Security update merged from 2.1.

[fa-stable.git] / gl / includes / db / gl_db_account_types.inc

diff --git a/gl/includes/db/gl_db_account_types.inc b/gl/includes/db/gl_db_account_types.inc
index e82ee8dfa88fffd441609c398d1da4b79a022cd1..bd760c19ae3cd820799d055610de99b770c836ec 100644 (file)
--- a/gl/includes/db/gl_db_account_types.inc
+++ b/gl/includes/db/gl_db_account_types.inc
@@ -12,7 +12,7 @@
 function add_account_type($id, $name, $class_id, $parent)
 {
        $sql = "INSERT INTO ".TB_PREF."chart_types (id, name, class_id, parent)
-               VALUES ($id, ".db_escape($name).", $class_id, $parent)";
+               VALUES ($id, ".db_escape($name).", ".db_escape($class_id).", ".db_escape($parent).")";
 
        return db_query($sql);
 }
@@ -20,7 +20,8 @@ function add_account_type($id, $name, $class_id, $parent)
 function update_account_type($id, $name, $class_id, $parent)
 {
     $sql = "UPDATE ".TB_PREF."chart_types SET name=".db_escape($name).",
-               class_id=$class_id,     parent=$parent WHERE id = $id";
+               class_id=".db_escape($class_id).", parent=".db_escape($parent)
+               ." WHERE id = ".db_escape($id);
 
        return db_query($sql, "could not update account type");
 }
@@ -37,7 +38,7 @@ function get_account_types($all=false)
 
 function get_account_type($id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."chart_types WHERE id = $id";
+       $sql = "SELECT * FROM ".TB_PREF."chart_types WHERE id = ".db_escape($id);
 
        $result = db_query($sql, "could not get account type");
 
@@ -46,7 +47,7 @@ function get_account_type($id)
 
 function get_account_type_name($id)
 {
-       $sql = "SELECT name FROM ".TB_PREF."chart_types WHERE id = $id";
+       $sql = "SELECT name FROM ".TB_PREF."chart_types WHERE id = ".db_escape($id);
 
        $result = db_query($sql, "could not get account type");
 
@@ -56,7 +57,7 @@ function get_account_type_name($id)
 
 function delete_account_type($id)
 {
-       $sql = "DELETE FROM ".TB_PREF."chart_types WHERE id = $id";
+       $sql = "DELETE FROM ".TB_PREF."chart_types WHERE id = ".db_escape($id);
 
        db_query($sql, "could not delete account type");
 }
@@ -64,7 +65,7 @@ function delete_account_type($id)
 function add_account_class($id, $name, $ctype)
 {
        $sql = "INSERT INTO ".TB_PREF."chart_class (cid, class_name, ctype)
-               VALUES ($id, ".db_escape($name).", $ctype)";
+               VALUES (".db_escape($id).", ".db_escape($name).", ".db_escape($ctype).")";
 
        return db_query($sql);
 }
@@ -72,7 +73,7 @@ function add_account_class($id, $name, $ctype)
 function update_account_class($id, $name, $ctype)
 {
     $sql = "UPDATE ".TB_PREF."chart_class SET class_name=".db_escape($name).",
-               ctype=$ctype WHERE cid = $id";
+               ctype=".db_escape($balance)." WHERE cid = ".db_escape($id);
 
        return db_query($sql);
 }
@@ -88,7 +89,7 @@ function get_account_classes($all=false)
 
 function get_account_class($id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."chart_class WHERE cid = $id";
+       $sql = "SELECT * FROM ".TB_PREF."chart_class WHERE cid = ".db_escape($id);
 
        $result = db_query($sql, "could not get account type");
 
@@ -97,7 +98,7 @@ function get_account_class($id)
 
 function get_account_class_name($id)
 {
-       $sql = "SELECT class_name FROM ".TB_PREF."chart_class WHERE cid = $id";
+       $sql = "SELECT class_name FROM ".TB_PREF."chart_class WHERE cid =".db_escape($id);
 
        $result = db_query($sql, "could not get account type");
 
@@ -107,7 +108,7 @@ function get_account_class_name($id)
 
 function delete_account_class($id)
 {
-       $sql = "DELETE FROM ".TB_PREF."chart_class WHERE cid = $id";
+       $sql = "DELETE FROM ".TB_PREF."chart_class WHERE cid = ".db_escape($id);
 
        db_query($sql, "could not delete account type");
 }