Sealing against XSS atacks: purchasing,sales,install,admin,taxes

[fa-stable.git] / purchasing / includes / db / invoice_items_db.inc

diff --git a/purchasing/includes/db/invoice_items_db.inc b/purchasing/includes/db/invoice_items_db.inc
index 18ff4aa9ba37f609783d7f5f2a73c5ebd29e5e8d..621309bb0464dcb21bd2d1171c008d3e784fc53e 100644 (file)
--- a/purchasing/includes/db/invoice_items_db.inc
+++ b/purchasing/includes/db/invoice_items_db.inc
@@ -8,8 +8,9 @@ function add_supp_invoice_item($supp_trans_type, $supp_trans_no, $stock_id, $des
 {
        $sql = "INSERT INTO ".TB_PREF."supp_invoice_items (supp_trans_type, supp_trans_no, stock_id, description, gl_code, unit_price, unit_tax, quantity,
                grn_item_id, po_detail_item_id, memo_) ";
-       $sql .= "VALUES ($supp_trans_type, $supp_trans_no, '$stock_id', '$description', '$gl_code', $unit_price, $unit_tax, $quantity,
-               $grn_item_id, $po_detail_item_id, '$memo_')";
+       $sql .= "VALUES ($supp_trans_type, $supp_trans_no, ".db_escape($stock_id).
+       ", ".db_escape($description).", ".db_escape($gl_code).", $unit_price, $unit_tax, $quantity,
+               $grn_item_id, $po_detail_item_id, ".db_escape($memo_).")";
 
        if ($err_msg == "")
                $err_msg = "Cannot insert a supplier transaction detail record";