projects
/
fa-stable.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Security update merged from 2.1.
[fa-stable.git]
/
sales
/
inquiry
/
sales_deliveries_view.php
diff --git
a/sales/inquiry/sales_deliveries_view.php
b/sales/inquiry/sales_deliveries_view.php
index 4f601014ef4451cb961fc1ad9ab5b8cb185e8e72..72e6d132da71930d9f5e84a1a0bdb40aa0d3d9c2 100644
(file)
--- a/
sales/inquiry/sales_deliveries_view.php
+++ b/
sales/inquiry/sales_deliveries_view.php
@@
-9,7
+9,7
@@
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
***********************************************************************/
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
***********************************************************************/
-$page_security = 'SA_SALES
TRANSVIEW
';
+$page_security = 'SA_SALES
INVOICE
';
$path_to_root = "../..";
include($path_to_root . "/includes/db_pager.inc");
include($path_to_root . "/includes/session.inc");
$path_to_root = "../..";
include($path_to_root . "/includes/db_pager.inc");
include($path_to_root . "/includes/session.inc");
@@
-204,7
+204,8
@@
if ($_POST['OutstandingOnly'] == true) {
//figure out the sql required from the inputs available
if (isset($_POST['DeliveryNumber']) && $_POST['DeliveryNumber'] != "")
{
//figure out the sql required from the inputs available
if (isset($_POST['DeliveryNumber']) && $_POST['DeliveryNumber'] != "")
{
- $sql .= " AND trans.trans_no LIKE '%". $_POST['DeliveryNumber'] ."'";
+ $delivery = "%".$_POST['DeliveryNumber'];
+ $sql .= " AND trans.trans_no LIKE ".db_escape($delivery);
$sql .= " GROUP BY trans.trans_no";
}
else
$sql .= " GROUP BY trans.trans_no";
}
else
@@
-213,13
+214,13
@@
else
$sql .= " AND trans.tran_date <= '".date2sql($_POST['DeliveryToDate'])."'";
if ($selected_customer != -1)
$sql .= " AND trans.tran_date <= '".date2sql($_POST['DeliveryToDate'])."'";
if ($selected_customer != -1)
- $sql .= " AND trans.debtor_no=
'" . $selected_customer . "'
";
+ $sql .= " AND trans.debtor_no=
".db_escape($selected_customer)."
";
if (isset($selected_stock_item))
if (isset($selected_stock_item))
- $sql .= " AND line.stock_id=
'". $selected_stock_item ."'
";
+ $sql .= " AND line.stock_id=
".db_escape($selected_stock_item)."
";
if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != ALL_TEXT)
if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != ALL_TEXT)
- $sql .= " AND sorder.from_stk_loc =
'". $_POST['StockLocation'] . "'
";
+ $sql .= " AND sorder.from_stk_loc =
".db_escape($_POST['StockLocation'])."
";
$sql .= " GROUP BY trans.trans_no ";
$sql .= " GROUP BY trans.trans_no ";
@@
-255,10
+256,6
@@
if (isset($_SESSION['Batch']))
$table =& new_db_pager('deliveries_tbl', $sql, $cols);
$table->set_marker('check_overdue', _("Marked items are overdue."));
$table =& new_db_pager('deliveries_tbl', $sql, $cols);
$table->set_marker('check_overdue', _("Marked items are overdue."));
-if (get_post('SearchOrders')) {
- $table->set_sql($sql);
- $table->set_columns($cols);
-}
//$table->width = "92%";
start_form();
//$table->width = "92%";
start_form();