1. Version 2.8.32 (Nov 22, 2010)

2. fixed SQL injection 3. fixed date paid formatting 4. updated Dutch translation modified: SL/AA.pm modified: SL/AM.pm modified: SL/CP.pm modified: SL/CT.pm modified: SL/Form.pm modified: SL/GL.pm modified: SL/HR.pm modified: SL/IC.pm modified: SL/IR.pm modified: SL/IS.pm modified: SL/JC.pm modified: SL/OE.pm modified: SL/PE.pm modified: SL/VR.pm modified: VERSION modified: bin/lynx/arapprn.pl modified: bin/mozilla/arapprn.pl modified: locale/nl/aa modified: locale/nl/all modified: locale/nl/am modified: locale/nl/ap modified: locale/nl/ar modified: locale/nl/arap modified: locale/nl/arapprn modified: locale/nl/bp modified: locale/nl/cp modified: locale/nl/ct modified: locale/nl/gl modified: locale/nl/hr modified: locale/nl/ic modified: locale/nl/im modified: locale/nl/io modified: locale/nl/ir modified: locale/nl/is modified: locale/nl/menu modified: locale/nl/oe modified: locale/nl/pos modified: locale/nl/ps modified: locale/nl/rp modified: locale/nl/vr
GerHobbelt · Nov 23, 2010 · e06211a · e06211a
1 parent 5cc406b
commit e06211a
Show file tree

Hide file tree

Showing 40 changed files with 483 additions and 497 deletions.
diff --git a/SL/AA.pm b/SL/AA.pm
@@ -202,7 +202,7 @@ sub post_transaction {
   my $vth;
 
   # check if id really exists
-  if ($form->{id}) {
+  if ($form->{id} *= 1) {
     $query = qq|SELECT id
                 FROM $table
  	        WHERE id = $form->{id}|;
@@ -596,7 +596,7 @@ sub reverse_vouchers {
   $form->{voucher}{transaction} = $ref;
   $sth->finish;
 
-  if ($form->{batchid}) {
+  if ($form->{batchid} *= 1) {
     $form->update_balance($dbh,
 			  'br',
 			  'amount',
@@ -658,6 +658,8 @@ sub delete_transaction {
 
   my $table = ($form->{vc} eq 'customer') ? 'ar' : 'ap';
 
+  $form->{id} *= 1;
+
   my %audittrail = ( tablename  => $table,
                      reference  => $form->{invnumber},
 		     formname   => 'transaction',
@@ -1343,6 +1345,8 @@ sub ship_to {
   # connect to database
   my $dbh = $form->dbconnect($myconfig);
 
+  $form->{"$form->{vc}_id"} *= 1;
+
   AA->company_details($myconfig, $form, $dbh);
 
   my $table = ($form->{vc} eq 'customer') ? 'ar' : 'ap';
@@ -1373,7 +1377,7 @@ sub ship_to {
 		 JOIN $table a ON (a.id = s.trans_id)
 		 WHERE a.$form->{vc}_id = $form->{"$form->{vc}_id"}|;
 
-  if ($form->{id}) {
+  if ($form->{id} *= 1) {
     $query .= qq|
                  EXCEPT
 		 SELECT
@@ -1382,7 +1386,7 @@ sub ship_to {
 		 s.shiptocountry, s.shiptocontact, s.shiptophone,
 		 s.shiptofax, s.shiptoemail
 		 FROM shipto s
-		 WHERE s.trans_id = '$form->{id}'|;
+		 WHERE s.trans_id = $form->{id}|;
   }
 
   my $sth = $dbh->prepare($query);

diff --git a/SL/AM.pm b/SL/AM.pm
@@ -23,6 +23,8 @@ sub get_account {
   # connect to database
   my $dbh = $form->dbconnect($myconfig);
 
+  $form->{id} *= 1;
+
   my $query = qq|SELECT accno, description, charttype, gifi_accno,
                  category, link, contra
                  FROM chart
@@ -94,7 +96,7 @@ sub save_account {
   $form->{contra} *= 1;
 
   # if we have an id then replace the old record
-  if ($form->{id}) {
+  if ($form->{id} *= 1) {
     $query = qq|UPDATE chart SET
                 accno = '$form->{accno}',
 		description = |.$dbh->quote($form->{description}).qq|,
@@ -171,6 +173,8 @@ sub delete_account {
   # set inventory_accno_id, income_accno_id, expense_accno_id to defaults
   my %defaults = $form->get_defaults($dbh, \@{['%_accno_id']});
 
+  $form->{id} *= 1;
+
   for (qw(inventory_accno_id income_accno_id expense_accno_id)) {
     $query = qq|SELECT count(*)
                 FROM parts
@@ -252,15 +256,15 @@ sub get_gifi {
 
   my $query = qq|SELECT accno, description
                  FROM gifi
-	         WHERE accno = '$form->{accno}'|;
+	         WHERE accno = |.$dbh->quote($form->{accno});
 
   ($form->{accno}, $form->{description}) = $dbh->selectrow_array($query);
 
   # check for transactions
   $query = qq|SELECT * FROM acc_trans a
               JOIN chart c ON (a.chart_id = c.id)
 	      JOIN gifi g ON (c.gifi_accno = g.accno)
-	      WHERE g.accno = '$form->{accno}'|;
+	      WHERE g.accno = |.$dbh->quote($form->{accno});
   ($form->{orphaned}) = $dbh->selectrow_array($query);
   $form->{orphaned} = !$form->{orphaned};
 
@@ -283,7 +287,7 @@ sub save_gifi {
   }
 
   # id is the old account number!
-  if ($form->{id}) {
+  if ($form->{id} *= 1) {
     $query = qq|UPDATE gifi SET
                 accno = '$form->{accno}',
 		description = |.$dbh->quote($form->{description}).qq|
@@ -310,7 +314,7 @@ sub delete_gifi {
 
   # id is the old account number!
   $query = qq|DELETE FROM gifi
-	      WHERE accno = '$form->{id}'|;
+	      WHERE accno = |.$dbh->quote($form->{id});
   $dbh->do($query) || $form->dberror($query);
 
   $dbh->disconnect;
@@ -351,6 +355,8 @@ sub get_warehouse {
   # connect to database
   my $dbh = $form->dbconnect($myconfig);
 
+  $form->{id} *= 1;
+
   my $query = qq|SELECT w.description, a.address1, a.address2, a.city,
                  a.state, a.zipcode, a.country
                  FROM warehouse w
@@ -383,7 +389,7 @@ sub save_warehouse {
   $form->{description} =~ s/-(-)+/-/g;
   $form->{description} =~ s/ ( )+/ /g;
 
-  if ($form->{id}) {
+  if ($form->{id} *= 1) {
     $query = qq|SELECT id
                 FROM warehouse
 		WHERE id = $form->{id}|;
@@ -438,6 +444,8 @@ sub delete_warehouse {
   # connect to database
   my $dbh = $form->dbconnect_noauto($myconfig);
 
+  $form->{id} *= 1;
+
   my $query = qq|DELETE FROM warehouse
 	      WHERE id = $form->{id}|;
   $dbh->do($query) || $form->dberror($query);
@@ -486,6 +494,8 @@ sub get_department {
   # connect to database
   my $dbh = $form->dbconnect($myconfig);
 
+  $form->{id} *= 1;
+
   my $query = qq|SELECT description, role
                  FROM department
 	         WHERE id = $form->{id}|;
@@ -511,7 +521,7 @@ sub save_department {
   $form->{description} =~ s/-(-)+/-/g;
   $form->{description} =~ s/ ( )+/ /g;
 
-  if ($form->{id}) {
+  if ($form->{id} *= 1) {
     $query = qq|UPDATE department SET
 		description = |.$dbh->quote($form->{description}).qq|,
 		role = '$form->{role}'
@@ -535,6 +545,8 @@ sub delete_department {
   # connect to database
   my $dbh = $form->dbconnect($myconfig);
 
+  $form->{id} *= 1;
+
   $query = qq|DELETE FROM department
 	      WHERE id = $form->{id}|;
   $dbh->do($query);
@@ -575,6 +587,8 @@ sub get_business {
   # connect to database
   my $dbh = $form->dbconnect($myconfig);
 
+  $form->{id} *= 1;
+
   my $query = qq|SELECT description, discount
                  FROM business
 	         WHERE id = $form->{id}|;
@@ -595,7 +609,7 @@ sub save_business {
   $form->{description} =~ s/ ( )+/ /g;
   $form->{discount} /= 100;
 
-  if ($form->{id}) {
+  if ($form->{id} *= 1) {
     $query = qq|UPDATE business SET
 		description = |.$dbh->quote($form->{description}).qq|,
 		discount = $form->{discount}
@@ -619,6 +633,8 @@ sub delete_business {
   # connect to database
   my $dbh = $form->dbconnect($myconfig);
 
+  $form->{id} *= 1;
+
   $query = qq|DELETE FROM business
 	      WHERE id = $form->{id}|;
   $dbh->do($query) || $form->dberror($query);
@@ -668,6 +684,8 @@ sub get_paymentmethod {
   # connect to database
   my $dbh = $form->dbconnect($myconfig);
 
+  $form->{id} *= 1;
+
   my $query = qq|SELECT description, fee
                  FROM paymentmethod
 	         WHERE id = $form->{id}|;
@@ -687,7 +705,7 @@ sub save_paymentmethod {
   $form->{description} =~ s/-(-)+/-/g;
   $form->{description} =~ s/ ( )+/ /g;
 
-  if ($form->{id}) {
+  if ($form->{id} *= 1) {
     $query = qq|UPDATE paymentmethod SET
 		description = |.$dbh->quote($form->{description}).qq|,
 		fee = |.$form->parse_amount($myconfig, $form->{fee}).qq|
@@ -716,6 +734,8 @@ sub delete_paymentmethod {
   # connect to database
   my $dbh = $form->dbconnect_noauto($myconfig);
 
+  $form->{id} *= 1;
+
   my $query = qq|SELECT rn FROM paymentmethod
                  WHERE id = $form->{id}|;
   my ($rn) = $dbh->selectrow_array($query);
@@ -1995,6 +2015,8 @@ sub get_bank {
   # connect to database
   my $dbh = $form->dbconnect($myconfig);
 
+  $form->{id} *= 1;
+
   $query = qq|SELECT c.accno, c.description,
               bk.name, bk.iban, bk.bic, bk.membernumber, bk.dcn, bk.rvc,
 	      ad.address1, ad.address2, ad.city,
@@ -2025,6 +2047,8 @@ sub save_bank {
   # connect to database
   my $dbh = $form->dbconnect_noauto($myconfig);
 
+  $form->{id} *= 1;
+
   my $query = qq|SELECT id FROM bank
                  WHERE id = $form->{id}|;
   my ($id) = $dbh->selectrow_array($query);
@@ -2241,7 +2265,7 @@ sub get_currency {
   my $dbh = $form->dbconnect($myconfig);
 
   my $query = qq|SELECT * FROM curr
-	         WHERE curr = '$form->{curr}'|;
+	         WHERE curr = |.$dbh->quote($form->{curr});
   my $sth = $dbh->prepare($query) || $form->dberror($query);
   $sth->execute;
 
@@ -2270,7 +2294,7 @@ sub save_currency {
 
   $query = qq|SELECT curr
 	      FROM curr
-	      WHERE curr = '$form->{curr}'|;
+	      WHERE curr = |.$dbh->quote($form->{curr});
   my ($curr) = $dbh->selectrow_array($query);
 
   my $rn;
@@ -2288,7 +2312,7 @@ sub save_currency {
   for (qw(precision)) { $form->{$_} *= 1 }
   $query = qq|UPDATE curr SET
 	      precision = $form->{precision}
-	      WHERE curr = '$form->{curr}'|;
+	      WHERE curr = |.$dbh->quote($form->{curr});
   $dbh->do($query) || $form->dberror($query);
 
   my $rc = $dbh->commit;
@@ -2306,15 +2330,15 @@ sub delete_currency {
   my $dbh = $form->dbconnect_noauto($myconfig);
 
   my $query = qq|SELECT rn FROM curr
-                 WHERE curr = '$form->{curr}'|;
+                 WHERE curr = |.$dbh->quote($form->{curr});
   my ($rn) = $dbh->selectrow_array($query);
 
   $query = qq|UPDATE curr SET rn = rn - 1
               WHERE rn > $rn|;
   $dbh->do($query) || $form->dberror($query);
 
   $query = qq|DELETE FROM curr
-	      WHERE curr = '$form->{curr}'|;
+	      WHERE curr = |.$dbh->quote($form->{curr});
   $dbh->do($query) || $form->dberror($query);
 
   my $rc = $dbh->commit;
@@ -2334,7 +2358,7 @@ sub move {
   my $id;
 
   my $query = qq|SELECT rn FROM $form->{db}
-                 WHERE $form->{fld} = '$form->{id}'|;
+                 WHERE $form->{fld} = |.$dbh->quote($form->{id});
   my ($rn) = $dbh->selectrow_array($query);
 
   $query = qq|SELECT MAX(rn) FROM $form->{db}|;
@@ -2346,7 +2370,7 @@ sub move {
     ($id) = $dbh->selectrow_array($query);
 
     $query = qq|UPDATE $form->{db} SET rn = $rn + 1
-                WHERE $form->{fld} = '$form->{id}'|;
+                WHERE $form->{fld} = |.$dbh->quote($form->{id});
     $dbh->do($query) || $form->dberror($query);
 
     $query = qq|UPDATE $form->{db} SET rn = $rn
@@ -2360,7 +2384,7 @@ sub move {
     ($id) = $dbh->selectrow_array($query);
 
     $query = qq|UPDATE $form->{db} SET rn = $rn - 1
-                WHERE $form->{fld} = '$form->{id}'|;
+                WHERE $form->{fld} = |.$dbh->quote($form->{id});
     $dbh->do($query) || $form->dberror($query);
 
     $query = qq|UPDATE $form->{db} SET rn = $rn

diff --git a/SL/CP.pm b/SL/CP.pm
@@ -273,6 +273,8 @@ sub retrieve {
 
   my $ml = 1;
 
+  $form->{id} *= 1;
+
   if ($form->{vc} eq 'customer') {
     $ml = -1;
   }
@@ -394,7 +396,7 @@ sub retrieve {
   ($form->{batchdescription}, $form->{vouchernumber}) = $dbh->selectrow_array($query);
 
   $form->{voucherid} = $form->{id};
-  $form->{id} = "1";
+  $form->{id} = 1;
   AA->get_name($myconfig, $form, $dbh);
 
   $form->{"old$form->{vc}"} = qq|$form->{$form->{vc}}--$form->{"$form->{vc}_id"}|;
@@ -639,6 +641,7 @@ sub post_payment {
   my $rate;
 
   # delete payments
+  $form->{voucherid} *= 1;
   if ($form->{edit} && $form->{voucherid}) {
     $query = qq|SELECT SUM(ac.amount) * $ml * -1
                 FROM acc_trans ac

diff --git a/SL/CT.pm b/SL/CT.pm
@@ -26,7 +26,7 @@ sub create_links {
   my $description;
   my $translation;
 
-  if ($form->{id}) {
+  if ($form->{id} *= 1) {
     $query = qq/SELECT ct.*,
                 ad.id AS addressid, ad.address1, ad.address2, ad.city,
 		ad.state, ad.zipcode, ad.country,
@@ -242,7 +242,7 @@ sub save {
     $form->{$_} /= 100;
   }
 
-  for (qw(terms discountterms taxincluded addressid contactid remittancevoucher)) { $form->{$_} *= 1 }
+  for (qw(id terms discountterms taxincluded addressid contactid remittancevoucher)) { $form->{$_} *= 1 }
 
   for (qw(creditlimit threshold)) { $form->{$_} = $form->parse_amount($myconfig, $form->{$_}) }
 
@@ -506,6 +506,8 @@ sub delete {
   # connect to database
   my $dbh = $form->dbconnect_noauto($myconfig);
 
+  $form->{id} *= 1;
+
   # delete customer/vendor
   my $query = qq|DELETE FROM $form->{db}
 	         WHERE id = $form->{id}|;
@@ -1114,6 +1116,8 @@ sub save_pricelist {
 
   my $dbh = $form->dbconnect_noauto($myconfig);
 
+  $form->{id} *= 1;
+
   my $query = qq|DELETE FROM parts$form->{db}
                  WHERE $form->{db}_id = $form->{id}|;
   $dbh->do($query) || $form->dberror($query);
@@ -1220,7 +1224,7 @@ sub ship_to {
 
   my $table = ($form->{db} eq 'customer') ? 'ar' : 'ap';
 
-  if ($form->{id}) {
+  if ($form->{id} *= 1) {
     $query = qq|SELECT
                 s.shiptoname, s.shiptoaddress1, s.shiptoaddress2,
                 s.shiptocity, s.shiptostate, s.shiptozipcode,