Security statements update against sql injection attacks.

[fa-stable.git] / gl / includes / db / gl_db_rates.inc

diff --git a/gl/includes/db/gl_db_rates.inc b/gl/includes/db/gl_db_rates.inc
index 0c9ae6863b5d81d572f404ddff4789bbf7c37322..bd0775eaa746ca7fa74a0e72b0622f9561cfffa8 100644 (file)
--- a/gl/includes/db/gl_db_rates.inc
+++ b/gl/includes/db/gl_db_rates.inc
@@ -12,7 +12,7 @@
 //---------------------------------------------------------------------------------------------
 function get_exchange_rate($rate_id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."exchange_rates WHERE id=$rate_id";
+       $sql = "SELECT * FROM ".TB_PREF."exchange_rates WHERE id=".db_escape($rate_id);
        $result = db_query($sql, "could not get exchange rate for $rate_id");   
 
        return db_fetch($result);
@@ -22,8 +22,8 @@ function get_exchange_rate($rate_id)
 function get_date_exchange_rate($curr_code, $date_)
 {
        $date = date2sql($date_);
-       $sql = "SELECT rate_buy FROM ".TB_PREF."exchange_rates WHERE curr_code='$curr_code' 
-               AND date_='$date'";
+       $sql = "SELECT rate_buy FROM ".TB_PREF."exchange_rates WHERE curr_code=".db_escape($curr_code)
+       ." AND date_='$date'";
        $result = db_query($sql, "could not get exchange rate for $curr_code - $date_");        
 
        if(db_num_rows($result) == 0) 
@@ -41,8 +41,8 @@ function update_exchange_rate($curr_code, $date_, $buy_rate, $sell_rate)
                        
        $date = date2sql($date_);
                
-       $sql = "UPDATE ".TB_PREF."exchange_rates SET rate_buy=$buy_rate, rate_sell=$sell_rate
-               WHERE curr_code='$curr_code' AND date_='$date'";
+       $sql = "UPDATE ".TB_PREF."exchange_rates SET rate_buy=$buy_rate, rate_sell=".db_escape($sell_rate)
+       ." WHERE curr_code=".db_escape($curr_code)." AND date_='$date'";
                                
        db_query($sql, "could not add exchange rate for $curr_code");                           
 }
@@ -57,7 +57,8 @@ function add_exchange_rate($curr_code, $date_, $buy_rate, $sell_rate)
        $date = date2sql($date_);
                
        $sql = "INSERT INTO ".TB_PREF."exchange_rates (curr_code, date_, rate_buy, rate_sell)
-               VALUES ('$curr_code', '$date', $buy_rate, $sell_rate)";
+               VALUES (".db_escape($curr_code).", '$date', ".db_escape($buy_rate)
+               .", ".db_escape($sell_rate).")";
        db_query($sql, "could not add exchange rate for $curr_code");                           
 }
 
@@ -65,7 +66,7 @@ function add_exchange_rate($curr_code, $date_, $buy_rate, $sell_rate)
 
 function delete_exchange_rate($rate_id)
 {
-       $sql = "DELETE FROM ".TB_PREF."exchange_rates WHERE id=$rate_id";
+       $sql = "DELETE FROM ".TB_PREF."exchange_rates WHERE id=".db_escape($rate_id);
        db_query($sql, "could not delete exchange rate $rate_id");              
 }