*** empty log message ***

[fa-stable.git] / inventory / purchasing_data.php

diff --git a/inventory/purchasing_data.php b/inventory/purchasing_data.php
index c545beb5f902fb7703233b0f71b2d01fbbcc5bf9..ce1c9b7853c5226ad78e02f4e328d968ad34723b 100644 (file)
--- a/inventory/purchasing_data.php
+++ b/inventory/purchasing_data.php
@@ -67,17 +67,17 @@ if ($Mode=='ADD_ITEM' || $Mode=='UPDATE_ITEM')
                $sql = "INSERT INTO ".TB_PREF."purch_data (supplier_id, stock_id, price, suppliers_uom,
                        conversion_factor, supplier_description) VALUES (";
                $sql .= "'".$_POST['supplier_id']."', '" . $_POST['stock_id'] . "', " .
-                   input_num('price') . ", '" . $_POST['suppliers_uom'] . "', " .
-                       input_num('conversion_factor') . ", '" . $_POST['supplier_description'] . "')";
+                   input_num('price',0) . ", '" . $_POST['suppliers_uom'] . "', " .
+                       input_num('conversion_factor') . ", " . db_escape($_POST['supplier_description']) . ")";
 
                db_query($sql,"The supplier purchasing details could not be added");
                display_notification(_("This supplier purchasing data has been added."));
                } else
                {
-               $sql = "UPDATE ".TB_PREF."purch_data SET price=" . input_num('price') . ",
+               $sql = "UPDATE ".TB_PREF."purch_data SET price=" . input_num('price',0) . ",
                                suppliers_uom='" . $_POST['suppliers_uom'] . "',
                                conversion_factor=" . input_num('conversion_factor') . ",
-                               supplier_description='" . $_POST['supplier_description'] . "'
+                               supplier_description=" . db_escape($_POST['supplier_description']) . "
                                WHERE stock_id='" . $_POST['stock_id'] . "' AND
                                supplier_id='$selected_id'";
                db_query($sql,"The supplier purchasing details could not be updated");