florian HENRY 7 years ago
parent
commit
fdedd6f75b

+ 1 - 1
htdocs/accountancy/expensereport/lines.php

@@ -106,7 +106,7 @@ if (is_array($changeaccount) && count($changeaccount) > 0) {
 	$db->begin();
 
 	$sql1 = "UPDATE " . MAIN_DB_PREFIX . "expensereport_det as erd";
-	$sql1 .= " SET erd.fk_code_ventilation=" . GETPOST('account_parent');
+	$sql1 .= " SET erd.fk_code_ventilation=" . GETPOST('account_parent','int');
 	$sql1 .= ' WHERE erd.rowid IN (' . implode(',', $changeaccount) . ')';
 
 	dol_syslog('accountancy/expensereport/lines.php::changeaccount sql= ' . $sql1);
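Review bot: The `IN (` list on the WHERE line is still built from `implode(',', $changeaccount)` with no per-element cast, so the commit hardens only the SET side of this UPDATE; unless `$changeaccount` is already sanitized where it is read (outside this hunk), it should be `implode(',', array_map('intval', $changeaccount))`. Separately, if `GETPOST('account_parent','int')` returns an empty string for non-numeric input (its behaviour is not visible here), the statement degrades to `SET erd.fk_code_ventilation=` and fails inside the transaction; casting at the point of use, `((int) GETPOST('account_parent','int'))`, or rejecting an empty value before `$db->begin()` closes that gap. The enclosing `if (is_array($changeaccount) ...)` block continues past the hunk.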

+ 1 - 1
htdocs/accountancy/supplier/lines.php

@@ -114,7 +114,7 @@ if (is_array($changeaccount) && count($changeaccount) > 0) {
 	$db->begin();
 
 	$sql1 = "UPDATE " . MAIN_DB_PREFIX . "facture_fourn_det as l";
-	$sql1 .= " SET l.fk_code_ventilation=" . GETPOST('account_parent');
+	$sql1 .= " SET l.fk_code_ventilation=" . GETPOST('account_parent','int');
 	$sql1 .= ' WHERE l.rowid IN (' . implode(',', $changeaccount) . ')';
 
 	dol_syslog('accountancy/supplier/lines.php::changeaccount sql= ' . $sql1);
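Review bot: As in the expensereport counterpart, the `WHERE l.rowid IN (` list is built from `implode(',', $changeaccount)` with no cast, so a non-integer element still reaches the SQL; `implode(',', array_map('intval', $changeaccount))` makes the statement safe regardless of how `$changeaccount` was read outside this hunk. The new `GETPOST('account_parent','int')` also needs a guard or cast (`((int) GETPOST('account_parent','int'))`) so that a non-numeric value cannot leave `SET l.fk_code_ventilation=` with nothing after the `=`. The enclosing block continues past the hunk.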

+ 5 - 5
htdocs/admin/external_rss.php

@@ -127,7 +127,7 @@ if ($_POST["delete"])
 
 		// Supprime boite box_external_rss de definition des boites
         $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."boxes_def";
-        $sql.= " WHERE file = 'box_external_rss.php' AND note LIKE '".GETPOST("norss")." %'";
+        $sql.= " WHERE file = 'box_external_rss.php' AND note LIKE '".$db->escape(GETPOST("norss"))." %'";
 
 		$resql=$db->query($sql);
 		if ($resql)
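Review bot: `$db->escape()` on the `norss` value keeps it inside the string literal, but `%` and `_` stay live LIKE wildcards, so a value such as `%` matches every `box_external_rss.php` row and the deletion this branch performs (per the comment above the query) then hits all of them. From the `note LIKE '<norss> %'` pattern the value looks like a numeric feed id; if that holds, read it as an integer and cast, `$norss = (int) GETPOST("norss",'int');` then `note LIKE '".$norss." %'`, and refuse the delete when it is 0. If it can legitimately be text, escape the wildcard characters (`\%`, `\_`) before `$db->escape()`. The remaining hunks in this file are whitespace-only.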
@@ -268,19 +268,19 @@ if ($resql)
 		print '</td>';
 		print "</tr>";
 
-		
+
 		print '<tr class="oddeven">';
 		print "<td width=\"100px\">".$langs->trans("Title")."</td>";
 		print "<td><input type=\"text\" class=\"flat minwidth300\" name=\"external_rss_title_" . $idrss . "\" value=\"" . $conf->global->$keyrsstitle . "\"></td>";
 		print "</tr>";
 
-		
+
 		print '<tr class="oddeven">';
 		print "<td>".$langs->trans("URL")."</td>";
 		print "<td><input type=\"text\" class=\"flat minwidth300\" name=\"external_rss_urlrss_" . $idrss . "\" value=\"" . $conf->global->$keyrssurl . "\"></td>";
 		print "</tr>";
 
-		
+
 		print '<tr class="oddeven">';
 		print "<td>".$langs->trans("Status")."</td>";
 		print "<td>";
@@ -301,7 +301,7 @@ if ($resql)
 		// Logo
 	    if ($result > 0 && empty($rss->error))
 	    {
-			
+
 			print '<tr class="oddeven">';
 			print "<td>".$langs->trans("Logo")."</td>";
 			print '<td>';

+ 10 - 5
htdocs/compta/bank/ligne.php

@@ -92,11 +92,16 @@ if ($user->rights->banque->consolidate && $action == 'donext')
 
 if ($action == 'confirm_delete_categ' && $confirm == "yes" && $user->rights->banque->modifier)
 {
-    $sql = "DELETE FROM ".MAIN_DB_PREFIX."bank_class WHERE lineid = ".$rowid." AND fk_categ = ".GETPOST("cat1");
-    if (! $db->query($sql))
-    {
-        dol_print_error($db);
-    }
+	$cat1=GETPOST("cat1",'int');
+	if (!empty($rowid) && !empty($cat1)) {
+		$sql = "DELETE FROM ".MAIN_DB_PREFIX."bank_class WHERE lineid = ".$rowid." AND fk_categ = ".$cat1;
+    	if (! $db->query($sql))
+    	{
+        	dol_print_error($db);
+    	}
+	} else {
+		setEventMessage('Missing ids','errors');
+	}
 }
 
 if ($user->rights->banque->modifier && $action == "update")
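Review bot: `$rowid` on the DELETE line is still concatenated into the SQL unchanged, so the new guard sanitizes only `cat1`; `$rowid` is assigned outside this hunk, and unless that assignment uses `GETPOST(...,'int')` the statement remains injectable through the line id. Casting at the point of use costs nothing and does not depend on the caller: `$sql = "DELETE FROM ".MAIN_DB_PREFIX."bank_class WHERE lineid = ".((int) $rowid)." AND fk_categ = ".((int) $cat1);`. The inner `if (! $db->query($sql))` and its braces mix spaces with the tabs used on the surrounding new lines; match the tabs.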

+ 1 - 1
htdocs/fourn/facture/impayees.php

@@ -141,7 +141,7 @@ if ($user->rights->fournisseur->facture->lire)
 
 	if (dol_strlen(GETPOST('sf_re')) > 0)
 	{
-		$sql .= " AND f.ref_supplier LIKE '%".GETPOST('sf_re')."%'";
+		$sql .= " AND f.ref_supplier LIKE '%".$db->escape(GETPOST('sf_re'))."%'";
 	}
 
 	$sql.= " GROUP BY s.rowid, s.nom, f.rowid, f.ref, f.ref_supplier, f.total_ht, f.total_ttc, f.datef, f.date_lim_reglement, f.paye, f.fk_statut";
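Review bot: `$db->escape()` keeps the `sf_re` value inside the string literal, but `%` and `_` in it remain live LIKE wildcards; for a supplier-reference search box that may well be intended, and if so a comment on the line would spare the next reader re-auditing it, `// escape() does not neutralise LIKE wildcards; % and _ are deliberately searchable`. As a point of style, `GETPOST('sf_re')` is now evaluated twice (length test and filter); read it once into a local, `$sf_re = GETPOST('sf_re');`, and use that in both places.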

+ 21 - 15
htdocs/product/price.php

@@ -409,12 +409,12 @@ if (empty($reshook))
 	if ($action == 'update_price_by_qty')
 	{
 		// Récupération des variables
-		$rowid = GETPOST('rowid');
-		$priceid = GETPOST('priceid');
-		$newprice = price2num(GETPOST("price"), 'MU');
+		$rowid = GETPOST('rowid','int');
+		$priceid = GETPOST('priceid','int');
+		$newprice = price2num(GETPOST("price",'int'), 'MU');
 		// $newminprice=price2num(GETPOST("price_min"),'MU'); // TODO : Add min price management
-		$quantity = GETPOST('quantity');
-		$remise_percent = price2num(GETPOST('remise_percent'));
+		$quantity = GETPOST('quantity','int');
+		$remise_percent = price2num(GETPOST('remise_percent','int'));
 		$remise = 0; // TODO : allow discount by amount when available on documents
 
 		if (empty($quantity)) {
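Review bot: Passing `'int'` to GETPOST for `price` and `remise_percent` (`$newprice = price2num(GETPOST("price",'int'), 'MU');` and the `remise_percent` line) works against the `price2num()` call wrapped around each: price2num exists to accept a locale-formatted decimal such as `12,50`, and if the 'int' check empties or truncates a non-integer string (GETPOST's handling is outside the hunk) the saved price silently becomes empty or wrong. Keep those two as plain `GETPOST("price")` / `GETPOST('remise_percent')` and make the value safe where the SQL is built, e.g. `(float) price2num(...)`; the 'int' check is appropriate for `rowid`, `priceid` and `quantity`. The `update_price_by_qty` branch continues past the hunk.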
@@ -442,7 +442,7 @@ if (empty($reshook))
 				$sql .= " quantity=" . $quantity . ",";
 				$sql .= " remise_percent=" . $remise_percent . ",";
 				$sql .= " remise=" . $remise;
-				$sql .= " WHERE rowid = " . GETPOST('rowid');
+				$sql .= " WHERE rowid = " . $rowid;
 
 				$result = $db->query($sql);
 				if (! $result) dol_print_error($db);
@@ -458,22 +458,28 @@ if (empty($reshook))
 
 	if ($action == 'delete_price_by_qty')
 	{
-		$rowid = GETPOST('rowid');
-
-		$sql = "DELETE FROM " . MAIN_DB_PREFIX . "product_price_by_qty";
-		$sql .= " WHERE rowid = " . GETPOST('rowid');
+		$rowid = GETPOST('rowid','int');
+		if (!empty($rowid)) {
+			$sql = "DELETE FROM " . MAIN_DB_PREFIX . "product_price_by_qty";
+			$sql .= " WHERE rowid = " . $rowid;
 
-		$result = $db->query($sql);
+			$result = $db->query($sql)
+		} else {
+			setEventMessage('delete_price_by_qty Missing Ids','errors');
+		}
 	}
 
 	if ($action == 'delete_all_price_by_qty')
 	{
-		$priceid = GETPOST('priceid');
-
+		$priceid = GETPOST('priceid','int');
+		if (!empty($rowid)) {
 		$sql = "DELETE FROM " . MAIN_DB_PREFIX . "product_price_by_qty";
 		$sql .= " WHERE fk_product_price = " . $priceid;
 
 		$result = $db->query($sql);
+		} else {
+			setEventMessage('delete_all_price_by_qty Missing Ids','errors');
+		}
 	}
 
 	/**
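Review bot: The new line `$result = $db->query($sql)` in `delete_price_by_qty` has no terminating semicolon, so the file no longer parses and the whole page fatals on load, not only on that action. In `delete_all_price_by_qty` the guard tests `!empty($rowid)` while the statement uses `$priceid`, so the deletion is allowed or refused on the wrong request parameter (and `$rowid` is unset here unless an earlier branch assigned it); it should read `if (!empty($priceid)) {`. Both delete statements would also be safer casting at the point of use, `" WHERE rowid = " . ((int) $rowid)` and `" WHERE fk_product_price = " . ((int) $priceid)`, so sanitization does not depend on the guard. The three lines inside the new `delete_all_price_by_qty` `if` are not indented under it.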
@@ -485,7 +491,7 @@ if (empty($reshook))
 
 		$maxpricesupplier = $object->min_recommended_price();
 
-		$update_child_soc = GETPOST('updatechildprice');
+		$update_child_soc = GETPOST('updatechildprice','int');
 
 		// add price by customer
 		$prodcustprice->fk_soc = GETPOST('socid', 'int');
@@ -585,7 +591,7 @@ if (empty($reshook))
 	{
 		$maxpricesupplier = $object->min_recommended_price();
 
-		$update_child_soc = GETPOST('updatechildprice');
+		$update_child_soc = GETPOST('updatechildprice','int');
 
 		$prodcustprice->fetch(GETPOST('lineid', 'int'));