date bugs in add and update

[fa-stable.git] / dimensions / includes / dimensions_db.inc

diff --git a/dimensions/includes/dimensions_db.inc b/dimensions/includes/dimensions_db.inc
index a66ca53873e7f6de20abca06a1a458b1327da1c5..756ff255a7ec737dfb965ac194e42245e6869402 100644 (file)
--- a/dimensions/includes/dimensions_db.inc
+++ b/dimensions/includes/dimensions_db.inc
@@ -1,5 +1,14 @@
 <?php
-
+/**********************************************************************
+    Copyright (C) FrontAccounting, LLC.
+       Released under the terms of the GNU General Public License, GPL, 
+       as published by the Free Software Foundation, either version 3 
+       of the License, or (at your option) any later version.
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  
+    See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
+***********************************************************************/
 function add_dimension($reference, $name, $type_, $date_, $due_date, $memo_)
 {
        begin_transaction();
@@ -8,15 +17,14 @@ function add_dimension($reference, $name, $type_, $date_, $due_date, $memo_)
        $duedate = date2sql($due_date);
 
        $sql = "INSERT INTO ".TB_PREF."dimensions (reference, name, type_, date_, due_date)
-               VALUES ('$reference', '$name', $type_, '$date', '$duedate')";
+               VALUES (".db_escape($reference).", ".db_escape($name).", ".db_escape($type_)
+               .", '$date', '$duedate')";
        db_query($sql, "could not add dimension");
 
        $id = db_insert_id();
 
        add_comments(systypes::dimension(), $id, $date_, $memo_);
 
-       add_forms_for_sys_type(systypes::dimension(), $id);
-
        references::save_last($reference, systypes::dimension());
 
        commit_transaction();
@@ -31,11 +39,11 @@ function update_dimension($id, $name, $type_, $date_, $due_date, $memo_)
        $date = date2sql($date_);
        $duedate = date2sql($due_date);
 
-       $sql = "UPDATE ".TB_PREF."dimensions SET name='$name',
-               type_ = $type_,
+       $sql = "UPDATE ".TB_PREF."dimensions SET name=".db_escape($name).",
+               type_ = ".db_escape($type_).",
                date_='$date',
                due_date='$duedate'
-               WHERE id = $id";
+               WHERE id = ".db_escape($id);
 
        db_query($sql, "could not update dimension");
 
@@ -51,13 +59,11 @@ function delete_dimension($id)
        begin_transaction();
 
        // delete the actual dimension
-       $sql="DELETE FROM ".TB_PREF."dimensions WHERE id=$id";
+       $sql="DELETE FROM ".TB_PREF."dimensions WHERE id=".db_escape($id);
        db_query($sql,"The dimension could not be deleted");
 
        delete_comments(systypes::dimension(), $id);
 
-       delete_forms_for_systype(systypes::dimension(), $id);
-
        commit_transaction();
 }
 
@@ -65,7 +71,7 @@ function delete_dimension($id)
 
 function get_dimension($id, $allow_null=false)
 {
-    $sql = "SELECT * FROM ".TB_PREF."dimensions        WHERE id=$id";
+    $sql = "SELECT * FROM ".TB_PREF."dimensions        WHERE id=".db_escape($id);
 
        $result = db_query($sql, "The dimension could not be retrieved");
 
@@ -83,15 +89,15 @@ function get_dimension_string($id, $html=false, $space=' ')
        {
                if ($html)
                        $dim = "&nbsp;";
-               else    
+               else
                        $dim = "";
-       }               
+       }
        else
        {
                $row = get_dimension($id, true);
                $dim = $row['reference'] . $space . $row['name'];
        }
-       
+
        return $dim;
 }
 
@@ -115,7 +121,7 @@ function dimension_has_deposits($id)
 
 function dimension_has_payments($id)
 {
-       $sql = "SELECT SUM(amount) FROM ".TB_PREF."gl_trans WHERE dimension_id = $id";
+       $sql = "SELECT SUM(amount) FROM ".TB_PREF."gl_trans WHERE dimension_id = ".db_escape($id);
        $res = db_query($sql, "Transactions could not be calculated");
        $row = db_fetch_row($res);
        return ($row[0] != 0.0);
@@ -131,7 +137,7 @@ function dimension_is_closed($id)
 
 function close_dimension($id)
 {
-       $sql = "UPDATE ".TB_PREF."dimensions SET closed='1' WHERE id = $id";
+       $sql = "UPDATE ".TB_PREF."dimensions SET closed='1' WHERE id = ".db_escape($id);
        db_query($sql, "could not close dimension");
 }