Security statements update against sql injection attacks.
diff --git
a/admin/db/company_db.inc
b/admin/db/company_db.inc
index 672d95458e6335a58d82570f6a0876e32a673f6c..6a0a4ac4ff6bfc039efc026cb1adcf94dbc3da4f 100644
--- a/
admin/db/company_db.inc
+++ b/
admin/db/company_db.inc
@@
-118,14
+118,14
@@
function add_fiscalyear($from_date, $to_date, $closed)
$to = date2sql($to_date);
$sql = "INSERT INTO ".TB_PREF."fiscal_year (begin, end, closed)
$to = date2sql($to_date);
$sql = "INSERT INTO ".TB_PREF."fiscal_year (begin, end, closed)
- VALUES (".db_escape($from).",".db_escape($to).",
$closed
)";
+ VALUES (".db_escape($from).",".db_escape($to).",
".db_escape($closed)."
)";
db_query($sql, "could not add fiscal year");
}
function update_fiscalyear($id, $closed)
{
db_query($sql, "could not add fiscal year");
}
function update_fiscalyear($id, $closed)
{
- $sql = "UPDATE ".TB_PREF."fiscal_year SET closed=
$closed
+ $sql = "UPDATE ".TB_PREF."fiscal_year SET closed=
".db_escape($closed)."
WHERE id=".db_escape($id);
db_query($sql, "could not update fiscal year");
WHERE id=".db_escape($id);
db_query($sql, "could not update fiscal year");
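Review bot: The new `db_escape($closed)` on the `VALUES` line of add_fiscalyear and on the `SET closed=` line of update_fiscalyear stops the raw interpolation, but `closed` is a 0/1 flag and escaping only turns the value into a safe literal, it does not constrain it to that domain. Casting first pins the type regardless of how db_escape quotes its argument: `".db_escape((int)$closed)."` in both places (or `$closed = (int)$closed;` at the top of each function). Whether `$closed` arrives straight from the request is not visible here, so this is defence in depth rather than a known bypass of the fix. Both functions lie fully inside this hunk; the get_current_fiscalyear hunk below runs past the end of this page.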
@@
-151,7
+151,7
@@
function get_current_fiscalyear()
{
$year = get_company_pref('f_year');
{
$year = get_company_pref('f_year');
- $sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE id=
$year"
;
+ $sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE id=
".db_escape($year)
;
$result = db_query($sql, "could not get current fiscal year");
$result = db_query($sql, "could not get current fiscal year");