projects / fa-stable.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Changed db_escape function to avoid XSS attacks via js db injection
[fa-stable.git] / inventory / includes / db / items_units_db.inc
diff --git a/inventory/includes/db/items_units_db.inc b/inventory/includes/db/items_units_db.inc
index f755fed51bebde3fc9b152d4abc4862078a2809b..05cb544ca86663a5ac6c1d5e22971c604276b086 100644 (file)
--- a/inventory/includes/db/items_units_db.inc
+++ b/inventory/includes/db/items_units_db.inc
@@ -4,40 +4,40 @@ function write_item_unit($selected, $abbr, $description, $decimals)
 {
     if($selected!='')
                $sql = "UPDATE ".TB_PREF."item_units SET
-               abbr = '$abbr',
-               name = '$description',
+               abbr = ".db_quote($abbr).",
+               name = ".db_quote($description).",
                decimals = $decimals
                WHERE    abbr = '$selected'";
     else
                $sql = "INSERT INTO ".TB_PREF."item_units
-                       (abbr, name, decimals) VALUES( '$abbr',
-                       '$description', $decimals)";
-         
-       db_query($sql,"an item unit could not be updated");     
+                       (abbr, name, decimals) VALUES( ".db_quote($abbr).",
+                       ".db_quote($description).", $decimals)";
+
+       db_query($sql,"an item unit could not be updated");
 }
 
 function delete_item_unit($unit)
 {
-       $sql="DELETE FROM ".TB_PREF."item_units WHERE abbr='$unit'";    
-       
-       db_query($sql,"an unit of measure could not be deleted");       
+       $sql="DELETE FROM ".TB_PREF."item_units WHERE abbr='$unit'";
+
+       db_query($sql,"an unit of measure could not be deleted");
 }
 
 function get_item_unit($unit)
 {
-       $sql="SELECT * FROM ".TB_PREF."item_units WHERE abbr='$unit'";  
-       
+       $sql="SELECT * FROM ".TB_PREF."item_units WHERE abbr='$unit'";
+
        $result = db_query($sql,"an unit of measure could not be retrieved");
-       
-       return db_fetch($result);       
+
+       return db_fetch($result);
 }
 
 function get_unit_descr($unit)
 {
-       $sql = "SELECT description FROM ".TB_PREF."item_units WHERE abbr='$id'";
-       
+       $sql = "SELECT description FROM ".TB_PREF."item_units WHERE abbr='$unit'";
+
        $result = db_query($sql, "could not unit description");
-       
+
        $row = db_fetch_row($result);
        return $row[0];
 }
FrontAccounting stable branch