
Merge remote-tracking branch 'upstream/develop' into 14a22

Alexandre SPANGARO 4 anni fa
parent
commit
f64d0377c5
100 ha cambiato i file con 962 aggiunte e 571 eliminazioni
  1. 2 0
      .gitattributes
  2. 3 3
      .github/CODE_OF_CONDUCT.md
  3. 1 1
      COPYING
  4. 11 11
      ChangeLog
  5. 3 2
      README.md
  6. 2 2
      build/pdf/htmldoc_en.book
  7. 1 1
      build/sitemap/README
  8. 0 1
      composer.json
  9. 2 2
      dev/initdata/generate-product.php
  10. 1 1
      dev/resources/iso-normes/company_ids.txt
  11. 7 4
      doc/user/README-DE.md
  12. 3 3
      htdocs/accountancy/admin/account.php
  13. 1 1
      htdocs/accountancy/admin/categories_list.php
  14. 1 1
      htdocs/accountancy/admin/index.php
  15. 8 8
      htdocs/accountancy/admin/productaccount.php
  16. 10 10
      htdocs/accountancy/bookkeeping/list.php
  17. 1 1
      htdocs/accountancy/bookkeeping/listbyaccount.php
  18. 2 2
      htdocs/accountancy/class/accountancycategory.class.php
  19. 2 2
      htdocs/accountancy/class/accountancyexport.class.php
  20. 101 0
      htdocs/accountancy/class/accountancyimport.class.php
  21. 3 3
      htdocs/accountancy/closure/index.php
  22. 2 2
      htdocs/accountancy/customer/card.php
  23. 8 8
      htdocs/accountancy/customer/index.php
  24. 2 2
      htdocs/accountancy/customer/lines.php
  25. 10 10
      htdocs/accountancy/customer/list.php
  26. 1 1
      htdocs/accountancy/expensereport/card.php
  27. 2 2
      htdocs/accountancy/expensereport/list.php
  28. 1 1
      htdocs/accountancy/journal/bankjournal.php
  29. 2 1
      htdocs/accountancy/journal/sellsjournal.php
  30. 1 1
      htdocs/accountancy/supplier/card.php
  31. 2 2
      htdocs/accountancy/supplier/index.php
  32. 11 11
      htdocs/accountancy/supplier/list.php
  33. 1 1
      htdocs/adherents/canvas/actions_adherentcard_common.class.php
  34. 84 51
      htdocs/adherents/card.php
  35. 5 5
      htdocs/adherents/class/adherent.class.php
  36. 1 1
      htdocs/adherents/class/adherent_type.class.php
  37. 1 1
      htdocs/adherents/class/adherentstats.class.php
  38. 1 1
      htdocs/adherents/note.php
  39. 2 2
      htdocs/adherents/type_translation.php
  40. 1 1
      htdocs/admin/boxes.php
  41. 2 2
      htdocs/admin/company.php
  42. 4 4
      htdocs/admin/dict.php
  43. 3 3
      htdocs/admin/dolistore/class/PSWebServiceLibrary.class.php
  44. 22 14
      htdocs/admin/eventorganization.php
  45. 113 0
      htdocs/admin/eventorganization_confboothattendee_extrafields.php
  46. 1 1
      htdocs/admin/external_rss.php
  47. 8 8
      htdocs/admin/menus/index.php
  48. 48 20
      htdocs/admin/pdf.php
  49. 2 2
      htdocs/admin/perms.php
  50. 1 1
      htdocs/admin/sms.php
  51. 11 0
      htdocs/admin/stock.php
  52. 1 1
      htdocs/admin/translation.php
  53. 0 2
      htdocs/api/class/api.class.php
  54. 11 11
      htdocs/api/class/api_setup.class.php
  55. 1 1
      htdocs/asset/class/asset_type.class.php
  56. 2 2
      htdocs/bom/bom_note.php
  57. 1 0
      htdocs/bom/tpl/index.html
  58. 1 1
      htdocs/cashdesk/affContenu.php
  59. 14 14
      htdocs/cashdesk/facturation_verif.php
  60. 1 1
      htdocs/cashdesk/validation_verif.php
  61. 2 2
      htdocs/categories/class/categorie.class.php
  62. 6 5
      htdocs/comm/action/card.php
  63. 3 3
      htdocs/comm/action/class/actioncomm.class.php
  64. 7 1
      htdocs/comm/action/document.php
  65. 5 1
      htdocs/comm/action/index.php
  66. 3 0
      htdocs/comm/action/info.php
  67. 5 2
      htdocs/comm/action/list.php
  68. 5 1
      htdocs/comm/action/pertype.php
  69. 5 2
      htdocs/comm/action/peruser.php
  70. 4 1
      htdocs/comm/action/rapport/index.php
  71. 0 5
      htdocs/comm/admin/propaldet_extrafields.php
  72. 13 16
      htdocs/comm/card.php
  73. 1 0
      htdocs/comm/contact.php
  74. 11 4
      htdocs/comm/index.php
  75. 6 5
      htdocs/comm/mailing/advtargetemailing.php
  76. 5 5
      htdocs/comm/mailing/card.php
  77. 7 6
      htdocs/comm/mailing/cibles.php
  78. 4 4
      htdocs/comm/mailing/class/advtargetemailing.class.php
  79. 2 2
      htdocs/comm/mailing/class/mailing.class.php
  80. 2 1
      htdocs/comm/mailing/info.php
  81. 5 3
      htdocs/comm/mailing/list.php
  82. 10 2
      htdocs/comm/multiprix.php
  83. 10 8
      htdocs/comm/propal/card.php
  84. 130 20
      htdocs/comm/propal/class/propal.class.php
  85. 3 3
      htdocs/comm/propal/class/propalestats.class.php
  86. 7 6
      htdocs/comm/propal/contact.php
  87. 7 0
      htdocs/comm/propal/document.php
  88. 10 9
      htdocs/comm/propal/index.php
  89. 6 6
      htdocs/comm/propal/info.php
  90. 68 70
      htdocs/comm/propal/note.php
  91. 7 6
      htdocs/comm/propal/stats/index.php
  92. 9 1
      htdocs/comm/prospect/index.php
  93. 0 90
      htdocs/comm/prospect/recap-prospect.php
  94. 3 3
      htdocs/comm/recap-client.php
  95. 7 2
      htdocs/comm/remise.php
  96. 12 6
      htdocs/comm/remx.php
  97. 3 3
      htdocs/commande/card.php
  98. 15 13
      htdocs/commande/class/commande.class.php
  99. 2 2
      htdocs/commande/class/commandestats.class.php
  100. 2 1
      htdocs/compta/bank/annuel.php

+ 2 - 0
.gitattributes

@@ -18,6 +18,7 @@
 *.pp text eol=lf
 *.sh text eol=lf
 *.yaml text eol=lf
+*.conf text eol=lf
 
 .bash_aliases text eol=lf
 
@@ -26,6 +27,7 @@
 *.ico binary
 *.png binary
 *.jpg binary
+*.jpeg binary
 *.odt binary
 *.odf binary
 *.frm binary

+ 3 - 3
.github/CODE_OF_CONDUCT.md

@@ -77,8 +77,8 @@ contact@dolibarr.org
 
 ## 10. License and attribution
 
-This Code of Conduct is distributed under a [Creative Commons Attribution-ShareAlike license](http://creativecommons.org/licenses/by-sa/3.0/).
+This Code of Conduct is distributed under a [Creative Commons Attribution-ShareAlike license](https://creativecommons.org/licenses/by-sa/3.0/).
 
-Portions of text derived from the [Django Code of Conduct](https://www.djangoproject.com/conduct/) and the [Geek Feminism Anti-Harassment Policy](http://geekfeminism.wikia.com/wiki/Conference_anti-harassment/Policy).
+Portions of text derived from the [Django Code of Conduct](https://www.djangoproject.com/conduct/) and the [Geek Feminism Anti-Harassment Policy](https://geekfeminism.wikia.com/wiki/Conference_anti-harassment/Policy).
 
-Retrieved on November 22, 2016 from [http://citizencodeofconduct.org/](http://citizencodeofconduct.org/)
+Retrieved on November 22, 2016 from [https://citizencodeofconduct.org/](http://citizencodeofconduct.org/)

+ 1 - 1
COPYING

@@ -1,7 +1,7 @@
                     GNU GENERAL PUBLIC LICENSE
                        Version 3, 29 June 2007
 
- Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 

+ 11 - 11
ChangeLog

@@ -25,7 +25,7 @@ Following changes may create regressions for some external modules, but were nec
 * Field "total" renamed into "total_ttc" for table lx_propal, llx_supplier_proposal for better field name consistency
 * If your database is PostgreSql, you must use version 9.1.0 or more (Dolibarr need the SQL function CONCAT)
 * If your database is MySql or MariaDB, you need at least version 5.1
-
+* Function set_price_level() has been renamed into setPriceLevel() to follow camelcase rules
 
 
 ***** ChangeLog for 13.0.2 compared to 13.0.1 *****
@@ -49,21 +49,21 @@ FIX: #16533
 FIX: #16629
 FIX: #16671 Can not generate zip file of documents in backup tool
 FIX: Add "Now" link on social charges creation card
-FIX: avoid undefined url and missing token
+FIX: avoid undefined URL and missing token
 FIX: Bad project filter in ticket list
 FIX: Buttons to disable bindings not working
 FIX: class not found when creating recuring invoice from invoice+discount
-FIX: File attachment on lots
+FIX: File attachment on lots/batches
 FIX: handling $heightforinfotot when he's superior to a page height on Supplier Invoice
 FIX: hourglass and hide button to pay
-FIX: massaction validate invoice do not regenerate pdf
+FIX: massaction validate invoice do not regenerate PDF
 FIX: missing mp4 video mime
 FIX: picto on shipment to reset qty to 0. Some quantities were not reset.
 FIX: Protection to avoid #16504
 FIX: rounding amount on card updating
-FIX: Rounding amount on social charges card updating
+FIX: rounding amount on social charges card updating
 FIX: select list dependencies now work for ModuleBuilder sellist field
-FIX: Status in popup of member in widget
+FIX: status in popup of member in widget
 FIX: status on tooltip on widgets
 FIX: Timezone management for datetime on list of events
 FIX: Timezone management for datetime with modulebuilder and extrafields
@@ -94,9 +94,9 @@ FIX: #16135
 FIX: #16143
 FIX: #16156
 FIX: #16160
-FIX: #16165 Create customer discount without vat
+FIX: #16165  Create customer discount without VAT
 FIX: #16185
-FIX: #16189, fix download/see check deposit PDF
+FIX: #16189  fix download/see check deposit PDF
 FIX: #16215
 FIX: Accountancy - label_operation is used instead of label_compte
 FIX: Add critical price patch
@@ -106,7 +106,7 @@ FIX: cash fence for takepos with multientity
 FIX: CSRF errors on margin forms
 FIX: encoding status in graph of vendor proposals
 FIX: Fix detect dispached product and set to received completely when the supplier order have services (support STOCK_SUPPORTS_SERVICES)
-FIX: Hide/Unhide external ICSS calendars
+FIX: hide/unhide external ICS calendars
 FIX: link to create event when task is in a project with a thirdparty
 FIX: Localtax must be converted with price2num
 FIX: manage price min for PRODUIT_CUSTOMER_PRICES
@@ -127,7 +127,7 @@ FIX: warning when adding a line if $remise_percent is an empty string
 FIX: status late on purchase orders
 FIX: ODT generation very slow
 FIX: amount in summary of report
-FIX: vat value when code contains number
+FIX: VAT value when code contains number
 FIX: payment term label on PDF
 FIX: date selector when using reduced year (like on smartphone)
 
@@ -146,7 +146,7 @@ NEW: Accountancy - add options to disable binding on sales, purchases & expense
 NEW: Accountancy balance - add a menu entry to show subtotal by group
 NEW: Accountancy - change menu disposition
 NEW: Accountancy - on transfers, select the periodicity by default
-NEW: Accountancy - Add export for Gestinum (v3 & v5) #15180
+NEW: Accountancy - add export for Gestinum (v3 & v5) #15180
 NEW: new currency rate editor
 NEW: Solve blocking feature. Can increase stock of a Kit without changing subproduct stock.
 NEW: add a widget to show the customers with outstanding limits reached

+ 3 - 2
README.md

@@ -98,7 +98,7 @@ See the [ChangeLog](https://github.com/Dolibarr/dolibarr/blob/develop/ChangeLog)
 ### Main application/modules (all optional)
 
 - Customers, Prospects (Leads) and/or Suppliers directory + Contacts
-- Members management 
+- Members/Membership management 
 - Products and/or Services catalog
 - Commercial proposals management
 - Customer & Supplier Orders management
@@ -112,6 +112,7 @@ See the [ChangeLog](https://github.com/Dolibarr/dolibarr/blob/develop/ChangeLog)
 - Shared calendar/agenda (with ical and vcal export for third party tools integration)
 - Opportunities or Leads management
 - Projects & Tasks management
+- Ticket System
 - Contracts management
 - Interventions management
 - Employee's leave requests management
@@ -160,7 +161,7 @@ See the [ChangeLog](https://github.com/Dolibarr/dolibarr/blob/develop/ChangeLog)
   - Canadian double taxes (federal/province) and other countries using cumulative VAT
   - Tunisian tax stamp
   - Argentina invoice numbering using A,B,C...
-  - Compatible with [European directives](http://europa.eu/legislation_summaries/taxation/l31057_en.htm) (2006/112/CE ... 2010/45/UE)
+  - Compatible with [European directives] (https://europa.eu/legislation_summaries/taxation/l31057_en.htm) (2006/112/CE ... 2010/45/UE)
   - Compatible with European GDPR rules
   - ...
 - Flexible PDF & ODT generation for invoices, proposals, orders...

+ 2 - 2
build/pdf/htmldoc_en.book

@@ -1,4 +1,4 @@
 #HTMLDOC 1.8.27
 -t pdf14 -f "../../doc/dolibarr_en.pdf" --webpage --no-title --logoimage "../../doc/images/dolibarr_256x256.png" --linkcolor #2200c0 --linkstyle plain --size Universal --left 0.30in --right 0.30in --top 0.40in --bottom 0.30in --header ... --header1 ... --footer c/d --nup 1 --tocheader ... --tocfooter ... --portrait --color --no-pscommands --no-xrxcomments --compression=9 --jpeg=50 --fontsize 10.0 --fontspacing 1.0 --headingfont Helvetica --bodyfont Helvetica --headfootsize 9.0 --headfootfont Helvetica --charset iso-8859-1 --links --no-embedfonts --pagemode document --pagelayout single --firstpage p1 --pageeffect none --pageduration 10 --effectduration 1.0 --no-encryption --permissions all  --owner-password ""  --user-password "" --browserwidth 680 --no-strict --no-overflow
-http://wiki.dolibarr.org/index.php/Main_Page
-http://wiki.dolibarr.org/index.php/What_Dolibarr_Do
+https://wiki.dolibarr.org/index.php/Home
+https://wiki.dolibarr.org/index.php/What_Dolibarr_Does

+ 1 - 1
build/sitemap/README

@@ -1,5 +1,5 @@
 # Format of sitemap file is available at
-# http://www.sitemaps.org/protocol.html
+# https://www.sitemaps.org/protocol.html
 
 # To build a sitemap from urllist-bing.txt, run 
 # google-sitemapgen --config=config-bing.xml --testing

+ 0 - 1
composer.json

@@ -29,7 +29,6 @@
 		"ckeditor/ckeditor" : "4.12.1",
 		"mike42/escpos-php" : "2.2",
 		"mobiledetect/mobiledetectlib" : "2.8.34",
-		"phpoffice/phpexcel" : "1.8.1",
 		"restler/framework" : "3.0.0-RC6",
 		"tecnickcom/tcpdf" : "6.3.2",
 		"nnnick/chartjs" : "^2.9",

+ 2 - 2
dev/initdata/generate-product.php

@@ -102,8 +102,8 @@ for ($s = 0; $s < GEN_NUMBER_PRODUIT; $s++) {
 	$produit->ref = ($produit->type?'S':'P').time().$s;
 	$produit->label = 'Label '.time().$s;
 	$produit->description = 'Description '.time().$s;
-	$produit->price = mt_rand(1, 1000);
-	$produit->tva_tx = "19.6";
+	$produit->price = mt_rand(1, 999.99);
+	$produit->tva_tx = "20.0";
 	$ret=$produit->create($user);
 	if ($ret < 0) {
 		print "Error $ret - ".$produit->error."\n";
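Review bot: `$produit->price = mt_rand(1, 999.99);` passes a float upper bound to a function that takes integers, so the bound is truncated to 999 (PHP 8.1+ also emits a deprecation for the lossy conversion) and the decimal price the new bound suggests is never produced. If cent precision is wanted, draw an integer number of cents and divide, `$produit->price = mt_rand(100, 99999) / 100;`; otherwise keep an integer bound, `mt_rand(1, 999)`. The enclosing for loop starts and ends outside the hunk.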

+ 1 - 1
dev/resources/iso-normes/company_ids.txt

@@ -1,2 +1,2 @@
-Spain  https://incwell.eu/en/company-formation-spain/
+
 France https://www.economie.gouv.fr/entreprises/numeros-identification-entreprise

+ 7 - 4
doc/user/README-DE.md

@@ -6,7 +6,10 @@ Benutzeranleitung
 --------------------------------
 
 Alle Dolibarr-Informationen sind online verfuegbar ueber die Webseiten:
-https://www.dolibarr.de 
-oder
-https://www.dolibarr.org
-https://wiki.dolibarr.org
+
+
+https://www.dolibarr.de (de)   oder   https://www.dolibarr.org   (intl)
+
+
+https://wiki.dolibarr.org/index.php/Hauptseite (de)
+

+ 3 - 3
htdocs/accountancy/admin/account.php

@@ -218,7 +218,7 @@ if ($db->type == 'pgsql') {
 } else {
 	$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as a2 ON a2.rowid = aa.account_parent AND a2.entity = ".$conf->entity;
 }
-$sql .= " WHERE asy.rowid = ".$pcgver;
+$sql .= " WHERE asy.rowid = ".((int) $pcgver);
 //print $sql;
 if (strlen(trim($search_account))) {
 	$lengthpaddingaccount = 0;
@@ -349,7 +349,7 @@ if ($resql) {
 	$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as c ON a.fk_country = c.rowid AND c.active = 1";
 	$sql .= " WHERE a.active = 1";
 	dol_syslog('accountancy/admin/account.php $sql='.$sql);
-	print $sql;
+
 	$resqlchart = $db->query($sql);
 	if ($resqlchart) {
 		$numbis = $db->num_rows($resqlchart);
@@ -430,7 +430,7 @@ if ($resql) {
 		print_liste_field_titre($arrayfields['aa.account_parent']['label'], $_SERVER["PHP_SELF"], "aa.account_parent", "", $param, '', $sortfield, $sortorder, 'left ');
 	}
 	if (!empty($arrayfields['aa.pcg_type']['checked'])) {
-		print_liste_field_titre($arrayfields['aa.pcg_type']['label'], $_SERVER["PHP_SELF"], 'aa.pcg_type', '', $param, '', $sortfield, $sortorder, '', $arrayfields['aa.pcg_type']['help']);
+		print_liste_field_titre($arrayfields['aa.pcg_type']['label'], $_SERVER["PHP_SELF"], 'aa.pcg_type', '', $param, '', $sortfield, $sortorder, '', $arrayfields['aa.pcg_type']['help'], 1);
 	}
 	if ($conf->global->MAIN_FEATURES_LEVEL >= 2) {
 		if (!empty($arrayfields['aa.reconcilable']['checked'])) {
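Review bot: The new `((int) $pcgver)` cast in the first hunk leaves the join condition just above it, `a2.entity = ".$conf->entity`, as the only uncast integer in that statement; for consistency with the rest of this commit (productaccount.php writes `((int) $conf->entity)`) change it to `AND a2.entity = ".((int) $conf->entity);`. Dropping the `print $sql;` line in the second hunk is a good change to keep: it stopped the raw query, including the submitted search string, from being echoed into the page. The `$sql` statement being built starts before the first hunk.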

+ 1 - 1
htdocs/accountancy/admin/categories_list.php

@@ -149,7 +149,7 @@ if (GETPOST('actionadd', 'alpha') || GETPOST('actionmodify', 'alpha')) {
 	// Check that all fields are filled
 	$ok = 1;
 	foreach ($listfield as $f => $value) {
-		if ($value == 'formula' && empty($_POST['formula'])) {
+		if ($value == 'formula' && !GETPOST('formula')) {
 			continue;
 		}
 		if ($value == 'range_account' && empty($_POST['range_account'])) {
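Review bot: The switch from `empty($_POST['formula'])` to `!GETPOST('formula')` is applied to only one of the two field checks; the next line still reads `empty($_POST['range_account'])` directly. For a single input path change it to `if ($value == 'range_account' && !GETPOST('range_account')) {`. Both forms treat a literal `'0'` as missing, so the truthiness test preserves the previous behaviour. The enclosing foreach continues past the hunk.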

+ 1 - 1
htdocs/accountancy/admin/index.php

@@ -81,7 +81,7 @@ if ($action == 'update') {
 			$constvalue = GETPOST($constname, 'alpha');
 
 			if ($constname == 'ACCOUNTING_DATE_START_BINDING') {
-				$constvalue = dol_mktime(12, 0, 0, GETPOST($constname.'month', 'int'), GETPOST($constname.'day', 'int'), GETPOST($constname.'year', 'int'));
+				$constvalue = dol_mktime(0, 0, 0, GETPOST($constname.'month', 'int'), GETPOST($constname.'day', 'int'), GETPOST($constname.'year', 'int'));
 			}
 
 			if (!dolibarr_set_const($db, $constname, $constvalue, 'chaine', 0, '', $conf->entity)) {
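Review bot: Moving the binding start date from 12:00 to 00:00 removes the half-day margin that tolerated an offset between the user's timezone and the dates it is later compared with; `dol_mktime` is called here without an explicit gmt argument, so if it builds the timestamp in the user's timezone and the consumer compares it against UTC-based dates, midnight can fall on the previous calendar day — confirm. A one-line comment above the assignment, `// Start of day in the same convention as the dates it is compared with`, would record the intent. The enclosing if/foreach starts outside the hunk.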

+ 8 - 8
htdocs/accountancy/admin/productaccount.php

@@ -189,13 +189,13 @@ if ($action == 'update') {
 					$db->begin();
 
 					if (!empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED)) {
-						$sql = "INSERT INTO " . MAIN_DB_PREFIX . "product_perentity (fk_product, entity, " . $accountancy_field_name . ")";
-						$sql .= " VALUES (" . ((int) $productid) . ", " . ((int) $conf->entity) . ", " . $accounting->account_number . ")";
-						$sql .= " ON DUPLICATE KEY UPDATE " . $accountancy_field_name . " = " . $accounting->account_number;
+						$sql = "INSERT INTO ".MAIN_DB_PREFIX."product_perentity (fk_product, entity, '".$db->escape($accountancy_field_name)."')";
+						$sql .= " VALUES (".((int) $productid).", ".((int) $conf->entity).", '".$db->escape($accounting->account_number)."')";
+						$sql .= " ON DUPLICATE KEY UPDATE ".$accountancy_field_name." = '".$db->escape($accounting->account_number)."'";
 					} else {
 						$sql = " UPDATE ".MAIN_DB_PREFIX."product";
-						$sql .= " SET " . $accountancy_field_name . " = " . $accounting->account_number;
-						$sql .= " WHERE rowid = " . ((int) $productid);
+						$sql .= " SET ".$accountancy_field_name." = '".$db->escape($accounting->account_number)."'";
+						$sql .= " WHERE rowid = ".((int) $productid);
 					}
 
 					dol_syslog("/accountancy/admin/productaccount.php sql=".$sql, LOG_DEBUG);
@@ -280,14 +280,14 @@ $sql .= " p.tms, p.fk_product_type as product_type,";
 $sql .= " aa.rowid as aaid";
 $sql .= " FROM ".MAIN_DB_PREFIX."product as p";
 if (!empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED)) {
-	$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "product_accounting as pa ON pa.fk_product = p.rowid AND pa.entity = " . ((int) $conf->entity);
+	$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "product_perentity as pa ON pa.fk_product = p.rowid AND pa.entity = " . ((int) $conf->entity);
 	$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "accounting_account as aa ON aa.account_number = pa." . $accountancy_field_name . " AND aa.fk_pcg_version = '" . $db->escape($pcgvercode) . "'";
 } else {
 	$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "accounting_account as aa ON aa.account_number = p." . $accountancy_field_name . " AND aa.fk_pcg_version = '" . $db->escape($pcgvercode) . "'";
 }
 $sql .= ' WHERE p.entity IN ('.getEntity('product').')';
 if (strlen(trim($search_current_account))) {
-	$sql .= natural_search((!empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED) ? "pa." : "p.") . $accountancy_field_name, $search_current_account);
+	$sql .= natural_search((empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED) ? "p." : "pa.") . $accountancy_field_name, $search_current_account);
 }
 if ($search_current_account_valid == 'withoutvalidaccount') {
 	$sql .= " AND aa.account_number IS NULL";
@@ -466,7 +466,7 @@ if ($result) {
 	} else {
 		print_liste_field_titre("OnBuy", $_SERVER["PHP_SELF"], "p.tobuy", "", $param, '', $sortfield, $sortorder, 'center ');
 	}
-	print_liste_field_titre("CurrentDedicatedAccountingAccount", $_SERVER["PHP_SELF"], (empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED) ? "pa." : "p.") . $accountancy_field_name, "", $param, '', $sortfield, $sortorder);
+	print_liste_field_titre("CurrentDedicatedAccountingAccount", $_SERVER["PHP_SELF"], (empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED) ? "p." : "pa.") . $accountancy_field_name, "", $param, '', $sortfield, $sortorder);
 	print_liste_field_titre("AssignDedicatedAccountingAccount");
 	$clickpitco = $form->showCheckAddButtons('checkforselect', 1);
 	print_liste_field_titre($clickpitco, '', '', '', '', '', '', '', 'center ');
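Review bot: In the first hunk the INSERT column list now single-quotes the field name, `(fk_product, entity, '".$db->escape($accountancy_field_name)."')`, which makes the column identifier a string literal and is a syntax error in MySQL; the ON DUPLICATE KEY UPDATE clause two lines below and the UPDATE branch use the same variable as a bare identifier. Restore the bare identifier: `$sql = "INSERT INTO ".MAIN_DB_PREFIX."product_perentity (fk_product, entity, ".$accountancy_field_name.")";`. Because `$accountancy_field_name` is interpolated as an identifier in every branch (and into `natural_search` and `print_liste_field_titre` in the later hunks), it has to be validated against the fixed set of accountancy column names before this point — `$db->escape()` only escapes string literals and is not a substitute; if that allow-list check exists upstream, a comment naming it here would help the reader. Quoting `account_number` as a string is the right change, since account numbers are not numeric. The enclosing if/else nesting starts outside the hunk.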

+ 10 - 10
htdocs/accountancy/bookkeeping/list.php

@@ -45,14 +45,14 @@ $search_mvt_num = GETPOST('search_mvt_num', 'int');
 $search_doc_type = GETPOST("search_doc_type", 'alpha');
 $search_doc_ref = GETPOST("search_doc_ref", 'alpha');
 $search_date_start = dol_mktime(0, 0, 0, GETPOST('search_date_startmonth', 'int'), GETPOST('search_date_startday', 'int'), GETPOST('search_date_startyear', 'int'));
-$search_date_end = dol_mktime(0, 0, 0, GETPOST('search_date_endmonth', 'int'), GETPOST('search_date_endday', 'int'), GETPOST('search_date_endyear', 'int'));
+$search_date_end = dol_mktime(23, 59, 59, GETPOST('search_date_endmonth', 'int'), GETPOST('search_date_endday', 'int'), GETPOST('search_date_endyear', 'int'));
 $search_doc_date = dol_mktime(0, 0, 0, GETPOST('doc_datemonth', 'int'), GETPOST('doc_dateday', 'int'), GETPOST('doc_dateyear', 'int'));
 $search_date_creation_start = dol_mktime(0, 0, 0, GETPOST('date_creation_startmonth', 'int'), GETPOST('date_creation_startday', 'int'), GETPOST('date_creation_startyear', 'int'));
-$search_date_creation_end = dol_mktime(0, 0, 0, GETPOST('date_creation_endmonth', 'int'), GETPOST('date_creation_endday', 'int'), GETPOST('date_creation_endyear', 'int'));
+$search_date_creation_end = dol_mktime(23, 59, 59, GETPOST('date_creation_endmonth', 'int'), GETPOST('date_creation_endday', 'int'), GETPOST('date_creation_endyear', 'int'));
 $search_date_modification_start = dol_mktime(0, 0, 0, GETPOST('date_modification_startmonth', 'int'), GETPOST('date_modification_startday', 'int'), GETPOST('date_modification_startyear', 'int'));
-$search_date_modification_end = dol_mktime(0, 0, 0, GETPOST('date_modification_endmonth', 'int'), GETPOST('date_modification_endday', 'int'), GETPOST('date_modification_endyear', 'int'));
+$search_date_modification_end = dol_mktime(23, 59, 59, GETPOST('date_modification_endmonth', 'int'), GETPOST('date_modification_endday', 'int'), GETPOST('date_modification_endyear', 'int'));
 $search_date_export_start = dol_mktime(0, 0, 0, GETPOST('date_export_startmonth', 'int'), GETPOST('date_export_startday', 'int'), GETPOST('date_export_startyear', 'int'));
-$search_date_export_end = dol_mktime(0, 0, 0, GETPOST('date_export_endmonth', 'int'), GETPOST('date_export_endday', 'int'), GETPOST('date_export_endyear', 'int'));
+$search_date_export_end = dol_mktime(23, 59, 59, GETPOST('date_export_endmonth', 'int'), GETPOST('date_export_endday', 'int'), GETPOST('date_export_endyear', 'int'));
 
 //var_dump($search_date_start);exit;
 if (GETPOST("button_delmvt_x") || GETPOST("button_delmvt.x") || GETPOST("button_delmvt")) {
@@ -520,7 +520,7 @@ if ($action == 'export_fileconfirm' && $user->rights->accounting->mouvements->ex
 					$sql = " UPDATE ".MAIN_DB_PREFIX."accounting_bookkeeping";
 					$sql .= " SET date_export = '".$db->idate($now)."'";
 					$sql .= " , date_validated = '".$db->idate($now)."'";
-					$sql .= " WHERE rowid = ".$movement->id;
+					$sql .= " WHERE rowid = ".((int) $movement->id);
 
 					dol_syslog("/accountancy/bookeeping/list.php Function export_file Specify movements as exported sql=".$sql, LOG_DEBUG);
 					$result = $db->query($sql);
@@ -727,7 +727,9 @@ if (!empty($arrayfields['t.piece_num']['checked'])) {
 }
 // Code journal
 if (!empty($arrayfields['t.code_journal']['checked'])) {
-	print '<td class="liste_titre center"><input type="text" name="search_ledger_code" size="3" value="'.(is_array($search_ledger_code) ? join('|', $search_ledger_code) : $search_ledger_code).'"></td>';
+	print '<td class="liste_titre center">';
+	print $formaccounting->multi_select_journal($search_ledger_code, 'search_ledger_code', 0, 1, 1, 1);
+	print '</td>';
 }
 // Date document
 if (!empty($arrayfields['t.doc_date']['checked'])) {
@@ -748,12 +750,10 @@ if (!empty($arrayfields['t.doc_ref']['checked'])) {
 if (!empty($arrayfields['t.numero_compte']['checked'])) {
 	print '<td class="liste_titre">';
 	print '<div class="nowrap">';
-	print $langs->trans('From').' ';
-	print $formaccounting->select_account($search_accountancy_code_start, 'search_accountancy_code_start', 1, array(), 1, 1, 'maxwidth200');
+	print $formaccounting->select_account($search_accountancy_code_start, 'search_accountancy_code_start', $langs->trans('From'), array(), 1, 1, 'maxwidth200', 1);
 	print '</div>';
 	print '<div class="nowrap">';
-	print $langs->trans('to').' ';
-	print $formaccounting->select_account($search_accountancy_code_end, 'search_accountancy_code_end', 1, array(), 1, 1, 'maxwidth200');
+	print $formaccounting->select_account($search_accountancy_code_end, 'search_accountancy_code_end', $langs->trans('to'), array(), 1, 1, 'maxwidth200', 1);
 	print '</div>';
 	print '</td>';
 }
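Review bot: The third hunk replaces the free-text `search_ledger_code` input, which serialized an array with `join('|', …)`, by `multi_select_journal`, so the request parameter now arrives as an array; the `GETPOST` that reads `$search_ledger_code` and the filter code that turns it into SQL are outside this section and must accept an array (escaping each element) for the change to be complete — confirm. The `dol_mktime(23, 59, 59, …)` end-of-day changes in the first hunk are correct for inclusive range filters, and the `((int) $movement->id)` cast in the second hunk is consistent with the rest of the commit. Each hunk's if block is complete within the hunk.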

+ 1 - 1
htdocs/accountancy/bookkeeping/listbyaccount.php

@@ -46,7 +46,7 @@ $search_date_endyear =  GETPOST('search_date_endyear', 'int');
 $search_date_endmonth =  GETPOST('search_date_endmonth', 'int');
 $search_date_endday =  GETPOST('search_date_endday', 'int');
 $search_date_start = dol_mktime(0, 0, 0, $search_date_startmonth, $search_date_startday, $search_date_startyear);
-$search_date_end = dol_mktime(0, 0, 0, $search_date_endmonth, $search_date_endday, $search_date_endyear);
+$search_date_end = dol_mktime(23, 59, 59, $search_date_endmonth, $search_date_endday, $search_date_endyear);
 $search_doc_date = dol_mktime(0, 0, 0, GETPOST('doc_datemonth', 'int'), GETPOST('doc_dateday', 'int'), GETPOST('doc_dateyear', 'int'));
 $search_date_export_startyear =  GETPOST('search_date_export_startyear', 'int');
 $search_date_export_startmonth =  GETPOST('search_date_export_startmonth', 'int');

+ 2 - 2
htdocs/accountancy/class/accountancycategory.class.php

@@ -428,7 +428,7 @@ class AccountancyCategory // extends CommonObject
 		global $conf;
 		$sql = "SELECT t.rowid, t.account_number, t.label";
 		$sql .= " FROM ".MAIN_DB_PREFIX."accounting_account as t";
-		$sql .= " WHERE t.fk_accounting_category = ".$id;
+		$sql .= " WHERE t.fk_accounting_category = ".((int) $id);
 		$sql .= " AND t.entity = ".$conf->entity;
 
 		$this->lines_display = array();
@@ -863,7 +863,7 @@ class AccountancyCategory // extends CommonObject
 		if (!empty($cat_id)) {
 			$sql = "SELECT t.rowid, t.account_number, t.label as account_label";
 			$sql .= " FROM ".MAIN_DB_PREFIX."accounting_account as t";
-			$sql .= " WHERE t.fk_accounting_category = ".$cat_id;
+			$sql .= " WHERE t.fk_accounting_category = ".((int) $cat_id);
 			$sql .= " AND t.entity = ".$conf->entity;
 			$sql .= " ORDER BY t.account_number";
 		} else {
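Review bot: Both hunks cast the category id with `((int) $id)` / `((int) $cat_id)` but leave the following `AND t.entity = ".$conf->entity` uncast; for a fully typed statement write `$sql .= " AND t.entity = ".((int) $conf->entity);` in both methods. The enclosing methods start and end outside the hunks.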

+ 2 - 2
htdocs/accountancy/class/accountancyexport.class.php

@@ -1644,7 +1644,7 @@ class AccountancyExport
 							// Get new customer invoice ref and company name
 							$sql = 'SELECT f.ref, s.nom FROM ' . MAIN_DB_PREFIX . 'facture as f';
 							$sql .= ' LEFT JOIN ' . MAIN_DB_PREFIX . 'societe AS s ON f.fk_soc = s.rowid';
-							$sql .= ' WHERE f.rowid = ' . $line->fk_doc;
+							$sql .= ' WHERE f.rowid = '.((int) $line->fk_doc);
 							$resql = $this->db->query($sql);
 							if ($resql) {
 								if ($obj = $this->db->fetch_object($resql)) {
@@ -1658,7 +1658,7 @@ class AccountancyExport
 							// Get new supplier invoice ref and company name
 							$sql = 'SELECT ff.ref, s.nom FROM ' . MAIN_DB_PREFIX . 'facture_fourn as ff';
 							$sql .= ' LEFT JOIN ' . MAIN_DB_PREFIX . 'societe AS s ON ff.fk_soc = s.rowid';
-							$sql .= ' WHERE ff.rowid = ' . $line->fk_doc;
+							$sql .= ' WHERE ff.rowid = '.((int) $line->fk_doc);
 							$resql = $this->db->query($sql);
 							if ($resql) {
 								if ($obj = $this->db->fetch_object($resql)) {

+ 101 - 0
htdocs/accountancy/class/accountancyimport.class.php

@@ -0,0 +1,101 @@
+<?php
+/*
+ * Copyright (C) 2007-2012  Laurent Destailleur <eldy@users.sourceforge.net>
+ * Copyright (C) 2014       Juanjo Menent       <jmenent@2byte.es>
+ * Copyright (C) 2015       Florian Henry       <florian.henry@open-concept.pro>
+ * Copyright (C) 2015       Raphaël Doursenaud  <rdoursenaud@gpcsolutions.fr>
+ * Copyright (C) 2016       Pierre-Henry Favre  <phf@atm-consulting.fr>
+ * Copyright (C) 2016-2020  Alexandre Spangaro  <aspangaro@open-dsi.fr>
+ * Copyright (C) 2013-2017  Olivier Geffroy     <jeff@jeffinfo.com>
+ * Copyright (C) 2017       Elarifr. Ari Elbaz  <github@accedinfo.com>
+ * Copyright (C) 2017-2019  Frédéric France     <frederic.france@netlogic.fr>
+ * Copyright (C) 2017       André Schild        <a.schild@aarboard.ch>
+ * Copyright (C) 2020       Guillaume Alexandre <guillaume@tag-info.fr>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+/**
+ * \file		htdocs/accountancy/class/accountancyimport.class.php
+ * \ingroup		Accountancy (Double entries)
+ * \brief 		Class accountancy import
+ */
+
+
+
+/**
+ * Manage the different format accountancy import
+ */
+class AccountancyImport
+{
+	/**
+	 *  Compute amount
+	 *
+	 * @param   array       $arrayrecord        Array of read values: [fieldpos] => (['val']=>val, ['type']=>-1=null,0=blank,1=string), [fieldpos+1]...
+	 * @param   string      $fieldname          Field name with alias
+	 * @param   array       $listfields         Fields list to add
+	 * @param   array       $listvalues         Values list to add
+	 * @return  int         <0 if KO, >0 if OK
+	 */
+	public function computeAmount(&$arrayrecord, $fieldname, &$listfields, &$listvalues)
+	{
+		$fieldArr = explode('.', $fieldname);
+		if (count($fieldArr) > 0) {
+			$fieldname = $fieldArr[1];
+		}
+
+		$debit  = trim($arrayrecord[11]['val']);
+		$credit = trim($arrayrecord[12]['val']);
+		if (!empty($debit)) {
+			$amount = $debit;
+		} else {
+			$amount = $credit;
+		}
+
+		$listfields[] = $fieldname;
+		$listvalues[] = "'" . abs($amount) . "'";
+
+		return 1;
+	}
+
+
+	/**
+	 *  Compute sens
+	 *
+	 * @param   array       $arrayrecord        Array of read values: [fieldpos] => (['val']=>val, ['type']=>-1=null,0=blank,1=string), [fieldpos+1]...
+	 * @param   string      $fieldname          Field name with alias
+	 * @param   array       $listfields         Fields list to add
+	 * @param   array       $listvalues         Values list to add
+	 * @return  int         <0 if KO, >0 if OK
+	 */
+	public function computeDirection(&$arrayrecord, $fieldname, &$listfields, &$listvalues)
+	{
+		$fieldArr = explode('.', $fieldname);
+		if (count($fieldArr) > 0) {
+			$fieldname = $fieldArr[1];
+		}
+
+		$debit = trim($arrayrecord[11]['val']);
+		if (!empty($debit)) {
+			$sens = 'D';
+		} else {
+			$sens = 'C';
+		}
+
+		$listfields[] = $fieldname;
+		$listvalues[] = "'" . $sens . "'";
+
+		return 1;
+	}
+}
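Review bot: `if (count($fieldArr) > 0) { $fieldname = $fieldArr[1]; }` in computeAmount, and the identical check in computeDirection, is always true because `explode()` returns at least one element, so a field name without a dot reads the undefined index 1 (a warning) and pushes null into `$listfields`; the guard should be `if (count($fieldArr) > 1) {`. `abs($amount)` is applied to raw trimmed import text: on PHP 8 a non-numeric string raises a TypeError, and when both debit and credit are blank the result is silently `'0'`; validate first with `if (!is_numeric($amount)) { return -1; }` before the `$listvalues[]` line, which matches the documented `<0 if KO` contract. The column positions 11 and 12 are hard-coded in both methods; a comment above the reads such as `// Positions 11/12 are the debit/credit columns of the import layout` would stop the next maintainer from guessing. Since `$listvalues` entries are built here as quoted SQL literals, the caller (outside this file) is presumably the one that has to escape them — `$sens` is a constant, but the amount is not, so the `is_numeric` check also closes that path.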

+ 3 - 3
htdocs/accountancy/closure/index.php

@@ -91,9 +91,9 @@ if ($action == 'validate_movements_confirm' && !empty($user->rights->accounting-
 
 				$sql = " UPDATE ".MAIN_DB_PREFIX."accounting_bookkeeping";
 				$sql .= " SET date_validated = '".$db->idate($now)."'";
-				$sql .= " WHERE rowid = ".$movement->id;
-				$sql .= " AND doc_date >= '" . dol_print_date($date_start, 'dayrfc') . "'";
-				$sql .= " AND doc_date <= '" . dol_print_date($date_end, 'dayrfc') . "'";
+				$sql .= " WHERE rowid = ".((int) $movement->id);
+				$sql .= " AND doc_date >= '" . $db->idate($date_start) . "'";
+				$sql .= " AND doc_date <= '" . $db->idate($date_end) . "'";
 
 				dol_syslog("/accountancy/closure/index.php :: Function validate_movement_confirm Specify movements as validated sql=".$sql, LOG_DEBUG);
 				$result = $db->query($sql);
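Review bot: Switching the two doc_date bounds from dol_print_date(..., 'dayrfc') to $db->idate() changes the literal from a day to a full timestamp, so a movement dated on the last day of the range still matches only if $date_end carries end-of-day or the database compares a date column to a datetime literal by date alone — worth confirming against the column type before relying on it. If doc_date is date-only, normalising $date_end to 23:59:59 before the idate() call, or keeping a day-precision literal for that bound, preserves the previous inclusive behaviour. The enclosing block starts outside the hunk.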

+ 2 - 2
htdocs/accountancy/customer/card.php

@@ -61,7 +61,7 @@ if ($action == 'ventil' && $user->rights->accounting->bind->write) {
 		}
 
 		$sql = " UPDATE ".MAIN_DB_PREFIX."facturedet";
-		$sql .= " SET fk_code_ventilation = ".$codeventil;
+		$sql .= " SET fk_code_ventilation = ".((int) $codeventil);
 		$sql .= " WHERE rowid = ".((int) $id);
 
 		$resql = $db->query($sql);
@@ -110,7 +110,7 @@ if (!empty($id)) {
 	$sql .= " FROM ".MAIN_DB_PREFIX."facturedet as l";
 	$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product";
 	if (!empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED)) {
-		$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "product_accounting as pa ON pa.fk_product = p.rowid AND pa.entity = " . ((int) $conf->entity);
+		$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "product_perentity as pa ON pa.fk_product = p.rowid AND pa.entity = " . ((int) $conf->entity);
 	}
 	$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON l.fk_code_ventilation = aa.rowid";
 	$sql .= " INNER JOIN ".MAIN_DB_PREFIX."facture as f ON f.rowid = l.fk_facture";

+ 8 - 8
htdocs/accountancy/customer/index.php

@@ -147,12 +147,12 @@ if ($action == 'validatehistory') {
 	if (!empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED)) {
 		$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "product_perentity as pa ON pa.fk_product = p.rowid AND pa.entity = " . ((int) $conf->entity);
 	}
-	$alias_company_accounting = !empty($conf->global->ACCOUNTANCY_COMPANY_SHARED) ? "sa" : "s";
-	$alias_product_accounting = !empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED) ? "pa" : "p";
-	$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa  ON " . $alias_product_accounting . ".accountancy_code_sell = aa.account_number         AND aa.active = 1  AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity;
-	$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON " . $alias_product_accounting . ".accountancy_code_sell_intra = aa2.account_number  AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity;
-	$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON " . $alias_product_accounting . ".accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity;
-	$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa4 ON " . $alias_company_accounting . ".accountancy_code_sell = aa4.account_number        AND aa4.active = 1 AND aa4.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa4.entity = ".$conf->entity;
+	$alias_societe_perentity = empty($conf->global->ACCOUNTANCY_COMPANY_SHARED) ? "s" : "sa";
+	$alias_product_perentity = empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED) ? "p" : "pa";
+	$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa  ON " . $alias_product_perentity . ".accountancy_code_sell = aa.account_number         AND aa.active = 1  AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity;
+	$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON " . $alias_product_perentity . ".accountancy_code_sell_intra = aa2.account_number  AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity;
+	$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON " . $alias_product_perentity . ".accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity;
+	$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa4 ON " . $alias_societe_perentity . ".accountancy_code_sell = aa4.account_number        AND aa4.active = 1 AND aa4.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa4.entity = ".$conf->entity;
 	$sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0";
 	$sql .= " AND l.product_type <= 2";
 
@@ -207,8 +207,8 @@ if ($action == 'validatehistory') {
 
 			if ($objp->aarowid_suggest > 0) {
 				$sqlupdate = "UPDATE ".MAIN_DB_PREFIX."facturedet";
-				$sqlupdate .= " SET fk_code_ventilation = ".$objp->aarowid_suggest;
-				$sqlupdate .= " WHERE fk_code_ventilation <= 0 AND product_type <= 2 AND rowid = ".$objp->rowid;
+				$sqlupdate .= " SET fk_code_ventilation = ".((int) $objp->aarowid_suggest);
+				$sqlupdate .= " WHERE fk_code_ventilation <= 0 AND product_type <= 2 AND rowid = ".((int) $objp->rowid);
 
 				$resqlupdate = $db->query($sqlupdate);
 				if (!$resqlupdate) {
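Review bot: The four rewritten accounting_account joins still append `$conf->entity` uncast (`" AND aa.entity = ".$conf->entity`), while the same hunk casts every other identifier it touches, including `((int) $conf->entity)` on the product_perentity join just above. Applying the same cast, `" AND aa.entity = ".((int) $conf->entity)`, on each of the aa/aa2/aa3/aa4 lines keeps the commit's own rule consistent. The identical pattern is left in htdocs/accountancy/customer/list.php and htdocs/accountancy/supplier/list.php.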

+ 2 - 2
htdocs/accountancy/customer/lines.php

@@ -183,7 +183,7 @@ $sql = "SELECT f.rowid as facid, f.ref as ref, f.type, f.datef, f.ref_client,";
 $sql .= " fd.rowid, fd.description, fd.product_type as line_type, fd.total_ht, fd.total_tva, fd.tva_tx, fd.vat_src_code, fd.total_ttc,";
 $sql .= " s.rowid as socid, s.nom as name, s.code_compta, s.code_client,";
 $sql .= " p.rowid as product_id, p.fk_product_type as product_type, p.ref as product_ref, p.label as product_label,";
-if (empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED)) {
+if (!empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED)) {
 	$sql .= " pa.accountancy_code_sell,";
 } else {
 	$sql .= " p.accountancy_code_sell,";
@@ -198,7 +198,7 @@ $sql .= $hookmanager->resPrint;
 $sql .= " FROM ".MAIN_DB_PREFIX."facturedet as fd";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = fd.fk_product";
 if (!empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED)) {
-	$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "product_accounting as pa ON pa.fk_product = p.rowid AND pa.entity = " . ((int) $conf->entity);
+	$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "product_perentity as pa ON pa.fk_product = p.rowid AND pa.entity = " . ((int) $conf->entity);
 }
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON aa.rowid = fd.fk_code_ventilation";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."facture as f ON f.rowid = fd.fk_facture";

+ 10 - 10
htdocs/accountancy/customer/list.php

@@ -218,7 +218,7 @@ if (empty($chartaccountcode)) {
 $sql = "SELECT f.rowid as facid, f.ref as ref, f.datef, f.type as ftype,";
 $sql .= " l.rowid, l.fk_product, l.description, l.total_ht, l.fk_code_ventilation, l.product_type as type_l, l.tva_tx as tva_tx_line, l.vat_src_code,";
 $sql .= " p.rowid as product_id, p.ref as product_ref, p.label as product_label, p.fk_product_type as type, p.tva_tx as tva_tx_prod,";
-if (empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED)) {
+if (!empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED)) {
 	$sql .= " pa.accountancy_code_sell as code_sell, pa.accountancy_code_sell_intra as code_sell_intra, pa.accountancy_code_sell_export as code_sell_export,";
 	$sql .= " pa.accountancy_code_buy as code_buy, pa.accountancy_code_buy_intra as code_buy_intra, pa.accountancy_code_buy_export as code_buy_export,";
 } else {
@@ -240,20 +240,20 @@ $sql .= $hookmanager->resPrint;
 $sql .= " FROM ".MAIN_DB_PREFIX."facture as f";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc";
 if (!empty($conf->global->ACCOUNTANCY_COMPANY_SHARED)) {
-	$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "societe_accounting as sa ON sa.fk_soc = s.rowid AND sa.entity = " . ((int) $conf->entity);
+	$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "societe_perentity as sa ON sa.fk_soc = s.rowid AND sa.entity = " . ((int) $conf->entity);
 }
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = s.fk_pays ";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."facturedet as l ON f.rowid = l.fk_facture";
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product";
 if (!empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED)) {
-	$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "product_accounting as pa ON pa.fk_product = p.rowid AND pa.entity = " . ((int) $conf->entity);
-}
-$alias_company_accounting = empty($conf->global->MAIN_COMPANY_PERENTITY_SHARED) ? "s" : "sa";
-$alias_product_accounting = empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED) ? "p" : "pa";
-$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa  ON " . $alias_product_accounting . ".accountancy_code_sell = aa.account_number         AND aa.active = 1  AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity;
-$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON " . $alias_product_accounting . ".accountancy_code_sell_intra = aa2.account_number  AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity;
-$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON " . $alias_product_accounting . ".accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity;
-$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa4 ON " . $alias_company_accounting . ".accountancy_code_sell = aa4.account_number        AND aa4.active = 1 AND aa4.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa4.entity = ".$conf->entity;
+	$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "product_perentity as pa ON pa.fk_product = p.rowid AND pa.entity = " . ((int) $conf->entity);
+}
+$alias_societe_perentity = empty($conf->global->MAIN_COMPANY_PERENTITY_SHARED) ? "s" : "sa";
+$alias_product_perentity = empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED) ? "p" : "pa";
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa  ON " . $alias_product_perentity . ".accountancy_code_sell = aa.account_number         AND aa.active = 1  AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity;
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON " . $alias_product_perentity . ".accountancy_code_sell_intra = aa2.account_number  AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity;
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON " . $alias_product_perentity . ".accountancy_code_sell_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity;
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa4 ON " . $alias_societe_perentity . ".accountancy_code_sell = aa4.account_number        AND aa4.active = 1 AND aa4.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa4.entity = ".$conf->entity;
 
 $sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0";
 $sql .= " AND l.product_type <= 2";
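Review bot: The `sa` alias is joined only when ACCOUNTANCY_COMPANY_SHARED is set, but the rewritten `$alias_societe_perentity` line selects "sa" based on MAIN_COMPANY_PERENTITY_SHARED, so an installation with the second option and not the first builds an aa4 join on an alias that was never defined and the query fails. The two conditions should test the same constant, e.g. `$alias_societe_perentity = empty($conf->global->ACCOUNTANCY_COMPANY_SHARED) ? "s" : "sa";`, or the join gate should move to MAIN_COMPANY_PERENTITY_SHARED. customer/index.php uses ACCOUNTANCY_COMPANY_SHARED and supplier/list.php uses MAIN_COMPANY_PERENTITY_SHARED for both sides, so which constant is canonical needs settling once across the three files.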

+ 1 - 1
htdocs/accountancy/expensereport/card.php

@@ -64,7 +64,7 @@ if ($action == 'ventil' && $user->rights->accounting->bind->write) {
 		}
 
 		$sql = " UPDATE ".MAIN_DB_PREFIX."expensereport_det";
-		$sql .= " SET fk_code_ventilation = ".$codeventil;
+		$sql .= " SET fk_code_ventilation = ".((int) $codeventil);
 		$sql .= " WHERE rowid = ".((int) $id);
 
 		$resql = $db->query($sql);

+ 2 - 2
htdocs/accountancy/expensereport/list.php

@@ -153,8 +153,8 @@ if ($massaction == 'ventil' && $user->rights->accounting->bind->write) {
 				$ko++;
 			} else {
 				$sql = " UPDATE ".MAIN_DB_PREFIX."expensereport_det";
-				$sql .= " SET fk_code_ventilation = ".$monCompte;
-				$sql .= " WHERE rowid = ".$monId;
+				$sql .= " SET fk_code_ventilation = ".((int) $monCompte);
+				$sql .= " WHERE rowid = ".((int) $monId);
 
 				$accountventilated = new AccountingAccount($db);
 				$accountventilated->fetch($monCompte, '', 1);

+ 1 - 1
htdocs/accountancy/journal/bankjournal.php

@@ -421,7 +421,7 @@ if ($result) {
 					//$tabtp[$obj->rowid][$account_pay_loan] += $obj->amount;
 					$sqlmid = 'SELECT pl.amount_capital, pl.amount_insurance, pl.amount_interest, l.accountancy_account_capital, l.accountancy_account_insurance, l.accountancy_account_interest';
 					$sqlmid .= ' FROM '.MAIN_DB_PREFIX.'payment_loan as pl, '.MAIN_DB_PREFIX.'loan as l';
-					$sqlmid .= ' WHERE l.rowid = pl.fk_loan AND pl.fk_bank = '.$obj->rowid;
+					$sqlmid .= ' WHERE l.rowid = pl.fk_loan AND pl.fk_bank = '.((int) $obj->rowid);
 
 					dol_syslog("accountancy/journal/bankjournal.php:: sqlmid=".$sqlmid, LOG_DEBUG);
 					$resultmid = $db->query($sqlmid);

+ 2 - 1
htdocs/accountancy/journal/sellsjournal.php

@@ -115,8 +115,9 @@ if (!empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED)) {
 	$sql .= " p.accountancy_code_sell";
 }
 $sql .= " FROM ".MAIN_DB_PREFIX."facturedet as fd";
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = fd.fk_product";
 if (!empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED)) {
-	$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "product_accounting as pa ON pa.fk_product = p.rowid AND pa.entity = " . ((int) $conf->entity);
+	$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "product_perentity as pa ON pa.fk_product = p.rowid AND pa.entity = " . ((int) $conf->entity);
 }
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa ON aa.rowid = fd.fk_code_ventilation";
 $sql .= " JOIN ".MAIN_DB_PREFIX."facture as f ON f.rowid = fd.fk_facture";
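Review bot: The new unconditional `LEFT JOIN product as p` is placed before the product_perentity join that references p.rowid, which is the right order, but the old query already referenced `p.accountancy_code_sell` in the select, so p was presumably joined somewhere further down the query; if that earlier join still exists outside the hunk the alias is now defined twice and the query fails. Worth checking the rest of the FROM chain and removing the other occurrence.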

+ 1 - 1
htdocs/accountancy/supplier/card.php

@@ -64,7 +64,7 @@ if ($action == 'ventil' && $user->rights->accounting->bind->write) {
 		}
 
 		$sql = " UPDATE ".MAIN_DB_PREFIX."facture_fourn_det";
-		$sql .= " SET fk_code_ventilation = ".$codeventil;
+		$sql .= " SET fk_code_ventilation = ".((int) $codeventil);
 		$sql .= " WHERE rowid = ".((int) $id);
 
 		$resql = $db->query($sql);

+ 2 - 2
htdocs/accountancy/supplier/index.php

@@ -193,8 +193,8 @@ if ($action == 'validatehistory') {
 
 			if ($objp->aarowid_suggest > 0) {
 				$sqlupdate = "UPDATE ".MAIN_DB_PREFIX."facture_fourn_det";
-				$sqlupdate .= " SET fk_code_ventilation = ".$objp->aarowid_suggest;
-				$sqlupdate .= " WHERE fk_code_ventilation <= 0 AND product_type <= 2 AND rowid = ".$objp->rowid;
+				$sqlupdate .= " SET fk_code_ventilation = ".((int) $objp->aarowid_suggest);
+				$sqlupdate .= " WHERE fk_code_ventilation <= 0 AND product_type <= 2 AND rowid = ".((int) $objp->rowid);
 
 				$resqlupdate = $db->query($sqlupdate);
 				if (!$resqlupdate) {

+ 11 - 11
htdocs/accountancy/supplier/list.php

@@ -177,8 +177,8 @@ if ($massaction == 'ventil') {
 				$ko++;
 			} else {
 				$sql = " UPDATE ".MAIN_DB_PREFIX."facture_fourn_det";
-				$sql .= " SET fk_code_ventilation = ".$monCompte;
-				$sql .= " WHERE rowid = ".$monId;
+				$sql .= " SET fk_code_ventilation = ".((int) $monCompte);
+				$sql .= " WHERE rowid = ".((int) $monId);
 
 				$accountventilated = new AccountingAccount($db);
 				$accountventilated->fetch($monCompte, '', 1);
@@ -245,19 +245,19 @@ $sql .= $hookmanager->resPrint;
 $sql .= " FROM ".MAIN_DB_PREFIX."facture_fourn as f";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."societe as s ON s.rowid = f.fk_soc";
 if (!empty($conf->global->MAIN_COMPANY_PERENTITY_SHARED)) {
-	$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "societe_accounting as sa ON sa.fk_soc = s.rowid AND sa.entity = " . ((int) $conf->entity);
+	$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "societe_perentity as sa ON sa.fk_soc = s.rowid AND sa.entity = " . ((int) $conf->entity);
 }
 $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."c_country as co ON co.rowid = s.fk_pays ";
 $sql .= " INNER JOIN ".MAIN_DB_PREFIX."facture_fourn_det as l ON f.rowid = l.fk_facture_fourn";
 if (!empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED)) {
-	$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "product_accounting as pa ON pa.fk_product = p.rowid AND pa.entity = " . ((int) $conf->entity);
-}
-$alias_company_accounting = !empty($conf->global->MAIN_COMPANY_PERENTITY_SHARED) ? "sa" : "s";
-$alias_product_accounting = !empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED) ? "pa" : "p";
-$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa  ON " . $alias_product_accounting . ".accountancy_code_buy = aa.account_number         AND aa.active = 1  AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity;
-$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON " . $alias_product_accounting . ".accountancy_code_buy_intra = aa2.account_number  AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity;
-$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON " . $alias_product_accounting . ".accountancy_code_buy_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity;
-$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa4 ON " . $alias_company_accounting . ".accountancy_code_buy = aa4.account_number        AND aa4.active = 1 AND aa4.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa4.entity = ".$conf->entity;
+	$sql .= " LEFT JOIN " . MAIN_DB_PREFIX . "product_perentity as pa ON pa.fk_product = p.rowid AND pa.entity = " . ((int) $conf->entity);
+}
+$alias_societe_perentity = empty($conf->global->MAIN_COMPANY_PERENTITY_SHARED) ? "s" : "sa";
+$alias_product_perentity = empty($conf->global->MAIN_PRODUCT_PERENTITY_SHARED) ? "p" : "pa";
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa  ON " . $alias_product_perentity . ".accountancy_code_buy = aa.account_number         AND aa.active = 1  AND aa.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa.entity = ".$conf->entity;
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa2 ON " . $alias_product_perentity . ".accountancy_code_buy_intra = aa2.account_number  AND aa2.active = 1 AND aa2.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa2.entity = ".$conf->entity;
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa3 ON " . $alias_product_perentity . ".accountancy_code_buy_export = aa3.account_number AND aa3.active = 1 AND aa3.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa3.entity = ".$conf->entity;
+$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."accounting_account as aa4 ON " . $alias_societe_perentity . ".accountancy_code_buy = aa4.account_number        AND aa4.active = 1 AND aa4.fk_pcg_version = '".$db->escape($chartaccountcode)."' AND aa4.entity = ".$conf->entity;
 $sql .= " WHERE f.fk_statut > 0 AND l.fk_code_ventilation <= 0";
 $sql .= " AND l.product_type <= 2";
 // Define begin binding date
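Review bot: The product_perentity join references `p.rowid`, but unlike customer/list.php there is no `LEFT JOIN product as p` visible between the facture_fourn_det join and this one; if p is only joined further down the chain, the ON clause refers to an alias that is not yet defined at that point. Adding `$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON p.rowid = l.fk_product";` before the MAIN_PRODUCT_PERENTITY_SHARED block mirrors the customer list. The `$conf->entity` values on the aa/aa2/aa3/aa4 lines are also left uncast here, as noted on customer/index.php.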

+ 1 - 1
htdocs/adherents/canvas/actions_adherentcard_common.class.php

@@ -273,7 +273,7 @@ abstract class ActionsAdherentCardCommon
 
 		// We set country_id, and country_code label of the chosen country
 		if ($this->object->country_id) {
-			$sql = "SELECT code, label FROM ".MAIN_DB_PREFIX."c_country WHERE rowid = ".$this->object->country_id;
+			$sql = "SELECT code, label FROM ".MAIN_DB_PREFIX."c_country WHERE rowid = ".((int) $this->object->country_id);
 			$resql = $this->db->query($sql);
 			if ($resql) {
 				$obj = $this->db->fetch_object($resql);

+ 84 - 51
htdocs/adherents/card.php

@@ -7,6 +7,7 @@
  * Copyright (C) 2012-2020  Philippe Grand          <philippe.grand@atoo-net.com>
  * Copyright (C) 2015-2018  Alexandre Spangaro      <aspangaro@open-dsi.fr>
  * Copyright (C) 2018-2020  Frédéric France         <frederic.france@netlogic.fr>
+ * Copyright (C) 2021       Waël Almoman            <info@almoman.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -331,62 +332,66 @@ if (empty($reshook)) {
 				}
 			}
 
-			$result = $object->update($user, 0, $nosyncuser, $nosyncuserpass);
-
-			if ($result >= 0 && !count($object->errors)) {
-				$categories = GETPOST('memcats', 'array');
-				$object->setCategories($categories);
-
-				// Logo/Photo save
-				$dir = $conf->adherent->dir_output.'/'.get_exdir(0, 0, 0, 1, $object, 'member').'/photos';
-				$file_OK = is_uploaded_file($_FILES['photo']['tmp_name']);
-				if ($file_OK) {
-					if (GETPOST('deletephoto')) {
-						require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
-						$fileimg = $conf->adherent->dir_output.'/'.get_exdir(0, 0, 0, 1, $object, 'member').'/photos/'.$object->photo;
-						$dirthumbs = $conf->adherent->dir_output.'/'.get_exdir(0, 0, 0, 1, $object, 'member').'/photos/thumbs';
-						dol_delete_file($fileimg);
-						dol_delete_dir_recursive($dirthumbs);
-					}
-
-					if (image_format_supported($_FILES['photo']['name']) > 0) {
-						dol_mkdir($dir);
+			if (!$error) {
+				$result = $object->update($user, 0, $nosyncuser, $nosyncuserpass);
+
+				if ($result >= 0 && !count($object->errors)) {
+					$categories = GETPOST('memcats', 'array');
+					$object->setCategories($categories);
+
+					// Logo/Photo save
+					$dir = $conf->adherent->dir_output.'/'.get_exdir(0, 0, 0, 1, $object, 'member').'/photos';
+					$file_OK = is_uploaded_file($_FILES['photo']['tmp_name']);
+					if ($file_OK) {
+						if (GETPOST('deletephoto')) {
+							require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
+							$fileimg = $conf->adherent->dir_output.'/'.get_exdir(0, 0, 0, 1, $object, 'member').'/photos/'.$object->photo;
+							$dirthumbs = $conf->adherent->dir_output.'/'.get_exdir(0, 0, 0, 1, $object, 'member').'/photos/thumbs';
+							dol_delete_file($fileimg);
+							dol_delete_dir_recursive($dirthumbs);
+						}
 
-						if (@is_dir($dir)) {
-							$newfile = $dir.'/'.dol_sanitizeFileName($_FILES['photo']['name']);
-							if (!dol_move_uploaded_file($_FILES['photo']['tmp_name'], $newfile, 1, 0, $_FILES['photo']['error']) > 0) {
-								setEventMessages($langs->trans("ErrorFailedToSaveFile"), null, 'errors');
-							} else {
-								// Create thumbs
-								$object->addThumbs($newfile);
+						if (image_format_supported($_FILES['photo']['name']) > 0) {
+							dol_mkdir($dir);
+
+							if (@is_dir($dir)) {
+								$newfile = $dir.'/'.dol_sanitizeFileName($_FILES['photo']['name']);
+								if (!dol_move_uploaded_file($_FILES['photo']['tmp_name'], $newfile, 1, 0, $_FILES['photo']['error']) > 0) {
+									setEventMessages($langs->trans("ErrorFailedToSaveFile"), null, 'errors');
+								} else {
+									// Create thumbs
+									$object->addThumbs($newfile);
+								}
 							}
+						} else {
+							setEventMessages("ErrorBadImageFormat", null, 'errors');
 						}
 					} else {
-						setEventMessages("ErrorBadImageFormat", null, 'errors');
-					}
-				} else {
-					switch ($_FILES['photo']['error']) {
-						case 1: //uploaded file exceeds the upload_max_filesize directive in php.ini
-						case 2: //uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the html form
-							$errors[] = "ErrorFileSizeTooLarge";
-							break;
-						case 3: //uploaded file was only partially uploaded
-							$errors[] = "ErrorFilePartiallyUploaded";
-							break;
+						switch ($_FILES['photo']['error']) {
+							case 1: //uploaded file exceeds the upload_max_filesize directive in php.ini
+							case 2: //uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the html form
+								$errors[] = "ErrorFileSizeTooLarge";
+								break;
+							case 3: //uploaded file was only partially uploaded
+								$errors[] = "ErrorFilePartiallyUploaded";
+								break;
+						}
 					}
-				}
 
-				$rowid = $object->id;
-				$id = $object->id;
-				$action = '';
+					$rowid = $object->id;
+					$id = $object->id;
+					$action = '';
 
-				if (!empty($backtopage)) {
-					header("Location: ".$backtopage);
-					exit;
+					if (!empty($backtopage)) {
+						header("Location: ".$backtopage);
+						exit;
+					}
+				} else {
+					setEventMessages($object->error, $object->errors, 'errors');
+					$action = '';
 				}
 			} else {
-				setEventMessages($object->error, $object->errors, 'errors');
-				$action = '';
+				$action = 'edit';
 			}
 		} else {
 			$action = 'edit';
@@ -550,7 +555,6 @@ if (empty($reshook)) {
 				$db->commit();
 				$rowid = $object->id;
 				$id = $object->id;
-				$action = '';
 			} else {
 				$db->rollback();
 
@@ -559,12 +563,41 @@ if (empty($reshook)) {
 				} else {
 					setEventMessages($object->error, $object->errors, 'errors');
 				}
+			}
+			// Auto-create thirdparty on member creation
+			if (!empty($conf->global->ADHERENT_DEFAULT_CREATE_THIRDPARTY)) {
+				if ($result > 0) {
+					// User creation
+					$company = new Societe($db);
+
+					$companyalias = '';
+					$fullname = $object->getFullName($langs);
+
+					if ($object->morphy == 'mor') {
+						$companyname = $object->company;
+						if (!empty($fullname)) {
+							$companyalias = $fullname;
+						}
+					} else {
+						$companyname = $fullname;
+						if (!empty($object->company)) {
+							$companyalias = $object->company;
+						}
+					}
+
+					$result = $company->create_from_member($object, $companyname, $companyalias);
 
-				$action = 'create';
+					if ($result < 0) {
+						$langs->load("errors");
+						setEventMessages($langs->trans($company->error), null, 'errors');
+						setEventMessages($company->error, $company->errors, 'errors');
+					}
+				} else {
+					setEventMessages($object->error, $object->errors, 'errors');
+				}
 			}
-		} else {
-			$action = 'create';
 		}
+		$action = ($result < 0 || !$error) ?  '' : 'create';
 	}
 
 	if ($user->rights->adherent->supprimer && $action == 'confirm_delete' && $confirm == 'yes') {
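Review bot: The final `$action = ($result < 0 || !$error) ?  '' : 'create';` reads as inverted: the two removed assignments set 'create' on failure, whereas this expression yields '' whenever $result is negative, so a failed creation now shows the card instead of returning the user to the form; if the previous behaviour is intended, `$action = ($result < 0 || $error) ? 'create' : '';` matches it, and the double space before '' should go either way. Note also that $result is overwritten by create_from_member() in the thirdparty block, so the expression may reflect the thirdparty outcome rather than the member one. In the same hunk the company error is reported twice, once through `$langs->trans($company->error)` and once raw with `$company->errors`; one of the two setEventMessages() calls should be dropped. The enclosing action block starts and ends outside the hunk.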

+ 5 - 5
htdocs/adherents/class/adherent.class.php

@@ -692,7 +692,7 @@ class Adherent extends CommonObject
 			$sql .= ", datevalid = '".$this->db->idate($this->datevalid)."'"; // Must be modified only when validating a member
 		}
 		$sql .= ", fk_user_mod = ".($user->id > 0 ? $user->id : 'null'); // Can be null because member can be create by a guest
-		$sql .= " WHERE rowid = ".$this->id;
+		$sql .= " WHERE rowid = ".((int) $this->id);
 
 		// If we change the type of membership, we set also label of new type
 		if (!empty($this->oldcopy) && $this->typeid != $this->oldcopy->typeid) {
@@ -964,7 +964,7 @@ class Adherent extends CommonObject
 		}
 
 		// Remove category
-		$sql = "DELETE FROM ".MAIN_DB_PREFIX."categorie_member WHERE fk_member = ".$rowid;
+		$sql = "DELETE FROM ".MAIN_DB_PREFIX."categorie_member WHERE fk_member = ".((int) $rowid);
 		dol_syslog(get_class($this)."::delete", LOG_DEBUG);
 		$resql = $this->db->query($sql);
 		if (!$resql) {
@@ -975,7 +975,7 @@ class Adherent extends CommonObject
 
 		// Remove subscription
 		if (!$error) {
-			$sql = "DELETE FROM ".MAIN_DB_PREFIX."subscription WHERE fk_adherent = ".$rowid;
+			$sql = "DELETE FROM ".MAIN_DB_PREFIX."subscription WHERE fk_adherent = ".((int) $rowid);
 			dol_syslog(get_class($this)."::delete", LOG_DEBUG);
 			$resql = $this->db->query($sql);
 			if (!$resql) {
@@ -1007,7 +1007,7 @@ class Adherent extends CommonObject
 
 		// Remove adherent
 		if (!$error) {
-			$sql = "DELETE FROM ".MAIN_DB_PREFIX."adherent WHERE rowid = ".$rowid;
+			$sql = "DELETE FROM ".MAIN_DB_PREFIX."adherent WHERE rowid = ".((int) $rowid);
 			dol_syslog(get_class($this)."::delete", LOG_DEBUG);
 			$resql = $this->db->query($sql);
 			if (!$resql) {
@@ -1154,7 +1154,7 @@ class Adherent extends CommonObject
 		// Set link to user
 		if ($userid > 0) {
 			$sql = "UPDATE ".MAIN_DB_PREFIX."user SET fk_member = ".((int) $this->id);
-			$sql .= " WHERE rowid = ".$userid;
+			$sql .= " WHERE rowid = ".((int) $userid);
 			dol_syslog(get_class($this)."::setUserId", LOG_DEBUG);
 			$resql = $this->db->query($sql);
 			if (!$resql) {

+ 1 - 1
htdocs/adherents/class/adherent_type.class.php

@@ -425,7 +425,7 @@ class AdherentType extends CommonObject
 		$error = 0;
 
 		$sql = "DELETE FROM ".MAIN_DB_PREFIX."adherent_type";
-		$sql .= " WHERE rowid = ".$this->id;
+		$sql .= " WHERE rowid = ".((int) $this->id);
 
 		$resql = $this->db->query($sql);
 		if ($resql) {

+ 1 - 1
htdocs/adherents/class/adherentstats.class.php

@@ -72,7 +72,7 @@ class AdherentStats extends Stats
 		$this->where .= " AND p.fk_adherent = m.rowid AND m.entity IN (".getEntity('adherent').")";
 		//if (!$user->rights->societe->client->voir && !$user->socid) $this->where .= " AND p.fk_soc = sc.fk_soc AND sc.fk_user = " .$user->id;
 		if ($this->memberid) {
-			$this->where .= " AND m.rowid = ".$this->memberid;
+			$this->where .= " AND m.rowid = ".((int) $this->memberid);
 		}
 		//if ($this->userid > 0) $this->where.=' AND fk_user_author = '.$this->userid;
 	}

+ 1 - 1
htdocs/adherents/note.php

@@ -97,7 +97,7 @@ if ($id) {
 
 	print dol_get_fiche_head($head, 'note', $langs->trans("Member"), -1, 'user');
 
-	print "<form method=\"post\" action=\"".$_SERVER['PHP_SELF']."\">";
+	print '<form method="POST" action="'.$_SERVER['PHP_SELF'].'">';
 	print '<input type="hidden" name="token" value="'.newToken().'">';
 
 	$linkback = '<a href="'.DOL_URL_ROOT.'/adherents/list.php?restore_lastsearch_values=1">'.$langs->trans("BackToList").'</a>';

+ 2 - 2
htdocs/adherents/type_translation.php

@@ -15,8 +15,8 @@
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- * or see http://www.gnu.org/
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ * or see https://www.gnu.org/
  */
 
 /**

+ 1 - 1
htdocs/admin/boxes.php

@@ -93,7 +93,7 @@ if ($action == 'add') {
 						$arrayofexistingboxid = array();
 						$nbboxonleft = $nbboxonright = 0;
 						$sql = "SELECT box_id, box_order FROM ".MAIN_DB_PREFIX."boxes";
-						$sql .= " WHERE position = ".$pos." AND fk_user = ".$fk_user." AND entity = ".$conf->entity;
+						$sql .= " WHERE position = ".((int) $pos)." AND fk_user = ".((int) $fk_user)." AND entity = ".((int) $conf->entity);
 						dol_syslog("boxes.php activate box", LOG_DEBUG);
 						$resql = $db->query($sql);
 						if ($resql) {

+ 2 - 2
htdocs/admin/company.php

@@ -288,8 +288,8 @@ if ($action == 'addthumb' || $action == 'addthumbsquarred') {  // Regenerate thu
 	} else {
 		$error++;
 		$langs->load("errors");
-		setEventMessages($langs->trans("ErrorFileDoesNotExists", $_GET["file"]), null, 'errors');
-		dol_syslog($langs->transnoentities("ErrorFileDoesNotExists", $_GET["file"]), LOG_WARNING);
+		setEventMessages($langs->trans("ErrorFileDoesNotExists", GETPOST("file")), null, 'errors');
+		dol_syslog($langs->transnoentities("ErrorFileDoesNotExists", GETPOST("file")), LOG_WARNING);
 	}
 }
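Review bot: Reporting the failing name through GETPOST("file") is an improvement over echoing `$_GET["file"]` into an event message, but the existence check that leads to this else branch is outside the hunk; if it still reads the raw `$_GET["file"]`, the value tested and the value reported can differ once GETPOST's default filtering applies. Reading the parameter once into a local with GETPOST and using it for both the check and the messages keeps them consistent.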
 

+ 4 - 4
htdocs/admin/dict.php

@@ -1915,10 +1915,10 @@ if ($id) {
 								$showfield = 0;
 							} elseif ($fieldlist[$field] == 'unicode') {
 								$valuetoshow = $langs->getCurrencySymbol($obj->code, 1);
-							} elseif ($fieldlist[$field] == 'label' && $tabname[$_GET["id"]] == MAIN_DB_PREFIX.'c_units') {
+							} elseif ($fieldlist[$field] == 'label' && $tabname[GETPOST("id", 'int')] == MAIN_DB_PREFIX.'c_units') {
 								$langs->load("products");
 								$valuetoshow = $langs->trans($obj->{$fieldlist[$field]});
-							} elseif ($fieldlist[$field] == 'short_label' && $tabname[$_GET["id"]] == MAIN_DB_PREFIX.'c_units') {
+							} elseif ($fieldlist[$field] == 'short_label' && $tabname[GETPOST("id", 'int')] == MAIN_DB_PREFIX.'c_units') {
 								$langs->load("products");
 								$valuetoshow = $langs->trans($obj->{$fieldlist[$field]});
 							} elseif (($fieldlist[$field] == 'unit') && ($tabname[$id] == MAIN_DB_PREFIX.'c_paper_format')) {
@@ -2056,7 +2056,7 @@ if ($id) {
 					if ($id == 4) {
 						print '<td class="nowrap center">';
 						if ($iserasable) {
-							print '<a class="reposition" href="'.$url.'action='.$acts[$obj->favorite].'_favorite">'.$actl[$obj->favorite].'</a>';
+							print '<a class="reposition" href="'.$url.'action='.$acts[$obj->favorite].'_favorite&token='.newToken().'">'.$actl[$obj->favorite].'</a>';
 						} else {
 							print $langs->trans("AlwaysActive");
 						}
@@ -2066,7 +2066,7 @@ if ($id) {
 					// Active
 					print '<td class="nowrap center">';
 					if ($canbedisabled) {
-						print '<a class="reposition" href="'.$url.'action='.$acts[$obj->active].'">'.$actl[$obj->active].'</a>';
+						print '<a class="reposition" href="'.$url.'action='.$acts[$obj->active].'&token='.newToken().'">'.$actl[$obj->active].'</a>';
 					} else {
 						if (in_array($obj->code, array('AC_OTH', 'AC_OTH_AUTO'))) {
 							print $langs->trans("AlwaysActive");
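Review bot: The first hunk re-reads the request with `$tabname[GETPOST("id", 'int')]` on the two changed `c_units` branches while the very next branch (the `c_paper_format` test) indexes with `$id`, which the enclosing `if ($id)` shows is already in scope; if `$id` is the sanitised copy of the same parameter, both lines should read `$tabname[$id] == MAIN_DB_PREFIX.'c_units'` so the page has a single source of truth for the dictionary id. In the second hunk the `&token=` appended to the favorite/activate links is only protective if the action handler for `$acts[...]` verifies it; that handler is outside this section, so please confirm it rejects a missing or stale token rather than just accepting the extra parameter. Both `if ($id)` bodies begin before their hunks.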

+ 3 - 3
htdocs/admin/dolistore/class/PSWebServiceLibrary.class.php

@@ -7,7 +7,7 @@
 * This source file is subject to the Open Software License (OSL 3.0)
 * that is bundled with this package in the file LICENSE.txt.
 * It is also available through the world-wide-web at this URL:
-* http://opensource.org/licenses/osl-3.0.php
+* https://opensource.org/licenses/osl-3.0.php
 * If you did not receive a copy of the license and are unable to
 * obtain it through the world-wide-web, please send an email
 * to license@prestashop.com so we can send you a copy immediately.
@@ -16,11 +16,11 @@
 *
 * Do not edit or add to this file if you wish to upgrade PrestaShop to newer
 * versions in the future. If you wish to customize PrestaShop for your
-* needs please refer to http://www.prestashop.com for more information.
+* needs please refer to https://www.prestashop.com for more information.
 *
 * @author PrestaShop SA <contact@prestashop.com>
 * @copyright  2007-2013 PrestaShop SA
-* @license    http://opensource.org/licenses/osl-3.0.php  Open Software License (OSL 3.0)
+* @license    https://opensource.org/licenses/osl-3.0.php  Open Software License (OSL 3.0)
 * International Registered Trademark & Property of PrestaShop SA
 * PrestaShop Webservice Library
 * @package PrestaShopWebservice

+ 22 - 14
htdocs/admin/eventorganization.php

@@ -52,6 +52,8 @@ $arrayofparameters = array(
 	'EVENTORGANIZATION_TASK_LABEL'=>array('type'=>'textarea','enabled'=>1),
 	'EVENTORGANIZATION_CATEG_THIRDPARTY_CONF'=>array('type'=>'category:'.Categorie::TYPE_CUSTOMER, 'enabled'=>1),
 	'EVENTORGANIZATION_CATEG_THIRDPARTY_BOOTH'=>array('type'=>'category:'.Categorie::TYPE_CUSTOMER, 'enabled'=>1),
+	//'EVENTORGANIZATION_FILTERATTENDEES_CAT'=>array('type'=>'category:'.Categorie::TYPE_CUSTOMER, 'enabled'=>1),
+	//'EVENTORGANIZATION_FILTERATTENDEES_TYPE'=>array('type'=>'thirdparty_type:', 'enabled'=>1),
 	'EVENTORGANIZATION_TEMPLATE_EMAIL_ASK_CONF'=>array('type'=>'emailtemplate:eventorganization_send', 'enabled'=>1),
 	'EVENTORGANIZATION_TEMPLATE_EMAIL_ASK_BOOTH'=>array('type'=>'emailtemplate:eventorganization_send', 'enabled'=>1),
 	'EVENTORGANIZATION_TEMPLATE_EMAIL_AFT_SUBS_BOOTH'=>array('type'=>'emailtemplate:eventorganization_send', 'enabled'=>1),
@@ -144,7 +146,7 @@ if ($action == 'updateMask') {
 			}
 		}
 	}
-} elseif ($action == 'setdoc') {
+}/* elseif ($action == 'setdoc') {
 	// Set or unset default model
 	$tmpobjectkey = GETPOST('object');
 	if (!empty($tmpobjectkey)) {
@@ -167,7 +169,7 @@ if ($action == 'updateMask') {
 		$constforval = 'EVENTORGANIZATION_'.strtoupper($tmpobjectkey).'_ADDON_PDF';
 		dolibarr_del_const($db, $constforval, $conf->entity);
 	}
-}
+}*/
 
 
 
@@ -177,7 +179,7 @@ if ($action == 'updateMask') {
 
 $form = new Form($db);
 
-$dirmodels = array_merge(array('/'), (array) $conf->modules_parts['models']);
+//$dirmodels = array_merge(array('/'), (array) $conf->modules_parts['models']);
 
 $page_name = "EventOrganizationSetup";
 llxHeader('', $langs->trans($page_name));
@@ -249,6 +251,10 @@ if ($action == 'edit') {
 				$tmp = explode(':', $val['type']);
 				print img_picto('', 'category', 'class="pictofixedwidth"');
 				print $formother->select_categories($tmp[1], $conf->global->{$constname}, $constname, 0, $langs->trans('CustomersProspectsCategoriesShort'));
+			} elseif (preg_match('/thirdparty_type/', $val['type'])) {
+				require_once DOL_DOCUMENT_ROOT.'/core/class/html.formcompany.class.php';
+				$formcompany = new FormCompany($db);
+				print $formcompany->selectProspectCustomerType($conf->global->{$constname}, $constname);
 			} else {
 				print '<input name="'.$constname.'"  class="flat '.(empty($val['css']) ? 'minwidth200' : $val['css']).'" value="'.$conf->global->{$constname}.'">';
 			}
@@ -309,6 +315,16 @@ if ($action == 'edit') {
 						}
 						print '<div class="select2-container-multi-dolibarr" style="width: 90%;"><ul class="select2-choices-dolibarr">' . implode(' ', $toprint) . '</ul></div>';
 					}
+				} elseif (preg_match('/thirdparty_type/', $val['type'])) {
+					if ($conf->global->{$constname}==2) {
+						print $langs->trans("Prospect");
+					} elseif ($conf->global->{$constname}==3) {
+						print $langs->trans("ProspectCustomer");
+					} elseif ($conf->global->{$constname}==1) {
+						print $langs->trans("Customer");
+					} elseif ($conf->global->{$constname}==0) {
+						print $langs->trans("NorProspectNorCustomer");
+					}
 				} else {
 					print  $conf->global->{$constname};
 				}
@@ -327,7 +343,7 @@ if ($action == 'edit') {
 }
 
 
-$moduledir = 'eventorganization';
+/*$moduledir = 'eventorganization';
 $myTmpObjects = array();
 $myTmpObjects['MyObject'] = array('includerefgeneration'=>0, 'includedocgeneration'=>0);
 
@@ -337,9 +353,6 @@ foreach ($myTmpObjects as $myTmpObjectKey => $myTmpObjectArray) {
 		continue;
 	}
 	if ($myTmpObjectArray['includerefgeneration']) {
-		/*
-		 * Orders Numbering model
-		 */
 		$setupnotempty++;
 
 		print load_fiche_titre($langs->trans("NumberingModules", $myTmpObjectKey), '', '');
@@ -444,9 +457,7 @@ foreach ($myTmpObjects as $myTmpObjectKey => $myTmpObjectArray) {
 	}
 
 	if ($myTmpObjectArray['includedocgeneration']) {
-		/*
-		 * Document templates generators
-		 */
+
 		$setupnotempty++;
 		$type = strtolower($myTmpObjectKey);
 
@@ -588,10 +599,7 @@ foreach ($myTmpObjects as $myTmpObjectKey => $myTmpObjectArray) {
 		print '</table>';
 	}
 }
-
-if (empty($setupnotempty)) {
-	print '<br>'.$langs->trans("NothingToSetup");
-}
+*/
 
 // Page end
 print dol_get_fiche_end();
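Review bot: The new `thirdparty_type` branches (the edit-mode `selectProspectCustomerType` call and the Prospect/Customer label chain) are unreachable as committed, because the only parameter that would use that type, `EVENTORGANIZATION_FILTERATTENDEES_TYPE`, is left commented out in `$arrayofparameters`; either enable the entry or drop the branches until it is. The label chain compares a configuration string with `==` against `2`, `3`, `1`, `0` and prints nothing when the value is unset or non-numeric (and `'' == 0` differs between PHP 7 and 8); reading it once as `$tmpval = (int) $conf->global->{$constname};` and matching on that makes the behaviour explicit. The `setdoc` action, `$dirmodels` and the whole numbering/document-template section are commented out with `/* ... */` rather than removed; dead code in an admin page is better deleted, since version control keeps it. The `if ($action == 'edit')` structure these hunks sit in starts before the section.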

+ 113 - 0
htdocs/admin/eventorganization_confboothattendee_extrafields.php

@@ -0,0 +1,113 @@
+<?php
+/* Copyright (C) 2001-2002	Rodolphe Quiedeville	<rodolphe@quiedeville.org>
+ * Copyright (C) 2003		Jean-Louis Bergamo		<jlb@j1b.org>
+ * Copyright (C) 2004-2011	Laurent Destailleur		<eldy@users.sourceforge.net>
+ * Copyright (C) 2012		Regis Houssin			<regis.houssin@inodbox.com>
+ * Copyright (C) 2014		Florian Henry			<florian.henry@open-concept.pro>
+ * Copyright (C) 2015		Jean-François Ferry		<jfefe@aternatik.fr>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+/**
+ *      \file       admin/conferenceorboothattendee_extrafields.php
+ *		\ingroup    eventorganization
+ *		\brief      Page to setup extra fields of conferenceorboothattendee
+ */
+require '../main.inc.php';
+require_once DOL_DOCUMENT_ROOT.'/core/lib/eventorganization.lib.php';
+require_once DOL_DOCUMENT_ROOT.'/core/class/extrafields.class.php';
+
+// Load translation files required by the page
+$langs->loadLangs(array('eventorganization', 'admin'));
+
+$extrafields = new ExtraFields($db);
+$form = new Form($db);
+
+// List of supported format
+$tmptype2label = ExtraFields::$type2label;
+$type2label = array('');
+foreach ($tmptype2label as $key => $val) {
+	$type2label[$key] = $langs->transnoentitiesnoconv($val);
+}
+
+$action = GETPOST('action', 'aZ09');
+$attrname = GETPOST('attrname', 'alpha');
+$elementtype = 'eventorganization_conferenceorboothattendee'; //Must be the $table_element of the class that manage extrafield
+
+if (!$user->admin) {
+	accessforbidden();
+}
+
+
+/*
+ * Actions
+ */
+
+require DOL_DOCUMENT_ROOT.'/core/actions_extrafields.inc.php';
+
+
+
+/*
+ * View
+ */
+
+
+llxHeader('', $langs->trans("EventOrganizationSetup"), $help_url);
+
+
+$linkback = '<a href="'.DOL_URL_ROOT.'/admin/modules.php?restore_lastsearch_values=1">'.$langs->trans("BackToModuleList").'</a>';
+print load_fiche_titre($langs->trans("EventOrganizationSetup"), $linkback, 'title_setup');
+
+
+$head = eventorganizationAdminPrepareHead();
+
+print dol_get_fiche_head($head, 'conferenceorboothattendee_extrafields', $langs->trans("ConferenceOrBoothAttendeeExtraFields"), -1, 'account');
+
+require DOL_DOCUMENT_ROOT.'/core/tpl/admin_extrafields_view.tpl.php';
+
+print dol_get_fiche_end();
+
+
+// Buttons
+if ($action != 'create' && $action != 'edit') {
+	print '<div class="tabsAction">';
+	print "<a class=\"butAction\" href=\"".$_SERVER["PHP_SELF"]."?action=create#newattrib\">".$langs->trans("NewAttribute")."</a>";
+	print "</div>";
+}
+
+
+/*
+ * Creation of an optional field
+ */
+if ($action == 'create') {
+	print '<br><div id="newattrib"></div>';
+	print load_fiche_titre($langs->trans('NewAttribute'));
+
+	require DOL_DOCUMENT_ROOT.'/core/tpl/admin_extrafields_add.tpl.php';
+}
+
+/*
+ * Edition of an optional field
+ */
+if ($action == 'edit' && !empty($attrname)) {
+	print "<br>";
+	print load_fiche_titre($langs->trans("FieldEdition", $attrname));
+
+	require DOL_DOCUMENT_ROOT.'/core/tpl/admin_extrafields_edit.tpl.php';
+}
+
+// End of page
+llxFooter();
+$db->close();
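Review bot: `$help_url` is passed to `llxHeader('', $langs->trans("EventOrganizationSetup"), $help_url)` but is never assigned anywhere in this new file, so PHP raises an undefined-variable notice on every load; add `$help_url = '';` (or the wiki page for the module) next to the other page setup after the `accessforbidden()` guard. The doc header also names the file `admin/conferenceorboothattendee_extrafields.php` while the file is `eventorganization_confboothattendee_extrafields.php`, and the copyright block is copied from a 2001-era file; `\file admin/eventorganization_confboothattendee_extrafields.php` would let readers find it. The `$user->admin` check correctly precedes the include of `actions_extrafields.inc.php`, so no action runs unprivileged.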

+ 1 - 1
htdocs/admin/external_rss.php

@@ -140,7 +140,7 @@ if (GETPOST("delete")) {
 				$resql = $db->query($sql);
 
 				$sql = "DELETE FROM ".MAIN_DB_PREFIX."boxes_def";
-				$sql .= " WHERE rowid = ".$obj->rowid;
+				$sql .= " WHERE rowid = ".((int) $obj->rowid);
 				$resql = $db->query($sql);
 
 				if (!$resql) {

+ 8 - 8
htdocs/admin/menus/index.php

@@ -111,13 +111,13 @@ if ($action == 'up') {
 	}
 
 	$sql = "UPDATE ".MAIN_DB_PREFIX."menu as m";
-	$sql .= " SET m.position = ".$previous['order'];
-	$sql .= " WHERE m.rowid = ".$current['rowid']; // Up the selected entry
+	$sql .= " SET m.position = ".((int) $previous['order']);
+	$sql .= " WHERE m.rowid = ".((int) $current['rowid']); // Up the selected entry
 	dol_syslog("admin/menus/index.php ".$sql);
 	$db->query($sql);
 	$sql = "UPDATE ".MAIN_DB_PREFIX."menu as m";
-	$sql .= " SET m.position = ".($current['order'] != $previous['order'] ? $current['order'] : $current['order'] + 1);
-	$sql .= " WHERE m.rowid = ".$previous['rowid']; // Descend celui du dessus
+	$sql .= " SET m.position = ".((int) ($current['order'] != $previous['order'] ? $current['order'] : $current['order'] + 1));
+	$sql .= " WHERE m.rowid = ".((int) $previous['rowid']); // Descend celui du dessus
 	dol_syslog("admin/menus/index.php ".$sql);
 	$db->query($sql);
 } elseif ($action == 'down') {
@@ -162,13 +162,13 @@ if ($action == 'up') {
 	}
 
 	$sql = "UPDATE ".MAIN_DB_PREFIX."menu as m";
-	$sql .= " SET m.position = ".($current['order'] != $next['order'] ? $next['order'] : $current['order'] + 1); // Down the selected entry
-	$sql .= " WHERE m.rowid = ".$current['rowid'];
+	$sql .= " SET m.position = ".((int) ($current['order'] != $next['order'] ? $next['order'] : $current['order'] + 1)); // Down the selected entry
+	$sql .= " WHERE m.rowid = ".((int) $current['rowid']);
 	dol_syslog("admin/menus/index.php ".$sql);
 	$db->query($sql);
 	$sql = "UPDATE ".MAIN_DB_PREFIX."menu as m"; // Up the next entry
-	$sql .= " SET m.position = ".$current['order'];
-	$sql .= " WHERE m.rowid = ".$next['rowid'];
+	$sql .= " SET m.position = ".((int) $current['order']);
+	$sql .= " WHERE m.rowid = ".((int) $next['rowid']);
 	dol_syslog("admin/menus/index.php ".$sql);
 	$db->query($sql);
 } elseif ($action == 'confirm_delete' && $confirm == 'yes') {

+ 48 - 20
htdocs/admin/pdf.php

@@ -68,6 +68,20 @@ if ($action == 'update') {
 	dolibarr_set_const($db, "MAIN_GENERATE_DOCUMENTS_WITHOUT_VAT", GETPOST("MAIN_GENERATE_DOCUMENTS_WITHOUT_VAT"), 'chaine', 0, '', $conf->entity);
 
 	dolibarr_set_const($db, "MAIN_TVAINTRA_NOT_IN_ADDRESS", GETPOST("MAIN_TVAINTRA_NOT_IN_ADDRESS"), 'chaine', 0, '', $conf->entity);
+
+	if (!empty($conf->projet->enabled)) {
+		if (GETPOST('PDF_SHOW_PROJECT_REF_OR_LABEL') == 'no') {
+			dolibarr_del_const($db, "PDF_SHOW_PROJECT", $conf->entity);
+			dolibarr_del_const($db, "PDF_SHOW_PROJECT_TITLE", $conf->entity);
+		} elseif (GETPOST('PDF_SHOW_PROJECT_REF_OR_LABEL') == 'showprojectref') {
+			dolibarr_set_const($db, "PDF_SHOW_PROJECT", GETPOST("PDF_SHOW_PROJECT_REF_OR_LABEL"), 'chaine', 0, '', $conf->entity);
+			dolibarr_del_const($db, "PDF_SHOW_PROJECT_TITLE", $conf->entity);
+		} elseif (GETPOST('PDF_SHOW_PROJECT_REF_OR_LABEL') == 'showprojectlabel') {
+			dolibarr_del_const($db, "PDF_SHOW_PROJECT", $conf->entity);
+			dolibarr_set_const($db, "PDF_SHOW_PROJECT_TITLE", GETPOST("PDF_SHOW_PROJECT_REF_OR_LABEL"), 'chaine', 0, '', $conf->entity);
+		}
+	}
+
 	dolibarr_set_const($db, "MAIN_GENERATE_DOCUMENTS_HIDE_DETAILS", GETPOST("MAIN_GENERATE_DOCUMENTS_HIDE_DETAILS"), 'chaine', 0, '', $conf->entity);
 	dolibarr_set_const($db, "MAIN_GENERATE_DOCUMENTS_HIDE_DESC", GETPOST("MAIN_GENERATE_DOCUMENTS_HIDE_DESC"), 'chaine', 0, '', $conf->entity);
 	dolibarr_set_const($db, "MAIN_GENERATE_DOCUMENTS_HIDE_REF", GETPOST("MAIN_GENERATE_DOCUMENTS_HIDE_REF"), 'chaine', 0, '', $conf->entity);
@@ -290,23 +304,15 @@ print '<tr class="oddeven"><td>'.$langs->trans("MAIN_DOCUMENTS_LOGO_HEIGHT").'</
 print '<input type="text" class="maxwidth50" name="MAIN_DOCUMENTS_LOGO_HEIGHT" value="'.(!empty($conf->global->MAIN_DOCUMENTS_LOGO_HEIGHT) ? $conf->global->MAIN_DOCUMENTS_LOGO_HEIGHT : 20).'">';
 print '</td></tr>';
 
-//Desc
+// Show project
 
-print '<tr class="oddeven"><td>'.$langs->trans("HideDescOnPDF").'</td><td>';
-print $form->selectyesno('MAIN_GENERATE_DOCUMENTS_HIDE_DESC', (!empty($conf->global->MAIN_GENERATE_DOCUMENTS_HIDE_DESC)) ? $conf->global->MAIN_GENERATE_DOCUMENTS_HIDE_DESC : 0, 1);
-print '</td></tr>';
-
-//Ref
-
-print '<tr class="oddeven"><td>'.$langs->trans("HideRefOnPDF").'</td><td>';
-print $form->selectyesno('MAIN_GENERATE_DOCUMENTS_HIDE_REF', (!empty($conf->global->MAIN_GENERATE_DOCUMENTS_HIDE_REF)) ? $conf->global->MAIN_GENERATE_DOCUMENTS_HIDE_REF : 0, 1);
-print '</td></tr>';
-
-//Details
-
-print '<tr class="oddeven"><td>'.$langs->trans("HideDetailsOnPDF").'</td><td>';
-print $form->selectyesno('MAIN_GENERATE_DOCUMENTS_HIDE_DETAILS', (!empty($conf->global->MAIN_GENERATE_DOCUMENTS_HIDE_DETAILS)) ? $conf->global->MAIN_GENERATE_DOCUMENTS_HIDE_DETAILS : 0, 1);
-print '</td></tr>';
+if (!empty($conf->projet->enabled)) {
+	print '<tr class="oddeven"><td>'.$langs->trans("PDF_SHOW_PROJECT").'</td><td>';
+	$tmparray = array('no' => 'No', 'showprojectref' => 'RefProject', 'showprojectlabel' => 'ShowProjectLabel');
+	$showprojectref = empty($conf->global->PDF_SHOW_PROJECT) ? (empty($conf->global->PDF_SHOW_PROJECT_TITLE) ? 'no' : 'showprojectlabel') : 'showprojectref';
+	print $form->selectarray('PDF_SHOW_PROJECT_REF_OR_LABEL', $tmparray, $showprojectref, 0, 0, 0, '', 1);
+	print '</td></tr>';
+}
 
 //Invert sender and recipient
 
@@ -320,10 +326,7 @@ print '<tr class="oddeven"><td>'.$langs->trans("PlaceCustomerAddressToIsoLocatio
 print $form->selectyesno('MAIN_PDF_USE_ISO_LOCATION', (!empty($conf->global->MAIN_PDF_USE_ISO_LOCATION)) ? $conf->global->MAIN_PDF_USE_ISO_LOCATION : 0, 1);
 print '</td></tr>';
 
-
-print '<tr class="oddeven"><td>'.$langs->trans("ShowDetailsInPDFPageFoot").'</td><td>';
-print $form->selectarray('MAIN_GENERATE_DOCUMENTS_SHOW_FOOT_DETAILS', $arraydetailsforpdffoot, (!empty($conf->global->MAIN_GENERATE_DOCUMENTS_SHOW_FOOT_DETAILS) ? $conf->global->MAIN_GENERATE_DOCUMENTS_SHOW_FOOT_DETAILS : 0));
-print '</td></tr>';
+// Use 2 languages into PDF
 
 print '<tr class="oddeven"><td>'.$langs->trans("PDF_USE_ALSO_LANGUAGE_CODE").'</td><td>';
 //if (! empty($conf->global->MAIN_MULTILANGS))
@@ -335,11 +338,36 @@ print $formadmin->select_language($selected, 'PDF_USE_ALSO_LANGUAGE_CODE', 0, nu
 //}
 print '</td></tr>';
 
+//Desc
+
+print '<tr class="oddeven"><td>'.$langs->trans("HideDescOnPDF").'</td><td>';
+print $form->selectyesno('MAIN_GENERATE_DOCUMENTS_HIDE_DESC', (!empty($conf->global->MAIN_GENERATE_DOCUMENTS_HIDE_DESC)) ? $conf->global->MAIN_GENERATE_DOCUMENTS_HIDE_DESC : 0, 1);
+print '</td></tr>';
+
+//Ref
+
+print '<tr class="oddeven"><td>'.$langs->trans("HideRefOnPDF").'</td><td>';
+print $form->selectyesno('MAIN_GENERATE_DOCUMENTS_HIDE_REF', (!empty($conf->global->MAIN_GENERATE_DOCUMENTS_HIDE_REF)) ? $conf->global->MAIN_GENERATE_DOCUMENTS_HIDE_REF : 0, 1);
+print '</td></tr>';
+
+//Details
+
+print '<tr class="oddeven"><td>'.$langs->trans("HideDetailsOnPDF").'</td><td>';
+print $form->selectyesno('MAIN_GENERATE_DOCUMENTS_HIDE_DETAILS', (!empty($conf->global->MAIN_GENERATE_DOCUMENTS_HIDE_DETAILS)) ? $conf->global->MAIN_GENERATE_DOCUMENTS_HIDE_DETAILS : 0, 1);
+print '</td></tr>';
+
 // SHOW_SUBPRODUCT_REF_IN_PDF - Option to show the detail of product ref for kits.
+
 print '<tr class="oddeven"><td>'.$langs->trans("SHOW_SUBPRODUCT_REF_IN_PDF", $langs->transnoentitiesnoconv("AssociatedProductsAbility"), $langs->transnoentitiesnoconv("Products")).'</td><td>';
 print $form->selectyesno('SHOW_SUBPRODUCT_REF_IN_PDF', (!empty($conf->global->SHOW_SUBPRODUCT_REF_IN_PDF)) ? $conf->global->SHOW_SUBPRODUCT_REF_IN_PDF : 0, 1);
 print '</td></tr>';
 
+// Show more details in footer
+
+print '<tr class="oddeven"><td>'.$langs->trans("ShowDetailsInPDFPageFoot").'</td><td>';
+print $form->selectarray('MAIN_GENERATE_DOCUMENTS_SHOW_FOOT_DETAILS', $arraydetailsforpdffoot, (!empty($conf->global->MAIN_GENERATE_DOCUMENTS_SHOW_FOOT_DETAILS) ? $conf->global->MAIN_GENERATE_DOCUMENTS_SHOW_FOOT_DETAILS : 0));
+print '</td></tr>';
+
 print '</table>';
 print '</div>';
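Review bot: The new `PDF_SHOW_PROJECT_REF_OR_LABEL` handling in the `update` action calls `GETPOST('PDF_SHOW_PROJECT_REF_OR_LABEL')` four times with no explicit filter; read it once as `$showproject = GETPOST('PDF_SHOW_PROJECT_REF_OR_LABEL', 'alpha');` and compare that local, which also means the value stored into `PDF_SHOW_PROJECT` / `PDF_SHOW_PROJECT_TITLE` is the filtered one. Note that the constants end up holding the select key (`showprojectref` / `showprojectlabel`) rather than a boolean; the read-back below only tests `empty()`, so that works here, but any PDF generator that tests for `== 1` would not see it — worth confirming against the consumers, which are outside this section. The `if ($action == 'update')` block starts before the first hunk.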
 

+ 2 - 2
htdocs/admin/perms.php

@@ -159,8 +159,8 @@ if ($result) {
 				// TODO Define familyposition
 				$family = (!empty($modules[$obj->module]->family_position) ? $modules[$obj->module]->family_position : '');
 				$familyposition = 0;
-				$sqlupdate = 'UPDATE '.MAIN_DB_PREFIX."rights_def SET module_position = ".$modules[$obj->module]->module_position.",";
-				$sqlupdate .= " family_position = ".$familyposition;
+				$sqlupdate = 'UPDATE '.MAIN_DB_PREFIX."rights_def SET module_position = ".((int) $modules[$obj->module]->module_position).",";
+				$sqlupdate .= " family_position = ".((int) $familyposition);
 				$sqlupdate .= " WHERE module_position = 0 AND module = '".$db->escape($obj->module)."'";
 				$db->query($sqlupdate);
 			}

+ 1 - 1
htdocs/admin/sms.php

@@ -156,7 +156,7 @@ asort($listofmethods);
 
 if (!count($listofmethods)) {
 	$descnosms = $langs->trans("NoSmsEngine", '{Dolistore}');
-	$descnosms = str_replace('{Dolistore}', '<a href="http://www.dolistore.com/search.php?orderby=position&orderway=desc&search_query=smsmanager">DoliStore</a>', $descnosms);
+	$descnosms = str_replace('{Dolistore}', '<a href="https://www.dolistore.com/search.php?orderby=position&orderway=desc&search_query=smsmanager">DoliStore</a>', $descnosms);
 	print '<div class="warning">'.$descnosms.'</div>';
 }
 

+ 11 - 0
htdocs/admin/stock.php

@@ -673,6 +673,17 @@ if (!empty($conf->global->MAIN_DEFAULT_WAREHOUSE_USER)) {
 	print "</td>\n";
 	print "</tr>\n";
 }
+
+print '<tr class="oddeven">';
+print '<td>'.$langs->trans("WarehouseAskWarehouseOnThirparty").'</td>';
+print '<td class="right">';
+if ($conf->use_javascript_ajax) {
+	print ajax_constantonoff('SOCIETE_ASK_FOR_WAREHOUSE');
+} else {
+	$arrval = array('0' => $langs->trans("No"), '1' => $langs->trans("Yes"));
+	print $form->selectarray("SOCIETE_ASK_FOR_WAREHOUSE", $arrval, $conf->global->SOCIETE_ASK_FOR_WAREHOUSE);
+}
+
 print '<tr class="oddeven">';
 print '<td>'.$langs->trans("WarehouseAskWarehouseDuringPropal").'</td>';
 print '<td class="right">';
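Review bot: The new `WarehouseAskWarehouseOnThirparty` row is never closed: after the `if ($conf->use_javascript_ajax) ... else ...` the code falls straight into the next `print '<tr class="oddeven">'`, so the `<td class="right">` and `<tr>` stay open and the table markup is broken for this row. Add `print "</td>\n"; print "</tr>\n";` after the `}` of the else branch, mirroring the row just above it. In the non-JS branch `$conf->global->SOCIETE_ASK_FOR_WAREHOUSE` is read without a guard, so a fresh install will emit a notice until the constant exists; `(empty($conf->global->SOCIETE_ASK_FOR_WAREHOUSE) ? 0 : 1)` avoids it.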

+ 1 - 1
htdocs/admin/translation.php

@@ -168,7 +168,7 @@ if ($action == 'add') {
 
 // Delete line from delete picto
 if ($action == 'delete') {
-	$sql = "DELETE FROM ".MAIN_DB_PREFIX."overwrite_trans WHERE rowid = ".$db->escape($id);
+	$sql = "DELETE FROM ".MAIN_DB_PREFIX."overwrite_trans WHERE rowid = ".((int) $id);
 	$result = $db->query($sql);
 	if ($result >= 0) {
 		setEventMessages($langs->trans("RecordDeleted"), null, 'mesgs');
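Review bot: The success test on the line after the changed DELETE, `if ($result >= 0)`, cannot detect a failed query: `$db->query()` returns `false` on error (the other hunks in this commit test its result with a plain `if ($resql)`), and `false >= 0` is true in PHP, so "RecordDeleted" is reported even when nothing was deleted. Use `if ($result) {` and put the error branch on `$db->lasterror()`. The `(int)` cast on `rowid` is the right replacement for `$db->escape()`, which does not quote and so never protected a numeric comparison. The `if ($action == 'delete')` block continues after this hunk.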

+ 0 - 2
htdocs/api/class/api.class.php

@@ -237,8 +237,6 @@ class DolibarrApi
 
 	// phpcs:disable PEAR.NamingConventions.ValidFunctionName.PublicUnderscore
 	/**
-	 * Check user access to a resource
-	 *
 	 * Check access by user to a given resource
 	 *
 	 * @param string	$resource		element to check

+ 11 - 11
htdocs/api/class/api_setup.class.php

@@ -73,7 +73,7 @@ class Setup extends DolibarrApi
 
 		$sql = "SELECT rowid, code, libelle as label, module";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_input_method as t";
-		$sql .= " WHERE t.active = ".$active;
+		$sql .= " WHERE t.active = ".((int) $active);
 		// Add sql filters
 		if ($sqlfilters) {
 			if (!DolibarrApi::_checkFilters($sqlfilters)) {
@@ -136,7 +136,7 @@ class Setup extends DolibarrApi
 
 		$sql = "SELECT rowid, code, label, module";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_input_reason as t";
-		$sql .= " WHERE t.active = ".$active;
+		$sql .= " WHERE t.active = ".((int) $active);
 		// Add sql filters
 		if ($sqlfilters) {
 			if (!DolibarrApi::_checkFilters($sqlfilters)) {
@@ -539,7 +539,7 @@ class Setup extends DolibarrApi
 
 		$sql = "SELECT rowid, code, label";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_availability as t";
-		$sql .= " WHERE t.active = ".$active;
+		$sql .= " WHERE t.active = ".((int) $active);
 		// Add sql filters
 		if ($sqlfilters) {
 			if (!DolibarrApi::_checkFilters($sqlfilters)) {
@@ -648,7 +648,7 @@ class Setup extends DolibarrApi
 
 		$sql = "SELECT id, code, type, libelle as label, module";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_actioncomm as t";
-		$sql .= " WHERE t.active = ".$active;
+		$sql .= " WHERE t.active = ".((int) $active);
 		if ($type) {
 			$sql .= " AND t.type LIKE '%".$this->db->escape($type)."%'";
 		}
@@ -714,7 +714,7 @@ class Setup extends DolibarrApi
 
 		$sql = "SELECT id, code, label, accountancy_code, active, module, position";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_type_fees as t";
-		$sql .= " WHERE t.active = ".$active;
+		$sql .= " WHERE t.active = ".((int) $active);
 		if ($module) {
 			$sql .= " AND t.module LIKE '%".$this->db->escape($module)."%'";
 		}
@@ -778,7 +778,7 @@ class Setup extends DolibarrApi
 
 		$sql = "SELECT rowid, code, element as type, libelle as label, source, module, position";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_type_contact as t";
-		$sql .= " WHERE t.active = ".$active;
+		$sql .= " WHERE t.active = ".((int) $active);
 		if ($type) {
 			$sql .= " AND type LIKE '%".$this->db->escape($type)."%'";
 		}
@@ -843,7 +843,7 @@ class Setup extends DolibarrApi
 
 		$sql = "SELECT rowid, code, label, module";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_civility as t";
-		$sql .= " WHERE t.active = ".$active;
+		$sql .= " WHERE t.active = ".((int) $active);
 		if ($module) {
 			$sql .= " AND t.module LIKE '%".$this->db->escape($module)."%'";
 		}
@@ -911,7 +911,7 @@ class Setup extends DolibarrApi
 			$sql .= " JOIN ".MAIN_DB_PREFIX."multicurrency as m ON m.code=t.code_iso";
 			$sql .= " JOIN ".MAIN_DB_PREFIX."multicurrency_rate as cr ON (m.rowid = cr.fk_multicurrency)";
 		}
-		$sql .= " WHERE t.active = ".$active;
+		$sql .= " WHERE t.active = ".((int) $active);
 		if (!empty($multicurrency)) {
 			$sql .= " AND m.entity IN (".getEntity('multicurrency').")";
 			if (!empty($multicurrency) && $multicurrency != 2) {
@@ -1242,7 +1242,7 @@ class Setup extends DolibarrApi
 		//TODO link with multicurrency module
 		$sql = "SELECT t.rowid, t.code, t.label,t.short_label, t.active, t.scale, t.unit_type";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_units as t";
-		$sql .= " WHERE t.active = ".$active;
+		$sql .= " WHERE t.active = ".((int) $active);
 		// Add sql filters
 		if ($sqlfilters) {
 			if (!DolibarrApi::_checkFilters($sqlfilters)) {
@@ -1365,7 +1365,7 @@ class Setup extends DolibarrApi
 
 		$sql = "SELECT rowid, code, pos,  label, use_default, description";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_ticket_category as t";
-		$sql .= " WHERE t.active = ".$active;
+		$sql .= " WHERE t.active = ".((int) $active);
 		// Add sql filters
 		if ($sqlfilters) {
 			if (!DolibarrApi::_checkFilters($sqlfilters)) {
@@ -1423,7 +1423,7 @@ class Setup extends DolibarrApi
 
 		$sql = "SELECT rowid, code, pos,  label, use_default, color, description";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_ticket_severity as t";
-		$sql .= " WHERE t.active = ".$active;
+		$sql .= " WHERE t.active = ".((int) $active);
 		// Add sql filters
 		if ($sqlfilters) {
 			if (!DolibarrApi::_checkFilters($sqlfilters)) {
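Review bot: The `((int) $active)` casts across these endpoints silently turn any non-numeric `active` query parameter into `0`, so a client that sends `active=true` or a typo now gets only the inactive dictionary rows instead of an error. For a REST API that is a behaviour change worth making explicit: validate `$active` against `0`/`1` at the top of each method and reject anything else with the 400-style exception these endpoints already use for bad filters, then keep the cast as defence in depth. Each method body starts before its hunk, so the right place for the check is not visible here.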

+ 1 - 1
htdocs/asset/class/asset_type.class.php

@@ -238,7 +238,7 @@ class AssetType extends CommonObject
 		$error = 0;
 
 		$sql = "DELETE FROM ".MAIN_DB_PREFIX."asset_type";
-		$sql .= " WHERE rowid = ".$this->id;
+		$sql .= " WHERE rowid = ".((int) $this->id);
 
 		$resql = $this->db->query($sql);
 		if ($resql) {

+ 2 - 2
htdocs/bom/bom_note.php

@@ -79,8 +79,8 @@ include DOL_DOCUMENT_ROOT.'/core/actions_setnotes.inc.php'; // Must be include,
 
 $form = new Form($db);
 
-//$help_url='EN:Customers_Orders|FR:Commandes_Clients|ES:Pedidos de clientes';
-$help_url = '';
+$help_url = 'EN:Module_BOM';
+
 llxHeader('', $langs->trans('BillOfMaterials'), $help_url);
 
 if ($id > 0 || !empty($ref)) {

+ 1 - 0
htdocs/bom/tpl/index.html

@@ -0,0 +1 @@
+

+ 1 - 1
htdocs/cashdesk/affContenu.php

@@ -26,7 +26,7 @@
 require_once 'class/Facturation.class.php';
 
 // Si nouvelle vente, reinitialisation des donnees (destruction de l'objet et vidage de la table contenant la liste des articles)
-if ($_GET['id'] == 'NOUV') {
+if (GETPOST('id', 'int') == 'NOUV') {
 	unset($_SESSION['serObjFacturation']);
 	unset($_SESSION['poscart']);
 }
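Review bot: The new condition `GETPOST('id', 'int') == 'NOUV'` can never behave as intended, because the `'int'` filter reduces a non-numeric value like `NOUV` to an integer before the comparison; on PHP 8 the test is then always false, so a new sale no longer clears `serObjFacturation` and `poscart` from the session, and on PHP 7 `0 == 'NOUV'` is true for any non-numeric id. Compare a string-filtered value instead: `if (GETPOST('id', 'alpha') == 'NOUV') {`.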

+ 14 - 14
htdocs/cashdesk/facturation_verif.php

@@ -1,7 +1,7 @@
 <?php
 /* Copyright (C) 2007-2008 Jeremie Ollivier    <jeremie.o@laposte.net>
  * Copyright (C) 2008-2010 Laurent Destailleur <eldy@uers.sourceforge.net>
- * Copyright (C) 2018		Juanjo Menent <jmenent@2byte.es>
+ * Copyright (C) 2018      Juanjo Menent       <jmenent@2byte.es>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -45,14 +45,14 @@ if (empty($user->rights->cashdesk->run)) {
 
 switch ($action) {
 	default:
-		if ($_POST['hdnSource'] != 'NULL') {
+		if (GETPOST('hdnSource') != 'NULL') {
 			$sql = "SELECT p.rowid, p.ref, p.price, p.tva_tx, p.default_vat_code, p.recuperableonly";
 			if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) {
 				$sql .= ", ps.reel";
 			}
 			$sql .= " FROM ".MAIN_DB_PREFIX."product as p";
 			if (!empty($conf->stock->enabled) && !empty($conf_fkentrepot)) {
-				$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = ".$conf_fkentrepot;
+				$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_stock as ps ON p.rowid = ps.fk_product AND ps.fk_entrepot = ".((int) $conf_fkentrepot);
 			}
 			$sql .= " WHERE p.entity IN (".getEntity('product').")";
 
@@ -164,18 +164,18 @@ switch ($action) {
 					$obj_facturation->vatrate = $vatrate; // Save vat rate (full text vat with code)
 
 					// Definition du filtre pour n'afficher que le produit concerne
-					if ($_POST['hdnSource'] == 'LISTE') {
+					if (GETPOST('hdnSource') == 'LISTE') {
 						$filtre = $ret['ref'];
-					} elseif ($_POST['hdnSource'] == 'REF') {
-						$filtre = $_POST['txtRef'];
+					} elseif (GETPOST('hdnSource') == 'REF') {
+						$filtre = GETPOST('txtRef');
 					}
 
-					$redirection = DOL_URL_ROOT.'/cashdesk/affIndex.php?menutpl=facturation&filtre='.$filtre;
+					$redirection = DOL_URL_ROOT.'/cashdesk/affIndex.php?menutpl=facturation&filtre='.urlencode($filtre);
 				} else {
 					$obj_facturation->raz();
 
-					if ($_POST['hdnSource'] == 'REF') {
-						$redirection = DOL_URL_ROOT.'/cashdesk/affIndex.php?menutpl=facturation&filtre='.$_POST['txtRef'];
+					if (GETPOST('hdnSource') == 'REF') {
+						$redirection = DOL_URL_ROOT.'/cashdesk/affIndex.php?menutpl=facturation&filtre='.urlencode(GETPOST('txtRef'));
 					} else {
 						$redirection = DOL_URL_ROOT.'/cashdesk/affIndex.php?menutpl=facturation';
 					}
@@ -200,10 +200,10 @@ switch ($action) {
 
 	case 'ajout_article':
 		if (!empty($obj_facturation->id)) {	// A product was previously selected and stored in session, so we can add it
-			dol_syslog("facturation_verif save vat ".$_POST['selTva']);
-			$obj_facturation->qte($_POST['txtQte']);
-			$obj_facturation->tva($_POST['selTva']); // id of vat. Saved so we can use it for next product
-			$obj_facturation->remisePercent($_POST['txtRemise']);
+			dol_syslog("facturation_verif save vat ".GETPOST('selTva'));
+			$obj_facturation->qte(GETPOST('txtQte'));
+			$obj_facturation->tva(GETPOST('selTva')); // id of vat. Saved so we can use it for next product
+			$obj_facturation->remisePercent(GETPOST('txtRemise'));
 			$obj_facturation->ajoutArticle(); // This add an entry into $_SESSION['poscart']
 			// We update prixTotalTtc
 		}
@@ -212,7 +212,7 @@ switch ($action) {
 		break;
 
 	case 'suppr_article':
-		$obj_facturation->supprArticle($_GET['suppr_id']);
+		$obj_facturation->supprArticle(GETPOST('suppr_id'));
 
 		$redirection = DOL_URL_ROOT.'/cashdesk/affIndex.php?menutpl=facturation';
 		break;
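Review bot: In the `suppr_article` case the cart line index is now read with `GETPOST('suppr_id')` and handed to `supprArticle()` with no type filter; since it selects an entry of the session cart by position it should be `GETPOST('suppr_id', 'int')`. The `ajout_article` case likewise passes `txtQte`, `selTva` and `txtRemise` straight through; quantity and discount may legitimately be decimals, so `'alpha'` is the appropriate filter there, with numeric validation left to the Facturation methods. The `urlencode($filtre)` on the redirect URLs is a good fix for the header injection / broken-URL case. The `switch ($action)` starts before the first hunk.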

+ 1 - 1
htdocs/cashdesk/validation_verif.php

@@ -165,7 +165,7 @@ switch ($action) {
 		if (empty($cond_reglement_id)) {
 			$cond_reglement_id = 0; // If cond_reglement_id not found
 		}
-		$note .= $_POST['txtaNotes'];
+		$note .= GETPOST('txtaNotes', 'alphanohtml');
 		dol_syslog("obj_facturation->getSetPaymentMode()=".$obj_facturation->getSetPaymentMode()." mode_reglement_id=".$mode_reglement_id." cond_reglement_id=".$cond_reglement_id);
 
 		$error = 0;

+ 2 - 2
htdocs/categories/class/categorie.class.php

@@ -604,7 +604,7 @@ class Categorie extends CommonObject
 		/* FIX #1317 : Check for child category and move up 1 level*/
 		if (!$error) {
 			$sql = "UPDATE ".MAIN_DB_PREFIX."categorie";
-			$sql .= " SET fk_parent = ".$this->fk_parent;
+			$sql .= " SET fk_parent = ".((int) $this->fk_parent);
 			$sql .= " WHERE fk_parent = ".$this->id;
 
 			if (!$this->db->query($sql)) {
@@ -869,7 +869,7 @@ class Categorie extends CommonObject
 	public function containsObject($type, $object_id)
 	{
 		$sql = "SELECT COUNT(*) as nb FROM ".MAIN_DB_PREFIX."categorie_".(empty($this->MAP_CAT_TABLE[$type]) ? $type : $this->MAP_CAT_TABLE[$type]);
-		$sql .= " WHERE fk_categorie = ".$this->id." AND fk_".(empty($this->MAP_CAT_FK[$type]) ? $type : $this->MAP_CAT_FK[$type])." = ".$object_id;
+		$sql .= " WHERE fk_categorie = ".$this->id." AND fk_".(empty($this->MAP_CAT_FK[$type]) ? $type : $this->MAP_CAT_FK[$type])." = ".((int) $object_id);
 		dol_syslog(get_class($this)."::containsObject", LOG_DEBUG);
 		$resql = $this->db->query($sql);
 		if ($resql) {
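Review bot: Only half of each statement was hardened: `fk_parent` and `$object_id` get the `(int)` cast, but `$this->id` is still interpolated raw into `" WHERE fk_parent = ".$this->id` in the first hunk and into `" WHERE fk_categorie = ".$this->id." AND fk_..."` in `containsObject()`. Both should read `((int) $this->id)` so the two queries are consistently safe regardless of how the object was populated. The first hunk sits inside a delete method that begins before the section; `containsObject()` is fully visible apart from its closing lines.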

+ 6 - 5
htdocs/comm/action/card.php

@@ -80,16 +80,12 @@ $id = GETPOST('id', 'int');
 if ($user->socid) {
 	$socid = $user->socid;
 }
-$result = restrictedArea($user, 'agenda', $id, 'actioncomm&societe', 'myactions|allactions', 'fk_soc', 'id');
-if ($user->socid && $socid) {
-	$result = restrictedArea($user, 'societe', $socid);
-}
 
 $error = GETPOST("error");
 $donotclearsession = GETPOST('donotclearsession') ?GETPOST('donotclearsession') : 0;
 
-$cactioncomm = new CActionComm($db);
 $object = new ActionComm($db);
+$cactioncomm = new CActionComm($db);
 $contact = new Contact($db);
 $extrafields = new ExtraFields($db);
 $formfile = new FormFile($db);
@@ -132,6 +128,11 @@ if (!empty($conf->global->AGENDA_REMINDER_EMAIL)) {
 
 $TDurationTypes = array('y'=>$langs->trans('Years'), 'm'=>$langs->trans('Month'), 'w'=>$langs->trans('Weeks'), 'd'=>$langs->trans('Days'), 'h'=>$langs->trans('Hours'), 'i'=>$langs->trans('Minutes'));
 
+$result = restrictedArea($user, 'agenda', $object->id, 'actioncomm&societe', 'myactions|allactions', 'fk_soc', 'id');
+if ($user->socid && $socid) {
+	$result = restrictedArea($user, 'societe', $socid);
+}
+
 
 /*
  * Actions
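Review bot: `restrictedArea()` now receives `$object->id` instead of the request `$id`, but nothing in the hunk loads the object between `new ActionComm($db)` and the new call; if `$object->fetch($id)` only happens later (outside the hunk), `$object->id` is empty at this point and the per-record check through `'fk_soc'`/`'id'` is skipped, leaving the page gated by the module permission alone. Either keep passing `$id`, as comm/action/document.php does in this same commit, or move the call below the fetch so the id being checked is the record actually displayed.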

+ 3 - 3
htdocs/comm/action/class/actioncomm.class.php

@@ -407,7 +407,7 @@ class ActionComm extends CommonObject
 		// Check parameters
 		if (!isset($this->userownerid) || $this->userownerid === '') {	// $this->userownerid may be 0 (anonymous event) of > 0
 			dol_syslog("You tried to create an event but mandatory property ownerid was not defined", LOG_WARNING);
-			$this->errors[] = 'ErrorPropertyUserowneridNotDefined';
+			$this->errors[] = 'ErrorActionCommPropertyUserowneridNotDefined';
 			return -1;
 		}
 
@@ -478,7 +478,7 @@ class ActionComm extends CommonObject
 				$this->type_id = $cactioncomm->id;
 				$this->type_code = $cactioncomm->code;
 			} elseif ($result == 0) {
-				$this->error = 'Failed to get record with id '.$this->type_id.' code '.$this->type_code.' from dictionary "type of events"';
+				$this->error = $langs->trans('ErrorActionCommBadType', $this->type_id, $this->type_code);
 				return -1;
 			} else {
 				$this->error = $cactioncomm->error;
@@ -1367,7 +1367,7 @@ class ActionComm extends CommonObject
 		$sql .= ' fk_user_author,';
 		$sql .= ' fk_user_mod';
 		$sql .= ' FROM '.MAIN_DB_PREFIX.'actioncomm as a';
-		$sql .= ' WHERE a.id = '.$id;
+		$sql .= ' WHERE a.id = '.((int) $id);
 
 		dol_syslog(get_class($this)."::info", LOG_DEBUG);
 		$result = $this->db->query($sql);
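Review bot: The new `$this->error = $langs->trans('ErrorActionCommBadType', $this->type_id, $this->type_code);` in the second hunk relies on `$langs` being in scope inside a class method; the method start is outside the hunk, so if it does not declare `global $langs;` this line fails with a call on null instead of returning -1 as the branch intends. Worth confirming at the top of the method and, if missing, adding `global $langs;` there.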

+ 7 - 1
htdocs/comm/action/document.php

@@ -54,7 +54,6 @@ if ($user->socid > 0) {
 	unset($_GET["action"]);
 	$action = '';
 }
-$result = restrictedArea($user, 'agenda', $id, 'actioncomm&societe', 'myactions|allactions', 'fk_soc', 'id');
 
 $object = new ActionComm($db);
 
@@ -84,10 +83,16 @@ if (!$sortfield) {
 $upload_dir = $conf->agenda->dir_output.'/'.dol_sanitizeFileName($object->ref);
 $modulepart = 'actions';
 
+$result = restrictedArea($user, 'agenda', $id, 'actioncomm&societe', 'myactions|allactions', 'fk_soc', 'id');
+if ($user->socid && $socid) {
+	$result = restrictedArea($user, 'societe', $socid);
+}
+
 
 /*
  * Actions
  */
+
 include DOL_DOCUMENT_ROOT.'/core/actions_linkedfiles.inc.php';
 
 
@@ -98,6 +103,7 @@ include DOL_DOCUMENT_ROOT.'/core/actions_linkedfiles.inc.php';
 $form = new Form($db);
 
 $help_url = 'EN:Module_Agenda_En|FR:Module_Agenda|ES:M&omodulodulo_Agenda';
+
 llxHeader('', $langs->trans("Agenda"), $help_url);
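Review bot: The relocated `restrictedArea()` call still passes the request `$id`, yet it now runs after `$upload_dir` has been derived from `$object->ref`, i.e. after the action record has presumably been loaded, so a user without rights triggers the fetch (and any error display for a bad id) before being refused; comm/action/list.php, pertype.php and peruser.php move their checks past the hook/extrafields setup in the same way. Since this call needs only `$id` and `$user`, it gains nothing from the move and could stay where the removed line was. Separately, `$socid` in the added `if ($user->socid && $socid)` is not assigned anywhere visible in this file's hunks; if the file never sets it, the `societe` branch is dead code.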
 
 

+ 5 - 1
htdocs/comm/action/index.php

@@ -79,7 +79,6 @@ $socid = GETPOST("search_socid", "int") ?GETPOST("search_socid", "int") : GETPOS
 if ($user->socid) {
 	$socid = $user->socid;
 }
-$result = restrictedArea($user, 'agenda', 0, '', 'myactions');
 if ($socid < 0) {
 	$socid = '';
 }
@@ -155,6 +154,11 @@ $langs->loadLangs(array('agenda', 'other', 'commercial'));
 // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
 $hookmanager->initHooks(array('agenda'));
 
+$result = restrictedArea($user, 'agenda', 0, 'actioncomm&societe', 'myactions|allactions', 'fk_soc', 'id');
+if ($user->socid && $socid) {
+	$result = restrictedArea($user, 'societe', $socid);
+}
+
 
 /*
  * Actions
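Review bot: The re-added `restrictedArea($user, 'agenda', 0, 'actioncomm&societe', 'myactions|allactions', 'fk_soc', 'id')` uses a different feature2 string than its sibling views comm/action/list.php, pertype.php and peruser.php, which this same commit re-adds with `'', 'myactions'`; if `'myactions|allactions'` is evaluated as either permission sufficing, the overview is gated differently from the list. With an objectid of 0 the `'fk_soc'`/`'id'` arguments cannot be applied to any record, so either align this call with the others (`restrictedArea($user, 'agenda', 0, '', 'myactions');`) or leave a comment explaining why the overview needs a distinct rule.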

+ 3 - 0
htdocs/comm/action/info.php

@@ -45,6 +45,9 @@ if ($user->socid > 0) {
 }
 
 $result = restrictedArea($user, 'agenda', $id, 'actioncomm&societe', 'myactions|allactions', 'fk_soc', 'id');
+if ($user->socid && $socid) {
+	$result = restrictedArea($user, 'societe', $socid);
+}
 
 
 /*

+ 5 - 2
htdocs/comm/action/list.php

@@ -128,7 +128,6 @@ $socid = GETPOST("search_socid", 'int') ?GETPOST("search_socid", 'int') : GETPOS
 if ($user->socid) {
 	$socid = $user->socid;
 }
-$result = restrictedArea($user, 'agenda', 0, '', 'myactions');
 if ($socid < 0) {
 	$socid = '';
 }
@@ -165,7 +164,11 @@ include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_array_fields.tpl.php';
 $object->fields = dol_sort_array($object->fields, 'position');
 $arrayfields = dol_sort_array($arrayfields, 'position');
 
-//var_dump($_POST);exit;
+$result = restrictedArea($user, 'agenda', 0, '', 'myactions');
+if ($user->socid && $socid) {
+	$result = restrictedArea($user, 'societe', $socid);
+}
+
 
 /*
  *	Actions

+ 5 - 1
htdocs/comm/action/pertype.php

@@ -75,7 +75,6 @@ $socid = GETPOST("search_socid", "int") ?GETPOST("search_socid", "int") : GETPOS
 if ($user->socid) {
 	$socid = $user->socid;
 }
-$result = restrictedArea($user, 'agenda', 0, '', 'myactions');
 if ($socid < 0) {
 	$socid = '';
 }
@@ -170,6 +169,11 @@ $langs->loadLangs(array('users', 'agenda', 'other', 'commercial'));
 // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
 $hookmanager->initHooks(array('agenda'));
 
+$result = restrictedArea($user, 'agenda', 0, '', 'myactions');
+if ($user->socid && $socid) {
+	$result = restrictedArea($user, 'societe', $socid);
+}
+
 
 /*
  * Actions

+ 5 - 2
htdocs/comm/action/peruser.php

@@ -71,12 +71,10 @@ if (!$sortfield) {
 	$sortfield = "a.datec";
 }
 
-// Security check
 $socid = GETPOST("search_socid", "int") ?GETPOST("search_socid", "int") : GETPOST("socid", "int");
 if ($user->socid) {
 	$socid = $user->socid;
 }
-$result = restrictedArea($user, 'agenda', 0, '', 'myactions');
 if ($socid < 0) {
 	$socid = '';
 }
@@ -177,6 +175,11 @@ $langs->loadLangs(array('users', 'agenda', 'other', 'commercial'));
 // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
 $hookmanager->initHooks(array('agenda'));
 
+$result = restrictedArea($user, 'agenda', 0, '', 'myactions');
+if ($user->socid && $socid) {
+	$result = restrictedArea($user, 'societe', $socid);
+}
+
 
 /*
  * Actions

+ 4 - 1
htdocs/comm/action/rapport/index.php

@@ -59,7 +59,10 @@ $socid = GETPOST('socid', 'int');
 if ($user->socid) {
 	$socid = $user->socid;
 }
-$result = restrictedArea($user, 'agenda', $socid, '', 'myactions');
+$result = restrictedArea($user, 'agenda', 0, '', 'myactions');
+if ($user->socid && $socid) {
+	$result = restrictedArea($user, 'societe', $socid);
+}
 
 
 /*

+ 0 - 5
htdocs/comm/admin/propaldet_extrafields.php

@@ -31,11 +31,6 @@ require '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/propal.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/core/class/extrafields.class.php';
 
-
-if (!$user->admin) {
-	accessforbidden();
-}
-
 // Load translation files required by the page
 $langs->loadlangs(array('admin', 'other', 'propal'));
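Review bot: The `if (!$user->admin) { accessforbidden(); }` guard is deleted and nothing replaces it in this section (0 additions, 5 deletions), so unless `propal.lib.php` or another include beyond the hunk performs an equivalent check, this extrafields configuration page becomes reachable by any authenticated user. If the gate now lives in a shared include, a one-line comment at the removal point (`// Admin access is enforced in <included file>`) would stop the next reader from re-adding it; otherwise the three lines should be restored.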
 

+ 13 - 16
htdocs/comm/card.php

@@ -88,15 +88,10 @@ if (!empty($conf->notification->enabled)) {
 	$langs->load("mails");
 }
 
-// Security check
-$id = (GETPOST('socid', 'int') ? GETPOST('socid', 'int') : GETPOST('id', 'int'));
-if ($user->socid > 0) {
-	$id = $user->socid;
-}
-$result = restrictedArea($user, 'societe', $id, '&societe');
-
 $action = GETPOST('action', 'aZ09');
 
+$id = (GETPOST('socid', 'int') ? GETPOST('socid', 'int') : GETPOST('id', 'int'));
+
 $limit = GETPOST('limit', 'int') ? GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST("sortfield", 'alpha');
 $sortorder = GETPOST("sortorder", 'alpha');
@@ -124,15 +119,6 @@ $extrafields->fetch_name_optionals_label($object->table_element);
 // Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
 $hookmanager->initHooks(array('thirdpartycomm', 'globalcard'));
 
-// Security check
-$result = restrictedArea($user, 'societe', $id, '&societe', '', 'fk_soc', 'rowid', 0);
-
-if ($object->id > 0) {
-	if (!($object->client > 0) || empty($user->rights->societe->lire)) {
-		accessforbidden();
-	}
-}
-
 $now = dol_now();
 
 if ($id > 0 && empty($object->id)) {
@@ -142,6 +128,17 @@ if ($id > 0 && empty($object->id)) {
 		dol_print_error($db, $object->error, $object->errors);
 	}
 }
+if ($object->id > 0) {
+	if (!($object->client > 0) || empty($user->rights->societe->lire)) {
+		accessforbidden();
+	}
+}
+
+// Security check
+if ($user->socid > 0) {
+	$id = $user->socid;
+}
+$result = restrictedArea($user, 'societe', $object->id, '&societe', '', 'fk_soc', 'rowid', 0);
 
 
 /*

+ 1 - 0
htdocs/comm/contact.php

@@ -54,6 +54,7 @@ $begin = GETPOST('begin', 'alpha');
 // Security check
 $socid = GETPOST('socid', 'int');
 if ($user->socid) {
+	$action = '';
 	$socid = $user->socid;
 }
 $result = restrictedArea($user, 'societe', $socid, '');

+ 11 - 4
htdocs/comm/index.php

@@ -29,10 +29,6 @@
 
 require '../main.inc.php';
 
-if (!$user->rights->societe->lire) {
-	accessforbidden();
-}
-
 require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/agenda.lib.php';
 require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php';
@@ -63,10 +59,21 @@ if (isset($user->socid) && $user->socid > 0) {
 $max = $conf->global->MAIN_SIZE_SHORTLIST_LIMIT;
 $now = dol_now();
 
+// Security check
+$socid = GETPOST("socid", 'int');
+if ($user->socid > 0) {
+	$action = '';
+	$id = $user->socid;
+}
+restrictedArea($user, 'societe', $id, '&societe', '', 'fk_soc', 'rowid', 0);
+
+
 /*
  * Actions
  */
 
+// None
+
 
 /*
  * View
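Review bot: `$socid = GETPOST("socid", 'int');` in the new security block is never used: the branch assigns `$id = $user->socid;` and `restrictedArea()` is handed `$id`, which for internal users is whatever the file set earlier or nothing at all. Either pass the value you read — `$socid = $user->socid;` in the branch and `restrictedArea($user, 'societe', $socid, '&societe', '', 'fk_soc', 'rowid', 0);` — or drop the unused read; comm/multiprix.php adds the same `$socid`/`$id` mix-up in this commit.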

+ 6 - 5
htdocs/comm/mailing/advtargetemailing.php

@@ -42,11 +42,6 @@ if (!empty($conf->categorie->enabled)) {
 	$langs->load("categories");
 }
 
-// Security check
-if (!$user->rights->mailing->lire || $user->socid > 0) {
-	accessforbidden();
-}
-
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST('sortfield', 'aZ09comma');
@@ -99,6 +94,12 @@ if ($result < 0) {
 	}
 }
 
+// Security check
+if (!$user->rights->mailing->lire || (empty($conf->global->EXTERNAL_USERS_ARE_AUTHORIZED) && $user->socid > 0)) {
+	accessforbidden();
+}
+//$result = restrictedArea($user, 'mailing');
+
 
 /*
  * Actions
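Review bot: The re-added check in the second hunk is a bare `accessforbidden()` with the `restrictedArea()` call left commented out (`//$result = restrictedArea($user, 'mailing');`), and the identical block is pasted into comm/mailing/card.php, cibles.php, info.php and list.php. The commented-out line should go, and because the condition now carries the `EXTERNAL_USERS_ARE_AUTHORIZED` exception it would be safer as one shared helper so the five copies cannot drift apart. Note also that the check now runs after the `if ($result < 0)` block, i.e. after whatever that code fetched, so an unauthorized user can trigger that load before being refused.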

+ 5 - 5
htdocs/comm/mailing/card.php

@@ -40,10 +40,6 @@ require_once DOL_DOCUMENT_ROOT.'/core/class/extrafields.class.php';
 // Load translation files required by the page
 $langs->load("mails");
 
-if (!$user->rights->mailing->lire || (empty($conf->global->EXTERNAL_USERS_ARE_AUTHORIZED) && $user->socid > 0)) {
-	accessforbidden();
-}
-
 $id = (GETPOST('mailid', 'int') ? GETPOST('mailid', 'int') : GETPOST('id', 'int'));
 $action = GETPOST('action', 'aZ09');
 $cancel = GETPOST('cancel');
@@ -80,6 +76,10 @@ $listofmethods = array();
 $listofmethods['mail'] = 'PHP mail function';
 $listofmethods['smtps'] = 'SMTP/SMTPS socket library';
 
+// Security check
+if (!$user->rights->mailing->lire || (empty($conf->global->EXTERNAL_USERS_ARE_AUTHORIZED) && $user->socid > 0)) {
+	accessforbidden();
+}
 
 
 /*
@@ -149,7 +149,7 @@ if (empty($reshook)) {
 			// or sent in error (statut=-1)
 			$sql = "SELECT mc.rowid, mc.fk_mailing, mc.lastname, mc.firstname, mc.email, mc.other, mc.source_url, mc.source_id, mc.source_type, mc.tag";
 			$sql .= " FROM ".MAIN_DB_PREFIX."mailing_cibles as mc";
-			$sql .= " WHERE mc.statut < 1 AND mc.fk_mailing = ".$object->id;
+			$sql .= " WHERE mc.statut < 1 AND mc.fk_mailing = ".((int) $object->id);
 			$sql .= " ORDER BY mc.statut DESC"; // first status 0, then status -1
 
 			dol_syslog("card.php: select targets", LOG_DEBUG);

+ 7 - 6
htdocs/comm/mailing/cibles.php

@@ -35,12 +35,6 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
 // Load translation files required by the page
 $langs->load("mails");
 
-// Security check
-if (!$user->rights->mailing->lire || $user->socid > 0) {
-	accessforbidden();
-}
-
-
 // Load variable for pagination
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
 $sortfield = GETPOST('sortfield', 'aZ09comma');
@@ -75,6 +69,13 @@ $object = new Mailing($db);
 $result = $object->fetch($id);
 
 
+// Security check
+if (!$user->rights->mailing->lire || (empty($conf->global->EXTERNAL_USERS_ARE_AUTHORIZED) && $user->socid > 0)) {
+	accessforbidden();
+}
+//$result = restrictedArea($user, 'mailing');
+
+
 /*
  * Actions
  */

+ 4 - 4
htdocs/comm/mailing/class/advtargetemailing.class.php

@@ -284,9 +284,9 @@ class AdvanceTargetingMailing extends CommonObject
 
 		$sql .= " FROM ".MAIN_DB_PREFIX."advtargetemailing as t";
 		if (!empty($id)) {
-			$sql .= " WHERE t.fk_element = ".$id." AND type_element='mailing'";
+			$sql .= " WHERE t.fk_element = ".((int) $id)." AND type_element = 'mailing'";
 		} else {
-			$sql .= " WHERE t.fk_element = ".$this->fk_element."  AND type_element='mailing'";
+			$sql .= " WHERE t.fk_element = ".((int) $this->fk_element)." AND type_element = 'mailing'";
 		}
 
 		dol_syslog(get_class($this)."::fetch sql=".$sql, LOG_DEBUG);
@@ -347,9 +347,9 @@ class AdvanceTargetingMailing extends CommonObject
 
 		$sql .= " FROM ".MAIN_DB_PREFIX."advtargetemailing as t";
 		if (!empty($id)) {
-			$sql .= " WHERE t.fk_element = ".$id." AND type_element='$type_element'";
+			$sql .= " WHERE t.fk_element = ".((int) $id)." AND type_element = '".$this->db->escape($type_element)."'";
 		} else {
-			$sql .= " WHERE t.fk_element = ".$this->fk_element."  AND type_element='$type_element'";
+			$sql .= " WHERE t.fk_element = ".((int) $this->fk_element)." AND type_element = '".$this->db->escape($type_element)."'";
 		}
 
 		dol_syslog(get_class($this)."::fetch sql=".$sql, LOG_DEBUG);

+ 2 - 2
htdocs/comm/mailing/class/mailing.class.php

@@ -427,7 +427,7 @@ class Mailing extends CommonObject
 				$sql .= " source_id ,";
 				$sql .= " source_type";
 				$sql .= " FROM ".MAIN_DB_PREFIX."mailing_cibles";
-				$sql .= " WHERE fk_mailing = ".$fromid;
+				$sql .= " WHERE fk_mailing = ".((int) $fromid);
 
 				$result = $this->db->query($sql);
 				if ($result) {
@@ -499,7 +499,7 @@ class Mailing extends CommonObject
 	public function delete($rowid)
 	{
 		$sql = "DELETE FROM ".MAIN_DB_PREFIX."mailing";
-		$sql .= " WHERE rowid = ".$rowid;
+		$sql .= " WHERE rowid = ".((int) $rowid);
 
 		dol_syslog("Mailing::delete", LOG_DEBUG);
 		$resql = $this->db->query($sql);

+ 2 - 1
htdocs/comm/mailing/info.php

@@ -33,9 +33,10 @@ $id = GETPOST('id', 'int');
 $langs->load("mails");
 
 // Security check
-if (!$user->rights->mailing->lire || $user->socid > 0) {
+if (!$user->rights->mailing->lire || (empty($conf->global->EXTERNAL_USERS_ARE_AUTHORIZED) && $user->socid > 0)) {
 	accessforbidden();
 }
+//$result = restrictedArea($user, 'mailing');
 
 
 

+ 5 - 3
htdocs/comm/mailing/list.php

@@ -28,9 +28,6 @@ require_once DOL_DOCUMENT_ROOT.'/comm/mailing/class/mailing.class.php';
 // Load translation files required by the page
 $langs->load("mails");
 
-// Security check
-$result = restrictedArea($user, 'mailing');
-
 $sortfield = GETPOST("sortfield", 'alpha');
 $sortorder = GETPOST("sortorder", 'alpha');
 $limit = GETPOST('limit', 'int') ?GETPOST('limit', 'int') : $conf->liste_limit;
@@ -69,6 +66,11 @@ $fieldstosearchall = array(
 	'm.titre'=>'Ref',
 );
 
+// Security check
+if (!$user->rights->mailing->lire || (empty($conf->global->EXTERNAL_USERS_ARE_AUTHORIZED) && $user->socid > 0)) {
+	accessforbidden();
+}
+//$result = restrictedArea($user, 'mailing');
 
 
 

+ 10 - 2
htdocs/comm/multiprix.php

@@ -40,15 +40,23 @@ if ($user->socid > 0) {
 	$_socid = $user->socid;
 }
 
+// Security check
+$socid = GETPOST("socid", 'int');
+if ($user->socid > 0) {
+	$action = '';
+	$id = $user->socid;
+}
+$result = restrictedArea($user, 'societe', $id, '&societe', '', 'fk_soc', 'rowid', 0);
+
 
 /*
  * Actions
  */
 
-if ($action == 'setpricelevel') {
+if ($action == 'setpricelevel' && $user->rights->societe->creer) {
 	$soc = new Societe($db);
 	$soc->fetch($id);
-	$soc->set_price_level(GETPOST("price_level"), $user);
+	$soc->setPriceLevel(GETPOST("price_level"), $user);
 
 	header("Location: multiprix.php?id=".$id);
 	exit;
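Review bot: `GETPOST("price_level")` is handed to `setPriceLevel()` with no check type, so the value arrives as an unconstrained string while the `$id` it acts on is already typed as int; unless `setPriceLevel` casts internally, `$soc->setPriceLevel(GETPOST("price_level", 'int'), $user);` is the safer call. The added `&& $user->rights->societe->creer` silently skips the action rather than refusing it, which is acceptable for a redirect page but gives the user no feedback. The unused `$socid` read in the new security block is the same issue raised on comm/index.php.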

+ 10 - 8
htdocs/comm/propal/card.php

@@ -89,12 +89,6 @@ $hideref = (GETPOST('hideref', 'int') ? GETPOST('hideref', 'int') : (!empty($con
 // Nombre de ligne pour choix de produit/service predefinis
 $NBLINES = 4;
 
-// Security check
-if (!empty($user->socid)) {
-	$socid = $user->socid;
-}
-$result = restrictedArea($user, 'propal', $id);
-
 $object = new Propal($db);
 $extrafields = new ExtraFields($db);
 
@@ -134,6 +128,14 @@ $permissionnote = $usercancreate; // Used by the include of actions_setnotes.inc
 $permissiondellink = $usercancreate; // Used by the include of actions_dellink.inc.php
 $permissiontoedit = $usercancreate; // Used by the include of actions_lineupdown.inc.php
 
+// Security check
+if (!empty($user->socid)) {
+	$socid = $user->socid;
+	$object->id = $user->socid;
+}
+restrictedArea($user, 'propal', $object->id);
+
+
 /*
  * Actions
  */
@@ -642,7 +644,7 @@ if (empty($reshook)) {
 			if ($object->statut == $object::STATUS_VALIDATED) {
 				$db->begin();
 
-				$result = $object->cloture($user, GETPOST('statut', 'int'), GETPOST('note_private', 'restricthtml'));
+				$result = $object->signature($user, GETPOST('statut', 'int'), GETPOST('note_private', 'restricthtml'));
 				if ($result < 0) {
 					setEventMessages($object->error, $object->errors, 'errors');
 					$error++;
@@ -1586,7 +1588,7 @@ if ($action == 'create') {
 		// Contacts (ask contact only if thirdparty already defined).
 		print "<tr><td>".$langs->trans("DefaultContact").'</td><td>';
 		print img_picto('', 'contact');
-		print $form->selectcontacts($soc->id, $contactid, 'contactid', 1, $srccontactslist);
+		print $form->selectcontacts($soc->id, $contactid, 'contactid', 1, '', '', 0, 'minwidth300');
 		print '</td></tr>';
 
 		// Third party discounts info line
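Review bot: The new security block overwrites the proposal's primary key with the user's third-party id — `$object->id = $user->socid;` — before calling `restrictedArea($user, 'propal', $object->id);`, so for an external user the check is made against a proposal whose rowid happens to equal their socid (or none at all), and every later action on the page then operates on that wrong id; comm/propal/contact.php, document.php, info.php and note.php receive the same three lines in this commit. The assignment should be dropped and the fetched id passed unchanged: `if (!empty($user->socid)) { $socid = $user->socid; }` followed by `restrictedArea($user, 'propal', $object->id);`, with restrictedArea's record lookup presumably tying the proposal to the external user's company. If `$object->fetch()` has not run by line 128 of card.php, `$object->id` is empty and the record check is skipped, so the call belongs after the fetch.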

+ 130 - 20
htdocs/comm/propal/class/propal.class.php

@@ -140,6 +140,16 @@ class Propal extends CommonObject
 	 */
 	public $date_validation;
 
+	/**
+	 * @var integer|string $date_signature;
+	 */
+	public $date_signature;
+
+	/**
+	 * @var User $user_signature
+	 */
+	public $user_signature;
+
 	/**
 	 * @var integer|string date of the quote;
 	 */
@@ -1232,7 +1242,7 @@ class Propal extends CommonObject
 				/*if (! $error && $this->fk_delivery_address)
 				{
 					$sql = "UPDATE ".MAIN_DB_PREFIX."propal";
-					$sql.= " SET fk_delivery_address = ".$this->fk_delivery_address;
+					$sql.= " SET fk_delivery_address = ".((int) $this->fk_delivery_address);
 					$sql.= " WHERE ref = '".$this->db->escape($this->ref)."'";
 					$sql.= " AND entity = ".setEntity($this);
 
@@ -2203,7 +2213,7 @@ class Propal extends CommonObject
 			$this->db->begin();
 
 			$sql = "UPDATE ".MAIN_DB_PREFIX."propal ";
-			$sql .= " SET fk_input_reason = ".$id;
+			$sql .= " SET fk_input_reason = ".((int) $id);
 			$sql .= " WHERE rowid = ".$this->id;
 
 			dol_syslog(__METHOD__, LOG_DEBUG);
@@ -2322,13 +2332,13 @@ class Propal extends CommonObject
 		$remise = trim($remise) ?trim($remise) : 0;
 
 		if (!empty($user->rights->propal->creer)) {
-			$remise = price2num($remise);
+			$remise = price2num($remise, 2);
 
 			$error = 0;
 
 			$this->db->begin();
 
-			$sql = "UPDATE ".MAIN_DB_PREFIX."propal SET remise_percent = ".$remise;
+			$sql = "UPDATE ".MAIN_DB_PREFIX."propal SET remise_percent = ".((float) $remise);
 			$sql .= " WHERE rowid = ".$this->id." AND fk_statut = ".self::STATUS_DRAFT;
 
 			dol_syslog(__METHOD__, LOG_DEBUG);
@@ -2380,17 +2390,18 @@ class Propal extends CommonObject
 	public function set_remise_absolue($user, $remise, $notrigger = 0)
 	{
 		// phpcs:enable
-		$remise = trim($remise) ?trim($remise) : 0;
+		if (empty($remise)) {
+			$remise = 0;
+		}
+		$remise = price2num($remise);
 
 		if (!empty($user->rights->propal->creer)) {
-			$remise = price2num($remise);
-
 			$error = 0;
 
 			$this->db->begin();
 
-			$sql = "UPDATE ".MAIN_DB_PREFIX."propal ";
-			$sql .= " SET remise_absolue = ".$remise;
+			$sql = "UPDATE ".MAIN_DB_PREFIX."propal";
+			$sql .= " SET remise_absolue = ".((float) $remise);
 			$sql .= " WHERE rowid = ".$this->id." AND fk_statut = ".self::STATUS_DRAFT;
 
 			dol_syslog(__METHOD__, LOG_DEBUG);
@@ -2435,19 +2446,17 @@ class Propal extends CommonObject
 	 *	Reopen the commercial proposal
 	 *
 	 *	@param      User	$user		Object user that close
-	 *	@param      int		$statut		Statut
+	 *	@param      int		$status		Status
 	 *	@param      string	$note		Comment
 	 *  @param		int		$notrigger	1=Does not execute triggers, 0= execute triggers
 	 *	@return     int         		<0 if KO, >0 if OK
 	 */
-	public function reopen($user, $statut, $note = '', $notrigger = 0)
+	public function reopen($user, $status, $note = '', $notrigger = 0)
 	{
-
-		$this->statut = $statut;
 		$error = 0;
 
 		$sql = "UPDATE ".MAIN_DB_PREFIX."propal";
-		$sql .= " SET fk_statut = ".$this->statut.",";
+		$sql .= " SET fk_statut = ".$status.",";
 		if (!empty($note)) {
 			$sql .= " note_private = '".$this->db->escape($note)."',";
 		}
@@ -2484,11 +2493,105 @@ class Propal extends CommonObject
 			$this->db->rollback();
 			return -1 * $error;
 		} else {
+			$this->statut = $status;
+			$this->status = $status;
+
 			$this->db->commit();
 			return 1;
 		}
 	}
 
+	/**
+	 *	Sign the commercial proposal
+	 *
+	 *	@param      User	$user		Object user that close
+	 *	@param      int		$statut		Status
+	 *	@param      string	$note		Complete private note with this note
+	 *  @param		int		$notrigger	1=Does not execute triggers, 0=Execute triggers
+	 *	@return     int         		<0 if KO, >0 if OK
+	 */
+	public function signature($user, $statut, $note = '', $notrigger = 0)
+	{
+		global $langs,$conf;
+
+		$error = 0;
+		$now = dol_now();
+
+		$this->db->begin();
+
+		$newprivatenote = dol_concatdesc($this->note_private, $note);
+
+		$sql  = "UPDATE ".MAIN_DB_PREFIX."propal";
+		$sql .= " SET fk_statut = ".$statut.", note_private = '".$this->db->escape($newprivatenote)."', date_signature='".$this->db->idate($now)."', fk_user_signature=".$user->id;
+		$sql .= " WHERE rowid = ".$this->id;
+
+		$resql = $this->db->query($sql);
+		if ($resql) {
+			$modelpdf = $conf->global->PROPALE_ADDON_PDF_ODT_CLOSED ? $conf->global->PROPALE_ADDON_PDF_ODT_CLOSED : $this->model_pdf;
+			$trigger_name = 'PROPAL_CLOSE_REFUSED';
+
+			if ($statut == self::STATUS_SIGNED) {
+				$trigger_name = 'PROPAL_CLOSE_SIGNED';
+				$modelpdf = $conf->global->PROPALE_ADDON_PDF_ODT_TOBILL ? $conf->global->PROPALE_ADDON_PDF_ODT_TOBILL:$this->model_pdf;
+
+				// The connected company is classified as a client
+				$soc=new Societe($this->db);
+				$soc->id = $this->socid;
+				$result = $soc->set_as_client();
+
+				if ($result < 0) {
+					$this->error=$this->db->lasterror();
+					$this->db->rollback();
+					return -2;
+				}
+			}
+
+			if (empty($conf->global->MAIN_DISABLE_PDF_AUTOUPDATE)) {
+				// Define output language
+				$outputlangs = $langs;
+				if (!empty($conf->global->MAIN_MULTILANGS)) {
+					$outputlangs = new Translate("", $conf);
+					$newlang = (GETPOST('lang_id', 'aZ09') ? GETPOST('lang_id', 'aZ09') : $this->thirdparty->default_lang);
+					$outputlangs->setDefaultLang($newlang);
+				}
+
+				//$ret=$object->fetch($id);    // Reload to get new records
+				$this->generateDocument($modelpdf, $outputlangs);
+			}
+
+			if (!$error) {
+				$this->oldcopy= clone $this;
+				$this->statut = $statut;
+				$this->date_signature = $now;
+				$this->note_private = $newprivatenote;
+			}
+
+			if (!$notrigger && empty($error)) {
+				// Call trigger
+				$result=$this->call_trigger($trigger_name, $user);
+				if ($result < 0) {
+					$error++;
+				}
+				// End call triggers
+			}
+
+			if (!$error ) {
+				$this->db->commit();
+				return 1;
+			} else {
+				$this->statut = $this->oldcopy->statut;
+				$this->date_signature = $this->oldcopy->date_signature;
+				$this->note_private = $this->oldcopy->note_private;
+
+				$this->db->rollback();
+				return -1;
+			}
+		} else {
+			$this->error=$this->db->lasterror();
+			$this->db->rollback();
+			return -1;
+		}
+	}
 
 	/**
 	 *	Close the commercial proposal
@@ -2511,7 +2614,7 @@ class Propal extends CommonObject
 		$newprivatenote = dol_concatdesc($this->note_private, $note);
 
 		$sql = "UPDATE ".MAIN_DB_PREFIX."propal";
-		$sql .= " SET fk_statut = ".$status.", note_private = '".$this->db->escape($newprivatenote)."', date_cloture='".$this->db->idate($now)."', fk_user_cloture=".$user->id;
+		$sql .= " SET fk_statut = ".((int) $status).", note_private = '".$this->db->escape($newprivatenote)."', date_cloture='".$this->db->idate($now)."', fk_user_cloture=".$user->id;
 		$sql .= " WHERE rowid = ".$this->id;
 
 		$resql = $this->db->query($sql);
@@ -2884,7 +2987,7 @@ class Propal extends CommonObject
 		// Delete extrafields of lines and lines
 		if (!$error && !empty($this->table_element_line)) {
 			$tabletodelete = $this->table_element_line;
-			$sqlef = "DELETE FROM ".MAIN_DB_PREFIX.$tabletodelete."_extrafields WHERE fk_object IN (SELECT rowid FROM ".MAIN_DB_PREFIX.$tabletodelete." WHERE ".$this->fk_element." = ".$this->id.")";
+			$sqlef = "DELETE FROM ".MAIN_DB_PREFIX.$tabletodelete."_extrafields WHERE fk_object IN (SELECT rowid FROM ".MAIN_DB_PREFIX.$tabletodelete." WHERE ".$this->fk_element." = ".((int) $this->id).")";
 			$sql = "DELETE FROM ".MAIN_DB_PREFIX.$tabletodelete." WHERE ".$this->fk_element." = ".$this->id;
 			if (!$this->db->query($sqlef) || !$this->db->query($sql)) {
 				$error++;
@@ -2995,7 +3098,7 @@ class Propal extends CommonObject
 			$this->db->begin();
 
 			$sql = 'UPDATE '.MAIN_DB_PREFIX.'propal';
-			$sql .= ' SET fk_availability = '.$availability_id;
+			$sql .= ' SET fk_availability = '.((int) $availability_id);
 			$sql .= ' WHERE rowid='.((int) $this->id);
 
 			dol_syslog(__METHOD__.' availability('.$availability_id.')', LOG_DEBUG);
@@ -3059,7 +3162,7 @@ class Propal extends CommonObject
 			$this->db->begin();
 
 			$sql = 'UPDATE '.MAIN_DB_PREFIX.'propal';
-			$sql .= ' SET fk_input_reason = '.$demand_reason_id;
+			$sql .= ' SET fk_input_reason = '.((int) $demand_reason_id);
 			$sql .= ' WHERE rowid='.((int) $this->id);
 
 			dol_syslog(__METHOD__.' demand_reason('.$demand_reason_id.')', LOG_DEBUG);
@@ -3113,8 +3216,8 @@ class Propal extends CommonObject
 	public function info($id)
 	{
 		$sql = "SELECT c.rowid, ";
-		$sql .= " c.datec, c.date_valid as datev, c.date_cloture as dateo,";
-		$sql .= " c.fk_user_author, c.fk_user_valid, c.fk_user_cloture";
+		$sql .= " c.datec, c.date_valid as datev, c.date_signature, c.date_cloture as dateo,";
+		$sql .= " c.fk_user_author, c.fk_user_valid, c.fk_user_signature, c.fk_user_cloture";
 		$sql .= " FROM ".MAIN_DB_PREFIX."propal as c";
 		$sql .= " WHERE c.rowid = ".((int) $id);
 
@@ -3128,6 +3231,7 @@ class Propal extends CommonObject
 
 				$this->date_creation     = $this->db->jdate($obj->datec);
 				$this->date_validation   = $this->db->jdate($obj->datev);
+				$this->date_signature    = $this->db->jdate($obj->date_signature);
 				$this->date_cloture      = $this->db->jdate($obj->dateo);
 
 				$cuser = new User($this->db);
@@ -3140,6 +3244,12 @@ class Propal extends CommonObject
 					$this->user_validation = $vuser;
 				}
 
+				if ($obj->fk_user_signature) {
+					$user_signature = new User($this->db);
+					$user_signature->fetch($obj->fk_user_signature);
+					$this->user_signature = $user_signature;
+				}
+
 				if ($obj->fk_user_cloture) {
 					$cluser = new User($this->db);
 					$cluser->fetch($obj->fk_user_cloture);
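Review bot: In the new `signature()` method the UPDATE interpolates `$statut` and `$user->id` raw (`SET fk_statut = ".$statut.", ... fk_user_signature=".$user->id`), while the `cloture()` hunk right below in the same commit casts its status with `((int) $status)`; card.php passes `GETPOST('statut', 'int')`, but the method cannot control other callers, so `fk_statut = ".((int) $statut).", ...` and `fk_user_signature = ".((int) $user->id)` would keep the two methods consistent. `reopen()` now sets both `$this->statut` and `$this->status` on success, whereas `signature()` updates only `$this->statut` and never sets `$this->user_signature`, so the in-memory object disagrees with what `info()` reloads. `generateDocument()` also runs before `commit()`, so a trigger failure that rolls back the status change still leaves a regenerated PDF on disk, and its return value is not checked.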

+ 3 - 3
htdocs/comm/propal/class/propalestats.class.php

@@ -100,18 +100,18 @@ class PropaleStats extends Stats
 			$this->where .= " AND p.fk_soc = ".$this->socid;
 		}
 		if ($this->userid > 0) {
-			$this->where .= ' AND fk_user_author = '.$this->userid;
+			$this->where .= ' AND fk_user_author = '.((int) $this->userid);
 		}
 
 		if ($typentid) {
 			$this->join .= ' LEFT JOIN '.MAIN_DB_PREFIX.'societe as s ON s.rowid = p.fk_soc';
-			$this->where .= ' AND s.fk_typent = '.$typentid;
+			$this->where .= ' AND s.fk_typent = '.((int) $typentid);
 		}
 
 		if ($categid) {
 			$this->join .= ' LEFT JOIN '.MAIN_DB_PREFIX.'categorie_societe as cs ON cs.fk_soc = p.fk_soc';
 			$this->join .= ' LEFT JOIN '.MAIN_DB_PREFIX.'categorie as c ON c.rowid = cs.fk_categorie';
-			$this->where .= ' AND c.rowid = '.$categid;
+			$this->where .= ' AND c.rowid = '.((int) $categid);
 		}
 	}
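Review bot: `$this->where .= " AND p.fk_soc = ".$this->socid;` on the context line just above the first change is the one id in this block left uncast; the three `(int)` casts added below it make `socid` the odd one out, so `" AND p.fk_soc = ".((int) $this->socid)` would complete the hardening. The enclosing method starts outside the hunk.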
 

+ 7 - 6
htdocs/comm/propal/contact.php

@@ -40,12 +40,6 @@ $ref = GETPOST('ref', 'alpha');
 $lineid = GETPOST('lineid', 'int');
 $action = GETPOST('action', 'aZ09');
 
-// Security check
-if ($user->socid) {
-	$socid = $user->socid;
-}
-$result = restrictedArea($user, 'propal', $id);
-
 $object = new Propal($db);
 
 // Load object
@@ -67,6 +61,13 @@ if (!$error) {
 	exit;
 }
 
+// Security check
+if (!empty($user->socid)) {
+	$socid = $user->socid;
+	$object->id = $user->socid;
+}
+restrictedArea($user, 'propal', $object->id);
+
 
 /*
  * Add a new contact

+ 7 - 0
htdocs/comm/propal/document.php

@@ -80,6 +80,13 @@ if (!$sortfield) {
 $object = new Propal($db);
 $object->fetch($id, $ref);
 
+// Security check
+if (!empty($user->socid)) {
+	$socid = $user->socid;
+	$object->id = $user->socid;
+}
+restrictedArea($user, 'propal', $object->id);
+
 
 /*
  * Actions

+ 10 - 9
htdocs/comm/propal/index.php

@@ -26,15 +26,6 @@
  */
 
 require '../../main.inc.php';
-
-// Security check
-$socid = GETPOST('socid', 'int');
-if (isset($user->socid) && $user->socid > 0) {
-	$action = '';
-	$socid = $user->socid;
-}
-restrictedArea($user, 'propal');
-
 require_once DOL_DOCUMENT_ROOT.'/core/class/html.formfile.class.php';
 require_once DOL_DOCUMENT_ROOT.'/comm/propal/class/propal.class.php';
 
@@ -48,9 +39,19 @@ $langs->loadLangs(array('propal', 'companies'));
 $now = dol_now();
 $max = 5;
 
+// Security check
+$socid = GETPOST('socid', 'int');
+if (isset($user->socid) && $user->socid > 0) {
+	$action = '';
+	$socid = $user->socid;
+}
+restrictedArea($user, 'propal');
+
+
 /*
  * View
  */
+
 $propalstatic = new Propal($db);
 $companystatic = new Societe($db);
 $form = new Form($db);

+ 6 - 6
htdocs/comm/propal/info.php

@@ -39,18 +39,18 @@ $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
 $socid = GETPOST('socid', 'int');
 
-// Security check
-if (!empty($user->socid)) {
-	$socid = $user->socid;
-}
-$result = restrictedArea($user, 'propal', $id);
-
 $object = new Propal($db);
 if (!$object->fetch($id, $ref) > 0) {
 	dol_print_error($db);
 	exit;
 }
 
+// Security check
+if (!empty($user->socid)) {
+	$socid = $user->socid;
+	$object->id = $user->socid;
+}
+restrictedArea($user, 'propal', $object->id);
 
 
 /*

+ 68 - 70
htdocs/comm/propal/note.php

@@ -40,13 +40,19 @@ $id = GETPOST('id', 'int');
 $ref = GETPOST('ref', 'alpha');
 $action = GETPOST('action', 'aZ09');
 
+$now = dol_now();
+
+$object = new Propal($db);
+if ($id > 0 || !empty($ref)) {
+	$object->fetch($id, $ref);
+}
+
 // Security check
-if ($user->socid) {
+if ($user->socid > 0) {
 	$socid = $user->socid;
+	$object->id = $user->socid;
 }
-$result = restrictedArea($user, 'propale', $id, 'propal');
-
-$object = new Propal($db);
+restrictedArea($user, 'propal', $object->id, 'propal');
 
 
 /*
@@ -63,86 +69,78 @@ include DOL_DOCUMENT_ROOT.'/core/actions_setnotes.inc.php'; // Must be include,
  * View
  */
 
+$form = new Form($db);
+
 $help_url = 'EN:Commercial_Proposals|FR:Proposition_commerciale|ES:Presupuestos';
 
 llxHeader('', $langs->trans('Proposal'), $help_url);
 
-$form = new Form($db);
+if ($object->id > 0) {
+	if ($object->fetch_thirdparty() > 0) {
+		$head = propal_prepare_head($object);
+		print dol_get_fiche_head($head, 'note', $langs->trans('Proposal'), -1, 'propal');
+
+		$cssclass = 'titlefield';
+		//if ($action == 'editnote_public') $cssclass='titlefieldcreate';
+		//if ($action == 'editnote_private') $cssclass='titlefieldcreate';
+
+
+		// Proposal card
+
+		$linkback = '<a href="'.DOL_URL_ROOT.'/comm/propal/list.php?restore_lastsearch_values=1'.(!empty($socid) ? '&socid='.$socid : '').'">'.$langs->trans("BackToList").'</a>';
 
-if ($id > 0 || !empty($ref)) {
-	if ($mesg) {
-		print $mesg;
-	}
 
-	$now = dol_now();
-
-	if ($object->fetch($id, $ref) > 0) {
-		if ($object->fetch_thirdparty() > 0) {
-			$head = propal_prepare_head($object);
-			print dol_get_fiche_head($head, 'note', $langs->trans('Proposal'), -1, 'propal');
-
-			$cssclass = 'titlefield';
-			//if ($action == 'editnote_public') $cssclass='titlefieldcreate';
-			//if ($action == 'editnote_private') $cssclass='titlefieldcreate';
-
-
-			// Proposal card
-
-			$linkback = '<a href="'.DOL_URL_ROOT.'/comm/propal/list.php?restore_lastsearch_values=1'.(!empty($socid) ? '&socid='.$socid : '').'">'.$langs->trans("BackToList").'</a>';
-
-
-			$morehtmlref = '<div class="refidno">';
-			// Ref customer
-			$morehtmlref .= $form->editfieldkey("RefCustomer", 'ref_client', $object->ref_client, $object, 0, 'string', '', 0, 1);
-			$morehtmlref .= $form->editfieldval("RefCustomer", 'ref_client', $object->ref_client, $object, 0, 'string', '', null, null, '', 1);
-			// Thirdparty
-			$morehtmlref .= '<br>'.$langs->trans('ThirdParty').' : '.$object->thirdparty->getNomUrl(1);
-			// Project
-			if (!empty($conf->projet->enabled)) {
-				$langs->load("projects");
-				$morehtmlref .= '<br>'.$langs->trans('Project').' ';
-				if ($user->rights->propal->creer) {
-					if ($action != 'classify') {
-						//$morehtmlref.='<a class="editfielda" href="' . $_SERVER['PHP_SELF'] . '?action=classify&amp;id=' . $object->id . '">' . img_edit($langs->transnoentitiesnoconv('SetProject')) . '</a>';
-						$morehtmlref .= ' : ';
-					}
-					if ($action == 'classify') {
-						//$morehtmlref.=$form->form_project($_SERVER['PHP_SELF'] . '?id=' . $object->id, $object->socid, $object->fk_project, 'projectid', 0, 0, 1, 1);
-						$morehtmlref .= '<form method="post" action="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'">';
-						$morehtmlref .= '<input type="hidden" name="action" value="classin">';
-						$morehtmlref .= '<input type="hidden" name="token" value="'.newToken().'">';
-						$morehtmlref .= $formproject->select_projects($object->socid, $object->fk_project, 'projectid', $maxlength, 0, 1, 0, 1, 0, 0, '', 1);
-						$morehtmlref .= '<input type="submit" class="button valignmiddle" value="'.$langs->trans("Modify").'">';
-						$morehtmlref .= '</form>';
-					} else {
-						$morehtmlref .= $form->form_project($_SERVER['PHP_SELF'].'?id='.$object->id, $object->socid, $object->fk_project, 'none', 0, 0, 0, 1);
-					}
+		$morehtmlref = '<div class="refidno">';
+		// Ref customer
+		$morehtmlref .= $form->editfieldkey("RefCustomer", 'ref_client', $object->ref_client, $object, 0, 'string', '', 0, 1);
+		$morehtmlref .= $form->editfieldval("RefCustomer", 'ref_client', $object->ref_client, $object, 0, 'string', '', null, null, '', 1);
+		// Thirdparty
+		$morehtmlref .= '<br>'.$langs->trans('ThirdParty').' : '.$object->thirdparty->getNomUrl(1);
+		// Project
+		if (!empty($conf->projet->enabled)) {
+			$langs->load("projects");
+			$morehtmlref .= '<br>'.$langs->trans('Project').' ';
+			if ($user->rights->propal->creer) {
+				if ($action != 'classify') {
+					//$morehtmlref.='<a class="editfielda" href="' . $_SERVER['PHP_SELF'] . '?action=classify&amp;id=' . $object->id . '">' . img_edit($langs->transnoentitiesnoconv('SetProject')) . '</a>';
+					$morehtmlref .= ' : ';
+				}
+				if ($action == 'classify') {
+					//$morehtmlref.=$form->form_project($_SERVER['PHP_SELF'] . '?id=' . $object->id, $object->socid, $object->fk_project, 'projectid', 0, 0, 1, 1);
+					$morehtmlref .= '<form method="post" action="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'">';
+					$morehtmlref .= '<input type="hidden" name="action" value="classin">';
+					$morehtmlref .= '<input type="hidden" name="token" value="'.newToken().'">';
+					$morehtmlref .= $formproject->select_projects($object->socid, $object->fk_project, 'projectid', $maxlength, 0, 1, 0, 1, 0, 0, '', 1);
+					$morehtmlref .= '<input type="submit" class="button valignmiddle" value="'.$langs->trans("Modify").'">';
+					$morehtmlref .= '</form>';
+				} else {
+					$morehtmlref .= $form->form_project($_SERVER['PHP_SELF'].'?id='.$object->id, $object->socid, $object->fk_project, 'none', 0, 0, 0, 1);
+				}
+			} else {
+				if (!empty($object->fk_project)) {
+					$proj = new Project($db);
+					$proj->fetch($object->fk_project);
+					$morehtmlref .= '<a href="'.DOL_URL_ROOT.'/projet/card.php?id='.$object->fk_project.'" title="'.$langs->trans('ShowProject').'">';
+					$morehtmlref .= $proj->ref;
+					$morehtmlref .= '</a>';
 				} else {
-					if (!empty($object->fk_project)) {
-						$proj = new Project($db);
-						$proj->fetch($object->fk_project);
-						$morehtmlref .= '<a href="'.DOL_URL_ROOT.'/projet/card.php?id='.$object->fk_project.'" title="'.$langs->trans('ShowProject').'">';
-						$morehtmlref .= $proj->ref;
-						$morehtmlref .= '</a>';
-					} else {
-						$morehtmlref .= '';
-					}
+					$morehtmlref .= '';
 				}
 			}
-			$morehtmlref .= '</div>';
+		}
+		$morehtmlref .= '</div>';
 
-			dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
+		dol_banner_tab($object, 'ref', $linkback, 1, 'ref', 'ref', $morehtmlref);
 
-			print '<div class="fichecenter">';
-			print '<div class="underbanner clearboth"></div>';
+		print '<div class="fichecenter">';
+		print '<div class="underbanner clearboth"></div>';
 
-			$cssclass = "titlefield";
-			include DOL_DOCUMENT_ROOT.'/core/tpl/notes.tpl.php';
+		$cssclass = "titlefield";
+		include DOL_DOCUMENT_ROOT.'/core/tpl/notes.tpl.php';
 
-			print '</div>';
+		print '</div>';
 
-			print dol_get_fiche_end();
-		}
+		print dol_get_fiche_end();
 	}
 }
 

+ 7 - 6
htdocs/comm/propal/stats/index.php

@@ -38,12 +38,6 @@ $WIDTH = DolGraph::getDefaultGraphSizeForStats('width');
 $HEIGHT = DolGraph::getDefaultGraphSizeForStats('height');
 
 $mode = GETPOSTISSET("mode") ? GETPOST("mode", 'aZ09') : 'customer';
-if ($mode == 'customer' && !$user->rights->propale->lire) {
-	accessforbidden();
-}
-if ($mode == 'supplier' && !$user->rights->supplier_proposal->lire) {
-	accessforbidden();
-}
 
 $object_status = GETPOST('object_status', 'intcomma');
 $typent_id = GETPOST('typent_id', 'int');
@@ -66,6 +60,13 @@ $endyear = $year;
 // Load translation files required by the page
 $langs->loadLangs(array('orders', 'companies', 'other', 'suppliers', 'supplier_proposal'));
 
+if ($mode == 'customer' && !$user->rights->propale->lire) {
+	accessforbidden();
+}
+if ($mode == 'supplier' && !$user->rights->supplier_proposal->lire) {
+	accessforbidden();
+}
+
 
 /*
  * View
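Review bot: The relocated checks still only cover `$mode == 'customer'` and `$mode == 'supplier'`; any other value that passes the `aZ09` filter reaches the view with no `accessforbidden()` at all, and what the view does with an unknown mode is outside the hunk. Normalising the mode before the two checks closes that gap, e.g. `if (!in_array($mode, array('customer', 'supplier'), true)) { accessforbidden(); }`, or a default-deny `else` branch in place of the two independent ifs.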

+ 9 - 1
htdocs/comm/prospect/index.php

@@ -30,11 +30,19 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/agenda.lib.php';
 // Load translation files required by the page
 $langs->load("propal");
 
-
 if ($user->socid > 0) {
 	$socid = $user->socid;
 }
 
+// Security check
+$socid = GETPOST('socid', 'int');
+if ($user->socid) {
+	$action = '';
+	$socid = $user->socid;
+}
+$result = restrictedArea($user, 'propal', $socid, '');
+
+
 
 /*
  *	View
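Review bot: The pre-existing block `if ($user->socid > 0) { $socid = $user->socid; }` just above the new check is now dead code: `$socid = GETPOST('socid', 'int');` on the next line overwrites it before the new `if ($user->socid)` block sets it again. Remove the old block and spell the remaining condition the way the rest of the commit does, `if ($user->socid > 0) {`, so the forced-company rule is stated once. `$result` is assigned from `restrictedArea()` but, as far as the hunk shows, never read.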

+ 0 - 90
htdocs/comm/prospect/recap-prospect.php

@@ -1,90 +0,0 @@
-<?php
-/* Copyright (C) 2001-2004 Rodolphe Quiedeville <rodolphe@quiedeville.org>
- * Copyright (C) 2004-2010 Laurent Destailleur  <eldy@users.sourceforge.net>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <https://www.gnu.org/licenses/>.
- */
-
-/**
- *   	\file       htdocs/comm/prospect/recap-prospect.php
- *		\ingroup    societe
- *		\brief      Page with prospect summary
- */
-
-require '../../main.inc.php';
-require_once DOL_DOCUMENT_ROOT.'/core/lib/company.lib.php';
-require_once DOL_DOCUMENT_ROOT.'/compta/facture/class/facture.class.php';
-
-// Load translation files required by the page
-$langs->loadLangs(array('companies', 'other'));
-if (!empty($conf->facture->enabled)) {
-	$langs->load("bills");
-}
-
-// Security check
-$socid = GETPOST("socid", 'int');
-if ($user->socid > 0) {
-	$action = '';
-	$socid = $user->socid;
-}
-
-
-/*
- *	View
- */
-
-llxHeader();
-
-if ($socid > 0) {
-	$societe = new Societe($db);
-	$societe->fetch($socid);
-
-	/*
-	 * Affichage onglets
-	 */
-	$head = societe_prepare_head($societe);
-
-	print dol_get_fiche_head($head, 'prospect', $langs->trans("ThirdParty"), 0, 'company');
-
-
-	print "<table width=\"100%\">\n";
-	print '<tr><td valign="top" width="50%">';
-
-	print '<table class="border centpercent">';
-
-	// Name
-	print '<tr><td width="20%">'.$langs->trans("Thirdpary").'</td><td width="80%" colspan="3">'.$societe->getNomUrl(1).'</td></tr>';
-
-	// Prefix
-	if (!empty($conf->global->SOCIETE_USEPREFIX)) {  // Old not used prefix field
-		print '<tr><td>'.$langs->trans("Prefix").'</td><td colspan="3">';
-		print ($societe->prefix_comm ? $societe->prefix_comm : '&nbsp;');
-		print '</td></tr>';
-	}
-
-	print "</table>";
-
-	print "</td></tr></table>\n";
-
-	print '</div>';
-
-
-	print $langs->trans("FeatureNotYetAvailable");
-} else {
-	dol_print_error($db);
-}
-
-// End of page
-llxFooter();
-$db->close();

+ 3 - 3
htdocs/comm/recap-client.php

@@ -33,12 +33,12 @@ if (!empty($conf->facture->enabled)) {
 }
 
 // Security check
-$socid = $_GET["socid"];
+$socid = GETPOST("socid", 'int');
 if ($user->socid > 0) {
 	$action = '';
-	$socid = $user->socid;
+	$id = $user->socid;
 }
-
+$result = restrictedArea($user, 'societe', $id, '&societe', '', 'fk_soc', 'rowid', 0);
 
 
 /*
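Review bot: The external-user branch now sets `$id = $user->socid;` while the page keeps using `$socid`, which is still the raw `GETPOST("socid", 'int')` value, so the forcing of an external user onto their own company that the removed `$socid = $user->socid;` line provided no longer reaches the rest of the page; `restrictedArea()` is meanwhile called with `$id`, which this hunk never assigns for internal users (it may be defined earlier in the file). Keep both variables in step: `$socid = $user->socid;` inside the branch and `$result = restrictedArea($user, 'societe', $socid, '&societe', '', 'fk_soc', 'rowid', 0);`. remise.php and remx.php pass `$id` in the same call, which matches their `?id=` links but should be confirmed against what each page actually reads.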

+ 7 - 2
htdocs/comm/remise.php

@@ -66,7 +66,7 @@ if (GETPOST('action', 'aZ09') == 'setremise') {
 			header("Location: ".$backtopage);
 			exit;
 		} else {
-			header("Location: remise.php?id=".$_GET["id"]);
+			header("Location: remise.php?id=".GETPOST("id", 'int'));
 			exit;
 		}
 	} else {
@@ -74,6 +74,12 @@ if (GETPOST('action', 'aZ09') == 'setremise') {
 	}
 }
 
+// Security check
+if ($user->socid > 0) {
+	$id = $user->socid;
+}
+$result = restrictedArea($user, 'societe', $id, '&societe', '', 'fk_soc', 'rowid', 0);
+
 
 /*
  * View
@@ -83,7 +89,6 @@ $form = new Form($db);
 
 llxHeader();
 
-
 /*********************************************************************************
  *
  * Mode fiche
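Review bot: The new `restrictedArea()` block is inserted after the `setremise` action handler (the first hunk shows that handler issuing its redirects and the second hunk opens with its closing braces), so the discount update runs before the page's access check; whether the handler carries its own rights test is outside the hunk. Move the security block above the `Actions` section, directly after the GETPOST reads, so that no state change happens before `$result = restrictedArea($user, 'societe', $id, '&societe', '', 'fk_soc', 'rowid', 0);` has passed. As in recap-client.php, `$id` is not assigned in this hunk for internal users and is presumably read earlier in the file.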

+ 12 - 6
htdocs/comm/remx.php

@@ -46,6 +46,12 @@ if ($user->socid > 0) {
 	$socid = $user->socid;
 }
 
+// Security check
+if ($user->socid > 0) {
+	$id = $user->socid;
+}
+$result = restrictedArea($user, 'societe', $id, '&societe', '', 'fk_soc', 'rowid', 0);
+
 
 /*
  * Actions
@@ -56,7 +62,7 @@ if (GETPOST('cancel', 'alpha') && !empty($backtopage)) {
 	 exit;
 }
 
-if ($action == 'confirm_split' && GETPOST("confirm", "alpha") == 'yes') {
+if ($action == 'confirm_split' && GETPOST("confirm", "alpha") == 'yes' && $user->rights->societe->creer) {
 	//if ($user->rights->societe->creer)
 	//if ($user->rights->facture->creer)
 
@@ -186,7 +192,7 @@ if ($action == 'setremise' && $user->rights->societe->creer) {
 	}
 }
 
-if (GETPOST('action', 'aZ09') == 'confirm_remove' && GETPOST("confirm") == 'yes') {
+if (GETPOST('action', 'aZ09') == 'confirm_remove' && GETPOST("confirm") == 'yes' && $user->rights->societe->creer) {
 	//if ($user->rights->societe->creer)
 	//if ($user->rights->facture->creer)
 
@@ -481,8 +487,8 @@ if ($socid > 0) {
 					print '</td>';
 					if ($user->rights->societe->creer || $user->rights->facture->creer) {
 						print '<td class="center nowrap">';
-						print '<a class="reposition" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=split&remid='.$obj->rowid.($backtopage ? '&backtopage='.urlencode($backtopage) : '').'">'.img_split($langs->trans("SplitDiscount")).'</a>';
-						print '<a class="reposition marginleftonly" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=remove&remid='.$obj->rowid.($backtopage ? '&backtopage='.urlencode($backtopage) : '').'">'.img_delete($langs->trans("RemoveDiscount")).'</a>';
+						print '<a class="reposition" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=split&token='.newToken().'&remid='.$obj->rowid.($backtopage ? '&backtopage='.urlencode($backtopage) : '').'">'.img_split($langs->trans("SplitDiscount")).'</a>';
+						print '<a class="reposition marginleftonly" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=remove&token='.newToken().'&remid='.$obj->rowid.($backtopage ? '&backtopage='.urlencode($backtopage) : '').'">'.img_delete($langs->trans("RemoveDiscount")).'</a>';
 						print '</td>';
 					} else {
 						print '<td>&nbsp;</td>';
@@ -620,8 +626,8 @@ if ($socid > 0) {
 					print '</td>';
 					if ($user->rights->societe->creer || $user->rights->facture->creer) {
 						print '<td class="center nowrap">';
-						print '<a class="reposition" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=split&remid='.$obj->rowid.($backtopage ? '&backtopage='.urlencode($backtopage) : '').'">'.img_split($langs->trans("SplitDiscount")).'</a>';
-						print '<a class="reposition marginleftonly" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=remove&remid='.$obj->rowid.($backtopage ? '&backtopage='.urlencode($backtopage) : '').'">'.img_delete($langs->trans("RemoveDiscount")).'</a>';
+						print '<a class="reposition" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=split&token='.newToken().'&remid='.$obj->rowid.($backtopage ? '&backtopage='.urlencode($backtopage) : '').'">'.img_split($langs->trans("SplitDiscount")).'</a>';
+						print '<a class="reposition marginleftonly" href="'.$_SERVER["PHP_SELF"].'?id='.$object->id.'&action=remove&token='.newToken().'&remid='.$obj->rowid.($backtopage ? '&backtopage='.urlencode($backtopage) : '').'">'.img_delete($langs->trans("RemoveDiscount")).'</a>';
 						print '</td>';
 					} else {
 						print '<td>&nbsp;</td>';
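Review bot: The `confirm_split` and `confirm_remove` branches now require `$user->rights->societe->creer`, but the split/remove links in both table hunks are still rendered under `$user->rights->societe->creer || $user->rights->facture->creer`, so a user holding only `facture->creer` is offered actions that will silently do nothing. Either narrow the link condition to `if ($user->rights->societe->creer) {` or gate the actions with the same disjunction, `&& ($user->rights->societe->creer || $user->rights->facture->creer)`; the commented-out `//if ($user->rights->facture->creer)` lines suggest the latter was the original intent. The added `token=` parameter only helps if the `split`/`remove` handlers verify it, which is outside the hunk. The two consecutive `if ($user->socid > 0)` blocks at the top of the file set `$socid` and `$id` separately and can be merged into one.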

+ 3 - 3
htdocs/commande/card.php

@@ -423,7 +423,7 @@ if (empty($reshook)) {
 								$originidforcontact=$srcobject->origin_id;
 							}
 							$sqlcontact = "SELECT code, fk_socpeople FROM ".MAIN_DB_PREFIX."element_contact as ec, ".MAIN_DB_PREFIX."c_type_contact as ctc";
-							$sqlcontact.= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$db->escape($originforcontact)."'";
+							$sqlcontact.= " WHERE element_id = ".((int) $originidforcontact)." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$db->escape($originforcontact)."'";
 
 							$resqlcontact = $db->query($sqlcontact);
 							if ($resqlcontact)
@@ -501,7 +501,7 @@ if (empty($reshook)) {
 			setEventMessages($object->error, $object->errors, 'errors');
 		}
 	} elseif ($action == 'setremise' && $usercancreate) {
-		$result = $object->setDiscount($user, GETPOST('remise'));
+		$result = $object->setDiscount($user, price2num(GETPOST('remise'), 2));
 		if ($result < 0) {
 			setEventMessages($object->error, $object->errors, 'errors');
 		}
@@ -515,7 +515,7 @@ if (empty($reshook)) {
 		}
 	} elseif ($action == 'setdate' && $usercancreate) {
 		// print "x ".$_POST['liv_month'].", ".$_POST['liv_day'].", ".$_POST['liv_year'];
-		$date = dol_mktime(0, 0, 0, GETPOST('order_month'), GETPOST('order_day'), GETPOST('order_year'));
+		$date = dol_mktime(0, 0, 0, GETPOST('order_month', 'int'), GETPOST('order_day', 'int'), GETPOST('order_year', 'int'));
 
 		$result = $object->set_date($user, $date);
 		if ($result < 0) {
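Review bot: `GETPOST('remise')` on the `setremise` line is still read without a check type while the neighbouring lines in this commit add `'int'` to every other GETPOST; `price2num()` normalises the value afterwards, but the file's convention is to filter at the read, e.g. `price2num(GETPOST('remise', 'alpha'), 2)`. The `((int) $originidforcontact)` cast in the first hunk is the right fix for that query and matches the same cast applied in commande.class.php.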

+ 15 - 13
htdocs/commande/class/commande.class.php

@@ -1113,7 +1113,7 @@ class Commande extends CommonOrder
 						}
 
 						$sqlcontact = "SELECT ctc.code, ctc.source, ec.fk_socpeople FROM ".MAIN_DB_PREFIX."element_contact as ec, ".MAIN_DB_PREFIX."c_type_contact as ctc";
-						$sqlcontact .= " WHERE element_id = ".$originidforcontact." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$this->db->escape($originforcontact)."'";
+						$sqlcontact .= " WHERE element_id = ".((int) $originidforcontact)." AND ec.fk_c_type_contact = ctc.rowid AND ctc.element = '".$this->db->escape($originforcontact)."'";
 
 						$resqlcontact = $this->db->query($sqlcontact);
 						if ($resqlcontact) {
@@ -2331,7 +2331,7 @@ class Commande extends CommonOrder
 
 			$sql = "SELECT fk_product, qty";
 			$sql .= " FROM ".MAIN_DB_PREFIX."commandedet";
-			$sql .= " WHERE rowid = ".$lineid;
+			$sql .= " WHERE rowid = ".((int) $lineid);
 
 			$result = $this->db->query($sql);
 			if ($result) {
@@ -2413,11 +2413,11 @@ class Commande extends CommonOrder
 
 			$this->db->begin();
 
-			$remise = price2num($remise);
+			$remise = price2num($remise, 2);
 
 			$sql = 'UPDATE '.MAIN_DB_PREFIX.'commande';
-			$sql .= ' SET remise_percent = '.$remise;
-			$sql .= ' WHERE rowid = '.$this->id.' AND fk_statut = '.self::STATUS_DRAFT.' ;';
+			$sql .= ' SET remise_percent = '.((float) $remise);
+			$sql .= ' WHERE rowid = '.$this->id.' AND fk_statut = '.self::STATUS_DRAFT;
 
 			dol_syslog(__METHOD__, LOG_DEBUG);
 			$resql = $this->db->query($sql);
@@ -2468,18 +2468,20 @@ class Commande extends CommonOrder
 	public function set_remise_absolue($user, $remise, $notrigger = 0)
 	{
 		// phpcs:enable
-		$remise = trim($remise) ?trim($remise) : 0;
+		if (empty($remise)) {
+			$remise = 0;
+		}
+
+		$remise = price2num($remise);
 
 		if ($user->rights->commande->creer) {
 			$error = 0;
 
 			$this->db->begin();
 
-			$remise = price2num($remise);
-
 			$sql = 'UPDATE '.MAIN_DB_PREFIX.'commande';
-			$sql .= ' SET remise_absolue = '.$remise;
-			$sql .= ' WHERE rowid = '.$this->id.' AND fk_statut = '.self::STATUS_DRAFT.' ;';
+			$sql .= ' SET remise_absolue = '.((float) $remise);
+			$sql .= ' WHERE rowid = '.$this->id.' AND fk_statut = '.self::STATUS_DRAFT;
 
 			dol_syslog(__METHOD__, LOG_DEBUG);
 			$resql = $this->db->query($sql);
@@ -2741,7 +2743,7 @@ class Commande extends CommonOrder
 			$this->db->begin();
 
 			$sql = 'UPDATE '.MAIN_DB_PREFIX.'commande';
-			$sql .= ' SET fk_availability = '.$availability_id;
+			$sql .= ' SET fk_availability = '.((int) $availability_id);
 			$sql .= ' WHERE rowid='.((int) $this->id);
 
 			dol_syslog(__METHOD__, LOG_DEBUG);
@@ -2805,7 +2807,7 @@ class Commande extends CommonOrder
 			$this->db->begin();
 
 			$sql = 'UPDATE '.MAIN_DB_PREFIX.'commande';
-			$sql .= ' SET fk_input_reason = '.$demand_reason_id;
+			$sql .= ' SET fk_input_reason = '.((int) $demand_reason_id);
 			$sql .= ' WHERE rowid='.((int) $this->id);
 
 			dol_syslog(__METHOD__, LOG_DEBUG);
@@ -2867,7 +2869,7 @@ class Commande extends CommonOrder
 			$this->db->begin();
 
 			$sql = 'UPDATE '.MAIN_DB_PREFIX.'commande SET';
-			$sql .= ' ref_client = '.(empty($ref_client) ? 'NULL' : '\''.$this->db->escape($ref_client).'\'');
+			$sql .= ' ref_client = '.(empty($ref_client) ? 'NULL' : "'".$this->db->escape($ref_client)."'");
 			$sql .= ' WHERE rowid = '.$this->id;
 
 			dol_syslog(__METHOD__.' this->id='.$this->id.', ref_client='.$ref_client, LOG_DEBUG);
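Review bot: The WHERE clauses of the `remise_percent`, `remise_absolue` and `ref_client` updates still interpolate `$this->id` bare (`' WHERE rowid = '.$this->id`), while the `fk_availability` and `fk_input_reason` hunks in the same file cast it as `((int) $this->id)`; applying the same cast in the three remaining clauses keeps the file consistent with the pattern this commit introduces. In `set_remise_absolue` (which continues past the hunk) the `empty($remise)` guard maps `'0'`, `0.0` and `''` to `0`, which is the same result `price2num` produces, so the behaviour change is limited to the normalisation now running before the `commande->creer` rights check.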

+ 2 - 2
htdocs/commande/class/commandestats.class.php

@@ -100,13 +100,13 @@ class CommandeStats extends Stats
 
 		if ($typentid) {
 			$this->join .= ' LEFT JOIN '.MAIN_DB_PREFIX.'societe as s ON s.rowid = c.fk_soc';
-			$this->where .= ' AND s.fk_typent = '.$typentid;
+			$this->where .= ' AND s.fk_typent = '.((int) $typentid);
 		}
 
 		if ($categid) {
 			$this->join .= ' LEFT JOIN '.MAIN_DB_PREFIX.'categorie_societe as cats ON cats.fk_soc = c.fk_soc';
 			$this->join .= ' LEFT JOIN '.MAIN_DB_PREFIX.'categorie as cat ON cat.rowid = cats.fk_categorie';
-			$this->where .= ' AND cat.rowid = '.$categid;
+			$this->where .= ' AND cat.rowid = '.((int) $categid);
 		}
 	}
 

+ 2 - 1
htdocs/compta/bank/annuel.php

@@ -138,10 +138,11 @@ $head = bank_prepare_head($object);
 print dol_get_fiche_head($head, 'annual', $langs->trans("FinancialAccount"), 0, 'account');
 
 $title = $langs->trans("FinancialAccount")." : ".$object->label;
-$link = ($year_start ? "<a href='".$_SERVER["PHP_SELF"]."?account=".$object->id."&year_start=".($year_start - 1)."'>".img_previous('', 'class="valignbottom"')."</a> ".$langs->trans("Year")." <a href='".$_SERVER["PHP_SELF"]."?account=".$object->id."&year_start=".($year_start + 1)."'>".img_next('', 'class="valignbottom"')."</a>" : "");
+$link = ($year_start ? '<a href="'.$_SERVER["PHP_SELF"].'?account='.$object->id.'&year_start='.($year_start - 1).'">'.img_previous('', 'class="valignbottom"')."</a> ".$langs->trans("Year").' <a href="'.$_SERVER["PHP_SELF"].'?account='.$object->id.'&year_start='.($year_start + 1).'">'.img_next('', 'class="valignbottom"').'</a>' : '');
 
 $linkback = '<a href="'.DOL_URL_ROOT.'/compta/bank/list.php?restore_lastsearch_values=1">'.$langs->trans("BackToList").'</a>';
 
+$morehtmlref = '';
 
 if (!empty($id)) {
 	if (!preg_match('/,/', $id)) {
