- $sql .= "'".$_POST['supplier_id']."', '" . $_POST['stock_id'] . "', " .
- input_num('price') . ", '" . $_POST['suppliers_uom'] . "', " .
- input_num('conversion_factor') . ", '" . $_POST['supplier_description'] . "')";
+ $sql .= db_escape($_POST['supplier_id']).", ".db_escape($_POST['stock_id']). ", "
+ .input_num('price',0) . ", ".db_escape( $_POST['suppliers_uom'] ). ", "
+ .input_num('conversion_factor') . ", "
+ .db_escape($_POST['supplier_description']) . ")";