Laurent Destailleur 4 سال پیش
والد
کامیت
b5703350da
24فایلهای تغییر یافته به همراه62 افزوده شده و 56 حذف شده
  1. 2 1
      htdocs/core/extrafieldsinexport.inc.php
  2. 11 11
      htdocs/core/lib/functions.lib.php
  3. 13 8
      htdocs/core/lib/functions2.lib.php
  4. 1 1
      htdocs/core/lib/security.lib.php
  5. 7 7
      htdocs/core/modules/DolibarrModules.class.php
  6. 1 1
      htdocs/core/modules/barcode/mod_barcode_product_standard.php
  7. 1 1
      htdocs/core/modules/expensereport/doc/pdf_standard.modules.php
  8. 2 2
      htdocs/core/modules/facture/mod_facture_mars.php
  9. 2 2
      htdocs/core/modules/facture/mod_facture_terre.php
  10. 1 1
      htdocs/core/modules/import/import_csv.modules.php
  11. 1 1
      htdocs/core/modules/import/import_xlsx.modules.php
  12. 2 2
      htdocs/core/modules/mailings/contacts1.modules.php
  13. 2 2
      htdocs/core/modules/mailings/fraise.modules.php
  14. 1 1
      htdocs/core/modules/mailings/modules_mailings.php
  15. 1 1
      htdocs/core/modules/mailings/pomme.modules.php
  16. 1 1
      htdocs/core/modules/mailings/thirdparties_services_expired.modules.php
  17. 4 4
      htdocs/core/modules/movement/doc/pdf_standard.modules.php
  18. 1 1
      htdocs/core/modules/printing/printgcp.modules.php
  19. 1 1
      htdocs/core/modules/printing/printipp.modules.php
  20. 1 1
      htdocs/core/modules/product/mod_codeproduct_elephant.php
  21. 1 1
      htdocs/core/modules/societe/mod_codeclient_monkey.php
  22. 1 1
      htdocs/core/modules/stock/doc/pdf_standard.modules.php
  23. 2 2
      htdocs/core/modules/supplier_invoice/mod_facture_fournisseur_cactus.php
  24. 2 2
      htdocs/core/modules/ticket/mod_ticket_simple.php

+ 2 - 1
htdocs/core/extrafieldsinexport.inc.php

@@ -8,7 +8,8 @@ if (empty($keyforselect) || empty($keyforelement) || empty($keyforaliasextra))
 }
 
 // Add extra fields
-$sql = "SELECT name, label, type, param, fieldcomputed, fielddefault FROM ".MAIN_DB_PREFIX."extrafields WHERE elementtype = '".$keyforselect."' AND type != 'separate' AND entity IN (0, ".$conf->entity.') ORDER BY pos ASC';
+$sql = "SELECT name, label, type, param, fieldcomputed, fielddefault FROM ".MAIN_DB_PREFIX."extrafields";
+$sql .= " WHERE elementtype = '".$this->db->escape($keyforselect)."' AND type != 'separate' AND entity IN (0, ".$conf->entity.') ORDER BY pos ASC';
 //print $sql;
 $resql = $this->db->query($sql);
 if ($resql)    // This can fail when class is used on old database (during migration for example)
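Review bot: `$conf->entity` is still concatenated bare into the `entity IN (0, …)` clause on the new line while `$keyforselect` now goes through `escape()`; the commit's own security.lib.php hunk uses an integer cast for ids, and the same idiom fits here: `entity IN (0, ".((int) $conf->entity).') ORDER BY pos ASC'`. The value comes from configuration rather than the request, so the exposure is low, but the cast makes the statement uniformly typed regardless of where the value originates. The file is an include fragment, so the surrounding scope lies outside the hunk.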

+ 11 - 11
htdocs/core/lib/functions.lib.php

@@ -4908,9 +4908,9 @@ function get_localtax_by_third($local)
 	global $db, $mysoc;
 	$sql = "SELECT t.localtax1, t.localtax2 ";
 	$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t inner join ".MAIN_DB_PREFIX."c_country as c ON c.rowid=t.fk_pays";
-	$sql .= " WHERE c.code = '".$mysoc->country_code."' AND t.active = 1 AND t.taux=(";
+	$sql .= " WHERE c.code = '".$db->escape($mysoc->country_code)."' AND t.active = 1 AND t.taux=(";
 	$sql .= "  SELECT max(tt.taux) FROM ".MAIN_DB_PREFIX."c_tva as tt inner join ".MAIN_DB_PREFIX."c_country as c ON c.rowid=tt.fk_pays";
-	$sql .= "  WHERE c.code = '".$mysoc->country_code."' AND tt.active = 1";
+	$sql .= "  WHERE c.code = '".$db->escape($mysoc->country_code)."' AND tt.active = 1";
 	$sql .= "  )";
 
 	$resql = $db->query($sql);
@@ -4956,11 +4956,11 @@ function getTaxesFromId($vatrate, $buyer = null, $seller = null, $firstparamisid
 		}
 
 		$sql .= ", ".MAIN_DB_PREFIX."c_country as c";
-		/*if ($mysoc->country_code == 'ES') $sql.= " WHERE t.fk_pays = c.rowid AND c.code = '".$buyer->country_code."'";    // vat in spain use the buyer country ??
-		else $sql.= " WHERE t.fk_pays = c.rowid AND c.code = '".$seller->country_code."'";*/
-		$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$seller->country_code."'";
+		/*if ($mysoc->country_code == 'ES') $sql.= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($buyer->country_code)."'";    // vat in spain use the buyer country ??
+		else $sql.= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($seller->country_code)."'";*/
+		$sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($seller->country_code)."'";
 		$sql .= " AND t.taux = ".((float) $vatratecleaned)." AND t.active = 1";
-		if ($vatratecode) $sql .= " AND t.code = '".$vatratecode."'";
+		if ($vatratecode) $sql .= " AND t.code = '".$db->escape($vatratecode)."'";
 	}
 
 	$resql = $db->query($sql);
@@ -5011,10 +5011,10 @@ function getLocalTaxesFromRate($vatrate, $local, $buyer, $seller, $firstparamisi
 		}
 
 		$sql .= ", ".MAIN_DB_PREFIX."c_country as c";
-		if ($mysoc->country_code == 'ES') $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$buyer->country_code."'"; // local tax in spain use the buyer country ??
-		else $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$seller->country_code."'";
+		if ($mysoc->country_code == 'ES') $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($buyer->country_code)."'"; // local tax in spain use the buyer country ??
+		else $sql .= " WHERE t.fk_pays = c.rowid AND c.code = '".$db->escape($seller->country_code)."'";
 		$sql .= " AND t.taux = ".((float) $vatratecleaned)." AND t.active = 1";
-		if ($vatratecode) $sql .= " AND t.code = '".$vatratecode."'";
+		if ($vatratecode) $sql .= " AND t.code = '".$db->escape($vatratecode)."'";
 	}
 
 	$resql = $db->query($sql);
@@ -5088,7 +5088,7 @@ function get_product_vat_for_country($idprod, $thirdparty_seller, $idprodfournpr
 			// If vat of product for the country not found or not defined, we return the first higher vat of country.
 			$sql = "SELECT t.taux as vat_rate, t.code as default_vat_code";
 			$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
-			$sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$thirdparty_seller->country_code."'";
+			$sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$db->escape($thirdparty_seller->country_code)."'";
 			$sql .= " ORDER BY t.taux DESC, t.code ASC, t.recuperableonly ASC";
 			$sql .= $db->plimit(1);
 
@@ -5153,7 +5153,7 @@ function get_product_localtax_for_country($idprod, $local, $thirdparty_seller)
 		// If vat of product for the country not found or not defined, we return higher vat of country.
 		$sql = "SELECT taux as vat_rate, localtax1, localtax2";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_tva as t, ".MAIN_DB_PREFIX."c_country as c";
-		$sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$thirdparty_seller->country_code."'";
+		$sql .= " WHERE t.active=1 AND t.fk_pays = c.rowid AND c.code='".$db->escape($thirdparty_seller->country_code)."'";
 		$sql .= " ORDER BY t.taux DESC, t.recuperableonly ASC";
 		$sql .= $db->plimit(1);
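Review bot: In the getTaxesFromId hunk the `$db->escape()` call was also applied inside the commented-out `/*if ($mysoc->country_code == 'ES') …*/` block, so the commit is now maintaining dead code. Either delete that comment (getLocalTaxesFromRate just below carries the live version of the same branch) or leave it untouched; patching it only makes future searches for unescaped interpolation noisier. The remaining hunks look consistent: country codes are escaped and `$vatratecleaned` is cast to float before interpolation. All five functions start and end outside their hunks.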
 

+ 13 - 8
htdocs/core/lib/functions2.lib.php

@@ -579,6 +579,7 @@ function clean_url($url, $http = 1)
 	// Fixed by Matelli (see http://matelli.fr/showcases/patchs-dolibarr/fix-cleaning-url.html)
 	// To include the minus sign in a char class, we must not escape it but put it at the end of the class
 	// Also, there's no need of escape a dot sign in a class
+	$regs = array();
 	if (preg_match('/^(https?:[\\/]+)?([0-9A-Z.-]+\.[A-Z]{2,4})(:[0-9]+)?/i', $url, $regs))
 	{
 		$proto = $regs[1];
@@ -737,6 +738,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 	//$date=dol_stringtotime('20130101');
 
 	$hasglobalcounter = false;
+	$reg = array();
 	// Extract value for mask counter, mask raz and mask offset
 	if (preg_match('/\{(0+)([@\+][0-9\-\+\=]+)?([@\+][0-9\-\+\=]+)?\}/i', $mask, $reg))
 	{
@@ -755,6 +757,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 	if (dol_strlen($maskcounter) < 3 && empty($conf->global->MAIN_COUNTER_WITH_LESS_3_DIGITS)) return 'ErrorCounterMustHaveMoreThan3Digits';
 
 	// Extract value for third party mask counter
+	$regClient = array();
 	if (preg_match('/\{(c+)(0*)\}/i', $mask, $regClientRef))
 	{
 		$maskrefclient = $regClientRef[1].$regClientRef[2];
@@ -774,6 +777,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 	}
 
 	// Extract value for third party type
+	$regType = array();
 	if (preg_match('/\{(t+)\}/i', $mask, $regType))
 	{
 		$masktype = $regType[1];
@@ -802,6 +806,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 	$maskperso = array();
 	$maskpersonew = array();
 	$tmpmask = $mask;
+	$regKey = array();
 	while (preg_match('/\{([A-Z]+)\-([1-9])\}/', $tmpmask, $regKey))
 	{
 		$maskperso[$regKey[1]] = '{'.$regKey[1].'-'.$regKey[2].'}';
@@ -918,19 +923,19 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 			elseif ($yearlen == 2) $yearcomp1 = sprintf("%02d", date("y", $date) + $yearoffset + 1);
 
 			$sqlwhere .= "(";
-			$sqlwhere .= " (SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$yearcomp."'";
+			$sqlwhere .= " (SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$db->escape($yearcomp)."'";
 			$sqlwhere .= " AND SUBSTRING(".$field.", ".$monthpos.", ".$monthlen.") >= '".str_pad($monthcomp, $monthlen, '0', STR_PAD_LEFT)."')";
 			$sqlwhere .= " OR";
-			$sqlwhere .= " (SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$yearcomp1."'";
+			$sqlwhere .= " (SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$db->escape($yearcomp1)."'";
 			$sqlwhere .= " AND SUBSTRING(".$field.", ".$monthpos.", ".$monthlen.") < '".str_pad($monthcomp, $monthlen, '0', STR_PAD_LEFT)."') ";
 			$sqlwhere .= ')';
 		} elseif ($resetEveryMonth)
 		{
-			$sqlwhere .= "(SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$yearcomp."'";
+			$sqlwhere .= "(SUBSTRING(".$field.", ".$yearpos.", ".$yearlen.") = '".$db->escape($yearcomp)."'";
 			$sqlwhere .= " AND SUBSTRING(".$field.", ".$monthpos.", ".$monthlen.") = '".str_pad($monthcomp, $monthlen, '0', STR_PAD_LEFT)."')";
 		} else // reset is done on january
 		{
-			$sqlwhere .= '(SUBSTRING('.$field.', '.$yearpos.', '.$yearlen.") = '".$yearcomp."')";
+			$sqlwhere .= '(SUBSTRING('.$field.', '.$yearpos.', '.$yearlen.") = '".$db->escape($yearcomp)."')";
 		}
 	}
 	//print "sqlwhere=".$sqlwhere." yearcomp=".$yearcomp."<br>\n";	// sqlwhere and yearcomp defined only if we ask a reset
@@ -969,7 +974,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 	$counter = 0;
 	$sql = "SELECT MAX(".$sqlstring.") as val";
 	$sql .= " FROM ".MAIN_DB_PREFIX.$table;
-	$sql .= " WHERE ".$field." LIKE '".$maskLike."'";
+	$sql .= " WHERE ".$field." LIKE '".$db->escape($maskLike)."'";
 	$sql .= " AND ".$field." NOT LIKE '(PROV%)'";
 	if ($bentityon) // only if entity enable
 		$sql .= " AND entity IN (".getEntity($sharetable).")";
@@ -1016,7 +1021,7 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 		$ref = '';
 		$sql = "SELECT ".$field." as ref";
 		$sql .= " FROM ".MAIN_DB_PREFIX.$table;
-		$sql .= " WHERE ".$field." LIKE '".$maskLike."'";
+		$sql .= " WHERE ".$field." LIKE '".$db->escape($maskLike)."'";
 		$sql .= " AND ".$field." NOT LIKE '%PROV%'";
 		if ($bentityon) // only if entity enable
 			$sql .= " AND entity IN (".getEntity($sharetable).")";
@@ -1071,14 +1076,14 @@ function get_next_value($db, $mask, $table, $field, $where = '', $objsoc = '', $
 			$maskrefclient_sql = "SELECT MAX(".$maskrefclient_sqlstring.") as val";
 			$maskrefclient_sql .= " FROM ".MAIN_DB_PREFIX.$table;
 			//$sql.= " WHERE ".$field." not like '(%'";
-			$maskrefclient_sql .= " WHERE ".$field." LIKE '".$maskrefclient_maskLike."'";
+			$maskrefclient_sql .= " WHERE ".$field." LIKE '".$db->escape($maskrefclient_maskLike)."'";
 			if ($bentityon) // only if entity enable
 				$maskrefclient_sql .= " AND entity IN (".getEntity($sharetable).")";
 			elseif (!empty($forceentity))
 				$sql .= " AND entity IN (".$forceentity.")";
 			if ($where) $maskrefclient_sql .= $where; //use the same optional where as general mask
 			if ($sqlwhere) $maskrefclient_sql .= ' AND '.$sqlwhere; //use the same sqlwhere as general mask
-			$maskrefclient_sql .= ' AND (SUBSTRING('.$field.', '.(strpos($maskwithnocode, $maskrefclient) + 1).', '.dol_strlen($maskrefclient_maskclientcode).")='".$maskrefclient_clientcode."')";
+			$maskrefclient_sql .= ' AND (SUBSTRING('.$field.', '.(strpos($maskwithnocode, $maskrefclient) + 1).', '.dol_strlen($maskrefclient_maskclientcode).")='".$db->escape($maskrefclient_clientcode)."')";
 
 			dol_syslog("functions2::get_next_value maskrefclient", LOG_DEBUG);
 			$maskrefclient_resql = $db->query($maskrefclient_sql);
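Review bot: In the hunk at `@@ -755,6 +757,7 @@` the added initialisation is `$regClient = array();` but the `preg_match` on the next line writes into `$regClientRef`, so the variable that is actually read (`$regClientRef[1]`) is still uninitialised and the new line is dead; it should read `$regClientRef = array();`. The other four initialisations (`$regs`, `$reg`, `$regType`, `$regKey`) do match their preg_match targets. Separately, in the last hunk the context line `$sql .= " AND entity IN (".$forceentity.")";` appends to `$sql` rather than `$maskrefclient_sql`, which looks like a copy-paste slip the commit does not touch — worth confirming against the rest of get_next_value, which starts and ends outside these hunks.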

+ 1 - 1
htdocs/core/lib/security.lib.php

@@ -528,7 +528,7 @@ function checkUserAccessToObject($user, $featuresarray, $objectid = 0, $tableand
 			{
 				$sql = "SELECT COUNT(dbt.".$dbt_select.") as nb";
 				$sql .= " FROM ".MAIN_DB_PREFIX.$dbtablename." as dbt";
-				$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = '".$user->id."'";
+				$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe_commerciaux as sc ON dbt.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 				$sql .= " WHERE dbt.".$dbt_select." IN (".$objectid.")";
 				$sql .= " AND (dbt.fk_soc IS NULL OR sc.fk_soc IS NOT NULL)"; // Contact not linked to a company or to a company of user
 				$sql .= " AND dbt.entity IN (".getEntity($sharedelement, 1).")";
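Review bot: `sc.fk_user` is now cast with `(int)`, but `$objectid` on the very next line is still spliced raw into `IN (".$objectid.")"`; since checkUserAccessToObject is the access-control gate, every value in that statement deserves the same normalisation. If `$objectid` can be a comma-separated list, `implode(',', array_map('intval', explode(',', $objectid)))` keeps the list form while forcing integers; if it is always a single id, `((int) $objectid)` is enough. I cannot see where `$objectid` is built — the function starts and ends outside this hunk — so which form applies needs checking.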

+ 7 - 7
htdocs/core/modules/DolibarrModules.class.php

@@ -1586,10 +1586,10 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
 					$sql = "INSERT INTO ".MAIN_DB_PREFIX."const (name,type,value,note,visible,entity)";
 					$sql .= " VALUES (";
 					$sql .= $this->db->encrypt($name, 1);
-					$sql .= ",'".$type."'";
+					$sql .= ",'".$this->db->escape($type)."'";
 					$sql .= ",".(($val != '') ? $this->db->encrypt($val, 1) : "''");
 					$sql .= ",".($note ? "'".$this->db->escape($note)."'" : "null");
-					$sql .= ",'".$visible."'";
+					$sql .= ",'".$this->db->escape($visible)."'";
 					$sql .= ",".$entity;
 					$sql .= ")";
 
@@ -1630,7 +1630,7 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
 
 			if ($deleteonunactive) {
 				$sql = "DELETE FROM ".MAIN_DB_PREFIX."const";
-				$sql .= " WHERE ".$this->db->decrypt('name')." = '".$name."'";
+				$sql .= " WHERE ".$this->db->decrypt('name')." = '".$this->db->escape($name)."'";
 				$sql .= " AND entity in (0, ".$conf->entity.")";
 				dol_syslog(get_class($this)."::delete_const", LOG_DEBUG);
 				if (!$this->db->query($sql)) {
@@ -1700,18 +1700,18 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
 									$sql = "INSERT INTO ".MAIN_DB_PREFIX."rights_def";
 									$sql .= " (id, entity, libelle, module, type, bydefault, perms, subperms)";
 									$sql .= " VALUES ";
-									$sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$r_modul."','".$r_type."',".$r_def.",'".$r_perms."','".$r_subperms."')";
+									$sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$this->db->escape($r_modul)."','".$this->db->escape($r_type)."',".$r_def.",'".$this->db->escape($r_perms)."','".$this->db->escape($r_subperms)."')";
 								} else {
 									$sql = "INSERT INTO ".MAIN_DB_PREFIX."rights_def";
 									$sql .= " (id, entity, libelle, module, type, bydefault, perms)";
 									$sql .= " VALUES ";
-									$sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$r_modul."','".$r_type."',".$r_def.",'".$r_perms."')";
+									$sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$this->db->escape($r_modul)."','".$this->db->escape($r_type)."',".$r_def.",'".$this->db->escape($r_perms)."')";
 								}
 							} else {
 								 $sql = "INSERT INTO ".MAIN_DB_PREFIX."rights_def ";
 								 $sql .= " (id, entity, libelle, module, type, bydefault)";
 								 $sql .= " VALUES ";
-								 $sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$r_modul."','".$r_type."',".$r_def.")";
+								 $sql .= "(".$r_id.",".$entity.",'".$this->db->escape($r_desc)."','".$this->db->escape($r_modul)."','".$this->db->escape($r_type)."',".$r_def.")";
 							}
 
 							$resqlinsert = $this->db->query($sql, 1);
@@ -2009,7 +2009,7 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
 
 		$sql = "SELECT count(*)";
 		$sql .= " FROM ".MAIN_DB_PREFIX."const";
-		$sql .= " WHERE ".$this->db->decrypt('name')." = '".$name."'";
+		$sql .= " WHERE ".$this->db->decrypt('name')." = '".$this->db->escape($name)."'";
 		$sql .= " AND entity = ".$conf->entity;
 
 		dol_syslog(get_class($this)."::insert_dirs", LOG_DEBUG);
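Review bot: The escapes are applied to the string columns only, while the numeric columns in the same statements stay bare: `$entity` at `",".$entity` in the const insert, and `$r_id`, `$entity`, `$r_def` in all three rights_def inserts. The rest of the commit uses `((int) …)` for such values (security.lib.php, the pdf modules), so `",".((int) $entity)` and `"(".((int) $r_id).",".((int) $entity).",…"` would make these hunks consistent with that pattern. `$visible` is now quoted and escaped as a string; if that column is numeric, `((int) $visible)` is the more faithful choice — confirm against the `const` table definition. The methods touched here start and end outside the hunks.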

+ 1 - 1
htdocs/core/modules/barcode/mod_barcode_product_standard.php

@@ -245,7 +245,7 @@ class mod_barcode_product_standard extends ModeleNumRefBarCode
 	{
         // phpcs:enable
 		$sql = "SELECT barcode FROM ".MAIN_DB_PREFIX."product";
-		$sql .= " WHERE barcode = '".$code."'";
+		$sql .= " WHERE barcode = '".$db->escape($code)."'";
 		if ($product->id > 0) $sql .= " AND rowid <> ".$product->id;
 
 		$resql = $db->query($sql);
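Review bot: `$code` is now escaped but `$product->id` on the following line remains bare: `if ($product->id > 0) $sql .= " AND rowid <> ".$product->id;`; the `> 0` guard only protects when the value is already numeric, so `" AND rowid <> ".((int) $product->id)` is the cheaper and safer form. The same unchanged line appears in mod_codeproduct_elephant.php, and in modules_mailings.php the new escape quotes `fk_contact` as a string for what is presumably an integer column, where `(int)` would again be the better fit. The verify method starts and ends outside this hunk.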

+ 1 - 1
htdocs/core/modules/expensereport/doc/pdf_standard.modules.php

@@ -1029,7 +1029,7 @@ class pdf_standard extends ModeleExpenseReport
 		$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_paiement as c ON p.fk_typepayment = c.id";
 		$sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'bank as b ON p.fk_bank = b.rowid';
 		$sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'bank_account as ba ON b.fk_account = ba.rowid';
-		$sql .= " WHERE e.rowid = '".$object->id."'";
+		$sql .= " WHERE e.rowid = ".((int) $object->id);
 		$sql .= " AND p.fk_expensereport = e.rowid";
 		$sql .= ' AND e.entity IN ('.getEntity('expensereport').')';
 		$sql .= " ORDER BY dp";

+ 2 - 2
htdocs/core/modules/facture/mod_facture_mars.php

@@ -162,7 +162,7 @@ class mod_facture_mars extends ModeleNumRefFactures
 		$posindice = strlen($prefix) + 6;
 		$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
 		$sql .= " FROM ".MAIN_DB_PREFIX."facture";
-		$sql .= " WHERE ref LIKE '".$prefix."____-%'";
+		$sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-%'";
 		$sql .= " AND entity IN (".getEntity('invoicenumber', 1, $invoice).")";
 
 		$resql = $db->query($sql);
@@ -184,7 +184,7 @@ class mod_facture_mars extends ModeleNumRefFactures
             $ref = '';
             $sql = "SELECT ref as ref";
             $sql .= " FROM ".MAIN_DB_PREFIX."facture";
-            $sql .= " WHERE ref LIKE '".$prefix."____-".$num."'";
+            $sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-".$num."'";
             $sql .= " AND entity IN (".getEntity('invoicenumber', 1, $invoice).")";
             $sql .= " ORDER BY ref DESC";
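Review bot: In the second hunk `$num` is still interpolated raw into `LIKE '".$db->escape($prefix)."____-".$num."'"` while only `$prefix` is escaped; if `$num` is the zero-padded counter computed above it is numeric, but escaping it as well (`"____-".$db->escape($num)."'"`) costs nothing and keeps the statement uniformly treated. The same pattern is left in mod_facture_terre.php (`@@ -215,7 +215,7 @@`) and mod_facture_fournisseur_cactus.php (`@@ -204,7 +204,7 @@`). Note also that `escape()` does not neutralise the LIKE wildcards `%` and `_`, so a prefix containing them would still widen the match; prefixes come from module configuration, so this is a robustness rather than an injection concern. getNextValue starts and ends outside these hunks.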
 

+ 2 - 2
htdocs/core/modules/facture/mod_facture_terre.php

@@ -194,7 +194,7 @@ class mod_facture_terre extends ModeleNumRefFactures
 		$posindice = strlen($prefix) + 6;
 		$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
 		$sql .= " FROM ".MAIN_DB_PREFIX."facture";
-		$sql .= " WHERE ref LIKE '".$prefix."____-%'";
+		$sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-%'";
 		$sql .= " AND entity IN (".getEntity('invoicenumber', 1, $invoice).")";
 
 		$resql = $db->query($sql);
@@ -215,7 +215,7 @@ class mod_facture_terre extends ModeleNumRefFactures
             $ref = '';
             $sql = "SELECT ref as ref";
             $sql .= " FROM ".MAIN_DB_PREFIX."facture";
-            $sql .= " WHERE ref LIKE '".$prefix."____-".$num."'";
+            $sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-".$num."'";
             $sql .= " AND entity IN (".getEntity('invoicenumber', 1, $invoice).")";
             $sql .= " ORDER BY ref DESC";
 

+ 1 - 1
htdocs/core/modules/import/import_csv.modules.php

@@ -843,7 +843,7 @@ class ImportCsv extends ModeleImports
 						if (!$error && !$updatedone) {
 							// Build SQL INSERT request
 							$sqlstart = 'INSERT INTO '.$tablename.'('.implode(', ', $listfields).', import_key';
-							$sqlend = ') VALUES('.implode(', ', $listvalues).", '".$importid."'";
+							$sqlend = ') VALUES('.implode(', ', $listvalues).", '".$this->db->escape($importid)."'";
 							if (!empty($tablewithentity_cache[$tablename])) {
 								$sqlstart .= ', entity';
 								$sqlend .= ', '.$conf->entity;

+ 1 - 1
htdocs/core/modules/import/import_xlsx.modules.php

@@ -872,7 +872,7 @@ class ImportXlsx extends ModeleImports
 						if (!$error && !$updatedone) {
 							// Build SQL INSERT request
 							$sqlstart = 'INSERT INTO '.$tablename.'('.implode(', ', $listfields).', import_key';
-							$sqlend = ') VALUES('.implode(', ', $listvalues).", '".$importid."'";
+							$sqlend = ') VALUES('.implode(', ', $listvalues).", '".$db->escape($importid)."'";
 							if (!empty($tablewithentity_cache[$tablename])) {
 								$sqlstart .= ', entity';
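Review bot: This hunk calls `$db->escape($importid)` whereas the matching hunk in import_csv.modules.php uses `$this->db->escape($importid)`; unless `$db` is brought into the method as a global (not visible in this hunk), the call hits an undefined variable and the import path fails at runtime. Using `$this->db->escape($importid)` here keeps the two importers identical. The enclosing method starts and ends outside this hunk.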
 								$sqlend .= ', '.$conf->entity;

+ 2 - 2
htdocs/core/modules/mailings/contacts1.modules.php

@@ -75,7 +75,7 @@ class mailing_contacts1 extends MailingTargets
 		$langs->load("commercial");
 
 		$statssql = array();
-		$statssql[0] = "SELECT '".$langs->trans("NbOfCompaniesContacts")."' as label,";
+		$statssql[0] = "SELECT '".$this->db->escape($langs->trans("NbOfCompaniesContacts"))."' as label,";
 		$statssql[0] .= " count(distinct(c.email)) as nb";
 		$statssql[0] .= " FROM ".MAIN_DB_PREFIX."socpeople as c";
 		$statssql[0] .= " WHERE c.entity IN (".getEntity('socpeople').")";
@@ -390,7 +390,7 @@ class mailing_contacts1 extends MailingTargets
 		{
 			//print "xx".$key;
 			if ($key == 'prospects') $sql .= " AND s.client=2";
-			foreach ($prospectlevel as $codelevel=>$valuelevel) if ($key == 'prospectslevel'.$codelevel) $sql .= " AND s.fk_prospectlevel='".$codelevel."'";
+			foreach ($prospectlevel as $codelevel=>$valuelevel) if ($key == 'prospectslevel'.$codelevel) $sql .= " AND s.fk_prospectlevel='".$this->db->escape($codelevel)."'";
 			if ($key == 'customers') $sql .= " AND s.client=1";
 			if ($key == 'suppliers') $sql .= " AND s.fournisseur=1";
 		}

+ 2 - 2
htdocs/core/modules/mailings/fraise.modules.php

@@ -266,9 +266,9 @@ class mailing_fraise extends MailingTargets
         if ($dateendsubscriptionbefore > 0) $sql .= " AND datefin < '".$this->db->idate($dateendsubscriptionbefore)."'";
         $sql .= " AND a.fk_adherent_type = ta.rowid";
         // Filter on type
-        if ($_POST['filter_type']) $sql .= " AND ta.rowid='".$_POST['filter_type']."'";
+        if (GETPOSTISET('filter_type')) $sql .= " AND ta.rowid='".$this->db->escape(GETPOST('filter_type'))."'";
         // Filter on category
-        if ($_POST['filter_category']) $sql .= " AND c.rowid='".$_POST['filter_category']."'";
+        if (GETPOSTISSET('filter_category')) $sql .= " AND c.rowid='".$this->db->escape(GETPOST('filter_category'))."'";
         $sql .= " ORDER BY a.email";
         //print $sql;
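Review bot: The first replaced line calls `GETPOSTISET('filter_type')` while the second uses `GETPOSTISSET('filter_category')`; the single-S spelling is not the helper used on the next line and would raise an undefined-function error as soon as the target list is built. Beyond the typo, `GETPOSTISSET` is true for an empty posted value whereas the old `$_POST['filter_type']` test was a truthiness check, so an empty filter now yields `ta.rowid=''` instead of no filter at all; both `ta.rowid` and `c.rowid` are integer keys, so `if (GETPOST('filter_type', 'int') > 0) $sql .= " AND ta.rowid = ".((int) GETPOST('filter_type', 'int'));` (and likewise for `filter_category`) preserves the old semantics and drops the string quoting. The enclosing method starts and ends outside this hunk.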
 

+ 1 - 1
htdocs/core/modules/mailings/modules_mailings.php

@@ -175,7 +175,7 @@ class MailingTargets // This can't be abstract as it is used for some method
        			$sql .= " tag,";
         		$sql .= " source_type)";
         		$sql .= " VALUES (".$mailing_id.",";
-        		$sql .= (empty($targetarray['fk_contact']) ? '0' : "'".$targetarray['fk_contact']."'").",";
+        		$sql .= (empty($targetarray['fk_contact']) ? '0' : "'".$this->db->escape($targetarray['fk_contact'])."'").",";
         		$sql .= "'".$this->db->escape($targetarray['lastname'])."',";
         		$sql .= "'".$this->db->escape($targetarray['firstname'])."',";
         		$sql .= "'".$this->db->escape($targetarray['email'])."',";

+ 1 - 1
htdocs/core/modules/mailings/pomme.modules.php

@@ -73,7 +73,7 @@ class mailing_pomme extends MailingTargets
 		$langs->load("users");
 
 		$statssql = array();
-		$sql = "SELECT '".$langs->trans("DolibarrUsers")."' as label,";
+		$sql = "SELECT '".$this->db->escape($langs->trans("DolibarrUsers"))."' as label,";
 		$sql .= " count(distinct(u.email)) as nb";
 		$sql .= " FROM ".MAIN_DB_PREFIX."user as u";
 		$sql .= " WHERE u.email != ''"; // u.email IS NOT NULL est implicite dans ce test

+ 1 - 1
htdocs/core/modules/mailings/thirdparties_services_expired.modules.php

@@ -113,7 +113,7 @@ class mailing_thirdparties_services_expired extends MailingTargets
         $sql .= " WHERE s.entity IN (".getEntity('societe').")";
         $sql .= " AND s.email NOT IN (SELECT email FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE fk_mailing=".$mailing_id.")";
         $sql .= " AND s.rowid = c.fk_soc AND cd.fk_contrat = c.rowid AND s.email != ''";
-        $sql .= " AND cd.statut= 4 AND cd.fk_product=p.rowid AND p.ref = '".$product."'";
+        $sql .= " AND cd.statut= 4 AND cd.fk_product=p.rowid AND p.ref = '".$this->db->escape($product)."'";
         $sql .= " AND cd.date_fin_validite < '".$this->db->idate($now)."'";
         $sql .= " ORDER BY s.email";
 

+ 4 - 4
htdocs/core/modules/movement/doc/pdf_standard.modules.php

@@ -291,13 +291,13 @@ class pdf_stdandard extends ModelePDFMovement
 		{
 			$sql .= " AND m.datem BETWEEN '".$db->idate(dol_get_first_day($year, 1, false))."' AND '".$db->idate(dol_get_last_day($year, 12, false))."'";
 		}
-		if ($idproduct > 0) $sql .= " AND p.rowid = '".$idproduct."'";
+		if ($idproduct > 0) $sql .= " AND p.rowid = ".((int) $idproduct);
 		if (!empty($search_ref))			$sql .= natural_search('m.rowid', $search_ref, 1);
 		if (!empty($search_movement))      $sql .= natural_search('m.label', $search_movement);
 		if (!empty($search_inventorycode)) $sql .= natural_search('m.inventorycode', $search_inventorycode);
 		if (!empty($search_product_ref))   $sql .= natural_search('p.ref', $search_product_ref);
 		if (!empty($search_product))       $sql .= natural_search('p.label', $search_product);
-		if ($search_warehouse > 0)          $sql .= " AND e.rowid = '".$db->escape($search_warehouse)."'";
+		if ($search_warehouse > 0)          $sql .= " AND e.rowid = ".((int) $db->escape($search_warehouse));
 		if (!empty($search_user))          $sql .= natural_search('u.login', $search_user);
 		if (!empty($search_batch))         $sql .= natural_search('m.batch', $search_batch);
 		if ($search_qty != '')				$sql .= natural_search('m.value', $search_qty, 1);
@@ -489,7 +489,7 @@ class pdf_stdandard extends ModelePDFMovement
 							$sql = "SELECT label";
 							$sql .= " FROM ".MAIN_DB_PREFIX."product_lang";
 							$sql .= " WHERE fk_product=".$objp->rowid;
-							$sql .= " AND lang='".$langs->getDefaultLang()."'";
+							$sql .= " AND lang='".$this->db->escape($langs->getDefaultLang())."'";
 							$sql .= " LIMIT 1";
 
 							$result = $db->query($sql);
@@ -1049,7 +1049,7 @@ class pdf_stdandard extends ModelePDFMovement
 		// Last movement
 		$sql = "SELECT max(m.datem) as datem";
 		$sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m";
-		$sql .= " WHERE m.fk_entrepot = '".$object->id."'";
+		$sql .= " WHERE m.fk_entrepot = ".((int) $object->id);
 		$resqlbis = $db->query($sql);
 		if ($resqlbis)
 		{
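Review bot: `((int) $db->escape($search_warehouse))` in the first hunk escapes a value and then casts it to an integer, so the escape is redundant and only obscures what is enforced; `((int) $search_warehouse)` says it directly and matches the `$idproduct` line just above. The other two hunks are consistent with the rest of the commit (integer cast for `m.fk_entrepot`, escape for the language code). The method starts and ends outside these hunks.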

+ 1 - 1
htdocs/core/modules/printing/printgcp.modules.php

@@ -312,7 +312,7 @@ class printing_printgcp extends PrintingDriver
         $fileprint .= '/'.$file;
         $mimetype = dol_mimetype($fileprint);
         // select printer uri for module order, propal,...
-        $sql = "SELECT rowid, printer_id, copy FROM ".MAIN_DB_PREFIX."printing WHERE module='".$module."' AND driver='printgcp' AND userid=".$user->id;
+        $sql = "SELECT rowid, printer_id, copy FROM ".MAIN_DB_PREFIX."printing WHERE module='".$this->db->escape($module)."' AND driver='printgcp' AND userid=".$user->id;
         $result = $this->db->query($sql);
         if ($result)
         {

+ 1 - 1
htdocs/core/modules/printing/printipp.modules.php

@@ -107,7 +107,7 @@ class printing_printipp extends PrintingDriver
         if (!empty($this->user)) $ipp->setAuthentication($this->user, $this->password);
 
         // select printer uri for module order, propal,...
-        $sql = "SELECT rowid,printer_id,copy FROM ".MAIN_DB_PREFIX."printing WHERE module = '".$module."' AND driver = 'printipp' AND userid = ".$user->id;
+        $sql = "SELECT rowid,printer_id,copy FROM ".MAIN_DB_PREFIX."printing WHERE module = '".$this->db->escape($module)."' AND driver = 'printipp' AND userid = ".$user->id;
         $result = $this->db->query($sql);
         if ($result) {
             $obj = $this->db->fetch_object($result);

+ 1 - 1
htdocs/core/modules/product/mod_codeproduct_elephant.php

@@ -313,7 +313,7 @@ class mod_codeproduct_elephant extends ModeleProductCode
 	{
         // phpcs:enable
 		$sql = "SELECT ref FROM ".MAIN_DB_PREFIX."product";
-		$sql .= " WHERE ref = '".$code."'";
+		$sql .= " WHERE ref = '".$this->db->escape($code)."'";
 		if ($product->id > 0) $sql .= " AND rowid <> ".$product->id;
 
 		$resql = $db->query($sql);

+ 1 - 1
htdocs/core/modules/societe/mod_codeclient_monkey.php

@@ -133,7 +133,7 @@ class mod_codeclient_monkey extends ModeleThirdPartyCode
         $posindice = strlen($prefix) + 6;
         $sql = "SELECT MAX(CAST(SUBSTRING(".$field." FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
 		$sql .= " FROM ".MAIN_DB_PREFIX."societe";
-		$sql .= " WHERE ".$field." LIKE '".$prefix."____-%'";
+		$sql .= " WHERE ".$field." LIKE '".$db->escape($prefix)."____-%'";
 		$sql .= " AND entity IN (".getEntity('societe').")";
 
 		dol_syslog(get_class($this)."::getNextValue", LOG_DEBUG);

+ 1 - 1
htdocs/core/modules/stock/doc/pdf_standard.modules.php

@@ -863,7 +863,7 @@ class pdf_standard extends ModelePDFStock
 		// Last movement
 		$sql = "SELECT max(m.datem) as datem";
 		$sql .= " FROM ".MAIN_DB_PREFIX."stock_mouvement as m";
-		$sql .= " WHERE m.fk_entrepot = '".$object->id."'";
+		$sql .= " WHERE m.fk_entrepot = ".((int) $object->id);
 		$resqlbis = $db->query($sql);
 		if ($resqlbis)
 		{

+ 2 - 2
htdocs/core/modules/supplier_invoice/mod_facture_fournisseur_cactus.php

@@ -182,7 +182,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices
         $posindice = strlen($prefix) + 6;
         $sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max"; // This is standard SQL
         $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn";
-        $sql .= " WHERE ref LIKE '".$prefix."____-%'";
+        $sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-%'";
         $sql .= " AND entity = ".$conf->entity;
 
         $resql = $db->query($sql);
@@ -204,7 +204,7 @@ class mod_facture_fournisseur_cactus extends ModeleNumRefSuppliersInvoices
         	$ref = '';
         	$sql = "SELECT ref as ref";
         	$sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn";
-        	$sql .= " WHERE ref LIKE '".$prefix."____-".$num."'";
+        	$sql .= " WHERE ref LIKE '".$db->escape($prefix)."____-".$num."'";
         	$sql .= " AND entity = ".$conf->entity;
 
         	dol_syslog(get_class($this)."::getNextValue", LOG_DEBUG);

+ 2 - 2
htdocs/core/modules/ticket/mod_ticket_simple.php

@@ -93,7 +93,7 @@ class mod_ticket_simple extends ModeleNumRefTicket
 		$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
 		$sql .= " FROM ".MAIN_DB_PREFIX."ticket";
 		$search = $this->prefix."____-%";
-		$sql .= " WHERE ref LIKE '".$search."'";
+		$sql .= " WHERE ref LIKE '".$db->escape($search)."'";
 		$sql .= " AND entity = ".$conf->entity;
 		$resql = $db->query($sql);
 		if ($resql) {
@@ -128,7 +128,7 @@ class mod_ticket_simple extends ModeleNumRefTicket
 		$sql = "SELECT MAX(CAST(SUBSTRING(ref FROM ".$posindice.") AS SIGNED)) as max";
 		$sql .= " FROM ".MAIN_DB_PREFIX."ticket";
 		$search = $this->prefix."____-%";
-		$sql .= " WHERE ref LIKE '".$search."'";
+		$sql .= " WHERE ref LIKE '".$db->escape($search)."'";
 		$sql .= " AND entity = ".$conf->entity;
 
 		$resql = $db->query($sql);