Home Explore Help
Sign In
iProspective
/
dolibarr
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

fix 7963

florian HENRY 7 years ago
parent
968bb8a100
commit
fdedd6f75b
6 changed files with 39 additions and 28 deletions
Split View Show Diff Stats
  1. 1 1
      htdocs/accountancy/expensereport/lines.php
  2. 1 1
      htdocs/accountancy/supplier/lines.php
  3. 5 5
      htdocs/admin/external_rss.php
  4. 10 5
      htdocs/compta/bank/ligne.php
  5. 1 1
      htdocs/fourn/facture/impayees.php
  6. 21 15
      htdocs/product/price.php

+ 1 - 1
htdocs/accountancy/expensereport/lines.php
View File 

@@ -106,7 +106,7 @@ if (is_array($changeaccount) && count($changeaccount) > 0) {
 
 	$db->begin();
 
 
 	$sql1 = "UPDATE " . MAIN_DB_PREFIX . "expensereport_det as erd";
 
-	$sql1 .= " SET erd.fk_code_ventilation=" . GETPOST('account_parent');
 
+	$sql1 .= " SET erd.fk_code_ventilation=" . GETPOST('account_parent','int');
 
 	$sql1 .= ' WHERE erd.rowid IN (' . implode(',', $changeaccount) . ')';
 
 
 	dol_syslog('accountancy/expensereport/lines.php::changeaccount sql= ' . $sql1);

+ 1 - 1
htdocs/accountancy/supplier/lines.php
View File 

@@ -114,7 +114,7 @@ if (is_array($changeaccount) && count($changeaccount) > 0) {
 
 	$db->begin();
 
 
 	$sql1 = "UPDATE " . MAIN_DB_PREFIX . "facture_fourn_det as l";
 
-	$sql1 .= " SET l.fk_code_ventilation=" . GETPOST('account_parent');
 
+	$sql1 .= " SET l.fk_code_ventilation=" . GETPOST('account_parent','int');
 
 	$sql1 .= ' WHERE l.rowid IN (' . implode(',', $changeaccount) . ')';
 
 
 	dol_syslog('accountancy/supplier/lines.php::changeaccount sql= ' . $sql1);

+ 5 - 5
htdocs/admin/external_rss.php
View File 

@@ -127,7 +127,7 @@ if ($_POST["delete"])
 
 
 		// Supprime boite box_external_rss de definition des boites
 
         $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."boxes_def";
 
-        $sql.= " WHERE file = 'box_external_rss.php' AND note LIKE '".GETPOST("norss")." %'";
 
+        $sql.= " WHERE file = 'box_external_rss.php' AND note LIKE '".$db->escape(GETPOST("norss"))." %'";
 
 
 		$resql=$db->query($sql);
 
 		if ($resql)
 
@@ -268,19 +268,19 @@ if ($resql)
 
 		print '</td>';
 
 		print "</tr>";
 
 
-		
+
 
 		print '<tr class="oddeven">';
 
 		print "<td width=\"100px\">".$langs->trans("Title")."</td>";
 
 		print "<td><input type=\"text\" class=\"flat minwidth300\" name=\"external_rss_title_" . $idrss . "\" value=\"" . $conf->global->$keyrsstitle . "\"></td>";
 
 		print "</tr>";
 
 
-		
+
 
 		print '<tr class="oddeven">';
 
 		print "<td>".$langs->trans("URL")."</td>";
 
 		print "<td><input type=\"text\" class=\"flat minwidth300\" name=\"external_rss_urlrss_" . $idrss . "\" value=\"" . $conf->global->$keyrssurl . "\"></td>";
 
 		print "</tr>";
 
 
-		
+
 
 		print '<tr class="oddeven">';
 
 		print "<td>".$langs->trans("Status")."</td>";
 
 		print "<td>";
 
@@ -301,7 +301,7 @@ if ($resql)
 
 		// Logo
 
 	    if ($result > 0 && empty($rss->error))
 
 	    {
 
-			
+
 
 			print '<tr class="oddeven">';
 
 			print "<td>".$langs->trans("Logo")."</td>";
 
 			print '<td>';

+ 10 - 5
htdocs/compta/bank/ligne.php
View File 

@@ -92,11 +92,16 @@ if ($user->rights->banque->consolidate && $action == 'donext')
 
 
 if ($action == 'confirm_delete_categ' && $confirm == "yes" && $user->rights->banque->modifier)
 
 {
 
-    $sql = "DELETE FROM ".MAIN_DB_PREFIX."bank_class WHERE lineid = ".$rowid." AND fk_categ = ".GETPOST("cat1");
 
-    if (! $db->query($sql))
 
-    {
 
-        dol_print_error($db);
 
-    }
 
+	$cat1=GETPOST("cat1",'int');
 
+	if (!empty($rowid) && !empty($cat1)) {
 
+		$sql = "DELETE FROM ".MAIN_DB_PREFIX."bank_class WHERE lineid = ".$rowid." AND fk_categ = ".$cat1;
 
+    	if (! $db->query($sql))
 
+    	{
 
+        	dol_print_error($db);
 
+    	}
 
+	} else {
 
+		setEventMessage('Missing ids','errors');
 
+	}
 
 }
 
 
 if ($user->rights->banque->modifier && $action == "update")

+ 1 - 1
htdocs/fourn/facture/impayees.php
View File 

@@ -141,7 +141,7 @@ if ($user->rights->fournisseur->facture->lire)
 
 
 	if (dol_strlen(GETPOST('sf_re')) > 0)
 
 	{
 
-		$sql .= " AND f.ref_supplier LIKE '%".GETPOST('sf_re')."%'";
 
+		$sql .= " AND f.ref_supplier LIKE '%".$db->escape(GETPOST('sf_re'))."%'";
 
 	}
 
 
 	$sql.= " GROUP BY s.rowid, s.nom, f.rowid, f.ref, f.ref_supplier, f.total_ht, f.total_ttc, f.datef, f.date_lim_reglement, f.paye, f.fk_statut";

+ 21 - 15
htdocs/product/price.php
View File 

@@ -409,12 +409,12 @@ if (empty($reshook))
 
 	if ($action == 'update_price_by_qty')
 
 	{
 
 		// Récupération des variables
 
-		$rowid = GETPOST('rowid');
 
-		$priceid = GETPOST('priceid');
 
-		$newprice = price2num(GETPOST("price"), 'MU');
 
+		$rowid = GETPOST('rowid','int');
 
+		$priceid = GETPOST('priceid','int');
 
+		$newprice = price2num(GETPOST("price",'int'), 'MU');
 
 		// $newminprice=price2num(GETPOST("price_min"),'MU'); // TODO : Add min price management
 
-		$quantity = GETPOST('quantity');
 
-		$remise_percent = price2num(GETPOST('remise_percent'));
 
+		$quantity = GETPOST('quantity','int');
 
+		$remise_percent = price2num(GETPOST('remise_percent','int'));
 
 		$remise = 0; // TODO : allow discount by amount when available on documents
 
 
 		if (empty($quantity)) {
 
@@ -442,7 +442,7 @@ if (empty($reshook))
 
 				$sql .= " quantity=" . $quantity . ",";
 
 				$sql .= " remise_percent=" . $remise_percent . ",";
 
 				$sql .= " remise=" . $remise;
 
-				$sql .= " WHERE rowid = " . GETPOST('rowid');
 
+				$sql .= " WHERE rowid = " . $rowid;
 
 
 				$result = $db->query($sql);
 
 				if (! $result) dol_print_error($db);
 
@@ -458,22 +458,28 @@ if (empty($reshook))
 
 
 	if ($action == 'delete_price_by_qty')
 
 	{
 
-		$rowid = GETPOST('rowid');
 
-
 
-		$sql = "DELETE FROM " . MAIN_DB_PREFIX . "product_price_by_qty";
 
-		$sql .= " WHERE rowid = " . GETPOST('rowid');
 
+		$rowid = GETPOST('rowid','int');
 
+		if (!empty($rowid)) {
 
+			$sql = "DELETE FROM " . MAIN_DB_PREFIX . "product_price_by_qty";
 
+			$sql .= " WHERE rowid = " . $rowid;
 
 
-		$result = $db->query($sql);
 
+			$result = $db->query($sql)
 
+		} else {
 
+			setEventMessage('delete_price_by_qty Missing Ids','errors');
 
+		}
 
 	}
 
 
 	if ($action == 'delete_all_price_by_qty')
 
 	{
 
-		$priceid = GETPOST('priceid');
 
-
 
+		$priceid = GETPOST('priceid','int');
 
+		if (!empty($rowid)) {
 
 		$sql = "DELETE FROM " . MAIN_DB_PREFIX . "product_price_by_qty";
 
 		$sql .= " WHERE fk_product_price = " . $priceid;
 
 
 		$result = $db->query($sql);
 
+		} else {
 
+			setEventMessage('delete_all_price_by_qty Missing Ids','errors');
 
+		}
 
 	}
 
 
 	/**
 
@@ -485,7 +491,7 @@ if (empty($reshook))
 
 
 		$maxpricesupplier = $object->min_recommended_price();
 
 
-		$update_child_soc = GETPOST('updatechildprice');
 
+		$update_child_soc = GETPOST('updatechildprice','int');
 
 
 		// add price by customer
 
 		$prodcustprice->fk_soc = GETPOST('socid', 'int');
 
@@ -585,7 +591,7 @@ if (empty($reshook))
 
 	{
 
 		$maxpricesupplier = $object->min_recommended_price();
 
 
-		$update_child_soc = GETPOST('updatechildprice');
 
+		$update_child_soc = GETPOST('updatechildprice','int');
 
 
 		$prodcustprice->fetch(GETPOST('lineid', 'int'));