Fix against SQL injection. Add phpunit to detect missing escapement.
eldy committed May 12, 2017
1 parent 0d11fce commit fa290c3
Showing 57 changed files with 202 additions and 198 deletions.
8 changes: 4 additions & 4 deletions htdocs/accountancy/class/accountingaccount.class.php
Expand Up @@ -251,12 +251,12 @@ function update($user)
$sql .= " SET fk_pcg_version = " . ($this->fk_pcg_version ? "'" . $this->db->escape($this->fk_pcg_version) . "'" : "null");
$sql .= " , pcg_type = " . ($this->pcg_type ? "'" . $this->db->escape($this->pcg_type) . "'" : "null");
$sql .= " , pcg_subtype = " . ($this->pcg_subtype ? "'" . $this->db->escape($this->pcg_subtype) . "'" : "null");
$sql .= " , account_number = '" . $this->account_number . "'";
$sql .= " , account_parent = '" . $this->account_parent . "'";
$sql .= " , account_number = '" . $this->db->escape($this->account_number) . "'";
$sql .= " , account_parent = '" . $this->db->escape($this->account_parent) . "'";
$sql .= " , label = " . ($this->label ? "'" . $this->db->escape($this->label) . "'" : "null");
$sql .= " , fk_accounting_category = '" . $this->account_category . "'";
$sql .= " , fk_accounting_category = '" . $this->db->escape($this->account_category) . "'";
$sql .= " , fk_user_modif = " . $user->id;
$sql .= " , active = '" . $this->active . "'";
$sql .= " , active = " . $this->active;
$sql .= " WHERE rowid = " . $this->id;

dol_syslog(get_class($this) . "::update sql=" . $sql, LOG_DEBUG);
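Review bot: The new `active = " . $this->active` line drops the quotes without adding an escape or a cast, so an empty value now produces `active = ` and a syntax error, and a non-numeric value reaches the statement verbatim; since escape() only neutralises quote characters it would not help in an unquoted position either, and the safe form is `$sql .= " , active = " . (int) $this->active;`. The same shape — an unquoted value with at most escape() or a `> 0` comparison in front of it — recurs in the new lines of bookkeeping.class.php (`fk_docdet = " . $this->db->escape($this->fk_docdet)`), adherent.class.php (`fk_soc=".$fk_soc`), categorie.class.php (`rowid = ".$id`), actioncomm.class.php (`fk_user_mod = ".$user->id`), paymentvarious.class.php (fk_user, fk_bank, fk_user_author, fk_user_modif), remisecheque.class.php and bonprelevement.class.php (`$this->id`) and contrat.class.php (`fk_remise_except`), and on unchanged lines in this hunk (`rowid`, `fk_user_modif`), in propal.class.php (`fk_delivery_address`) and in deplacement.class.php (`km`). A `> 0` comparison does not establish that the operand is an integer under PHP's loose comparison rules, so the check that actually pins the type is an `(int)` cast, or price2num for amounts as the commit already does in contrat.class.php. update() continues outside the hunk.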
10 changes: 5 additions & 5 deletions htdocs/accountancy/class/bookkeeping.class.php
Expand Up @@ -189,10 +189,10 @@ public function create(User $user, $notrigger = false) {
// First check if line not yet already in bookkeeping
$sql = "SELECT count(*) as nb";
$sql .= " FROM " . MAIN_DB_PREFIX . $this->table_element;
$sql .= " WHERE doc_type = '" . $this->doc_type . "'";
$sql .= " WHERE doc_type = '" . $this->db->escape($this->doc_type) . "'";
$sql .= " AND fk_doc = " . $this->fk_doc;
$sql .= " AND fk_docdet = " . $this->fk_docdet; // This field can be 0 is record is for several lines
$sql .= " AND numero_compte = '" . $this->numero_compte . "'";
$sql .= " AND numero_compte = '" . $this->db->escape($this->numero_compte) . "'";
$sql .= " AND entity IN (" . getEntity("accountancy", 1) . ")";

$resql = $this->db->query($sql);
Expand All @@ -204,9 +204,9 @@ public function create(User $user, $notrigger = false) {
// Determine piece_num
$sqlnum = "SELECT piece_num";
$sqlnum .= " FROM " . MAIN_DB_PREFIX . $this->table_element;
$sqlnum .= " WHERE doc_type = '" . $this->doc_type . "'"; // For example doc_type = 'bank'
$sqlnum .= " AND fk_docdet = '" . $this->fk_docdet . "'"; // fk_docdet is rowid into llx_bank or llx_facturedet or llx_facturefourndet, or ...
$sqlnum .= " AND doc_ref = '" . $this->doc_ref . "'"; // ref of source object
$sqlnum .= " WHERE doc_type = '" . $this->db->escape($this->doc_type) . "'"; // For example doc_type = 'bank'
$sqlnum .= " AND fk_docdet = " . $this->db->escape($this->fk_docdet); // fk_docdet is rowid into llx_bank or llx_facturedet or llx_facturefourndet, or ...
$sqlnum .= " AND doc_ref = '" . $this->db->escape($this->doc_ref) . "'"; // ref of source object
$sqlnum .= " AND entity IN (" . getEntity("accountancy", 1) . ")";

dol_syslog(get_class($this) . ":: create sqlnum=" . $sqlnum, LOG_DEBUG);
4 changes: 2 additions & 2 deletions htdocs/adherents/class/adherent.class.php
Expand Up @@ -345,7 +345,7 @@ function create($user,$notrigger=0)
{
// Add link to user
$sql = "UPDATE ".MAIN_DB_PREFIX."user SET";
$sql.= " fk_member = '".$this->id."'";
$sql.= " fk_member = ".$this->id;
$sql.= " WHERE rowid = ".$this->user_id;
dol_syslog(get_class($this)."::create", LOG_DEBUG);
$resql = $this->db->query($sql);
Expand Down Expand Up @@ -1099,7 +1099,7 @@ function fetch($rowid,$ref='',$fk_soc='',$ref_ext='')
elseif ($ref || $fk_soc) {
$sql.= " AND d.entity IN (".getEntity().")";
if ($ref) $sql.= " AND d.rowid='".$this->db->escape($ref)."'";
elseif ($fk_soc) $sql.= " AND d.fk_soc='".$fk_soc."'";
elseif ($fk_soc > 0) $sql.= " AND d.fk_soc=".$fk_soc;
}
elseif ($ref_ext)
{
4 changes: 2 additions & 2 deletions htdocs/adherents/class/adherent_type.class.php
Expand Up @@ -123,9 +123,9 @@ function update($user)
$sql.= "SET ";
$sql.= "statut = ".$this->statut.",";
$sql.= "libelle = '".$this->db->escape($this->libelle) ."',";
$sql.= "subscription = '".$this->subscription."',";
$sql.= "subscription = '".$this->db->escape($this->subscription)."',";
$sql.= "note = '".$this->db->escape($this->note)."',";
$sql.= "vote = '".$this->vote."',";
$sql.= "vote = '".$this->db->escape($this->vote)."',";
$sql.= "mail_valid = '".$this->db->escape($this->mail_valid)."'";
$sql .= " WHERE rowid =".$this->id;

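Review bot: `statut = ".$this->statut.","` just above the new escaping is still concatenated unquoted with no cast, which is the pattern the commit is closing elsewhere; `$sql.= "statut = ".(int) $this->statut.",";` makes it consistent. The new `subscription` and `vote` lines escape inside quotes, which is correct for a quoted position; if these are integer flags an `(int)` cast would express that more directly, but the escaped form is not wrong. update() starts and ends outside the hunk.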
6 changes: 3 additions & 3 deletions htdocs/bookmarks/class/bookmark.class.php
Expand Up @@ -173,10 +173,10 @@ function update()
$sql.= " SET fk_user = ".($this->fk_user > 0?"'".$this->fk_user."'":"0");
$sql.= " ,dateb = '".$this->db->idate($this->datec)."'";
$sql.= " ,url = '".$this->db->escape($this->url)."'";
$sql.= " ,target = '".$this->target."'";
$sql.= " ,target = '".$this->db->escape($this->target)."'";
$sql.= " ,title = '".$this->db->escape($this->title)."'";
$sql.= " ,favicon = '".$this->favicon."'";
$sql.= " ,position = '".$this->position."'";
$sql.= " ,favicon = '".$this->db->escape($this->favicon)."'";
$sql.= " ,position = '".$this->db->escape($this->position)."'";
$sql.= " WHERE rowid = ".$this->id;

dol_syslog("Bookmark::update", LOG_DEBUG);
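Review bot: `fk_user = ".($this->fk_user > 0?"'".$this->fk_user."'":"0")` at the top of the hunk is still interpolated without escape(), relying on a `> 0` comparison that does not guarantee an integer; `$sql.= " SET fk_user = ".($this->fk_user > 0 ? (int) $this->fk_user : "0");` removes the quoting question entirely. The same `(int)` treatment would fit the new `position` line, which escapes a value that looks numeric. Separately, `dateb` is written from `$this->datec` on the next line — presumably deliberate, but worth confirming while update() is being touched. update() continues outside the hunk.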
10 changes: 5 additions & 5 deletions htdocs/categories/class/categorie.class.php
Expand Up @@ -189,9 +189,9 @@ function fetch($id,$label='',$type='')

$sql = "SELECT rowid, fk_parent, entity, label, description, color, fk_soc, visible, type";
$sql.= " FROM ".MAIN_DB_PREFIX."categorie";
if ($id)
if ($id > 0)
{
$sql.= " WHERE rowid = '".$id."'";
$sql.= " WHERE rowid = ".$id;
}
else
{
Expand Down Expand Up @@ -399,7 +399,7 @@ function update($user='')
{
$sql .= ", fk_soc = ".($this->socid != -1 ? $this->socid : 'null');
}
$sql .= ", visible = '".$this->visible."'";
$sql .= ", visible = '".$this->db->escape($this->visible)."'";
$sql .= ", fk_parent = ".$this->fk_parent;
$sql .= " WHERE rowid = ".$this->id;

Expand Down Expand Up @@ -1670,7 +1670,7 @@ function setMultiLangs($user)
$sql2 = "UPDATE ".MAIN_DB_PREFIX."categorie_lang";
$sql2.= " SET label='".$this->db->escape($this->label)."',";
$sql2.= " description='".$this->db->escape($this->description)."'";
$sql2.= " WHERE fk_category=".$this->id." AND lang='".$key."'";
$sql2.= " WHERE fk_category=".$this->id." AND lang='".$this->db->escape($key)."'";
}
else
{
Expand All @@ -1692,7 +1692,7 @@ function setMultiLangs($user)
$sql2 = "UPDATE ".MAIN_DB_PREFIX."categorie_lang";
$sql2.= " SET label='".$this->db->escape($this->multilangs["$key"]["label"])."',";
$sql2.= " description='".$this->db->escape($this->multilangs["$key"]["description"])."'";
$sql2.= " WHERE fk_category=".$this->id." AND lang='".$key."'";
$sql2.= " WHERE fk_category=".$this->id." AND lang='".$this->db->escape($key)."'";
}
else
{
12 changes: 6 additions & 6 deletions htdocs/comm/action/class/actioncomm.class.php
Expand Up @@ -753,8 +753,8 @@ function update($user,$notrigger=0)
$this->db->begin();

$sql = "UPDATE ".MAIN_DB_PREFIX."actioncomm ";
$sql.= " SET percent = '".$this->percentage."'";
if ($this->fk_action > 0) $sql.= ", fk_action = '".$this->fk_action."'";
$sql.= " SET percent = '".$this->db->escape($this->percentage)."'";
if ($this->fk_action > 0) $sql.= ", fk_action = '".$this->db->escape($this->fk_action)."'";
$sql.= ", label = ".($this->label ? "'".$this->db->escape($this->label)."'":"null");
$sql.= ", datep = ".(strval($this->datep)!='' ? "'".$this->db->idate($this->datep)."'" : 'null');
$sql.= ", datep2 = ".(strval($this->datef)!='' ? "'".$this->db->idate($this->datef)."'" : 'null');
Expand All @@ -763,11 +763,11 @@ function update($user,$notrigger=0)
$sql.= ", fk_project =". ($this->fk_project > 0 ? "'".$this->fk_project."'":"null");
$sql.= ", fk_soc =". ($socid > 0 ? "'".$socid."'":"null");
$sql.= ", fk_contact =". ($contactid > 0 ? "'".$contactid."'":"null");
$sql.= ", priority = '".$this->priority."'";
$sql.= ", fulldayevent = '".$this->fulldayevent."'";
$sql.= ", priority = '".$this->db->escape($this->priority)."'";
$sql.= ", fulldayevent = '".$this->db->escape($this->fulldayevent)."'";
$sql.= ", location = ".($this->location ? "'".$this->db->escape($this->location)."'":"null");
$sql.= ", transparency = '".$this->transparency."'";
$sql.= ", fk_user_mod = '".$user->id."'";
$sql.= ", transparency = '".$this->db->escape($this->transparency)."'";
$sql.= ", fk_user_mod = ".$user->id;
$sql.= ", fk_user_action=".($userownerid > 0 ? "'".$userownerid."'":"null");
$sql.= ", fk_user_done=".($userdoneid > 0 ? "'".$userdoneid."'":"null");
if (! empty($this->fk_element)) $sql.= ", fk_element=".($this->fk_element?$this->fk_element:"null");
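Review bot: `fk_element=".($this->fk_element?$this->fk_element:"null")` at the bottom of the hunk is still concatenated unquoted and unescaped with only a truthiness test in front of it, which leaves exactly the gap this commit closes on the lines above; `if (! empty($this->fk_element)) $sql.= ", fk_element=".(int) $this->fk_element;` is the matching fix. The neighbouring `fk_project`, `fk_soc`, `fk_contact`, `fk_user_action` and `fk_user_done` lines quote their values without escape() behind a `> 0` comparison, so an `(int)` cast there too would make the hunk uniform. The new `percent`, `priority`, `fulldayevent` and `transparency` lines are escaped inside quotes, which is safe as written. update() continues outside the hunk.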
10 changes: 5 additions & 5 deletions htdocs/comm/mailing/class/mailing.class.php
Expand Up @@ -159,11 +159,11 @@ function update($user)
$sql .= " SET titre = '".$this->db->escape($this->titre)."'";
$sql .= ", sujet = '".$this->db->escape($this->sujet)."'";
$sql .= ", body = '".$this->db->escape($this->body)."'";
$sql .= ", email_from = '".$this->email_from."'";
$sql .= ", email_replyto = '".$this->email_replyto."'";
$sql .= ", email_errorsto = '".$this->email_errorsto."'";
$sql .= ", bgcolor = '".($this->bgcolor?$this->bgcolor:null)."'";
$sql .= ", bgimage = '".($this->bgimage?$this->bgimage:null)."'";
$sql .= ", email_from = '".$this->db->escape($this->email_from)."'";
$sql .= ", email_replyto = '".$this->db->escape($this->email_replyto)."'";
$sql .= ", email_errorsto = '".$this->db->escape($this->email_errorsto)."'";
$sql .= ", bgcolor = '".($this->bgcolor?$this->db->escape($this->bgcolor):null)."'";
$sql .= ", bgimage = '".($this->bgimage?$this->db->escape($this->bgimage):null)."'";
$sql .= " WHERE rowid = ".$this->id;

dol_syslog("Mailing::Update", LOG_DEBUG);
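Review bot: The rewritten `bgcolor` and `bgimage` lines still place the `null` branch inside a quoted literal, `", bgcolor = '".($this->bgcolor?$this->db->escape($this->bgcolor):null)."'"`, so string concatenation turns `null` into an empty string and the column is written as `''`, never as SQL NULL. If NULL is the intent, the quotes belong inside the conditional: `", bgcolor = ".($this->bgcolor ? "'".$this->db->escape($this->bgcolor)."'" : "null")`, and likewise for `bgimage`. The escaping added on `email_from`, `email_replyto` and `email_errorsto` is correct for those quoted positions. update() continues outside the hunk.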
2 changes: 1 addition & 1 deletion htdocs/comm/propal/class/propal.class.php
Expand Up @@ -1021,7 +1021,7 @@ function create($user, $notrigger=0)
{
$sql = "UPDATE ".MAIN_DB_PREFIX."propal";
$sql.= " SET fk_delivery_address = ".$this->fk_delivery_address;
$sql.= " WHERE ref = '".$this->ref."'";
$sql.= " WHERE ref = '".$this->db->escape($this->ref)."'";
$sql.= " AND entity = ".$conf->entity;

$result=$this->db->query($sql);
6 changes: 3 additions & 3 deletions htdocs/compta/bank/class/account.class.php
Expand Up @@ -701,8 +701,8 @@ function update(User $user = null, $notrigger = 0)
$sql.= ",clos = ".$this->clos;
$sql.= ",rappro = ".$this->rappro;
$sql.= ",url = ".($this->url?"'".$this->url."'":"null");
$sql.= ",account_number = '".$this->account_number."'";
$sql.= ",fk_accountancy_journal = '".$this->fk_accountancy_journal."'";
$sql.= ",account_number = '".$this->db->escape($this->account_number)."'";
$sql.= ",fk_accountancy_journal = '".$this->db->escape($this->fk_accountancy_journal)."'";

$sql.= ",bank = '".$this->db->escape($this->bank)."'";
$sql.= ",code_banque='".$this->db->escape($this->code_banque)."'";
Expand Down Expand Up @@ -1858,7 +1858,7 @@ function update_conciliation(User $user, $cat)

$sql = "UPDATE ".MAIN_DB_PREFIX."bank SET";
$sql.= " rappro = 1";
$sql.= ", num_releve = '".$this->num_releve."'";
$sql.= ", num_releve = '".$this->db->escape($this->num_releve)."'";
$sql.= ", fk_user_rappro = ".$user->id;
$sql.= " WHERE rowid = ".$this->id;

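Review bot: `url = ".($this->url?"'".$this->url."'":"null")` sits directly above the two newly escaped lines and still interpolates the value into a quoted literal without escape(); `$sql.= ",url = ".($this->url ? "'".$this->db->escape($this->url)."'" : "null");` is the same treatment the commit applies to `account_number`. In the second hunk, `num_releve` is now escaped, which is correct for that quoted position. Both update() and update_conciliation() continue outside their hunks.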
12 changes: 6 additions & 6 deletions htdocs/compta/bank/class/paymentvarious.class.php
Expand Up @@ -88,19 +88,19 @@ function update($user=null, $notrigger=0)
$sql = "UPDATE ".MAIN_DB_PREFIX."payment_salary SET";

$sql.= " tms=".$this->db->idate($this->tms).",";
$sql.= " fk_user='".$this->fk_user."',";
$sql.= " fk_user=".$this->fk_user.",";
$sql.= " datep=".$this->db->idate($this->datep).",";
$sql.= " datev=".$this->db->idate($this->datev).",";
$sql.= " sens=".$this->sens.",";
$sql.= " amount='".$this->amount."',";
$sql.= " amount=".price2num($this->amount).",";
$sql.= " fk_typepayment=".$this->fk_typepayment."',";
$sql.= " num_payment='".$this->num_payment."',";
$sql.= " num_payment='".$this->db->escape($this->num_payment)."',";
$sql.= " label='".$this->db->escape($this->label)."',";
$sql.= " note='".$this->db->escape($this->note)."',";
$sql.= " accountancy_code='".$this->db->escape($this->accountancy_code)."',";
$sql.= " fk_bank=".($this->fk_bank > 0 ? "'".$this->fk_bank."'":"null").",";
$sql.= " fk_user_author='".$this->fk_user_author."',";
$sql.= " fk_user_modif='".$this->fk_user_modif."'";
$sql.= " fk_bank=".($this->fk_bank > 0 ? $this->fk_bank:"null").",";
$sql.= " fk_user_author=".$this->fk_user_author.",";
$sql.= " fk_user_modif=".$this->fk_user_modif;

$sql.= " WHERE rowid=".$this->id;

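Review bot: The context line between the two rewritten amount lines, `$sql.= " fk_typepayment=".$this->fk_typepayment."',";`, carries a stray closing quote after the value, so the UPDATE this hunk assembles is malformed on every call; since the statement is being reworked here, `$sql.= " fk_typepayment=".(int) $this->fk_typepayment.",";` should go with it. `amount=".price2num($this->amount)` is an improvement over the quoted form, but if `$this->amount` can be empty the result would presumably be `amount=,` — worth a guard like the one used for `fk_bank`. The table name `payment_salary` in a class named paymentvarious also looks worth confirming. update() continues outside the hunk.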
4 changes: 2 additions & 2 deletions htdocs/compta/deplacement/class/deplacement.class.php
Expand Up @@ -187,8 +187,8 @@ function update($user)
$sql = "UPDATE ".MAIN_DB_PREFIX."deplacement ";
$sql .= " SET km = ".$this->km; // This is a distance or amount
$sql .= " , dated = '".$this->db->idate($this->date)."'";
$sql .= " , type = '".$this->type."'";
$sql .= " , fk_statut = '".$this->statut."'";
$sql .= " , type = '".$this->db->escape($this->type)."'";
$sql .= " , fk_statut = '".$this->db->escape($this->statut)."'";
$sql .= " , fk_user = ".$this->fk_user;
$sql .= " , fk_user_modif = ".$user->id;
$sql .= " , fk_soc = ".($this->socid > 0?$this->socid:'null');
2 changes: 1 addition & 1 deletion htdocs/compta/paiement/cheque/class/remisecheque.class.php
Expand Up @@ -308,7 +308,7 @@ function delete($user='')
if ( $this->errno === 0) {
$sql = "UPDATE ".MAIN_DB_PREFIX."bank";
$sql.= " SET fk_bordereau = 0";
$sql.= " WHERE fk_bordereau = '".$this->id."'";
$sql.= " WHERE fk_bordereau = ".$this->id;

$resql = $this->db->query($sql);
if (!$resql)
8 changes: 4 additions & 4 deletions htdocs/compta/prelevement/class/bonprelevement.class.php
Expand Up @@ -1082,19 +1082,19 @@ function delete()
{
$this->db->begin();

$sql = "DELETE FROM ".MAIN_DB_PREFIX."prelevement_facture WHERE fk_prelevement_lignes IN (SELECT rowid FROM ".MAIN_DB_PREFIX."prelevement_lignes WHERE fk_prelevement_bons = '".$this->id."')";
$sql = "DELETE FROM ".MAIN_DB_PREFIX."prelevement_facture WHERE fk_prelevement_lignes IN (SELECT rowid FROM ".MAIN_DB_PREFIX."prelevement_lignes WHERE fk_prelevement_bons = ".$this->id.")";
$resql1=$this->db->query($sql);
if (! $resql1) dol_print_error($this->db);

$sql = "DELETE FROM ".MAIN_DB_PREFIX."prelevement_lignes WHERE fk_prelevement_bons = '".$this->id."'";
$sql = "DELETE FROM ".MAIN_DB_PREFIX."prelevement_lignes WHERE fk_prelevement_bons = ".$this->id;
$resql2=$this->db->query($sql);
if (! $resql2) dol_print_error($this->db);

$sql = "DELETE FROM ".MAIN_DB_PREFIX."prelevement_bons WHERE rowid = '".$this->id."'";
$sql = "DELETE FROM ".MAIN_DB_PREFIX."prelevement_bons WHERE rowid = ".$this->id;
$resql3=$this->db->query($sql);
if (! $resql3) dol_print_error($this->db);

$sql = "UPDATE ".MAIN_DB_PREFIX."prelevement_facture_demande SET fk_prelevement_bons = NULL, traite = 0 WHERE fk_prelevement_bons = '".$this->id."'";
$sql = "UPDATE ".MAIN_DB_PREFIX."prelevement_facture_demande SET fk_prelevement_bons = NULL, traite = 0 WHERE fk_prelevement_bons = ".$this->id;
$resql4=$this->db->query($sql);
if (! $resql4) dol_print_error($this->db);

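Review bot: Each of the four statements in this hunk handles failure with `if (! $resqlX) dol_print_error($this->db);` and then proceeds to the next one, so after `$this->db->begin()` a partial failure is printed but not acted on within the visible lines — presumably the rollback decision is taken further down, but if it is not, the transaction can commit with orphaned rows. Returning early, or recording the error and rolling back, at the first failed query would make the `begin()` meaningful. The move from `'".$this->id."'` to bare `$this->id` is only safe with an integer guarantee; `(int) $this->id` in each of the four statements pins it. delete() continues outside the hunk.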
2 changes: 1 addition & 1 deletion htdocs/contact/class/contact.class.php
Expand Up @@ -317,7 +317,7 @@ function update($id, $user=null, $notrigger=0, $action='update')
$sql .= ", phone_perso = ".(isset($this->phone_perso)?"'".$this->db->escape($this->phone_perso)."'":"null");
$sql .= ", phone_mobile = ".(isset($this->phone_mobile)?"'".$this->db->escape($this->phone_mobile)."'":"null");
$sql .= ", jabberid = ".(isset($this->jabberid)?"'".$this->db->escape($this->jabberid)."'":"null");
$sql .= ", priv = '".$this->priv."'";
$sql .= ", priv = '".$this->db->escape($this->priv)."'";
$sql .= ", statut = ".$this->statut;
$sql .= ", fk_user_modif=".($user->id > 0 ? "'".$user->id."'":"NULL");
$sql .= ", default_lang=".($this->default_lang?"'".$this->default_lang."'":"NULL");
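Review bot: `default_lang=".($this->default_lang?"'".$this->default_lang."'":"NULL")` on the last line of the hunk still quotes the value without escape(), although it is the same kind of free-form field as `priv` and `jabberid` that the hunk does escape; `$sql .= ", default_lang=".($this->default_lang ? "'".$this->db->escape($this->default_lang)."'" : "NULL");` matches the neighbouring lines. The `fk_user_modif` line above it quotes `$user->id` behind a `> 0` comparison; an `(int)` cast would be the tighter check. update() continues outside the hunk.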
10 changes: 5 additions & 5 deletions htdocs/contrat/class/contrat.class.php
Expand Up @@ -2801,10 +2801,10 @@ function update($user, $notrigger=0)
$sql.= " tva_tx=".price2num($this->tva_tx).",";
$sql.= " localtax1_tx=".price2num($this->localtax1_tx).",";
$sql.= " localtax2_tx=".price2num($this->localtax2_tx).",";
$sql.= " qty='".$this->qty."',";
$sql.= " qty=".price2num($this->qty).",";
$sql.= " remise_percent=".price2num($this->remise_percent).",";
$sql.= " remise=".($this->remise?"'".$this->remise."'":"null").",";
$sql.= " fk_remise_except=".($this->fk_remise_except?"'".$this->fk_remise_except."'":"null").",";
$sql.= " remise=".($this->remise?price2num($this->remise):"null").",";
$sql.= " fk_remise_except=".($this->fk_remise_except > 0?$this->fk_remise_except:"null").",";
$sql.= " subprice=".($this->subprice != '' ? $this->subprice : "null").",";
$sql.= " price_ht=".($this->price_ht != '' ? $this->price_ht : "null").",";
$sql.= " total_ht=".$this->total_ht.",";
Expand All @@ -2818,8 +2818,8 @@ function update($user, $notrigger=0)
$sql.= " fk_user_author=".($this->fk_user_author >= 0?$this->fk_user_author:"NULL").",";
$sql.= " fk_user_ouverture=".($this->fk_user_ouverture > 0?$this->fk_user_ouverture:"NULL").",";
$sql.= " fk_user_cloture=".($this->fk_user_cloture > 0?$this->fk_user_cloture:"NULL").",";
$sql.= " commentaire='".$this->db->escape($this->commentaire)."'";
$sql.= ", fk_unit=".(!$this->fk_unit ? 'NULL' : $this->fk_unit);
$sql.= " commentaire='".$this->db->escape($this->commentaire)."',";
$sql.= " fk_unit=".(!$this->fk_unit ? 'NULL' : $this->fk_unit);
$sql.= " WHERE rowid=".$this->id;

dol_syslog(get_class($this)."::update", LOG_DEBUG);
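Review bot: `qty=".price2num($this->qty)` has no guard for an empty value, unlike the rewritten `remise` line beside it; if `$this->qty` can be empty the generated fragment would presumably be `qty=,`, so `$sql.= " qty=".($this->qty != '' ? price2num($this->qty) : "null").",";` mirrors the neighbouring pattern (assuming the column accepts NULL — confirm). The unchanged `subprice` and `price_ht` lines interpolate their values with only a `!= ''` check, so price2num there too would keep the block uniform. The trailing-comma fix on `commentaire`/`fk_unit` in the second hunk is correct. update() continues outside the hunks.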
