Security statements update against sql injection attacks.

[fa-stable.git] / inventory / includes / db / items_category_db.inc

diff --git a/inventory/includes/db/items_category_db.inc b/inventory/includes/db/items_category_db.inc
index 014b75208c48f3505ec03a75d94aa6a46608a449..20f469b0384dfabed5a07139567cec2d84e3a629 100644 (file)
--- a/inventory/includes/db/items_category_db.inc
+++ b/inventory/includes/db/items_category_db.inc
@@ -22,21 +22,21 @@ function update_item_category($ItemCategory, $description)
 
 {
        $sql = "UPDATE ".TB_PREF."stock_category SET description = ".db_escape($description)."
-        WHERE category_id = '$ItemCategory'";
+        WHERE category_id = ".db_escape($ItemCategory);
 
        db_query($sql,"an item category could not be updated");
 }
 
 function delete_item_category($ItemCategory)
 {
-       $sql="DELETE FROM ".TB_PREF."stock_category WHERE category_id='$ItemCategory'";
+       $sql="DELETE FROM ".TB_PREF."stock_category WHERE category_id=".db_escape($ItemCategory);
 
        db_query($sql,"an item category could not be deleted");
 }
 
 function get_item_category($ItemCategory)
 {
-       $sql="SELECT * FROM ".TB_PREF."stock_category WHERE category_id='$ItemCategory'";
+       $sql="SELECT * FROM ".TB_PREF."stock_category WHERE category_id=".db_escape($ItemCategory);
 
        $result = db_query($sql,"an item category could not be retrieved");
 
@@ -45,7 +45,7 @@ function get_item_category($ItemCategory)
 
 function get_category_name($id)
 {
-       $sql = "SELECT description FROM ".TB_PREF."stock_category WHERE category_id=$id";
+       $sql = "SELECT description FROM ".TB_PREF."stock_category WHERE category_id=".db_escape($id);
 
        $result = db_query($sql, "could not get sales type");