Security update merged from 2.1.

[fa-stable.git] / admin / db / voiding_db.inc

diff --git a/admin/db/voiding_db.inc b/admin/db/voiding_db.inc
index 8efc0036dbdd0d13451545894da9200601ce363a..553240c2b016c1d2220d930529d0dd244b21afe6 100644 (file)
--- a/admin/db/voiding_db.inc
+++ b/admin/db/voiding_db.inc
@@ -115,7 +115,8 @@ function void_transaction($type, $type_no, $date_, $memo_)
 
 function get_voided_entry($type, $type_no)
 {
-       $sql = "SELECT * FROM ".TB_PREF."voided WHERE type=$type AND id=$type_no";
+       $sql = "SELECT * FROM ".TB_PREF."voided WHERE type=".db_escape($type)
+               ." AND id=".db_escape($type_no);
 
        $result = db_query($sql, "could not query voided transaction table");
 
@@ -128,7 +129,8 @@ function add_voided_entry($type, $type_no, $date_, $memo_)
 {
        $date = date2sql($date_);
        $sql = "INSERT INTO ".TB_PREF."voided (type, id, date_, memo_)
-               VALUES ($type, $type_no, ".db_escape($date).", ".db_escape($memo_).")";
+               VALUES (".db_escape($type).", ".db_escape($type_no).", "
+               .db_escape($date).", ".db_escape($memo_).")";
 
        db_query($sql, "could not add voided transaction entry");
 }