Security statements update against sql injection attacks.

[fa-stable.git] / inventory / includes / db / movement_types_db.inc

diff --git a/inventory/includes/db/movement_types_db.inc b/inventory/includes/db/movement_types_db.inc
index 78e55a9705b0e5054f31fe10104392a0e5e1e073..f6562b1896eade09549b17eea6ad983c010ec02b 100644 (file)
--- a/inventory/includes/db/movement_types_db.inc
+++ b/inventory/includes/db/movement_types_db.inc
@@ -20,7 +20,7 @@ function add_movement_type($name)
 function update_movement_type($type_id, $name)
 {
        $sql = "UPDATE ".TB_PREF."movement_types SET name=".db_escape($name)."
-                       WHERE id=$type_id";
+                       WHERE id=".db_escape($type_id);
 
        db_query($sql, "could not update item movement type");
 }
@@ -34,7 +34,7 @@ function get_all_movement_type()
 
 function get_movement_type($type_id)
 {
-       $sql = "SELECT * FROM ".TB_PREF."movement_types WHERE id=$type_id";
+       $sql = "SELECT * FROM ".TB_PREF."movement_types WHERE id=".db_escape($type_id);
 
        $result = db_query($sql, "could not get item movement type");
 
@@ -43,7 +43,7 @@ function get_movement_type($type_id)
 
 function delete_movement_type($type_id)
 {
-       $sql="DELETE FROM ".TB_PREF."movement_types WHERE id=$type_id";
+       $sql="DELETE FROM ".TB_PREF."movement_types WHERE id=".db_escape($type_id);
 
        db_query($sql, "could not delete item movement type");
 }