
FIX #yogosha5746 - next step (work in progress)

Laurent Destailleur 4 years ago
parent
commit
be6bb3a756
52 changed files with 155 additions and 155 deletions
  1. 8 8
      htdocs/expensereport/class/expensereport.class.php
  2. 1 1
      htdocs/expensereport/class/expensereportstats.class.php
  3. 1 1
      htdocs/expensereport/payment/payment.php
  4. 2 2
      htdocs/fichinter/class/fichinterrec.class.php
  5. 1 1
      htdocs/fichinter/class/fichinterstats.class.php
  6. 3 3
      htdocs/fourn/class/fournisseur.product.class.php
  7. 1 1
      htdocs/fourn/recap-fourn.php
  8. 1 1
      htdocs/holiday/class/holiday.class.php
  9. 15 15
      htdocs/install/upgrade2.php
  10. 1 1
      htdocs/loan/card.php
  11. 3 3
      htdocs/loan/class/loanschedule.class.php
  12. 1 1
      htdocs/loan/payment/payment.php
  13. 1 1
      htdocs/margin/agentMargins.php
  14. 2 2
      htdocs/modulebuilder/template/class/myobject.class.php
  15. 17 17
      htdocs/product/class/product.class.php
  16. 1 1
      htdocs/product/class/productcustomerprice.class.php
  17. 1 1
      htdocs/product/class/productfournisseurprice.class.php
  18. 1 1
      htdocs/product/class/propalmergepdfproduct.class.php
  19. 1 1
      htdocs/product/dynamic_price/class/price_expression.class.php
  20. 1 1
      htdocs/product/dynamic_price/class/price_global_variable.class.php
  21. 1 1
      htdocs/product/dynamic_price/class/price_global_variable_updater.class.php
  22. 2 2
      htdocs/product/fournisseurs.php
  23. 2 2
      htdocs/product/list.php
  24. 11 11
      htdocs/product/price.php
  25. 8 8
      htdocs/product/stock/class/mouvementstock.class.php
  26. 1 1
      htdocs/product/stock/class/productlot.class.php
  27. 1 1
      htdocs/product/stock/replenish.php
  28. 8 8
      htdocs/projet/class/project.class.php
  29. 3 3
      htdocs/projet/class/task.class.php
  30. 1 1
      htdocs/public/members/public_list.php
  31. 1 1
      htdocs/public/stripe/ipn.php
  32. 1 1
      htdocs/reception/class/reception.class.php
  33. 3 3
      htdocs/resource/element_resource.php
  34. 1 1
      htdocs/salaries/card.php
  35. 2 2
      htdocs/salaries/class/salariesstats.class.php
  36. 2 2
      htdocs/salaries/paiement_salary.php
  37. 6 6
      htdocs/societe/class/api_thirdparties.class.php
  38. 1 1
      htdocs/societe/class/client.class.php
  39. 5 5
      htdocs/societe/class/companybankaccount.class.php
  40. 3 3
      htdocs/societe/class/companypaymentmode.class.php
  41. 4 4
      htdocs/societe/class/societe.class.php
  42. 1 1
      htdocs/societe/class/societeaccount.class.php
  43. 10 10
      htdocs/societe/consumption.php
  44. 5 5
      htdocs/societe/paymentmodes.php
  45. 1 1
      htdocs/societe/societecontact.php
  46. 1 1
      htdocs/takepos/receipt.php
  47. 1 1
      htdocs/ticket/class/ticket.class.php
  48. 1 1
      htdocs/ticket/class/ticketstats.class.php
  49. 1 1
      htdocs/user/class/user.class.php
  50. 1 1
      htdocs/webservices/server_contact.php
  51. 1 1
      htdocs/webservices/server_productorservice.php
  52. 2 2
      htdocs/website/class/website.class.php

+ 8 - 8
htdocs/expensereport/class/expensereport.class.php

@@ -880,7 +880,7 @@ class ExpenseReport extends CommonObject
 		if ($user->rights->expensereport->lire) {
 			$sql = "SELECT de.fk_expensereport, de.date, de.comments, de.total_ht, de.total_ttc";
 			$sql .= " FROM ".MAIN_DB_PREFIX."expensereport_det as de";
-			$sql .= " WHERE de.fk_projet = ".$projectid;
+			$sql .= " WHERE de.fk_projet = ".((int) $projectid);
 
 			dol_syslog(get_class($this)."::fetch sql=".$sql, LOG_DEBUG);
 			$result = $this->db->query($sql);
@@ -1117,8 +1117,8 @@ class ExpenseReport extends CommonObject
 		// Delete extrafields of lines and lines
 		if (!$error && !empty($this->table_element_line)) {
 			$tabletodelete = $this->table_element_line;
-			//$sqlef = "DELETE FROM ".MAIN_DB_PREFIX.$tabletodelete."_extrafields WHERE fk_object IN (SELECT rowid FROM ".MAIN_DB_PREFIX.$tabletodelete." WHERE ".$this->fk_element." = ".$this->id.")";
-			$sql = "DELETE FROM ".MAIN_DB_PREFIX.$tabletodelete." WHERE ".$this->fk_element." = ".$this->id;
+			//$sqlef = "DELETE FROM ".MAIN_DB_PREFIX.$tabletodelete."_extrafields WHERE fk_object IN (SELECT rowid FROM ".MAIN_DB_PREFIX.$tabletodelete." WHERE ".$this->fk_element." = ".((int) $this->id).")";
+			$sql = "DELETE FROM ".MAIN_DB_PREFIX.$tabletodelete." WHERE ".$this->fk_element." = ".((int) $this->id);
 			if (!$this->db->query($sql)) {
 				$error++;
 				$this->error = $this->db->lasterror();
@@ -1154,7 +1154,7 @@ class ExpenseReport extends CommonObject
 
 		// Delete main record
 		if (!$error) {
-			$sql = "DELETE FROM ".MAIN_DB_PREFIX.$this->table_element." WHERE rowid = ".$this->id;
+			$sql = "DELETE FROM ".MAIN_DB_PREFIX.$this->table_element." WHERE rowid = ".((int) $this->id);
 			$res = $this->db->query($sql);
 			if (!$res) {
 				$error++;
@@ -2124,7 +2124,7 @@ class ExpenseReport extends CommonObject
 			// Select des infos sur le type fees
 			$sql = "SELECT c.code as code_type_fees, c.label as libelle_type_fees";
 			$sql .= " FROM ".MAIN_DB_PREFIX."c_type_fees as c";
-			$sql .= " WHERE c.id = ".$type_fees_id;
+			$sql .= " WHERE c.id = ".((int) $type_fees_id);
 			$resql = $this->db->query($sql);
 			if ($resql) {
 				$objp_fees = $this->db->fetch_object($resql);
@@ -2136,7 +2136,7 @@ class ExpenseReport extends CommonObject
 			// Select des informations du projet
 			$sql = "SELECT p.ref as ref_projet, p.title as title_projet";
 			$sql .= " FROM ".MAIN_DB_PREFIX."projet as p";
-			$sql .= " WHERE p.rowid = ".$projet_id;
+			$sql .= " WHERE p.rowid = ".((int) $projet_id);
 			$resql = $this->db->query($sql);
 			if ($resql) {
 				$objp_projet = $this->db->fetch_object($resql);
@@ -2331,7 +2331,7 @@ class ExpenseReport extends CommonObject
 		$ret = array();
 		$sql = "SELECT id, code, label";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_type_fees";
-		$sql .= " WHERE active = ".$active;
+		$sql .= " WHERE active = ".((int) $active);
 		dol_syslog(get_class($this)."::listOfTypes", LOG_DEBUG);
 		$result = $this->db->query($sql);
 		if ($result) {
@@ -2495,7 +2495,7 @@ class ExpenseReport extends CommonObject
 
 		$type = 'expense_report';
 
-		$sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$this->db->escape($type)."' AND ab.fk_doc = ".$this->id;
+		$sql = " SELECT COUNT(ab.rowid) as nb FROM ".MAIN_DB_PREFIX."accounting_bookkeeping as ab WHERE ab.doc_type='".$this->db->escape($type)."' AND ab.fk_doc = ".((int) $this->id);
 		$resql = $this->db->query($sql);
 		if ($resql) {
 			$obj = $this->db->fetch_object($resql);

+ 1 - 1
htdocs/expensereport/class/expensereportstats.class.php

@@ -114,7 +114,7 @@ class ExpenseReportStats extends Stats
 	{
 		$sql = "SELECT MONTH(".$this->db->ifsql('e.'.$this->datetouse.' IS NULL', 'e.date_create', 'e.'.$this->datetouse).") as dm, count(*)";
 		$sql .= " FROM ".$this->from;
-		$sql .= " WHERE YEAR(e.".$this->datetouse.") = ".$year;
+		$sql .= " WHERE YEAR(e.".$this->datetouse.") = ".((int) $year);
 		$sql .= " AND ".$this->where;
 		$sql .= " GROUP BY dm";
 		$sql .= $this->db->order('dm', 'DESC');

+ 1 - 1
htdocs/expensereport/payment/payment.php

@@ -206,7 +206,7 @@ if ($action == 'create' || empty($action)) {
 
 	$sql = "SELECT sum(p.amount) as total";
 	$sql .= " FROM ".MAIN_DB_PREFIX."payment_expensereport as p, ".MAIN_DB_PREFIX."expensereport as e";
-	$sql .= " WHERE p.fk_expensereport = e.rowid AND p.fk_expensereport = ".$id;
+	$sql .= " WHERE p.fk_expensereport = e.rowid AND p.fk_expensereport = ".((int) $id);
 	$sql .= ' AND e.entity IN ('.getEntity('expensereport').')';
 	$resql = $db->query($sql);
 	if ($resql) {

+ 2 - 2
htdocs/fichinter/class/fichinterrec.class.php

@@ -434,10 +434,10 @@ class FichinterRec extends Fichinter
 		$error = 0;
 		$this->db->begin();
 
-		$sql = "DELETE FROM ".MAIN_DB_PREFIX."fichinterdet_rec WHERE fk_fichinter = ".$rowid;
+		$sql = "DELETE FROM ".MAIN_DB_PREFIX."fichinterdet_rec WHERE fk_fichinter = ".((int) $rowid);
 		dol_syslog($sql);
 		if ($this->db->query($sql)) {
-			$sql = "DELETE FROM ".MAIN_DB_PREFIX."fichinter_rec WHERE rowid = ".$rowid;
+			$sql = "DELETE FROM ".MAIN_DB_PREFIX."fichinter_rec WHERE rowid = ".((int) $rowid);
 			dol_syslog($sql);
 			if (!$this->db->query($sql)) {
 				$this->error = $this->db->lasterror();

+ 1 - 1
htdocs/fichinter/class/fichinterstats.class.php

@@ -73,7 +73,7 @@ class FichinterStats extends Stats
 			//$this->where.= " AND c.fk_statut > 0";    // Not draft and not cancelled
 		}
 		if (!$user->rights->societe->client->voir && !$this->socid) {
-			$this->where .= " AND c.fk_soc = sc.fk_soc AND sc.fk_user = ".$user->id;
+			$this->where .= " AND c.fk_soc = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 		}
 		$this->where .= ($this->where ? ' AND ' : '')."c.entity IN (".getEntity('fichinter').')';
 

+ 3 - 3
htdocs/fourn/class/fournisseur.product.class.php

@@ -164,7 +164,7 @@ class ProductFournisseur extends Product
 		$this->db->begin();
 
 		$sql = "DELETE FROM ".MAIN_DB_PREFIX."product_fournisseur_price";
-		$sql .= " WHERE fk_product = ".$this->id." AND fk_soc = ".$id_fourn;
+		$sql .= " WHERE fk_product = ".$this->id." AND fk_soc = ".((int) $id_fourn);
 
 		dol_syslog(get_class($this)."::remove_fournisseur", LOG_DEBUG);
 		$resql2 = $this->db->query($sql);
@@ -208,7 +208,7 @@ class ProductFournisseur extends Product
 
 		if (empty($error)) {
 			$sql = "DELETE FROM ".MAIN_DB_PREFIX."product_fournisseur_price";
-			$sql .= " WHERE rowid = ".$rowid;
+			$sql .= " WHERE rowid = ".((int) $rowid);
 
 			dol_syslog(get_class($this)."::remove_product_fournisseur_price", LOG_DEBUG);
 			$resql = $this->db->query($sql);
@@ -438,7 +438,7 @@ class ProductFournisseur extends Product
 
 			// Delete price for this quantity
 			$sql = "DELETE FROM  ".MAIN_DB_PREFIX."product_fournisseur_price";
-			$sql .= " WHERE fk_soc = ".$fourn->id." AND ref_fourn = '".$this->db->escape($ref_fourn)."' AND quantity = ".$qty." AND entity = ".$conf->entity;
+			$sql .= " WHERE fk_soc = ".$fourn->id." AND ref_fourn = '".$this->db->escape($ref_fourn)."' AND quantity = ".((float) $qty)." AND entity = ".$conf->entity;
 			$resql = $this->db->query($sql);
 			if ($resql) {
 				// Add price for this quantity to supplier
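Review bot: The cast in remove_fournisseur is applied to `$id_fourn` only, while `$this->id` on the same line is still concatenated raw, and the third hunk likewise leaves `$fourn->id` and `$conf->entity` uncast next to the newly cast `$qty`; for consistency with the rest of the commit the lines should read `$sql .= " WHERE fk_product = ".((int) $this->id)." AND fk_soc = ".((int) $id_fourn);` and `... " WHERE fk_soc = ".((int) $fourn->id)." AND ref_fourn = '".$this->db->escape($ref_fourn)."' AND quantity = ".((float) $qty)." AND entity = ".((int) $conf->entity);`. These values presumably come from trusted object state, but casting every concatenated numeric operand is what makes the rule auditable. All three enclosing methods start and end outside the hunks.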

+ 1 - 1
htdocs/fourn/recap-fourn.php

@@ -73,7 +73,7 @@ if ($socid > 0) {
 		$sql .= " f.paye as paye, f.fk_statut as statut, f.rowid as facid,";
 		$sql .= " u.login, u.rowid as userid";
 		$sql .= " FROM ".MAIN_DB_PREFIX."societe as s,".MAIN_DB_PREFIX."facture_fourn as f,".MAIN_DB_PREFIX."user as u";
-		$sql .= " WHERE f.fk_soc = s.rowid AND s.rowid = ".$societe->id;
+		$sql .= " WHERE f.fk_soc = s.rowid AND s.rowid = ".((int) $societe->id);
 		$sql .= " AND f.entity IN (".getEntity("facture_fourn").")"; // Recognition of the entity attributed to this invoice for Multicompany
 		$sql .= " AND f.fk_user_valid = u.rowid";
 		$sql .= " ORDER BY f.datef DESC";

+ 1 - 1
htdocs/holiday/class/holiday.class.php

@@ -2069,7 +2069,7 @@ class Holiday extends CommonObject
 
 		$sql = "SELECT rowid, code, label, affect, delay, newByMonth";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_holiday_types";
-		$sql .= " WHERE (fk_country IS NULL OR fk_country = ".$mysoc->country_id.')';
+		$sql .= " WHERE (fk_country IS NULL OR fk_country = ".((int) $mysoc->country_id).')';
 		if ($active >= 0) {
 			$sql .= " AND active = ".((int) $active);
 		}

+ 15 - 15
htdocs/install/upgrade2.php

@@ -2161,7 +2161,7 @@ function migrate_detail_livraison($db, $langs, $conf)
 					if ($resql2) {
 						$sql = "SELECT total_ht";
 						$sql .= " FROM ".MAIN_DB_PREFIX."livraison";
-						$sql .= " WHERE rowid = ".$obj->fk_livraison;
+						$sql .= " WHERE rowid = ".((int) $obj->fk_livraison);
 						$resql3 = $db->query($sql);
 
 						if ($resql3) {
@@ -2864,7 +2864,7 @@ function migrate_project_task_time($db, $langs, $conf)
 					foreach ($totaltime as $taskid => $total_duration) {
 						$sql = "UPDATE ".MAIN_DB_PREFIX."projet_task SET";
 						$sql .= " duration_effective = ".$total_duration;
-						$sql .= " WHERE rowid = ".$taskid;
+						$sql .= " WHERE rowid = ".((int) $taskid);
 
 						$resql = $db->query($sql);
 						if (!$resql) {
@@ -3235,7 +3235,7 @@ function migrate_mode_reglement($db, $langs, $conf)
 
 		$sqlSelect = "SELECT id";
 		$sqlSelect .= " FROM ".MAIN_DB_PREFIX."c_paiement";
-		$sqlSelect .= " WHERE id = ".$old_id;
+		$sqlSelect .= " WHERE id = ".((int) $old_id);
 		$sqlSelect .= " AND code = '".$db->escape($elements['code'][$key])."'";
 
 		$resql = $db->query($sqlSelect);
@@ -3246,23 +3246,23 @@ function migrate_mode_reglement($db, $langs, $conf)
 
 				$db->begin();
 
-				$sqla = "UPDATE ".MAIN_DB_PREFIX."paiement SET ";
-				$sqla .= "fk_paiement = ".$elements['new_id'][$key];
-				$sqla .= " WHERE fk_paiement = ".$old_id;
-				$sqla .= " AND fk_paiement IN (SELECT id FROM ".MAIN_DB_PREFIX."c_paiement WHERE id = ".$old_id." AND code = '".$db->escape($elements['code'][$key])."')";
+				$sqla = "UPDATE ".MAIN_DB_PREFIX."paiement SET";
+				$sqla .= " fk_paiement = ".$elements['new_id'][$key];
+				$sqla .= " WHERE fk_paiement = ".((int) $old_id);
+				$sqla .= " AND fk_paiement IN (SELECT id FROM ".MAIN_DB_PREFIX."c_paiement WHERE id = ".((int) $old_id)." AND code = '".$db->escape($elements['code'][$key])."')";
 				$resqla = $db->query($sqla);
 
-				$sql = "UPDATE ".MAIN_DB_PREFIX."c_paiement SET ";
-				$sql .= "id = ".$elements['new_id'][$key];
-				$sql .= " WHERE id = ".$old_id;
+				$sql = "UPDATE ".MAIN_DB_PREFIX."c_paiement SET";
+				$sql .= " id = ".((int) $elements['new_id'][$key]);
+				$sql .= " WHERE id = ".((int) $old_id);
 				$sql .= " AND code = '".$db->escape($elements['code'][$key])."'";
 				$resql = $db->query($sql);
 
 				if ($resqla && $resql) {
 					foreach ($elements['tables'] as $table) {
 						$sql = "UPDATE ".MAIN_DB_PREFIX.$table." SET ";
-						$sql .= "fk_mode_reglement = ".$elements['new_id'][$key];
-						$sql .= " WHERE fk_mode_reglement = ".$old_id;
+						$sql .= "fk_mode_reglement = "((int) $elements['new_id'][$key]);
+						$sql .= " WHERE fk_mode_reglement = ".((int) $old_id);
 
 						$resql = $db->query($sql);
 						if (!$resql) {
@@ -3786,16 +3786,16 @@ function migrate_remise_except_entity($db, $langs, $conf)
 
 					$sqlSelect2 = "SELECT f.entity";
 					$sqlSelect2 .= " FROM ".MAIN_DB_PREFIX."facture as f";
-					$sqlSelect2 .= " WHERE f.rowid = ".$fk_facture;
+					$sqlSelect2 .= " WHERE f.rowid = ".((int) $fk_facture);
 				} elseif (!empty($obj->fk_facture_line)) {
 					$sqlSelect2 = "SELECT f.entity";
 					$sqlSelect2 .= " FROM ".MAIN_DB_PREFIX."facture as f, ".MAIN_DB_PREFIX."facturedet as fd";
-					$sqlSelect2 .= " WHERE fd.rowid = ".$obj->fk_facture_line;
+					$sqlSelect2 .= " WHERE fd.rowid = ".((int) $obj->fk_facture_line);
 					$sqlSelect2 .= " AND fd.fk_facture = f.rowid";
 				} else {
 					$sqlSelect2 = "SELECT s.entity";
 					$sqlSelect2 .= " FROM ".MAIN_DB_PREFIX."societe as s";
-					$sqlSelect2 .= " WHERE s.rowid = ".$obj->fk_soc;
+					$sqlSelect2 .= " WHERE s.rowid = ".((int) $obj->fk_soc);
 				}
 
 				$resql2 = $db->query($sqlSelect2);
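Review bot: The line `$sql .= "fk_mode_reglement = "((int) $elements['new_id'][$key]);` in migrate_mode_reglement is missing the concatenation operator, so upgrade2.php no longer parses and every migration in this file fails; it must be `$sql .= "fk_mode_reglement = ".((int) $elements['new_id'][$key]);`. In the same hunk the c_paiement UPDATE casts `$elements['new_id'][$key]` but the paiement UPDATE two statements earlier does not (`$sqla .= " fk_paiement = ".$elements['new_id'][$key];`), and in migrate_project_task_time `duration_effective = ".$total_duration` is still concatenated uncast. The enclosing functions start and end outside the hunks.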

+ 1 - 1
htdocs/loan/card.php

@@ -636,7 +636,7 @@ if ($id > 0) {
 		$sql .= " FROM ".MAIN_DB_PREFIX."payment_loan as p";
 		$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_paiement as c ON p.fk_typepayment = c.id";
 		$sql .= ", ".MAIN_DB_PREFIX."loan as l";
-		$sql .= " WHERE p.fk_loan = ".$id;
+		$sql .= " WHERE p.fk_loan = ".((int) $id);
 		$sql .= " AND p.fk_loan = l.rowid";
 		$sql .= " AND l.entity IN ( ".getEntity('loan').")";
 		$sql .= " ORDER BY dp DESC";

+ 3 - 3
htdocs/loan/class/loanschedule.class.php

@@ -447,7 +447,7 @@ class LoanSchedule extends CommonObject
 		$sql .= " t.fk_user_creat,";
 		$sql .= " t.fk_user_modif";
 		$sql .= " FROM ".MAIN_DB_PREFIX.$this->table_element." as t";
-		$sql .= " WHERE t.fk_loan = ".$loanid;
+		$sql .= " WHERE t.fk_loan = ".((int) $loanid);
 
 		dol_syslog(get_class($this)."::fetchAll", LOG_DEBUG);
 		$resql = $this->db->query($sql);
@@ -535,7 +535,7 @@ class LoanSchedule extends CommonObject
 	{
 		$sql = "SELECT p.datep";
 		$sql .= " FROM ".MAIN_DB_PREFIX."payment_loan as p ";
-		$sql .= " WHERE p.fk_loan = ".$loanid;
+		$sql .= " WHERE p.fk_loan = ".((int) $loanid);
 		$sql .= " ORDER BY p.datep DESC ";
 		$sql .= " LIMIT 1 ";
 
@@ -563,7 +563,7 @@ class LoanSchedule extends CommonObject
 
 		$sql = "SELECT p.rowid";
 		$sql .= " FROM ".MAIN_DB_PREFIX.$this->table_element." as p ";
-		$sql .= " WHERE p.fk_loan = ".$loanid;
+		$sql .= " WHERE p.fk_loan = ".((int) $loanid);
 		if (!empty($datemax)) {
 			$sql .= " AND p.datep > '".$this->db->idate($datemax)."'";
 		}

+ 1 - 1
htdocs/loan/payment/payment.php

@@ -239,7 +239,7 @@ if ($action == 'create') {
 
 	$sql = "SELECT SUM(amount_capital) as total";
 	$sql .= " FROM ".MAIN_DB_PREFIX."payment_loan";
-	$sql .= " WHERE fk_loan = ".$chid;
+	$sql .= " WHERE fk_loan = ".((int) $chid);
 	$resql = $db->query($sql);
 	if ($resql) {
 		$obj = $db->fetch_object($resql);

+ 1 - 1
htdocs/margin/agentMargins.php

@@ -290,7 +290,7 @@ if ($result) {
 				// sql nb sellers
 				$sql_seller  = "SELECT COUNT(sc.rowid) as nb";
 				$sql_seller .= " FROM ".MAIN_DB_PREFIX."societe_commerciaux as sc";
-				$sql_seller .= " WHERE sc.fk_soc = ".$objp->socid;
+				$sql_seller .= " WHERE sc.fk_soc = ".((int) $objp->socid);
 				$sql_seller .= " LIMIT 1";
 
 				$resql_seller = $db->query($sql_seller);

+ 2 - 2
htdocs/modulebuilder/template/class/myobject.class.php

@@ -579,9 +579,9 @@ class MyObject extends CommonObject
 				$sql .= ", date_validation = '".$this->db->idate($now)."'";
 			}
 			if (!empty($this->fields['fk_user_valid'])) {
-				$sql .= ", fk_user_valid = ".$user->id;
+				$sql .= ", fk_user_valid = ".((int) $user->id);
 			}
-			$sql .= " WHERE rowid = ".$this->id;
+			$sql .= " WHERE rowid = ".((int) $this->id);
 
 			dol_syslog(get_class($this)."::validate()", LOG_DEBUG);
 			$resql = $this->db->query($sql);

+ 17 - 17
htdocs/product/class/product.class.php

@@ -1820,9 +1820,9 @@ class Product extends CommonObject
 			$sql .= ", pfp.packaging";
 		}
 		$sql .= " FROM ".MAIN_DB_PREFIX."product_fournisseur_price as pfp";
-		$sql .= " WHERE pfp.rowid = ".$prodfournprice;
+		$sql .= " WHERE pfp.rowid = ".((int) $prodfournprice);
 		if ($qty > 0) {
-			$sql .= " AND pfp.quantity <= ".$qty;
+			$sql .= " AND pfp.quantity <= ".((float) $qty);
 		}
 		$sql .= " ORDER BY pfp.quantity DESC";
 
@@ -1874,15 +1874,15 @@ class Product extends CommonObject
 				$sql .= " pfp.multicurrency_price, pfp.multicurrency_unitprice, pfp.multicurrency_tx, pfp.fk_multicurrency, pfp.multicurrency_code,";
 				$sql .= " pfp.packaging";
 				$sql .= " FROM ".MAIN_DB_PREFIX."product_fournisseur_price as pfp";
-				$sql .= " WHERE pfp.fk_product = ".$product_id;
+				$sql .= " WHERE pfp.fk_product = ".((int) $product_id);
 				if ($fourn_ref != 'none') {
 					$sql .= " AND pfp.ref_fourn = '".$this->db->escape($fourn_ref)."'";
 				}
 				if ($fk_soc > 0) {
-					$sql .= " AND pfp.fk_soc = ".$fk_soc;
+					$sql .= " AND pfp.fk_soc = ".((int) $fk_soc);
 				}
 				if ($qty > 0) {
-					$sql .= " AND pfp.quantity <= ".$qty;
+					$sql .= " AND pfp.quantity <= ".((float) $qty);
 				}
 				$sql .= " ORDER BY pfp.quantity DESC";
 				$sql .= " LIMIT 1";
@@ -2360,7 +2360,7 @@ class Product extends CommonObject
 					$sql = "SELECT price, price_ttc, price_min, price_min_ttc,";
 					$sql .= " price_base_type, tva_tx, default_vat_code, tosell, price_by_qty, rowid";
 					$sql .= " FROM ".MAIN_DB_PREFIX."product_price";
-					$sql .= " WHERE fk_product = ".$this->id;
+					$sql .= " WHERE fk_product = ".((int) $this->id);
 					$sql .= " ORDER BY date_price DESC, rowid DESC";
 					$sql .= " LIMIT 1";
 					$resql = $this->db->query($sql);
@@ -2374,7 +2374,7 @@ class Product extends CommonObject
 						if ($this->prices_by_qty[0] == 1) {
 							$sql = "SELECT rowid,price, unitprice, quantity, remise_percent, remise, remise, price_base_type";
 							$sql .= " FROM ".MAIN_DB_PREFIX."product_price_by_qty";
-							$sql .= " WHERE fk_product_price = ".$this->prices_by_qty_id[0];
+							$sql .= " WHERE fk_product_price = ".((int) $this->prices_by_qty_id[0]);
 							$sql .= " ORDER BY quantity ASC";
 							$resultat = array();
 							$resql = $this->db->query($sql);
@@ -3946,8 +3946,8 @@ class Product extends CommonObject
 		}
 
 		$sql = "DELETE FROM ".MAIN_DB_PREFIX."product_association";
-		$sql .= " WHERE fk_product_pere  = ".$fk_parent;
-		$sql .= " AND fk_product_fils = ".$fk_child;
+		$sql .= " WHERE fk_product_pere  = ".((int) $fk_parent);
+		$sql .= " AND fk_product_fils = ".((int) $fk_child);
 
 		dol_syslog(get_class($this).'::del_sousproduit', LOG_DEBUG);
 		if (!$this->db->query($sql)) {
@@ -4040,14 +4040,14 @@ class Product extends CommonObject
 
 		$sql = "SELECT rowid";
 		$sql .= " FROM ".MAIN_DB_PREFIX."product_fournisseur_price";
-		$sql .= " WHERE fk_soc = ".$id_fourn;
+		$sql .= " WHERE fk_soc = ".((int) $id_fourn);
 		if ($ref_fourn) {
 			$sql .= " AND ref_fourn = '".$this->db->escape($ref_fourn)."'";
 		} else {
 			$sql .= " AND (ref_fourn = '' OR ref_fourn IS NULL)";
 		}
-		$sql .= " AND quantity = ".$quantity;
-		$sql .= " AND fk_product = ".$this->id;
+		$sql .= " AND quantity = ".((float) $quantity);
+		$sql .= " AND fk_product = ".((int) $this->id);
 		$sql .= " AND entity IN (".getEntity('productsupplierprice').")";
 
 		$resql = $this->db->query($sql);
@@ -4198,7 +4198,7 @@ class Product extends CommonObject
 		$sql .= ", multicurrency_price";
 		$sql .= ", multicurrency_price_ttc";
 		$sql .= " FROM ".MAIN_DB_PREFIX."product_price";
-		$sql .= " WHERE fk_product = ".$fromId;
+		$sql .= " WHERE fk_product = ".((int) $fromId);
 		$sql .= " ORDER BY date_price DESC";
 		if ($conf->global->PRODUIT_MULTIPRICES_LIMIT > 0) {
 			$sql .= " LIMIT ".$conf->global->PRODUIT_MULTIPRICES_LIMIT;
@@ -4230,7 +4230,7 @@ class Product extends CommonObject
 
 		$sql = 'INSERT INTO '.MAIN_DB_PREFIX.'product_association (fk_product_pere, fk_product_fils, qty)';
 		$sql .= " SELECT ".$toId.", fk_product_fils, qty FROM ".MAIN_DB_PREFIX."product_association";
-		$sql .= " WHERE fk_product_pere = ".$fromId;
+		$sql .= " WHERE fk_product_pere = ".((int) $fromId);
 
 		dol_syslog(get_class($this).'::clone_association', LOG_DEBUG);
 		if (!$this->db->query($sql)) {
@@ -4262,7 +4262,7 @@ class Product extends CommonObject
 		. " datec, fk_product, fk_soc, ref_fourn, fk_user_author )"
 		. " SELECT '".$this->db->idate($now)."', ".$toId.", fk_soc, ref_fourn, fk_user_author"
 		. " FROM ".MAIN_DB_PREFIX."product_fournisseur"
-		. " WHERE fk_product = ".$fromId;
+		. " WHERE fk_product = ".((int) $fromId);
 
 		if ( ! $this->db->query($sql ) )
 		{
@@ -4273,9 +4273,9 @@ class Product extends CommonObject
 		// les prix de fournisseurs.
 		$sql = "INSERT ".MAIN_DB_PREFIX."product_fournisseur_price (";
 		$sql .= " datec, fk_product, fk_soc, price, quantity, fk_user)";
-		$sql .= " SELECT '".$this->db->idate($now)."', ".$toId.", fk_soc, price, quantity, fk_user";
+		$sql .= " SELECT '".$this->db->idate($now)."', ".((int) $toId).", fk_soc, price, quantity, fk_user";
 		$sql .= " FROM ".MAIN_DB_PREFIX."product_fournisseur_price";
-		$sql .= " WHERE fk_product = ".$fromId;
+		$sql .= " WHERE fk_product = ".((int) $fromId);
 
 		dol_syslog(get_class($this).'::clone_fournisseurs', LOG_DEBUG);
 		$resql = $this->db->query($sql);
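Review bot: `$toId` is cast in the last hunk (clone_fournisseurs INSERT ... SELECT) but still concatenated raw in the two hunks before it: `" SELECT ".$toId.", fk_product_fils, qty FROM "` in clone_association and `. " SELECT '".$this->db->idate($now)."', ".$toId.", fk_soc, ref_fourn, fk_user_author"` in the product_fournisseur copy; both should use `((int) $toId)` so the rule applied to `$fromId` holds for the whole statement. In the earlier hunks `$fk_soc` and `$product_id` are guarded by `> 0` checks before the cast, which is fine. Every enclosing method starts outside its hunk.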

+ 1 - 1
htdocs/product/class/productcustomerprice.class.php

@@ -814,7 +814,7 @@ class Productcustomerprice extends CommonObject
 		// Find all susidiaries
 		$sql = "SELECT s.rowid";
 		$sql .= " FROM ".MAIN_DB_PREFIX."societe as s";
-		$sql .= " WHERE s.parent = ".$this->fk_soc;
+		$sql .= " WHERE s.parent = ".((int) $this->fk_soc);
 		$sql .= " AND s.entity IN (".getEntity('societe').")";
 
 		dol_syslog(get_class($this)."::setPriceOnAffiliateThirdparty", LOG_DEBUG);

+ 1 - 1
htdocs/product/class/productfournisseurprice.class.php

@@ -438,7 +438,7 @@ class ProductFournisseurPrice extends CommonObject
 			$sql .= " status = ".self::STATUS_VALIDATED;
 			if (!empty($this->fields['date_validation'])) $sql .= ", date_validation = '".$this->db->idate($now)."'";
 			if (!empty($this->fields['fk_user_valid'])) $sql .= ", fk_user_valid = ".$user->id;
-			$sql .= " WHERE rowid = ".$this->id;
+			$sql .= " WHERE rowid = ".((int) $this->id);
 
 			dol_syslog(get_class($this)."::validate()", LOG_DEBUG);
 			$resql = $this->db->query($sql);
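Review bot: The line immediately above the changed one still concatenates `$user->id` uncast (`if (!empty($this->fields['fk_user_valid'])) $sql .= ", fk_user_valid = ".$user->id;`), whereas the same template in myobject.class.php in this commit casts it; it should become `if (!empty($this->fields['fk_user_valid'])) { $sql .= ", fk_user_valid = ".((int) $user->id); }`, which also fixes the brace-less single-line `if` that the project's other hunks do not use. The validate() method starts and ends outside the hunk.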

+ 1 - 1
htdocs/product/class/propalmergepdfproduct.class.php

@@ -239,7 +239,7 @@ class Propalmergepdfproduct extends CommonObject
 
 
 		$sql .= " FROM ".MAIN_DB_PREFIX."propal_merge_pdf_product as t";
-		$sql .= " WHERE t.fk_product = ".$product_id;
+		$sql .= " WHERE t.fk_product = ".((int) $product_id);
 		if ($conf->global->MAIN_MULTILANGS && !empty($lang)) {
 			$sql .= " AND t.lang = '".$this->db->escape($lang)."'";
 		}

+ 1 - 1
htdocs/product/dynamic_price/class/price_expression.class.php

@@ -327,7 +327,7 @@ class PriceExpression
 
 		if (!$error) {
 			$sql = "DELETE FROM ".MAIN_DB_PREFIX.$this->table_element;
-			$sql .= " WHERE rowid = ".$rowid;
+			$sql .= " WHERE rowid = ".((int) $rowid);
 
 			dol_syslog(__METHOD__);
 			$resql = $this->db->query($sql);

+ 1 - 1
htdocs/product/dynamic_price/class/price_global_variable.class.php

@@ -250,7 +250,7 @@ class PriceGlobalVariable
 
 		if (!$error) {
 			$sql = "DELETE FROM ".MAIN_DB_PREFIX.$this->table_element;
-			$sql .= " WHERE rowid = ".$rowid;
+			$sql .= " WHERE rowid = ".((int) $rowid);
 
 			dol_syslog(__METHOD__);
 			$resql = $this->db->query($sql);

+ 1 - 1
htdocs/product/dynamic_price/class/price_global_variable_updater.class.php

@@ -275,7 +275,7 @@ class PriceGlobalVariableUpdater
 
 		if (!$error) {
 			$sql = "DELETE FROM ".MAIN_DB_PREFIX.$this->table_element;
-			$sql .= " WHERE rowid = ".$rowid;
+			$sql .= " WHERE rowid = ".((int) $rowid);
 
 			dol_syslog(__METHOD__);
 			$resql = $this->db->query($sql);

+ 2 - 2
htdocs/product/fournisseurs.php

@@ -793,7 +793,7 @@ END;
 							$sql .= ", ".$key;
 						}
 						$sql .= " FROM ".MAIN_DB_PREFIX."product_fournisseur_price_extrafields";
-						$sql .= " WHERE fk_object = ".$rowid;
+						$sql .= " WHERE fk_object = ".((int) $rowid);
 						$resql = $db->query($sql);
 						if ($resql) {
 							$obj = $db->fetch_object($resql);
@@ -1145,7 +1145,7 @@ END;
 								$sql .= ", ".$key;
 							}
 							$sql .= " FROM ".MAIN_DB_PREFIX."product_fournisseur_price_extrafields";
-							$sql .= " WHERE fk_object = ".$productfourn->product_fourn_price_id;
+							$sql .= " WHERE fk_object = ".((int) $productfourn->product_fourn_price_id);
 							$resql = $db->query($sql);
 							if ($resql) {
 								if ($db->num_rows($resql) != 1) {

+ 2 - 2
htdocs/product/list.php

@@ -473,7 +473,7 @@ if ($searchCategoryProductOperator == 1) {
 		if (intval($searchCategoryProduct) == -2) {
 			$searchCategoryProductSqlList[] = "cp.fk_categorie IS NULL";
 		} elseif (intval($searchCategoryProduct) > 0) {
-			$searchCategoryProductSqlList[] = "p.rowid IN (SELECT fk_product FROM ".MAIN_DB_PREFIX."categorie_product WHERE fk_categorie = ".$searchCategoryProduct.")";
+			$searchCategoryProductSqlList[] = "p.rowid IN (SELECT fk_product FROM ".MAIN_DB_PREFIX."categorie_product WHERE fk_categorie = ".((int) $searchCategoryProduct).")";
 		}
 	}
 	if (!empty($searchCategoryProductSqlList)) {
@@ -1530,7 +1530,7 @@ if ($resql) {
 				// then reuse the cache array if we need prices for other price levels
 				$sqlp = "SELECT p.rowid, p.fk_product, p.price, p.price_ttc, p.price_level, p.date_price, p.price_base_type";
 				$sqlp .= " FROM ".MAIN_DB_PREFIX."product_price as p";
-				$sqlp .= " WHERE fk_product = ".$obj->rowid;
+				$sqlp .= " WHERE fk_product = ".((int) $obj->rowid);
 				$sqlp .= " ORDER BY p.date_price DESC, p.rowid DESC, p.price_level ASC";
 				$resultp = $db->query($sqlp);
 				if ($resultp) {

+ 11 - 11
htdocs/product/price.php

@@ -429,12 +429,12 @@ if (empty($reshook)) {
 			// Ajout / mise à jour
 			if ($rowid > 0) {
 				$sql = "UPDATE ".MAIN_DB_PREFIX."product_price_by_qty SET";
-				$sql .= " price='".$db->escape($price)."',";
-				$sql .= " unitprice=".$unitPrice.",";
-				$sql .= " quantity=".$quantity.",";
-				$sql .= " remise_percent=".$remise_percent.",";
-				$sql .= " remise=".$remise;
-				$sql .= " WHERE rowid = ".$rowid;
+				$sql .= " price=".((float) $price)."',";
+				$sql .= " unitprice=".((float) $unitPrice).",";
+				$sql .= " quantity=".((float) $quantity).",";
+				$sql .= " remise_percent=".((float) $remise_percent).",";
+				$sql .= " remise=".((float) $remise);
+				$sql .= " WHERE rowid = ".((int) $rowid);
 
 				$result = $db->query($sql);
 				if (!$result) {
@@ -442,7 +442,7 @@ if (empty($reshook)) {
 				}
 			} else {
 				$sql = "INSERT INTO ".MAIN_DB_PREFIX."product_price_by_qty (fk_product_price,price,unitprice,quantity,remise_percent,remise) values (";
-				$sql .= $priceid.','.$price.','.$unitPrice.','.$quantity.','.$remise_percent.','.$remise.')';
+				$sql .= ((int) $priceid).','.((float) $price).','.((float) $unitPrice).','.((float) $quantity).','.((float) $remise_percent).','.((float) $remise).')';
 
 				$result = $db->query($sql);
 				if (!$result) {
@@ -460,7 +460,7 @@ if (empty($reshook)) {
 		$rowid = GETPOST('rowid', 'int');
 		if (!empty($rowid)) {
 			$sql = "DELETE FROM ".MAIN_DB_PREFIX."product_price_by_qty";
-			$sql .= " WHERE rowid = ".$rowid;
+			$sql .= " WHERE rowid = ".((int) $rowid);
 
 			$result = $db->query($sql);
 		} else {
@@ -472,7 +472,7 @@ if (empty($reshook)) {
 		$priceid = GETPOST('priceid', 'int');
 		if (!empty($rowid)) {
 			$sql = "DELETE FROM ".MAIN_DB_PREFIX."product_price_by_qty";
-			$sql .= " WHERE fk_product_price = ".$priceid;
+			$sql .= " WHERE fk_product_price = ".((int) $priceid);
 
 			$result = $db->query($sql);
 		} else {
@@ -1413,11 +1413,11 @@ if ((empty($conf->global->PRODUIT_CUSTOMER_PRICES) || $action == 'showlog_defaul
 	$sql .= " p.date_price as dp, p.fk_price_expression, u.rowid as user_id, u.login";
 	$sql .= " FROM ".MAIN_DB_PREFIX."product_price as p,";
 	$sql .= " ".MAIN_DB_PREFIX."user as u";
-	$sql .= " WHERE fk_product = ".$object->id;
+	$sql .= " WHERE fk_product = ".((int) $object->id);
 	$sql .= " AND p.entity IN (".getEntity('productprice').")";
 	$sql .= " AND p.fk_user_author = u.rowid";
 	if (!empty($socid) && !empty($conf->global->PRODUIT_MULTIPRICES)) {
-		$sql .= " AND p.price_level = ".$soc->price_level;
+		$sql .= " AND p.price_level = ".((int) $soc->price_level);
 	}
 	$sql .= " ORDER BY p.date_price DESC, p.rowid DESC, p.price_level ASC";
 	// $sql .= $db->plimit();
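Review bot: The first hunk leaves a stray quote: `$sql .= " price=".((float) $price)."',";` now emits `price=12.5',` (the closing `'` from the removed escaped form survived), which is a SQL syntax error, so updating an existing price-by-quantity row always fails; the line should be `$sql .= " price=".((float) $price).",";`. The INSERT branch in the next hunk is consistent and needs no change. The fourth hunk's delete-by-priceid branch appears to test `!empty($rowid)` rather than `$priceid` before running `DELETE ... WHERE fk_product_price = ((int) $priceid)`; that is pre-existing, but worth confirming since a missing `priceid` would yield `fk_product_price = 0`. The enclosing action blocks start and end outside the hunks.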

+ 8 - 8
htdocs/product/stock/class/mouvementstock.class.php

@@ -488,7 +488,7 @@ class MouvementStock extends CommonObject
 			if (!$error)
 			{
 				$sql = "SELECT rowid, reel FROM ".MAIN_DB_PREFIX."product_stock";
-				$sql .= " WHERE fk_entrepot = ".$entrepot_id." AND fk_product = ".$fk_product; // This is a unique key
+				$sql .= " WHERE fk_entrepot = ".((int) $entrepot_id)." AND fk_product = ".((int) $fk_product); // This is a unique key
 
 				dol_syslog(get_class($this)."::_create check if a record already exists in product_stock", LOG_DEBUG);
 				$resql = $this->db->query($sql);
@@ -544,12 +544,12 @@ class MouvementStock extends CommonObject
 			{
 				if ($alreadyarecord > 0)
 				{
-					$sql = "UPDATE ".MAIN_DB_PREFIX."product_stock SET reel = reel + ".$qty;
-					$sql .= " WHERE fk_entrepot = ".$entrepot_id." AND fk_product = ".$fk_product;
+					$sql = "UPDATE ".MAIN_DB_PREFIX."product_stock SET reel = reel + ".((float) $qty);
+					$sql .= " WHERE fk_entrepot = ".((int) $entrepot_id)." AND fk_product = ".((int) $fk_product);
 				} else {
 					$sql = "INSERT INTO ".MAIN_DB_PREFIX."product_stock";
 					$sql .= " (reel, fk_entrepot, fk_product) VALUES ";
-					$sql .= " (".$qty.", ".$entrepot_id.", ".$fk_product.")";
+					$sql .= " (".((float) $qty).", ".((int) $entrepot_id).", ".((int) $fk_product).")";
 				}
 
 				dol_syslog(get_class($this)."::_create update stock value", LOG_DEBUG);
@@ -602,7 +602,7 @@ class MouvementStock extends CommonObject
 				$newpmp = price2num($newpmp, 'MU');
 
 				// $sql = "UPDATE ".MAIN_DB_PREFIX."product SET pmp = ".$newpmp.", stock = ".$this->db->ifsql("stock IS NULL", 0, "stock") . " + ".$qty;
-				// $sql.= " WHERE rowid = ".$fk_product;
+				// $sql.= " WHERE rowid = ".((int) $fk_product);
 				// Update pmp + denormalized fields because we change content of produt_stock. Warning: Do not use "SET p.stock", does not works with pgsql
 				$sql = "UPDATE ".MAIN_DB_PREFIX."product as p SET pmp = ".((float) $newpmp).",";
 				$sql .= " stock=(SELECT SUM(ps.reel) FROM ".MAIN_DB_PREFIX."product_stock as ps WHERE ps.fk_product = p.rowid)";
@@ -763,7 +763,7 @@ class MouvementStock extends CommonObject
 
 		$sql = "SELECT fk_product_pere, fk_product_fils, qty";
 		$sql .= " FROM ".MAIN_DB_PREFIX."product_association";
-		$sql .= " WHERE fk_product_pere = ".$idProduct;
+		$sql .= " WHERE fk_product_pere = ".((int) $idProduct);
 		$sql .= " AND incdec = 1";
 
 		dol_syslog(get_class($this)."::_createSubProduct for parent product ".$idProduct, LOG_DEBUG);
@@ -875,7 +875,7 @@ class MouvementStock extends CommonObject
 		$nbSP=0;
 
 		$resql = "SELECT count(*) as nb FROM ".MAIN_DB_PREFIX."product_association";
-		$resql.= " WHERE fk_product_pere = ".$id;
+		$resql.= " WHERE fk_product_pere = ".((int) $id);
 		if ($this->db->query($resql))
 		{
 			$obj=$this->db->fetch_object($resql);
@@ -1284,7 +1284,7 @@ class MouvementStock extends CommonObject
 		$sql = "SELECT sum(pb.qty) as cpt";
 		$sql .= " FROM ".MAIN_DB_PREFIX."product_batch as pb";
 		$sql .= " INNER JOIN ".MAIN_DB_PREFIX."product_stock as ps ON ps.rowid = pb.fk_product_stock";
-		$sql .= " WHERE ps.fk_product = " . $fk_product;
+		$sql .= " WHERE ps.fk_product = " . ((int) $fk_product);
 		$sql .= " AND pb.batch = '" . $this->db->escape($batch) . "'";
 
 		$result = $this->db->query($sql);
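Review bot: In the `@@ -875` hunk `fetch_object()` is handed the SQL text instead of the result set: `$resql` holds the query string, the resource returned by `$this->db->query($resql)` is discarded inside the `if`, and the next line reads `$obj=$this->db->fetch_object($resql);`. Rename and keep the handle, `$sql = "SELECT count(*) as nb FROM "...; $resql = $this->db->query($sql); if ($resql) { $obj = $this->db->fetch_object($resql);`, so the count actually comes back from the database. The cast to `((int) $id)` is correct but does not touch this path. The enclosing method starts and ends outside the hunk.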

+ 1 - 1
htdocs/product/stock/class/productlot.class.php

@@ -275,7 +275,7 @@ class Productlot extends CommonObject
 		$sql .= " t.import_key";
 		$sql .= ' FROM '.MAIN_DB_PREFIX.$this->table_element.' as t';
 		if ($product_id > 0 && $batch != '') {
-			$sql .= " WHERE t.batch = '".$this->db->escape($batch)."' AND t.fk_product = ".$product_id;
+			$sql .= " WHERE t.batch = '".$this->db->escape($batch)."' AND t.fk_product = ".((int) $product_id);
 		} else {
 			$sql .= ' WHERE t.rowid = '.((int) $id);
 		}

+ 1 - 1
htdocs/product/stock/replenish.php

@@ -205,7 +205,7 @@ if ($action == 'order' && GETPOST('valid')) {
 			$order = new CommandeFournisseur($db);
 			// Check if an order for the supplier exists
 			$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."commande_fournisseur";
-			$sql .= " WHERE fk_soc = ".$suppliersid[$i];
+			$sql .= " WHERE fk_soc = ".((int) $suppliersid[$i]);
 			$sql .= " AND source = 42 AND fk_statut = 0";
 			$sql .= " AND entity IN (".getEntity('commande_fournisseur').")";
 			$sql .= " ORDER BY date_creation DESC";

+ 8 - 8
htdocs/projet/class/project.class.php

@@ -463,7 +463,7 @@ class Project extends CommonObject
 			$sql .= ", accept_booth_suggestions = ".($this->accept_booth_suggestions ? 1 : 0);
 			$sql .= ", price_registration = ".(strcmp($this->price_registration, '') ? price2num($this->price_registration) : "null");
 			$sql .= ", price_booth = ".(strcmp($this->price_booth, '') ? price2num($this->price_booth) : "null");
-			$sql .= " WHERE rowid = ".$this->id;
+			$sql .= " WHERE rowid = ".((int) $this->id);
 
 			dol_syslog(get_class($this)."::update", LOG_DEBUG);
 			$resql = $this->db->query($sql);
@@ -783,7 +783,7 @@ class Project extends CommonObject
 		// Remove linked categories.
 		if (!$error) {
 			$sql = "DELETE FROM ".MAIN_DB_PREFIX."categorie_project";
-			$sql .= " WHERE fk_project = ".$this->id;
+			$sql .= " WHERE fk_project = ".((int) $this->id);
 
 			$result = $this->db->query($sql);
 			if (!$result) {
@@ -808,7 +808,7 @@ class Project extends CommonObject
 			foreach ($elements as $table) {
 				if (!$error) {
 					$sql = "DELETE FROM ".MAIN_DB_PREFIX.$table;
-					$sql .= " WHERE fk_project = ".$this->id;
+					$sql .= " WHERE fk_project = ".((int) $this->id);
 
 					$result = $this->db->query($sql);
 					if (!$result) {
@@ -900,17 +900,17 @@ class Project extends CommonObject
 		if ($type == 'agenda') {
 			$sql = "SELECT COUNT(id) as nb FROM ".MAIN_DB_PREFIX."actioncomm WHERE fk_project = ".$this->id." AND entity IN (".getEntity('agenda').")";
 		} elseif ($type == 'expensereport') {
-			$sql = "SELECT COUNT(ed.rowid) as nb FROM ".MAIN_DB_PREFIX."expensereport as e, ".MAIN_DB_PREFIX."expensereport_det as ed WHERE e.rowid = ed.fk_expensereport AND e.entity IN (".getEntity('expensereport').") AND ed.fk_projet = ".$this->id;
+			$sql = "SELECT COUNT(ed.rowid) as nb FROM ".MAIN_DB_PREFIX."expensereport as e, ".MAIN_DB_PREFIX."expensereport_det as ed WHERE e.rowid = ed.fk_expensereport AND e.entity IN (".getEntity('expensereport').") AND ed.fk_projet = ".((int) $this->id);
 		} elseif ($type == 'project_task') {
 			$sql = "SELECT DISTINCT COUNT(pt.rowid) as nb FROM ".MAIN_DB_PREFIX."projet_task as pt WHERE pt.fk_projet = ".$this->id;
 		} elseif ($type == 'project_task_time') {	// Case we want to duplicate line foreach user
-			$sql = "SELECT DISTINCT COUNT(pt.rowid) as nb FROM ".MAIN_DB_PREFIX."projet_task as pt, ".MAIN_DB_PREFIX."projet_task_time as ptt WHERE pt.rowid = ptt.fk_task AND pt.fk_projet = ".$this->id;
+			$sql = "SELECT DISTINCT COUNT(pt.rowid) as nb FROM ".MAIN_DB_PREFIX."projet_task as pt, ".MAIN_DB_PREFIX."projet_task_time as ptt WHERE pt.rowid = ptt.fk_task AND pt.fk_projet = ".((int) $this->id);
 		} elseif ($type == 'stock_mouvement') {
-			$sql = 'SELECT COUNT(ms.rowid) as nb FROM '.MAIN_DB_PREFIX."stock_mouvement as ms, ".MAIN_DB_PREFIX."entrepot as e WHERE e.rowid = ms.fk_entrepot AND e.entity IN (".getEntity('stock').") AND ms.origintype = 'project' AND ms.fk_origin = ".$this->id." AND ms.type_mouvement = 1";
+			$sql = 'SELECT COUNT(ms.rowid) as nb FROM '.MAIN_DB_PREFIX."stock_mouvement as ms, ".MAIN_DB_PREFIX."entrepot as e WHERE e.rowid = ms.fk_entrepot AND e.entity IN (".getEntity('stock').") AND ms.origintype = 'project' AND ms.fk_origin = ".((int) $this->id)." AND ms.type_mouvement = 1";
 		} elseif ($type == 'loan') {
-			$sql = 'SELECT COUNT(l.rowid) as nb FROM '.MAIN_DB_PREFIX."loan as l WHERE l.entity IN (".getEntity('loan').") AND l.fk_projet = ".$this->id;
+			$sql = 'SELECT COUNT(l.rowid) as nb FROM '.MAIN_DB_PREFIX."loan as l WHERE l.entity IN (".getEntity('loan').") AND l.fk_projet = ".((int) $this->id);
 		} else {
-			$sql = "SELECT COUNT(rowid) as nb FROM ".MAIN_DB_PREFIX.$tablename." WHERE ".$projectkey." = ".$this->id." AND entity IN (".getEntity($type).")";
+			$sql = "SELECT COUNT(rowid) as nb FROM ".MAIN_DB_PREFIX.$tablename." WHERE ".$projectkey." = ".((int) $this->id)." AND entity IN (".getEntity($type).")";
 		}
 
 		$result = $this->db->query($sql);
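Review bot: The cast is applied to only part of the `if` chain in the `@@ -900` hunk: the `agenda` branch (`fk_project = ".$this->id."`) and the `project_task` branch (`pt.fk_projet = ".$this->id`) still interpolate `$this->id` unchanged while the neighbouring branches get `((int) $this->id)`. The same half-applied pattern is visible in the societe.class.php section (`fk_soc = ".$this->id." AND fk_user = ".((int) $commid)`, twice), in the paymentmodes.php section (`fk_soc = ".$object->id." AND status = ".((int) $servicestatus)`, three times) and in the user.class.php section (`fk_user = ".$this->id." AND fk_id = ".((int) $nid)`). In the final `else` branch `$tablename` and `$projectkey` are also concatenated raw; presumably they come from a fixed mapping earlier in the method, which lies outside the hunk, but that is worth confirming.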

+ 3 - 3
htdocs/projet/class/task.class.php

@@ -1317,9 +1317,9 @@ class Task extends CommonObject
 		$sql .= " SUM(t.task_duration) as nbseconds,";
 		$sql .= " SUM(t.task_duration / 3600 * ".$this->db->ifsql("t.thm IS NULL", 0, "t.thm").") as amount, SUM(".$this->db->ifsql("t.thm IS NULL", 1, 0).") as nblinesnull";
 		$sql .= " FROM ".MAIN_DB_PREFIX."projet_task_time as t";
-		$sql .= " WHERE t.fk_task = ".$id;
+		$sql .= " WHERE t.fk_task = ".((int) $id);
 		if (is_object($fuser) && $fuser->id > 0) {
-			$sql .= " AND fk_user = ".$fuser->id;
+			$sql .= " AND fk_user = ".((int) $fuser->id);
 		}
 		if ($dates > 0) {
 			$datefieldname = "task_datehour";
@@ -1553,7 +1553,7 @@ class Task extends CommonObject
 
 			$sql = "UPDATE ".MAIN_DB_PREFIX."projet_task";
 			$sql .= " SET duration_effective = (SELECT SUM(task_duration) FROM ".MAIN_DB_PREFIX."projet_task_time as ptt where ptt.fk_task = ".((int) $this->id).")";
-			$sql .= " WHERE rowid = ".$this->id;
+			$sql .= " WHERE rowid = ".((int) $this->id);
 
 			dol_syslog(get_class($this)."::updateTimeSpent", LOG_DEBUG);
 			if (!$this->db->query($sql)) {

+ 1 - 1
htdocs/public/members/public_list.php

@@ -131,7 +131,7 @@ llxHeaderVierge($langs->trans("ListOfValidatedPublicMembers"), $morehead);
 
 $sql = "SELECT rowid, firstname, lastname, societe, zip, town, email, birth, photo";
 $sql .= " FROM ".MAIN_DB_PREFIX."adherent";
-$sql .= " WHERE entity = ".$entity;
+$sql .= " WHERE entity = ".((int) $entity);
 $sql .= " AND statut = 1";
 $sql .= " AND public = 1";
 $sql .= $db->order($sortfield, $sortorder);

+ 1 - 1
htdocs/public/stripe/ipn.php

@@ -373,7 +373,7 @@ if ($event->type == 'payout.created') {
 	}
 } elseif ($event->type == 'payment_method.detached') {
 	$db->begin();
-	$sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_rib WHERE number = '".$db->escape($event->data->object->id)."' and status = ".$servicestatus;
+	$sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_rib WHERE number = '".$db->escape($event->data->object->id)."' and status = ".((int) $servicestatus);
 	$db->query($sql);
 	$db->commit();
 } elseif ($event->type == 'charge.succeeded') {
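Review bot: The `payment_method.detached` branch commits unconditionally: `$db->query($sql);` discards its return value and `$db->commit();` follows on the next line, so a failed DELETE is committed silently and leaves no trace in the log. Keep the result and branch on it, `$resql = $db->query($sql); if ($resql) { $db->commit(); } else { dol_syslog("ipn: ".$db->lasterror(), LOG_ERR); $db->rollback(); }`, which is the check the other query sites in this commit already perform. The surrounding event dispatch continues outside the hunk.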

+ 1 - 1
htdocs/reception/class/reception.class.php

@@ -1410,7 +1410,7 @@ class Reception extends CommonObject
 		if (!empty($this->shipping_method_id)) {
 			$sql = "SELECT em.code, em.tracking";
 			$sql .= " FROM ".MAIN_DB_PREFIX."c_shipment_mode as em";
-			$sql .= " WHERE em.rowid = ".$this->shipping_method_id;
+			$sql .= " WHERE em.rowid = ".((int) $this->shipping_method_id);
 
 			$resql = $this->db->query($sql);
 			if ($resql) {

+ 3 - 3
htdocs/resource/element_resource.php

@@ -118,7 +118,7 @@ if (empty($reshook)) {
 				$sql .= " FROM ".MAIN_DB_PREFIX."element_resources as er";
 				$sql .= " INNER JOIN ".MAIN_DB_PREFIX."resource as r ON r.rowid = er.resource_id AND er.resource_type = '".$db->escape($resource_type)."'";
 				$sql .= " INNER JOIN ".MAIN_DB_PREFIX."actioncomm as ac ON ac.id = er.element_id AND er.element_type = '".$db->escape($objstat->element)."'";
-				$sql .= " WHERE er.resource_id = ".$resource_id;
+				$sql .= " WHERE er.resource_id = ".((int) $resource_id);
 				$sql .= " AND er.busy = 1";
 				$sql .= " AND (";
 
@@ -193,8 +193,8 @@ if (empty($reshook)) {
 				$sql .= " FROM ".MAIN_DB_PREFIX."element_resources as er";
 				$sql .= " INNER JOIN ".MAIN_DB_PREFIX."resource as r ON r.rowid = er.resource_id AND er.resource_type = '".$db->escape($object->resource_type)."'";
 				$sql .= " INNER JOIN ".MAIN_DB_PREFIX."actioncomm as ac ON ac.id = er.element_id AND er.element_type = '".$db->escape($object->element_type)."'";
-				$sql .= " WHERE er.resource_id = ".$object->resource_id;
-				$sql .= " AND ac.id != ".$object->element_id;
+				$sql .= " WHERE er.resource_id = ".((int) $object->resource_id);
+				$sql .= " AND ac.id <> ".((int) $object->element_id);
 				$sql .= " AND er.busy = 1";
 				$sql .= " AND (";
 

+ 1 - 1
htdocs/salaries/card.php

@@ -780,7 +780,7 @@ if ($id) {
 	$sql .= ' LEFT JOIN '.MAIN_DB_PREFIX.'bank_account as ba ON b.fk_account = ba.rowid';
 	$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_paiement as c ON p.fk_typepayment = c.id";
 	$sql .= ", ".MAIN_DB_PREFIX."salary as salaire";
-	$sql .= " WHERE p.fk_salary = ".$id;
+	$sql .= " WHERE p.fk_salary = ".((int) $id);
 	$sql .= " AND p.fk_salary = salaire.rowid";
 	$sql .= " AND salaire.entity IN (".getEntity('tax').")";
 	$sql .= " ORDER BY dp DESC";

+ 2 - 2
htdocs/salaries/class/salariesstats.class.php

@@ -64,7 +64,7 @@ class SalariesStats extends Stats
 
 		$this->where = " entity = ".$conf->entity;
 		if ($this->socid > 0) {
-			$this->where .= " AND fk_soc = ".$this->socid;
+			$this->where .= " AND fk_soc = ".((int) $this->socid);
 		}
 		if (is_array($this->userid) && count($this->userid) > 0) {
 			$this->where .= ' AND fk_user IN ('.$this->db->sanitize(join(',', $this->userid)).')';
@@ -101,7 +101,7 @@ class SalariesStats extends Stats
 	{
 		$sql = "SELECT MONTH(datep) as dm, count(*)";
 		$sql .= " FROM ".$this->from;
-		$sql .= " WHERE YEAR(datep) = ".$year;
+		$sql .= " WHERE YEAR(datep) = ".((int) $year);
 		$sql .= " AND ".$this->where;
 		$sql .= " GROUP BY dm";
 		$sql .= $this->db->order('dm', 'DESC');

+ 2 - 2
htdocs/salaries/paiement_salary.php

@@ -188,12 +188,12 @@ if ($action == 'create') {
 
 	$sql = "SELECT sum(p.amount) as total";
 	$sql .= " FROM ".MAIN_DB_PREFIX."payment_salary as p";
-	$sql .= " WHERE p.fk_salary = ".$chid;
+	$sql .= " WHERE p.fk_salary = ".((int) $chid);
 	$resql = $db->query($sql);
 	if ($resql) {
 		$obj = $db->fetch_object($resql);
 		$sumpaid = $obj->total;
-		$db->free();
+		$db->free($resql);
 	}
 	/*print '<tr><td>'.$langs->trans("AlreadyPaid").'</td><td>'.price($sumpaid,0,$outputlangs,1,-1,-1,$conf->currency).'</td></tr>';
 	print '<tr><td class="tdtop">'.$langs->trans("RemainderToPay").'</td><td>'.price($total-$sumpaid,0,$outputlangs,1,-1,-1,$conf->currency).'</td></tr>';*/

+ 6 - 6
htdocs/societe/class/api_thirdparties.class.php

@@ -1017,7 +1017,7 @@ class Thirdparties extends DolibarrApi
 
 		$sql = "SELECT f.ref, f.type as factype, re.fk_facture_source, re.rowid, re.amount_ht, re.amount_tva, re.amount_ttc, re.description, re.fk_facture, re.fk_facture_line";
 		$sql .= " FROM ".MAIN_DB_PREFIX."societe_remise_except as re, ".MAIN_DB_PREFIX."facture as f";
-		$sql .= " WHERE f.rowid = re.fk_facture_source AND re.fk_soc = ".$id;
+		$sql .= " WHERE f.rowid = re.fk_facture_source AND re.fk_soc = ".((int) $id);
 		if ($filter == "available") {
 			$sql .= " AND re.fk_facture IS NULL AND re.fk_facture_line IS NULL";
 		}
@@ -1155,7 +1155,7 @@ class Thirdparties extends DolibarrApi
 		$sql .= " owner_address, default_rib, label, datec, tms as datem, rum, frstrecur";
 		$sql .= " FROM ".MAIN_DB_PREFIX."societe_rib";
 		if ($id) {
-			$sql .= " WHERE fk_soc  = ".$id." ";
+			$sql .= " WHERE fk_soc  = ".((int) $id);
 		}
 
 
@@ -1505,7 +1505,7 @@ class Thirdparties extends DolibarrApi
 			throw new RestException(422, 'Unprocessable Entity: You must pass the site attribute in your request data !');
 		}
 
-		$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc  = ".$id." AND site = '".$this->db->escape($request_data['site'])."'";
+		$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc  = ".((int) $id)." AND site = '".$this->db->escape($request_data['site'])."'";
 		$result = $this->db->query($sql);
 
 		if ($result && $this->db->num_rows($result) == 0) {
@@ -1585,7 +1585,7 @@ class Thirdparties extends DolibarrApi
 			// We found an existing SocieteAccount entity, we are replacing it
 		} else {
 			if (isset($request_data['site']) && $request_data['site'] !== $site) {
-				$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc  = ".$id." AND site = '".$this->db->escape($request_data['site'])."' ";
+				$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc  = ".((int) $id)." AND site = '".$this->db->escape($request_data['site'])."' ";
 				$result = $this->db->query($sql);
 
 				if ($result && $this->db->num_rows($result) !== 0) {
@@ -1649,7 +1649,7 @@ class Thirdparties extends DolibarrApi
 		} else {
 			// If the user tries to edit the site member, we check first if
 			if (isset($request_data['site']) && $request_data['site'] !== $site) {
-				$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc  = ".$id." AND site = '".$this->db->escape($request_data['site'])."' ";
+				$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc  = ".((int) $id)." AND site = '".$this->db->escape($request_data['site'])."' ";
 				$result = $this->db->query($sql);
 
 				if ($result && $this->db->num_rows($result) !== 0) {
@@ -1733,7 +1733,7 @@ class Thirdparties extends DolibarrApi
 		 */
 
 		$sql = "SELECT rowid, fk_soc, key_account, site, date_creation, tms";
-		$sql .= " FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = ".$id;
+		$sql .= " FROM ".MAIN_DB_PREFIX."societe_account WHERE fk_soc = ".((int) $id);
 
 		$result = $this->db->query($sql);
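Review bot: The lookup `SELECT rowid FROM ... societe_account WHERE fk_soc  = ... AND site = '...'` is now hand-built three times in this file (the `@@ -1505`, `@@ -1585` and `@@ -1649` hunks), each carrying the same cast and `escape()` call. A single private helper, e.g. `private function findSocieteAccountRow(int $socid, string $site)` that builds and runs the query, would keep the three sites identical the next time one of them needs a change and make the parameter handling reviewable in one place. The trailing space dropped from the `@@ -1155` hunk's `fk_soc  = ` line is still present in the other two (`."' "`); harmless, but the double space in `fk_soc  =` survives in all of them.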
 

+ 1 - 1
htdocs/societe/class/client.class.php

@@ -104,7 +104,7 @@ class Client extends Societe
 
 		$sql = "SELECT id, code, libelle as label, picto FROM ".MAIN_DB_PREFIX."c_stcomm";
 		if ($active >= 0) {
-			$sql .= " WHERE active = ".$active;
+			$sql .= " WHERE active = ".((int) $active);
 		}
 		$resql = $this->db->query($sql);
 		$num = $this->db->num_rows($resql);
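Review bot: `$num = $this->db->num_rows($resql);` runs directly after the query without checking `$resql`, so a failed query hands `false` to `num_rows()` instead of being reported. Insert a guard between the two lines, `if (!$resql) { dol_print_error($this->db); return -1; }` (or whatever error value this method's contract uses — its signature is outside the hunk), matching the `if (!$resql) { dol_print_error($db); }` pattern used in consumption.php in this same commit.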

+ 5 - 5
htdocs/societe/class/companybankaccount.class.php

@@ -217,12 +217,12 @@ class CompanyBankAccount extends Account
 			$sql .= " WHERE rowid = ".((int) $id);
 		}
 		if ($socid) {
-			$sql .= " WHERE fk_soc  = ".$socid;
+			$sql .= " WHERE fk_soc  = ".((int) $socid);
 			if ($default > -1) {
-				$sql .= " AND default_rib = ".$this->db->escape($default);
+				$sql .= " AND default_rib = ".((int) $default);
 			}
 			if ($type) {
-				$sql .= " AND type ='".$this->db->escape($type)."'";
+				$sql .= " AND type = '".$this->db->escape($type)."'";
 			}
 		}
 
@@ -351,12 +351,12 @@ class CompanyBankAccount extends Account
 				$this->db->begin();
 
 				$sql2 = "UPDATE ".MAIN_DB_PREFIX."societe_rib SET default_rib = 0";
-				$sql2 .= " WHERE type = 'ban' AND fk_soc = ".$obj->fk_soc;
+				$sql2 .= " WHERE type = 'ban' AND fk_soc = ".((int) $obj->fk_soc);
 				dol_syslog(get_class($this).'::setAsDefault', LOG_DEBUG);
 				$result2 = $this->db->query($sql2);
 
 				$sql3 = "UPDATE ".MAIN_DB_PREFIX."societe_rib SET default_rib = 1";
-				$sql3 .= " WHERE rowid = ".$obj->id;
+				$sql3 .= " WHERE rowid = ".((int) $obj->id);
 				dol_syslog(get_class($this).'::setAsDefault', LOG_DEBUG);
 				$result3 = $this->db->query($sql3);
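Review bot: In the `@@ -217` hunk the `if ($socid)` branch appends a second `WHERE fk_soc = ...` clause after the `WHERE rowid = ...` clause on the hunk's first context line, so a call passing both an id and a socid would produce invalid SQL; the condition guarding the first clause is outside the hunk, so the two may already be exclusive — worth confirming. Making it `} elseif ($socid) {`, or collecting conditions in an array and joining them with `AND`, would make the paths exclusive by construction. Replacing `$this->db->escape($default)` with `((int) $default)` is the right move for what is evidently an integer flag.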
 

+ 3 - 3
htdocs/societe/class/companypaymentmode.class.php

@@ -318,7 +318,7 @@ class CompanyPaymentMode extends CommonObject
 	public function fetch($id, $ref = null, $socid = 0, $type = '', $morewhere = '')
 	{
 		if ($socid) {
-			$morewhere .= " AND fk_soc  = ".$this->db->escape($socid)." AND default_rib = 1";
+			$morewhere .= " AND fk_soc = ".((int) $socid)." AND default_rib = 1";
 		}
 		if ($type) {
 			$morewhere .= " AND type = '".$this->db->escape($type)."'";
@@ -464,7 +464,7 @@ class CompanyPaymentMode extends CommonObject
 				$this->db->begin();
 
 				$sql2 = "UPDATE ".MAIN_DB_PREFIX."societe_rib SET default_rib = 0, tms = tms";
-				$sql2 .= " WHERE default_rib <> 0 AND fk_soc = ".$obj->fk_soc;
+				$sql2 .= " WHERE default_rib <> 0 AND fk_soc = ".((int) $obj->fk_soc);
 				if ($type) {
 					$sql2 .= " AND type = '".$this->db->escape($type)."'";
 				}
@@ -472,7 +472,7 @@ class CompanyPaymentMode extends CommonObject
 				$result2 = $this->db->query($sql2);
 
 				$sql3 = "UPDATE ".MAIN_DB_PREFIX."societe_rib SET default_rib = 1";
-				$sql3 .= " WHERE rowid = ".$obj->id;
+				$sql3 .= " WHERE rowid = ".((int) $obj->id);
 				if ($type) {
 					$sql3 .= " AND type = '".$this->db->escape($type)."'";
 				}
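Review bot: `$morewhere` is a public parameter of `fetch()` that is concatenated into the query verbatim (the `$morewhere .= " AND fk_soc = ".((int) $socid)...` line only extends it), so the new cast covers `$socid` but nothing in the signature states that the argument itself must be a trusted SQL fragment. Add a docblock line on the method, `@param string $morewhere  Extra SQL condition; must be a trusted, already-escaped fragment and never derived from request input`, so callers do not treat it like a filter value. The body of `fetch()` continues outside the hunk.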

+ 4 - 4
htdocs/societe/class/societe.class.php

@@ -1907,7 +1907,7 @@ class Societe extends CommonObject
 						}
 					} else {
 						$sql = "DELETE FROM ".MAIN_DB_PREFIX.$tabletodelete;
-						$sql .= " WHERE fk_soc = ".$id;
+						$sql .= " WHERE fk_soc = ".((int) $id);
 						if (!$this->db->query($sql)) {
 							$error++;
 							$this->errors[] = $this->db->lasterror();
@@ -1930,7 +1930,7 @@ class Societe extends CommonObject
 			if (!$error) {
 				$sql = "UPDATE ".MAIN_DB_PREFIX."societe";
 				$sql .= " SET parent = NULL";
-				$sql .= " WHERE parent = ".$id;
+				$sql .= " WHERE parent = ".((int) $id);
 				if (!$this->db->query($sql)) {
 					$error++;
 					$this->errors[] = $this->db->lasterror();
@@ -2326,7 +2326,7 @@ class Societe extends CommonObject
 
 			if (!$error) {
 				$sql = "DELETE FROM  ".MAIN_DB_PREFIX."societe_commerciaux";
-				$sql .= " WHERE fk_soc = ".$this->id." AND fk_user =".$commid;
+				$sql .= " WHERE fk_soc = ".$this->id." AND fk_user = ".((int) $commid);
 
 				$resql = $this->db->query($sql);
 				if (!$resql) {
@@ -2389,7 +2389,7 @@ class Societe extends CommonObject
 
 		if ($this->id > 0 && $commid > 0) {
 			$sql  = "DELETE FROM  ".MAIN_DB_PREFIX."societe_commerciaux ";
-			$sql .= " WHERE fk_soc = ".$this->id." AND fk_user =".$commid;
+			$sql .= " WHERE fk_soc = ".$this->id." AND fk_user = ".((int) $commid);
 
 			if (!$this->db->query($sql)) {
 				dol_syslog(get_class($this)."::del_commercial Erreur");

+ 1 - 1
htdocs/societe/class/societeaccount.class.php

@@ -284,7 +284,7 @@ class SocieteAccount extends CommonObject
 	{
 		$sql = "SELECT sa.key_account as key_account, sa.entity";
 		$sql .= " FROM ".MAIN_DB_PREFIX."societe_account as sa";
-		$sql .= " WHERE sa.fk_soc = ".$id;
+		$sql .= " WHERE sa.fk_soc = ".((int) $id);
 		$sql .= " AND sa.entity IN (".getEntity('societe').")";
 		$sql .= " AND sa.site = '".$this->db->escape($site)."' AND sa.status = ".((int) $status);
 		$sql .= " AND sa.key_account IS NOT NULL AND sa.key_account <> ''";

+ 10 - 10
htdocs/societe/consumption.php

@@ -146,7 +146,7 @@ if ($object->client) {
 		print ' <font class="error">('.$langs->trans("WrongCustomerCode").')</font>';
 	}
 	print '</td></tr>';
-	$sql = "SELECT count(*) as nb from ".MAIN_DB_PREFIX."facture where fk_soc = ".$socid;
+	$sql = "SELECT count(*) as nb from ".MAIN_DB_PREFIX."facture where fk_soc = ".((int) $socid);
 	$resql = $db->query($sql);
 	if (!$resql) {
 		dol_print_error($db);
@@ -183,7 +183,7 @@ if ($object->fournisseur) {
 		print ' <font class="error">('.$langs->trans("WrongSupplierCode").')</font>';
 	}
 	print '</td></tr>';
-	$sql = "SELECT count(*) as nb from ".MAIN_DB_PREFIX."commande_fournisseur where fk_soc = ".$socid;
+	$sql = "SELECT count(*) as nb from ".MAIN_DB_PREFIX."commande_fournisseur where fk_soc = ".((int) $socid);
 	$resql = $db->query($sql);
 	if (!$resql) {
 		dol_print_error($db);
@@ -229,7 +229,7 @@ if ($type_element == 'fichinter') { 	// Customer : show products from invoices
 	$documentstatic = new Fichinter($db);
 	$sql_select = 'SELECT f.rowid as doc_id, f.ref as doc_number, \'1\' as doc_type, f.datec as dateprint, f.fk_statut as status, ';
 	$tables_from = MAIN_DB_PREFIX."fichinter as f LEFT JOIN ".MAIN_DB_PREFIX."fichinterdet as d ON d.fk_fichinter = f.rowid"; // Must use left join to work also with option that disable usage of lines.
-	$where = " WHERE f.fk_soc = s.rowid AND s.rowid = ".$socid;
+	$where = " WHERE f.fk_soc = s.rowid AND s.rowid = ".((int) $socid);
 	$where .= " AND f.entity = ".$conf->entity;
 	$dateprint = 'f.datec';
 	$doc_number = 'f.ref';
@@ -239,7 +239,7 @@ if ($type_element == 'invoice') { 	// Customer : show products from invoices
 	$documentstatic = new Facture($db);
 	$sql_select = 'SELECT f.rowid as doc_id, f.ref as doc_number, f.type as doc_type, f.datef as dateprint, f.fk_statut as status, f.paye as paid, ';
 	$tables_from = MAIN_DB_PREFIX."facture as f,".MAIN_DB_PREFIX."facturedet as d";
-	$where = " WHERE f.fk_soc = s.rowid AND s.rowid = ".$socid;
+	$where = " WHERE f.fk_soc = s.rowid AND s.rowid = ".((int) $socid);
 	$where .= " AND d.fk_facture = f.rowid";
 	$where .= " AND f.entity IN (".getEntity('invoice').")";
 	$dateprint = 'f.datef';
@@ -251,7 +251,7 @@ if ($type_element == 'propal') {
 	$documentstatic = new Propal($db);
 	$sql_select = 'SELECT c.rowid as doc_id, c.ref as doc_number, \'1\' as doc_type, c.datep as dateprint, c.fk_statut as status, ';
 	$tables_from = MAIN_DB_PREFIX."propal as c,".MAIN_DB_PREFIX."propaldet as d";
-	$where = " WHERE c.fk_soc = s.rowid AND s.rowid = ".$socid;
+	$where = " WHERE c.fk_soc = s.rowid AND s.rowid = ".((int) $socid);
 	$where .= " AND d.fk_propal = c.rowid";
 	$where .= " AND c.entity = ".$conf->entity;
 	$datePrint = 'c.datep';
@@ -263,7 +263,7 @@ if ($type_element == 'order') {
 	$documentstatic = new Commande($db);
 	$sql_select = 'SELECT c.rowid as doc_id, c.ref as doc_number, \'1\' as doc_type, c.date_commande as dateprint, c.fk_statut as status, ';
 	$tables_from = MAIN_DB_PREFIX."commande as c,".MAIN_DB_PREFIX."commandedet as d";
-	$where = " WHERE c.fk_soc = s.rowid AND s.rowid = ".$socid;
+	$where = " WHERE c.fk_soc = s.rowid AND s.rowid = ".((int) $socid);
 	$where .= " AND d.fk_commande = c.rowid";
 	$where .= " AND c.entity = ".$conf->entity;
 	$dateprint = 'c.date_commande';
@@ -275,7 +275,7 @@ if ($type_element == 'supplier_invoice') { 	// Supplier : Show products from inv
 	$documentstatic = new FactureFournisseur($db);
 	$sql_select = 'SELECT f.rowid as doc_id, f.ref as doc_number, \'1\' as doc_type, f.datef as dateprint, f.fk_statut as status, f.paye as paid, ';
 	$tables_from = MAIN_DB_PREFIX."facture_fourn as f,".MAIN_DB_PREFIX."facture_fourn_det as d";
-	$where = " WHERE f.fk_soc = s.rowid AND s.rowid = ".$socid;
+	$where = " WHERE f.fk_soc = s.rowid AND s.rowid = ".((int) $socid);
 	$where .= " AND d.fk_facture_fourn = f.rowid";
 	$where .= " AND f.entity = ".$conf->entity;
 	$dateprint = 'f.datef';
@@ -287,7 +287,7 @@ if ($type_element == 'supplier_proposal') {
 	$documentstatic = new SupplierProposal($db);
 	$sql_select = 'SELECT c.rowid as doc_id, c.ref as doc_number, \'1\' as doc_type, c.date_valid as dateprint, c.fk_statut as status, ';
 	$tables_from = MAIN_DB_PREFIX."supplier_proposal as c,".MAIN_DB_PREFIX."supplier_proposaldet as d";
-	$where = " WHERE c.fk_soc = s.rowid AND s.rowid = ".$socid;
+	$where = " WHERE c.fk_soc = s.rowid AND s.rowid = ".((int) $socid);
 	$where .= " AND d.fk_supplier_proposal = c.rowid";
 	$where .= " AND c.entity = ".$conf->entity;
 	$dateprint = 'c.date_valid';
@@ -299,7 +299,7 @@ if ($type_element == 'supplier_order') { 	// Supplier : Show products from order
 	$documentstatic = new CommandeFournisseur($db);
 	$sql_select = 'SELECT c.rowid as doc_id, c.ref as doc_number, \'1\' as doc_type, c.date_valid as dateprint, c.fk_statut as status, ';
 	$tables_from = MAIN_DB_PREFIX."commande_fournisseur as c,".MAIN_DB_PREFIX."commande_fournisseurdet as d";
-	$where = " WHERE c.fk_soc = s.rowid AND s.rowid = ".$socid;
+	$where = " WHERE c.fk_soc = s.rowid AND s.rowid = ".((int) $socid);
 	$where .= " AND d.fk_commande = c.rowid";
 	$where .= " AND c.entity = ".$conf->entity;
 	$dateprint = 'c.date_valid';
@@ -312,7 +312,7 @@ if ($type_element == 'contract') { 	// Order
 	$documentstaticline = new ContratLigne($db);
 	$sql_select = 'SELECT c.rowid as doc_id, c.ref as doc_number, \'1\' as doc_type, c.date_contrat as dateprint, d.statut as status, ';
 	$tables_from = MAIN_DB_PREFIX."contrat as c,".MAIN_DB_PREFIX."contratdet as d";
-	$where = " WHERE c.fk_soc = s.rowid AND s.rowid = ".$socid;
+	$where = " WHERE c.fk_soc = s.rowid AND s.rowid = ".((int) $socid);
 	$where .= " AND d.fk_contrat = c.rowid";
 	$where .= " AND c.entity = ".$conf->entity;
 	$dateprint = 'c.date_valid';
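Review bot: In the `propal` branch (`@@ -251` hunk) the variable is assigned as `$datePrint = 'c.datep';` while every other branch in this file assigns `$dateprint` (lowercase p); PHP variable names are case-sensitive, so if the later code reads `$dateprint`, that branch is left with whatever value a previous branch set. The read site is outside the hunks, so this is inferred; if confirmed, change it to `$dateprint = 'c.datep';`. The `contract` branch (`@@ -312` hunk) also selects `c.date_contrat as dateprint` but sets `$dateprint = 'c.date_valid';`, which looks like a copy of the `supplier_order` branch and deserves a second look.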

+ 5 - 5
htdocs/societe/paymentmodes.php

@@ -517,10 +517,10 @@ if (empty($reshook)) {
 			$db->begin();
 
 			if (empty($newcu)) {
-				$sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_account WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity;
+				$sql = "DELETE FROM ".MAIN_DB_PREFIX."societe_account WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND status = ".((int) $servicestatus)." AND entity = ".$conf->entity;
 			} else {
 				$sql = 'SELECT rowid FROM '.MAIN_DB_PREFIX."societe_account";
-				$sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified !
+				$sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND status = ".((int) $servicestatus)." AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified !
 			}
 
 			$resql = $db->query($sql);
@@ -542,7 +542,7 @@ if (empty($reshook)) {
 				} else {
 					$sql = 'UPDATE '.MAIN_DB_PREFIX."societe_account";
 					$sql .= " SET key_account = '".$db->escape(GETPOST('key_account', 'alpha'))."', site_account = '".$db->escape($site_account)."'";
-					$sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND status = ".$servicestatus." AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified !
+					$sql .= " WHERE site = 'stripe' AND (site_account IS NULL or site_account = '' or site_account = '".$db->escape($site_account)."') AND fk_soc = ".$object->id." AND status = ".((int) $servicestatus)." AND entity = ".$conf->entity; // Keep = here for entity. Only 1 record must be modified !
 					$resql = $db->query($sql);
 				}
 			}
@@ -761,7 +761,7 @@ if ($socid && $action != 'edit' && $action != 'create' && $action != 'editcard'
 			print ' <font class="error">('.$langs->trans("WrongCustomerCode").')</font>';
 		}
 		print '</td></tr>';
-		$sql = "SELECT count(*) as nb from ".MAIN_DB_PREFIX."facture where fk_soc = ".$socid;
+		$sql = "SELECT count(*) as nb from ".MAIN_DB_PREFIX."facture where fk_soc = ".((int) $socid);
 		$resql = $db->query($sql);
 		if (!$resql) {
 			dol_print_error($db);
@@ -823,7 +823,7 @@ if ($socid && $action != 'edit' && $action != 'create' && $action != 'editcard'
 			print ' <font class="error">('.$langs->trans("WrongSupplierCode").')</font>';
 		}
 		print '</td></tr>';
-		$sql = "SELECT count(*) as nb from ".MAIN_DB_PREFIX."facture where fk_soc = ".$socid;
+		$sql = "SELECT count(*) as nb from ".MAIN_DB_PREFIX."facture where fk_soc = ".((int) $socid);
 		$resql = $db->query($sql);
 		if (!$resql) {
 			dol_print_error($db);
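Review bot: The block under `WrongSupplierCode` (`@@ -823` hunk) counts rows of `facture` with `fk_soc = ...`, the same table as the customer block in the `@@ -761` hunk; the corresponding supplier block in consumption.php counts `commande_fournisseur`, so this looks like a copy of the customer query. If a supplier figure is intended, the FROM table should be the supplier one (`facture_fourn` or `commande_fournisseur`, depending on what the rows below display, which is outside the hunk).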

+ 1 - 1
htdocs/societe/societecontact.php

@@ -227,7 +227,7 @@ if ($id > 0 || !empty($ref)) {
 			$sql .= " t.libelle as type, t.subscription";
 			$sql .= " FROM ".MAIN_DB_PREFIX."adherent as d";
 			$sql .= ", ".MAIN_DB_PREFIX."adherent_type as t";
-			$sql .= " WHERE d.fk_soc = ".$id;
+			$sql .= " WHERE d.fk_soc = ".((int) $id);
 			$sql .= " AND d.fk_adherent_type = t.rowid";
 
 			dol_syslog("get list sql=".$sql);

+ 1 - 1
htdocs/takepos/receipt.php

@@ -260,7 +260,7 @@ if ($conf->global->TAKEPOS_PRINT_PAYMENT_METHOD) {
 	$sql .= " cp.code";
 	$sql .= " FROM ".MAIN_DB_PREFIX."paiement_facture as pf, ".MAIN_DB_PREFIX."paiement as p";
 	$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_paiement as cp ON p.fk_paiement = cp.id";
-	$sql .= " WHERE pf.fk_paiement = p.rowid AND pf.fk_facture = ".$facid;
+	$sql .= " WHERE pf.fk_paiement = p.rowid AND pf.fk_facture = ".((int) $facid);
 	$sql .= " ORDER BY p.datep";
 	$resql = $db->query($sql);
 	if ($resql) {

+ 1 - 1
htdocs/ticket/class/ticket.class.php

@@ -568,7 +568,7 @@ class Ticket extends CommonObject
 		$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_ticket_severity as severity ON severity.code=t.severity_code";
 
 		if ($id) {
-			$sql .= " WHERE t.rowid = ".$this->db->escape($id);
+			$sql .= " WHERE t.rowid = ".((int) $id);
 		} else {
 			$sql .= " WHERE t.entity IN (".getEntity($this->element, 1).")";
 			if (!empty($ref)) {

+ 1 - 1
htdocs/ticket/class/ticketstats.class.php

@@ -98,7 +98,7 @@ class TicketStats extends Stats
 	{
 		$sql = "SELECT MONTH(datec) as dm, count(*)";
 		$sql .= " FROM ".$this->from;
-		$sql .= " WHERE YEAR(datec) = ".$year;
+		$sql .= " WHERE YEAR(datec) = ".((int) $year);
 		$sql .= " AND ".$this->where;
 		$sql .= " GROUP BY dm";
 		$sql .= $this->db->order('dm', 'DESC');

+ 1 - 1
htdocs/user/class/user.class.php

@@ -871,7 +871,7 @@ class User extends CommonObject
 					$nid = $obj->id;
 
 					$sql = "DELETE FROM ".MAIN_DB_PREFIX."user_rights";
-					$sql .= " WHERE fk_user = ".$this->id." AND fk_id=".$nid;
+					$sql .= " WHERE fk_user = ".$this->id." AND fk_id = ".((int) $nid);
 					$sql .= " AND entity = ".$entity;
 					if (!$this->db->query($sql)) {
 						$error++;

+ 1 - 1
htdocs/webservices/server_contact.php

@@ -503,7 +503,7 @@ function getContactsForThirdParty($authentication, $idthirdparty)
 		$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_departements as d ON c.fk_departement = d.rowid";
 		$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."user as u ON c.rowid = u.fk_socpeople";
 		$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."societe as s ON c.fk_soc = s.rowid";
-		$sql .= " WHERE c.fk_soc = ".$idthirdparty;
+		$sql .= " WHERE c.fk_soc = ".((int) $idthirdparty);
 
 		$resql = $db->query($sql);
 		if ($resql) {

+ 1 - 1
htdocs/webservices/server_productorservice.php

@@ -1006,7 +1006,7 @@ function getProductsForCategory($authentication, $id, $lang = '')
 				$table = "product";
 				$field = "product";
 				$sql  = "SELECT fk_".$field." FROM ".MAIN_DB_PREFIX."categorie_".$table;
-				$sql .= " WHERE fk_categorie = ".$id;
+				$sql .= " WHERE fk_categorie = ".((int) $id);
 				$sql .= " ORDER BY fk_".$field." ASC";
 
 

+ 2 - 2
htdocs/website/class/website.class.php

@@ -1414,10 +1414,10 @@ class Website extends CommonObject
 
 			$sql = "SELECT wp.rowid, wp.lang, wp.pageurl, wp.fk_page";
 			$sql .= " FROM ".MAIN_DB_PREFIX."website_page as wp";
-			$sql .= " WHERE wp.fk_website = ".$website->id;
+			$sql .= " WHERE wp.fk_website = ".((int) $website->id);
 			$sql .= " AND (wp.fk_page = ".((int) $pageid)." OR wp.rowid  = ".((int) $pageid);
 			if ($tmppage->fk_page > 0) {
-				$sql .= " OR wp.fk_page = ".$tmppage->fk_page." OR wp.rowid = ".$tmppage->fk_page;
+				$sql .= " OR wp.fk_page = ".((int) $tmppage->fk_page)." OR wp.rowid = ".((int) $tmppage->fk_page);
 			}
 			$sql .= ")";