- $sql = "INSERT INTO ".TB_PREF."salesman (salesman_name, salesman_phone, salesman_fax, salesman_email)
- VALUES ('" . $_POST['salesman_name'] . "', '" . $_POST['salesman_phone'] . "', '" . $_POST['salesman_fax'] . "', '" . $_POST['salesman_email'] . "')";
+ $sql = "INSERT INTO ".TB_PREF."salesman (salesman_name, salesman_phone, salesman_fax, salesman_email,
+ provision, break_pt, provision2)
+ VALUES (".db_escape($_POST['salesman_name']) . ", "
+ .db_escape($_POST['salesman_phone']) . ", "
+ .db_escape($_POST['salesman_fax']) . ", "
+ .db_escape($_POST['salesman_email']) . ", ".
+ input_num('provision').", ".input_num('break_pt').", "
+ .input_num('provision2').")";
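Review bot: The three numeric values on the last two added lines (`provision`, `break_pt`, `provision2`) are concatenated into the statement unquoted, so their safety rests entirely on `input_num()` always returning a clean number, and its definition is not visible in this hunk. If it can return `false` or an empty value for non-numeric input, the VALUES list becomes malformed (`, , `), and under a decimal-comma locale an older PHP may render a float as `1,5`, which changes the column count. I would route them through the same helper as the string fields, e.g. `.db_escape(input_num('provision')).", "`, assuming `db_escape()` quotes as well as escapes, which the removed literal quotes suggest. Alternatively, confirm that the surrounding form handler, which lies outside this hunk, rejects non-numeric input before the query is built.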