- $sql = "UPDATE ".TB_PREF."suppliers SET supp_name='" . $_POST['supp_name'] . "',
- address='" . $_POST['address'] . "',
- email='" . $_POST['email'] . "',
- bank_account='" . $_POST['bank_account'] . "',
- dimension_id=" . $_POST['dimension_id'] . ",
- dimension2_id=" . $_POST['dimension2_id'] . ",
- curr_code='" . $_POST['curr_code'] . "',
- payment_terms='" . $_POST['payment_terms'] . "',
- payable_account='" . $_POST['payable_account'] . "',
- purchase_account='" . $_POST['purchase_account'] . "',
- payment_discount_account='" . $_POST['payment_discount_account'] . "',
- tax_group_id=" . $_POST['tax_group_id'] . " WHERE supplier_id = '" . $_POST['supplier_id'] . "'";
+ $sql = "UPDATE ".TB_PREF."suppliers SET supp_name=".db_escape($_POST['supp_name']) . ",
+ address=".db_escape($_POST['address']) . ",
+ email=".db_escape($_POST['email']) . ",
+ bank_account=".db_escape($_POST['bank_account']) . ",
+ dimension_id=".db_escape($_POST['dimension_id']) . ",
+ dimension2_id=".db_escape($_POST['dimension2_id']) . ",
+ curr_code=".db_escape($_POST['curr_code']).",
+ payment_terms=".db_escape($_POST['payment_terms']) . ",
+ payable_account=".db_escape($_POST['payable_account']) . ",
+ purchase_account=".db_escape($_POST['purchase_account']) . ",
+ payment_discount_account=".db_escape($_POST['payment_discount_account']) . ",
+ tax_group_id=".db_escape($_POST['tax_group_id']) . " WHERE supplier_id = '" . $_POST['supplier_id'] . "'";
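Review bot: The WHERE clause on the last added line still concatenates `$_POST['supplier_id']` raw inside hand-written single quotes, so the escaping this commit applies to every SET value does not cover the one input that selects which row is updated, and the injection path in the statement remains open. It should be routed through the same helper as the other fields, `WHERE supplier_id = ".db_escape($_POST['supplier_id']);`, dropping the literal quotes as the SET clauses did, since db_escape appears to supply them (the SET values lost their surrounding `'...'` in this change; confirm against db_escape's definition). A prepared statement with bound parameters would be the stronger fix, but at minimum no request value should reach the query without passing through db_escape. The `$sql` assignment is complete within the hunk; where it is executed lies outside it.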