Security statements update against sql injection attacks.
diff --git
a/admin/view_print_transaction.php
b/admin/view_print_transaction.php
index 98bf8d9e7ca9f188437189b4e7089bceef1f0b26..99f2be1df36104b4dad0e9d148f1394439c83d97 100644
--- a/
admin/view_print_transaction.php
+++ b/
admin/view_print_transaction.php
@@
-60,7
+60,7
@@
function viewing_controls()
ref_cells(_("to #:"), 'ToTransNo');
ref_cells(_("to #:"), 'ToTransNo');
- submit_cells('ProcessSearch', _("Search"), '', '',
true
);
+ submit_cells('ProcessSearch', _("Search"), '', '',
'default'
);
end_row();
end_table(1);
end_row();
end_table(1);
@@
-82,8
+82,6
@@
function check_valid_entries()
display_error(_("The ending transaction number is expected to be numeric and greater than zero."));
return false;
}
display_error(_("The ending transaction number is expected to be numeric and greater than zero."));
return false;
}
- if (!isset($_POST['filterType']) || $_POST['filterType'] == "")
- return false;
return true;
}
return true;
}
@@
-111,11
+109,11
@@
function handle_search()
$sql .= " ,$trans_ref ";
$sql .= ", ".$_POST['filterType']." as type FROM $table_name
$sql .= " ,$trans_ref ";
$sql .= ", ".$_POST['filterType']." as type FROM $table_name
- WHERE $trans_no_name >= "
. $_POST['FromTransNo']
. "
- AND $trans_no_name <= "
. $_POST['ToTransNo']
;
+ WHERE $trans_no_name >= "
.db_escape($_POST['FromTransNo'])
. "
+ AND $trans_no_name <= "
.db_escape($_POST['ToTransNo'])
;
if ($type_name != null)
if ($type_name != null)
- $sql .= " AND `$type_name` = "
. $_POST['filterType']
;
+ $sql .= " AND `$type_name` = "
.db_escape($_POST['filterType'])
;
$sql .= " ORDER BY $trans_no_name";
$sql .= " ORDER BY $trans_no_name";
@@
-139,7
+137,7
@@
function handle_search()
}
$table =& new_db_pager('transactions', $sql, $cols);
}
$table =& new_db_pager('transactions', $sql, $cols);
- if (list_updated('filterType')) {
+ if (list_updated('filterType')
|| get_post('ProcessSearch')
) {
$table->set_sql($sql);
$table->set_columns($cols);
}
$table->set_sql($sql);
$table->set_columns($cols);
}
@@
-160,7
+158,7
@@
if (isset($_POST['ProcessSearch']))
//----------------------------------------------------------------------------------------
//----------------------------------------------------------------------------------------
-start_form(false
, true
);
+start_form(false);
viewing_controls();
handle_search();
end_form(2);
viewing_controls();
handle_search();
end_form(2);
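Review bot: The SELECT list on the context line `$sql .= ", ".$_POST['filterType']." as type FROM $table_name` in the third hunk still concatenates `$_POST['filterType']` into the query unescaped, while the same value is wrapped in db_escape() only in the WHERE clause a few lines below, so the commit leaves one occurrence of the value it set out to escape. That line should get the same treatment, e.g. `$sql .= ", ".db_escape($_POST['filterType'])." as type FROM $table_name` (or an `(int)` cast if filterType is always a numeric transaction type code, which the hunk does not show). The second hunk also removes the guard that returned false for a missing or empty filterType, so an empty value now reaches this concatenation and produces malformed SQL unless it is rejected elsewhere; if that validation was moved rather than dropped, a short comment at the removal site saying where would help the next reader. handle_search() starts and ends outside the hunk.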