Security statements update against sql injection attacks.

[fa-stable.git] / inventory / cost_update.php

diff --git a/inventory/cost_update.php b/inventory/cost_update.php
index c35e81b518f9c0a047815f907daefdd1af8b9013..432bf6524205d8207d4e13e1a49bbb8617a4038f 100644 (file)
--- a/inventory/cost_update.php
+++ b/inventory/cost_update.php
@@ -91,7 +91,7 @@ set_global_stock_item($_POST['stock_id']);
 $sql = "SELECT description, units, material_cost, labour_cost,
        overhead_cost, mb_flag
        FROM ".TB_PREF."stock_master
-       WHERE stock_id='" . $_POST['stock_id'] . "'
+       WHERE stock_id=".db_escape($_POST['stock_id']) . "
        GROUP BY description, units, material_cost, labour_cost, overhead_cost, mb_flag";
 $result = db_query($sql);
 check_db_error("The cost details for the item could not be retrieved", $sql);