if (!isset($_POST['bank_account']))
$_POST['bank_account'] = "";
$sql = "SELECT ".TB_PREF."bank_trans.* FROM ".TB_PREF."bank_trans
- WHERE ".TB_PREF."bank_trans.bank_act = '" . $_POST['bank_account'] . "'
+ WHERE ".TB_PREF."bank_trans.bank_act = ".db_escape($_POST['bank_account']) . "
AND trans_date >= '$date_after'
AND trans_date <= '$date_to'
ORDER BY trans_date,".TB_PREF."bank_trans.id";
_("Debit"), _("Credit"), _("Balance"), _("Person/Item"), "");
table_header($th);
-$sql = "SELECT SUM(amount) FROM ".TB_PREF."bank_trans WHERE bank_act='" . $_POST['bank_account'] . "'
+$sql = "SELECT SUM(amount) FROM ".TB_PREF."bank_trans WHERE bank_act="
+ .db_escape($_POST['bank_account']) . "
AND trans_date < '$date_after'";
$before_qty = db_query($sql, "The starting balance on hand could not be calculated");
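Review bot: `$date_after` is still interpolated straight into the query string on the `AND trans_date < '$date_after'` line, and `$date_after`/`$date_to` likewise on the two `trans_date` lines of the earlier hunk, while only `bank_account` was moved to `db_escape()`; if either date originates from request input without being normalised first, the injection path the commit closes on `bank_act` remains open on these predicates. Routing them through the same helper keeps the statement consistent, e.g. `AND trans_date < " . db_escape($date_after);` (this assumes `db_escape()` quotes its result, as the removal of the surrounding `'` on the `bank_act` change implies), or the assignment of the two dates — outside this hunk — should be confirmed to produce a formatted date rather than raw input. The statement that builds the `$th` array, and the enclosing function, both begin before the hunk.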