
Fix #yogosha6370

Laurent Destailleur 4 years ago
parent
commit
5cc86d2319
39 changed files with 154 additions and 166 deletions
  1. 4 4
      htdocs/accountancy/class/accountancycategory.class.php
  2. 1 1
      htdocs/adherents/class/subscription.class.php
  3. 1 1
      htdocs/compta/localtax/class/localtax.class.php
  4. 2 2
      htdocs/compta/sociales/class/paymentsocialcontribution.class.php
  5. 2 2
      htdocs/compta/tva/class/paymentvat.class.php
  6. 5 5
      htdocs/contact/class/contact.class.php
  7. 5 5
      htdocs/contrat/class/contrat.class.php
  8. 1 1
      htdocs/core/boxes/box_boms.php
  9. 1 1
      htdocs/core/boxes/box_mos.php
  10. 8 9
      htdocs/core/class/commonobject.class.php
  11. 5 5
      htdocs/core/class/discount.class.php
  12. 1 1
      htdocs/core/class/events.class.php
  13. 4 4
      htdocs/core/class/extrafields.class.php
  14. 19 19
      htdocs/core/class/html.form.class.php
  15. 3 3
      htdocs/core/class/html.formcompany.class.php
  16. 1 1
      htdocs/core/db/DoliDB.class.php
  17. 1 1
      htdocs/core/lib/functions.lib.php
  18. 2 2
      htdocs/don/class/paymentdonation.class.php
  19. 1 1
      htdocs/ecm/class/ecmdirectory.class.php
  20. 10 10
      htdocs/expensereport/class/expensereport.class.php
  21. 1 1
      htdocs/expensereport/class/paymentexpensereport.class.php
  22. 2 2
      htdocs/fichinter/class/fichinter.class.php
  23. 3 2
      htdocs/fourn/card.php
  24. 5 5
      htdocs/fourn/class/fournisseur.commande.class.php
  25. 5 5
      htdocs/fourn/class/fournisseur.facture.class.php
  26. 15 15
      htdocs/fourn/class/fournisseur.product.class.php
  27. 9 9
      htdocs/holiday/class/holiday.class.php
  28. 2 2
      htdocs/install/upgrade2.php
  29. 6 6
      htdocs/loan/class/loanschedule.class.php
  30. 4 4
      htdocs/loan/class/paymentloan.class.php
  31. 2 2
      htdocs/product/class/product.class.php
  32. 2 2
      htdocs/product/class/productcustomerprice.class.php
  33. 3 10
      htdocs/product/class/propalmergepdfproduct.class.php
  34. 1 1
      htdocs/product/dynamic_price/class/price_global_variable.class.php
  35. 4 4
      htdocs/product/dynamic_price/class/price_global_variable_updater.class.php
  36. 4 4
      htdocs/product/stock/class/mouvementstock.class.php
  37. 2 2
      htdocs/salaries/class/paymentsalary.class.php
  38. 4 4
      htdocs/societe/class/societe.class.php
  39. 3 8
      htdocs/ticket/class/ticket.class.php

+ 4 - 4
htdocs/accountancy/class/accountancycategory.class.php

@@ -201,7 +201,7 @@ class AccountancyCategory // extends CommonObject
 		$sql .= "entity";
 		$sql .= ") VALUES (";
 		if ($this->rowid > 0) {
-			$sql .= " ".$this->rowid.",";
+			$sql .= " ".((int) $this->rowid).",";
 		}
 		$sql .= " ".(!isset($this->code) ? 'NULL' : "'".$this->db->escape($this->code)."'").",";
 		$sql .= " ".(!isset($this->label) ? 'NULL' : "'".$this->db->escape($this->label)."'").",";
@@ -209,9 +209,9 @@ class AccountancyCategory // extends CommonObject
 		$sql .= " ".(!isset($this->sens) ? 'NULL' : "'".$this->db->escape($this->sens)."'").",";
 		$sql .= " ".(!isset($this->category_type) ? 'NULL' : "'".$this->db->escape($this->category_type)."'").",";
 		$sql .= " ".(!isset($this->formula) ? 'NULL' : "'".$this->db->escape($this->formula)."'").",";
-		$sql .= " ".(!isset($this->position) ? 'NULL' : $this->db->escape($this->position)).",";
-		$sql .= " ".(!isset($this->fk_country) ? 'NULL' : $this->db->escape($this->fk_country)).",";
-		$sql .= " ".(!isset($this->active) ? 'NULL' : $this->db->escape($this->active));
+		$sql .= " ".(!isset($this->position) ? 'NULL' : ((int) $this->position)).",";
+		$sql .= " ".(!isset($this->fk_country) ? 'NULL' : ((int) $this->fk_country)).",";
+		$sql .= " ".(!isset($this->active) ? 'NULL' : ((int) $this->active));
 		$sql .= ", ".$conf->entity;
 		$sql .= ")";
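Review bot: `$conf->entity` on the line before the closing `)` is still concatenated raw while every other numeric in this INSERT now carries an `(int)` cast, and the same commit does cast it in events.class.php and holiday.class.php; `$sql .= ", ".((int) $conf->entity);` leaves the statement with no untyped value. `$conf->entity` normally comes from configuration rather than the request, so this is consistency hardening rather than a live injection path. The method that builds this INSERT starts before the hunk.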
 

+ 1 - 1
htdocs/adherents/class/subscription.class.php

@@ -168,7 +168,7 @@ class Subscription extends CommonObject
 		$sql .= " VALUES (".((int) $this->fk_adherent).", '".$this->db->escape($type)."', '".$this->db->idate($now)."',";
 		$sql .= " '".$this->db->idate($this->dateh)."',";
 		$sql .= " '".$this->db->idate($this->datef)."',";
-		$sql .= " ".$this->amount.",";
+		$sql .= " ".((float) $this->amount).",";
 		$sql .= " '".$this->db->escape($this->note_public ? $this->note_public : $this->note)."')";
 
 		$resql = $this->db->query($sql);
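Review bot: `(float) $this->amount` is concatenated straight into the SQL, and float-to-string conversion on PHP versions before 8.0 honours the LC_NUMERIC locale, so under a decimal-comma locale the statement becomes `... 12,5, '...'` and either fails or stores the wrong value. The rest of this commit uses `price2num()` for monetary values, so `$sql .= " ".price2num($this->amount, 'MT').",";` would be the consistent choice; the `'MT'` rounding also keeps the result `'0'` rather than `''` when amount is null, per the price2num docblock changed in this commit. The project's PHP floor is not visible here, so the locale part is a caveat rather than a confirmed defect. The enclosing method starts before the hunk.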

+ 1 - 1
htdocs/compta/localtax/class/localtax.class.php

@@ -110,7 +110,7 @@ class Localtax extends CommonObject
 		$sql .= "fk_user_creat,";
 		$sql .= "fk_user_modif";
 		$sql .= ") VALUES (";
-		$sql .= " ".$this->ltt.",";
+		$sql .= " ".((int) $this->ltt).",";
 		$sql .= " '".$this->db->idate($this->tms)."',";
 		$sql .= " '".$this->db->idate($this->datep)."',";
 		$sql .= " '".$this->db->idate($this->datev)."',";

+ 2 - 2
htdocs/compta/sociales/class/paymentsocialcontribution.class.php

@@ -181,8 +181,8 @@ class PaymentSocialContribution extends CommonObject
 			$sql .= " fk_typepaiement, num_paiement, note, fk_user_creat, fk_bank)";
 			$sql .= " VALUES ($this->chid, '".$this->db->idate($now)."',";
 			$sql .= " '".$this->db->idate($this->datepaye)."',";
-			$sql .= " ".$totalamount.",";
-			$sql .= " ".$this->paiementtype.", '".$this->db->escape($this->num_payment)."', '".$this->db->escape($this->note)."', ".$user->id.",";
+			$sql .= " ".((float) $totalamount).",";
+			$sql .= " ".((int) $this->paiementtype).", '".$this->db->escape($this->num_payment)."', '".$this->db->escape($this->note)."', ".$user->id.",";
 			$sql .= " 0)";
 
 			$resql = $this->db->query($sql);
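Review bot: `$this->chid` in the `VALUES ($this->chid,` context line and `$user->id` at the end of the changed line are still interpolated raw, so the hardening stops one value short on each side of the ones that were fixed; `$sql .= " VALUES (".((int) $this->chid).", '".$this->db->idate($now)."',";` and `... ".((int) $user->id).",";` close that gap. `(float) $totalamount` concatenated into SQL is locale-sensitive on PHP < 8.0 (decimal comma), which is presumably why paymentdonation.class.php in this same commit switched to `price2num()`; the same form would be preferable here. The create method starts before the hunk.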

+ 2 - 2
htdocs/compta/tva/class/paymentvat.class.php

@@ -180,8 +180,8 @@ class PaymentVAT extends CommonObject
 			$sql .= " fk_typepaiement, num_paiement, note, fk_user_creat, fk_bank)";
 			$sql .= " VALUES ($this->chid, '".$this->db->idate($now)."',";
 			$sql .= " '".$this->db->idate($this->datepaye)."',";
-			$sql .= " ".$totalamount.",";
-			$sql .= " ".$this->paiementtype.", '".$this->db->escape($this->num_payment)."', '".$this->db->escape($this->note)."', ".$user->id.",";
+			$sql .= " ".((float) $totalamount).",";
+			$sql .= " ".((int) $this->paiementtype).", '".$this->db->escape($this->num_payment)."', '".$this->db->escape($this->note)."', ".$user->id.",";
 			$sql .= " 0)";
 
 			$resql = $this->db->query($sql);
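Review bot: `$this->chid` on the `VALUES (` line and `$user->id` on the changed line remain uncast, which leaves this INSERT partly outside the hardening the commit is applying; cast both, e.g. `$sql .= " VALUES (".((int) $this->chid).", '".$this->db->idate($now)."',";`. Consider `price2num($totalamount)` instead of `(float)` as well, matching the donation and expense-report payment classes in this commit, to avoid a locale-dependent decimal separator on older PHP. The method continues on both sides of the hunk.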

+ 5 - 5
htdocs/contact/class/contact.class.php

@@ -455,18 +455,18 @@ class Contact extends CommonObject
 		$sql .= ") VALUES (";
 		$sql .= "'".$this->db->idate($now)."',";
 		if ($this->socid > 0) {
-			$sql .= " ".$this->db->escape($this->socid).",";
+			$sql .= " ".((int) $this->socid).",";
 		} else {
 			$sql .= "null,";
 		}
 		$sql .= "'".$this->db->escape($this->lastname)."',";
 		$sql .= "'".$this->db->escape($this->firstname)."',";
-		$sql .= " ".($user->id > 0 ? "'".$this->db->escape($user->id)."'" : "null").",";
-		$sql .= " ".$this->db->escape($this->priv).",";
+		$sql .= " ".($user->id > 0 ? ((int) $user->id)."'" : "null").",";
+		$sql .= " ".((int) $this->priv).",";
 		$sql .= " 0,";
-		$sql .= " ".$this->db->escape($this->statut).",";
+		$sql .= " ".((int) $this->statut).",";
 		$sql .= " ".(!empty($this->canvas) ? "'".$this->db->escape($this->canvas)."'" : "null").",";
-		$sql .= " ".$this->db->escape($this->entity).",";
+		$sql .= " ".((int) $this->entity).",";
 		$sql .= "'".$this->db->escape($this->ref_ext)."',";
 		$sql .= " ".(!empty($this->import_key) ? "'".$this->db->escape($this->import_key)."'" : "null");
 		$sql .= ")";
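Review bot: The rewritten `$user->id` line has a stray trailing quote: `((int) $user->id)."'"` emits `5',` into the VALUES list, which is a SQL syntax error on every contact creation where `$user->id > 0`; it should read `$sql .= " ".($user->id > 0 ? ((int) $user->id) : "null").",";`. The other casts in the hunk are sound, but this one breaks unconditionally, so a test that actually creates a contact would have caught it. The create method starts before the hunk.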

+ 5 - 5
htdocs/contrat/class/contrat.class.php

@@ -1546,11 +1546,11 @@ class Contrat extends CommonObject
 			$sql .= ") VALUES (";
 			$sql .= $this->id.", '', '".$this->db->escape($desc)."',";
 			$sql .= ($fk_product > 0 ? $fk_product : "null").",";
-			$sql .= " ".$qty.",";
-			$sql .= " ".$txtva.",";
+			$sql .= " ".((float) $qty).",";
+			$sql .= " ".((float) $txtva).",";
 			$sql .= " ".($vat_src_code ? "'".$this->db->escape($vat_src_code)."'" : "null").",";
-			$sql .= " ".$txlocaltax1.",";
-			$sql .= " ".$txlocaltax2.",";
+			$sql .= " ".((float) $txlocaltax1).",";
+			$sql .= " ".((float) $txlocaltax2).",";
 			$sql .= " '".$this->db->escape($localtax1_type)."',";
 			$sql .= " '".$this->db->escape($localtax2_type)."',";
 			$sql .= " ".price2num($remise_percent).",";
@@ -1559,7 +1559,7 @@ class Contrat extends CommonObject
 			$sql .= " '".$this->db->escape($info_bits)."',";
 			$sql .= " ".price2num($price).",".price2num($remise).",";
 			if (isset($fk_fournprice)) {
-				$sql .= ' '.$fk_fournprice.',';
+				$sql .= ' '.((int) $fk_fournprice).',';
 			} else {
 				$sql .= ' null,';
 			}
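Review bot: `$this->id` and `$fk_product` at the top of the first hunk are still concatenated raw while the neighbouring `$qty`/`$txtva` values are cast, and `$fk_product` is a method parameter, so it should become `$sql .= ($fk_product > 0 ? ((int) $fk_product) : "null").",";` with `((int) $this->id)` on the line above. The `(float)` casts on `$qty`, `$txtva`, `$txlocaltax1` and `$txlocaltax2` are stringified using the process locale on PHP < 8.0, so `price2num()`, already used two lines below for `$remise_percent`, would be both safer and consistent. addline's body extends beyond both hunks.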

+ 1 - 1
htdocs/core/boxes/box_boms.php

@@ -97,7 +97,7 @@ class box_boms extends ModeleBoxes
 			$sql .= " WHERE c.fk_product = p.rowid";
 			$sql .= " AND c.entity = ".$conf->entity;
 			$sql .= " ORDER BY c.tms DESC, c.ref DESC";
-			$sql .= " ".$this->db->plimit($max, 0);
+			$sql .= $this->db->plimit($max, 0);
 
 			$result = $this->db->query($sql);
 			if ($result) {

+ 1 - 1
htdocs/core/boxes/box_mos.php

@@ -97,7 +97,7 @@ class box_mos extends ModeleBoxes
 			$sql .= " WHERE c.fk_product = p.rowid";
 			$sql .= " AND c.entity = ".$conf->entity;
 			$sql .= " ORDER BY c.tms DESC, c.ref DESC";
-			$sql .= " ".$this->db->plimit($max, 0);
+			$sql .= $this->db->plimit($max, 0);
 
 			$result = $this->db->query($sql);
 			if ($result) {

+ 8 - 9
htdocs/core/class/commonobject.class.php

@@ -3541,17 +3541,16 @@ abstract class CommonObject
 
 			if (empty($nodatabaseupdate)) {
 				$sql = 'UPDATE '.MAIN_DB_PREFIX.$this->table_element.' SET';
-				$sql .= " ".$fieldht."='".price2num($this->total_ht)."',";
-				$sql .= " ".$fieldtva."='".price2num($this->total_tva)."',";
-				$sql .= " ".$fieldlocaltax1."='".price2num($this->total_localtax1)."',";
-				$sql .= " ".$fieldlocaltax2."='".price2num($this->total_localtax2)."',";
-				$sql .= " ".$fieldttc."='".price2num($this->total_ttc)."'";
-						$sql .= ", multicurrency_total_ht='".price2num($this->multicurrency_total_ht, 'MT', 1)."'";
-						$sql .= ", multicurrency_total_tva='".price2num($this->multicurrency_total_tva, 'MT', 1)."'";
-						$sql .= ", multicurrency_total_ttc='".price2num($this->multicurrency_total_ttc, 'MT', 1)."'";
+				$sql .= " ".$fieldht." = ".price2num($this->total_ht).",";
+				$sql .= " ".$fieldtva." = ".price2num($this->total_tva).",";
+				$sql .= " ".$fieldlocaltax1." = ".price2num($this->total_localtax1).",";
+				$sql .= " ".$fieldlocaltax2." = ".price2num($this->total_localtax2).",";
+				$sql .= " ".$fieldttc." = ".price2num($this->total_ttc);
+				$sql .= ", multicurrency_total_ht = ".price2num($this->multicurrency_total_ht, 'MT', 1);
+				$sql .= ", multicurrency_total_tva = ".price2num($this->multicurrency_total_tva, 'MT', 1);
+				$sql .= ", multicurrency_total_ttc = ".price2num($this->multicurrency_total_ttc, 'MT', 1);
 				$sql .= ' WHERE rowid = '.$this->id;
 
-
 				dol_syslog(get_class($this)."::update_price", LOG_DEBUG);
 				$resql = $this->db->query($sql);
 				if (!$resql) {
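Review bot: Dropping the quotes around `price2num(...)` changes the failure mode when a total is unset: per the price2num docblock changed in this commit, `price2num(null)` with no rounding argument returns `''`, so `total_ht = ,` is now a SQL syntax error where the quoted `''` was previously accepted by MySQL as 0. Passing a rounding mode, `price2num($this->total_ht, 'MT')`, makes the empty case yield `'0'` like the three multicurrency lines already do. `WHERE rowid = '.$this->id` one line below the changed block is still uncast; `((int) $this->id)` keeps the UPDATE fully typed. update_price starts before the hunk.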

+ 5 - 5
htdocs/core/class/discount.class.php

@@ -257,11 +257,11 @@ class DiscountAbsolute
 		$sql .= " multicurrency_amount_ht, multicurrency_amount_tva, multicurrency_amount_ttc,";
 		$sql .= " fk_facture_source, fk_invoice_supplier_source";
 		$sql .= ")";
-		$sql .= " VALUES (".$conf->entity.", '".$this->db->idate($this->datec != '' ? $this->datec : dol_now())."', ".$this->fk_soc.", ".(empty($this->discount_type) ? 0 : intval($this->discount_type)).", ".$userid.", '".$this->db->escape($this->description)."',";
-		$sql .= " ".$this->amount_ht.", ".$this->amount_tva.", ".$this->amount_ttc.", ".$this->tva_tx.", '".$this->db->escape($this->vat_src_code)."',";
-		$sql .= " ".$this->multicurrency_amount_ht.", ".$this->multicurrency_amount_tva.", ".$this->multicurrency_amount_ttc.", ";
-		$sql .= " ".($this->fk_facture_source ? "'".$this->db->escape($this->fk_facture_source)."'" : "null").",";
-		$sql .= " ".($this->fk_invoice_supplier_source ? "'".$this->db->escape($this->fk_invoice_supplier_source)."'" : "null");
+		$sql .= " VALUES (".$conf->entity.", '".$this->db->idate($this->datec != '' ? $this->datec : dol_now())."', ".((int) $this->fk_soc).", ".(empty($this->discount_type) ? 0 : intval($this->discount_type)).", ".((int) $userid).", '".$this->db->escape($this->description)."',";
+		$sql .= " ".price2num($this->amount_ht).", ".price2num($this->amount_tva).", ".price2num($this->amount_ttc).", ".price2num($this->tva_tx).", '".$this->db->escape($this->vat_src_code)."',";
+		$sql .= " ".price2num($this->multicurrency_amount_ht).", ".price2num($this->multicurrency_amount_tva).", ".price2num($this->multicurrency_amount_ttc).", ";
+		$sql .= " ".($this->fk_facture_source ? ((int) $this->fk_facture_source) : "null").",";
+		$sql .= " ".($this->fk_invoice_supplier_source ? ((int) $this->fk_invoice_supplier_source) : "null");
 		$sql .= ")";
 
 		dol_syslog(get_class($this)."::create", LOG_DEBUG);
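Review bot: `$conf->entity` at the start of the VALUES list is the one numeric left uncast in this INSERT, and the six `price2num()` calls have no rounding argument, so a null `amount_tva` or `tva_tx` still yields an empty token (`, , `) and a syntax error rather than `0`; `((int) $conf->entity)` and `price2num($this->amount_tva, 'MT')`-style calls close both. `intval($this->discount_type)` and the `(int)` casts on the same line are equivalent, so one form would read better. The create method starts before the hunk.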

+ 1 - 1
htdocs/core/class/events.class.php

@@ -163,7 +163,7 @@ class Events // extends CommonObject
 		$sql .= "prefix_session";
 		$sql .= ") VALUES (";
 		$sql .= " '".$this->db->escape($this->type)."',";
-		$sql .= " ".$conf->entity.",";
+		$sql .= " ".((int) $conf->entity).",";
 		$sql .= " '".$this->db->escape(getUserRemoteIP())."',";
 		$sql .= " ".($this->user_agent ? "'".$this->db->escape(dol_trunc($this->user_agent, 250))."'" : 'NULL').",";
 		$sql .= " '".$this->db->idate($this->dateevent)."',";

+ 4 - 4
htdocs/core/class/extrafields.class.php

@@ -472,14 +472,14 @@ class ExtraFields
 			$sql .= " VALUES('".$this->db->escape($attrname)."',";
 			$sql .= " '".$this->db->escape($label)."',";
 			$sql .= " '".$this->db->escape($type)."',";
-			$sql .= " ".$pos.",";
+			$sql .= " ".((int) $pos).",";
 			$sql .= " '".$this->db->escape($size)."',";
 			$sql .= " ".($entity === '' ? $conf->entity : $entity).",";
 			$sql .= " '".$this->db->escape($elementtype)."',";
-			$sql .= " ".$unique.",";
-			$sql .= " ".$required.",";
+			$sql .= " ".((int) $unique).",";
+			$sql .= " ".((int) $required).",";
 			$sql .= " '".$this->db->escape($params)."',";
-			$sql .= " ".$alwayseditable.",";
+			$sql .= " ".((int) $alwayseditable).",";
 			$sql .= " ".($perms ? "'".$this->db->escape($perms)."'" : "null").",";
 			$sql .= " ".($langfile ? "'".$this->db->escape($langfile)."'" : "null").",";
 			$sql .= " '".$this->db->escape($list)."',";
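Review bot: `$entity` on the line `($entity === '' ? $conf->entity : $entity)` is the one remaining numeric parameter of this method concatenated without a cast, while `$pos`, `$unique`, `$required` and `$alwayseditable` now get `(int)`; make it `$sql .= " ".($entity === '' ? ((int) $conf->entity) : ((int) $entity)).",";`. Whether any caller forwards a request value into `$entity` is not visible here, but the cast costs nothing and keeps the INSERT uniformly typed. The create method starts before the hunk.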

+ 19 - 19
htdocs/core/class/html.form.class.php

@@ -1849,7 +1849,7 @@ class Form
 	 *  @param	string			$force_entity	'0' or Ids of environment to force
 	 *  @param	int				$maxlength		Maximum length of string into list (0=no limit)
 	 *  @param	int				$showstatus		0=show user status only if status is disabled, 1=always show user status into label, -1=never show user status
-	 *  @param	string			$morefilter		Add more filters into sql request (Example: 'employee = 1')
+	 *  @param	string			$morefilter		Add more filters into sql request (Example: 'employee = 1'). This value must not come from user input.
 	 *  @param	integer			$show_every		0=default list, 1=add also a value "Everybody" at beginning of list
 	 *  @param	string			$enableonlytext	If option $enableonlytext is set, we use this text to explain into label why record is disabled. Not used if enableonly is empty.
 	 *  @param	string			$morecss		More css
@@ -1903,9 +1903,9 @@ class Form
 		}
 		$sql .= " FROM ".MAIN_DB_PREFIX."user as u";
 		if (!empty($conf->multicompany->enabled) && $conf->entity == 1 && $user->admin && !$user->entity) {
-			$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."entity as e ON e.rowid=u.entity";
+			$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."entity as e ON e.rowid = u.entity";
 			if ($force_entity) {
-				$sql .= " WHERE u.entity IN (0, ".$force_entity.")";
+				$sql .= " WHERE u.entity IN (0, ".$this->db->sanitize($force_entity).")";
 			} else {
 				$sql .= " WHERE u.entity IS NOT NULL";
 			}
@@ -1919,7 +1919,7 @@ class Form
 			}
 		}
 		if (!empty($user->socid)) {
-			$sql .= " AND u.fk_soc = ".$user->socid;
+			$sql .= " AND u.fk_soc = ".((int) $user->socid);
 		}
 		if (is_array($exclude) && $excludeUsers) {
 			$sql .= " AND u.rowid NOT IN (".$this->db->sanitize($excludeUsers).")";
@@ -3052,20 +3052,20 @@ class Form
 	/**
 	 *	Return list of suppliers products
 	 *
-	 *	@param	int		$socid   		Id societe fournisseur (0 pour aucun filtre)
-	 *	@param  int		$selected       Product price pre-selected (must be 'id' in product_fournisseur_price or 'idprod_IDPROD')
-	 *	@param  string	$htmlname       Nom de la zone select
-	 *  @param	string	$filtertype     Filter on product type (''=nofilter, 0=product, 1=service)
-	 *	@param  string	$filtre         Pour filtre sql
-	 *	@param  string	$filterkey      Filtre des produits
-	 *  @param  int		$statut         -1=Return all products, 0=Products not on buy, 1=Products on buy
-	 *  @param  int		$outputmode     0=HTML select string, 1=Array
-	 *  @param  int     $limit          Limit of line number
+	 *	@param	int		$socid   			Id of supplier thirdparty (0 = no filter)
+	 *	@param  int		$selected       	Product price pre-selected (must be 'id' in product_fournisseur_price or 'idprod_IDPROD')
+	 *	@param  string	$htmlname       	Name of HTML select
+	 *  @param	string	$filtertype     	Filter on product type (''=nofilter, 0=product, 1=service)
+	 *	@param  string	$filtre         	Generic filter. Data must not come from user input.
+	 *	@param  string	$filterkey      	Filter of produdts
+	 *  @param  int		$statut         	-1=Return all products, 0=Products not on buy, 1=Products on buy
+	 *  @param  int		$outputmode     	0=HTML select string, 1=Array
+	 *  @param  int     $limit          	Limit of line number
 	 *  @param  int     $alsoproductwithnosupplierprice    1=Add also product without supplier prices
-	 *  @param	string	$morecss		Add more CSS
+	 *  @param	string	$morecss			Add more CSS
 	 *  @param	int		$showstockinlist	Show stock information (slower).
-	 *  @param	string	$placeholder	Placeholder
-	 *  @return array           		Array of keys for json
+	 *  @param	string	$placeholder		Placeholder
+	 *  @return array           			Array of keys for json
 	 */
 	public function select_produits_fournisseurs_list($socid, $selected = '', $htmlname = 'productid', $filtertype = '', $filtre = '', $filterkey = '', $statut = -1, $outputmode = 0, $limit = 100, $alsoproductwithnosupplierprice = 0, $morecss = '', $showstockinlist = 0, $placeholder = '')
 	{
@@ -3102,8 +3102,8 @@ class Form
 		}
 		$sql .= " FROM ".MAIN_DB_PREFIX."product as p";
 		$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_fournisseur_price as pfp ON ( p.rowid = pfp.fk_product AND pfp.entity IN (".getEntity('product').") )";
-		if ($socid) {
-			$sql .= " AND pfp.fk_soc = ".$socid;
+		if ($socid > 0) {
+			$sql .= " AND pfp.fk_soc = ".((int) $socid);
 		}
 		$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON pfp.fk_soc = s.rowid";
 		// Units
@@ -3115,7 +3115,7 @@ class Form
 			$sql .= " AND p.tobuy = ".((int) $statut);
 		}
 		if (strval($filtertype) != '') {
-			$sql .= " AND p.fk_product_type=".$this->db->escape($filtertype);
+			$sql .= " AND p.fk_product_type = ".((int) $filtertype);
 		}
 		if (!empty($filtre)) {
 			$sql .= " ".$filtre;
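Review bot: `$sql .= " ".$filtre;` at the end of the last hunk is still appended verbatim, and the only protection this commit adds is the docblock sentence that the value must not come from user input; that contract is invisible to the callers of the wrappers around `select_produits_fournisseurs_list` and to static analysis, so a request-derived `$filtre` stays injectable. A generic SQL fragment cannot be escaped, so the realistic hardening is an audit of every call site plus logging the fragment before use, e.g. `dol_syslog(__METHOD__." filtre=".$filtre, LOG_DEBUG);`, so an attempt is at least visible in the logs. In the `$force_entity` hunk, whether `$this->db->sanitize()` reduces the value to digits and commas cannot be confirmed from this page; `implode(',', array_map('intval', explode(',', $force_entity)))` would make the id-list intent explicit and independent of sanitize's rules. Both methods continue outside their hunks.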

+ 3 - 3
htdocs/core/class/html.formcompany.class.php

@@ -45,7 +45,7 @@ class FormCompany extends Form
 	 *    	Return list of labels (translated) of third parties type
 	 *
 	 *		@param	int		$mode		0=Return id+label, 1=Return code+label
-	 *      @param  string	$filter     Add a SQL filter to select
+	 *      @param  string	$filter     Add a SQL filter to select. Data must not come from user input.
 	 *    	@return array      			Array of types
 	 */
 	public function typent_array($mode = 0, $filter = '')
@@ -96,7 +96,7 @@ class FormCompany extends Form
 	 *	Renvoie la liste des types d'effectifs possibles (pas de traduction car nombre)
 	 *
 	 *	@param	int		$mode		0=renvoi id+libelle, 1=renvoi code+libelle
-	 *	@param  string	$filter     Add a SQL filter to select
+	 *	@param  string	$filter     Add a SQL filter to select. Data must not come from user input.
 	 *  @return array				Array of types d'effectifs
 	 */
 	public function effectif_array($mode = 0, $filter = '')
@@ -509,7 +509,7 @@ class FormCompany extends Form
 	 *
 	 *    @param	string		$selected        	Preselected code of juridical type
 	 *    @param    int			$country_codeid     0=list for all countries, otherwise list only country requested
-	 *    @param    string		$filter          	Add a SQL filter on list
+	 *    @param    string		$filter          	Add a SQL filter on list. Data must not come from user input.
 	 *    @param	string		$htmlname			HTML name of select
 	 *    @param	string		$morecss			More CSS
 	 *    @return	string							String with HTML select

+ 1 - 1
htdocs/core/db/DoliDB.class.php

@@ -108,7 +108,7 @@ abstract class DoliDB implements Database
 	 * Sanitize a string for SQL forging
 	 *
 	 * @param   string 	$stringtosanitize 	String to escape
-	 * @param   int		$allowsimplequote 	Allow simple quote
+	 * @param   int		$allowsimplequote 	1=Allow simple quotes in string. When string is used as a list of SQL string ('aa', 'bb', ...)
 	 * @return  string                      String escaped
 	 */
 	public function sanitize($stringtosanitize, $allowsimplequote = 0)

+ 1 - 1
htdocs/core/lib/functions.lib.php

@@ -5190,7 +5190,7 @@ function price($amount, $form = 0, $outlangs = '', $trunc = 1, $rounding = -1, $
  * 	@param	int				$option			Put 1 if you know that content is already universal format number (so no correction on decimal will be done)
  * 											Put 2 if you know that number is a user input (so we know we don't have to fix decimal separator).
  *	@return	string							Amount with universal numeric format (Example: '99.99999').
- *											If conversion fails, it return text unchanged if $rounding = '' or '0' if $rounding is defined.
+ *											If conversion fails, it return text unchanged if ($rounding = '' and $option = 1) or '0' if ($rounding is defined and $option = 1).
  *											If amount is null or '', it returns '' if $rounding = '' or '0' if $rounding is defined..
  *
  *	@see    price()							Opposite function of price2num

+ 2 - 2
htdocs/don/class/paymentdonation.class.php

@@ -189,8 +189,8 @@ class PaymentDonation extends CommonObject
 			$sql .= " fk_user_creat, fk_bank)";
 			$sql .= " VALUES ($this->chid, '".$this->db->idate($now)."',";
 			$sql .= " '".$this->db->idate($this->datepaid)."',";
-			$sql .= " ".$totalamount.",";
-			$sql .= " ".$this->paymenttype.", '".$this->db->escape($this->num_payment)."', '".$this->db->escape($this->note_public)."', ";
+			$sql .= " ".price2num($totalamount).",";
+			$sql .= " ".((int) $this->paymenttype).", '".$this->db->escape($this->num_payment)."', '".$this->db->escape($this->note_public)."', ";
 			$sql .= " ".($this->ext_payment_id ? "'".$this->db->escape($this->ext_payment_id)."'" : "null").", ".($this->ext_payment_site ? "'".$this->db->escape($this->ext_payment_site)."'" : "null").",";
 			$sql .= " ".$user->id.", 0)";
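Review bot: `$this->chid` in `VALUES ($this->chid,` and `$user->id` on the last line are still raw inside this INSERT, so the `(int)` treatment given to `$this->paymenttype` should extend to them: `$sql .= " ".((int) $user->id).", 0)";`. `price2num($totalamount)` without a rounding argument returns `''` for a null or empty amount (per the price2num docblock changed in this commit), which would produce an empty VALUES token; `price2num($totalamount, 'MT')` returns `'0'` in that case. The create method starts before the hunk.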
 

+ 1 - 1
htdocs/ecm/class/ecmdirectory.class.php

@@ -196,7 +196,7 @@ class EcmDirectory extends CommonObject
 			$sql .= " '".$this->db->escape($conf->entity)."',";
 			$sql .= " '".$this->db->escape($this->fk_parent)."',";
 			$sql .= " '".$this->db->escape($this->description)."',";
-			$sql .= " ".$this->cachenbofdoc.",";
+			$sql .= " ".((int) $this->cachenbofdoc).",";
 			$sql .= " '".$this->db->idate($this->date_c)."',";
 			$sql .= " '".$this->db->escape($this->fk_user_c)."'";
 			$sql .= ")";

+ 10 - 10
htdocs/expensereport/class/expensereport.class.php

@@ -2697,20 +2697,20 @@ class ExpenseReportLine
 		$sql .= ' (fk_expensereport, fk_c_type_fees, fk_projet,';
 		$sql .= ' tva_tx, vat_src_code, comments, qty, value_unit, total_ht, total_tva, total_ttc, date, rule_warning_message, fk_c_exp_tax_cat, fk_ecm_files)';
 		$sql .= " VALUES (".$this->db->escape($this->fk_expensereport).",";
-		$sql .= " ".$this->db->escape($this->fk_c_type_fees).",";
-		$sql .= " ".$this->db->escape((!empty($this->fk_project) && $this->fk_project > 0) ? $this->fk_project : ((!empty($this->fk_projet) && $this->fk_projet > 0) ? $this->fk_projet : 'null')).",";
-		$sql .= " ".$this->db->escape($this->vatrate).",";
+		$sql .= " ".((int) $this->fk_c_type_fees).",";
+		$sql .= " ".((int) (!empty($this->fk_project) && $this->fk_project > 0) ? $this->fk_project : ((!empty($this->fk_projet) && $this->fk_projet > 0) ? $this->fk_projet : 'null')).",";
+		$sql .= " ".((float) $this->vatrate).",";
 		$sql .= " '".$this->db->escape(empty($this->vat_src_code) ? '' : $this->vat_src_code)."',";
 		$sql .= " '".$this->db->escape($this->comments)."',";
-		$sql .= " ".$this->db->escape($this->qty).",";
-		$sql .= " ".$this->db->escape($this->value_unit).",";
-		$sql .= " ".$this->db->escape($this->total_ht).",";
-		$sql .= " ".$this->db->escape($this->total_tva).",";
-		$sql .= " ".$this->db->escape($this->total_ttc).",";
+		$sql .= " ".((float) $this->qty).",";
+		$sql .= " ".((int) $this->value_unit).",";
+		$sql .= " ".price2num($this->total_ht).",";
+		$sql .= " ".price2num($this->total_tva).",";
+		$sql .= " ".price2num($this->total_ttc).",";
 		$sql .= " '".$this->db->idate($this->date)."',";
 		$sql .= " ".(empty($this->rule_warning_message) ? 'null' : "'".$this->db->escape($this->rule_warning_message)."'").",";
-		$sql .= " ".$this->db->escape($this->fk_c_exp_tax_cat).",";
-		$sql .= " ".($this->fk_ecm_files > 0 ? $this->fk_ecm_files : 'null');
+		$sql .= " ".((int) $this->fk_c_exp_tax_cat).",";
+		$sql .= " ".($this->fk_ecm_files > 0 ? ((int) $this->fk_ecm_files) : 'null');
 		$sql .= ")";
 
 		$resql = $this->db->query($sql);
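Review bot: The `fk_projet` line has a precedence bug: `(int)` binds tighter than `?:`, so `((int) (!empty(...) && ...) ? $this->fk_project : ...)` casts the boolean condition and still inserts `$this->fk_project` or `$this->fk_projet` uncast, exactly as before the commit; it should read `$sql .= " ".((!empty($this->fk_project) && $this->fk_project > 0) ? ((int) $this->fk_project) : ((!empty($this->fk_projet) && $this->fk_projet > 0) ? ((int) $this->fk_projet) : 'null')).",";`. Separately, `(int) $this->value_unit` truncates a unit amount to a whole number (a 12.50 line is stored as 12), so it must be `price2num($this->value_unit, 'MU')` like the totals below it. `$this->db->escape($this->fk_expensereport)` on the VALUES line is unquoted, where escape() does nothing against `1 OR 1=1`; `((int) $this->fk_expensereport)` is the fix. ExpenseReportLine::insert starts before the hunk.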

+ 1 - 1
htdocs/expensereport/class/paymentexpensereport.class.php

@@ -168,7 +168,7 @@ class PaymentExpenseReport extends CommonObject
 			$sql .= " fk_typepayment, num_payment, note, fk_user_creat, fk_bank)";
 			$sql .= " VALUES ($this->fk_expensereport, '".$this->db->idate($now)."',";
 			$sql .= " '".$this->db->idate($this->datepaid)."',";
-			$sql .= " ".$totalamount.",";
+			$sql .= " ".price2num($totalamount).",";
 			$sql .= " ".$this->fk_typepayment.", '".$this->db->escape($this->num_payment)."', '".$this->db->escape($this->note_public)."', ".$user->id.",";
 			$sql .= " 0)";
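Review bot: `$this->fk_expensereport` in `VALUES ($this->fk_expensereport,`, and `$this->fk_typepayment` and `$user->id` on the line after the change, are all still raw in this INSERT, so only one of four numerics was hardened; `$sql .= " ".((int) $this->fk_typepayment).", '".$this->db->escape($this->num_payment)."', '".$this->db->escape($this->note_public)."', ".((int) $user->id).",";` and `((int) $this->fk_expensereport)` keep the statement fully typed. `price2num($totalamount)` with no rounding mode returns `''` for an empty amount; `'MT'` makes that `'0'`. The create method starts before the hunk.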
 

+ 2 - 2
htdocs/fichinter/class/fichinter.class.php

@@ -1499,8 +1499,8 @@ class FichinterLigne extends CommonObjectLine
 		$sql .= " VALUES (".$this->fk_fichinter.",";
 		$sql .= " '".$this->db->escape($this->desc)."',";
 		$sql .= " '".$this->db->idate($this->datei)."',";
-		$sql .= " ".$this->duration.",";
-		$sql .= ' '.$rangToUse;
+		$sql .= " ".((int) $this->duration).",";
+		$sql .= ' '.((int) $rangToUse);
 		$sql .= ')';
 
 		dol_syslog("FichinterLigne::insert", LOG_DEBUG);
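Review bot: `$this->fk_fichinter` in the `VALUES (` line is still concatenated uncast while `$this->duration` and `$rangToUse` now are; `$sql .= " VALUES (".((int) $this->fk_fichinter).",";` completes the hardening of this INSERT. `(int) $this->duration` is only correct if the column holds a whole number of seconds; that is not visible here, so confirm the schema before relying on the truncation. FichinterLigne::insert starts before the hunk.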

+ 3 - 2
htdocs/fourn/card.php

@@ -592,7 +592,7 @@ if ($object->id > 0) {
 		$sql .= " WHERE p.fk_soc =".$object->id;
 		$sql .= " AND p.entity IN (".getEntity('supplier_proposal').")";
 		$sql .= " ORDER BY p.date_valid DESC";
-		$sql .= " ".$db->plimit($MAXLIST);
+		$sql .= $db->plimit($MAXLIST);
 
 		$resql = $db->query($sql);
 		if ($resql) {
@@ -694,7 +694,8 @@ if ($object->id > 0) {
 		$sql .= " WHERE p.fk_soc =".$object->id;
 		$sql .= " AND p.entity IN (".getEntity('commande_fournisseur').")";
 		$sql .= " ORDER BY p.date_commande DESC";
-		$sql .= " ".$db->plimit($MAXLIST);
+		$sql .= $db->plimit($MAXLIST);
+
 		$resql = $db->query($sql);
 		if ($resql) {
 			$i = 0;

+ 5 - 5
htdocs/fourn/class/fournisseur.commande.class.php

@@ -3681,19 +3681,19 @@ class CommandeFournisseurLigne extends CommonOrderLine
 		$sql .= "'".$this->db->escape($this->rang)."',";
 		$sql .= "'".$this->db->escape($this->qty)."', ";
 		$sql .= " ".(empty($this->vat_src_code) ? "''" : "'".$this->db->escape($this->vat_src_code)."'").",";
-		$sql .= " ".$this->tva_tx.", ";
-		$sql .= " ".$this->localtax1_tx.",";
-		$sql .= " ".$this->localtax2_tx.",";
+		$sql .= " ".price2num($this->tva_tx).", ";
+		$sql .= " ".price2num($this->localtax1_tx).",";
+		$sql .= " ".price2num($this->localtax2_tx).",";
 		$sql .= " '".$this->db->escape($this->localtax1_type)."',";
 		$sql .= " '".$this->db->escape($this->localtax2_type)."',";
-		$sql .= " ".$this->remise_percent.", ".price2num($this->subprice, 'MU').", '".$this->db->escape($this->ref_supplier)."',";
+		$sql .= " ".((float) $this->remise_percent).", ".price2num($this->subprice, 'MU').", '".$this->db->escape($this->ref_supplier)."',";
 		$sql .= " ".price2num($this->total_ht).",";
 		$sql .= " ".price2num($this->total_tva).",";
 		$sql .= " ".price2num($this->total_localtax1).",";
 		$sql .= " ".price2num($this->total_localtax2).",";
 		$sql .= " ".price2num($this->total_ttc).",";
 		$sql .= ($this->fk_unit ? "'".$this->db->escape($this->fk_unit)."'" : "null");
-		$sql .= ", ".($this->fk_multicurrency ? $this->fk_multicurrency : "null");
+		$sql .= ", ".($this->fk_multicurrency ? ((int) $this->fk_multicurrency) : "null");
 		$sql .= ", '".$this->db->escape($this->multicurrency_code)."'";
 		$sql .= ", ".($this->multicurrency_subprice ? price2num($this->multicurrency_subprice) : '0');
 		$sql .= ", ".($this->multicurrency_total_ht ? price2num($this->multicurrency_total_ht) : '0');
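Review bot: `price2num($this->tva_tx)` and the two localtax rates are called without a rounding argument, so a null rate still yields an empty VALUES token and a syntax error instead of `0`; `price2num($this->tva_tx, 'MT')`-style calls or `(float)` casts avoid that, while `(float) $this->remise_percent` two lines later should in turn prefer `price2num()` because `(float)`-to-string conversion is locale dependent on PHP < 8.0. The quoted `'".$this->db->escape($this->rang)."'` and `qty` forms at the top of the hunk lean on the database's implicit string-to-number conversion; casting them like the rest would be more uniform. CommandeFournisseurLigne::insert continues outside the hunk.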

+ 5 - 5
htdocs/fourn/class/fournisseur.facture.class.php

@@ -3584,17 +3584,17 @@ class SupplierInvoiceLine extends CommonObjectLine
 		$sql .= " '".$this->db->escape($this->localtax1_type)."',";
 		$sql .= " '".$this->db->escape($this->localtax2_type)."',";
 		$sql .= ' '.(!empty($this->fk_product) ? $this->fk_product : "null").',';
-		$sql .= " ".$this->product_type.",";
+		$sql .= " ".((int) $this->product_type).",";
 		$sql .= " ".price2num($this->remise_percent).",";
-		$sql .= ' '.(! empty($this->fk_remise_except)?$this->fk_remise_except:"null").',';
+		$sql .= ' '.(! empty($this->fk_remise_except) ? ((int) $this->fk_remise_except) : "null").',';
 		$sql .= " ".price2num($this->subprice).",";
 		$sql .= " ".(!empty($this->qty) ?price2num($this->total_ttc / $this->qty) : price2num($this->total_ttc)).",";
 		$sql .= " ".(!empty($this->date_start) ? "'".$this->db->idate($this->date_start)."'" : "null").",";
 		$sql .= " ".(!empty($this->date_end) ? "'".$this->db->idate($this->date_end)."'" : "null").",";
 		$sql .= ' '.(!empty($this->fk_code_ventilation) ? $this->fk_code_ventilation : 0).',';
-		$sql .= ' '.$this->rang.',';
-		$sql .= ' '.$this->special_code.',';
-		$sql .= " '".$this->db->escape($this->info_bits)."',";
+		$sql .= ' '.((int) $this->rang).',';
+		$sql .= ' '.((int) $this->special_code).',';
+		$sql .= " ".((int) $this->info_bits)."',";
 		$sql .= " ".price2num($this->total_ht).",";
 		$sql .= " ".price2num($this->total_tva).",";
 		$sql .= " ".price2num($this->total_ttc).",";
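Review bot: The `info_bits` line has a stray closing quote: `" ".((int) $this->info_bits)."',"` emits `0',` and breaks every supplier-invoice-line INSERT; it must be `$sql .= " ".((int) $this->info_bits).",";`. `$this->fk_product` and `$this->fk_code_ventilation` earlier in the hunk are still concatenated raw inside the same statement and should get `((int) ...)` as `fk_remise_except` now does. Because the syntax error is unconditional, a test inserting a single SupplierInvoiceLine would have caught it. SupplierInvoiceLine::insert continues on both sides of the hunk.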

+ 15 - 15
htdocs/fourn/class/fournisseur.product.class.php

@@ -455,28 +455,28 @@ class ProductFournisseur extends Product
 				$sql .= (isset($fk_multicurrency) ? "'".$this->db->escape($fk_multicurrency)."'" : 'null').",";
 				$sql .= (isset($multicurrency_code) ? "'".$this->db->escape($multicurrency_code)."'" : 'null').",";
 				$sql .= " '".$this->db->idate($now)."',";
-				$sql .= " ".$this->id.",";
-				$sql .= " ".$fourn->id.",";
+				$sql .= " ".((int) $this->id).",";
+				$sql .= " ".((int) $fourn->id).",";
 				$sql .= " '".$this->db->escape($ref_fourn)."',";
 				$sql .= " '".$this->db->escape($desc_fourn)."',";
 				$sql .= " ".$user->id.",";
-				$sql .= " ".$buyprice.",";
-				$sql .= " ".$qty.",";
-				$sql .= " ".$remise_percent.",";
-				$sql .= " ".$remise.",";
-				$sql .= " ".$unitBuyPrice.",";
-				$sql .= " ".$tva_tx.",";
-				$sql .= " ".$charges.",";
-				$sql .= " ".$availability.",";
+				$sql .= " ".price2num($buyprice).",";
+				$sql .= " ".((float) $qty).",";
+				$sql .= " ".((float) $remise_percent).",";
+				$sql .= " ".((float) $remise).",";
+				$sql .= " ".price2num($unitBuyPrice).",";
+				$sql .= " ".price2num($tva_tx).",";
+				$sql .= " ".price2num($charges).",";
+				$sql .= " ".((int) $availability).",";
 				$sql .= " ".($newdefaultvatcode ? "'".$this->db->escape($newdefaultvatcode)."'" : "null").",";
-				$sql .= " ".$newnpr.",";
+				$sql .= " ".((int) $newnpr).",";
 				$sql .= $conf->entity.",";
-				$sql .= ($delivery_time_days != '' ? $delivery_time_days : 'null').",";
+				$sql .= ($delivery_time_days != '' ? ((int) $delivery_time_days) : 'null').",";
 				$sql .= (empty($supplier_reputation) ? 'NULL' : "'".$this->db->escape($supplier_reputation)."'").",";
 				$sql .= (empty($barcode) ? 'NULL' : "'".$this->db->escape($barcode)."'").",";
 				$sql .= (empty($fk_barcode_type) ? 'NULL' : "'".$this->db->escape($fk_barcode_type)."'");
 				if (!empty($conf->global->PRODUCT_USE_SUPPLIER_PACKAGING)) {
-					$sql .= ", ".(empty($this->packaging) ? 1 : $this->db->escape($this->packaging));
+					$sql .= ", ".(empty($this->packaging) ? '1' : "'".$this->db->escape($this->packaging)."'");
 				}
 				$sql .= ")";
 
@@ -1253,10 +1253,10 @@ class ProductFournisseur extends Product
 		$sql .= (isset($fk_multicurrency) ? "'".$this->db->escape($fk_multicurrency)."'" : 'null').",";
 		$sql .= (isset($multicurrency_code) ? "'".$this->db->escape($multicurrency_code)."'" : 'null').",";
 		$sql .= "'".$this->db->idate($datec)."',";
-		$sql .= " ".$this->product_fourn_price_id.",";
+		$sql .= " ".((int) $this->product_fourn_price_id).",";
 		$sql .= " ".$user->id.",";
 		$sql .= " ".price2num($buyprice).",";
-		$sql .= " ".$qty;
+		$sql .= " ".price2num($qty);
 		$sql .= ")";
 
 		$resql = $this->db->query($sql);
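Review bot: `$user->id` on L706 is still concatenated uncast while the same INSERT now casts `product_fourn_price_id` two lines above; the commit casts `$user->id` with `(int)` elsewhere (holiday, loanschedule, productcustomerprice), so this one looks missed — `$sql .= " ".((int) $user->id).",";`. The same uncast `$user->id` remains on L668 of the preceding hunk in this file, on L817 of paymentloan.class.php and on L831 of product.class.php. The enclosing method continues outside this hunk.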

+ 9 - 9
htdocs/holiday/class/holiday.class.php

@@ -275,17 +275,17 @@ class Holiday extends CommonObject
 		$sql .= "entity";
 		$sql .= ") VALUES (";
 		$sql .= "'(PROV)',";
-		$sql .= "'".$this->db->escape($this->fk_user)."',";
+		$sql .= " ".((int) $this->fk_user)."',";
 		$sql .= " '".$this->db->idate($now)."',";
 		$sql .= " '".$this->db->escape($this->description)."',";
 		$sql .= " '".$this->db->idate($this->date_debut)."',";
 		$sql .= " '".$this->db->idate($this->date_fin)."',";
-		$sql .= " ".$this->halfday.",";
+		$sql .= " ".((int) $this->halfday).",";
 		$sql .= " '1',";
-		$sql .= " '".$this->db->escape($this->fk_validator)."',";
-		$sql .= " ".$this->fk_type.",";
-		$sql .= " ".$user->id.",";
-		$sql .= " ".$conf->entity;
+		$sql .= " ".((int) $this->fk_validator).",";
+		$sql .= " ".((int) $this->fk_type).",";
+		$sql .= " ".((int) $user->id).",";
+		$sql .= " ".((int) $conf->entity);
 		$sql .= ")";
 
 		$this->db->begin();
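Review bot: The new L722 keeps a stray closing quote after the cast, `" ".((int) $this->fk_user)."',"`, so the generated VALUES list reads `'(PROV)', 5', '…` with an unbalanced single quote and the INSERT in `Holiday::create()` will fail with a syntax error. The line should be `$sql .= " ".((int) $this->fk_user).",";`, matching the `fk_validator` and `fk_type` lines below it. The method body starts and ends outside this hunk.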
@@ -1952,12 +1952,12 @@ class Holiday extends CommonObject
 		$sql .= "fk_type";
 		$sql .= ") VALUES (";
 		$sql .= " '".$this->db->idate(dol_now())."',";
-		$sql .= " '".$this->db->escape($fk_user_action)."',";
-		$sql .= " '".$this->db->escape($fk_user_update)."',";
+		$sql .= " ".((int) $fk_user_action).",";
+		$sql .= " ".((int) $fk_user_update).",";
 		$sql .= " '".$this->db->escape($label)."',";
 		$sql .= " '".$this->db->escape($prev_solde)."',";
 		$sql .= " '".$this->db->escape($new_solde)."',";
-		$sql .= " ".$fk_type;
+		$sql .= " ".((int) $fk_type);
 		$sql .= ")";
 
 		$resql = $this->db->query($sql);

+ 2 - 2
htdocs/install/upgrade2.php

@@ -2465,7 +2465,7 @@ function migrate_restore_missing_links($db, $langs, $conf)
 				print 'Line '.$obj->rowid.' in '.$table1.' is linked to record '.$obj->field.' in '.$table2.' that has no link to '.$table1.'. We fix this.<br>';
 				$sql = "UPDATE ".MAIN_DB_PREFIX.$table2." SET";
 				$sql .= " ".$field2." = '".$db->escape($obj->rowid)."'";
-				$sql .= " WHERE rowid=".$obj->field;
+				$sql .= " WHERE rowid = ".((int) $obj->field);
 
 				$resql2 = $db->query($sql);
 				if (!$resql2) {
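Review bot: The SET side on L764 still writes `$obj->rowid` as a quoted, escaped string while the WHERE side now casts the row id to int; both values are integer row ids, so `$sql .= " ".$field2." = ".((int) $obj->rowid);` keeps the two halves of the statement consistent. The same applies to L773 in the second hunk of this file. `migrate_restore_missing_links()` starts and ends outside these hunks.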
@@ -2522,7 +2522,7 @@ function migrate_restore_missing_links($db, $langs, $conf)
 				print 'Line '.$obj->rowid.' in '.$table1.' is linked to record '.$obj->field.' in '.$table2.' that has no link to '.$table1.'. We fix this.<br>';
 				$sql = "UPDATE ".MAIN_DB_PREFIX.$table2." SET";
 				$sql .= " ".$field2." = '".$db->escape($obj->rowid)."'";
-				$sql .= " WHERE rowid=".$obj->field;
+				$sql .= " WHERE rowid = ".((int) $obj->field);
 
 				$resql2 = $db->query($sql);
 				if (!$resql2) {

+ 6 - 6
htdocs/loan/class/loanschedule.class.php

@@ -177,12 +177,12 @@ class LoanSchedule extends CommonObject
 			$sql .= " fk_typepayment, fk_user_creat, fk_bank)";
 			$sql .= " VALUES (".$this->fk_loan.", '".$this->db->idate($now)."',";
 			$sql .= " '".$this->db->idate($this->datep)."',";
-			$sql .= " ".$this->amount_capital.",";
-			$sql .= " ".$this->amount_insurance.",";
-			$sql .= " ".$this->amount_interest.",";
-			$sql .= " ".$this->fk_typepayment.", ";
-			$sql .= " ".$user->id.",";
-			$sql .= " ".$this->fk_bank.")";
+			$sql .= " ".price2num($this->amount_capital).",";
+			$sql .= " ".price2num($this->amount_insurance).",";
+			$sql .= " ".price2num($this->amount_interest).",";
+			$sql .= " ".price2num($this->fk_typepayment).", ";
+			$sql .= " ".((int) $user->id).",";
+			$sql .= " ".((int) $this->fk_bank).")";
 
 			dol_syslog(get_class($this)."::create", LOG_DEBUG);
 			$resql = $this->db->query($sql);
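Review bot: `price2num($this->fk_typepayment)` on L796 applies a decimal-amount normaliser to a foreign-key id; the other fk columns in this hunk use `(int)`, and paymentloan.class.php casts its `paymenttype` with `((int) …)`, so this should be `$sql .= " ".((int) $this->fk_typepayment).", ";`. `$this->fk_loan` on L785 is part of the same VALUES list and is left uncast: `$sql .= " VALUES (".((int) $this->fk_loan).", '".$this->db->idate($now)."',";`. The enclosing `create()` continues outside the hunk.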

+ 4 - 4
htdocs/loan/class/paymentloan.class.php

@@ -182,10 +182,10 @@ class PaymentLoan extends CommonObject
 			$sql .= " fk_typepayment, num_payment, note_private, note_public, fk_user_creat, fk_bank)";
 			$sql .= " VALUES (".$this->chid.", '".$this->db->idate($now)."',";
 			$sql .= " '".$this->db->idate($this->datep)."',";
-			$sql .= " ".$this->amount_capital.",";
-			$sql .= " ".$this->amount_insurance.",";
-			$sql .= " ".$this->amount_interest.",";
-			$sql .= " ".$this->paymenttype.", '".$this->db->escape($this->num_payment)."', '".$this->db->escape($this->note_private)."', '".$this->db->escape($this->note_public)."', ".$user->id.",";
+			$sql .= " ".price2num($this->amount_capital).",";
+			$sql .= " ".price2num($this->amount_insurance).",";
+			$sql .= " ".price2num($this->amount_interest).",";
+			$sql .= " ".((int) $this->paymenttype).", '".$this->db->escape($this->num_payment)."', '".$this->db->escape($this->note_private)."', '".$this->db->escape($this->note_public)."', ".$user->id.",";
 			$sql .= " 0)";
 
 			dol_syslog(get_class($this)."::create", LOG_DEBUG);
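Review bot: `$this->chid` on L808 opens the VALUES list uncast while the amounts and `paymenttype` below it are now normalised; `$sql .= " VALUES (".((int) $this->chid).", '".$this->db->idate($now)."',";` closes that gap. paymentsalary.class.php has the same issue on L962, where `$this->chid` is interpolated directly inside the double-quoted string (`" VALUES ($this->chid, …"`) and would need the same `((int) $this->chid)` concatenation. Both `create()` methods extend beyond their hunks.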

+ 2 - 2
htdocs/product/class/product.class.php

@@ -1714,8 +1714,8 @@ class Product extends CommonObject
 		// Add new price
 		$sql = "INSERT INTO ".MAIN_DB_PREFIX."product_price(price_level,date_price, fk_product, fk_user_author, price, price_ttc, price_base_type,tosell, tva_tx, default_vat_code, recuperableonly,";
 		$sql .= " localtax1_tx, localtax2_tx, localtax1_type, localtax2_type, price_min,price_min_ttc,price_by_qty,entity,fk_price_expression) ";
-		$sql .= " VALUES(".($level ? $level : 1).", '".$this->db->idate($now)."',".$this->id.",".$user->id.",".$this->price.",".$this->price_ttc.",'".$this->db->escape($this->price_base_type)."',".$this->status.",".$this->tva_tx.", ".($this->default_vat_code ? ("'".$this->db->escape($this->default_vat_code)."'") : "null").",".$this->tva_npr.",";
-		$sql .= " ".$this->localtax1_tx.", ".$this->localtax2_tx.", '".$this->db->escape($this->localtax1_type)."', '".$this->db->escape($this->localtax2_type)."', ".$this->price_min.",".$this->price_min_ttc.",".$this->price_by_qty.",".$conf->entity.",".($this->fk_price_expression > 0 ? $this->fk_price_expression : 'null');
+		$sql .= " VALUES(".($level ? $level : 1).", '".$this->db->idate($now)."', ".$this->id.", ".$user->id.", ".price2num($this->price).", ".price2num($this->price_ttc).",'".$this->db->escape($this->price_base_type)."',".((int) $this->status).", ".price2num($this->tva_tx).", ".($this->default_vat_code ? ("'".$this->db->escape($this->default_vat_code)."'") : "null").", ".((int) $this->tva_npr).",";
+		$sql .= " ".price2num($this->localtax1_tx).", ".price2num($this->localtax2_tx).", '".$this->db->escape($this->localtax1_type)."', '".$this->db->escape($this->localtax2_type)."', ".price2num($this->price_min).", ".price2num($this->price_min_ttc).", ".price2num($this->price_by_qty).", ".$conf->entity.",".($this->fk_price_expression > 0 ? ((int) $this->fk_price_expression) : 'null');
 		$sql .= ")";
 
 		dol_syslog(get_class($this)."::_log_price", LOG_DEBUG);
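Review bot: On the new L831 `($level ? $level : 1)` and `$this->id` are still concatenated raw at the head of the VALUES clause while every other numeric column on the line is now cast or passed through `price2num()`; `($level ? ((int) $level) : 1)` and `((int) $this->id)` would finish the job for this statement. `price2num($this->price_by_qty)` also looks like a flag column being treated as an amount — if `price_by_qty` is 0/1 as its use elsewhere suggests, `((int) $this->price_by_qty)` is the matching cast; worth confirming against the schema. `_log_price()` starts and ends outside this hunk.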

+ 2 - 2
htdocs/product/class/productcustomerprice.class.php

@@ -209,7 +209,7 @@ class Productcustomerprice extends CommonObject
 		$sql .= "fk_user,";
 		$sql .= "import_key";
 		$sql .= ") VALUES (";
-		$sql .= " ".$conf->entity.",";
+		$sql .= " ".((int) $conf->entity).",";
 		$sql .= " '".$this->db->idate(dol_now())."',";
 		$sql .= " ".(!isset($this->fk_product) ? 'NULL' : "'".$this->db->escape($this->fk_product)."'").",";
 		$sql .= " ".(!isset($this->fk_soc) ? 'NULL' : "'".$this->db->escape($this->fk_soc)."'").",";
@@ -226,7 +226,7 @@ class Productcustomerprice extends CommonObject
 		$sql .= " ".(!isset($this->localtax1_tx) ? 'NULL' : (empty($this->localtax1_tx) ? 0 : $this->localtax1_tx)).",";
 		$sql .= " ".(empty($this->localtax2_type) ? "'0'" : "'".$this->db->escape($this->localtax2_type)."'").",";
 		$sql .= " ".(!isset($this->localtax2_tx) ? 'NULL' : (empty($this->localtax2_tx) ? 0 : $this->localtax2_tx)).",";
-		$sql .= " ".$user->id.",";
+		$sql .= " ".((int) $user->id).",";
 		$sql .= " ".(!isset($this->import_key) ? 'NULL' : "'".$this->db->escape($this->import_key)."'")."";
 		$sql .= ")";
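Review bot: L850 and L852 still interpolate `$this->localtax1_tx` and `$this->localtax2_tx` raw in the `(empty(...) ? 0 : $this->localtaxN_tx)` branches, even though this hunk was touched to cast `$user->id` one line below; they are the only unguarded values left in this VALUES list. Using the project's normaliser as the rest of the commit does, `(!isset($this->localtax1_tx) ? 'NULL' : (empty($this->localtax1_tx) ? 0 : price2num($this->localtax1_tx)))` (and the same for `localtax2_tx`), closes that. The enclosing `create()` starts outside this hunk.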
 

+ 3 - 10
htdocs/product/class/propalmergepdfproduct.class.php

@@ -105,7 +105,6 @@ class Propalmergepdfproduct extends CommonObject
 
 		// Insert request
 		$sql = "INSERT INTO ".MAIN_DB_PREFIX."propal_merge_pdf_product(";
-
 		$sql .= "fk_product,";
 		$sql .= "file_name,";
 		if ($conf->global->MAIN_MULTILANGS) {
@@ -114,25 +113,19 @@ class Propalmergepdfproduct extends CommonObject
 		$sql .= "fk_user_author,";
 		$sql .= "fk_user_mod,";
 		$sql .= "datec";
-
-
 		$sql .= ") VALUES (";
-
-		$sql .= " ".(!isset($this->fk_product) ? 'NULL' : "'".$this->db->escape($this->fk_product)."'").",";
+		$sql .= " ".(!isset($this->fk_product) ? 'NULL' : ((int) $this->fk_product)).",";
 		$sql .= " ".(!isset($this->file_name) ? 'NULL' : "'".$this->db->escape($this->file_name)."'").",";
 		if ($conf->global->MAIN_MULTILANGS) {
 			$sql .= " ".(!isset($this->lang) ? 'NULL' : "'".$this->db->escape($this->lang)."'").",";
 		}
-		$sql .= " ".$user->id.",";
-		$sql .= " ".$user->id.",";
+		$sql .= " ".((int) $user->id).",";
+		$sql .= " ".((int) $user->id).",";
 		$sql .= " '".$this->db->idate(dol_now())."'";
-
-
 		$sql .= ")";
 
 		$this->db->begin();
 
-		dol_syslog(__METHOD__, LOG_DEBUG);
 		$resql = $this->db->query($sql);
 		if (!$resql) {
 			$error++; $this->errors[] = "Error ".$this->db->lasterror();
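Review bot: The `dol_syslog(__METHOD__, LOG_DEBUG);` call before `$this->db->query($sql)` is dropped on L895 although it is unrelated to the cast fix in this hunk, and the sibling `create()` methods touched by this commit keep their `dol_syslog(get_class($this)."::create", LOG_DEBUG);`. If the removal was not deliberate, restoring the line keeps query tracing consistent across these classes. `create()` continues beyond the hunk.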

+ 1 - 1
htdocs/product/dynamic_price/class/price_global_variable.class.php

@@ -93,7 +93,7 @@ class PriceGlobalVariable
 		$sql .= ") VALUES (";
 		$sql .= " ".(isset($this->code) ? "'".$this->db->escape($this->code)."'" : "''").",";
 		$sql .= " ".(isset($this->description) ? "'".$this->db->escape($this->description)."'" : "''").",";
-		$sql .= " ".$this->value;
+		$sql .= " ".((float) $this->value);
 		$sql .= ")";
 
 		$this->db->begin();
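Review bot: `((float) $this->value)` on L908 relies on PHP's float-to-string conversion, which followed the process locale before PHP 8.0, so under a comma-decimal locale `1.5` is emitted as `1,5` and the VALUES list is malformed or the value truncated. The rest of this commit uses Dolibarr's `price2num()` for decimal columns; `$sql .= " ".price2num($this->value);` is the consistent form. The same `(float)` concatenation appears on L943 of mouvementstock.class.php (`qty`) and in the `qty`/`remise_percent`/`remise` casts of the first fournisseur.product.class.php hunk. The enclosing method starts outside this hunk.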

+ 4 - 4
htdocs/product/dynamic_price/class/price_global_variable_updater.class.php

@@ -103,12 +103,12 @@ class PriceGlobalVariableUpdater
 		$sql = "INSERT INTO ".MAIN_DB_PREFIX.$this->table_element." (";
 		$sql .= "type, description, parameters, fk_variable, update_interval, next_update, last_status";
 		$sql .= ") VALUES (";
-		$sql .= " ".$this->type.",";
+		$sql .= " ".((int) $this->type).",";
 		$sql .= " ".(isset($this->description) ? "'".$this->db->escape($this->description)."'" : "''").",";
 		$sql .= " ".(isset($this->parameters) ? "'".$this->db->escape($this->parameters)."'" : "''").",";
-		$sql .= " ".$this->fk_variable.",";
-		$sql .= " ".$this->update_interval.",";
-		$sql .= " ".$this->next_update.",";
+		$sql .= " ".((int) $this->fk_variable).",";
+		$sql .= " ".((int) $this->update_interval).",";
+		$sql .= " ".((int) $this->next_update).",";
 		$sql .= " ".(isset($this->last_status) ? "'".$this->db->escape($this->last_status)."'" : "''");
 		$sql .= ")";
 

+ 4 - 4
htdocs/product/stock/class/mouvementstock.class.php

@@ -432,14 +432,14 @@ class MouvementStock extends CommonObject
 			$sql .= " ".($batch ? "'".$this->db->escape($batch)."'" : "null").", ";
 			$sql .= " ".($eatby ? "'".$this->db->idate($eatby)."'" : "null").", ";
 			$sql .= " ".($sellby ? "'".$this->db->idate($sellby)."'" : "null").", ";
-			$sql .= " ".$this->entrepot_id.", ".$this->qty.", ".((int) $this->type).",";
-			$sql .= " ".$user->id.",";
+			$sql .= " ".((int) $this->entrepot_id).", ".((float) $this->qty).", ".((int) $this->type).",";
+			$sql .= " ".((int) $user->id).",";
 			$sql .= " '".$this->db->escape($label)."',";
 			$sql .= " ".($inventorycode ? "'".$this->db->escape($inventorycode)."'" : "null").",";
 			$sql .= " ".price2num($price).",";
-			$sql .= " ".$fk_origin.",";
+			$sql .= " ".((int) $fk_origin).",";
 			$sql .= " '".$this->db->escape($origintype)."',";
-			$sql .= " ".$fk_project;
+			$sql .= " ".((int) $fk_project);
 			$sql .= ")";
 
 			dol_syslog(get_class($this)."::_create insert record into stock_mouvement", LOG_DEBUG);

+ 2 - 2
htdocs/salaries/class/paymentsalary.class.php

@@ -168,8 +168,8 @@ class PaymentSalary extends CommonObject
 			$sql .= " fk_typepayment, num_payment, note, fk_user_author, fk_bank)";
 			$sql .= " VALUES ($this->chid, '".$this->db->idate($now)."',";
 			$sql .= " '".$this->db->idate($this->datepaye)."',";
-			$sql .= " ".$totalamount.",";
-			$sql .= " ".$this->paiementtype.", '".$this->db->escape($this->num_payment)."', '".$this->db->escape($this->note)."', ".$user->id.",";
+			$sql .= " ".price2num($totalamount).",";
+			$sql .= " ".((int) $this->paiementtype).", '".$this->db->escape($this->num_payment)."', '".$this->db->escape($this->note)."', ".((int) $user->id).",";
 			$sql .= " 0)";
 
 			$resql = $this->db->query($sql);

+ 4 - 4
htdocs/societe/class/societe.class.php

@@ -2112,9 +2112,9 @@ class Societe extends CommonObject
 			// Writes trace in discount history
 			$sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_remise";
 			$sql .= " (entity, datec, fk_soc, remise_client, note, fk_user_author)";
-			$sql .= " VALUES (".$conf->entity.", '".$this->db->idate($now)."', ".$this->id.", '".$this->db->escape($remise)."',";
+			$sql .= " VALUES (".$conf->entity.", '".$this->db->idate($now)."', ".((int) $this->id).", '".$this->db->escape($remise)."',";
 			$sql .= " '".$this->db->escape($note)."',";
-			$sql .= " ".$user->id;
+			$sql .= " ".((int) $user->id);
 			$sql .= ")";
 
 			$resql = $this->db->query($sql);
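Review bot: `$conf->entity` on the new L980 is left uncast while `$this->id` and `$user->id` in the same VALUES clause now are; productcustomerprice.class.php in this same commit casts it as `((int) $conf->entity)`, so `$sql .= " VALUES (".((int) $conf->entity).", '".$this->db->idate($now)."', ".((int) $this->id).", '".$this->db->escape($remise)."',";` would align them. The same applies to L992 in the second hunk of this file and to L832 of product.class.php. Both enclosing methods extend beyond their hunks.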
@@ -2171,9 +2171,9 @@ class Societe extends CommonObject
 			// Writes trace in discount history
 			$sql = "INSERT INTO ".MAIN_DB_PREFIX."societe_remise_supplier";
 			$sql .= " (entity, datec, fk_soc, remise_supplier, note, fk_user_author)";
-			$sql .= " VALUES (".$conf->entity.", '".$this->db->idate($now)."', ".$this->id.", '".$this->db->escape($remise)."',";
+			$sql .= " VALUES (".$conf->entity.", '".$this->db->idate($now)."', ".((int) $this->id).", '".$this->db->escape($remise)."',";
 			$sql .= " '".$this->db->escape($note)."',";
-			$sql .= " ".$user->id;
+			$sql .= " ".((int) $user->id);
 			$sql .= ")";
 
 			$resql = $this->db->query($sql);

+ 3 - 8
htdocs/ticket/class/ticket.class.php

@@ -1829,7 +1829,6 @@ class Ticket extends CommonObject
 	public function searchSocidByEmail($email, $type = '0', $filters = array(), $clause = 'AND')
 	{
 		$thirdparties = array();
-		$case = 0;
 		$exact = 0;
 
 		// Generation requete recherche
@@ -1843,7 +1842,7 @@ class Ticket extends CommonObject
 			}
 		}
 		if (!empty($email)) {
-			if (!$exact) {
+			if (empty($exact)) {
 				$regs = array();
 				if (preg_match('/^([\*])?[^*]+([\*])?$/', $email, $regs) && count($regs) > 1) {
 					$email = str_replace('*', '%', $email);
@@ -1856,15 +1855,11 @@ class Ticket extends CommonObject
 				$sql .= "(";
 			}
 
-			if (!$case) {
-				$sql .= "email LIKE '".$this->db->escape($email)."'";
-			} else {
-				$sql .= "email LIKE BINARY '".$this->db->escape($email)."'";
-			}
+			$sql .= "email LIKE '".$this->db->escape($email)."'";
 		}
 		if (is_array($filters) && !empty($filters)) {
 			foreach ($filters as $field => $value) {
-				$sql .= " ".$clause." ".$field." LIKE BINARY '".$this->db->escape($value)."'";
+				$sql .= " ".$clause." ".$field." LIKE '".$this->db->escape($value)."'";
 			}
 			if (!empty($email)) {
 				$sql .= ")";
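Review bot: On the new L1034 `$field` (the keys of the caller-supplied `$filters` array) and `$clause` are still concatenated into the WHERE clause unescaped; only `$value` goes through `escape()`, so the hunk hardens the wrong half of that line. Unless every caller hard-codes both, validate the key against the accepted column names before appending, e.g. `if (!preg_match('/^[a-zA-Z0-9_.]+$/', $field)) { continue; }`, and restrict `$clause` to `'AND'`/`'OR'` at the top of the method. Replacing `LIKE BINARY` with `LIKE` also makes these comparisons follow the column collation (usually case-insensitive), which looks intended for portability but is a behavior change for the filter fields and deserves a comment such as `// Case sensitivity now follows the column collation`. `searchSocidByEmail()` continues past the end of the hunk.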