Module gl sealed against XSS Attacks
[fa-stable.git] / gl / includes / db / gl_db_bank_accounts.inc
index 138ad95a40c78c9aa57b48e211a625375e4ac1f6..2c405614b9b8b2db9f8a9db18e1894df73bd18fb 100644 (file)
@@ -2,28 +2,28 @@
 
 //---------------------------------------------------------------------------------------------
 
-function add_bank_account($account_code, $account_type, $bank_account_name, $bank_name, $bank_account_number, 
+function add_bank_account($account_code, $account_type, $bank_account_name, $bank_name, $bank_account_number,
        $bank_address, $bank_curr_code)
 {
-       $sql = "INSERT INTO ".TB_PREF."bank_accounts (account_code, account_type, bank_account_name, bank_name, bank_account_number, bank_address, bank_curr_code) 
-               VALUES ('$account_code', $account_type, '$bank_account_name', '$bank_name', '$bank_account_number', 
-               '$bank_address', '$bank_curr_code')";   
-       
+       $sql = "INSERT INTO ".TB_PREF."bank_accounts (account_code, account_type, bank_account_name, bank_name, bank_account_number, bank_address, bank_curr_code)
+               VALUES (".db_escape($account_code).", $account_type, ".db_escape($bank_account_name).", ".db_escape($bank_name).", ".db_escape($bank_account_number).",
+               ".db_escape($bank_address).", '$bank_curr_code')";
+
        db_query($sql, "could not add a bank account for $account_code");
 }
 
 //---------------------------------------------------------------------------------------------
 
-function update_bank_account($account_code, $account_type, $bank_account_name, $bank_name, $bank_account_number, 
+function update_bank_account($account_code, $account_type, $bank_account_name, $bank_name, $bank_account_number,
        $bank_address, $bank_curr_code)
 {
-       $sql = "UPDATE ".TB_PREF."bank_accounts SET account_type = $account_type, 
-               bank_account_name='$bank_account_name', bank_name='$bank_name',
-               bank_account_number='$bank_account_number', bank_curr_code='$bank_curr_code',
-               bank_address='$bank_address' WHERE account_code = '$account_code'";
-                       
+       $sql = "UPDATE ".TB_PREF."bank_accounts SET account_type = $account_type,
+               bank_account_name=".db_escape($bank_account_name).", bank_name=".db_escape($bank_name).",
+               bank_account_number=".db_escape($bank_account_number).", bank_curr_code='$bank_curr_code',
+               bank_address=".db_escape($bank_address)." WHERE account_code = '$account_code'";
+
        db_query($sql, "could not update bank account for $account_code");
-}      
+}
 
 //---------------------------------------------------------------------------------------------
 
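Review bot: The escaping is incomplete in both hunks' new statements: `$account_type` is still interpolated unquoted in the INSERT VALUES list and the UPDATE SET clause, and `$bank_curr_code` plus the UPDATE's WHERE-clause `$account_code` remain raw `'$var'` interpolations, so those three parameters can still break out of the statement if a caller passes unchecked input. Since the new code drops the surrounding quotes around each `db_escape()` call, it looks like db_escape() returns a fully quoted literal, so the same treatment fits here: `SET account_type = ".(int)$account_type.",`, `bank_curr_code=".db_escape($bank_curr_code).",` and `WHERE account_code = ".db_escape($account_code);` (with the matching change in the INSERT's VALUES list). The `account_code='$account_code'` predicate in delete_bank_account's DELETE in the next hunk and in get_bank_account's SELECT in the last hunk has the same gap and should use `db_escape($account_code)` too. Note that what this commit adds is SQL-literal escaping rather than HTML-output escaping, so the "XSS" in the title presumably refers to hardening done elsewhere; a one-line header comment such as `// all string parameters must pass through db_escape() before interpolation` on both functions would make the intended contract explicit.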
@@ -31,7 +31,7 @@ function delete_bank_account($account_code)
 {
        $sql = "DELETE FROM ".TB_PREF."bank_accounts WHERE account_code='$account_code'";
 
-       db_query($sql,"could not delete bank account for $account_code");       
+       db_query($sql,"could not delete bank account for $account_code");
 }
 
 
@@ -42,7 +42,7 @@ function get_bank_account($account_code)
        $sql = "SELECT * FROM ".TB_PREF."bank_accounts WHERE account_code='$account_code'";
 
        $result = db_query($sql, "could not retreive bank account for $account_code");
-       
+
        return db_fetch($result);
 }