/* returns true ie 1 if the bom contains the parent part as a component
ie the bom is recursive otherwise false ie 0 */
- $sql = "SELECT component FROM ".TB_PREF."bom WHERE parent='$component_to_check'";
+ $sql = "SELECT component FROM ".TB_PREF."bom WHERE parent=".db_escape($component_to_check);
$result = db_query($sql,"could not check recursive bom");
if ($result != 0)
if ($selected_component != -1)
{
- $sql = "UPDATE ".TB_PREF."bom SET workcentre_added='" . $_POST['workcentre_added'] . "',
- loc_code='" . $_POST['loc_code'] . "',
+ $sql = "UPDATE ".TB_PREF."bom SET workcentre_added=".db_escape($_POST['workcentre_added'])
+ . ",loc_code=".db_escape($_POST['loc_code']) . ",
quantity= " . input_num('quantity') . "
- WHERE parent='" . $selected_parent . "'
- AND id='" . $selected_component . "'";
+ WHERE parent=".db_escape($selected_parent) . "
+ AND id=".db_escape($selected_component);
check_db_error("Could not update this bom component", $sql);
db_query($sql,"could not update bom");
/*Now check to see that the component is not already on the bom */
$sql = "SELECT component FROM ".TB_PREF."bom
- WHERE parent='$selected_parent'
- AND component='" . $_POST['component'] . "'
- AND workcentre_added='" . $_POST['workcentre_added'] . "'
- AND loc_code='" . $_POST['loc_code'] . "'" ;
+ WHERE parent=".db_escape($selected_parent)."
+ AND component=".db_escape($_POST['component']) . "
+ AND workcentre_added=".db_escape($_POST['workcentre_added']) . "
+ AND loc_code=".db_escape($_POST['loc_code']);
$result = db_query($sql,"check failed");
if (db_num_rows($result) == 0)
{
$sql = "INSERT INTO ".TB_PREF."bom (parent, component, workcentre_added, loc_code, quantity)
- VALUES ('$selected_parent', '" . $_POST['component'] . "', '"
- . $_POST['workcentre_added'] . "', '" . $_POST['loc_code'] . "', "
+ VALUES (".db_escape($selected_parent).", ".db_escape($_POST['component']) . ","
+ .db_escape($_POST['workcentre_added']) . ", ".db_escape($_POST['loc_code']) . ", "
. input_num('quantity') . ")";
db_query($sql,"check failed");
if ($Mode == 'Delete')
{
- $sql = "DELETE FROM ".TB_PREF."bom WHERE id='" . $selected_id. "'";
+ $sql = "DELETE FROM ".TB_PREF."bom WHERE id=".db_escape($selected_id);
db_query($sql,"Could not delete this bom components");
display_notification(_("The component item has been deleted from this bom"));
{
if ($Mode == 'Edit') {
//editing a selected component from the link to the line item
- $sql = "SELECT ".TB_PREF."bom.*,".TB_PREF."stock_master.description FROM ".TB_PREF."bom,".TB_PREF."stock_master
- WHERE id='$selected_id'
+ $sql = "SELECT ".TB_PREF."bom.*,".TB_PREF."stock_master.description FROM "
+ .TB_PREF."bom,".TB_PREF."stock_master
+ WHERE id=".db_escape($selected_id)."
AND ".TB_PREF."stock_master.stock_id=".TB_PREF."bom.component";
$result = db_query($sql, "could not get bom");
projects / fa-stable.git / blobdiff