Changed db_escape function to avoid XSS attacks via js db injection

[fa-stable.git] / manufacturing / includes / db / work_order_issues_db.inc

diff --git a/manufacturing/includes/db/work_order_issues_db.inc b/manufacturing/includes/db/work_order_issues_db.inc
index f59f88932e53d93fe467cad8100ed4b7f0488047..a2a6a4188c47c567eca3c516527dc3a01f9dbb5d 100644 (file)
--- a/manufacturing/includes/db/work_order_issues_db.inc
+++ b/manufacturing/includes/db/work_order_issues_db.inc
@@ -25,8 +25,8 @@ function add_work_order_issue($woid, $ref, $to_work_order, $items, $location, $w
 
        // insert the actual issue
        $sql = "INSERT INTO ".TB_PREF."wo_issues (workorder_id, reference, issue_date, loc_code, workcentre_id)
-               VALUES ($woid, '$ref', '" .
-               date2sql($date_) . "', '$location', $workcentre)";
+               VALUES ($woid, ".db_quote($ref).", '" .
+               date2sql($date_) . "', ".db_quote($location).", $workcentre)";
        db_query($sql,"The work order issue could not be added");
 
        $number = db_insert_id();