Security update of sql statements, a couple of smaller fixes.

[fa-stable.git] / admin / shipping_companies.php
diff --git a/admin/shipping_companies.php b/admin/shipping_companies.php

index 1c16fa3f72358dccb17f9e5514200531452fe8d6..646e7b11c6c5ebba7ba2809c082ee14b422a00cd 100644 (file)
--- a/admin/shipping_companies.php
+++ b/admin/shipping_companies.php
@@ -1,6 +1,14 @@
  <?php
-
-
+/**********************************************************************
+    Copyright (C) FrontAccounting, LLC.
+       Released under the terms of the GNU General Public License, GPL, 
+       as published by the Free Software Foundation, either version 3 
+       of the License, or (at your option) any later version.
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  
+    See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
+***********************************************************************/
  $page_security = 14;
  $path_to_root="..";
  include($path_to_root . "/includes/session.inc");
@@ -45,7 +53,7 @@ if ($Mode=='UPDATE_ITEM' && can_process())
                 contact =" . db_escape($_POST['contact']). " ,
                 phone =" . db_escape($_POST['phone']). " ,
                 address =" . db_escape($_POST['address']). "
-               WHERE shipper_id = $selected_id";
+               WHERE shipper_id = ".db_escape($selected_id);
  
         db_query($sql,"The shipping company could not be updated");
         display_notification(_('Selected shipping company has been updated'));
@@ -58,7 +66,7 @@ if ($Mode == 'Delete')
  {
  // PREVENT DELETES IF DEPENDENT RECORDS IN 'sales_orders'
  
-       $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE ship_via='$selected_id'";
+       $sql= "SELECT COUNT(*) FROM ".TB_PREF."sales_orders WHERE ship_via=".db_escape($selected_id);
         $result = db_query($sql,"check failed");
         $myrow = db_fetch_row($result);
         if ($myrow[0] > 0) 
@@ -70,7 +78,7 @@ if ($Mode == 'Delete')
         {
                 // PREVENT DELETES IF DEPENDENT RECORDS IN 'debtor_trans'
  
-               $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE ship_via='$selected_id'";
+               $sql= "SELECT COUNT(*) FROM ".TB_PREF."debtor_trans WHERE ship_via=".db_escape($selected_id);
                 $result = db_query($sql,"check failed");
                 $myrow = db_fetch_row($result);
                 if ($myrow[0] > 0) 
@@ -80,7 +88,7 @@ if ($Mode == 'Delete')
                 } 
                 else 
                 {
-                       $sql="DELETE FROM ".TB_PREF."shippers WHERE shipper_id=$selected_id";
+                       $sql="DELETE FROM ".TB_PREF."shippers WHERE shipper_id=".db_escape($selected_id);
                         db_query($sql,"could not delete shipper");
                         display_notification(_('Selected shipping company has been deleted'));
                 }
@@ -113,7 +121,7 @@ while ($myrow = db_fetch($result))
         label_cell($myrow["phone"]);
         label_cell($myrow["address"]);
         edit_button_cell("Edit".$myrow[0], _("Edit"));
-       edit_button_cell("Delete".$myrow[0], _("Delete"));
+       delete_button_cell("Delete".$myrow[0], _("Delete"));
         end_row();
  }
  
@@ -132,7 +140,7 @@ if ($selected_id != -1)
         if ($Mode == 'Edit') {
                 //editing an existing Shipper
  
-               $sql = "SELECT * FROM ".TB_PREF."shippers WHERE shipper_id=$selected_id";
+               $sql = "SELECT * FROM ".TB_PREF."shippers WHERE shipper_id=".db_escape($selected_id);
  
                 $result = db_query($sql, "could not get shipper");
                 $myrow = db_fetch($result);