From dda17f4082784fcbc8a277a65bb34a14685613d1 Mon Sep 17 00:00:00 2001
From: Cedric
Date: Sat, 12 Jul 2014 16:22:49 +0200
Subject: [PATCH] Security fix
---
htdocs/product/stock/fiche.php | 28 +++++++++++++---------------
1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/htdocs/product/stock/fiche.php b/htdocs/product/stock/fiche.php
index ecc29a559279e..874b082ceae8c 100644
--- a/htdocs/product/stock/fiche.php
+++ b/htdocs/product/stock/fiche.php
@@ -39,6 +39,7 @@ $sortfield = GETPOST("sortfield",'alpha'); $sortorder = GETPOST("sortorder",'alpha');
+$id = GETPOST("id",'int');
if (! $sortfield) $sortfield="p.ref"; if (! $sortorder) $sortorder="DESC";
@@ -109,7 +110,7 @@ if ($action == 'update' && $_POST["cancel"] <> $langs->trans("Cancel")) { $object = new Entrepot($db);
- if ($object->fetch($_POST["id"]))
+ if ($object->fetch($id))
{ $object->libelle = $_POST["libelle"]; $object->description = $_POST["desc"];
@@ -120,23 +121,20 @@ $object->town = $_POST["town"]; $object->country_id = $_POST["country_id"];
- if ( $object->update($_POST["id"], $user) > 0)
+ if ( $object->update($id, $user) > 0)
{ $action = '';
- $_GET["id"] = $_POST["id"]; //$mesg = '
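Review bot: The two assignments that follow the fixed `fetch()` call, `$object->libelle = $_POST["libelle"];` and `$object->description = $_POST["desc"];`, still read the superglobal directly, so the commit's move from `$_POST["id"]` to the checked `$id` covers the record identifier only. Whether `Entrepot::update()` escapes those values before whatever SQL it builds is not visible from this hunk, so this may be a consistency point rather than an exploitable defect; routing them through the same `GETPOST()` helper with whichever check each field tolerates would at least keep all request input on one path. The enclosing `if ($action == 'update' ...)` block continues beyond the hunk.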
Fiche mise a jour
'; } else { $action = 'edit'; - $_GET["id"] = $_POST["id"]; $mesg = '
'.$object->error.'
'; } } else { $action = 'edit'; - $_GET["id"] = $_POST["id"]; $mesg = '
'.$object->error.'
'; } } @@ -144,7 +142,6 @@ if ($_POST["cancel"] == $langs->trans("Cancel")) { $action = ''; - $_GET["id"] = $_POST["id"]; } @@ -219,12 +216,13 @@ } else { - if ($_GET["id"]) + $id=GETPOST("id",'int'); + if ($id) { dol_htmloutput_mesg($mesg); $object = new Entrepot($db); - $result = $object->fetch($_GET["id"]); + $result = $object->fetch($id); if ($result < 0) { dol_print_error($db); 
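Review bot: `$object->country_id = $_POST["country_id"];`, in the context just above the fixed `update($id, $user)` call, is an integer key that is left raw even though it is exactly the case the commit handles for `id`; `$object->country_id = GETPOST("country_id",'int');` would close that gap in the same style. The text fields assigned next to it (`town`, and presumably the ones above the hunk) are likewise still read from `$_POST`; whether `update()` escapes them cannot be confirmed from here. The `if ($action == 'update' ...)` block this hunk sits in starts before the hunk.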
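Review bot: The added `$id=GETPOST("id",'int');` in the display branch re-reads a value the first hunk already assigns at the top of the script, so the line is redundant and, should the two calls ever drift apart, a trap; dropping it and keeping only `if ($id)` is enough. Its spacing also differs from the earlier `$id = GETPOST("id",'int');`. Note that this branch now depends on GETPOST falling back to `$_POST` after a form submit, which is presumably what makes the removed `$_GET["id"] = $_POST["id"]` lines unnecessary; worth confirming against the GETPOST implementation. The `else` block containing this hunk ends beyond it.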
@@ -368,13 +366,13 @@ print ''; print "";
- print_liste_field_titre($langs->trans("Product"),"", "p.ref","&id=".$_GET['id'],"","",$sortfield,$sortorder);
- print_liste_field_titre($langs->trans("Label"),"", "p.label","&id=".$_GET['id'],"","",$sortfield,$sortorder);
- print_liste_field_titre($langs->trans("Units"),"", "ps.reel","&id=".$_GET['id'],"",'align="right"',$sortfield,$sortorder);
- print_liste_field_titre($langs->trans("AverageUnitPricePMPShort"),"", "ps.pmp","&id=".$_GET['id'],"",'align="right"',$sortfield,$sortorder);
- print_liste_field_titre($langs->trans("EstimatedStockValueShort"),"", "","&id=".$_GET['id'],"",'align="right"',$sortfield,$sortorder);
- if (empty($conf->global->PRODUIT_MULTIPRICES)) print_liste_field_titre($langs->trans("SellPriceMin"),"", "p.price","&id=".$_GET['id'],"",'align="right"',$sortfield,$sortorder);
- if (empty($conf->global->PRODUIT_MULTIPRICES)) print_liste_field_titre($langs->trans("EstimatedStockValueSellShort"),"", "","&id=".$_GET['id'],"",'align="right"',$sortfield,$sortorder);
+ print_liste_field_titre($langs->trans("Product"),"", "p.ref","&id=".$id,"","",$sortfield,$sortorder);
+ print_liste_field_titre($langs->trans("Label"),"", "p.label","&id=".$id,"","",$sortfield,$sortorder);
+ print_liste_field_titre($langs->trans("Units"),"", "ps.reel","&id=".$id,"",'align="right"',$sortfield,$sortorder);
+ print_liste_field_titre($langs->trans("AverageUnitPricePMPShort"),"", "ps.pmp","&id=".$id,"",'align="right"',$sortfield,$sortorder);
+ print_liste_field_titre($langs->trans("EstimatedStockValueShort"),"", "","&id=".$id,"",'align="right"',$sortfield,$sortorder);
+ if (empty($conf->global->PRODUIT_MULTIPRICES)) print_liste_field_titre($langs->trans("SellPriceMin"),"", "p.price","&id=".$id,"",'align="right"',$sortfield,$sortorder);
+ if (empty($conf->global->PRODUIT_MULTIPRICES)) print_liste_field_titre($langs->trans("EstimatedStockValueSellShort"),"", "","&id=".$id,"",'align="right"',$sortfield,$sortorder);
if 
($user->rights->stock->mouvement->creer) print ''; if ($user->rights->stock->creer) print ''; print "";
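Review bot: The seven rewritten `print_liste_field_titre()` calls each rebuild the same `"&id=".$id` string; hoisting it once before them, `$param = "&id=".$id;`, and passing `$param` in every call would turn the next change to the list URL into a one-line edit and make the columns read uniformly. Because `$id` now arrives through the `'int'` check, the value embedded in the URL is numeric, so this is a readability point rather than a security one. The table-printing code around these calls starts before the hunk.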