//---------------------------------------------------------------------------------------------
function get_exchange_rate($rate_id)
{
- $sql = "SELECT * FROM ".TB_PREF."exchange_rates WHERE id=$rate_id";
+ $sql = "SELECT * FROM ".TB_PREF."exchange_rates WHERE id=".db_escape($rate_id);
$result = db_query($sql, "could not get exchange rate for $rate_id");
return db_fetch($result);
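Review bot: The new `db_escape($rate_id)` on the `WHERE id=` line closes the interpolation hole, but `id` is a numeric key and the query still relies on db_escape's quoting rules (not visible here) to handle a non-numeric value sensibly. Casting first, `$rate_id = (int)$rate_id;` before the `$sql` line, states the contract explicitly and yields a predictable query for any input; the same applies to delete_exchange_rate further down in this diff. The error-message string on the `db_query` line only interpolates `$rate_id` into text, not SQL, so it needs no change. get_exchange_rate's closing brace lies outside this hunk.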
function get_date_exchange_rate($curr_code, $date_)
{
$date = date2sql($date_);
- $sql = "SELECT rate_buy FROM ".TB_PREF."exchange_rates WHERE curr_code='$curr_code'
- AND date_='$date'";
+ $sql = "SELECT rate_buy FROM ".TB_PREF."exchange_rates WHERE curr_code=".db_escape($curr_code)
+ ." AND date_='$date'";
$result = db_query($sql, "could not get exchange rate for $curr_code - $date_");
if(db_num_rows($result) == 0)
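Review bot: `$date` is still interpolated raw into `AND date_='$date'` on the new line while `$curr_code` next to it now goes through db_escape; whether that is safe depends on date2sql() returning a fixed-format string, which this hunk does not show. Either apply the same treatment for consistency, `." AND date_=".db_escape($date);`, or add a comment such as `// $date is the normalized output of date2sql(), not raw user input` so the asymmetry is deliberate rather than an oversight. The same pattern appears in the UPDATE and INSERT statements below. The `if(db_num_rows($result) == 0)` body continues outside the hunk.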
$date = date2sql($date_);
- $sql = "UPDATE ".TB_PREF."exchange_rates SET rate_buy=$buy_rate, rate_sell=$sell_rate
- WHERE curr_code='$curr_code' AND date_='$date'";
+ $sql = "UPDATE ".TB_PREF."exchange_rates SET rate_buy=$buy_rate, rate_sell=".db_escape($sell_rate)
+ ." WHERE curr_code=".db_escape($curr_code)." AND date_='$date'";
db_query($sql, "could not add exchange rate for $curr_code");
}
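Review bot: `rate_buy=$buy_rate` on the new UPDATE line is left as a bare interpolation while `rate_sell` on the same line is wrapped in db_escape, so the commit escapes one of the two rate values but not the other. Unless `$buy_rate` is validated as numeric before this point (its origin is outside the hunk), the line should read `SET rate_buy=".db_escape($buy_rate).", rate_sell=".db_escape($sell_rate)` to match the INSERT below, which escapes both. The enclosing function's signature and the source of `$buy_rate` are not visible in this hunk.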
$date = date2sql($date_);
$sql = "INSERT INTO ".TB_PREF."exchange_rates (curr_code, date_, rate_buy, rate_sell)
- VALUES ('$curr_code', '$date', $buy_rate, $sell_rate)";
+ VALUES (".db_escape($curr_code).", '$date', ".db_escape($buy_rate)
+ .", ".db_escape($sell_rate).")";
db_query($sql, "could not add exchange rate for $curr_code");
}
function delete_exchange_rate($rate_id)
{
- $sql = "DELETE FROM ".TB_PREF."exchange_rates WHERE id=$rate_id";
+ $sql = "DELETE FROM ".TB_PREF."exchange_rates WHERE id=".db_escape($rate_id);
db_query($sql, "could not delete exchange rate $rate_id");
}