//---------------------------------------------------------------------------------------------
function get_exchange_rate($rate_id)
{
//---------------------------------------------------------------------------------------------
function get_exchange_rate($rate_id)
{
$result = db_query($sql, "could not get exchange rate for $rate_id");
return db_fetch($result);
$result = db_query($sql, "could not get exchange rate for $rate_id");
return db_fetch($result);
function get_date_exchange_rate($curr_code, $date_)
{
$date = date2sql($date_);
function get_date_exchange_rate($curr_code, $date_)
{
$date = date2sql($date_);
$result = db_query($sql, "could not get exchange rate for $curr_code - $date_");
if(db_num_rows($result) == 0)
$result = db_query($sql, "could not get exchange rate for $curr_code - $date_");
if(db_num_rows($result) == 0)
- $sql = "UPDATE ".TB_PREF."exchange_rates SET rate_buy=$buy_rate, rate_sell=$sell_rate
- WHERE curr_code='$curr_code' AND date_='$date'";
+ $sql = "UPDATE ".TB_PREF."exchange_rates SET rate_buy=$buy_rate, rate_sell=".db_escape($sell_rate)
+ ." WHERE curr_code=".db_escape($curr_code)." AND date_='$date'";
$date = date2sql($date_);
$sql = "INSERT INTO ".TB_PREF."exchange_rates (curr_code, date_, rate_buy, rate_sell)
$date = date2sql($date_);
$sql = "INSERT INTO ".TB_PREF."exchange_rates (curr_code, date_, rate_buy, rate_sell)
- VALUES ('$curr_code', '$date', $buy_rate, $sell_rate)";
+ VALUES (".db_escape($curr_code).", '$date', ".db_escape($buy_rate)
+ .", ".db_escape($sell_rate).")";