Security statements update against sql injection attacks.

[fa-stable.git] / purchasing / includes / db / supp_trans_db.inc

diff --git a/purchasing/includes/db/supp_trans_db.inc b/purchasing/includes/db/supp_trans_db.inc
index 975fe428001eb6fc4d024048434079be1b4742cd..9c51f904dd368cecc7f20a9a2c7b34270a693683 100644 (file)
--- a/purchasing/includes/db/supp_trans_db.inc
+++ b/purchasing/includes/db/supp_trans_db.inc
@@ -1,5 +1,14 @@
 <?php
-
+/**********************************************************************
+    Copyright (C) FrontAccounting, LLC.
+       Released under the terms of the GNU General Public License, GPL, 
+       as published by the Free Software Foundation, either version 3 
+       of the License, or (at your option) any later version.
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  
+    See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
+***********************************************************************/
 //-------------------------------------------------------------------------------------------------------------
 
 function add_supp_trans($type, $supplier_id, $date_, $due_date, $reference, $supp_reference,
@@ -21,8 +30,10 @@ function add_supp_trans($type, $supplier_id, $date_, $due_date, $reference, $sup
 
        $sql = "INSERT INTO ".TB_PREF."supp_trans (trans_no, type, supplier_id, tran_date, due_date,
                reference, supp_reference, ov_amount, ov_gst, rate, ov_discount) ";
-       $sql .= "VALUES ($trans_no, $type, $supplier_id, '$date', '$due_date',
-               ".db_escape($reference).", ".db_escape($supp_reference).", $amount, $amount_tax, $rate, $discount)";
+       $sql .= "VALUES (".db_escape($trans_no).", ".db_escape($type)
+       .", ".db_escape($supplier_id).", '$date', '$due_date',
+               ".db_escape($reference).", ".db_escape($supp_reference).", ".db_escape($amount)
+               .", ".db_escape($amount_tax).", ".db_escape($rate).", ".db_escape($discount).")";
 
        if ($err_msg == "")
                $err_msg = "Cannot insert a supplier transaction record";
@@ -43,7 +54,7 @@ function get_supp_trans($trans_no, $trans_type=-1)
        {
                // it's a payment so also get the bank account
                $sql .= ", ".TB_PREF."bank_accounts.bank_name, ".TB_PREF."bank_accounts.bank_account_name, ".TB_PREF."bank_accounts.bank_curr_code,
-                       ".TB_PREF."bank_trans_types.name AS BankTransType, ".TB_PREF."bank_trans.amount AS BankAmount,
+                       ".TB_PREF."bank_accounts.account_type AS BankTransType, ".TB_PREF."bank_trans.amount AS BankAmount,
                        ".TB_PREF."bank_trans.ref ";
        }
 
@@ -52,22 +63,21 @@ function get_supp_trans($trans_no, $trans_type=-1)
        if ($trans_type == 22)
        {
                // it's a payment so also get the bank account
-               $sql .= ", ".TB_PREF."bank_trans, ".TB_PREF."bank_accounts, ".TB_PREF."bank_trans_types ";
+               $sql .= ", ".TB_PREF."bank_trans, ".TB_PREF."bank_accounts";
        }
 
-       $sql .= " WHERE ".TB_PREF."supp_trans.trans_no=$trans_no
+       $sql .= " WHERE ".TB_PREF."supp_trans.trans_no=".db_escape($trans_no)."
                AND ".TB_PREF."supp_trans.supplier_id=".TB_PREF."suppliers.supplier_id";
 
        if ($trans_type > 0)
-               $sql .= " AND ".TB_PREF."supp_trans.type=$trans_type ";
+               $sql .= " AND ".TB_PREF."supp_trans.type=".db_escape($trans_type);
 
        if ($trans_type == 22)
        {
                // it's a payment so also get the bank account
-               $sql .= " AND ".TB_PREF."bank_trans.trans_no =$trans_no
-                       AND ".TB_PREF."bank_trans.type=$trans_type
-                       AND ".TB_PREF."bank_trans_types.id = ".TB_PREF."bank_trans.bank_trans_type_id
-                       AND ".TB_PREF."bank_accounts.account_code=".TB_PREF."bank_trans.bank_act ";
+               $sql .= " AND ".TB_PREF."bank_trans.trans_no =".db_escape($trans_no)."
+                       AND ".TB_PREF."bank_trans.type=".db_escape($trans_type)."
+                       AND ".TB_PREF."bank_accounts.id=".TB_PREF."bank_trans.bank_act ";
        }
 
        $result = db_query($sql, "Cannot retreive a supplier transaction");
@@ -91,39 +101,13 @@ function get_supp_trans($trans_no, $trans_type=-1)
 
 //----------------------------------------------------------------------------------------
 
-function get_supplier_transactions($extra_fields=null, $extra_conditions=null, $extra_tables=null)
-{
-       $sql = "SELECT ".TB_PREF."supp_trans.*,
-               ov_amount+ov_gst+ov_discount AS Total,
-               ".TB_PREF."suppliers.supp_name, ".TB_PREF."suppliers.address,
-               ".TB_PREF."suppliers.curr_code ";
-
-       if ($extra_fields)
-               $sql .= ", $extra_fields ";
-
-       $sql .= " FROM ".TB_PREF."supp_trans, ".TB_PREF."suppliers ";
-       if ($extra_tables)
-               $sql .= " ,$extra_tables ";
-
-       $sql .= " WHERE ".TB_PREF."supp_trans.supplier_id=".TB_PREF."suppliers.supplier_id";
-
-       if ($extra_conditions)
-               $sql .= " AND $extra_conditions ";
-
-       $sql .= " ORDER BY trans_no";
-
-       return db_query($sql, "Cannot retreive supplier transactions");
-}
-
-//----------------------------------------------------------------------------------------
-
 function exists_supp_trans($type, $type_no)
 {
        if ($type == 25)
                return exists_grn($type_no);
 
-       $sql = "SELECT trans_no FROM ".TB_PREF."supp_trans WHERE type=$type
-               AND trans_no=$type_no";
+       $sql = "SELECT trans_no FROM ".TB_PREF."supp_trans WHERE type=".db_escape($type)."
+               AND trans_no=".db_escape($type_no);
        $result = db_query($sql, "Cannot retreive a supplier transaction");
 
     return (db_num_rows($result) > 0);
@@ -134,7 +118,7 @@ function exists_supp_trans($type, $type_no)
 function void_supp_trans($type, $type_no)
 {
        $sql = "UPDATE ".TB_PREF."supp_trans SET ov_amount=0, ov_discount=0, ov_gst=0,
-               alloc=0 WHERE type=$type AND trans_no=$type_no";
+               alloc=0 WHERE type=".db_escape($type)." AND trans_no=".db_escape($type_no);
 
        db_query($sql, "could not void supp transactions for type=$type and trans_no=$type_no");
 }