projects
/
fa-stable.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Security update of sql statements, a couple of smaller fixes.
[fa-stable.git]
/
admin
/
db
/
voiding_db.inc
diff --git
a/admin/db/voiding_db.inc
b/admin/db/voiding_db.inc
index fafac43051a38b3ded47f04514dd9b404c166690..59e3680d2ab9ed08e617e9352136791922485d4d 100644
(file)
--- a/
admin/db/voiding_db.inc
+++ b/
admin/db/voiding_db.inc
@@
-110,7
+110,8
@@
function void_transaction($type, $type_no, $date_, $memo_)
function get_voided_entry($type, $type_no)
{
function get_voided_entry($type, $type_no)
{
- $sql = "SELECT * FROM ".TB_PREF."voided WHERE type=$type AND id=$type_no";
+ $sql = "SELECT * FROM ".TB_PREF."voided WHERE type=".db_escape($type)
+ ." AND id=".db_escape($type_no);
$result = db_query($sql, "could not query voided transaction table");
$result = db_query($sql, "could not query voided transaction table");
@@
-123,7
+124,8
@@
function add_voided_entry($type, $type_no, $date_, $memo_)
{
$date = date2sql($date_);
$sql = "INSERT INTO ".TB_PREF."voided (type, id, date_, memo_)
{
$date = date2sql($date_);
$sql = "INSERT INTO ".TB_PREF."voided (type, id, date_, memo_)
- VALUES ($type, $type_no, ".db_escape($date).", ".db_escape($memo_).")";
+ VALUES (".db_escape($type).", ".db_escape($type_no).", "
+ .db_escape($date).", ".db_escape($memo_).")";
db_query($sql, "could not add voided transaction entry");
}
db_query($sql, "could not add voided transaction entry");
}