Fix: Sanitize data

commit 3b8694432cadf7bf5c3229d3450f7fd4089f057c 1 parent 3e71364
@simnandez simnandez authored
Showing with 21 additions and 21 deletions.
  1. +9 −9 htdocs/admin/propal.php
  2. +12 −12 htdocs/societe/admin/societe.php
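--- a/htdocs/admin/propal.php
+++ b/htdocs/admin/propal.php
@@ -46,8 +46,8 @@
 if ($action == 'updateMask')
 {
- $maskconstpropal=GETPOST("maskconstpropal");
- $maskpropal=GETPOST("maskpropal");
+ $maskconstpropal=GETPOST('maskconstpropal','alpha');
+ $maskpropal=GETPOST('maskpropal','alpha');
 if ($maskconstpropal) $res = dolibarr_set_const($db,$maskconstpropal,$maskpropal,'chaine',0,'',$conf->entity);
 if (! $res > 0) $error++;
@@ -64,7 +64,7 @@
 if ($action == 'specimen')
 {
- $modele=GETPOST("module");
+ $modele=GETPOST('module','alpha');
 $propal = new Propal($db);
 $propal->initAsSpecimen();
@@ -109,7 +109,7 @@
 if ($action == 'set_PROPALE_DRAFT_WATERMARK')
 {
- $draft = GETPOST("PROPALE_DRAFT_WATERMARK");
+ $draft = GETPOST('PROPALE_DRAFT_WATERMARK','alpha');
 $res = dolibarr_set_const($db, "PROPALE_DRAFT_WATERMARK",trim($draft),'chaine',0,'',$conf->entity);
 if (! $res > 0) $error++;
@@ -126,7 +126,7 @@
 if ($action == 'set_PROPALE_FREE_TEXT')
 {
- $freetext = GETPOST("PROPALE_FREE_TEXT");
+ $freetext = GETPOST('PROPALE_FREE_TEXT','alpha');
 $res = dolibarr_set_const($db, "PROPALE_FREE_TEXT",$freetext,'chaine',0,'',$conf->entity);
@@ -183,8 +183,8 @@
 if ($action == 'set')
 {
- $label = GETPOST("label");
- $scandir = GETPOST("scandir");
+ $label = GETPOST('label','alpha');
+ $scandir = GETPOST('scandir','alpha');
 $type='propal';
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)";
@@ -210,8 +210,8 @@
 else if ($action == 'setdoc')
 {
- $label = GETPOST("label");
- $scandir = GETPOST("scandir");
+ $label = GETPOST('label','alpha');
+ $scandir = GETPOST('scandir','alpha');
 $db->begin();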
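Review bot: The `'alpha'` check does not turn `$maskconstpropal` into an identifier, so the `dolibarr_set_const($db,$maskconstpropal,$maskpropal,…)` call in the first hunk still writes to whatever constant name the request supplies; as far as I recall Dolibarr's `'alpha'` filter only rejects a few dangerous sequences (double quote, `../`) rather than restricting the character set, which is worth confirming in GETPOST before treating this commit as a sanitization fix. If the intent is to constrain the name, add `if (! preg_match('/^[A-Za-z0-9_]+$/', $maskconstpropal)) $maskconstpropal='';` before the write so the existing `if ($maskconstpropal)` guard skips it. The same concern applies to `$modele` and `$scandir`, which name files on disk in the `specimen`/`set`/`setdoc` branches; an allowlist against the installed model names is the robust check there. None of these state-changing branches visibly verifies a request token, and each enclosing body continues outside its hunk, so confirm that the token check and the `$db->escape()` of the values appended to the `document_model` INSERT happen in the unseen lines.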
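--- a/htdocs/societe/admin/societe.php
+++ b/htdocs/societe/admin/societe.php
@@ -3,7 +3,7 @@
 * Copyright (C) 2004 Eric Seigne <eric.seigne@ryxeo.com>
 * Copyright (C) 2005-2011 Laurent Destailleur <eldy@users.sourceforge.net>
 * Copyright (C) 2005-2012 Regis Houssin <regis@dolibarr.fr>
- * Copyright (C) 2011 Juanjo Menent <jmenent@2byte.es>
+ * Copyright (C) 2011-2012 Juanjo Menent <jmenent@2byte.es>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -31,8 +31,8 @@
 $langs->load("admin");
-$action=GETPOST("action");
-$value=GETPOST("value");
+$action=GETPOST('action','alpha');
+$value=GETPOST('value','alpha');
 if (!$user->admin) accessforbidden();
@@ -69,7 +69,7 @@
 if ($action == 'COMPANY_USE_SEARCH_TO_SELECT')
 {
- $companysearch = GETPOST("activate_COMPANY_USE_SEARCH_TO_SELECT");
+ $companysearch = GETPOST('activate_COMPANY_USE_SEARCH_TO_SELECT','alpha');
 $res = dolibarr_set_const($db, "COMPANY_USE_SEARCH_TO_SELECT", $companysearch,'chaine',0,'',$conf->entity);
 if (! $res > 0) $error++;
 if (! $error)
@@ -93,8 +93,8 @@
 {
 if (array_key_exists('param'.$i,$_POST))
 {
- $param=$_POST["param".$i];
- $value=$_POST["value".$i];
+ $param=GETPOST("param".$i,'alpha');
+ $value=GETPOST("value".$i,'alpha');
 if ($param) $res = dolibarr_set_const($db,$param,$value,'chaine',0,'',$conf->entity);
 if (! $res > 0) $error++;
 }
@@ -114,8 +114,8 @@
 // Activate a document generator module
 if ($action == 'set')
 {
- $label = GETPOST("label");
- $scandir = GETPOST("scandir");
+ $label = GETPOST('label','alpha');
+ $scandir = GETPOST('scandir','alpha');
 $type='company';
 $sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)";
@@ -141,8 +141,8 @@
 // Define default generator
 if ($action == 'setdoc')
 {
- $label = GETPOST("label");
- $scandir = GETPOST("scandir");
+ $label = GETPOST('label','alpha');
+ $scandir = GETPOST('scandir','alpha');
 $db->begin();
@@ -154,7 +154,7 @@
 // On active le modele
 $type='company';
 $sql_del = "DELETE FROM ".MAIN_DB_PREFIX."document_model";
- $sql_del.= " WHERE nom = '".$db->escape($_GET["value"])."'";
+ $sql_del.= " WHERE nom = '".$db->escape(GETPOST('value','alpha'))."'";
 $sql_del.= " AND type = '".$type."'";
 $sql_del.= " AND entity = ".$conf->entity;
 dol_syslog("societe.php ".$sql);
@@ -181,7 +181,7 @@
 //Activate ProfId
 if ($action == 'setprofid')
 {
- $status = GETPOST("status");
+ $status = GETPOST('status','alpha');
 $idprof="SOCIETE_IDPROF".$value."_UNIQUE";
 if (dolibarr_set_const($db, $idprof,$status,'chaine',0,'',$conf->entity) > 0)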
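Review bot: In the `@@ -93,8` hunk the guard `array_key_exists('param'.$i,$_POST)` still tests `$_POST`, but the pair is now read with `GETPOST("param".$i,'alpha')` / `GETPOST("value".$i,'alpha')`, which — if GETPOST consults `$_GET` before `$_POST`, as I believe it does in this codebase — lets a GET-supplied `param1`/`value1` be honored once any matching POST key is present, something the old `$_POST[...]` reads did not allow. Read the guard and the values from the same source: either keep `$_POST["param".$i]` behind an explicit filter, or, if this GETPOST version has the method selector, use `$param=GETPOST("param".$i,'alpha',2); $value=GETPOST("value".$i,'alpha',2);`. `$param` is also the constant name handed to `dolibarr_set_const($db,$param,$value,…)` and `'alpha'` does not restrict it to an identifier, so `if (! preg_match('/^[A-Za-z0-9_]+$/', $param)) $param='';` before the write would enforce, via the existing `if ($param)` guard, what the commit title promises. In the last hunk `$idprof="SOCIETE_IDPROF".$value."_UNIQUE"` builds a constant name from the page-level `$value`, which for this branch is an index and would be tighter as `GETPOST('value','int')`; note that the `$value=GETPOST("value".$i,'alpha')` assignment in the earlier hunk reassigns that same page-level variable, which is harmless only while the branches remain mutually exclusive. The loop header above the `array_key_exists` line and the `setprofid` body both continue outside the hunks.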