
Fix yogosha 6347

Laurent Destailleur 4 år sedan
förälder
incheckning
fb46ece906
100 ändrade filer med 244 tillägg och 265 borttagningar
  1. 1 1
      htdocs/accountancy/admin/categories_list.php
  2. 2 2
      htdocs/accountancy/class/accountancycategory.class.php
  3. 2 2
      htdocs/accountancy/class/accountingaccount.class.php
  4. 2 2
      htdocs/accountancy/class/bookkeeping.class.php
  5. 1 1
      htdocs/accountancy/journal/bankjournal.php
  6. 3 3
      htdocs/adherents/class/adherent.class.php
  7. 1 1
      htdocs/adherents/class/adherent_type.class.php
  8. 3 3
      htdocs/adherents/class/api_members.class.php
  9. 4 4
      htdocs/adherents/class/subscription.class.php
  10. 5 5
      htdocs/api/class/api_setup.class.php
  11. 2 2
      htdocs/asset/class/asset_type.class.php
  12. 2 2
      htdocs/bom/class/bom.class.php
  13. 1 1
      htdocs/bookmarks/bookmarks.lib.php
  14. 1 1
      htdocs/bookmarks/list.php
  15. 3 3
      htdocs/categories/class/categorie.class.php
  16. 2 2
      htdocs/comm/action/class/actioncomm.class.php
  17. 2 2
      htdocs/comm/action/index.php
  18. 1 1
      htdocs/comm/action/pertype.php
  19. 2 2
      htdocs/comm/action/peruser.php
  20. 0 8
      htdocs/comm/contact.php
  21. 5 5
      htdocs/comm/propal/class/propal.class.php
  22. 4 4
      htdocs/comm/propal/index.php
  23. 6 6
      htdocs/comm/propal/list.php
  24. 4 4
      htdocs/comm/prospect/index.php
  25. 5 5
      htdocs/commande/class/commande.class.php
  26. 0 3
      htdocs/commande/customer.php
  27. 4 4
      htdocs/commande/index.php
  28. 1 1
      htdocs/commande/list.php
  29. 1 1
      htdocs/compta/bank/bankentries_list.php
  30. 2 2
      htdocs/compta/bank/class/account.class.php
  31. 1 1
      htdocs/compta/bank/class/api_bankaccounts.class.php
  32. 1 1
      htdocs/compta/bank/line.php
  33. 1 1
      htdocs/compta/bank/releve.php
  34. 5 5
      htdocs/compta/bank/various_payment/list.php
  35. 6 14
      htdocs/compta/clients.php
  36. 1 1
      htdocs/compta/facture/class/api_invoices.class.php
  37. 8 8
      htdocs/compta/facture/class/facture-rec.class.php
  38. 3 3
      htdocs/compta/facture/class/facture.class.php
  39. 6 6
      htdocs/compta/facture/list.php
  40. 3 3
      htdocs/compta/index.php
  41. 1 1
      htdocs/compta/localtax/class/localtax.class.php
  42. 2 2
      htdocs/compta/localtax/index.php
  43. 1 1
      htdocs/compta/paiement/cheque/card.php
  44. 1 1
      htdocs/compta/paiement/cheque/list.php
  45. 1 1
      htdocs/compta/paiement/tovalidate.php
  46. 1 1
      htdocs/compta/prelevement/class/bonprelevement.class.php
  47. 3 3
      htdocs/compta/prelevement/class/rejetprelevement.class.php
  48. 3 3
      htdocs/compta/prelevement/fiche-rejet.php
  49. 1 1
      htdocs/compta/recap-compta.php
  50. 1 1
      htdocs/compta/resultat/clientfourn.php
  51. 3 3
      htdocs/compta/sociales/list.php
  52. 1 1
      htdocs/compta/stats/cabyuser.php
  53. 1 1
      htdocs/compta/stats/index.php
  54. 2 2
      htdocs/compta/stats/supplier_turnover.php
  55. 1 1
      htdocs/compta/stats/supplier_turnover_by_thirdparty.php
  56. 1 1
      htdocs/compta/tva/class/tva.class.php
  57. 3 3
      htdocs/compta/tva/list.php
  58. 8 8
      htdocs/contact/class/contact.class.php
  59. 6 6
      htdocs/contact/list.php
  60. 4 4
      htdocs/contrat/class/contrat.class.php
  61. 1 1
      htdocs/contrat/index.php
  62. 4 4
      htdocs/contrat/list.php
  63. 1 1
      htdocs/contrat/services_list.php
  64. 13 13
      htdocs/core/class/commonobject.class.php
  65. 1 1
      htdocs/core/class/discount.class.php
  66. 3 3
      htdocs/core/class/extrafields.class.php
  67. 5 7
      htdocs/core/class/html.form.class.php
  68. 1 1
      htdocs/core/class/html.formaccounting.class.php
  69. 2 2
      htdocs/core/class/html.formintervention.class.php
  70. 3 3
      htdocs/core/class/html.formmail.class.php
  71. 1 1
      htdocs/core/class/html.formsocialcontrib.class.php
  72. 4 4
      htdocs/core/class/infobox.class.php
  73. 2 2
      htdocs/core/class/menubase.class.php
  74. 5 5
      htdocs/core/class/notify.class.php
  75. 2 2
      htdocs/core/lib/agenda.lib.php
  76. 4 4
      htdocs/core/lib/company.lib.php
  77. 1 1
      htdocs/core/lib/fourn.lib.php
  78. 4 4
      htdocs/core/lib/invoice.lib.php
  79. 1 1
      htdocs/core/lib/sendings.lib.php
  80. 1 1
      htdocs/core/lib/ticket.lib.php
  81. 1 1
      htdocs/core/lib/usergroups.lib.php
  82. 3 3
      htdocs/core/modules/DolibarrModules.class.php
  83. 1 1
      htdocs/core/modules/mailings/pomme.modules.php
  84. 3 3
      htdocs/core/modules/mailings/thirdparties.modules.php
  85. 1 1
      htdocs/core/modules/mailings/thirdparties_services_expired.modules.php
  86. 2 2
      htdocs/core/modules/movement/doc/pdf_standard.modules.php
  87. 1 1
      htdocs/core/modules/project/doc/doc_generic_project_odt.modules.php
  88. 1 1
      htdocs/core/modules/project/task/doc/doc_generic_task_odt.modules.php
  89. 1 1
      htdocs/core/modules/rapport/pdf_paiement.class.php
  90. 1 1
      htdocs/core/modules/stock/doc/pdf_standard.modules.php
  91. 1 1
      htdocs/datapolicy/class/actions_datapolicy.class.php
  92. 1 1
      htdocs/don/class/api_donations.class.php
  93. 4 4
      htdocs/don/class/don.class.php
  94. 1 1
      htdocs/ecm/class/ecmfiles.class.php
  95. 1 1
      htdocs/eventorganization/conferenceorboothattendee_list.php
  96. 1 1
      htdocs/expedition/card.php
  97. 1 1
      htdocs/expedition/class/api_shipments.class.php
  98. 3 3
      htdocs/expedition/class/expedition.class.php
  99. 1 1
      htdocs/expedition/class/expeditionbatch.class.php
  100. 4 4
      htdocs/expedition/list.php

+ 1 - 1
htdocs/accountancy/admin/categories_list.php

@@ -444,7 +444,7 @@ if ($search_country_id > 0) {
 	} else {
 		$sql .= " WHERE ";
 	}
-	$sql .= " (a.fk_country = ".$search_country_id." OR a.fk_country = 0)";
+	$sql .= " (a.fk_country = ".((int) $search_country_id)." OR a.fk_country = 0)";
 }
 
 // If sort order is "country", we use country_code instead

+ 2 - 2
htdocs/accountancy/class/accountancycategory.class.php

@@ -675,7 +675,7 @@ class AccountancyCategory // extends CommonObject
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_accounting_category as c";
 		$sql .= " WHERE c.active = 1";
 		$sql .= " AND c.entity = ".$conf->entity;
-		$sql .= " AND (c.fk_country = ".$mysoc->country_id." OR c.fk_country = 0)";
+		$sql .= " AND (c.fk_country = ".((int) $mysoc->country_id)." OR c.fk_country = 0)";
 		$sql .= " AND cat.rowid = t.fk_accounting_category";
 		$sql .= " AND t.entity = ".$conf->entity;
 		$sql .= " ORDER BY cat.position ASC";
@@ -806,7 +806,7 @@ class AccountancyCategory // extends CommonObject
 		if ($categorytype >= 0) {
 			$sql .= " AND c.category_type = 1";
 		}
-		$sql .= " AND (c.fk_country = ".$mysoc->country_id." OR c.fk_country = 0)";
+		$sql .= " AND (c.fk_country = ".((int) $mysoc->country_id)." OR c.fk_country = 0)";
 		$sql .= " ORDER BY c.position ASC";
 
 		$resql = $this->db->query($sql);

+ 2 - 2
htdocs/accountancy/class/accountingaccount.class.php

@@ -602,7 +602,7 @@ class AccountingAccount extends CommonObject
 
 			$sql = "UPDATE ".MAIN_DB_PREFIX."accounting_account ";
 			$sql .= "SET ".$fieldtouse." = '0'";
-			$sql .= " WHERE rowid = ".$this->db->escape($id);
+			$sql .= " WHERE rowid = ".((int) $id);
 
 			dol_syslog(get_class($this)."::accountDeactivate ".$fieldtouse." sql=".$sql, LOG_DEBUG);
 			$result = $this->db->query($sql);
@@ -640,7 +640,7 @@ class AccountingAccount extends CommonObject
 
 		$sql = "UPDATE ".MAIN_DB_PREFIX."accounting_account";
 		$sql .= " SET ".$fieldtouse." = '1'";
-		$sql .= " WHERE rowid = ".$this->db->escape($id);
+		$sql .= " WHERE rowid = ".((int) $id);
 
 		dol_syslog(get_class($this)."::account_activate ".$fieldtouse." sql=".$sql, LOG_DEBUG);
 		$result = $this->db->query($sql);
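Review bot: The int cast closes the `rowid` vector, but `$fieldtouse` is still interpolated as a bare column name into the SET clause on both hunks (`"SET ".$fieldtouse." = '0'"`, `" SET ".$fieldtouse." = '1'"`), and nothing in the hunk shows where it comes from. If it is derived from a caller or request parameter rather than a fixed literal, it needs an allowlist check before the query is built, e.g. `if (!in_array($fieldtouse, $allowedColumns, true)) { return -1; }`, since a cast cannot help with identifiers. Both enclosing methods (accountDeactivate and account_activate) start outside the hunk, so this may already be handled earlier; worth confirming.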

+ 2 - 2
htdocs/accountancy/class/bookkeeping.class.php

@@ -294,7 +294,7 @@ class BookKeeping extends CommonObject
 		$sql = "SELECT count(*) as nb";
 		$sql .= " FROM ".MAIN_DB_PREFIX.$this->table_element;
 		$sql .= " WHERE doc_type = '".$this->db->escape($this->doc_type)."'";
-		$sql .= " AND fk_doc = ".$this->fk_doc;
+		$sql .= " AND fk_doc = ".((int) $this->fk_doc);
 		if (!empty($conf->global->ACCOUNTANCY_ENABLE_FKDOCDET)) {
 			// DO NOT USE THIS IN PRODUCTION. This will generate a lot of trouble into reports and will corrupt database (by generating duplicate entries.
 			$sql .= " AND fk_docdet = " . $this->fk_docdet;			// This field can be 0 if record is for several lines
@@ -312,7 +312,7 @@ class BookKeeping extends CommonObject
 				$sqlnum = "SELECT piece_num";
 				$sqlnum .= " FROM ".MAIN_DB_PREFIX.$this->table_element;
 				$sqlnum .= " WHERE doc_type = '".$this->db->escape($this->doc_type)."'"; // For example doc_type = 'bank'
-				$sqlnum .= " AND fk_doc = ".$this->fk_doc;
+				$sqlnum .= " AND fk_doc = ".((int) $this->fk_doc);
 				if (!empty($conf->global->ACCOUNTANCY_ENABLE_FKDOCDET)) {
 					// fk_docdet is rowid into llx_bank or llx_facturedet or llx_facturefourndet, or ...
 					$sqlnum .= " AND fk_docdet = ".((int) $this->fk_docdet);
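Review bot: The first hunk leaves `$this->fk_docdet` uncast on the line `$sql .= " AND fk_docdet = " . $this->fk_docdet;`, while the second hunk's context shows the same field already cast (`((int) $this->fk_docdet)`); the fix should be applied uniformly: `$sql .= " AND fk_docdet = ".((int) $this->fk_docdet); // This field can be 0 if record is for several lines`. The enclosing method starts before the first hunk.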

+ 1 - 1
htdocs/accountancy/journal/bankjournal.php

@@ -1320,7 +1320,7 @@ function getSourceDocRef($val, $typerecord)
 	if ($typerecord == 'payment') {
 		$sqlmid = 'SELECT payfac.fk_facture as id, f.ref as ref';
 		$sqlmid .= " FROM ".MAIN_DB_PREFIX."paiement_facture as payfac, ".MAIN_DB_PREFIX."facture as f";
-		$sqlmid .= " WHERE payfac.fk_facture = f.rowid AND payfac.fk_paiement=".$val["paymentid"];
+		$sqlmid .= " WHERE payfac.fk_facture = f.rowid AND payfac.fk_paiement=".((int) $val["paymentid"]);
 		$ref = $langs->transnoentitiesnoconv("Invoice");
 	} elseif ($typerecord == 'payment_supplier') {
 		$sqlmid = 'SELECT payfac.fk_facturefourn as id, f.ref';

+ 3 - 3
htdocs/adherents/class/adherent.class.php

@@ -598,8 +598,8 @@ class Adherent extends CommonObject
 				if ($this->user_id) {
 					// Add link to user
 					$sql = "UPDATE ".MAIN_DB_PREFIX."user SET";
-					$sql .= " fk_member = ".$this->id;
-					$sql .= " WHERE rowid = ".$this->user_id;
+					$sql .= " fk_member = ".((int) $this->id);
+					$sql .= " WHERE rowid = ".((int) $this->user_id);
 					dol_syslog(get_class($this)."::create", LOG_DEBUG);
 					$resql = $this->db->query($sql);
 					if (!$resql) {
@@ -728,7 +728,7 @@ class Adherent extends CommonObject
 		if (!empty($this->oldcopy) && $this->typeid != $this->oldcopy->typeid) {
 			$sql2 = "SELECT libelle as label";
 			$sql2 .= " FROM ".MAIN_DB_PREFIX."adherent_type";
-			$sql2 .= " WHERE rowid = ".$this->typeid;
+			$sql2 .= " WHERE rowid = ".((int) $this->typeid);
 			$resql2 = $this->db->query($sql2);
 			if ($resql2) {
 				while ($obj = $this->db->fetch_object($resql2)) {

+ 1 - 1
htdocs/adherents/class/adherent_type.class.php

@@ -362,7 +362,7 @@ class AdherentType extends CommonObject
 
 		$sql = "UPDATE ".MAIN_DB_PREFIX."adherent_type ";
 		$sql .= "SET ";
-		$sql .= "statut = ".$this->status.",";
+		$sql .= "statut = ".((int) $this->status).",";
 		$sql .= "libelle = '".$this->db->escape($this->label)."',";
 		$sql .= "morphy = '".$this->db->escape($this->morphy)."',";
 		$sql .= "subscription = '".$this->db->escape($this->subscription)."',";

+ 3 - 3
htdocs/adherents/class/api_members.class.php

@@ -228,12 +228,12 @@ class Members extends DolibarrApi
 		}
 		$sql .= ' WHERE t.entity IN ('.getEntity('adherent').')';
 		if (!empty($typeid)) {
-			$sql .= ' AND t.fk_adherent_type='.$typeid;
+			$sql .= ' AND t.fk_adherent_type='.((int) $typeid);
 		}
 		// Select members of given category
 		if ($category > 0) {
-			$sql .= " AND c.fk_categorie = ".$this->db->escape($category);
-			$sql .= " AND c.fk_member = t.rowid ";
+			$sql .= " AND c.fk_categorie = ".((int) $category);
+			$sql .= " AND c.fk_member = t.rowid";
 		}
 		// Add sql filters
 		if ($sqlfilters) {

+ 4 - 4
htdocs/adherents/class/subscription.class.php

@@ -267,14 +267,14 @@ class Subscription extends CommonObject
 		}
 
 		$sql = "UPDATE ".MAIN_DB_PREFIX."subscription SET ";
-		$sql .= " fk_type = ".$this->fk_type.",";
-		$sql .= " fk_adherent = ".$this->fk_adherent.",";
+		$sql .= " fk_type = ".((int) $this->fk_type).",";
+		$sql .= " fk_adherent = ".((int) $this->fk_adherent).",";
 		$sql .= " note=".($this->note ? "'".$this->db->escape($this->note)."'" : 'null').",";
 		$sql .= " subscription = ".price2num($this->amount).",";
 		$sql .= " dateadh='".$this->db->idate($this->dateh)."',";
 		$sql .= " datef='".$this->db->idate($this->datef)."',";
 		$sql .= " datec='".$this->db->idate($this->datec)."',";
-		$sql .= " fk_bank = ".($this->fk_bank ? $this->fk_bank : 'null');
+		$sql .= " fk_bank = ".($this->fk_bank ? ((int) $this->fk_bank) : 'null');
 		$sql .= " WHERE rowid = ".$this->id;
 
 		dol_syslog(get_class($this)."::update", LOG_DEBUG);
@@ -341,7 +341,7 @@ class Subscription extends CommonObject
 		}
 
 		if (!$error) {
-			$sql = "DELETE FROM ".MAIN_DB_PREFIX."subscription WHERE rowid = ".$this->id;
+			$sql = "DELETE FROM ".MAIN_DB_PREFIX."subscription WHERE rowid = ".((int) $this->id);
 			dol_syslog(get_class($this)."::delete", LOG_DEBUG);
 			$resql = $this->db->query($sql);
 			if ($resql) {
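Review bot: In the update hunk, `$sql .= " WHERE rowid = ".$this->id;` directly follows the newly cast `fk_type`/`fk_adherent`/`fk_bank` values but is left uncast, whereas the delete hunk casts the same `$this->id`; change it to `$sql .= " WHERE rowid = ".((int) $this->id);`. Both update() and delete() start outside their hunks.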

+ 5 - 5
htdocs/api/class/api_setup.class.php

@@ -200,7 +200,7 @@ class Setup extends DolibarrApi
 		$sql = "SELECT id, code, type, libelle as label, module";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_paiement as t";
 		$sql .= " WHERE t.entity IN (".getEntity('c_paiement').")";
-		$sql .= " AND t.active = ".$active;
+		$sql .= " AND t.active = ".((int) $active);
 		// Add sql filters
 		if ($sqlfilters) {
 			if (!DolibarrApi::_checkFilters($sqlfilters)) {
@@ -1055,7 +1055,7 @@ class Setup extends DolibarrApi
 
 		$sql = "SELECT rowid AS id, zip, town, fk_county, fk_pays AS fk_country";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_ziptown as t";
-		$sql .= " AND t.active = ".$active;
+		$sql .= " AND t.active = ".((int) $active);
 		if ($zipcode) {
 			$sql .= " AND t.zip LIKE '%".$this->db->escape($zipcode)."%'";
 		}
@@ -1125,7 +1125,7 @@ class Setup extends DolibarrApi
 		$sql = "SELECT rowid as id, code, sortorder, libelle as label, libelle_facture as descr, type_cdr, nbjour, decalage, module";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_payment_term as t";
 		$sql .= " WHERE t.entity IN (".getEntity('c_payment_term').")";
-		$sql .= " AND t.active = ".$active;
+		$sql .= " AND t.active = ".((int) $active);
 		// Add sql filters
 		if ($sqlfilters) {
 			if (!DolibarrApi::_checkFilters($sqlfilters)) {
@@ -1183,7 +1183,7 @@ class Setup extends DolibarrApi
 		$sql = "SELECT rowid as id, code, libelle as label, description, tracking, module";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_shipment_mode as t";
 		$sql .= " WHERE t.entity IN (".getEntity('c_shipment_mode').")";
-		$sql .= " AND t.active = ".$active;
+		$sql .= " AND t.active = ".((int) $active);
 		// Add sql filters
 		if ($sqlfilters) {
 			if (!DolibarrApi::_checkFilters($sqlfilters)) {
@@ -1307,7 +1307,7 @@ class Setup extends DolibarrApi
 		$sql = "SELECT t.rowid, t.entity, t.code, t.label, t.url, t.icon, t.active";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_socialnetworks as t";
 		$sql .= " WHERE t.entity IN (".getEntity('c_socialnetworks').")";
-		$sql .= " AND t.active = ".$active;
+		$sql .= " AND t.active = ".((int) $active);
 		// Add sql filters
 		if ($sqlfilters) {
 			if (!DolibarrApi::_checkFilters($sqlfilters)) {
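Review bot: In the c_ziptown hunk the line `$sql .= " AND t.active = ".((int) $active);` is appended immediately after `FROM ".MAIN_DB_PREFIX."c_ziptown as t` with no WHERE clause in between, so the resulting statement is syntactically invalid; the other four hunks in this file all have a `WHERE t.entity IN (...)` line first. The minimal fix is `$sql .= " WHERE t.active = ".((int) $active);`, which also keeps the following `AND t.zip LIKE ...` clauses valid. This is pre-existing, but the commit touches the line and leaves the bug in place.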

+ 2 - 2
htdocs/asset/class/asset_type.class.php

@@ -332,7 +332,7 @@ class AssetType extends CommonObject
 	/**
 	 * 	Return array of Asset objects for asset type this->id (or all if this->id not defined)
 	 *
-	 * 	@param	string	$excludefilter		Filter to exclude. This parameter must not be provided by input of users
+	 * 	@param	string	$excludefilter		Filter string to exclude. This parameter must not be provided by input of users
 	 *  @param	int		$mode				0=Return array of asset instance
 	 *  									1=Return array of asset instance without extra data
 	 *  									2=Return array of asset id only
@@ -347,7 +347,7 @@ class AssetType extends CommonObject
 		$sql = "SELECT a.rowid";
 		$sql .= " FROM ".MAIN_DB_PREFIX."asset as a";
 		$sql .= " WHERE a.entity IN (".getEntity('asset').")";
-		$sql .= " AND a.fk_asset_type = ".$this->id;
+		$sql .= " AND a.fk_asset_type = ".((int) $this->id);
 		if (!empty($excludefilter)) {
 			$sql .= ' AND ('.$excludefilter.')';
 		}
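Review bot: The docblock tweak for `$excludefilter` does not change the fact that it is still interpolated as a raw SQL fragment on `$sql .= ' AND ('.$excludefilter.')';`, so the method's safety depends entirely on caller discipline. Since the hunk gives no way to enforce that, at least mark the risk at the point of use: `// $excludefilter is a raw SQL fragment: callers must never build it from request input`. The method body continues outside the hunk.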

+ 2 - 2
htdocs/bom/class/bom.class.php

@@ -614,8 +614,8 @@ class BOM extends CommonObject
 		$sql .= " SET ref = '".$this->db->escape($num)."',";
 		$sql .= " status = ".self::STATUS_VALIDATED.",";
 		$sql .= " date_valid='".$this->db->idate($now)."',";
-		$sql .= " fk_user_valid = ".$user->id;
-		$sql .= " WHERE rowid = ".$this->id;
+		$sql .= " fk_user_valid = ".((int) $user->id);
+		$sql .= " WHERE rowid = ".((int) $this->id);
 
 		dol_syslog(get_class($this)."::validate()", LOG_DEBUG);
 		$resql = $this->db->query($sql);

+ 1 - 1
htdocs/bookmarks/bookmarks.lib.php

@@ -80,7 +80,7 @@ function printDropdownBookmarksList()
 
 	// Menu with list of bookmarks
 	$sql = "SELECT rowid, title, url, target FROM ".MAIN_DB_PREFIX."bookmark";
-	$sql .= " WHERE (fk_user = ".$user->id." OR fk_user is NULL OR fk_user = 0)";
+	$sql .= " WHERE (fk_user = ".((int) $user->id)." OR fk_user is NULL OR fk_user = 0)";
 	$sql .= " AND entity IN (".getEntity('bookmarks').")";
 	$sql .= " ORDER BY position";
 	if ($resql = $db->query($sql)) {

+ 1 - 1
htdocs/bookmarks/list.php

@@ -98,7 +98,7 @@ $sql .= " FROM ".MAIN_DB_PREFIX."bookmark as b LEFT JOIN ".MAIN_DB_PREFIX."user
 $sql .= " WHERE 1=1";
 $sql .= " AND b.entity IN (".getEntity('bookmark').")";
 if (!$user->admin) {
-	$sql .= " AND (b.fk_user = ".$user->id." OR b.fk_user is NULL OR b.fk_user = 0)";
+	$sql .= " AND (b.fk_user = ".((int) $user->id)." OR b.fk_user is NULL OR b.fk_user = 0)";
 }
 
 $sql .= $db->order($sortfield.", position", $sortorder);

+ 3 - 3
htdocs/categories/class/categorie.class.php

@@ -774,7 +774,7 @@ class Categorie extends CommonObject
 
 		$sql = "DELETE FROM ".MAIN_DB_PREFIX."categorie_".(empty($this->MAP_CAT_TABLE[$type]) ? $type : $this->MAP_CAT_TABLE[$type]);
 		$sql .= " WHERE fk_categorie = ".$this->id;
-		$sql .= " AND fk_".(empty($this->MAP_CAT_FK[$type]) ? $type : $this->MAP_CAT_FK[$type])." = ".$obj->id;
+		$sql .= " AND fk_".(empty($this->MAP_CAT_FK[$type]) ? $type : $this->MAP_CAT_FK[$type])." = ".((int) $obj->id);
 
 		dol_syslog(get_class($this).'::del_type', LOG_DEBUG);
 		if ($this->db->query($sql)) {
@@ -1303,7 +1303,7 @@ class Categorie extends CommonObject
 		$sql .= " FROM ".MAIN_DB_PREFIX."categorie as c ";
 		$sql .= " WHERE c.entity IN (".getEntity('category').")";
 		$sql .= " AND c.type = ".((int) $type);
-		$sql .= " AND c.fk_parent = ".$this->fk_parent;
+		$sql .= " AND c.fk_parent = ".((int) $this->fk_parent);
 		$sql .= " AND c.label = '".$this->db->escape($this->label)."'";
 
 		dol_syslog(get_class($this)."::already_exists", LOG_DEBUG);
@@ -1552,7 +1552,7 @@ class Categorie extends CommonObject
 
 		// Generation requete recherche
 		$sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."categorie";
-		$sql .= " WHERE type = ".$this->MAP_ID[$type];
+		$sql .= " WHERE type = ".((int) $this->MAP_ID[$type]);
 		$sql .= " AND entity IN (".getEntity('category').")";
 		if ($nom) {
 			if (!$exact) {
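Review bot: In the del_type hunk, `$sql .= " WHERE fk_categorie = ".$this->id;` is left uncast on the line directly above the newly cast `$obj->id`; apply the same treatment: `$sql .= " WHERE fk_categorie = ".((int) $this->id);`. The enclosing method starts before the hunk.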

+ 2 - 2
htdocs/comm/action/class/actioncomm.class.php

@@ -1896,7 +1896,7 @@ class ActionComm extends CommonObject
 					$userforfilter = new User($this->db);
 					$result = $userforfilter->fetch('', $logint);
 					if ($result > 0) {
-						$sql .= " AND ar.fk_element = ".$userforfilter->id;
+						$sql .= " AND ar.fk_element = ".((int) $userforfilter->id);
 					} elseif ($result < 0 || $condition == '=') {
 						$sql .= " AND ar.fk_element = 0";
 					}
@@ -2410,7 +2410,7 @@ class ActionComm extends CommonObject
 			// Delete also very old past events (we do not keep more than 1 month record in past)
 			$sql = "DELETE FROM ".MAIN_DB_PREFIX."actioncomm_reminder";
 			$sql .= " WHERE dateremind < '".$this->db->idate($now - (3600 * 24 * 32))."'";
-			$sql .= " AND status = ".$actionCommReminder::STATUS_DONE;
+			$sql .= " AND status = ".((int) $actionCommReminder::STATUS_DONE);
 			$resql = $this->db->query($sql);
 
 			if (!$resql) {

+ 2 - 2
htdocs/comm/action/index.php

@@ -741,10 +741,10 @@ if ($status == 'todo') {
 if ($filtert > 0 || $usergroup > 0) {
 	$sql .= " AND (";
 	if ($filtert > 0) {
-		$sql .= "ar.fk_element = ".$filtert;
+		$sql .= "ar.fk_element = ".((int) $filtert);
 	}
 	if ($usergroup > 0) {
-		$sql .= ($filtert > 0 ? " OR " : "")." ugu.fk_usergroup = ".$usergroup;
+		$sql .= ($filtert > 0 ? " OR " : "")." ugu.fk_usergroup = ".((int) $usergroup);
 	}
 	$sql .= ")";
 }

+ 1 - 1
htdocs/comm/action/pertype.php

@@ -616,7 +616,7 @@ if ($filtert > 0 || $usergroup > 0) {
 		$sql .= "ar.fk_element = ".$filtert;
 	}
 	if ($usergroup > 0) {
-		$sql .= ($filtert > 0 ? " OR " : "")." ugu.fk_usergroup = ".$usergroup;
+		$sql .= ($filtert > 0 ? " OR " : "")." ugu.fk_usergroup = ".((int) $usergroup);
 	}
 	$sql .= ")";
 }
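Review bot: The line `$sql .= "ar.fk_element = ".$filtert;` at the top of this hunk is left uncast, while the commit casts the identical line in htdocs/comm/action/index.php; the same uncast line also remains in htdocs/comm/action/peruser.php. The `$filtert > 0` guard visible in the hunk header is a loose comparison and does not guarantee an integer, so the cast is still needed: `$sql .= "ar.fk_element = ".((int) $filtert);`. The surrounding `if` block starts before the hunk.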

+ 2 - 2
htdocs/comm/action/peruser.php

@@ -637,7 +637,7 @@ if ($filtert > 0 || $usergroup > 0) {
 		$sql .= "ar.fk_element = ".$filtert;
 	}
 	if ($usergroup > 0) {
-		$sql .= ($filtert > 0 ? " OR " : "")." ugu.fk_usergroup = ".$usergroup;
+		$sql .= ($filtert > 0 ? " OR " : "")." ugu.fk_usergroup = ".((int) $usergroup);
 	}
 	$sql .= ")";
 }
@@ -899,7 +899,7 @@ while ($currentdaytoshow < $lastdaytoshow) {
 		}
 		$sql .= " WHERE u.statut = 1 AND u.entity IN (".getEntity('user').")";
 		if ($usergroup > 0) {
-			$sql .= " AND ug.fk_usergroup = ".$usergroup;
+			$sql .= " AND ug.fk_usergroup = ".((int) $usergroup);
 		}
 		//print $sql;
 		$resql = $db->query($sql);

+ 0 - 8
htdocs/comm/contact.php

@@ -104,23 +104,15 @@ if ($type == "f") {
 if ($socid) {
 	$sql .= " AND s.rowid = ".((int) $socid);
 }
-
-if (dol_strlen($stcomm)) {
-	$sql .= " AND s.fk_stcomm=".$db->escape($stcomm);
-}
-
 if (!empty($search_lastname)) {
 	$sql .= " AND p.name LIKE '%".$db->escape($search_lastname)."%'";
 }
-
 if (!empty($search_firstname)) {
 	$sql .= " AND p.firstname LIKE '%".$db->escape($search_firstname)."%'";
 }
-
 if (!empty($search_company)) {
 	$sql .= " AND s.nom LIKE '%".$db->escape($search_company)."%'";
 }
-
 if (!empty($contactname)) { // acces a partir du module de recherche
 	$sql .= " AND (p.name LIKE '%".$db->escape($contactname)."%' OR lower(p.firstname) LIKE '%".$db->escape($contactname)."%') ";
 	$sortfield = "p.name";

+ 5 - 5
htdocs/comm/propal/class/propal.class.php

@@ -2463,12 +2463,12 @@ class Propal extends CommonObject
 		$error = 0;
 
 		$sql = "UPDATE ".MAIN_DB_PREFIX."propal";
-		$sql .= " SET fk_statut = ".$status.",";
+		$sql .= " SET fk_statut = ".((int) $status).",";
 		if (!empty($note)) {
 			$sql .= " note_private = '".$this->db->escape($note)."',";
 		}
 		$sql .= " date_cloture=NULL, fk_user_cloture=NULL";
-		$sql .= " WHERE rowid = ".$this->id;
+		$sql .= " WHERE rowid = ".((int) $this->id);
 
 		$this->db->begin();
 
@@ -4305,7 +4305,7 @@ class PropaleLigne extends CommonObjectLine
 		}
 		$sql .= ", fk_parent_line=".($this->fk_parent_line > 0 ? $this->fk_parent_line : "null");
 		if (!empty($this->rang)) {
-			$sql .= ", rang=".$this->rang;
+			$sql .= ", rang=".((int) $this->rang);
 		}
 		$sql .= ", date_start=".(!empty($this->date_start) ? "'".$this->db->idate($this->date_start)."'" : "null");
 		$sql .= ", date_end=".(!empty($this->date_end) ? "'".$this->db->idate($this->date_end)."'" : "null");
@@ -4317,7 +4317,7 @@ class PropaleLigne extends CommonObjectLine
 		$sql .= ", multicurrency_total_tva=".price2num($this->multicurrency_total_tva)."";
 		$sql .= ", multicurrency_total_ttc=".price2num($this->multicurrency_total_ttc)."";
 
-		$sql .= " WHERE rowid = ".$this->id;
+		$sql .= " WHERE rowid = ".((int) $this->id);
 
 		dol_syslog(get_class($this)."::update", LOG_DEBUG);
 		$resql = $this->db->query($sql);
@@ -4365,7 +4365,7 @@ class PropaleLigne extends CommonObjectLine
 		$sql .= " total_ht=".price2num($this->total_ht, 'MT')."";
 		$sql .= ",total_tva=".price2num($this->total_tva, 'MT')."";
 		$sql .= ",total_ttc=".price2num($this->total_ttc, 'MT')."";
-		$sql .= " WHERE rowid = ".$this->rowid;
+		$sql .= " WHERE rowid = ".((int) $this->rowid);
 
 		dol_syslog("PropaleLigne::update_total", LOG_DEBUG);
 

+ 4 - 4
htdocs/comm/propal/index.php

@@ -88,7 +88,7 @@ if (!empty($conf->propal->enabled)) {
 		$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 	}
 	if ($socid) {
-		$sql .= " AND p.fk_soc = ".$socid;
+		$sql .= " AND p.fk_soc = ".((int) $socid);
 	}
 
 	$resql = $db->query($sql);
@@ -160,7 +160,7 @@ $sql .= " WHERE c.entity IN (".getEntity($propalstatic->element).")";
 $sql .= " AND c.fk_soc = s.rowid";
 //$sql.= " AND c.fk_statut > 2";
 if ($socid) {
-	$sql .= " AND c.fk_soc = ".$socid;
+	$sql .= " AND c.fk_soc = ".((int) $socid);
 }
 if (!$user->rights->societe->client->voir && !$socid) {
 	$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
@@ -318,7 +318,7 @@ if (! empty($conf->propal->enabled))
 	$sql.= " WHERE c.fk_soc = s.rowid";
 	$sql.= " AND c.entity = ".$conf->entity;
 	$sql.= " AND c.fk_statut = 1";
-	if ($socid) $sql.= " AND c.fk_soc = ".$socid;
+	if ($socid) $sql.= " AND c.fk_soc = ".((int) $socid);
 	if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
 	$sql.= " ORDER BY c.rowid DESC";
 
@@ -393,7 +393,7 @@ if (! empty($conf->propal->enabled))
 	$sql.= " WHERE c.fk_soc = s.rowid";
 	$sql.= " AND c.entity = ".$conf->entity;
 	$sql.= " AND c.fk_statut = 2 ";
-	if ($socid) $sql.= " AND c.fk_soc = ".$socid;
+	if ($socid) $sql.= " AND c.fk_soc = ".((int) $socid);
 	if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
 	$sql.= " ORDER BY c.rowid DESC";
 

+ 6 - 6
htdocs/comm/propal/list.php

@@ -593,27 +593,27 @@ if ($sall) {
 	$sql .= natural_search(array_keys($fieldstosearchall), $sall);
 }
 if ($search_categ_cus > 0) {
-	$sql .= " AND cc.fk_categorie = ".$db->escape($search_categ_cus);
+	$sql .= " AND cc.fk_categorie = ".((int) $search_categ_cus);
 }
 if ($search_categ_cus == -2) {
 	$sql .= " AND cc.fk_categorie IS NULL";
 }
 
 if ($search_fk_cond_reglement > 0) {
-	$sql .= " AND p.fk_cond_reglement = ".$db->escape($search_fk_cond_reglement);
+	$sql .= " AND p.fk_cond_reglement = ".((int) $search_fk_cond_reglement);
 }
 if ($search_fk_shipping_method > 0) {
-	$sql .= " AND p.fk_shipping_method = ".$db->escape($search_fk_shipping_method);
+	$sql .= " AND p.fk_shipping_method = ".((int) $search_fk_shipping_method);
 }
 if ($search_fk_input_reason > 0) {
-	$sql .= " AND p.fk_input_reason = ".$db->escape($search_fk_input_reason);
+	$sql .= " AND p.fk_input_reason = ".((int) $search_fk_input_reason);
 }
 if ($search_fk_mode_reglement > 0) {
-	$sql .= " AND p.fk_mode_reglement = ".$db->escape($search_fk_mode_reglement);
+	$sql .= " AND p.fk_mode_reglement = ".((int) $search_fk_mode_reglement);
 }
 
 if ($search_product_category > 0) {
-	$sql .= " AND cp.fk_categorie = ".$db->escape($search_product_category);
+	$sql .= " AND cp.fk_categorie = ".((int) $search_product_category);
 }
 if ($socid > 0) {
 	$sql .= ' AND s.rowid = '.((int) $socid);

+ 4 - 4
htdocs/comm/prospect/index.php

@@ -87,7 +87,7 @@ $sql .= " WHERE s.fk_stcomm = st.id";
 $sql .= " AND s.client IN (2, 3)";
 $sql .= " AND s.entity IN (".getEntity($companystatic->element).")";
 if (!$user->rights->societe->client->voir && !$socid) {
-	$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
+	$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 }
 $sql .= " GROUP BY st.id";
 $sql .= " ORDER BY st.id";
@@ -129,7 +129,7 @@ if (!empty($conf->propal->enabled) && $user->rights->propale->lire) {
 	$sql .= " AND p.fk_soc = s.rowid";
 	$sql .= " AND p.entity IN (".getEntity('propal').")";
 	if (!$user->rights->societe->client->voir && !$socid) {
-		$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
+		$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 	}
 
 	$resql = $db->query($sql);
@@ -191,7 +191,7 @@ if (!empty($conf->propal->enabled) && $user->rights->propale->lire) {
 	$sql .= " AND p.fk_statut = 1";
 	$sql .= " AND p.entity IN (".getEntity('propal').")";
 	if (!$user->rights->societe->client->voir && !$socid) {
-		$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
+		$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 	}
 	if ($socid) {
 		$sql .= " AND s.rowid = ".((int) $socid);
@@ -250,7 +250,7 @@ if (!$user->rights->societe->client->voir && !$socid) {
 $sql .= " WHERE s.fk_stcomm = 1";
 $sql .= " AND s.entity IN (".getEntity($companystatic->element).")";
 if (!$user->rights->societe->client->voir && !$socid) {
-	$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
+	$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);
 }
 $sql .= " ORDER BY s.tms ASC";
 $sql .= $db->plimit(15, 0);

+ 5 - 5
htdocs/commande/class/commande.class.php

@@ -2539,7 +2539,7 @@ class Commande extends CommonOrder
 
 			$sql = "UPDATE ".MAIN_DB_PREFIX."commande";
 			$sql .= " SET date_commande = ".($date ? "'".$this->db->idate($date)."'" : 'null');
-			$sql .= " WHERE rowid = ".$this->id." AND fk_statut = ".self::STATUS_DRAFT;
+			$sql .= " WHERE rowid = ".$this->id." AND fk_statut = ".((int) self::STATUS_DRAFT);
 
 			dol_syslog(__METHOD__, LOG_DEBUG);
 			$resql = $this->db->query($sql);
@@ -4559,14 +4559,14 @@ class OrderLine extends CommonOrderLine
 		}
 		$sql .= " , fk_product_fournisseur_price=".(!empty($this->fk_fournprice) ? $this->fk_fournprice : "null");
 		$sql .= " , buy_price_ht='".price2num($this->pa_ht)."'";
-		$sql .= " , info_bits=".$this->info_bits;
-		$sql .= " , special_code=".$this->special_code;
+		$sql .= " , info_bits=".((int) $this->info_bits);
+		$sql .= " , special_code=".((int) $this->special_code);
 		$sql .= " , date_start=".(!empty($this->date_start) ? "'".$this->db->idate($this->date_start)."'" : "null");
 		$sql .= " , date_end=".(!empty($this->date_end) ? "'".$this->db->idate($this->date_end)."'" : "null");
 		$sql .= " , product_type=".$this->product_type;
 		$sql .= " , fk_parent_line=".(!empty($this->fk_parent_line) ? $this->fk_parent_line : "null");
 		if (!empty($this->rang)) {
-			$sql .= ", rang=".$this->rang;
+			$sql .= ", rang=".((int) $this->rang);
 		}
 		$sql .= " , fk_unit=".(!$this->fk_unit ? 'NULL' : $this->fk_unit);
 
@@ -4576,7 +4576,7 @@ class OrderLine extends CommonOrderLine
 		$sql .= " , multicurrency_total_tva=".price2num($this->multicurrency_total_tva)."";
 		$sql .= " , multicurrency_total_ttc=".price2num($this->multicurrency_total_ttc)."";
 
-		$sql .= " WHERE rowid = ".$this->rowid;
+		$sql .= " WHERE rowid = ".((int) $this->rowid);
 
 		dol_syslog(get_class($this)."::update", LOG_DEBUG);
 		$resql = $this->db->query($sql);
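Review bot: The first hunk casts the class constant `self::STATUS_DRAFT` but leaves the variable part of the same line, `$this->id`, uncast: `" WHERE rowid = ".$this->id." AND fk_statut = ..."`. The constant is the one operand that cannot carry untrusted data, so the cast landed on the wrong side; proposed: `$sql .= " WHERE rowid = ".((int) $this->id)." AND fk_statut = ".((int) self::STATUS_DRAFT);`. In the OrderLine::update hunk, `product_type=".$this->product_type` is likewise left uncast between two lines that were cast. Both methods start before their hunks.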

+ 0 - 3
htdocs/commande/customer.php

@@ -89,9 +89,6 @@ $sql .= " AND s.entity IN (".getEntity('societe').")";
 if (!$user->rights->societe->client->voir && !$socid) {
 	$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
-if (dol_strlen($stcomm)) {
-	$sql .= " AND s.fk_stcomm=".$stcomm;
-}
 if (GETPOST("search_nom")) {
 	$sql .= natural_search("s.nom", GETPOST("search_nom"));
 }

+ 4 - 4
htdocs/commande/index.php

@@ -166,7 +166,7 @@ $sql .= " WHERE c.fk_soc = s.rowid";
 $sql .= " AND c.entity IN (".getEntity('commande').")";
 //$sql.= " AND c.fk_statut > 2";
 if ($socid) {
-	$sql .= " AND c.fk_soc = ".$socid;
+	$sql .= " AND c.fk_soc = ".((int) $socid);
 }
 if (!$user->rights->societe->client->voir && !$socid) {
 	$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
@@ -250,7 +250,7 @@ if (!empty($conf->commande->enabled)) {
 	$sql .= " AND c.entity IN (".getEntity('commande').")";
 	$sql .= " AND c.fk_statut = ".Commande::STATUS_VALIDATED;
 	if ($socid) {
-		$sql .= " AND c.fk_soc = ".$socid;
+		$sql .= " AND c.fk_soc = ".((int) $socid);
 	}
 	if (!$user->rights->societe->client->voir && !$socid) {
 		$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
@@ -337,9 +337,9 @@ if (!empty($conf->commande->enabled)) {
 	}
 	$sql .= " WHERE c.fk_soc = s.rowid";
 	$sql .= " AND c.entity IN (".getEntity('commande').")";
-	$sql .= " AND c.fk_statut = ".Commande::STATUS_ACCEPTED;
+	$sql .= " AND c.fk_statut = ".((int) Commande::STATUS_ACCEPTED);
 	if ($socid) {
-		$sql .= " AND c.fk_soc = ".$socid;
+		$sql .= " AND c.fk_soc = ".((int) $socid);
 	}
 	if (!$user->rights->societe->client->voir && !$socid) {
 		$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
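Review bot: The new cast on `Commande::STATUS_ACCEPTED` hardens a class constant that cannot carry input, while `sc.fk_user = ".$user->id` on the line below it is still concatenated raw, and `Commande::STATUS_VALIDATED` in the previous hunk is left uncast. `$user->id` comes from the authenticated session so the exposure is low, but a fix of this kind is only auditable if the rule is applied uniformly: `$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $user->id);`. After that, a grep for `= ".$` in this file should come back empty, which is the property a security review of "yogosha 6347" will want to check.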

+ 1 - 1
htdocs/commande/list.php

@@ -473,7 +473,7 @@ if ($search_user > 0) {
 $sql .= ' WHERE c.fk_soc = s.rowid';
 $sql .= ' AND c.entity IN ('.getEntity('commande').')';
 if ($search_product_category > 0) {
-	$sql .= " AND cp.fk_categorie = ".$search_product_category;
+	$sql .= " AND cp.fk_categorie = ".((int) $search_product_category);
 }
 if ($socid > 0) {
 	$sql .= ' AND s.rowid = '.((int) $socid);

+ 1 - 1
htdocs/compta/bank/bankentries_list.php

@@ -1181,7 +1181,7 @@ if ($resql) {
 			$sqlforbalance .= " ".MAIN_DB_PREFIX."bank as b";
 			$sqlforbalance .= " WHERE b.fk_account = ba.rowid";
 			$sqlforbalance .= " AND ba.entity IN (".getEntity('bank_account').")";
-			$sqlforbalance .= " AND b.fk_account = ".$search_account;
+			$sqlforbalance .= " AND b.fk_account = ".((int) $search_account);
 			$sqlforbalance .= " AND (b.datev < '".$db->idate($db->jdate($objp->dv))."' OR (b.datev = '".$db->idate($db->jdate($objp->dv))."' AND (b.dateo < '".$db->idate($db->jdate($objp->do))."' OR (b.dateo = '".$db->idate($db->jdate($objp->do))."' AND b.rowid < ".$objp->rowid."))))";
 			$resqlforbalance = $db->query($sqlforbalance);
 			//print $sqlforbalance;

+ 2 - 2
htdocs/compta/bank/class/account.class.php

@@ -1070,7 +1070,7 @@ class Account extends CommonObject
 
 		if (!$error) {
 			$sql = "DELETE FROM ".MAIN_DB_PREFIX."bank_account";
-			$sql .= " WHERE rowid = ".$this->rowid;
+			$sql .= " WHERE rowid = ".((int) $this->rowid);
 
 			dol_syslog(get_class($this)."::delete", LOG_DEBUG);
 			$result = $this->db->query($sql);
@@ -2090,7 +2090,7 @@ class AccountLine extends CommonObject
 		$sql .= " amount = ".price2num($this->amount).",";
 		$sql .= " datev='".$this->db->idate($this->datev)."',";
 		$sql .= " dateo='".$this->db->idate($this->dateo)."'";
-		$sql .= " WHERE rowid = ".$this->rowid;
+		$sql .= " WHERE rowid = ".((int) $this->rowid);
 
 		dol_syslog(get_class($this)."::update", LOG_DEBUG);
 		$resql = $this->db->query($sql);

+ 1 - 1
htdocs/compta/bank/class/api_bankaccounts.class.php

@@ -77,7 +77,7 @@ class BankAccounts extends DolibarrApi
 		$sql .= ' WHERE t.entity IN ('.getEntity('bank_account').')';
 		// Select accounts of given category
 		if ($category > 0) {
-			$sql .= " AND c.fk_categorie = ".$this->db->escape($category)." AND c.fk_account = t.rowid ";
+			$sql .= " AND c.fk_categorie = ".((int) $category)." AND c.fk_account = t.rowid";
 		}
 		// Add sql filters
 		if ($sqlfilters) {

+ 1 - 1
htdocs/compta/bank/line.php

@@ -173,7 +173,7 @@ if ($user->rights->banque->modifier && $action == "update") {
 				$sql .= " datev = '".$db->idate($dateval)."',";
 			}
 		}
-		$sql .= " fk_account = ".$actarget->id;
+		$sql .= " fk_account = ".((int) $actarget->id);
 		$sql .= " WHERE rowid = ".((int) $acline->id);
 
 		$result = $db->query($sql);

+ 1 - 1
htdocs/compta/bank/releve.php

@@ -606,7 +606,7 @@ if (empty($numref)) {
 				$sql .= ", ".MAIN_DB_PREFIX."bank_class as cl";
 				$sql .= " WHERE ct.rowid = cl.fk_categ";
 				$sql .= " AND ct.entity = ".$conf->entity;
-				$sql .= " AND cl.lineid = ".$objp->rowid;
+				$sql .= " AND cl.lineid = ".((int) $objp->rowid);
 
 				$resc = $db->query($sql);
 				if ($resc) {

+ 5 - 5
htdocs/compta/bank/various_payment/list.php

@@ -250,19 +250,19 @@ if ($search_amount_cred) {
 	$sql .= natural_search("v.amount", $search_amount_cred, 1);
 }
 if ($search_bank_account > 0) {
-	$sql .= " AND b.fk_account=".$db->escape($search_bank_account);
+	$sql .= " AND b.fk_account = ".((int) $search_bank_account);
 }
 if ($search_bank_entry > 0) {
-	$sql .= " AND b.fk_account=".$db->escape($search_bank_account);
+	$sql .= " AND b.fk_account = ".((int) $search_bank_account);
 }
 if ($search_accountancy_account > 0) {
-	$sql .= " AND v.accountancy_code=".$db->escape($search_accountancy_account);
+	$sql .= " AND v.accountancy_code = ".((int) $search_accountancy_account);
 }
 if ($search_accountancy_subledger > 0) {
-	$sql .= " AND v.subledger_account=".$db->escape($search_accountancy_subledger);
+	$sql .= " AND v.subledger_account = ".((int) $search_accountancy_subledger);
 }
 if ($typeid > 0) {
-	$sql .= " AND v.fk_typepayment=".$typeid;
+	$sql .= " AND v.fk_typepayment=".((int) $typeid);
 }
 if ($search_all) {
 	$sql .= natural_search(array_keys($fieldstosearchall), $search_all);
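Review bot: The new `(int)` casts on `v.accountancy_code` and `v.subledger_account` change what the filter matches: these are account codes rather than integer keys, and if the columns are varchar as their names suggest, `(int) '401CUST'` becomes `401` and a code with a leading zero loses it, so the search silently returns the wrong rows. For a string column the safe form is a quoted, escaped value, `$sql .= " AND v.accountancy_code = '".$db->escape($search_accountancy_account)."'";` and likewise for `v.subledger_account`, which closes the injection without the type mismatch. Separately, the `if ($search_bank_entry > 0)` branch still filters on `$search_bank_account` instead of `$search_bank_entry` (the bug predates this commit, but the rewritten line kept it), so that search field is either a no-op or a duplicate of the account filter; it should filter on the bank-entry column or be removed.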

+ 6 - 14
htdocs/compta/clients.php

@@ -71,7 +71,7 @@ llxHeader();
 $thirdpartystatic = new Societe($db);
 
 if ($action == 'note') {
-	$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET note='".$db->escape($note)."' WHERE rowid=".$socid;
+	$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET note='".$db->escape($note)."' WHERE rowid=".((int) $socid);
 	$result = $db->query($sql);
 }
 
@@ -107,29 +107,21 @@ if (!$user->rights->societe->client->voir && !$socid) {
 	$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if (dol_strlen($stcomm)) {
-	$sql .= " AND s.fk_stcomm=".$stcomm;
+	$sql .= " AND s.fk_stcomm=".((int) $stcomm);
 }
-if ($socname) {
-	$sql .= natural_search("s.nom", $socname);
-	$sortfield = "s.nom";
-	$sortorder = "ASC";
-}
-if ($_GET["search_nom"]) {
+if (GETPOST("search_nom")) {
 	$sql .= natural_search("s.nom", GETPOST("search_nom"));
 }
-if ($_GET["search_compta"]) {
+if (GETPOST("search_compta")) {
 	$sql .= natural_search("s.code_compta", GETPOST("search_compta"));
 }
-if ($_GET["search_code_client"]) {
+if (GETPOST("search_code_client")) {
 	$sql .= natural_search("s.code_client", GETPOST("search_code_client"));
 }
-if (dol_strlen($begin)) {
-	$sql .= natural_search("s.nom", $begin);
-}
 if ($socid) {
 	$sql .= " AND s.rowid = ".((int) $socid);
 }
-$sql .= " ORDER BY $sortfield $sortorder ";
+$sql .= " ORDER BY $sortfield $sortorder";
 $sql .= $db->plimit($conf->liste_limit + 1, $offset);
 //print $sql;
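Review bot: `$sql .= " ORDER BY $sortfield $sortorder";` still interpolates both values unsanitised, so if `$sortfield`/`$sortorder` are read from the request earlier in the file (the usual pattern for Dolibarr list pages; their assignment is outside this hunk) the ORDER BY remains an injection point after the integer casts above it. Elsewhere in this same commit the ordering is built with `$db->order($sortfield, $sortorder)` (cheque/card.php, resultat/clientfourn.php), which validates the field list and direction; use `$sql .= $db->order($sortfield, $sortorder);` here as well. Note that deleting the `$socname` branch also removed the only code that forced `$sortfield = "s.nom"`, so the sort now comes entirely from whatever sets `$sortfield`; confirm that default is a literal.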
 

+ 1 - 1
htdocs/compta/facture/class/api_invoices.class.php

@@ -217,7 +217,7 @@ class Invoices extends DolibarrApi
 		}
 		// Insert sale filter
 		if ($search_sale > 0) {
-			$sql .= " AND sc.fk_user = ".$search_sale;
+			$sql .= " AND sc.fk_user = ".((int) $search_sale);
 		}
 		// Add sql filters
 		if ($sqlfilters) {

+ 8 - 8
htdocs/compta/facture/class/facture-rec.class.php

@@ -470,9 +470,9 @@ class FactureRec extends CommonInvoice
 		$error = 0;
 
 		$sql = "UPDATE ".MAIN_DB_PREFIX."facture_rec SET";
-		$sql .= " fk_soc = ".$this->fk_soc;
+		$sql .= " fk_soc = ".((int) $this->fk_soc);
 		// TODO Add missing fields
-		$sql .= " WHERE rowid = ".$this->id;
+		$sql .= " WHERE rowid = ".((int) $this->id);
 
 		dol_syslog(get_class($this)."::update", LOG_DEBUG);
 		$resql = $this->db->query($sql);
@@ -1136,12 +1136,12 @@ class FactureRec extends CommonInvoice
 			$sql .= ", qty=".price2num($qty);
 			$sql .= ", tva_tx=".price2num($txtva);
 			$sql .= ", vat_src_code='".$this->db->escape($vat_src_code)."'";
-			$sql .= ", localtax1_tx=".$txlocaltax1;
+			$sql .= ", localtax1_tx=".((float) $txlocaltax1);
 			$sql .= ", localtax1_type='".$this->db->escape($localtaxes_type[0])."'";
-			$sql .= ", localtax2_tx=".$txlocaltax2;
+			$sql .= ", localtax2_tx=".((float) $txlocaltax2);
 			$sql .= ", localtax2_type='".$this->db->escape($localtaxes_type[2])."'";
 			$sql .= ", fk_product=".(!empty($fk_product) ? "'".$this->db->escape($fk_product)."'" : "null");
-			$sql .= ", product_type=".$product_type;
+			$sql .= ", product_type=".((int) $product_type);
 			$sql .= ", remise_percent='".price2num($remise_percent)."'";
 			$sql .= ", subprice='".price2num($pu_ht)."'";
 			$sql .= ", total_ht='".price2num($total_ht)."'";
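Review bot: The `(float)` casts on `localtax1_tx` and `localtax2_tx` make the SQL depend on the PHP locale: before PHP 8.0 a float is stringified with the LC_NUMERIC decimal separator, so under a locale such as fr_FR `(float) 2.5` is concatenated as `2,5` and the UPDATE fails or mis-parses. The adjacent lines already use `price2num()` for the other numeric columns (`qty=".price2num($qty)`, `tva_tx=".price2num($txtva)`), so the consistent fix is `$sql .= ", localtax1_tx=".price2num($txlocaltax1);` and `$sql .= ", localtax2_tx=".price2num($txlocaltax2);`. That keeps the injection closed in the same way as the neighbouring amounts and removes the locale dependency. The enclosing updateline() starts and ends outside the hunk.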
@@ -2124,11 +2124,11 @@ class FactureLigneRec extends CommonInvoiceLine
 			$sql .= ", total_localtax2=".price2num($this->total_localtax2);
 			$sql .= ", total_ttc=".price2num($this->total_ttc);
 		}
-		$sql .= ", rang=".$this->rang;
-		$sql .= ", special_code=".$this->special_code;
+		$sql .= ", rang=".((int) $this->rang);
+		$sql .= ", special_code=".((int) $this->special_code);
 		$sql .= ", fk_unit=".($this->fk_unit ? "'".$this->db->escape($this->fk_unit)."'" : "null");
 		$sql .= ", fk_contract_line=".($this->fk_contract_line ? $this->fk_contract_line : "null");
-		$sql .= " WHERE rowid = ".$this->id;
+		$sql .= " WHERE rowid = ".((int) $this->id);
 
 		$this->db->begin();
 

+ 3 - 3
htdocs/compta/facture/class/facture.class.php

@@ -4105,7 +4105,7 @@ class Facture extends CommonInvoice
 		$sql .= " AND pf.fk_paiement IS NULL"; // Aucun paiement deja fait
 		$sql .= " AND ff.fk_statut IS NULL"; // Renvoi vrai si pas facture de remplacement
 		if ($socid > 0) {
-			$sql .= " AND f.fk_soc = ".$socid;
+			$sql .= " AND f.fk_soc = ".((int) $socid);
 		}
 		$sql .= " ORDER BY f.ref";
 
@@ -5594,7 +5594,7 @@ class FactureLigne extends CommonInvoiceLine
 		$sql .= ", buy_price_ht=".(($this->pa_ht || $this->pa_ht === 0 || $this->pa_ht === '0') ? price2num($this->pa_ht) : "null");	// $this->pa_ht should always be defined (set to 0 or to sell price depending on option)
 		$sql .= ", fk_parent_line=".($this->fk_parent_line > 0 ? $this->fk_parent_line : "null");
 		if (!empty($this->rang)) {
-			$sql .= ", rang=".$this->rang;
+			$sql .= ", rang=".((int) $this->rang);
 		}
 		$sql .= ", situation_percent=".$this->situation_percent;
 		$sql .= ", fk_unit=".(!$this->fk_unit ? 'NULL' : $this->fk_unit);
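Review bot: `situation_percent=".$this->situation_percent` two lines below the new `rang` cast is still concatenated raw, as are `fk_unit` on the next line and `fk_parent_line` above; the hunk fixes one of four unparameterised values in the same UPDATE. situation_percent is a percentage, so the matching form is `$sql .= ", situation_percent=".price2num($this->situation_percent);`, and the two foreign keys take the same cast as rang: `$sql .= ", fk_unit=".(!$this->fk_unit ? 'NULL' : ((int) $this->fk_unit));`. Whether these properties are ever populated from request data depends on the callers of FactureLigne::update, which are outside the hunk, but the point of this fix is to stop depending on that. update() starts and ends outside the hunk.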
@@ -5606,7 +5606,7 @@ class FactureLigne extends CommonInvoiceLine
 		$sql .= ", multicurrency_total_tva=".price2num($this->multicurrency_total_tva)."";
 		$sql .= ", multicurrency_total_ttc=".price2num($this->multicurrency_total_ttc)."";
 
-		$sql .= " WHERE rowid = ".$this->rowid;
+		$sql .= " WHERE rowid = ".((int) $this->rowid);
 
 		dol_syslog(get_class($this)."::update", LOG_DEBUG);
 		$resql = $this->db->query($sql);

+ 6 - 6
htdocs/compta/facture/list.php

@@ -546,7 +546,7 @@ if (!$user->rights->societe->client->voir && !$socid) {
 	$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 }
 if ($search_product_category > 0) {
-	$sql .= " AND cp.fk_categorie = ".$db->escape($search_product_category);
+	$sql .= " AND cp.fk_categorie = ".((int) $search_product_category);
 }
 if ($socid > 0) {
 	$sql .= ' AND s.rowid = '.((int) $socid);
@@ -634,7 +634,7 @@ if ($search_login) {
 	$sql .= natural_search(array('u.login', 'u.firstname', 'u.lastname'), $search_login);
 }
 if ($search_categ_cus > 0) {
-	$sql .= " AND cc.fk_categorie = ".$db->escape($search_categ_cus);
+	$sql .= " AND cc.fk_categorie = ".((int) $search_categ_cus);
 }
 if ($search_categ_cus == -2) {
 	$sql .= " AND cc.fk_categorie IS NULL";
@@ -659,10 +659,10 @@ if ($search_status != '-1' && $search_status != '') {
 }
 
 if ($search_paymentmode > 0) {
-	$sql .= " AND f.fk_mode_reglement = ".$db->escape($search_paymentmode);
+	$sql .= " AND f.fk_mode_reglement = ".((int) $search_paymentmode);
 }
 if ($search_paymentterms > 0) {
-	$sql .= " AND f.fk_cond_reglement = ".$db->escape($search_paymentterms);
+	$sql .= " AND f.fk_cond_reglement = ".((int) $search_paymentterms);
 }
 if ($search_module_source) {
 	$sql .= natural_search("f.module_source", $search_module_source);
@@ -692,10 +692,10 @@ if ($option == 'late') {
 	$sql .= " AND f.date_lim_reglement < '".$db->idate(dol_now() - $conf->facture->client->warning_delay)."'";
 }
 if ($search_sale > 0) {
-	$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".(int) $search_sale;
+	$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $search_sale);
 }
 if ($search_user > 0) {
-	$sql .= " AND ec.fk_c_type_contact = tc.rowid AND tc.element='facture' AND tc.source='internal' AND ec.element_id = f.rowid AND ec.fk_socpeople = ".$search_user;
+	$sql .= " AND ec.fk_c_type_contact = tc.rowid AND tc.element='facture' AND tc.source='internal' AND ec.element_id = f.rowid AND ec.fk_socpeople = ".((int) $search_user);
 }
 // Add where from extra fields
 include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_search_sql.tpl.php';

+ 3 - 3
htdocs/compta/index.php

@@ -138,7 +138,7 @@ if (!empty($conf->facture->enabled) && !empty($user->rights->facture->lire)) {
 		$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 	}
 	if ($socid) {
-		$sql .= " AND f.fk_soc = ".$socid;
+		$sql .= " AND f.fk_soc = ".((int) $socid);
 	}
 	// Add where from hooks
 	$parameters = array();
@@ -283,7 +283,7 @@ if ((!empty($conf->fournisseur->enabled) && empty($conf->global->MAIN_USE_NEW_SU
 		$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 	}
 	if ($socid) {
-		$sql .= " AND ff.fk_soc = ".$socid;
+		$sql .= " AND ff.fk_soc = ".((int) $socid);
 	}
 	// Add where from hooks
 	$parameters = array();
@@ -593,7 +593,7 @@ if (!empty($conf->facture->enabled) && !empty($conf->commande->enabled) && $user
 		$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 	}
 	if ($socid) {
-		$sql .= " AND c.fk_soc = ".$socid;
+		$sql .= " AND c.fk_soc = ".((int) $socid);
 	}
 	$sql .= " AND c.fk_statut = ".Commande::STATUS_CLOSED;
 	$sql .= " AND c.facture = 0";

+ 1 - 1
htdocs/compta/localtax/class/localtax.class.php

@@ -170,7 +170,7 @@ class Localtax extends CommonObject
 
 		// Update request
 		$sql = "UPDATE ".MAIN_DB_PREFIX."localtax SET";
-		$sql .= " localtaxtype=".$this->ltt.",";
+		$sql .= " localtaxtype=".((int) $this->ltt).",";
 		$sql .= " tms='".$this->db->idate($this->tms)."',";
 		$sql .= " datep='".$this->db->idate($this->datep)."',";
 		$sql .= " datev='".$this->db->idate($this->datev)."',";

+ 2 - 2
htdocs/compta/localtax/index.php

@@ -584,7 +584,7 @@ $sql .= "SELECT SUM(amount) as mm, date_format(f.datev,'%Y-%m') as dm, 'claimed'
 $sql .= " FROM ".MAIN_DB_PREFIX."localtax as f";
 $sql .= " WHERE f.entity = ".$conf->entity;
 $sql .= " AND (f.datev >= '".$db->idate($date_start)."' AND f.datev <= '".$db->idate($date_end)."')";
-$sql .= " AND localtaxtype=".$localTaxType;
+$sql .= " AND localtaxtype=".((int) $localTaxType);
 $sql .= " GROUP BY dm";
 
 $sql .= " UNION ";
@@ -593,7 +593,7 @@ $sql .= "SELECT SUM(amount) as mm, date_format(f.datep,'%Y-%m') as dm, 'paid' as
 $sql .= " FROM ".MAIN_DB_PREFIX."localtax as f";
 $sql .= " WHERE f.entity = ".$conf->entity;
 $sql .= " AND (f.datep >= '".$db->idate($date_start)."' AND f.datep <= '".$db->idate($date_end)."')";
-$sql .= " AND localtaxtype=".$localTaxType;
+$sql .= " AND localtaxtype=".((int) $localTaxType);
 $sql .= " GROUP BY dm";
 
 $sql .= " ORDER BY dm ASC, mode ASC";

+ 1 - 1
htdocs/compta/paiement/cheque/card.php

@@ -606,7 +606,7 @@ if ($action == 'new') {
 	$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."paiement as p ON p.fk_bank = b.rowid";
 	$sql .= " WHERE ba.entity IN (".getEntity('bank_account').")";
 	$sql .= " AND b.fk_type= 'CHQ'";
-	$sql .= " AND b.fk_bordereau = ".$object->id;
+	$sql .= " AND b.fk_bordereau = ".((int) $object->id);
 	$sql .= $db->order($sortfield, $sortorder);
 
 	$resql = $db->query($sql);

+ 1 - 1
htdocs/compta/paiement/cheque/list.php

@@ -104,7 +104,7 @@ if ($search_ref) {
 	$sql .= natural_search("bc.ref", $search_ref);
 }
 if ($search_account > 0) {
-	$sql .= " AND bc.fk_bank_account=".$search_account;
+	$sql .= " AND bc.fk_bank_account = ".((int) $search_account);
 }
 if ($search_amount) {
 	$sql .= natural_search("bc.amount", price2num($search_amount));

+ 1 - 1
htdocs/compta/paiement/tovalidate.php

@@ -78,7 +78,7 @@ if ($socid) {
 }
 $sql .= " WHERE p.entity IN (".getEntity('invoice').')';
 if ($socid) {
-	$sql .= " AND f.fk_soc = ".$socid;
+	$sql .= " AND f.fk_soc = ".((int) $socid);
 }
 $sql .= " AND p.statut = 0";
 

+ 1 - 1
htdocs/compta/prelevement/class/bonprelevement.class.php

@@ -203,7 +203,7 @@ class BonPrelevement extends CommonObject
 			$sql = "SELECT rowid";
 			$sql .= " FROM  ".MAIN_DB_PREFIX."prelevement_lignes";
 			$sql .= " WHERE fk_prelevement_bons = ".$this->id;
-			$sql .= " AND fk_soc =".$client_id;
+			$sql .= " AND fk_soc =".((int) $client_id);
 			$sql .= " AND code_banque = '".$this->db->escape($code_banque)."'";
 			$sql .= " AND code_guichet = '".$this->db->escape($code_guichet)."'";
 			$sql .= " AND number = '".$this->db->escape($number)."'";
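Review bot: `WHERE fk_prelevement_bons = ".$this->id` on the line above the new cast is still concatenated raw while `$client_id` directly below it is cast. `$this->id` normally comes from a fetch and is an integer, but the rest of the query is escaped and casting this one value is free: `$sql .= " WHERE fk_prelevement_bons = ".((int) $this->id);`. The enclosing method starts and ends outside the hunk.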

+ 3 - 3
htdocs/compta/prelevement/class/rejetprelevement.class.php

@@ -329,7 +329,7 @@ class RejetPrelevement
 
 		$sql = "SELECT pr.date_rejet as dr, motif, afacturer";
 		$sql .= " FROM ".MAIN_DB_PREFIX."prelevement_rejet as pr";
-		$sql .= " WHERE pr.fk_prelevement_lignes =".$rowid;
+		$sql .= " WHERE pr.fk_prelevement_lignes =".((int) $rowid);
 
 		$resql = $this->db->query($sql);
 		if ($resql) {
@@ -345,11 +345,11 @@ class RejetPrelevement
 
 				return 0;
 			} else {
-				dol_syslog("RejetPrelevement::Fetch Erreur rowid=$rowid numrows=0");
+				dol_syslog("RejetPrelevement::Fetch Erreur rowid=".$rowid." numrows=0");
 				return -1;
 			}
 		} else {
-			dol_syslog("RejetPrelevement::Fetch Erreur rowid=$rowid");
+			dol_syslog("RejetPrelevement::Fetch Erreur rowid=".$rowid);
 			return -2;
 		}
 	}

+ 3 - 3
htdocs/compta/prelevement/fiche-rejet.php

@@ -170,15 +170,15 @@ $sql .= " FROM ".MAIN_DB_PREFIX."prelevement_bons as p";
 $sql .= " , ".MAIN_DB_PREFIX."prelevement_lignes as pl";
 $sql .= " , ".MAIN_DB_PREFIX."societe as s";
 $sql .= " , ".MAIN_DB_PREFIX."prelevement_rejet as pr";
-$sql .= " WHERE p.rowid=".$object->id;
+$sql .= " WHERE p.rowid=".((int) $object->id);
 $sql .= " AND pl.fk_prelevement_bons = p.rowid";
 $sql .= " AND p.entity = ".$conf->entity;
 $sql .= " AND pl.fk_soc = s.rowid";
 $sql .= " AND pl.statut = 3 ";
 $sql .= " AND pr.fk_prelevement_lignes = pl.rowid";
-if ($socid) {
+/*if ($socid) {
 	$sql .= " AND s.rowid = ".((int) $socid);
-}
+}*/
 $sql .= " ORDER BY pl.amount DESC";
 
 // Count total nb of records

+ 1 - 1
htdocs/compta/recap-compta.php

@@ -189,7 +189,7 @@ if ($id > 0) {
 				$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."user as u ON p.fk_user_creat = u.rowid";
 				$sql .= " WHERE pf.fk_paiement = p.rowid";
 				$sql .= " AND p.entity = ".$conf->entity;
-				$sql .= " AND pf.fk_facture = ".$fac->id;
+				$sql .= " AND pf.fk_facture = ".((int) $fac->id);
 				$sql .= " ORDER BY p.datep ASC, p.rowid ASC";
 
 				$resqlp = $db->query($sql);

+ 1 - 1
htdocs/compta/resultat/clientfourn.php

@@ -403,7 +403,7 @@ if ($modecompta == 'BOOKKEEPING') {
 	}
 	$sql .= " AND f.entity IN (".getEntity('invoice').")";
 	if ($socid) {
-		$sql .= " AND f.fk_soc = ".$socid;
+		$sql .= " AND f.fk_soc = ".((int) $socid);
 	}
 	$sql .= " GROUP BY name, socid";
 	$sql .= $db->order($sortfield, $sortorder);

+ 3 - 3
htdocs/compta/sociales/list.php

@@ -218,7 +218,7 @@ if ($search_amount) {
 	$sql .= natural_search("cs.amount", $search_amount, 1);
 }
 if ($search_status != '' && $search_status >= 0) {
-	$sql .= " AND cs.paye = ".$db->escape($search_status);
+	$sql .= " AND cs.paye = ".((int) $search_status);
 }
 $sql .= dolSqlDateFilter("cs.periode", $search_day_lim, $search_month_lim, $search_year_lim);
 //$sql.= dolSqlDateFilter("cs.periode", 0, 0, $year);
@@ -230,8 +230,8 @@ if ($year > 0) {
 	$sql .= "OR (cs.periode IS NULL AND date_format(cs.date_ech, '%Y') = '".$db->escape($year)."')";
 	$sql .= ")";
 }
-if ($search_typeid) {
-	$sql .= " AND cs.fk_type=".$db->escape($search_typeid);
+if ($search_typeid > 0) {
+	$sql .= " AND cs.fk_type = ".((int) $search_typeid);
 }
 $sql .= " GROUP BY cs.rowid, cs.fk_type, cs.fk_user, cs.amount, cs.date_ech, cs.libelle, cs.paye, cs.periode, c.libelle, cs.fk_account, ba.label, ba.ref, ba.number, ba.account_number, ba.iban_prefix, ba.bic, ba.currency_code, ba.clos, pay.code, u.lastname";
 if (!empty($conf->projet->enabled)) {

+ 1 - 1
htdocs/compta/stats/cabyuser.php

@@ -262,7 +262,7 @@ if ($modecompta == 'CREANCES-DETTES') {
 }
 $sql .= " AND f.entity IN (".getEntity('invoice').")";
 if ($socid) {
-	$sql .= " AND f.fk_soc = ".$socid;
+	$sql .= " AND f.fk_soc = ".((int) $socid);
 }
 $sql .= " GROUP BY u.rowid, u.lastname, u.firstname";
 $sql .= " ORDER BY u.rowid";

+ 1 - 1
htdocs/compta/stats/index.php

@@ -681,7 +681,7 @@ print '</div>';
  AND p.facture =0";
  if ($socid)
  {
- $sql .= " AND f.fk_soc = ".$socid;
+ $sql .= " AND f.fk_soc = ".((int) $socid);
  }
  $sql .= " GROUP BY p.rowid";
 

+ 2 - 2
htdocs/compta/stats/supplier_turnover.php

@@ -197,7 +197,7 @@ if ($modecompta == 'CREANCES-DETTES') {
 	$sql .= " AND f.type IN (0,2)";
 	$sql .= " AND f.entity IN (".getEntity('supplier_invoice').")";
 	if ($socid) {
-		$sql .= " AND f.fk_soc = ".$socid;
+		$sql .= " AND f.fk_soc = ".((int) $socid);
 	}
 } elseif ($modecompta == "RECETTES-DEPENSES") {
 	$sql = "SELECT date_format(p.datep,'%Y-%m') as dm, sum(pf.amount) as amount_ttc";
@@ -208,7 +208,7 @@ if ($modecompta == 'CREANCES-DETTES') {
 	$sql .= " AND pf.fk_facturefourn = f.rowid";
 	$sql .= " AND f.entity IN (".getEntity('supplier_invoice').")";
 	if ($socid) {
-		$sql .= " AND f.fk_soc = ".$socid;
+		$sql .= " AND f.fk_soc = ".((int) $socid);
 	}
 } elseif ($modecompta == "BOOKKEEPING") {
 	$pcgverid = $conf->global->CHARTOFACCOUNTS;

+ 1 - 1
htdocs/compta/stats/supplier_turnover_by_thirdparty.php

@@ -301,7 +301,7 @@ if ($search_country > 0) {
 }
 $sql .= " AND f.entity IN (".getEntity('supplier_invoice').")";
 if ($socid) {
-	$sql .= " AND f.fk_soc = ".$socid;
+	$sql .= " AND f.fk_soc = ".((int) $socid);
 }
 $sql .= " GROUP BY s.rowid, s.nom, s.zip, s.town, s.fk_pays";
 $sql .= " ORDER BY s.rowid";

+ 1 - 1
htdocs/compta/tva/class/tva.class.php

@@ -207,7 +207,7 @@ class Tva extends CommonObject
 		$sql .= " amount=".price2num($this->amount).",";
 		$sql .= " label='".$this->db->escape($this->label)."',";
 		$sql .= " note='".$this->db->escape($this->note)."',";
-		$sql .= " fk_user_creat=".$this->fk_user_creat.",";
+		$sql .= " fk_user_creat=".((int) $this->fk_user_creat).",";
 		$sql .= " fk_user_modif=".($this->fk_user_modif > 0 ? $this->fk_user_modif : $user->id)."";
 		$sql .= " WHERE rowid=".((int) $this->id);
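Review bot: `fk_user_modif=".($this->fk_user_modif > 0 ? $this->fk_user_modif : $user->id)` on the line after the new `fk_user_creat` cast still concatenates `$this->fk_user_modif` raw, and `> 0` is not a type check: PHP 8 compares a non-numeric string with an int as strings, so `"1 OR 1=1" > 0` is true and the string is emitted as-is. Cast it like the line above: `$sql .= " fk_user_modif=".($this->fk_user_modif > 0 ? ((int) $this->fk_user_modif) : ((int) $user->id));`. The enclosing update() starts outside the hunk.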
 

+ 3 - 3
htdocs/compta/tva/list.php

@@ -171,16 +171,16 @@ if (!empty($search_datepayment_end)) {
 	$sql .= ' AND t.datep <= "'.$db->idate($search_datepayment_end).'"';
 }
 if (!empty($search_type) && $search_type > 0) {
-	$sql .= ' AND t.fk_typepayment='.$search_type;
+	$sql .= ' AND t.fk_typepayment = '.((int) $search_type);
 }
 if (!empty($search_account) && $search_account > 0) {
-	$sql .= ' AND t.fk_account='.$search_account;
+	$sql .= ' AND t.fk_account = '.((int) $search_account);
 }
 if (!empty($search_amount)) {
 	$sql .= natural_search('t.amount', price2num(trim($search_amount)), 1);
 }
 if ($search_status != '' && $search_status >= 0) {
-	$sql .= " AND t.paye = ".$db->escape($search_status);
+	$sql .= " AND t.paye = ".((int) $search_status);
 }
 
 $sql .= " GROUP BY t.rowid, t.amount, t.label, t.datev, t.datep, t.paye, t.fk_typepayment, t.fk_account, ba.label, ba.ref, ba.number, ba.account_number, ba.iban_prefix, ba.bic, ba.currency_code, ba.clos, t.num_payment, pst.code";
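Review bot: The context line above the first change, `' AND t.datep <= "'.$db->idate($search_datepayment_end).'"'`, wraps the date in double quotes, which is a MySQL-only string literal: under ANSI_QUOTES or on PostgreSQL double quotes delimit identifiers and the query fails. Every other date filter in this commit uses single quotes (`"'".$db->idate(...)."'"`), so this should read `$sql .= " AND t.datep <= '".$db->idate($search_datepayment_end)."'";`, and the same applies to any sibling `>=`/datev filters if they follow the pattern outside the hunk. Not introduced by this commit, but it sits in the block being hardened and is cheap to fix in the same pass.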

+ 8 - 8
htdocs/contact/class/contact.class.php

@@ -591,11 +591,11 @@ class Contact extends CommonObject
 		if (isset($this->stcomm_id)) {
 			$sql .= ", fk_stcommcontact = ".($this->stcomm_id > 0 || $this->stcomm_id == -1 ? $this->stcomm_id : "0");
 		}
-		$sql .= ", statut = ".$this->db->escape($this->statut);
+		$sql .= ", statut = ".((int) $this->statut);
 		$sql .= ", fk_user_modif=".($user->id > 0 ? "'".$this->db->escape($user->id)."'" : "NULL");
 		$sql .= ", default_lang=".($this->default_lang ? "'".$this->db->escape($this->default_lang)."'" : "NULL");
-		$sql .= ", entity = ".$this->db->escape($this->entity);
-		$sql .= " WHERE rowid=".$this->db->escape($id);
+		$sql .= ", entity = ".((int) $this->entity);
+		$sql .= " WHERE rowid=".((int) $id);
 
 		dol_syslog(get_class($this)."::update", LOG_DEBUG);
 		$result = $this->db->query($sql);
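Review bot: `fk_stcommcontact = ".($this->stcomm_id > 0 || $this->stcomm_id == -1 ? $this->stcomm_id : "0")` on the line above the new `statut` cast still passes `$this->stcomm_id` through raw, and the guard does not make it numeric: under PHP 8 `"1 OR 1=1" > 0` compares as strings and is true, and under PHP 7 a leading-numeric string such as `"-1 OR 1=1"` satisfies `== -1`. Whether stcomm_id is ever set from request input depends on the callers of Contact::update (outside the hunk), but the cast used for statut removes the question: `$sql .= ", fk_stcommcontact = ".($this->stcomm_id > 0 || $this->stcomm_id == -1 ? ((int) $this->stcomm_id) : "0");`. update() starts and ends outside the hunk.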
@@ -1221,7 +1221,7 @@ class Contact extends CommonObject
 					$obj = $this->db->fetch_object($resql);
 
 					$sqldel = "DELETE FROM ".MAIN_DB_PREFIX."element_contact";
-					$sqldel .= " WHERE rowid = ".$obj->rowid;
+					$sqldel .= " WHERE rowid = ".((int) $obj->rowid);
 					dol_syslog(__METHOD__, LOG_DEBUG);
 					$result = $this->db->query($sqldel);
 					if (!$result) {
@@ -1324,7 +1324,7 @@ class Contact extends CommonObject
 		$sql = "SELECT c.rowid, c.datec as datec, c.fk_user_creat,";
 		$sql .= " c.tms as tms, c.fk_user_modif";
 		$sql .= " FROM ".MAIN_DB_PREFIX."socpeople as c";
-		$sql .= " WHERE c.rowid = ".$this->db->escape($id);
+		$sql .= " WHERE c.rowid = ".((int) $id);
 
 		$resql = $this->db->query($sql);
 		if ($resql) {
@@ -1770,10 +1770,10 @@ class Contact extends CommonObject
 		$sql = "SELECT sc.fk_socpeople as id, sc.fk_c_type_contact";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_type_contact tc";
 		$sql .= ", ".MAIN_DB_PREFIX."societe_contacts sc";
-		$sql .= " WHERE sc.fk_soc =".$this->socid;
+		$sql .= " WHERE sc.fk_soc =".((int) $this->socid);
 		$sql .= " AND sc.fk_c_type_contact=tc.rowid";
-		$sql .= " AND tc.element='".$this->db->escape($element)."'";
-		$sql .= " AND tc.active=1";
+		$sql .= " AND tc.element = '".$this->db->escape($element)."'";
+		$sql .= " AND tc.active = 1";
 
 		dol_syslog(__METHOD__, LOG_DEBUG);
 		$resql = $this->db->query($sql);

+ 6 - 6
htdocs/contact/list.php

@@ -392,7 +392,7 @@ if (!$user->rights->societe->client->voir && !$socid) { //restriction
 	$sql .= " AND (sc.fk_user = ".$user->id." OR p.fk_soc IS NULL)";
 }
 if (!empty($userid)) {    // propre au commercial
-	$sql .= " AND p.fk_user_creat=".$db->escape($userid);
+	$sql .= " AND p.fk_user_creat=".((int) $userid);
 }
 if ($search_level) {
 	$sql .= natural_search("p.fk_prospectcontactlevel", join(',', $search_level), 3);
@@ -414,19 +414,19 @@ if ($search_priv != '0' && $search_priv != '1') {
 }
 
 if ($search_categ > 0) {
-	$sql .= " AND cc.fk_categorie = ".$db->escape($search_categ);
+	$sql .= " AND cc.fk_categorie = ".((int) $search_categ);
 }
 if ($search_categ == -2) {
 	$sql .= " AND cc.fk_categorie IS NULL";
 }
 if ($search_categ_thirdparty > 0) {
-	$sql .= " AND cs.fk_categorie = ".$db->escape($search_categ_thirdparty);
+	$sql .= " AND cs.fk_categorie = ".((int) $search_categ_thirdparty);
 }
 if ($search_categ_thirdparty == -2) {
 	$sql .= " AND cs.fk_categorie IS NULL";
 }
 if ($search_categ_supplier > 0) {
-	$sql .= " AND cs2.fk_categorie = ".$db->escape($search_categ_supplier);
+	$sql .= " AND cs2.fk_categorie = ".((int) $search_categ_supplier);
 }
 if ($search_categ_supplier == -2) {
 	$sql .= " AND cs2.fk_categorie IS NULL";
@@ -495,10 +495,10 @@ if (count($search_roles) > 0) {
 	$sql .= " AND p.rowid IN (SELECT sc.fk_socpeople FROM ".MAIN_DB_PREFIX."societe_contacts as sc WHERE sc.fk_c_type_contact IN (".$db->sanitize(implode(',', $search_roles))."))";
 }
 if ($search_no_email != '' && $search_no_email >= 0) {
-	$sql .= " AND p.no_email = ".$db->escape($search_no_email);
+	$sql .= " AND p.no_email = ".((int) $search_no_email);
 }
 if ($search_status != '' && $search_status >= 0) {
-	$sql .= " AND p.statut = ".$db->escape($search_status);
+	$sql .= " AND p.statut = ".((int) $search_status);
 }
 if ($search_import_key) {
 	$sql .= natural_search("p.import_key", $search_import_key);

+ 4 - 4
htdocs/contrat/class/contrat.class.php

@@ -3066,9 +3066,9 @@ class ContratLigne extends CommonObjectLine
 
 		// Update request
 		$sql = "UPDATE ".MAIN_DB_PREFIX."contratdet SET";
-		$sql .= " fk_contrat=".$this->fk_contrat.",";
+		$sql .= " fk_contrat=".((int) $this->fk_contrat).",";
 		$sql .= " fk_product=".($this->fk_product ? "'".$this->db->escape($this->fk_product)."'" : 'null').",";
-		$sql .= " statut=".$this->statut.",";
+		$sql .= " statut=".((int) $this->statut).",";
 		$sql .= " label='".$this->db->escape($this->label)."',";
 		$sql .= " description='".$this->db->escape($this->description)."',";
 		$sql .= " date_commande=".($this->date_commande != '' ? "'".$this->db->idate($this->date_commande)."'" : "null").",";
@@ -3373,11 +3373,11 @@ class ContratLigne extends CommonObjectLine
 
 		$this->db->begin();
 
-		$sql = "UPDATE ".MAIN_DB_PREFIX."contratdet SET statut = ".ContratLigne::STATUS_CLOSED.",";
+		$sql = "UPDATE ".MAIN_DB_PREFIX."contratdet SET statut = ".((int) ContratLigne::STATUS_CLOSED).",";
 		$sql .= " date_cloture = '".$this->db->idate($date_end)."',";
 		$sql .= " fk_user_cloture = ".$user->id.",";
 		$sql .= " commentaire = '".$this->db->escape($comment)."'";
-		$sql .= " WHERE rowid = ".$this->id." AND statut = ".ContratLigne::STATUS_OPEN;
+		$sql .= " WHERE rowid = ".$this->id." AND statut = ".((int) ContratLigne::STATUS_OPEN);
 
 		$resql = $this->db->query($sql);
 		if ($resql) {
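Review bot: Casting `ContratLigne::STATUS_CLOSED` and `STATUS_OPEN` hardens class constants that can never carry input, while the two values in the same statement that could, `fk_user_cloture = ".$user->id` and `WHERE rowid = ".$this->id`, remain concatenated raw. `$this->id` is the real target of this kind of fix; write `$sql .= " WHERE rowid = ".((int) $this->id)." AND statut = ".((int) ContratLigne::STATUS_OPEN);` and `$sql .= " fk_user_cloture = ".((int) $user->id).",";`. The enclosing method starts and ends outside the hunk.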

+ 1 - 1
htdocs/contrat/index.php

@@ -250,7 +250,7 @@ if (!empty($conf->contrat->enabled) && $user->rights->contrat->lire) {
 		$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 	}
 	if ($socid) {
-		$sql .= " AND c.fk_soc = ".$socid;
+		$sql .= " AND c.fk_soc = ".((int) $socid);
 	}
 
 	$resql = $db->query($sql);

+ 4 - 4
htdocs/contrat/list.php

@@ -265,10 +265,10 @@ if ($search_type_thirdparty != '' && $search_type_thirdparty > 0) {
 	$sql .= " AND s.fk_typent IN (".$db->sanitize($db->escape($search_type_thirdparty)).')';
 }
 if ($search_product_category > 0) {
-	$sql .= " AND cp.fk_categorie = ".$search_product_category;
+	$sql .= " AND cp.fk_categorie = ".((int) $search_product_category);
 }
 if ($socid) {
-	$sql .= " AND s.rowid = ".$db->escape($socid);
+	$sql .= " AND s.rowid = ".((int) $socid);
 }
 if (!$user->rights->societe->client->voir && !$socid) {
 	$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
@@ -296,13 +296,13 @@ if ($search_town) {
 	$sql .= natural_search(array('s.town'), $search_town);
 }
 if ($search_sale > 0) {
-	$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$search_sale;
+	$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $search_sale);
 }
 if ($sall) {
 	$sql .= natural_search(array_keys($fieldstosearchall), $sall);
 }
 if ($search_user > 0) {
-	$sql .= " AND ec.fk_c_type_contact = tc.rowid AND tc.element='contrat' AND tc.source='internal' AND ec.element_id = c.rowid AND ec.fk_socpeople = ".$search_user;
+	$sql .= " AND ec.fk_c_type_contact = tc.rowid AND tc.element='contrat' AND tc.source='internal' AND ec.element_id = c.rowid AND ec.fk_socpeople = ".((int) $search_user);
 }
 // Add where from extra fields
 include DOL_DOCUMENT_ROOT.'/core/tpl/extrafields_list_search_sql.tpl.php';

+ 1 - 1
htdocs/contrat/services_list.php

@@ -257,7 +257,7 @@ if ($search_product_category > 0) {
 $sql .= " WHERE c.entity = ".$conf->entity;
 $sql .= " AND c.rowid = cd.fk_contrat";
 if ($search_product_category > 0) {
-	$sql .= " AND cp.fk_categorie = ".$search_product_category;
+	$sql .= " AND cp.fk_categorie = ".((int) $search_product_category);
 }
 $sql .= " AND c.fk_soc = s.rowid";
 if (!$user->rights->societe->client->voir && !$socid) {

+ 13 - 13
htdocs/core/class/commonobject.class.php

@@ -531,7 +531,7 @@ abstract class CommonObject
 		$sql .= " WHERE entity IN (".getEntity($element).")";
 
 		if ($id > 0) {
-			$sql .= " AND rowid = ".$db->escape($id);
+			$sql .= " AND rowid = ".((int) $id);
 		} elseif ($ref) {
 			$sql .= " AND ref = '".$db->escape($ref)."'";
 		} elseif ($ref_ext) {
@@ -542,7 +542,7 @@ abstract class CommonObject
 			return -1;
 		}
 		if ($ref || $ref_ext) {
-			$sql .= " AND entity = ".$conf->entity;
+			$sql .= " AND entity = ".((int) $conf->entity);
 		}
 
 		dol_syslog(get_class()."::isExistingObject", LOG_DEBUG);
@@ -1278,7 +1278,7 @@ abstract class CommonObject
 		}
 		$sql .= " AND tc.active=1";
 		if ($status >= 0) {
-			$sql .= " AND ec.statut = ".$status;
+			$sql .= " AND ec.statut = ".((int) $status);
 		}
 		$sql .= " ORDER BY t.lastname ASC";
 
@@ -1926,7 +1926,7 @@ abstract class CommonObject
 		if ($format == 'text') {
 			$sql .= $field." = '".$this->db->escape($value)."'";
 		} elseif ($format == 'int') {
-			$sql .= $field." = ".$this->db->escape($value);
+			$sql .= $field." = ".((int) $value);
 		} elseif ($format == 'date') {
 			$sql .= $field." = ".($value ? "'".$this->db->idate($value)."'" : "null");
 		}
@@ -3709,19 +3709,19 @@ abstract class CommonObject
 		$sql .= " WHERE ";
 		if ($justsource || $justtarget) {
 			if ($justsource) {
-				$sql .= "fk_source = ".$sourceid." AND sourcetype = '".$this->db->escape($sourcetype)."'";
+				$sql .= "fk_source = ".((int) $sourceid)." AND sourcetype = '".$this->db->escape($sourcetype)."'";
 				if ($withtargettype) {
 					$sql .= " AND targettype = '".$this->db->escape($targettype)."'";
 				}
 			} elseif ($justtarget) {
-				$sql .= "fk_target = ".$targetid." AND targettype = '".$this->db->escape($targettype)."'";
+				$sql .= "fk_target = ".((int) $targetid)." AND targettype = '".$this->db->escape($targettype)."'";
 				if ($withsourcetype) {
 					$sql .= " AND sourcetype = '".$this->db->escape($sourcetype)."'";
 				}
 			}
 		} else {
-			$sql .= "(fk_source = ".$sourceid." AND sourcetype = '".$this->db->escape($sourcetype)."')";
-			$sql .= " ".$clause." (fk_target = ".$targetid." AND targettype = '".$this->db->escape($targettype)."')";
+			$sql .= "(fk_source = ".((int) $sourceid)." AND sourcetype = '".$this->db->escape($sourcetype)."')";
+			$sql .= " ".$clause." (fk_target = ".((int) $targetid)." AND targettype = '".$this->db->escape($targettype)."')";
 		}
 		$sql .= ' ORDER BY '.$orderby;
 
@@ -4106,12 +4106,12 @@ abstract class CommonObject
 		}
 
 		$sql = "UPDATE ".MAIN_DB_PREFIX.$elementTable;
-		$sql .= " SET ".$fieldstatus." = ".$status;
+		$sql .= " SET ".$fieldstatus." = ".((int) $status);
 		// If status = 1 = validated, update also fk_user_valid
 		if ($status == 1 && $elementTable == 'expensereport') {
 			$sql .= ", fk_user_valid = ".$user->id;
 		}
-		$sql .= " WHERE rowid=".$elementId;
+		$sql .= " WHERE rowid=".((int) $elementId);
 
 		dol_syslog(get_class($this)."::setStatut", LOG_DEBUG);
 		if ($this->db->query($sql)) {
@@ -7122,11 +7122,11 @@ abstract class CommonObject
 				$sql .= ' as main';
 			}
 			if ($selectkey == 'rowid' && empty($value)) {
-				$sql .= " WHERE ".$selectkey."=0";
+				$sql .= " WHERE ".$selectkey." = 0";
 			} elseif ($selectkey == 'rowid') {
-				$sql .= " WHERE ".$selectkey."=".$this->db->escape($value);
+				$sql .= " WHERE ".$selectkey." = ".((int) $value);
 			} else {
-				$sql .= " WHERE ".$selectkey."='".$this->db->escape($value)."'";
+				$sql .= " WHERE ".$selectkey." = '".$this->db->escape($value)."'";
 			}
 
 			//$sql.= ' AND entity = '.$conf->entity;
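Review bot: In the setStatut hunk the casts harden `$status` and `$elementId`, but `$elementTable` and `$fieldstatus` on the `UPDATE`/`SET` lines are still spliced in as raw identifiers, and `fk_user_valid = ".$user->id` in the same statement is left uncast; if those names can be supplied by a caller rather than defaulting to the object's own table, validate them against an allow-list or pass them through `$this->db->sanitize()`, and write `$sql .= ", fk_user_valid = ".((int) $user->id);`. The same identifier concern applies to `$selectkey` in the last hunk (`" WHERE ".$selectkey." = ..."`), which extrafields.class.php duplicates line for line, and to `$field` in the `$format == 'int'` branch. Where the name is intentionally trusted, a comment such as `// $field is a column name supplied by internal callers, never by the request` would make that contract explicit. All of these methods start and end outside their hunks.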

+ 1 - 1
htdocs/core/class/discount.class.php

@@ -292,7 +292,7 @@ class DiscountAbsolute
 			$sql .= " FROM ".MAIN_DB_PREFIX."societe_remise_except";
 			$sql .= " WHERE (fk_facture_line IS NOT NULL"; // Not used as absolute simple discount
 			$sql .= " OR fk_facture IS NOT NULL)"; // Not used as credit note and not used as deposit
-			$sql .= " AND fk_facture_source = ".$this->fk_facture_source;
+			$sql .= " AND fk_facture_source = ".((int) $this->fk_facture_source);
 			//$sql.=" AND rowid != ".$this->id;
 
 			dol_syslog(get_class($this)."::delete Check if we can remove discount", LOG_DEBUG);

+ 3 - 3
htdocs/core/class/extrafields.class.php

@@ -1722,11 +1722,11 @@ class ExtraFields
 				$sql .= ' as main';
 			}
 			if ($selectkey == 'rowid' && empty($value)) {
-				$sql .= " WHERE ".$selectkey."=0";
+				$sql .= " WHERE ".$selectkey." = 0";
 			} elseif ($selectkey == 'rowid') {
-				$sql .= " WHERE ".$selectkey."=".$this->db->escape($value);
+				$sql .= " WHERE ".$selectkey." = ".((int) $value);
 			} else {
-				$sql .= " WHERE ".$selectkey."='".$this->db->escape($value)."'";
+				$sql .= " WHERE ".$selectkey." = '".$this->db->escape($value)."'";
 			}
 
 			//$sql.= ' AND entity = '.$conf->entity;

+ 5 - 7
htdocs/core/class/html.form.class.php

@@ -2497,18 +2497,18 @@ class Form
 		}
 
 		if ($finished == 0) {
-			$sql .= " AND p.finished = ".$finished;
+			$sql .= " AND p.finished = ".((int) $finished);
 		} elseif ($finished == 1) {
-			$sql .= " AND p.finished = ".$finished;
+			$sql .= " AND p.finished = ".((int) $finished);
 			if ($status >= 0) {
-				$sql .= " AND p.tosell = ".$status;
+				$sql .= " AND p.tosell = ".((int) $status);
 			}
 		} elseif ($status >= 0) {
-			$sql .= " AND p.tosell = ".$status;
+			$sql .= " AND p.tosell = ".((int) $status);
 		}
 		// Filter by product type
 		if (strval($filtertype) != '') {
-			$sql .= " AND p.fk_product_type = ".$filtertype;
+			$sql .= " AND p.fk_product_type = ".((int) $filtertype);
 		} elseif (empty($conf->product->enabled)) { // when product module is disabled, show services only
 			$sql .= " AND p.fk_product_type = 1";
 		} elseif (empty($conf->service->enabled)) { // when service module is disabled, show products only
@@ -3828,7 +3828,6 @@ class Form
 		$sql = "SELECT id, code, libelle as label, type, active";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_paiement";
 		$sql .= " WHERE entity IN (".getEntity('c_paiement').")";
-		//if ($active >= 0) $sql.= " AND active = ".$active;
 
 		$resql = $this->db->query($sql);
 		if ($resql) {
@@ -4061,7 +4060,6 @@ class Form
 		$sql = "SELECT rowid, code, label, active";
 		$sql .= " FROM ".MAIN_DB_PREFIX."c_transport_mode";
 		$sql .= " WHERE entity IN (".getEntity('c_transport_mode').")";
-		//if ($active >= 0) $sql.= " AND active = ".$active;
 
 		$resql = $this->db->query($sql);
 		if ($resql) {

+ 1 - 1
htdocs/core/class/html.formaccounting.class.php

@@ -242,7 +242,7 @@ class FormAccounting extends Form
 			$sql .= " WHERE c.active = 1";
 			$sql .= " AND c.category_type = 0";
 			if (empty($allcountries)) {
-				$sql .= " AND c.fk_country = ".$mysoc->country_id;
+				$sql .= " AND c.fk_country = ".((int) $mysoc->country_id);
 			}
 			$sql .= " ORDER BY c.label ASC";
 		} else {

+ 2 - 2
htdocs/core/class/html.formintervention.class.php

@@ -77,14 +77,14 @@ class FormIntervention
 			if ($socid == '0') {
 				$sql .= " AND (f.fk_soc = 0 OR f.fk_soc IS NULL)";
 			} else {
-				$sql .= " AND f.fk_soc = ".$socid;
+				$sql .= " AND f.fk_soc = ".((int) $socid);
 			}
 		}
 
 		dol_syslog(get_class($this)."::select_intervention", LOG_DEBUG);
 		$resql = $this->db->query($sql);
 		if ($resql) {
-			$out .= '<select id="interventionid" class="flat" name="'.$htmlname.'">';
+			$out .= '<select id="interventionid" class="flat" name="'.dol_escape_htmltag($htmlname).'">';
 			if ($showempty) {
 				$out .= '<option value="0">&nbsp;</option>';
 			}
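Review bot: The `(int) $socid` cast on the else branch changes what happens for non-numeric or empty values: `$socid == '0'` is a loose string comparison, so a value such as `''` now falls into the else branch and produces `f.fk_soc = 0`, which no longer matches the `IS NULL` rows the explicit-zero branch includes. If the guard enclosing this block (outside the hunk) does not already exclude empty values, consider `if ((int) $socid === 0) {` so that empty and non-numeric values take the NULL-inclusive branch as well. The `dol_escape_htmltag($htmlname)` addition is the right escaping for the attribute context.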

+ 3 - 3
htdocs/core/class/html.formmail.class.php

@@ -1275,10 +1275,10 @@ class FormMail extends Form
 		$sql .= " AND entity IN (".getEntity('c_email_templates').")";
 		$sql .= " AND (private = 0 OR fk_user = ".$user->id.")"; // Get all public or private owned
 		if ($active >= 0) {
-			$sql .= " AND active = ".$active;
+			$sql .= " AND active = ".((int) $active);
 		}
 		if ($label) {
-			$sql .= " AND label ='".$db->escape($label)."'";
+			$sql .= " AND label = '".$db->escape($label)."'";
 		}
 		if (!($id > 0) && $languagetosearch) {
 			$sql .= " AND (lang = '".$db->escape($languagetosearch)."'".($languagetosearchmain ? " OR lang = '".$db->escape($languagetosearchmain)."'" : "")." OR lang IS NULL OR lang = '')";
@@ -1434,7 +1434,7 @@ class FormMail extends Form
 		$sql .= " AND entity IN (".getEntity('c_email_templates').")";
 		$sql .= " AND (private = 0 OR fk_user = ".$user->id.")"; // See all public templates or templates I own.
 		if ($active >= 0) {
-			$sql .= " AND active = ".$active;
+			$sql .= " AND active = ".((int) $active);
 		}
 		//if (is_object($outputlangs)) $sql.= " AND (lang = '".$this->db->escape($outputlangs->defaultlang)."' OR lang IS NULL OR lang = '')";	// Return all languages
 		$sql .= $this->db->order("position,lang,label", "ASC");

+ 1 - 1
htdocs/core/class/html.formsocialcontrib.class.php

@@ -76,7 +76,7 @@ class FormSocialContrib
 			$sql = "SELECT c.id, c.libelle as type";
 			$sql .= " FROM ".MAIN_DB_PREFIX."c_chargesociales as c";
 			$sql .= " WHERE c.active = 1";
-			$sql .= " AND c.fk_pays = ".$mysoc->country_id;
+			$sql .= " AND c.fk_pays = ".((int) $mysoc->country_id);
 			$sql .= " ORDER BY c.libelle ASC";
 		} else {
 			$sql = "SELECT c.id, c.libelle as type";

+ 4 - 4
htdocs/core/class/infobox.class.php

@@ -105,7 +105,7 @@ class InfoBox
 			$sql .= " WHERE b.box_id = d.rowid";
 			$sql .= " AND b.entity IN (0,".$conf->entity.")";
 			if ($zone >= 0) {
-				$sql .= " AND b.position = ".$zone;
+				$sql .= " AND b.position = ".((int) $zone);
 			}
 			if (is_object($user)) {
 				$sql .= " AND b.fk_user IN (0,".$user->id.")";
@@ -116,7 +116,7 @@ class InfoBox
 		} else { // available
 			$sql = "SELECT d.rowid as box_id, d.file, d.note, d.tms";
 			$sql .= " FROM ".MAIN_DB_PREFIX."boxes_def as d";
-			$sql .= " WHERE d.entity IN (0,".$conf->entity.")";
+			$sql .= " WHERE d.entity IN (0, ".$conf->entity.")";
 		}
 
 		dol_syslog(get_class()."::listBoxes get default box list for mode=".$mode." userid=".(is_object($user) ? $user->id : '')."", LOG_DEBUG);
@@ -254,8 +254,8 @@ class InfoBox
 		// Delete all lines
 		$sql = "DELETE FROM ".MAIN_DB_PREFIX."boxes";
 		$sql .= " WHERE entity = ".$conf->entity;
-		$sql .= " AND fk_user = ".$userid;
-		$sql .= " AND position = ".$zone;
+		$sql .= " AND fk_user = ".((int) $userid);
+		$sql .= " AND position = ".((int) $zone);
 
 		dol_syslog(get_class()."::saveboxorder", LOG_DEBUG);
 		$result = $db->query($sql);

+ 2 - 2
htdocs/core/class/menubase.class.php

@@ -352,10 +352,10 @@ class Menubase
 		$sql .= " type='".$this->db->escape($this->type)."',";
 		$sql .= " mainmenu='".$this->db->escape($this->mainmenu)."',";
 		$sql .= " leftmenu='".$this->db->escape($this->leftmenu)."',";
-		$sql .= " fk_menu=".$this->fk_menu.",";
+		$sql .= " fk_menu=".((int) $this->fk_menu).",";
 		$sql .= " fk_mainmenu=".($this->fk_mainmenu ? "'".$this->db->escape($this->fk_mainmenu)."'" : "null").",";
 		$sql .= " fk_leftmenu=".($this->fk_leftmenu ? "'".$this->db->escape($this->fk_leftmenu)."'" : "null").",";
-		$sql .= " position=".($this->position > 0 ? $this->position : 0).",";
+		$sql .= " position=".($this->position > 0 ? ((int) $this->position) : 0).",";
 		$sql .= " url='".$this->db->escape($this->url)."',";
 		$sql .= " target='".$this->db->escape($this->target)."',";
 		$sql .= " titre='".$this->db->escape($this->title)."',";

+ 5 - 5
htdocs/core/class/notify.class.php

@@ -176,7 +176,7 @@ class Notify
 		$sqlnotifcode = '';
 		if ($notifcode) {
 			if (is_numeric($notifcode)) {
-				$sqlnotifcode = " AND n.fk_action = ".$notifcode; // Old usage
+				$sqlnotifcode = " AND n.fk_action = ".((int) $notifcode); // Old usage
 			} else {
 				$sqlnotifcode = " AND a.code = '".$this->db->escape($notifcode)."'"; // New usage
 			}
@@ -195,7 +195,7 @@ class Notify
 				$sql .= $sqlnotifcode;
 				$sql .= " AND s.entity IN (".getEntity('societe').")";
 				if ($socid > 0) {
-					$sql .= " AND s.rowid = ".$socid;
+					$sql .= " AND s.rowid = ".((int) $socid);
 				}
 
 				dol_syslog(__METHOD__." ".$notifcode.", ".$socid."", LOG_DEBUG);
@@ -233,7 +233,7 @@ class Notify
 				$sql .= $sqlnotifcode;
 				$sql .= " AND c.entity IN (".getEntity('user').")";
 				if ($userid > 0) {
-					$sql .= " AND c.rowid = ".$userid;
+					$sql .= " AND c.rowid = ".((int) $userid);
 				}
 
 				dol_syslog(__METHOD__." ".$notifcode.", ".$socid."", LOG_DEBUG);
@@ -380,11 +380,11 @@ class Notify
 			$sql .= " AND n.fk_soc = s.rowid";
 			$sql .= " AND c.statut = 1";
 			if (is_numeric($notifcode)) {
-				$sql .= " AND n.fk_action = ".$notifcode; // Old usage
+				$sql .= " AND n.fk_action = ".((int) $notifcode); // Old usage
 			} else {
 				$sql .= " AND a.code = '".$this->db->escape($notifcode)."'"; // New usage
 			}
-			$sql .= " AND s.rowid = ".$object->socid;
+			$sql .= " AND s.rowid = ".((int) $object->socid);
 
 			$sql .= "\nUNION\n";
 		}

+ 2 - 2
htdocs/core/lib/agenda.lib.php

@@ -168,7 +168,7 @@ function show_array_actions_to_do($max = 5)
 		$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 	}
 	if ($socid) {
-		$sql .= " AND s.rowid = ".$socid;
+		$sql .= " AND s.rowid = ".((int) $socid);
 	}
 	$sql .= " ORDER BY a.datep DESC, a.id DESC";
 	$sql .= $db->plimit($max, 0);
@@ -284,7 +284,7 @@ function show_array_last_actions_done($max = 5)
 		$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 	}
 	if ($socid) {
-		$sql .= " AND s.rowid = ".$socid;
+		$sql .= " AND s.rowid = ".((int) $socid);
 	}
 	$sql .= " ORDER BY a.datep2 DESC";
 	$sql .= $db->plimit($max, 0);

+ 4 - 4
htdocs/core/lib/company.lib.php

@@ -227,7 +227,7 @@ function societe_prepare_head(Societe $object)
 		if (empty($conf->stripe->enabled)) {
 			$sql .= " AND n.stripe_card_ref IS NULL";
 		} else {
-			$sql .= " AND (n.stripe_card_ref IS NULL OR (n.stripe_card_ref IS NOT NULL AND n.status = ".$servicestatus."))";
+			$sql .= " AND (n.stripe_card_ref IS NULL OR (n.stripe_card_ref IS NOT NULL AND n.status = ".((int) $servicestatus)."))";
 		}
 
 		$resql = $db->query($sql);
@@ -1448,7 +1448,7 @@ function show_actions_done($conf, $langs, $db, $filterobj, $objcon = '', $noprin
 		if (is_object($objcon) && $objcon->id > 0) {
 			$force_filter_contact = true;
 			$sql .= " INNER JOIN ".MAIN_DB_PREFIX."actioncomm_resources as r ON a.id = r.fk_actioncomm";
-			$sql .= " AND r.element_type = '".$db->escape($objcon->table_element)."' AND r.fk_element = ".$objcon->id;
+			$sql .= " AND r.element_type = '".$db->escape($objcon->table_element)."' AND r.fk_element = ".((int) $objcon->id);
 		}
 
 		if (is_object($filterobj) && in_array(get_class($filterobj), array('Societe', 'Client', 'Fournisseur'))) {
@@ -1457,7 +1457,7 @@ function show_actions_done($conf, $langs, $db, $filterobj, $objcon = '', $noprin
 			$sql .= " INNER JOIN ".MAIN_DB_PREFIX."element_resources as er";
 			$sql .= " ON er.resource_type = 'dolresource'";
 			$sql .= " AND er.element_id = a.id";
-			$sql .= " AND er.resource_id = ".$filterobj->id;
+			$sql .= " AND er.resource_id = ".((int) $filterobj->id);
 		} elseif (is_object($filterobj) && get_class($filterobj) == 'Project') {
 			/* Nothing */
 		} elseif (is_object($filterobj) && get_class($filterobj) == 'Adherent') {
@@ -1940,7 +1940,7 @@ function show_subsidiaries($conf, $langs, $db, $object)
 
 	$sql = "SELECT s.rowid, s.client, s.fournisseur, s.nom as name, s.name_alias, s.email, s.address, s.zip, s.town, s.code_client, s.code_fournisseur, s.code_compta, s.code_compta_fournisseur, s.canvas";
 	$sql .= " FROM ".MAIN_DB_PREFIX."societe as s";
-	$sql .= " WHERE s.parent = ".$object->id;
+	$sql .= " WHERE s.parent = ".((int) $object->id);
 	$sql .= " AND s.entity IN (".getEntity('societe').")";
 	$sql .= " ORDER BY s.nom";
 

+ 1 - 1
htdocs/core/lib/fourn.lib.php

@@ -59,7 +59,7 @@ function facturefourn_prepare_head($object)
 		$nbStandingOrders = 0;
 		$sql = "SELECT COUNT(pfd.rowid) as nb";
 		$sql .= " FROM ".MAIN_DB_PREFIX."prelevement_facture_demande as pfd";
-		$sql .= " WHERE pfd.fk_facture_fourn = ".$object->id;
+		$sql .= " WHERE pfd.fk_facture_fourn = ".((int) $object->id);
 		$sql .= " AND pfd.ext_payment_id IS NULL";
 		$resql = $db->query($sql);
 		if ($resql) {

+ 4 - 4
htdocs/core/lib/invoice.lib.php

@@ -734,7 +734,7 @@ function getDraftSupplierTable($maxCount = 500, $socid = 0)
 		$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 	}
 	if ($socid) {
-		$sql .= " AND f.fk_soc = ".$socid;
+		$sql .= " AND f.fk_soc = ".((int) $socid);
 	}
 	// Add where from hooks
 	$parameters = array();
@@ -950,7 +950,7 @@ function getPurchaseInvoiceLatestEditTable($maxCount = 5, $socid = 0)
 	$sql .= " WHERE f.fk_soc = s.rowid";
 	$sql .= " AND f.entity IN (".getEntity('facture_fourn').")";
 	if ($socid) {
-		$sql .= " AND f.fk_soc = ".$socid;
+		$sql .= " AND f.fk_soc = ".((int) $socid);
 	}
 	if (!$user->rights->societe->client->voir && !$socid) {
 		$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
@@ -1062,7 +1062,7 @@ function getCustomerInvoiceUnpaidOpenTable($maxCount = 500, $socid = 0)
 			$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 		}
 		if ($socid) {
-			$sql .= " AND f.fk_soc = ".$socid;
+			$sql .= " AND f.fk_soc = ".((int) $socid);
 		}
 		// Add where from hooks
 		$parameters = array();
@@ -1250,7 +1250,7 @@ function getPurchaseInvoiceUnpaidOpenTable($maxCount = 500, $socid = 0)
 			$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 		}
 		if ($socid) {
-			$sql .= " AND ff.fk_soc = ".$socid;
+			$sql .= " AND ff.fk_soc = ".((int) $socid);
 		}
 		// Add where from hooks
 		$parameters = array();

+ 1 - 1
htdocs/core/lib/sendings.lib.php

@@ -246,7 +246,7 @@ function show_list_sending_receive($origin, $origin_id, $filter = '')
 	$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON obj.fk_product = p.rowid";
 	//TODO Add link to expeditiondet_batch
 	$sql .= " WHERE e.entity IN (".getEntity('expedition').")";
-	$sql .= " AND obj.fk_".$origin." = ".$origin_id;
+	$sql .= " AND obj.fk_".$origin." = ".((int) $origin_id);
 	$sql .= " AND obj.rowid = ed.fk_origin_line";
 	$sql .= " AND ed.fk_expedition = e.rowid";
 	if ($filter) {
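Review bot: `$origin` is concatenated into the column name on the `AND obj.fk_".$origin." = ` line, and the new `(int)` cast only covers `$origin_id`; since `$origin` is a parameter of show_list_sending_receive, it should be validated against an allow-list of the known origin element names before it is spliced into the identifier, or at minimum passed through `$db->sanitize($origin)`. The same `obj.fk_".$origin."` pattern with the identical cast appears in expedition/card.php, where `$origin` is presumably request-derived and the check matters more. The function continues outside the hunk, so I cannot see whether `$filter` is appended unescaped afterwards.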

+ 1 - 1
htdocs/core/lib/ticket.lib.php

@@ -336,7 +336,7 @@ function show_ticket_messaging($conf, $langs, $db, $filterobj, $objcon = '', $no
 		if (is_object($objcon) && $objcon->id > 0) {
 			$force_filter_contact = true;
 			$sql .= " INNER JOIN ".MAIN_DB_PREFIX."actioncomm_resources as r ON a.id = r.fk_actioncomm";
-			$sql .= " AND r.element_type = '".$db->escape($objcon->table_element)."' AND r.fk_element = ".$objcon->id;
+			$sql .= " AND r.element_type = '".$db->escape($objcon->table_element)."' AND r.fk_element = ".((int) $objcon->id);
 		}
 
 		if (is_object($filterobj) && get_class($filterobj) == 'Societe') {

+ 1 - 1
htdocs/core/lib/usergroups.lib.php

@@ -110,7 +110,7 @@ function user_prepare_head($object)
 		$nbNote = 0;
 		$sql = "SELECT COUNT(n.rowid) as nb";
 		$sql .= " FROM ".MAIN_DB_PREFIX."notify_def as n";
-		$sql .= " WHERE fk_user = ".$object->id;
+		$sql .= " WHERE fk_user = ".((int) $object->id);
 		$resql = $db->query($sql);
 		if ($resql) {
 			$num = $db->num_rows($resql);

+ 3 - 3
htdocs/core/modules/DolibarrModules.class.php

@@ -1371,7 +1371,7 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
 				if ($command) {
 					$sql .= " AND command = '".$this->db->escape($command)."'";
 				}
-				$sql .= " AND entity = ".$entity; // Must be exact entity
+				$sql .= " AND entity = ".((int) $entity); // Must be exact entity
 
 				$now = dol_now();
 
@@ -1612,7 +1612,7 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
 			$sql = "SELECT count(*)";
 			$sql .= " FROM ".MAIN_DB_PREFIX."const";
 			$sql .= " WHERE ".$this->db->decrypt('name')." = '".$this->db->escape($name)."'";
-			$sql .= " AND entity = ".$entity;
+			$sql .= " AND entity = ".((int) $entity);
 
 			$result = $this->db->query($sql);
 			if ($result) {
@@ -2197,7 +2197,7 @@ class DolibarrModules // Can not be abstract, because we need to instantiate it
 
 				$sql = "DELETE FROM ".MAIN_DB_PREFIX."const";
 				$sql .= " WHERE ".$this->db->decrypt('name')." LIKE '".$this->db->escape($this->const_name)."_".strtoupper($key)."'";
-				$sql .= " AND entity = ".$entity;
+				$sql .= " AND entity = ".((int) $entity);
 
 				dol_syslog(get_class($this)."::delete_const_".$key."", LOG_DEBUG);
 				if (!$this->db->query($sql)) {
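Review bot: In the `DELETE FROM ... const` hunk the `LIKE` pattern is built from `$this->const_name."_".strtoupper($key)`, where `_` is a single-character wildcard and `$key` is not escaped, so the statement can also delete a constant whose name has any other character at the underscore position. If an exact name is intended, use `$sql .= " WHERE ".$this->db->decrypt('name')." = '".$this->db->escape($this->const_name."_".strtoupper($key))."'";` or escape the underscore in the pattern. That line is context rather than part of the change, but it is the same statement the commit is hardening; the enclosing method starts and ends outside the hunk.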

+ 1 - 1
htdocs/core/modules/mailings/pomme.modules.php

@@ -171,7 +171,7 @@ class mailing_pomme extends MailingTargets
 		$sql .= " FROM ".MAIN_DB_PREFIX."user as u";
 		$sql .= " WHERE u.email <> ''"; // u.email IS NOT NULL est implicite dans ce test
 		$sql .= " AND u.entity IN (0,".$conf->entity.")";
-		$sql .= " AND u.email NOT IN (SELECT email FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE fk_mailing=".$mailing_id.")";
+		$sql .= " AND u.email NOT IN (SELECT email FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE fk_mailing=".((int) $mailing_id).")";
 		if (GETPOSTISSET("filter") && GETPOST("filter") == '1') {
 			$sql .= " AND u.statut=1";
 		}

+ 3 - 3
htdocs/core/modules/mailings/thirdparties.modules.php

@@ -77,7 +77,7 @@ class mailing_thirdparties extends MailingTargets
 			$sql .= " FROM ".MAIN_DB_PREFIX."societe as s";
 			$sql .= " WHERE s.email <> ''";
 			$sql .= " AND s.entity IN (".getEntity('societe').")";
-			$sql .= " AND s.email NOT IN (SELECT email FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE fk_mailing=".$mailing_id.")";
+			$sql .= " AND s.email NOT IN (SELECT email FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE fk_mailing=".((int) $mailing_id).")";
 		} else {
 			$addFilter = "";
 			if (GETPOSTISSET("filter_client") && GETPOST("filter_client") <> '-1') {
@@ -112,7 +112,7 @@ class mailing_thirdparties extends MailingTargets
 			$sql .= " FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."categorie_societe as cs, ".MAIN_DB_PREFIX."categorie as c";
 			$sql .= " WHERE s.email <> ''";
 			$sql .= " AND s.entity IN (".getEntity('societe').")";
-			$sql .= " AND s.email NOT IN (SELECT email FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE fk_mailing=".$mailing_id.")";
+			$sql .= " AND s.email NOT IN (SELECT email FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE fk_mailing=".((int) $mailing_id).")";
 			$sql .= " AND cs.fk_soc = s.rowid";
 			$sql .= " AND c.rowid = cs.fk_categorie";
 			$sql .= " AND c.rowid=".((int) GETPOST('filter', 'int'));
@@ -122,7 +122,7 @@ class mailing_thirdparties extends MailingTargets
 			$sql .= " FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."categorie_fournisseur as cs, ".MAIN_DB_PREFIX."categorie as c";
 			$sql .= " WHERE s.email <> ''";
 			$sql .= " AND s.entity IN (".getEntity('societe').")";
-			$sql .= " AND s.email NOT IN (SELECT email FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE fk_mailing=".$mailing_id.")";
+			$sql .= " AND s.email NOT IN (SELECT email FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE fk_mailing=".((int) $mailing_id).")";
 			$sql .= " AND cs.fk_soc = s.rowid";
 			$sql .= " AND c.rowid = cs.fk_categorie";
 			$sql .= " AND c.rowid=".((int) GETPOST('filter', 'int'));

+ 1 - 1
htdocs/core/modules/mailings/thirdparties_services_expired.modules.php

@@ -110,7 +110,7 @@ class mailing_thirdparties_services_expired extends MailingTargets
 		$sql .= " FROM ".MAIN_DB_PREFIX."societe as s, ".MAIN_DB_PREFIX."contrat as c";
 		$sql .= ", ".MAIN_DB_PREFIX."contratdet as cd, ".MAIN_DB_PREFIX."product as p";
 		$sql .= " WHERE s.entity IN (".getEntity('societe').")";
-		$sql .= " AND s.email NOT IN (SELECT email FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE fk_mailing=".$mailing_id.")";
+		$sql .= " AND s.email NOT IN (SELECT email FROM ".MAIN_DB_PREFIX."mailing_cibles WHERE fk_mailing=".((int) $mailing_id).")";
 		$sql .= " AND s.rowid = c.fk_soc AND cd.fk_contrat = c.rowid AND s.email != ''";
 		$sql .= " AND cd.statut= 4 AND cd.fk_product=p.rowid AND p.ref = '".$this->db->escape($product)."'";
 		$sql .= " AND cd.date_fin_validite < '".$this->db->idate($now)."'";

+ 2 - 2
htdocs/core/modules/movement/doc/pdf_standard.modules.php

@@ -529,8 +529,8 @@ class pdf_stdandard extends ModelePDFMovement
 						if (!empty($conf->global->MAIN_MULTILANGS)) { // si l'option est active
 							$sql = "SELECT label";
 							$sql .= " FROM ".MAIN_DB_PREFIX."product_lang";
-							$sql .= " WHERE fk_product=".$objp->rowid;
-							$sql .= " AND lang='".$this->db->escape($langs->getDefaultLang())."'";
+							$sql .= " WHERE fk_product = ".((int) $objp->rowid);
+							$sql .= " AND lang = '".$this->db->escape($langs->getDefaultLang())."'";
 							$sql .= " LIMIT 1";
 
 							$result = $this->db->query($sql);

+ 1 - 1
htdocs/core/modules/project/doc/doc_generic_project_odt.modules.php

@@ -742,7 +742,7 @@ class doc_generic_project_odt extends ModelePDFProjects
 						$sql .= ", u.lastname, u.firstname, t.thm";
 						$sql .= " FROM ".MAIN_DB_PREFIX."projet_task_time as t";
 						$sql .= " , ".MAIN_DB_PREFIX."user as u";
-						$sql .= " WHERE t.fk_task =".$task->id;
+						$sql .= " WHERE t.fk_task =".((int) $task->id);
 						$sql .= " AND t.fk_user = u.rowid";
 						$sql .= " ORDER BY t.task_date DESC";
 

+ 1 - 1
htdocs/core/modules/project/task/doc/doc_generic_task_odt.modules.php

@@ -657,7 +657,7 @@ class doc_generic_task_odt extends ModelePDFTask
 					$sql .= ", u.lastname, u.firstname";
 					$sql .= " FROM ".MAIN_DB_PREFIX."projet_task_time as t";
 					$sql .= " , ".MAIN_DB_PREFIX."user as u";
-					$sql .= " WHERE t.fk_task =".$object->id;
+					$sql .= " WHERE t.fk_task =".((int) $object->id);
 					$sql .= " AND t.fk_user = u.rowid";
 					$sql .= " ORDER BY t.task_date DESC";
 

+ 1 - 1
htdocs/core/modules/rapport/pdf_paiement.class.php

@@ -209,7 +209,7 @@ class pdf_paiement
 					$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$user->id;
 				}
 				if (!empty($socid)) {
-					$sql .= " AND s.rowid = ".$socid;
+					$sql .= " AND s.rowid = ".((int) $socid);
 				}
 				// If global param PAYMENTS_REPORT_GROUP_BY_MOD is set, payement are ordered by paiement_code
 				if (!empty($conf->global->PAYMENTS_REPORT_GROUP_BY_MOD)) {

+ 1 - 1
htdocs/core/modules/stock/doc/pdf_standard.modules.php

@@ -315,7 +315,7 @@ class pdf_standard extends ModelePDFStock
 				$sql .= " FROM ".MAIN_DB_PREFIX."product_stock as ps, ".MAIN_DB_PREFIX."product as p";
 				$sql .= " WHERE ps.fk_product = p.rowid";
 				$sql .= " AND ps.reel <> 0"; // We do not show if stock is 0 (no product in this warehouse)
-				$sql .= " AND ps.fk_entrepot = ".$object->id;
+				$sql .= " AND ps.fk_entrepot = ".((int) $object->id);
 				$sql .= $this->db->order($sortfield, $sortorder);
 
 				//dol_syslog('List products', LOG_DEBUG);

+ 1 - 1
htdocs/datapolicy/class/actions_datapolicy.class.php

@@ -121,7 +121,7 @@ class ActionsDatapolicy
 
 				if ($object->update($object->id, $user, 0)) {
 					// On supprime les contacts associé
-					$sql = "DELETE FROM ".MAIN_DB_PREFIX."socpeople WHERE fk_soc = ".$object->id;
+					$sql = "DELETE FROM ".MAIN_DB_PREFIX."socpeople WHERE fk_soc = ".((int) $object->id);
 					$this->db->query($sql);
 
 					setEventMessages($langs->trans('ANONYMISER_SUCCESS'), array());
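Review bot: The return value of `$this->db->query($sql)` on the `DELETE FROM ... socpeople` line is discarded, so a failed delete still falls through to `setEventMessages($langs->trans('ANONYMISER_SUCCESS'), array())` and the user is told the anonymisation succeeded while the contacts remain. Check the result before reporting success, e.g. `if (!$this->db->query($sql)) { dol_syslog(__METHOD__.' '.$this->db->lasterror(), LOG_ERR); }`, and route the failure to whatever error path this hook uses instead of the success message. The surrounding `if ($object->update(...))` block continues outside the hunk.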

+ 1 - 1
htdocs/don/class/api_donations.class.php

@@ -123,7 +123,7 @@ class Donations extends DolibarrApi
 			$sql .= " AND t.fk_soc = sc.fk_soc";
 		}
 		if ($thirdparty_ids) {
-			$sql .= " AND t.fk_soc = ".$thirdparty_ids." ";
+			$sql .= " AND t.fk_soc = ".((int) $thirdparty_ids)." ";
 		}
 
 		// Add sql filters
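Review bot: `((int) $thirdparty_ids)` assumes a single id, but the parameter name suggests it may carry a comma-separated list; if so, the cast silently keeps only the leading id and the filter narrows the result set without any error. If the endpoint documents a list, use `$sql .= " AND t.fk_soc IN (".$this->db->sanitize($thirdparty_ids).")";` (the same `sanitize()` approach this commit leaves in place for `s.fk_typent` in expedition/list.php); otherwise document the parameter as a single id. The enclosing method starts outside the hunk.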

+ 4 - 4
htdocs/don/class/don.class.php

@@ -476,8 +476,8 @@ class Don extends CommonObject
 		$sql .= ",address='".$this->db->escape($this->address)."'";
 		$sql .= ",zip='".$this->db->escape($this->zip)."'";
 		$sql .= ",town='".$this->db->escape($this->town)."'";
-		$sql .= ",fk_country = ".($this->country_id > 0 ? $this->country_id : '0');
-		$sql .= ",public=".$this->public;
+		$sql .= ",fk_country = ".($this->country_id > 0 ? ((int) $this->country_id) : '0');
+		$sql .= ",public=".((int) $this->public);
 		$sql .= ",fk_projet=".($this->fk_project > 0 ? $this->fk_project : 'null');
 		$sql .= ",note_private=".(!empty($this->note_private) ? ("'".$this->db->escape($this->note_private)."'") : "NULL");
 		$sql .= ",note_public=".(!empty($this->note_public) ? ("'".$this->db->escape($this->note_public)."'") : "NULL");
@@ -486,8 +486,8 @@ class Don extends CommonObject
 		$sql .= ",email='".$this->db->escape(trim($this->email))."'";
 		$sql .= ",phone='".$this->db->escape(trim($this->phone))."'";
 		$sql .= ",phone_mobile='".$this->db->escape(trim($this->phone_mobile))."'";
-		$sql .= ",fk_statut=".$this->statut;
-		$sql .= " WHERE rowid = ".$this->id;
+		$sql .= ",fk_statut=".((int) $this->statut);
+		$sql .= " WHERE rowid = ".((int) $this->id);
 
 		dol_syslog(get_class($this)."::Update", LOG_DEBUG);
 		$resql = $this->db->query($sql);
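Review bot: `fk_projet=".($this->fk_project > 0 ? $this->fk_project : 'null')` sits between the two lines that were just cast and is the only integer left bare in this UPDATE; write `$sql .= ",fk_projet=".($this->fk_project > 0 ? ((int) $this->fk_project) : 'null');` to match the `fk_country` line above it. The same ternary form is left uncast for `fk_entrepot` in the ExpeditionLigne update in expedition.class.php. The update method starts and ends outside the hunks.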

+ 1 - 1
htdocs/ecm/class/ecmfiles.class.php

@@ -425,7 +425,7 @@ class EcmFiles extends CommonObject
 			//$sql .= " AND t.entity = ".$conf->entity;							// hashforshare already unique
 		} elseif ($src_object_type && $src_object_id) {
 			// Warning: May return several record, and only first one is returned !
-			$sql .= " AND t.src_object_type ='".$this->db->escape($src_object_type)."' AND t.src_object_id = ".$this->db->escape($src_object_id);
+			$sql .= " AND t.src_object_type = '".$this->db->escape($src_object_type)."' AND t.src_object_id = ".((int) $src_object_id);
 			$sql .= " AND t.entity = ".$conf->entity;
 		} else {
 			$sql .= ' AND t.rowid = '.((int) $id); // rowid already unique

+ 1 - 1
htdocs/eventorganization/conferenceorboothattendee_list.php

@@ -234,7 +234,7 @@ $reshook = $hookmanager->executeHooks('printFieldListSelect', $parameters, $obje
 $sql .= preg_replace('/^,/', '', $hookmanager->resPrint);
 $sql = preg_replace('/,\s*$/', '', $sql);
 $sql .= " FROM ".MAIN_DB_PREFIX.$object->table_element." as t";
-$sql .= " INNER JOIN ".MAIN_DB_PREFIX."actioncomm as a on a.id=t.fk_actioncomm AND a.id=".$confOrBooth->id;
+$sql .= " INNER JOIN ".MAIN_DB_PREFIX."actioncomm as a on a.id=t.fk_actioncomm AND a.id=".((int) $confOrBooth->id);
 if (is_array($extrafields->attributes[$object->table_element]['label']) && count($extrafields->attributes[$object->table_element]['label'])) {
 	$sql .= " LEFT JOIN ".MAIN_DB_PREFIX.$object->table_element."_extrafields as ef on (t.rowid = ef.fk_object)";
 }

+ 1 - 1
htdocs/expedition/card.php

@@ -1982,7 +1982,7 @@ if ($action == 'create') {
 			//if ($conf->delivery_note->enabled) $sql .= " LEFT JOIN ".MAIN_DB_PREFIX."delivery as l ON l.fk_expedition = e.rowid LEFT JOIN ".MAIN_DB_PREFIX."deliverydet as ld ON ld.fk_delivery = l.rowid  AND obj.rowid = ld.fk_origin_line";
 			$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product as p ON obj.fk_product = p.rowid";
 			$sql .= " WHERE e.entity IN (".getEntity('expedition').")";
-			$sql .= " AND obj.fk_".$origin." = ".$origin_id;
+			$sql .= " AND obj.fk_".$origin." = ".((int) $origin_id);
 			$sql .= " AND obj.rowid = ed.fk_origin_line";
 			$sql .= " AND ed.fk_expedition = e.rowid";
 			//if ($filter) $sql.= $filter;

+ 1 - 1
htdocs/expedition/class/api_shipments.class.php

@@ -140,7 +140,7 @@ class Shipments extends DolibarrApi
 		}
 		// Insert sale filter
 		if ($search_sale > 0) {
-			$sql .= " AND sc.fk_user = ".$search_sale;
+			$sql .= " AND sc.fk_user = ".((int) $search_sale);
 		}
 		// Add sql filters
 		if ($sqlfilters) {

+ 3 - 3
htdocs/expedition/class/expedition.class.php

@@ -2125,7 +2125,7 @@ class Expedition extends CommonObject
 		if (!empty($this->shipping_method_id)) {
 			$sql = "SELECT em.code, em.tracking";
 			$sql .= " FROM ".MAIN_DB_PREFIX."c_shipment_mode as em";
-			$sql .= " WHERE em.rowid = ".$this->shipping_method_id;
+			$sql .= " WHERE em.rowid = ".((int) $this->shipping_method_id);
 
 			$resql = $this->db->query($sql);
 			if ($resql) {
@@ -2981,8 +2981,8 @@ class ExpeditionLigne extends CommonObjectLine
 			// update line
 			$sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element." SET";
 			$sql .= " fk_entrepot = ".($this->entrepot_id > 0 ? $this->entrepot_id : 'null');
-			$sql .= " , qty = ".$qty;
-			$sql .= " WHERE rowid = ".$this->id;
+			$sql .= " , qty = ".((float) price2num($qty, 'MS'));
+			$sql .= " WHERE rowid = ".((int) $this->id);
 
 			if (!$this->db->query($sql)) {
 				$this->errors[] = $this->db->lasterror()." - sql=$sql";

+ 1 - 1
htdocs/expedition/class/expeditionbatch.class.php

@@ -186,7 +186,7 @@ class ExpeditionLineBatch extends CommonObject
 		}
 		$sql .= " FROM ".MAIN_DB_PREFIX.self::$_table_element." as eb";
 		if ($fk_product > 0) {
-			$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lot as pl ON pl.batch = eb.batch AND pl.fk_product = ".$fk_product;
+			$sql .= " LEFT JOIN ".MAIN_DB_PREFIX."product_lot as pl ON pl.batch = eb.batch AND pl.fk_product = ".((int) $fk_product);
 		}
 		$sql .= " WHERE fk_expeditiondet=".(int) $id_line_expdet;
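Review bot: The new line writes the cast as `((int) $fk_product)` while the existing line below writes `(int) $id_line_expdet` without the extra parentheses; both are correct, since a cast binds tighter than `.`, but one form should be used throughout the file. Rewriting the existing line as `$sql .= " WHERE fk_expeditiondet = ".((int) $id_line_expdet);` would also give it the spacing the other clauses use. The enclosing method continues outside the hunk.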
 

+ 4 - 4
htdocs/expedition/list.php

@@ -282,7 +282,7 @@ if ($search_user > 0) {
 }
 $sql .= " WHERE e.entity IN (".getEntity('expedition').")";
 if ($search_product_category > 0) {
-	$sql .= " AND cp.fk_categorie = ".$search_product_category;
+	$sql .= " AND cp.fk_categorie = ".((int) $search_product_category);
 }
 if ($socid > 0) {
 	$sql .= ' AND s.rowid = '.$socid;
@@ -292,7 +292,7 @@ if (!$user->rights->societe->client->voir && !$socid) {	// Internal user with no
 	$sql .= " AND sc.fk_user = ".$user->id;
 }
 if ($socid) {
-	$sql .= " AND e.fk_soc = ".$socid;
+	$sql .= " AND e.fk_soc = ".((int) $socid);
 }
 if ($search_status <> '' && $search_status >= 0) {
 	$sql .= " AND e.fk_statut = ".((int) $search_status);
@@ -322,7 +322,7 @@ if ($search_type_thirdparty != '' && $search_type_thirdparty > 0) {
 	$sql .= " AND s.fk_typent IN (".$db->sanitize($search_type_thirdparty).')';
 }
 if ($search_sale > 0) {
-	$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".$search_sale;
+	$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = ".((int) $search_sale);
 }
 if ($search_user > 0) {
 	// The contact on a shipment is also the contact of the order.
@@ -353,7 +353,7 @@ if ($sall) {
 	$sql .= natural_search(array_keys($fieldstosearchall), $sall);
 }
 if ($search_categ_cus > 0) {
-	$sql .= " AND cc.fk_categorie = ".$db->escape($search_categ_cus);
+	$sql .= " AND cc.fk_categorie = ".((int) $search_categ_cus);
 }
 if ($search_categ_cus == -2) {
 	$sql .= " AND cc.fk_categorie IS NULL";
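Review bot: `$socid` is still concatenated without a cast on the `if ($socid > 0)` branch in the first hunk (`$sql .= ' AND s.rowid = '.$socid;`), although the same variable gets `((int) $socid)` on the `if ($socid)` branch a few lines later, so the hardening of this script leaves one clause behind; `$sql .= ' AND s.rowid = '.((int) $socid);` would close it. `$user->id` in the second hunk is likewise raw, but it comes from the authenticated session rather than the request, so it is lower priority. The other filters visible here already use `(int)` or `$db->sanitize()`, so these two are the remaining outliers in the visible code.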

