function exists_gl_budget($date_, $account, $dimension, $dimension2)
{
- $sql = "SELECT account FROM ".TB_PREF."budget_trans WHERE account='$account' AND tran_date='$date_' AND
- dimension_id=$dimension AND dimension2_id=$dimension2";
+ $sql = "SELECT account FROM ".TB_PREF."budget_trans WHERE account=".db_escape($account)
+ ." AND tran_date='$date_' AND
+ dimension_id=".db_escape($dimension)." AND dimension2_id=".db_escape($dimension2);
$result = db_query($sql, "Cannot retreive a gl transaction");
return (db_num_rows($result) > 0);
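Review bot: The date values are still interpolated into the SQL unescaped after this change — the `tran_date='$date_'` clause here, and likewise `'$date'` in the UPDATE/INSERT and DELETE hunks below and `'$from'`/`'$to'` in the SUM query — while every other value in these statements now goes through db_escape(). Since db_escape() supplies the quotes itself (compare how `'$account'` became `account=".db_escape($account)`), the consistent form is `." AND tran_date=".db_escape($date_)` and the same substitution in the other three queries. The callers pass the output of date2sql(), so this only matters if that helper can pass non-digit characters through from the user-supplied date string; it is cheap either way and removes the last raw interpolation in these queries. Note also that exists_gl_budget receives the already-converted SQL date in a parameter named `$date_`, which in the hunks below denotes the user-format input before date2sql().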
$date = date2sql($date_);
if (exists_gl_budget($date, $account, $dimension, $dimension2))
- $sql = "UPDATE ".TB_PREF."budget_trans SET amount=$amount WHERE account='$account' AND
- dimension_id=$dimension AND dimension2_id=$dimension2 AND tran_date='$date'";
+ $sql = "UPDATE ".TB_PREF."budget_trans SET amount=".db_escape($amount)
+ ." WHERE account=".db_escape($account)
+ ." AND dimension_id=".db_escape($dimension)
+ ." AND dimension2_id=".db_escape($dimension2)
+ ." AND tran_date='$date'";
else
$sql = "INSERT INTO ".TB_PREF."budget_trans (tran_date,
account, dimension_id, dimension2_id, amount, memo_) VALUES ('$date',
- '$account', $dimension, $dimension2, $amount, '')";
+ ".db_escape($account).", ".db_escape($dimension).", "
+ .db_escape($dimension2).", ".db_escape($amount).", '')";
db_query($sql, "The GL budget transaction could not be saved");
}
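Review bot: The exists-then-UPDATE-or-INSERT sequence in this hunk is a check-then-act pair with no transaction or lock around it, so two concurrent saves for the same account/date/dimension key can both see "not found" and both INSERT. If budget_trans has a unique key over (tran_date, account, dimension_id, dimension2_id) — not visible here — a single `INSERT ... ON DUPLICATE KEY UPDATE amount=VALUES(amount)` would collapse the two statements and close the window; otherwise the pair should run inside one transaction. The enclosing function's signature is above the hunk.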
{
$date = date2sql($date_);
- $sql = "DELETE FROM ".TB_PREF."budget_trans WHERE account='$account' AND
- dimension_id=$dimension AND dimension2_id=$dimension2 AND tran_date='$date'";
+ $sql = "DELETE FROM ".TB_PREF."budget_trans WHERE account=".db_escape($account)
+ ." AND dimension_id=".db_escape($dimension)
+ ." AND dimension2_id=".db_escape($dimension2)
+ ." AND tran_date='$date'";
db_query($sql, "The GL budget transaction could not be deleted");
}
$to = date2sql($to_date);
$sql = "SELECT SUM(amount) FROM ".TB_PREF."budget_trans
- WHERE account='$account' AND tran_date >= '$from' AND tran_date <= '$to'
- AND dimension_id = $dimension AND dimension2_id = $dimension2";
+ WHERE account=".db_escape($account)
+ ." AND tran_date >= '$from' AND tran_date <= '$to'
+ AND dimension_id = ".db_escape($dimension)
+ ." AND dimension2_id = ".db_escape($dimension2);
$result = db_query($sql,"No budget accounts were returned");
$row = db_fetch_row($result);
table_header($th);
$year = $_POST['fyear'];
if (get_post('update') == '') {
- $sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE id=$year";
+ $sql = "SELECT * FROM ".TB_PREF."fiscal_year WHERE id=".db_escape($year);
$result = db_query($sql, "could not get current fiscal year");