
Fix escaping

Laurent Destailleur 4 years ago
parent
commit
c191dd1a34

+ 2 - 2
htdocs/cashdesk/facturation.php

@@ -42,7 +42,7 @@ if (GETPOST('filtre', 'alpha')) {
 	$sql = "SELECT p.rowid, p.ref, p.label, p.tva_tx, p.fk_product_type";
 	if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= ", ps.reel";
 	$sql .= " FROM ".MAIN_DB_PREFIX."product as p";
-	if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$conf_fkentrepot."'";
+	if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$db->escape($conf_fkentrepot)."'";
 	$sql .= " WHERE p.entity IN (".getEntity('product').")";
 	$sql .= " AND p.tosell = 1";
 	if (!$conf->global->CASHDESK_SERVICES) $sql .= " AND p.fk_product_type = 0";
@@ -92,7 +92,7 @@ if (GETPOST('filtre', 'alpha')) {
 	$sql = "SELECT p.rowid, ref, label, tva_tx, p.fk_product_type";
 	if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= ", ps.reel";
 	$sql .= " FROM ".MAIN_DB_PREFIX."product as p";
-	if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$conf_fkentrepot."'";
+	if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$db->escape($conf_fkentrepot)."'";
 	$sql .= " WHERE p.entity IN (".getEntity('product').")";
 	$sql .= " AND p.tosell = 1";
 	if (!$conf->global->CASHDESK_SERVICES) $sql .= " AND p.fk_product_type = 0";
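Review bot: On the new lines of both hunks `$conf_fkentrepot` is compared against `ps.fk_entrepot`, which by its name appears to be an integer foreign key, so an integer cast is the stronger and clearer fix than quoting plus `$db->escape()`: `$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = ".(int) $conf_fkentrepot;`. `escape()` only protects the string literal; comparing an id column against a quoted string still relies on implicit conversion and hides the intended type from the reader. The same quote-and-escape pattern on numeric values appears in facturation_dhtml.php (`ps.fk_entrepot`), in actioncomm.class.php (`fk_user_action`, `fk_user_done`), in comm/action/index.php (`$year`, `$month`, `$day`) and in propal.class.php (`$user->id`), where `(int)` casts would serve the same purpose. Both hunks sit inside the `if (GETPOST('filtre', 'alpha'))` block, which starts outside the hunk.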

+ 1 - 1
htdocs/cashdesk/facturation_dhtml.php

@@ -45,7 +45,7 @@ if (dol_strlen($search) >= 0)	// If search criteria is on char length at least
 	$sql = "SELECT p.rowid, p.ref, p.label, p.tva_tx";
 	if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= ", ps.reel";
 	$sql .= " FROM ".MAIN_DB_PREFIX."product as p";
-	if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$conf_fkentrepot."'";
+	if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = '".$db->escape($conf_fkentrepot)."'";
 	$sql .= " WHERE p.entity IN (".getEntity('product').")";
 	$sql .= " AND p.tosell = 1";
 	$sql .= " AND p.fk_product_type = 0";

+ 1 - 1
htdocs/cashdesk/index_verif.php

@@ -89,7 +89,7 @@ if ($retour >= 0)
 
 	$sql = "SELECT rowid, lastname, firstname";
 	$sql .= " FROM ".MAIN_DB_PREFIX."user";
-	$sql .= " WHERE login = '".$username."'";
+	$sql .= " WHERE login = '".$db->escape($username)."'";
 	$sql .= " AND entity IN (0,".$conf->entity.")";
 
 	$result = $db->query($sql);
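Review bot: The line right after the fixed one still concatenates `$conf->entity` without a cast into `" AND entity IN (0,".$conf->entity.")"`; it presumably holds an integer from configuration, but writing `" AND entity IN (0,".(int) $conf->entity.")"` makes that contract explicit and keeps the query well-formed should the value ever come from a less trusted source. The hunk sits inside the `if ($retour >= 0)` block, which starts outside the hunk.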

+ 12 - 12
htdocs/comm/action/class/actioncomm.class.php

@@ -1031,8 +1031,8 @@ class ActionComm extends CommonObject
 		$sql .= ", location = ".($this->location ? "'".$this->db->escape($this->location)."'" : "null");
 		$sql .= ", transparency = '".$this->db->escape($this->transparency)."'";
 		$sql .= ", fk_user_mod = ".$user->id;
-		$sql .= ", fk_user_action=".($userownerid > 0 ? "'".$userownerid."'" : "null");
-		$sql .= ", fk_user_done=".($userdoneid > 0 ? "'".$userdoneid."'" : "null");
+		$sql .= ", fk_user_action = ".($userownerid > 0 ? "'".$this->db->escape($userownerid)."'" : "null");
+		$sql .= ", fk_user_done = ".($userdoneid > 0 ? "'".$this->db->escape($userdoneid)."'" : "null");
 		if (!empty($this->fk_element)) $sql .= ", fk_element=".($this->fk_element ? $this->db->escape($this->fk_element) : "null");
 		if (!empty($this->elementtype)) $sql .= ", elementtype=".($this->elementtype ? "'".$this->db->escape($this->elementtype)."'" : "null");
 		$sql .= " WHERE id=".$this->id;
@@ -1127,7 +1127,7 @@ class ActionComm extends CommonObject
 	 *  Load all objects with filters.
 	 *  @todo WARNING: This make a fetch on all records instead of making one request with a join.
 	 *
-	 *  @param		DoliDb	$db				Database handler
+	 *  @param		DoliDb	$db				Not used
 	 *  @param		int		$socid			Filter by thirdparty
 	 *  @param		int		$fk_element		Id of element action is linked to
 	 *  @param		string	$elementtype	Type of element action is linked to
@@ -1160,32 +1160,32 @@ class ActionComm extends CommonObject
 				$sql .= " element_type = 'socpeople' AND fk_element = ".$fk_element.')';
 			}
 			else {
-				$sql .= " AND a.fk_element = ".(int) $fk_element." AND a.elementtype = '".$elementtype."'";
+				$sql .= " AND a.fk_element = ".(int) $fk_element." AND a.elementtype = '".$this->db->escape($elementtype)."'";
 			}
 		}
 		if (!empty($filter)) $sql .= $filter;
-		if ($sortorder && $sortfield) $sql .= $db->order($sortfield, $sortorder);
-		$sql .= $db->plimit($limit, 0);
+		if ($sortorder && $sortfield) $sql .= $this->db->order($sortfield, $sortorder);
+		$sql .= $this->db->plimit($limit, 0);
 
-		$resql = $db->query($sql);
+		$resql = $this->db->query($sql);
 		if ($resql)
 		{
-			$num = $db->num_rows($resql);
+			$num = $this->db->num_rows($resql);
 
 			if ($num)
 			{
 				for ($i = 0; $i < $num; $i++)
 				{
-					$obj = $db->fetch_object($resql);
-					$actioncommstatic = new ActionComm($db);
+					$obj = $this->db->fetch_object($resql);
+					$actioncommstatic = new ActionComm($this->db);
 					$actioncommstatic->fetch($obj->id);
 					$resarray[$i] = $actioncommstatic;
 				}
 			}
-			$db->free($resql);
+			$this->db->free($resql);
 			return $resarray;
 		} else {
-			return $db->lasterror();
+			return $this->db->lasterror();
 		}
 	}
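Review bot: In the third hunk the context line `$sql .= " element_type = 'socpeople' AND fk_element = ".$fk_element.')';` still interpolates `$fk_element` raw, while the `else` branch a few lines below casts it with `(int) $fk_element`; the two branches should agree, e.g. `$sql .= " element_type = 'socpeople' AND fk_element = ".(int) $fk_element.')';`. Likewise `if (!empty($filter)) $sql .= $filter;` appends a caller-supplied SQL fragment verbatim; if that is the intended contract, the `$filter` entry of the docblock (not visible in the hunk) should state that the caller is responsible for building it from trusted values. The method starts before the first line of the hunk; documenting `$db` as "Not used" while the body switches to `$this->db` is consistent.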
 

+ 1 - 1
htdocs/comm/action/class/cactioncomm.class.php

@@ -139,7 +139,7 @@ class CActionComm
         $sql .= " FROM ".MAIN_DB_PREFIX."c_actioncomm";
         $sql .= " WHERE 1=1";
         if ($active != '') $sql .= " AND active=".$active;
-        if (!empty($excludetype)) $sql .= " AND type <> '".$excludetype."'";
+        if (!empty($excludetype)) $sql .= " AND type <> '".$this->db->escape($excludetype)."'";
         if ($morefilter) $sql .= " AND ".$morefilter;
         $sql .= " ORDER BY module, position, type";
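Review bot: `$active` on the context line just above the fixed one is still concatenated raw (`" AND active=".$active`) after only an `!= ''` check; the column looks like an integer flag, so `if ($active != '') $sql .= " AND active = ".(int) $active;` would pin the type. `$morefilter` is likewise appended verbatim, which is acceptable only if every caller builds it from trusted values, something the hunk cannot show. The enclosing method starts outside the hunk.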
 

+ 1 - 1
htdocs/comm/action/index.php

@@ -810,7 +810,7 @@ if ($conf->global->AGENDA_SHOW_HOLIDAYS)
 	if ($action == 'show_day')
 	{
 		// Request only leaves for the current selected day
-		$sql .= " AND '".$year."-".$month."-".$day."' BETWEEN x.date_debut AND x.date_fin";
+		$sql .= " AND '".$db->escape($year)."-".$db->escape($month)."-".$db->escape($day)."' BETWEEN x.date_debut AND x.date_fin";
 	} elseif ($action == 'show_week')
 	{
 		// TODO: Add filter to reduce database request

+ 6 - 6
htdocs/comm/mailing/class/advtargetemailing.class.php

@@ -567,7 +567,7 @@ class AdvanceTargetingMailing extends CommonObject
 					if (($extrafields->attributes[$elementtype]['type'][$key] == 'varchar') ||
 						($extrafields->attributes[$elementtype]['type'][$key] == 'text')) {
 						if (!empty($arrayquery['options_'.$key])) {
-							$sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key]."')";
+							$sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')";
 						}
 					} elseif (($extrafields->attributes[$elementtype]['type'][$key] == 'int') ||
 						($extrafields->attributes[$elementtype]['type'][$key] == 'double')) {
@@ -587,7 +587,7 @@ class AdvanceTargetingMailing extends CommonObject
 						if (is_array($arrayquery['options_'.$key])) {
 							$sqlwhere[] = " (te.".$key." IN ('".implode("','", $arrayquery['options_'.$key])."'))";
 						} elseif (!empty($arrayquery['options_'.$key])) {
-							$sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key]."')";
+							$sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')";
 						}
 					}
 				}
@@ -708,7 +708,7 @@ class AdvanceTargetingMailing extends CommonObject
 					if (($extrafields->attributes[$elementtype]['type'][$key] == 'varchar') ||
 					($extrafields->attributes[$elementtype]['type'][$key] == 'text')) {
 						if (!empty($arrayquery['options_'.$key.'_cnct'])) {
-							$sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key.'_cnct']."')";
+							$sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key.'_cnct'])."')";
 						}
 					} elseif (($extrafields->attributes[$elementtype]['type'][$key] == 'int') ||
 						($extrafields->attributes[$elementtype]['type'][$key] == 'double')) {
@@ -732,7 +732,7 @@ class AdvanceTargetingMailing extends CommonObject
 						if (is_array($arrayquery['options_'.$key.'_cnct'])) {
 							$sqlwhere[] = " (te.".$key." IN ('".implode("','", $arrayquery['options_'.$key.'_cnct'])."'))";
 						} elseif (!empty($arrayquery['options_'.$key.'_cnct'])) {
-							$sqlwhere[] = " (te.".$key." LIKE '".$arrayquery['options_'.$key.'_cnct']."')";
+							$sqlwhere[] = " (te.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key.'_cnct'])."')";
 						}
 					}
 				}
@@ -810,7 +810,7 @@ class AdvanceTargetingMailing extends CommonObject
 							if (($extrafields->attributes[$elementtype]['type'][$key] == 'varchar') ||
 								($extrafields->attributes[$elementtype]['type'][$key] == 'text')) {
 								if (!empty($arrayquery['options_'.$key])) {
-									$sqlwhere[] = " (tse.".$key." LIKE '".$arrayquery['options_'.$key]."')";
+									$sqlwhere[] = " (tse.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')";
 								}
 							} elseif (($extrafields->attributes[$elementtype]['type'][$key] == 'int') ||
 								($extrafields->attributes[$elementtype]['type'][$key] == 'double')) {
@@ -830,7 +830,7 @@ class AdvanceTargetingMailing extends CommonObject
 								if (is_array($arrayquery['options_'.$key])) {
 									$sqlwhere[] = " (tse.".$key." IN ('".implode("','", $arrayquery['options_'.$key])."'))";
 								} elseif (!empty($arrayquery['options_'.$key])) {
-									$sqlwhere[] = " (tse.".$key." LIKE '".$arrayquery['options_'.$key]."')";
+									$sqlwhere[] = " (tse.".$key." LIKE '".$this->db->escape($arrayquery['options_'.$key])."')";
 								}
 							}
 						}
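Review bot: The `IN (...)` branches on the context lines `$sqlwhere[] = " (te.".$key." IN ('".implode("','", $arrayquery['options_'.$key])."'))";` (and the `_cnct` and `tse.` variants in the later hunks) still embed each array element unescaped, while the scalar `LIKE` branch for the very same input is now escaped; escape per element, e.g. `implode("','", array_map(array($this->db, 'escape'), $arrayquery['options_'.$key]))`. Note also that `escape()` does not neutralise `LIKE` wildcards (`%`, `_`), so a value containing them still acts as a pattern, which is fine if intended but deserves a comment on the `LIKE` lines otherwise. The enclosing methods start outside the hunks, and `$key` is taken from `$extrafields->attributes`, presumably internal configuration rather than request input.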

+ 1 - 1
htdocs/comm/propal/class/propal.class.php

@@ -1061,7 +1061,7 @@ class Propal extends CommonObject
 		$sql .= ", '".$this->db->idate($this->date)."'";
 		$sql .= ", '".$this->db->idate($now)."'";
 		$sql .= ", '(PROV)'";
-		$sql .= ", ".($user->id > 0 ? "'".$user->id."'" : "NULL");
+		$sql .= ", ".($user->id > 0 ? "'".$this->db->escape($user->id)."'" : "NULL");
 		$sql .= ", '".$this->db->escape($this->note_private)."'";
 		$sql .= ", '".$this->db->escape($this->note_public)."'";
 		$sql .= ", '".$this->db->escape($this->model_pdf)."'";