Security update of SQL statements against SQL injection attacks.
[fa-stable.git] / admin / db / company_db.inc
index 672d95458e6335a58d82570f6a0876e32a673f6c..6a0a4ac4ff6bfc039efc026cb1adcf94dbc3da4f 100644 (file)
@@ -118,14 +118,14 @@ function add_fiscalyear($from_date, $to_date, $closed)
        $to = date2sql($to_date);
 
        $sql = "INSERT INTO ".TB_PREF."fiscal_year (begin, end, closed)
-               VALUES (".db_escape($from).",".db_escape($to).", $closed)";
+               VALUES (".db_escape($from).",".db_escape($to).", ".db_escape($closed).")";
 
        db_query($sql, "could not add fiscal year");
 }
 
 function update_fiscalyear($id, $closed)
 {
-       $sql = "UPDATE ".TB_PREF."fiscal_year SET closed=$closed
+       $sql = "UPDATE ".TB_PREF."fiscal_year SET closed=".db_escape($closed)."
                WHERE id=".db_escape($id);
 
        db_query($sql, "could not update fiscal year");
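Review bot: `$closed` is a boolean flag written into a numeric column in both add_fiscalyear (line with `VALUES (`) and update_fiscalyear (`SET closed=`), so a type cast pins it more reliably than escaping: this hunk does not show how db_escape() treats a non-string value, and whatever it does, `(int)$closed` guarantees the SQL receives a bare integer no matter what the caller passes. I would write `VALUES (".db_escape($from).",".db_escape($to).", ".(int)$closed.")";` and `SET closed=".(int)$closed."` respectively. The same point applies to `$year` in the get_current_fiscalyear hunk below, where the value from get_company_pref('f_year') is compared against the integer `id` column. The body of add_fiscalyear begins above this hunk, so any caller-side validation of `$closed` is not visible here.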
@@ -151,7 +151,7 @@ function get_current_fiscalyear()
 {
        $year = get_company_pref('f_year');
 
-       $sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE id=$year";
+       $sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE id=".db_escape($year);
 
        $result = db_query($sql, "could not get current fiscal year");