
Fix: Sanitize data

1 parent 2e7ce76 commit a0cae7709c358afa998d4bee8804d93f77597db4 @simnandez simnandez committed Mar 29, 2012
@@ -4,8 +4,8 @@
* Copyright (C) 2004-2012 Laurent Destailleur <eldy@users.sourceforge.net>
* Copyright (C) 2004 Sebastien Di Cintio <sdicintio@ressource-toi.org>
* Copyright (C) 2004 Benoit Mortier <benoit.mortier@opensides.be>
- * Copyright (C) 2005-2011 Regis Houssin <regis@dolibarr.fr>
- * Copyright (C) 2011 Juanjo Menent <jmenent@2byte.es>
+ * Copyright (C) 2005-2012 Regis Houssin <regis@dolibarr.fr>
+ * Copyright (C) 2011-2012 Juanjo Menent <jmenent@2byte.es>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -39,7 +39,7 @@
$type=array('yesno','texte','chaine');
-$action = GETPOST("action");
+$action = POST('action','alpha');
/*
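Review bot: `POST('action','alpha')` on the new line calls a function that every other hunk in this commit spells `GETPOST`; unless a `POST()` helper exists in this codebase (none is visible here), this is an undefined-function fatal error on every request to the page, and it would be easy to miss because the admin page simply stops rendering. The intended line is `$action = GETPOST('action','alpha');`. The surrounding statement run continues outside the hunk.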
@@ -78,7 +78,7 @@
// Action activation d'un sous module du module adherent
if ($action == 'set')
{
- $result=dolibarr_set_const($db, $_GET["name"],$_GET["value"],'',0,'',$conf->entity);
+ $result=dolibarr_set_const($db, GETPOST('name','alpha'),GETPOST('value','alpha'),'',0,'',$conf->entity);
if ($result < 0)
{
print $db->error();
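Review bot: The constant name passed to `dolibarr_set_const` on the new line (and to `dolibarr_del_const` in the next hunk) still comes straight from the request; the `'alpha'` check constrains which characters `name` may contain (exactly what it rejects depends on `check_parameters`, which is not visible here) but not which constant may be written or deleted, so any constant of the current entity can be set from this page. Since the `set`/`unset` branches exist for one module's sub-features, validate `name` against an allow-list of the constants this page manages before calling `dolibarr_set_const`, e.g. `$name = GETPOST('name','alpha'); if (! in_array($name, $allowedconsts, true)) accessforbidden();` with `$allowedconsts` holding that page's constant names. The access check that presumably guards this page is outside the hunk, so I cannot confirm it; the `if ($action == 'set')` block also continues past the hunk.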
@@ -88,7 +88,7 @@
// Action desactivation d'un sous module du module adherent
if ($action == 'unset')
{
- $result=dolibarr_del_const($db,$_GET["name"],$conf->entity);
+ $result=dolibarr_del_const($db,GETPOST('name','alpha'),$conf->entity);
if ($result < 0)
{
print $db->error();
@@ -4,7 +4,7 @@
* Copyright (C) 2005-2011 Regis Houssin <regis@dolibarr.fr>
* Copyright (C) 2004 Sebastien Di Cintio <sdicintio@ressource-toi.org>
* Copyright (C) 2004 Benoit Mortier <benoit.mortier@opensides.be>
- * Copyright (C) 2010-2011 Juanjo Menent <jmenent@2byte.es>
+ * Copyright (C) 2010-2012 Juanjo Menent <jmenent@2byte.es>
* Copyright (C) 2011 Philippe Grand <philippe.grand@atoo-net.com>
*
* This program is free software; you can redistribute it and/or modify
@@ -38,9 +38,9 @@
if (!$user->admin)
accessforbidden();
-$type=GETPOST('type');
-$value=GETPOST('value');
-$action=GETPOST('action');
+$type=GETPOST('type', 'alpha');
+$value=GETPOST('value', 'alpha');
+$action=GETPOST('action', 'alpha');
$specimenthirdparty=new Societe($db);
$specimenthirdparty->initAsSpecimen();
@@ -52,8 +52,9 @@
if ($action == 'updateMask')
{
- $maskconstorder=$_POST['maskconstorder'];
- $maskorder=$_POST['maskorder'];
+ $maskconstorder=GETPOST('maskconstorder','alpha');
+ $maskorder=GETPOST('maskorder','alpha');
+
if ($maskconstorder) $res = dolibarr_set_const($db,$maskconstorder,$maskorder,'chaine',0,'',$conf->entity);
if (! $res > 0) $error++;
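Review bot: `if (! $res > 0) $error++;` on the last context line does not detect a failed `dolibarr_set_const`: `!` binds tighter than `>`, so the condition is `(! $res) > 0`, which is true only when `$res` is falsy, while the error convention visible in this commit is a negative return (`if ($result < 0)` in the earlier hunk), and a negative value is truthy and therefore never counted. The same line recurs after `set_SUPPLIER_INVOICE_FREE_TEXT` and after the cashdesk `set` block in later hunks. Also, when `$maskconstorder` is empty `$res` is never assigned and the check reads an undefined variable. Initialise it and compare explicitly: `$res = 0;` before the `if ($maskconstorder)` line and `if ($res <= 0) $error++;` in place of the current check.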
@@ -70,7 +71,7 @@
if ($action == 'specimen') // For orders
{
- $modele=GETPOST("module");
+ $modele=GETPOST('module','alpha');
$commande = new CommandeFournisseur($db);
$commande->initAsSpecimen();
@@ -116,7 +117,7 @@
if ($action == 'specimenfacture') // For invoices
{
- $modele=GETPOST("module");
+ $modele=GETPOST('module','alpha');
$facture = new FactureFournisseur($db);
$facture->initAsSpecimen();
@@ -162,10 +163,13 @@
if ($action == 'set')
{
+ $label = GETPOST('label','alpha');
+ $scandir = GETPOST('scandir','alpha');
+
$sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)";
$sql.= " VALUES ('".$db->escape($value)."','".$type."',".$conf->entity.", ";
- $sql.= ($_GET["label"]?"'".$db->escape($_GET["label"])."'":'null').", ";
- $sql.= (! empty($_GET["scandir"])?"'".$db->escape($_GET["scandir"])."'":"null");
+ $sql.= ($label?"'".$db->escape($label)."'":'null').", ";
+ $sql.= (! empty($scandir)?"'".$db->escape($scandir)."'":"null");
$sql.= ")";
$res=$db->query($sql);
if ($res)
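Review bot: `$type` is concatenated into the INSERT on the `VALUES` line without `$db->escape()`, while `$value`, `$label` and `$scandir` on the neighbouring lines are escaped; `$type` now comes from `GETPOST('type', 'alpha')` in an earlier hunk, and whether the `'alpha'` check strips quotes is decided by `check_parameters`, which is not visible here, so the SQL should not depend on it. Escape it like the other columns: `$sql.= " VALUES ('".$db->escape($value)."','".$db->escape($type)."',".$conf->entity.", ";`. The identical `VALUES` line in the `setdoc` branch two hunks below needs the same change. The `if ($action == 'set')` block continues past the hunk.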
@@ -191,14 +195,17 @@
if ($action == 'setdoc')
{
+ $label = GETPOST('label','alpha');
+ $scandir = GETPOST('scandir','alpha');
+
$db->begin();
- if ($_GET["type"] == 'order_supplier' && dolibarr_set_const($db, "COMMANDE_SUPPLIER_ADDON_PDF",$value,'chaine',0,'',$conf->entity))
+ if ($type == 'order_supplier' && dolibarr_set_const($db, "COMMANDE_SUPPLIER_ADDON_PDF",$value,'chaine',0,'',$conf->entity))
{
$conf->global->COMMANDE_SUPPLIER_ADDON_PDF = $value;
}
- if ($_GET["type"] == 'invoice_supplier' && dolibarr_set_const($db, "INVOICE_SUPPLIER_ADDON_PDF",$value,'chaine',0,'',$conf->entity))
+ if ($type == 'invoice_supplier' && dolibarr_set_const($db, "INVOICE_SUPPLIER_ADDON_PDF",$value,'chaine',0,'',$conf->entity))
{
$conf->global->INVOICE_SUPPLIER_ADDON_PDF = $value;
}
@@ -212,8 +219,8 @@
$sql = "INSERT INTO ".MAIN_DB_PREFIX."document_model (nom, type, entity, libelle, description)";
$sql.= " VALUES ('".$db->escape($value)."', '".$type."', ".$conf->entity.", ";
- $sql.= ($_GET["label"]?"'".$db->escape($_GET["label"])."'":'null').", ";
- $sql.= (! empty($_GET["scandir"])?"'".$db->escape($_GET["scandir"])."'":"null");
+ $sql.= ($label?"'".$db->escape($label)."'":'null').", ";
+ $sql.= (! empty($scandir)?"'".$db->escape($scandir)."'":"null");
$sql.= ")";
$result2=$db->query($sql);
if ($result1 && $result2)
@@ -242,7 +249,7 @@
if ($action == 'set_SUPPLIER_INVOICE_FREE_TEXT')
{
- $free = GETPOST("SUPPLIER_INVOICE_FREE_TEXT");
+ $free = GETPOST('SUPPLIER_INVOICE_FREE_TEXT','alpha');
$res = dolibarr_set_const($db, "SUPPLIER_INVOICE_FREE_TEXT",$free,'chaine',0,'',$conf->entity);
if (! $res > 0) $error++;
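Review bot: `SUPPLIER_INVOICE_FREE_TEXT` is free-form text that users type into a textarea, so reading it with the `'alpha'` check is likely the wrong filter: if that check rejects or strips quotes or angle brackets (its behaviour is in `check_parameters`, not visible here), an apostrophe in a perfectly normal invoice footer would make the stored value empty or truncated without any error shown. Confirm what `'alpha'` does to such input and, if it is lossy, store the text through whatever check this Dolibarr version provides for free text, escaping at output instead. The `if (! $res > 0)` precedence issue raised on the `updateMask` hunk applies to the last line here too.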
@@ -1,6 +1,6 @@
<?php
/* Copyright (C) 2008-2011 Laurent Destailleur <eldy@users.sourceforge.net>
- * Copyright (C) 2011 Juanjo Menent <jmenent@2byte.es>
+ * Copyright (C) 2011-2012 Juanjo Menent <jmenent@2byte.es>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -29,9 +29,9 @@
// If socid provided by ajax company selector
if (! empty($_REQUEST['CASHDESK_ID_THIRDPARTY_id']))
{
- $_GET['CASHDESK_ID_THIRDPARTY'] = $_GET['CASHDESK_ID_THIRDPARTY_id'];
- $_POST['CASHDESK_ID_THIRDPARTY'] = $_POST['CASHDESK_ID_THIRDPARTY_id'];
- $_REQUEST['CASHDESK_ID_THIRDPARTY'] = $_REQUEST['CASHDESK_ID_THIRDPARTY_id'];
+ $_GET['CASHDESK_ID_THIRDPARTY'] = GETPOST('CASHDESK_ID_THIRDPARTY_id','alpha');
+ $_POST['CASHDESK_ID_THIRDPARTY'] = GETPOST('CASHDESK_ID_THIRDPARTY_id','alpha');
+ $_REQUEST['CASHDESK_ID_THIRDPARTY'] = GETPOST('CASHDESK_ID_THIRDPARTY_id','alpha');
}
// Security check
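Review bot: `CASHDESK_ID_THIRDPARTY_id` is a third-party row id, yet the three new lines read it with the `'alpha'` check, whereas the same file already reads the equivalent value as `GETPOST('socid','int')` in a later hunk; `'int'` is the tighter and more consistent filter for an id. Since `GETPOST` reads from GET or POST, the three assignments now copy one and the same value into `$_GET`, `$_POST` and `$_REQUEST`, which is a behaviour change from the old per-array copy (previously a missing `$_GET` key produced an empty `$_GET` value); if the only consumer is the `GETPOST('socid','int')` call below, a single local `$socid = GETPOST('CASHDESK_ID_THIRDPARTY_id','int');` passed to `dolibarr_set_const` avoids rewriting superglobals altogether. The guard on the first line still reads `$_REQUEST` directly; `if (GETPOST('CASHDESK_ID_THIRDPARTY_id','int') > 0)` would keep the whole check on one code path.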
@@ -45,7 +45,7 @@
/*
* Actions
*/
-if (GETPOST("action") == 'set')
+if (GETPOST('action','alpha') == 'set')
{
$db->begin();
@@ -54,13 +54,13 @@
if (GETPOST("CASHDESK_ID_WAREHOUSE") < 0) $_POST["CASHDESK_ID_WAREHOUSE"]='';*/
$res = dolibarr_set_const($db,"CASHDESK_ID_THIRDPARTY",GETPOST('socid','int'),'chaine',0,'',$conf->entity);
- $res = dolibarr_set_const($db,"CASHDESK_ID_BANKACCOUNT_CASH",GETPOST("CASHDESK_ID_BANKACCOUNT_CASH"),'chaine',0,'',$conf->entity);
- $res = dolibarr_set_const($db,"CASHDESK_ID_BANKACCOUNT_CHEQUE",GETPOST("CASHDESK_ID_BANKACCOUNT_CHEQUE"),'chaine',0,'',$conf->entity);
- $res = dolibarr_set_const($db,"CASHDESK_ID_BANKACCOUNT_CB",GETPOST("CASHDESK_ID_BANKACCOUNT_CB"),'chaine',0,'',$conf->entity);
- $res = dolibarr_set_const($db,"CASHDESK_ID_WAREHOUSE",GETPOST("CASHDESK_ID_WAREHOUSE"),'chaine',0,'',$conf->entity);
- $res = dolibarr_set_const($db,"CASHDESK_SERVICES", GETPOST("CASHDESK_SERVICES"),'chaine',0,'',$conf->entity);
+ $res = dolibarr_set_const($db,"CASHDESK_ID_BANKACCOUNT_CASH",GETPOST('CASHDESK_ID_BANKACCOUNT_CASH','alpha'),'chaine',0,'',$conf->entity);
+ $res = dolibarr_set_const($db,"CASHDESK_ID_BANKACCOUNT_CHEQUE",GETPOST('CASHDESK_ID_BANKACCOUNT_CHEQUE','alpha'),'chaine',0,'',$conf->entity);
+ $res = dolibarr_set_const($db,"CASHDESK_ID_BANKACCOUNT_CB",GETPOST('CASHDESK_ID_BANKACCOUNT_CB','alpha'),'chaine',0,'',$conf->entity);
+ $res = dolibarr_set_const($db,"CASHDESK_ID_WAREHOUSE",GETPOST('CASHDESK_ID_WAREHOUSE','alpha'),'chaine',0,'',$conf->entity);
+ $res = dolibarr_set_const($db,"CASHDESK_SERVICES", GETPOST('CASHDESK_SERVICES','alpha'),'chaine',0,'',$conf->entity);
- dol_syslog("admin/cashdesk: level ".GETPOST("level"));
+ dol_syslog("admin/cashdesk: level ".GETPOST('level','alpha'));
if (! $res > 0) $error++;
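Review bot: The five rewritten `dolibarr_set_const` calls store bank-account, warehouse and service ids, but read them with the `'alpha'` check while the `socid` call one line above uses `'int'`; ids should use `'int'` throughout so that a non-numeric value is rejected rather than stored into the constant. Each call also overwrites `$res`, so the `if (! $res > 0) $error++;` on the last line only reflects `CASHDESK_SERVICES`; failures of the earlier calls are silently lost, and the `(! $res) > 0` precedence problem raised on the `updateMask` hunk applies here as well. Accumulate instead, e.g. `if ($res <= 0) $error++;` after each call, or `$ok = $ok && ($res > 0);`. The `set` block begins in the previous hunk and continues past this one.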
@@ -4,7 +4,7 @@
* Copyright (C) 2006-2007 Rodolphe Quiedeville <rodolphe@quiedeville.org>
* Copyright (C) 2007 Auguria SARL <info@auguria.org>
* Copyright (C) 2005-2012 Regis Houssin <regis@dolibarr.fr>
- * Copyright (C) 2011 Juanjo Menent <jmenent@2byte.es>
+ * Copyright (C) 2011-2012 Juanjo Menent <jmenent@2byte.es>
* Copyright (C) 2012 Christophe Battarel <christophe.battarel@altairis.fr>
**
* This program is free software; you can redistribute it and/or modify
@@ -38,8 +38,8 @@
// Security check
if (! $user->admin) accessforbidden();
-$action = GETPOST("action");
-$value = GETPOST("value");
+$action = GETPOST('action','alpha');
+$value = GETPOST('value','alpha');
/*
@@ -56,35 +56,35 @@
}
if ($action == 'multiprix')
{
- $multiprix = GETPOST("activate_multiprix");
+ $multiprix = GETPOST('activate_multiprix','alpha');
$res = dolibarr_set_const($db, "PRODUIT_MULTIPRICES", $multiprix,'chaine',0,'',$conf->entity);
$res =dolibarr_set_const($db, "PRODUIT_MULTIPRICES_LIMIT", "5",'chaine',0,'',$conf->entity);
}
else if ($action == 'sousproduits')
{
- $sousproduits = GETPOST("activate_sousproduits");
+ $sousproduits = GETPOST('activate_sousproduits','alpha');
$res = dolibarr_set_const($db, "PRODUIT_SOUSPRODUITS", $sousproduits,'chaine',0,'',$conf->entity);
}
else if ($action == 'viewProdDescInForm')
{
- $view = GETPOST("activate_viewProdDescInForm");
+ $view = GETPOST('activate_viewProdDescInForm','alpha');
$res = dolibarr_set_const($db, "PRODUIT_DESC_IN_FORM", $view,'chaine',0,'',$conf->entity);
}
else if ($action == 'viewProdTextsInThirdpartyLanguage')
{
- $view = GETPOST("activate_viewProdTextsInThirdpartyLanguage");
+ $view = GETPOST('activate_viewProdTextsInThirdpartyLanguage','alpha');
$res = dolibarr_set_const($db, "PRODUIT_TEXTS_IN_THIRDPARTY_LANGUAGE", $view,'chaine',0,'',$conf->entity);
}
else if ($action == 'usesearchtoselectproduct')
{
- $usesearch = GETPOST("activate_usesearchtoselectproduct");
+ $usesearch = GETPOST('activate_usesearchtoselectproduct','alpha');
$res = dolibarr_set_const($db, "PRODUIT_USE_SEARCH_TO_SELECT", $usesearch,'chaine',0,'',$conf->entity);
}
else if ($action == 'set')
{
- $const = "PRODUCT_SPECIAL_".strtoupper($_GET["spe"]);
- if ($_GET["value"]) $res = dolibarr_set_const($db, $const, $value,'chaine',0,'',$conf->entity);
+ $const = "PRODUCT_SPECIAL_".strtoupper(GETPOST('spe','alpha'));
+ if (GETPOST('value','alpha')) $res = dolibarr_set_const($db, $const, $value,'chaine',0,'',$conf->entity);
else $res = dolibarr_del_const($db, $const,$conf->entity);
}
/*else if ($action == 'useecotaxe')
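Review bot: In the `set` branch, `"PRODUCT_SPECIAL_".strtoupper(GETPOST('spe','alpha'))` still builds the constant name from the request, so the `'alpha'` check limits the characters but any `PRODUCT_SPECIAL_*` constant of the entity can be created or deleted from this action; restrict `spe` to the known suffixes with an `in_array($spe, [...], true)` check before the `dolibarr_set_const`/`dolibarr_del_const` calls. The condition `if (GETPOST('value','alpha'))` re-reads the same parameter that was already assigned to `$value` at the top of the file in the previous hunk and then passes `$value` to `dolibarr_set_const`; `if ($value)` is equivalent and makes the two uses obviously consistent. The `else if` chain continues past the hunk.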

