$sql .= " ,$trans_ref ";
$sql .= ", ".$_POST['filterType']." as type FROM $table_name
- WHERE $trans_no_name >= " . $_POST['FromTransNo']. "
- AND $trans_no_name <= " . $_POST['ToTransNo'];
+ WHERE $trans_no_name >= ".db_escape($_POST['FromTransNo']). "
+ AND $trans_no_name <= ".db_escape($_POST['ToTransNo']);
if ($type_name != null)
- $sql .= " AND `$type_name` = " . $_POST['filterType'];
+ $sql .= " AND `$type_name` = ".db_escape($_POST['filterType']);
$sql .= " ORDER BY $trans_no_name";
}
$table =& new_db_pager('transactions', $sql, $cols);
- if (list_updated('filterType') || get_post('ProcessSearch')) {
- $table->set_sql($sql);
- $table->set_columns($cols);
- }
$table->width = "40%";
display_db_pager($table);
}