Security update merged from 2.1.

[fa-stable.git] / inventory / includes / db / items_locations_db.inc

diff --git a/inventory/includes/db/items_locations_db.inc b/inventory/includes/db/items_locations_db.inc
index 809e928c028f1021aed34bd9e2bcbee28c6c0f15..b0372971441a3ca1e49d0404fb379770d7b9103f 100644 (file)
--- a/inventory/includes/db/items_locations_db.inc
+++ b/inventory/includes/db/items_locations_db.inc
@@ -13,13 +13,14 @@ function add_item_location($loc_code, $location_name, $delivery_address, $phone,
 {
        $sql = "INSERT INTO ".TB_PREF."locations (loc_code, location_name, delivery_address, phone, phone2, fax, email, contact)
                VALUES (".db_escape($loc_code).", ".db_escape($location_name).", ".db_escape($delivery_address).", "
-                       .db_escape($phone).", ".db_escape($phone2).", ".db_escape($fax).", ".db_escape($email).", ".db_escape($contact).")";
+                       .db_escape($phone).", ".db_escape($phone2).", ".db_escape($fax).", ".db_escape($email).", "
+                       .db_escape($contact).")";
 
        db_query($sql,"a location could not be added");
 
        /* Also need to add loc_stock records for all existing items */
        $sql = "INSERT INTO ".TB_PREF."loc_stock (loc_code, stock_id, reorder_level)
-               SELECT '$loc_code', ".TB_PREF."stock_master.stock_id, 0 FROM ".TB_PREF."stock_master";
+               SELECT ".db_escape($loc_code).", ".TB_PREF."stock_master.stock_id, 0 FROM ".TB_PREF."stock_master";
 
        db_query($sql,"a location could not be added");
 }
@@ -33,7 +34,7 @@ function update_item_location($loc_code, $location_name, $delivery_address, $pho
        delivery_address=".db_escape($delivery_address).",
        phone=".db_escape($phone).", phone2=".db_escape($phone2).", fax=".db_escape($fax).",
        email=".db_escape($email).", contact=".db_escape($contact)."
-       WHERE loc_code = '$loc_code'";
+       WHERE loc_code = ".db_escape($loc_code);
 
        db_query($sql,"a location could not be updated");
 }
@@ -42,10 +43,10 @@ function update_item_location($loc_code, $location_name, $delivery_address, $pho
 
 function delete_item_location($item_location)
 {
-       $sql="DELETE FROM ".TB_PREF."locations WHERE loc_code='$item_location'";
+       $sql="DELETE FROM ".TB_PREF."locations WHERE loc_code=".db_escape($item_location);
        db_query($sql,"a location could not be deleted");
 
-       $sql = "DELETE FROM ".TB_PREF."loc_stock WHERE loc_code ='$item_location'";
+       $sql = "DELETE FROM ".TB_PREF."loc_stock WHERE loc_code =".db_escape($item_location);
        db_query($sql,"a location could not be deleted");
 }
 
@@ -53,7 +54,7 @@ function delete_item_location($item_location)
 
 function get_item_location($item_location)
 {
-       $sql="SELECT * FROM ".TB_PREF."locations WHERE loc_code='$item_location'";
+       $sql="SELECT * FROM ".TB_PREF."locations WHERE loc_code=".db_escape($item_location);
 
        $result = db_query($sql,"a location could not be retrieved");
 
@@ -65,7 +66,7 @@ function get_item_location($item_location)
 function set_reorder_level($stock_id, $loc_code, $reorder_level)
 {
        $sql = "UPDATE ".TB_PREF."loc_stock SET reorder_level = $reorder_level
-               WHERE stock_id = '$stock_id' AND loc_code = '$loc_code'";
+               WHERE stock_id = ".db_escape($stock_id)." AND loc_code = ".db_escape($loc_code);
 
        db_query($sql,"an item reorder could not be set");
 }
@@ -77,7 +78,8 @@ function get_loc_details($stock_id)
        $sql = "SELECT ".TB_PREF."loc_stock.*, ".TB_PREF."locations.location_name
                FROM ".TB_PREF."loc_stock, ".TB_PREF."locations
                WHERE ".TB_PREF."loc_stock.loc_code=".TB_PREF."locations.loc_code
-               AND ".TB_PREF."loc_stock.stock_id = '" . $stock_id . "' ORDER BY ".TB_PREF."loc_stock.loc_code";
+               AND ".TB_PREF."loc_stock.stock_id = ".db_escape($stock_id) 
+               ." ORDER BY ".TB_PREF."loc_stock.loc_code";
        return db_query($sql,"an item reorder could not be retreived");
 }