7 年前 · fdedd6f75b
--- a/htdocs/accountancy/expensereport/lines.php
+++ b/htdocs/accountancy/expensereport/lines.php
@@ -106,7 +106,7 @@ if (is_array($changeaccount) && count($changeaccount) > 0) {
 
				 	$db->begin();
			
 
				 
			
 
				 	$sql1 = "UPDATE " . MAIN_DB_PREFIX . "expensereport_det as erd";
			
 
				-	$sql1 .= " SET erd.fk_code_ventilation=" . GETPOST('account_parent');
			
 
				+	$sql1 .= " SET erd.fk_code_ventilation=" . GETPOST('account_parent','int');
			
 
				 	$sql1 .= ' WHERE erd.rowid IN (' . implode(',', $changeaccount) . ')';
			
 
				 
			
 
				 	dol_syslog('accountancy/expensereport/lines.php::changeaccount sql= ' . $sql1);
			
--- a/htdocs/accountancy/supplier/lines.php
+++ b/htdocs/accountancy/supplier/lines.php
@@ -114,7 +114,7 @@ if (is_array($changeaccount) && count($changeaccount) > 0) {
 
				 	$db->begin();
			
 
				 
			
 
				 	$sql1 = "UPDATE " . MAIN_DB_PREFIX . "facture_fourn_det as l";
			
 
				-	$sql1 .= " SET l.fk_code_ventilation=" . GETPOST('account_parent');
			
 
				+	$sql1 .= " SET l.fk_code_ventilation=" . GETPOST('account_parent','int');
			
 
				 	$sql1 .= ' WHERE l.rowid IN (' . implode(',', $changeaccount) . ')';
			
 
				 
			
 
				 	dol_syslog('accountancy/supplier/lines.php::changeaccount sql= ' . $sql1);
			
--- a/htdocs/admin/external_rss.php
+++ b/htdocs/admin/external_rss.php
@@ -127,7 +127,7 @@ if ($_POST["delete"])
 
				 
			
 
				 		// Supprime boite box_external_rss de definition des boites
			
 
				         $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."boxes_def";
			
 
				-        $sql.= " WHERE file = 'box_external_rss.php' AND note LIKE '".GETPOST("norss")." %'";
			
 
				+        $sql.= " WHERE file = 'box_external_rss.php' AND note LIKE '".$db->escape(GETPOST("norss"))." %'";
			
 
				 
			
 
				 		$resql=$db->query($sql);
			
 
				 		if ($resql)
			
@@ -268,19 +268,19 @@ if ($resql)
 
				 		print '</td>';
			
 
				 		print "</tr>";
			
 
				 
			
 
				-		
			
 
				+
			
 
				 		print '<tr class="oddeven">';
			
 
				 		print "<td width=\"100px\">".$langs->trans("Title")."</td>";
			
 
				 		print "<td><input type=\"text\" class=\"flat minwidth300\" name=\"external_rss_title_" . $idrss . "\" value=\"" . $conf->global->$keyrsstitle . "\"></td>";
			
 
				 		print "</tr>";
			
 
				 
			
 
				-		
			
 
				+
			
 
				 		print '<tr class="oddeven">';
			
 
				 		print "<td>".$langs->trans("URL")."</td>";
			
 
				 		print "<td><input type=\"text\" class=\"flat minwidth300\" name=\"external_rss_urlrss_" . $idrss . "\" value=\"" . $conf->global->$keyrssurl . "\"></td>";
			
 
				 		print "</tr>";
			
 
				 
			
 
				-		
			
 
				+
			
 
				 		print '<tr class="oddeven">';
			
 
				 		print "<td>".$langs->trans("Status")."</td>";
			
 
				 		print "<td>";
			
@@ -301,7 +301,7 @@ if ($resql)
 
				 		// Logo
			
 
				 	    if ($result > 0 && empty($rss->error))
			
 
				 	    {
			
 
				-			
			
 
				+
			
 
				 			print '<tr class="oddeven">';
			
 
				 			print "<td>".$langs->trans("Logo")."</td>";
			
 
				 			print '<td>';
			
--- a/htdocs/compta/bank/ligne.php
+++ b/htdocs/compta/bank/ligne.php
@@ -92,11 +92,16 @@ if ($user->rights->banque->consolidate && $action == 'donext')
 
				 
			
 
				 if ($action == 'confirm_delete_categ' && $confirm == "yes" && $user->rights->banque->modifier)
			
 
				 {
			
 
				-    $sql = "DELETE FROM ".MAIN_DB_PREFIX."bank_class WHERE lineid = ".$rowid." AND fk_categ = ".GETPOST("cat1");
			
 
				-    if (! $db->query($sql))
			
 
				-    {
			
 
				-        dol_print_error($db);
			
 
				-    }
			
 
				+	$cat1=GETPOST("cat1",'int');
			
 
				+	if (!empty($rowid) && !empty($cat1)) {
			
 
				+		$sql = "DELETE FROM ".MAIN_DB_PREFIX."bank_class WHERE lineid = ".$rowid." AND fk_categ = ".$cat1;
			
 
				+    	if (! $db->query($sql))
			
 
				+    	{
			
 
				+        	dol_print_error($db);
			
 
				+    	}
			
 
				+	} else {
			
 
				+		setEventMessage('Missing ids','errors');
			
 
				+	}
			
 
				 }
			
 
				 
			
 
				 if ($user->rights->banque->modifier && $action == "update")
			
--- a/htdocs/fourn/facture/impayees.php
+++ b/htdocs/fourn/facture/impayees.php
@@ -141,7 +141,7 @@ if ($user->rights->fournisseur->facture->lire)
 
				 
			
 
				 	if (dol_strlen(GETPOST('sf_re')) > 0)
			
 
				 	{
			
 
				-		$sql .= " AND f.ref_supplier LIKE '%".GETPOST('sf_re')."%'";
			
 
				+		$sql .= " AND f.ref_supplier LIKE '%".$db->escape(GETPOST('sf_re'))."%'";
			
 
				 	}
			
 
				 
			
 
				 	$sql.= " GROUP BY s.rowid, s.nom, f.rowid, f.ref, f.ref_supplier, f.total_ht, f.total_ttc, f.datef, f.date_lim_reglement, f.paye, f.fk_statut";
			
--- a/htdocs/product/price.php
+++ b/htdocs/product/price.php
@@ -409,12 +409,12 @@ if (empty($reshook))
 
				 	if ($action == 'update_price_by_qty')
			
 
				 	{
			
 
				 		// Récupération des variables
			
 
				-		$rowid = GETPOST('rowid');
			
 
				-		$priceid = GETPOST('priceid');
			
 
				-		$newprice = price2num(GETPOST("price"), 'MU');
			
 
				+		$rowid = GETPOST('rowid','int');
			
 
				+		$priceid = GETPOST('priceid','int');
			
 
				+		$newprice = price2num(GETPOST("price",'int'), 'MU');
			
 
				 		// $newminprice=price2num(GETPOST("price_min"),'MU'); // TODO : Add min price management
			
 
				-		$quantity = GETPOST('quantity');
			
 
				-		$remise_percent = price2num(GETPOST('remise_percent'));
			
 
				+		$quantity = GETPOST('quantity','int');
			
 
				+		$remise_percent = price2num(GETPOST('remise_percent','int'));
			
 
				 		$remise = 0; // TODO : allow discount by amount when available on documents
			
 
				 
			
 
				 		if (empty($quantity)) {
			
@@ -442,7 +442,7 @@ if (empty($reshook))
 
				 				$sql .= " quantity=" . $quantity . ",";
			
 
				 				$sql .= " remise_percent=" . $remise_percent . ",";
			
 
				 				$sql .= " remise=" . $remise;
			
 
				-				$sql .= " WHERE rowid = " . GETPOST('rowid');
			
 
				+				$sql .= " WHERE rowid = " . $rowid;
			
 
				 
			
 
				 				$result = $db->query($sql);
			
 
				 				if (! $result) dol_print_error($db);
			
@@ -458,22 +458,28 @@ if (empty($reshook))
 
				 
			
 
				 	if ($action == 'delete_price_by_qty')
			
 
				 	{
			
 
				-		$rowid = GETPOST('rowid');
			
 
				-
			
 
				-		$sql = "DELETE FROM " . MAIN_DB_PREFIX . "product_price_by_qty";
			
 
				-		$sql .= " WHERE rowid = " . GETPOST('rowid');
			
 
				+		$rowid = GETPOST('rowid','int');
			
 
				+		if (!empty($rowid)) {
			
 
				+			$sql = "DELETE FROM " . MAIN_DB_PREFIX . "product_price_by_qty";
			
 
				+			$sql .= " WHERE rowid = " . $rowid;
			
 
				 
			
 
				-		$result = $db->query($sql);
			
 
				+			$result = $db->query($sql)
			
 
				+		} else {
			
 
				+			setEventMessage('delete_price_by_qty Missing Ids','errors');
			
 
				+		}
			
 
				 	}
			
 
				 
			
 
				 	if ($action == 'delete_all_price_by_qty')
			
 
				 	{
			
 
				-		$priceid = GETPOST('priceid');
			
 
				-
			
 
				+		$priceid = GETPOST('priceid','int');
			
 
				+		if (!empty($rowid)) {
			
 
				 		$sql = "DELETE FROM " . MAIN_DB_PREFIX . "product_price_by_qty";
			
 
				 		$sql .= " WHERE fk_product_price = " . $priceid;
			
 
				 
			
 
				 		$result = $db->query($sql);
			
 
				+		} else {
			
 
				+			setEventMessage('delete_all_price_by_qty Missing Ids','errors');
			
 
				+		}
			
 
				 	}
			
 
				 
			
 
				 	/**
			
@@ -485,7 +491,7 @@ if (empty($reshook))
 
				 
			
 
				 		$maxpricesupplier = $object->min_recommended_price();
			
 
				 
			
 
				-		$update_child_soc = GETPOST('updatechildprice');
			
 
				+		$update_child_soc = GETPOST('updatechildprice','int');
			
 
				 
			
 
				 		// add price by customer
			
 
				 		$prodcustprice->fk_soc = GETPOST('socid', 'int');
			
@@ -585,7 +591,7 @@ if (empty($reshook))
 
				 	{
			
 
				 		$maxpricesupplier = $object->min_recommended_price();
			
 
				 
			
 
				-		$update_child_soc = GETPOST('updatechildprice');
			
 
				+		$update_child_soc = GETPOST('updatechildprice','int');
			
 
				 
			
 
				 		$prodcustprice->fetch(GETPOST('lineid', 'int'));