FIX pgsql compatibility. Add PHPUnit to avoid using dates without quotes

htdocs/accountancy/class/accountancysystem.class.php

@@ -37,7 +37,7 @@ class AccountancySystem
 	var $label;
 	var $account_number;
 	var $account_parent;
-	
+
 	/**
 	 * Constructor
 	 *
@@ -46,20 +46,20 @@ class AccountancySystem
 	function __construct($db) {
 		$this->db = $db;
 	}
-	
-	
+
+
 	/**
 	 * Load record in memory
 	 *
 	 * @param 	int 	$rowid 				   Id
 	 * @param 	string 	$ref             	   ref
 	 * @return 	int                            <0 if KO, Id of record if OK and found
 	 */
-	function fetch($rowid = 0, $ref = '') 
+	function fetch($rowid = 0, $ref = '')
 	{
 	    global $conf;
-	
-	    if ($rowid > 0 || $ref) 
+
+	    if ($rowid > 0 || $ref)
 	    {
 	        $sql  = "SELECT a.pcg_version, a.label, a.active";
 	        $sql .= " FROM " . MAIN_DB_PREFIX . "accounting_system as a";
@@ -69,20 +69,20 @@ function fetch($rowid = 0, $ref = '')
 	        } elseif ($ref) {
 	            $sql .= " a.pcg_version = '" . $ref . "'";
 	        }
-	
+
 	        dol_syslog(get_class($this) . "::fetch sql=" . $sql, LOG_DEBUG);
 	        $result = $this->db->query($sql);
 	        if ($result) {
 	            $obj = $this->db->fetch_object($result);
-	
+
 	            if ($obj) {
 	                $this->id = $obj->rowid;
 	                $this->rowid = $obj->rowid;
 	                $this->pcg_version = $obj->pcg_version;
 	                $this->ref = $obj->pcg_version;
 	                $this->label = $obj->label;
 	                $this->active = $obj->active;
-	                	
+
 	                return $this->id;
 	            } else {
 	                return 0;
@@ -94,8 +94,8 @@ function fetch($rowid = 0, $ref = '')
 	    }
 	    return - 1;
 	}
-	
-	
+
+
 	/**
 	 * Insert accountancy system name into database
 	 *
@@ -104,16 +104,16 @@ function fetch($rowid = 0, $ref = '')
 	 */
 	function create($user) {
 		$now = dol_now();
-		
+
 		$sql = "INSERT INTO " . MAIN_DB_PREFIX . "accounting_system";
 		$sql .= " (date_creation, fk_user_author, numero, label)";
-		$sql .= " VALUES (" . $this->db->idate($now) . "," . $user->id . ",'" . $this->numero . "','" . $this->label . "')";
-		
+		$sql .= " VALUES ('" . $this->db->idate($now) . "'," . $user->id . ",'" . $this->numero . "','" . $this->label . "')";
+
 		dol_syslog(get_class($this) . "::create sql=" . $sql, LOG_DEBUG);
 		$resql = $this->db->query($sql);
 		if ($resql) {
 			$id = $this->db->last_insert_id(MAIN_DB_PREFIX . "accounting_system");
-			
+
 			if ($id > 0) {
 				$this->rowid = $id;
 				$result = $this->rowid;
@@ -127,7 +127,7 @@ function create($user) {
 			$this->error = "AccountancySystem::Create Erreur $result";
 			dol_syslog($this->error, LOG_ERR);
 		}
-		
+
 		return $result;
 	}
 }

htdocs/comm/mailing/class/advtargetemailing.class.php

@@ -124,7 +124,7 @@ function create($user, $notrigger=0)
 		$sql.= " ".(! isset($this->fk_mailing)?'NULL':"'".$this->fk_mailing."'").",";
 		$sql.= " ".(! isset($this->filtervalue)?'NULL':"'".$this->db->escape($this->filtervalue)."'").",";
 		$sql.= " ".$user->id.",";
-		$sql.= " ".$this->db->idate(dol_now()).",";
+		$sql.= " '".$this->db->idate(dol_now())."',";
 		$sql.= " ".$user->id;
 
 

htdocs/compta/bank/class/paymentvarious.class.php

@@ -86,9 +86,9 @@ function update($user=null, $notrigger=0)
 		// Update request
 		$sql = "UPDATE ".MAIN_DB_PREFIX."payment_various SET";
 
-		$sql.= " tms=".$this->db->idate($this->tms).",";
-		$sql.= " datep=".$this->db->idate($this->datep).",";
-		$sql.= " datev=".$this->db->idate($this->datev).",";
+		$sql.= " tms='".$this->db->idate($this->tms)."',";
+		$sql.= " datep='".$this->db->idate($this->datep)."',";
+		$sql.= " datev='".$this->db->idate($this->datev)."',";
 		$sql.= " sens=".$this->sens.",";
 		$sql.= " amount=".price2num($this->amount).",";
 		$sql.= " fk_typepayment=".$this->fk_typepayment."',";

htdocs/compta/localtax/class/localtax.class.php

@@ -151,9 +151,9 @@ function update($user=null, $notrigger=0)
 		// Update request
         $sql = "UPDATE ".MAIN_DB_PREFIX."localtax SET";
         $sql.= " localtaxtype=".$this->ltt.",";
-		$sql.= " tms=".$this->db->idate($this->tms).",";
-		$sql.= " datep=".$this->db->idate($this->datep).",";
-		$sql.= " datev=".$this->db->idate($this->datev).",";
+		$sql.= " tms='".$this->db->idate($this->tms)."',";
+		$sql.= " datep='".$this->db->idate($this->datep)."',";
+		$sql.= " datev='".$this->db->idate($this->datev)."',";
 		$sql.= " amount=".price2num($this->amount).",";
 		$sql.= " label='".$this->db->escape($this->label)."',";
 		$sql.= " note='".$this->db->escape($this->note)."',";

htdocs/compta/salaries/class/paymentsalary.class.php

@@ -34,7 +34,7 @@ class PaymentSalary extends CommonObject
 	//public $element='payment_salary';			//!< Id that identify managed objects
 	//public $table_element='payment_salary';	//!< Name of table without prefix where object is stored
     public $picto='payment';
-    
+
 	public $tms;
 	public $fk_user;
 	public $datep;
@@ -97,16 +97,16 @@ function update($user=null, $notrigger=0)
 		// Update request
 		$sql = "UPDATE ".MAIN_DB_PREFIX."payment_salary SET";
 
-		$sql.= " tms=".$this->db->idate($this->tms).",";
+		$sql.= " tms='".$this->db->idate($this->tms)."',";
 		$sql.= " fk_user=".$this->fk_user.",";
-		$sql.= " datep=".$this->db->idate($this->datep).",";
-		$sql.= " datev=".$this->db->idate($this->datev).",";
+		$sql.= " datep='".$this->db->idate($this->datep)."',";
+		$sql.= " datev='".$this->db->idate($this->datev)."',";
 		$sql.= " amount=".price2num($this->amount).",";
 		$sql.= " fk_typepayment=".$this->fk_typepayment."',";
 		$sql.= " num_payment='".$this->db->escape($this->num_payment)."',";
 		$sql.= " label='".$this->db->escape($this->label)."',";
-		$sql.= " datesp=".$this->db->idate($this->datesp).",";
-		$sql.= " dateep=".$this->db->idate($this->dateep).",";
+		$sql.= " datesp='".$this->db->idate($this->datesp)."',";
+		$sql.= " dateep='".$this->db->idate($this->dateep)."',";
 		$sql.= " note='".$this->db->escape($this->note)."',";
 		$sql.= " fk_bank=".($this->fk_bank > 0 ? "'".$this->fk_bank."'":"null").",";
 		$sql.= " fk_user_author=".$this->fk_user_author.",";
@@ -548,7 +548,7 @@ function info($id)
 		}
 	}
 
-	
+
 	/**
 	 * Retourne le libelle du statut d'une facture (brouillon, validee, abandonnee, payee)
 	 *
@@ -559,7 +559,7 @@ function getLibStatut($mode=0)
 	{
 	    return $this->LibStatut($this->statut,$mode);
 	}
-	
+
 	/**
 	 * Renvoi le libelle d'un statut donne
 	 *
@@ -570,7 +570,7 @@ function getLibStatut($mode=0)
 	function LibStatut($status,$mode=0)
 	{
 	    global $langs;	// TODO Renvoyer le libelle anglais et faire traduction a affichage
-	
+
 	    $langs->load('compta');
 	    /*if ($mode == 0)
 	    {
@@ -609,5 +609,5 @@ function LibStatut($status,$mode=0)
 	    }*/
 	    return '';
 	}
-	
+
 }

htdocs/compta/tva/class/tva.class.php

@@ -173,9 +173,9 @@ function update($user=null, $notrigger=0)
 
 		// Update request
         $sql = "UPDATE ".MAIN_DB_PREFIX."tva SET";
-		$sql.= " tms=".$this->db->idate($this->tms).",";
-		$sql.= " datep=".$this->db->idate($this->datep).",";
-		$sql.= " datev=".$this->db->idate($this->datev).",";
+		$sql.= " tms='".$this->db->idate($this->tms)."',";
+		$sql.= " datep='".$this->db->idate($this->datep)."',";
+		$sql.= " datev='".$this->db->idate($this->datev)."',";
 		$sql.= " amount=".price2num($this->amount).",";
 		$sql.= " label='".$this->db->escape($this->label)."',";
 		$sql.= " note='".$this->db->escape($this->note)."',";

htdocs/core/class/events.class.php

@@ -172,7 +172,7 @@ function update($user=null, $notrigger=0)
 		// Update request
 		$sql = "UPDATE ".MAIN_DB_PREFIX."events SET";
 		$sql.= " type='".$this->db->escape($this->type)."',";
-		$sql.= " dateevent=".$this->db->idate($this->dateevent).",";
+		$sql.= " dateevent='".$this->db->idate($this->dateevent)."',";
 		$sql.= " description='".$this->db->escape($this->description)."'";
 		$sql.= " WHERE rowid=".$this->id;
 

test/phpunit/CodingPhpTest.php

@@ -155,6 +155,25 @@ public function testPHP()
             print 'Check php file '.$file['fullname']."\n";
             $filecontent=file_get_contents($file['fullname']);
 
+
+            $ok=true;
+            $matches=array();
+            // Check string   ='".$this->xxx   with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
+            preg_match_all('/(..)\s*\.\s*\$this->db->idate\(/', $filecontent, $matches, PREG_SET_ORDER);
+            foreach($matches as $key => $val)
+            {
+            	if ($val[1] != '\'"' && $val[1] != '\'\'')
+            	{
+            		$ok=false;
+            		break;
+            	}
+            	//if ($reg[0] != 'db') $ok=false;
+            }
+            //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
+            $this->assertTrue($ok, 'Found a $this->db->idate to forge a sql request without quotes around this date field '.$file['fullname'].' :: '.$val[0]);
+            //exit;
+
+
             $ok=true;
             $matches=array();
             // Check string   ='".$this->xxx   with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
@@ -172,6 +191,7 @@ public function testPHP()
             $this->assertTrue($ok, 'Found non escaped string in building of a sql request '.$file['fullname'].' ('.$val[0].'). Bad.');
             //exit;
 
+
             // Test that output of $_SERVER\[\'QUERY_STRING\'\] is escaped.
             $ok=true;
             $matches=array();