         $this->db->begin();
 
         $sql  = "UPDATE ".MAIN_DB_PREFIX."links SET ";
-        $sql .= "entity = '".$conf->entity."'";
+        $sql .= "entity = ".$conf->entity;
         $sql .= ", datea = '".$this->db->idate(dol_now())."'";
         $sql .= ", url = '".$this->db->escape($this->url)."'";
         $sql .= ", label = '".$this->db->escape($this->label)."'";
@@ -235,7 +235,7 @@ class Link extends CommonObject
         global $conf;
 
         $sql = "SELECT rowid, entity, datea, url, label, objecttype, objectid FROM ".MAIN_DB_PREFIX."links";
-        $sql .= " WHERE objecttype = '".$objecttype."' AND objectid = ".$objectid;
+        $sql .= " WHERE objecttype = '".$this->db->escape($objecttype)."' AND objectid = ".$objectid;
         if ($conf->entity != 0) $sql .= " AND entity = ".$conf->entity;
         if ($sortfield) {
             if (empty($sortorder)) {
@@ -286,7 +286,7 @@ class Link extends CommonObject
         global $conf;
 
         $sql = "SELECT COUNT(rowid) as nb FROM ".MAIN_DB_PREFIX."links";
-        $sql .= " WHERE objecttype = '".$objecttype."' AND objectid = ".$objectid;
+        $sql .= " WHERE objecttype = '".$this->db->escape($objecttype)."' AND objectid = ".$objectid;
         if ($conf->entity != 0) $sql .= " AND entity = ".$conf->entity;
 
         $resql = $db->query($sql);
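Review bot: the count query's `$resql = $db->query($sql);` uses a plain `$db`, but the only `global` statement visible in that hunk is `global $conf;`, so unless `$db` is declared elsewhere in the method this is an undefined variable; the rest of the class uses `$this->db`, and `$resql = $this->db->query($sql);` would match. `$objectid` is also concatenated without a cast in both `WHERE objecttype = ... AND objectid = ".$objectid` lines, where `((int) $objectid)` would complete the guard the escape starts. All four hunks are inside methods that start and end outside them.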

+ 1 - 1
htdocs/core/class/menubase.class.php

@@ -622,7 +622,7 @@ class Menubase
 		$sql = "SELECT m.rowid, m.type, m.module, m.fk_menu, m.fk_mainmenu, m.fk_leftmenu, m.url, m.titre, m.langs, m.perms, m.enabled, m.target, m.mainmenu, m.leftmenu, m.position";
 		$sql .= " FROM ".MAIN_DB_PREFIX."menu as m";
 		$sql .= " WHERE m.entity IN (0,".$conf->entity.")";
-		$sql .= " AND m.menu_handler IN ('".$menu_handler."','all')";
+		$sql .= " AND m.menu_handler IN ('".$this->db->escape($menu_handler)."','all')";
 		if ($type_user == 0) $sql .= " AND m.usertype IN (0,2)";
 		if ($type_user == 1) $sql .= " AND m.usertype IN (1,2)";
 		$sql .= " ORDER BY m.position, m.rowid";

+ 3 - 3
htdocs/core/class/notify.class.php

@@ -171,7 +171,7 @@ class Notify
 				if ($notifcode)
 				{
 					if (is_numeric($notifcode)) $sql .= " AND n.fk_action = ".$notifcode; // Old usage
-					else $sql .= " AND a.code = '".$notifcode."'"; // New usage
+					else $sql .= " AND a.code = '".$this->db->escape($notifcode)."'"; // New usage
 				}
 				$sql .= " AND s.entity IN (".getEntity('societe').")";
 				if ($socid > 0) $sql .= " AND s.rowid = ".$socid;
@@ -214,7 +214,7 @@ class Notify
 				if ($notifcode)
 				{
 					if (is_numeric($notifcode)) $sql .= " AND n.fk_action = ".$notifcode; // Old usage
-					else $sql .= " AND a.code = '".$notifcode."'"; // New usage
+					else $sql .= " AND a.code = '".$this->db->escape($notifcode)."'"; // New usage
 				}
 				$sql .= " AND c.entity IN (".getEntity('user').")";
 				if ($userid > 0) $sql .= " AND c.rowid = ".$userid;
@@ -355,7 +355,7 @@ class Notify
 			$sql .= " AND n.fk_soc = s.rowid";
 			$sql .= " AND c.statut = 1";
 			if (is_numeric($notifcode)) $sql .= " AND n.fk_action = ".$notifcode; // Old usage
-			else $sql .= " AND a.code = '".$notifcode."'"; // New usage
+			else $sql .= " AND a.code = '".$this->db->escape($notifcode)."'"; // New usage
 			$sql .= " AND s.rowid = ".$object->socid;
 
 			$sql .= "\nUNION\n";
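Review bot: the numeric branch `if (is_numeric($notifcode)) $sql .= " AND n.fk_action = ".$notifcode;` still concatenates the raw value in all three hunks; `is_numeric()` also accepts forms such as `"1e3"` or `" 12"`, so `((int) $notifcode)` is the tighter guard for an id column. `$socid`, `$userid` and `$object->socid` on the neighbouring lines are concatenated uncast as well. Each hunk is inside a method that starts and ends outside it.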

+ 3 - 3
htdocs/core/db/mysqli.class.php

@@ -693,7 +693,7 @@ class DoliDBMysqli extends DoliDB
 				if ((preg_match("/null/i", $field_desc['default'])) || (preg_match("/CURRENT_TIMESTAMP/i", $field_desc['default']))) {
 					$sqlfields[$i]  .= " default ".$field_desc['default'];
 				} else {
-					$sqlfields[$i]  .= " default '".$field_desc['default']."'";
+					$sqlfields[$i]  .= " default '".$this->escape($field_desc['default'])."'";
 				}
 			}
 			if (preg_match("/^[^\s]/i", $field_desc['null'])) {
@@ -711,7 +711,7 @@ class DoliDBMysqli extends DoliDB
             $i = 0;
             foreach ($unique_keys as $key => $value)
             {
-                $sqluq[$i] = "UNIQUE KEY '".$key."' ('".$value."')";
+                $sqluq[$i] = "UNIQUE KEY '".$key."' ('".$this->escape($value)."')";
                 $i++;
             }
         }
@@ -809,7 +809,7 @@ class DoliDBMysqli extends DoliDB
         {
             if (preg_match("/null/i", $field_desc['default']))
             $sql .= " default ".$field_desc['default'];
-            else $sql .= " default '".$field_desc['default']."'";
+            else $sql .= " default '".$this->escape($field_desc['default'])."'";
         }
         if (isset($field_desc['extra']) && preg_match("/^[^\s]/i", $field_desc['extra']))
         {
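Review bot: `"UNIQUE KEY '".$key."' ('".$this->escape($value)."')"` treats an index name and a column list as string literals: `$key` is not escaped at all, and `escape()` protects the content of a quoted string, not an identifier, while single quotes are not identifier quoting in MySQL, so this looks like it yields invalid DDL regardless of the escape. Identifiers should be checked against an allow-list, e.g. `preg_match('/^[a-zA-Z0-9_]+$/', $key)`, and quoted with backticks; the same line is changed the same way in pgsql.class.php and sqlite3.class.php. Whether this DDL path is reachable with non-constant input is not visible in the hunk, and the enclosing method starts and ends outside it.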

+ 7 - 7
htdocs/core/db/pgsql.class.php

@@ -904,7 +904,7 @@ class DoliDBPgsql extends DoliDB
 		$listtables = array();
 
 		$like = '';
-		if ($table) $like = " AND table_name LIKE '".$table."'";
+		if ($table) $like = " AND table_name LIKE '".$this->escape($table)."'";
 		$result = pg_query($this->db, "SELECT table_name FROM information_schema.tables WHERE table_schema = 'public'".$like." ORDER BY table_name");
         if ($result)
         {
@@ -942,7 +942,7 @@ class DoliDBPgsql extends DoliDB
 		$sql .= "	'' as \"Privileges\"";
 		$sql .= "	FROM information_schema.columns infcol";
 		$sql .= "	WHERE table_schema='public' ";
-		$sql .= "	AND table_name='".$table."'";
+		$sql .= "	AND table_name='".$this->escape($table)."'";
 		$sql .= "	ORDER BY ordinal_position;";
 
 		dol_syslog($sql, LOG_DEBUG);
@@ -992,7 +992,7 @@ class DoliDBPgsql extends DoliDB
 			{
 				if (preg_match("/null/i", $field_desc['default']))
 				    $sqlfields[$i] .= " default ".$field_desc['default'];
-				else $sqlfields[$i] .= " default '".$field_desc['default']."'";
+			    else $sqlfields[$i] .= " default '".$this->escape($field_desc['default'])."'";
 			} elseif (preg_match("/^[^\s]/i", $field_desc['null']))
 			    $sqlfields[$i]  .= " ".$field_desc['null'];
 
@@ -1008,7 +1008,7 @@ class DoliDBPgsql extends DoliDB
 			$i = 0;
 			foreach ($unique_keys as $key => $value)
 			{
-				$sqluq[$i] = "UNIQUE KEY '".$key."' ('".$value."')";
+				$sqluq[$i] = "UNIQUE KEY '".$key."' ('".$this->escape($value)."')";
 				$i++;
 			}
 		}
@@ -1090,9 +1090,9 @@ class DoliDBPgsql extends DoliDB
     public function DDLDescTable($table, $field = "")
 	{
         // phpcs:enable
-		$sql = "SELECT attname FROM pg_attribute, pg_type WHERE typname = '".$table."' AND attrelid = typrelid";
+		$sql = "SELECT attname FROM pg_attribute, pg_type WHERE typname = '".$this->escape($table)."' AND attrelid = typrelid";
 		$sql .= " AND attname NOT IN ('cmin', 'cmax', 'ctid', 'oid', 'tableoid', 'xmin', 'xmax')";
-		if ($field) $sql .= " AND attname = '".$field."'";
+		if ($field) $sql .= " AND attname = '".$this->escape($field)."'";
 
 		dol_syslog($sql, LOG_DEBUG);
 		$this->_results = $this->query($sql);
@@ -1130,7 +1130,7 @@ class DoliDBPgsql extends DoliDB
             if (preg_match("/null/i", $field_desc['default'])) {
                 $sql .= " default ".$field_desc['default'];
 			} else {
-				$sql .= " default '".$field_desc['default']."'";
+				$sql .= " default '".$this->escape($field_desc['default'])."'";
 			}
 		}
 		if (preg_match("/^[^\s]/i", $field_desc['extra'])) {
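Review bot: `if ($table) $like = " AND table_name LIKE '".$this->escape($table)."'";` is now safe against quote breakout, but `escape()` does not neutralise the LIKE wildcards `%` and `_`, so a caller-supplied `$table` can still widen the match; if an exact name is intended, `table_name = '...'` is the clearer predicate, otherwise the wildcards need escaping too. The changed `else $sqlfields[$i] .= " default '"...` line in the third hunk also switched its leading indentation from a tab to spaces, which no longer matches its neighbours. The methods around these hunks start and end outside them.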

+ 4 - 4
htdocs/core/db/sqlite3.class.php

@@ -420,7 +420,7 @@ class DoliDBSqlite3 extends DoliDB
             $constraintname = trim($reg[2]);
             $tablename = trim($reg[1]);
 
-            $descTable = $this->db->querySingle("SELECT sql FROM sqlite_master WHERE name='".$tablename."'");
+            $descTable = $this->db->querySingle("SELECT sql FROM sqlite_master WHERE name='".$this->escape($tablename)."'");
 
             // 1- Renommer la table avec un nom temporaire
             $this->query('ALTER TABLE '.$tablename.' RENAME TO tmp_'.$tablename);
@@ -921,7 +921,7 @@ class DoliDBSqlite3 extends DoliDB
             {
                 if (preg_match("/null/i", $field_desc['default']))
                     $sqlfields[$i] .= " default ".$field_desc['default'];
-                else $sqlfields[$i] .= " default '".$field_desc['default']."'";
+                else $sqlfields[$i] .= " default '".$this->escape($field_desc['default'])."'";
             } elseif (preg_match("/^[^\s]/i", $field_desc['null']))
                 $sqlfields[$i] .= " ".$field_desc['null'];
 
@@ -937,7 +937,7 @@ class DoliDBSqlite3 extends DoliDB
             $i = 0;
             foreach ($unique_keys as $key => $value)
             {
-                $sqluq[$i] = "UNIQUE KEY '".$key."' ('".$value."')";
+            	$sqluq[$i] = "UNIQUE KEY '".$key."' ('".$this->escape($value)."')";
                 $i++;
             }
         }
@@ -1030,7 +1030,7 @@ class DoliDBSqlite3 extends DoliDB
         {
             if (preg_match("/null/i", $field_desc['default']))
             $sql .= " default ".$field_desc['default'];
-            else $sql .= " default '".$field_desc['default']."'";
+            else $sql .= " default '".$this->escape($field_desc['default'])."'";
         }
         if (preg_match("/^[^\s]/i", $field_desc['extra']))
         $sql .= " ".$field_desc['extra'];
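Review bot: `$tablename`, taken from the regex capture `trim($reg[1])`, is escaped only in the `sqlite_master` lookup, while two lines later `$this->query('ALTER TABLE '.$tablename.' RENAME TO tmp_'.$tablename);` interpolates it as a bare identifier, where `escape()` would not help anyway; an identifier check such as `preg_match('/^[a-zA-Z0-9_]+$/', $tablename)` before the DDL, rejecting the statement when it fails, is what actually bounds that value. The `querySingle(...)` result is consumed outside the hunk, so its error handling is not visible here. The enclosing method starts and ends outside the hunk.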

+ 3 - 3
htdocs/core/lib/admin.lib.php

@@ -292,7 +292,7 @@ function run_sql($sqlfile, $silent = 1, $entity = '', $usesavepoint = 1, $handle
         		$sql = preg_replace('/llx_/i', MAIN_DB_PREFIX, $sql);
         	}
 
-            if (!empty($handler)) $sql = preg_replace('/__HANDLER__/i', "'".$handler."'", $sql);
+            if (!empty($handler)) $sql = preg_replace('/__HANDLER__/i', "'".$db->escape($handler)."'", $sql);
 
             $newsql = preg_replace('/__ENTITY__/i', (!empty($entity) ? $entity : $conf->entity), $sql);
 
@@ -1630,7 +1630,7 @@ function addDocumentModel($name, $type, $label = '', $description = '')
 	$db->begin();
 
     $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)";
-    $sql .= " VALUES ('".$db->escape($name)."','".$type."',".$conf->entity.", ";
+    $sql .= " VALUES ('".$db->escape($name)."','".$db->escape($type)."',".$conf->entity.", ";
     $sql .= ($label ? "'".$db->escape($label)."'" : 'null').", ";
     $sql .= (!empty($description) ? "'".$db->escape($description)."'" : "null");
     $sql .= ")";
@@ -1663,7 +1663,7 @@ function delDocumentModel($name, $type)
 
 	$sql = "DELETE FROM ".MAIN_DB_PREFIX."document_model";
 	$sql .= " WHERE nom = '".$db->escape($name)."'";
-	$sql .= " AND type = '".$type."'";
+	$sql .= " AND type = '".$db->escape($type)."'";
 	$sql .= " AND entity = ".$conf->entity;
 
 	dol_syslog("admin.lib::delDocumentModel", LOG_DEBUG);
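Review bot: The `__ENTITY__` substitution on the line following the new `$handler` escape still splices `$entity` into the SQL as-is, so `$entity` gets neither escaping nor a cast while `$handler` now does; an integer cast, `$newsql = preg_replace('/__ENTITY__/i', (string) (int) (!empty($entity) ? $entity : $conf->entity), $sql);`, closes that gap and matches the integer `$conf->entity` that addDocumentModel and delDocumentModel concatenate unquoted in the two later hunks. Separately, preg_replace treats `$n` and `\n` sequences in its replacement argument as back-references, so a handler value containing such a sequence would be rewritten rather than inserted literally; `str_ireplace('__HANDLER__', "'".$db->escape($handler)."'", $sql)` inserts it verbatim. run_sql's body begins and ends outside the hunk, so whether `$entity` is validated earlier in it is not visible here.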

+ 2 - 2
htdocs/core/lib/company.lib.php

@@ -574,7 +574,7 @@ function currency_name($code_iso, $withcode = '', $outputlangs = null)
 
 	// If no translation, we read table to get label by default
 	$sql = "SELECT label FROM ".MAIN_DB_PREFIX."c_currencies";
-	$sql .= " WHERE code_iso='".$code_iso."'";
+	$sql .= " WHERE code_iso='".$db->escape($code_iso)."'";
 
 	$resql = $db->query($sql);
 	if ($resql)
@@ -607,7 +607,7 @@ function getFormeJuridiqueLabel($code)
 	if (!$code) return '';
 
 	$sql = "SELECT libelle FROM ".MAIN_DB_PREFIX."c_forme_juridique";
-	$sql .= " WHERE code='$code'";
+	$sql .= " WHERE code='".$db->escape($code)."'";
 
 	dol_syslog("Company.lib::getFormeJuridiqueLabel", LOG_DEBUG);
 	$resql = $db->query($sql);
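Review bot: Both new `$db->escape()` calls depend on `$db` being in scope inside currency_name and getFormeJuridiqueLabel, and the start of each function, where a `global $db;` declaration would sit, is outside the hunk; if it is absent, the rewritten line fails on a method call on null where the old concatenation merely produced an unescaped literal, so it is worth confirming. The escape itself is the right fix for a value placed inside a quoted SQL literal. A docblock line on each function, `@param string $code_iso ISO currency code; escaped before use in SQL`, would make that contract visible to callers.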

+ 1 - 0
htdocs/core/lib/files.lib.php

@@ -142,6 +142,7 @@ function dol_dir_list($path, $types = "all", $recursive = 0, $filter = "", $excl
 
 							if (!$filter || preg_match('/'.$filter.'/i', $file))	// We do not search key $filter into all $path, only into $file part
 							{
+								$reg = array();
 								preg_match('/([^\/]+)\/[^\/]+$/', $path.'/'.$file, $reg);
 								$level1name = (isset($reg[1]) ? $reg[1] : '');
 								$file_list[] = array(
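Review bot: The added `$reg = array();` appears to change nothing at runtime, since preg_match on the next line writes its third argument and the read after it is already guarded by `isset($reg[1])`; it mainly satisfies static analysis, which is fine but worth saying in a comment such as `// initialised for static analysis; preg_match() below always (re)assigns it`. More relevant to the same block is that `$filter` two lines above is inserted into the pattern unquoted, so a filter containing `/` or an unbalanced bracket makes preg_match return false with a warning and the entry is silently skipped; the parameter is evidently meant to be a regex fragment (the test in this commit passes `'\.php'`), so the dol_dir_list docblock, which is outside the hunk, should state `@param string $filter Regex fragment (no delimiters) matched against the file name; callers must preg_quote() literal values`.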

+ 3 - 3
htdocs/core/lib/functions.lib.php

@@ -4857,10 +4857,10 @@ function get_localtax($vatrate, $local, $thirdparty_buyer = "", $thirdparty_sell
 	// By default, search value of local tax on line of common tax
 	$sql = "SELECT t.localtax1, t.localtax2, t.localtax1_type, t.localtax2_type";
    	$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
-   	$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$thirdparty_seller->country_code."'";
+   	$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($thirdparty_seller->country_code)."'";
    	$sql .= " AND t.taux = ".((float) $vatratecleaned)." AND t.active = 1";
-   	if ($vatratecode) $sql .= " AND t.code ='".$vatratecode."'"; // If we have the code, we use it in priority
-   	else $sql .= " AND t.recuperableonly ='".$vatnpr."'";
+   	if ($vatratecode) $sql .= " AND t.code ='".$db->escape($vatratecode)."'"; // If we have the code, we use it in priority
+   	else $sql .= " AND t.recuperableonly ='".$db->escape($vatnpr)."'";
    	dol_syslog("get_localtax", LOG_DEBUG);
    	$resql = $db->query($sql);
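Review bot: `$vatnpr` is now escaped and quoted as a string in the `recuperableonly` comparison while `$vatratecleaned` two lines above is cast `(float)`; if `t.recuperableonly` is an integer column, `else $sql .= " AND t.recuperableonly = ".((int) $vatnpr);` is the form consistent with the rest of the WHERE clause and removes the quoting question entirely. The escape is correct either way, so this is a consistency point rather than a defect. get_localtax begins and ends outside the hunk, so the origin of `$vatnpr` and `$vatratecode` and the `global $db` declaration are not visible here.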
 

+ 2 - 2
htdocs/core/modules/societe/mod_codeclient_elephant.php

@@ -320,8 +320,8 @@ class mod_codeclient_elephant extends ModeleThirdPartyCode
 	{
         // phpcs:enable
 		$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe";
-		if ($type == 1) $sql .= " WHERE code_fournisseur = '".$code."'";
-		else $sql .= " WHERE code_client = '".$code."'";
+		if ($type == 1) $sql .= " WHERE code_fournisseur = '".$db->escape($code)."'";
+		else $sql .= " WHERE code_client = '".$db->escape($code)."'";
 		if ($soc->id > 0) $sql .= " AND rowid <> ".$soc->id;
 
 		$resql = $db->query($sql);
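Review bot: `$soc->id` on the line after the two new escapes is still concatenated unquoted, guarded only by `$soc->id > 0`; that comparison is not a type check (a leading-numeric string satisfies it on PHP 7), so `if ($soc->id > 0) $sql .= " AND rowid <> ".((int) $soc->id);` is the usual cast for an integer id and costs nothing. The same line appears in the mod_codeclient_monkey.php hunk of this commit and deserves the same cast. Both methods start outside their hunks, so whether `$db` arrives as a parameter or a global is not visible here.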

+ 2 - 2
htdocs/core/modules/societe/mod_codeclient_monkey.php

@@ -226,8 +226,8 @@ class mod_codeclient_monkey extends ModeleThirdPartyCode
 		global $conf, $mc;
 
 		$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe";
-		if ($type == 1) $sql .= " WHERE code_fournisseur = '".$code."'";
-		else $sql .= " WHERE code_client = '".$code."'";
+		if ($type == 1) $sql .= " WHERE code_fournisseur = '".$db->escape($code)."'";
+		else $sql .= " WHERE code_client = '".$db->escape($code)."'";
 		$sql .= " AND entity IN (".getEntity('societe').")";
 		if ($soc->id > 0) $sql .= " AND rowid <> ".$soc->id;
 

+ 1 - 1
htdocs/core/modules/societe/mod_codecompta_digitaria.php

@@ -244,7 +244,7 @@ class mod_codecompta_digitaria extends ModeleAccountancyCode
         }
 
         $sql = "SELECT ".$typethirdparty." FROM ".MAIN_DB_PREFIX."societe";
-        $sql .= " WHERE ".$typethirdparty." = '".$code."'";
+        $sql .= " WHERE ".$typethirdparty." = '".$db->escape($code)."'";
 
         $resql = $db->query($sql);
         if ($resql)
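Review bot: `$typethirdparty` is spliced into the query as a column name on both SQL lines of the hunk, and `$db->escape()` cannot protect an identifier position; the block that assigns it closes at the top of the hunk and is otherwise out of view. If it is only ever set from fixed literals there, a comment at the assignment site, `// $typethirdparty is a column name chosen from fixed literals, never from caller input; keep it that way`, would keep that invariant from eroding. If it can come from a caller, it should be checked against an explicit allow-list of column names before reaching this point.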

+ 28 - 6
test/phpunit/CodingPhpTest.php

@@ -152,7 +152,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
         $db=$this->savdb;
 
         include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
-        $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname');
+        $filesarray = dol_dir_list(DOL_DOCUMENT_ROOT.'/core', 'files', 1, '\.php', null, 'fullname');
         //$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', null, 'fullname');
 
         foreach ($filesarray as $key => $file)
@@ -166,10 +166,17 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
             print 'Check php file '.$file['fullname']."\n";
             $filecontent=file_get_contents($file['fullname']);
 
+            if (preg_match('/\.class\.php/', $file['relativename'])) {
+            	// Must must not found $db->
+
+            } else {
+            	// Must must not found $this->db->
+
+            }
 
             $ok=true;
             $matches=array();
-            // Check string   ='".$this->xxx   with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
+            // Check string get_class...
             preg_match_all('/'.preg_quote('get_class($this)."::".__METHOD__', '/').'/', $filecontent, $matches, PREG_SET_ORDER);
             foreach ($matches as $key => $val)
             {
@@ -182,7 +189,7 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
 
             $ok=true;
             $matches=array();
-            // Check string   ='".$this->xxx   with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
+            // Check string $this->db->idate without quotes
             preg_match_all('/(..)\s*\.\s*\$this->db->idate\(/', $filecontent, $matches, PREG_SET_ORDER);
             foreach ($matches as $key => $val)
             {
@@ -200,11 +207,12 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
 
             $ok=true;
             $matches=array();
+
             // Check string   ='".$this->xxx   with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
-            preg_match_all('/(=|sql.+)\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER);
+            preg_match_all('/=\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER);
             foreach ($matches as $key => $val)
             {
-                if ($val[2] != 'db->' && $val[2] != 'esca')
+                if ($val[1] != 'db->' && $val[1] != 'esca')
                 {
                     $ok=false;
                     break;
@@ -212,7 +220,21 @@ class CodingPhpTest extends PHPUnit\Framework\TestCase
                 //if ($reg[0] != 'db') $ok=false;
             }
             //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
-            $this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['relativename'].' ('.$val[0].'). Bad.');
+            $this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['relativename'].': '.$val[0].' - Bad.');
+            //exit;
+
+            // Check string   ='".$this->xxx   with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
+            preg_match_all('/sql.+\s*\'"\s*\.\s*\$(.........)/', $filecontent, $matches, PREG_SET_ORDER);
+            foreach ($matches as $key => $val)
+            {
+            	if (! in_array($val[1], array('this->db-', 'this->esc', 'db->escap', 'db->idate', 'excludeGr', 'includeGr'))) {
+            		$ok=false;
+            		break;
+            	}
+            	//if ($reg[0] != 'db') $ok=false;
+            }
+            //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
+            $this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['relativename'].': '.$val[0].' - Bad.');
             //exit;