Security update of sql statements, a couple of smaller fixes.
[fa-stable.git] / manufacturing / search_work_orders.php
index bc5c53f475aadfa5a437dd7fdd841ec41f081245..447dbd0782cbedf4013bb08fda3e87a99426356c 100644 (file)
@@ -130,10 +130,15 @@ function produce_link($row)
 
 function costs_link($row)
 {
+/*
        return $row["closed"] || !$row["released"] ? '' :
                pager_link(_('Costs'),
                        "/gl/gl_bank.php?NewPayment=1&PayType=" 
                        .payment_person_types::WorkOrder(). "&PayPerson=" .$row["id"]);
+*/                     
+       return $row["closed"] || !$row["released"] ? '' :
+               pager_link(_('Costs'),
+                       "/manufacturing/work_order_costs.php?trans_no=" .$row["id"]);
 }
 
 function view_gl_link($row)
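Review bot: The previous body of `costs_link` is left in place as a `/* … */` block above the new `return`, so the function now carries two near-identical return expressions, one of them dead. Delete the commented block, since the commit history already records the old `/gl/gl_bank.php?NewPayment=1` link, and drop the trailing whitespace after `*/`. `$row["id"]` is appended to the `trans_no` query string unchanged. It presumably comes from the work-order query as an integer key, in which case `"...work_order_costs.php?trans_no=" . (int)$row["id"]` would state that assumption in the code.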
@@ -178,17 +183,17 @@ if (check_value('OpenOnly') || $outstanding_only != 0)
 
 if (isset($_POST['StockLocation']) && $_POST['StockLocation'] != $all_items)
 {
-       $sql .= " AND workorder.loc_code='" . $_POST['StockLocation'] . "' ";
+       $sql .= " AND workorder.loc_code=".db_escape($_POST['StockLocation']);
 }
 
 if (isset($_POST['OrderNumber']) && $_POST['OrderNumber'] != "")
 {
-       $sql .= " AND workorder.wo_ref LIKE '%". $_POST['OrderNumber'] . "%'";
+       $sql .= " AND workorder.wo_ref LIKE ".db_escape('%'.$_POST['OrderNumber'].'%');
 }
 
 if (isset($_POST['SelectedStockItem']) && $_POST['SelectedStockItem'] != $all_items)
 {
-       $sql .= " AND workorder.stock_id='". $_POST['SelectedStockItem'] . "'";
+       $sql .= " AND workorder.stock_id=".db_escape($_POST['SelectedStockItem']);
 }
 
 if (check_value('OverdueOnly'))
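Review bot: In the `OrderNumber` branch, a `%` or `_` typed by the user still acts as a LIKE wildcard, because `db_escape()` protects the string literal and not the pattern inside it. If a literal substring match is intended, escape the pattern characters first: `db_escape('%'.addcslashes($_POST['OrderNumber'], '%_\\').'%')`. All three new lines also drop the surrounding quotes, so they are safe only if `db_escape()` returns an already-quoted literal. Its definition is not visible here, so add a comment such as `// db_escape() returns a quoted, escaped SQL literal` at the first use. The query is built outside this hunk, so check that any other request values concatenated into `$sql` go through the same helper.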