projects / fa-stable.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fixed edition of purchase order (bug #0000001)
[fa-stable.git] / admin / shipping_companies.php
diff --git a/admin/shipping_companies.php b/admin/shipping_companies.php
index 7d4e530c7cb0a424742928a86d821c1a15f11a42..ec9f89536d93744df579f8c28963a36cdfa508cc 100644 (file)
--- a/admin/shipping_companies.php
+++ b/admin/shipping_companies.php
@@ -24,6 +24,7 @@ function can_process()
        if (strlen($_POST['shipper_name']) == 0) 
        {
                display_error(_("The shipping company name cannot be empty."));
+               set_focus('shipper_name');
                return false;
        }
        return true;
@@ -35,10 +36,10 @@ if (isset($_POST['ADD_ITEM']) && can_process())
 {
 
        $sql = "INSERT INTO ".TB_PREF."shippers (shipper_name, contact, phone, address)
-               VALUES ('" . $_POST['shipper_name'] . "', '" .
-               $_POST['contact'] . "', '" .
-               $_POST['phone'] . "', '" .
-               $_POST['address'] . "')";
+               VALUES (" . db_escape($_POST['shipper_name']) . ", " .
+               db_escape($_POST['contact']). ", " .
+               db_escape($_POST['phone']). ", " .
+               db_escape($_POST['address']) . ")";
 
        db_query($sql,"The Shipping Company could not be added");
        meta_forward($_SERVER['PHP_SELF']);
@@ -49,10 +50,10 @@ if (isset($_POST['ADD_ITEM']) && can_process())
 if (isset($_POST['UPDATE_ITEM']) && can_process()) 
 {
 
-       $sql = "UPDATE ".TB_PREF."shippers SET shipper_name='" . $_POST['shipper_name'] . "' ,
-               contact ='" . $_POST['contact'] . "' ,
-               phone ='" . $_POST['phone'] . "' ,
-               address ='" . $_POST['address'] . "'
+       $sql = "UPDATE ".TB_PREF."shippers SET shipper_name=" . db_escape($_POST['shipper_name']). " ,
+               contact =" . db_escape($_POST['contact']). " ,
+               phone =" . db_escape($_POST['phone']). " ,
+               address =" . db_escape($_POST['address']). "
                WHERE shipper_id = $selected_id";
 
        db_query($sql,"The shipping company could not be updated");
FrontAccounting stable branch